From 850d547d2de9044eb84ba65ceefb90880f3a776c Mon Sep 17 00:00:00 2001 From: Filippo Valsorda Date: Sun, 24 Jul 2022 15:48:29 +0200 Subject: [PATCH] doc/go1.19: expand crypto release notes MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit Not included are the following changes that were backported to Go 1.18 minor releases. bb1f441618 crypto/rand: properly handle large Read on windows 35998c0109 crypto/x509: only disable SHA-1 verification for certificates 0fca8a8f25 crypto/x509: fix Certificate.Verify crash fe4de36198 crypto/tls: randomly generate ticket_age_add 37065847d8 crypto/elliptic: tolerate zero-padded scalars in generic P-256 9a53b472b5 crypto/x509: properly handle issuerUniqueID and subjectUniqueID The following are the benchmarks to back up the 3x speedup claim in the crypto/elliptic notes. name old time/op new time/op delta pkg:crypto/elliptic goos:darwin goarch:arm64 ScalarBaseMult/P256-8 18.3µs ± 0% 18.2µs ± 0% -0.56% (p=0.000 n=10+10) ScalarBaseMult/P224-8 233µs ± 0% 74µs ± 0% -68.09% (p=0.000 n=9+10) ScalarBaseMult/P384-8 805µs ± 0% 236µs ± 0% -70.73% (p=0.000 n=8+10) ScalarBaseMult/P521-8 2.50ms ± 0% 0.68ms ± 0% -72.63% (p=0.000 n=10+8) ScalarMult/P256-8 68.4µs ± 0% 68.6µs ± 0% +0.26% (p=0.000 n=10+10) ScalarMult/P224-8 234µs ± 0% 231µs ± 0% -1.18% (p=0.000 n=10+8) ScalarMult/P384-8 805µs ± 0% 805µs ± 0% ~ (p=0.211 n=9+10) ScalarMult/P521-8 2.50ms ± 0% 2.49ms ± 0% -0.69% (p=0.000 n=10+10) pkg:crypto/ecdsa goos:darwin goarch:arm64 Sign/P256-8 31.9µs ± 1% 31.7µs ± 0% -0.64% (p=0.001 n=10+10) Sign/P224-8 264µs ± 0% 106µs ± 0% -60.09% (p=0.000 n=10+10) Sign/P384-8 884µs ± 0% 313µs ± 0% -64.53% (p=0.000 n=9+10) Sign/P521-8 2.64ms ± 0% 0.84ms ± 0% -68.13% (p=0.000 n=9+9) Verify/P256-8 91.6µs ± 0% 91.7µs ± 0% ~ (p=0.052 n=10+10) Verify/P224-8 486µs ± 0% 300µs ± 0% -38.15% (p=0.000 n=9+9) Verify/P384-8 1.66ms ± 0% 1.01ms ± 0% -39.12% (p=0.000 n=10+9) Verify/P521-8 5.12ms ± 1% 3.06ms ± 0% -40.27% (p=0.000 n=10+10) GenerateKey/P256-8 19.6µs ± 0% 19.4µs ± 0% -0.79% (p=0.000 n=10+10) GenerateKey/P224-8 235µs ± 0% 76µs ± 1% -67.45% (p=0.000 n=8+10) GenerateKey/P384-8 807µs ± 0% 239µs ± 0% -70.43% (p=0.000 n=9+10) GenerateKey/P521-8 2.49ms ± 0% 0.69ms ± 0% -72.36% (p=0.000 n=9+10) Change-Id: I7fb2db3aea4aac785a48d45fff7a32909f3b578c Reviewed-on: https://go-review.googlesource.com/c/go/+/419355 Reviewed-by: Roland Shoemaker TryBot-Result: Gopher Robot Reviewed-by: Ian Lance Taylor Run-TryBot: Filippo Valsorda Reviewed-by: Dmitri Shuralyov --- doc/go1.19.html | 92 +++++++++++++++++++++++++++++++++++++++---------- 1 file changed, 74 insertions(+), 18 deletions(-) diff --git a/doc/go1.19.html b/doc/go1.19.html index 41ffe8ebfd..3ce2233ab0 100644 --- a/doc/go1.19.html +++ b/doc/go1.19.html @@ -322,16 +322,58 @@ as well as support for rendering them to HTML, Markdown, and text. +
crypto/elliptic
+
+

+ Operating on invalid curve points (those for which the + IsOnCurve method returns false, and which are never returned + by Unmarshal or by a Curve method operating on a + valid point) has always been undefined behavior and can lead to key + recovery attacks. If an invalid point is supplied to + Marshal, + MarshalCompressed, + Add, + Double, or + ScalarMult, + they will now panic. +

+ +

+ ScalarBaseMult operations on the P224, + P384, and P521 curves are now up to three + times faster, leading to similar speedups in some ECDSA operations. The + generic (not platform optimized) P256 implementation was + replaced with one derived from a formally verified model; this might + lead to significant slowdowns on 32-bit platforms. +

+
+
+
crypto/rand

Read no longer buffers - random data obtained from the operating system between calls. + random data obtained from the operating system between calls. Applications + that perform many small reads at high frequency might choose to wrap + Reader in a + bufio.Reader for performance + reasons, taking care to use + io.ReadFull + to ensure no partial reads occur.

On Plan 9, Read has been reimplemented, replacing the ANSI - X9.31 algorithm with fast key erasure. + X9.31 algorithm with a fast key erasure generator. +

+ +

+ The Prime + implementation was simplified. This will lead to different outputs for the + same random stream compared to the previous implementation. The internals + of Prime are not stable, should not be relied upon not to + change, and the output is now intentionally non-deterministic with respect + to the input stream.

@@ -364,6 +406,19 @@ as well as support for rendering them to HTML, Markdown, and text. CreateCertificate no longer accepts negative serial numbers.

+

+ CreateCertificate will not emit an empty SEQUENCE anymore + when the produced certificate has no extensions. +

+ +

+ Removal of the x509sha1=1 GODEBUG option, + originally planned for Go 1.19, has been rescheduled to a future release. + Applications using it should work on migrating. Practical attacks against + SHA-1 have been demonstrated since 2017 and publicly trusted Certificate + Authorities have not issued SHA-1 certificates since 2015. +

+

ParseCertificate and ParseCertificateRequest @@ -373,7 +428,7 @@ as well as support for rendering them to HTML, Markdown, and text.

The new CertPool.Clone and CertPool.Equal - methods allow cloning a CertPool and checking the equality of two + methods allow cloning a CertPool and checking the equivalence of two CertPools respectively.

@@ -381,25 +436,26 @@ as well as support for rendering them to HTML, Markdown, and text. The new function ParseRevocationList provides a faster, safer to use CRL parser which returns a RevocationList. - To support this addition, RevocationList adds new fields + Parsing a CRL also populates the new RevocationList fields RawIssuer, Signature, - AuthorityKeyId, and Extensions. - + AuthorityKeyId, and Extensions, which are ignored by + CreateRevocationList. +

The new method RevocationList.CheckSignatureFrom checks that the signature on a CRL is a valid signature from a Certificate. - - With the new CRL functionality, the existing functions - ParseCRL and - ParseDERCRL are deprecated. - Additionally the method Certificate.CheckCRLSignature - is deprecated. -

- -

- When building paths, Certificate.Verify - now considers certificates to be equal when the subjects, public keys, and SANs - are all equal. Before, it required byte-for-byte equality. +

+ The ParseCRL and + ParseDERCRL functions + are now deprecated in favor of ParseRevocationList. + The Certificate.CheckCRLSignature + method is deprecated in favor of RevocationList.CheckSignatureFrom. +

+ +

+ The path builder of Certificate.Verify + was overhauled and should now produce better chains and/or be more efficient in complicated scenarios. + Name constraints are now also enforced on non-leaf certificates.

-- 2.48.1