From a9384eef7ae3a2587d215e3ec3d79bc1b335ce82 Mon Sep 17 00:00:00 2001
From: Filippo Valsorda <filippo@golang.org>
Date: Tue, 1 Feb 2022 21:24:51 +0100
Subject: [PATCH] doc/go1.18: add crypto/tls, crypto/x509, and crypto/elliptic
 release notes

Updates #45428
Updates #41682

Change-Id: I811bc4f8ec8de6b6db6a2917e265a72134a05e78
Reviewed-on: https://go-review.googlesource.com/c/go/+/382454
Trust: Filippo Valsorda <filippo@golang.org>
Trust: Katie Hockman <katie@golang.org>
Reviewed-by: Katie Hockman <katie@golang.org>
---
 doc/go1.18.html | 62 +++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 62 insertions(+)

diff --git a/doc/go1.18.html b/doc/go1.18.html
index b72c1288d1..e69113411e 100644
--- a/doc/go1.18.html
+++ b/doc/go1.18.html
@@ -546,6 +546,39 @@ Do not send CLs removing the interior tags from such phrases.
   <a href="/pkg/net/#UDPAddr.AddrPort"><code>UDPAddr.AddrPort</code></a>.
 </p>
 
+<h3 id="tls10">TLS 1.0 and 1.1 disabled by default client-side</h3>
+
+<p><!-- CL 359779, golang.org/issue/45428 -->
+  If <a href="/pkg/crypto/tls/#Config.MinVersion"><code>Config.MinVersion</code></a>
+  is not set, it now defaults to TLS 1.2 for client connections. Any safely
+  up-to-date server is expected to support TLS 1.2, and browsers have required
+  it since 2020. TLS 1.0 and 1.1 are still supported by setting
+  <code>Config.MinVersion</code> to <code>VersionTLS10</code>.
+  The server-side default is unchanged at TLS 1.0.
+</p>
+
+<p>
+  The default can be temporarily reverted to TLS 1.0 by setting the
+  <code>GODEBUG=tls10default=1</code> environment variable.
+  This option will be removed in Go 1.19.
+</p>
+
+<h3 id="sha1">Rejecting SHA-1 certificates</h3>
+
+<p><!-- CL 359777, golang.org/issue/41682 -->
+  <code>crypto/x509</code> will now
+  reject certificates signed with the SHA-1 hash function. This doesn't
+  apply to self-signed root certificates. Practical attacks against SHA-1
+  <a href="https://shattered.io/">have been demonstrated since 2017</a> and publicly
+  trusted Certificate Authorities have not issued SHA-1 certificates since 2015.
+</p>
+
+<p>
+  This can be temporarily reverted by setting the
+  <code>GODEBUG=x509sha1=1</code> environment variable.
+  This option will be removed in Go 1.19.
+</p>
+
 <h3 id="minor_library_changes">Minor changes to the library</h3>
 
 <p>
@@ -598,6 +631,35 @@ Do not send CLs removing the interior tags from such phrases.
   </dd>
 </dl><!-- bytes -->
 
+<dl id="crypto/elliptic"><dt><a href="/pkg/crypto/elliptic/">crypto/elliptic</a></dt>
+  <dd>
+    <p><!-- CL 320071, CL 320072, CL 320074, CL 361402, CL 360014 -->
+      The <a href="/pkg/crypto/elliptic#P224"><code>P224</code></a>,
+      <a href="/pkg/crypto/elliptic#P384"><code>P384</code></a>, and
+      <a href="/pkg/crypto/elliptic#P521"><code>P521</code></a> curve
+      implementations are now all backed by code generated by the
+      <a href="https://github.com/mmcloughlin/addchain">addchain</a> and
+      <a href="https://github.com/mit-plv/fiat-crypto">fiat-crypto</a>
+      projects, the latter of which is based on a formally-verified model
+      of the arithmetic operations. They now use safer complete formulas
+      and internal APIs. P-224 and P-384 are now approximately four times
+      faster. All specific curve implementations are now constant-time.
+    </p>
+
+    <p>
+      Operating on invalid curve points (those for which the
+      <code>IsOnCurve</code> method returns false, and which are never returned
+      by <a href="/pkg/crypto/elliptic#Unmarshal"><code>Unmarshal</code></a> or
+      a <code>Curve</code> method operating on a valid point) has always been
+      undefined behavior, can lead to key recovery attacks, and is now
+      unsupported by the new backend. If an invalid point is supplied to a
+      <code>P224</code>, <code>P384</code>, or <code>P521</code> method, that
+      method will now return a random point. The behavior might change to an
+      explicit panic in a future release.
+    </p>
+  </dd>
+</dl><!-- crypto/elliptic -->
+
 <dl id="crypto/tls"><dt><a href="/pkg/crypto/tls/">crypto/tls</a></dt>
   <dd>
     <p><!-- CL 325250 -->
-- 
2.50.0