Ecosyste.ms: OpenCollective
An open API service for software projects hosted on Open Collective.
github.com/ooni/oocrypto
Fork of Go crypto/tls with extra patches from the OONI team
https://github.com/ooni/oocrypto
The RFC is a little ambiguous here: “the subject field contains an empty
sequence” could mean th...
CL 71030 enforced EKU nesting at verification time, to go along with the
change in name constrai...
The GeneralSubtree structure can have additional elements after the name
(minimum and maximum, w...
Using ASCII values for keys is a bad idea since it makes them vastly
easier to guess. Instead, u...
Additions to:
https://go-review.googlesource.com/c/go/+/61570
https://go-review.googlesource.com...
Change-Id: I9bb7568ca16b420254796eb38dfb86c5ca3399d7
Reviewed-on: https://go-review.googlesource...
Unless you go back and read the hash package documentation, it's
not clear that all the hash pac...
Optimize with ARMv8 SHA256 instructions.
Result (Cortex-A72)
name old time/op new ...
9b2366f54b4af08b88f1beef853f8e11d8ae3a8a authored about 7 years ago by fanzha02 <[email protected]>
Optimize with ARMv8 SHA1 instructions.
Results (Cortex-A72)
name old time/op new...
46107b7fbebcb5ea9c3dde41faffe9882c3a9a7d authored about 7 years ago by fanzha02 <[email protected]>
The Go compiler assumes that pointers escape when passed into assembly
functions. To override th...
This allows better precision and (the motivation) empty strings to
be handled correctly. With th...
This change improves the ConstantTimeByteEq and ConstantTimeEq
primitives to both simplify them...
In the current implementation, it is possible for a client to
continuously send warning alerts, ...
This is the equivalent change to 1c105980 but for SHA-512.
SHA-512 certificates are already sup...
52b3aacde3098d964fb42019921a34dae2e75231 authored about 7 years ago by Filippo Valsorda <[email protected]>
crypto/x509 has always enforced EKUs as a chain property (like CAPI, but
unlike the RFC). With t...
This change makes crypto/x509 enforce name constraints for all names in
a leaf certificate, not ...
Adds support for the cipher message with authentication (KMA)
instruction added in message-secur...
If the current time is equal to the NextUpdate time, then the CRL
should be considered expired.
...
The go repository contains a mix of github.com/golang/go/issues/xxxxx
and golang.org/issues/xxxx...
The marshal method allows the hash's internal state to be serialized and
unmarshaled at a later ...
Makes tests run ~1ms faster.
Change-Id: Ida509952469540280996d2bd9266724829e53c91
Reviewed-on: ...
Closes #21279
Change-Id: I84d6b168a684fa9f3c046028d0c9f00292d7c110
Reviewed-on: https://go-revi...
Since copy function can figure out how many bytes of data to copy when
two slices have different...
The crypto.Signer interface takes pre-hashed messages for ECDSA and RSA,
but the argument in the ...
In https://golang.org/cl/9390 I messed up and put the critical extension
test in the wrong funct...
golang.org/cl/36941 enabled loading of all trusted certs on darwin
for the non-cgo execSecurityR...
ANSI X9.62 specifies that Unmarshal should fail if a given coordinate is
not smaller than th...
Consolidate the signature and hash fields (SignatureAndHashAlgorithm in
TLS 1.2) into a single u...
https://golang.org/cl/67270 wasn't `go fmt`ed correctly, according to
the current `go fmt`. Howe...
In https://golang.org/cl/9390 I messed up and put the critical extension
test in the wrong funct...
The BadCBCPadding255 test from bogo failed because at most 255 trailing
bytes were checked, but ...
This reverts https://golang.org/cl/66372.
Updates #22148
Change-Id: I3e94af3dfc11a2883bf28e1d5...
c2fc893a2de7639359ace39ddd862c821e38af11 authored over 7 years ago by Marvin Stenger <[email protected]>
This reverts https://golang.org/cl/65930.
Fixes #22148
Change-Id: Ie0712621ed89c43bef94417fc32...
34336d76b0ebbc8e19808bd96e9e07526a093941 authored over 7 years ago by Marvin Stenger <[email protected]>
This applies the amd64-specific changes from CL 42611 to the s390x P256
implementation. The s390...
Fixes #21615
Change-Id: Ic13190617d9b446b35f5dd00f142597c187ab669
Reviewed-on: https://go-revie...
We'll need this for handling name constraints during verification.
Change-Id: I4ef19d9489fb2a9a...
23352dafed3141556e55f509dd85cd3291a0f720 authored over 7 years ago by Adam Langley <[email protected]>
Change-Id: Idcda0fc1607157cb5bbf0521fbdc0c77f043ca3a
Reviewed-on: https://go-review.googlesource...
bytes.IndexByte can be used wherever the second argument to
strings.Index is exactly one byte lo...
strings.LastIndexByte was introduced in go1.5 and it can be used
effectively wherever the second...
strings.IndexByte was introduced in go1.2 and it can be used
effectively wherever the second arg...
Change-Id: I3268cab2de8aed9e2424e9c3bc7667083bc5e1ce
Reviewed-on: https://go-review.googlesource...
Change-Id: Ia4b49736d3b33cddf58905c6b19febbca45b2ad2
Reviewed-on: https://go-review.googlesource...
All the finalizer-enabled C wrappers must be careful to use
runtime.KeepAlive to ensure the C wr...
The syso is not compiled with -fsanitize=memory, so don't try to use it.
Otherwise the first tim...
I've now debugged multiple mysterious "inability to communicate"
bugs that manifest as a silent ...
This matches the standard GenerateKey and more importantly Precompute,
so that if you generate a...
When using the go command, test binaries end in .test,
but when using Bazel, test binaries conve...
In routines like GenerateKey, where bits from the randomness source have a
visible effect on the...
This is documented to work (in hash.Hash's definition)
and existing code assumes it works. Add a...
hmac.New returns a hash.Hash, which defines Sum as:
// Sum appends the current hash to b and r...
2daec70eb34d6da3a3ba4c2535000847e4f6cfe6 authored over 7 years ago by Russ Cox <[email protected]>
The standard Go crypto/rsa allows signatures to be shorter
than the RSA modulus and assumes lead...
a -> an
Change-Id: I7362bdc199e83073a712be657f5d9ba16df3077e
Reviewed-on: https://go-review.goo...
Use constants directly, instead of loading address to e.g. AX
and using (AX). Shouldn't affect ...
For very small blocks significant time is spent in checkSum function,
adding necessary padding. ...
The optimised P-256 includes a CombinedMult function, which doesn't do
dual-scalar multiplicatio...
This disables the s390x assembly. It will be re-enabled when #20215
is resolved on s390x.
Chang...
bb639519f8f576c3dae90273998d71aa7303f96b authored over 7 years ago by Michael Munday <[email protected]>
There is already a table of signature algorithm details so the code
should use it for the name t...
signatureAlgorithmDetails already knows the hash function for each
signature algorithm so there'...
It was causing mysterious fuzzing failure because it affects the
unmarshaling of the secureNegot...
TestGetClientCertificate had disabled verification, and was only passing
because it was mistaken...
Functions like NewCBCDecrypter, NewCBCEncrypter, NewCFBDecrypter,
NewCFBEncrypter and NewCTR all...
Change-Id: Iebb5b67c8defec22edd482d587edaf399a7ba82a
Reviewed-on: https://go-review.googlesource...
This is terrible but much simpler, cleaner, and more effective
than all the alternatives I have ...
This happens in the scrypt and pbkdf unit tests.
Change-Id: I1eda944d7c01d28c7a6dd9f428f5fdd1cb...
747c80fd6a30c65dbd48e9dd5760cd3c45c73612 authored over 7 years ago by Russ Cox <[email protected]>
Test is in a separate CL for easier cherry-picking to master branch.
Change-Id: Ia4a9032892d289...
b4c6f2db2bb0764d1f9276eecf38114190ad6d72 authored over 7 years ago by Russ Cox <[email protected]>
The override was not commented and was in the wrong file.
Change-Id: I739db561acff6d91b0f3559c8...
43b0836038a057aed67e52856a2b20d9ca2c4dec authored over 7 years ago by Russ Cox <[email protected]>
Found with mvdan.cc/unindent. It skipped the cases where parentheses
would need to be added, whe...
The PKCS #1 v2.2 document has been moved to an EMC
website with a new URL. This CL updates the r...
Closes #21519
Change-Id: I1247e9435de93aae7e4db2b6e8e5be1b010c296b
Reviewed-on: https://go-revi...
Change-Id: Ia4458090118c4391a73cf1ae65bc8d187f03eca0
Reviewed-on: https://go-review.googlesource...
Change-Id: Ie9dd13f3ae78a423a231f47e746a38f96768b93c
Reviewed-on: https://go-review.googlesource...
golang.org/cl/36941 enabled loading of all trusted certs on darwin
for the non-cgo execSecurityR...
Change-Id: Ibb92f0f8cb487f4d179b069e588e1cb266599384
Reviewed-on: https://go-review.googlesource...
Using atomic.Value causes vet errors in code copying
PublicKey or PrivateKey structures. I don't...
By processing 8 blocks in parallel GHASH achieves higher throughput on amd64
Results on Skylake...
42abc1fef4fd352b033787a89a82a131a04d52c8 authored over 7 years ago by Vlad Krasnov <[email protected]>
Change-Id: I108e0a527bddd673b16582d206e0697341d0a0ea
Reviewed-on: https://go-review.googlesource...
Change-Id: Ide00c40c0ca8d486f3bd8968e1d301c8b0ed6d05
Reviewed-on: https://go-review.googlesource...
Change-Id: I8407310e7d00eafe9208879228dbf4ac3d26a907
Reviewed-on: https://go-review.googlesource...
Change-Id: If83fdeac31f65aba818bbc7edd2f215b16814021
Reviewed-on: https://go-review.googlesource...
Change-Id: Id4019d601c615b4835b0337d82be3d508292810e
Reviewed-on: https://go-review.googlesource...
Change-Id: I80a764971b41f75c3b699797bfed71f509e3407d
Reviewed-on: https://go-review.googlesource...
Change-Id: Ie630eff90f7fee9b359683930aec2daf96c1bdfe
Reviewed-on: https://go-review.googlesource...
Right now the package doesn't do anything useful, but it will.
This CL is about the machinery fo...
Detected by BoGo test FragmentAcrossChangeCipherSpec-Server-Packed.
Change-Id: I9a76697b9cdeb01...
7c8493b92ebeb5971849576ecb76efae11f2224e authored over 7 years ago by Filippo Valsorda <[email protected]>
Change-Id: I77d9c77875519d77bac49cc8870c2e0c4563fe55
Reviewed-on: https://go-review.googlesource...
name time/op
HandshakeServer/RSA-4 1....
The processClientKeyExchange and processServerKeyExchange functions unmarshal an
encoded EC poin...
asn1.NullRawValue was used according to RFC 3279 2.2.1. Without this tag,
the output didn't matc...
Change-Id: I23bfaa7e03a21aad4e85baa3bf52bb00c09b75d0
Reviewed-on: https://go-review.googlesource...
The linux getrandom system call returns at most 33554431 = 2^25-1 bytes per
call. The existing b...
The current modInverse implementation allocates a big.Int
for the second parameter of GCD, while...
Functions XORKeyStream should panic if len(dst) < len(src), but it
writes to dst before bounds ch...
The current implementation ignores certificates that exist
in the login and System keychains.
T...
390b377fed8534162ab75de05e718b9c89ade12f authored over 7 years ago by Nathaniel Caza <[email protected]>
Apply code review suggestion from CL 46715.
The block is doing more than just checking len(r.ce...
ea6f4411b71680f644c0074f13a54b86a1a02c67 authored over 7 years ago by Dmitri Shuralyov <[email protected]>
This panic happens when the test fails due to the returned number of
certificates (r.certs) bein...
Change-Id: I2d0439a9f068e726173afafe2ef1f5d62b7feb4d
Reviewed-on: https://go-review.googlesource...
Fixes #19285
Change-Id: I11e864eff9980dec8247c47e4c600f76602e7ada
Reviewed-on: https://go-revie...
Change-Id: I4c2c82cb0354f843a3283a650ed2cd2b6aef5895
Reviewed-on: https://go-review.googlesource...
We only need to read the number of bytes required to store the value
"max - 1" to generate a ran...
By changing getRandomLinux to immediately use the getrandom() syscall
without GRND_NONBLOCK, we ...