libgo: update to Go1.14beta1

Reviewed-on: https://go-review.googlesource.com/c/gofrontend/+/214297
author: Ian Lance Taylor <iant@golang.org> 2020-01-02 15:05:27 -0800
committer: Ian Lance Taylor <iant@golang.org> 2020-01-21 23:53:22 -0800
commit: 5a8ea165926cb0737ab03bc48c18dc5198ab5305 (patch)
tree: 962dc3357c57f019f85658f99e2e753e30201c27 /libgo/go/crypto/ecdsa
parent: 6ac6529e155c9baa0aaaed7aca06bd38ebda5b43 (diff)
download: gcc-5a8ea165926cb0737ab03bc48c18dc5198ab5305.zip
gcc-5a8ea165926cb0737ab03bc48c18dc5198ab5305.tar.gz
gcc-5a8ea165926cb0737ab03bc48c18dc5198ab5305.tar.bz2
4 files changed, 19 insertions, 225 deletions
diff --git a/libgo/go/crypto/ecdsa/ecdsa.go b/libgo/go/crypto/ecdsa/ecdsa.go
index ddc3b35..65911e7 100644
--- a/libgo/go/crypto/ecdsa/ecdsa.go
+++ b/libgo/go/crypto/ecdsa/ecdsa.go
@@ -5,13 +5,23 @@
 // Package ecdsa implements the Elliptic Curve Digital Signature Algorithm, as
 // defined in FIPS 186-3.
 //
-// This implementation  derives the nonce from an AES-CTR CSPRNG keyed by
-// ChopMD(256, SHA2-512(priv.D || entropy || hash)). The CSPRNG key is IRO by
-// a result of Coron; the AES-CTR stream is IRO under standard assumptions.
+// This implementation derives the nonce from an AES-CTR CSPRNG keyed by:
+//
+// SHA2-512(priv.D || entropy || hash)[:32]
+//
+// The CSPRNG key is indifferentiable from a random oracle as shown in
+// [Coron], the AES-CTR stream is indifferentiable from a random oracle
+// under standard cryptographic assumptions (see [Larsson] for examples).
+//
+// References:
+//   [Coron]
+//     https://cs.nyu.edu/~dodis/ps/merkle.pdf
+//   [Larsson]
+//     https://www.nada.kth.se/kurser/kth/2D1441/semteo03/lecturenotes/assump.pdf
 package ecdsa
 
-// References:
-//   [NSA]: Suite B implementer's guide to FIPS 186-3,
+// Further references:
+//   [NSA]: Suite B implementer's guide to FIPS 186-3
 //     https://apps.nsa.gov/iaarchive/library/ia-guidance/ia-solutions-for-classified/algorithm-guidance/suite-b-implementers-guide-to-fips-186-3-ecdsa.cfm
 //   [SECG]: SECG, SEC1
 //     http://www.secg.org/sec1-v2.pdf
@@ -189,21 +199,14 @@ func Sign(rand io.Reader, priv *PrivateKey, hash []byte) (r, s *big.Int, err err
 
 	// See [NSA] 3.4.1
 	c := priv.PublicKey.Curve
-	e := hashToInt(hash, c)
-	r, s, err = sign(priv, &csprng, c, e)
-	return
-}
-
-func signGeneric(priv *PrivateKey, csprng *cipher.StreamReader, c elliptic.Curve, e *big.Int) (r, s *big.Int, err error) {
 	N := c.Params().N
 	if N.Sign() == 0 {
 		return nil, nil, errZeroParam
 	}
-
 	var k, kInv *big.Int
 	for {
 		for {
-			k, err = randFieldElement(c, *csprng)
+			k, err = randFieldElement(c, csprng)
 			if err != nil {
 				r = nil
 				return
@@ -221,6 +224,8 @@ func signGeneric(priv *PrivateKey, csprng *cipher.StreamReader, c elliptic.Curve
 				break
 			}
 		}
+
+		e := hashToInt(hash, c)
 		s = new(big.Int).Mul(priv.D, r)
 		s.Add(s, e)
 		s.Mul(s, kInv)
@@ -229,6 +234,7 @@ func signGeneric(priv *PrivateKey, csprng *cipher.StreamReader, c elliptic.Curve
 			break
 		}
 	}
+
 	return
 }
 
@@ -246,12 +252,8 @@ func Verify(pub *PublicKey, hash []byte, r, s *big.Int) bool {
 		return false
 	}
 	e := hashToInt(hash, c)
-	return verify(pub, c, e, r, s)
-}
 
-func verifyGeneric(pub *PublicKey, c elliptic.Curve, e, r, s *big.Int) bool {
 	var w *big.Int
-	N := c.Params().N
 	if in, ok := c.(invertible); ok {
 		w = in.Inverse(s)
 	} else {
diff --git a/libgo/go/crypto/ecdsa/ecdsa_noasm.go b/libgo/go/crypto/ecdsa/ecdsa_noasm.go
deleted file mode 100644
index d9f9cff..0000000
--- a/libgo/go/crypto/ecdsa/ecdsa_noasm.go
+++ /dev/null
@@ -1,22 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build !s390x gccgo
-
-package ecdsa
-
-import (
-	"crypto/cipher"
-	"crypto/elliptic"
-	"math/big"
-)
-
-func sign(priv *PrivateKey, csprng *cipher.StreamReader, c elliptic.Curve, e *big.Int) (r, s *big.Int, err error) {
-	r, s, err = signGeneric(priv, csprng, c, e)
-	return
-}
-
-func verify(pub *PublicKey, c elliptic.Curve, e, r, s *big.Int) bool {
-	return verifyGeneric(pub, c, e, r, s)
-}
diff --git a/libgo/go/crypto/ecdsa/ecdsa_s390x.go b/libgo/go/crypto/ecdsa/ecdsa_s390x.go
deleted file mode 100644
index f07c3bf..0000000
--- a/libgo/go/crypto/ecdsa/ecdsa_s390x.go
+++ /dev/null
@@ -1,153 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build s390x,!gccgo
-
-package ecdsa
-
-import (
-	"crypto/cipher"
-	"crypto/elliptic"
-	"internal/cpu"
-	"math/big"
-)
-
-// s390x accelerated signatures
-//go:noescape
-func kdsaSig(fc uint64, block *[1720]byte) (errn uint64)
-
-type signverify int
-
-const (
-	signing signverify = iota
-	verifying
-)
-
-// bufferOffsets represents the offset of a particular parameter in
-// the buffer passed to the KDSA instruction.
-type bufferOffsets struct {
-	baseSize       int
-	hashSize       int
-	offsetHash     int
-	offsetKey1     int
-	offsetRNorKey2 int
-	offsetR        int
-	offsetS        int
-	functionCode   uint64
-}
-
-func canUseKDSA(sv signverify, c elliptic.Curve, bo *bufferOffsets) bool {
-	if !cpu.S390X.HasECDSA {
-		return false
-	}
-
-	switch c.Params().Name {
-	case "P-256":
-		bo.baseSize = 32
-		bo.hashSize = 32
-		bo.offsetHash = 64
-		bo.offsetKey1 = 96
-		bo.offsetRNorKey2 = 128
-		bo.offsetR = 0
-		bo.offsetS = 32
-		if sv == signing {
-			bo.functionCode = 137
-		} else {
-			bo.functionCode = 1
-		}
-		return true
-	case "P-384":
-		bo.baseSize = 48
-		bo.hashSize = 48
-		bo.offsetHash = 96
-		bo.offsetKey1 = 144
-		bo.offsetRNorKey2 = 192
-		bo.offsetR = 0
-		bo.offsetS = 48
-		if sv == signing {
-			bo.functionCode = 138
-		} else {
-			bo.functionCode = 2
-		}
-		return true
-	case "P-521":
-		bo.baseSize = 66
-		bo.hashSize = 80
-		bo.offsetHash = 160
-		bo.offsetKey1 = 254
-		bo.offsetRNorKey2 = 334
-		bo.offsetR = 14
-		bo.offsetS = 94
-		if sv == signing {
-			bo.functionCode = 139
-		} else {
-			bo.functionCode = 3
-		}
-		return true
-	}
-	return false
-}
-
-// zeroExtendAndCopy pads src with leading zeros until it has the size given.
-// It then copies the padded src into the dst. Bytes beyond size in dst are
-// not modified.
-func zeroExtendAndCopy(dst, src []byte, size int) {
-	nz := size - len(src)
-	if nz < 0 {
-		panic("src is too long")
-	}
-	// the compiler should replace this loop with a memclr call
-	z := dst[:nz]
-	for i := range z {
-		z[i] = 0
-	}
-	copy(dst[nz:size], src[:size-nz])
-	return
-}
-
-func sign(priv *PrivateKey, csprng *cipher.StreamReader, c elliptic.Curve, e *big.Int) (r, s *big.Int, err error) {
-	var bo bufferOffsets
-	if canUseKDSA(signing, c, &bo) && e.Sign() != 0 {
-		var buffer [1720]byte
-		for {
-			var k *big.Int
-			k, err = randFieldElement(c, csprng)
-			if err != nil {
-				return nil, nil, err
-			}
-			zeroExtendAndCopy(buffer[bo.offsetHash:], e.Bytes(), bo.hashSize)
-			zeroExtendAndCopy(buffer[bo.offsetKey1:], priv.D.Bytes(), bo.baseSize)
-			zeroExtendAndCopy(buffer[bo.offsetRNorKey2:], k.Bytes(), bo.baseSize)
-			errn := kdsaSig(bo.functionCode, &buffer)
-			if errn == 2 {
-				return nil, nil, errZeroParam
-			}
-			if errn == 0 { // success == 0 means successful signing
-				r = new(big.Int)
-				r.SetBytes(buffer[bo.offsetR : bo.offsetR+bo.baseSize])
-				s = new(big.Int)
-				s.SetBytes(buffer[bo.offsetS : bo.offsetS+bo.baseSize])
-				return
-			}
-			//at this point, it must be that errn == 1: retry
-		}
-	}
-	r, s, err = signGeneric(priv, csprng, c, e)
-	return
-}
-
-func verify(pub *PublicKey, c elliptic.Curve, e, r, s *big.Int) bool {
-	var bo bufferOffsets
-	if canUseKDSA(verifying, c, &bo) && e.Sign() != 0 {
-		var buffer [1720]byte
-		zeroExtendAndCopy(buffer[bo.offsetR:], r.Bytes(), bo.baseSize)
-		zeroExtendAndCopy(buffer[bo.offsetS:], s.Bytes(), bo.baseSize)
-		zeroExtendAndCopy(buffer[bo.offsetHash:], e.Bytes(), bo.hashSize)
-		zeroExtendAndCopy(buffer[bo.offsetKey1:], pub.X.Bytes(), bo.baseSize)
-		zeroExtendAndCopy(buffer[bo.offsetRNorKey2:], pub.Y.Bytes(), bo.baseSize)
-		errn := kdsaSig(bo.functionCode, &buffer)
-		return errn == 0
-	}
-	return verifyGeneric(pub, c, e, r, s)
-}
diff --git a/libgo/go/crypto/ecdsa/ecdsa_s390x_test.go b/libgo/go/crypto/ecdsa/ecdsa_s390x_test.go
deleted file mode 100644
index 80babc9..0000000
--- a/libgo/go/crypto/ecdsa/ecdsa_s390x_test.go
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// +build s390x,!gccgo
-
-package ecdsa
-
-import (
-	"crypto/elliptic"
-	"testing"
-)
-
-func TestNoAsm(t *testing.T) {
-	curves := [...]elliptic.Curve{
-		elliptic.P256(),
-		elliptic.P384(),
-		elliptic.P521(),
-	}
-
-	for _, curve := range curves {
-		// override the name of the curve to stop the assembly path being taken
-		params := *curve.Params()
-		name := params.Name
-		params.Name = name + "_GENERIC_OVERRIDE"
-
-		testKeyGeneration(t, &params, name)
-		testSignAndVerify(t, &params, name)
-		testNonceSafety(t, &params, name)
-		testINDCCA(t, &params, name)
-		testNegativeInputs(t, &params, name)
-	}
-}
author	Ian Lance Taylor <iant@golang.org>	2020-01-02 15:05:27 -0800
committer	Ian Lance Taylor <iant@golang.org>	2020-01-21 23:53:22 -0800
commit	5a8ea165926cb0737ab03bc48c18dc5198ab5305 (patch)
tree	962dc3357c57f019f85658f99e2e753e30201c27 /libgo/go/crypto/ecdsa
parent	6ac6529e155c9baa0aaaed7aca06bd38ebda5b43 (diff)
download	gcc-5a8ea165926cb0737ab03bc48c18dc5198ab5305.zip gcc-5a8ea165926cb0737ab03bc48c18dc5198ab5305.tar.gz gcc-5a8ea165926cb0737ab03bc48c18dc5198ab5305.tar.bz2