diff --git a/src/crypto/ecdh/x25519.go b/src/crypto/ecdh/x25519.go index 5147b7e5e0..336c8e4c47 100644 --- a/src/crypto/ecdh/x25519.go +++ b/src/crypto/ecdh/x25519.go @@ -6,7 +6,7 @@ package ecdh import ( "bytes" - "crypto/internal/edwards25519/field" + "crypto/internal/fips/edwards25519/field" "crypto/internal/randutil" "errors" "io" diff --git a/src/crypto/ed25519/ed25519.go b/src/crypto/ed25519/ed25519.go index b75c5a6458..5cfd5b0acc 100644 --- a/src/crypto/ed25519/ed25519.go +++ b/src/crypto/ed25519/ed25519.go @@ -18,7 +18,7 @@ package ed25519 import ( "bytes" "crypto" - "crypto/internal/edwards25519" + "crypto/internal/fips/edwards25519" cryptorand "crypto/rand" "crypto/sha512" "crypto/subtle" diff --git a/src/crypto/internal/edwards25519/doc.go b/src/crypto/internal/fips/edwards25519/doc.go similarity index 100% rename from src/crypto/internal/edwards25519/doc.go rename to src/crypto/internal/fips/edwards25519/doc.go diff --git a/src/crypto/internal/edwards25519/edwards25519.go b/src/crypto/internal/fips/edwards25519/edwards25519.go similarity index 99% rename from src/crypto/internal/edwards25519/edwards25519.go rename to src/crypto/internal/fips/edwards25519/edwards25519.go index e162dc8cbd..c5bcfc231e 100644 --- a/src/crypto/internal/edwards25519/edwards25519.go +++ b/src/crypto/internal/fips/edwards25519/edwards25519.go @@ -5,7 +5,7 @@ package edwards25519 import ( - "crypto/internal/edwards25519/field" + "crypto/internal/fips/edwards25519/field" "errors" ) diff --git a/src/crypto/internal/edwards25519/edwards25519_test.go b/src/crypto/internal/fips/edwards25519/edwards25519_test.go similarity index 95% rename from src/crypto/internal/edwards25519/edwards25519_test.go rename to src/crypto/internal/fips/edwards25519/edwards25519_test.go index 6edea03546..f2c6f8694f 100644 --- a/src/crypto/internal/edwards25519/edwards25519_test.go +++ b/src/crypto/internal/fips/edwards25519/edwards25519_test.go @@ -5,8 +5,7 @@ package edwards25519 import ( - "crypto/internal/cryptotest" - "crypto/internal/edwards25519/field" + "crypto/internal/fips/edwards25519/field" "encoding/hex" "reflect" "testing" @@ -277,21 +276,6 @@ func TestNonCanonicalPoints(t *testing.T) { } } -var testAllocationsSink byte - -func TestAllocations(t *testing.T) { - cryptotest.SkipTestAllocations(t) - if allocs := testing.AllocsPerRun(100, func() { - p := NewIdentityPoint() - p.Add(p, NewGeneratorPoint()) - s := NewScalar() - testAllocationsSink ^= s.Bytes()[0] - testAllocationsSink ^= p.Bytes()[0] - }); allocs > 0 { - t.Errorf("expected zero allocations, got %0.1v", allocs) - } -} - func decodeHex(s string) []byte { b, err := hex.DecodeString(s) if err != nil { diff --git a/src/crypto/internal/edwards25519/field/_asm/fe_amd64_asm.go b/src/crypto/internal/fips/edwards25519/field/_asm/fe_amd64_asm.go similarity index 99% rename from src/crypto/internal/edwards25519/field/_asm/fe_amd64_asm.go rename to src/crypto/internal/fips/edwards25519/field/_asm/fe_amd64_asm.go index 6765a688f4..36df39fca0 100644 --- a/src/crypto/internal/edwards25519/field/_asm/fe_amd64_asm.go +++ b/src/crypto/internal/fips/edwards25519/field/_asm/fe_amd64_asm.go @@ -16,7 +16,7 @@ import ( //go:generate go run . -out ../fe_amd64.s -stubs ../fe_amd64.go -pkg field func main() { - Package("crypto/internal/edwards25519/field") + Package("crypto/internal/fips/edwards25519/field") ConstraintExpr("!purego") feMul() feSquare() diff --git a/src/crypto/internal/edwards25519/field/_asm/go.mod b/src/crypto/internal/fips/edwards25519/field/_asm/go.mod similarity index 83% rename from src/crypto/internal/edwards25519/field/_asm/go.mod rename to src/crypto/internal/fips/edwards25519/field/_asm/go.mod index 24ad644f76..ad95a61f8a 100644 --- a/src/crypto/internal/edwards25519/field/_asm/go.mod +++ b/src/crypto/internal/fips/edwards25519/field/_asm/go.mod @@ -1,4 +1,4 @@ -module std/crypto/internal/edwards25519/field/_asm +module std/crypto/internal/fips/edwards25519/field/_asm go 1.19 diff --git a/src/crypto/internal/edwards25519/field/_asm/go.sum b/src/crypto/internal/fips/edwards25519/field/_asm/go.sum similarity index 100% rename from src/crypto/internal/edwards25519/field/_asm/go.sum rename to src/crypto/internal/fips/edwards25519/field/_asm/go.sum diff --git a/src/crypto/internal/edwards25519/field/fe.go b/src/crypto/internal/fips/edwards25519/field/fe.go similarity index 97% rename from src/crypto/internal/edwards25519/field/fe.go rename to src/crypto/internal/fips/edwards25519/field/fe.go index 8a531f078e..e6402afa65 100644 --- a/src/crypto/internal/edwards25519/field/fe.go +++ b/src/crypto/internal/fips/edwards25519/field/fe.go @@ -6,9 +6,9 @@ package field import ( - "crypto/subtle" + "crypto/internal/fips/subtle" + "crypto/internal/fipsdeps/byteorder" "errors" - "internal/byteorder" "math/bits" ) @@ -201,20 +201,20 @@ func (v *Element) SetBytes(x []byte) (*Element, error) { } // Bits 0:51 (bytes 0:8, bits 0:64, shift 0, mask 51). - v.l0 = byteorder.LeUint64(x[0:8]) + v.l0 = byteorder.LEUint64(x[0:8]) v.l0 &= maskLow51Bits // Bits 51:102 (bytes 6:14, bits 48:112, shift 3, mask 51). - v.l1 = byteorder.LeUint64(x[6:14]) >> 3 + v.l1 = byteorder.LEUint64(x[6:14]) >> 3 v.l1 &= maskLow51Bits // Bits 102:153 (bytes 12:20, bits 96:160, shift 6, mask 51). - v.l2 = byteorder.LeUint64(x[12:20]) >> 6 + v.l2 = byteorder.LEUint64(x[12:20]) >> 6 v.l2 &= maskLow51Bits // Bits 153:204 (bytes 19:27, bits 152:216, shift 1, mask 51). - v.l3 = byteorder.LeUint64(x[19:27]) >> 1 + v.l3 = byteorder.LEUint64(x[19:27]) >> 1 v.l3 &= maskLow51Bits // Bits 204:255 (bytes 24:32, bits 192:256, shift 12, mask 51). // Note: not bytes 25:33, shift 4, to avoid overread. - v.l4 = byteorder.LeUint64(x[24:32]) >> 12 + v.l4 = byteorder.LEUint64(x[24:32]) >> 12 v.l4 &= maskLow51Bits return v, nil @@ -235,7 +235,7 @@ func (v *Element) bytes(out *[32]byte) []byte { var buf [8]byte for i, l := range [5]uint64{t.l0, t.l1, t.l2, t.l3, t.l4} { bitsOffset := i * 51 - byteorder.LePutUint64(buf[:], l<= len(out) { diff --git a/src/crypto/internal/edwards25519/field/fe_alias_test.go b/src/crypto/internal/fips/edwards25519/field/fe_alias_test.go similarity index 100% rename from src/crypto/internal/edwards25519/field/fe_alias_test.go rename to src/crypto/internal/fips/edwards25519/field/fe_alias_test.go diff --git a/src/crypto/internal/edwards25519/field/fe_amd64.go b/src/crypto/internal/fips/edwards25519/field/fe_amd64.go similarity index 100% rename from src/crypto/internal/edwards25519/field/fe_amd64.go rename to src/crypto/internal/fips/edwards25519/field/fe_amd64.go diff --git a/src/crypto/internal/edwards25519/field/fe_amd64.s b/src/crypto/internal/fips/edwards25519/field/fe_amd64.s similarity index 100% rename from src/crypto/internal/edwards25519/field/fe_amd64.s rename to src/crypto/internal/fips/edwards25519/field/fe_amd64.s diff --git a/src/crypto/internal/edwards25519/field/fe_amd64_noasm.go b/src/crypto/internal/fips/edwards25519/field/fe_amd64_noasm.go similarity index 100% rename from src/crypto/internal/edwards25519/field/fe_amd64_noasm.go rename to src/crypto/internal/fips/edwards25519/field/fe_amd64_noasm.go diff --git a/src/crypto/internal/edwards25519/field/fe_arm64.go b/src/crypto/internal/fips/edwards25519/field/fe_arm64.go similarity index 100% rename from src/crypto/internal/edwards25519/field/fe_arm64.go rename to src/crypto/internal/fips/edwards25519/field/fe_arm64.go diff --git a/src/crypto/internal/edwards25519/field/fe_arm64.s b/src/crypto/internal/fips/edwards25519/field/fe_arm64.s similarity index 100% rename from src/crypto/internal/edwards25519/field/fe_arm64.s rename to src/crypto/internal/fips/edwards25519/field/fe_arm64.s diff --git a/src/crypto/internal/edwards25519/field/fe_arm64_noasm.go b/src/crypto/internal/fips/edwards25519/field/fe_arm64_noasm.go similarity index 100% rename from src/crypto/internal/edwards25519/field/fe_arm64_noasm.go rename to src/crypto/internal/fips/edwards25519/field/fe_arm64_noasm.go diff --git a/src/crypto/internal/edwards25519/field/fe_bench_test.go b/src/crypto/internal/fips/edwards25519/field/fe_bench_test.go similarity index 100% rename from src/crypto/internal/edwards25519/field/fe_bench_test.go rename to src/crypto/internal/fips/edwards25519/field/fe_bench_test.go diff --git a/src/crypto/internal/edwards25519/field/fe_generic.go b/src/crypto/internal/fips/edwards25519/field/fe_generic.go similarity index 100% rename from src/crypto/internal/edwards25519/field/fe_generic.go rename to src/crypto/internal/fips/edwards25519/field/fe_generic.go diff --git a/src/crypto/internal/edwards25519/field/fe_test.go b/src/crypto/internal/fips/edwards25519/field/fe_test.go similarity index 88% rename from src/crypto/internal/edwards25519/field/fe_test.go rename to src/crypto/internal/fips/edwards25519/field/fe_test.go index a24fbfeb90..0d7ae2b0f6 100644 --- a/src/crypto/internal/edwards25519/field/fe_test.go +++ b/src/crypto/internal/fips/edwards25519/field/fe_test.go @@ -433,55 +433,55 @@ func TestMult32(t *testing.T) { func TestSqrtRatio(t *testing.T) { // From draft-irtf-cfrg-ristretto255-decaf448-00, Appendix A.4. type test struct { - u, v string + u, v []byte wasSquare int - r string + r []byte } var tests = []test{ // If u is 0, the function is defined to return (0, TRUE), even if v // is zero. Note that where used in this package, the denominator v // is never zero. { - "0000000000000000000000000000000000000000000000000000000000000000", - "0000000000000000000000000000000000000000000000000000000000000000", - 1, "0000000000000000000000000000000000000000000000000000000000000000", + decodeHex("0000000000000000000000000000000000000000000000000000000000000000"), + decodeHex("0000000000000000000000000000000000000000000000000000000000000000"), + 1, decodeHex("0000000000000000000000000000000000000000000000000000000000000000"), }, // 0/1 == 0² { - "0000000000000000000000000000000000000000000000000000000000000000", - "0100000000000000000000000000000000000000000000000000000000000000", - 1, "0000000000000000000000000000000000000000000000000000000000000000", + decodeHex("0000000000000000000000000000000000000000000000000000000000000000"), + decodeHex("0100000000000000000000000000000000000000000000000000000000000000"), + 1, decodeHex("0000000000000000000000000000000000000000000000000000000000000000"), }, // If u is non-zero and v is zero, defined to return (0, FALSE). { - "0100000000000000000000000000000000000000000000000000000000000000", - "0000000000000000000000000000000000000000000000000000000000000000", - 0, "0000000000000000000000000000000000000000000000000000000000000000", + decodeHex("0100000000000000000000000000000000000000000000000000000000000000"), + decodeHex("0000000000000000000000000000000000000000000000000000000000000000"), + 0, decodeHex("0000000000000000000000000000000000000000000000000000000000000000"), }, // 2/1 is not square in this field. { - "0200000000000000000000000000000000000000000000000000000000000000", - "0100000000000000000000000000000000000000000000000000000000000000", - 0, "3c5ff1b5d8e4113b871bd052f9e7bcd0582804c266ffb2d4f4203eb07fdb7c54", + decodeHex("0200000000000000000000000000000000000000000000000000000000000000"), + decodeHex("0100000000000000000000000000000000000000000000000000000000000000"), + 0, decodeHex("3c5ff1b5d8e4113b871bd052f9e7bcd0582804c266ffb2d4f4203eb07fdb7c54"), }, // 4/1 == 2² { - "0400000000000000000000000000000000000000000000000000000000000000", - "0100000000000000000000000000000000000000000000000000000000000000", - 1, "0200000000000000000000000000000000000000000000000000000000000000", + decodeHex("0400000000000000000000000000000000000000000000000000000000000000"), + decodeHex("0100000000000000000000000000000000000000000000000000000000000000"), + 1, decodeHex("0200000000000000000000000000000000000000000000000000000000000000"), }, // 1/4 == (2⁻¹)² == (2^(p-2))² per Euler's theorem { - "0100000000000000000000000000000000000000000000000000000000000000", - "0400000000000000000000000000000000000000000000000000000000000000", - 1, "f6ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f", + decodeHex("0100000000000000000000000000000000000000000000000000000000000000"), + decodeHex("0400000000000000000000000000000000000000000000000000000000000000"), + 1, decodeHex("f6ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff3f"), }, } for i, tt := range tests { - u, _ := new(Element).SetBytes(decodeHex(tt.u)) - v, _ := new(Element).SetBytes(decodeHex(tt.v)) - want, _ := new(Element).SetBytes(decodeHex(tt.r)) + u, _ := new(Element).SetBytes(tt.u) + v, _ := new(Element).SetBytes(tt.v) + want, _ := new(Element).SetBytes(tt.r) got, wasSquare := new(Element).SqrtRatio(u, v) if got.Equal(want) == 0 || wasSquare != tt.wasSquare { t.Errorf("%d: got (%v, %v), want (%v, %v)", i, got, wasSquare, want, tt.wasSquare) diff --git a/src/crypto/internal/edwards25519/scalar.go b/src/crypto/internal/fips/edwards25519/scalar.go similarity index 99% rename from src/crypto/internal/edwards25519/scalar.go rename to src/crypto/internal/fips/edwards25519/scalar.go index 9f652faca1..ec2c7fa398 100644 --- a/src/crypto/internal/edwards25519/scalar.go +++ b/src/crypto/internal/fips/edwards25519/scalar.go @@ -5,8 +5,8 @@ package edwards25519 import ( + "crypto/internal/fipsdeps/byteorder" "errors" - "internal/byteorder" ) // A Scalar is an integer modulo @@ -271,7 +271,7 @@ func (s *Scalar) nonAdjacentForm(w uint) [256]int8 { var digits [5]uint64 for i := 0; i < 4; i++ { - digits[i] = byteorder.LeUint64(b[i*8:]) + digits[i] = byteorder.LEUint64(b[i*8:]) } width := uint64(1 << w) diff --git a/src/crypto/internal/edwards25519/scalar_alias_test.go b/src/crypto/internal/fips/edwards25519/scalar_alias_test.go similarity index 100% rename from src/crypto/internal/edwards25519/scalar_alias_test.go rename to src/crypto/internal/fips/edwards25519/scalar_alias_test.go diff --git a/src/crypto/internal/edwards25519/scalar_fiat.go b/src/crypto/internal/fips/edwards25519/scalar_fiat.go similarity index 100% rename from src/crypto/internal/edwards25519/scalar_fiat.go rename to src/crypto/internal/fips/edwards25519/scalar_fiat.go diff --git a/src/crypto/internal/edwards25519/scalar_test.go b/src/crypto/internal/fips/edwards25519/scalar_test.go similarity index 100% rename from src/crypto/internal/edwards25519/scalar_test.go rename to src/crypto/internal/fips/edwards25519/scalar_test.go diff --git a/src/crypto/internal/edwards25519/scalarmult.go b/src/crypto/internal/fips/edwards25519/scalarmult.go similarity index 100% rename from src/crypto/internal/edwards25519/scalarmult.go rename to src/crypto/internal/fips/edwards25519/scalarmult.go diff --git a/src/crypto/internal/edwards25519/scalarmult_test.go b/src/crypto/internal/fips/edwards25519/scalarmult_test.go similarity index 100% rename from src/crypto/internal/edwards25519/scalarmult_test.go rename to src/crypto/internal/fips/edwards25519/scalarmult_test.go diff --git a/src/crypto/internal/edwards25519/tables.go b/src/crypto/internal/fips/edwards25519/tables.go similarity index 99% rename from src/crypto/internal/edwards25519/tables.go rename to src/crypto/internal/fips/edwards25519/tables.go index 83234bbc0f..4d2a653d43 100644 --- a/src/crypto/internal/edwards25519/tables.go +++ b/src/crypto/internal/fips/edwards25519/tables.go @@ -5,7 +5,7 @@ package edwards25519 import ( - "crypto/subtle" + "crypto/internal/fips/subtle" ) // A dynamic lookup table for variable-base, constant-time scalar muls. diff --git a/src/crypto/internal/edwards25519/tables_test.go b/src/crypto/internal/fips/edwards25519/tables_test.go similarity index 100% rename from src/crypto/internal/edwards25519/tables_test.go rename to src/crypto/internal/fips/edwards25519/tables_test.go diff --git a/src/crypto/internal/fipstest/edwards25519_test.go b/src/crypto/internal/fipstest/edwards25519_test.go new file mode 100644 index 0000000000..b09a167f96 --- /dev/null +++ b/src/crypto/internal/fipstest/edwards25519_test.go @@ -0,0 +1,26 @@ +// Copyright 2024 The Go Authors. All rights reserved. +// Use of this source code is governed by a BSD-style +// license that can be found in the LICENSE file. + +package fipstest + +import ( + "crypto/internal/cryptotest" + . "crypto/internal/fips/edwards25519" + "testing" +) + +var testAllocationsSink byte + +func TestEdwards25519Allocations(t *testing.T) { + cryptotest.SkipTestAllocations(t) + if allocs := testing.AllocsPerRun(100, func() { + p := NewIdentityPoint() + p.Add(p, NewGeneratorPoint()) + s := NewScalar() + testAllocationsSink ^= s.Bytes()[0] + testAllocationsSink ^= p.Bytes()[0] + }); allocs > 0 { + t.Errorf("expected zero allocations, got %0.1v", allocs) + } +} diff --git a/src/go/build/deps_test.go b/src/go/build/deps_test.go index 50e1692fa1..0071fc5989 100644 --- a/src/go/build/deps_test.go +++ b/src/go/build/deps_test.go @@ -480,6 +480,8 @@ var depsRules = ` < crypto/internal/fips/nistec < crypto/internal/fips/ecdh < crypto/internal/fips/ecdsa + < crypto/internal/fips/edwards25519/field + < crypto/internal/fips/edwards25519 < FIPS; FIPS < crypto/internal/fips/check/checktest; @@ -503,16 +505,11 @@ var depsRules = ` < crypto/internal/boring < crypto/boring; - crypto/internal/fips/alias, - crypto/subtle, embed - < crypto/internal/edwards25519/field - < crypto/internal/edwards25519; - crypto/boring < crypto/aes, crypto/des, crypto/hmac, crypto/md5, crypto/rc4, crypto/sha1, crypto/sha256, crypto/sha512; - crypto/boring, crypto/internal/edwards25519/field + crypto/boring, crypto/internal/fips/edwards25519/field < crypto/ecdh; # Unfortunately, stuck with reflect via encoding/binary. @@ -522,7 +519,6 @@ var depsRules = ` crypto/des, crypto/ecdh, crypto/hmac, - crypto/internal/edwards25519, crypto/md5, crypto/rc4, crypto/sha1,