diff --git a/doc/go1.20.html b/doc/go1.20.html index 6c007fe1ff..324d59ed6e 100644 --- a/doc/go1.20.html +++ b/doc/go1.20.html @@ -389,13 +389,13 @@ Do not send CLs removing the interior tags from such phrases.
Go 1.20 adds a new crypto/ecdh package
- to provide direct support for Elliptic Curve Diffie-Hellman key exchange
+ to provide explicit support for Elliptic Curve Diffie-Hellman key exchanges
over NIST curves and Curve25519.
- Programs should prefer to use crypto/ecdh
- or crypto/ecdsa
- instead of the lower-level functionality in crypto/elliptic.
+ Programs should use crypto/ecdh instead of the lower-level functionality in
+ crypto/elliptic for ECDH, and
+ third-party modules for more advanced use cases.
+ When using supported curves, all operations are now implemented in constant time. + This led to an increase in CPU time between 5% and 30%, mostly affecting P-384 and P-521. +
+
The new PrivateKey.ECDH method
converts an ecdsa.PrivateKey to an ecdh.PrivateKey.
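Review bot: The added sentence ending "and third-party modules for more advanced use cases" parses two ways. It can be read as "use crypto/ecdh instead of crypto/elliptic and instead of third-party modules", which is the opposite of the likely intent. Suggest splitting it, for example "Programs should use crypto/ecdh instead of the lower-level functionality in crypto/elliptic for ECDH. More advanced use cases should use third-party modules." The rewrite also drops the earlier pointer to crypto/ecdsa, so readers doing signatures with crypto/elliptic no longer get a recommendation here. The added constant-time paragraph ("When using supported curves, all operations are now implemented in constant time") does not name the package or the operations it covers as it reads in this hunk. Since it reports a 5% to 30% CPU cost, it should say which operations were measured.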
@@ -609,25 +614,21 @@ proxyHandler := &httputil.ReverseProxy{
- Use of custom Curve implementations
- not provided by this package (that is, curves other than
- P224,
- P256,
- P384, and
- P521)
- is deprecated.
-
The new field OAEPOptions.MGFHash
- allows configuring the MGF1 hash separately for OAEP encryption.
+ allows configuring the MGF1 hash separately for OAEP decryption.
+
+ crypto/rsa now uses a new, safer, constant-time backend. This causes a CPU
+ runtime increase for decryption operations between approximately 15%
+ (RSA-2048 on amd64) and 45% (RSA-4096 on arm64), and more on 32-bit architectures.
+ Encryption operations are approximately 20x slower than before (but still 5-10x faster than decryption).
+ Performance is expected to improve in future releases.
+ Programs must not modify or manually generate the fields of
+ PrecomputedValues.
- The TLS client now shares parsed certificates across all clients actively using that certificate. - The savings can be significant in programs that make many concurrent connections to a +
+ Parsed certificates are now shared across all clients actively using that certificate. + The memory savings can be significant in programs that make many concurrent connections to a server or collection of servers sharing any part of their certificate chains.
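Review bot: The requirement "Programs must not modify or manually generate the fields of PrecomputedValues" is appended to the end of the crypto/rsa performance paragraph, where a reader skimming the benchmark figures will miss it. It is the only behavioural rule in the paragraph, so it deserves its own paragraph. It should also state what happens if a program does populate the fields by hand (an error, a panic, or silently incorrect results), because that determines how urgently existing code needs auditing. Two smaller points. The removed deprecation notice for custom Curve implementations has no replacement in this hunk, so please confirm it now lives elsewhere in the document rather than being dropped. Also, "Parsed certificates are now shared across all clients" loses the "TLS client" subject that the old wording had, so a reader can no longer tell which clients are meant.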
@@ -660,22 +661,22 @@ proxyHandler := &httputil.ReverseProxy{
+ ParsePKCS8PrivateKey
and
MarshalPKCS8PrivateKey
now support keys of type *crypto/ecdh.PrivateKey.
- CreateCertificate
+ ParsePKIXPublicKey
and
MarshalPKIXPublicKey
now support keys of type *crypto/ecdh.PublicKey.
- X.509 unmarshaling continues to unmarshal elliptic curve keys into
+ Parsing NIST curve keys still returns values of type
*ecdsa.PublicKey and *ecdsa.PrivateKey.
- Use their new ECDH methods to convert to the crypto/ecdh form.
+ Use their new ECDH methods to convert to the crypto/ecdh types.
The new SetFallbackRoots
- function allows a program to define a set of fallback root certificates in case the
+ function allows a program to define a set of fallback root certificates in case an
operating system verifier or standard platform root bundle is unavailable at runtime.
It will most commonly be used with a new package, golang.org/x/crypto/x509roots/fallback,
which will provide an up to date root bundle.
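Review bot: The new wording says ParsePKCS8PrivateKey and ParsePKIXPublicKey "now support keys of type *crypto/ecdh.PrivateKey" and "*crypto/ecdh.PublicKey", then says "Parsing NIST curve keys still returns values of type *ecdsa.PublicKey and *ecdsa.PrivateKey". As written this reads as a contradiction, because the text never says which keys the parsers do return as crypto/ecdh types. Suggest stating explicitly which curve parses into the crypto/ecdh types and that NIST curve keys need the ECDH method conversion. Callers that type-switch on the parse result need to know that a new concrete type can now appear. Minor: "up to date root bundle" in the context line should be hyphenated as "up-to-date".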
@@ -832,6 +833,20 @@ proxyHandler := &httputil.ReverseProxy{
+ The math/big package's wide scope and + input-dependent timing make it ill-suited for implementing cryptography. + The cryptography packages in the standard library no longer call non-trivial + Int methods on attacker-controlled inputs. + In the future, the determination of whether a bug in math/big is + considered a security vulnerability will depend on its wider impact on the + standard library. +
+
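Review bot: In the added math/big paragraph, "non-trivial Int methods" is not defined, so a reader cannot tell which methods are considered safe on attacker-controlled input and which are not. Either list the methods meant or drop the qualifier. The closing sentence ("will depend on its wider impact on the standard library") describes how bugs will be triaged but gives no instruction to programs outside the standard library that build cryptography on math/big. Given the first sentence calls the package "ill-suited for implementing cryptography", suggest adding one direct sentence telling such programs what to do, so the security implication is not left to inference.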