For #15490.
Change-Id: Ic268a7d1d54814e903fc44f5f143008fb5d6dcde
Reviewed-on: https://go-review.googlesource.com/c/go/+/725663
TryBot-Bypass: Michael Knyszek <mknyszek@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Auto-Submit: Michael Knyszek <mknyszek@google.com>
Very similar to last release's note.
Change-Id: Ie7afe21d98cee1c9718e53b20e8af8ee18504bb9
Reviewed-on: https://go-review.googlesource.com/c/go/+/725921
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Keith Randall <khr@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Keith Randall <khr@golang.org>
For #74774.
Change-Id: I6a6a636c579fa95938021cc73d7d11a86f8a19a3
Reviewed-on: https://go-review.googlesource.com/c/go/+/725540
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
The Var.Kind stuff was in Go 1.25.
And the net additions were in the wrong tense and didn't have links.
Change-Id: Ie710e1d41c714fe627a3a21a5afb6b7f78301f68
Reviewed-on: https://go-review.googlesource.com/c/go/+/724780
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
Reviewed-by: Mark Freeman <markfreeman@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
First, we centralize all random bytes generation through drbg.Read. The
rest of the FIPS 140-3 module can't use external functions anyway, so
drbg.Read needs to have all the logic.
Then, make sure that the crypto/... tree uses drbg.Read (or the new
crypto/internal/rand.Reader wrapper) instead of crypto/rand, so it is
unaffected by applications setting crypto/rand.Reader.
Next, pass all unspecified random io.Reader parameters through the new
crypto/internal/rand.CustomReader, which just redirects to drbg.Read
unless GODEBUG=cryptocustomrand=1 is set. Move all the calls to
MaybeReadByte there, since it's only needed for these custom Readers.
Finally, add testing/cryptotest.SetGlobalRandom which sets
crypto/rand.Reader to a locked deterministic source and overrides
drbg.Read. This way SetGlobalRandom should affect all cryptographic
randomness in the standard library.
Fixes #70942
Co-authored-by: qiulaidongfeng <2645477756@qq.com>
Change-Id: I6a6a69641311d9fac318abcc6d79677f0e406100
Reviewed-on: https://go-review.googlesource.com/c/go/+/724480
Reviewed-by: Nicholas Husin <nsh@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Nicholas Husin <husin@google.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Implement secret.Do.
- When secret.Do returns:
  - Clear stack that is used by the argument function.
  - Clear all the registers that might contain secrets.
- On stack growth in secret mode, clear the old stack.
- When objects are allocated in secret mode, mark them and then zero
  the marked objects immediately when they are freed.
- If the argument function panics, raise that panic as if it originated
  from secret.Do. This removes anything about the secret function
  from tracebacks.
For now, this is only implemented on linux for arm64 and amd64.
This is a rebased version of Keith Randall's initial implementation at
CL 600635. I have added arm64 support, signal handling, preemption
handling and dealt with vDSOs spilling into system stacks.
Fixes #21865
Change-Id: I6fbd5a233beeaceb160785e0c0199a5c94d8e520
Co-authored-by: Keith Randall <khr@golang.org>
Reviewed-on: https://go-review.googlesource.com/c/go/+/704615
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Also update comment in cmd/dist's broken map to point to the top-level
umbrella issue.
For #76475.
For #75005.
Change-Id: I43b8384af4264dc5d72ceea8d05730b9db81123a
Reviewed-on: https://go-review.googlesource.com/c/go/+/724860
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Auto-Submit: Dmitri Shuralyov <dmitshur@golang.org>
TryBot-Bypass: Dmitri Shuralyov <dmitshur@golang.org>
WithoutEnforcement lets programs running under GODEBUG=fips140=only
selectively opt out of strict enforcement. This is especially helpful
for non-critical uses of cryptography routines like SHA-1 for content
addressable storage backends (e.g. git).
Fixes #74630
Change-Id: Iabba1f5eb63498db98047aca45e09c5dccf2fbdf
Reviewed-on: https://go-review.googlesource.com/c/go/+/723720
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
And OIDFromASN1OID for converting between asn1.ObjectIdentifier and OID.
Fixes #75325
Change-Id: I3b84dce54346d88aab731ffe30d0fef07b014f04
Reviewed-on: https://go-review.googlesource.com/c/go/+/724761
Reviewed-by: Neal Patel <nealpatel@google.com>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Commit-Queue: Neal Patel <nealpatel@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
The new methods are Type.Fields, Type.Methods, Type.Ins, Type.Outs,
Value.Fields and Value.Methods.
These methods have been introduced into the reflect package (as well
as tests) replacing three-clause for loops where possible.
Fixes #66631
Change-Id: Iab346e52c0eadd7817afae96d9ef73a35db65fd2
GitHub-Last-Rev: 8768ef71b9
GitHub-Pull-Request: golang/go#75646
Reviewed-on: https://go-review.googlesource.com/c/go/+/707356
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Alan Donovan <adonovan@google.com>
Auto-Submit: Alan Donovan <adonovan@google.com>
This commit adds fields to the ClientHelloInfo and ConnectionState
structures to represent hello retry request state information.
ClientHelloInfo gains a new HelloRetryRequest bool field that indicates
if the client hello was sent in response to a TLS 1.3 hello retry
request message previously emitted by the server.
ConnectionState gains a new HelloRetryRequest bool field that indicates
(depending on the connection role) whether the client received a TLS 1.3
hello retry request message from the server, or whether the server sent
such a message to a client.
Fixes #74425
Change-Id: Ic1a5290b8a4ba1568da1d2c2cf9f148150955fa5
Reviewed-on: https://go-review.googlesource.com/c/go/+/717440
Reviewed-by: Roland Shoemaker <roland@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Cherry Mui <cherryyz@google.com>
Auto-Submit: Daniel McCarney <daniel@binaryparadox.net>
For #75772
Change-Id: Iad7607b40636bab1faf8653455e92e9700309003
Reviewed-on: https://go-review.googlesource.com/c/go/+/722223
Reviewed-by: Nicholas Husin <nsh@golang.org>
Reviewed-by: Nicholas Husin <husin@google.com>
Auto-Submit: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
For #75836
Change-Id: I7fd515eb7fcdfb5944388ab42716fd81bc13a7b4
Reviewed-on: https://go-review.googlesource.com/c/go/+/723080
Reviewed-by: Cherry Mui <cherryyz@google.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>
Add a new QUICEvent type for reporting errors.
This provides a way to report errors that don't occur as a result of
QUICConn.Start, QUICConn.HandleData, or QUICConn.SendSessionTicket.
Fixes #75108
Change-Id: I941371a21f26b940e75287a66d7e0211fc0baab1
Reviewed-on: https://go-review.googlesource.com/c/go/+/719040
Auto-Submit: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Roland Shoemaker <roland@golang.org>
This is especially useful when combined with the nesting semantics of
context.Cause, and with errgroup's use of CancelCauseFunc.
For example, with the following code

    ctx, stop := signal.NotifyContext(context.Background(), os.Interrupt)
    defer stop()
    serveGroup, ctx := errgroup.WithContext(ctx)

calling context.Cause(ctx) after serveGroup.Wait() will return either
"interrupt signal received" (if that happens first) or the error from
serveGroup.
Change-Id: Ie181f5f84269f6e39defdad2d5fd8ead6a6a6964
Reviewed-on: https://go-review.googlesource.com/c/go/+/721700
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Mark Freeman <markfreeman@google.com>
Reviewed-by: Sean Liao <sean@liao.dev>
Auto-Submit: Filippo Valsorda <filippo@golang.org>
Reviewed-by: Ian Lance Taylor <iant@golang.org>
Commit-Queue: Junyang Shao <shaojunyang@google.com>
Reviewed-by: Junyang Shao <shaojunyang@google.com>
This CL causes the parser to record in a new field, BasicLit.EndPos,
the actual end position of each literal token, and to use it in
BasicLit.End. Previously, the End was computed heuristically as
Pos + len(Value). This heuristic is incorrect for a multiline
raw string literal on Windows, since the scanner normalizes
\r\n to \n.
Unfortunately the actual end position is not returned by the
Scanner.Scan method, so the scanner and parser conspire
using a global variable in the go/internal/scannerhook
package to communicate.
+ test, api change, relnote
Fixes #76031
Change-Id: I57c18a44e85f7403d470ba23d41dcdcc5a9432c2
Reviewed-on: https://go-review.googlesource.com/c/go/+/720060
Reviewed-by: Robert Griesemer <gri@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Also, use it in a number of places.
+ test, api, relnote
Fixes #75849
Change-Id: I44acf5b8190b964fd3975009aa407d7c82cee19b
Reviewed-on: https://go-review.googlesource.com/c/go/+/720061
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Robert Griesemer <gri@google.com>
RFC 3986 requires square brackets around IPv6 addresses.
Parse's acceptance of raw IPv6 addresses is non-compliant,
and complicates splitting out a port.
This is a resubmission of CL 710176 after the revert in CL 711800,
this time with a new urlstrictipv6 godebug to control the behavior.
Fixes #31024
Fixes #75223
Change-Id: I4cbe5bb84266b3efe9c98cf4300421ddf1df7291
Reviewed-on: https://go-review.googlesource.com/c/go/+/712840
Reviewed-by: Junyang Shao <shaojunyang@google.com>
Reviewed-by: Damien Neil <dneil@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
The internal linker was missing some pieces to support windows/arm64.
Closes #75485
Cq-Include-Trybots: luci.golang.try:gotip-windows-arm64
Change-Id: I5c18a47e63e09b8ae22c9b24832249b54f544b7e
Reviewed-on: https://go-review.googlesource.com/c/go/+/704295
Reviewed-by: Cherry Mui <cherryyz@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Michael Knyszek <mknyszek@google.com>
One reader pointed out that the example isn't compelling because
&age would have worked just as well. This CL changes the example
to use a nontrivial expression. Don't nitpick the arithmetic.
For #45624
Change-Id: Icc745f5ee7000c1d3559da1388c6a5596c4d1f46
Reviewed-on: https://go-review.googlesource.com/c/go/+/714040
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Alan Donovan <adonovan@google.com>
Reviewed-by: Robert Griesemer <gri@google.com>
This adds an ast.Directive API for parsing directive comments such as
"//go:build" and "//go:embed".
This will help tools standardize the syntax of these directive
comments. Even within the standard Go tools there's little agreement
on the finer details of the syntax of directives today.
Fixes #68021.
Change-Id: I84a988a667682c9ac70632df6e925461ac95e381
Reviewed-on: https://go-review.googlesource.com/c/go/+/704835
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Austin Clements <austin@google.com>
Reviewed-by: Mateusz Poliwczak <mpoliwczak34@gmail.com>
Reviewed-by: Alan Donovan <adonovan@google.com>
This change unifies the fix and vet subcommands; they use the
same run function, action graph, and external tool (-vettool
for go vet and -fixtool for go fix). go fix runs the tool
with the -fix flag, whereas although go vet also supports
-fix, it is not the default. The two tools have different
(overlapping) suites of analyzers.
The high-level parts are fully parameterized over the
vet/fix distinction; the lower-level parts (the action
graph) continue to use only the "vet" terminology.
The cmd/{vet,fix} executable is referred to as the "tool".
The tool is generally invoked in -json mode, regardless
of whether -json was requested, so that the tool produces
a cacheable JSON blob on stdout. When the go user did not
request -json, this blob is parsed and printed to stderr
by logic in the go vet command. (Formerly the tool would
print diagnostics to stderr, but this interacts poorly
with the build cache.)
go fix's legacy -fix=fixer,... flag is now a no-op that
prints a warning that the flag is obsolete.
The unitchecker's -c=n flag (to display n lines of context
around each diagnostic) is reimplemented in go vet based
on the JSON information, to avoid reliance on the stderr
output of the tool.
cmd/fix is added to dist's prebuilt set of tools since
go fix cannot build it dynamically (though ideally
it would).
Updates #71859
For #75432
Change-Id: I0a84746720b59d05d662ed57826747c5598dca44
Reviewed-on: https://go-review.googlesource.com/c/go/+/700795
Reviewed-by: Michael Matloob <matloob@google.com>
Auto-Submit: Alan Donovan <adonovan@google.com>
Reviewed-by: Michael Matloob <matloob@golang.org>
TryBot-Bypass: Alan Donovan <adonovan@google.com>
Add TB.ArtifactDir, which returns a directory for a test to store
output files in. Add a -artifacts testflag which enables persistent
storage of artifacts in the output directory (-outputdir, or the
current directory by default).
Fixes #71287
Change-Id: I5f6515a6cd6c103f88588f4c033d5ea11ffd0c3c
Reviewed-on: https://go-review.googlesource.com/c/go/+/696399
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Alan Donovan <adonovan@google.com>
The Director function has been superseded by Rewrite.
Rewrite avoids fundamental security issues with hop-by-hop header
handling in the Director API and has better default handling
of X-Forwarded-* headers.
Fixes #73161
Change-Id: Iadaf3070e0082458f79fb892ade51cb7ce832802
Reviewed-on: https://go-review.googlesource.com/c/go/+/708615
Reviewed-by: Nicholas Husin <husin@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Nicholas Husin <nsh@golang.org>
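
The Director/Rewrite difference described in the commit message above can be pinned down as a regression check. This is an added example, not code from the commit or the Go project; the header name X-Proxy-User, the host names, and the constructed inbound request are assumptions, and it needs Go 1.20 or later for Rewrite.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
)

// capture stands in for the backend: it records the headers the proxy sends.
type capture struct{ seen http.Header }

func (c *capture) RoundTrip(r *http.Request) (*http.Response, error) {
	c.seen = r.Header.Clone()
	return &http.Response{StatusCode: http.StatusOK, Header: http.Header{},
		Body: http.NoBody, Request: r}, nil
}

// viaDirector sets the (hypothetical) identity header in a Director hook.
// Hop-by-hop headers are stripped after Director runs, so the inbound
// Connection header still decides whether this header is forwarded.
func viaDirector(target *url.URL) *httputil.ReverseProxy {
	p := httputil.NewSingleHostReverseProxy(target)
	base := p.Director
	p.Director = func(r *http.Request) {
		base(r)
		r.Header.Set("X-Proxy-User", "alice")
	}
	return p
}

// viaRewrite sets the same header in a Rewrite hook. Hop-by-hop headers and
// inbound X-Forwarded-* are removed before Rewrite is called.
func viaRewrite(target *url.URL) *httputil.ReverseProxy {
	return &httputil.ReverseProxy{Rewrite: func(pr *httputil.ProxyRequest) {
		pr.SetURL(target)
		pr.SetXForwarded() // rebuilt from pr.In.RemoteAddr only
		pr.Out.Header.Set("X-Proxy-User", "alice")
	}}
}

// backendHeaders pushes one constructed request through p, without opening
// sockets, and returns the headers the backend would have received.
func backendHeaders(p *httputil.ReverseProxy) http.Header {
	c := &capture{}
	p.Transport = c
	in := httptest.NewRequest("GET", "http://proxy.example/", nil)
	in.Header.Set("Connection", "X-Proxy-User")     // inbound, untrusted
	in.Header.Set("X-Forwarded-For", "203.0.113.9") // inbound, untrusted
	p.ServeHTTP(httptest.NewRecorder(), in)
	return c.seen
}

func main() {
	target, _ := url.Parse("http://backend.example")
	fmt.Println("Director:", backendHeaders(viaDirector(target)))
	fmt.Println("Rewrite: ", backendHeaders(viaRewrite(target)))
}
```

A backend that authorizes on a proxy-set header should have a test of this shape in place when migrating from Director to Rewrite.
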
Add a field to HTTP2Config controlling how we behave when an HTTP/2
connection reaches its concurrency limit.
This field will have no effect until golang.org/x/net/http2 is
updated to make use of it, and h2_bundle.go is updated with the
new http2 package.
For #67813
Change-Id: Ic72a0986528abb21649f28e9fe7cf6e1236b388d
Reviewed-on: https://go-review.googlesource.com/c/go/+/615875
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Auto-Submit: Damien Neil <dneil@google.com>
Reviewed-by: Nicholas Husin <nsh@golang.org>
Reviewed-by: Nicholas Husin <husin@google.com>
Also, add a release note.
For #45624
Change-Id: I1a0e111e00885c9640c073000afb72731d0930fc
Reviewed-on: https://go-review.googlesource.com/c/go/+/704737
Auto-Submit: Alan Donovan <adonovan@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Robert Findley <rfindley@google.com>
This unfortunately nearly doubles the runtime of
NewPrivateKeyWithPrecomputation. It would be nice to find an alternative
way to check it.
fips140: off
goos: darwin
goarch: arm64
pkg: crypto/rsa
cpu: Apple M2
                              │ 6aeb841faf  │            62ec3e34f3             │
                              │   sec/op    │   sec/op     vs base              │
ParsePKCS8PrivateKey/2048-8     70.28µ ± 0%   116.16µ ± 0%  +65.28% (p=0.002 n=6)
Fixes #74115
Change-Id: I6a6a6964091817d9aee359cc48932167e55184b9
Reviewed-on: https://go-review.googlesource.com/c/go/+/687836
Auto-Submit: Filippo Valsorda <filippo@golang.org>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>
Reviewed-by: Mark Freeman <markfreeman@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Fixes #61642
Co-authored-by: David Anderson <dave@natulte.net>
Change-Id: I54795763bdc5f62da469c2ae20618c36b64396f3
Reviewed-on: https://go-review.googlesource.com/c/go/+/700355
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>
Reviewed-by: Damien Neil <dneil@google.com>
Auto-Submit: Michael Pratt <mpratt@google.com>
Reviewed-by: Michael Pratt <mpratt@google.com>
Add support for FILE_FLAG_* constants in the flag argument of
os.OpenFile and syscall.Open on Windows.
Passing invalid flags will result in an error.
Updates #73676
Change-Id: Ie215a3dd14f0d74141533f0a07865a02a67a3846
Reviewed-on: https://go-review.googlesource.com/c/go/+/699415
Reviewed-by: Damien Neil <dneil@google.com>
Reviewed-by: Cherry Mui <cherryyz@google.com>
LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>