Merge branch 'golang:master' into AccountKeyRollover

tailscale · May 13, 2022 · 12cfe9b · 12cfe9b
2 parents 3270492 + c6db032
commit 12cfe9b
Show file tree

Hide file tree

Showing 8 changed files with 222 additions and 165 deletions.
diff --git a/acme/autocert/internal/acmetest/ca.go b/acme/autocert/internal/acmetest/ca.go
@@ -380,7 +380,7 @@ func (ca *CAServer) handle(w http.ResponseWriter, r *http.Request) {
 			ca.httpErrorf(w, http.StatusBadRequest, "challenge accept: %v", err)
 			return
 		}
-		go ca.validateChallenge(a, typ)
+		ca.validateChallenge(a, typ)
 		w.Write([]byte("{}"))
 
 	// Get authorization status requests.

diff --git a/internal/wycheproof/boring.go b/internal/wycheproof/boring.go
@@ -0,0 +1,9 @@
+// Copyright 2022 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+//go:build boringcrypto
+
+package wycheproof
+
+const boringcryptoEnabled = true
diff --git a/internal/wycheproof/ecdh_test.go b/internal/wycheproof/ecdh_test.go
@@ -0,0 +1,163 @@
+// Copyright 2019 The Go Authors. All rights reserved.
+// Use of this source code is governed by a BSD-style
+// license that can be found in the LICENSE file.
+
+package wycheproof
+
+import (
+	"bytes"
+	"crypto/ecdsa"
+	"crypto/elliptic"
+	"crypto/x509"
+	"encoding/asn1"
+	"errors"
+	"fmt"
+	"testing"
+
+	"golang.org/x/crypto/cryptobyte"
+	casn1 "golang.org/x/crypto/cryptobyte/asn1"
+)
+
+func TestECDH(t *testing.T) {
+	type ECDHTestVector struct {
+		// A brief description of the test case
+		Comment string `json:"comment,omitempty"`
+		// A list of flags
+		Flags []string `json:"flags,omitempty"`
+		// the private key
+		Private string `json:"private,omitempty"`
+		// Encoded public key
+		Public string `json:"public,omitempty"`
+		// Test result
+		Result string `json:"result,omitempty"`
+		// The shared secret key
+		Shared string `json:"shared,omitempty"`
+		// Identifier of the test case
+		TcID int `json:"tcId,omitempty"`
+	}
+
+	type ECDHTestGroup struct {
+		Curve string            `json:"curve,omitempty"`
+		Tests []*ECDHTestVector `json:"tests,omitempty"`
+	}
+
+	type Root struct {
+		TestGroups []*ECDHTestGroup `json:"testGroups,omitempty"`
+	}
+
+	flagsShouldPass := map[string]bool{
+		// ParsePKIXPublicKey doesn't support compressed points, but we test
+		// them against UnmarshalCompressed anyway.
+		"CompressedPoint": true,
+		// We don't support decoding custom curves.
+		"UnnamedCurve": false,
+		// WrongOrder and UnusedParam are only found with UnnamedCurve.
+		"WrongOrder":  false,
+		"UnusedParam": false,
+	}
+
+	// supportedCurves is a map of all elliptic curves supported
+	// by crypto/elliptic, which can subsequently be parsed and tested.
+	supportedCurves := map[string]bool{
+		"secp224r1": true,
+		"secp256r1": true,
+		"secp384r1": true,
+		"secp521r1": true,
+	}
+
+	var root Root
+	readTestVector(t, "ecdh_test.json", &root)
+	for _, tg := range root.TestGroups {
+		if !supportedCurves[tg.Curve] {
+			continue
+		}
+		for _, tt := range tg.Tests {
+			tg, tt := tg, tt
+			t.Run(fmt.Sprintf("%s/%d", tg.Curve, tt.TcID), func(t *testing.T) {
+				t.Logf("Type: %v", tt.Result)
+				t.Logf("Flags: %q", tt.Flags)
+				t.Log(tt.Comment)
+
+				shouldPass := shouldPass(tt.Result, tt.Flags, flagsShouldPass)
+
+				p := decodeHex(tt.Public)
+				pp, err := x509.ParsePKIXPublicKey(p)
+				if err != nil {
+					pp, err = decodeCompressedPKIX(p)
+				}
+				if err != nil {
+					if shouldPass {
+						t.Errorf("unexpected parsing error: %s", err)
+					}
+					return
+				}
+				pub := pp.(*ecdsa.PublicKey)
+
+				priv := decodeHex(tt.Private)
+				shared := decodeHex(tt.Shared)
+
+				x, _ := pub.Curve.ScalarMult(pub.X, pub.Y, priv)
+				xBytes := make([]byte, (pub.Curve.Params().BitSize+7)/8)
+				got := bytes.Equal(shared, x.FillBytes(xBytes))
+
+				if want := shouldPass; got != want {
+					t.Errorf("wanted success %v, got %v", want, got)
+				}
+			})
+		}
+	}
+}
+
+func decodeCompressedPKIX(der []byte) (interface{}, error) {
+	s := cryptobyte.String(der)
+	var s1, s2 cryptobyte.String
+	var algoOID, namedCurveOID asn1.ObjectIdentifier
+	var pointDER []byte
+	if !s.ReadASN1(&s1, casn1.SEQUENCE) || !s.Empty() ||
+		!s1.ReadASN1(&s2, casn1.SEQUENCE) ||
+		!s2.ReadASN1ObjectIdentifier(&algoOID) ||
+		!s2.ReadASN1ObjectIdentifier(&namedCurveOID) || !s2.Empty() ||
+		!s1.ReadASN1BitStringAsBytes(&pointDER) || !s1.Empty() {
+		return nil, errors.New("failed to parse PKIX structure")
+	}
+
+	if !algoOID.Equal(oidPublicKeyECDSA) {
+		return nil, errors.New("wrong algorithm OID")
+	}
+	namedCurve := namedCurveFromOID(namedCurveOID)
+	if namedCurve == nil {
+		return nil, errors.New("unsupported elliptic curve")
+	}
+	x, y := elliptic.UnmarshalCompressed(namedCurve, pointDER)
+	if x == nil {
+		return nil, errors.New("failed to unmarshal elliptic curve point")
+	}
+	pub := &ecdsa.PublicKey{
+		Curve: namedCurve,
+		X:     x,
+		Y:     y,
+	}
+	return pub, nil
+}
+
+var (
+	oidPublicKeyECDSA = asn1.ObjectIdentifier{1, 2, 840, 10045, 2, 1}
+	oidNamedCurveP224 = asn1.ObjectIdentifier{1, 3, 132, 0, 33}
+	oidNamedCurveP256 = asn1.ObjectIdentifier{1, 2, 840, 10045, 3, 1, 7}
+	oidNamedCurveP384 = asn1.ObjectIdentifier{1, 3, 132, 0, 34}
+	oidNamedCurveP521 = asn1.ObjectIdentifier{1, 3, 132, 0, 35}
+)
+
+func namedCurveFromOID(oid asn1.ObjectIdentifier) elliptic.Curve {
+	switch {
+	case oid.Equal(oidNamedCurveP224):
+		return elliptic.P224()
+	case oid.Equal(oidNamedCurveP256):
+		return elliptic.P256()
+	case oid.Equal(oidNamedCurveP384):
+		return elliptic.P384()
+	case oid.Equal(oidNamedCurveP521):
+		return elliptic.P521()
+	}
+	return nil
+}
diff --git a/internal/wycheproof/ecdsa_compat_test.go b/internal/wycheproof/ecdsa_compat_test.go
diff --git a/internal/wycheproof/ecdsa_go115_test.go b/internal/wycheproof/ecdsa_go115_test.go