go vet was reporting

  blamka_amd64.s:203:1: [amd64] mixBlocksSSE2: invalid offset a+24(FP); expected a+8(FP)
  blamka_amd64.s:226:1: [amd64] xorBlocksSSE2: invalid offset a+24(FP); expected a+8(FP)
  blamka_amd64.s:204:1: frame pointer is clobbered before saving
  blamka_amd64.s:227:1: frame pointer is clobbered before saving

Also fix a similar naming issue in sha3:

  sha3\keccakf_amd64.s:325:1: [amd64] keccakF1600: unknown variable state; offset 0 is a+0(FP)

Updates golang/go#47027

Change-Id: Ia74852cdb0721ae0216787054197b0cac9e1c0f8
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/332289
Reviewed-by: Michael Knyszek <[email protected]>
Reviewed-by: Nicola Murino <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>
Reviewed-by: Filippo Valsorda <[email protected]>

When an error is returned by a user defined host key callback,
it is now possible to handle it using standard Go mechanisms
such as errors.Is or errors.As.

Fixes golang/go#61309

Change-Id: I4269c5f8eacd8e7e8d85070ad249f0e27777b15f
GitHub-Last-Rev: d2a34d5
GitHub-Pull-Request: #266
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/508876
Run-TryBot: Nicola Murino <[email protected]>
Auto-Submit: Dmitri Shuralyov <[email protected]>
Reviewed-by: Muhammad Shulhan <[email protected]>
Reviewed-by: Michael Knyszek <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Nicola Murino <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

Other packages already dropped compatibility with go < 1.12, so it
should be safe to remove it for this package as well.

Change-Id: I7e894fd11d2e7d1fe28c647bd921399a9a6e30d0
GitHub-Last-Rev: 2b4f576
GitHub-Pull-Request: #240
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/448240
Run-TryBot: Nicola Murino <[email protected]>
Reviewed-by: Joedian Reid <[email protected]>
Reviewed-by: Nicola Murino <[email protected]>
Commit-Queue: Nicola Murino <[email protected]>
Auto-Submit: Nicola Murino <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Reviewed-by: Michael Knyszek <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>

Sending a window adjustment after every read is unnecessarily chatty,
especially with a series of small reads like with TTY interactions.

Copy OpenSSH's logic for deferring these, which seemingly hasn't changed
since 2007. Note that since channelWindowSize and c.maxIncomingPayload
are currently constants here, the two checks could be combined into a
single check for c.myWindow < 2 MiB - 96 KiB (with the current values
of the constants).

Fixes golang/go#57424.

Change-Id: Ifcef5be76fcc3f0b1a6dc396096bed9c50d64f21
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/459915
Reviewed-by: Nicola Murino <[email protected]>
Reviewed-by: Michael Knyszek <[email protected]>
Run-TryBot: Nicola Murino <[email protected]>
Auto-Submit: Nicola Murino <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Commit-Queue: Nicola Murino <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

This is an automated CL which updates the NSS root bundle.

Change-Id: Ib8c85dc815297de7b59c3e23b0ad029baaf948ec
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/543735
Auto-Submit: Gopher Robot <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Dmitri Shuralyov <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>

This PR ensures that the net.Conn passed to ssh.NewServerConn is closed
on all error return paths, not just after a failed handshake. This matches
the behavior of ssh.NewClientConn.

Change-Id: Id8a51d10ae8d575cbbe26f2ef6b37de7cca840ec
GitHub-Last-Rev: 81bb2e5
GitHub-Pull-Request: #279
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/549095
Run-TryBot: Nicola Murino <[email protected]>
Auto-Submit: Nicola Murino <[email protected]>
Reviewed-by: Roland Shoemaker <[email protected]>
Reviewed-by: Nicola Murino <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>
Reviewed-by: Michael Pratt <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>

Implement the "strict KEX" protocol changes, as described in section
1.9 of the OpenSSH PROTOCOL file (as of OpenSSH version 9.6/9.6p1).

Namely this makes the following changes:
  * Both the server and the client add an additional algorithm to the
    initial KEXINIT message, indicating support for the strict KEX mode.
  * When one side of the connection sees the strict KEX extension
    algorithm, the strict KEX mode is enabled for messages originating
    from the other side of the connection. If the sequence number for
    the side which requested the extension is not 1 (indicating that it
    has already received non-KEXINIT packets), the connection is
    terminated.
  * When strict kex mode is enabled, unexpected messages during the
    handshake are considered fatal. Additionally when a key change
    occurs (on the receipt of the NEWKEYS message) the message sequence
    numbers are reset.

Thanks to Fabian Bäumer, Marcus Brinkmann, and Jörg Schwenk from Ruhr
University Bochum for reporting this issue.

Fixes CVE-2023-48795
Fixes golang/go#64784

Change-Id: I96b53afd2bd2fb94d2b6f2a46a5dacf325357604
Reviewed-on: https://go-review.googlesource.com/c/crypto/+/550715
Reviewed-by: Nicola Murino <[email protected]>
Reviewed-by: Tatiana Bradley <[email protected]>
TryBot-Result: Gopher Robot <[email protected]>
Run-TryBot: Roland Shoemaker <[email protected]>
Reviewed-by: Damien Neil <[email protected]>
LUCI-TryBot-Result: Go LUCI <[email protected]>