The cipher needs to load the stream in LE order. Use the bytereversing loads on BE.Also, remove the unused variable poly1305Mask in the PPC64asm file too.Change-Id: Ie90fe7bb0ea7a3bcb76583e0cf9c1e4133499541Reviewed-on:https://go-review.googlesource.com/c/crypto/+/614298Reviewed-by: Michael Knyszek <mknyszek@google.com>Reviewed-by: Archana Ravindar <aravinda@redhat.com>LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>Reviewed-by: David Chase <drchase@google.com>

This requires fixing an incorrect save of the counter. It is a wordvalue. It happens to work on LE because length is limited to u32.Refactor the constant table to load correctly independent of byteordering.Add byte order swapping where output needs converted to LEordering for storage.Change-Id: Ic7e09bd1c769bb77dd6e817f5a8639ba765f4c0fReviewed-on:https://go-review.googlesource.com/c/crypto/+/614297Reviewed-by: Cherry Mui <cherryyz@google.com>Reviewed-by: Michael Knyszek <mknyszek@google.com>Reviewed-by: Archana Ravindar <aravinda@redhat.com>LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>

…ve auth earlySeems the OpenSSH server running on windows fails keyboard-interactiveauth this way without sending any prompt to client. In such case thegolang ssh client should not retry keyboard-interactive auth when theauth method is wrapped in a RetryableAuthMethod(). Rather the authmethod should be immediately marked as tried&failed and the client authprocess should move on to next available and acceptable auth method.Fixesgolang/go#67855Change-Id: I6c64ae58ff8325774e37af716601b112f8833d8fGitHub-Last-Rev:7fafc4dGitHub-Pull-Request:#297Reviewed-on:https://go-review.googlesource.com/c/crypto/+/590956LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>Reviewed-by: Ian Lance Taylor <iant@google.com>Auto-Submit: Nicola Murino <nicola.murino@gmail.com>Reviewed-by: Nicola Murino <nicola.murino@gmail.com>

Previously, the package worked by copying the input (or the output) intoa buffer, and then XOR'ing (or copying) it into (or out of) the state.(Except for an input fast path.) There's no need for that! We can XORstraight into the state, and copy straight out of it, at least on littleendian machines. This is a bit faster, almost halves the state size, andwill make it easier to implement marshaling, but most importantly lookat how much simpler it makes the code!go: go1.23.0goos: linuxgoarch: amd64pkg: golang.org/x/crypto/sha3cpu: AMD Ryzen 7 PRO 8700GE w/ Radeon 780M Graphics                      │ v0.27.0-2-g42ee18b9637 │    v0.27.0-2-g42ee18b9637-dirty    │                      │         sec/op         │   sec/op     vs base               │PermutationFunction-8              270.8n ± 0%   270.4n ± 0%       ~ (p=0.099 n=10)Sha3_512_MTU-8                     5.762µ ± 0%   5.658µ ± 0%  -1.80% (p=0.000 n=10)Sha3_384_MTU-8                     4.179µ ± 0%   4.070µ ± 0%  -2.60% (p=0.000 n=10)Sha3_256_MTU-8                     3.316µ ± 0%   3.214µ ± 0%  -3.08% (p=0.000 n=10)Sha3_224_MTU-8                     3.175µ ± 0%   3.061µ ± 0%  -3.61% (p=0.000 n=10)Shake128_MTU-8                     2.779µ ± 0%   2.681µ ± 0%  -3.51% (p=0.000 n=10)Shake256_MTU-8                     2.947µ ± 0%   2.957µ ± 0%  +0.32% (p=0.000 n=10)Shake256_16x-8                     44.15µ ± 0%   44.45µ ± 0%  +0.67% (p=0.000 n=10)Shake256_1MiB-8                    2.319m ± 0%   2.274m ± 0%  -1.93% (p=0.000 n=10)Sha3_512_1MiB-8                    4.204m ± 0%   4.219m ± 0%  +0.34% (p=0.000 n=10)geomean                            13.75µ        13.54µ       -1.55%                      │ v0.27.0-2-g42ee18b9637 │    v0.27.0-2-g42ee18b9637-dirty     │                      │          B/s           │     B/s       vs base               │PermutationFunction-8             704.3Mi ± 0%   705.4Mi ± 0%       ~ (p=0.105 n=10)Sha3_512_MTU-8                    223.5Mi ± 0%   227.6Mi ± 0%  +1.83% (p=0.000 n=10)Sha3_384_MTU-8                    308.1Mi ± 0%   316.4Mi ± 0%  +2.67% (p=0.000 n=10)Sha3_256_MTU-8                    388.2Mi ± 0%   400.5Mi ± 0%  +3.17% (p=0.000 n=10)Sha3_224_MTU-8                    405.5Mi ± 0%   420.7Mi ± 0%  +3.73% (p=0.000 n=10)Shake128_MTU-8                    463.4Mi ± 0%   480.2Mi ± 0%  +3.64% (p=0.000 n=10)Shake256_MTU-8                    436.9Mi ± 0%   435.5Mi ± 0%  -0.32% (p=0.000 n=10)Shake256_16x-8                    353.9Mi ± 0%   351.5Mi ± 0%  -0.66% (p=0.000 n=10)Shake256_1MiB-8                   431.2Mi ± 0%   439.7Mi ± 0%  +1.97% (p=0.000 n=10)Sha3_512_1MiB-8                   237.8Mi ± 0%   237.1Mi ± 0%  -0.33% (p=0.000 n=10)geomean                           375.7Mi        381.6Mi       +1.57%Even stronger effect when patched on top of CL 616555 (forced on).go: go1.23.0goos: darwingoarch: arm64pkg: golang.org/x/crypto/sha3cpu: Apple M2                      │    old    │               new                   │                      │   sec/op  │     sec/op     vs base              │PermutationFunction-8   154.7n ± 2%   153.8n ± 1%        ~ (p=0.469 n=10)Sha3_512_MTU-8          3.260µ ± 2%   3.143µ ± 2%   -3.60% (p=0.000 n=10)Sha3_384_MTU-8          2.389µ ± 2%   2.244µ ± 2%   -6.07% (p=0.000 n=10)Sha3_256_MTU-8          1.950µ ± 2%   1.758µ ± 1%   -9.87% (p=0.000 n=10)Sha3_224_MTU-8          1.874µ ± 2%   1.686µ ± 1%  -10.06% (p=0.000 n=10)Shake128_MTU-8          1.827µ ± 3%   1.447µ ± 1%  -20.80% (p=0.000 n=10)Shake256_MTU-8          1.665µ ± 3%   1.604µ ± 3%   -3.63% (p=0.003 n=10)Shake256_16x-8          25.14µ ± 1%   25.23µ ± 2%        ~ (p=0.912 n=10)Shake256_1MiB-8         1.236m ± 2%   1.243m ± 2%        ~ (p=0.631 n=10)Sha3_512_1MiB-8         2.296m ± 2%   2.305m ± 1%        ~ (p=0.315 n=10)geomean                 7.906µ        7.467µ        -5.56%                      │    old    │               new                   │                      │    B/op   │      B/op      vs base              │PermutationFunction-8   1.204Gi ± 2%   1.212Gi ± 1%        ~ (p=0.529 n=10)Sha3_512_MTU-8          394.9Mi ± 2%   409.7Mi ± 2%   +3.73% (p=0.000 n=10)Sha3_384_MTU-8          539.0Mi ± 2%   573.8Mi ± 2%   +6.45% (p=0.000 n=10)Sha3_256_MTU-8          660.3Mi ± 2%   732.6Mi ± 1%  +10.95% (p=0.000 n=10)Sha3_224_MTU-8          687.1Mi ± 2%   763.9Mi ± 1%  +11.17% (p=0.000 n=10)Shake128_MTU-8          704.7Mi ± 2%   889.6Mi ± 2%  +26.24% (p=0.000 n=10)Shake256_MTU-8          773.4Mi ± 3%   802.5Mi ± 3%   +3.76% (p=0.004 n=10)Shake256_16x-8          621.6Mi ± 1%   619.3Mi ± 2%        ~ (p=0.912 n=10)Shake256_1MiB-8         809.1Mi ± 2%   804.7Mi ± 2%        ~ (p=0.631 n=10)Sha3_512_1MiB-8         435.6Mi ± 2%   433.9Mi ± 1%        ~ (p=0.315 n=10)geomean                 653.6Mi        692.0Mi        +5.88%Change-Id: I33a0a1ddf305c395f99bf17f81473e2f42c5ce42Reviewed-on:https://go-review.googlesource.com/c/crypto/+/616575Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>Reviewed-by: Michael Pratt <mpratt@google.com>Reviewed-by: Roland Shoemaker <roland@golang.org>LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>Auto-Submit: Filippo Valsorda <filippo@golang.org>Reviewed-by: Andrew Ekstedt <andrew.ekstedt@gmail.com>

We used to compute the incorrect value if len(initBlock) % rate == 0.Also, add a test vector forgolang/go#66232, confirmed to fail onGOARCH=386 without CL 570876.Fixesgolang/go#69169Change-Id: I3f2400926fca111dd0ca1327d6b5975e51b28f96Reviewed-on:https://go-review.googlesource.com/c/crypto/+/616576Reviewed-by: Andrew Ekstedt <andrew.ekstedt@gmail.com>Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>Reviewed-by: Michael Pratt <mpratt@google.com>LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>Auto-Submit: Filippo Valsorda <filippo@golang.org>Reviewed-by: Roland Shoemaker <roland@golang.org>

If you read a multiple of the rate, and then stop, there is no point inrunning the final permutation.Change-Id: Ic95e70f78b6e139aca1d3e3c11e09d2bbcf54f6cReviewed-on:https://go-review.googlesource.com/c/crypto/+/620555Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>Reviewed-by: Roland Shoemaker <roland@golang.org>LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>Reviewed-by: Michael Pratt <mpratt@google.com>Auto-Submit: Filippo Valsorda <filippo@golang.org>

Fixesgolang/go#24617Change-Id: I1d9d529950aa8a5953435e8d3412cda44b075d55Reviewed-on:https://go-review.googlesource.com/c/crypto/+/616635Reviewed-by: Roland Shoemaker <roland@golang.org>Auto-Submit: Filippo Valsorda <filippo@golang.org>LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>Reviewed-by: Daniel McCarney <daniel@binaryparadox.net>Reviewed-by: Michael Pratt <mpratt@google.com>

These days people will just import the packages and the go tool willdo the right thing. We don't need to explain it.Add a pointer to the git repo, though.Forgolang/go#62645Change-Id: I8b1e4a877bd83fe6891688a44d27a6c7902c8979Reviewed-on:https://go-review.googlesource.com/c/crypto/+/624155LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>Commit-Queue: Ian Lance Taylor <iant@google.com>Reviewed-by: Ian Lance Taylor <iant@google.com>Auto-Submit: Ian Lance Taylor <iant@google.com>Reviewed-by: Roland Shoemaker <roland@golang.org>

Update golang.org/x dependencies to their latest tagged versions.Change-Id: Ib4976eb0b062bcd71c208afc9ff53e8c3068fbf9Reviewed-on:https://go-review.googlesource.com/c/crypto/+/626377Reviewed-by: David Chase <drchase@google.com>Auto-Submit: Gopher Robot <gobot@golang.org>Reviewed-by: Dmitri Shuralyov <dmitshur@google.com>LUCI-TryBot-Result: Go LUCI <golang-scoped@luci-project-accounts.iam.gserviceaccount.com>