Deps update, gopkg.lock fix, flagger initialization fix.

vendor/golang.org/x/crypto/bn256/bn256.go

@@ -15,9 +15,14 @@
 // http://cryptojedi.org/papers/dclxvi-20100714.pdf. Its output is compatible
 // with the implementation described in that paper.
 //
-// (This package previously claimed to operate at a 128-bit security level.
+// This package previously claimed to operate at a 128-bit security level.
 // However, recent improvements in attacks mean that is no longer true. See
-// https://moderncrypto.org/mail-archive/curves/2016/000740.html.)
+// https://moderncrypto.org/mail-archive/curves/2016/000740.html.
+//
+// Deprecated: due to its weakened security, new systems should not rely on this
+// elliptic curve. This package is frozen, and not implemented in constant time.
+// There is a more complete implementation at github.com/cloudflare/bn256, but
+// note that it suffers from the same security issues of the underlying curve.
 package bn256 // import "golang.org/x/crypto/bn256"
 
 import (
@@ -26,9 +31,6 @@ import (
 	"math/big"
 )
 
-// BUG(agl): this implementation is not constant time.
-// TODO(agl): keep GF(p²) elements in Mongomery form.
-
 // G1 is an abstract cyclic group. The zero value is suitable for use as the
 // output of an operation, but cannot be used as an input.
 type G1 struct {
@@ -54,6 +56,9 @@ func RandomG1(r io.Reader) (*big.Int, *G1, error) {
 }
 
 func (e *G1) String() string {
+	if e.p == nil {
+		return "bn256.G1" + newCurvePoint(nil).String()
+	}
 	return "bn256.G1" + e.p.String()
 }
 
@@ -77,7 +82,8 @@ func (e *G1) ScalarMult(a *G1, k *big.Int) *G1 {
 }
 
 // Add sets e to a+b and then returns e.
-// BUG(agl): this function is not complete: a==b fails.
+//
+// Warning: this function is not complete, it fails for a equal to b.
 func (e *G1) Add(a, b *G1) *G1 {
 	if e.p == nil {
 		e.p = newCurvePoint(nil)
@@ -97,14 +103,18 @@ func (e *G1) Neg(a *G1) *G1 {
 
 // Marshal converts n to a byte slice.
 func (e *G1) Marshal() []byte {
+	// Each value is a 256-bit number.
+	const numBytes = 256 / 8
+
+	if e.p.IsInfinity() {
+		return make([]byte, numBytes*2)
+	}
+
 	e.p.MakeAffine(nil)
 
 	xBytes := new(big.Int).Mod(e.p.x, p).Bytes()
 	yBytes := new(big.Int).Mod(e.p.y, p).Bytes()
 
-	// Each value is a 256-bit number.
-	const numBytes = 256 / 8
-
 	ret := make([]byte, numBytes*2)
 	copy(ret[1*numBytes-len(xBytes):], xBytes)
 	copy(ret[2*numBytes-len(yBytes):], yBytes)
@@ -171,6 +181,9 @@ func RandomG2(r io.Reader) (*big.Int, *G2, error) {
 }
 
 func (e *G2) String() string {
+	if e.p == nil {
+		return "bn256.G2" + newTwistPoint(nil).String()
+	}
 	return "bn256.G2" + e.p.String()
 }
 
@@ -194,7 +207,8 @@ func (e *G2) ScalarMult(a *G2, k *big.Int) *G2 {
 }
 
 // Add sets e to a+b and then returns e.
-// BUG(agl): this function is not complete: a==b fails.
+//
+// Warning: this function is not complete, it fails for a equal to b.
 func (e *G2) Add(a, b *G2) *G2 {
 	if e.p == nil {
 		e.p = newTwistPoint(nil)
@@ -205,6 +219,13 @@ func (e *G2) Add(a, b *G2) *G2 {
 
 // Marshal converts n into a byte slice.
 func (n *G2) Marshal() []byte {
+	// Each value is a 256-bit number.
+	const numBytes = 256 / 8
+
+	if n.p.IsInfinity() {
+		return make([]byte, numBytes*4)
+	}
+
 	n.p.MakeAffine(nil)
 
 	xxBytes := new(big.Int).Mod(n.p.x.x, p).Bytes()
@@ -212,9 +233,6 @@ func (n *G2) Marshal() []byte {
 	yxBytes := new(big.Int).Mod(n.p.y.x, p).Bytes()
 	yyBytes := new(big.Int).Mod(n.p.y.y, p).Bytes()
 
-	// Each value is a 256-bit number.
-	const numBytes = 256 / 8
-
 	ret := make([]byte, numBytes*4)
 	copy(ret[1*numBytes-len(xxBytes):], xxBytes)
 	copy(ret[2*numBytes-len(xyBytes):], xyBytes)
@@ -269,8 +287,11 @@ type GT struct {
 	p *gfP12
 }
 
-func (g *GT) String() string {
-	return "bn256.GT" + g.p.String()
+func (e *GT) String() string {
+	if e.p == nil {
+		return "bn256.GT" + newGFp12(nil).String()
+	}
+	return "bn256.GT" + e.p.String()
 }
 
 // ScalarMult sets e to a*k and then returns e.

vendor/golang.org/x/crypto/bn256/curve.go

@@ -245,10 +245,19 @@ func (c *curvePoint) Mul(a *curvePoint, scalar *big.Int, pool *bnPool) *curvePoi
 	return c
 }
 
+// MakeAffine converts c to affine form and returns c. If c is ∞, then it sets
+// c to 0 : 1 : 0.
 func (c *curvePoint) MakeAffine(pool *bnPool) *curvePoint {
 	if words := c.z.Bits(); len(words) == 1 && words[0] == 1 {
 		return c
 	}
+	if c.IsInfinity() {
+		c.x.SetInt64(0)
+		c.y.SetInt64(1)
+		c.z.SetInt64(0)
+		c.t.SetInt64(0)
+		return c
+	}
 
 	zInv := pool.Get().ModInverse(c.z, p)
 	t := pool.Get().Mul(c.y, zInv)

vendor/golang.org/x/crypto/bn256/gfp12.go

@@ -125,8 +125,8 @@ func (e *gfP12) Mul(a, b *gfP12, pool *bnPool) *gfP12 {
 }
 
 func (e *gfP12) MulScalar(a *gfP12, b *gfP6, pool *bnPool) *gfP12 {
-	e.x.Mul(e.x, b, pool)
-	e.y.Mul(e.y, b, pool)
+	e.x.Mul(a.x, b, pool)
+	e.y.Mul(a.y, b, pool)
 	return e
 }
 

vendor/golang.org/x/crypto/bn256/twist.go

@@ -219,10 +219,19 @@ func (c *twistPoint) Mul(a *twistPoint, scalar *big.Int, pool *bnPool) *twistPoi
 	return c
 }
 
+// MakeAffine converts c to affine form and returns c. If c is ∞, then it sets
+// c to 0 : 1 : 0.
 func (c *twistPoint) MakeAffine(pool *bnPool) *twistPoint {
 	if c.z.IsOne() {
 		return c
 	}
+	if c.IsInfinity() {
+		c.x.SetZero()
+		c.y.SetOne()
+		c.z.SetZero()
+		c.t.SetZero()
+		return c
+	}
 
 	zInv := newGFp2(pool).Invert(c.z, pool)
 	t := newGFp2(pool).Mul(c.y, zInv, pool)