x/crypto: freeze and deprecate a few more packages #65250
Description
Over the years we did some significant cleanups of x/crypto packages (#30141, #31044, #36646, #44226).
I propose we do one last round, marking as Deprecated
-
golang.org/x/crypto/salsa20/salsa: should have been an internal package, exposes low-level components of Salsa20, it has 662 importers, but that number is deceptive: all the ones I sampled are golang.org/x/crypto forks, or a shadowsocks implementation that should have used salsa20.XORKeyStream instead
-
golang.org/x/crypto/ssh/test: should also have been internal, or really a
_test.gofile, it exposes some test keys, zero importers
and marking as Frozen
-
golang.org/x/crypto/curve25519 and golang.org/x/crypto/ed25519: wrappers for crypto/ecdh and crypto/ed25519 respectively
-
golang.org/x/crypto/nacl/auth and golang.org/x/crypto/nacl/sign: mostly unused NaCl APIs (21 and 73 importers), they are essentially wrappers around crypto/hmac and crypto/ed25519 respectively
-
golang.org/x/crypto/otr: implements a deprecated version of OTR, basically unused (15 importers)
-
golang.org/x/crypto/xts: implements a mode that should be only used for disk encryption and under duress, increasingly replaced by filesystem-level encryption, basically unused (10 importers)
This leaves a pretty healthy list of non-Deprecated non-Frozen packages, which would be suitable for moving into the stdlib (ignoring x509roots for a moment since it's a special snowflake).
- golang.org/x/crypto/acme
- golang.org/x/crypto/acme/autocert
- golang.org/x/crypto/argon2
- golang.org/x/crypto/bcrypt
- golang.org/x/crypto/blake2b
- golang.org/x/crypto/blake2s
- golang.org/x/crypto/chacha20
- golang.org/x/crypto/chacha20poly1305
- golang.org/x/crypto/cryptobyte
- golang.org/x/crypto/cryptobyte/asn1
- golang.org/x/crypto/hkdf
- golang.org/x/crypto/internal/wycheproof
- golang.org/x/crypto/nacl/box
- golang.org/x/crypto/nacl/secretbox
- golang.org/x/crypto/ocsp
- golang.org/x/crypto/pbkdf2
- golang.org/x/crypto/salsa20
- golang.org/x/crypto/scrypt
- golang.org/x/crypto/sha3
- golang.org/x/crypto/ssh
- golang.org/x/crypto/ssh/agent
- golang.org/x/crypto/ssh/knownhosts
/cc @golang/security
Packages summary
| Package | Imported by | Current state | Proposed state |
|---|---|---|---|
| acme | 496 | ||
| acme/autocert | 2161 | ||
| argon2 | 1037 | ||
| bcrypt | 15602 | ||
| blake2b | 2500 | ||
| blake2s | 255 | ||
| blowfish | 881 | Deprecated | Deprecated |
| bn256 | 20 | Deprecated | Deprecated |
| cast5 | 501 | Deprecated | Deprecated |
| chacha20 | 258 | ||
| chacha20poly1305 | 2399 | ||
| cryptobyte | 647 | ||
| cryptobyte/asn1 | 377 | ||
| curve25519 | 1916 | Wrapper | Frozen |
| ed25519 | 2142 | Wrapper | Frozen |
| hkdf | 2208 | ||
| internal/wycheproof | - | Internal | Internal |
| md4 | 764 | Deprecated | Deprecated |
| nacl/auth | 21 | Frozen | |
| nacl/box | 1041 | ||
| nacl/secretbox | 1934 | ||
| nacl/sign | 73 | Frozen | |
| ocsp | 926 | ||
| openpgp/... | 1897 | Deprecated | Deprecated |
| otr | 15 | Notice | Frozen |
| pbkdf2 | 5239 | ||
| pkcs12 | 832 | Frozen | Frozen |
| poly1305 | 504 | Deprecated | Deprecated |
| ripemd160 | 3531 | Deprecated | Deprecated |
| salsa20 | 283 | ||
| salsa20/salsa | 662 | Deprecated | |
| scrypt | 2381 | ||
| sha3 | 10791 | ||
| ssh | 14420 | ||
| ssh/agent | 2236 | ||
| ssh/knownhosts | 590 | ||
| ssh/terminal | 8278 | Deprecated | Deprecated |
| ssh/test | 0 | Deprecated | |
| tea | 188 | Deprecated | Deprecated |
| twofish | 266 | Deprecated | Deprecated |
| x509roots/nss | 0 | ||
| x509roots/fallback | 11 | Submodule | Submodule |
| xtea | 219 | Deprecated | Deprecated |
| xts | 10 | Notice | Frozen |