JustAnotherArchivist
/
transfer.sh
forked from kiska/transfer.sh
1
0
Fork 1
Code Issues 0 Pull Requests 0 Releases 0 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
307 Commits
17 Branches
34 MiB
 
 
 
Tree: 6d23a8f5f3
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '6d23a8f5f3'
${ noResults }
transfer.sh/vendor/golang.org/x/crypto/internal/chacha20/chacha_generic.go

237 lines
6.5 KiB
Raw Blame History 

  1. // Copyright 2016 The Go Authors. All rights reserved.

  2. // Use of this source code is governed by a BSD-style

  3. // license that can be found in the LICENSE file.

  4. 

  5. // Package ChaCha20 implements the core ChaCha20 function as specified

  6. // in https://tools.ietf.org/html/rfc7539#section-2.3.

  7. package chacha20

  8. 

  9. import (

  10. 	"crypto/cipher"

  11. 	"encoding/binary"

  12. 

  13. 	"golang.org/x/crypto/internal/subtle"

  14. )

  15. 

  16. // assert that *Cipher implements cipher.Stream

  17. var _ cipher.Stream = (*Cipher)(nil)

  18. 

  19. // Cipher is a stateful instance of ChaCha20 using a particular key

  20. // and nonce. A *Cipher implements the cipher.Stream interface.

  21. type Cipher struct {

  22. 	key     [8]uint32

  23. 	counter uint32 // incremented after each block

  24. 	nonce   [3]uint32

  25. 	buf     [bufSize]byte // buffer for unused keystream bytes

  26. 	len     int           // number of unused keystream bytes at end of buf

  27. }

  28. 

  29. // New creates a new ChaCha20 stream cipher with the given key and nonce.

  30. // The initial counter value is set to 0.

  31. func New(key [8]uint32, nonce [3]uint32) *Cipher {

  32. 	return &Cipher{key: key, nonce: nonce}

  33. }

  34. 

  35. // XORKeyStream XORs each byte in the given slice with a byte from the

  36. // cipher's key stream. Dst and src must overlap entirely or not at all.

  37. //

  38. // If len(dst) < len(src), XORKeyStream will panic. It is acceptable

  39. // to pass a dst bigger than src, and in that case, XORKeyStream will

  40. // only update dst[:len(src)] and will not touch the rest of dst.

  41. //

  42. // Multiple calls to XORKeyStream behave as if the concatenation of

  43. // the src buffers was passed in a single run. That is, Cipher

  44. // maintains state and does not reset at each XORKeyStream call.

  45. func (s *Cipher) XORKeyStream(dst, src []byte) {

  46. 	if len(dst) < len(src) {

  47. 		panic("chacha20: output smaller than input")

  48. 	}

  49. 	if subtle.InexactOverlap(dst[:len(src)], src) {

  50. 		panic("chacha20: invalid buffer overlap")

  51. 	}

  52. 

  53. 	// xor src with buffered keystream first

  54. 	if s.len != 0 {

  55. 		buf := s.buf[len(s.buf)-s.len:]

  56. 		if len(src) < len(buf) {

  57. 			buf = buf[:len(src)]

  58. 		}

  59. 		td, ts := dst[:len(buf)], src[:len(buf)] // BCE hint

  60. 		for i, b := range buf {

  61. 			td[i] = ts[i] ^ b

  62. 		}

  63. 		s.len -= len(buf)

  64. 		if s.len != 0 {

  65. 			return

  66. 		}

  67. 		s.buf = [len(s.buf)]byte{} // zero the empty buffer

  68. 		src = src[len(buf):]

  69. 		dst = dst[len(buf):]

  70. 	}

  71. 

  72. 	if len(src) == 0 {

  73. 		return

  74. 	}

  75. 	if haveAsm {

  76. 		s.xorKeyStreamAsm(dst, src)

  77. 		return

  78. 	}

  79. 

  80. 	// set up a 64-byte buffer to pad out the final block if needed

  81. 	// (hoisted out of the main loop to avoid spills)

  82. 	rem := len(src) % 64  // length of final block

  83. 	fin := len(src) - rem // index of final block

  84. 	if rem > 0 {

  85. 		copy(s.buf[len(s.buf)-64:], src[fin:])

  86. 	}

  87. 

  88. 	// qr calculates a quarter round

  89. 	qr := func(a, b, c, d uint32) (uint32, uint32, uint32, uint32) {

  90. 		a += b

  91. 		d ^= a

  92. 		d = (d << 16) | (d >> 16)

  93. 		c += d

  94. 		b ^= c

  95. 		b = (b << 12) | (b >> 20)

  96. 		a += b

  97. 		d ^= a

  98. 		d = (d << 8) | (d >> 24)

  99. 		c += d

  100. 		b ^= c

  101. 		b = (b << 7) | (b >> 25)

  102. 		return a, b, c, d

  103. 	}

  104. 

  105. 	// ChaCha20 constants

  106. 	const (

  107. 		j0 = 0x61707865

  108. 		j1 = 0x3320646e

  109. 		j2 = 0x79622d32

  110. 		j3 = 0x6b206574

  111. 	)

  112. 

  113. 	// pre-calculate most of the first round

  114. 	s1, s5, s9, s13 := qr(j1, s.key[1], s.key[5], s.nonce[0])

  115. 	s2, s6, s10, s14 := qr(j2, s.key[2], s.key[6], s.nonce[1])

  116. 	s3, s7, s11, s15 := qr(j3, s.key[3], s.key[7], s.nonce[2])

  117. 

  118. 	n := len(src)

  119. 	src, dst = src[:n:n], dst[:n:n] // BCE hint

  120. 	for i := 0; i < n; i += 64 {

  121. 		// calculate the remainder of the first round

  122. 		s0, s4, s8, s12 := qr(j0, s.key[0], s.key[4], s.counter)

  123. 

  124. 		// execute the second round

  125. 		x0, x5, x10, x15 := qr(s0, s5, s10, s15)

  126. 		x1, x6, x11, x12 := qr(s1, s6, s11, s12)

  127. 		x2, x7, x8, x13 := qr(s2, s7, s8, s13)

  128. 		x3, x4, x9, x14 := qr(s3, s4, s9, s14)

  129. 

  130. 		// execute the remaining 18 rounds

  131. 		for i := 0; i < 9; i++ {

  132. 			x0, x4, x8, x12 = qr(x0, x4, x8, x12)

  133. 			x1, x5, x9, x13 = qr(x1, x5, x9, x13)

  134. 			x2, x6, x10, x14 = qr(x2, x6, x10, x14)

  135. 			x3, x7, x11, x15 = qr(x3, x7, x11, x15)

  136. 

  137. 			x0, x5, x10, x15 = qr(x0, x5, x10, x15)

  138. 			x1, x6, x11, x12 = qr(x1, x6, x11, x12)

  139. 			x2, x7, x8, x13 = qr(x2, x7, x8, x13)

  140. 			x3, x4, x9, x14 = qr(x3, x4, x9, x14)

  141. 		}

  142. 

  143. 		x0 += j0

  144. 		x1 += j1

  145. 		x2 += j2

  146. 		x3 += j3

  147. 

  148. 		x4 += s.key[0]

  149. 		x5 += s.key[1]

  150. 		x6 += s.key[2]

  151. 		x7 += s.key[3]

  152. 		x8 += s.key[4]

  153. 		x9 += s.key[5]

  154. 		x10 += s.key[6]

  155. 		x11 += s.key[7]

  156. 

  157. 		x12 += s.counter

  158. 		x13 += s.nonce[0]

  159. 		x14 += s.nonce[1]

  160. 		x15 += s.nonce[2]

  161. 

  162. 		// increment the counter

  163. 		s.counter += 1

  164. 		if s.counter == 0 {

  165. 			panic("chacha20: counter overflow")

  166. 		}

  167. 

  168. 		// pad to 64 bytes if needed

  169. 		in, out := src[i:], dst[i:]

  170. 		if i == fin {

  171. 			// src[fin:] has already been copied into s.buf before

  172. 			// the main loop

  173. 			in, out = s.buf[len(s.buf)-64:], s.buf[len(s.buf)-64:]

  174. 		}

  175. 		in, out = in[:64], out[:64] // BCE hint

  176. 

  177. 		// XOR the key stream with the source and write out the result

  178. 		xor(out[0:], in[0:], x0)

  179. 		xor(out[4:], in[4:], x1)

  180. 		xor(out[8:], in[8:], x2)

  181. 		xor(out[12:], in[12:], x3)

  182. 		xor(out[16:], in[16:], x4)

  183. 		xor(out[20:], in[20:], x5)

  184. 		xor(out[24:], in[24:], x6)

  185. 		xor(out[28:], in[28:], x7)

  186. 		xor(out[32:], in[32:], x8)

  187. 		xor(out[36:], in[36:], x9)

  188. 		xor(out[40:], in[40:], x10)

  189. 		xor(out[44:], in[44:], x11)

  190. 		xor(out[48:], in[48:], x12)

  191. 		xor(out[52:], in[52:], x13)

  192. 		xor(out[56:], in[56:], x14)

  193. 		xor(out[60:], in[60:], x15)

  194. 	}

  195. 	// copy any trailing bytes out of the buffer and into dst

  196. 	if rem != 0 {

  197. 		s.len = 64 - rem

  198. 		copy(dst[fin:], s.buf[len(s.buf)-64:])

  199. 	}

  200. }

  201. 

  202. // Advance discards bytes in the key stream until the next 64 byte block

  203. // boundary is reached and updates the counter accordingly. If the key

  204. // stream is already at a block boundary no bytes will be discarded and

  205. // the counter will be unchanged.

  206. func (s *Cipher) Advance() {

  207. 	s.len -= s.len % 64

  208. 	if s.len == 0 {

  209. 		s.buf = [len(s.buf)]byte{}

  210. 	}

  211. }

  212. 

  213. // XORKeyStream crypts bytes from in to out using the given key and counters.

  214. // In and out must overlap entirely or not at all. Counter contains the raw

  215. // ChaCha20 counter bytes (i.e. block counter followed by nonce).

  216. func XORKeyStream(out, in []byte, counter *[16]byte, key *[32]byte) {

  217. 	s := Cipher{

  218. 		key: [8]uint32{

  219. 			binary.LittleEndian.Uint32(key[0:4]),

  220. 			binary.LittleEndian.Uint32(key[4:8]),

  221. 			binary.LittleEndian.Uint32(key[8:12]),

  222. 			binary.LittleEndian.Uint32(key[12:16]),

  223. 			binary.LittleEndian.Uint32(key[16:20]),

  224. 			binary.LittleEndian.Uint32(key[20:24]),

  225. 			binary.LittleEndian.Uint32(key[24:28]),

  226. 			binary.LittleEndian.Uint32(key[28:32]),

  227. 		},

  228. 		nonce: [3]uint32{

  229. 			binary.LittleEndian.Uint32(counter[4:8]),

  230. 			binary.LittleEndian.Uint32(counter[8:12]),

  231. 			binary.LittleEndian.Uint32(counter[12:16]),

  232. 		},

  233. 		counter: binary.LittleEndian.Uint32(counter[0:4]),

  234. 	}

  235. 	s.XORKeyStream(out, in)

  236. }