protoc-gen-go-micro/vendor/golang.org/x/crypto/xts/xts.go

// Copyright 2012 The Go Authors. All rights reserved.
// Use of this source code is governed by a BSD-style
// license that can be found in the LICENSE file.

// Package xts implements the XTS cipher mode as specified in IEEE P1619/D16.
//
// XTS mode is typically used for disk encryption, which presents a number of
// novel problems that make more common modes inapplicable. The disk is
// conceptually an array of sectors and we must be able to encrypt and decrypt
// a sector in isolation. However, an attacker must not be able to transpose
// two sectors of plaintext by transposing their ciphertext.
//
// XTS wraps a block cipher with Rogaway's XEX mode in order to build a
// tweakable block cipher. This allows each sector to have a unique tweak and
// effectively create a unique key for each sector.
//
// XTS does not provide any authentication. An attacker can manipulate the
// ciphertext and randomise a block (16 bytes) of the plaintext.
//
// (Note: this package does not implement ciphertext-stealing so sectors must
// be a multiple of 16 bytes.)
package xts // import "golang.org/x/crypto/xts"

import (
	"crypto/cipher"
	"errors"
)

// Cipher contains an expanded key structure. It doesn't contain mutable state
// and therefore can be used concurrently.
type Cipher struct {
	k1, k2 cipher.Block
}

// blockSize is the block size that the underlying cipher must have. XTS is
// only defined for 16-byte ciphers.
const blockSize = 16

// NewCipher creates a Cipher given a function for creating the underlying
// block cipher (which must have a block size of 16 bytes). The key must be
// twice the length of the underlying cipher's key.
func NewCipher(cipherFunc func([]byte) (cipher.Block, error), key []byte) (c *Cipher, err error) {
	c = new(Cipher)
	if c.k1, err = cipherFunc(key[:len(key)/2]); err != nil {
		return
	}
	c.k2, err = cipherFunc(key[len(key)/2:])

	if c.k1.BlockSize() != blockSize {
		err = errors.New("xts: cipher does not have a block size of 16")
	}

	return
}

// Encrypt encrypts a sector of plaintext and puts the result into ciphertext.
// Plaintext and ciphertext may be the same slice but should not overlap.
// Sectors must be a multiple of 16 bytes and less than 2²⁴ bytes.
func (c *Cipher) Encrypt(ciphertext, plaintext []byte, sectorNum uint64) {
	if len(ciphertext) < len(plaintext) {
		panic("xts: ciphertext is smaller than plaintext")
	}
	if len(plaintext)%blockSize != 0 {
		panic("xts: plaintext is not a multiple of the block size")
	}

	var tweak [blockSize]byte
	for i := 0; i < 8; i++ {
		tweak[i] = byte(sectorNum)
		sectorNum >>= 8
	}

	c.k2.Encrypt(tweak[:], tweak[:])

	for i := 0; i < len(plaintext); i += blockSize {
		for j := 0; j < blockSize; j++ {
			ciphertext[i+j] = plaintext[i+j] ^ tweak[j]
		}
		c.k1.Encrypt(ciphertext[i:], ciphertext[i:])
		for j := 0; j < blockSize; j++ {
			ciphertext[i+j] ^= tweak[j]
		}

		mul2(&tweak)
	}
}

// Decrypt decrypts a sector of ciphertext and puts the result into plaintext.
// Plaintext and ciphertext may be the same slice but should not overlap.
// Sectors must be a multiple of 16 bytes and less than 2²⁴ bytes.
func (c *Cipher) Decrypt(plaintext, ciphertext []byte, sectorNum uint64) {
	if len(plaintext) < len(ciphertext) {
		panic("xts: plaintext is smaller than ciphertext")
	}
	if len(ciphertext)%blockSize != 0 {
		panic("xts: ciphertext is not a multiple of the block size")
	}

	var tweak [blockSize]byte
	for i := 0; i < 8; i++ {
		tweak[i] = byte(sectorNum)
		sectorNum >>= 8
	}

	c.k2.Encrypt(tweak[:], tweak[:])

	for i := 0; i < len(plaintext); i += blockSize {
		for j := 0; j < blockSize; j++ {
			plaintext[i+j] = ciphertext[i+j] ^ tweak[j]
		}
		c.k1.Decrypt(plaintext[i:], plaintext[i:])
		for j := 0; j < blockSize; j++ {
			plaintext[i+j] ^= tweak[j]
		}

		mul2(&tweak)
	}
}

// mul2 multiplies tweak by 2 in GF(2¹²⁸) with an irreducible polynomial of
// x¹²⁸ + x⁷ + x² + x + 1.
func mul2(tweak *[blockSize]byte) {
	var carryIn byte
	for j := range tweak {
		carryOut := tweak[j] >> 7
		tweak[j] = (tweak[j] << 1) + carryIn
		carryIn = carryOut
	}
	if carryIn != 0 {
		// If we have a carry bit then we need to subtract a multiple
		// of the irreducible polynomial (x¹²⁸ + x⁷ + x² + x + 1).
		// By dropping the carry bit, we're subtracting the x^128 term
		// so all that remains is to subtract x⁷ + x² + x + 1.
		// Subtraction (and addition) in this representation is just
		// XOR.
		tweak[0] ^= 1<<7 | 1<<2 | 1<<1 | 1
	}
}
Moved to google.golang.org/genproto/googleapis/api/annotations Fixes #52 2017-03-31 19:01:58 +03:00			`// Copyright 2012 The Go Authors. All rights reserved.`
			`// Use of this source code is governed by a BSD-style`
			`// license that can be found in the LICENSE file.`

			`// Package xts implements the XTS cipher mode as specified in IEEE P1619/D16.`
			`//`
			`// XTS mode is typically used for disk encryption, which presents a number of`
			`// novel problems that make more common modes inapplicable. The disk is`
			`// conceptually an array of sectors and we must be able to encrypt and decrypt`
			`// a sector in isolation. However, an attacker must not be able to transpose`
			`// two sectors of plaintext by transposing their ciphertext.`
			`//`
			`// XTS wraps a block cipher with Rogaway's XEX mode in order to build a`
			`// tweakable block cipher. This allows each sector to have a unique tweak and`
			`// effectively create a unique key for each sector.`
			`//`
			`// XTS does not provide any authentication. An attacker can manipulate the`
			`// ciphertext and randomise a block (16 bytes) of the plaintext.`
			`//`
			`// (Note: this package does not implement ciphertext-stealing so sectors must`
			`// be a multiple of 16 bytes.)`
			`package xts // import "golang.org/x/crypto/xts"`

			`import (`
			`"crypto/cipher"`
			`"errors"`
			`)`

			`// Cipher contains an expanded key structure. It doesn't contain mutable state`
			`// and therefore can be used concurrently.`
			`type Cipher struct {`
			`k1, k2 cipher.Block`
			`}`

			`// blockSize is the block size that the underlying cipher must have. XTS is`
			`// only defined for 16-byte ciphers.`
			`const blockSize = 16`

			`// NewCipher creates a Cipher given a function for creating the underlying`
			`// block cipher (which must have a block size of 16 bytes). The key must be`
			`// twice the length of the underlying cipher's key.`
			`func NewCipher(cipherFunc func([]byte) (cipher.Block, error), key []byte) (c *Cipher, err error) {`
			`c = new(Cipher)`
			`if c.k1, err = cipherFunc(key[:len(key)/2]); err != nil {`
			`return`
			`}`
			`c.k2, err = cipherFunc(key[len(key)/2:])`

			`if c.k1.BlockSize() != blockSize {`
			`err = errors.New("xts: cipher does not have a block size of 16")`
			`}`

			`return`
			`}`

			`// Encrypt encrypts a sector of plaintext and puts the result into ciphertext.`
			`// Plaintext and ciphertext may be the same slice but should not overlap.`
			`// Sectors must be a multiple of 16 bytes and less than 2²⁴ bytes.`
			`func (c *Cipher) Encrypt(ciphertext, plaintext []byte, sectorNum uint64) {`
			`if len(ciphertext) < len(plaintext) {`
			`panic("xts: ciphertext is smaller than plaintext")`
			`}`
			`if len(plaintext)%blockSize != 0 {`
			`panic("xts: plaintext is not a multiple of the block size")`
			`}`

			`var tweak [blockSize]byte`
			`for i := 0; i < 8; i++ {`
			`tweak[i] = byte(sectorNum)`
			`sectorNum >>= 8`
			`}`

			`c.k2.Encrypt(tweak[:], tweak[:])`

			`for i := 0; i < len(plaintext); i += blockSize {`
			`for j := 0; j < blockSize; j++ {`
			`ciphertext[i+j] = plaintext[i+j] ^ tweak[j]`
			`}`
			`c.k1.Encrypt(ciphertext[i:], ciphertext[i:])`
			`for j := 0; j < blockSize; j++ {`
			`ciphertext[i+j] ^= tweak[j]`
			`}`

			`mul2(&tweak)`
			`}`
			`}`

			`// Decrypt decrypts a sector of ciphertext and puts the result into plaintext.`
			`// Plaintext and ciphertext may be the same slice but should not overlap.`
			`// Sectors must be a multiple of 16 bytes and less than 2²⁴ bytes.`
			`func (c *Cipher) Decrypt(plaintext, ciphertext []byte, sectorNum uint64) {`
			`if len(plaintext) < len(ciphertext) {`
			`panic("xts: plaintext is smaller than ciphertext")`
			`}`
			`if len(ciphertext)%blockSize != 0 {`
			`panic("xts: ciphertext is not a multiple of the block size")`
			`}`

			`var tweak [blockSize]byte`
			`for i := 0; i < 8; i++ {`
			`tweak[i] = byte(sectorNum)`
			`sectorNum >>= 8`
			`}`

			`c.k2.Encrypt(tweak[:], tweak[:])`

			`for i := 0; i < len(plaintext); i += blockSize {`
			`for j := 0; j < blockSize; j++ {`
			`plaintext[i+j] = ciphertext[i+j] ^ tweak[j]`
			`}`
			`c.k1.Decrypt(plaintext[i:], plaintext[i:])`
			`for j := 0; j < blockSize; j++ {`
			`plaintext[i+j] ^= tweak[j]`
			`}`

			`mul2(&tweak)`
			`}`
			`}`

			`// mul2 multiplies tweak by 2 in GF(2¹²⁸) with an irreducible polynomial of`
			`// x¹²⁸ + x⁷ + x² + x + 1.`
			`func mul2(tweak *[blockSize]byte) {`
			`var carryIn byte`
			`for j := range tweak {`
			`carryOut := tweak[j] >> 7`
			`tweak[j] = (tweak[j] << 1) + carryIn`
			`carryIn = carryOut`
			`}`
			`if carryIn != 0 {`
			`// If we have a carry bit then we need to subtract a multiple`
			`// of the irreducible polynomial (x¹²⁸ + x⁷ + x² + x + 1).`
			`// By dropping the carry bit, we're subtracting the x^128 term`
			`// so all that remains is to subtract x⁷ + x² + x + 1.`
			`// Subtraction (and addition) in this representation is just`
			`// XOR.`
			`tweak[0] ^= 1<<7 \| 1<<2 \| 1<<1 \| 1`
			`}`
			`}`