diff options
Diffstat (limited to 'vendor/golang.org/x/crypto')
23 files changed, 82 insertions, 5378 deletions
diff --git a/vendor/golang.org/x/crypto/AUTHORS b/vendor/golang.org/x/crypto/AUTHORS new file mode 100644 index 000000000..2b00ddba0 --- /dev/null +++ b/vendor/golang.org/x/crypto/AUTHORS @@ -0,0 +1,3 @@ +# This source code refers to The Go Authors for copyright purposes. +# The master list of authors is in the main Go distribution, +# visible at https://tip.golang.org/AUTHORS. diff --git a/vendor/golang.org/x/crypto/CONTRIBUTORS b/vendor/golang.org/x/crypto/CONTRIBUTORS new file mode 100644 index 000000000..1fbd3e976 --- /dev/null +++ b/vendor/golang.org/x/crypto/CONTRIBUTORS @@ -0,0 +1,3 @@ +# This source code was written by the Go contributors. +# The master list of contributors is in the main Go distribution, +# visible at https://tip.golang.org/CONTRIBUTORS. diff --git a/vendor/golang.org/x/crypto/README.md b/vendor/golang.org/x/crypto/README.md deleted file mode 100644 index c9d6fecd1..000000000 --- a/vendor/golang.org/x/crypto/README.md +++ /dev/null @@ -1,21 +0,0 @@ -# Go Cryptography - -This repository holds supplementary Go cryptography libraries. - -## Download/Install - -The easiest way to install is to run `go get -u golang.org/x/crypto/...`. You -can also manually git clone the repository to `$GOPATH/src/golang.org/x/crypto`. - -## Report Issues / Send Patches - -This repository uses Gerrit for code changes. To learn how to submit changes to -this repository, see https://golang.org/doc/contribute.html. - -The main issue tracker for the crypto repository is located at -https://github.com/golang/go/issues. Prefix your issue with "x/crypto:" in the -subject line, so it is easy to find. - -Note that contributions to the cryptography package receive additional scrutiny -due to their sensitive nature. Patches may take longer than normal to receive -feedback. diff --git a/vendor/golang.org/x/crypto/cast5/cast5.go b/vendor/golang.org/x/crypto/cast5/cast5.go index 0b4af37bd..ddcbeb6f2 100644 --- a/vendor/golang.org/x/crypto/cast5/cast5.go +++ b/vendor/golang.org/x/crypto/cast5/cast5.go @@ -2,8 +2,15 @@ // Use of this source code is governed by a BSD-style // license that can be found in the LICENSE file. -// Package cast5 implements CAST5, as defined in RFC 2144. CAST5 is a common -// OpenPGP cipher. +// Package cast5 implements CAST5, as defined in RFC 2144. +// +// CAST5 is a legacy cipher and its short block size makes it vulnerable to +// birthday bound attacks (see https://sweet32.info). It should only be used +// where compatibility with legacy systems, not security, is the goal. +// +// Deprecated: any new system should use AES (from crypto/aes, if necessary in +// an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from +// golang.org/x/crypto/chacha20poly1305). package cast5 // import "golang.org/x/crypto/cast5" import "errors" diff --git a/vendor/golang.org/x/crypto/curve25519/const_amd64.h b/vendor/golang.org/x/crypto/curve25519/const_amd64.h deleted file mode 100644 index b3f74162f..000000000 --- a/vendor/golang.org/x/crypto/curve25519/const_amd64.h +++ /dev/null @@ -1,8 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// This code was translated into a form compatible with 6a from the public -// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html - -#define REDMASK51 0x0007FFFFFFFFFFFF diff --git a/vendor/golang.org/x/crypto/curve25519/const_amd64.s b/vendor/golang.org/x/crypto/curve25519/const_amd64.s deleted file mode 100644 index ee7b4bd5f..000000000 --- a/vendor/golang.org/x/crypto/curve25519/const_amd64.s +++ /dev/null @@ -1,20 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// This code was translated into a form compatible with 6a from the public -// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html - -// +build amd64,!gccgo,!appengine - -// These constants cannot be encoded in non-MOVQ immediates. -// We access them directly from memory instead. - -DATA ·_121666_213(SB)/8, $996687872 -GLOBL ·_121666_213(SB), 8, $8 - -DATA ·_2P0(SB)/8, $0xFFFFFFFFFFFDA -GLOBL ·_2P0(SB), 8, $8 - -DATA ·_2P1234(SB)/8, $0xFFFFFFFFFFFFE -GLOBL ·_2P1234(SB), 8, $8 diff --git a/vendor/golang.org/x/crypto/curve25519/cswap_amd64.s b/vendor/golang.org/x/crypto/curve25519/cswap_amd64.s deleted file mode 100644 index cd793a5b5..000000000 --- a/vendor/golang.org/x/crypto/curve25519/cswap_amd64.s +++ /dev/null @@ -1,65 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// +build amd64,!gccgo,!appengine - -// func cswap(inout *[4][5]uint64, v uint64) -TEXT ·cswap(SB),7,$0 - MOVQ inout+0(FP),DI - MOVQ v+8(FP),SI - - SUBQ $1, SI - NOTQ SI - MOVQ SI, X15 - PSHUFD $0x44, X15, X15 - - MOVOU 0(DI), X0 - MOVOU 16(DI), X2 - MOVOU 32(DI), X4 - MOVOU 48(DI), X6 - MOVOU 64(DI), X8 - MOVOU 80(DI), X1 - MOVOU 96(DI), X3 - MOVOU 112(DI), X5 - MOVOU 128(DI), X7 - MOVOU 144(DI), X9 - - MOVO X1, X10 - MOVO X3, X11 - MOVO X5, X12 - MOVO X7, X13 - MOVO X9, X14 - - PXOR X0, X10 - PXOR X2, X11 - PXOR X4, X12 - PXOR X6, X13 - PXOR X8, X14 - PAND X15, X10 - PAND X15, X11 - PAND X15, X12 - PAND X15, X13 - PAND X15, X14 - PXOR X10, X0 - PXOR X10, X1 - PXOR X11, X2 - PXOR X11, X3 - PXOR X12, X4 - PXOR X12, X5 - PXOR X13, X6 - PXOR X13, X7 - PXOR X14, X8 - PXOR X14, X9 - - MOVOU X0, 0(DI) - MOVOU X2, 16(DI) - MOVOU X4, 32(DI) - MOVOU X6, 48(DI) - MOVOU X8, 64(DI) - MOVOU X1, 80(DI) - MOVOU X3, 96(DI) - MOVOU X5, 112(DI) - MOVOU X7, 128(DI) - MOVOU X9, 144(DI) - RET diff --git a/vendor/golang.org/x/crypto/curve25519/curve25519.go b/vendor/golang.org/x/crypto/curve25519/curve25519.go deleted file mode 100644 index cb8fbc57b..000000000 --- a/vendor/golang.org/x/crypto/curve25519/curve25519.go +++ /dev/null @@ -1,834 +0,0 @@ -// Copyright 2013 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// We have an implementation in amd64 assembly so this code is only run on -// non-amd64 platforms. The amd64 assembly does not support gccgo. -// +build !amd64 gccgo appengine - -package curve25519 - -import ( - "encoding/binary" -) - -// This code is a port of the public domain, "ref10" implementation of -// curve25519 from SUPERCOP 20130419 by D. J. Bernstein. - -// fieldElement represents an element of the field GF(2^255 - 19). An element -// t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77 -// t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on -// context. -type fieldElement [10]int32 - -func feZero(fe *fieldElement) { - for i := range fe { - fe[i] = 0 - } -} - -func feOne(fe *fieldElement) { - feZero(fe) - fe[0] = 1 -} - -func feAdd(dst, a, b *fieldElement) { - for i := range dst { - dst[i] = a[i] + b[i] - } -} - -func feSub(dst, a, b *fieldElement) { - for i := range dst { - dst[i] = a[i] - b[i] - } -} - -func feCopy(dst, src *fieldElement) { - for i := range dst { - dst[i] = src[i] - } -} - -// feCSwap replaces (f,g) with (g,f) if b == 1; replaces (f,g) with (f,g) if b == 0. -// -// Preconditions: b in {0,1}. -func feCSwap(f, g *fieldElement, b int32) { - b = -b - for i := range f { - t := b & (f[i] ^ g[i]) - f[i] ^= t - g[i] ^= t - } -} - -// load3 reads a 24-bit, little-endian value from in. -func load3(in []byte) int64 { - var r int64 - r = int64(in[0]) - r |= int64(in[1]) << 8 - r |= int64(in[2]) << 16 - return r -} - -// load4 reads a 32-bit, little-endian value from in. -func load4(in []byte) int64 { - return int64(binary.LittleEndian.Uint32(in)) -} - -func feFromBytes(dst *fieldElement, src *[32]byte) { - h0 := load4(src[:]) - h1 := load3(src[4:]) << 6 - h2 := load3(src[7:]) << 5 - h3 := load3(src[10:]) << 3 - h4 := load3(src[13:]) << 2 - h5 := load4(src[16:]) - h6 := load3(src[20:]) << 7 - h7 := load3(src[23:]) << 5 - h8 := load3(src[26:]) << 4 - h9 := load3(src[29:]) << 2 - - var carry [10]int64 - carry[9] = (h9 + 1<<24) >> 25 - h0 += carry[9] * 19 - h9 -= carry[9] << 25 - carry[1] = (h1 + 1<<24) >> 25 - h2 += carry[1] - h1 -= carry[1] << 25 - carry[3] = (h3 + 1<<24) >> 25 - h4 += carry[3] - h3 -= carry[3] << 25 - carry[5] = (h5 + 1<<24) >> 25 - h6 += carry[5] - h5 -= carry[5] << 25 - carry[7] = (h7 + 1<<24) >> 25 - h8 += carry[7] - h7 -= carry[7] << 25 - - carry[0] = (h0 + 1<<25) >> 26 - h1 += carry[0] - h0 -= carry[0] << 26 - carry[2] = (h2 + 1<<25) >> 26 - h3 += carry[2] - h2 -= carry[2] << 26 - carry[4] = (h4 + 1<<25) >> 26 - h5 += carry[4] - h4 -= carry[4] << 26 - carry[6] = (h6 + 1<<25) >> 26 - h7 += carry[6] - h6 -= carry[6] << 26 - carry[8] = (h8 + 1<<25) >> 26 - h9 += carry[8] - h8 -= carry[8] << 26 - - dst[0] = int32(h0) - dst[1] = int32(h1) - dst[2] = int32(h2) - dst[3] = int32(h3) - dst[4] = int32(h4) - dst[5] = int32(h5) - dst[6] = int32(h6) - dst[7] = int32(h7) - dst[8] = int32(h8) - dst[9] = int32(h9) -} - -// feToBytes marshals h to s. -// Preconditions: -// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. -// -// Write p=2^255-19; q=floor(h/p). -// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))). -// -// Proof: -// Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4. -// Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4. -// -// Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9). -// Then 0<y<1. -// -// Write r=h-pq. -// Have 0<=r<=p-1=2^255-20. -// Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1. -// -// Write x=r+19(2^-255)r+y. -// Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q. -// -// Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1)) -// so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q. -func feToBytes(s *[32]byte, h *fieldElement) { - var carry [10]int32 - - q := (19*h[9] + (1 << 24)) >> 25 - q = (h[0] + q) >> 26 - q = (h[1] + q) >> 25 - q = (h[2] + q) >> 26 - q = (h[3] + q) >> 25 - q = (h[4] + q) >> 26 - q = (h[5] + q) >> 25 - q = (h[6] + q) >> 26 - q = (h[7] + q) >> 25 - q = (h[8] + q) >> 26 - q = (h[9] + q) >> 25 - - // Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. - h[0] += 19 * q - // Goal: Output h-2^255 q, which is between 0 and 2^255-20. - - carry[0] = h[0] >> 26 - h[1] += carry[0] - h[0] -= carry[0] << 26 - carry[1] = h[1] >> 25 - h[2] += carry[1] - h[1] -= carry[1] << 25 - carry[2] = h[2] >> 26 - h[3] += carry[2] - h[2] -= carry[2] << 26 - carry[3] = h[3] >> 25 - h[4] += carry[3] - h[3] -= carry[3] << 25 - carry[4] = h[4] >> 26 - h[5] += carry[4] - h[4] -= carry[4] << 26 - carry[5] = h[5] >> 25 - h[6] += carry[5] - h[5] -= carry[5] << 25 - carry[6] = h[6] >> 26 - h[7] += carry[6] - h[6] -= carry[6] << 26 - carry[7] = h[7] >> 25 - h[8] += carry[7] - h[7] -= carry[7] << 25 - carry[8] = h[8] >> 26 - h[9] += carry[8] - h[8] -= carry[8] << 26 - carry[9] = h[9] >> 25 - h[9] -= carry[9] << 25 - // h10 = carry9 - - // Goal: Output h[0]+...+2^255 h10-2^255 q, which is between 0 and 2^255-20. - // Have h[0]+...+2^230 h[9] between 0 and 2^255-1; - // evidently 2^255 h10-2^255 q = 0. - // Goal: Output h[0]+...+2^230 h[9]. - - s[0] = byte(h[0] >> 0) - s[1] = byte(h[0] >> 8) - s[2] = byte(h[0] >> 16) - s[3] = byte((h[0] >> 24) | (h[1] << 2)) - s[4] = byte(h[1] >> 6) - s[5] = byte(h[1] >> 14) - s[6] = byte((h[1] >> 22) | (h[2] << 3)) - s[7] = byte(h[2] >> 5) - s[8] = byte(h[2] >> 13) - s[9] = byte((h[2] >> 21) | (h[3] << 5)) - s[10] = byte(h[3] >> 3) - s[11] = byte(h[3] >> 11) - s[12] = byte((h[3] >> 19) | (h[4] << 6)) - s[13] = byte(h[4] >> 2) - s[14] = byte(h[4] >> 10) - s[15] = byte(h[4] >> 18) - s[16] = byte(h[5] >> 0) - s[17] = byte(h[5] >> 8) - s[18] = byte(h[5] >> 16) - s[19] = byte((h[5] >> 24) | (h[6] << 1)) - s[20] = byte(h[6] >> 7) - s[21] = byte(h[6] >> 15) - s[22] = byte((h[6] >> 23) | (h[7] << 3)) - s[23] = byte(h[7] >> 5) - s[24] = byte(h[7] >> 13) - s[25] = byte((h[7] >> 21) | (h[8] << 4)) - s[26] = byte(h[8] >> 4) - s[27] = byte(h[8] >> 12) - s[28] = byte((h[8] >> 20) | (h[9] << 6)) - s[29] = byte(h[9] >> 2) - s[30] = byte(h[9] >> 10) - s[31] = byte(h[9] >> 18) -} - -// feMul calculates h = f * g -// Can overlap h with f or g. -// -// Preconditions: -// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. -// |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. -// -// Postconditions: -// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. -// -// Notes on implementation strategy: -// -// Using schoolbook multiplication. -// Karatsuba would save a little in some cost models. -// -// Most multiplications by 2 and 19 are 32-bit precomputations; -// cheaper than 64-bit postcomputations. -// -// There is one remaining multiplication by 19 in the carry chain; -// one *19 precomputation can be merged into this, -// but the resulting data flow is considerably less clean. -// -// There are 12 carries below. -// 10 of them are 2-way parallelizable and vectorizable. -// Can get away with 11 carries, but then data flow is much deeper. -// -// With tighter constraints on inputs can squeeze carries into int32. -func feMul(h, f, g *fieldElement) { - f0 := f[0] - f1 := f[1] - f2 := f[2] - f3 := f[3] - f4 := f[4] - f5 := f[5] - f6 := f[6] - f7 := f[7] - f8 := f[8] - f9 := f[9] - g0 := g[0] - g1 := g[1] - g2 := g[2] - g3 := g[3] - g4 := g[4] - g5 := g[5] - g6 := g[6] - g7 := g[7] - g8 := g[8] - g9 := g[9] - g1_19 := 19 * g1 // 1.4*2^29 - g2_19 := 19 * g2 // 1.4*2^30; still ok - g3_19 := 19 * g3 - g4_19 := 19 * g4 - g5_19 := 19 * g5 - g6_19 := 19 * g6 - g7_19 := 19 * g7 - g8_19 := 19 * g8 - g9_19 := 19 * g9 - f1_2 := 2 * f1 - f3_2 := 2 * f3 - f5_2 := 2 * f5 - f7_2 := 2 * f7 - f9_2 := 2 * f9 - f0g0 := int64(f0) * int64(g0) - f0g1 := int64(f0) * int64(g1) - f0g2 := int64(f0) * int64(g2) - f0g3 := int64(f0) * int64(g3) - f0g4 := int64(f0) * int64(g4) - f0g5 := int64(f0) * int64(g5) - f0g6 := int64(f0) * int64(g6) - f0g7 := int64(f0) * int64(g7) - f0g8 := int64(f0) * int64(g8) - f0g9 := int64(f0) * int64(g9) - f1g0 := int64(f1) * int64(g0) - f1g1_2 := int64(f1_2) * int64(g1) - f1g2 := int64(f1) * int64(g2) - f1g3_2 := int64(f1_2) * int64(g3) - f1g4 := int64(f1) * int64(g4) - f1g5_2 := int64(f1_2) * int64(g5) - f1g6 := int64(f1) * int64(g6) - f1g7_2 := int64(f1_2) * int64(g7) - f1g8 := int64(f1) * int64(g8) - f1g9_38 := int64(f1_2) * int64(g9_19) - f2g0 := int64(f2) * int64(g0) - f2g1 := int64(f2) * int64(g1) - f2g2 := int64(f2) * int64(g2) - f2g3 := int64(f2) * int64(g3) - f2g4 := int64(f2) * int64(g4) - f2g5 := int64(f2) * int64(g5) - f2g6 := int64(f2) * int64(g6) - f2g7 := int64(f2) * int64(g7) - f2g8_19 := int64(f2) * int64(g8_19) - f2g9_19 := int64(f2) * int64(g9_19) - f3g0 := int64(f3) * int64(g0) - f3g1_2 := int64(f3_2) * int64(g1) - f3g2 := int64(f3) * int64(g2) - f3g3_2 := int64(f3_2) * int64(g3) - f3g4 := int64(f3) * int64(g4) - f3g5_2 := int64(f3_2) * int64(g5) - f3g6 := int64(f3) * int64(g6) - f3g7_38 := int64(f3_2) * int64(g7_19) - f3g8_19 := int64(f3) * int64(g8_19) - f3g9_38 := int64(f3_2) * int64(g9_19) - f4g0 := int64(f4) * int64(g0) - f4g1 := int64(f4) * int64(g1) - f4g2 := int64(f4) * int64(g2) - f4g3 := int64(f4) * int64(g3) - f4g4 := int64(f4) * int64(g4) - f4g5 := int64(f4) * int64(g5) - f4g6_19 := int64(f4) * int64(g6_19) - f4g7_19 := int64(f4) * int64(g7_19) - f4g8_19 := int64(f4) * int64(g8_19) - f4g9_19 := int64(f4) * int64(g9_19) - f5g0 := int64(f5) * int64(g0) - f5g1_2 := int64(f5_2) * int64(g1) - f5g2 := int64(f5) * int64(g2) - f5g3_2 := int64(f5_2) * int64(g3) - f5g4 := int64(f5) * int64(g4) - f5g5_38 := int64(f5_2) * int64(g5_19) - f5g6_19 := int64(f5) * int64(g6_19) - f5g7_38 := int64(f5_2) * int64(g7_19) - f5g8_19 := int64(f5) * int64(g8_19) - f5g9_38 := int64(f5_2) * int64(g9_19) - f6g0 := int64(f6) * int64(g0) - f6g1 := int64(f6) * int64(g1) - f6g2 := int64(f6) * int64(g2) - f6g3 := int64(f6) * int64(g3) - f6g4_19 := int64(f6) * int64(g4_19) - f6g5_19 := int64(f6) * int64(g5_19) - f6g6_19 := int64(f6) * int64(g6_19) - f6g7_19 := int64(f6) * int64(g7_19) - f6g8_19 := int64(f6) * int64(g8_19) - f6g9_19 := int64(f6) * int64(g9_19) - f7g0 := int64(f7) * int64(g0) - f7g1_2 := int64(f7_2) * int64(g1) - f7g2 := int64(f7) * int64(g2) - f7g3_38 := int64(f7_2) * int64(g3_19) - f7g4_19 := int64(f7) * int64(g4_19) - f7g5_38 := int64(f7_2) * int64(g5_19) - f7g6_19 := int64(f7) * int64(g6_19) - f7g7_38 := int64(f7_2) * int64(g7_19) - f7g8_19 := int64(f7) * int64(g8_19) - f7g9_38 := int64(f7_2) * int64(g9_19) - f8g0 := int64(f8) * int64(g0) - f8g1 := int64(f8) * int64(g1) - f8g2_19 := int64(f8) * int64(g2_19) - f8g3_19 := int64(f8) * int64(g3_19) - f8g4_19 := int64(f8) * int64(g4_19) - f8g5_19 := int64(f8) * int64(g5_19) - f8g6_19 := int64(f8) * int64(g6_19) - f8g7_19 := int64(f8) * int64(g7_19) - f8g8_19 := int64(f8) * int64(g8_19) - f8g9_19 := int64(f8) * int64(g9_19) - f9g0 := int64(f9) * int64(g0) - f9g1_38 := int64(f9_2) * int64(g1_19) - f9g2_19 := int64(f9) * int64(g2_19) - f9g3_38 := int64(f9_2) * int64(g3_19) - f9g4_19 := int64(f9) * int64(g4_19) - f9g5_38 := int64(f9_2) * int64(g5_19) - f9g6_19 := int64(f9) * int64(g6_19) - f9g7_38 := int64(f9_2) * int64(g7_19) - f9g8_19 := int64(f9) * int64(g8_19) - f9g9_38 := int64(f9_2) * int64(g9_19) - h0 := f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38 - h1 := f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19 - h2 := f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38 - h3 := f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19 - h4 := f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38 - h5 := f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19 - h6 := f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38 - h7 := f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19 - h8 := f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38 - h9 := f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0 - var carry [10]int64 - - // |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38)) - // i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8 - // |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19)) - // i.e. |h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9 - - carry[0] = (h0 + (1 << 25)) >> 26 - h1 += carry[0] - h0 -= carry[0] << 26 - carry[4] = (h4 + (1 << 25)) >> 26 - h5 += carry[4] - h4 -= carry[4] << 26 - // |h0| <= 2^25 - // |h4| <= 2^25 - // |h1| <= 1.51*2^58 - // |h5| <= 1.51*2^58 - - carry[1] = (h1 + (1 << 24)) >> 25 - h2 += carry[1] - h1 -= carry[1] << 25 - carry[5] = (h5 + (1 << 24)) >> 25 - h6 += carry[5] - h5 -= carry[5] << 25 - // |h1| <= 2^24; from now on fits into int32 - // |h5| <= 2^24; from now on fits into int32 - // |h2| <= 1.21*2^59 - // |h6| <= 1.21*2^59 - - carry[2] = (h2 + (1 << 25)) >> 26 - h3 += carry[2] - h2 -= carry[2] << 26 - carry[6] = (h6 + (1 << 25)) >> 26 - h7 += carry[6] - h6 -= carry[6] << 26 - // |h2| <= 2^25; from now on fits into int32 unchanged - // |h6| <= 2^25; from now on fits into int32 unchanged - // |h3| <= 1.51*2^58 - // |h7| <= 1.51*2^58 - - carry[3] = (h3 + (1 << 24)) >> 25 - h4 += carry[3] - h3 -= carry[3] << 25 - carry[7] = (h7 + (1 << 24)) >> 25 - h8 += carry[7] - h7 -= carry[7] << 25 - // |h3| <= 2^24; from now on fits into int32 unchanged - // |h7| <= 2^24; from now on fits into int32 unchanged - // |h4| <= 1.52*2^33 - // |h8| <= 1.52*2^33 - - carry[4] = (h4 + (1 << 25)) >> 26 - h5 += carry[4] - h4 -= carry[4] << 26 - carry[8] = (h8 + (1 << 25)) >> 26 - h9 += carry[8] - h8 -= carry[8] << 26 - // |h4| <= 2^25; from now on fits into int32 unchanged - // |h8| <= 2^25; from now on fits into int32 unchanged - // |h5| <= 1.01*2^24 - // |h9| <= 1.51*2^58 - - carry[9] = (h9 + (1 << 24)) >> 25 - h0 += carry[9] * 19 - h9 -= carry[9] << 25 - // |h9| <= 2^24; from now on fits into int32 unchanged - // |h0| <= 1.8*2^37 - - carry[0] = (h0 + (1 << 25)) >> 26 - h1 += carry[0] - h0 -= carry[0] << 26 - // |h0| <= 2^25; from now on fits into int32 unchanged - // |h1| <= 1.01*2^24 - - h[0] = int32(h0) - h[1] = int32(h1) - h[2] = int32(h2) - h[3] = int32(h3) - h[4] = int32(h4) - h[5] = int32(h5) - h[6] = int32(h6) - h[7] = int32(h7) - h[8] = int32(h8) - h[9] = int32(h9) -} - -// feSquare calculates h = f*f. Can overlap h with f. -// -// Preconditions: -// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. -// -// Postconditions: -// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. -func feSquare(h, f *fieldElement) { - f0 := f[0] - f1 := f[1] - f2 := f[2] - f3 := f[3] - f4 := f[4] - f5 := f[5] - f6 := f[6] - f7 := f[7] - f8 := f[8] - f9 := f[9] - f0_2 := 2 * f0 - f1_2 := 2 * f1 - f2_2 := 2 * f2 - f3_2 := 2 * f3 - f4_2 := 2 * f4 - f5_2 := 2 * f5 - f6_2 := 2 * f6 - f7_2 := 2 * f7 - f5_38 := 38 * f5 // 1.31*2^30 - f6_19 := 19 * f6 // 1.31*2^30 - f7_38 := 38 * f7 // 1.31*2^30 - f8_19 := 19 * f8 // 1.31*2^30 - f9_38 := 38 * f9 // 1.31*2^30 - f0f0 := int64(f0) * int64(f0) - f0f1_2 := int64(f0_2) * int64(f1) - f0f2_2 := int64(f0_2) * int64(f2) - f0f3_2 := int64(f0_2) * int64(f3) - f0f4_2 := int64(f0_2) * int64(f4) - f0f5_2 := int64(f0_2) * int64(f5) - f0f6_2 := int64(f0_2) * int64(f6) - f0f7_2 := int64(f0_2) * int64(f7) - f0f8_2 := int64(f0_2) * int64(f8) - f0f9_2 := int64(f0_2) * int64(f9) - f1f1_2 := int64(f1_2) * int64(f1) - f1f2_2 := int64(f1_2) * int64(f2) - f1f3_4 := int64(f1_2) * int64(f3_2) - f1f4_2 := int64(f1_2) * int64(f4) - f1f5_4 := int64(f1_2) * int64(f5_2) - f1f6_2 := int64(f1_2) * int64(f6) - f1f7_4 := int64(f1_2) * int64(f7_2) - f1f8_2 := int64(f1_2) * int64(f8) - f1f9_76 := int64(f1_2) * int64(f9_38) - f2f2 := int64(f2) * int64(f2) - f2f3_2 := int64(f2_2) * int64(f3) - f2f4_2 := int64(f2_2) * int64(f4) - f2f5_2 := int64(f2_2) * int64(f5) - f2f6_2 := int64(f2_2) * int64(f6) - f2f7_2 := int64(f2_2) * int64(f7) - f2f8_38 := int64(f2_2) * int64(f8_19) - f2f9_38 := int64(f2) * int64(f9_38) - f3f3_2 := int64(f3_2) * int64(f3) - f3f4_2 := int64(f3_2) * int64(f4) - f3f5_4 := int64(f3_2) * int64(f5_2) - f3f6_2 := int64(f3_2) * int64(f6) - f3f7_76 := int64(f3_2) * int64(f7_38) - f3f8_38 := int64(f3_2) * int64(f8_19) - f3f9_76 := int64(f3_2) * int64(f9_38) - f4f4 := int64(f4) * int64(f4) - f4f5_2 := int64(f4_2) * int64(f5) - f4f6_38 := int64(f4_2) * int64(f6_19) - f4f7_38 := int64(f4) * int64(f7_38) - f4f8_38 := int64(f4_2) * int64(f8_19) - f4f9_38 := int64(f4) * int64(f9_38) - f5f5_38 := int64(f5) * int64(f5_38) - f5f6_38 := int64(f5_2) * int64(f6_19) - f5f7_76 := int64(f5_2) * int64(f7_38) - f5f8_38 := int64(f5_2) * int64(f8_19) - f5f9_76 := int64(f5_2) * int64(f9_38) - f6f6_19 := int64(f6) * int64(f6_19) - f6f7_38 := int64(f6) * int64(f7_38) - f6f8_38 := int64(f6_2) * int64(f8_19) - f6f9_38 := int64(f6) * int64(f9_38) - f7f7_38 := int64(f7) * int64(f7_38) - f7f8_38 := int64(f7_2) * int64(f8_19) - f7f9_76 := int64(f7_2) * int64(f9_38) - f8f8_19 := int64(f8) * int64(f8_19) - f8f9_38 := int64(f8) * int64(f9_38) - f9f9_38 := int64(f9) * int64(f9_38) - h0 := f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38 - h1 := f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38 - h2 := f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19 - h3 := f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38 - h4 := f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38 - h5 := f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38 - h6 := f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19 - h7 := f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38 - h8 := f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38 - h9 := f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2 - var carry [10]int64 - - carry[0] = (h0 + (1 << 25)) >> 26 - h1 += carry[0] - h0 -= carry[0] << 26 - carry[4] = (h4 + (1 << 25)) >> 26 - h5 += carry[4] - h4 -= carry[4] << 26 - - carry[1] = (h1 + (1 << 24)) >> 25 - h2 += carry[1] - h1 -= carry[1] << 25 - carry[5] = (h5 + (1 << 24)) >> 25 - h6 += carry[5] - h5 -= carry[5] << 25 - - carry[2] = (h2 + (1 << 25)) >> 26 - h3 += carry[2] - h2 -= carry[2] << 26 - carry[6] = (h6 + (1 << 25)) >> 26 - h7 += carry[6] - h6 -= carry[6] << 26 - - carry[3] = (h3 + (1 << 24)) >> 25 - h4 += carry[3] - h3 -= carry[3] << 25 - carry[7] = (h7 + (1 << 24)) >> 25 - h8 += carry[7] - h7 -= carry[7] << 25 - - carry[4] = (h4 + (1 << 25)) >> 26 - h5 += carry[4] - h4 -= carry[4] << 26 - carry[8] = (h8 + (1 << 25)) >> 26 - h9 += carry[8] - h8 -= carry[8] << 26 - - carry[9] = (h9 + (1 << 24)) >> 25 - h0 += carry[9] * 19 - h9 -= carry[9] << 25 - - carry[0] = (h0 + (1 << 25)) >> 26 - h1 += carry[0] - h0 -= carry[0] << 26 - - h[0] = int32(h0) - h[1] = int32(h1) - h[2] = int32(h2) - h[3] = int32(h3) - h[4] = int32(h4) - h[5] = int32(h5) - h[6] = int32(h6) - h[7] = int32(h7) - h[8] = int32(h8) - h[9] = int32(h9) -} - -// feMul121666 calculates h = f * 121666. Can overlap h with f. -// -// Preconditions: -// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. -// -// Postconditions: -// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. -func feMul121666(h, f *fieldElement) { - h0 := int64(f[0]) * 121666 - h1 := int64(f[1]) * 121666 - h2 := int64(f[2]) * 121666 - h3 := int64(f[3]) * 121666 - h4 := int64(f[4]) * 121666 - h5 := int64(f[5]) * 121666 - h6 := int64(f[6]) * 121666 - h7 := int64(f[7]) * 121666 - h8 := int64(f[8]) * 121666 - h9 := int64(f[9]) * 121666 - var carry [10]int64 - - carry[9] = (h9 + (1 << 24)) >> 25 - h0 += carry[9] * 19 - h9 -= carry[9] << 25 - carry[1] = (h1 + (1 << 24)) >> 25 - h2 += carry[1] - h1 -= carry[1] << 25 - carry[3] = (h3 + (1 << 24)) >> 25 - h4 += carry[3] - h3 -= carry[3] << 25 - carry[5] = (h5 + (1 << 24)) >> 25 - h6 += carry[5] - h5 -= carry[5] << 25 - carry[7] = (h7 + (1 << 24)) >> 25 - h8 += carry[7] - h7 -= carry[7] << 25 - - carry[0] = (h0 + (1 << 25)) >> 26 - h1 += carry[0] - h0 -= carry[0] << 26 - carry[2] = (h2 + (1 << 25)) >> 26 - h3 += carry[2] - h2 -= carry[2] << 26 - carry[4] = (h4 + (1 << 25)) >> 26 - h5 += carry[4] - h4 -= carry[4] << 26 - carry[6] = (h6 + (1 << 25)) >> 26 - h7 += carry[6] - h6 -= carry[6] << 26 - carry[8] = (h8 + (1 << 25)) >> 26 - h9 += carry[8] - h8 -= carry[8] << 26 - - h[0] = int32(h0) - h[1] = int32(h1) - h[2] = int32(h2) - h[3] = int32(h3) - h[4] = int32(h4) - h[5] = int32(h5) - h[6] = int32(h6) - h[7] = int32(h7) - h[8] = int32(h8) - h[9] = int32(h9) -} - -// feInvert sets out = z^-1. -func feInvert(out, z *fieldElement) { - var t0, t1, t2, t3 fieldElement - var i int - - feSquare(&t0, z) - for i = 1; i < 1; i++ { - feSquare(&t0, &t0) - } - feSquare(&t1, &t0) - for i = 1; i < 2; i++ { - feSquare(&t1, &t1) - } - feMul(&t1, z, &t1) - feMul(&t0, &t0, &t1) - feSquare(&t2, &t0) - for i = 1; i < 1; i++ { - feSquare(&t2, &t2) - } - feMul(&t1, &t1, &t2) - feSquare(&t2, &t1) - for i = 1; i < 5; i++ { - feSquare(&t2, &t2) - } - feMul(&t1, &t2, &t1) - feSquare(&t2, &t1) - for i = 1; i < 10; i++ { - feSquare(&t2, &t2) - } - feMul(&t2, &t2, &t1) - feSquare(&t3, &t2) - for i = 1; i < 20; i++ { - feSquare(&t3, &t3) - } - feMul(&t2, &t3, &t2) - feSquare(&t2, &t2) - for i = 1; i < 10; i++ { - feSquare(&t2, &t2) - } - feMul(&t1, &t2, &t1) - feSquare(&t2, &t1) - for i = 1; i < 50; i++ { - feSquare(&t2, &t2) - } - feMul(&t2, &t2, &t1) - feSquare(&t3, &t2) - for i = 1; i < 100; i++ { - feSquare(&t3, &t3) - } - feMul(&t2, &t3, &t2) - feSquare(&t2, &t2) - for i = 1; i < 50; i++ { - feSquare(&t2, &t2) - } - feMul(&t1, &t2, &t1) - feSquare(&t1, &t1) - for i = 1; i < 5; i++ { - feSquare(&t1, &t1) - } - feMul(out, &t1, &t0) -} - -func scalarMult(out, in, base *[32]byte) { - var e [32]byte - - copy(e[:], in[:]) - e[0] &= 248 - e[31] &= 127 - e[31] |= 64 - - var x1, x2, z2, x3, z3, tmp0, tmp1 fieldElement - feFromBytes(&x1, base) - feOne(&x2) - feCopy(&x3, &x1) - feOne(&z3) - - swap := int32(0) - for pos := 254; pos >= 0; pos-- { - b := e[pos/8] >> uint(pos&7) - b &= 1 - swap ^= int32(b) - feCSwap(&x2, &x3, swap) - feCSwap(&z2, &z3, swap) - swap = int32(b) - - feSub(&tmp0, &x3, &z3) - feSub(&tmp1, &x2, &z2) - feAdd(&x2, &x2, &z2) - feAdd(&z2, &x3, &z3) - feMul(&z3, &tmp0, &x2) - feMul(&z2, &z2, &tmp1) - feSquare(&tmp0, &tmp1) - feSquare(&tmp1, &x2) - feAdd(&x3, &z3, &z2) - feSub(&z2, &z3, &z2) - feMul(&x2, &tmp1, &tmp0) - feSub(&tmp1, &tmp1, &tmp0) - feSquare(&z2, &z2) - feMul121666(&z3, &tmp1) - feSquare(&x3, &x3) - feAdd(&tmp0, &tmp0, &z3) - feMul(&z3, &x1, &z2) - feMul(&z2, &tmp1, &tmp0) - } - - feCSwap(&x2, &x3, swap) - feCSwap(&z2, &z3, swap) - - feInvert(&z2, &z2) - feMul(&x2, &x2, &z2) - feToBytes(out, &x2) -} diff --git a/vendor/golang.org/x/crypto/curve25519/doc.go b/vendor/golang.org/x/crypto/curve25519/doc.go deleted file mode 100644 index da9b10d9c..000000000 --- a/vendor/golang.org/x/crypto/curve25519/doc.go +++ /dev/null @@ -1,23 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package curve25519 provides an implementation of scalar multiplication on -// the elliptic curve known as curve25519. See https://cr.yp.to/ecdh.html -package curve25519 // import "golang.org/x/crypto/curve25519" - -// basePoint is the x coordinate of the generator of the curve. -var basePoint = [32]byte{9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} - -// ScalarMult sets dst to the product in*base where dst and base are the x -// coordinates of group points and all values are in little-endian form. -func ScalarMult(dst, in, base *[32]byte) { - scalarMult(dst, in, base) -} - -// ScalarBaseMult sets dst to the product in*base where dst and base are the x -// coordinates of group points, base is the standard generator and all values -// are in little-endian form. -func ScalarBaseMult(dst, in *[32]byte) { - ScalarMult(dst, in, &basePoint) -} diff --git a/vendor/golang.org/x/crypto/curve25519/freeze_amd64.s b/vendor/golang.org/x/crypto/curve25519/freeze_amd64.s deleted file mode 100644 index 390816106..000000000 --- a/vendor/golang.org/x/crypto/curve25519/freeze_amd64.s +++ /dev/null @@ -1,73 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// This code was translated into a form compatible with 6a from the public -// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html - -// +build amd64,!gccgo,!appengine - -#include "const_amd64.h" - -// func freeze(inout *[5]uint64) -TEXT ·freeze(SB),7,$0-8 - MOVQ inout+0(FP), DI - - MOVQ 0(DI),SI - MOVQ 8(DI),DX - MOVQ 16(DI),CX - MOVQ 24(DI),R8 - MOVQ 32(DI),R9 - MOVQ $REDMASK51,AX - MOVQ AX,R10 - SUBQ $18,R10 - MOVQ $3,R11 -REDUCELOOP: - MOVQ SI,R12 - SHRQ $51,R12 - ANDQ AX,SI - ADDQ R12,DX - MOVQ DX,R12 - SHRQ $51,R12 - ANDQ AX,DX - ADDQ R12,CX - MOVQ CX,R12 - SHRQ $51,R12 - ANDQ AX,CX - ADDQ R12,R8 - MOVQ R8,R12 - SHRQ $51,R12 - ANDQ AX,R8 - ADDQ R12,R9 - MOVQ R9,R12 - SHRQ $51,R12 - ANDQ AX,R9 - IMUL3Q $19,R12,R12 - ADDQ R12,SI - SUBQ $1,R11 - JA REDUCELOOP - MOVQ $1,R12 - CMPQ R10,SI - CMOVQLT R11,R12 - CMPQ AX,DX - CMOVQNE R11,R12 - CMPQ AX,CX - CMOVQNE R11,R12 - CMPQ AX,R8 - CMOVQNE R11,R12 - CMPQ AX,R9 - CMOVQNE R11,R12 - NEGQ R12 - ANDQ R12,AX - ANDQ R12,R10 - SUBQ R10,SI - SUBQ AX,DX - SUBQ AX,CX - SUBQ AX,R8 - SUBQ AX,R9 - MOVQ SI,0(DI) - MOVQ DX,8(DI) - MOVQ CX,16(DI) - MOVQ R8,24(DI) - MOVQ R9,32(DI) - RET diff --git a/vendor/golang.org/x/crypto/curve25519/ladderstep_amd64.s b/vendor/golang.org/x/crypto/curve25519/ladderstep_amd64.s deleted file mode 100644 index 9e9040b25..000000000 --- a/vendor/golang.org/x/crypto/curve25519/ladderstep_amd64.s +++ /dev/null @@ -1,1377 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// This code was translated into a form compatible with 6a from the public -// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html - -// +build amd64,!gccgo,!appengine - -#include "const_amd64.h" - -// func ladderstep(inout *[5][5]uint64) -TEXT ·ladderstep(SB),0,$296-8 - MOVQ inout+0(FP),DI - - MOVQ 40(DI),SI - MOVQ 48(DI),DX - MOVQ 56(DI),CX - MOVQ 64(DI),R8 - MOVQ 72(DI),R9 - MOVQ SI,AX - MOVQ DX,R10 - MOVQ CX,R11 - MOVQ R8,R12 - MOVQ R9,R13 - ADDQ ·_2P0(SB),AX - ADDQ ·_2P1234(SB),R10 - ADDQ ·_2P1234(SB),R11 - ADDQ ·_2P1234(SB),R12 - ADDQ ·_2P1234(SB),R13 - ADDQ 80(DI),SI - ADDQ 88(DI),DX - ADDQ 96(DI),CX - ADDQ 104(DI),R8 - ADDQ 112(DI),R9 - SUBQ 80(DI),AX - SUBQ 88(DI),R10 - SUBQ 96(DI),R11 - SUBQ 104(DI),R12 - SUBQ 112(DI),R13 - MOVQ SI,0(SP) - MOVQ DX,8(SP) - MOVQ CX,16(SP) - MOVQ R8,24(SP) - MOVQ R9,32(SP) - MOVQ AX,40(SP) - MOVQ R10,48(SP) - MOVQ R11,56(SP) - MOVQ R12,64(SP) - MOVQ R13,72(SP) - MOVQ 40(SP),AX - MULQ 40(SP) - MOVQ AX,SI - MOVQ DX,CX - MOVQ 40(SP),AX - SHLQ $1,AX - MULQ 48(SP) - MOVQ AX,R8 - MOVQ DX,R9 - MOVQ 40(SP),AX - SHLQ $1,AX - MULQ 56(SP) - MOVQ AX,R10 - MOVQ DX,R11 - MOVQ 40(SP),AX - SHLQ $1,AX - MULQ 64(SP) - MOVQ AX,R12 - MOVQ DX,R13 - MOVQ 40(SP),AX - SHLQ $1,AX - MULQ 72(SP) - MOVQ AX,R14 - MOVQ DX,R15 - MOVQ 48(SP),AX - MULQ 48(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 48(SP),AX - SHLQ $1,AX - MULQ 56(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 48(SP),AX - SHLQ $1,AX - MULQ 64(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 48(SP),DX - IMUL3Q $38,DX,AX - MULQ 72(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 56(SP),AX - MULQ 56(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 56(SP),DX - IMUL3Q $38,DX,AX - MULQ 64(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 56(SP),DX - IMUL3Q $38,DX,AX - MULQ 72(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 64(SP),DX - IMUL3Q $19,DX,AX - MULQ 64(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 64(SP),DX - IMUL3Q $38,DX,AX - MULQ 72(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 72(SP),DX - IMUL3Q $19,DX,AX - MULQ 72(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ $REDMASK51,DX - SHLQ $13,CX:SI - ANDQ DX,SI - SHLQ $13,R9:R8 - ANDQ DX,R8 - ADDQ CX,R8 - SHLQ $13,R11:R10 - ANDQ DX,R10 - ADDQ R9,R10 - SHLQ $13,R13:R12 - ANDQ DX,R12 - ADDQ R11,R12 - SHLQ $13,R15:R14 - ANDQ DX,R14 - ADDQ R13,R14 - IMUL3Q $19,R15,CX - ADDQ CX,SI - MOVQ SI,CX - SHRQ $51,CX - ADDQ R8,CX - ANDQ DX,SI - MOVQ CX,R8 - SHRQ $51,CX - ADDQ R10,CX - ANDQ DX,R8 - MOVQ CX,R9 - SHRQ $51,CX - ADDQ R12,CX - ANDQ DX,R9 - MOVQ CX,AX - SHRQ $51,CX - ADDQ R14,CX - ANDQ DX,AX - MOVQ CX,R10 - SHRQ $51,CX - IMUL3Q $19,CX,CX - ADDQ CX,SI - ANDQ DX,R10 - MOVQ SI,80(SP) - MOVQ R8,88(SP) - MOVQ R9,96(SP) - MOVQ AX,104(SP) - MOVQ R10,112(SP) - MOVQ 0(SP),AX - MULQ 0(SP) - MOVQ AX,SI - MOVQ DX,CX - MOVQ 0(SP),AX - SHLQ $1,AX - MULQ 8(SP) - MOVQ AX,R8 - MOVQ DX,R9 - MOVQ 0(SP),AX - SHLQ $1,AX - MULQ 16(SP) - MOVQ AX,R10 - MOVQ DX,R11 - MOVQ 0(SP),AX - SHLQ $1,AX - MULQ 24(SP) - MOVQ AX,R12 - MOVQ DX,R13 - MOVQ 0(SP),AX - SHLQ $1,AX - MULQ 32(SP) - MOVQ AX,R14 - MOVQ DX,R15 - MOVQ 8(SP),AX - MULQ 8(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 8(SP),AX - SHLQ $1,AX - MULQ 16(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 8(SP),AX - SHLQ $1,AX - MULQ 24(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 8(SP),DX - IMUL3Q $38,DX,AX - MULQ 32(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 16(SP),AX - MULQ 16(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 16(SP),DX - IMUL3Q $38,DX,AX - MULQ 24(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 16(SP),DX - IMUL3Q $38,DX,AX - MULQ 32(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 24(SP),DX - IMUL3Q $19,DX,AX - MULQ 24(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 24(SP),DX - IMUL3Q $38,DX,AX - MULQ 32(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 32(SP),DX - IMUL3Q $19,DX,AX - MULQ 32(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ $REDMASK51,DX - SHLQ $13,CX:SI - ANDQ DX,SI - SHLQ $13,R9:R8 - ANDQ DX,R8 - ADDQ CX,R8 - SHLQ $13,R11:R10 - ANDQ DX,R10 - ADDQ R9,R10 - SHLQ $13,R13:R12 - ANDQ DX,R12 - ADDQ R11,R12 - SHLQ $13,R15:R14 - ANDQ DX,R14 - ADDQ R13,R14 - IMUL3Q $19,R15,CX - ADDQ CX,SI - MOVQ SI,CX - SHRQ $51,CX - ADDQ R8,CX - ANDQ DX,SI - MOVQ CX,R8 - SHRQ $51,CX - ADDQ R10,CX - ANDQ DX,R8 - MOVQ CX,R9 - SHRQ $51,CX - ADDQ R12,CX - ANDQ DX,R9 - MOVQ CX,AX - SHRQ $51,CX - ADDQ R14,CX - ANDQ DX,AX - MOVQ CX,R10 - SHRQ $51,CX - IMUL3Q $19,CX,CX - ADDQ CX,SI - ANDQ DX,R10 - MOVQ SI,120(SP) - MOVQ R8,128(SP) - MOVQ R9,136(SP) - MOVQ AX,144(SP) - MOVQ R10,152(SP) - MOVQ SI,SI - MOVQ R8,DX - MOVQ R9,CX - MOVQ AX,R8 - MOVQ R10,R9 - ADDQ ·_2P0(SB),SI - ADDQ ·_2P1234(SB),DX - ADDQ ·_2P1234(SB),CX - ADDQ ·_2P1234(SB),R8 - ADDQ ·_2P1234(SB),R9 - SUBQ 80(SP),SI - SUBQ 88(SP),DX - SUBQ 96(SP),CX - SUBQ 104(SP),R8 - SUBQ 112(SP),R9 - MOVQ SI,160(SP) - MOVQ DX,168(SP) - MOVQ CX,176(SP) - MOVQ R8,184(SP) - MOVQ R9,192(SP) - MOVQ 120(DI),SI - MOVQ 128(DI),DX - MOVQ 136(DI),CX - MOVQ 144(DI),R8 - MOVQ 152(DI),R9 - MOVQ SI,AX - MOVQ DX,R10 - MOVQ CX,R11 - MOVQ R8,R12 - MOVQ R9,R13 - ADDQ ·_2P0(SB),AX - ADDQ ·_2P1234(SB),R10 - ADDQ ·_2P1234(SB),R11 - ADDQ ·_2P1234(SB),R12 - ADDQ ·_2P1234(SB),R13 - ADDQ 160(DI),SI - ADDQ 168(DI),DX - ADDQ 176(DI),CX - ADDQ 184(DI),R8 - ADDQ 192(DI),R9 - SUBQ 160(DI),AX - SUBQ 168(DI),R10 - SUBQ 176(DI),R11 - SUBQ 184(DI),R12 - SUBQ 192(DI),R13 - MOVQ SI,200(SP) - MOVQ DX,208(SP) - MOVQ CX,216(SP) - MOVQ R8,224(SP) - MOVQ R9,232(SP) - MOVQ AX,240(SP) - MOVQ R10,248(SP) - MOVQ R11,256(SP) - MOVQ R12,264(SP) - MOVQ R13,272(SP) - MOVQ 224(SP),SI - IMUL3Q $19,SI,AX - MOVQ AX,280(SP) - MULQ 56(SP) - MOVQ AX,SI - MOVQ DX,CX - MOVQ 232(SP),DX - IMUL3Q $19,DX,AX - MOVQ AX,288(SP) - MULQ 48(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 200(SP),AX - MULQ 40(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 200(SP),AX - MULQ 48(SP) - MOVQ AX,R8 - MOVQ DX,R9 - MOVQ 200(SP),AX - MULQ 56(SP) - MOVQ AX,R10 - MOVQ DX,R11 - MOVQ 200(SP),AX - MULQ 64(SP) - MOVQ AX,R12 - MOVQ DX,R13 - MOVQ 200(SP),AX - MULQ 72(SP) - MOVQ AX,R14 - MOVQ DX,R15 - MOVQ 208(SP),AX - MULQ 40(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 208(SP),AX - MULQ 48(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 208(SP),AX - MULQ 56(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 208(SP),AX - MULQ 64(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 208(SP),DX - IMUL3Q $19,DX,AX - MULQ 72(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 216(SP),AX - MULQ 40(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 216(SP),AX - MULQ 48(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 216(SP),AX - MULQ 56(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 216(SP),DX - IMUL3Q $19,DX,AX - MULQ 64(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 216(SP),DX - IMUL3Q $19,DX,AX - MULQ 72(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 224(SP),AX - MULQ 40(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 224(SP),AX - MULQ 48(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 280(SP),AX - MULQ 64(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 280(SP),AX - MULQ 72(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 232(SP),AX - MULQ 40(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 288(SP),AX - MULQ 56(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 288(SP),AX - MULQ 64(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 288(SP),AX - MULQ 72(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ $REDMASK51,DX - SHLQ $13,CX:SI - ANDQ DX,SI - SHLQ $13,R9:R8 - ANDQ DX,R8 - ADDQ CX,R8 - SHLQ $13,R11:R10 - ANDQ DX,R10 - ADDQ R9,R10 - SHLQ $13,R13:R12 - ANDQ DX,R12 - ADDQ R11,R12 - SHLQ $13,R15:R14 - ANDQ DX,R14 - ADDQ R13,R14 - IMUL3Q $19,R15,CX - ADDQ CX,SI - MOVQ SI,CX - SHRQ $51,CX - ADDQ R8,CX - MOVQ CX,R8 - SHRQ $51,CX - ANDQ DX,SI - ADDQ R10,CX - MOVQ CX,R9 - SHRQ $51,CX - ANDQ DX,R8 - ADDQ R12,CX - MOVQ CX,AX - SHRQ $51,CX - ANDQ DX,R9 - ADDQ R14,CX - MOVQ CX,R10 - SHRQ $51,CX - ANDQ DX,AX - IMUL3Q $19,CX,CX - ADDQ CX,SI - ANDQ DX,R10 - MOVQ SI,40(SP) - MOVQ R8,48(SP) - MOVQ R9,56(SP) - MOVQ AX,64(SP) - MOVQ R10,72(SP) - MOVQ 264(SP),SI - IMUL3Q $19,SI,AX - MOVQ AX,200(SP) - MULQ 16(SP) - MOVQ AX,SI - MOVQ DX,CX - MOVQ 272(SP),DX - IMUL3Q $19,DX,AX - MOVQ AX,208(SP) - MULQ 8(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 240(SP),AX - MULQ 0(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 240(SP),AX - MULQ 8(SP) - MOVQ AX,R8 - MOVQ DX,R9 - MOVQ 240(SP),AX - MULQ 16(SP) - MOVQ AX,R10 - MOVQ DX,R11 - MOVQ 240(SP),AX - MULQ 24(SP) - MOVQ AX,R12 - MOVQ DX,R13 - MOVQ 240(SP),AX - MULQ 32(SP) - MOVQ AX,R14 - MOVQ DX,R15 - MOVQ 248(SP),AX - MULQ 0(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 248(SP),AX - MULQ 8(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 248(SP),AX - MULQ 16(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 248(SP),AX - MULQ 24(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 248(SP),DX - IMUL3Q $19,DX,AX - MULQ 32(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 256(SP),AX - MULQ 0(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 256(SP),AX - MULQ 8(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 256(SP),AX - MULQ 16(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 256(SP),DX - IMUL3Q $19,DX,AX - MULQ 24(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 256(SP),DX - IMUL3Q $19,DX,AX - MULQ 32(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 264(SP),AX - MULQ 0(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 264(SP),AX - MULQ 8(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 200(SP),AX - MULQ 24(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 200(SP),AX - MULQ 32(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 272(SP),AX - MULQ 0(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 208(SP),AX - MULQ 16(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 208(SP),AX - MULQ 24(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 208(SP),AX - MULQ 32(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ $REDMASK51,DX - SHLQ $13,CX:SI - ANDQ DX,SI - SHLQ $13,R9:R8 - ANDQ DX,R8 - ADDQ CX,R8 - SHLQ $13,R11:R10 - ANDQ DX,R10 - ADDQ R9,R10 - SHLQ $13,R13:R12 - ANDQ DX,R12 - ADDQ R11,R12 - SHLQ $13,R15:R14 - ANDQ DX,R14 - ADDQ R13,R14 - IMUL3Q $19,R15,CX - ADDQ CX,SI - MOVQ SI,CX - SHRQ $51,CX - ADDQ R8,CX - MOVQ CX,R8 - SHRQ $51,CX - ANDQ DX,SI - ADDQ R10,CX - MOVQ CX,R9 - SHRQ $51,CX - ANDQ DX,R8 - ADDQ R12,CX - MOVQ CX,AX - SHRQ $51,CX - ANDQ DX,R9 - ADDQ R14,CX - MOVQ CX,R10 - SHRQ $51,CX - ANDQ DX,AX - IMUL3Q $19,CX,CX - ADDQ CX,SI - ANDQ DX,R10 - MOVQ SI,DX - MOVQ R8,CX - MOVQ R9,R11 - MOVQ AX,R12 - MOVQ R10,R13 - ADDQ ·_2P0(SB),DX - ADDQ ·_2P1234(SB),CX - ADDQ ·_2P1234(SB),R11 - ADDQ ·_2P1234(SB),R12 - ADDQ ·_2P1234(SB),R13 - ADDQ 40(SP),SI - ADDQ 48(SP),R8 - ADDQ 56(SP),R9 - ADDQ 64(SP),AX - ADDQ 72(SP),R10 - SUBQ 40(SP),DX - SUBQ 48(SP),CX - SUBQ 56(SP),R11 - SUBQ 64(SP),R12 - SUBQ 72(SP),R13 - MOVQ SI,120(DI) - MOVQ R8,128(DI) - MOVQ R9,136(DI) - MOVQ AX,144(DI) - MOVQ R10,152(DI) - MOVQ DX,160(DI) - MOVQ CX,168(DI) - MOVQ R11,176(DI) - MOVQ R12,184(DI) - MOVQ R13,192(DI) - MOVQ 120(DI),AX - MULQ 120(DI) - MOVQ AX,SI - MOVQ DX,CX - MOVQ 120(DI),AX - SHLQ $1,AX - MULQ 128(DI) - MOVQ AX,R8 - MOVQ DX,R9 - MOVQ 120(DI),AX - SHLQ $1,AX - MULQ 136(DI) - MOVQ AX,R10 - MOVQ DX,R11 - MOVQ 120(DI),AX - SHLQ $1,AX - MULQ 144(DI) - MOVQ AX,R12 - MOVQ DX,R13 - MOVQ 120(DI),AX - SHLQ $1,AX - MULQ 152(DI) - MOVQ AX,R14 - MOVQ DX,R15 - MOVQ 128(DI),AX - MULQ 128(DI) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 128(DI),AX - SHLQ $1,AX - MULQ 136(DI) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 128(DI),AX - SHLQ $1,AX - MULQ 144(DI) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 128(DI),DX - IMUL3Q $38,DX,AX - MULQ 152(DI) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 136(DI),AX - MULQ 136(DI) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 136(DI),DX - IMUL3Q $38,DX,AX - MULQ 144(DI) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 136(DI),DX - IMUL3Q $38,DX,AX - MULQ 152(DI) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 144(DI),DX - IMUL3Q $19,DX,AX - MULQ 144(DI) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 144(DI),DX - IMUL3Q $38,DX,AX - MULQ 152(DI) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 152(DI),DX - IMUL3Q $19,DX,AX - MULQ 152(DI) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ $REDMASK51,DX - SHLQ $13,CX:SI - ANDQ DX,SI - SHLQ $13,R9:R8 - ANDQ DX,R8 - ADDQ CX,R8 - SHLQ $13,R11:R10 - ANDQ DX,R10 - ADDQ R9,R10 - SHLQ $13,R13:R12 - ANDQ DX,R12 - ADDQ R11,R12 - SHLQ $13,R15:R14 - ANDQ DX,R14 - ADDQ R13,R14 - IMUL3Q $19,R15,CX - ADDQ CX,SI - MOVQ SI,CX - SHRQ $51,CX - ADDQ R8,CX - ANDQ DX,SI - MOVQ CX,R8 - SHRQ $51,CX - ADDQ R10,CX - ANDQ DX,R8 - MOVQ CX,R9 - SHRQ $51,CX - ADDQ R12,CX - ANDQ DX,R9 - MOVQ CX,AX - SHRQ $51,CX - ADDQ R14,CX - ANDQ DX,AX - MOVQ CX,R10 - SHRQ $51,CX - IMUL3Q $19,CX,CX - ADDQ CX,SI - ANDQ DX,R10 - MOVQ SI,120(DI) - MOVQ R8,128(DI) - MOVQ R9,136(DI) - MOVQ AX,144(DI) - MOVQ R10,152(DI) - MOVQ 160(DI),AX - MULQ 160(DI) - MOVQ AX,SI - MOVQ DX,CX - MOVQ 160(DI),AX - SHLQ $1,AX - MULQ 168(DI) - MOVQ AX,R8 - MOVQ DX,R9 - MOVQ 160(DI),AX - SHLQ $1,AX - MULQ 176(DI) - MOVQ AX,R10 - MOVQ DX,R11 - MOVQ 160(DI),AX - SHLQ $1,AX - MULQ 184(DI) - MOVQ AX,R12 - MOVQ DX,R13 - MOVQ 160(DI),AX - SHLQ $1,AX - MULQ 192(DI) - MOVQ AX,R14 - MOVQ DX,R15 - MOVQ 168(DI),AX - MULQ 168(DI) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 168(DI),AX - SHLQ $1,AX - MULQ 176(DI) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 168(DI),AX - SHLQ $1,AX - MULQ 184(DI) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 168(DI),DX - IMUL3Q $38,DX,AX - MULQ 192(DI) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 176(DI),AX - MULQ 176(DI) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 176(DI),DX - IMUL3Q $38,DX,AX - MULQ 184(DI) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 176(DI),DX - IMUL3Q $38,DX,AX - MULQ 192(DI) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 184(DI),DX - IMUL3Q $19,DX,AX - MULQ 184(DI) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 184(DI),DX - IMUL3Q $38,DX,AX - MULQ 192(DI) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 192(DI),DX - IMUL3Q $19,DX,AX - MULQ 192(DI) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ $REDMASK51,DX - SHLQ $13,CX:SI - ANDQ DX,SI - SHLQ $13,R9:R8 - ANDQ DX,R8 - ADDQ CX,R8 - SHLQ $13,R11:R10 - ANDQ DX,R10 - ADDQ R9,R10 - SHLQ $13,R13:R12 - ANDQ DX,R12 - ADDQ R11,R12 - SHLQ $13,R15:R14 - ANDQ DX,R14 - ADDQ R13,R14 - IMUL3Q $19,R15,CX - ADDQ CX,SI - MOVQ SI,CX - SHRQ $51,CX - ADDQ R8,CX - ANDQ DX,SI - MOVQ CX,R8 - SHRQ $51,CX - ADDQ R10,CX - ANDQ DX,R8 - MOVQ CX,R9 - SHRQ $51,CX - ADDQ R12,CX - ANDQ DX,R9 - MOVQ CX,AX - SHRQ $51,CX - ADDQ R14,CX - ANDQ DX,AX - MOVQ CX,R10 - SHRQ $51,CX - IMUL3Q $19,CX,CX - ADDQ CX,SI - ANDQ DX,R10 - MOVQ SI,160(DI) - MOVQ R8,168(DI) - MOVQ R9,176(DI) - MOVQ AX,184(DI) - MOVQ R10,192(DI) - MOVQ 184(DI),SI - IMUL3Q $19,SI,AX - MOVQ AX,0(SP) - MULQ 16(DI) - MOVQ AX,SI - MOVQ DX,CX - MOVQ 192(DI),DX - IMUL3Q $19,DX,AX - MOVQ AX,8(SP) - MULQ 8(DI) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 160(DI),AX - MULQ 0(DI) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 160(DI),AX - MULQ 8(DI) - MOVQ AX,R8 - MOVQ DX,R9 - MOVQ 160(DI),AX - MULQ 16(DI) - MOVQ AX,R10 - MOVQ DX,R11 - MOVQ 160(DI),AX - MULQ 24(DI) - MOVQ AX,R12 - MOVQ DX,R13 - MOVQ 160(DI),AX - MULQ 32(DI) - MOVQ AX,R14 - MOVQ DX,R15 - MOVQ 168(DI),AX - MULQ 0(DI) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 168(DI),AX - MULQ 8(DI) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 168(DI),AX - MULQ 16(DI) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 168(DI),AX - MULQ 24(DI) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 168(DI),DX - IMUL3Q $19,DX,AX - MULQ 32(DI) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 176(DI),AX - MULQ 0(DI) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 176(DI),AX - MULQ 8(DI) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 176(DI),AX - MULQ 16(DI) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 176(DI),DX - IMUL3Q $19,DX,AX - MULQ 24(DI) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 176(DI),DX - IMUL3Q $19,DX,AX - MULQ 32(DI) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 184(DI),AX - MULQ 0(DI) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 184(DI),AX - MULQ 8(DI) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 0(SP),AX - MULQ 24(DI) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 0(SP),AX - MULQ 32(DI) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 192(DI),AX - MULQ 0(DI) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 8(SP),AX - MULQ 16(DI) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 8(SP),AX - MULQ 24(DI) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 8(SP),AX - MULQ 32(DI) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ $REDMASK51,DX - SHLQ $13,CX:SI - ANDQ DX,SI - SHLQ $13,R9:R8 - ANDQ DX,R8 - ADDQ CX,R8 - SHLQ $13,R11:R10 - ANDQ DX,R10 - ADDQ R9,R10 - SHLQ $13,R13:R12 - ANDQ DX,R12 - ADDQ R11,R12 - SHLQ $13,R15:R14 - ANDQ DX,R14 - ADDQ R13,R14 - IMUL3Q $19,R15,CX - ADDQ CX,SI - MOVQ SI,CX - SHRQ $51,CX - ADDQ R8,CX - MOVQ CX,R8 - SHRQ $51,CX - ANDQ DX,SI - ADDQ R10,CX - MOVQ CX,R9 - SHRQ $51,CX - ANDQ DX,R8 - ADDQ R12,CX - MOVQ CX,AX - SHRQ $51,CX - ANDQ DX,R9 - ADDQ R14,CX - MOVQ CX,R10 - SHRQ $51,CX - ANDQ DX,AX - IMUL3Q $19,CX,CX - ADDQ CX,SI - ANDQ DX,R10 - MOVQ SI,160(DI) - MOVQ R8,168(DI) - MOVQ R9,176(DI) - MOVQ AX,184(DI) - MOVQ R10,192(DI) - MOVQ 144(SP),SI - IMUL3Q $19,SI,AX - MOVQ AX,0(SP) - MULQ 96(SP) - MOVQ AX,SI - MOVQ DX,CX - MOVQ 152(SP),DX - IMUL3Q $19,DX,AX - MOVQ AX,8(SP) - MULQ 88(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 120(SP),AX - MULQ 80(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 120(SP),AX - MULQ 88(SP) - MOVQ AX,R8 - MOVQ DX,R9 - MOVQ 120(SP),AX - MULQ 96(SP) - MOVQ AX,R10 - MOVQ DX,R11 - MOVQ 120(SP),AX - MULQ 104(SP) - MOVQ AX,R12 - MOVQ DX,R13 - MOVQ 120(SP),AX - MULQ 112(SP) - MOVQ AX,R14 - MOVQ DX,R15 - MOVQ 128(SP),AX - MULQ 80(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 128(SP),AX - MULQ 88(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 128(SP),AX - MULQ 96(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 128(SP),AX - MULQ 104(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 128(SP),DX - IMUL3Q $19,DX,AX - MULQ 112(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 136(SP),AX - MULQ 80(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 136(SP),AX - MULQ 88(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 136(SP),AX - MULQ 96(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 136(SP),DX - IMUL3Q $19,DX,AX - MULQ 104(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 136(SP),DX - IMUL3Q $19,DX,AX - MULQ 112(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 144(SP),AX - MULQ 80(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 144(SP),AX - MULQ 88(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 0(SP),AX - MULQ 104(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 0(SP),AX - MULQ 112(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 152(SP),AX - MULQ 80(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 8(SP),AX - MULQ 96(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 8(SP),AX - MULQ 104(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 8(SP),AX - MULQ 112(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ $REDMASK51,DX - SHLQ $13,CX:SI - ANDQ DX,SI - SHLQ $13,R9:R8 - ANDQ DX,R8 - ADDQ CX,R8 - SHLQ $13,R11:R10 - ANDQ DX,R10 - ADDQ R9,R10 - SHLQ $13,R13:R12 - ANDQ DX,R12 - ADDQ R11,R12 - SHLQ $13,R15:R14 - ANDQ DX,R14 - ADDQ R13,R14 - IMUL3Q $19,R15,CX - ADDQ CX,SI - MOVQ SI,CX - SHRQ $51,CX - ADDQ R8,CX - MOVQ CX,R8 - SHRQ $51,CX - ANDQ DX,SI - ADDQ R10,CX - MOVQ CX,R9 - SHRQ $51,CX - ANDQ DX,R8 - ADDQ R12,CX - MOVQ CX,AX - SHRQ $51,CX - ANDQ DX,R9 - ADDQ R14,CX - MOVQ CX,R10 - SHRQ $51,CX - ANDQ DX,AX - IMUL3Q $19,CX,CX - ADDQ CX,SI - ANDQ DX,R10 - MOVQ SI,40(DI) - MOVQ R8,48(DI) - MOVQ R9,56(DI) - MOVQ AX,64(DI) - MOVQ R10,72(DI) - MOVQ 160(SP),AX - MULQ ·_121666_213(SB) - SHRQ $13,AX - MOVQ AX,SI - MOVQ DX,CX - MOVQ 168(SP),AX - MULQ ·_121666_213(SB) - SHRQ $13,AX - ADDQ AX,CX - MOVQ DX,R8 - MOVQ 176(SP),AX - MULQ ·_121666_213(SB) - SHRQ $13,AX - ADDQ AX,R8 - MOVQ DX,R9 - MOVQ 184(SP),AX - MULQ ·_121666_213(SB) - SHRQ $13,AX - ADDQ AX,R9 - MOVQ DX,R10 - MOVQ 192(SP),AX - MULQ ·_121666_213(SB) - SHRQ $13,AX - ADDQ AX,R10 - IMUL3Q $19,DX,DX - ADDQ DX,SI - ADDQ 80(SP),SI - ADDQ 88(SP),CX - ADDQ 96(SP),R8 - ADDQ 104(SP),R9 - ADDQ 112(SP),R10 - MOVQ SI,80(DI) - MOVQ CX,88(DI) - MOVQ R8,96(DI) - MOVQ R9,104(DI) - MOVQ R10,112(DI) - MOVQ 104(DI),SI - IMUL3Q $19,SI,AX - MOVQ AX,0(SP) - MULQ 176(SP) - MOVQ AX,SI - MOVQ DX,CX - MOVQ 112(DI),DX - IMUL3Q $19,DX,AX - MOVQ AX,8(SP) - MULQ 168(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 80(DI),AX - MULQ 160(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 80(DI),AX - MULQ 168(SP) - MOVQ AX,R8 - MOVQ DX,R9 - MOVQ 80(DI),AX - MULQ 176(SP) - MOVQ AX,R10 - MOVQ DX,R11 - MOVQ 80(DI),AX - MULQ 184(SP) - MOVQ AX,R12 - MOVQ DX,R13 - MOVQ 80(DI),AX - MULQ 192(SP) - MOVQ AX,R14 - MOVQ DX,R15 - MOVQ 88(DI),AX - MULQ 160(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 88(DI),AX - MULQ 168(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 88(DI),AX - MULQ 176(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 88(DI),AX - MULQ 184(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 88(DI),DX - IMUL3Q $19,DX,AX - MULQ 192(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 96(DI),AX - MULQ 160(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 96(DI),AX - MULQ 168(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 96(DI),AX - MULQ 176(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 96(DI),DX - IMUL3Q $19,DX,AX - MULQ 184(SP) - ADDQ AX,SI - ADCQ DX,CX - MOVQ 96(DI),DX - IMUL3Q $19,DX,AX - MULQ 192(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 104(DI),AX - MULQ 160(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 104(DI),AX - MULQ 168(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 0(SP),AX - MULQ 184(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 0(SP),AX - MULQ 192(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 112(DI),AX - MULQ 160(SP) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 8(SP),AX - MULQ 176(SP) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 8(SP),AX - MULQ 184(SP) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 8(SP),AX - MULQ 192(SP) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ $REDMASK51,DX - SHLQ $13,CX:SI - ANDQ DX,SI - SHLQ $13,R9:R8 - ANDQ DX,R8 - ADDQ CX,R8 - SHLQ $13,R11:R10 - ANDQ DX,R10 - ADDQ R9,R10 - SHLQ $13,R13:R12 - ANDQ DX,R12 - ADDQ R11,R12 - SHLQ $13,R15:R14 - ANDQ DX,R14 - ADDQ R13,R14 - IMUL3Q $19,R15,CX - ADDQ CX,SI - MOVQ SI,CX - SHRQ $51,CX - ADDQ R8,CX - MOVQ CX,R8 - SHRQ $51,CX - ANDQ DX,SI - ADDQ R10,CX - MOVQ CX,R9 - SHRQ $51,CX - ANDQ DX,R8 - ADDQ R12,CX - MOVQ CX,AX - SHRQ $51,CX - ANDQ DX,R9 - ADDQ R14,CX - MOVQ CX,R10 - SHRQ $51,CX - ANDQ DX,AX - IMUL3Q $19,CX,CX - ADDQ CX,SI - ANDQ DX,R10 - MOVQ SI,80(DI) - MOVQ R8,88(DI) - MOVQ R9,96(DI) - MOVQ AX,104(DI) - MOVQ R10,112(DI) - RET diff --git a/vendor/golang.org/x/crypto/curve25519/mont25519_amd64.go b/vendor/golang.org/x/crypto/curve25519/mont25519_amd64.go deleted file mode 100644 index 5822bd533..000000000 --- a/vendor/golang.org/x/crypto/curve25519/mont25519_amd64.go +++ /dev/null @@ -1,240 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// +build amd64,!gccgo,!appengine - -package curve25519 - -// These functions are implemented in the .s files. The names of the functions -// in the rest of the file are also taken from the SUPERCOP sources to help -// people following along. - -//go:noescape - -func cswap(inout *[5]uint64, v uint64) - -//go:noescape - -func ladderstep(inout *[5][5]uint64) - -//go:noescape - -func freeze(inout *[5]uint64) - -//go:noescape - -func mul(dest, a, b *[5]uint64) - -//go:noescape - -func square(out, in *[5]uint64) - -// mladder uses a Montgomery ladder to calculate (xr/zr) *= s. -func mladder(xr, zr *[5]uint64, s *[32]byte) { - var work [5][5]uint64 - - work[0] = *xr - setint(&work[1], 1) - setint(&work[2], 0) - work[3] = *xr - setint(&work[4], 1) - - j := uint(6) - var prevbit byte - - for i := 31; i >= 0; i-- { - for j < 8 { - bit := ((*s)[i] >> j) & 1 - swap := bit ^ prevbit - prevbit = bit - cswap(&work[1], uint64(swap)) - ladderstep(&work) - j-- - } - j = 7 - } - - *xr = work[1] - *zr = work[2] -} - -func scalarMult(out, in, base *[32]byte) { - var e [32]byte - copy(e[:], (*in)[:]) - e[0] &= 248 - e[31] &= 127 - e[31] |= 64 - - var t, z [5]uint64 - unpack(&t, base) - mladder(&t, &z, &e) - invert(&z, &z) - mul(&t, &t, &z) - pack(out, &t) -} - -func setint(r *[5]uint64, v uint64) { - r[0] = v - r[1] = 0 - r[2] = 0 - r[3] = 0 - r[4] = 0 -} - -// unpack sets r = x where r consists of 5, 51-bit limbs in little-endian -// order. -func unpack(r *[5]uint64, x *[32]byte) { - r[0] = uint64(x[0]) | - uint64(x[1])<<8 | - uint64(x[2])<<16 | - uint64(x[3])<<24 | - uint64(x[4])<<32 | - uint64(x[5])<<40 | - uint64(x[6]&7)<<48 - - r[1] = uint64(x[6])>>3 | - uint64(x[7])<<5 | - uint64(x[8])<<13 | - uint64(x[9])<<21 | - uint64(x[10])<<29 | - uint64(x[11])<<37 | - uint64(x[12]&63)<<45 - - r[2] = uint64(x[12])>>6 | - uint64(x[13])<<2 | - uint64(x[14])<<10 | - uint64(x[15])<<18 | - uint64(x[16])<<26 | - uint64(x[17])<<34 | - uint64(x[18])<<42 | - uint64(x[19]&1)<<50 - - r[3] = uint64(x[19])>>1 | - uint64(x[20])<<7 | - uint64(x[21])<<15 | - uint64(x[22])<<23 | - uint64(x[23])<<31 | - uint64(x[24])<<39 | - uint64(x[25]&15)<<47 - - r[4] = uint64(x[25])>>4 | - uint64(x[26])<<4 | - uint64(x[27])<<12 | - uint64(x[28])<<20 | - uint64(x[29])<<28 | - uint64(x[30])<<36 | - uint64(x[31]&127)<<44 -} - -// pack sets out = x where out is the usual, little-endian form of the 5, -// 51-bit limbs in x. -func pack(out *[32]byte, x *[5]uint64) { - t := *x - freeze(&t) - - out[0] = byte(t[0]) - out[1] = byte(t[0] >> 8) - out[2] = byte(t[0] >> 16) - out[3] = byte(t[0] >> 24) - out[4] = byte(t[0] >> 32) - out[5] = byte(t[0] >> 40) - out[6] = byte(t[0] >> 48) - - out[6] ^= byte(t[1]<<3) & 0xf8 - out[7] = byte(t[1] >> 5) - out[8] = byte(t[1] >> 13) - out[9] = byte(t[1] >> 21) - out[10] = byte(t[1] >> 29) - out[11] = byte(t[1] >> 37) - out[12] = byte(t[1] >> 45) - - out[12] ^= byte(t[2]<<6) & 0xc0 - out[13] = byte(t[2] >> 2) - out[14] = byte(t[2] >> 10) - out[15] = byte(t[2] >> 18) - out[16] = byte(t[2] >> 26) - out[17] = byte(t[2] >> 34) - out[18] = byte(t[2] >> 42) - out[19] = byte(t[2] >> 50) - - out[19] ^= byte(t[3]<<1) & 0xfe - out[20] = byte(t[3] >> 7) - out[21] = byte(t[3] >> 15) - out[22] = byte(t[3] >> 23) - out[23] = byte(t[3] >> 31) - out[24] = byte(t[3] >> 39) - out[25] = byte(t[3] >> 47) - - out[25] ^= byte(t[4]<<4) & 0xf0 - out[26] = byte(t[4] >> 4) - out[27] = byte(t[4] >> 12) - out[28] = byte(t[4] >> 20) - out[29] = byte(t[4] >> 28) - out[30] = byte(t[4] >> 36) - out[31] = byte(t[4] >> 44) -} - -// invert calculates r = x^-1 mod p using Fermat's little theorem. -func invert(r *[5]uint64, x *[5]uint64) { - var z2, z9, z11, z2_5_0, z2_10_0, z2_20_0, z2_50_0, z2_100_0, t [5]uint64 - - square(&z2, x) /* 2 */ - square(&t, &z2) /* 4 */ - square(&t, &t) /* 8 */ - mul(&z9, &t, x) /* 9 */ - mul(&z11, &z9, &z2) /* 11 */ - square(&t, &z11) /* 22 */ - mul(&z2_5_0, &t, &z9) /* 2^5 - 2^0 = 31 */ - - square(&t, &z2_5_0) /* 2^6 - 2^1 */ - for i := 1; i < 5; i++ { /* 2^20 - 2^10 */ - square(&t, &t) - } - mul(&z2_10_0, &t, &z2_5_0) /* 2^10 - 2^0 */ - - square(&t, &z2_10_0) /* 2^11 - 2^1 */ - for i := 1; i < 10; i++ { /* 2^20 - 2^10 */ - square(&t, &t) - } - mul(&z2_20_0, &t, &z2_10_0) /* 2^20 - 2^0 */ - - square(&t, &z2_20_0) /* 2^21 - 2^1 */ - for i := 1; i < 20; i++ { /* 2^40 - 2^20 */ - square(&t, &t) - } - mul(&t, &t, &z2_20_0) /* 2^40 - 2^0 */ - - square(&t, &t) /* 2^41 - 2^1 */ - for i := 1; i < 10; i++ { /* 2^50 - 2^10 */ - square(&t, &t) - } - mul(&z2_50_0, &t, &z2_10_0) /* 2^50 - 2^0 */ - - square(&t, &z2_50_0) /* 2^51 - 2^1 */ - for i := 1; i < 50; i++ { /* 2^100 - 2^50 */ - square(&t, &t) - } - mul(&z2_100_0, &t, &z2_50_0) /* 2^100 - 2^0 */ - - square(&t, &z2_100_0) /* 2^101 - 2^1 */ - for i := 1; i < 100; i++ { /* 2^200 - 2^100 */ - square(&t, &t) - } - mul(&t, &t, &z2_100_0) /* 2^200 - 2^0 */ - - square(&t, &t) /* 2^201 - 2^1 */ - for i := 1; i < 50; i++ { /* 2^250 - 2^50 */ - square(&t, &t) - } - mul(&t, &t, &z2_50_0) /* 2^250 - 2^0 */ - - square(&t, &t) /* 2^251 - 2^1 */ - square(&t, &t) /* 2^252 - 2^2 */ - square(&t, &t) /* 2^253 - 2^3 */ - - square(&t, &t) /* 2^254 - 2^4 */ - - square(&t, &t) /* 2^255 - 2^5 */ - mul(r, &t, &z11) /* 2^255 - 21 */ -} diff --git a/vendor/golang.org/x/crypto/curve25519/mul_amd64.s b/vendor/golang.org/x/crypto/curve25519/mul_amd64.s deleted file mode 100644 index 5ce80a2e5..000000000 --- a/vendor/golang.org/x/crypto/curve25519/mul_amd64.s +++ /dev/null @@ -1,169 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// This code was translated into a form compatible with 6a from the public -// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html - -// +build amd64,!gccgo,!appengine - -#include "const_amd64.h" - -// func mul(dest, a, b *[5]uint64) -TEXT ·mul(SB),0,$16-24 - MOVQ dest+0(FP), DI - MOVQ a+8(FP), SI - MOVQ b+16(FP), DX - - MOVQ DX,CX - MOVQ 24(SI),DX - IMUL3Q $19,DX,AX - MOVQ AX,0(SP) - MULQ 16(CX) - MOVQ AX,R8 - MOVQ DX,R9 - MOVQ 32(SI),DX - IMUL3Q $19,DX,AX - MOVQ AX,8(SP) - MULQ 8(CX) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 0(SI),AX - MULQ 0(CX) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 0(SI),AX - MULQ 8(CX) - MOVQ AX,R10 - MOVQ DX,R11 - MOVQ 0(SI),AX - MULQ 16(CX) - MOVQ AX,R12 - MOVQ DX,R13 - MOVQ 0(SI),AX - MULQ 24(CX) - MOVQ AX,R14 - MOVQ DX,R15 - MOVQ 0(SI),AX - MULQ 32(CX) - MOVQ AX,BX - MOVQ DX,BP - MOVQ 8(SI),AX - MULQ 0(CX) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 8(SI),AX - MULQ 8(CX) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 8(SI),AX - MULQ 16(CX) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 8(SI),AX - MULQ 24(CX) - ADDQ AX,BX - ADCQ DX,BP - MOVQ 8(SI),DX - IMUL3Q $19,DX,AX - MULQ 32(CX) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 16(SI),AX - MULQ 0(CX) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 16(SI),AX - MULQ 8(CX) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 16(SI),AX - MULQ 16(CX) - ADDQ AX,BX - ADCQ DX,BP - MOVQ 16(SI),DX - IMUL3Q $19,DX,AX - MULQ 24(CX) - ADDQ AX,R8 - ADCQ DX,R9 - MOVQ 16(SI),DX - IMUL3Q $19,DX,AX - MULQ 32(CX) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 24(SI),AX - MULQ 0(CX) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ 24(SI),AX - MULQ 8(CX) - ADDQ AX,BX - ADCQ DX,BP - MOVQ 0(SP),AX - MULQ 24(CX) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 0(SP),AX - MULQ 32(CX) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 32(SI),AX - MULQ 0(CX) - ADDQ AX,BX - ADCQ DX,BP - MOVQ 8(SP),AX - MULQ 16(CX) - ADDQ AX,R10 - ADCQ DX,R11 - MOVQ 8(SP),AX - MULQ 24(CX) - ADDQ AX,R12 - ADCQ DX,R13 - MOVQ 8(SP),AX - MULQ 32(CX) - ADDQ AX,R14 - ADCQ DX,R15 - MOVQ $REDMASK51,SI - SHLQ $13,R9:R8 - ANDQ SI,R8 - SHLQ $13,R11:R10 - ANDQ SI,R10 - ADDQ R9,R10 - SHLQ $13,R13:R12 - ANDQ SI,R12 - ADDQ R11,R12 - SHLQ $13,R15:R14 - ANDQ SI,R14 - ADDQ R13,R14 - SHLQ $13,BP:BX - ANDQ SI,BX - ADDQ R15,BX - IMUL3Q $19,BP,DX - ADDQ DX,R8 - MOVQ R8,DX - SHRQ $51,DX - ADDQ R10,DX - MOVQ DX,CX - SHRQ $51,DX - ANDQ SI,R8 - ADDQ R12,DX - MOVQ DX,R9 - SHRQ $51,DX - ANDQ SI,CX - ADDQ R14,DX - MOVQ DX,AX - SHRQ $51,DX - ANDQ SI,R9 - ADDQ BX,DX - MOVQ DX,R10 - SHRQ $51,DX - ANDQ SI,AX - IMUL3Q $19,DX,DX - ADDQ DX,R8 - ANDQ SI,R10 - MOVQ R8,0(DI) - MOVQ CX,8(DI) - MOVQ R9,16(DI) - MOVQ AX,24(DI) - MOVQ R10,32(DI) - RET diff --git a/vendor/golang.org/x/crypto/curve25519/square_amd64.s b/vendor/golang.org/x/crypto/curve25519/square_amd64.s deleted file mode 100644 index 12f73734f..000000000 --- a/vendor/golang.org/x/crypto/curve25519/square_amd64.s +++ /dev/null @@ -1,132 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// This code was translated into a form compatible with 6a from the public -// domain sources in SUPERCOP: https://bench.cr.yp.to/supercop.html - -// +build amd64,!gccgo,!appengine - -#include "const_amd64.h" - -// func square(out, in *[5]uint64) -TEXT ·square(SB),7,$0-16 - MOVQ out+0(FP), DI - MOVQ in+8(FP), SI - - MOVQ 0(SI),AX - MULQ 0(SI) - MOVQ AX,CX - MOVQ DX,R8 - MOVQ 0(SI),AX - SHLQ $1,AX - MULQ 8(SI) - MOVQ AX,R9 - MOVQ DX,R10 - MOVQ 0(SI),AX - SHLQ $1,AX - MULQ 16(SI) - MOVQ AX,R11 - MOVQ DX,R12 - MOVQ 0(SI),AX - SHLQ $1,AX - MULQ 24(SI) - MOVQ AX,R13 - MOVQ DX,R14 - MOVQ 0(SI),AX - SHLQ $1,AX - MULQ 32(SI) - MOVQ AX,R15 - MOVQ DX,BX - MOVQ 8(SI),AX - MULQ 8(SI) - ADDQ AX,R11 - ADCQ DX,R12 - MOVQ 8(SI),AX - SHLQ $1,AX - MULQ 16(SI) - ADDQ AX,R13 - ADCQ DX,R14 - MOVQ 8(SI),AX - SHLQ $1,AX - MULQ 24(SI) - ADDQ AX,R15 - ADCQ DX,BX - MOVQ 8(SI),DX - IMUL3Q $38,DX,AX - MULQ 32(SI) - ADDQ AX,CX - ADCQ DX,R8 - MOVQ 16(SI),AX - MULQ 16(SI) - ADDQ AX,R15 - ADCQ DX,BX - MOVQ 16(SI),DX - IMUL3Q $38,DX,AX - MULQ 24(SI) - ADDQ AX,CX - ADCQ DX,R8 - MOVQ 16(SI),DX - IMUL3Q $38,DX,AX - MULQ 32(SI) - ADDQ AX,R9 - ADCQ DX,R10 - MOVQ 24(SI),DX - IMUL3Q $19,DX,AX - MULQ 24(SI) - ADDQ AX,R9 - ADCQ DX,R10 - MOVQ 24(SI),DX - IMUL3Q $38,DX,AX - MULQ 32(SI) - ADDQ AX,R11 - ADCQ DX,R12 - MOVQ 32(SI),DX - IMUL3Q $19,DX,AX - MULQ 32(SI) - ADDQ AX,R13 - ADCQ DX,R14 - MOVQ $REDMASK51,SI - SHLQ $13,R8:CX - ANDQ SI,CX - SHLQ $13,R10:R9 - ANDQ SI,R9 - ADDQ R8,R9 - SHLQ $13,R12:R11 - ANDQ SI,R11 - ADDQ R10,R11 - SHLQ $13,R14:R13 - ANDQ SI,R13 - ADDQ R12,R13 - SHLQ $13,BX:R15 - ANDQ SI,R15 - ADDQ R14,R15 - IMUL3Q $19,BX,DX - ADDQ DX,CX - MOVQ CX,DX - SHRQ $51,DX - ADDQ R9,DX - ANDQ SI,CX - MOVQ DX,R8 - SHRQ $51,DX - ADDQ R11,DX - ANDQ SI,R8 - MOVQ DX,R9 - SHRQ $51,DX - ADDQ R13,DX - ANDQ SI,R9 - MOVQ DX,AX - SHRQ $51,DX - ADDQ R15,DX - ANDQ SI,AX - MOVQ DX,R10 - SHRQ $51,DX - IMUL3Q $19,DX,DX - ADDQ DX,CX - ANDQ SI,R10 - MOVQ CX,0(DI) - MOVQ R8,8(DI) - MOVQ R9,16(DI) - MOVQ AX,24(DI) - MOVQ R10,32(DI) - RET diff --git a/vendor/golang.org/x/crypto/openpgp/keys.go b/vendor/golang.org/x/crypto/openpgp/keys.go index 3e2518600..faa2fb369 100644 --- a/vendor/golang.org/x/crypto/openpgp/keys.go +++ b/vendor/golang.org/x/crypto/openpgp/keys.go @@ -504,7 +504,7 @@ const defaultRSAKeyBits = 2048 // which may be empty but must not contain any of "()<>\x00". // If config is nil, sensible defaults will be used. func NewEntity(name, comment, email string, config *packet.Config) (*Entity, error) { - currentTime := config.Now() + creationTime := config.Now() bits := defaultRSAKeyBits if config != nil && config.RSABits != 0 { @@ -525,8 +525,8 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err } e := &Entity{ - PrimaryKey: packet.NewRSAPublicKey(currentTime, &signingPriv.PublicKey), - PrivateKey: packet.NewRSAPrivateKey(currentTime, signingPriv), + PrimaryKey: packet.NewRSAPublicKey(creationTime, &signingPriv.PublicKey), + PrivateKey: packet.NewRSAPrivateKey(creationTime, signingPriv), Identities: make(map[string]*Identity), } isPrimaryId := true @@ -534,7 +534,7 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err Name: uid.Id, UserId: uid, SelfSignature: &packet.Signature{ - CreationTime: currentTime, + CreationTime: creationTime, SigType: packet.SigTypePositiveCert, PubKeyAlgo: packet.PubKeyAlgoRSA, Hash: config.Hash(), @@ -563,10 +563,10 @@ func NewEntity(name, comment, email string, config *packet.Config) (*Entity, err e.Subkeys = make([]Subkey, 1) e.Subkeys[0] = Subkey{ - PublicKey: packet.NewRSAPublicKey(currentTime, &encryptingPriv.PublicKey), - PrivateKey: packet.NewRSAPrivateKey(currentTime, encryptingPriv), + PublicKey: packet.NewRSAPublicKey(creationTime, &encryptingPriv.PublicKey), + PrivateKey: packet.NewRSAPrivateKey(creationTime, encryptingPriv), Sig: &packet.Signature{ - CreationTime: currentTime, + CreationTime: creationTime, SigType: packet.SigTypeSubkeyBinding, PubKeyAlgo: packet.PubKeyAlgoRSA, Hash: config.Hash(), diff --git a/vendor/golang.org/x/crypto/openpgp/packet/private_key.go b/vendor/golang.org/x/crypto/openpgp/packet/private_key.go index bd31cceac..6f8ec0938 100644 --- a/vendor/golang.org/x/crypto/openpgp/packet/private_key.go +++ b/vendor/golang.org/x/crypto/openpgp/packet/private_key.go @@ -36,49 +36,49 @@ type PrivateKey struct { iv []byte } -func NewRSAPrivateKey(currentTime time.Time, priv *rsa.PrivateKey) *PrivateKey { +func NewRSAPrivateKey(creationTime time.Time, priv *rsa.PrivateKey) *PrivateKey { pk := new(PrivateKey) - pk.PublicKey = *NewRSAPublicKey(currentTime, &priv.PublicKey) + pk.PublicKey = *NewRSAPublicKey(creationTime, &priv.PublicKey) pk.PrivateKey = priv return pk } -func NewDSAPrivateKey(currentTime time.Time, priv *dsa.PrivateKey) *PrivateKey { +func NewDSAPrivateKey(creationTime time.Time, priv *dsa.PrivateKey) *PrivateKey { pk := new(PrivateKey) - pk.PublicKey = *NewDSAPublicKey(currentTime, &priv.PublicKey) + pk.PublicKey = *NewDSAPublicKey(creationTime, &priv.PublicKey) pk.PrivateKey = priv return pk } -func NewElGamalPrivateKey(currentTime time.Time, priv *elgamal.PrivateKey) *PrivateKey { +func NewElGamalPrivateKey(creationTime time.Time, priv *elgamal.PrivateKey) *PrivateKey { pk := new(PrivateKey) - pk.PublicKey = *NewElGamalPublicKey(currentTime, &priv.PublicKey) + pk.PublicKey = *NewElGamalPublicKey(creationTime, &priv.PublicKey) pk.PrivateKey = priv return pk } -func NewECDSAPrivateKey(currentTime time.Time, priv *ecdsa.PrivateKey) *PrivateKey { +func NewECDSAPrivateKey(creationTime time.Time, priv *ecdsa.PrivateKey) *PrivateKey { pk := new(PrivateKey) - pk.PublicKey = *NewECDSAPublicKey(currentTime, &priv.PublicKey) + pk.PublicKey = *NewECDSAPublicKey(creationTime, &priv.PublicKey) pk.PrivateKey = priv return pk } // NewSignerPrivateKey creates a PrivateKey from a crypto.Signer that // implements RSA or ECDSA. -func NewSignerPrivateKey(currentTime time.Time, signer crypto.Signer) *PrivateKey { +func NewSignerPrivateKey(creationTime time.Time, signer crypto.Signer) *PrivateKey { pk := new(PrivateKey) // In general, the public Keys should be used as pointers. We still // type-switch on the values, for backwards-compatibility. switch pubkey := signer.Public().(type) { case *rsa.PublicKey: - pk.PublicKey = *NewRSAPublicKey(currentTime, pubkey) + pk.PublicKey = *NewRSAPublicKey(creationTime, pubkey) case rsa.PublicKey: - pk.PublicKey = *NewRSAPublicKey(currentTime, &pubkey) + pk.PublicKey = *NewRSAPublicKey(creationTime, &pubkey) case *ecdsa.PublicKey: - pk.PublicKey = *NewECDSAPublicKey(currentTime, pubkey) + pk.PublicKey = *NewECDSAPublicKey(creationTime, pubkey) case ecdsa.PublicKey: - pk.PublicKey = *NewECDSAPublicKey(currentTime, &pubkey) + pk.PublicKey = *NewECDSAPublicKey(creationTime, &pubkey) default: panic("openpgp: unknown crypto.Signer type in NewSignerPrivateKey") } diff --git a/vendor/golang.org/x/crypto/otr/libotr_test_helper.c b/vendor/golang.org/x/crypto/otr/libotr_test_helper.c deleted file mode 100644 index b3ca072d4..000000000 --- a/vendor/golang.org/x/crypto/otr/libotr_test_helper.c +++ /dev/null @@ -1,197 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// This code can be compiled and used to test the otr package against libotr. -// See otr_test.go. - -// +build ignore - -#include <stdio.h> -#include <stdlib.h> -#include <unistd.h> - -#include <proto.h> -#include <message.h> -#include <privkey.h> - -static int g_session_established = 0; - -OtrlPolicy policy(void *opdata, ConnContext *context) { - return OTRL_POLICY_ALWAYS; -} - -int is_logged_in(void *opdata, const char *accountname, const char *protocol, - const char *recipient) { - return 1; -} - -void inject_message(void *opdata, const char *accountname, const char *protocol, - const char *recipient, const char *message) { - printf("%s\n", message); - fflush(stdout); - fprintf(stderr, "libotr helper sent: %s\n", message); -} - -void update_context_list(void *opdata) {} - -void new_fingerprint(void *opdata, OtrlUserState us, const char *accountname, - const char *protocol, const char *username, - unsigned char fingerprint[20]) { - fprintf(stderr, "NEW FINGERPRINT\n"); - g_session_established = 1; -} - -void write_fingerprints(void *opdata) {} - -void gone_secure(void *opdata, ConnContext *context) {} - -void gone_insecure(void *opdata, ConnContext *context) {} - -void still_secure(void *opdata, ConnContext *context, int is_reply) {} - -int max_message_size(void *opdata, ConnContext *context) { return 99999; } - -const char *account_name(void *opdata, const char *account, - const char *protocol) { - return "ACCOUNT"; -} - -void account_name_free(void *opdata, const char *account_name) {} - -const char *error_message(void *opdata, ConnContext *context, - OtrlErrorCode err_code) { - return "ERR"; -} - -void error_message_free(void *opdata, const char *msg) {} - -void resent_msg_prefix_free(void *opdata, const char *prefix) {} - -void handle_smp_event(void *opdata, OtrlSMPEvent smp_event, - ConnContext *context, unsigned short progress_event, - char *question) {} - -void handle_msg_event(void *opdata, OtrlMessageEvent msg_event, - ConnContext *context, const char *message, - gcry_error_t err) { - fprintf(stderr, "msg event: %d %s\n", msg_event, message); -} - -OtrlMessageAppOps uiops = { - policy, - NULL, - is_logged_in, - inject_message, - update_context_list, - new_fingerprint, - write_fingerprints, - gone_secure, - gone_insecure, - still_secure, - max_message_size, - account_name, - account_name_free, - NULL, /* received_symkey */ - error_message, - error_message_free, - NULL, /* resent_msg_prefix */ - resent_msg_prefix_free, - handle_smp_event, - handle_msg_event, - NULL /* create_instag */, - NULL /* convert_msg */, - NULL /* convert_free */, - NULL /* timer_control */, -}; - -static const char kPrivateKeyData[] = - "(privkeys (account (name \"account\") (protocol proto) (private-key (dsa " - "(p " - "#00FC07ABCF0DC916AFF6E9AE47BEF60C7AB9B4D6B2469E436630E36F8A489BE812486A09F" - "30B71224508654940A835301ACC525A4FF133FC152CC53DCC59D65C30A54F1993FE13FE63E" - "5823D4C746DB21B90F9B9C00B49EC7404AB1D929BA7FBA12F2E45C6E0A651689750E8528AB" - "8C031D3561FECEE72EBB4A090D450A9B7A857#) (q " - "#00997BD266EF7B1F60A5C23F3A741F2AEFD07A2081#) (g " - "#535E360E8A95EBA46A4F7DE50AD6E9B2A6DB785A66B64EB9F20338D2A3E8FB0E94725848F" - "1AA6CC567CB83A1CC517EC806F2E92EAE71457E80B2210A189B91250779434B41FC8A8873F" - "6DB94BEA7D177F5D59E7E114EE10A49CFD9CEF88AE43387023B672927BA74B04EB6BBB5E57" - "597766A2F9CE3857D7ACE3E1E3BC1FC6F26#) (y " - "#0AC8670AD767D7A8D9D14CC1AC6744CD7D76F993B77FFD9E39DF01E5A6536EF65E775FCEF" - "2A983E2A19BD6415500F6979715D9FD1257E1FE2B6F5E1E74B333079E7C880D39868462A93" - "454B41877BE62E5EF0A041C2EE9C9E76BD1E12AE25D9628DECB097025DD625EF49C3258A1A" - "3C0FF501E3DC673B76D7BABF349009B6ECF#) (x " - "#14D0345A3562C480A039E3C72764F72D79043216#)))))\n"; - -int main() { - OTRL_INIT; - - // We have to write the private key information to a file because the libotr - // API demands a filename to read from. - const char *tmpdir = "/tmp"; - if (getenv("TMP")) { - tmpdir = getenv("TMP"); - } - - char private_key_file[256]; - snprintf(private_key_file, sizeof(private_key_file), - "%s/libotr_test_helper_privatekeys-XXXXXX", tmpdir); - int fd = mkstemp(private_key_file); - if (fd == -1) { - perror("creating temp file"); - } - write(fd, kPrivateKeyData, sizeof(kPrivateKeyData) - 1); - close(fd); - - OtrlUserState userstate = otrl_userstate_create(); - otrl_privkey_read(userstate, private_key_file); - unlink(private_key_file); - - fprintf(stderr, "libotr helper started\n"); - - char buf[4096]; - - for (;;) { - char *message = fgets(buf, sizeof(buf), stdin); - if (strlen(message) == 0) { - break; - } - message[strlen(message) - 1] = 0; - fprintf(stderr, "libotr helper got: %s\n", message); - - char *newmessage = NULL; - OtrlTLV *tlvs; - int ignore_message = otrl_message_receiving( - userstate, &uiops, NULL, "account", "proto", "peer", message, - &newmessage, &tlvs, NULL, NULL, NULL); - if (tlvs) { - otrl_tlv_free(tlvs); - } - - if (newmessage != NULL) { - fprintf(stderr, "libotr got: %s\n", newmessage); - otrl_message_free(newmessage); - - gcry_error_t err; - char *newmessage = NULL; - - err = otrl_message_sending(userstate, &uiops, NULL, "account", "proto", - "peer", 0, "test message", NULL, &newmessage, - OTRL_FRAGMENT_SEND_SKIP, NULL, NULL, NULL); - if (newmessage == NULL) { - fprintf(stderr, "libotr didn't encrypt message\n"); - return 1; - } - write(1, newmessage, strlen(newmessage)); - write(1, "\n", 1); - fprintf(stderr, "libotr sent: %s\n", newmessage); - otrl_message_free(newmessage); - - g_session_established = 0; - write(1, "?OTRv2?\n", 8); - fprintf(stderr, "libotr sent: ?OTRv2\n"); - } - } - - return 0; -} diff --git a/vendor/golang.org/x/crypto/otr/otr.go b/vendor/golang.org/x/crypto/otr/otr.go deleted file mode 100644 index 173b753db..000000000 --- a/vendor/golang.org/x/crypto/otr/otr.go +++ /dev/null @@ -1,1415 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package otr implements the Off The Record protocol as specified in -// http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html -package otr // import "golang.org/x/crypto/otr" - -import ( - "bytes" - "crypto/aes" - "crypto/cipher" - "crypto/dsa" - "crypto/hmac" - "crypto/rand" - "crypto/sha1" - "crypto/sha256" - "crypto/subtle" - "encoding/base64" - "encoding/hex" - "errors" - "hash" - "io" - "math/big" - "strconv" -) - -// SecurityChange describes a change in the security state of a Conversation. -type SecurityChange int - -const ( - NoChange SecurityChange = iota - // NewKeys indicates that a key exchange has completed. This occurs - // when a conversation first becomes encrypted, and when the keys are - // renegotiated within an encrypted conversation. - NewKeys - // SMPSecretNeeded indicates that the peer has started an - // authentication and that we need to supply a secret. Call SMPQuestion - // to get the optional, human readable challenge and then Authenticate - // to supply the matching secret. - SMPSecretNeeded - // SMPComplete indicates that an authentication completed. The identity - // of the peer has now been confirmed. - SMPComplete - // SMPFailed indicates that an authentication failed. - SMPFailed - // ConversationEnded indicates that the peer ended the secure - // conversation. - ConversationEnded -) - -// QueryMessage can be sent to a peer to start an OTR conversation. -var QueryMessage = "?OTRv2?" - -// ErrorPrefix can be used to make an OTR error by appending an error message -// to it. -var ErrorPrefix = "?OTR Error:" - -var ( - fragmentPartSeparator = []byte(",") - fragmentPrefix = []byte("?OTR,") - msgPrefix = []byte("?OTR:") - queryMarker = []byte("?OTR") -) - -// isQuery attempts to parse an OTR query from msg and returns the greatest -// common version, or 0 if msg is not an OTR query. -func isQuery(msg []byte) (greatestCommonVersion int) { - pos := bytes.Index(msg, queryMarker) - if pos == -1 { - return 0 - } - for i, c := range msg[pos+len(queryMarker):] { - if i == 0 { - if c == '?' { - // Indicates support for version 1, but we don't - // implement that. - continue - } - - if c != 'v' { - // Invalid message - return 0 - } - - continue - } - - if c == '?' { - // End of message - return - } - - if c == ' ' || c == '\t' { - // Probably an invalid message - return 0 - } - - if c == '2' { - greatestCommonVersion = 2 - } - } - - return 0 -} - -const ( - statePlaintext = iota - stateEncrypted - stateFinished -) - -const ( - authStateNone = iota - authStateAwaitingDHKey - authStateAwaitingRevealSig - authStateAwaitingSig -) - -const ( - msgTypeDHCommit = 2 - msgTypeData = 3 - msgTypeDHKey = 10 - msgTypeRevealSig = 17 - msgTypeSig = 18 -) - -const ( - // If the requested fragment size is less than this, it will be ignored. - minFragmentSize = 18 - // Messages are padded to a multiple of this number of bytes. - paddingGranularity = 256 - // The number of bytes in a Diffie-Hellman private value (320-bits). - dhPrivateBytes = 40 - // The number of bytes needed to represent an element of the DSA - // subgroup (160-bits). - dsaSubgroupBytes = 20 - // The number of bytes of the MAC that are sent on the wire (160-bits). - macPrefixBytes = 20 -) - -// These are the global, common group parameters for OTR. -var ( - p *big.Int // group prime - g *big.Int // group generator - q *big.Int // group order - pMinus2 *big.Int -) - -func init() { - p, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA237327FFFFFFFFFFFFFFFF", 16) - q, _ = new(big.Int).SetString("7FFFFFFFFFFFFFFFE487ED5110B4611A62633145C06E0E68948127044533E63A0105DF531D89CD9128A5043CC71A026EF7CA8CD9E69D218D98158536F92F8A1BA7F09AB6B6A8E122F242DABB312F3F637A262174D31BF6B585FFAE5B7A035BF6F71C35FDAD44CFD2D74F9208BE258FF324943328F6722D9EE1003E5C50B1DF82CC6D241B0E2AE9CD348B1FD47E9267AFC1B2AE91EE51D6CB0E3179AB1042A95DCF6A9483B84B4B36B3861AA7255E4C0278BA36046511B993FFFFFFFFFFFFFFFF", 16) - g = new(big.Int).SetInt64(2) - pMinus2 = new(big.Int).Sub(p, g) -} - -// Conversation represents a relation with a peer. The zero value is a valid -// Conversation, although PrivateKey must be set. -// -// When communicating with a peer, all inbound messages should be passed to -// Conversation.Receive and all outbound messages to Conversation.Send. The -// Conversation will take care of maintaining the encryption state and -// negotiating encryption as needed. -type Conversation struct { - // PrivateKey contains the private key to use to sign key exchanges. - PrivateKey *PrivateKey - - // Rand can be set to override the entropy source. Otherwise, - // crypto/rand will be used. - Rand io.Reader - // If FragmentSize is set, all messages produced by Receive and Send - // will be fragmented into messages of, at most, this number of bytes. - FragmentSize int - - // Once Receive has returned NewKeys once, the following fields are - // valid. - SSID [8]byte - TheirPublicKey PublicKey - - state, authState int - - r [16]byte - x, y *big.Int - gx, gy *big.Int - gxBytes []byte - digest [sha256.Size]byte - - revealKeys, sigKeys akeKeys - - myKeyId uint32 - myCurrentDHPub *big.Int - myCurrentDHPriv *big.Int - myLastDHPub *big.Int - myLastDHPriv *big.Int - - theirKeyId uint32 - theirCurrentDHPub *big.Int - theirLastDHPub *big.Int - - keySlots [4]keySlot - - myCounter [8]byte - theirLastCtr [8]byte - oldMACs []byte - - k, n int // fragment state - frag []byte - - smp smpState -} - -// A keySlot contains key material for a specific (their keyid, my keyid) pair. -type keySlot struct { - // used is true if this slot is valid. If false, it's free for reuse. - used bool - theirKeyId uint32 - myKeyId uint32 - sendAESKey, recvAESKey []byte - sendMACKey, recvMACKey []byte - theirLastCtr [8]byte -} - -// akeKeys are generated during key exchange. There's one set for the reveal -// signature message and another for the signature message. In the protocol -// spec the latter are indicated with a prime mark. -type akeKeys struct { - c [16]byte - m1, m2 [32]byte -} - -func (c *Conversation) rand() io.Reader { - if c.Rand != nil { - return c.Rand - } - return rand.Reader -} - -func (c *Conversation) randMPI(buf []byte) *big.Int { - _, err := io.ReadFull(c.rand(), buf) - if err != nil { - panic("otr: short read from random source") - } - - return new(big.Int).SetBytes(buf) -} - -// tlv represents the type-length value from the protocol. -type tlv struct { - typ, length uint16 - data []byte -} - -const ( - tlvTypePadding = 0 - tlvTypeDisconnected = 1 - tlvTypeSMP1 = 2 - tlvTypeSMP2 = 3 - tlvTypeSMP3 = 4 - tlvTypeSMP4 = 5 - tlvTypeSMPAbort = 6 - tlvTypeSMP1WithQuestion = 7 -) - -// Receive handles a message from a peer. It returns a human readable message, -// an indicator of whether that message was encrypted, a hint about the -// encryption state and zero or more messages to send back to the peer. -// These messages do not need to be passed to Send before transmission. -func (c *Conversation) Receive(in []byte) (out []byte, encrypted bool, change SecurityChange, toSend [][]byte, err error) { - if bytes.HasPrefix(in, fragmentPrefix) { - in, err = c.processFragment(in) - if in == nil || err != nil { - return - } - } - - if bytes.HasPrefix(in, msgPrefix) && in[len(in)-1] == '.' { - in = in[len(msgPrefix) : len(in)-1] - } else if version := isQuery(in); version > 0 { - c.authState = authStateAwaitingDHKey - c.reset() - toSend = c.encode(c.generateDHCommit()) - return - } else { - // plaintext message - out = in - return - } - - msg := make([]byte, base64.StdEncoding.DecodedLen(len(in))) - msgLen, err := base64.StdEncoding.Decode(msg, in) - if err != nil { - err = errors.New("otr: invalid base64 encoding in message") - return - } - msg = msg[:msgLen] - - // The first two bytes are the protocol version (2) - if len(msg) < 3 || msg[0] != 0 || msg[1] != 2 { - err = errors.New("otr: invalid OTR message") - return - } - - msgType := int(msg[2]) - msg = msg[3:] - - switch msgType { - case msgTypeDHCommit: - switch c.authState { - case authStateNone: - c.authState = authStateAwaitingRevealSig - if err = c.processDHCommit(msg); err != nil { - return - } - c.reset() - toSend = c.encode(c.generateDHKey()) - return - case authStateAwaitingDHKey: - // This is a 'SYN-crossing'. The greater digest wins. - var cmp int - if cmp, err = c.compareToDHCommit(msg); err != nil { - return - } - if cmp > 0 { - // We win. Retransmit DH commit. - toSend = c.encode(c.serializeDHCommit()) - return - } else { - // They win. We forget about our DH commit. - c.authState = authStateAwaitingRevealSig - if err = c.processDHCommit(msg); err != nil { - return - } - c.reset() - toSend = c.encode(c.generateDHKey()) - return - } - case authStateAwaitingRevealSig: - if err = c.processDHCommit(msg); err != nil { - return - } - toSend = c.encode(c.serializeDHKey()) - case authStateAwaitingSig: - if err = c.processDHCommit(msg); err != nil { - return - } - c.reset() - toSend = c.encode(c.generateDHKey()) - c.authState = authStateAwaitingRevealSig - default: - panic("bad state") - } - case msgTypeDHKey: - switch c.authState { - case authStateAwaitingDHKey: - var isSame bool - if isSame, err = c.processDHKey(msg); err != nil { - return - } - if isSame { - err = errors.New("otr: unexpected duplicate DH key") - return - } - toSend = c.encode(c.generateRevealSig()) - c.authState = authStateAwaitingSig - case authStateAwaitingSig: - var isSame bool - if isSame, err = c.processDHKey(msg); err != nil { - return - } - if isSame { - toSend = c.encode(c.serializeDHKey()) - } - } - case msgTypeRevealSig: - if c.authState != authStateAwaitingRevealSig { - return - } - if err = c.processRevealSig(msg); err != nil { - return - } - toSend = c.encode(c.generateSig()) - c.authState = authStateNone - c.state = stateEncrypted - change = NewKeys - case msgTypeSig: - if c.authState != authStateAwaitingSig { - return - } - if err = c.processSig(msg); err != nil { - return - } - c.authState = authStateNone - c.state = stateEncrypted - change = NewKeys - case msgTypeData: - if c.state != stateEncrypted { - err = errors.New("otr: encrypted message received without encrypted session established") - return - } - var tlvs []tlv - out, tlvs, err = c.processData(msg) - encrypted = true - - EachTLV: - for _, inTLV := range tlvs { - switch inTLV.typ { - case tlvTypeDisconnected: - change = ConversationEnded - c.state = stateFinished - break EachTLV - case tlvTypeSMP1, tlvTypeSMP2, tlvTypeSMP3, tlvTypeSMP4, tlvTypeSMPAbort, tlvTypeSMP1WithQuestion: - var reply tlv - var complete bool - reply, complete, err = c.processSMP(inTLV) - if err == smpSecretMissingError { - err = nil - change = SMPSecretNeeded - c.smp.saved = &inTLV - return - } - if err == smpFailureError { - err = nil - change = SMPFailed - } else if complete { - change = SMPComplete - } - if reply.typ != 0 { - toSend = c.encode(c.generateData(nil, &reply)) - } - break EachTLV - default: - // skip unknown TLVs - } - } - default: - err = errors.New("otr: unknown message type " + strconv.Itoa(msgType)) - } - - return -} - -// Send takes a human readable message from the local user, possibly encrypts -// it and returns zero one or more messages to send to the peer. -func (c *Conversation) Send(msg []byte) ([][]byte, error) { - switch c.state { - case statePlaintext: - return [][]byte{msg}, nil - case stateEncrypted: - return c.encode(c.generateData(msg, nil)), nil - case stateFinished: - return nil, errors.New("otr: cannot send message because secure conversation has finished") - } - - return nil, errors.New("otr: cannot send message in current state") -} - -// SMPQuestion returns the human readable challenge question from the peer. -// It's only valid after Receive has returned SMPSecretNeeded. -func (c *Conversation) SMPQuestion() string { - return c.smp.question -} - -// Authenticate begins an authentication with the peer. Authentication involves -// an optional challenge message and a shared secret. The authentication -// proceeds until either Receive returns SMPComplete, SMPSecretNeeded (which -// indicates that a new authentication is happening and thus this one was -// aborted) or SMPFailed. -func (c *Conversation) Authenticate(question string, mutualSecret []byte) (toSend [][]byte, err error) { - if c.state != stateEncrypted { - err = errors.New("otr: can't authenticate a peer without a secure conversation established") - return - } - - if c.smp.saved != nil { - c.calcSMPSecret(mutualSecret, false /* they started it */) - - var out tlv - var complete bool - out, complete, err = c.processSMP(*c.smp.saved) - if complete { - panic("SMP completed on the first message") - } - c.smp.saved = nil - if out.typ != 0 { - toSend = c.encode(c.generateData(nil, &out)) - } - return - } - - c.calcSMPSecret(mutualSecret, true /* we started it */) - outs := c.startSMP(question) - for _, out := range outs { - toSend = append(toSend, c.encode(c.generateData(nil, &out))...) - } - return -} - -// End ends a secure conversation by generating a termination message for -// the peer and switches to unencrypted communication. -func (c *Conversation) End() (toSend [][]byte) { - switch c.state { - case statePlaintext: - return nil - case stateEncrypted: - c.state = statePlaintext - return c.encode(c.generateData(nil, &tlv{typ: tlvTypeDisconnected})) - case stateFinished: - c.state = statePlaintext - return nil - } - panic("unreachable") -} - -// IsEncrypted returns true if a message passed to Send would be encrypted -// before transmission. This result remains valid until the next call to -// Receive or End, which may change the state of the Conversation. -func (c *Conversation) IsEncrypted() bool { - return c.state == stateEncrypted -} - -var fragmentError = errors.New("otr: invalid OTR fragment") - -// processFragment processes a fragmented OTR message and possibly returns a -// complete message. Fragmented messages look like "?OTR,k,n,msg," where k is -// the fragment number (starting from 1), n is the number of fragments in this -// message and msg is a substring of the base64 encoded message. -func (c *Conversation) processFragment(in []byte) (out []byte, err error) { - in = in[len(fragmentPrefix):] // remove "?OTR," - parts := bytes.Split(in, fragmentPartSeparator) - if len(parts) != 4 || len(parts[3]) != 0 { - return nil, fragmentError - } - - k, err := strconv.Atoi(string(parts[0])) - if err != nil { - return nil, fragmentError - } - - n, err := strconv.Atoi(string(parts[1])) - if err != nil { - return nil, fragmentError - } - - if k < 1 || n < 1 || k > n { - return nil, fragmentError - } - - if k == 1 { - c.frag = append(c.frag[:0], parts[2]...) - c.k, c.n = k, n - } else if n == c.n && k == c.k+1 { - c.frag = append(c.frag, parts[2]...) - c.k++ - } else { - c.frag = c.frag[:0] - c.n, c.k = 0, 0 - } - - if c.n > 0 && c.k == c.n { - c.n, c.k = 0, 0 - return c.frag, nil - } - - return nil, nil -} - -func (c *Conversation) generateDHCommit() []byte { - _, err := io.ReadFull(c.rand(), c.r[:]) - if err != nil { - panic("otr: short read from random source") - } - - var xBytes [dhPrivateBytes]byte - c.x = c.randMPI(xBytes[:]) - c.gx = new(big.Int).Exp(g, c.x, p) - c.gy = nil - c.gxBytes = appendMPI(nil, c.gx) - - h := sha256.New() - h.Write(c.gxBytes) - h.Sum(c.digest[:0]) - - aesCipher, err := aes.NewCipher(c.r[:]) - if err != nil { - panic(err.Error()) - } - - var iv [aes.BlockSize]byte - ctr := cipher.NewCTR(aesCipher, iv[:]) - ctr.XORKeyStream(c.gxBytes, c.gxBytes) - - return c.serializeDHCommit() -} - -func (c *Conversation) serializeDHCommit() []byte { - var ret []byte - ret = appendU16(ret, 2) // protocol version - ret = append(ret, msgTypeDHCommit) - ret = appendData(ret, c.gxBytes) - ret = appendData(ret, c.digest[:]) - return ret -} - -func (c *Conversation) processDHCommit(in []byte) error { - var ok1, ok2 bool - c.gxBytes, in, ok1 = getData(in) - digest, in, ok2 := getData(in) - if !ok1 || !ok2 || len(in) > 0 { - return errors.New("otr: corrupt DH commit message") - } - copy(c.digest[:], digest) - return nil -} - -func (c *Conversation) compareToDHCommit(in []byte) (int, error) { - _, in, ok1 := getData(in) - digest, in, ok2 := getData(in) - if !ok1 || !ok2 || len(in) > 0 { - return 0, errors.New("otr: corrupt DH commit message") - } - return bytes.Compare(c.digest[:], digest), nil -} - -func (c *Conversation) generateDHKey() []byte { - var yBytes [dhPrivateBytes]byte - c.y = c.randMPI(yBytes[:]) - c.gy = new(big.Int).Exp(g, c.y, p) - return c.serializeDHKey() -} - -func (c *Conversation) serializeDHKey() []byte { - var ret []byte - ret = appendU16(ret, 2) // protocol version - ret = append(ret, msgTypeDHKey) - ret = appendMPI(ret, c.gy) - return ret -} - -func (c *Conversation) processDHKey(in []byte) (isSame bool, err error) { - gy, in, ok := getMPI(in) - if !ok { - err = errors.New("otr: corrupt DH key message") - return - } - if gy.Cmp(g) < 0 || gy.Cmp(pMinus2) > 0 { - err = errors.New("otr: DH value out of range") - return - } - if c.gy != nil { - isSame = c.gy.Cmp(gy) == 0 - return - } - c.gy = gy - return -} - -func (c *Conversation) generateEncryptedSignature(keys *akeKeys, xFirst bool) ([]byte, []byte) { - var xb []byte - xb = c.PrivateKey.PublicKey.Serialize(xb) - - var verifyData []byte - if xFirst { - verifyData = appendMPI(verifyData, c.gx) - verifyData = appendMPI(verifyData, c.gy) - } else { - verifyData = appendMPI(verifyData, c.gy) - verifyData = appendMPI(verifyData, c.gx) - } - verifyData = append(verifyData, xb...) - verifyData = appendU32(verifyData, c.myKeyId) - - mac := hmac.New(sha256.New, keys.m1[:]) - mac.Write(verifyData) - mb := mac.Sum(nil) - - xb = appendU32(xb, c.myKeyId) - xb = append(xb, c.PrivateKey.Sign(c.rand(), mb)...) - - aesCipher, err := aes.NewCipher(keys.c[:]) - if err != nil { - panic(err.Error()) - } - var iv [aes.BlockSize]byte - ctr := cipher.NewCTR(aesCipher, iv[:]) - ctr.XORKeyStream(xb, xb) - - mac = hmac.New(sha256.New, keys.m2[:]) - encryptedSig := appendData(nil, xb) - mac.Write(encryptedSig) - - return encryptedSig, mac.Sum(nil) -} - -func (c *Conversation) generateRevealSig() []byte { - s := new(big.Int).Exp(c.gy, c.x, p) - c.calcAKEKeys(s) - c.myKeyId++ - - encryptedSig, mac := c.generateEncryptedSignature(&c.revealKeys, true /* gx comes first */) - - c.myCurrentDHPub = c.gx - c.myCurrentDHPriv = c.x - c.rotateDHKeys() - incCounter(&c.myCounter) - - var ret []byte - ret = appendU16(ret, 2) - ret = append(ret, msgTypeRevealSig) - ret = appendData(ret, c.r[:]) - ret = append(ret, encryptedSig...) - ret = append(ret, mac[:20]...) - return ret -} - -func (c *Conversation) processEncryptedSig(encryptedSig, theirMAC []byte, keys *akeKeys, xFirst bool) error { - mac := hmac.New(sha256.New, keys.m2[:]) - mac.Write(appendData(nil, encryptedSig)) - myMAC := mac.Sum(nil)[:20] - - if len(myMAC) != len(theirMAC) || subtle.ConstantTimeCompare(myMAC, theirMAC) == 0 { - return errors.New("bad signature MAC in encrypted signature") - } - - aesCipher, err := aes.NewCipher(keys.c[:]) - if err != nil { - panic(err.Error()) - } - var iv [aes.BlockSize]byte - ctr := cipher.NewCTR(aesCipher, iv[:]) - ctr.XORKeyStream(encryptedSig, encryptedSig) - - sig := encryptedSig - sig, ok1 := c.TheirPublicKey.Parse(sig) - keyId, sig, ok2 := getU32(sig) - if !ok1 || !ok2 { - return errors.New("otr: corrupt encrypted signature") - } - - var verifyData []byte - if xFirst { - verifyData = appendMPI(verifyData, c.gx) - verifyData = appendMPI(verifyData, c.gy) - } else { - verifyData = appendMPI(verifyData, c.gy) - verifyData = appendMPI(verifyData, c.gx) - } - verifyData = c.TheirPublicKey.Serialize(verifyData) - verifyData = appendU32(verifyData, keyId) - - mac = hmac.New(sha256.New, keys.m1[:]) - mac.Write(verifyData) - mb := mac.Sum(nil) - - sig, ok1 = c.TheirPublicKey.Verify(mb, sig) - if !ok1 { - return errors.New("bad signature in encrypted signature") - } - if len(sig) > 0 { - return errors.New("corrupt encrypted signature") - } - - c.theirKeyId = keyId - zero(c.theirLastCtr[:]) - return nil -} - -func (c *Conversation) processRevealSig(in []byte) error { - r, in, ok1 := getData(in) - encryptedSig, in, ok2 := getData(in) - theirMAC := in - if !ok1 || !ok2 || len(theirMAC) != 20 { - return errors.New("otr: corrupt reveal signature message") - } - - aesCipher, err := aes.NewCipher(r) - if err != nil { - return errors.New("otr: cannot create AES cipher from reveal signature message: " + err.Error()) - } - var iv [aes.BlockSize]byte - ctr := cipher.NewCTR(aesCipher, iv[:]) - ctr.XORKeyStream(c.gxBytes, c.gxBytes) - h := sha256.New() - h.Write(c.gxBytes) - digest := h.Sum(nil) - if len(digest) != len(c.digest) || subtle.ConstantTimeCompare(digest, c.digest[:]) == 0 { - return errors.New("otr: bad commit MAC in reveal signature message") - } - var rest []byte - c.gx, rest, ok1 = getMPI(c.gxBytes) - if !ok1 || len(rest) > 0 { - return errors.New("otr: gx corrupt after decryption") - } - if c.gx.Cmp(g) < 0 || c.gx.Cmp(pMinus2) > 0 { - return errors.New("otr: DH value out of range") - } - s := new(big.Int).Exp(c.gx, c.y, p) - c.calcAKEKeys(s) - - if err := c.processEncryptedSig(encryptedSig, theirMAC, &c.revealKeys, true /* gx comes first */); err != nil { - return errors.New("otr: in reveal signature message: " + err.Error()) - } - - c.theirCurrentDHPub = c.gx - c.theirLastDHPub = nil - - return nil -} - -func (c *Conversation) generateSig() []byte { - c.myKeyId++ - - encryptedSig, mac := c.generateEncryptedSignature(&c.sigKeys, false /* gy comes first */) - - c.myCurrentDHPub = c.gy - c.myCurrentDHPriv = c.y - c.rotateDHKeys() - incCounter(&c.myCounter) - - var ret []byte - ret = appendU16(ret, 2) - ret = append(ret, msgTypeSig) - ret = append(ret, encryptedSig...) - ret = append(ret, mac[:macPrefixBytes]...) - return ret -} - -func (c *Conversation) processSig(in []byte) error { - encryptedSig, in, ok1 := getData(in) - theirMAC := in - if !ok1 || len(theirMAC) != macPrefixBytes { - return errors.New("otr: corrupt signature message") - } - - if err := c.processEncryptedSig(encryptedSig, theirMAC, &c.sigKeys, false /* gy comes first */); err != nil { - return errors.New("otr: in signature message: " + err.Error()) - } - - c.theirCurrentDHPub = c.gy - c.theirLastDHPub = nil - - return nil -} - -func (c *Conversation) rotateDHKeys() { - // evict slots using our retired key id - for i := range c.keySlots { - slot := &c.keySlots[i] - if slot.used && slot.myKeyId == c.myKeyId-1 { - slot.used = false - c.oldMACs = append(c.oldMACs, slot.recvMACKey...) - } - } - - c.myLastDHPriv = c.myCurrentDHPriv - c.myLastDHPub = c.myCurrentDHPub - - var xBytes [dhPrivateBytes]byte - c.myCurrentDHPriv = c.randMPI(xBytes[:]) - c.myCurrentDHPub = new(big.Int).Exp(g, c.myCurrentDHPriv, p) - c.myKeyId++ -} - -func (c *Conversation) processData(in []byte) (out []byte, tlvs []tlv, err error) { - origIn := in - flags, in, ok1 := getU8(in) - theirKeyId, in, ok2 := getU32(in) - myKeyId, in, ok3 := getU32(in) - y, in, ok4 := getMPI(in) - counter, in, ok5 := getNBytes(in, 8) - encrypted, in, ok6 := getData(in) - macedData := origIn[:len(origIn)-len(in)] - theirMAC, in, ok7 := getNBytes(in, macPrefixBytes) - _, in, ok8 := getData(in) - if !ok1 || !ok2 || !ok3 || !ok4 || !ok5 || !ok6 || !ok7 || !ok8 || len(in) > 0 { - err = errors.New("otr: corrupt data message") - return - } - - ignoreErrors := flags&1 != 0 - - slot, err := c.calcDataKeys(myKeyId, theirKeyId) - if err != nil { - if ignoreErrors { - err = nil - } - return - } - - mac := hmac.New(sha1.New, slot.recvMACKey) - mac.Write([]byte{0, 2, 3}) - mac.Write(macedData) - myMAC := mac.Sum(nil) - if len(myMAC) != len(theirMAC) || subtle.ConstantTimeCompare(myMAC, theirMAC) == 0 { - if !ignoreErrors { - err = errors.New("otr: bad MAC on data message") - } - return - } - - if bytes.Compare(counter, slot.theirLastCtr[:]) <= 0 { - err = errors.New("otr: counter regressed") - return - } - copy(slot.theirLastCtr[:], counter) - - var iv [aes.BlockSize]byte - copy(iv[:], counter) - aesCipher, err := aes.NewCipher(slot.recvAESKey) - if err != nil { - panic(err.Error()) - } - ctr := cipher.NewCTR(aesCipher, iv[:]) - ctr.XORKeyStream(encrypted, encrypted) - decrypted := encrypted - - if myKeyId == c.myKeyId { - c.rotateDHKeys() - } - if theirKeyId == c.theirKeyId { - // evict slots using their retired key id - for i := range c.keySlots { - slot := &c.keySlots[i] - if slot.used && slot.theirKeyId == theirKeyId-1 { - slot.used = false - c.oldMACs = append(c.oldMACs, slot.recvMACKey...) - } - } - - c.theirLastDHPub = c.theirCurrentDHPub - c.theirKeyId++ - c.theirCurrentDHPub = y - } - - if nulPos := bytes.IndexByte(decrypted, 0); nulPos >= 0 { - out = decrypted[:nulPos] - tlvData := decrypted[nulPos+1:] - for len(tlvData) > 0 { - var t tlv - var ok1, ok2, ok3 bool - - t.typ, tlvData, ok1 = getU16(tlvData) - t.length, tlvData, ok2 = getU16(tlvData) - t.data, tlvData, ok3 = getNBytes(tlvData, int(t.length)) - if !ok1 || !ok2 || !ok3 { - err = errors.New("otr: corrupt tlv data") - return - } - tlvs = append(tlvs, t) - } - } else { - out = decrypted - } - - return -} - -func (c *Conversation) generateData(msg []byte, extra *tlv) []byte { - slot, err := c.calcDataKeys(c.myKeyId-1, c.theirKeyId) - if err != nil { - panic("otr: failed to generate sending keys: " + err.Error()) - } - - var plaintext []byte - plaintext = append(plaintext, msg...) - plaintext = append(plaintext, 0) - - padding := paddingGranularity - ((len(plaintext) + 4) % paddingGranularity) - plaintext = appendU16(plaintext, tlvTypePadding) - plaintext = appendU16(plaintext, uint16(padding)) - for i := 0; i < padding; i++ { - plaintext = append(plaintext, 0) - } - - if extra != nil { - plaintext = appendU16(plaintext, extra.typ) - plaintext = appendU16(plaintext, uint16(len(extra.data))) - plaintext = append(plaintext, extra.data...) - } - - encrypted := make([]byte, len(plaintext)) - - var iv [aes.BlockSize]byte - copy(iv[:], c.myCounter[:]) - aesCipher, err := aes.NewCipher(slot.sendAESKey) - if err != nil { - panic(err.Error()) - } - ctr := cipher.NewCTR(aesCipher, iv[:]) - ctr.XORKeyStream(encrypted, plaintext) - - var ret []byte - ret = appendU16(ret, 2) - ret = append(ret, msgTypeData) - ret = append(ret, 0 /* flags */) - ret = appendU32(ret, c.myKeyId-1) - ret = appendU32(ret, c.theirKeyId) - ret = appendMPI(ret, c.myCurrentDHPub) - ret = append(ret, c.myCounter[:]...) - ret = appendData(ret, encrypted) - - mac := hmac.New(sha1.New, slot.sendMACKey) - mac.Write(ret) - ret = append(ret, mac.Sum(nil)[:macPrefixBytes]...) - ret = appendData(ret, c.oldMACs) - c.oldMACs = nil - incCounter(&c.myCounter) - - return ret -} - -func incCounter(counter *[8]byte) { - for i := 7; i >= 0; i-- { - counter[i]++ - if counter[i] > 0 { - break - } - } -} - -// calcDataKeys computes the keys used to encrypt a data message given the key -// IDs. -func (c *Conversation) calcDataKeys(myKeyId, theirKeyId uint32) (slot *keySlot, err error) { - // Check for a cache hit. - for i := range c.keySlots { - slot = &c.keySlots[i] - if slot.used && slot.theirKeyId == theirKeyId && slot.myKeyId == myKeyId { - return - } - } - - // Find an empty slot to write into. - slot = nil - for i := range c.keySlots { - if !c.keySlots[i].used { - slot = &c.keySlots[i] - break - } - } - if slot == nil { - return nil, errors.New("otr: internal error: no more key slots") - } - - var myPriv, myPub, theirPub *big.Int - - if myKeyId == c.myKeyId { - myPriv = c.myCurrentDHPriv - myPub = c.myCurrentDHPub - } else if myKeyId == c.myKeyId-1 { - myPriv = c.myLastDHPriv - myPub = c.myLastDHPub - } else { - err = errors.New("otr: peer requested keyid " + strconv.FormatUint(uint64(myKeyId), 10) + " when I'm on " + strconv.FormatUint(uint64(c.myKeyId), 10)) - return - } - - if theirKeyId == c.theirKeyId { - theirPub = c.theirCurrentDHPub - } else if theirKeyId == c.theirKeyId-1 && c.theirLastDHPub != nil { - theirPub = c.theirLastDHPub - } else { - err = errors.New("otr: peer requested keyid " + strconv.FormatUint(uint64(myKeyId), 10) + " when they're on " + strconv.FormatUint(uint64(c.myKeyId), 10)) - return - } - - var sendPrefixByte, recvPrefixByte [1]byte - - if myPub.Cmp(theirPub) > 0 { - // we're the high end - sendPrefixByte[0], recvPrefixByte[0] = 1, 2 - } else { - // we're the low end - sendPrefixByte[0], recvPrefixByte[0] = 2, 1 - } - - s := new(big.Int).Exp(theirPub, myPriv, p) - sBytes := appendMPI(nil, s) - - h := sha1.New() - h.Write(sendPrefixByte[:]) - h.Write(sBytes) - slot.sendAESKey = h.Sum(slot.sendAESKey[:0])[:16] - - h.Reset() - h.Write(slot.sendAESKey) - slot.sendMACKey = h.Sum(slot.sendMACKey[:0]) - - h.Reset() - h.Write(recvPrefixByte[:]) - h.Write(sBytes) - slot.recvAESKey = h.Sum(slot.recvAESKey[:0])[:16] - - h.Reset() - h.Write(slot.recvAESKey) - slot.recvMACKey = h.Sum(slot.recvMACKey[:0]) - - slot.theirKeyId = theirKeyId - slot.myKeyId = myKeyId - slot.used = true - - zero(slot.theirLastCtr[:]) - return -} - -func (c *Conversation) calcAKEKeys(s *big.Int) { - mpi := appendMPI(nil, s) - h := sha256.New() - - var cBytes [32]byte - hashWithPrefix(c.SSID[:], 0, mpi, h) - - hashWithPrefix(cBytes[:], 1, mpi, h) - copy(c.revealKeys.c[:], cBytes[:16]) - copy(c.sigKeys.c[:], cBytes[16:]) - - hashWithPrefix(c.revealKeys.m1[:], 2, mpi, h) - hashWithPrefix(c.revealKeys.m2[:], 3, mpi, h) - hashWithPrefix(c.sigKeys.m1[:], 4, mpi, h) - hashWithPrefix(c.sigKeys.m2[:], 5, mpi, h) -} - -func hashWithPrefix(out []byte, prefix byte, in []byte, h hash.Hash) { - h.Reset() - var p [1]byte - p[0] = prefix - h.Write(p[:]) - h.Write(in) - if len(out) == h.Size() { - h.Sum(out[:0]) - } else { - digest := h.Sum(nil) - copy(out, digest) - } -} - -func (c *Conversation) encode(msg []byte) [][]byte { - b64 := make([]byte, base64.StdEncoding.EncodedLen(len(msg))+len(msgPrefix)+1) - base64.StdEncoding.Encode(b64[len(msgPrefix):], msg) - copy(b64, msgPrefix) - b64[len(b64)-1] = '.' - - if c.FragmentSize < minFragmentSize || len(b64) <= c.FragmentSize { - // We can encode this in a single fragment. - return [][]byte{b64} - } - - // We have to fragment this message. - var ret [][]byte - bytesPerFragment := c.FragmentSize - minFragmentSize - numFragments := (len(b64) + bytesPerFragment) / bytesPerFragment - - for i := 0; i < numFragments; i++ { - frag := []byte("?OTR," + strconv.Itoa(i+1) + "," + strconv.Itoa(numFragments) + ",") - todo := bytesPerFragment - if todo > len(b64) { - todo = len(b64) - } - frag = append(frag, b64[:todo]...) - b64 = b64[todo:] - frag = append(frag, ',') - ret = append(ret, frag) - } - - return ret -} - -func (c *Conversation) reset() { - c.myKeyId = 0 - - for i := range c.keySlots { - c.keySlots[i].used = false - } -} - -type PublicKey struct { - dsa.PublicKey -} - -func (pk *PublicKey) Parse(in []byte) ([]byte, bool) { - var ok bool - var pubKeyType uint16 - - if pubKeyType, in, ok = getU16(in); !ok || pubKeyType != 0 { - return nil, false - } - if pk.P, in, ok = getMPI(in); !ok { - return nil, false - } - if pk.Q, in, ok = getMPI(in); !ok { - return nil, false - } - if pk.G, in, ok = getMPI(in); !ok { - return nil, false - } - if pk.Y, in, ok = getMPI(in); !ok { - return nil, false - } - - return in, true -} - -func (pk *PublicKey) Serialize(in []byte) []byte { - in = appendU16(in, 0) - in = appendMPI(in, pk.P) - in = appendMPI(in, pk.Q) - in = appendMPI(in, pk.G) - in = appendMPI(in, pk.Y) - return in -} - -// Fingerprint returns the 20-byte, binary fingerprint of the PublicKey. -func (pk *PublicKey) Fingerprint() []byte { - b := pk.Serialize(nil) - h := sha1.New() - h.Write(b[2:]) - return h.Sum(nil) -} - -func (pk *PublicKey) Verify(hashed, sig []byte) ([]byte, bool) { - if len(sig) != 2*dsaSubgroupBytes { - return nil, false - } - r := new(big.Int).SetBytes(sig[:dsaSubgroupBytes]) - s := new(big.Int).SetBytes(sig[dsaSubgroupBytes:]) - ok := dsa.Verify(&pk.PublicKey, hashed, r, s) - return sig[dsaSubgroupBytes*2:], ok -} - -type PrivateKey struct { - PublicKey - dsa.PrivateKey -} - -func (priv *PrivateKey) Sign(rand io.Reader, hashed []byte) []byte { - r, s, err := dsa.Sign(rand, &priv.PrivateKey, hashed) - if err != nil { - panic(err.Error()) - } - rBytes := r.Bytes() - sBytes := s.Bytes() - if len(rBytes) > dsaSubgroupBytes || len(sBytes) > dsaSubgroupBytes { - panic("DSA signature too large") - } - - out := make([]byte, 2*dsaSubgroupBytes) - copy(out[dsaSubgroupBytes-len(rBytes):], rBytes) - copy(out[len(out)-len(sBytes):], sBytes) - return out -} - -func (priv *PrivateKey) Serialize(in []byte) []byte { - in = priv.PublicKey.Serialize(in) - in = appendMPI(in, priv.PrivateKey.X) - return in -} - -func (priv *PrivateKey) Parse(in []byte) ([]byte, bool) { - in, ok := priv.PublicKey.Parse(in) - if !ok { - return in, ok - } - priv.PrivateKey.PublicKey = priv.PublicKey.PublicKey - priv.PrivateKey.X, in, ok = getMPI(in) - return in, ok -} - -func (priv *PrivateKey) Generate(rand io.Reader) { - if err := dsa.GenerateParameters(&priv.PrivateKey.PublicKey.Parameters, rand, dsa.L1024N160); err != nil { - panic(err.Error()) - } - if err := dsa.GenerateKey(&priv.PrivateKey, rand); err != nil { - panic(err.Error()) - } - priv.PublicKey.PublicKey = priv.PrivateKey.PublicKey -} - -func notHex(r rune) bool { - if r >= '0' && r <= '9' || - r >= 'a' && r <= 'f' || - r >= 'A' && r <= 'F' { - return false - } - - return true -} - -// Import parses the contents of a libotr private key file. -func (priv *PrivateKey) Import(in []byte) bool { - mpiStart := []byte(" #") - - mpis := make([]*big.Int, 5) - - for i := 0; i < len(mpis); i++ { - start := bytes.Index(in, mpiStart) - if start == -1 { - return false - } - in = in[start+len(mpiStart):] - end := bytes.IndexFunc(in, notHex) - if end == -1 { - return false - } - hexBytes := in[:end] - in = in[end:] - - if len(hexBytes)&1 != 0 { - return false - } - - mpiBytes := make([]byte, len(hexBytes)/2) - if _, err := hex.Decode(mpiBytes, hexBytes); err != nil { - return false - } - - mpis[i] = new(big.Int).SetBytes(mpiBytes) - } - - for _, mpi := range mpis { - if mpi.Sign() <= 0 { - return false - } - } - - priv.PrivateKey.P = mpis[0] - priv.PrivateKey.Q = mpis[1] - priv.PrivateKey.G = mpis[2] - priv.PrivateKey.Y = mpis[3] - priv.PrivateKey.X = mpis[4] - priv.PublicKey.PublicKey = priv.PrivateKey.PublicKey - - a := new(big.Int).Exp(priv.PrivateKey.G, priv.PrivateKey.X, priv.PrivateKey.P) - return a.Cmp(priv.PrivateKey.Y) == 0 -} - -func getU8(in []byte) (uint8, []byte, bool) { - if len(in) < 1 { - return 0, in, false - } - return in[0], in[1:], true -} - -func getU16(in []byte) (uint16, []byte, bool) { - if len(in) < 2 { - return 0, in, false - } - r := uint16(in[0])<<8 | uint16(in[1]) - return r, in[2:], true -} - -func getU32(in []byte) (uint32, []byte, bool) { - if len(in) < 4 { - return 0, in, false - } - r := uint32(in[0])<<24 | uint32(in[1])<<16 | uint32(in[2])<<8 | uint32(in[3]) - return r, in[4:], true -} - -func getMPI(in []byte) (*big.Int, []byte, bool) { - l, in, ok := getU32(in) - if !ok || uint32(len(in)) < l { - return nil, in, false - } - r := new(big.Int).SetBytes(in[:l]) - return r, in[l:], true -} - -func getData(in []byte) ([]byte, []byte, bool) { - l, in, ok := getU32(in) - if !ok || uint32(len(in)) < l { - return nil, in, false - } - return in[:l], in[l:], true -} - -func getNBytes(in []byte, n int) ([]byte, []byte, bool) { - if len(in) < n { - return nil, in, false - } - return in[:n], in[n:], true -} - -func appendU16(out []byte, v uint16) []byte { - out = append(out, byte(v>>8), byte(v)) - return out -} - -func appendU32(out []byte, v uint32) []byte { - out = append(out, byte(v>>24), byte(v>>16), byte(v>>8), byte(v)) - return out -} - -func appendData(out, v []byte) []byte { - out = appendU32(out, uint32(len(v))) - out = append(out, v...) - return out -} - -func appendMPI(out []byte, v *big.Int) []byte { - vBytes := v.Bytes() - out = appendU32(out, uint32(len(vBytes))) - out = append(out, vBytes...) - return out -} - -func appendMPIs(out []byte, mpis ...*big.Int) []byte { - for _, mpi := range mpis { - out = appendMPI(out, mpi) - } - return out -} - -func zero(b []byte) { - for i := range b { - b[i] = 0 - } -} diff --git a/vendor/golang.org/x/crypto/otr/smp.go b/vendor/golang.org/x/crypto/otr/smp.go deleted file mode 100644 index dc6de4ee0..000000000 --- a/vendor/golang.org/x/crypto/otr/smp.go +++ /dev/null @@ -1,572 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// This file implements the Socialist Millionaires Protocol as described in -// http://www.cypherpunks.ca/otr/Protocol-v2-3.1.0.html. The protocol -// specification is required in order to understand this code and, where -// possible, the variable names in the code match up with the spec. - -package otr - -import ( - "bytes" - "crypto/sha256" - "errors" - "hash" - "math/big" -) - -type smpFailure string - -func (s smpFailure) Error() string { - return string(s) -} - -var smpFailureError = smpFailure("otr: SMP protocol failed") -var smpSecretMissingError = smpFailure("otr: mutual secret needed") - -const smpVersion = 1 - -const ( - smpState1 = iota - smpState2 - smpState3 - smpState4 -) - -type smpState struct { - state int - a2, a3, b2, b3, pb, qb *big.Int - g2a, g3a *big.Int - g2, g3 *big.Int - g3b, papb, qaqb, ra *big.Int - saved *tlv - secret *big.Int - question string -} - -func (c *Conversation) startSMP(question string) (tlvs []tlv) { - if c.smp.state != smpState1 { - tlvs = append(tlvs, c.generateSMPAbort()) - } - tlvs = append(tlvs, c.generateSMP1(question)) - c.smp.question = "" - c.smp.state = smpState2 - return -} - -func (c *Conversation) resetSMP() { - c.smp.state = smpState1 - c.smp.secret = nil - c.smp.question = "" -} - -func (c *Conversation) processSMP(in tlv) (out tlv, complete bool, err error) { - data := in.data - - switch in.typ { - case tlvTypeSMPAbort: - if c.smp.state != smpState1 { - err = smpFailureError - } - c.resetSMP() - return - case tlvTypeSMP1WithQuestion: - // We preprocess this into a SMP1 message. - nulPos := bytes.IndexByte(data, 0) - if nulPos == -1 { - err = errors.New("otr: SMP message with question didn't contain a NUL byte") - return - } - c.smp.question = string(data[:nulPos]) - data = data[nulPos+1:] - } - - numMPIs, data, ok := getU32(data) - if !ok || numMPIs > 20 { - err = errors.New("otr: corrupt SMP message") - return - } - - mpis := make([]*big.Int, numMPIs) - for i := range mpis { - var ok bool - mpis[i], data, ok = getMPI(data) - if !ok { - err = errors.New("otr: corrupt SMP message") - return - } - } - - switch in.typ { - case tlvTypeSMP1, tlvTypeSMP1WithQuestion: - if c.smp.state != smpState1 { - c.resetSMP() - out = c.generateSMPAbort() - return - } - if c.smp.secret == nil { - err = smpSecretMissingError - return - } - if err = c.processSMP1(mpis); err != nil { - return - } - c.smp.state = smpState3 - out = c.generateSMP2() - case tlvTypeSMP2: - if c.smp.state != smpState2 { - c.resetSMP() - out = c.generateSMPAbort() - return - } - if out, err = c.processSMP2(mpis); err != nil { - out = c.generateSMPAbort() - return - } - c.smp.state = smpState4 - case tlvTypeSMP3: - if c.smp.state != smpState3 { - c.resetSMP() - out = c.generateSMPAbort() - return - } - if out, err = c.processSMP3(mpis); err != nil { - return - } - c.smp.state = smpState1 - c.smp.secret = nil - complete = true - case tlvTypeSMP4: - if c.smp.state != smpState4 { - c.resetSMP() - out = c.generateSMPAbort() - return - } - if err = c.processSMP4(mpis); err != nil { - out = c.generateSMPAbort() - return - } - c.smp.state = smpState1 - c.smp.secret = nil - complete = true - default: - panic("unknown SMP message") - } - - return -} - -func (c *Conversation) calcSMPSecret(mutualSecret []byte, weStarted bool) { - h := sha256.New() - h.Write([]byte{smpVersion}) - if weStarted { - h.Write(c.PrivateKey.PublicKey.Fingerprint()) - h.Write(c.TheirPublicKey.Fingerprint()) - } else { - h.Write(c.TheirPublicKey.Fingerprint()) - h.Write(c.PrivateKey.PublicKey.Fingerprint()) - } - h.Write(c.SSID[:]) - h.Write(mutualSecret) - c.smp.secret = new(big.Int).SetBytes(h.Sum(nil)) -} - -func (c *Conversation) generateSMP1(question string) tlv { - var randBuf [16]byte - c.smp.a2 = c.randMPI(randBuf[:]) - c.smp.a3 = c.randMPI(randBuf[:]) - g2a := new(big.Int).Exp(g, c.smp.a2, p) - g3a := new(big.Int).Exp(g, c.smp.a3, p) - h := sha256.New() - - r2 := c.randMPI(randBuf[:]) - r := new(big.Int).Exp(g, r2, p) - c2 := new(big.Int).SetBytes(hashMPIs(h, 1, r)) - d2 := new(big.Int).Mul(c.smp.a2, c2) - d2.Sub(r2, d2) - d2.Mod(d2, q) - if d2.Sign() < 0 { - d2.Add(d2, q) - } - - r3 := c.randMPI(randBuf[:]) - r.Exp(g, r3, p) - c3 := new(big.Int).SetBytes(hashMPIs(h, 2, r)) - d3 := new(big.Int).Mul(c.smp.a3, c3) - d3.Sub(r3, d3) - d3.Mod(d3, q) - if d3.Sign() < 0 { - d3.Add(d3, q) - } - - var ret tlv - if len(question) > 0 { - ret.typ = tlvTypeSMP1WithQuestion - ret.data = append(ret.data, question...) - ret.data = append(ret.data, 0) - } else { - ret.typ = tlvTypeSMP1 - } - ret.data = appendU32(ret.data, 6) - ret.data = appendMPIs(ret.data, g2a, c2, d2, g3a, c3, d3) - return ret -} - -func (c *Conversation) processSMP1(mpis []*big.Int) error { - if len(mpis) != 6 { - return errors.New("otr: incorrect number of arguments in SMP1 message") - } - g2a := mpis[0] - c2 := mpis[1] - d2 := mpis[2] - g3a := mpis[3] - c3 := mpis[4] - d3 := mpis[5] - h := sha256.New() - - r := new(big.Int).Exp(g, d2, p) - s := new(big.Int).Exp(g2a, c2, p) - r.Mul(r, s) - r.Mod(r, p) - t := new(big.Int).SetBytes(hashMPIs(h, 1, r)) - if c2.Cmp(t) != 0 { - return errors.New("otr: ZKP c2 incorrect in SMP1 message") - } - r.Exp(g, d3, p) - s.Exp(g3a, c3, p) - r.Mul(r, s) - r.Mod(r, p) - t.SetBytes(hashMPIs(h, 2, r)) - if c3.Cmp(t) != 0 { - return errors.New("otr: ZKP c3 incorrect in SMP1 message") - } - - c.smp.g2a = g2a - c.smp.g3a = g3a - return nil -} - -func (c *Conversation) generateSMP2() tlv { - var randBuf [16]byte - b2 := c.randMPI(randBuf[:]) - c.smp.b3 = c.randMPI(randBuf[:]) - r2 := c.randMPI(randBuf[:]) - r3 := c.randMPI(randBuf[:]) - r4 := c.randMPI(randBuf[:]) - r5 := c.randMPI(randBuf[:]) - r6 := c.randMPI(randBuf[:]) - - g2b := new(big.Int).Exp(g, b2, p) - g3b := new(big.Int).Exp(g, c.smp.b3, p) - - r := new(big.Int).Exp(g, r2, p) - h := sha256.New() - c2 := new(big.Int).SetBytes(hashMPIs(h, 3, r)) - d2 := new(big.Int).Mul(b2, c2) - d2.Sub(r2, d2) - d2.Mod(d2, q) - if d2.Sign() < 0 { - d2.Add(d2, q) - } - - r.Exp(g, r3, p) - c3 := new(big.Int).SetBytes(hashMPIs(h, 4, r)) - d3 := new(big.Int).Mul(c.smp.b3, c3) - d3.Sub(r3, d3) - d3.Mod(d3, q) - if d3.Sign() < 0 { - d3.Add(d3, q) - } - - c.smp.g2 = new(big.Int).Exp(c.smp.g2a, b2, p) - c.smp.g3 = new(big.Int).Exp(c.smp.g3a, c.smp.b3, p) - c.smp.pb = new(big.Int).Exp(c.smp.g3, r4, p) - c.smp.qb = new(big.Int).Exp(g, r4, p) - r.Exp(c.smp.g2, c.smp.secret, p) - c.smp.qb.Mul(c.smp.qb, r) - c.smp.qb.Mod(c.smp.qb, p) - - s := new(big.Int) - s.Exp(c.smp.g2, r6, p) - r.Exp(g, r5, p) - s.Mul(r, s) - s.Mod(s, p) - r.Exp(c.smp.g3, r5, p) - cp := new(big.Int).SetBytes(hashMPIs(h, 5, r, s)) - - // D5 = r5 - r4 cP mod q and D6 = r6 - y cP mod q - - s.Mul(r4, cp) - r.Sub(r5, s) - d5 := new(big.Int).Mod(r, q) - if d5.Sign() < 0 { - d5.Add(d5, q) - } - - s.Mul(c.smp.secret, cp) - r.Sub(r6, s) - d6 := new(big.Int).Mod(r, q) - if d6.Sign() < 0 { - d6.Add(d6, q) - } - - var ret tlv - ret.typ = tlvTypeSMP2 - ret.data = appendU32(ret.data, 11) - ret.data = appendMPIs(ret.data, g2b, c2, d2, g3b, c3, d3, c.smp.pb, c.smp.qb, cp, d5, d6) - return ret -} - -func (c *Conversation) processSMP2(mpis []*big.Int) (out tlv, err error) { - if len(mpis) != 11 { - err = errors.New("otr: incorrect number of arguments in SMP2 message") - return - } - g2b := mpis[0] - c2 := mpis[1] - d2 := mpis[2] - g3b := mpis[3] - c3 := mpis[4] - d3 := mpis[5] - pb := mpis[6] - qb := mpis[7] - cp := mpis[8] - d5 := mpis[9] - d6 := mpis[10] - h := sha256.New() - - r := new(big.Int).Exp(g, d2, p) - s := new(big.Int).Exp(g2b, c2, p) - r.Mul(r, s) - r.Mod(r, p) - s.SetBytes(hashMPIs(h, 3, r)) - if c2.Cmp(s) != 0 { - err = errors.New("otr: ZKP c2 failed in SMP2 message") - return - } - - r.Exp(g, d3, p) - s.Exp(g3b, c3, p) - r.Mul(r, s) - r.Mod(r, p) - s.SetBytes(hashMPIs(h, 4, r)) - if c3.Cmp(s) != 0 { - err = errors.New("otr: ZKP c3 failed in SMP2 message") - return - } - - c.smp.g2 = new(big.Int).Exp(g2b, c.smp.a2, p) - c.smp.g3 = new(big.Int).Exp(g3b, c.smp.a3, p) - - r.Exp(g, d5, p) - s.Exp(c.smp.g2, d6, p) - r.Mul(r, s) - s.Exp(qb, cp, p) - r.Mul(r, s) - r.Mod(r, p) - - s.Exp(c.smp.g3, d5, p) - t := new(big.Int).Exp(pb, cp, p) - s.Mul(s, t) - s.Mod(s, p) - t.SetBytes(hashMPIs(h, 5, s, r)) - if cp.Cmp(t) != 0 { - err = errors.New("otr: ZKP cP failed in SMP2 message") - return - } - - var randBuf [16]byte - r4 := c.randMPI(randBuf[:]) - r5 := c.randMPI(randBuf[:]) - r6 := c.randMPI(randBuf[:]) - r7 := c.randMPI(randBuf[:]) - - pa := new(big.Int).Exp(c.smp.g3, r4, p) - r.Exp(c.smp.g2, c.smp.secret, p) - qa := new(big.Int).Exp(g, r4, p) - qa.Mul(qa, r) - qa.Mod(qa, p) - - r.Exp(g, r5, p) - s.Exp(c.smp.g2, r6, p) - r.Mul(r, s) - r.Mod(r, p) - - s.Exp(c.smp.g3, r5, p) - cp.SetBytes(hashMPIs(h, 6, s, r)) - - r.Mul(r4, cp) - d5 = new(big.Int).Sub(r5, r) - d5.Mod(d5, q) - if d5.Sign() < 0 { - d5.Add(d5, q) - } - - r.Mul(c.smp.secret, cp) - d6 = new(big.Int).Sub(r6, r) - d6.Mod(d6, q) - if d6.Sign() < 0 { - d6.Add(d6, q) - } - - r.ModInverse(qb, p) - qaqb := new(big.Int).Mul(qa, r) - qaqb.Mod(qaqb, p) - - ra := new(big.Int).Exp(qaqb, c.smp.a3, p) - r.Exp(qaqb, r7, p) - s.Exp(g, r7, p) - cr := new(big.Int).SetBytes(hashMPIs(h, 7, s, r)) - - r.Mul(c.smp.a3, cr) - d7 := new(big.Int).Sub(r7, r) - d7.Mod(d7, q) - if d7.Sign() < 0 { - d7.Add(d7, q) - } - - c.smp.g3b = g3b - c.smp.qaqb = qaqb - - r.ModInverse(pb, p) - c.smp.papb = new(big.Int).Mul(pa, r) - c.smp.papb.Mod(c.smp.papb, p) - c.smp.ra = ra - - out.typ = tlvTypeSMP3 - out.data = appendU32(out.data, 8) - out.data = appendMPIs(out.data, pa, qa, cp, d5, d6, ra, cr, d7) - return -} - -func (c *Conversation) processSMP3(mpis []*big.Int) (out tlv, err error) { - if len(mpis) != 8 { - err = errors.New("otr: incorrect number of arguments in SMP3 message") - return - } - pa := mpis[0] - qa := mpis[1] - cp := mpis[2] - d5 := mpis[3] - d6 := mpis[4] - ra := mpis[5] - cr := mpis[6] - d7 := mpis[7] - h := sha256.New() - - r := new(big.Int).Exp(g, d5, p) - s := new(big.Int).Exp(c.smp.g2, d6, p) - r.Mul(r, s) - s.Exp(qa, cp, p) - r.Mul(r, s) - r.Mod(r, p) - - s.Exp(c.smp.g3, d5, p) - t := new(big.Int).Exp(pa, cp, p) - s.Mul(s, t) - s.Mod(s, p) - t.SetBytes(hashMPIs(h, 6, s, r)) - if t.Cmp(cp) != 0 { - err = errors.New("otr: ZKP cP failed in SMP3 message") - return - } - - r.ModInverse(c.smp.qb, p) - qaqb := new(big.Int).Mul(qa, r) - qaqb.Mod(qaqb, p) - - r.Exp(qaqb, d7, p) - s.Exp(ra, cr, p) - r.Mul(r, s) - r.Mod(r, p) - - s.Exp(g, d7, p) - t.Exp(c.smp.g3a, cr, p) - s.Mul(s, t) - s.Mod(s, p) - t.SetBytes(hashMPIs(h, 7, s, r)) - if t.Cmp(cr) != 0 { - err = errors.New("otr: ZKP cR failed in SMP3 message") - return - } - - var randBuf [16]byte - r7 := c.randMPI(randBuf[:]) - rb := new(big.Int).Exp(qaqb, c.smp.b3, p) - - r.Exp(qaqb, r7, p) - s.Exp(g, r7, p) - cr = new(big.Int).SetBytes(hashMPIs(h, 8, s, r)) - - r.Mul(c.smp.b3, cr) - d7 = new(big.Int).Sub(r7, r) - d7.Mod(d7, q) - if d7.Sign() < 0 { - d7.Add(d7, q) - } - - out.typ = tlvTypeSMP4 - out.data = appendU32(out.data, 3) - out.data = appendMPIs(out.data, rb, cr, d7) - - r.ModInverse(c.smp.pb, p) - r.Mul(pa, r) - r.Mod(r, p) - s.Exp(ra, c.smp.b3, p) - if r.Cmp(s) != 0 { - err = smpFailureError - } - - return -} - -func (c *Conversation) processSMP4(mpis []*big.Int) error { - if len(mpis) != 3 { - return errors.New("otr: incorrect number of arguments in SMP4 message") - } - rb := mpis[0] - cr := mpis[1] - d7 := mpis[2] - h := sha256.New() - - r := new(big.Int).Exp(c.smp.qaqb, d7, p) - s := new(big.Int).Exp(rb, cr, p) - r.Mul(r, s) - r.Mod(r, p) - - s.Exp(g, d7, p) - t := new(big.Int).Exp(c.smp.g3b, cr, p) - s.Mul(s, t) - s.Mod(s, p) - t.SetBytes(hashMPIs(h, 8, s, r)) - if t.Cmp(cr) != 0 { - return errors.New("otr: ZKP cR failed in SMP4 message") - } - - r.Exp(rb, c.smp.a3, p) - if r.Cmp(c.smp.papb) != 0 { - return smpFailureError - } - - return nil -} - -func (c *Conversation) generateSMPAbort() tlv { - return tlv{typ: tlvTypeSMPAbort} -} - -func hashMPIs(h hash.Hash, magic byte, mpis ...*big.Int) []byte { - if h != nil { - h.Reset() - } else { - h = sha256.New() - } - - h.Write([]byte{magic}) - for _, mpi := range mpis { - h.Write(appendMPI(nil, mpi)) - } - return h.Sum(nil) -} diff --git a/vendor/golang.org/x/crypto/ssh/terminal/terminal.go b/vendor/golang.org/x/crypto/ssh/terminal/terminal.go index 9a887598f..2f04ee5b5 100644 --- a/vendor/golang.org/x/crypto/ssh/terminal/terminal.go +++ b/vendor/golang.org/x/crypto/ssh/terminal/terminal.go @@ -7,6 +7,7 @@ package terminal import ( "bytes" "io" + "strconv" "sync" "unicode/utf8" ) @@ -159,6 +160,10 @@ func bytesToKey(b []byte, pasteActive bool) (rune, []byte) { return keyClearScreen, b[1:] case 23: // ^W return keyDeleteWord, b[1:] + case 14: // ^N + return keyDown, b[1:] + case 16: // ^P + return keyUp, b[1:] } } @@ -267,34 +272,44 @@ func (t *Terminal) moveCursorToPos(pos int) { } func (t *Terminal) move(up, down, left, right int) { - movement := make([]rune, 3*(up+down+left+right)) - m := movement - for i := 0; i < up; i++ { - m[0] = keyEscape - m[1] = '[' - m[2] = 'A' - m = m[3:] - } - for i := 0; i < down; i++ { - m[0] = keyEscape - m[1] = '[' - m[2] = 'B' - m = m[3:] - } - for i := 0; i < left; i++ { - m[0] = keyEscape - m[1] = '[' - m[2] = 'D' - m = m[3:] - } - for i := 0; i < right; i++ { - m[0] = keyEscape - m[1] = '[' - m[2] = 'C' - m = m[3:] - } - - t.queue(movement) + m := []rune{} + + // 1 unit up can be expressed as ^[[A or ^[A + // 5 units up can be expressed as ^[[5A + + if up == 1 { + m = append(m, keyEscape, '[', 'A') + } else if up > 1 { + m = append(m, keyEscape, '[') + m = append(m, []rune(strconv.Itoa(up))...) + m = append(m, 'A') + } + + if down == 1 { + m = append(m, keyEscape, '[', 'B') + } else if down > 1 { + m = append(m, keyEscape, '[') + m = append(m, []rune(strconv.Itoa(down))...) + m = append(m, 'B') + } + + if right == 1 { + m = append(m, keyEscape, '[', 'C') + } else if right > 1 { + m = append(m, keyEscape, '[') + m = append(m, []rune(strconv.Itoa(right))...) + m = append(m, 'C') + } + + if left == 1 { + m = append(m, keyEscape, '[', 'D') + } else if left > 1 { + m = append(m, keyEscape, '[') + m = append(m, []rune(strconv.Itoa(left))...) + m = append(m, 'D') + } + + t.queue(m) } func (t *Terminal) clearLineToRight() { diff --git a/vendor/golang.org/x/crypto/ssh/terminal/util_windows.go b/vendor/golang.org/x/crypto/ssh/terminal/util_windows.go index 6cb8a9503..5cfdf8f3f 100644 --- a/vendor/golang.org/x/crypto/ssh/terminal/util_windows.go +++ b/vendor/golang.org/x/crypto/ssh/terminal/util_windows.go @@ -64,13 +64,15 @@ func Restore(fd int, state *State) error { return windows.SetConsoleMode(windows.Handle(fd), state.mode) } -// GetSize returns the dimensions of the given terminal. +// GetSize returns the visible dimensions of the given terminal. +// +// These dimensions don't include any scrollback buffer height. func GetSize(fd int) (width, height int, err error) { var info windows.ConsoleScreenBufferInfo if err := windows.GetConsoleScreenBufferInfo(windows.Handle(fd), &info); err != nil { return 0, 0, err } - return int(info.Size.X), int(info.Size.Y), nil + return int(info.Window.Right - info.Window.Left + 1), int(info.Window.Bottom - info.Window.Top + 1), nil } // ReadPassword reads a line of input from a terminal without local echo. This diff --git a/vendor/golang.org/x/crypto/ssh/test/doc.go b/vendor/golang.org/x/crypto/ssh/test/doc.go deleted file mode 100644 index 198f0ca1e..000000000 --- a/vendor/golang.org/x/crypto/ssh/test/doc.go +++ /dev/null @@ -1,7 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package test contains integration tests for the -// golang.org/x/crypto/ssh package. -package test // import "golang.org/x/crypto/ssh/test" diff --git a/vendor/golang.org/x/crypto/ssh/test/sshd_test_pw.c b/vendor/golang.org/x/crypto/ssh/test/sshd_test_pw.c deleted file mode 100644 index 2794a563a..000000000 --- a/vendor/golang.org/x/crypto/ssh/test/sshd_test_pw.c +++ /dev/null @@ -1,173 +0,0 @@ -// Copyright 2017 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// sshd_test_pw.c -// Wrapper to inject test password data for sshd PAM authentication -// -// This wrapper implements custom versions of getpwnam, getpwnam_r, -// getspnam and getspnam_r. These functions first call their real -// libc versions, then check if the requested user matches test user -// specified in env variable TEST_USER and if so replace the password -// with crypted() value of TEST_PASSWD env variable. -// -// Compile: -// gcc -Wall -shared -o sshd_test_pw.so -fPIC sshd_test_pw.c -// -// Compile with debug: -// gcc -DVERBOSE -Wall -shared -o sshd_test_pw.so -fPIC sshd_test_pw.c -// -// Run sshd: -// LD_PRELOAD="sshd_test_pw.so" TEST_USER="..." TEST_PASSWD="..." sshd ... - -// +build ignore - -#define _GNU_SOURCE -#include <string.h> -#include <pwd.h> -#include <shadow.h> -#include <dlfcn.h> -#include <stdlib.h> -#include <unistd.h> -#include <stdio.h> - -#ifdef VERBOSE -#define DEBUG(X...) fprintf(stderr, X) -#else -#define DEBUG(X...) while (0) { } -#endif - -/* crypt() password */ -static char * -pwhash(char *passwd) { - return strdup(crypt(passwd, "$6$")); -} - -/* Pointers to real functions in libc */ -static struct passwd * (*real_getpwnam)(const char *) = NULL; -static int (*real_getpwnam_r)(const char *, struct passwd *, char *, size_t, struct passwd **) = NULL; -static struct spwd * (*real_getspnam)(const char *) = NULL; -static int (*real_getspnam_r)(const char *, struct spwd *, char *, size_t, struct spwd **) = NULL; - -/* Cached test user and test password */ -static char *test_user = NULL; -static char *test_passwd_hash = NULL; - -static void -init(void) { - /* Fetch real libc function pointers */ - real_getpwnam = dlsym(RTLD_NEXT, "getpwnam"); - real_getpwnam_r = dlsym(RTLD_NEXT, "getpwnam_r"); - real_getspnam = dlsym(RTLD_NEXT, "getspnam"); - real_getspnam_r = dlsym(RTLD_NEXT, "getspnam_r"); - - /* abort if env variables are not defined */ - if (getenv("TEST_USER") == NULL || getenv("TEST_PASSWD") == NULL) { - fprintf(stderr, "env variables TEST_USER and TEST_PASSWD are missing\n"); - abort(); - } - - /* Fetch test user and test password from env */ - test_user = strdup(getenv("TEST_USER")); - test_passwd_hash = pwhash(getenv("TEST_PASSWD")); - - DEBUG("sshd_test_pw init():\n"); - DEBUG("\treal_getpwnam: %p\n", real_getpwnam); - DEBUG("\treal_getpwnam_r: %p\n", real_getpwnam_r); - DEBUG("\treal_getspnam: %p\n", real_getspnam); - DEBUG("\treal_getspnam_r: %p\n", real_getspnam_r); - DEBUG("\tTEST_USER: '%s'\n", test_user); - DEBUG("\tTEST_PASSWD: '%s'\n", getenv("TEST_PASSWD")); - DEBUG("\tTEST_PASSWD_HASH: '%s'\n", test_passwd_hash); -} - -static int -is_test_user(const char *name) { - if (test_user != NULL && strcmp(test_user, name) == 0) - return 1; - return 0; -} - -/* getpwnam */ - -struct passwd * -getpwnam(const char *name) { - struct passwd *pw; - - DEBUG("sshd_test_pw getpwnam(%s)\n", name); - - if (real_getpwnam == NULL) - init(); - if ((pw = real_getpwnam(name)) == NULL) - return NULL; - - if (is_test_user(name)) - pw->pw_passwd = strdup(test_passwd_hash); - - return pw; -} - -/* getpwnam_r */ - -int -getpwnam_r(const char *name, - struct passwd *pwd, - char *buf, - size_t buflen, - struct passwd **result) { - int r; - - DEBUG("sshd_test_pw getpwnam_r(%s)\n", name); - - if (real_getpwnam_r == NULL) - init(); - if ((r = real_getpwnam_r(name, pwd, buf, buflen, result)) != 0 || *result == NULL) - return r; - - if (is_test_user(name)) - pwd->pw_passwd = strdup(test_passwd_hash); - - return 0; -} - -/* getspnam */ - -struct spwd * -getspnam(const char *name) { - struct spwd *sp; - - DEBUG("sshd_test_pw getspnam(%s)\n", name); - - if (real_getspnam == NULL) - init(); - if ((sp = real_getspnam(name)) == NULL) - return NULL; - - if (is_test_user(name)) - sp->sp_pwdp = strdup(test_passwd_hash); - - return sp; -} - -/* getspnam_r */ - -int -getspnam_r(const char *name, - struct spwd *spbuf, - char *buf, - size_t buflen, - struct spwd **spbufp) { - int r; - - DEBUG("sshd_test_pw getspnam_r(%s)\n", name); - - if (real_getspnam_r == NULL) - init(); - if ((r = real_getspnam_r(name, spbuf, buf, buflen, spbufp)) != 0) - return r; - - if (is_test_user(name)) - spbuf->sp_pwdp = strdup(test_passwd_hash); - - return r; -} |