Home Explore Help
Sign In
yawning
/
norx
Watch 1
Star 0
Fork 0
Files Issues 0 Pull Requests 0 Wiki
Branch: master
Branches Tags
norx
/
norx.go

norx.go 2.3 KB
Permalink History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101 
  1. // norx.go - High-level interface
    2. 

  2. //
    3. 

  3. // To the extent possible under law, Yawning Angel has waived all copyright
    4. 

  4. // and related or neighboring rights to the software, using the Creative
    5. 

  5. // Commons "CC0" public domain dedication. See LICENSE or
    6. 

  6. // <http://creativecommons.org/publicdomain/zero/1.0/> for full details.
    7. 

  7. 

  8. package norx
    9. 

  9. 

  10. import "crypto/subtle"
    11. 

  11. 

  12. const (
    13. 

  13. 	// KeySize is the size of a key in bytes.
    14. 

  14. 	KeySize = 32
    15. 

  15. 

  16. 	// NonceSize is the size of a nonce in bytes.
    17. 

  17. 	NonceSize = 32
    18. 

  18. 

  19. 	// TagSize is the size of an authentication tag in bytes.
    20. 

  20. 	TagSize = 32
    21. 

  21. 

  22. 	// Version is the version of the NORX specification implemented.
    23. 

  23. 	Version = "3.0"
    24. 

  24. )
    25. 

  25. 

  26. func aeadEncrypt(l int, c, a, m, z, nonce, key []byte) []byte {
    27. 

  27. 	var k [bytesK]byte
    28. 

  28. 	s := &state{rounds: l}
    29. 

  29. 	mLen := len(m)
    30. 

  30. 

  31. 	ret, out := sliceForAppend(c, mLen+bytesT)
    32. 

  32. 

  33. 	copy(k[:], key)
    34. 

  34. 	hardwareAccelImpl.initFn(s, k[:], nonce)
    35. 

  35. 	hardwareAccelImpl.absorbDataFn(s, a, tagHeader)
    36. 

  36. 	hardwareAccelImpl.encryptDataFn(s, out, m)
    37. 

  37. 	hardwareAccelImpl.absorbDataFn(s, z, tagTrailer)
    38. 

  38. 	hardwareAccelImpl.finalizeFn(s, out[mLen:], k[:])
    39. 

  39. 

  40. 	burnUint64s(s.s[:])
    41. 

  41. 	burnBytes(k[:])
    42. 

  42. 

  43. 	return ret
    44. 

  44. }
    45. 

  45. 

  46. func aeadDecrypt(l int, m, a, c, z, nonce, key []byte) ([]byte, bool) {
    47. 

  47. 	var k [bytesK]byte
    48. 

  48. 	var tag [bytesT]byte
    49. 

  49. 	s := &state{rounds: l}
    50. 

  50. 	cLen := len(c)
    51. 

  51. 

  52. 	if cLen < bytesT {
    53. 

  53. 		return nil, false
    54. 

  54. 	}
    55. 

  55. 

  56. 	mLen := cLen - bytesT
    57. 

  57. 	ret, out := sliceForAppend(m, mLen)
    58. 

  58. 

  59. 	copy(k[:], key)
    60. 

  60. 	hardwareAccelImpl.initFn(s, k[:], nonce)
    61. 

  61. 	hardwareAccelImpl.absorbDataFn(s, a, tagHeader)
    62. 

  62. 	hardwareAccelImpl.decryptDataFn(s, out, c[:mLen])
    63. 

  63. 	hardwareAccelImpl.absorbDataFn(s, z, tagTrailer)
    64. 

  64. 	hardwareAccelImpl.finalizeFn(s, tag[:], k[:])
    65. 

  65. 

  66. 	srcTag := c[mLen:]
    67. 

  67. 	ok := subtle.ConstantTimeCompare(srcTag, tag[:]) == 1
    68. 

  68. 	if !ok && mLen > 0 { // burn decrypted plaintext on auth failure
    69. 

  69. 		burnBytes(out[:mLen])
    70. 

  70. 		ret = nil
    71. 

  71. 	}
    72. 

  72. 

  73. 	burnUint64s(s.s[:])
    74. 

  74. 	burnBytes(k[:])
    75. 

  75. 

  76. 	return ret, ok
    77. 

  77. }
    78. 

  78. 

  79. // Shamelessly stolen from the Go runtime library.
    80. 

  80. func sliceForAppend(in []byte, n int) (head, tail []byte) {
    81. 

  81. 	if total := len(in) + n; cap(in) >= total {
    82. 

  82. 		head = in[:total]
    83. 

  83. 	} else {
    84. 

  84. 		head = make([]byte, total)
    85. 

  85. 		copy(head, in)
    86. 

  86. 	}
    87. 

  87. 	tail = head[len(in):]
    88. 

  88. 	return
    89. 

  89. }
    90. 

  90. 

  91. func init() {
    92. 

  92. 	if KeySize != bytesK {
    93. 

  93. 		panic("BUG: KeySize != paramK/8")
    94. 

  94. 	}
    95. 

  95. 	if NonceSize != paramN/8 {
    96. 

  96. 		panic("BUG: NonceSize != paramN/8")
    97. 

  97. 	}
    98. 

  98. 	if TagSize != bytesT {
    99. 

  99. 		panic("BUG: TagSize != bytesT")
    100. 

  100. 	}
    101. 

  101. }
    102.