OLD | NEW |
(Empty) | |
| 1 // Copyright 2012 The Go Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style |
| 3 // license that can be found in the LICENSE file. |
| 4 |
| 5 /* |
| 6 Package salsa20 implements the Salsa20 stream cipher as specified in http://cr.y
p.to/snuffle/spec.pdf. |
| 7 |
| 8 Salsa20 differs from many other stream ciphers in that is message orientated |
| 9 rather than byte orientated. Keystream blocks are not preserved between calls, |
| 10 therefore each side must encrypt/decrypt data with the same segmentation. |
| 11 |
| 12 Another aspect of this difference is that part of the counter is exposed as |
| 13 an nonce in each call. Encrypting two different messages with the same (key, |
| 14 nonce) pair leads to trivial plaintext recovery. This is analogous to |
| 15 encrypting two different messages with the same key with a traditional stream |
| 16 cipher. |
| 17 |
| 18 This package also implements XSalsa20: a version of Salsa20 with a 24-byte |
| 19 nonce as specified in http://cr.yp.to/snuffle/xsalsa-20081128.pdf. Simply |
| 20 passing a 24-byte slice as the nonce triggers XSalsa20. |
| 21 |
| 22 TODO(agl): implement XORKeyStream12 and XORKeyStream8 - the |
| 23 reduced round variants of Salsa20. */ |
| 24 package salsa20 |
| 25 |
| 26 import ( |
| 27 "code.google.com/p/go.crypto/salsa20/salsa" |
| 28 ) |
| 29 |
| 30 // XORKeyStream crypts bytes from in to out using the given key and nonce. In |
| 31 // and out may be the same slice but otherwise should not overlap. Nonce must |
| 32 // be either 8 or 24 bytes long. |
| 33 func XORKeyStream(out, in []byte, nonce []byte, key *[32]byte) { |
| 34 if len(out) < len(in) { |
| 35 in = in[:len(out)] |
| 36 } |
| 37 |
| 38 var subNonce [16]byte |
| 39 |
| 40 if len(nonce) == 24 { |
| 41 var subKey [32]byte |
| 42 var hNonce [16]byte |
| 43 copy(hNonce[:], nonce[:16]) |
| 44 salsa.HSalsa20(&subKey, &hNonce, key, &salsa.Sigma) |
| 45 copy(subNonce[:], nonce[16:]) |
| 46 key = &subKey |
| 47 } else if len(nonce) == 8 { |
| 48 copy(subNonce[:], nonce[:]) |
| 49 } else { |
| 50 panic("salsa20: nonce must be 8 or 24 bytes") |
| 51 } |
| 52 |
| 53 salsa.XORKeyStream(out, in, &subNonce, key) |
| 54 } |
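Review bot: XORKeyStream silently shortens `in` to `len(out)` when the output buffer is too small (new lines 34–36), so the caller gets a partially processed message with no signal and may treat the unprocessed tail of the input as handled. Failing loudly would be safer and consistent with the nonce-length check further down: `if len(out) < len(in) { panic("salsa20: output smaller than input") }`. The function's doc comment should also state that Salsa20 gives confidentiality only. The ciphertext is malleable, so callers need a separate MAC over it, and the comment should repeat the package-level warning that a (key, nonce) pair must never be used for two messages. The "should not overlap" requirement on `in` and `out` is documented but not checked in this function; whether `salsa.XORKeyStream` checks it is not visible here.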
OLD | NEW |