Diffstat (limited to 'vendor/golang.org/x/crypto')
98 files changed, 0 insertions, 40444 deletions
diff --git a/vendor/golang.org/x/crypto/LICENSE b/vendor/golang.org/x/crypto/LICENSE
deleted file mode 100644
index 2a7cf70da..000000000
--- a/vendor/golang.org/x/crypto/LICENSE
+++ /dev/null
@@ -1,27 +0,0 @@
-Copyright 2009 The Go Authors.
-
-Redistribution and use in source and binary forms, with or without
-modification, are permitted provided that the following conditions are
-met:
-
- * Redistributions of source code must retain the above copyright
-notice, this list of conditions and the following disclaimer.
- * Redistributions in binary form must reproduce the above
-copyright notice, this list of conditions and the following disclaimer
-in the documentation and/or other materials provided with the
-distribution.
- * Neither the name of Google LLC nor the names of its
-contributors may be used to endorse or promote products derived from
-this software without specific prior written permission.
-
-THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
diff --git a/vendor/golang.org/x/crypto/PATENTS b/vendor/golang.org/x/crypto/PATENTS
deleted file mode 100644
index 733099041..000000000
--- a/vendor/golang.org/x/crypto/PATENTS
+++ /dev/null
@@ -1,22 +0,0 @@
-Additional IP Rights Grant (Patents)
-
-"This implementation" means the copyrightable works distributed by
-Google as part of the Go project.
-
-Google hereby grants to You a perpetual, worldwide, non-exclusive,
-no-charge, royalty-free, irrevocable (except as stated in this section)
-patent license to make, have made, use, offer to sell, sell, import,
-transfer and otherwise run, modify and propagate the contents of this
-implementation of Go, where such license applies only to those patent
-claims, both currently owned or controlled by Google and acquired in
-the future, licensable by Google that are necessarily infringed by this
-implementation of Go. This grant does not include claims that would be
-infringed only as a consequence of further modification of this
-implementation. If you or your agent or exclusive licensee institute or
-order or agree to the institution of patent litigation against any
-entity (including a cross-claim or counterclaim in a lawsuit) alleging
-that this implementation of Go or any code incorporated within this
-implementation of Go constitutes direct or contributory patent
-infringement, or inducement of patent infringement, then any patent
-rights granted to you under this License for this implementation of Go
-shall terminate as of the date such litigation is filed.
diff --git a/vendor/golang.org/x/crypto/acme/acme.go b/vendor/golang.org/x/crypto/acme/acme.go
deleted file mode 100644
index a43c62f1d..000000000
--- a/vendor/golang.org/x/crypto/acme/acme.go
+++ /dev/null
@@ -1,822 +0,0 @@ -// Copyright 2015 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package acme provides an implementation of the -// Automatic Certificate Management Environment (ACME) spec, -// most famously used by Let's Encrypt. -// -// The initial implementation of this package was based on an early version -// of the spec. The current implementation supports only the modern -// RFC 8555 but some of the old API surface remains for compatibility. -// While code using the old API will still compile, it will return an error. -// Note the deprecation comments to update your code. -// -// See https://tools.ietf.org/html/rfc8555 for the spec. -// -// Most common scenarios will want to use autocert subdirectory instead, -// which provides automatic access to certificates from Let's Encrypt -// and any other ACME-based CA. -package acme - -import ( - "context" - "crypto" - "crypto/ecdsa" - "crypto/elliptic" - "crypto/rand" - "crypto/sha256" - "crypto/tls" - "crypto/x509" - "crypto/x509/pkix" - "encoding/asn1" - "encoding/base64" - "encoding/hex" - "encoding/json" - "encoding/pem" - "errors" - "fmt" - "math/big" - "net/http" - "strings" - "sync" - "time" -) - -const ( - // LetsEncryptURL is the Directory endpoint of Let's Encrypt CA. - LetsEncryptURL = "https://acme-v02.api.letsencrypt.org/directory" - - // ALPNProto is the ALPN protocol name used by a CA server when validating - // tls-alpn-01 challenges. - // - // Package users must ensure their servers can negotiate the ACME ALPN in - // order for tls-alpn-01 challenge verifications to succeed. - // See the crypto/tls package's Config.NextProtos field. - ALPNProto = "acme-tls/1" -) - -// idPeACMEIdentifier is the OID for the ACME extension for the TLS-ALPN challenge. 
-// https://tools.ietf.org/html/draft-ietf-acme-tls-alpn-05#section-5.1 -var idPeACMEIdentifier = asn1.ObjectIdentifier{1, 3, 6, 1, 5, 5, 7, 1, 31} - -const ( - maxChainLen = 5 // max depth and breadth of a certificate chain - maxCertSize = 1 << 20 // max size of a certificate, in DER bytes - // Used for decoding certs from application/pem-certificate-chain response, - // the default when in RFC mode. - maxCertChainSize = maxCertSize * maxChainLen - - // Max number of collected nonces kept in memory. - // Expect usual peak of 1 or 2. - maxNonces = 100 -) - -// Client is an ACME client. -// -// The only required field is Key. An example of creating a client with a new key -// is as follows: -// -// key, err := rsa.GenerateKey(rand.Reader, 2048) -// if err != nil { -// log.Fatal(err) -// } -// client := &Client{Key: key} -type Client struct { - // Key is the account key used to register with a CA and sign requests. - // Key.Public() must return a *rsa.PublicKey or *ecdsa.PublicKey. - // - // The following algorithms are supported: - // RS256, ES256, ES384 and ES512. - // See RFC 7518 for more details about the algorithms. - Key crypto.Signer - - // HTTPClient optionally specifies an HTTP client to use - // instead of http.DefaultClient. - HTTPClient *http.Client - - // DirectoryURL points to the CA directory endpoint. - // If empty, LetsEncryptURL is used. - // Mutating this value after a successful call of Client's Discover method - // will have no effect. - DirectoryURL string - - // RetryBackoff computes the duration after which the nth retry of a failed request - // should occur. The value of n for the first call on failure is 1. - // The values of r and resp are the request and response of the last failed attempt. - // If the returned value is negative or zero, no more retries are done and an error - // is returned to the caller of the original method. 
- // - // Requests which result in a 4xx client error are not retried, - // except for 400 Bad Request due to "bad nonce" errors and 429 Too Many Requests. - // - // If RetryBackoff is nil, a truncated exponential backoff algorithm - // with the ceiling of 10 seconds is used, where each subsequent retry n - // is done after either ("Retry-After" + jitter) or (2^n seconds + jitter), - // preferring the former if "Retry-After" header is found in the resp. - // The jitter is a random value up to 1 second. - RetryBackoff func(n int, r *http.Request, resp *http.Response) time.Duration - - // UserAgent is prepended to the User-Agent header sent to the ACME server, - // which by default is this package's name and version. - // - // Reusable libraries and tools in particular should set this value to be - // identifiable by the server, in case they are causing issues. - UserAgent string - - cacheMu sync.Mutex - dir *Directory // cached result of Client's Discover method - // KID is the key identifier provided by the CA. If not provided it will be - // retrieved from the CA by making a call to the registration endpoint. - KID KeyID - - noncesMu sync.Mutex - nonces map[string]struct{} // nonces collected from previous responses -} - -// accountKID returns a key ID associated with c.Key, the account identity -// provided by the CA during RFC based registration. -// It assumes c.Discover has already been called. -// -// accountKID requires at most one network roundtrip. -// It caches only successful result. -// -// When in pre-RFC mode or when c.getRegRFC responds with an error, accountKID -// returns noKeyID. 
-func (c *Client) accountKID(ctx context.Context) KeyID { - c.cacheMu.Lock() - defer c.cacheMu.Unlock() - if c.KID != noKeyID { - return c.KID - } - a, err := c.getRegRFC(ctx) - if err != nil { - return noKeyID - } - c.KID = KeyID(a.URI) - return c.KID -} - -var errPreRFC = errors.New("acme: server does not support the RFC 8555 version of ACME") - -// Discover performs ACME server discovery using c.DirectoryURL. -// -// It caches successful result. So, subsequent calls will not result in -// a network round-trip. This also means mutating c.DirectoryURL after successful call -// of this method will have no effect. -func (c *Client) Discover(ctx context.Context) (Directory, error) { - c.cacheMu.Lock() - defer c.cacheMu.Unlock() - if c.dir != nil { - return *c.dir, nil - } - - res, err := c.get(ctx, c.directoryURL(), wantStatus(http.StatusOK)) - if err != nil { - return Directory{}, err - } - defer res.Body.Close() - c.addNonce(res.Header) - - var v struct { - Reg string `json:"newAccount"` - Authz string `json:"newAuthz"` - Order string `json:"newOrder"` - Revoke string `json:"revokeCert"` - Nonce string `json:"newNonce"` - KeyChange string `json:"keyChange"` - Meta struct { - Terms string `json:"termsOfService"` - Website string `json:"website"` - CAA []string `json:"caaIdentities"` - ExternalAcct bool `json:"externalAccountRequired"` - } - } - if err := json.NewDecoder(res.Body).Decode(&v); err != nil { - return Directory{}, err - } - if v.Order == "" { - return Directory{}, errPreRFC - } - c.dir = &Directory{ - RegURL: v.Reg, - AuthzURL: v.Authz, - OrderURL: v.Order, - RevokeURL: v.Revoke, - NonceURL: v.Nonce, - KeyChangeURL: v.KeyChange, - Terms: v.Meta.Terms, - Website: v.Meta.Website, - CAA: v.Meta.CAA, - ExternalAccountRequired: v.Meta.ExternalAcct, - } - return *c.dir, nil -} - -func (c *Client) directoryURL() string { - if c.DirectoryURL != "" { - return c.DirectoryURL - } - return LetsEncryptURL -} - -// CreateCert was part of the old version of ACME. 
It is incompatible with RFC 8555. -// -// Deprecated: this was for the pre-RFC 8555 version of ACME. Callers should use CreateOrderCert. -func (c *Client) CreateCert(ctx context.Context, csr []byte, exp time.Duration, bundle bool) (der [][]byte, certURL string, err error) { - return nil, "", errPreRFC -} - -// FetchCert retrieves already issued certificate from the given url, in DER format. -// It retries the request until the certificate is successfully retrieved, -// context is cancelled by the caller or an error response is received. -// -// If the bundle argument is true, the returned value also contains the CA (issuer) -// certificate chain. -// -// FetchCert returns an error if the CA's response or chain was unreasonably large. -// Callers are encouraged to parse the returned value to ensure the certificate is valid -// and has expected features. -func (c *Client) FetchCert(ctx context.Context, url string, bundle bool) ([][]byte, error) { - if _, err := c.Discover(ctx); err != nil { - return nil, err - } - return c.fetchCertRFC(ctx, url, bundle) -} - -// RevokeCert revokes a previously issued certificate cert, provided in DER format. -// -// The key argument, used to sign the request, must be authorized -// to revoke the certificate. It's up to the CA to decide which keys are authorized. -// For instance, the key pair of the certificate may be authorized. -// If the key is nil, c.Key is used instead. -func (c *Client) RevokeCert(ctx context.Context, key crypto.Signer, cert []byte, reason CRLReasonCode) error { - if _, err := c.Discover(ctx); err != nil { - return err - } - return c.revokeCertRFC(ctx, key, cert, reason) -} - -// AcceptTOS always returns true to indicate the acceptance of a CA's Terms of Service -// during account registration. See Register method of Client for more details. -func AcceptTOS(tosURL string) bool { return true } - -// Register creates a new account with the CA using c.Key. -// It returns the registered account. 
The account acct is not modified. -// -// The registration may require the caller to agree to the CA's Terms of Service (TOS). -// If so, and the account has not indicated the acceptance of the terms (see Account for details), -// Register calls prompt with a TOS URL provided by the CA. Prompt should report -// whether the caller agrees to the terms. To always accept the terms, the caller can use AcceptTOS. -// -// When interfacing with an RFC-compliant CA, non-RFC 8555 fields of acct are ignored -// and prompt is called if Directory's Terms field is non-zero. -// Also see Error's Instance field for when a CA requires already registered accounts to agree -// to an updated Terms of Service. -func (c *Client) Register(ctx context.Context, acct *Account, prompt func(tosURL string) bool) (*Account, error) { - if c.Key == nil { - return nil, errors.New("acme: client.Key must be set to Register") - } - if _, err := c.Discover(ctx); err != nil { - return nil, err - } - return c.registerRFC(ctx, acct, prompt) -} - -// GetReg retrieves an existing account associated with c.Key. -// -// The url argument is a legacy artifact of the pre-RFC 8555 API -// and is ignored. -func (c *Client) GetReg(ctx context.Context, url string) (*Account, error) { - if _, err := c.Discover(ctx); err != nil { - return nil, err - } - return c.getRegRFC(ctx) -} - -// UpdateReg updates an existing registration. -// It returns an updated account copy. The provided account is not modified. -// -// The account's URI is ignored and the account URL associated with -// c.Key is used instead. -func (c *Client) UpdateReg(ctx context.Context, acct *Account) (*Account, error) { - if _, err := c.Discover(ctx); err != nil { - return nil, err - } - return c.updateRegRFC(ctx, acct) -} - -// AccountKeyRollover attempts to transition a client's account key to a new key. -// On success client's Key is updated which is not concurrency safe. -// On failure an error will be returned. 
-// The new key is already registered with the ACME provider if the following is true: -// - error is of type acme.Error -// - StatusCode should be 409 (Conflict) -// - Location header will have the KID of the associated account -// -// More about account key rollover can be found at -// https://tools.ietf.org/html/rfc8555#section-7.3.5. -func (c *Client) AccountKeyRollover(ctx context.Context, newKey crypto.Signer) error { - return c.accountKeyRollover(ctx, newKey) -} - -// Authorize performs the initial step in the pre-authorization flow, -// as opposed to order-based flow. -// The caller will then need to choose from and perform a set of returned -// challenges using c.Accept in order to successfully complete authorization. -// -// Once complete, the caller can use AuthorizeOrder which the CA -// should provision with the already satisfied authorization. -// For pre-RFC CAs, the caller can proceed directly to requesting a certificate -// using CreateCert method. -// -// If an authorization has been previously granted, the CA may return -// a valid authorization which has its Status field set to StatusValid. -// -// More about pre-authorization can be found at -// https://tools.ietf.org/html/rfc8555#section-7.4.1. -func (c *Client) Authorize(ctx context.Context, domain string) (*Authorization, error) { - return c.authorize(ctx, "dns", domain) -} - -// AuthorizeIP is the same as Authorize but requests IP address authorization. -// Clients which successfully obtain such authorization may request to issue -// a certificate for IP addresses. -// -// See the ACME spec extension for more details about IP address identifiers: -// https://tools.ietf.org/html/draft-ietf-acme-ip. 
-func (c *Client) AuthorizeIP(ctx context.Context, ipaddr string) (*Authorization, error) { - return c.authorize(ctx, "ip", ipaddr) -} - -func (c *Client) authorize(ctx context.Context, typ, val string) (*Authorization, error) { - if _, err := c.Discover(ctx); err != nil { - return nil, err - } - - type authzID struct { - Type string `json:"type"` - Value string `json:"value"` - } - req := struct { - Resource string `json:"resource"` - Identifier authzID `json:"identifier"` - }{ - Resource: "new-authz", - Identifier: authzID{Type: typ, Value: val}, - } - res, err := c.post(ctx, nil, c.dir.AuthzURL, req, wantStatus(http.StatusCreated)) - if err != nil { - return nil, err - } - defer res.Body.Close() - - var v wireAuthz - if err := json.NewDecoder(res.Body).Decode(&v); err != nil { - return nil, fmt.Errorf("acme: invalid response: %v", err) - } - if v.Status != StatusPending && v.Status != StatusValid { - return nil, fmt.Errorf("acme: unexpected status: %s", v.Status) - } - return v.authorization(res.Header.Get("Location")), nil -} - -// GetAuthorization retrieves an authorization identified by the given URL. -// -// If a caller needs to poll an authorization until its status is final, -// see the WaitAuthorization method. -func (c *Client) GetAuthorization(ctx context.Context, url string) (*Authorization, error) { - if _, err := c.Discover(ctx); err != nil { - return nil, err - } - - res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK)) - if err != nil { - return nil, err - } - defer res.Body.Close() - var v wireAuthz - if err := json.NewDecoder(res.Body).Decode(&v); err != nil { - return nil, fmt.Errorf("acme: invalid response: %v", err) - } - return v.authorization(url), nil -} - -// RevokeAuthorization relinquishes an existing authorization identified -// by the given URL. -// The url argument is an Authorization.URI value. 
-// -// If successful, the caller will be required to obtain a new authorization -// using the Authorize or AuthorizeOrder methods before being able to request -// a new certificate for the domain associated with the authorization. -// -// It does not revoke existing certificates. -func (c *Client) RevokeAuthorization(ctx context.Context, url string) error { - if _, err := c.Discover(ctx); err != nil { - return err - } - - req := struct { - Resource string `json:"resource"` - Status string `json:"status"` - Delete bool `json:"delete"` - }{ - Resource: "authz", - Status: "deactivated", - Delete: true, - } - res, err := c.post(ctx, nil, url, req, wantStatus(http.StatusOK)) - if err != nil { - return err - } - defer res.Body.Close() - return nil -} - -// WaitAuthorization polls an authorization at the given URL -// until it is in one of the final states, StatusValid or StatusInvalid, -// the ACME CA responded with a 4xx error code, or the context is done. -// -// It returns a non-nil Authorization only if its Status is StatusValid. -// In all other cases WaitAuthorization returns an error. -// If the Status is StatusInvalid, the returned error is of type *AuthorizationError. -func (c *Client) WaitAuthorization(ctx context.Context, url string) (*Authorization, error) { - if _, err := c.Discover(ctx); err != nil { - return nil, err - } - for { - res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK, http.StatusAccepted)) - if err != nil { - return nil, err - } - - var raw wireAuthz - err = json.NewDecoder(res.Body).Decode(&raw) - res.Body.Close() - switch { - case err != nil: - // Skip and retry. - case raw.Status == StatusValid: - return raw.authorization(url), nil - case raw.Status == StatusInvalid: - return nil, raw.error(url) - } - - // Exponential backoff is implemented in c.get above. - // This is just to prevent continuously hitting the CA - // while waiting for a final authorization status. 
- d := retryAfter(res.Header.Get("Retry-After")) - if d == 0 { - // Given that the fastest challenges TLS-SNI and HTTP-01 - // require a CA to make at least 1 network round trip - // and most likely persist a challenge state, - // this default delay seems reasonable. - d = time.Second - } - t := time.NewTimer(d) - select { - case <-ctx.Done(): - t.Stop() - return nil, ctx.Err() - case <-t.C: - // Retry. - } - } -} - -// GetChallenge retrieves the current status of an challenge. -// -// A client typically polls a challenge status using this method. -func (c *Client) GetChallenge(ctx context.Context, url string) (*Challenge, error) { - if _, err := c.Discover(ctx); err != nil { - return nil, err - } - - res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK, http.StatusAccepted)) - if err != nil { - return nil, err - } - - defer res.Body.Close() - v := wireChallenge{URI: url} - if err := json.NewDecoder(res.Body).Decode(&v); err != nil { - return nil, fmt.Errorf("acme: invalid response: %v", err) - } - return v.challenge(), nil -} - -// Accept informs the server that the client accepts one of its challenges -// previously obtained with c.Authorize. -// -// The server will then perform the validation asynchronously. 
-func (c *Client) Accept(ctx context.Context, chal *Challenge) (*Challenge, error) { - if _, err := c.Discover(ctx); err != nil { - return nil, err - } - - payload := json.RawMessage("{}") - if len(chal.Payload) != 0 { - payload = chal.Payload - } - res, err := c.post(ctx, nil, chal.URI, payload, wantStatus( - http.StatusOK, // according to the spec - http.StatusAccepted, // Let's Encrypt: see https://goo.gl/WsJ7VT (acme-divergences.md) - )) - if err != nil { - return nil, err - } - defer res.Body.Close() - - var v wireChallenge - if err := json.NewDecoder(res.Body).Decode(&v); err != nil { - return nil, fmt.Errorf("acme: invalid response: %v", err) - } - return v.challenge(), nil -} - -// DNS01ChallengeRecord returns a DNS record value for a dns-01 challenge response. -// A TXT record containing the returned value must be provisioned under -// "_acme-challenge" name of the domain being validated. -// -// The token argument is a Challenge.Token value. -func (c *Client) DNS01ChallengeRecord(token string) (string, error) { - ka, err := keyAuth(c.Key.Public(), token) - if err != nil { - return "", err - } - b := sha256.Sum256([]byte(ka)) - return base64.RawURLEncoding.EncodeToString(b[:]), nil -} - -// HTTP01ChallengeResponse returns the response for an http-01 challenge. -// Servers should respond with the value to HTTP requests at the URL path -// provided by HTTP01ChallengePath to validate the challenge and prove control -// over a domain name. -// -// The token argument is a Challenge.Token value. -func (c *Client) HTTP01ChallengeResponse(token string) (string, error) { - return keyAuth(c.Key.Public(), token) -} - -// HTTP01ChallengePath returns the URL path at which the response for an http-01 challenge -// should be provided by the servers. -// The response value can be obtained with HTTP01ChallengeResponse. -// -// The token argument is a Challenge.Token value. 
-func (c *Client) HTTP01ChallengePath(token string) string { - return "/.well-known/acme-challenge/" + token -} - -// TLSSNI01ChallengeCert creates a certificate for TLS-SNI-01 challenge response. -// -// Deprecated: This challenge type is unused in both draft-02 and RFC versions of the ACME spec. -func (c *Client) TLSSNI01ChallengeCert(token string, opt ...CertOption) (cert tls.Certificate, name string, err error) { - ka, err := keyAuth(c.Key.Public(), token) - if err != nil { - return tls.Certificate{}, "", err - } - b := sha256.Sum256([]byte(ka)) - h := hex.EncodeToString(b[:]) - name = fmt.Sprintf("%s.%s.acme.invalid", h[:32], h[32:]) - cert, err = tlsChallengeCert([]string{name}, opt) - if err != nil { - return tls.Certificate{}, "", err - } - return cert, name, nil -} - -// TLSSNI02ChallengeCert creates a certificate for TLS-SNI-02 challenge response. -// -// Deprecated: This challenge type is unused in both draft-02 and RFC versions of the ACME spec. -func (c *Client) TLSSNI02ChallengeCert(token string, opt ...CertOption) (cert tls.Certificate, name string, err error) { - b := sha256.Sum256([]byte(token)) - h := hex.EncodeToString(b[:]) - sanA := fmt.Sprintf("%s.%s.token.acme.invalid", h[:32], h[32:]) - - ka, err := keyAuth(c.Key.Public(), token) - if err != nil { - return tls.Certificate{}, "", err - } - b = sha256.Sum256([]byte(ka)) - h = hex.EncodeToString(b[:]) - sanB := fmt.Sprintf("%s.%s.ka.acme.invalid", h[:32], h[32:]) - - cert, err = tlsChallengeCert([]string{sanA, sanB}, opt) - if err != nil { - return tls.Certificate{}, "", err - } - return cert, sanA, nil -} - -// TLSALPN01ChallengeCert creates a certificate for TLS-ALPN-01 challenge response. -// Servers can present the certificate to validate the challenge and prove control -// over a domain name. For more details on TLS-ALPN-01 see -// https://tools.ietf.org/html/draft-shoemaker-acme-tls-alpn-00#section-3 -// -// The token argument is a Challenge.Token value. 
-// If a WithKey option is provided, its private part signs the returned cert, -// and the public part is used to specify the signee. -// If no WithKey option is provided, a new ECDSA key is generated using P-256 curve. -// -// The returned certificate is valid for the next 24 hours and must be presented only when -// the server name in the TLS ClientHello matches the domain, and the special acme-tls/1 ALPN protocol -// has been specified. -func (c *Client) TLSALPN01ChallengeCert(token, domain string, opt ...CertOption) (cert tls.Certificate, err error) { - ka, err := keyAuth(c.Key.Public(), token) - if err != nil { - return tls.Certificate{}, err - } - shasum := sha256.Sum256([]byte(ka)) - extValue, err := asn1.Marshal(shasum[:]) - if err != nil { - return tls.Certificate{}, err - } - acmeExtension := pkix.Extension{ - Id: idPeACMEIdentifier, - Critical: true, - Value: extValue, - } - - tmpl := defaultTLSChallengeCertTemplate() - - var newOpt []CertOption - for _, o := range opt { - switch o := o.(type) { - case *certOptTemplate: - t := *(*x509.Certificate)(o) // shallow copy is ok - tmpl = &t - default: - newOpt = append(newOpt, o) - } - } - tmpl.ExtraExtensions = append(tmpl.ExtraExtensions, acmeExtension) - newOpt = append(newOpt, WithTemplate(tmpl)) - return tlsChallengeCert([]string{domain}, newOpt) -} - -// popNonce returns a nonce value previously stored with c.addNonce -// or fetches a fresh one from c.dir.NonceURL. -// If NonceURL is empty, it first tries c.directoryURL() and, failing that, -// the provided url. 
-func (c *Client) popNonce(ctx context.Context, url string) (string, error) { - c.noncesMu.Lock() - defer c.noncesMu.Unlock() - if len(c.nonces) == 0 { - if c.dir != nil && c.dir.NonceURL != "" { - return c.fetchNonce(ctx, c.dir.NonceURL) - } - dirURL := c.directoryURL() - v, err := c.fetchNonce(ctx, dirURL) - if err != nil && url != dirURL { - v, err = c.fetchNonce(ctx, url) - } - return v, err - } - var nonce string - for nonce = range c.nonces { - delete(c.nonces, nonce) - break - } - return nonce, nil -} - -// clearNonces clears any stored nonces -func (c *Client) clearNonces() { - c.noncesMu.Lock() - defer c.noncesMu.Unlock() - c.nonces = make(map[string]struct{}) -} - -// addNonce stores a nonce value found in h (if any) for future use. -func (c *Client) addNonce(h http.Header) { - v := nonceFromHeader(h) - if v == "" { - return - } - c.noncesMu.Lock() - defer c.noncesMu.Unlock() - if len(c.nonces) >= maxNonces { - return - } - if c.nonces == nil { - c.nonces = make(map[string]struct{}) - } - c.nonces[v] = struct{}{} -} - -func (c *Client) fetchNonce(ctx context.Context, url string) (string, error) { - r, err := http.NewRequest("HEAD", url, nil) - if err != nil { - return "", err - } - resp, err := c.doNoRetry(ctx, r) - if err != nil { - return "", err - } - defer resp.Body.Close() - nonce := nonceFromHeader(resp.Header) - if nonce == "" { - if resp.StatusCode > 299 { - return "", responseError(resp) - } - return "", errors.New("acme: nonce not found") - } - return nonce, nil -} - -func nonceFromHeader(h http.Header) string { - return h.Get("Replay-Nonce") -} - -// linkHeader returns URI-Reference values of all Link headers -// with relation-type rel. -// See https://tools.ietf.org/html/rfc5988#section-5 for details. 
-func linkHeader(h http.Header, rel string) []string { - var links []string - for _, v := range h["Link"] { - parts := strings.Split(v, ";") - for _, p := range parts { - p = strings.TrimSpace(p) - if !strings.HasPrefix(p, "rel=") { - continue - } - if v := strings.Trim(p[4:], `"`); v == rel { - links = append(links, strings.Trim(parts[0], "<>")) - } - } - } - return links -} - -// keyAuth generates a key authorization string for a given token. -func keyAuth(pub crypto.PublicKey, token string) (string, error) { - th, err := JWKThumbprint(pub) - if err != nil { - return "", err - } - return fmt.Sprintf("%s.%s", token, th), nil -} - -// defaultTLSChallengeCertTemplate is a template used to create challenge certs for TLS challenges. -func defaultTLSChallengeCertTemplate() *x509.Certificate { - return &x509.Certificate{ - SerialNumber: big.NewInt(1), - NotBefore: time.Now(), - NotAfter: time.Now().Add(24 * time.Hour), - BasicConstraintsValid: true, - KeyUsage: x509.KeyUsageKeyEncipherment | x509.KeyUsageDigitalSignature, - ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}, - } -} - -// tlsChallengeCert creates a temporary certificate for TLS-SNI challenges -// with the given SANs and auto-generated public/private key pair. -// The Subject Common Name is set to the first SAN to aid debugging. -// To create a cert with a custom key pair, specify WithKey option. 
-func tlsChallengeCert(san []string, opt []CertOption) (tls.Certificate, error) { - var key crypto.Signer - tmpl := defaultTLSChallengeCertTemplate() - for _, o := range opt { - switch o := o.(type) { - case *certOptKey: - if key != nil { - return tls.Certificate{}, errors.New("acme: duplicate key option") - } - key = o.key - case *certOptTemplate: - t := *(*x509.Certificate)(o) // shallow copy is ok - tmpl = &t - default: - // package's fault, if we let this happen: - panic(fmt.Sprintf("unsupported option type %T", o)) - } - } - if key == nil { - var err error - if key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil { - return tls.Certificate{}, err - } - } - tmpl.DNSNames = san - if len(san) > 0 { - tmpl.Subject.CommonName = san[0] - } - - der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, key.Public(), key) - if err != nil { - return tls.Certificate{}, err - } - return tls.Certificate{ - Certificate: [][]byte{der}, - PrivateKey: key, - }, nil -} - -// encodePEM returns b encoded as PEM with block of type typ. -func encodePEM(typ string, b []byte) []byte { - pb := &pem.Block{Type: typ, Bytes: b} - return pem.EncodeToMemory(pb) -} - -// timeNow is time.Now, except in tests which can mess with it. -var timeNow = time.Now diff --git a/vendor/golang.org/x/crypto/acme/autocert/autocert.go b/vendor/golang.org/x/crypto/acme/autocert/autocert.go deleted file mode 100644 index 6b4cdf406..000000000 --- a/vendor/golang.org/x/crypto/acme/autocert/autocert.go +++ /dev/null 
@@ -1,1198 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package autocert provides automatic access to certificates from Let's Encrypt
-// and any other ACME-based CA.
-//
-// This package is a work in progress and makes no API stability promises.
-package autocert
-
-import (
- "bytes"
- "context"
- "crypto"
- "crypto/ecdsa"
- "crypto/elliptic"
- "crypto/rand"
- "crypto/rsa"
- "crypto/tls"
- "crypto/x509"
- "crypto/x509/pkix"
- "encoding/pem"
- "errors"
- "fmt"
- "io"
- mathrand "math/rand"
- "net"
- "net/http"
- "path"
- "strings"
- "sync"
- "time"
-
- "golang.org/x/crypto/acme"
- "golang.org/x/net/idna"
-)
-
-// DefaultACMEDirectory is the default ACME Directory URL used when the Manager's Client is nil.
-const DefaultACMEDirectory = "https://acme-v02.api.letsencrypt.org/directory"
-
-// createCertRetryAfter is how much time to wait before removing a failed state
-// entry due to an unsuccessful createCert call.
-// This is a variable instead of a const for testing.
-// TODO: Consider making it configurable or an exp backoff?
-var createCertRetryAfter = time.Minute
-
-// pseudoRand is safe for concurrent use.
-var pseudoRand *lockedMathRand
-
-var errPreRFC = errors.New("autocert: ACME server doesn't support RFC 8555")
-
-func init() {
- src := mathrand.NewSource(time.Now().UnixNano())
- pseudoRand = &lockedMathRand{rnd: mathrand.New(src)}
-}
-
-// AcceptTOS is a Manager.Prompt function that always returns true to
-// indicate acceptance of the CA's Terms of Service during account
-// registration.
-func AcceptTOS(tosURL string) bool { return true }
-
-// HostPolicy specifies which host names the Manager is allowed to respond to.
-// It returns a non-nil error if the host should be rejected.
-// The returned error is accessible via tls.Conn.Handshake and its callers.
-// See Manager's HostPolicy field and GetCertificate method docs for more details.
-type HostPolicy func(ctx context.Context, host string) error
-
-// HostWhitelist returns a policy where only the specified host names are allowed.
-// Only exact matches are currently supported. Subdomains, regexp or wildcard
-// will not match.
-//
-// Note that all hosts will be converted to Punycode via idna.Lookup.ToASCII so that
-// Manager.GetCertificate can handle the Unicode IDN and mixedcase hosts correctly.
-// Invalid hosts will be silently ignored.
-func HostWhitelist(hosts ...string) HostPolicy {
- whitelist := make(map[string]bool, len(hosts))
- for _, h := range hosts {
- if h, err := idna.Lookup.ToASCII(h); err == nil {
- whitelist[h] = true
- }
- }
- return func(_ context.Context, host string) error {
- if !whitelist[host] {
- return fmt.Errorf("acme/autocert: host %q not configured in HostWhitelist", host)
- }
- return nil
- }
-}
-
-// defaultHostPolicy is used when Manager.HostPolicy is not set.
-func defaultHostPolicy(context.Context, string) error {
- return nil
-}
-
-// Manager is a stateful certificate manager built on top of acme.Client.
-// It obtains and refreshes certificates automatically using "tls-alpn-01"
-// or "http-01" challenge types, as well as providing them to a TLS server
-// via tls.Config.
-//
-// You must specify a cache implementation, such as DirCache,
-// to reuse obtained certificates across program restarts.
-// Otherwise your server is very likely to exceed the certificate
-// issuer's request rate limits.
-type Manager struct {
- // Prompt specifies a callback function to conditionally accept a CA's Terms of Service (TOS).
- // The registration may require the caller to agree to the CA's TOS.
- // If so, Manager calls Prompt with a TOS URL provided by the CA. Prompt should report
- // whether the caller agrees to the terms.
- //
- // To always accept the terms, the callers can use AcceptTOS.
- Prompt func(tosURL string) bool
-
- // Cache optionally stores and retrieves previously-obtained certificates
- // and other state. If nil, certs will only be cached for the lifetime of
- // the Manager. Multiple Managers can share the same Cache.
- //
- // Using a persistent Cache, such as DirCache, is strongly recommended.
- Cache Cache
-
- // HostPolicy controls which domains the Manager will attempt
- // to retrieve new certificates for. It does not affect cached certs.
- //
- // If non-nil, HostPolicy is called before requesting a new cert.
- // If nil, all hosts are currently allowed. This is not recommended,
- // as it opens a potential attack where clients connect to a server
- // by IP address and pretend to be asking for an incorrect host name.
- // Manager will attempt to obtain a certificate for that host, incorrectly,
- // eventually reaching the CA's rate limit for certificate requests
- // and making it impossible to obtain actual certificates.
- //
- // See GetCertificate for more details.
- HostPolicy HostPolicy
-
- // RenewBefore optionally specifies how early certificates should
- // be renewed before they expire.
- //
- // If zero, they're renewed 30 days before expiration.
- RenewBefore time.Duration
-
- // Client is used to perform low-level operations, such as account registration
- // and requesting new certificates.
- //
- // If Client is nil, a zero-value acme.Client is used with DefaultACMEDirectory
- // as the directory endpoint.
- // If the Client.Key is nil, a new ECDSA P-256 key is generated and,
- // if Cache is not nil, stored in cache.
- //
- // Mutating the field after the first call of GetCertificate method will have no effect.
- Client *acme.Client
-
- // Email optionally specifies a contact email address.
- // This is used by CAs, such as Let's Encrypt, to notify about problems
- // with issued certificates.
- //
- // If the Client's account key is already registered, Email is not used.
- Email string
-
- // ForceRSA used to make the Manager generate RSA certificates. It is now ignored.
- //
- // Deprecated: the Manager will request the correct type of certificate based
- // on what each client supports.
- ForceRSA bool
-
- // ExtraExtensions are used when generating a new CSR (Certificate Request),
- // thus allowing customization of the resulting certificate.
- // For instance, TLS Feature Extension (RFC 7633) can be used
- // to prevent an OCSP downgrade attack.
- //
- // The field value is passed to crypto/x509.CreateCertificateRequest
- // in the template's ExtraExtensions field as is.
- ExtraExtensions []pkix.Extension
-
- // ExternalAccountBinding optionally represents an arbitrary binding to an
- // account of the CA to which the ACME server is tied.
- // See RFC 8555, Section 7.3.4 for more details.
- ExternalAccountBinding *acme.ExternalAccountBinding
-
- clientMu sync.Mutex
- client *acme.Client // initialized by acmeClient method
-
- stateMu sync.Mutex
- state map[certKey]*certState
-
- // renewal tracks the set of domains currently running renewal timers.
- renewalMu sync.Mutex
- renewal map[certKey]*domainRenewal
-
- // challengeMu guards tryHTTP01, certTokens and httpTokens.
- challengeMu sync.RWMutex
- // tryHTTP01 indicates whether the Manager should try "http-01" challenge type
- // during the authorization flow.
- tryHTTP01 bool
- // httpTokens contains response body values for http-01 challenges
- // and is keyed by the URL path at which a challenge response is expected
- // to be provisioned.
- // The entries are stored for the duration of the authorization flow.
- httpTokens map[string][]byte
- // certTokens contains temporary certificates for tls-alpn-01 challenges
- // and is keyed by the domain name which matches the ClientHello server name.
- // The entries are stored for the duration of the authorization flow.
- certTokens map[string]*tls.Certificate
-
- // nowFunc, if not nil, returns the current time.
This may be set for
- // testing purposes.
- nowFunc func() time.Time
-}
-
-// certKey is the key by which certificates are tracked in state, renewal and cache.
-type certKey struct {
- domain string // without trailing dot
- isRSA bool // RSA cert for legacy clients (as opposed to default ECDSA)
- isToken bool // tls-based challenge token cert; key type is undefined regardless of isRSA
-}
-
-func (c certKey) String() string {
- if c.isToken {
- return c.domain + "+token"
- }
- if c.isRSA {
- return c.domain + "+rsa"
- }
- return c.domain
-}
-
-// TLSConfig creates a new TLS config suitable for net/http.Server servers,
-// supporting HTTP/2 and the tls-alpn-01 ACME challenge type.
-func (m *Manager) TLSConfig() *tls.Config {
- return &tls.Config{
- GetCertificate: m.GetCertificate,
- NextProtos: []string{
- "h2", "http/1.1", // enable HTTP/2
- acme.ALPNProto, // enable tls-alpn ACME challenges
- },
- }
-}
-
-// GetCertificate implements the tls.Config.GetCertificate hook.
-// It provides a TLS certificate for hello.ServerName host, including answering
-// tls-alpn-01 challenges.
-// All other fields of hello are ignored.
-//
-// If m.HostPolicy is non-nil, GetCertificate calls the policy before requesting
-// a new cert. A non-nil error returned from m.HostPolicy halts TLS negotiation.
-// The error is propagated back to the caller of GetCertificate and is user-visible.
-// This does not affect cached certs. See HostPolicy field description for more details.
-//
-// If GetCertificate is used directly, instead of via Manager.TLSConfig, package users will
-// also have to add acme.ALPNProto to NextProtos for tls-alpn-01, or use HTTPHandler for http-01.
-func (m *Manager) GetCertificate(hello *tls.ClientHelloInfo) (*tls.Certificate, error) {
- if m.Prompt == nil {
- return nil, errors.New("acme/autocert: Manager.Prompt not set")
- }
-
- name := hello.ServerName
- if name == "" {
- return nil, errors.New("acme/autocert: missing server name")
- }
- if !strings.Contains(strings.Trim(name, "."), ".") {
- return nil, errors.New("acme/autocert: server name component count invalid")
- }
-
- // Note that this conversion is necessary because some server names in the handshakes
- // started by some clients (such as cURL) are not converted to Punycode, which will
- // prevent us from obtaining certificates for them. In addition, we should also treat
- // example.com and EXAMPLE.COM as equivalent and return the same certificate for them.
- // Fortunately, this conversion also helped us deal with this kind of mixedcase problems.
- //
- // Due to the "σςΣ" problem (see https://unicode.org/faq/idn.html#22), we can't use
- // idna.Punycode.ToASCII (or just idna.ToASCII) here.
- name, err := idna.Lookup.ToASCII(name)
- if err != nil {
- return nil, errors.New("acme/autocert: server name contains invalid character")
- }
-
- // In the worst-case scenario, the timeout needs to account for caching, host policy,
- // domain ownership verification and certificate issuance.
- ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
- defer cancel()
-
- // Check whether this is a token cert requested for TLS-ALPN challenge.
- if wantsTokenCert(hello) {
- m.challengeMu.RLock()
- defer m.challengeMu.RUnlock()
- if cert := m.certTokens[name]; cert != nil {
- return cert, nil
- }
- if cert, err := m.cacheGet(ctx, certKey{domain: name, isToken: true}); err == nil {
- return cert, nil
- }
- // TODO: cache error results?
- return nil, fmt.Errorf("acme/autocert: no token cert for %q", name)
- }
-
- // regular domain
- ck := certKey{
- domain: strings.TrimSuffix(name, "."), // golang.org/issue/18114
- isRSA: !supportsECDSA(hello),
- }
- cert, err := m.cert(ctx, ck)
- if err == nil {
- return cert, nil
- }
- if err != ErrCacheMiss {
- return nil, err
- }
-
- // first-time
- if err := m.hostPolicy()(ctx, name); err != nil {
- return nil, err
- }
- cert, err = m.createCert(ctx, ck)
- if err != nil {
- return nil, err
- }
- m.cachePut(ctx, ck, cert)
- return cert, nil
-}
-
-// wantsTokenCert reports whether a TLS request with SNI is made by a CA server
-// for a challenge verification.
-func wantsTokenCert(hello *tls.ClientHelloInfo) bool {
- // tls-alpn-01
- if len(hello.SupportedProtos) == 1 && hello.SupportedProtos[0] == acme.ALPNProto {
- return true
- }
- return false
-}
-
-func supportsECDSA(hello *tls.ClientHelloInfo) bool {
- // The "signature_algorithms" extension, if present, limits the key exchange
- // algorithms allowed by the cipher suites. See RFC 5246, section 7.4.1.4.1.
- if hello.SignatureSchemes != nil {
- ecdsaOK := false
- schemeLoop:
- for _, scheme := range hello.SignatureSchemes {
- const tlsECDSAWithSHA1 tls.SignatureScheme = 0x0203 // constant added in Go 1.10
- switch scheme {
- case tlsECDSAWithSHA1, tls.ECDSAWithP256AndSHA256,
- tls.ECDSAWithP384AndSHA384, tls.ECDSAWithP521AndSHA512:
- ecdsaOK = true
- break schemeLoop
- }
- }
- if !ecdsaOK {
- return false
- }
- }
- if hello.SupportedCurves != nil {
- ecdsaOK := false
- for _, curve := range hello.SupportedCurves {
- if curve == tls.CurveP256 {
- ecdsaOK = true
- break
- }
- }
- if !ecdsaOK {
- return false
- }
- }
- for _, suite := range hello.CipherSuites {
- switch suite {
- case tls.TLS_ECDHE_ECDSA_WITH_RC4_128_SHA,
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA,
- tls.TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA,
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256,
- tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
- tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
- tls.TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305:
- return true
- }
- }
- return false
-}
-
-// HTTPHandler configures the Manager to provision ACME "http-01" challenge responses.
-// It returns an http.Handler that responds to the challenges and must be
-// running on port 80. If it receives a request that is not an ACME challenge,
-// it delegates the request to the optional fallback handler.
-//
-// If fallback is nil, the returned handler redirects all GET and HEAD requests
-// to the default TLS port 443 with 302 Found status code, preserving the original
-// request path and query. It responds with 400 Bad Request to all other HTTP methods.
-// The fallback is not protected by the optional HostPolicy.
-//
-// Because the fallback handler is run with unencrypted port 80 requests,
-// the fallback should not serve TLS-only requests.
-//
-// If HTTPHandler is never called, the Manager will only use the "tls-alpn-01"
-// challenge for domain verification.
-func (m *Manager) HTTPHandler(fallback http.Handler) http.Handler {
- m.challengeMu.Lock()
- defer m.challengeMu.Unlock()
- m.tryHTTP01 = true
-
- if fallback == nil {
- fallback = http.HandlerFunc(handleHTTPRedirect)
- }
- return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
- if !strings.HasPrefix(r.URL.Path, "/.well-known/acme-challenge/") {
- fallback.ServeHTTP(w, r)
- return
- }
- // A reasonable context timeout for cache and host policy only,
- // because we don't wait for a new certificate issuance here.
- ctx, cancel := context.WithTimeout(r.Context(), time.Minute)
- defer cancel()
- if err := m.hostPolicy()(ctx, r.Host); err != nil {
- http.Error(w, err.Error(), http.StatusForbidden)
- return
- }
- data, err := m.httpToken(ctx, r.URL.Path)
- if err != nil {
- http.Error(w, err.Error(), http.StatusNotFound)
- return
- }
- w.Write(data)
- })
-}
-
-func handleHTTPRedirect(w http.ResponseWriter, r *http.Request) {
- if r.Method != "GET" && r.Method != "HEAD" {
- http.Error(w, "Use HTTPS", http.StatusBadRequest)
- return
- }
- target := "https://" + stripPort(r.Host) + r.URL.RequestURI()
- http.Redirect(w, r, target, http.StatusFound)
-}
-
-func stripPort(hostport string) string {
- host, _, err := net.SplitHostPort(hostport)
- if err != nil {
- return hostport
- }
- return net.JoinHostPort(host, "443")
-}
-
-// cert returns an existing certificate either from m.state or cache.
-// If a certificate is found in cache but not in m.state, the latter will be filled
-// with the cached value.
-func (m *Manager) cert(ctx context.Context, ck certKey) (*tls.Certificate, error) {
- m.stateMu.Lock()
- if s, ok := m.state[ck]; ok {
- m.stateMu.Unlock()
- s.RLock()
- defer s.RUnlock()
- return s.tlscert()
- }
- defer m.stateMu.Unlock()
- cert, err := m.cacheGet(ctx, ck)
- if err != nil {
- return nil, err
- }
- signer, ok := cert.PrivateKey.(crypto.Signer)
- if !ok {
- return nil, errors.New("acme/autocert: private key cannot sign")
- }
- if m.state == nil {
- m.state = make(map[certKey]*certState)
- }
- s := &certState{
- key: signer,
- cert: cert.Certificate,
- leaf: cert.Leaf,
- }
- m.state[ck] = s
- m.startRenew(ck, s.key, s.leaf.NotAfter)
- return cert, nil
-}
-
-// cacheGet always returns a valid certificate, or an error otherwise.
-// If a cached certificate exists but is not valid, ErrCacheMiss is returned.
-func (m *Manager) cacheGet(ctx context.Context, ck certKey) (*tls.Certificate, error) {
- if m.Cache == nil {
- return nil, ErrCacheMiss
- }
- data, err := m.Cache.Get(ctx, ck.String())
- if err != nil {
- return nil, err
- }
-
- // private
- priv, pub := pem.Decode(data)
- if priv == nil || !strings.Contains(priv.Type, "PRIVATE") {
- return nil, ErrCacheMiss
- }
- privKey, err := parsePrivateKey(priv.Bytes)
- if err != nil {
- return nil, err
- }
-
- // public
- var pubDER [][]byte
- for len(pub) > 0 {
- var b *pem.Block
- b, pub = pem.Decode(pub)
- if b == nil {
- break
- }
- pubDER = append(pubDER, b.Bytes)
- }
- if len(pub) > 0 {
- // Leftover content not consumed by pem.Decode. Corrupt. Ignore.
- return nil, ErrCacheMiss
- }
-
- // verify and create TLS cert
- leaf, err := validCert(ck, pubDER, privKey, m.now())
- if err != nil {
- return nil, ErrCacheMiss
- }
- tlscert := &tls.Certificate{
- Certificate: pubDER,
- PrivateKey: privKey,
- Leaf: leaf,
- }
- return tlscert, nil
-}
-
-func (m *Manager) cachePut(ctx context.Context, ck certKey, tlscert *tls.Certificate) error {
- if m.Cache == nil {
- return nil
- }
-
- // contains PEM-encoded data
- var buf bytes.Buffer
-
- // private
- switch key := tlscert.PrivateKey.(type) {
- case *ecdsa.PrivateKey:
- if err := encodeECDSAKey(&buf, key); err != nil {
- return err
- }
- case *rsa.PrivateKey:
- b := x509.MarshalPKCS1PrivateKey(key)
- pb := &pem.Block{Type: "RSA PRIVATE KEY", Bytes: b}
- if err := pem.Encode(&buf, pb); err != nil {
- return err
- }
- default:
- return errors.New("acme/autocert: unknown private key type")
- }
-
- // public
- for _, b := range tlscert.Certificate {
- pb := &pem.Block{Type: "CERTIFICATE", Bytes: b}
- if err := pem.Encode(&buf, pb); err != nil {
- return err
- }
- }
-
- return m.Cache.Put(ctx, ck.String(), buf.Bytes())
-}
-
-func encodeECDSAKey(w io.Writer, key *ecdsa.PrivateKey) error {
- b, err := x509.MarshalECPrivateKey(key)
- if err != nil {
- return err
- }
- pb := &pem.Block{Type: "EC PRIVATE KEY", Bytes: b}
- return pem.Encode(w, pb)
-}
-
-// createCert starts the domain ownership verification and returns a certificate
-// for that domain upon success.
-//
-// If the domain is already being verified, it waits for the existing verification to complete.
-// Either way, createCert blocks for the duration of the whole process.
-func (m *Manager) createCert(ctx context.Context, ck certKey) (*tls.Certificate, error) {
- // TODO: maybe rewrite this whole piece using sync.Once
- state, err := m.certState(ck)
- if err != nil {
- return nil, err
- }
- // state may exist if another goroutine is already working on it
- // in which case just wait for it to finish
- if !state.locked {
- state.RLock()
- defer state.RUnlock()
- return state.tlscert()
- }
-
- // We are the first; state is locked.
- // Unblock the readers when domain ownership is verified
- // and we got the cert or the process failed.
- defer state.Unlock()
- state.locked = false
-
- der, leaf, err := m.authorizedCert(ctx, state.key, ck)
- if err != nil {
- // Remove the failed state after some time,
- // making the manager call createCert again on the following TLS hello.
- didRemove := testDidRemoveState // The lifetime of this timer is untracked, so copy mutable local state to avoid races.
- time.AfterFunc(createCertRetryAfter, func() {
- defer didRemove(ck)
- m.stateMu.Lock()
- defer m.stateMu.Unlock()
- // Verify the state hasn't changed and it's still invalid
- // before deleting.
- s, ok := m.state[ck]
- if !ok {
- return
- }
- if _, err := validCert(ck, s.cert, s.key, m.now()); err == nil {
- return
- }
- delete(m.state, ck)
- })
- return nil, err
- }
- state.cert = der
- state.leaf = leaf
- m.startRenew(ck, state.key, state.leaf.NotAfter)
- return state.tlscert()
-}
-
-// certState returns a new or existing certState.
-// If a new certState is returned, state.exist is false and the state is locked.
-// The returned error is non-nil only in the case where a new state could not be created.
-func (m *Manager) certState(ck certKey) (*certState, error) {
- m.stateMu.Lock()
- defer m.stateMu.Unlock()
- if m.state == nil {
- m.state = make(map[certKey]*certState)
- }
- // existing state
- if state, ok := m.state[ck]; ok {
- return state, nil
- }
-
- // new locked state
- var (
- err error
- key crypto.Signer
- )
- if ck.isRSA {
- key, err = rsa.GenerateKey(rand.Reader, 2048)
- } else {
- key, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
- }
- if err != nil {
- return nil, err
- }
-
- state := &certState{
- key: key,
- locked: true,
- }
- state.Lock() // will be unlocked by m.certState caller
- m.state[ck] = state
- return state, nil
-}
-
-// authorizedCert starts the domain ownership verification process and requests a new cert upon success.
-// The key argument is the certificate private key.
-func (m *Manager) authorizedCert(ctx context.Context, key crypto.Signer, ck certKey) (der [][]byte, leaf *x509.Certificate, err error) {
- csr, err := certRequest(key, ck.domain, m.ExtraExtensions)
- if err != nil {
- return nil, nil, err
- }
-
- client, err := m.acmeClient(ctx)
- if err != nil {
- return nil, nil, err
- }
- dir, err := client.Discover(ctx)
- if err != nil {
- return nil, nil, err
- }
- if dir.OrderURL == "" {
- return nil, nil, errPreRFC
- }
-
- o, err := m.verifyRFC(ctx, client, ck.domain)
- if err != nil {
- return nil, nil, err
- }
- chain, _, err := client.CreateOrderCert(ctx, o.FinalizeURL, csr, true)
- if err != nil {
- return nil, nil, err
- }
-
- leaf, err = validCert(ck, chain, key, m.now())
- if err != nil {
- return nil, nil, err
- }
- return chain, leaf, nil
-}
-
-// verifyRFC runs the identifier (domain) order-based authorization flow for RFC compliant CAs
-// using each applicable ACME challenge type.
-func (m *Manager) verifyRFC(ctx context.Context, client *acme.Client, domain string) (*acme.Order, error) {
- // Try each supported challenge type starting with a new order each time.
- // The nextTyp index of the next challenge type to try is shared across
- // all order authorizations: if we've tried a challenge type once and it didn't work,
- // it will most likely not work on another order's authorization either.
- challengeTypes := m.supportedChallengeTypes()
- nextTyp := 0 // challengeTypes index
-AuthorizeOrderLoop:
- for {
- o, err := client.AuthorizeOrder(ctx, acme.DomainIDs(domain))
- if err != nil {
- return nil, err
- }
- // Remove all hanging authorizations to reduce rate limit quotas
- // after we're done.
- defer func(urls []string) {
- go m.deactivatePendingAuthz(urls)
- }(o.AuthzURLs)
-
- // Check if there's actually anything we need to do.
- switch o.Status {
- case acme.StatusReady:
- // Already authorized.
- return o, nil
- case acme.StatusPending:
- // Continue normal Order-based flow.
- default:
- return nil, fmt.Errorf("acme/autocert: invalid new order status %q; order URL: %q", o.Status, o.URI)
- }
-
- // Satisfy all pending authorizations.
- for _, zurl := range o.AuthzURLs {
- z, err := client.GetAuthorization(ctx, zurl)
- if err != nil {
- return nil, err
- }
- if z.Status != acme.StatusPending {
- // We are interested only in pending authorizations.
- continue
- }
- // Pick the next preferred challenge.
- var chal *acme.Challenge
- for chal == nil && nextTyp < len(challengeTypes) {
- chal = pickChallenge(challengeTypes[nextTyp], z.Challenges)
- nextTyp++
- }
- if chal == nil {
- return nil, fmt.Errorf("acme/autocert: unable to satisfy %q for domain %q: no viable challenge type found", z.URI, domain)
- }
- // Respond to the challenge and wait for validation result.
- cleanup, err := m.fulfill(ctx, client, chal, domain)
- if err != nil {
- continue AuthorizeOrderLoop
- }
- defer cleanup()
- if _, err := client.Accept(ctx, chal); err != nil {
- continue AuthorizeOrderLoop
- }
- if _, err := client.WaitAuthorization(ctx, z.URI); err != nil {
- continue AuthorizeOrderLoop
- }
- }
-
- // All authorizations are satisfied.
- // Wait for the CA to update the order status.
- o, err = client.WaitOrder(ctx, o.URI)
- if err != nil {
- continue AuthorizeOrderLoop
- }
- return o, nil
- }
-}
-
-func pickChallenge(typ string, chal []*acme.Challenge) *acme.Challenge {
- for _, c := range chal {
- if c.Type == typ {
- return c
- }
- }
- return nil
-}
-
-func (m *Manager) supportedChallengeTypes() []string {
- m.challengeMu.RLock()
- defer m.challengeMu.RUnlock()
- typ := []string{"tls-alpn-01"}
- if m.tryHTTP01 {
- typ = append(typ, "http-01")
- }
- return typ
-}
-
-// deactivatePendingAuthz relinquishes all authorizations identified by the elements
-// of the provided uri slice which are in "pending" state.
-// It ignores revocation errors.
-//
-// deactivatePendingAuthz takes no context argument and instead runs with its own
-// "detached" context because deactivations are done in a goroutine separate from
-// that of the main issuance or renewal flow.
-func (m *Manager) deactivatePendingAuthz(uri []string) {
- ctx, cancel := context.WithTimeout(context.Background(), 5*time.Minute)
- defer cancel()
- client, err := m.acmeClient(ctx)
- if err != nil {
- return
- }
- for _, u := range uri {
- z, err := client.GetAuthorization(ctx, u)
- if err == nil && z.Status == acme.StatusPending {
- client.RevokeAuthorization(ctx, u)
- }
- }
-}
-
-// fulfill provisions a response to the challenge chal.
-// The cleanup is non-nil only if provisioning succeeded.
-func (m *Manager) fulfill(ctx context.Context, client *acme.Client, chal *acme.Challenge, domain string) (cleanup func(), err error) {
- switch chal.Type {
- case "tls-alpn-01":
- cert, err := client.TLSALPN01ChallengeCert(chal.Token, domain)
- if err != nil {
- return nil, err
- }
- m.putCertToken(ctx, domain, &cert)
- return func() { go m.deleteCertToken(domain) }, nil
- case "http-01":
- resp, err := client.HTTP01ChallengeResponse(chal.Token)
- if err != nil {
- return nil, err
- }
- p := client.HTTP01ChallengePath(chal.Token)
- m.putHTTPToken(ctx, p, resp)
- return func() { go m.deleteHTTPToken(p) }, nil
- }
- return nil, fmt.Errorf("acme/autocert: unknown challenge type %q", chal.Type)
-}
-
-// putCertToken stores the token certificate with the specified name
-// in both m.certTokens map and m.Cache.
-func (m *Manager) putCertToken(ctx context.Context, name string, cert *tls.Certificate) {
- m.challengeMu.Lock()
- defer m.challengeMu.Unlock()
- if m.certTokens == nil {
- m.certTokens = make(map[string]*tls.Certificate)
- }
- m.certTokens[name] = cert
- m.cachePut(ctx, certKey{domain: name, isToken: true}, cert)
-}
-
-// deleteCertToken removes the token certificate with the specified name
-// from both m.certTokens map and m.Cache.
-func (m *Manager) deleteCertToken(name string) {
- m.challengeMu.Lock()
- defer m.challengeMu.Unlock()
- delete(m.certTokens, name)
- if m.Cache != nil {
- ck := certKey{domain: name, isToken: true}
- m.Cache.Delete(context.Background(), ck.String())
- }
-}
-
-// httpToken retrieves an existing http-01 token value from an in-memory map
-// or the optional cache.
-func (m *Manager) httpToken(ctx context.Context, tokenPath string) ([]byte, error) {
- m.challengeMu.RLock()
- defer m.challengeMu.RUnlock()
- if v, ok := m.httpTokens[tokenPath]; ok {
- return v, nil
- }
- if m.Cache == nil {
- return nil, fmt.Errorf("acme/autocert: no token at %q", tokenPath)
- }
- return m.Cache.Get(ctx, httpTokenCacheKey(tokenPath))
-}
-
-// putHTTPToken stores an http-01 token value using tokenPath as key
-// in both in-memory map and the optional Cache.
-//
-// It ignores any error returned from Cache.Put.
-func (m *Manager) putHTTPToken(ctx context.Context, tokenPath, val string) {
- m.challengeMu.Lock()
- defer m.challengeMu.Unlock()
- if m.httpTokens == nil {
- m.httpTokens = make(map[string][]byte)
- }
- b := []byte(val)
- m.httpTokens[tokenPath] = b
- if m.Cache != nil {
- m.Cache.Put(ctx, httpTokenCacheKey(tokenPath), b)
- }
-}
-
-// deleteHTTPToken removes an http-01 token value from both in-memory map
-// and the optional Cache, ignoring any error returned from the latter.
-//
-// If m.Cache is non-nil, it blocks until Cache.Delete returns without a timeout.
-func (m *Manager) deleteHTTPToken(tokenPath string) {
- m.challengeMu.Lock()
- defer m.challengeMu.Unlock()
- delete(m.httpTokens, tokenPath)
- if m.Cache != nil {
- m.Cache.Delete(context.Background(), httpTokenCacheKey(tokenPath))
- }
-}
-
-// httpTokenCacheKey returns a key at which an http-01 token value may be stored
-// in the Manager's optional Cache.
-func httpTokenCacheKey(tokenPath string) string {
- return path.Base(tokenPath) + "+http-01"
-}
-
-// startRenew starts a cert renewal timer loop, one per domain.
-//
-// The loop is scheduled in two cases:
-// - a cert was fetched from cache for the first time (wasn't in m.state)
-// - a new cert was created by m.createCert
-//
-// The key argument is a certificate private key.
-// The exp argument is the cert expiration time (NotAfter).
-func (m *Manager) startRenew(ck certKey, key crypto.Signer, exp time.Time) {
- m.renewalMu.Lock()
- defer m.renewalMu.Unlock()
- if m.renewal[ck] != nil {
- // another goroutine is already on it
- return
- }
- if m.renewal == nil {
- m.renewal = make(map[certKey]*domainRenewal)
- }
- dr := &domainRenewal{m: m, ck: ck, key: key}
- m.renewal[ck] = dr
- dr.start(exp)
-}
-
-// stopRenew stops all currently running cert renewal timers.
-// The timers are not restarted during the lifetime of the Manager.
-func (m *Manager) stopRenew() {
- m.renewalMu.Lock()
- defer m.renewalMu.Unlock()
- for name, dr := range m.renewal {
- delete(m.renewal, name)
- dr.stop()
- }
-}
-
-func (m *Manager) accountKey(ctx context.Context) (crypto.Signer, error) {
- const keyName = "acme_account+key"
-
- // Previous versions of autocert stored the value under a different key.
- const legacyKeyName = "acme_account.key"
-
- genKey := func() (*ecdsa.PrivateKey, error) {
- return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
- }
-
- if m.Cache == nil {
- return genKey()
- }
-
- data, err := m.Cache.Get(ctx, keyName)
- if err == ErrCacheMiss {
- data, err = m.Cache.Get(ctx, legacyKeyName)
- }
- if err == ErrCacheMiss {
- key, err := genKey()
- if err != nil {
- return nil, err
- }
- var buf bytes.Buffer
- if err := encodeECDSAKey(&buf, key); err != nil {
- return nil, err
- }
- if err := m.Cache.Put(ctx, keyName, buf.Bytes()); err != nil {
- return nil, err
- }
- return key, nil
- }
- if err != nil {
- return nil, err
- }
-
- priv, _ := pem.Decode(data)
- if priv == nil || !strings.Contains(priv.Type, "PRIVATE") {
- return nil, errors.New("acme/autocert: invalid account key found in cache")
- }
- return parsePrivateKey(priv.Bytes)
-}
-
-func (m *Manager) acmeClient(ctx context.Context) (*acme.Client, error) {
- m.clientMu.Lock()
- defer m.clientMu.Unlock()
- if m.client != nil {
- return m.client, nil
- }
-
- client := m.Client
- if client == nil {
- client = &acme.Client{DirectoryURL:
DefaultACMEDirectory}
- }
- if client.Key == nil {
- var err error
- client.Key, err = m.accountKey(ctx)
- if err != nil {
- return nil, err
- }
- }
- if client.UserAgent == "" {
- client.UserAgent = "autocert"
- }
- var contact []string
- if m.Email != "" {
- contact = []string{"mailto:" + m.Email}
- }
- a := &acme.Account{Contact: contact, ExternalAccountBinding: m.ExternalAccountBinding}
- _, err := client.Register(ctx, a, m.Prompt)
- if err == nil || isAccountAlreadyExist(err) {
- m.client = client
- err = nil
- }
- return m.client, err
-}
-
-// isAccountAlreadyExist reports whether the err, as returned from acme.Client.Register,
-// indicates the account has already been registered.
-func isAccountAlreadyExist(err error) bool {
- if err == acme.ErrAccountAlreadyExists {
- return true
- }
- ae, ok := err.(*acme.Error)
- return ok && ae.StatusCode == http.StatusConflict
-}
-
-func (m *Manager) hostPolicy() HostPolicy {
- if m.HostPolicy != nil {
- return m.HostPolicy
- }
- return defaultHostPolicy
-}
-
-func (m *Manager) renewBefore() time.Duration {
- if m.RenewBefore > renewJitter {
- return m.RenewBefore
- }
- return 720 * time.Hour // 30 days
-}
-
-func (m *Manager) now() time.Time {
- if m.nowFunc != nil {
- return m.nowFunc()
- }
- return time.Now()
-}
-
-// certState is ready when its mutex is unlocked for reading.
-type certState struct {
- sync.RWMutex
- locked bool // locked for read/write
- key crypto.Signer // private key for cert
- cert [][]byte // DER encoding
- leaf *x509.Certificate // parsed cert[0]; always non-nil if cert != nil
-}
-
-// tlscert creates a tls.Certificate from s.key and s.cert.
-// Callers should wrap it in s.RLock() and s.RUnlock().
-func (s *certState) tlscert() (*tls.Certificate, error) {
- if s.key == nil {
- return nil, errors.New("acme/autocert: missing signer")
- }
- if len(s.cert) == 0 {
- return nil, errors.New("acme/autocert: missing certificate")
- }
- return &tls.Certificate{
- PrivateKey: s.key,
- Certificate: s.cert,
- Leaf: s.leaf,
- }, nil
-}
-
-// certRequest generates a CSR for the given common name.
-func certRequest(key crypto.Signer, name string, ext []pkix.Extension) ([]byte, error) {
- req := &x509.CertificateRequest{
- Subject: pkix.Name{CommonName: name},
- DNSNames: []string{name},
- ExtraExtensions: ext,
- }
- return x509.CreateCertificateRequest(rand.Reader, req, key)
-}
-
-// Attempt to parse the given private key DER block. OpenSSL 0.9.8 generates
-// PKCS#1 private keys by default, while OpenSSL 1.0.0 generates PKCS#8 keys.
-// OpenSSL ecparam generates SEC1 EC private keys for ECDSA. We try all three.
-//
-// Inspired by parsePrivateKey in crypto/tls/tls.go.
-func parsePrivateKey(der []byte) (crypto.Signer, error) {
- if key, err := x509.ParsePKCS1PrivateKey(der); err == nil {
- return key, nil
- }
- if key, err := x509.ParsePKCS8PrivateKey(der); err == nil {
- switch key := key.(type) {
- case *rsa.PrivateKey:
- return key, nil
- case *ecdsa.PrivateKey:
- return key, nil
- default:
- return nil, errors.New("acme/autocert: unknown private key type in PKCS#8 wrapping")
- }
- }
- if key, err := x509.ParseECPrivateKey(der); err == nil {
- return key, nil
- }
-
- return nil, errors.New("acme/autocert: failed to parse private key")
-}
-
-// validCert parses a cert chain provided as der argument and verifies the leaf and der[0]
-// correspond to the private key, the domain and key type match, and expiration dates
-// are valid. It doesn't do any revocation checking.
-//
-// The returned value is the verified leaf cert.
-func validCert(ck certKey, der [][]byte, key crypto.Signer, now time.Time) (leaf *x509.Certificate, err error) {
- // parse public part(s)
- var n int
- for _, b := range der {
- n += len(b)
- }
- pub := make([]byte, n)
- n = 0
- for _, b := range der {
- n += copy(pub[n:], b)
- }
- x509Cert, err := x509.ParseCertificates(pub)
- if err != nil || len(x509Cert) == 0 {
- return nil, errors.New("acme/autocert: no public key found")
- }
- // verify the leaf is not expired and matches the domain name
- leaf = x509Cert[0]
- if now.Before(leaf.NotBefore) {
- return nil, errors.New("acme/autocert: certificate is not valid yet")
- }
- if now.After(leaf.NotAfter) {
- return nil, errors.New("acme/autocert: expired certificate")
- }
- if err := leaf.VerifyHostname(ck.domain); err != nil {
- return nil, err
- }
- // renew certificates revoked by Let's Encrypt in January 2022
- if isRevokedLetsEncrypt(leaf) {
- return nil, errors.New("acme/autocert: certificate was probably revoked by Let's Encrypt")
- }
- // ensure the leaf corresponds to the private key and matches the certKey type
- switch pub := leaf.PublicKey.(type) {
- case *rsa.PublicKey:
- prv, ok := key.(*rsa.PrivateKey)
- if !ok {
- return nil, errors.New("acme/autocert: private key type does not match public key type")
- }
- if pub.N.Cmp(prv.N) != 0 {
- return nil, errors.New("acme/autocert: private key does not match public key")
- }
- if !ck.isRSA && !ck.isToken {
- return nil, errors.New("acme/autocert: key type does not match expected value")
- }
- case *ecdsa.PublicKey:
- prv, ok := key.(*ecdsa.PrivateKey)
- if !ok {
- return nil, errors.New("acme/autocert: private key type does not match public key type")
- }
- if pub.X.Cmp(prv.X) != 0 || pub.Y.Cmp(prv.Y) != 0 {
- return nil, errors.New("acme/autocert: private key does not match public key")
- }
- if ck.isRSA && !ck.isToken {
- return nil, errors.New("acme/autocert: key type does not match expected value")
- }
- default:
- return nil, errors.New("acme/autocert:
unknown public key algorithm")
- }
- return leaf, nil
-}
-
-// https://community.letsencrypt.org/t/2022-01-25-issue-with-tls-alpn-01-validation-method/170450
-var letsEncryptFixDeployTime = time.Date(2022, time.January, 26, 00, 48, 0, 0, time.UTC)
-
-// isRevokedLetsEncrypt returns whether the certificate is likely to be part of
-// a batch of certificates revoked by Let's Encrypt in January 2022. This check
-// can be safely removed from May 2022.
-func isRevokedLetsEncrypt(cert *x509.Certificate) bool {
- O := cert.Issuer.Organization
- return len(O) == 1 && O[0] == "Let's Encrypt" &&
- cert.NotBefore.Before(letsEncryptFixDeployTime)
-}
-
-type lockedMathRand struct {
- sync.Mutex
- rnd *mathrand.Rand
-}
-
-func (r *lockedMathRand) int63n(max int64) int64 {
- r.Lock()
- n := r.rnd.Int63n(max)
- r.Unlock()
- return n
-}
-
-// For easier testing.
-var (
- // Called when a state is removed.
- testDidRemoveState = func(certKey) {}
-)
diff --git a/vendor/golang.org/x/crypto/acme/autocert/cache.go b/vendor/golang.org/x/crypto/acme/autocert/cache.go
deleted file mode 100644
index 758ab12cb..000000000
--- a/vendor/golang.org/x/crypto/acme/autocert/cache.go
+++ /dev/null
@@ -1,135 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package autocert
-
-import (
- "context"
- "errors"
- "os"
- "path/filepath"
-)
-
-// ErrCacheMiss is returned when a certificate is not found in cache.
-var ErrCacheMiss = errors.New("acme/autocert: certificate cache miss")
-
-// Cache is used by Manager to store and retrieve previously obtained certificates
-// and other account data as opaque blobs.
-//
-// Cache implementations should not rely on the key naming pattern. Keys can
-// include any printable ASCII characters, except the following: \/:*?"<>|
-type Cache interface {
- // Get returns a certificate data for the specified key.
- // If there's no such key, Get returns ErrCacheMiss.
- Get(ctx context.Context, key string) ([]byte, error)
-
- // Put stores the data in the cache under the specified key.
- // Underlying implementations may use any data storage format,
- // as long as the reverse operation, Get, results in the original data.
- Put(ctx context.Context, key string, data []byte) error
-
- // Delete removes a certificate data from the cache under the specified key.
- // If there's no such key in the cache, Delete returns nil.
- Delete(ctx context.Context, key string) error
-}
-
-// DirCache implements Cache using a directory on the local filesystem.
-// If the directory does not exist, it will be created with 0700 permissions.
-type DirCache string
-
-// Get reads a certificate data from the specified file name.
-func (d DirCache) Get(ctx context.Context, name string) ([]byte, error) {
- name = filepath.Join(string(d), filepath.Clean("/"+name))
- var (
- data []byte
- err error
- done = make(chan struct{})
- )
- go func() {
- data, err = os.ReadFile(name)
- close(done)
- }()
- select {
- case <-ctx.Done():
- return nil, ctx.Err()
- case <-done:
- }
- if os.IsNotExist(err) {
- return nil, ErrCacheMiss
- }
- return data, err
-}
-
-// Put writes the certificate data to the specified file name.
-// The file will be created with 0600 permissions.
-func (d DirCache) Put(ctx context.Context, name string, data []byte) error {
- if err := os.MkdirAll(string(d), 0700); err != nil {
- return err
- }
-
- done := make(chan struct{})
- var err error
- go func() {
- defer close(done)
- var tmp string
- if tmp, err = d.writeTempFile(name, data); err != nil {
- return
- }
- defer os.Remove(tmp)
- select {
- case <-ctx.Done():
- // Don't overwrite the file if the context was canceled.
- default:
- newName := filepath.Join(string(d), filepath.Clean("/"+name))
- err = os.Rename(tmp, newName)
- }
- }()
- select {
- case <-ctx.Done():
- return ctx.Err()
- case <-done:
- }
- return err
-}
-
-// Delete removes the specified file name.
-func (d DirCache) Delete(ctx context.Context, name string) error {
- name = filepath.Join(string(d), filepath.Clean("/"+name))
- var (
- err error
- done = make(chan struct{})
- )
- go func() {
- err = os.Remove(name)
- close(done)
- }()
- select {
- case <-ctx.Done():
- return ctx.Err()
- case <-done:
- }
- if err != nil && !os.IsNotExist(err) {
- return err
- }
- return nil
-}
-
-// writeTempFile writes b to a temporary file, closes the file and returns its path.
-func (d DirCache) writeTempFile(prefix string, b []byte) (name string, reterr error) {
- // TempFile uses 0600 permissions
- f, err := os.CreateTemp(string(d), prefix)
- if err != nil {
- return "", err
- }
- defer func() {
- if reterr != nil {
- os.Remove(f.Name())
- }
- }()
- if _, err := f.Write(b); err != nil {
- f.Close()
- return "", err
- }
- return f.Name(), f.Close()
-}
diff --git a/vendor/golang.org/x/crypto/acme/autocert/listener.go b/vendor/golang.org/x/crypto/acme/autocert/listener.go
deleted file mode 100644
index 9d62f8ced..000000000
--- a/vendor/golang.org/x/crypto/acme/autocert/listener.go
+++ /dev/null
@@ -1,155 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package autocert
-
-import (
- "crypto/tls"
- "log"
- "net"
- "os"
- "path/filepath"
- "runtime"
- "time"
-)
-
-// NewListener returns a net.Listener that listens on the standard TLS
-// port (443) on all interfaces and returns *tls.Conn connections with
-// LetsEncrypt certificates for the provided domain or domains.
-//
-// It enables one-line HTTPS servers:
-//
-// log.Fatal(http.Serve(autocert.NewListener("example.com"), handler))
-//
-// NewListener is a convenience function for a common configuration.
-// More complex or custom configurations can use the autocert.Manager
-// type instead.
-//
-// Use of this function implies acceptance of the LetsEncrypt Terms of
-// Service. If domains is not empty, the provided domains are passed
-// to HostWhitelist. If domains is empty, the listener will do
-// LetsEncrypt challenges for any requested domain, which is not
-// recommended.
-//
-// Certificates are cached in a "golang-autocert" directory under an
-// operating system-specific cache or temp directory. This may not
-// be suitable for servers spanning multiple machines.
-//
-// The returned listener uses a *tls.Config that enables HTTP/2, and
-// should only be used with servers that support HTTP/2.
-//
-// The returned Listener also enables TCP keep-alives on the accepted
-// connections. The returned *tls.Conn are returned before their TLS
-// handshake has completed.
-func NewListener(domains ...string) net.Listener {
- m := &Manager{
- Prompt: AcceptTOS,
- }
- if len(domains) > 0 {
- m.HostPolicy = HostWhitelist(domains...)
- }
- dir := cacheDir()
- if err := os.MkdirAll(dir, 0700); err != nil {
- log.Printf("warning: autocert.NewListener not using a cache: %v", err)
- } else {
- m.Cache = DirCache(dir)
- }
- return m.Listener()
-}
-
-// Listener listens on the standard TLS port (443) on all interfaces
-// and returns a net.Listener returning *tls.Conn connections.
-//
-// The returned listener uses a *tls.Config that enables HTTP/2, and
-// should only be used with servers that support HTTP/2.
-//
-// The returned Listener also enables TCP keep-alives on the accepted
-// connections. The returned *tls.Conn are returned before their TLS
-// handshake has completed.
-//
-// Unlike NewListener, it is the caller's responsibility to initialize
-// the Manager m's Prompt, Cache, HostPolicy, and other desired options.
-func (m *Manager) Listener() net.Listener {
- ln := &listener{
- conf: m.TLSConfig(),
- }
- ln.tcpListener, ln.tcpListenErr = net.Listen("tcp", ":443")
- return ln
-}
-
-type listener struct {
- conf *tls.Config
-
- tcpListener net.Listener
- tcpListenErr error
-}
-
-func (ln *listener) Accept() (net.Conn, error) {
- if ln.tcpListenErr != nil {
- return nil, ln.tcpListenErr
- }
- conn, err := ln.tcpListener.Accept()
- if err != nil {
- return nil, err
- }
- tcpConn := conn.(*net.TCPConn)
-
- // Because Listener is a convenience function, help out with
- // this too. This is not possible for the caller to set once
- // we return a *tcp.Conn wrapping an inaccessible net.Conn.
- // If callers don't want this, they can do things the manual
- // way and tweak as needed. But this is what net/http does
- // itself, so copy that. If net/http changes, we can change
- // here too.
- tcpConn.SetKeepAlive(true)
- tcpConn.SetKeepAlivePeriod(3 * time.Minute)
-
- return tls.Server(tcpConn, ln.conf), nil
-}
-
-func (ln *listener) Addr() net.Addr {
- if ln.tcpListener != nil {
- return ln.tcpListener.Addr()
- }
- // net.Listen failed.
Return something non-nil in case callers
- // call Addr before Accept:
- return &net.TCPAddr{IP: net.IP{0, 0, 0, 0}, Port: 443}
-}
-
-func (ln *listener) Close() error {
- if ln.tcpListenErr != nil {
- return ln.tcpListenErr
- }
- return ln.tcpListener.Close()
-}
-
-func homeDir() string {
- if runtime.GOOS == "windows" {
- return os.Getenv("HOMEDRIVE") + os.Getenv("HOMEPATH")
- }
- if h := os.Getenv("HOME"); h != "" {
- return h
- }
- return "/"
-}
-
-func cacheDir() string {
- const base = "golang-autocert"
- switch runtime.GOOS {
- case "darwin":
- return filepath.Join(homeDir(), "Library", "Caches", base)
- case "windows":
- for _, ev := range []string{"APPDATA", "CSIDL_APPDATA", "TEMP", "TMP"} {
- if v := os.Getenv(ev); v != "" {
- return filepath.Join(v, base)
- }
- }
- // Worst case:
- return filepath.Join(homeDir(), base)
- }
- if xdg := os.Getenv("XDG_CACHE_HOME"); xdg != "" {
- return filepath.Join(xdg, base)
- }
- return filepath.Join(homeDir(), ".cache", base)
-}
diff --git a/vendor/golang.org/x/crypto/acme/autocert/renewal.go b/vendor/golang.org/x/crypto/acme/autocert/renewal.go
deleted file mode 100644
index 0df7da78a..000000000
--- a/vendor/golang.org/x/crypto/acme/autocert/renewal.go
+++ /dev/null
@@ -1,156 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package autocert
-
-import (
- "context"
- "crypto"
- "sync"
- "time"
-)
-
-// renewJitter is the maximum deviation from Manager.RenewBefore.
-const renewJitter = time.Hour
-
-// domainRenewal tracks the state used by the periodic timers
-// renewing a single domain's cert.
-type domainRenewal struct {
- m *Manager
- ck certKey
- key crypto.Signer
-
- timerMu sync.Mutex
- timer *time.Timer
- timerClose chan struct{} // if non-nil, renew closes this channel (and nils out the timer fields) instead of running
-}
-
-// start starts a cert renewal timer at the time
-// defined by the certificate expiration time exp.
-//
-// If the timer is already started, calling start is a noop.
-func (dr *domainRenewal) start(exp time.Time) {
- dr.timerMu.Lock()
- defer dr.timerMu.Unlock()
- if dr.timer != nil {
- return
- }
- dr.timer = time.AfterFunc(dr.next(exp), dr.renew)
-}
-
-// stop stops the cert renewal timer and waits for any in-flight calls to renew
-// to complete. If the timer is already stopped, calling stop is a noop.
-func (dr *domainRenewal) stop() {
- dr.timerMu.Lock()
- defer dr.timerMu.Unlock()
- for {
- if dr.timer == nil {
- return
- }
- if dr.timer.Stop() {
- dr.timer = nil
- return
- } else {
- // dr.timer fired, and we acquired dr.timerMu before the renew callback did.
- // (We know this because otherwise the renew callback would have reset dr.timer!)
- timerClose := make(chan struct{})
- dr.timerClose = timerClose
- dr.timerMu.Unlock()
- <-timerClose
- dr.timerMu.Lock()
- }
- }
-}
-
-// renew is called periodically by a timer.
-// The first renew call is kicked off by dr.start.
-func (dr *domainRenewal) renew() {
- dr.timerMu.Lock()
- defer dr.timerMu.Unlock()
- if dr.timerClose != nil {
- close(dr.timerClose)
- dr.timer, dr.timerClose = nil, nil
- return
- }
-
- ctx, cancel := context.WithTimeout(context.Background(), 10*time.Minute)
- defer cancel()
- // TODO: rotate dr.key at some point?
- next, err := dr.do(ctx)
- if err != nil {
- next = renewJitter / 2
- next += time.Duration(pseudoRand.int63n(int64(next)))
- }
- testDidRenewLoop(next, err)
- dr.timer = time.AfterFunc(next, dr.renew)
-}
-
-// updateState locks and replaces the relevant Manager.state item with the given
-// state. It additionally updates dr.key with the given state's key.
-func (dr *domainRenewal) updateState(state *certState) {
- dr.m.stateMu.Lock()
- defer dr.m.stateMu.Unlock()
- dr.key = state.key
- dr.m.state[dr.ck] = state
-}
-
-// do is similar to Manager.createCert but it doesn't lock a Manager.state item.
-// Instead, it requests a new certificate independently and, upon success,
-// replaces dr.m.state item with a new one and updates cache for the given domain.
-//
-// It may lock and update the Manager.state if the expiration date of the currently
-// cached cert is far enough in the future.
-//
-// The returned value is a time interval after which the renewal should occur again.
-func (dr *domainRenewal) do(ctx context.Context) (time.Duration, error) {
- // a race is likely unavoidable in a distributed environment
- // but we try nonetheless
- if tlscert, err := dr.m.cacheGet(ctx, dr.ck); err == nil {
- next := dr.next(tlscert.Leaf.NotAfter)
- if next > dr.m.renewBefore()+renewJitter {
- signer, ok := tlscert.PrivateKey.(crypto.Signer)
- if ok {
- state := &certState{
- key: signer,
- cert: tlscert.Certificate,
- leaf: tlscert.Leaf,
- }
- dr.updateState(state)
- return next, nil
- }
- }
- }
-
- der, leaf, err := dr.m.authorizedCert(ctx, dr.key, dr.ck)
- if err != nil {
- return 0, err
- }
- state := &certState{
- key: dr.key,
- cert: der,
- leaf: leaf,
- }
- tlscert, err := state.tlscert()
- if err != nil {
- return 0, err
- }
- if err := dr.m.cachePut(ctx, dr.ck, tlscert); err != nil {
- return 0, err
- }
- dr.updateState(state)
- return dr.next(leaf.NotAfter), nil
-}
-
-func (dr *domainRenewal) next(expiry time.Time) time.Duration {
- d := expiry.Sub(dr.m.now()) - dr.m.renewBefore()
- // add a bit of randomness to renew deadline
- n := pseudoRand.int63n(int64(renewJitter))
- d -= time.Duration(n)
- if d < 0 {
- return 0
- }
- return d
-}
-
-var testDidRenewLoop = func(next time.Duration, err error) {}
diff --git a/vendor/golang.org/x/crypto/acme/http.go b/vendor/golang.org/x/crypto/acme/http.go
deleted file mode 100644
index d92ff232f..000000000
--- a/vendor/golang.org/x/crypto/acme/http.go
+++ /dev/null
@@ -1,344 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package acme
-
-import (
- "bytes"
- "context"
- "crypto"
- "crypto/rand"
- "encoding/json"
- "errors"
- "fmt"
- "io"
- "math/big"
- "net/http"
- "runtime/debug"
- "strconv"
- "strings"
- "time"
-)
-
-// retryTimer encapsulates common logic for retrying unsuccessful requests.
-// It is not safe for concurrent use.
-type retryTimer struct {
- // backoffFn provides backoff delay sequence for retries.
- // See Client.RetryBackoff doc comment.
- backoffFn func(n int, r *http.Request, res *http.Response) time.Duration
- // n is the current retry attempt.
- n int
-}
-
-func (t *retryTimer) inc() {
- t.n++
-}
-
-// backoff pauses the current goroutine as described in Client.RetryBackoff.
-func (t *retryTimer) backoff(ctx context.Context, r *http.Request, res *http.Response) error {
- d := t.backoffFn(t.n, r, res)
- if d <= 0 {
- return fmt.Errorf("acme: no more retries for %s; tried %d time(s)", r.URL, t.n)
- }
- wakeup := time.NewTimer(d)
- defer wakeup.Stop()
- select {
- case <-ctx.Done():
- return ctx.Err()
- case <-wakeup.C:
- return nil
- }
-}
-
-func (c *Client) retryTimer() *retryTimer {
- f := c.RetryBackoff
- if f == nil {
- f = defaultBackoff
- }
- return &retryTimer{backoffFn: f}
-}
-
-// defaultBackoff provides default Client.RetryBackoff implementation
-// using a truncated exponential backoff algorithm,
-// as described in Client.RetryBackoff.
-//
-// The n argument is always bounded between 1 and 30.
-// The returned value is always greater than 0.
-func defaultBackoff(n int, r *http.Request, res *http.Response) time.Duration {
- const max = 10 * time.Second
- var jitter time.Duration
- if x, err := rand.Int(rand.Reader, big.NewInt(1000)); err == nil {
- // Set the minimum to 1ms to avoid a case where
- // an invalid Retry-After value is parsed into 0 below,
- // resulting in the 0 returned value which would unintentionally
- // stop the retries.
- jitter = (1 + time.Duration(x.Int64())) * time.Millisecond
- }
- if v, ok := res.Header["Retry-After"]; ok {
- return retryAfter(v[0]) + jitter
- }
-
- if n < 1 {
- n = 1
- }
- if n > 30 {
- n = 30
- }
- d := time.Duration(1<<uint(n-1))*time.Second + jitter
- if d > max {
- return max
- }
- return d
-}
-
-// retryAfter parses a Retry-After HTTP header value,
-// trying to convert v into an int (seconds) or use http.ParseTime otherwise.
-// It returns zero value if v cannot be parsed.
-func retryAfter(v string) time.Duration {
- if i, err := strconv.Atoi(v); err == nil {
- return time.Duration(i) * time.Second
- }
- t, err := http.ParseTime(v)
- if err != nil {
- return 0
- }
- return t.Sub(timeNow())
-}
-
-// resOkay is a function that reports whether the provided response is okay.
-// It is expected to keep the response body unread.
-type resOkay func(*http.Response) bool
-
-// wantStatus returns a function which reports whether the code
-// matches the status code of a response.
-func wantStatus(codes ...int) resOkay {
- return func(res *http.Response) bool {
- for _, code := range codes {
- if code == res.StatusCode {
- return true
- }
- }
- return false
- }
-}
-
-// get issues an unsigned GET request to the specified URL.
-// It returns a non-error value only when ok reports true.
-//
-// get retries unsuccessful attempts according to c.RetryBackoff
-// until the context is done or a non-retriable error is received.
-func (c *Client) get(ctx context.Context, url string, ok resOkay) (*http.Response, error) {
- retry := c.retryTimer()
- for {
- req, err := http.NewRequest("GET", url, nil)
- if err != nil {
- return nil, err
- }
- res, err := c.doNoRetry(ctx, req)
- switch {
- case err != nil:
- return nil, err
- case ok(res):
- return res, nil
- case isRetriable(res.StatusCode):
- retry.inc()
- resErr := responseError(res)
- res.Body.Close()
- // Ignore the error value from retry.backoff
- // and return the one from last retry, as received from the CA.
- if retry.backoff(ctx, req, res) != nil {
- return nil, resErr
- }
- default:
- defer res.Body.Close()
- return nil, responseError(res)
- }
- }
-}
-
-// postAsGet is POST-as-GET, a replacement for GET in RFC 8555
-// as described in https://tools.ietf.org/html/rfc8555#section-6.3.
-// It makes a POST request in KID form with zero JWS payload.
-// See nopayload doc comments in jws.go.
-func (c *Client) postAsGet(ctx context.Context, url string, ok resOkay) (*http.Response, error) {
- return c.post(ctx, nil, url, noPayload, ok)
-}
-
-// post issues a signed POST request in JWS format using the provided key
-// to the specified URL. If key is nil, c.Key is used instead.
-// It returns a non-error value only when ok reports true.
-//
-// post retries unsuccessful attempts according to c.RetryBackoff
-// until the context is done or a non-retriable error is received.
-// It uses postNoRetry to make individual requests.
-func (c *Client) post(ctx context.Context, key crypto.Signer, url string, body interface{}, ok resOkay) (*http.Response, error) {
- retry := c.retryTimer()
- for {
- res, req, err := c.postNoRetry(ctx, key, url, body)
- if err != nil {
- return nil, err
- }
- if ok(res) {
- return res, nil
- }
- resErr := responseError(res)
- res.Body.Close()
- switch {
- // Check for bad nonce before isRetriable because it may have been returned
- // with an unretriable response code such as 400 Bad Request.
- case isBadNonce(resErr):
- // Consider any previously stored nonce values to be invalid.
- c.clearNonces()
- case !isRetriable(res.StatusCode):
- return nil, resErr
- }
- retry.inc()
- // Ignore the error value from retry.backoff
- // and return the one from last retry, as received from the CA.
- if err := retry.backoff(ctx, req, res); err != nil {
- return nil, resErr
- }
- }
-}
-
-// postNoRetry signs the body with the given key and POSTs it to the provided url.
-// It is used by c.post to retry unsuccessful attempts.
-// The body argument must be JSON-serializable.
-//
-// If key argument is nil, c.Key is used to sign the request.
-// If key argument is nil and c.accountKID returns a non-zero keyID,
-// the request is sent in KID form. Otherwise, JWK form is used.
-//
-// In practice, when interfacing with RFC-compliant CAs most requests are sent in KID form
-// and JWK is used only when KID is unavailable: new account endpoint and certificate
-// revocation requests authenticated by a cert key.
-// See jwsEncodeJSON for other details.
-func (c *Client) postNoRetry(ctx context.Context, key crypto.Signer, url string, body interface{}) (*http.Response, *http.Request, error) {
- kid := noKeyID
- if key == nil {
- if c.Key == nil {
- return nil, nil, errors.New("acme: Client.Key must be populated to make POST requests")
- }
- key = c.Key
- kid = c.accountKID(ctx)
- }
- nonce, err := c.popNonce(ctx, url)
- if err != nil {
- return nil, nil, err
- }
- b, err := jwsEncodeJSON(body, key, kid, nonce, url)
- if err != nil {
- return nil, nil, err
- }
- req, err := http.NewRequest("POST", url, bytes.NewReader(b))
- if err != nil {
- return nil, nil, err
- }
- req.Header.Set("Content-Type", "application/jose+json")
- res, err := c.doNoRetry(ctx, req)
- if err != nil {
- return nil, nil, err
- }
- c.addNonce(res.Header)
- return res, req, nil
-}
-
-// doNoRetry issues a request req, replacing its context (if any) with ctx.
-func (c *Client) doNoRetry(ctx context.Context, req *http.Request) (*http.Response, error) {
- req.Header.Set("User-Agent", c.userAgent())
- res, err := c.httpClient().Do(req.WithContext(ctx))
- if err != nil {
- select {
- case <-ctx.Done():
- // Prefer the unadorned context error.
- // (The acme package had tests assuming this, previously from ctxhttp's
- // behavior, predating net/http supporting contexts natively)
- // TODO(bradfitz): reconsider this in the future. But for now this
- // requires no test updates.
- return nil, ctx.Err()
- default:
- return nil, err
- }
- }
- return res, nil
-}
-
-func (c *Client) httpClient() *http.Client {
- if c.HTTPClient != nil {
- return c.HTTPClient
- }
- return http.DefaultClient
-}
-
-// packageVersion is the version of the module that contains this package, for
-// sending as part of the User-Agent header.
-var packageVersion string
-
-func init() {
- // Set packageVersion if the binary was built in modules mode and x/crypto
- // was not replaced with a different module.
- info, ok := debug.ReadBuildInfo()
- if !ok {
- return
- }
- for _, m := range info.Deps {
- if m.Path != "golang.org/x/crypto" {
- continue
- }
- if m.Replace == nil {
- packageVersion = m.Version
- }
- break
- }
-}
-
-// userAgent returns the User-Agent header value. It includes the package name,
-// the module version (if available), and the c.UserAgent value (if set).
-func (c *Client) userAgent() string {
- ua := "golang.org/x/crypto/acme"
- if packageVersion != "" {
- ua += "@" + packageVersion
- }
- if c.UserAgent != "" {
- ua = c.UserAgent + " " + ua
- }
- return ua
-}
-
-// isBadNonce reports whether err is an ACME "badnonce" error.
-func isBadNonce(err error) bool {
- // According to the spec badNonce is urn:ietf:params:acme:error:badNonce.
- // However, ACME servers in the wild return their versions of the error.
- // See https://tools.ietf.org/html/draft-ietf-acme-acme-02#section-5.4
- // and https://github.com/letsencrypt/boulder/blob/0e07eacb/docs/acme-divergences.md#section-66.
- ae, ok := err.(*Error)
- return ok && strings.HasSuffix(strings.ToLower(ae.ProblemType), ":badnonce")
-}
-
-// isRetriable reports whether a request can be retried
-// based on the response status code.
-//
-// Note that a "bad nonce" error is returned with a non-retriable 400 Bad Request code.
-// Callers should parse the response and check with isBadNonce.
-func isRetriable(code int) bool {
- return code <= 399 || code >= 500 || code == http.StatusTooManyRequests
-}
-
-// responseError creates an error of Error type from resp.
-func responseError(resp *http.Response) error {
- // don't care if ReadAll returns an error:
- // json.Unmarshal will fail in that case anyway
- b, _ := io.ReadAll(resp.Body)
- e := &wireError{Status: resp.StatusCode}
- if err := json.Unmarshal(b, e); err != nil {
- // this is not a regular error response:
- // populate detail with anything we received,
- // e.Status will already contain HTTP response code value
- e.Detail = string(b)
- if e.Detail == "" {
- e.Detail = resp.Status
- }
- }
- return e.error(resp.Header)
-}
diff --git a/vendor/golang.org/x/crypto/acme/jws.go b/vendor/golang.org/x/crypto/acme/jws.go
deleted file mode 100644
index b38828d85..000000000
--- a/vendor/golang.org/x/crypto/acme/jws.go
+++ /dev/null
@@ -1,257 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package acme
-
-import (
- "crypto"
- "crypto/ecdsa"
- "crypto/hmac"
- "crypto/rand"
- "crypto/rsa"
- "crypto/sha256"
- _ "crypto/sha512" // need for EC keys
- "encoding/asn1"
- "encoding/base64"
- "encoding/json"
- "errors"
- "fmt"
- "math/big"
-)
-
-// KeyID is the account key identity provided by a CA during registration.
-type KeyID string
-
-// noKeyID indicates that jwsEncodeJSON should compute and use JWK instead of a KID.
-// See jwsEncodeJSON for details.
-const noKeyID = KeyID("")
-
-// noPayload indicates jwsEncodeJSON will encode zero-length octet string
-// in a JWS request. This is called POST-as-GET in RFC 8555 and is used to make
-// authenticated GET requests via POSTing with an empty payload.
-// See https://tools.ietf.org/html/rfc8555#section-6.3 for more details.
-const noPayload = ""
-
-// noNonce indicates that the nonce should be omitted from the protected header.
-// See jwsEncodeJSON for details.
-const noNonce = ""
-
-// jsonWebSignature can be easily serialized into a JWS following
-// https://tools.ietf.org/html/rfc7515#section-3.2.
-type jsonWebSignature struct {
- Protected string `json:"protected"`
- Payload string `json:"payload"`
- Sig string `json:"signature"`
-}
-
-// jwsEncodeJSON signs claimset using provided key and a nonce.
-// The result is serialized in JSON format containing either kid or jwk
-// fields based on the provided KeyID value.
-//
-// The claimset is marshalled using json.Marshal unless it is a string.
-// In which case it is inserted directly into the message.
-//
-// If kid is non-empty, its quoted value is inserted in the protected header
-// as "kid" field value. Otherwise, JWK is computed using jwkEncode and inserted
-// as "jwk" field value. The "jwk" and "kid" fields are mutually exclusive.
-//
-// If nonce is non-empty, its quoted value is inserted in the protected header.
-//
-// See https://tools.ietf.org/html/rfc7515#section-7.
-func jwsEncodeJSON(claimset interface{}, key crypto.Signer, kid KeyID, nonce, url string) ([]byte, error) {
- if key == nil {
- return nil, errors.New("nil key")
- }
- alg, sha := jwsHasher(key.Public())
- if alg == "" || !sha.Available() {
- return nil, ErrUnsupportedKey
- }
- headers := struct {
- Alg string `json:"alg"`
- KID string `json:"kid,omitempty"`
- JWK json.RawMessage `json:"jwk,omitempty"`
- Nonce string `json:"nonce,omitempty"`
- URL string `json:"url"`
- }{
- Alg: alg,
- Nonce: nonce,
- URL: url,
- }
- switch kid {
- case noKeyID:
- jwk, err := jwkEncode(key.Public())
- if err != nil {
- return nil, err
- }
- headers.JWK = json.RawMessage(jwk)
- default:
- headers.KID = string(kid)
- }
- phJSON, err := json.Marshal(headers)
- if err != nil {
- return nil, err
- }
- phead := base64.RawURLEncoding.EncodeToString([]byte(phJSON))
- var payload string
- if val, ok := claimset.(string); ok {
- payload = val
- } else {
- cs, err := json.Marshal(claimset)
- if err != nil {
- return nil, err
- }
- payload = base64.RawURLEncoding.EncodeToString(cs)
- }
- hash := sha.New()
- hash.Write([]byte(phead + "." + payload))
- sig, err := jwsSign(key, sha, hash.Sum(nil))
- if err != nil {
- return nil, err
- }
- enc := jsonWebSignature{
- Protected: phead,
- Payload: payload,
- Sig: base64.RawURLEncoding.EncodeToString(sig),
- }
- return json.Marshal(&enc)
-}
-
-// jwsWithMAC creates and signs a JWS using the given key and the HS256
-// algorithm. kid and url are included in the protected header. rawPayload
-// should not be base64-URL-encoded.
-func jwsWithMAC(key []byte, kid, url string, rawPayload []byte) (*jsonWebSignature, error) {
- if len(key) == 0 {
- return nil, errors.New("acme: cannot sign JWS with an empty MAC key")
- }
- header := struct {
- Algorithm string `json:"alg"`
- KID string `json:"kid"`
- URL string `json:"url,omitempty"`
- }{
- // Only HMAC-SHA256 is supported.
- Algorithm: "HS256",
- KID: kid,
- URL: url,
- }
- rawProtected, err := json.Marshal(header)
- if err != nil {
- return nil, err
- }
- protected := base64.RawURLEncoding.EncodeToString(rawProtected)
- payload := base64.RawURLEncoding.EncodeToString(rawPayload)
-
- h := hmac.New(sha256.New, key)
- if _, err := h.Write([]byte(protected + "." + payload)); err != nil {
- return nil, err
- }
- mac := h.Sum(nil)
-
- return &jsonWebSignature{
- Protected: protected,
- Payload: payload,
- Sig: base64.RawURLEncoding.EncodeToString(mac),
- }, nil
-}
-
-// jwkEncode encodes public part of an RSA or ECDSA key into a JWK.
-// The result is also suitable for creating a JWK thumbprint.
-// https://tools.ietf.org/html/rfc7517
-func jwkEncode(pub crypto.PublicKey) (string, error) {
- switch pub := pub.(type) {
- case *rsa.PublicKey:
- // https://tools.ietf.org/html/rfc7518#section-6.3.1
- n := pub.N
- e := big.NewInt(int64(pub.E))
- // Field order is important.
- // See https://tools.ietf.org/html/rfc7638#section-3.3 for details.
- return fmt.Sprintf(`{"e":"%s","kty":"RSA","n":"%s"}`,
- base64.RawURLEncoding.EncodeToString(e.Bytes()),
- base64.RawURLEncoding.EncodeToString(n.Bytes()),
- ), nil
- case *ecdsa.PublicKey:
- // https://tools.ietf.org/html/rfc7518#section-6.2.1
- p := pub.Curve.Params()
- n := p.BitSize / 8
- if p.BitSize%8 != 0 {
- n++
- }
- x := pub.X.Bytes()
- if n > len(x) {
- x = append(make([]byte, n-len(x)), x...)
- }
- y := pub.Y.Bytes()
- if n > len(y) {
- y = append(make([]byte, n-len(y)), y...)
- }
- // Field order is important.
- // See https://tools.ietf.org/html/rfc7638#section-3.3 for details.
- return fmt.Sprintf(`{"crv":"%s","kty":"EC","x":"%s","y":"%s"}`,
- p.Name,
- base64.RawURLEncoding.EncodeToString(x),
- base64.RawURLEncoding.EncodeToString(y),
- ), nil
- }
- return "", ErrUnsupportedKey
-}
-
-// jwsSign signs the digest using the given key.
-// The hash is unused for ECDSA keys.
-func jwsSign(key crypto.Signer, hash crypto.Hash, digest []byte) ([]byte, error) {
- switch pub := key.Public().(type) {
- case *rsa.PublicKey:
- return key.Sign(rand.Reader, digest, hash)
- case *ecdsa.PublicKey:
- sigASN1, err := key.Sign(rand.Reader, digest, hash)
- if err != nil {
- return nil, err
- }
-
- var rs struct{ R, S *big.Int }
- if _, err := asn1.Unmarshal(sigASN1, &rs); err != nil {
- return nil, err
- }
-
- rb, sb := rs.R.Bytes(), rs.S.Bytes()
- size := pub.Params().BitSize / 8
- if size%8 > 0 {
- size++
- }
- sig := make([]byte, size*2)
- copy(sig[size-len(rb):], rb)
- copy(sig[size*2-len(sb):], sb)
- return sig, nil
- }
- return nil, ErrUnsupportedKey
-}
-
-// jwsHasher indicates suitable JWS algorithm name and a hash function
-// to use for signing a digest with the provided key.
-// It returns ("", 0) if the key is not supported.
-func jwsHasher(pub crypto.PublicKey) (string, crypto.Hash) {
- switch pub := pub.(type) {
- case *rsa.PublicKey:
- return "RS256", crypto.SHA256
- case *ecdsa.PublicKey:
- switch pub.Params().Name {
- case "P-256":
- return "ES256", crypto.SHA256
- case "P-384":
- return "ES384", crypto.SHA384
- case "P-521":
- return "ES512", crypto.SHA512
- }
- }
- return "", 0
-}
-
-// JWKThumbprint creates a JWK thumbprint out of pub
-// as specified in https://tools.ietf.org/html/rfc7638.
-func JWKThumbprint(pub crypto.PublicKey) (string, error) {
- jwk, err := jwkEncode(pub)
- if err != nil {
- return "", err
- }
- b := sha256.Sum256([]byte(jwk))
- return base64.RawURLEncoding.EncodeToString(b[:]), nil
-}
diff --git a/vendor/golang.org/x/crypto/acme/rfc8555.go b/vendor/golang.org/x/crypto/acme/rfc8555.go
deleted file mode 100644
index 3152e531b..000000000
--- a/vendor/golang.org/x/crypto/acme/rfc8555.go
+++ /dev/null
@@ -1,476 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package acme
-
-import (
- "context"
- "crypto"
- "encoding/base64"
- "encoding/json"
- "encoding/pem"
- "errors"
- "fmt"
- "io"
- "net/http"
- "time"
-)
-
-// DeactivateReg permanently disables an existing account associated with c.Key.
-// A deactivated account can no longer request certificate issuance or access
-// resources related to the account, such as orders or authorizations.
-//
-// It only works with CAs implementing RFC 8555.
-func (c *Client) DeactivateReg(ctx context.Context) error {
- if _, err := c.Discover(ctx); err != nil { // required by c.accountKID
- return err
- }
- url := string(c.accountKID(ctx))
- if url == "" {
- return ErrNoAccount
- }
- req := json.RawMessage(`{"status": "deactivated"}`)
- res, err := c.post(ctx, nil, url, req, wantStatus(http.StatusOK))
- if err != nil {
- return err
- }
- res.Body.Close()
- return nil
-}
-
-// registerRFC is equivalent to c.Register but for CAs implementing RFC 8555.
-// It expects c.Discover to have already been called.
-func (c *Client) registerRFC(ctx context.Context, acct *Account, prompt func(tosURL string) bool) (*Account, error) {
- c.cacheMu.Lock() // guard c.kid access
- defer c.cacheMu.Unlock()
-
- req := struct {
- TermsAgreed bool `json:"termsOfServiceAgreed,omitempty"`
- Contact []string `json:"contact,omitempty"`
- ExternalAccountBinding *jsonWebSignature `json:"externalAccountBinding,omitempty"`
- }{
- Contact: acct.Contact,
- }
- if c.dir.Terms != "" {
- req.TermsAgreed = prompt(c.dir.Terms)
- }
-
- // set 'externalAccountBinding' field if requested
- if acct.ExternalAccountBinding != nil {
- eabJWS, err := c.encodeExternalAccountBinding(acct.ExternalAccountBinding)
- if err != nil {
- return nil, fmt.Errorf("acme: failed to encode external account binding: %v", err)
- }
- req.ExternalAccountBinding = eabJWS
- }
-
- res, err := c.post(ctx, c.Key, c.dir.RegURL, req, wantStatus(
- http.StatusOK, // account with this key already registered
- http.StatusCreated, // new account created
- ))
- if err != nil {
- return nil, err
- }
-
- defer res.Body.Close()
- a, err := responseAccount(res)
- if err != nil {
- return nil, err
- }
- // Cache Account URL even if we return an error to the caller.
- // It is by all means a valid and usable "kid" value for future requests.
- c.KID = KeyID(a.URI)
- if res.StatusCode == http.StatusOK {
- return nil, ErrAccountAlreadyExists
- }
- return a, nil
-}
-
-// encodeExternalAccountBinding will encode an external account binding stanza
-// as described in https://tools.ietf.org/html/rfc8555#section-7.3.4.
-func (c *Client) encodeExternalAccountBinding(eab *ExternalAccountBinding) (*jsonWebSignature, error) {
- jwk, err := jwkEncode(c.Key.Public())
- if err != nil {
- return nil, err
- }
- return jwsWithMAC(eab.Key, eab.KID, c.dir.RegURL, []byte(jwk))
-}
-
-// updateRegRFC is equivalent to c.UpdateReg but for CAs implementing RFC 8555.
-// It expects c.Discover to have already been called.
-func (c *Client) updateRegRFC(ctx context.Context, a *Account) (*Account, error) {
- url := string(c.accountKID(ctx))
- if url == "" {
- return nil, ErrNoAccount
- }
- req := struct {
- Contact []string `json:"contact,omitempty"`
- }{
- Contact: a.Contact,
- }
- res, err := c.post(ctx, nil, url, req, wantStatus(http.StatusOK))
- if err != nil {
- return nil, err
- }
- defer res.Body.Close()
- return responseAccount(res)
-}
-
-// getRegRFC is equivalent to c.GetReg but for CAs implementing RFC 8555.
-// It expects c.Discover to have already been called.
-func (c *Client) getRegRFC(ctx context.Context) (*Account, error) {
- req := json.RawMessage(`{"onlyReturnExisting": true}`)
- res, err := c.post(ctx, c.Key, c.dir.RegURL, req, wantStatus(http.StatusOK))
- if e, ok := err.(*Error); ok && e.ProblemType == "urn:ietf:params:acme:error:accountDoesNotExist" {
- return nil, ErrNoAccount
- }
- if err != nil {
- return nil, err
- }
-
- defer res.Body.Close()
- return responseAccount(res)
-}
-
-func responseAccount(res *http.Response) (*Account, error) {
- var v struct {
- Status string
- Contact []string
- Orders string
- }
- if err := json.NewDecoder(res.Body).Decode(&v); err != nil {
- return nil, fmt.Errorf("acme: invalid account response: %v", err)
- }
- return &Account{
- URI: res.Header.Get("Location"),
- Status: v.Status,
- Contact: v.Contact,
- OrdersURL: v.Orders,
- }, nil
-}
-
-// accountKeyRollover attempts to perform account key rollover.
-// On success it will change client.Key to the new key.
-func (c *Client) accountKeyRollover(ctx context.Context, newKey crypto.Signer) error {
- dir, err := c.Discover(ctx) // Also required by c.accountKID
- if err != nil {
- return err
- }
- kid := c.accountKID(ctx)
- if kid == noKeyID {
- return ErrNoAccount
- }
- oldKey, err := jwkEncode(c.Key.Public())
- if err != nil {
- return err
- }
- payload := struct {
- Account string `json:"account"`
- OldKey json.RawMessage `json:"oldKey"`
- }{
- Account: string(kid),
- OldKey: json.RawMessage(oldKey),
- }
- inner, err := jwsEncodeJSON(payload, newKey, noKeyID, noNonce, dir.KeyChangeURL)
- if err != nil {
- return err
- }
-
- res, err := c.post(ctx, nil, dir.KeyChangeURL, base64.RawURLEncoding.EncodeToString(inner), wantStatus(http.StatusOK))
- if err != nil {
- return err
- }
- defer res.Body.Close()
- c.Key = newKey
- return nil
-}
-
-// AuthorizeOrder initiates the order-based application for certificate issuance,
-// as opposed to pre-authorization in Authorize.
-// It is only supported by CAs implementing RFC 8555.
-//
-// The caller then needs to fetch each authorization with GetAuthorization,
-// identify those with StatusPending status and fulfill a challenge using Accept.
-// Once all authorizations are satisfied, the caller will typically want to poll
-// order status using WaitOrder until it's in StatusReady state.
-// To finalize the order and obtain a certificate, the caller submits a CSR with CreateOrderCert.
-func (c *Client) AuthorizeOrder(ctx context.Context, id []AuthzID, opt ...OrderOption) (*Order, error) {
- dir, err := c.Discover(ctx)
- if err != nil {
- return nil, err
- }
-
- req := struct {
- Identifiers []wireAuthzID `json:"identifiers"`
- NotBefore string `json:"notBefore,omitempty"`
- NotAfter string `json:"notAfter,omitempty"`
- }{}
- for _, v := range id {
- req.Identifiers = append(req.Identifiers, wireAuthzID{
- Type: v.Type,
- Value: v.Value,
- })
- }
- for _, o := range opt {
- switch o := o.(type) {
- case orderNotBeforeOpt:
- req.NotBefore = time.Time(o).Format(time.RFC3339)
- case orderNotAfterOpt:
- req.NotAfter = time.Time(o).Format(time.RFC3339)
- default:
- // Package's fault if we let this happen.
- panic(fmt.Sprintf("unsupported order option type %T", o))
- }
- }
-
- res, err := c.post(ctx, nil, dir.OrderURL, req, wantStatus(http.StatusCreated))
- if err != nil {
- return nil, err
- }
- defer res.Body.Close()
- return responseOrder(res)
-}
-
-// GetOrder retrives an order identified by the given URL.
-// For orders created with AuthorizeOrder, the url value is Order.URI.
-//
-// If a caller needs to poll an order until its status is final,
-// see the WaitOrder method.
-func (c *Client) GetOrder(ctx context.Context, url string) (*Order, error) {
- if _, err := c.Discover(ctx); err != nil {
- return nil, err
- }
-
- res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK))
- if err != nil {
- return nil, err
- }
- defer res.Body.Close()
- return responseOrder(res)
-}
-
-// WaitOrder polls an order from the given URL until it is in one of the final states,
-// StatusReady, StatusValid or StatusInvalid, the CA responded with a non-retryable error
-// or the context is done.
-//
-// It returns a non-nil Order only if its Status is StatusReady or StatusValid.
-// In all other cases WaitOrder returns an error.
-// If the Status is StatusInvalid, the returned error is of type *OrderError.
-func (c *Client) WaitOrder(ctx context.Context, url string) (*Order, error) {
- if _, err := c.Discover(ctx); err != nil {
- return nil, err
- }
- for {
- res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK))
- if err != nil {
- return nil, err
- }
- o, err := responseOrder(res)
- res.Body.Close()
- switch {
- case err != nil:
- // Skip and retry.
- case o.Status == StatusInvalid:
- return nil, &OrderError{OrderURL: o.URI, Status: o.Status}
- case o.Status == StatusReady || o.Status == StatusValid:
- return o, nil
- }
-
- d := retryAfter(res.Header.Get("Retry-After"))
- if d == 0 {
- // Default retry-after.
- // Same reasoning as in WaitAuthorization.
- d = time.Second
- }
- t := time.NewTimer(d)
- select {
- case <-ctx.Done():
- t.Stop()
- return nil, ctx.Err()
- case <-t.C:
- // Retry.
- }
- }
-}
-
-func responseOrder(res *http.Response) (*Order, error) {
- var v struct {
- Status string
- Expires time.Time
- Identifiers []wireAuthzID
- NotBefore time.Time
- NotAfter time.Time
- Error *wireError
- Authorizations []string
- Finalize string
- Certificate string
- }
- if err := json.NewDecoder(res.Body).Decode(&v); err != nil {
- return nil, fmt.Errorf("acme: error reading order: %v", err)
- }
- o := &Order{
- URI: res.Header.Get("Location"),
- Status: v.Status,
- Expires: v.Expires,
- NotBefore: v.NotBefore,
- NotAfter: v.NotAfter,
- AuthzURLs: v.Authorizations,
- FinalizeURL: v.Finalize,
- CertURL: v.Certificate,
- }
- for _, id := range v.Identifiers {
- o.Identifiers = append(o.Identifiers, AuthzID{Type: id.Type, Value: id.Value})
- }
- if v.Error != nil {
- o.Error = v.Error.error(nil /* headers */)
- }
- return o, nil
-}
-
-// CreateOrderCert submits the CSR (Certificate Signing Request) to a CA at the specified URL.
-// The URL is the FinalizeURL field of an Order created with AuthorizeOrder.
-//
-// If the bundle argument is true, the returned value also contain the CA (issuer)
-// certificate chain. Otherwise, only a leaf certificate is returned.
-// The returned URL can be used to re-fetch the certificate using FetchCert.
-//
-// This method is only supported by CAs implementing RFC 8555. See CreateCert for pre-RFC CAs.
-//
-// CreateOrderCert returns an error if the CA's response is unreasonably large.
-// Callers are encouraged to parse the returned value to ensure the certificate is valid and has the expected features.
-func (c *Client) CreateOrderCert(ctx context.Context, url string, csr []byte, bundle bool) (der [][]byte, certURL string, err error) {
- if _, err := c.Discover(ctx); err != nil { // required by c.accountKID
- return nil, "", err
- }
-
- // RFC describes this as "finalize order" request.
- req := struct {
- CSR string `json:"csr"`
- }{
- CSR: base64.RawURLEncoding.EncodeToString(csr),
- }
- res, err := c.post(ctx, nil, url, req, wantStatus(http.StatusOK))
- if err != nil {
- return nil, "", err
- }
- defer res.Body.Close()
- o, err := responseOrder(res)
- if err != nil {
- return nil, "", err
- }
-
- // Wait for CA to issue the cert if they haven't.
- if o.Status != StatusValid {
- o, err = c.WaitOrder(ctx, o.URI)
- }
- if err != nil {
- return nil, "", err
- }
- // The only acceptable status post finalize and WaitOrder is "valid".
- if o.Status != StatusValid {
- return nil, "", &OrderError{OrderURL: o.URI, Status: o.Status}
- }
- crt, err := c.fetchCertRFC(ctx, o.CertURL, bundle)
- return crt, o.CertURL, err
-}
-
-// fetchCertRFC downloads issued certificate from the given URL.
-// It expects the CA to respond with PEM-encoded certificate chain.
-//
-// The URL argument is the CertURL field of Order.
-func (c *Client) fetchCertRFC(ctx context.Context, url string, bundle bool) ([][]byte, error) {
- res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK))
- if err != nil {
- return nil, err
- }
- defer res.Body.Close()
-
- // Get all the bytes up to a sane maximum.
- // Account very roughly for base64 overhead.
- const max = maxCertChainSize + maxCertChainSize/33
- b, err := io.ReadAll(io.LimitReader(res.Body, max+1))
- if err != nil {
- return nil, fmt.Errorf("acme: fetch cert response stream: %v", err)
- }
- if len(b) > max {
- return nil, errors.New("acme: certificate chain is too big")
- }
-
- // Decode PEM chain.
- var chain [][]byte
- for {
- var p *pem.Block
- p, b = pem.Decode(b)
- if p == nil {
- break
- }
- if p.Type != "CERTIFICATE" {
- return nil, fmt.Errorf("acme: invalid PEM cert type %q", p.Type)
- }
-
- chain = append(chain, p.Bytes)
- if !bundle {
- return chain, nil
- }
- if len(chain) > maxChainLen {
- return nil, errors.New("acme: certificate chain is too long")
- }
- }
- if len(chain) == 0 {
- return nil, errors.New("acme: certificate chain is empty")
- }
- return chain, nil
-}
-
-// sends a cert revocation request in either JWK form when key is non-nil or KID form otherwise.
-func (c *Client) revokeCertRFC(ctx context.Context, key crypto.Signer, cert []byte, reason CRLReasonCode) error {
- req := &struct {
- Cert string `json:"certificate"`
- Reason int `json:"reason"`
- }{
- Cert: base64.RawURLEncoding.EncodeToString(cert),
- Reason: int(reason),
- }
- res, err := c.post(ctx, key, c.dir.RevokeURL, req, wantStatus(http.StatusOK))
- if err != nil {
- if isAlreadyRevoked(err) {
- // Assume it is not an error to revoke an already revoked cert.
- return nil
- }
- return err
- }
- defer res.Body.Close()
- return nil
-}
-
-func isAlreadyRevoked(err error) bool {
- e, ok := err.(*Error)
- return ok && e.ProblemType == "urn:ietf:params:acme:error:alreadyRevoked"
-}
-
-// ListCertAlternates retrieves any alternate certificate chain URLs for the
-// given certificate chain URL. These alternate URLs can be passed to FetchCert
-// in order to retrieve the alternate certificate chains.
-//
-// If there are no alternate issuer certificate chains, a nil slice will be
-// returned.
-func (c *Client) ListCertAlternates(ctx context.Context, url string) ([]string, error) {
- if _, err := c.Discover(ctx); err != nil { // required by c.accountKID
- return nil, err
- }
-
- res, err := c.postAsGet(ctx, url, wantStatus(http.StatusOK))
- if err != nil {
- return nil, err
- }
- defer res.Body.Close()
-
- // We don't need the body but we need to discard it so we don't end up
- // preventing keep-alive
- if _, err := io.Copy(io.Discard, res.Body); err != nil {
- return nil, fmt.Errorf("acme: cert alternates response stream: %v", err)
- }
- alts := linkHeader(res.Header, "alternate")
- return alts, nil
-}
diff --git a/vendor/golang.org/x/crypto/acme/types.go b/vendor/golang.org/x/crypto/acme/types.go
deleted file mode 100644
index 45492adc8..000000000
--- a/vendor/golang.org/x/crypto/acme/types.go
+++ /dev/null
@@ -1,625 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package acme
-
-import (
- "crypto"
- "crypto/x509"
- "encoding/json"
- "errors"
- "fmt"
- "net/http"
- "strings"
- "time"
-)
-
-// ACME status values of Account, Order, Authorization and Challenge objects.
-// See https://tools.ietf.org/html/rfc8555#section-7.1.6 for details.
-const (
- StatusDeactivated = "deactivated"
- StatusExpired = "expired"
- StatusInvalid = "invalid"
- StatusPending = "pending"
- StatusProcessing = "processing"
- StatusReady = "ready"
- StatusRevoked = "revoked"
- StatusUnknown = "unknown"
- StatusValid = "valid"
-)
-
-// CRLReasonCode identifies the reason for a certificate revocation.
-type CRLReasonCode int
-
-// CRL reason codes as defined in RFC 5280.
-const (
- CRLReasonUnspecified CRLReasonCode = 0
- CRLReasonKeyCompromise CRLReasonCode = 1
- CRLReasonCACompromise CRLReasonCode = 2
- CRLReasonAffiliationChanged CRLReasonCode = 3
- CRLReasonSuperseded CRLReasonCode = 4
- CRLReasonCessationOfOperation CRLReasonCode = 5
- CRLReasonCertificateHold CRLReasonCode = 6
- CRLReasonRemoveFromCRL CRLReasonCode = 8
- CRLReasonPrivilegeWithdrawn CRLReasonCode = 9
- CRLReasonAACompromise CRLReasonCode = 10
-)
-
-var (
- // ErrUnsupportedKey is returned when an unsupported key type is encountered.
- ErrUnsupportedKey = errors.New("acme: unknown key type; only RSA and ECDSA are supported")
-
- // ErrAccountAlreadyExists indicates that the Client's key has already been registered
- // with the CA. It is returned by Register method.
- ErrAccountAlreadyExists = errors.New("acme: account already exists")
-
- // ErrNoAccount indicates that the Client's key has not been registered with the CA.
- ErrNoAccount = errors.New("acme: account does not exist")
-)
-
-// A Subproblem describes an ACME subproblem as reported in an Error.
-type Subproblem struct {
- // Type is a URI reference that identifies the problem type,
- // typically in a "urn:acme:error:xxx" form.
- Type string
- // Detail is a human-readable explanation specific to this occurrence of the problem.
- Detail string
- // Instance indicates a URL that the client should direct a human user to visit
- // in order for instructions on how to agree to the updated Terms of Service.
- // In such an event CA sets StatusCode to 403, Type to
- // "urn:ietf:params:acme:error:userActionRequired", and adds a Link header with relation
- // "terms-of-service" containing the latest TOS URL.
- Instance string
- // Identifier may contain the ACME identifier that the error is for.
- Identifier *AuthzID
-}
-
-func (sp Subproblem) String() string {
- str := fmt.Sprintf("%s: ", sp.Type)
- if sp.Identifier != nil {
- str += fmt.Sprintf("[%s: %s] ", sp.Identifier.Type, sp.Identifier.Value)
- }
- str += sp.Detail
- return str
-}
-
-// Error is an ACME error, defined in Problem Details for HTTP APIs doc
-// http://tools.ietf.org/html/draft-ietf-appsawg-http-problem.
-type Error struct {
- // StatusCode is The HTTP status code generated by the origin server.
- StatusCode int
- // ProblemType is a URI reference that identifies the problem type,
- // typically in a "urn:acme:error:xxx" form.
- ProblemType string
- // Detail is a human-readable explanation specific to this occurrence of the problem.
- Detail string
- // Instance indicates a URL that the client should direct a human user to visit
- // in order for instructions on how to agree to the updated Terms of Service.
- // In such an event CA sets StatusCode to 403, ProblemType to
- // "urn:ietf:params:acme:error:userActionRequired" and a Link header with relation
- // "terms-of-service" containing the latest TOS URL.
- Instance string
- // Header is the original server error response headers.
- // It may be nil.
- Header http.Header
- // Subproblems may contain more detailed information about the individual problems
- // that caused the error. This field is only sent by RFC 8555 compatible ACME
- // servers. Defined in RFC 8555 Section 6.7.1.
- Subproblems []Subproblem
-}
-
-func (e *Error) Error() string {
- str := fmt.Sprintf("%d %s: %s", e.StatusCode, e.ProblemType, e.Detail)
- if len(e.Subproblems) > 0 {
- str += fmt.Sprintf("; subproblems:")
- for _, sp := range e.Subproblems {
- str += fmt.Sprintf("\n\t%s", sp)
- }
- }
- return str
-}
-
-// AuthorizationError indicates that an authorization for an identifier
-// did not succeed.
-// It contains all errors from Challenge items of the failed Authorization.
-type AuthorizationError struct {
- // URI uniquely identifies the failed Authorization.
- URI string
-
- // Identifier is an AuthzID.Value of the failed Authorization.
- Identifier string
-
- // Errors is a collection of non-nil error values of Challenge items
- // of the failed Authorization.
- Errors []error
-}
-
-func (a *AuthorizationError) Error() string {
- e := make([]string, len(a.Errors))
- for i, err := range a.Errors {
- e[i] = err.Error()
- }
-
- if a.Identifier != "" {
- return fmt.Sprintf("acme: authorization error for %s: %s", a.Identifier, strings.Join(e, "; "))
- }
-
- return fmt.Sprintf("acme: authorization error: %s", strings.Join(e, "; "))
-}
-
-// OrderError is returned from Client's order related methods.
-// It indicates the order is unusable and the clients should start over with
-// AuthorizeOrder.
-//
-// The clients can still fetch the order object from CA using GetOrder
-// to inspect its state.
-type OrderError struct {
- OrderURL string
- Status string
-}
-
-func (oe *OrderError) Error() string {
- return fmt.Sprintf("acme: order %s status: %s", oe.OrderURL, oe.Status)
-}
-
-// RateLimit reports whether err represents a rate limit error and
-// any Retry-After duration returned by the server.
-//
-// See the following for more details on rate limiting:
-// https://tools.ietf.org/html/draft-ietf-acme-acme-05#section-5.6
-func RateLimit(err error) (time.Duration, bool) {
- e, ok := err.(*Error)
- if !ok {
- return 0, false
- }
- // Some CA implementations may return incorrect values.
- // Use case-insensitive comparison.
- if !strings.HasSuffix(strings.ToLower(e.ProblemType), ":ratelimited") {
- return 0, false
- }
- if e.Header == nil {
- return 0, true
- }
- return retryAfter(e.Header.Get("Retry-After")), true
-}
-
-// Account is a user account. It is associated with a private key.
-// Non-RFC 8555 fields are empty when interfacing with a compliant CA.
-type Account struct {
- // URI is the account unique ID, which is also a URL used to retrieve
- // account data from the CA.
- // When interfacing with RFC 8555-compliant CAs, URI is the "kid" field
- // value in JWS signed requests.
- URI string
-
- // Contact is a slice of contact info used during registration.
- // See https://tools.ietf.org/html/rfc8555#section-7.3 for supported
- // formats.
- Contact []string
-
- // Status indicates current account status as returned by the CA.
- // Possible values are StatusValid, StatusDeactivated, and StatusRevoked.
- Status string
-
- // OrdersURL is a URL from which a list of orders submitted by this account
- // can be fetched.
- OrdersURL string
-
- // The terms user has agreed to.
- // A value not matching CurrentTerms indicates that the user hasn't agreed
- // to the actual Terms of Service of the CA.
- //
- // It is non-RFC 8555 compliant. Package users can store the ToS they agree to
- // during Client's Register call in the prompt callback function.
- AgreedTerms string
-
- // Actual terms of a CA.
- //
- // It is non-RFC 8555 compliant. Use Directory's Terms field.
- // When a CA updates their terms and requires an account agreement,
- // a URL at which instructions to do so is available in Error's Instance field.
- CurrentTerms string
-
- // Authz is the authorization URL used to initiate a new authz flow.
- //
- // It is non-RFC 8555 compliant. Use Directory's AuthzURL or OrderURL.
- Authz string
-
- // Authorizations is a URI from which a list of authorizations
- // granted to this account can be fetched via a GET request.
- //
- // It is non-RFC 8555 compliant and is obsoleted by OrdersURL.
- Authorizations string
-
- // Certificates is a URI from which a list of certificates
- // issued for this account can be fetched via a GET request.
- //
- // It is non-RFC 8555 compliant and is obsoleted by OrdersURL.
- Certificates string
-
- // ExternalAccountBinding represents an arbitrary binding to an account of
- // the CA which the ACME server is tied to.
- // See https://tools.ietf.org/html/rfc8555#section-7.3.4 for more details.
- ExternalAccountBinding *ExternalAccountBinding
-}
-
-// ExternalAccountBinding contains the data needed to form a request with
-// an external account binding.
-// See https://tools.ietf.org/html/rfc8555#section-7.3.4 for more details.
-type ExternalAccountBinding struct {
- // KID is the Key ID of the symmetric MAC key that the CA provides to
- // identify an external account from ACME.
- KID string
-
- // Key is the bytes of the symmetric key that the CA provides to identify
- // the account. Key must correspond to the KID.
- Key []byte
-}
-
-func (e *ExternalAccountBinding) String() string {
- return fmt.Sprintf("&{KID: %q, Key: redacted}", e.KID)
-}
-
-// Directory is ACME server discovery data.
-// See https://tools.ietf.org/html/rfc8555#section-7.1.1 for more details.
-type Directory struct {
- // NonceURL indicates an endpoint where to fetch fresh nonce values from.
- NonceURL string
-
- // RegURL is an account endpoint URL, allowing for creating new accounts.
- // Pre-RFC 8555 CAs also allow modifying existing accounts at this URL.
- RegURL string
-
- // OrderURL is used to initiate the certificate issuance flow
- // as described in RFC 8555.
- OrderURL string
-
- // AuthzURL is used to initiate identifier pre-authorization flow.
- // Empty string indicates the flow is unsupported by the CA.
- AuthzURL string
-
- // CertURL is a new certificate issuance endpoint URL.
- // It is non-RFC 8555 compliant and is obsoleted by OrderURL.
- CertURL string
-
- // RevokeURL is used to initiate a certificate revocation flow.
- RevokeURL string
-
- // KeyChangeURL allows to perform account key rollover flow.
- KeyChangeURL string
-
- // Terms is a URI identifying the current terms of service.
- Terms string
-
- // Website is an HTTP or HTTPS URL locating a website
- // providing more information about the ACME server.
- Website string
-
- // CAA consists of lowercase hostname elements, which the ACME server
- // recognises as referring to itself for the purposes of CAA record validation
- // as defined in RFC 6844.
- CAA []string
-
- // ExternalAccountRequired indicates that the CA requires for all account-related
- // requests to include external account binding information.
- ExternalAccountRequired bool
-}
-
-// Order represents a client's request for a certificate.
-// It tracks the request flow progress through to issuance.
-type Order struct {
- // URI uniquely identifies an order.
- URI string
-
- // Status represents the current status of the order.
- // It indicates which action the client should take.
- //
- // Possible values are StatusPending, StatusReady, StatusProcessing, StatusValid and StatusInvalid.
- // Pending means the CA does not believe that the client has fulfilled the requirements.
- // Ready indicates that the client has fulfilled all the requirements and can submit a CSR
- // to obtain a certificate. This is done with Client's CreateOrderCert.
- // Processing means the certificate is being issued.
- // Valid indicates the CA has issued the certificate.
It can be downloaded
- // from the Order's CertURL. This is done with Client's FetchCert.
- // Invalid means the certificate will not be issued. Users should consider this order
- // abandoned.
- Status string
-
- // Expires is the timestamp after which CA considers this order invalid.
- Expires time.Time
-
- // Identifiers contains all identifier objects which the order pertains to.
- Identifiers []AuthzID
-
- // NotBefore is the requested value of the notBefore field in the certificate.
- NotBefore time.Time
-
- // NotAfter is the requested value of the notAfter field in the certificate.
- NotAfter time.Time
-
- // AuthzURLs represents authorizations to complete before a certificate
- // for identifiers specified in the order can be issued.
- // It also contains unexpired authorizations that the client has completed
- // in the past.
- //
- // Authorization objects can be fetched using Client's GetAuthorization method.
- //
- // The required authorizations are dictated by CA policies.
- // There may not be a 1:1 relationship between the identifiers and required authorizations.
- // Required authorizations can be identified by their StatusPending status.
- //
- // For orders in the StatusValid or StatusInvalid state these are the authorizations
- // which were completed.
- AuthzURLs []string
-
- // FinalizeURL is the endpoint at which a CSR is submitted to obtain a certificate
- // once all the authorizations are satisfied.
- FinalizeURL string
-
- // CertURL points to the certificate that has been issued in response to this order.
- CertURL string
-
- // The error that occurred while processing the order as received from a CA, if any.
- Error *Error
-}
-
-// OrderOption allows customizing Client.AuthorizeOrder call.
-type OrderOption interface {
- privateOrderOpt()
-}
-
-// WithOrderNotBefore sets order's NotBefore field.
-func WithOrderNotBefore(t time.Time) OrderOption {
- return orderNotBeforeOpt(t)
-}
-
-// WithOrderNotAfter sets order's NotAfter field.
-func WithOrderNotAfter(t time.Time) OrderOption {
- return orderNotAfterOpt(t)
-}
-
-type orderNotBeforeOpt time.Time
-
-func (orderNotBeforeOpt) privateOrderOpt() {}
-
-type orderNotAfterOpt time.Time
-
-func (orderNotAfterOpt) privateOrderOpt() {}
-
-// Authorization encodes an authorization response.
-type Authorization struct {
- // URI uniquely identifies a authorization.
- URI string
-
- // Status is the current status of an authorization.
- // Possible values are StatusPending, StatusValid, StatusInvalid, StatusDeactivated,
- // StatusExpired and StatusRevoked.
- Status string
-
- // Identifier is what the account is authorized to represent.
- Identifier AuthzID
-
- // The timestamp after which the CA considers the authorization invalid.
- Expires time.Time
-
- // Wildcard is true for authorizations of a wildcard domain name.
- Wildcard bool
-
- // Challenges that the client needs to fulfill in order to prove possession
- // of the identifier (for pending authorizations).
- // For valid authorizations, the challenge that was validated.
- // For invalid authorizations, the challenge that was attempted and failed.
- //
- // RFC 8555 compatible CAs require users to fuflfill only one of the challenges.
- Challenges []*Challenge
-
- // A collection of sets of challenges, each of which would be sufficient
- // to prove possession of the identifier.
- // Clients must complete a set of challenges that covers at least one set.
- // Challenges are identified by their indices in the challenges array.
- // If this field is empty, the client needs to complete all challenges.
- //
- // This field is unused in RFC 8555.
- Combinations [][]int
-}
-
-// AuthzID is an identifier that an account is authorized to represent.
-type AuthzID struct {
- Type string // The type of identifier, "dns" or "ip".
- Value string // The identifier itself, e.g. "example.org".
-}
-
-// DomainIDs creates a slice of AuthzID with "dns" identifier type.
-func DomainIDs(names ...string) []AuthzID {
- a := make([]AuthzID, len(names))
- for i, v := range names {
- a[i] = AuthzID{Type: "dns", Value: v}
- }
- return a
-}
-
-// IPIDs creates a slice of AuthzID with "ip" identifier type.
-// Each element of addr is textual form of an address as defined
-// in RFC 1123 Section 2.1 for IPv4 and in RFC 5952 Section 4 for IPv6.
-func IPIDs(addr ...string) []AuthzID {
- a := make([]AuthzID, len(addr))
- for i, v := range addr {
- a[i] = AuthzID{Type: "ip", Value: v}
- }
- return a
-}
-
-// wireAuthzID is ACME JSON representation of authorization identifier objects.
-type wireAuthzID struct {
- Type string `json:"type"`
- Value string `json:"value"`
-}
-
-// wireAuthz is ACME JSON representation of Authorization objects.
-type wireAuthz struct {
- Identifier wireAuthzID
- Status string
- Expires time.Time
- Wildcard bool
- Challenges []wireChallenge
- Combinations [][]int
- Error *wireError
-}
-
-func (z *wireAuthz) authorization(uri string) *Authorization {
- a := &Authorization{
- URI: uri,
- Status: z.Status,
- Identifier: AuthzID{Type: z.Identifier.Type, Value: z.Identifier.Value},
- Expires: z.Expires,
- Wildcard: z.Wildcard,
- Challenges: make([]*Challenge, len(z.Challenges)),
- Combinations: z.Combinations, // shallow copy
- }
- for i, v := range z.Challenges {
- a.Challenges[i] = v.challenge()
- }
- return a
-}
-
-func (z *wireAuthz) error(uri string) *AuthorizationError {
- err := &AuthorizationError{
- URI: uri,
- Identifier: z.Identifier.Value,
- }
-
- if z.Error != nil {
- err.Errors = append(err.Errors, z.Error.error(nil))
- }
-
- for _, raw := range z.Challenges {
- if raw.Error != nil {
- err.Errors = append(err.Errors, raw.Error.error(nil))
- }
- }
-
- return err
-}
-
-// Challenge encodes a returned CA challenge.
-// Its Error field may be non-nil if the challenge is part of an Authorization
-// with StatusInvalid.
-type Challenge struct {
- // Type is the challenge type, e.g.
"http-01", "tls-alpn-01", "dns-01".
- Type string
-
- // URI is where a challenge response can be posted to.
- URI string
-
- // Token is a random value that uniquely identifies the challenge.
- Token string
-
- // Status identifies the status of this challenge.
- // In RFC 8555, possible values are StatusPending, StatusProcessing, StatusValid,
- // and StatusInvalid.
- Status string
-
- // Validated is the time at which the CA validated this challenge.
- // Always zero value in pre-RFC 8555.
- Validated time.Time
-
- // Error indicates the reason for an authorization failure
- // when this challenge was used.
- // The type of a non-nil value is *Error.
- Error error
-
- // Payload is the JSON-formatted payload that the client sends
- // to the server to indicate it is ready to respond to the challenge.
- // When unset, it defaults to an empty JSON object: {}.
- // For most challenges, the client must not set Payload,
- // see https://tools.ietf.org/html/rfc8555#section-7.5.1.
- // Payload is used only for newer challenges (such as "device-attest-01")
- // where the client must send additional data for the server to validate
- // the challenge.
- Payload json.RawMessage
-}
-
-// wireChallenge is ACME JSON challenge representation.
-type wireChallenge struct {
- URL string `json:"url"` // RFC
- URI string `json:"uri"` // pre-RFC
- Type string
- Token string
- Status string
- Validated time.Time
- Error *wireError
-}
-
-func (c *wireChallenge) challenge() *Challenge {
- v := &Challenge{
- URI: c.URL,
- Type: c.Type,
- Token: c.Token,
- Status: c.Status,
- }
- if v.URI == "" {
- v.URI = c.URI // c.URL was empty; use legacy
- }
- if v.Status == "" {
- v.Status = StatusPending
- }
- if c.Error != nil {
- v.Error = c.Error.error(nil)
- }
- return v
-}
-
-// wireError is a subset of fields of the Problem Details object
-// as described in https://tools.ietf.org/html/rfc7807#section-3.1.
-type wireError struct {
- Status int
- Type string
- Detail string
- Instance string
- Subproblems []Subproblem
-}
-
-func (e *wireError) error(h http.Header) *Error {
- err := &Error{
- StatusCode: e.Status,
- ProblemType: e.Type,
- Detail: e.Detail,
- Instance: e.Instance,
- Header: h,
- Subproblems: e.Subproblems,
- }
- return err
-}
-
-// CertOption is an optional argument type for the TLS ChallengeCert methods for
-// customizing a temporary certificate for TLS-based challenges.
-type CertOption interface {
- privateCertOpt()
-}
-
-// WithKey creates an option holding a private/public key pair.
-// The private part signs a certificate, and the public part represents the signee.
-func WithKey(key crypto.Signer) CertOption {
- return &certOptKey{key}
-}
-
-type certOptKey struct {
- key crypto.Signer
-}
-
-func (*certOptKey) privateCertOpt() {}
-
-// WithTemplate creates an option for specifying a certificate template.
-// See x509.CreateCertificate for template usage details.
-//
-// In TLS ChallengeCert methods, the template is also used as parent,
-// resulting in a self-signed certificate.
-// The DNSNames field of t is always overwritten for tls-sni challenge certs.
-func WithTemplate(t *x509.Certificate) CertOption {
- return (*certOptTemplate)(t)
-}
-
-type certOptTemplate x509.Certificate
-
-func (*certOptTemplate) privateCertOpt() {}
diff --git a/vendor/golang.org/x/crypto/argon2/argon2.go b/vendor/golang.org/x/crypto/argon2/argon2.go
deleted file mode 100644
index 29f0a2de4..000000000
--- a/vendor/golang.org/x/crypto/argon2/argon2.go
+++ /dev/null
@@ -1,283 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package argon2 implements the key derivation function Argon2.
-// Argon2 was selected as the winner of the Password Hashing Competition and can
-// be used to derive cryptographic keys from passwords.
-//
-// For a detailed specification of Argon2 see [1].
-//
-// If you aren't sure which function you need, use Argon2id (IDKey) and
-// the parameter recommendations for your scenario.
-//
-// # Argon2i
-//
-// Argon2i (implemented by Key) is the side-channel resistant version of Argon2.
-// It uses data-independent memory access, which is preferred for password
-// hashing and password-based key derivation. Argon2i requires more passes over
-// memory than Argon2id to protect from trade-off attacks. The recommended
-// parameters (taken from [2]) for non-interactive operations are time=3 and to
-// use the maximum available memory.
-//
-// # Argon2id
-//
-// Argon2id (implemented by IDKey) is a hybrid version of Argon2 combining
-// Argon2i and Argon2d. It uses data-independent memory access for the first
-// half of the first iteration over the memory and data-dependent memory access
-// for the rest. Argon2id is side-channel resistant and provides better brute-
-// force cost savings due to time-memory tradeoffs than Argon2i. The recommended
-// parameters for non-interactive operations (taken from [2]) are time=1 and to
-// use the maximum available memory.
-//
-// [1] https://github.com/P-H-C/phc-winner-argon2/blob/master/argon2-specs.pdf
-// [2] https://tools.ietf.org/html/draft-irtf-cfrg-argon2-03#section-9.3
-package argon2
-
-import (
- "encoding/binary"
- "sync"
-
- "golang.org/x/crypto/blake2b"
-)
-
-// The Argon2 version implemented by this package.
-const Version = 0x13
-
-const (
- argon2d = iota
- argon2i
- argon2id
-)
-
-// Key derives a key from the password, salt, and cost parameters using Argon2i
-// returning a byte slice of length keyLen that can be used as cryptographic
-// key. The CPU cost and parallelism degree must be greater than zero.
-//
-// For example, you can get a derived key for e.g. AES-256 (which needs a
-// 32-byte key) by doing:
-//
-// key := argon2.Key([]byte("some password"), salt, 3, 32*1024, 4, 32)
-//
-// The draft RFC recommends[2] time=3, and memory=32*1024 is a sensible number.
-// If using that amount of memory (32 MB) is not possible in some contexts then
-// the time parameter can be increased to compensate.
-//
-// The time parameter specifies the number of passes over the memory and the
-// memory parameter specifies the size of the memory in KiB. For example
-// memory=32*1024 sets the memory cost to ~32 MB. The number of threads can be
-// adjusted to the number of available CPUs. The cost parameters should be
-// increased as memory latency and CPU parallelism increases. Remember to get a
-// good random salt.
-func Key(password, salt []byte, time, memory uint32, threads uint8, keyLen uint32) []byte {
- return deriveKey(argon2i, password, salt, nil, nil, time, memory, threads, keyLen)
-}
-
-// IDKey derives a key from the password, salt, and cost parameters using
-// Argon2id returning a byte slice of length keyLen that can be used as
-// cryptographic key. The CPU cost and parallelism degree must be greater than
-// zero.
-//
-// For example, you can get a derived key for e.g. AES-256 (which needs a
-// 32-byte key) by doing:
-//
-// key := argon2.IDKey([]byte("some password"), salt, 1, 64*1024, 4, 32)
-//
-// The draft RFC recommends[2] time=1, and memory=64*1024 is a sensible number.
-// If using that amount of memory (64 MB) is not possible in some contexts then
-// the time parameter can be increased to compensate.
-//
-// The time parameter specifies the number of passes over the memory and the
-// memory parameter specifies the size of the memory in KiB. For example
-// memory=64*1024 sets the memory cost to ~64 MB. The number of threads can be
-// adjusted to the numbers of available CPUs. The cost parameters should be
-// increased as memory latency and CPU parallelism increases. Remember to get a
-// good random salt.
-func IDKey(password, salt []byte, time, memory uint32, threads uint8, keyLen uint32) []byte {
- return deriveKey(argon2id, password, salt, nil, nil, time, memory, threads, keyLen)
-}
-
-func deriveKey(mode int, password, salt, secret, data []byte, time, memory uint32, threads uint8, keyLen uint32) []byte {
- if time < 1 {
- panic("argon2: number of rounds too small")
- }
- if threads < 1 {
- panic("argon2: parallelism degree too low")
- }
- h0 := initHash(password, salt, secret, data, time, memory, uint32(threads), keyLen, mode)
-
- memory = memory / (syncPoints * uint32(threads)) * (syncPoints * uint32(threads))
- if memory < 2*syncPoints*uint32(threads) {
- memory = 2 * syncPoints * uint32(threads)
- }
- B := initBlocks(&h0, memory, uint32(threads))
- processBlocks(B, time, memory, uint32(threads), mode)
- return extractKey(B, memory, uint32(threads), keyLen)
-}
-
-const (
- blockLength = 128
- syncPoints = 4
-)
-
-type block [blockLength]uint64
-
-func initHash(password, salt, key, data []byte, time, memory, threads, keyLen uint32, mode int) [blake2b.Size + 8]byte {
- var (
- h0 [blake2b.Size + 8]byte
- params [24]byte
- tmp [4]byte
- )
-
- b2, _ := blake2b.New512(nil)
- binary.LittleEndian.PutUint32(params[0:4], threads)
- binary.LittleEndian.PutUint32(params[4:8], keyLen)
- binary.LittleEndian.PutUint32(params[8:12], memory)
- binary.LittleEndian.PutUint32(params[12:16], time)
- binary.LittleEndian.PutUint32(params[16:20], uint32(Version))
- binary.LittleEndian.PutUint32(params[20:24], uint32(mode))
- b2.Write(params[:])
-
binary.LittleEndian.PutUint32(tmp[:], uint32(len(password)))
- b2.Write(tmp[:])
- b2.Write(password)
- binary.LittleEndian.PutUint32(tmp[:], uint32(len(salt)))
- b2.Write(tmp[:])
- b2.Write(salt)
- binary.LittleEndian.PutUint32(tmp[:], uint32(len(key)))
- b2.Write(tmp[:])
- b2.Write(key)
- binary.LittleEndian.PutUint32(tmp[:], uint32(len(data)))
- b2.Write(tmp[:])
- b2.Write(data)
- b2.Sum(h0[:0])
- return h0
-}
-
-func initBlocks(h0 *[blake2b.Size + 8]byte, memory, threads uint32) []block {
- var block0 [1024]byte
- B := make([]block, memory)
- for lane := uint32(0); lane < threads; lane++ {
- j := lane * (memory / threads)
- binary.LittleEndian.PutUint32(h0[blake2b.Size+4:], lane)
-
- binary.LittleEndian.PutUint32(h0[blake2b.Size:], 0)
- blake2bHash(block0[:], h0[:])
- for i := range B[j+0] {
- B[j+0][i] = binary.LittleEndian.Uint64(block0[i*8:])
- }
-
- binary.LittleEndian.PutUint32(h0[blake2b.Size:], 1)
- blake2bHash(block0[:], h0[:])
- for i := range B[j+1] {
- B[j+1][i] = binary.LittleEndian.Uint64(block0[i*8:])
- }
- }
- return B
-}
-
-func processBlocks(B []block, time, memory, threads uint32, mode int) {
- lanes := memory / threads
- segments := lanes / syncPoints
-
- processSegment := func(n, slice, lane uint32, wg *sync.WaitGroup) {
- var addresses, in, zero block
- if mode == argon2i || (mode == argon2id && n == 0 && slice < syncPoints/2) {
- in[0] = uint64(n)
- in[1] = uint64(lane)
- in[2] = uint64(slice)
- in[3] = uint64(memory)
- in[4] = uint64(time)
- in[5] = uint64(mode)
- }
-
- index := uint32(0)
- if n == 0 && slice == 0 {
- index = 2 // we have already generated the first two blocks
- if mode == argon2i || mode == argon2id {
- in[6]++
- processBlock(&addresses, &in, &zero)
- processBlock(&addresses, &addresses, &zero)
- }
- }
-
- offset := lane*lanes + slice*segments + index
- var random uint64
- for index < segments {
- prev := offset - 1
- if index == 0 && slice == 0 {
- prev += lanes // last block in lane
- }
- if mode == argon2i || (mode ==
argon2id && n == 0 && slice < syncPoints/2) {
- if index%blockLength == 0 {
- in[6]++
- processBlock(&addresses, &in, &zero)
- processBlock(&addresses, &addresses, &zero)
- }
- random = addresses[index%blockLength]
- } else {
- random = B[prev][0]
- }
- newOffset := indexAlpha(random, lanes, segments, threads, n, slice, lane, index)
- processBlockXOR(&B[offset], &B[prev], &B[newOffset])
- index, offset = index+1, offset+1
- }
- wg.Done()
- }
-
- for n := uint32(0); n < time; n++ {
- for slice := uint32(0); slice < syncPoints; slice++ {
- var wg sync.WaitGroup
- for lane := uint32(0); lane < threads; lane++ {
- wg.Add(1)
- go processSegment(n, slice, lane, &wg)
- }
- wg.Wait()
- }
- }
-
-}
-
-func extractKey(B []block, memory, threads, keyLen uint32) []byte {
- lanes := memory / threads
- for lane := uint32(0); lane < threads-1; lane++ {
- for i, v := range B[(lane*lanes)+lanes-1] {
- B[memory-1][i] ^= v
- }
- }
-
- var block [1024]byte
- for i, v := range B[memory-1] {
- binary.LittleEndian.PutUint64(block[i*8:], v)
- }
- key := make([]byte, keyLen)
- blake2bHash(key, block[:])
- return key
-}
-
-func indexAlpha(rand uint64, lanes, segments, threads, n, slice, lane, index uint32) uint32 {
- refLane := uint32(rand>>32) % threads
- if n == 0 && slice == 0 {
- refLane = lane
- }
- m, s := 3*segments, ((slice+1)%syncPoints)*segments
- if lane == refLane {
- m += index
- }
- if n == 0 {
- m, s = slice*segments, 0
- if slice == 0 || lane == refLane {
- m += index
- }
- }
- if index == 0 || lane == refLane {
- m--
- }
- return phi(rand, uint64(m), uint64(s), refLane, lanes)
-}
-
-func phi(rand, m, s uint64, lane, lanes uint32) uint32 {
- p := rand & 0xFFFFFFFF
- p = (p * p) >> 32
- p = (p * m) >> 32
- return lane*lanes + uint32((s+m-(p+1))%uint64(lanes))
-}
diff --git a/vendor/golang.org/x/crypto/argon2/blake2b.go b/vendor/golang.org/x/crypto/argon2/blake2b.go
deleted file mode 100644
index 10f46948d..000000000
--- a/vendor/golang.org/x/crypto/argon2/blake2b.go
+++ /dev/null
@@ -1,53 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package argon2
-
-import (
- "encoding/binary"
- "hash"
-
- "golang.org/x/crypto/blake2b"
-)
-
-// blake2bHash computes an arbitrary long hash value of in
-// and writes the hash to out.
-func blake2bHash(out []byte, in []byte) {
- var b2 hash.Hash
- if n := len(out); n < blake2b.Size {
- b2, _ = blake2b.New(n, nil)
- } else {
- b2, _ = blake2b.New512(nil)
- }
-
- var buffer [blake2b.Size]byte
- binary.LittleEndian.PutUint32(buffer[:4], uint32(len(out)))
- b2.Write(buffer[:4])
- b2.Write(in)
-
- if len(out) <= blake2b.Size {
- b2.Sum(out[:0])
- return
- }
-
- outLen := len(out)
- b2.Sum(buffer[:0])
- b2.Reset()
- copy(out, buffer[:32])
- out = out[32:]
- for len(out) > blake2b.Size {
- b2.Write(buffer[:])
- b2.Sum(buffer[:0])
- copy(out, buffer[:32])
- out = out[32:]
- b2.Reset()
- }
-
- if outLen%blake2b.Size > 0 { // outLen > 64
- r := ((outLen + 31) / 32) - 2 // ⌈τ /32⌉-2
- b2, _ = blake2b.New(outLen-32*r, nil)
- }
- b2.Write(buffer[:])
- b2.Sum(out[:0])
-}
diff --git a/vendor/golang.org/x/crypto/argon2/blamka_amd64.go b/vendor/golang.org/x/crypto/argon2/blamka_amd64.go
deleted file mode 100644
index 063e7784f..000000000
--- a/vendor/golang.org/x/crypto/argon2/blamka_amd64.go
+++ /dev/null
@@ -1,60 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build amd64 && gc && !purego
-
-package argon2
-
-import "golang.org/x/sys/cpu"
-
-func init() {
- useSSE4 = cpu.X86.HasSSE41
-}
-
-//go:noescape
-func mixBlocksSSE2(out, a, b, c *block)
-
-//go:noescape
-func xorBlocksSSE2(out, a, b, c *block)
-
-//go:noescape
-func blamkaSSE4(b *block)
-
-func processBlockSSE(out, in1, in2 *block, xor bool) {
- var t block
- mixBlocksSSE2(&t, in1, in2, &t)
- if useSSE4 {
- blamkaSSE4(&t)
- } else {
- for i := 0; i < blockLength; i += 16 {
- blamkaGeneric(
- &t[i+0], &t[i+1], &t[i+2], &t[i+3],
- &t[i+4], &t[i+5], &t[i+6], &t[i+7],
- &t[i+8], &t[i+9], &t[i+10], &t[i+11],
- &t[i+12], &t[i+13], &t[i+14], &t[i+15],
- )
- }
- for i := 0; i < blockLength/8; i += 2 {
- blamkaGeneric(
- &t[i], &t[i+1], &t[16+i], &t[16+i+1],
- &t[32+i], &t[32+i+1], &t[48+i], &t[48+i+1],
- &t[64+i], &t[64+i+1], &t[80+i], &t[80+i+1],
- &t[96+i], &t[96+i+1], &t[112+i], &t[112+i+1],
- )
- }
- }
- if xor {
- xorBlocksSSE2(out, in1, in2, &t)
- } else {
- mixBlocksSSE2(out, in1, in2, &t)
- }
-}
-
-func processBlock(out, in1, in2 *block) {
- processBlockSSE(out, in1, in2, false)
-}
-
-func processBlockXOR(out, in1, in2 *block) {
- processBlockSSE(out, in1, in2, true)
-}
diff --git a/vendor/golang.org/x/crypto/argon2/blamka_amd64.s b/vendor/golang.org/x/crypto/argon2/blamka_amd64.s
deleted file mode 100644
index c3895478e..000000000
--- a/vendor/golang.org/x/crypto/argon2/blamka_amd64.s
+++ /dev/null
@@ -1,2791 +0,0 @@ -// Code generated by command: go run blamka_amd64.go -out ../blamka_amd64.s -pkg argon2. DO NOT EDIT. - -//go:build amd64 && gc && !purego - -#include "textflag.h" - -// func blamkaSSE4(b *block) -// Requires: SSE2, SSSE3 -TEXT ·blamkaSSE4(SB), NOSPLIT, $0-8 - MOVQ b+0(FP), AX - MOVOU ·c40<>+0(SB), X10 - MOVOU ·c48<>+0(SB), X11 - MOVOU (AX), X0 - MOVOU 16(AX), X1 - MOVOU 32(AX), X2 - MOVOU 48(AX), X3 - MOVOU 64(AX), X4 - MOVOU 80(AX), X5 - MOVOU 96(AX), X6 - MOVOU 112(AX), X7 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, 
X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVOU X0, (AX) - MOVOU X1, 16(AX) - MOVOU X2, 32(AX) - MOVOU X3, 48(AX) - MOVOU X4, 64(AX) - MOVOU X5, 80(AX) - MOVOU X6, 96(AX) - MOVOU X7, 112(AX) - MOVOU 128(AX), X0 - MOVOU 144(AX), X1 - MOVOU 160(AX), X2 - MOVOU 176(AX), X3 - MOVOU 192(AX), X4 - MOVOU 208(AX), X5 - MOVOU 224(AX), X6 - MOVOU 240(AX), X7 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - 
PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVOU X0, 128(AX) - MOVOU X1, 144(AX) - MOVOU X2, 160(AX) - MOVOU X3, 176(AX) - MOVOU X4, 192(AX) - MOVOU X5, 208(AX) - MOVOU X6, 224(AX) - MOVOU X7, 240(AX) - MOVOU 256(AX), X0 - MOVOU 272(AX), X1 - MOVOU 288(AX), X2 - MOVOU 304(AX), X3 - MOVOU 320(AX), X4 - MOVOU 336(AX), X5 - MOVOU 352(AX), X6 - 
MOVOU 368(AX), X7 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - 
PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVOU X0, 256(AX) - MOVOU X1, 272(AX) - MOVOU X2, 288(AX) - MOVOU X3, 304(AX) - MOVOU X4, 320(AX) - MOVOU X5, 336(AX) - MOVOU X6, 352(AX) - MOVOU X7, 368(AX) - MOVOU 384(AX), X0 - MOVOU 400(AX), X1 - MOVOU 416(AX), X2 - MOVOU 432(AX), X3 - MOVOU 448(AX), X4 - MOVOU 464(AX), X5 - MOVOU 480(AX), X6 - MOVOU 496(AX), X7 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 
- MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVOU X0, 384(AX) - MOVOU X1, 400(AX) - MOVOU X2, 416(AX) - MOVOU X3, 432(AX) - MOVOU X4, 448(AX) - MOVOU X5, 464(AX) - MOVOU X6, 480(AX) - MOVOU X7, 496(AX) - MOVOU 512(AX), X0 - MOVOU 528(AX), X1 - MOVOU 544(AX), X2 - MOVOU 560(AX), X3 - MOVOU 576(AX), X4 - MOVOU 592(AX), X5 - MOVOU 608(AX), X6 - MOVOU 624(AX), X7 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ 
$0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVOU X0, 
512(AX) - MOVOU X1, 528(AX) - MOVOU X2, 544(AX) - MOVOU X3, 560(AX) - MOVOU X4, 576(AX) - MOVOU X5, 592(AX) - MOVOU X6, 608(AX) - MOVOU X7, 624(AX) - MOVOU 640(AX), X0 - MOVOU 656(AX), X1 - MOVOU 672(AX), X2 - MOVOU 688(AX), X3 - MOVOU 704(AX), X4 - MOVOU 720(AX), X5 - MOVOU 736(AX), X6 - MOVOU 752(AX), X7 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR 
X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVOU X0, 640(AX) - MOVOU X1, 656(AX) - MOVOU X2, 672(AX) - MOVOU X3, 688(AX) - MOVOU X4, 704(AX) - MOVOU X5, 720(AX) - MOVOU X6, 736(AX) - MOVOU X7, 752(AX) - MOVOU 768(AX), X0 - MOVOU 784(AX), X1 - MOVOU 800(AX), X2 - MOVOU 816(AX), X3 - MOVOU 832(AX), X4 - MOVOU 848(AX), X5 - MOVOU 864(AX), X6 - MOVOU 880(AX), X7 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - 
PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVOU X0, 768(AX) - MOVOU X1, 784(AX) - MOVOU X2, 800(AX) - MOVOU X3, 816(AX) - MOVOU X4, 832(AX) - MOVOU X5, 848(AX) - MOVOU X6, 864(AX) - MOVOU X7, 880(AX) - MOVOU 896(AX), X0 - MOVOU 912(AX), X1 - MOVOU 928(AX), X2 - MOVOU 944(AX), X3 - MOVOU 960(AX), X4 - MOVOU 976(AX), X5 - MOVOU 992(AX), X6 - MOVOU 1008(AX), X7 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - 
PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, 
X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVOU X0, 896(AX) - MOVOU X1, 912(AX) - MOVOU X2, 928(AX) - MOVOU X3, 944(AX) - MOVOU X4, 960(AX) - MOVOU X5, 976(AX) - MOVOU X6, 992(AX) - MOVOU X7, 1008(AX) - MOVOU (AX), X0 - MOVOU 128(AX), X1 - MOVOU 256(AX), X2 - MOVOU 384(AX), X3 - MOVOU 512(AX), X4 - MOVOU 640(AX), X5 - MOVOU 768(AX), X6 - MOVOU 896(AX), X7 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - 
PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVOU X0, (AX) - MOVOU X1, 128(AX) - MOVOU X2, 256(AX) - MOVOU X3, 384(AX) - MOVOU X4, 512(AX) - MOVOU X5, 640(AX) - MOVOU X6, 768(AX) - MOVOU X7, 896(AX) - MOVOU 16(AX), X0 - MOVOU 144(AX), X1 - MOVOU 272(AX), X2 - MOVOU 400(AX), X3 - MOVOU 528(AX), X4 - MOVOU 656(AX), X5 - MOVOU 784(AX), X6 - MOVOU 912(AX), X7 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - 
PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVOU X0, 16(AX) - MOVOU X1, 144(AX) - MOVOU X2, 272(AX) - MOVOU X3, 400(AX) - MOVOU X4, 528(AX) - MOVOU X5, 656(AX) - MOVOU X6, 784(AX) - MOVOU X7, 912(AX) - MOVOU 32(AX), X0 - MOVOU 160(AX), X1 
- MOVOU 288(AX), X2 - MOVOU 416(AX), X3 - MOVOU 544(AX), X4 - MOVOU 672(AX), X5 - MOVOU 800(AX), X6 - MOVOU 928(AX), X7 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ 
X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVOU X0, 32(AX) - MOVOU X1, 160(AX) - MOVOU X2, 288(AX) - MOVOU X3, 416(AX) - MOVOU X4, 544(AX) - MOVOU X5, 672(AX) - MOVOU X6, 800(AX) - MOVOU X7, 928(AX) - MOVOU 48(AX), X0 - MOVOU 176(AX), X1 - MOVOU 304(AX), X2 - MOVOU 432(AX), X3 - MOVOU 560(AX), X4 - MOVOU 688(AX), X5 - MOVOU 816(AX), X6 - MOVOU 944(AX), X7 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - 
PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVOU X0, 48(AX) - MOVOU X1, 176(AX) - MOVOU X2, 304(AX) - MOVOU X3, 432(AX) - MOVOU X4, 560(AX) - MOVOU X5, 688(AX) - MOVOU X6, 816(AX) - MOVOU X7, 944(AX) - MOVOU 64(AX), X0 - MOVOU 192(AX), X1 - MOVOU 320(AX), X2 - MOVOU 448(AX), X3 - MOVOU 576(AX), X4 - MOVOU 704(AX), X5 - MOVOU 832(AX), X6 - MOVOU 960(AX), X7 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - 
PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 
- PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVOU X0, 64(AX) - MOVOU X1, 192(AX) - MOVOU X2, 320(AX) - MOVOU X3, 448(AX) - MOVOU X4, 576(AX) - MOVOU X5, 704(AX) - MOVOU X6, 832(AX) - MOVOU X7, 960(AX) - MOVOU 80(AX), X0 - MOVOU 208(AX), X1 - MOVOU 336(AX), X2 - MOVOU 464(AX), X3 - MOVOU 592(AX), X4 - MOVOU 720(AX), X5 - MOVOU 848(AX), X6 - MOVOU 976(AX), X7 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ 
X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVOU X0, 80(AX) - MOVOU X1, 208(AX) - MOVOU X2, 336(AX) - MOVOU X3, 464(AX) - MOVOU X4, 592(AX) - MOVOU X5, 720(AX) - MOVOU X6, 848(AX) - MOVOU X7, 976(AX) - MOVOU 96(AX), X0 - MOVOU 224(AX), X1 - MOVOU 352(AX), X2 - MOVOU 480(AX), X3 - MOVOU 608(AX), X4 - MOVOU 736(AX), X5 - MOVOU 864(AX), X6 - MOVOU 992(AX), X7 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - 
PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVOU X0, 96(AX) - MOVOU X1, 224(AX) - MOVOU X2, 352(AX) - MOVOU X3, 480(AX) - MOVOU X4, 608(AX) - MOVOU X5, 736(AX) - MOVOU X6, 864(AX) - MOVOU X7, 992(AX) - MOVOU 112(AX), X0 - MOVOU 240(AX), X1 - MOVOU 368(AX), X2 - MOVOU 496(AX), X3 - MOVOU 624(AX), X4 - MOVOU 752(AX), X5 - MOVOU 880(AX), X6 - MOVOU 1008(AX), X7 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - 
PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFD $0xb1, X6, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - PSHUFB X10, X2 - MOVO X0, X8 - PMULULQ X2, X8 - PADDQ X2, X0 - PADDQ X8, X0 - PADDQ X8, X0 - PXOR X0, X6 - PSHUFB X11, X6 - MOVO X4, X8 - PMULULQ X6, X8 - PADDQ X6, X4 - PADDQ X8, X4 - PADDQ X8, X4 - PXOR X4, X2 - MOVO X2, X8 - PADDQ X2, X8 - PSRLQ $0x3f, X2 - PXOR X8, X2 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFD $0xb1, X7, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - PSHUFB X10, X3 - MOVO X1, X8 - PMULULQ X3, X8 - PADDQ X3, X1 - PADDQ X8, X1 - PADDQ X8, X1 - PXOR X1, X7 - PSHUFB X11, X7 - MOVO X5, X8 - PMULULQ X7, X8 - PADDQ X7, X5 - 
PADDQ X8, X5 - PADDQ X8, X5 - PXOR X5, X3 - MOVO X3, X8 - PADDQ X3, X8 - PSRLQ $0x3f, X3 - PXOR X8, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVOU X0, 112(AX) - MOVOU X1, 240(AX) - MOVOU X2, 368(AX) - MOVOU X3, 496(AX) - MOVOU X4, 624(AX) - MOVOU X5, 752(AX) - MOVOU X6, 880(AX) - MOVOU X7, 1008(AX) - RET - -DATA ·c40<>+0(SB)/8, $0x0201000706050403 -DATA ·c40<>+8(SB)/8, $0x0a09080f0e0d0c0b -GLOBL ·c40<>(SB), RODATA|NOPTR, $16 - -DATA ·c48<>+0(SB)/8, $0x0100070605040302 -DATA ·c48<>+8(SB)/8, $0x09080f0e0d0c0b0a -GLOBL ·c48<>(SB), RODATA|NOPTR, $16 - -// func mixBlocksSSE2(out *block, a *block, b *block, c *block) -// Requires: SSE2 -TEXT ·mixBlocksSSE2(SB), NOSPLIT, $0-32 - MOVQ out+0(FP), DX - MOVQ a+8(FP), AX - MOVQ b+16(FP), BX - MOVQ c+24(FP), CX - MOVQ $0x00000080, DI - -loop: - MOVOU (AX), X0 - MOVOU (BX), X1 - MOVOU (CX), X2 - PXOR X1, X0 - PXOR X2, X0 - MOVOU X0, (DX) - ADDQ $0x10, AX - ADDQ $0x10, BX - ADDQ $0x10, CX - ADDQ $0x10, DX - SUBQ $0x02, DI - JA loop - RET - -// func xorBlocksSSE2(out *block, a *block, b *block, c *block) -// Requires: SSE2 -TEXT ·xorBlocksSSE2(SB), NOSPLIT, $0-32 - MOVQ out+0(FP), DX - MOVQ a+8(FP), AX - MOVQ b+16(FP), BX - MOVQ c+24(FP), CX - MOVQ $0x00000080, DI - -loop: - MOVOU (AX), X0 - MOVOU (BX), X1 - MOVOU (CX), X2 - MOVOU (DX), X3 - PXOR X1, X0 - PXOR X2, X0 - PXOR X3, X0 - MOVOU X0, (DX) - ADDQ $0x10, AX - ADDQ $0x10, BX - ADDQ $0x10, CX - ADDQ $0x10, DX - SUBQ $0x02, DI - JA loop - RET diff --git a/vendor/golang.org/x/crypto/argon2/blamka_generic.go b/vendor/golang.org/x/crypto/argon2/blamka_generic.go deleted file mode 100644 index a481b2243..000000000 --- a/vendor/golang.org/x/crypto/argon2/blamka_generic.go +++ /dev/null 
@@ -1,163 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package argon2
-
-var useSSE4 bool
-
-func processBlockGeneric(out, in1, in2 *block, xor bool) {
- var t block
- for i := range t {
- t[i] = in1[i] ^ in2[i]
- }
- for i := 0; i < blockLength; i += 16 {
- blamkaGeneric(
- &t[i+0], &t[i+1], &t[i+2], &t[i+3],
- &t[i+4], &t[i+5], &t[i+6], &t[i+7],
- &t[i+8], &t[i+9], &t[i+10], &t[i+11],
- &t[i+12], &t[i+13], &t[i+14], &t[i+15],
- )
- }
- for i := 0; i < blockLength/8; i += 2 {
- blamkaGeneric(
- &t[i], &t[i+1], &t[16+i], &t[16+i+1],
- &t[32+i], &t[32+i+1], &t[48+i], &t[48+i+1],
- &t[64+i], &t[64+i+1], &t[80+i], &t[80+i+1],
- &t[96+i], &t[96+i+1], &t[112+i], &t[112+i+1],
- )
- }
- if xor {
- for i := range t {
- out[i] ^= in1[i] ^ in2[i] ^ t[i]
- }
- } else {
- for i := range t {
- out[i] = in1[i] ^ in2[i] ^ t[i]
- }
- }
-}
-
-func blamkaGeneric(t00, t01, t02, t03, t04, t05, t06, t07, t08, t09, t10, t11, t12, t13, t14, t15 *uint64) {
- v00, v01, v02, v03 := *t00, *t01, *t02, *t03
- v04, v05, v06, v07 := *t04, *t05, *t06, *t07
- v08, v09, v10, v11 := *t08, *t09, *t10, *t11
- v12, v13, v14, v15 := *t12, *t13, *t14, *t15
-
- v00 += v04 + 2*uint64(uint32(v00))*uint64(uint32(v04))
- v12 ^= v00
- v12 = v12>>32 | v12<<32
- v08 += v12 + 2*uint64(uint32(v08))*uint64(uint32(v12))
- v04 ^= v08
- v04 = v04>>24 | v04<<40
-
- v00 += v04 + 2*uint64(uint32(v00))*uint64(uint32(v04))
- v12 ^= v00
- v12 = v12>>16 | v12<<48
- v08 += v12 + 2*uint64(uint32(v08))*uint64(uint32(v12))
- v04 ^= v08
- v04 = v04>>63 | v04<<1
-
- v01 += v05 + 2*uint64(uint32(v01))*uint64(uint32(v05))
- v13 ^= v01
- v13 = v13>>32 | v13<<32
- v09 += v13 + 2*uint64(uint32(v09))*uint64(uint32(v13))
- v05 ^= v09
- v05 = v05>>24 | v05<<40
-
- v01 += v05 + 2*uint64(uint32(v01))*uint64(uint32(v05))
- v13 ^= v01
- v13 = v13>>16 | v13<<48
- v09 += v13 + 2*uint64(uint32(v09))*uint64(uint32(v13))
- v05 ^= v09
- v05 = v05>>63 | v05<<1
-
- v02 += v06 + 2*uint64(uint32(v02))*uint64(uint32(v06))
- v14 ^= v02
- v14 = v14>>32 | v14<<32
- v10 += v14 + 2*uint64(uint32(v10))*uint64(uint32(v14))
- v06 ^= v10
- v06 = v06>>24 | v06<<40
-
- v02 += v06 + 2*uint64(uint32(v02))*uint64(uint32(v06))
- v14 ^= v02
- v14 = v14>>16 | v14<<48
- v10 += v14 + 2*uint64(uint32(v10))*uint64(uint32(v14))
- v06 ^= v10
- v06 = v06>>63 | v06<<1
-
- v03 += v07 + 2*uint64(uint32(v03))*uint64(uint32(v07))
- v15 ^= v03
- v15 = v15>>32 | v15<<32
- v11 += v15 + 2*uint64(uint32(v11))*uint64(uint32(v15))
- v07 ^= v11
- v07 = v07>>24 | v07<<40
-
- v03 += v07 + 2*uint64(uint32(v03))*uint64(uint32(v07))
- v15 ^= v03
- v15 = v15>>16 | v15<<48
- v11 += v15 + 2*uint64(uint32(v11))*uint64(uint32(v15))
- v07 ^= v11
- v07 = v07>>63 | v07<<1
-
- v00 += v05 + 2*uint64(uint32(v00))*uint64(uint32(v05))
- v15 ^= v00
- v15 = v15>>32 | v15<<32
- v10 += v15 + 2*uint64(uint32(v10))*uint64(uint32(v15))
- v05 ^= v10
- v05 = v05>>24 | v05<<40
-
- v00 += v05 + 2*uint64(uint32(v00))*uint64(uint32(v05))
- v15 ^= v00
- v15 = v15>>16 | v15<<48
- v10 += v15 + 2*uint64(uint32(v10))*uint64(uint32(v15))
- v05 ^= v10
- v05 = v05>>63 | v05<<1
-
- v01 += v06 + 2*uint64(uint32(v01))*uint64(uint32(v06))
- v12 ^= v01
- v12 = v12>>32 | v12<<32
- v11 += v12 + 2*uint64(uint32(v11))*uint64(uint32(v12))
- v06 ^= v11
- v06 = v06>>24 | v06<<40
-
- v01 += v06 + 2*uint64(uint32(v01))*uint64(uint32(v06))
- v12 ^= v01
- v12 = v12>>16 | v12<<48
- v11 += v12 + 2*uint64(uint32(v11))*uint64(uint32(v12))
- v06 ^= v11
- v06 = v06>>63 | v06<<1
-
- v02 += v07 + 2*uint64(uint32(v02))*uint64(uint32(v07))
- v13 ^= v02
- v13 = v13>>32 | v13<<32
- v08 += v13 + 2*uint64(uint32(v08))*uint64(uint32(v13))
- v07 ^= v08
- v07 = v07>>24 | v07<<40
-
- v02 += v07 + 2*uint64(uint32(v02))*uint64(uint32(v07))
- v13 ^= v02
- v13 = v13>>16 | v13<<48
- v08 += v13 + 2*uint64(uint32(v08))*uint64(uint32(v13))
- v07 ^= v08
- v07 = v07>>63 | v07<<1
-
- v03 += v04 + 2*uint64(uint32(v03))*uint64(uint32(v04))
- v14 ^= v03
- v14 = v14>>32 | v14<<32
- v09 += v14 + 2*uint64(uint32(v09))*uint64(uint32(v14))
- v04 ^= v09
- v04 = v04>>24 | v04<<40
-
- v03 += v04 + 2*uint64(uint32(v03))*uint64(uint32(v04))
- v14 ^= v03
- v14 = v14>>16 | v14<<48
- v09 += v14 + 2*uint64(uint32(v09))*uint64(uint32(v14))
- v04 ^= v09
- v04 = v04>>63 | v04<<1
-
- *t00, *t01, *t02, *t03 = v00, v01, v02, v03
- *t04, *t05, *t06, *t07 = v04, v05, v06, v07
- *t08, *t09, *t10, *t11 = v08, v09, v10, v11
- *t12, *t13, *t14, *t15 = v12, v13, v14, v15
-}
diff --git a/vendor/golang.org/x/crypto/argon2/blamka_ref.go b/vendor/golang.org/x/crypto/argon2/blamka_ref.go
deleted file mode 100644
index 16d58c650..000000000
--- a/vendor/golang.org/x/crypto/argon2/blamka_ref.go
+++ /dev/null
@@ -1,15 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !amd64 || purego || !gc
-
-package argon2
-
-func processBlock(out, in1, in2 *block) {
- processBlockGeneric(out, in1, in2, false)
-}
-
-func processBlockXOR(out, in1, in2 *block) {
- processBlockGeneric(out, in1, in2, true)
-}
diff --git a/vendor/golang.org/x/crypto/bcrypt/base64.go b/vendor/golang.org/x/crypto/bcrypt/base64.go
deleted file mode 100644
index fc3116090..000000000
--- a/vendor/golang.org/x/crypto/bcrypt/base64.go
+++ /dev/null
@@ -1,35 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package bcrypt
-
-import "encoding/base64"
-
-const alphabet = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
-
-var bcEncoding = base64.NewEncoding(alphabet)
-
-func base64Encode(src []byte) []byte {
- n := bcEncoding.EncodedLen(len(src))
- dst := make([]byte, n)
- bcEncoding.Encode(dst, src)
- for dst[n-1] == '=' {
- n--
- }
- return dst[:n]
-}
-
-func base64Decode(src []byte) ([]byte, error) {
- numOfEquals := 4 - (len(src) % 4)
- for i := 0; i < numOfEquals; i++ {
- src = append(src, '=')
- }
-
- dst := make([]byte, bcEncoding.DecodedLen(len(src)))
- n, err := bcEncoding.Decode(dst, src)
- if err != nil {
- return nil, err
- }
- return dst[:n], nil
-}
diff --git a/vendor/golang.org/x/crypto/bcrypt/bcrypt.go b/vendor/golang.org/x/crypto/bcrypt/bcrypt.go
deleted file mode 100644
index dc9311870..000000000
--- a/vendor/golang.org/x/crypto/bcrypt/bcrypt.go
+++ /dev/null
@@ -1,304 +0,0 @@ -// Copyright 2011 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package bcrypt implements Provos and Mazières's bcrypt adaptive hashing -// algorithm. See http://www.usenix.org/event/usenix99/provos/provos.pdf -package bcrypt - -// The code is a port of Provos and Mazières's C implementation. -import ( - "crypto/rand" - "crypto/subtle" - "errors" - "fmt" - "io" - "strconv" - - "golang.org/x/crypto/blowfish" -) - -const ( - MinCost int = 4 // the minimum allowable cost as passed in to GenerateFromPassword - MaxCost int = 31 // the maximum allowable cost as passed in to GenerateFromPassword - DefaultCost int = 10 // the cost that will actually be set if a cost below MinCost is passed into GenerateFromPassword -) - -// The error returned from CompareHashAndPassword when a password and hash do -// not match. -var ErrMismatchedHashAndPassword = errors.New("crypto/bcrypt: hashedPassword is not the hash of the given password") - -// The error returned from CompareHashAndPassword when a hash is too short to -// be a bcrypt hash. -var ErrHashTooShort = errors.New("crypto/bcrypt: hashedSecret too short to be a bcrypted password") - -// The error returned from CompareHashAndPassword when a hash was created with -// a bcrypt algorithm newer than this implementation. 
-type HashVersionTooNewError byte - -func (hv HashVersionTooNewError) Error() string { - return fmt.Sprintf("crypto/bcrypt: bcrypt algorithm version '%c' requested is newer than current version '%c'", byte(hv), majorVersion) -} - -// The error returned from CompareHashAndPassword when a hash starts with something other than '$' -type InvalidHashPrefixError byte - -func (ih InvalidHashPrefixError) Error() string { - return fmt.Sprintf("crypto/bcrypt: bcrypt hashes must start with '$', but hashedSecret started with '%c'", byte(ih)) -} - -type InvalidCostError int - -func (ic InvalidCostError) Error() string { - return fmt.Sprintf("crypto/bcrypt: cost %d is outside allowed range (%d,%d)", int(ic), MinCost, MaxCost) -} - -const ( - majorVersion = '2' - minorVersion = 'a' - maxSaltSize = 16 - maxCryptedHashSize = 23 - encodedSaltSize = 22 - encodedHashSize = 31 - minHashSize = 59 -) - -// magicCipherData is an IV for the 64 Blowfish encryption calls in -// bcrypt(). It's the string "OrpheanBeholderScryDoubt" in big-endian bytes. -var magicCipherData = []byte{ - 0x4f, 0x72, 0x70, 0x68, - 0x65, 0x61, 0x6e, 0x42, - 0x65, 0x68, 0x6f, 0x6c, - 0x64, 0x65, 0x72, 0x53, - 0x63, 0x72, 0x79, 0x44, - 0x6f, 0x75, 0x62, 0x74, -} - -type hashed struct { - hash []byte - salt []byte - cost int // allowed range is MinCost to MaxCost - major byte - minor byte -} - -// ErrPasswordTooLong is returned when the password passed to -// GenerateFromPassword is too long (i.e. > 72 bytes). -var ErrPasswordTooLong = errors.New("bcrypt: password length exceeds 72 bytes") - -// GenerateFromPassword returns the bcrypt hash of the password at the given -// cost. If the cost given is less than MinCost, the cost will be set to -// DefaultCost, instead. Use CompareHashAndPassword, as defined in this package, -// to compare the returned hashed password with its cleartext version. 
-// GenerateFromPassword does not accept passwords longer than 72 bytes, which -// is the longest password bcrypt will operate on. -func GenerateFromPassword(password []byte, cost int) ([]byte, error) { - if len(password) > 72 { - return nil, ErrPasswordTooLong - } - p, err := newFromPassword(password, cost) - if err != nil { - return nil, err - } - return p.Hash(), nil -} - -// CompareHashAndPassword compares a bcrypt hashed password with its possible -// plaintext equivalent. Returns nil on success, or an error on failure. -func CompareHashAndPassword(hashedPassword, password []byte) error { - p, err := newFromHash(hashedPassword) - if err != nil { - return err - } - - otherHash, err := bcrypt(password, p.cost, p.salt) - if err != nil { - return err - } - - otherP := &hashed{otherHash, p.salt, p.cost, p.major, p.minor} - if subtle.ConstantTimeCompare(p.Hash(), otherP.Hash()) == 1 { - return nil - } - - return ErrMismatchedHashAndPassword -} - -// Cost returns the hashing cost used to create the given hashed -// password. When, in the future, the hashing cost of a password system needs -// to be increased in order to adjust for greater computational power, this -// function allows one to establish which passwords need to be updated. 
-func Cost(hashedPassword []byte) (int, error) { - p, err := newFromHash(hashedPassword) - if err != nil { - return 0, err - } - return p.cost, nil -} - -func newFromPassword(password []byte, cost int) (*hashed, error) { - if cost < MinCost { - cost = DefaultCost - } - p := new(hashed) - p.major = majorVersion - p.minor = minorVersion - - err := checkCost(cost) - if err != nil { - return nil, err - } - p.cost = cost - - unencodedSalt := make([]byte, maxSaltSize) - _, err = io.ReadFull(rand.Reader, unencodedSalt) - if err != nil { - return nil, err - } - - p.salt = base64Encode(unencodedSalt) - hash, err := bcrypt(password, p.cost, p.salt) - if err != nil { - return nil, err - } - p.hash = hash - return p, err -} - -func newFromHash(hashedSecret []byte) (*hashed, error) { - if len(hashedSecret) < minHashSize { - return nil, ErrHashTooShort - } - p := new(hashed) - n, err := p.decodeVersion(hashedSecret) - if err != nil { - return nil, err - } - hashedSecret = hashedSecret[n:] - n, err = p.decodeCost(hashedSecret) - if err != nil { - return nil, err - } - hashedSecret = hashedSecret[n:] - - // The "+2" is here because we'll have to append at most 2 '=' to the salt - // when base64 decoding it in expensiveBlowfishSetup(). - p.salt = make([]byte, encodedSaltSize, encodedSaltSize+2) - copy(p.salt, hashedSecret[:encodedSaltSize]) - - hashedSecret = hashedSecret[encodedSaltSize:] - p.hash = make([]byte, len(hashedSecret)) - copy(p.hash, hashedSecret) - - return p, nil -} - -func bcrypt(password []byte, cost int, salt []byte) ([]byte, error) { - cipherData := make([]byte, len(magicCipherData)) - copy(cipherData, magicCipherData) - - c, err := expensiveBlowfishSetup(password, uint32(cost), salt) - if err != nil { - return nil, err - } - - for i := 0; i < 24; i += 8 { - for j := 0; j < 64; j++ { - c.Encrypt(cipherData[i:i+8], cipherData[i:i+8]) - } - } - - // Bug compatibility with C bcrypt implementations. We only encode 23 of - // the 24 bytes encrypted. 
- hsh := base64Encode(cipherData[:maxCryptedHashSize]) - return hsh, nil -} - -func expensiveBlowfishSetup(key []byte, cost uint32, salt []byte) (*blowfish.Cipher, error) { - csalt, err := base64Decode(salt) - if err != nil { - return nil, err - } - - // Bug compatibility with C bcrypt implementations. They use the trailing - // NULL in the key string during expansion. - // We copy the key to prevent changing the underlying array. - ckey := append(key[:len(key):len(key)], 0) - - c, err := blowfish.NewSaltedCipher(ckey, csalt) - if err != nil { - return nil, err - } - - var i, rounds uint64 - rounds = 1 << cost - for i = 0; i < rounds; i++ { - blowfish.ExpandKey(ckey, c) - blowfish.ExpandKey(csalt, c) - } - - return c, nil -} - -func (p *hashed) Hash() []byte { - arr := make([]byte, 60) - arr[0] = '$' - arr[1] = p.major - n := 2 - if p.minor != 0 { - arr[2] = p.minor - n = 3 - } - arr[n] = '$' - n++ - copy(arr[n:], []byte(fmt.Sprintf("%02d", p.cost))) - n += 2 - arr[n] = '$' - n++ - copy(arr[n:], p.salt) - n += encodedSaltSize - copy(arr[n:], p.hash) - n += encodedHashSize - return arr[:n] -} - -func (p *hashed) decodeVersion(sbytes []byte) (int, error) { - if sbytes[0] != '$' { - return -1, InvalidHashPrefixError(sbytes[0]) - } - if sbytes[1] > majorVersion { - return -1, HashVersionTooNewError(sbytes[1]) - } - p.major = sbytes[1] - n := 3 - if sbytes[2] != '$' { - p.minor = sbytes[2] - n++ - } - return n, nil -} - -// sbytes should begin where decodeVersion left off. 
-func (p *hashed) decodeCost(sbytes []byte) (int, error) { - cost, err := strconv.Atoi(string(sbytes[0:2])) - if err != nil { - return -1, err - } - err = checkCost(cost) - if err != nil { - return -1, err - } - p.cost = cost - return 3, nil -} - -func (p *hashed) String() string { - return fmt.Sprintf("&{hash: %#v, salt: %#v, cost: %d, major: %c, minor: %c}", string(p.hash), p.salt, p.cost, p.major, p.minor) -} - -func checkCost(cost int) error { - if cost < MinCost || cost > MaxCost { - return InvalidCostError(cost) - } - return nil -} diff --git a/vendor/golang.org/x/crypto/blake2b/blake2b.go b/vendor/golang.org/x/crypto/blake2b/blake2b.go deleted file mode 100644 index d2e98d429..000000000 --- a/vendor/golang.org/x/crypto/blake2b/blake2b.go +++ /dev/null 
@@ -1,291 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package blake2b implements the BLAKE2b hash algorithm defined by RFC 7693 -// and the extendable output function (XOF) BLAKE2Xb. -// -// BLAKE2b is optimized for 64-bit platforms—including NEON-enabled ARMs—and -// produces digests of any size between 1 and 64 bytes. -// For a detailed specification of BLAKE2b see https://blake2.net/blake2.pdf -// and for BLAKE2Xb see https://blake2.net/blake2x.pdf -// -// If you aren't sure which function you need, use BLAKE2b (Sum512 or New512). -// If you need a secret-key MAC (message authentication code), use the New512 -// function with a non-nil key. -// -// BLAKE2X is a construction to compute hash values larger than 64 bytes. It -// can produce hash values between 0 and 4 GiB. -package blake2b - -import ( - "encoding/binary" - "errors" - "hash" -) - -const ( - // The blocksize of BLAKE2b in bytes. - BlockSize = 128 - // The hash size of BLAKE2b-512 in bytes. - Size = 64 - // The hash size of BLAKE2b-384 in bytes. - Size384 = 48 - // The hash size of BLAKE2b-256 in bytes. - Size256 = 32 -) - -var ( - useAVX2 bool - useAVX bool - useSSE4 bool -) - -var ( - errKeySize = errors.New("blake2b: invalid key size") - errHashSize = errors.New("blake2b: invalid hash size") -) - -var iv = [8]uint64{ - 0x6a09e667f3bcc908, 0xbb67ae8584caa73b, 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1, - 0x510e527fade682d1, 0x9b05688c2b3e6c1f, 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179, -} - -// Sum512 returns the BLAKE2b-512 checksum of the data. -func Sum512(data []byte) [Size]byte { - var sum [Size]byte - checkSum(&sum, Size, data) - return sum -} - -// Sum384 returns the BLAKE2b-384 checksum of the data. 
-func Sum384(data []byte) [Size384]byte { - var sum [Size]byte - var sum384 [Size384]byte - checkSum(&sum, Size384, data) - copy(sum384[:], sum[:Size384]) - return sum384 -} - -// Sum256 returns the BLAKE2b-256 checksum of the data. -func Sum256(data []byte) [Size256]byte { - var sum [Size]byte - var sum256 [Size256]byte - checkSum(&sum, Size256, data) - copy(sum256[:], sum[:Size256]) - return sum256 -} - -// New512 returns a new hash.Hash computing the BLAKE2b-512 checksum. A non-nil -// key turns the hash into a MAC. The key must be between zero and 64 bytes long. -func New512(key []byte) (hash.Hash, error) { return newDigest(Size, key) } - -// New384 returns a new hash.Hash computing the BLAKE2b-384 checksum. A non-nil -// key turns the hash into a MAC. The key must be between zero and 64 bytes long. -func New384(key []byte) (hash.Hash, error) { return newDigest(Size384, key) } - -// New256 returns a new hash.Hash computing the BLAKE2b-256 checksum. A non-nil -// key turns the hash into a MAC. The key must be between zero and 64 bytes long. -func New256(key []byte) (hash.Hash, error) { return newDigest(Size256, key) } - -// New returns a new hash.Hash computing the BLAKE2b checksum with a custom length. -// A non-nil key turns the hash into a MAC. The key must be between zero and 64 bytes long. -// The hash size can be a value between 1 and 64 but it is highly recommended to use -// values equal or greater than: -// - 32 if BLAKE2b is used as a hash function (The key is zero bytes long). -// - 16 if BLAKE2b is used as a MAC function (The key is at least 16 bytes long). -// When the key is nil, the returned hash.Hash implements BinaryMarshaler -// and BinaryUnmarshaler for state (de)serialization as documented by hash.Hash. 
-func New(size int, key []byte) (hash.Hash, error) { return newDigest(size, key) } - -func newDigest(hashSize int, key []byte) (*digest, error) { - if hashSize < 1 || hashSize > Size { - return nil, errHashSize - } - if len(key) > Size { - return nil, errKeySize - } - d := &digest{ - size: hashSize, - keyLen: len(key), - } - copy(d.key[:], key) - d.Reset() - return d, nil -} - -func checkSum(sum *[Size]byte, hashSize int, data []byte) { - h := iv - h[0] ^= uint64(hashSize) | (1 << 16) | (1 << 24) - var c [2]uint64 - - if length := len(data); length > BlockSize { - n := length &^ (BlockSize - 1) - if length == n { - n -= BlockSize - } - hashBlocks(&h, &c, 0, data[:n]) - data = data[n:] - } - - var block [BlockSize]byte - offset := copy(block[:], data) - remaining := uint64(BlockSize - offset) - if c[0] < remaining { - c[1]-- - } - c[0] -= remaining - - hashBlocks(&h, &c, 0xFFFFFFFFFFFFFFFF, block[:]) - - for i, v := range h[:(hashSize+7)/8] { - binary.LittleEndian.PutUint64(sum[8*i:], v) - } -} - -type digest struct { - h [8]uint64 - c [2]uint64 - size int - block [BlockSize]byte - offset int - - key [BlockSize]byte - keyLen int -} - -const ( - magic = "b2b" - marshaledSize = len(magic) + 8*8 + 2*8 + 1 + BlockSize + 1 -) - -func (d *digest) MarshalBinary() ([]byte, error) { - if d.keyLen != 0 { - return nil, errors.New("crypto/blake2b: cannot marshal MACs") - } - b := make([]byte, 0, marshaledSize) - b = append(b, magic...) - for i := 0; i < 8; i++ { - b = appendUint64(b, d.h[i]) - } - b = appendUint64(b, d.c[0]) - b = appendUint64(b, d.c[1]) - // Maximum value for size is 64 - b = append(b, byte(d.size)) - b = append(b, d.block[:]...) 
- b = append(b, byte(d.offset)) - return b, nil -} - -func (d *digest) UnmarshalBinary(b []byte) error { - if len(b) < len(magic) || string(b[:len(magic)]) != magic { - return errors.New("crypto/blake2b: invalid hash state identifier") - } - if len(b) != marshaledSize { - return errors.New("crypto/blake2b: invalid hash state size") - } - b = b[len(magic):] - for i := 0; i < 8; i++ { - b, d.h[i] = consumeUint64(b) - } - b, d.c[0] = consumeUint64(b) - b, d.c[1] = consumeUint64(b) - d.size = int(b[0]) - b = b[1:] - copy(d.block[:], b[:BlockSize]) - b = b[BlockSize:] - d.offset = int(b[0]) - return nil -} - -func (d *digest) BlockSize() int { return BlockSize } - -func (d *digest) Size() int { return d.size } - -func (d *digest) Reset() { - d.h = iv - d.h[0] ^= uint64(d.size) | (uint64(d.keyLen) << 8) | (1 << 16) | (1 << 24) - d.offset, d.c[0], d.c[1] = 0, 0, 0 - if d.keyLen > 0 { - d.block = d.key - d.offset = BlockSize - } -} - -func (d *digest) Write(p []byte) (n int, err error) { - n = len(p) - - if d.offset > 0 { - remaining := BlockSize - d.offset - if n <= remaining { - d.offset += copy(d.block[d.offset:], p) - return - } - copy(d.block[d.offset:], p[:remaining]) - hashBlocks(&d.h, &d.c, 0, d.block[:]) - d.offset = 0 - p = p[remaining:] - } - - if length := len(p); length > BlockSize { - nn := length &^ (BlockSize - 1) - if length == nn { - nn -= BlockSize - } - hashBlocks(&d.h, &d.c, 0, p[:nn]) - p = p[nn:] - } - - if len(p) > 0 { - d.offset += copy(d.block[:], p) - } - - return -} - -func (d *digest) Sum(sum []byte) []byte { - var hash [Size]byte - d.finalize(&hash) - return append(sum, hash[:d.size]...) 
-} - -func (d *digest) finalize(hash *[Size]byte) { - var block [BlockSize]byte - copy(block[:], d.block[:d.offset]) - remaining := uint64(BlockSize - d.offset) - - c := d.c - if c[0] < remaining { - c[1]-- - } - c[0] -= remaining - - h := d.h - hashBlocks(&h, &c, 0xFFFFFFFFFFFFFFFF, block[:]) - - for i, v := range h { - binary.LittleEndian.PutUint64(hash[8*i:], v) - } -} - -func appendUint64(b []byte, x uint64) []byte { - var a [8]byte - binary.BigEndian.PutUint64(a[:], x) - return append(b, a[:]...) -} - -func appendUint32(b []byte, x uint32) []byte { - var a [4]byte - binary.BigEndian.PutUint32(a[:], x) - return append(b, a[:]...) -} - -func consumeUint64(b []byte) ([]byte, uint64) { - x := binary.BigEndian.Uint64(b) - return b[8:], x -} - -func consumeUint32(b []byte) ([]byte, uint32) { - x := binary.BigEndian.Uint32(b) - return b[4:], x -} diff --git a/vendor/golang.org/x/crypto/blake2b/blake2bAVX2_amd64.go b/vendor/golang.org/x/crypto/blake2b/blake2bAVX2_amd64.go deleted file mode 100644 index 199c21d27..000000000 --- a/vendor/golang.org/x/crypto/blake2b/blake2bAVX2_amd64.go +++ /dev/null 
@@ -1,37 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build amd64 && gc && !purego
-
-package blake2b
-
-import "golang.org/x/sys/cpu"
-
-func init() {
- useAVX2 = cpu.X86.HasAVX2
- useAVX = cpu.X86.HasAVX
- useSSE4 = cpu.X86.HasSSE41
-}
-
-//go:noescape
-func hashBlocksAVX2(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte)
-
-//go:noescape
-func hashBlocksAVX(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte)
-
-//go:noescape
-func hashBlocksSSE4(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte)
-
-func hashBlocks(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte) {
- switch {
- case useAVX2:
- hashBlocksAVX2(h, c, flag, blocks)
- case useAVX:
- hashBlocksAVX(h, c, flag, blocks)
- case useSSE4:
- hashBlocksSSE4(h, c, flag, blocks)
- default:
- hashBlocksGeneric(h, c, flag, blocks)
- }
-}
diff --git a/vendor/golang.org/x/crypto/blake2b/blake2bAVX2_amd64.s b/vendor/golang.org/x/crypto/blake2b/blake2bAVX2_amd64.s
deleted file mode 100644
index f75162e03..000000000
--- a/vendor/golang.org/x/crypto/blake2b/blake2bAVX2_amd64.s
+++ /dev/null
@@ -1,4559 +0,0 @@ -// Code generated by command: go run blake2bAVX2_amd64_asm.go -out ../../blake2bAVX2_amd64.s -pkg blake2b. DO NOT EDIT. - -//go:build amd64 && gc && !purego - -#include "textflag.h" - -// func hashBlocksAVX2(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte) -// Requires: AVX, AVX2 -TEXT ·hashBlocksAVX2(SB), NOSPLIT, $320-48 - MOVQ h+0(FP), AX - MOVQ c+8(FP), BX - MOVQ flag+16(FP), CX - MOVQ blocks_base+24(FP), SI - MOVQ blocks_len+32(FP), DI - MOVQ SP, DX - ADDQ $+31, DX - ANDQ $-32, DX - MOVQ CX, 16(DX) - XORQ CX, CX - MOVQ CX, 24(DX) - VMOVDQU ·AVX2_c40<>+0(SB), Y4 - VMOVDQU ·AVX2_c48<>+0(SB), Y5 - VMOVDQU (AX), Y8 - VMOVDQU 32(AX), Y9 - VMOVDQU ·AVX2_iv0<>+0(SB), Y6 - VMOVDQU ·AVX2_iv1<>+0(SB), Y7 - MOVQ (BX), R8 - MOVQ 8(BX), R9 - MOVQ R9, 8(DX) - -loop: - ADDQ $0x80, R8 - MOVQ R8, (DX) - CMPQ R8, $0x80 - JGE noinc - INCQ R9 - MOVQ R9, 8(DX) - -noinc: - VMOVDQA Y8, Y0 - VMOVDQA Y9, Y1 - VMOVDQA Y6, Y2 - VPXOR (DX), Y7, Y3 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x26 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x20 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x10 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x30 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y12, Y12 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x08 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x28 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x18 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x38 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y13, Y13 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x40 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x60 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x50 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x70 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y14, Y14 - 
BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x48 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x68 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x58 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x78 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y15, Y15 - VMOVDQA Y12, 32(DX) - VMOVDQA Y13, 64(DX) - VMOVDQA Y14, 96(DX) - VMOVDQA Y15, 128(DX) - VPADDQ Y12, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y13, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x93 - VPADDQ Y14, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y15, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x93 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x70 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x48 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x20 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x68 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y12, Y12 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x50 - BYTE $0xc5 - BYTE $0x7a - 
BYTE $0x7e - BYTE $0x5e - BYTE $0x78 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x40 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x30 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y13, Y13 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x58 - VPSHUFD $0x4e, (SI), X14 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x28 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y14, Y14 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x60 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x38 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x10 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x18 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y15, Y15 - VMOVDQA Y12, 160(DX) - VMOVDQA Y13, 192(DX) - VMOVDQA Y14, 224(DX) - VMOVDQA Y15, 256(DX) - VPADDQ Y12, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y13, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x93 - VPADDQ Y14, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y15, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - 
BYTE $0x00 - BYTE $0xc9 - BYTE $0x93 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x28 - VMOVDQU 88(SI), X12 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x78 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y12, Y12 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x40 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x10 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x2e - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x68 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y13, Y13 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x50 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x38 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x18 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x48 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y14, Y14 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x70 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x08 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x30 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x20 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y15, Y15 - VPADDQ Y12, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y13, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x93 - VPADDQ Y14, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y15, Y0, 
Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x93 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x38 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x68 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x18 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x58 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y12, Y12 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x48 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x60 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x08 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x70 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y13, Y13 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x10 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x20 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x28 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x78 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y14, Y14 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x30 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x1e - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x50 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x40 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y15, Y15 - VPADDQ Y12, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y13, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 
- VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x93 - VPADDQ Y14, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y15, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x93 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x48 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x10 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x28 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x50 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y12, Y12 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x2e - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x20 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x38 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x78 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y13, Y13 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x70 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x30 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x58 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x18 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y14, Y14 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x08 - BYTE 
$0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x40 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x60 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x68 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y15, Y15 - VPADDQ Y12, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y13, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x93 - VPADDQ Y14, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y15, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x93 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x10 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x1e - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x30 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x40 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y12, Y12 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x60 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x58 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x50 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE 
$0x22 - BYTE $0x5e - BYTE $0x18 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y13, Y13 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x20 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x78 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x38 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x08 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y14, Y14 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x68 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x70 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x28 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x48 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y15, Y15 - VPADDQ Y12, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y13, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x93 - VPADDQ Y14, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y15, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x93 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x60 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e 
- BYTE $0x5e - BYTE $0x70 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x08 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x20 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y12, Y12 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x28 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x68 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x78 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x50 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y13, Y13 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x36 - VPSHUFD $0x4e, 64(SI), X11 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x30 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y14, Y14 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x38 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x10 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x18 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x58 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y15, Y15 - VPADDQ Y12, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y13, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x93 - VPADDQ Y14, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y15, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ 
$0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x93 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x68 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x60 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x38 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x18 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y12, Y12 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x58 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x08 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x70 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x48 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y13, Y13 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x28 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x40 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x78 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x10 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y14, Y14 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x3e - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x30 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x20 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x50 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y15, Y15 - VPADDQ Y12, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y13, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - 
BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x93 - VPADDQ Y14, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y15, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x93 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x30 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x58 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x70 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x1e - BYTE $0x01 - VINSERTI128 $0x01, X11, Y12, Y12 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x78 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x18 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x48 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x40 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y13, Y13 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x08 - VMOVDQU 96(SI), X14 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x50 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y14, Y14 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x10 - VMOVDQU 32(SI), X11 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x38 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y15, Y15 - VPADDQ Y12, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - 
VPSHUFB Y4, Y1, Y1 - VPADDQ Y13, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x93 - VPADDQ Y14, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y15, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x93 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x50 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x38 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x40 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x08 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y12, Y12 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x10 - VPSHUFD $0x4e, 40(SI), X11 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x20 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y13, Y13 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x78 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x18 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x48 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x5e - BYTE $0x68 - BYTE $0x01 - VINSERTI128 $0x01, X11, Y14, Y14 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x58 - BYTE $0xc5 - BYTE 
$0x7a - BYTE $0x7e - BYTE $0x5e - BYTE $0x60 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x70 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0xa1 - BYTE $0x22 - BYTE $0x1e - BYTE $0x01 - VINSERTI128 $0x01, X11, Y15, Y15 - VPADDQ Y12, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y13, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x93 - VPADDQ Y14, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ Y15, Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x93 - VPADDQ 32(DX), Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ 64(DX), Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x93 - VPADDQ 96(DX), Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, 
Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ 128(DX), Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x93 - VPADDQ 160(DX), Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ 192(DX), Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x93 - VPADDQ 224(DX), Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFD $-79, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPSHUFB Y4, Y1, Y1 - VPADDQ 256(DX), Y0, Y0 - VPADDQ Y1, Y0, Y0 - VPXOR Y0, Y3, Y3 - VPSHUFB Y5, Y3, Y3 - VPADDQ Y3, Y2, Y2 - VPXOR Y2, Y1, Y1 - VPADDQ Y1, Y1, Y10 - VPSRLQ $0x3f, Y1, Y1 - VPXOR Y10, Y1, Y1 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xdb - BYTE $0x39 - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xd2 - BYTE $0x4e - BYTE $0xc4 - BYTE $0xe3 - BYTE $0xfd - BYTE $0x00 - BYTE $0xc9 - BYTE $0x93 - VPXOR Y0, Y8, Y8 - VPXOR Y1, Y9, Y9 - VPXOR Y2, Y8, Y8 - VPXOR Y3, Y9, Y9 - LEAQ 128(SI), SI - SUBQ $0x80, DI - JNE loop - MOVQ R8, (BX) - MOVQ R9, 8(BX) - VMOVDQU Y8, (AX) - VMOVDQU Y9, 32(AX) - VZEROUPPER - RET - -DATA ·AVX2_c40<>+0(SB)/8, $0x0201000706050403 -DATA ·AVX2_c40<>+8(SB)/8, $0x0a09080f0e0d0c0b -DATA ·AVX2_c40<>+16(SB)/8, 
$0x0201000706050403 -DATA ·AVX2_c40<>+24(SB)/8, $0x0a09080f0e0d0c0b -GLOBL ·AVX2_c40<>(SB), RODATA|NOPTR, $32 - -DATA ·AVX2_c48<>+0(SB)/8, $0x0100070605040302 -DATA ·AVX2_c48<>+8(SB)/8, $0x09080f0e0d0c0b0a -DATA ·AVX2_c48<>+16(SB)/8, $0x0100070605040302 -DATA ·AVX2_c48<>+24(SB)/8, $0x09080f0e0d0c0b0a -GLOBL ·AVX2_c48<>(SB), RODATA|NOPTR, $32 - -DATA ·AVX2_iv0<>+0(SB)/8, $0x6a09e667f3bcc908 -DATA ·AVX2_iv0<>+8(SB)/8, $0xbb67ae8584caa73b -DATA ·AVX2_iv0<>+16(SB)/8, $0x3c6ef372fe94f82b -DATA ·AVX2_iv0<>+24(SB)/8, $0xa54ff53a5f1d36f1 -GLOBL ·AVX2_iv0<>(SB), RODATA|NOPTR, $32 - -DATA ·AVX2_iv1<>+0(SB)/8, $0x510e527fade682d1 -DATA ·AVX2_iv1<>+8(SB)/8, $0x9b05688c2b3e6c1f -DATA ·AVX2_iv1<>+16(SB)/8, $0x1f83d9abfb41bd6b -DATA ·AVX2_iv1<>+24(SB)/8, $0x5be0cd19137e2179 -GLOBL ·AVX2_iv1<>(SB), RODATA|NOPTR, $32 - -// func hashBlocksAVX(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte) -// Requires: AVX, SSE2 -TEXT ·hashBlocksAVX(SB), NOSPLIT, $288-48 - MOVQ h+0(FP), AX - MOVQ c+8(FP), BX - MOVQ flag+16(FP), CX - MOVQ blocks_base+24(FP), SI - MOVQ blocks_len+32(FP), DI - MOVQ SP, R10 - ADDQ $0x0f, R10 - ANDQ $-16, R10 - VMOVDQU ·AVX_c40<>+0(SB), X0 - VMOVDQU ·AVX_c48<>+0(SB), X1 - VMOVDQA X0, X8 - VMOVDQA X1, X9 - VMOVDQU ·AVX_iv3<>+0(SB), X0 - VMOVDQA X0, (R10) - XORQ CX, (R10) - VMOVDQU (AX), X10 - VMOVDQU 16(AX), X11 - VMOVDQU 32(AX), X2 - VMOVDQU 48(AX), X3 - MOVQ (BX), R8 - MOVQ 8(BX), R9 - -loop: - ADDQ $0x80, R8 - CMPQ R8, $0x80 - JGE noinc - INCQ R9 - -noinc: - BYTE $0xc4 - BYTE $0x41 - BYTE $0xf9 - BYTE $0x6e - BYTE $0xf8 - BYTE $0xc4 - BYTE $0x43 - BYTE $0x81 - BYTE $0x22 - BYTE $0xf9 - BYTE $0x01 - VMOVDQA X10, X0 - VMOVDQA X11, X1 - VMOVDQU ·AVX_iv0<>+0(SB), X4 - VMOVDQU ·AVX_iv1<>+0(SB), X5 - VMOVDQU ·AVX_iv2<>+0(SB), X6 - VPXOR X15, X6, X6 - VMOVDQA (R10), X7 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x26 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x20 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x08 - BYTE $0xc5 - BYTE 
$0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x28 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x10 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x30 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x18 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x38 - BYTE $0x01 - VMOVDQA X12, 16(R10) - VMOVDQA X13, 32(R10) - VMOVDQA X14, 48(R10) - VMOVDQA X15, 64(R10) - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X6, X13 - VMOVDQA X2, X14 - VMOVDQA X4, X6 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x11 - BYTE $0x6c - BYTE $0xfd - VMOVDQA X5, X4 - VMOVDQA X6, X5 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x69 - BYTE $0x6d - BYTE $0xd7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xdf - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x40 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x60 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x48 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x68 - 
BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x50 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x70 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x58 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x78 - BYTE $0x01 - VMOVDQA X12, 80(R10) - VMOVDQA X13, 96(R10) - VMOVDQA X14, 112(R10) - VMOVDQA X15, 128(R10) - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X2, X13 - VMOVDQA X4, X14 - BYTE $0xc5 - BYTE $0x69 - BYTE $0x6c - BYTE $0xfa - VMOVDQA X5, X4 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xd7 - VMOVDQA X14, X5 - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - VMOVDQA X6, X14 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xdf - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x49 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x70 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x48 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x50 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x78 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE 
$0x66 - BYTE $0x20 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x68 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x40 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x30 - BYTE $0x01 - VMOVDQA X12, 144(R10) - VMOVDQA X13, 160(R10) - VMOVDQA X14, 176(R10) - VMOVDQA X15, 192(R10) - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X6, X13 - VMOVDQA X2, X14 - VMOVDQA X4, X6 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x11 - BYTE $0x6c - BYTE $0xfd - VMOVDQA X5, X4 - VMOVDQA X6, X5 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x69 - BYTE $0x6d - BYTE $0xd7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xdf - VPSHUFD $0x4e, (SI), X12 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x58 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x60 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x38 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x28 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE 
$0x22 - BYTE $0x76 - BYTE $0x10 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x18 - BYTE $0x01 - VMOVDQA X12, 208(R10) - VMOVDQA X13, 224(R10) - VMOVDQA X14, 240(R10) - VMOVDQA X15, 256(R10) - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X2, X13 - VMOVDQA X4, X14 - BYTE $0xc5 - BYTE $0x69 - BYTE $0x6c - BYTE $0xfa - VMOVDQA X5, X4 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xd7 - VMOVDQA X14, X5 - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - VMOVDQA X6, X14 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xdf - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x49 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xff - VMOVDQU 88(SI), X12 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x28 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x40 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x10 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x78 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x36 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x68 - BYTE $0x01 - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - 
VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X6, X13 - VMOVDQA X2, X14 - VMOVDQA X4, X6 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x11 - BYTE $0x6c - BYTE $0xfd - VMOVDQA X5, X4 - VMOVDQA X6, X5 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x69 - BYTE $0x6d - BYTE $0xd7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xdf - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x50 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x38 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x70 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x08 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x18 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x48 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x30 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x20 - BYTE $0x01 - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, 
X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X2, X13 - VMOVDQA X4, X14 - BYTE $0xc5 - BYTE $0x69 - BYTE $0x6c - BYTE $0xfa - VMOVDQA X5, X4 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xd7 - VMOVDQA X14, X5 - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - VMOVDQA X6, X14 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xdf - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x49 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x38 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x68 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x48 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x60 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x18 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x58 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x08 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x70 - BYTE $0x01 - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - 
VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X6, X13 - VMOVDQA X2, X14 - VMOVDQA X4, X6 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x11 - BYTE $0x6c - BYTE $0xfd - VMOVDQA X5, X4 - VMOVDQA X6, X5 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x69 - BYTE $0x6d - BYTE $0xd7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xdf - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x10 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x20 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x30 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x3e - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x28 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x78 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x50 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x40 - BYTE $0x01 - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, 
X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X2, X13 - VMOVDQA X4, X14 - BYTE $0xc5 - BYTE $0x69 - BYTE $0x6c - BYTE $0xfa - VMOVDQA X5, X4 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xd7 - VMOVDQA X14, X5 - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - VMOVDQA X6, X14 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xdf - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x49 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x48 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x10 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x36 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x20 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x28 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x50 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x38 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x78 - BYTE $0x01 - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X6, 
X13 - VMOVDQA X2, X14 - VMOVDQA X4, X6 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x11 - BYTE $0x6c - BYTE $0xfd - VMOVDQA X5, X4 - VMOVDQA X6, X5 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x69 - BYTE $0x6d - BYTE $0xd7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xdf - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x70 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x30 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x08 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x40 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x58 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x18 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x60 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x68 - BYTE $0x01 - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X2, X13 - VMOVDQA X4, X14 - BYTE $0xc5 - BYTE $0x69 - BYTE $0x6c - BYTE $0xfa - VMOVDQA X5, X4 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE 
$0x6d - BYTE $0xd7 - VMOVDQA X14, X5 - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - VMOVDQA X6, X14 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xdf - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x49 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x10 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x2e - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x60 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x58 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x30 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x40 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x50 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x18 - BYTE $0x01 - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X6, X13 - VMOVDQA X2, X14 - VMOVDQA X4, X6 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x11 - BYTE $0x6c - BYTE $0xfd - VMOVDQA X5, X4 - VMOVDQA X6, X5 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE 
$0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x69 - BYTE $0x6d - BYTE $0xd7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xdf - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x20 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x78 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x68 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x70 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x38 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x08 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x28 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x48 - BYTE $0x01 - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X2, X13 - VMOVDQA X4, X14 - BYTE $0xc5 - BYTE $0x69 - BYTE $0x6c - BYTE $0xfa - VMOVDQA X5, X4 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xd7 - VMOVDQA X14, X5 - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - VMOVDQA X6, X14 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xdf - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x49 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc4 - 
BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x60 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x70 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x28 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x68 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x08 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x20 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x78 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x50 - BYTE $0x01 - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X6, X13 - VMOVDQA X2, X14 - VMOVDQA X4, X6 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x11 - BYTE $0x6c - BYTE $0xfd - VMOVDQA X5, X4 - VMOVDQA X6, X5 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x69 - BYTE $0x6d - BYTE $0xd7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xdf - MOVQ (SI), X12 - 
VPSHUFD $0x4e, 64(SI), X13 - MOVQ 56(SI), X14 - MOVQ 16(SI), X15 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x30 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x18 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x58 - BYTE $0x01 - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X2, X13 - VMOVDQA X4, X14 - BYTE $0xc5 - BYTE $0x69 - BYTE $0x6c - BYTE $0xfa - VMOVDQA X5, X4 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xd7 - VMOVDQA X14, X5 - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - VMOVDQA X6, X14 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xdf - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x49 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x68 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x60 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x58 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x08 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x38 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x18 - BYTE 
$0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x70 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x48 - BYTE $0x01 - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X6, X13 - VMOVDQA X2, X14 - VMOVDQA X4, X6 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x11 - BYTE $0x6c - BYTE $0xfd - VMOVDQA X5, X4 - VMOVDQA X6, X5 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x69 - BYTE $0x6d - BYTE $0xd7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xdf - MOVQ 40(SI), X12 - MOVQ 64(SI), X13 - MOVQ (SI), X14 - MOVQ 48(SI), X15 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x78 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x10 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x20 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x50 - BYTE $0x01 - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, 
X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X2, X13 - VMOVDQA X4, X14 - BYTE $0xc5 - BYTE $0x69 - BYTE $0x6c - BYTE $0xfa - VMOVDQA X5, X4 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xd7 - VMOVDQA X14, X5 - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - VMOVDQA X6, X14 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xdf - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x49 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xff - MOVQ 48(SI), X12 - MOVQ 88(SI), X13 - MOVQ 120(SI), X14 - MOVQ 24(SI), X15 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x70 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x2e - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x48 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x40 - BYTE $0x01 - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, 
X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X6, X13 - VMOVDQA X2, X14 - VMOVDQA X4, X6 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x11 - BYTE $0x6c - BYTE $0xfd - VMOVDQA X5, X4 - VMOVDQA X6, X5 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x69 - BYTE $0x6d - BYTE $0xd7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xdf - VMOVDQU 96(SI), X12 - MOVQ 8(SI), X13 - MOVQ 16(SI), X14 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x50 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x38 - BYTE $0x01 - VMOVDQU 32(SI), X15 - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X2, X13 - VMOVDQA X4, X14 - BYTE $0xc5 - BYTE $0x69 - BYTE $0x6c - BYTE $0xfa - VMOVDQA X5, X4 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xd7 - VMOVDQA X14, X5 - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - VMOVDQA X6, X14 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xdf - 
BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x49 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x66 - BYTE $0x50 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x6e - BYTE $0x38 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x76 - BYTE $0x10 - BYTE $0xc5 - BYTE $0x7a - BYTE $0x7e - BYTE $0x7e - BYTE $0x30 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x40 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x08 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x20 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x7e - BYTE $0x28 - BYTE $0x01 - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X6, X13 - VMOVDQA X2, X14 - VMOVDQA X4, X6 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x11 - BYTE $0x6c - BYTE $0xfd - VMOVDQA X5, X4 - VMOVDQA X6, X5 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x69 - BYTE $0x6d - BYTE $0xd7 - BYTE $0xc4 - BYTE $0x41 
- BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xdf - MOVQ 120(SI), X12 - MOVQ 24(SI), X13 - MOVQ 88(SI), X14 - MOVQ 96(SI), X15 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x99 - BYTE $0x22 - BYTE $0x66 - BYTE $0x48 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x91 - BYTE $0x22 - BYTE $0x6e - BYTE $0x68 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x89 - BYTE $0x22 - BYTE $0x76 - BYTE $0x70 - BYTE $0x01 - BYTE $0xc4 - BYTE $0x63 - BYTE $0x81 - BYTE $0x22 - BYTE $0x3e - BYTE $0x01 - VPADDQ X12, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X13, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ X14, X0, X0 - VPADDQ X2, X0, X0 - VPADDQ X15, X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X2, X13 - VMOVDQA X4, X14 - BYTE $0xc5 - BYTE $0x69 - BYTE $0x6c - BYTE $0xfa - VMOVDQA X5, X4 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xd7 - VMOVDQA X14, X5 - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - VMOVDQA X6, X14 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xdf - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x49 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xff - VPADDQ 16(R10), X0, X0 - VPADDQ X2, X0, X0 - VPADDQ 32(R10), X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR 
X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ 48(R10), X0, X0 - VPADDQ X2, X0, X0 - VPADDQ 64(R10), X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X6, X13 - VMOVDQA X2, X14 - VMOVDQA X4, X6 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x11 - BYTE $0x6c - BYTE $0xfd - VMOVDQA X5, X4 - VMOVDQA X6, X5 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x69 - BYTE $0x6d - BYTE $0xd7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xdf - VPADDQ 80(R10), X0, X0 - VPADDQ X2, X0, X0 - VPADDQ 96(R10), X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ 112(R10), X0, X0 - VPADDQ X2, X0, X0 - VPADDQ 128(R10), X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X2, X13 - VMOVDQA X4, X14 - BYTE $0xc5 - BYTE $0x69 - BYTE $0x6c - BYTE $0xfa - VMOVDQA X5, X4 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xd7 - VMOVDQA X14, X5 - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - VMOVDQA X6, X14 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE 
$0xdf - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x49 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xff - VPADDQ 144(R10), X0, X0 - VPADDQ X2, X0, X0 - VPADDQ 160(R10), X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ 176(R10), X0, X0 - VPADDQ X2, X0, X0 - VPADDQ 192(R10), X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X6, X13 - VMOVDQA X2, X14 - VMOVDQA X4, X6 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x11 - BYTE $0x6c - BYTE $0xfd - VMOVDQA X5, X4 - VMOVDQA X6, X5 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xff - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x69 - BYTE $0x6d - BYTE $0xd7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xdf - VPADDQ 208(R10), X0, X0 - VPADDQ X2, X0, X0 - VPADDQ 224(R10), X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFD $-79, X6, X6 - VPSHUFD $-79, X7, X7 - VPADDQ X6, X4, X4 - VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPSHUFB X8, X2, X2 - VPSHUFB X8, X3, X3 - VPADDQ 240(R10), X0, X0 - VPADDQ X2, X0, X0 - VPADDQ 256(R10), X1, X1 - VPADDQ X3, X1, X1 - VPXOR X0, X6, X6 - VPXOR X1, X7, X7 - VPSHUFB X9, X6, X6 - VPSHUFB X9, X7, X7 - VPADDQ X6, X4, X4 - 
VPADDQ X7, X5, X5 - VPXOR X4, X2, X2 - VPXOR X5, X3, X3 - VPADDQ X2, X2, X15 - VPSRLQ $0x3f, X2, X2 - VPXOR X15, X2, X2 - VPADDQ X3, X3, X15 - VPSRLQ $0x3f, X3, X3 - VPXOR X15, X3, X3 - VMOVDQA X2, X13 - VMOVDQA X4, X14 - BYTE $0xc5 - BYTE $0x69 - BYTE $0x6c - BYTE $0xfa - VMOVDQA X5, X4 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x61 - BYTE $0x6d - BYTE $0xd7 - VMOVDQA X14, X5 - BYTE $0xc5 - BYTE $0x61 - BYTE $0x6c - BYTE $0xfb - VMOVDQA X6, X14 - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x11 - BYTE $0x6d - BYTE $0xdf - BYTE $0xc5 - BYTE $0x41 - BYTE $0x6c - BYTE $0xff - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x49 - BYTE $0x6d - BYTE $0xf7 - BYTE $0xc4 - BYTE $0x41 - BYTE $0x09 - BYTE $0x6c - BYTE $0xfe - BYTE $0xc4 - BYTE $0xc1 - BYTE $0x41 - BYTE $0x6d - BYTE $0xff - VMOVDQU 32(AX), X14 - VMOVDQU 48(AX), X15 - VPXOR X0, X10, X10 - VPXOR X1, X11, X11 - VPXOR X2, X14, X14 - VPXOR X3, X15, X15 - VPXOR X4, X10, X10 - VPXOR X5, X11, X11 - VPXOR X6, X14, X2 - VPXOR X7, X15, X3 - VMOVDQU X2, 32(AX) - VMOVDQU X3, 48(AX) - LEAQ 128(SI), SI - SUBQ $0x80, DI - JNE loop - VMOVDQU X10, (AX) - VMOVDQU X11, 16(AX) - MOVQ R8, (BX) - MOVQ R9, 8(BX) - VZEROUPPER - RET - -DATA ·AVX_c40<>+0(SB)/8, $0x0201000706050403 -DATA ·AVX_c40<>+8(SB)/8, $0x0a09080f0e0d0c0b -GLOBL ·AVX_c40<>(SB), RODATA|NOPTR, $16 - -DATA ·AVX_c48<>+0(SB)/8, $0x0100070605040302 -DATA ·AVX_c48<>+8(SB)/8, $0x09080f0e0d0c0b0a -GLOBL ·AVX_c48<>(SB), RODATA|NOPTR, $16 - -DATA ·AVX_iv3<>+0(SB)/8, $0x1f83d9abfb41bd6b -DATA ·AVX_iv3<>+8(SB)/8, $0x5be0cd19137e2179 -GLOBL ·AVX_iv3<>(SB), RODATA|NOPTR, $16 - -DATA ·AVX_iv0<>+0(SB)/8, $0x6a09e667f3bcc908 -DATA ·AVX_iv0<>+8(SB)/8, $0xbb67ae8584caa73b -GLOBL ·AVX_iv0<>(SB), RODATA|NOPTR, $16 - -DATA ·AVX_iv1<>+0(SB)/8, $0x3c6ef372fe94f82b -DATA ·AVX_iv1<>+8(SB)/8, $0xa54ff53a5f1d36f1 -GLOBL ·AVX_iv1<>(SB), RODATA|NOPTR, $16 - -DATA ·AVX_iv2<>+0(SB)/8, $0x510e527fade682d1 -DATA ·AVX_iv2<>+8(SB)/8, $0x9b05688c2b3e6c1f -GLOBL ·AVX_iv2<>(SB), RODATA|NOPTR, $16 
diff --git a/vendor/golang.org/x/crypto/blake2b/blake2b_amd64.s b/vendor/golang.org/x/crypto/blake2b/blake2b_amd64.s deleted file mode 100644 index 9a0ce2124..000000000 --- a/vendor/golang.org/x/crypto/blake2b/blake2b_amd64.s +++ /dev/null 
@@ -1,1441 +0,0 @@ -// Code generated by command: go run blake2b_amd64_asm.go -out ../../blake2b_amd64.s -pkg blake2b. DO NOT EDIT. - -//go:build amd64 && gc && !purego - -#include "textflag.h" - -// func hashBlocksSSE4(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte) -// Requires: SSE2, SSE4.1, SSSE3 -TEXT ·hashBlocksSSE4(SB), NOSPLIT, $288-48 - MOVQ h+0(FP), AX - MOVQ c+8(FP), BX - MOVQ flag+16(FP), CX - MOVQ blocks_base+24(FP), SI - MOVQ blocks_len+32(FP), DI - MOVQ SP, R10 - ADDQ $0x0f, R10 - ANDQ $-16, R10 - MOVOU ·iv3<>+0(SB), X0 - MOVO X0, (R10) - XORQ CX, (R10) - MOVOU ·c40<>+0(SB), X13 - MOVOU ·c48<>+0(SB), X14 - MOVOU (AX), X12 - MOVOU 16(AX), X15 - MOVQ (BX), R8 - MOVQ 8(BX), R9 - -loop: - ADDQ $0x80, R8 - CMPQ R8, $0x80 - JGE noinc - INCQ R9 - -noinc: - MOVQ R8, X8 - PINSRQ $0x01, R9, X8 - MOVO X12, X0 - MOVO X15, X1 - MOVOU 32(AX), X2 - MOVOU 48(AX), X3 - MOVOU ·iv0<>+0(SB), X4 - MOVOU ·iv1<>+0(SB), X5 - MOVOU ·iv2<>+0(SB), X6 - PXOR X8, X6 - MOVO (R10), X7 - MOVQ (SI), X8 - PINSRQ $0x01, 16(SI), X8 - MOVQ 32(SI), X9 - PINSRQ $0x01, 48(SI), X9 - MOVQ 8(SI), X10 - PINSRQ $0x01, 24(SI), X10 - MOVQ 40(SI), X11 - PINSRQ $0x01, 56(SI), X11 - MOVO X8, 16(R10) - MOVO X9, 32(R10) - MOVO X10, 48(R10) - MOVO X11, 64(R10) - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - 
PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVQ 64(SI), X8 - PINSRQ $0x01, 80(SI), X8 - MOVQ 96(SI), X9 - PINSRQ $0x01, 112(SI), X9 - MOVQ 72(SI), X10 - PINSRQ $0x01, 88(SI), X10 - MOVQ 104(SI), X11 - PINSRQ $0x01, 120(SI), X11 - MOVO X8, 80(R10) - MOVO X9, 96(R10) - MOVO X10, 112(R10) - MOVO X11, 128(R10) - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVQ 112(SI), X8 - PINSRQ $0x01, 32(SI), X8 - MOVQ 72(SI), X9 - PINSRQ $0x01, 104(SI), X9 - MOVQ 80(SI), X10 - PINSRQ $0x01, 64(SI), X10 - MOVQ 120(SI), X11 - PINSRQ $0x01, 48(SI), X11 - MOVO X8, 144(R10) - MOVO X9, 160(R10) - MOVO X10, 176(R10) - MOVO X11, 192(R10) - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - 
PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVQ 8(SI), X8 - PINSRQ $0x01, (SI), X8 - MOVQ 88(SI), X9 - PINSRQ $0x01, 40(SI), X9 - MOVQ 96(SI), X10 - PINSRQ $0x01, 16(SI), X10 - MOVQ 56(SI), X11 - PINSRQ $0x01, 24(SI), X11 - MOVO X8, 208(R10) - MOVO X9, 224(R10) - MOVO X10, 240(R10) - MOVO X11, 256(R10) - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVQ 88(SI), X8 - PINSRQ $0x01, 96(SI), X8 - MOVQ 40(SI), X9 - PINSRQ $0x01, 120(SI), X9 - MOVQ 64(SI), X10 - PINSRQ $0x01, (SI), X10 - MOVQ 16(SI), X11 - PINSRQ $0x01, 104(SI), X11 - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO 
X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVQ 80(SI), X8 - PINSRQ $0x01, 24(SI), X8 - MOVQ 56(SI), X9 - PINSRQ $0x01, 72(SI), X9 - MOVQ 112(SI), X10 - PINSRQ $0x01, 48(SI), X10 - MOVQ 8(SI), X11 - PINSRQ $0x01, 32(SI), X11 - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVQ 56(SI), X8 - PINSRQ $0x01, 24(SI), X8 - MOVQ 104(SI), X9 - PINSRQ $0x01, 88(SI), X9 - MOVQ 72(SI), X10 - PINSRQ $0x01, 8(SI), X10 - MOVQ 96(SI), X11 - PINSRQ $0x01, 112(SI), X11 - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - 
MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVQ 16(SI), X8 - PINSRQ $0x01, 40(SI), X8 - MOVQ 32(SI), X9 - PINSRQ $0x01, 120(SI), X9 - MOVQ 48(SI), X10 - PINSRQ $0x01, 80(SI), X10 - MOVQ (SI), X11 - PINSRQ $0x01, 64(SI), X11 - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVQ 72(SI), X8 - PINSRQ $0x01, 40(SI), X8 - MOVQ 16(SI), X9 - PINSRQ $0x01, 80(SI), X9 - MOVQ (SI), X10 - PINSRQ $0x01, 56(SI), X10 - MOVQ 32(SI), X11 - PINSRQ $0x01, 120(SI), X11 - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - 
PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVQ 112(SI), X8 - PINSRQ $0x01, 88(SI), X8 - MOVQ 48(SI), X9 - PINSRQ $0x01, 24(SI), X9 - MOVQ 8(SI), X10 - PINSRQ $0x01, 96(SI), X10 - MOVQ 64(SI), X11 - PINSRQ $0x01, 104(SI), X11 - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVQ 16(SI), X8 - PINSRQ $0x01, 48(SI), X8 - MOVQ (SI), X9 - PINSRQ $0x01, 64(SI), X9 - MOVQ 96(SI), X10 - PINSRQ $0x01, 80(SI), X10 - MOVQ 88(SI), X11 - PINSRQ $0x01, 24(SI), X11 - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - 
PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVQ 32(SI), X8 - PINSRQ $0x01, 56(SI), X8 - MOVQ 120(SI), X9 - PINSRQ $0x01, 8(SI), X9 - MOVQ 104(SI), X10 - PINSRQ $0x01, 40(SI), X10 - MOVQ 112(SI), X11 - PINSRQ $0x01, 72(SI), X11 - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVQ 96(SI), X8 - PINSRQ $0x01, 8(SI), X8 - MOVQ 112(SI), X9 - PINSRQ $0x01, 32(SI), X9 - MOVQ 40(SI), X10 - PINSRQ $0x01, 120(SI), X10 - MOVQ 104(SI), X11 - PINSRQ $0x01, 80(SI), X11 - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - 
PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVQ (SI), X8 - PINSRQ $0x01, 48(SI), X8 - MOVQ 72(SI), X9 - PINSRQ $0x01, 64(SI), X9 - MOVQ 56(SI), X10 - PINSRQ $0x01, 24(SI), X10 - MOVQ 16(SI), X11 - PINSRQ $0x01, 88(SI), X11 - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVQ 104(SI), X8 - PINSRQ $0x01, 56(SI), X8 - MOVQ 96(SI), X9 - PINSRQ $0x01, 24(SI), X9 - MOVQ 88(SI), X10 - PINSRQ $0x01, 112(SI), X10 - MOVQ 8(SI), X11 - PINSRQ $0x01, 72(SI), X11 - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - 
PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVQ 40(SI), X8 - PINSRQ $0x01, 120(SI), X8 - MOVQ 64(SI), X9 - PINSRQ $0x01, 16(SI), X9 - MOVQ (SI), X10 - PINSRQ $0x01, 32(SI), X10 - MOVQ 48(SI), X11 - PINSRQ $0x01, 80(SI), X11 - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVQ 48(SI), X8 - PINSRQ $0x01, 112(SI), X8 - MOVQ 88(SI), X9 - PINSRQ $0x01, (SI), X9 - MOVQ 120(SI), X10 - PINSRQ $0x01, 72(SI), X10 - MOVQ 24(SI), X11 - PINSRQ $0x01, 64(SI), X11 - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, 
X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVQ 96(SI), X8 - PINSRQ $0x01, 104(SI), X8 - MOVQ 8(SI), X9 - PINSRQ $0x01, 80(SI), X9 - MOVQ 16(SI), X10 - PINSRQ $0x01, 56(SI), X10 - MOVQ 32(SI), X11 - PINSRQ $0x01, 40(SI), X11 - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVQ 80(SI), X8 - PINSRQ $0x01, 64(SI), X8 - MOVQ 56(SI), X9 - PINSRQ $0x01, 8(SI), X9 - MOVQ 16(SI), X10 - PINSRQ $0x01, 32(SI), X10 - MOVQ 48(SI), X11 - PINSRQ $0x01, 40(SI), X11 - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - 
PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - MOVQ 120(SI), X8 - PINSRQ $0x01, 72(SI), X8 - MOVQ 24(SI), X9 - PINSRQ $0x01, 104(SI), X9 - MOVQ 88(SI), X10 - PINSRQ $0x01, 112(SI), X10 - MOVQ 96(SI), X11 - PINSRQ $0x01, (SI), X11 - PADDQ X8, X0 - PADDQ X9, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ X10, X0 - PADDQ X11, X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - PADDQ 16(R10), X0 - PADDQ 32(R10), X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ 48(R10), X0 - PADDQ 64(R10), X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - PADDQ 80(R10), X0 - PADDQ 96(R10), X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, 
X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ 112(R10), X0 - PADDQ 128(R10), X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - PADDQ 144(R10), X0 - PADDQ 160(R10), X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ 176(R10), X0 - PADDQ 192(R10), X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X6, X8 - PUNPCKLQDQ X6, X9 - PUNPCKHQDQ X7, X6 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X7, X9 - MOVO X8, X7 - MOVO X2, X8 - PUNPCKHQDQ X9, X7 - PUNPCKLQDQ X3, X9 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X3 - PADDQ 208(R10), X0 - PADDQ 224(R10), X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFD $0xb1, X6, X6 - PSHUFD $0xb1, X7, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - PSHUFB X13, X2 - PSHUFB X13, X3 - PADDQ 240(R10), X0 - PADDQ 256(R10), X1 - PADDQ X2, X0 - PADDQ X3, X1 - PXOR X0, X6 - PXOR X1, X7 - PSHUFB X14, X6 - PSHUFB X14, X7 - PADDQ X6, X4 - PADDQ X7, X5 - PXOR X4, X2 - PXOR X5, X3 - MOVOU X2, X11 - 
PADDQ X2, X11 - PSRLQ $0x3f, X2 - PXOR X11, X2 - MOVOU X3, X11 - PADDQ X3, X11 - PSRLQ $0x3f, X3 - PXOR X11, X3 - MOVO X4, X8 - MOVO X5, X4 - MOVO X8, X5 - MOVO X2, X8 - PUNPCKLQDQ X2, X9 - PUNPCKHQDQ X3, X2 - PUNPCKHQDQ X9, X2 - PUNPCKLQDQ X3, X9 - MOVO X8, X3 - MOVO X6, X8 - PUNPCKHQDQ X9, X3 - PUNPCKLQDQ X7, X9 - PUNPCKHQDQ X9, X6 - PUNPCKLQDQ X8, X9 - PUNPCKHQDQ X9, X7 - MOVOU 32(AX), X10 - MOVOU 48(AX), X11 - PXOR X0, X12 - PXOR X1, X15 - PXOR X2, X10 - PXOR X3, X11 - PXOR X4, X12 - PXOR X5, X15 - PXOR X6, X10 - PXOR X7, X11 - MOVOU X10, 32(AX) - MOVOU X11, 48(AX) - LEAQ 128(SI), SI - SUBQ $0x80, DI - JNE loop - MOVOU X12, (AX) - MOVOU X15, 16(AX) - MOVQ R8, (BX) - MOVQ R9, 8(BX) - RET - -DATA ·iv3<>+0(SB)/8, $0x1f83d9abfb41bd6b -DATA ·iv3<>+8(SB)/8, $0x5be0cd19137e2179 -GLOBL ·iv3<>(SB), RODATA|NOPTR, $16 - -DATA ·c40<>+0(SB)/8, $0x0201000706050403 -DATA ·c40<>+8(SB)/8, $0x0a09080f0e0d0c0b -GLOBL ·c40<>(SB), RODATA|NOPTR, $16 - -DATA ·c48<>+0(SB)/8, $0x0100070605040302 -DATA ·c48<>+8(SB)/8, $0x09080f0e0d0c0b0a -GLOBL ·c48<>(SB), RODATA|NOPTR, $16 - -DATA ·iv0<>+0(SB)/8, $0x6a09e667f3bcc908 -DATA ·iv0<>+8(SB)/8, $0xbb67ae8584caa73b -GLOBL ·iv0<>(SB), RODATA|NOPTR, $16 - -DATA ·iv1<>+0(SB)/8, $0x3c6ef372fe94f82b -DATA ·iv1<>+8(SB)/8, $0xa54ff53a5f1d36f1 -GLOBL ·iv1<>(SB), RODATA|NOPTR, $16 - -DATA ·iv2<>+0(SB)/8, $0x510e527fade682d1 -DATA ·iv2<>+8(SB)/8, $0x9b05688c2b3e6c1f -GLOBL ·iv2<>(SB), RODATA|NOPTR, $16 diff --git a/vendor/golang.org/x/crypto/blake2b/blake2b_generic.go b/vendor/golang.org/x/crypto/blake2b/blake2b_generic.go deleted file mode 100644 index 3168a8aa3..000000000 --- a/vendor/golang.org/x/crypto/blake2b/blake2b_generic.go +++ /dev/null 
@@ -1,182 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package blake2b
-
-import (
- "encoding/binary"
- "math/bits"
-)
-
-// the precomputed values for BLAKE2b
-// there are 12 16-byte arrays - one for each round
-// the entries are calculated from the sigma constants.
-var precomputed = [12][16]byte{
- {0, 2, 4, 6, 1, 3, 5, 7, 8, 10, 12, 14, 9, 11, 13, 15},
- {14, 4, 9, 13, 10, 8, 15, 6, 1, 0, 11, 5, 12, 2, 7, 3},
- {11, 12, 5, 15, 8, 0, 2, 13, 10, 3, 7, 9, 14, 6, 1, 4},
- {7, 3, 13, 11, 9, 1, 12, 14, 2, 5, 4, 15, 6, 10, 0, 8},
- {9, 5, 2, 10, 0, 7, 4, 15, 14, 11, 6, 3, 1, 12, 8, 13},
- {2, 6, 0, 8, 12, 10, 11, 3, 4, 7, 15, 1, 13, 5, 14, 9},
- {12, 1, 14, 4, 5, 15, 13, 10, 0, 6, 9, 8, 7, 3, 2, 11},
- {13, 7, 12, 3, 11, 14, 1, 9, 5, 15, 8, 2, 0, 4, 6, 10},
- {6, 14, 11, 0, 15, 9, 3, 8, 12, 13, 1, 10, 2, 7, 4, 5},
- {10, 8, 7, 1, 2, 4, 6, 5, 15, 9, 3, 13, 11, 14, 12, 0},
- {0, 2, 4, 6, 1, 3, 5, 7, 8, 10, 12, 14, 9, 11, 13, 15}, // equal to the first
- {14, 4, 9, 13, 10, 8, 15, 6, 1, 0, 11, 5, 12, 2, 7, 3}, // equal to the second
-}
-
-func hashBlocksGeneric(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte) {
- var m [16]uint64
- c0, c1 := c[0], c[1]
-
- for i := 0; i < len(blocks); {
- c0 += BlockSize
- if c0 < BlockSize {
- c1++
- }
-
- v0, v1, v2, v3, v4, v5, v6, v7 := h[0], h[1], h[2], h[3], h[4], h[5], h[6], h[7]
- v8, v9, v10, v11, v12, v13, v14, v15 := iv[0], iv[1], iv[2], iv[3], iv[4], iv[5], iv[6], iv[7]
- v12 ^= c0
- v13 ^= c1
- v14 ^= flag
-
- for j := range m {
- m[j] = binary.LittleEndian.Uint64(blocks[i:])
- i += 8
- }
-
- for j := range precomputed {
- s := &(precomputed[j])
-
- v0 += m[s[0]]
- v0 += v4
- v12 ^= v0
- v12 = bits.RotateLeft64(v12, -32)
- v8 += v12
- v4 ^= v8
- v4 = bits.RotateLeft64(v4, -24)
- v1 += m[s[1]]
- v1 += v5
- v13 ^= v1
- v13 = bits.RotateLeft64(v13, -32)
- v9 += v13
- v5 ^= v9
- v5 = bits.RotateLeft64(v5, -24)
- v2 += m[s[2]]
- v2 += v6
- v14 ^= v2
- v14 = bits.RotateLeft64(v14, -32)
- v10 += v14
- v6 ^= v10
- v6 = bits.RotateLeft64(v6, -24)
- v3 += m[s[3]]
- v3 += v7
- v15 ^= v3
- v15 = bits.RotateLeft64(v15, -32)
- v11 += v15
- v7 ^= v11
- v7 = bits.RotateLeft64(v7, -24)
-
- v0 += m[s[4]]
- v0 += v4
- v12 ^= v0
- v12 = bits.RotateLeft64(v12, -16)
- v8 += v12
- v4 ^= v8
- v4 = bits.RotateLeft64(v4, -63)
- v1 += m[s[5]]
- v1 += v5
- v13 ^= v1
- v13 = bits.RotateLeft64(v13, -16)
- v9 += v13
- v5 ^= v9
- v5 = bits.RotateLeft64(v5, -63)
- v2 += m[s[6]]
- v2 += v6
- v14 ^= v2
- v14 = bits.RotateLeft64(v14, -16)
- v10 += v14
- v6 ^= v10
- v6 = bits.RotateLeft64(v6, -63)
- v3 += m[s[7]]
- v3 += v7
- v15 ^= v3
- v15 = bits.RotateLeft64(v15, -16)
- v11 += v15
- v7 ^= v11
- v7 = bits.RotateLeft64(v7, -63)
-
- v0 += m[s[8]]
- v0 += v5
- v15 ^= v0
- v15 = bits.RotateLeft64(v15, -32)
- v10 += v15
- v5 ^= v10
- v5 = bits.RotateLeft64(v5, -24)
- v1 += m[s[9]]
- v1 += v6
- v12 ^= v1
- v12 = bits.RotateLeft64(v12, -32)
- v11 += v12
- v6 ^= v11
- v6 = bits.RotateLeft64(v6, -24)
- v2 += m[s[10]]
- v2 += v7
- v13 ^= v2
- v13 = bits.RotateLeft64(v13, -32)
- v8 += v13
- v7 ^= v8
- v7 = bits.RotateLeft64(v7, -24)
- v3 += m[s[11]]
- v3 += v4
- v14 ^= v3
- v14 = bits.RotateLeft64(v14, -32)
- v9 += v14
- v4 ^= v9
- v4 = bits.RotateLeft64(v4, -24)
-
- v0 += m[s[12]]
- v0 += v5
- v15 ^= v0
- v15 = bits.RotateLeft64(v15, -16)
- v10 += v15
- v5 ^= v10
- v5 = bits.RotateLeft64(v5, -63)
- v1 += m[s[13]]
- v1 += v6
- v12 ^= v1
- v12 = bits.RotateLeft64(v12, -16)
- v11 += v12
- v6 ^= v11
- v6 = bits.RotateLeft64(v6, -63)
- v2 += m[s[14]]
- v2 += v7
- v13 ^= v2
- v13 = bits.RotateLeft64(v13, -16)
- v8 += v13
- v7 ^= v8
- v7 = bits.RotateLeft64(v7, -63)
- v3 += m[s[15]]
- v3 += v4
- v14 ^= v3
- v14 = bits.RotateLeft64(v14, -16)
- v9 += v14
- v4 ^= v9
- v4 = bits.RotateLeft64(v4, -63)
-
- }
-
- h[0] ^= v0 ^ v8
- h[1] ^= v1 ^ v9
- h[2] ^= v2 ^ v10
- h[3] ^= v3 ^ v11
- h[4] ^= v4 ^ v12
- h[5] ^= v5 ^ v13
- h[6] ^= v6 ^ v14
- h[7] ^= v7 ^ v15
- }
- c[0], c[1] = c0, c1
-}
diff --git a/vendor/golang.org/x/crypto/blake2b/blake2b_ref.go b/vendor/golang.org/x/crypto/blake2b/blake2b_ref.go
deleted file mode 100644
index 6e28668cd..000000000
--- a/vendor/golang.org/x/crypto/blake2b/blake2b_ref.go
+++ /dev/null
@@ -1,11 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !amd64 || purego || !gc
-
-package blake2b
-
-func hashBlocks(h *[8]uint64, c *[2]uint64, flag uint64, blocks []byte) {
- hashBlocksGeneric(h, c, flag, blocks)
-}
diff --git a/vendor/golang.org/x/crypto/blake2b/blake2x.go b/vendor/golang.org/x/crypto/blake2b/blake2x.go
deleted file mode 100644
index 52c414db0..000000000
--- a/vendor/golang.org/x/crypto/blake2b/blake2x.go
+++ /dev/null
@@ -1,177 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package blake2b
-
-import (
- "encoding/binary"
- "errors"
- "io"
-)
-
-// XOF defines the interface to hash functions that
-// support arbitrary-length output.
-type XOF interface {
- // Write absorbs more data into the hash's state. It panics if called
- // after Read.
- io.Writer
-
- // Read reads more output from the hash. It returns io.EOF if the limit
- // has been reached.
- io.Reader
-
- // Clone returns a copy of the XOF in its current state.
- Clone() XOF
-
- // Reset resets the XOF to its initial state.
- Reset()
-}
-
-// OutputLengthUnknown can be used as the size argument to NewXOF to indicate
-// the length of the output is not known in advance.
-const OutputLengthUnknown = 0
-
-// magicUnknownOutputLength is a magic value for the output size that indicates
-// an unknown number of output bytes.
-const magicUnknownOutputLength = (1 << 32) - 1
-
-// maxOutputLength is the absolute maximum number of bytes to produce when the
-// number of output bytes is unknown.
-const maxOutputLength = (1 << 32) * 64
-
-// NewXOF creates a new variable-output-length hash. The hash either produce a
-// known number of bytes (1 <= size < 2**32-1), or an unknown number of bytes
-// (size == OutputLengthUnknown). In the latter case, an absolute limit of
-// 256GiB applies.
-//
-// A non-nil key turns the hash into a MAC. The key must between
-// zero and 32 bytes long.
-func NewXOF(size uint32, key []byte) (XOF, error) {
- if len(key) > Size {
- return nil, errKeySize
- }
- if size == magicUnknownOutputLength {
- // 2^32-1 indicates an unknown number of bytes and thus isn't a
- // valid length.
- return nil, errors.New("blake2b: XOF length too large")
- }
- if size == OutputLengthUnknown {
- size = magicUnknownOutputLength
- }
- x := &xof{
- d: digest{
- size: Size,
- keyLen: len(key),
- },
- length: size,
- }
- copy(x.d.key[:], key)
- x.Reset()
- return x, nil
-}
-
-type xof struct {
- d digest
- length uint32
- remaining uint64
- cfg, root, block [Size]byte
- offset int
- nodeOffset uint32
- readMode bool
-}
-
-func (x *xof) Write(p []byte) (n int, err error) {
- if x.readMode {
- panic("blake2b: write to XOF after read")
- }
- return x.d.Write(p)
-}
-
-func (x *xof) Clone() XOF {
- clone := *x
- return &clone
-}
-
-func (x *xof) Reset() {
- x.cfg[0] = byte(Size)
- binary.LittleEndian.PutUint32(x.cfg[4:], uint32(Size)) // leaf length
- binary.LittleEndian.PutUint32(x.cfg[12:], x.length) // XOF length
- x.cfg[17] = byte(Size) // inner hash size
-
- x.d.Reset()
- x.d.h[1] ^= uint64(x.length) << 32
-
- x.remaining = uint64(x.length)
- if x.remaining == magicUnknownOutputLength {
- x.remaining = maxOutputLength
- }
- x.offset, x.nodeOffset = 0, 0
- x.readMode = false
-}
-
-func (x *xof) Read(p []byte) (n int, err error) {
- if !x.readMode {
- x.d.finalize(&x.root)
- x.readMode = true
- }
-
- if x.remaining == 0 {
- return 0, io.EOF
- }
-
- n = len(p)
- if uint64(n) > x.remaining {
- n = int(x.remaining)
- p = p[:n]
- }
-
- if x.offset > 0 {
- blockRemaining := Size - x.offset
- if n < blockRemaining {
- x.offset += copy(p, x.block[x.offset:])
- x.remaining -= uint64(n)
- return
- }
- copy(p, x.block[x.offset:])
- p = p[blockRemaining:]
- x.offset = 0
- x.remaining -= uint64(blockRemaining)
- }
-
- for len(p) >= Size {
- binary.LittleEndian.PutUint32(x.cfg[8:], x.nodeOffset)
- x.nodeOffset++
-
- x.d.initConfig(&x.cfg)
- x.d.Write(x.root[:])
- x.d.finalize(&x.block)
-
- copy(p, x.block[:])
- p = p[Size:]
- x.remaining -= uint64(Size)
- }
-
- if todo := len(p); todo > 0 {
- if x.remaining < uint64(Size) {
- x.cfg[0] = byte(x.remaining)
- }
- binary.LittleEndian.PutUint32(x.cfg[8:], x.nodeOffset)
- x.nodeOffset++
-
- x.d.initConfig(&x.cfg)
- x.d.Write(x.root[:])
- x.d.finalize(&x.block)
-
- x.offset = copy(p, x.block[:todo])
- x.remaining -= uint64(todo)
- }
- return
-}
-
-func (d *digest) initConfig(cfg *[Size]byte) {
- d.offset, d.c[0], d.c[1] = 0, 0, 0
- for i := range d.h {
- d.h[i] = iv[i] ^ binary.LittleEndian.Uint64(cfg[i*8:])
- }
-}
diff --git a/vendor/golang.org/x/crypto/blake2b/register.go b/vendor/golang.org/x/crypto/blake2b/register.go
deleted file mode 100644
index 54e446e1d..000000000
--- a/vendor/golang.org/x/crypto/blake2b/register.go
+++ /dev/null
@@ -1,30 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package blake2b
-
-import (
- "crypto"
- "hash"
-)
-
-func init() {
- newHash256 := func() hash.Hash {
- h, _ := New256(nil)
- return h
- }
- newHash384 := func() hash.Hash {
- h, _ := New384(nil)
- return h
- }
-
- newHash512 := func() hash.Hash {
- h, _ := New512(nil)
- return h
- }
-
- crypto.RegisterHash(crypto.BLAKE2b_256, newHash256)
- crypto.RegisterHash(crypto.BLAKE2b_384, newHash384)
- crypto.RegisterHash(crypto.BLAKE2b_512, newHash512)
-}
diff --git a/vendor/golang.org/x/crypto/blake2s/blake2s.go b/vendor/golang.org/x/crypto/blake2s/blake2s.go
deleted file mode 100644
index c25d07d4f..000000000
--- a/vendor/golang.org/x/crypto/blake2s/blake2s.go
+++ /dev/null
@@ -1,254 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package blake2s implements the BLAKE2s hash algorithm defined by RFC 7693
-// and the extendable output function (XOF) BLAKE2Xs.
-//
-// BLAKE2s is optimized for 8- to 32-bit platforms and produces digests of any
-// size between 1 and 32 bytes.
-// For a detailed specification of BLAKE2s see https://blake2.net/blake2.pdf
-// and for BLAKE2Xs see https://blake2.net/blake2x.pdf
-//
-// If you aren't sure which function you need, use BLAKE2s (Sum256 or New256).
-// If you need a secret-key MAC (message authentication code), use the New256
-// function with a non-nil key.
-//
-// BLAKE2X is a construction to compute hash values larger than 32 bytes. It
-// can produce hash values between 0 and 65535 bytes.
-package blake2s
-
-import (
- "crypto"
- "encoding/binary"
- "errors"
- "hash"
-)
-
-const (
- // The blocksize of BLAKE2s in bytes.
- BlockSize = 64
-
- // The hash size of BLAKE2s-256 in bytes.
- Size = 32
-
- // The hash size of BLAKE2s-128 in bytes.
- Size128 = 16
-)
-
-var errKeySize = errors.New("blake2s: invalid key size")
-
-var iv = [8]uint32{
- 0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a,
- 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19,
-}
-
-// Sum256 returns the BLAKE2s-256 checksum of the data.
-func Sum256(data []byte) [Size]byte {
- var sum [Size]byte
- checkSum(&sum, Size, data)
- return sum
-}
-
-// New256 returns a new hash.Hash computing the BLAKE2s-256 checksum. A non-nil
-// key turns the hash into a MAC. The key must between zero and 32 bytes long.
-// When the key is nil, the returned hash.Hash implements BinaryMarshaler
-// and BinaryUnmarshaler for state (de)serialization as documented by hash.Hash.
-func New256(key []byte) (hash.Hash, error) { return newDigest(Size, key) }
-
-func init() {
- crypto.RegisterHash(crypto.BLAKE2s_256, func() hash.Hash {
- h, _ := New256(nil)
- return h
- })
-}
-
-// New128 returns a new hash.Hash computing the BLAKE2s-128 checksum given a
-// non-empty key. Note that a 128-bit digest is too small to be secure as a
-// cryptographic hash and should only be used as a MAC, thus the key argument
-// is not optional.
-func New128(key []byte) (hash.Hash, error) {
- if len(key) == 0 {
- return nil, errors.New("blake2s: a key is required for a 128-bit hash")
- }
- return newDigest(Size128, key)
-}
-
-func newDigest(hashSize int, key []byte) (*digest, error) {
- if len(key) > Size {
- return nil, errKeySize
- }
- d := &digest{
- size: hashSize,
- keyLen: len(key),
- }
- copy(d.key[:], key)
- d.Reset()
- return d, nil
-}
-
-func checkSum(sum *[Size]byte, hashSize int, data []byte) {
- var (
- h [8]uint32
- c [2]uint32
- )
-
- h = iv
- h[0] ^= uint32(hashSize) | (1 << 16) | (1 << 24)
-
- if length := len(data); length > BlockSize {
- n := length &^ (BlockSize - 1)
- if length == n {
- n -= BlockSize
- }
- hashBlocks(&h, &c, 0, data[:n])
- data = data[n:]
- }
-
- var block [BlockSize]byte
- offset := copy(block[:], data)
- remaining := uint32(BlockSize - offset)
-
- if c[0] < remaining {
- c[1]--
- }
- c[0] -= remaining
-
- hashBlocks(&h, &c, 0xFFFFFFFF, block[:])
-
- for i, v := range h {
- binary.LittleEndian.PutUint32(sum[4*i:], v)
- }
-}
-
-type digest struct {
- h [8]uint32
- c [2]uint32
- size int
- block [BlockSize]byte
- offset int
-
- key [BlockSize]byte
- keyLen int
-}
-
-const (
- magic = "b2s"
- marshaledSize = len(magic) + 8*4 + 2*4 + 1 + BlockSize + 1
-)
-
-func (d *digest) MarshalBinary() ([]byte, error) {
- if d.keyLen != 0 {
- return nil, errors.New("crypto/blake2s: cannot marshal MACs")
- }
- b := make([]byte, 0, marshaledSize)
- b = append(b, magic...)
- for i := 0; i < 8; i++ {
- b = appendUint32(b, d.h[i])
- }
- b = appendUint32(b, d.c[0])
- b = appendUint32(b, d.c[1])
- // Maximum value for size is 32
- b = append(b, byte(d.size))
- b = append(b, d.block[:]...)
- b = append(b, byte(d.offset))
- return b, nil
-}
-
-func (d *digest) UnmarshalBinary(b []byte) error {
- if len(b) < len(magic) || string(b[:len(magic)]) != magic {
- return errors.New("crypto/blake2s: invalid hash state identifier")
- }
- if len(b) != marshaledSize {
- return errors.New("crypto/blake2s: invalid hash state size")
- }
- b = b[len(magic):]
- for i := 0; i < 8; i++ {
- b, d.h[i] = consumeUint32(b)
- }
- b, d.c[0] = consumeUint32(b)
- b, d.c[1] = consumeUint32(b)
- d.size = int(b[0])
- b = b[1:]
- copy(d.block[:], b[:BlockSize])
- b = b[BlockSize:]
- d.offset = int(b[0])
- return nil
-}
-
-func (d *digest) BlockSize() int { return BlockSize }
-
-func (d *digest) Size() int { return d.size }
-
-func (d *digest) Reset() {
- d.h = iv
- d.h[0] ^= uint32(d.size) | (uint32(d.keyLen) << 8) | (1 << 16) | (1 << 24)
- d.offset, d.c[0], d.c[1] = 0, 0, 0
- if d.keyLen > 0 {
- d.block = d.key
- d.offset = BlockSize
- }
-}
-
-func (d *digest) Write(p []byte) (n int, err error) {
- n = len(p)
-
- if d.offset > 0 {
- remaining := BlockSize - d.offset
- if n <= remaining {
- d.offset += copy(d.block[d.offset:], p)
- return
- }
- copy(d.block[d.offset:], p[:remaining])
- hashBlocks(&d.h, &d.c, 0, d.block[:])
- d.offset = 0
- p = p[remaining:]
- }
-
- if length := len(p); length > BlockSize {
- nn := length &^ (BlockSize - 1)
- if length == nn {
- nn -= BlockSize
- }
- hashBlocks(&d.h, &d.c, 0, p[:nn])
- p = p[nn:]
- }
-
- d.offset += copy(d.block[:], p)
- return
-}
-
-func (d *digest) Sum(sum []byte) []byte {
- var hash [Size]byte
- d.finalize(&hash)
- return append(sum, hash[:d.size]...)
-}
-
-func (d *digest) finalize(hash *[Size]byte) {
- var block [BlockSize]byte
- h := d.h
- c := d.c
-
- copy(block[:], d.block[:d.offset])
- remaining := uint32(BlockSize - d.offset)
- if c[0] < remaining {
- c[1]--
- }
- c[0] -= remaining
-
- hashBlocks(&h, &c, 0xFFFFFFFF, block[:])
- for i, v := range h {
- binary.LittleEndian.PutUint32(hash[4*i:], v)
- }
-}
-
-func appendUint32(b []byte, x uint32) []byte {
- var a [4]byte
- binary.BigEndian.PutUint32(a[:], x)
- return append(b, a[:]...)
-}
-
-func consumeUint32(b []byte) ([]byte, uint32) {
- x := binary.BigEndian.Uint32(b)
- return b[4:], x
-}
diff --git a/vendor/golang.org/x/crypto/blake2s/blake2s_386.go b/vendor/golang.org/x/crypto/blake2s/blake2s_386.go
deleted file mode 100644
index 97f629617..000000000
--- a/vendor/golang.org/x/crypto/blake2s/blake2s_386.go
+++ /dev/null
@@ -1,32 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build 386 && gc && !purego
-
-package blake2s
-
-import "golang.org/x/sys/cpu"
-
-var (
- useSSE4 = false
- useSSSE3 = cpu.X86.HasSSSE3
- useSSE2 = cpu.X86.HasSSE2
-)
-
-//go:noescape
-func hashBlocksSSE2(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte)
-
-//go:noescape
-func hashBlocksSSSE3(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte)
-
-func hashBlocks(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte) {
- switch {
- case useSSSE3:
- hashBlocksSSSE3(h, c, flag, blocks)
- case useSSE2:
- hashBlocksSSE2(h, c, flag, blocks)
- default:
- hashBlocksGeneric(h, c, flag, blocks)
- }
-}
diff --git a/vendor/golang.org/x/crypto/blake2s/blake2s_386.s b/vendor/golang.org/x/crypto/blake2s/blake2s_386.s
deleted file mode 100644
index 919c02654..000000000
--- a/vendor/golang.org/x/crypto/blake2s/blake2s_386.s
+++ /dev/null
@@ -1,429 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build 386 && gc && !purego
-
-#include "textflag.h"
-
-DATA iv0<>+0x00(SB)/4, $0x6a09e667
-DATA iv0<>+0x04(SB)/4, $0xbb67ae85
-DATA iv0<>+0x08(SB)/4, $0x3c6ef372
-DATA iv0<>+0x0c(SB)/4, $0xa54ff53a
-GLOBL iv0<>(SB), (NOPTR+RODATA), $16
-
-DATA iv1<>+0x00(SB)/4, $0x510e527f
-DATA iv1<>+0x04(SB)/4, $0x9b05688c
-DATA iv1<>+0x08(SB)/4, $0x1f83d9ab
-DATA iv1<>+0x0c(SB)/4, $0x5be0cd19
-GLOBL iv1<>(SB), (NOPTR+RODATA), $16
-
-DATA rol16<>+0x00(SB)/8, $0x0504070601000302
-DATA rol16<>+0x08(SB)/8, $0x0D0C0F0E09080B0A
-GLOBL rol16<>(SB), (NOPTR+RODATA), $16
-
-DATA rol8<>+0x00(SB)/8, $0x0407060500030201
-DATA rol8<>+0x08(SB)/8, $0x0C0F0E0D080B0A09
-GLOBL rol8<>(SB), (NOPTR+RODATA), $16
-
-DATA counter<>+0x00(SB)/8, $0x40
-DATA counter<>+0x08(SB)/8, $0x0
-GLOBL counter<>(SB), (NOPTR+RODATA), $16
-
-#define ROTL_SSE2(n, t, v) \
- MOVO v, t; \
- PSLLL $n, t; \
- PSRLL $(32-n), v; \
- PXOR t, v
-
-#define ROTL_SSSE3(c, v) \
- PSHUFB c, v
-
-#define ROUND_SSE2(v0, v1, v2, v3, m0, m1, m2, m3, t) \
- PADDL m0, v0; \
- PADDL v1, v0; \
- PXOR v0, v3; \
- ROTL_SSE2(16, t, v3); \
- PADDL v3, v2; \
- PXOR v2, v1; \
- ROTL_SSE2(20, t, v1); \
- PADDL m1, v0; \
- PADDL v1, v0; \
- PXOR v0, v3; \
- ROTL_SSE2(24, t, v3); \
- PADDL v3, v2; \
- PXOR v2, v1; \
- ROTL_SSE2(25, t, v1); \
- PSHUFL $0x39, v1, v1; \
- PSHUFL $0x4E, v2, v2; \
- PSHUFL $0x93, v3, v3; \
- PADDL m2, v0; \
- PADDL v1, v0; \
- PXOR v0, v3; \
- ROTL_SSE2(16, t, v3); \
- PADDL v3, v2; \
- PXOR v2, v1; \
- ROTL_SSE2(20, t, v1); \
- PADDL m3, v0; \
- PADDL v1, v0; \
- PXOR v0, v3; \
- ROTL_SSE2(24, t, v3); \
- PADDL v3, v2; \
- PXOR v2, v1; \
- ROTL_SSE2(25, t, v1); \
- PSHUFL $0x39, v3, v3; \
- PSHUFL $0x4E, v2, v2; \
- PSHUFL $0x93, v1, v1
-
-#define ROUND_SSSE3(v0, v1, v2, v3, m0, m1, m2, m3, t, c16, c8) \
- PADDL m0, v0; \
- PADDL v1, v0; \
- PXOR v0, v3; \
- ROTL_SSSE3(c16, v3); \
- PADDL v3, v2; \
- PXOR v2, v1; \
- ROTL_SSE2(20, t, v1); \
- PADDL m1, v0; \
- PADDL v1, v0; \
- PXOR v0, v3; \
- ROTL_SSSE3(c8, v3); \
- PADDL v3, v2; \
- PXOR v2, v1; \
- ROTL_SSE2(25, t, v1); \
- PSHUFL $0x39, v1, v1; \
- PSHUFL $0x4E, v2, v2; \
- PSHUFL $0x93, v3, v3; \
- PADDL m2, v0; \
- PADDL v1, v0; \
- PXOR v0, v3; \
- ROTL_SSSE3(c16, v3); \
- PADDL v3, v2; \
- PXOR v2, v1; \
- ROTL_SSE2(20, t, v1); \
- PADDL m3, v0; \
- PADDL v1, v0; \
- PXOR v0, v3; \
- ROTL_SSSE3(c8, v3); \
- PADDL v3, v2; \
- PXOR v2, v1; \
- ROTL_SSE2(25, t, v1); \
- PSHUFL $0x39, v3, v3; \
- PSHUFL $0x4E, v2, v2; \
- PSHUFL $0x93, v1, v1
-
-#define PRECOMPUTE(dst, off, src, t) \
- MOVL 0*4(src), t; \
- MOVL t, 0*4+off+0(dst); \
- MOVL t, 9*4+off+64(dst); \
- MOVL t, 5*4+off+128(dst); \
- MOVL t, 14*4+off+192(dst); \
- MOVL t, 4*4+off+256(dst); \
- MOVL t, 2*4+off+320(dst); \
- MOVL t, 8*4+off+384(dst); \
- MOVL t, 12*4+off+448(dst); \
- MOVL t, 3*4+off+512(dst); \
- MOVL t, 15*4+off+576(dst); \
- MOVL 1*4(src), t; \
- MOVL t, 4*4+off+0(dst); \
- MOVL t, 8*4+off+64(dst); \
- MOVL t, 14*4+off+128(dst); \
- MOVL t, 5*4+off+192(dst); \
- MOVL t, 12*4+off+256(dst); \
- MOVL t, 11*4+off+320(dst); \
- MOVL t, 1*4+off+384(dst); \
- MOVL t, 6*4+off+448(dst); \
- MOVL t, 10*4+off+512(dst); \
- MOVL t, 3*4+off+576(dst); \
- MOVL 2*4(src), t; \
- MOVL t, 1*4+off+0(dst); \
- MOVL t, 13*4+off+64(dst); \
- MOVL t, 6*4+off+128(dst); \
- MOVL t, 8*4+off+192(dst); \
- MOVL t, 2*4+off+256(dst); \
- MOVL t, 0*4+off+320(dst); \
- MOVL t, 14*4+off+384(dst); \
- MOVL t, 11*4+off+448(dst); \
- MOVL t, 12*4+off+512(dst); \
- MOVL t, 4*4+off+576(dst); \
- MOVL 3*4(src), t; \
- MOVL t, 5*4+off+0(dst); \
- MOVL t, 15*4+off+64(dst); \
- MOVL t, 9*4+off+128(dst); \
- MOVL t, 1*4+off+192(dst); \
- MOVL t, 11*4+off+256(dst); \
- MOVL t, 7*4+off+320(dst); \
- MOVL t, 13*4+off+384(dst); \
- MOVL t, 3*4+off+448(dst); \
- MOVL t, 6*4+off+512(dst); \
- MOVL t, 10*4+off+576(dst); \
- MOVL 4*4(src), t; \
- MOVL t, 2*4+off+0(dst); \
- MOVL t, 1*4+off+64(dst); \
- MOVL t, 15*4+off+128(dst); \
- MOVL t, 10*4+off+192(dst); \
- MOVL t, 6*4+off+256(dst); \
- MOVL t, 8*4+off+320(dst); \
- MOVL t, 3*4+off+384(dst); \
- MOVL t, 13*4+off+448(dst); \
- MOVL t, 14*4+off+512(dst); \
- MOVL t, 5*4+off+576(dst); \
- MOVL 5*4(src), t; \
- MOVL t, 6*4+off+0(dst); \
- MOVL t, 11*4+off+64(dst); \
- MOVL t, 2*4+off+128(dst); \
- MOVL t, 9*4+off+192(dst); \
- MOVL t, 1*4+off+256(dst); \
- MOVL t, 13*4+off+320(dst); \
- MOVL t, 4*4+off+384(dst); \
- MOVL t, 8*4+off+448(dst); \
- MOVL t, 15*4+off+512(dst); \
- MOVL t, 7*4+off+576(dst); \
- MOVL 6*4(src), t; \
- MOVL t, 3*4+off+0(dst); \
- MOVL t, 7*4+off+64(dst); \
- MOVL t, 13*4+off+128(dst); \
- MOVL t, 12*4+off+192(dst); \
- MOVL t, 10*4+off+256(dst); \
- MOVL t, 1*4+off+320(dst); \
- MOVL t, 9*4+off+384(dst); \
- MOVL t, 14*4+off+448(dst); \
- MOVL t, 0*4+off+512(dst); \
- MOVL t, 6*4+off+576(dst); \
- MOVL 7*4(src), t; \
- MOVL t, 7*4+off+0(dst); \
- MOVL t, 14*4+off+64(dst); \
- MOVL t, 10*4+off+128(dst); \
- MOVL t, 0*4+off+192(dst); \
- MOVL t, 5*4+off+256(dst); \
- MOVL t, 9*4+off+320(dst); \
- MOVL t, 12*4+off+384(dst); \
- MOVL t, 1*4+off+448(dst); \
- MOVL t, 13*4+off+512(dst); \
- MOVL t, 2*4+off+576(dst); \
- MOVL 8*4(src), t; \
- MOVL t, 8*4+off+0(dst); \
- MOVL t, 5*4+off+64(dst); \
- MOVL t, 4*4+off+128(dst); \
- MOVL t, 15*4+off+192(dst); \
- MOVL t, 14*4+off+256(dst); \
- MOVL t, 3*4+off+320(dst); \
- MOVL t, 11*4+off+384(dst); \
- MOVL t, 10*4+off+448(dst); \
- MOVL t, 7*4+off+512(dst); \
- MOVL t, 1*4+off+576(dst); \
- MOVL 9*4(src), t; \
- MOVL t, 12*4+off+0(dst); \
- MOVL t, 2*4+off+64(dst); \
- MOVL t, 11*4+off+128(dst); \
- MOVL t, 4*4+off+192(dst); \
- MOVL t, 0*4+off+256(dst); \
- MOVL t, 15*4+off+320(dst); \
- MOVL t, 10*4+off+384(dst); \
- MOVL t, 7*4+off+448(dst); \
- MOVL t, 5*4+off+512(dst); \
- MOVL t, 9*4+off+576(dst); \
- MOVL 10*4(src), t; \
- MOVL t, 9*4+off+0(dst); \
- MOVL t, 4*4+off+64(dst); \
- MOVL t, 8*4+off+128(dst); \
- MOVL t, 13*4+off+192(dst); \
- MOVL t, 3*4+off+256(dst); \
- MOVL t, 5*4+off+320(dst); \
- MOVL t, 7*4+off+384(dst); \
- MOVL t, 15*4+off+448(dst); \
- MOVL t, 11*4+off+512(dst); \
- MOVL t, 0*4+off+576(dst); \
- MOVL 11*4(src), t; \
- MOVL t, 13*4+off+0(dst); \
- MOVL t, 10*4+off+64(dst); \
- MOVL t, 0*4+off+128(dst); \
- MOVL t, 3*4+off+192(dst); \
- MOVL t, 9*4+off+256(dst); \
- MOVL t, 6*4+off+320(dst); \
- MOVL t, 15*4+off+384(dst); \
- MOVL t, 4*4+off+448(dst); \
- MOVL t, 2*4+off+512(dst); \
- MOVL t, 12*4+off+576(dst); \
- MOVL 12*4(src), t; \
- MOVL t, 10*4+off+0(dst); \
- MOVL t, 12*4+off+64(dst); \
- MOVL t, 1*4+off+128(dst); \
- MOVL t, 6*4+off+192(dst); \
- MOVL t, 13*4+off+256(dst); \
- MOVL t, 4*4+off+320(dst); \
- MOVL t, 0*4+off+384(dst); \
- MOVL t, 2*4+off+448(dst); \
- MOVL t, 8*4+off+512(dst); \
- MOVL t, 14*4+off+576(dst); \
- MOVL 13*4(src), t; \
- MOVL t, 14*4+off+0(dst); \
- MOVL t, 3*4+off+64(dst); \
- MOVL t, 7*4+off+128(dst); \
- MOVL t, 2*4+off+192(dst); \
- MOVL t, 15*4+off+256(dst); \
- MOVL t, 12*4+off+320(dst); \
- MOVL t, 6*4+off+384(dst); \
- MOVL t, 0*4+off+448(dst); \
- MOVL t, 9*4+off+512(dst); \
- MOVL t, 11*4+off+576(dst); \
- MOVL 14*4(src), t; \
- MOVL t, 11*4+off+0(dst); \
- MOVL t, 0*4+off+64(dst); \
- MOVL t, 12*4+off+128(dst); \
- MOVL t, 7*4+off+192(dst); \
- MOVL t, 8*4+off+256(dst); \
- MOVL t, 14*4+off+320(dst); \
- MOVL t, 2*4+off+384(dst); \
- MOVL t, 5*4+off+448(dst); \
- MOVL t, 1*4+off+512(dst); \
- MOVL t, 13*4+off+576(dst); \
- MOVL 15*4(src), t; \
- MOVL t, 15*4+off+0(dst); \
- MOVL t, 6*4+off+64(dst); \
- MOVL t, 3*4+off+128(dst); \
- MOVL t, 11*4+off+192(dst); \
- MOVL t, 7*4+off+256(dst); \
- MOVL t, 10*4+off+320(dst); \
- MOVL t, 5*4+off+384(dst); \
- MOVL t, 9*4+off+448(dst); \
- MOVL t, 4*4+off+512(dst); \
- MOVL t, 8*4+off+576(dst)
-
-// func hashBlocksSSE2(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte)
-TEXT ·hashBlocksSSE2(SB), 0, $672-24 // frame = 656 + 16 byte alignment
- MOVL h+0(FP), AX
- MOVL c+4(FP), BX
- MOVL flag+8(FP), CX
- MOVL blocks_base+12(FP), SI
- MOVL blocks_len+16(FP), DX
-
- MOVL SP, DI
- ADDL $15, DI
- ANDL $~15, DI
-
- MOVL CX, 8(DI)
- MOVL 0(BX), CX
- MOVL CX, 0(DI)
- MOVL 4(BX), CX
- MOVL CX, 4(DI)
- XORL CX, CX
- MOVL CX, 12(DI)
-
- MOVOU 0(AX), X0
- MOVOU 16(AX), X1
- MOVOU counter<>(SB), X2
-
-loop:
- MOVO X0, X4
- MOVO X1, X5
- MOVOU iv0<>(SB), X6
- MOVOU iv1<>(SB), X7
-
- MOVO 0(DI), X3
- PADDQ X2, X3
- PXOR X3, X7
- MOVO X3, 0(DI)
-
- PRECOMPUTE(DI, 16, SI, CX)
- ROUND_SSE2(X4, X5, X6, X7, 16(DI), 32(DI), 48(DI), 64(DI), X3)
- ROUND_SSE2(X4, X5, X6, X7, 16+64(DI), 32+64(DI), 48+64(DI), 64+64(DI), X3)
- ROUND_SSE2(X4, X5, X6, X7, 16+128(DI), 32+128(DI), 48+128(DI), 64+128(DI), X3)
- ROUND_SSE2(X4, X5, X6, X7, 16+192(DI), 32+192(DI), 48+192(DI), 64+192(DI), X3)
- ROUND_SSE2(X4, X5, X6, X7, 16+256(DI), 32+256(DI), 48+256(DI), 64+256(DI), X3)
- ROUND_SSE2(X4, X5, X6, X7, 16+320(DI), 32+320(DI), 48+320(DI), 64+320(DI), X3)
- ROUND_SSE2(X4, X5, X6, X7, 16+384(DI), 32+384(DI), 48+384(DI), 64+384(DI), X3)
- ROUND_SSE2(X4, X5, X6, X7, 16+448(DI), 32+448(DI), 48+448(DI), 64+448(DI), X3)
- ROUND_SSE2(X4, X5, X6, X7, 16+512(DI), 32+512(DI), 48+512(DI), 64+512(DI), X3)
- ROUND_SSE2(X4, X5, X6, X7, 16+576(DI), 32+576(DI), 48+576(DI), 64+576(DI), X3)
-
- PXOR X4, X0
- PXOR X5, X1
- PXOR X6, X0
- PXOR X7, X1
-
- LEAL 64(SI), SI
- SUBL $64, DX
- JNE loop
-
- MOVL 0(DI), CX
- MOVL CX, 0(BX)
- MOVL 4(DI), CX
- MOVL CX, 4(BX)
-
- MOVOU X0, 0(AX)
- MOVOU X1, 16(AX)
-
- RET
-
-// func hashBlocksSSSE3(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte)
-TEXT ·hashBlocksSSSE3(SB), 0, $704-24 // frame = 688 + 16 byte alignment
- MOVL h+0(FP), AX
- MOVL c+4(FP), BX
- MOVL flag+8(FP), CX
- MOVL blocks_base+12(FP), SI
- MOVL blocks_len+16(FP), DX
-
- MOVL SP, DI
- ADDL $15, DI
- ANDL $~15, DI
-
- MOVL CX, 8(DI)
- MOVL 0(BX), CX
- MOVL CX, 0(DI)
- MOVL 4(BX), CX
- MOVL CX, 4(DI)
- XORL CX, CX
- MOVL CX, 12(DI)
-
- MOVOU 0(AX), X0
- MOVOU 16(AX), X1
- MOVOU counter<>(SB), X2
-
-loop:
- MOVO X0, 656(DI)
- MOVO X1, 672(DI)
- MOVO X0, X4
- MOVO X1, X5
- MOVOU iv0<>(SB), X6
- MOVOU iv1<>(SB), X7
-
- MOVO 0(DI), X3
- PADDQ X2, X3
- PXOR X3, X7
- MOVO X3, 0(DI)
-
- MOVOU rol16<>(SB), X0
- MOVOU rol8<>(SB), X1
-
- PRECOMPUTE(DI, 16, SI, CX)
- ROUND_SSSE3(X4, X5, X6, X7, 16(DI), 32(DI), 48(DI), 64(DI), X3, X0, X1)
- ROUND_SSSE3(X4, X5, X6, X7, 16+64(DI), 32+64(DI), 48+64(DI), 64+64(DI), X3, X0, X1)
- ROUND_SSSE3(X4, X5, X6, X7, 16+128(DI), 32+128(DI), 48+128(DI), 64+128(DI), X3, X0, X1)
- ROUND_SSSE3(X4, X5, X6, X7, 16+192(DI), 32+192(DI), 48+192(DI), 64+192(DI), X3, X0, X1)
- ROUND_SSSE3(X4, X5, X6, X7, 16+256(DI), 32+256(DI), 48+256(DI), 64+256(DI), X3, X0, X1)
- ROUND_SSSE3(X4, X5, X6, X7, 16+320(DI), 32+320(DI), 48+320(DI), 64+320(DI), X3, X0, X1)
- ROUND_SSSE3(X4, X5, X6, X7, 16+384(DI), 32+384(DI), 48+384(DI), 64+384(DI), X3, X0, X1)
- ROUND_SSSE3(X4, X5, X6, X7, 16+448(DI), 32+448(DI), 48+448(DI), 64+448(DI), X3, X0, X1)
- ROUND_SSSE3(X4, X5, X6, X7, 16+512(DI), 32+512(DI), 48+512(DI), 64+512(DI), X3, X0, X1)
- ROUND_SSSE3(X4, X5, X6, X7, 16+576(DI), 32+576(DI), 48+576(DI), 64+576(DI), X3, X0, X1)
-
- MOVO 656(DI), X0
- MOVO 672(DI), X1
- PXOR X4, X0
- PXOR X5, X1
- PXOR X6, X0
- PXOR X7, X1
-
- LEAL 64(SI), SI
- SUBL $64, DX
- JNE loop
-
- MOVL 0(DI), CX
- MOVL CX, 0(BX)
- MOVL 4(DI), CX
- MOVL CX, 4(BX)
-
- MOVOU X0, 0(AX)
- MOVOU X1, 16(AX)
-
- RET
diff --git a/vendor/golang.org/x/crypto/blake2s/blake2s_amd64.go b/vendor/golang.org/x/crypto/blake2s/blake2s_amd64.go
deleted file mode 100644
index 8a7310254..000000000
--- a/vendor/golang.org/x/crypto/blake2s/blake2s_amd64.go
+++ /dev/null
@@ -1,37 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build amd64 && gc && !purego
-
-package blake2s
-
-import "golang.org/x/sys/cpu"
-
-var (
- useSSE4 = cpu.X86.HasSSE41
- useSSSE3 = cpu.X86.HasSSSE3
- useSSE2 = cpu.X86.HasSSE2
-)
-
-//go:noescape
-func hashBlocksSSE2(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte)
-
-//go:noescape
-func hashBlocksSSSE3(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte)
-
-//go:noescape
-func hashBlocksSSE4(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte)
-
-func hashBlocks(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte) {
- switch {
- case useSSE4:
- hashBlocksSSE4(h, c, flag, blocks)
- case useSSSE3:
- hashBlocksSSSE3(h, c, flag, blocks)
- case useSSE2:
- hashBlocksSSE2(h, c, flag, blocks)
- default:
- hashBlocksGeneric(h, c, flag, blocks)
- }
-}
diff --git a/vendor/golang.org/x/crypto/blake2s/blake2s_amd64.s b/vendor/golang.org/x/crypto/blake2s/blake2s_amd64.s
deleted file mode 100644
index 57d510fc0..000000000
--- a/vendor/golang.org/x/crypto/blake2s/blake2s_amd64.s
+++ /dev/null
@@ -1,2173 +0,0 @@ -// Code generated by command: go run blake2s_amd64_asm.go -out ../blake2s_amd64.s -pkg blake2s. DO NOT EDIT. - -//go:build amd64 && gc && !purego - -#include "textflag.h" - -// func hashBlocksSSE2(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte) -// Requires: SSE2 -TEXT ·hashBlocksSSE2(SB), $672-48 - MOVQ h+0(FP), AX - MOVQ c+8(FP), BX - MOVL flag+16(FP), CX - MOVQ blocks_base+24(FP), SI - MOVQ blocks_len+32(FP), DX - MOVQ SP, BP - ADDQ $0x0f, BP - ANDQ $-16, BP - MOVQ (BX), R9 - MOVQ R9, (BP) - MOVQ CX, 8(BP) - MOVOU (AX), X0 - MOVOU 16(AX), X1 - MOVOU iv0<>+0(SB), X2 - MOVOU iv1<>+0(SB), X3 - MOVOU counter<>+0(SB), X12 - MOVOU rol16<>+0(SB), X13 - MOVOU rol8<>+0(SB), X14 - MOVO (BP), X15 - -loop: - MOVO X0, X4 - MOVO X1, X5 - MOVO X2, X6 - MOVO X3, X7 - PADDQ X12, X15 - PXOR X15, X7 - MOVQ (SI), R8 - MOVQ 8(SI), R9 - MOVQ 16(SI), R10 - MOVQ 24(SI), R11 - MOVQ 32(SI), R12 - MOVQ 40(SI), R13 - MOVQ 48(SI), R14 - MOVQ 56(SI), R15 - MOVL R8, 16(BP) - MOVL R8, 116(BP) - MOVL R8, 164(BP) - MOVL R8, 264(BP) - MOVL R8, 288(BP) - MOVL R8, 344(BP) - MOVL R8, 432(BP) - MOVL R8, 512(BP) - MOVL R8, 540(BP) - MOVL R8, 652(BP) - SHRQ $0x20, R8 - MOVL R8, 32(BP) - MOVL R8, 112(BP) - MOVL R8, 200(BP) - MOVL R8, 228(BP) - MOVL R8, 320(BP) - MOVL R8, 380(BP) - MOVL R8, 404(BP) - MOVL R8, 488(BP) - MOVL R8, 568(BP) - MOVL R8, 604(BP) - MOVL R9, 20(BP) - MOVL R9, 132(BP) - MOVL R9, 168(BP) - MOVL R9, 240(BP) - MOVL R9, 280(BP) - MOVL R9, 336(BP) - MOVL R9, 456(BP) - MOVL R9, 508(BP) - MOVL R9, 576(BP) - MOVL R9, 608(BP) - SHRQ $0x20, R9 - MOVL R9, 36(BP) - MOVL R9, 140(BP) - MOVL R9, 180(BP) - MOVL R9, 212(BP) - MOVL R9, 316(BP) - MOVL R9, 364(BP) - MOVL R9, 452(BP) - MOVL R9, 476(BP) - MOVL R9, 552(BP) - MOVL R9, 632(BP) - MOVL R10, 24(BP) - MOVL R10, 84(BP) - MOVL R10, 204(BP) - MOVL R10, 248(BP) - MOVL R10, 296(BP) - MOVL R10, 368(BP) - MOVL R10, 412(BP) - MOVL R10, 516(BP) - MOVL R10, 584(BP) - MOVL R10, 612(BP) - SHRQ $0x20, R10 - MOVL R10, 40(BP) - 
MOVL R10, 124(BP) - MOVL R10, 152(BP) - MOVL R10, 244(BP) - MOVL R10, 276(BP) - MOVL R10, 388(BP) - MOVL R10, 416(BP) - MOVL R10, 496(BP) - MOVL R10, 588(BP) - MOVL R10, 620(BP) - MOVL R11, 28(BP) - MOVL R11, 108(BP) - MOVL R11, 196(BP) - MOVL R11, 256(BP) - MOVL R11, 312(BP) - MOVL R11, 340(BP) - MOVL R11, 436(BP) - MOVL R11, 520(BP) - MOVL R11, 528(BP) - MOVL R11, 616(BP) - SHRQ $0x20, R11 - MOVL R11, 44(BP) - MOVL R11, 136(BP) - MOVL R11, 184(BP) - MOVL R11, 208(BP) - MOVL R11, 292(BP) - MOVL R11, 372(BP) - MOVL R11, 448(BP) - MOVL R11, 468(BP) - MOVL R11, 580(BP) - MOVL R11, 600(BP) - MOVL R12, 48(BP) - MOVL R12, 100(BP) - MOVL R12, 160(BP) - MOVL R12, 268(BP) - MOVL R12, 328(BP) - MOVL R12, 348(BP) - MOVL R12, 444(BP) - MOVL R12, 504(BP) - MOVL R12, 556(BP) - MOVL R12, 596(BP) - SHRQ $0x20, R12 - MOVL R12, 64(BP) - MOVL R12, 88(BP) - MOVL R12, 188(BP) - MOVL R12, 224(BP) - MOVL R12, 272(BP) - MOVL R12, 396(BP) - MOVL R12, 440(BP) - MOVL R12, 492(BP) - MOVL R12, 548(BP) - MOVL R12, 628(BP) - MOVL R13, 52(BP) - MOVL R13, 96(BP) - MOVL R13, 176(BP) - MOVL R13, 260(BP) - MOVL R13, 284(BP) - MOVL R13, 356(BP) - MOVL R13, 428(BP) - MOVL R13, 524(BP) - MOVL R13, 572(BP) - MOVL R13, 592(BP) - SHRQ $0x20, R13 - MOVL R13, 68(BP) - MOVL R13, 120(BP) - MOVL R13, 144(BP) - MOVL R13, 220(BP) - MOVL R13, 308(BP) - MOVL R13, 360(BP) - MOVL R13, 460(BP) - MOVL R13, 480(BP) - MOVL R13, 536(BP) - MOVL R13, 640(BP) - MOVL R14, 56(BP) - MOVL R14, 128(BP) - MOVL R14, 148(BP) - MOVL R14, 232(BP) - MOVL R14, 324(BP) - MOVL R14, 352(BP) - MOVL R14, 400(BP) - MOVL R14, 472(BP) - MOVL R14, 560(BP) - MOVL R14, 648(BP) - SHRQ $0x20, R14 - MOVL R14, 72(BP) - MOVL R14, 92(BP) - MOVL R14, 172(BP) - MOVL R14, 216(BP) - MOVL R14, 332(BP) - MOVL R14, 384(BP) - MOVL R14, 424(BP) - MOVL R14, 464(BP) - MOVL R14, 564(BP) - MOVL R14, 636(BP) - MOVL R15, 60(BP) - MOVL R15, 80(BP) - MOVL R15, 192(BP) - MOVL R15, 236(BP) - MOVL R15, 304(BP) - MOVL R15, 392(BP) - MOVL R15, 408(BP) - MOVL R15, 484(BP) - 
MOVL R15, 532(BP) - MOVL R15, 644(BP) - SHRQ $0x20, R15 - MOVL R15, 76(BP) - MOVL R15, 104(BP) - MOVL R15, 156(BP) - MOVL R15, 252(BP) - MOVL R15, 300(BP) - MOVL R15, 376(BP) - MOVL R15, 420(BP) - MOVL R15, 500(BP) - MOVL R15, 544(BP) - MOVL R15, 624(BP) - PADDL 16(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 32(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 48(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 64(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PADDL 80(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 96(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 112(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 128(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - 
PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PADDL 144(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 160(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 176(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 192(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PADDL 208(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 224(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 240(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 256(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - 
PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PADDL 272(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 288(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 304(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 320(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PADDL 336(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 352(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 368(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 384(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 
- PSHUFL $0x93, X5, X5 - PADDL 400(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 416(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 432(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 448(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PADDL 464(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 480(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 496(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 512(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PADDL 528(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - 
MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 544(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 560(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 576(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PADDL 592(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 608(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 624(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x10, X8 - PSRLL $0x10, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 640(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - MOVO X7, X8 - PSLLL $0x18, X8 - PSRLL $0x08, X7 - PXOR X8, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PXOR X4, X0 - PXOR X5, X1 - PXOR X6, X0 - PXOR X7, X1 - LEAQ 64(SI), SI - SUBQ $0x40, DX - JNE loop - MOVO X15, (BP) - MOVQ 
(BP), R9 - MOVQ R9, (BX) - MOVOU X0, (AX) - MOVOU X1, 16(AX) - RET - -DATA iv0<>+0(SB)/4, $0x6a09e667 -DATA iv0<>+4(SB)/4, $0xbb67ae85 -DATA iv0<>+8(SB)/4, $0x3c6ef372 -DATA iv0<>+12(SB)/4, $0xa54ff53a -GLOBL iv0<>(SB), RODATA|NOPTR, $16 - -DATA iv1<>+0(SB)/4, $0x510e527f -DATA iv1<>+4(SB)/4, $0x9b05688c -DATA iv1<>+8(SB)/4, $0x1f83d9ab -DATA iv1<>+12(SB)/4, $0x5be0cd19 -GLOBL iv1<>(SB), RODATA|NOPTR, $16 - -DATA counter<>+0(SB)/8, $0x0000000000000040 -DATA counter<>+8(SB)/8, $0x0000000000000000 -GLOBL counter<>(SB), RODATA|NOPTR, $16 - -DATA rol16<>+0(SB)/8, $0x0504070601000302 -DATA rol16<>+8(SB)/8, $0x0d0c0f0e09080b0a -GLOBL rol16<>(SB), RODATA|NOPTR, $16 - -DATA rol8<>+0(SB)/8, $0x0407060500030201 -DATA rol8<>+8(SB)/8, $0x0c0f0e0d080b0a09 -GLOBL rol8<>(SB), RODATA|NOPTR, $16 - -// func hashBlocksSSSE3(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte) -// Requires: SSE2, SSSE3 -TEXT ·hashBlocksSSSE3(SB), $672-48 - MOVQ h+0(FP), AX - MOVQ c+8(FP), BX - MOVL flag+16(FP), CX - MOVQ blocks_base+24(FP), SI - MOVQ blocks_len+32(FP), DX - MOVQ SP, BP - ADDQ $0x0f, BP - ANDQ $-16, BP - MOVQ (BX), R9 - MOVQ R9, (BP) - MOVQ CX, 8(BP) - MOVOU (AX), X0 - MOVOU 16(AX), X1 - MOVOU iv0<>+0(SB), X2 - MOVOU iv1<>+0(SB), X3 - MOVOU counter<>+0(SB), X12 - MOVOU rol16<>+0(SB), X13 - MOVOU rol8<>+0(SB), X14 - MOVO (BP), X15 - -loop: - MOVO X0, X4 - MOVO X1, X5 - MOVO X2, X6 - MOVO X3, X7 - PADDQ X12, X15 - PXOR X15, X7 - MOVQ (SI), R8 - MOVQ 8(SI), R9 - MOVQ 16(SI), R10 - MOVQ 24(SI), R11 - MOVQ 32(SI), R12 - MOVQ 40(SI), R13 - MOVQ 48(SI), R14 - MOVQ 56(SI), R15 - MOVL R8, 16(BP) - MOVL R8, 116(BP) - MOVL R8, 164(BP) - MOVL R8, 264(BP) - MOVL R8, 288(BP) - MOVL R8, 344(BP) - MOVL R8, 432(BP) - MOVL R8, 512(BP) - MOVL R8, 540(BP) - MOVL R8, 652(BP) - SHRQ $0x20, R8 - MOVL R8, 32(BP) - MOVL R8, 112(BP) - MOVL R8, 200(BP) - MOVL R8, 228(BP) - MOVL R8, 320(BP) - MOVL R8, 380(BP) - MOVL R8, 404(BP) - MOVL R8, 488(BP) - MOVL R8, 568(BP) - MOVL R8, 604(BP) - MOVL R9, 20(BP) - MOVL 
R9, 132(BP) - MOVL R9, 168(BP) - MOVL R9, 240(BP) - MOVL R9, 280(BP) - MOVL R9, 336(BP) - MOVL R9, 456(BP) - MOVL R9, 508(BP) - MOVL R9, 576(BP) - MOVL R9, 608(BP) - SHRQ $0x20, R9 - MOVL R9, 36(BP) - MOVL R9, 140(BP) - MOVL R9, 180(BP) - MOVL R9, 212(BP) - MOVL R9, 316(BP) - MOVL R9, 364(BP) - MOVL R9, 452(BP) - MOVL R9, 476(BP) - MOVL R9, 552(BP) - MOVL R9, 632(BP) - MOVL R10, 24(BP) - MOVL R10, 84(BP) - MOVL R10, 204(BP) - MOVL R10, 248(BP) - MOVL R10, 296(BP) - MOVL R10, 368(BP) - MOVL R10, 412(BP) - MOVL R10, 516(BP) - MOVL R10, 584(BP) - MOVL R10, 612(BP) - SHRQ $0x20, R10 - MOVL R10, 40(BP) - MOVL R10, 124(BP) - MOVL R10, 152(BP) - MOVL R10, 244(BP) - MOVL R10, 276(BP) - MOVL R10, 388(BP) - MOVL R10, 416(BP) - MOVL R10, 496(BP) - MOVL R10, 588(BP) - MOVL R10, 620(BP) - MOVL R11, 28(BP) - MOVL R11, 108(BP) - MOVL R11, 196(BP) - MOVL R11, 256(BP) - MOVL R11, 312(BP) - MOVL R11, 340(BP) - MOVL R11, 436(BP) - MOVL R11, 520(BP) - MOVL R11, 528(BP) - MOVL R11, 616(BP) - SHRQ $0x20, R11 - MOVL R11, 44(BP) - MOVL R11, 136(BP) - MOVL R11, 184(BP) - MOVL R11, 208(BP) - MOVL R11, 292(BP) - MOVL R11, 372(BP) - MOVL R11, 448(BP) - MOVL R11, 468(BP) - MOVL R11, 580(BP) - MOVL R11, 600(BP) - MOVL R12, 48(BP) - MOVL R12, 100(BP) - MOVL R12, 160(BP) - MOVL R12, 268(BP) - MOVL R12, 328(BP) - MOVL R12, 348(BP) - MOVL R12, 444(BP) - MOVL R12, 504(BP) - MOVL R12, 556(BP) - MOVL R12, 596(BP) - SHRQ $0x20, R12 - MOVL R12, 64(BP) - MOVL R12, 88(BP) - MOVL R12, 188(BP) - MOVL R12, 224(BP) - MOVL R12, 272(BP) - MOVL R12, 396(BP) - MOVL R12, 440(BP) - MOVL R12, 492(BP) - MOVL R12, 548(BP) - MOVL R12, 628(BP) - MOVL R13, 52(BP) - MOVL R13, 96(BP) - MOVL R13, 176(BP) - MOVL R13, 260(BP) - MOVL R13, 284(BP) - MOVL R13, 356(BP) - MOVL R13, 428(BP) - MOVL R13, 524(BP) - MOVL R13, 572(BP) - MOVL R13, 592(BP) - SHRQ $0x20, R13 - MOVL R13, 68(BP) - MOVL R13, 120(BP) - MOVL R13, 144(BP) - MOVL R13, 220(BP) - MOVL R13, 308(BP) - MOVL R13, 360(BP) - MOVL R13, 460(BP) - MOVL R13, 480(BP) - MOVL 
R13, 536(BP) - MOVL R13, 640(BP) - MOVL R14, 56(BP) - MOVL R14, 128(BP) - MOVL R14, 148(BP) - MOVL R14, 232(BP) - MOVL R14, 324(BP) - MOVL R14, 352(BP) - MOVL R14, 400(BP) - MOVL R14, 472(BP) - MOVL R14, 560(BP) - MOVL R14, 648(BP) - SHRQ $0x20, R14 - MOVL R14, 72(BP) - MOVL R14, 92(BP) - MOVL R14, 172(BP) - MOVL R14, 216(BP) - MOVL R14, 332(BP) - MOVL R14, 384(BP) - MOVL R14, 424(BP) - MOVL R14, 464(BP) - MOVL R14, 564(BP) - MOVL R14, 636(BP) - MOVL R15, 60(BP) - MOVL R15, 80(BP) - MOVL R15, 192(BP) - MOVL R15, 236(BP) - MOVL R15, 304(BP) - MOVL R15, 392(BP) - MOVL R15, 408(BP) - MOVL R15, 484(BP) - MOVL R15, 532(BP) - MOVL R15, 644(BP) - SHRQ $0x20, R15 - MOVL R15, 76(BP) - MOVL R15, 104(BP) - MOVL R15, 156(BP) - MOVL R15, 252(BP) - MOVL R15, 300(BP) - MOVL R15, 376(BP) - MOVL R15, 420(BP) - MOVL R15, 500(BP) - MOVL R15, 544(BP) - MOVL R15, 624(BP) - PADDL 16(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 32(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 48(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 64(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PADDL 80(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 96(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - 
PSHUFL $0x93, X7, X7 - PADDL 112(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 128(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PADDL 144(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 160(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 176(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 192(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PADDL 208(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 224(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 240(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 256(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PADDL 272(BP), X4 - PADDL X5, X4 - PXOR 
X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 288(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 304(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 320(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PADDL 336(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 352(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 368(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 384(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PADDL 400(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 416(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 432(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, 
X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 448(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PADDL 464(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 480(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 496(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 512(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PADDL 528(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 544(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 560(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 576(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PADDL 592(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 
608(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL 624(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL 640(BP), X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PXOR X4, X0 - PXOR X5, X1 - PXOR X6, X0 - PXOR X7, X1 - LEAQ 64(SI), SI - SUBQ $0x40, DX - JNE loop - MOVO X15, (BP) - MOVQ (BP), R9 - MOVQ R9, (BX) - MOVOU X0, (AX) - MOVOU X1, 16(AX) - RET - -// func hashBlocksSSE4(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte) -// Requires: SSE2, SSE4.1, SSSE3 -TEXT ·hashBlocksSSE4(SB), $32-48 - MOVQ h+0(FP), AX - MOVQ c+8(FP), BX - MOVL flag+16(FP), CX - MOVQ blocks_base+24(FP), SI - MOVQ blocks_len+32(FP), DX - MOVQ SP, BP - ADDQ $0x0f, BP - ANDQ $-16, BP - MOVQ (BX), R9 - MOVQ R9, (BP) - MOVQ CX, 8(BP) - MOVOU (AX), X0 - MOVOU 16(AX), X1 - MOVOU iv0<>+0(SB), X2 - MOVOU iv1<>+0(SB), X3 - MOVOU counter<>+0(SB), X12 - MOVOU rol16<>+0(SB), X13 - MOVOU rol8<>+0(SB), X14 - MOVO (BP), X15 - -loop: - MOVO X0, X4 - MOVO X1, X5 - MOVO X2, X6 - MOVO X3, X7 - PADDQ X12, X15 - PXOR X15, X7 - MOVL (SI), X8 - PINSRD $0x01, 8(SI), X8 - PINSRD $0x02, 16(SI), X8 - PINSRD $0x03, 24(SI), X8 - MOVL 4(SI), X9 - PINSRD $0x01, 12(SI), X9 - PINSRD $0x02, 20(SI), X9 - PINSRD $0x03, 28(SI), X9 - MOVL 32(SI), X10 - PINSRD $0x01, 40(SI), X10 - PINSRD $0x02, 48(SI), X10 - PINSRD $0x03, 56(SI), X10 - MOVL 36(SI), X11 - PINSRD $0x01, 44(SI), X11 - PINSRD $0x02, 52(SI), X11 - PINSRD $0x03, 60(SI), X11 - PADDL X8, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 
- PADDL X9, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL X10, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X11, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - MOVL 56(SI), X8 - PINSRD $0x01, 16(SI), X8 - PINSRD $0x02, 36(SI), X8 - PINSRD $0x03, 52(SI), X8 - MOVL 40(SI), X9 - PINSRD $0x01, 32(SI), X9 - PINSRD $0x02, 60(SI), X9 - PINSRD $0x03, 24(SI), X9 - MOVL 4(SI), X10 - PINSRD $0x01, (SI), X10 - PINSRD $0x02, 44(SI), X10 - PINSRD $0x03, 20(SI), X10 - MOVL 48(SI), X11 - PINSRD $0x01, 8(SI), X11 - PINSRD $0x02, 28(SI), X11 - PINSRD $0x03, 12(SI), X11 - PADDL X8, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X9, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL X10, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X11, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - MOVL 44(SI), X8 - PINSRD $0x01, 48(SI), X8 - PINSRD $0x02, 20(SI), X8 - PINSRD $0x03, 60(SI), X8 - MOVL 32(SI), X9 - PINSRD $0x01, (SI), X9 - PINSRD $0x02, 8(SI), X9 - PINSRD $0x03, 52(SI), X9 - MOVL 40(SI), X10 - PINSRD $0x01, 12(SI), X10 
- PINSRD $0x02, 28(SI), X10 - PINSRD $0x03, 36(SI), X10 - MOVL 56(SI), X11 - PINSRD $0x01, 24(SI), X11 - PINSRD $0x02, 4(SI), X11 - PINSRD $0x03, 16(SI), X11 - PADDL X8, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X9, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL X10, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X11, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - MOVL 28(SI), X8 - PINSRD $0x01, 12(SI), X8 - PINSRD $0x02, 52(SI), X8 - PINSRD $0x03, 44(SI), X8 - MOVL 36(SI), X9 - PINSRD $0x01, 4(SI), X9 - PINSRD $0x02, 48(SI), X9 - PINSRD $0x03, 56(SI), X9 - MOVL 8(SI), X10 - PINSRD $0x01, 20(SI), X10 - PINSRD $0x02, 16(SI), X10 - PINSRD $0x03, 60(SI), X10 - MOVL 24(SI), X11 - PINSRD $0x01, 40(SI), X11 - PINSRD $0x02, (SI), X11 - PINSRD $0x03, 32(SI), X11 - PADDL X8, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X9, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL X10, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X11, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, 
X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - MOVL 36(SI), X8 - PINSRD $0x01, 20(SI), X8 - PINSRD $0x02, 8(SI), X8 - PINSRD $0x03, 40(SI), X8 - MOVL (SI), X9 - PINSRD $0x01, 28(SI), X9 - PINSRD $0x02, 16(SI), X9 - PINSRD $0x03, 60(SI), X9 - MOVL 56(SI), X10 - PINSRD $0x01, 44(SI), X10 - PINSRD $0x02, 24(SI), X10 - PINSRD $0x03, 12(SI), X10 - MOVL 4(SI), X11 - PINSRD $0x01, 48(SI), X11 - PINSRD $0x02, 32(SI), X11 - PINSRD $0x03, 52(SI), X11 - PADDL X8, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X9, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL X10, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X11, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - MOVL 8(SI), X8 - PINSRD $0x01, 24(SI), X8 - PINSRD $0x02, (SI), X8 - PINSRD $0x03, 32(SI), X8 - MOVL 48(SI), X9 - PINSRD $0x01, 40(SI), X9 - PINSRD $0x02, 44(SI), X9 - PINSRD $0x03, 12(SI), X9 - MOVL 16(SI), X10 - PINSRD $0x01, 28(SI), X10 - PINSRD $0x02, 60(SI), X10 - PINSRD $0x03, 4(SI), X10 - MOVL 52(SI), X11 - PINSRD $0x01, 20(SI), X11 - PINSRD $0x02, 56(SI), X11 - PINSRD $0x03, 36(SI), X11 - PADDL X8, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X9, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, 
X7, X7 - PADDL X10, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X11, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - MOVL 48(SI), X8 - PINSRD $0x01, 4(SI), X8 - PINSRD $0x02, 56(SI), X8 - PINSRD $0x03, 16(SI), X8 - MOVL 20(SI), X9 - PINSRD $0x01, 60(SI), X9 - PINSRD $0x02, 52(SI), X9 - PINSRD $0x03, 40(SI), X9 - MOVL (SI), X10 - PINSRD $0x01, 24(SI), X10 - PINSRD $0x02, 36(SI), X10 - PINSRD $0x03, 32(SI), X10 - MOVL 28(SI), X11 - PINSRD $0x01, 12(SI), X11 - PINSRD $0x02, 8(SI), X11 - PINSRD $0x03, 44(SI), X11 - PADDL X8, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X9, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL X10, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X11, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - MOVL 52(SI), X8 - PINSRD $0x01, 28(SI), X8 - PINSRD $0x02, 48(SI), X8 - PINSRD $0x03, 12(SI), X8 - MOVL 44(SI), X9 - PINSRD $0x01, 56(SI), X9 - PINSRD $0x02, 4(SI), X9 - PINSRD $0x03, 36(SI), X9 - MOVL 20(SI), X10 - PINSRD $0x01, 60(SI), X10 - PINSRD $0x02, 32(SI), X10 - PINSRD $0x03, 8(SI), X10 - MOVL (SI), X11 - PINSRD $0x01, 16(SI), X11 - PINSRD $0x02, 24(SI), X11 - PINSRD $0x03, 40(SI), X11 - PADDL X8, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, 
X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X9, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL X10, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X11, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - MOVL 24(SI), X8 - PINSRD $0x01, 56(SI), X8 - PINSRD $0x02, 44(SI), X8 - PINSRD $0x03, (SI), X8 - MOVL 60(SI), X9 - PINSRD $0x01, 36(SI), X9 - PINSRD $0x02, 12(SI), X9 - PINSRD $0x03, 32(SI), X9 - MOVL 48(SI), X10 - PINSRD $0x01, 52(SI), X10 - PINSRD $0x02, 4(SI), X10 - PINSRD $0x03, 40(SI), X10 - MOVL 8(SI), X11 - PINSRD $0x01, 28(SI), X11 - PINSRD $0x02, 16(SI), X11 - PINSRD $0x03, 20(SI), X11 - PADDL X8, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X9, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL X10, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X11, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - MOVL 40(SI), X8 - PINSRD $0x01, 32(SI), X8 - PINSRD $0x02, 28(SI), X8 - PINSRD $0x03, 4(SI), X8 - MOVL 8(SI), X9 - PINSRD $0x01, 16(SI), X9 - 
PINSRD $0x02, 24(SI), X9 - PINSRD $0x03, 20(SI), X9 - MOVL 60(SI), X10 - PINSRD $0x01, 36(SI), X10 - PINSRD $0x02, 12(SI), X10 - PINSRD $0x03, 52(SI), X10 - MOVL 44(SI), X11 - PINSRD $0x01, 56(SI), X11 - PINSRD $0x02, 48(SI), X11 - PINSRD $0x03, (SI), X11 - PADDL X8, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X9, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X5, X5 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X7, X7 - PADDL X10, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X13, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x14, X8 - PSRLL $0x0c, X5 - PXOR X8, X5 - PADDL X11, X4 - PADDL X5, X4 - PXOR X4, X7 - PSHUFB X14, X7 - PADDL X7, X6 - PXOR X6, X5 - MOVO X5, X8 - PSLLL $0x19, X8 - PSRLL $0x07, X5 - PXOR X8, X5 - PSHUFL $0x39, X7, X7 - PSHUFL $0x4e, X6, X6 - PSHUFL $0x93, X5, X5 - PXOR X4, X0 - PXOR X5, X1 - PXOR X6, X0 - PXOR X7, X1 - LEAQ 64(SI), SI - SUBQ $0x40, DX - JNE loop - MOVO X15, (BP) - MOVQ (BP), R9 - MOVQ R9, (BX) - MOVOU X0, (AX) - MOVOU X1, 16(AX) - RET diff --git a/vendor/golang.org/x/crypto/blake2s/blake2s_generic.go b/vendor/golang.org/x/crypto/blake2s/blake2s_generic.go deleted file mode 100644 index 24a1ff22a..000000000 --- a/vendor/golang.org/x/crypto/blake2s/blake2s_generic.go +++ /dev/null 
@@ -1,178 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package blake2s
-
-import (
- "math/bits"
-)
-
-// the precomputed values for BLAKE2s
-// there are 10 16-byte arrays - one for each round
-// the entries are calculated from the sigma constants.
-var precomputed = [10][16]byte{
- {0, 2, 4, 6, 1, 3, 5, 7, 8, 10, 12, 14, 9, 11, 13, 15},
- {14, 4, 9, 13, 10, 8, 15, 6, 1, 0, 11, 5, 12, 2, 7, 3},
- {11, 12, 5, 15, 8, 0, 2, 13, 10, 3, 7, 9, 14, 6, 1, 4},
- {7, 3, 13, 11, 9, 1, 12, 14, 2, 5, 4, 15, 6, 10, 0, 8},
- {9, 5, 2, 10, 0, 7, 4, 15, 14, 11, 6, 3, 1, 12, 8, 13},
- {2, 6, 0, 8, 12, 10, 11, 3, 4, 7, 15, 1, 13, 5, 14, 9},
- {12, 1, 14, 4, 5, 15, 13, 10, 0, 6, 9, 8, 7, 3, 2, 11},
- {13, 7, 12, 3, 11, 14, 1, 9, 5, 15, 8, 2, 0, 4, 6, 10},
- {6, 14, 11, 0, 15, 9, 3, 8, 12, 13, 1, 10, 2, 7, 4, 5},
- {10, 8, 7, 1, 2, 4, 6, 5, 15, 9, 3, 13, 11, 14, 12, 0},
-}
-
-func hashBlocksGeneric(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte) {
- var m [16]uint32
- c0, c1 := c[0], c[1]
-
- for i := 0; i < len(blocks); {
- c0 += BlockSize
- if c0 < BlockSize {
- c1++
- }
-
- v0, v1, v2, v3, v4, v5, v6, v7 := h[0], h[1], h[2], h[3], h[4], h[5], h[6], h[7]
- v8, v9, v10, v11, v12, v13, v14, v15 := iv[0], iv[1], iv[2], iv[3], iv[4], iv[5], iv[6], iv[7]
- v12 ^= c0
- v13 ^= c1
- v14 ^= flag
-
- for j := range m {
- m[j] = uint32(blocks[i]) | uint32(blocks[i+1])<<8 | uint32(blocks[i+2])<<16 | uint32(blocks[i+3])<<24
- i += 4
- }
-
- for k := range precomputed {
- s := &(precomputed[k])
-
- v0 += m[s[0]]
- v0 += v4
- v12 ^= v0
- v12 = bits.RotateLeft32(v12, -16)
- v8 += v12
- v4 ^= v8
- v4 = bits.RotateLeft32(v4, -12)
- v1 += m[s[1]]
- v1 += v5
- v13 ^= v1
- v13 = bits.RotateLeft32(v13, -16)
- v9 += v13
- v5 ^= v9
- v5 = bits.RotateLeft32(v5, -12)
- v2 += m[s[2]]
- v2 += v6
- v14 ^= v2
- v14 = bits.RotateLeft32(v14, -16)
- v10 += v14
- v6 ^= v10
- v6 = bits.RotateLeft32(v6, -12)
- v3 += m[s[3]]
- v3 += v7
- v15 ^= v3
- v15 = bits.RotateLeft32(v15, -16)
- v11 += v15
- v7 ^= v11
- v7 = bits.RotateLeft32(v7, -12)
-
- v0 += m[s[4]]
- v0 += v4
- v12 ^= v0
- v12 = bits.RotateLeft32(v12, -8)
- v8 += v12
- v4 ^= v8
- v4 = bits.RotateLeft32(v4, -7)
- v1 += m[s[5]]
- v1 += v5
- v13 ^= v1
- v13 = bits.RotateLeft32(v13, -8)
- v9 += v13
- v5 ^= v9
- v5 = bits.RotateLeft32(v5, -7)
- v2 += m[s[6]]
- v2 += v6
- v14 ^= v2
- v14 = bits.RotateLeft32(v14, -8)
- v10 += v14
- v6 ^= v10
- v6 = bits.RotateLeft32(v6, -7)
- v3 += m[s[7]]
- v3 += v7
- v15 ^= v3
- v15 = bits.RotateLeft32(v15, -8)
- v11 += v15
- v7 ^= v11
- v7 = bits.RotateLeft32(v7, -7)
-
- v0 += m[s[8]]
- v0 += v5
- v15 ^= v0
- v15 = bits.RotateLeft32(v15, -16)
- v10 += v15
- v5 ^= v10
- v5 = bits.RotateLeft32(v5, -12)
- v1 += m[s[9]]
- v1 += v6
- v12 ^= v1
- v12 = bits.RotateLeft32(v12, -16)
- v11 += v12
- v6 ^= v11
- v6 = bits.RotateLeft32(v6, -12)
- v2 += m[s[10]]
- v2 += v7
- v13 ^= v2
- v13 = bits.RotateLeft32(v13, -16)
- v8 += v13
- v7 ^= v8
- v7 = bits.RotateLeft32(v7, -12)
- v3 += m[s[11]]
- v3 += v4
- v14 ^= v3
- v14 = bits.RotateLeft32(v14, -16)
- v9 += v14
- v4 ^= v9
- v4 = bits.RotateLeft32(v4, -12)
-
- v0 += m[s[12]]
- v0 += v5
- v15 ^= v0
- v15 = bits.RotateLeft32(v15, -8)
- v10 += v15
- v5 ^= v10
- v5 = bits.RotateLeft32(v5, -7)
- v1 += m[s[13]]
- v1 += v6
- v12 ^= v1
- v12 = bits.RotateLeft32(v12, -8)
- v11 += v12
- v6 ^= v11
- v6 = bits.RotateLeft32(v6, -7)
- v2 += m[s[14]]
- v2 += v7
- v13 ^= v2
- v13 = bits.RotateLeft32(v13, -8)
- v8 += v13
- v7 ^= v8
- v7 = bits.RotateLeft32(v7, -7)
- v3 += m[s[15]]
- v3 += v4
- v14 ^= v3
- v14 = bits.RotateLeft32(v14, -8)
- v9 += v14
- v4 ^= v9
- v4 = bits.RotateLeft32(v4, -7)
- }
-
- h[0] ^= v0 ^ v8
- h[1] ^= v1 ^ v9
- h[2] ^= v2 ^ v10
- h[3] ^= v3 ^ v11
- h[4] ^= v4 ^ v12
- h[5] ^= v5 ^ v13
- h[6] ^= v6 ^ v14
- h[7] ^= v7 ^ v15
- }
- c[0], c[1] = c0, c1
-}
diff --git a/vendor/golang.org/x/crypto/blake2s/blake2s_ref.go b/vendor/golang.org/x/crypto/blake2s/blake2s_ref.go
deleted file mode 100644
index 38ce8e283..000000000
--- a/vendor/golang.org/x/crypto/blake2s/blake2s_ref.go
+++ /dev/null
@@ -1,17 +0,0 @@
-// Copyright 2016 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build (!amd64 && !386) || !gc || purego
-
-package blake2s
-
-var (
- useSSE4 = false
- useSSSE3 = false
- useSSE2 = false
-)
-
-func hashBlocks(h *[8]uint32, c *[2]uint32, flag uint32, blocks []byte) {
- hashBlocksGeneric(h, c, flag, blocks)
-}
diff --git a/vendor/golang.org/x/crypto/blake2s/blake2x.go b/vendor/golang.org/x/crypto/blake2s/blake2x.go
deleted file mode 100644
index 828749ff0..000000000
--- a/vendor/golang.org/x/crypto/blake2s/blake2x.go
+++ /dev/null
@@ -1,178 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package blake2s
-
-import (
- "encoding/binary"
- "errors"
- "io"
-)
-
-// XOF defines the interface to hash functions that
-// support arbitrary-length output.
-type XOF interface {
- // Write absorbs more data into the hash's state. It panics if called
- // after Read.
- io.Writer
-
- // Read reads more output from the hash. It returns io.EOF if the limit
- // has been reached.
- io.Reader
-
- // Clone returns a copy of the XOF in its current state.
- Clone() XOF
-
- // Reset resets the XOF to its initial state.
- Reset()
-}
-
-// OutputLengthUnknown can be used as the size argument to NewXOF to indicate
-// the length of the output is not known in advance.
-const OutputLengthUnknown = 0
-
-// magicUnknownOutputLength is a magic value for the output size that indicates
-// an unknown number of output bytes.
-const magicUnknownOutputLength = 65535
-
-// maxOutputLength is the absolute maximum number of bytes to produce when the
-// number of output bytes is unknown.
-const maxOutputLength = (1 << 32) * 32
-
-// NewXOF creates a new variable-output-length hash. The hash either produce a
-// known number of bytes (1 <= size < 65535), or an unknown number of bytes
-// (size == OutputLengthUnknown). In the latter case, an absolute limit of
-// 128GiB applies.
-//
-// A non-nil key turns the hash into a MAC. The key must between
-// zero and 32 bytes long.
-func NewXOF(size uint16, key []byte) (XOF, error) {
- if len(key) > Size {
- return nil, errKeySize
- }
- if size == magicUnknownOutputLength {
- // 2^16-1 indicates an unknown number of bytes and thus isn't a
- // valid length.
- return nil, errors.New("blake2s: XOF length too large")
- }
- if size == OutputLengthUnknown {
- size = magicUnknownOutputLength
- }
- x := &xof{
- d: digest{
- size: Size,
- keyLen: len(key),
- },
- length: size,
- }
- copy(x.d.key[:], key)
- x.Reset()
- return x, nil
-}
-
-type xof struct {
- d digest
- length uint16
- remaining uint64
- cfg, root, block [Size]byte
- offset int
- nodeOffset uint32
- readMode bool
-}
-
-func (x *xof) Write(p []byte) (n int, err error) {
- if x.readMode {
- panic("blake2s: write to XOF after read")
- }
- return x.d.Write(p)
-}
-
-func (x *xof) Clone() XOF {
- clone := *x
- return &clone
-}
-
-func (x *xof) Reset() {
- x.cfg[0] = byte(Size)
- binary.LittleEndian.PutUint32(x.cfg[4:], uint32(Size)) // leaf length
- binary.LittleEndian.PutUint16(x.cfg[12:], x.length) // XOF length
- x.cfg[15] = byte(Size) // inner hash size
-
- x.d.Reset()
- x.d.h[3] ^= uint32(x.length)
-
- x.remaining = uint64(x.length)
- if x.remaining == magicUnknownOutputLength {
- x.remaining = maxOutputLength
- }
- x.offset, x.nodeOffset = 0, 0
- x.readMode = false
-}
-
-func (x *xof) Read(p []byte) (n int, err error) {
- if !x.readMode {
- x.d.finalize(&x.root)
- x.readMode = true
- }
-
- if x.remaining == 0 {
- return 0, io.EOF
- }
-
- n = len(p)
- if uint64(n) > x.remaining {
- n = int(x.remaining)
- p = p[:n]
- }
-
- if x.offset > 0 {
- blockRemaining := Size - x.offset
- if n < blockRemaining {
- x.offset += copy(p, x.block[x.offset:])
- x.remaining -= uint64(n)
- return
- }
- copy(p, x.block[x.offset:])
- p = p[blockRemaining:]
- x.offset = 0
- x.remaining -= uint64(blockRemaining)
- }
-
- for len(p) >= Size {
- binary.LittleEndian.PutUint32(x.cfg[8:], x.nodeOffset)
- x.nodeOffset++
-
- x.d.initConfig(&x.cfg)
- x.d.Write(x.root[:])
- x.d.finalize(&x.block)
-
- copy(p, x.block[:])
- p = p[Size:]
- x.remaining -= uint64(Size)
- }
-
- if todo := len(p); todo > 0 {
- if x.remaining < uint64(Size) {
- x.cfg[0] = byte(x.remaining)
- }
- binary.LittleEndian.PutUint32(x.cfg[8:], x.nodeOffset)
- x.nodeOffset++
-
- x.d.initConfig(&x.cfg)
- x.d.Write(x.root[:])
- x.d.finalize(&x.block)
-
- x.offset = copy(p, x.block[:todo])
- x.remaining -= uint64(todo)
- }
-
- return
-}
-
-func (d *digest) initConfig(cfg *[Size]byte) {
- d.offset, d.c[0], d.c[1] = 0, 0, 0
- for i := range d.h {
- d.h[i] = iv[i] ^ binary.LittleEndian.Uint32(cfg[i*4:])
- }
-}
diff --git a/vendor/golang.org/x/crypto/blowfish/block.go b/vendor/golang.org/x/crypto/blowfish/block.go
deleted file mode 100644
index 9d80f1952..000000000
--- a/vendor/golang.org/x/crypto/blowfish/block.go
+++ /dev/null
@@ -1,159 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package blowfish
-
-// getNextWord returns the next big-endian uint32 value from the byte slice
-// at the given position in a circular manner, updating the position.
-func getNextWord(b []byte, pos *int) uint32 {
- var w uint32
- j := *pos
- for i := 0; i < 4; i++ {
- w = w<<8 | uint32(b[j])
- j++
- if j >= len(b) {
- j = 0
- }
- }
- *pos = j
- return w
-}
-
-// ExpandKey performs a key expansion on the given *Cipher. Specifically, it
-// performs the Blowfish algorithm's key schedule which sets up the *Cipher's
-// pi and substitution tables for calls to Encrypt. This is used, primarily,
-// by the bcrypt package to reuse the Blowfish key schedule during its
-// set up. It's unlikely that you need to use this directly.
-func ExpandKey(key []byte, c *Cipher) {
- j := 0
- for i := 0; i < 18; i++ {
- // Using inlined getNextWord for performance.
- var d uint32
- for k := 0; k < 4; k++ {
- d = d<<8 | uint32(key[j])
- j++
- if j >= len(key) {
- j = 0
- }
- }
- c.p[i] ^= d
- }
-
- var l, r uint32
- for i := 0; i < 18; i += 2 {
- l, r = encryptBlock(l, r, c)
- c.p[i], c.p[i+1] = l, r
- }
-
- for i := 0; i < 256; i += 2 {
- l, r = encryptBlock(l, r, c)
- c.s0[i], c.s0[i+1] = l, r
- }
- for i := 0; i < 256; i += 2 {
- l, r = encryptBlock(l, r, c)
- c.s1[i], c.s1[i+1] = l, r
- }
- for i := 0; i < 256; i += 2 {
- l, r = encryptBlock(l, r, c)
- c.s2[i], c.s2[i+1] = l, r
- }
- for i := 0; i < 256; i += 2 {
- l, r = encryptBlock(l, r, c)
- c.s3[i], c.s3[i+1] = l, r
- }
-}
-
-// This is similar to ExpandKey, but folds the salt during the key
-// schedule. While ExpandKey is essentially expandKeyWithSalt with an all-zero
-// salt passed in, reusing ExpandKey turns out to be a place of inefficiency
-// and specializing it here is useful.
-func expandKeyWithSalt(key []byte, salt []byte, c *Cipher) {
- j := 0
- for i := 0; i < 18; i++ {
- c.p[i] ^= getNextWord(key, &j)
- }
-
- j = 0
- var l, r uint32
- for i := 0; i < 18; i += 2 {
- l ^= getNextWord(salt, &j)
- r ^= getNextWord(salt, &j)
- l, r = encryptBlock(l, r, c)
- c.p[i], c.p[i+1] = l, r
- }
-
- for i := 0; i < 256; i += 2 {
- l ^= getNextWord(salt, &j)
- r ^= getNextWord(salt, &j)
- l, r = encryptBlock(l, r, c)
- c.s0[i], c.s0[i+1] = l, r
- }
-
- for i := 0; i < 256; i += 2 {
- l ^= getNextWord(salt, &j)
- r ^= getNextWord(salt, &j)
- l, r = encryptBlock(l, r, c)
- c.s1[i], c.s1[i+1] = l, r
- }
-
- for i := 0; i < 256; i += 2 {
- l ^= getNextWord(salt, &j)
- r ^= getNextWord(salt, &j)
- l, r = encryptBlock(l, r, c)
- c.s2[i], c.s2[i+1] = l, r
- }
-
- for i := 0; i < 256; i += 2 {
- l ^= getNextWord(salt, &j)
- r ^= getNextWord(salt, &j)
- l, r = encryptBlock(l, r, c)
- c.s3[i], c.s3[i+1] = l, r
- }
-}
-
-func encryptBlock(l, r uint32, c *Cipher) (uint32, uint32) {
- xl, xr := l, r
- xl ^= c.p[0]
- xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[1]
- xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[2]
- xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[3]
- xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[4]
- xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[5]
- xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[6]
- xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[7]
- xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[8]
- xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[9]
- xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[10]
- xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[11]
- xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[12]
- xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[13]
- xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[14]
- xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[15]
- xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[16]
- xr ^= c.p[17]
- return xr, xl
-}
-
-func decryptBlock(l, r uint32, c *Cipher) (uint32, uint32) {
- xl, xr := l, r
- xl ^= c.p[17]
- xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[16]
- xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[15]
- xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[14]
- xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[13]
- xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[12]
- xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[11]
- xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[10]
- xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[9]
- xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[8]
- xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[7]
- xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[6]
- xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[5]
- xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[4]
- xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[3]
- xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[2]
- xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[1]
- xr ^= c.p[0]
- return xr, xl
-}
diff --git a/vendor/golang.org/x/crypto/blowfish/cipher.go b/vendor/golang.org/x/crypto/blowfish/cipher.go
deleted file mode 100644
index 089895680..000000000
--- a/vendor/golang.org/x/crypto/blowfish/cipher.go
+++ /dev/null
@@ -1,99 +0,0 @@
-// Copyright 2010 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package blowfish implements Bruce Schneier's Blowfish encryption algorithm.
-//
-// Blowfish is a legacy cipher and its short block size makes it vulnerable to
-// birthday bound attacks (see https://sweet32.info). It should only be used
-// where compatibility with legacy systems, not security, is the goal.
-//
-// Deprecated: any new system should use AES (from crypto/aes, if necessary in
-// an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from
-// golang.org/x/crypto/chacha20poly1305).
-package blowfish
-
-// The code is a port of Bruce Schneier's C implementation.
-// See https://www.schneier.com/blowfish.html.
-
-import "strconv"
-
-// The Blowfish block size in bytes.
-const BlockSize = 8
-
-// A Cipher is an instance of Blowfish encryption using a particular key.
-type Cipher struct {
- p [18]uint32
- s0, s1, s2, s3 [256]uint32
-}
-
-type KeySizeError int
-
-func (k KeySizeError) Error() string {
- return "crypto/blowfish: invalid key size " + strconv.Itoa(int(k))
-}
-
-// NewCipher creates and returns a Cipher.
-// The key argument should be the Blowfish key, from 1 to 56 bytes.
-func NewCipher(key []byte) (*Cipher, error) {
- var result Cipher
- if k := len(key); k < 1 || k > 56 {
- return nil, KeySizeError(k)
- }
- initCipher(&result)
- ExpandKey(key, &result)
- return &result, nil
-}
-
-// NewSaltedCipher creates a returns a Cipher that folds a salt into its key
-// schedule. For most purposes, NewCipher, instead of NewSaltedCipher, is
-// sufficient and desirable. For bcrypt compatibility, the key can be over 56
-// bytes.
-func NewSaltedCipher(key, salt []byte) (*Cipher, error) {
- if len(salt) == 0 {
- return NewCipher(key)
- }
- var result Cipher
- if k := len(key); k < 1 {
- return nil, KeySizeError(k)
- }
- initCipher(&result)
- expandKeyWithSalt(key, salt, &result)
- return &result, nil
-}
-
-// BlockSize returns the Blowfish block size, 8 bytes.
-// It is necessary to satisfy the Block interface in the
-// package "crypto/cipher".
-func (c *Cipher) BlockSize() int { return BlockSize }
-
-// Encrypt encrypts the 8-byte buffer src using the key k
-// and stores the result in dst.
-// Note that for amounts of data larger than a block,
-// it is not safe to just call Encrypt on successive blocks;
-// instead, use an encryption mode like CBC (see crypto/cipher/cbc.go).
-func (c *Cipher) Encrypt(dst, src []byte) {
- l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
- r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
- l, r = encryptBlock(l, r, c)
- dst[0], dst[1], dst[2], dst[3] = byte(l>>24), byte(l>>16), byte(l>>8), byte(l)
- dst[4], dst[5], dst[6], dst[7] = byte(r>>24), byte(r>>16), byte(r>>8), byte(r)
-}
-
-// Decrypt decrypts the 8-byte buffer src using the key k
-// and stores the result in dst.
-func (c *Cipher) Decrypt(dst, src []byte) {
- l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
- r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
- l, r = decryptBlock(l, r, c)
- dst[0], dst[1], dst[2], dst[3] = byte(l>>24), byte(l>>16), byte(l>>8), byte(l)
- dst[4], dst[5], dst[6], dst[7] = byte(r>>24), byte(r>>16), byte(r>>8), byte(r)
-}
-
-func initCipher(c *Cipher) {
- copy(c.p[0:], p[0:])
- copy(c.s0[0:], s0[0:])
- copy(c.s1[0:], s1[0:])
- copy(c.s2[0:], s2[0:])
- copy(c.s3[0:], s3[0:])
-}
diff --git a/vendor/golang.org/x/crypto/blowfish/const.go b/vendor/golang.org/x/crypto/blowfish/const.go
deleted file mode 100644
index d04077595..000000000
--- a/vendor/golang.org/x/crypto/blowfish/const.go
+++ /dev/null
@@ -1,199 +0,0 @@ -// Copyright 2010 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// The startup permutation array and substitution boxes. -// They are the hexadecimal digits of PI; see: -// https://www.schneier.com/code/constants.txt. - -package blowfish - -var s0 = [256]uint32{ - 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7, 0xb8e1afed, 0x6a267e96, - 0xba7c9045, 0xf12c7f99, 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16, - 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e, 0x0d95748f, 0x728eb658, - 0x718bcd58, 0x82154aee, 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013, - 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef, 0x8e79dcb0, 0x603a180e, - 0x6c9e0e8b, 0xb01e8a3e, 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60, - 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440, 0x55ca396a, 0x2aab10b6, - 0xb4cc5c34, 0x1141e8ce, 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a, - 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e, 0xafd6ba33, 0x6c24cf5c, - 0x7a325381, 0x28958677, 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193, - 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032, 0xef845d5d, 0xe98575b1, - 0xdc262302, 0xeb651b88, 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239, - 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e, 0x21c66842, 0xf6e96c9a, - 0x670c9c61, 0xabd388f0, 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3, - 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98, 0xa1f1651d, 0x39af0176, - 0x66ca593e, 0x82430e88, 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe, - 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6, 0x4ed3aa62, 0x363f7706, - 0x1bfedf72, 0x429b023d, 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b, - 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7, 0xe3fe501a, 0xb6794c3b, - 0x976ce0bd, 0x04c006ba, 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463, - 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f, 0x6dfc511f, 0x9b30952c, - 0xcc814544, 0xaf5ebd09, 0xbee3d004, 0xde334afd, 0x660f2807, 
0x192e4bb3, - 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb, 0x5579c0bd, 0x1a60320a, - 0xd6a100c6, 0x402c7279, 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8, - 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab, 0x323db5fa, 0xfd238760, - 0x53317b48, 0x3e00df82, 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db, - 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573, 0x695b27b0, 0xbbca58c8, - 0xe1ffa35d, 0xb8f011a0, 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b, - 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790, 0xe1ddf2da, 0xa4cb7e33, - 0x62fb1341, 0xcee4c6e8, 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4, - 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0, 0xd08ed1d0, 0xafc725e0, - 0x8e3c5b2f, 0x8e7594b7, 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c, - 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad, 0x2f2f2218, 0xbe0e1777, - 0xea752dfe, 0x8b021fa1, 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299, - 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9, 0x165fa266, 0x80957705, - 0x93cc7314, 0x211a1477, 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf, - 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49, 0x00250e2d, 0x2071b35e, - 0x226800bb, 0x57b8e0af, 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa, - 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5, 0x83260376, 0x6295cfa9, - 0x11c81968, 0x4e734a41, 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915, - 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400, 0x08ba6fb5, 0x571be91f, - 0xf296ec6b, 0x2a0dd915, 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664, - 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a, -} - -var s1 = [256]uint32{ - 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623, 0xad6ea6b0, 0x49a7df7d, - 0x9cee60b8, 0x8fedb266, 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1, - 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e, 0x3f54989a, 0x5b429d65, - 0x6b8fe4d6, 0x99f73fd6, 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1, - 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e, 0x09686b3f, 0x3ebaefc9, - 0x3c971814, 0x6b6a70a1, 0x687f3584, 0x52a0e286, 
0xb79c5305, 0xaa500737, - 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8, 0xb03ada37, 0xf0500c0d, - 0xf01c1f04, 0x0200b3ff, 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd, - 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701, 0x3ae5e581, 0x37c2dadc, - 0xc8b57634, 0x9af3dda7, 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41, - 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331, 0x4e548b38, 0x4f6db908, - 0x6f420d03, 0xf60a04bf, 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af, - 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e, 0x5512721f, 0x2e6b7124, - 0x501adde6, 0x9f84cd87, 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c, - 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2, 0xef1c1847, 0x3215d908, - 0xdd433b37, 0x24c2ba16, 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd, - 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b, 0x043556f1, 0xd7a3c76b, - 0x3c11183b, 0x5924a509, 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e, - 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3, 0x771fe71c, 0x4e3d06fa, - 0x2965dcb9, 0x99e71d0f, 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a, - 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4, 0xf2f74ea7, 0x361d2b3d, - 0x1939260f, 0x19c27960, 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66, - 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28, 0xc332ddef, 0xbe6c5aa5, - 0x65582185, 0x68ab9802, 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84, - 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510, 0x13cca830, 0xeb61bd96, - 0x0334fe1e, 0xaa0363cf, 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14, - 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e, 0x648b1eaf, 0x19bdf0ca, - 0xa02369b9, 0x655abb50, 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7, - 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8, 0xf837889a, 0x97e32d77, - 0x11ed935f, 0x16681281, 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99, - 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696, 0xcdb30aeb, 0x532e3054, - 0x8fd948e4, 0x6dbc3128, 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73, - 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0, 
0x45eee2b6, 0xa3aaabea, - 0xdb6c4f15, 0xfacb4fd0, 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105, - 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250, 0xcf62a1f2, 0x5b8d2646, - 0xfc8883a0, 0xc1c7b6a3, 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285, - 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00, 0x58428d2a, 0x0c55f5ea, - 0x1dadf43e, 0x233f7061, 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb, - 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e, 0xa6078084, 0x19f8509e, - 0xe8efd855, 0x61d99735, 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc, - 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9, 0xdb73dbd3, 0x105588cd, - 0x675fda79, 0xe3674340, 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20, - 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7, -} - -var s2 = [256]uint32{ - 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934, 0x411520f7, 0x7602d4f7, - 0xbcf46b2e, 0xd4a20068, 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af, - 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840, 0x4d95fc1d, 0x96b591af, - 0x70f4ddd3, 0x66a02f45, 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504, - 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a, 0x28507825, 0x530429f4, - 0x0a2c86da, 0xe9b66dfb, 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee, - 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6, 0xaace1e7c, 0xd3375fec, - 0xce78a399, 0x406b2a42, 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b, - 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2, 0x3a6efa74, 0xdd5b4332, - 0x6841e7f7, 0xca7820fb, 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527, - 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b, 0x55a867bc, 0xa1159a58, - 0xcca92963, 0x99e1db33, 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c, - 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3, 0x95c11548, 0xe4c66d22, - 0x48c1133f, 0xc70f86dc, 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17, - 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564, 0x257b7834, 0x602a9c60, - 0xdff8e8a3, 0x1f636c1b, 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115, - 0x6b2395e0, 0x333e92e1, 0x3b240b62, 
0xeebeb922, 0x85b2a20e, 0xe6ba0d99, - 0xde720c8c, 0x2da2f728, 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0, - 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e, 0x0a476341, 0x992eff74, - 0x3a6f6eab, 0xf4f8fd37, 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d, - 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804, 0xf1290dc7, 0xcc00ffa3, - 0xb5390f92, 0x690fed0b, 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3, - 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb, 0x37392eb3, 0xcc115979, - 0x8026e297, 0xf42e312d, 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c, - 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350, 0x1a6b1018, 0x11caedfa, - 0x3d25bdd8, 0xe2e1c3c9, 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a, - 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe, 0x9dbc8057, 0xf0f7c086, - 0x60787bf8, 0x6003604d, 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc, - 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f, 0x77a057be, 0xbde8ae24, - 0x55464299, 0xbf582e61, 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2, - 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9, 0x7aeb2661, 0x8b1ddf84, - 0x846a0e79, 0x915f95e2, 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c, - 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e, 0xb77f19b6, 0xe0a9dc09, - 0x662d09a1, 0xc4324633, 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10, - 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169, 0xdcb7da83, 0x573906fe, - 0xa1e2ce9b, 0x4fcd7f52, 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027, - 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5, 0xf0177a28, 0xc0f586e0, - 0x006058aa, 0x30dc7d62, 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634, - 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76, 0x6f05e409, 0x4b7c0188, - 0x39720a3d, 0x7c927c24, 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc, - 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4, 0x1e50ef5e, 0xb161e6f8, - 0xa28514d9, 0x6c51133c, 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837, - 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0, -} - -var s3 = [256]uint32{ - 0x3a39ce37, 0xd3faf5cf, 
0xabc27737, 0x5ac52d1b, 0x5cb0679e, 0x4fa33742, - 0xd3822740, 0x99bc9bbe, 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b, - 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4, 0x5748ab2f, 0xbc946e79, - 0xc6a376d2, 0x6549c2c8, 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6, - 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304, 0xa1fad5f0, 0x6a2d519a, - 0x63ef8ce2, 0x9a86ee22, 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4, - 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6, 0x2826a2f9, 0xa73a3ae1, - 0x4ba99586, 0xef5562e9, 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59, - 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593, 0xe990fd5a, 0x9e34d797, - 0x2cf0b7d9, 0x022b8b51, 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28, - 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c, 0xe029ac71, 0xe019a5e6, - 0x47b0acfd, 0xed93fa9b, 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28, - 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c, 0x15056dd4, 0x88f46dba, - 0x03a16125, 0x0564f0bd, 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a, - 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319, 0x7533d928, 0xb155fdf5, - 0x03563482, 0x8aba3cbb, 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f, - 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991, 0xea7a90c2, 0xfb3e7bce, - 0x5121ce64, 0x774fbe32, 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680, - 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166, 0xb39a460a, 0x6445c0dd, - 0x586cdecf, 0x1c20c8ae, 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb, - 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5, 0x72eacea8, 0xfa6484bb, - 0x8d6612ae, 0xbf3c6f47, 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370, - 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d, 0x4040cb08, 0x4eb4e2cc, - 0x34d2466a, 0x0115af84, 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048, - 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8, 0x611560b1, 0xe7933fdc, - 0xbb3a792b, 0x344525bd, 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9, - 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7, 0x1a908749, 0xd44fbd9a, - 0xd0dadecb, 0xd50ada38, 
0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f, - 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c, 0xbf97222c, 0x15e6fc2a, - 0x0f91fc71, 0x9b941525, 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1, - 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442, 0xe0ec6e0e, 0x1698db3b, - 0x4c98a0be, 0x3278e964, 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e, - 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8, 0xdf359f8d, 0x9b992f2e, - 0xe60b6f47, 0x0fe3f11d, 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f, - 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299, 0xf523f357, 0xa6327623, - 0x93a83531, 0x56cccd02, 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc, - 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614, 0xe6c6c7bd, 0x327a140a, - 0x45e1d006, 0xc3f27b9a, 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6, - 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b, 0x53113ec0, 0x1640e3d3, - 0x38abbd60, 0x2547adf0, 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060, - 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e, 0x1948c25c, 0x02fb8a8c, - 0x01c36ae4, 0xd6ebe1f9, 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f, - 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6, -} - -var p = [18]uint32{ - 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, 0xa4093822, 0x299f31d0, - 0x082efa98, 0xec4e6c89, 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c, - 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, 0x9216d5d9, 0x8979fb1b, -} diff --git a/vendor/golang.org/x/crypto/chacha20/chacha_arm64.go b/vendor/golang.org/x/crypto/chacha20/chacha_arm64.go deleted file mode 100644 index 661ea132e..000000000 --- a/vendor/golang.org/x/crypto/chacha20/chacha_arm64.go +++ /dev/null 
@@ -1,16 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build gc && !purego
-
-package chacha20
-
-const bufSize = 256
-
-//go:noescape
-func xorKeyStreamVX(dst, src []byte, key *[8]uint32, nonce *[3]uint32, counter *uint32)
-
-func (c *Cipher) xorKeyStreamBlocks(dst, src []byte) {
- xorKeyStreamVX(dst, src, &c.key, &c.nonce, &c.counter)
-}
diff --git a/vendor/golang.org/x/crypto/chacha20/chacha_arm64.s b/vendor/golang.org/x/crypto/chacha20/chacha_arm64.s
deleted file mode 100644
index 7dd2638e8..000000000
--- a/vendor/golang.org/x/crypto/chacha20/chacha_arm64.s
+++ /dev/null
@@ -1,307 +0,0 @@ -// Copyright 2018 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build gc && !purego - -#include "textflag.h" - -#define NUM_ROUNDS 10 - -// func xorKeyStreamVX(dst, src []byte, key *[8]uint32, nonce *[3]uint32, counter *uint32) -TEXT ·xorKeyStreamVX(SB), NOSPLIT, $0 - MOVD dst+0(FP), R1 - MOVD src+24(FP), R2 - MOVD src_len+32(FP), R3 - MOVD key+48(FP), R4 - MOVD nonce+56(FP), R6 - MOVD counter+64(FP), R7 - - MOVD $·constants(SB), R10 - MOVD $·incRotMatrix(SB), R11 - - MOVW (R7), R20 - - AND $~255, R3, R13 - ADD R2, R13, R12 // R12 for block end - AND $255, R3, R13 -loop: - MOVD $NUM_ROUNDS, R21 - VLD1 (R11), [V30.S4, V31.S4] - - // load contants - // VLD4R (R10), [V0.S4, V1.S4, V2.S4, V3.S4] - WORD $0x4D60E940 - - // load keys - // VLD4R 16(R4), [V4.S4, V5.S4, V6.S4, V7.S4] - WORD $0x4DFFE884 - // VLD4R 16(R4), [V8.S4, V9.S4, V10.S4, V11.S4] - WORD $0x4DFFE888 - SUB $32, R4 - - // load counter + nonce - // VLD1R (R7), [V12.S4] - WORD $0x4D40C8EC - - // VLD3R (R6), [V13.S4, V14.S4, V15.S4] - WORD $0x4D40E8CD - - // update counter - VADD V30.S4, V12.S4, V12.S4 - -chacha: - // V0..V3 += V4..V7 - // V12..V15 <<<= ((V12..V15 XOR V0..V3), 16) - VADD V0.S4, V4.S4, V0.S4 - VADD V1.S4, V5.S4, V1.S4 - VADD V2.S4, V6.S4, V2.S4 - VADD V3.S4, V7.S4, V3.S4 - VEOR V12.B16, V0.B16, V12.B16 - VEOR V13.B16, V1.B16, V13.B16 - VEOR V14.B16, V2.B16, V14.B16 - VEOR V15.B16, V3.B16, V15.B16 - VREV32 V12.H8, V12.H8 - VREV32 V13.H8, V13.H8 - VREV32 V14.H8, V14.H8 - VREV32 V15.H8, V15.H8 - // V8..V11 += V12..V15 - // V4..V7 <<<= ((V4..V7 XOR V8..V11), 12) - VADD V8.S4, V12.S4, V8.S4 - VADD V9.S4, V13.S4, V9.S4 - VADD V10.S4, V14.S4, V10.S4 - VADD V11.S4, V15.S4, V11.S4 - VEOR V8.B16, V4.B16, V16.B16 - VEOR V9.B16, V5.B16, V17.B16 - VEOR V10.B16, V6.B16, V18.B16 - VEOR V11.B16, V7.B16, V19.B16 - VSHL $12, V16.S4, V4.S4 - VSHL $12, V17.S4, V5.S4 - VSHL $12, V18.S4, V6.S4 
- VSHL $12, V19.S4, V7.S4 - VSRI $20, V16.S4, V4.S4 - VSRI $20, V17.S4, V5.S4 - VSRI $20, V18.S4, V6.S4 - VSRI $20, V19.S4, V7.S4 - - // V0..V3 += V4..V7 - // V12..V15 <<<= ((V12..V15 XOR V0..V3), 8) - VADD V0.S4, V4.S4, V0.S4 - VADD V1.S4, V5.S4, V1.S4 - VADD V2.S4, V6.S4, V2.S4 - VADD V3.S4, V7.S4, V3.S4 - VEOR V12.B16, V0.B16, V12.B16 - VEOR V13.B16, V1.B16, V13.B16 - VEOR V14.B16, V2.B16, V14.B16 - VEOR V15.B16, V3.B16, V15.B16 - VTBL V31.B16, [V12.B16], V12.B16 - VTBL V31.B16, [V13.B16], V13.B16 - VTBL V31.B16, [V14.B16], V14.B16 - VTBL V31.B16, [V15.B16], V15.B16 - - // V8..V11 += V12..V15 - // V4..V7 <<<= ((V4..V7 XOR V8..V11), 7) - VADD V12.S4, V8.S4, V8.S4 - VADD V13.S4, V9.S4, V9.S4 - VADD V14.S4, V10.S4, V10.S4 - VADD V15.S4, V11.S4, V11.S4 - VEOR V8.B16, V4.B16, V16.B16 - VEOR V9.B16, V5.B16, V17.B16 - VEOR V10.B16, V6.B16, V18.B16 - VEOR V11.B16, V7.B16, V19.B16 - VSHL $7, V16.S4, V4.S4 - VSHL $7, V17.S4, V5.S4 - VSHL $7, V18.S4, V6.S4 - VSHL $7, V19.S4, V7.S4 - VSRI $25, V16.S4, V4.S4 - VSRI $25, V17.S4, V5.S4 - VSRI $25, V18.S4, V6.S4 - VSRI $25, V19.S4, V7.S4 - - // V0..V3 += V5..V7, V4 - // V15,V12-V14 <<<= ((V15,V12-V14 XOR V0..V3), 16) - VADD V0.S4, V5.S4, V0.S4 - VADD V1.S4, V6.S4, V1.S4 - VADD V2.S4, V7.S4, V2.S4 - VADD V3.S4, V4.S4, V3.S4 - VEOR V15.B16, V0.B16, V15.B16 - VEOR V12.B16, V1.B16, V12.B16 - VEOR V13.B16, V2.B16, V13.B16 - VEOR V14.B16, V3.B16, V14.B16 - VREV32 V12.H8, V12.H8 - VREV32 V13.H8, V13.H8 - VREV32 V14.H8, V14.H8 - VREV32 V15.H8, V15.H8 - - // V10 += V15; V5 <<<= ((V10 XOR V5), 12) - // ... 
- VADD V15.S4, V10.S4, V10.S4 - VADD V12.S4, V11.S4, V11.S4 - VADD V13.S4, V8.S4, V8.S4 - VADD V14.S4, V9.S4, V9.S4 - VEOR V10.B16, V5.B16, V16.B16 - VEOR V11.B16, V6.B16, V17.B16 - VEOR V8.B16, V7.B16, V18.B16 - VEOR V9.B16, V4.B16, V19.B16 - VSHL $12, V16.S4, V5.S4 - VSHL $12, V17.S4, V6.S4 - VSHL $12, V18.S4, V7.S4 - VSHL $12, V19.S4, V4.S4 - VSRI $20, V16.S4, V5.S4 - VSRI $20, V17.S4, V6.S4 - VSRI $20, V18.S4, V7.S4 - VSRI $20, V19.S4, V4.S4 - - // V0 += V5; V15 <<<= ((V0 XOR V15), 8) - // ... - VADD V5.S4, V0.S4, V0.S4 - VADD V6.S4, V1.S4, V1.S4 - VADD V7.S4, V2.S4, V2.S4 - VADD V4.S4, V3.S4, V3.S4 - VEOR V0.B16, V15.B16, V15.B16 - VEOR V1.B16, V12.B16, V12.B16 - VEOR V2.B16, V13.B16, V13.B16 - VEOR V3.B16, V14.B16, V14.B16 - VTBL V31.B16, [V12.B16], V12.B16 - VTBL V31.B16, [V13.B16], V13.B16 - VTBL V31.B16, [V14.B16], V14.B16 - VTBL V31.B16, [V15.B16], V15.B16 - - // V10 += V15; V5 <<<= ((V10 XOR V5), 7) - // ... - VADD V15.S4, V10.S4, V10.S4 - VADD V12.S4, V11.S4, V11.S4 - VADD V13.S4, V8.S4, V8.S4 - VADD V14.S4, V9.S4, V9.S4 - VEOR V10.B16, V5.B16, V16.B16 - VEOR V11.B16, V6.B16, V17.B16 - VEOR V8.B16, V7.B16, V18.B16 - VEOR V9.B16, V4.B16, V19.B16 - VSHL $7, V16.S4, V5.S4 - VSHL $7, V17.S4, V6.S4 - VSHL $7, V18.S4, V7.S4 - VSHL $7, V19.S4, V4.S4 - VSRI $25, V16.S4, V5.S4 - VSRI $25, V17.S4, V6.S4 - VSRI $25, V18.S4, V7.S4 - VSRI $25, V19.S4, V4.S4 - - SUB $1, R21 - CBNZ R21, chacha - - // VLD4R (R10), [V16.S4, V17.S4, V18.S4, V19.S4] - WORD $0x4D60E950 - - // VLD4R 16(R4), [V20.S4, V21.S4, V22.S4, V23.S4] - WORD $0x4DFFE894 - VADD V30.S4, V12.S4, V12.S4 - VADD V16.S4, V0.S4, V0.S4 - VADD V17.S4, V1.S4, V1.S4 - VADD V18.S4, V2.S4, V2.S4 - VADD V19.S4, V3.S4, V3.S4 - // VLD4R 16(R4), [V24.S4, V25.S4, V26.S4, V27.S4] - WORD $0x4DFFE898 - // restore R4 - SUB $32, R4 - - // load counter + nonce - // VLD1R (R7), [V28.S4] - WORD $0x4D40C8FC - // VLD3R (R6), [V29.S4, V30.S4, V31.S4] - WORD $0x4D40E8DD - - VADD V20.S4, V4.S4, V4.S4 - VADD V21.S4, V5.S4, V5.S4 - 
VADD V22.S4, V6.S4, V6.S4 - VADD V23.S4, V7.S4, V7.S4 - VADD V24.S4, V8.S4, V8.S4 - VADD V25.S4, V9.S4, V9.S4 - VADD V26.S4, V10.S4, V10.S4 - VADD V27.S4, V11.S4, V11.S4 - VADD V28.S4, V12.S4, V12.S4 - VADD V29.S4, V13.S4, V13.S4 - VADD V30.S4, V14.S4, V14.S4 - VADD V31.S4, V15.S4, V15.S4 - - VZIP1 V1.S4, V0.S4, V16.S4 - VZIP2 V1.S4, V0.S4, V17.S4 - VZIP1 V3.S4, V2.S4, V18.S4 - VZIP2 V3.S4, V2.S4, V19.S4 - VZIP1 V5.S4, V4.S4, V20.S4 - VZIP2 V5.S4, V4.S4, V21.S4 - VZIP1 V7.S4, V6.S4, V22.S4 - VZIP2 V7.S4, V6.S4, V23.S4 - VZIP1 V9.S4, V8.S4, V24.S4 - VZIP2 V9.S4, V8.S4, V25.S4 - VZIP1 V11.S4, V10.S4, V26.S4 - VZIP2 V11.S4, V10.S4, V27.S4 - VZIP1 V13.S4, V12.S4, V28.S4 - VZIP2 V13.S4, V12.S4, V29.S4 - VZIP1 V15.S4, V14.S4, V30.S4 - VZIP2 V15.S4, V14.S4, V31.S4 - VZIP1 V18.D2, V16.D2, V0.D2 - VZIP2 V18.D2, V16.D2, V4.D2 - VZIP1 V19.D2, V17.D2, V8.D2 - VZIP2 V19.D2, V17.D2, V12.D2 - VLD1.P 64(R2), [V16.B16, V17.B16, V18.B16, V19.B16] - - VZIP1 V22.D2, V20.D2, V1.D2 - VZIP2 V22.D2, V20.D2, V5.D2 - VZIP1 V23.D2, V21.D2, V9.D2 - VZIP2 V23.D2, V21.D2, V13.D2 - VLD1.P 64(R2), [V20.B16, V21.B16, V22.B16, V23.B16] - VZIP1 V26.D2, V24.D2, V2.D2 - VZIP2 V26.D2, V24.D2, V6.D2 - VZIP1 V27.D2, V25.D2, V10.D2 - VZIP2 V27.D2, V25.D2, V14.D2 - VLD1.P 64(R2), [V24.B16, V25.B16, V26.B16, V27.B16] - VZIP1 V30.D2, V28.D2, V3.D2 - VZIP2 V30.D2, V28.D2, V7.D2 - VZIP1 V31.D2, V29.D2, V11.D2 - VZIP2 V31.D2, V29.D2, V15.D2 - VLD1.P 64(R2), [V28.B16, V29.B16, V30.B16, V31.B16] - VEOR V0.B16, V16.B16, V16.B16 - VEOR V1.B16, V17.B16, V17.B16 - VEOR V2.B16, V18.B16, V18.B16 - VEOR V3.B16, V19.B16, V19.B16 - VST1.P [V16.B16, V17.B16, V18.B16, V19.B16], 64(R1) - VEOR V4.B16, V20.B16, V20.B16 - VEOR V5.B16, V21.B16, V21.B16 - VEOR V6.B16, V22.B16, V22.B16 - VEOR V7.B16, V23.B16, V23.B16 - VST1.P [V20.B16, V21.B16, V22.B16, V23.B16], 64(R1) - VEOR V8.B16, V24.B16, V24.B16 - VEOR V9.B16, V25.B16, V25.B16 - VEOR V10.B16, V26.B16, V26.B16 - VEOR V11.B16, V27.B16, V27.B16 - VST1.P [V24.B16, V25.B16, 
V26.B16, V27.B16], 64(R1) - VEOR V12.B16, V28.B16, V28.B16 - VEOR V13.B16, V29.B16, V29.B16 - VEOR V14.B16, V30.B16, V30.B16 - VEOR V15.B16, V31.B16, V31.B16 - VST1.P [V28.B16, V29.B16, V30.B16, V31.B16], 64(R1) - - ADD $4, R20 - MOVW R20, (R7) // update counter - - CMP R2, R12 - BGT loop - - RET - - -DATA ·constants+0x00(SB)/4, $0x61707865 -DATA ·constants+0x04(SB)/4, $0x3320646e -DATA ·constants+0x08(SB)/4, $0x79622d32 -DATA ·constants+0x0c(SB)/4, $0x6b206574 -GLOBL ·constants(SB), NOPTR|RODATA, $32 - -DATA ·incRotMatrix+0x00(SB)/4, $0x00000000 -DATA ·incRotMatrix+0x04(SB)/4, $0x00000001 -DATA ·incRotMatrix+0x08(SB)/4, $0x00000002 -DATA ·incRotMatrix+0x0c(SB)/4, $0x00000003 -DATA ·incRotMatrix+0x10(SB)/4, $0x02010003 -DATA ·incRotMatrix+0x14(SB)/4, $0x06050407 -DATA ·incRotMatrix+0x18(SB)/4, $0x0A09080B -DATA ·incRotMatrix+0x1c(SB)/4, $0x0E0D0C0F -GLOBL ·incRotMatrix(SB), NOPTR|RODATA, $32 diff --git a/vendor/golang.org/x/crypto/chacha20/chacha_generic.go b/vendor/golang.org/x/crypto/chacha20/chacha_generic.go deleted file mode 100644 index 93eb5ae6d..000000000 --- a/vendor/golang.org/x/crypto/chacha20/chacha_generic.go +++ /dev/null 
@@ -1,398 +0,0 @@ -// Copyright 2016 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package chacha20 implements the ChaCha20 and XChaCha20 encryption algorithms -// as specified in RFC 8439 and draft-irtf-cfrg-xchacha-01. -package chacha20 - -import ( - "crypto/cipher" - "encoding/binary" - "errors" - "math/bits" - - "golang.org/x/crypto/internal/alias" -) - -const ( - // KeySize is the size of the key used by this cipher, in bytes. - KeySize = 32 - - // NonceSize is the size of the nonce used with the standard variant of this - // cipher, in bytes. - // - // Note that this is too short to be safely generated at random if the same - // key is reused more than 2³² times. - NonceSize = 12 - - // NonceSizeX is the size of the nonce used with the XChaCha20 variant of - // this cipher, in bytes. - NonceSizeX = 24 -) - -// Cipher is a stateful instance of ChaCha20 or XChaCha20 using a particular key -// and nonce. A *Cipher implements the cipher.Stream interface. -type Cipher struct { - // The ChaCha20 state is 16 words: 4 constant, 8 of key, 1 of counter - // (incremented after each block), and 3 of nonce. - key [8]uint32 - counter uint32 - nonce [3]uint32 - - // The last len bytes of buf are leftover key stream bytes from the previous - // XORKeyStream invocation. The size of buf depends on how many blocks are - // computed at a time by xorKeyStreamBlocks. - buf [bufSize]byte - len int - - // overflow is set when the counter overflowed, no more blocks can be - // generated, and the next XORKeyStream call should panic. - overflow bool - - // The counter-independent results of the first round are cached after they - // are computed the first time. 
- precompDone bool - p1, p5, p9, p13 uint32 - p2, p6, p10, p14 uint32 - p3, p7, p11, p15 uint32 -} - -var _ cipher.Stream = (*Cipher)(nil) - -// NewUnauthenticatedCipher creates a new ChaCha20 stream cipher with the given -// 32 bytes key and a 12 or 24 bytes nonce. If a nonce of 24 bytes is provided, -// the XChaCha20 construction will be used. It returns an error if key or nonce -// have any other length. -// -// Note that ChaCha20, like all stream ciphers, is not authenticated and allows -// attackers to silently tamper with the plaintext. For this reason, it is more -// appropriate as a building block than as a standalone encryption mechanism. -// Instead, consider using package golang.org/x/crypto/chacha20poly1305. -func NewUnauthenticatedCipher(key, nonce []byte) (*Cipher, error) { - // This function is split into a wrapper so that the Cipher allocation will - // be inlined, and depending on how the caller uses the return value, won't - // escape to the heap. - c := &Cipher{} - return newUnauthenticatedCipher(c, key, nonce) -} - -func newUnauthenticatedCipher(c *Cipher, key, nonce []byte) (*Cipher, error) { - if len(key) != KeySize { - return nil, errors.New("chacha20: wrong key size") - } - if len(nonce) == NonceSizeX { - // XChaCha20 uses the ChaCha20 core to mix 16 bytes of the nonce into a - // derived key, allowing it to operate on a nonce of 24 bytes. See - // draft-irtf-cfrg-xchacha-01, Section 2.3. 
- key, _ = HChaCha20(key, nonce[0:16]) - cNonce := make([]byte, NonceSize) - copy(cNonce[4:12], nonce[16:24]) - nonce = cNonce - } else if len(nonce) != NonceSize { - return nil, errors.New("chacha20: wrong nonce size") - } - - key, nonce = key[:KeySize], nonce[:NonceSize] // bounds check elimination hint - c.key = [8]uint32{ - binary.LittleEndian.Uint32(key[0:4]), - binary.LittleEndian.Uint32(key[4:8]), - binary.LittleEndian.Uint32(key[8:12]), - binary.LittleEndian.Uint32(key[12:16]), - binary.LittleEndian.Uint32(key[16:20]), - binary.LittleEndian.Uint32(key[20:24]), - binary.LittleEndian.Uint32(key[24:28]), - binary.LittleEndian.Uint32(key[28:32]), - } - c.nonce = [3]uint32{ - binary.LittleEndian.Uint32(nonce[0:4]), - binary.LittleEndian.Uint32(nonce[4:8]), - binary.LittleEndian.Uint32(nonce[8:12]), - } - return c, nil -} - -// The constant first 4 words of the ChaCha20 state. -const ( - j0 uint32 = 0x61707865 // expa - j1 uint32 = 0x3320646e // nd 3 - j2 uint32 = 0x79622d32 // 2-by - j3 uint32 = 0x6b206574 // te k -) - -const blockSize = 64 - -// quarterRound is the core of ChaCha20. It shuffles the bits of 4 state words. -// It's executed 4 times for each of the 20 ChaCha20 rounds, operating on all 16 -// words each round, in columnar or diagonal groups of 4 at a time. -func quarterRound(a, b, c, d uint32) (uint32, uint32, uint32, uint32) { - a += b - d ^= a - d = bits.RotateLeft32(d, 16) - c += d - b ^= c - b = bits.RotateLeft32(b, 12) - a += b - d ^= a - d = bits.RotateLeft32(d, 8) - c += d - b ^= c - b = bits.RotateLeft32(b, 7) - return a, b, c, d -} - -// SetCounter sets the Cipher counter. The next invocation of XORKeyStream will -// behave as if (64 * counter) bytes had been encrypted so far. -// -// To prevent accidental counter reuse, SetCounter panics if counter is less -// than the current value. -// -// Note that the execution time of XORKeyStream is not independent of the -// counter value. 
-func (s *Cipher) SetCounter(counter uint32) { - // Internally, s may buffer multiple blocks, which complicates this - // implementation slightly. When checking whether the counter has rolled - // back, we must use both s.counter and s.len to determine how many blocks - // we have already output. - outputCounter := s.counter - uint32(s.len)/blockSize - if s.overflow || counter < outputCounter { - panic("chacha20: SetCounter attempted to rollback counter") - } - - // In the general case, we set the new counter value and reset s.len to 0, - // causing the next call to XORKeyStream to refill the buffer. However, if - // we're advancing within the existing buffer, we can save work by simply - // setting s.len. - if counter < s.counter { - s.len = int(s.counter-counter) * blockSize - } else { - s.counter = counter - s.len = 0 - } -} - -// XORKeyStream XORs each byte in the given slice with a byte from the -// cipher's key stream. Dst and src must overlap entirely or not at all. -// -// If len(dst) < len(src), XORKeyStream will panic. It is acceptable -// to pass a dst bigger than src, and in that case, XORKeyStream will -// only update dst[:len(src)] and will not touch the rest of dst. -// -// Multiple calls to XORKeyStream behave as if the concatenation of -// the src buffers was passed in a single run. That is, Cipher -// maintains state and does not reset at each XORKeyStream call. -func (s *Cipher) XORKeyStream(dst, src []byte) { - if len(src) == 0 { - return - } - if len(dst) < len(src) { - panic("chacha20: output smaller than input") - } - dst = dst[:len(src)] - if alias.InexactOverlap(dst, src) { - panic("chacha20: invalid buffer overlap") - } - - // First, drain any remaining key stream from a previous XORKeyStream. 
- if s.len != 0 { - keyStream := s.buf[bufSize-s.len:] - if len(src) < len(keyStream) { - keyStream = keyStream[:len(src)] - } - _ = src[len(keyStream)-1] // bounds check elimination hint - for i, b := range keyStream { - dst[i] = src[i] ^ b - } - s.len -= len(keyStream) - dst, src = dst[len(keyStream):], src[len(keyStream):] - } - if len(src) == 0 { - return - } - - // If we'd need to let the counter overflow and keep generating output, - // panic immediately. If instead we'd only reach the last block, remember - // not to generate any more output after the buffer is drained. - numBlocks := (uint64(len(src)) + blockSize - 1) / blockSize - if s.overflow || uint64(s.counter)+numBlocks > 1<<32 { - panic("chacha20: counter overflow") - } else if uint64(s.counter)+numBlocks == 1<<32 { - s.overflow = true - } - - // xorKeyStreamBlocks implementations expect input lengths that are a - // multiple of bufSize. Platform-specific ones process multiple blocks at a - // time, so have bufSizes that are a multiple of blockSize. - - full := len(src) - len(src)%bufSize - if full > 0 { - s.xorKeyStreamBlocks(dst[:full], src[:full]) - } - dst, src = dst[full:], src[full:] - - // If using a multi-block xorKeyStreamBlocks would overflow, use the generic - // one that does one block at a time. - const blocksPerBuf = bufSize / blockSize - if uint64(s.counter)+blocksPerBuf > 1<<32 { - s.buf = [bufSize]byte{} - numBlocks := (len(src) + blockSize - 1) / blockSize - buf := s.buf[bufSize-numBlocks*blockSize:] - copy(buf, src) - s.xorKeyStreamBlocksGeneric(buf, buf) - s.len = len(buf) - copy(dst, buf) - return - } - - // If we have a partial (multi-)block, pad it for xorKeyStreamBlocks, and - // keep the leftover keystream for the next XORKeyStream invocation. 
- if len(src) > 0 { - s.buf = [bufSize]byte{} - copy(s.buf[:], src) - s.xorKeyStreamBlocks(s.buf[:], s.buf[:]) - s.len = bufSize - copy(dst, s.buf[:]) - } -} - -func (s *Cipher) xorKeyStreamBlocksGeneric(dst, src []byte) { - if len(dst) != len(src) || len(dst)%blockSize != 0 { - panic("chacha20: internal error: wrong dst and/or src length") - } - - // To generate each block of key stream, the initial cipher state - // (represented below) is passed through 20 rounds of shuffling, - // alternatively applying quarterRounds by columns (like 1, 5, 9, 13) - // or by diagonals (like 1, 6, 11, 12). - // - // 0:cccccccc 1:cccccccc 2:cccccccc 3:cccccccc - // 4:kkkkkkkk 5:kkkkkkkk 6:kkkkkkkk 7:kkkkkkkk - // 8:kkkkkkkk 9:kkkkkkkk 10:kkkkkkkk 11:kkkkkkkk - // 12:bbbbbbbb 13:nnnnnnnn 14:nnnnnnnn 15:nnnnnnnn - // - // c=constant k=key b=blockcount n=nonce - var ( - c0, c1, c2, c3 = j0, j1, j2, j3 - c4, c5, c6, c7 = s.key[0], s.key[1], s.key[2], s.key[3] - c8, c9, c10, c11 = s.key[4], s.key[5], s.key[6], s.key[7] - _, c13, c14, c15 = s.counter, s.nonce[0], s.nonce[1], s.nonce[2] - ) - - // Three quarters of the first round don't depend on the counter, so we can - // calculate them here, and reuse them for multiple blocks in the loop, and - // for future XORKeyStream invocations. - if !s.precompDone { - s.p1, s.p5, s.p9, s.p13 = quarterRound(c1, c5, c9, c13) - s.p2, s.p6, s.p10, s.p14 = quarterRound(c2, c6, c10, c14) - s.p3, s.p7, s.p11, s.p15 = quarterRound(c3, c7, c11, c15) - s.precompDone = true - } - - // A condition of len(src) > 0 would be sufficient, but this also - // acts as a bounds check elimination hint. - for len(src) >= 64 && len(dst) >= 64 { - // The remainder of the first column round. - fcr0, fcr4, fcr8, fcr12 := quarterRound(c0, c4, c8, s.counter) - - // The second diagonal round. 
- x0, x5, x10, x15 := quarterRound(fcr0, s.p5, s.p10, s.p15) - x1, x6, x11, x12 := quarterRound(s.p1, s.p6, s.p11, fcr12) - x2, x7, x8, x13 := quarterRound(s.p2, s.p7, fcr8, s.p13) - x3, x4, x9, x14 := quarterRound(s.p3, fcr4, s.p9, s.p14) - - // The remaining 18 rounds. - for i := 0; i < 9; i++ { - // Column round. - x0, x4, x8, x12 = quarterRound(x0, x4, x8, x12) - x1, x5, x9, x13 = quarterRound(x1, x5, x9, x13) - x2, x6, x10, x14 = quarterRound(x2, x6, x10, x14) - x3, x7, x11, x15 = quarterRound(x3, x7, x11, x15) - - // Diagonal round. - x0, x5, x10, x15 = quarterRound(x0, x5, x10, x15) - x1, x6, x11, x12 = quarterRound(x1, x6, x11, x12) - x2, x7, x8, x13 = quarterRound(x2, x7, x8, x13) - x3, x4, x9, x14 = quarterRound(x3, x4, x9, x14) - } - - // Add back the initial state to generate the key stream, then - // XOR the key stream with the source and write out the result. - addXor(dst[0:4], src[0:4], x0, c0) - addXor(dst[4:8], src[4:8], x1, c1) - addXor(dst[8:12], src[8:12], x2, c2) - addXor(dst[12:16], src[12:16], x3, c3) - addXor(dst[16:20], src[16:20], x4, c4) - addXor(dst[20:24], src[20:24], x5, c5) - addXor(dst[24:28], src[24:28], x6, c6) - addXor(dst[28:32], src[28:32], x7, c7) - addXor(dst[32:36], src[32:36], x8, c8) - addXor(dst[36:40], src[36:40], x9, c9) - addXor(dst[40:44], src[40:44], x10, c10) - addXor(dst[44:48], src[44:48], x11, c11) - addXor(dst[48:52], src[48:52], x12, s.counter) - addXor(dst[52:56], src[52:56], x13, c13) - addXor(dst[56:60], src[56:60], x14, c14) - addXor(dst[60:64], src[60:64], x15, c15) - - s.counter += 1 - - src, dst = src[blockSize:], dst[blockSize:] - } -} - -// HChaCha20 uses the ChaCha20 core to generate a derived key from a 32 bytes -// key and a 16 bytes nonce. It returns an error if key or nonce have any other -// length. It is used as part of the XChaCha20 construction. 
-func HChaCha20(key, nonce []byte) ([]byte, error) { - // This function is split into a wrapper so that the slice allocation will - // be inlined, and depending on how the caller uses the return value, won't - // escape to the heap. - out := make([]byte, 32) - return hChaCha20(out, key, nonce) -} - -func hChaCha20(out, key, nonce []byte) ([]byte, error) { - if len(key) != KeySize { - return nil, errors.New("chacha20: wrong HChaCha20 key size") - } - if len(nonce) != 16 { - return nil, errors.New("chacha20: wrong HChaCha20 nonce size") - } - - x0, x1, x2, x3 := j0, j1, j2, j3 - x4 := binary.LittleEndian.Uint32(key[0:4]) - x5 := binary.LittleEndian.Uint32(key[4:8]) - x6 := binary.LittleEndian.Uint32(key[8:12]) - x7 := binary.LittleEndian.Uint32(key[12:16]) - x8 := binary.LittleEndian.Uint32(key[16:20]) - x9 := binary.LittleEndian.Uint32(key[20:24]) - x10 := binary.LittleEndian.Uint32(key[24:28]) - x11 := binary.LittleEndian.Uint32(key[28:32]) - x12 := binary.LittleEndian.Uint32(nonce[0:4]) - x13 := binary.LittleEndian.Uint32(nonce[4:8]) - x14 := binary.LittleEndian.Uint32(nonce[8:12]) - x15 := binary.LittleEndian.Uint32(nonce[12:16]) - - for i := 0; i < 10; i++ { - // Diagonal round. - x0, x4, x8, x12 = quarterRound(x0, x4, x8, x12) - x1, x5, x9, x13 = quarterRound(x1, x5, x9, x13) - x2, x6, x10, x14 = quarterRound(x2, x6, x10, x14) - x3, x7, x11, x15 = quarterRound(x3, x7, x11, x15) - - // Column round. 
- x0, x5, x10, x15 = quarterRound(x0, x5, x10, x15) - x1, x6, x11, x12 = quarterRound(x1, x6, x11, x12) - x2, x7, x8, x13 = quarterRound(x2, x7, x8, x13) - x3, x4, x9, x14 = quarterRound(x3, x4, x9, x14) - } - - _ = out[31] // bounds check elimination hint - binary.LittleEndian.PutUint32(out[0:4], x0) - binary.LittleEndian.PutUint32(out[4:8], x1) - binary.LittleEndian.PutUint32(out[8:12], x2) - binary.LittleEndian.PutUint32(out[12:16], x3) - binary.LittleEndian.PutUint32(out[16:20], x12) - binary.LittleEndian.PutUint32(out[20:24], x13) - binary.LittleEndian.PutUint32(out[24:28], x14) - binary.LittleEndian.PutUint32(out[28:32], x15) - return out, nil -} diff --git a/vendor/golang.org/x/crypto/chacha20/chacha_noasm.go b/vendor/golang.org/x/crypto/chacha20/chacha_noasm.go deleted file mode 100644 index c709b7284..000000000 --- a/vendor/golang.org/x/crypto/chacha20/chacha_noasm.go +++ /dev/null @@ -1,13 +0,0 @@ -// Copyright 2018 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build (!arm64 && !s390x && !ppc64 && !ppc64le) || !gc || purego - -package chacha20 - -const bufSize = blockSize - -func (s *Cipher) xorKeyStreamBlocks(dst, src []byte) { - s.xorKeyStreamBlocksGeneric(dst, src) -} diff --git a/vendor/golang.org/x/crypto/chacha20/chacha_ppc64x.go b/vendor/golang.org/x/crypto/chacha20/chacha_ppc64x.go deleted file mode 100644 index bd183d9ba..000000000 --- a/vendor/golang.org/x/crypto/chacha20/chacha_ppc64x.go +++ /dev/null 
@@ -1,16 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build gc && !purego && (ppc64 || ppc64le)
-
-package chacha20
-
-const bufSize = 256
-
-//go:noescape
-func chaCha20_ctr32_vsx(out, inp *byte, len int, key *[8]uint32, counter *uint32)
-
-func (c *Cipher) xorKeyStreamBlocks(dst, src []byte) {
- chaCha20_ctr32_vsx(&dst[0], &src[0], len(src), &c.key, &c.counter)
-}
diff --git a/vendor/golang.org/x/crypto/chacha20/chacha_ppc64x.s b/vendor/golang.org/x/crypto/chacha20/chacha_ppc64x.s
deleted file mode 100644
index a660b4112..000000000
--- a/vendor/golang.org/x/crypto/chacha20/chacha_ppc64x.s
+++ /dev/null
@@ -1,501 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Based on CRYPTOGAMS code with the following comment:
-// # ====================================================================
-// # Written by Andy Polyakov <appro@openssl.org> for the OpenSSL
-// # project. The module is, however, dual licensed under OpenSSL and
-// # CRYPTOGAMS licenses depending on where you obtain it. For further
-// # details see http://www.openssl.org/~appro/cryptogams/.
-// # ====================================================================
-
-// Code for the perl script that generates the ppc64 assembler
-// can be found in the cryptogams repository at the link below. It is based on
-// the original from openssl.
-
-// https://github.com/dot-asm/cryptogams/commit/a60f5b50ed908e91
-
-// The differences in this and the original implementation are
-// due to the calling conventions and initialization of constants.
- -//go:build gc && !purego && (ppc64 || ppc64le) - -#include "textflag.h" - -#define OUT R3 -#define INP R4 -#define LEN R5 -#define KEY R6 -#define CNT R7 -#define TMP R15 - -#define CONSTBASE R16 -#define BLOCKS R17 - -// for VPERMXOR -#define MASK R18 - -DATA consts<>+0x00(SB)/4, $0x61707865 -DATA consts<>+0x04(SB)/4, $0x3320646e -DATA consts<>+0x08(SB)/4, $0x79622d32 -DATA consts<>+0x0c(SB)/4, $0x6b206574 -DATA consts<>+0x10(SB)/4, $0x00000001 -DATA consts<>+0x14(SB)/4, $0x00000000 -DATA consts<>+0x18(SB)/4, $0x00000000 -DATA consts<>+0x1c(SB)/4, $0x00000000 -DATA consts<>+0x20(SB)/4, $0x00000004 -DATA consts<>+0x24(SB)/4, $0x00000000 -DATA consts<>+0x28(SB)/4, $0x00000000 -DATA consts<>+0x2c(SB)/4, $0x00000000 -DATA consts<>+0x30(SB)/4, $0x0e0f0c0d -DATA consts<>+0x34(SB)/4, $0x0a0b0809 -DATA consts<>+0x38(SB)/4, $0x06070405 -DATA consts<>+0x3c(SB)/4, $0x02030001 -DATA consts<>+0x40(SB)/4, $0x0d0e0f0c -DATA consts<>+0x44(SB)/4, $0x090a0b08 -DATA consts<>+0x48(SB)/4, $0x05060704 -DATA consts<>+0x4c(SB)/4, $0x01020300 -DATA consts<>+0x50(SB)/4, $0x61707865 -DATA consts<>+0x54(SB)/4, $0x61707865 -DATA consts<>+0x58(SB)/4, $0x61707865 -DATA consts<>+0x5c(SB)/4, $0x61707865 -DATA consts<>+0x60(SB)/4, $0x3320646e -DATA consts<>+0x64(SB)/4, $0x3320646e -DATA consts<>+0x68(SB)/4, $0x3320646e -DATA consts<>+0x6c(SB)/4, $0x3320646e -DATA consts<>+0x70(SB)/4, $0x79622d32 -DATA consts<>+0x74(SB)/4, $0x79622d32 -DATA consts<>+0x78(SB)/4, $0x79622d32 -DATA consts<>+0x7c(SB)/4, $0x79622d32 -DATA consts<>+0x80(SB)/4, $0x6b206574 -DATA consts<>+0x84(SB)/4, $0x6b206574 -DATA consts<>+0x88(SB)/4, $0x6b206574 -DATA consts<>+0x8c(SB)/4, $0x6b206574 -DATA consts<>+0x90(SB)/4, $0x00000000 -DATA consts<>+0x94(SB)/4, $0x00000001 -DATA consts<>+0x98(SB)/4, $0x00000002 -DATA consts<>+0x9c(SB)/4, $0x00000003 -DATA consts<>+0xa0(SB)/4, $0x11223300 -DATA consts<>+0xa4(SB)/4, $0x55667744 -DATA consts<>+0xa8(SB)/4, $0x99aabb88 -DATA consts<>+0xac(SB)/4, $0xddeeffcc -DATA 
consts<>+0xb0(SB)/4, $0x22330011 -DATA consts<>+0xb4(SB)/4, $0x66774455 -DATA consts<>+0xb8(SB)/4, $0xaabb8899 -DATA consts<>+0xbc(SB)/4, $0xeeffccdd -GLOBL consts<>(SB), RODATA, $0xc0 - -#ifdef GOARCH_ppc64 -#define BE_XXBRW_INIT() \ - LVSL (R0)(R0), V24 \ - VSPLTISB $3, V25 \ - VXOR V24, V25, V24 \ - -#define BE_XXBRW(vr) VPERM vr, vr, V24, vr -#else -#define BE_XXBRW_INIT() -#define BE_XXBRW(vr) -#endif - -//func chaCha20_ctr32_vsx(out, inp *byte, len int, key *[8]uint32, counter *uint32) -TEXT ·chaCha20_ctr32_vsx(SB),NOSPLIT,$64-40 - MOVD out+0(FP), OUT - MOVD inp+8(FP), INP - MOVD len+16(FP), LEN - MOVD key+24(FP), KEY - MOVD counter+32(FP), CNT - - // Addressing for constants - MOVD $consts<>+0x00(SB), CONSTBASE - MOVD $16, R8 - MOVD $32, R9 - MOVD $48, R10 - MOVD $64, R11 - SRD $6, LEN, BLOCKS - // for VPERMXOR - MOVD $consts<>+0xa0(SB), MASK - MOVD $16, R20 - // V16 - LXVW4X (CONSTBASE)(R0), VS48 - ADD $80,CONSTBASE - - // Load key into V17,V18 - LXVW4X (KEY)(R0), VS49 - LXVW4X (KEY)(R8), VS50 - - // Load CNT, NONCE into V19 - LXVW4X (CNT)(R0), VS51 - - // Clear V27 - VXOR V27, V27, V27 - - BE_XXBRW_INIT() - - // V28 - LXVW4X (CONSTBASE)(R11), VS60 - - // Load mask constants for VPERMXOR - LXVW4X (MASK)(R0), V20 - LXVW4X (MASK)(R20), V21 - - // splat slot from V19 -> V26 - VSPLTW $0, V19, V26 - - VSLDOI $4, V19, V27, V19 - VSLDOI $12, V27, V19, V19 - - VADDUWM V26, V28, V26 - - MOVD $10, R14 - MOVD R14, CTR - PCALIGN $16 -loop_outer_vsx: - // V0, V1, V2, V3 - LXVW4X (R0)(CONSTBASE), VS32 - LXVW4X (R8)(CONSTBASE), VS33 - LXVW4X (R9)(CONSTBASE), VS34 - LXVW4X (R10)(CONSTBASE), VS35 - - // splat values from V17, V18 into V4-V11 - VSPLTW $0, V17, V4 - VSPLTW $1, V17, V5 - VSPLTW $2, V17, V6 - VSPLTW $3, V17, V7 - VSPLTW $0, V18, V8 - VSPLTW $1, V18, V9 - VSPLTW $2, V18, V10 - VSPLTW $3, V18, V11 - - // VOR - VOR V26, V26, V12 - - // splat values from V19 -> V13, V14, V15 - VSPLTW $1, V19, V13 - VSPLTW $2, V19, V14 - VSPLTW $3, V19, V15 - - // splat const values 
- VSPLTISW $-16, V27 - VSPLTISW $12, V28 - VSPLTISW $8, V29 - VSPLTISW $7, V30 - PCALIGN $16 -loop_vsx: - VADDUWM V0, V4, V0 - VADDUWM V1, V5, V1 - VADDUWM V2, V6, V2 - VADDUWM V3, V7, V3 - - VPERMXOR V12, V0, V21, V12 - VPERMXOR V13, V1, V21, V13 - VPERMXOR V14, V2, V21, V14 - VPERMXOR V15, V3, V21, V15 - - VADDUWM V8, V12, V8 - VADDUWM V9, V13, V9 - VADDUWM V10, V14, V10 - VADDUWM V11, V15, V11 - - VXOR V4, V8, V4 - VXOR V5, V9, V5 - VXOR V6, V10, V6 - VXOR V7, V11, V7 - - VRLW V4, V28, V4 - VRLW V5, V28, V5 - VRLW V6, V28, V6 - VRLW V7, V28, V7 - - VADDUWM V0, V4, V0 - VADDUWM V1, V5, V1 - VADDUWM V2, V6, V2 - VADDUWM V3, V7, V3 - - VPERMXOR V12, V0, V20, V12 - VPERMXOR V13, V1, V20, V13 - VPERMXOR V14, V2, V20, V14 - VPERMXOR V15, V3, V20, V15 - - VADDUWM V8, V12, V8 - VADDUWM V9, V13, V9 - VADDUWM V10, V14, V10 - VADDUWM V11, V15, V11 - - VXOR V4, V8, V4 - VXOR V5, V9, V5 - VXOR V6, V10, V6 - VXOR V7, V11, V7 - - VRLW V4, V30, V4 - VRLW V5, V30, V5 - VRLW V6, V30, V6 - VRLW V7, V30, V7 - - VADDUWM V0, V5, V0 - VADDUWM V1, V6, V1 - VADDUWM V2, V7, V2 - VADDUWM V3, V4, V3 - - VPERMXOR V15, V0, V21, V15 - VPERMXOR V12, V1, V21, V12 - VPERMXOR V13, V2, V21, V13 - VPERMXOR V14, V3, V21, V14 - - VADDUWM V10, V15, V10 - VADDUWM V11, V12, V11 - VADDUWM V8, V13, V8 - VADDUWM V9, V14, V9 - - VXOR V5, V10, V5 - VXOR V6, V11, V6 - VXOR V7, V8, V7 - VXOR V4, V9, V4 - - VRLW V5, V28, V5 - VRLW V6, V28, V6 - VRLW V7, V28, V7 - VRLW V4, V28, V4 - - VADDUWM V0, V5, V0 - VADDUWM V1, V6, V1 - VADDUWM V2, V7, V2 - VADDUWM V3, V4, V3 - - VPERMXOR V15, V0, V20, V15 - VPERMXOR V12, V1, V20, V12 - VPERMXOR V13, V2, V20, V13 - VPERMXOR V14, V3, V20, V14 - - VADDUWM V10, V15, V10 - VADDUWM V11, V12, V11 - VADDUWM V8, V13, V8 - VADDUWM V9, V14, V9 - - VXOR V5, V10, V5 - VXOR V6, V11, V6 - VXOR V7, V8, V7 - VXOR V4, V9, V4 - - VRLW V5, V30, V5 - VRLW V6, V30, V6 - VRLW V7, V30, V7 - VRLW V4, V30, V4 - BDNZ loop_vsx - - VADDUWM V12, V26, V12 - - VMRGEW V0, V1, V27 - VMRGEW V2, V3, V28 - - 
VMRGOW V0, V1, V0 - VMRGOW V2, V3, V2 - - VMRGEW V4, V5, V29 - VMRGEW V6, V7, V30 - - XXPERMDI VS32, VS34, $0, VS33 - XXPERMDI VS32, VS34, $3, VS35 - XXPERMDI VS59, VS60, $0, VS32 - XXPERMDI VS59, VS60, $3, VS34 - - VMRGOW V4, V5, V4 - VMRGOW V6, V7, V6 - - VMRGEW V8, V9, V27 - VMRGEW V10, V11, V28 - - XXPERMDI VS36, VS38, $0, VS37 - XXPERMDI VS36, VS38, $3, VS39 - XXPERMDI VS61, VS62, $0, VS36 - XXPERMDI VS61, VS62, $3, VS38 - - VMRGOW V8, V9, V8 - VMRGOW V10, V11, V10 - - VMRGEW V12, V13, V29 - VMRGEW V14, V15, V30 - - XXPERMDI VS40, VS42, $0, VS41 - XXPERMDI VS40, VS42, $3, VS43 - XXPERMDI VS59, VS60, $0, VS40 - XXPERMDI VS59, VS60, $3, VS42 - - VMRGOW V12, V13, V12 - VMRGOW V14, V15, V14 - - VSPLTISW $4, V27 - VADDUWM V26, V27, V26 - - XXPERMDI VS44, VS46, $0, VS45 - XXPERMDI VS44, VS46, $3, VS47 - XXPERMDI VS61, VS62, $0, VS44 - XXPERMDI VS61, VS62, $3, VS46 - - VADDUWM V0, V16, V0 - VADDUWM V4, V17, V4 - VADDUWM V8, V18, V8 - VADDUWM V12, V19, V12 - - BE_XXBRW(V0) - BE_XXBRW(V4) - BE_XXBRW(V8) - BE_XXBRW(V12) - - CMPU LEN, $64 - BLT tail_vsx - - // Bottom of loop - LXVW4X (INP)(R0), VS59 - LXVW4X (INP)(R8), VS60 - LXVW4X (INP)(R9), VS61 - LXVW4X (INP)(R10), VS62 - - VXOR V27, V0, V27 - VXOR V28, V4, V28 - VXOR V29, V8, V29 - VXOR V30, V12, V30 - - STXVW4X VS59, (OUT)(R0) - STXVW4X VS60, (OUT)(R8) - ADD $64, INP - STXVW4X VS61, (OUT)(R9) - ADD $-64, LEN - STXVW4X VS62, (OUT)(R10) - ADD $64, OUT - BEQ done_vsx - - VADDUWM V1, V16, V0 - VADDUWM V5, V17, V4 - VADDUWM V9, V18, V8 - VADDUWM V13, V19, V12 - - BE_XXBRW(V0) - BE_XXBRW(V4) - BE_XXBRW(V8) - BE_XXBRW(V12) - - CMPU LEN, $64 - BLT tail_vsx - - LXVW4X (INP)(R0), VS59 - LXVW4X (INP)(R8), VS60 - LXVW4X (INP)(R9), VS61 - LXVW4X (INP)(R10), VS62 - - VXOR V27, V0, V27 - VXOR V28, V4, V28 - VXOR V29, V8, V29 - VXOR V30, V12, V30 - - STXVW4X VS59, (OUT)(R0) - STXVW4X VS60, (OUT)(R8) - ADD $64, INP - STXVW4X VS61, (OUT)(R9) - ADD $-64, LEN - STXVW4X VS62, (OUT)(V10) - ADD $64, OUT - BEQ done_vsx - - VADDUWM V2, 
V16, V0 - VADDUWM V6, V17, V4 - VADDUWM V10, V18, V8 - VADDUWM V14, V19, V12 - - BE_XXBRW(V0) - BE_XXBRW(V4) - BE_XXBRW(V8) - BE_XXBRW(V12) - - CMPU LEN, $64 - BLT tail_vsx - - LXVW4X (INP)(R0), VS59 - LXVW4X (INP)(R8), VS60 - LXVW4X (INP)(R9), VS61 - LXVW4X (INP)(R10), VS62 - - VXOR V27, V0, V27 - VXOR V28, V4, V28 - VXOR V29, V8, V29 - VXOR V30, V12, V30 - - STXVW4X VS59, (OUT)(R0) - STXVW4X VS60, (OUT)(R8) - ADD $64, INP - STXVW4X VS61, (OUT)(R9) - ADD $-64, LEN - STXVW4X VS62, (OUT)(R10) - ADD $64, OUT - BEQ done_vsx - - VADDUWM V3, V16, V0 - VADDUWM V7, V17, V4 - VADDUWM V11, V18, V8 - VADDUWM V15, V19, V12 - - BE_XXBRW(V0) - BE_XXBRW(V4) - BE_XXBRW(V8) - BE_XXBRW(V12) - - CMPU LEN, $64 - BLT tail_vsx - - LXVW4X (INP)(R0), VS59 - LXVW4X (INP)(R8), VS60 - LXVW4X (INP)(R9), VS61 - LXVW4X (INP)(R10), VS62 - - VXOR V27, V0, V27 - VXOR V28, V4, V28 - VXOR V29, V8, V29 - VXOR V30, V12, V30 - - STXVW4X VS59, (OUT)(R0) - STXVW4X VS60, (OUT)(R8) - ADD $64, INP - STXVW4X VS61, (OUT)(R9) - ADD $-64, LEN - STXVW4X VS62, (OUT)(R10) - ADD $64, OUT - - MOVD $10, R14 - MOVD R14, CTR - BNE loop_outer_vsx - -done_vsx: - // Increment counter by number of 64 byte blocks - MOVWZ (CNT), R14 - ADD BLOCKS, R14 - MOVWZ R14, (CNT) - RET - -tail_vsx: - ADD $32, R1, R11 - MOVD LEN, CTR - - // Save values on stack to copy from - STXVW4X VS32, (R11)(R0) - STXVW4X VS36, (R11)(R8) - STXVW4X VS40, (R11)(R9) - STXVW4X VS44, (R11)(R10) - ADD $-1, R11, R12 - ADD $-1, INP - ADD $-1, OUT - PCALIGN $16 -looptail_vsx: - // Copying the result to OUT - // in bytes. - MOVBZU 1(R12), KEY - MOVBZU 1(INP), TMP - XOR KEY, TMP, KEY - MOVBU KEY, 1(OUT) - BDNZ looptail_vsx - - // Clear the stack values - STXVW4X VS48, (R11)(R0) - STXVW4X VS48, (R11)(R8) - STXVW4X VS48, (R11)(R9) - STXVW4X VS48, (R11)(R10) - BR done_vsx diff --git a/vendor/golang.org/x/crypto/chacha20/chacha_s390x.go b/vendor/golang.org/x/crypto/chacha20/chacha_s390x.go deleted file mode 100644 index 683ccfd1c..000000000 
--- a/vendor/golang.org/x/crypto/chacha20/chacha_s390x.go
+++ /dev/null
@@ -1,27 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build gc && !purego
-
-package chacha20
-
-import "golang.org/x/sys/cpu"
-
-var haveAsm = cpu.S390X.HasVX
-
-const bufSize = 256
-
-// xorKeyStreamVX is an assembly implementation of XORKeyStream. It must only
-// be called when the vector facility is available. Implementation in asm_s390x.s.
-//
-//go:noescape
-func xorKeyStreamVX(dst, src []byte, key *[8]uint32, nonce *[3]uint32, counter *uint32)
-
-func (c *Cipher) xorKeyStreamBlocks(dst, src []byte) {
- if cpu.S390X.HasVX {
- xorKeyStreamVX(dst, src, &c.key, &c.nonce, &c.counter)
- } else {
- c.xorKeyStreamBlocksGeneric(dst, src)
- }
-}
diff --git a/vendor/golang.org/x/crypto/chacha20/chacha_s390x.s b/vendor/golang.org/x/crypto/chacha20/chacha_s390x.s
deleted file mode 100644
index 1eda91a3d..000000000
--- a/vendor/golang.org/x/crypto/chacha20/chacha_s390x.s
+++ /dev/null
@@ -1,224 +0,0 @@ -// Copyright 2018 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build gc && !purego - -#include "go_asm.h" -#include "textflag.h" - -// This is an implementation of the ChaCha20 encryption algorithm as -// specified in RFC 7539. It uses vector instructions to compute -// 4 keystream blocks in parallel (256 bytes) which are then XORed -// with the bytes in the input slice. - -GLOBL ·constants<>(SB), RODATA|NOPTR, $32 -// BSWAP: swap bytes in each 4-byte element -DATA ·constants<>+0x00(SB)/4, $0x03020100 -DATA ·constants<>+0x04(SB)/4, $0x07060504 -DATA ·constants<>+0x08(SB)/4, $0x0b0a0908 -DATA ·constants<>+0x0c(SB)/4, $0x0f0e0d0c -// J0: [j0, j1, j2, j3] -DATA ·constants<>+0x10(SB)/4, $0x61707865 -DATA ·constants<>+0x14(SB)/4, $0x3320646e -DATA ·constants<>+0x18(SB)/4, $0x79622d32 -DATA ·constants<>+0x1c(SB)/4, $0x6b206574 - -#define BSWAP V5 -#define J0 V6 -#define KEY0 V7 -#define KEY1 V8 -#define NONCE V9 -#define CTR V10 -#define M0 V11 -#define M1 V12 -#define M2 V13 -#define M3 V14 -#define INC V15 -#define X0 V16 -#define X1 V17 -#define X2 V18 -#define X3 V19 -#define X4 V20 -#define X5 V21 -#define X6 V22 -#define X7 V23 -#define X8 V24 -#define X9 V25 -#define X10 V26 -#define X11 V27 -#define X12 V28 -#define X13 V29 -#define X14 V30 -#define X15 V31 - -#define NUM_ROUNDS 20 - -#define ROUND4(a0, a1, a2, a3, b0, b1, b2, b3, c0, c1, c2, c3, d0, d1, d2, d3) \ - VAF a1, a0, a0 \ - VAF b1, b0, b0 \ - VAF c1, c0, c0 \ - VAF d1, d0, d0 \ - VX a0, a2, a2 \ - VX b0, b2, b2 \ - VX c0, c2, c2 \ - VX d0, d2, d2 \ - VERLLF $16, a2, a2 \ - VERLLF $16, b2, b2 \ - VERLLF $16, c2, c2 \ - VERLLF $16, d2, d2 \ - VAF a2, a3, a3 \ - VAF b2, b3, b3 \ - VAF c2, c3, c3 \ - VAF d2, d3, d3 \ - VX a3, a1, a1 \ - VX b3, b1, b1 \ - VX c3, c1, c1 \ - VX d3, d1, d1 \ - VERLLF $12, a1, a1 \ - VERLLF $12, b1, b1 \ - VERLLF $12, c1, c1 \ - VERLLF $12, d1, d1 \ - VAF 
a1, a0, a0 \ - VAF b1, b0, b0 \ - VAF c1, c0, c0 \ - VAF d1, d0, d0 \ - VX a0, a2, a2 \ - VX b0, b2, b2 \ - VX c0, c2, c2 \ - VX d0, d2, d2 \ - VERLLF $8, a2, a2 \ - VERLLF $8, b2, b2 \ - VERLLF $8, c2, c2 \ - VERLLF $8, d2, d2 \ - VAF a2, a3, a3 \ - VAF b2, b3, b3 \ - VAF c2, c3, c3 \ - VAF d2, d3, d3 \ - VX a3, a1, a1 \ - VX b3, b1, b1 \ - VX c3, c1, c1 \ - VX d3, d1, d1 \ - VERLLF $7, a1, a1 \ - VERLLF $7, b1, b1 \ - VERLLF $7, c1, c1 \ - VERLLF $7, d1, d1 - -#define PERMUTE(mask, v0, v1, v2, v3) \ - VPERM v0, v0, mask, v0 \ - VPERM v1, v1, mask, v1 \ - VPERM v2, v2, mask, v2 \ - VPERM v3, v3, mask, v3 - -#define ADDV(x, v0, v1, v2, v3) \ - VAF x, v0, v0 \ - VAF x, v1, v1 \ - VAF x, v2, v2 \ - VAF x, v3, v3 - -#define XORV(off, dst, src, v0, v1, v2, v3) \ - VLM off(src), M0, M3 \ - PERMUTE(BSWAP, v0, v1, v2, v3) \ - VX v0, M0, M0 \ - VX v1, M1, M1 \ - VX v2, M2, M2 \ - VX v3, M3, M3 \ - VSTM M0, M3, off(dst) - -#define SHUFFLE(a, b, c, d, t, u, v, w) \ - VMRHF a, c, t \ // t = {a[0], c[0], a[1], c[1]} - VMRHF b, d, u \ // u = {b[0], d[0], b[1], d[1]} - VMRLF a, c, v \ // v = {a[2], c[2], a[3], c[3]} - VMRLF b, d, w \ // w = {b[2], d[2], b[3], d[3]} - VMRHF t, u, a \ // a = {a[0], b[0], c[0], d[0]} - VMRLF t, u, b \ // b = {a[1], b[1], c[1], d[1]} - VMRHF v, w, c \ // c = {a[2], b[2], c[2], d[2]} - VMRLF v, w, d // d = {a[3], b[3], c[3], d[3]} - -// func xorKeyStreamVX(dst, src []byte, key *[8]uint32, nonce *[3]uint32, counter *uint32) -TEXT ·xorKeyStreamVX(SB), NOSPLIT, $0 - MOVD $·constants<>(SB), R1 - MOVD dst+0(FP), R2 // R2=&dst[0] - LMG src+24(FP), R3, R4 // R3=&src[0] R4=len(src) - MOVD key+48(FP), R5 // R5=key - MOVD nonce+56(FP), R6 // R6=nonce - MOVD counter+64(FP), R7 // R7=counter - - // load BSWAP and J0 - VLM (R1), BSWAP, J0 - - // setup - MOVD $95, R0 - VLM (R5), KEY0, KEY1 - VLL R0, (R6), NONCE - VZERO M0 - VLEIB $7, $32, M0 - VSRLB M0, NONCE, NONCE - - // initialize counter values - VLREPF (R7), CTR - VZERO INC - VLEIF $1, $1, INC - VLEIF $2, $2, 
INC - VLEIF $3, $3, INC - VAF INC, CTR, CTR - VREPIF $4, INC - -chacha: - VREPF $0, J0, X0 - VREPF $1, J0, X1 - VREPF $2, J0, X2 - VREPF $3, J0, X3 - VREPF $0, KEY0, X4 - VREPF $1, KEY0, X5 - VREPF $2, KEY0, X6 - VREPF $3, KEY0, X7 - VREPF $0, KEY1, X8 - VREPF $1, KEY1, X9 - VREPF $2, KEY1, X10 - VREPF $3, KEY1, X11 - VLR CTR, X12 - VREPF $1, NONCE, X13 - VREPF $2, NONCE, X14 - VREPF $3, NONCE, X15 - - MOVD $(NUM_ROUNDS/2), R1 - -loop: - ROUND4(X0, X4, X12, X8, X1, X5, X13, X9, X2, X6, X14, X10, X3, X7, X15, X11) - ROUND4(X0, X5, X15, X10, X1, X6, X12, X11, X2, X7, X13, X8, X3, X4, X14, X9) - - ADD $-1, R1 - BNE loop - - // decrement length - ADD $-256, R4 - - // rearrange vectors - SHUFFLE(X0, X1, X2, X3, M0, M1, M2, M3) - ADDV(J0, X0, X1, X2, X3) - SHUFFLE(X4, X5, X6, X7, M0, M1, M2, M3) - ADDV(KEY0, X4, X5, X6, X7) - SHUFFLE(X8, X9, X10, X11, M0, M1, M2, M3) - ADDV(KEY1, X8, X9, X10, X11) - VAF CTR, X12, X12 - SHUFFLE(X12, X13, X14, X15, M0, M1, M2, M3) - ADDV(NONCE, X12, X13, X14, X15) - - // increment counters - VAF INC, CTR, CTR - - // xor keystream with plaintext - XORV(0*64, R2, R3, X0, X4, X8, X12) - XORV(1*64, R2, R3, X1, X5, X9, X13) - XORV(2*64, R2, R3, X2, X6, X10, X14) - XORV(3*64, R2, R3, X3, X7, X11, X15) - - // increment pointers - MOVD $256(R2), R2 - MOVD $256(R3), R3 - - CMPBNE R4, $0, chacha - - VSTEF $0, CTR, (R7) - RET diff --git a/vendor/golang.org/x/crypto/chacha20/xor.go b/vendor/golang.org/x/crypto/chacha20/xor.go deleted file mode 100644 index c2d04851e..000000000 --- a/vendor/golang.org/x/crypto/chacha20/xor.go +++ /dev/null 
@@ -1,42 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found src the LICENSE file.
-
-package chacha20
-
-import "runtime"
-
-// Platforms that have fast unaligned 32-bit little endian accesses.
-const unaligned = runtime.GOARCH == "386" ||
- runtime.GOARCH == "amd64" ||
- runtime.GOARCH == "arm64" ||
- runtime.GOARCH == "ppc64le" ||
- runtime.GOARCH == "s390x"
-
-// addXor reads a little endian uint32 from src, XORs it with (a + b) and
-// places the result in little endian byte order in dst.
-func addXor(dst, src []byte, a, b uint32) {
- _, _ = src[3], dst[3] // bounds check elimination hint
- if unaligned {
- // The compiler should optimize this code into
- // 32-bit unaligned little endian loads and stores.
- // TODO: delete once the compiler does a reliably
- // good job with the generic code below.
- // See issue #25111 for more details.
- v := uint32(src[0])
- v |= uint32(src[1]) << 8
- v |= uint32(src[2]) << 16
- v |= uint32(src[3]) << 24
- v ^= a + b
- dst[0] = byte(v)
- dst[1] = byte(v >> 8)
- dst[2] = byte(v >> 16)
- dst[3] = byte(v >> 24)
- } else {
- a += b
- dst[0] = src[0] ^ byte(a)
- dst[1] = src[1] ^ byte(a>>8)
- dst[2] = src[2] ^ byte(a>>16)
- dst[3] = src[3] ^ byte(a>>24)
- }
-}
diff --git a/vendor/golang.org/x/crypto/curve25519/curve25519.go b/vendor/golang.org/x/crypto/curve25519/curve25519.go
deleted file mode 100644
index 21ca3b2ee..000000000
--- a/vendor/golang.org/x/crypto/curve25519/curve25519.go
+++ /dev/null
@@ -1,90 +0,0 @@ -// Copyright 2019 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package curve25519 provides an implementation of the X25519 function, which -// performs scalar multiplication on the elliptic curve known as Curve25519. -// See RFC 7748. -// -// This package is a wrapper for the X25519 implementation -// in the crypto/ecdh package. -package curve25519 - -import "crypto/ecdh" - -// ScalarMult sets dst to the product scalar * point. -// -// Deprecated: when provided a low-order point, ScalarMult will set dst to all -// zeroes, irrespective of the scalar. Instead, use the X25519 function, which -// will return an error. -func ScalarMult(dst, scalar, point *[32]byte) { - if _, err := x25519(dst, scalar[:], point[:]); err != nil { - // The only error condition for x25519 when the inputs are 32 bytes long - // is if the output would have been the all-zero value. - for i := range dst { - dst[i] = 0 - } - } -} - -// ScalarBaseMult sets dst to the product scalar * base where base is the -// standard generator. -// -// It is recommended to use the X25519 function with Basepoint instead, as -// copying into fixed size arrays can lead to unexpected bugs. -func ScalarBaseMult(dst, scalar *[32]byte) { - curve := ecdh.X25519() - priv, err := curve.NewPrivateKey(scalar[:]) - if err != nil { - panic("curve25519: internal error: scalarBaseMult was not 32 bytes") - } - copy(dst[:], priv.PublicKey().Bytes()) -} - -const ( - // ScalarSize is the size of the scalar input to X25519. - ScalarSize = 32 - // PointSize is the size of the point input to X25519. - PointSize = 32 -) - -// Basepoint is the canonical Curve25519 generator. -var Basepoint []byte - -var basePoint = [32]byte{9} - -func init() { Basepoint = basePoint[:] } - -// X25519 returns the result of the scalar multiplication (scalar * point), -// according to RFC 7748, Section 5. 
scalar, point and the return value are -// slices of 32 bytes. -// -// scalar can be generated at random, for example with crypto/rand. point should -// be either Basepoint or the output of another X25519 call. -// -// If point is Basepoint (but not if it's a different slice with the same -// contents) a precomputed implementation might be used for performance. -func X25519(scalar, point []byte) ([]byte, error) { - // Outline the body of function, to let the allocation be inlined in the - // caller, and possibly avoid escaping to the heap. - var dst [32]byte - return x25519(&dst, scalar, point) -} - -func x25519(dst *[32]byte, scalar, point []byte) ([]byte, error) { - curve := ecdh.X25519() - pub, err := curve.NewPublicKey(point) - if err != nil { - return nil, err - } - priv, err := curve.NewPrivateKey(scalar) - if err != nil { - return nil, err - } - out, err := priv.ECDH(pub) - if err != nil { - return nil, err - } - copy(dst[:], out) - return dst[:], nil -} diff --git a/vendor/golang.org/x/crypto/ed25519/ed25519.go b/vendor/golang.org/x/crypto/ed25519/ed25519.go deleted file mode 100644 index 59b3a95a7..000000000 --- a/vendor/golang.org/x/crypto/ed25519/ed25519.go +++ /dev/null 
@@ -1,69 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package ed25519 implements the Ed25519 signature algorithm. See
-// https://ed25519.cr.yp.to/.
-//
-// These functions are also compatible with the “Ed25519” function defined in
-// RFC 8032. However, unlike RFC 8032's formulation, this package's private key
-// representation includes a public key suffix to make multiple signing
-// operations with the same key more efficient. This package refers to the RFC
-// 8032 private key as the “seed”.
-//
-// This package is a wrapper around the standard library crypto/ed25519 package.
-package ed25519
-
-import (
- "crypto/ed25519"
- "io"
-)
-
-const (
- // PublicKeySize is the size, in bytes, of public keys as used in this package.
- PublicKeySize = 32
- // PrivateKeySize is the size, in bytes, of private keys as used in this package.
- PrivateKeySize = 64
- // SignatureSize is the size, in bytes, of signatures generated and verified by this package.
- SignatureSize = 64
- // SeedSize is the size, in bytes, of private key seeds. These are the private key representations used by RFC 8032.
- SeedSize = 32
-)
-
-// PublicKey is the type of Ed25519 public keys.
-//
-// This type is an alias for crypto/ed25519's PublicKey type.
-// See the crypto/ed25519 package for the methods on this type.
-type PublicKey = ed25519.PublicKey
-
-// PrivateKey is the type of Ed25519 private keys. It implements crypto.Signer.
-//
-// This type is an alias for crypto/ed25519's PrivateKey type.
-// See the crypto/ed25519 package for the methods on this type.
-type PrivateKey = ed25519.PrivateKey
-
-// GenerateKey generates a public/private key pair using entropy from rand.
-// If rand is nil, crypto/rand.Reader will be used.
-func GenerateKey(rand io.Reader) (PublicKey, PrivateKey, error) {
- return ed25519.GenerateKey(rand)
-}
-
-// NewKeyFromSeed calculates a private key from a seed. It will panic if
-// len(seed) is not SeedSize. This function is provided for interoperability
-// with RFC 8032. RFC 8032's private keys correspond to seeds in this
-// package.
-func NewKeyFromSeed(seed []byte) PrivateKey {
- return ed25519.NewKeyFromSeed(seed)
-}
-
-// Sign signs the message with privateKey and returns a signature. It will
-// panic if len(privateKey) is not PrivateKeySize.
-func Sign(privateKey PrivateKey, message []byte) []byte {
- return ed25519.Sign(privateKey, message)
-}
-
-// Verify reports whether sig is a valid signature of message by publicKey. It
-// will panic if len(publicKey) is not PublicKeySize.
-func Verify(publicKey PublicKey, message, sig []byte) bool {
- return ed25519.Verify(publicKey, message, sig)
-}
diff --git a/vendor/golang.org/x/crypto/hkdf/hkdf.go b/vendor/golang.org/x/crypto/hkdf/hkdf.go
deleted file mode 100644
index 3bee66294..000000000
--- a/vendor/golang.org/x/crypto/hkdf/hkdf.go
+++ /dev/null
@@ -1,95 +0,0 @@ -// Copyright 2014 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package hkdf implements the HMAC-based Extract-and-Expand Key Derivation -// Function (HKDF) as defined in RFC 5869. -// -// HKDF is a cryptographic key derivation function (KDF) with the goal of -// expanding limited input keying material into one or more cryptographically -// strong secret keys. -package hkdf - -import ( - "crypto/hmac" - "errors" - "hash" - "io" -) - -// Extract generates a pseudorandom key for use with Expand from an input secret -// and an optional independent salt. -// -// Only use this function if you need to reuse the extracted key with multiple -// Expand invocations and different context values. Most common scenarios, -// including the generation of multiple keys, should use New instead. -func Extract(hash func() hash.Hash, secret, salt []byte) []byte { - if salt == nil { - salt = make([]byte, hash().Size()) - } - extractor := hmac.New(hash, salt) - extractor.Write(secret) - return extractor.Sum(nil) -} - -type hkdf struct { - expander hash.Hash - size int - - info []byte - counter byte - - prev []byte - buf []byte -} - -func (f *hkdf) Read(p []byte) (int, error) { - // Check whether enough data can be generated - need := len(p) - remains := len(f.buf) + int(255-f.counter+1)*f.size - if remains < need { - return 0, errors.New("hkdf: entropy limit reached") - } - // Read any leftover from the buffer - n := copy(p, f.buf) - p = p[n:] - - // Fill the rest of the buffer - for len(p) > 0 { - if f.counter > 1 { - f.expander.Reset() - } - f.expander.Write(f.prev) - f.expander.Write(f.info) - f.expander.Write([]byte{f.counter}) - f.prev = f.expander.Sum(f.prev[:0]) - f.counter++ - - // Copy the new batch into p - f.buf = f.prev - n = copy(p, f.buf) - p = p[n:] - } - // Save leftovers for next run - f.buf = f.buf[n:] - - return need, nil -} - -// Expand returns a 
Reader, from which keys can be read, using the given -// pseudorandom key and optional context info, skipping the extraction step. -// -// The pseudorandomKey should have been generated by Extract, or be a uniformly -// random or pseudorandom cryptographically strong key. See RFC 5869, Section -// 3.3. Most common scenarios will want to use New instead. -func Expand(hash func() hash.Hash, pseudorandomKey, info []byte) io.Reader { - expander := hmac.New(hash, pseudorandomKey) - return &hkdf{expander, expander.Size(), info, 1, nil, nil} -} - -// New returns a Reader, from which keys can be read, using the given hash, -// secret, salt and context info. Salt and info can be nil. -func New(hash func() hash.Hash, secret, salt, info []byte) io.Reader { - prk := Extract(hash, secret, salt) - return Expand(hash, prk, info) -} diff --git a/vendor/golang.org/x/crypto/internal/alias/alias.go b/vendor/golang.org/x/crypto/internal/alias/alias.go deleted file mode 100644 index 551ff0c35..000000000 --- a/vendor/golang.org/x/crypto/internal/alias/alias.go +++ /dev/null 
@@ -1,31 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !purego
-
-// Package alias implements memory aliasing tests.
-package alias
-
-import "unsafe"
-
-// AnyOverlap reports whether x and y share memory at any (not necessarily
-// corresponding) index. The memory beyond the slice length is ignored.
-func AnyOverlap(x, y []byte) bool {
- return len(x) > 0 && len(y) > 0 &&
- uintptr(unsafe.Pointer(&x[0])) <= uintptr(unsafe.Pointer(&y[len(y)-1])) &&
- uintptr(unsafe.Pointer(&y[0])) <= uintptr(unsafe.Pointer(&x[len(x)-1]))
-}
-
-// InexactOverlap reports whether x and y share memory at any non-corresponding
-// index. The memory beyond the slice length is ignored. Note that x and y can
-// have different lengths and still not have any inexact overlap.
-//
-// InexactOverlap can be used to implement the requirements of the crypto/cipher
-// AEAD, Block, BlockMode and Stream interfaces.
-func InexactOverlap(x, y []byte) bool {
- if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] {
- return false
- }
- return AnyOverlap(x, y)
-}
diff --git a/vendor/golang.org/x/crypto/internal/alias/alias_purego.go b/vendor/golang.org/x/crypto/internal/alias/alias_purego.go
deleted file mode 100644
index 6fe61b5c6..000000000
--- a/vendor/golang.org/x/crypto/internal/alias/alias_purego.go
+++ /dev/null
@@ -1,34 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build purego
-
-// Package alias implements memory aliasing tests.
-package alias
-
-// This is the Google App Engine standard variant based on reflect
-// because the unsafe package and cgo are disallowed.
-
-import "reflect"
-
-// AnyOverlap reports whether x and y share memory at any (not necessarily
-// corresponding) index. The memory beyond the slice length is ignored.
-func AnyOverlap(x, y []byte) bool {
- return len(x) > 0 && len(y) > 0 &&
- reflect.ValueOf(&x[0]).Pointer() <= reflect.ValueOf(&y[len(y)-1]).Pointer() &&
- reflect.ValueOf(&y[0]).Pointer() <= reflect.ValueOf(&x[len(x)-1]).Pointer()
-}
-
-// InexactOverlap reports whether x and y share memory at any non-corresponding
-// index. The memory beyond the slice length is ignored. Note that x and y can
-// have different lengths and still not have any inexact overlap.
-//
-// InexactOverlap can be used to implement the requirements of the crypto/cipher
-// AEAD, Block, BlockMode and Stream interfaces.
-func InexactOverlap(x, y []byte) bool {
- if len(x) == 0 || len(y) == 0 || &x[0] == &y[0] {
- return false
- }
- return AnyOverlap(x, y)
-}
diff --git a/vendor/golang.org/x/crypto/internal/poly1305/mac_noasm.go b/vendor/golang.org/x/crypto/internal/poly1305/mac_noasm.go
deleted file mode 100644
index bd896bdc7..000000000
--- a/vendor/golang.org/x/crypto/internal/poly1305/mac_noasm.go
+++ /dev/null
@@ -1,9 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build (!amd64 && !ppc64le && !ppc64 && !s390x) || !gc || purego
-
-package poly1305
-
-type mac struct{ macGeneric }
diff --git a/vendor/golang.org/x/crypto/internal/poly1305/poly1305.go b/vendor/golang.org/x/crypto/internal/poly1305/poly1305.go
deleted file mode 100644
index 4aaea810a..000000000
--- a/vendor/golang.org/x/crypto/internal/poly1305/poly1305.go
+++ /dev/null
@@ -1,99 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package poly1305 implements Poly1305 one-time message authentication code as
-// specified in https://cr.yp.to/mac/poly1305-20050329.pdf.
-//
-// Poly1305 is a fast, one-time authentication function. It is infeasible for an
-// attacker to generate an authenticator for a message without the key. However, a
-// key must only be used for a single message. Authenticating two different
-// messages with the same key allows an attacker to forge authenticators for other
-// messages with the same key.
-//
-// Poly1305 was originally coupled with AES in order to make Poly1305-AES. AES was
-// used with a fixed key in order to generate one-time keys from an nonce.
-// However, in this package AES isn't used and the one-time key is specified
-// directly.
-package poly1305
-
-import "crypto/subtle"
-
-// TagSize is the size, in bytes, of a poly1305 authenticator.
-const TagSize = 16
-
-// Sum generates an authenticator for msg using a one-time key and puts the
-// 16-byte result into out. Authenticating two different messages with the same
-// key allows an attacker to forge messages at will.
-func Sum(out *[16]byte, m []byte, key *[32]byte) {
- h := New(key)
- h.Write(m)
- h.Sum(out[:0])
-}
-
-// Verify returns true if mac is a valid authenticator for m with the given key.
-func Verify(mac *[16]byte, m []byte, key *[32]byte) bool {
- var tmp [16]byte
- Sum(&tmp, m, key)
- return subtle.ConstantTimeCompare(tmp[:], mac[:]) == 1
-}
-
-// New returns a new MAC computing an authentication
-// tag of all data written to it with the given key.
-// This allows writing the message progressively instead
-// of passing it as a single slice. Common users should use
-// the Sum function instead.
-//
-// The key must be unique for each message, as authenticating
-// two different messages with the same key allows an attacker
-// to forge messages at will.
-func New(key *[32]byte) *MAC {
- m := &MAC{}
- initialize(key, &m.macState)
- return m
-}
-
-// MAC is an io.Writer computing an authentication tag
-// of the data written to it.
-//
-// MAC cannot be used like common hash.Hash implementations,
-// because using a poly1305 key twice breaks its security.
-// Therefore writing data to a running MAC after calling
-// Sum or Verify causes it to panic.
-type MAC struct {
- mac // platform-dependent implementation
-
- finalized bool
-}
-
-// Size returns the number of bytes Sum will return.
-func (h *MAC) Size() int { return TagSize }
-
-// Write adds more data to the running message authentication code.
-// It never returns an error.
-//
-// It must not be called after the first call of Sum or Verify.
-func (h *MAC) Write(p []byte) (n int, err error) {
- if h.finalized {
- panic("poly1305: write to MAC after Sum or Verify")
- }
- return h.mac.Write(p)
-}
-
-// Sum computes the authenticator of all data written to the
-// message authentication code.
-func (h *MAC) Sum(b []byte) []byte {
- var mac [TagSize]byte
- h.mac.Sum(&mac)
- h.finalized = true
- return append(b, mac[:]...)
-}
-
-// Verify returns whether the authenticator of all data written to
-// the message authentication code matches the expected value.
-func (h *MAC) Verify(expected []byte) bool {
- var mac [TagSize]byte
- h.mac.Sum(&mac)
- h.finalized = true
- return subtle.ConstantTimeCompare(expected, mac[:]) == 1
-}
diff --git a/vendor/golang.org/x/crypto/internal/poly1305/sum_amd64.go b/vendor/golang.org/x/crypto/internal/poly1305/sum_amd64.go
deleted file mode 100644
index 164cd47d3..000000000
--- a/vendor/golang.org/x/crypto/internal/poly1305/sum_amd64.go
+++ /dev/null
@@ -1,47 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build gc && !purego
-
-package poly1305
-
-//go:noescape
-func update(state *macState, msg []byte)
-
-// mac is a wrapper for macGeneric that redirects calls that would have gone to
-// updateGeneric to update.
-//
-// Its Write and Sum methods are otherwise identical to the macGeneric ones, but
-// using function pointers would carry a major performance cost.
-type mac struct{ macGeneric }
-
-func (h *mac) Write(p []byte) (int, error) {
- nn := len(p)
- if h.offset > 0 {
- n := copy(h.buffer[h.offset:], p)
- if h.offset+n < TagSize {
- h.offset += n
- return nn, nil
- }
- p = p[n:]
- h.offset = 0
- update(&h.macState, h.buffer[:])
- }
- if n := len(p) - (len(p) % TagSize); n > 0 {
- update(&h.macState, p[:n])
- p = p[n:]
- }
- if len(p) > 0 {
- h.offset += copy(h.buffer[h.offset:], p)
- }
- return nn, nil
-}
-
-func (h *mac) Sum(out *[16]byte) {
- state := h.macState
- if h.offset > 0 {
- update(&state, h.buffer[:h.offset])
- }
- finalize(out, &state.h, &state.s)
-}
diff --git a/vendor/golang.org/x/crypto/internal/poly1305/sum_amd64.s b/vendor/golang.org/x/crypto/internal/poly1305/sum_amd64.s
deleted file mode 100644
index 133757384..000000000
--- a/vendor/golang.org/x/crypto/internal/poly1305/sum_amd64.s
+++ /dev/null
@@ -1,93 +0,0 @@ -// Code generated by command: go run sum_amd64_asm.go -out ../sum_amd64.s -pkg poly1305. DO NOT EDIT. - -//go:build gc && !purego - -// func update(state *macState, msg []byte) -TEXT ·update(SB), $0-32 - MOVQ state+0(FP), DI - MOVQ msg_base+8(FP), SI - MOVQ msg_len+16(FP), R15 - MOVQ (DI), R8 - MOVQ 8(DI), R9 - MOVQ 16(DI), R10 - MOVQ 24(DI), R11 - MOVQ 32(DI), R12 - CMPQ R15, $0x10 - JB bytes_between_0_and_15 - -loop: - ADDQ (SI), R8 - ADCQ 8(SI), R9 - ADCQ $0x01, R10 - LEAQ 16(SI), SI - -multiply: - MOVQ R11, AX - MULQ R8 - MOVQ AX, BX - MOVQ DX, CX - MOVQ R11, AX - MULQ R9 - ADDQ AX, CX - ADCQ $0x00, DX - MOVQ R11, R13 - IMULQ R10, R13 - ADDQ DX, R13 - MOVQ R12, AX - MULQ R8 - ADDQ AX, CX - ADCQ $0x00, DX - MOVQ DX, R8 - MOVQ R12, R14 - IMULQ R10, R14 - MOVQ R12, AX - MULQ R9 - ADDQ AX, R13 - ADCQ DX, R14 - ADDQ R8, R13 - ADCQ $0x00, R14 - MOVQ BX, R8 - MOVQ CX, R9 - MOVQ R13, R10 - ANDQ $0x03, R10 - MOVQ R13, BX - ANDQ $-4, BX - ADDQ BX, R8 - ADCQ R14, R9 - ADCQ $0x00, R10 - SHRQ $0x02, R14, R13 - SHRQ $0x02, R14 - ADDQ R13, R8 - ADCQ R14, R9 - ADCQ $0x00, R10 - SUBQ $0x10, R15 - CMPQ R15, $0x10 - JAE loop - -bytes_between_0_and_15: - TESTQ R15, R15 - JZ done - MOVQ $0x00000001, BX - XORQ CX, CX - XORQ R13, R13 - ADDQ R15, SI - -flush_buffer: - SHLQ $0x08, BX, CX - SHLQ $0x08, BX - MOVB -1(SI), R13 - XORQ R13, BX - DECQ SI - DECQ R15 - JNZ flush_buffer - ADDQ BX, R8 - ADCQ CX, R9 - ADCQ $0x00, R10 - MOVQ $0x00000010, R15 - JMP multiply - -done: - MOVQ R8, (DI) - MOVQ R9, 8(DI) - MOVQ R10, 16(DI) - RET diff --git a/vendor/golang.org/x/crypto/internal/poly1305/sum_generic.go b/vendor/golang.org/x/crypto/internal/poly1305/sum_generic.go deleted file mode 100644 index ec2202bd7..000000000 --- a/vendor/golang.org/x/crypto/internal/poly1305/sum_generic.go +++ /dev/null 
@@ -1,312 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// This file provides the generic implementation of Sum and MAC. Other files
-// might provide optimized assembly implementations of some of this code.
-
-package poly1305
-
-import (
- "encoding/binary"
- "math/bits"
-)
-
-// Poly1305 [RFC 7539] is a relatively simple algorithm: the authentication tag
-// for a 64 bytes message is approximately
-//
-// s + m[0:16] * r⁴ + m[16:32] * r³ + m[32:48] * r² + m[48:64] * r mod 2¹³⁰ - 5
-//
-// for some secret r and s. It can be computed sequentially like
-//
-// for len(msg) > 0:
-// h += read(msg, 16)
-// h *= r
-// h %= 2¹³⁰ - 5
-// return h + s
-//
-// All the complexity is about doing performant constant-time math on numbers
-// larger than any available numeric type.
-
-func sumGeneric(out *[TagSize]byte, msg []byte, key *[32]byte) {
- h := newMACGeneric(key)
- h.Write(msg)
- h.Sum(out)
-}
-
-func newMACGeneric(key *[32]byte) macGeneric {
- m := macGeneric{}
- initialize(key, &m.macState)
- return m
-}
-
-// macState holds numbers in saturated 64-bit little-endian limbs. That is,
-// the value of [x0, x1, x2] is x[0] + x[1] * 2⁶⁴ + x[2] * 2¹²⁸.
-type macState struct {
- // h is the main accumulator. It is to be interpreted modulo 2¹³⁰ - 5, but
- // can grow larger during and after rounds. It must, however, remain below
- // 2 * (2¹³⁰ - 5).
- h [3]uint64
- // r and s are the private key components.
- r [2]uint64
- s [2]uint64
-}
-
-type macGeneric struct {
- macState
-
- buffer [TagSize]byte
- offset int
-}
-
-// Write splits the incoming message into TagSize chunks, and passes them to
-// update. It buffers incomplete chunks.
-func (h *macGeneric) Write(p []byte) (int, error) {
- nn := len(p)
- if h.offset > 0 {
- n := copy(h.buffer[h.offset:], p)
- if h.offset+n < TagSize {
- h.offset += n
- return nn, nil
- }
- p = p[n:]
- h.offset = 0
- updateGeneric(&h.macState, h.buffer[:])
- }
- if n := len(p) - (len(p) % TagSize); n > 0 {
- updateGeneric(&h.macState, p[:n])
- p = p[n:]
- }
- if len(p) > 0 {
- h.offset += copy(h.buffer[h.offset:], p)
- }
- return nn, nil
-}
-
-// Sum flushes the last incomplete chunk from the buffer, if any, and generates
-// the MAC output. It does not modify its state, in order to allow for multiple
-// calls to Sum, even if no Write is allowed after Sum.
-func (h *macGeneric) Sum(out *[TagSize]byte) {
- state := h.macState
- if h.offset > 0 {
- updateGeneric(&state, h.buffer[:h.offset])
- }
- finalize(out, &state.h, &state.s)
-}
-
-// [rMask0, rMask1] is the specified Poly1305 clamping mask in little-endian. It
-// clears some bits of the secret coefficient to make it possible to implement
-// multiplication more efficiently.
-const (
- rMask0 = 0x0FFFFFFC0FFFFFFF
- rMask1 = 0x0FFFFFFC0FFFFFFC
-)
-
-// initialize loads the 256-bit key into the two 128-bit secret values r and s.
-func initialize(key *[32]byte, m *macState) {
- m.r[0] = binary.LittleEndian.Uint64(key[0:8]) & rMask0
- m.r[1] = binary.LittleEndian.Uint64(key[8:16]) & rMask1
- m.s[0] = binary.LittleEndian.Uint64(key[16:24])
- m.s[1] = binary.LittleEndian.Uint64(key[24:32])
-}
-
-// uint128 holds a 128-bit number as two 64-bit limbs, for use with the
-// bits.Mul64 and bits.Add64 intrinsics.
-type uint128 struct {
- lo, hi uint64
-}
-
-func mul64(a, b uint64) uint128 {
- hi, lo := bits.Mul64(a, b)
- return uint128{lo, hi}
-}
-
-func add128(a, b uint128) uint128 {
- lo, c := bits.Add64(a.lo, b.lo, 0)
- hi, c := bits.Add64(a.hi, b.hi, c)
- if c != 0 {
- panic("poly1305: unexpected overflow")
- }
- return uint128{lo, hi}
-}
-
-func shiftRightBy2(a uint128) uint128 {
- a.lo = a.lo>>2 | (a.hi&3)<<62
- a.hi = a.hi >> 2
- return a
-}
-
-// updateGeneric absorbs msg into the state.h accumulator. For each chunk m of
-// 128 bits of message, it computes
-//
-// h₊ = (h + m) * r mod 2¹³⁰ - 5
-//
-// If the msg length is not a multiple of TagSize, it assumes the last
-// incomplete chunk is the final one.
-func updateGeneric(state *macState, msg []byte) {
- h0, h1, h2 := state.h[0], state.h[1], state.h[2]
- r0, r1 := state.r[0], state.r[1]
-
- for len(msg) > 0 {
- var c uint64
-
- // For the first step, h + m, we use a chain of bits.Add64 intrinsics.
- // The resulting value of h might exceed 2¹³⁰ - 5, but will be partially
- // reduced at the end of the multiplication below.
- //
- // The spec requires us to set a bit just above the message size, not to
- // hide leading zeroes. For full chunks, that's 1 << 128, so we can just
- // add 1 to the most significant (2¹²⁸) limb, h2.
- if len(msg) >= TagSize {
- h0, c = bits.Add64(h0, binary.LittleEndian.Uint64(msg[0:8]), 0)
- h1, c = bits.Add64(h1, binary.LittleEndian.Uint64(msg[8:16]), c)
- h2 += c + 1
-
- msg = msg[TagSize:]
- } else {
- var buf [TagSize]byte
- copy(buf[:], msg)
- buf[len(msg)] = 1
-
- h0, c = bits.Add64(h0, binary.LittleEndian.Uint64(buf[0:8]), 0)
- h1, c = bits.Add64(h1, binary.LittleEndian.Uint64(buf[8:16]), c)
- h2 += c
-
- msg = nil
- }
-
- // Multiplication of big number limbs is similar to elementary school
- // columnar multiplication. Instead of digits, there are 64-bit limbs.
- //
- // We are multiplying a 3 limbs number, h, by a 2 limbs number, r.
- //
- // h2 h1 h0 x
- // r1 r0 =
- // ----------------
- // h2r0 h1r0 h0r0 <-- individual 128-bit products
- // + h2r1 h1r1 h0r1
- // ------------------------
- // m3 m2 m1 m0 <-- result in 128-bit overlapping limbs
- // ------------------------
- // m3.hi m2.hi m1.hi m0.hi <-- carry propagation
- // + m3.lo m2.lo m1.lo m0.lo
- // -------------------------------
- // t4 t3 t2 t1 t0 <-- final result in 64-bit limbs
- //
- // The main difference from pen-and-paper multiplication is that we do
- // carry propagation in a separate step, as if we wrote two digit sums
- // at first (the 128-bit limbs), and then carried the tens all at once.
-
- h0r0 := mul64(h0, r0)
- h1r0 := mul64(h1, r0)
- h2r0 := mul64(h2, r0)
- h0r1 := mul64(h0, r1)
- h1r1 := mul64(h1, r1)
- h2r1 := mul64(h2, r1)
-
- // Since h2 is known to be at most 7 (5 + 1 + 1), and r0 and r1 have their
- // top 4 bits cleared by rMask{0,1}, we know that their product is not going
- // to overflow 64 bits, so we can ignore the high part of the products.
- //
- // This also means that the product doesn't have a fifth limb (t4).
- if h2r0.hi != 0 {
- panic("poly1305: unexpected overflow")
- }
- if h2r1.hi != 0 {
- panic("poly1305: unexpected overflow")
- }
-
- m0 := h0r0
- m1 := add128(h1r0, h0r1) // These two additions don't overflow thanks again
- m2 := add128(h2r0, h1r1) // to the 4 masked bits at the top of r0 and r1.
- m3 := h2r1
-
- t0 := m0.lo
- t1, c := bits.Add64(m1.lo, m0.hi, 0)
- t2, c := bits.Add64(m2.lo, m1.hi, c)
- t3, _ := bits.Add64(m3.lo, m2.hi, c)
-
- // Now we have the result as 4 64-bit limbs, and we need to reduce it
- // modulo 2¹³⁰ - 5. The special shape of this Crandall prime lets us do
- // a cheap partial reduction according to the reduction identity
- //
- // c * 2¹³⁰ + n = c * 5 + n mod 2¹³⁰ - 5
- //
- // because 2¹³⁰ = 5 mod 2¹³⁰ - 5. Partial reduction since the result is
- // likely to be larger than 2¹³⁰ - 5, but still small enough to fit the
- // assumptions we make about h in the rest of the code.
- //
- // See also https://speakerdeck.com/gtank/engineering-prime-numbers?slide=23
-
- // We split the final result at the 2¹³⁰ mark into h and cc, the carry.
- // Note that the carry bits are effectively shifted left by 2, in other
- // words, cc = c * 4 for the c in the reduction identity.
- h0, h1, h2 = t0, t1, t2&maskLow2Bits
- cc := uint128{t2 & maskNotLow2Bits, t3}
-
- // To add c * 5 to h, we first add cc = c * 4, and then add (cc >> 2) = c.
-
- h0, c = bits.Add64(h0, cc.lo, 0)
- h1, c = bits.Add64(h1, cc.hi, c)
- h2 += c
-
- cc = shiftRightBy2(cc)
-
- h0, c = bits.Add64(h0, cc.lo, 0)
- h1, c = bits.Add64(h1, cc.hi, c)
- h2 += c
-
- // h2 is at most 3 + 1 + 1 = 5, making the whole of h at most
- //
- // 5 * 2¹²⁸ + (2¹²⁸ - 1) = 6 * 2¹²⁸ - 1
- }
-
- state.h[0], state.h[1], state.h[2] = h0, h1, h2
-}
-
-const (
- maskLow2Bits uint64 = 0x0000000000000003
- maskNotLow2Bits uint64 = ^maskLow2Bits
-)
-
-// select64 returns x if v == 1 and y if v == 0, in constant time.
-func select64(v, x, y uint64) uint64 { return ^(v-1)&x | (v-1)&y }
-
-// [p0, p1, p2] is 2¹³⁰ - 5 in little endian order.
-const (
- p0 = 0xFFFFFFFFFFFFFFFB
- p1 = 0xFFFFFFFFFFFFFFFF
- p2 = 0x0000000000000003
-)
-
-// finalize completes the modular reduction of h and computes
-//
-// out = h + s mod 2¹²⁸
-func finalize(out *[TagSize]byte, h *[3]uint64, s *[2]uint64) {
- h0, h1, h2 := h[0], h[1], h[2]
-
- // After the partial reduction in updateGeneric, h might be more than
- // 2¹³⁰ - 5, but will be less than 2 * (2¹³⁰ - 5). To complete the reduction
- // in constant time, we compute t = h - (2¹³⁰ - 5), and select h as the
- // result if the subtraction underflows, and t otherwise.
-
- hMinusP0, b := bits.Sub64(h0, p0, 0)
- hMinusP1, b := bits.Sub64(h1, p1, b)
- _, b = bits.Sub64(h2, p2, b)
-
- // h = h if h < p else h - p
- h0 = select64(b, h0, hMinusP0)
- h1 = select64(b, h1, hMinusP1)
-
- // Finally, we compute the last Poly1305 step
- //
- // tag = h + s mod 2¹²⁸
- //
- // by just doing a wide addition with the 128 low bits of h and discarding
- // the overflow.
- h0, c := bits.Add64(h0, s[0], 0)
- h1, _ = bits.Add64(h1, s[1], c)
-
- binary.LittleEndian.PutUint64(out[0:8], h0)
- binary.LittleEndian.PutUint64(out[8:16], h1)
-}
diff --git a/vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64x.go b/vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64x.go
deleted file mode 100644
index 1a1679aaa..000000000
--- a/vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64x.go
+++ /dev/null
@@ -1,47 +0,0 @@
-// Copyright 2019 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build gc && !purego && (ppc64 || ppc64le)
-
-package poly1305
-
-//go:noescape
-func update(state *macState, msg []byte)
-
-// mac is a wrapper for macGeneric that redirects calls that would have gone to
-// updateGeneric to update.
-//
-// Its Write and Sum methods are otherwise identical to the macGeneric ones, but
-// using function pointers would carry a major performance cost.
-type mac struct{ macGeneric }
-
-func (h *mac) Write(p []byte) (int, error) {
- nn := len(p)
- if h.offset > 0 {
- n := copy(h.buffer[h.offset:], p)
- if h.offset+n < TagSize {
- h.offset += n
- return nn, nil
- }
- p = p[n:]
- h.offset = 0
- update(&h.macState, h.buffer[:])
- }
- if n := len(p) - (len(p) % TagSize); n > 0 {
- update(&h.macState, p[:n])
- p = p[n:]
- }
- if len(p) > 0 {
- h.offset += copy(h.buffer[h.offset:], p)
- }
- return nn, nil
-}
-
-func (h *mac) Sum(out *[16]byte) {
- state := h.macState
- if h.offset > 0 {
- update(&state, h.buffer[:h.offset])
- }
- finalize(out, &state.h, &state.s)
-}
diff --git a/vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64x.s b/vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64x.s
deleted file mode 100644
index 6899a1dab..000000000
--- a/vendor/golang.org/x/crypto/internal/poly1305/sum_ppc64x.s
+++ /dev/null
@@ -1,187 +0,0 @@ -// Copyright 2019 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build gc && !purego && (ppc64 || ppc64le) - -#include "textflag.h" - -// This was ported from the amd64 implementation. - -#ifdef GOARCH_ppc64le -#define LE_MOVD MOVD -#define LE_MOVWZ MOVWZ -#define LE_MOVHZ MOVHZ -#else -#define LE_MOVD MOVDBR -#define LE_MOVWZ MOVWBR -#define LE_MOVHZ MOVHBR -#endif - -#define POLY1305_ADD(msg, h0, h1, h2, t0, t1, t2) \ - LE_MOVD (msg)( R0), t0; \ - LE_MOVD (msg)(R24), t1; \ - MOVD $1, t2; \ - ADDC t0, h0, h0; \ - ADDE t1, h1, h1; \ - ADDE t2, h2; \ - ADD $16, msg - -#define POLY1305_MUL(h0, h1, h2, r0, r1, t0, t1, t2, t3, t4, t5) \ - MULLD r0, h0, t0; \ - MULHDU r0, h0, t1; \ - MULLD r0, h1, t4; \ - MULHDU r0, h1, t5; \ - ADDC t4, t1, t1; \ - MULLD r0, h2, t2; \ - MULHDU r1, h0, t4; \ - MULLD r1, h0, h0; \ - ADDE t5, t2, t2; \ - ADDC h0, t1, t1; \ - MULLD h2, r1, t3; \ - ADDZE t4, h0; \ - MULHDU r1, h1, t5; \ - MULLD r1, h1, t4; \ - ADDC t4, t2, t2; \ - ADDE t5, t3, t3; \ - ADDC h0, t2, t2; \ - MOVD $-4, t4; \ - ADDZE t3; \ - RLDICL $0, t2, $62, h2; \ - AND t2, t4, h0; \ - ADDC t0, h0, h0; \ - ADDE t3, t1, h1; \ - SLD $62, t3, t4; \ - SRD $2, t2; \ - ADDZE h2; \ - OR t4, t2, t2; \ - SRD $2, t3; \ - ADDC t2, h0, h0; \ - ADDE t3, h1, h1; \ - ADDZE h2 - -// func update(state *[7]uint64, msg []byte) -TEXT ·update(SB), $0-32 - MOVD state+0(FP), R3 - MOVD msg_base+8(FP), R4 - MOVD msg_len+16(FP), R5 - - MOVD 0(R3), R8 // h0 - MOVD 8(R3), R9 // h1 - MOVD 16(R3), R10 // h2 - MOVD 24(R3), R11 // r0 - MOVD 32(R3), R12 // r1 - - MOVD $8, R24 - - CMP R5, $16 - BLT bytes_between_0_and_15 - -loop: - POLY1305_ADD(R4, R8, R9, R10, R20, R21, R22) - - PCALIGN $16 -multiply: - POLY1305_MUL(R8, R9, R10, R11, R12, R16, R17, R18, R14, R20, R21) - ADD $-16, R5 - CMP R5, $16 - BGE loop - -bytes_between_0_and_15: - CMP R5, $0 - BEQ done - MOVD $0, R16 // h0 - MOVD $0, 
R17 // h1 - -flush_buffer: - CMP R5, $8 - BLE just1 - - MOVD $8, R21 - SUB R21, R5, R21 - - // Greater than 8 -- load the rightmost remaining bytes in msg - // and put into R17 (h1) - LE_MOVD (R4)(R21), R17 - MOVD $16, R22 - - // Find the offset to those bytes - SUB R5, R22, R22 - SLD $3, R22 - - // Shift to get only the bytes in msg - SRD R22, R17, R17 - - // Put 1 at high end - MOVD $1, R23 - SLD $3, R21 - SLD R21, R23, R23 - OR R23, R17, R17 - - // Remainder is 8 - MOVD $8, R5 - -just1: - CMP R5, $8 - BLT less8 - - // Exactly 8 - LE_MOVD (R4), R16 - - CMP R17, $0 - - // Check if we've already set R17; if not - // set 1 to indicate end of msg. - BNE carry - MOVD $1, R17 - BR carry - -less8: - MOVD $0, R16 // h0 - MOVD $0, R22 // shift count - CMP R5, $4 - BLT less4 - LE_MOVWZ (R4), R16 - ADD $4, R4 - ADD $-4, R5 - MOVD $32, R22 - -less4: - CMP R5, $2 - BLT less2 - LE_MOVHZ (R4), R21 - SLD R22, R21, R21 - OR R16, R21, R16 - ADD $16, R22 - ADD $-2, R5 - ADD $2, R4 - -less2: - CMP R5, $0 - BEQ insert1 - MOVBZ (R4), R21 - SLD R22, R21, R21 - OR R16, R21, R16 - ADD $8, R22 - -insert1: - // Insert 1 at end of msg - MOVD $1, R21 - SLD R22, R21, R21 - OR R16, R21, R16 - -carry: - // Add new values to h0, h1, h2 - ADDC R16, R8 - ADDE R17, R9 - ADDZE R10, R10 - MOVD $16, R5 - ADD R5, R4 - BR multiply - -done: - // Save h0, h1, h2 in state - MOVD R8, 0(R3) - MOVD R9, 8(R3) - MOVD R10, 16(R3) - RET diff --git a/vendor/golang.org/x/crypto/internal/poly1305/sum_s390x.go b/vendor/golang.org/x/crypto/internal/poly1305/sum_s390x.go deleted file mode 100644 index e1d033a49..000000000 --- a/vendor/golang.org/x/crypto/internal/poly1305/sum_s390x.go +++ /dev/null 
@@ -1,76 +0,0 @@
-// Copyright 2018 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build gc && !purego
-
-package poly1305
-
-import (
- "golang.org/x/sys/cpu"
-)
-
-// updateVX is an assembly implementation of Poly1305 that uses vector
-// instructions. It must only be called if the vector facility (vx) is
-// available.
-//
-//go:noescape
-func updateVX(state *macState, msg []byte)
-
-// mac is a replacement for macGeneric that uses a larger buffer and redirects
-// calls that would have gone to updateGeneric to updateVX if the vector
-// facility is installed.
-//
-// A larger buffer is required for good performance because the vector
-// implementation has a higher fixed cost per call than the generic
-// implementation.
-type mac struct {
- macState
-
- buffer [16 * TagSize]byte // size must be a multiple of block size (16)
- offset int
-}
-
-func (h *mac) Write(p []byte) (int, error) {
- nn := len(p)
- if h.offset > 0 {
- n := copy(h.buffer[h.offset:], p)
- if h.offset+n < len(h.buffer) {
- h.offset += n
- return nn, nil
- }
- p = p[n:]
- h.offset = 0
- if cpu.S390X.HasVX {
- updateVX(&h.macState, h.buffer[:])
- } else {
- updateGeneric(&h.macState, h.buffer[:])
- }
- }
-
- tail := len(p) % len(h.buffer) // number of bytes to copy into buffer
- body := len(p) - tail // number of bytes to process now
- if body > 0 {
- if cpu.S390X.HasVX {
- updateVX(&h.macState, p[:body])
- } else {
- updateGeneric(&h.macState, p[:body])
- }
- }
- h.offset = copy(h.buffer[:], p[body:]) // copy tail bytes - can be 0
- return nn, nil
-}
-
-func (h *mac) Sum(out *[TagSize]byte) {
- state := h.macState
- remainder := h.buffer[:h.offset]
-
- // Use the generic implementation if we have 2 or fewer blocks left
- // to sum. The vector implementation has a higher startup time.
- if cpu.S390X.HasVX && len(remainder) > 2*TagSize {
- updateVX(&state, remainder)
- } else if len(remainder) > 0 {
- updateGeneric(&state, remainder)
- }
- finalize(out, &state.h, &state.s)
-}
diff --git a/vendor/golang.org/x/crypto/internal/poly1305/sum_s390x.s b/vendor/golang.org/x/crypto/internal/poly1305/sum_s390x.s
deleted file mode 100644
index 0fe3a7c21..000000000
--- a/vendor/golang.org/x/crypto/internal/poly1305/sum_s390x.s
+++ /dev/null
@@ -1,503 +0,0 @@ -// Copyright 2018 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build gc && !purego - -#include "textflag.h" - -// This implementation of Poly1305 uses the vector facility (vx) -// to process up to 2 blocks (32 bytes) per iteration using an -// algorithm based on the one described in: -// -// NEON crypto, Daniel J. Bernstein & Peter Schwabe -// https://cryptojedi.org/papers/neoncrypto-20120320.pdf -// -// This algorithm uses 5 26-bit limbs to represent a 130-bit -// value. These limbs are, for the most part, zero extended and -// placed into 64-bit vector register elements. Each vector -// register is 128-bits wide and so holds 2 of these elements. -// Using 26-bit limbs allows us plenty of headroom to accommodate -// accumulations before and after multiplication without -// overflowing either 32-bits (before multiplication) or 64-bits -// (after multiplication). -// -// In order to parallelise the operations required to calculate -// the sum we use two separate accumulators and then sum those -// in an extra final step. For compatibility with the generic -// implementation we perform this summation at the end of every -// updateVX call. -// -// To use two accumulators we must multiply the message blocks -// by r² rather than r. Only the final message block should be -// multiplied by r. -// -// Example: -// -// We want to calculate the sum (h) for a 64 byte message (m): -// -// h = m[0:16]r⁴ + m[16:32]r³ + m[32:48]r² + m[48:64]r -// -// To do this we split the calculation into the even indices -// and odd indices of the message. 
These form our SIMD 'lanes': -// -// h = m[ 0:16]r⁴ + m[32:48]r² + <- lane 0 -// m[16:32]r³ + m[48:64]r <- lane 1 -// -// To calculate this iteratively we refactor so that both lanes -// are written in terms of r² and r: -// -// h = (m[ 0:16]r² + m[32:48])r² + <- lane 0 -// (m[16:32]r² + m[48:64])r <- lane 1 -// ^ ^ -// | coefficients for second iteration -// coefficients for first iteration -// -// So in this case we would have two iterations. In the first -// both lanes are multiplied by r². In the second only the -// first lane is multiplied by r² and the second lane is -// instead multiplied by r. This gives use the odd and even -// powers of r that we need from the original equation. -// -// Notation: -// -// h - accumulator -// r - key -// m - message -// -// [a, b] - SIMD register holding two 64-bit values -// [a, b, c, d] - SIMD register holding four 32-bit values -// xᵢ[n] - limb n of variable x with bit width i -// -// Limbs are expressed in little endian order, so for 26-bit -// limbs x₂₆[4] will be the most significant limb and x₂₆[0] -// will be the least significant limb. 
- -// masking constants -#define MOD24 V0 // [0x0000000000ffffff, 0x0000000000ffffff] - mask low 24-bits -#define MOD26 V1 // [0x0000000003ffffff, 0x0000000003ffffff] - mask low 26-bits - -// expansion constants (see EXPAND macro) -#define EX0 V2 -#define EX1 V3 -#define EX2 V4 - -// key (r², r or 1 depending on context) -#define R_0 V5 -#define R_1 V6 -#define R_2 V7 -#define R_3 V8 -#define R_4 V9 - -// precalculated coefficients (5r², 5r or 0 depending on context) -#define R5_1 V10 -#define R5_2 V11 -#define R5_3 V12 -#define R5_4 V13 - -// message block (m) -#define M_0 V14 -#define M_1 V15 -#define M_2 V16 -#define M_3 V17 -#define M_4 V18 - -// accumulator (h) -#define H_0 V19 -#define H_1 V20 -#define H_2 V21 -#define H_3 V22 -#define H_4 V23 - -// temporary registers (for short-lived values) -#define T_0 V24 -#define T_1 V25 -#define T_2 V26 -#define T_3 V27 -#define T_4 V28 - -GLOBL ·constants<>(SB), RODATA, $0x30 -// EX0 -DATA ·constants<>+0x00(SB)/8, $0x0006050403020100 -DATA ·constants<>+0x08(SB)/8, $0x1016151413121110 -// EX1 -DATA ·constants<>+0x10(SB)/8, $0x060c0b0a09080706 -DATA ·constants<>+0x18(SB)/8, $0x161c1b1a19181716 -// EX2 -DATA ·constants<>+0x20(SB)/8, $0x0d0d0d0d0d0f0e0d -DATA ·constants<>+0x28(SB)/8, $0x1d1d1d1d1d1f1e1d - -// MULTIPLY multiplies each lane of f and g, partially reduced -// modulo 2¹³⁰ - 5. The result, h, consists of partial products -// in each lane that need to be reduced further to produce the -// final result. -// -// h₁₃₀ = (f₁₃₀g₁₃₀) % 2¹³⁰ + (5f₁₃₀g₁₃₀) / 2¹³⁰ -// -// Note that the multiplication by 5 of the high bits is -// achieved by precalculating the multiplication of four of the -// g coefficients by 5. These are g51-g54. 
-#define MULTIPLY(f0, f1, f2, f3, f4, g0, g1, g2, g3, g4, g51, g52, g53, g54, h0, h1, h2, h3, h4) \ - VMLOF f0, g0, h0 \ - VMLOF f0, g3, h3 \ - VMLOF f0, g1, h1 \ - VMLOF f0, g4, h4 \ - VMLOF f0, g2, h2 \ - VMLOF f1, g54, T_0 \ - VMLOF f1, g2, T_3 \ - VMLOF f1, g0, T_1 \ - VMLOF f1, g3, T_4 \ - VMLOF f1, g1, T_2 \ - VMALOF f2, g53, h0, h0 \ - VMALOF f2, g1, h3, h3 \ - VMALOF f2, g54, h1, h1 \ - VMALOF f2, g2, h4, h4 \ - VMALOF f2, g0, h2, h2 \ - VMALOF f3, g52, T_0, T_0 \ - VMALOF f3, g0, T_3, T_3 \ - VMALOF f3, g53, T_1, T_1 \ - VMALOF f3, g1, T_4, T_4 \ - VMALOF f3, g54, T_2, T_2 \ - VMALOF f4, g51, h0, h0 \ - VMALOF f4, g54, h3, h3 \ - VMALOF f4, g52, h1, h1 \ - VMALOF f4, g0, h4, h4 \ - VMALOF f4, g53, h2, h2 \ - VAG T_0, h0, h0 \ - VAG T_3, h3, h3 \ - VAG T_1, h1, h1 \ - VAG T_4, h4, h4 \ - VAG T_2, h2, h2 - -// REDUCE performs the following carry operations in four -// stages, as specified in Bernstein & Schwabe: -// -// 1: h₂₆[0]->h₂₆[1] h₂₆[3]->h₂₆[4] -// 2: h₂₆[1]->h₂₆[2] h₂₆[4]->h₂₆[0] -// 3: h₂₆[0]->h₂₆[1] h₂₆[2]->h₂₆[3] -// 4: h₂₆[3]->h₂₆[4] -// -// The result is that all of the limbs are limited to 26-bits -// except for h₂₆[1] and h₂₆[4] which are limited to 27-bits. -// -// Note that although each limb is aligned at 26-bit intervals -// they may contain values that exceed 2²⁶ - 1, hence the need -// to carry the excess bits in each limb. 
-#define REDUCE(h0, h1, h2, h3, h4) \ - VESRLG $26, h0, T_0 \ - VESRLG $26, h3, T_1 \ - VN MOD26, h0, h0 \ - VN MOD26, h3, h3 \ - VAG T_0, h1, h1 \ - VAG T_1, h4, h4 \ - VESRLG $26, h1, T_2 \ - VESRLG $26, h4, T_3 \ - VN MOD26, h1, h1 \ - VN MOD26, h4, h4 \ - VESLG $2, T_3, T_4 \ - VAG T_3, T_4, T_4 \ - VAG T_2, h2, h2 \ - VAG T_4, h0, h0 \ - VESRLG $26, h2, T_0 \ - VESRLG $26, h0, T_1 \ - VN MOD26, h2, h2 \ - VN MOD26, h0, h0 \ - VAG T_0, h3, h3 \ - VAG T_1, h1, h1 \ - VESRLG $26, h3, T_2 \ - VN MOD26, h3, h3 \ - VAG T_2, h4, h4 - -// EXPAND splits the 128-bit little-endian values in0 and in1 -// into 26-bit big-endian limbs and places the results into -// the first and second lane of d₂₆[0:4] respectively. -// -// The EX0, EX1 and EX2 constants are arrays of byte indices -// for permutation. The permutation both reverses the bytes -// in the input and ensures the bytes are copied into the -// destination limb ready to be shifted into their final -// position. -#define EXPAND(in0, in1, d0, d1, d2, d3, d4) \ - VPERM in0, in1, EX0, d0 \ - VPERM in0, in1, EX1, d2 \ - VPERM in0, in1, EX2, d4 \ - VESRLG $26, d0, d1 \ - VESRLG $30, d2, d3 \ - VESRLG $4, d2, d2 \ - VN MOD26, d0, d0 \ // [in0₂₆[0], in1₂₆[0]] - VN MOD26, d3, d3 \ // [in0₂₆[3], in1₂₆[3]] - VN MOD26, d1, d1 \ // [in0₂₆[1], in1₂₆[1]] - VN MOD24, d4, d4 \ // [in0₂₆[4], in1₂₆[4]] - VN MOD26, d2, d2 // [in0₂₆[2], in1₂₆[2]] - -// func updateVX(state *macState, msg []byte) -TEXT ·updateVX(SB), NOSPLIT, $0 - MOVD state+0(FP), R1 - LMG msg+8(FP), R2, R3 // R2=msg_base, R3=msg_len - - // load EX0, EX1 and EX2 - MOVD $·constants<>(SB), R5 - VLM (R5), EX0, EX2 - - // generate masks - VGMG $(64-24), $63, MOD24 // [0x00ffffff, 0x00ffffff] - VGMG $(64-26), $63, MOD26 // [0x03ffffff, 0x03ffffff] - - // load h (accumulator) and r (key) from state - VZERO T_1 // [0, 0] - VL 0(R1), T_0 // [h₆₄[0], h₆₄[1]] - VLEG $0, 16(R1), T_1 // [h₆₄[2], 0] - VL 24(R1), T_2 // [r₆₄[0], r₆₄[1]] - VPDI $0, T_0, T_2, T_3 // [h₆₄[0], r₆₄[0]] - 
VPDI $5, T_0, T_2, T_4 // [h₆₄[1], r₆₄[1]] - - // unpack h and r into 26-bit limbs - // note: h₆₄[2] may have the low 3 bits set, so h₂₆[4] is a 27-bit value - VN MOD26, T_3, H_0 // [h₂₆[0], r₂₆[0]] - VZERO H_1 // [0, 0] - VZERO H_3 // [0, 0] - VGMG $(64-12-14), $(63-12), T_0 // [0x03fff000, 0x03fff000] - 26-bit mask with low 12 bits masked out - VESLG $24, T_1, T_1 // [h₆₄[2]<<24, 0] - VERIMG $-26&63, T_3, MOD26, H_1 // [h₂₆[1], r₂₆[1]] - VESRLG $+52&63, T_3, H_2 // [h₂₆[2], r₂₆[2]] - low 12 bits only - VERIMG $-14&63, T_4, MOD26, H_3 // [h₂₆[1], r₂₆[1]] - VESRLG $40, T_4, H_4 // [h₂₆[4], r₂₆[4]] - low 24 bits only - VERIMG $+12&63, T_4, T_0, H_2 // [h₂₆[2], r₂₆[2]] - complete - VO T_1, H_4, H_4 // [h₂₆[4], r₂₆[4]] - complete - - // replicate r across all 4 vector elements - VREPF $3, H_0, R_0 // [r₂₆[0], r₂₆[0], r₂₆[0], r₂₆[0]] - VREPF $3, H_1, R_1 // [r₂₆[1], r₂₆[1], r₂₆[1], r₂₆[1]] - VREPF $3, H_2, R_2 // [r₂₆[2], r₂₆[2], r₂₆[2], r₂₆[2]] - VREPF $3, H_3, R_3 // [r₂₆[3], r₂₆[3], r₂₆[3], r₂₆[3]] - VREPF $3, H_4, R_4 // [r₂₆[4], r₂₆[4], r₂₆[4], r₂₆[4]] - - // zero out lane 1 of h - VLEIG $1, $0, H_0 // [h₂₆[0], 0] - VLEIG $1, $0, H_1 // [h₂₆[1], 0] - VLEIG $1, $0, H_2 // [h₂₆[2], 0] - VLEIG $1, $0, H_3 // [h₂₆[3], 0] - VLEIG $1, $0, H_4 // [h₂₆[4], 0] - - // calculate 5r (ignore least significant limb) - VREPIF $5, T_0 - VMLF T_0, R_1, R5_1 // [5r₂₆[1], 5r₂₆[1], 5r₂₆[1], 5r₂₆[1]] - VMLF T_0, R_2, R5_2 // [5r₂₆[2], 5r₂₆[2], 5r₂₆[2], 5r₂₆[2]] - VMLF T_0, R_3, R5_3 // [5r₂₆[3], 5r₂₆[3], 5r₂₆[3], 5r₂₆[3]] - VMLF T_0, R_4, R5_4 // [5r₂₆[4], 5r₂₆[4], 5r₂₆[4], 5r₂₆[4]] - - // skip r² calculation if we are only calculating one block - CMPBLE R3, $16, skip - - // calculate r² - MULTIPLY(R_0, R_1, R_2, R_3, R_4, R_0, R_1, R_2, R_3, R_4, R5_1, R5_2, R5_3, R5_4, M_0, M_1, M_2, M_3, M_4) - REDUCE(M_0, M_1, M_2, M_3, M_4) - VGBM $0x0f0f, T_0 - VERIMG $0, M_0, T_0, R_0 // [r₂₆[0], r²₂₆[0], r₂₆[0], r²₂₆[0]] - VERIMG $0, M_1, T_0, R_1 // [r₂₆[1], r²₂₆[1], r₂₆[1], r²₂₆[1]] - VERIMG 
$0, M_2, T_0, R_2 // [r₂₆[2], r²₂₆[2], r₂₆[2], r²₂₆[2]] - VERIMG $0, M_3, T_0, R_3 // [r₂₆[3], r²₂₆[3], r₂₆[3], r²₂₆[3]] - VERIMG $0, M_4, T_0, R_4 // [r₂₆[4], r²₂₆[4], r₂₆[4], r²₂₆[4]] - - // calculate 5r² (ignore least significant limb) - VREPIF $5, T_0 - VMLF T_0, R_1, R5_1 // [5r₂₆[1], 5r²₂₆[1], 5r₂₆[1], 5r²₂₆[1]] - VMLF T_0, R_2, R5_2 // [5r₂₆[2], 5r²₂₆[2], 5r₂₆[2], 5r²₂₆[2]] - VMLF T_0, R_3, R5_3 // [5r₂₆[3], 5r²₂₆[3], 5r₂₆[3], 5r²₂₆[3]] - VMLF T_0, R_4, R5_4 // [5r₂₆[4], 5r²₂₆[4], 5r₂₆[4], 5r²₂₆[4]] - -loop: - CMPBLE R3, $32, b2 // 2 or fewer blocks remaining, need to change key coefficients - - // load next 2 blocks from message - VLM (R2), T_0, T_1 - - // update message slice - SUB $32, R3 - MOVD $32(R2), R2 - - // unpack message blocks into 26-bit big-endian limbs - EXPAND(T_0, T_1, M_0, M_1, M_2, M_3, M_4) - - // add 2¹²⁸ to each message block value - VLEIB $4, $1, M_4 - VLEIB $12, $1, M_4 - -multiply: - // accumulate the incoming message - VAG H_0, M_0, M_0 - VAG H_3, M_3, M_3 - VAG H_1, M_1, M_1 - VAG H_4, M_4, M_4 - VAG H_2, M_2, M_2 - - // multiply the accumulator by the key coefficient - MULTIPLY(M_0, M_1, M_2, M_3, M_4, R_0, R_1, R_2, R_3, R_4, R5_1, R5_2, R5_3, R5_4, H_0, H_1, H_2, H_3, H_4) - - // carry and partially reduce the partial products - REDUCE(H_0, H_1, H_2, H_3, H_4) - - CMPBNE R3, $0, loop - -finish: - // sum lane 0 and lane 1 and put the result in lane 1 - VZERO T_0 - VSUMQG H_0, T_0, H_0 - VSUMQG H_3, T_0, H_3 - VSUMQG H_1, T_0, H_1 - VSUMQG H_4, T_0, H_4 - VSUMQG H_2, T_0, H_2 - - // reduce again after summation - // TODO(mundaym): there might be a more efficient way to do this - // now that we only have 1 active lane. For example, we could - // simultaneously pack the values as we reduce them. - REDUCE(H_0, H_1, H_2, H_3, H_4) - - // carry h[1] through to h[4] so that only h[4] can exceed 2²⁶ - 1 - // TODO(mundaym): in testing this final carry was unnecessary. - // Needs a proof before it can be removed though. 
- VESRLG $26, H_1, T_1 - VN MOD26, H_1, H_1 - VAQ T_1, H_2, H_2 - VESRLG $26, H_2, T_2 - VN MOD26, H_2, H_2 - VAQ T_2, H_3, H_3 - VESRLG $26, H_3, T_3 - VN MOD26, H_3, H_3 - VAQ T_3, H_4, H_4 - - // h is now < 2(2¹³⁰ - 5) - // Pack each lane in h₂₆[0:4] into h₁₂₈[0:1]. - VESLG $26, H_1, H_1 - VESLG $26, H_3, H_3 - VO H_0, H_1, H_0 - VO H_2, H_3, H_2 - VESLG $4, H_2, H_2 - VLEIB $7, $48, H_1 - VSLB H_1, H_2, H_2 - VO H_0, H_2, H_0 - VLEIB $7, $104, H_1 - VSLB H_1, H_4, H_3 - VO H_3, H_0, H_0 - VLEIB $7, $24, H_1 - VSRLB H_1, H_4, H_1 - - // update state - VSTEG $1, H_0, 0(R1) - VSTEG $0, H_0, 8(R1) - VSTEG $1, H_1, 16(R1) - RET - -b2: // 2 or fewer blocks remaining - CMPBLE R3, $16, b1 - - // Load the 2 remaining blocks (17-32 bytes remaining). - MOVD $-17(R3), R0 // index of final byte to load modulo 16 - VL (R2), T_0 // load full 16 byte block - VLL R0, 16(R2), T_1 // load final (possibly partial) block and pad with zeros to 16 bytes - - // The Poly1305 algorithm requires that a 1 bit be appended to - // each message block. If the final block is less than 16 bytes - // long then it is easiest to insert the 1 before the message - // block is split into 26-bit limbs. If, on the other hand, the - // final message block is 16 bytes long then we append the 1 bit - // after expansion as normal. - MOVBZ $1, R0 - MOVD $-16(R3), R3 // index of byte in last block to insert 1 at (could be 16) - CMPBEQ R3, $16, 2(PC) // skip the insertion if the final block is 16 bytes long - VLVGB R3, R0, T_1 // insert 1 into the byte at index R3 - - // Split both blocks into 26-bit limbs in the appropriate lanes. - EXPAND(T_0, T_1, M_0, M_1, M_2, M_3, M_4) - - // Append a 1 byte to the end of the second to last block. - VLEIB $4, $1, M_4 - - // Append a 1 byte to the end of the last block only if it is a - // full 16 byte block. - CMPBNE R3, $16, 2(PC) - VLEIB $12, $1, M_4 - - // Finally, set up the coefficients for the final multiplication. 
- // We have previously saved r and 5r in the 32-bit even indexes - // of the R_[0-4] and R5_[1-4] coefficient registers. - // - // We want lane 0 to be multiplied by r² so that can be kept the - // same. We want lane 1 to be multiplied by r so we need to move - // the saved r value into the 32-bit odd index in lane 1 by - // rotating the 64-bit lane by 32. - VGBM $0x00ff, T_0 // [0, 0xffffffffffffffff] - mask lane 1 only - VERIMG $32, R_0, T_0, R_0 // [_, r²₂₆[0], _, r₂₆[0]] - VERIMG $32, R_1, T_0, R_1 // [_, r²₂₆[1], _, r₂₆[1]] - VERIMG $32, R_2, T_0, R_2 // [_, r²₂₆[2], _, r₂₆[2]] - VERIMG $32, R_3, T_0, R_3 // [_, r²₂₆[3], _, r₂₆[3]] - VERIMG $32, R_4, T_0, R_4 // [_, r²₂₆[4], _, r₂₆[4]] - VERIMG $32, R5_1, T_0, R5_1 // [_, 5r²₂₆[1], _, 5r₂₆[1]] - VERIMG $32, R5_2, T_0, R5_2 // [_, 5r²₂₆[2], _, 5r₂₆[2]] - VERIMG $32, R5_3, T_0, R5_3 // [_, 5r²₂₆[3], _, 5r₂₆[3]] - VERIMG $32, R5_4, T_0, R5_4 // [_, 5r²₂₆[4], _, 5r₂₆[4]] - - MOVD $0, R3 - BR multiply - -skip: - CMPBEQ R3, $0, finish - -b1: // 1 block remaining - - // Load the final block (1-16 bytes). This will be placed into - // lane 0. - MOVD $-1(R3), R0 - VLL R0, (R2), T_0 // pad to 16 bytes with zeros - - // The Poly1305 algorithm requires that a 1 bit be appended to - // each message block. If the final block is less than 16 bytes - // long then it is easiest to insert the 1 before the message - // block is split into 26-bit limbs. If, on the other hand, the - // final message block is 16 bytes long then we append the 1 bit - // after expansion as normal. - MOVBZ $1, R0 - CMPBEQ R3, $16, 2(PC) - VLVGB R3, R0, T_0 - - // Set the message block in lane 1 to the value 0 so that it - // can be accumulated without affecting the final result. - VZERO T_1 - - // Split the final message block into 26-bit limbs in lane 0. - // Lane 1 will be contain 0. - EXPAND(T_0, T_1, M_0, M_1, M_2, M_3, M_4) - - // Append a 1 byte to the end of the last block only if it is a - // full 16 byte block. 
- CMPBNE R3, $16, 2(PC) - VLEIB $4, $1, M_4 - - // We have previously saved r and 5r in the 32-bit even indexes - // of the R_[0-4] and R5_[1-4] coefficient registers. - // - // We want lane 0 to be multiplied by r so we need to move the - // saved r value into the 32-bit odd index in lane 0. We want - // lane 1 to be set to the value 1. This makes multiplication - // a no-op. We do this by setting lane 1 in every register to 0 - // and then just setting the 32-bit index 3 in R_0 to 1. - VZERO T_0 - MOVD $0, R0 - MOVD $0x10111213, R12 - VLVGP R12, R0, T_1 // [_, 0x10111213, _, 0x00000000] - VPERM T_0, R_0, T_1, R_0 // [_, r₂₆[0], _, 0] - VPERM T_0, R_1, T_1, R_1 // [_, r₂₆[1], _, 0] - VPERM T_0, R_2, T_1, R_2 // [_, r₂₆[2], _, 0] - VPERM T_0, R_3, T_1, R_3 // [_, r₂₆[3], _, 0] - VPERM T_0, R_4, T_1, R_4 // [_, r₂₆[4], _, 0] - VPERM T_0, R5_1, T_1, R5_1 // [_, 5r₂₆[1], _, 0] - VPERM T_0, R5_2, T_1, R5_2 // [_, 5r₂₆[2], _, 0] - VPERM T_0, R5_3, T_1, R5_3 // [_, 5r₂₆[3], _, 0] - VPERM T_0, R5_4, T_1, R5_4 // [_, 5r₂₆[4], _, 0] - - // Set the value of lane 1 to be 1. - VLEIF $3, $1, R_0 // [_, r₂₆[0], _, 1] - - MOVD $0, R3 - BR multiply diff --git a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go b/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go deleted file mode 100644 index 28cd99c7f..000000000 --- a/vendor/golang.org/x/crypto/pbkdf2/pbkdf2.go +++ /dev/null 
@@ -1,77 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-/*
-Package pbkdf2 implements the key derivation function PBKDF2 as defined in RFC
-2898 / PKCS #5 v2.0.
-
-A key derivation function is useful when encrypting data based on a password
-or any other not-fully-random data. It uses a pseudorandom function to derive
-a secure encryption key based on the password.
-
-While v2.0 of the standard defines only one pseudorandom function to use,
-HMAC-SHA1, the drafted v2.1 specification allows use of all five FIPS Approved
-Hash Functions SHA-1, SHA-224, SHA-256, SHA-384 and SHA-512 for HMAC. To
-choose, you can pass the `New` functions from the different SHA packages to
-pbkdf2.Key.
-*/
-package pbkdf2
-
-import (
- "crypto/hmac"
- "hash"
-)
-
-// Key derives a key from the password, salt and iteration count, returning a
-// []byte of length keylen that can be used as cryptographic key. The key is
-// derived based on the method described as PBKDF2 with the HMAC variant using
-// the supplied hash function.
-//
-// For example, to use a HMAC-SHA-1 based PBKDF2 key derivation function, you
-// can get a derived key for e.g. AES-256 (which needs a 32-byte key) by
-// doing:
-//
-// dk := pbkdf2.Key([]byte("some password"), salt, 4096, 32, sha1.New)
-//
-// Remember to get a good random salt. At least 8 bytes is recommended by the
-// RFC.
-//
-// Using a higher iteration count will increase the cost of an exhaustive
-// search but will also make derivation proportionally slower.
-func Key(password, salt []byte, iter, keyLen int, h func() hash.Hash) []byte {
- prf := hmac.New(h, password)
- hashLen := prf.Size()
- numBlocks := (keyLen + hashLen - 1) / hashLen
-
- var buf [4]byte
- dk := make([]byte, 0, numBlocks*hashLen)
- U := make([]byte, hashLen)
- for block := 1; block <= numBlocks; block++ {
- // N.B.: || means concatenation, ^ means XOR
- // for each block T_i = U_1 ^ U_2 ^ ... ^ U_iter
- // U_1 = PRF(password, salt || uint(i))
- prf.Reset()
- prf.Write(salt)
- buf[0] = byte(block >> 24)
- buf[1] = byte(block >> 16)
- buf[2] = byte(block >> 8)
- buf[3] = byte(block)
- prf.Write(buf[:4])
- dk = prf.Sum(dk)
- T := dk[len(dk)-hashLen:]
- copy(U, T)
-
- // U_n = PRF(password, U_(n-1))
- for n := 2; n <= iter; n++ {
- prf.Reset()
- prf.Write(U)
- U = U[:0]
- U = prf.Sum(U)
- for x := range U {
- T[x] ^= U[x]
- }
- }
- }
- return dk[:keyLen]
-}
diff --git a/vendor/golang.org/x/crypto/ripemd160/ripemd160.go b/vendor/golang.org/x/crypto/ripemd160/ripemd160.go
deleted file mode 100644
index b6d33ef07..000000000
--- a/vendor/golang.org/x/crypto/ripemd160/ripemd160.go
+++ /dev/null
@@ -1,124 +0,0 @@ -// Copyright 2010 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package ripemd160 implements the RIPEMD-160 hash algorithm. -// -// Deprecated: RIPEMD-160 is a legacy hash and should not be used for new -// applications. Also, this package does not and will not provide an optimized -// implementation. Instead, use a modern hash like SHA-256 (from crypto/sha256). -package ripemd160 - -// RIPEMD-160 is designed by Hans Dobbertin, Antoon Bosselaers, and Bart -// Preneel with specifications available at: -// http://homes.esat.kuleuven.be/~cosicart/pdf/AB-9601/AB-9601.pdf. - -import ( - "crypto" - "hash" -) - -func init() { - crypto.RegisterHash(crypto.RIPEMD160, New) -} - -// The size of the checksum in bytes. -const Size = 20 - -// The block size of the hash algorithm in bytes. -const BlockSize = 64 - -const ( - _s0 = 0x67452301 - _s1 = 0xefcdab89 - _s2 = 0x98badcfe - _s3 = 0x10325476 - _s4 = 0xc3d2e1f0 -) - -// digest represents the partial evaluation of a checksum. -type digest struct { - s [5]uint32 // running context - x [BlockSize]byte // temporary buffer - nx int // index into x - tc uint64 // total count of bytes processed -} - -func (d *digest) Reset() { - d.s[0], d.s[1], d.s[2], d.s[3], d.s[4] = _s0, _s1, _s2, _s3, _s4 - d.nx = 0 - d.tc = 0 -} - -// New returns a new hash.Hash computing the checksum. 
-func New() hash.Hash { - result := new(digest) - result.Reset() - return result -} - -func (d *digest) Size() int { return Size } - -func (d *digest) BlockSize() int { return BlockSize } - -func (d *digest) Write(p []byte) (nn int, err error) { - nn = len(p) - d.tc += uint64(nn) - if d.nx > 0 { - n := len(p) - if n > BlockSize-d.nx { - n = BlockSize - d.nx - } - for i := 0; i < n; i++ { - d.x[d.nx+i] = p[i] - } - d.nx += n - if d.nx == BlockSize { - _Block(d, d.x[0:]) - d.nx = 0 - } - p = p[n:] - } - n := _Block(d, p) - p = p[n:] - if len(p) > 0 { - d.nx = copy(d.x[:], p) - } - return -} - -func (d0 *digest) Sum(in []byte) []byte { - // Make a copy of d0 so that caller can keep writing and summing. - d := *d0 - - // Padding. Add a 1 bit and 0 bits until 56 bytes mod 64. - tc := d.tc - var tmp [64]byte - tmp[0] = 0x80 - if tc%64 < 56 { - d.Write(tmp[0 : 56-tc%64]) - } else { - d.Write(tmp[0 : 64+56-tc%64]) - } - - // Length in bits. - tc <<= 3 - for i := uint(0); i < 8; i++ { - tmp[i] = byte(tc >> (8 * i)) - } - d.Write(tmp[0:8]) - - if d.nx != 0 { - panic("d.nx != 0") - } - - var digest [Size]byte - for i, s := range d.s { - digest[i*4] = byte(s) - digest[i*4+1] = byte(s >> 8) - digest[i*4+2] = byte(s >> 16) - digest[i*4+3] = byte(s >> 24) - } - - return append(in, digest[:]...) -} diff --git a/vendor/golang.org/x/crypto/ripemd160/ripemd160block.go b/vendor/golang.org/x/crypto/ripemd160/ripemd160block.go deleted file mode 100644 index e0edc02f0..000000000 --- a/vendor/golang.org/x/crypto/ripemd160/ripemd160block.go +++ /dev/null 
@@ -1,165 +0,0 @@ -// Copyright 2010 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// RIPEMD-160 block step. -// In its own file so that a faster assembly or C version -// can be substituted easily. - -package ripemd160 - -import ( - "math/bits" -) - -// work buffer indices and roll amounts for one line -var _n = [80]uint{ - 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, - 7, 4, 13, 1, 10, 6, 15, 3, 12, 0, 9, 5, 2, 14, 11, 8, - 3, 10, 14, 4, 9, 15, 8, 1, 2, 7, 0, 6, 13, 11, 5, 12, - 1, 9, 11, 10, 0, 8, 12, 4, 13, 3, 7, 15, 14, 5, 6, 2, - 4, 0, 5, 9, 7, 12, 2, 10, 14, 1, 3, 8, 11, 6, 15, 13, -} - -var _r = [80]uint{ - 11, 14, 15, 12, 5, 8, 7, 9, 11, 13, 14, 15, 6, 7, 9, 8, - 7, 6, 8, 13, 11, 9, 7, 15, 7, 12, 15, 9, 11, 7, 13, 12, - 11, 13, 6, 7, 14, 9, 13, 15, 14, 8, 13, 6, 5, 12, 7, 5, - 11, 12, 14, 15, 14, 15, 9, 8, 9, 14, 5, 6, 8, 6, 5, 12, - 9, 15, 5, 11, 6, 8, 13, 12, 5, 12, 13, 14, 11, 8, 5, 6, -} - -// same for the other parallel one -var n_ = [80]uint{ - 5, 14, 7, 0, 9, 2, 11, 4, 13, 6, 15, 8, 1, 10, 3, 12, - 6, 11, 3, 7, 0, 13, 5, 10, 14, 15, 8, 12, 4, 9, 1, 2, - 15, 5, 1, 3, 7, 14, 6, 9, 11, 8, 12, 2, 10, 0, 4, 13, - 8, 6, 4, 1, 3, 11, 15, 0, 5, 12, 2, 13, 9, 7, 10, 14, - 12, 15, 10, 4, 1, 5, 8, 7, 6, 2, 13, 14, 0, 3, 9, 11, -} - -var r_ = [80]uint{ - 8, 9, 9, 11, 13, 15, 15, 5, 7, 7, 8, 11, 14, 14, 12, 6, - 9, 13, 15, 7, 12, 8, 9, 11, 7, 7, 12, 7, 6, 15, 13, 11, - 9, 7, 15, 11, 8, 6, 6, 14, 12, 13, 5, 14, 13, 13, 7, 5, - 15, 5, 8, 11, 14, 14, 6, 14, 6, 9, 12, 9, 12, 5, 15, 8, - 8, 5, 12, 9, 12, 5, 14, 6, 8, 13, 6, 5, 15, 13, 11, 11, -} - -func _Block(md *digest, p []byte) int { - n := 0 - var x [16]uint32 - var alpha, beta uint32 - for len(p) >= BlockSize { - a, b, c, d, e := md.s[0], md.s[1], md.s[2], md.s[3], md.s[4] - aa, bb, cc, dd, ee := a, b, c, d, e - j := 0 - for i := 0; i < 16; i++ { - x[i] = uint32(p[j]) | uint32(p[j+1])<<8 | 
uint32(p[j+2])<<16 | uint32(p[j+3])<<24 - j += 4 - } - - // round 1 - i := 0 - for i < 16 { - alpha = a + (b ^ c ^ d) + x[_n[i]] - s := int(_r[i]) - alpha = bits.RotateLeft32(alpha, s) + e - beta = bits.RotateLeft32(c, 10) - a, b, c, d, e = e, alpha, b, beta, d - - // parallel line - alpha = aa + (bb ^ (cc | ^dd)) + x[n_[i]] + 0x50a28be6 - s = int(r_[i]) - alpha = bits.RotateLeft32(alpha, s) + ee - beta = bits.RotateLeft32(cc, 10) - aa, bb, cc, dd, ee = ee, alpha, bb, beta, dd - - i++ - } - - // round 2 - for i < 32 { - alpha = a + (b&c | ^b&d) + x[_n[i]] + 0x5a827999 - s := int(_r[i]) - alpha = bits.RotateLeft32(alpha, s) + e - beta = bits.RotateLeft32(c, 10) - a, b, c, d, e = e, alpha, b, beta, d - - // parallel line - alpha = aa + (bb&dd | cc&^dd) + x[n_[i]] + 0x5c4dd124 - s = int(r_[i]) - alpha = bits.RotateLeft32(alpha, s) + ee - beta = bits.RotateLeft32(cc, 10) - aa, bb, cc, dd, ee = ee, alpha, bb, beta, dd - - i++ - } - - // round 3 - for i < 48 { - alpha = a + (b | ^c ^ d) + x[_n[i]] + 0x6ed9eba1 - s := int(_r[i]) - alpha = bits.RotateLeft32(alpha, s) + e - beta = bits.RotateLeft32(c, 10) - a, b, c, d, e = e, alpha, b, beta, d - - // parallel line - alpha = aa + (bb | ^cc ^ dd) + x[n_[i]] + 0x6d703ef3 - s = int(r_[i]) - alpha = bits.RotateLeft32(alpha, s) + ee - beta = bits.RotateLeft32(cc, 10) - aa, bb, cc, dd, ee = ee, alpha, bb, beta, dd - - i++ - } - - // round 4 - for i < 64 { - alpha = a + (b&d | c&^d) + x[_n[i]] + 0x8f1bbcdc - s := int(_r[i]) - alpha = bits.RotateLeft32(alpha, s) + e - beta = bits.RotateLeft32(c, 10) - a, b, c, d, e = e, alpha, b, beta, d - - // parallel line - alpha = aa + (bb&cc | ^bb&dd) + x[n_[i]] + 0x7a6d76e9 - s = int(r_[i]) - alpha = bits.RotateLeft32(alpha, s) + ee - beta = bits.RotateLeft32(cc, 10) - aa, bb, cc, dd, ee = ee, alpha, bb, beta, dd - - i++ - } - - // round 5 - for i < 80 { - alpha = a + (b ^ (c | ^d)) + x[_n[i]] + 0xa953fd4e - s := int(_r[i]) - alpha = bits.RotateLeft32(alpha, s) + e - beta = 
bits.RotateLeft32(c, 10) - a, b, c, d, e = e, alpha, b, beta, d - - // parallel line - alpha = aa + (bb ^ cc ^ dd) + x[n_[i]] - s = int(r_[i]) - alpha = bits.RotateLeft32(alpha, s) + ee - beta = bits.RotateLeft32(cc, 10) - aa, bb, cc, dd, ee = ee, alpha, bb, beta, dd - - i++ - } - - // combine results - dd += c + md.s[1] - md.s[1] = md.s[2] + d + ee - md.s[2] = md.s[3] + e + aa - md.s[3] = md.s[4] + a + bb - md.s[4] = md.s[0] + b + cc - md.s[0] = dd - - p = p[BlockSize:] - n += BlockSize - } - return n -} diff --git a/vendor/golang.org/x/crypto/scrypt/scrypt.go b/vendor/golang.org/x/crypto/scrypt/scrypt.go deleted file mode 100644 index 76fa40fb2..000000000 --- a/vendor/golang.org/x/crypto/scrypt/scrypt.go +++ /dev/null 
@@ -1,212 +0,0 @@ -// Copyright 2012 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -// Package scrypt implements the scrypt key derivation function as defined in -// Colin Percival's paper "Stronger Key Derivation via Sequential Memory-Hard -// Functions" (https://www.tarsnap.com/scrypt/scrypt.pdf). -package scrypt - -import ( - "crypto/sha256" - "encoding/binary" - "errors" - "math/bits" - - "golang.org/x/crypto/pbkdf2" -) - -const maxInt = int(^uint(0) >> 1) - -// blockCopy copies n numbers from src into dst. -func blockCopy(dst, src []uint32, n int) { - copy(dst, src[:n]) -} - -// blockXOR XORs numbers from dst with n numbers from src. -func blockXOR(dst, src []uint32, n int) { - for i, v := range src[:n] { - dst[i] ^= v - } -} - -// salsaXOR applies Salsa20/8 to the XOR of 16 numbers from tmp and in, -// and puts the result into both tmp and out. -func salsaXOR(tmp *[16]uint32, in, out []uint32) { - w0 := tmp[0] ^ in[0] - w1 := tmp[1] ^ in[1] - w2 := tmp[2] ^ in[2] - w3 := tmp[3] ^ in[3] - w4 := tmp[4] ^ in[4] - w5 := tmp[5] ^ in[5] - w6 := tmp[6] ^ in[6] - w7 := tmp[7] ^ in[7] - w8 := tmp[8] ^ in[8] - w9 := tmp[9] ^ in[9] - w10 := tmp[10] ^ in[10] - w11 := tmp[11] ^ in[11] - w12 := tmp[12] ^ in[12] - w13 := tmp[13] ^ in[13] - w14 := tmp[14] ^ in[14] - w15 := tmp[15] ^ in[15] - - x0, x1, x2, x3, x4, x5, x6, x7, x8 := w0, w1, w2, w3, w4, w5, w6, w7, w8 - x9, x10, x11, x12, x13, x14, x15 := w9, w10, w11, w12, w13, w14, w15 - - for i := 0; i < 8; i += 2 { - x4 ^= bits.RotateLeft32(x0+x12, 7) - x8 ^= bits.RotateLeft32(x4+x0, 9) - x12 ^= bits.RotateLeft32(x8+x4, 13) - x0 ^= bits.RotateLeft32(x12+x8, 18) - - x9 ^= bits.RotateLeft32(x5+x1, 7) - x13 ^= bits.RotateLeft32(x9+x5, 9) - x1 ^= bits.RotateLeft32(x13+x9, 13) - x5 ^= bits.RotateLeft32(x1+x13, 18) - - x14 ^= bits.RotateLeft32(x10+x6, 7) - x2 ^= bits.RotateLeft32(x14+x10, 9) - x6 ^= bits.RotateLeft32(x2+x14, 13) - 
x10 ^= bits.RotateLeft32(x6+x2, 18) - - x3 ^= bits.RotateLeft32(x15+x11, 7) - x7 ^= bits.RotateLeft32(x3+x15, 9) - x11 ^= bits.RotateLeft32(x7+x3, 13) - x15 ^= bits.RotateLeft32(x11+x7, 18) - - x1 ^= bits.RotateLeft32(x0+x3, 7) - x2 ^= bits.RotateLeft32(x1+x0, 9) - x3 ^= bits.RotateLeft32(x2+x1, 13) - x0 ^= bits.RotateLeft32(x3+x2, 18) - - x6 ^= bits.RotateLeft32(x5+x4, 7) - x7 ^= bits.RotateLeft32(x6+x5, 9) - x4 ^= bits.RotateLeft32(x7+x6, 13) - x5 ^= bits.RotateLeft32(x4+x7, 18) - - x11 ^= bits.RotateLeft32(x10+x9, 7) - x8 ^= bits.RotateLeft32(x11+x10, 9) - x9 ^= bits.RotateLeft32(x8+x11, 13) - x10 ^= bits.RotateLeft32(x9+x8, 18) - - x12 ^= bits.RotateLeft32(x15+x14, 7) - x13 ^= bits.RotateLeft32(x12+x15, 9) - x14 ^= bits.RotateLeft32(x13+x12, 13) - x15 ^= bits.RotateLeft32(x14+x13, 18) - } - x0 += w0 - x1 += w1 - x2 += w2 - x3 += w3 - x4 += w4 - x5 += w5 - x6 += w6 - x7 += w7 - x8 += w8 - x9 += w9 - x10 += w10 - x11 += w11 - x12 += w12 - x13 += w13 - x14 += w14 - x15 += w15 - - out[0], tmp[0] = x0, x0 - out[1], tmp[1] = x1, x1 - out[2], tmp[2] = x2, x2 - out[3], tmp[3] = x3, x3 - out[4], tmp[4] = x4, x4 - out[5], tmp[5] = x5, x5 - out[6], tmp[6] = x6, x6 - out[7], tmp[7] = x7, x7 - out[8], tmp[8] = x8, x8 - out[9], tmp[9] = x9, x9 - out[10], tmp[10] = x10, x10 - out[11], tmp[11] = x11, x11 - out[12], tmp[12] = x12, x12 - out[13], tmp[13] = x13, x13 - out[14], tmp[14] = x14, x14 - out[15], tmp[15] = x15, x15 -} - -func blockMix(tmp *[16]uint32, in, out []uint32, r int) { - blockCopy(tmp[:], in[(2*r-1)*16:], 16) - for i := 0; i < 2*r; i += 2 { - salsaXOR(tmp, in[i*16:], out[i*8:]) - salsaXOR(tmp, in[i*16+16:], out[i*8+r*16:]) - } -} - -func integer(b []uint32, r int) uint64 { - j := (2*r - 1) * 16 - return uint64(b[j]) | uint64(b[j+1])<<32 -} - -func smix(b []byte, r, N int, v, xy []uint32) { - var tmp [16]uint32 - R := 32 * r - x := xy - y := xy[R:] - - j := 0 - for i := 0; i < R; i++ { - x[i] = binary.LittleEndian.Uint32(b[j:]) - j += 4 - } - for i := 0; i < N; 
i += 2 { - blockCopy(v[i*R:], x, R) - blockMix(&tmp, x, y, r) - - blockCopy(v[(i+1)*R:], y, R) - blockMix(&tmp, y, x, r) - } - for i := 0; i < N; i += 2 { - j := int(integer(x, r) & uint64(N-1)) - blockXOR(x, v[j*R:], R) - blockMix(&tmp, x, y, r) - - j = int(integer(y, r) & uint64(N-1)) - blockXOR(y, v[j*R:], R) - blockMix(&tmp, y, x, r) - } - j = 0 - for _, v := range x[:R] { - binary.LittleEndian.PutUint32(b[j:], v) - j += 4 - } -} - -// Key derives a key from the password, salt, and cost parameters, returning -// a byte slice of length keyLen that can be used as cryptographic key. -// -// N is a CPU/memory cost parameter, which must be a power of two greater than 1. -// r and p must satisfy r * p < 2³⁰. If the parameters do not satisfy the -// limits, the function returns a nil byte slice and an error. -// -// For example, you can get a derived key for e.g. AES-256 (which needs a -// 32-byte key) by doing: -// -// dk, err := scrypt.Key([]byte("some password"), salt, 32768, 8, 1, 32) -// -// The recommended parameters for interactive logins as of 2017 are N=32768, r=8 -// and p=1. The parameters N, r, and p should be increased as memory latency and -// CPU parallelism increases; consider setting N to the highest power of 2 you -// can derive within 100 milliseconds. Remember to get a good random salt. -func Key(password, salt []byte, N, r, p, keyLen int) ([]byte, error) { - if N <= 1 || N&(N-1) != 0 { - return nil, errors.New("scrypt: N must be > 1 and a power of 2") - } - if uint64(r)*uint64(p) >= 1<<30 || r > maxInt/128/p || r > maxInt/256 || N > maxInt/128/r { - return nil, errors.New("scrypt: parameters are too large") - } - - xy := make([]uint32, 64*r) - v := make([]uint32, 32*N*r) - b := pbkdf2.Key(password, salt, 1, p*128*r, sha256.New) - - for i := 0; i < p; i++ { - smix(b[i*128*r:], r, N, v, xy) - } - - return pbkdf2.Key(password, b, 1, keyLen, sha256.New), nil -} 
diff --git a/vendor/golang.org/x/crypto/sha3/doc.go b/vendor/golang.org/x/crypto/sha3/doc.go
deleted file mode 100644
index bbf391fe6..000000000
--- a/vendor/golang.org/x/crypto/sha3/doc.go
+++ /dev/null
@@ -1,66 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package sha3 implements the SHA-3 fixed-output-length hash functions and
-// the SHAKE variable-output-length hash functions defined by FIPS-202.
-//
-// All types in this package also implement [encoding.BinaryMarshaler],
-// [encoding.BinaryAppender] and [encoding.BinaryUnmarshaler] to marshal and
-// unmarshal the internal state of the hash.
-//
-// Both types of hash function use the "sponge" construction and the Keccak
-// permutation. For a detailed specification see http://keccak.noekeon.org/
-//
-// # Guidance
-//
-// If you aren't sure what function you need, use SHAKE256 with at least 64
-// bytes of output. The SHAKE instances are faster than the SHA3 instances;
-// the latter have to allocate memory to conform to the hash.Hash interface.
-//
-// If you need a secret-key MAC (message authentication code), prepend the
-// secret key to the input, hash with SHAKE256 and read at least 32 bytes of
-// output.
-//
-// # Security strengths
-//
-// The SHA3-x (x equals 224, 256, 384, or 512) functions have a security
-// strength against preimage attacks of x bits. Since they only produce "x"
-// bits of output, their collision-resistance is only "x/2" bits.
-//
-// The SHAKE-256 and -128 functions have a generic security strength of 256 and
-// 128 bits against all attacks, provided that at least 2x bits of their output
-// is used. Requesting more than 64 or 32 bytes of output, respectively, does
-// not increase the collision-resistance of the SHAKE functions.
-//
-// # The sponge construction
-//
-// A sponge builds a pseudo-random function from a public pseudo-random
-// permutation, by applying the permutation to a state of "rate + capacity"
-// bytes, but hiding "capacity" of the bytes.
-//
-// A sponge starts out with a zero state. To hash an input using a sponge, up
-// to "rate" bytes of the input are XORed into the sponge's state. The sponge
-// is then "full" and the permutation is applied to "empty" it. This process is
-// repeated until all the input has been "absorbed". The input is then padded.
-// The digest is "squeezed" from the sponge in the same way, except that output
-// is copied out instead of input being XORed in.
-//
-// A sponge is parameterized by its generic security strength, which is equal
-// to half its capacity; capacity + rate is equal to the permutation's width.
-// Since the KeccakF-1600 permutation is 1600 bits (200 bytes) wide, this means
-// that the security strength of a sponge instance is equal to (1600 - bitrate) / 2.
-//
-// # Recommendations
-//
-// The SHAKE functions are recommended for most new uses. They can produce
-// output of arbitrary length. SHAKE256, with an output length of at least
-// 64 bytes, provides 256-bit security against all attacks. The Keccak team
-// recommends it for most applications upgrading from SHA2-512. (NIST chose a
-// much stronger, but much slower, sponge instance for SHA3-512.)
-//
-// The SHA-3 functions are "drop-in" replacements for the SHA-2 functions.
-// They produce output of the same length, with the same security strengths
-// against all attacks. This means, in particular, that SHA3-256 only has
-// 128-bit collision resistance, because its output length is 32 bytes.
-package sha3
diff --git a/vendor/golang.org/x/crypto/sha3/hashes.go b/vendor/golang.org/x/crypto/sha3/hashes.go
deleted file mode 100644
index 31fffbe04..000000000
--- a/vendor/golang.org/x/crypto/sha3/hashes.go
+++ /dev/null
@@ -1,128 +0,0 @@ -// Copyright 2014 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package sha3 - -// This file provides functions for creating instances of the SHA-3 -// and SHAKE hash functions, as well as utility functions for hashing -// bytes. - -import ( - "crypto" - "hash" -) - -// New224 creates a new SHA3-224 hash. -// Its generic security strength is 224 bits against preimage attacks, -// and 112 bits against collision attacks. -func New224() hash.Hash { - return new224() -} - -// New256 creates a new SHA3-256 hash. -// Its generic security strength is 256 bits against preimage attacks, -// and 128 bits against collision attacks. -func New256() hash.Hash { - return new256() -} - -// New384 creates a new SHA3-384 hash. -// Its generic security strength is 384 bits against preimage attacks, -// and 192 bits against collision attacks. -func New384() hash.Hash { - return new384() -} - -// New512 creates a new SHA3-512 hash. -// Its generic security strength is 512 bits against preimage attacks, -// and 256 bits against collision attacks. -func New512() hash.Hash { - return new512() -} - -func init() { - crypto.RegisterHash(crypto.SHA3_224, New224) - crypto.RegisterHash(crypto.SHA3_256, New256) - crypto.RegisterHash(crypto.SHA3_384, New384) - crypto.RegisterHash(crypto.SHA3_512, New512) -} - -const ( - dsbyteSHA3 = 0b00000110 - dsbyteKeccak = 0b00000001 - dsbyteShake = 0b00011111 - dsbyteCShake = 0b00000100 - - // rateK[c] is the rate in bytes for Keccak[c] where c is the capacity in - // bits. Given the sponge size is 1600 bits, the rate is 1600 - c bits. 
- rateK256 = (1600 - 256) / 8 - rateK448 = (1600 - 448) / 8 - rateK512 = (1600 - 512) / 8 - rateK768 = (1600 - 768) / 8 - rateK1024 = (1600 - 1024) / 8 -) - -func new224Generic() *state { - return &state{rate: rateK448, outputLen: 28, dsbyte: dsbyteSHA3} -} - -func new256Generic() *state { - return &state{rate: rateK512, outputLen: 32, dsbyte: dsbyteSHA3} -} - -func new384Generic() *state { - return &state{rate: rateK768, outputLen: 48, dsbyte: dsbyteSHA3} -} - -func new512Generic() *state { - return &state{rate: rateK1024, outputLen: 64, dsbyte: dsbyteSHA3} -} - -// NewLegacyKeccak256 creates a new Keccak-256 hash. -// -// Only use this function if you require compatibility with an existing cryptosystem -// that uses non-standard padding. All other users should use New256 instead. -func NewLegacyKeccak256() hash.Hash { - return &state{rate: rateK512, outputLen: 32, dsbyte: dsbyteKeccak} -} - -// NewLegacyKeccak512 creates a new Keccak-512 hash. -// -// Only use this function if you require compatibility with an existing cryptosystem -// that uses non-standard padding. All other users should use New512 instead. -func NewLegacyKeccak512() hash.Hash { - return &state{rate: rateK1024, outputLen: 64, dsbyte: dsbyteKeccak} -} - -// Sum224 returns the SHA3-224 digest of the data. -func Sum224(data []byte) (digest [28]byte) { - h := New224() - h.Write(data) - h.Sum(digest[:0]) - return -} - -// Sum256 returns the SHA3-256 digest of the data. -func Sum256(data []byte) (digest [32]byte) { - h := New256() - h.Write(data) - h.Sum(digest[:0]) - return -} - -// Sum384 returns the SHA3-384 digest of the data. -func Sum384(data []byte) (digest [48]byte) { - h := New384() - h.Write(data) - h.Sum(digest[:0]) - return -} - -// Sum512 returns the SHA3-512 digest of the data. -func Sum512(data []byte) (digest [64]byte) { - h := New512() - h.Write(data) - h.Sum(digest[:0]) - return -} 
diff --git a/vendor/golang.org/x/crypto/sha3/hashes_noasm.go b/vendor/golang.org/x/crypto/sha3/hashes_noasm.go
deleted file mode 100644
index 9d85fb621..000000000
--- a/vendor/golang.org/x/crypto/sha3/hashes_noasm.go
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright 2023 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !gc || purego || !s390x
-
-package sha3
-
-func new224() *state {
- return new224Generic()
-}
-
-func new256() *state {
- return new256Generic()
-}
-
-func new384() *state {
- return new384Generic()
-}
-
-func new512() *state {
- return new512Generic()
-}
diff --git a/vendor/golang.org/x/crypto/sha3/keccakf.go b/vendor/golang.org/x/crypto/sha3/keccakf.go
deleted file mode 100644
index ce48b1dd3..000000000
--- a/vendor/golang.org/x/crypto/sha3/keccakf.go
+++ /dev/null
@@ -1,414 +0,0 @@ -// Copyright 2014 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -//go:build !amd64 || purego || !gc - -package sha3 - -import "math/bits" - -// rc stores the round constants for use in the ι step. -var rc = [24]uint64{ - 0x0000000000000001, - 0x0000000000008082, - 0x800000000000808A, - 0x8000000080008000, - 0x000000000000808B, - 0x0000000080000001, - 0x8000000080008081, - 0x8000000000008009, - 0x000000000000008A, - 0x0000000000000088, - 0x0000000080008009, - 0x000000008000000A, - 0x000000008000808B, - 0x800000000000008B, - 0x8000000000008089, - 0x8000000000008003, - 0x8000000000008002, - 0x8000000000000080, - 0x000000000000800A, - 0x800000008000000A, - 0x8000000080008081, - 0x8000000000008080, - 0x0000000080000001, - 0x8000000080008008, -} - -// keccakF1600 applies the Keccak permutation to a 1600b-wide -// state represented as a slice of 25 uint64s. -func keccakF1600(a *[25]uint64) { - // Implementation translated from Keccak-inplace.c - // in the keccak reference code. - var t, bc0, bc1, bc2, bc3, bc4, d0, d1, d2, d3, d4 uint64 - - for i := 0; i < 24; i += 4 { - // Combines the 5 steps in each round into 2 steps. - // Unrolls 4 rounds per loop and spreads some steps across rounds. 
- - // Round 1 - bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20] - bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21] - bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22] - bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23] - bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24] - d0 = bc4 ^ (bc1<<1 | bc1>>63) - d1 = bc0 ^ (bc2<<1 | bc2>>63) - d2 = bc1 ^ (bc3<<1 | bc3>>63) - d3 = bc2 ^ (bc4<<1 | bc4>>63) - d4 = bc3 ^ (bc0<<1 | bc0>>63) - - bc0 = a[0] ^ d0 - t = a[6] ^ d1 - bc1 = bits.RotateLeft64(t, 44) - t = a[12] ^ d2 - bc2 = bits.RotateLeft64(t, 43) - t = a[18] ^ d3 - bc3 = bits.RotateLeft64(t, 21) - t = a[24] ^ d4 - bc4 = bits.RotateLeft64(t, 14) - a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i] - a[6] = bc1 ^ (bc3 &^ bc2) - a[12] = bc2 ^ (bc4 &^ bc3) - a[18] = bc3 ^ (bc0 &^ bc4) - a[24] = bc4 ^ (bc1 &^ bc0) - - t = a[10] ^ d0 - bc2 = bits.RotateLeft64(t, 3) - t = a[16] ^ d1 - bc3 = bits.RotateLeft64(t, 45) - t = a[22] ^ d2 - bc4 = bits.RotateLeft64(t, 61) - t = a[3] ^ d3 - bc0 = bits.RotateLeft64(t, 28) - t = a[9] ^ d4 - bc1 = bits.RotateLeft64(t, 20) - a[10] = bc0 ^ (bc2 &^ bc1) - a[16] = bc1 ^ (bc3 &^ bc2) - a[22] = bc2 ^ (bc4 &^ bc3) - a[3] = bc3 ^ (bc0 &^ bc4) - a[9] = bc4 ^ (bc1 &^ bc0) - - t = a[20] ^ d0 - bc4 = bits.RotateLeft64(t, 18) - t = a[1] ^ d1 - bc0 = bits.RotateLeft64(t, 1) - t = a[7] ^ d2 - bc1 = bits.RotateLeft64(t, 6) - t = a[13] ^ d3 - bc2 = bits.RotateLeft64(t, 25) - t = a[19] ^ d4 - bc3 = bits.RotateLeft64(t, 8) - a[20] = bc0 ^ (bc2 &^ bc1) - a[1] = bc1 ^ (bc3 &^ bc2) - a[7] = bc2 ^ (bc4 &^ bc3) - a[13] = bc3 ^ (bc0 &^ bc4) - a[19] = bc4 ^ (bc1 &^ bc0) - - t = a[5] ^ d0 - bc1 = bits.RotateLeft64(t, 36) - t = a[11] ^ d1 - bc2 = bits.RotateLeft64(t, 10) - t = a[17] ^ d2 - bc3 = bits.RotateLeft64(t, 15) - t = a[23] ^ d3 - bc4 = bits.RotateLeft64(t, 56) - t = a[4] ^ d4 - bc0 = bits.RotateLeft64(t, 27) - a[5] = bc0 ^ (bc2 &^ bc1) - a[11] = bc1 ^ (bc3 &^ bc2) - a[17] = bc2 ^ (bc4 &^ bc3) - a[23] = bc3 ^ (bc0 &^ bc4) - a[4] = bc4 ^ (bc1 &^ bc0) - - t = a[15] ^ d0 - bc3 = bits.RotateLeft64(t, 41) - t = 
a[21] ^ d1 - bc4 = bits.RotateLeft64(t, 2) - t = a[2] ^ d2 - bc0 = bits.RotateLeft64(t, 62) - t = a[8] ^ d3 - bc1 = bits.RotateLeft64(t, 55) - t = a[14] ^ d4 - bc2 = bits.RotateLeft64(t, 39) - a[15] = bc0 ^ (bc2 &^ bc1) - a[21] = bc1 ^ (bc3 &^ bc2) - a[2] = bc2 ^ (bc4 &^ bc3) - a[8] = bc3 ^ (bc0 &^ bc4) - a[14] = bc4 ^ (bc1 &^ bc0) - - // Round 2 - bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20] - bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21] - bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22] - bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23] - bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24] - d0 = bc4 ^ (bc1<<1 | bc1>>63) - d1 = bc0 ^ (bc2<<1 | bc2>>63) - d2 = bc1 ^ (bc3<<1 | bc3>>63) - d3 = bc2 ^ (bc4<<1 | bc4>>63) - d4 = bc3 ^ (bc0<<1 | bc0>>63) - - bc0 = a[0] ^ d0 - t = a[16] ^ d1 - bc1 = bits.RotateLeft64(t, 44) - t = a[7] ^ d2 - bc2 = bits.RotateLeft64(t, 43) - t = a[23] ^ d3 - bc3 = bits.RotateLeft64(t, 21) - t = a[14] ^ d4 - bc4 = bits.RotateLeft64(t, 14) - a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+1] - a[16] = bc1 ^ (bc3 &^ bc2) - a[7] = bc2 ^ (bc4 &^ bc3) - a[23] = bc3 ^ (bc0 &^ bc4) - a[14] = bc4 ^ (bc1 &^ bc0) - - t = a[20] ^ d0 - bc2 = bits.RotateLeft64(t, 3) - t = a[11] ^ d1 - bc3 = bits.RotateLeft64(t, 45) - t = a[2] ^ d2 - bc4 = bits.RotateLeft64(t, 61) - t = a[18] ^ d3 - bc0 = bits.RotateLeft64(t, 28) - t = a[9] ^ d4 - bc1 = bits.RotateLeft64(t, 20) - a[20] = bc0 ^ (bc2 &^ bc1) - a[11] = bc1 ^ (bc3 &^ bc2) - a[2] = bc2 ^ (bc4 &^ bc3) - a[18] = bc3 ^ (bc0 &^ bc4) - a[9] = bc4 ^ (bc1 &^ bc0) - - t = a[15] ^ d0 - bc4 = bits.RotateLeft64(t, 18) - t = a[6] ^ d1 - bc0 = bits.RotateLeft64(t, 1) - t = a[22] ^ d2 - bc1 = bits.RotateLeft64(t, 6) - t = a[13] ^ d3 - bc2 = bits.RotateLeft64(t, 25) - t = a[4] ^ d4 - bc3 = bits.RotateLeft64(t, 8) - a[15] = bc0 ^ (bc2 &^ bc1) - a[6] = bc1 ^ (bc3 &^ bc2) - a[22] = bc2 ^ (bc4 &^ bc3) - a[13] = bc3 ^ (bc0 &^ bc4) - a[4] = bc4 ^ (bc1 &^ bc0) - - t = a[10] ^ d0 - bc1 = bits.RotateLeft64(t, 36) - t = a[1] ^ d1 - bc2 = bits.RotateLeft64(t, 10) - t = a[17] ^ 
d2 - bc3 = bits.RotateLeft64(t, 15) - t = a[8] ^ d3 - bc4 = bits.RotateLeft64(t, 56) - t = a[24] ^ d4 - bc0 = bits.RotateLeft64(t, 27) - a[10] = bc0 ^ (bc2 &^ bc1) - a[1] = bc1 ^ (bc3 &^ bc2) - a[17] = bc2 ^ (bc4 &^ bc3) - a[8] = bc3 ^ (bc0 &^ bc4) - a[24] = bc4 ^ (bc1 &^ bc0) - - t = a[5] ^ d0 - bc3 = bits.RotateLeft64(t, 41) - t = a[21] ^ d1 - bc4 = bits.RotateLeft64(t, 2) - t = a[12] ^ d2 - bc0 = bits.RotateLeft64(t, 62) - t = a[3] ^ d3 - bc1 = bits.RotateLeft64(t, 55) - t = a[19] ^ d4 - bc2 = bits.RotateLeft64(t, 39) - a[5] = bc0 ^ (bc2 &^ bc1) - a[21] = bc1 ^ (bc3 &^ bc2) - a[12] = bc2 ^ (bc4 &^ bc3) - a[3] = bc3 ^ (bc0 &^ bc4) - a[19] = bc4 ^ (bc1 &^ bc0) - - // Round 3 - bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20] - bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21] - bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22] - bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23] - bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24] - d0 = bc4 ^ (bc1<<1 | bc1>>63) - d1 = bc0 ^ (bc2<<1 | bc2>>63) - d2 = bc1 ^ (bc3<<1 | bc3>>63) - d3 = bc2 ^ (bc4<<1 | bc4>>63) - d4 = bc3 ^ (bc0<<1 | bc0>>63) - - bc0 = a[0] ^ d0 - t = a[11] ^ d1 - bc1 = bits.RotateLeft64(t, 44) - t = a[22] ^ d2 - bc2 = bits.RotateLeft64(t, 43) - t = a[8] ^ d3 - bc3 = bits.RotateLeft64(t, 21) - t = a[19] ^ d4 - bc4 = bits.RotateLeft64(t, 14) - a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+2] - a[11] = bc1 ^ (bc3 &^ bc2) - a[22] = bc2 ^ (bc4 &^ bc3) - a[8] = bc3 ^ (bc0 &^ bc4) - a[19] = bc4 ^ (bc1 &^ bc0) - - t = a[15] ^ d0 - bc2 = bits.RotateLeft64(t, 3) - t = a[1] ^ d1 - bc3 = bits.RotateLeft64(t, 45) - t = a[12] ^ d2 - bc4 = bits.RotateLeft64(t, 61) - t = a[23] ^ d3 - bc0 = bits.RotateLeft64(t, 28) - t = a[9] ^ d4 - bc1 = bits.RotateLeft64(t, 20) - a[15] = bc0 ^ (bc2 &^ bc1) - a[1] = bc1 ^ (bc3 &^ bc2) - a[12] = bc2 ^ (bc4 &^ bc3) - a[23] = bc3 ^ (bc0 &^ bc4) - a[9] = bc4 ^ (bc1 &^ bc0) - - t = a[5] ^ d0 - bc4 = bits.RotateLeft64(t, 18) - t = a[16] ^ d1 - bc0 = bits.RotateLeft64(t, 1) - t = a[2] ^ d2 - bc1 = bits.RotateLeft64(t, 6) - t = a[13] ^ d3 - bc2 
= bits.RotateLeft64(t, 25) - t = a[24] ^ d4 - bc3 = bits.RotateLeft64(t, 8) - a[5] = bc0 ^ (bc2 &^ bc1) - a[16] = bc1 ^ (bc3 &^ bc2) - a[2] = bc2 ^ (bc4 &^ bc3) - a[13] = bc3 ^ (bc0 &^ bc4) - a[24] = bc4 ^ (bc1 &^ bc0) - - t = a[20] ^ d0 - bc1 = bits.RotateLeft64(t, 36) - t = a[6] ^ d1 - bc2 = bits.RotateLeft64(t, 10) - t = a[17] ^ d2 - bc3 = bits.RotateLeft64(t, 15) - t = a[3] ^ d3 - bc4 = bits.RotateLeft64(t, 56) - t = a[14] ^ d4 - bc0 = bits.RotateLeft64(t, 27) - a[20] = bc0 ^ (bc2 &^ bc1) - a[6] = bc1 ^ (bc3 &^ bc2) - a[17] = bc2 ^ (bc4 &^ bc3) - a[3] = bc3 ^ (bc0 &^ bc4) - a[14] = bc4 ^ (bc1 &^ bc0) - - t = a[10] ^ d0 - bc3 = bits.RotateLeft64(t, 41) - t = a[21] ^ d1 - bc4 = bits.RotateLeft64(t, 2) - t = a[7] ^ d2 - bc0 = bits.RotateLeft64(t, 62) - t = a[18] ^ d3 - bc1 = bits.RotateLeft64(t, 55) - t = a[4] ^ d4 - bc2 = bits.RotateLeft64(t, 39) - a[10] = bc0 ^ (bc2 &^ bc1) - a[21] = bc1 ^ (bc3 &^ bc2) - a[7] = bc2 ^ (bc4 &^ bc3) - a[18] = bc3 ^ (bc0 &^ bc4) - a[4] = bc4 ^ (bc1 &^ bc0) - - // Round 4 - bc0 = a[0] ^ a[5] ^ a[10] ^ a[15] ^ a[20] - bc1 = a[1] ^ a[6] ^ a[11] ^ a[16] ^ a[21] - bc2 = a[2] ^ a[7] ^ a[12] ^ a[17] ^ a[22] - bc3 = a[3] ^ a[8] ^ a[13] ^ a[18] ^ a[23] - bc4 = a[4] ^ a[9] ^ a[14] ^ a[19] ^ a[24] - d0 = bc4 ^ (bc1<<1 | bc1>>63) - d1 = bc0 ^ (bc2<<1 | bc2>>63) - d2 = bc1 ^ (bc3<<1 | bc3>>63) - d3 = bc2 ^ (bc4<<1 | bc4>>63) - d4 = bc3 ^ (bc0<<1 | bc0>>63) - - bc0 = a[0] ^ d0 - t = a[1] ^ d1 - bc1 = bits.RotateLeft64(t, 44) - t = a[2] ^ d2 - bc2 = bits.RotateLeft64(t, 43) - t = a[3] ^ d3 - bc3 = bits.RotateLeft64(t, 21) - t = a[4] ^ d4 - bc4 = bits.RotateLeft64(t, 14) - a[0] = bc0 ^ (bc2 &^ bc1) ^ rc[i+3] - a[1] = bc1 ^ (bc3 &^ bc2) - a[2] = bc2 ^ (bc4 &^ bc3) - a[3] = bc3 ^ (bc0 &^ bc4) - a[4] = bc4 ^ (bc1 &^ bc0) - - t = a[5] ^ d0 - bc2 = bits.RotateLeft64(t, 3) - t = a[6] ^ d1 - bc3 = bits.RotateLeft64(t, 45) - t = a[7] ^ d2 - bc4 = bits.RotateLeft64(t, 61) - t = a[8] ^ d3 - bc0 = bits.RotateLeft64(t, 28) - t = a[9] ^ d4 - bc1 = 
bits.RotateLeft64(t, 20)
- a[5] = bc0 ^ (bc2 &^ bc1)
- a[6] = bc1 ^ (bc3 &^ bc2)
- a[7] = bc2 ^ (bc4 &^ bc3)
- a[8] = bc3 ^ (bc0 &^ bc4)
- a[9] = bc4 ^ (bc1 &^ bc0)
-
- t = a[10] ^ d0
- bc4 = bits.RotateLeft64(t, 18)
- t = a[11] ^ d1
- bc0 = bits.RotateLeft64(t, 1)
- t = a[12] ^ d2
- bc1 = bits.RotateLeft64(t, 6)
- t = a[13] ^ d3
- bc2 = bits.RotateLeft64(t, 25)
- t = a[14] ^ d4
- bc3 = bits.RotateLeft64(t, 8)
- a[10] = bc0 ^ (bc2 &^ bc1)
- a[11] = bc1 ^ (bc3 &^ bc2)
- a[12] = bc2 ^ (bc4 &^ bc3)
- a[13] = bc3 ^ (bc0 &^ bc4)
- a[14] = bc4 ^ (bc1 &^ bc0)
-
- t = a[15] ^ d0
- bc1 = bits.RotateLeft64(t, 36)
- t = a[16] ^ d1
- bc2 = bits.RotateLeft64(t, 10)
- t = a[17] ^ d2
- bc3 = bits.RotateLeft64(t, 15)
- t = a[18] ^ d3
- bc4 = bits.RotateLeft64(t, 56)
- t = a[19] ^ d4
- bc0 = bits.RotateLeft64(t, 27)
- a[15] = bc0 ^ (bc2 &^ bc1)
- a[16] = bc1 ^ (bc3 &^ bc2)
- a[17] = bc2 ^ (bc4 &^ bc3)
- a[18] = bc3 ^ (bc0 &^ bc4)
- a[19] = bc4 ^ (bc1 &^ bc0)
-
- t = a[20] ^ d0
- bc3 = bits.RotateLeft64(t, 41)
- t = a[21] ^ d1
- bc4 = bits.RotateLeft64(t, 2)
- t = a[22] ^ d2
- bc0 = bits.RotateLeft64(t, 62)
- t = a[23] ^ d3
- bc1 = bits.RotateLeft64(t, 55)
- t = a[24] ^ d4
- bc2 = bits.RotateLeft64(t, 39)
- a[20] = bc0 ^ (bc2 &^ bc1)
- a[21] = bc1 ^ (bc3 &^ bc2)
- a[22] = bc2 ^ (bc4 &^ bc3)
- a[23] = bc3 ^ (bc0 &^ bc4)
- a[24] = bc4 ^ (bc1 &^ bc0)
- }
-}
diff --git a/vendor/golang.org/x/crypto/sha3/keccakf_amd64.go b/vendor/golang.org/x/crypto/sha3/keccakf_amd64.go
deleted file mode 100644
index b908696be..000000000
--- a/vendor/golang.org/x/crypto/sha3/keccakf_amd64.go
+++ /dev/null
@@ -1,13 +0,0 @@
-// Copyright 2015 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build amd64 && !purego && gc
-
-package sha3
-
-// This function is implemented in keccakf_amd64.s.
-
-//go:noescape
-
-func keccakF1600(a *[25]uint64)
diff --git a/vendor/golang.org/x/crypto/sha3/keccakf_amd64.s b/vendor/golang.org/x/crypto/sha3/keccakf_amd64.s
deleted file mode 100644
index 99e2f16e9..000000000
--- a/vendor/golang.org/x/crypto/sha3/keccakf_amd64.s
+++ /dev/null
@@ -1,5419 +0,0 @@ -// Code generated by command: go run keccakf_amd64_asm.go -out ../keccakf_amd64.s -pkg sha3. DO NOT EDIT. - -//go:build amd64 && !purego && gc - -// func keccakF1600(a *[25]uint64) -TEXT ·keccakF1600(SB), $200-8 - MOVQ a+0(FP), DI - - // Convert the user state into an internal state - NOTQ 8(DI) - NOTQ 16(DI) - NOTQ 64(DI) - NOTQ 96(DI) - NOTQ 136(DI) - NOTQ 160(DI) - - // Execute the KeccakF permutation - MOVQ (DI), SI - MOVQ 8(DI), BP - MOVQ 32(DI), R15 - XORQ 40(DI), SI - XORQ 48(DI), BP - XORQ 72(DI), R15 - XORQ 80(DI), SI - XORQ 88(DI), BP - XORQ 112(DI), R15 - XORQ 120(DI), SI - XORQ 128(DI), BP - XORQ 152(DI), R15 - XORQ 160(DI), SI - XORQ 168(DI), BP - MOVQ 176(DI), DX - MOVQ 184(DI), R8 - XORQ 192(DI), R15 - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x0000000000000001, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 
- MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ 
R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x0000000000008082, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 
56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 
56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x800000000000808a, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ 
BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 
96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000080008000, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ 
R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x000000000000808b, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ 
R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - 
MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x0000000080000001, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ 
AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, 
BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000080008081, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - 
MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX 
- XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000000008009, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, 
AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, 
R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x000000000000008a, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - 
XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x0000000000000088, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 
- XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), 
R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x0000000080008009, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ 
R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, 
R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x000000008000000a, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ 
DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), 
R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x000000008000808b, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, 
AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ 
$0x2b, R12 - MOVQ R11, SI - MOVQ $0x800000000000008b, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 
- ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000000008089, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ 
R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - 
MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000000008003, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - 
XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 
168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000000008002, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 
- MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - 
XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000000000080, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - 
XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x000000000000800a, AX - 
ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, 
AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x800000008000000a, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 
- XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 
168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000080008081, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX 
- ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ 
R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000000008080, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - MOVQ R12, BP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, 
R10 - XORQ R10, AX - MOVQ AX, 80(DI) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - XORQ R10, R15 - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - XORQ R11, R15 - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(DI), R12 - XORQ 56(DI), DX - XORQ R15, BX - XORQ 96(DI), R12 - XORQ 136(DI), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(DI), R13 - XORQ 64(DI), R8 - XORQ SI, CX - XORQ 104(DI), R13 - XORQ 144(DI), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, 
DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (DI), R10 - MOVQ 48(DI), R11 - XORQ R13, R9 - MOVQ 96(DI), R12 - MOVQ 144(DI), R13 - MOVQ 192(DI), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x0000000080000001, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (SP) - XORQ R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(SP) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(SP) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(SP) - MOVQ R12, 8(SP) - MOVQ R12, BP - - // Result g - MOVQ 72(DI), R11 - XORQ R9, R11 - MOVQ 80(DI), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(DI), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(DI), R13 - MOVQ 176(DI), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(SP) - XORQ AX, SI - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(SP) - XORQ AX, BP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(SP) - NOTQ R14 - XORQ R10, R15 - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(SP) - - // Result k - MOVQ 8(DI), R10 - MOVQ 56(DI), R11 - MOVQ 104(DI), R12 - MOVQ 152(DI), R13 - MOVQ 160(DI), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(SP) - XORQ AX, SI - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(SP) - XORQ AX, BP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(SP) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(SP) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(SP) - XORQ R10, R15 - - // Result 
m - MOVQ 40(DI), R11 - XORQ BX, R11 - MOVQ 88(DI), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(DI), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(DI), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(DI), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(SP) - XORQ AX, SI - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(SP) - XORQ AX, BP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 136(SP) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(SP) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(SP) - XORQ R11, R15 - - // Result s - MOVQ 16(DI), R10 - MOVQ 64(DI), R11 - MOVQ 112(DI), R12 - XORQ DX, R10 - MOVQ 120(DI), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(DI), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(SP) - ROLQ $0x27, R12 - XORQ R9, R15 - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(SP) - XORQ BX, SI - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(SP) - XORQ CX, BP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(SP) - MOVQ R8, 184(SP) - - // Prepare round - MOVQ BP, BX - ROLQ $0x01, BX - MOVQ 16(SP), R12 - XORQ 56(SP), DX - XORQ R15, BX - XORQ 96(SP), R12 - XORQ 136(SP), DX - XORQ DX, R12 - MOVQ R12, CX - ROLQ $0x01, CX - MOVQ 24(SP), R13 - XORQ 64(SP), R8 - XORQ SI, CX - XORQ 104(SP), R13 - XORQ 144(SP), R8 - XORQ R8, R13 - MOVQ R13, DX - ROLQ $0x01, DX - MOVQ R15, R8 - XORQ BP, DX - ROLQ $0x01, R8 - MOVQ SI, R9 - XORQ R12, R8 - ROLQ $0x01, R9 - - // Result b - MOVQ (SP), R10 - MOVQ 48(SP), R11 - XORQ R13, R9 - MOVQ 96(SP), R12 - MOVQ 144(SP), R13 - MOVQ 192(SP), R14 - XORQ CX, R11 - ROLQ $0x2c, R11 - XORQ DX, R12 - XORQ BX, R10 - ROLQ $0x2b, R12 - MOVQ R11, SI - MOVQ $0x8000000080008008, AX - ORQ R12, SI - XORQ R10, AX - XORQ AX, SI - MOVQ SI, (DI) - XORQ 
R9, R14 - ROLQ $0x0e, R14 - MOVQ R10, R15 - ANDQ R11, R15 - XORQ R14, R15 - MOVQ R15, 32(DI) - XORQ R8, R13 - ROLQ $0x15, R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 16(DI) - NOTQ R12 - ORQ R10, R14 - ORQ R13, R12 - XORQ R13, R14 - XORQ R11, R12 - MOVQ R14, 24(DI) - MOVQ R12, 8(DI) - NOP - - // Result g - MOVQ 72(SP), R11 - XORQ R9, R11 - MOVQ 80(SP), R12 - ROLQ $0x14, R11 - XORQ BX, R12 - ROLQ $0x03, R12 - MOVQ 24(SP), R10 - MOVQ R11, AX - ORQ R12, AX - XORQ R8, R10 - MOVQ 128(SP), R13 - MOVQ 176(SP), R14 - ROLQ $0x1c, R10 - XORQ R10, AX - MOVQ AX, 40(DI) - NOP - XORQ CX, R13 - ROLQ $0x2d, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 48(DI) - NOP - XORQ DX, R14 - ROLQ $0x3d, R14 - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 64(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 72(DI) - NOTQ R14 - NOP - ORQ R14, R13 - XORQ R12, R13 - MOVQ R13, 56(DI) - - // Result k - MOVQ 8(SP), R10 - MOVQ 56(SP), R11 - MOVQ 104(SP), R12 - MOVQ 152(SP), R13 - MOVQ 160(SP), R14 - XORQ DX, R11 - ROLQ $0x06, R11 - XORQ R8, R12 - ROLQ $0x19, R12 - MOVQ R11, AX - ORQ R12, AX - XORQ CX, R10 - ROLQ $0x01, R10 - XORQ R10, AX - MOVQ AX, 80(DI) - NOP - XORQ R9, R13 - ROLQ $0x08, R13 - MOVQ R12, AX - ANDQ R13, AX - XORQ R11, AX - MOVQ AX, 88(DI) - NOP - XORQ BX, R14 - ROLQ $0x12, R14 - NOTQ R13 - MOVQ R13, AX - ANDQ R14, AX - XORQ R12, AX - MOVQ AX, 96(DI) - MOVQ R14, AX - ORQ R10, AX - XORQ R13, AX - MOVQ AX, 104(DI) - ANDQ R11, R10 - XORQ R14, R10 - MOVQ R10, 112(DI) - NOP - - // Result m - MOVQ 40(SP), R11 - XORQ BX, R11 - MOVQ 88(SP), R12 - ROLQ $0x24, R11 - XORQ CX, R12 - MOVQ 32(SP), R10 - ROLQ $0x0a, R12 - MOVQ R11, AX - MOVQ 136(SP), R13 - ANDQ R12, AX - XORQ R9, R10 - MOVQ 184(SP), R14 - ROLQ $0x1b, R10 - XORQ R10, AX - MOVQ AX, 120(DI) - NOP - XORQ DX, R13 - ROLQ $0x0f, R13 - MOVQ R12, AX - ORQ R13, AX - XORQ R11, AX - MOVQ AX, 128(DI) - NOP - XORQ R8, R14 - ROLQ $0x38, R14 - NOTQ R13 - MOVQ R13, AX - ORQ R14, AX - XORQ R12, AX - MOVQ AX, 
136(DI) - ORQ R10, R11 - XORQ R14, R11 - MOVQ R11, 152(DI) - ANDQ R10, R14 - XORQ R13, R14 - MOVQ R14, 144(DI) - NOP - - // Result s - MOVQ 16(SP), R10 - MOVQ 64(SP), R11 - MOVQ 112(SP), R12 - XORQ DX, R10 - MOVQ 120(SP), R13 - ROLQ $0x3e, R10 - XORQ R8, R11 - MOVQ 168(SP), R14 - ROLQ $0x37, R11 - XORQ R9, R12 - MOVQ R10, R9 - XORQ CX, R14 - ROLQ $0x02, R14 - ANDQ R11, R9 - XORQ R14, R9 - MOVQ R9, 192(DI) - ROLQ $0x27, R12 - NOP - NOTQ R11 - XORQ BX, R13 - MOVQ R11, BX - ANDQ R12, BX - XORQ R10, BX - MOVQ BX, 160(DI) - NOP - ROLQ $0x29, R13 - MOVQ R12, CX - ORQ R13, CX - XORQ R11, CX - MOVQ CX, 168(DI) - NOP - MOVQ R13, DX - MOVQ R14, R8 - ANDQ R14, DX - ORQ R10, R8 - XORQ R12, DX - XORQ R13, R8 - MOVQ DX, 176(DI) - MOVQ R8, 184(DI) - - // Revert the internal state to the user state - NOTQ 8(DI) - NOTQ 16(DI) - NOTQ 64(DI) - NOTQ 96(DI) - NOTQ 136(DI) - NOTQ 160(DI) - RET diff --git a/vendor/golang.org/x/crypto/sha3/sha3.go b/vendor/golang.org/x/crypto/sha3/sha3.go deleted file mode 100644 index 6658c4447..000000000 --- a/vendor/golang.org/x/crypto/sha3/sha3.go +++ /dev/null 
@@ -1,244 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package sha3
-
-import (
- "crypto/subtle"
- "encoding/binary"
- "errors"
- "unsafe"
-
- "golang.org/x/sys/cpu"
-)
-
-// spongeDirection indicates the direction bytes are flowing through the sponge.
-type spongeDirection int
-
-const (
- // spongeAbsorbing indicates that the sponge is absorbing input.
- spongeAbsorbing spongeDirection = iota
- // spongeSqueezing indicates that the sponge is being squeezed.
- spongeSqueezing
-)
-
-type state struct {
- a [1600 / 8]byte // main state of the hash
-
- // a[n:rate] is the buffer. If absorbing, it's the remaining space to XOR
- // into before running the permutation. If squeezing, it's the remaining
- // output to produce before running the permutation.
- n, rate int
-
- // dsbyte contains the "domain separation" bits and the first bit of
- // the padding. Sections 6.1 and 6.2 of [1] separate the outputs of the
- // SHA-3 and SHAKE functions by appending bitstrings to the message.
- // Using a little-endian bit-ordering convention, these are "01" for SHA-3
- // and "1111" for SHAKE, or 00000010b and 00001111b, respectively. Then the
- // padding rule from section 5.1 is applied to pad the message to a multiple
- // of the rate, which involves adding a "1" bit, zero or more "0" bits, and
- // a final "1" bit. We merge the first "1" bit from the padding into dsbyte,
- // giving 00000110b (0x06) and 00011111b (0x1f).
- // [1] http://csrc.nist.gov/publications/drafts/fips-202/fips_202_draft.pdf
- // "Draft FIPS 202: SHA-3 Standard: Permutation-Based Hash and
- // Extendable-Output Functions (May 2014)"
- dsbyte byte
-
- outputLen int // the default output size in bytes
- state spongeDirection // whether the sponge is absorbing or squeezing
-}
-
-// BlockSize returns the rate of sponge underlying this hash function.
-func (d *state) BlockSize() int { return d.rate }
-
-// Size returns the output size of the hash function in bytes.
-func (d *state) Size() int { return d.outputLen }
-
-// Reset clears the internal state by zeroing the sponge state and
-// the buffer indexes, and setting Sponge.state to absorbing.
-func (d *state) Reset() {
- // Zero the permutation's state.
- for i := range d.a {
- d.a[i] = 0
- }
- d.state = spongeAbsorbing
- d.n = 0
-}
-
-func (d *state) clone() *state {
- ret := *d
- return &ret
-}
-
-// permute applies the KeccakF-1600 permutation.
-func (d *state) permute() {
- var a *[25]uint64
- if cpu.IsBigEndian {
- a = new([25]uint64)
- for i := range a {
- a[i] = binary.LittleEndian.Uint64(d.a[i*8:])
- }
- } else {
- a = (*[25]uint64)(unsafe.Pointer(&d.a))
- }
-
- keccakF1600(a)
- d.n = 0
-
- if cpu.IsBigEndian {
- for i := range a {
- binary.LittleEndian.PutUint64(d.a[i*8:], a[i])
- }
- }
-}
-
-// pads appends the domain separation bits in dsbyte, applies
-// the multi-bitrate 10..1 padding rule, and permutes the state.
-func (d *state) padAndPermute() {
- // Pad with this instance's domain-separator bits. We know that there's
- // at least one byte of space in the sponge because, if it were full,
- // permute would have been called to empty it. dsbyte also contains the
- // first one bit for the padding. See the comment in the state struct.
- d.a[d.n] ^= d.dsbyte
- // This adds the final one bit for the padding. Because of the way that
- // bits are numbered from the LSB upwards, the final bit is the MSB of
- // the last byte.
- d.a[d.rate-1] ^= 0x80
- // Apply the permutation
- d.permute()
- d.state = spongeSqueezing
-}
-
-// Write absorbs more data into the hash's state. It panics if any
-// output has already been read.
-func (d *state) Write(p []byte) (n int, err error) {
- if d.state != spongeAbsorbing {
- panic("sha3: Write after Read")
- }
-
- n = len(p)
-
- for len(p) > 0 {
- x := subtle.XORBytes(d.a[d.n:d.rate], d.a[d.n:d.rate], p)
- d.n += x
- p = p[x:]
-
- // If the sponge is full, apply the permutation.
- if d.n == d.rate {
- d.permute()
- }
- }
-
- return
-}
-
-// Read squeezes an arbitrary number of bytes from the sponge.
-func (d *state) Read(out []byte) (n int, err error) {
- // If we're still absorbing, pad and apply the permutation.
- if d.state == spongeAbsorbing {
- d.padAndPermute()
- }
-
- n = len(out)
-
- // Now, do the squeezing.
- for len(out) > 0 {
- // Apply the permutation if we've squeezed the sponge dry.
- if d.n == d.rate {
- d.permute()
- }
-
- x := copy(out, d.a[d.n:d.rate])
- d.n += x
- out = out[x:]
- }
-
- return
-}
-
-// Sum applies padding to the hash state and then squeezes out the desired
-// number of output bytes. It panics if any output has already been read.
-func (d *state) Sum(in []byte) []byte {
- if d.state != spongeAbsorbing {
- panic("sha3: Sum after Read")
- }
-
- // Make a copy of the original hash so that caller can keep writing
- // and summing.
- dup := d.clone()
- hash := make([]byte, dup.outputLen, 64) // explicit cap to allow stack allocation
- dup.Read(hash)
- return append(in, hash...)
-}
-
-const (
- magicSHA3 = "sha\x08"
- magicShake = "sha\x09"
- magicCShake = "sha\x0a"
- magicKeccak = "sha\x0b"
- // magic || rate || main state || n || sponge direction
- marshaledSize = len(magicSHA3) + 1 + 200 + 1 + 1
-)
-
-func (d *state) MarshalBinary() ([]byte, error) {
- return d.AppendBinary(make([]byte, 0, marshaledSize))
-}
-
-func (d *state) AppendBinary(b []byte) ([]byte, error) {
- switch d.dsbyte {
- case dsbyteSHA3:
- b = append(b, magicSHA3...)
- case dsbyteShake:
- b = append(b, magicShake...)
- case dsbyteCShake:
- b = append(b, magicCShake...)
- case dsbyteKeccak:
- b = append(b, magicKeccak...)
- default:
- panic("unknown dsbyte")
- }
- // rate is at most 168, and n is at most rate.
- b = append(b, byte(d.rate))
- b = append(b, d.a[:]...)
- b = append(b, byte(d.n), byte(d.state))
- return b, nil
-}
-
-func (d *state) UnmarshalBinary(b []byte) error {
- if len(b) != marshaledSize {
- return errors.New("sha3: invalid hash state")
- }
-
- magic := string(b[:len(magicSHA3)])
- b = b[len(magicSHA3):]
- switch {
- case magic == magicSHA3 && d.dsbyte == dsbyteSHA3:
- case magic == magicShake && d.dsbyte == dsbyteShake:
- case magic == magicCShake && d.dsbyte == dsbyteCShake:
- case magic == magicKeccak && d.dsbyte == dsbyteKeccak:
- default:
- return errors.New("sha3: invalid hash state identifier")
- }
-
- rate := int(b[0])
- b = b[1:]
- if rate != d.rate {
- return errors.New("sha3: invalid hash state function")
- }
-
- copy(d.a[:], b)
- b = b[len(d.a):]
-
- n, state := int(b[0]), spongeDirection(b[1])
- if n > d.rate {
- return errors.New("sha3: invalid hash state")
- }
- d.n = n
- if state != spongeAbsorbing && state != spongeSqueezing {
- return errors.New("sha3: invalid hash state")
- }
- d.state = state
-
- return nil
-}
diff --git a/vendor/golang.org/x/crypto/sha3/sha3_s390x.go b/vendor/golang.org/x/crypto/sha3/sha3_s390x.go
deleted file mode 100644
index 00d8034ae..000000000
--- a/vendor/golang.org/x/crypto/sha3/sha3_s390x.go
+++ /dev/null
@@ -1,303 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build gc && !purego
-
-package sha3
-
-// This file contains code for using the 'compute intermediate
-// message digest' (KIMD) and 'compute last message digest' (KLMD)
-// instructions to compute SHA-3 and SHAKE hashes on IBM Z.
-
-import (
- "hash"
-
- "golang.org/x/sys/cpu"
-)
-
-// codes represent 7-bit KIMD/KLMD function codes as defined in
-// the Principles of Operation.
-type code uint64
-
-const (
- // function codes for KIMD/KLMD
- sha3_224 code = 32
- sha3_256 = 33
- sha3_384 = 34
- sha3_512 = 35
- shake_128 = 36
- shake_256 = 37
- nopad = 0x100
-)
-
-// kimd is a wrapper for the 'compute intermediate message digest' instruction.
-// src must be a multiple of the rate for the given function code.
-//
-//go:noescape
-func kimd(function code, chain *[200]byte, src []byte)
-
-// klmd is a wrapper for the 'compute last message digest' instruction.
-// src padding is handled by the instruction.
-//
-//go:noescape
-func klmd(function code, chain *[200]byte, dst, src []byte)
-
-type asmState struct {
- a [200]byte // 1600 bit state
- buf []byte // care must be taken to ensure cap(buf) is a multiple of rate
- rate int // equivalent to block size
- storage [3072]byte // underlying storage for buf
- outputLen int // output length for full security
- function code // KIMD/KLMD function code
- state spongeDirection // whether the sponge is absorbing or squeezing
-}
-
-func newAsmState(function code) *asmState {
- var s asmState
- s.function = function
- switch function {
- case sha3_224:
- s.rate = 144
- s.outputLen = 28
- case sha3_256:
- s.rate = 136
- s.outputLen = 32
- case sha3_384:
- s.rate = 104
- s.outputLen = 48
- case sha3_512:
- s.rate = 72
- s.outputLen = 64
- case shake_128:
- s.rate = 168
- s.outputLen = 32
- case shake_256:
- s.rate = 136
- s.outputLen = 64
- default:
- panic("sha3: unrecognized function code")
- }
-
- // limit s.buf size to a multiple of s.rate
- s.resetBuf()
- return &s
-}
-
-func (s *asmState) clone() *asmState {
- c := *s
- c.buf = c.storage[:len(s.buf):cap(s.buf)]
- return &c
-}
-
-// copyIntoBuf copies b into buf. It will panic if there is not enough space to
-// store all of b.
-func (s *asmState) copyIntoBuf(b []byte) {
- bufLen := len(s.buf)
- s.buf = s.buf[:len(s.buf)+len(b)]
- copy(s.buf[bufLen:], b)
-}
-
-// resetBuf points buf at storage, sets the length to 0 and sets cap to be a
-// multiple of the rate.
-func (s *asmState) resetBuf() {
- max := (cap(s.storage) / s.rate) * s.rate
- s.buf = s.storage[:0:max]
-}
-
-// Write (via the embedded io.Writer interface) adds more data to the running hash.
-// It never returns an error.
-func (s *asmState) Write(b []byte) (int, error) {
- if s.state != spongeAbsorbing {
- panic("sha3: Write after Read")
- }
- length := len(b)
- for len(b) > 0 {
- if len(s.buf) == 0 && len(b) >= cap(s.buf) {
- // Hash the data directly and push any remaining bytes
- // into the buffer.
- remainder := len(b) % s.rate
- kimd(s.function, &s.a, b[:len(b)-remainder])
- if remainder != 0 {
- s.copyIntoBuf(b[len(b)-remainder:])
- }
- return length, nil
- }
-
- if len(s.buf) == cap(s.buf) {
- // flush the buffer
- kimd(s.function, &s.a, s.buf)
- s.buf = s.buf[:0]
- }
-
- // copy as much as we can into the buffer
- n := len(b)
- if len(b) > cap(s.buf)-len(s.buf) {
- n = cap(s.buf) - len(s.buf)
- }
- s.copyIntoBuf(b[:n])
- b = b[n:]
- }
- return length, nil
-}
-
-// Read squeezes an arbitrary number of bytes from the sponge.
-func (s *asmState) Read(out []byte) (n int, err error) {
- // The 'compute last message digest' instruction only stores the digest
- // at the first operand (dst) for SHAKE functions.
- if s.function != shake_128 && s.function != shake_256 {
- panic("sha3: can only call Read for SHAKE functions")
- }
-
- n = len(out)
-
- // need to pad if we were absorbing
- if s.state == spongeAbsorbing {
- s.state = spongeSqueezing
-
- // write hash directly into out if possible
- if len(out)%s.rate == 0 {
- klmd(s.function, &s.a, out, s.buf) // len(out) may be 0
- s.buf = s.buf[:0]
- return
- }
-
- // write hash into buffer
- max := cap(s.buf)
- if max > len(out) {
- max = (len(out)/s.rate)*s.rate + s.rate
- }
- klmd(s.function, &s.a, s.buf[:max], s.buf)
- s.buf = s.buf[:max]
- }
-
- for len(out) > 0 {
- // flush the buffer
- if len(s.buf) != 0 {
- c := copy(out, s.buf)
- out = out[c:]
- s.buf = s.buf[c:]
- continue
- }
-
- // write hash directly into out if possible
- if len(out)%s.rate == 0 {
- klmd(s.function|nopad, &s.a, out, nil)
- return
- }
-
- // write hash into buffer
- s.resetBuf()
- if cap(s.buf) > len(out) {
- s.buf = s.buf[:(len(out)/s.rate)*s.rate+s.rate]
- }
- klmd(s.function|nopad, &s.a, s.buf, nil)
- }
- return
-}
-
-// Sum appends the current hash to b and returns the resulting slice.
-// It does not change the underlying hash state.
-func (s *asmState) Sum(b []byte) []byte {
- if s.state != spongeAbsorbing {
- panic("sha3: Sum after Read")
- }
-
- // Copy the state to preserve the original.
- a := s.a
-
- // Hash the buffer. Note that we don't clear it because we
- // aren't updating the state.
- switch s.function {
- case sha3_224, sha3_256, sha3_384, sha3_512:
- klmd(s.function, &a, nil, s.buf)
- return append(b, a[:s.outputLen]...)
- case shake_128, shake_256:
- d := make([]byte, s.outputLen, 64)
- klmd(s.function, &a, d, s.buf)
- return append(b, d[:s.outputLen]...)
- default:
- panic("sha3: unknown function")
- }
-}
-
-// Reset resets the Hash to its initial state.
-func (s *asmState) Reset() {
- for i := range s.a {
- s.a[i] = 0
- }
- s.resetBuf()
- s.state = spongeAbsorbing
-}
-
-// Size returns the number of bytes Sum will return.
-func (s *asmState) Size() int {
- return s.outputLen
-}
-
-// BlockSize returns the hash's underlying block size.
-// The Write method must be able to accept any amount
-// of data, but it may operate more efficiently if all writes
-// are a multiple of the block size.
-func (s *asmState) BlockSize() int {
- return s.rate
-}
-
-// Clone returns a copy of the ShakeHash in its current state.
-func (s *asmState) Clone() ShakeHash {
- return s.clone()
-}
-
-// new224 returns an assembly implementation of SHA3-224 if available,
-// otherwise it returns a generic implementation.
-func new224() hash.Hash {
- if cpu.S390X.HasSHA3 {
- return newAsmState(sha3_224)
- }
- return new224Generic()
-}
-
-// new256 returns an assembly implementation of SHA3-256 if available,
-// otherwise it returns a generic implementation.
-func new256() hash.Hash {
- if cpu.S390X.HasSHA3 {
- return newAsmState(sha3_256)
- }
- return new256Generic()
-}
-
-// new384 returns an assembly implementation of SHA3-384 if available,
-// otherwise it returns a generic implementation.
-func new384() hash.Hash {
- if cpu.S390X.HasSHA3 {
- return newAsmState(sha3_384)
- }
- return new384Generic()
-}
-
-// new512 returns an assembly implementation of SHA3-512 if available,
-// otherwise it returns a generic implementation.
-func new512() hash.Hash {
- if cpu.S390X.HasSHA3 {
- return newAsmState(sha3_512)
- }
- return new512Generic()
-}
-
-// newShake128 returns an assembly implementation of SHAKE-128 if available,
-// otherwise it returns a generic implementation.
-func newShake128() ShakeHash {
- if cpu.S390X.HasSHA3 {
- return newAsmState(shake_128)
- }
- return newShake128Generic()
-}
-
-// newShake256 returns an assembly implementation of SHAKE-256 if available,
-// otherwise it returns a generic implementation.
-func newShake256() ShakeHash {
- if cpu.S390X.HasSHA3 {
- return newAsmState(shake_256)
- }
- return newShake256Generic()
-}
diff --git a/vendor/golang.org/x/crypto/sha3/sha3_s390x.s b/vendor/golang.org/x/crypto/sha3/sha3_s390x.s
deleted file mode 100644
index 826b862c7..000000000
--- a/vendor/golang.org/x/crypto/sha3/sha3_s390x.s
+++ /dev/null
@@ -1,33 +0,0 @@
-// Copyright 2017 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build gc && !purego
-
-#include "textflag.h"
-
-// func kimd(function code, chain *[200]byte, src []byte)
-TEXT ·kimd(SB), NOFRAME|NOSPLIT, $0-40
- MOVD function+0(FP), R0
- MOVD chain+8(FP), R1
- LMG src+16(FP), R2, R3 // R2=base, R3=len
-
-continue:
- WORD $0xB93E0002 // KIMD --, R2
- BVS continue // continue if interrupted
- MOVD $0, R0 // reset R0 for pre-go1.8 compilers
- RET
-
-// func klmd(function code, chain *[200]byte, dst, src []byte)
-TEXT ·klmd(SB), NOFRAME|NOSPLIT, $0-64
- // TODO: SHAKE support
- MOVD function+0(FP), R0
- MOVD chain+8(FP), R1
- LMG dst+16(FP), R2, R3 // R2=base, R3=len
- LMG src+40(FP), R4, R5 // R4=base, R5=len
-
-continue:
- WORD $0xB93F0024 // KLMD R2, R4
- BVS continue // continue if interrupted
- MOVD $0, R0 // reset R0 for pre-go1.8 compilers
- RET
diff --git a/vendor/golang.org/x/crypto/sha3/shake.go b/vendor/golang.org/x/crypto/sha3/shake.go
deleted file mode 100644
index a6b3a4281..000000000
--- a/vendor/golang.org/x/crypto/sha3/shake.go
+++ /dev/null
@@ -1,193 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package sha3
-
-// This file defines the ShakeHash interface, and provides
-// functions for creating SHAKE and cSHAKE instances, as well as utility
-// functions for hashing bytes to arbitrary-length output.
-//
-//
-// SHAKE implementation is based on FIPS PUB 202 [1]
-// cSHAKE implementations is based on NIST SP 800-185 [2]
-//
-// [1] https://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.202.pdf
-// [2] https://doi.org/10.6028/NIST.SP.800-185
-
-import (
- "bytes"
- "encoding/binary"
- "errors"
- "hash"
- "io"
- "math/bits"
-)
-
-// ShakeHash defines the interface to hash functions that support
-// arbitrary-length output. When used as a plain [hash.Hash], it
-// produces minimum-length outputs that provide full-strength generic
-// security.
-type ShakeHash interface {
- hash.Hash
-
- // Read reads more output from the hash; reading affects the hash's
- // state. (ShakeHash.Read is thus very different from Hash.Sum)
- // It never returns an error, but subsequent calls to Write or Sum
- // will panic.
- io.Reader
-
- // Clone returns a copy of the ShakeHash in its current state.
- Clone() ShakeHash
-}
-
-// cSHAKE specific context
-type cshakeState struct {
- *state // SHA-3 state context and Read/Write operations
-
- // initBlock is the cSHAKE specific initialization set of bytes. It is initialized
- // by newCShake function and stores concatenation of N followed by S, encoded
- // by the method specified in 3.3 of [1].
- // It is stored here in order for Reset() to be able to put context into
- // initial state.
- initBlock []byte
-}
-
-func bytepad(data []byte, rate int) []byte {
- out := make([]byte, 0, 9+len(data)+rate-1)
- out = append(out, leftEncode(uint64(rate))...)
- out = append(out, data...)
- if padlen := rate - len(out)%rate; padlen < rate {
- out = append(out, make([]byte, padlen)...)
- }
- return out
-}
-
-func leftEncode(x uint64) []byte {
- // Let n be the smallest positive integer for which 2^(8n) > x.
- n := (bits.Len64(x) + 7) / 8
- if n == 0 {
- n = 1
- }
- // Return n || x with n as a byte and x an n bytes in big-endian order.
- b := make([]byte, 9)
- binary.BigEndian.PutUint64(b[1:], x)
- b = b[9-n-1:]
- b[0] = byte(n)
- return b
-}
-
-func newCShake(N, S []byte, rate, outputLen int, dsbyte byte) ShakeHash {
- c := cshakeState{state: &state{rate: rate, outputLen: outputLen, dsbyte: dsbyte}}
- c.initBlock = make([]byte, 0, 9+len(N)+9+len(S)) // leftEncode returns max 9 bytes
- c.initBlock = append(c.initBlock, leftEncode(uint64(len(N))*8)...)
- c.initBlock = append(c.initBlock, N...)
- c.initBlock = append(c.initBlock, leftEncode(uint64(len(S))*8)...)
- c.initBlock = append(c.initBlock, S...)
- c.Write(bytepad(c.initBlock, c.rate))
- return &c
-}
-
-// Reset resets the hash to initial state.
-func (c *cshakeState) Reset() {
- c.state.Reset()
- c.Write(bytepad(c.initBlock, c.rate))
-}
-
-// Clone returns copy of a cSHAKE context within its current state.
-func (c *cshakeState) Clone() ShakeHash {
- b := make([]byte, len(c.initBlock))
- copy(b, c.initBlock)
- return &cshakeState{state: c.clone(), initBlock: b}
-}
-
-// Clone returns copy of SHAKE context within its current state.
-func (c *state) Clone() ShakeHash {
- return c.clone()
-}
-
-func (c *cshakeState) MarshalBinary() ([]byte, error) {
- return c.AppendBinary(make([]byte, 0, marshaledSize+len(c.initBlock)))
-}
-
-func (c *cshakeState) AppendBinary(b []byte) ([]byte, error) {
- b, err := c.state.AppendBinary(b)
- if err != nil {
- return nil, err
- }
- b = append(b, c.initBlock...)
- return b, nil
-}
-
-func (c *cshakeState) UnmarshalBinary(b []byte) error {
- if len(b) <= marshaledSize {
- return errors.New("sha3: invalid hash state")
- }
- if err := c.state.UnmarshalBinary(b[:marshaledSize]); err != nil {
- return err
- }
- c.initBlock = bytes.Clone(b[marshaledSize:])
- return nil
-}
-
-// NewShake128 creates a new SHAKE128 variable-output-length ShakeHash.
-// Its generic security strength is 128 bits against all attacks if at
-// least 32 bytes of its output are used.
-func NewShake128() ShakeHash {
- return newShake128()
-}
-
-// NewShake256 creates a new SHAKE256 variable-output-length ShakeHash.
-// Its generic security strength is 256 bits against all attacks if
-// at least 64 bytes of its output are used.
-func NewShake256() ShakeHash {
- return newShake256()
-}
-
-func newShake128Generic() *state {
- return &state{rate: rateK256, outputLen: 32, dsbyte: dsbyteShake}
-}
-
-func newShake256Generic() *state {
- return &state{rate: rateK512, outputLen: 64, dsbyte: dsbyteShake}
-}
-
-// NewCShake128 creates a new instance of cSHAKE128 variable-output-length ShakeHash,
-// a customizable variant of SHAKE128.
-// N is used to define functions based on cSHAKE, it can be empty when plain cSHAKE is
-// desired. S is a customization byte string used for domain separation - two cSHAKE
-// computations on same input with different S yield unrelated outputs.
-// When N and S are both empty, this is equivalent to NewShake128.
-func NewCShake128(N, S []byte) ShakeHash {
- if len(N) == 0 && len(S) == 0 {
- return NewShake128()
- }
- return newCShake(N, S, rateK256, 32, dsbyteCShake)
-}
-
-// NewCShake256 creates a new instance of cSHAKE256 variable-output-length ShakeHash,
-// a customizable variant of SHAKE256.
-// N is used to define functions based on cSHAKE, it can be empty when plain cSHAKE is
-// desired. S is a customization byte string used for domain separation - two cSHAKE
-// computations on same input with different S yield unrelated outputs.
-// When N and S are both empty, this is equivalent to NewShake256.
-func NewCShake256(N, S []byte) ShakeHash {
- if len(N) == 0 && len(S) == 0 {
- return NewShake256()
- }
- return newCShake(N, S, rateK512, 64, dsbyteCShake)
-}
-
-// ShakeSum128 writes an arbitrary-length digest of data into hash.
-func ShakeSum128(hash, data []byte) {
- h := NewShake128()
- h.Write(data)
- h.Read(hash)
-}
-
-// ShakeSum256 writes an arbitrary-length digest of data into hash.
-func ShakeSum256(hash, data []byte) {
- h := NewShake256()
- h.Write(data)
- h.Read(hash)
-}
diff --git a/vendor/golang.org/x/crypto/sha3/shake_noasm.go b/vendor/golang.org/x/crypto/sha3/shake_noasm.go
deleted file mode 100644
index 4276ba4ab..000000000
--- a/vendor/golang.org/x/crypto/sha3/shake_noasm.go
+++ /dev/null
@@ -1,15 +0,0 @@
-// Copyright 2023 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-//go:build !gc || purego || !s390x
-
-package sha3
-
-func newShake128() *state {
- return newShake128Generic()
-}
-
-func newShake256() *state {
- return newShake256Generic()
-}
diff --git a/vendor/golang.org/x/crypto/ssh/buffer.go b/vendor/golang.org/x/crypto/ssh/buffer.go
deleted file mode 100644
index 1ab07d078..000000000
--- a/vendor/golang.org/x/crypto/ssh/buffer.go
+++ /dev/null
@@ -1,97 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
- "io"
- "sync"
-)
-
-// buffer provides a linked list buffer for data exchange
-// between producer and consumer. Theoretically the buffer is
-// of unlimited capacity as it does no allocation of its own.
-type buffer struct {
- // protects concurrent access to head, tail and closed
- *sync.Cond
-
- head *element // the buffer that will be read first
- tail *element // the buffer that will be read last
-
- closed bool
-}
-
-// An element represents a single link in a linked list.
-type element struct {
- buf []byte
- next *element
-}
-
-// newBuffer returns an empty buffer that is not closed.
-func newBuffer() *buffer {
- e := new(element)
- b := &buffer{
- Cond: newCond(),
- head: e,
- tail: e,
- }
- return b
-}
-
-// write makes buf available for Read to receive.
-// buf must not be modified after the call to write.
-func (b *buffer) write(buf []byte) {
- b.Cond.L.Lock()
- e := &element{buf: buf}
- b.tail.next = e
- b.tail = e
- b.Cond.Signal()
- b.Cond.L.Unlock()
-}
-
-// eof closes the buffer. Reads from the buffer once all
-// the data has been consumed will receive io.EOF.
-func (b *buffer) eof() {
- b.Cond.L.Lock()
- b.closed = true
- b.Cond.Signal()
- b.Cond.L.Unlock()
-}
-
-// Read reads data from the internal buffer in buf. Reads will block
-// if no data is available, or until the buffer is closed.
-func (b *buffer) Read(buf []byte) (n int, err error) {
- b.Cond.L.Lock()
- defer b.Cond.L.Unlock()
-
- for len(buf) > 0 {
- // if there is data in b.head, copy it
- if len(b.head.buf) > 0 {
- r := copy(buf, b.head.buf)
- buf, b.head.buf = buf[r:], b.head.buf[r:]
- n += r
- continue
- }
- // if there is a next buffer, make it the head
- if len(b.head.buf) == 0 && b.head != b.tail {
- b.head = b.head.next
- continue
- }
-
- // if at least one byte has been copied, return
- if n > 0 {
- break
- }
-
- // if nothing was read, and there is nothing outstanding
- // check to see if the buffer is closed.
- if b.closed {
- err = io.EOF
- break
- }
- // out of buffers, wait for producer
- b.Cond.Wait()
- }
- return
-}
diff --git a/vendor/golang.org/x/crypto/ssh/certs.go b/vendor/golang.org/x/crypto/ssh/certs.go
deleted file mode 100644
index 27d0e14aa..000000000
--- a/vendor/golang.org/x/crypto/ssh/certs.go
+++ /dev/null
@@ -1,611 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
- "bytes"
- "errors"
- "fmt"
- "io"
- "net"
- "sort"
- "time"
-)
-
-// Certificate algorithm names from [PROTOCOL.certkeys]. These values can appear
-// in Certificate.Type, PublicKey.Type, and ClientConfig.HostKeyAlgorithms.
-// Unlike key algorithm names, these are not passed to AlgorithmSigner nor
-// returned by MultiAlgorithmSigner and don't appear in the Signature.Format
-// field.
-const (
- CertAlgoRSAv01 = "ssh-rsa-cert-v01@openssh.com"
- CertAlgoDSAv01 = "ssh-dss-cert-v01@openssh.com"
- CertAlgoECDSA256v01 = "ecdsa-sha2-nistp256-cert-v01@openssh.com"
- CertAlgoECDSA384v01 = "ecdsa-sha2-nistp384-cert-v01@openssh.com"
- CertAlgoECDSA521v01 = "ecdsa-sha2-nistp521-cert-v01@openssh.com"
- CertAlgoSKECDSA256v01 = "sk-ecdsa-sha2-nistp256-cert-v01@openssh.com"
- CertAlgoED25519v01 = "ssh-ed25519-cert-v01@openssh.com"
- CertAlgoSKED25519v01 = "sk-ssh-ed25519-cert-v01@openssh.com"
-
- // CertAlgoRSASHA256v01 and CertAlgoRSASHA512v01 can't appear as a
- // Certificate.Type (or PublicKey.Type), but only in
- // ClientConfig.HostKeyAlgorithms.
- CertAlgoRSASHA256v01 = "rsa-sha2-256-cert-v01@openssh.com"
- CertAlgoRSASHA512v01 = "rsa-sha2-512-cert-v01@openssh.com"
-)
-
-const (
- // Deprecated: use CertAlgoRSAv01.
- CertSigAlgoRSAv01 = CertAlgoRSAv01
- // Deprecated: use CertAlgoRSASHA256v01.
- CertSigAlgoRSASHA2256v01 = CertAlgoRSASHA256v01
- // Deprecated: use CertAlgoRSASHA512v01.
- CertSigAlgoRSASHA2512v01 = CertAlgoRSASHA512v01
-)
-
-// Certificate types distinguish between host and user
-// certificates. The values can be set in the CertType field of
-// Certificate.
-const (
- UserCert = 1
- HostCert = 2
-)
-
-// Signature represents a cryptographic signature.
-type Signature struct {
- Format string
- Blob []byte
- Rest []byte `ssh:"rest"`
-}
-
-// CertTimeInfinity can be used for OpenSSHCertV01.ValidBefore to indicate that
-// a certificate does not expire.
-const CertTimeInfinity = 1<<64 - 1
-
-// An Certificate represents an OpenSSH certificate as defined in
-// [PROTOCOL.certkeys]?rev=1.8. The Certificate type implements the
-// PublicKey interface, so it can be unmarshaled using
-// ParsePublicKey.
-type Certificate struct {
- Nonce []byte
- Key PublicKey
- Serial uint64
- CertType uint32
- KeyId string
- ValidPrincipals []string
- ValidAfter uint64
- ValidBefore uint64
- Permissions
- Reserved []byte
- SignatureKey PublicKey
- Signature *Signature
-}
-
-// genericCertData holds the key-independent part of the certificate data.
-// Overall, certificates contain an nonce, public key fields and
-// key-independent fields.
-type genericCertData struct {
- Serial uint64
- CertType uint32
- KeyId string
- ValidPrincipals []byte
- ValidAfter uint64
- ValidBefore uint64
- CriticalOptions []byte
- Extensions []byte
- Reserved []byte
- SignatureKey []byte
- Signature []byte
-}
-
-func marshalStringList(namelist []string) []byte {
- var to []byte
- for _, name := range namelist {
- s := struct{ N string }{name}
- to = append(to, Marshal(&s)...)
- }
- return to
-}
-
-type optionsTuple struct {
- Key string
- Value []byte
-}
-
-type optionsTupleValue struct {
- Value string
-}
-
-// serialize a map of critical options or extensions
-// issue #10569 - per [PROTOCOL.certkeys] and SSH implementation,
-// we need two length prefixes for a non-empty string value
-func marshalTuples(tups map[string]string) []byte {
- keys := make([]string, 0, len(tups))
- for key := range tups {
- keys = append(keys, key)
- }
- sort.Strings(keys)
-
- var ret []byte
- for _, key := range keys {
- s := optionsTuple{Key: key}
- if value := tups[key]; len(value) > 0 {
- s.Value = Marshal(&optionsTupleValue{value})
- }
- ret = append(ret, Marshal(&s)...)
- }
- return ret
-}
-
-// issue #10569 - per [PROTOCOL.certkeys] and SSH implementation,
-// we need two length prefixes for a non-empty option value
-func parseTuples(in []byte) (map[string]string, error) {
- tups := map[string]string{}
- var lastKey string
- var haveLastKey bool
-
- for len(in) > 0 {
- var key, val, extra []byte
- var ok bool
-
- if key, in, ok = parseString(in); !ok {
- return nil, errShortRead
- }
- keyStr := string(key)
- // according to [PROTOCOL.certkeys], the names must be in
- // lexical order.
- if haveLastKey && keyStr <= lastKey {
- return nil, fmt.Errorf("ssh: certificate options are not in lexical order")
- }
- lastKey, haveLastKey = keyStr, true
- // the next field is a data field, which if non-empty has a string embedded
- if val, in, ok = parseString(in); !ok {
- return nil, errShortRead
- }
- if len(val) > 0 {
- val, extra, ok = parseString(val)
- if !ok {
- return nil, errShortRead
- }
- if len(extra) > 0 {
- return nil, fmt.Errorf("ssh: unexpected trailing data after certificate option value")
- }
- tups[keyStr] = string(val)
- } else {
- tups[keyStr] = ""
- }
- }
- return tups, nil
-}
-
-func parseCert(in []byte, privAlgo string) (*Certificate, error) {
- nonce, rest, ok := parseString(in)
- if !ok {
- return nil, errShortRead
- }
-
- key, rest, err := parsePubKey(rest, privAlgo)
- if err != nil {
- return nil, err
- }
-
- var g genericCertData
- if err := Unmarshal(rest, &g); err != nil {
- return nil, err
- }
-
- c := &Certificate{
- Nonce: nonce,
- Key: key,
- Serial: g.Serial,
- CertType: g.CertType,
- KeyId: g.KeyId,
- ValidAfter: g.ValidAfter,
- ValidBefore: g.ValidBefore,
- }
-
- for principals := g.ValidPrincipals; len(principals) > 0; {
- principal, rest, ok := parseString(principals)
- if !ok {
- return nil, errShortRead
- }
- c.ValidPrincipals = append(c.ValidPrincipals, string(principal))
- principals = rest
- }
-
- c.CriticalOptions, err = parseTuples(g.CriticalOptions)
- if err != nil {
- return nil, err
- }
- c.Extensions, err = parseTuples(g.Extensions)
- if err != nil {
- return nil, err
- }
- c.Reserved = g.Reserved
- k, err := ParsePublicKey(g.SignatureKey)
- if err != nil {
- return nil, err
- }
-
- c.SignatureKey = k
- c.Signature, rest, ok = parseSignatureBody(g.Signature)
- if !ok || len(rest) > 0 {
- return nil, errors.New("ssh: signature parse error")
- }
-
- return c, nil
-}
-
-type openSSHCertSigner struct {
- pub *Certificate
- signer Signer
-}
-
-type algorithmOpenSSHCertSigner struct {
- *openSSHCertSigner
- algorithmSigner AlgorithmSigner
-}
-
-// NewCertSigner returns a Signer that signs with the given Certificate, whose
-// private key is held by signer. It returns an error if the public key in cert
-// doesn't match the key used by signer.
-func NewCertSigner(cert *Certificate, signer Signer) (Signer, error) {
- if !bytes.Equal(cert.Key.Marshal(), signer.PublicKey().Marshal()) {
- return nil, errors.New("ssh: signer and cert have different public key")
- }
-
- switch s := signer.(type) {
- case MultiAlgorithmSigner:
- return &multiAlgorithmSigner{
- AlgorithmSigner: &algorithmOpenSSHCertSigner{
- &openSSHCertSigner{cert, signer}, s},
- supportedAlgorithms: s.Algorithms(),
- }, nil
- case AlgorithmSigner:
- return &algorithmOpenSSHCertSigner{
- &openSSHCertSigner{cert, signer}, s}, nil
- default:
- return &openSSHCertSigner{cert, signer}, nil
- }
-}
-
-func (s *openSSHCertSigner) Sign(rand io.Reader, data []byte) (*Signature, error) {
- return s.signer.Sign(rand, data)
-}
-
-func (s *openSSHCertSigner) PublicKey() PublicKey {
- return s.pub
-}
-
-func (s *algorithmOpenSSHCertSigner) SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*Signature, error) {
- return s.algorithmSigner.SignWithAlgorithm(rand, data, algorithm)
-}
-
-const sourceAddressCriticalOption = "source-address"
-
-// CertChecker does the work of verifying a certificate. Its methods
-// can be plugged into ClientConfig.HostKeyCallback and
-// ServerConfig.PublicKeyCallback. For the CertChecker to work,
-// minimally, the IsAuthority callback should be set.
-type CertChecker struct {
- // SupportedCriticalOptions lists the CriticalOptions that the
- // server application layer understands. These are only used
- // for user certificates.
- SupportedCriticalOptions []string
-
- // IsUserAuthority should return true if the key is recognized as an
- // authority for the given user certificate. This allows for
- // certificates to be signed by other certificates. This must be set
- // if this CertChecker will be checking user certificates.
- IsUserAuthority func(auth PublicKey) bool
-
- // IsHostAuthority should report whether the key is recognized as
- // an authority for this host. This allows for certificates to be
- // signed by other keys, and for those other keys to only be valid
- // signers for particular hostnames. This must be set if this
- // CertChecker will be checking host certificates.
- IsHostAuthority func(auth PublicKey, address string) bool
-
- // Clock is used for verifying time stamps. If nil, time.Now
- // is used.
- Clock func() time.Time
-
- // UserKeyFallback is called when CertChecker.Authenticate encounters a
- // public key that is not a certificate. It must implement validation
- // of user keys or else, if nil, all such keys are rejected.
- UserKeyFallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
-
- // HostKeyFallback is called when CertChecker.CheckHostKey encounters a
- // public key that is not a certificate. It must implement host key
- // validation or else, if nil, all such keys are rejected.
- HostKeyFallback HostKeyCallback
-
- // IsRevoked is called for each certificate so that revocation checking
- // can be implemented. It should return true if the given certificate
- // is revoked and false otherwise. If nil, no certificates are
- // considered to have been revoked.
- IsRevoked func(cert *Certificate) bool
-}
-
-// CheckHostKey checks a host key certificate. This method can be
-// plugged into ClientConfig.HostKeyCallback.
-func (c *CertChecker) CheckHostKey(addr string, remote net.Addr, key PublicKey) error {
- cert, ok := key.(*Certificate)
- if !ok {
- if c.HostKeyFallback != nil {
- return c.HostKeyFallback(addr, remote, key)
- }
- return errors.New("ssh: non-certificate host key")
- }
- if cert.CertType != HostCert {
- return fmt.Errorf("ssh: certificate presented as a host key has type %d", cert.CertType)
- }
- if !c.IsHostAuthority(cert.SignatureKey, addr) {
- return fmt.Errorf("ssh: no authorities for hostname: %v", addr)
- }
-
- hostname, _, err := net.SplitHostPort(addr)
- if err != nil {
- return err
- }
-
- // Pass hostname only as principal for host certificates (consistent with OpenSSH)
- return c.CheckCert(hostname, cert)
-}
-
-// Authenticate checks a user certificate. Authenticate can be used as
-// a value for ServerConfig.PublicKeyCallback.
-func (c *CertChecker) Authenticate(conn ConnMetadata, pubKey PublicKey) (*Permissions, error) {
- cert, ok := pubKey.(*Certificate)
- if !ok {
- if c.UserKeyFallback != nil {
- return c.UserKeyFallback(conn, pubKey)
- }
- return nil, errors.New("ssh: normal key pairs not accepted")
- }
-
- if cert.CertType != UserCert {
- return nil, fmt.Errorf("ssh: cert has type %d", cert.CertType)
- }
- if !c.IsUserAuthority(cert.SignatureKey) {
- return nil, fmt.Errorf("ssh: certificate signed by unrecognized authority")
- }
-
- if err := c.CheckCert(conn.User(), cert); err != nil {
- return nil, err
- }
-
- return &cert.Permissions, nil
-}
-
-// CheckCert checks CriticalOptions, ValidPrincipals, revocation, timestamp and
-// the signature of the certificate.
-func (c *CertChecker) CheckCert(principal string, cert *Certificate) error {
- if c.IsRevoked != nil && c.IsRevoked(cert) {
- return fmt.Errorf("ssh: certificate serial %d revoked", cert.Serial)
- }
-
- for opt := range cert.CriticalOptions {
- // sourceAddressCriticalOption will be enforced by
- // serverAuthenticate
- if opt == sourceAddressCriticalOption {
- continue
- }
-
- found := false
- for _, supp := range c.SupportedCriticalOptions {
- if supp == opt {
- found = true
- break
- }
- }
- if !found {
- return fmt.Errorf("ssh: unsupported critical option %q in certificate", opt)
- }
- }
-
- if len(cert.ValidPrincipals) > 0 {
- // By default, certs are valid for all users/hosts.
- found := false
- for _, p := range cert.ValidPrincipals {
- if p == principal {
- found = true
- break
- }
- }
- if !found {
- return fmt.Errorf("ssh: principal %q not in the set of valid principals for given certificate: %q", principal, cert.ValidPrincipals)
- }
- }
-
- clock := c.Clock
- if clock == nil {
- clock = time.Now
- }
-
- unixNow := clock().Unix()
- if after := int64(cert.ValidAfter); after < 0 || unixNow < int64(cert.ValidAfter) {
- return fmt.Errorf("ssh: cert is not yet valid")
- }
- if before := int64(cert.ValidBefore); cert.ValidBefore != uint64(CertTimeInfinity) && (unixNow >= before || before < 0) {
- return fmt.Errorf("ssh: cert has expired")
- }
- if err := cert.SignatureKey.Verify(cert.bytesForSigning(), cert.Signature); err != nil {
- return fmt.Errorf("ssh: certificate signature does not verify")
- }
-
- return nil
-}
-
-// SignCert signs the certificate with an authority, setting the Nonce,
-// SignatureKey, and Signature fields. If the authority implements the
-// MultiAlgorithmSigner interface the first algorithm in the list is used. This
-// is useful if you want to sign with a specific algorithm.
-func (c *Certificate) SignCert(rand io.Reader, authority Signer) error {
- c.Nonce = make([]byte, 32)
- if _, err := io.ReadFull(rand, c.Nonce); err != nil {
- return err
- }
- c.SignatureKey = authority.PublicKey()
-
- if v, ok := authority.(MultiAlgorithmSigner); ok {
- if len(v.Algorithms()) == 0 {
- return errors.New("the provided authority has no signature algorithm")
- }
- // Use the first algorithm in the list.
- sig, err := v.SignWithAlgorithm(rand, c.bytesForSigning(), v.Algorithms()[0])
- if err != nil {
- return err
- }
- c.Signature = sig
- return nil
- } else if v, ok := authority.(AlgorithmSigner); ok && v.PublicKey().Type() == KeyAlgoRSA {
- // Default to KeyAlgoRSASHA512 for ssh-rsa signers.
- // TODO: consider using KeyAlgoRSASHA256 as default.
- sig, err := v.SignWithAlgorithm(rand, c.bytesForSigning(), KeyAlgoRSASHA512)
- if err != nil {
- return err
- }
- c.Signature = sig
- return nil
- }
-
- sig, err := authority.Sign(rand, c.bytesForSigning())
- if err != nil {
- return err
- }
- c.Signature = sig
- return nil
-}
-
-// certKeyAlgoNames is a mapping from known certificate algorithm names to the
-// corresponding public key signature algorithm.
-//
-// This map must be kept in sync with the one in agent/client.go.
-var certKeyAlgoNames = map[string]string{
- CertAlgoRSAv01: KeyAlgoRSA,
- CertAlgoRSASHA256v01: KeyAlgoRSASHA256,
- CertAlgoRSASHA512v01: KeyAlgoRSASHA512,
- CertAlgoDSAv01: KeyAlgoDSA,
- CertAlgoECDSA256v01: KeyAlgoECDSA256,
- CertAlgoECDSA384v01: KeyAlgoECDSA384,
- CertAlgoECDSA521v01: KeyAlgoECDSA521,
- CertAlgoSKECDSA256v01: KeyAlgoSKECDSA256,
- CertAlgoED25519v01: KeyAlgoED25519,
- CertAlgoSKED25519v01: KeyAlgoSKED25519,
-}
-
-// underlyingAlgo returns the signature algorithm associated with algo (which is
-// an advertised or negotiated public key or host key algorithm). These are
-// usually the same, except for certificate algorithms.
-func underlyingAlgo(algo string) string {
- if a, ok := certKeyAlgoNames[algo]; ok {
- return a
- }
- return algo
-}
-
-// certificateAlgo returns the certificate algorithms that uses the provided
-// underlying signature algorithm.
-func certificateAlgo(algo string) (certAlgo string, ok bool) {
- for certName, algoName := range certKeyAlgoNames {
- if algoName == algo {
- return certName, true
- }
- }
- return "", false
-}
-
-func (cert *Certificate) bytesForSigning() []byte {
- c2 := *cert
- c2.Signature = nil
- out := c2.Marshal()
- // Drop trailing signature length.
- return out[:len(out)-4]
-}
-
-// Marshal serializes c into OpenSSH's wire format. It is part of the
-// PublicKey interface.
-func (c *Certificate) Marshal() []byte {
- generic := genericCertData{
- Serial: c.Serial,
- CertType: c.CertType,
- KeyId: c.KeyId,
- ValidPrincipals: marshalStringList(c.ValidPrincipals),
- ValidAfter: uint64(c.ValidAfter),
- ValidBefore: uint64(c.ValidBefore),
- CriticalOptions: marshalTuples(c.CriticalOptions),
- Extensions: marshalTuples(c.Extensions),
- Reserved: c.Reserved,
- SignatureKey: c.SignatureKey.Marshal(),
- }
- if c.Signature != nil {
- generic.Signature = Marshal(c.Signature)
- }
- genericBytes := Marshal(&generic)
- keyBytes := c.Key.Marshal()
- _, keyBytes, _ = parseString(keyBytes)
- prefix := Marshal(&struct {
- Name string
- Nonce []byte
- Key []byte `ssh:"rest"`
- }{c.Type(), c.Nonce, keyBytes})
-
- result := make([]byte, 0, len(prefix)+len(genericBytes))
- result = append(result, prefix...)
- result = append(result, genericBytes...)
- return result
-}
-
-// Type returns the certificate algorithm name. It is part of the PublicKey interface.
-func (c *Certificate) Type() string {
- certName, ok := certificateAlgo(c.Key.Type())
- if !ok {
- panic("unknown certificate type for key type " + c.Key.Type())
- }
- return certName
-}
-
-// Verify verifies a signature against the certificate's public
-// key. It is part of the PublicKey interface.
-func (c *Certificate) Verify(data []byte, sig *Signature) error {
- return c.Key.Verify(data, sig)
-}
-
-func parseSignatureBody(in []byte) (out *Signature, rest []byte, ok bool) {
- format, in, ok := parseString(in)
- if !ok {
- return
- }
-
- out = &Signature{
- Format: string(format),
- }
-
- if out.Blob, in, ok = parseString(in); !ok {
- return
- }
-
- switch out.Format {
- case KeyAlgoSKECDSA256, CertAlgoSKECDSA256v01, KeyAlgoSKED25519, CertAlgoSKED25519v01:
- out.Rest = in
- return out, nil, ok
- }
-
- return out, in, ok
-}
-
-func parseSignature(in []byte) (out *Signature, rest []byte, ok bool) {
- sigBytes, rest, ok := parseString(in)
- if !ok {
- return
- }
-
- out, trailing, ok := parseSignatureBody(sigBytes)
- if !ok || len(trailing) > 0 {
- return nil, nil, false
- }
- return
-}
diff --git a/vendor/golang.org/x/crypto/ssh/channel.go b/vendor/golang.org/x/crypto/ssh/channel.go
deleted file mode 100644
index cc0bb7ab6..000000000
--- a/vendor/golang.org/x/crypto/ssh/channel.go
+++ /dev/null
@@ -1,645 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
- "encoding/binary"
- "errors"
- "fmt"
- "io"
- "log"
- "sync"
-)
-
-const (
- minPacketLength = 9
- // channelMaxPacket contains the maximum number of bytes that will be
- // sent in a single packet. As per RFC 4253, section 6.1, 32k is also
- // the minimum.
- channelMaxPacket = 1 << 15
- // We follow OpenSSH here.
- channelWindowSize = 64 * channelMaxPacket
-)
-
-// NewChannel represents an incoming request to a channel. It must either be
-// accepted for use by calling Accept, or rejected by calling Reject.
-type NewChannel interface {
- // Accept accepts the channel creation request. It returns the Channel
- // and a Go channel containing SSH requests. The Go channel must be
- // serviced otherwise the Channel will hang.
- Accept() (Channel, <-chan *Request, error)
-
- // Reject rejects the channel creation request. After calling
- // this, no other methods on the Channel may be called.
- Reject(reason RejectionReason, message string) error
-
- // ChannelType returns the type of the channel, as supplied by the
- // client.
- ChannelType() string
-
- // ExtraData returns the arbitrary payload for this channel, as supplied
- // by the client. This data is specific to the channel type.
- ExtraData() []byte
-}
-
-// A Channel is an ordered, reliable, flow-controlled, duplex stream
-// that is multiplexed over an SSH connection.
-type Channel interface {
- // Read reads up to len(data) bytes from the channel.
- Read(data []byte) (int, error)
-
- // Write writes len(data) bytes to the channel.
- Write(data []byte) (int, error)
-
- // Close signals end of channel use. No data may be sent after this
- // call.
- Close() error
-
- // CloseWrite signals the end of sending in-band
- // data. Requests may still be sent, and the other side may
- // still send data
- CloseWrite() error
-
- // SendRequest sends a channel request. If wantReply is true,
- // it will wait for a reply and return the result as a
- // boolean, otherwise the return value will be false. Channel
- // requests are out-of-band messages so they may be sent even
- // if the data stream is closed or blocked by flow control.
- // If the channel is closed before a reply is returned, io.EOF
- // is returned.
- SendRequest(name string, wantReply bool, payload []byte) (bool, error)
-
- // Stderr returns an io.ReadWriter that writes to this channel
- // with the extended data type set to stderr. Stderr may
- // safely be read and written from a different goroutine than
- // Read and Write respectively.
- Stderr() io.ReadWriter
-}
-
-// Request is a request sent outside of the normal stream of
-// data. Requests can either be specific to an SSH channel, or they
-// can be global.
-type Request struct {
- Type string
- WantReply bool
- Payload []byte
-
- ch *channel
- mux *mux
-}
-
-// Reply sends a response to a request. It must be called for all requests
-// where WantReply is true and is a no-op otherwise. The payload argument is
-// ignored for replies to channel-specific requests.
-func (r *Request) Reply(ok bool, payload []byte) error {
- if !r.WantReply {
- return nil
- }
-
- if r.ch == nil {
- return r.mux.ackRequest(ok, payload)
- }
-
- return r.ch.ackRequest(ok)
-}
-
-// RejectionReason is an enumeration used when rejecting channel creation
-// requests. See RFC 4254, section 5.1.
-type RejectionReason uint32
-
-const (
- Prohibited RejectionReason = iota + 1
- ConnectionFailed
- UnknownChannelType
- ResourceShortage
-)
-
-// String converts the rejection reason to human readable form.
-func (r RejectionReason) String() string {
- switch r {
- case Prohibited:
- return "administratively prohibited"
- case ConnectionFailed:
- return "connect failed"
- case UnknownChannelType:
- return "unknown channel type"
- case ResourceShortage:
- return "resource shortage"
- }
- return fmt.Sprintf("unknown reason %d", int(r))
-}
-
-func min(a uint32, b int) uint32 {
- if a < uint32(b) {
- return a
- }
- return uint32(b)
-}
-
-type channelDirection uint8
-
-const (
- channelInbound channelDirection = iota
- channelOutbound
-)
-
-// channel is an implementation of the Channel interface that works
-// with the mux class.
-type channel struct {
- // R/O after creation
- chanType string
- extraData []byte
- localId, remoteId uint32
-
- // maxIncomingPayload and maxRemotePayload are the maximum
- // payload sizes of normal and extended data packets for
- // receiving and sending, respectively. The wire packet will
- // be 9 or 13 bytes larger (excluding encryption overhead).
- maxIncomingPayload uint32
- maxRemotePayload uint32
-
- mux *mux
-
- // decided is set to true if an accept or reject message has been sent
- // (for outbound channels) or received (for inbound channels).
- decided bool
-
- // direction contains either channelOutbound, for channels created
- // locally, or channelInbound, for channels created by the peer.
- direction channelDirection
-
- // Pending internal channel messages.
- msg chan interface{}
-
- // Since requests have no ID, there can be only one request
- // with WantReply=true outstanding. This lock is held by a
- // goroutine that has such an outgoing request pending.
- sentRequestMu sync.Mutex
-
- incomingRequests chan *Request
-
- sentEOF bool
-
- // thread-safe data
- remoteWin window
- pending *buffer
- extPending *buffer
-
- // windowMu protects myWindow, the flow-control window, and myConsumed,
- // the number of bytes consumed since we last increased myWindow
- windowMu sync.Mutex
- myWindow uint32
- myConsumed uint32
-
- // writeMu serializes calls to mux.conn.writePacket() and
- // protects sentClose and packetPool. This mutex must be
- // different from windowMu, as writePacket can block if there
- // is a key exchange pending.
- writeMu sync.Mutex
- sentClose bool
-
- // packetPool has a buffer for each extended channel ID to
- // save allocations during writes.
- packetPool map[uint32][]byte
-}
-
-// writePacket sends a packet. If the packet is a channel close, it updates
-// sentClose. This method takes the lock c.writeMu.
-func (ch *channel) writePacket(packet []byte) error {
- ch.writeMu.Lock()
- if ch.sentClose {
- ch.writeMu.Unlock()
- return io.EOF
- }
- ch.sentClose = (packet[0] == msgChannelClose)
- err := ch.mux.conn.writePacket(packet)
- ch.writeMu.Unlock()
- return err
-}
-
-func (ch *channel) sendMessage(msg interface{}) error {
- if debugMux {
- log.Printf("send(%d): %#v", ch.mux.chanList.offset, msg)
- }
-
- p := Marshal(msg)
- binary.BigEndian.PutUint32(p[1:], ch.remoteId)
- return ch.writePacket(p)
-}
-
-// WriteExtended writes data to a specific extended stream. These streams are
-// used, for example, for stderr.
-func (ch *channel) WriteExtended(data []byte, extendedCode uint32) (n int, err error) {
- if ch.sentEOF {
- return 0, io.EOF
- }
- // 1 byte message type, 4 bytes remoteId, 4 bytes data length
- opCode := byte(msgChannelData)
- headerLength := uint32(9)
- if extendedCode > 0 {
- headerLength += 4
- opCode = msgChannelExtendedData
- }
-
- ch.writeMu.Lock()
- packet := ch.packetPool[extendedCode]
- // We don't remove the buffer from packetPool, so
- // WriteExtended calls from different goroutines will be
- // flagged as errors by the race detector.
- ch.writeMu.Unlock()
-
- for len(data) > 0 {
- space := min(ch.maxRemotePayload, len(data))
- if space, err = ch.remoteWin.reserve(space); err != nil {
- return n, err
- }
- if want := headerLength + space; uint32(cap(packet)) < want {
- packet = make([]byte, want)
- } else {
- packet = packet[:want]
- }
-
- todo := data[:space]
-
- packet[0] = opCode
- binary.BigEndian.PutUint32(packet[1:], ch.remoteId)
- if extendedCode > 0 {
- binary.BigEndian.PutUint32(packet[5:], uint32(extendedCode))
- }
- binary.BigEndian.PutUint32(packet[headerLength-4:], uint32(len(todo)))
- copy(packet[headerLength:], todo)
- if err = ch.writePacket(packet); err != nil {
- return n, err
- }
-
- n += len(todo)
- data = data[len(todo):]
- }
-
- ch.writeMu.Lock()
- ch.packetPool[extendedCode] = packet
- ch.writeMu.Unlock()
-
- return n, err
-}
-
-func (ch *channel) handleData(packet []byte) error {
- headerLen := 9
- isExtendedData := packet[0] == msgChannelExtendedData
- if isExtendedData {
- headerLen = 13
- }
- if len(packet) < headerLen {
- // malformed data packet
- return parseError(packet[0])
- }
-
- var extended uint32
- if isExtendedData {
- extended = binary.BigEndian.Uint32(packet[5:])
- }
-
- length := binary.BigEndian.Uint32(packet[headerLen-4 : headerLen])
- if length == 0 {
- return nil
- }
- if length > ch.maxIncomingPayload {
- // TODO(hanwen): should send Disconnect?
- return errors.New("ssh: incoming packet exceeds maximum payload size")
- }
-
- data := packet[headerLen:]
- if length != uint32(len(data)) {
- return errors.New("ssh: wrong packet length")
- }
-
- ch.windowMu.Lock()
- if ch.myWindow < length {
- ch.windowMu.Unlock()
- // TODO(hanwen): should send Disconnect with reason?
- return errors.New("ssh: remote side wrote too much")
- }
- ch.myWindow -= length
- ch.windowMu.Unlock()
-
- if extended == 1 {
- ch.extPending.write(data)
- } else if extended > 0 {
- // discard other extended data.
- } else {
- ch.pending.write(data)
- }
- return nil
-}
-
-func (c *channel) adjustWindow(adj uint32) error {
- c.windowMu.Lock()
- // Since myConsumed and myWindow are managed on our side, and can never
- // exceed the initial window setting, we don't worry about overflow.
- c.myConsumed += adj
- var sendAdj uint32
- if (channelWindowSize-c.myWindow > 3*c.maxIncomingPayload) ||
- (c.myWindow < channelWindowSize/2) {
- sendAdj = c.myConsumed
- c.myConsumed = 0
- c.myWindow += sendAdj
- }
- c.windowMu.Unlock()
- if sendAdj == 0 {
- return nil
- }
- return c.sendMessage(windowAdjustMsg{
- AdditionalBytes: sendAdj,
- })
-}
-
-func (c *channel) ReadExtended(data []byte, extended uint32) (n int, err error) {
- switch extended {
- case 1:
- n, err = c.extPending.Read(data)
- case 0:
- n, err = c.pending.Read(data)
- default:
- return 0, fmt.Errorf("ssh: extended code %d unimplemented", extended)
- }
-
- if n > 0 {
- err = c.adjustWindow(uint32(n))
- // sendWindowAdjust can return io.EOF if the remote
- // peer has closed the connection, however we want to
- // defer forwarding io.EOF to the caller of Read until
- // the buffer has been drained.
- if n > 0 && err == io.EOF {
- err = nil
- }
- }
-
- return n, err
-}
-
-func (c *channel) close() {
- c.pending.eof()
- c.extPending.eof()
- close(c.msg)
- close(c.incomingRequests)
- c.writeMu.Lock()
- // This is not necessary for a normal channel teardown, but if
- // there was another error, it is.
- c.sentClose = true
- c.writeMu.Unlock()
- // Unblock writers.
- c.remoteWin.close()
-}
-
-// responseMessageReceived is called when a success or failure message is
-// received on a channel to check that such a message is reasonable for the
-// given channel.
-func (ch *channel) responseMessageReceived() error {
- if ch.direction == channelInbound {
- return errors.New("ssh: channel response message received on inbound channel")
- }
- if ch.decided {
- return errors.New("ssh: duplicate response received for channel")
- }
- ch.decided = true
- return nil
-}
-
-func (ch *channel) handlePacket(packet []byte) error {
- switch packet[0] {
- case msgChannelData, msgChannelExtendedData:
- return ch.handleData(packet)
- case msgChannelClose:
- ch.sendMessage(channelCloseMsg{PeersID: ch.remoteId})
- ch.mux.chanList.remove(ch.localId)
- ch.close()
- return nil
- case msgChannelEOF:
- // RFC 4254 is mute on how EOF affects dataExt messages but
- // it is logical to signal EOF at the same time.
- ch.extPending.eof()
- ch.pending.eof()
- return nil
- }
-
- decoded, err := decode(packet)
- if err != nil {
- return err
- }
-
- switch msg := decoded.(type) {
- case *channelOpenFailureMsg:
- if err := ch.responseMessageReceived(); err != nil {
- return err
- }
- ch.mux.chanList.remove(msg.PeersID)
- ch.msg <- msg
- case *channelOpenConfirmMsg:
- if err := ch.responseMessageReceived(); err != nil {
- return err
- }
- if msg.MaxPacketSize < minPacketLength || msg.MaxPacketSize > 1<<31 {
- return fmt.Errorf("ssh: invalid MaxPacketSize %d from peer", msg.MaxPacketSize)
- }
- ch.remoteId = msg.MyID
- ch.maxRemotePayload = msg.MaxPacketSize
- ch.remoteWin.add(msg.MyWindow)
- ch.msg <- msg
- case *windowAdjustMsg:
- if !ch.remoteWin.add(msg.AdditionalBytes) {
- return fmt.Errorf("ssh: invalid window update for %d bytes", msg.AdditionalBytes)
- }
- case *channelRequestMsg:
- req := Request{
- Type: msg.Request,
- WantReply: msg.WantReply,
- Payload: msg.RequestSpecificData,
- ch: ch,
- }
-
- ch.incomingRequests <- &req
- default:
- ch.msg <- msg
- }
- return nil
-}
-
-func (m *mux) newChannel(chanType string, direction channelDirection, extraData []byte) *channel {
- ch := &channel{
- remoteWin: window{Cond: newCond()},
- myWindow: channelWindowSize,
- pending: newBuffer(),
- extPending: newBuffer(),
- direction: direction,
- incomingRequests: make(chan *Request, chanSize),
- msg: make(chan interface{}, chanSize),
- chanType: chanType,
- extraData: extraData,
- mux: m,
- packetPool: make(map[uint32][]byte),
- }
- ch.localId = m.chanList.add(ch)
- return ch
-}
-
-var errUndecided = errors.New("ssh: must Accept or Reject channel")
-var errDecidedAlready = errors.New("ssh: can call Accept or Reject only once")
-
-type extChannel struct {
- code uint32
- ch *channel
-}
-
-func (e *extChannel) Write(data []byte) (n int, err error) {
- return e.ch.WriteExtended(data, e.code)
-}
-
-func (e *extChannel) Read(data []byte) (n int, err error) {
- return e.ch.ReadExtended(data, e.code)
-}
-
-func (ch *channel) Accept() (Channel, <-chan *Request, error) {
- if ch.decided {
- return nil, nil, errDecidedAlready
- }
- ch.maxIncomingPayload = channelMaxPacket
- confirm := channelOpenConfirmMsg{
- PeersID: ch.remoteId,
- MyID: ch.localId,
- MyWindow: ch.myWindow,
- MaxPacketSize: ch.maxIncomingPayload,
- }
- ch.decided = true
- if err := ch.sendMessage(confirm); err != nil {
- return nil, nil, err
- }
-
- return ch, ch.incomingRequests, nil
-}
-
-func (ch *channel) Reject(reason RejectionReason, message string) error {
- if ch.decided {
- return errDecidedAlready
- }
- reject := channelOpenFailureMsg{
- PeersID: ch.remoteId,
- Reason: reason,
- Message: message,
- Language: "en",
- }
- ch.decided = true
- return ch.sendMessage(reject)
-}
-
-func (ch *channel) Read(data []byte) (int, error) {
- if !ch.decided {
- return 0, errUndecided
- }
- return ch.ReadExtended(data, 0)
-}
-
-func (ch *channel) Write(data []byte) (int, error) {
- if !ch.decided {
- return 0, errUndecided
- }
- return ch.WriteExtended(data, 0)
-}
-
-func (ch *channel) CloseWrite() error {
- if !ch.decided {
- return errUndecided
- }
- ch.sentEOF = true
- return ch.sendMessage(channelEOFMsg{
- PeersID: ch.remoteId})
-}
-
-func (ch *channel) Close() error {
- if !ch.decided {
- return errUndecided
- }
-
- return ch.sendMessage(channelCloseMsg{
- PeersID: ch.remoteId})
-}
-
-// Extended returns an io.ReadWriter that sends and receives data on the given,
-// SSH extended stream. Such streams are used, for example, for stderr.
-func (ch *channel) Extended(code uint32) io.ReadWriter {
- if !ch.decided {
- return nil
- }
- return &extChannel{code, ch}
-}
-
-func (ch *channel) Stderr() io.ReadWriter {
- return ch.Extended(1)
-}
-
-func (ch *channel) SendRequest(name string, wantReply bool, payload []byte) (bool, error) {
- if !ch.decided {
- return false, errUndecided
- }
-
- if wantReply {
- ch.sentRequestMu.Lock()
- defer ch.sentRequestMu.Unlock()
- }
-
- msg := channelRequestMsg{
- PeersID: ch.remoteId,
- Request: name,
- WantReply: wantReply,
- RequestSpecificData: payload,
- }
-
- if err := ch.sendMessage(msg); err != nil {
- return false, err
- }
-
- if wantReply {
- m, ok := (<-ch.msg)
- if !ok {
- return false, io.EOF
- }
- switch m.(type) {
- case *channelRequestFailureMsg:
- return false, nil
- case *channelRequestSuccessMsg:
- return true, nil
- default:
- return false, fmt.Errorf("ssh: unexpected response to channel request: %#v", m)
- }
- }
-
- return false, nil
-}
-
-// ackRequest either sends an ack or nack to the channel request.
-func (ch *channel) ackRequest(ok bool) error {
- if !ch.decided {
- return errUndecided
- }
-
- var msg interface{}
- if !ok {
- msg = channelRequestFailureMsg{
- PeersID: ch.remoteId,
- }
- } else {
- msg = channelRequestSuccessMsg{
- PeersID: ch.remoteId,
- }
- }
- return ch.sendMessage(msg)
-}
-
-func (ch *channel) ChannelType() string {
- return ch.chanType
-}
-
-func (ch *channel) ExtraData() []byte {
- return ch.extraData
-}
diff --git a/vendor/golang.org/x/crypto/ssh/cipher.go b/vendor/golang.org/x/crypto/ssh/cipher.go
deleted file mode 100644
index 741e984f3..000000000
--- a/vendor/golang.org/x/crypto/ssh/cipher.go
+++ /dev/null
@@ -1,789 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
- "crypto/aes"
- "crypto/cipher"
- "crypto/des"
- "crypto/rc4"
- "crypto/subtle"
- "encoding/binary"
- "errors"
- "fmt"
- "hash"
- "io"
-
- "golang.org/x/crypto/chacha20"
- "golang.org/x/crypto/internal/poly1305"
-)
-
-const (
- packetSizeMultiple = 16 // TODO(huin) this should be determined by the cipher.
-
- // RFC 4253 section 6.1 defines a minimum packet size of 32768 that implementations
- // MUST be able to process (plus a few more kilobytes for padding and mac). The RFC
- // indicates implementations SHOULD be able to handle larger packet sizes, but then
- // waffles on about reasonable limits.
- //
- // OpenSSH caps their maxPacket at 256kB so we choose to do
- // the same. maxPacket is also used to ensure that uint32
- // length fields do not overflow, so it should remain well
- // below 4G.
- maxPacket = 256 * 1024
-)
-
-// noneCipher implements cipher.Stream and provides no encryption. It is used
-// by the transport before the first key-exchange.
-type noneCipher struct{}
-
-func (c noneCipher) XORKeyStream(dst, src []byte) {
- copy(dst, src)
-}
-
-func newAESCTR(key, iv []byte) (cipher.Stream, error) {
- c, err := aes.NewCipher(key)
- if err != nil {
- return nil, err
- }
- return cipher.NewCTR(c, iv), nil
-}
-
-func newRC4(key, iv []byte) (cipher.Stream, error) {
- return rc4.NewCipher(key)
-}
-
-type cipherMode struct {
- keySize int
- ivSize int
- create func(key, iv []byte, macKey []byte, algs directionAlgorithms) (packetCipher, error)
-}
-
-func streamCipherMode(skip int, createFunc func(key, iv []byte) (cipher.Stream, error)) func(key, iv []byte, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
- return func(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
- stream, err := createFunc(key, iv)
- if err != nil {
- return nil, err
- }
-
- var streamDump []byte
- if skip > 0 {
- streamDump = make([]byte, 512)
- }
-
- for remainingToDump := skip; remainingToDump > 0; {
- dumpThisTime := remainingToDump
- if dumpThisTime > len(streamDump) {
- dumpThisTime = len(streamDump)
- }
- stream.XORKeyStream(streamDump[:dumpThisTime], streamDump[:dumpThisTime])
- remainingToDump -= dumpThisTime
- }
-
- mac := macModes[algs.MAC].new(macKey)
- return &streamPacketCipher{
- mac: mac,
- etm: macModes[algs.MAC].etm,
- macResult: make([]byte, mac.Size()),
- cipher: stream,
- }, nil
- }
-}
-
-// cipherModes documents properties of supported ciphers. Ciphers not included
-// are not supported and will not be negotiated, even if explicitly requested in
-// ClientConfig.Crypto.Ciphers.
-var cipherModes = map[string]*cipherMode{
- // Ciphers from RFC 4344, which introduced many CTR-based ciphers. Algorithms
- // are defined in the order specified in the RFC.
- "aes128-ctr": {16, aes.BlockSize, streamCipherMode(0, newAESCTR)},
- "aes192-ctr": {24, aes.BlockSize, streamCipherMode(0, newAESCTR)},
- "aes256-ctr": {32, aes.BlockSize, streamCipherMode(0, newAESCTR)},
-
- // Ciphers from RFC 4345, which introduces security-improved arcfour ciphers.
- // They are defined in the order specified in the RFC.
- "arcfour128": {16, 0, streamCipherMode(1536, newRC4)},
- "arcfour256": {32, 0, streamCipherMode(1536, newRC4)},
-
- // Cipher defined in RFC 4253, which describes SSH Transport Layer Protocol.
- // Note that this cipher is not safe, as stated in RFC 4253: "Arcfour (and
- // RC4) has problems with weak keys, and should be used with caution."
- // RFC 4345 introduces improved versions of Arcfour.
- "arcfour": {16, 0, streamCipherMode(0, newRC4)},
-
- // AEAD ciphers
- gcm128CipherID: {16, 12, newGCMCipher},
- gcm256CipherID: {32, 12, newGCMCipher},
- chacha20Poly1305ID: {64, 0, newChaCha20Cipher},
-
- // CBC mode is insecure and so is not included in the default config.
- // (See https://www.ieee-security.org/TC/SP2013/papers/4977a526.pdf). If absolutely
- // needed, it's possible to specify a custom Config to enable it.
- // You should expect that an active attacker can recover plaintext if
- // you do.
- aes128cbcID: {16, aes.BlockSize, newAESCBCCipher},
-
- // 3des-cbc is insecure and is not included in the default
- // config.
- tripledescbcID: {24, des.BlockSize, newTripleDESCBCCipher},
-}
-
-// prefixLen is the length of the packet prefix that contains the packet length
-// and number of padding bytes.
-const prefixLen = 5
-
-// streamPacketCipher is a packetCipher using a stream cipher.
-type streamPacketCipher struct {
- mac hash.Hash
- cipher cipher.Stream
- etm bool
-
- // The following members are to avoid per-packet allocations.
- prefix [prefixLen]byte
- seqNumBytes [4]byte
- padding [2 * packetSizeMultiple]byte
- packetData []byte
- macResult []byte
-}
-
-// readCipherPacket reads and decrypt a single packet from the reader argument.
-func (s *streamPacketCipher) readCipherPacket(seqNum uint32, r io.Reader) ([]byte, error) {
- if _, err := io.ReadFull(r, s.prefix[:]); err != nil {
- return nil, err
- }
-
- var encryptedPaddingLength [1]byte
- if s.mac != nil && s.etm {
- copy(encryptedPaddingLength[:], s.prefix[4:5])
- s.cipher.XORKeyStream(s.prefix[4:5], s.prefix[4:5])
- } else {
- s.cipher.XORKeyStream(s.prefix[:], s.prefix[:])
- }
-
- length := binary.BigEndian.Uint32(s.prefix[0:4])
- paddingLength := uint32(s.prefix[4])
-
- var macSize uint32
- if s.mac != nil {
- s.mac.Reset()
- binary.BigEndian.PutUint32(s.seqNumBytes[:], seqNum)
- s.mac.Write(s.seqNumBytes[:])
- if s.etm {
- s.mac.Write(s.prefix[:4])
- s.mac.Write(encryptedPaddingLength[:])
- } else {
- s.mac.Write(s.prefix[:])
- }
- macSize = uint32(s.mac.Size())
- }
-
- if length <= paddingLength+1 {
- return nil, errors.New("ssh: invalid packet length, packet too small")
- }
-
- if length > maxPacket {
- return nil, errors.New("ssh: invalid packet length, packet too large")
- }
-
- // the maxPacket check above ensures that length-1+macSize
- // does not overflow.
- if uint32(cap(s.packetData)) < length-1+macSize {
- s.packetData = make([]byte, length-1+macSize)
- } else {
- s.packetData = s.packetData[:length-1+macSize]
- }
-
- if _, err := io.ReadFull(r, s.packetData); err != nil {
- return nil, err
- }
- mac := s.packetData[length-1:]
- data := s.packetData[:length-1]
-
- if s.mac != nil && s.etm {
- s.mac.Write(data)
- }
-
- s.cipher.XORKeyStream(data, data)
-
- if s.mac != nil {
- if !s.etm {
- s.mac.Write(data)
- }
- s.macResult = s.mac.Sum(s.macResult[:0])
- if subtle.ConstantTimeCompare(s.macResult, mac) != 1 {
- return nil, errors.New("ssh: MAC failure")
- }
- }
-
- return s.packetData[:length-paddingLength-1], nil
-}
-
-// writeCipherPacket encrypts and sends a packet of data to the writer argument
-func (s *streamPacketCipher) writeCipherPacket(seqNum uint32, w io.Writer, rand io.Reader, packet []byte) error {
- if len(packet) > maxPacket {
- return errors.New("ssh: packet too large")
- }
-
- aadlen := 0
- if s.mac != nil && s.etm {
- // packet length is not encrypted for EtM modes
- aadlen = 4
- }
-
- paddingLength := packetSizeMultiple - (prefixLen+len(packet)-aadlen)%packetSizeMultiple
- if paddingLength < 4 {
- paddingLength += packetSizeMultiple
- }
-
- length := len(packet) + 1 + paddingLength
- binary.BigEndian.PutUint32(s.prefix[:], uint32(length))
- s.prefix[4] = byte(paddingLength)
- padding := s.padding[:paddingLength]
- if _, err := io.ReadFull(rand, padding); err != nil {
- return err
- }
-
- if s.mac != nil {
- s.mac.Reset()
- binary.BigEndian.PutUint32(s.seqNumBytes[:], seqNum)
- s.mac.Write(s.seqNumBytes[:])
-
- if s.etm {
- // For EtM algorithms, the packet length must stay unencrypted,
- // but the following data (padding length) must be encrypted
- s.cipher.XORKeyStream(s.prefix[4:5], s.prefix[4:5])
- }
-
- s.mac.Write(s.prefix[:])
-
- if !s.etm {
- // For non-EtM algorithms, the algorithm is applied on unencrypted data
- s.mac.Write(packet)
- s.mac.Write(padding)
- }
- }
-
- if !(s.mac != nil && s.etm) {
- // For EtM algorithms, the padding length has already been encrypted
- // and the packet length must remain unencrypted
- s.cipher.XORKeyStream(s.prefix[:], s.prefix[:])
- }
-
- s.cipher.XORKeyStream(packet, packet)
- s.cipher.XORKeyStream(padding, padding)
-
- if s.mac != nil && s.etm {
- // For EtM algorithms, packet and padding must be encrypted
- s.mac.Write(packet)
- s.mac.Write(padding)
- }
-
- if _, err := w.Write(s.prefix[:]); err != nil {
- return err
- }
- if _, err := w.Write(packet); err != nil {
- return err
- }
- if _, err := w.Write(padding); err != nil {
- return err
- }
-
- if s.mac != nil {
- s.macResult = s.mac.Sum(s.macResult[:0])
- if _, err := w.Write(s.macResult); err != nil {
- return err
- }
- }
-
- return nil
-}
-
-type gcmCipher struct {
- aead cipher.AEAD
- prefix [4]byte
- iv []byte
- buf []byte
-}
-
-func newGCMCipher(key, iv, unusedMacKey []byte, unusedAlgs directionAlgorithms) (packetCipher, error) {
- c, err := aes.NewCipher(key)
- if err != nil {
- return nil, err
- }
-
- aead, err := cipher.NewGCM(c)
- if err != nil {
- return nil, err
- }
-
- return &gcmCipher{
- aead: aead,
- iv: iv,
- }, nil
-}
-
-const gcmTagSize = 16
-
-func (c *gcmCipher) writeCipherPacket(seqNum uint32, w io.Writer, rand io.Reader, packet []byte) error {
- // Pad out to multiple of 16 bytes. This is different from the
- // stream cipher because that encrypts the length too.
- padding := byte(packetSizeMultiple - (1+len(packet))%packetSizeMultiple)
- if padding < 4 {
- padding += packetSizeMultiple
- }
-
- length := uint32(len(packet) + int(padding) + 1)
- binary.BigEndian.PutUint32(c.prefix[:], length)
- if _, err := w.Write(c.prefix[:]); err != nil {
- return err
- }
-
- if cap(c.buf) < int(length) {
- c.buf = make([]byte, length)
- } else {
- c.buf = c.buf[:length]
- }
-
- c.buf[0] = padding
- copy(c.buf[1:], packet)
- if _, err := io.ReadFull(rand, c.buf[1+len(packet):]); err != nil {
- return err
- }
- c.buf = c.aead.Seal(c.buf[:0], c.iv, c.buf, c.prefix[:])
- if _, err := w.Write(c.buf); err != nil {
- return err
- }
- c.incIV()
-
- return nil
-}
-
-func (c *gcmCipher) incIV() {
- for i := 4 + 7; i >= 4; i-- {
- c.iv[i]++
- if c.iv[i] != 0 {
- break
- }
- }
-}
-
-func (c *gcmCipher) readCipherPacket(seqNum uint32, r io.Reader) ([]byte, error) {
- if _, err := io.ReadFull(r, c.prefix[:]); err != nil {
- return nil, err
- }
- length := binary.BigEndian.Uint32(c.prefix[:])
- if length > maxPacket {
- return nil, errors.New("ssh: max packet length exceeded")
- }
-
- if cap(c.buf) < int(length+gcmTagSize) {
- c.buf = make([]byte, length+gcmTagSize)
- } else {
- c.buf = c.buf[:length+gcmTagSize]
- }
-
- if _, err := io.ReadFull(r, c.buf); err != nil {
- return nil, err
- }
-
- plain, err := c.aead.Open(c.buf[:0], c.iv, c.buf, c.prefix[:])
- if err != nil {
- return nil, err
- }
- c.incIV()
-
- if len(plain) == 0 {
- return nil, errors.New("ssh: empty packet")
- }
-
- padding := plain[0]
- if padding < 4 {
- // padding is a byte, so it automatically satisfies
- // the maximum size, which is 255.
- return nil, fmt.Errorf("ssh: illegal padding %d", padding) - } - - if int(padding+1) >= len(plain) { - return nil, fmt.Errorf("ssh: padding %d too large", padding) - } - plain = plain[1 : length-uint32(padding)] - return plain, nil -} - -// cbcCipher implements aes128-cbc cipher defined in RFC 4253 section 6.1 -type cbcCipher struct { - mac hash.Hash - macSize uint32 - decrypter cipher.BlockMode - encrypter cipher.BlockMode - - // The following members are to avoid per-packet allocations. - seqNumBytes [4]byte - packetData []byte - macResult []byte - - // Amount of data we should still read to hide which - // verification error triggered. - oracleCamouflage uint32 -} - -func newCBCCipher(c cipher.Block, key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) { - cbc := &cbcCipher{ - mac: macModes[algs.MAC].new(macKey), - decrypter: cipher.NewCBCDecrypter(c, iv), - encrypter: cipher.NewCBCEncrypter(c, iv), - packetData: make([]byte, 1024), - } - if cbc.mac != nil { - cbc.macSize = uint32(cbc.mac.Size()) - } - - return cbc, nil -} - -func newAESCBCCipher(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) { - c, err := aes.NewCipher(key) - if err != nil { - return nil, err - } - - cbc, err := newCBCCipher(c, key, iv, macKey, algs) - if err != nil { - return nil, err - } - - return cbc, nil -} - -func newTripleDESCBCCipher(key, iv, macKey []byte, algs directionAlgorithms) (packetCipher, error) { - c, err := des.NewTripleDESCipher(key) - if err != nil { - return nil, err - } - - cbc, err := newCBCCipher(c, key, iv, macKey, algs) - if err != nil { - return nil, err - } - - return cbc, nil -} - -func maxUInt32(a, b int) uint32 { - if a > b { - return uint32(a) - } - return uint32(b) -} - -const ( - cbcMinPacketSizeMultiple = 8 - cbcMinPacketSize = 16 - cbcMinPaddingSize = 4 -) - -// cbcError represents a verification error that may leak information. 
-type cbcError string - -func (e cbcError) Error() string { return string(e) } - -func (c *cbcCipher) readCipherPacket(seqNum uint32, r io.Reader) ([]byte, error) { - p, err := c.readCipherPacketLeaky(seqNum, r) - if err != nil { - if _, ok := err.(cbcError); ok { - // Verification error: read a fixed amount of - // data, to make distinguishing between - // failing MAC and failing length check more - // difficult. - io.CopyN(io.Discard, r, int64(c.oracleCamouflage)) - } - } - return p, err -} - -func (c *cbcCipher) readCipherPacketLeaky(seqNum uint32, r io.Reader) ([]byte, error) { - blockSize := c.decrypter.BlockSize() - - // Read the header, which will include some of the subsequent data in the - // case of block ciphers - this is copied back to the payload later. - // How many bytes of payload/padding will be read with this first read. - firstBlockLength := uint32((prefixLen + blockSize - 1) / blockSize * blockSize) - firstBlock := c.packetData[:firstBlockLength] - if _, err := io.ReadFull(r, firstBlock); err != nil { - return nil, err - } - - c.oracleCamouflage = maxPacket + 4 + c.macSize - firstBlockLength - - c.decrypter.CryptBlocks(firstBlock, firstBlock) - length := binary.BigEndian.Uint32(firstBlock[:4]) - if length > maxPacket { - return nil, cbcError("ssh: packet too large") - } - if length+4 < maxUInt32(cbcMinPacketSize, blockSize) { - // The minimum size of a packet is 16 (or the cipher block size, whichever - // is larger) bytes. - return nil, cbcError("ssh: packet too small") - } - // The length of the packet (including the length field but not the MAC) must - // be a multiple of the block size or 8, whichever is larger. 
- if (length+4)%maxUInt32(cbcMinPacketSizeMultiple, blockSize) != 0 { - return nil, cbcError("ssh: invalid packet length multiple") - } - - paddingLength := uint32(firstBlock[4]) - if paddingLength < cbcMinPaddingSize || length <= paddingLength+1 { - return nil, cbcError("ssh: invalid packet length") - } - - // Positions within the c.packetData buffer: - macStart := 4 + length - paddingStart := macStart - paddingLength - - // Entire packet size, starting before length, ending at end of mac. - entirePacketSize := macStart + c.macSize - - // Ensure c.packetData is large enough for the entire packet data. - if uint32(cap(c.packetData)) < entirePacketSize { - // Still need to upsize and copy, but this should be rare at runtime, only - // on upsizing the packetData buffer. - c.packetData = make([]byte, entirePacketSize) - copy(c.packetData, firstBlock) - } else { - c.packetData = c.packetData[:entirePacketSize] - } - - n, err := io.ReadFull(r, c.packetData[firstBlockLength:]) - if err != nil { - return nil, err - } - c.oracleCamouflage -= uint32(n) - - remainingCrypted := c.packetData[firstBlockLength:macStart] - c.decrypter.CryptBlocks(remainingCrypted, remainingCrypted) - - mac := c.packetData[macStart:] - if c.mac != nil { - c.mac.Reset() - binary.BigEndian.PutUint32(c.seqNumBytes[:], seqNum) - c.mac.Write(c.seqNumBytes[:]) - c.mac.Write(c.packetData[:macStart]) - c.macResult = c.mac.Sum(c.macResult[:0]) - if subtle.ConstantTimeCompare(c.macResult, mac) != 1 { - return nil, cbcError("ssh: MAC failure") - } - } - - return c.packetData[prefixLen:paddingStart], nil -} - -func (c *cbcCipher) writeCipherPacket(seqNum uint32, w io.Writer, rand io.Reader, packet []byte) error { - effectiveBlockSize := maxUInt32(cbcMinPacketSizeMultiple, c.encrypter.BlockSize()) - - // Length of encrypted portion of the packet (header, payload, padding). - // Enforce minimum padding and packet size. 
- encLength := maxUInt32(prefixLen+len(packet)+cbcMinPaddingSize, cbcMinPaddingSize) - // Enforce block size. - encLength = (encLength + effectiveBlockSize - 1) / effectiveBlockSize * effectiveBlockSize - - length := encLength - 4 - paddingLength := int(length) - (1 + len(packet)) - - // Overall buffer contains: header, payload, padding, mac. - // Space for the MAC is reserved in the capacity but not the slice length. - bufferSize := encLength + c.macSize - if uint32(cap(c.packetData)) < bufferSize { - c.packetData = make([]byte, encLength, bufferSize) - } else { - c.packetData = c.packetData[:encLength] - } - - p := c.packetData - - // Packet header. - binary.BigEndian.PutUint32(p, length) - p = p[4:] - p[0] = byte(paddingLength) - - // Payload. - p = p[1:] - copy(p, packet) - - // Padding. - p = p[len(packet):] - if _, err := io.ReadFull(rand, p); err != nil { - return err - } - - if c.mac != nil { - c.mac.Reset() - binary.BigEndian.PutUint32(c.seqNumBytes[:], seqNum) - c.mac.Write(c.seqNumBytes[:]) - c.mac.Write(c.packetData) - // The MAC is now appended into the capacity reserved for it earlier. - c.packetData = c.mac.Sum(c.packetData) - } - - c.encrypter.CryptBlocks(c.packetData[:encLength], c.packetData[:encLength]) - - if _, err := w.Write(c.packetData); err != nil { - return err - } - - return nil -} - -const chacha20Poly1305ID = "chacha20-poly1305@openssh.com" - -// chacha20Poly1305Cipher implements the chacha20-poly1305@openssh.com -// AEAD, which is described here: -// -// https://tools.ietf.org/html/draft-josefsson-ssh-chacha20-poly1305-openssh-00 -// -// the methods here also implement padding, which RFC 4253 Section 6 -// also requires of stream ciphers. 
-type chacha20Poly1305Cipher struct { - lengthKey [32]byte - contentKey [32]byte - buf []byte -} - -func newChaCha20Cipher(key, unusedIV, unusedMACKey []byte, unusedAlgs directionAlgorithms) (packetCipher, error) { - if len(key) != 64 { - panic(len(key)) - } - - c := &chacha20Poly1305Cipher{ - buf: make([]byte, 256), - } - - copy(c.contentKey[:], key[:32]) - copy(c.lengthKey[:], key[32:]) - return c, nil -} - -func (c *chacha20Poly1305Cipher) readCipherPacket(seqNum uint32, r io.Reader) ([]byte, error) { - nonce := make([]byte, 12) - binary.BigEndian.PutUint32(nonce[8:], seqNum) - s, err := chacha20.NewUnauthenticatedCipher(c.contentKey[:], nonce) - if err != nil { - return nil, err - } - var polyKey, discardBuf [32]byte - s.XORKeyStream(polyKey[:], polyKey[:]) - s.XORKeyStream(discardBuf[:], discardBuf[:]) // skip the next 32 bytes - - encryptedLength := c.buf[:4] - if _, err := io.ReadFull(r, encryptedLength); err != nil { - return nil, err - } - - var lenBytes [4]byte - ls, err := chacha20.NewUnauthenticatedCipher(c.lengthKey[:], nonce) - if err != nil { - return nil, err - } - ls.XORKeyStream(lenBytes[:], encryptedLength) - - length := binary.BigEndian.Uint32(lenBytes[:]) - if length > maxPacket { - return nil, errors.New("ssh: invalid packet length, packet too large") - } - - contentEnd := 4 + length - packetEnd := contentEnd + poly1305.TagSize - if uint32(cap(c.buf)) < packetEnd { - c.buf = make([]byte, packetEnd) - copy(c.buf[:], encryptedLength) - } else { - c.buf = c.buf[:packetEnd] - } - - if _, err := io.ReadFull(r, c.buf[4:packetEnd]); err != nil { - return nil, err - } - - var mac [poly1305.TagSize]byte - copy(mac[:], c.buf[contentEnd:packetEnd]) - if !poly1305.Verify(&mac, c.buf[:contentEnd], &polyKey) { - return nil, errors.New("ssh: MAC failure") - } - - plain := c.buf[4:contentEnd] - s.XORKeyStream(plain, plain) - - if len(plain) == 0 { - return nil, errors.New("ssh: empty packet") - } - - padding := plain[0] - if padding < 4 { - // padding is a 
byte, so it automatically satisfies - // the maximum size, which is 255. - return nil, fmt.Errorf("ssh: illegal padding %d", padding) - } - - if int(padding)+1 >= len(plain) { - return nil, fmt.Errorf("ssh: padding %d too large", padding) - } - - plain = plain[1 : len(plain)-int(padding)] - - return plain, nil -} - -func (c *chacha20Poly1305Cipher) writeCipherPacket(seqNum uint32, w io.Writer, rand io.Reader, payload []byte) error { - nonce := make([]byte, 12) - binary.BigEndian.PutUint32(nonce[8:], seqNum) - s, err := chacha20.NewUnauthenticatedCipher(c.contentKey[:], nonce) - if err != nil { - return err - } - var polyKey, discardBuf [32]byte - s.XORKeyStream(polyKey[:], polyKey[:]) - s.XORKeyStream(discardBuf[:], discardBuf[:]) // skip the next 32 bytes - - // There is no blocksize, so fall back to multiple of 8 byte - // padding, as described in RFC 4253, Sec 6. - const packetSizeMultiple = 8 - - padding := packetSizeMultiple - (1+len(payload))%packetSizeMultiple - if padding < 4 { - padding += packetSizeMultiple - } - - // size (4 bytes), padding (1), payload, padding, tag. - totalLength := 4 + 1 + len(payload) + padding + poly1305.TagSize - if cap(c.buf) < totalLength { - c.buf = make([]byte, totalLength) - } else { - c.buf = c.buf[:totalLength] - } - - binary.BigEndian.PutUint32(c.buf, uint32(1+len(payload)+padding)) - ls, err := chacha20.NewUnauthenticatedCipher(c.lengthKey[:], nonce) - if err != nil { - return err - } - ls.XORKeyStream(c.buf, c.buf[:4]) - c.buf[4] = byte(padding) - copy(c.buf[5:], payload) - packetEnd := 5 + len(payload) + padding - if _, err := io.ReadFull(rand, c.buf[5+len(payload):packetEnd]); err != nil { - return err - } - - s.XORKeyStream(c.buf[4:], c.buf[4:packetEnd]) - - var mac [poly1305.TagSize]byte - poly1305.Sum(&mac, c.buf[:packetEnd], &polyKey) - - copy(c.buf[packetEnd:], mac[:]) - - if _, err := w.Write(c.buf); err != nil { - return err - } - return nil -} 
diff --git a/vendor/golang.org/x/crypto/ssh/client.go b/vendor/golang.org/x/crypto/ssh/client.go
deleted file mode 100644
index fd8c49749..000000000
--- a/vendor/golang.org/x/crypto/ssh/client.go
+++ /dev/null
@@ -1,282 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
- "bytes"
- "errors"
- "fmt"
- "net"
- "os"
- "sync"
- "time"
-)
-
-// Client implements a traditional SSH client that supports shells,
-// subprocesses, TCP port/streamlocal forwarding and tunneled dialing.
-type Client struct {
- Conn
-
- handleForwardsOnce sync.Once // guards calling (*Client).handleForwards
-
- forwards forwardList // forwarded tcpip connections from the remote side
- mu sync.Mutex
- channelHandlers map[string]chan NewChannel
-}
-
-// HandleChannelOpen returns a channel on which NewChannel requests
-// for the given type are sent. If the type already is being handled,
-// nil is returned. The channel is closed when the connection is closed.
-func (c *Client) HandleChannelOpen(channelType string) <-chan NewChannel {
- c.mu.Lock()
- defer c.mu.Unlock()
- if c.channelHandlers == nil {
- // The SSH channel has been closed.
- c := make(chan NewChannel)
- close(c)
- return c
- }
-
- ch := c.channelHandlers[channelType]
- if ch != nil {
- return nil
- }
-
- ch = make(chan NewChannel, chanSize)
- c.channelHandlers[channelType] = ch
- return ch
-}
-
-// NewClient creates a Client on top of the given connection.
-func NewClient(c Conn, chans <-chan NewChannel, reqs <-chan *Request) *Client {
- conn := &Client{
- Conn: c,
- channelHandlers: make(map[string]chan NewChannel, 1),
- }
-
- go conn.handleGlobalRequests(reqs)
- go conn.handleChannelOpens(chans)
- go func() {
- conn.Wait()
- conn.forwards.closeAll()
- }()
- return conn
-}
-
-// NewClientConn establishes an authenticated SSH connection using c
-// as the underlying transport. The Request and NewChannel channels
-// must be serviced or the connection will hang.
-func NewClientConn(c net.Conn, addr string, config *ClientConfig) (Conn, <-chan NewChannel, <-chan *Request, error) {
- fullConf := *config
- fullConf.SetDefaults()
- if fullConf.HostKeyCallback == nil {
- c.Close()
- return nil, nil, nil, errors.New("ssh: must specify HostKeyCallback")
- }
-
- conn := &connection{
- sshConn: sshConn{conn: c, user: fullConf.User},
- }
-
- if err := conn.clientHandshake(addr, &fullConf); err != nil {
- c.Close()
- return nil, nil, nil, fmt.Errorf("ssh: handshake failed: %w", err)
- }
- conn.mux = newMux(conn.transport)
- return conn, conn.mux.incomingChannels, conn.mux.incomingRequests, nil
-}
-
-// clientHandshake performs the client side key exchange. See RFC 4253 Section
-// 7.
-func (c *connection) clientHandshake(dialAddress string, config *ClientConfig) error {
- if config.ClientVersion != "" {
- c.clientVersion = []byte(config.ClientVersion)
- } else {
- c.clientVersion = []byte(packageVersion)
- }
- var err error
- c.serverVersion, err = exchangeVersions(c.sshConn.conn, c.clientVersion)
- if err != nil {
- return err
- }
-
- c.transport = newClientTransport(
- newTransport(c.sshConn.conn, config.Rand, true /* is client */),
- c.clientVersion, c.serverVersion, config, dialAddress, c.sshConn.RemoteAddr())
- if err := c.transport.waitSession(); err != nil {
- return err
- }
-
- c.sessionID = c.transport.getSessionID()
- return c.clientAuthenticate(config)
-}
-
-// verifyHostKeySignature verifies the host key obtained in the key exchange.
-// algo is the negotiated algorithm, and may be a certificate type.
-func verifyHostKeySignature(hostKey PublicKey, algo string, result *kexResult) error {
- sig, rest, ok := parseSignatureBody(result.Signature)
- if len(rest) > 0 || !ok {
- return errors.New("ssh: signature parse error")
- }
-
- if a := underlyingAlgo(algo); sig.Format != a {
- return fmt.Errorf("ssh: invalid signature algorithm %q, expected %q", sig.Format, a)
- }
-
- return hostKey.Verify(result.H, sig)
-}
-
-// NewSession opens a new Session for this client. (A session is a remote
-// execution of a program.)
-func (c *Client) NewSession() (*Session, error) {
- ch, in, err := c.OpenChannel("session", nil)
- if err != nil {
- return nil, err
- }
- return newSession(ch, in)
-}
-
-func (c *Client) handleGlobalRequests(incoming <-chan *Request) {
- for r := range incoming {
- // This handles keepalive messages and matches
- // the behaviour of OpenSSH.
- r.Reply(false, nil)
- }
-}
-
-// handleChannelOpens channel open messages from the remote side.
-func (c *Client) handleChannelOpens(in <-chan NewChannel) {
- for ch := range in {
- c.mu.Lock()
- handler := c.channelHandlers[ch.ChannelType()]
- c.mu.Unlock()
-
- if handler != nil {
- handler <- ch
- } else {
- ch.Reject(UnknownChannelType, fmt.Sprintf("unknown channel type: %v", ch.ChannelType()))
- }
- }
-
- c.mu.Lock()
- for _, ch := range c.channelHandlers {
- close(ch)
- }
- c.channelHandlers = nil
- c.mu.Unlock()
-}
-
-// Dial starts a client connection to the given SSH server. It is a
-// convenience function that connects to the given network address,
-// initiates the SSH handshake, and then sets up a Client. For access
-// to incoming channels and requests, use net.Dial with NewClientConn
-// instead.
-func Dial(network, addr string, config *ClientConfig) (*Client, error) {
- conn, err := net.DialTimeout(network, addr, config.Timeout)
- if err != nil {
- return nil, err
- }
- c, chans, reqs, err := NewClientConn(conn, addr, config)
- if err != nil {
- return nil, err
- }
- return NewClient(c, chans, reqs), nil
-}
-
-// HostKeyCallback is the function type used for verifying server
-// keys. A HostKeyCallback must return nil if the host key is OK, or
-// an error to reject it. It receives the hostname as passed to Dial
-// or NewClientConn. The remote address is the RemoteAddr of the
-// net.Conn underlying the SSH connection.
-type HostKeyCallback func(hostname string, remote net.Addr, key PublicKey) error
-
-// BannerCallback is the function type used for treat the banner sent by
-// the server. A BannerCallback receives the message sent by the remote server.
-type BannerCallback func(message string) error
-
-// A ClientConfig structure is used to configure a Client. It must not be
-// modified after having been passed to an SSH function.
-type ClientConfig struct {
- // Config contains configuration that is shared between clients and
- // servers.
- Config
-
- // User contains the username to authenticate as.
- User string
-
- // Auth contains possible authentication methods to use with the
- // server. Only the first instance of a particular RFC 4252 method will
- // be used during authentication.
- Auth []AuthMethod
-
- // HostKeyCallback is called during the cryptographic
- // handshake to validate the server's host key. The client
- // configuration must supply this callback for the connection
- // to succeed. The functions InsecureIgnoreHostKey or
- // FixedHostKey can be used for simplistic host key checks.
- HostKeyCallback HostKeyCallback
-
- // BannerCallback is called during the SSH dance to display a custom
- // server's message. The client configuration can supply this callback to
- // handle it as wished. The function BannerDisplayStderr can be used for
- // simplistic display on Stderr.
- BannerCallback BannerCallback
-
- // ClientVersion contains the version identification string that will
- // be used for the connection. If empty, a reasonable default is used.
- ClientVersion string
-
- // HostKeyAlgorithms lists the public key algorithms that the client will
- // accept from the server for host key authentication, in order of
- // preference. If empty, a reasonable default is used. Any
- // string returned from a PublicKey.Type method may be used, or
- // any of the CertAlgo and KeyAlgo constants.
- HostKeyAlgorithms []string
-
- // Timeout is the maximum amount of time for the TCP connection to establish.
- //
- // A Timeout of zero means no timeout.
- Timeout time.Duration
-}
-
-// InsecureIgnoreHostKey returns a function that can be used for
-// ClientConfig.HostKeyCallback to accept any host key. It should
-// not be used for production code.
-func InsecureIgnoreHostKey() HostKeyCallback {
- return func(hostname string, remote net.Addr, key PublicKey) error {
- return nil
- }
-}
-
-type fixedHostKey struct {
- key PublicKey
-}
-
-func (f *fixedHostKey) check(hostname string, remote net.Addr, key PublicKey) error {
- if f.key == nil {
- return fmt.Errorf("ssh: required host key was nil")
- }
- if !bytes.Equal(key.Marshal(), f.key.Marshal()) {
- return fmt.Errorf("ssh: host key mismatch")
- }
- return nil
-}
-
-// FixedHostKey returns a function for use in
-// ClientConfig.HostKeyCallback to accept only a specific host key.
-func FixedHostKey(key PublicKey) HostKeyCallback {
- hk := &fixedHostKey{key}
- return hk.check
-}
-
-// BannerDisplayStderr returns a function that can be used for
-// ClientConfig.BannerCallback to display banners on os.Stderr.
-func BannerDisplayStderr() BannerCallback {
- return func(banner string) error {
- _, err := os.Stderr.WriteString(banner)
-
- return err
- }
-}
diff --git a/vendor/golang.org/x/crypto/ssh/client_auth.go b/vendor/golang.org/x/crypto/ssh/client_auth.go
deleted file mode 100644
index b86dde151..000000000
--- a/vendor/golang.org/x/crypto/ssh/client_auth.go
+++ /dev/null
@@ -1,796 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
- "bytes"
- "errors"
- "fmt"
- "io"
- "strings"
-)
-
-type authResult int
-
-const (
- authFailure authResult = iota
- authPartialSuccess
- authSuccess
-)
-
-// clientAuthenticate authenticates with the remote server. See RFC 4252.
-func (c *connection) clientAuthenticate(config *ClientConfig) error {
- // initiate user auth session
- if err := c.transport.writePacket(Marshal(&serviceRequestMsg{serviceUserAuth})); err != nil {
- return err
- }
- packet, err := c.transport.readPacket()
- if err != nil {
- return err
- }
- // The server may choose to send a SSH_MSG_EXT_INFO at this point (if we
- // advertised willingness to receive one, which we always do) or not. See
- // RFC 8308, Section 2.4.
- extensions := make(map[string][]byte)
- if len(packet) > 0 && packet[0] == msgExtInfo {
- var extInfo extInfoMsg
- if err := Unmarshal(packet, &extInfo); err != nil {
- return err
- }
- payload := extInfo.Payload
- for i := uint32(0); i < extInfo.NumExtensions; i++ {
- name, rest, ok := parseString(payload)
- if !ok {
- return parseError(msgExtInfo)
- }
- value, rest, ok := parseString(rest)
- if !ok {
- return parseError(msgExtInfo)
- }
- extensions[string(name)] = value
- payload = rest
- }
- packet, err = c.transport.readPacket()
- if err != nil {
- return err
- }
- }
- var serviceAccept serviceAcceptMsg
- if err := Unmarshal(packet, &serviceAccept); err != nil {
- return err
- }
-
- // during the authentication phase the client first attempts the "none" method
- // then any untried methods suggested by the server.
- var tried []string
- var lastMethods []string
-
- sessionID := c.transport.getSessionID()
- for auth := AuthMethod(new(noneAuth)); auth != nil; {
- ok, methods, err := auth.auth(sessionID, config.User, c.transport, config.Rand, extensions)
- if err != nil {
- // On disconnect, return error immediately
- if _, ok := err.(*disconnectMsg); ok {
- return err
- }
- // We return the error later if there is no other method left to
- // try.
- ok = authFailure
- }
- if ok == authSuccess {
- // success
- return nil
- } else if ok == authFailure {
- if m := auth.method(); !contains(tried, m) {
- tried = append(tried, m)
- }
- }
- if methods == nil {
- methods = lastMethods
- }
- lastMethods = methods
-
- auth = nil
-
- findNext:
- for _, a := range config.Auth {
- candidateMethod := a.method()
- if contains(tried, candidateMethod) {
- continue
- }
- for _, meth := range methods {
- if meth == candidateMethod {
- auth = a
- break findNext
- }
- }
- }
-
- if auth == nil && err != nil {
- // We have an error and there are no other authentication methods to
- // try, so we return it.
- return err
- }
- }
- return fmt.Errorf("ssh: unable to authenticate, attempted methods %v, no supported methods remain", tried)
-}
-
-func contains(list []string, e string) bool {
- for _, s := range list {
- if s == e {
- return true
- }
- }
- return false
-}
-
-// An AuthMethod represents an instance of an RFC 4252 authentication method.
-type AuthMethod interface {
- // auth authenticates user over transport t.
- // Returns true if authentication is successful.
- // If authentication is not successful, a []string of alternative
- // method names is returned. If the slice is nil, it will be ignored
- // and the previous set of possible methods will be reused.
- auth(session []byte, user string, p packetConn, rand io.Reader, extensions map[string][]byte) (authResult, []string, error)
-
- // method returns the RFC 4252 method name.
- method() string
-}
-
-// "none" authentication, RFC 4252 section 5.2.
-type noneAuth int
-
-func (n *noneAuth) auth(session []byte, user string, c packetConn, rand io.Reader, _ map[string][]byte) (authResult, []string, error) {
- if err := c.writePacket(Marshal(&userAuthRequestMsg{
- User: user,
- Service: serviceSSH,
- Method: "none",
- })); err != nil {
- return authFailure, nil, err
- }
-
- return handleAuthResponse(c)
-}
-
-func (n *noneAuth) method() string {
- return "none"
-}
-
-// passwordCallback is an AuthMethod that fetches the password through
-// a function call, e.g. by prompting the user.
-type passwordCallback func() (password string, err error)
-
-func (cb passwordCallback) auth(session []byte, user string, c packetConn, rand io.Reader, _ map[string][]byte) (authResult, []string, error) {
- type passwordAuthMsg struct {
- User string `sshtype:"50"`
- Service string
- Method string
- Reply bool
- Password string
- }
-
- pw, err := cb()
- // REVIEW NOTE: is there a need to support skipping a password attempt?
- // The program may only find out that the user doesn't have a password
- // when prompting.
- if err != nil {
- return authFailure, nil, err
- }
-
- if err := c.writePacket(Marshal(&passwordAuthMsg{
- User: user,
- Service: serviceSSH,
- Method: cb.method(),
- Reply: false,
- Password: pw,
- })); err != nil {
- return authFailure, nil, err
- }
-
- return handleAuthResponse(c)
-}
-
-func (cb passwordCallback) method() string {
- return "password"
-}
-
-// Password returns an AuthMethod using the given password.
-func Password(secret string) AuthMethod {
- return passwordCallback(func() (string, error) { return secret, nil })
-}
-
-// PasswordCallback returns an AuthMethod that uses a callback for
-// fetching a password.
-func PasswordCallback(prompt func() (secret string, err error)) AuthMethod {
- return passwordCallback(prompt)
-}
-
-type publickeyAuthMsg struct {
- User string `sshtype:"50"`
- Service string
- Method string
- // HasSig indicates to the receiver packet that the auth request is signed and
- // should be used for authentication of the request.
- HasSig bool
- Algoname string
- PubKey []byte
- // Sig is tagged with "rest" so Marshal will exclude it during
- // validateKey
- Sig []byte `ssh:"rest"`
-}
-
-// publicKeyCallback is an AuthMethod that uses a set of key
-// pairs for authentication.
-type publicKeyCallback func() ([]Signer, error)
-
-func (cb publicKeyCallback) method() string {
- return "publickey"
-}
-
-func pickSignatureAlgorithm(signer Signer, extensions map[string][]byte) (MultiAlgorithmSigner, string, error) {
- var as MultiAlgorithmSigner
- keyFormat := signer.PublicKey().Type()
-
- // If the signer implements MultiAlgorithmSigner we use the algorithms it
- // support, if it implements AlgorithmSigner we assume it supports all
- // algorithms, otherwise only the key format one.
- switch s := signer.(type) {
- case MultiAlgorithmSigner:
- as = s
- case AlgorithmSigner:
- as = &multiAlgorithmSigner{
- AlgorithmSigner: s,
- supportedAlgorithms: algorithmsForKeyFormat(underlyingAlgo(keyFormat)),
- }
- default:
- as = &multiAlgorithmSigner{
- AlgorithmSigner: algorithmSignerWrapper{signer},
- supportedAlgorithms: []string{underlyingAlgo(keyFormat)},
- }
- }
-
- getFallbackAlgo := func() (string, error) {
- // Fallback to use if there is no "server-sig-algs" extension or a
- // common algorithm cannot be found. We use the public key format if the
- // MultiAlgorithmSigner supports it, otherwise we return an error.
- if !contains(as.Algorithms(), underlyingAlgo(keyFormat)) {
- return "", fmt.Errorf("ssh: no common public key signature algorithm, server only supports %q for key type %q, signer only supports %v",
- underlyingAlgo(keyFormat), keyFormat, as.Algorithms())
- }
- return keyFormat, nil
- }
-
- extPayload, ok := extensions["server-sig-algs"]
- if !ok {
- // If there is no "server-sig-algs" extension use the fallback
- // algorithm.
- algo, err := getFallbackAlgo()
- return as, algo, err
- }
-
- // The server-sig-algs extension only carries underlying signature
- // algorithm, but we are trying to select a protocol-level public key
- // algorithm, which might be a certificate type. Extend the list of server
- // supported algorithms to include the corresponding certificate algorithms.
- serverAlgos := strings.Split(string(extPayload), ",")
- for _, algo := range serverAlgos {
- if certAlgo, ok := certificateAlgo(algo); ok {
- serverAlgos = append(serverAlgos, certAlgo)
- }
- }
-
- // Filter algorithms based on those supported by MultiAlgorithmSigner.
- var keyAlgos []string
- for _, algo := range algorithmsForKeyFormat(keyFormat) {
- if contains(as.Algorithms(), underlyingAlgo(algo)) {
- keyAlgos = append(keyAlgos, algo)
- }
- }
-
- algo, err := findCommon("public key signature algorithm", keyAlgos, serverAlgos)
- if err != nil {
- // If there is no overlap, return the fallback algorithm to support
- // servers that fail to list all supported algorithms.
- algo, err := getFallbackAlgo()
- return as, algo, err
- }
- return as, algo, nil
-}
-
-func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand io.Reader, extensions map[string][]byte) (authResult, []string, error) {
- // Authentication is performed by sending an enquiry to test if a key is
- // acceptable to the remote. If the key is acceptable, the client will
- // attempt to authenticate with the valid key. If not the client will repeat
- // the process with the remaining keys.
-
- signers, err := cb()
- if err != nil {
- return authFailure, nil, err
- }
- var methods []string
- var errSigAlgo error
-
- origSignersLen := len(signers)
- for idx := 0; idx < len(signers); idx++ {
- signer := signers[idx]
- pub := signer.PublicKey()
- as, algo, err := pickSignatureAlgorithm(signer, extensions)
- if err != nil && errSigAlgo == nil {
- // If we cannot negotiate a signature algorithm store the first
- // error so we can return it to provide a more meaningful message if
- // no other signers work.
- errSigAlgo = err
- continue
- }
- ok, err := validateKey(pub, algo, user, c)
- if err != nil {
- return authFailure, nil, err
- }
- // OpenSSH 7.2-7.7 advertises support for rsa-sha2-256 and rsa-sha2-512
- // in the "server-sig-algs" extension but doesn't support these
- // algorithms for certificate authentication, so if the server rejects
- // the key try to use the obtained algorithm as if "server-sig-algs" had
- // not been implemented if supported from the algorithm signer.
- if !ok && idx < origSignersLen && isRSACert(algo) && algo != CertAlgoRSAv01 {
- if contains(as.Algorithms(), KeyAlgoRSA) {
- // We retry using the compat algorithm after all signers have
- // been tried normally.
- signers = append(signers, &multiAlgorithmSigner{
- AlgorithmSigner: as,
- supportedAlgorithms: []string{KeyAlgoRSA},
- })
- }
- }
- if !ok {
- continue
- }
-
- pubKey := pub.Marshal()
- data := buildDataSignedForAuth(session, userAuthRequestMsg{
- User: user,
- Service: serviceSSH,
- Method: cb.method(),
- }, algo, pubKey)
- sign, err := as.SignWithAlgorithm(rand, data, underlyingAlgo(algo))
- if err != nil {
- return authFailure, nil, err
- }
-
- // manually wrap the serialized signature in a string
- s := Marshal(sign)
- sig := make([]byte, stringLength(len(s)))
- marshalString(sig, s)
- msg := publickeyAuthMsg{
- User: user,
- Service: serviceSSH,
- Method: cb.method(),
- HasSig: true,
- Algoname: algo,
- PubKey: pubKey,
- Sig: sig,
- }
- p := Marshal(&msg)
- if err := c.writePacket(p); err != nil {
- return authFailure, nil, err
- }
- var success authResult
- success, methods, err = handleAuthResponse(c)
- if err != nil {
- return authFailure, nil, err
- }
-
- // If authentication succeeds or the list of available methods does not
- // contain the "publickey" method, do not attempt to authenticate with any
- // other keys. According to RFC 4252 Section 7, the latter can occur when
- // additional authentication methods are required.
- if success == authSuccess || !contains(methods, cb.method()) {
- return success, methods, err
- }
- }
-
- return authFailure, methods, errSigAlgo
-}
-
-// validateKey validates the key provided is acceptable to the server.
-func validateKey(key PublicKey, algo string, user string, c packetConn) (bool, error) {
- pubKey := key.Marshal()
- msg := publickeyAuthMsg{
- User: user,
- Service: serviceSSH,
- Method: "publickey",
- HasSig: false,
- Algoname: algo,
- PubKey: pubKey,
- }
- if err := c.writePacket(Marshal(&msg)); err != nil {
- return false, err
- }
-
- return confirmKeyAck(key, c)
-}
-
-func confirmKeyAck(key PublicKey, c packetConn) (bool, error) {
- pubKey := key.Marshal()
-
- for {
- packet, err := c.readPacket()
- if err != nil {
- return false, err
- }
- switch packet[0] {
- case msgUserAuthBanner:
- if err := handleBannerResponse(c, packet); err != nil {
- return false, err
- }
- case msgUserAuthPubKeyOk:
- var msg userAuthPubKeyOkMsg
- if err := Unmarshal(packet, &msg); err != nil {
- return false, err
- }
- // According to RFC 4252 Section 7 the algorithm in
- // SSH_MSG_USERAUTH_PK_OK should match that of the request but some
- // servers send the key type instead. OpenSSH allows any algorithm
- // that matches the public key, so we do the same.
- // https://github.com/openssh/openssh-portable/blob/86bdd385/sshconnect2.c#L709
- if !contains(algorithmsForKeyFormat(key.Type()), msg.Algo) {
- return false, nil
- }
- if !bytes.Equal(msg.PubKey, pubKey) {
- return false, nil
- }
- return true, nil
- case msgUserAuthFailure:
- return false, nil
- default:
- return false, unexpectedMessageError(msgUserAuthPubKeyOk, packet[0])
- }
- }
-}
-
-// PublicKeys returns an AuthMethod that uses the given key
-// pairs.
-func PublicKeys(signers ...Signer) AuthMethod {
- return publicKeyCallback(func() ([]Signer, error) { return signers, nil })
-}
-
-// PublicKeysCallback returns an AuthMethod that runs the given
-// function to obtain a list of key pairs.
-func PublicKeysCallback(getSigners func() (signers []Signer, err error)) AuthMethod {
- return publicKeyCallback(getSigners)
-}
-
-// handleAuthResponse returns whether the preceding authentication request succeeded
-// along with a list of remaining authentication methods to try next and
-// an error if an unexpected response was received.
-func handleAuthResponse(c packetConn) (authResult, []string, error) {
- gotMsgExtInfo := false
- for {
- packet, err := c.readPacket()
- if err != nil {
- return authFailure, nil, err
- }
-
- switch packet[0] {
- case msgUserAuthBanner:
- if err := handleBannerResponse(c, packet); err != nil {
- return authFailure, nil, err
- }
- case msgExtInfo:
- // Ignore post-authentication RFC 8308 extensions, once.
- if gotMsgExtInfo {
- return authFailure, nil, unexpectedMessageError(msgUserAuthSuccess, packet[0])
- }
- gotMsgExtInfo = true
- case msgUserAuthFailure:
- var msg userAuthFailureMsg
- if err := Unmarshal(packet, &msg); err != nil {
- return authFailure, nil, err
- }
- if msg.PartialSuccess {
- return authPartialSuccess, msg.Methods, nil
- }
- return authFailure, msg.Methods, nil
- case msgUserAuthSuccess:
- return authSuccess, nil, nil
- default:
- return authFailure, nil, unexpectedMessageError(msgUserAuthSuccess, packet[0])
- }
- }
-}
-
-func handleBannerResponse(c packetConn, packet []byte) error {
- var msg userAuthBannerMsg
- if err := Unmarshal(packet, &msg); err != nil {
- return err
- }
-
- transport, ok := c.(*handshakeTransport)
- if !ok {
- return nil
- }
-
- if transport.bannerCallback != nil {
- return transport.bannerCallback(msg.Message)
- }
-
- return nil
-}
-
-// KeyboardInteractiveChallenge should print questions, optionally
-// disabling echoing (e.g. for passwords), and return all the answers.
-// Challenge may be called multiple times in a single session.
After -// successful authentication, the server may send a challenge with no -// questions, for which the name and instruction messages should be -// printed. RFC 4256 section 3.3 details how the UI should behave for -// both CLI and GUI environments. -type KeyboardInteractiveChallenge func(name, instruction string, questions []string, echos []bool) (answers []string, err error) - -// KeyboardInteractive returns an AuthMethod using a prompt/response -// sequence controlled by the server. -func KeyboardInteractive(challenge KeyboardInteractiveChallenge) AuthMethod { - return challenge -} - -func (cb KeyboardInteractiveChallenge) method() string { - return "keyboard-interactive" -} - -func (cb KeyboardInteractiveChallenge) auth(session []byte, user string, c packetConn, rand io.Reader, _ map[string][]byte) (authResult, []string, error) { - type initiateMsg struct { - User string `sshtype:"50"` - Service string - Method string - Language string - Submethods string - } - - if err := c.writePacket(Marshal(&initiateMsg{ - User: user, - Service: serviceSSH, - Method: "keyboard-interactive", - })); err != nil { - return authFailure, nil, err - } - - gotMsgExtInfo := false - gotUserAuthInfoRequest := false - for { - packet, err := c.readPacket() - if err != nil { - return authFailure, nil, err - } - - // like handleAuthResponse, but with less options. - switch packet[0] { - case msgUserAuthBanner: - if err := handleBannerResponse(c, packet); err != nil { - return authFailure, nil, err - } - continue - case msgExtInfo: - // Ignore post-authentication RFC 8308 extensions, once. 
- if gotMsgExtInfo { - return authFailure, nil, unexpectedMessageError(msgUserAuthInfoRequest, packet[0]) - } - gotMsgExtInfo = true - continue - case msgUserAuthInfoRequest: - // OK - case msgUserAuthFailure: - var msg userAuthFailureMsg - if err := Unmarshal(packet, &msg); err != nil { - return authFailure, nil, err - } - if msg.PartialSuccess { - return authPartialSuccess, msg.Methods, nil - } - if !gotUserAuthInfoRequest { - return authFailure, msg.Methods, unexpectedMessageError(msgUserAuthInfoRequest, packet[0]) - } - return authFailure, msg.Methods, nil - case msgUserAuthSuccess: - return authSuccess, nil, nil - default: - return authFailure, nil, unexpectedMessageError(msgUserAuthInfoRequest, packet[0]) - } - - var msg userAuthInfoRequestMsg - if err := Unmarshal(packet, &msg); err != nil { - return authFailure, nil, err - } - gotUserAuthInfoRequest = true - - // Manually unpack the prompt/echo pairs. - rest := msg.Prompts - var prompts []string - var echos []bool - for i := 0; i < int(msg.NumPrompts); i++ { - prompt, r, ok := parseString(rest) - if !ok || len(r) == 0 { - return authFailure, nil, errors.New("ssh: prompt format error") - } - prompts = append(prompts, string(prompt)) - echos = append(echos, r[0] != 0) - rest = r[1:] - } - - if len(rest) != 0 { - return authFailure, nil, errors.New("ssh: extra data following keyboard-interactive pairs") - } - - answers, err := cb(msg.Name, msg.Instruction, prompts, echos) - if err != nil { - return authFailure, nil, err - } - - if len(answers) != len(prompts) { - return authFailure, nil, fmt.Errorf("ssh: incorrect number of answers from keyboard-interactive callback %d (expected %d)", len(answers), len(prompts)) - } - responseLength := 1 + 4 - for _, a := range answers { - responseLength += stringLength(len(a)) - } - serialized := make([]byte, responseLength) - p := serialized - p[0] = msgUserAuthInfoResponse - p = p[1:] - p = marshalUint32(p, uint32(len(answers))) - for _, a := range answers { - p = 
marshalString(p, []byte(a)) - } - - if err := c.writePacket(serialized); err != nil { - return authFailure, nil, err - } - } -} - -type retryableAuthMethod struct { - authMethod AuthMethod - maxTries int -} - -func (r *retryableAuthMethod) auth(session []byte, user string, c packetConn, rand io.Reader, extensions map[string][]byte) (ok authResult, methods []string, err error) { - for i := 0; r.maxTries <= 0 || i < r.maxTries; i++ { - ok, methods, err = r.authMethod.auth(session, user, c, rand, extensions) - if ok != authFailure || err != nil { // either success, partial success or error terminate - return ok, methods, err - } - } - return ok, methods, err -} - -func (r *retryableAuthMethod) method() string { - return r.authMethod.method() -} - -// RetryableAuthMethod is a decorator for other auth methods enabling them to -// be retried up to maxTries before considering that AuthMethod itself failed. -// If maxTries is <= 0, will retry indefinitely -// -// This is useful for interactive clients using challenge/response type -// authentication (e.g. Keyboard-Interactive, Password, etc) where the user -// could mistype their response resulting in the server issuing a -// SSH_MSG_USERAUTH_FAILURE (rfc4252 #8 [password] and rfc4256 #3.4 -// [keyboard-interactive]); Without this decorator, the non-retryable -// AuthMethod would be removed from future consideration, and never tried again -// (and so the user would never be able to retry their entry). -func RetryableAuthMethod(auth AuthMethod, maxTries int) AuthMethod { - return &retryableAuthMethod{authMethod: auth, maxTries: maxTries} -} - -// GSSAPIWithMICAuthMethod is an AuthMethod with "gssapi-with-mic" authentication. -// See RFC 4462 section 3 -// gssAPIClient is implementation of the GSSAPIClient interface, see the definition of the interface for details. -// target is the server host you want to log in to. 
-func GSSAPIWithMICAuthMethod(gssAPIClient GSSAPIClient, target string) AuthMethod { - if gssAPIClient == nil { - panic("gss-api client must be not nil with enable gssapi-with-mic") - } - return &gssAPIWithMICCallback{gssAPIClient: gssAPIClient, target: target} -} - -type gssAPIWithMICCallback struct { - gssAPIClient GSSAPIClient - target string -} - -func (g *gssAPIWithMICCallback) auth(session []byte, user string, c packetConn, rand io.Reader, _ map[string][]byte) (authResult, []string, error) { - m := &userAuthRequestMsg{ - User: user, - Service: serviceSSH, - Method: g.method(), - } - // The GSS-API authentication method is initiated when the client sends an SSH_MSG_USERAUTH_REQUEST. - // See RFC 4462 section 3.2. - m.Payload = appendU32(m.Payload, 1) - m.Payload = appendString(m.Payload, string(krb5OID)) - if err := c.writePacket(Marshal(m)); err != nil { - return authFailure, nil, err - } - // The server responds to the SSH_MSG_USERAUTH_REQUEST with either an - // SSH_MSG_USERAUTH_FAILURE if none of the mechanisms are supported or - // with an SSH_MSG_USERAUTH_GSSAPI_RESPONSE. - // See RFC 4462 section 3.3. - // OpenSSH supports Kerberos V5 mechanism only for GSS-API authentication,so I don't want to check - // selected mech if it is valid. - packet, err := c.readPacket() - if err != nil { - return authFailure, nil, err - } - userAuthGSSAPIResp := &userAuthGSSAPIResponse{} - if err := Unmarshal(packet, userAuthGSSAPIResp); err != nil { - return authFailure, nil, err - } - // Start the loop into the exchange token. - // See RFC 4462 section 3.4. - var token []byte - defer g.gssAPIClient.DeleteSecContext() - for { - // Initiates the establishment of a security context between the application and a remote peer. 
- nextToken, needContinue, err := g.gssAPIClient.InitSecContext("host@"+g.target, token, false) - if err != nil { - return authFailure, nil, err - } - if len(nextToken) > 0 { - if err := c.writePacket(Marshal(&userAuthGSSAPIToken{ - Token: nextToken, - })); err != nil { - return authFailure, nil, err - } - } - if !needContinue { - break - } - packet, err = c.readPacket() - if err != nil { - return authFailure, nil, err - } - switch packet[0] { - case msgUserAuthFailure: - var msg userAuthFailureMsg - if err := Unmarshal(packet, &msg); err != nil { - return authFailure, nil, err - } - if msg.PartialSuccess { - return authPartialSuccess, msg.Methods, nil - } - return authFailure, msg.Methods, nil - case msgUserAuthGSSAPIError: - userAuthGSSAPIErrorResp := &userAuthGSSAPIError{} - if err := Unmarshal(packet, userAuthGSSAPIErrorResp); err != nil { - return authFailure, nil, err - } - return authFailure, nil, fmt.Errorf("GSS-API Error:\n"+ - "Major Status: %d\n"+ - "Minor Status: %d\n"+ - "Error Message: %s\n", userAuthGSSAPIErrorResp.MajorStatus, userAuthGSSAPIErrorResp.MinorStatus, - userAuthGSSAPIErrorResp.Message) - case msgUserAuthGSSAPIToken: - userAuthGSSAPITokenReq := &userAuthGSSAPIToken{} - if err := Unmarshal(packet, userAuthGSSAPITokenReq); err != nil { - return authFailure, nil, err - } - token = userAuthGSSAPITokenReq.Token - } - } - // Binding Encryption Keys. - // See RFC 4462 section 3.5. - micField := buildMIC(string(session), user, "ssh-connection", "gssapi-with-mic") - micToken, err := g.gssAPIClient.GetMIC(micField) - if err != nil { - return authFailure, nil, err - } - if err := c.writePacket(Marshal(&userAuthGSSAPIMIC{ - MIC: micToken, - })); err != nil { - return authFailure, nil, err - } - return handleAuthResponse(c) -} - -func (g *gssAPIWithMICCallback) method() string { - return "gssapi-with-mic" -} 
diff --git a/vendor/golang.org/x/crypto/ssh/common.go b/vendor/golang.org/x/crypto/ssh/common.go
deleted file mode 100644
index 7e9c2cbc6..000000000
--- a/vendor/golang.org/x/crypto/ssh/common.go
+++ /dev/null
@@ -1,476 +0,0 @@ -// Copyright 2011 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package ssh - -import ( - "crypto" - "crypto/rand" - "fmt" - "io" - "math" - "sync" - - _ "crypto/sha1" - _ "crypto/sha256" - _ "crypto/sha512" -) - -// These are string constants in the SSH protocol. -const ( - compressionNone = "none" - serviceUserAuth = "ssh-userauth" - serviceSSH = "ssh-connection" -) - -// supportedCiphers lists ciphers we support but might not recommend. -var supportedCiphers = []string{ - "aes128-ctr", "aes192-ctr", "aes256-ctr", - "aes128-gcm@openssh.com", gcm256CipherID, - chacha20Poly1305ID, - "arcfour256", "arcfour128", "arcfour", - aes128cbcID, - tripledescbcID, -} - -// preferredCiphers specifies the default preference for ciphers. -var preferredCiphers = []string{ - "aes128-gcm@openssh.com", gcm256CipherID, - chacha20Poly1305ID, - "aes128-ctr", "aes192-ctr", "aes256-ctr", -} - -// supportedKexAlgos specifies the supported key-exchange algorithms in -// preference order. -var supportedKexAlgos = []string{ - kexAlgoCurve25519SHA256, kexAlgoCurve25519SHA256LibSSH, - // P384 and P521 are not constant-time yet, but since we don't - // reuse ephemeral keys, using them for ECDH should be OK. - kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521, - kexAlgoDH14SHA256, kexAlgoDH16SHA512, kexAlgoDH14SHA1, - kexAlgoDH1SHA1, -} - -// serverForbiddenKexAlgos contains key exchange algorithms, that are forbidden -// for the server half. -var serverForbiddenKexAlgos = map[string]struct{}{ - kexAlgoDHGEXSHA1: {}, // server half implementation is only minimal to satisfy the automated tests - kexAlgoDHGEXSHA256: {}, // server half implementation is only minimal to satisfy the automated tests -} - -// preferredKexAlgos specifies the default preference for key-exchange -// algorithms in preference order. 
The diffie-hellman-group16-sha512 algorithm -// is disabled by default because it is a bit slower than the others. -var preferredKexAlgos = []string{ - kexAlgoCurve25519SHA256, kexAlgoCurve25519SHA256LibSSH, - kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521, - kexAlgoDH14SHA256, kexAlgoDH14SHA1, -} - -// supportedHostKeyAlgos specifies the supported host-key algorithms (i.e. methods -// of authenticating servers) in preference order. -var supportedHostKeyAlgos = []string{ - CertAlgoRSASHA256v01, CertAlgoRSASHA512v01, - CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, - CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01, - - KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521, - KeyAlgoRSASHA256, KeyAlgoRSASHA512, - KeyAlgoRSA, KeyAlgoDSA, - - KeyAlgoED25519, -} - -// supportedMACs specifies a default set of MAC algorithms in preference order. -// This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed -// because they have reached the end of their useful life. -var supportedMACs = []string{ - "hmac-sha2-256-etm@openssh.com", "hmac-sha2-512-etm@openssh.com", "hmac-sha2-256", "hmac-sha2-512", "hmac-sha1", "hmac-sha1-96", -} - -var supportedCompressions = []string{compressionNone} - -// hashFuncs keeps the mapping of supported signature algorithms to their -// respective hashes needed for signing and verification. -var hashFuncs = map[string]crypto.Hash{ - KeyAlgoRSA: crypto.SHA1, - KeyAlgoRSASHA256: crypto.SHA256, - KeyAlgoRSASHA512: crypto.SHA512, - KeyAlgoDSA: crypto.SHA1, - KeyAlgoECDSA256: crypto.SHA256, - KeyAlgoECDSA384: crypto.SHA384, - KeyAlgoECDSA521: crypto.SHA512, - // KeyAlgoED25519 doesn't pre-hash. - KeyAlgoSKECDSA256: crypto.SHA256, - KeyAlgoSKED25519: crypto.SHA256, -} - -// algorithmsForKeyFormat returns the supported signature algorithms for a given -// public key format (PublicKey.Type), in order of preference. See RFC 8332, -// Section 2. See also the note in sendKexInit on backwards compatibility. 
-func algorithmsForKeyFormat(keyFormat string) []string { - switch keyFormat { - case KeyAlgoRSA: - return []string{KeyAlgoRSASHA256, KeyAlgoRSASHA512, KeyAlgoRSA} - case CertAlgoRSAv01: - return []string{CertAlgoRSASHA256v01, CertAlgoRSASHA512v01, CertAlgoRSAv01} - default: - return []string{keyFormat} - } -} - -// isRSA returns whether algo is a supported RSA algorithm, including certificate -// algorithms. -func isRSA(algo string) bool { - algos := algorithmsForKeyFormat(KeyAlgoRSA) - return contains(algos, underlyingAlgo(algo)) -} - -func isRSACert(algo string) bool { - _, ok := certKeyAlgoNames[algo] - if !ok { - return false - } - return isRSA(algo) -} - -// supportedPubKeyAuthAlgos specifies the supported client public key -// authentication algorithms. Note that this doesn't include certificate types -// since those use the underlying algorithm. This list is sent to the client if -// it supports the server-sig-algs extension. Order is irrelevant. -var supportedPubKeyAuthAlgos = []string{ - KeyAlgoED25519, - KeyAlgoSKED25519, KeyAlgoSKECDSA256, - KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521, - KeyAlgoRSASHA256, KeyAlgoRSASHA512, KeyAlgoRSA, - KeyAlgoDSA, -} - -// unexpectedMessageError results when the SSH message that we received didn't -// match what we wanted. -func unexpectedMessageError(expected, got uint8) error { - return fmt.Errorf("ssh: unexpected message type %d (expected %d)", got, expected) -} - -// parseError results from a malformed SSH message. 
-func parseError(tag uint8) error { - return fmt.Errorf("ssh: parse error in message type %d", tag) -} - -func findCommon(what string, client []string, server []string) (common string, err error) { - for _, c := range client { - for _, s := range server { - if c == s { - return c, nil - } - } - } - return "", fmt.Errorf("ssh: no common algorithm for %s; client offered: %v, server offered: %v", what, client, server) -} - -// directionAlgorithms records algorithm choices in one direction (either read or write) -type directionAlgorithms struct { - Cipher string - MAC string - Compression string -} - -// rekeyBytes returns a rekeying intervals in bytes. -func (a *directionAlgorithms) rekeyBytes() int64 { - // According to RFC 4344 block ciphers should rekey after - // 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is - // 128. - switch a.Cipher { - case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcm128CipherID, gcm256CipherID, aes128cbcID: - return 16 * (1 << 32) - - } - - // For others, stick with RFC 4253 recommendation to rekey after 1 Gb of data. 
- return 1 << 30 -} - -var aeadCiphers = map[string]bool{ - gcm128CipherID: true, - gcm256CipherID: true, - chacha20Poly1305ID: true, -} - -type algorithms struct { - kex string - hostKey string - w directionAlgorithms - r directionAlgorithms -} - -func findAgreedAlgorithms(isClient bool, clientKexInit, serverKexInit *kexInitMsg) (algs *algorithms, err error) { - result := &algorithms{} - - result.kex, err = findCommon("key exchange", clientKexInit.KexAlgos, serverKexInit.KexAlgos) - if err != nil { - return - } - - result.hostKey, err = findCommon("host key", clientKexInit.ServerHostKeyAlgos, serverKexInit.ServerHostKeyAlgos) - if err != nil { - return - } - - stoc, ctos := &result.w, &result.r - if isClient { - ctos, stoc = stoc, ctos - } - - ctos.Cipher, err = findCommon("client to server cipher", clientKexInit.CiphersClientServer, serverKexInit.CiphersClientServer) - if err != nil { - return - } - - stoc.Cipher, err = findCommon("server to client cipher", clientKexInit.CiphersServerClient, serverKexInit.CiphersServerClient) - if err != nil { - return - } - - if !aeadCiphers[ctos.Cipher] { - ctos.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer) - if err != nil { - return - } - } - - if !aeadCiphers[stoc.Cipher] { - stoc.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient) - if err != nil { - return - } - } - - ctos.Compression, err = findCommon("client to server compression", clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer) - if err != nil { - return - } - - stoc.Compression, err = findCommon("server to client compression", clientKexInit.CompressionServerClient, serverKexInit.CompressionServerClient) - if err != nil { - return - } - - return result, nil -} - -// If rekeythreshold is too small, we can't make any progress sending -// stuff. 
-const minRekeyThreshold uint64 = 256 - -// Config contains configuration data common to both ServerConfig and -// ClientConfig. -type Config struct { - // Rand provides the source of entropy for cryptographic - // primitives. If Rand is nil, the cryptographic random reader - // in package crypto/rand will be used. - Rand io.Reader - - // The maximum number of bytes sent or received after which a - // new key is negotiated. It must be at least 256. If - // unspecified, a size suitable for the chosen cipher is used. - RekeyThreshold uint64 - - // The allowed key exchanges algorithms. If unspecified then a default set - // of algorithms is used. Unsupported values are silently ignored. - KeyExchanges []string - - // The allowed cipher algorithms. If unspecified then a sensible default is - // used. Unsupported values are silently ignored. - Ciphers []string - - // The allowed MAC algorithms. If unspecified then a sensible default is - // used. Unsupported values are silently ignored. - MACs []string -} - -// SetDefaults sets sensible values for unset fields in config. This is -// exported for testing: Configs passed to SSH functions are copied and have -// default values set automatically. -func (c *Config) SetDefaults() { - if c.Rand == nil { - c.Rand = rand.Reader - } - if c.Ciphers == nil { - c.Ciphers = preferredCiphers - } - var ciphers []string - for _, c := range c.Ciphers { - if cipherModes[c] != nil { - // Ignore the cipher if we have no cipherModes definition. - ciphers = append(ciphers, c) - } - } - c.Ciphers = ciphers - - if c.KeyExchanges == nil { - c.KeyExchanges = preferredKexAlgos - } - var kexs []string - for _, k := range c.KeyExchanges { - if kexAlgoMap[k] != nil { - // Ignore the KEX if we have no kexAlgoMap definition. 
- kexs = append(kexs, k) - } - } - c.KeyExchanges = kexs - - if c.MACs == nil { - c.MACs = supportedMACs - } - var macs []string - for _, m := range c.MACs { - if macModes[m] != nil { - // Ignore the MAC if we have no macModes definition. - macs = append(macs, m) - } - } - c.MACs = macs - - if c.RekeyThreshold == 0 { - // cipher specific default - } else if c.RekeyThreshold < minRekeyThreshold { - c.RekeyThreshold = minRekeyThreshold - } else if c.RekeyThreshold >= math.MaxInt64 { - // Avoid weirdness if somebody uses -1 as a threshold. - c.RekeyThreshold = math.MaxInt64 - } -} - -// buildDataSignedForAuth returns the data that is signed in order to prove -// possession of a private key. See RFC 4252, section 7. algo is the advertised -// algorithm, and may be a certificate type. -func buildDataSignedForAuth(sessionID []byte, req userAuthRequestMsg, algo string, pubKey []byte) []byte { - data := struct { - Session []byte - Type byte - User string - Service string - Method string - Sign bool - Algo string - PubKey []byte - }{ - sessionID, - msgUserAuthRequest, - req.User, - req.Service, - req.Method, - true, - algo, - pubKey, - } - return Marshal(data) -} - -func appendU16(buf []byte, n uint16) []byte { - return append(buf, byte(n>>8), byte(n)) -} - -func appendU32(buf []byte, n uint32) []byte { - return append(buf, byte(n>>24), byte(n>>16), byte(n>>8), byte(n)) -} - -func appendU64(buf []byte, n uint64) []byte { - return append(buf, - byte(n>>56), byte(n>>48), byte(n>>40), byte(n>>32), - byte(n>>24), byte(n>>16), byte(n>>8), byte(n)) -} - -func appendInt(buf []byte, n int) []byte { - return appendU32(buf, uint32(n)) -} - -func appendString(buf []byte, s string) []byte { - buf = appendU32(buf, uint32(len(s))) - buf = append(buf, s...) - return buf -} - -func appendBool(buf []byte, b bool) []byte { - if b { - return append(buf, 1) - } - return append(buf, 0) -} - -// newCond is a helper to hide the fact that there is no usable zero -// value for sync.Cond. 
-func newCond() *sync.Cond { return sync.NewCond(new(sync.Mutex)) } - -// window represents the buffer available to clients -// wishing to write to a channel. -type window struct { - *sync.Cond - win uint32 // RFC 4254 5.2 says the window size can grow to 2^32-1 - writeWaiters int - closed bool -} - -// add adds win to the amount of window available -// for consumers. -func (w *window) add(win uint32) bool { - // a zero sized window adjust is a noop. - if win == 0 { - return true - } - w.L.Lock() - if w.win+win < win { - w.L.Unlock() - return false - } - w.win += win - // It is unusual that multiple goroutines would be attempting to reserve - // window space, but not guaranteed. Use broadcast to notify all waiters - // that additional window is available. - w.Broadcast() - w.L.Unlock() - return true -} - -// close sets the window to closed, so all reservations fail -// immediately. -func (w *window) close() { - w.L.Lock() - w.closed = true - w.Broadcast() - w.L.Unlock() -} - -// reserve reserves win from the available window capacity. -// If no capacity remains, reserve will block. reserve may -// return less than requested. -func (w *window) reserve(win uint32) (uint32, error) { - var err error - w.L.Lock() - w.writeWaiters++ - w.Broadcast() - for w.win == 0 && !w.closed { - w.Wait() - } - w.writeWaiters-- - if w.win < win { - win = w.win - } - w.win -= win - if w.closed { - err = io.EOF - } - w.L.Unlock() - return win, err -} - -// waitWriterBlocked waits until some goroutine is blocked for further -// writes. It is used in tests only. -func (w *window) waitWriterBlocked() { - w.Cond.L.Lock() - for w.writeWaiters == 0 { - w.Cond.Wait() - } - w.Cond.L.Unlock() -} diff --git a/vendor/golang.org/x/crypto/ssh/connection.go b/vendor/golang.org/x/crypto/ssh/connection.go deleted file mode 100644 index 8f345ee92..000000000 --- a/vendor/golang.org/x/crypto/ssh/connection.go +++ /dev/null 
@@ -1,143 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
- "fmt"
- "net"
-)
-
-// OpenChannelError is returned if the other side rejects an
-// OpenChannel request.
-type OpenChannelError struct {
- Reason RejectionReason
- Message string
-}
-
-func (e *OpenChannelError) Error() string {
- return fmt.Sprintf("ssh: rejected: %s (%s)", e.Reason, e.Message)
-}
-
-// ConnMetadata holds metadata for the connection.
-type ConnMetadata interface {
- // User returns the user ID for this connection.
- User() string
-
- // SessionID returns the session hash, also denoted by H.
- SessionID() []byte
-
- // ClientVersion returns the client's version string as hashed
- // into the session ID.
- ClientVersion() []byte
-
- // ServerVersion returns the server's version string as hashed
- // into the session ID.
- ServerVersion() []byte
-
- // RemoteAddr returns the remote address for this connection.
- RemoteAddr() net.Addr
-
- // LocalAddr returns the local address for this connection.
- LocalAddr() net.Addr
-}
-
-// Conn represents an SSH connection for both server and client roles.
-// Conn is the basis for implementing an application layer, such
-// as ClientConn, which implements the traditional shell access for
-// clients.
-type Conn interface {
- ConnMetadata
-
- // SendRequest sends a global request, and returns the
- // reply. If wantReply is true, it returns the response status
- // and payload. See also RFC 4254, section 4.
- SendRequest(name string, wantReply bool, payload []byte) (bool, []byte, error)
-
- // OpenChannel tries to open an channel. If the request is
- // rejected, it returns *OpenChannelError. On success it returns
- // the SSH Channel and a Go channel for incoming, out-of-band
- // requests. The Go channel must be serviced, or the
- // connection will hang.
- OpenChannel(name string, data []byte) (Channel, <-chan *Request, error)
-
- // Close closes the underlying network connection
- Close() error
-
- // Wait blocks until the connection has shut down, and returns the
- // error causing the shutdown.
- Wait() error
-
- // TODO(hanwen): consider exposing:
- // RequestKeyChange
- // Disconnect
-}
-
-// DiscardRequests consumes and rejects all requests from the
-// passed-in channel.
-func DiscardRequests(in <-chan *Request) {
- for req := range in {
- if req.WantReply {
- req.Reply(false, nil)
- }
- }
-}
-
-// A connection represents an incoming connection.
-type connection struct {
- transport *handshakeTransport
- sshConn
-
- // The connection protocol.
- *mux
-}
-
-func (c *connection) Close() error {
- return c.sshConn.conn.Close()
-}
-
-// sshConn provides net.Conn metadata, but disallows direct reads and
-// writes.
-type sshConn struct {
- conn net.Conn
-
- user string
- sessionID []byte
- clientVersion []byte
- serverVersion []byte
-}
-
-func dup(src []byte) []byte {
- dst := make([]byte, len(src))
- copy(dst, src)
- return dst
-}
-
-func (c *sshConn) User() string {
- return c.user
-}
-
-func (c *sshConn) RemoteAddr() net.Addr {
- return c.conn.RemoteAddr()
-}
-
-func (c *sshConn) Close() error {
- return c.conn.Close()
-}
-
-func (c *sshConn) LocalAddr() net.Addr {
- return c.conn.LocalAddr()
-}
-
-func (c *sshConn) SessionID() []byte {
- return dup(c.sessionID)
-}
-
-func (c *sshConn) ClientVersion() []byte {
- return dup(c.clientVersion)
-}
-
-func (c *sshConn) ServerVersion() []byte {
- return dup(c.serverVersion)
-}
diff --git a/vendor/golang.org/x/crypto/ssh/doc.go b/vendor/golang.org/x/crypto/ssh/doc.go
deleted file mode 100644
index f5d352fe3..000000000
--- a/vendor/golang.org/x/crypto/ssh/doc.go
+++ /dev/null
@@ -1,23 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-/*
-Package ssh implements an SSH client and server.
-
-SSH is a transport security protocol, an authentication protocol and a
-family of application protocols. The most typical application level
-protocol is a remote shell and this is specifically implemented. However,
-the multiplexed nature of SSH is exposed to users that wish to support
-others.
-
-References:
-
- [PROTOCOL]: https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL?rev=HEAD
- [PROTOCOL.certkeys]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
- [SSH-PARAMETERS]: http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xml#ssh-parameters-1
-
-This package does not fall under the stability promise of the Go language itself,
-so its API may be changed when pressing needs arise.
-*/
-package ssh
diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
deleted file mode 100644
index fef687db0..000000000
--- a/vendor/golang.org/x/crypto/ssh/handshake.go
+++ /dev/null
@@ -1,816 +0,0 @@ -// Copyright 2013 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package ssh - -import ( - "crypto/rand" - "errors" - "fmt" - "io" - "log" - "net" - "strings" - "sync" -) - -// debugHandshake, if set, prints messages sent and received. Key -// exchange messages are printed as if DH were used, so the debug -// messages are wrong when using ECDH. -const debugHandshake = false - -// chanSize sets the amount of buffering SSH connections. This is -// primarily for testing: setting chanSize=0 uncovers deadlocks more -// quickly. -const chanSize = 16 - -// keyingTransport is a packet based transport that supports key -// changes. It need not be thread-safe. It should pass through -// msgNewKeys in both directions. -type keyingTransport interface { - packetConn - - // prepareKeyChange sets up a key change. The key change for a - // direction will be effected if a msgNewKeys message is sent - // or received. - prepareKeyChange(*algorithms, *kexResult) error - - // setStrictMode sets the strict KEX mode, notably triggering - // sequence number resets on sending or receiving msgNewKeys. - // If the sequence number is already > 1 when setStrictMode - // is called, an error is returned. - setStrictMode() error - - // setInitialKEXDone indicates to the transport that the initial key exchange - // was completed - setInitialKEXDone() -} - -// handshakeTransport implements rekeying on top of a keyingTransport -// and offers a thread-safe writePacket() interface. -type handshakeTransport struct { - conn keyingTransport - config *Config - - serverVersion []byte - clientVersion []byte - - // hostKeys is non-empty if we are the server. In that case, - // it contains all host keys that can be used to sign the - // connection. - hostKeys []Signer - - // publicKeyAuthAlgorithms is non-empty if we are the server. 
In that case, - // it contains the supported client public key authentication algorithms. - publicKeyAuthAlgorithms []string - - // hostKeyAlgorithms is non-empty if we are the client. In that case, - // we accept these key types from the server as host key. - hostKeyAlgorithms []string - - // On read error, incoming is closed, and readError is set. - incoming chan []byte - readError error - - mu sync.Mutex - writeError error - sentInitPacket []byte - sentInitMsg *kexInitMsg - pendingPackets [][]byte // Used when a key exchange is in progress. - writePacketsLeft uint32 - writeBytesLeft int64 - userAuthComplete bool // whether the user authentication phase is complete - - // If the read loop wants to schedule a kex, it pings this - // channel, and the write loop will send out a kex - // message. - requestKex chan struct{} - - // If the other side requests or confirms a kex, its kexInit - // packet is sent here for the write loop to find it. - startKex chan *pendingKex - kexLoopDone chan struct{} // closed (with writeError non-nil) when kexLoop exits - - // data for host key checking - hostKeyCallback HostKeyCallback - dialAddress string - remoteAddr net.Addr - - // bannerCallback is non-empty if we are the client and it has been set in - // ClientConfig. In that case it is called during the user authentication - // dance to handle a custom server's message. - bannerCallback BannerCallback - - // Algorithms agreed in the last key exchange. - algorithms *algorithms - - // Counters exclusively owned by readLoop. - readPacketsLeft uint32 - readBytesLeft int64 - - // The session ID or nil if first kex did not complete yet. - sessionID []byte - - // strictMode indicates if the other side of the handshake indicated - // that we should be following the strict KEX protocol restrictions. 
- strictMode bool -} - -type pendingKex struct { - otherInit []byte - done chan error -} - -func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion, serverVersion []byte) *handshakeTransport { - t := &handshakeTransport{ - conn: conn, - serverVersion: serverVersion, - clientVersion: clientVersion, - incoming: make(chan []byte, chanSize), - requestKex: make(chan struct{}, 1), - startKex: make(chan *pendingKex), - kexLoopDone: make(chan struct{}), - - config: config, - } - t.resetReadThresholds() - t.resetWriteThresholds() - - // We always start with a mandatory key exchange. - t.requestKex <- struct{}{} - return t -} - -func newClientTransport(conn keyingTransport, clientVersion, serverVersion []byte, config *ClientConfig, dialAddr string, addr net.Addr) *handshakeTransport { - t := newHandshakeTransport(conn, &config.Config, clientVersion, serverVersion) - t.dialAddress = dialAddr - t.remoteAddr = addr - t.hostKeyCallback = config.HostKeyCallback - t.bannerCallback = config.BannerCallback - if config.HostKeyAlgorithms != nil { - t.hostKeyAlgorithms = config.HostKeyAlgorithms - } else { - t.hostKeyAlgorithms = supportedHostKeyAlgos - } - go t.readLoop() - go t.kexLoop() - return t -} - -func newServerTransport(conn keyingTransport, clientVersion, serverVersion []byte, config *ServerConfig) *handshakeTransport { - t := newHandshakeTransport(conn, &config.Config, clientVersion, serverVersion) - t.hostKeys = config.hostKeys - t.publicKeyAuthAlgorithms = config.PublicKeyAuthAlgorithms - go t.readLoop() - go t.kexLoop() - return t -} - -func (t *handshakeTransport) getSessionID() []byte { - return t.sessionID -} - -// waitSession waits for the session to be established. This should be -// the first thing to call after instantiating handshakeTransport. 
-func (t *handshakeTransport) waitSession() error { - p, err := t.readPacket() - if err != nil { - return err - } - if p[0] != msgNewKeys { - return fmt.Errorf("ssh: first packet should be msgNewKeys") - } - - return nil -} - -func (t *handshakeTransport) id() string { - if len(t.hostKeys) > 0 { - return "server" - } - return "client" -} - -func (t *handshakeTransport) printPacket(p []byte, write bool) { - action := "got" - if write { - action = "sent" - } - - if p[0] == msgChannelData || p[0] == msgChannelExtendedData { - log.Printf("%s %s data (packet %d bytes)", t.id(), action, len(p)) - } else { - msg, err := decode(p) - log.Printf("%s %s %T %v (%v)", t.id(), action, msg, msg, err) - } -} - -func (t *handshakeTransport) readPacket() ([]byte, error) { - p, ok := <-t.incoming - if !ok { - return nil, t.readError - } - return p, nil -} - -func (t *handshakeTransport) readLoop() { - first := true - for { - p, err := t.readOnePacket(first) - first = false - if err != nil { - t.readError = err - close(t.incoming) - break - } - // If this is the first kex, and strict KEX mode is enabled, - // we don't ignore any messages, as they may be used to manipulate - // the packet sequence numbers. - if !(t.sessionID == nil && t.strictMode) && (p[0] == msgIgnore || p[0] == msgDebug) { - continue - } - t.incoming <- p - } - - // Stop writers too. - t.recordWriteError(t.readError) - - // Unblock the writer should it wait for this. - close(t.startKex) - - // Don't close t.requestKex; it's also written to from writePacket. 
-} - -func (t *handshakeTransport) pushPacket(p []byte) error { - if debugHandshake { - t.printPacket(p, true) - } - return t.conn.writePacket(p) -} - -func (t *handshakeTransport) getWriteError() error { - t.mu.Lock() - defer t.mu.Unlock() - return t.writeError -} - -func (t *handshakeTransport) recordWriteError(err error) { - t.mu.Lock() - defer t.mu.Unlock() - if t.writeError == nil && err != nil { - t.writeError = err - } -} - -func (t *handshakeTransport) requestKeyExchange() { - select { - case t.requestKex <- struct{}{}: - default: - // something already requested a kex, so do nothing. - } -} - -func (t *handshakeTransport) resetWriteThresholds() { - t.writePacketsLeft = packetRekeyThreshold - if t.config.RekeyThreshold > 0 { - t.writeBytesLeft = int64(t.config.RekeyThreshold) - } else if t.algorithms != nil { - t.writeBytesLeft = t.algorithms.w.rekeyBytes() - } else { - t.writeBytesLeft = 1 << 30 - } -} - -func (t *handshakeTransport) kexLoop() { - -write: - for t.getWriteError() == nil { - var request *pendingKex - var sent bool - - for request == nil || !sent { - var ok bool - select { - case request, ok = <-t.startKex: - if !ok { - break write - } - case <-t.requestKex: - break - } - - if !sent { - if err := t.sendKexInit(); err != nil { - t.recordWriteError(err) - break - } - sent = true - } - } - - if err := t.getWriteError(); err != nil { - if request != nil { - request.done <- err - } - break - } - - // We're not servicing t.requestKex, but that is OK: - // we never block on sending to t.requestKex. - - // We're not servicing t.startKex, but the remote end - // has just sent us a kexInitMsg, so it can't send - // another key change request, until we close the done - // channel on the pendingKex request. - - err := t.enterKeyExchange(request.otherInit) - - t.mu.Lock() - t.writeError = err - t.sentInitPacket = nil - t.sentInitMsg = nil - - t.resetWriteThresholds() - - // we have completed the key exchange. 
Since the - // reader is still blocked, it is safe to clear out - // the requestKex channel. This avoids the situation - // where: 1) we consumed our own request for the - // initial kex, and 2) the kex from the remote side - // caused another send on the requestKex channel, - clear: - for { - select { - case <-t.requestKex: - // - default: - break clear - } - } - - request.done <- t.writeError - - // kex finished. Push packets that we received while - // the kex was in progress. Don't look at t.startKex - // and don't increment writtenSinceKex: if we trigger - // another kex while we are still busy with the last - // one, things will become very confusing. - for _, p := range t.pendingPackets { - t.writeError = t.pushPacket(p) - if t.writeError != nil { - break - } - } - t.pendingPackets = t.pendingPackets[:0] - t.mu.Unlock() - } - - // Unblock reader. - t.conn.Close() - - // drain startKex channel. We don't service t.requestKex - // because nobody does blocking sends there. - for request := range t.startKex { - request.done <- t.getWriteError() - } - - // Mark that the loop is done so that Close can return. - close(t.kexLoopDone) -} - -// The protocol uses uint32 for packet counters, so we can't let them -// reach 1<<32. We will actually read and write more packets than -// this, though: the other side may send more packets, and after we -// hit this limit on writing we will send a few more packets for the -// key exchange itself. 
-const packetRekeyThreshold = (1 << 31) - -func (t *handshakeTransport) resetReadThresholds() { - t.readPacketsLeft = packetRekeyThreshold - if t.config.RekeyThreshold > 0 { - t.readBytesLeft = int64(t.config.RekeyThreshold) - } else if t.algorithms != nil { - t.readBytesLeft = t.algorithms.r.rekeyBytes() - } else { - t.readBytesLeft = 1 << 30 - } -} - -func (t *handshakeTransport) readOnePacket(first bool) ([]byte, error) { - p, err := t.conn.readPacket() - if err != nil { - return nil, err - } - - if t.readPacketsLeft > 0 { - t.readPacketsLeft-- - } else { - t.requestKeyExchange() - } - - if t.readBytesLeft > 0 { - t.readBytesLeft -= int64(len(p)) - } else { - t.requestKeyExchange() - } - - if debugHandshake { - t.printPacket(p, false) - } - - if first && p[0] != msgKexInit { - return nil, fmt.Errorf("ssh: first packet should be msgKexInit") - } - - if p[0] != msgKexInit { - return p, nil - } - - firstKex := t.sessionID == nil - - kex := pendingKex{ - done: make(chan error, 1), - otherInit: p, - } - t.startKex <- &kex - err = <-kex.done - - if debugHandshake { - log.Printf("%s exited key exchange (first %v), err %v", t.id(), firstKex, err) - } - - if err != nil { - return nil, err - } - - t.resetReadThresholds() - - // By default, a key exchange is hidden from higher layers by - // translating it into msgIgnore. - successPacket := []byte{msgIgnore} - if firstKex { - // sendKexInit() for the first kex waits for - // msgNewKeys so the authentication process is - // guaranteed to happen over an encrypted transport. - successPacket = []byte{msgNewKeys} - } - - return successPacket, nil -} - -const ( - kexStrictClient = "kex-strict-c-v00@openssh.com" - kexStrictServer = "kex-strict-s-v00@openssh.com" -) - -// sendKexInit sends a key change message. 
-func (t *handshakeTransport) sendKexInit() error { - t.mu.Lock() - defer t.mu.Unlock() - if t.sentInitMsg != nil { - // kexInits may be sent either in response to the other side, - // or because our side wants to initiate a key change, so we - // may have already sent a kexInit. In that case, don't send a - // second kexInit. - return nil - } - - msg := &kexInitMsg{ - CiphersClientServer: t.config.Ciphers, - CiphersServerClient: t.config.Ciphers, - MACsClientServer: t.config.MACs, - MACsServerClient: t.config.MACs, - CompressionClientServer: supportedCompressions, - CompressionServerClient: supportedCompressions, - } - io.ReadFull(rand.Reader, msg.Cookie[:]) - - // We mutate the KexAlgos slice, in order to add the kex-strict extension algorithm, - // and possibly to add the ext-info extension algorithm. Since the slice may be the - // user owned KeyExchanges, we create our own slice in order to avoid using user - // owned memory by mistake. - msg.KexAlgos = make([]string, 0, len(t.config.KeyExchanges)+2) // room for kex-strict and ext-info - msg.KexAlgos = append(msg.KexAlgos, t.config.KeyExchanges...) - - isServer := len(t.hostKeys) > 0 - if isServer { - for _, k := range t.hostKeys { - // If k is a MultiAlgorithmSigner, we restrict the signature - // algorithms. If k is a AlgorithmSigner, presume it supports all - // signature algorithms associated with the key format. If k is not - // an AlgorithmSigner, we can only assume it only supports the - // algorithms that matches the key format. (This means that Sign - // can't pick a different default). - keyFormat := k.PublicKey().Type() - - switch s := k.(type) { - case MultiAlgorithmSigner: - for _, algo := range algorithmsForKeyFormat(keyFormat) { - if contains(s.Algorithms(), underlyingAlgo(algo)) { - msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, algo) - } - } - case AlgorithmSigner: - msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, algorithmsForKeyFormat(keyFormat)...) 
- default: - msg.ServerHostKeyAlgos = append(msg.ServerHostKeyAlgos, keyFormat) - } - } - - if t.sessionID == nil { - msg.KexAlgos = append(msg.KexAlgos, kexStrictServer) - } - } else { - msg.ServerHostKeyAlgos = t.hostKeyAlgorithms - - // As a client we opt in to receiving SSH_MSG_EXT_INFO so we know what - // algorithms the server supports for public key authentication. See RFC - // 8308, Section 2.1. - // - // We also send the strict KEX mode extension algorithm, in order to opt - // into the strict KEX mode. - if firstKeyExchange := t.sessionID == nil; firstKeyExchange { - msg.KexAlgos = append(msg.KexAlgos, "ext-info-c") - msg.KexAlgos = append(msg.KexAlgos, kexStrictClient) - } - - } - - packet := Marshal(msg) - - // writePacket destroys the contents, so save a copy. - packetCopy := make([]byte, len(packet)) - copy(packetCopy, packet) - - if err := t.pushPacket(packetCopy); err != nil { - return err - } - - t.sentInitMsg = msg - t.sentInitPacket = packet - - return nil -} - -var errSendBannerPhase = errors.New("ssh: SendAuthBanner outside of authentication phase") - -func (t *handshakeTransport) writePacket(p []byte) error { - t.mu.Lock() - defer t.mu.Unlock() - - switch p[0] { - case msgKexInit: - return errors.New("ssh: only handshakeTransport can send kexInit") - case msgNewKeys: - return errors.New("ssh: only handshakeTransport can send newKeys") - case msgUserAuthBanner: - if t.userAuthComplete { - return errSendBannerPhase - } - case msgUserAuthSuccess: - t.userAuthComplete = true - } - - if t.writeError != nil { - return t.writeError - } - - if t.sentInitMsg != nil { - // Copy the packet so the writer can reuse the buffer. 
- cp := make([]byte, len(p)) - copy(cp, p) - t.pendingPackets = append(t.pendingPackets, cp) - return nil - } - - if t.writeBytesLeft > 0 { - t.writeBytesLeft -= int64(len(p)) - } else { - t.requestKeyExchange() - } - - if t.writePacketsLeft > 0 { - t.writePacketsLeft-- - } else { - t.requestKeyExchange() - } - - if err := t.pushPacket(p); err != nil { - t.writeError = err - } - - return nil -} - -func (t *handshakeTransport) Close() error { - // Close the connection. This should cause the readLoop goroutine to wake up - // and close t.startKex, which will shut down kexLoop if running. - err := t.conn.Close() - - // Wait for the kexLoop goroutine to complete. - // At that point we know that the readLoop goroutine is complete too, - // because kexLoop itself waits for readLoop to close the startKex channel. - <-t.kexLoopDone - - return err -} - -func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error { - if debugHandshake { - log.Printf("%s entered key exchange", t.id()) - } - - otherInit := &kexInitMsg{} - if err := Unmarshal(otherInitPacket, otherInit); err != nil { - return err - } - - magics := handshakeMagics{ - clientVersion: t.clientVersion, - serverVersion: t.serverVersion, - clientKexInit: otherInitPacket, - serverKexInit: t.sentInitPacket, - } - - clientInit := otherInit - serverInit := t.sentInitMsg - isClient := len(t.hostKeys) == 0 - if isClient { - clientInit, serverInit = serverInit, clientInit - - magics.clientKexInit = t.sentInitPacket - magics.serverKexInit = otherInitPacket - } - - var err error - t.algorithms, err = findAgreedAlgorithms(isClient, clientInit, serverInit) - if err != nil { - return err - } - - if t.sessionID == nil && ((isClient && contains(serverInit.KexAlgos, kexStrictServer)) || (!isClient && contains(clientInit.KexAlgos, kexStrictClient))) { - t.strictMode = true - if err := t.conn.setStrictMode(); err != nil { - return err - } - } - - // We don't send FirstKexFollows, but we handle receiving it. 
- // - // RFC 4253 section 7 defines the kex and the agreement method for - // first_kex_packet_follows. It states that the guessed packet - // should be ignored if the "kex algorithm and/or the host - // key algorithm is guessed wrong (server and client have - // different preferred algorithm), or if any of the other - // algorithms cannot be agreed upon". The other algorithms have - // already been checked above so the kex algorithm and host key - // algorithm are checked here. - if otherInit.FirstKexFollows && (clientInit.KexAlgos[0] != serverInit.KexAlgos[0] || clientInit.ServerHostKeyAlgos[0] != serverInit.ServerHostKeyAlgos[0]) { - // other side sent a kex message for the wrong algorithm, - // which we have to ignore. - if _, err := t.conn.readPacket(); err != nil { - return err - } - } - - kex, ok := kexAlgoMap[t.algorithms.kex] - if !ok { - return fmt.Errorf("ssh: unexpected key exchange algorithm %v", t.algorithms.kex) - } - - var result *kexResult - if len(t.hostKeys) > 0 { - result, err = t.server(kex, &magics) - } else { - result, err = t.client(kex, &magics) - } - - if err != nil { - return err - } - - firstKeyExchange := t.sessionID == nil - if firstKeyExchange { - t.sessionID = result.H - } - result.SessionID = t.sessionID - - if err := t.conn.prepareKeyChange(t.algorithms, result); err != nil { - return err - } - if err = t.conn.writePacket([]byte{msgNewKeys}); err != nil { - return err - } - - // On the server side, after the first SSH_MSG_NEWKEYS, send a SSH_MSG_EXT_INFO - // message with the server-sig-algs extension if the client supports it. See - // RFC 8308, Sections 2.4 and 3.1, and [PROTOCOL], Section 1.9. 
- if !isClient && firstKeyExchange && contains(clientInit.KexAlgos, "ext-info-c") { - supportedPubKeyAuthAlgosList := strings.Join(t.publicKeyAuthAlgorithms, ",") - extInfo := &extInfoMsg{ - NumExtensions: 2, - Payload: make([]byte, 0, 4+15+4+len(supportedPubKeyAuthAlgosList)+4+16+4+1), - } - extInfo.Payload = appendInt(extInfo.Payload, len("server-sig-algs")) - extInfo.Payload = append(extInfo.Payload, "server-sig-algs"...) - extInfo.Payload = appendInt(extInfo.Payload, len(supportedPubKeyAuthAlgosList)) - extInfo.Payload = append(extInfo.Payload, supportedPubKeyAuthAlgosList...) - extInfo.Payload = appendInt(extInfo.Payload, len("ping@openssh.com")) - extInfo.Payload = append(extInfo.Payload, "ping@openssh.com"...) - extInfo.Payload = appendInt(extInfo.Payload, 1) - extInfo.Payload = append(extInfo.Payload, "0"...) - if err := t.conn.writePacket(Marshal(extInfo)); err != nil { - return err - } - } - - if packet, err := t.conn.readPacket(); err != nil { - return err - } else if packet[0] != msgNewKeys { - return unexpectedMessageError(msgNewKeys, packet[0]) - } - - if firstKeyExchange { - // Indicates to the transport that the first key exchange is completed - // after receiving SSH_MSG_NEWKEYS. - t.conn.setInitialKEXDone() - } - - return nil -} - -// algorithmSignerWrapper is an AlgorithmSigner that only supports the default -// key format algorithm. -// -// This is technically a violation of the AlgorithmSigner interface, but it -// should be unreachable given where we use this. Anyway, at least it returns an -// error instead of panicing or producing an incorrect signature. 
-type algorithmSignerWrapper struct { - Signer -} - -func (a algorithmSignerWrapper) SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*Signature, error) { - if algorithm != underlyingAlgo(a.PublicKey().Type()) { - return nil, errors.New("ssh: internal error: algorithmSignerWrapper invoked with non-default algorithm") - } - return a.Sign(rand, data) -} - -func pickHostKey(hostKeys []Signer, algo string) AlgorithmSigner { - for _, k := range hostKeys { - if s, ok := k.(MultiAlgorithmSigner); ok { - if !contains(s.Algorithms(), underlyingAlgo(algo)) { - continue - } - } - - if algo == k.PublicKey().Type() { - return algorithmSignerWrapper{k} - } - - k, ok := k.(AlgorithmSigner) - if !ok { - continue - } - for _, a := range algorithmsForKeyFormat(k.PublicKey().Type()) { - if algo == a { - return k - } - } - } - return nil -} - -func (t *handshakeTransport) server(kex kexAlgorithm, magics *handshakeMagics) (*kexResult, error) { - hostKey := pickHostKey(t.hostKeys, t.algorithms.hostKey) - if hostKey == nil { - return nil, errors.New("ssh: internal error: negotiated unsupported signature type") - } - - r, err := kex.Server(t.conn, t.config.Rand, magics, hostKey, t.algorithms.hostKey) - return r, err -} - -func (t *handshakeTransport) client(kex kexAlgorithm, magics *handshakeMagics) (*kexResult, error) { - result, err := kex.Client(t.conn, t.config.Rand, magics) - if err != nil { - return nil, err - } - - hostKey, err := ParsePublicKey(result.HostKey) - if err != nil { - return nil, err - } - - if err := verifyHostKeySignature(hostKey, t.algorithms.hostKey, result); err != nil { - return nil, err - } - - err = t.hostKeyCallback(t.dialAddress, t.remoteAddr, hostKey) - if err != nil { - return nil, err - } - - return result, nil -} diff --git a/vendor/golang.org/x/crypto/ssh/internal/bcrypt_pbkdf/bcrypt_pbkdf.go b/vendor/golang.org/x/crypto/ssh/internal/bcrypt_pbkdf/bcrypt_pbkdf.go deleted file mode 100644 index af81d2665..000000000 
--- a/vendor/golang.org/x/crypto/ssh/internal/bcrypt_pbkdf/bcrypt_pbkdf.go
+++ /dev/null
@@ -1,93 +0,0 @@
-// Copyright 2014 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-// Package bcrypt_pbkdf implements bcrypt_pbkdf(3) from OpenBSD.
-//
-// See https://flak.tedunangst.com/post/bcrypt-pbkdf and
-// https://cvsweb.openbsd.org/cgi-bin/cvsweb/src/lib/libutil/bcrypt_pbkdf.c.
-package bcrypt_pbkdf
-
-import (
- "crypto/sha512"
- "errors"
- "golang.org/x/crypto/blowfish"
-)
-
-const blockSize = 32
-
-// Key derives a key from the password, salt and rounds count, returning a
-// []byte of length keyLen that can be used as cryptographic key.
-func Key(password, salt []byte, rounds, keyLen int) ([]byte, error) {
- if rounds < 1 {
- return nil, errors.New("bcrypt_pbkdf: number of rounds is too small")
- }
- if len(password) == 0 {
- return nil, errors.New("bcrypt_pbkdf: empty password")
- }
- if len(salt) == 0 || len(salt) > 1<<20 {
- return nil, errors.New("bcrypt_pbkdf: bad salt length")
- }
- if keyLen > 1024 {
- return nil, errors.New("bcrypt_pbkdf: keyLen is too large")
- }
-
- numBlocks := (keyLen + blockSize - 1) / blockSize
- key := make([]byte, numBlocks*blockSize)
-
- h := sha512.New()
- h.Write(password)
- shapass := h.Sum(nil)
-
- shasalt := make([]byte, 0, sha512.Size)
- cnt, tmp := make([]byte, 4), make([]byte, blockSize)
- for block := 1; block <= numBlocks; block++ {
- h.Reset()
- h.Write(salt)
- cnt[0] = byte(block >> 24)
- cnt[1] = byte(block >> 16)
- cnt[2] = byte(block >> 8)
- cnt[3] = byte(block)
- h.Write(cnt)
- bcryptHash(tmp, shapass, h.Sum(shasalt))
-
- out := make([]byte, blockSize)
- copy(out, tmp)
- for i := 2; i <= rounds; i++ {
- h.Reset()
- h.Write(tmp)
- bcryptHash(tmp, shapass, h.Sum(shasalt))
- for j := 0; j < len(out); j++ {
- out[j] ^= tmp[j]
- }
- }
-
- for i, v := range out {
- key[i*numBlocks+(block-1)] = v
- }
- }
- return key[:keyLen], nil
-}
-
-var magic = []byte("OxychromaticBlowfishSwatDynamite")
-
-func bcryptHash(out, shapass, shasalt []byte) {
- c, err := blowfish.NewSaltedCipher(shapass, shasalt)
- if err != nil {
- panic(err)
- }
- for i := 0; i < 64; i++ {
- blowfish.ExpandKey(shasalt, c)
- blowfish.ExpandKey(shapass, c)
- }
- copy(out, magic)
- for i := 0; i < 32; i += 8 {
- for j := 0; j < 64; j++ {
- c.Encrypt(out[i:i+8], out[i:i+8])
- }
- }
- // Swap bytes due to different endianness.
- for i := 0; i < 32; i += 4 {
- out[i+3], out[i+2], out[i+1], out[i] = out[i], out[i+1], out[i+2], out[i+3]
- }
-}
diff --git a/vendor/golang.org/x/crypto/ssh/kex.go b/vendor/golang.org/x/crypto/ssh/kex.go
deleted file mode 100644
index 8a05f7990..000000000
--- a/vendor/golang.org/x/crypto/ssh/kex.go
+++ /dev/null
@@ -1,786 +0,0 @@ -// Copyright 2013 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package ssh - -import ( - "crypto" - "crypto/ecdsa" - "crypto/elliptic" - "crypto/rand" - "crypto/subtle" - "encoding/binary" - "errors" - "fmt" - "io" - "math/big" - - "golang.org/x/crypto/curve25519" -) - -const ( - kexAlgoDH1SHA1 = "diffie-hellman-group1-sha1" - kexAlgoDH14SHA1 = "diffie-hellman-group14-sha1" - kexAlgoDH14SHA256 = "diffie-hellman-group14-sha256" - kexAlgoDH16SHA512 = "diffie-hellman-group16-sha512" - kexAlgoECDH256 = "ecdh-sha2-nistp256" - kexAlgoECDH384 = "ecdh-sha2-nistp384" - kexAlgoECDH521 = "ecdh-sha2-nistp521" - kexAlgoCurve25519SHA256LibSSH = "curve25519-sha256@libssh.org" - kexAlgoCurve25519SHA256 = "curve25519-sha256" - - // For the following kex only the client half contains a production - // ready implementation. The server half only consists of a minimal - // implementation to satisfy the automated tests. - kexAlgoDHGEXSHA1 = "diffie-hellman-group-exchange-sha1" - kexAlgoDHGEXSHA256 = "diffie-hellman-group-exchange-sha256" -) - -// kexResult captures the outcome of a key exchange. -type kexResult struct { - // Session hash. See also RFC 4253, section 8. - H []byte - - // Shared secret. See also RFC 4253, section 8. - K []byte - - // Host key as hashed into H. - HostKey []byte - - // Signature of H. - Signature []byte - - // A cryptographic hash function that matches the security - // level of the key exchange algorithm. It is used for - // calculating H, and for deriving keys from H and K. - Hash crypto.Hash - - // The session ID, which is the first H computed. This is used - // to derive key material inside the transport. - SessionID []byte -} - -// handshakeMagics contains data that is always included in the -// session hash. 
-type handshakeMagics struct { - clientVersion, serverVersion []byte - clientKexInit, serverKexInit []byte -} - -func (m *handshakeMagics) write(w io.Writer) { - writeString(w, m.clientVersion) - writeString(w, m.serverVersion) - writeString(w, m.clientKexInit) - writeString(w, m.serverKexInit) -} - -// kexAlgorithm abstracts different key exchange algorithms. -type kexAlgorithm interface { - // Server runs server-side key agreement, signing the result - // with a hostkey. algo is the negotiated algorithm, and may - // be a certificate type. - Server(p packetConn, rand io.Reader, magics *handshakeMagics, s AlgorithmSigner, algo string) (*kexResult, error) - - // Client runs the client-side key agreement. Caller is - // responsible for verifying the host key signature. - Client(p packetConn, rand io.Reader, magics *handshakeMagics) (*kexResult, error) -} - -// dhGroup is a multiplicative group suitable for implementing Diffie-Hellman key agreement. -type dhGroup struct { - g, p, pMinus1 *big.Int - hashFunc crypto.Hash -} - -func (group *dhGroup) diffieHellman(theirPublic, myPrivate *big.Int) (*big.Int, error) { - if theirPublic.Cmp(bigOne) <= 0 || theirPublic.Cmp(group.pMinus1) >= 0 { - return nil, errors.New("ssh: DH parameter out of bounds") - } - return new(big.Int).Exp(theirPublic, myPrivate, group.p), nil -} - -func (group *dhGroup) Client(c packetConn, randSource io.Reader, magics *handshakeMagics) (*kexResult, error) { - var x *big.Int - for { - var err error - if x, err = rand.Int(randSource, group.pMinus1); err != nil { - return nil, err - } - if x.Sign() > 0 { - break - } - } - - X := new(big.Int).Exp(group.g, x, group.p) - kexDHInit := kexDHInitMsg{ - X: X, - } - if err := c.writePacket(Marshal(&kexDHInit)); err != nil { - return nil, err - } - - packet, err := c.readPacket() - if err != nil { - return nil, err - } - - var kexDHReply kexDHReplyMsg - if err = Unmarshal(packet, &kexDHReply); err != nil { - return nil, err - } - - ki, err := 
group.diffieHellman(kexDHReply.Y, x) - if err != nil { - return nil, err - } - - h := group.hashFunc.New() - magics.write(h) - writeString(h, kexDHReply.HostKey) - writeInt(h, X) - writeInt(h, kexDHReply.Y) - K := make([]byte, intLength(ki)) - marshalInt(K, ki) - h.Write(K) - - return &kexResult{ - H: h.Sum(nil), - K: K, - HostKey: kexDHReply.HostKey, - Signature: kexDHReply.Signature, - Hash: group.hashFunc, - }, nil -} - -func (group *dhGroup) Server(c packetConn, randSource io.Reader, magics *handshakeMagics, priv AlgorithmSigner, algo string) (result *kexResult, err error) { - packet, err := c.readPacket() - if err != nil { - return - } - var kexDHInit kexDHInitMsg - if err = Unmarshal(packet, &kexDHInit); err != nil { - return - } - - var y *big.Int - for { - if y, err = rand.Int(randSource, group.pMinus1); err != nil { - return - } - if y.Sign() > 0 { - break - } - } - - Y := new(big.Int).Exp(group.g, y, group.p) - ki, err := group.diffieHellman(kexDHInit.X, y) - if err != nil { - return nil, err - } - - hostKeyBytes := priv.PublicKey().Marshal() - - h := group.hashFunc.New() - magics.write(h) - writeString(h, hostKeyBytes) - writeInt(h, kexDHInit.X) - writeInt(h, Y) - - K := make([]byte, intLength(ki)) - marshalInt(K, ki) - h.Write(K) - - H := h.Sum(nil) - - // H is already a hash, but the hostkey signing will apply its - // own key-specific hash algorithm. - sig, err := signAndMarshal(priv, randSource, H, algo) - if err != nil { - return nil, err - } - - kexDHReply := kexDHReplyMsg{ - HostKey: hostKeyBytes, - Y: Y, - Signature: sig, - } - packet = Marshal(&kexDHReply) - - err = c.writePacket(packet) - return &kexResult{ - H: H, - K: K, - HostKey: hostKeyBytes, - Signature: sig, - Hash: group.hashFunc, - }, err -} - -// ecdh performs Elliptic Curve Diffie-Hellman key exchange as -// described in RFC 5656, section 4. 
-type ecdh struct { - curve elliptic.Curve -} - -func (kex *ecdh) Client(c packetConn, rand io.Reader, magics *handshakeMagics) (*kexResult, error) { - ephKey, err := ecdsa.GenerateKey(kex.curve, rand) - if err != nil { - return nil, err - } - - kexInit := kexECDHInitMsg{ - ClientPubKey: elliptic.Marshal(kex.curve, ephKey.PublicKey.X, ephKey.PublicKey.Y), - } - - serialized := Marshal(&kexInit) - if err := c.writePacket(serialized); err != nil { - return nil, err - } - - packet, err := c.readPacket() - if err != nil { - return nil, err - } - - var reply kexECDHReplyMsg - if err = Unmarshal(packet, &reply); err != nil { - return nil, err - } - - x, y, err := unmarshalECKey(kex.curve, reply.EphemeralPubKey) - if err != nil { - return nil, err - } - - // generate shared secret - secret, _ := kex.curve.ScalarMult(x, y, ephKey.D.Bytes()) - - h := ecHash(kex.curve).New() - magics.write(h) - writeString(h, reply.HostKey) - writeString(h, kexInit.ClientPubKey) - writeString(h, reply.EphemeralPubKey) - K := make([]byte, intLength(secret)) - marshalInt(K, secret) - h.Write(K) - - return &kexResult{ - H: h.Sum(nil), - K: K, - HostKey: reply.HostKey, - Signature: reply.Signature, - Hash: ecHash(kex.curve), - }, nil -} - -// unmarshalECKey parses and checks an EC key. -func unmarshalECKey(curve elliptic.Curve, pubkey []byte) (x, y *big.Int, err error) { - x, y = elliptic.Unmarshal(curve, pubkey) - if x == nil { - return nil, nil, errors.New("ssh: elliptic.Unmarshal failure") - } - if !validateECPublicKey(curve, x, y) { - return nil, nil, errors.New("ssh: public key not on curve") - } - return x, y, nil -} - -// validateECPublicKey checks that the point is a valid public key for -// the given curve. 
See [SEC1], 3.2.2 -func validateECPublicKey(curve elliptic.Curve, x, y *big.Int) bool { - if x.Sign() == 0 && y.Sign() == 0 { - return false - } - - if x.Cmp(curve.Params().P) >= 0 { - return false - } - - if y.Cmp(curve.Params().P) >= 0 { - return false - } - - if !curve.IsOnCurve(x, y) { - return false - } - - // We don't check if N * PubKey == 0, since - // - // - the NIST curves have cofactor = 1, so this is implicit. - // (We don't foresee an implementation that supports non NIST - // curves) - // - // - for ephemeral keys, we don't need to worry about small - // subgroup attacks. - return true -} - -func (kex *ecdh) Server(c packetConn, rand io.Reader, magics *handshakeMagics, priv AlgorithmSigner, algo string) (result *kexResult, err error) { - packet, err := c.readPacket() - if err != nil { - return nil, err - } - - var kexECDHInit kexECDHInitMsg - if err = Unmarshal(packet, &kexECDHInit); err != nil { - return nil, err - } - - clientX, clientY, err := unmarshalECKey(kex.curve, kexECDHInit.ClientPubKey) - if err != nil { - return nil, err - } - - // We could cache this key across multiple users/multiple - // connection attempts, but the benefit is small. OpenSSH - // generates a new key for each incoming connection. - ephKey, err := ecdsa.GenerateKey(kex.curve, rand) - if err != nil { - return nil, err - } - - hostKeyBytes := priv.PublicKey().Marshal() - - serializedEphKey := elliptic.Marshal(kex.curve, ephKey.PublicKey.X, ephKey.PublicKey.Y) - - // generate shared secret - secret, _ := kex.curve.ScalarMult(clientX, clientY, ephKey.D.Bytes()) - - h := ecHash(kex.curve).New() - magics.write(h) - writeString(h, hostKeyBytes) - writeString(h, kexECDHInit.ClientPubKey) - writeString(h, serializedEphKey) - - K := make([]byte, intLength(secret)) - marshalInt(K, secret) - h.Write(K) - - H := h.Sum(nil) - - // H is already a hash, but the hostkey signing will apply its - // own key-specific hash algorithm. 
- sig, err := signAndMarshal(priv, rand, H, algo)
- if err != nil {
- return nil, err
- }
-
- reply := kexECDHReplyMsg{
- EphemeralPubKey: serializedEphKey,
- HostKey: hostKeyBytes,
- Signature: sig,
- }
-
- serialized := Marshal(&reply)
- if err := c.writePacket(serialized); err != nil {
- return nil, err
- }
-
- return &kexResult{
- H: H,
- K: K,
- HostKey: reply.HostKey,
- Signature: sig,
- Hash: ecHash(kex.curve),
- }, nil
-}
-
-// ecHash returns the hash to match the given elliptic curve, see RFC
-// 5656, section 6.2.1
-func ecHash(curve elliptic.Curve) crypto.Hash {
- bitSize := curve.Params().BitSize
- switch {
- case bitSize <= 256:
- return crypto.SHA256
- case bitSize <= 384:
- return crypto.SHA384
- }
- return crypto.SHA512
-}
-
-var kexAlgoMap = map[string]kexAlgorithm{}
-
-func init() {
- // This is the group called diffie-hellman-group1-sha1 in
- // RFC 4253 and Oakley Group 2 in RFC 2409.
- p, _ := new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
- kexAlgoMap[kexAlgoDH1SHA1] = &dhGroup{
- g: new(big.Int).SetInt64(2),
- p: p,
- pMinus1: new(big.Int).Sub(p, bigOne),
- hashFunc: crypto.SHA1,
- }
-
- // This are the groups called diffie-hellman-group14-sha1 and
- // diffie-hellman-group14-sha256 in RFC 4253 and RFC 8268,
- // and Oakley Group 14 in RFC 3526.
- p, _ = new(big.Int).SetString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group14 := &dhGroup{ - g: new(big.Int).SetInt64(2), - p: p, - pMinus1: new(big.Int).Sub(p, bigOne), - } - - kexAlgoMap[kexAlgoDH14SHA1] = &dhGroup{ - g: group14.g, p: group14.p, pMinus1: group14.pMinus1, - hashFunc: crypto.SHA1, - } - kexAlgoMap[kexAlgoDH14SHA256] = &dhGroup{ - g: group14.g, p: group14.p, pMinus1: group14.pMinus1, - hashFunc: crypto.SHA256, - } - - // This is the group called diffie-hellman-group16-sha512 in RFC - // 8268 and Oakley Group 16 in RFC 3526. - p, _ = new(big.Int).SetString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kexAlgoMap[kexAlgoDH16SHA512] = &dhGroup{ - g: new(big.Int).SetInt64(2), - p: p, - pMinus1: new(big.Int).Sub(p, bigOne), - hashFunc: crypto.SHA512, - } - - kexAlgoMap[kexAlgoECDH521] = &ecdh{elliptic.P521()} - kexAlgoMap[kexAlgoECDH384] = &ecdh{elliptic.P384()} - kexAlgoMap[kexAlgoECDH256] = &ecdh{elliptic.P256()} - kexAlgoMap[kexAlgoCurve25519SHA256] = &curve25519sha256{} - kexAlgoMap[kexAlgoCurve25519SHA256LibSSH] = &curve25519sha256{} - kexAlgoMap[kexAlgoDHGEXSHA1] = &dhGEXSHA{hashFunc: crypto.SHA1} - kexAlgoMap[kexAlgoDHGEXSHA256] = &dhGEXSHA{hashFunc: crypto.SHA256} -} - -// curve25519sha256 implements the curve25519-sha256 (formerly known as -// curve25519-sha256@libssh.org) key exchange method, as described in RFC 8731. -type curve25519sha256 struct{} - -type curve25519KeyPair struct { - priv [32]byte - pub [32]byte -} - -func (kp *curve25519KeyPair) generate(rand io.Reader) error { - if _, err := io.ReadFull(rand, kp.priv[:]); err != nil { - return err - } - curve25519.ScalarBaseMult(&kp.pub, &kp.priv) - return nil -} - -// curve25519Zeros is just an array of 32 zero bytes so that we have something -// convenient to compare against in order to reject curve25519 points with the -// wrong order. 
-var curve25519Zeros [32]byte - -func (kex *curve25519sha256) Client(c packetConn, rand io.Reader, magics *handshakeMagics) (*kexResult, error) { - var kp curve25519KeyPair - if err := kp.generate(rand); err != nil { - return nil, err - } - if err := c.writePacket(Marshal(&kexECDHInitMsg{kp.pub[:]})); err != nil { - return nil, err - } - - packet, err := c.readPacket() - if err != nil { - return nil, err - } - - var reply kexECDHReplyMsg - if err = Unmarshal(packet, &reply); err != nil { - return nil, err - } - if len(reply.EphemeralPubKey) != 32 { - return nil, errors.New("ssh: peer's curve25519 public value has wrong length") - } - - var servPub, secret [32]byte - copy(servPub[:], reply.EphemeralPubKey) - curve25519.ScalarMult(&secret, &kp.priv, &servPub) - if subtle.ConstantTimeCompare(secret[:], curve25519Zeros[:]) == 1 { - return nil, errors.New("ssh: peer's curve25519 public value has wrong order") - } - - h := crypto.SHA256.New() - magics.write(h) - writeString(h, reply.HostKey) - writeString(h, kp.pub[:]) - writeString(h, reply.EphemeralPubKey) - - ki := new(big.Int).SetBytes(secret[:]) - K := make([]byte, intLength(ki)) - marshalInt(K, ki) - h.Write(K) - - return &kexResult{ - H: h.Sum(nil), - K: K, - HostKey: reply.HostKey, - Signature: reply.Signature, - Hash: crypto.SHA256, - }, nil -} - -func (kex *curve25519sha256) Server(c packetConn, rand io.Reader, magics *handshakeMagics, priv AlgorithmSigner, algo string) (result *kexResult, err error) { - packet, err := c.readPacket() - if err != nil { - return - } - var kexInit kexECDHInitMsg - if err = Unmarshal(packet, &kexInit); err != nil { - return - } - - if len(kexInit.ClientPubKey) != 32 { - return nil, errors.New("ssh: peer's curve25519 public value has wrong length") - } - - var kp curve25519KeyPair - if err := kp.generate(rand); err != nil { - return nil, err - } - - var clientPub, secret [32]byte - copy(clientPub[:], kexInit.ClientPubKey) - curve25519.ScalarMult(&secret, &kp.priv, &clientPub) - if 
subtle.ConstantTimeCompare(secret[:], curve25519Zeros[:]) == 1 { - return nil, errors.New("ssh: peer's curve25519 public value has wrong order") - } - - hostKeyBytes := priv.PublicKey().Marshal() - - h := crypto.SHA256.New() - magics.write(h) - writeString(h, hostKeyBytes) - writeString(h, kexInit.ClientPubKey) - writeString(h, kp.pub[:]) - - ki := new(big.Int).SetBytes(secret[:]) - K := make([]byte, intLength(ki)) - marshalInt(K, ki) - h.Write(K) - - H := h.Sum(nil) - - sig, err := signAndMarshal(priv, rand, H, algo) - if err != nil { - return nil, err - } - - reply := kexECDHReplyMsg{ - EphemeralPubKey: kp.pub[:], - HostKey: hostKeyBytes, - Signature: sig, - } - if err := c.writePacket(Marshal(&reply)); err != nil { - return nil, err - } - return &kexResult{ - H: H, - K: K, - HostKey: hostKeyBytes, - Signature: sig, - Hash: crypto.SHA256, - }, nil -} - -// dhGEXSHA implements the diffie-hellman-group-exchange-sha1 and -// diffie-hellman-group-exchange-sha256 key agreement protocols, -// as described in RFC 4419 -type dhGEXSHA struct { - hashFunc crypto.Hash -} - -const ( - dhGroupExchangeMinimumBits = 2048 - dhGroupExchangePreferredBits = 2048 - dhGroupExchangeMaximumBits = 8192 -) - -func (gex *dhGEXSHA) Client(c packetConn, randSource io.Reader, magics *handshakeMagics) (*kexResult, error) { - // Send GexRequest - kexDHGexRequest := kexDHGexRequestMsg{ - MinBits: dhGroupExchangeMinimumBits, - PreferedBits: dhGroupExchangePreferredBits, - MaxBits: dhGroupExchangeMaximumBits, - } - if err := c.writePacket(Marshal(&kexDHGexRequest)); err != nil { - return nil, err - } - - // Receive GexGroup - packet, err := c.readPacket() - if err != nil { - return nil, err - } - - var msg kexDHGexGroupMsg - if err = Unmarshal(packet, &msg); err != nil { - return nil, err - } - - // reject if p's bit length < dhGroupExchangeMinimumBits or > dhGroupExchangeMaximumBits - if msg.P.BitLen() < dhGroupExchangeMinimumBits || msg.P.BitLen() > dhGroupExchangeMaximumBits { - return nil, 
fmt.Errorf("ssh: server-generated gex p is out of range (%d bits)", msg.P.BitLen()) - } - - // Check if g is safe by verifying that 1 < g < p-1 - pMinusOne := new(big.Int).Sub(msg.P, bigOne) - if msg.G.Cmp(bigOne) <= 0 || msg.G.Cmp(pMinusOne) >= 0 { - return nil, fmt.Errorf("ssh: server provided gex g is not safe") - } - - // Send GexInit - pHalf := new(big.Int).Rsh(msg.P, 1) - x, err := rand.Int(randSource, pHalf) - if err != nil { - return nil, err - } - X := new(big.Int).Exp(msg.G, x, msg.P) - kexDHGexInit := kexDHGexInitMsg{ - X: X, - } - if err := c.writePacket(Marshal(&kexDHGexInit)); err != nil { - return nil, err - } - - // Receive GexReply - packet, err = c.readPacket() - if err != nil { - return nil, err - } - - var kexDHGexReply kexDHGexReplyMsg - if err = Unmarshal(packet, &kexDHGexReply); err != nil { - return nil, err - } - - if kexDHGexReply.Y.Cmp(bigOne) <= 0 || kexDHGexReply.Y.Cmp(pMinusOne) >= 0 { - return nil, errors.New("ssh: DH parameter out of bounds") - } - kInt := new(big.Int).Exp(kexDHGexReply.Y, x, msg.P) - - // Check if k is safe by verifying that k > 1 and k < p - 1 - if kInt.Cmp(bigOne) <= 0 || kInt.Cmp(pMinusOne) >= 0 { - return nil, fmt.Errorf("ssh: derived k is not safe") - } - - h := gex.hashFunc.New() - magics.write(h) - writeString(h, kexDHGexReply.HostKey) - binary.Write(h, binary.BigEndian, uint32(dhGroupExchangeMinimumBits)) - binary.Write(h, binary.BigEndian, uint32(dhGroupExchangePreferredBits)) - binary.Write(h, binary.BigEndian, uint32(dhGroupExchangeMaximumBits)) - writeInt(h, msg.P) - writeInt(h, msg.G) - writeInt(h, X) - writeInt(h, kexDHGexReply.Y) - K := make([]byte, intLength(kInt)) - marshalInt(K, kInt) - h.Write(K) - - return &kexResult{ - H: h.Sum(nil), - K: K, - HostKey: kexDHGexReply.HostKey, - Signature: kexDHGexReply.Signature, - Hash: gex.hashFunc, - }, nil -} - -// Server half implementation of the Diffie Hellman Key Exchange with SHA1 and SHA256. 
-// -// This is a minimal implementation to satisfy the automated tests. -func (gex dhGEXSHA) Server(c packetConn, randSource io.Reader, magics *handshakeMagics, priv AlgorithmSigner, algo string) (result *kexResult, err error) { - // Receive GexRequest - packet, err := c.readPacket() - if err != nil { - return - } - var kexDHGexRequest kexDHGexRequestMsg - if err = Unmarshal(packet, &kexDHGexRequest); err != nil { - return - } - - // Send GexGroup - // This is the group called diffie-hellman-group14-sha1 in RFC - // 4253 and Oakley Group 14 in RFC 3526. - p, _ := new(big.Int).SetString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g := big.NewInt(2) - - msg := &kexDHGexGroupMsg{ - P: p, - G: g, - } - if err := c.writePacket(Marshal(msg)); err != nil { - return nil, err - } - - // Receive GexInit - packet, err = c.readPacket() - if err != nil { - return - } - var kexDHGexInit kexDHGexInitMsg - if err = Unmarshal(packet, &kexDHGexInit); err != nil { - return - } - - pHalf := new(big.Int).Rsh(p, 1) - - y, err := rand.Int(randSource, pHalf) - if err != nil { - return - } - Y := new(big.Int).Exp(g, y, p) - - pMinusOne := new(big.Int).Sub(p, bigOne) - if kexDHGexInit.X.Cmp(bigOne) <= 0 || kexDHGexInit.X.Cmp(pMinusOne) >= 0 { - return nil, errors.New("ssh: DH parameter out of bounds") - } - kInt := new(big.Int).Exp(kexDHGexInit.X, y, p) - - hostKeyBytes := priv.PublicKey().Marshal() - - h := gex.hashFunc.New() - magics.write(h) - writeString(h, hostKeyBytes) - binary.Write(h, binary.BigEndian, uint32(dhGroupExchangeMinimumBits)) - binary.Write(h, binary.BigEndian, uint32(dhGroupExchangePreferredBits)) - binary.Write(h, binary.BigEndian, uint32(dhGroupExchangeMaximumBits)) - writeInt(h, p) - writeInt(h, g) - writeInt(h, kexDHGexInit.X) - writeInt(h, Y) - - K := make([]byte, intLength(kInt)) - marshalInt(K, kInt) - h.Write(K) - - H := h.Sum(nil) - - // H is already a hash, but the hostkey signing will apply its - // own key-specific hash algorithm. 
- sig, err := signAndMarshal(priv, randSource, H, algo)
- if err != nil {
- return nil, err
- }
-
- kexDHGexReply := kexDHGexReplyMsg{
- HostKey: hostKeyBytes,
- Y: Y,
- Signature: sig,
- }
- packet = Marshal(&kexDHGexReply)
-
- err = c.writePacket(packet)
-
- return &kexResult{
- H: H,
- K: K,
- HostKey: hostKeyBytes,
- Signature: sig,
- Hash: gex.hashFunc,
- }, err
-}
diff --git a/vendor/golang.org/x/crypto/ssh/keys.go b/vendor/golang.org/x/crypto/ssh/keys.go
deleted file mode 100644
index 98e6706d5..000000000
--- a/vendor/golang.org/x/crypto/ssh/keys.go
+++ /dev/null
@@ -1,1778 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
- "bytes"
- "crypto"
- "crypto/aes"
- "crypto/cipher"
- "crypto/dsa"
- "crypto/ecdsa"
- "crypto/ed25519"
- "crypto/elliptic"
- "crypto/md5"
- "crypto/rand"
- "crypto/rsa"
- "crypto/sha256"
- "crypto/x509"
- "encoding/asn1"
- "encoding/base64"
- "encoding/binary"
- "encoding/hex"
- "encoding/pem"
- "errors"
- "fmt"
- "io"
- "math/big"
- "strings"
-
- "golang.org/x/crypto/ssh/internal/bcrypt_pbkdf"
-)
-
-// Public key algorithms names. These values can appear in PublicKey.Type,
-// ClientConfig.HostKeyAlgorithms, Signature.Format, or as AlgorithmSigner
-// arguments.
-const (
- KeyAlgoRSA = "ssh-rsa"
- KeyAlgoDSA = "ssh-dss"
- KeyAlgoECDSA256 = "ecdsa-sha2-nistp256"
- KeyAlgoSKECDSA256 = "sk-ecdsa-sha2-nistp256@openssh.com"
- KeyAlgoECDSA384 = "ecdsa-sha2-nistp384"
- KeyAlgoECDSA521 = "ecdsa-sha2-nistp521"
- KeyAlgoED25519 = "ssh-ed25519"
- KeyAlgoSKED25519 = "sk-ssh-ed25519@openssh.com"
-
- // KeyAlgoRSASHA256 and KeyAlgoRSASHA512 are only public key algorithms, not
- // public key formats, so they can't appear as a PublicKey.Type. The
- // corresponding PublicKey.Type is KeyAlgoRSA. See RFC 8332, Section 2.
- KeyAlgoRSASHA256 = "rsa-sha2-256"
- KeyAlgoRSASHA512 = "rsa-sha2-512"
-)
-
-const (
- // Deprecated: use KeyAlgoRSA.
- SigAlgoRSA = KeyAlgoRSA
- // Deprecated: use KeyAlgoRSASHA256.
- SigAlgoRSASHA2256 = KeyAlgoRSASHA256
- // Deprecated: use KeyAlgoRSASHA512.
- SigAlgoRSASHA2512 = KeyAlgoRSASHA512
-)
-
-// parsePubKey parses a public key of the given algorithm.
-// Use ParsePublicKey for keys with prepended algorithm.
-func parsePubKey(in []byte, algo string) (pubKey PublicKey, rest []byte, err error) {
- switch algo {
- case KeyAlgoRSA:
- return parseRSA(in)
- case KeyAlgoDSA:
- return parseDSA(in)
- case KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521:
- return parseECDSA(in)
- case KeyAlgoSKECDSA256:
- return parseSKECDSA(in)
- case KeyAlgoED25519:
- return parseED25519(in)
- case KeyAlgoSKED25519:
- return parseSKEd25519(in)
- case CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoSKECDSA256v01, CertAlgoED25519v01, CertAlgoSKED25519v01:
- cert, err := parseCert(in, certKeyAlgoNames[algo])
- if err != nil {
- return nil, nil, err
- }
- return cert, nil, nil
- }
- return nil, nil, fmt.Errorf("ssh: unknown key algorithm: %v", algo)
-}
-
-// parseAuthorizedKey parses a public key in OpenSSH authorized_keys format
-// (see sshd(8) manual page) once the options and key type fields have been
-// removed.
-func parseAuthorizedKey(in []byte) (out PublicKey, comment string, err error) {
- in = bytes.TrimSpace(in)
-
- i := bytes.IndexAny(in, " \t")
- if i == -1 {
- i = len(in)
- }
- base64Key := in[:i]
-
- key := make([]byte, base64.StdEncoding.DecodedLen(len(base64Key)))
- n, err := base64.StdEncoding.Decode(key, base64Key)
- if err != nil {
- return nil, "", err
- }
- key = key[:n]
- out, err = ParsePublicKey(key)
- if err != nil {
- return nil, "", err
- }
- comment = string(bytes.TrimSpace(in[i:]))
- return out, comment, nil
-}
-
-// ParseKnownHosts parses an entry in the format of the known_hosts file.
-//
-// The known_hosts format is documented in the sshd(8) manual page. This
-// function will parse a single entry from in. On successful return, marker
-// will contain the optional marker value (i.e. "cert-authority" or "revoked")
-// or else be empty, hosts will contain the hosts that this entry matches,
-// pubKey will contain the public key and comment will contain any trailing
-// comment at the end of the line. 
See the sshd(8) manual page for the various -// forms that a host string can take. -// -// The unparsed remainder of the input will be returned in rest. This function -// can be called repeatedly to parse multiple entries. -// -// If no entries were found in the input then err will be io.EOF. Otherwise a -// non-nil err value indicates a parse error. -func ParseKnownHosts(in []byte) (marker string, hosts []string, pubKey PublicKey, comment string, rest []byte, err error) { - for len(in) > 0 { - end := bytes.IndexByte(in, '\n') - if end != -1 { - rest = in[end+1:] - in = in[:end] - } else { - rest = nil - } - - end = bytes.IndexByte(in, '\r') - if end != -1 { - in = in[:end] - } - - in = bytes.TrimSpace(in) - if len(in) == 0 || in[0] == '#' { - in = rest - continue - } - - i := bytes.IndexAny(in, " \t") - if i == -1 { - in = rest - continue - } - - // Strip out the beginning of the known_host key. - // This is either an optional marker or a (set of) hostname(s). - keyFields := bytes.Fields(in) - if len(keyFields) < 3 || len(keyFields) > 5 { - return "", nil, nil, "", nil, errors.New("ssh: invalid entry in known_hosts data") - } - - // keyFields[0] is either "@cert-authority", "@revoked" or a comma separated - // list of hosts - marker := "" - if keyFields[0][0] == '@' { - marker = string(keyFields[0][1:]) - keyFields = keyFields[1:] - } - - hosts := string(keyFields[0]) - // keyFields[1] contains the key type (e.g. “ssh-rsa”). - // However, that information is duplicated inside the - // base64-encoded key and so is ignored here. - - key := bytes.Join(keyFields[2:], []byte(" ")) - if pubKey, comment, err = parseAuthorizedKey(key); err != nil { - return "", nil, nil, "", nil, err - } - - return marker, strings.Split(hosts, ","), pubKey, comment, rest, nil - } - - return "", nil, nil, "", nil, io.EOF -} - -// ParseAuthorizedKey parses a public key from an authorized_keys -// file used in OpenSSH according to the sshd(8) manual page. 
-func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []string, rest []byte, err error) { - for len(in) > 0 { - end := bytes.IndexByte(in, '\n') - if end != -1 { - rest = in[end+1:] - in = in[:end] - } else { - rest = nil - } - - end = bytes.IndexByte(in, '\r') - if end != -1 { - in = in[:end] - } - - in = bytes.TrimSpace(in) - if len(in) == 0 || in[0] == '#' { - in = rest - continue - } - - i := bytes.IndexAny(in, " \t") - if i == -1 { - in = rest - continue - } - - if out, comment, err = parseAuthorizedKey(in[i:]); err == nil { - return out, comment, options, rest, nil - } - - // No key type recognised. Maybe there's an options field at - // the beginning. - var b byte - inQuote := false - var candidateOptions []string - optionStart := 0 - for i, b = range in { - isEnd := !inQuote && (b == ' ' || b == '\t') - if (b == ',' && !inQuote) || isEnd { - if i-optionStart > 0 { - candidateOptions = append(candidateOptions, string(in[optionStart:i])) - } - optionStart = i + 1 - } - if isEnd { - break - } - if b == '"' && (i == 0 || (i > 0 && in[i-1] != '\\')) { - inQuote = !inQuote - } - } - for i < len(in) && (in[i] == ' ' || in[i] == '\t') { - i++ - } - if i == len(in) { - // Invalid line: unmatched quote - in = rest - continue - } - - in = in[i:] - i = bytes.IndexAny(in, " \t") - if i == -1 { - in = rest - continue - } - - if out, comment, err = parseAuthorizedKey(in[i:]); err == nil { - options = candidateOptions - return out, comment, options, rest, nil - } - - in = rest - continue - } - - return nil, "", nil, nil, errors.New("ssh: no key found") -} - -// ParsePublicKey parses an SSH public key formatted for use in -// the SSH wire protocol according to RFC 4253, section 6.6. 
-func ParsePublicKey(in []byte) (out PublicKey, err error) { - algo, in, ok := parseString(in) - if !ok { - return nil, errShortRead - } - var rest []byte - out, rest, err = parsePubKey(in, string(algo)) - if len(rest) > 0 { - return nil, errors.New("ssh: trailing junk in public key") - } - - return out, err -} - -// MarshalAuthorizedKey serializes key for inclusion in an OpenSSH -// authorized_keys file. The return value ends with newline. -func MarshalAuthorizedKey(key PublicKey) []byte { - b := &bytes.Buffer{} - b.WriteString(key.Type()) - b.WriteByte(' ') - e := base64.NewEncoder(base64.StdEncoding, b) - e.Write(key.Marshal()) - e.Close() - b.WriteByte('\n') - return b.Bytes() -} - -// MarshalPrivateKey returns a PEM block with the private key serialized in the -// OpenSSH format. -func MarshalPrivateKey(key crypto.PrivateKey, comment string) (*pem.Block, error) { - return marshalOpenSSHPrivateKey(key, comment, unencryptedOpenSSHMarshaler) -} - -// MarshalPrivateKeyWithPassphrase returns a PEM block holding the encrypted -// private key serialized in the OpenSSH format. -func MarshalPrivateKeyWithPassphrase(key crypto.PrivateKey, comment string, passphrase []byte) (*pem.Block, error) { - return marshalOpenSSHPrivateKey(key, comment, passphraseProtectedOpenSSHMarshaler(passphrase)) -} - -// PublicKey represents a public key using an unspecified algorithm. -// -// Some PublicKeys provided by this package also implement CryptoPublicKey. -type PublicKey interface { - // Type returns the key format name, e.g. "ssh-rsa". - Type() string - - // Marshal returns the serialized key data in SSH wire format, with the name - // prefix. To unmarshal the returned data, use the ParsePublicKey function. - Marshal() []byte - - // Verify that sig is a signature on the given data using this key. This - // method will hash the data appropriately first. 
sig.Format is allowed to - // be any signature algorithm compatible with the key type, the caller - // should check if it has more stringent requirements. - Verify(data []byte, sig *Signature) error -} - -// CryptoPublicKey, if implemented by a PublicKey, -// returns the underlying crypto.PublicKey form of the key. -type CryptoPublicKey interface { - CryptoPublicKey() crypto.PublicKey -} - -// A Signer can create signatures that verify against a public key. -// -// Some Signers provided by this package also implement MultiAlgorithmSigner. -type Signer interface { - // PublicKey returns the associated PublicKey. - PublicKey() PublicKey - - // Sign returns a signature for the given data. This method will hash the - // data appropriately first. The signature algorithm is expected to match - // the key format returned by the PublicKey.Type method (and not to be any - // alternative algorithm supported by the key format). - Sign(rand io.Reader, data []byte) (*Signature, error) -} - -// An AlgorithmSigner is a Signer that also supports specifying an algorithm to -// use for signing. -// -// An AlgorithmSigner can't advertise the algorithms it supports, unless it also -// implements MultiAlgorithmSigner, so it should be prepared to be invoked with -// every algorithm supported by the public key format. -type AlgorithmSigner interface { - Signer - - // SignWithAlgorithm is like Signer.Sign, but allows specifying a desired - // signing algorithm. Callers may pass an empty string for the algorithm in - // which case the AlgorithmSigner will use a default algorithm. This default - // doesn't currently control any behavior in this package. - SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*Signature, error) -} - -// MultiAlgorithmSigner is an AlgorithmSigner that also reports the algorithms -// supported by that signer. -type MultiAlgorithmSigner interface { - AlgorithmSigner - - // Algorithms returns the available algorithms in preference order. 
The list - // must not be empty, and it must not include certificate types. - Algorithms() []string -} - -// NewSignerWithAlgorithms returns a signer restricted to the specified -// algorithms. The algorithms must be set in preference order. The list must not -// be empty, and it must not include certificate types. An error is returned if -// the specified algorithms are incompatible with the public key type. -func NewSignerWithAlgorithms(signer AlgorithmSigner, algorithms []string) (MultiAlgorithmSigner, error) { - if len(algorithms) == 0 { - return nil, errors.New("ssh: please specify at least one valid signing algorithm") - } - var signerAlgos []string - supportedAlgos := algorithmsForKeyFormat(underlyingAlgo(signer.PublicKey().Type())) - if s, ok := signer.(*multiAlgorithmSigner); ok { - signerAlgos = s.Algorithms() - } else { - signerAlgos = supportedAlgos - } - - for _, algo := range algorithms { - if !contains(supportedAlgos, algo) { - return nil, fmt.Errorf("ssh: algorithm %q is not supported for key type %q", - algo, signer.PublicKey().Type()) - } - if !contains(signerAlgos, algo) { - return nil, fmt.Errorf("ssh: algorithm %q is restricted for the provided signer", algo) - } - } - return &multiAlgorithmSigner{ - AlgorithmSigner: signer, - supportedAlgorithms: algorithms, - }, nil -} - -type multiAlgorithmSigner struct { - AlgorithmSigner - supportedAlgorithms []string -} - -func (s *multiAlgorithmSigner) Algorithms() []string { - return s.supportedAlgorithms -} - -func (s *multiAlgorithmSigner) isAlgorithmSupported(algorithm string) bool { - if algorithm == "" { - algorithm = underlyingAlgo(s.PublicKey().Type()) - } - for _, algo := range s.supportedAlgorithms { - if algorithm == algo { - return true - } - } - return false -} - -func (s *multiAlgorithmSigner) SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*Signature, error) { - if !s.isAlgorithmSupported(algorithm) { - return nil, fmt.Errorf("ssh: algorithm %q is not supported: %v", 
algorithm, s.supportedAlgorithms) - } - return s.AlgorithmSigner.SignWithAlgorithm(rand, data, algorithm) -} - -type rsaPublicKey rsa.PublicKey - -func (r *rsaPublicKey) Type() string { - return "ssh-rsa" -} - -// parseRSA parses an RSA key according to RFC 4253, section 6.6. -func parseRSA(in []byte) (out PublicKey, rest []byte, err error) { - var w struct { - E *big.Int - N *big.Int - Rest []byte `ssh:"rest"` - } - if err := Unmarshal(in, &w); err != nil { - return nil, nil, err - } - - if w.E.BitLen() > 24 { - return nil, nil, errors.New("ssh: exponent too large") - } - e := w.E.Int64() - if e < 3 || e&1 == 0 { - return nil, nil, errors.New("ssh: incorrect exponent") - } - - var key rsa.PublicKey - key.E = int(e) - key.N = w.N - return (*rsaPublicKey)(&key), w.Rest, nil -} - -func (r *rsaPublicKey) Marshal() []byte { - e := new(big.Int).SetInt64(int64(r.E)) - // RSA publickey struct layout should match the struct used by - // parseRSACert in the x/crypto/ssh/agent package. - wirekey := struct { - Name string - E *big.Int - N *big.Int - }{ - KeyAlgoRSA, - e, - r.N, - } - return Marshal(&wirekey) -} - -func (r *rsaPublicKey) Verify(data []byte, sig *Signature) error { - supportedAlgos := algorithmsForKeyFormat(r.Type()) - if !contains(supportedAlgos, sig.Format) { - return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, r.Type()) - } - hash := hashFuncs[sig.Format] - h := hash.New() - h.Write(data) - digest := h.Sum(nil) - - // Signatures in PKCS1v15 must match the key's modulus in - // length. However with SSH, some signers provide RSA - // signatures which are missing the MSB 0's of the bignum - // represented. With ssh-rsa signatures, this is encouraged by - // the spec (even though e.g. OpenSSH will give the full - // length unconditionally). With rsa-sha2-* signatures, the - // verifier is allowed to support these, even though they are - // out of spec. See RFC 4253 Section 6.6 for ssh-rsa and RFC - // 8332 Section 3 for rsa-sha2-* details. 
- // - // In practice: - // * OpenSSH always allows "short" signatures: - // https://github.com/openssh/openssh-portable/blob/V_9_8_P1/ssh-rsa.c#L526 - // but always generates padded signatures: - // https://github.com/openssh/openssh-portable/blob/V_9_8_P1/ssh-rsa.c#L439 - // - // * PuTTY versions 0.81 and earlier will generate short - // signatures for all RSA signature variants. Note that - // PuTTY is embedded in other software, such as WinSCP and - // FileZilla. At the time of writing, a patch has been - // applied to PuTTY to generate padded signatures for - // rsa-sha2-*, but not yet released: - // https://git.tartarus.org/?p=simon/putty.git;a=commitdiff;h=a5bcf3d384e1bf15a51a6923c3724cbbee022d8e - // - // * SSH.NET versions 2024.0.0 and earlier will generate short - // signatures for all RSA signature variants, fixed in 2024.1.0: - // https://github.com/sshnet/SSH.NET/releases/tag/2024.1.0 - // - // As a result, we pad these up to the key size by inserting - // leading 0's. - // - // Note that support for short signatures with rsa-sha2-* may - // be removed in the future due to such signatures not being - // allowed by the spec. - blob := sig.Blob - keySize := (*rsa.PublicKey)(r).Size() - if len(blob) < keySize { - padded := make([]byte, keySize) - copy(padded[keySize-len(blob):], blob) - blob = padded - } - return rsa.VerifyPKCS1v15((*rsa.PublicKey)(r), hash, digest, blob) -} - -func (r *rsaPublicKey) CryptoPublicKey() crypto.PublicKey { - return (*rsa.PublicKey)(r) -} - -type dsaPublicKey dsa.PublicKey - -func (k *dsaPublicKey) Type() string { - return "ssh-dss" -} - -func checkDSAParams(param *dsa.Parameters) error { - // SSH specifies FIPS 186-2, which only provided a single size - // (1024 bits) DSA key. FIPS 186-3 allows for larger key - // sizes, which would confuse SSH. 
- if l := param.P.BitLen(); l != 1024 { - return fmt.Errorf("ssh: unsupported DSA key size %d", l) - } - - return nil -} - -// parseDSA parses an DSA key according to RFC 4253, section 6.6. -func parseDSA(in []byte) (out PublicKey, rest []byte, err error) { - var w struct { - P, Q, G, Y *big.Int - Rest []byte `ssh:"rest"` - } - if err := Unmarshal(in, &w); err != nil { - return nil, nil, err - } - - param := dsa.Parameters{ - P: w.P, - Q: w.Q, - G: w.G, - } - if err := checkDSAParams(¶m); err != nil { - return nil, nil, err - } - - key := &dsaPublicKey{ - Parameters: param, - Y: w.Y, - } - return key, w.Rest, nil -} - -func (k *dsaPublicKey) Marshal() []byte { - // DSA publickey struct layout should match the struct used by - // parseDSACert in the x/crypto/ssh/agent package. - w := struct { - Name string - P, Q, G, Y *big.Int - }{ - k.Type(), - k.P, - k.Q, - k.G, - k.Y, - } - - return Marshal(&w) -} - -func (k *dsaPublicKey) Verify(data []byte, sig *Signature) error { - if sig.Format != k.Type() { - return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type()) - } - h := hashFuncs[sig.Format].New() - h.Write(data) - digest := h.Sum(nil) - - // Per RFC 4253, section 6.6, - // The value for 'dss_signature_blob' is encoded as a string containing - // r, followed by s (which are 160-bit integers, without lengths or - // padding, unsigned, and in network byte order). - // For DSS purposes, sig.Blob should be exactly 40 bytes in length. 
- if len(sig.Blob) != 40 { - return errors.New("ssh: DSA signature parse error") - } - r := new(big.Int).SetBytes(sig.Blob[:20]) - s := new(big.Int).SetBytes(sig.Blob[20:]) - if dsa.Verify((*dsa.PublicKey)(k), digest, r, s) { - return nil - } - return errors.New("ssh: signature did not verify") -} - -func (k *dsaPublicKey) CryptoPublicKey() crypto.PublicKey { - return (*dsa.PublicKey)(k) -} - -type dsaPrivateKey struct { - *dsa.PrivateKey -} - -func (k *dsaPrivateKey) PublicKey() PublicKey { - return (*dsaPublicKey)(&k.PrivateKey.PublicKey) -} - -func (k *dsaPrivateKey) Sign(rand io.Reader, data []byte) (*Signature, error) { - return k.SignWithAlgorithm(rand, data, k.PublicKey().Type()) -} - -func (k *dsaPrivateKey) Algorithms() []string { - return []string{k.PublicKey().Type()} -} - -func (k *dsaPrivateKey) SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*Signature, error) { - if algorithm != "" && algorithm != k.PublicKey().Type() { - return nil, fmt.Errorf("ssh: unsupported signature algorithm %s", algorithm) - } - - h := hashFuncs[k.PublicKey().Type()].New() - h.Write(data) - digest := h.Sum(nil) - r, s, err := dsa.Sign(rand, k.PrivateKey, digest) - if err != nil { - return nil, err - } - - sig := make([]byte, 40) - rb := r.Bytes() - sb := s.Bytes() - - copy(sig[20-len(rb):20], rb) - copy(sig[40-len(sb):], sb) - - return &Signature{ - Format: k.PublicKey().Type(), - Blob: sig, - }, nil -} - -type ecdsaPublicKey ecdsa.PublicKey - -func (k *ecdsaPublicKey) Type() string { - return "ecdsa-sha2-" + k.nistID() -} - -func (k *ecdsaPublicKey) nistID() string { - switch k.Params().BitSize { - case 256: - return "nistp256" - case 384: - return "nistp384" - case 521: - return "nistp521" - } - panic("ssh: unsupported ecdsa key size") -} - -type ed25519PublicKey ed25519.PublicKey - -func (k ed25519PublicKey) Type() string { - return KeyAlgoED25519 -} - -func parseED25519(in []byte) (out PublicKey, rest []byte, err error) { - var w struct { - KeyBytes 
[]byte - Rest []byte `ssh:"rest"` - } - - if err := Unmarshal(in, &w); err != nil { - return nil, nil, err - } - - if l := len(w.KeyBytes); l != ed25519.PublicKeySize { - return nil, nil, fmt.Errorf("invalid size %d for Ed25519 public key", l) - } - - return ed25519PublicKey(w.KeyBytes), w.Rest, nil -} - -func (k ed25519PublicKey) Marshal() []byte { - w := struct { - Name string - KeyBytes []byte - }{ - KeyAlgoED25519, - []byte(k), - } - return Marshal(&w) -} - -func (k ed25519PublicKey) Verify(b []byte, sig *Signature) error { - if sig.Format != k.Type() { - return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type()) - } - if l := len(k); l != ed25519.PublicKeySize { - return fmt.Errorf("ssh: invalid size %d for Ed25519 public key", l) - } - - if ok := ed25519.Verify(ed25519.PublicKey(k), b, sig.Blob); !ok { - return errors.New("ssh: signature did not verify") - } - - return nil -} - -func (k ed25519PublicKey) CryptoPublicKey() crypto.PublicKey { - return ed25519.PublicKey(k) -} - -func supportedEllipticCurve(curve elliptic.Curve) bool { - return curve == elliptic.P256() || curve == elliptic.P384() || curve == elliptic.P521() -} - -// parseECDSA parses an ECDSA key according to RFC 5656, section 3.1. 
-func parseECDSA(in []byte) (out PublicKey, rest []byte, err error) { - var w struct { - Curve string - KeyBytes []byte - Rest []byte `ssh:"rest"` - } - - if err := Unmarshal(in, &w); err != nil { - return nil, nil, err - } - - key := new(ecdsa.PublicKey) - - switch w.Curve { - case "nistp256": - key.Curve = elliptic.P256() - case "nistp384": - key.Curve = elliptic.P384() - case "nistp521": - key.Curve = elliptic.P521() - default: - return nil, nil, errors.New("ssh: unsupported curve") - } - - key.X, key.Y = elliptic.Unmarshal(key.Curve, w.KeyBytes) - if key.X == nil || key.Y == nil { - return nil, nil, errors.New("ssh: invalid curve point") - } - return (*ecdsaPublicKey)(key), w.Rest, nil -} - -func (k *ecdsaPublicKey) Marshal() []byte { - // See RFC 5656, section 3.1. - keyBytes := elliptic.Marshal(k.Curve, k.X, k.Y) - // ECDSA publickey struct layout should match the struct used by - // parseECDSACert in the x/crypto/ssh/agent package. - w := struct { - Name string - ID string - Key []byte - }{ - k.Type(), - k.nistID(), - keyBytes, - } - - return Marshal(&w) -} - -func (k *ecdsaPublicKey) Verify(data []byte, sig *Signature) error { - if sig.Format != k.Type() { - return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type()) - } - - h := hashFuncs[sig.Format].New() - h.Write(data) - digest := h.Sum(nil) - - // Per RFC 5656, section 3.1.2, - // The ecdsa_signature_blob value has the following specific encoding: - // mpint r - // mpint s - var ecSig struct { - R *big.Int - S *big.Int - } - - if err := Unmarshal(sig.Blob, &ecSig); err != nil { - return err - } - - if ecdsa.Verify((*ecdsa.PublicKey)(k), digest, ecSig.R, ecSig.S) { - return nil - } - return errors.New("ssh: signature did not verify") -} - -func (k *ecdsaPublicKey) CryptoPublicKey() crypto.PublicKey { - return (*ecdsa.PublicKey)(k) -} - -// skFields holds the additional fields present in U2F/FIDO2 signatures. -// See openssh/PROTOCOL.u2f 'SSH U2F Signatures' for details. 
-type skFields struct { - // Flags contains U2F/FIDO2 flags such as 'user present' - Flags byte - // Counter is a monotonic signature counter which can be - // used to detect concurrent use of a private key, should - // it be extracted from hardware. - Counter uint32 -} - -type skECDSAPublicKey struct { - // application is a URL-like string, typically "ssh:" for SSH. - // see openssh/PROTOCOL.u2f for details. - application string - ecdsa.PublicKey -} - -func (k *skECDSAPublicKey) Type() string { - return KeyAlgoSKECDSA256 -} - -func (k *skECDSAPublicKey) nistID() string { - return "nistp256" -} - -func parseSKECDSA(in []byte) (out PublicKey, rest []byte, err error) { - var w struct { - Curve string - KeyBytes []byte - Application string - Rest []byte `ssh:"rest"` - } - - if err := Unmarshal(in, &w); err != nil { - return nil, nil, err - } - - key := new(skECDSAPublicKey) - key.application = w.Application - - if w.Curve != "nistp256" { - return nil, nil, errors.New("ssh: unsupported curve") - } - key.Curve = elliptic.P256() - - key.X, key.Y = elliptic.Unmarshal(key.Curve, w.KeyBytes) - if key.X == nil || key.Y == nil { - return nil, nil, errors.New("ssh: invalid curve point") - } - - return key, w.Rest, nil -} - -func (k *skECDSAPublicKey) Marshal() []byte { - // See RFC 5656, section 3.1. 
- keyBytes := elliptic.Marshal(k.Curve, k.X, k.Y) - w := struct { - Name string - ID string - Key []byte - Application string - }{ - k.Type(), - k.nistID(), - keyBytes, - k.application, - } - - return Marshal(&w) -} - -func (k *skECDSAPublicKey) Verify(data []byte, sig *Signature) error { - if sig.Format != k.Type() { - return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type()) - } - - h := hashFuncs[sig.Format].New() - h.Write([]byte(k.application)) - appDigest := h.Sum(nil) - - h.Reset() - h.Write(data) - dataDigest := h.Sum(nil) - - var ecSig struct { - R *big.Int - S *big.Int - } - if err := Unmarshal(sig.Blob, &ecSig); err != nil { - return err - } - - var skf skFields - if err := Unmarshal(sig.Rest, &skf); err != nil { - return err - } - - blob := struct { - ApplicationDigest []byte `ssh:"rest"` - Flags byte - Counter uint32 - MessageDigest []byte `ssh:"rest"` - }{ - appDigest, - skf.Flags, - skf.Counter, - dataDigest, - } - - original := Marshal(blob) - - h.Reset() - h.Write(original) - digest := h.Sum(nil) - - if ecdsa.Verify((*ecdsa.PublicKey)(&k.PublicKey), digest, ecSig.R, ecSig.S) { - return nil - } - return errors.New("ssh: signature did not verify") -} - -func (k *skECDSAPublicKey) CryptoPublicKey() crypto.PublicKey { - return &k.PublicKey -} - -type skEd25519PublicKey struct { - // application is a URL-like string, typically "ssh:" for SSH. - // see openssh/PROTOCOL.u2f for details. 
- application string - ed25519.PublicKey -} - -func (k *skEd25519PublicKey) Type() string { - return KeyAlgoSKED25519 -} - -func parseSKEd25519(in []byte) (out PublicKey, rest []byte, err error) { - var w struct { - KeyBytes []byte - Application string - Rest []byte `ssh:"rest"` - } - - if err := Unmarshal(in, &w); err != nil { - return nil, nil, err - } - - if l := len(w.KeyBytes); l != ed25519.PublicKeySize { - return nil, nil, fmt.Errorf("invalid size %d for Ed25519 public key", l) - } - - key := new(skEd25519PublicKey) - key.application = w.Application - key.PublicKey = ed25519.PublicKey(w.KeyBytes) - - return key, w.Rest, nil -} - -func (k *skEd25519PublicKey) Marshal() []byte { - w := struct { - Name string - KeyBytes []byte - Application string - }{ - KeyAlgoSKED25519, - []byte(k.PublicKey), - k.application, - } - return Marshal(&w) -} - -func (k *skEd25519PublicKey) Verify(data []byte, sig *Signature) error { - if sig.Format != k.Type() { - return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type()) - } - if l := len(k.PublicKey); l != ed25519.PublicKeySize { - return fmt.Errorf("invalid size %d for Ed25519 public key", l) - } - - h := hashFuncs[sig.Format].New() - h.Write([]byte(k.application)) - appDigest := h.Sum(nil) - - h.Reset() - h.Write(data) - dataDigest := h.Sum(nil) - - var edSig struct { - Signature []byte `ssh:"rest"` - } - - if err := Unmarshal(sig.Blob, &edSig); err != nil { - return err - } - - var skf skFields - if err := Unmarshal(sig.Rest, &skf); err != nil { - return err - } - - blob := struct { - ApplicationDigest []byte `ssh:"rest"` - Flags byte - Counter uint32 - MessageDigest []byte `ssh:"rest"` - }{ - appDigest, - skf.Flags, - skf.Counter, - dataDigest, - } - - original := Marshal(blob) - - if ok := ed25519.Verify(k.PublicKey, original, edSig.Signature); !ok { - return errors.New("ssh: signature did not verify") - } - - return nil -} - -func (k *skEd25519PublicKey) CryptoPublicKey() crypto.PublicKey { - return 
k.PublicKey -} - -// NewSignerFromKey takes an *rsa.PrivateKey, *dsa.PrivateKey, -// *ecdsa.PrivateKey or any other crypto.Signer and returns a -// corresponding Signer instance. ECDSA keys must use P-256, P-384 or -// P-521. DSA keys must use parameter size L1024N160. -func NewSignerFromKey(key interface{}) (Signer, error) { - switch key := key.(type) { - case crypto.Signer: - return NewSignerFromSigner(key) - case *dsa.PrivateKey: - return newDSAPrivateKey(key) - default: - return nil, fmt.Errorf("ssh: unsupported key type %T", key) - } -} - -func newDSAPrivateKey(key *dsa.PrivateKey) (Signer, error) { - if err := checkDSAParams(&key.PublicKey.Parameters); err != nil { - return nil, err - } - - return &dsaPrivateKey{key}, nil -} - -type wrappedSigner struct { - signer crypto.Signer - pubKey PublicKey -} - -// NewSignerFromSigner takes any crypto.Signer implementation and -// returns a corresponding Signer interface. This can be used, for -// example, with keys kept in hardware modules. 
-func NewSignerFromSigner(signer crypto.Signer) (Signer, error) { - pubKey, err := NewPublicKey(signer.Public()) - if err != nil { - return nil, err - } - - return &wrappedSigner{signer, pubKey}, nil -} - -func (s *wrappedSigner) PublicKey() PublicKey { - return s.pubKey -} - -func (s *wrappedSigner) Sign(rand io.Reader, data []byte) (*Signature, error) { - return s.SignWithAlgorithm(rand, data, s.pubKey.Type()) -} - -func (s *wrappedSigner) Algorithms() []string { - return algorithmsForKeyFormat(s.pubKey.Type()) -} - -func (s *wrappedSigner) SignWithAlgorithm(rand io.Reader, data []byte, algorithm string) (*Signature, error) { - if algorithm == "" { - algorithm = s.pubKey.Type() - } - - if !contains(s.Algorithms(), algorithm) { - return nil, fmt.Errorf("ssh: unsupported signature algorithm %q for key format %q", algorithm, s.pubKey.Type()) - } - - hashFunc := hashFuncs[algorithm] - var digest []byte - if hashFunc != 0 { - h := hashFunc.New() - h.Write(data) - digest = h.Sum(nil) - } else { - digest = data - } - - signature, err := s.signer.Sign(rand, digest, hashFunc) - if err != nil { - return nil, err - } - - // crypto.Signer.Sign is expected to return an ASN.1-encoded signature - // for ECDSA and DSA, but that's not the encoding expected by SSH, so - // re-encode. 
- switch s.pubKey.(type) { - case *ecdsaPublicKey, *dsaPublicKey: - type asn1Signature struct { - R, S *big.Int - } - asn1Sig := new(asn1Signature) - _, err := asn1.Unmarshal(signature, asn1Sig) - if err != nil { - return nil, err - } - - switch s.pubKey.(type) { - case *ecdsaPublicKey: - signature = Marshal(asn1Sig) - - case *dsaPublicKey: - signature = make([]byte, 40) - r := asn1Sig.R.Bytes() - s := asn1Sig.S.Bytes() - copy(signature[20-len(r):20], r) - copy(signature[40-len(s):40], s) - } - } - - return &Signature{ - Format: algorithm, - Blob: signature, - }, nil -} - -// NewPublicKey takes an *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey, -// or ed25519.PublicKey returns a corresponding PublicKey instance. -// ECDSA keys must use P-256, P-384 or P-521. -func NewPublicKey(key interface{}) (PublicKey, error) { - switch key := key.(type) { - case *rsa.PublicKey: - return (*rsaPublicKey)(key), nil - case *ecdsa.PublicKey: - if !supportedEllipticCurve(key.Curve) { - return nil, errors.New("ssh: only P-256, P-384 and P-521 EC keys are supported") - } - return (*ecdsaPublicKey)(key), nil - case *dsa.PublicKey: - return (*dsaPublicKey)(key), nil - case ed25519.PublicKey: - if l := len(key); l != ed25519.PublicKeySize { - return nil, fmt.Errorf("ssh: invalid size %d for Ed25519 public key", l) - } - return ed25519PublicKey(key), nil - default: - return nil, fmt.Errorf("ssh: unsupported key type %T", key) - } -} - -// ParsePrivateKey returns a Signer from a PEM encoded private key. It supports -// the same keys as ParseRawPrivateKey. If the private key is encrypted, it -// will return a PassphraseMissingError. -func ParsePrivateKey(pemBytes []byte) (Signer, error) { - key, err := ParseRawPrivateKey(pemBytes) - if err != nil { - return nil, err - } - - return NewSignerFromKey(key) -} - -// ParsePrivateKeyWithPassphrase returns a Signer from a PEM encoded private -// key and passphrase. It supports the same keys as -// ParseRawPrivateKeyWithPassphrase. 
-func ParsePrivateKeyWithPassphrase(pemBytes, passphrase []byte) (Signer, error) { - key, err := ParseRawPrivateKeyWithPassphrase(pemBytes, passphrase) - if err != nil { - return nil, err - } - - return NewSignerFromKey(key) -} - -// encryptedBlock tells whether a private key is -// encrypted by examining its Proc-Type header -// for a mention of ENCRYPTED -// according to RFC 1421 Section 4.6.1.1. -func encryptedBlock(block *pem.Block) bool { - return strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED") -} - -// A PassphraseMissingError indicates that parsing this private key requires a -// passphrase. Use ParsePrivateKeyWithPassphrase. -type PassphraseMissingError struct { - // PublicKey will be set if the private key format includes an unencrypted - // public key along with the encrypted private key. - PublicKey PublicKey -} - -func (*PassphraseMissingError) Error() string { - return "ssh: this private key is passphrase protected" -} - -// ParseRawPrivateKey returns a private key from a PEM encoded private key. It supports -// RSA, DSA, ECDSA, and Ed25519 private keys in PKCS#1, PKCS#8, OpenSSL, and OpenSSH -// formats. If the private key is encrypted, it will return a PassphraseMissingError. 
-func ParseRawPrivateKey(pemBytes []byte) (interface{}, error) { - block, _ := pem.Decode(pemBytes) - if block == nil { - return nil, errors.New("ssh: no key found") - } - - if encryptedBlock(block) { - return nil, &PassphraseMissingError{} - } - - switch block.Type { - case "RSA PRIVATE KEY": - return x509.ParsePKCS1PrivateKey(block.Bytes) - // RFC5208 - https://tools.ietf.org/html/rfc5208 - case "PRIVATE KEY": - return x509.ParsePKCS8PrivateKey(block.Bytes) - case "EC PRIVATE KEY": - return x509.ParseECPrivateKey(block.Bytes) - case "DSA PRIVATE KEY": - return ParseDSAPrivateKey(block.Bytes) - case "OPENSSH PRIVATE KEY": - return parseOpenSSHPrivateKey(block.Bytes, unencryptedOpenSSHKey) - default: - return nil, fmt.Errorf("ssh: unsupported key type %q", block.Type) - } -} - -// ParseRawPrivateKeyWithPassphrase returns a private key decrypted with -// passphrase from a PEM encoded private key. If the passphrase is wrong, it -// will return x509.IncorrectPasswordError. -func ParseRawPrivateKeyWithPassphrase(pemBytes, passphrase []byte) (interface{}, error) { - block, _ := pem.Decode(pemBytes) - if block == nil { - return nil, errors.New("ssh: no key found") - } - - if block.Type == "OPENSSH PRIVATE KEY" { - return parseOpenSSHPrivateKey(block.Bytes, passphraseProtectedOpenSSHKey(passphrase)) - } - - if !encryptedBlock(block) || !x509.IsEncryptedPEMBlock(block) { - return nil, errors.New("ssh: not an encrypted key") - } - - buf, err := x509.DecryptPEMBlock(block, passphrase) - if err != nil { - if err == x509.IncorrectPasswordError { - return nil, err - } - return nil, fmt.Errorf("ssh: cannot decode encrypted private keys: %v", err) - } - - var result interface{} - - switch block.Type { - case "RSA PRIVATE KEY": - result, err = x509.ParsePKCS1PrivateKey(buf) - case "EC PRIVATE KEY": - result, err = x509.ParseECPrivateKey(buf) - case "DSA PRIVATE KEY": - result, err = ParseDSAPrivateKey(buf) - default: - err = fmt.Errorf("ssh: unsupported key type %q", block.Type) - 
} - // Because of deficiencies in the format, DecryptPEMBlock does not always - // detect an incorrect password. In these cases decrypted DER bytes is - // random noise. If the parsing of the key returns an asn1.StructuralError - // we return x509.IncorrectPasswordError. - if _, ok := err.(asn1.StructuralError); ok { - return nil, x509.IncorrectPasswordError - } - - return result, err -} - -// ParseDSAPrivateKey returns a DSA private key from its ASN.1 DER encoding, as -// specified by the OpenSSL DSA man page. -func ParseDSAPrivateKey(der []byte) (*dsa.PrivateKey, error) { - var k struct { - Version int - P *big.Int - Q *big.Int - G *big.Int - Pub *big.Int - Priv *big.Int - } - rest, err := asn1.Unmarshal(der, &k) - if err != nil { - return nil, errors.New("ssh: failed to parse DSA key: " + err.Error()) - } - if len(rest) > 0 { - return nil, errors.New("ssh: garbage after DSA key") - } - - return &dsa.PrivateKey{ - PublicKey: dsa.PublicKey{ - Parameters: dsa.Parameters{ - P: k.P, - Q: k.Q, - G: k.G, - }, - Y: k.Pub, - }, - X: k.Priv, - }, nil -} - -func unencryptedOpenSSHKey(cipherName, kdfName, kdfOpts string, privKeyBlock []byte) ([]byte, error) { - if kdfName != "none" || cipherName != "none" { - return nil, &PassphraseMissingError{} - } - if kdfOpts != "" { - return nil, errors.New("ssh: invalid openssh private key") - } - return privKeyBlock, nil -} - -func passphraseProtectedOpenSSHKey(passphrase []byte) openSSHDecryptFunc { - return func(cipherName, kdfName, kdfOpts string, privKeyBlock []byte) ([]byte, error) { - if kdfName == "none" || cipherName == "none" { - return nil, errors.New("ssh: key is not password protected") - } - if kdfName != "bcrypt" { - return nil, fmt.Errorf("ssh: unknown KDF %q, only supports %q", kdfName, "bcrypt") - } - - var opts struct { - Salt string - Rounds uint32 - } - if err := Unmarshal([]byte(kdfOpts), &opts); err != nil { - return nil, err - } - - k, err := bcrypt_pbkdf.Key(passphrase, []byte(opts.Salt), int(opts.Rounds), 
32+16) - if err != nil { - return nil, err - } - key, iv := k[:32], k[32:] - - c, err := aes.NewCipher(key) - if err != nil { - return nil, err - } - switch cipherName { - case "aes256-ctr": - ctr := cipher.NewCTR(c, iv) - ctr.XORKeyStream(privKeyBlock, privKeyBlock) - case "aes256-cbc": - if len(privKeyBlock)%c.BlockSize() != 0 { - return nil, fmt.Errorf("ssh: invalid encrypted private key length, not a multiple of the block size") - } - cbc := cipher.NewCBCDecrypter(c, iv) - cbc.CryptBlocks(privKeyBlock, privKeyBlock) - default: - return nil, fmt.Errorf("ssh: unknown cipher %q, only supports %q or %q", cipherName, "aes256-ctr", "aes256-cbc") - } - - return privKeyBlock, nil - } -} - -func unencryptedOpenSSHMarshaler(privKeyBlock []byte) ([]byte, string, string, string, error) { - key := generateOpenSSHPadding(privKeyBlock, 8) - return key, "none", "none", "", nil -} - -func passphraseProtectedOpenSSHMarshaler(passphrase []byte) openSSHEncryptFunc { - return func(privKeyBlock []byte) ([]byte, string, string, string, error) { - salt := make([]byte, 16) - if _, err := rand.Read(salt); err != nil { - return nil, "", "", "", err - } - - opts := struct { - Salt []byte - Rounds uint32 - }{salt, 16} - - // Derive key to encrypt the private key block. - k, err := bcrypt_pbkdf.Key(passphrase, salt, int(opts.Rounds), 32+aes.BlockSize) - if err != nil { - return nil, "", "", "", err - } - - // Add padding matching the block size of AES. - keyBlock := generateOpenSSHPadding(privKeyBlock, aes.BlockSize) - - // Encrypt the private key using the derived secret. 
- - dst := make([]byte, len(keyBlock)) - key, iv := k[:32], k[32:] - block, err := aes.NewCipher(key) - if err != nil { - return nil, "", "", "", err - } - - stream := cipher.NewCTR(block, iv) - stream.XORKeyStream(dst, keyBlock) - - return dst, "aes256-ctr", "bcrypt", string(Marshal(opts)), nil - } -} - -const privateKeyAuthMagic = "openssh-key-v1\x00" - -type openSSHDecryptFunc func(CipherName, KdfName, KdfOpts string, PrivKeyBlock []byte) ([]byte, error) -type openSSHEncryptFunc func(PrivKeyBlock []byte) (ProtectedKeyBlock []byte, cipherName, kdfName, kdfOptions string, err error) - -type openSSHEncryptedPrivateKey struct { - CipherName string - KdfName string - KdfOpts string - NumKeys uint32 - PubKey []byte - PrivKeyBlock []byte -} - -type openSSHPrivateKey struct { - Check1 uint32 - Check2 uint32 - Keytype string - Rest []byte `ssh:"rest"` -} - -type openSSHRSAPrivateKey struct { - N *big.Int - E *big.Int - D *big.Int - Iqmp *big.Int - P *big.Int - Q *big.Int - Comment string - Pad []byte `ssh:"rest"` -} - -type openSSHEd25519PrivateKey struct { - Pub []byte - Priv []byte - Comment string - Pad []byte `ssh:"rest"` -} - -type openSSHECDSAPrivateKey struct { - Curve string - Pub []byte - D *big.Int - Comment string - Pad []byte `ssh:"rest"` -} - -// parseOpenSSHPrivateKey parses an OpenSSH private key, using the decrypt -// function to unwrap the encrypted portion. unencryptedOpenSSHKey can be used -// as the decrypt function to parse an unencrypted private key. See -// https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key. 
-func parseOpenSSHPrivateKey(key []byte, decrypt openSSHDecryptFunc) (crypto.PrivateKey, error) { - if len(key) < len(privateKeyAuthMagic) || string(key[:len(privateKeyAuthMagic)]) != privateKeyAuthMagic { - return nil, errors.New("ssh: invalid openssh private key format") - } - remaining := key[len(privateKeyAuthMagic):] - - var w openSSHEncryptedPrivateKey - if err := Unmarshal(remaining, &w); err != nil { - return nil, err - } - if w.NumKeys != 1 { - // We only support single key files, and so does OpenSSH. - // https://github.com/openssh/openssh-portable/blob/4103a3ec7/sshkey.c#L4171 - return nil, errors.New("ssh: multi-key files are not supported") - } - - privKeyBlock, err := decrypt(w.CipherName, w.KdfName, w.KdfOpts, w.PrivKeyBlock) - if err != nil { - if err, ok := err.(*PassphraseMissingError); ok { - pub, errPub := ParsePublicKey(w.PubKey) - if errPub != nil { - return nil, fmt.Errorf("ssh: failed to parse embedded public key: %v", errPub) - } - err.PublicKey = pub - } - return nil, err - } - - var pk1 openSSHPrivateKey - if err := Unmarshal(privKeyBlock, &pk1); err != nil || pk1.Check1 != pk1.Check2 { - if w.CipherName != "none" { - return nil, x509.IncorrectPasswordError - } - return nil, errors.New("ssh: malformed OpenSSH key") - } - - switch pk1.Keytype { - case KeyAlgoRSA: - var key openSSHRSAPrivateKey - if err := Unmarshal(pk1.Rest, &key); err != nil { - return nil, err - } - - if err := checkOpenSSHKeyPadding(key.Pad); err != nil { - return nil, err - } - - pk := &rsa.PrivateKey{ - PublicKey: rsa.PublicKey{ - N: key.N, - E: int(key.E.Int64()), - }, - D: key.D, - Primes: []*big.Int{key.P, key.Q}, - } - - if err := pk.Validate(); err != nil { - return nil, err - } - - pk.Precompute() - - return pk, nil - case KeyAlgoED25519: - var key openSSHEd25519PrivateKey - if err := Unmarshal(pk1.Rest, &key); err != nil { - return nil, err - } - - if len(key.Priv) != ed25519.PrivateKeySize { - return nil, errors.New("ssh: private key unexpected length") - } - 
- if err := checkOpenSSHKeyPadding(key.Pad); err != nil { - return nil, err - } - - pk := ed25519.PrivateKey(make([]byte, ed25519.PrivateKeySize)) - copy(pk, key.Priv) - return &pk, nil - case KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521: - var key openSSHECDSAPrivateKey - if err := Unmarshal(pk1.Rest, &key); err != nil { - return nil, err - } - - if err := checkOpenSSHKeyPadding(key.Pad); err != nil { - return nil, err - } - - var curve elliptic.Curve - switch key.Curve { - case "nistp256": - curve = elliptic.P256() - case "nistp384": - curve = elliptic.P384() - case "nistp521": - curve = elliptic.P521() - default: - return nil, errors.New("ssh: unhandled elliptic curve: " + key.Curve) - } - - X, Y := elliptic.Unmarshal(curve, key.Pub) - if X == nil || Y == nil { - return nil, errors.New("ssh: failed to unmarshal public key") - } - - if key.D.Cmp(curve.Params().N) >= 0 { - return nil, errors.New("ssh: scalar is out of range") - } - - x, y := curve.ScalarBaseMult(key.D.Bytes()) - if x.Cmp(X) != 0 || y.Cmp(Y) != 0 { - return nil, errors.New("ssh: public key does not match private key") - } - - return &ecdsa.PrivateKey{ - PublicKey: ecdsa.PublicKey{ - Curve: curve, - X: X, - Y: Y, - }, - D: key.D, - }, nil - default: - return nil, errors.New("ssh: unhandled key type") - } -} - -func marshalOpenSSHPrivateKey(key crypto.PrivateKey, comment string, encrypt openSSHEncryptFunc) (*pem.Block, error) { - var w openSSHEncryptedPrivateKey - var pk1 openSSHPrivateKey - - // Random check bytes. - var check uint32 - if err := binary.Read(rand.Reader, binary.BigEndian, &check); err != nil { - return nil, err - } - - pk1.Check1 = check - pk1.Check2 = check - w.NumKeys = 1 - - // Use a []byte directly on ed25519 keys. - if k, ok := key.(*ed25519.PrivateKey); ok { - key = *k - } - - switch k := key.(type) { - case *rsa.PrivateKey: - E := new(big.Int).SetInt64(int64(k.PublicKey.E)) - // Marshal public key: - // E and N are in reversed order in the public and private key. 
- pubKey := struct { - KeyType string - E *big.Int - N *big.Int - }{ - KeyAlgoRSA, - E, k.PublicKey.N, - } - w.PubKey = Marshal(pubKey) - - // Marshal private key. - key := openSSHRSAPrivateKey{ - N: k.PublicKey.N, - E: E, - D: k.D, - Iqmp: k.Precomputed.Qinv, - P: k.Primes[0], - Q: k.Primes[1], - Comment: comment, - } - pk1.Keytype = KeyAlgoRSA - pk1.Rest = Marshal(key) - case ed25519.PrivateKey: - pub := make([]byte, ed25519.PublicKeySize) - priv := make([]byte, ed25519.PrivateKeySize) - copy(pub, k[32:]) - copy(priv, k) - - // Marshal public key. - pubKey := struct { - KeyType string - Pub []byte - }{ - KeyAlgoED25519, pub, - } - w.PubKey = Marshal(pubKey) - - // Marshal private key. - key := openSSHEd25519PrivateKey{ - Pub: pub, - Priv: priv, - Comment: comment, - } - pk1.Keytype = KeyAlgoED25519 - pk1.Rest = Marshal(key) - case *ecdsa.PrivateKey: - var curve, keyType string - switch name := k.Curve.Params().Name; name { - case "P-256": - curve = "nistp256" - keyType = KeyAlgoECDSA256 - case "P-384": - curve = "nistp384" - keyType = KeyAlgoECDSA384 - case "P-521": - curve = "nistp521" - keyType = KeyAlgoECDSA521 - default: - return nil, errors.New("ssh: unhandled elliptic curve " + name) - } - - pub := elliptic.Marshal(k.Curve, k.PublicKey.X, k.PublicKey.Y) - - // Marshal public key. - pubKey := struct { - KeyType string - Curve string - Pub []byte - }{ - keyType, curve, pub, - } - w.PubKey = Marshal(pubKey) - - // Marshal private key. - key := openSSHECDSAPrivateKey{ - Curve: curve, - Pub: pub, - D: k.D, - Comment: comment, - } - pk1.Keytype = keyType - pk1.Rest = Marshal(key) - default: - return nil, fmt.Errorf("ssh: unsupported key type %T", k) - } - - var err error - // Add padding and encrypt the key if necessary. 
- w.PrivKeyBlock, w.CipherName, w.KdfName, w.KdfOpts, err = encrypt(Marshal(pk1))
- if err != nil {
- return nil, err
- }
-
- b := Marshal(w)
- block := &pem.Block{
- Type: "OPENSSH PRIVATE KEY",
- Bytes: append([]byte(privateKeyAuthMagic), b...),
- }
- return block, nil
-}
-
-func checkOpenSSHKeyPadding(pad []byte) error {
- for i, b := range pad {
- if int(b) != i+1 {
- return errors.New("ssh: padding not as expected")
- }
- }
- return nil
-}
-
-func generateOpenSSHPadding(block []byte, blockSize int) []byte {
- for i, l := 0, len(block); (l+i)%blockSize != 0; i++ {
- block = append(block, byte(i+1))
- }
- return block
-}
-
-// FingerprintLegacyMD5 returns the user presentation of the key's
-// fingerprint as described by RFC 4716 section 4.
-func FingerprintLegacyMD5(pubKey PublicKey) string {
- md5sum := md5.Sum(pubKey.Marshal())
- hexarray := make([]string, len(md5sum))
- for i, c := range md5sum {
- hexarray[i] = hex.EncodeToString([]byte{c})
- }
- return strings.Join(hexarray, ":")
-}
-
-// FingerprintSHA256 returns the user presentation of the key's
-// fingerprint as unpadded base64 encoded sha256 hash.
-// This format was introduced from OpenSSH 6.8.
-// https://www.openssh.com/txt/release-6.8
-// https://tools.ietf.org/html/rfc4648#section-3.2 (unpadded base64 encoding)
-func FingerprintSHA256(pubKey PublicKey) string {
- sha256sum := sha256.Sum256(pubKey.Marshal())
- hash := base64.RawStdEncoding.EncodeToString(sha256sum[:])
- return "SHA256:" + hash
-}
diff --git a/vendor/golang.org/x/crypto/ssh/mac.go b/vendor/golang.org/x/crypto/ssh/mac.go
deleted file mode 100644
index 06a1b2750..000000000
--- a/vendor/golang.org/x/crypto/ssh/mac.go
+++ /dev/null
@@ -1,68 +0,0 @@
-// Copyright 2012 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-// Message authentication support
-
-import (
- "crypto/hmac"
- "crypto/sha1"
- "crypto/sha256"
- "crypto/sha512"
- "hash"
-)
-
-type macMode struct {
- keySize int
- etm bool
- new func(key []byte) hash.Hash
-}
-
-// truncatingMAC wraps around a hash.Hash and truncates the output digest to
-// a given size.
-type truncatingMAC struct {
- length int
- hmac hash.Hash
-}
-
-func (t truncatingMAC) Write(data []byte) (int, error) {
- return t.hmac.Write(data)
-}
-
-func (t truncatingMAC) Sum(in []byte) []byte {
- out := t.hmac.Sum(in)
- return out[:len(in)+t.length]
-}
-
-func (t truncatingMAC) Reset() {
- t.hmac.Reset()
-}
-
-func (t truncatingMAC) Size() int {
- return t.length
-}
-
-func (t truncatingMAC) BlockSize() int { return t.hmac.BlockSize() }
-
-var macModes = map[string]*macMode{
- "hmac-sha2-512-etm@openssh.com": {64, true, func(key []byte) hash.Hash {
- return hmac.New(sha512.New, key)
- }},
- "hmac-sha2-256-etm@openssh.com": {32, true, func(key []byte) hash.Hash {
- return hmac.New(sha256.New, key)
- }},
- "hmac-sha2-512": {64, false, func(key []byte) hash.Hash {
- return hmac.New(sha512.New, key)
- }},
- "hmac-sha2-256": {32, false, func(key []byte) hash.Hash {
- return hmac.New(sha256.New, key)
- }},
- "hmac-sha1": {20, false, func(key []byte) hash.Hash {
- return hmac.New(sha1.New, key)
- }},
- "hmac-sha1-96": {20, false, func(key []byte) hash.Hash {
- return truncatingMAC{12, hmac.New(sha1.New, key)}
- }},
-}
diff --git a/vendor/golang.org/x/crypto/ssh/messages.go b/vendor/golang.org/x/crypto/ssh/messages.go
deleted file mode 100644
index b55f86056..000000000
--- a/vendor/golang.org/x/crypto/ssh/messages.go
+++ /dev/null
@@ -1,891 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
- "bytes"
- "encoding/binary"
- "errors"
- "fmt"
- "io"
- "math/big"
- "reflect"
- "strconv"
- "strings"
-)
-
-// These are SSH message type numbers. They are scattered around several
-// documents but many were taken from [SSH-PARAMETERS].
-const (
- msgIgnore = 2
- msgUnimplemented = 3
- msgDebug = 4
- msgNewKeys = 21
-)
-
-// SSH messages:
-//
-// These structures mirror the wire format of the corresponding SSH messages.
-// They are marshaled using reflection with the marshal and unmarshal functions
-// in this file. The only wrinkle is that a final member of type []byte with a
-// ssh tag of "rest" receives the remainder of a packet when unmarshaling.
-
-// See RFC 4253, section 11.1.
-const msgDisconnect = 1
-
-// disconnectMsg is the message that signals a disconnect. It is also
-// the error type returned from mux.Wait()
-type disconnectMsg struct {
- Reason uint32 `sshtype:"1"`
- Message string
- Language string
-}
-
-func (d *disconnectMsg) Error() string {
- return fmt.Sprintf("ssh: disconnect, reason %d: %s", d.Reason, d.Message)
-}
-
-// See RFC 4253, section 7.1.
-const msgKexInit = 20
-
-type kexInitMsg struct {
- Cookie [16]byte `sshtype:"20"`
- KexAlgos []string
- ServerHostKeyAlgos []string
- CiphersClientServer []string
- CiphersServerClient []string
- MACsClientServer []string
- MACsServerClient []string
- CompressionClientServer []string
- CompressionServerClient []string
- LanguagesClientServer []string
- LanguagesServerClient []string
- FirstKexFollows bool
- Reserved uint32
-}
-
-// See RFC 4253, section 8.
-
-// Diffie-Hellman
-const msgKexDHInit = 30
-
-type kexDHInitMsg struct {
- X *big.Int `sshtype:"30"`
-}
-
-const msgKexECDHInit = 30
-
-type kexECDHInitMsg struct {
- ClientPubKey []byte `sshtype:"30"`
-}
-
-const msgKexECDHReply = 31
-
-type kexECDHReplyMsg struct {
- HostKey []byte `sshtype:"31"`
- EphemeralPubKey []byte
- Signature []byte
-}
-
-const msgKexDHReply = 31
-
-type kexDHReplyMsg struct {
- HostKey []byte `sshtype:"31"`
- Y *big.Int
- Signature []byte
-}
-
-// See RFC 4419, section 5.
-const msgKexDHGexGroup = 31
-
-type kexDHGexGroupMsg struct {
- P *big.Int `sshtype:"31"`
- G *big.Int
-}
-
-const msgKexDHGexInit = 32
-
-type kexDHGexInitMsg struct {
- X *big.Int `sshtype:"32"`
-}
-
-const msgKexDHGexReply = 33
-
-type kexDHGexReplyMsg struct {
- HostKey []byte `sshtype:"33"`
- Y *big.Int
- Signature []byte
-}
-
-const msgKexDHGexRequest = 34
-
-type kexDHGexRequestMsg struct {
- MinBits uint32 `sshtype:"34"`
- PreferedBits uint32
- MaxBits uint32
-}
-
-// See RFC 4253, section 10.
-const msgServiceRequest = 5
-
-type serviceRequestMsg struct {
- Service string `sshtype:"5"`
-}
-
-// See RFC 4253, section 10.
-const msgServiceAccept = 6
-
-type serviceAcceptMsg struct {
- Service string `sshtype:"6"`
-}
-
-// See RFC 8308, section 2.3
-const msgExtInfo = 7
-
-type extInfoMsg struct {
- NumExtensions uint32 `sshtype:"7"`
- Payload []byte `ssh:"rest"`
-}
-
-// See RFC 4252, section 5.
-const msgUserAuthRequest = 50
-
-type userAuthRequestMsg struct {
- User string `sshtype:"50"`
- Service string
- Method string
- Payload []byte `ssh:"rest"`
-}
-
-// Used for debug printouts of packets.
-type userAuthSuccessMsg struct {
-}
-
-// See RFC 4252, section 5.1
-const msgUserAuthFailure = 51
-
-type userAuthFailureMsg struct {
- Methods []string `sshtype:"51"`
- PartialSuccess bool
-}
-
-// See RFC 4252, section 5.1
-const msgUserAuthSuccess = 52
-
-// See RFC 4252, section 5.4
-const msgUserAuthBanner = 53
-
-type userAuthBannerMsg struct {
- Message string `sshtype:"53"`
- // unused, but required to allow message parsing
- Language string
-}
-
-// See RFC 4256, section 3.2
-const msgUserAuthInfoRequest = 60
-const msgUserAuthInfoResponse = 61
-
-type userAuthInfoRequestMsg struct {
- Name string `sshtype:"60"`
- Instruction string
- Language string
- NumPrompts uint32
- Prompts []byte `ssh:"rest"`
-}
-
-// See RFC 4254, section 5.1.
-const msgChannelOpen = 90
-
-type channelOpenMsg struct {
- ChanType string `sshtype:"90"`
- PeersID uint32
- PeersWindow uint32
- MaxPacketSize uint32
- TypeSpecificData []byte `ssh:"rest"`
-}
-
-const msgChannelExtendedData = 95
-const msgChannelData = 94
-
-// Used for debug print outs of packets.
-type channelDataMsg struct {
- PeersID uint32 `sshtype:"94"`
- Length uint32
- Rest []byte `ssh:"rest"`
-}
-
-// See RFC 4254, section 5.1.
-const msgChannelOpenConfirm = 91
-
-type channelOpenConfirmMsg struct {
- PeersID uint32 `sshtype:"91"`
- MyID uint32
- MyWindow uint32
- MaxPacketSize uint32
- TypeSpecificData []byte `ssh:"rest"`
-}
-
-// See RFC 4254, section 5.1.
-const msgChannelOpenFailure = 92
-
-type channelOpenFailureMsg struct {
- PeersID uint32 `sshtype:"92"`
- Reason RejectionReason
- Message string
- Language string
-}
-
-const msgChannelRequest = 98
-
-type channelRequestMsg struct {
- PeersID uint32 `sshtype:"98"`
- Request string
- WantReply bool
- RequestSpecificData []byte `ssh:"rest"`
-}
-
-// See RFC 4254, section 5.4.
-const msgChannelSuccess = 99
-
-type channelRequestSuccessMsg struct {
- PeersID uint32 `sshtype:"99"`
-}
-
-// See RFC 4254, section 5.4.
-const msgChannelFailure = 100 - -type channelRequestFailureMsg struct { - PeersID uint32 `sshtype:"100"` -} - -// See RFC 4254, section 5.3 -const msgChannelClose = 97 - -type channelCloseMsg struct { - PeersID uint32 `sshtype:"97"` -} - -// See RFC 4254, section 5.3 -const msgChannelEOF = 96 - -type channelEOFMsg struct { - PeersID uint32 `sshtype:"96"` -} - -// See RFC 4254, section 4 -const msgGlobalRequest = 80 - -type globalRequestMsg struct { - Type string `sshtype:"80"` - WantReply bool - Data []byte `ssh:"rest"` -} - -// See RFC 4254, section 4 -const msgRequestSuccess = 81 - -type globalRequestSuccessMsg struct { - Data []byte `ssh:"rest" sshtype:"81"` -} - -// See RFC 4254, section 4 -const msgRequestFailure = 82 - -type globalRequestFailureMsg struct { - Data []byte `ssh:"rest" sshtype:"82"` -} - -// See RFC 4254, section 5.2 -const msgChannelWindowAdjust = 93 - -type windowAdjustMsg struct { - PeersID uint32 `sshtype:"93"` - AdditionalBytes uint32 -} - -// See RFC 4252, section 7 -const msgUserAuthPubKeyOk = 60 - -type userAuthPubKeyOkMsg struct { - Algo string `sshtype:"60"` - PubKey []byte -} - -// See RFC 4462, section 3 -const msgUserAuthGSSAPIResponse = 60 - -type userAuthGSSAPIResponse struct { - SupportMech []byte `sshtype:"60"` -} - -const msgUserAuthGSSAPIToken = 61 - -type userAuthGSSAPIToken struct { - Token []byte `sshtype:"61"` -} - -const msgUserAuthGSSAPIMIC = 66 - -type userAuthGSSAPIMIC struct { - MIC []byte `sshtype:"66"` -} - -// See RFC 4462, section 3.9 -const msgUserAuthGSSAPIErrTok = 64 - -type userAuthGSSAPIErrTok struct { - ErrorToken []byte `sshtype:"64"` -} - -// See RFC 4462, section 3.8 -const msgUserAuthGSSAPIError = 65 - -type userAuthGSSAPIError struct { - MajorStatus uint32 `sshtype:"65"` - MinorStatus uint32 - Message string - LanguageTag string -} - -// Transport layer OpenSSH extension. 
See [PROTOCOL], section 1.9 -const msgPing = 192 - -type pingMsg struct { - Data string `sshtype:"192"` -} - -// Transport layer OpenSSH extension. See [PROTOCOL], section 1.9 -const msgPong = 193 - -type pongMsg struct { - Data string `sshtype:"193"` -} - -// typeTags returns the possible type bytes for the given reflect.Type, which -// should be a struct. The possible values are separated by a '|' character. -func typeTags(structType reflect.Type) (tags []byte) { - tagStr := structType.Field(0).Tag.Get("sshtype") - - for _, tag := range strings.Split(tagStr, "|") { - i, err := strconv.Atoi(tag) - if err == nil { - tags = append(tags, byte(i)) - } - } - - return tags -} - -func fieldError(t reflect.Type, field int, problem string) error { - if problem != "" { - problem = ": " + problem - } - return fmt.Errorf("ssh: unmarshal error for field %s of type %s%s", t.Field(field).Name, t.Name(), problem) -} - -var errShortRead = errors.New("ssh: short read") - -// Unmarshal parses data in SSH wire format into a structure. The out -// argument should be a pointer to struct. If the first member of the -// struct has the "sshtype" tag set to a '|'-separated set of numbers -// in decimal, the packet must start with one of those numbers. In -// case of error, Unmarshal returns a ParseError or -// UnexpectedMessageError. 
-func Unmarshal(data []byte, out interface{}) error { - v := reflect.ValueOf(out).Elem() - structType := v.Type() - expectedTypes := typeTags(structType) - - var expectedType byte - if len(expectedTypes) > 0 { - expectedType = expectedTypes[0] - } - - if len(data) == 0 { - return parseError(expectedType) - } - - if len(expectedTypes) > 0 { - goodType := false - for _, e := range expectedTypes { - if e > 0 && data[0] == e { - goodType = true - break - } - } - if !goodType { - return fmt.Errorf("ssh: unexpected message type %d (expected one of %v)", data[0], expectedTypes) - } - data = data[1:] - } - - var ok bool - for i := 0; i < v.NumField(); i++ { - field := v.Field(i) - t := field.Type() - switch t.Kind() { - case reflect.Bool: - if len(data) < 1 { - return errShortRead - } - field.SetBool(data[0] != 0) - data = data[1:] - case reflect.Array: - if t.Elem().Kind() != reflect.Uint8 { - return fieldError(structType, i, "array of unsupported type") - } - if len(data) < t.Len() { - return errShortRead - } - for j, n := 0, t.Len(); j < n; j++ { - field.Index(j).Set(reflect.ValueOf(data[j])) - } - data = data[t.Len():] - case reflect.Uint64: - var u64 uint64 - if u64, data, ok = parseUint64(data); !ok { - return errShortRead - } - field.SetUint(u64) - case reflect.Uint32: - var u32 uint32 - if u32, data, ok = parseUint32(data); !ok { - return errShortRead - } - field.SetUint(uint64(u32)) - case reflect.Uint8: - if len(data) < 1 { - return errShortRead - } - field.SetUint(uint64(data[0])) - data = data[1:] - case reflect.String: - var s []byte - if s, data, ok = parseString(data); !ok { - return fieldError(structType, i, "") - } - field.SetString(string(s)) - case reflect.Slice: - switch t.Elem().Kind() { - case reflect.Uint8: - if structType.Field(i).Tag.Get("ssh") == "rest" { - field.Set(reflect.ValueOf(data)) - data = nil - } else { - var s []byte - if s, data, ok = parseString(data); !ok { - return errShortRead - } - field.Set(reflect.ValueOf(s)) - } - case 
reflect.String: - var nl []string - if nl, data, ok = parseNameList(data); !ok { - return errShortRead - } - field.Set(reflect.ValueOf(nl)) - default: - return fieldError(structType, i, "slice of unsupported type") - } - case reflect.Ptr: - if t == bigIntType { - var n *big.Int - if n, data, ok = parseInt(data); !ok { - return errShortRead - } - field.Set(reflect.ValueOf(n)) - } else { - return fieldError(structType, i, "pointer to unsupported type") - } - default: - return fieldError(structType, i, fmt.Sprintf("unsupported type: %v", t)) - } - } - - if len(data) != 0 { - return parseError(expectedType) - } - - return nil -} - -// Marshal serializes the message in msg to SSH wire format. The msg -// argument should be a struct or pointer to struct. If the first -// member has the "sshtype" tag set to a number in decimal, that -// number is prepended to the result. If the last of member has the -// "ssh" tag set to "rest", its contents are appended to the output. -func Marshal(msg interface{}) []byte { - out := make([]byte, 0, 64) - return marshalStruct(out, msg) -} - -func marshalStruct(out []byte, msg interface{}) []byte { - v := reflect.Indirect(reflect.ValueOf(msg)) - msgTypes := typeTags(v.Type()) - if len(msgTypes) > 0 { - out = append(out, msgTypes[0]) - } - - for i, n := 0, v.NumField(); i < n; i++ { - field := v.Field(i) - switch t := field.Type(); t.Kind() { - case reflect.Bool: - var v uint8 - if field.Bool() { - v = 1 - } - out = append(out, v) - case reflect.Array: - if t.Elem().Kind() != reflect.Uint8 { - panic(fmt.Sprintf("array of non-uint8 in field %d: %T", i, field.Interface())) - } - for j, l := 0, t.Len(); j < l; j++ { - out = append(out, uint8(field.Index(j).Uint())) - } - case reflect.Uint32: - out = appendU32(out, uint32(field.Uint())) - case reflect.Uint64: - out = appendU64(out, uint64(field.Uint())) - case reflect.Uint8: - out = append(out, uint8(field.Uint())) - case reflect.String: - s := field.String() - out = appendInt(out, len(s)) - 
out = append(out, s...) - case reflect.Slice: - switch t.Elem().Kind() { - case reflect.Uint8: - if v.Type().Field(i).Tag.Get("ssh") != "rest" { - out = appendInt(out, field.Len()) - } - out = append(out, field.Bytes()...) - case reflect.String: - offset := len(out) - out = appendU32(out, 0) - if n := field.Len(); n > 0 { - for j := 0; j < n; j++ { - f := field.Index(j) - if j != 0 { - out = append(out, ',') - } - out = append(out, f.String()...) - } - // overwrite length value - binary.BigEndian.PutUint32(out[offset:], uint32(len(out)-offset-4)) - } - default: - panic(fmt.Sprintf("slice of unknown type in field %d: %T", i, field.Interface())) - } - case reflect.Ptr: - if t == bigIntType { - var n *big.Int - nValue := reflect.ValueOf(&n) - nValue.Elem().Set(field) - needed := intLength(n) - oldLength := len(out) - - if cap(out)-len(out) < needed { - newOut := make([]byte, len(out), 2*(len(out)+needed)) - copy(newOut, out) - out = newOut - } - out = out[:oldLength+needed] - marshalInt(out[oldLength:], n) - } else { - panic(fmt.Sprintf("pointer to unknown type in field %d: %T", i, field.Interface())) - } - } - } - - return out -} - -var bigOne = big.NewInt(1) - -func parseString(in []byte) (out, rest []byte, ok bool) { - if len(in) < 4 { - return - } - length := binary.BigEndian.Uint32(in) - in = in[4:] - if uint32(len(in)) < length { - return - } - out = in[:length] - rest = in[length:] - ok = true - return -} - -var ( - comma = []byte{','} - emptyNameList = []string{} -) - -func parseNameList(in []byte) (out []string, rest []byte, ok bool) { - contents, rest, ok := parseString(in) - if !ok { - return - } - if len(contents) == 0 { - out = emptyNameList - return - } - parts := bytes.Split(contents, comma) - out = make([]string, len(parts)) - for i, part := range parts { - out[i] = string(part) - } - return -} - -func parseInt(in []byte) (out *big.Int, rest []byte, ok bool) { - contents, rest, ok := parseString(in) - if !ok { - return - } - out = new(big.Int) - - if 
len(contents) > 0 && contents[0]&0x80 == 0x80 { - // This is a negative number - notBytes := make([]byte, len(contents)) - for i := range notBytes { - notBytes[i] = ^contents[i] - } - out.SetBytes(notBytes) - out.Add(out, bigOne) - out.Neg(out) - } else { - // Positive number - out.SetBytes(contents) - } - ok = true - return -} - -func parseUint32(in []byte) (uint32, []byte, bool) { - if len(in) < 4 { - return 0, nil, false - } - return binary.BigEndian.Uint32(in), in[4:], true -} - -func parseUint64(in []byte) (uint64, []byte, bool) { - if len(in) < 8 { - return 0, nil, false - } - return binary.BigEndian.Uint64(in), in[8:], true -} - -func intLength(n *big.Int) int { - length := 4 /* length bytes */ - if n.Sign() < 0 { - nMinus1 := new(big.Int).Neg(n) - nMinus1.Sub(nMinus1, bigOne) - bitLen := nMinus1.BitLen() - if bitLen%8 == 0 { - // The number will need 0xff padding - length++ - } - length += (bitLen + 7) / 8 - } else if n.Sign() == 0 { - // A zero is the zero length string - } else { - bitLen := n.BitLen() - if bitLen%8 == 0 { - // The number will need 0x00 padding - length++ - } - length += (bitLen + 7) / 8 - } - - return length -} - -func marshalUint32(to []byte, n uint32) []byte { - binary.BigEndian.PutUint32(to, n) - return to[4:] -} - -func marshalUint64(to []byte, n uint64) []byte { - binary.BigEndian.PutUint64(to, n) - return to[8:] -} - -func marshalInt(to []byte, n *big.Int) []byte { - lengthBytes := to - to = to[4:] - length := 0 - - if n.Sign() < 0 { - // A negative number has to be converted to two's-complement - // form. So we'll subtract 1 and invert. If the - // most-significant-bit isn't set then we'll need to pad the - // beginning with 0xff in order to keep the number negative. 
- nMinus1 := new(big.Int).Neg(n)
- nMinus1.Sub(nMinus1, bigOne)
- bytes := nMinus1.Bytes()
- for i := range bytes {
- bytes[i] ^= 0xff
- }
- if len(bytes) == 0 || bytes[0]&0x80 == 0 {
- to[0] = 0xff
- to = to[1:]
- length++
- }
- nBytes := copy(to, bytes)
- to = to[nBytes:]
- length += nBytes
- } else if n.Sign() == 0 {
- // A zero is the zero length string
- } else {
- bytes := n.Bytes()
- if len(bytes) > 0 && bytes[0]&0x80 != 0 {
- // We'll have to pad this with a 0x00 in order to
- // stop it looking like a negative number.
- to[0] = 0
- to = to[1:]
- length++
- }
- nBytes := copy(to, bytes)
- to = to[nBytes:]
- length += nBytes
- }
-
- lengthBytes[0] = byte(length >> 24)
- lengthBytes[1] = byte(length >> 16)
- lengthBytes[2] = byte(length >> 8)
- lengthBytes[3] = byte(length)
- return to
-}
-
-func writeInt(w io.Writer, n *big.Int) {
- length := intLength(n)
- buf := make([]byte, length)
- marshalInt(buf, n)
- w.Write(buf)
-}
-
-func writeString(w io.Writer, s []byte) {
- var lengthBytes [4]byte
- lengthBytes[0] = byte(len(s) >> 24)
- lengthBytes[1] = byte(len(s) >> 16)
- lengthBytes[2] = byte(len(s) >> 8)
- lengthBytes[3] = byte(len(s))
- w.Write(lengthBytes[:])
- w.Write(s)
-}
-
-func stringLength(n int) int {
- return 4 + n
-}
-
-func marshalString(to []byte, s []byte) []byte {
- to[0] = byte(len(s) >> 24)
- to[1] = byte(len(s) >> 16)
- to[2] = byte(len(s) >> 8)
- to[3] = byte(len(s))
- to = to[4:]
- copy(to, s)
- return to[len(s):]
-}
-
-var bigIntType = reflect.TypeOf((*big.Int)(nil))
-
-// Decode a packet into its corresponding message.
-func decode(packet []byte) (interface{}, error) { - var msg interface{} - switch packet[0] { - case msgDisconnect: - msg = new(disconnectMsg) - case msgServiceRequest: - msg = new(serviceRequestMsg) - case msgServiceAccept: - msg = new(serviceAcceptMsg) - case msgExtInfo: - msg = new(extInfoMsg) - case msgKexInit: - msg = new(kexInitMsg) - case msgKexDHInit: - msg = new(kexDHInitMsg) - case msgKexDHReply: - msg = new(kexDHReplyMsg) - case msgUserAuthRequest: - msg = new(userAuthRequestMsg) - case msgUserAuthSuccess: - return new(userAuthSuccessMsg), nil - case msgUserAuthFailure: - msg = new(userAuthFailureMsg) - case msgUserAuthPubKeyOk: - msg = new(userAuthPubKeyOkMsg) - case msgGlobalRequest: - msg = new(globalRequestMsg) - case msgRequestSuccess: - msg = new(globalRequestSuccessMsg) - case msgRequestFailure: - msg = new(globalRequestFailureMsg) - case msgChannelOpen: - msg = new(channelOpenMsg) - case msgChannelData: - msg = new(channelDataMsg) - case msgChannelOpenConfirm: - msg = new(channelOpenConfirmMsg) - case msgChannelOpenFailure: - msg = new(channelOpenFailureMsg) - case msgChannelWindowAdjust: - msg = new(windowAdjustMsg) - case msgChannelEOF: - msg = new(channelEOFMsg) - case msgChannelClose: - msg = new(channelCloseMsg) - case msgChannelRequest: - msg = new(channelRequestMsg) - case msgChannelSuccess: - msg = new(channelRequestSuccessMsg) - case msgChannelFailure: - msg = new(channelRequestFailureMsg) - case msgUserAuthGSSAPIToken: - msg = new(userAuthGSSAPIToken) - case msgUserAuthGSSAPIMIC: - msg = new(userAuthGSSAPIMIC) - case msgUserAuthGSSAPIErrTok: - msg = new(userAuthGSSAPIErrTok) - case msgUserAuthGSSAPIError: - msg = new(userAuthGSSAPIError) - default: - return nil, unexpectedMessageError(0, packet[0]) - } - if err := Unmarshal(packet, msg); err != nil { - return nil, err - } - return msg, nil -} - -var packetTypeNames = map[byte]string{ - msgDisconnect: "disconnectMsg", - msgServiceRequest: "serviceRequestMsg", - msgServiceAccept: 
"serviceAcceptMsg", - msgExtInfo: "extInfoMsg", - msgKexInit: "kexInitMsg", - msgKexDHInit: "kexDHInitMsg", - msgKexDHReply: "kexDHReplyMsg", - msgUserAuthRequest: "userAuthRequestMsg", - msgUserAuthSuccess: "userAuthSuccessMsg", - msgUserAuthFailure: "userAuthFailureMsg", - msgUserAuthPubKeyOk: "userAuthPubKeyOkMsg", - msgGlobalRequest: "globalRequestMsg", - msgRequestSuccess: "globalRequestSuccessMsg", - msgRequestFailure: "globalRequestFailureMsg", - msgChannelOpen: "channelOpenMsg", - msgChannelData: "channelDataMsg", - msgChannelOpenConfirm: "channelOpenConfirmMsg", - msgChannelOpenFailure: "channelOpenFailureMsg", - msgChannelWindowAdjust: "windowAdjustMsg", - msgChannelEOF: "channelEOFMsg", - msgChannelClose: "channelCloseMsg", - msgChannelRequest: "channelRequestMsg", - msgChannelSuccess: "channelRequestSuccessMsg", - msgChannelFailure: "channelRequestFailureMsg", -} diff --git a/vendor/golang.org/x/crypto/ssh/mux.go b/vendor/golang.org/x/crypto/ssh/mux.go deleted file mode 100644 index d2d24c635..000000000 --- a/vendor/golang.org/x/crypto/ssh/mux.go +++ /dev/null 
@@ -1,357 +0,0 @@
-// Copyright 2013 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
- "encoding/binary"
- "fmt"
- "io"
- "log"
- "sync"
- "sync/atomic"
-)
-
-// debugMux, if set, causes messages in the connection protocol to be
-// logged.
-const debugMux = false
-
-// chanList is a thread safe channel list.
-type chanList struct {
- // protects concurrent access to chans
- sync.Mutex
-
- // chans are indexed by the local id of the channel, which the
- // other side should send in the PeersId field.
- chans []*channel
-
- // This is a debugging aid: it offsets all IDs by this
- // amount. This helps distinguish otherwise identical
- // server/client muxes
- offset uint32
-}
-
-// Assigns a channel ID to the given channel.
-func (c *chanList) add(ch *channel) uint32 {
- c.Lock()
- defer c.Unlock()
- for i := range c.chans {
- if c.chans[i] == nil {
- c.chans[i] = ch
- return uint32(i) + c.offset
- }
- }
- c.chans = append(c.chans, ch)
- return uint32(len(c.chans)-1) + c.offset
-}
-
-// getChan returns the channel for the given ID.
-func (c *chanList) getChan(id uint32) *channel {
- id -= c.offset
-
- c.Lock()
- defer c.Unlock()
- if id < uint32(len(c.chans)) {
- return c.chans[id]
- }
- return nil
-}
-
-func (c *chanList) remove(id uint32) {
- id -= c.offset
- c.Lock()
- if id < uint32(len(c.chans)) {
- c.chans[id] = nil
- }
- c.Unlock()
-}
-
-// dropAll forgets all channels it knows, returning them in a slice.
-func (c *chanList) dropAll() []*channel {
- c.Lock()
- defer c.Unlock()
- var r []*channel
-
- for _, ch := range c.chans {
- if ch == nil {
- continue
- }
- r = append(r, ch)
- }
- c.chans = nil
- return r
-}
-
-// mux represents the state for the SSH connection protocol, which
-// multiplexes many channels onto a single packet transport.
-type mux struct {
- conn packetConn
- chanList chanList
-
- incomingChannels chan NewChannel
-
- globalSentMu sync.Mutex
- globalResponses chan interface{}
- incomingRequests chan *Request
-
- errCond *sync.Cond
- err error
-}
-
-// When debugging, each new chanList instantiation has a different
-// offset.
-var globalOff uint32
-
-func (m *mux) Wait() error {
- m.errCond.L.Lock()
- defer m.errCond.L.Unlock()
- for m.err == nil {
- m.errCond.Wait()
- }
- return m.err
-}
-
-// newMux returns a mux that runs over the given connection.
-func newMux(p packetConn) *mux {
- m := &mux{
- conn: p,
- incomingChannels: make(chan NewChannel, chanSize),
- globalResponses: make(chan interface{}, 1),
- incomingRequests: make(chan *Request, chanSize),
- errCond: newCond(),
- }
- if debugMux {
- m.chanList.offset = atomic.AddUint32(&globalOff, 1)
- }
-
- go m.loop()
- return m
-}
-
-func (m *mux) sendMessage(msg interface{}) error {
- p := Marshal(msg)
- if debugMux {
- log.Printf("send global(%d): %#v", m.chanList.offset, msg)
- }
- return m.conn.writePacket(p)
-}
-
-func (m *mux) SendRequest(name string, wantReply bool, payload []byte) (bool, []byte, error) {
- if wantReply {
- m.globalSentMu.Lock()
- defer m.globalSentMu.Unlock()
- }
-
- if err := m.sendMessage(globalRequestMsg{
- Type: name,
- WantReply: wantReply,
- Data: payload,
- }); err != nil {
- return false, nil, err
- }
-
- if !wantReply {
- return false, nil, nil
- }
-
- msg, ok := <-m.globalResponses
- if !ok {
- return false, nil, io.EOF
- }
- switch msg := msg.(type) {
- case *globalRequestFailureMsg:
- return false, msg.Data, nil
- case *globalRequestSuccessMsg:
- return true, msg.Data, nil
- default:
- return false, nil, fmt.Errorf("ssh: unexpected response to request: %#v", msg)
- }
-}
-
-// ackRequest must be called after processing a global request that
-// has WantReply set.
-func (m *mux) ackRequest(ok bool, data []byte) error {
- if ok {
- return m.sendMessage(globalRequestSuccessMsg{Data: data})
- }
- return m.sendMessage(globalRequestFailureMsg{Data: data})
-}
-
-func (m *mux) Close() error {
- return m.conn.Close()
-}
-
-// loop runs the connection machine. It will process packets until an
-// error is encountered. To synchronize on loop exit, use mux.Wait.
-func (m *mux) loop() {
- var err error
- for err == nil {
- err = m.onePacket()
- }
-
- for _, ch := range m.chanList.dropAll() {
- ch.close()
- }
-
- close(m.incomingChannels)
- close(m.incomingRequests)
- close(m.globalResponses)
-
- m.conn.Close()
-
- m.errCond.L.Lock()
- m.err = err
- m.errCond.Broadcast()
- m.errCond.L.Unlock()
-
- if debugMux {
- log.Println("loop exit", err)
- }
-}
-
-// onePacket reads and processes one packet.
-func (m *mux) onePacket() error {
- packet, err := m.conn.readPacket()
- if err != nil {
- return err
- }
-
- if debugMux {
- if packet[0] == msgChannelData || packet[0] == msgChannelExtendedData {
- log.Printf("decoding(%d): data packet - %d bytes", m.chanList.offset, len(packet))
- } else {
- p, _ := decode(packet)
- log.Printf("decoding(%d): %d %#v - %d bytes", m.chanList.offset, packet[0], p, len(packet))
- }
- }
-
- switch packet[0] {
- case msgChannelOpen:
- return m.handleChannelOpen(packet)
- case msgGlobalRequest, msgRequestSuccess, msgRequestFailure:
- return m.handleGlobalPacket(packet)
- case msgPing:
- var msg pingMsg
- if err := Unmarshal(packet, &msg); err != nil {
- return fmt.Errorf("failed to unmarshal ping@openssh.com message: %w", err)
- }
- return m.sendMessage(pongMsg(msg))
- }
-
- // assume a channel packet.
- if len(packet) < 5 { - return parseError(packet[0]) - } - id := binary.BigEndian.Uint32(packet[1:]) - ch := m.chanList.getChan(id) - if ch == nil { - return m.handleUnknownChannelPacket(id, packet) - } - - return ch.handlePacket(packet) -} - -func (m *mux) handleGlobalPacket(packet []byte) error { - msg, err := decode(packet) - if err != nil { - return err - } - - switch msg := msg.(type) { - case *globalRequestMsg: - m.incomingRequests <- &Request{ - Type: msg.Type, - WantReply: msg.WantReply, - Payload: msg.Data, - mux: m, - } - case *globalRequestSuccessMsg, *globalRequestFailureMsg: - m.globalResponses <- msg - default: - panic(fmt.Sprintf("not a global message %#v", msg)) - } - - return nil -} - -// handleChannelOpen schedules a channel to be Accept()ed. -func (m *mux) handleChannelOpen(packet []byte) error { - var msg channelOpenMsg - if err := Unmarshal(packet, &msg); err != nil { - return err - } - - if msg.MaxPacketSize < minPacketLength || msg.MaxPacketSize > 1<<31 { - failMsg := channelOpenFailureMsg{ - PeersID: msg.PeersID, - Reason: ConnectionFailed, - Message: "invalid request", - Language: "en_US.UTF-8", - } - return m.sendMessage(failMsg) - } - - c := m.newChannel(msg.ChanType, channelInbound, msg.TypeSpecificData) - c.remoteId = msg.PeersID - c.maxRemotePayload = msg.MaxPacketSize - c.remoteWin.add(msg.PeersWindow) - m.incomingChannels <- c - return nil -} - -func (m *mux) OpenChannel(chanType string, extra []byte) (Channel, <-chan *Request, error) { - ch, err := m.openChannel(chanType, extra) - if err != nil { - return nil, nil, err - } - - return ch, ch.incomingRequests, nil -} - -func (m *mux) openChannel(chanType string, extra []byte) (*channel, error) { - ch := m.newChannel(chanType, channelOutbound, extra) - - ch.maxIncomingPayload = channelMaxPacket - - open := channelOpenMsg{ - ChanType: chanType, - PeersWindow: ch.myWindow, - MaxPacketSize: ch.maxIncomingPayload, - TypeSpecificData: extra, - PeersID: ch.localId, - } - if err := 
m.sendMessage(open); err != nil { - return nil, err - } - - switch msg := (<-ch.msg).(type) { - case *channelOpenConfirmMsg: - return ch, nil - case *channelOpenFailureMsg: - return nil, &OpenChannelError{msg.Reason, msg.Message} - default: - return nil, fmt.Errorf("ssh: unexpected packet in response to channel open: %T", msg) - } -} - -func (m *mux) handleUnknownChannelPacket(id uint32, packet []byte) error { - msg, err := decode(packet) - if err != nil { - return err - } - - switch msg := msg.(type) { - // RFC 4254 section 5.4 says unrecognized channel requests should - // receive a failure response. - case *channelRequestMsg: - if msg.WantReply { - return m.sendMessage(channelRequestFailureMsg{ - PeersID: msg.PeersID, - }) - } - return nil - default: - return fmt.Errorf("ssh: invalid channel %d", id) - } -} diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go deleted file mode 100644 index 1839ddc6a..000000000 --- a/vendor/golang.org/x/crypto/ssh/server.go +++ /dev/null 
@@ -1,933 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
- "bytes"
- "errors"
- "fmt"
- "io"
- "net"
- "strings"
-)
-
-// The Permissions type holds fine-grained permissions that are
-// specific to a user or a specific authentication method for a user.
-// The Permissions value for a successful authentication attempt is
-// available in ServerConn, so it can be used to pass information from
-// the user-authentication phase to the application layer.
-type Permissions struct {
- // CriticalOptions indicate restrictions to the default
- // permissions, and are typically used in conjunction with
- // user certificates. The standard for SSH certificates
- // defines "force-command" (only allow the given command to
- // execute) and "source-address" (only allow connections from
- // the given address). The SSH package currently only enforces
- // the "source-address" critical option. It is up to server
- // implementations to enforce other critical options, such as
- // "force-command", by checking them after the SSH handshake
- // is successful. In general, SSH servers should reject
- // connections that specify critical options that are unknown
- // or not supported.
- CriticalOptions map[string]string
-
- // Extensions are extra functionality that the server may
- // offer on authenticated connections. Lack of support for an
- // extension does not preclude authenticating a user. Common
- // extensions are "permit-agent-forwarding",
- // "permit-X11-forwarding". The Go SSH library currently does
- // not act on any extension, and it is up to server
- // implementations to honor them. Extensions can be used to
- // pass data from the authentication callbacks to the server
- // application layer.
- Extensions map[string]string
-}
-
-type GSSAPIWithMICConfig struct {
- // AllowLogin, must be set, is called when gssapi-with-mic
- // authentication is selected (RFC 4462 section 3). The srcName is from the
- // results of the GSS-API authentication. The format is username@DOMAIN.
- // GSSAPI just guarantees to the server who the user is, but not if they can log in, and with what permissions.
- // This callback is called after the user identity is established with GSSAPI to decide if the user can login with
- // which permissions. If the user is allowed to login, it should return a nil error.
- AllowLogin func(conn ConnMetadata, srcName string) (*Permissions, error)
-
- // Server must be set. It's the implementation
- // of the GSSAPIServer interface. See GSSAPIServer interface for details.
- Server GSSAPIServer
-}
-
-// SendAuthBanner implements [ServerPreAuthConn].
-func (s *connection) SendAuthBanner(msg string) error {
- return s.transport.writePacket(Marshal(&userAuthBannerMsg{
- Message: msg,
- }))
-}
-
-func (*connection) unexportedMethodForFutureProofing() {}
-
-// ServerPreAuthConn is the interface available on an incoming server
-// connection before authentication has completed.
-type ServerPreAuthConn interface {
- unexportedMethodForFutureProofing() // permits growing ServerPreAuthConn safely later, ala testing.TB
-
- ConnMetadata
-
- // SendAuthBanner sends a banner message to the client.
- // It returns an error once the authentication phase has ended.
- SendAuthBanner(string) error
-}
-
-// ServerConfig holds server specific configuration data.
-type ServerConfig struct {
- // Config contains configuration shared between client and server.
- Config
-
- // PublicKeyAuthAlgorithms specifies the supported client public key
- // authentication algorithms. Note that this should not include certificate
- // types since those use the underlying algorithm. This list is sent to the
- // client if it supports the server-sig-algs extension. Order is irrelevant.
- // If unspecified then a default set of algorithms is used.
- PublicKeyAuthAlgorithms []string
-
- hostKeys []Signer
-
- // NoClientAuth is true if clients are allowed to connect without
- // authenticating.
- // To determine NoClientAuth at runtime, set NoClientAuth to true
- // and the optional NoClientAuthCallback to a non-nil value.
- NoClientAuth bool
-
- // NoClientAuthCallback, if non-nil, is called when a user
- // attempts to authenticate with auth method "none".
- // NoClientAuth must also be set to true for this be used, or
- // this func is unused.
- NoClientAuthCallback func(ConnMetadata) (*Permissions, error)
-
- // MaxAuthTries specifies the maximum number of authentication attempts
- // permitted per connection. If set to a negative number, the number of
- // attempts are unlimited. If set to zero, the number of attempts are limited
- // to 6.
- MaxAuthTries int
-
- // PasswordCallback, if non-nil, is called when a user
- // attempts to authenticate using a password.
- PasswordCallback func(conn ConnMetadata, password []byte) (*Permissions, error)
-
- // PublicKeyCallback, if non-nil, is called when a client
- // offers a public key for authentication. It must return a nil error
- // if the given public key can be used to authenticate the
- // given user. For example, see CertChecker.Authenticate. A
- // call to this function does not guarantee that the key
- // offered is in fact used to authenticate. To record any data
- // depending on the public key, store it inside a
- // Permissions.Extensions entry.
- PublicKeyCallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
-
- // KeyboardInteractiveCallback, if non-nil, is called when
- // keyboard-interactive authentication is selected (RFC
- // 4256). The client object's Challenge function should be
- // used to query the user. The callback may offer multiple
- // Challenge rounds. To avoid information leaks, the client
- // should be presented a challenge even if the user is
- // unknown.
- KeyboardInteractiveCallback func(conn ConnMetadata, client KeyboardInteractiveChallenge) (*Permissions, error)
-
- // AuthLogCallback, if non-nil, is called to log all authentication
- // attempts.
- AuthLogCallback func(conn ConnMetadata, method string, err error)
-
- // PreAuthConnCallback, if non-nil, is called upon receiving a new connection
- // before any authentication has started. The provided ServerPreAuthConn
- // can be used at any time before authentication is complete, including
- // after this callback has returned.
- PreAuthConnCallback func(ServerPreAuthConn)
-
- // ServerVersion is the version identification string to announce in
- // the public handshake.
- // If empty, a reasonable default is used.
- // Note that RFC 4253 section 4.2 requires that this string start with
- // "SSH-2.0-".
- ServerVersion string
-
- // BannerCallback, if present, is called and the return string is sent to
- // the client after key exchange completed but before authentication.
- BannerCallback func(conn ConnMetadata) string
-
- // GSSAPIWithMICConfig includes gssapi server and callback, which if both non-nil, is used
- // when gssapi-with-mic authentication is selected (RFC 4462 section 3).
- GSSAPIWithMICConfig *GSSAPIWithMICConfig
-}
-
-// AddHostKey adds a private key as a host key. If an existing host
-// key exists with the same public key format, it is replaced. Each server
-// config must have at least one host key.
-func (s *ServerConfig) AddHostKey(key Signer) {
- for i, k := range s.hostKeys {
- if k.PublicKey().Type() == key.PublicKey().Type() {
- s.hostKeys[i] = key
- return
- }
- }
-
- s.hostKeys = append(s.hostKeys, key)
-}
-
-// cachedPubKey contains the results of querying whether a public key is
-// acceptable for a user. This is a FIFO cache.
-type cachedPubKey struct {
- user string
- pubKeyData []byte
- result error
- perms *Permissions
-}
-
-// maxCachedPubKeys is the number of cache entries we store.
-//
-// Due to consistent misuse of the PublicKeyCallback API, we have reduced this
-// to 1, such that the only key in the cache is the most recently seen one. This
-// forces the behavior that the last call to PublicKeyCallback will always be
-// with the key that is used for authentication.
-const maxCachedPubKeys = 1
-
-// pubKeyCache caches tests for public keys. Since SSH clients
-// will query whether a public key is acceptable before attempting to
-// authenticate with it, we end up with duplicate queries for public
-// key validity. The cache only applies to a single ServerConn.
-type pubKeyCache struct {
- keys []cachedPubKey
-}
-
-// get returns the result for a given user/algo/key tuple.
-func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) {
- for _, k := range c.keys {
- if k.user == user && bytes.Equal(k.pubKeyData, pubKeyData) {
- return k, true
- }
- }
- return cachedPubKey{}, false
-}
-
-// add adds the given tuple to the cache.
-func (c *pubKeyCache) add(candidate cachedPubKey) {
- if len(c.keys) >= maxCachedPubKeys {
- c.keys = c.keys[1:]
- }
- c.keys = append(c.keys, candidate)
-}
-
-// ServerConn is an authenticated SSH connection, as seen from the
-// server
-type ServerConn struct {
- Conn
-
- // If the succeeding authentication callback returned a
- // non-nil Permissions pointer, it is stored here.
- Permissions *Permissions
-}
-
-// NewServerConn starts a new SSH server with c as the underlying
-// transport. It starts with a handshake and, if the handshake is
-// unsuccessful, it closes the connection and returns an error. The
-// Request and NewChannel channels must be serviced, or the connection
-// will hang.
-//
-// The returned error may be of type *ServerAuthError for
-// authentication errors.
-func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewChannel, <-chan *Request, error) {
- fullConf := *config
- fullConf.SetDefaults()
- if fullConf.MaxAuthTries == 0 {
- fullConf.MaxAuthTries = 6
- }
- if len(fullConf.PublicKeyAuthAlgorithms) == 0 {
- fullConf.PublicKeyAuthAlgorithms = supportedPubKeyAuthAlgos
- } else {
- for _, algo := range fullConf.PublicKeyAuthAlgorithms {
- if !contains(supportedPubKeyAuthAlgos, algo) {
- c.Close()
- return nil, nil, nil, fmt.Errorf("ssh: unsupported public key authentication algorithm %s", algo)
- }
- }
- }
- // Check if the config contains any unsupported key exchanges
- for _, kex := range fullConf.KeyExchanges {
- if _, ok := serverForbiddenKexAlgos[kex]; ok {
- c.Close()
- return nil, nil, nil, fmt.Errorf("ssh: unsupported key exchange %s for server", kex)
- }
- }
-
- s := &connection{
- sshConn: sshConn{conn: c},
- }
- perms, err := s.serverHandshake(&fullConf)
- if err != nil {
- c.Close()
- return nil, nil, nil, err
- }
- return &ServerConn{s, perms}, s.mux.incomingChannels, s.mux.incomingRequests, nil
-}
-
-// signAndMarshal signs the data with the appropriate algorithm,
-// and serializes the result in SSH wire format. algo is the negotiate
-// algorithm and may be a certificate type.
-func signAndMarshal(k AlgorithmSigner, rand io.Reader, data []byte, algo string) ([]byte, error) {
- sig, err := k.SignWithAlgorithm(rand, data, underlyingAlgo(algo))
- if err != nil {
- return nil, err
- }
-
- return Marshal(sig), nil
-}
-
-// handshake performs key exchange and user authentication.
-func (s *connection) serverHandshake(config *ServerConfig) (*Permissions, error) {
- if len(config.hostKeys) == 0 {
- return nil, errors.New("ssh: server has no host keys")
- }
-
- if !config.NoClientAuth && config.PasswordCallback == nil && config.PublicKeyCallback == nil &&
- config.KeyboardInteractiveCallback == nil && (config.GSSAPIWithMICConfig == nil ||
- config.GSSAPIWithMICConfig.AllowLogin == nil || config.GSSAPIWithMICConfig.Server == nil) {
- return nil, errors.New("ssh: no authentication methods configured but NoClientAuth is also false")
- }
-
- if config.ServerVersion != "" {
- s.serverVersion = []byte(config.ServerVersion)
- } else {
- s.serverVersion = []byte(packageVersion)
- }
- var err error
- s.clientVersion, err = exchangeVersions(s.sshConn.conn, s.serverVersion)
- if err != nil {
- return nil, err
- }
-
- tr := newTransport(s.sshConn.conn, config.Rand, false /* not client */)
- s.transport = newServerTransport(tr, s.clientVersion, s.serverVersion, config)
-
- if err := s.transport.waitSession(); err != nil {
- return nil, err
- }
-
- // We just did the key change, so the session ID is established.
- s.sessionID = s.transport.getSessionID()
-
- var packet []byte
- if packet, err = s.transport.readPacket(); err != nil {
- return nil, err
- }
-
- var serviceRequest serviceRequestMsg
- if err = Unmarshal(packet, &serviceRequest); err != nil {
- return nil, err
- }
- if serviceRequest.Service != serviceUserAuth {
- return nil, errors.New("ssh: requested service '" + serviceRequest.Service + "' before authenticating")
- }
- serviceAccept := serviceAcceptMsg{
- Service: serviceUserAuth,
- }
- if err := s.transport.writePacket(Marshal(&serviceAccept)); err != nil {
- return nil, err
- }
-
- perms, err := s.serverAuthenticate(config)
- if err != nil {
- return nil, err
- }
- s.mux = newMux(s.transport)
- return perms, err
-}
-
-func checkSourceAddress(addr net.Addr, sourceAddrs string) error {
- if addr == nil {
- return errors.New("ssh: no address known for client, but source-address match required")
- }
-
- tcpAddr, ok := addr.(*net.TCPAddr)
- if !ok {
- return fmt.Errorf("ssh: remote address %v is not an TCP address when checking source-address match", addr)
- }
-
- for _, sourceAddr := range strings.Split(sourceAddrs, ",") {
- if allowedIP := net.ParseIP(sourceAddr); allowedIP != nil {
- if allowedIP.Equal(tcpAddr.IP) {
- return nil
- }
- } else {
- _, ipNet, err := net.ParseCIDR(sourceAddr)
- if err != nil {
- return fmt.Errorf("ssh: error parsing source-address restriction %q: %v", sourceAddr, err)
- }
-
- if ipNet.Contains(tcpAddr.IP) {
- return nil
- }
- }
- }
-
- return fmt.Errorf("ssh: remote address %v is not allowed because of source-address restriction", addr)
-}
-
-func gssExchangeToken(gssapiConfig *GSSAPIWithMICConfig, token []byte, s *connection,
- sessionID []byte, userAuthReq userAuthRequestMsg) (authErr error, perms *Permissions, err error) {
- gssAPIServer := gssapiConfig.Server
- defer gssAPIServer.DeleteSecContext()
- var srcName string
- for {
- var (
- outToken []byte
- needContinue bool
- )
- outToken, srcName, needContinue, err = gssAPIServer.AcceptSecContext(token)
- if err != nil {
- return err, nil, nil
- }
- if len(outToken) != 0 {
- if err := s.transport.writePacket(Marshal(&userAuthGSSAPIToken{
- Token: outToken,
- })); err != nil {
- return nil, nil, err
- }
- }
- if !needContinue {
- break
- }
- packet, err := s.transport.readPacket()
- if err != nil {
- return nil, nil, err
- }
- userAuthGSSAPITokenReq := &userAuthGSSAPIToken{}
- if err := Unmarshal(packet, userAuthGSSAPITokenReq); err != nil {
- return nil, nil, err
- }
- token = userAuthGSSAPITokenReq.Token
- }
- packet, err := s.transport.readPacket()
- if err != nil {
- return nil, nil, err
- }
- userAuthGSSAPIMICReq := &userAuthGSSAPIMIC{}
- if err := Unmarshal(packet, userAuthGSSAPIMICReq); err != nil {
- return nil, nil, err
- }
- mic := buildMIC(string(sessionID), userAuthReq.User, userAuthReq.Service, userAuthReq.Method)
- if err := gssAPIServer.VerifyMIC(mic, userAuthGSSAPIMICReq.MIC); err != nil {
- return err, nil, nil
- }
- perms, authErr = gssapiConfig.AllowLogin(s, srcName)
- return authErr, perms, nil
-}
-
-// isAlgoCompatible checks if the signature format is compatible with the
-// selected algorithm taking into account edge cases that occur with old
-// clients.
-func isAlgoCompatible(algo, sigFormat string) bool {
- // Compatibility for old clients.
- //
- // For certificate authentication with OpenSSH 7.2-7.7 signature format can
- // be rsa-sha2-256 or rsa-sha2-512 for the algorithm
- // ssh-rsa-cert-v01@openssh.com.
- //
- // With gpg-agent < 2.2.6 the algorithm can be rsa-sha2-256 or rsa-sha2-512
- // for signature format ssh-rsa.
- if isRSA(algo) && isRSA(sigFormat) {
- return true
- }
- // Standard case: the underlying algorithm must match the signature format.
- return underlyingAlgo(algo) == sigFormat
-}
-
-// ServerAuthError represents server authentication errors and is
-// sometimes returned by NewServerConn. It appends any authentication
-// errors that may occur, and is returned if all of the authentication
-// methods provided by the user failed to authenticate.
-type ServerAuthError struct {
- // Errors contains authentication errors returned by the authentication
- // callback methods. The first entry is typically ErrNoAuth.
- Errors []error
-}
-
-func (l ServerAuthError) Error() string {
- var errs []string
- for _, err := range l.Errors {
- errs = append(errs, err.Error())
- }
- return "[" + strings.Join(errs, ", ") + "]"
-}
-
-// ServerAuthCallbacks defines server-side authentication callbacks.
-type ServerAuthCallbacks struct {
- // PasswordCallback behaves like [ServerConfig.PasswordCallback].
- PasswordCallback func(conn ConnMetadata, password []byte) (*Permissions, error)
-
- // PublicKeyCallback behaves like [ServerConfig.PublicKeyCallback].
- PublicKeyCallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
-
- // KeyboardInteractiveCallback behaves like [ServerConfig.KeyboardInteractiveCallback].
- KeyboardInteractiveCallback func(conn ConnMetadata, client KeyboardInteractiveChallenge) (*Permissions, error)
-
- // GSSAPIWithMICConfig behaves like [ServerConfig.GSSAPIWithMICConfig].
- GSSAPIWithMICConfig *GSSAPIWithMICConfig
-}
-
-// PartialSuccessError can be returned by any of the [ServerConfig]
-// authentication callbacks to indicate to the client that authentication has
-// partially succeeded, but further steps are required.
-type PartialSuccessError struct {
- // Next defines the authentication callbacks to apply to further steps. The
- // available methods communicated to the client are based on the non-nil
- // ServerAuthCallbacks fields.
- Next ServerAuthCallbacks
-}
-
-func (p *PartialSuccessError) Error() string {
- return "ssh: authenticated with partial success"
-}
-
-// ErrNoAuth is the error value returned if no
-// authentication method has been passed yet. This happens as a normal
-// part of the authentication loop, since the client first tries
-// 'none' authentication to discover available methods.
-// It is returned in ServerAuthError.Errors from NewServerConn.
-var ErrNoAuth = errors.New("ssh: no auth passed yet")
-
-// BannerError is an error that can be returned by authentication handlers in
-// ServerConfig to send a banner message to the client.
-type BannerError struct {
- Err error
- Message string
-}
-
-func (b *BannerError) Unwrap() error {
- return b.Err
-}
-
-func (b *BannerError) Error() string {
- if b.Err == nil {
- return b.Message
- }
- return b.Err.Error()
-}
-
-func (s *connection) serverAuthenticate(config *ServerConfig) (*Permissions, error) {
- if config.PreAuthConnCallback != nil {
- config.PreAuthConnCallback(s)
- }
-
- sessionID := s.transport.getSessionID()
- var cache pubKeyCache
- var perms *Permissions
-
- authFailures := 0
- noneAuthCount := 0
- var authErrs []error
- var calledBannerCallback bool
- partialSuccessReturned := false
- // Set the initial authentication callbacks from the config. They can be
- // changed if a PartialSuccessError is returned.
- authConfig := ServerAuthCallbacks{
- PasswordCallback: config.PasswordCallback,
- PublicKeyCallback: config.PublicKeyCallback,
- KeyboardInteractiveCallback: config.KeyboardInteractiveCallback,
- GSSAPIWithMICConfig: config.GSSAPIWithMICConfig,
- }
-
-userAuthLoop:
- for {
- if authFailures >= config.MaxAuthTries && config.MaxAuthTries > 0 {
- discMsg := &disconnectMsg{
- Reason: 2,
- Message: "too many authentication failures",
- }
-
- if err := s.transport.writePacket(Marshal(discMsg)); err != nil {
- return nil, err
- }
- authErrs = append(authErrs, discMsg)
- return nil, &ServerAuthError{Errors: authErrs}
- }
-
- var userAuthReq userAuthRequestMsg
- if packet, err := s.transport.readPacket(); err != nil {
- if err == io.EOF {
- return nil, &ServerAuthError{Errors: authErrs}
- }
- return nil, err
- } else if err = Unmarshal(packet, &userAuthReq); err != nil {
- return nil, err
- }
-
- if userAuthReq.Service != serviceSSH {
- return nil, errors.New("ssh: client attempted to negotiate for unknown service: " + userAuthReq.Service)
- }
-
- if s.user != userAuthReq.User && partialSuccessReturned {
- return nil, fmt.Errorf("ssh: client changed the user after a partial success authentication, previous user %q, current user %q",
- s.user, userAuthReq.User)
- }
-
- s.user = userAuthReq.User
-
- if !calledBannerCallback && config.BannerCallback != nil {
- calledBannerCallback = true
- if msg := config.BannerCallback(s); msg != "" {
- if err := s.SendAuthBanner(msg); err != nil {
- return nil, err
- }
- }
- }
-
- perms = nil
- authErr := ErrNoAuth
-
- switch userAuthReq.Method {
- case "none":
- noneAuthCount++
- // We don't allow none authentication after a partial success
- // response.
- if config.NoClientAuth && !partialSuccessReturned {
- if config.NoClientAuthCallback != nil {
- perms, authErr = config.NoClientAuthCallback(s)
- } else {
- authErr = nil
- }
- }
- case "password":
- if authConfig.PasswordCallback == nil {
- authErr = errors.New("ssh: password auth not configured")
- break
- }
- payload := userAuthReq.Payload
- if len(payload) < 1 || payload[0] != 0 {
- return nil, parseError(msgUserAuthRequest)
- }
- payload = payload[1:]
- password, payload, ok := parseString(payload)
- if !ok || len(payload) > 0 {
- return nil, parseError(msgUserAuthRequest)
- }
-
- perms, authErr = authConfig.PasswordCallback(s, password)
- case "keyboard-interactive":
- if authConfig.KeyboardInteractiveCallback == nil {
- authErr = errors.New("ssh: keyboard-interactive auth not configured")
- break
- }
-
- prompter := &sshClientKeyboardInteractive{s}
- perms, authErr = authConfig.KeyboardInteractiveCallback(s, prompter.Challenge)
- case "publickey":
- if authConfig.PublicKeyCallback == nil {
- authErr = errors.New("ssh: publickey auth not configured")
- break
- }
- payload := userAuthReq.Payload
- if len(payload) < 1 {
- return nil, parseError(msgUserAuthRequest)
- }
- isQuery := payload[0] == 0
- payload = payload[1:]
- algoBytes, payload, ok := parseString(payload)
- if !ok {
- return nil, parseError(msgUserAuthRequest)
- }
- algo := string(algoBytes)
- if !contains(config.PublicKeyAuthAlgorithms, underlyingAlgo(algo)) {
- authErr = fmt.Errorf("ssh: algorithm %q not accepted", algo)
- break
- }
-
- pubKeyData, payload, ok := parseString(payload)
- if !ok {
- return nil, parseError(msgUserAuthRequest)
- }
-
- pubKey, err := ParsePublicKey(pubKeyData)
- if err != nil {
- return nil, err
- }
-
- candidate, ok := cache.get(s.user, pubKeyData)
- if !ok {
- candidate.user = s.user
- candidate.pubKeyData = pubKeyData
- candidate.perms, candidate.result = authConfig.PublicKeyCallback(s, pubKey)
- _, isPartialSuccessError := candidate.result.(*PartialSuccessError)
-
- if (candidate.result == nil || isPartialSuccessError) &&
- candidate.perms != nil &&
- candidate.perms.CriticalOptions != nil &&
- candidate.perms.CriticalOptions[sourceAddressCriticalOption] != "" {
- if err := checkSourceAddress(
- s.RemoteAddr(),
- candidate.perms.CriticalOptions[sourceAddressCriticalOption]); err != nil {
- candidate.result = err
- }
- }
- cache.add(candidate)
- }
-
- if isQuery {
- // The client can query if the given public key
- // would be okay.
-
- if len(payload) > 0 {
- return nil, parseError(msgUserAuthRequest)
- }
- _, isPartialSuccessError := candidate.result.(*PartialSuccessError)
- if candidate.result == nil || isPartialSuccessError {
- okMsg := userAuthPubKeyOkMsg{
- Algo: algo,
- PubKey: pubKeyData,
- }
- if err = s.transport.writePacket(Marshal(&okMsg)); err != nil {
- return nil, err
- }
- continue userAuthLoop
- }
- authErr = candidate.result
- } else {
- sig, payload, ok := parseSignature(payload)
- if !ok || len(payload) > 0 {
- return nil, parseError(msgUserAuthRequest)
- }
- // Ensure the declared public key algo is compatible with the
- // decoded one. This check will ensure we don't accept e.g.
- // ssh-rsa-cert-v01@openssh.com algorithm with ssh-rsa public
- // key type. The algorithm and public key type must be
- // consistent: both must be certificate algorithms, or neither.
- if !contains(algorithmsForKeyFormat(pubKey.Type()), algo) {
- authErr = fmt.Errorf("ssh: public key type %q not compatible with selected algorithm %q",
- pubKey.Type(), algo)
- break
- }
- // Ensure the public key algo and signature algo
- // are supported. Compare the private key
- // algorithm name that corresponds to algo with
- // sig.Format. This is usually the same, but
- // for certs, the names differ.
- if !contains(config.PublicKeyAuthAlgorithms, sig.Format) {
- authErr = fmt.Errorf("ssh: algorithm %q not accepted", sig.Format)
- break
- }
- if !isAlgoCompatible(algo, sig.Format) {
- authErr = fmt.Errorf("ssh: signature %q not compatible with selected algorithm %q", sig.Format, algo)
- break
- }
-
- signedData := buildDataSignedForAuth(sessionID, userAuthReq, algo, pubKeyData)
-
- if err := pubKey.Verify(signedData, sig); err != nil {
- return nil, err
- }
-
- authErr = candidate.result
- perms = candidate.perms
- }
- case "gssapi-with-mic":
- if authConfig.GSSAPIWithMICConfig == nil {
- authErr = errors.New("ssh: gssapi-with-mic auth not configured")
- break
- }
- gssapiConfig := authConfig.GSSAPIWithMICConfig
- userAuthRequestGSSAPI, err := parseGSSAPIPayload(userAuthReq.Payload)
- if err != nil {
- return nil, parseError(msgUserAuthRequest)
- }
- // OpenSSH supports Kerberos V5 mechanism only for GSS-API authentication.
- if userAuthRequestGSSAPI.N == 0 {
- authErr = fmt.Errorf("ssh: Mechanism negotiation is not supported")
- break
- }
- var i uint32
- present := false
- for i = 0; i < userAuthRequestGSSAPI.N; i++ {
- if userAuthRequestGSSAPI.OIDS[i].Equal(krb5Mesh) {
- present = true
- break
- }
- }
- if !present {
- authErr = fmt.Errorf("ssh: GSSAPI authentication must use the Kerberos V5 mechanism")
- break
- }
- // Initial server response, see RFC 4462 section 3.3.
- if err := s.transport.writePacket(Marshal(&userAuthGSSAPIResponse{
- SupportMech: krb5OID,
- })); err != nil {
- return nil, err
- }
- // Exchange token, see RFC 4462 section 3.4.
- packet, err := s.transport.readPacket()
- if err != nil {
- return nil, err
- }
- userAuthGSSAPITokenReq := &userAuthGSSAPIToken{}
- if err := Unmarshal(packet, userAuthGSSAPITokenReq); err != nil {
- return nil, err
- }
- authErr, perms, err = gssExchangeToken(gssapiConfig, userAuthGSSAPITokenReq.Token, s, sessionID,
- userAuthReq)
- if err != nil {
- return nil, err
- }
- default:
- authErr = fmt.Errorf("ssh: unknown method %q", userAuthReq.Method)
- }
-
- authErrs = append(authErrs, authErr)
-
- if config.AuthLogCallback != nil {
- config.AuthLogCallback(s, userAuthReq.Method, authErr)
- }
-
- var bannerErr *BannerError
- if errors.As(authErr, &bannerErr) {
- if bannerErr.Message != "" {
- if err := s.SendAuthBanner(bannerErr.Message); err != nil {
- return nil, err
- }
- }
- }
-
- if authErr == nil {
- break userAuthLoop
- }
-
- var failureMsg userAuthFailureMsg
-
- if partialSuccess, ok := authErr.(*PartialSuccessError); ok {
- // After a partial success error we don't allow changing the user
- // name and execute the NoClientAuthCallback.
- partialSuccessReturned = true
-
- // In case a partial success is returned, the server may send
- // a new set of authentication methods.
- authConfig = partialSuccess.Next
-
- // Reset pubkey cache, as the new PublicKeyCallback might
- // accept a different set of public keys.
- cache = pubKeyCache{}
-
- // Send back a partial success message to the user.
- failureMsg.PartialSuccess = true
- } else {
- // Allow initial attempt of 'none' without penalty.
- if authFailures > 0 || userAuthReq.Method != "none" || noneAuthCount != 1 {
- authFailures++
- }
- if config.MaxAuthTries > 0 && authFailures >= config.MaxAuthTries {
- // If we have hit the max attempts, don't bother sending the
- // final SSH_MSG_USERAUTH_FAILURE message, since there are
- // no more authentication methods which can be attempted,
- // and this message may cause the client to re-attempt
- // authentication while we send the disconnect message.
- // Continue, and trigger the disconnect at the start of
- // the loop.
- //
- // The SSH specification is somewhat confusing about this,
- // RFC 4252 Section 5.1 requires each authentication failure
- // be responded to with a respective SSH_MSG_USERAUTH_FAILURE
- // message, but Section 4 says the server should disconnect
- // after some number of attempts, but it isn't explicit which
- // message should take precedence (i.e. should there be a failure
- // message than a disconnect message, or if we are going to
- // disconnect, should we only send that message.)
- //
- // Either way, OpenSSH disconnects immediately after the last
- // failed authentication attempt, and given they are typically
- // considered the golden implementation it seems reasonable
- // to match that behavior.
- continue
- }
- }
-
- if authConfig.PasswordCallback != nil {
- failureMsg.Methods = append(failureMsg.Methods, "password")
- }
- if authConfig.PublicKeyCallback != nil {
- failureMsg.Methods = append(failureMsg.Methods, "publickey")
- }
- if authConfig.KeyboardInteractiveCallback != nil {
- failureMsg.Methods = append(failureMsg.Methods, "keyboard-interactive")
- }
- if authConfig.GSSAPIWithMICConfig != nil && authConfig.GSSAPIWithMICConfig.Server != nil &&
- authConfig.GSSAPIWithMICConfig.AllowLogin != nil {
- failureMsg.Methods = append(failureMsg.Methods, "gssapi-with-mic")
- }
-
- if len(failureMsg.Methods) == 0 {
- return nil, errors.New("ssh: no authentication methods available")
- }
-
- if err := s.transport.writePacket(Marshal(&failureMsg)); err != nil {
- return nil, err
- }
- }
-
- if err := s.transport.writePacket([]byte{msgUserAuthSuccess}); err != nil {
- return nil, err
- }
- return perms, nil
-}
-
-// sshClientKeyboardInteractive implements a ClientKeyboardInteractive by
-// asking the client on the other side of a ServerConn.
-type sshClientKeyboardInteractive struct {
- *connection
-}
-
-func (c *sshClientKeyboardInteractive) Challenge(name, instruction string, questions []string, echos []bool) (answers []string, err error) {
- if len(questions) != len(echos) {
- return nil, errors.New("ssh: echos and questions must have equal length")
- }
-
- var prompts []byte
- for i := range questions {
- prompts = appendString(prompts, questions[i])
- prompts = appendBool(prompts, echos[i])
- }
-
- if err := c.transport.writePacket(Marshal(&userAuthInfoRequestMsg{
- Name: name,
- Instruction: instruction,
- NumPrompts: uint32(len(questions)),
- Prompts: prompts,
- })); err != nil {
- return nil, err
- }
-
- packet, err := c.transport.readPacket()
- if err != nil {
- return nil, err
- }
- if packet[0] != msgUserAuthInfoResponse {
- return nil, unexpectedMessageError(msgUserAuthInfoResponse, packet[0])
- }
- packet = packet[1:]
-
- n, packet, ok := parseUint32(packet)
- if !ok || int(n) != len(questions) {
- return nil, parseError(msgUserAuthInfoResponse)
- }
-
- for i := uint32(0); i < n; i++ {
- ans, rest, ok := parseString(packet)
- if !ok {
- return nil, parseError(msgUserAuthInfoResponse)
- }
-
- answers = append(answers, string(ans))
- packet = rest
- }
- if len(packet) != 0 {
- return nil, errors.New("ssh: junk at end of message")
- }
-
- return answers, nil
-}
diff --git a/vendor/golang.org/x/crypto/ssh/session.go b/vendor/golang.org/x/crypto/ssh/session.go
deleted file mode 100644
index acef62259..000000000
--- a/vendor/golang.org/x/crypto/ssh/session.go
+++ /dev/null
@@ -1,647 +0,0 @@ -// Copyright 2011 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package ssh - -// Session implements an interactive session described in -// "RFC 4254, section 6". - -import ( - "bytes" - "encoding/binary" - "errors" - "fmt" - "io" - "sync" -) - -type Signal string - -// POSIX signals as listed in RFC 4254 Section 6.10. -const ( - SIGABRT Signal = "ABRT" - SIGALRM Signal = "ALRM" - SIGFPE Signal = "FPE" - SIGHUP Signal = "HUP" - SIGILL Signal = "ILL" - SIGINT Signal = "INT" - SIGKILL Signal = "KILL" - SIGPIPE Signal = "PIPE" - SIGQUIT Signal = "QUIT" - SIGSEGV Signal = "SEGV" - SIGTERM Signal = "TERM" - SIGUSR1 Signal = "USR1" - SIGUSR2 Signal = "USR2" -) - -var signals = map[Signal]int{ - SIGABRT: 6, - SIGALRM: 14, - SIGFPE: 8, - SIGHUP: 1, - SIGILL: 4, - SIGINT: 2, - SIGKILL: 9, - SIGPIPE: 13, - SIGQUIT: 3, - SIGSEGV: 11, - SIGTERM: 15, -} - -type TerminalModes map[uint8]uint32 - -// POSIX terminal mode flags as listed in RFC 4254 Section 8. -const ( - tty_OP_END = 0 - VINTR = 1 - VQUIT = 2 - VERASE = 3 - VKILL = 4 - VEOF = 5 - VEOL = 6 - VEOL2 = 7 - VSTART = 8 - VSTOP = 9 - VSUSP = 10 - VDSUSP = 11 - VREPRINT = 12 - VWERASE = 13 - VLNEXT = 14 - VFLUSH = 15 - VSWTCH = 16 - VSTATUS = 17 - VDISCARD = 18 - IGNPAR = 30 - PARMRK = 31 - INPCK = 32 - ISTRIP = 33 - INLCR = 34 - IGNCR = 35 - ICRNL = 36 - IUCLC = 37 - IXON = 38 - IXANY = 39 - IXOFF = 40 - IMAXBEL = 41 - IUTF8 = 42 // RFC 8160 - ISIG = 50 - ICANON = 51 - XCASE = 52 - ECHO = 53 - ECHOE = 54 - ECHOK = 55 - ECHONL = 56 - NOFLSH = 57 - TOSTOP = 58 - IEXTEN = 59 - ECHOCTL = 60 - ECHOKE = 61 - PENDIN = 62 - OPOST = 70 - OLCUC = 71 - ONLCR = 72 - OCRNL = 73 - ONOCR = 74 - ONLRET = 75 - CS7 = 90 - CS8 = 91 - PARENB = 92 - PARODD = 93 - TTY_OP_ISPEED = 128 - TTY_OP_OSPEED = 129 -) - -// A Session represents a connection to a remote command or shell. 
-type Session struct { - // Stdin specifies the remote process's standard input. - // If Stdin is nil, the remote process reads from an empty - // bytes.Buffer. - Stdin io.Reader - - // Stdout and Stderr specify the remote process's standard - // output and error. - // - // If either is nil, Run connects the corresponding file - // descriptor to an instance of io.Discard. There is a - // fixed amount of buffering that is shared for the two streams. - // If either blocks it may eventually cause the remote - // command to block. - Stdout io.Writer - Stderr io.Writer - - ch Channel // the channel backing this session - started bool // true once Start, Run or Shell is invoked. - copyFuncs []func() error - errors chan error // one send per copyFunc - - // true if pipe method is active - stdinpipe, stdoutpipe, stderrpipe bool - - // stdinPipeWriter is non-nil if StdinPipe has not been called - // and Stdin was specified by the user; it is the write end of - // a pipe connecting Session.Stdin to the stdin channel. - stdinPipeWriter io.WriteCloser - - exitStatus chan error -} - -// SendRequest sends an out-of-band channel request on the SSH channel -// underlying the session. -func (s *Session) SendRequest(name string, wantReply bool, payload []byte) (bool, error) { - return s.ch.SendRequest(name, wantReply, payload) -} - -func (s *Session) Close() error { - return s.ch.Close() -} - -// RFC 4254 Section 6.4. -type setenvRequest struct { - Name string - Value string -} - -// Setenv sets an environment variable that will be applied to any -// command executed by Shell or Run. -func (s *Session) Setenv(name, value string) error { - msg := setenvRequest{ - Name: name, - Value: value, - } - ok, err := s.ch.SendRequest("env", true, Marshal(&msg)) - if err == nil && !ok { - err = errors.New("ssh: setenv failed") - } - return err -} - -// RFC 4254 Section 6.2. 
-type ptyRequestMsg struct { - Term string - Columns uint32 - Rows uint32 - Width uint32 - Height uint32 - Modelist string -} - -// RequestPty requests the association of a pty with the session on the remote host. -func (s *Session) RequestPty(term string, h, w int, termmodes TerminalModes) error { - var tm []byte - for k, v := range termmodes { - kv := struct { - Key byte - Val uint32 - }{k, v} - - tm = append(tm, Marshal(&kv)...) - } - tm = append(tm, tty_OP_END) - req := ptyRequestMsg{ - Term: term, - Columns: uint32(w), - Rows: uint32(h), - Width: uint32(w * 8), - Height: uint32(h * 8), - Modelist: string(tm), - } - ok, err := s.ch.SendRequest("pty-req", true, Marshal(&req)) - if err == nil && !ok { - err = errors.New("ssh: pty-req failed") - } - return err -} - -// RFC 4254 Section 6.5. -type subsystemRequestMsg struct { - Subsystem string -} - -// RequestSubsystem requests the association of a subsystem with the session on the remote host. -// A subsystem is a predefined command that runs in the background when the ssh session is initiated -func (s *Session) RequestSubsystem(subsystem string) error { - msg := subsystemRequestMsg{ - Subsystem: subsystem, - } - ok, err := s.ch.SendRequest("subsystem", true, Marshal(&msg)) - if err == nil && !ok { - err = errors.New("ssh: subsystem request failed") - } - return err -} - -// RFC 4254 Section 6.7. -type ptyWindowChangeMsg struct { - Columns uint32 - Rows uint32 - Width uint32 - Height uint32 -} - -// WindowChange informs the remote host about a terminal window dimension change to h rows and w columns. -func (s *Session) WindowChange(h, w int) error { - req := ptyWindowChangeMsg{ - Columns: uint32(w), - Rows: uint32(h), - Width: uint32(w * 8), - Height: uint32(h * 8), - } - _, err := s.ch.SendRequest("window-change", false, Marshal(&req)) - return err -} - -// RFC 4254 Section 6.9. -type signalMsg struct { - Signal string -} - -// Signal sends the given signal to the remote process. 
-// sig is one of the SIG* constants. -func (s *Session) Signal(sig Signal) error { - msg := signalMsg{ - Signal: string(sig), - } - - _, err := s.ch.SendRequest("signal", false, Marshal(&msg)) - return err -} - -// RFC 4254 Section 6.5. -type execMsg struct { - Command string -} - -// Start runs cmd on the remote host. Typically, the remote -// server passes cmd to the shell for interpretation. -// A Session only accepts one call to Run, Start or Shell. -func (s *Session) Start(cmd string) error { - if s.started { - return errors.New("ssh: session already started") - } - req := execMsg{ - Command: cmd, - } - - ok, err := s.ch.SendRequest("exec", true, Marshal(&req)) - if err == nil && !ok { - err = fmt.Errorf("ssh: command %v failed", cmd) - } - if err != nil { - return err - } - return s.start() -} - -// Run runs cmd on the remote host. Typically, the remote -// server passes cmd to the shell for interpretation. -// A Session only accepts one call to Run, Start, Shell, Output, -// or CombinedOutput. -// -// The returned error is nil if the command runs, has no problems -// copying stdin, stdout, and stderr, and exits with a zero exit -// status. -// -// If the remote server does not send an exit status, an error of type -// *ExitMissingError is returned. If the command completes -// unsuccessfully or is interrupted by a signal, the error is of type -// *ExitError. Other error types may be returned for I/O problems. -func (s *Session) Run(cmd string) error { - err := s.Start(cmd) - if err != nil { - return err - } - return s.Wait() -} - -// Output runs cmd on the remote host and returns its standard output. 
-func (s *Session) Output(cmd string) ([]byte, error) { - if s.Stdout != nil { - return nil, errors.New("ssh: Stdout already set") - } - var b bytes.Buffer - s.Stdout = &b - err := s.Run(cmd) - return b.Bytes(), err -} - -type singleWriter struct { - b bytes.Buffer - mu sync.Mutex -} - -func (w *singleWriter) Write(p []byte) (int, error) { - w.mu.Lock() - defer w.mu.Unlock() - return w.b.Write(p) -} - -// CombinedOutput runs cmd on the remote host and returns its combined -// standard output and standard error. -func (s *Session) CombinedOutput(cmd string) ([]byte, error) { - if s.Stdout != nil { - return nil, errors.New("ssh: Stdout already set") - } - if s.Stderr != nil { - return nil, errors.New("ssh: Stderr already set") - } - var b singleWriter - s.Stdout = &b - s.Stderr = &b - err := s.Run(cmd) - return b.b.Bytes(), err -} - -// Shell starts a login shell on the remote host. A Session only -// accepts one call to Run, Start, Shell, Output, or CombinedOutput. -func (s *Session) Shell() error { - if s.started { - return errors.New("ssh: session already started") - } - - ok, err := s.ch.SendRequest("shell", true, nil) - if err == nil && !ok { - return errors.New("ssh: could not start shell") - } - if err != nil { - return err - } - return s.start() -} - -func (s *Session) start() error { - s.started = true - - type F func(*Session) - for _, setupFd := range []F{(*Session).stdin, (*Session).stdout, (*Session).stderr} { - setupFd(s) - } - - s.errors = make(chan error, len(s.copyFuncs)) - for _, fn := range s.copyFuncs { - go func(fn func() error) { - s.errors <- fn() - }(fn) - } - return nil -} - -// Wait waits for the remote command to exit. -// -// The returned error is nil if the command runs, has no problems -// copying stdin, stdout, and stderr, and exits with a zero exit -// status. -// -// If the remote server does not send an exit status, an error of type -// *ExitMissingError is returned. 
If the command completes -// unsuccessfully or is interrupted by a signal, the error is of type -// *ExitError. Other error types may be returned for I/O problems. -func (s *Session) Wait() error { - if !s.started { - return errors.New("ssh: session not started") - } - waitErr := <-s.exitStatus - - if s.stdinPipeWriter != nil { - s.stdinPipeWriter.Close() - } - var copyError error - for range s.copyFuncs { - if err := <-s.errors; err != nil && copyError == nil { - copyError = err - } - } - if waitErr != nil { - return waitErr - } - return copyError -} - -func (s *Session) wait(reqs <-chan *Request) error { - wm := Waitmsg{status: -1} - // Wait for msg channel to be closed before returning. - for msg := range reqs { - switch msg.Type { - case "exit-status": - wm.status = int(binary.BigEndian.Uint32(msg.Payload)) - case "exit-signal": - var sigval struct { - Signal string - CoreDumped bool - Error string - Lang string - } - if err := Unmarshal(msg.Payload, &sigval); err != nil { - return err - } - - // Must sanitize strings? - wm.signal = sigval.Signal - wm.msg = sigval.Error - wm.lang = sigval.Lang - default: - // This handles keepalives and matches - // OpenSSH's behaviour. - if msg.WantReply { - msg.Reply(false, nil) - } - } - } - if wm.status == 0 { - return nil - } - if wm.status == -1 { - // exit-status was never sent from server - if wm.signal == "" { - // signal was not sent either. RFC 4254 - // section 6.10 recommends against this - // behavior, but it is allowed, so we let - // clients handle it. - return &ExitMissingError{} - } - wm.status = 128 - if _, ok := signals[Signal(wm.signal)]; ok { - wm.status += signals[Signal(wm.signal)] - } - } - - return &ExitError{wm} -} - -// ExitMissingError is returned if a session is torn down cleanly, but -// the server sends no confirmation of the exit status. 
-type ExitMissingError struct{} - -func (e *ExitMissingError) Error() string { - return "wait: remote command exited without exit status or exit signal" -} - -func (s *Session) stdin() { - if s.stdinpipe { - return - } - var stdin io.Reader - if s.Stdin == nil { - stdin = new(bytes.Buffer) - } else { - r, w := io.Pipe() - go func() { - _, err := io.Copy(w, s.Stdin) - w.CloseWithError(err) - }() - stdin, s.stdinPipeWriter = r, w - } - s.copyFuncs = append(s.copyFuncs, func() error { - _, err := io.Copy(s.ch, stdin) - if err1 := s.ch.CloseWrite(); err == nil && err1 != io.EOF { - err = err1 - } - return err - }) -} - -func (s *Session) stdout() { - if s.stdoutpipe { - return - } - if s.Stdout == nil { - s.Stdout = io.Discard - } - s.copyFuncs = append(s.copyFuncs, func() error { - _, err := io.Copy(s.Stdout, s.ch) - return err - }) -} - -func (s *Session) stderr() { - if s.stderrpipe { - return - } - if s.Stderr == nil { - s.Stderr = io.Discard - } - s.copyFuncs = append(s.copyFuncs, func() error { - _, err := io.Copy(s.Stderr, s.ch.Stderr()) - return err - }) -} - -// sessionStdin reroutes Close to CloseWrite. -type sessionStdin struct { - io.Writer - ch Channel -} - -func (s *sessionStdin) Close() error { - return s.ch.CloseWrite() -} - -// StdinPipe returns a pipe that will be connected to the -// remote command's standard input when the command starts. -func (s *Session) StdinPipe() (io.WriteCloser, error) { - if s.Stdin != nil { - return nil, errors.New("ssh: Stdin already set") - } - if s.started { - return nil, errors.New("ssh: StdinPipe after process started") - } - s.stdinpipe = true - return &sessionStdin{s.ch, s.ch}, nil -} - -// StdoutPipe returns a pipe that will be connected to the -// remote command's standard output when the command starts. -// There is a fixed amount of buffering that is shared between -// stdout and stderr streams. If the StdoutPipe reader is -// not serviced fast enough it may eventually cause the -// remote command to block. 
-func (s *Session) StdoutPipe() (io.Reader, error) { - if s.Stdout != nil { - return nil, errors.New("ssh: Stdout already set") - } - if s.started { - return nil, errors.New("ssh: StdoutPipe after process started") - } - s.stdoutpipe = true - return s.ch, nil -} - -// StderrPipe returns a pipe that will be connected to the -// remote command's standard error when the command starts. -// There is a fixed amount of buffering that is shared between -// stdout and stderr streams. If the StderrPipe reader is -// not serviced fast enough it may eventually cause the -// remote command to block. -func (s *Session) StderrPipe() (io.Reader, error) { - if s.Stderr != nil { - return nil, errors.New("ssh: Stderr already set") - } - if s.started { - return nil, errors.New("ssh: StderrPipe after process started") - } - s.stderrpipe = true - return s.ch.Stderr(), nil -} - -// newSession returns a new interactive session on the remote host. -func newSession(ch Channel, reqs <-chan *Request) (*Session, error) { - s := &Session{ - ch: ch, - } - s.exitStatus = make(chan error, 1) - go func() { - s.exitStatus <- s.wait(reqs) - }() - - return s, nil -} - -// An ExitError reports unsuccessful completion of a remote command. -type ExitError struct { - Waitmsg -} - -func (e *ExitError) Error() string { - return e.Waitmsg.String() -} - -// Waitmsg stores the information about an exited remote command -// as reported by Wait. -type Waitmsg struct { - status int - signal string - msg string - lang string -} - -// ExitStatus returns the exit status of the remote command. -func (w Waitmsg) ExitStatus() int { - return w.status -} - -// Signal returns the exit signal of the remote command if -// it was terminated violently. -func (w Waitmsg) Signal() string { - return w.signal -} - -// Msg returns the exit message given by the remote command -func (w Waitmsg) Msg() string { - return w.msg -} - -// Lang returns the language tag. 
See RFC 3066 -func (w Waitmsg) Lang() string { - return w.lang -} - -func (w Waitmsg) String() string { - str := fmt.Sprintf("Process exited with status %v", w.status) - if w.signal != "" { - str += fmt.Sprintf(" from signal %v", w.signal) - } - if w.msg != "" { - str += fmt.Sprintf(". Reason was: %v", w.msg) - } - return str -} diff --git a/vendor/golang.org/x/crypto/ssh/ssh_gss.go b/vendor/golang.org/x/crypto/ssh/ssh_gss.go deleted file mode 100644 index 24bd7c8e8..000000000 --- a/vendor/golang.org/x/crypto/ssh/ssh_gss.go +++ /dev/null 
@@ -1,139 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
- "encoding/asn1"
- "errors"
-)
-
-var krb5OID []byte
-
-func init() {
- krb5OID, _ = asn1.Marshal(krb5Mesh)
-}
-
-// GSSAPIClient provides the API to plug-in GSSAPI authentication for client logins.
-type GSSAPIClient interface {
- // InitSecContext initiates the establishment of a security context for GSS-API between the
- // ssh client and ssh server. Initially the token parameter should be specified as nil.
- // The routine may return a outputToken which should be transferred to
- // the ssh server, where the ssh server will present it to
- // AcceptSecContext. If no token need be sent, InitSecContext will indicate this by setting
- // needContinue to false. To complete the context
- // establishment, one or more reply tokens may be required from the ssh
- // server;if so, InitSecContext will return a needContinue which is true.
- // In this case, InitSecContext should be called again when the
- // reply token is received from the ssh server, passing the reply
- // token to InitSecContext via the token parameters.
- // See RFC 2743 section 2.2.1 and RFC 4462 section 3.4.
- InitSecContext(target string, token []byte, isGSSDelegCreds bool) (outputToken []byte, needContinue bool, err error)
- // GetMIC generates a cryptographic MIC for the SSH2 message, and places
- // the MIC in a token for transfer to the ssh server.
- // The contents of the MIC field are obtained by calling GSS_GetMIC()
- // over the following, using the GSS-API context that was just
- // established:
- // string session identifier
- // byte SSH_MSG_USERAUTH_REQUEST
- // string user name
- // string service
- // string "gssapi-with-mic"
- // See RFC 2743 section 2.3.1 and RFC 4462 3.5.
- GetMIC(micFiled []byte) ([]byte, error)
- // Whenever possible, it should be possible for
- // DeleteSecContext() calls to be successfully processed even
- // if other calls cannot succeed, thereby enabling context-related
- // resources to be released.
- // In addition to deleting established security contexts,
- // gss_delete_sec_context must also be able to delete "half-built"
- // security contexts resulting from an incomplete sequence of
- // InitSecContext()/AcceptSecContext() calls.
- // See RFC 2743 section 2.2.3.
- DeleteSecContext() error
-}
-
-// GSSAPIServer provides the API to plug in GSSAPI authentication for server logins.
-type GSSAPIServer interface {
- // AcceptSecContext allows a remotely initiated security context between the application
- // and a remote peer to be established by the ssh client. The routine may return a
- // outputToken which should be transferred to the ssh client,
- // where the ssh client will present it to InitSecContext.
- // If no token need be sent, AcceptSecContext will indicate this
- // by setting the needContinue to false. To
- // complete the context establishment, one or more reply tokens may be
- // required from the ssh client. if so, AcceptSecContext
- // will return a needContinue which is true, in which case it
- // should be called again when the reply token is received from the ssh
- // client, passing the token to AcceptSecContext via the
- // token parameters.
- // The srcName return value is the authenticated username.
- // See RFC 2743 section 2.2.2 and RFC 4462 section 3.4.
- AcceptSecContext(token []byte) (outputToken []byte, srcName string, needContinue bool, err error)
- // VerifyMIC verifies that a cryptographic MIC, contained in the token parameter,
- // fits the supplied message is received from the ssh client.
- // See RFC 2743 section 2.3.2.
- VerifyMIC(micField []byte, micToken []byte) error
- // Whenever possible, it should be possible for
- // DeleteSecContext() calls to be successfully processed even
- // if other calls cannot succeed, thereby enabling context-related
- // resources to be released.
- // In addition to deleting established security contexts,
- // gss_delete_sec_context must also be able to delete "half-built"
- // security contexts resulting from an incomplete sequence of
- // InitSecContext()/AcceptSecContext() calls.
- // See RFC 2743 section 2.2.3.
- DeleteSecContext() error
-}
-
-var (
- // OpenSSH supports Kerberos V5 mechanism only for GSS-API authentication,
- // so we also support the krb5 mechanism only.
- // See RFC 1964 section 1.
- krb5Mesh = asn1.ObjectIdentifier{1, 2, 840, 113554, 1, 2, 2}
-)
-
-// The GSS-API authentication method is initiated when the client sends an SSH_MSG_USERAUTH_REQUEST
-// See RFC 4462 section 3.2.
-type userAuthRequestGSSAPI struct {
- N uint32
- OIDS []asn1.ObjectIdentifier
-}
-
-func parseGSSAPIPayload(payload []byte) (*userAuthRequestGSSAPI, error) {
- n, rest, ok := parseUint32(payload)
- if !ok {
- return nil, errors.New("parse uint32 failed")
- }
- s := &userAuthRequestGSSAPI{
- N: n,
- OIDS: make([]asn1.ObjectIdentifier, n),
- }
- for i := 0; i < int(n); i++ {
- var (
- desiredMech []byte
- err error
- )
- desiredMech, rest, ok = parseString(rest)
- if !ok {
- return nil, errors.New("parse string failed")
- }
- if rest, err = asn1.Unmarshal(desiredMech, &s.OIDS[i]); err != nil {
- return nil, err
- }
-
- }
- return s, nil
-}
-
-// See RFC 4462 section 3.6.
-func buildMIC(sessionID string, username string, service string, authMethod string) []byte {
- out := make([]byte, 0, 0)
- out = appendString(out, sessionID)
- out = append(out, msgUserAuthRequest)
- out = appendString(out, username)
- out = appendString(out, service)
- out = appendString(out, authMethod)
- return out
-}
diff --git a/vendor/golang.org/x/crypto/ssh/streamlocal.go b/vendor/golang.org/x/crypto/ssh/streamlocal.go
deleted file mode 100644
index b171b330b..000000000
--- a/vendor/golang.org/x/crypto/ssh/streamlocal.go
+++ /dev/null
@@ -1,116 +0,0 @@
-package ssh
-
-import (
- "errors"
- "io"
- "net"
-)
-
-// streamLocalChannelOpenDirectMsg is a struct used for SSH_MSG_CHANNEL_OPEN message
-// with "direct-streamlocal@openssh.com" string.
-//
-// See openssh-portable/PROTOCOL, section 2.4. connection: Unix domain socket forwarding
-// https://github.com/openssh/openssh-portable/blob/master/PROTOCOL#L235
-type streamLocalChannelOpenDirectMsg struct {
- socketPath string
- reserved0 string
- reserved1 uint32
-}
-
-// forwardedStreamLocalPayload is a struct used for SSH_MSG_CHANNEL_OPEN message
-// with "forwarded-streamlocal@openssh.com" string.
-type forwardedStreamLocalPayload struct {
- SocketPath string
- Reserved0 string
-}
-
-// streamLocalChannelForwardMsg is a struct used for SSH2_MSG_GLOBAL_REQUEST message
-// with "streamlocal-forward@openssh.com"/"cancel-streamlocal-forward@openssh.com" string.
-type streamLocalChannelForwardMsg struct {
- socketPath string
-}
-
-// ListenUnix is similar to ListenTCP but uses a Unix domain socket.
-func (c *Client) ListenUnix(socketPath string) (net.Listener, error) {
- c.handleForwardsOnce.Do(c.handleForwards)
- m := streamLocalChannelForwardMsg{
- socketPath,
- }
- // send message
- ok, _, err := c.SendRequest("streamlocal-forward@openssh.com", true, Marshal(&m))
- if err != nil {
- return nil, err
- }
- if !ok {
- return nil, errors.New("ssh: streamlocal-forward@openssh.com request denied by peer")
- }
- ch := c.forwards.add(&net.UnixAddr{Name: socketPath, Net: "unix"})
-
- return &unixListener{socketPath, c, ch}, nil
-}
-
-func (c *Client) dialStreamLocal(socketPath string) (Channel, error) {
- msg := streamLocalChannelOpenDirectMsg{
- socketPath: socketPath,
- }
- ch, in, err := c.OpenChannel("direct-streamlocal@openssh.com", Marshal(&msg))
- if err != nil {
- return nil, err
- }
- go DiscardRequests(in)
- return ch, err
-}
-
-type unixListener struct {
- socketPath string
-
- conn *Client
- in <-chan forward
-}
-
-// Accept waits for and returns the next connection to the listener.
-func (l *unixListener) Accept() (net.Conn, error) {
- s, ok := <-l.in
- if !ok {
- return nil, io.EOF
- }
- ch, incoming, err := s.newCh.Accept()
- if err != nil {
- return nil, err
- }
- go DiscardRequests(incoming)
-
- return &chanConn{
- Channel: ch,
- laddr: &net.UnixAddr{
- Name: l.socketPath,
- Net: "unix",
- },
- raddr: &net.UnixAddr{
- Name: "@",
- Net: "unix",
- },
- }, nil
-}
-
-// Close closes the listener.
-func (l *unixListener) Close() error {
- // this also closes the listener.
- l.conn.forwards.remove(&net.UnixAddr{Name: l.socketPath, Net: "unix"})
- m := streamLocalChannelForwardMsg{
- l.socketPath,
- }
- ok, _, err := l.conn.SendRequest("cancel-streamlocal-forward@openssh.com", true, Marshal(&m))
- if err == nil && !ok {
- err = errors.New("ssh: cancel-streamlocal-forward@openssh.com failed")
- }
- return err
-}
-
-// Addr returns the listener's network address.
-func (l *unixListener) Addr() net.Addr {
- return &net.UnixAddr{
- Name: l.socketPath,
- Net: "unix",
- }
-}
diff --git a/vendor/golang.org/x/crypto/ssh/tcpip.go b/vendor/golang.org/x/crypto/ssh/tcpip.go
deleted file mode 100644
index ef5059a11..000000000
--- a/vendor/golang.org/x/crypto/ssh/tcpip.go
+++ /dev/null
@@ -1,509 +0,0 @@ -// Copyright 2011 The Go Authors. All rights reserved. -// Use of this source code is governed by a BSD-style -// license that can be found in the LICENSE file. - -package ssh - -import ( - "context" - "errors" - "fmt" - "io" - "math/rand" - "net" - "strconv" - "strings" - "sync" - "time" -) - -// Listen requests the remote peer open a listening socket on -// addr. Incoming connections will be available by calling Accept on -// the returned net.Listener. The listener must be serviced, or the -// SSH connection may hang. -// N must be "tcp", "tcp4", "tcp6", or "unix". -func (c *Client) Listen(n, addr string) (net.Listener, error) { - switch n { - case "tcp", "tcp4", "tcp6": - laddr, err := net.ResolveTCPAddr(n, addr) - if err != nil { - return nil, err - } - return c.ListenTCP(laddr) - case "unix": - return c.ListenUnix(addr) - default: - return nil, fmt.Errorf("ssh: unsupported protocol: %s", n) - } -} - -// Automatic port allocation is broken with OpenSSH before 6.0. See -// also https://bugzilla.mindrot.org/show_bug.cgi?id=2017. In -// particular, OpenSSH 5.9 sends a channelOpenMsg with port number 0, -// rather than the actual port number. This means you can never open -// two different listeners with auto allocated ports. We work around -// this by trying explicit ports until we succeed. - -const openSSHPrefix = "OpenSSH_" - -var portRandomizer = rand.New(rand.NewSource(time.Now().UnixNano())) - -// isBrokenOpenSSHVersion returns true if the given version string -// specifies a version of OpenSSH that is known to have a bug in port -// forwarding. 
-func isBrokenOpenSSHVersion(versionStr string) bool { - i := strings.Index(versionStr, openSSHPrefix) - if i < 0 { - return false - } - i += len(openSSHPrefix) - j := i - for ; j < len(versionStr); j++ { - if versionStr[j] < '0' || versionStr[j] > '9' { - break - } - } - version, _ := strconv.Atoi(versionStr[i:j]) - return version < 6 -} - -// autoPortListenWorkaround simulates automatic port allocation by -// trying random ports repeatedly. -func (c *Client) autoPortListenWorkaround(laddr *net.TCPAddr) (net.Listener, error) { - var sshListener net.Listener - var err error - const tries = 10 - for i := 0; i < tries; i++ { - addr := *laddr - addr.Port = 1024 + portRandomizer.Intn(60000) - sshListener, err = c.ListenTCP(&addr) - if err == nil { - laddr.Port = addr.Port - return sshListener, err - } - } - return nil, fmt.Errorf("ssh: listen on random port failed after %d tries: %v", tries, err) -} - -// RFC 4254 7.1 -type channelForwardMsg struct { - addr string - rport uint32 -} - -// handleForwards starts goroutines handling forwarded connections. -// It's called on first use by (*Client).ListenTCP to not launch -// goroutines until needed. -func (c *Client) handleForwards() { - go c.forwards.handleChannels(c.HandleChannelOpen("forwarded-tcpip")) - go c.forwards.handleChannels(c.HandleChannelOpen("forwarded-streamlocal@openssh.com")) -} - -// ListenTCP requests the remote peer open a listening socket -// on laddr. Incoming connections will be available by calling -// Accept on the returned net.Listener. 
-func (c *Client) ListenTCP(laddr *net.TCPAddr) (net.Listener, error) { - c.handleForwardsOnce.Do(c.handleForwards) - if laddr.Port == 0 && isBrokenOpenSSHVersion(string(c.ServerVersion())) { - return c.autoPortListenWorkaround(laddr) - } - - m := channelForwardMsg{ - laddr.IP.String(), - uint32(laddr.Port), - } - // send message - ok, resp, err := c.SendRequest("tcpip-forward", true, Marshal(&m)) - if err != nil { - return nil, err - } - if !ok { - return nil, errors.New("ssh: tcpip-forward request denied by peer") - } - - // If the original port was 0, then the remote side will - // supply a real port number in the response. - if laddr.Port == 0 { - var p struct { - Port uint32 - } - if err := Unmarshal(resp, &p); err != nil { - return nil, err - } - laddr.Port = int(p.Port) - } - - // Register this forward, using the port number we obtained. - ch := c.forwards.add(laddr) - - return &tcpListener{laddr, c, ch}, nil -} - -// forwardList stores a mapping between remote -// forward requests and the tcpListeners. -type forwardList struct { - sync.Mutex - entries []forwardEntry -} - -// forwardEntry represents an established mapping of a laddr on a -// remote ssh server to a channel connected to a tcpListener. -type forwardEntry struct { - laddr net.Addr - c chan forward -} - -// forward represents an incoming forwarded tcpip connection. The -// arguments to add/remove/lookup should be address as specified in -// the original forward-request. 
-type forward struct { - newCh NewChannel // the ssh client channel underlying this forward - raddr net.Addr // the raddr of the incoming connection -} - -func (l *forwardList) add(addr net.Addr) chan forward { - l.Lock() - defer l.Unlock() - f := forwardEntry{ - laddr: addr, - c: make(chan forward, 1), - } - l.entries = append(l.entries, f) - return f.c -} - -// See RFC 4254, section 7.2 -type forwardedTCPPayload struct { - Addr string - Port uint32 - OriginAddr string - OriginPort uint32 -} - -// parseTCPAddr parses the originating address from the remote into a *net.TCPAddr. -func parseTCPAddr(addr string, port uint32) (*net.TCPAddr, error) { - if port == 0 || port > 65535 { - return nil, fmt.Errorf("ssh: port number out of range: %d", port) - } - ip := net.ParseIP(string(addr)) - if ip == nil { - return nil, fmt.Errorf("ssh: cannot parse IP address %q", addr) - } - return &net.TCPAddr{IP: ip, Port: int(port)}, nil -} - -func (l *forwardList) handleChannels(in <-chan NewChannel) { - for ch := range in { - var ( - laddr net.Addr - raddr net.Addr - err error - ) - switch channelType := ch.ChannelType(); channelType { - case "forwarded-tcpip": - var payload forwardedTCPPayload - if err = Unmarshal(ch.ExtraData(), &payload); err != nil { - ch.Reject(ConnectionFailed, "could not parse forwarded-tcpip payload: "+err.Error()) - continue - } - - // RFC 4254 section 7.2 specifies that incoming - // addresses should list the address, in string - // format. It is implied that this should be an IP - // address, as it would be impossible to connect to it - // otherwise. 
- laddr, err = parseTCPAddr(payload.Addr, payload.Port) - if err != nil { - ch.Reject(ConnectionFailed, err.Error()) - continue - } - raddr, err = parseTCPAddr(payload.OriginAddr, payload.OriginPort) - if err != nil { - ch.Reject(ConnectionFailed, err.Error()) - continue - } - - case "forwarded-streamlocal@openssh.com": - var payload forwardedStreamLocalPayload - if err = Unmarshal(ch.ExtraData(), &payload); err != nil { - ch.Reject(ConnectionFailed, "could not parse forwarded-streamlocal@openssh.com payload: "+err.Error()) - continue - } - laddr = &net.UnixAddr{ - Name: payload.SocketPath, - Net: "unix", - } - raddr = &net.UnixAddr{ - Name: "@", - Net: "unix", - } - default: - panic(fmt.Errorf("ssh: unknown channel type %s", channelType)) - } - if ok := l.forward(laddr, raddr, ch); !ok { - // Section 7.2, implementations MUST reject spurious incoming - // connections. - ch.Reject(Prohibited, "no forward for address") - continue - } - - } -} - -// remove removes the forward entry, and the channel feeding its -// listener. -func (l *forwardList) remove(addr net.Addr) { - l.Lock() - defer l.Unlock() - for i, f := range l.entries { - if addr.Network() == f.laddr.Network() && addr.String() == f.laddr.String() { - l.entries = append(l.entries[:i], l.entries[i+1:]...) - close(f.c) - return - } - } -} - -// closeAll closes and clears all forwards. -func (l *forwardList) closeAll() { - l.Lock() - defer l.Unlock() - for _, f := range l.entries { - close(f.c) - } - l.entries = nil -} - -func (l *forwardList) forward(laddr, raddr net.Addr, ch NewChannel) bool { - l.Lock() - defer l.Unlock() - for _, f := range l.entries { - if laddr.Network() == f.laddr.Network() && laddr.String() == f.laddr.String() { - f.c <- forward{newCh: ch, raddr: raddr} - return true - } - } - return false -} - -type tcpListener struct { - laddr *net.TCPAddr - - conn *Client - in <-chan forward -} - -// Accept waits for and returns the next connection to the listener. 
-func (l *tcpListener) Accept() (net.Conn, error) {
- s, ok := <-l.in
- if !ok {
- return nil, io.EOF
- }
- ch, incoming, err := s.newCh.Accept()
- if err != nil {
- return nil, err
- }
- go DiscardRequests(incoming)
-
- return &chanConn{
- Channel: ch,
- laddr: l.laddr,
- raddr: s.raddr,
- }, nil
-}
-
-// Close closes the listener.
-func (l *tcpListener) Close() error {
- m := channelForwardMsg{
- l.laddr.IP.String(),
- uint32(l.laddr.Port),
- }
-
- // this also closes the listener.
- l.conn.forwards.remove(l.laddr)
- ok, _, err := l.conn.SendRequest("cancel-tcpip-forward", true, Marshal(&m))
- if err == nil && !ok {
- err = errors.New("ssh: cancel-tcpip-forward failed")
- }
- return err
-}
-
-// Addr returns the listener's network address.
-func (l *tcpListener) Addr() net.Addr {
- return l.laddr
-}
-
-// DialContext initiates a connection to the addr from the remote host.
-//
-// The provided Context must be non-nil. If the context expires before the
-// connection is complete, an error is returned. Once successfully connected,
-// any expiration of the context will not affect the connection.
-//
-// See func Dial for additional information.
-func (c *Client) DialContext(ctx context.Context, n, addr string) (net.Conn, error) {
- if err := ctx.Err(); err != nil {
- return nil, err
- }
- type connErr struct {
- conn net.Conn
- err error
- }
- ch := make(chan connErr)
- go func() {
- conn, err := c.Dial(n, addr)
- select {
- case ch <- connErr{conn, err}:
- case <-ctx.Done():
- if conn != nil {
- conn.Close()
- }
- }
- }()
- select {
- case res := <-ch:
- return res.conn, res.err
- case <-ctx.Done():
- return nil, ctx.Err()
- }
-}
-
-// Dial initiates a connection to the addr from the remote host.
-// The resulting connection has a zero LocalAddr() and RemoteAddr().
-func (c *Client) Dial(n, addr string) (net.Conn, error) {
- var ch Channel
- switch n {
- case "tcp", "tcp4", "tcp6":
- // Parse the address into host and numeric port.
- host, portString, err := net.SplitHostPort(addr)
- if err != nil {
- return nil, err
- }
- port, err := strconv.ParseUint(portString, 10, 16)
- if err != nil {
- return nil, err
- }
- ch, err = c.dial(net.IPv4zero.String(), 0, host, int(port))
- if err != nil {
- return nil, err
- }
- // Use a zero address for local and remote address.
- zeroAddr := &net.TCPAddr{
- IP: net.IPv4zero,
- Port: 0,
- }
- return &chanConn{
- Channel: ch,
- laddr: zeroAddr,
- raddr: zeroAddr,
- }, nil
- case "unix":
- var err error
- ch, err = c.dialStreamLocal(addr)
- if err != nil {
- return nil, err
- }
- return &chanConn{
- Channel: ch,
- laddr: &net.UnixAddr{
- Name: "@",
- Net: "unix",
- },
- raddr: &net.UnixAddr{
- Name: addr,
- Net: "unix",
- },
- }, nil
- default:
- return nil, fmt.Errorf("ssh: unsupported protocol: %s", n)
- }
-}
-
-// DialTCP connects to the remote address raddr on the network net,
-// which must be "tcp", "tcp4", or "tcp6". If laddr is not nil, it is used
-// as the local address for the connection.
-func (c *Client) DialTCP(n string, laddr, raddr *net.TCPAddr) (net.Conn, error) {
- if laddr == nil {
- laddr = &net.TCPAddr{
- IP: net.IPv4zero,
- Port: 0,
- }
- }
- ch, err := c.dial(laddr.IP.String(), laddr.Port, raddr.IP.String(), raddr.Port)
- if err != nil {
- return nil, err
- }
- return &chanConn{
- Channel: ch,
- laddr: laddr,
- raddr: raddr,
- }, nil
-}
-
-// RFC 4254 7.2
-type channelOpenDirectMsg struct {
- raddr string
- rport uint32
- laddr string
- lport uint32
-}
-
-func (c *Client) dial(laddr string, lport int, raddr string, rport int) (Channel, error) {
- msg := channelOpenDirectMsg{
- raddr: raddr,
- rport: uint32(rport),
- laddr: laddr,
- lport: uint32(lport),
- }
- ch, in, err := c.OpenChannel("direct-tcpip", Marshal(&msg))
- if err != nil {
- return nil, err
- }
- go DiscardRequests(in)
- return ch, err
-}
-
-type tcpChan struct {
- Channel // the backing channel
-}
-
-// chanConn fulfills the net.Conn interface without
-// the tcpChan having to hold laddr or raddr directly.
-type chanConn struct {
- Channel
- laddr, raddr net.Addr
-}
-
-// LocalAddr returns the local network address.
-func (t *chanConn) LocalAddr() net.Addr {
- return t.laddr
-}
-
-// RemoteAddr returns the remote network address.
-func (t *chanConn) RemoteAddr() net.Addr {
- return t.raddr
-}
-
-// SetDeadline sets the read and write deadlines associated
-// with the connection.
-func (t *chanConn) SetDeadline(deadline time.Time) error {
- if err := t.SetReadDeadline(deadline); err != nil {
- return err
- }
- return t.SetWriteDeadline(deadline)
-}
-
-// SetReadDeadline sets the read deadline.
-// A zero value for t means Read will not time out.
-// After the deadline, the error from Read will implement net.Error
-// with Timeout() == true.
-func (t *chanConn) SetReadDeadline(deadline time.Time) error {
- // for compatibility with previous version,
- // the error message contains "tcpChan"
- return errors.New("ssh: tcpChan: deadline not supported")
-}
-
-// SetWriteDeadline exists to satisfy the net.Conn interface
-// but is not implemented by this type. It always returns an error.
-func (t *chanConn) SetWriteDeadline(deadline time.Time) error {
- return errors.New("ssh: tcpChan: deadline not supported")
-}
diff --git a/vendor/golang.org/x/crypto/ssh/transport.go b/vendor/golang.org/x/crypto/ssh/transport.go
deleted file mode 100644
index 0424d2d37..000000000
--- a/vendor/golang.org/x/crypto/ssh/transport.go
+++ /dev/null
@@ -1,380 +0,0 @@
-// Copyright 2011 The Go Authors. All rights reserved.
-// Use of this source code is governed by a BSD-style
-// license that can be found in the LICENSE file.
-
-package ssh
-
-import (
- "bufio"
- "bytes"
- "errors"
- "io"
- "log"
-)
-
-// debugTransport if set, will print packet types as they go over the
-// wire. No message decoding is done, to minimize the impact on timing.
-const debugTransport = false
-
-const (
- gcm128CipherID = "aes128-gcm@openssh.com"
- gcm256CipherID = "aes256-gcm@openssh.com"
- aes128cbcID = "aes128-cbc"
- tripledescbcID = "3des-cbc"
-)
-
-// packetConn represents a transport that implements packet based
-// operations.
-type packetConn interface {
- // Encrypt and send a packet of data to the remote peer.
- writePacket(packet []byte) error
-
- // Read a packet from the connection. The read is blocking,
- // i.e. if error is nil, then the returned byte slice is
- // always non-empty.
- readPacket() ([]byte, error)
-
- // Close closes the write-side of the connection.
- Close() error
-}
-
-// transport is the keyingTransport that implements the SSH packet
-// protocol.
-type transport struct {
- reader connectionState
- writer connectionState
-
- bufReader *bufio.Reader
- bufWriter *bufio.Writer
- rand io.Reader
- isClient bool
- io.Closer
-
- strictMode bool
- initialKEXDone bool
-}
-
-// packetCipher represents a combination of SSH encryption/MAC
-// protocol. A single instance should be used for one direction only.
-type packetCipher interface {
- // writeCipherPacket encrypts the packet and writes it to w. The
- // contents of the packet are generally scrambled.
- writeCipherPacket(seqnum uint32, w io.Writer, rand io.Reader, packet []byte) error
-
- // readCipherPacket reads and decrypts a packet of data. The
- // returned packet may be overwritten by future calls of
- // readPacket.
- readCipherPacket(seqnum uint32, r io.Reader) ([]byte, error)
-}
-
-// connectionState represents one side (read or write) of the
-// connection. This is necessary because each direction has its own
-// keys, and can even have its own algorithms
-type connectionState struct {
- packetCipher
- seqNum uint32
- dir direction
- pendingKeyChange chan packetCipher
-}
-
-func (t *transport) setStrictMode() error {
- if t.reader.seqNum != 1 {
- return errors.New("ssh: sequence number != 1 when strict KEX mode requested")
- }
- t.strictMode = true
- return nil
-}
-
-func (t *transport) setInitialKEXDone() {
- t.initialKEXDone = true
-}
-
-// prepareKeyChange sets up key material for a keychange. The key changes in
-// both directions are triggered by reading and writing a msgNewKey packet
-// respectively.
-func (t *transport) prepareKeyChange(algs *algorithms, kexResult *kexResult) error {
- ciph, err := newPacketCipher(t.reader.dir, algs.r, kexResult)
- if err != nil {
- return err
- }
- t.reader.pendingKeyChange <- ciph
-
- ciph, err = newPacketCipher(t.writer.dir, algs.w, kexResult)
- if err != nil {
- return err
- }
- t.writer.pendingKeyChange <- ciph
-
- return nil
-}
-
-func (t *transport) printPacket(p []byte, write bool) {
- if len(p) == 0 {
- return
- }
- who := "server"
- if t.isClient {
- who = "client"
- }
- what := "read"
- if write {
- what = "write"
- }
-
- log.Println(what, who, p[0])
-}
-
-// Read and decrypt next packet.
-func (t *transport) readPacket() (p []byte, err error) {
- for {
- p, err = t.reader.readPacket(t.bufReader, t.strictMode)
- if err != nil {
- break
- }
- // in strict mode we pass through DEBUG and IGNORE packets only during the initial KEX
- if len(p) == 0 || (t.strictMode && !t.initialKEXDone) || (p[0] != msgIgnore && p[0] != msgDebug) {
- break
- }
- }
- if debugTransport {
- t.printPacket(p, false)
- }
-
- return p, err
-}
-
-func (s *connectionState) readPacket(r *bufio.Reader, strictMode bool) ([]byte, error) {
- packet, err := s.packetCipher.readCipherPacket(s.seqNum, r)
- s.seqNum++
- if err == nil && len(packet) == 0 {
- err = errors.New("ssh: zero length packet")
- }
-
- if len(packet) > 0 {
- switch packet[0] {
- case msgNewKeys:
- select {
- case cipher := <-s.pendingKeyChange:
- s.packetCipher = cipher
- if strictMode {
- s.seqNum = 0
- }
- default:
- return nil, errors.New("ssh: got bogus newkeys message")
- }
-
- case msgDisconnect:
- // Transform a disconnect message into an
- // error. Since this is lowest level at which
- // we interpret message types, doing it here
- // ensures that we don't have to handle it
- // elsewhere.
- var msg disconnectMsg
- if err := Unmarshal(packet, &msg); err != nil {
- return nil, err
- }
- return nil, &msg
- }
- }
-
- // The packet may point to an internal buffer, so copy the
- // packet out here.
- fresh := make([]byte, len(packet))
- copy(fresh, packet)
-
- return fresh, err
-}
-
-func (t *transport) writePacket(packet []byte) error {
- if debugTransport {
- t.printPacket(packet, true)
- }
- return t.writer.writePacket(t.bufWriter, t.rand, packet, t.strictMode)
-}
-
-func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []byte, strictMode bool) error {
- changeKeys := len(packet) > 0 && packet[0] == msgNewKeys
-
- err := s.packetCipher.writeCipherPacket(s.seqNum, w, rand, packet)
- if err != nil {
- return err
- }
- if err = w.Flush(); err != nil {
- return err
- }
- s.seqNum++
- if changeKeys {
- select {
- case cipher := <-s.pendingKeyChange:
- s.packetCipher = cipher
- if strictMode {
- s.seqNum = 0
- }
- default:
- panic("ssh: no key material for msgNewKeys")
- }
- }
- return err
-}
-
-func newTransport(rwc io.ReadWriteCloser, rand io.Reader, isClient bool) *transport {
- t := &transport{
- bufReader: bufio.NewReader(rwc),
- bufWriter: bufio.NewWriter(rwc),
- rand: rand,
- reader: connectionState{
- packetCipher: &streamPacketCipher{cipher: noneCipher{}},
- pendingKeyChange: make(chan packetCipher, 1),
- },
- writer: connectionState{
- packetCipher: &streamPacketCipher{cipher: noneCipher{}},
- pendingKeyChange: make(chan packetCipher, 1),
- },
- Closer: rwc,
- }
- t.isClient = isClient
-
- if isClient {
- t.reader.dir = serverKeys
- t.writer.dir = clientKeys
- } else {
- t.reader.dir = clientKeys
- t.writer.dir = serverKeys
- }
-
- return t
-}
-
-type direction struct {
- ivTag []byte
- keyTag []byte
- macKeyTag []byte
-}
-
-var (
- serverKeys = direction{[]byte{'B'}, []byte{'D'}, []byte{'F'}}
- clientKeys = direction{[]byte{'A'}, []byte{'C'}, []byte{'E'}}
-)
-
-// setupKeys sets the cipher and MAC keys from kex.K, kex.H and sessionId, as
-// described in RFC 4253, section 6.4. direction should either be serverKeys
-// (to setup server->client keys) or clientKeys (for client->server keys).
-func newPacketCipher(d direction, algs directionAlgorithms, kex *kexResult) (packetCipher, error) {
- cipherMode := cipherModes[algs.Cipher]
-
- iv := make([]byte, cipherMode.ivSize)
- key := make([]byte, cipherMode.keySize)
-
- generateKeyMaterial(iv, d.ivTag, kex)
- generateKeyMaterial(key, d.keyTag, kex)
-
- var macKey []byte
- if !aeadCiphers[algs.Cipher] {
- macMode := macModes[algs.MAC]
- macKey = make([]byte, macMode.keySize)
- generateKeyMaterial(macKey, d.macKeyTag, kex)
- }
-
- return cipherModes[algs.Cipher].create(key, iv, macKey, algs)
-}
-
-// generateKeyMaterial fills out with key material generated from tag, K, H
-// and sessionId, as specified in RFC 4253, section 7.2.
-func generateKeyMaterial(out, tag []byte, r *kexResult) {
- var digestsSoFar []byte
-
- h := r.Hash.New()
- for len(out) > 0 {
- h.Reset()
- h.Write(r.K)
- h.Write(r.H)
-
- if len(digestsSoFar) == 0 {
- h.Write(tag)
- h.Write(r.SessionID)
- } else {
- h.Write(digestsSoFar)
- }
-
- digest := h.Sum(nil)
- n := copy(out, digest)
- out = out[n:]
- if len(out) > 0 {
- digestsSoFar = append(digestsSoFar, digest...)
- }
- }
-}
-
-const packageVersion = "SSH-2.0-Go"
-
-// Sends and receives a version line. The versionLine string should
-// be US ASCII, start with "SSH-2.0-", and should not include a
-// newline. exchangeVersions returns the other side's version line.
-func exchangeVersions(rw io.ReadWriter, versionLine []byte) (them []byte, err error) {
- // Contrary to the RFC, we do not ignore lines that don't
- // start with "SSH-2.0-" to make the library usable with
- // nonconforming servers.
- for _, c := range versionLine {
- // The spec disallows non US-ASCII chars, and
- // specifically forbids null chars.
- if c < 32 {
- return nil, errors.New("ssh: junk character in version line")
- }
- }
- if _, err = rw.Write(append(versionLine, '\r', '\n')); err != nil {
- return
- }
-
- them, err = readVersion(rw)
- return them, err
-}
-
-// maxVersionStringBytes is the maximum number of bytes that we'll
-// accept as a version string. RFC 4253 section 4.2 limits this at 255
-// chars
-const maxVersionStringBytes = 255
-
-// Read version string as specified by RFC 4253, section 4.2.
-func readVersion(r io.Reader) ([]byte, error) {
- versionString := make([]byte, 0, 64)
- var ok bool
- var buf [1]byte
-
- for length := 0; length < maxVersionStringBytes; length++ {
- _, err := io.ReadFull(r, buf[:])
- if err != nil {
- return nil, err
- }
- // The RFC says that the version should be terminated with \r\n
- // but several SSH servers actually only send a \n.
- if buf[0] == '\n' {
- if !bytes.HasPrefix(versionString, []byte("SSH-")) {
- // RFC 4253 says we need to ignore all version string lines
- // except the one containing the SSH version (provided that
- // all the lines do not exceed 255 bytes in total).
- versionString = versionString[:0]
- continue
- }
- ok = true
- break
- }
-
- // non ASCII chars are disallowed, but we are lenient,
- // since Go doesn't use null-terminated strings.
-
- // The RFC allows a comment after a space, however,
- // all of it (version and comments) goes into the
- // session hash.
- versionString = append(versionString, buf[0])
- }
-
- if !ok {
- return nil, errors.New("ssh: overflow reading version string")
- }
-
- // There might be a '\r' on the end which we should remove.
- if len(versionString) > 0 && versionString[len(versionString)-1] == '\r' {
- versionString = versionString[:len(versionString)-1]
- }
- return versionString, nil
-} |