podman
1// Copyright 2012 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5/*
6Package secretbox encrypts and authenticates small messages.
7
8Secretbox uses XSalsa20 and Poly1305 to encrypt and authenticate messages with
9secret-key cryptography. The length of messages is not hidden.
10
11It is the caller's responsibility to ensure the uniqueness of nonces—for
12example, by using nonce 1 for the first message, nonce 2 for the second
13message, etc. Nonces are long enough that randomly generated nonces have
14negligible risk of collision.
15
16Messages should be small because:
17
181. The whole message needs to be held in memory to be processed.
19
202. Using large messages pressures implementations on small machines to decrypt
21and process plaintext before authenticating it. This is very dangerous, and
22this API does not allow it, but a protocol that uses excessive message sizes
23might present some implementations with no other choice.
24
253. Fixed overheads will be sufficiently amortised by messages as small as 8KB.
26
274. Performance may be improved by working with messages that fit into data caches.
28
29Thus large amounts of data should be chunked so that each message is small.
30(Each message still needs a unique nonce.) If in doubt, 16KB is a reasonable
31chunk size.
32
33This package is interoperable with NaCl: https://nacl.cr.yp.to/secretbox.html.
34*/
35package secretbox // import "golang.org/x/crypto/nacl/secretbox"36
37import (38"golang.org/x/crypto/internal/alias"39"golang.org/x/crypto/internal/poly1305"40"golang.org/x/crypto/salsa20/salsa"41)
42
43// Overhead is the number of bytes of overhead when boxing a message.
44const Overhead = poly1305.TagSize45
46// setup produces a sub-key and Salsa20 counter given a nonce and key.
47func setup(subKey *[32]byte, counter *[16]byte, nonce *[24]byte, key *[32]byte) {48// We use XSalsa20 for encryption so first we need to generate a49// key and nonce with HSalsa20.50var hNonce [16]byte51copy(hNonce[:], nonce[:])52salsa.HSalsa20(subKey, &hNonce, key, &salsa.Sigma)53
54// The final 8 bytes of the original nonce form the new nonce.55copy(counter[:], nonce[16:])56}
57
58// sliceForAppend takes a slice and a requested number of bytes. It returns a
59// slice with the contents of the given slice followed by that many bytes and a
60// second slice that aliases into it and contains only the extra bytes. If the
61// original slice has sufficient capacity then no allocation is performed.
62func sliceForAppend(in []byte, n int) (head, tail []byte) {63if total := len(in) + n; cap(in) >= total {64head = in[:total]65} else {66head = make([]byte, total)67copy(head, in)68}69tail = head[len(in):]70return71}
72
73// Seal appends an encrypted and authenticated copy of message to out, which
74// must not overlap message. The key and nonce pair must be unique for each
75// distinct message and the output will be Overhead bytes longer than message.
76func Seal(out, message []byte, nonce *[24]byte, key *[32]byte) []byte {77var subKey [32]byte78var counter [16]byte79setup(&subKey, &counter, nonce, key)80
81// The Poly1305 key is generated by encrypting 32 bytes of zeros. Since82// Salsa20 works with 64-byte blocks, we also generate 32 bytes of83// keystream as a side effect.84var firstBlock [64]byte85salsa.XORKeyStream(firstBlock[:], firstBlock[:], &counter, &subKey)86
87var poly1305Key [32]byte88copy(poly1305Key[:], firstBlock[:])89
90ret, out := sliceForAppend(out, len(message)+poly1305.TagSize)91if alias.AnyOverlap(out, message) {92panic("nacl: invalid buffer overlap")93}94
95// We XOR up to 32 bytes of message with the keystream generated from96// the first block.97firstMessageBlock := message98if len(firstMessageBlock) > 32 {99firstMessageBlock = firstMessageBlock[:32]100}101
102tagOut := out103out = out[poly1305.TagSize:]104for i, x := range firstMessageBlock {105out[i] = firstBlock[32+i] ^ x106}107message = message[len(firstMessageBlock):]108ciphertext := out109out = out[len(firstMessageBlock):]110
111// Now encrypt the rest.112counter[8] = 1113salsa.XORKeyStream(out, message, &counter, &subKey)114
115var tag [poly1305.TagSize]byte116poly1305.Sum(&tag, ciphertext, &poly1305Key)117copy(tagOut, tag[:])118
119return ret120}
121
122// Open authenticates and decrypts a box produced by Seal and appends the
123// message to out, which must not overlap box. The output will be Overhead
124// bytes smaller than box.
125func Open(out, box []byte, nonce *[24]byte, key *[32]byte) ([]byte, bool) {126if len(box) < Overhead {127return nil, false128}129
130var subKey [32]byte131var counter [16]byte132setup(&subKey, &counter, nonce, key)133
134// The Poly1305 key is generated by encrypting 32 bytes of zeros. Since135// Salsa20 works with 64-byte blocks, we also generate 32 bytes of136// keystream as a side effect.137var firstBlock [64]byte138salsa.XORKeyStream(firstBlock[:], firstBlock[:], &counter, &subKey)139
140var poly1305Key [32]byte141copy(poly1305Key[:], firstBlock[:])142var tag [poly1305.TagSize]byte143copy(tag[:], box)144
145if !poly1305.Verify(&tag, box[poly1305.TagSize:], &poly1305Key) {146return nil, false147}148
149ret, out := sliceForAppend(out, len(box)-Overhead)150if alias.AnyOverlap(out, box) {151panic("nacl: invalid buffer overlap")152}153
154// We XOR up to 32 bytes of box with the keystream generated from155// the first block.156box = box[Overhead:]157firstMessageBlock := box158if len(firstMessageBlock) > 32 {159firstMessageBlock = firstMessageBlock[:32]160}161for i, x := range firstMessageBlock {162out[i] = firstBlock[32+i] ^ x163}164
165box = box[len(firstMessageBlock):]166out = out[len(firstMessageBlock):]167
168// Now decrypt the rest.169counter[8] = 1170salsa.XORKeyStream(out, box, &counter, &subKey)171
172return ret, true173}
174