// Open verifies the authentication tag that trails ciphertext and, only when
// it matches, decrypts the remaining bytes into dst and returns
// dst[:len(ciphertext)-c.tagsize].
//
// A nonce whose length differs from NonceSize yields crypto.NonceSizeError; a
// ciphertext shorter than the tag, or a tag mismatch, yields
// crypto.AuthenticationError. Open panics when dst cannot hold the plaintext.
// dst is written only after the tag has been accepted, so a rejected message
// never leaves unauthenticated plaintext in the caller's buffer.
func (c *aead) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
	if len(nonce) != NonceSize {
		return nil, crypto.NonceSizeError(len(nonce))
	}
	if len(ciphertext) < c.tagsize {
		return nil, crypto.AuthenticationError{}
	}
	split := len(ciphertext) - c.tagsize
	if len(dst) < split {
		panic("dst buffer to small")
	}

	// The message is body || tag; the tag occupies the last c.tagsize bytes.
	body, received := ciphertext[:split], ciphertext[split:]

	var nonceArr [12]byte
	copy(nonceArr[:], nonce)

	// Derive the one-time Poly1305 key by encrypting 32 zero bytes. The key
	// depends only on (c.key, nonce), which is why a nonce must never repeat
	// under the same key.
	// NOTE(review): the trailing arguments (0 / 1 and 20) look like the
	// initial block counter and the round count; confirm against
	// chacha.XORKeyStream.
	// NOTE(review): oneTimeKey is not wiped before returning.
	var oneTimeKey [32]byte
	chacha.XORKeyStream(oneTimeKey[:], oneTimeKey[:], &nonceArr, &(c.key), 0, 20)

	// Recompute the tag over the ciphertext body and the additional data.
	var expected [poly1305.TagSize]byte
	authenticate(&expected, body, additionalData, &oneTimeKey)

	// Constant-time comparison so the position of the first differing byte
	// is not exposed through timing. Only the first c.tagsize bytes are
	// compared; a tagsize below poly1305.TagSize lowers forgery resistance
	// accordingly.
	if subtle.ConstantTimeCompare(expected[:c.tagsize], received) != 1 {
		return nil, crypto.AuthenticationError{}
	}

	// Tag accepted: decrypt with the key stream starting at counter 1.
	chacha.XORKeyStream(dst, body, &nonceArr, &(c.key), 1, 20)
	return dst[:split], nil
}
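// Open verifies the EAX tag that trails ciphertext and, only when it matches,
// decrypts the remaining bytes into dst and returns the plaintext slice.
//
// A nonce whose length differs from the block size yields
// crypto.NonceSizeError; a ciphertext shorter than the c.size-byte tag, or a
// tag mismatch, yields crypto.AuthenticationError. Open panics when dst cannot
// hold the plaintext. dst is written only after the tag has been accepted.
//
// Open reuses c.mac and c.ctr as scratch state, so one eaxCipher value must
// not be used from several goroutines at the same time.
func (c *eaxCipher) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
	if n := len(nonce); n != c.blockCipher.BlockSize() {
		return nil, crypto.NonceSizeError(n)
	}
	if len(ciphertext) < c.size {
		return nil, crypto.AuthenticationError{}
	}

	// The plaintext is exactly len(ciphertext)-c.size bytes, so that is the
	// bound dst must satisfy. Checking against c.mac.Size() instead lets a
	// too-short dst through whenever c.size is smaller than the full MAC
	// size, and the failure then surfaces only in ctrCrypt or in the final
	// dst[:n] reslice.
	n := len(ciphertext) - c.size
	if len(dst) < n {
		panic("dst buffer to small")
	}

	hash := ciphertext[n:]
	ciphertext = ciphertext[:n]

	// tag doubles as the one-block domain prefix: all zero except the last
	// byte, which selects the nonce / header / ciphertext MAC.
	// NOTE(review): nTag, hTag and cTag are declared elsewhere; presumably
	// the EAX domain constants 0, 1 and 2 - confirm.
	tag := make([]byte, c.mac.BlockSize())

	// process nonce
	tag[len(tag)-1] = nTag
	c.mac.Write(tag)
	c.mac.Write(nonce)
	authNonce := c.mac.Sum(nil)
	c.mac.Reset()

	// process additional data
	tag[len(tag)-1] = hTag
	c.mac.Write(tag)
	c.mac.Write(additionalData)
	authData := c.mac.Sum(nil)
	c.mac.Reset()

	// process ciphertext
	tag[len(tag)-1] = cTag
	c.mac.Write(tag)
	c.mac.Write(ciphertext)
	tag = c.mac.Sum(tag[:0]) // reuse the prefix buffer for the result
	c.mac.Reset()

	// The EAX tag is the XOR of the three MAC values.
	for i := range tag {
		tag[i] ^= authData[i] ^ authNonce[i]
	}

	// Constant-time comparison of the (possibly truncated) tag so timing
	// does not reveal how many leading bytes matched.
	if subtle.ConstantTimeCompare(tag[:c.size], hash) != 1 {
		return nil, crypto.AuthenticationError{}
	}

	// decrypt: the MAC of the nonce is the initial CTR counter block
	copy(c.ctr, authNonce)
	c.ctrCrypt(dst, ciphertext)
	return dst[:n], nil
}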
// Seal encrypts plaintext into dst in CTR mode, computes the EAX tag over the
// nonce, additionalData and the resulting ciphertext, and returns
// dst[:len(plaintext)] with the first c.size tag bytes appended.
//
// Seal panics with crypto.NonceSizeError when the nonce length differs from
// the block size, and panics when dst is shorter than plaintext. Only room for
// the plaintext is required up front; append grows the slice for the tag if
// dst lacks capacity.
//
// The initial CTR counter block is derived from the nonce alone, so a nonce
// must never be reused under the same key. Seal reuses c.mac and c.ctr as
// scratch state, so one eaxCipher value must not be used from several
// goroutines at the same time.
func (c *eaxCipher) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
	if len(nonce) != c.blockCipher.BlockSize() {
		panic(crypto.NonceSizeError(len(nonce)))
	}
	msgLen := len(plaintext)
	if len(dst) < msgLen {
		panic("dst buffer to small")
	}

	// One-block domain prefix: all zero except the last byte, which selects
	// the nonce / header / ciphertext MAC.
	// NOTE(review): nTag, hTag and cTag are declared elsewhere; presumably
	// the EAX domain constants 0, 1 and 2 - confirm.
	prefix := make([]byte, c.mac.BlockSize())

	// tweakedMAC feeds prefix||msg through c.mac under the given domain,
	// appends the result to out and resets the MAC for the next use.
	tweakedMAC := func(domain byte, msg, out []byte) []byte {
		prefix[len(prefix)-1] = domain
		c.mac.Write(prefix)
		c.mac.Write(msg)
		sum := c.mac.Sum(out)
		c.mac.Reset()
		return sum
	}

	nonceMAC := tweakedMAC(nTag, nonce, nil)
	headerMAC := tweakedMAC(hTag, additionalData, nil)

	// Encrypt first: the tag covers the ciphertext, not the plaintext.
	copy(c.ctr, nonceMAC) // the nonce MAC is the initial CTR counter block
	c.ctrCrypt(dst, plaintext)

	// The ciphertext MAC is written over the prefix buffer, which is no
	// longer needed once it has been absorbed.
	sealTag := tweakedMAC(cTag, dst[:msgLen], prefix[:0])

	// The EAX tag is the XOR of the three MAC values.
	for i := range sealTag {
		sealTag[i] ^= headerMAC[i] ^ nonceMAC[i]
	}
	return append(dst[:msgLen], sealTag[:c.size]...)
}
// Seal encrypts plaintext into dst, authenticates the resulting ciphertext
// together with additionalData, and returns dst[:len(plaintext)] followed by
// the first c.tagsize bytes of the Poly1305 tag.
//
// Seal panics with crypto.NonceSizeError when the nonce length differs from
// NonceSize, and panics when dst is shorter than len(plaintext)+c.tagsize.
// Because dst already has room for the tag, the final append writes in place.
func (c *aead) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
	if len(nonce) != NonceSize {
		panic(crypto.NonceSizeError(len(nonce)))
	}
	msgLen := len(plaintext)
	if len(dst) < msgLen+c.tagsize {
		panic("dst buffer to small")
	}

	var nonceArr [12]byte
	copy(nonceArr[:], nonce)

	// Derive the one-time Poly1305 key by encrypting 32 zero bytes. The key
	// depends only on (c.key, nonce), which is why a nonce must never repeat
	// under the same key.
	// NOTE(review): the trailing arguments (0 / 1 and 20) look like the
	// initial block counter and the round count; confirm against
	// chacha.XORKeyStream.
	// NOTE(review): oneTimeKey is not wiped before returning.
	var oneTimeKey [32]byte
	chacha.XORKeyStream(oneTimeKey[:], oneTimeKey[:], &nonceArr, &(c.key), 0, 20)

	// Encrypt with the key stream starting at counter 1, so it never
	// overlaps the block used for the Poly1305 key.
	chacha.XORKeyStream(dst, plaintext, &nonceArr, &(c.key), 1, 20)

	// Encrypt-then-MAC: the tag covers the ciphertext and the additional
	// data. Only c.tagsize bytes of it are emitted; a tagsize below
	// poly1305.TagSize lowers forgery resistance accordingly.
	var mac [poly1305.TagSize]byte
	authenticate(&mac, dst[:msgLen], additionalData, &oneTimeKey)
	return append(dst[:msgLen], mac[:c.tagsize]...)
}