VENDOR intensifies

vendor/github.com/rfjakob/eme/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 Jakob Unterwurzacher
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

vendor/github.com/rfjakob/eme/README.md

@@ -0,0 +1,105 @@
+EME for Go [![Build Status](https://travis-ci.org/rfjakob/eme.svg?branch=master)](https://travis-ci.org/rfjakob/eme) [![GoDoc](https://godoc.org/github.com/rfjakob/eme?status.svg)](https://godoc.org/github.com/rfjakob/eme) ![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)
+==========
+
+**EME** (ECB-Mix-ECB or, clearer, **Encrypt-Mix-Encrypt**) is a wide-block
+encryption mode developed by Halevi
+and Rogaway in 2003 [[eme]](#eme).
+
+EME uses multiple invocations of a block cipher to construct a new
+cipher of bigger block size (in multiples of 16 bytes, up to 2048 bytes).
+
+Quoting from the original [[eme]](#eme) paper:
+
+> We describe a block-cipher mode of operation, EME, that turns an n-bit block cipher into
+> a tweakable enciphering scheme that acts on strings of mn bits, where m ∈ [1..n]. The mode is
+> parallelizable, but as serial-efficient as the non-parallelizable mode CMC [6]. EME can be used
+> to solve the disk-sector encryption problem. The algorithm entails two layers of ECB encryption
+> and a “lightweight mixing” in between. We prove EME secure, in the reduction-based sense of
+> modern cryptography.
+
+Figure 2 from the [[eme]](#eme) paper shows an overview of the transformation:
+
+[![Figure 2 from [eme]](paper-eme-fig2.png)](#)
+
+This is an implementation of EME in Go, complete with test vectors from IEEE [[p1619-2]](#p1619-2)
+and Halevi [[eme-32-testvec]](#eme-32-testvec).
+
+Is it patentend?
+----------------
+
+In 2007, the UC Davis has decided to abandon [[patabandon]](#patabandon)
+the patent application [[patappl]](#patappl) for EME.
+
+Related algorithms
+------------------
+
+**EME-32** is EME with the cipher set to AES and the length set to 512.
+That is, EME-32 [[eme-32-pdf]](#eme-32-pdf) is a subset of EME.
+
+**EME2**, also known as EME\* [[emestar]](#emestar), is an extended version of EME
+that has built-in handling for data that is not a multiple of 16 bytes
+long.  
+EME2 has been selected for standardization in IEEE P1619.2 [[p1619.2]](#p1619.2).
+
+References
+----------
+
+#### [eme]
+*A Parallelizable Enciphering Mode*  
+Shai Halevi, Phillip Rogaway, 28 Jul 2003  
+https://eprint.iacr.org/2003/147.pdf  
+
+Note: This is the original EME paper. EME is specified for an arbitrary
+number of block-cipher blocks. EME-32 is a concrete implementation of
+EME with a fixed length of 32 AES blocks.
+
+#### [eme-32-email]
+*Re: EME-32-AES with editorial comments*  
+Shai Halevi, 07 Jun 2005  
+http://grouper.ieee.org/groups/1619/email/msg00310.html
+
+#### [eme-32-pdf]
+*Draft Standard for Tweakable Wide-block Encryption*  
+Shai Halevi, 02 June 2005  
+http://grouper.ieee.org/groups/1619/email/pdf00020.pdf  
+
+Note: This is the latest version of the EME-32 draft that I could find. It
+includes test vectors and C source code.
+
+#### [eme-32-testvec]
+*Re: Test vectors for LRW and EME*  
+Shai Halevi, 16 Nov 2004  
+http://grouper.ieee.org/groups/1619/email/msg00218.html
+
+#### [emestar]
+*EME\*: extending EME to handle arbitrary-length messages with associated data*  
+Shai Halevi, 27 May 2004  
+https://eprint.iacr.org/2004/125.pdf
+
+#### [patabandon]
+*Re: [P1619-2] Non-awareness patent statement made by UC Davis*  
+Mat Ball, 26 Nov 2007  
+http://grouper.ieee.org/groups/1619/email-2/msg00005.html
+
+#### [patappl]
+*Block cipher mode of operation for constructing a wide-blocksize block cipher from a conventional block cipher*  
+US patent application US20040131182  
+http://www.google.com/patents/US20040131182
+
+#### [p1619-2]
+*IEEE P1619.2™/D9 Draft Standard for Wide-Block Encryption for Shared Storage Media*  
+IEEE, Dec 2008  
+http://siswg.net/index2.php?option=com_docman&task=doc_view&gid=156&Itemid=41  
+
+Note: This is a draft version. The final version is not freely available
+and must be bought from IEEE.
+
+Package Changelog
+-----------------
+
+v1.1, 2017-03-05
+* Add eme.New() / \*EMECipher convenience wrapper
+* Improve panic message and parameter wording
+
+v1.0, 2015-12-08
+* Stable release

vendor/github.com/rfjakob/eme/benchmark.bash

@@ -0,0 +1,3 @@
+#!/bin/bash -eu
+
+go test -bench=.

vendor/github.com/rfjakob/eme/eme.go

@@ -0,0 +1,206 @@
+// EME (ECB-Mix-ECB or, clearer, Encrypt-Mix-Encrypt) is a wide-block
+// encryption mode developed by Halevi and Rogaway.
+//
+// It was presented in the 2003 paper "A Parallelizable Enciphering Mode" by
+// Halevi and Rogaway.
+//
+// EME uses multiple invocations of a block cipher to construct a new cipher
+// of bigger block size (in multiples of 16 bytes, up to 2048 bytes).
+package eme
+
+import (
+	"crypto/cipher"
+	"log"
+)
+
+type directionConst bool
+
+const (
+	// Encrypt "inputData"
+	DirectionEncrypt = directionConst(true)
+	// Decrypt "inputData"
+	DirectionDecrypt = directionConst(false)
+)
+
+// multByTwo - GF multiplication as specified in the EME-32 draft
+func multByTwo(out []byte, in []byte) {
+	if len(in) != 16 {
+		panic("len must be 16")
+	}
+	tmp := make([]byte, 16)
+
+	tmp[0] = 2 * in[0]
+	if in[15] >= 128 {
+		tmp[0] = tmp[0] ^ 135
+	}
+	for j := 1; j < 16; j++ {
+		tmp[j] = 2 * in[j]
+		if in[j-1] >= 128 {
+			tmp[j] += 1
+		}
+	}
+	copy(out, tmp)
+}
+
+func xorBlocks(out []byte, in1 []byte, in2 []byte) {
+	if len(in1) != len(in2) {
+		log.Panicf("len(in1)=%d is not equal to len(in2)=%d", len(in1), len(in2))
+	}
+
+	for i := range in1 {
+		out[i] = in1[i] ^ in2[i]
+	}
+}
+
+// aesTransform - encrypt or decrypt (according to "direction") using block
+// cipher "bc" (typically AES)
+func aesTransform(dst []byte, src []byte, direction directionConst, bc cipher.Block) {
+	if direction == DirectionEncrypt {
+		bc.Encrypt(dst, src)
+		return
+	} else if direction == DirectionDecrypt {
+		bc.Decrypt(dst, src)
+		return
+	}
+}
+
+// tabulateL - calculate L_i for messages up to a length of m cipher blocks
+func tabulateL(bc cipher.Block, m int) [][]byte {
+	/* set L0 = 2*AESenc(K; 0) */
+	eZero := make([]byte, 16)
+	Li := make([]byte, 16)
+	bc.Encrypt(Li, eZero)
+
+	LTable := make([][]byte, m)
+	// Allocate pool once and slice into m pieces in the loop
+	pool := make([]byte, m*16)
+	for i := 0; i < m; i++ {
+		multByTwo(Li, Li)
+		LTable[i] = pool[i*16 : (i+1)*16]
+		copy(LTable[i], Li)
+	}
+	return LTable
+}
+
+// Transform - EME-encrypt or EME-decrypt, according to "direction"
+// (defined in the constants DirectionEncrypt and DirectionDecrypt).
+// The data in "inputData" is en- or decrypted with the block ciper "bc" under
+// "tweak" (also known as IV).
+//
+// The tweak is used to randomize the encryption in the same way as an
+// IV.  A use of this encryption mode envisioned by the authors of the
+// algorithm was to encrypt each sector of a disk, with the tweak
+// being the sector number.  If you encipher the same data with the
+// same tweak you will get the same ciphertext.
+//
+// The result is returned in a freshly allocated slice of the same
+// size as inputData.
+//
+// Limitations:
+// * The block cipher must have block size 16 (usually AES).
+// * The size of "tweak" must be 16
+// * "inputData" must be a multiple of 16 bytes long
+// If any of these pre-conditions are not met, the function will panic.
+//
+// Note that you probably don't want to call this function directly and instead
+// use eme.New(), which provides conventient wrappers.
+func Transform(bc cipher.Block, tweak []byte, inputData []byte, direction directionConst) []byte {
+	// In the paper, the tweak is just called "T". Call it the same here to
+	// make following the paper easy.
+	T := tweak
+	// In the paper, the plaintext data is called "P" and the ciphertext is
+	// called "C". Because encryption and decryption are virtually identical,
+	// we share the code and always call the input data "P" and the output data
+	// "C", regardless of the direction.
+	P := inputData
+
+	if bc.BlockSize() != 16 {
+		log.Panicf("Using a block size other than 16 is not implemented")
+	}
+	if len(T) != 16 {
+		log.Panicf("Tweak must be 16 bytes long, is %d", len(T))
+	}
+	if len(P)%16 != 0 {
+		log.Panicf("Data P must be a multiple of 16 long, is %d", len(P))
+	}
+	m := len(P) / 16
+	if m == 0 || m > 16*8 {
+		log.Panicf("EME operates on 1 to %d block-cipher blocks, you passed %d", 16*8, m)
+	}
+
+	C := make([]byte, len(P))
+
+	LTable := tabulateL(bc, m)
+
+	PPj := make([]byte, 16)
+	for j := 0; j < m; j++ {
+		Pj := P[j*16 : (j+1)*16]
+		/* PPj = 2**(j-1)*L xor Pj */
+		xorBlocks(PPj, Pj, LTable[j])
+		/* PPPj = AESenc(K; PPj) */
+		aesTransform(C[j*16:(j+1)*16], PPj, direction, bc)
+	}
+
+	/* MP =(xorSum PPPj) xor T */
+	MP := make([]byte, 16)
+	xorBlocks(MP, C[0:16], T)
+	for j := 1; j < m; j++ {
+		xorBlocks(MP, MP, C[j*16:(j+1)*16])
+	}
+
+	/* MC = AESenc(K; MP) */
+	MC := make([]byte, 16)
+	aesTransform(MC, MP, direction, bc)
+
+	/* M = MP xor MC */
+	M := make([]byte, 16)
+	xorBlocks(M, MP, MC)
+	CCCj := make([]byte, 16)
+	for j := 1; j < m; j++ {
+		multByTwo(M, M)
+		/* CCCj = 2**(j-1)*M xor PPPj */
+		xorBlocks(CCCj, C[j*16:(j+1)*16], M)
+		copy(C[j*16:(j+1)*16], CCCj)
+	}
+
+	/* CCC1 = (xorSum CCCj) xor T xor MC */
+	CCC1 := make([]byte, 16)
+	xorBlocks(CCC1, MC, T)
+	for j := 1; j < m; j++ {
+		xorBlocks(CCC1, CCC1, C[j*16:(j+1)*16])
+	}
+	copy(C[0:16], CCC1)
+
+	for j := 0; j < m; j++ {
+		/* CCj = AES-enc(K; CCCj) */
+		aesTransform(C[j*16:(j+1)*16], C[j*16:(j+1)*16], direction, bc)
+		/* Cj = 2**(j-1)*L xor CCj */
+		xorBlocks(C[j*16:(j+1)*16], C[j*16:(j+1)*16], LTable[j])
+	}
+
+	return C
+}
+
+// EMECipher provides EME-Encryption and -Decryption functions that are more
+// convenient than calling Transform directly.
+type EMECipher struct {
+	bc cipher.Block
+}
+
+// New returns a new EMECipher object. "bc" must have a block size of 16,
+// or subsequent calls to Encrypt and Decrypt will panic.
+func New(bc cipher.Block) *EMECipher {
+	return &EMECipher{
+		bc: bc,
+	}
+}
+
+// Encrypt is equivalent to calling Transform with direction=DirectionEncrypt.
+func (e *EMECipher) Encrypt(tweak []byte, inputData []byte) []byte {
+	return Transform(e.bc, tweak, inputData, DirectionEncrypt)
+}
+
+// Decrypt is equivalent to calling Transform with direction=DirectionDecrypt.
+func (e *EMECipher) Decrypt(tweak []byte, inputData []byte) []byte {
+	return Transform(e.bc, tweak, inputData, DirectionDecrypt)
+}

vendor/github.com/rfjakob/eme/test.bash

@@ -0,0 +1,5 @@
+#!/bin/bash -eu
+
+go build
+go test . "$@"
+go tool vet -all -shadow .