aboutsummaryrefslogtreecommitdiffhomepage
path: root/vendor/golang.org
diff options
context:
space:
mode:
Diffstat (limited to 'vendor/golang.org')
-rw-r--r--vendor/golang.org/x/crypto/bcrypt/base64.go35
-rw-r--r--vendor/golang.org/x/crypto/bcrypt/bcrypt.go294
-rw-r--r--vendor/golang.org/x/crypto/blowfish/block.go159
-rw-r--r--vendor/golang.org/x/crypto/blowfish/cipher.go91
-rw-r--r--vendor/golang.org/x/crypto/blowfish/const.go199
-rw-r--r--vendor/golang.org/x/crypto/curve25519/const_amd64.h8
-rw-r--r--vendor/golang.org/x/crypto/curve25519/const_amd64.s20
-rw-r--r--vendor/golang.org/x/crypto/curve25519/cswap_amd64.s88
-rw-r--r--vendor/golang.org/x/crypto/curve25519/curve25519.go841
-rw-r--r--vendor/golang.org/x/crypto/curve25519/doc.go23
-rw-r--r--vendor/golang.org/x/crypto/curve25519/freeze_amd64.s73
-rw-r--r--vendor/golang.org/x/crypto/curve25519/ladderstep_amd64.s1377
-rw-r--r--vendor/golang.org/x/crypto/curve25519/mont25519_amd64.go240
-rw-r--r--vendor/golang.org/x/crypto/curve25519/mul_amd64.s169
-rw-r--r--vendor/golang.org/x/crypto/curve25519/square_amd64.s132
-rw-r--r--vendor/golang.org/x/crypto/ed25519/ed25519.go181
-rw-r--r--vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go1422
-rw-r--r--vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go1771
-rw-r--r--vendor/golang.org/x/crypto/ssh/buffer.go98
-rw-r--r--vendor/golang.org/x/crypto/ssh/certs.go503
-rw-r--r--vendor/golang.org/x/crypto/ssh/channel.go633
-rw-r--r--vendor/golang.org/x/crypto/ssh/cipher.go627
-rw-r--r--vendor/golang.org/x/crypto/ssh/client.go211
-rw-r--r--vendor/golang.org/x/crypto/ssh/client_auth.go475
-rw-r--r--vendor/golang.org/x/crypto/ssh/common.go371
-rw-r--r--vendor/golang.org/x/crypto/ssh/connection.go143
-rw-r--r--vendor/golang.org/x/crypto/ssh/doc.go18
-rw-r--r--vendor/golang.org/x/crypto/ssh/handshake.go625
-rw-r--r--vendor/golang.org/x/crypto/ssh/kex.go540
-rw-r--r--vendor/golang.org/x/crypto/ssh/keys.go905
-rw-r--r--vendor/golang.org/x/crypto/ssh/mac.go61
-rw-r--r--vendor/golang.org/x/crypto/ssh/messages.go758
-rw-r--r--vendor/golang.org/x/crypto/ssh/mux.go330
-rw-r--r--vendor/golang.org/x/crypto/ssh/server.go491
-rw-r--r--vendor/golang.org/x/crypto/ssh/session.go627
-rw-r--r--vendor/golang.org/x/crypto/ssh/tcpip.go407
-rw-r--r--vendor/golang.org/x/crypto/ssh/transport.go375
37 files changed, 778 insertions, 14543 deletions
diff --git a/vendor/golang.org/x/crypto/bcrypt/base64.go b/vendor/golang.org/x/crypto/bcrypt/base64.go
new file mode 100644
index 0000000..fc31160
--- /dev/null
+++ b/vendor/golang.org/x/crypto/bcrypt/base64.go
@@ -0,0 +1,35 @@
1// Copyright 2011 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package bcrypt
6
7import "encoding/base64"
8
9const alphabet = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
10
11var bcEncoding = base64.NewEncoding(alphabet)
12
13func base64Encode(src []byte) []byte {
14 n := bcEncoding.EncodedLen(len(src))
15 dst := make([]byte, n)
16 bcEncoding.Encode(dst, src)
17 for dst[n-1] == '=' {
18 n--
19 }
20 return dst[:n]
21}
22
23func base64Decode(src []byte) ([]byte, error) {
24 numOfEquals := 4 - (len(src) % 4)
25 for i := 0; i < numOfEquals; i++ {
26 src = append(src, '=')
27 }
28
29 dst := make([]byte, bcEncoding.DecodedLen(len(src)))
30 n, err := bcEncoding.Decode(dst, src)
31 if err != nil {
32 return nil, err
33 }
34 return dst[:n], nil
35}
diff --git a/vendor/golang.org/x/crypto/bcrypt/bcrypt.go b/vendor/golang.org/x/crypto/bcrypt/bcrypt.go
new file mode 100644
index 0000000..f8b807f
--- /dev/null
+++ b/vendor/golang.org/x/crypto/bcrypt/bcrypt.go
@@ -0,0 +1,294 @@
1// Copyright 2011 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// Package bcrypt implements Provos and Mazières's bcrypt adaptive hashing
6// algorithm. See http://www.usenix.org/event/usenix99/provos/provos.pdf
7package bcrypt // import "golang.org/x/crypto/bcrypt"
8
9// The code is a port of Provos and Mazières's C implementation.
10import (
11 "crypto/rand"
12 "crypto/subtle"
13 "errors"
14 "fmt"
15 "golang.org/x/crypto/blowfish"
16 "io"
17 "strconv"
18)
19
20const (
21 MinCost int = 4 // the minimum allowable cost as passed in to GenerateFromPassword
22 MaxCost int = 31 // the maximum allowable cost as passed in to GenerateFromPassword
23 DefaultCost int = 10 // the cost that will actually be set if a cost below MinCost is passed into GenerateFromPassword
24)
25
26// The error returned from CompareHashAndPassword when a password and hash do
27// not match.
28var ErrMismatchedHashAndPassword = errors.New("crypto/bcrypt: hashedPassword is not the hash of the given password")
29
30// The error returned from CompareHashAndPassword when a hash is too short to
31// be a bcrypt hash.
32var ErrHashTooShort = errors.New("crypto/bcrypt: hashedSecret too short to be a bcrypted password")
33
34// The error returned from CompareHashAndPassword when a hash was created with
35// a bcrypt algorithm newer than this implementation.
36type HashVersionTooNewError byte
37
38func (hv HashVersionTooNewError) Error() string {
39 return fmt.Sprintf("crypto/bcrypt: bcrypt algorithm version '%c' requested is newer than current version '%c'", byte(hv), majorVersion)
40}
41
42// The error returned from CompareHashAndPassword when a hash starts with something other than '$'
43type InvalidHashPrefixError byte
44
45func (ih InvalidHashPrefixError) Error() string {
46 return fmt.Sprintf("crypto/bcrypt: bcrypt hashes must start with '$', but hashedSecret started with '%c'", byte(ih))
47}
48
49type InvalidCostError int
50
51func (ic InvalidCostError) Error() string {
52 return fmt.Sprintf("crypto/bcrypt: cost %d is outside allowed range (%d,%d)", int(ic), int(MinCost), int(MaxCost))
53}
54
55const (
56 majorVersion = '2'
57 minorVersion = 'a'
58 maxSaltSize = 16
59 maxCryptedHashSize = 23
60 encodedSaltSize = 22
61 encodedHashSize = 31
62 minHashSize = 59
63)
64
65// magicCipherData is an IV for the 64 Blowfish encryption calls in
66// bcrypt(). It's the string "OrpheanBeholderScryDoubt" in big-endian bytes.
67var magicCipherData = []byte{
68 0x4f, 0x72, 0x70, 0x68,
69 0x65, 0x61, 0x6e, 0x42,
70 0x65, 0x68, 0x6f, 0x6c,
71 0x64, 0x65, 0x72, 0x53,
72 0x63, 0x72, 0x79, 0x44,
73 0x6f, 0x75, 0x62, 0x74,
74}
75
76type hashed struct {
77 hash []byte
78 salt []byte
79 cost int // allowed range is MinCost to MaxCost
80 major byte
81 minor byte
82}
83
84// GenerateFromPassword returns the bcrypt hash of the password at the given
85// cost. If the cost given is less than MinCost, the cost will be set to
86// DefaultCost, instead. Use CompareHashAndPassword, as defined in this package,
87// to compare the returned hashed password with its cleartext version.
88func GenerateFromPassword(password []byte, cost int) ([]byte, error) {
89 p, err := newFromPassword(password, cost)
90 if err != nil {
91 return nil, err
92 }
93 return p.Hash(), nil
94}
95
96// CompareHashAndPassword compares a bcrypt hashed password with its possible
97// plaintext equivalent. Returns nil on success, or an error on failure.
98func CompareHashAndPassword(hashedPassword, password []byte) error {
99 p, err := newFromHash(hashedPassword)
100 if err != nil {
101 return err
102 }
103
104 otherHash, err := bcrypt(password, p.cost, p.salt)
105 if err != nil {
106 return err
107 }
108
109 otherP := &hashed{otherHash, p.salt, p.cost, p.major, p.minor}
110 if subtle.ConstantTimeCompare(p.Hash(), otherP.Hash()) == 1 {
111 return nil
112 }
113
114 return ErrMismatchedHashAndPassword
115}
116
117// Cost returns the hashing cost used to create the given hashed
118// password. When, in the future, the hashing cost of a password system needs
119// to be increased in order to adjust for greater computational power, this
120// function allows one to establish which passwords need to be updated.
121func Cost(hashedPassword []byte) (int, error) {
122 p, err := newFromHash(hashedPassword)
123 if err != nil {
124 return 0, err
125 }
126 return p.cost, nil
127}
128
129func newFromPassword(password []byte, cost int) (*hashed, error) {
130 if cost < MinCost {
131 cost = DefaultCost
132 }
133 p := new(hashed)
134 p.major = majorVersion
135 p.minor = minorVersion
136
137 err := checkCost(cost)
138 if err != nil {
139 return nil, err
140 }
141 p.cost = cost
142
143 unencodedSalt := make([]byte, maxSaltSize)
144 _, err = io.ReadFull(rand.Reader, unencodedSalt)
145 if err != nil {
146 return nil, err
147 }
148
149 p.salt = base64Encode(unencodedSalt)
150 hash, err := bcrypt(password, p.cost, p.salt)
151 if err != nil {
152 return nil, err
153 }
154 p.hash = hash
155 return p, err
156}
157
158func newFromHash(hashedSecret []byte) (*hashed, error) {
159 if len(hashedSecret) < minHashSize {
160 return nil, ErrHashTooShort
161 }
162 p := new(hashed)
163 n, err := p.decodeVersion(hashedSecret)
164 if err != nil {
165 return nil, err
166 }
167 hashedSecret = hashedSecret[n:]
168 n, err = p.decodeCost(hashedSecret)
169 if err != nil {
170 return nil, err
171 }
172 hashedSecret = hashedSecret[n:]
173
174 // The "+2" is here because we'll have to append at most 2 '=' to the salt
175 // when base64 decoding it in expensiveBlowfishSetup().
176 p.salt = make([]byte, encodedSaltSize, encodedSaltSize+2)
177 copy(p.salt, hashedSecret[:encodedSaltSize])
178
179 hashedSecret = hashedSecret[encodedSaltSize:]
180 p.hash = make([]byte, len(hashedSecret))
181 copy(p.hash, hashedSecret)
182
183 return p, nil
184}
185
186func bcrypt(password []byte, cost int, salt []byte) ([]byte, error) {
187 cipherData := make([]byte, len(magicCipherData))
188 copy(cipherData, magicCipherData)
189
190 c, err := expensiveBlowfishSetup(password, uint32(cost), salt)
191 if err != nil {
192 return nil, err
193 }
194
195 for i := 0; i < 24; i += 8 {
196 for j := 0; j < 64; j++ {
197 c.Encrypt(cipherData[i:i+8], cipherData[i:i+8])
198 }
199 }
200
201 // Bug compatibility with C bcrypt implementations. We only encode 23 of
202 // the 24 bytes encrypted.
203 hsh := base64Encode(cipherData[:maxCryptedHashSize])
204 return hsh, nil
205}
206
207func expensiveBlowfishSetup(key []byte, cost uint32, salt []byte) (*blowfish.Cipher, error) {
208
209 csalt, err := base64Decode(salt)
210 if err != nil {
211 return nil, err
212 }
213
214 // Bug compatibility with C bcrypt implementations. They use the trailing
215 // NULL in the key string during expansion.
216 ckey := append(key, 0)
217
218 c, err := blowfish.NewSaltedCipher(ckey, csalt)
219 if err != nil {
220 return nil, err
221 }
222
223 var i, rounds uint64
224 rounds = 1 << cost
225 for i = 0; i < rounds; i++ {
226 blowfish.ExpandKey(ckey, c)
227 blowfish.ExpandKey(csalt, c)
228 }
229
230 return c, nil
231}
232
233func (p *hashed) Hash() []byte {
234 arr := make([]byte, 60)
235 arr[0] = '$'
236 arr[1] = p.major
237 n := 2
238 if p.minor != 0 {
239 arr[2] = p.minor
240 n = 3
241 }
242 arr[n] = '$'
243 n += 1
244 copy(arr[n:], []byte(fmt.Sprintf("%02d", p.cost)))
245 n += 2
246 arr[n] = '$'
247 n += 1
248 copy(arr[n:], p.salt)
249 n += encodedSaltSize
250 copy(arr[n:], p.hash)
251 n += encodedHashSize
252 return arr[:n]
253}
254
255func (p *hashed) decodeVersion(sbytes []byte) (int, error) {
256 if sbytes[0] != '$' {
257 return -1, InvalidHashPrefixError(sbytes[0])
258 }
259 if sbytes[1] > majorVersion {
260 return -1, HashVersionTooNewError(sbytes[1])
261 }
262 p.major = sbytes[1]
263 n := 3
264 if sbytes[2] != '$' {
265 p.minor = sbytes[2]
266 n++
267 }
268 return n, nil
269}
270
271// sbytes should begin where decodeVersion left off.
272func (p *hashed) decodeCost(sbytes []byte) (int, error) {
273 cost, err := strconv.Atoi(string(sbytes[0:2]))
274 if err != nil {
275 return -1, err
276 }
277 err = checkCost(cost)
278 if err != nil {
279 return -1, err
280 }
281 p.cost = cost
282 return 3, nil
283}
284
285func (p *hashed) String() string {
286 return fmt.Sprintf("&{hash: %#v, salt: %#v, cost: %d, major: %c, minor: %c}", string(p.hash), p.salt, p.cost, p.major, p.minor)
287}
288
289func checkCost(cost int) error {
290 if cost < MinCost || cost > MaxCost {
291 return InvalidCostError(cost)
292 }
293 return nil
294}
diff --git a/vendor/golang.org/x/crypto/blowfish/block.go b/vendor/golang.org/x/crypto/blowfish/block.go
new file mode 100644
index 0000000..9d80f19
--- /dev/null
+++ b/vendor/golang.org/x/crypto/blowfish/block.go
@@ -0,0 +1,159 @@
1// Copyright 2010 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package blowfish
6
7// getNextWord returns the next big-endian uint32 value from the byte slice
8// at the given position in a circular manner, updating the position.
9func getNextWord(b []byte, pos *int) uint32 {
10 var w uint32
11 j := *pos
12 for i := 0; i < 4; i++ {
13 w = w<<8 | uint32(b[j])
14 j++
15 if j >= len(b) {
16 j = 0
17 }
18 }
19 *pos = j
20 return w
21}
22
23// ExpandKey performs a key expansion on the given *Cipher. Specifically, it
24// performs the Blowfish algorithm's key schedule which sets up the *Cipher's
25// pi and substitution tables for calls to Encrypt. This is used, primarily,
26// by the bcrypt package to reuse the Blowfish key schedule during its
27// set up. It's unlikely that you need to use this directly.
28func ExpandKey(key []byte, c *Cipher) {
29 j := 0
30 for i := 0; i < 18; i++ {
31 // Using inlined getNextWord for performance.
32 var d uint32
33 for k := 0; k < 4; k++ {
34 d = d<<8 | uint32(key[j])
35 j++
36 if j >= len(key) {
37 j = 0
38 }
39 }
40 c.p[i] ^= d
41 }
42
43 var l, r uint32
44 for i := 0; i < 18; i += 2 {
45 l, r = encryptBlock(l, r, c)
46 c.p[i], c.p[i+1] = l, r
47 }
48
49 for i := 0; i < 256; i += 2 {
50 l, r = encryptBlock(l, r, c)
51 c.s0[i], c.s0[i+1] = l, r
52 }
53 for i := 0; i < 256; i += 2 {
54 l, r = encryptBlock(l, r, c)
55 c.s1[i], c.s1[i+1] = l, r
56 }
57 for i := 0; i < 256; i += 2 {
58 l, r = encryptBlock(l, r, c)
59 c.s2[i], c.s2[i+1] = l, r
60 }
61 for i := 0; i < 256; i += 2 {
62 l, r = encryptBlock(l, r, c)
63 c.s3[i], c.s3[i+1] = l, r
64 }
65}
66
67// This is similar to ExpandKey, but folds the salt during the key
68// schedule. While ExpandKey is essentially expandKeyWithSalt with an all-zero
69// salt passed in, reusing ExpandKey turns out to be a place of inefficiency
70// and specializing it here is useful.
71func expandKeyWithSalt(key []byte, salt []byte, c *Cipher) {
72 j := 0
73 for i := 0; i < 18; i++ {
74 c.p[i] ^= getNextWord(key, &j)
75 }
76
77 j = 0
78 var l, r uint32
79 for i := 0; i < 18; i += 2 {
80 l ^= getNextWord(salt, &j)
81 r ^= getNextWord(salt, &j)
82 l, r = encryptBlock(l, r, c)
83 c.p[i], c.p[i+1] = l, r
84 }
85
86 for i := 0; i < 256; i += 2 {
87 l ^= getNextWord(salt, &j)
88 r ^= getNextWord(salt, &j)
89 l, r = encryptBlock(l, r, c)
90 c.s0[i], c.s0[i+1] = l, r
91 }
92
93 for i := 0; i < 256; i += 2 {
94 l ^= getNextWord(salt, &j)
95 r ^= getNextWord(salt, &j)
96 l, r = encryptBlock(l, r, c)
97 c.s1[i], c.s1[i+1] = l, r
98 }
99
100 for i := 0; i < 256; i += 2 {
101 l ^= getNextWord(salt, &j)
102 r ^= getNextWord(salt, &j)
103 l, r = encryptBlock(l, r, c)
104 c.s2[i], c.s2[i+1] = l, r
105 }
106
107 for i := 0; i < 256; i += 2 {
108 l ^= getNextWord(salt, &j)
109 r ^= getNextWord(salt, &j)
110 l, r = encryptBlock(l, r, c)
111 c.s3[i], c.s3[i+1] = l, r
112 }
113}
114
115func encryptBlock(l, r uint32, c *Cipher) (uint32, uint32) {
116 xl, xr := l, r
117 xl ^= c.p[0]
118 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[1]
119 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[2]
120 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[3]
121 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[4]
122 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[5]
123 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[6]
124 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[7]
125 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[8]
126 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[9]
127 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[10]
128 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[11]
129 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[12]
130 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[13]
131 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[14]
132 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[15]
133 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[16]
134 xr ^= c.p[17]
135 return xr, xl
136}
137
138func decryptBlock(l, r uint32, c *Cipher) (uint32, uint32) {
139 xl, xr := l, r
140 xl ^= c.p[17]
141 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[16]
142 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[15]
143 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[14]
144 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[13]
145 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[12]
146 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[11]
147 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[10]
148 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[9]
149 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[8]
150 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[7]
151 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[6]
152 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[5]
153 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[4]
154 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[3]
155 xr ^= ((c.s0[byte(xl>>24)] + c.s1[byte(xl>>16)]) ^ c.s2[byte(xl>>8)]) + c.s3[byte(xl)] ^ c.p[2]
156 xl ^= ((c.s0[byte(xr>>24)] + c.s1[byte(xr>>16)]) ^ c.s2[byte(xr>>8)]) + c.s3[byte(xr)] ^ c.p[1]
157 xr ^= c.p[0]
158 return xr, xl
159}
diff --git a/vendor/golang.org/x/crypto/blowfish/cipher.go b/vendor/golang.org/x/crypto/blowfish/cipher.go
new file mode 100644
index 0000000..a73954f
--- /dev/null
+++ b/vendor/golang.org/x/crypto/blowfish/cipher.go
@@ -0,0 +1,91 @@
1// Copyright 2010 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// Package blowfish implements Bruce Schneier's Blowfish encryption algorithm.
6package blowfish // import "golang.org/x/crypto/blowfish"
7
8// The code is a port of Bruce Schneier's C implementation.
9// See http://www.schneier.com/blowfish.html.
10
11import "strconv"
12
13// The Blowfish block size in bytes.
14const BlockSize = 8
15
16// A Cipher is an instance of Blowfish encryption using a particular key.
17type Cipher struct {
18 p [18]uint32
19 s0, s1, s2, s3 [256]uint32
20}
21
22type KeySizeError int
23
24func (k KeySizeError) Error() string {
25 return "crypto/blowfish: invalid key size " + strconv.Itoa(int(k))
26}
27
28// NewCipher creates and returns a Cipher.
29// The key argument should be the Blowfish key, from 1 to 56 bytes.
30func NewCipher(key []byte) (*Cipher, error) {
31 var result Cipher
32 if k := len(key); k < 1 || k > 56 {
33 return nil, KeySizeError(k)
34 }
35 initCipher(&result)
36 ExpandKey(key, &result)
37 return &result, nil
38}
39
40// NewSaltedCipher creates a returns a Cipher that folds a salt into its key
41// schedule. For most purposes, NewCipher, instead of NewSaltedCipher, is
42// sufficient and desirable. For bcrypt compatibility, the key can be over 56
43// bytes.
44func NewSaltedCipher(key, salt []byte) (*Cipher, error) {
45 if len(salt) == 0 {
46 return NewCipher(key)
47 }
48 var result Cipher
49 if k := len(key); k < 1 {
50 return nil, KeySizeError(k)
51 }
52 initCipher(&result)
53 expandKeyWithSalt(key, salt, &result)
54 return &result, nil
55}
56
57// BlockSize returns the Blowfish block size, 8 bytes.
58// It is necessary to satisfy the Block interface in the
59// package "crypto/cipher".
60func (c *Cipher) BlockSize() int { return BlockSize }
61
62// Encrypt encrypts the 8-byte buffer src using the key k
63// and stores the result in dst.
64// Note that for amounts of data larger than a block,
65// it is not safe to just call Encrypt on successive blocks;
66// instead, use an encryption mode like CBC (see crypto/cipher/cbc.go).
67func (c *Cipher) Encrypt(dst, src []byte) {
68 l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
69 r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
70 l, r = encryptBlock(l, r, c)
71 dst[0], dst[1], dst[2], dst[3] = byte(l>>24), byte(l>>16), byte(l>>8), byte(l)
72 dst[4], dst[5], dst[6], dst[7] = byte(r>>24), byte(r>>16), byte(r>>8), byte(r)
73}
74
75// Decrypt decrypts the 8-byte buffer src using the key k
76// and stores the result in dst.
77func (c *Cipher) Decrypt(dst, src []byte) {
78 l := uint32(src[0])<<24 | uint32(src[1])<<16 | uint32(src[2])<<8 | uint32(src[3])
79 r := uint32(src[4])<<24 | uint32(src[5])<<16 | uint32(src[6])<<8 | uint32(src[7])
80 l, r = decryptBlock(l, r, c)
81 dst[0], dst[1], dst[2], dst[3] = byte(l>>24), byte(l>>16), byte(l>>8), byte(l)
82 dst[4], dst[5], dst[6], dst[7] = byte(r>>24), byte(r>>16), byte(r>>8), byte(r)
83}
84
85func initCipher(c *Cipher) {
86 copy(c.p[0:], p[0:])
87 copy(c.s0[0:], s0[0:])
88 copy(c.s1[0:], s1[0:])
89 copy(c.s2[0:], s2[0:])
90 copy(c.s3[0:], s3[0:])
91}
diff --git a/vendor/golang.org/x/crypto/blowfish/const.go b/vendor/golang.org/x/crypto/blowfish/const.go
new file mode 100644
index 0000000..8c5ee4c
--- /dev/null
+++ b/vendor/golang.org/x/crypto/blowfish/const.go
@@ -0,0 +1,199 @@
1// Copyright 2010 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// The startup permutation array and substitution boxes.
6// They are the hexadecimal digits of PI; see:
7// http://www.schneier.com/code/constants.txt.
8
9package blowfish
10
11var s0 = [256]uint32{
12 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7, 0xb8e1afed, 0x6a267e96,
13 0xba7c9045, 0xf12c7f99, 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16,
14 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e, 0x0d95748f, 0x728eb658,
15 0x718bcd58, 0x82154aee, 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013,
16 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef, 0x8e79dcb0, 0x603a180e,
17 0x6c9e0e8b, 0xb01e8a3e, 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60,
18 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440, 0x55ca396a, 0x2aab10b6,
19 0xb4cc5c34, 0x1141e8ce, 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a,
20 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e, 0xafd6ba33, 0x6c24cf5c,
21 0x7a325381, 0x28958677, 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193,
22 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032, 0xef845d5d, 0xe98575b1,
23 0xdc262302, 0xeb651b88, 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239,
24 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e, 0x21c66842, 0xf6e96c9a,
25 0x670c9c61, 0xabd388f0, 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3,
26 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98, 0xa1f1651d, 0x39af0176,
27 0x66ca593e, 0x82430e88, 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe,
28 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6, 0x4ed3aa62, 0x363f7706,
29 0x1bfedf72, 0x429b023d, 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b,
30 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7, 0xe3fe501a, 0xb6794c3b,
31 0x976ce0bd, 0x04c006ba, 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463,
32 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f, 0x6dfc511f, 0x9b30952c,
33 0xcc814544, 0xaf5ebd09, 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3,
34 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb, 0x5579c0bd, 0x1a60320a,
35 0xd6a100c6, 0x402c7279, 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8,
36 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab, 0x323db5fa, 0xfd238760,
37 0x53317b48, 0x3e00df82, 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db,
38 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573, 0x695b27b0, 0xbbca58c8,
39 0xe1ffa35d, 0xb8f011a0, 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b,
40 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790, 0xe1ddf2da, 0xa4cb7e33,
41 0x62fb1341, 0xcee4c6e8, 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4,
42 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0, 0xd08ed1d0, 0xafc725e0,
43 0x8e3c5b2f, 0x8e7594b7, 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c,
44 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad, 0x2f2f2218, 0xbe0e1777,
45 0xea752dfe, 0x8b021fa1, 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299,
46 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9, 0x165fa266, 0x80957705,
47 0x93cc7314, 0x211a1477, 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf,
48 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49, 0x00250e2d, 0x2071b35e,
49 0x226800bb, 0x57b8e0af, 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa,
50 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5, 0x83260376, 0x6295cfa9,
51 0x11c81968, 0x4e734a41, 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915,
52 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400, 0x08ba6fb5, 0x571be91f,
53 0xf296ec6b, 0x2a0dd915, 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664,
54 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a,
55}
56
57var s1 = [256]uint32{
58 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623, 0xad6ea6b0, 0x49a7df7d,
59 0x9cee60b8, 0x8fedb266, 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1,
60 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e, 0x3f54989a, 0x5b429d65,
61 0x6b8fe4d6, 0x99f73fd6, 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1,
62 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e, 0x09686b3f, 0x3ebaefc9,
63 0x3c971814, 0x6b6a70a1, 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737,
64 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8, 0xb03ada37, 0xf0500c0d,
65 0xf01c1f04, 0x0200b3ff, 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd,
66 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701, 0x3ae5e581, 0x37c2dadc,
67 0xc8b57634, 0x9af3dda7, 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41,
68 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331, 0x4e548b38, 0x4f6db908,
69 0x6f420d03, 0xf60a04bf, 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af,
70 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e, 0x5512721f, 0x2e6b7124,
71 0x501adde6, 0x9f84cd87, 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c,
72 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2, 0xef1c1847, 0x3215d908,
73 0xdd433b37, 0x24c2ba16, 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd,
74 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b, 0x043556f1, 0xd7a3c76b,
75 0x3c11183b, 0x5924a509, 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e,
76 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3, 0x771fe71c, 0x4e3d06fa,
77 0x2965dcb9, 0x99e71d0f, 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a,
78 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4, 0xf2f74ea7, 0x361d2b3d,
79 0x1939260f, 0x19c27960, 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66,
80 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28, 0xc332ddef, 0xbe6c5aa5,
81 0x65582185, 0x68ab9802, 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84,
82 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510, 0x13cca830, 0xeb61bd96,
83 0x0334fe1e, 0xaa0363cf, 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14,
84 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e, 0x648b1eaf, 0x19bdf0ca,
85 0xa02369b9, 0x655abb50, 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7,
86 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8, 0xf837889a, 0x97e32d77,
87 0x11ed935f, 0x16681281, 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99,
88 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696, 0xcdb30aeb, 0x532e3054,
89 0x8fd948e4, 0x6dbc3128, 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73,
90 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0, 0x45eee2b6, 0xa3aaabea,
91 0xdb6c4f15, 0xfacb4fd0, 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105,
92 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250, 0xcf62a1f2, 0x5b8d2646,
93 0xfc8883a0, 0xc1c7b6a3, 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285,
94 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00, 0x58428d2a, 0x0c55f5ea,
95 0x1dadf43e, 0x233f7061, 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb,
96 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e, 0xa6078084, 0x19f8509e,
97 0xe8efd855, 0x61d99735, 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc,
98 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9, 0xdb73dbd3, 0x105588cd,
99 0x675fda79, 0xe3674340, 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20,
100 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7,
101}
102
103var s2 = [256]uint32{
104 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934, 0x411520f7, 0x7602d4f7,
105 0xbcf46b2e, 0xd4a20068, 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af,
106 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840, 0x4d95fc1d, 0x96b591af,
107 0x70f4ddd3, 0x66a02f45, 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504,
108 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a, 0x28507825, 0x530429f4,
109 0x0a2c86da, 0xe9b66dfb, 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee,
110 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6, 0xaace1e7c, 0xd3375fec,
111 0xce78a399, 0x406b2a42, 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b,
112 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2, 0x3a6efa74, 0xdd5b4332,
113 0x6841e7f7, 0xca7820fb, 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527,
114 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b, 0x55a867bc, 0xa1159a58,
115 0xcca92963, 0x99e1db33, 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c,
116 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3, 0x95c11548, 0xe4c66d22,
117 0x48c1133f, 0xc70f86dc, 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17,
118 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564, 0x257b7834, 0x602a9c60,
119 0xdff8e8a3, 0x1f636c1b, 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115,
120 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922, 0x85b2a20e, 0xe6ba0d99,
121 0xde720c8c, 0x2da2f728, 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0,
122 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e, 0x0a476341, 0x992eff74,
123 0x3a6f6eab, 0xf4f8fd37, 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d,
124 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804, 0xf1290dc7, 0xcc00ffa3,
125 0xb5390f92, 0x690fed0b, 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3,
126 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb, 0x37392eb3, 0xcc115979,
127 0x8026e297, 0xf42e312d, 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c,
128 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350, 0x1a6b1018, 0x11caedfa,
129 0x3d25bdd8, 0xe2e1c3c9, 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a,
130 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe, 0x9dbc8057, 0xf0f7c086,
131 0x60787bf8, 0x6003604d, 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc,
132 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f, 0x77a057be, 0xbde8ae24,
133 0x55464299, 0xbf582e61, 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2,
134 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9, 0x7aeb2661, 0x8b1ddf84,
135 0x846a0e79, 0x915f95e2, 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c,
136 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e, 0xb77f19b6, 0xe0a9dc09,
137 0x662d09a1, 0xc4324633, 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10,
138 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169, 0xdcb7da83, 0x573906fe,
139 0xa1e2ce9b, 0x4fcd7f52, 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027,
140 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5, 0xf0177a28, 0xc0f586e0,
141 0x006058aa, 0x30dc7d62, 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634,
142 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76, 0x6f05e409, 0x4b7c0188,
143 0x39720a3d, 0x7c927c24, 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc,
144 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4, 0x1e50ef5e, 0xb161e6f8,
145 0xa28514d9, 0x6c51133c, 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837,
146 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0,
147}
148
149var s3 = [256]uint32{
150 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b, 0x5cb0679e, 0x4fa33742,
151 0xd3822740, 0x99bc9bbe, 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b,
152 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4, 0x5748ab2f, 0xbc946e79,
153 0xc6a376d2, 0x6549c2c8, 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6,
154 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304, 0xa1fad5f0, 0x6a2d519a,
155 0x63ef8ce2, 0x9a86ee22, 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4,
156 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6, 0x2826a2f9, 0xa73a3ae1,
157 0x4ba99586, 0xef5562e9, 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59,
158 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593, 0xe990fd5a, 0x9e34d797,
159 0x2cf0b7d9, 0x022b8b51, 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28,
160 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c, 0xe029ac71, 0xe019a5e6,
161 0x47b0acfd, 0xed93fa9b, 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28,
162 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c, 0x15056dd4, 0x88f46dba,
163 0x03a16125, 0x0564f0bd, 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a,
164 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319, 0x7533d928, 0xb155fdf5,
165 0x03563482, 0x8aba3cbb, 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f,
166 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991, 0xea7a90c2, 0xfb3e7bce,
167 0x5121ce64, 0x774fbe32, 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680,
168 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166, 0xb39a460a, 0x6445c0dd,
169 0x586cdecf, 0x1c20c8ae, 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb,
170 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5, 0x72eacea8, 0xfa6484bb,
171 0x8d6612ae, 0xbf3c6f47, 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370,
172 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d, 0x4040cb08, 0x4eb4e2cc,
173 0x34d2466a, 0x0115af84, 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048,
174 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8, 0x611560b1, 0xe7933fdc,
175 0xbb3a792b, 0x344525bd, 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9,
176 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7, 0x1a908749, 0xd44fbd9a,
177 0xd0dadecb, 0xd50ada38, 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f,
178 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c, 0xbf97222c, 0x15e6fc2a,
179 0x0f91fc71, 0x9b941525, 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1,
180 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442, 0xe0ec6e0e, 0x1698db3b,
181 0x4c98a0be, 0x3278e964, 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e,
182 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8, 0xdf359f8d, 0x9b992f2e,
183 0xe60b6f47, 0x0fe3f11d, 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f,
184 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299, 0xf523f357, 0xa6327623,
185 0x93a83531, 0x56cccd02, 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc,
186 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614, 0xe6c6c7bd, 0x327a140a,
187 0x45e1d006, 0xc3f27b9a, 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6,
188 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b, 0x53113ec0, 0x1640e3d3,
189 0x38abbd60, 0x2547adf0, 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060,
190 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e, 0x1948c25c, 0x02fb8a8c,
191 0x01c36ae4, 0xd6ebe1f9, 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f,
192 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6,
193}
194
195var p = [18]uint32{
196 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, 0xa4093822, 0x299f31d0,
197 0x082efa98, 0xec4e6c89, 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c,
198 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, 0x9216d5d9, 0x8979fb1b,
199}
diff --git a/vendor/golang.org/x/crypto/curve25519/const_amd64.h b/vendor/golang.org/x/crypto/curve25519/const_amd64.h
deleted file mode 100644
index 80ad222..0000000
--- a/vendor/golang.org/x/crypto/curve25519/const_amd64.h
+++ /dev/null
@@ -1,8 +0,0 @@
1// Copyright 2012 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// This code was translated into a form compatible with 6a from the public
6// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
7
8#define REDMASK51 0x0007FFFFFFFFFFFF
diff --git a/vendor/golang.org/x/crypto/curve25519/const_amd64.s b/vendor/golang.org/x/crypto/curve25519/const_amd64.s
deleted file mode 100644
index 0ad5398..0000000
--- a/vendor/golang.org/x/crypto/curve25519/const_amd64.s
+++ /dev/null
@@ -1,20 +0,0 @@
1// Copyright 2012 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// This code was translated into a form compatible with 6a from the public
6// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
7
8// +build amd64,!gccgo,!appengine
9
10// These constants cannot be encoded in non-MOVQ immediates.
11// We access them directly from memory instead.
12
13DATA ·_121666_213(SB)/8, $996687872
14GLOBL ·_121666_213(SB), 8, $8
15
16DATA ·_2P0(SB)/8, $0xFFFFFFFFFFFDA
17GLOBL ·_2P0(SB), 8, $8
18
19DATA ·_2P1234(SB)/8, $0xFFFFFFFFFFFFE
20GLOBL ·_2P1234(SB), 8, $8
diff --git a/vendor/golang.org/x/crypto/curve25519/cswap_amd64.s b/vendor/golang.org/x/crypto/curve25519/cswap_amd64.s
deleted file mode 100644
index 45484d1..0000000
--- a/vendor/golang.org/x/crypto/curve25519/cswap_amd64.s
+++ /dev/null
@@ -1,88 +0,0 @@
1// Copyright 2012 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// This code was translated into a form compatible with 6a from the public
6// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
7
8// +build amd64,!gccgo,!appengine
9
10// func cswap(inout *[5]uint64, v uint64)
11TEXT ·cswap(SB),7,$0
12 MOVQ inout+0(FP),DI
13 MOVQ v+8(FP),SI
14
15 CMPQ SI,$1
16 MOVQ 0(DI),SI
17 MOVQ 80(DI),DX
18 MOVQ 8(DI),CX
19 MOVQ 88(DI),R8
20 MOVQ SI,R9
21 CMOVQEQ DX,SI
22 CMOVQEQ R9,DX
23 MOVQ CX,R9
24 CMOVQEQ R8,CX
25 CMOVQEQ R9,R8
26 MOVQ SI,0(DI)
27 MOVQ DX,80(DI)
28 MOVQ CX,8(DI)
29 MOVQ R8,88(DI)
30 MOVQ 16(DI),SI
31 MOVQ 96(DI),DX
32 MOVQ 24(DI),CX
33 MOVQ 104(DI),R8
34 MOVQ SI,R9
35 CMOVQEQ DX,SI
36 CMOVQEQ R9,DX
37 MOVQ CX,R9
38 CMOVQEQ R8,CX
39 CMOVQEQ R9,R8
40 MOVQ SI,16(DI)
41 MOVQ DX,96(DI)
42 MOVQ CX,24(DI)
43 MOVQ R8,104(DI)
44 MOVQ 32(DI),SI
45 MOVQ 112(DI),DX
46 MOVQ 40(DI),CX
47 MOVQ 120(DI),R8
48 MOVQ SI,R9
49 CMOVQEQ DX,SI
50 CMOVQEQ R9,DX
51 MOVQ CX,R9
52 CMOVQEQ R8,CX
53 CMOVQEQ R9,R8
54 MOVQ SI,32(DI)
55 MOVQ DX,112(DI)
56 MOVQ CX,40(DI)
57 MOVQ R8,120(DI)
58 MOVQ 48(DI),SI
59 MOVQ 128(DI),DX
60 MOVQ 56(DI),CX
61 MOVQ 136(DI),R8
62 MOVQ SI,R9
63 CMOVQEQ DX,SI
64 CMOVQEQ R9,DX
65 MOVQ CX,R9
66 CMOVQEQ R8,CX
67 CMOVQEQ R9,R8
68 MOVQ SI,48(DI)
69 MOVQ DX,128(DI)
70 MOVQ CX,56(DI)
71 MOVQ R8,136(DI)
72 MOVQ 64(DI),SI
73 MOVQ 144(DI),DX
74 MOVQ 72(DI),CX
75 MOVQ 152(DI),R8
76 MOVQ SI,R9
77 CMOVQEQ DX,SI
78 CMOVQEQ R9,DX
79 MOVQ CX,R9
80 CMOVQEQ R8,CX
81 CMOVQEQ R9,R8
82 MOVQ SI,64(DI)
83 MOVQ DX,144(DI)
84 MOVQ CX,72(DI)
85 MOVQ R8,152(DI)
86 MOVQ DI,AX
87 MOVQ SI,DX
88 RET
diff --git a/vendor/golang.org/x/crypto/curve25519/curve25519.go b/vendor/golang.org/x/crypto/curve25519/curve25519.go
deleted file mode 100644
index 6918c47..0000000
--- a/vendor/golang.org/x/crypto/curve25519/curve25519.go
+++ /dev/null
@@ -1,841 +0,0 @@
1// Copyright 2013 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// We have a implementation in amd64 assembly so this code is only run on
6// non-amd64 platforms. The amd64 assembly does not support gccgo.
7// +build !amd64 gccgo appengine
8
9package curve25519
10
11// This code is a port of the public domain, "ref10" implementation of
12// curve25519 from SUPERCOP 20130419 by D. J. Bernstein.
13
14// fieldElement represents an element of the field GF(2^255 - 19). An element
15// t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
16// t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
17// context.
18type fieldElement [10]int32
19
20func feZero(fe *fieldElement) {
21 for i := range fe {
22 fe[i] = 0
23 }
24}
25
26func feOne(fe *fieldElement) {
27 feZero(fe)
28 fe[0] = 1
29}
30
31func feAdd(dst, a, b *fieldElement) {
32 for i := range dst {
33 dst[i] = a[i] + b[i]
34 }
35}
36
37func feSub(dst, a, b *fieldElement) {
38 for i := range dst {
39 dst[i] = a[i] - b[i]
40 }
41}
42
43func feCopy(dst, src *fieldElement) {
44 for i := range dst {
45 dst[i] = src[i]
46 }
47}
48
49// feCSwap replaces (f,g) with (g,f) if b == 1; replaces (f,g) with (f,g) if b == 0.
50//
51// Preconditions: b in {0,1}.
52func feCSwap(f, g *fieldElement, b int32) {
53 var x fieldElement
54 b = -b
55 for i := range x {
56 x[i] = b & (f[i] ^ g[i])
57 }
58
59 for i := range f {
60 f[i] ^= x[i]
61 }
62 for i := range g {
63 g[i] ^= x[i]
64 }
65}
66
67// load3 reads a 24-bit, little-endian value from in.
68func load3(in []byte) int64 {
69 var r int64
70 r = int64(in[0])
71 r |= int64(in[1]) << 8
72 r |= int64(in[2]) << 16
73 return r
74}
75
76// load4 reads a 32-bit, little-endian value from in.
77func load4(in []byte) int64 {
78 var r int64
79 r = int64(in[0])
80 r |= int64(in[1]) << 8
81 r |= int64(in[2]) << 16
82 r |= int64(in[3]) << 24
83 return r
84}
85
86func feFromBytes(dst *fieldElement, src *[32]byte) {
87 h0 := load4(src[:])
88 h1 := load3(src[4:]) << 6
89 h2 := load3(src[7:]) << 5
90 h3 := load3(src[10:]) << 3
91 h4 := load3(src[13:]) << 2
92 h5 := load4(src[16:])
93 h6 := load3(src[20:]) << 7
94 h7 := load3(src[23:]) << 5
95 h8 := load3(src[26:]) << 4
96 h9 := load3(src[29:]) << 2
97
98 var carry [10]int64
99 carry[9] = (h9 + 1<<24) >> 25
100 h0 += carry[9] * 19
101 h9 -= carry[9] << 25
102 carry[1] = (h1 + 1<<24) >> 25
103 h2 += carry[1]
104 h1 -= carry[1] << 25
105 carry[3] = (h3 + 1<<24) >> 25
106 h4 += carry[3]
107 h3 -= carry[3] << 25
108 carry[5] = (h5 + 1<<24) >> 25
109 h6 += carry[5]
110 h5 -= carry[5] << 25
111 carry[7] = (h7 + 1<<24) >> 25
112 h8 += carry[7]
113 h7 -= carry[7] << 25
114
115 carry[0] = (h0 + 1<<25) >> 26
116 h1 += carry[0]
117 h0 -= carry[0] << 26
118 carry[2] = (h2 + 1<<25) >> 26
119 h3 += carry[2]
120 h2 -= carry[2] << 26
121 carry[4] = (h4 + 1<<25) >> 26
122 h5 += carry[4]
123 h4 -= carry[4] << 26
124 carry[6] = (h6 + 1<<25) >> 26
125 h7 += carry[6]
126 h6 -= carry[6] << 26
127 carry[8] = (h8 + 1<<25) >> 26
128 h9 += carry[8]
129 h8 -= carry[8] << 26
130
131 dst[0] = int32(h0)
132 dst[1] = int32(h1)
133 dst[2] = int32(h2)
134 dst[3] = int32(h3)
135 dst[4] = int32(h4)
136 dst[5] = int32(h5)
137 dst[6] = int32(h6)
138 dst[7] = int32(h7)
139 dst[8] = int32(h8)
140 dst[9] = int32(h9)
141}
142
143// feToBytes marshals h to s.
144// Preconditions:
145// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
146//
147// Write p=2^255-19; q=floor(h/p).
148// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
149//
150// Proof:
151// Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
152// Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.
153//
154// Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
155// Then 0<y<1.
156//
157// Write r=h-pq.
158// Have 0<=r<=p-1=2^255-20.
159// Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
160//
161// Write x=r+19(2^-255)r+y.
162// Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
163//
164// Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
165// so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
166func feToBytes(s *[32]byte, h *fieldElement) {
167 var carry [10]int32
168
169 q := (19*h[9] + (1 << 24)) >> 25
170 q = (h[0] + q) >> 26
171 q = (h[1] + q) >> 25
172 q = (h[2] + q) >> 26
173 q = (h[3] + q) >> 25
174 q = (h[4] + q) >> 26
175 q = (h[5] + q) >> 25
176 q = (h[6] + q) >> 26
177 q = (h[7] + q) >> 25
178 q = (h[8] + q) >> 26
179 q = (h[9] + q) >> 25
180
181 // Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
182 h[0] += 19 * q
183 // Goal: Output h-2^255 q, which is between 0 and 2^255-20.
184
185 carry[0] = h[0] >> 26
186 h[1] += carry[0]
187 h[0] -= carry[0] << 26
188 carry[1] = h[1] >> 25
189 h[2] += carry[1]
190 h[1] -= carry[1] << 25
191 carry[2] = h[2] >> 26
192 h[3] += carry[2]
193 h[2] -= carry[2] << 26
194 carry[3] = h[3] >> 25
195 h[4] += carry[3]
196 h[3] -= carry[3] << 25
197 carry[4] = h[4] >> 26
198 h[5] += carry[4]
199 h[4] -= carry[4] << 26
200 carry[5] = h[5] >> 25
201 h[6] += carry[5]
202 h[5] -= carry[5] << 25
203 carry[6] = h[6] >> 26
204 h[7] += carry[6]
205 h[6] -= carry[6] << 26
206 carry[7] = h[7] >> 25
207 h[8] += carry[7]
208 h[7] -= carry[7] << 25
209 carry[8] = h[8] >> 26
210 h[9] += carry[8]
211 h[8] -= carry[8] << 26
212 carry[9] = h[9] >> 25
213 h[9] -= carry[9] << 25
214 // h10 = carry9
215
216 // Goal: Output h[0]+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
217 // Have h[0]+...+2^230 h[9] between 0 and 2^255-1;
218 // evidently 2^255 h10-2^255 q = 0.
219 // Goal: Output h[0]+...+2^230 h[9].
220
221 s[0] = byte(h[0] >> 0)
222 s[1] = byte(h[0] >> 8)
223 s[2] = byte(h[0] >> 16)
224 s[3] = byte((h[0] >> 24) | (h[1] << 2))
225 s[4] = byte(h[1] >> 6)
226 s[5] = byte(h[1] >> 14)
227 s[6] = byte((h[1] >> 22) | (h[2] << 3))
228 s[7] = byte(h[2] >> 5)
229 s[8] = byte(h[2] >> 13)
230 s[9] = byte((h[2] >> 21) | (h[3] << 5))
231 s[10] = byte(h[3] >> 3)
232 s[11] = byte(h[3] >> 11)
233 s[12] = byte((h[3] >> 19) | (h[4] << 6))
234 s[13] = byte(h[4] >> 2)
235 s[14] = byte(h[4] >> 10)
236 s[15] = byte(h[4] >> 18)
237 s[16] = byte(h[5] >> 0)
238 s[17] = byte(h[5] >> 8)
239 s[18] = byte(h[5] >> 16)
240 s[19] = byte((h[5] >> 24) | (h[6] << 1))
241 s[20] = byte(h[6] >> 7)
242 s[21] = byte(h[6] >> 15)
243 s[22] = byte((h[6] >> 23) | (h[7] << 3))
244 s[23] = byte(h[7] >> 5)
245 s[24] = byte(h[7] >> 13)
246 s[25] = byte((h[7] >> 21) | (h[8] << 4))
247 s[26] = byte(h[8] >> 4)
248 s[27] = byte(h[8] >> 12)
249 s[28] = byte((h[8] >> 20) | (h[9] << 6))
250 s[29] = byte(h[9] >> 2)
251 s[30] = byte(h[9] >> 10)
252 s[31] = byte(h[9] >> 18)
253}
254
255// feMul calculates h = f * g
256// Can overlap h with f or g.
257//
258// Preconditions:
259// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
260// |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
261//
262// Postconditions:
263// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
264//
265// Notes on implementation strategy:
266//
267// Using schoolbook multiplication.
268// Karatsuba would save a little in some cost models.
269//
270// Most multiplications by 2 and 19 are 32-bit precomputations;
271// cheaper than 64-bit postcomputations.
272//
273// There is one remaining multiplication by 19 in the carry chain;
274// one *19 precomputation can be merged into this,
275// but the resulting data flow is considerably less clean.
276//
277// There are 12 carries below.
278// 10 of them are 2-way parallelizable and vectorizable.
279// Can get away with 11 carries, but then data flow is much deeper.
280//
281// With tighter constraints on inputs can squeeze carries into int32.
282func feMul(h, f, g *fieldElement) {
283 f0 := f[0]
284 f1 := f[1]
285 f2 := f[2]
286 f3 := f[3]
287 f4 := f[4]
288 f5 := f[5]
289 f6 := f[6]
290 f7 := f[7]
291 f8 := f[8]
292 f9 := f[9]
293 g0 := g[0]
294 g1 := g[1]
295 g2 := g[2]
296 g3 := g[3]
297 g4 := g[4]
298 g5 := g[5]
299 g6 := g[6]
300 g7 := g[7]
301 g8 := g[8]
302 g9 := g[9]
303 g1_19 := 19 * g1 // 1.4*2^29
304 g2_19 := 19 * g2 // 1.4*2^30; still ok
305 g3_19 := 19 * g3
306 g4_19 := 19 * g4
307 g5_19 := 19 * g5
308 g6_19 := 19 * g6
309 g7_19 := 19 * g7
310 g8_19 := 19 * g8
311 g9_19 := 19 * g9
312 f1_2 := 2 * f1
313 f3_2 := 2 * f3
314 f5_2 := 2 * f5
315 f7_2 := 2 * f7
316 f9_2 := 2 * f9
317 f0g0 := int64(f0) * int64(g0)
318 f0g1 := int64(f0) * int64(g1)
319 f0g2 := int64(f0) * int64(g2)
320 f0g3 := int64(f0) * int64(g3)
321 f0g4 := int64(f0) * int64(g4)
322 f0g5 := int64(f0) * int64(g5)
323 f0g6 := int64(f0) * int64(g6)
324 f0g7 := int64(f0) * int64(g7)
325 f0g8 := int64(f0) * int64(g8)
326 f0g9 := int64(f0) * int64(g9)
327 f1g0 := int64(f1) * int64(g0)
328 f1g1_2 := int64(f1_2) * int64(g1)
329 f1g2 := int64(f1) * int64(g2)
330 f1g3_2 := int64(f1_2) * int64(g3)
331 f1g4 := int64(f1) * int64(g4)
332 f1g5_2 := int64(f1_2) * int64(g5)
333 f1g6 := int64(f1) * int64(g6)
334 f1g7_2 := int64(f1_2) * int64(g7)
335 f1g8 := int64(f1) * int64(g8)
336 f1g9_38 := int64(f1_2) * int64(g9_19)
337 f2g0 := int64(f2) * int64(g0)
338 f2g1 := int64(f2) * int64(g1)
339 f2g2 := int64(f2) * int64(g2)
340 f2g3 := int64(f2) * int64(g3)
341 f2g4 := int64(f2) * int64(g4)
342 f2g5 := int64(f2) * int64(g5)
343 f2g6 := int64(f2) * int64(g6)
344 f2g7 := int64(f2) * int64(g7)
345 f2g8_19 := int64(f2) * int64(g8_19)
346 f2g9_19 := int64(f2) * int64(g9_19)
347 f3g0 := int64(f3) * int64(g0)
348 f3g1_2 := int64(f3_2) * int64(g1)
349 f3g2 := int64(f3) * int64(g2)
350 f3g3_2 := int64(f3_2) * int64(g3)
351 f3g4 := int64(f3) * int64(g4)
352 f3g5_2 := int64(f3_2) * int64(g5)
353 f3g6 := int64(f3) * int64(g6)
354 f3g7_38 := int64(f3_2) * int64(g7_19)
355 f3g8_19 := int64(f3) * int64(g8_19)
356 f3g9_38 := int64(f3_2) * int64(g9_19)
357 f4g0 := int64(f4) * int64(g0)
358 f4g1 := int64(f4) * int64(g1)
359 f4g2 := int64(f4) * int64(g2)
360 f4g3 := int64(f4) * int64(g3)
361 f4g4 := int64(f4) * int64(g4)
362 f4g5 := int64(f4) * int64(g5)
363 f4g6_19 := int64(f4) * int64(g6_19)
364 f4g7_19 := int64(f4) * int64(g7_19)
365 f4g8_19 := int64(f4) * int64(g8_19)
366 f4g9_19 := int64(f4) * int64(g9_19)
367 f5g0 := int64(f5) * int64(g0)
368 f5g1_2 := int64(f5_2) * int64(g1)
369 f5g2 := int64(f5) * int64(g2)
370 f5g3_2 := int64(f5_2) * int64(g3)
371 f5g4 := int64(f5) * int64(g4)
372 f5g5_38 := int64(f5_2) * int64(g5_19)
373 f5g6_19 := int64(f5) * int64(g6_19)
374 f5g7_38 := int64(f5_2) * int64(g7_19)
375 f5g8_19 := int64(f5) * int64(g8_19)
376 f5g9_38 := int64(f5_2) * int64(g9_19)
377 f6g0 := int64(f6) * int64(g0)
378 f6g1 := int64(f6) * int64(g1)
379 f6g2 := int64(f6) * int64(g2)
380 f6g3 := int64(f6) * int64(g3)
381 f6g4_19 := int64(f6) * int64(g4_19)
382 f6g5_19 := int64(f6) * int64(g5_19)
383 f6g6_19 := int64(f6) * int64(g6_19)
384 f6g7_19 := int64(f6) * int64(g7_19)
385 f6g8_19 := int64(f6) * int64(g8_19)
386 f6g9_19 := int64(f6) * int64(g9_19)
387 f7g0 := int64(f7) * int64(g0)
388 f7g1_2 := int64(f7_2) * int64(g1)
389 f7g2 := int64(f7) * int64(g2)
390 f7g3_38 := int64(f7_2) * int64(g3_19)
391 f7g4_19 := int64(f7) * int64(g4_19)
392 f7g5_38 := int64(f7_2) * int64(g5_19)
393 f7g6_19 := int64(f7) * int64(g6_19)
394 f7g7_38 := int64(f7_2) * int64(g7_19)
395 f7g8_19 := int64(f7) * int64(g8_19)
396 f7g9_38 := int64(f7_2) * int64(g9_19)
397 f8g0 := int64(f8) * int64(g0)
398 f8g1 := int64(f8) * int64(g1)
399 f8g2_19 := int64(f8) * int64(g2_19)
400 f8g3_19 := int64(f8) * int64(g3_19)
401 f8g4_19 := int64(f8) * int64(g4_19)
402 f8g5_19 := int64(f8) * int64(g5_19)
403 f8g6_19 := int64(f8) * int64(g6_19)
404 f8g7_19 := int64(f8) * int64(g7_19)
405 f8g8_19 := int64(f8) * int64(g8_19)
406 f8g9_19 := int64(f8) * int64(g9_19)
407 f9g0 := int64(f9) * int64(g0)
408 f9g1_38 := int64(f9_2) * int64(g1_19)
409 f9g2_19 := int64(f9) * int64(g2_19)
410 f9g3_38 := int64(f9_2) * int64(g3_19)
411 f9g4_19 := int64(f9) * int64(g4_19)
412 f9g5_38 := int64(f9_2) * int64(g5_19)
413 f9g6_19 := int64(f9) * int64(g6_19)
414 f9g7_38 := int64(f9_2) * int64(g7_19)
415 f9g8_19 := int64(f9) * int64(g8_19)
416 f9g9_38 := int64(f9_2) * int64(g9_19)
417 h0 := f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38
418 h1 := f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19
419 h2 := f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38
420 h3 := f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19
421 h4 := f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38
422 h5 := f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19
423 h6 := f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38
424 h7 := f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19
425 h8 := f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38
426 h9 := f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0
427 var carry [10]int64
428
429 // |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38))
430 // i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8
431 // |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19))
432 // i.e. |h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9
433
434 carry[0] = (h0 + (1 << 25)) >> 26
435 h1 += carry[0]
436 h0 -= carry[0] << 26
437 carry[4] = (h4 + (1 << 25)) >> 26
438 h5 += carry[4]
439 h4 -= carry[4] << 26
440 // |h0| <= 2^25
441 // |h4| <= 2^25
442 // |h1| <= 1.51*2^58
443 // |h5| <= 1.51*2^58
444
445 carry[1] = (h1 + (1 << 24)) >> 25
446 h2 += carry[1]
447 h1 -= carry[1] << 25
448 carry[5] = (h5 + (1 << 24)) >> 25
449 h6 += carry[5]
450 h5 -= carry[5] << 25
451 // |h1| <= 2^24; from now on fits into int32
452 // |h5| <= 2^24; from now on fits into int32
453 // |h2| <= 1.21*2^59
454 // |h6| <= 1.21*2^59
455
456 carry[2] = (h2 + (1 << 25)) >> 26
457 h3 += carry[2]
458 h2 -= carry[2] << 26
459 carry[6] = (h6 + (1 << 25)) >> 26
460 h7 += carry[6]
461 h6 -= carry[6] << 26
462 // |h2| <= 2^25; from now on fits into int32 unchanged
463 // |h6| <= 2^25; from now on fits into int32 unchanged
464 // |h3| <= 1.51*2^58
465 // |h7| <= 1.51*2^58
466
467 carry[3] = (h3 + (1 << 24)) >> 25
468 h4 += carry[3]
469 h3 -= carry[3] << 25
470 carry[7] = (h7 + (1 << 24)) >> 25
471 h8 += carry[7]
472 h7 -= carry[7] << 25
473 // |h3| <= 2^24; from now on fits into int32 unchanged
474 // |h7| <= 2^24; from now on fits into int32 unchanged
475 // |h4| <= 1.52*2^33
476 // |h8| <= 1.52*2^33
477
478 carry[4] = (h4 + (1 << 25)) >> 26
479 h5 += carry[4]
480 h4 -= carry[4] << 26
481 carry[8] = (h8 + (1 << 25)) >> 26
482 h9 += carry[8]
483 h8 -= carry[8] << 26
484 // |h4| <= 2^25; from now on fits into int32 unchanged
485 // |h8| <= 2^25; from now on fits into int32 unchanged
486 // |h5| <= 1.01*2^24
487 // |h9| <= 1.51*2^58
488
489 carry[9] = (h9 + (1 << 24)) >> 25
490 h0 += carry[9] * 19
491 h9 -= carry[9] << 25
492 // |h9| <= 2^24; from now on fits into int32 unchanged
493 // |h0| <= 1.8*2^37
494
495 carry[0] = (h0 + (1 << 25)) >> 26
496 h1 += carry[0]
497 h0 -= carry[0] << 26
498 // |h0| <= 2^25; from now on fits into int32 unchanged
499 // |h1| <= 1.01*2^24
500
501 h[0] = int32(h0)
502 h[1] = int32(h1)
503 h[2] = int32(h2)
504 h[3] = int32(h3)
505 h[4] = int32(h4)
506 h[5] = int32(h5)
507 h[6] = int32(h6)
508 h[7] = int32(h7)
509 h[8] = int32(h8)
510 h[9] = int32(h9)
511}
512
513// feSquare calculates h = f*f. Can overlap h with f.
514//
515// Preconditions:
516// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
517//
518// Postconditions:
519// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
520func feSquare(h, f *fieldElement) {
521 f0 := f[0]
522 f1 := f[1]
523 f2 := f[2]
524 f3 := f[3]
525 f4 := f[4]
526 f5 := f[5]
527 f6 := f[6]
528 f7 := f[7]
529 f8 := f[8]
530 f9 := f[9]
531 f0_2 := 2 * f0
532 f1_2 := 2 * f1
533 f2_2 := 2 * f2
534 f3_2 := 2 * f3
535 f4_2 := 2 * f4
536 f5_2 := 2 * f5
537 f6_2 := 2 * f6
538 f7_2 := 2 * f7
539 f5_38 := 38 * f5 // 1.31*2^30
540 f6_19 := 19 * f6 // 1.31*2^30
541 f7_38 := 38 * f7 // 1.31*2^30
542 f8_19 := 19 * f8 // 1.31*2^30
543 f9_38 := 38 * f9 // 1.31*2^30
544 f0f0 := int64(f0) * int64(f0)
545 f0f1_2 := int64(f0_2) * int64(f1)
546 f0f2_2 := int64(f0_2) * int64(f2)
547 f0f3_2 := int64(f0_2) * int64(f3)
548 f0f4_2 := int64(f0_2) * int64(f4)
549 f0f5_2 := int64(f0_2) * int64(f5)
550 f0f6_2 := int64(f0_2) * int64(f6)
551 f0f7_2 := int64(f0_2) * int64(f7)
552 f0f8_2 := int64(f0_2) * int64(f8)
553 f0f9_2 := int64(f0_2) * int64(f9)
554 f1f1_2 := int64(f1_2) * int64(f1)
555 f1f2_2 := int64(f1_2) * int64(f2)
556 f1f3_4 := int64(f1_2) * int64(f3_2)
557 f1f4_2 := int64(f1_2) * int64(f4)
558 f1f5_4 := int64(f1_2) * int64(f5_2)
559 f1f6_2 := int64(f1_2) * int64(f6)
560 f1f7_4 := int64(f1_2) * int64(f7_2)
561 f1f8_2 := int64(f1_2) * int64(f8)
562 f1f9_76 := int64(f1_2) * int64(f9_38)
563 f2f2 := int64(f2) * int64(f2)
564 f2f3_2 := int64(f2_2) * int64(f3)
565 f2f4_2 := int64(f2_2) * int64(f4)
566 f2f5_2 := int64(f2_2) * int64(f5)
567 f2f6_2 := int64(f2_2) * int64(f6)
568 f2f7_2 := int64(f2_2) * int64(f7)
569 f2f8_38 := int64(f2_2) * int64(f8_19)
570 f2f9_38 := int64(f2) * int64(f9_38)
571 f3f3_2 := int64(f3_2) * int64(f3)
572 f3f4_2 := int64(f3_2) * int64(f4)
573 f3f5_4 := int64(f3_2) * int64(f5_2)
574 f3f6_2 := int64(f3_2) * int64(f6)
575 f3f7_76 := int64(f3_2) * int64(f7_38)
576 f3f8_38 := int64(f3_2) * int64(f8_19)
577 f3f9_76 := int64(f3_2) * int64(f9_38)
578 f4f4 := int64(f4) * int64(f4)
579 f4f5_2 := int64(f4_2) * int64(f5)
580 f4f6_38 := int64(f4_2) * int64(f6_19)
581 f4f7_38 := int64(f4) * int64(f7_38)
582 f4f8_38 := int64(f4_2) * int64(f8_19)
583 f4f9_38 := int64(f4) * int64(f9_38)
584 f5f5_38 := int64(f5) * int64(f5_38)
585 f5f6_38 := int64(f5_2) * int64(f6_19)
586 f5f7_76 := int64(f5_2) * int64(f7_38)
587 f5f8_38 := int64(f5_2) * int64(f8_19)
588 f5f9_76 := int64(f5_2) * int64(f9_38)
589 f6f6_19 := int64(f6) * int64(f6_19)
590 f6f7_38 := int64(f6) * int64(f7_38)
591 f6f8_38 := int64(f6_2) * int64(f8_19)
592 f6f9_38 := int64(f6) * int64(f9_38)
593 f7f7_38 := int64(f7) * int64(f7_38)
594 f7f8_38 := int64(f7_2) * int64(f8_19)
595 f7f9_76 := int64(f7_2) * int64(f9_38)
596 f8f8_19 := int64(f8) * int64(f8_19)
597 f8f9_38 := int64(f8) * int64(f9_38)
598 f9f9_38 := int64(f9) * int64(f9_38)
599 h0 := f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38
600 h1 := f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38
601 h2 := f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19
602 h3 := f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38
603 h4 := f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38
604 h5 := f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38
605 h6 := f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19
606 h7 := f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38
607 h8 := f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38
608 h9 := f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2
609 var carry [10]int64
610
611 carry[0] = (h0 + (1 << 25)) >> 26
612 h1 += carry[0]
613 h0 -= carry[0] << 26
614 carry[4] = (h4 + (1 << 25)) >> 26
615 h5 += carry[4]
616 h4 -= carry[4] << 26
617
618 carry[1] = (h1 + (1 << 24)) >> 25
619 h2 += carry[1]
620 h1 -= carry[1] << 25
621 carry[5] = (h5 + (1 << 24)) >> 25
622 h6 += carry[5]
623 h5 -= carry[5] << 25
624
625 carry[2] = (h2 + (1 << 25)) >> 26
626 h3 += carry[2]
627 h2 -= carry[2] << 26
628 carry[6] = (h6 + (1 << 25)) >> 26
629 h7 += carry[6]
630 h6 -= carry[6] << 26
631
632 carry[3] = (h3 + (1 << 24)) >> 25
633 h4 += carry[3]
634 h3 -= carry[3] << 25
635 carry[7] = (h7 + (1 << 24)) >> 25
636 h8 += carry[7]
637 h7 -= carry[7] << 25
638
639 carry[4] = (h4 + (1 << 25)) >> 26
640 h5 += carry[4]
641 h4 -= carry[4] << 26
642 carry[8] = (h8 + (1 << 25)) >> 26
643 h9 += carry[8]
644 h8 -= carry[8] << 26
645
646 carry[9] = (h9 + (1 << 24)) >> 25
647 h0 += carry[9] * 19
648 h9 -= carry[9] << 25
649
650 carry[0] = (h0 + (1 << 25)) >> 26
651 h1 += carry[0]
652 h0 -= carry[0] << 26
653
654 h[0] = int32(h0)
655 h[1] = int32(h1)
656 h[2] = int32(h2)
657 h[3] = int32(h3)
658 h[4] = int32(h4)
659 h[5] = int32(h5)
660 h[6] = int32(h6)
661 h[7] = int32(h7)
662 h[8] = int32(h8)
663 h[9] = int32(h9)
664}
665
666// feMul121666 calculates h = f * 121666. Can overlap h with f.
667//
668// Preconditions:
669// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
670//
671// Postconditions:
672// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
673func feMul121666(h, f *fieldElement) {
674 h0 := int64(f[0]) * 121666
675 h1 := int64(f[1]) * 121666
676 h2 := int64(f[2]) * 121666
677 h3 := int64(f[3]) * 121666
678 h4 := int64(f[4]) * 121666
679 h5 := int64(f[5]) * 121666
680 h6 := int64(f[6]) * 121666
681 h7 := int64(f[7]) * 121666
682 h8 := int64(f[8]) * 121666
683 h9 := int64(f[9]) * 121666
684 var carry [10]int64
685
686 carry[9] = (h9 + (1 << 24)) >> 25
687 h0 += carry[9] * 19
688 h9 -= carry[9] << 25
689 carry[1] = (h1 + (1 << 24)) >> 25
690 h2 += carry[1]
691 h1 -= carry[1] << 25
692 carry[3] = (h3 + (1 << 24)) >> 25
693 h4 += carry[3]
694 h3 -= carry[3] << 25
695 carry[5] = (h5 + (1 << 24)) >> 25
696 h6 += carry[5]
697 h5 -= carry[5] << 25
698 carry[7] = (h7 + (1 << 24)) >> 25
699 h8 += carry[7]
700 h7 -= carry[7] << 25
701
702 carry[0] = (h0 + (1 << 25)) >> 26
703 h1 += carry[0]
704 h0 -= carry[0] << 26
705 carry[2] = (h2 + (1 << 25)) >> 26
706 h3 += carry[2]
707 h2 -= carry[2] << 26
708 carry[4] = (h4 + (1 << 25)) >> 26
709 h5 += carry[4]
710 h4 -= carry[4] << 26
711 carry[6] = (h6 + (1 << 25)) >> 26
712 h7 += carry[6]
713 h6 -= carry[6] << 26
714 carry[8] = (h8 + (1 << 25)) >> 26
715 h9 += carry[8]
716 h8 -= carry[8] << 26
717
718 h[0] = int32(h0)
719 h[1] = int32(h1)
720 h[2] = int32(h2)
721 h[3] = int32(h3)
722 h[4] = int32(h4)
723 h[5] = int32(h5)
724 h[6] = int32(h6)
725 h[7] = int32(h7)
726 h[8] = int32(h8)
727 h[9] = int32(h9)
728}
729
730// feInvert sets out = z^-1.
731func feInvert(out, z *fieldElement) {
732 var t0, t1, t2, t3 fieldElement
733 var i int
734
735 feSquare(&t0, z)
736 for i = 1; i < 1; i++ {
737 feSquare(&t0, &t0)
738 }
739 feSquare(&t1, &t0)
740 for i = 1; i < 2; i++ {
741 feSquare(&t1, &t1)
742 }
743 feMul(&t1, z, &t1)
744 feMul(&t0, &t0, &t1)
745 feSquare(&t2, &t0)
746 for i = 1; i < 1; i++ {
747 feSquare(&t2, &t2)
748 }
749 feMul(&t1, &t1, &t2)
750 feSquare(&t2, &t1)
751 for i = 1; i < 5; i++ {
752 feSquare(&t2, &t2)
753 }
754 feMul(&t1, &t2, &t1)
755 feSquare(&t2, &t1)
756 for i = 1; i < 10; i++ {
757 feSquare(&t2, &t2)
758 }
759 feMul(&t2, &t2, &t1)
760 feSquare(&t3, &t2)
761 for i = 1; i < 20; i++ {
762 feSquare(&t3, &t3)
763 }
764 feMul(&t2, &t3, &t2)
765 feSquare(&t2, &t2)
766 for i = 1; i < 10; i++ {
767 feSquare(&t2, &t2)
768 }
769 feMul(&t1, &t2, &t1)
770 feSquare(&t2, &t1)
771 for i = 1; i < 50; i++ {
772 feSquare(&t2, &t2)
773 }
774 feMul(&t2, &t2, &t1)
775 feSquare(&t3, &t2)
776 for i = 1; i < 100; i++ {
777 feSquare(&t3, &t3)
778 }
779 feMul(&t2, &t3, &t2)
780 feSquare(&t2, &t2)
781 for i = 1; i < 50; i++ {
782 feSquare(&t2, &t2)
783 }
784 feMul(&t1, &t2, &t1)
785 feSquare(&t1, &t1)
786 for i = 1; i < 5; i++ {
787 feSquare(&t1, &t1)
788 }
789 feMul(out, &t1, &t0)
790}
791
792func scalarMult(out, in, base *[32]byte) {
793 var e [32]byte
794
795 copy(e[:], in[:])
796 e[0] &= 248
797 e[31] &= 127
798 e[31] |= 64
799
800 var x1, x2, z2, x3, z3, tmp0, tmp1 fieldElement
801 feFromBytes(&x1, base)
802 feOne(&x2)
803 feCopy(&x3, &x1)
804 feOne(&z3)
805
806 swap := int32(0)
807 for pos := 254; pos >= 0; pos-- {
808 b := e[pos/8] >> uint(pos&7)
809 b &= 1
810 swap ^= int32(b)
811 feCSwap(&x2, &x3, swap)
812 feCSwap(&z2, &z3, swap)
813 swap = int32(b)
814
815 feSub(&tmp0, &x3, &z3)
816 feSub(&tmp1, &x2, &z2)
817 feAdd(&x2, &x2, &z2)
818 feAdd(&z2, &x3, &z3)
819 feMul(&z3, &tmp0, &x2)
820 feMul(&z2, &z2, &tmp1)
821 feSquare(&tmp0, &tmp1)
822 feSquare(&tmp1, &x2)
823 feAdd(&x3, &z3, &z2)
824 feSub(&z2, &z3, &z2)
825 feMul(&x2, &tmp1, &tmp0)
826 feSub(&tmp1, &tmp1, &tmp0)
827 feSquare(&z2, &z2)
828 feMul121666(&z3, &tmp1)
829 feSquare(&x3, &x3)
830 feAdd(&tmp0, &tmp0, &z3)
831 feMul(&z3, &x1, &z2)
832 feMul(&z2, &tmp1, &tmp0)
833 }
834
835 feCSwap(&x2, &x3, swap)
836 feCSwap(&z2, &z3, swap)
837
838 feInvert(&z2, &z2)
839 feMul(&x2, &x2, &z2)
840 feToBytes(out, &x2)
841}
diff --git a/vendor/golang.org/x/crypto/curve25519/doc.go b/vendor/golang.org/x/crypto/curve25519/doc.go
deleted file mode 100644
index ebeea3c..0000000
--- a/vendor/golang.org/x/crypto/curve25519/doc.go
+++ /dev/null
@@ -1,23 +0,0 @@
1// Copyright 2012 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// Package curve25519 provides an implementation of scalar multiplication on
6// the elliptic curve known as curve25519. See http://cr.yp.to/ecdh.html
7package curve25519 // import "golang.org/x/crypto/curve25519"
8
9// basePoint is the x coordinate of the generator of the curve.
10var basePoint = [32]byte{9, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0}
11
12// ScalarMult sets dst to the product in*base where dst and base are the x
13// coordinates of group points and all values are in little-endian form.
14func ScalarMult(dst, in, base *[32]byte) {
15 scalarMult(dst, in, base)
16}
17
18// ScalarBaseMult sets dst to the product in*base where dst and base are the x
19// coordinates of group points, base is the standard generator and all values
20// are in little-endian form.
21func ScalarBaseMult(dst, in *[32]byte) {
22 ScalarMult(dst, in, &basePoint)
23}
diff --git a/vendor/golang.org/x/crypto/curve25519/freeze_amd64.s b/vendor/golang.org/x/crypto/curve25519/freeze_amd64.s
deleted file mode 100644
index 536479b..0000000
--- a/vendor/golang.org/x/crypto/curve25519/freeze_amd64.s
+++ /dev/null
@@ -1,73 +0,0 @@
1// Copyright 2012 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// This code was translated into a form compatible with 6a from the public
6// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
7
8// +build amd64,!gccgo,!appengine
9
10#include "const_amd64.h"
11
12// func freeze(inout *[5]uint64)
13TEXT ·freeze(SB),7,$0-8
14 MOVQ inout+0(FP), DI
15
16 MOVQ 0(DI),SI
17 MOVQ 8(DI),DX
18 MOVQ 16(DI),CX
19 MOVQ 24(DI),R8
20 MOVQ 32(DI),R9
21 MOVQ $REDMASK51,AX
22 MOVQ AX,R10
23 SUBQ $18,R10
24 MOVQ $3,R11
25REDUCELOOP:
26 MOVQ SI,R12
27 SHRQ $51,R12
28 ANDQ AX,SI
29 ADDQ R12,DX
30 MOVQ DX,R12
31 SHRQ $51,R12
32 ANDQ AX,DX
33 ADDQ R12,CX
34 MOVQ CX,R12
35 SHRQ $51,R12
36 ANDQ AX,CX
37 ADDQ R12,R8
38 MOVQ R8,R12
39 SHRQ $51,R12
40 ANDQ AX,R8
41 ADDQ R12,R9
42 MOVQ R9,R12
43 SHRQ $51,R12
44 ANDQ AX,R9
45 IMUL3Q $19,R12,R12
46 ADDQ R12,SI
47 SUBQ $1,R11
48 JA REDUCELOOP
49 MOVQ $1,R12
50 CMPQ R10,SI
51 CMOVQLT R11,R12
52 CMPQ AX,DX
53 CMOVQNE R11,R12
54 CMPQ AX,CX
55 CMOVQNE R11,R12
56 CMPQ AX,R8
57 CMOVQNE R11,R12
58 CMPQ AX,R9
59 CMOVQNE R11,R12
60 NEGQ R12
61 ANDQ R12,AX
62 ANDQ R12,R10
63 SUBQ R10,SI
64 SUBQ AX,DX
65 SUBQ AX,CX
66 SUBQ AX,R8
67 SUBQ AX,R9
68 MOVQ SI,0(DI)
69 MOVQ DX,8(DI)
70 MOVQ CX,16(DI)
71 MOVQ R8,24(DI)
72 MOVQ R9,32(DI)
73 RET
diff --git a/vendor/golang.org/x/crypto/curve25519/ladderstep_amd64.s b/vendor/golang.org/x/crypto/curve25519/ladderstep_amd64.s
deleted file mode 100644
index 7074e5c..0000000
--- a/vendor/golang.org/x/crypto/curve25519/ladderstep_amd64.s
+++ /dev/null
@@ -1,1377 +0,0 @@
1// Copyright 2012 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// This code was translated into a form compatible with 6a from the public
6// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
7
8// +build amd64,!gccgo,!appengine
9
10#include "const_amd64.h"
11
12// func ladderstep(inout *[5][5]uint64)
13TEXT ·ladderstep(SB),0,$296-8
14 MOVQ inout+0(FP),DI
15
16 MOVQ 40(DI),SI
17 MOVQ 48(DI),DX
18 MOVQ 56(DI),CX
19 MOVQ 64(DI),R8
20 MOVQ 72(DI),R9
21 MOVQ SI,AX
22 MOVQ DX,R10
23 MOVQ CX,R11
24 MOVQ R8,R12
25 MOVQ R9,R13
26 ADDQ ·_2P0(SB),AX
27 ADDQ ·_2P1234(SB),R10
28 ADDQ ·_2P1234(SB),R11
29 ADDQ ·_2P1234(SB),R12
30 ADDQ ·_2P1234(SB),R13
31 ADDQ 80(DI),SI
32 ADDQ 88(DI),DX
33 ADDQ 96(DI),CX
34 ADDQ 104(DI),R8
35 ADDQ 112(DI),R9
36 SUBQ 80(DI),AX
37 SUBQ 88(DI),R10
38 SUBQ 96(DI),R11
39 SUBQ 104(DI),R12
40 SUBQ 112(DI),R13
41 MOVQ SI,0(SP)
42 MOVQ DX,8(SP)
43 MOVQ CX,16(SP)
44 MOVQ R8,24(SP)
45 MOVQ R9,32(SP)
46 MOVQ AX,40(SP)
47 MOVQ R10,48(SP)
48 MOVQ R11,56(SP)
49 MOVQ R12,64(SP)
50 MOVQ R13,72(SP)
51 MOVQ 40(SP),AX
52 MULQ 40(SP)
53 MOVQ AX,SI
54 MOVQ DX,CX
55 MOVQ 40(SP),AX
56 SHLQ $1,AX
57 MULQ 48(SP)
58 MOVQ AX,R8
59 MOVQ DX,R9
60 MOVQ 40(SP),AX
61 SHLQ $1,AX
62 MULQ 56(SP)
63 MOVQ AX,R10
64 MOVQ DX,R11
65 MOVQ 40(SP),AX
66 SHLQ $1,AX
67 MULQ 64(SP)
68 MOVQ AX,R12
69 MOVQ DX,R13
70 MOVQ 40(SP),AX
71 SHLQ $1,AX
72 MULQ 72(SP)
73 MOVQ AX,R14
74 MOVQ DX,R15
75 MOVQ 48(SP),AX
76 MULQ 48(SP)
77 ADDQ AX,R10
78 ADCQ DX,R11
79 MOVQ 48(SP),AX
80 SHLQ $1,AX
81 MULQ 56(SP)
82 ADDQ AX,R12
83 ADCQ DX,R13
84 MOVQ 48(SP),AX
85 SHLQ $1,AX
86 MULQ 64(SP)
87 ADDQ AX,R14
88 ADCQ DX,R15
89 MOVQ 48(SP),DX
90 IMUL3Q $38,DX,AX
91 MULQ 72(SP)
92 ADDQ AX,SI
93 ADCQ DX,CX
94 MOVQ 56(SP),AX
95 MULQ 56(SP)
96 ADDQ AX,R14
97 ADCQ DX,R15
98 MOVQ 56(SP),DX
99 IMUL3Q $38,DX,AX
100 MULQ 64(SP)
101 ADDQ AX,SI
102 ADCQ DX,CX
103 MOVQ 56(SP),DX
104 IMUL3Q $38,DX,AX
105 MULQ 72(SP)
106 ADDQ AX,R8
107 ADCQ DX,R9
108 MOVQ 64(SP),DX
109 IMUL3Q $19,DX,AX
110 MULQ 64(SP)
111 ADDQ AX,R8
112 ADCQ DX,R9
113 MOVQ 64(SP),DX
114 IMUL3Q $38,DX,AX
115 MULQ 72(SP)
116 ADDQ AX,R10
117 ADCQ DX,R11
118 MOVQ 72(SP),DX
119 IMUL3Q $19,DX,AX
120 MULQ 72(SP)
121 ADDQ AX,R12
122 ADCQ DX,R13
123 MOVQ $REDMASK51,DX
124 SHLQ $13,CX:SI
125 ANDQ DX,SI
126 SHLQ $13,R9:R8
127 ANDQ DX,R8
128 ADDQ CX,R8
129 SHLQ $13,R11:R10
130 ANDQ DX,R10
131 ADDQ R9,R10
132 SHLQ $13,R13:R12
133 ANDQ DX,R12
134 ADDQ R11,R12
135 SHLQ $13,R15:R14
136 ANDQ DX,R14
137 ADDQ R13,R14
138 IMUL3Q $19,R15,CX
139 ADDQ CX,SI
140 MOVQ SI,CX
141 SHRQ $51,CX
142 ADDQ R8,CX
143 ANDQ DX,SI
144 MOVQ CX,R8
145 SHRQ $51,CX
146 ADDQ R10,CX
147 ANDQ DX,R8
148 MOVQ CX,R9
149 SHRQ $51,CX
150 ADDQ R12,CX
151 ANDQ DX,R9
152 MOVQ CX,AX
153 SHRQ $51,CX
154 ADDQ R14,CX
155 ANDQ DX,AX
156 MOVQ CX,R10
157 SHRQ $51,CX
158 IMUL3Q $19,CX,CX
159 ADDQ CX,SI
160 ANDQ DX,R10
161 MOVQ SI,80(SP)
162 MOVQ R8,88(SP)
163 MOVQ R9,96(SP)
164 MOVQ AX,104(SP)
165 MOVQ R10,112(SP)
166 MOVQ 0(SP),AX
167 MULQ 0(SP)
168 MOVQ AX,SI
169 MOVQ DX,CX
170 MOVQ 0(SP),AX
171 SHLQ $1,AX
172 MULQ 8(SP)
173 MOVQ AX,R8
174 MOVQ DX,R9
175 MOVQ 0(SP),AX
176 SHLQ $1,AX
177 MULQ 16(SP)
178 MOVQ AX,R10
179 MOVQ DX,R11
180 MOVQ 0(SP),AX
181 SHLQ $1,AX
182 MULQ 24(SP)
183 MOVQ AX,R12
184 MOVQ DX,R13
185 MOVQ 0(SP),AX
186 SHLQ $1,AX
187 MULQ 32(SP)
188 MOVQ AX,R14
189 MOVQ DX,R15
190 MOVQ 8(SP),AX
191 MULQ 8(SP)
192 ADDQ AX,R10
193 ADCQ DX,R11
194 MOVQ 8(SP),AX
195 SHLQ $1,AX
196 MULQ 16(SP)
197 ADDQ AX,R12
198 ADCQ DX,R13
199 MOVQ 8(SP),AX
200 SHLQ $1,AX
201 MULQ 24(SP)
202 ADDQ AX,R14
203 ADCQ DX,R15
204 MOVQ 8(SP),DX
205 IMUL3Q $38,DX,AX
206 MULQ 32(SP)
207 ADDQ AX,SI
208 ADCQ DX,CX
209 MOVQ 16(SP),AX
210 MULQ 16(SP)
211 ADDQ AX,R14
212 ADCQ DX,R15
213 MOVQ 16(SP),DX
214 IMUL3Q $38,DX,AX
215 MULQ 24(SP)
216 ADDQ AX,SI
217 ADCQ DX,CX
218 MOVQ 16(SP),DX
219 IMUL3Q $38,DX,AX
220 MULQ 32(SP)
221 ADDQ AX,R8
222 ADCQ DX,R9
223 MOVQ 24(SP),DX
224 IMUL3Q $19,DX,AX
225 MULQ 24(SP)
226 ADDQ AX,R8
227 ADCQ DX,R9
228 MOVQ 24(SP),DX
229 IMUL3Q $38,DX,AX
230 MULQ 32(SP)
231 ADDQ AX,R10
232 ADCQ DX,R11
233 MOVQ 32(SP),DX
234 IMUL3Q $19,DX,AX
235 MULQ 32(SP)
236 ADDQ AX,R12
237 ADCQ DX,R13
238 MOVQ $REDMASK51,DX
239 SHLQ $13,CX:SI
240 ANDQ DX,SI
241 SHLQ $13,R9:R8
242 ANDQ DX,R8
243 ADDQ CX,R8
244 SHLQ $13,R11:R10
245 ANDQ DX,R10
246 ADDQ R9,R10
247 SHLQ $13,R13:R12
248 ANDQ DX,R12
249 ADDQ R11,R12
250 SHLQ $13,R15:R14
251 ANDQ DX,R14
252 ADDQ R13,R14
253 IMUL3Q $19,R15,CX
254 ADDQ CX,SI
255 MOVQ SI,CX
256 SHRQ $51,CX
257 ADDQ R8,CX
258 ANDQ DX,SI
259 MOVQ CX,R8
260 SHRQ $51,CX
261 ADDQ R10,CX
262 ANDQ DX,R8
263 MOVQ CX,R9
264 SHRQ $51,CX
265 ADDQ R12,CX
266 ANDQ DX,R9
267 MOVQ CX,AX
268 SHRQ $51,CX
269 ADDQ R14,CX
270 ANDQ DX,AX
271 MOVQ CX,R10
272 SHRQ $51,CX
273 IMUL3Q $19,CX,CX
274 ADDQ CX,SI
275 ANDQ DX,R10
276 MOVQ SI,120(SP)
277 MOVQ R8,128(SP)
278 MOVQ R9,136(SP)
279 MOVQ AX,144(SP)
280 MOVQ R10,152(SP)
281 MOVQ SI,SI
282 MOVQ R8,DX
283 MOVQ R9,CX
284 MOVQ AX,R8
285 MOVQ R10,R9
286 ADDQ ·_2P0(SB),SI
287 ADDQ ·_2P1234(SB),DX
288 ADDQ ·_2P1234(SB),CX
289 ADDQ ·_2P1234(SB),R8
290 ADDQ ·_2P1234(SB),R9
291 SUBQ 80(SP),SI
292 SUBQ 88(SP),DX
293 SUBQ 96(SP),CX
294 SUBQ 104(SP),R8
295 SUBQ 112(SP),R9
296 MOVQ SI,160(SP)
297 MOVQ DX,168(SP)
298 MOVQ CX,176(SP)
299 MOVQ R8,184(SP)
300 MOVQ R9,192(SP)
301 MOVQ 120(DI),SI
302 MOVQ 128(DI),DX
303 MOVQ 136(DI),CX
304 MOVQ 144(DI),R8
305 MOVQ 152(DI),R9
306 MOVQ SI,AX
307 MOVQ DX,R10
308 MOVQ CX,R11
309 MOVQ R8,R12
310 MOVQ R9,R13
311 ADDQ ·_2P0(SB),AX
312 ADDQ ·_2P1234(SB),R10
313 ADDQ ·_2P1234(SB),R11
314 ADDQ ·_2P1234(SB),R12
315 ADDQ ·_2P1234(SB),R13
316 ADDQ 160(DI),SI
317 ADDQ 168(DI),DX
318 ADDQ 176(DI),CX
319 ADDQ 184(DI),R8
320 ADDQ 192(DI),R9
321 SUBQ 160(DI),AX
322 SUBQ 168(DI),R10
323 SUBQ 176(DI),R11
324 SUBQ 184(DI),R12
325 SUBQ 192(DI),R13
326 MOVQ SI,200(SP)
327 MOVQ DX,208(SP)
328 MOVQ CX,216(SP)
329 MOVQ R8,224(SP)
330 MOVQ R9,232(SP)
331 MOVQ AX,240(SP)
332 MOVQ R10,248(SP)
333 MOVQ R11,256(SP)
334 MOVQ R12,264(SP)
335 MOVQ R13,272(SP)
336 MOVQ 224(SP),SI
337 IMUL3Q $19,SI,AX
338 MOVQ AX,280(SP)
339 MULQ 56(SP)
340 MOVQ AX,SI
341 MOVQ DX,CX
342 MOVQ 232(SP),DX
343 IMUL3Q $19,DX,AX
344 MOVQ AX,288(SP)
345 MULQ 48(SP)
346 ADDQ AX,SI
347 ADCQ DX,CX
348 MOVQ 200(SP),AX
349 MULQ 40(SP)
350 ADDQ AX,SI
351 ADCQ DX,CX
352 MOVQ 200(SP),AX
353 MULQ 48(SP)
354 MOVQ AX,R8
355 MOVQ DX,R9
356 MOVQ 200(SP),AX
357 MULQ 56(SP)
358 MOVQ AX,R10
359 MOVQ DX,R11
360 MOVQ 200(SP),AX
361 MULQ 64(SP)
362 MOVQ AX,R12
363 MOVQ DX,R13
364 MOVQ 200(SP),AX
365 MULQ 72(SP)
366 MOVQ AX,R14
367 MOVQ DX,R15
368 MOVQ 208(SP),AX
369 MULQ 40(SP)
370 ADDQ AX,R8
371 ADCQ DX,R9
372 MOVQ 208(SP),AX
373 MULQ 48(SP)
374 ADDQ AX,R10
375 ADCQ DX,R11
376 MOVQ 208(SP),AX
377 MULQ 56(SP)
378 ADDQ AX,R12
379 ADCQ DX,R13
380 MOVQ 208(SP),AX
381 MULQ 64(SP)
382 ADDQ AX,R14
383 ADCQ DX,R15
384 MOVQ 208(SP),DX
385 IMUL3Q $19,DX,AX
386 MULQ 72(SP)
387 ADDQ AX,SI
388 ADCQ DX,CX
389 MOVQ 216(SP),AX
390 MULQ 40(SP)
391 ADDQ AX,R10
392 ADCQ DX,R11
393 MOVQ 216(SP),AX
394 MULQ 48(SP)
395 ADDQ AX,R12
396 ADCQ DX,R13
397 MOVQ 216(SP),AX
398 MULQ 56(SP)
399 ADDQ AX,R14
400 ADCQ DX,R15
401 MOVQ 216(SP),DX
402 IMUL3Q $19,DX,AX
403 MULQ 64(SP)
404 ADDQ AX,SI
405 ADCQ DX,CX
406 MOVQ 216(SP),DX
407 IMUL3Q $19,DX,AX
408 MULQ 72(SP)
409 ADDQ AX,R8
410 ADCQ DX,R9
411 MOVQ 224(SP),AX
412 MULQ 40(SP)
413 ADDQ AX,R12
414 ADCQ DX,R13
415 MOVQ 224(SP),AX
416 MULQ 48(SP)
417 ADDQ AX,R14
418 ADCQ DX,R15
419 MOVQ 280(SP),AX
420 MULQ 64(SP)
421 ADDQ AX,R8
422 ADCQ DX,R9
423 MOVQ 280(SP),AX
424 MULQ 72(SP)
425 ADDQ AX,R10
426 ADCQ DX,R11
427 MOVQ 232(SP),AX
428 MULQ 40(SP)
429 ADDQ AX,R14
430 ADCQ DX,R15
431 MOVQ 288(SP),AX
432 MULQ 56(SP)
433 ADDQ AX,R8
434 ADCQ DX,R9
435 MOVQ 288(SP),AX
436 MULQ 64(SP)
437 ADDQ AX,R10
438 ADCQ DX,R11
439 MOVQ 288(SP),AX
440 MULQ 72(SP)
441 ADDQ AX,R12
442 ADCQ DX,R13
443 MOVQ $REDMASK51,DX
444 SHLQ $13,CX:SI
445 ANDQ DX,SI
446 SHLQ $13,R9:R8
447 ANDQ DX,R8
448 ADDQ CX,R8
449 SHLQ $13,R11:R10
450 ANDQ DX,R10
451 ADDQ R9,R10
452 SHLQ $13,R13:R12
453 ANDQ DX,R12
454 ADDQ R11,R12
455 SHLQ $13,R15:R14
456 ANDQ DX,R14
457 ADDQ R13,R14
458 IMUL3Q $19,R15,CX
459 ADDQ CX,SI
460 MOVQ SI,CX
461 SHRQ $51,CX
462 ADDQ R8,CX
463 MOVQ CX,R8
464 SHRQ $51,CX
465 ANDQ DX,SI
466 ADDQ R10,CX
467 MOVQ CX,R9
468 SHRQ $51,CX
469 ANDQ DX,R8
470 ADDQ R12,CX
471 MOVQ CX,AX
472 SHRQ $51,CX
473 ANDQ DX,R9
474 ADDQ R14,CX
475 MOVQ CX,R10
476 SHRQ $51,CX
477 ANDQ DX,AX
478 IMUL3Q $19,CX,CX
479 ADDQ CX,SI
480 ANDQ DX,R10
481 MOVQ SI,40(SP)
482 MOVQ R8,48(SP)
483 MOVQ R9,56(SP)
484 MOVQ AX,64(SP)
485 MOVQ R10,72(SP)
486 MOVQ 264(SP),SI
487 IMUL3Q $19,SI,AX
488 MOVQ AX,200(SP)
489 MULQ 16(SP)
490 MOVQ AX,SI
491 MOVQ DX,CX
492 MOVQ 272(SP),DX
493 IMUL3Q $19,DX,AX
494 MOVQ AX,208(SP)
495 MULQ 8(SP)
496 ADDQ AX,SI
497 ADCQ DX,CX
498 MOVQ 240(SP),AX
499 MULQ 0(SP)
500 ADDQ AX,SI
501 ADCQ DX,CX
502 MOVQ 240(SP),AX
503 MULQ 8(SP)
504 MOVQ AX,R8
505 MOVQ DX,R9
506 MOVQ 240(SP),AX
507 MULQ 16(SP)
508 MOVQ AX,R10
509 MOVQ DX,R11
510 MOVQ 240(SP),AX
511 MULQ 24(SP)
512 MOVQ AX,R12
513 MOVQ DX,R13
514 MOVQ 240(SP),AX
515 MULQ 32(SP)
516 MOVQ AX,R14
517 MOVQ DX,R15
518 MOVQ 248(SP),AX
519 MULQ 0(SP)
520 ADDQ AX,R8
521 ADCQ DX,R9
522 MOVQ 248(SP),AX
523 MULQ 8(SP)
524 ADDQ AX,R10
525 ADCQ DX,R11
526 MOVQ 248(SP),AX
527 MULQ 16(SP)
528 ADDQ AX,R12
529 ADCQ DX,R13
530 MOVQ 248(SP),AX
531 MULQ 24(SP)
532 ADDQ AX,R14
533 ADCQ DX,R15
534 MOVQ 248(SP),DX
535 IMUL3Q $19,DX,AX
536 MULQ 32(SP)
537 ADDQ AX,SI
538 ADCQ DX,CX
539 MOVQ 256(SP),AX
540 MULQ 0(SP)
541 ADDQ AX,R10
542 ADCQ DX,R11
543 MOVQ 256(SP),AX
544 MULQ 8(SP)
545 ADDQ AX,R12
546 ADCQ DX,R13
547 MOVQ 256(SP),AX
548 MULQ 16(SP)
549 ADDQ AX,R14
550 ADCQ DX,R15
551 MOVQ 256(SP),DX
552 IMUL3Q $19,DX,AX
553 MULQ 24(SP)
554 ADDQ AX,SI
555 ADCQ DX,CX
556 MOVQ 256(SP),DX
557 IMUL3Q $19,DX,AX
558 MULQ 32(SP)
559 ADDQ AX,R8
560 ADCQ DX,R9
561 MOVQ 264(SP),AX
562 MULQ 0(SP)
563 ADDQ AX,R12
564 ADCQ DX,R13
565 MOVQ 264(SP),AX
566 MULQ 8(SP)
567 ADDQ AX,R14
568 ADCQ DX,R15
569 MOVQ 200(SP),AX
570 MULQ 24(SP)
571 ADDQ AX,R8
572 ADCQ DX,R9
573 MOVQ 200(SP),AX
574 MULQ 32(SP)
575 ADDQ AX,R10
576 ADCQ DX,R11
577 MOVQ 272(SP),AX
578 MULQ 0(SP)
579 ADDQ AX,R14
580 ADCQ DX,R15
581 MOVQ 208(SP),AX
582 MULQ 16(SP)
583 ADDQ AX,R8
584 ADCQ DX,R9
585 MOVQ 208(SP),AX
586 MULQ 24(SP)
587 ADDQ AX,R10
588 ADCQ DX,R11
589 MOVQ 208(SP),AX
590 MULQ 32(SP)
591 ADDQ AX,R12
592 ADCQ DX,R13
593 MOVQ $REDMASK51,DX
594 SHLQ $13,CX:SI
595 ANDQ DX,SI
596 SHLQ $13,R9:R8
597 ANDQ DX,R8
598 ADDQ CX,R8
599 SHLQ $13,R11:R10
600 ANDQ DX,R10
601 ADDQ R9,R10
602 SHLQ $13,R13:R12
603 ANDQ DX,R12
604 ADDQ R11,R12
605 SHLQ $13,R15:R14
606 ANDQ DX,R14
607 ADDQ R13,R14
608 IMUL3Q $19,R15,CX
609 ADDQ CX,SI
610 MOVQ SI,CX
611 SHRQ $51,CX
612 ADDQ R8,CX
613 MOVQ CX,R8
614 SHRQ $51,CX
615 ANDQ DX,SI
616 ADDQ R10,CX
617 MOVQ CX,R9
618 SHRQ $51,CX
619 ANDQ DX,R8
620 ADDQ R12,CX
621 MOVQ CX,AX
622 SHRQ $51,CX
623 ANDQ DX,R9
624 ADDQ R14,CX
625 MOVQ CX,R10
626 SHRQ $51,CX
627 ANDQ DX,AX
628 IMUL3Q $19,CX,CX
629 ADDQ CX,SI
630 ANDQ DX,R10
631 MOVQ SI,DX
632 MOVQ R8,CX
633 MOVQ R9,R11
634 MOVQ AX,R12
635 MOVQ R10,R13
636 ADDQ ·_2P0(SB),DX
637 ADDQ ·_2P1234(SB),CX
638 ADDQ ·_2P1234(SB),R11
639 ADDQ ·_2P1234(SB),R12
640 ADDQ ·_2P1234(SB),R13
641 ADDQ 40(SP),SI
642 ADDQ 48(SP),R8
643 ADDQ 56(SP),R9
644 ADDQ 64(SP),AX
645 ADDQ 72(SP),R10
646 SUBQ 40(SP),DX
647 SUBQ 48(SP),CX
648 SUBQ 56(SP),R11
649 SUBQ 64(SP),R12
650 SUBQ 72(SP),R13
651 MOVQ SI,120(DI)
652 MOVQ R8,128(DI)
653 MOVQ R9,136(DI)
654 MOVQ AX,144(DI)
655 MOVQ R10,152(DI)
656 MOVQ DX,160(DI)
657 MOVQ CX,168(DI)
658 MOVQ R11,176(DI)
659 MOVQ R12,184(DI)
660 MOVQ R13,192(DI)
661 MOVQ 120(DI),AX
662 MULQ 120(DI)
663 MOVQ AX,SI
664 MOVQ DX,CX
665 MOVQ 120(DI),AX
666 SHLQ $1,AX
667 MULQ 128(DI)
668 MOVQ AX,R8
669 MOVQ DX,R9
670 MOVQ 120(DI),AX
671 SHLQ $1,AX
672 MULQ 136(DI)
673 MOVQ AX,R10
674 MOVQ DX,R11
675 MOVQ 120(DI),AX
676 SHLQ $1,AX
677 MULQ 144(DI)
678 MOVQ AX,R12
679 MOVQ DX,R13
680 MOVQ 120(DI),AX
681 SHLQ $1,AX
682 MULQ 152(DI)
683 MOVQ AX,R14
684 MOVQ DX,R15
685 MOVQ 128(DI),AX
686 MULQ 128(DI)
687 ADDQ AX,R10
688 ADCQ DX,R11
689 MOVQ 128(DI),AX
690 SHLQ $1,AX
691 MULQ 136(DI)
692 ADDQ AX,R12
693 ADCQ DX,R13
694 MOVQ 128(DI),AX
695 SHLQ $1,AX
696 MULQ 144(DI)
697 ADDQ AX,R14
698 ADCQ DX,R15
699 MOVQ 128(DI),DX
700 IMUL3Q $38,DX,AX
701 MULQ 152(DI)
702 ADDQ AX,SI
703 ADCQ DX,CX
704 MOVQ 136(DI),AX
705 MULQ 136(DI)
706 ADDQ AX,R14
707 ADCQ DX,R15
708 MOVQ 136(DI),DX
709 IMUL3Q $38,DX,AX
710 MULQ 144(DI)
711 ADDQ AX,SI
712 ADCQ DX,CX
713 MOVQ 136(DI),DX
714 IMUL3Q $38,DX,AX
715 MULQ 152(DI)
716 ADDQ AX,R8
717 ADCQ DX,R9
718 MOVQ 144(DI),DX
719 IMUL3Q $19,DX,AX
720 MULQ 144(DI)
721 ADDQ AX,R8
722 ADCQ DX,R9
723 MOVQ 144(DI),DX
724 IMUL3Q $38,DX,AX
725 MULQ 152(DI)
726 ADDQ AX,R10
727 ADCQ DX,R11
728 MOVQ 152(DI),DX
729 IMUL3Q $19,DX,AX
730 MULQ 152(DI)
731 ADDQ AX,R12
732 ADCQ DX,R13
733 MOVQ $REDMASK51,DX
734 SHLQ $13,CX:SI
735 ANDQ DX,SI
736 SHLQ $13,R9:R8
737 ANDQ DX,R8
738 ADDQ CX,R8
739 SHLQ $13,R11:R10
740 ANDQ DX,R10
741 ADDQ R9,R10
742 SHLQ $13,R13:R12
743 ANDQ DX,R12
744 ADDQ R11,R12
745 SHLQ $13,R15:R14
746 ANDQ DX,R14
747 ADDQ R13,R14
748 IMUL3Q $19,R15,CX
749 ADDQ CX,SI
750 MOVQ SI,CX
751 SHRQ $51,CX
752 ADDQ R8,CX
753 ANDQ DX,SI
754 MOVQ CX,R8
755 SHRQ $51,CX
756 ADDQ R10,CX
757 ANDQ DX,R8
758 MOVQ CX,R9
759 SHRQ $51,CX
760 ADDQ R12,CX
761 ANDQ DX,R9
762 MOVQ CX,AX
763 SHRQ $51,CX
764 ADDQ R14,CX
765 ANDQ DX,AX
766 MOVQ CX,R10
767 SHRQ $51,CX
768 IMUL3Q $19,CX,CX
769 ADDQ CX,SI
770 ANDQ DX,R10
771 MOVQ SI,120(DI)
772 MOVQ R8,128(DI)
773 MOVQ R9,136(DI)
774 MOVQ AX,144(DI)
775 MOVQ R10,152(DI)
776 MOVQ 160(DI),AX
777 MULQ 160(DI)
778 MOVQ AX,SI
779 MOVQ DX,CX
780 MOVQ 160(DI),AX
781 SHLQ $1,AX
782 MULQ 168(DI)
783 MOVQ AX,R8
784 MOVQ DX,R9
785 MOVQ 160(DI),AX
786 SHLQ $1,AX
787 MULQ 176(DI)
788 MOVQ AX,R10
789 MOVQ DX,R11
790 MOVQ 160(DI),AX
791 SHLQ $1,AX
792 MULQ 184(DI)
793 MOVQ AX,R12
794 MOVQ DX,R13
795 MOVQ 160(DI),AX
796 SHLQ $1,AX
797 MULQ 192(DI)
798 MOVQ AX,R14
799 MOVQ DX,R15
800 MOVQ 168(DI),AX
801 MULQ 168(DI)
802 ADDQ AX,R10
803 ADCQ DX,R11
804 MOVQ 168(DI),AX
805 SHLQ $1,AX
806 MULQ 176(DI)
807 ADDQ AX,R12
808 ADCQ DX,R13
809 MOVQ 168(DI),AX
810 SHLQ $1,AX
811 MULQ 184(DI)
812 ADDQ AX,R14
813 ADCQ DX,R15
814 MOVQ 168(DI),DX
815 IMUL3Q $38,DX,AX
816 MULQ 192(DI)
817 ADDQ AX,SI
818 ADCQ DX,CX
819 MOVQ 176(DI),AX
820 MULQ 176(DI)
821 ADDQ AX,R14
822 ADCQ DX,R15
823 MOVQ 176(DI),DX
824 IMUL3Q $38,DX,AX
825 MULQ 184(DI)
826 ADDQ AX,SI
827 ADCQ DX,CX
828 MOVQ 176(DI),DX
829 IMUL3Q $38,DX,AX
830 MULQ 192(DI)
831 ADDQ AX,R8
832 ADCQ DX,R9
833 MOVQ 184(DI),DX
834 IMUL3Q $19,DX,AX
835 MULQ 184(DI)
836 ADDQ AX,R8
837 ADCQ DX,R9
838 MOVQ 184(DI),DX
839 IMUL3Q $38,DX,AX
840 MULQ 192(DI)
841 ADDQ AX,R10
842 ADCQ DX,R11
843 MOVQ 192(DI),DX
844 IMUL3Q $19,DX,AX
845 MULQ 192(DI)
846 ADDQ AX,R12
847 ADCQ DX,R13
848 MOVQ $REDMASK51,DX
849 SHLQ $13,CX:SI
850 ANDQ DX,SI
851 SHLQ $13,R9:R8
852 ANDQ DX,R8
853 ADDQ CX,R8
854 SHLQ $13,R11:R10
855 ANDQ DX,R10
856 ADDQ R9,R10
857 SHLQ $13,R13:R12
858 ANDQ DX,R12
859 ADDQ R11,R12
860 SHLQ $13,R15:R14
861 ANDQ DX,R14
862 ADDQ R13,R14
863 IMUL3Q $19,R15,CX
864 ADDQ CX,SI
865 MOVQ SI,CX
866 SHRQ $51,CX
867 ADDQ R8,CX
868 ANDQ DX,SI
869 MOVQ CX,R8
870 SHRQ $51,CX
871 ADDQ R10,CX
872 ANDQ DX,R8
873 MOVQ CX,R9
874 SHRQ $51,CX
875 ADDQ R12,CX
876 ANDQ DX,R9
877 MOVQ CX,AX
878 SHRQ $51,CX
879 ADDQ R14,CX
880 ANDQ DX,AX
881 MOVQ CX,R10
882 SHRQ $51,CX
883 IMUL3Q $19,CX,CX
884 ADDQ CX,SI
885 ANDQ DX,R10
886 MOVQ SI,160(DI)
887 MOVQ R8,168(DI)
888 MOVQ R9,176(DI)
889 MOVQ AX,184(DI)
890 MOVQ R10,192(DI)
891 MOVQ 184(DI),SI
892 IMUL3Q $19,SI,AX
893 MOVQ AX,0(SP)
894 MULQ 16(DI)
895 MOVQ AX,SI
896 MOVQ DX,CX
897 MOVQ 192(DI),DX
898 IMUL3Q $19,DX,AX
899 MOVQ AX,8(SP)
900 MULQ 8(DI)
901 ADDQ AX,SI
902 ADCQ DX,CX
903 MOVQ 160(DI),AX
904 MULQ 0(DI)
905 ADDQ AX,SI
906 ADCQ DX,CX
907 MOVQ 160(DI),AX
908 MULQ 8(DI)
909 MOVQ AX,R8
910 MOVQ DX,R9
911 MOVQ 160(DI),AX
912 MULQ 16(DI)
913 MOVQ AX,R10
914 MOVQ DX,R11
915 MOVQ 160(DI),AX
916 MULQ 24(DI)
917 MOVQ AX,R12
918 MOVQ DX,R13
919 MOVQ 160(DI),AX
920 MULQ 32(DI)
921 MOVQ AX,R14
922 MOVQ DX,R15
923 MOVQ 168(DI),AX
924 MULQ 0(DI)
925 ADDQ AX,R8
926 ADCQ DX,R9
927 MOVQ 168(DI),AX
928 MULQ 8(DI)
929 ADDQ AX,R10
930 ADCQ DX,R11
931 MOVQ 168(DI),AX
932 MULQ 16(DI)
933 ADDQ AX,R12
934 ADCQ DX,R13
935 MOVQ 168(DI),AX
936 MULQ 24(DI)
937 ADDQ AX,R14
938 ADCQ DX,R15
939 MOVQ 168(DI),DX
940 IMUL3Q $19,DX,AX
941 MULQ 32(DI)
942 ADDQ AX,SI
943 ADCQ DX,CX
944 MOVQ 176(DI),AX
945 MULQ 0(DI)
946 ADDQ AX,R10
947 ADCQ DX,R11
948 MOVQ 176(DI),AX
949 MULQ 8(DI)
950 ADDQ AX,R12
951 ADCQ DX,R13
952 MOVQ 176(DI),AX
953 MULQ 16(DI)
954 ADDQ AX,R14
955 ADCQ DX,R15
956 MOVQ 176(DI),DX
957 IMUL3Q $19,DX,AX
958 MULQ 24(DI)
959 ADDQ AX,SI
960 ADCQ DX,CX
961 MOVQ 176(DI),DX
962 IMUL3Q $19,DX,AX
963 MULQ 32(DI)
964 ADDQ AX,R8
965 ADCQ DX,R9
966 MOVQ 184(DI),AX
967 MULQ 0(DI)
968 ADDQ AX,R12
969 ADCQ DX,R13
970 MOVQ 184(DI),AX
971 MULQ 8(DI)
972 ADDQ AX,R14
973 ADCQ DX,R15
974 MOVQ 0(SP),AX
975 MULQ 24(DI)
976 ADDQ AX,R8
977 ADCQ DX,R9
978 MOVQ 0(SP),AX
979 MULQ 32(DI)
980 ADDQ AX,R10
981 ADCQ DX,R11
982 MOVQ 192(DI),AX
983 MULQ 0(DI)
984 ADDQ AX,R14
985 ADCQ DX,R15
986 MOVQ 8(SP),AX
987 MULQ 16(DI)
988 ADDQ AX,R8
989 ADCQ DX,R9
990 MOVQ 8(SP),AX
991 MULQ 24(DI)
992 ADDQ AX,R10
993 ADCQ DX,R11
994 MOVQ 8(SP),AX
995 MULQ 32(DI)
996 ADDQ AX,R12
997 ADCQ DX,R13
998 MOVQ $REDMASK51,DX
999 SHLQ $13,CX:SI
1000 ANDQ DX,SI
1001 SHLQ $13,R9:R8
1002 ANDQ DX,R8
1003 ADDQ CX,R8
1004 SHLQ $13,R11:R10
1005 ANDQ DX,R10
1006 ADDQ R9,R10
1007 SHLQ $13,R13:R12
1008 ANDQ DX,R12
1009 ADDQ R11,R12
1010 SHLQ $13,R15:R14
1011 ANDQ DX,R14
1012 ADDQ R13,R14
1013 IMUL3Q $19,R15,CX
1014 ADDQ CX,SI
1015 MOVQ SI,CX
1016 SHRQ $51,CX
1017 ADDQ R8,CX
1018 MOVQ CX,R8
1019 SHRQ $51,CX
1020 ANDQ DX,SI
1021 ADDQ R10,CX
1022 MOVQ CX,R9
1023 SHRQ $51,CX
1024 ANDQ DX,R8
1025 ADDQ R12,CX
1026 MOVQ CX,AX
1027 SHRQ $51,CX
1028 ANDQ DX,R9
1029 ADDQ R14,CX
1030 MOVQ CX,R10
1031 SHRQ $51,CX
1032 ANDQ DX,AX
1033 IMUL3Q $19,CX,CX
1034 ADDQ CX,SI
1035 ANDQ DX,R10
1036 MOVQ SI,160(DI)
1037 MOVQ R8,168(DI)
1038 MOVQ R9,176(DI)
1039 MOVQ AX,184(DI)
1040 MOVQ R10,192(DI)
1041 MOVQ 144(SP),SI
1042 IMUL3Q $19,SI,AX
1043 MOVQ AX,0(SP)
1044 MULQ 96(SP)
1045 MOVQ AX,SI
1046 MOVQ DX,CX
1047 MOVQ 152(SP),DX
1048 IMUL3Q $19,DX,AX
1049 MOVQ AX,8(SP)
1050 MULQ 88(SP)
1051 ADDQ AX,SI
1052 ADCQ DX,CX
1053 MOVQ 120(SP),AX
1054 MULQ 80(SP)
1055 ADDQ AX,SI
1056 ADCQ DX,CX
1057 MOVQ 120(SP),AX
1058 MULQ 88(SP)
1059 MOVQ AX,R8
1060 MOVQ DX,R9
1061 MOVQ 120(SP),AX
1062 MULQ 96(SP)
1063 MOVQ AX,R10
1064 MOVQ DX,R11
1065 MOVQ 120(SP),AX
1066 MULQ 104(SP)
1067 MOVQ AX,R12
1068 MOVQ DX,R13
1069 MOVQ 120(SP),AX
1070 MULQ 112(SP)
1071 MOVQ AX,R14
1072 MOVQ DX,R15
1073 MOVQ 128(SP),AX
1074 MULQ 80(SP)
1075 ADDQ AX,R8
1076 ADCQ DX,R9
1077 MOVQ 128(SP),AX
1078 MULQ 88(SP)
1079 ADDQ AX,R10
1080 ADCQ DX,R11
1081 MOVQ 128(SP),AX
1082 MULQ 96(SP)
1083 ADDQ AX,R12
1084 ADCQ DX,R13
1085 MOVQ 128(SP),AX
1086 MULQ 104(SP)
1087 ADDQ AX,R14
1088 ADCQ DX,R15
1089 MOVQ 128(SP),DX
1090 IMUL3Q $19,DX,AX
1091 MULQ 112(SP)
1092 ADDQ AX,SI
1093 ADCQ DX,CX
1094 MOVQ 136(SP),AX
1095 MULQ 80(SP)
1096 ADDQ AX,R10
1097 ADCQ DX,R11
1098 MOVQ 136(SP),AX
1099 MULQ 88(SP)
1100 ADDQ AX,R12
1101 ADCQ DX,R13
1102 MOVQ 136(SP),AX
1103 MULQ 96(SP)
1104 ADDQ AX,R14
1105 ADCQ DX,R15
1106 MOVQ 136(SP),DX
1107 IMUL3Q $19,DX,AX
1108 MULQ 104(SP)
1109 ADDQ AX,SI
1110 ADCQ DX,CX
1111 MOVQ 136(SP),DX
1112 IMUL3Q $19,DX,AX
1113 MULQ 112(SP)
1114 ADDQ AX,R8
1115 ADCQ DX,R9
1116 MOVQ 144(SP),AX
1117 MULQ 80(SP)
1118 ADDQ AX,R12
1119 ADCQ DX,R13
1120 MOVQ 144(SP),AX
1121 MULQ 88(SP)
1122 ADDQ AX,R14
1123 ADCQ DX,R15
1124 MOVQ 0(SP),AX
1125 MULQ 104(SP)
1126 ADDQ AX,R8
1127 ADCQ DX,R9
1128 MOVQ 0(SP),AX
1129 MULQ 112(SP)
1130 ADDQ AX,R10
1131 ADCQ DX,R11
1132 MOVQ 152(SP),AX
1133 MULQ 80(SP)
1134 ADDQ AX,R14
1135 ADCQ DX,R15
1136 MOVQ 8(SP),AX
1137 MULQ 96(SP)
1138 ADDQ AX,R8
1139 ADCQ DX,R9
1140 MOVQ 8(SP),AX
1141 MULQ 104(SP)
1142 ADDQ AX,R10
1143 ADCQ DX,R11
1144 MOVQ 8(SP),AX
1145 MULQ 112(SP)
1146 ADDQ AX,R12
1147 ADCQ DX,R13
1148 MOVQ $REDMASK51,DX
1149 SHLQ $13,CX:SI
1150 ANDQ DX,SI
1151 SHLQ $13,R9:R8
1152 ANDQ DX,R8
1153 ADDQ CX,R8
1154 SHLQ $13,R11:R10
1155 ANDQ DX,R10
1156 ADDQ R9,R10
1157 SHLQ $13,R13:R12
1158 ANDQ DX,R12
1159 ADDQ R11,R12
1160 SHLQ $13,R15:R14
1161 ANDQ DX,R14
1162 ADDQ R13,R14
1163 IMUL3Q $19,R15,CX
1164 ADDQ CX,SI
1165 MOVQ SI,CX
1166 SHRQ $51,CX
1167 ADDQ R8,CX
1168 MOVQ CX,R8
1169 SHRQ $51,CX
1170 ANDQ DX,SI
1171 ADDQ R10,CX
1172 MOVQ CX,R9
1173 SHRQ $51,CX
1174 ANDQ DX,R8
1175 ADDQ R12,CX
1176 MOVQ CX,AX
1177 SHRQ $51,CX
1178 ANDQ DX,R9
1179 ADDQ R14,CX
1180 MOVQ CX,R10
1181 SHRQ $51,CX
1182 ANDQ DX,AX
1183 IMUL3Q $19,CX,CX
1184 ADDQ CX,SI
1185 ANDQ DX,R10
1186 MOVQ SI,40(DI)
1187 MOVQ R8,48(DI)
1188 MOVQ R9,56(DI)
1189 MOVQ AX,64(DI)
1190 MOVQ R10,72(DI)
1191 MOVQ 160(SP),AX
1192 MULQ ·_121666_213(SB)
1193 SHRQ $13,AX
1194 MOVQ AX,SI
1195 MOVQ DX,CX
1196 MOVQ 168(SP),AX
1197 MULQ ·_121666_213(SB)
1198 SHRQ $13,AX
1199 ADDQ AX,CX
1200 MOVQ DX,R8
1201 MOVQ 176(SP),AX
1202 MULQ ·_121666_213(SB)
1203 SHRQ $13,AX
1204 ADDQ AX,R8
1205 MOVQ DX,R9
1206 MOVQ 184(SP),AX
1207 MULQ ·_121666_213(SB)
1208 SHRQ $13,AX
1209 ADDQ AX,R9
1210 MOVQ DX,R10
1211 MOVQ 192(SP),AX
1212 MULQ ·_121666_213(SB)
1213 SHRQ $13,AX
1214 ADDQ AX,R10
1215 IMUL3Q $19,DX,DX
1216 ADDQ DX,SI
1217 ADDQ 80(SP),SI
1218 ADDQ 88(SP),CX
1219 ADDQ 96(SP),R8
1220 ADDQ 104(SP),R9
1221 ADDQ 112(SP),R10
1222 MOVQ SI,80(DI)
1223 MOVQ CX,88(DI)
1224 MOVQ R8,96(DI)
1225 MOVQ R9,104(DI)
1226 MOVQ R10,112(DI)
1227 MOVQ 104(DI),SI
1228 IMUL3Q $19,SI,AX
1229 MOVQ AX,0(SP)
1230 MULQ 176(SP)
1231 MOVQ AX,SI
1232 MOVQ DX,CX
1233 MOVQ 112(DI),DX
1234 IMUL3Q $19,DX,AX
1235 MOVQ AX,8(SP)
1236 MULQ 168(SP)
1237 ADDQ AX,SI
1238 ADCQ DX,CX
1239 MOVQ 80(DI),AX
1240 MULQ 160(SP)
1241 ADDQ AX,SI
1242 ADCQ DX,CX
1243 MOVQ 80(DI),AX
1244 MULQ 168(SP)
1245 MOVQ AX,R8
1246 MOVQ DX,R9
1247 MOVQ 80(DI),AX
1248 MULQ 176(SP)
1249 MOVQ AX,R10
1250 MOVQ DX,R11
1251 MOVQ 80(DI),AX
1252 MULQ 184(SP)
1253 MOVQ AX,R12
1254 MOVQ DX,R13
1255 MOVQ 80(DI),AX
1256 MULQ 192(SP)
1257 MOVQ AX,R14
1258 MOVQ DX,R15
1259 MOVQ 88(DI),AX
1260 MULQ 160(SP)
1261 ADDQ AX,R8
1262 ADCQ DX,R9
1263 MOVQ 88(DI),AX
1264 MULQ 168(SP)
1265 ADDQ AX,R10
1266 ADCQ DX,R11
1267 MOVQ 88(DI),AX
1268 MULQ 176(SP)
1269 ADDQ AX,R12
1270 ADCQ DX,R13
1271 MOVQ 88(DI),AX
1272 MULQ 184(SP)
1273 ADDQ AX,R14
1274 ADCQ DX,R15
1275 MOVQ 88(DI),DX
1276 IMUL3Q $19,DX,AX
1277 MULQ 192(SP)
1278 ADDQ AX,SI
1279 ADCQ DX,CX
1280 MOVQ 96(DI),AX
1281 MULQ 160(SP)
1282 ADDQ AX,R10
1283 ADCQ DX,R11
1284 MOVQ 96(DI),AX
1285 MULQ 168(SP)
1286 ADDQ AX,R12
1287 ADCQ DX,R13
1288 MOVQ 96(DI),AX
1289 MULQ 176(SP)
1290 ADDQ AX,R14
1291 ADCQ DX,R15
1292 MOVQ 96(DI),DX
1293 IMUL3Q $19,DX,AX
1294 MULQ 184(SP)
1295 ADDQ AX,SI
1296 ADCQ DX,CX
1297 MOVQ 96(DI),DX
1298 IMUL3Q $19,DX,AX
1299 MULQ 192(SP)
1300 ADDQ AX,R8
1301 ADCQ DX,R9
1302 MOVQ 104(DI),AX
1303 MULQ 160(SP)
1304 ADDQ AX,R12
1305 ADCQ DX,R13
1306 MOVQ 104(DI),AX
1307 MULQ 168(SP)
1308 ADDQ AX,R14
1309 ADCQ DX,R15
1310 MOVQ 0(SP),AX
1311 MULQ 184(SP)
1312 ADDQ AX,R8
1313 ADCQ DX,R9
1314 MOVQ 0(SP),AX
1315 MULQ 192(SP)
1316 ADDQ AX,R10
1317 ADCQ DX,R11
1318 MOVQ 112(DI),AX
1319 MULQ 160(SP)
1320 ADDQ AX,R14
1321 ADCQ DX,R15
1322 MOVQ 8(SP),AX
1323 MULQ 176(SP)
1324 ADDQ AX,R8
1325 ADCQ DX,R9
1326 MOVQ 8(SP),AX
1327 MULQ 184(SP)
1328 ADDQ AX,R10
1329 ADCQ DX,R11
1330 MOVQ 8(SP),AX
1331 MULQ 192(SP)
1332 ADDQ AX,R12
1333 ADCQ DX,R13
1334 MOVQ $REDMASK51,DX
1335 SHLQ $13,CX:SI
1336 ANDQ DX,SI
1337 SHLQ $13,R9:R8
1338 ANDQ DX,R8
1339 ADDQ CX,R8
1340 SHLQ $13,R11:R10
1341 ANDQ DX,R10
1342 ADDQ R9,R10
1343 SHLQ $13,R13:R12
1344 ANDQ DX,R12
1345 ADDQ R11,R12
1346 SHLQ $13,R15:R14
1347 ANDQ DX,R14
1348 ADDQ R13,R14
1349 IMUL3Q $19,R15,CX
1350 ADDQ CX,SI
1351 MOVQ SI,CX
1352 SHRQ $51,CX
1353 ADDQ R8,CX
1354 MOVQ CX,R8
1355 SHRQ $51,CX
1356 ANDQ DX,SI
1357 ADDQ R10,CX
1358 MOVQ CX,R9
1359 SHRQ $51,CX
1360 ANDQ DX,R8
1361 ADDQ R12,CX
1362 MOVQ CX,AX
1363 SHRQ $51,CX
1364 ANDQ DX,R9
1365 ADDQ R14,CX
1366 MOVQ CX,R10
1367 SHRQ $51,CX
1368 ANDQ DX,AX
1369 IMUL3Q $19,CX,CX
1370 ADDQ CX,SI
1371 ANDQ DX,R10
1372 MOVQ SI,80(DI)
1373 MOVQ R8,88(DI)
1374 MOVQ R9,96(DI)
1375 MOVQ AX,104(DI)
1376 MOVQ R10,112(DI)
1377 RET
diff --git a/vendor/golang.org/x/crypto/curve25519/mont25519_amd64.go b/vendor/golang.org/x/crypto/curve25519/mont25519_amd64.go
deleted file mode 100644
index 5822bd5..0000000
--- a/vendor/golang.org/x/crypto/curve25519/mont25519_amd64.go
+++ /dev/null
@@ -1,240 +0,0 @@
1// Copyright 2012 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// +build amd64,!gccgo,!appengine
6
7package curve25519
8
9// These functions are implemented in the .s files. The names of the functions
10// in the rest of the file are also taken from the SUPERCOP sources to help
11// people following along.
12
13//go:noescape
14
15func cswap(inout *[5]uint64, v uint64)
16
17//go:noescape
18
19func ladderstep(inout *[5][5]uint64)
20
21//go:noescape
22
23func freeze(inout *[5]uint64)
24
25//go:noescape
26
27func mul(dest, a, b *[5]uint64)
28
29//go:noescape
30
31func square(out, in *[5]uint64)
32
33// mladder uses a Montgomery ladder to calculate (xr/zr) *= s.
34func mladder(xr, zr *[5]uint64, s *[32]byte) {
35 var work [5][5]uint64
36
37 work[0] = *xr
38 setint(&work[1], 1)
39 setint(&work[2], 0)
40 work[3] = *xr
41 setint(&work[4], 1)
42
43 j := uint(6)
44 var prevbit byte
45
46 for i := 31; i >= 0; i-- {
47 for j < 8 {
48 bit := ((*s)[i] >> j) & 1
49 swap := bit ^ prevbit
50 prevbit = bit
51 cswap(&work[1], uint64(swap))
52 ladderstep(&work)
53 j--
54 }
55 j = 7
56 }
57
58 *xr = work[1]
59 *zr = work[2]
60}
61
62func scalarMult(out, in, base *[32]byte) {
63 var e [32]byte
64 copy(e[:], (*in)[:])
65 e[0] &= 248
66 e[31] &= 127
67 e[31] |= 64
68
69 var t, z [5]uint64
70 unpack(&t, base)
71 mladder(&t, &z, &e)
72 invert(&z, &z)
73 mul(&t, &t, &z)
74 pack(out, &t)
75}
76
77func setint(r *[5]uint64, v uint64) {
78 r[0] = v
79 r[1] = 0
80 r[2] = 0
81 r[3] = 0
82 r[4] = 0
83}
84
85// unpack sets r = x where r consists of 5, 51-bit limbs in little-endian
86// order.
87func unpack(r *[5]uint64, x *[32]byte) {
88 r[0] = uint64(x[0]) |
89 uint64(x[1])<<8 |
90 uint64(x[2])<<16 |
91 uint64(x[3])<<24 |
92 uint64(x[4])<<32 |
93 uint64(x[5])<<40 |
94 uint64(x[6]&7)<<48
95
96 r[1] = uint64(x[6])>>3 |
97 uint64(x[7])<<5 |
98 uint64(x[8])<<13 |
99 uint64(x[9])<<21 |
100 uint64(x[10])<<29 |
101 uint64(x[11])<<37 |
102 uint64(x[12]&63)<<45
103
104 r[2] = uint64(x[12])>>6 |
105 uint64(x[13])<<2 |
106 uint64(x[14])<<10 |
107 uint64(x[15])<<18 |
108 uint64(x[16])<<26 |
109 uint64(x[17])<<34 |
110 uint64(x[18])<<42 |
111 uint64(x[19]&1)<<50
112
113 r[3] = uint64(x[19])>>1 |
114 uint64(x[20])<<7 |
115 uint64(x[21])<<15 |
116 uint64(x[22])<<23 |
117 uint64(x[23])<<31 |
118 uint64(x[24])<<39 |
119 uint64(x[25]&15)<<47
120
121 r[4] = uint64(x[25])>>4 |
122 uint64(x[26])<<4 |
123 uint64(x[27])<<12 |
124 uint64(x[28])<<20 |
125 uint64(x[29])<<28 |
126 uint64(x[30])<<36 |
127 uint64(x[31]&127)<<44
128}
129
130// pack sets out = x where out is the usual, little-endian form of the 5,
131// 51-bit limbs in x.
132func pack(out *[32]byte, x *[5]uint64) {
133 t := *x
134 freeze(&t)
135
136 out[0] = byte(t[0])
137 out[1] = byte(t[0] >> 8)
138 out[2] = byte(t[0] >> 16)
139 out[3] = byte(t[0] >> 24)
140 out[4] = byte(t[0] >> 32)
141 out[5] = byte(t[0] >> 40)
142 out[6] = byte(t[0] >> 48)
143
144 out[6] ^= byte(t[1]<<3) & 0xf8
145 out[7] = byte(t[1] >> 5)
146 out[8] = byte(t[1] >> 13)
147 out[9] = byte(t[1] >> 21)
148 out[10] = byte(t[1] >> 29)
149 out[11] = byte(t[1] >> 37)
150 out[12] = byte(t[1] >> 45)
151
152 out[12] ^= byte(t[2]<<6) & 0xc0
153 out[13] = byte(t[2] >> 2)
154 out[14] = byte(t[2] >> 10)
155 out[15] = byte(t[2] >> 18)
156 out[16] = byte(t[2] >> 26)
157 out[17] = byte(t[2] >> 34)
158 out[18] = byte(t[2] >> 42)
159 out[19] = byte(t[2] >> 50)
160
161 out[19] ^= byte(t[3]<<1) & 0xfe
162 out[20] = byte(t[3] >> 7)
163 out[21] = byte(t[3] >> 15)
164 out[22] = byte(t[3] >> 23)
165 out[23] = byte(t[3] >> 31)
166 out[24] = byte(t[3] >> 39)
167 out[25] = byte(t[3] >> 47)
168
169 out[25] ^= byte(t[4]<<4) & 0xf0
170 out[26] = byte(t[4] >> 4)
171 out[27] = byte(t[4] >> 12)
172 out[28] = byte(t[4] >> 20)
173 out[29] = byte(t[4] >> 28)
174 out[30] = byte(t[4] >> 36)
175 out[31] = byte(t[4] >> 44)
176}
177
178// invert calculates r = x^-1 mod p using Fermat's little theorem.
179func invert(r *[5]uint64, x *[5]uint64) {
180 var z2, z9, z11, z2_5_0, z2_10_0, z2_20_0, z2_50_0, z2_100_0, t [5]uint64
181
182 square(&z2, x) /* 2 */
183 square(&t, &z2) /* 4 */
184 square(&t, &t) /* 8 */
185 mul(&z9, &t, x) /* 9 */
186 mul(&z11, &z9, &z2) /* 11 */
187 square(&t, &z11) /* 22 */
188 mul(&z2_5_0, &t, &z9) /* 2^5 - 2^0 = 31 */
189
190 square(&t, &z2_5_0) /* 2^6 - 2^1 */
191 for i := 1; i < 5; i++ { /* 2^20 - 2^10 */
192 square(&t, &t)
193 }
194 mul(&z2_10_0, &t, &z2_5_0) /* 2^10 - 2^0 */
195
196 square(&t, &z2_10_0) /* 2^11 - 2^1 */
197 for i := 1; i < 10; i++ { /* 2^20 - 2^10 */
198 square(&t, &t)
199 }
200 mul(&z2_20_0, &t, &z2_10_0) /* 2^20 - 2^0 */
201
202 square(&t, &z2_20_0) /* 2^21 - 2^1 */
203 for i := 1; i < 20; i++ { /* 2^40 - 2^20 */
204 square(&t, &t)
205 }
206 mul(&t, &t, &z2_20_0) /* 2^40 - 2^0 */
207
208 square(&t, &t) /* 2^41 - 2^1 */
209 for i := 1; i < 10; i++ { /* 2^50 - 2^10 */
210 square(&t, &t)
211 }
212 mul(&z2_50_0, &t, &z2_10_0) /* 2^50 - 2^0 */
213
214 square(&t, &z2_50_0) /* 2^51 - 2^1 */
215 for i := 1; i < 50; i++ { /* 2^100 - 2^50 */
216 square(&t, &t)
217 }
218 mul(&z2_100_0, &t, &z2_50_0) /* 2^100 - 2^0 */
219
220 square(&t, &z2_100_0) /* 2^101 - 2^1 */
221 for i := 1; i < 100; i++ { /* 2^200 - 2^100 */
222 square(&t, &t)
223 }
224 mul(&t, &t, &z2_100_0) /* 2^200 - 2^0 */
225
226 square(&t, &t) /* 2^201 - 2^1 */
227 for i := 1; i < 50; i++ { /* 2^250 - 2^50 */
228 square(&t, &t)
229 }
230 mul(&t, &t, &z2_50_0) /* 2^250 - 2^0 */
231
232 square(&t, &t) /* 2^251 - 2^1 */
233 square(&t, &t) /* 2^252 - 2^2 */
234 square(&t, &t) /* 2^253 - 2^3 */
235
236 square(&t, &t) /* 2^254 - 2^4 */
237
238 square(&t, &t) /* 2^255 - 2^5 */
239 mul(r, &t, &z11) /* 2^255 - 21 */
240}
diff --git a/vendor/golang.org/x/crypto/curve25519/mul_amd64.s b/vendor/golang.org/x/crypto/curve25519/mul_amd64.s
deleted file mode 100644
index b162e65..0000000
--- a/vendor/golang.org/x/crypto/curve25519/mul_amd64.s
+++ /dev/null
@@ -1,169 +0,0 @@
1// Copyright 2012 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// This code was translated into a form compatible with 6a from the public
6// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
7
8// +build amd64,!gccgo,!appengine
9
10#include "const_amd64.h"
11
12// func mul(dest, a, b *[5]uint64)
13TEXT ·mul(SB),0,$16-24
14 MOVQ dest+0(FP), DI
15 MOVQ a+8(FP), SI
16 MOVQ b+16(FP), DX
17
18 MOVQ DX,CX
19 MOVQ 24(SI),DX
20 IMUL3Q $19,DX,AX
21 MOVQ AX,0(SP)
22 MULQ 16(CX)
23 MOVQ AX,R8
24 MOVQ DX,R9
25 MOVQ 32(SI),DX
26 IMUL3Q $19,DX,AX
27 MOVQ AX,8(SP)
28 MULQ 8(CX)
29 ADDQ AX,R8
30 ADCQ DX,R9
31 MOVQ 0(SI),AX
32 MULQ 0(CX)
33 ADDQ AX,R8
34 ADCQ DX,R9
35 MOVQ 0(SI),AX
36 MULQ 8(CX)
37 MOVQ AX,R10
38 MOVQ DX,R11
39 MOVQ 0(SI),AX
40 MULQ 16(CX)
41 MOVQ AX,R12
42 MOVQ DX,R13
43 MOVQ 0(SI),AX
44 MULQ 24(CX)
45 MOVQ AX,R14
46 MOVQ DX,R15
47 MOVQ 0(SI),AX
48 MULQ 32(CX)
49 MOVQ AX,BX
50 MOVQ DX,BP
51 MOVQ 8(SI),AX
52 MULQ 0(CX)
53 ADDQ AX,R10
54 ADCQ DX,R11
55 MOVQ 8(SI),AX
56 MULQ 8(CX)
57 ADDQ AX,R12
58 ADCQ DX,R13
59 MOVQ 8(SI),AX
60 MULQ 16(CX)
61 ADDQ AX,R14
62 ADCQ DX,R15
63 MOVQ 8(SI),AX
64 MULQ 24(CX)
65 ADDQ AX,BX
66 ADCQ DX,BP
67 MOVQ 8(SI),DX
68 IMUL3Q $19,DX,AX
69 MULQ 32(CX)
70 ADDQ AX,R8
71 ADCQ DX,R9
72 MOVQ 16(SI),AX
73 MULQ 0(CX)
74 ADDQ AX,R12
75 ADCQ DX,R13
76 MOVQ 16(SI),AX
77 MULQ 8(CX)
78 ADDQ AX,R14
79 ADCQ DX,R15
80 MOVQ 16(SI),AX
81 MULQ 16(CX)
82 ADDQ AX,BX
83 ADCQ DX,BP
84 MOVQ 16(SI),DX
85 IMUL3Q $19,DX,AX
86 MULQ 24(CX)
87 ADDQ AX,R8
88 ADCQ DX,R9
89 MOVQ 16(SI),DX
90 IMUL3Q $19,DX,AX
91 MULQ 32(CX)
92 ADDQ AX,R10
93 ADCQ DX,R11
94 MOVQ 24(SI),AX
95 MULQ 0(CX)
96 ADDQ AX,R14
97 ADCQ DX,R15
98 MOVQ 24(SI),AX
99 MULQ 8(CX)
100 ADDQ AX,BX
101 ADCQ DX,BP
102 MOVQ 0(SP),AX
103 MULQ 24(CX)
104 ADDQ AX,R10
105 ADCQ DX,R11
106 MOVQ 0(SP),AX
107 MULQ 32(CX)
108 ADDQ AX,R12
109 ADCQ DX,R13
110 MOVQ 32(SI),AX
111 MULQ 0(CX)
112 ADDQ AX,BX
113 ADCQ DX,BP
114 MOVQ 8(SP),AX
115 MULQ 16(CX)
116 ADDQ AX,R10
117 ADCQ DX,R11
118 MOVQ 8(SP),AX
119 MULQ 24(CX)
120 ADDQ AX,R12
121 ADCQ DX,R13
122 MOVQ 8(SP),AX
123 MULQ 32(CX)
124 ADDQ AX,R14
125 ADCQ DX,R15
126 MOVQ $REDMASK51,SI
127 SHLQ $13,R9:R8
128 ANDQ SI,R8
129 SHLQ $13,R11:R10
130 ANDQ SI,R10
131 ADDQ R9,R10
132 SHLQ $13,R13:R12
133 ANDQ SI,R12
134 ADDQ R11,R12
135 SHLQ $13,R15:R14
136 ANDQ SI,R14
137 ADDQ R13,R14
138 SHLQ $13,BP:BX
139 ANDQ SI,BX
140 ADDQ R15,BX
141 IMUL3Q $19,BP,DX
142 ADDQ DX,R8
143 MOVQ R8,DX
144 SHRQ $51,DX
145 ADDQ R10,DX
146 MOVQ DX,CX
147 SHRQ $51,DX
148 ANDQ SI,R8
149 ADDQ R12,DX
150 MOVQ DX,R9
151 SHRQ $51,DX
152 ANDQ SI,CX
153 ADDQ R14,DX
154 MOVQ DX,AX
155 SHRQ $51,DX
156 ANDQ SI,R9
157 ADDQ BX,DX
158 MOVQ DX,R10
159 SHRQ $51,DX
160 ANDQ SI,AX
161 IMUL3Q $19,DX,DX
162 ADDQ DX,R8
163 ANDQ SI,R10
164 MOVQ R8,0(DI)
165 MOVQ CX,8(DI)
166 MOVQ R9,16(DI)
167 MOVQ AX,24(DI)
168 MOVQ R10,32(DI)
169 RET
diff --git a/vendor/golang.org/x/crypto/curve25519/square_amd64.s b/vendor/golang.org/x/crypto/curve25519/square_amd64.s
deleted file mode 100644
index 4e864a8..0000000
--- a/vendor/golang.org/x/crypto/curve25519/square_amd64.s
+++ /dev/null
@@ -1,132 +0,0 @@
1// Copyright 2012 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// This code was translated into a form compatible with 6a from the public
6// domain sources in SUPERCOP: http://bench.cr.yp.to/supercop.html
7
8// +build amd64,!gccgo,!appengine
9
10#include "const_amd64.h"
11
12// func square(out, in *[5]uint64)
13TEXT ·square(SB),7,$0-16
14 MOVQ out+0(FP), DI
15 MOVQ in+8(FP), SI
16
17 MOVQ 0(SI),AX
18 MULQ 0(SI)
19 MOVQ AX,CX
20 MOVQ DX,R8
21 MOVQ 0(SI),AX
22 SHLQ $1,AX
23 MULQ 8(SI)
24 MOVQ AX,R9
25 MOVQ DX,R10
26 MOVQ 0(SI),AX
27 SHLQ $1,AX
28 MULQ 16(SI)
29 MOVQ AX,R11
30 MOVQ DX,R12
31 MOVQ 0(SI),AX
32 SHLQ $1,AX
33 MULQ 24(SI)
34 MOVQ AX,R13
35 MOVQ DX,R14
36 MOVQ 0(SI),AX
37 SHLQ $1,AX
38 MULQ 32(SI)
39 MOVQ AX,R15
40 MOVQ DX,BX
41 MOVQ 8(SI),AX
42 MULQ 8(SI)
43 ADDQ AX,R11
44 ADCQ DX,R12
45 MOVQ 8(SI),AX
46 SHLQ $1,AX
47 MULQ 16(SI)
48 ADDQ AX,R13
49 ADCQ DX,R14
50 MOVQ 8(SI),AX
51 SHLQ $1,AX
52 MULQ 24(SI)
53 ADDQ AX,R15
54 ADCQ DX,BX
55 MOVQ 8(SI),DX
56 IMUL3Q $38,DX,AX
57 MULQ 32(SI)
58 ADDQ AX,CX
59 ADCQ DX,R8
60 MOVQ 16(SI),AX
61 MULQ 16(SI)
62 ADDQ AX,R15
63 ADCQ DX,BX
64 MOVQ 16(SI),DX
65 IMUL3Q $38,DX,AX
66 MULQ 24(SI)
67 ADDQ AX,CX
68 ADCQ DX,R8
69 MOVQ 16(SI),DX
70 IMUL3Q $38,DX,AX
71 MULQ 32(SI)
72 ADDQ AX,R9
73 ADCQ DX,R10
74 MOVQ 24(SI),DX
75 IMUL3Q $19,DX,AX
76 MULQ 24(SI)
77 ADDQ AX,R9
78 ADCQ DX,R10
79 MOVQ 24(SI),DX
80 IMUL3Q $38,DX,AX
81 MULQ 32(SI)
82 ADDQ AX,R11
83 ADCQ DX,R12
84 MOVQ 32(SI),DX
85 IMUL3Q $19,DX,AX
86 MULQ 32(SI)
87 ADDQ AX,R13
88 ADCQ DX,R14
89 MOVQ $REDMASK51,SI
90 SHLQ $13,R8:CX
91 ANDQ SI,CX
92 SHLQ $13,R10:R9
93 ANDQ SI,R9
94 ADDQ R8,R9
95 SHLQ $13,R12:R11
96 ANDQ SI,R11
97 ADDQ R10,R11
98 SHLQ $13,R14:R13
99 ANDQ SI,R13
100 ADDQ R12,R13
101 SHLQ $13,BX:R15
102 ANDQ SI,R15
103 ADDQ R14,R15
104 IMUL3Q $19,BX,DX
105 ADDQ DX,CX
106 MOVQ CX,DX
107 SHRQ $51,DX
108 ADDQ R9,DX
109 ANDQ SI,CX
110 MOVQ DX,R8
111 SHRQ $51,DX
112 ADDQ R11,DX
113 ANDQ SI,R8
114 MOVQ DX,R9
115 SHRQ $51,DX
116 ADDQ R13,DX
117 ANDQ SI,R9
118 MOVQ DX,AX
119 SHRQ $51,DX
120 ADDQ R15,DX
121 ANDQ SI,AX
122 MOVQ DX,R10
123 SHRQ $51,DX
124 IMUL3Q $19,DX,DX
125 ADDQ DX,CX
126 ANDQ SI,R10
127 MOVQ CX,0(DI)
128 MOVQ R8,8(DI)
129 MOVQ R9,16(DI)
130 MOVQ AX,24(DI)
131 MOVQ R10,32(DI)
132 RET
diff --git a/vendor/golang.org/x/crypto/ed25519/ed25519.go b/vendor/golang.org/x/crypto/ed25519/ed25519.go
deleted file mode 100644
index f1d9567..0000000
--- a/vendor/golang.org/x/crypto/ed25519/ed25519.go
+++ /dev/null
@@ -1,181 +0,0 @@
1// Copyright 2016 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5// Package ed25519 implements the Ed25519 signature algorithm. See
6// http://ed25519.cr.yp.to/.
7//
8// These functions are also compatible with the “Ed25519” function defined in
9// https://tools.ietf.org/html/draft-irtf-cfrg-eddsa-05.
10package ed25519
11
12// This code is a port of the public domain, “ref10” implementation of ed25519
13// from SUPERCOP.
14
15import (
16 "crypto"
17 cryptorand "crypto/rand"
18 "crypto/sha512"
19 "crypto/subtle"
20 "errors"
21 "io"
22 "strconv"
23
24 "golang.org/x/crypto/ed25519/internal/edwards25519"
25)
26
27const (
28 // PublicKeySize is the size, in bytes, of public keys as used in this package.
29 PublicKeySize = 32
30 // PrivateKeySize is the size, in bytes, of private keys as used in this package.
31 PrivateKeySize = 64
32 // SignatureSize is the size, in bytes, of signatures generated and verified by this package.
33 SignatureSize = 64
34)
35
36// PublicKey is the type of Ed25519 public keys.
37type PublicKey []byte
38
39// PrivateKey is the type of Ed25519 private keys. It implements crypto.Signer.
40type PrivateKey []byte
41
42// Public returns the PublicKey corresponding to priv.
43func (priv PrivateKey) Public() crypto.PublicKey {
44 publicKey := make([]byte, PublicKeySize)
45 copy(publicKey, priv[32:])
46 return PublicKey(publicKey)
47}
48
49// Sign signs the given message with priv.
50// Ed25519 performs two passes over messages to be signed and therefore cannot
51// handle pre-hashed messages. Thus opts.HashFunc() must return zero to
52// indicate the message hasn't been hashed. This can be achieved by passing
53// crypto.Hash(0) as the value for opts.
54func (priv PrivateKey) Sign(rand io.Reader, message []byte, opts crypto.SignerOpts) (signature []byte, err error) {
55 if opts.HashFunc() != crypto.Hash(0) {
56 return nil, errors.New("ed25519: cannot sign hashed message")
57 }
58
59 return Sign(priv, message), nil
60}
61
62// GenerateKey generates a public/private key pair using entropy from rand.
63// If rand is nil, crypto/rand.Reader will be used.
64func GenerateKey(rand io.Reader) (publicKey PublicKey, privateKey PrivateKey, err error) {
65 if rand == nil {
66 rand = cryptorand.Reader
67 }
68
69 privateKey = make([]byte, PrivateKeySize)
70 publicKey = make([]byte, PublicKeySize)
71 _, err = io.ReadFull(rand, privateKey[:32])
72 if err != nil {
73 return nil, nil, err
74 }
75
76 digest := sha512.Sum512(privateKey[:32])
77 digest[0] &= 248
78 digest[31] &= 127
79 digest[31] |= 64
80
81 var A edwards25519.ExtendedGroupElement
82 var hBytes [32]byte
83 copy(hBytes[:], digest[:])
84 edwards25519.GeScalarMultBase(&A, &hBytes)
85 var publicKeyBytes [32]byte
86 A.ToBytes(&publicKeyBytes)
87
88 copy(privateKey[32:], publicKeyBytes[:])
89 copy(publicKey, publicKeyBytes[:])
90
91 return publicKey, privateKey, nil
92}
93
94// Sign signs the message with privateKey and returns a signature. It will
95// panic if len(privateKey) is not PrivateKeySize.
96func Sign(privateKey PrivateKey, message []byte) []byte {
97 if l := len(privateKey); l != PrivateKeySize {
98 panic("ed25519: bad private key length: " + strconv.Itoa(l))
99 }
100
101 h := sha512.New()
102 h.Write(privateKey[:32])
103
104 var digest1, messageDigest, hramDigest [64]byte
105 var expandedSecretKey [32]byte
106 h.Sum(digest1[:0])
107 copy(expandedSecretKey[:], digest1[:])
108 expandedSecretKey[0] &= 248
109 expandedSecretKey[31] &= 63
110 expandedSecretKey[31] |= 64
111
112 h.Reset()
113 h.Write(digest1[32:])
114 h.Write(message)
115 h.Sum(messageDigest[:0])
116
117 var messageDigestReduced [32]byte
118 edwards25519.ScReduce(&messageDigestReduced, &messageDigest)
119 var R edwards25519.ExtendedGroupElement
120 edwards25519.GeScalarMultBase(&R, &messageDigestReduced)
121
122 var encodedR [32]byte
123 R.ToBytes(&encodedR)
124
125 h.Reset()
126 h.Write(encodedR[:])
127 h.Write(privateKey[32:])
128 h.Write(message)
129 h.Sum(hramDigest[:0])
130 var hramDigestReduced [32]byte
131 edwards25519.ScReduce(&hramDigestReduced, &hramDigest)
132
133 var s [32]byte
134 edwards25519.ScMulAdd(&s, &hramDigestReduced, &expandedSecretKey, &messageDigestReduced)
135
136 signature := make([]byte, SignatureSize)
137 copy(signature[:], encodedR[:])
138 copy(signature[32:], s[:])
139
140 return signature
141}
142
143// Verify reports whether sig is a valid signature of message by publicKey. It
144// will panic if len(publicKey) is not PublicKeySize.
145func Verify(publicKey PublicKey, message, sig []byte) bool {
146 if l := len(publicKey); l != PublicKeySize {
147 panic("ed25519: bad public key length: " + strconv.Itoa(l))
148 }
149
150 if len(sig) != SignatureSize || sig[63]&224 != 0 {
151 return false
152 }
153
154 var A edwards25519.ExtendedGroupElement
155 var publicKeyBytes [32]byte
156 copy(publicKeyBytes[:], publicKey)
157 if !A.FromBytes(&publicKeyBytes) {
158 return false
159 }
160 edwards25519.FeNeg(&A.X, &A.X)
161 edwards25519.FeNeg(&A.T, &A.T)
162
163 h := sha512.New()
164 h.Write(sig[:32])
165 h.Write(publicKey[:])
166 h.Write(message)
167 var digest [64]byte
168 h.Sum(digest[:0])
169
170 var hReduced [32]byte
171 edwards25519.ScReduce(&hReduced, &digest)
172
173 var R edwards25519.ProjectiveGroupElement
174 var b [32]byte
175 copy(b[:], sig[32:])
176 edwards25519.GeDoubleScalarMultVartime(&R, &hReduced, &A, &b)
177
178 var checkR [32]byte
179 R.ToBytes(&checkR)
180 return subtle.ConstantTimeCompare(sig[:32], checkR[:]) == 1
181}
diff --git a/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go b/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go
deleted file mode 100644
index e39f086..0000000
--- a/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/const.go
+++ /dev/null
@@ -1,1422 +0,0 @@
1// Copyright 2016 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package edwards25519
6
7// These values are from the public domain, “ref10” implementation of ed25519
8// from SUPERCOP.
9
10// d is a constant in the Edwards curve equation.
11var d = FieldElement{
12 -10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116,
13}
14
15// d2 is 2*d.
16var d2 = FieldElement{
17 -21827239, -5839606, -30745221, 13898782, 229458, 15978800, -12551817, -6495438, 29715968, 9444199,
18}
19
20// SqrtM1 is the square-root of -1 in the field.
21var SqrtM1 = FieldElement{
22 -32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482,
23}
24
25// A is a constant in the Montgomery-form of curve25519.
26var A = FieldElement{
27 486662, 0, 0, 0, 0, 0, 0, 0, 0, 0,
28}
29
30// bi contains precomputed multiples of the base-point. See the Ed25519 paper
31// for a discussion about how these values are used.
32var bi = [8]PreComputedGroupElement{
33 {
34 FieldElement{25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605},
35 FieldElement{-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378},
36 FieldElement{-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546},
37 },
38 {
39 FieldElement{15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024},
40 FieldElement{16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574},
41 FieldElement{30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357},
42 },
43 {
44 FieldElement{10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380},
45 FieldElement{4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306},
46 FieldElement{19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942},
47 },
48 {
49 FieldElement{5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766},
50 FieldElement{-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701},
51 FieldElement{28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300},
52 },
53 {
54 FieldElement{-22518993, -6692182, 14201702, -8745502, -23510406, 8844726, 18474211, -1361450, -13062696, 13821877},
55 FieldElement{-6455177, -7839871, 3374702, -4740862, -27098617, -10571707, 31655028, -7212327, 18853322, -14220951},
56 FieldElement{4566830, -12963868, -28974889, -12240689, -7602672, -2830569, -8514358, -10431137, 2207753, -3209784},
57 },
58 {
59 FieldElement{-25154831, -4185821, 29681144, 7868801, -6854661, -9423865, -12437364, -663000, -31111463, -16132436},
60 FieldElement{25576264, -2703214, 7349804, -11814844, 16472782, 9300885, 3844789, 15725684, 171356, 6466918},
61 FieldElement{23103977, 13316479, 9739013, -16149481, 817875, -15038942, 8965339, -14088058, -30714912, 16193877},
62 },
63 {
64 FieldElement{-33521811, 3180713, -2394130, 14003687, -16903474, -16270840, 17238398, 4729455, -18074513, 9256800},
65 FieldElement{-25182317, -4174131, 32336398, 5036987, -21236817, 11360617, 22616405, 9761698, -19827198, 630305},
66 FieldElement{-13720693, 2639453, -24237460, -7406481, 9494427, -5774029, -6554551, -15960994, -2449256, -14291300},
67 },
68 {
69 FieldElement{-3151181, -5046075, 9282714, 6866145, -31907062, -863023, -18940575, 15033784, 25105118, -7894876},
70 FieldElement{-24326370, 15950226, -31801215, -14592823, -11662737, -5090925, 1573892, -2625887, 2198790, -15804619},
71 FieldElement{-3099351, 10324967, -2241613, 7453183, -5446979, -2735503, -13812022, -16236442, -32461234, -12290683},
72 },
73}
74
75// base contains precomputed multiples of the base-point. See the Ed25519 paper
76// for a discussion about how these values are used.
77var base = [32][8]PreComputedGroupElement{
78 {
79 {
80 FieldElement{25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605},
81 FieldElement{-12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378},
82 FieldElement{-8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546},
83 },
84 {
85 FieldElement{-12815894, -12976347, -21581243, 11784320, -25355658, -2750717, -11717903, -3814571, -358445, -10211303},
86 FieldElement{-21703237, 6903825, 27185491, 6451973, -29577724, -9554005, -15616551, 11189268, -26829678, -5319081},
87 FieldElement{26966642, 11152617, 32442495, 15396054, 14353839, -12752335, -3128826, -9541118, -15472047, -4166697},
88 },
89 {
90 FieldElement{15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024},
91 FieldElement{16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574},
92 FieldElement{30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357},
93 },
94 {
95 FieldElement{-17036878, 13921892, 10945806, -6033431, 27105052, -16084379, -28926210, 15006023, 3284568, -6276540},
96 FieldElement{23599295, -8306047, -11193664, -7687416, 13236774, 10506355, 7464579, 9656445, 13059162, 10374397},
97 FieldElement{7798556, 16710257, 3033922, 2874086, 28997861, 2835604, 32406664, -3839045, -641708, -101325},
98 },
99 {
100 FieldElement{10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380},
101 FieldElement{4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306},
102 FieldElement{19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942},
103 },
104 {
105 FieldElement{-15371964, -12862754, 32573250, 4720197, -26436522, 5875511, -19188627, -15224819, -9818940, -12085777},
106 FieldElement{-8549212, 109983, 15149363, 2178705, 22900618, 4543417, 3044240, -15689887, 1762328, 14866737},
107 FieldElement{-18199695, -15951423, -10473290, 1707278, -17185920, 3916101, -28236412, 3959421, 27914454, 4383652},
108 },
109 {
110 FieldElement{5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766},
111 FieldElement{-30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701},
112 FieldElement{28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300},
113 },
114 {
115 FieldElement{14499471, -2729599, -33191113, -4254652, 28494862, 14271267, 30290735, 10876454, -33154098, 2381726},
116 FieldElement{-7195431, -2655363, -14730155, 462251, -27724326, 3941372, -6236617, 3696005, -32300832, 15351955},
117 FieldElement{27431194, 8222322, 16448760, -3907995, -18707002, 11938355, -32961401, -2970515, 29551813, 10109425},
118 },
119 },
120 {
121 {
122 FieldElement{-13657040, -13155431, -31283750, 11777098, 21447386, 6519384, -2378284, -1627556, 10092783, -4764171},
123 FieldElement{27939166, 14210322, 4677035, 16277044, -22964462, -12398139, -32508754, 12005538, -17810127, 12803510},
124 FieldElement{17228999, -15661624, -1233527, 300140, -1224870, -11714777, 30364213, -9038194, 18016357, 4397660},
125 },
126 {
127 FieldElement{-10958843, -7690207, 4776341, -14954238, 27850028, -15602212, -26619106, 14544525, -17477504, 982639},
128 FieldElement{29253598, 15796703, -2863982, -9908884, 10057023, 3163536, 7332899, -4120128, -21047696, 9934963},
129 FieldElement{5793303, 16271923, -24131614, -10116404, 29188560, 1206517, -14747930, 4559895, -30123922, -10897950},
130 },
131 {
132 FieldElement{-27643952, -11493006, 16282657, -11036493, 28414021, -15012264, 24191034, 4541697, -13338309, 5500568},
133 FieldElement{12650548, -1497113, 9052871, 11355358, -17680037, -8400164, -17430592, 12264343, 10874051, 13524335},
134 FieldElement{25556948, -3045990, 714651, 2510400, 23394682, -10415330, 33119038, 5080568, -22528059, 5376628},
135 },
136 {
137 FieldElement{-26088264, -4011052, -17013699, -3537628, -6726793, 1920897, -22321305, -9447443, 4535768, 1569007},
138 FieldElement{-2255422, 14606630, -21692440, -8039818, 28430649, 8775819, -30494562, 3044290, 31848280, 12543772},
139 FieldElement{-22028579, 2943893, -31857513, 6777306, 13784462, -4292203, -27377195, -2062731, 7718482, 14474653},
140 },
141 {
142 FieldElement{2385315, 2454213, -22631320, 46603, -4437935, -15680415, 656965, -7236665, 24316168, -5253567},
143 FieldElement{13741529, 10911568, -33233417, -8603737, -20177830, -1033297, 33040651, -13424532, -20729456, 8321686},
144 FieldElement{21060490, -2212744, 15712757, -4336099, 1639040, 10656336, 23845965, -11874838, -9984458, 608372},
145 },
146 {
147 FieldElement{-13672732, -15087586, -10889693, -7557059, -6036909, 11305547, 1123968, -6780577, 27229399, 23887},
148 FieldElement{-23244140, -294205, -11744728, 14712571, -29465699, -2029617, 12797024, -6440308, -1633405, 16678954},
149 FieldElement{-29500620, 4770662, -16054387, 14001338, 7830047, 9564805, -1508144, -4795045, -17169265, 4904953},
150 },
151 {
152 FieldElement{24059557, 14617003, 19037157, -15039908, 19766093, -14906429, 5169211, 16191880, 2128236, -4326833},
153 FieldElement{-16981152, 4124966, -8540610, -10653797, 30336522, -14105247, -29806336, 916033, -6882542, -2986532},
154 FieldElement{-22630907, 12419372, -7134229, -7473371, -16478904, 16739175, 285431, 2763829, 15736322, 4143876},
155 },
156 {
157 FieldElement{2379352, 11839345, -4110402, -5988665, 11274298, 794957, 212801, -14594663, 23527084, -16458268},
158 FieldElement{33431127, -11130478, -17838966, -15626900, 8909499, 8376530, -32625340, 4087881, -15188911, -14416214},
159 FieldElement{1767683, 7197987, -13205226, -2022635, -13091350, 448826, 5799055, 4357868, -4774191, -16323038},
160 },
161 },
162 {
163 {
164 FieldElement{6721966, 13833823, -23523388, -1551314, 26354293, -11863321, 23365147, -3949732, 7390890, 2759800},
165 FieldElement{4409041, 2052381, 23373853, 10530217, 7676779, -12885954, 21302353, -4264057, 1244380, -12919645},
166 FieldElement{-4421239, 7169619, 4982368, -2957590, 30256825, -2777540, 14086413, 9208236, 15886429, 16489664},
167 },
168 {
169 FieldElement{1996075, 10375649, 14346367, 13311202, -6874135, -16438411, -13693198, 398369, -30606455, -712933},
170 FieldElement{-25307465, 9795880, -2777414, 14878809, -33531835, 14780363, 13348553, 12076947, -30836462, 5113182},
171 FieldElement{-17770784, 11797796, 31950843, 13929123, -25888302, 12288344, -30341101, -7336386, 13847711, 5387222},
172 },
173 {
174 FieldElement{-18582163, -3416217, 17824843, -2340966, 22744343, -10442611, 8763061, 3617786, -19600662, 10370991},
175 FieldElement{20246567, -14369378, 22358229, -543712, 18507283, -10413996, 14554437, -8746092, 32232924, 16763880},
176 FieldElement{9648505, 10094563, 26416693, 14745928, -30374318, -6472621, 11094161, 15689506, 3140038, -16510092},
177 },
178 {
179 FieldElement{-16160072, 5472695, 31895588, 4744994, 8823515, 10365685, -27224800, 9448613, -28774454, 366295},
180 FieldElement{19153450, 11523972, -11096490, -6503142, -24647631, 5420647, 28344573, 8041113, 719605, 11671788},
181 FieldElement{8678025, 2694440, -6808014, 2517372, 4964326, 11152271, -15432916, -15266516, 27000813, -10195553},
182 },
183 {
184 FieldElement{-15157904, 7134312, 8639287, -2814877, -7235688, 10421742, 564065, 5336097, 6750977, -14521026},
185 FieldElement{11836410, -3979488, 26297894, 16080799, 23455045, 15735944, 1695823, -8819122, 8169720, 16220347},
186 FieldElement{-18115838, 8653647, 17578566, -6092619, -8025777, -16012763, -11144307, -2627664, -5990708, -14166033},
187 },
188 {
189 FieldElement{-23308498, -10968312, 15213228, -10081214, -30853605, -11050004, 27884329, 2847284, 2655861, 1738395},
190 FieldElement{-27537433, -14253021, -25336301, -8002780, -9370762, 8129821, 21651608, -3239336, -19087449, -11005278},
191 FieldElement{1533110, 3437855, 23735889, 459276, 29970501, 11335377, 26030092, 5821408, 10478196, 8544890},
192 },
193 {
194 FieldElement{32173121, -16129311, 24896207, 3921497, 22579056, -3410854, 19270449, 12217473, 17789017, -3395995},
195 FieldElement{-30552961, -2228401, -15578829, -10147201, 13243889, 517024, 15479401, -3853233, 30460520, 1052596},
196 FieldElement{-11614875, 13323618, 32618793, 8175907, -15230173, 12596687, 27491595, -4612359, 3179268, -9478891},
197 },
198 {
199 FieldElement{31947069, -14366651, -4640583, -15339921, -15125977, -6039709, -14756777, -16411740, 19072640, -9511060},
200 FieldElement{11685058, 11822410, 3158003, -13952594, 33402194, -4165066, 5977896, -5215017, 473099, 5040608},
201 FieldElement{-20290863, 8198642, -27410132, 11602123, 1290375, -2799760, 28326862, 1721092, -19558642, -3131606},
202 },
203 },
204 {
205 {
206 FieldElement{7881532, 10687937, 7578723, 7738378, -18951012, -2553952, 21820786, 8076149, -27868496, 11538389},
207 FieldElement{-19935666, 3899861, 18283497, -6801568, -15728660, -11249211, 8754525, 7446702, -5676054, 5797016},
208 FieldElement{-11295600, -3793569, -15782110, -7964573, 12708869, -8456199, 2014099, -9050574, -2369172, -5877341},
209 },
210 {
211 FieldElement{-22472376, -11568741, -27682020, 1146375, 18956691, 16640559, 1192730, -3714199, 15123619, 10811505},
212 FieldElement{14352098, -3419715, -18942044, 10822655, 32750596, 4699007, -70363, 15776356, -28886779, -11974553},
213 FieldElement{-28241164, -8072475, -4978962, -5315317, 29416931, 1847569, -20654173, -16484855, 4714547, -9600655},
214 },
215 {
216 FieldElement{15200332, 8368572, 19679101, 15970074, -31872674, 1959451, 24611599, -4543832, -11745876, 12340220},
217 FieldElement{12876937, -10480056, 33134381, 6590940, -6307776, 14872440, 9613953, 8241152, 15370987, 9608631},
218 FieldElement{-4143277, -12014408, 8446281, -391603, 4407738, 13629032, -7724868, 15866074, -28210621, -8814099},
219 },
220 {
221 FieldElement{26660628, -15677655, 8393734, 358047, -7401291, 992988, -23904233, 858697, 20571223, 8420556},
222 FieldElement{14620715, 13067227, -15447274, 8264467, 14106269, 15080814, 33531827, 12516406, -21574435, -12476749},
223 FieldElement{236881, 10476226, 57258, -14677024, 6472998, 2466984, 17258519, 7256740, 8791136, 15069930},
224 },
225 {
226 FieldElement{1276410, -9371918, 22949635, -16322807, -23493039, -5702186, 14711875, 4874229, -30663140, -2331391},
227 FieldElement{5855666, 4990204, -13711848, 7294284, -7804282, 1924647, -1423175, -7912378, -33069337, 9234253},
228 FieldElement{20590503, -9018988, 31529744, -7352666, -2706834, 10650548, 31559055, -11609587, 18979186, 13396066},
229 },
230 {
231 FieldElement{24474287, 4968103, 22267082, 4407354, 24063882, -8325180, -18816887, 13594782, 33514650, 7021958},
232 FieldElement{-11566906, -6565505, -21365085, 15928892, -26158305, 4315421, -25948728, -3916677, -21480480, 12868082},
233 FieldElement{-28635013, 13504661, 19988037, -2132761, 21078225, 6443208, -21446107, 2244500, -12455797, -8089383},
234 },
235 {
236 FieldElement{-30595528, 13793479, -5852820, 319136, -25723172, -6263899, 33086546, 8957937, -15233648, 5540521},
237 FieldElement{-11630176, -11503902, -8119500, -7643073, 2620056, 1022908, -23710744, -1568984, -16128528, -14962807},
238 FieldElement{23152971, 775386, 27395463, 14006635, -9701118, 4649512, 1689819, 892185, -11513277, -15205948},
239 },
240 {
241 FieldElement{9770129, 9586738, 26496094, 4324120, 1556511, -3550024, 27453819, 4763127, -19179614, 5867134},
242 FieldElement{-32765025, 1927590, 31726409, -4753295, 23962434, -16019500, 27846559, 5931263, -29749703, -16108455},
243 FieldElement{27461885, -2977536, 22380810, 1815854, -23033753, -3031938, 7283490, -15148073, -19526700, 7734629},
244 },
245 },
246 {
247 {
248 FieldElement{-8010264, -9590817, -11120403, 6196038, 29344158, -13430885, 7585295, -3176626, 18549497, 15302069},
249 FieldElement{-32658337, -6171222, -7672793, -11051681, 6258878, 13504381, 10458790, -6418461, -8872242, 8424746},
250 FieldElement{24687205, 8613276, -30667046, -3233545, 1863892, -1830544, 19206234, 7134917, -11284482, -828919},
251 },
252 {
253 FieldElement{11334899, -9218022, 8025293, 12707519, 17523892, -10476071, 10243738, -14685461, -5066034, 16498837},
254 FieldElement{8911542, 6887158, -9584260, -6958590, 11145641, -9543680, 17303925, -14124238, 6536641, 10543906},
255 FieldElement{-28946384, 15479763, -17466835, 568876, -1497683, 11223454, -2669190, -16625574, -27235709, 8876771},
256 },
257 {
258 FieldElement{-25742899, -12566864, -15649966, -846607, -33026686, -796288, -33481822, 15824474, -604426, -9039817},
259 FieldElement{10330056, 70051, 7957388, -9002667, 9764902, 15609756, 27698697, -4890037, 1657394, 3084098},
260 FieldElement{10477963, -7470260, 12119566, -13250805, 29016247, -5365589, 31280319, 14396151, -30233575, 15272409},
261 },
262 {
263 FieldElement{-12288309, 3169463, 28813183, 16658753, 25116432, -5630466, -25173957, -12636138, -25014757, 1950504},
264 FieldElement{-26180358, 9489187, 11053416, -14746161, -31053720, 5825630, -8384306, -8767532, 15341279, 8373727},
265 FieldElement{28685821, 7759505, -14378516, -12002860, -31971820, 4079242, 298136, -10232602, -2878207, 15190420},
266 },
267 {
268 FieldElement{-32932876, 13806336, -14337485, -15794431, -24004620, 10940928, 8669718, 2742393, -26033313, -6875003},
269 FieldElement{-1580388, -11729417, -25979658, -11445023, -17411874, -10912854, 9291594, -16247779, -12154742, 6048605},
270 FieldElement{-30305315, 14843444, 1539301, 11864366, 20201677, 1900163, 13934231, 5128323, 11213262, 9168384},
271 },
272 {
273 FieldElement{-26280513, 11007847, 19408960, -940758, -18592965, -4328580, -5088060, -11105150, 20470157, -16398701},
274 FieldElement{-23136053, 9282192, 14855179, -15390078, -7362815, -14408560, -22783952, 14461608, 14042978, 5230683},
275 FieldElement{29969567, -2741594, -16711867, -8552442, 9175486, -2468974, 21556951, 3506042, -5933891, -12449708},
276 },
277 {
278 FieldElement{-3144746, 8744661, 19704003, 4581278, -20430686, 6830683, -21284170, 8971513, -28539189, 15326563},
279 FieldElement{-19464629, 10110288, -17262528, -3503892, -23500387, 1355669, -15523050, 15300988, -20514118, 9168260},
280 FieldElement{-5353335, 4488613, -23803248, 16314347, 7780487, -15638939, -28948358, 9601605, 33087103, -9011387},
281 },
282 {
283 FieldElement{-19443170, -15512900, -20797467, -12445323, -29824447, 10229461, -27444329, -15000531, -5996870, 15664672},
284 FieldElement{23294591, -16632613, -22650781, -8470978, 27844204, 11461195, 13099750, -2460356, 18151676, 13417686},
285 FieldElement{-24722913, -4176517, -31150679, 5988919, -26858785, 6685065, 1661597, -12551441, 15271676, -15452665},
286 },
287 },
288 {
289 {
290 FieldElement{11433042, -13228665, 8239631, -5279517, -1985436, -725718, -18698764, 2167544, -6921301, -13440182},
291 FieldElement{-31436171, 15575146, 30436815, 12192228, -22463353, 9395379, -9917708, -8638997, 12215110, 12028277},
292 FieldElement{14098400, 6555944, 23007258, 5757252, -15427832, -12950502, 30123440, 4617780, -16900089, -655628},
293 },
294 {
295 FieldElement{-4026201, -15240835, 11893168, 13718664, -14809462, 1847385, -15819999, 10154009, 23973261, -12684474},
296 FieldElement{-26531820, -3695990, -1908898, 2534301, -31870557, -16550355, 18341390, -11419951, 32013174, -10103539},
297 FieldElement{-25479301, 10876443, -11771086, -14625140, -12369567, 1838104, 21911214, 6354752, 4425632, -837822},
298 },
299 {
300 FieldElement{-10433389, -14612966, 22229858, -3091047, -13191166, 776729, -17415375, -12020462, 4725005, 14044970},
301 FieldElement{19268650, -7304421, 1555349, 8692754, -21474059, -9910664, 6347390, -1411784, -19522291, -16109756},
302 FieldElement{-24864089, 12986008, -10898878, -5558584, -11312371, -148526, 19541418, 8180106, 9282262, 10282508},
303 },
304 {
305 FieldElement{-26205082, 4428547, -8661196, -13194263, 4098402, -14165257, 15522535, 8372215, 5542595, -10702683},
306 FieldElement{-10562541, 14895633, 26814552, -16673850, -17480754, -2489360, -2781891, 6993761, -18093885, 10114655},
307 FieldElement{-20107055, -929418, 31422704, 10427861, -7110749, 6150669, -29091755, -11529146, 25953725, -106158},
308 },
309 {
310 FieldElement{-4234397, -8039292, -9119125, 3046000, 2101609, -12607294, 19390020, 6094296, -3315279, 12831125},
311 FieldElement{-15998678, 7578152, 5310217, 14408357, -33548620, -224739, 31575954, 6326196, 7381791, -2421839},
312 FieldElement{-20902779, 3296811, 24736065, -16328389, 18374254, 7318640, 6295303, 8082724, -15362489, 12339664},
313 },
314 {
315 FieldElement{27724736, 2291157, 6088201, -14184798, 1792727, 5857634, 13848414, 15768922, 25091167, 14856294},
316 FieldElement{-18866652, 8331043, 24373479, 8541013, -701998, -9269457, 12927300, -12695493, -22182473, -9012899},
317 FieldElement{-11423429, -5421590, 11632845, 3405020, 30536730, -11674039, -27260765, 13866390, 30146206, 9142070},
318 },
319 {
320 FieldElement{3924129, -15307516, -13817122, -10054960, 12291820, -668366, -27702774, 9326384, -8237858, 4171294},
321 FieldElement{-15921940, 16037937, 6713787, 16606682, -21612135, 2790944, 26396185, 3731949, 345228, -5462949},
322 FieldElement{-21327538, 13448259, 25284571, 1143661, 20614966, -8849387, 2031539, -12391231, -16253183, -13582083},
323 },
324 {
325 FieldElement{31016211, -16722429, 26371392, -14451233, -5027349, 14854137, 17477601, 3842657, 28012650, -16405420},
326 FieldElement{-5075835, 9368966, -8562079, -4600902, -15249953, 6970560, -9189873, 16292057, -8867157, 3507940},
327 FieldElement{29439664, 3537914, 23333589, 6997794, -17555561, -11018068, -15209202, -15051267, -9164929, 6580396},
328 },
329 },
330 {
331 {
332 FieldElement{-12185861, -7679788, 16438269, 10826160, -8696817, -6235611, 17860444, -9273846, -2095802, 9304567},
333 FieldElement{20714564, -4336911, 29088195, 7406487, 11426967, -5095705, 14792667, -14608617, 5289421, -477127},
334 FieldElement{-16665533, -10650790, -6160345, -13305760, 9192020, -1802462, 17271490, 12349094, 26939669, -3752294},
335 },
336 {
337 FieldElement{-12889898, 9373458, 31595848, 16374215, 21471720, 13221525, -27283495, -12348559, -3698806, 117887},
338 FieldElement{22263325, -6560050, 3984570, -11174646, -15114008, -566785, 28311253, 5358056, -23319780, 541964},
339 FieldElement{16259219, 3261970, 2309254, -15534474, -16885711, -4581916, 24134070, -16705829, -13337066, -13552195},
340 },
341 {
342 FieldElement{9378160, -13140186, -22845982, -12745264, 28198281, -7244098, -2399684, -717351, 690426, 14876244},
343 FieldElement{24977353, -314384, -8223969, -13465086, 28432343, -1176353, -13068804, -12297348, -22380984, 6618999},
344 FieldElement{-1538174, 11685646, 12944378, 13682314, -24389511, -14413193, 8044829, -13817328, 32239829, -5652762},
345 },
346 {
347 FieldElement{-18603066, 4762990, -926250, 8885304, -28412480, -3187315, 9781647, -10350059, 32779359, 5095274},
348 FieldElement{-33008130, -5214506, -32264887, -3685216, 9460461, -9327423, -24601656, 14506724, 21639561, -2630236},
349 FieldElement{-16400943, -13112215, 25239338, 15531969, 3987758, -4499318, -1289502, -6863535, 17874574, 558605},
350 },
351 {
352 FieldElement{-13600129, 10240081, 9171883, 16131053, -20869254, 9599700, 33499487, 5080151, 2085892, 5119761},
353 FieldElement{-22205145, -2519528, -16381601, 414691, -25019550, 2170430, 30634760, -8363614, -31999993, -5759884},
354 FieldElement{-6845704, 15791202, 8550074, -1312654, 29928809, -12092256, 27534430, -7192145, -22351378, 12961482},
355 },
356 {
357 FieldElement{-24492060, -9570771, 10368194, 11582341, -23397293, -2245287, 16533930, 8206996, -30194652, -5159638},
358 FieldElement{-11121496, -3382234, 2307366, 6362031, -135455, 8868177, -16835630, 7031275, 7589640, 8945490},
359 FieldElement{-32152748, 8917967, 6661220, -11677616, -1192060, -15793393, 7251489, -11182180, 24099109, -14456170},
360 },
361 {
362 FieldElement{5019558, -7907470, 4244127, -14714356, -26933272, 6453165, -19118182, -13289025, -6231896, -10280736},
363 FieldElement{10853594, 10721687, 26480089, 5861829, -22995819, 1972175, -1866647, -10557898, -3363451, -6441124},
364 FieldElement{-17002408, 5906790, 221599, -6563147, 7828208, -13248918, 24362661, -2008168, -13866408, 7421392},
365 },
366 {
367 FieldElement{8139927, -6546497, 32257646, -5890546, 30375719, 1886181, -21175108, 15441252, 28826358, -4123029},
368 FieldElement{6267086, 9695052, 7709135, -16603597, -32869068, -1886135, 14795160, -7840124, 13746021, -1742048},
369 FieldElement{28584902, 7787108, -6732942, -15050729, 22846041, -7571236, -3181936, -363524, 4771362, -8419958},
370 },
371 },
372 {
373 {
374 FieldElement{24949256, 6376279, -27466481, -8174608, -18646154, -9930606, 33543569, -12141695, 3569627, 11342593},
375 FieldElement{26514989, 4740088, 27912651, 3697550, 19331575, -11472339, 6809886, 4608608, 7325975, -14801071},
376 FieldElement{-11618399, -14554430, -24321212, 7655128, -1369274, 5214312, -27400540, 10258390, -17646694, -8186692},
377 },
378 {
379 FieldElement{11431204, 15823007, 26570245, 14329124, 18029990, 4796082, -31446179, 15580664, 9280358, -3973687},
380 FieldElement{-160783, -10326257, -22855316, -4304997, -20861367, -13621002, -32810901, -11181622, -15545091, 4387441},
381 FieldElement{-20799378, 12194512, 3937617, -5805892, -27154820, 9340370, -24513992, 8548137, 20617071, -7482001},
382 },
383 {
384 FieldElement{-938825, -3930586, -8714311, 16124718, 24603125, -6225393, -13775352, -11875822, 24345683, 10325460},
385 FieldElement{-19855277, -1568885, -22202708, 8714034, 14007766, 6928528, 16318175, -1010689, 4766743, 3552007},
386 FieldElement{-21751364, -16730916, 1351763, -803421, -4009670, 3950935, 3217514, 14481909, 10988822, -3994762},
387 },
388 {
389 FieldElement{15564307, -14311570, 3101243, 5684148, 30446780, -8051356, 12677127, -6505343, -8295852, 13296005},
390 FieldElement{-9442290, 6624296, -30298964, -11913677, -4670981, -2057379, 31521204, 9614054, -30000824, 12074674},
391 FieldElement{4771191, -135239, 14290749, -13089852, 27992298, 14998318, -1413936, -1556716, 29832613, -16391035},
392 },
393 {
394 FieldElement{7064884, -7541174, -19161962, -5067537, -18891269, -2912736, 25825242, 5293297, -27122660, 13101590},
395 FieldElement{-2298563, 2439670, -7466610, 1719965, -27267541, -16328445, 32512469, -5317593, -30356070, -4190957},
396 FieldElement{-30006540, 10162316, -33180176, 3981723, -16482138, -13070044, 14413974, 9515896, 19568978, 9628812},
397 },
398 {
399 FieldElement{33053803, 199357, 15894591, 1583059, 27380243, -4580435, -17838894, -6106839, -6291786, 3437740},
400 FieldElement{-18978877, 3884493, 19469877, 12726490, 15913552, 13614290, -22961733, 70104, 7463304, 4176122},
401 FieldElement{-27124001, 10659917, 11482427, -16070381, 12771467, -6635117, -32719404, -5322751, 24216882, 5944158},
402 },
403 {
404 FieldElement{8894125, 7450974, -2664149, -9765752, -28080517, -12389115, 19345746, 14680796, 11632993, 5847885},
405 FieldElement{26942781, -2315317, 9129564, -4906607, 26024105, 11769399, -11518837, 6367194, -9727230, 4782140},
406 FieldElement{19916461, -4828410, -22910704, -11414391, 25606324, -5972441, 33253853, 8220911, 6358847, -1873857},
407 },
408 {
409 FieldElement{801428, -2081702, 16569428, 11065167, 29875704, 96627, 7908388, -4480480, -13538503, 1387155},
410 FieldElement{19646058, 5720633, -11416706, 12814209, 11607948, 12749789, 14147075, 15156355, -21866831, 11835260},
411 FieldElement{19299512, 1155910, 28703737, 14890794, 2925026, 7269399, 26121523, 15467869, -26560550, 5052483},
412 },
413 },
414 {
415 {
416 FieldElement{-3017432, 10058206, 1980837, 3964243, 22160966, 12322533, -6431123, -12618185, 12228557, -7003677},
417 FieldElement{32944382, 14922211, -22844894, 5188528, 21913450, -8719943, 4001465, 13238564, -6114803, 8653815},
418 FieldElement{22865569, -4652735, 27603668, -12545395, 14348958, 8234005, 24808405, 5719875, 28483275, 2841751},
419 },
420 {
421 FieldElement{-16420968, -1113305, -327719, -12107856, 21886282, -15552774, -1887966, -315658, 19932058, -12739203},
422 FieldElement{-11656086, 10087521, -8864888, -5536143, -19278573, -3055912, 3999228, 13239134, -4777469, -13910208},
423 FieldElement{1382174, -11694719, 17266790, 9194690, -13324356, 9720081, 20403944, 11284705, -14013818, 3093230},
424 },
425 {
426 FieldElement{16650921, -11037932, -1064178, 1570629, -8329746, 7352753, -302424, 16271225, -24049421, -6691850},
427 FieldElement{-21911077, -5927941, -4611316, -5560156, -31744103, -10785293, 24123614, 15193618, -21652117, -16739389},
428 FieldElement{-9935934, -4289447, -25279823, 4372842, 2087473, 10399484, 31870908, 14690798, 17361620, 11864968},
429 },
430 {
431 FieldElement{-11307610, 6210372, 13206574, 5806320, -29017692, -13967200, -12331205, -7486601, -25578460, -16240689},
432 FieldElement{14668462, -12270235, 26039039, 15305210, 25515617, 4542480, 10453892, 6577524, 9145645, -6443880},
433 FieldElement{5974874, 3053895, -9433049, -10385191, -31865124, 3225009, -7972642, 3936128, -5652273, -3050304},
434 },
435 {
436 FieldElement{30625386, -4729400, -25555961, -12792866, -20484575, 7695099, 17097188, -16303496, -27999779, 1803632},
437 FieldElement{-3553091, 9865099, -5228566, 4272701, -5673832, -16689700, 14911344, 12196514, -21405489, 7047412},
438 FieldElement{20093277, 9920966, -11138194, -5343857, 13161587, 12044805, -32856851, 4124601, -32343828, -10257566},
439 },
440 {
441 FieldElement{-20788824, 14084654, -13531713, 7842147, 19119038, -13822605, 4752377, -8714640, -21679658, 2288038},
442 FieldElement{-26819236, -3283715, 29965059, 3039786, -14473765, 2540457, 29457502, 14625692, -24819617, 12570232},
443 FieldElement{-1063558, -11551823, 16920318, 12494842, 1278292, -5869109, -21159943, -3498680, -11974704, 4724943},
444 },
445 {
446 FieldElement{17960970, -11775534, -4140968, -9702530, -8876562, -1410617, -12907383, -8659932, -29576300, 1903856},
447 FieldElement{23134274, -14279132, -10681997, -1611936, 20684485, 15770816, -12989750, 3190296, 26955097, 14109738},
448 FieldElement{15308788, 5320727, -30113809, -14318877, 22902008, 7767164, 29425325, -11277562, 31960942, 11934971},
449 },
450 {
451 FieldElement{-27395711, 8435796, 4109644, 12222639, -24627868, 14818669, 20638173, 4875028, 10491392, 1379718},
452 FieldElement{-13159415, 9197841, 3875503, -8936108, -1383712, -5879801, 33518459, 16176658, 21432314, 12180697},
453 FieldElement{-11787308, 11500838, 13787581, -13832590, -22430679, 10140205, 1465425, 12689540, -10301319, -13872883},
454 },
455 },
456 {
457 {
458 FieldElement{5414091, -15386041, -21007664, 9643570, 12834970, 1186149, -2622916, -1342231, 26128231, 6032912},
459 FieldElement{-26337395, -13766162, 32496025, -13653919, 17847801, -12669156, 3604025, 8316894, -25875034, -10437358},
460 FieldElement{3296484, 6223048, 24680646, -12246460, -23052020, 5903205, -8862297, -4639164, 12376617, 3188849},
461 },
462 {
463 FieldElement{29190488, -14659046, 27549113, -1183516, 3520066, -10697301, 32049515, -7309113, -16109234, -9852307},
464 FieldElement{-14744486, -9309156, 735818, -598978, -20407687, -5057904, 25246078, -15795669, 18640741, -960977},
465 FieldElement{-6928835, -16430795, 10361374, 5642961, 4910474, 12345252, -31638386, -494430, 10530747, 1053335},
466 },
467 {
468 FieldElement{-29265967, -14186805, -13538216, -12117373, -19457059, -10655384, -31462369, -2948985, 24018831, 15026644},
469 FieldElement{-22592535, -3145277, -2289276, 5953843, -13440189, 9425631, 25310643, 13003497, -2314791, -15145616},
470 FieldElement{-27419985, -603321, -8043984, -1669117, -26092265, 13987819, -27297622, 187899, -23166419, -2531735},
471 },
472 {
473 FieldElement{-21744398, -13810475, 1844840, 5021428, -10434399, -15911473, 9716667, 16266922, -5070217, 726099},
474 FieldElement{29370922, -6053998, 7334071, -15342259, 9385287, 2247707, -13661962, -4839461, 30007388, -15823341},
475 FieldElement{-936379, 16086691, 23751945, -543318, -1167538, -5189036, 9137109, 730663, 9835848, 4555336},
476 },
477 {
478 FieldElement{-23376435, 1410446, -22253753, -12899614, 30867635, 15826977, 17693930, 544696, -11985298, 12422646},
479 FieldElement{31117226, -12215734, -13502838, 6561947, -9876867, -12757670, -5118685, -4096706, 29120153, 13924425},
480 FieldElement{-17400879, -14233209, 19675799, -2734756, -11006962, -5858820, -9383939, -11317700, 7240931, -237388},
481 },
482 {
483 FieldElement{-31361739, -11346780, -15007447, -5856218, -22453340, -12152771, 1222336, 4389483, 3293637, -15551743},
484 FieldElement{-16684801, -14444245, 11038544, 11054958, -13801175, -3338533, -24319580, 7733547, 12796905, -6335822},
485 FieldElement{-8759414, -10817836, -25418864, 10783769, -30615557, -9746811, -28253339, 3647836, 3222231, -11160462},
486 },
487 {
488 FieldElement{18606113, 1693100, -25448386, -15170272, 4112353, 10045021, 23603893, -2048234, -7550776, 2484985},
489 FieldElement{9255317, -3131197, -12156162, -1004256, 13098013, -9214866, 16377220, -2102812, -19802075, -3034702},
490 FieldElement{-22729289, 7496160, -5742199, 11329249, 19991973, -3347502, -31718148, 9936966, -30097688, -10618797},
491 },
492 {
493 FieldElement{21878590, -5001297, 4338336, 13643897, -3036865, 13160960, 19708896, 5415497, -7360503, -4109293},
494 FieldElement{27736861, 10103576, 12500508, 8502413, -3413016, -9633558, 10436918, -1550276, -23659143, -8132100},
495 FieldElement{19492550, -12104365, -29681976, -852630, -3208171, 12403437, 30066266, 8367329, 13243957, 8709688},
496 },
497 },
498 {
499 {
500 FieldElement{12015105, 2801261, 28198131, 10151021, 24818120, -4743133, -11194191, -5645734, 5150968, 7274186},
501 FieldElement{2831366, -12492146, 1478975, 6122054, 23825128, -12733586, 31097299, 6083058, 31021603, -9793610},
502 FieldElement{-2529932, -2229646, 445613, 10720828, -13849527, -11505937, -23507731, 16354465, 15067285, -14147707},
503 },
504 {
505 FieldElement{7840942, 14037873, -33364863, 15934016, -728213, -3642706, 21403988, 1057586, -19379462, -12403220},
506 FieldElement{915865, -16469274, 15608285, -8789130, -24357026, 6060030, -17371319, 8410997, -7220461, 16527025},
507 FieldElement{32922597, -556987, 20336074, -16184568, 10903705, -5384487, 16957574, 52992, 23834301, 6588044},
508 },
509 {
510 FieldElement{32752030, 11232950, 3381995, -8714866, 22652988, -10744103, 17159699, 16689107, -20314580, -1305992},
511 FieldElement{-4689649, 9166776, -25710296, -10847306, 11576752, 12733943, 7924251, -2752281, 1976123, -7249027},
512 FieldElement{21251222, 16309901, -2983015, -6783122, 30810597, 12967303, 156041, -3371252, 12331345, -8237197},
513 },
514 {
515 FieldElement{8651614, -4477032, -16085636, -4996994, 13002507, 2950805, 29054427, -5106970, 10008136, -4667901},
516 FieldElement{31486080, 15114593, -14261250, 12951354, 14369431, -7387845, 16347321, -13662089, 8684155, -10532952},
517 FieldElement{19443825, 11385320, 24468943, -9659068, -23919258, 2187569, -26263207, -6086921, 31316348, 14219878},
518 },
519 {
520 FieldElement{-28594490, 1193785, 32245219, 11392485, 31092169, 15722801, 27146014, 6992409, 29126555, 9207390},
521 FieldElement{32382935, 1110093, 18477781, 11028262, -27411763, -7548111, -4980517, 10843782, -7957600, -14435730},
522 FieldElement{2814918, 7836403, 27519878, -7868156, -20894015, -11553689, -21494559, 8550130, 28346258, 1994730},
523 },
524 {
525 FieldElement{-19578299, 8085545, -14000519, -3948622, 2785838, -16231307, -19516951, 7174894, 22628102, 8115180},
526 FieldElement{-30405132, 955511, -11133838, -15078069, -32447087, -13278079, -25651578, 3317160, -9943017, 930272},
527 FieldElement{-15303681, -6833769, 28856490, 1357446, 23421993, 1057177, 24091212, -1388970, -22765376, -10650715},
528 },
529 {
530 FieldElement{-22751231, -5303997, -12907607, -12768866, -15811511, -7797053, -14839018, -16554220, -1867018, 8398970},
531 FieldElement{-31969310, 2106403, -4736360, 1362501, 12813763, 16200670, 22981545, -6291273, 18009408, -15772772},
532 FieldElement{-17220923, -9545221, -27784654, 14166835, 29815394, 7444469, 29551787, -3727419, 19288549, 1325865},
533 },
534 {
535 FieldElement{15100157, -15835752, -23923978, -1005098, -26450192, 15509408, 12376730, -3479146, 33166107, -8042750},
536 FieldElement{20909231, 13023121, -9209752, 16251778, -5778415, -8094914, 12412151, 10018715, 2213263, -13878373},
537 FieldElement{32529814, -11074689, 30361439, -16689753, -9135940, 1513226, 22922121, 6382134, -5766928, 8371348},
538 },
539 },
540 {
541 {
542 FieldElement{9923462, 11271500, 12616794, 3544722, -29998368, -1721626, 12891687, -8193132, -26442943, 10486144},
543 FieldElement{-22597207, -7012665, 8587003, -8257861, 4084309, -12970062, 361726, 2610596, -23921530, -11455195},
544 FieldElement{5408411, -1136691, -4969122, 10561668, 24145918, 14240566, 31319731, -4235541, 19985175, -3436086},
545 },
546 {
547 FieldElement{-13994457, 16616821, 14549246, 3341099, 32155958, 13648976, -17577068, 8849297, 65030, 8370684},
548 FieldElement{-8320926, -12049626, 31204563, 5839400, -20627288, -1057277, -19442942, 6922164, 12743482, -9800518},
549 FieldElement{-2361371, 12678785, 28815050, 4759974, -23893047, 4884717, 23783145, 11038569, 18800704, 255233},
550 },
551 {
552 FieldElement{-5269658, -1773886, 13957886, 7990715, 23132995, 728773, 13393847, 9066957, 19258688, -14753793},
553 FieldElement{-2936654, -10827535, -10432089, 14516793, -3640786, 4372541, -31934921, 2209390, -1524053, 2055794},
554 FieldElement{580882, 16705327, 5468415, -2683018, -30926419, -14696000, -7203346, -8994389, -30021019, 7394435},
555 },
556 {
557 FieldElement{23838809, 1822728, -15738443, 15242727, 8318092, -3733104, -21672180, -3492205, -4821741, 14799921},
558 FieldElement{13345610, 9759151, 3371034, -16137791, 16353039, 8577942, 31129804, 13496856, -9056018, 7402518},
559 FieldElement{2286874, -4435931, -20042458, -2008336, -13696227, 5038122, 11006906, -15760352, 8205061, 1607563},
560 },
561 {
562 FieldElement{14414086, -8002132, 3331830, -3208217, 22249151, -5594188, 18364661, -2906958, 30019587, -9029278},
563 FieldElement{-27688051, 1585953, -10775053, 931069, -29120221, -11002319, -14410829, 12029093, 9944378, 8024},
564 FieldElement{4368715, -3709630, 29874200, -15022983, -20230386, -11410704, -16114594, -999085, -8142388, 5640030},
565 },
566 {
567 FieldElement{10299610, 13746483, 11661824, 16234854, 7630238, 5998374, 9809887, -16694564, 15219798, -14327783},
568 FieldElement{27425505, -5719081, 3055006, 10660664, 23458024, 595578, -15398605, -1173195, -18342183, 9742717},
569 FieldElement{6744077, 2427284, 26042789, 2720740, -847906, 1118974, 32324614, 7406442, 12420155, 1994844},
570 },
571 {
572 FieldElement{14012521, -5024720, -18384453, -9578469, -26485342, -3936439, -13033478, -10909803, 24319929, -6446333},
573 FieldElement{16412690, -4507367, 10772641, 15929391, -17068788, -4658621, 10555945, -10484049, -30102368, -4739048},
574 FieldElement{22397382, -7767684, -9293161, -12792868, 17166287, -9755136, -27333065, 6199366, 21880021, -12250760},
575 },
576 {
577 FieldElement{-4283307, 5368523, -31117018, 8163389, -30323063, 3209128, 16557151, 8890729, 8840445, 4957760},
578 FieldElement{-15447727, 709327, -6919446, -10870178, -29777922, 6522332, -21720181, 12130072, -14796503, 5005757},
579 FieldElement{-2114751, -14308128, 23019042, 15765735, -25269683, 6002752, 10183197, -13239326, -16395286, -2176112},
580 },
581 },
582 {
583 {
584 FieldElement{-19025756, 1632005, 13466291, -7995100, -23640451, 16573537, -32013908, -3057104, 22208662, 2000468},
585 FieldElement{3065073, -1412761, -25598674, -361432, -17683065, -5703415, -8164212, 11248527, -3691214, -7414184},
586 FieldElement{10379208, -6045554, 8877319, 1473647, -29291284, -12507580, 16690915, 2553332, -3132688, 16400289},
587 },
588 {
589 FieldElement{15716668, 1254266, -18472690, 7446274, -8448918, 6344164, -22097271, -7285580, 26894937, 9132066},
590 FieldElement{24158887, 12938817, 11085297, -8177598, -28063478, -4457083, -30576463, 64452, -6817084, -2692882},
591 FieldElement{13488534, 7794716, 22236231, 5989356, 25426474, -12578208, 2350710, -3418511, -4688006, 2364226},
592 },
593 {
594 FieldElement{16335052, 9132434, 25640582, 6678888, 1725628, 8517937, -11807024, -11697457, 15445875, -7798101},
595 FieldElement{29004207, -7867081, 28661402, -640412, -12794003, -7943086, 31863255, -4135540, -278050, -15759279},
596 FieldElement{-6122061, -14866665, -28614905, 14569919, -10857999, -3591829, 10343412, -6976290, -29828287, -10815811},
597 },
598 {
599 FieldElement{27081650, 3463984, 14099042, -4517604, 1616303, -6205604, 29542636, 15372179, 17293797, 960709},
600 FieldElement{20263915, 11434237, -5765435, 11236810, 13505955, -10857102, -16111345, 6493122, -19384511, 7639714},
601 FieldElement{-2830798, -14839232, 25403038, -8215196, -8317012, -16173699, 18006287, -16043750, 29994677, -15808121},
602 },
603 {
604 FieldElement{9769828, 5202651, -24157398, -13631392, -28051003, -11561624, -24613141, -13860782, -31184575, 709464},
605 FieldElement{12286395, 13076066, -21775189, -1176622, -25003198, 4057652, -32018128, -8890874, 16102007, 13205847},
606 FieldElement{13733362, 5599946, 10557076, 3195751, -5557991, 8536970, -25540170, 8525972, 10151379, 10394400},
607 },
608 {
609 FieldElement{4024660, -16137551, 22436262, 12276534, -9099015, -2686099, 19698229, 11743039, -33302334, 8934414},
610 FieldElement{-15879800, -4525240, -8580747, -2934061, 14634845, -698278, -9449077, 3137094, -11536886, 11721158},
611 FieldElement{17555939, -5013938, 8268606, 2331751, -22738815, 9761013, 9319229, 8835153, -9205489, -1280045},
612 },
613 {
614 FieldElement{-461409, -7830014, 20614118, 16688288, -7514766, -4807119, 22300304, 505429, 6108462, -6183415},
615 FieldElement{-5070281, 12367917, -30663534, 3234473, 32617080, -8422642, 29880583, -13483331, -26898490, -7867459},
616 FieldElement{-31975283, 5726539, 26934134, 10237677, -3173717, -605053, 24199304, 3795095, 7592688, -14992079},
617 },
618 {
619 FieldElement{21594432, -14964228, 17466408, -4077222, 32537084, 2739898, 6407723, 12018833, -28256052, 4298412},
620 FieldElement{-20650503, -11961496, -27236275, 570498, 3767144, -1717540, 13891942, -1569194, 13717174, 10805743},
621 FieldElement{-14676630, -15644296, 15287174, 11927123, 24177847, -8175568, -796431, 14860609, -26938930, -5863836},
622 },
623 },
624 {
625 {
626 FieldElement{12962541, 5311799, -10060768, 11658280, 18855286, -7954201, 13286263, -12808704, -4381056, 9882022},
627 FieldElement{18512079, 11319350, -20123124, 15090309, 18818594, 5271736, -22727904, 3666879, -23967430, -3299429},
628 FieldElement{-6789020, -3146043, 16192429, 13241070, 15898607, -14206114, -10084880, -6661110, -2403099, 5276065},
629 },
630 {
631 FieldElement{30169808, -5317648, 26306206, -11750859, 27814964, 7069267, 7152851, 3684982, 1449224, 13082861},
632 FieldElement{10342826, 3098505, 2119311, 193222, 25702612, 12233820, 23697382, 15056736, -21016438, -8202000},
633 FieldElement{-33150110, 3261608, 22745853, 7948688, 19370557, -15177665, -26171976, 6482814, -10300080, -11060101},
634 },
635 {
636 FieldElement{32869458, -5408545, 25609743, 15678670, -10687769, -15471071, 26112421, 2521008, -22664288, 6904815},
637 FieldElement{29506923, 4457497, 3377935, -9796444, -30510046, 12935080, 1561737, 3841096, -29003639, -6657642},
638 FieldElement{10340844, -6630377, -18656632, -2278430, 12621151, -13339055, 30878497, -11824370, -25584551, 5181966},
639 },
640 {
641 FieldElement{25940115, -12658025, 17324188, -10307374, -8671468, 15029094, 24396252, -16450922, -2322852, -12388574},
642 FieldElement{-21765684, 9916823, -1300409, 4079498, -1028346, 11909559, 1782390, 12641087, 20603771, -6561742},
643 FieldElement{-18882287, -11673380, 24849422, 11501709, 13161720, -4768874, 1925523, 11914390, 4662781, 7820689},
644 },
645 {
646 FieldElement{12241050, -425982, 8132691, 9393934, 32846760, -1599620, 29749456, 12172924, 16136752, 15264020},
647 FieldElement{-10349955, -14680563, -8211979, 2330220, -17662549, -14545780, 10658213, 6671822, 19012087, 3772772},
648 FieldElement{3753511, -3421066, 10617074, 2028709, 14841030, -6721664, 28718732, -15762884, 20527771, 12988982},
649 },
650 {
651 FieldElement{-14822485, -5797269, -3707987, 12689773, -898983, -10914866, -24183046, -10564943, 3299665, -12424953},
652 FieldElement{-16777703, -15253301, -9642417, 4978983, 3308785, 8755439, 6943197, 6461331, -25583147, 8991218},
653 FieldElement{-17226263, 1816362, -1673288, -6086439, 31783888, -8175991, -32948145, 7417950, -30242287, 1507265},
654 },
655 {
656 FieldElement{29692663, 6829891, -10498800, 4334896, 20945975, -11906496, -28887608, 8209391, 14606362, -10647073},
657 FieldElement{-3481570, 8707081, 32188102, 5672294, 22096700, 1711240, -33020695, 9761487, 4170404, -2085325},
658 FieldElement{-11587470, 14855945, -4127778, -1531857, -26649089, 15084046, 22186522, 16002000, -14276837, -8400798},
659 },
660 {
661 FieldElement{-4811456, 13761029, -31703877, -2483919, -3312471, 7869047, -7113572, -9620092, 13240845, 10965870},
662 FieldElement{-7742563, -8256762, -14768334, -13656260, -23232383, 12387166, 4498947, 14147411, 29514390, 4302863},
663 FieldElement{-13413405, -12407859, 20757302, -13801832, 14785143, 8976368, -5061276, -2144373, 17846988, -13971927},
664 },
665 },
666 {
667 {
668 FieldElement{-2244452, -754728, -4597030, -1066309, -6247172, 1455299, -21647728, -9214789, -5222701, 12650267},
669 FieldElement{-9906797, -16070310, 21134160, 12198166, -27064575, 708126, 387813, 13770293, -19134326, 10958663},
670 FieldElement{22470984, 12369526, 23446014, -5441109, -21520802, -9698723, -11772496, -11574455, -25083830, 4271862},
671 },
672 {
673 FieldElement{-25169565, -10053642, -19909332, 15361595, -5984358, 2159192, 75375, -4278529, -32526221, 8469673},
674 FieldElement{15854970, 4148314, -8893890, 7259002, 11666551, 13824734, -30531198, 2697372, 24154791, -9460943},
675 FieldElement{15446137, -15806644, 29759747, 14019369, 30811221, -9610191, -31582008, 12840104, 24913809, 9815020},
676 },
677 {
678 FieldElement{-4709286, -5614269, -31841498, -12288893, -14443537, 10799414, -9103676, 13438769, 18735128, 9466238},
679 FieldElement{11933045, 9281483, 5081055, -5183824, -2628162, -4905629, -7727821, -10896103, -22728655, 16199064},
680 FieldElement{14576810, 379472, -26786533, -8317236, -29426508, -10812974, -102766, 1876699, 30801119, 2164795},
681 },
682 {
683 FieldElement{15995086, 3199873, 13672555, 13712240, -19378835, -4647646, -13081610, -15496269, -13492807, 1268052},
684 FieldElement{-10290614, -3659039, -3286592, 10948818, 23037027, 3794475, -3470338, -12600221, -17055369, 3565904},
685 FieldElement{29210088, -9419337, -5919792, -4952785, 10834811, -13327726, -16512102, -10820713, -27162222, -14030531},
686 },
687 {
688 FieldElement{-13161890, 15508588, 16663704, -8156150, -28349942, 9019123, -29183421, -3769423, 2244111, -14001979},
689 FieldElement{-5152875, -3800936, -9306475, -6071583, 16243069, 14684434, -25673088, -16180800, 13491506, 4641841},
690 FieldElement{10813417, 643330, -19188515, -728916, 30292062, -16600078, 27548447, -7721242, 14476989, -12767431},
691 },
692 {
693 FieldElement{10292079, 9984945, 6481436, 8279905, -7251514, 7032743, 27282937, -1644259, -27912810, 12651324},
694 FieldElement{-31185513, -813383, 22271204, 11835308, 10201545, 15351028, 17099662, 3988035, 21721536, -3148940},
695 FieldElement{10202177, -6545839, -31373232, -9574638, -32150642, -8119683, -12906320, 3852694, 13216206, 14842320},
696 },
697 {
698 FieldElement{-15815640, -10601066, -6538952, -7258995, -6984659, -6581778, -31500847, 13765824, -27434397, 9900184},
699 FieldElement{14465505, -13833331, -32133984, -14738873, -27443187, 12990492, 33046193, 15796406, -7051866, -8040114},
700 FieldElement{30924417, -8279620, 6359016, -12816335, 16508377, 9071735, -25488601, 15413635, 9524356, -7018878},
701 },
702 {
703 FieldElement{12274201, -13175547, 32627641, -1785326, 6736625, 13267305, 5237659, -5109483, 15663516, 4035784},
704 FieldElement{-2951309, 8903985, 17349946, 601635, -16432815, -4612556, -13732739, -15889334, -22258478, 4659091},
705 FieldElement{-16916263, -4952973, -30393711, -15158821, 20774812, 15897498, 5736189, 15026997, -2178256, -13455585},
706 },
707 },
708 {
709 {
710 FieldElement{-8858980, -2219056, 28571666, -10155518, -474467, -10105698, -3801496, 278095, 23440562, -290208},
711 FieldElement{10226241, -5928702, 15139956, 120818, -14867693, 5218603, 32937275, 11551483, -16571960, -7442864},
712 FieldElement{17932739, -12437276, -24039557, 10749060, 11316803, 7535897, 22503767, 5561594, -3646624, 3898661},
713 },
714 {
715 FieldElement{7749907, -969567, -16339731, -16464, -25018111, 15122143, -1573531, 7152530, 21831162, 1245233},
716 FieldElement{26958459, -14658026, 4314586, 8346991, -5677764, 11960072, -32589295, -620035, -30402091, -16716212},
717 FieldElement{-12165896, 9166947, 33491384, 13673479, 29787085, 13096535, 6280834, 14587357, -22338025, 13987525},
718 },
719 {
720 FieldElement{-24349909, 7778775, 21116000, 15572597, -4833266, -5357778, -4300898, -5124639, -7469781, -2858068},
721 FieldElement{9681908, -6737123, -31951644, 13591838, -6883821, 386950, 31622781, 6439245, -14581012, 4091397},
722 FieldElement{-8426427, 1470727, -28109679, -1596990, 3978627, -5123623, -19622683, 12092163, 29077877, -14741988},
723 },
724 {
725 FieldElement{5269168, -6859726, -13230211, -8020715, 25932563, 1763552, -5606110, -5505881, -20017847, 2357889},
726 FieldElement{32264008, -15407652, -5387735, -1160093, -2091322, -3946900, 23104804, -12869908, 5727338, 189038},
727 FieldElement{14609123, -8954470, -6000566, -16622781, -14577387, -7743898, -26745169, 10942115, -25888931, -14884697},
728 },
729 {
730 FieldElement{20513500, 5557931, -15604613, 7829531, 26413943, -2019404, -21378968, 7471781, 13913677, -5137875},
731 FieldElement{-25574376, 11967826, 29233242, 12948236, -6754465, 4713227, -8940970, 14059180, 12878652, 8511905},
732 FieldElement{-25656801, 3393631, -2955415, -7075526, -2250709, 9366908, -30223418, 6812974, 5568676, -3127656},
733 },
734 {
735 FieldElement{11630004, 12144454, 2116339, 13606037, 27378885, 15676917, -17408753, -13504373, -14395196, 8070818},
736 FieldElement{27117696, -10007378, -31282771, -5570088, 1127282, 12772488, -29845906, 10483306, -11552749, -1028714},
737 FieldElement{10637467, -5688064, 5674781, 1072708, -26343588, -6982302, -1683975, 9177853, -27493162, 15431203},
738 },
739 {
740 FieldElement{20525145, 10892566, -12742472, 12779443, -29493034, 16150075, -28240519, 14943142, -15056790, -7935931},
741 FieldElement{-30024462, 5626926, -551567, -9981087, 753598, 11981191, 25244767, -3239766, -3356550, 9594024},
742 FieldElement{-23752644, 2636870, -5163910, -10103818, 585134, 7877383, 11345683, -6492290, 13352335, -10977084},
743 },
744 {
745 FieldElement{-1931799, -5407458, 3304649, -12884869, 17015806, -4877091, -29783850, -7752482, -13215537, -319204},
746 FieldElement{20239939, 6607058, 6203985, 3483793, -18386976, -779229, -20723742, 15077870, -22750759, 14523817},
747 FieldElement{27406042, -6041657, 27423596, -4497394, 4996214, 10002360, -28842031, -4545494, -30172742, -4805667},
748 },
749 },
750 {
751 {
752 FieldElement{11374242, 12660715, 17861383, -12540833, 10935568, 1099227, -13886076, -9091740, -27727044, 11358504},
753 FieldElement{-12730809, 10311867, 1510375, 10778093, -2119455, -9145702, 32676003, 11149336, -26123651, 4985768},
754 FieldElement{-19096303, 341147, -6197485, -239033, 15756973, -8796662, -983043, 13794114, -19414307, -15621255},
755 },
756 {
757 FieldElement{6490081, 11940286, 25495923, -7726360, 8668373, -8751316, 3367603, 6970005, -1691065, -9004790},
758 FieldElement{1656497, 13457317, 15370807, 6364910, 13605745, 8362338, -19174622, -5475723, -16796596, -5031438},
759 FieldElement{-22273315, -13524424, -64685, -4334223, -18605636, -10921968, -20571065, -7007978, -99853, -10237333},
760 },
761 {
762 FieldElement{17747465, 10039260, 19368299, -4050591, -20630635, -16041286, 31992683, -15857976, -29260363, -5511971},
763 FieldElement{31932027, -4986141, -19612382, 16366580, 22023614, 88450, 11371999, -3744247, 4882242, -10626905},
764 FieldElement{29796507, 37186, 19818052, 10115756, -11829032, 3352736, 18551198, 3272828, -5190932, -4162409},
765 },
766 {
767 FieldElement{12501286, 4044383, -8612957, -13392385, -32430052, 5136599, -19230378, -3529697, 330070, -3659409},
768 FieldElement{6384877, 2899513, 17807477, 7663917, -2358888, 12363165, 25366522, -8573892, -271295, 12071499},
769 FieldElement{-8365515, -4042521, 25133448, -4517355, -6211027, 2265927, -32769618, 1936675, -5159697, 3829363},
770 },
771 {
772 FieldElement{28425966, -5835433, -577090, -4697198, -14217555, 6870930, 7921550, -6567787, 26333140, 14267664},
773 FieldElement{-11067219, 11871231, 27385719, -10559544, -4585914, -11189312, 10004786, -8709488, -21761224, 8930324},
774 FieldElement{-21197785, -16396035, 25654216, -1725397, 12282012, 11008919, 1541940, 4757911, -26491501, -16408940},
775 },
776 {
777 FieldElement{13537262, -7759490, -20604840, 10961927, -5922820, -13218065, -13156584, 6217254, -15943699, 13814990},
778 FieldElement{-17422573, 15157790, 18705543, 29619, 24409717, -260476, 27361681, 9257833, -1956526, -1776914},
779 FieldElement{-25045300, -10191966, 15366585, 15166509, -13105086, 8423556, -29171540, 12361135, -18685978, 4578290},
780 },
781 {
782 FieldElement{24579768, 3711570, 1342322, -11180126, -27005135, 14124956, -22544529, 14074919, 21964432, 8235257},
783 FieldElement{-6528613, -2411497, 9442966, -5925588, 12025640, -1487420, -2981514, -1669206, 13006806, 2355433},
784 FieldElement{-16304899, -13605259, -6632427, -5142349, 16974359, -10911083, 27202044, 1719366, 1141648, -12796236},
785 },
786 {
787 FieldElement{-12863944, -13219986, -8318266, -11018091, -6810145, -4843894, 13475066, -3133972, 32674895, 13715045},
788 FieldElement{11423335, -5468059, 32344216, 8962751, 24989809, 9241752, -13265253, 16086212, -28740881, -15642093},
789 FieldElement{-1409668, 12530728, -6368726, 10847387, 19531186, -14132160, -11709148, 7791794, -27245943, 4383347},
790 },
791 },
792 {
793 {
794 FieldElement{-28970898, 5271447, -1266009, -9736989, -12455236, 16732599, -4862407, -4906449, 27193557, 6245191},
795 FieldElement{-15193956, 5362278, -1783893, 2695834, 4960227, 12840725, 23061898, 3260492, 22510453, 8577507},
796 FieldElement{-12632451, 11257346, -32692994, 13548177, -721004, 10879011, 31168030, 13952092, -29571492, -3635906},
797 },
798 {
799 FieldElement{3877321, -9572739, 32416692, 5405324, -11004407, -13656635, 3759769, 11935320, 5611860, 8164018},
800 FieldElement{-16275802, 14667797, 15906460, 12155291, -22111149, -9039718, 32003002, -8832289, 5773085, -8422109},
801 FieldElement{-23788118, -8254300, 1950875, 8937633, 18686727, 16459170, -905725, 12376320, 31632953, 190926},
802 },
803 {
804 FieldElement{-24593607, -16138885, -8423991, 13378746, 14162407, 6901328, -8288749, 4508564, -25341555, -3627528},
805 FieldElement{8884438, -5884009, 6023974, 10104341, -6881569, -4941533, 18722941, -14786005, -1672488, 827625},
806 FieldElement{-32720583, -16289296, -32503547, 7101210, 13354605, 2659080, -1800575, -14108036, -24878478, 1541286},
807 },
808 {
809 FieldElement{2901347, -1117687, 3880376, -10059388, -17620940, -3612781, -21802117, -3567481, 20456845, -1885033},
810 FieldElement{27019610, 12299467, -13658288, -1603234, -12861660, -4861471, -19540150, -5016058, 29439641, 15138866},
811 FieldElement{21536104, -6626420, -32447818, -10690208, -22408077, 5175814, -5420040, -16361163, 7779328, 109896},
812 },
813 {
814 FieldElement{30279744, 14648750, -8044871, 6425558, 13639621, -743509, 28698390, 12180118, 23177719, -554075},
815 FieldElement{26572847, 3405927, -31701700, 12890905, -19265668, 5335866, -6493768, 2378492, 4439158, -13279347},
816 FieldElement{-22716706, 3489070, -9225266, -332753, 18875722, -1140095, 14819434, -12731527, -17717757, -5461437},
817 },
818 {
819 FieldElement{-5056483, 16566551, 15953661, 3767752, -10436499, 15627060, -820954, 2177225, 8550082, -15114165},
820 FieldElement{-18473302, 16596775, -381660, 15663611, 22860960, 15585581, -27844109, -3582739, -23260460, -8428588},
821 FieldElement{-32480551, 15707275, -8205912, -5652081, 29464558, 2713815, -22725137, 15860482, -21902570, 1494193},
822 },
823 {
824 FieldElement{-19562091, -14087393, -25583872, -9299552, 13127842, 759709, 21923482, 16529112, 8742704, 12967017},
825 FieldElement{-28464899, 1553205, 32536856, -10473729, -24691605, -406174, -8914625, -2933896, -29903758, 15553883},
826 FieldElement{21877909, 3230008, 9881174, 10539357, -4797115, 2841332, 11543572, 14513274, 19375923, -12647961},
827 },
828 {
829 FieldElement{8832269, -14495485, 13253511, 5137575, 5037871, 4078777, 24880818, -6222716, 2862653, 9455043},
830 FieldElement{29306751, 5123106, 20245049, -14149889, 9592566, 8447059, -2077124, -2990080, 15511449, 4789663},
831 FieldElement{-20679756, 7004547, 8824831, -9434977, -4045704, -3750736, -5754762, 108893, 23513200, 16652362},
832 },
833 },
834 {
835 {
836 FieldElement{-33256173, 4144782, -4476029, -6579123, 10770039, -7155542, -6650416, -12936300, -18319198, 10212860},
837 FieldElement{2756081, 8598110, 7383731, -6859892, 22312759, -1105012, 21179801, 2600940, -9988298, -12506466},
838 FieldElement{-24645692, 13317462, -30449259, -15653928, 21365574, -10869657, 11344424, 864440, -2499677, -16710063},
839 },
840 {
841 FieldElement{-26432803, 6148329, -17184412, -14474154, 18782929, -275997, -22561534, 211300, 2719757, 4940997},
842 FieldElement{-1323882, 3911313, -6948744, 14759765, -30027150, 7851207, 21690126, 8518463, 26699843, 5276295},
843 FieldElement{-13149873, -6429067, 9396249, 365013, 24703301, -10488939, 1321586, 149635, -15452774, 7159369},
844 },
845 {
846 FieldElement{9987780, -3404759, 17507962, 9505530, 9731535, -2165514, 22356009, 8312176, 22477218, -8403385},
847 FieldElement{18155857, -16504990, 19744716, 9006923, 15154154, -10538976, 24256460, -4864995, -22548173, 9334109},
848 FieldElement{2986088, -4911893, 10776628, -3473844, 10620590, -7083203, -21413845, 14253545, -22587149, 536906},
849 },
850 {
851 FieldElement{4377756, 8115836, 24567078, 15495314, 11625074, 13064599, 7390551, 10589625, 10838060, -15420424},
852 FieldElement{-19342404, 867880, 9277171, -3218459, -14431572, -1986443, 19295826, -15796950, 6378260, 699185},
853 FieldElement{7895026, 4057113, -7081772, -13077756, -17886831, -323126, -716039, 15693155, -5045064, -13373962},
854 },
855 {
856 FieldElement{-7737563, -5869402, -14566319, -7406919, 11385654, 13201616, 31730678, -10962840, -3918636, -9669325},
857 FieldElement{10188286, -15770834, -7336361, 13427543, 22223443, 14896287, 30743455, 7116568, -21786507, 5427593},
858 FieldElement{696102, 13206899, 27047647, -10632082, 15285305, -9853179, 10798490, -4578720, 19236243, 12477404},
859 },
860 {
861 FieldElement{-11229439, 11243796, -17054270, -8040865, -788228, -8167967, -3897669, 11180504, -23169516, 7733644},
862 FieldElement{17800790, -14036179, -27000429, -11766671, 23887827, 3149671, 23466177, -10538171, 10322027, 15313801},
863 FieldElement{26246234, 11968874, 32263343, -5468728, 6830755, -13323031, -15794704, -101982, -24449242, 10890804},
864 },
865 {
866 FieldElement{-31365647, 10271363, -12660625, -6267268, 16690207, -13062544, -14982212, 16484931, 25180797, -5334884},
867 FieldElement{-586574, 10376444, -32586414, -11286356, 19801893, 10997610, 2276632, 9482883, 316878, 13820577},
868 FieldElement{-9882808, -4510367, -2115506, 16457136, -11100081, 11674996, 30756178, -7515054, 30696930, -3712849},
869 },
870 {
871 FieldElement{32988917, -9603412, 12499366, 7910787, -10617257, -11931514, -7342816, -9985397, -32349517, 7392473},
872 FieldElement{-8855661, 15927861, 9866406, -3649411, -2396914, -16655781, -30409476, -9134995, 25112947, -2926644},
873 FieldElement{-2504044, -436966, 25621774, -5678772, 15085042, -5479877, -24884878, -13526194, 5537438, -13914319},
874 },
875 },
876 {
877 {
878 FieldElement{-11225584, 2320285, -9584280, 10149187, -33444663, 5808648, -14876251, -1729667, 31234590, 6090599},
879 FieldElement{-9633316, 116426, 26083934, 2897444, -6364437, -2688086, 609721, 15878753, -6970405, -9034768},
880 FieldElement{-27757857, 247744, -15194774, -9002551, 23288161, -10011936, -23869595, 6503646, 20650474, 1804084},
881 },
882 {
883 FieldElement{-27589786, 15456424, 8972517, 8469608, 15640622, 4439847, 3121995, -10329713, 27842616, -202328},
884 FieldElement{-15306973, 2839644, 22530074, 10026331, 4602058, 5048462, 28248656, 5031932, -11375082, 12714369},
885 FieldElement{20807691, -7270825, 29286141, 11421711, -27876523, -13868230, -21227475, 1035546, -19733229, 12796920},
886 },
887 {
888 FieldElement{12076899, -14301286, -8785001, -11848922, -25012791, 16400684, -17591495, -12899438, 3480665, -15182815},
889 FieldElement{-32361549, 5457597, 28548107, 7833186, 7303070, -11953545, -24363064, -15921875, -33374054, 2771025},
890 FieldElement{-21389266, 421932, 26597266, 6860826, 22486084, -6737172, -17137485, -4210226, -24552282, 15673397},
891 },
892 {
893 FieldElement{-20184622, 2338216, 19788685, -9620956, -4001265, -8740893, -20271184, 4733254, 3727144, -12934448},
894 FieldElement{6120119, 814863, -11794402, -622716, 6812205, -15747771, 2019594, 7975683, 31123697, -10958981},
895 FieldElement{30069250, -11435332, 30434654, 2958439, 18399564, -976289, 12296869, 9204260, -16432438, 9648165},
896 },
897 {
898 FieldElement{32705432, -1550977, 30705658, 7451065, -11805606, 9631813, 3305266, 5248604, -26008332, -11377501},
899 FieldElement{17219865, 2375039, -31570947, -5575615, -19459679, 9219903, 294711, 15298639, 2662509, -16297073},
900 FieldElement{-1172927, -7558695, -4366770, -4287744, -21346413, -8434326, 32087529, -1222777, 32247248, -14389861},
901 },
902 {
903 FieldElement{14312628, 1221556, 17395390, -8700143, -4945741, -8684635, -28197744, -9637817, -16027623, -13378845},
904 FieldElement{-1428825, -9678990, -9235681, 6549687, -7383069, -468664, 23046502, 9803137, 17597934, 2346211},
905 FieldElement{18510800, 15337574, 26171504, 981392, -22241552, 7827556, -23491134, -11323352, 3059833, -11782870},
906 },
907 {
908 FieldElement{10141598, 6082907, 17829293, -1947643, 9830092, 13613136, -25556636, -5544586, -33502212, 3592096},
909 FieldElement{33114168, -15889352, -26525686, -13343397, 33076705, 8716171, 1151462, 1521897, -982665, -6837803},
910 FieldElement{-32939165, -4255815, 23947181, -324178, -33072974, -12305637, -16637686, 3891704, 26353178, 693168},
911 },
912 {
913 FieldElement{30374239, 1595580, -16884039, 13186931, 4600344, 406904, 9585294, -400668, 31375464, 14369965},
914 FieldElement{-14370654, -7772529, 1510301, 6434173, -18784789, -6262728, 32732230, -13108839, 17901441, 16011505},
915 FieldElement{18171223, -11934626, -12500402, 15197122, -11038147, -15230035, -19172240, -16046376, 8764035, 12309598},
916 },
917 },
918 {
919 {
920 FieldElement{5975908, -5243188, -19459362, -9681747, -11541277, 14015782, -23665757, 1228319, 17544096, -10593782},
921 FieldElement{5811932, -1715293, 3442887, -2269310, -18367348, -8359541, -18044043, -15410127, -5565381, 12348900},
922 FieldElement{-31399660, 11407555, 25755363, 6891399, -3256938, 14872274, -24849353, 8141295, -10632534, -585479},
923 },
924 {
925 FieldElement{-12675304, 694026, -5076145, 13300344, 14015258, -14451394, -9698672, -11329050, 30944593, 1130208},
926 FieldElement{8247766, -6710942, -26562381, -7709309, -14401939, -14648910, 4652152, 2488540, 23550156, -271232},
927 FieldElement{17294316, -3788438, 7026748, 15626851, 22990044, 113481, 2267737, -5908146, -408818, -137719},
928 },
929 {
930 FieldElement{16091085, -16253926, 18599252, 7340678, 2137637, -1221657, -3364161, 14550936, 3260525, -7166271},
931 FieldElement{-4910104, -13332887, 18550887, 10864893, -16459325, -7291596, -23028869, -13204905, -12748722, 2701326},
932 FieldElement{-8574695, 16099415, 4629974, -16340524, -20786213, -6005432, -10018363, 9276971, 11329923, 1862132},
933 },
934 {
935 FieldElement{14763076, -15903608, -30918270, 3689867, 3511892, 10313526, -21951088, 12219231, -9037963, -940300},
936 FieldElement{8894987, -3446094, 6150753, 3013931, 301220, 15693451, -31981216, -2909717, -15438168, 11595570},
937 FieldElement{15214962, 3537601, -26238722, -14058872, 4418657, -15230761, 13947276, 10730794, -13489462, -4363670},
938 },
939 {
940 FieldElement{-2538306, 7682793, 32759013, 263109, -29984731, -7955452, -22332124, -10188635, 977108, 699994},
941 FieldElement{-12466472, 4195084, -9211532, 550904, -15565337, 12917920, 19118110, -439841, -30534533, -14337913},
942 FieldElement{31788461, -14507657, 4799989, 7372237, 8808585, -14747943, 9408237, -10051775, 12493932, -5409317},
943 },
944 {
945 FieldElement{-25680606, 5260744, -19235809, -6284470, -3695942, 16566087, 27218280, 2607121, 29375955, 6024730},
946 FieldElement{842132, -2794693, -4763381, -8722815, 26332018, -12405641, 11831880, 6985184, -9940361, 2854096},
947 FieldElement{-4847262, -7969331, 2516242, -5847713, 9695691, -7221186, 16512645, 960770, 12121869, 16648078},
948 },
949 {
950 FieldElement{-15218652, 14667096, -13336229, 2013717, 30598287, -464137, -31504922, -7882064, 20237806, 2838411},
951 FieldElement{-19288047, 4453152, 15298546, -16178388, 22115043, -15972604, 12544294, -13470457, 1068881, -12499905},
952 FieldElement{-9558883, -16518835, 33238498, 13506958, 30505848, -1114596, -8486907, -2630053, 12521378, 4845654},
953 },
954 {
955 FieldElement{-28198521, 10744108, -2958380, 10199664, 7759311, -13088600, 3409348, -873400, -6482306, -12885870},
956 FieldElement{-23561822, 6230156, -20382013, 10655314, -24040585, -11621172, 10477734, -1240216, -3113227, 13974498},
957 FieldElement{12966261, 15550616, -32038948, -1615346, 21025980, -629444, 5642325, 7188737, 18895762, 12629579},
958 },
959 },
960 {
961 {
962 FieldElement{14741879, -14946887, 22177208, -11721237, 1279741, 8058600, 11758140, 789443, 32195181, 3895677},
963 FieldElement{10758205, 15755439, -4509950, 9243698, -4879422, 6879879, -2204575, -3566119, -8982069, 4429647},
964 FieldElement{-2453894, 15725973, -20436342, -10410672, -5803908, -11040220, -7135870, -11642895, 18047436, -15281743},
965 },
966 {
967 FieldElement{-25173001, -11307165, 29759956, 11776784, -22262383, -15820455, 10993114, -12850837, -17620701, -9408468},
968 FieldElement{21987233, 700364, -24505048, 14972008, -7774265, -5718395, 32155026, 2581431, -29958985, 8773375},
969 FieldElement{-25568350, 454463, -13211935, 16126715, 25240068, 8594567, 20656846, 12017935, -7874389, -13920155},
970 },
971 {
972 FieldElement{6028182, 6263078, -31011806, -11301710, -818919, 2461772, -31841174, -5468042, -1721788, -2776725},
973 FieldElement{-12278994, 16624277, 987579, -5922598, 32908203, 1248608, 7719845, -4166698, 28408820, 6816612},
974 FieldElement{-10358094, -8237829, 19549651, -12169222, 22082623, 16147817, 20613181, 13982702, -10339570, 5067943},
975 },
976 {
977 FieldElement{-30505967, -3821767, 12074681, 13582412, -19877972, 2443951, -19719286, 12746132, 5331210, -10105944},
978 FieldElement{30528811, 3601899, -1957090, 4619785, -27361822, -15436388, 24180793, -12570394, 27679908, -1648928},
979 FieldElement{9402404, -13957065, 32834043, 10838634, -26580150, -13237195, 26653274, -8685565, 22611444, -12715406},
980 },
981 {
982 FieldElement{22190590, 1118029, 22736441, 15130463, -30460692, -5991321, 19189625, -4648942, 4854859, 6622139},
983 FieldElement{-8310738, -2953450, -8262579, -3388049, -10401731, -271929, 13424426, -3567227, 26404409, 13001963},
984 FieldElement{-31241838, -15415700, -2994250, 8939346, 11562230, -12840670, -26064365, -11621720, -15405155, 11020693},
985 },
986 {
987 FieldElement{1866042, -7949489, -7898649, -10301010, 12483315, 13477547, 3175636, -12424163, 28761762, 1406734},
988 FieldElement{-448555, -1777666, 13018551, 3194501, -9580420, -11161737, 24760585, -4347088, 25577411, -13378680},
989 FieldElement{-24290378, 4759345, -690653, -1852816, 2066747, 10693769, -29595790, 9884936, -9368926, 4745410},
990 },
991 {
992 FieldElement{-9141284, 6049714, -19531061, -4341411, -31260798, 9944276, -15462008, -11311852, 10931924, -11931931},
993 FieldElement{-16561513, 14112680, -8012645, 4817318, -8040464, -11414606, -22853429, 10856641, -20470770, 13434654},
994 FieldElement{22759489, -10073434, -16766264, -1871422, 13637442, -10168091, 1765144, -12654326, 28445307, -5364710},
995 },
996 {
997 FieldElement{29875063, 12493613, 2795536, -3786330, 1710620, 15181182, -10195717, -8788675, 9074234, 1167180},
998 FieldElement{-26205683, 11014233, -9842651, -2635485, -26908120, 7532294, -18716888, -9535498, 3843903, 9367684},
999 FieldElement{-10969595, -6403711, 9591134, 9582310, 11349256, 108879, 16235123, 8601684, -139197, 4242895},
1000 },
1001 },
1002 {
1003 {
1004 FieldElement{22092954, -13191123, -2042793, -11968512, 32186753, -11517388, -6574341, 2470660, -27417366, 16625501},
1005 FieldElement{-11057722, 3042016, 13770083, -9257922, 584236, -544855, -7770857, 2602725, -27351616, 14247413},
1006 FieldElement{6314175, -10264892, -32772502, 15957557, -10157730, 168750, -8618807, 14290061, 27108877, -1180880},
1007 },
1008 {
1009 FieldElement{-8586597, -7170966, 13241782, 10960156, -32991015, -13794596, 33547976, -11058889, -27148451, 981874},
1010 FieldElement{22833440, 9293594, -32649448, -13618667, -9136966, 14756819, -22928859, -13970780, -10479804, -16197962},
1011 FieldElement{-7768587, 3326786, -28111797, 10783824, 19178761, 14905060, 22680049, 13906969, -15933690, 3797899},
1012 },
1013 {
1014 FieldElement{21721356, -4212746, -12206123, 9310182, -3882239, -13653110, 23740224, -2709232, 20491983, -8042152},
1015 FieldElement{9209270, -15135055, -13256557, -6167798, -731016, 15289673, 25947805, 15286587, 30997318, -6703063},
1016 FieldElement{7392032, 16618386, 23946583, -8039892, -13265164, -1533858, -14197445, -2321576, 17649998, -250080},
1017 },
1018 {
1019 FieldElement{-9301088, -14193827, 30609526, -3049543, -25175069, -1283752, -15241566, -9525724, -2233253, 7662146},
1020 FieldElement{-17558673, 1763594, -33114336, 15908610, -30040870, -12174295, 7335080, -8472199, -3174674, 3440183},
1021 FieldElement{-19889700, -5977008, -24111293, -9688870, 10799743, -16571957, 40450, -4431835, 4862400, 1133},
1022 },
1023 {
1024 FieldElement{-32856209, -7873957, -5422389, 14860950, -16319031, 7956142, 7258061, 311861, -30594991, -7379421},
1025 FieldElement{-3773428, -1565936, 28985340, 7499440, 24445838, 9325937, 29727763, 16527196, 18278453, 15405622},
1026 FieldElement{-4381906, 8508652, -19898366, -3674424, -5984453, 15149970, -13313598, 843523, -21875062, 13626197},
1027 },
1028 {
1029 FieldElement{2281448, -13487055, -10915418, -2609910, 1879358, 16164207, -10783882, 3953792, 13340839, 15928663},
1030 FieldElement{31727126, -7179855, -18437503, -8283652, 2875793, -16390330, -25269894, -7014826, -23452306, 5964753},
1031 FieldElement{4100420, -5959452, -17179337, 6017714, -18705837, 12227141, -26684835, 11344144, 2538215, -7570755},
1032 },
1033 {
1034 FieldElement{-9433605, 6123113, 11159803, -2156608, 30016280, 14966241, -20474983, 1485421, -629256, -15958862},
1035 FieldElement{-26804558, 4260919, 11851389, 9658551, -32017107, 16367492, -20205425, -13191288, 11659922, -11115118},
1036 FieldElement{26180396, 10015009, -30844224, -8581293, 5418197, 9480663, 2231568, -10170080, 33100372, -1306171},
1037 },
1038 {
1039 FieldElement{15121113, -5201871, -10389905, 15427821, -27509937, -15992507, 21670947, 4486675, -5931810, -14466380},
1040 FieldElement{16166486, -9483733, -11104130, 6023908, -31926798, -1364923, 2340060, -16254968, -10735770, -10039824},
1041 FieldElement{28042865, -3557089, -12126526, 12259706, -3717498, -6945899, 6766453, -8689599, 18036436, 5803270},
1042 },
1043 },
1044 {
1045 {
1046 FieldElement{-817581, 6763912, 11803561, 1585585, 10958447, -2671165, 23855391, 4598332, -6159431, -14117438},
1047 FieldElement{-31031306, -14256194, 17332029, -2383520, 31312682, -5967183, 696309, 50292, -20095739, 11763584},
1048 FieldElement{-594563, -2514283, -32234153, 12643980, 12650761, 14811489, 665117, -12613632, -19773211, -10713562},
1049 },
1050 {
1051 FieldElement{30464590, -11262872, -4127476, -12734478, 19835327, -7105613, -24396175, 2075773, -17020157, 992471},
1052 FieldElement{18357185, -6994433, 7766382, 16342475, -29324918, 411174, 14578841, 8080033, -11574335, -10601610},
1053 FieldElement{19598397, 10334610, 12555054, 2555664, 18821899, -10339780, 21873263, 16014234, 26224780, 16452269},
1054 },
1055 {
1056 FieldElement{-30223925, 5145196, 5944548, 16385966, 3976735, 2009897, -11377804, -7618186, -20533829, 3698650},
1057 FieldElement{14187449, 3448569, -10636236, -10810935, -22663880, -3433596, 7268410, -10890444, 27394301, 12015369},
1058 FieldElement{19695761, 16087646, 28032085, 12999827, 6817792, 11427614, 20244189, -1312777, -13259127, -3402461},
1059 },
1060 {
1061 FieldElement{30860103, 12735208, -1888245, -4699734, -16974906, 2256940, -8166013, 12298312, -8550524, -10393462},
1062 FieldElement{-5719826, -11245325, -1910649, 15569035, 26642876, -7587760, -5789354, -15118654, -4976164, 12651793},
1063 FieldElement{-2848395, 9953421, 11531313, -5282879, 26895123, -12697089, -13118820, -16517902, 9768698, -2533218},
1064 },
1065 {
1066 FieldElement{-24719459, 1894651, -287698, -4704085, 15348719, -8156530, 32767513, 12765450, 4940095, 10678226},
1067 FieldElement{18860224, 15980149, -18987240, -1562570, -26233012, -11071856, -7843882, 13944024, -24372348, 16582019},
1068 FieldElement{-15504260, 4970268, -29893044, 4175593, -20993212, -2199756, -11704054, 15444560, -11003761, 7989037},
1069 },
1070 {
1071 FieldElement{31490452, 5568061, -2412803, 2182383, -32336847, 4531686, -32078269, 6200206, -19686113, -14800171},
1072 FieldElement{-17308668, -15879940, -31522777, -2831, -32887382, 16375549, 8680158, -16371713, 28550068, -6857132},
1073 FieldElement{-28126887, -5688091, 16837845, -1820458, -6850681, 12700016, -30039981, 4364038, 1155602, 5988841},
1074 },
1075 {
1076 FieldElement{21890435, -13272907, -12624011, 12154349, -7831873, 15300496, 23148983, -4470481, 24618407, 8283181},
1077 FieldElement{-33136107, -10512751, 9975416, 6841041, -31559793, 16356536, 3070187, -7025928, 1466169, 10740210},
1078 FieldElement{-1509399, -15488185, -13503385, -10655916, 32799044, 909394, -13938903, -5779719, -32164649, -15327040},
1079 },
1080 {
1081 FieldElement{3960823, -14267803, -28026090, -15918051, -19404858, 13146868, 15567327, 951507, -3260321, -573935},
1082 FieldElement{24740841, 5052253, -30094131, 8961361, 25877428, 6165135, -24368180, 14397372, -7380369, -6144105},
1083 FieldElement{-28888365, 3510803, -28103278, -1158478, -11238128, -10631454, -15441463, -14453128, -1625486, -6494814},
1084 },
1085 },
1086 {
1087 {
1088 FieldElement{793299, -9230478, 8836302, -6235707, -27360908, -2369593, 33152843, -4885251, -9906200, -621852},
1089 FieldElement{5666233, 525582, 20782575, -8038419, -24538499, 14657740, 16099374, 1468826, -6171428, -15186581},
1090 FieldElement{-4859255, -3779343, -2917758, -6748019, 7778750, 11688288, -30404353, -9871238, -1558923, -9863646},
1091 },
1092 {
1093 FieldElement{10896332, -7719704, 824275, 472601, -19460308, 3009587, 25248958, 14783338, -30581476, -15757844},
1094 FieldElement{10566929, 12612572, -31944212, 11118703, -12633376, 12362879, 21752402, 8822496, 24003793, 14264025},
1095 FieldElement{27713862, -7355973, -11008240, 9227530, 27050101, 2504721, 23886875, -13117525, 13958495, -5732453},
1096 },
1097 {
1098 FieldElement{-23481610, 4867226, -27247128, 3900521, 29838369, -8212291, -31889399, -10041781, 7340521, -15410068},
1099 FieldElement{4646514, -8011124, -22766023, -11532654, 23184553, 8566613, 31366726, -1381061, -15066784, -10375192},
1100 FieldElement{-17270517, 12723032, -16993061, 14878794, 21619651, -6197576, 27584817, 3093888, -8843694, 3849921},
1101 },
1102 {
1103 FieldElement{-9064912, 2103172, 25561640, -15125738, -5239824, 9582958, 32477045, -9017955, 5002294, -15550259},
1104 FieldElement{-12057553, -11177906, 21115585, -13365155, 8808712, -12030708, 16489530, 13378448, -25845716, 12741426},
1105 FieldElement{-5946367, 10645103, -30911586, 15390284, -3286982, -7118677, 24306472, 15852464, 28834118, -7646072},
1106 },
1107 {
1108 FieldElement{-17335748, -9107057, -24531279, 9434953, -8472084, -583362, -13090771, 455841, 20461858, 5491305},
1109 FieldElement{13669248, -16095482, -12481974, -10203039, -14569770, -11893198, -24995986, 11293807, -28588204, -9421832},
1110 FieldElement{28497928, 6272777, -33022994, 14470570, 8906179, -1225630, 18504674, -14165166, 29867745, -8795943},
1111 },
1112 {
1113 FieldElement{-16207023, 13517196, -27799630, -13697798, 24009064, -6373891, -6367600, -13175392, 22853429, -4012011},
1114 FieldElement{24191378, 16712145, -13931797, 15217831, 14542237, 1646131, 18603514, -11037887, 12876623, -2112447},
1115 FieldElement{17902668, 4518229, -411702, -2829247, 26878217, 5258055, -12860753, 608397, 16031844, 3723494},
1116 },
1117 {
1118 FieldElement{-28632773, 12763728, -20446446, 7577504, 33001348, -13017745, 17558842, -7872890, 23896954, -4314245},
1119 FieldElement{-20005381, -12011952, 31520464, 605201, 2543521, 5991821, -2945064, 7229064, -9919646, -8826859},
1120 FieldElement{28816045, 298879, -28165016, -15920938, 19000928, -1665890, -12680833, -2949325, -18051778, -2082915},
1121 },
1122 {
1123 FieldElement{16000882, -344896, 3493092, -11447198, -29504595, -13159789, 12577740, 16041268, -19715240, 7847707},
1124 FieldElement{10151868, 10572098, 27312476, 7922682, 14825339, 4723128, -32855931, -6519018, -10020567, 3852848},
1125 FieldElement{-11430470, 15697596, -21121557, -4420647, 5386314, 15063598, 16514493, -15932110, 29330899, -15076224},
1126 },
1127 },
1128 {
1129 {
1130 FieldElement{-25499735, -4378794, -15222908, -6901211, 16615731, 2051784, 3303702, 15490, -27548796, 12314391},
1131 FieldElement{15683520, -6003043, 18109120, -9980648, 15337968, -5997823, -16717435, 15921866, 16103996, -3731215},
1132 FieldElement{-23169824, -10781249, 13588192, -1628807, -3798557, -1074929, -19273607, 5402699, -29815713, -9841101},
1133 },
1134 {
1135 FieldElement{23190676, 2384583, -32714340, 3462154, -29903655, -1529132, -11266856, 8911517, -25205859, 2739713},
1136 FieldElement{21374101, -3554250, -33524649, 9874411, 15377179, 11831242, -33529904, 6134907, 4931255, 11987849},
1137 FieldElement{-7732, -2978858, -16223486, 7277597, 105524, -322051, -31480539, 13861388, -30076310, 10117930},
1138 },
1139 {
1140 FieldElement{-29501170, -10744872, -26163768, 13051539, -25625564, 5089643, -6325503, 6704079, 12890019, 15728940},
1141 FieldElement{-21972360, -11771379, -951059, -4418840, 14704840, 2695116, 903376, -10428139, 12885167, 8311031},
1142 FieldElement{-17516482, 5352194, 10384213, -13811658, 7506451, 13453191, 26423267, 4384730, 1888765, -5435404},
1143 },
1144 {
1145 FieldElement{-25817338, -3107312, -13494599, -3182506, 30896459, -13921729, -32251644, -12707869, -19464434, -3340243},
1146 FieldElement{-23607977, -2665774, -526091, 4651136, 5765089, 4618330, 6092245, 14845197, 17151279, -9854116},
1147 FieldElement{-24830458, -12733720, -15165978, 10367250, -29530908, -265356, 22825805, -7087279, -16866484, 16176525},
1148 },
1149 {
1150 FieldElement{-23583256, 6564961, 20063689, 3798228, -4740178, 7359225, 2006182, -10363426, -28746253, -10197509},
1151 FieldElement{-10626600, -4486402, -13320562, -5125317, 3432136, -6393229, 23632037, -1940610, 32808310, 1099883},
1152 FieldElement{15030977, 5768825, -27451236, -2887299, -6427378, -15361371, -15277896, -6809350, 2051441, -15225865},
1153 },
1154 {
1155 FieldElement{-3362323, -7239372, 7517890, 9824992, 23555850, 295369, 5148398, -14154188, -22686354, 16633660},
1156 FieldElement{4577086, -16752288, 13249841, -15304328, 19958763, -14537274, 18559670, -10759549, 8402478, -9864273},
1157 FieldElement{-28406330, -1051581, -26790155, -907698, -17212414, -11030789, 9453451, -14980072, 17983010, 9967138},
1158 },
1159 {
1160 FieldElement{-25762494, 6524722, 26585488, 9969270, 24709298, 1220360, -1677990, 7806337, 17507396, 3651560},
1161 FieldElement{-10420457, -4118111, 14584639, 15971087, -15768321, 8861010, 26556809, -5574557, -18553322, -11357135},
1162 FieldElement{2839101, 14284142, 4029895, 3472686, 14402957, 12689363, -26642121, 8459447, -5605463, -7621941},
1163 },
1164 {
1165 FieldElement{-4839289, -3535444, 9744961, 2871048, 25113978, 3187018, -25110813, -849066, 17258084, -7977739},
1166 FieldElement{18164541, -10595176, -17154882, -1542417, 19237078, -9745295, 23357533, -15217008, 26908270, 12150756},
1167 FieldElement{-30264870, -7647865, 5112249, -7036672, -1499807, -6974257, 43168, -5537701, -32302074, 16215819},
1168 },
1169 },
1170 {
1171 {
1172 FieldElement{-6898905, 9824394, -12304779, -4401089, -31397141, -6276835, 32574489, 12532905, -7503072, -8675347},
1173 FieldElement{-27343522, -16515468, -27151524, -10722951, 946346, 16291093, 254968, 7168080, 21676107, -1943028},
1174 FieldElement{21260961, -8424752, -16831886, -11920822, -23677961, 3968121, -3651949, -6215466, -3556191, -7913075},
1175 },
1176 {
1177 FieldElement{16544754, 13250366, -16804428, 15546242, -4583003, 12757258, -2462308, -8680336, -18907032, -9662799},
1178 FieldElement{-2415239, -15577728, 18312303, 4964443, -15272530, -12653564, 26820651, 16690659, 25459437, -4564609},
1179 FieldElement{-25144690, 11425020, 28423002, -11020557, -6144921, -15826224, 9142795, -2391602, -6432418, -1644817},
1180 },
1181 {
1182 FieldElement{-23104652, 6253476, 16964147, -3768872, -25113972, -12296437, -27457225, -16344658, 6335692, 7249989},
1183 FieldElement{-30333227, 13979675, 7503222, -12368314, -11956721, -4621693, -30272269, 2682242, 25993170, -12478523},
1184 FieldElement{4364628, 5930691, 32304656, -10044554, -8054781, 15091131, 22857016, -10598955, 31820368, 15075278},
1185 },
1186 {
1187 FieldElement{31879134, -8918693, 17258761, 90626, -8041836, -4917709, 24162788, -9650886, -17970238, 12833045},
1188 FieldElement{19073683, 14851414, -24403169, -11860168, 7625278, 11091125, -19619190, 2074449, -9413939, 14905377},
1189 FieldElement{24483667, -11935567, -2518866, -11547418, -1553130, 15355506, -25282080, 9253129, 27628530, -7555480},
1190 },
1191 {
1192 FieldElement{17597607, 8340603, 19355617, 552187, 26198470, -3176583, 4593324, -9157582, -14110875, 15297016},
1193 FieldElement{510886, 14337390, -31785257, 16638632, 6328095, 2713355, -20217417, -11864220, 8683221, 2921426},
1194 FieldElement{18606791, 11874196, 27155355, -5281482, -24031742, 6265446, -25178240, -1278924, 4674690, 13890525},
1195 },
1196 {
1197 FieldElement{13609624, 13069022, -27372361, -13055908, 24360586, 9592974, 14977157, 9835105, 4389687, 288396},
1198 FieldElement{9922506, -519394, 13613107, 5883594, -18758345, -434263, -12304062, 8317628, 23388070, 16052080},
1199 FieldElement{12720016, 11937594, -31970060, -5028689, 26900120, 8561328, -20155687, -11632979, -14754271, -10812892},
1200 },
1201 {
1202 FieldElement{15961858, 14150409, 26716931, -665832, -22794328, 13603569, 11829573, 7467844, -28822128, 929275},
1203 FieldElement{11038231, -11582396, -27310482, -7316562, -10498527, -16307831, -23479533, -9371869, -21393143, 2465074},
1204 FieldElement{20017163, -4323226, 27915242, 1529148, 12396362, 15675764, 13817261, -9658066, 2463391, -4622140},
1205 },
1206 {
1207 FieldElement{-16358878, -12663911, -12065183, 4996454, -1256422, 1073572, 9583558, 12851107, 4003896, 12673717},
1208 FieldElement{-1731589, -15155870, -3262930, 16143082, 19294135, 13385325, 14741514, -9103726, 7903886, 2348101},
1209 FieldElement{24536016, -16515207, 12715592, -3862155, 1511293, 10047386, -3842346, -7129159, -28377538, 10048127},
1210 },
1211 },
1212 {
1213 {
1214 FieldElement{-12622226, -6204820, 30718825, 2591312, -10617028, 12192840, 18873298, -7297090, -32297756, 15221632},
1215 FieldElement{-26478122, -11103864, 11546244, -1852483, 9180880, 7656409, -21343950, 2095755, 29769758, 6593415},
1216 FieldElement{-31994208, -2907461, 4176912, 3264766, 12538965, -868111, 26312345, -6118678, 30958054, 8292160},
1217 },
1218 {
1219 FieldElement{31429822, -13959116, 29173532, 15632448, 12174511, -2760094, 32808831, 3977186, 26143136, -3148876},
1220 FieldElement{22648901, 1402143, -22799984, 13746059, 7936347, 365344, -8668633, -1674433, -3758243, -2304625},
1221 FieldElement{-15491917, 8012313, -2514730, -12702462, -23965846, -10254029, -1612713, -1535569, -16664475, 8194478},
1222 },
1223 {
1224 FieldElement{27338066, -7507420, -7414224, 10140405, -19026427, -6589889, 27277191, 8855376, 28572286, 3005164},
1225 FieldElement{26287124, 4821776, 25476601, -4145903, -3764513, -15788984, -18008582, 1182479, -26094821, -13079595},
1226 FieldElement{-7171154, 3178080, 23970071, 6201893, -17195577, -4489192, -21876275, -13982627, 32208683, -1198248},
1227 },
1228 {
1229 FieldElement{-16657702, 2817643, -10286362, 14811298, 6024667, 13349505, -27315504, -10497842, -27672585, -11539858},
1230 FieldElement{15941029, -9405932, -21367050, 8062055, 31876073, -238629, -15278393, -1444429, 15397331, -4130193},
1231 FieldElement{8934485, -13485467, -23286397, -13423241, -32446090, 14047986, 31170398, -1441021, -27505566, 15087184},
1232 },
1233 {
1234 FieldElement{-18357243, -2156491, 24524913, -16677868, 15520427, -6360776, -15502406, 11461896, 16788528, -5868942},
1235 FieldElement{-1947386, 16013773, 21750665, 3714552, -17401782, -16055433, -3770287, -10323320, 31322514, -11615635},
1236 FieldElement{21426655, -5650218, -13648287, -5347537, -28812189, -4920970, -18275391, -14621414, 13040862, -12112948},
1237 },
1238 {
1239 FieldElement{11293895, 12478086, -27136401, 15083750, -29307421, 14748872, 14555558, -13417103, 1613711, 4896935},
1240 FieldElement{-25894883, 15323294, -8489791, -8057900, 25967126, -13425460, 2825960, -4897045, -23971776, -11267415},
1241 FieldElement{-15924766, -5229880, -17443532, 6410664, 3622847, 10243618, 20615400, 12405433, -23753030, -8436416},
1242 },
1243 {
1244 FieldElement{-7091295, 12556208, -20191352, 9025187, -17072479, 4333801, 4378436, 2432030, 23097949, -566018},
1245 FieldElement{4565804, -16025654, 20084412, -7842817, 1724999, 189254, 24767264, 10103221, -18512313, 2424778},
1246 FieldElement{366633, -11976806, 8173090, -6890119, 30788634, 5745705, -7168678, 1344109, -3642553, 12412659},
1247 },
1248 {
1249 FieldElement{-24001791, 7690286, 14929416, -168257, -32210835, -13412986, 24162697, -15326504, -3141501, 11179385},
1250 FieldElement{18289522, -14724954, 8056945, 16430056, -21729724, 7842514, -6001441, -1486897, -18684645, -11443503},
1251 FieldElement{476239, 6601091, -6152790, -9723375, 17503545, -4863900, 27672959, 13403813, 11052904, 5219329},
1252 },
1253 },
1254 {
1255 {
1256 FieldElement{20678546, -8375738, -32671898, 8849123, -5009758, 14574752, 31186971, -3973730, 9014762, -8579056},
1257 FieldElement{-13644050, -10350239, -15962508, 5075808, -1514661, -11534600, -33102500, 9160280, 8473550, -3256838},
1258 FieldElement{24900749, 14435722, 17209120, -15292541, -22592275, 9878983, -7689309, -16335821, -24568481, 11788948},
1259 },
1260 {
1261 FieldElement{-3118155, -11395194, -13802089, 14797441, 9652448, -6845904, -20037437, 10410733, -24568470, -1458691},
1262 FieldElement{-15659161, 16736706, -22467150, 10215878, -9097177, 7563911, 11871841, -12505194, -18513325, 8464118},
1263 FieldElement{-23400612, 8348507, -14585951, -861714, -3950205, -6373419, 14325289, 8628612, 33313881, -8370517},
1264 },
1265 {
1266 FieldElement{-20186973, -4967935, 22367356, 5271547, -1097117, -4788838, -24805667, -10236854, -8940735, -5818269},
1267 FieldElement{-6948785, -1795212, -32625683, -16021179, 32635414, -7374245, 15989197, -12838188, 28358192, -4253904},
1268 FieldElement{-23561781, -2799059, -32351682, -1661963, -9147719, 10429267, -16637684, 4072016, -5351664, 5596589},
1269 },
1270 {
1271 FieldElement{-28236598, -3390048, 12312896, 6213178, 3117142, 16078565, 29266239, 2557221, 1768301, 15373193},
1272 FieldElement{-7243358, -3246960, -4593467, -7553353, -127927, -912245, -1090902, -4504991, -24660491, 3442910},
1273 FieldElement{-30210571, 5124043, 14181784, 8197961, 18964734, -11939093, 22597931, 7176455, -18585478, 13365930},
1274 },
1275 {
1276 FieldElement{-7877390, -1499958, 8324673, 4690079, 6261860, 890446, 24538107, -8570186, -9689599, -3031667},
1277 FieldElement{25008904, -10771599, -4305031, -9638010, 16265036, 15721635, 683793, -11823784, 15723479, -15163481},
1278 FieldElement{-9660625, 12374379, -27006999, -7026148, -7724114, -12314514, 11879682, 5400171, 519526, -1235876},
1279 },
1280 {
1281 FieldElement{22258397, -16332233, -7869817, 14613016, -22520255, -2950923, -20353881, 7315967, 16648397, 7605640},
1282 FieldElement{-8081308, -8464597, -8223311, 9719710, 19259459, -15348212, 23994942, -5281555, -9468848, 4763278},
1283 FieldElement{-21699244, 9220969, -15730624, 1084137, -25476107, -2852390, 31088447, -7764523, -11356529, 728112},
1284 },
1285 {
1286 FieldElement{26047220, -11751471, -6900323, -16521798, 24092068, 9158119, -4273545, -12555558, -29365436, -5498272},
1287 FieldElement{17510331, -322857, 5854289, 8403524, 17133918, -3112612, -28111007, 12327945, 10750447, 10014012},
1288 FieldElement{-10312768, 3936952, 9156313, -8897683, 16498692, -994647, -27481051, -666732, 3424691, 7540221},
1289 },
1290 {
1291 FieldElement{30322361, -6964110, 11361005, -4143317, 7433304, 4989748, -7071422, -16317219, -9244265, 15258046},
1292 FieldElement{13054562, -2779497, 19155474, 469045, -12482797, 4566042, 5631406, 2711395, 1062915, -5136345},
1293 FieldElement{-19240248, -11254599, -29509029, -7499965, -5835763, 13005411, -6066489, 12194497, 32960380, 1459310},
1294 },
1295 },
1296 {
1297 {
1298 FieldElement{19852034, 7027924, 23669353, 10020366, 8586503, -6657907, 394197, -6101885, 18638003, -11174937},
1299 FieldElement{31395534, 15098109, 26581030, 8030562, -16527914, -5007134, 9012486, -7584354, -6643087, -5442636},
1300 FieldElement{-9192165, -2347377, -1997099, 4529534, 25766844, 607986, -13222, 9677543, -32294889, -6456008},
1301 },
1302 {
1303 FieldElement{-2444496, -149937, 29348902, 8186665, 1873760, 12489863, -30934579, -7839692, -7852844, -8138429},
1304 FieldElement{-15236356, -15433509, 7766470, 746860, 26346930, -10221762, -27333451, 10754588, -9431476, 5203576},
1305 FieldElement{31834314, 14135496, -770007, 5159118, 20917671, -16768096, -7467973, -7337524, 31809243, 7347066},
1306 },
1307 {
1308 FieldElement{-9606723, -11874240, 20414459, 13033986, 13716524, -11691881, 19797970, -12211255, 15192876, -2087490},
1309 FieldElement{-12663563, -2181719, 1168162, -3804809, 26747877, -14138091, 10609330, 12694420, 33473243, -13382104},
1310 FieldElement{33184999, 11180355, 15832085, -11385430, -1633671, 225884, 15089336, -11023903, -6135662, 14480053},
1311 },
1312 {
1313 FieldElement{31308717, -5619998, 31030840, -1897099, 15674547, -6582883, 5496208, 13685227, 27595050, 8737275},
1314 FieldElement{-20318852, -15150239, 10933843, -16178022, 8335352, -7546022, -31008351, -12610604, 26498114, 66511},
1315 FieldElement{22644454, -8761729, -16671776, 4884562, -3105614, -13559366, 30540766, -4286747, -13327787, -7515095},
1316 },
1317 {
1318 FieldElement{-28017847, 9834845, 18617207, -2681312, -3401956, -13307506, 8205540, 13585437, -17127465, 15115439},
1319 FieldElement{23711543, -672915, 31206561, -8362711, 6164647, -9709987, -33535882, -1426096, 8236921, 16492939},
1320 FieldElement{-23910559, -13515526, -26299483, -4503841, 25005590, -7687270, 19574902, 10071562, 6708380, -6222424},
1321 },
1322 {
1323 FieldElement{2101391, -4930054, 19702731, 2367575, -15427167, 1047675, 5301017, 9328700, 29955601, -11678310},
1324 FieldElement{3096359, 9271816, -21620864, -15521844, -14847996, -7592937, -25892142, -12635595, -9917575, 6216608},
1325 FieldElement{-32615849, 338663, -25195611, 2510422, -29213566, -13820213, 24822830, -6146567, -26767480, 7525079},
1326 },
1327 {
1328 FieldElement{-23066649, -13985623, 16133487, -7896178, -3389565, 778788, -910336, -2782495, -19386633, 11994101},
1329 FieldElement{21691500, -13624626, -641331, -14367021, 3285881, -3483596, -25064666, 9718258, -7477437, 13381418},
1330 FieldElement{18445390, -4202236, 14979846, 11622458, -1727110, -3582980, 23111648, -6375247, 28535282, 15779576},
1331 },
1332 {
1333 FieldElement{30098053, 3089662, -9234387, 16662135, -21306940, 11308411, -14068454, 12021730, 9955285, -16303356},
1334 FieldElement{9734894, -14576830, -7473633, -9138735, 2060392, 11313496, -18426029, 9924399, 20194861, 13380996},
1335 FieldElement{-26378102, -7965207, -22167821, 15789297, -18055342, -6168792, -1984914, 15707771, 26342023, 10146099},
1336 },
1337 },
1338 {
1339 {
1340 FieldElement{-26016874, -219943, 21339191, -41388, 19745256, -2878700, -29637280, 2227040, 21612326, -545728},
1341 FieldElement{-13077387, 1184228, 23562814, -5970442, -20351244, -6348714, 25764461, 12243797, -20856566, 11649658},
1342 FieldElement{-10031494, 11262626, 27384172, 2271902, 26947504, -15997771, 39944, 6114064, 33514190, 2333242},
1343 },
1344 {
1345 FieldElement{-21433588, -12421821, 8119782, 7219913, -21830522, -9016134, -6679750, -12670638, 24350578, -13450001},
1346 FieldElement{-4116307, -11271533, -23886186, 4843615, -30088339, 690623, -31536088, -10406836, 8317860, 12352766},
1347 FieldElement{18200138, -14475911, -33087759, -2696619, -23702521, -9102511, -23552096, -2287550, 20712163, 6719373},
1348 },
1349 {
1350 FieldElement{26656208, 6075253, -7858556, 1886072, -28344043, 4262326, 11117530, -3763210, 26224235, -3297458},
1351 FieldElement{-17168938, -14854097, -3395676, -16369877, -19954045, 14050420, 21728352, 9493610, 18620611, -16428628},
1352 FieldElement{-13323321, 13325349, 11432106, 5964811, 18609221, 6062965, -5269471, -9725556, -30701573, -16479657},
1353 },
1354 {
1355 FieldElement{-23860538, -11233159, 26961357, 1640861, -32413112, -16737940, 12248509, -5240639, 13735342, 1934062},
1356 FieldElement{25089769, 6742589, 17081145, -13406266, 21909293, -16067981, -15136294, -3765346, -21277997, 5473616},
1357 FieldElement{31883677, -7961101, 1083432, -11572403, 22828471, 13290673, -7125085, 12469656, 29111212, -5451014},
1358 },
1359 {
1360 FieldElement{24244947, -15050407, -26262976, 2791540, -14997599, 16666678, 24367466, 6388839, -10295587, 452383},
1361 FieldElement{-25640782, -3417841, 5217916, 16224624, 19987036, -4082269, -24236251, -5915248, 15766062, 8407814},
1362 FieldElement{-20406999, 13990231, 15495425, 16395525, 5377168, 15166495, -8917023, -4388953, -8067909, 2276718},
1363 },
1364 {
1365 FieldElement{30157918, 12924066, -17712050, 9245753, 19895028, 3368142, -23827587, 5096219, 22740376, -7303417},
1366 FieldElement{2041139, -14256350, 7783687, 13876377, -25946985, -13352459, 24051124, 13742383, -15637599, 13295222},
1367 FieldElement{33338237, -8505733, 12532113, 7977527, 9106186, -1715251, -17720195, -4612972, -4451357, -14669444},
1368 },
1369 {
1370 FieldElement{-20045281, 5454097, -14346548, 6447146, 28862071, 1883651, -2469266, -4141880, 7770569, 9620597},
1371 FieldElement{23208068, 7979712, 33071466, 8149229, 1758231, -10834995, 30945528, -1694323, -33502340, -14767970},
1372 FieldElement{1439958, -16270480, -1079989, -793782, 4625402, 10647766, -5043801, 1220118, 30494170, -11440799},
1373 },
1374 {
1375 FieldElement{-5037580, -13028295, -2970559, -3061767, 15640974, -6701666, -26739026, 926050, -1684339, -13333647},
1376 FieldElement{13908495, -3549272, 30919928, -6273825, -21521863, 7989039, 9021034, 9078865, 3353509, 4033511},
1377 FieldElement{-29663431, -15113610, 32259991, -344482, 24295849, -12912123, 23161163, 8839127, 27485041, 7356032},
1378 },
1379 },
1380 {
1381 {
1382 FieldElement{9661027, 705443, 11980065, -5370154, -1628543, 14661173, -6346142, 2625015, 28431036, -16771834},
1383 FieldElement{-23839233, -8311415, -25945511, 7480958, -17681669, -8354183, -22545972, 14150565, 15970762, 4099461},
1384 FieldElement{29262576, 16756590, 26350592, -8793563, 8529671, -11208050, 13617293, -9937143, 11465739, 8317062},
1385 },
1386 {
1387 FieldElement{-25493081, -6962928, 32500200, -9419051, -23038724, -2302222, 14898637, 3848455, 20969334, -5157516},
1388 FieldElement{-20384450, -14347713, -18336405, 13884722, -33039454, 2842114, -21610826, -3649888, 11177095, 14989547},
1389 FieldElement{-24496721, -11716016, 16959896, 2278463, 12066309, 10137771, 13515641, 2581286, -28487508, 9930240},
1390 },
1391 {
1392 FieldElement{-17751622, -2097826, 16544300, -13009300, -15914807, -14949081, 18345767, -13403753, 16291481, -5314038},
1393 FieldElement{-33229194, 2553288, 32678213, 9875984, 8534129, 6889387, -9676774, 6957617, 4368891, 9788741},
1394 FieldElement{16660756, 7281060, -10830758, 12911820, 20108584, -8101676, -21722536, -8613148, 16250552, -11111103},
1395 },
1396 {
1397 FieldElement{-19765507, 2390526, -16551031, 14161980, 1905286, 6414907, 4689584, 10604807, -30190403, 4782747},
1398 FieldElement{-1354539, 14736941, -7367442, -13292886, 7710542, -14155590, -9981571, 4383045, 22546403, 437323},
1399 FieldElement{31665577, -12180464, -16186830, 1491339, -18368625, 3294682, 27343084, 2786261, -30633590, -14097016},
1400 },
1401 {
1402 FieldElement{-14467279, -683715, -33374107, 7448552, 19294360, 14334329, -19690631, 2355319, -19284671, -6114373},
1403 FieldElement{15121312, -15796162, 6377020, -6031361, -10798111, -12957845, 18952177, 15496498, -29380133, 11754228},
1404 FieldElement{-2637277, -13483075, 8488727, -14303896, 12728761, -1622493, 7141596, 11724556, 22761615, -10134141},
1405 },
1406 {
1407 FieldElement{16918416, 11729663, -18083579, 3022987, -31015732, -13339659, -28741185, -12227393, 32851222, 11717399},
1408 FieldElement{11166634, 7338049, -6722523, 4531520, -29468672, -7302055, 31474879, 3483633, -1193175, -4030831},
1409 FieldElement{-185635, 9921305, 31456609, -13536438, -12013818, 13348923, 33142652, 6546660, -19985279, -3948376},
1410 },
1411 {
1412 FieldElement{-32460596, 11266712, -11197107, -7899103, 31703694, 3855903, -8537131, -12833048, -30772034, -15486313},
1413 FieldElement{-18006477, 12709068, 3991746, -6479188, -21491523, -10550425, -31135347, -16049879, 10928917, 3011958},
1414 FieldElement{-6957757, -15594337, 31696059, 334240, 29576716, 14796075, -30831056, -12805180, 18008031, 10258577},
1415 },
1416 {
1417 FieldElement{-22448644, 15655569, 7018479, -4410003, -30314266, -1201591, -1853465, 1367120, 25127874, 6671743},
1418 FieldElement{29701166, -14373934, -10878120, 9279288, -17568, 13127210, 21382910, 11042292, 25838796, 4642684},
1419 FieldElement{-20430234, 14955537, -24126347, 8124619, -5369288, -5990470, 30468147, -13900640, 18423289, 4177476},
1420 },
1421 },
1422}
diff --git a/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go b/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go
deleted file mode 100644
index 5f8b994..0000000
--- a/vendor/golang.org/x/crypto/ed25519/internal/edwards25519/edwards25519.go
+++ /dev/null
@@ -1,1771 +0,0 @@
1// Copyright 2016 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package edwards25519
6
7// This code is a port of the public domain, “ref10” implementation of ed25519
8// from SUPERCOP.
9
10// FieldElement represents an element of the field GF(2^255 - 19). An element
11// t, entries t[0]...t[9], represents the integer t[0]+2^26 t[1]+2^51 t[2]+2^77
12// t[3]+2^102 t[4]+...+2^230 t[9]. Bounds on each t[i] vary depending on
13// context.
14type FieldElement [10]int32
15
16var zero FieldElement
17
18func FeZero(fe *FieldElement) {
19 copy(fe[:], zero[:])
20}
21
22func FeOne(fe *FieldElement) {
23 FeZero(fe)
24 fe[0] = 1
25}
26
27func FeAdd(dst, a, b *FieldElement) {
28 dst[0] = a[0] + b[0]
29 dst[1] = a[1] + b[1]
30 dst[2] = a[2] + b[2]
31 dst[3] = a[3] + b[3]
32 dst[4] = a[4] + b[4]
33 dst[5] = a[5] + b[5]
34 dst[6] = a[6] + b[6]
35 dst[7] = a[7] + b[7]
36 dst[8] = a[8] + b[8]
37 dst[9] = a[9] + b[9]
38}
39
40func FeSub(dst, a, b *FieldElement) {
41 dst[0] = a[0] - b[0]
42 dst[1] = a[1] - b[1]
43 dst[2] = a[2] - b[2]
44 dst[3] = a[3] - b[3]
45 dst[4] = a[4] - b[4]
46 dst[5] = a[5] - b[5]
47 dst[6] = a[6] - b[6]
48 dst[7] = a[7] - b[7]
49 dst[8] = a[8] - b[8]
50 dst[9] = a[9] - b[9]
51}
52
53func FeCopy(dst, src *FieldElement) {
54 copy(dst[:], src[:])
55}
56
57// Replace (f,g) with (g,g) if b == 1;
58// replace (f,g) with (f,g) if b == 0.
59//
60// Preconditions: b in {0,1}.
61func FeCMove(f, g *FieldElement, b int32) {
62 b = -b
63 f[0] ^= b & (f[0] ^ g[0])
64 f[1] ^= b & (f[1] ^ g[1])
65 f[2] ^= b & (f[2] ^ g[2])
66 f[3] ^= b & (f[3] ^ g[3])
67 f[4] ^= b & (f[4] ^ g[4])
68 f[5] ^= b & (f[5] ^ g[5])
69 f[6] ^= b & (f[6] ^ g[6])
70 f[7] ^= b & (f[7] ^ g[7])
71 f[8] ^= b & (f[8] ^ g[8])
72 f[9] ^= b & (f[9] ^ g[9])
73}
74
75func load3(in []byte) int64 {
76 var r int64
77 r = int64(in[0])
78 r |= int64(in[1]) << 8
79 r |= int64(in[2]) << 16
80 return r
81}
82
83func load4(in []byte) int64 {
84 var r int64
85 r = int64(in[0])
86 r |= int64(in[1]) << 8
87 r |= int64(in[2]) << 16
88 r |= int64(in[3]) << 24
89 return r
90}
91
92func FeFromBytes(dst *FieldElement, src *[32]byte) {
93 h0 := load4(src[:])
94 h1 := load3(src[4:]) << 6
95 h2 := load3(src[7:]) << 5
96 h3 := load3(src[10:]) << 3
97 h4 := load3(src[13:]) << 2
98 h5 := load4(src[16:])
99 h6 := load3(src[20:]) << 7
100 h7 := load3(src[23:]) << 5
101 h8 := load3(src[26:]) << 4
102 h9 := (load3(src[29:]) & 8388607) << 2
103
104 FeCombine(dst, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
105}
106
107// FeToBytes marshals h to s.
108// Preconditions:
109// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
110//
111// Write p=2^255-19; q=floor(h/p).
112// Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
113//
114// Proof:
115// Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
116// Also have |h-2^230 h9|<2^230 so |19 2^(-255)(h-2^230 h9)|<1/4.
117//
118// Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
119// Then 0<y<1.
120//
121// Write r=h-pq.
122// Have 0<=r<=p-1=2^255-20.
123// Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
124//
125// Write x=r+19(2^-255)r+y.
126// Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
127//
128// Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
129// so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
130func FeToBytes(s *[32]byte, h *FieldElement) {
131 var carry [10]int32
132
133 q := (19*h[9] + (1 << 24)) >> 25
134 q = (h[0] + q) >> 26
135 q = (h[1] + q) >> 25
136 q = (h[2] + q) >> 26
137 q = (h[3] + q) >> 25
138 q = (h[4] + q) >> 26
139 q = (h[5] + q) >> 25
140 q = (h[6] + q) >> 26
141 q = (h[7] + q) >> 25
142 q = (h[8] + q) >> 26
143 q = (h[9] + q) >> 25
144
145 // Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20.
146 h[0] += 19 * q
147 // Goal: Output h-2^255 q, which is between 0 and 2^255-20.
148
149 carry[0] = h[0] >> 26
150 h[1] += carry[0]
151 h[0] -= carry[0] << 26
152 carry[1] = h[1] >> 25
153 h[2] += carry[1]
154 h[1] -= carry[1] << 25
155 carry[2] = h[2] >> 26
156 h[3] += carry[2]
157 h[2] -= carry[2] << 26
158 carry[3] = h[3] >> 25
159 h[4] += carry[3]
160 h[3] -= carry[3] << 25
161 carry[4] = h[4] >> 26
162 h[5] += carry[4]
163 h[4] -= carry[4] << 26
164 carry[5] = h[5] >> 25
165 h[6] += carry[5]
166 h[5] -= carry[5] << 25
167 carry[6] = h[6] >> 26
168 h[7] += carry[6]
169 h[6] -= carry[6] << 26
170 carry[7] = h[7] >> 25
171 h[8] += carry[7]
172 h[7] -= carry[7] << 25
173 carry[8] = h[8] >> 26
174 h[9] += carry[8]
175 h[8] -= carry[8] << 26
176 carry[9] = h[9] >> 25
177 h[9] -= carry[9] << 25
178 // h10 = carry9
179
180 // Goal: Output h[0]+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
181 // Have h[0]+...+2^230 h[9] between 0 and 2^255-1;
182 // evidently 2^255 h10-2^255 q = 0.
183 // Goal: Output h[0]+...+2^230 h[9].
184
185 s[0] = byte(h[0] >> 0)
186 s[1] = byte(h[0] >> 8)
187 s[2] = byte(h[0] >> 16)
188 s[3] = byte((h[0] >> 24) | (h[1] << 2))
189 s[4] = byte(h[1] >> 6)
190 s[5] = byte(h[1] >> 14)
191 s[6] = byte((h[1] >> 22) | (h[2] << 3))
192 s[7] = byte(h[2] >> 5)
193 s[8] = byte(h[2] >> 13)
194 s[9] = byte((h[2] >> 21) | (h[3] << 5))
195 s[10] = byte(h[3] >> 3)
196 s[11] = byte(h[3] >> 11)
197 s[12] = byte((h[3] >> 19) | (h[4] << 6))
198 s[13] = byte(h[4] >> 2)
199 s[14] = byte(h[4] >> 10)
200 s[15] = byte(h[4] >> 18)
201 s[16] = byte(h[5] >> 0)
202 s[17] = byte(h[5] >> 8)
203 s[18] = byte(h[5] >> 16)
204 s[19] = byte((h[5] >> 24) | (h[6] << 1))
205 s[20] = byte(h[6] >> 7)
206 s[21] = byte(h[6] >> 15)
207 s[22] = byte((h[6] >> 23) | (h[7] << 3))
208 s[23] = byte(h[7] >> 5)
209 s[24] = byte(h[7] >> 13)
210 s[25] = byte((h[7] >> 21) | (h[8] << 4))
211 s[26] = byte(h[8] >> 4)
212 s[27] = byte(h[8] >> 12)
213 s[28] = byte((h[8] >> 20) | (h[9] << 6))
214 s[29] = byte(h[9] >> 2)
215 s[30] = byte(h[9] >> 10)
216 s[31] = byte(h[9] >> 18)
217}
218
219func FeIsNegative(f *FieldElement) byte {
220 var s [32]byte
221 FeToBytes(&s, f)
222 return s[0] & 1
223}
224
225func FeIsNonZero(f *FieldElement) int32 {
226 var s [32]byte
227 FeToBytes(&s, f)
228 var x uint8
229 for _, b := range s {
230 x |= b
231 }
232 x |= x >> 4
233 x |= x >> 2
234 x |= x >> 1
235 return int32(x & 1)
236}
237
238// FeNeg sets h = -f
239//
240// Preconditions:
241// |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
242//
243// Postconditions:
244// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
245func FeNeg(h, f *FieldElement) {
246 h[0] = -f[0]
247 h[1] = -f[1]
248 h[2] = -f[2]
249 h[3] = -f[3]
250 h[4] = -f[4]
251 h[5] = -f[5]
252 h[6] = -f[6]
253 h[7] = -f[7]
254 h[8] = -f[8]
255 h[9] = -f[9]
256}
257
258func FeCombine(h *FieldElement, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64) {
259 var c0, c1, c2, c3, c4, c5, c6, c7, c8, c9 int64
260
261 /*
262 |h0| <= (1.1*1.1*2^52*(1+19+19+19+19)+1.1*1.1*2^50*(38+38+38+38+38))
263 i.e. |h0| <= 1.2*2^59; narrower ranges for h2, h4, h6, h8
264 |h1| <= (1.1*1.1*2^51*(1+1+19+19+19+19+19+19+19+19))
265 i.e. |h1| <= 1.5*2^58; narrower ranges for h3, h5, h7, h9
266 */
267
268 c0 = (h0 + (1 << 25)) >> 26
269 h1 += c0
270 h0 -= c0 << 26
271 c4 = (h4 + (1 << 25)) >> 26
272 h5 += c4
273 h4 -= c4 << 26
274 /* |h0| <= 2^25 */
275 /* |h4| <= 2^25 */
276 /* |h1| <= 1.51*2^58 */
277 /* |h5| <= 1.51*2^58 */
278
279 c1 = (h1 + (1 << 24)) >> 25
280 h2 += c1
281 h1 -= c1 << 25
282 c5 = (h5 + (1 << 24)) >> 25
283 h6 += c5
284 h5 -= c5 << 25
285 /* |h1| <= 2^24; from now on fits into int32 */
286 /* |h5| <= 2^24; from now on fits into int32 */
287 /* |h2| <= 1.21*2^59 */
288 /* |h6| <= 1.21*2^59 */
289
290 c2 = (h2 + (1 << 25)) >> 26
291 h3 += c2
292 h2 -= c2 << 26
293 c6 = (h6 + (1 << 25)) >> 26
294 h7 += c6
295 h6 -= c6 << 26
296 /* |h2| <= 2^25; from now on fits into int32 unchanged */
297 /* |h6| <= 2^25; from now on fits into int32 unchanged */
298 /* |h3| <= 1.51*2^58 */
299 /* |h7| <= 1.51*2^58 */
300
301 c3 = (h3 + (1 << 24)) >> 25
302 h4 += c3
303 h3 -= c3 << 25
304 c7 = (h7 + (1 << 24)) >> 25
305 h8 += c7
306 h7 -= c7 << 25
307 /* |h3| <= 2^24; from now on fits into int32 unchanged */
308 /* |h7| <= 2^24; from now on fits into int32 unchanged */
309 /* |h4| <= 1.52*2^33 */
310 /* |h8| <= 1.52*2^33 */
311
312 c4 = (h4 + (1 << 25)) >> 26
313 h5 += c4
314 h4 -= c4 << 26
315 c8 = (h8 + (1 << 25)) >> 26
316 h9 += c8
317 h8 -= c8 << 26
318 /* |h4| <= 2^25; from now on fits into int32 unchanged */
319 /* |h8| <= 2^25; from now on fits into int32 unchanged */
320 /* |h5| <= 1.01*2^24 */
321 /* |h9| <= 1.51*2^58 */
322
323 c9 = (h9 + (1 << 24)) >> 25
324 h0 += c9 * 19
325 h9 -= c9 << 25
326 /* |h9| <= 2^24; from now on fits into int32 unchanged */
327 /* |h0| <= 1.8*2^37 */
328
329 c0 = (h0 + (1 << 25)) >> 26
330 h1 += c0
331 h0 -= c0 << 26
332 /* |h0| <= 2^25; from now on fits into int32 unchanged */
333 /* |h1| <= 1.01*2^24 */
334
335 h[0] = int32(h0)
336 h[1] = int32(h1)
337 h[2] = int32(h2)
338 h[3] = int32(h3)
339 h[4] = int32(h4)
340 h[5] = int32(h5)
341 h[6] = int32(h6)
342 h[7] = int32(h7)
343 h[8] = int32(h8)
344 h[9] = int32(h9)
345}
346
347// FeMul calculates h = f * g
348// Can overlap h with f or g.
349//
350// Preconditions:
351// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
352// |g| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
353//
354// Postconditions:
355// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
356//
357// Notes on implementation strategy:
358//
359// Using schoolbook multiplication.
360// Karatsuba would save a little in some cost models.
361//
362// Most multiplications by 2 and 19 are 32-bit precomputations;
363// cheaper than 64-bit postcomputations.
364//
365// There is one remaining multiplication by 19 in the carry chain;
366// one *19 precomputation can be merged into this,
367// but the resulting data flow is considerably less clean.
368//
369// There are 12 carries below.
370// 10 of them are 2-way parallelizable and vectorizable.
371// Can get away with 11 carries, but then data flow is much deeper.
372//
373// With tighter constraints on inputs, can squeeze carries into int32.
374func FeMul(h, f, g *FieldElement) {
375 f0 := int64(f[0])
376 f1 := int64(f[1])
377 f2 := int64(f[2])
378 f3 := int64(f[3])
379 f4 := int64(f[4])
380 f5 := int64(f[5])
381 f6 := int64(f[6])
382 f7 := int64(f[7])
383 f8 := int64(f[8])
384 f9 := int64(f[9])
385
386 f1_2 := int64(2 * f[1])
387 f3_2 := int64(2 * f[3])
388 f5_2 := int64(2 * f[5])
389 f7_2 := int64(2 * f[7])
390 f9_2 := int64(2 * f[9])
391
392 g0 := int64(g[0])
393 g1 := int64(g[1])
394 g2 := int64(g[2])
395 g3 := int64(g[3])
396 g4 := int64(g[4])
397 g5 := int64(g[5])
398 g6 := int64(g[6])
399 g7 := int64(g[7])
400 g8 := int64(g[8])
401 g9 := int64(g[9])
402
403 g1_19 := int64(19 * g[1]) /* 1.4*2^29 */
404 g2_19 := int64(19 * g[2]) /* 1.4*2^30; still ok */
405 g3_19 := int64(19 * g[3])
406 g4_19 := int64(19 * g[4])
407 g5_19 := int64(19 * g[5])
408 g6_19 := int64(19 * g[6])
409 g7_19 := int64(19 * g[7])
410 g8_19 := int64(19 * g[8])
411 g9_19 := int64(19 * g[9])
412
413 h0 := f0*g0 + f1_2*g9_19 + f2*g8_19 + f3_2*g7_19 + f4*g6_19 + f5_2*g5_19 + f6*g4_19 + f7_2*g3_19 + f8*g2_19 + f9_2*g1_19
414 h1 := f0*g1 + f1*g0 + f2*g9_19 + f3*g8_19 + f4*g7_19 + f5*g6_19 + f6*g5_19 + f7*g4_19 + f8*g3_19 + f9*g2_19
415 h2 := f0*g2 + f1_2*g1 + f2*g0 + f3_2*g9_19 + f4*g8_19 + f5_2*g7_19 + f6*g6_19 + f7_2*g5_19 + f8*g4_19 + f9_2*g3_19
416 h3 := f0*g3 + f1*g2 + f2*g1 + f3*g0 + f4*g9_19 + f5*g8_19 + f6*g7_19 + f7*g6_19 + f8*g5_19 + f9*g4_19
417 h4 := f0*g4 + f1_2*g3 + f2*g2 + f3_2*g1 + f4*g0 + f5_2*g9_19 + f6*g8_19 + f7_2*g7_19 + f8*g6_19 + f9_2*g5_19
418 h5 := f0*g5 + f1*g4 + f2*g3 + f3*g2 + f4*g1 + f5*g0 + f6*g9_19 + f7*g8_19 + f8*g7_19 + f9*g6_19
419 h6 := f0*g6 + f1_2*g5 + f2*g4 + f3_2*g3 + f4*g2 + f5_2*g1 + f6*g0 + f7_2*g9_19 + f8*g8_19 + f9_2*g7_19
420 h7 := f0*g7 + f1*g6 + f2*g5 + f3*g4 + f4*g3 + f5*g2 + f6*g1 + f7*g0 + f8*g9_19 + f9*g8_19
421 h8 := f0*g8 + f1_2*g7 + f2*g6 + f3_2*g5 + f4*g4 + f5_2*g3 + f6*g2 + f7_2*g1 + f8*g0 + f9_2*g9_19
422 h9 := f0*g9 + f1*g8 + f2*g7 + f3*g6 + f4*g5 + f5*g4 + f6*g3 + f7*g2 + f8*g1 + f9*g0
423
424 FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
425}
426
427func feSquare(f *FieldElement) (h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 int64) {
428 f0 := int64(f[0])
429 f1 := int64(f[1])
430 f2 := int64(f[2])
431 f3 := int64(f[3])
432 f4 := int64(f[4])
433 f5 := int64(f[5])
434 f6 := int64(f[6])
435 f7 := int64(f[7])
436 f8 := int64(f[8])
437 f9 := int64(f[9])
438 f0_2 := int64(2 * f[0])
439 f1_2 := int64(2 * f[1])
440 f2_2 := int64(2 * f[2])
441 f3_2 := int64(2 * f[3])
442 f4_2 := int64(2 * f[4])
443 f5_2 := int64(2 * f[5])
444 f6_2 := int64(2 * f[6])
445 f7_2 := int64(2 * f[7])
446 f5_38 := 38 * f5 // 1.31*2^30
447 f6_19 := 19 * f6 // 1.31*2^30
448 f7_38 := 38 * f7 // 1.31*2^30
449 f8_19 := 19 * f8 // 1.31*2^30
450 f9_38 := 38 * f9 // 1.31*2^30
451
452 h0 = f0*f0 + f1_2*f9_38 + f2_2*f8_19 + f3_2*f7_38 + f4_2*f6_19 + f5*f5_38
453 h1 = f0_2*f1 + f2*f9_38 + f3_2*f8_19 + f4*f7_38 + f5_2*f6_19
454 h2 = f0_2*f2 + f1_2*f1 + f3_2*f9_38 + f4_2*f8_19 + f5_2*f7_38 + f6*f6_19
455 h3 = f0_2*f3 + f1_2*f2 + f4*f9_38 + f5_2*f8_19 + f6*f7_38
456 h4 = f0_2*f4 + f1_2*f3_2 + f2*f2 + f5_2*f9_38 + f6_2*f8_19 + f7*f7_38
457 h5 = f0_2*f5 + f1_2*f4 + f2_2*f3 + f6*f9_38 + f7_2*f8_19
458 h6 = f0_2*f6 + f1_2*f5_2 + f2_2*f4 + f3_2*f3 + f7_2*f9_38 + f8*f8_19
459 h7 = f0_2*f7 + f1_2*f6 + f2_2*f5 + f3_2*f4 + f8*f9_38
460 h8 = f0_2*f8 + f1_2*f7_2 + f2_2*f6 + f3_2*f5_2 + f4*f4 + f9*f9_38
461 h9 = f0_2*f9 + f1_2*f8 + f2_2*f7 + f3_2*f6 + f4_2*f5
462
463 return
464}
465
466// FeSquare calculates h = f*f. Can overlap h with f.
467//
468// Preconditions:
469// |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
470//
471// Postconditions:
472// |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
473func FeSquare(h, f *FieldElement) {
474 h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 := feSquare(f)
475 FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
476}
477
478// FeSquare2 sets h = 2 * f * f
479//
480// Can overlap h with f.
481//
482// Preconditions:
483// |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
484//
485// Postconditions:
486// |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
487// See fe_mul.c for discussion of implementation strategy.
488func FeSquare2(h, f *FieldElement) {
489 h0, h1, h2, h3, h4, h5, h6, h7, h8, h9 := feSquare(f)
490
491 h0 += h0
492 h1 += h1
493 h2 += h2
494 h3 += h3
495 h4 += h4
496 h5 += h5
497 h6 += h6
498 h7 += h7
499 h8 += h8
500 h9 += h9
501
502 FeCombine(h, h0, h1, h2, h3, h4, h5, h6, h7, h8, h9)
503}
504
505func FeInvert(out, z *FieldElement) {
506 var t0, t1, t2, t3 FieldElement
507 var i int
508
509 FeSquare(&t0, z) // 2^1
510 FeSquare(&t1, &t0) // 2^2
511 for i = 1; i < 2; i++ { // 2^3
512 FeSquare(&t1, &t1)
513 }
514 FeMul(&t1, z, &t1) // 2^3 + 2^0
515 FeMul(&t0, &t0, &t1) // 2^3 + 2^1 + 2^0
516 FeSquare(&t2, &t0) // 2^4 + 2^2 + 2^1
517 FeMul(&t1, &t1, &t2) // 2^4 + 2^3 + 2^2 + 2^1 + 2^0
518 FeSquare(&t2, &t1) // 5,4,3,2,1
519 for i = 1; i < 5; i++ { // 9,8,7,6,5
520 FeSquare(&t2, &t2)
521 }
522 FeMul(&t1, &t2, &t1) // 9,8,7,6,5,4,3,2,1,0
523 FeSquare(&t2, &t1) // 10..1
524 for i = 1; i < 10; i++ { // 19..10
525 FeSquare(&t2, &t2)
526 }
527 FeMul(&t2, &t2, &t1) // 19..0
528 FeSquare(&t3, &t2) // 20..1
529 for i = 1; i < 20; i++ { // 39..20
530 FeSquare(&t3, &t3)
531 }
532 FeMul(&t2, &t3, &t2) // 39..0
533 FeSquare(&t2, &t2) // 40..1
534 for i = 1; i < 10; i++ { // 49..10
535 FeSquare(&t2, &t2)
536 }
537 FeMul(&t1, &t2, &t1) // 49..0
538 FeSquare(&t2, &t1) // 50..1
539 for i = 1; i < 50; i++ { // 99..50
540 FeSquare(&t2, &t2)
541 }
542 FeMul(&t2, &t2, &t1) // 99..0
543 FeSquare(&t3, &t2) // 100..1
544 for i = 1; i < 100; i++ { // 199..100
545 FeSquare(&t3, &t3)
546 }
547 FeMul(&t2, &t3, &t2) // 199..0
548 FeSquare(&t2, &t2) // 200..1
549 for i = 1; i < 50; i++ { // 249..50
550 FeSquare(&t2, &t2)
551 }
552 FeMul(&t1, &t2, &t1) // 249..0
553 FeSquare(&t1, &t1) // 250..1
554 for i = 1; i < 5; i++ { // 254..5
555 FeSquare(&t1, &t1)
556 }
557 FeMul(out, &t1, &t0) // 254..5,3,1,0
558}
559
560func fePow22523(out, z *FieldElement) {
561 var t0, t1, t2 FieldElement
562 var i int
563
564 FeSquare(&t0, z)
565 for i = 1; i < 1; i++ {
566 FeSquare(&t0, &t0)
567 }
568 FeSquare(&t1, &t0)
569 for i = 1; i < 2; i++ {
570 FeSquare(&t1, &t1)
571 }
572 FeMul(&t1, z, &t1)
573 FeMul(&t0, &t0, &t1)
574 FeSquare(&t0, &t0)
575 for i = 1; i < 1; i++ {
576 FeSquare(&t0, &t0)
577 }
578 FeMul(&t0, &t1, &t0)
579 FeSquare(&t1, &t0)
580 for i = 1; i < 5; i++ {
581 FeSquare(&t1, &t1)
582 }
583 FeMul(&t0, &t1, &t0)
584 FeSquare(&t1, &t0)
585 for i = 1; i < 10; i++ {
586 FeSquare(&t1, &t1)
587 }
588 FeMul(&t1, &t1, &t0)
589 FeSquare(&t2, &t1)
590 for i = 1; i < 20; i++ {
591 FeSquare(&t2, &t2)
592 }
593 FeMul(&t1, &t2, &t1)
594 FeSquare(&t1, &t1)
595 for i = 1; i < 10; i++ {
596 FeSquare(&t1, &t1)
597 }
598 FeMul(&t0, &t1, &t0)
599 FeSquare(&t1, &t0)
600 for i = 1; i < 50; i++ {
601 FeSquare(&t1, &t1)
602 }
603 FeMul(&t1, &t1, &t0)
604 FeSquare(&t2, &t1)
605 for i = 1; i < 100; i++ {
606 FeSquare(&t2, &t2)
607 }
608 FeMul(&t1, &t2, &t1)
609 FeSquare(&t1, &t1)
610 for i = 1; i < 50; i++ {
611 FeSquare(&t1, &t1)
612 }
613 FeMul(&t0, &t1, &t0)
614 FeSquare(&t0, &t0)
615 for i = 1; i < 2; i++ {
616 FeSquare(&t0, &t0)
617 }
618 FeMul(out, &t0, z)
619}
620
621// Group elements are members of the elliptic curve -x^2 + y^2 = 1 + d * x^2 *
622// y^2 where d = -121665/121666.
623//
624// Several representations are used:
625// ProjectiveGroupElement: (X:Y:Z) satisfying x=X/Z, y=Y/Z
626// ExtendedGroupElement: (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
627// CompletedGroupElement: ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
628// PreComputedGroupElement: (y+x,y-x,2dxy)
629
630type ProjectiveGroupElement struct {
631 X, Y, Z FieldElement
632}
633
634type ExtendedGroupElement struct {
635 X, Y, Z, T FieldElement
636}
637
638type CompletedGroupElement struct {
639 X, Y, Z, T FieldElement
640}
641
642type PreComputedGroupElement struct {
643 yPlusX, yMinusX, xy2d FieldElement
644}
645
646type CachedGroupElement struct {
647 yPlusX, yMinusX, Z, T2d FieldElement
648}
649
650func (p *ProjectiveGroupElement) Zero() {
651 FeZero(&p.X)
652 FeOne(&p.Y)
653 FeOne(&p.Z)
654}
655
656func (p *ProjectiveGroupElement) Double(r *CompletedGroupElement) {
657 var t0 FieldElement
658
659 FeSquare(&r.X, &p.X)
660 FeSquare(&r.Z, &p.Y)
661 FeSquare2(&r.T, &p.Z)
662 FeAdd(&r.Y, &p.X, &p.Y)
663 FeSquare(&t0, &r.Y)
664 FeAdd(&r.Y, &r.Z, &r.X)
665 FeSub(&r.Z, &r.Z, &r.X)
666 FeSub(&r.X, &t0, &r.Y)
667 FeSub(&r.T, &r.T, &r.Z)
668}
669
670func (p *ProjectiveGroupElement) ToBytes(s *[32]byte) {
671 var recip, x, y FieldElement
672
673 FeInvert(&recip, &p.Z)
674 FeMul(&x, &p.X, &recip)
675 FeMul(&y, &p.Y, &recip)
676 FeToBytes(s, &y)
677 s[31] ^= FeIsNegative(&x) << 7
678}
679
680func (p *ExtendedGroupElement) Zero() {
681 FeZero(&p.X)
682 FeOne(&p.Y)
683 FeOne(&p.Z)
684 FeZero(&p.T)
685}
686
687func (p *ExtendedGroupElement) Double(r *CompletedGroupElement) {
688 var q ProjectiveGroupElement
689 p.ToProjective(&q)
690 q.Double(r)
691}
692
693func (p *ExtendedGroupElement) ToCached(r *CachedGroupElement) {
694 FeAdd(&r.yPlusX, &p.Y, &p.X)
695 FeSub(&r.yMinusX, &p.Y, &p.X)
696 FeCopy(&r.Z, &p.Z)
697 FeMul(&r.T2d, &p.T, &d2)
698}
699
700func (p *ExtendedGroupElement) ToProjective(r *ProjectiveGroupElement) {
701 FeCopy(&r.X, &p.X)
702 FeCopy(&r.Y, &p.Y)
703 FeCopy(&r.Z, &p.Z)
704}
705
706func (p *ExtendedGroupElement) ToBytes(s *[32]byte) {
707 var recip, x, y FieldElement
708
709 FeInvert(&recip, &p.Z)
710 FeMul(&x, &p.X, &recip)
711 FeMul(&y, &p.Y, &recip)
712 FeToBytes(s, &y)
713 s[31] ^= FeIsNegative(&x) << 7
714}
715
716func (p *ExtendedGroupElement) FromBytes(s *[32]byte) bool {
717 var u, v, v3, vxx, check FieldElement
718
719 FeFromBytes(&p.Y, s)
720 FeOne(&p.Z)
721 FeSquare(&u, &p.Y)
722 FeMul(&v, &u, &d)
723 FeSub(&u, &u, &p.Z) // y = y^2-1
724 FeAdd(&v, &v, &p.Z) // v = dy^2+1
725
726 FeSquare(&v3, &v)
727 FeMul(&v3, &v3, &v) // v3 = v^3
728 FeSquare(&p.X, &v3)
729 FeMul(&p.X, &p.X, &v)
730 FeMul(&p.X, &p.X, &u) // x = uv^7
731
732 fePow22523(&p.X, &p.X) // x = (uv^7)^((q-5)/8)
733 FeMul(&p.X, &p.X, &v3)
734 FeMul(&p.X, &p.X, &u) // x = uv^3(uv^7)^((q-5)/8)
735
736 var tmpX, tmp2 [32]byte
737
738 FeSquare(&vxx, &p.X)
739 FeMul(&vxx, &vxx, &v)
740 FeSub(&check, &vxx, &u) // vx^2-u
741 if FeIsNonZero(&check) == 1 {
742 FeAdd(&check, &vxx, &u) // vx^2+u
743 if FeIsNonZero(&check) == 1 {
744 return false
745 }
746 FeMul(&p.X, &p.X, &SqrtM1)
747
748 FeToBytes(&tmpX, &p.X)
749 for i, v := range tmpX {
750 tmp2[31-i] = v
751 }
752 }
753
754 if FeIsNegative(&p.X) != (s[31] >> 7) {
755 FeNeg(&p.X, &p.X)
756 }
757
758 FeMul(&p.T, &p.X, &p.Y)
759 return true
760}
761
762func (p *CompletedGroupElement) ToProjective(r *ProjectiveGroupElement) {
763 FeMul(&r.X, &p.X, &p.T)
764 FeMul(&r.Y, &p.Y, &p.Z)
765 FeMul(&r.Z, &p.Z, &p.T)
766}
767
768func (p *CompletedGroupElement) ToExtended(r *ExtendedGroupElement) {
769 FeMul(&r.X, &p.X, &p.T)
770 FeMul(&r.Y, &p.Y, &p.Z)
771 FeMul(&r.Z, &p.Z, &p.T)
772 FeMul(&r.T, &p.X, &p.Y)
773}
774
775func (p *PreComputedGroupElement) Zero() {
776 FeOne(&p.yPlusX)
777 FeOne(&p.yMinusX)
778 FeZero(&p.xy2d)
779}
780
781func geAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement) {
782 var t0 FieldElement
783
784 FeAdd(&r.X, &p.Y, &p.X)
785 FeSub(&r.Y, &p.Y, &p.X)
786 FeMul(&r.Z, &r.X, &q.yPlusX)
787 FeMul(&r.Y, &r.Y, &q.yMinusX)
788 FeMul(&r.T, &q.T2d, &p.T)
789 FeMul(&r.X, &p.Z, &q.Z)
790 FeAdd(&t0, &r.X, &r.X)
791 FeSub(&r.X, &r.Z, &r.Y)
792 FeAdd(&r.Y, &r.Z, &r.Y)
793 FeAdd(&r.Z, &t0, &r.T)
794 FeSub(&r.T, &t0, &r.T)
795}
796
797func geSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *CachedGroupElement) {
798 var t0 FieldElement
799
800 FeAdd(&r.X, &p.Y, &p.X)
801 FeSub(&r.Y, &p.Y, &p.X)
802 FeMul(&r.Z, &r.X, &q.yMinusX)
803 FeMul(&r.Y, &r.Y, &q.yPlusX)
804 FeMul(&r.T, &q.T2d, &p.T)
805 FeMul(&r.X, &p.Z, &q.Z)
806 FeAdd(&t0, &r.X, &r.X)
807 FeSub(&r.X, &r.Z, &r.Y)
808 FeAdd(&r.Y, &r.Z, &r.Y)
809 FeSub(&r.Z, &t0, &r.T)
810 FeAdd(&r.T, &t0, &r.T)
811}
812
813func geMixedAdd(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement) {
814 var t0 FieldElement
815
816 FeAdd(&r.X, &p.Y, &p.X)
817 FeSub(&r.Y, &p.Y, &p.X)
818 FeMul(&r.Z, &r.X, &q.yPlusX)
819 FeMul(&r.Y, &r.Y, &q.yMinusX)
820 FeMul(&r.T, &q.xy2d, &p.T)
821 FeAdd(&t0, &p.Z, &p.Z)
822 FeSub(&r.X, &r.Z, &r.Y)
823 FeAdd(&r.Y, &r.Z, &r.Y)
824 FeAdd(&r.Z, &t0, &r.T)
825 FeSub(&r.T, &t0, &r.T)
826}
827
828func geMixedSub(r *CompletedGroupElement, p *ExtendedGroupElement, q *PreComputedGroupElement) {
829 var t0 FieldElement
830
831 FeAdd(&r.X, &p.Y, &p.X)
832 FeSub(&r.Y, &p.Y, &p.X)
833 FeMul(&r.Z, &r.X, &q.yMinusX)
834 FeMul(&r.Y, &r.Y, &q.yPlusX)
835 FeMul(&r.T, &q.xy2d, &p.T)
836 FeAdd(&t0, &p.Z, &p.Z)
837 FeSub(&r.X, &r.Z, &r.Y)
838 FeAdd(&r.Y, &r.Z, &r.Y)
839 FeSub(&r.Z, &t0, &r.T)
840 FeAdd(&r.T, &t0, &r.T)
841}
842
843func slide(r *[256]int8, a *[32]byte) {
844 for i := range r {
845 r[i] = int8(1 & (a[i>>3] >> uint(i&7)))
846 }
847
848 for i := range r {
849 if r[i] != 0 {
850 for b := 1; b <= 6 && i+b < 256; b++ {
851 if r[i+b] != 0 {
852 if r[i]+(r[i+b]<<uint(b)) <= 15 {
853 r[i] += r[i+b] << uint(b)
854 r[i+b] = 0
855 } else if r[i]-(r[i+b]<<uint(b)) >= -15 {
856 r[i] -= r[i+b] << uint(b)
857 for k := i + b; k < 256; k++ {
858 if r[k] == 0 {
859 r[k] = 1
860 break
861 }
862 r[k] = 0
863 }
864 } else {
865 break
866 }
867 }
868 }
869 }
870 }
871}
872
873// GeDoubleScalarMultVartime sets r = a*A + b*B
874// where a = a[0]+256*a[1]+...+256^31 a[31].
875// and b = b[0]+256*b[1]+...+256^31 b[31].
876// B is the Ed25519 base point (x,4/5) with x positive.
877func GeDoubleScalarMultVartime(r *ProjectiveGroupElement, a *[32]byte, A *ExtendedGroupElement, b *[32]byte) {
878 var aSlide, bSlide [256]int8
879 var Ai [8]CachedGroupElement // A,3A,5A,7A,9A,11A,13A,15A
880 var t CompletedGroupElement
881 var u, A2 ExtendedGroupElement
882 var i int
883
884 slide(&aSlide, a)
885 slide(&bSlide, b)
886
887 A.ToCached(&Ai[0])
888 A.Double(&t)
889 t.ToExtended(&A2)
890
891 for i := 0; i < 7; i++ {
892 geAdd(&t, &A2, &Ai[i])
893 t.ToExtended(&u)
894 u.ToCached(&Ai[i+1])
895 }
896
897 r.Zero()
898
899 for i = 255; i >= 0; i-- {
900 if aSlide[i] != 0 || bSlide[i] != 0 {
901 break
902 }
903 }
904
905 for ; i >= 0; i-- {
906 r.Double(&t)
907
908 if aSlide[i] > 0 {
909 t.ToExtended(&u)
910 geAdd(&t, &u, &Ai[aSlide[i]/2])
911 } else if aSlide[i] < 0 {
912 t.ToExtended(&u)
913 geSub(&t, &u, &Ai[(-aSlide[i])/2])
914 }
915
916 if bSlide[i] > 0 {
917 t.ToExtended(&u)
918 geMixedAdd(&t, &u, &bi[bSlide[i]/2])
919 } else if bSlide[i] < 0 {
920 t.ToExtended(&u)
921 geMixedSub(&t, &u, &bi[(-bSlide[i])/2])
922 }
923
924 t.ToProjective(r)
925 }
926}
927
928// equal returns 1 if b == c and 0 otherwise, assuming that b and c are
929// non-negative.
930func equal(b, c int32) int32 {
931 x := uint32(b ^ c)
932 x--
933 return int32(x >> 31)
934}
935
936// negative returns 1 if b < 0 and 0 otherwise.
937func negative(b int32) int32 {
938 return (b >> 31) & 1
939}
940
941func PreComputedGroupElementCMove(t, u *PreComputedGroupElement, b int32) {
942 FeCMove(&t.yPlusX, &u.yPlusX, b)
943 FeCMove(&t.yMinusX, &u.yMinusX, b)
944 FeCMove(&t.xy2d, &u.xy2d, b)
945}
946
947func selectPoint(t *PreComputedGroupElement, pos int32, b int32) {
948 var minusT PreComputedGroupElement
949 bNegative := negative(b)
950 bAbs := b - (((-bNegative) & b) << 1)
951
952 t.Zero()
953 for i := int32(0); i < 8; i++ {
954 PreComputedGroupElementCMove(t, &base[pos][i], equal(bAbs, i+1))
955 }
956 FeCopy(&minusT.yPlusX, &t.yMinusX)
957 FeCopy(&minusT.yMinusX, &t.yPlusX)
958 FeNeg(&minusT.xy2d, &t.xy2d)
959 PreComputedGroupElementCMove(t, &minusT, bNegative)
960}
961
962// GeScalarMultBase computes h = a*B, where
963// a = a[0]+256*a[1]+...+256^31 a[31]
964// B is the Ed25519 base point (x,4/5) with x positive.
965//
966// Preconditions:
967// a[31] <= 127
968func GeScalarMultBase(h *ExtendedGroupElement, a *[32]byte) {
969 var e [64]int8
970
971 for i, v := range a {
972 e[2*i] = int8(v & 15)
973 e[2*i+1] = int8((v >> 4) & 15)
974 }
975
976 // each e[i] is between 0 and 15 and e[63] is between 0 and 7.
977
978 carry := int8(0)
979 for i := 0; i < 63; i++ {
980 e[i] += carry
981 carry = (e[i] + 8) >> 4
982 e[i] -= carry << 4
983 }
984 e[63] += carry
985 // each e[i] is between -8 and 8.
986
987 h.Zero()
988 var t PreComputedGroupElement
989 var r CompletedGroupElement
990 for i := int32(1); i < 64; i += 2 {
991 selectPoint(&t, i/2, int32(e[i]))
992 geMixedAdd(&r, h, &t)
993 r.ToExtended(h)
994 }
995
996 var s ProjectiveGroupElement
997
998 h.Double(&r)
999 r.ToProjective(&s)
1000 s.Double(&r)
1001 r.ToProjective(&s)
1002 s.Double(&r)
1003 r.ToProjective(&s)
1004 s.Double(&r)
1005 r.ToExtended(h)
1006
1007 for i := int32(0); i < 64; i += 2 {
1008 selectPoint(&t, i/2, int32(e[i]))
1009 geMixedAdd(&r, h, &t)
1010 r.ToExtended(h)
1011 }
1012}
1013
1014// The scalars are GF(2^252 + 27742317777372353535851937790883648493).
1015
1016// Input:
1017// a[0]+256*a[1]+...+256^31*a[31] = a
1018// b[0]+256*b[1]+...+256^31*b[31] = b
1019// c[0]+256*c[1]+...+256^31*c[31] = c
1020//
1021// Output:
1022// s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
1023// where l = 2^252 + 27742317777372353535851937790883648493.
1024func ScMulAdd(s, a, b, c *[32]byte) {
1025 a0 := 2097151 & load3(a[:])
1026 a1 := 2097151 & (load4(a[2:]) >> 5)
1027 a2 := 2097151 & (load3(a[5:]) >> 2)
1028 a3 := 2097151 & (load4(a[7:]) >> 7)
1029 a4 := 2097151 & (load4(a[10:]) >> 4)
1030 a5 := 2097151 & (load3(a[13:]) >> 1)
1031 a6 := 2097151 & (load4(a[15:]) >> 6)
1032 a7 := 2097151 & (load3(a[18:]) >> 3)
1033 a8 := 2097151 & load3(a[21:])
1034 a9 := 2097151 & (load4(a[23:]) >> 5)
1035 a10 := 2097151 & (load3(a[26:]) >> 2)
1036 a11 := (load4(a[28:]) >> 7)
1037 b0 := 2097151 & load3(b[:])
1038 b1 := 2097151 & (load4(b[2:]) >> 5)
1039 b2 := 2097151 & (load3(b[5:]) >> 2)
1040 b3 := 2097151 & (load4(b[7:]) >> 7)
1041 b4 := 2097151 & (load4(b[10:]) >> 4)
1042 b5 := 2097151 & (load3(b[13:]) >> 1)
1043 b6 := 2097151 & (load4(b[15:]) >> 6)
1044 b7 := 2097151 & (load3(b[18:]) >> 3)
1045 b8 := 2097151 & load3(b[21:])
1046 b9 := 2097151 & (load4(b[23:]) >> 5)
1047 b10 := 2097151 & (load3(b[26:]) >> 2)
1048 b11 := (load4(b[28:]) >> 7)
1049 c0 := 2097151 & load3(c[:])
1050 c1 := 2097151 & (load4(c[2:]) >> 5)
1051 c2 := 2097151 & (load3(c[5:]) >> 2)
1052 c3 := 2097151 & (load4(c[7:]) >> 7)
1053 c4 := 2097151 & (load4(c[10:]) >> 4)
1054 c5 := 2097151 & (load3(c[13:]) >> 1)
1055 c6 := 2097151 & (load4(c[15:]) >> 6)
1056 c7 := 2097151 & (load3(c[18:]) >> 3)
1057 c8 := 2097151 & load3(c[21:])
1058 c9 := 2097151 & (load4(c[23:]) >> 5)
1059 c10 := 2097151 & (load3(c[26:]) >> 2)
1060 c11 := (load4(c[28:]) >> 7)
1061 var carry [23]int64
1062
1063 s0 := c0 + a0*b0
1064 s1 := c1 + a0*b1 + a1*b0
1065 s2 := c2 + a0*b2 + a1*b1 + a2*b0
1066 s3 := c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0
1067 s4 := c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0
1068 s5 := c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0
1069 s6 := c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0
1070 s7 := c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0
1071 s8 := c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0
1072 s9 := c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0
1073 s10 := c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0
1074 s11 := c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0
1075 s12 := a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1
1076 s13 := a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2
1077 s14 := a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3
1078 s15 := a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4
1079 s16 := a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5
1080 s17 := a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6
1081 s18 := a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7
1082 s19 := a8*b11 + a9*b10 + a10*b9 + a11*b8
1083 s20 := a9*b11 + a10*b10 + a11*b9
1084 s21 := a10*b11 + a11*b10
1085 s22 := a11 * b11
1086 s23 := int64(0)
1087
1088 carry[0] = (s0 + (1 << 20)) >> 21
1089 s1 += carry[0]
1090 s0 -= carry[0] << 21
1091 carry[2] = (s2 + (1 << 20)) >> 21
1092 s3 += carry[2]
1093 s2 -= carry[2] << 21
1094 carry[4] = (s4 + (1 << 20)) >> 21
1095 s5 += carry[4]
1096 s4 -= carry[4] << 21
1097 carry[6] = (s6 + (1 << 20)) >> 21
1098 s7 += carry[6]
1099 s6 -= carry[6] << 21
1100 carry[8] = (s8 + (1 << 20)) >> 21
1101 s9 += carry[8]
1102 s8 -= carry[8] << 21
1103 carry[10] = (s10 + (1 << 20)) >> 21
1104 s11 += carry[10]
1105 s10 -= carry[10] << 21
1106 carry[12] = (s12 + (1 << 20)) >> 21
1107 s13 += carry[12]
1108 s12 -= carry[12] << 21
1109 carry[14] = (s14 + (1 << 20)) >> 21
1110 s15 += carry[14]
1111 s14 -= carry[14] << 21
1112 carry[16] = (s16 + (1 << 20)) >> 21
1113 s17 += carry[16]
1114 s16 -= carry[16] << 21
1115 carry[18] = (s18 + (1 << 20)) >> 21
1116 s19 += carry[18]
1117 s18 -= carry[18] << 21
1118 carry[20] = (s20 + (1 << 20)) >> 21
1119 s21 += carry[20]
1120 s20 -= carry[20] << 21
1121 carry[22] = (s22 + (1 << 20)) >> 21
1122 s23 += carry[22]
1123 s22 -= carry[22] << 21
1124
1125 carry[1] = (s1 + (1 << 20)) >> 21
1126 s2 += carry[1]
1127 s1 -= carry[1] << 21
1128 carry[3] = (s3 + (1 << 20)) >> 21
1129 s4 += carry[3]
1130 s3 -= carry[3] << 21
1131 carry[5] = (s5 + (1 << 20)) >> 21
1132 s6 += carry[5]
1133 s5 -= carry[5] << 21
1134 carry[7] = (s7 + (1 << 20)) >> 21
1135 s8 += carry[7]
1136 s7 -= carry[7] << 21
1137 carry[9] = (s9 + (1 << 20)) >> 21
1138 s10 += carry[9]
1139 s9 -= carry[9] << 21
1140 carry[11] = (s11 + (1 << 20)) >> 21
1141 s12 += carry[11]
1142 s11 -= carry[11] << 21
1143 carry[13] = (s13 + (1 << 20)) >> 21
1144 s14 += carry[13]
1145 s13 -= carry[13] << 21
1146 carry[15] = (s15 + (1 << 20)) >> 21
1147 s16 += carry[15]
1148 s15 -= carry[15] << 21
1149 carry[17] = (s17 + (1 << 20)) >> 21
1150 s18 += carry[17]
1151 s17 -= carry[17] << 21
1152 carry[19] = (s19 + (1 << 20)) >> 21
1153 s20 += carry[19]
1154 s19 -= carry[19] << 21
1155 carry[21] = (s21 + (1 << 20)) >> 21
1156 s22 += carry[21]
1157 s21 -= carry[21] << 21
1158
1159 s11 += s23 * 666643
1160 s12 += s23 * 470296
1161 s13 += s23 * 654183
1162 s14 -= s23 * 997805
1163 s15 += s23 * 136657
1164 s16 -= s23 * 683901
1165 s23 = 0
1166
1167 s10 += s22 * 666643
1168 s11 += s22 * 470296
1169 s12 += s22 * 654183
1170 s13 -= s22 * 997805
1171 s14 += s22 * 136657
1172 s15 -= s22 * 683901
1173 s22 = 0
1174
1175 s9 += s21 * 666643
1176 s10 += s21 * 470296
1177 s11 += s21 * 654183
1178 s12 -= s21 * 997805
1179 s13 += s21 * 136657
1180 s14 -= s21 * 683901
1181 s21 = 0
1182
1183 s8 += s20 * 666643
1184 s9 += s20 * 470296
1185 s10 += s20 * 654183
1186 s11 -= s20 * 997805
1187 s12 += s20 * 136657
1188 s13 -= s20 * 683901
1189 s20 = 0
1190
1191 s7 += s19 * 666643
1192 s8 += s19 * 470296
1193 s9 += s19 * 654183
1194 s10 -= s19 * 997805
1195 s11 += s19 * 136657
1196 s12 -= s19 * 683901
1197 s19 = 0
1198
1199 s6 += s18 * 666643
1200 s7 += s18 * 470296
1201 s8 += s18 * 654183
1202 s9 -= s18 * 997805
1203 s10 += s18 * 136657
1204 s11 -= s18 * 683901
1205 s18 = 0
1206
1207 carry[6] = (s6 + (1 << 20)) >> 21
1208 s7 += carry[6]
1209 s6 -= carry[6] << 21
1210 carry[8] = (s8 + (1 << 20)) >> 21
1211 s9 += carry[8]
1212 s8 -= carry[8] << 21
1213 carry[10] = (s10 + (1 << 20)) >> 21
1214 s11 += carry[10]
1215 s10 -= carry[10] << 21
1216 carry[12] = (s12 + (1 << 20)) >> 21
1217 s13 += carry[12]
1218 s12 -= carry[12] << 21
1219 carry[14] = (s14 + (1 << 20)) >> 21
1220 s15 += carry[14]
1221 s14 -= carry[14] << 21
1222 carry[16] = (s16 + (1 << 20)) >> 21
1223 s17 += carry[16]
1224 s16 -= carry[16] << 21
1225
1226 carry[7] = (s7 + (1 << 20)) >> 21
1227 s8 += carry[7]
1228 s7 -= carry[7] << 21
1229 carry[9] = (s9 + (1 << 20)) >> 21
1230 s10 += carry[9]
1231 s9 -= carry[9] << 21
1232 carry[11] = (s11 + (1 << 20)) >> 21
1233 s12 += carry[11]
1234 s11 -= carry[11] << 21
1235 carry[13] = (s13 + (1 << 20)) >> 21
1236 s14 += carry[13]
1237 s13 -= carry[13] << 21
1238 carry[15] = (s15 + (1 << 20)) >> 21
1239 s16 += carry[15]
1240 s15 -= carry[15] << 21
1241
1242 s5 += s17 * 666643
1243 s6 += s17 * 470296
1244 s7 += s17 * 654183
1245 s8 -= s17 * 997805
1246 s9 += s17 * 136657
1247 s10 -= s17 * 683901
1248 s17 = 0
1249
1250 s4 += s16 * 666643
1251 s5 += s16 * 470296
1252 s6 += s16 * 654183
1253 s7 -= s16 * 997805
1254 s8 += s16 * 136657
1255 s9 -= s16 * 683901
1256 s16 = 0
1257
1258 s3 += s15 * 666643
1259 s4 += s15 * 470296
1260 s5 += s15 * 654183
1261 s6 -= s15 * 997805
1262 s7 += s15 * 136657
1263 s8 -= s15 * 683901
1264 s15 = 0
1265
1266 s2 += s14 * 666643
1267 s3 += s14 * 470296
1268 s4 += s14 * 654183
1269 s5 -= s14 * 997805
1270 s6 += s14 * 136657
1271 s7 -= s14 * 683901
1272 s14 = 0
1273
1274 s1 += s13 * 666643
1275 s2 += s13 * 470296
1276 s3 += s13 * 654183
1277 s4 -= s13 * 997805
1278 s5 += s13 * 136657
1279 s6 -= s13 * 683901
1280 s13 = 0
1281
1282 s0 += s12 * 666643
1283 s1 += s12 * 470296
1284 s2 += s12 * 654183
1285 s3 -= s12 * 997805
1286 s4 += s12 * 136657
1287 s5 -= s12 * 683901
1288 s12 = 0
1289
1290 carry[0] = (s0 + (1 << 20)) >> 21
1291 s1 += carry[0]
1292 s0 -= carry[0] << 21
1293 carry[2] = (s2 + (1 << 20)) >> 21
1294 s3 += carry[2]
1295 s2 -= carry[2] << 21
1296 carry[4] = (s4 + (1 << 20)) >> 21
1297 s5 += carry[4]
1298 s4 -= carry[4] << 21
1299 carry[6] = (s6 + (1 << 20)) >> 21
1300 s7 += carry[6]
1301 s6 -= carry[6] << 21
1302 carry[8] = (s8 + (1 << 20)) >> 21
1303 s9 += carry[8]
1304 s8 -= carry[8] << 21
1305 carry[10] = (s10 + (1 << 20)) >> 21
1306 s11 += carry[10]
1307 s10 -= carry[10] << 21
1308
1309 carry[1] = (s1 + (1 << 20)) >> 21
1310 s2 += carry[1]
1311 s1 -= carry[1] << 21
1312 carry[3] = (s3 + (1 << 20)) >> 21
1313 s4 += carry[3]
1314 s3 -= carry[3] << 21
1315 carry[5] = (s5 + (1 << 20)) >> 21
1316 s6 += carry[5]
1317 s5 -= carry[5] << 21
1318 carry[7] = (s7 + (1 << 20)) >> 21
1319 s8 += carry[7]
1320 s7 -= carry[7] << 21
1321 carry[9] = (s9 + (1 << 20)) >> 21
1322 s10 += carry[9]
1323 s9 -= carry[9] << 21
1324 carry[11] = (s11 + (1 << 20)) >> 21
1325 s12 += carry[11]
1326 s11 -= carry[11] << 21
1327
1328 s0 += s12 * 666643
1329 s1 += s12 * 470296
1330 s2 += s12 * 654183
1331 s3 -= s12 * 997805
1332 s4 += s12 * 136657
1333 s5 -= s12 * 683901
1334 s12 = 0
1335
1336 carry[0] = s0 >> 21
1337 s1 += carry[0]
1338 s0 -= carry[0] << 21
1339 carry[1] = s1 >> 21
1340 s2 += carry[1]
1341 s1 -= carry[1] << 21
1342 carry[2] = s2 >> 21
1343 s3 += carry[2]
1344 s2 -= carry[2] << 21
1345 carry[3] = s3 >> 21
1346 s4 += carry[3]
1347 s3 -= carry[3] << 21
1348 carry[4] = s4 >> 21
1349 s5 += carry[4]
1350 s4 -= carry[4] << 21
1351 carry[5] = s5 >> 21
1352 s6 += carry[5]
1353 s5 -= carry[5] << 21
1354 carry[6] = s6 >> 21
1355 s7 += carry[6]
1356 s6 -= carry[6] << 21
1357 carry[7] = s7 >> 21
1358 s8 += carry[7]
1359 s7 -= carry[7] << 21
1360 carry[8] = s8 >> 21
1361 s9 += carry[8]
1362 s8 -= carry[8] << 21
1363 carry[9] = s9 >> 21
1364 s10 += carry[9]
1365 s9 -= carry[9] << 21
1366 carry[10] = s10 >> 21
1367 s11 += carry[10]
1368 s10 -= carry[10] << 21
1369 carry[11] = s11 >> 21
1370 s12 += carry[11]
1371 s11 -= carry[11] << 21
1372
1373 s0 += s12 * 666643
1374 s1 += s12 * 470296
1375 s2 += s12 * 654183
1376 s3 -= s12 * 997805
1377 s4 += s12 * 136657
1378 s5 -= s12 * 683901
1379 s12 = 0
1380
1381 carry[0] = s0 >> 21
1382 s1 += carry[0]
1383 s0 -= carry[0] << 21
1384 carry[1] = s1 >> 21
1385 s2 += carry[1]
1386 s1 -= carry[1] << 21
1387 carry[2] = s2 >> 21
1388 s3 += carry[2]
1389 s2 -= carry[2] << 21
1390 carry[3] = s3 >> 21
1391 s4 += carry[3]
1392 s3 -= carry[3] << 21
1393 carry[4] = s4 >> 21
1394 s5 += carry[4]
1395 s4 -= carry[4] << 21
1396 carry[5] = s5 >> 21
1397 s6 += carry[5]
1398 s5 -= carry[5] << 21
1399 carry[6] = s6 >> 21
1400 s7 += carry[6]
1401 s6 -= carry[6] << 21
1402 carry[7] = s7 >> 21
1403 s8 += carry[7]
1404 s7 -= carry[7] << 21
1405 carry[8] = s8 >> 21
1406 s9 += carry[8]
1407 s8 -= carry[8] << 21
1408 carry[9] = s9 >> 21
1409 s10 += carry[9]
1410 s9 -= carry[9] << 21
1411 carry[10] = s10 >> 21
1412 s11 += carry[10]
1413 s10 -= carry[10] << 21
1414
1415 s[0] = byte(s0 >> 0)
1416 s[1] = byte(s0 >> 8)
1417 s[2] = byte((s0 >> 16) | (s1 << 5))
1418 s[3] = byte(s1 >> 3)
1419 s[4] = byte(s1 >> 11)
1420 s[5] = byte((s1 >> 19) | (s2 << 2))
1421 s[6] = byte(s2 >> 6)
1422 s[7] = byte((s2 >> 14) | (s3 << 7))
1423 s[8] = byte(s3 >> 1)
1424 s[9] = byte(s3 >> 9)
1425 s[10] = byte((s3 >> 17) | (s4 << 4))
1426 s[11] = byte(s4 >> 4)
1427 s[12] = byte(s4 >> 12)
1428 s[13] = byte((s4 >> 20) | (s5 << 1))
1429 s[14] = byte(s5 >> 7)
1430 s[15] = byte((s5 >> 15) | (s6 << 6))
1431 s[16] = byte(s6 >> 2)
1432 s[17] = byte(s6 >> 10)
1433 s[18] = byte((s6 >> 18) | (s7 << 3))
1434 s[19] = byte(s7 >> 5)
1435 s[20] = byte(s7 >> 13)
1436 s[21] = byte(s8 >> 0)
1437 s[22] = byte(s8 >> 8)
1438 s[23] = byte((s8 >> 16) | (s9 << 5))
1439 s[24] = byte(s9 >> 3)
1440 s[25] = byte(s9 >> 11)
1441 s[26] = byte((s9 >> 19) | (s10 << 2))
1442 s[27] = byte(s10 >> 6)
1443 s[28] = byte((s10 >> 14) | (s11 << 7))
1444 s[29] = byte(s11 >> 1)
1445 s[30] = byte(s11 >> 9)
1446 s[31] = byte(s11 >> 17)
1447}
1448
1449// Input:
1450// s[0]+256*s[1]+...+256^63*s[63] = s
1451//
1452// Output:
1453// s[0]+256*s[1]+...+256^31*s[31] = s mod l
1454// where l = 2^252 + 27742317777372353535851937790883648493.
1455func ScReduce(out *[32]byte, s *[64]byte) {
1456 s0 := 2097151 & load3(s[:])
1457 s1 := 2097151 & (load4(s[2:]) >> 5)
1458 s2 := 2097151 & (load3(s[5:]) >> 2)
1459 s3 := 2097151 & (load4(s[7:]) >> 7)
1460 s4 := 2097151 & (load4(s[10:]) >> 4)
1461 s5 := 2097151 & (load3(s[13:]) >> 1)
1462 s6 := 2097151 & (load4(s[15:]) >> 6)
1463 s7 := 2097151 & (load3(s[18:]) >> 3)
1464 s8 := 2097151 & load3(s[21:])
1465 s9 := 2097151 & (load4(s[23:]) >> 5)
1466 s10 := 2097151 & (load3(s[26:]) >> 2)
1467 s11 := 2097151 & (load4(s[28:]) >> 7)
1468 s12 := 2097151 & (load4(s[31:]) >> 4)
1469 s13 := 2097151 & (load3(s[34:]) >> 1)
1470 s14 := 2097151 & (load4(s[36:]) >> 6)
1471 s15 := 2097151 & (load3(s[39:]) >> 3)
1472 s16 := 2097151 & load3(s[42:])
1473 s17 := 2097151 & (load4(s[44:]) >> 5)
1474 s18 := 2097151 & (load3(s[47:]) >> 2)
1475 s19 := 2097151 & (load4(s[49:]) >> 7)
1476 s20 := 2097151 & (load4(s[52:]) >> 4)
1477 s21 := 2097151 & (load3(s[55:]) >> 1)
1478 s22 := 2097151 & (load4(s[57:]) >> 6)
1479 s23 := (load4(s[60:]) >> 3)
1480
1481 s11 += s23 * 666643
1482 s12 += s23 * 470296
1483 s13 += s23 * 654183
1484 s14 -= s23 * 997805
1485 s15 += s23 * 136657
1486 s16 -= s23 * 683901
1487 s23 = 0
1488
1489 s10 += s22 * 666643
1490 s11 += s22 * 470296
1491 s12 += s22 * 654183
1492 s13 -= s22 * 997805
1493 s14 += s22 * 136657
1494 s15 -= s22 * 683901
1495 s22 = 0
1496
1497 s9 += s21 * 666643
1498 s10 += s21 * 470296
1499 s11 += s21 * 654183
1500 s12 -= s21 * 997805
1501 s13 += s21 * 136657
1502 s14 -= s21 * 683901
1503 s21 = 0
1504
1505 s8 += s20 * 666643
1506 s9 += s20 * 470296
1507 s10 += s20 * 654183
1508 s11 -= s20 * 997805
1509 s12 += s20 * 136657
1510 s13 -= s20 * 683901
1511 s20 = 0
1512
1513 s7 += s19 * 666643
1514 s8 += s19 * 470296
1515 s9 += s19 * 654183
1516 s10 -= s19 * 997805
1517 s11 += s19 * 136657
1518 s12 -= s19 * 683901
1519 s19 = 0
1520
1521 s6 += s18 * 666643
1522 s7 += s18 * 470296
1523 s8 += s18 * 654183
1524 s9 -= s18 * 997805
1525 s10 += s18 * 136657
1526 s11 -= s18 * 683901
1527 s18 = 0
1528
1529 var carry [17]int64
1530
1531 carry[6] = (s6 + (1 << 20)) >> 21
1532 s7 += carry[6]
1533 s6 -= carry[6] << 21
1534 carry[8] = (s8 + (1 << 20)) >> 21
1535 s9 += carry[8]
1536 s8 -= carry[8] << 21
1537 carry[10] = (s10 + (1 << 20)) >> 21
1538 s11 += carry[10]
1539 s10 -= carry[10] << 21
1540 carry[12] = (s12 + (1 << 20)) >> 21
1541 s13 += carry[12]
1542 s12 -= carry[12] << 21
1543 carry[14] = (s14 + (1 << 20)) >> 21
1544 s15 += carry[14]
1545 s14 -= carry[14] << 21
1546 carry[16] = (s16 + (1 << 20)) >> 21
1547 s17 += carry[16]
1548 s16 -= carry[16] << 21
1549
1550 carry[7] = (s7 + (1 << 20)) >> 21
1551 s8 += carry[7]
1552 s7 -= carry[7] << 21
1553 carry[9] = (s9 + (1 << 20)) >> 21
1554 s10 += carry[9]
1555 s9 -= carry[9] << 21
1556 carry[11] = (s11 + (1 << 20)) >> 21
1557 s12 += carry[11]
1558 s11 -= carry[11] << 21
1559 carry[13] = (s13 + (1 << 20)) >> 21
1560 s14 += carry[13]
1561 s13 -= carry[13] << 21
1562 carry[15] = (s15 + (1 << 20)) >> 21
1563 s16 += carry[15]
1564 s15 -= carry[15] << 21
1565
1566 s5 += s17 * 666643
1567 s6 += s17 * 470296
1568 s7 += s17 * 654183
1569 s8 -= s17 * 997805
1570 s9 += s17 * 136657
1571 s10 -= s17 * 683901
1572 s17 = 0
1573
1574 s4 += s16 * 666643
1575 s5 += s16 * 470296
1576 s6 += s16 * 654183
1577 s7 -= s16 * 997805
1578 s8 += s16 * 136657
1579 s9 -= s16 * 683901
1580 s16 = 0
1581
1582 s3 += s15 * 666643
1583 s4 += s15 * 470296
1584 s5 += s15 * 654183
1585 s6 -= s15 * 997805
1586 s7 += s15 * 136657
1587 s8 -= s15 * 683901
1588 s15 = 0
1589
1590 s2 += s14 * 666643
1591 s3 += s14 * 470296
1592 s4 += s14 * 654183
1593 s5 -= s14 * 997805
1594 s6 += s14 * 136657
1595 s7 -= s14 * 683901
1596 s14 = 0
1597
1598 s1 += s13 * 666643
1599 s2 += s13 * 470296
1600 s3 += s13 * 654183
1601 s4 -= s13 * 997805
1602 s5 += s13 * 136657
1603 s6 -= s13 * 683901
1604 s13 = 0
1605
1606 s0 += s12 * 666643
1607 s1 += s12 * 470296
1608 s2 += s12 * 654183
1609 s3 -= s12 * 997805
1610 s4 += s12 * 136657
1611 s5 -= s12 * 683901
1612 s12 = 0
1613
1614 carry[0] = (s0 + (1 << 20)) >> 21
1615 s1 += carry[0]
1616 s0 -= carry[0] << 21
1617 carry[2] = (s2 + (1 << 20)) >> 21
1618 s3 += carry[2]
1619 s2 -= carry[2] << 21
1620 carry[4] = (s4 + (1 << 20)) >> 21
1621 s5 += carry[4]
1622 s4 -= carry[4] << 21
1623 carry[6] = (s6 + (1 << 20)) >> 21
1624 s7 += carry[6]
1625 s6 -= carry[6] << 21
1626 carry[8] = (s8 + (1 << 20)) >> 21
1627 s9 += carry[8]
1628 s8 -= carry[8] << 21
1629 carry[10] = (s10 + (1 << 20)) >> 21
1630 s11 += carry[10]
1631 s10 -= carry[10] << 21
1632
1633 carry[1] = (s1 + (1 << 20)) >> 21
1634 s2 += carry[1]
1635 s1 -= carry[1] << 21
1636 carry[3] = (s3 + (1 << 20)) >> 21
1637 s4 += carry[3]
1638 s3 -= carry[3] << 21
1639 carry[5] = (s5 + (1 << 20)) >> 21
1640 s6 += carry[5]
1641 s5 -= carry[5] << 21
1642 carry[7] = (s7 + (1 << 20)) >> 21
1643 s8 += carry[7]
1644 s7 -= carry[7] << 21
1645 carry[9] = (s9 + (1 << 20)) >> 21
1646 s10 += carry[9]
1647 s9 -= carry[9] << 21
1648 carry[11] = (s11 + (1 << 20)) >> 21
1649 s12 += carry[11]
1650 s11 -= carry[11] << 21
1651
1652 s0 += s12 * 666643
1653 s1 += s12 * 470296
1654 s2 += s12 * 654183
1655 s3 -= s12 * 997805
1656 s4 += s12 * 136657
1657 s5 -= s12 * 683901
1658 s12 = 0
1659
1660 carry[0] = s0 >> 21
1661 s1 += carry[0]
1662 s0 -= carry[0] << 21
1663 carry[1] = s1 >> 21
1664 s2 += carry[1]
1665 s1 -= carry[1] << 21
1666 carry[2] = s2 >> 21
1667 s3 += carry[2]
1668 s2 -= carry[2] << 21
1669 carry[3] = s3 >> 21
1670 s4 += carry[3]
1671 s3 -= carry[3] << 21
1672 carry[4] = s4 >> 21
1673 s5 += carry[4]
1674 s4 -= carry[4] << 21
1675 carry[5] = s5 >> 21
1676 s6 += carry[5]
1677 s5 -= carry[5] << 21
1678 carry[6] = s6 >> 21
1679 s7 += carry[6]
1680 s6 -= carry[6] << 21
1681 carry[7] = s7 >> 21
1682 s8 += carry[7]
1683 s7 -= carry[7] << 21
1684 carry[8] = s8 >> 21
1685 s9 += carry[8]
1686 s8 -= carry[8] << 21
1687 carry[9] = s9 >> 21
1688 s10 += carry[9]
1689 s9 -= carry[9] << 21
1690 carry[10] = s10 >> 21
1691 s11 += carry[10]
1692 s10 -= carry[10] << 21
1693 carry[11] = s11 >> 21
1694 s12 += carry[11]
1695 s11 -= carry[11] << 21
1696
1697 s0 += s12 * 666643
1698 s1 += s12 * 470296
1699 s2 += s12 * 654183
1700 s3 -= s12 * 997805
1701 s4 += s12 * 136657
1702 s5 -= s12 * 683901
1703 s12 = 0
1704
1705 carry[0] = s0 >> 21
1706 s1 += carry[0]
1707 s0 -= carry[0] << 21
1708 carry[1] = s1 >> 21
1709 s2 += carry[1]
1710 s1 -= carry[1] << 21
1711 carry[2] = s2 >> 21
1712 s3 += carry[2]
1713 s2 -= carry[2] << 21
1714 carry[3] = s3 >> 21
1715 s4 += carry[3]
1716 s3 -= carry[3] << 21
1717 carry[4] = s4 >> 21
1718 s5 += carry[4]
1719 s4 -= carry[4] << 21
1720 carry[5] = s5 >> 21
1721 s6 += carry[5]
1722 s5 -= carry[5] << 21
1723 carry[6] = s6 >> 21
1724 s7 += carry[6]
1725 s6 -= carry[6] << 21
1726 carry[7] = s7 >> 21
1727 s8 += carry[7]
1728 s7 -= carry[7] << 21
1729 carry[8] = s8 >> 21
1730 s9 += carry[8]
1731 s8 -= carry[8] << 21
1732 carry[9] = s9 >> 21
1733 s10 += carry[9]
1734 s9 -= carry[9] << 21
1735 carry[10] = s10 >> 21
1736 s11 += carry[10]
1737 s10 -= carry[10] << 21
1738
1739 out[0] = byte(s0 >> 0)
1740 out[1] = byte(s0 >> 8)
1741 out[2] = byte((s0 >> 16) | (s1 << 5))
1742 out[3] = byte(s1 >> 3)
1743 out[4] = byte(s1 >> 11)
1744 out[5] = byte((s1 >> 19) | (s2 << 2))
1745 out[6] = byte(s2 >> 6)
1746 out[7] = byte((s2 >> 14) | (s3 << 7))
1747 out[8] = byte(s3 >> 1)
1748 out[9] = byte(s3 >> 9)
1749 out[10] = byte((s3 >> 17) | (s4 << 4))
1750 out[11] = byte(s4 >> 4)
1751 out[12] = byte(s4 >> 12)
1752 out[13] = byte((s4 >> 20) | (s5 << 1))
1753 out[14] = byte(s5 >> 7)
1754 out[15] = byte((s5 >> 15) | (s6 << 6))
1755 out[16] = byte(s6 >> 2)
1756 out[17] = byte(s6 >> 10)
1757 out[18] = byte((s6 >> 18) | (s7 << 3))
1758 out[19] = byte(s7 >> 5)
1759 out[20] = byte(s7 >> 13)
1760 out[21] = byte(s8 >> 0)
1761 out[22] = byte(s8 >> 8)
1762 out[23] = byte((s8 >> 16) | (s9 << 5))
1763 out[24] = byte(s9 >> 3)
1764 out[25] = byte(s9 >> 11)
1765 out[26] = byte((s9 >> 19) | (s10 << 2))
1766 out[27] = byte(s10 >> 6)
1767 out[28] = byte((s10 >> 14) | (s11 << 7))
1768 out[29] = byte(s11 >> 1)
1769 out[30] = byte(s11 >> 9)
1770 out[31] = byte(s11 >> 17)
1771}
diff --git a/vendor/golang.org/x/crypto/ssh/buffer.go b/vendor/golang.org/x/crypto/ssh/buffer.go
deleted file mode 100644
index 6931b51..0000000
--- a/vendor/golang.org/x/crypto/ssh/buffer.go
+++ /dev/null
@@ -1,98 +0,0 @@
1// Copyright 2012 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7import (
8 "io"
9 "sync"
10)
11
12// buffer provides a linked list buffer for data exchange
13// between producer and consumer. Theoretically the buffer is
14// of unlimited capacity as it does no allocation of its own.
15type buffer struct {
16 // protects concurrent access to head, tail and closed
17 *sync.Cond
18
19 head *element // the buffer that will be read first
20 tail *element // the buffer that will be read last
21
22 closed bool
23}
24
25// An element represents a single link in a linked list.
26type element struct {
27 buf []byte
28 next *element
29}
30
31// newBuffer returns an empty buffer that is not closed.
32func newBuffer() *buffer {
33 e := new(element)
34 b := &buffer{
35 Cond: newCond(),
36 head: e,
37 tail: e,
38 }
39 return b
40}
41
42// write makes buf available for Read to receive.
43// buf must not be modified after the call to write.
44func (b *buffer) write(buf []byte) {
45 b.Cond.L.Lock()
46 e := &element{buf: buf}
47 b.tail.next = e
48 b.tail = e
49 b.Cond.Signal()
50 b.Cond.L.Unlock()
51}
52
53// eof closes the buffer. Reads from the buffer once all
54// the data has been consumed will receive os.EOF.
55func (b *buffer) eof() error {
56 b.Cond.L.Lock()
57 b.closed = true
58 b.Cond.Signal()
59 b.Cond.L.Unlock()
60 return nil
61}
62
63// Read reads data from the internal buffer in buf. Reads will block
64// if no data is available, or until the buffer is closed.
65func (b *buffer) Read(buf []byte) (n int, err error) {
66 b.Cond.L.Lock()
67 defer b.Cond.L.Unlock()
68
69 for len(buf) > 0 {
70 // if there is data in b.head, copy it
71 if len(b.head.buf) > 0 {
72 r := copy(buf, b.head.buf)
73 buf, b.head.buf = buf[r:], b.head.buf[r:]
74 n += r
75 continue
76 }
77 // if there is a next buffer, make it the head
78 if len(b.head.buf) == 0 && b.head != b.tail {
79 b.head = b.head.next
80 continue
81 }
82
83 // if at least one byte has been copied, return
84 if n > 0 {
85 break
86 }
87
88 // if nothing was read, and there is nothing outstanding
89 // check to see if the buffer is closed.
90 if b.closed {
91 err = io.EOF
92 break
93 }
94 // out of buffers, wait for producer
95 b.Cond.Wait()
96 }
97 return
98}
diff --git a/vendor/golang.org/x/crypto/ssh/certs.go b/vendor/golang.org/x/crypto/ssh/certs.go
deleted file mode 100644
index 6331c94..0000000
--- a/vendor/golang.org/x/crypto/ssh/certs.go
+++ /dev/null
@@ -1,503 +0,0 @@
1// Copyright 2012 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7import (
8 "bytes"
9 "errors"
10 "fmt"
11 "io"
12 "net"
13 "sort"
14 "time"
15)
16
17// These constants from [PROTOCOL.certkeys] represent the algorithm names
18// for certificate types supported by this package.
19const (
20 CertAlgoRSAv01 = "ssh-rsa-cert-v01@openssh.com"
21 CertAlgoDSAv01 = "ssh-dss-cert-v01@openssh.com"
22 CertAlgoECDSA256v01 = "ecdsa-sha2-nistp256-cert-v01@openssh.com"
23 CertAlgoECDSA384v01 = "ecdsa-sha2-nistp384-cert-v01@openssh.com"
24 CertAlgoECDSA521v01 = "ecdsa-sha2-nistp521-cert-v01@openssh.com"
25 CertAlgoED25519v01 = "ssh-ed25519-cert-v01@openssh.com"
26)
27
28// Certificate types distinguish between host and user
29// certificates. The values can be set in the CertType field of
30// Certificate.
31const (
32 UserCert = 1
33 HostCert = 2
34)
35
36// Signature represents a cryptographic signature.
37type Signature struct {
38 Format string
39 Blob []byte
40}
41
42// CertTimeInfinity can be used for OpenSSHCertV01.ValidBefore to indicate that
43// a certificate does not expire.
44const CertTimeInfinity = 1<<64 - 1
45
46// An Certificate represents an OpenSSH certificate as defined in
47// [PROTOCOL.certkeys]?rev=1.8.
48type Certificate struct {
49 Nonce []byte
50 Key PublicKey
51 Serial uint64
52 CertType uint32
53 KeyId string
54 ValidPrincipals []string
55 ValidAfter uint64
56 ValidBefore uint64
57 Permissions
58 Reserved []byte
59 SignatureKey PublicKey
60 Signature *Signature
61}
62
63// genericCertData holds the key-independent part of the certificate data.
64// Overall, certificates contain an nonce, public key fields and
65// key-independent fields.
66type genericCertData struct {
67 Serial uint64
68 CertType uint32
69 KeyId string
70 ValidPrincipals []byte
71 ValidAfter uint64
72 ValidBefore uint64
73 CriticalOptions []byte
74 Extensions []byte
75 Reserved []byte
76 SignatureKey []byte
77 Signature []byte
78}
79
80func marshalStringList(namelist []string) []byte {
81 var to []byte
82 for _, name := range namelist {
83 s := struct{ N string }{name}
84 to = append(to, Marshal(&s)...)
85 }
86 return to
87}
88
89type optionsTuple struct {
90 Key string
91 Value []byte
92}
93
94type optionsTupleValue struct {
95 Value string
96}
97
98// serialize a map of critical options or extensions
99// issue #10569 - per [PROTOCOL.certkeys] and SSH implementation,
100// we need two length prefixes for a non-empty string value
101func marshalTuples(tups map[string]string) []byte {
102 keys := make([]string, 0, len(tups))
103 for key := range tups {
104 keys = append(keys, key)
105 }
106 sort.Strings(keys)
107
108 var ret []byte
109 for _, key := range keys {
110 s := optionsTuple{Key: key}
111 if value := tups[key]; len(value) > 0 {
112 s.Value = Marshal(&optionsTupleValue{value})
113 }
114 ret = append(ret, Marshal(&s)...)
115 }
116 return ret
117}
118
119// issue #10569 - per [PROTOCOL.certkeys] and SSH implementation,
120// we need two length prefixes for a non-empty option value
121func parseTuples(in []byte) (map[string]string, error) {
122 tups := map[string]string{}
123 var lastKey string
124 var haveLastKey bool
125
126 for len(in) > 0 {
127 var key, val, extra []byte
128 var ok bool
129
130 if key, in, ok = parseString(in); !ok {
131 return nil, errShortRead
132 }
133 keyStr := string(key)
134 // according to [PROTOCOL.certkeys], the names must be in
135 // lexical order.
136 if haveLastKey && keyStr <= lastKey {
137 return nil, fmt.Errorf("ssh: certificate options are not in lexical order")
138 }
139 lastKey, haveLastKey = keyStr, true
140 // the next field is a data field, which if non-empty has a string embedded
141 if val, in, ok = parseString(in); !ok {
142 return nil, errShortRead
143 }
144 if len(val) > 0 {
145 val, extra, ok = parseString(val)
146 if !ok {
147 return nil, errShortRead
148 }
149 if len(extra) > 0 {
150 return nil, fmt.Errorf("ssh: unexpected trailing data after certificate option value")
151 }
152 tups[keyStr] = string(val)
153 } else {
154 tups[keyStr] = ""
155 }
156 }
157 return tups, nil
158}
159
160func parseCert(in []byte, privAlgo string) (*Certificate, error) {
161 nonce, rest, ok := parseString(in)
162 if !ok {
163 return nil, errShortRead
164 }
165
166 key, rest, err := parsePubKey(rest, privAlgo)
167 if err != nil {
168 return nil, err
169 }
170
171 var g genericCertData
172 if err := Unmarshal(rest, &g); err != nil {
173 return nil, err
174 }
175
176 c := &Certificate{
177 Nonce: nonce,
178 Key: key,
179 Serial: g.Serial,
180 CertType: g.CertType,
181 KeyId: g.KeyId,
182 ValidAfter: g.ValidAfter,
183 ValidBefore: g.ValidBefore,
184 }
185
186 for principals := g.ValidPrincipals; len(principals) > 0; {
187 principal, rest, ok := parseString(principals)
188 if !ok {
189 return nil, errShortRead
190 }
191 c.ValidPrincipals = append(c.ValidPrincipals, string(principal))
192 principals = rest
193 }
194
195 c.CriticalOptions, err = parseTuples(g.CriticalOptions)
196 if err != nil {
197 return nil, err
198 }
199 c.Extensions, err = parseTuples(g.Extensions)
200 if err != nil {
201 return nil, err
202 }
203 c.Reserved = g.Reserved
204 k, err := ParsePublicKey(g.SignatureKey)
205 if err != nil {
206 return nil, err
207 }
208
209 c.SignatureKey = k
210 c.Signature, rest, ok = parseSignatureBody(g.Signature)
211 if !ok || len(rest) > 0 {
212 return nil, errors.New("ssh: signature parse error")
213 }
214
215 return c, nil
216}
217
218type openSSHCertSigner struct {
219 pub *Certificate
220 signer Signer
221}
222
223// NewCertSigner returns a Signer that signs with the given Certificate, whose
224// private key is held by signer. It returns an error if the public key in cert
225// doesn't match the key used by signer.
226func NewCertSigner(cert *Certificate, signer Signer) (Signer, error) {
227 if bytes.Compare(cert.Key.Marshal(), signer.PublicKey().Marshal()) != 0 {
228 return nil, errors.New("ssh: signer and cert have different public key")
229 }
230
231 return &openSSHCertSigner{cert, signer}, nil
232}
233
234func (s *openSSHCertSigner) Sign(rand io.Reader, data []byte) (*Signature, error) {
235 return s.signer.Sign(rand, data)
236}
237
238func (s *openSSHCertSigner) PublicKey() PublicKey {
239 return s.pub
240}
241
242const sourceAddressCriticalOption = "source-address"
243
244// CertChecker does the work of verifying a certificate. Its methods
245// can be plugged into ClientConfig.HostKeyCallback and
246// ServerConfig.PublicKeyCallback. For the CertChecker to work,
247// minimally, the IsAuthority callback should be set.
248type CertChecker struct {
249 // SupportedCriticalOptions lists the CriticalOptions that the
250 // server application layer understands. These are only used
251 // for user certificates.
252 SupportedCriticalOptions []string
253
254 // IsAuthority should return true if the key is recognized as
255 // an authority. This allows for certificates to be signed by other
256 // certificates.
257 IsAuthority func(auth PublicKey) bool
258
259 // Clock is used for verifying time stamps. If nil, time.Now
260 // is used.
261 Clock func() time.Time
262
263 // UserKeyFallback is called when CertChecker.Authenticate encounters a
264 // public key that is not a certificate. It must implement validation
265 // of user keys or else, if nil, all such keys are rejected.
266 UserKeyFallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
267
268 // HostKeyFallback is called when CertChecker.CheckHostKey encounters a
269 // public key that is not a certificate. It must implement host key
270 // validation or else, if nil, all such keys are rejected.
271 HostKeyFallback func(addr string, remote net.Addr, key PublicKey) error
272
273 // IsRevoked is called for each certificate so that revocation checking
274 // can be implemented. It should return true if the given certificate
275 // is revoked and false otherwise. If nil, no certificates are
276 // considered to have been revoked.
277 IsRevoked func(cert *Certificate) bool
278}
279
280// CheckHostKey checks a host key certificate. This method can be
281// plugged into ClientConfig.HostKeyCallback.
282func (c *CertChecker) CheckHostKey(addr string, remote net.Addr, key PublicKey) error {
283 cert, ok := key.(*Certificate)
284 if !ok {
285 if c.HostKeyFallback != nil {
286 return c.HostKeyFallback(addr, remote, key)
287 }
288 return errors.New("ssh: non-certificate host key")
289 }
290 if cert.CertType != HostCert {
291 return fmt.Errorf("ssh: certificate presented as a host key has type %d", cert.CertType)
292 }
293
294 return c.CheckCert(addr, cert)
295}
296
297// Authenticate checks a user certificate. Authenticate can be used as
298// a value for ServerConfig.PublicKeyCallback.
299func (c *CertChecker) Authenticate(conn ConnMetadata, pubKey PublicKey) (*Permissions, error) {
300 cert, ok := pubKey.(*Certificate)
301 if !ok {
302 if c.UserKeyFallback != nil {
303 return c.UserKeyFallback(conn, pubKey)
304 }
305 return nil, errors.New("ssh: normal key pairs not accepted")
306 }
307
308 if cert.CertType != UserCert {
309 return nil, fmt.Errorf("ssh: cert has type %d", cert.CertType)
310 }
311
312 if err := c.CheckCert(conn.User(), cert); err != nil {
313 return nil, err
314 }
315
316 return &cert.Permissions, nil
317}
318
319// CheckCert checks CriticalOptions, ValidPrincipals, revocation, timestamp and
320// the signature of the certificate.
321func (c *CertChecker) CheckCert(principal string, cert *Certificate) error {
322 if c.IsRevoked != nil && c.IsRevoked(cert) {
323 return fmt.Errorf("ssh: certicate serial %d revoked", cert.Serial)
324 }
325
326 for opt, _ := range cert.CriticalOptions {
327 // sourceAddressCriticalOption will be enforced by
328 // serverAuthenticate
329 if opt == sourceAddressCriticalOption {
330 continue
331 }
332
333 found := false
334 for _, supp := range c.SupportedCriticalOptions {
335 if supp == opt {
336 found = true
337 break
338 }
339 }
340 if !found {
341 return fmt.Errorf("ssh: unsupported critical option %q in certificate", opt)
342 }
343 }
344
345 if len(cert.ValidPrincipals) > 0 {
346 // By default, certs are valid for all users/hosts.
347 found := false
348 for _, p := range cert.ValidPrincipals {
349 if p == principal {
350 found = true
351 break
352 }
353 }
354 if !found {
355 return fmt.Errorf("ssh: principal %q not in the set of valid principals for given certificate: %q", principal, cert.ValidPrincipals)
356 }
357 }
358
359 if !c.IsAuthority(cert.SignatureKey) {
360 return fmt.Errorf("ssh: certificate signed by unrecognized authority")
361 }
362
363 clock := c.Clock
364 if clock == nil {
365 clock = time.Now
366 }
367
368 unixNow := clock().Unix()
369 if after := int64(cert.ValidAfter); after < 0 || unixNow < int64(cert.ValidAfter) {
370 return fmt.Errorf("ssh: cert is not yet valid")
371 }
372 if before := int64(cert.ValidBefore); cert.ValidBefore != uint64(CertTimeInfinity) && (unixNow >= before || before < 0) {
373 return fmt.Errorf("ssh: cert has expired")
374 }
375 if err := cert.SignatureKey.Verify(cert.bytesForSigning(), cert.Signature); err != nil {
376 return fmt.Errorf("ssh: certificate signature does not verify")
377 }
378
379 return nil
380}
381
382// SignCert sets c.SignatureKey to the authority's public key and stores a
383// Signature, by authority, in the certificate.
384func (c *Certificate) SignCert(rand io.Reader, authority Signer) error {
385 c.Nonce = make([]byte, 32)
386 if _, err := io.ReadFull(rand, c.Nonce); err != nil {
387 return err
388 }
389 c.SignatureKey = authority.PublicKey()
390
391 sig, err := authority.Sign(rand, c.bytesForSigning())
392 if err != nil {
393 return err
394 }
395 c.Signature = sig
396 return nil
397}
398
399var certAlgoNames = map[string]string{
400 KeyAlgoRSA: CertAlgoRSAv01,
401 KeyAlgoDSA: CertAlgoDSAv01,
402 KeyAlgoECDSA256: CertAlgoECDSA256v01,
403 KeyAlgoECDSA384: CertAlgoECDSA384v01,
404 KeyAlgoECDSA521: CertAlgoECDSA521v01,
405 KeyAlgoED25519: CertAlgoED25519v01,
406}
407
408// certToPrivAlgo returns the underlying algorithm for a certificate algorithm.
409// Panics if a non-certificate algorithm is passed.
410func certToPrivAlgo(algo string) string {
411 for privAlgo, pubAlgo := range certAlgoNames {
412 if pubAlgo == algo {
413 return privAlgo
414 }
415 }
416 panic("unknown cert algorithm")
417}
418
419func (cert *Certificate) bytesForSigning() []byte {
420 c2 := *cert
421 c2.Signature = nil
422 out := c2.Marshal()
423 // Drop trailing signature length.
424 return out[:len(out)-4]
425}
426
427// Marshal serializes c into OpenSSH's wire format. It is part of the
428// PublicKey interface.
429func (c *Certificate) Marshal() []byte {
430 generic := genericCertData{
431 Serial: c.Serial,
432 CertType: c.CertType,
433 KeyId: c.KeyId,
434 ValidPrincipals: marshalStringList(c.ValidPrincipals),
435 ValidAfter: uint64(c.ValidAfter),
436 ValidBefore: uint64(c.ValidBefore),
437 CriticalOptions: marshalTuples(c.CriticalOptions),
438 Extensions: marshalTuples(c.Extensions),
439 Reserved: c.Reserved,
440 SignatureKey: c.SignatureKey.Marshal(),
441 }
442 if c.Signature != nil {
443 generic.Signature = Marshal(c.Signature)
444 }
445 genericBytes := Marshal(&generic)
446 keyBytes := c.Key.Marshal()
447 _, keyBytes, _ = parseString(keyBytes)
448 prefix := Marshal(&struct {
449 Name string
450 Nonce []byte
451 Key []byte `ssh:"rest"`
452 }{c.Type(), c.Nonce, keyBytes})
453
454 result := make([]byte, 0, len(prefix)+len(genericBytes))
455 result = append(result, prefix...)
456 result = append(result, genericBytes...)
457 return result
458}
459
460// Type returns the key name. It is part of the PublicKey interface.
461func (c *Certificate) Type() string {
462 algo, ok := certAlgoNames[c.Key.Type()]
463 if !ok {
464 panic("unknown cert key type " + c.Key.Type())
465 }
466 return algo
467}
468
469// Verify verifies a signature against the certificate's public
470// key. It is part of the PublicKey interface.
471func (c *Certificate) Verify(data []byte, sig *Signature) error {
472 return c.Key.Verify(data, sig)
473}
474
475func parseSignatureBody(in []byte) (out *Signature, rest []byte, ok bool) {
476 format, in, ok := parseString(in)
477 if !ok {
478 return
479 }
480
481 out = &Signature{
482 Format: string(format),
483 }
484
485 if out.Blob, in, ok = parseString(in); !ok {
486 return
487 }
488
489 return out, in, ok
490}
491
492func parseSignature(in []byte) (out *Signature, rest []byte, ok bool) {
493 sigBytes, rest, ok := parseString(in)
494 if !ok {
495 return
496 }
497
498 out, trailing, ok := parseSignatureBody(sigBytes)
499 if !ok || len(trailing) > 0 {
500 return nil, nil, false
501 }
502 return
503}
diff --git a/vendor/golang.org/x/crypto/ssh/channel.go b/vendor/golang.org/x/crypto/ssh/channel.go
deleted file mode 100644
index 195530e..0000000
--- a/vendor/golang.org/x/crypto/ssh/channel.go
+++ /dev/null
@@ -1,633 +0,0 @@
1// Copyright 2011 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7import (
8 "encoding/binary"
9 "errors"
10 "fmt"
11 "io"
12 "log"
13 "sync"
14)
15
16const (
17 minPacketLength = 9
18 // channelMaxPacket contains the maximum number of bytes that will be
19 // sent in a single packet. As per RFC 4253, section 6.1, 32k is also
20 // the minimum.
21 channelMaxPacket = 1 << 15
22 // We follow OpenSSH here.
23 channelWindowSize = 64 * channelMaxPacket
24)
25
26// NewChannel represents an incoming request to a channel. It must either be
27// accepted for use by calling Accept, or rejected by calling Reject.
28type NewChannel interface {
29 // Accept accepts the channel creation request. It returns the Channel
30 // and a Go channel containing SSH requests. The Go channel must be
31 // serviced otherwise the Channel will hang.
32 Accept() (Channel, <-chan *Request, error)
33
34 // Reject rejects the channel creation request. After calling
35 // this, no other methods on the Channel may be called.
36 Reject(reason RejectionReason, message string) error
37
38 // ChannelType returns the type of the channel, as supplied by the
39 // client.
40 ChannelType() string
41
42 // ExtraData returns the arbitrary payload for this channel, as supplied
43 // by the client. This data is specific to the channel type.
44 ExtraData() []byte
45}
46
47// A Channel is an ordered, reliable, flow-controlled, duplex stream
48// that is multiplexed over an SSH connection.
49type Channel interface {
50 // Read reads up to len(data) bytes from the channel.
51 Read(data []byte) (int, error)
52
53 // Write writes len(data) bytes to the channel.
54 Write(data []byte) (int, error)
55
56 // Close signals end of channel use. No data may be sent after this
57 // call.
58 Close() error
59
60 // CloseWrite signals the end of sending in-band
61 // data. Requests may still be sent, and the other side may
62 // still send data
63 CloseWrite() error
64
65 // SendRequest sends a channel request. If wantReply is true,
66 // it will wait for a reply and return the result as a
67 // boolean, otherwise the return value will be false. Channel
68 // requests are out-of-band messages so they may be sent even
69 // if the data stream is closed or blocked by flow control.
70 // If the channel is closed before a reply is returned, io.EOF
71 // is returned.
72 SendRequest(name string, wantReply bool, payload []byte) (bool, error)
73
74 // Stderr returns an io.ReadWriter that writes to this channel
75 // with the extended data type set to stderr. Stderr may
76 // safely be read and written from a different goroutine than
77 // Read and Write respectively.
78 Stderr() io.ReadWriter
79}
80
81// Request is a request sent outside of the normal stream of
82// data. Requests can either be specific to an SSH channel, or they
83// can be global.
84type Request struct {
85 Type string
86 WantReply bool
87 Payload []byte
88
89 ch *channel
90 mux *mux
91}
92
93// Reply sends a response to a request. It must be called for all requests
94// where WantReply is true and is a no-op otherwise. The payload argument is
95// ignored for replies to channel-specific requests.
96func (r *Request) Reply(ok bool, payload []byte) error {
97 if !r.WantReply {
98 return nil
99 }
100
101 if r.ch == nil {
102 return r.mux.ackRequest(ok, payload)
103 }
104
105 return r.ch.ackRequest(ok)
106}
107
108// RejectionReason is an enumeration used when rejecting channel creation
109// requests. See RFC 4254, section 5.1.
110type RejectionReason uint32
111
112const (
113 Prohibited RejectionReason = iota + 1
114 ConnectionFailed
115 UnknownChannelType
116 ResourceShortage
117)
118
119// String converts the rejection reason to human readable form.
120func (r RejectionReason) String() string {
121 switch r {
122 case Prohibited:
123 return "administratively prohibited"
124 case ConnectionFailed:
125 return "connect failed"
126 case UnknownChannelType:
127 return "unknown channel type"
128 case ResourceShortage:
129 return "resource shortage"
130 }
131 return fmt.Sprintf("unknown reason %d", int(r))
132}
133
134func min(a uint32, b int) uint32 {
135 if a < uint32(b) {
136 return a
137 }
138 return uint32(b)
139}
140
141type channelDirection uint8
142
143const (
144 channelInbound channelDirection = iota
145 channelOutbound
146)
147
148// channel is an implementation of the Channel interface that works
149// with the mux class.
150type channel struct {
151 // R/O after creation
152 chanType string
153 extraData []byte
154 localId, remoteId uint32
155
156 // maxIncomingPayload and maxRemotePayload are the maximum
157 // payload sizes of normal and extended data packets for
158 // receiving and sending, respectively. The wire packet will
159 // be 9 or 13 bytes larger (excluding encryption overhead).
160 maxIncomingPayload uint32
161 maxRemotePayload uint32
162
163 mux *mux
164
165 // decided is set to true if an accept or reject message has been sent
166 // (for outbound channels) or received (for inbound channels).
167 decided bool
168
169 // direction contains either channelOutbound, for channels created
170 // locally, or channelInbound, for channels created by the peer.
171 direction channelDirection
172
173 // Pending internal channel messages.
174 msg chan interface{}
175
176 // Since requests have no ID, there can be only one request
177 // with WantReply=true outstanding. This lock is held by a
178 // goroutine that has such an outgoing request pending.
179 sentRequestMu sync.Mutex
180
181 incomingRequests chan *Request
182
183 sentEOF bool
184
185 // thread-safe data
186 remoteWin window
187 pending *buffer
188 extPending *buffer
189
190 // windowMu protects myWindow, the flow-control window.
191 windowMu sync.Mutex
192 myWindow uint32
193
194 // writeMu serializes calls to mux.conn.writePacket() and
195 // protects sentClose and packetPool. This mutex must be
196 // different from windowMu, as writePacket can block if there
197 // is a key exchange pending.
198 writeMu sync.Mutex
199 sentClose bool
200
201 // packetPool has a buffer for each extended channel ID to
202 // save allocations during writes.
203 packetPool map[uint32][]byte
204}
205
206// writePacket sends a packet. If the packet is a channel close, it updates
207// sentClose. This method takes the lock c.writeMu.
208func (c *channel) writePacket(packet []byte) error {
209 c.writeMu.Lock()
210 if c.sentClose {
211 c.writeMu.Unlock()
212 return io.EOF
213 }
214 c.sentClose = (packet[0] == msgChannelClose)
215 err := c.mux.conn.writePacket(packet)
216 c.writeMu.Unlock()
217 return err
218}
219
220func (c *channel) sendMessage(msg interface{}) error {
221 if debugMux {
222 log.Printf("send(%d): %#v", c.mux.chanList.offset, msg)
223 }
224
225 p := Marshal(msg)
226 binary.BigEndian.PutUint32(p[1:], c.remoteId)
227 return c.writePacket(p)
228}
229
230// WriteExtended writes data to a specific extended stream. These streams are
231// used, for example, for stderr.
232func (c *channel) WriteExtended(data []byte, extendedCode uint32) (n int, err error) {
233 if c.sentEOF {
234 return 0, io.EOF
235 }
236 // 1 byte message type, 4 bytes remoteId, 4 bytes data length
237 opCode := byte(msgChannelData)
238 headerLength := uint32(9)
239 if extendedCode > 0 {
240 headerLength += 4
241 opCode = msgChannelExtendedData
242 }
243
244 c.writeMu.Lock()
245 packet := c.packetPool[extendedCode]
246 // We don't remove the buffer from packetPool, so
247 // WriteExtended calls from different goroutines will be
248 // flagged as errors by the race detector.
249 c.writeMu.Unlock()
250
251 for len(data) > 0 {
252 space := min(c.maxRemotePayload, len(data))
253 if space, err = c.remoteWin.reserve(space); err != nil {
254 return n, err
255 }
256 if want := headerLength + space; uint32(cap(packet)) < want {
257 packet = make([]byte, want)
258 } else {
259 packet = packet[:want]
260 }
261
262 todo := data[:space]
263
264 packet[0] = opCode
265 binary.BigEndian.PutUint32(packet[1:], c.remoteId)
266 if extendedCode > 0 {
267 binary.BigEndian.PutUint32(packet[5:], uint32(extendedCode))
268 }
269 binary.BigEndian.PutUint32(packet[headerLength-4:], uint32(len(todo)))
270 copy(packet[headerLength:], todo)
271 if err = c.writePacket(packet); err != nil {
272 return n, err
273 }
274
275 n += len(todo)
276 data = data[len(todo):]
277 }
278
279 c.writeMu.Lock()
280 c.packetPool[extendedCode] = packet
281 c.writeMu.Unlock()
282
283 return n, err
284}
285
286func (c *channel) handleData(packet []byte) error {
287 headerLen := 9
288 isExtendedData := packet[0] == msgChannelExtendedData
289 if isExtendedData {
290 headerLen = 13
291 }
292 if len(packet) < headerLen {
293 // malformed data packet
294 return parseError(packet[0])
295 }
296
297 var extended uint32
298 if isExtendedData {
299 extended = binary.BigEndian.Uint32(packet[5:])
300 }
301
302 length := binary.BigEndian.Uint32(packet[headerLen-4 : headerLen])
303 if length == 0 {
304 return nil
305 }
306 if length > c.maxIncomingPayload {
307 // TODO(hanwen): should send Disconnect?
308 return errors.New("ssh: incoming packet exceeds maximum payload size")
309 }
310
311 data := packet[headerLen:]
312 if length != uint32(len(data)) {
313 return errors.New("ssh: wrong packet length")
314 }
315
316 c.windowMu.Lock()
317 if c.myWindow < length {
318 c.windowMu.Unlock()
319 // TODO(hanwen): should send Disconnect with reason?
320 return errors.New("ssh: remote side wrote too much")
321 }
322 c.myWindow -= length
323 c.windowMu.Unlock()
324
325 if extended == 1 {
326 c.extPending.write(data)
327 } else if extended > 0 {
328 // discard other extended data.
329 } else {
330 c.pending.write(data)
331 }
332 return nil
333}
334
335func (c *channel) adjustWindow(n uint32) error {
336 c.windowMu.Lock()
337 // Since myWindow is managed on our side, and can never exceed
338 // the initial window setting, we don't worry about overflow.
339 c.myWindow += uint32(n)
340 c.windowMu.Unlock()
341 return c.sendMessage(windowAdjustMsg{
342 AdditionalBytes: uint32(n),
343 })
344}
345
346func (c *channel) ReadExtended(data []byte, extended uint32) (n int, err error) {
347 switch extended {
348 case 1:
349 n, err = c.extPending.Read(data)
350 case 0:
351 n, err = c.pending.Read(data)
352 default:
353 return 0, fmt.Errorf("ssh: extended code %d unimplemented", extended)
354 }
355
356 if n > 0 {
357 err = c.adjustWindow(uint32(n))
358 // sendWindowAdjust can return io.EOF if the remote
359 // peer has closed the connection, however we want to
360 // defer forwarding io.EOF to the caller of Read until
361 // the buffer has been drained.
362 if n > 0 && err == io.EOF {
363 err = nil
364 }
365 }
366
367 return n, err
368}
369
370func (c *channel) close() {
371 c.pending.eof()
372 c.extPending.eof()
373 close(c.msg)
374 close(c.incomingRequests)
375 c.writeMu.Lock()
376 // This is not necessary for a normal channel teardown, but if
377 // there was another error, it is.
378 c.sentClose = true
379 c.writeMu.Unlock()
380 // Unblock writers.
381 c.remoteWin.close()
382}
383
384// responseMessageReceived is called when a success or failure message is
385// received on a channel to check that such a message is reasonable for the
386// given channel.
387func (c *channel) responseMessageReceived() error {
388 if c.direction == channelInbound {
389 return errors.New("ssh: channel response message received on inbound channel")
390 }
391 if c.decided {
392 return errors.New("ssh: duplicate response received for channel")
393 }
394 c.decided = true
395 return nil
396}
397
398func (c *channel) handlePacket(packet []byte) error {
399 switch packet[0] {
400 case msgChannelData, msgChannelExtendedData:
401 return c.handleData(packet)
402 case msgChannelClose:
403 c.sendMessage(channelCloseMsg{PeersId: c.remoteId})
404 c.mux.chanList.remove(c.localId)
405 c.close()
406 return nil
407 case msgChannelEOF:
408 // RFC 4254 is mute on how EOF affects dataExt messages but
409 // it is logical to signal EOF at the same time.
410 c.extPending.eof()
411 c.pending.eof()
412 return nil
413 }
414
415 decoded, err := decode(packet)
416 if err != nil {
417 return err
418 }
419
420 switch msg := decoded.(type) {
421 case *channelOpenFailureMsg:
422 if err := c.responseMessageReceived(); err != nil {
423 return err
424 }
425 c.mux.chanList.remove(msg.PeersId)
426 c.msg <- msg
427 case *channelOpenConfirmMsg:
428 if err := c.responseMessageReceived(); err != nil {
429 return err
430 }
431 if msg.MaxPacketSize < minPacketLength || msg.MaxPacketSize > 1<<31 {
432 return fmt.Errorf("ssh: invalid MaxPacketSize %d from peer", msg.MaxPacketSize)
433 }
434 c.remoteId = msg.MyId
435 c.maxRemotePayload = msg.MaxPacketSize
436 c.remoteWin.add(msg.MyWindow)
437 c.msg <- msg
438 case *windowAdjustMsg:
439 if !c.remoteWin.add(msg.AdditionalBytes) {
440 return fmt.Errorf("ssh: invalid window update for %d bytes", msg.AdditionalBytes)
441 }
442 case *channelRequestMsg:
443 req := Request{
444 Type: msg.Request,
445 WantReply: msg.WantReply,
446 Payload: msg.RequestSpecificData,
447 ch: c,
448 }
449
450 c.incomingRequests <- &req
451 default:
452 c.msg <- msg
453 }
454 return nil
455}
456
457func (m *mux) newChannel(chanType string, direction channelDirection, extraData []byte) *channel {
458 ch := &channel{
459 remoteWin: window{Cond: newCond()},
460 myWindow: channelWindowSize,
461 pending: newBuffer(),
462 extPending: newBuffer(),
463 direction: direction,
464 incomingRequests: make(chan *Request, chanSize),
465 msg: make(chan interface{}, chanSize),
466 chanType: chanType,
467 extraData: extraData,
468 mux: m,
469 packetPool: make(map[uint32][]byte),
470 }
471 ch.localId = m.chanList.add(ch)
472 return ch
473}
474
475var errUndecided = errors.New("ssh: must Accept or Reject channel")
476var errDecidedAlready = errors.New("ssh: can call Accept or Reject only once")
477
478type extChannel struct {
479 code uint32
480 ch *channel
481}
482
483func (e *extChannel) Write(data []byte) (n int, err error) {
484 return e.ch.WriteExtended(data, e.code)
485}
486
487func (e *extChannel) Read(data []byte) (n int, err error) {
488 return e.ch.ReadExtended(data, e.code)
489}
490
491func (c *channel) Accept() (Channel, <-chan *Request, error) {
492 if c.decided {
493 return nil, nil, errDecidedAlready
494 }
495 c.maxIncomingPayload = channelMaxPacket
496 confirm := channelOpenConfirmMsg{
497 PeersId: c.remoteId,
498 MyId: c.localId,
499 MyWindow: c.myWindow,
500 MaxPacketSize: c.maxIncomingPayload,
501 }
502 c.decided = true
503 if err := c.sendMessage(confirm); err != nil {
504 return nil, nil, err
505 }
506
507 return c, c.incomingRequests, nil
508}
509
510func (ch *channel) Reject(reason RejectionReason, message string) error {
511 if ch.decided {
512 return errDecidedAlready
513 }
514 reject := channelOpenFailureMsg{
515 PeersId: ch.remoteId,
516 Reason: reason,
517 Message: message,
518 Language: "en",
519 }
520 ch.decided = true
521 return ch.sendMessage(reject)
522}
523
524func (ch *channel) Read(data []byte) (int, error) {
525 if !ch.decided {
526 return 0, errUndecided
527 }
528 return ch.ReadExtended(data, 0)
529}
530
531func (ch *channel) Write(data []byte) (int, error) {
532 if !ch.decided {
533 return 0, errUndecided
534 }
535 return ch.WriteExtended(data, 0)
536}
537
538func (ch *channel) CloseWrite() error {
539 if !ch.decided {
540 return errUndecided
541 }
542 ch.sentEOF = true
543 return ch.sendMessage(channelEOFMsg{
544 PeersId: ch.remoteId})
545}
546
547func (ch *channel) Close() error {
548 if !ch.decided {
549 return errUndecided
550 }
551
552 return ch.sendMessage(channelCloseMsg{
553 PeersId: ch.remoteId})
554}
555
556// Extended returns an io.ReadWriter that sends and receives data on the given,
557// SSH extended stream. Such streams are used, for example, for stderr.
558func (ch *channel) Extended(code uint32) io.ReadWriter {
559 if !ch.decided {
560 return nil
561 }
562 return &extChannel{code, ch}
563}
564
565func (ch *channel) Stderr() io.ReadWriter {
566 return ch.Extended(1)
567}
568
569func (ch *channel) SendRequest(name string, wantReply bool, payload []byte) (bool, error) {
570 if !ch.decided {
571 return false, errUndecided
572 }
573
574 if wantReply {
575 ch.sentRequestMu.Lock()
576 defer ch.sentRequestMu.Unlock()
577 }
578
579 msg := channelRequestMsg{
580 PeersId: ch.remoteId,
581 Request: name,
582 WantReply: wantReply,
583 RequestSpecificData: payload,
584 }
585
586 if err := ch.sendMessage(msg); err != nil {
587 return false, err
588 }
589
590 if wantReply {
591 m, ok := (<-ch.msg)
592 if !ok {
593 return false, io.EOF
594 }
595 switch m.(type) {
596 case *channelRequestFailureMsg:
597 return false, nil
598 case *channelRequestSuccessMsg:
599 return true, nil
600 default:
601 return false, fmt.Errorf("ssh: unexpected response to channel request: %#v", m)
602 }
603 }
604
605 return false, nil
606}
607
608// ackRequest either sends an ack or nack to the channel request.
609func (ch *channel) ackRequest(ok bool) error {
610 if !ch.decided {
611 return errUndecided
612 }
613
614 var msg interface{}
615 if !ok {
616 msg = channelRequestFailureMsg{
617 PeersId: ch.remoteId,
618 }
619 } else {
620 msg = channelRequestSuccessMsg{
621 PeersId: ch.remoteId,
622 }
623 }
624 return ch.sendMessage(msg)
625}
626
627func (ch *channel) ChannelType() string {
628 return ch.chanType
629}
630
631func (ch *channel) ExtraData() []byte {
632 return ch.extraData
633}
diff --git a/vendor/golang.org/x/crypto/ssh/cipher.go b/vendor/golang.org/x/crypto/ssh/cipher.go
deleted file mode 100644
index 13484ab..0000000
--- a/vendor/golang.org/x/crypto/ssh/cipher.go
+++ /dev/null
@@ -1,627 +0,0 @@
1// Copyright 2011 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7import (
8 "crypto/aes"
9 "crypto/cipher"
10 "crypto/des"
11 "crypto/rc4"
12 "crypto/subtle"
13 "encoding/binary"
14 "errors"
15 "fmt"
16 "hash"
17 "io"
18 "io/ioutil"
19)
20
21const (
22 packetSizeMultiple = 16 // TODO(huin) this should be determined by the cipher.
23
24 // RFC 4253 section 6.1 defines a minimum packet size of 32768 that implementations
25 // MUST be able to process (plus a few more kilobytes for padding and mac). The RFC
26 // indicates implementations SHOULD be able to handle larger packet sizes, but then
27 // waffles on about reasonable limits.
28 //
29 // OpenSSH caps their maxPacket at 256kB so we choose to do
30 // the same. maxPacket is also used to ensure that uint32
31 // length fields do not overflow, so it should remain well
32 // below 4G.
33 maxPacket = 256 * 1024
34)
35
36// noneCipher implements cipher.Stream and provides no encryption. It is used
37// by the transport before the first key-exchange.
38type noneCipher struct{}
39
40func (c noneCipher) XORKeyStream(dst, src []byte) {
41 copy(dst, src)
42}
43
44func newAESCTR(key, iv []byte) (cipher.Stream, error) {
45 c, err := aes.NewCipher(key)
46 if err != nil {
47 return nil, err
48 }
49 return cipher.NewCTR(c, iv), nil
50}
51
52func newRC4(key, iv []byte) (cipher.Stream, error) {
53 return rc4.NewCipher(key)
54}
55
56type streamCipherMode struct {
57 keySize int
58 ivSize int
59 skip int
60 createFunc func(key, iv []byte) (cipher.Stream, error)
61}
62
63func (c *streamCipherMode) createStream(key, iv []byte) (cipher.Stream, error) {
64 if len(key) < c.keySize {
65 panic("ssh: key length too small for cipher")
66 }
67 if len(iv) < c.ivSize {
68 panic("ssh: iv too small for cipher")
69 }
70
71 stream, err := c.createFunc(key[:c.keySize], iv[:c.ivSize])
72 if err != nil {
73 return nil, err
74 }
75
76 var streamDump []byte
77 if c.skip > 0 {
78 streamDump = make([]byte, 512)
79 }
80
81 for remainingToDump := c.skip; remainingToDump > 0; {
82 dumpThisTime := remainingToDump
83 if dumpThisTime > len(streamDump) {
84 dumpThisTime = len(streamDump)
85 }
86 stream.XORKeyStream(streamDump[:dumpThisTime], streamDump[:dumpThisTime])
87 remainingToDump -= dumpThisTime
88 }
89
90 return stream, nil
91}
92
93// cipherModes documents properties of supported ciphers. Ciphers not included
94// are not supported and will not be negotiated, even if explicitly requested in
95// ClientConfig.Crypto.Ciphers.
96var cipherModes = map[string]*streamCipherMode{
97 // Ciphers from RFC4344, which introduced many CTR-based ciphers. Algorithms
98 // are defined in the order specified in the RFC.
99 "aes128-ctr": {16, aes.BlockSize, 0, newAESCTR},
100 "aes192-ctr": {24, aes.BlockSize, 0, newAESCTR},
101 "aes256-ctr": {32, aes.BlockSize, 0, newAESCTR},
102
103 // Ciphers from RFC4345, which introduces security-improved arcfour ciphers.
104 // They are defined in the order specified in the RFC.
105 "arcfour128": {16, 0, 1536, newRC4},
106 "arcfour256": {32, 0, 1536, newRC4},
107
108 // Cipher defined in RFC 4253, which describes SSH Transport Layer Protocol.
109 // Note that this cipher is not safe, as stated in RFC 4253: "Arcfour (and
110 // RC4) has problems with weak keys, and should be used with caution."
111 // RFC4345 introduces improved versions of Arcfour.
112 "arcfour": {16, 0, 0, newRC4},
113
114 // AES-GCM is not a stream cipher, so it is constructed with a
115 // special case. If we add any more non-stream ciphers, we
116 // should invest a cleaner way to do this.
117 gcmCipherID: {16, 12, 0, nil},
118
119 // CBC mode is insecure and so is not included in the default config.
120 // (See http://www.isg.rhul.ac.uk/~kp/SandPfinal.pdf). If absolutely
121 // needed, it's possible to specify a custom Config to enable it.
122 // You should expect that an active attacker can recover plaintext if
123 // you do.
124 aes128cbcID: {16, aes.BlockSize, 0, nil},
125
126 // 3des-cbc is insecure and is disabled by default.
127 tripledescbcID: {24, des.BlockSize, 0, nil},
128}
129
130// prefixLen is the length of the packet prefix that contains the packet length
131// and number of padding bytes.
132const prefixLen = 5
133
134// streamPacketCipher is a packetCipher using a stream cipher.
135type streamPacketCipher struct {
136 mac hash.Hash
137 cipher cipher.Stream
138 etm bool
139
140 // The following members are to avoid per-packet allocations.
141 prefix [prefixLen]byte
142 seqNumBytes [4]byte
143 padding [2 * packetSizeMultiple]byte
144 packetData []byte
145 macResult []byte
146}
147
148// readPacket reads and decrypt a single packet from the reader argument.
149func (s *streamPacketCipher) readPacket(seqNum uint32, r io.Reader) ([]byte, error) {
150 if _, err := io.ReadFull(r, s.prefix[:]); err != nil {
151 return nil, err
152 }
153
154 var encryptedPaddingLength [1]byte
155 if s.mac != nil && s.etm {
156 copy(encryptedPaddingLength[:], s.prefix[4:5])
157 s.cipher.XORKeyStream(s.prefix[4:5], s.prefix[4:5])
158 } else {
159 s.cipher.XORKeyStream(s.prefix[:], s.prefix[:])
160 }
161
162 length := binary.BigEndian.Uint32(s.prefix[0:4])
163 paddingLength := uint32(s.prefix[4])
164
165 var macSize uint32
166 if s.mac != nil {
167 s.mac.Reset()
168 binary.BigEndian.PutUint32(s.seqNumBytes[:], seqNum)
169 s.mac.Write(s.seqNumBytes[:])
170 if s.etm {
171 s.mac.Write(s.prefix[:4])
172 s.mac.Write(encryptedPaddingLength[:])
173 } else {
174 s.mac.Write(s.prefix[:])
175 }
176 macSize = uint32(s.mac.Size())
177 }
178
179 if length <= paddingLength+1 {
180 return nil, errors.New("ssh: invalid packet length, packet too small")
181 }
182
183 if length > maxPacket {
184 return nil, errors.New("ssh: invalid packet length, packet too large")
185 }
186
187 // the maxPacket check above ensures that length-1+macSize
188 // does not overflow.
189 if uint32(cap(s.packetData)) < length-1+macSize {
190 s.packetData = make([]byte, length-1+macSize)
191 } else {
192 s.packetData = s.packetData[:length-1+macSize]
193 }
194
195 if _, err := io.ReadFull(r, s.packetData); err != nil {
196 return nil, err
197 }
198 mac := s.packetData[length-1:]
199 data := s.packetData[:length-1]
200
201 if s.mac != nil && s.etm {
202 s.mac.Write(data)
203 }
204
205 s.cipher.XORKeyStream(data, data)
206
207 if s.mac != nil {
208 if !s.etm {
209 s.mac.Write(data)
210 }
211 s.macResult = s.mac.Sum(s.macResult[:0])
212 if subtle.ConstantTimeCompare(s.macResult, mac) != 1 {
213 return nil, errors.New("ssh: MAC failure")
214 }
215 }
216
217 return s.packetData[:length-paddingLength-1], nil
218}
219
220// writePacket encrypts and sends a packet of data to the writer argument
221func (s *streamPacketCipher) writePacket(seqNum uint32, w io.Writer, rand io.Reader, packet []byte) error {
222 if len(packet) > maxPacket {
223 return errors.New("ssh: packet too large")
224 }
225
226 aadlen := 0
227 if s.mac != nil && s.etm {
228 // packet length is not encrypted for EtM modes
229 aadlen = 4
230 }
231
232 paddingLength := packetSizeMultiple - (prefixLen+len(packet)-aadlen)%packetSizeMultiple
233 if paddingLength < 4 {
234 paddingLength += packetSizeMultiple
235 }
236
237 length := len(packet) + 1 + paddingLength
238 binary.BigEndian.PutUint32(s.prefix[:], uint32(length))
239 s.prefix[4] = byte(paddingLength)
240 padding := s.padding[:paddingLength]
241 if _, err := io.ReadFull(rand, padding); err != nil {
242 return err
243 }
244
245 if s.mac != nil {
246 s.mac.Reset()
247 binary.BigEndian.PutUint32(s.seqNumBytes[:], seqNum)
248 s.mac.Write(s.seqNumBytes[:])
249
250 if s.etm {
251 // For EtM algorithms, the packet length must stay unencrypted,
252 // but the following data (padding length) must be encrypted
253 s.cipher.XORKeyStream(s.prefix[4:5], s.prefix[4:5])
254 }
255
256 s.mac.Write(s.prefix[:])
257
258 if !s.etm {
259 // For non-EtM algorithms, the algorithm is applied on unencrypted data
260 s.mac.Write(packet)
261 s.mac.Write(padding)
262 }
263 }
264
265 if !(s.mac != nil && s.etm) {
266 // For EtM algorithms, the padding length has already been encrypted
267 // and the packet length must remain unencrypted
268 s.cipher.XORKeyStream(s.prefix[:], s.prefix[:])
269 }
270
271 s.cipher.XORKeyStream(packet, packet)
272 s.cipher.XORKeyStream(padding, padding)
273
274 if s.mac != nil && s.etm {
275 // For EtM algorithms, packet and padding must be encrypted
276 s.mac.Write(packet)
277 s.mac.Write(padding)
278 }
279
280 if _, err := w.Write(s.prefix[:]); err != nil {
281 return err
282 }
283 if _, err := w.Write(packet); err != nil {
284 return err
285 }
286 if _, err := w.Write(padding); err != nil {
287 return err
288 }
289
290 if s.mac != nil {
291 s.macResult = s.mac.Sum(s.macResult[:0])
292 if _, err := w.Write(s.macResult); err != nil {
293 return err
294 }
295 }
296
297 return nil
298}
299
300type gcmCipher struct {
301 aead cipher.AEAD
302 prefix [4]byte
303 iv []byte
304 buf []byte
305}
306
307func newGCMCipher(iv, key, macKey []byte) (packetCipher, error) {
308 c, err := aes.NewCipher(key)
309 if err != nil {
310 return nil, err
311 }
312
313 aead, err := cipher.NewGCM(c)
314 if err != nil {
315 return nil, err
316 }
317
318 return &gcmCipher{
319 aead: aead,
320 iv: iv,
321 }, nil
322}
323
324const gcmTagSize = 16
325
326func (c *gcmCipher) writePacket(seqNum uint32, w io.Writer, rand io.Reader, packet []byte) error {
327 // Pad out to multiple of 16 bytes. This is different from the
328 // stream cipher because that encrypts the length too.
329 padding := byte(packetSizeMultiple - (1+len(packet))%packetSizeMultiple)
330 if padding < 4 {
331 padding += packetSizeMultiple
332 }
333
334 length := uint32(len(packet) + int(padding) + 1)
335 binary.BigEndian.PutUint32(c.prefix[:], length)
336 if _, err := w.Write(c.prefix[:]); err != nil {
337 return err
338 }
339
340 if cap(c.buf) < int(length) {
341 c.buf = make([]byte, length)
342 } else {
343 c.buf = c.buf[:length]
344 }
345
346 c.buf[0] = padding
347 copy(c.buf[1:], packet)
348 if _, err := io.ReadFull(rand, c.buf[1+len(packet):]); err != nil {
349 return err
350 }
351 c.buf = c.aead.Seal(c.buf[:0], c.iv, c.buf, c.prefix[:])
352 if _, err := w.Write(c.buf); err != nil {
353 return err
354 }
355 c.incIV()
356
357 return nil
358}
359
360func (c *gcmCipher) incIV() {
361 for i := 4 + 7; i >= 4; i-- {
362 c.iv[i]++
363 if c.iv[i] != 0 {
364 break
365 }
366 }
367}
368
369func (c *gcmCipher) readPacket(seqNum uint32, r io.Reader) ([]byte, error) {
370 if _, err := io.ReadFull(r, c.prefix[:]); err != nil {
371 return nil, err
372 }
373 length := binary.BigEndian.Uint32(c.prefix[:])
374 if length > maxPacket {
375 return nil, errors.New("ssh: max packet length exceeded.")
376 }
377
378 if cap(c.buf) < int(length+gcmTagSize) {
379 c.buf = make([]byte, length+gcmTagSize)
380 } else {
381 c.buf = c.buf[:length+gcmTagSize]
382 }
383
384 if _, err := io.ReadFull(r, c.buf); err != nil {
385 return nil, err
386 }
387
388 plain, err := c.aead.Open(c.buf[:0], c.iv, c.buf, c.prefix[:])
389 if err != nil {
390 return nil, err
391 }
392 c.incIV()
393
394 padding := plain[0]
395 if padding < 4 || padding >= 20 {
396 return nil, fmt.Errorf("ssh: illegal padding %d", padding)
397 }
398
399 if int(padding+1) >= len(plain) {
400 return nil, fmt.Errorf("ssh: padding %d too large", padding)
401 }
402 plain = plain[1 : length-uint32(padding)]
403 return plain, nil
404}
405
406// cbcCipher implements aes128-cbc cipher defined in RFC 4253 section 6.1
407type cbcCipher struct {
408 mac hash.Hash
409 macSize uint32
410 decrypter cipher.BlockMode
411 encrypter cipher.BlockMode
412
413 // The following members are to avoid per-packet allocations.
414 seqNumBytes [4]byte
415 packetData []byte
416 macResult []byte
417
418 // Amount of data we should still read to hide which
419 // verification error triggered.
420 oracleCamouflage uint32
421}
422
423func newCBCCipher(c cipher.Block, iv, key, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
424 cbc := &cbcCipher{
425 mac: macModes[algs.MAC].new(macKey),
426 decrypter: cipher.NewCBCDecrypter(c, iv),
427 encrypter: cipher.NewCBCEncrypter(c, iv),
428 packetData: make([]byte, 1024),
429 }
430 if cbc.mac != nil {
431 cbc.macSize = uint32(cbc.mac.Size())
432 }
433
434 return cbc, nil
435}
436
437func newAESCBCCipher(iv, key, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
438 c, err := aes.NewCipher(key)
439 if err != nil {
440 return nil, err
441 }
442
443 cbc, err := newCBCCipher(c, iv, key, macKey, algs)
444 if err != nil {
445 return nil, err
446 }
447
448 return cbc, nil
449}
450
451func newTripleDESCBCCipher(iv, key, macKey []byte, algs directionAlgorithms) (packetCipher, error) {
452 c, err := des.NewTripleDESCipher(key)
453 if err != nil {
454 return nil, err
455 }
456
457 cbc, err := newCBCCipher(c, iv, key, macKey, algs)
458 if err != nil {
459 return nil, err
460 }
461
462 return cbc, nil
463}
464
465func maxUInt32(a, b int) uint32 {
466 if a > b {
467 return uint32(a)
468 }
469 return uint32(b)
470}
471
472const (
473 cbcMinPacketSizeMultiple = 8
474 cbcMinPacketSize = 16
475 cbcMinPaddingSize = 4
476)
477
478// cbcError represents a verification error that may leak information.
479type cbcError string
480
481func (e cbcError) Error() string { return string(e) }
482
483func (c *cbcCipher) readPacket(seqNum uint32, r io.Reader) ([]byte, error) {
484 p, err := c.readPacketLeaky(seqNum, r)
485 if err != nil {
486 if _, ok := err.(cbcError); ok {
487 // Verification error: read a fixed amount of
488 // data, to make distinguishing between
489 // failing MAC and failing length check more
490 // difficult.
491 io.CopyN(ioutil.Discard, r, int64(c.oracleCamouflage))
492 }
493 }
494 return p, err
495}
496
497func (c *cbcCipher) readPacketLeaky(seqNum uint32, r io.Reader) ([]byte, error) {
498 blockSize := c.decrypter.BlockSize()
499
500 // Read the header, which will include some of the subsequent data in the
501 // case of block ciphers - this is copied back to the payload later.
502 // How many bytes of payload/padding will be read with this first read.
503 firstBlockLength := uint32((prefixLen + blockSize - 1) / blockSize * blockSize)
504 firstBlock := c.packetData[:firstBlockLength]
505 if _, err := io.ReadFull(r, firstBlock); err != nil {
506 return nil, err
507 }
508
509 c.oracleCamouflage = maxPacket + 4 + c.macSize - firstBlockLength
510
511 c.decrypter.CryptBlocks(firstBlock, firstBlock)
512 length := binary.BigEndian.Uint32(firstBlock[:4])
513 if length > maxPacket {
514 return nil, cbcError("ssh: packet too large")
515 }
516 if length+4 < maxUInt32(cbcMinPacketSize, blockSize) {
517 // The minimum size of a packet is 16 (or the cipher block size, whichever
518 // is larger) bytes.
519 return nil, cbcError("ssh: packet too small")
520 }
521 // The length of the packet (including the length field but not the MAC) must
522 // be a multiple of the block size or 8, whichever is larger.
523 if (length+4)%maxUInt32(cbcMinPacketSizeMultiple, blockSize) != 0 {
524 return nil, cbcError("ssh: invalid packet length multiple")
525 }
526
527 paddingLength := uint32(firstBlock[4])
528 if paddingLength < cbcMinPaddingSize || length <= paddingLength+1 {
529 return nil, cbcError("ssh: invalid packet length")
530 }
531
532 // Positions within the c.packetData buffer:
533 macStart := 4 + length
534 paddingStart := macStart - paddingLength
535
536 // Entire packet size, starting before length, ending at end of mac.
537 entirePacketSize := macStart + c.macSize
538
539 // Ensure c.packetData is large enough for the entire packet data.
540 if uint32(cap(c.packetData)) < entirePacketSize {
541 // Still need to upsize and copy, but this should be rare at runtime, only
542 // on upsizing the packetData buffer.
543 c.packetData = make([]byte, entirePacketSize)
544 copy(c.packetData, firstBlock)
545 } else {
546 c.packetData = c.packetData[:entirePacketSize]
547 }
548
549 if n, err := io.ReadFull(r, c.packetData[firstBlockLength:]); err != nil {
550 return nil, err
551 } else {
552 c.oracleCamouflage -= uint32(n)
553 }
554
555 remainingCrypted := c.packetData[firstBlockLength:macStart]
556 c.decrypter.CryptBlocks(remainingCrypted, remainingCrypted)
557
558 mac := c.packetData[macStart:]
559 if c.mac != nil {
560 c.mac.Reset()
561 binary.BigEndian.PutUint32(c.seqNumBytes[:], seqNum)
562 c.mac.Write(c.seqNumBytes[:])
563 c.mac.Write(c.packetData[:macStart])
564 c.macResult = c.mac.Sum(c.macResult[:0])
565 if subtle.ConstantTimeCompare(c.macResult, mac) != 1 {
566 return nil, cbcError("ssh: MAC failure")
567 }
568 }
569
570 return c.packetData[prefixLen:paddingStart], nil
571}
572
573func (c *cbcCipher) writePacket(seqNum uint32, w io.Writer, rand io.Reader, packet []byte) error {
574 effectiveBlockSize := maxUInt32(cbcMinPacketSizeMultiple, c.encrypter.BlockSize())
575
576 // Length of encrypted portion of the packet (header, payload, padding).
577 // Enforce minimum padding and packet size.
578 encLength := maxUInt32(prefixLen+len(packet)+cbcMinPaddingSize, cbcMinPaddingSize)
579 // Enforce block size.
580 encLength = (encLength + effectiveBlockSize - 1) / effectiveBlockSize * effectiveBlockSize
581
582 length := encLength - 4
583 paddingLength := int(length) - (1 + len(packet))
584
585 // Overall buffer contains: header, payload, padding, mac.
586 // Space for the MAC is reserved in the capacity but not the slice length.
587 bufferSize := encLength + c.macSize
588 if uint32(cap(c.packetData)) < bufferSize {
589 c.packetData = make([]byte, encLength, bufferSize)
590 } else {
591 c.packetData = c.packetData[:encLength]
592 }
593
594 p := c.packetData
595
596 // Packet header.
597 binary.BigEndian.PutUint32(p, length)
598 p = p[4:]
599 p[0] = byte(paddingLength)
600
601 // Payload.
602 p = p[1:]
603 copy(p, packet)
604
605 // Padding.
606 p = p[len(packet):]
607 if _, err := io.ReadFull(rand, p); err != nil {
608 return err
609 }
610
611 if c.mac != nil {
612 c.mac.Reset()
613 binary.BigEndian.PutUint32(c.seqNumBytes[:], seqNum)
614 c.mac.Write(c.seqNumBytes[:])
615 c.mac.Write(c.packetData)
616 // The MAC is now appended into the capacity reserved for it earlier.
617 c.packetData = c.mac.Sum(c.packetData)
618 }
619
620 c.encrypter.CryptBlocks(c.packetData[:encLength], c.packetData[:encLength])
621
622 if _, err := w.Write(c.packetData); err != nil {
623 return err
624 }
625
626 return nil
627}
diff --git a/vendor/golang.org/x/crypto/ssh/client.go b/vendor/golang.org/x/crypto/ssh/client.go
deleted file mode 100644
index c97f297..0000000
--- a/vendor/golang.org/x/crypto/ssh/client.go
+++ /dev/null
@@ -1,211 +0,0 @@
1// Copyright 2011 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7import (
8 "errors"
9 "fmt"
10 "net"
11 "sync"
12 "time"
13)
14
15// Client implements a traditional SSH client that supports shells,
16// subprocesses, port forwarding and tunneled dialing.
17type Client struct {
18 Conn
19
20 forwards forwardList // forwarded tcpip connections from the remote side
21 mu sync.Mutex
22 channelHandlers map[string]chan NewChannel
23}
24
25// HandleChannelOpen returns a channel on which NewChannel requests
26// for the given type are sent. If the type already is being handled,
27// nil is returned. The channel is closed when the connection is closed.
28func (c *Client) HandleChannelOpen(channelType string) <-chan NewChannel {
29 c.mu.Lock()
30 defer c.mu.Unlock()
31 if c.channelHandlers == nil {
32 // The SSH channel has been closed.
33 c := make(chan NewChannel)
34 close(c)
35 return c
36 }
37
38 ch := c.channelHandlers[channelType]
39 if ch != nil {
40 return nil
41 }
42
43 ch = make(chan NewChannel, chanSize)
44 c.channelHandlers[channelType] = ch
45 return ch
46}
47
48// NewClient creates a Client on top of the given connection.
49func NewClient(c Conn, chans <-chan NewChannel, reqs <-chan *Request) *Client {
50 conn := &Client{
51 Conn: c,
52 channelHandlers: make(map[string]chan NewChannel, 1),
53 }
54
55 go conn.handleGlobalRequests(reqs)
56 go conn.handleChannelOpens(chans)
57 go func() {
58 conn.Wait()
59 conn.forwards.closeAll()
60 }()
61 go conn.forwards.handleChannels(conn.HandleChannelOpen("forwarded-tcpip"))
62 return conn
63}
64
65// NewClientConn establishes an authenticated SSH connection using c
66// as the underlying transport. The Request and NewChannel channels
67// must be serviced or the connection will hang.
68func NewClientConn(c net.Conn, addr string, config *ClientConfig) (Conn, <-chan NewChannel, <-chan *Request, error) {
69 fullConf := *config
70 fullConf.SetDefaults()
71 conn := &connection{
72 sshConn: sshConn{conn: c},
73 }
74
75 if err := conn.clientHandshake(addr, &fullConf); err != nil {
76 c.Close()
77 return nil, nil, nil, fmt.Errorf("ssh: handshake failed: %v", err)
78 }
79 conn.mux = newMux(conn.transport)
80 return conn, conn.mux.incomingChannels, conn.mux.incomingRequests, nil
81}
82
83// clientHandshake performs the client side key exchange. See RFC 4253 Section
84// 7.
85func (c *connection) clientHandshake(dialAddress string, config *ClientConfig) error {
86 if config.ClientVersion != "" {
87 c.clientVersion = []byte(config.ClientVersion)
88 } else {
89 c.clientVersion = []byte(packageVersion)
90 }
91 var err error
92 c.serverVersion, err = exchangeVersions(c.sshConn.conn, c.clientVersion)
93 if err != nil {
94 return err
95 }
96
97 c.transport = newClientTransport(
98 newTransport(c.sshConn.conn, config.Rand, true /* is client */),
99 c.clientVersion, c.serverVersion, config, dialAddress, c.sshConn.RemoteAddr())
100 if err := c.transport.waitSession(); err != nil {
101 return err
102 }
103
104 c.sessionID = c.transport.getSessionID()
105 return c.clientAuthenticate(config)
106}
107
108// verifyHostKeySignature verifies the host key obtained in the key
109// exchange.
110func verifyHostKeySignature(hostKey PublicKey, result *kexResult) error {
111 sig, rest, ok := parseSignatureBody(result.Signature)
112 if len(rest) > 0 || !ok {
113 return errors.New("ssh: signature parse error")
114 }
115
116 return hostKey.Verify(result.H, sig)
117}
118
119// NewSession opens a new Session for this client. (A session is a remote
120// execution of a program.)
121func (c *Client) NewSession() (*Session, error) {
122 ch, in, err := c.OpenChannel("session", nil)
123 if err != nil {
124 return nil, err
125 }
126 return newSession(ch, in)
127}
128
129func (c *Client) handleGlobalRequests(incoming <-chan *Request) {
130 for r := range incoming {
131 // This handles keepalive messages and matches
132 // the behaviour of OpenSSH.
133 r.Reply(false, nil)
134 }
135}
136
137// handleChannelOpens channel open messages from the remote side.
138func (c *Client) handleChannelOpens(in <-chan NewChannel) {
139 for ch := range in {
140 c.mu.Lock()
141 handler := c.channelHandlers[ch.ChannelType()]
142 c.mu.Unlock()
143
144 if handler != nil {
145 handler <- ch
146 } else {
147 ch.Reject(UnknownChannelType, fmt.Sprintf("unknown channel type: %v", ch.ChannelType()))
148 }
149 }
150
151 c.mu.Lock()
152 for _, ch := range c.channelHandlers {
153 close(ch)
154 }
155 c.channelHandlers = nil
156 c.mu.Unlock()
157}
158
159// Dial starts a client connection to the given SSH server. It is a
160// convenience function that connects to the given network address,
161// initiates the SSH handshake, and then sets up a Client. For access
162// to incoming channels and requests, use net.Dial with NewClientConn
163// instead.
164func Dial(network, addr string, config *ClientConfig) (*Client, error) {
165 conn, err := net.DialTimeout(network, addr, config.Timeout)
166 if err != nil {
167 return nil, err
168 }
169 c, chans, reqs, err := NewClientConn(conn, addr, config)
170 if err != nil {
171 return nil, err
172 }
173 return NewClient(c, chans, reqs), nil
174}
175
176// A ClientConfig structure is used to configure a Client. It must not be
177// modified after having been passed to an SSH function.
178type ClientConfig struct {
179 // Config contains configuration that is shared between clients and
180 // servers.
181 Config
182
183 // User contains the username to authenticate as.
184 User string
185
186 // Auth contains possible authentication methods to use with the
187 // server. Only the first instance of a particular RFC 4252 method will
188 // be used during authentication.
189 Auth []AuthMethod
190
191 // HostKeyCallback, if not nil, is called during the cryptographic
192 // handshake to validate the server's host key. A nil HostKeyCallback
193 // implies that all host keys are accepted.
194 HostKeyCallback func(hostname string, remote net.Addr, key PublicKey) error
195
196 // ClientVersion contains the version identification string that will
197 // be used for the connection. If empty, a reasonable default is used.
198 ClientVersion string
199
200 // HostKeyAlgorithms lists the key types that the client will
201 // accept from the server as host key, in order of
202 // preference. If empty, a reasonable default is used. Any
203 // string returned from PublicKey.Type method may be used, or
204 // any of the CertAlgoXxxx and KeyAlgoXxxx constants.
205 HostKeyAlgorithms []string
206
207 // Timeout is the maximum amount of time for the TCP connection to establish.
208 //
209 // A Timeout of zero means no timeout.
210 Timeout time.Duration
211}
diff --git a/vendor/golang.org/x/crypto/ssh/client_auth.go b/vendor/golang.org/x/crypto/ssh/client_auth.go
deleted file mode 100644
index fd1ec5d..0000000
--- a/vendor/golang.org/x/crypto/ssh/client_auth.go
+++ /dev/null
@@ -1,475 +0,0 @@
1// Copyright 2011 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7import (
8 "bytes"
9 "errors"
10 "fmt"
11 "io"
12)
13
14// clientAuthenticate authenticates with the remote server. See RFC 4252.
15func (c *connection) clientAuthenticate(config *ClientConfig) error {
16 // initiate user auth session
17 if err := c.transport.writePacket(Marshal(&serviceRequestMsg{serviceUserAuth})); err != nil {
18 return err
19 }
20 packet, err := c.transport.readPacket()
21 if err != nil {
22 return err
23 }
24 var serviceAccept serviceAcceptMsg
25 if err := Unmarshal(packet, &serviceAccept); err != nil {
26 return err
27 }
28
29 // during the authentication phase the client first attempts the "none" method
30 // then any untried methods suggested by the server.
31 tried := make(map[string]bool)
32 var lastMethods []string
33
34 sessionID := c.transport.getSessionID()
35 for auth := AuthMethod(new(noneAuth)); auth != nil; {
36 ok, methods, err := auth.auth(sessionID, config.User, c.transport, config.Rand)
37 if err != nil {
38 return err
39 }
40 if ok {
41 // success
42 return nil
43 }
44 tried[auth.method()] = true
45 if methods == nil {
46 methods = lastMethods
47 }
48 lastMethods = methods
49
50 auth = nil
51
52 findNext:
53 for _, a := range config.Auth {
54 candidateMethod := a.method()
55 if tried[candidateMethod] {
56 continue
57 }
58 for _, meth := range methods {
59 if meth == candidateMethod {
60 auth = a
61 break findNext
62 }
63 }
64 }
65 }
66 return fmt.Errorf("ssh: unable to authenticate, attempted methods %v, no supported methods remain", keys(tried))
67}
68
69func keys(m map[string]bool) []string {
70 s := make([]string, 0, len(m))
71
72 for key := range m {
73 s = append(s, key)
74 }
75 return s
76}
77
78// An AuthMethod represents an instance of an RFC 4252 authentication method.
79type AuthMethod interface {
80 // auth authenticates user over transport t.
81 // Returns true if authentication is successful.
82 // If authentication is not successful, a []string of alternative
83 // method names is returned. If the slice is nil, it will be ignored
84 // and the previous set of possible methods will be reused.
85 auth(session []byte, user string, p packetConn, rand io.Reader) (bool, []string, error)
86
87 // method returns the RFC 4252 method name.
88 method() string
89}
90
91// "none" authentication, RFC 4252 section 5.2.
92type noneAuth int
93
94func (n *noneAuth) auth(session []byte, user string, c packetConn, rand io.Reader) (bool, []string, error) {
95 if err := c.writePacket(Marshal(&userAuthRequestMsg{
96 User: user,
97 Service: serviceSSH,
98 Method: "none",
99 })); err != nil {
100 return false, nil, err
101 }
102
103 return handleAuthResponse(c)
104}
105
106func (n *noneAuth) method() string {
107 return "none"
108}
109
110// passwordCallback is an AuthMethod that fetches the password through
111// a function call, e.g. by prompting the user.
112type passwordCallback func() (password string, err error)
113
114func (cb passwordCallback) auth(session []byte, user string, c packetConn, rand io.Reader) (bool, []string, error) {
115 type passwordAuthMsg struct {
116 User string `sshtype:"50"`
117 Service string
118 Method string
119 Reply bool
120 Password string
121 }
122
123 pw, err := cb()
124 // REVIEW NOTE: is there a need to support skipping a password attempt?
125 // The program may only find out that the user doesn't have a password
126 // when prompting.
127 if err != nil {
128 return false, nil, err
129 }
130
131 if err := c.writePacket(Marshal(&passwordAuthMsg{
132 User: user,
133 Service: serviceSSH,
134 Method: cb.method(),
135 Reply: false,
136 Password: pw,
137 })); err != nil {
138 return false, nil, err
139 }
140
141 return handleAuthResponse(c)
142}
143
144func (cb passwordCallback) method() string {
145 return "password"
146}
147
148// Password returns an AuthMethod using the given password.
149func Password(secret string) AuthMethod {
150 return passwordCallback(func() (string, error) { return secret, nil })
151}
152
153// PasswordCallback returns an AuthMethod that uses a callback for
154// fetching a password.
155func PasswordCallback(prompt func() (secret string, err error)) AuthMethod {
156 return passwordCallback(prompt)
157}
158
159type publickeyAuthMsg struct {
160 User string `sshtype:"50"`
161 Service string
162 Method string
163 // HasSig indicates to the receiver packet that the auth request is signed and
164 // should be used for authentication of the request.
165 HasSig bool
166 Algoname string
167 PubKey []byte
168 // Sig is tagged with "rest" so Marshal will exclude it during
169 // validateKey
170 Sig []byte `ssh:"rest"`
171}
172
173// publicKeyCallback is an AuthMethod that uses a set of key
174// pairs for authentication.
175type publicKeyCallback func() ([]Signer, error)
176
177func (cb publicKeyCallback) method() string {
178 return "publickey"
179}
180
181func (cb publicKeyCallback) auth(session []byte, user string, c packetConn, rand io.Reader) (bool, []string, error) {
182 // Authentication is performed in two stages. The first stage sends an
183 // enquiry to test if each key is acceptable to the remote. The second
184 // stage attempts to authenticate with the valid keys obtained in the
185 // first stage.
186
187 signers, err := cb()
188 if err != nil {
189 return false, nil, err
190 }
191 var validKeys []Signer
192 for _, signer := range signers {
193 if ok, err := validateKey(signer.PublicKey(), user, c); ok {
194 validKeys = append(validKeys, signer)
195 } else {
196 if err != nil {
197 return false, nil, err
198 }
199 }
200 }
201
202 // methods that may continue if this auth is not successful.
203 var methods []string
204 for _, signer := range validKeys {
205 pub := signer.PublicKey()
206
207 pubKey := pub.Marshal()
208 sign, err := signer.Sign(rand, buildDataSignedForAuth(session, userAuthRequestMsg{
209 User: user,
210 Service: serviceSSH,
211 Method: cb.method(),
212 }, []byte(pub.Type()), pubKey))
213 if err != nil {
214 return false, nil, err
215 }
216
217 // manually wrap the serialized signature in a string
218 s := Marshal(sign)
219 sig := make([]byte, stringLength(len(s)))
220 marshalString(sig, s)
221 msg := publickeyAuthMsg{
222 User: user,
223 Service: serviceSSH,
224 Method: cb.method(),
225 HasSig: true,
226 Algoname: pub.Type(),
227 PubKey: pubKey,
228 Sig: sig,
229 }
230 p := Marshal(&msg)
231 if err := c.writePacket(p); err != nil {
232 return false, nil, err
233 }
234 var success bool
235 success, methods, err = handleAuthResponse(c)
236 if err != nil {
237 return false, nil, err
238 }
239 if success {
240 return success, methods, err
241 }
242 }
243 return false, methods, nil
244}
245
246// validateKey validates the key provided is acceptable to the server.
247func validateKey(key PublicKey, user string, c packetConn) (bool, error) {
248 pubKey := key.Marshal()
249 msg := publickeyAuthMsg{
250 User: user,
251 Service: serviceSSH,
252 Method: "publickey",
253 HasSig: false,
254 Algoname: key.Type(),
255 PubKey: pubKey,
256 }
257 if err := c.writePacket(Marshal(&msg)); err != nil {
258 return false, err
259 }
260
261 return confirmKeyAck(key, c)
262}
263
264func confirmKeyAck(key PublicKey, c packetConn) (bool, error) {
265 pubKey := key.Marshal()
266 algoname := key.Type()
267
268 for {
269 packet, err := c.readPacket()
270 if err != nil {
271 return false, err
272 }
273 switch packet[0] {
274 case msgUserAuthBanner:
275 // TODO(gpaul): add callback to present the banner to the user
276 case msgUserAuthPubKeyOk:
277 var msg userAuthPubKeyOkMsg
278 if err := Unmarshal(packet, &msg); err != nil {
279 return false, err
280 }
281 if msg.Algo != algoname || !bytes.Equal(msg.PubKey, pubKey) {
282 return false, nil
283 }
284 return true, nil
285 case msgUserAuthFailure:
286 return false, nil
287 default:
288 return false, unexpectedMessageError(msgUserAuthSuccess, packet[0])
289 }
290 }
291}
292
293// PublicKeys returns an AuthMethod that uses the given key
294// pairs.
295func PublicKeys(signers ...Signer) AuthMethod {
296 return publicKeyCallback(func() ([]Signer, error) { return signers, nil })
297}
298
299// PublicKeysCallback returns an AuthMethod that runs the given
300// function to obtain a list of key pairs.
301func PublicKeysCallback(getSigners func() (signers []Signer, err error)) AuthMethod {
302 return publicKeyCallback(getSigners)
303}
304
305// handleAuthResponse returns whether the preceding authentication request succeeded
306// along with a list of remaining authentication methods to try next and
307// an error if an unexpected response was received.
308func handleAuthResponse(c packetConn) (bool, []string, error) {
309 for {
310 packet, err := c.readPacket()
311 if err != nil {
312 return false, nil, err
313 }
314
315 switch packet[0] {
316 case msgUserAuthBanner:
317 // TODO: add callback to present the banner to the user
318 case msgUserAuthFailure:
319 var msg userAuthFailureMsg
320 if err := Unmarshal(packet, &msg); err != nil {
321 return false, nil, err
322 }
323 return false, msg.Methods, nil
324 case msgUserAuthSuccess:
325 return true, nil, nil
326 default:
327 return false, nil, unexpectedMessageError(msgUserAuthSuccess, packet[0])
328 }
329 }
330}
331
332// KeyboardInteractiveChallenge should print questions, optionally
333// disabling echoing (e.g. for passwords), and return all the answers.
334// Challenge may be called multiple times in a single session. After
335// successful authentication, the server may send a challenge with no
336// questions, for which the user and instruction messages should be
337// printed. RFC 4256 section 3.3 details how the UI should behave for
338// both CLI and GUI environments.
339type KeyboardInteractiveChallenge func(user, instruction string, questions []string, echos []bool) (answers []string, err error)
340
341// KeyboardInteractive returns a AuthMethod using a prompt/response
342// sequence controlled by the server.
343func KeyboardInteractive(challenge KeyboardInteractiveChallenge) AuthMethod {
344 return challenge
345}
346
347func (cb KeyboardInteractiveChallenge) method() string {
348 return "keyboard-interactive"
349}
350
351func (cb KeyboardInteractiveChallenge) auth(session []byte, user string, c packetConn, rand io.Reader) (bool, []string, error) {
352 type initiateMsg struct {
353 User string `sshtype:"50"`
354 Service string
355 Method string
356 Language string
357 Submethods string
358 }
359
360 if err := c.writePacket(Marshal(&initiateMsg{
361 User: user,
362 Service: serviceSSH,
363 Method: "keyboard-interactive",
364 })); err != nil {
365 return false, nil, err
366 }
367
368 for {
369 packet, err := c.readPacket()
370 if err != nil {
371 return false, nil, err
372 }
373
374 // like handleAuthResponse, but with less options.
375 switch packet[0] {
376 case msgUserAuthBanner:
377 // TODO: Print banners during userauth.
378 continue
379 case msgUserAuthInfoRequest:
380 // OK
381 case msgUserAuthFailure:
382 var msg userAuthFailureMsg
383 if err := Unmarshal(packet, &msg); err != nil {
384 return false, nil, err
385 }
386 return false, msg.Methods, nil
387 case msgUserAuthSuccess:
388 return true, nil, nil
389 default:
390 return false, nil, unexpectedMessageError(msgUserAuthInfoRequest, packet[0])
391 }
392
393 var msg userAuthInfoRequestMsg
394 if err := Unmarshal(packet, &msg); err != nil {
395 return false, nil, err
396 }
397
398 // Manually unpack the prompt/echo pairs.
399 rest := msg.Prompts
400 var prompts []string
401 var echos []bool
402 for i := 0; i < int(msg.NumPrompts); i++ {
403 prompt, r, ok := parseString(rest)
404 if !ok || len(r) == 0 {
405 return false, nil, errors.New("ssh: prompt format error")
406 }
407 prompts = append(prompts, string(prompt))
408 echos = append(echos, r[0] != 0)
409 rest = r[1:]
410 }
411
412 if len(rest) != 0 {
413 return false, nil, errors.New("ssh: extra data following keyboard-interactive pairs")
414 }
415
416 answers, err := cb(msg.User, msg.Instruction, prompts, echos)
417 if err != nil {
418 return false, nil, err
419 }
420
421 if len(answers) != len(prompts) {
422 return false, nil, errors.New("ssh: not enough answers from keyboard-interactive callback")
423 }
424 responseLength := 1 + 4
425 for _, a := range answers {
426 responseLength += stringLength(len(a))
427 }
428 serialized := make([]byte, responseLength)
429 p := serialized
430 p[0] = msgUserAuthInfoResponse
431 p = p[1:]
432 p = marshalUint32(p, uint32(len(answers)))
433 for _, a := range answers {
434 p = marshalString(p, []byte(a))
435 }
436
437 if err := c.writePacket(serialized); err != nil {
438 return false, nil, err
439 }
440 }
441}
442
443type retryableAuthMethod struct {
444 authMethod AuthMethod
445 maxTries int
446}
447
448func (r *retryableAuthMethod) auth(session []byte, user string, c packetConn, rand io.Reader) (ok bool, methods []string, err error) {
449 for i := 0; r.maxTries <= 0 || i < r.maxTries; i++ {
450 ok, methods, err = r.authMethod.auth(session, user, c, rand)
451 if ok || err != nil { // either success or error terminate
452 return ok, methods, err
453 }
454 }
455 return ok, methods, err
456}
457
458func (r *retryableAuthMethod) method() string {
459 return r.authMethod.method()
460}
461
462// RetryableAuthMethod is a decorator for other auth methods enabling them to
463// be retried up to maxTries before considering that AuthMethod itself failed.
464// If maxTries is <= 0, will retry indefinitely
465//
466// This is useful for interactive clients using challenge/response type
467// authentication (e.g. Keyboard-Interactive, Password, etc) where the user
468// could mistype their response resulting in the server issuing a
469// SSH_MSG_USERAUTH_FAILURE (rfc4252 #8 [password] and rfc4256 #3.4
470// [keyboard-interactive]); Without this decorator, the non-retryable
471// AuthMethod would be removed from future consideration, and never tried again
472// (and so the user would never be able to retry their entry).
473func RetryableAuthMethod(auth AuthMethod, maxTries int) AuthMethod {
474 return &retryableAuthMethod{authMethod: auth, maxTries: maxTries}
475}
diff --git a/vendor/golang.org/x/crypto/ssh/common.go b/vendor/golang.org/x/crypto/ssh/common.go
deleted file mode 100644
index 8656d0f..0000000
--- a/vendor/golang.org/x/crypto/ssh/common.go
+++ /dev/null
@@ -1,371 +0,0 @@
1// Copyright 2011 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7import (
8 "crypto"
9 "crypto/rand"
10 "fmt"
11 "io"
12 "sync"
13
14 _ "crypto/sha1"
15 _ "crypto/sha256"
16 _ "crypto/sha512"
17)
18
19// These are string constants in the SSH protocol.
20const (
21 compressionNone = "none"
22 serviceUserAuth = "ssh-userauth"
23 serviceSSH = "ssh-connection"
24)
25
26// supportedCiphers specifies the supported ciphers in preference order.
27var supportedCiphers = []string{
28 "aes128-ctr", "aes192-ctr", "aes256-ctr",
29 "aes128-gcm@openssh.com",
30 "arcfour256", "arcfour128",
31}
32
33// supportedKexAlgos specifies the supported key-exchange algorithms in
34// preference order.
35var supportedKexAlgos = []string{
36 kexAlgoCurve25519SHA256,
37 // P384 and P521 are not constant-time yet, but since we don't
38 // reuse ephemeral keys, using them for ECDH should be OK.
39 kexAlgoECDH256, kexAlgoECDH384, kexAlgoECDH521,
40 kexAlgoDH14SHA1, kexAlgoDH1SHA1,
41}
42
43// supportedKexAlgos specifies the supported host-key algorithms (i.e. methods
44// of authenticating servers) in preference order.
45var supportedHostKeyAlgos = []string{
46 CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01,
47 CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01,
48
49 KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521,
50 KeyAlgoRSA, KeyAlgoDSA,
51
52 KeyAlgoED25519,
53}
54
55// supportedMACs specifies a default set of MAC algorithms in preference order.
56// This is based on RFC 4253, section 6.4, but with hmac-md5 variants removed
57// because they have reached the end of their useful life.
58var supportedMACs = []string{
59 "hmac-sha2-256-etm@openssh.com", "hmac-sha2-256", "hmac-sha1", "hmac-sha1-96",
60}
61
62var supportedCompressions = []string{compressionNone}
63
64// hashFuncs keeps the mapping of supported algorithms to their respective
65// hashes needed for signature verification.
66var hashFuncs = map[string]crypto.Hash{
67 KeyAlgoRSA: crypto.SHA1,
68 KeyAlgoDSA: crypto.SHA1,
69 KeyAlgoECDSA256: crypto.SHA256,
70 KeyAlgoECDSA384: crypto.SHA384,
71 KeyAlgoECDSA521: crypto.SHA512,
72 CertAlgoRSAv01: crypto.SHA1,
73 CertAlgoDSAv01: crypto.SHA1,
74 CertAlgoECDSA256v01: crypto.SHA256,
75 CertAlgoECDSA384v01: crypto.SHA384,
76 CertAlgoECDSA521v01: crypto.SHA512,
77}
78
79// unexpectedMessageError results when the SSH message that we received didn't
80// match what we wanted.
81func unexpectedMessageError(expected, got uint8) error {
82 return fmt.Errorf("ssh: unexpected message type %d (expected %d)", got, expected)
83}
84
85// parseError results from a malformed SSH message.
86func parseError(tag uint8) error {
87 return fmt.Errorf("ssh: parse error in message type %d", tag)
88}
89
90func findCommon(what string, client []string, server []string) (common string, err error) {
91 for _, c := range client {
92 for _, s := range server {
93 if c == s {
94 return c, nil
95 }
96 }
97 }
98 return "", fmt.Errorf("ssh: no common algorithm for %s; client offered: %v, server offered: %v", what, client, server)
99}
100
101type directionAlgorithms struct {
102 Cipher string
103 MAC string
104 Compression string
105}
106
107// rekeyBytes returns a rekeying intervals in bytes.
108func (a *directionAlgorithms) rekeyBytes() int64 {
109 // According to RFC4344 block ciphers should rekey after
110 // 2^(BLOCKSIZE/4) blocks. For all AES flavors BLOCKSIZE is
111 // 128.
112 switch a.Cipher {
113 case "aes128-ctr", "aes192-ctr", "aes256-ctr", gcmCipherID, aes128cbcID:
114 return 16 * (1 << 32)
115
116 }
117
118 // For others, stick with RFC4253 recommendation to rekey after 1 Gb of data.
119 return 1 << 30
120}
121
122type algorithms struct {
123 kex string
124 hostKey string
125 w directionAlgorithms
126 r directionAlgorithms
127}
128
129func findAgreedAlgorithms(clientKexInit, serverKexInit *kexInitMsg) (algs *algorithms, err error) {
130 result := &algorithms{}
131
132 result.kex, err = findCommon("key exchange", clientKexInit.KexAlgos, serverKexInit.KexAlgos)
133 if err != nil {
134 return
135 }
136
137 result.hostKey, err = findCommon("host key", clientKexInit.ServerHostKeyAlgos, serverKexInit.ServerHostKeyAlgos)
138 if err != nil {
139 return
140 }
141
142 result.w.Cipher, err = findCommon("client to server cipher", clientKexInit.CiphersClientServer, serverKexInit.CiphersClientServer)
143 if err != nil {
144 return
145 }
146
147 result.r.Cipher, err = findCommon("server to client cipher", clientKexInit.CiphersServerClient, serverKexInit.CiphersServerClient)
148 if err != nil {
149 return
150 }
151
152 result.w.MAC, err = findCommon("client to server MAC", clientKexInit.MACsClientServer, serverKexInit.MACsClientServer)
153 if err != nil {
154 return
155 }
156
157 result.r.MAC, err = findCommon("server to client MAC", clientKexInit.MACsServerClient, serverKexInit.MACsServerClient)
158 if err != nil {
159 return
160 }
161
162 result.w.Compression, err = findCommon("client to server compression", clientKexInit.CompressionClientServer, serverKexInit.CompressionClientServer)
163 if err != nil {
164 return
165 }
166
167 result.r.Compression, err = findCommon("server to client compression", clientKexInit.CompressionServerClient, serverKexInit.CompressionServerClient)
168 if err != nil {
169 return
170 }
171
172 return result, nil
173}
174
175// If rekeythreshold is too small, we can't make any progress sending
176// stuff.
177const minRekeyThreshold uint64 = 256
178
179// Config contains configuration data common to both ServerConfig and
180// ClientConfig.
181type Config struct {
182 // Rand provides the source of entropy for cryptographic
183 // primitives. If Rand is nil, the cryptographic random reader
184 // in package crypto/rand will be used.
185 Rand io.Reader
186
187 // The maximum number of bytes sent or received after which a
188 // new key is negotiated. It must be at least 256. If
189 // unspecified, 1 gigabyte is used.
190 RekeyThreshold uint64
191
192 // The allowed key exchanges algorithms. If unspecified then a
193 // default set of algorithms is used.
194 KeyExchanges []string
195
196 // The allowed cipher algorithms. If unspecified then a sensible
197 // default is used.
198 Ciphers []string
199
200 // The allowed MAC algorithms. If unspecified then a sensible default
201 // is used.
202 MACs []string
203}
204
205// SetDefaults sets sensible values for unset fields in config. This is
206// exported for testing: Configs passed to SSH functions are copied and have
207// default values set automatically.
208func (c *Config) SetDefaults() {
209 if c.Rand == nil {
210 c.Rand = rand.Reader
211 }
212 if c.Ciphers == nil {
213 c.Ciphers = supportedCiphers
214 }
215 var ciphers []string
216 for _, c := range c.Ciphers {
217 if cipherModes[c] != nil {
218 // reject the cipher if we have no cipherModes definition
219 ciphers = append(ciphers, c)
220 }
221 }
222 c.Ciphers = ciphers
223
224 if c.KeyExchanges == nil {
225 c.KeyExchanges = supportedKexAlgos
226 }
227
228 if c.MACs == nil {
229 c.MACs = supportedMACs
230 }
231
232 if c.RekeyThreshold == 0 {
233 // RFC 4253, section 9 suggests rekeying after 1G.
234 c.RekeyThreshold = 1 << 30
235 }
236 if c.RekeyThreshold < minRekeyThreshold {
237 c.RekeyThreshold = minRekeyThreshold
238 }
239}
240
241// buildDataSignedForAuth returns the data that is signed in order to prove
242// possession of a private key. See RFC 4252, section 7.
243func buildDataSignedForAuth(sessionId []byte, req userAuthRequestMsg, algo, pubKey []byte) []byte {
244 data := struct {
245 Session []byte
246 Type byte
247 User string
248 Service string
249 Method string
250 Sign bool
251 Algo []byte
252 PubKey []byte
253 }{
254 sessionId,
255 msgUserAuthRequest,
256 req.User,
257 req.Service,
258 req.Method,
259 true,
260 algo,
261 pubKey,
262 }
263 return Marshal(data)
264}
265
266func appendU16(buf []byte, n uint16) []byte {
267 return append(buf, byte(n>>8), byte(n))
268}
269
270func appendU32(buf []byte, n uint32) []byte {
271 return append(buf, byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
272}
273
274func appendU64(buf []byte, n uint64) []byte {
275 return append(buf,
276 byte(n>>56), byte(n>>48), byte(n>>40), byte(n>>32),
277 byte(n>>24), byte(n>>16), byte(n>>8), byte(n))
278}
279
280func appendInt(buf []byte, n int) []byte {
281 return appendU32(buf, uint32(n))
282}
283
284func appendString(buf []byte, s string) []byte {
285 buf = appendU32(buf, uint32(len(s)))
286 buf = append(buf, s...)
287 return buf
288}
289
290func appendBool(buf []byte, b bool) []byte {
291 if b {
292 return append(buf, 1)
293 }
294 return append(buf, 0)
295}
296
297// newCond is a helper to hide the fact that there is no usable zero
298// value for sync.Cond.
299func newCond() *sync.Cond { return sync.NewCond(new(sync.Mutex)) }
300
301// window represents the buffer available to clients
302// wishing to write to a channel.
303type window struct {
304 *sync.Cond
305 win uint32 // RFC 4254 5.2 says the window size can grow to 2^32-1
306 writeWaiters int
307 closed bool
308}
309
310// add adds win to the amount of window available
311// for consumers.
312func (w *window) add(win uint32) bool {
313 // a zero sized window adjust is a noop.
314 if win == 0 {
315 return true
316 }
317 w.L.Lock()
318 if w.win+win < win {
319 w.L.Unlock()
320 return false
321 }
322 w.win += win
323 // It is unusual that multiple goroutines would be attempting to reserve
324 // window space, but not guaranteed. Use broadcast to notify all waiters
325 // that additional window is available.
326 w.Broadcast()
327 w.L.Unlock()
328 return true
329}
330
331// close sets the window to closed, so all reservations fail
332// immediately.
333func (w *window) close() {
334 w.L.Lock()
335 w.closed = true
336 w.Broadcast()
337 w.L.Unlock()
338}
339
340// reserve reserves win from the available window capacity.
341// If no capacity remains, reserve will block. reserve may
342// return less than requested.
343func (w *window) reserve(win uint32) (uint32, error) {
344 var err error
345 w.L.Lock()
346 w.writeWaiters++
347 w.Broadcast()
348 for w.win == 0 && !w.closed {
349 w.Wait()
350 }
351 w.writeWaiters--
352 if w.win < win {
353 win = w.win
354 }
355 w.win -= win
356 if w.closed {
357 err = io.EOF
358 }
359 w.L.Unlock()
360 return win, err
361}
362
363// waitWriterBlocked waits until some goroutine is blocked for further
364// writes. It is used in tests only.
365func (w *window) waitWriterBlocked() {
366 w.Cond.L.Lock()
367 for w.writeWaiters == 0 {
368 w.Cond.Wait()
369 }
370 w.Cond.L.Unlock()
371}
diff --git a/vendor/golang.org/x/crypto/ssh/connection.go b/vendor/golang.org/x/crypto/ssh/connection.go
deleted file mode 100644
index e786f2f..0000000
--- a/vendor/golang.org/x/crypto/ssh/connection.go
+++ /dev/null
@@ -1,143 +0,0 @@
1// Copyright 2013 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7import (
8 "fmt"
9 "net"
10)
11
12// OpenChannelError is returned if the other side rejects an
13// OpenChannel request.
14type OpenChannelError struct {
15 Reason RejectionReason
16 Message string
17}
18
19func (e *OpenChannelError) Error() string {
20 return fmt.Sprintf("ssh: rejected: %s (%s)", e.Reason, e.Message)
21}
22
23// ConnMetadata holds metadata for the connection.
24type ConnMetadata interface {
25 // User returns the user ID for this connection.
26 User() string
27
28 // SessionID returns the sesson hash, also denoted by H.
29 SessionID() []byte
30
31 // ClientVersion returns the client's version string as hashed
32 // into the session ID.
33 ClientVersion() []byte
34
35 // ServerVersion returns the server's version string as hashed
36 // into the session ID.
37 ServerVersion() []byte
38
39 // RemoteAddr returns the remote address for this connection.
40 RemoteAddr() net.Addr
41
42 // LocalAddr returns the local address for this connection.
43 LocalAddr() net.Addr
44}
45
46// Conn represents an SSH connection for both server and client roles.
47// Conn is the basis for implementing an application layer, such
48// as ClientConn, which implements the traditional shell access for
49// clients.
50type Conn interface {
51 ConnMetadata
52
53 // SendRequest sends a global request, and returns the
54 // reply. If wantReply is true, it returns the response status
55 // and payload. See also RFC4254, section 4.
56 SendRequest(name string, wantReply bool, payload []byte) (bool, []byte, error)
57
58 // OpenChannel tries to open an channel. If the request is
59 // rejected, it returns *OpenChannelError. On success it returns
60 // the SSH Channel and a Go channel for incoming, out-of-band
61 // requests. The Go channel must be serviced, or the
62 // connection will hang.
63 OpenChannel(name string, data []byte) (Channel, <-chan *Request, error)
64
65 // Close closes the underlying network connection
66 Close() error
67
68 // Wait blocks until the connection has shut down, and returns the
69 // error causing the shutdown.
70 Wait() error
71
72 // TODO(hanwen): consider exposing:
73 // RequestKeyChange
74 // Disconnect
75}
76
77// DiscardRequests consumes and rejects all requests from the
78// passed-in channel.
79func DiscardRequests(in <-chan *Request) {
80 for req := range in {
81 if req.WantReply {
82 req.Reply(false, nil)
83 }
84 }
85}
86
87// A connection represents an incoming connection.
88type connection struct {
89 transport *handshakeTransport
90 sshConn
91
92 // The connection protocol.
93 *mux
94}
95
96func (c *connection) Close() error {
97 return c.sshConn.conn.Close()
98}
99
100// sshconn provides net.Conn metadata, but disallows direct reads and
101// writes.
102type sshConn struct {
103 conn net.Conn
104
105 user string
106 sessionID []byte
107 clientVersion []byte
108 serverVersion []byte
109}
110
111func dup(src []byte) []byte {
112 dst := make([]byte, len(src))
113 copy(dst, src)
114 return dst
115}
116
117func (c *sshConn) User() string {
118 return c.user
119}
120
121func (c *sshConn) RemoteAddr() net.Addr {
122 return c.conn.RemoteAddr()
123}
124
125func (c *sshConn) Close() error {
126 return c.conn.Close()
127}
128
129func (c *sshConn) LocalAddr() net.Addr {
130 return c.conn.LocalAddr()
131}
132
133func (c *sshConn) SessionID() []byte {
134 return dup(c.sessionID)
135}
136
137func (c *sshConn) ClientVersion() []byte {
138 return dup(c.clientVersion)
139}
140
141func (c *sshConn) ServerVersion() []byte {
142 return dup(c.serverVersion)
143}
diff --git a/vendor/golang.org/x/crypto/ssh/doc.go b/vendor/golang.org/x/crypto/ssh/doc.go
deleted file mode 100644
index d6be894..0000000
--- a/vendor/golang.org/x/crypto/ssh/doc.go
+++ /dev/null
@@ -1,18 +0,0 @@
1// Copyright 2011 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5/*
6Package ssh implements an SSH client and server.
7
8SSH is a transport security protocol, an authentication protocol and a
9family of application protocols. The most typical application level
10protocol is a remote shell and this is specifically implemented. However,
11the multiplexed nature of SSH is exposed to users that wish to support
12others.
13
14References:
15 [PROTOCOL.certkeys]: http://cvsweb.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/PROTOCOL.certkeys?rev=HEAD
16 [SSH-PARAMETERS]: http://www.iana.org/assignments/ssh-parameters/ssh-parameters.xml#ssh-parameters-1
17*/
18package ssh // import "golang.org/x/crypto/ssh"
diff --git a/vendor/golang.org/x/crypto/ssh/handshake.go b/vendor/golang.org/x/crypto/ssh/handshake.go
deleted file mode 100644
index 8de6506..0000000
--- a/vendor/golang.org/x/crypto/ssh/handshake.go
+++ /dev/null
@@ -1,625 +0,0 @@
1// Copyright 2013 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7import (
8 "crypto/rand"
9 "errors"
10 "fmt"
11 "io"
12 "log"
13 "net"
14 "sync"
15)
16
17// debugHandshake, if set, prints messages sent and received. Key
18// exchange messages are printed as if DH were used, so the debug
19// messages are wrong when using ECDH.
20const debugHandshake = false
21
22// chanSize sets the amount of buffering SSH connections. This is
23// primarily for testing: setting chanSize=0 uncovers deadlocks more
24// quickly.
25const chanSize = 16
26
27// keyingTransport is a packet based transport that supports key
28// changes. It need not be thread-safe. It should pass through
29// msgNewKeys in both directions.
30type keyingTransport interface {
31 packetConn
32
33 // prepareKeyChange sets up a key change. The key change for a
34 // direction will be effected if a msgNewKeys message is sent
35 // or received.
36 prepareKeyChange(*algorithms, *kexResult) error
37}
38
39// handshakeTransport implements rekeying on top of a keyingTransport
40// and offers a thread-safe writePacket() interface.
41type handshakeTransport struct {
42 conn keyingTransport
43 config *Config
44
45 serverVersion []byte
46 clientVersion []byte
47
48 // hostKeys is non-empty if we are the server. In that case,
49 // it contains all host keys that can be used to sign the
50 // connection.
51 hostKeys []Signer
52
53 // hostKeyAlgorithms is non-empty if we are the client. In that case,
54 // we accept these key types from the server as host key.
55 hostKeyAlgorithms []string
56
57 // On read error, incoming is closed, and readError is set.
58 incoming chan []byte
59 readError error
60
61 mu sync.Mutex
62 writeError error
63 sentInitPacket []byte
64 sentInitMsg *kexInitMsg
65 pendingPackets [][]byte // Used when a key exchange is in progress.
66
67 // If the read loop wants to schedule a kex, it pings this
68 // channel, and the write loop will send out a kex
69 // message.
70 requestKex chan struct{}
71
72 // If the other side requests or confirms a kex, its kexInit
73 // packet is sent here for the write loop to find it.
74 startKex chan *pendingKex
75
76 // data for host key checking
77 hostKeyCallback func(hostname string, remote net.Addr, key PublicKey) error
78 dialAddress string
79 remoteAddr net.Addr
80
81 // Algorithms agreed in the last key exchange.
82 algorithms *algorithms
83
84 readPacketsLeft uint32
85 readBytesLeft int64
86
87 writePacketsLeft uint32
88 writeBytesLeft int64
89
90 // The session ID or nil if first kex did not complete yet.
91 sessionID []byte
92}
93
94type pendingKex struct {
95 otherInit []byte
96 done chan error
97}
98
99func newHandshakeTransport(conn keyingTransport, config *Config, clientVersion, serverVersion []byte) *handshakeTransport {
100 t := &handshakeTransport{
101 conn: conn,
102 serverVersion: serverVersion,
103 clientVersion: clientVersion,
104 incoming: make(chan []byte, chanSize),
105 requestKex: make(chan struct{}, 1),
106 startKex: make(chan *pendingKex, 1),
107
108 config: config,
109 }
110
111 // We always start with a mandatory key exchange.
112 t.requestKex <- struct{}{}
113 return t
114}
115
116func newClientTransport(conn keyingTransport, clientVersion, serverVersion []byte, config *ClientConfig, dialAddr string, addr net.Addr) *handshakeTransport {
117 t := newHandshakeTransport(conn, &config.Config, clientVersion, serverVersion)
118 t.dialAddress = dialAddr
119 t.remoteAddr = addr
120 t.hostKeyCallback = config.HostKeyCallback
121 if config.HostKeyAlgorithms != nil {
122 t.hostKeyAlgorithms = config.HostKeyAlgorithms
123 } else {
124 t.hostKeyAlgorithms = supportedHostKeyAlgos
125 }
126 go t.readLoop()
127 go t.kexLoop()
128 return t
129}
130
131func newServerTransport(conn keyingTransport, clientVersion, serverVersion []byte, config *ServerConfig) *handshakeTransport {
132 t := newHandshakeTransport(conn, &config.Config, clientVersion, serverVersion)
133 t.hostKeys = config.hostKeys
134 go t.readLoop()
135 go t.kexLoop()
136 return t
137}
138
139func (t *handshakeTransport) getSessionID() []byte {
140 return t.sessionID
141}
142
143// waitSession waits for the session to be established. This should be
144// the first thing to call after instantiating handshakeTransport.
145func (t *handshakeTransport) waitSession() error {
146 p, err := t.readPacket()
147 if err != nil {
148 return err
149 }
150 if p[0] != msgNewKeys {
151 return fmt.Errorf("ssh: first packet should be msgNewKeys")
152 }
153
154 return nil
155}
156
157func (t *handshakeTransport) id() string {
158 if len(t.hostKeys) > 0 {
159 return "server"
160 }
161 return "client"
162}
163
164func (t *handshakeTransport) printPacket(p []byte, write bool) {
165 action := "got"
166 if write {
167 action = "sent"
168 }
169
170 if p[0] == msgChannelData || p[0] == msgChannelExtendedData {
171 log.Printf("%s %s data (packet %d bytes)", t.id(), action, len(p))
172 } else {
173 msg, err := decode(p)
174 log.Printf("%s %s %T %v (%v)", t.id(), action, msg, msg, err)
175 }
176}
177
178func (t *handshakeTransport) readPacket() ([]byte, error) {
179 p, ok := <-t.incoming
180 if !ok {
181 return nil, t.readError
182 }
183 return p, nil
184}
185
186func (t *handshakeTransport) readLoop() {
187 first := true
188 for {
189 p, err := t.readOnePacket(first)
190 first = false
191 if err != nil {
192 t.readError = err
193 close(t.incoming)
194 break
195 }
196 if p[0] == msgIgnore || p[0] == msgDebug {
197 continue
198 }
199 t.incoming <- p
200 }
201
202 // Stop writers too.
203 t.recordWriteError(t.readError)
204
205 // Unblock the writer should it wait for this.
206 close(t.startKex)
207
208 // Don't close t.requestKex; it's also written to from writePacket.
209}
210
211func (t *handshakeTransport) pushPacket(p []byte) error {
212 if debugHandshake {
213 t.printPacket(p, true)
214 }
215 return t.conn.writePacket(p)
216}
217
218func (t *handshakeTransport) getWriteError() error {
219 t.mu.Lock()
220 defer t.mu.Unlock()
221 return t.writeError
222}
223
224func (t *handshakeTransport) recordWriteError(err error) {
225 t.mu.Lock()
226 defer t.mu.Unlock()
227 if t.writeError == nil && err != nil {
228 t.writeError = err
229 }
230}
231
232func (t *handshakeTransport) requestKeyExchange() {
233 select {
234 case t.requestKex <- struct{}{}:
235 default:
236 // something already requested a kex, so do nothing.
237 }
238}
239
240func (t *handshakeTransport) kexLoop() {
241
242write:
243 for t.getWriteError() == nil {
244 var request *pendingKex
245 var sent bool
246
247 for request == nil || !sent {
248 var ok bool
249 select {
250 case request, ok = <-t.startKex:
251 if !ok {
252 break write
253 }
254 case <-t.requestKex:
255 break
256 }
257
258 if !sent {
259 if err := t.sendKexInit(); err != nil {
260 t.recordWriteError(err)
261 break
262 }
263 sent = true
264 }
265 }
266
267 if err := t.getWriteError(); err != nil {
268 if request != nil {
269 request.done <- err
270 }
271 break
272 }
273
274 // We're not servicing t.requestKex, but that is OK:
275 // we never block on sending to t.requestKex.
276
277 // We're not servicing t.startKex, but the remote end
278 // has just sent us a kexInitMsg, so it can't send
279 // another key change request, until we close the done
280 // channel on the pendingKex request.
281
282 err := t.enterKeyExchange(request.otherInit)
283
284 t.mu.Lock()
285 t.writeError = err
286 t.sentInitPacket = nil
287 t.sentInitMsg = nil
288 t.writePacketsLeft = packetRekeyThreshold
289 if t.config.RekeyThreshold > 0 {
290 t.writeBytesLeft = int64(t.config.RekeyThreshold)
291 } else if t.algorithms != nil {
292 t.writeBytesLeft = t.algorithms.w.rekeyBytes()
293 }
294
295 // we have completed the key exchange. Since the
296 // reader is still blocked, it is safe to clear out
297 // the requestKex channel. This avoids the situation
298 // where: 1) we consumed our own request for the
299 // initial kex, and 2) the kex from the remote side
300 // caused another send on the requestKex channel,
301 clear:
302 for {
303 select {
304 case <-t.requestKex:
305 //
306 default:
307 break clear
308 }
309 }
310
311 request.done <- t.writeError
312
313 // kex finished. Push packets that we received while
314 // the kex was in progress. Don't look at t.startKex
315 // and don't increment writtenSinceKex: if we trigger
316 // another kex while we are still busy with the last
317 // one, things will become very confusing.
318 for _, p := range t.pendingPackets {
319 t.writeError = t.pushPacket(p)
320 if t.writeError != nil {
321 break
322 }
323 }
324 t.pendingPackets = t.pendingPackets[:0]
325 t.mu.Unlock()
326 }
327
328 // drain startKex channel. We don't service t.requestKex
329 // because nobody does blocking sends there.
330 go func() {
331 for init := range t.startKex {
332 init.done <- t.writeError
333 }
334 }()
335
336 // Unblock reader.
337 t.conn.Close()
338}
339
340// The protocol uses uint32 for packet counters, so we can't let them
341// reach 1<<32. We will actually read and write more packets than
342// this, though: the other side may send more packets, and after we
343// hit this limit on writing we will send a few more packets for the
344// key exchange itself.
345const packetRekeyThreshold = (1 << 31)
346
347func (t *handshakeTransport) readOnePacket(first bool) ([]byte, error) {
348 p, err := t.conn.readPacket()
349 if err != nil {
350 return nil, err
351 }
352
353 if t.readPacketsLeft > 0 {
354 t.readPacketsLeft--
355 } else {
356 t.requestKeyExchange()
357 }
358
359 if t.readBytesLeft > 0 {
360 t.readBytesLeft -= int64(len(p))
361 } else {
362 t.requestKeyExchange()
363 }
364
365 if debugHandshake {
366 t.printPacket(p, false)
367 }
368
369 if first && p[0] != msgKexInit {
370 return nil, fmt.Errorf("ssh: first packet should be msgKexInit")
371 }
372
373 if p[0] != msgKexInit {
374 return p, nil
375 }
376
377 firstKex := t.sessionID == nil
378
379 kex := pendingKex{
380 done: make(chan error, 1),
381 otherInit: p,
382 }
383 t.startKex <- &kex
384 err = <-kex.done
385
386 if debugHandshake {
387 log.Printf("%s exited key exchange (first %v), err %v", t.id(), firstKex, err)
388 }
389
390 if err != nil {
391 return nil, err
392 }
393
394 t.readPacketsLeft = packetRekeyThreshold
395 if t.config.RekeyThreshold > 0 {
396 t.readBytesLeft = int64(t.config.RekeyThreshold)
397 } else {
398 t.readBytesLeft = t.algorithms.r.rekeyBytes()
399 }
400
401 // By default, a key exchange is hidden from higher layers by
402 // translating it into msgIgnore.
403 successPacket := []byte{msgIgnore}
404 if firstKex {
405 // sendKexInit() for the first kex waits for
406 // msgNewKeys so the authentication process is
407 // guaranteed to happen over an encrypted transport.
408 successPacket = []byte{msgNewKeys}
409 }
410
411 return successPacket, nil
412}
413
414// sendKexInit sends a key change message.
415func (t *handshakeTransport) sendKexInit() error {
416 t.mu.Lock()
417 defer t.mu.Unlock()
418 if t.sentInitMsg != nil {
419 // kexInits may be sent either in response to the other side,
420 // or because our side wants to initiate a key change, so we
421 // may have already sent a kexInit. In that case, don't send a
422 // second kexInit.
423 return nil
424 }
425
426 msg := &kexInitMsg{
427 KexAlgos: t.config.KeyExchanges,
428 CiphersClientServer: t.config.Ciphers,
429 CiphersServerClient: t.config.Ciphers,
430 MACsClientServer: t.config.MACs,
431 MACsServerClient: t.config.MACs,
432 CompressionClientServer: supportedCompressions,
433 CompressionServerClient: supportedCompressions,
434 }
435 io.ReadFull(rand.Reader, msg.Cookie[:])
436
437 if len(t.hostKeys) > 0 {
438 for _, k := range t.hostKeys {
439 msg.ServerHostKeyAlgos = append(
440 msg.ServerHostKeyAlgos, k.PublicKey().Type())
441 }
442 } else {
443 msg.ServerHostKeyAlgos = t.hostKeyAlgorithms
444 }
445 packet := Marshal(msg)
446
447 // writePacket destroys the contents, so save a copy.
448 packetCopy := make([]byte, len(packet))
449 copy(packetCopy, packet)
450
451 if err := t.pushPacket(packetCopy); err != nil {
452 return err
453 }
454
455 t.sentInitMsg = msg
456 t.sentInitPacket = packet
457
458 return nil
459}
460
461func (t *handshakeTransport) writePacket(p []byte) error {
462 switch p[0] {
463 case msgKexInit:
464 return errors.New("ssh: only handshakeTransport can send kexInit")
465 case msgNewKeys:
466 return errors.New("ssh: only handshakeTransport can send newKeys")
467 }
468
469 t.mu.Lock()
470 defer t.mu.Unlock()
471 if t.writeError != nil {
472 return t.writeError
473 }
474
475 if t.sentInitMsg != nil {
476 // Copy the packet so the writer can reuse the buffer.
477 cp := make([]byte, len(p))
478 copy(cp, p)
479 t.pendingPackets = append(t.pendingPackets, cp)
480 return nil
481 }
482
483 if t.writeBytesLeft > 0 {
484 t.writeBytesLeft -= int64(len(p))
485 } else {
486 t.requestKeyExchange()
487 }
488
489 if t.writePacketsLeft > 0 {
490 t.writePacketsLeft--
491 } else {
492 t.requestKeyExchange()
493 }
494
495 if err := t.pushPacket(p); err != nil {
496 t.writeError = err
497 }
498
499 return nil
500}
501
502func (t *handshakeTransport) Close() error {
503 return t.conn.Close()
504}
505
506func (t *handshakeTransport) enterKeyExchange(otherInitPacket []byte) error {
507 if debugHandshake {
508 log.Printf("%s entered key exchange", t.id())
509 }
510
511 otherInit := &kexInitMsg{}
512 if err := Unmarshal(otherInitPacket, otherInit); err != nil {
513 return err
514 }
515
516 magics := handshakeMagics{
517 clientVersion: t.clientVersion,
518 serverVersion: t.serverVersion,
519 clientKexInit: otherInitPacket,
520 serverKexInit: t.sentInitPacket,
521 }
522
523 clientInit := otherInit
524 serverInit := t.sentInitMsg
525 if len(t.hostKeys) == 0 {
526 clientInit, serverInit = serverInit, clientInit
527
528 magics.clientKexInit = t.sentInitPacket
529 magics.serverKexInit = otherInitPacket
530 }
531
532 var err error
533 t.algorithms, err = findAgreedAlgorithms(clientInit, serverInit)
534 if err != nil {
535 return err
536 }
537
538 // We don't send FirstKexFollows, but we handle receiving it.
539 //
540 // RFC 4253 section 7 defines the kex and the agreement method for
541 // first_kex_packet_follows. It states that the guessed packet
542 // should be ignored if the "kex algorithm and/or the host
543 // key algorithm is guessed wrong (server and client have
544 // different preferred algorithm), or if any of the other
545 // algorithms cannot be agreed upon". The other algorithms have
546 // already been checked above so the kex algorithm and host key
547 // algorithm are checked here.
548 if otherInit.FirstKexFollows && (clientInit.KexAlgos[0] != serverInit.KexAlgos[0] || clientInit.ServerHostKeyAlgos[0] != serverInit.ServerHostKeyAlgos[0]) {
549 // other side sent a kex message for the wrong algorithm,
550 // which we have to ignore.
551 if _, err := t.conn.readPacket(); err != nil {
552 return err
553 }
554 }
555
556 kex, ok := kexAlgoMap[t.algorithms.kex]
557 if !ok {
558 return fmt.Errorf("ssh: unexpected key exchange algorithm %v", t.algorithms.kex)
559 }
560
561 var result *kexResult
562 if len(t.hostKeys) > 0 {
563 result, err = t.server(kex, t.algorithms, &magics)
564 } else {
565 result, err = t.client(kex, t.algorithms, &magics)
566 }
567
568 if err != nil {
569 return err
570 }
571
572 if t.sessionID == nil {
573 t.sessionID = result.H
574 }
575 result.SessionID = t.sessionID
576
577 t.conn.prepareKeyChange(t.algorithms, result)
578 if err = t.conn.writePacket([]byte{msgNewKeys}); err != nil {
579 return err
580 }
581 if packet, err := t.conn.readPacket(); err != nil {
582 return err
583 } else if packet[0] != msgNewKeys {
584 return unexpectedMessageError(msgNewKeys, packet[0])
585 }
586
587 return nil
588}
589
590func (t *handshakeTransport) server(kex kexAlgorithm, algs *algorithms, magics *handshakeMagics) (*kexResult, error) {
591 var hostKey Signer
592 for _, k := range t.hostKeys {
593 if algs.hostKey == k.PublicKey().Type() {
594 hostKey = k
595 }
596 }
597
598 r, err := kex.Server(t.conn, t.config.Rand, magics, hostKey)
599 return r, err
600}
601
602func (t *handshakeTransport) client(kex kexAlgorithm, algs *algorithms, magics *handshakeMagics) (*kexResult, error) {
603 result, err := kex.Client(t.conn, t.config.Rand, magics)
604 if err != nil {
605 return nil, err
606 }
607
608 hostKey, err := ParsePublicKey(result.HostKey)
609 if err != nil {
610 return nil, err
611 }
612
613 if err := verifyHostKeySignature(hostKey, result); err != nil {
614 return nil, err
615 }
616
617 if t.hostKeyCallback != nil {
618 err = t.hostKeyCallback(t.dialAddress, t.remoteAddr, hostKey)
619 if err != nil {
620 return nil, err
621 }
622 }
623
624 return result, nil
625}
diff --git a/vendor/golang.org/x/crypto/ssh/kex.go b/vendor/golang.org/x/crypto/ssh/kex.go
deleted file mode 100644
index c87fbeb..0000000
--- a/vendor/golang.org/x/crypto/ssh/kex.go
+++ /dev/null
@@ -1,540 +0,0 @@
1// Copyright 2013 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7import (
8 "crypto"
9 "crypto/ecdsa"
10 "crypto/elliptic"
11 "crypto/rand"
12 "crypto/subtle"
13 "errors"
14 "io"
15 "math/big"
16
17 "golang.org/x/crypto/curve25519"
18)
19
20const (
21 kexAlgoDH1SHA1 = "diffie-hellman-group1-sha1"
22 kexAlgoDH14SHA1 = "diffie-hellman-group14-sha1"
23 kexAlgoECDH256 = "ecdh-sha2-nistp256"
24 kexAlgoECDH384 = "ecdh-sha2-nistp384"
25 kexAlgoECDH521 = "ecdh-sha2-nistp521"
26 kexAlgoCurve25519SHA256 = "curve25519-sha256@libssh.org"
27)
28
29// kexResult captures the outcome of a key exchange.
30type kexResult struct {
31 // Session hash. See also RFC 4253, section 8.
32 H []byte
33
34 // Shared secret. See also RFC 4253, section 8.
35 K []byte
36
37 // Host key as hashed into H.
38 HostKey []byte
39
40 // Signature of H.
41 Signature []byte
42
43 // A cryptographic hash function that matches the security
44 // level of the key exchange algorithm. It is used for
45 // calculating H, and for deriving keys from H and K.
46 Hash crypto.Hash
47
48 // The session ID, which is the first H computed. This is used
49 // to derive key material inside the transport.
50 SessionID []byte
51}
52
53// handshakeMagics contains data that is always included in the
54// session hash.
55type handshakeMagics struct {
56 clientVersion, serverVersion []byte
57 clientKexInit, serverKexInit []byte
58}
59
60func (m *handshakeMagics) write(w io.Writer) {
61 writeString(w, m.clientVersion)
62 writeString(w, m.serverVersion)
63 writeString(w, m.clientKexInit)
64 writeString(w, m.serverKexInit)
65}
66
67// kexAlgorithm abstracts different key exchange algorithms.
68type kexAlgorithm interface {
69 // Server runs server-side key agreement, signing the result
70 // with a hostkey.
71 Server(p packetConn, rand io.Reader, magics *handshakeMagics, s Signer) (*kexResult, error)
72
73 // Client runs the client-side key agreement. Caller is
74 // responsible for verifying the host key signature.
75 Client(p packetConn, rand io.Reader, magics *handshakeMagics) (*kexResult, error)
76}
77
78// dhGroup is a multiplicative group suitable for implementing Diffie-Hellman key agreement.
79type dhGroup struct {
80 g, p, pMinus1 *big.Int
81}
82
83func (group *dhGroup) diffieHellman(theirPublic, myPrivate *big.Int) (*big.Int, error) {
84 if theirPublic.Cmp(bigOne) <= 0 || theirPublic.Cmp(group.pMinus1) >= 0 {
85 return nil, errors.New("ssh: DH parameter out of bounds")
86 }
87 return new(big.Int).Exp(theirPublic, myPrivate, group.p), nil
88}
89
90func (group *dhGroup) Client(c packetConn, randSource io.Reader, magics *handshakeMagics) (*kexResult, error) {
91 hashFunc := crypto.SHA1
92
93 var x *big.Int
94 for {
95 var err error
96 if x, err = rand.Int(randSource, group.pMinus1); err != nil {
97 return nil, err
98 }
99 if x.Sign() > 0 {
100 break
101 }
102 }
103
104 X := new(big.Int).Exp(group.g, x, group.p)
105 kexDHInit := kexDHInitMsg{
106 X: X,
107 }
108 if err := c.writePacket(Marshal(&kexDHInit)); err != nil {
109 return nil, err
110 }
111
112 packet, err := c.readPacket()
113 if err != nil {
114 return nil, err
115 }
116
117 var kexDHReply kexDHReplyMsg
118 if err = Unmarshal(packet, &kexDHReply); err != nil {
119 return nil, err
120 }
121
122 kInt, err := group.diffieHellman(kexDHReply.Y, x)
123 if err != nil {
124 return nil, err
125 }
126
127 h := hashFunc.New()
128 magics.write(h)
129 writeString(h, kexDHReply.HostKey)
130 writeInt(h, X)
131 writeInt(h, kexDHReply.Y)
132 K := make([]byte, intLength(kInt))
133 marshalInt(K, kInt)
134 h.Write(K)
135
136 return &kexResult{
137 H: h.Sum(nil),
138 K: K,
139 HostKey: kexDHReply.HostKey,
140 Signature: kexDHReply.Signature,
141 Hash: crypto.SHA1,
142 }, nil
143}
144
145func (group *dhGroup) Server(c packetConn, randSource io.Reader, magics *handshakeMagics, priv Signer) (result *kexResult, err error) {
146 hashFunc := crypto.SHA1
147 packet, err := c.readPacket()
148 if err != nil {
149 return
150 }
151 var kexDHInit kexDHInitMsg
152 if err = Unmarshal(packet, &kexDHInit); err != nil {
153 return
154 }
155
156 var y *big.Int
157 for {
158 if y, err = rand.Int(randSource, group.pMinus1); err != nil {
159 return
160 }
161 if y.Sign() > 0 {
162 break
163 }
164 }
165
166 Y := new(big.Int).Exp(group.g, y, group.p)
167 kInt, err := group.diffieHellman(kexDHInit.X, y)
168 if err != nil {
169 return nil, err
170 }
171
172 hostKeyBytes := priv.PublicKey().Marshal()
173
174 h := hashFunc.New()
175 magics.write(h)
176 writeString(h, hostKeyBytes)
177 writeInt(h, kexDHInit.X)
178 writeInt(h, Y)
179
180 K := make([]byte, intLength(kInt))
181 marshalInt(K, kInt)
182 h.Write(K)
183
184 H := h.Sum(nil)
185
186 // H is already a hash, but the hostkey signing will apply its
187 // own key-specific hash algorithm.
188 sig, err := signAndMarshal(priv, randSource, H)
189 if err != nil {
190 return nil, err
191 }
192
193 kexDHReply := kexDHReplyMsg{
194 HostKey: hostKeyBytes,
195 Y: Y,
196 Signature: sig,
197 }
198 packet = Marshal(&kexDHReply)
199
200 err = c.writePacket(packet)
201 return &kexResult{
202 H: H,
203 K: K,
204 HostKey: hostKeyBytes,
205 Signature: sig,
206 Hash: crypto.SHA1,
207 }, nil
208}
209
210// ecdh performs Elliptic Curve Diffie-Hellman key exchange as
211// described in RFC 5656, section 4.
212type ecdh struct {
213 curve elliptic.Curve
214}
215
216func (kex *ecdh) Client(c packetConn, rand io.Reader, magics *handshakeMagics) (*kexResult, error) {
217 ephKey, err := ecdsa.GenerateKey(kex.curve, rand)
218 if err != nil {
219 return nil, err
220 }
221
222 kexInit := kexECDHInitMsg{
223 ClientPubKey: elliptic.Marshal(kex.curve, ephKey.PublicKey.X, ephKey.PublicKey.Y),
224 }
225
226 serialized := Marshal(&kexInit)
227 if err := c.writePacket(serialized); err != nil {
228 return nil, err
229 }
230
231 packet, err := c.readPacket()
232 if err != nil {
233 return nil, err
234 }
235
236 var reply kexECDHReplyMsg
237 if err = Unmarshal(packet, &reply); err != nil {
238 return nil, err
239 }
240
241 x, y, err := unmarshalECKey(kex.curve, reply.EphemeralPubKey)
242 if err != nil {
243 return nil, err
244 }
245
246 // generate shared secret
247 secret, _ := kex.curve.ScalarMult(x, y, ephKey.D.Bytes())
248
249 h := ecHash(kex.curve).New()
250 magics.write(h)
251 writeString(h, reply.HostKey)
252 writeString(h, kexInit.ClientPubKey)
253 writeString(h, reply.EphemeralPubKey)
254 K := make([]byte, intLength(secret))
255 marshalInt(K, secret)
256 h.Write(K)
257
258 return &kexResult{
259 H: h.Sum(nil),
260 K: K,
261 HostKey: reply.HostKey,
262 Signature: reply.Signature,
263 Hash: ecHash(kex.curve),
264 }, nil
265}
266
267// unmarshalECKey parses and checks an EC key.
268func unmarshalECKey(curve elliptic.Curve, pubkey []byte) (x, y *big.Int, err error) {
269 x, y = elliptic.Unmarshal(curve, pubkey)
270 if x == nil {
271 return nil, nil, errors.New("ssh: elliptic.Unmarshal failure")
272 }
273 if !validateECPublicKey(curve, x, y) {
274 return nil, nil, errors.New("ssh: public key not on curve")
275 }
276 return x, y, nil
277}
278
279// validateECPublicKey checks that the point is a valid public key for
280// the given curve. See [SEC1], 3.2.2
281func validateECPublicKey(curve elliptic.Curve, x, y *big.Int) bool {
282 if x.Sign() == 0 && y.Sign() == 0 {
283 return false
284 }
285
286 if x.Cmp(curve.Params().P) >= 0 {
287 return false
288 }
289
290 if y.Cmp(curve.Params().P) >= 0 {
291 return false
292 }
293
294 if !curve.IsOnCurve(x, y) {
295 return false
296 }
297
298 // We don't check if N * PubKey == 0, since
299 //
300 // - the NIST curves have cofactor = 1, so this is implicit.
301 // (We don't foresee an implementation that supports non NIST
302 // curves)
303 //
304 // - for ephemeral keys, we don't need to worry about small
305 // subgroup attacks.
306 return true
307}
308
309func (kex *ecdh) Server(c packetConn, rand io.Reader, magics *handshakeMagics, priv Signer) (result *kexResult, err error) {
310 packet, err := c.readPacket()
311 if err != nil {
312 return nil, err
313 }
314
315 var kexECDHInit kexECDHInitMsg
316 if err = Unmarshal(packet, &kexECDHInit); err != nil {
317 return nil, err
318 }
319
320 clientX, clientY, err := unmarshalECKey(kex.curve, kexECDHInit.ClientPubKey)
321 if err != nil {
322 return nil, err
323 }
324
325 // We could cache this key across multiple users/multiple
326 // connection attempts, but the benefit is small. OpenSSH
327 // generates a new key for each incoming connection.
328 ephKey, err := ecdsa.GenerateKey(kex.curve, rand)
329 if err != nil {
330 return nil, err
331 }
332
333 hostKeyBytes := priv.PublicKey().Marshal()
334
335 serializedEphKey := elliptic.Marshal(kex.curve, ephKey.PublicKey.X, ephKey.PublicKey.Y)
336
337 // generate shared secret
338 secret, _ := kex.curve.ScalarMult(clientX, clientY, ephKey.D.Bytes())
339
340 h := ecHash(kex.curve).New()
341 magics.write(h)
342 writeString(h, hostKeyBytes)
343 writeString(h, kexECDHInit.ClientPubKey)
344 writeString(h, serializedEphKey)
345
346 K := make([]byte, intLength(secret))
347 marshalInt(K, secret)
348 h.Write(K)
349
350 H := h.Sum(nil)
351
352 // H is already a hash, but the hostkey signing will apply its
353 // own key-specific hash algorithm.
354 sig, err := signAndMarshal(priv, rand, H)
355 if err != nil {
356 return nil, err
357 }
358
359 reply := kexECDHReplyMsg{
360 EphemeralPubKey: serializedEphKey,
361 HostKey: hostKeyBytes,
362 Signature: sig,
363 }
364
365 serialized := Marshal(&reply)
366 if err := c.writePacket(serialized); err != nil {
367 return nil, err
368 }
369
370 return &kexResult{
371 H: H,
372 K: K,
373 HostKey: reply.HostKey,
374 Signature: sig,
375 Hash: ecHash(kex.curve),
376 }, nil
377}
378
379var kexAlgoMap = map[string]kexAlgorithm{}
380
381func init() {
382 // This is the group called diffie-hellman-group1-sha1 in RFC
383 // 4253 and Oakley Group 2 in RFC 2409.
384 p, _ := new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
385 kexAlgoMap[kexAlgoDH1SHA1] = &dhGroup{
386 g: new(big.Int).SetInt64(2),
387 p: p,
388 pMinus1: new(big.Int).Sub(p, bigOne),
389 }
390
391 // This is the group called diffie-hellman-group14-sha1 in RFC
392 // 4253 and Oakley Group 14 in RFC 3526.
393 p, _ = new(big.Int).SetString("FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF", 16)
394
395 kexAlgoMap[kexAlgoDH14SHA1] = &dhGroup{
396 g: new(big.Int).SetInt64(2),
397 p: p,
398 pMinus1: new(big.Int).Sub(p, bigOne),
399 }
400
401 kexAlgoMap[kexAlgoECDH521] = &ecdh{elliptic.P521()}
402 kexAlgoMap[kexAlgoECDH384] = &ecdh{elliptic.P384()}
403 kexAlgoMap[kexAlgoECDH256] = &ecdh{elliptic.P256()}
404 kexAlgoMap[kexAlgoCurve25519SHA256] = &curve25519sha256{}
405}
406
407// curve25519sha256 implements the curve25519-sha256@libssh.org key
408// agreement protocol, as described in
409// https://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt
410type curve25519sha256 struct{}
411
412type curve25519KeyPair struct {
413 priv [32]byte
414 pub [32]byte
415}
416
417func (kp *curve25519KeyPair) generate(rand io.Reader) error {
418 if _, err := io.ReadFull(rand, kp.priv[:]); err != nil {
419 return err
420 }
421 curve25519.ScalarBaseMult(&kp.pub, &kp.priv)
422 return nil
423}
424
425// curve25519Zeros is just an array of 32 zero bytes so that we have something
426// convenient to compare against in order to reject curve25519 points with the
427// wrong order.
428var curve25519Zeros [32]byte
429
430func (kex *curve25519sha256) Client(c packetConn, rand io.Reader, magics *handshakeMagics) (*kexResult, error) {
431 var kp curve25519KeyPair
432 if err := kp.generate(rand); err != nil {
433 return nil, err
434 }
435 if err := c.writePacket(Marshal(&kexECDHInitMsg{kp.pub[:]})); err != nil {
436 return nil, err
437 }
438
439 packet, err := c.readPacket()
440 if err != nil {
441 return nil, err
442 }
443
444 var reply kexECDHReplyMsg
445 if err = Unmarshal(packet, &reply); err != nil {
446 return nil, err
447 }
448 if len(reply.EphemeralPubKey) != 32 {
449 return nil, errors.New("ssh: peer's curve25519 public value has wrong length")
450 }
451
452 var servPub, secret [32]byte
453 copy(servPub[:], reply.EphemeralPubKey)
454 curve25519.ScalarMult(&secret, &kp.priv, &servPub)
455 if subtle.ConstantTimeCompare(secret[:], curve25519Zeros[:]) == 1 {
456 return nil, errors.New("ssh: peer's curve25519 public value has wrong order")
457 }
458
459 h := crypto.SHA256.New()
460 magics.write(h)
461 writeString(h, reply.HostKey)
462 writeString(h, kp.pub[:])
463 writeString(h, reply.EphemeralPubKey)
464
465 kInt := new(big.Int).SetBytes(secret[:])
466 K := make([]byte, intLength(kInt))
467 marshalInt(K, kInt)
468 h.Write(K)
469
470 return &kexResult{
471 H: h.Sum(nil),
472 K: K,
473 HostKey: reply.HostKey,
474 Signature: reply.Signature,
475 Hash: crypto.SHA256,
476 }, nil
477}
478
479func (kex *curve25519sha256) Server(c packetConn, rand io.Reader, magics *handshakeMagics, priv Signer) (result *kexResult, err error) {
480 packet, err := c.readPacket()
481 if err != nil {
482 return
483 }
484 var kexInit kexECDHInitMsg
485 if err = Unmarshal(packet, &kexInit); err != nil {
486 return
487 }
488
489 if len(kexInit.ClientPubKey) != 32 {
490 return nil, errors.New("ssh: peer's curve25519 public value has wrong length")
491 }
492
493 var kp curve25519KeyPair
494 if err := kp.generate(rand); err != nil {
495 return nil, err
496 }
497
498 var clientPub, secret [32]byte
499 copy(clientPub[:], kexInit.ClientPubKey)
500 curve25519.ScalarMult(&secret, &kp.priv, &clientPub)
501 if subtle.ConstantTimeCompare(secret[:], curve25519Zeros[:]) == 1 {
502 return nil, errors.New("ssh: peer's curve25519 public value has wrong order")
503 }
504
505 hostKeyBytes := priv.PublicKey().Marshal()
506
507 h := crypto.SHA256.New()
508 magics.write(h)
509 writeString(h, hostKeyBytes)
510 writeString(h, kexInit.ClientPubKey)
511 writeString(h, kp.pub[:])
512
513 kInt := new(big.Int).SetBytes(secret[:])
514 K := make([]byte, intLength(kInt))
515 marshalInt(K, kInt)
516 h.Write(K)
517
518 H := h.Sum(nil)
519
520 sig, err := signAndMarshal(priv, rand, H)
521 if err != nil {
522 return nil, err
523 }
524
525 reply := kexECDHReplyMsg{
526 EphemeralPubKey: kp.pub[:],
527 HostKey: hostKeyBytes,
528 Signature: sig,
529 }
530 if err := c.writePacket(Marshal(&reply)); err != nil {
531 return nil, err
532 }
533 return &kexResult{
534 H: H,
535 K: K,
536 HostKey: hostKeyBytes,
537 Signature: sig,
538 Hash: crypto.SHA256,
539 }, nil
540}
diff --git a/vendor/golang.org/x/crypto/ssh/keys.go b/vendor/golang.org/x/crypto/ssh/keys.go
deleted file mode 100644
index f38de98..0000000
--- a/vendor/golang.org/x/crypto/ssh/keys.go
+++ /dev/null
@@ -1,905 +0,0 @@
1// Copyright 2012 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7import (
8 "bytes"
9 "crypto"
10 "crypto/dsa"
11 "crypto/ecdsa"
12 "crypto/elliptic"
13 "crypto/md5"
14 "crypto/rsa"
15 "crypto/sha256"
16 "crypto/x509"
17 "encoding/asn1"
18 "encoding/base64"
19 "encoding/hex"
20 "encoding/pem"
21 "errors"
22 "fmt"
23 "io"
24 "math/big"
25 "strings"
26
27 "golang.org/x/crypto/ed25519"
28)
29
30// These constants represent the algorithm names for key types supported by this
31// package.
32const (
33 KeyAlgoRSA = "ssh-rsa"
34 KeyAlgoDSA = "ssh-dss"
35 KeyAlgoECDSA256 = "ecdsa-sha2-nistp256"
36 KeyAlgoECDSA384 = "ecdsa-sha2-nistp384"
37 KeyAlgoECDSA521 = "ecdsa-sha2-nistp521"
38 KeyAlgoED25519 = "ssh-ed25519"
39)
40
41// parsePubKey parses a public key of the given algorithm.
42// Use ParsePublicKey for keys with prepended algorithm.
43func parsePubKey(in []byte, algo string) (pubKey PublicKey, rest []byte, err error) {
44 switch algo {
45 case KeyAlgoRSA:
46 return parseRSA(in)
47 case KeyAlgoDSA:
48 return parseDSA(in)
49 case KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521:
50 return parseECDSA(in)
51 case KeyAlgoED25519:
52 return parseED25519(in)
53 case CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01, CertAlgoED25519v01:
54 cert, err := parseCert(in, certToPrivAlgo(algo))
55 if err != nil {
56 return nil, nil, err
57 }
58 return cert, nil, nil
59 }
60 return nil, nil, fmt.Errorf("ssh: unknown key algorithm: %v", algo)
61}
62
63// parseAuthorizedKey parses a public key in OpenSSH authorized_keys format
64// (see sshd(8) manual page) once the options and key type fields have been
65// removed.
66func parseAuthorizedKey(in []byte) (out PublicKey, comment string, err error) {
67 in = bytes.TrimSpace(in)
68
69 i := bytes.IndexAny(in, " \t")
70 if i == -1 {
71 i = len(in)
72 }
73 base64Key := in[:i]
74
75 key := make([]byte, base64.StdEncoding.DecodedLen(len(base64Key)))
76 n, err := base64.StdEncoding.Decode(key, base64Key)
77 if err != nil {
78 return nil, "", err
79 }
80 key = key[:n]
81 out, err = ParsePublicKey(key)
82 if err != nil {
83 return nil, "", err
84 }
85 comment = string(bytes.TrimSpace(in[i:]))
86 return out, comment, nil
87}
88
89// ParseKnownHosts parses an entry in the format of the known_hosts file.
90//
91// The known_hosts format is documented in the sshd(8) manual page. This
92// function will parse a single entry from in. On successful return, marker
93// will contain the optional marker value (i.e. "cert-authority" or "revoked")
94// or else be empty, hosts will contain the hosts that this entry matches,
95// pubKey will contain the public key and comment will contain any trailing
96// comment at the end of the line. See the sshd(8) manual page for the various
97// forms that a host string can take.
98//
99// The unparsed remainder of the input will be returned in rest. This function
100// can be called repeatedly to parse multiple entries.
101//
102// If no entries were found in the input then err will be io.EOF. Otherwise a
103// non-nil err value indicates a parse error.
104func ParseKnownHosts(in []byte) (marker string, hosts []string, pubKey PublicKey, comment string, rest []byte, err error) {
105 for len(in) > 0 {
106 end := bytes.IndexByte(in, '\n')
107 if end != -1 {
108 rest = in[end+1:]
109 in = in[:end]
110 } else {
111 rest = nil
112 }
113
114 end = bytes.IndexByte(in, '\r')
115 if end != -1 {
116 in = in[:end]
117 }
118
119 in = bytes.TrimSpace(in)
120 if len(in) == 0 || in[0] == '#' {
121 in = rest
122 continue
123 }
124
125 i := bytes.IndexAny(in, " \t")
126 if i == -1 {
127 in = rest
128 continue
129 }
130
131 // Strip out the beginning of the known_host key.
132 // This is either an optional marker or a (set of) hostname(s).
133 keyFields := bytes.Fields(in)
134 if len(keyFields) < 3 || len(keyFields) > 5 {
135 return "", nil, nil, "", nil, errors.New("ssh: invalid entry in known_hosts data")
136 }
137
138 // keyFields[0] is either "@cert-authority", "@revoked" or a comma separated
139 // list of hosts
140 marker := ""
141 if keyFields[0][0] == '@' {
142 marker = string(keyFields[0][1:])
143 keyFields = keyFields[1:]
144 }
145
146 hosts := string(keyFields[0])
147 // keyFields[1] contains the key type (e.g. “ssh-rsa”).
148 // However, that information is duplicated inside the
149 // base64-encoded key and so is ignored here.
150
151 key := bytes.Join(keyFields[2:], []byte(" "))
152 if pubKey, comment, err = parseAuthorizedKey(key); err != nil {
153 return "", nil, nil, "", nil, err
154 }
155
156 return marker, strings.Split(hosts, ","), pubKey, comment, rest, nil
157 }
158
159 return "", nil, nil, "", nil, io.EOF
160}
161
162// ParseAuthorizedKeys parses a public key from an authorized_keys
163// file used in OpenSSH according to the sshd(8) manual page.
164func ParseAuthorizedKey(in []byte) (out PublicKey, comment string, options []string, rest []byte, err error) {
165 for len(in) > 0 {
166 end := bytes.IndexByte(in, '\n')
167 if end != -1 {
168 rest = in[end+1:]
169 in = in[:end]
170 } else {
171 rest = nil
172 }
173
174 end = bytes.IndexByte(in, '\r')
175 if end != -1 {
176 in = in[:end]
177 }
178
179 in = bytes.TrimSpace(in)
180 if len(in) == 0 || in[0] == '#' {
181 in = rest
182 continue
183 }
184
185 i := bytes.IndexAny(in, " \t")
186 if i == -1 {
187 in = rest
188 continue
189 }
190
191 if out, comment, err = parseAuthorizedKey(in[i:]); err == nil {
192 return out, comment, options, rest, nil
193 }
194
195 // No key type recognised. Maybe there's an options field at
196 // the beginning.
197 var b byte
198 inQuote := false
199 var candidateOptions []string
200 optionStart := 0
201 for i, b = range in {
202 isEnd := !inQuote && (b == ' ' || b == '\t')
203 if (b == ',' && !inQuote) || isEnd {
204 if i-optionStart > 0 {
205 candidateOptions = append(candidateOptions, string(in[optionStart:i]))
206 }
207 optionStart = i + 1
208 }
209 if isEnd {
210 break
211 }
212 if b == '"' && (i == 0 || (i > 0 && in[i-1] != '\\')) {
213 inQuote = !inQuote
214 }
215 }
216 for i < len(in) && (in[i] == ' ' || in[i] == '\t') {
217 i++
218 }
219 if i == len(in) {
220 // Invalid line: unmatched quote
221 in = rest
222 continue
223 }
224
225 in = in[i:]
226 i = bytes.IndexAny(in, " \t")
227 if i == -1 {
228 in = rest
229 continue
230 }
231
232 if out, comment, err = parseAuthorizedKey(in[i:]); err == nil {
233 options = candidateOptions
234 return out, comment, options, rest, nil
235 }
236
237 in = rest
238 continue
239 }
240
241 return nil, "", nil, nil, errors.New("ssh: no key found")
242}
243
244// ParsePublicKey parses an SSH public key formatted for use in
245// the SSH wire protocol according to RFC 4253, section 6.6.
246func ParsePublicKey(in []byte) (out PublicKey, err error) {
247 algo, in, ok := parseString(in)
248 if !ok {
249 return nil, errShortRead
250 }
251 var rest []byte
252 out, rest, err = parsePubKey(in, string(algo))
253 if len(rest) > 0 {
254 return nil, errors.New("ssh: trailing junk in public key")
255 }
256
257 return out, err
258}
259
260// MarshalAuthorizedKey serializes key for inclusion in an OpenSSH
261// authorized_keys file. The return value ends with newline.
262func MarshalAuthorizedKey(key PublicKey) []byte {
263 b := &bytes.Buffer{}
264 b.WriteString(key.Type())
265 b.WriteByte(' ')
266 e := base64.NewEncoder(base64.StdEncoding, b)
267 e.Write(key.Marshal())
268 e.Close()
269 b.WriteByte('\n')
270 return b.Bytes()
271}
272
273// PublicKey is an abstraction of different types of public keys.
274type PublicKey interface {
275 // Type returns the key's type, e.g. "ssh-rsa".
276 Type() string
277
278 // Marshal returns the serialized key data in SSH wire format,
279 // with the name prefix.
280 Marshal() []byte
281
282 // Verify that sig is a signature on the given data using this
283 // key. This function will hash the data appropriately first.
284 Verify(data []byte, sig *Signature) error
285}
286
287// CryptoPublicKey, if implemented by a PublicKey,
288// returns the underlying crypto.PublicKey form of the key.
289type CryptoPublicKey interface {
290 CryptoPublicKey() crypto.PublicKey
291}
292
293// A Signer can create signatures that verify against a public key.
294type Signer interface {
295 // PublicKey returns an associated PublicKey instance.
296 PublicKey() PublicKey
297
298 // Sign returns raw signature for the given data. This method
299 // will apply the hash specified for the keytype to the data.
300 Sign(rand io.Reader, data []byte) (*Signature, error)
301}
302
303type rsaPublicKey rsa.PublicKey
304
305func (r *rsaPublicKey) Type() string {
306 return "ssh-rsa"
307}
308
309// parseRSA parses an RSA key according to RFC 4253, section 6.6.
310func parseRSA(in []byte) (out PublicKey, rest []byte, err error) {
311 var w struct {
312 E *big.Int
313 N *big.Int
314 Rest []byte `ssh:"rest"`
315 }
316 if err := Unmarshal(in, &w); err != nil {
317 return nil, nil, err
318 }
319
320 if w.E.BitLen() > 24 {
321 return nil, nil, errors.New("ssh: exponent too large")
322 }
323 e := w.E.Int64()
324 if e < 3 || e&1 == 0 {
325 return nil, nil, errors.New("ssh: incorrect exponent")
326 }
327
328 var key rsa.PublicKey
329 key.E = int(e)
330 key.N = w.N
331 return (*rsaPublicKey)(&key), w.Rest, nil
332}
333
334func (r *rsaPublicKey) Marshal() []byte {
335 e := new(big.Int).SetInt64(int64(r.E))
336 // RSA publickey struct layout should match the struct used by
337 // parseRSACert in the x/crypto/ssh/agent package.
338 wirekey := struct {
339 Name string
340 E *big.Int
341 N *big.Int
342 }{
343 KeyAlgoRSA,
344 e,
345 r.N,
346 }
347 return Marshal(&wirekey)
348}
349
350func (r *rsaPublicKey) Verify(data []byte, sig *Signature) error {
351 if sig.Format != r.Type() {
352 return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, r.Type())
353 }
354 h := crypto.SHA1.New()
355 h.Write(data)
356 digest := h.Sum(nil)
357 return rsa.VerifyPKCS1v15((*rsa.PublicKey)(r), crypto.SHA1, digest, sig.Blob)
358}
359
360func (r *rsaPublicKey) CryptoPublicKey() crypto.PublicKey {
361 return (*rsa.PublicKey)(r)
362}
363
364type dsaPublicKey dsa.PublicKey
365
366func (r *dsaPublicKey) Type() string {
367 return "ssh-dss"
368}
369
370// parseDSA parses an DSA key according to RFC 4253, section 6.6.
371func parseDSA(in []byte) (out PublicKey, rest []byte, err error) {
372 var w struct {
373 P, Q, G, Y *big.Int
374 Rest []byte `ssh:"rest"`
375 }
376 if err := Unmarshal(in, &w); err != nil {
377 return nil, nil, err
378 }
379
380 key := &dsaPublicKey{
381 Parameters: dsa.Parameters{
382 P: w.P,
383 Q: w.Q,
384 G: w.G,
385 },
386 Y: w.Y,
387 }
388 return key, w.Rest, nil
389}
390
391func (k *dsaPublicKey) Marshal() []byte {
392 // DSA publickey struct layout should match the struct used by
393 // parseDSACert in the x/crypto/ssh/agent package.
394 w := struct {
395 Name string
396 P, Q, G, Y *big.Int
397 }{
398 k.Type(),
399 k.P,
400 k.Q,
401 k.G,
402 k.Y,
403 }
404
405 return Marshal(&w)
406}
407
408func (k *dsaPublicKey) Verify(data []byte, sig *Signature) error {
409 if sig.Format != k.Type() {
410 return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, k.Type())
411 }
412 h := crypto.SHA1.New()
413 h.Write(data)
414 digest := h.Sum(nil)
415
416 // Per RFC 4253, section 6.6,
417 // The value for 'dss_signature_blob' is encoded as a string containing
418 // r, followed by s (which are 160-bit integers, without lengths or
419 // padding, unsigned, and in network byte order).
420 // For DSS purposes, sig.Blob should be exactly 40 bytes in length.
421 if len(sig.Blob) != 40 {
422 return errors.New("ssh: DSA signature parse error")
423 }
424 r := new(big.Int).SetBytes(sig.Blob[:20])
425 s := new(big.Int).SetBytes(sig.Blob[20:])
426 if dsa.Verify((*dsa.PublicKey)(k), digest, r, s) {
427 return nil
428 }
429 return errors.New("ssh: signature did not verify")
430}
431
432func (k *dsaPublicKey) CryptoPublicKey() crypto.PublicKey {
433 return (*dsa.PublicKey)(k)
434}
435
436type dsaPrivateKey struct {
437 *dsa.PrivateKey
438}
439
440func (k *dsaPrivateKey) PublicKey() PublicKey {
441 return (*dsaPublicKey)(&k.PrivateKey.PublicKey)
442}
443
444func (k *dsaPrivateKey) Sign(rand io.Reader, data []byte) (*Signature, error) {
445 h := crypto.SHA1.New()
446 h.Write(data)
447 digest := h.Sum(nil)
448 r, s, err := dsa.Sign(rand, k.PrivateKey, digest)
449 if err != nil {
450 return nil, err
451 }
452
453 sig := make([]byte, 40)
454 rb := r.Bytes()
455 sb := s.Bytes()
456
457 copy(sig[20-len(rb):20], rb)
458 copy(sig[40-len(sb):], sb)
459
460 return &Signature{
461 Format: k.PublicKey().Type(),
462 Blob: sig,
463 }, nil
464}
465
466type ecdsaPublicKey ecdsa.PublicKey
467
468func (key *ecdsaPublicKey) Type() string {
469 return "ecdsa-sha2-" + key.nistID()
470}
471
472func (key *ecdsaPublicKey) nistID() string {
473 switch key.Params().BitSize {
474 case 256:
475 return "nistp256"
476 case 384:
477 return "nistp384"
478 case 521:
479 return "nistp521"
480 }
481 panic("ssh: unsupported ecdsa key size")
482}
483
484type ed25519PublicKey ed25519.PublicKey
485
486func (key ed25519PublicKey) Type() string {
487 return KeyAlgoED25519
488}
489
490func parseED25519(in []byte) (out PublicKey, rest []byte, err error) {
491 var w struct {
492 KeyBytes []byte
493 Rest []byte `ssh:"rest"`
494 }
495
496 if err := Unmarshal(in, &w); err != nil {
497 return nil, nil, err
498 }
499
500 key := ed25519.PublicKey(w.KeyBytes)
501
502 return (ed25519PublicKey)(key), w.Rest, nil
503}
504
505func (key ed25519PublicKey) Marshal() []byte {
506 w := struct {
507 Name string
508 KeyBytes []byte
509 }{
510 KeyAlgoED25519,
511 []byte(key),
512 }
513 return Marshal(&w)
514}
515
516func (key ed25519PublicKey) Verify(b []byte, sig *Signature) error {
517 if sig.Format != key.Type() {
518 return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, key.Type())
519 }
520
521 edKey := (ed25519.PublicKey)(key)
522 if ok := ed25519.Verify(edKey, b, sig.Blob); !ok {
523 return errors.New("ssh: signature did not verify")
524 }
525
526 return nil
527}
528
529func (k ed25519PublicKey) CryptoPublicKey() crypto.PublicKey {
530 return ed25519.PublicKey(k)
531}
532
533func supportedEllipticCurve(curve elliptic.Curve) bool {
534 return curve == elliptic.P256() || curve == elliptic.P384() || curve == elliptic.P521()
535}
536
537// ecHash returns the hash to match the given elliptic curve, see RFC
538// 5656, section 6.2.1
539func ecHash(curve elliptic.Curve) crypto.Hash {
540 bitSize := curve.Params().BitSize
541 switch {
542 case bitSize <= 256:
543 return crypto.SHA256
544 case bitSize <= 384:
545 return crypto.SHA384
546 }
547 return crypto.SHA512
548}
549
550// parseECDSA parses an ECDSA key according to RFC 5656, section 3.1.
551func parseECDSA(in []byte) (out PublicKey, rest []byte, err error) {
552 var w struct {
553 Curve string
554 KeyBytes []byte
555 Rest []byte `ssh:"rest"`
556 }
557
558 if err := Unmarshal(in, &w); err != nil {
559 return nil, nil, err
560 }
561
562 key := new(ecdsa.PublicKey)
563
564 switch w.Curve {
565 case "nistp256":
566 key.Curve = elliptic.P256()
567 case "nistp384":
568 key.Curve = elliptic.P384()
569 case "nistp521":
570 key.Curve = elliptic.P521()
571 default:
572 return nil, nil, errors.New("ssh: unsupported curve")
573 }
574
575 key.X, key.Y = elliptic.Unmarshal(key.Curve, w.KeyBytes)
576 if key.X == nil || key.Y == nil {
577 return nil, nil, errors.New("ssh: invalid curve point")
578 }
579 return (*ecdsaPublicKey)(key), w.Rest, nil
580}
581
582func (key *ecdsaPublicKey) Marshal() []byte {
583 // See RFC 5656, section 3.1.
584 keyBytes := elliptic.Marshal(key.Curve, key.X, key.Y)
585 // ECDSA publickey struct layout should match the struct used by
586 // parseECDSACert in the x/crypto/ssh/agent package.
587 w := struct {
588 Name string
589 ID string
590 Key []byte
591 }{
592 key.Type(),
593 key.nistID(),
594 keyBytes,
595 }
596
597 return Marshal(&w)
598}
599
600func (key *ecdsaPublicKey) Verify(data []byte, sig *Signature) error {
601 if sig.Format != key.Type() {
602 return fmt.Errorf("ssh: signature type %s for key type %s", sig.Format, key.Type())
603 }
604
605 h := ecHash(key.Curve).New()
606 h.Write(data)
607 digest := h.Sum(nil)
608
609 // Per RFC 5656, section 3.1.2,
610 // The ecdsa_signature_blob value has the following specific encoding:
611 // mpint r
612 // mpint s
613 var ecSig struct {
614 R *big.Int
615 S *big.Int
616 }
617
618 if err := Unmarshal(sig.Blob, &ecSig); err != nil {
619 return err
620 }
621
622 if ecdsa.Verify((*ecdsa.PublicKey)(key), digest, ecSig.R, ecSig.S) {
623 return nil
624 }
625 return errors.New("ssh: signature did not verify")
626}
627
628func (k *ecdsaPublicKey) CryptoPublicKey() crypto.PublicKey {
629 return (*ecdsa.PublicKey)(k)
630}
631
632// NewSignerFromKey takes an *rsa.PrivateKey, *dsa.PrivateKey,
633// *ecdsa.PrivateKey or any other crypto.Signer and returns a corresponding
634// Signer instance. ECDSA keys must use P-256, P-384 or P-521.
635func NewSignerFromKey(key interface{}) (Signer, error) {
636 switch key := key.(type) {
637 case crypto.Signer:
638 return NewSignerFromSigner(key)
639 case *dsa.PrivateKey:
640 return &dsaPrivateKey{key}, nil
641 default:
642 return nil, fmt.Errorf("ssh: unsupported key type %T", key)
643 }
644}
645
646type wrappedSigner struct {
647 signer crypto.Signer
648 pubKey PublicKey
649}
650
651// NewSignerFromSigner takes any crypto.Signer implementation and
652// returns a corresponding Signer interface. This can be used, for
653// example, with keys kept in hardware modules.
654func NewSignerFromSigner(signer crypto.Signer) (Signer, error) {
655 pubKey, err := NewPublicKey(signer.Public())
656 if err != nil {
657 return nil, err
658 }
659
660 return &wrappedSigner{signer, pubKey}, nil
661}
662
663func (s *wrappedSigner) PublicKey() PublicKey {
664 return s.pubKey
665}
666
667func (s *wrappedSigner) Sign(rand io.Reader, data []byte) (*Signature, error) {
668 var hashFunc crypto.Hash
669
670 switch key := s.pubKey.(type) {
671 case *rsaPublicKey, *dsaPublicKey:
672 hashFunc = crypto.SHA1
673 case *ecdsaPublicKey:
674 hashFunc = ecHash(key.Curve)
675 case ed25519PublicKey:
676 default:
677 return nil, fmt.Errorf("ssh: unsupported key type %T", key)
678 }
679
680 var digest []byte
681 if hashFunc != 0 {
682 h := hashFunc.New()
683 h.Write(data)
684 digest = h.Sum(nil)
685 } else {
686 digest = data
687 }
688
689 signature, err := s.signer.Sign(rand, digest, hashFunc)
690 if err != nil {
691 return nil, err
692 }
693
694 // crypto.Signer.Sign is expected to return an ASN.1-encoded signature
695 // for ECDSA and DSA, but that's not the encoding expected by SSH, so
696 // re-encode.
697 switch s.pubKey.(type) {
698 case *ecdsaPublicKey, *dsaPublicKey:
699 type asn1Signature struct {
700 R, S *big.Int
701 }
702 asn1Sig := new(asn1Signature)
703 _, err := asn1.Unmarshal(signature, asn1Sig)
704 if err != nil {
705 return nil, err
706 }
707
708 switch s.pubKey.(type) {
709 case *ecdsaPublicKey:
710 signature = Marshal(asn1Sig)
711
712 case *dsaPublicKey:
713 signature = make([]byte, 40)
714 r := asn1Sig.R.Bytes()
715 s := asn1Sig.S.Bytes()
716 copy(signature[20-len(r):20], r)
717 copy(signature[40-len(s):40], s)
718 }
719 }
720
721 return &Signature{
722 Format: s.pubKey.Type(),
723 Blob: signature,
724 }, nil
725}
726
727// NewPublicKey takes an *rsa.PublicKey, *dsa.PublicKey, *ecdsa.PublicKey,
728// or ed25519.PublicKey returns a corresponding PublicKey instance.
729// ECDSA keys must use P-256, P-384 or P-521.
730func NewPublicKey(key interface{}) (PublicKey, error) {
731 switch key := key.(type) {
732 case *rsa.PublicKey:
733 return (*rsaPublicKey)(key), nil
734 case *ecdsa.PublicKey:
735 if !supportedEllipticCurve(key.Curve) {
736 return nil, errors.New("ssh: only P-256, P-384 and P-521 EC keys are supported.")
737 }
738 return (*ecdsaPublicKey)(key), nil
739 case *dsa.PublicKey:
740 return (*dsaPublicKey)(key), nil
741 case ed25519.PublicKey:
742 return (ed25519PublicKey)(key), nil
743 default:
744 return nil, fmt.Errorf("ssh: unsupported key type %T", key)
745 }
746}
747
748// ParsePrivateKey returns a Signer from a PEM encoded private key. It supports
749// the same keys as ParseRawPrivateKey.
750func ParsePrivateKey(pemBytes []byte) (Signer, error) {
751 key, err := ParseRawPrivateKey(pemBytes)
752 if err != nil {
753 return nil, err
754 }
755
756 return NewSignerFromKey(key)
757}
758
759// encryptedBlock tells whether a private key is
760// encrypted by examining its Proc-Type header
761// for a mention of ENCRYPTED
762// according to RFC 1421 Section 4.6.1.1.
763func encryptedBlock(block *pem.Block) bool {
764 return strings.Contains(block.Headers["Proc-Type"], "ENCRYPTED")
765}
766
767// ParseRawPrivateKey returns a private key from a PEM encoded private key. It
768// supports RSA (PKCS#1), DSA (OpenSSL), and ECDSA private keys.
769func ParseRawPrivateKey(pemBytes []byte) (interface{}, error) {
770 block, _ := pem.Decode(pemBytes)
771 if block == nil {
772 return nil, errors.New("ssh: no key found")
773 }
774
775 if encryptedBlock(block) {
776 return nil, errors.New("ssh: cannot decode encrypted private keys")
777 }
778
779 switch block.Type {
780 case "RSA PRIVATE KEY":
781 return x509.ParsePKCS1PrivateKey(block.Bytes)
782 case "EC PRIVATE KEY":
783 return x509.ParseECPrivateKey(block.Bytes)
784 case "DSA PRIVATE KEY":
785 return ParseDSAPrivateKey(block.Bytes)
786 case "OPENSSH PRIVATE KEY":
787 return parseOpenSSHPrivateKey(block.Bytes)
788 default:
789 return nil, fmt.Errorf("ssh: unsupported key type %q", block.Type)
790 }
791}
792
793// ParseDSAPrivateKey returns a DSA private key from its ASN.1 DER encoding, as
794// specified by the OpenSSL DSA man page.
795func ParseDSAPrivateKey(der []byte) (*dsa.PrivateKey, error) {
796 var k struct {
797 Version int
798 P *big.Int
799 Q *big.Int
800 G *big.Int
801 Pub *big.Int
802 Priv *big.Int
803 }
804 rest, err := asn1.Unmarshal(der, &k)
805 if err != nil {
806 return nil, errors.New("ssh: failed to parse DSA key: " + err.Error())
807 }
808 if len(rest) > 0 {
809 return nil, errors.New("ssh: garbage after DSA key")
810 }
811
812 return &dsa.PrivateKey{
813 PublicKey: dsa.PublicKey{
814 Parameters: dsa.Parameters{
815 P: k.P,
816 Q: k.Q,
817 G: k.G,
818 },
819 Y: k.Pub,
820 },
821 X: k.Priv,
822 }, nil
823}
824
825// Implemented based on the documentation at
826// https://github.com/openssh/openssh-portable/blob/master/PROTOCOL.key
827func parseOpenSSHPrivateKey(key []byte) (*ed25519.PrivateKey, error) {
828 magic := append([]byte("openssh-key-v1"), 0)
829 if !bytes.Equal(magic, key[0:len(magic)]) {
830 return nil, errors.New("ssh: invalid openssh private key format")
831 }
832 remaining := key[len(magic):]
833
834 var w struct {
835 CipherName string
836 KdfName string
837 KdfOpts string
838 NumKeys uint32
839 PubKey []byte
840 PrivKeyBlock []byte
841 }
842
843 if err := Unmarshal(remaining, &w); err != nil {
844 return nil, err
845 }
846
847 pk1 := struct {
848 Check1 uint32
849 Check2 uint32
850 Keytype string
851 Pub []byte
852 Priv []byte
853 Comment string
854 Pad []byte `ssh:"rest"`
855 }{}
856
857 if err := Unmarshal(w.PrivKeyBlock, &pk1); err != nil {
858 return nil, err
859 }
860
861 if pk1.Check1 != pk1.Check2 {
862 return nil, errors.New("ssh: checkint mismatch")
863 }
864
865 // we only handle ed25519 keys currently
866 if pk1.Keytype != KeyAlgoED25519 {
867 return nil, errors.New("ssh: unhandled key type")
868 }
869
870 for i, b := range pk1.Pad {
871 if int(b) != i+1 {
872 return nil, errors.New("ssh: padding not as expected")
873 }
874 }
875
876 if len(pk1.Priv) != ed25519.PrivateKeySize {
877 return nil, errors.New("ssh: private key unexpected length")
878 }
879
880 pk := ed25519.PrivateKey(make([]byte, ed25519.PrivateKeySize))
881 copy(pk, pk1.Priv)
882 return &pk, nil
883}
884
885// FingerprintLegacyMD5 returns the user presentation of the key's
886// fingerprint as described by RFC 4716 section 4.
887func FingerprintLegacyMD5(pubKey PublicKey) string {
888 md5sum := md5.Sum(pubKey.Marshal())
889 hexarray := make([]string, len(md5sum))
890 for i, c := range md5sum {
891 hexarray[i] = hex.EncodeToString([]byte{c})
892 }
893 return strings.Join(hexarray, ":")
894}
895
896// FingerprintSHA256 returns the user presentation of the key's
897// fingerprint as unpadded base64 encoded sha256 hash.
898// This format was introduced from OpenSSH 6.8.
899// https://www.openssh.com/txt/release-6.8
900// https://tools.ietf.org/html/rfc4648#section-3.2 (unpadded base64 encoding)
901func FingerprintSHA256(pubKey PublicKey) string {
902 sha256sum := sha256.Sum256(pubKey.Marshal())
903 hash := base64.RawStdEncoding.EncodeToString(sha256sum[:])
904 return "SHA256:" + hash
905}
diff --git a/vendor/golang.org/x/crypto/ssh/mac.go b/vendor/golang.org/x/crypto/ssh/mac.go
deleted file mode 100644
index c07a062..0000000
--- a/vendor/golang.org/x/crypto/ssh/mac.go
+++ /dev/null
@@ -1,61 +0,0 @@
1// Copyright 2012 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7// Message authentication support
8
9import (
10 "crypto/hmac"
11 "crypto/sha1"
12 "crypto/sha256"
13 "hash"
14)
15
16type macMode struct {
17 keySize int
18 etm bool
19 new func(key []byte) hash.Hash
20}
21
22// truncatingMAC wraps around a hash.Hash and truncates the output digest to
23// a given size.
24type truncatingMAC struct {
25 length int
26 hmac hash.Hash
27}
28
29func (t truncatingMAC) Write(data []byte) (int, error) {
30 return t.hmac.Write(data)
31}
32
33func (t truncatingMAC) Sum(in []byte) []byte {
34 out := t.hmac.Sum(in)
35 return out[:len(in)+t.length]
36}
37
38func (t truncatingMAC) Reset() {
39 t.hmac.Reset()
40}
41
42func (t truncatingMAC) Size() int {
43 return t.length
44}
45
46func (t truncatingMAC) BlockSize() int { return t.hmac.BlockSize() }
47
48var macModes = map[string]*macMode{
49 "hmac-sha2-256-etm@openssh.com": {32, true, func(key []byte) hash.Hash {
50 return hmac.New(sha256.New, key)
51 }},
52 "hmac-sha2-256": {32, false, func(key []byte) hash.Hash {
53 return hmac.New(sha256.New, key)
54 }},
55 "hmac-sha1": {20, false, func(key []byte) hash.Hash {
56 return hmac.New(sha1.New, key)
57 }},
58 "hmac-sha1-96": {20, false, func(key []byte) hash.Hash {
59 return truncatingMAC{12, hmac.New(sha1.New, key)}
60 }},
61}
diff --git a/vendor/golang.org/x/crypto/ssh/messages.go b/vendor/golang.org/x/crypto/ssh/messages.go
deleted file mode 100644
index e6ecd3a..0000000
--- a/vendor/golang.org/x/crypto/ssh/messages.go
+++ /dev/null
@@ -1,758 +0,0 @@
1// Copyright 2011 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7import (
8 "bytes"
9 "encoding/binary"
10 "errors"
11 "fmt"
12 "io"
13 "math/big"
14 "reflect"
15 "strconv"
16 "strings"
17)
18
19// These are SSH message type numbers. They are scattered around several
20// documents but many were taken from [SSH-PARAMETERS].
21const (
22 msgIgnore = 2
23 msgUnimplemented = 3
24 msgDebug = 4
25 msgNewKeys = 21
26
27 // Standard authentication messages
28 msgUserAuthSuccess = 52
29 msgUserAuthBanner = 53
30)
31
32// SSH messages:
33//
34// These structures mirror the wire format of the corresponding SSH messages.
35// They are marshaled using reflection with the marshal and unmarshal functions
36// in this file. The only wrinkle is that a final member of type []byte with a
37// ssh tag of "rest" receives the remainder of a packet when unmarshaling.
38
39// See RFC 4253, section 11.1.
40const msgDisconnect = 1
41
42// disconnectMsg is the message that signals a disconnect. It is also
43// the error type returned from mux.Wait()
44type disconnectMsg struct {
45 Reason uint32 `sshtype:"1"`
46 Message string
47 Language string
48}
49
50func (d *disconnectMsg) Error() string {
51 return fmt.Sprintf("ssh: disconnect, reason %d: %s", d.Reason, d.Message)
52}
53
54// See RFC 4253, section 7.1.
55const msgKexInit = 20
56
57type kexInitMsg struct {
58 Cookie [16]byte `sshtype:"20"`
59 KexAlgos []string
60 ServerHostKeyAlgos []string
61 CiphersClientServer []string
62 CiphersServerClient []string
63 MACsClientServer []string
64 MACsServerClient []string
65 CompressionClientServer []string
66 CompressionServerClient []string
67 LanguagesClientServer []string
68 LanguagesServerClient []string
69 FirstKexFollows bool
70 Reserved uint32
71}
72
73// See RFC 4253, section 8.
74
75// Diffie-Helman
76const msgKexDHInit = 30
77
78type kexDHInitMsg struct {
79 X *big.Int `sshtype:"30"`
80}
81
82const msgKexECDHInit = 30
83
84type kexECDHInitMsg struct {
85 ClientPubKey []byte `sshtype:"30"`
86}
87
88const msgKexECDHReply = 31
89
90type kexECDHReplyMsg struct {
91 HostKey []byte `sshtype:"31"`
92 EphemeralPubKey []byte
93 Signature []byte
94}
95
96const msgKexDHReply = 31
97
98type kexDHReplyMsg struct {
99 HostKey []byte `sshtype:"31"`
100 Y *big.Int
101 Signature []byte
102}
103
104// See RFC 4253, section 10.
105const msgServiceRequest = 5
106
107type serviceRequestMsg struct {
108 Service string `sshtype:"5"`
109}
110
111// See RFC 4253, section 10.
112const msgServiceAccept = 6
113
114type serviceAcceptMsg struct {
115 Service string `sshtype:"6"`
116}
117
118// See RFC 4252, section 5.
119const msgUserAuthRequest = 50
120
121type userAuthRequestMsg struct {
122 User string `sshtype:"50"`
123 Service string
124 Method string
125 Payload []byte `ssh:"rest"`
126}
127
128// Used for debug printouts of packets.
129type userAuthSuccessMsg struct {
130}
131
132// See RFC 4252, section 5.1
133const msgUserAuthFailure = 51
134
135type userAuthFailureMsg struct {
136 Methods []string `sshtype:"51"`
137 PartialSuccess bool
138}
139
140// See RFC 4256, section 3.2
141const msgUserAuthInfoRequest = 60
142const msgUserAuthInfoResponse = 61
143
144type userAuthInfoRequestMsg struct {
145 User string `sshtype:"60"`
146 Instruction string
147 DeprecatedLanguage string
148 NumPrompts uint32
149 Prompts []byte `ssh:"rest"`
150}
151
152// See RFC 4254, section 5.1.
153const msgChannelOpen = 90
154
155type channelOpenMsg struct {
156 ChanType string `sshtype:"90"`
157 PeersId uint32
158 PeersWindow uint32
159 MaxPacketSize uint32
160 TypeSpecificData []byte `ssh:"rest"`
161}
162
163const msgChannelExtendedData = 95
164const msgChannelData = 94
165
166// Used for debug print outs of packets.
167type channelDataMsg struct {
168 PeersId uint32 `sshtype:"94"`
169 Length uint32
170 Rest []byte `ssh:"rest"`
171}
172
173// See RFC 4254, section 5.1.
174const msgChannelOpenConfirm = 91
175
176type channelOpenConfirmMsg struct {
177 PeersId uint32 `sshtype:"91"`
178 MyId uint32
179 MyWindow uint32
180 MaxPacketSize uint32
181 TypeSpecificData []byte `ssh:"rest"`
182}
183
184// See RFC 4254, section 5.1.
185const msgChannelOpenFailure = 92
186
187type channelOpenFailureMsg struct {
188 PeersId uint32 `sshtype:"92"`
189 Reason RejectionReason
190 Message string
191 Language string
192}
193
194const msgChannelRequest = 98
195
196type channelRequestMsg struct {
197 PeersId uint32 `sshtype:"98"`
198 Request string
199 WantReply bool
200 RequestSpecificData []byte `ssh:"rest"`
201}
202
203// See RFC 4254, section 5.4.
204const msgChannelSuccess = 99
205
206type channelRequestSuccessMsg struct {
207 PeersId uint32 `sshtype:"99"`
208}
209
210// See RFC 4254, section 5.4.
211const msgChannelFailure = 100
212
213type channelRequestFailureMsg struct {
214 PeersId uint32 `sshtype:"100"`
215}
216
217// See RFC 4254, section 5.3
218const msgChannelClose = 97
219
220type channelCloseMsg struct {
221 PeersId uint32 `sshtype:"97"`
222}
223
224// See RFC 4254, section 5.3
225const msgChannelEOF = 96
226
227type channelEOFMsg struct {
228 PeersId uint32 `sshtype:"96"`
229}
230
231// See RFC 4254, section 4
232const msgGlobalRequest = 80
233
234type globalRequestMsg struct {
235 Type string `sshtype:"80"`
236 WantReply bool
237 Data []byte `ssh:"rest"`
238}
239
240// See RFC 4254, section 4
241const msgRequestSuccess = 81
242
243type globalRequestSuccessMsg struct {
244 Data []byte `ssh:"rest" sshtype:"81"`
245}
246
247// See RFC 4254, section 4
248const msgRequestFailure = 82
249
250type globalRequestFailureMsg struct {
251 Data []byte `ssh:"rest" sshtype:"82"`
252}
253
254// See RFC 4254, section 5.2
255const msgChannelWindowAdjust = 93
256
257type windowAdjustMsg struct {
258 PeersId uint32 `sshtype:"93"`
259 AdditionalBytes uint32
260}
261
262// See RFC 4252, section 7
263const msgUserAuthPubKeyOk = 60
264
265type userAuthPubKeyOkMsg struct {
266 Algo string `sshtype:"60"`
267 PubKey []byte
268}
269
270// typeTags returns the possible type bytes for the given reflect.Type, which
271// should be a struct. The possible values are separated by a '|' character.
272func typeTags(structType reflect.Type) (tags []byte) {
273 tagStr := structType.Field(0).Tag.Get("sshtype")
274
275 for _, tag := range strings.Split(tagStr, "|") {
276 i, err := strconv.Atoi(tag)
277 if err == nil {
278 tags = append(tags, byte(i))
279 }
280 }
281
282 return tags
283}
284
285func fieldError(t reflect.Type, field int, problem string) error {
286 if problem != "" {
287 problem = ": " + problem
288 }
289 return fmt.Errorf("ssh: unmarshal error for field %s of type %s%s", t.Field(field).Name, t.Name(), problem)
290}
291
292var errShortRead = errors.New("ssh: short read")
293
294// Unmarshal parses data in SSH wire format into a structure. The out
295// argument should be a pointer to struct. If the first member of the
296// struct has the "sshtype" tag set to a '|'-separated set of numbers
297// in decimal, the packet must start with one of those numbers. In
298// case of error, Unmarshal returns a ParseError or
299// UnexpectedMessageError.
300func Unmarshal(data []byte, out interface{}) error {
301 v := reflect.ValueOf(out).Elem()
302 structType := v.Type()
303 expectedTypes := typeTags(structType)
304
305 var expectedType byte
306 if len(expectedTypes) > 0 {
307 expectedType = expectedTypes[0]
308 }
309
310 if len(data) == 0 {
311 return parseError(expectedType)
312 }
313
314 if len(expectedTypes) > 0 {
315 goodType := false
316 for _, e := range expectedTypes {
317 if e > 0 && data[0] == e {
318 goodType = true
319 break
320 }
321 }
322 if !goodType {
323 return fmt.Errorf("ssh: unexpected message type %d (expected one of %v)", data[0], expectedTypes)
324 }
325 data = data[1:]
326 }
327
328 var ok bool
329 for i := 0; i < v.NumField(); i++ {
330 field := v.Field(i)
331 t := field.Type()
332 switch t.Kind() {
333 case reflect.Bool:
334 if len(data) < 1 {
335 return errShortRead
336 }
337 field.SetBool(data[0] != 0)
338 data = data[1:]
339 case reflect.Array:
340 if t.Elem().Kind() != reflect.Uint8 {
341 return fieldError(structType, i, "array of unsupported type")
342 }
343 if len(data) < t.Len() {
344 return errShortRead
345 }
346 for j, n := 0, t.Len(); j < n; j++ {
347 field.Index(j).Set(reflect.ValueOf(data[j]))
348 }
349 data = data[t.Len():]
350 case reflect.Uint64:
351 var u64 uint64
352 if u64, data, ok = parseUint64(data); !ok {
353 return errShortRead
354 }
355 field.SetUint(u64)
356 case reflect.Uint32:
357 var u32 uint32
358 if u32, data, ok = parseUint32(data); !ok {
359 return errShortRead
360 }
361 field.SetUint(uint64(u32))
362 case reflect.Uint8:
363 if len(data) < 1 {
364 return errShortRead
365 }
366 field.SetUint(uint64(data[0]))
367 data = data[1:]
368 case reflect.String:
369 var s []byte
370 if s, data, ok = parseString(data); !ok {
371 return fieldError(structType, i, "")
372 }
373 field.SetString(string(s))
374 case reflect.Slice:
375 switch t.Elem().Kind() {
376 case reflect.Uint8:
377 if structType.Field(i).Tag.Get("ssh") == "rest" {
378 field.Set(reflect.ValueOf(data))
379 data = nil
380 } else {
381 var s []byte
382 if s, data, ok = parseString(data); !ok {
383 return errShortRead
384 }
385 field.Set(reflect.ValueOf(s))
386 }
387 case reflect.String:
388 var nl []string
389 if nl, data, ok = parseNameList(data); !ok {
390 return errShortRead
391 }
392 field.Set(reflect.ValueOf(nl))
393 default:
394 return fieldError(structType, i, "slice of unsupported type")
395 }
396 case reflect.Ptr:
397 if t == bigIntType {
398 var n *big.Int
399 if n, data, ok = parseInt(data); !ok {
400 return errShortRead
401 }
402 field.Set(reflect.ValueOf(n))
403 } else {
404 return fieldError(structType, i, "pointer to unsupported type")
405 }
406 default:
407 return fieldError(structType, i, fmt.Sprintf("unsupported type: %v", t))
408 }
409 }
410
411 if len(data) != 0 {
412 return parseError(expectedType)
413 }
414
415 return nil
416}
417
418// Marshal serializes the message in msg to SSH wire format. The msg
419// argument should be a struct or pointer to struct. If the first
420// member has the "sshtype" tag set to a number in decimal, that
421// number is prepended to the result. If the last of member has the
422// "ssh" tag set to "rest", its contents are appended to the output.
423func Marshal(msg interface{}) []byte {
424 out := make([]byte, 0, 64)
425 return marshalStruct(out, msg)
426}
427
428func marshalStruct(out []byte, msg interface{}) []byte {
429 v := reflect.Indirect(reflect.ValueOf(msg))
430 msgTypes := typeTags(v.Type())
431 if len(msgTypes) > 0 {
432 out = append(out, msgTypes[0])
433 }
434
435 for i, n := 0, v.NumField(); i < n; i++ {
436 field := v.Field(i)
437 switch t := field.Type(); t.Kind() {
438 case reflect.Bool:
439 var v uint8
440 if field.Bool() {
441 v = 1
442 }
443 out = append(out, v)
444 case reflect.Array:
445 if t.Elem().Kind() != reflect.Uint8 {
446 panic(fmt.Sprintf("array of non-uint8 in field %d: %T", i, field.Interface()))
447 }
448 for j, l := 0, t.Len(); j < l; j++ {
449 out = append(out, uint8(field.Index(j).Uint()))
450 }
451 case reflect.Uint32:
452 out = appendU32(out, uint32(field.Uint()))
453 case reflect.Uint64:
454 out = appendU64(out, uint64(field.Uint()))
455 case reflect.Uint8:
456 out = append(out, uint8(field.Uint()))
457 case reflect.String:
458 s := field.String()
459 out = appendInt(out, len(s))
460 out = append(out, s...)
461 case reflect.Slice:
462 switch t.Elem().Kind() {
463 case reflect.Uint8:
464 if v.Type().Field(i).Tag.Get("ssh") != "rest" {
465 out = appendInt(out, field.Len())
466 }
467 out = append(out, field.Bytes()...)
468 case reflect.String:
469 offset := len(out)
470 out = appendU32(out, 0)
471 if n := field.Len(); n > 0 {
472 for j := 0; j < n; j++ {
473 f := field.Index(j)
474 if j != 0 {
475 out = append(out, ',')
476 }
477 out = append(out, f.String()...)
478 }
479 // overwrite length value
480 binary.BigEndian.PutUint32(out[offset:], uint32(len(out)-offset-4))
481 }
482 default:
483 panic(fmt.Sprintf("slice of unknown type in field %d: %T", i, field.Interface()))
484 }
485 case reflect.Ptr:
486 if t == bigIntType {
487 var n *big.Int
488 nValue := reflect.ValueOf(&n)
489 nValue.Elem().Set(field)
490 needed := intLength(n)
491 oldLength := len(out)
492
493 if cap(out)-len(out) < needed {
494 newOut := make([]byte, len(out), 2*(len(out)+needed))
495 copy(newOut, out)
496 out = newOut
497 }
498 out = out[:oldLength+needed]
499 marshalInt(out[oldLength:], n)
500 } else {
501 panic(fmt.Sprintf("pointer to unknown type in field %d: %T", i, field.Interface()))
502 }
503 }
504 }
505
506 return out
507}
508
509var bigOne = big.NewInt(1)
510
511func parseString(in []byte) (out, rest []byte, ok bool) {
512 if len(in) < 4 {
513 return
514 }
515 length := binary.BigEndian.Uint32(in)
516 in = in[4:]
517 if uint32(len(in)) < length {
518 return
519 }
520 out = in[:length]
521 rest = in[length:]
522 ok = true
523 return
524}
525
526var (
527 comma = []byte{','}
528 emptyNameList = []string{}
529)
530
531func parseNameList(in []byte) (out []string, rest []byte, ok bool) {
532 contents, rest, ok := parseString(in)
533 if !ok {
534 return
535 }
536 if len(contents) == 0 {
537 out = emptyNameList
538 return
539 }
540 parts := bytes.Split(contents, comma)
541 out = make([]string, len(parts))
542 for i, part := range parts {
543 out[i] = string(part)
544 }
545 return
546}
547
548func parseInt(in []byte) (out *big.Int, rest []byte, ok bool) {
549 contents, rest, ok := parseString(in)
550 if !ok {
551 return
552 }
553 out = new(big.Int)
554
555 if len(contents) > 0 && contents[0]&0x80 == 0x80 {
556 // This is a negative number
557 notBytes := make([]byte, len(contents))
558 for i := range notBytes {
559 notBytes[i] = ^contents[i]
560 }
561 out.SetBytes(notBytes)
562 out.Add(out, bigOne)
563 out.Neg(out)
564 } else {
565 // Positive number
566 out.SetBytes(contents)
567 }
568 ok = true
569 return
570}
571
572func parseUint32(in []byte) (uint32, []byte, bool) {
573 if len(in) < 4 {
574 return 0, nil, false
575 }
576 return binary.BigEndian.Uint32(in), in[4:], true
577}
578
579func parseUint64(in []byte) (uint64, []byte, bool) {
580 if len(in) < 8 {
581 return 0, nil, false
582 }
583 return binary.BigEndian.Uint64(in), in[8:], true
584}
585
586func intLength(n *big.Int) int {
587 length := 4 /* length bytes */
588 if n.Sign() < 0 {
589 nMinus1 := new(big.Int).Neg(n)
590 nMinus1.Sub(nMinus1, bigOne)
591 bitLen := nMinus1.BitLen()
592 if bitLen%8 == 0 {
593 // The number will need 0xff padding
594 length++
595 }
596 length += (bitLen + 7) / 8
597 } else if n.Sign() == 0 {
598 // A zero is the zero length string
599 } else {
600 bitLen := n.BitLen()
601 if bitLen%8 == 0 {
602 // The number will need 0x00 padding
603 length++
604 }
605 length += (bitLen + 7) / 8
606 }
607
608 return length
609}
610
611func marshalUint32(to []byte, n uint32) []byte {
612 binary.BigEndian.PutUint32(to, n)
613 return to[4:]
614}
615
616func marshalUint64(to []byte, n uint64) []byte {
617 binary.BigEndian.PutUint64(to, n)
618 return to[8:]
619}
620
621func marshalInt(to []byte, n *big.Int) []byte {
622 lengthBytes := to
623 to = to[4:]
624 length := 0
625
626 if n.Sign() < 0 {
627 // A negative number has to be converted to two's-complement
628 // form. So we'll subtract 1 and invert. If the
629 // most-significant-bit isn't set then we'll need to pad the
630 // beginning with 0xff in order to keep the number negative.
631 nMinus1 := new(big.Int).Neg(n)
632 nMinus1.Sub(nMinus1, bigOne)
633 bytes := nMinus1.Bytes()
634 for i := range bytes {
635 bytes[i] ^= 0xff
636 }
637 if len(bytes) == 0 || bytes[0]&0x80 == 0 {
638 to[0] = 0xff
639 to = to[1:]
640 length++
641 }
642 nBytes := copy(to, bytes)
643 to = to[nBytes:]
644 length += nBytes
645 } else if n.Sign() == 0 {
646 // A zero is the zero length string
647 } else {
648 bytes := n.Bytes()
649 if len(bytes) > 0 && bytes[0]&0x80 != 0 {
650 // We'll have to pad this with a 0x00 in order to
651 // stop it looking like a negative number.
652 to[0] = 0
653 to = to[1:]
654 length++
655 }
656 nBytes := copy(to, bytes)
657 to = to[nBytes:]
658 length += nBytes
659 }
660
661 lengthBytes[0] = byte(length >> 24)
662 lengthBytes[1] = byte(length >> 16)
663 lengthBytes[2] = byte(length >> 8)
664 lengthBytes[3] = byte(length)
665 return to
666}
667
668func writeInt(w io.Writer, n *big.Int) {
669 length := intLength(n)
670 buf := make([]byte, length)
671 marshalInt(buf, n)
672 w.Write(buf)
673}
674
675func writeString(w io.Writer, s []byte) {
676 var lengthBytes [4]byte
677 lengthBytes[0] = byte(len(s) >> 24)
678 lengthBytes[1] = byte(len(s) >> 16)
679 lengthBytes[2] = byte(len(s) >> 8)
680 lengthBytes[3] = byte(len(s))
681 w.Write(lengthBytes[:])
682 w.Write(s)
683}
684
685func stringLength(n int) int {
686 return 4 + n
687}
688
689func marshalString(to []byte, s []byte) []byte {
690 to[0] = byte(len(s) >> 24)
691 to[1] = byte(len(s) >> 16)
692 to[2] = byte(len(s) >> 8)
693 to[3] = byte(len(s))
694 to = to[4:]
695 copy(to, s)
696 return to[len(s):]
697}
698
699var bigIntType = reflect.TypeOf((*big.Int)(nil))
700
701// Decode a packet into its corresponding message.
702func decode(packet []byte) (interface{}, error) {
703 var msg interface{}
704 switch packet[0] {
705 case msgDisconnect:
706 msg = new(disconnectMsg)
707 case msgServiceRequest:
708 msg = new(serviceRequestMsg)
709 case msgServiceAccept:
710 msg = new(serviceAcceptMsg)
711 case msgKexInit:
712 msg = new(kexInitMsg)
713 case msgKexDHInit:
714 msg = new(kexDHInitMsg)
715 case msgKexDHReply:
716 msg = new(kexDHReplyMsg)
717 case msgUserAuthRequest:
718 msg = new(userAuthRequestMsg)
719 case msgUserAuthSuccess:
720 return new(userAuthSuccessMsg), nil
721 case msgUserAuthFailure:
722 msg = new(userAuthFailureMsg)
723 case msgUserAuthPubKeyOk:
724 msg = new(userAuthPubKeyOkMsg)
725 case msgGlobalRequest:
726 msg = new(globalRequestMsg)
727 case msgRequestSuccess:
728 msg = new(globalRequestSuccessMsg)
729 case msgRequestFailure:
730 msg = new(globalRequestFailureMsg)
731 case msgChannelOpen:
732 msg = new(channelOpenMsg)
733 case msgChannelData:
734 msg = new(channelDataMsg)
735 case msgChannelOpenConfirm:
736 msg = new(channelOpenConfirmMsg)
737 case msgChannelOpenFailure:
738 msg = new(channelOpenFailureMsg)
739 case msgChannelWindowAdjust:
740 msg = new(windowAdjustMsg)
741 case msgChannelEOF:
742 msg = new(channelEOFMsg)
743 case msgChannelClose:
744 msg = new(channelCloseMsg)
745 case msgChannelRequest:
746 msg = new(channelRequestMsg)
747 case msgChannelSuccess:
748 msg = new(channelRequestSuccessMsg)
749 case msgChannelFailure:
750 msg = new(channelRequestFailureMsg)
751 default:
752 return nil, unexpectedMessageError(0, packet[0])
753 }
754 if err := Unmarshal(packet, msg); err != nil {
755 return nil, err
756 }
757 return msg, nil
758}
diff --git a/vendor/golang.org/x/crypto/ssh/mux.go b/vendor/golang.org/x/crypto/ssh/mux.go
deleted file mode 100644
index 27a527c..0000000
--- a/vendor/golang.org/x/crypto/ssh/mux.go
+++ /dev/null
@@ -1,330 +0,0 @@
1// Copyright 2013 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7import (
8 "encoding/binary"
9 "fmt"
10 "io"
11 "log"
12 "sync"
13 "sync/atomic"
14)
15
16// debugMux, if set, causes messages in the connection protocol to be
17// logged.
18const debugMux = false
19
20// chanList is a thread safe channel list.
21type chanList struct {
22 // protects concurrent access to chans
23 sync.Mutex
24
25 // chans are indexed by the local id of the channel, which the
26 // other side should send in the PeersId field.
27 chans []*channel
28
29 // This is a debugging aid: it offsets all IDs by this
30 // amount. This helps distinguish otherwise identical
31 // server/client muxes
32 offset uint32
33}
34
35// Assigns a channel ID to the given channel.
36func (c *chanList) add(ch *channel) uint32 {
37 c.Lock()
38 defer c.Unlock()
39 for i := range c.chans {
40 if c.chans[i] == nil {
41 c.chans[i] = ch
42 return uint32(i) + c.offset
43 }
44 }
45 c.chans = append(c.chans, ch)
46 return uint32(len(c.chans)-1) + c.offset
47}
48
49// getChan returns the channel for the given ID.
50func (c *chanList) getChan(id uint32) *channel {
51 id -= c.offset
52
53 c.Lock()
54 defer c.Unlock()
55 if id < uint32(len(c.chans)) {
56 return c.chans[id]
57 }
58 return nil
59}
60
61func (c *chanList) remove(id uint32) {
62 id -= c.offset
63 c.Lock()
64 if id < uint32(len(c.chans)) {
65 c.chans[id] = nil
66 }
67 c.Unlock()
68}
69
70// dropAll forgets all channels it knows, returning them in a slice.
71func (c *chanList) dropAll() []*channel {
72 c.Lock()
73 defer c.Unlock()
74 var r []*channel
75
76 for _, ch := range c.chans {
77 if ch == nil {
78 continue
79 }
80 r = append(r, ch)
81 }
82 c.chans = nil
83 return r
84}
85
86// mux represents the state for the SSH connection protocol, which
87// multiplexes many channels onto a single packet transport.
88type mux struct {
89 conn packetConn
90 chanList chanList
91
92 incomingChannels chan NewChannel
93
94 globalSentMu sync.Mutex
95 globalResponses chan interface{}
96 incomingRequests chan *Request
97
98 errCond *sync.Cond
99 err error
100}
101
102// When debugging, each new chanList instantiation has a different
103// offset.
104var globalOff uint32
105
106func (m *mux) Wait() error {
107 m.errCond.L.Lock()
108 defer m.errCond.L.Unlock()
109 for m.err == nil {
110 m.errCond.Wait()
111 }
112 return m.err
113}
114
115// newMux returns a mux that runs over the given connection.
116func newMux(p packetConn) *mux {
117 m := &mux{
118 conn: p,
119 incomingChannels: make(chan NewChannel, chanSize),
120 globalResponses: make(chan interface{}, 1),
121 incomingRequests: make(chan *Request, chanSize),
122 errCond: newCond(),
123 }
124 if debugMux {
125 m.chanList.offset = atomic.AddUint32(&globalOff, 1)
126 }
127
128 go m.loop()
129 return m
130}
131
132func (m *mux) sendMessage(msg interface{}) error {
133 p := Marshal(msg)
134 if debugMux {
135 log.Printf("send global(%d): %#v", m.chanList.offset, msg)
136 }
137 return m.conn.writePacket(p)
138}
139
140func (m *mux) SendRequest(name string, wantReply bool, payload []byte) (bool, []byte, error) {
141 if wantReply {
142 m.globalSentMu.Lock()
143 defer m.globalSentMu.Unlock()
144 }
145
146 if err := m.sendMessage(globalRequestMsg{
147 Type: name,
148 WantReply: wantReply,
149 Data: payload,
150 }); err != nil {
151 return false, nil, err
152 }
153
154 if !wantReply {
155 return false, nil, nil
156 }
157
158 msg, ok := <-m.globalResponses
159 if !ok {
160 return false, nil, io.EOF
161 }
162 switch msg := msg.(type) {
163 case *globalRequestFailureMsg:
164 return false, msg.Data, nil
165 case *globalRequestSuccessMsg:
166 return true, msg.Data, nil
167 default:
168 return false, nil, fmt.Errorf("ssh: unexpected response to request: %#v", msg)
169 }
170}
171
172// ackRequest must be called after processing a global request that
173// has WantReply set.
174func (m *mux) ackRequest(ok bool, data []byte) error {
175 if ok {
176 return m.sendMessage(globalRequestSuccessMsg{Data: data})
177 }
178 return m.sendMessage(globalRequestFailureMsg{Data: data})
179}
180
181func (m *mux) Close() error {
182 return m.conn.Close()
183}
184
185// loop runs the connection machine. It will process packets until an
186// error is encountered. To synchronize on loop exit, use mux.Wait.
187func (m *mux) loop() {
188 var err error
189 for err == nil {
190 err = m.onePacket()
191 }
192
193 for _, ch := range m.chanList.dropAll() {
194 ch.close()
195 }
196
197 close(m.incomingChannels)
198 close(m.incomingRequests)
199 close(m.globalResponses)
200
201 m.conn.Close()
202
203 m.errCond.L.Lock()
204 m.err = err
205 m.errCond.Broadcast()
206 m.errCond.L.Unlock()
207
208 if debugMux {
209 log.Println("loop exit", err)
210 }
211}
212
213// onePacket reads and processes one packet.
214func (m *mux) onePacket() error {
215 packet, err := m.conn.readPacket()
216 if err != nil {
217 return err
218 }
219
220 if debugMux {
221 if packet[0] == msgChannelData || packet[0] == msgChannelExtendedData {
222 log.Printf("decoding(%d): data packet - %d bytes", m.chanList.offset, len(packet))
223 } else {
224 p, _ := decode(packet)
225 log.Printf("decoding(%d): %d %#v - %d bytes", m.chanList.offset, packet[0], p, len(packet))
226 }
227 }
228
229 switch packet[0] {
230 case msgChannelOpen:
231 return m.handleChannelOpen(packet)
232 case msgGlobalRequest, msgRequestSuccess, msgRequestFailure:
233 return m.handleGlobalPacket(packet)
234 }
235
236 // assume a channel packet.
237 if len(packet) < 5 {
238 return parseError(packet[0])
239 }
240 id := binary.BigEndian.Uint32(packet[1:])
241 ch := m.chanList.getChan(id)
242 if ch == nil {
243 return fmt.Errorf("ssh: invalid channel %d", id)
244 }
245
246 return ch.handlePacket(packet)
247}
248
249func (m *mux) handleGlobalPacket(packet []byte) error {
250 msg, err := decode(packet)
251 if err != nil {
252 return err
253 }
254
255 switch msg := msg.(type) {
256 case *globalRequestMsg:
257 m.incomingRequests <- &Request{
258 Type: msg.Type,
259 WantReply: msg.WantReply,
260 Payload: msg.Data,
261 mux: m,
262 }
263 case *globalRequestSuccessMsg, *globalRequestFailureMsg:
264 m.globalResponses <- msg
265 default:
266 panic(fmt.Sprintf("not a global message %#v", msg))
267 }
268
269 return nil
270}
271
272// handleChannelOpen schedules a channel to be Accept()ed.
273func (m *mux) handleChannelOpen(packet []byte) error {
274 var msg channelOpenMsg
275 if err := Unmarshal(packet, &msg); err != nil {
276 return err
277 }
278
279 if msg.MaxPacketSize < minPacketLength || msg.MaxPacketSize > 1<<31 {
280 failMsg := channelOpenFailureMsg{
281 PeersId: msg.PeersId,
282 Reason: ConnectionFailed,
283 Message: "invalid request",
284 Language: "en_US.UTF-8",
285 }
286 return m.sendMessage(failMsg)
287 }
288
289 c := m.newChannel(msg.ChanType, channelInbound, msg.TypeSpecificData)
290 c.remoteId = msg.PeersId
291 c.maxRemotePayload = msg.MaxPacketSize
292 c.remoteWin.add(msg.PeersWindow)
293 m.incomingChannels <- c
294 return nil
295}
296
297func (m *mux) OpenChannel(chanType string, extra []byte) (Channel, <-chan *Request, error) {
298 ch, err := m.openChannel(chanType, extra)
299 if err != nil {
300 return nil, nil, err
301 }
302
303 return ch, ch.incomingRequests, nil
304}
305
306func (m *mux) openChannel(chanType string, extra []byte) (*channel, error) {
307 ch := m.newChannel(chanType, channelOutbound, extra)
308
309 ch.maxIncomingPayload = channelMaxPacket
310
311 open := channelOpenMsg{
312 ChanType: chanType,
313 PeersWindow: ch.myWindow,
314 MaxPacketSize: ch.maxIncomingPayload,
315 TypeSpecificData: extra,
316 PeersId: ch.localId,
317 }
318 if err := m.sendMessage(open); err != nil {
319 return nil, err
320 }
321
322 switch msg := (<-ch.msg).(type) {
323 case *channelOpenConfirmMsg:
324 return ch, nil
325 case *channelOpenFailureMsg:
326 return nil, &OpenChannelError{msg.Reason, msg.Message}
327 default:
328 return nil, fmt.Errorf("ssh: unexpected packet in response to channel open: %T", msg)
329 }
330}
diff --git a/vendor/golang.org/x/crypto/ssh/server.go b/vendor/golang.org/x/crypto/ssh/server.go
deleted file mode 100644
index 77c84d1..0000000
--- a/vendor/golang.org/x/crypto/ssh/server.go
+++ /dev/null
@@ -1,491 +0,0 @@
1// Copyright 2011 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7import (
8 "bytes"
9 "errors"
10 "fmt"
11 "io"
12 "net"
13 "strings"
14)
15
16// The Permissions type holds fine-grained permissions that are
17// specific to a user or a specific authentication method for a
18// user. Permissions, except for "source-address", must be enforced in
19// the server application layer, after successful authentication. The
20// Permissions are passed on in ServerConn so a server implementation
21// can honor them.
22type Permissions struct {
23 // Critical options restrict default permissions. Common
24 // restrictions are "source-address" and "force-command". If
25 // the server cannot enforce the restriction, or does not
26 // recognize it, the user should not authenticate.
27 CriticalOptions map[string]string
28
29 // Extensions are extra functionality that the server may
30 // offer on authenticated connections. Common extensions are
31 // "permit-agent-forwarding", "permit-X11-forwarding". Lack of
32 // support for an extension does not preclude authenticating a
33 // user.
34 Extensions map[string]string
35}
36
37// ServerConfig holds server specific configuration data.
38type ServerConfig struct {
39 // Config contains configuration shared between client and server.
40 Config
41
42 hostKeys []Signer
43
44 // NoClientAuth is true if clients are allowed to connect without
45 // authenticating.
46 NoClientAuth bool
47
48 // PasswordCallback, if non-nil, is called when a user
49 // attempts to authenticate using a password.
50 PasswordCallback func(conn ConnMetadata, password []byte) (*Permissions, error)
51
52 // PublicKeyCallback, if non-nil, is called when a client attempts public
53 // key authentication. It must return true if the given public key is
54 // valid for the given user. For example, see CertChecker.Authenticate.
55 PublicKeyCallback func(conn ConnMetadata, key PublicKey) (*Permissions, error)
56
57 // KeyboardInteractiveCallback, if non-nil, is called when
58 // keyboard-interactive authentication is selected (RFC
59 // 4256). The client object's Challenge function should be
60 // used to query the user. The callback may offer multiple
61 // Challenge rounds. To avoid information leaks, the client
62 // should be presented a challenge even if the user is
63 // unknown.
64 KeyboardInteractiveCallback func(conn ConnMetadata, client KeyboardInteractiveChallenge) (*Permissions, error)
65
66 // AuthLogCallback, if non-nil, is called to log all authentication
67 // attempts.
68 AuthLogCallback func(conn ConnMetadata, method string, err error)
69
70 // ServerVersion is the version identification string to announce in
71 // the public handshake.
72 // If empty, a reasonable default is used.
73 // Note that RFC 4253 section 4.2 requires that this string start with
74 // "SSH-2.0-".
75 ServerVersion string
76}
77
78// AddHostKey adds a private key as a host key. If an existing host
79// key exists with the same algorithm, it is overwritten. Each server
80// config must have at least one host key.
81func (s *ServerConfig) AddHostKey(key Signer) {
82 for i, k := range s.hostKeys {
83 if k.PublicKey().Type() == key.PublicKey().Type() {
84 s.hostKeys[i] = key
85 return
86 }
87 }
88
89 s.hostKeys = append(s.hostKeys, key)
90}
91
92// cachedPubKey contains the results of querying whether a public key is
93// acceptable for a user.
94type cachedPubKey struct {
95 user string
96 pubKeyData []byte
97 result error
98 perms *Permissions
99}
100
101const maxCachedPubKeys = 16
102
103// pubKeyCache caches tests for public keys. Since SSH clients
104// will query whether a public key is acceptable before attempting to
105// authenticate with it, we end up with duplicate queries for public
106// key validity. The cache only applies to a single ServerConn.
107type pubKeyCache struct {
108 keys []cachedPubKey
109}
110
111// get returns the result for a given user/algo/key tuple.
112func (c *pubKeyCache) get(user string, pubKeyData []byte) (cachedPubKey, bool) {
113 for _, k := range c.keys {
114 if k.user == user && bytes.Equal(k.pubKeyData, pubKeyData) {
115 return k, true
116 }
117 }
118 return cachedPubKey{}, false
119}
120
121// add adds the given tuple to the cache.
122func (c *pubKeyCache) add(candidate cachedPubKey) {
123 if len(c.keys) < maxCachedPubKeys {
124 c.keys = append(c.keys, candidate)
125 }
126}
127
128// ServerConn is an authenticated SSH connection, as seen from the
129// server
130type ServerConn struct {
131 Conn
132
133 // If the succeeding authentication callback returned a
134 // non-nil Permissions pointer, it is stored here.
135 Permissions *Permissions
136}
137
138// NewServerConn starts a new SSH server with c as the underlying
139// transport. It starts with a handshake and, if the handshake is
140// unsuccessful, it closes the connection and returns an error. The
141// Request and NewChannel channels must be serviced, or the connection
142// will hang.
143func NewServerConn(c net.Conn, config *ServerConfig) (*ServerConn, <-chan NewChannel, <-chan *Request, error) {
144 fullConf := *config
145 fullConf.SetDefaults()
146 s := &connection{
147 sshConn: sshConn{conn: c},
148 }
149 perms, err := s.serverHandshake(&fullConf)
150 if err != nil {
151 c.Close()
152 return nil, nil, nil, err
153 }
154 return &ServerConn{s, perms}, s.mux.incomingChannels, s.mux.incomingRequests, nil
155}
156
157// signAndMarshal signs the data with the appropriate algorithm,
158// and serializes the result in SSH wire format.
159func signAndMarshal(k Signer, rand io.Reader, data []byte) ([]byte, error) {
160 sig, err := k.Sign(rand, data)
161 if err != nil {
162 return nil, err
163 }
164
165 return Marshal(sig), nil
166}
167
168// handshake performs key exchange and user authentication.
169func (s *connection) serverHandshake(config *ServerConfig) (*Permissions, error) {
170 if len(config.hostKeys) == 0 {
171 return nil, errors.New("ssh: server has no host keys")
172 }
173
174 if !config.NoClientAuth && config.PasswordCallback == nil && config.PublicKeyCallback == nil && config.KeyboardInteractiveCallback == nil {
175 return nil, errors.New("ssh: no authentication methods configured but NoClientAuth is also false")
176 }
177
178 if config.ServerVersion != "" {
179 s.serverVersion = []byte(config.ServerVersion)
180 } else {
181 s.serverVersion = []byte(packageVersion)
182 }
183 var err error
184 s.clientVersion, err = exchangeVersions(s.sshConn.conn, s.serverVersion)
185 if err != nil {
186 return nil, err
187 }
188
189 tr := newTransport(s.sshConn.conn, config.Rand, false /* not client */)
190 s.transport = newServerTransport(tr, s.clientVersion, s.serverVersion, config)
191
192 if err := s.transport.waitSession(); err != nil {
193 return nil, err
194 }
195
196 // We just did the key change, so the session ID is established.
197 s.sessionID = s.transport.getSessionID()
198
199 var packet []byte
200 if packet, err = s.transport.readPacket(); err != nil {
201 return nil, err
202 }
203
204 var serviceRequest serviceRequestMsg
205 if err = Unmarshal(packet, &serviceRequest); err != nil {
206 return nil, err
207 }
208 if serviceRequest.Service != serviceUserAuth {
209 return nil, errors.New("ssh: requested service '" + serviceRequest.Service + "' before authenticating")
210 }
211 serviceAccept := serviceAcceptMsg{
212 Service: serviceUserAuth,
213 }
214 if err := s.transport.writePacket(Marshal(&serviceAccept)); err != nil {
215 return nil, err
216 }
217
218 perms, err := s.serverAuthenticate(config)
219 if err != nil {
220 return nil, err
221 }
222 s.mux = newMux(s.transport)
223 return perms, err
224}
225
226func isAcceptableAlgo(algo string) bool {
227 switch algo {
228 case KeyAlgoRSA, KeyAlgoDSA, KeyAlgoECDSA256, KeyAlgoECDSA384, KeyAlgoECDSA521, KeyAlgoED25519,
229 CertAlgoRSAv01, CertAlgoDSAv01, CertAlgoECDSA256v01, CertAlgoECDSA384v01, CertAlgoECDSA521v01:
230 return true
231 }
232 return false
233}
234
235func checkSourceAddress(addr net.Addr, sourceAddrs string) error {
236 if addr == nil {
237 return errors.New("ssh: no address known for client, but source-address match required")
238 }
239
240 tcpAddr, ok := addr.(*net.TCPAddr)
241 if !ok {
242 return fmt.Errorf("ssh: remote address %v is not an TCP address when checking source-address match", addr)
243 }
244
245 for _, sourceAddr := range strings.Split(sourceAddrs, ",") {
246 if allowedIP := net.ParseIP(sourceAddr); allowedIP != nil {
247 if allowedIP.Equal(tcpAddr.IP) {
248 return nil
249 }
250 } else {
251 _, ipNet, err := net.ParseCIDR(sourceAddr)
252 if err != nil {
253 return fmt.Errorf("ssh: error parsing source-address restriction %q: %v", sourceAddr, err)
254 }
255
256 if ipNet.Contains(tcpAddr.IP) {
257 return nil
258 }
259 }
260 }
261
262 return fmt.Errorf("ssh: remote address %v is not allowed because of source-address restriction", addr)
263}
264
265func (s *connection) serverAuthenticate(config *ServerConfig) (*Permissions, error) {
266 sessionID := s.transport.getSessionID()
267 var cache pubKeyCache
268 var perms *Permissions
269
270userAuthLoop:
271 for {
272 var userAuthReq userAuthRequestMsg
273 if packet, err := s.transport.readPacket(); err != nil {
274 return nil, err
275 } else if err = Unmarshal(packet, &userAuthReq); err != nil {
276 return nil, err
277 }
278
279 if userAuthReq.Service != serviceSSH {
280 return nil, errors.New("ssh: client attempted to negotiate for unknown service: " + userAuthReq.Service)
281 }
282
283 s.user = userAuthReq.User
284 perms = nil
285 authErr := errors.New("no auth passed yet")
286
287 switch userAuthReq.Method {
288 case "none":
289 if config.NoClientAuth {
290 authErr = nil
291 }
292 case "password":
293 if config.PasswordCallback == nil {
294 authErr = errors.New("ssh: password auth not configured")
295 break
296 }
297 payload := userAuthReq.Payload
298 if len(payload) < 1 || payload[0] != 0 {
299 return nil, parseError(msgUserAuthRequest)
300 }
301 payload = payload[1:]
302 password, payload, ok := parseString(payload)
303 if !ok || len(payload) > 0 {
304 return nil, parseError(msgUserAuthRequest)
305 }
306
307 perms, authErr = config.PasswordCallback(s, password)
308 case "keyboard-interactive":
309 if config.KeyboardInteractiveCallback == nil {
310 authErr = errors.New("ssh: keyboard-interactive auth not configubred")
311 break
312 }
313
314 prompter := &sshClientKeyboardInteractive{s}
315 perms, authErr = config.KeyboardInteractiveCallback(s, prompter.Challenge)
316 case "publickey":
317 if config.PublicKeyCallback == nil {
318 authErr = errors.New("ssh: publickey auth not configured")
319 break
320 }
321 payload := userAuthReq.Payload
322 if len(payload) < 1 {
323 return nil, parseError(msgUserAuthRequest)
324 }
325 isQuery := payload[0] == 0
326 payload = payload[1:]
327 algoBytes, payload, ok := parseString(payload)
328 if !ok {
329 return nil, parseError(msgUserAuthRequest)
330 }
331 algo := string(algoBytes)
332 if !isAcceptableAlgo(algo) {
333 authErr = fmt.Errorf("ssh: algorithm %q not accepted", algo)
334 break
335 }
336
337 pubKeyData, payload, ok := parseString(payload)
338 if !ok {
339 return nil, parseError(msgUserAuthRequest)
340 }
341
342 pubKey, err := ParsePublicKey(pubKeyData)
343 if err != nil {
344 return nil, err
345 }
346
347 candidate, ok := cache.get(s.user, pubKeyData)
348 if !ok {
349 candidate.user = s.user
350 candidate.pubKeyData = pubKeyData
351 candidate.perms, candidate.result = config.PublicKeyCallback(s, pubKey)
352 if candidate.result == nil && candidate.perms != nil && candidate.perms.CriticalOptions != nil && candidate.perms.CriticalOptions[sourceAddressCriticalOption] != "" {
353 candidate.result = checkSourceAddress(
354 s.RemoteAddr(),
355 candidate.perms.CriticalOptions[sourceAddressCriticalOption])
356 }
357 cache.add(candidate)
358 }
359
360 if isQuery {
361 // The client can query if the given public key
362 // would be okay.
363 if len(payload) > 0 {
364 return nil, parseError(msgUserAuthRequest)
365 }
366
367 if candidate.result == nil {
368 okMsg := userAuthPubKeyOkMsg{
369 Algo: algo,
370 PubKey: pubKeyData,
371 }
372 if err = s.transport.writePacket(Marshal(&okMsg)); err != nil {
373 return nil, err
374 }
375 continue userAuthLoop
376 }
377 authErr = candidate.result
378 } else {
379 sig, payload, ok := parseSignature(payload)
380 if !ok || len(payload) > 0 {
381 return nil, parseError(msgUserAuthRequest)
382 }
383 // Ensure the public key algo and signature algo
384 // are supported. Compare the private key
385 // algorithm name that corresponds to algo with
386 // sig.Format. This is usually the same, but
387 // for certs, the names differ.
388 if !isAcceptableAlgo(sig.Format) {
389 break
390 }
391 signedData := buildDataSignedForAuth(sessionID, userAuthReq, algoBytes, pubKeyData)
392
393 if err := pubKey.Verify(signedData, sig); err != nil {
394 return nil, err
395 }
396
397 authErr = candidate.result
398 perms = candidate.perms
399 }
400 default:
401 authErr = fmt.Errorf("ssh: unknown method %q", userAuthReq.Method)
402 }
403
404 if config.AuthLogCallback != nil {
405 config.AuthLogCallback(s, userAuthReq.Method, authErr)
406 }
407
408 if authErr == nil {
409 break userAuthLoop
410 }
411
412 var failureMsg userAuthFailureMsg
413 if config.PasswordCallback != nil {
414 failureMsg.Methods = append(failureMsg.Methods, "password")
415 }
416 if config.PublicKeyCallback != nil {
417 failureMsg.Methods = append(failureMsg.Methods, "publickey")
418 }
419 if config.KeyboardInteractiveCallback != nil {
420 failureMsg.Methods = append(failureMsg.Methods, "keyboard-interactive")
421 }
422
423 if len(failureMsg.Methods) == 0 {
424 return nil, errors.New("ssh: no authentication methods configured but NoClientAuth is also false")
425 }
426
427 if err := s.transport.writePacket(Marshal(&failureMsg)); err != nil {
428 return nil, err
429 }
430 }
431
432 if err := s.transport.writePacket([]byte{msgUserAuthSuccess}); err != nil {
433 return nil, err
434 }
435 return perms, nil
436}
437
438// sshClientKeyboardInteractive implements a ClientKeyboardInteractive by
439// asking the client on the other side of a ServerConn.
440type sshClientKeyboardInteractive struct {
441 *connection
442}
443
444func (c *sshClientKeyboardInteractive) Challenge(user, instruction string, questions []string, echos []bool) (answers []string, err error) {
445 if len(questions) != len(echos) {
446 return nil, errors.New("ssh: echos and questions must have equal length")
447 }
448
449 var prompts []byte
450 for i := range questions {
451 prompts = appendString(prompts, questions[i])
452 prompts = appendBool(prompts, echos[i])
453 }
454
455 if err := c.transport.writePacket(Marshal(&userAuthInfoRequestMsg{
456 Instruction: instruction,
457 NumPrompts: uint32(len(questions)),
458 Prompts: prompts,
459 })); err != nil {
460 return nil, err
461 }
462
463 packet, err := c.transport.readPacket()
464 if err != nil {
465 return nil, err
466 }
467 if packet[0] != msgUserAuthInfoResponse {
468 return nil, unexpectedMessageError(msgUserAuthInfoResponse, packet[0])
469 }
470 packet = packet[1:]
471
472 n, packet, ok := parseUint32(packet)
473 if !ok || int(n) != len(questions) {
474 return nil, parseError(msgUserAuthInfoResponse)
475 }
476
477 for i := uint32(0); i < n; i++ {
478 ans, rest, ok := parseString(packet)
479 if !ok {
480 return nil, parseError(msgUserAuthInfoResponse)
481 }
482
483 answers = append(answers, string(ans))
484 packet = rest
485 }
486 if len(packet) != 0 {
487 return nil, errors.New("ssh: junk at end of message")
488 }
489
490 return answers, nil
491}
diff --git a/vendor/golang.org/x/crypto/ssh/session.go b/vendor/golang.org/x/crypto/ssh/session.go
deleted file mode 100644
index 17e2aa8..0000000
--- a/vendor/golang.org/x/crypto/ssh/session.go
+++ /dev/null
@@ -1,627 +0,0 @@
1// Copyright 2011 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7// Session implements an interactive session described in
8// "RFC 4254, section 6".
9
10import (
11 "bytes"
12 "encoding/binary"
13 "errors"
14 "fmt"
15 "io"
16 "io/ioutil"
17 "sync"
18)
19
20type Signal string
21
22// POSIX signals as listed in RFC 4254 Section 6.10.
23const (
24 SIGABRT Signal = "ABRT"
25 SIGALRM Signal = "ALRM"
26 SIGFPE Signal = "FPE"
27 SIGHUP Signal = "HUP"
28 SIGILL Signal = "ILL"
29 SIGINT Signal = "INT"
30 SIGKILL Signal = "KILL"
31 SIGPIPE Signal = "PIPE"
32 SIGQUIT Signal = "QUIT"
33 SIGSEGV Signal = "SEGV"
34 SIGTERM Signal = "TERM"
35 SIGUSR1 Signal = "USR1"
36 SIGUSR2 Signal = "USR2"
37)
38
39var signals = map[Signal]int{
40 SIGABRT: 6,
41 SIGALRM: 14,
42 SIGFPE: 8,
43 SIGHUP: 1,
44 SIGILL: 4,
45 SIGINT: 2,
46 SIGKILL: 9,
47 SIGPIPE: 13,
48 SIGQUIT: 3,
49 SIGSEGV: 11,
50 SIGTERM: 15,
51}
52
53type TerminalModes map[uint8]uint32
54
55// POSIX terminal mode flags as listed in RFC 4254 Section 8.
56const (
57 tty_OP_END = 0
58 VINTR = 1
59 VQUIT = 2
60 VERASE = 3
61 VKILL = 4
62 VEOF = 5
63 VEOL = 6
64 VEOL2 = 7
65 VSTART = 8
66 VSTOP = 9
67 VSUSP = 10
68 VDSUSP = 11
69 VREPRINT = 12
70 VWERASE = 13
71 VLNEXT = 14
72 VFLUSH = 15
73 VSWTCH = 16
74 VSTATUS = 17
75 VDISCARD = 18
76 IGNPAR = 30
77 PARMRK = 31
78 INPCK = 32
79 ISTRIP = 33
80 INLCR = 34
81 IGNCR = 35
82 ICRNL = 36
83 IUCLC = 37
84 IXON = 38
85 IXANY = 39
86 IXOFF = 40
87 IMAXBEL = 41
88 ISIG = 50
89 ICANON = 51
90 XCASE = 52
91 ECHO = 53
92 ECHOE = 54
93 ECHOK = 55
94 ECHONL = 56
95 NOFLSH = 57
96 TOSTOP = 58
97 IEXTEN = 59
98 ECHOCTL = 60
99 ECHOKE = 61
100 PENDIN = 62
101 OPOST = 70
102 OLCUC = 71
103 ONLCR = 72
104 OCRNL = 73
105 ONOCR = 74
106 ONLRET = 75
107 CS7 = 90
108 CS8 = 91
109 PARENB = 92
110 PARODD = 93
111 TTY_OP_ISPEED = 128
112 TTY_OP_OSPEED = 129
113)
114
115// A Session represents a connection to a remote command or shell.
116type Session struct {
117 // Stdin specifies the remote process's standard input.
118 // If Stdin is nil, the remote process reads from an empty
119 // bytes.Buffer.
120 Stdin io.Reader
121
122 // Stdout and Stderr specify the remote process's standard
123 // output and error.
124 //
125 // If either is nil, Run connects the corresponding file
126 // descriptor to an instance of ioutil.Discard. There is a
127 // fixed amount of buffering that is shared for the two streams.
128 // If either blocks it may eventually cause the remote
129 // command to block.
130 Stdout io.Writer
131 Stderr io.Writer
132
133 ch Channel // the channel backing this session
134 started bool // true once Start, Run or Shell is invoked.
135 copyFuncs []func() error
136 errors chan error // one send per copyFunc
137
138 // true if pipe method is active
139 stdinpipe, stdoutpipe, stderrpipe bool
140
141 // stdinPipeWriter is non-nil if StdinPipe has not been called
142 // and Stdin was specified by the user; it is the write end of
143 // a pipe connecting Session.Stdin to the stdin channel.
144 stdinPipeWriter io.WriteCloser
145
146 exitStatus chan error
147}
148
149// SendRequest sends an out-of-band channel request on the SSH channel
150// underlying the session.
151func (s *Session) SendRequest(name string, wantReply bool, payload []byte) (bool, error) {
152 return s.ch.SendRequest(name, wantReply, payload)
153}
154
155func (s *Session) Close() error {
156 return s.ch.Close()
157}
158
159// RFC 4254 Section 6.4.
160type setenvRequest struct {
161 Name string
162 Value string
163}
164
165// Setenv sets an environment variable that will be applied to any
166// command executed by Shell or Run.
167func (s *Session) Setenv(name, value string) error {
168 msg := setenvRequest{
169 Name: name,
170 Value: value,
171 }
172 ok, err := s.ch.SendRequest("env", true, Marshal(&msg))
173 if err == nil && !ok {
174 err = errors.New("ssh: setenv failed")
175 }
176 return err
177}
178
179// RFC 4254 Section 6.2.
180type ptyRequestMsg struct {
181 Term string
182 Columns uint32
183 Rows uint32
184 Width uint32
185 Height uint32
186 Modelist string
187}
188
189// RequestPty requests the association of a pty with the session on the remote host.
190func (s *Session) RequestPty(term string, h, w int, termmodes TerminalModes) error {
191 var tm []byte
192 for k, v := range termmodes {
193 kv := struct {
194 Key byte
195 Val uint32
196 }{k, v}
197
198 tm = append(tm, Marshal(&kv)...)
199 }
200 tm = append(tm, tty_OP_END)
201 req := ptyRequestMsg{
202 Term: term,
203 Columns: uint32(w),
204 Rows: uint32(h),
205 Width: uint32(w * 8),
206 Height: uint32(h * 8),
207 Modelist: string(tm),
208 }
209 ok, err := s.ch.SendRequest("pty-req", true, Marshal(&req))
210 if err == nil && !ok {
211 err = errors.New("ssh: pty-req failed")
212 }
213 return err
214}
215
216// RFC 4254 Section 6.5.
217type subsystemRequestMsg struct {
218 Subsystem string
219}
220
221// RequestSubsystem requests the association of a subsystem with the session on the remote host.
222// A subsystem is a predefined command that runs in the background when the ssh session is initiated
223func (s *Session) RequestSubsystem(subsystem string) error {
224 msg := subsystemRequestMsg{
225 Subsystem: subsystem,
226 }
227 ok, err := s.ch.SendRequest("subsystem", true, Marshal(&msg))
228 if err == nil && !ok {
229 err = errors.New("ssh: subsystem request failed")
230 }
231 return err
232}
233
234// RFC 4254 Section 6.9.
235type signalMsg struct {
236 Signal string
237}
238
239// Signal sends the given signal to the remote process.
240// sig is one of the SIG* constants.
241func (s *Session) Signal(sig Signal) error {
242 msg := signalMsg{
243 Signal: string(sig),
244 }
245
246 _, err := s.ch.SendRequest("signal", false, Marshal(&msg))
247 return err
248}
249
250// RFC 4254 Section 6.5.
251type execMsg struct {
252 Command string
253}
254
255// Start runs cmd on the remote host. Typically, the remote
256// server passes cmd to the shell for interpretation.
257// A Session only accepts one call to Run, Start or Shell.
258func (s *Session) Start(cmd string) error {
259 if s.started {
260 return errors.New("ssh: session already started")
261 }
262 req := execMsg{
263 Command: cmd,
264 }
265
266 ok, err := s.ch.SendRequest("exec", true, Marshal(&req))
267 if err == nil && !ok {
268 err = fmt.Errorf("ssh: command %v failed", cmd)
269 }
270 if err != nil {
271 return err
272 }
273 return s.start()
274}
275
276// Run runs cmd on the remote host. Typically, the remote
277// server passes cmd to the shell for interpretation.
278// A Session only accepts one call to Run, Start, Shell, Output,
279// or CombinedOutput.
280//
281// The returned error is nil if the command runs, has no problems
282// copying stdin, stdout, and stderr, and exits with a zero exit
283// status.
284//
285// If the remote server does not send an exit status, an error of type
286// *ExitMissingError is returned. If the command completes
287// unsuccessfully or is interrupted by a signal, the error is of type
288// *ExitError. Other error types may be returned for I/O problems.
289func (s *Session) Run(cmd string) error {
290 err := s.Start(cmd)
291 if err != nil {
292 return err
293 }
294 return s.Wait()
295}
296
297// Output runs cmd on the remote host and returns its standard output.
298func (s *Session) Output(cmd string) ([]byte, error) {
299 if s.Stdout != nil {
300 return nil, errors.New("ssh: Stdout already set")
301 }
302 var b bytes.Buffer
303 s.Stdout = &b
304 err := s.Run(cmd)
305 return b.Bytes(), err
306}
307
308type singleWriter struct {
309 b bytes.Buffer
310 mu sync.Mutex
311}
312
313func (w *singleWriter) Write(p []byte) (int, error) {
314 w.mu.Lock()
315 defer w.mu.Unlock()
316 return w.b.Write(p)
317}
318
319// CombinedOutput runs cmd on the remote host and returns its combined
320// standard output and standard error.
321func (s *Session) CombinedOutput(cmd string) ([]byte, error) {
322 if s.Stdout != nil {
323 return nil, errors.New("ssh: Stdout already set")
324 }
325 if s.Stderr != nil {
326 return nil, errors.New("ssh: Stderr already set")
327 }
328 var b singleWriter
329 s.Stdout = &b
330 s.Stderr = &b
331 err := s.Run(cmd)
332 return b.b.Bytes(), err
333}
334
335// Shell starts a login shell on the remote host. A Session only
336// accepts one call to Run, Start, Shell, Output, or CombinedOutput.
337func (s *Session) Shell() error {
338 if s.started {
339 return errors.New("ssh: session already started")
340 }
341
342 ok, err := s.ch.SendRequest("shell", true, nil)
343 if err == nil && !ok {
344 return errors.New("ssh: could not start shell")
345 }
346 if err != nil {
347 return err
348 }
349 return s.start()
350}
351
352func (s *Session) start() error {
353 s.started = true
354
355 type F func(*Session)
356 for _, setupFd := range []F{(*Session).stdin, (*Session).stdout, (*Session).stderr} {
357 setupFd(s)
358 }
359
360 s.errors = make(chan error, len(s.copyFuncs))
361 for _, fn := range s.copyFuncs {
362 go func(fn func() error) {
363 s.errors <- fn()
364 }(fn)
365 }
366 return nil
367}
368
369// Wait waits for the remote command to exit.
370//
371// The returned error is nil if the command runs, has no problems
372// copying stdin, stdout, and stderr, and exits with a zero exit
373// status.
374//
375// If the remote server does not send an exit status, an error of type
376// *ExitMissingError is returned. If the command completes
377// unsuccessfully or is interrupted by a signal, the error is of type
378// *ExitError. Other error types may be returned for I/O problems.
379func (s *Session) Wait() error {
380 if !s.started {
381 return errors.New("ssh: session not started")
382 }
383 waitErr := <-s.exitStatus
384
385 if s.stdinPipeWriter != nil {
386 s.stdinPipeWriter.Close()
387 }
388 var copyError error
389 for _ = range s.copyFuncs {
390 if err := <-s.errors; err != nil && copyError == nil {
391 copyError = err
392 }
393 }
394 if waitErr != nil {
395 return waitErr
396 }
397 return copyError
398}
399
400func (s *Session) wait(reqs <-chan *Request) error {
401 wm := Waitmsg{status: -1}
402 // Wait for msg channel to be closed before returning.
403 for msg := range reqs {
404 switch msg.Type {
405 case "exit-status":
406 wm.status = int(binary.BigEndian.Uint32(msg.Payload))
407 case "exit-signal":
408 var sigval struct {
409 Signal string
410 CoreDumped bool
411 Error string
412 Lang string
413 }
414 if err := Unmarshal(msg.Payload, &sigval); err != nil {
415 return err
416 }
417
418 // Must sanitize strings?
419 wm.signal = sigval.Signal
420 wm.msg = sigval.Error
421 wm.lang = sigval.Lang
422 default:
423 // This handles keepalives and matches
424 // OpenSSH's behaviour.
425 if msg.WantReply {
426 msg.Reply(false, nil)
427 }
428 }
429 }
430 if wm.status == 0 {
431 return nil
432 }
433 if wm.status == -1 {
434 // exit-status was never sent from server
435 if wm.signal == "" {
436 // signal was not sent either. RFC 4254
437 // section 6.10 recommends against this
438 // behavior, but it is allowed, so we let
439 // clients handle it.
440 return &ExitMissingError{}
441 }
442 wm.status = 128
443 if _, ok := signals[Signal(wm.signal)]; ok {
444 wm.status += signals[Signal(wm.signal)]
445 }
446 }
447
448 return &ExitError{wm}
449}
450
451// ExitMissingError is returned if a session is torn down cleanly, but
452// the server sends no confirmation of the exit status.
453type ExitMissingError struct{}
454
455func (e *ExitMissingError) Error() string {
456 return "wait: remote command exited without exit status or exit signal"
457}
458
459func (s *Session) stdin() {
460 if s.stdinpipe {
461 return
462 }
463 var stdin io.Reader
464 if s.Stdin == nil {
465 stdin = new(bytes.Buffer)
466 } else {
467 r, w := io.Pipe()
468 go func() {
469 _, err := io.Copy(w, s.Stdin)
470 w.CloseWithError(err)
471 }()
472 stdin, s.stdinPipeWriter = r, w
473 }
474 s.copyFuncs = append(s.copyFuncs, func() error {
475 _, err := io.Copy(s.ch, stdin)
476 if err1 := s.ch.CloseWrite(); err == nil && err1 != io.EOF {
477 err = err1
478 }
479 return err
480 })
481}
482
483func (s *Session) stdout() {
484 if s.stdoutpipe {
485 return
486 }
487 if s.Stdout == nil {
488 s.Stdout = ioutil.Discard
489 }
490 s.copyFuncs = append(s.copyFuncs, func() error {
491 _, err := io.Copy(s.Stdout, s.ch)
492 return err
493 })
494}
495
496func (s *Session) stderr() {
497 if s.stderrpipe {
498 return
499 }
500 if s.Stderr == nil {
501 s.Stderr = ioutil.Discard
502 }
503 s.copyFuncs = append(s.copyFuncs, func() error {
504 _, err := io.Copy(s.Stderr, s.ch.Stderr())
505 return err
506 })
507}
508
509// sessionStdin reroutes Close to CloseWrite.
510type sessionStdin struct {
511 io.Writer
512 ch Channel
513}
514
515func (s *sessionStdin) Close() error {
516 return s.ch.CloseWrite()
517}
518
519// StdinPipe returns a pipe that will be connected to the
520// remote command's standard input when the command starts.
521func (s *Session) StdinPipe() (io.WriteCloser, error) {
522 if s.Stdin != nil {
523 return nil, errors.New("ssh: Stdin already set")
524 }
525 if s.started {
526 return nil, errors.New("ssh: StdinPipe after process started")
527 }
528 s.stdinpipe = true
529 return &sessionStdin{s.ch, s.ch}, nil
530}
531
532// StdoutPipe returns a pipe that will be connected to the
533// remote command's standard output when the command starts.
534// There is a fixed amount of buffering that is shared between
535// stdout and stderr streams. If the StdoutPipe reader is
536// not serviced fast enough it may eventually cause the
537// remote command to block.
538func (s *Session) StdoutPipe() (io.Reader, error) {
539 if s.Stdout != nil {
540 return nil, errors.New("ssh: Stdout already set")
541 }
542 if s.started {
543 return nil, errors.New("ssh: StdoutPipe after process started")
544 }
545 s.stdoutpipe = true
546 return s.ch, nil
547}
548
549// StderrPipe returns a pipe that will be connected to the
550// remote command's standard error when the command starts.
551// There is a fixed amount of buffering that is shared between
552// stdout and stderr streams. If the StderrPipe reader is
553// not serviced fast enough it may eventually cause the
554// remote command to block.
555func (s *Session) StderrPipe() (io.Reader, error) {
556 if s.Stderr != nil {
557 return nil, errors.New("ssh: Stderr already set")
558 }
559 if s.started {
560 return nil, errors.New("ssh: StderrPipe after process started")
561 }
562 s.stderrpipe = true
563 return s.ch.Stderr(), nil
564}
565
566// newSession returns a new interactive session on the remote host.
567func newSession(ch Channel, reqs <-chan *Request) (*Session, error) {
568 s := &Session{
569 ch: ch,
570 }
571 s.exitStatus = make(chan error, 1)
572 go func() {
573 s.exitStatus <- s.wait(reqs)
574 }()
575
576 return s, nil
577}
578
579// An ExitError reports unsuccessful completion of a remote command.
580type ExitError struct {
581 Waitmsg
582}
583
584func (e *ExitError) Error() string {
585 return e.Waitmsg.String()
586}
587
588// Waitmsg stores the information about an exited remote command
589// as reported by Wait.
590type Waitmsg struct {
591 status int
592 signal string
593 msg string
594 lang string
595}
596
597// ExitStatus returns the exit status of the remote command.
598func (w Waitmsg) ExitStatus() int {
599 return w.status
600}
601
602// Signal returns the exit signal of the remote command if
603// it was terminated violently.
604func (w Waitmsg) Signal() string {
605 return w.signal
606}
607
608// Msg returns the exit message given by the remote command
609func (w Waitmsg) Msg() string {
610 return w.msg
611}
612
613// Lang returns the language tag. See RFC 3066
614func (w Waitmsg) Lang() string {
615 return w.lang
616}
617
618func (w Waitmsg) String() string {
619 str := fmt.Sprintf("Process exited with status %v", w.status)
620 if w.signal != "" {
621 str += fmt.Sprintf(" from signal %v", w.signal)
622 }
623 if w.msg != "" {
624 str += fmt.Sprintf(". Reason was: %v", w.msg)
625 }
626 return str
627}
diff --git a/vendor/golang.org/x/crypto/ssh/tcpip.go b/vendor/golang.org/x/crypto/ssh/tcpip.go
deleted file mode 100644
index 6151241..0000000
--- a/vendor/golang.org/x/crypto/ssh/tcpip.go
+++ /dev/null
@@ -1,407 +0,0 @@
1// Copyright 2011 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7import (
8 "errors"
9 "fmt"
10 "io"
11 "math/rand"
12 "net"
13 "strconv"
14 "strings"
15 "sync"
16 "time"
17)
18
19// Listen requests the remote peer open a listening socket on
20// addr. Incoming connections will be available by calling Accept on
21// the returned net.Listener. The listener must be serviced, or the
22// SSH connection may hang.
23func (c *Client) Listen(n, addr string) (net.Listener, error) {
24 laddr, err := net.ResolveTCPAddr(n, addr)
25 if err != nil {
26 return nil, err
27 }
28 return c.ListenTCP(laddr)
29}
30
31// Automatic port allocation is broken with OpenSSH before 6.0. See
32// also https://bugzilla.mindrot.org/show_bug.cgi?id=2017. In
33// particular, OpenSSH 5.9 sends a channelOpenMsg with port number 0,
34// rather than the actual port number. This means you can never open
35// two different listeners with auto allocated ports. We work around
36// this by trying explicit ports until we succeed.
37
38const openSSHPrefix = "OpenSSH_"
39
40var portRandomizer = rand.New(rand.NewSource(time.Now().UnixNano()))
41
42// isBrokenOpenSSHVersion returns true if the given version string
43// specifies a version of OpenSSH that is known to have a bug in port
44// forwarding.
45func isBrokenOpenSSHVersion(versionStr string) bool {
46 i := strings.Index(versionStr, openSSHPrefix)
47 if i < 0 {
48 return false
49 }
50 i += len(openSSHPrefix)
51 j := i
52 for ; j < len(versionStr); j++ {
53 if versionStr[j] < '0' || versionStr[j] > '9' {
54 break
55 }
56 }
57 version, _ := strconv.Atoi(versionStr[i:j])
58 return version < 6
59}
60
61// autoPortListenWorkaround simulates automatic port allocation by
62// trying random ports repeatedly.
63func (c *Client) autoPortListenWorkaround(laddr *net.TCPAddr) (net.Listener, error) {
64 var sshListener net.Listener
65 var err error
66 const tries = 10
67 for i := 0; i < tries; i++ {
68 addr := *laddr
69 addr.Port = 1024 + portRandomizer.Intn(60000)
70 sshListener, err = c.ListenTCP(&addr)
71 if err == nil {
72 laddr.Port = addr.Port
73 return sshListener, err
74 }
75 }
76 return nil, fmt.Errorf("ssh: listen on random port failed after %d tries: %v", tries, err)
77}
78
79// RFC 4254 7.1
80type channelForwardMsg struct {
81 addr string
82 rport uint32
83}
84
85// ListenTCP requests the remote peer open a listening socket
86// on laddr. Incoming connections will be available by calling
87// Accept on the returned net.Listener.
88func (c *Client) ListenTCP(laddr *net.TCPAddr) (net.Listener, error) {
89 if laddr.Port == 0 && isBrokenOpenSSHVersion(string(c.ServerVersion())) {
90 return c.autoPortListenWorkaround(laddr)
91 }
92
93 m := channelForwardMsg{
94 laddr.IP.String(),
95 uint32(laddr.Port),
96 }
97 // send message
98 ok, resp, err := c.SendRequest("tcpip-forward", true, Marshal(&m))
99 if err != nil {
100 return nil, err
101 }
102 if !ok {
103 return nil, errors.New("ssh: tcpip-forward request denied by peer")
104 }
105
106 // If the original port was 0, then the remote side will
107 // supply a real port number in the response.
108 if laddr.Port == 0 {
109 var p struct {
110 Port uint32
111 }
112 if err := Unmarshal(resp, &p); err != nil {
113 return nil, err
114 }
115 laddr.Port = int(p.Port)
116 }
117
118 // Register this forward, using the port number we obtained.
119 ch := c.forwards.add(*laddr)
120
121 return &tcpListener{laddr, c, ch}, nil
122}
123
124// forwardList stores a mapping between remote
125// forward requests and the tcpListeners.
126type forwardList struct {
127 sync.Mutex
128 entries []forwardEntry
129}
130
131// forwardEntry represents an established mapping of a laddr on a
132// remote ssh server to a channel connected to a tcpListener.
133type forwardEntry struct {
134 laddr net.TCPAddr
135 c chan forward
136}
137
138// forward represents an incoming forwarded tcpip connection. The
139// arguments to add/remove/lookup should be address as specified in
140// the original forward-request.
141type forward struct {
142 newCh NewChannel // the ssh client channel underlying this forward
143 raddr *net.TCPAddr // the raddr of the incoming connection
144}
145
146func (l *forwardList) add(addr net.TCPAddr) chan forward {
147 l.Lock()
148 defer l.Unlock()
149 f := forwardEntry{
150 addr,
151 make(chan forward, 1),
152 }
153 l.entries = append(l.entries, f)
154 return f.c
155}
156
157// See RFC 4254, section 7.2
158type forwardedTCPPayload struct {
159 Addr string
160 Port uint32
161 OriginAddr string
162 OriginPort uint32
163}
164
165// parseTCPAddr parses the originating address from the remote into a *net.TCPAddr.
166func parseTCPAddr(addr string, port uint32) (*net.TCPAddr, error) {
167 if port == 0 || port > 65535 {
168 return nil, fmt.Errorf("ssh: port number out of range: %d", port)
169 }
170 ip := net.ParseIP(string(addr))
171 if ip == nil {
172 return nil, fmt.Errorf("ssh: cannot parse IP address %q", addr)
173 }
174 return &net.TCPAddr{IP: ip, Port: int(port)}, nil
175}
176
177func (l *forwardList) handleChannels(in <-chan NewChannel) {
178 for ch := range in {
179 var payload forwardedTCPPayload
180 if err := Unmarshal(ch.ExtraData(), &payload); err != nil {
181 ch.Reject(ConnectionFailed, "could not parse forwarded-tcpip payload: "+err.Error())
182 continue
183 }
184
185 // RFC 4254 section 7.2 specifies that incoming
186 // addresses should list the address, in string
187 // format. It is implied that this should be an IP
188 // address, as it would be impossible to connect to it
189 // otherwise.
190 laddr, err := parseTCPAddr(payload.Addr, payload.Port)
191 if err != nil {
192 ch.Reject(ConnectionFailed, err.Error())
193 continue
194 }
195 raddr, err := parseTCPAddr(payload.OriginAddr, payload.OriginPort)
196 if err != nil {
197 ch.Reject(ConnectionFailed, err.Error())
198 continue
199 }
200
201 if ok := l.forward(*laddr, *raddr, ch); !ok {
202 // Section 7.2, implementations MUST reject spurious incoming
203 // connections.
204 ch.Reject(Prohibited, "no forward for address")
205 continue
206 }
207 }
208}
209
210// remove removes the forward entry, and the channel feeding its
211// listener.
212func (l *forwardList) remove(addr net.TCPAddr) {
213 l.Lock()
214 defer l.Unlock()
215 for i, f := range l.entries {
216 if addr.IP.Equal(f.laddr.IP) && addr.Port == f.laddr.Port {
217 l.entries = append(l.entries[:i], l.entries[i+1:]...)
218 close(f.c)
219 return
220 }
221 }
222}
223
224// closeAll closes and clears all forwards.
225func (l *forwardList) closeAll() {
226 l.Lock()
227 defer l.Unlock()
228 for _, f := range l.entries {
229 close(f.c)
230 }
231 l.entries = nil
232}
233
234func (l *forwardList) forward(laddr, raddr net.TCPAddr, ch NewChannel) bool {
235 l.Lock()
236 defer l.Unlock()
237 for _, f := range l.entries {
238 if laddr.IP.Equal(f.laddr.IP) && laddr.Port == f.laddr.Port {
239 f.c <- forward{ch, &raddr}
240 return true
241 }
242 }
243 return false
244}
245
246type tcpListener struct {
247 laddr *net.TCPAddr
248
249 conn *Client
250 in <-chan forward
251}
252
253// Accept waits for and returns the next connection to the listener.
254func (l *tcpListener) Accept() (net.Conn, error) {
255 s, ok := <-l.in
256 if !ok {
257 return nil, io.EOF
258 }
259 ch, incoming, err := s.newCh.Accept()
260 if err != nil {
261 return nil, err
262 }
263 go DiscardRequests(incoming)
264
265 return &tcpChanConn{
266 Channel: ch,
267 laddr: l.laddr,
268 raddr: s.raddr,
269 }, nil
270}
271
272// Close closes the listener.
273func (l *tcpListener) Close() error {
274 m := channelForwardMsg{
275 l.laddr.IP.String(),
276 uint32(l.laddr.Port),
277 }
278
279 // this also closes the listener.
280 l.conn.forwards.remove(*l.laddr)
281 ok, _, err := l.conn.SendRequest("cancel-tcpip-forward", true, Marshal(&m))
282 if err == nil && !ok {
283 err = errors.New("ssh: cancel-tcpip-forward failed")
284 }
285 return err
286}
287
288// Addr returns the listener's network address.
289func (l *tcpListener) Addr() net.Addr {
290 return l.laddr
291}
292
293// Dial initiates a connection to the addr from the remote host.
294// The resulting connection has a zero LocalAddr() and RemoteAddr().
295func (c *Client) Dial(n, addr string) (net.Conn, error) {
296 // Parse the address into host and numeric port.
297 host, portString, err := net.SplitHostPort(addr)
298 if err != nil {
299 return nil, err
300 }
301 port, err := strconv.ParseUint(portString, 10, 16)
302 if err != nil {
303 return nil, err
304 }
305 // Use a zero address for local and remote address.
306 zeroAddr := &net.TCPAddr{
307 IP: net.IPv4zero,
308 Port: 0,
309 }
310 ch, err := c.dial(net.IPv4zero.String(), 0, host, int(port))
311 if err != nil {
312 return nil, err
313 }
314 return &tcpChanConn{
315 Channel: ch,
316 laddr: zeroAddr,
317 raddr: zeroAddr,
318 }, nil
319}
320
321// DialTCP connects to the remote address raddr on the network net,
322// which must be "tcp", "tcp4", or "tcp6". If laddr is not nil, it is used
323// as the local address for the connection.
324func (c *Client) DialTCP(n string, laddr, raddr *net.TCPAddr) (net.Conn, error) {
325 if laddr == nil {
326 laddr = &net.TCPAddr{
327 IP: net.IPv4zero,
328 Port: 0,
329 }
330 }
331 ch, err := c.dial(laddr.IP.String(), laddr.Port, raddr.IP.String(), raddr.Port)
332 if err != nil {
333 return nil, err
334 }
335 return &tcpChanConn{
336 Channel: ch,
337 laddr: laddr,
338 raddr: raddr,
339 }, nil
340}
341
342// RFC 4254 7.2
343type channelOpenDirectMsg struct {
344 raddr string
345 rport uint32
346 laddr string
347 lport uint32
348}
349
350func (c *Client) dial(laddr string, lport int, raddr string, rport int) (Channel, error) {
351 msg := channelOpenDirectMsg{
352 raddr: raddr,
353 rport: uint32(rport),
354 laddr: laddr,
355 lport: uint32(lport),
356 }
357 ch, in, err := c.OpenChannel("direct-tcpip", Marshal(&msg))
358 if err != nil {
359 return nil, err
360 }
361 go DiscardRequests(in)
362 return ch, err
363}
364
365type tcpChan struct {
366 Channel // the backing channel
367}
368
369// tcpChanConn fulfills the net.Conn interface without
370// the tcpChan having to hold laddr or raddr directly.
371type tcpChanConn struct {
372 Channel
373 laddr, raddr net.Addr
374}
375
376// LocalAddr returns the local network address.
377func (t *tcpChanConn) LocalAddr() net.Addr {
378 return t.laddr
379}
380
381// RemoteAddr returns the remote network address.
382func (t *tcpChanConn) RemoteAddr() net.Addr {
383 return t.raddr
384}
385
386// SetDeadline sets the read and write deadlines associated
387// with the connection.
388func (t *tcpChanConn) SetDeadline(deadline time.Time) error {
389 if err := t.SetReadDeadline(deadline); err != nil {
390 return err
391 }
392 return t.SetWriteDeadline(deadline)
393}
394
395// SetReadDeadline sets the read deadline.
396// A zero value for t means Read will not time out.
397// After the deadline, the error from Read will implement net.Error
398// with Timeout() == true.
399func (t *tcpChanConn) SetReadDeadline(deadline time.Time) error {
400 return errors.New("ssh: tcpChan: deadline not supported")
401}
402
403// SetWriteDeadline exists to satisfy the net.Conn interface
404// but is not implemented by this type. It always returns an error.
405func (t *tcpChanConn) SetWriteDeadline(deadline time.Time) error {
406 return errors.New("ssh: tcpChan: deadline not supported")
407}
diff --git a/vendor/golang.org/x/crypto/ssh/transport.go b/vendor/golang.org/x/crypto/ssh/transport.go
deleted file mode 100644
index f9780e0..0000000
--- a/vendor/golang.org/x/crypto/ssh/transport.go
+++ /dev/null
@@ -1,375 +0,0 @@
1// Copyright 2011 The Go Authors. All rights reserved.
2// Use of this source code is governed by a BSD-style
3// license that can be found in the LICENSE file.
4
5package ssh
6
7import (
8 "bufio"
9 "errors"
10 "io"
11 "log"
12)
13
14// debugTransport if set, will print packet types as they go over the
15// wire. No message decoding is done, to minimize the impact on timing.
16const debugTransport = false
17
18const (
19 gcmCipherID = "aes128-gcm@openssh.com"
20 aes128cbcID = "aes128-cbc"
21 tripledescbcID = "3des-cbc"
22)
23
24// packetConn represents a transport that implements packet based
25// operations.
26type packetConn interface {
27 // Encrypt and send a packet of data to the remote peer.
28 writePacket(packet []byte) error
29
30 // Read a packet from the connection. The read is blocking,
31 // i.e. if error is nil, then the returned byte slice is
32 // always non-empty.
33 readPacket() ([]byte, error)
34
35 // Close closes the write-side of the connection.
36 Close() error
37}
38
39// transport is the keyingTransport that implements the SSH packet
40// protocol.
41type transport struct {
42 reader connectionState
43 writer connectionState
44
45 bufReader *bufio.Reader
46 bufWriter *bufio.Writer
47 rand io.Reader
48 isClient bool
49 io.Closer
50}
51
52// packetCipher represents a combination of SSH encryption/MAC
53// protocol. A single instance should be used for one direction only.
54type packetCipher interface {
55 // writePacket encrypts the packet and writes it to w. The
56 // contents of the packet are generally scrambled.
57 writePacket(seqnum uint32, w io.Writer, rand io.Reader, packet []byte) error
58
59 // readPacket reads and decrypts a packet of data. The
60 // returned packet may be overwritten by future calls of
61 // readPacket.
62 readPacket(seqnum uint32, r io.Reader) ([]byte, error)
63}
64
65// connectionState represents one side (read or write) of the
66// connection. This is necessary because each direction has its own
67// keys, and can even have its own algorithms
68type connectionState struct {
69 packetCipher
70 seqNum uint32
71 dir direction
72 pendingKeyChange chan packetCipher
73}
74
75// prepareKeyChange sets up key material for a keychange. The key changes in
76// both directions are triggered by reading and writing a msgNewKey packet
77// respectively.
78func (t *transport) prepareKeyChange(algs *algorithms, kexResult *kexResult) error {
79 if ciph, err := newPacketCipher(t.reader.dir, algs.r, kexResult); err != nil {
80 return err
81 } else {
82 t.reader.pendingKeyChange <- ciph
83 }
84
85 if ciph, err := newPacketCipher(t.writer.dir, algs.w, kexResult); err != nil {
86 return err
87 } else {
88 t.writer.pendingKeyChange <- ciph
89 }
90
91 return nil
92}
93
94func (t *transport) printPacket(p []byte, write bool) {
95 if len(p) == 0 {
96 return
97 }
98 who := "server"
99 if t.isClient {
100 who = "client"
101 }
102 what := "read"
103 if write {
104 what = "write"
105 }
106
107 log.Println(what, who, p[0])
108}
109
110// Read and decrypt next packet.
111func (t *transport) readPacket() (p []byte, err error) {
112 for {
113 p, err = t.reader.readPacket(t.bufReader)
114 if err != nil {
115 break
116 }
117 if len(p) == 0 || (p[0] != msgIgnore && p[0] != msgDebug) {
118 break
119 }
120 }
121 if debugTransport {
122 t.printPacket(p, false)
123 }
124
125 return p, err
126}
127
128func (s *connectionState) readPacket(r *bufio.Reader) ([]byte, error) {
129 packet, err := s.packetCipher.readPacket(s.seqNum, r)
130 s.seqNum++
131 if err == nil && len(packet) == 0 {
132 err = errors.New("ssh: zero length packet")
133 }
134
135 if len(packet) > 0 {
136 switch packet[0] {
137 case msgNewKeys:
138 select {
139 case cipher := <-s.pendingKeyChange:
140 s.packetCipher = cipher
141 default:
142 return nil, errors.New("ssh: got bogus newkeys message.")
143 }
144
145 case msgDisconnect:
146 // Transform a disconnect message into an
147 // error. Since this is lowest level at which
148 // we interpret message types, doing it here
149 // ensures that we don't have to handle it
150 // elsewhere.
151 var msg disconnectMsg
152 if err := Unmarshal(packet, &msg); err != nil {
153 return nil, err
154 }
155 return nil, &msg
156 }
157 }
158
159 // The packet may point to an internal buffer, so copy the
160 // packet out here.
161 fresh := make([]byte, len(packet))
162 copy(fresh, packet)
163
164 return fresh, err
165}
166
167func (t *transport) writePacket(packet []byte) error {
168 if debugTransport {
169 t.printPacket(packet, true)
170 }
171 return t.writer.writePacket(t.bufWriter, t.rand, packet)
172}
173
174func (s *connectionState) writePacket(w *bufio.Writer, rand io.Reader, packet []byte) error {
175 changeKeys := len(packet) > 0 && packet[0] == msgNewKeys
176
177 err := s.packetCipher.writePacket(s.seqNum, w, rand, packet)
178 if err != nil {
179 return err
180 }
181 if err = w.Flush(); err != nil {
182 return err
183 }
184 s.seqNum++
185 if changeKeys {
186 select {
187 case cipher := <-s.pendingKeyChange:
188 s.packetCipher = cipher
189 default:
190 panic("ssh: no key material for msgNewKeys")
191 }
192 }
193 return err
194}
195
196func newTransport(rwc io.ReadWriteCloser, rand io.Reader, isClient bool) *transport {
197 t := &transport{
198 bufReader: bufio.NewReader(rwc),
199 bufWriter: bufio.NewWriter(rwc),
200 rand: rand,
201 reader: connectionState{
202 packetCipher: &streamPacketCipher{cipher: noneCipher{}},
203 pendingKeyChange: make(chan packetCipher, 1),
204 },
205 writer: connectionState{
206 packetCipher: &streamPacketCipher{cipher: noneCipher{}},
207 pendingKeyChange: make(chan packetCipher, 1),
208 },
209 Closer: rwc,
210 }
211 t.isClient = isClient
212
213 if isClient {
214 t.reader.dir = serverKeys
215 t.writer.dir = clientKeys
216 } else {
217 t.reader.dir = clientKeys
218 t.writer.dir = serverKeys
219 }
220
221 return t
222}
223
224type direction struct {
225 ivTag []byte
226 keyTag []byte
227 macKeyTag []byte
228}
229
230var (
231 serverKeys = direction{[]byte{'B'}, []byte{'D'}, []byte{'F'}}
232 clientKeys = direction{[]byte{'A'}, []byte{'C'}, []byte{'E'}}
233)
234
235// generateKeys generates key material for IV, MAC and encryption.
236func generateKeys(d direction, algs directionAlgorithms, kex *kexResult) (iv, key, macKey []byte) {
237 cipherMode := cipherModes[algs.Cipher]
238 macMode := macModes[algs.MAC]
239
240 iv = make([]byte, cipherMode.ivSize)
241 key = make([]byte, cipherMode.keySize)
242 macKey = make([]byte, macMode.keySize)
243
244 generateKeyMaterial(iv, d.ivTag, kex)
245 generateKeyMaterial(key, d.keyTag, kex)
246 generateKeyMaterial(macKey, d.macKeyTag, kex)
247 return
248}
249
250// setupKeys sets the cipher and MAC keys from kex.K, kex.H and sessionId, as
251// described in RFC 4253, section 6.4. direction should either be serverKeys
252// (to setup server->client keys) or clientKeys (for client->server keys).
253func newPacketCipher(d direction, algs directionAlgorithms, kex *kexResult) (packetCipher, error) {
254 iv, key, macKey := generateKeys(d, algs, kex)
255
256 if algs.Cipher == gcmCipherID {
257 return newGCMCipher(iv, key, macKey)
258 }
259
260 if algs.Cipher == aes128cbcID {
261 return newAESCBCCipher(iv, key, macKey, algs)
262 }
263
264 if algs.Cipher == tripledescbcID {
265 return newTripleDESCBCCipher(iv, key, macKey, algs)
266 }
267
268 c := &streamPacketCipher{
269 mac: macModes[algs.MAC].new(macKey),
270 etm: macModes[algs.MAC].etm,
271 }
272 c.macResult = make([]byte, c.mac.Size())
273
274 var err error
275 c.cipher, err = cipherModes[algs.Cipher].createStream(key, iv)
276 if err != nil {
277 return nil, err
278 }
279
280 return c, nil
281}
282
283// generateKeyMaterial fills out with key material generated from tag, K, H
284// and sessionId, as specified in RFC 4253, section 7.2.
285func generateKeyMaterial(out, tag []byte, r *kexResult) {
286 var digestsSoFar []byte
287
288 h := r.Hash.New()
289 for len(out) > 0 {
290 h.Reset()
291 h.Write(r.K)
292 h.Write(r.H)
293
294 if len(digestsSoFar) == 0 {
295 h.Write(tag)
296 h.Write(r.SessionID)
297 } else {
298 h.Write(digestsSoFar)
299 }
300
301 digest := h.Sum(nil)
302 n := copy(out, digest)
303 out = out[n:]
304 if len(out) > 0 {
305 digestsSoFar = append(digestsSoFar, digest...)
306 }
307 }
308}
309
310const packageVersion = "SSH-2.0-Go"
311
312// Sends and receives a version line. The versionLine string should
313// be US ASCII, start with "SSH-2.0-", and should not include a
314// newline. exchangeVersions returns the other side's version line.
315func exchangeVersions(rw io.ReadWriter, versionLine []byte) (them []byte, err error) {
316 // Contrary to the RFC, we do not ignore lines that don't
317 // start with "SSH-2.0-" to make the library usable with
318 // nonconforming servers.
319 for _, c := range versionLine {
320 // The spec disallows non US-ASCII chars, and
321 // specifically forbids null chars.
322 if c < 32 {
323 return nil, errors.New("ssh: junk character in version line")
324 }
325 }
326 if _, err = rw.Write(append(versionLine, '\r', '\n')); err != nil {
327 return
328 }
329
330 them, err = readVersion(rw)
331 return them, err
332}
333
334// maxVersionStringBytes is the maximum number of bytes that we'll
335// accept as a version string. RFC 4253 section 4.2 limits this at 255
336// chars
337const maxVersionStringBytes = 255
338
339// Read version string as specified by RFC 4253, section 4.2.
340func readVersion(r io.Reader) ([]byte, error) {
341 versionString := make([]byte, 0, 64)
342 var ok bool
343 var buf [1]byte
344
345 for len(versionString) < maxVersionStringBytes {
346 _, err := io.ReadFull(r, buf[:])
347 if err != nil {
348 return nil, err
349 }
350 // The RFC says that the version should be terminated with \r\n
351 // but several SSH servers actually only send a \n.
352 if buf[0] == '\n' {
353 ok = true
354 break
355 }
356
357 // non ASCII chars are disallowed, but we are lenient,
358 // since Go doesn't use null-terminated strings.
359
360 // The RFC allows a comment after a space, however,
361 // all of it (version and comments) goes into the
362 // session hash.
363 versionString = append(versionString, buf[0])
364 }
365
366 if !ok {
367 return nil, errors.New("ssh: overflow reading version string")
368 }
369
370 // There might be a '\r' on the end which we should remove.
371 if len(versionString) > 0 && versionString[len(versionString)-1] == '\r' {
372 versionString = versionString[:len(versionString)-1]
373 }
374 return versionString, nil
375}