1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 // Package xtea implements XTEA encryption, as defined in Needham and Wheeler's 6 // 1997 technical report, "Tea extensions." 7 // 8 // XTEA is a legacy cipher and its short block size makes it vulnerable to 9 // birthday bound attacks (see https://sweet32.info). It should only be used 10 // where compatibility with legacy systems, not security, is the goal. 11 // 12 // Deprecated: any new system should use AES (from crypto/aes, if necessary in 13 // an AEAD mode like crypto/cipher.NewGCM) or XChaCha20-Poly1305 (from 14 // golang.org/x/crypto/chacha20poly1305). 15 package xtea // import "golang.org/x/crypto/xtea" 16 17 // For details, see http://www.cix.co.uk/~klockstone/xtea.pdf 18 19 import "strconv" 20 21 // The XTEA block size in bytes. 22 const BlockSize = 8 23 24 // A Cipher is an instance of an XTEA cipher using a particular key. 25 type Cipher struct { 26 // table contains a series of precalculated values that are used each round. 27 table [64]uint32 28 } 29 30 type KeySizeError int 31 32 func (k KeySizeError) Error() string { 33 return "crypto/xtea: invalid key size " + strconv.Itoa(int(k)) 34 } 35 36 // NewCipher creates and returns a new Cipher. 37 // The key argument should be the XTEA key. 38 // XTEA only supports 128 bit (16 byte) keys. 39 func NewCipher(key []byte) (*Cipher, error) { 40 k := len(key) 41 switch k { 42 default: 43 return nil, KeySizeError(k) 44 case 16: 45 break 46 } 47 48 c := new(Cipher) 49 initCipher(c, key) 50 51 return c, nil 52 } 53 54 // BlockSize returns the XTEA block size, 8 bytes. 55 // It is necessary to satisfy the Block interface in the 56 // package "crypto/cipher". 57 func (c *Cipher) BlockSize() int { return BlockSize } 58 59 // Encrypt encrypts the 8 byte buffer src using the key and stores the result in dst. 60 // Note that for amounts of data larger than a block, 61 // it is not safe to just call Encrypt on successive blocks; 62 // instead, use an encryption mode like CBC (see crypto/cipher/cbc.go). 63 func (c *Cipher) Encrypt(dst, src []byte) { encryptBlock(c, dst, src) } 64 65 // Decrypt decrypts the 8 byte buffer src using the key and stores the result in dst. 66 func (c *Cipher) Decrypt(dst, src []byte) { decryptBlock(c, dst, src) } 67 68 // initCipher initializes the cipher context by creating a look up table 69 // of precalculated values that are based on the key. 70 func initCipher(c *Cipher, key []byte) { 71 // Load the key into four uint32s 72 var k [4]uint32 73 for i := 0; i < len(k); i++ { 74 j := i << 2 // Multiply by 4 75 k[i] = uint32(key[j+0])<<24 | uint32(key[j+1])<<16 | uint32(key[j+2])<<8 | uint32(key[j+3]) 76 } 77 78 // Precalculate the table 79 const delta = 0x9E3779B9 80 var sum uint32 81 82 // Two rounds of XTEA applied per loop 83 for i := 0; i < numRounds; { 84 c.table[i] = sum + k[sum&3] 85 i++ 86 sum += delta 87 c.table[i] = sum + k[(sum>>11)&3] 88 i++ 89 } 90 } 91