diff --git a/vendor/github.com/marten-seemann/chacha20/README.md b/vendor/github.com/Psiphon-Labs/chacha20/README.md similarity index 100% rename from vendor/github.com/marten-seemann/chacha20/README.md rename to vendor/github.com/Psiphon-Labs/chacha20/README.md diff --git a/vendor/github.com/marten-seemann/chacha20/asm_arm64.s b/vendor/github.com/Psiphon-Labs/chacha20/asm_arm64.s similarity index 100% rename from vendor/github.com/marten-seemann/chacha20/asm_arm64.s rename to vendor/github.com/Psiphon-Labs/chacha20/asm_arm64.s diff --git a/vendor/github.com/marten-seemann/chacha20/asm_ppc64le.s b/vendor/github.com/Psiphon-Labs/chacha20/asm_ppc64le.s similarity index 100% rename from vendor/github.com/marten-seemann/chacha20/asm_ppc64le.s rename to vendor/github.com/Psiphon-Labs/chacha20/asm_ppc64le.s diff --git a/vendor/github.com/marten-seemann/chacha20/chacha_arm64.go b/vendor/github.com/Psiphon-Labs/chacha20/chacha_arm64.go similarity index 100% rename from vendor/github.com/marten-seemann/chacha20/chacha_arm64.go rename to vendor/github.com/Psiphon-Labs/chacha20/chacha_arm64.go diff --git a/vendor/github.com/marten-seemann/chacha20/chacha_generic.go b/vendor/github.com/Psiphon-Labs/chacha20/chacha_generic.go similarity index 85% rename from vendor/github.com/marten-seemann/chacha20/chacha_generic.go rename to vendor/github.com/Psiphon-Labs/chacha20/chacha_generic.go index 8e04f30ec..612a773e6 100644 --- a/vendor/github.com/marten-seemann/chacha20/chacha_generic.go +++ b/vendor/github.com/Psiphon-Labs/chacha20/chacha_generic.go @@ -10,7 +10,7 @@ import ( "crypto/cipher" "encoding/binary" - "github.com/marten-seemann/chacha20/internal/subtle" + "github.com/Psiphon-Labs/chacha20/internal/subtle" ) // assert that *Cipher implements cipher.Stream @@ -19,11 +19,12 @@ var _ cipher.Stream = (*Cipher)(nil) // Cipher is a stateful instance of ChaCha20 using a particular key // and nonce. A *Cipher implements the cipher.Stream interface. type Cipher struct { - key [8]uint32 - counter uint32 // incremented after each block - nonce [3]uint32 - buf [bufSize]byte // buffer for unused keystream bytes - len int // number of unused keystream bytes at end of buf + key [8]uint32 + counter uint32 // incremented after each block + overflow bool + nonce [3]uint32 + buf [bufSize]byte // buffer for unused keystream bytes + len int // number of unused keystream bytes at end of buf } // New creates a new ChaCha20 stream cipher with the given key and nonce. @@ -97,7 +98,12 @@ func (s *Cipher) XORKeyStream(dst, src []byte) { return } if haveAsm { - if uint64(len(src))+uint64(s.counter)*64 > (1<<38)-64 { + + // [Psiphon] + // + // Allow up to 2^32 blocks. + + if uint64(len(src))+uint64(s.counter)*64 > (1 << 38) { panic("chacha20: counter overflow") } s.xorKeyStreamAsm(dst, src) @@ -120,6 +126,11 @@ func (s *Cipher) XORKeyStream(dst, src []byte) { n := len(src) src, dst = src[:n:n], dst[:n:n] // BCE hint for i := 0; i < n; i += 64 { + + if s.overflow { + panic("chacha20: counter overflow") + } + // calculate the remainder of the first round s0, s4, s8, s12 := quarterRound(j0, s.key[0], s.key[4], s.counter) @@ -164,7 +175,25 @@ func (s *Cipher) XORKeyStream(dst, src []byte) { // increment the counter s.counter += 1 if s.counter == 0 { - panic("chacha20: counter overflow") + + // [Psiphon] + // + // Don't panic immediately, as the counter will wrap here when it's 2^31-1, + // and that's a valid value. Do panic after overflow is set and any further + // blocks are processed. + // + // https://tools.ietf.org/html/rfc7539#section-2.3.2: ChaCha20 "limits the + // use of a single (key,nonce) combination to 2^32 blocks". + // + // The 2^31-1 counter value occurs in practise in QUIC header protection, + // https://tools.ietf.org/html/draft-ietf-quic-tls-24#section-5.4.4, which + // initializes the counter using 4 bytes of sampled ciphertext. + // + // In OpenSSL, chacha20 will operate on 2^32 blocks before applying its + // overflow logic: + // https://github.com/openssl/openssl/blob/706457b7bda7fdbab426b8dce83b318908339da4/crypto/evp/e_chacha20_poly1305.c#L94-L104. + + s.overflow = true } // pad to 64 bytes if needed diff --git a/vendor/github.com/marten-seemann/chacha20/chacha_noasm.go b/vendor/github.com/Psiphon-Labs/chacha20/chacha_noasm.go similarity index 100% rename from vendor/github.com/marten-seemann/chacha20/chacha_noasm.go rename to vendor/github.com/Psiphon-Labs/chacha20/chacha_noasm.go diff --git a/vendor/github.com/marten-seemann/chacha20/chacha_ppc64le.go b/vendor/github.com/Psiphon-Labs/chacha20/chacha_ppc64le.go similarity index 100% rename from vendor/github.com/marten-seemann/chacha20/chacha_ppc64le.go rename to vendor/github.com/Psiphon-Labs/chacha20/chacha_ppc64le.go diff --git a/vendor/github.com/marten-seemann/chacha20/chacha_s390x.go b/vendor/github.com/Psiphon-Labs/chacha20/chacha_s390x.go similarity index 100% rename from vendor/github.com/marten-seemann/chacha20/chacha_s390x.go rename to vendor/github.com/Psiphon-Labs/chacha20/chacha_s390x.go diff --git a/vendor/github.com/marten-seemann/chacha20/chacha_s390x.s b/vendor/github.com/Psiphon-Labs/chacha20/chacha_s390x.s similarity index 100% rename from vendor/github.com/marten-seemann/chacha20/chacha_s390x.s rename to vendor/github.com/Psiphon-Labs/chacha20/chacha_s390x.s diff --git a/vendor/github.com/marten-seemann/chacha20/internal/subtle/aliasing.go b/vendor/github.com/Psiphon-Labs/chacha20/internal/subtle/aliasing.go similarity index 100% rename from vendor/github.com/marten-seemann/chacha20/internal/subtle/aliasing.go rename to vendor/github.com/Psiphon-Labs/chacha20/internal/subtle/aliasing.go diff --git a/vendor/github.com/marten-seemann/chacha20/internal/subtle/aliasing_appengine.go b/vendor/github.com/Psiphon-Labs/chacha20/internal/subtle/aliasing_appengine.go similarity index 100% rename from vendor/github.com/marten-seemann/chacha20/internal/subtle/aliasing_appengine.go rename to vendor/github.com/Psiphon-Labs/chacha20/internal/subtle/aliasing_appengine.go diff --git a/vendor/github.com/marten-seemann/chacha20/xor.go b/vendor/github.com/Psiphon-Labs/chacha20/xor.go similarity index 100% rename from vendor/github.com/marten-seemann/chacha20/xor.go rename to vendor/github.com/Psiphon-Labs/chacha20/xor.go diff --git a/vendor/github.com/Psiphon-Labs/quic-go/internal/handshake/header_protector.go b/vendor/github.com/Psiphon-Labs/quic-go/internal/handshake/header_protector.go index 019d57036..77b33f20a 100644 --- a/vendor/github.com/Psiphon-Labs/quic-go/internal/handshake/header_protector.go +++ b/vendor/github.com/Psiphon-Labs/quic-go/internal/handshake/header_protector.go @@ -5,7 +5,7 @@ import ( "crypto/cipher" "fmt" - "github.com/marten-seemann/chacha20" + "github.com/Psiphon-Labs/chacha20" "github.com/marten-seemann/qtls" ) diff --git a/vendor/vendor.json b/vendor/vendor.json index 97f17f36c..5dd5638eb 100644 --- a/vendor/vendor.json +++ b/vendor/vendor.json @@ -20,6 +20,18 @@ "revision": "94750aa2185e6ee4217105064949acace0156564", "revisionTime": "2019-07-31T17:17:12Z" }, + { + "checksumSHA1": "C5OwxfDa6nvLoxP3WBaCp7ufW60=", + "path": "github.com/Psiphon-Labs/chacha20", + "revision": "899a4be528633ecf678f45e4f6b177d0f89b9e7c", + "revisionTime": "2020-01-28T19:13:10Z" + }, + { + "checksumSHA1": "zNTA9RmD/BcIWRfZWF/DIhULpK0=", + "path": "github.com/Psiphon-Labs/chacha20/internal/subtle", + "revision": "899a4be528633ecf678f45e4f6b177d0f89b9e7c", + "revisionTime": "2020-01-28T19:13:10Z" + }, { "checksumSHA1": "d3DwsdacdFn1/KCG/2uPV1PwR3s=", "path": "github.com/Psiphon-Labs/dns", @@ -65,8 +77,8 @@ { "checksumSHA1": "8MdwAjQlha5clFXwY1ayF4vNGAQ=", "path": "github.com/Psiphon-Labs/quic-go", - "revision": "abf539ac596a6017b6eb8904f7342da8daab8df1", - "revisionTime": "2020-01-16T02:28:06Z" + "revision": "738e15bfe6c3d7a0ccc91e2f237e5554ab6a35a6", + "revisionTime": "2020-01-28T19:39:28Z" }, { "checksumSHA1": "VMJLFpeoJ56PTQxR0wEkkiQTr1s=", @@ -340,22 +352,6 @@ "revision": "ae77be60afb1dcacde03767a8c37337fad28ac14", "revisionTime": "2017-05-10T13:15:34Z" }, - { - "checksumSHA1": "j4eMhpVKh7QbPBE/vZL+VxQwJT0=", - "path": "github.com/marten-seemann/chacha20", - "revision": "36564989294fee5f3957d3e3fbfc655e10786ec0", - "revisionTime": "2019-09-06T10:21:14Z", - "version": "v0.2.0", - "versionExact": "v0.2.0" - }, - { - "checksumSHA1": "xJ/ZPgaoP3Gd5ETWGhqufsqptuw=", - "path": "github.com/marten-seemann/chacha20/internal/subtle", - "revision": "36564989294fee5f3957d3e3fbfc655e10786ec0", - "revisionTime": "2019-09-06T10:21:14Z", - "version": "v0.2.0", - "versionExact": "v0.2.0" - }, { "checksumSHA1": "Urc++6mqm/jcr3SSL/MMN5v7Owk=", "path": "github.com/marten-seemann/qpack",