const KeySize … const NonceSize … const NonceSizeX … type Cipher … var _ … // NewUnauthenticatedCipher creates a new ChaCha20 stream cipher with the given // 32 bytes key and a 12 or 24 bytes nonce. If a nonce of 24 bytes is provided, // the XChaCha20 construction will be used. It returns an error if key or nonce // have any other length. // // Note that ChaCha20, like all stream ciphers, is not authenticated and allows // attackers to silently tamper with the plaintext. For this reason, it is more // appropriate as a building block than as a standalone encryption mechanism. // Instead, consider using package golang.org/x/crypto/chacha20poly1305. func NewUnauthenticatedCipher(key, nonce []byte) (*Cipher, error) { … } func newUnauthenticatedCipher(c *Cipher, key, nonce []byte) (*Cipher, error) { … } const j0 … const j1 … const j2 … const j3 … const blockSize … // quarterRound is the core of ChaCha20. It shuffles the bits of 4 state words. // It's executed 4 times for each of the 20 ChaCha20 rounds, operating on all 16 // words each round, in columnar or diagonal groups of 4 at a time. func quarterRound(a, b, c, d uint32) (uint32, uint32, uint32, uint32) { … } // SetCounter sets the Cipher counter. The next invocation of XORKeyStream will // behave as if (64 * counter) bytes had been encrypted so far. // // To prevent accidental counter reuse, SetCounter panics if counter is less // than the current value. // // Note that the execution time of XORKeyStream is not independent of the // counter value. func (s *Cipher) SetCounter(counter uint32) { … } // XORKeyStream XORs each byte in the given slice with a byte from the // cipher's key stream. Dst and src must overlap entirely or not at all. // // If len(dst) < len(src), XORKeyStream will panic. It is acceptable // to pass a dst bigger than src, and in that case, XORKeyStream will // only update dst[:len(src)] and will not touch the rest of dst. // // Multiple calls to XORKeyStream behave as if the concatenation of // the src buffers was passed in a single run. That is, Cipher // maintains state and does not reset at each XORKeyStream call. func (s *Cipher) XORKeyStream(dst, src []byte) { … } func (s *Cipher) xorKeyStreamBlocksGeneric(dst, src []byte) { … } // HChaCha20 uses the ChaCha20 core to generate a derived key from a 32 bytes // key and a 16 bytes nonce. It returns an error if key or nonce have any other // length. It is used as part of the XChaCha20 construction. func HChaCha20(key, nonce []byte) ([]byte, error) { … } func hChaCha20(out, key, nonce []byte) ([]byte, error) { … }