vendor/golang_org/x/crypto: revendor

This change updates the vendored copy of golang.org/x/crypto to
commit 1a580b3.

An import of golang.org/x/sys/cpu was replaced with an import of
internal/cpu as required by
#24843 (comment).

The following bash command can be used to replicate this import
update:

find `pwd` -name '*.go' -exec sed -i 's/golang\.org\/x\/sys\/cpu/internal\/cpu/g' '{}' \;

Change-Id: Ic80d361f940a96c70e4196f594d791c63421d73c
Reviewed-on: https://go-review.googlesource.com/113175
Reviewed-by: Brad Fitzpatrick <bradfitz@golang.org>

src/vendor/golang_org/x/crypto/chacha20poly1305/chacha20poly1305.go

@@ -7,6 +7,7 @@ package chacha20poly1305 // import "golang.org/x/crypto/chacha20poly1305"
 
 import (
 	"crypto/cipher"
+	"encoding/binary"
 	"errors"
 )
 
@@ -18,7 +19,7 @@ const (
 )
 
 type chacha20poly1305 struct {
-	key [32]byte
+	key [8]uint32
 }
 
 // New returns a ChaCha20-Poly1305 AEAD that uses the given, 256-bit key.
@@ -27,7 +28,14 @@ func New(key []byte) (cipher.AEAD, error) {
 		return nil, errors.New("chacha20poly1305: bad key length")
 	}
 	ret := new(chacha20poly1305)
-	copy(ret.key[:], key)
+	ret.key[0] = binary.LittleEndian.Uint32(key[0:4])
+	ret.key[1] = binary.LittleEndian.Uint32(key[4:8])
+	ret.key[2] = binary.LittleEndian.Uint32(key[8:12])
+	ret.key[3] = binary.LittleEndian.Uint32(key[12:16])
+	ret.key[4] = binary.LittleEndian.Uint32(key[16:20])
+	ret.key[5] = binary.LittleEndian.Uint32(key[20:24])
+	ret.key[6] = binary.LittleEndian.Uint32(key[24:28])
+	ret.key[7] = binary.LittleEndian.Uint32(key[28:32])
 	return ret, nil
 }
 

src/vendor/golang_org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.go

@@ -6,86 +6,39 @@
 
 package chacha20poly1305
 
-import "encoding/binary"
+import (
+	"encoding/binary"
+
+	"internal/cpu"
+)
 
 //go:noescape
 func chacha20Poly1305Open(dst []byte, key []uint32, src, ad []byte) bool
 
 //go:noescape
 func chacha20Poly1305Seal(dst []byte, key []uint32, src, ad []byte)
 
-// cpuid is implemented in chacha20poly1305_amd64.s.
-func cpuid(eaxArg, ecxArg uint32) (eax, ebx, ecx, edx uint32)
-
-// xgetbv with ecx = 0 is implemented in chacha20poly1305_amd64.s.
-func xgetbv() (eax, edx uint32)
-
 var (
-	useASM  bool
-	useAVX2 bool
+	useASM  = cpu.X86.HasSSSE3
+	useAVX2 = cpu.X86.HasAVX2 && cpu.X86.HasBMI2
 )
 
-func init() {
-	detectCpuFeatures()
-}
-
-// detectCpuFeatures is used to detect if cpu instructions
-// used by the functions implemented in assembler in
-// chacha20poly1305_amd64.s are supported.
-func detectCpuFeatures() {
-	maxId, _, _, _ := cpuid(0, 0)
-	if maxId < 1 {
-		return
-	}
-
-	_, _, ecx1, _ := cpuid(1, 0)
-
-	haveSSSE3 := isSet(9, ecx1)
-	useASM = haveSSSE3
-
-	haveOSXSAVE := isSet(27, ecx1)
-
-	osSupportsAVX := false
-	// For XGETBV, OSXSAVE bit is required and sufficient.
-	if haveOSXSAVE {
-		eax, _ := xgetbv()
-		// Check if XMM and YMM registers have OS support.
-		osSupportsAVX = isSet(1, eax) && isSet(2, eax)
-	}
-	haveAVX := isSet(28, ecx1) && osSupportsAVX
-
-	if maxId < 7 {
-		return
-	}
-
-	_, ebx7, _, _ := cpuid(7, 0)
-	haveAVX2 := isSet(5, ebx7) && haveAVX
-	haveBMI2 := isSet(8, ebx7)
-
-	useAVX2 = haveAVX2 && haveBMI2
-}
-
-// isSet checks if bit at bitpos is set in value.
-func isSet(bitpos uint, value uint32) bool {
-	return value&(1<<bitpos) != 0
-}
-
 // setupState writes a ChaCha20 input matrix to state. See
 // https://tools.ietf.org/html/rfc7539#section-2.3.
-func setupState(state *[16]uint32, key *[32]byte, nonce []byte) {
+func setupState(state *[16]uint32, key *[8]uint32, nonce []byte) {
 	state[0] = 0x61707865
 	state[1] = 0x3320646e
 	state[2] = 0x79622d32
 	state[3] = 0x6b206574
 
-	state[4] = binary.LittleEndian.Uint32(key[:4])
-	state[5] = binary.LittleEndian.Uint32(key[4:8])
-	state[6] = binary.LittleEndian.Uint32(key[8:12])
-	state[7] = binary.LittleEndian.Uint32(key[12:16])
-	state[8] = binary.LittleEndian.Uint32(key[16:20])
-	state[9] = binary.LittleEndian.Uint32(key[20:24])
-	state[10] = binary.LittleEndian.Uint32(key[24:28])
-	state[11] = binary.LittleEndian.Uint32(key[28:32])
+	state[4] = key[0]
+	state[5] = key[1]
+	state[6] = key[2]
+	state[7] = key[3]
+	state[8] = key[4]
+	state[9] = key[5]
+	state[10] = key[6]
+	state[11] = key[7]
 
 	state[12] = 0
 	state[13] = binary.LittleEndian.Uint32(nonce[:4])

src/vendor/golang_org/x/crypto/chacha20poly1305/chacha20poly1305_amd64.s

@@ -2693,22 +2693,3 @@ sealAVX2Tail512LoopB:
 	VPERM2I128 $0x13, tmpStoreAVX2, DD3, DD0
 
 	JMP sealAVX2SealHash
-
-// func cpuid(eaxArg, ecxArg uint32) (eax, ebx, ecx, edx uint32)
-TEXT ·cpuid(SB), NOSPLIT, $0-24
-	MOVL eaxArg+0(FP), AX
-	MOVL ecxArg+4(FP), CX
-	CPUID
-	MOVL AX, eax+8(FP)
-	MOVL BX, ebx+12(FP)
-	MOVL CX, ecx+16(FP)
-	MOVL DX, edx+20(FP)
-	RET
-
-// func xgetbv() (eax, edx uint32)
-TEXT ·xgetbv(SB),NOSPLIT,$0-8
-	MOVL $0, CX
-	XGETBV
-	MOVL AX, eax+0(FP)
-	MOVL DX, edx+4(FP)
-	RET

src/vendor/golang_org/x/crypto/chacha20poly1305/chacha20poly1305_generic.go

@@ -7,7 +7,7 @@ package chacha20poly1305
 import (
 	"encoding/binary"
 
-	"golang_org/x/crypto/chacha20poly1305/internal/chacha20"
+	"golang_org/x/crypto/internal/chacha20"
 	"golang_org/x/crypto/poly1305"
 )
 
@@ -16,15 +16,17 @@ func roundTo16(n int) int {
 }
 
 func (c *chacha20poly1305) sealGeneric(dst, nonce, plaintext, additionalData []byte) []byte {
-	var counter [16]byte
-	copy(counter[4:], nonce)
+	ret, out := sliceForAppend(dst, len(plaintext)+poly1305.TagSize)
 
 	var polyKey [32]byte
-	chacha20.XORKeyStream(polyKey[:], polyKey[:], &counter, &c.key)
-
-	ret, out := sliceForAppend(dst, len(plaintext)+poly1305.TagSize)
-	counter[0] = 1
-	chacha20.XORKeyStream(out, plaintext, &counter, &c.key)
+	s := chacha20.New(c.key, [3]uint32{
+		binary.LittleEndian.Uint32(nonce[0:4]),
+		binary.LittleEndian.Uint32(nonce[4:8]),
+		binary.LittleEndian.Uint32(nonce[8:12]),
+	})
+	s.XORKeyStream(polyKey[:], polyKey[:])
+	s.Advance() // skip the next 32 bytes
+	s.XORKeyStream(out, plaintext)
 
 	polyInput := make([]byte, roundTo16(len(additionalData))+roundTo16(len(plaintext))+8+8)
 	copy(polyInput, additionalData)
@@ -44,11 +46,14 @@ func (c *chacha20poly1305) openGeneric(dst, nonce, ciphertext, additionalData []
 	copy(tag[:], ciphertext[len(ciphertext)-16:])
 	ciphertext = ciphertext[:len(ciphertext)-16]
 
-	var counter [16]byte
-	copy(counter[4:], nonce)
-
 	var polyKey [32]byte
-	chacha20.XORKeyStream(polyKey[:], polyKey[:], &counter, &c.key)
+	s := chacha20.New(c.key, [3]uint32{
+		binary.LittleEndian.Uint32(nonce[0:4]),
+		binary.LittleEndian.Uint32(nonce[4:8]),
+		binary.LittleEndian.Uint32(nonce[8:12]),
+	})
+	s.XORKeyStream(polyKey[:], polyKey[:])
+	s.Advance() // skip the next 32 bytes
 
 	polyInput := make([]byte, roundTo16(len(additionalData))+roundTo16(len(ciphertext))+8+8)
 	copy(polyInput, additionalData)
@@ -64,7 +69,6 @@ func (c *chacha20poly1305) openGeneric(dst, nonce, ciphertext, additionalData []
 		return nil, errOpen
 	}
 
-	counter[0] = 1
-	chacha20.XORKeyStream(out, ciphertext, &counter, &c.key)
+	s.XORKeyStream(out, ciphertext)
 	return ret, nil
 }

src/vendor/golang_org/x/crypto/chacha20poly1305/chacha20poly1305_vectors_test.go

@@ -7,6 +7,13 @@ package chacha20poly1305
 var chacha20Poly1305Tests = []struct {
 	plaintext, aad, key, nonce, out string
 }{
+	{
+		"",
+		"",
+		"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f",
+		"070000004041424344454647",
+		"a0784d7a4716f3feb4f64e7f4b39bf04",
+	},
 	{
 		"4c616469657320616e642047656e746c656d656e206f662074686520636c617373206f66202739393a204966204920636f756c64206f6666657220796f75206f6e6c79206f6e652074697020666f7220746865206675747572652c2073756e73637265656e20776f756c642062652069742e",
 		"50515253c0c1c2c3c4c5c6c7",