--- /dev/null
+// GoGOST -- Pure Go GOST cryptographic functions library
+// Copyright (C) 2015-2019 Sergey Matveev <stargrave@stargrave.org>
+//
+// This program is free software: you can redistribute it and/or modify
+// it under the terms of the GNU General Public License as published by
+// the Free Software Foundation, version 3 of the License.
+//
+// This program is distributed in the hope that it will be useful,
+// but WITHOUT ANY WARRANTY; without even the implied warranty of
+// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+// GNU General Public License for more details.
+//
+// You should have received a copy of the GNU General Public License
+// along with this program. If not, see <http://www.gnu.org/licenses/>.
+
+// GOST 28147-89 block cipher with ECB, CFB, CTR, MAC modes of operation.
+// RFC 5830.
+package gost28147
+
+const (
+ BlockSize = 8
+ KeySize = 32
+)
+
+// All 28147 operations are going with two 32-bit halves of the whole
+// block. nv is representation of that one half.
+type nv uint32
+
+// Cyclic 11-bit shift.
+func (n nv) shift11() nv {
+ return ((n << 11) & (1<<32 - 1)) | ((n >> (32 - 11)) & (1<<32 - 1))
+}
+
+// Seq contains iteration numbers used in the encryption function
+// itself. For example 28147 encryption and decryption process differs
+// only with this sequence.
+type Seq []uint8
+
+var (
+ SeqEncrypt = Seq([]uint8{
+ 0, 1, 2, 3, 4, 5, 6, 7,
+ 0, 1, 2, 3, 4, 5, 6, 7,
+ 0, 1, 2, 3, 4, 5, 6, 7,
+ 7, 6, 5, 4, 3, 2, 1, 0,
+ })
+ SeqDecrypt = Seq([]uint8{
+ 0, 1, 2, 3, 4, 5, 6, 7,
+ 7, 6, 5, 4, 3, 2, 1, 0,
+ 7, 6, 5, 4, 3, 2, 1, 0,
+ 7, 6, 5, 4, 3, 2, 1, 0,
+ })
+)
+
+type Cipher struct {
+ key [KeySize]byte
+ sbox *Sbox
+ x [8]nv
+}
+
+func NewCipher(key []byte, sbox *Sbox) *Cipher {
+ if len(key) != KeySize {
+ panic("invalid key size")
+ }
+ c := Cipher{sbox: sbox}
+ copy(c.key[:], key)
+ c.x = [8]nv{
+ nv(key[0]) | nv(key[1])<<8 | nv(key[2])<<16 | nv(key[3])<<24,
+ nv(key[4]) | nv(key[5])<<8 | nv(key[6])<<16 | nv(key[7])<<24,
+ nv(key[8]) | nv(key[9])<<8 | nv(key[10])<<16 | nv(key[11])<<24,
+ nv(key[12]) | nv(key[13])<<8 | nv(key[14])<<16 | nv(key[15])<<24,
+ nv(key[16]) | nv(key[17])<<8 | nv(key[18])<<16 | nv(key[19])<<24,
+ nv(key[20]) | nv(key[21])<<8 | nv(key[22])<<16 | nv(key[23])<<24,
+ nv(key[24]) | nv(key[25])<<8 | nv(key[26])<<16 | nv(key[27])<<24,
+ nv(key[28]) | nv(key[29])<<8 | nv(key[30])<<16 | nv(key[31])<<24,
+ }
+ return &c
+}
+
+func (c *Cipher) BlockSize() int {
+ return BlockSize
+}
+
+// Convert binary byte block to two 32-bit internal integers.
+func block2nvs(b []byte) (n1, n2 nv) {
+ n1 = nv(b[0]) | nv(b[1])<<8 | nv(b[2])<<16 | nv(b[3])<<24
+ n2 = nv(b[4]) | nv(b[5])<<8 | nv(b[6])<<16 | nv(b[7])<<24
+ return
+}
+
+// Convert two 32-bit internal integers to binary byte block.
+func nvs2block(n1, n2 nv, b []byte) {
+ b[0] = byte((n2 >> 0) & 255)
+ b[1] = byte((n2 >> 8) & 255)
+ b[2] = byte((n2 >> 16) & 255)
+ b[3] = byte((n2 >> 24) & 255)
+ b[4] = byte((n1 >> 0) & 255)
+ b[5] = byte((n1 >> 8) & 255)
+ b[6] = byte((n1 >> 16) & 255)
+ b[7] = byte((n1 >> 24) & 255)
+}
+
+func (c *Cipher) xcrypt(seq Seq, n1, n2 nv) (nv, nv) {
+ for _, i := range seq {
+ n1, n2 = c.sbox.k(n1+c.x[i]).shift11()^n2, n1
+ }
+ return n1, n2
+}
+
+// Encrypt single block.
+// If provided slices are shorter than the block size, then it will panic.
+func (c *Cipher) Encrypt(dst, src []byte) {
+ n1, n2 := block2nvs(src)
+ n1, n2 = c.xcrypt(SeqEncrypt, n1, n2)
+ nvs2block(n1, n2, dst)
+}
+
+// Decrypt single block.
+// If provided slices are shorter than the block size, then it will panic.
+func (c *Cipher) Decrypt(dst, src []byte) {
+ n1, n2 := block2nvs(src)
+ n1, n2 = c.xcrypt(SeqDecrypt, n1, n2)
+ nvs2block(n1, n2, dst)
+}