增加websocket支持

vendor/golang.org/x/crypto/sha3/doc.go

@@ -59,4 +59,4 @@
 // They produce output of the same length, with the same security strengths
 // against all attacks. This means, in particular, that SHA3-256 only has
 // 128-bit collision resistance, because its output length is 32 bytes.
-package sha3
+package sha3 // import "golang.org/x/crypto/sha3"

vendor/golang.org/x/crypto/sha3/hashes.go

@@ -9,7 +9,6 @@ package sha3
 // bytes.
 
 import (
-	"crypto"
 	"hash"
 )
 
@@ -17,50 +16,39 @@ import (
 // Its generic security strength is 224 bits against preimage attacks,
 // and 112 bits against collision attacks.
 func New224() hash.Hash {
-	return new224()
+	if h := new224Asm(); h != nil {
+		return h
+	}
+	return &state{rate: 144, outputLen: 28, dsbyte: 0x06}
 }
 
 // New256 creates a new SHA3-256 hash.
 // Its generic security strength is 256 bits against preimage attacks,
 // and 128 bits against collision attacks.
 func New256() hash.Hash {
-	return new256()
+	if h := new256Asm(); h != nil {
+		return h
+	}
+	return &state{rate: 136, outputLen: 32, dsbyte: 0x06}
 }
 
 // New384 creates a new SHA3-384 hash.
 // Its generic security strength is 384 bits against preimage attacks,
 // and 192 bits against collision attacks.
 func New384() hash.Hash {
-	return new384()
+	if h := new384Asm(); h != nil {
+		return h
+	}
+	return &state{rate: 104, outputLen: 48, dsbyte: 0x06}
 }
 
 // New512 creates a new SHA3-512 hash.
 // Its generic security strength is 512 bits against preimage attacks,
 // and 256 bits against collision attacks.
 func New512() hash.Hash {
-	return new512()
-}
-
-func init() {
-	crypto.RegisterHash(crypto.SHA3_224, New224)
-	crypto.RegisterHash(crypto.SHA3_256, New256)
-	crypto.RegisterHash(crypto.SHA3_384, New384)
-	crypto.RegisterHash(crypto.SHA3_512, New512)
-}
-
-func new224Generic() *state {
-	return &state{rate: 144, outputLen: 28, dsbyte: 0x06}
-}
-
-func new256Generic() *state {
-	return &state{rate: 136, outputLen: 32, dsbyte: 0x06}
-}
-
-func new384Generic() *state {
-	return &state{rate: 104, outputLen: 48, dsbyte: 0x06}
-}
-
-func new512Generic() *state {
+	if h := new512Asm(); h != nil {
+		return h
+	}
 	return &state{rate: 72, outputLen: 64, dsbyte: 0x06}
 }
 

vendor/golang.org/x/crypto/sha3/keccakf.go

@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.
 
 //go:build !amd64 || purego || !gc
+// +build !amd64 purego !gc
 
 package sha3
 

vendor/golang.org/x/crypto/sha3/keccakf_amd64.go

@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.
 
 //go:build amd64 && !purego && gc
+// +build amd64,!purego,gc
 
 package sha3
 

vendor/golang.org/x/crypto/sha3/sha3.go

@@ -23,6 +23,7 @@ const (
 type state struct {
 	// Generic sponge components.
 	a    [25]uint64 // main state of the hash
+	buf  []byte     // points into storage
 	rate int        // the number of bytes of state to use
 
 	// dsbyte contains the "domain separation" bits and the first bit of
@@ -39,8 +40,7 @@ type state struct {
 	//      Extendable-Output Functions (May 2014)"
 	dsbyte byte
 
-	i, n    int // storage[i:n] is the buffer, i is only used while squeezing
-	storage [maxRate]byte
+	storage storageBuf
 
 	// Specific to SHA-3 and SHAKE.
 	outputLen int             // the default output size in bytes
@@ -54,18 +54,24 @@ func (d *state) BlockSize() int { return d.rate }
 func (d *state) Size() int { return d.outputLen }
 
 // Reset clears the internal state by zeroing the sponge state and
-// the buffer indexes, and setting Sponge.state to absorbing.
+// the byte buffer, and setting Sponge.state to absorbing.
 func (d *state) Reset() {
 	// Zero the permutation's state.
 	for i := range d.a {
 		d.a[i] = 0
 	}
 	d.state = spongeAbsorbing
-	d.i, d.n = 0, 0
+	d.buf = d.storage.asBytes()[:0]
 }
 
 func (d *state) clone() *state {
 	ret := *d
+	if ret.state == spongeAbsorbing {
+		ret.buf = ret.storage.asBytes()[:len(ret.buf)]
+	} else {
+		ret.buf = ret.storage.asBytes()[d.rate-cap(d.buf) : d.rate]
+	}
+
 	return &ret
 }
 
@@ -76,40 +82,43 @@ func (d *state) permute() {
 	case spongeAbsorbing:
 		// If we're absorbing, we need to xor the input into the state
 		// before applying the permutation.
-		xorIn(d, d.storage[:d.rate])
-		d.n = 0
+		xorIn(d, d.buf)
+		d.buf = d.storage.asBytes()[:0]
 		keccakF1600(&d.a)
 	case spongeSqueezing:
 		// If we're squeezing, we need to apply the permutation before
 		// copying more output.
 		keccakF1600(&d.a)
-		d.i = 0
-		copyOut(d, d.storage[:d.rate])
+		d.buf = d.storage.asBytes()[:d.rate]
+		copyOut(d, d.buf)
 	}
 }
 
 // pads appends the domain separation bits in dsbyte, applies
 // the multi-bitrate 10..1 padding rule, and permutes the state.
-func (d *state) padAndPermute() {
+func (d *state) padAndPermute(dsbyte byte) {
+	if d.buf == nil {
+		d.buf = d.storage.asBytes()[:0]
+	}
 	// Pad with this instance's domain-separator bits. We know that there's
 	// at least one byte of space in d.buf because, if it were full,
 	// permute would have been called to empty it. dsbyte also contains the
 	// first one bit for the padding. See the comment in the state struct.
-	d.storage[d.n] = d.dsbyte
-	d.n++
-	for d.n < d.rate {
-		d.storage[d.n] = 0
-		d.n++
+	d.buf = append(d.buf, dsbyte)
+	zerosStart := len(d.buf)
+	d.buf = d.storage.asBytes()[:d.rate]
+	for i := zerosStart; i < d.rate; i++ {
+		d.buf[i] = 0
 	}
 	// This adds the final one bit for the padding. Because of the way that
 	// bits are numbered from the LSB upwards, the final bit is the MSB of
 	// the last byte.
-	d.storage[d.rate-1] ^= 0x80
+	d.buf[d.rate-1] ^= 0x80
 	// Apply the permutation
 	d.permute()
 	d.state = spongeSqueezing
-	d.n = d.rate
-	copyOut(d, d.storage[:d.rate])
+	d.buf = d.storage.asBytes()[:d.rate]
+	copyOut(d, d.buf)
 }
 
 // Write absorbs more data into the hash's state. It panics if any
@@ -118,25 +127,28 @@ func (d *state) Write(p []byte) (written int, err error) {
 	if d.state != spongeAbsorbing {
 		panic("sha3: Write after Read")
 	}
+	if d.buf == nil {
+		d.buf = d.storage.asBytes()[:0]
+	}
 	written = len(p)
 
 	for len(p) > 0 {
-		if d.n == 0 && len(p) >= d.rate {
+		if len(d.buf) == 0 && len(p) >= d.rate {
 			// The fast path; absorb a full "rate" bytes of input and apply the permutation.
 			xorIn(d, p[:d.rate])
 			p = p[d.rate:]
 			keccakF1600(&d.a)
 		} else {
 			// The slow path; buffer the input until we can fill the sponge, and then xor it in.
-			todo := d.rate - d.n
+			todo := d.rate - len(d.buf)
 			if todo > len(p) {
 				todo = len(p)
 			}
-			d.n += copy(d.storage[d.n:], p[:todo])
+			d.buf = append(d.buf, p[:todo]...)
 			p = p[todo:]
 
 			// If the sponge is full, apply the permutation.
-			if d.n == d.rate {
+			if len(d.buf) == d.rate {
 				d.permute()
 			}
 		}
@@ -149,19 +161,19 @@ func (d *state) Write(p []byte) (written int, err error) {
 func (d *state) Read(out []byte) (n int, err error) {
 	// If we're still absorbing, pad and apply the permutation.
 	if d.state == spongeAbsorbing {
-		d.padAndPermute()
+		d.padAndPermute(d.dsbyte)
 	}
 
 	n = len(out)
 
 	// Now, do the squeezing.
 	for len(out) > 0 {
-		n := copy(out, d.storage[d.i:d.n])
-		d.i += n
+		n := copy(out, d.buf)
+		d.buf = d.buf[n:]
 		out = out[n:]
 
 		// Apply the permutation if we've squeezed the sponge dry.
-		if d.i == d.rate {
+		if len(d.buf) == 0 {
 			d.permute()
 		}
 	}

vendor/golang.org/x/crypto/sha3/sha3_s390x.go

@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.
 
 //go:build gc && !purego
+// +build gc,!purego
 
 package sha3
 
@@ -143,12 +144,6 @@ func (s *asmState) Write(b []byte) (int, error) {
 
 // Read squeezes an arbitrary number of bytes from the sponge.
 func (s *asmState) Read(out []byte) (n int, err error) {
-	// The 'compute last message digest' instruction only stores the digest
-	// at the first operand (dst) for SHAKE functions.
-	if s.function != shake_128 && s.function != shake_256 {
-		panic("sha3: can only call Read for SHAKE functions")
-	}
-
 	n = len(out)
 
 	// need to pad if we were absorbing
@@ -208,17 +203,8 @@ func (s *asmState) Sum(b []byte) []byte {
 
 	// Hash the buffer. Note that we don't clear it because we
 	// aren't updating the state.
-	switch s.function {
-	case sha3_224, sha3_256, sha3_384, sha3_512:
-		klmd(s.function, &a, nil, s.buf)
-		return append(b, a[:s.outputLen]...)
-	case shake_128, shake_256:
-		d := make([]byte, s.outputLen, 64)
-		klmd(s.function, &a, d, s.buf)
-		return append(b, d[:s.outputLen]...)
-	default:
-		panic("sha3: unknown function")
-	}
+	klmd(s.function, &a, nil, s.buf)
+	return append(b, a[:s.outputLen]...)
 }
 
 // Reset resets the Hash to its initial state.
@@ -248,56 +234,56 @@ func (s *asmState) Clone() ShakeHash {
 	return s.clone()
 }
 
-// new224 returns an assembly implementation of SHA3-224 if available,
-// otherwise it returns a generic implementation.
-func new224() hash.Hash {
+// new224Asm returns an assembly implementation of SHA3-224 if available,
+// otherwise it returns nil.
+func new224Asm() hash.Hash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(sha3_224)
 	}
-	return new224Generic()
+	return nil
 }
 
-// new256 returns an assembly implementation of SHA3-256 if available,
-// otherwise it returns a generic implementation.
-func new256() hash.Hash {
+// new256Asm returns an assembly implementation of SHA3-256 if available,
+// otherwise it returns nil.
+func new256Asm() hash.Hash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(sha3_256)
 	}
-	return new256Generic()
+	return nil
 }
 
-// new384 returns an assembly implementation of SHA3-384 if available,
-// otherwise it returns a generic implementation.
-func new384() hash.Hash {
+// new384Asm returns an assembly implementation of SHA3-384 if available,
+// otherwise it returns nil.
+func new384Asm() hash.Hash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(sha3_384)
 	}
-	return new384Generic()
+	return nil
 }
 
-// new512 returns an assembly implementation of SHA3-512 if available,
-// otherwise it returns a generic implementation.
-func new512() hash.Hash {
+// new512Asm returns an assembly implementation of SHA3-512 if available,
+// otherwise it returns nil.
+func new512Asm() hash.Hash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(sha3_512)
 	}
-	return new512Generic()
+	return nil
 }
 
-// newShake128 returns an assembly implementation of SHAKE-128 if available,
-// otherwise it returns a generic implementation.
-func newShake128() ShakeHash {
+// newShake128Asm returns an assembly implementation of SHAKE-128 if available,
+// otherwise it returns nil.
+func newShake128Asm() ShakeHash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(shake_128)
 	}
-	return newShake128Generic()
+	return nil
 }
 
-// newShake256 returns an assembly implementation of SHAKE-256 if available,
-// otherwise it returns a generic implementation.
-func newShake256() ShakeHash {
+// newShake256Asm returns an assembly implementation of SHAKE-256 if available,
+// otherwise it returns nil.
+func newShake256Asm() ShakeHash {
 	if cpu.S390X.HasSHA3 {
 		return newAsmState(shake_256)
 	}
-	return newShake256Generic()
+	return nil
 }

vendor/golang.org/x/crypto/sha3/sha3_s390x.s

@@ -3,6 +3,7 @@
 // license that can be found in the LICENSE file.
 
 //go:build gc && !purego
+// +build gc,!purego
 
 #include "textflag.h"
 

vendor/golang.org/x/crypto/sha3/shake.go

@@ -115,21 +115,19 @@ func (c *state) Clone() ShakeHash {
 // Its generic security strength is 128 bits against all attacks if at
 // least 32 bytes of its output are used.
 func NewShake128() ShakeHash {
-	return newShake128()
+	if h := newShake128Asm(); h != nil {
+		return h
+	}
+	return &state{rate: rate128, outputLen: 32, dsbyte: dsbyteShake}
 }
 
 // NewShake256 creates a new SHAKE256 variable-output-length ShakeHash.
 // Its generic security strength is 256 bits against all attacks if
 // at least 64 bytes of its output are used.
 func NewShake256() ShakeHash {
-	return newShake256()
-}
-
-func newShake128Generic() *state {
-	return &state{rate: rate128, outputLen: 32, dsbyte: dsbyteShake}
-}
-
-func newShake256Generic() *state {
+	if h := newShake256Asm(); h != nil {
+		return h
+	}
 	return &state{rate: rate256, outputLen: 64, dsbyte: dsbyteShake}
 }