Use a vendor directory for repeatable builds - fixes #816

This is using godep to manage the vendor directory.

vendor/github.com/rfjakob/eme/LICENSE

@@ -0,0 +1,22 @@
+The MIT License (MIT)
+
+Copyright (c) 2015 
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.
+

vendor/github.com/rfjakob/eme/README.md

@@ -0,0 +1,80 @@
+EME for Go [![Build Status](https://drone.io/github.com/rfjakob/eme/status.png)](https://drone.io/github.com/rfjakob/eme/latest) [![GoDoc](https://godoc.org/github.com/rfjakob/eme?status.svg)](https://godoc.org/github.com/rfjakob/eme) ![MIT License](https://img.shields.io/badge/license-MIT-blue.svg)
+==========
+
+EME (ECB-Mix-ECB) is a wide-block encryption mode developed by Halevi
+and Rogaway in 2003 [eme]. (see references below)
+
+EME uses multiple invocations of a block cipher to construct a new
+cipher of bigger block size (in multiples of 16 bytes, up to 2048 bytes).
+
+Quoting from the original [eme] paper:
+
+> We describe a block-cipher mode of operation, EME, that turns an n-bit block cipher into
+> a tweakable enciphering scheme that acts on strings of mn bits, where m ∈ [1..n]. The mode is
+> parallelizable, but as serial-efficient as the non-parallelizable mode CMC [6]. EME can be used
+> to solve the disk-sector encryption problem. The algorithm entails two layers of ECB encryption
+> and a “lightweight mixing” in between. We prove EME secure, in the reduction-based sense of
+> modern cryptography.
+
+This is an implementation of EME in Go, complete with test vectors from IEEE.
+
+Is it patentend?
+----------------
+
+In 2007, the UC Davis has decided to abandon [patabandon] the patent
+application for EME [patappl].
+
+Related algorithms
+------------------
+
+**EME-32** is EME with the cipher set to AES and the length set to 512.
+That is, EME-32 [eme-32-pdf] is a subset of EME.
+
+**EME2**, also known as EME* [emestar], is an extended version of EME
+that has built-in handling for data that is not a multiple of 16 bytes
+long.  
+EME2 has been selected for standardization in IEEE P1619.2 [p1619.2].
+
+References
+----------
+
+**[eme]** *A Parallelizable Enciphering Mode*  
+Shai Halevi, Phillip Rogaway, 28 Jul 2003  
+https://eprint.iacr.org/2003/147.pdf  
+Note: This is the original EME paper. EME is specified for an arbitrary
+number of block-cipher blocks. EME-32 is a concrete implementation of
+EME with a fixed length of 32 AES blocks.
+
+**[eme-32-email]** *Re: EME-32-AES with editorial comments*  
+Shai Halevi, 07 Jun 2005  
+http://grouper.ieee.org/groups/1619/email/msg00310.html
+
+**[eme-32-pdf]** *Draft Standard for Tweakable Wide-block Encryption*  
+Shai Halevi, 02 June 2005  
+http://grouper.ieee.org/groups/1619/email/pdf00020.pdf  
+Note: This is the latest version of the EME-32 draft that I could find. It
+includes test vectors and C source code.
+
+**[eme-32-testvec]** *Re: Test vectors for LRW and EME*  
+Shai Halevi, 16 Nov 2004  
+http://grouper.ieee.org/groups/1619/email/msg00218.html
+
+**[emestar]** _EME*: extending EME to handle arbitrary-length
+messages with associated data_  
+Shai Halevi, 27 May 2004  
+https://eprint.iacr.org/2004/125.pdf
+
+**[patabandon]** *Re: [P1619-2] Non-awareness patent statement made by UC Davis*  
+Mat Ball, 26 Nov 2007  
+http://grouper.ieee.org/groups/1619/email-2/msg00005.html
+
+**[patappl]** *Block cipher mode of operation for constructing a wide-blocksize block cipher from a conventional block cipher*  
+US patent application US20040131182  
+http://www.google.com/patents/US20040131182
+
+**[p1619.2]** *IEEE P1619.2™/D9 Draft Standard for Wide-Block  
+Encryption for Shared Storage Media*  
+IEEE, Dec 2008  
+http://siswg.net/index2.php?option=com_docman&task=doc_view&gid=156&Itemid=41  
+Note: This is a draft version. The final version is not freely available
+and must be bought from IEEE.

vendor/github.com/rfjakob/eme/benchmark.bash

@@ -0,0 +1,6 @@
+#!/bin/bash
+
+set -eu
+
+go build
+go test -bench=.

vendor/github.com/rfjakob/eme/eme.go

@@ -0,0 +1,173 @@
+// EME (ECB-Mix-ECB) is a length-preserving wide-block encryption mode. It was
+// presented in the 2003 paper "A Parallelizable Enciphering Mode" by Halevi
+// and Rogaway.
+package eme
+
+import (
+	"crypto/cipher"
+	"log"
+)
+
+type directionConst bool
+
+const (
+	// Encrypt "inputData"
+	DirectionEncrypt = directionConst(true)
+	// Decrypt "inputData"
+	DirectionDecrypt = directionConst(false)
+)
+
+// multByTwo - GF multiplication as specified in the EME-32 draft
+func multByTwo(out []byte, in []byte) {
+	if len(in) != 16 {
+		panic("len must be 16")
+	}
+	tmp := make([]byte, 16)
+
+	tmp[0] = 2 * in[0]
+	if in[15] >= 128 {
+		tmp[0] = tmp[0] ^ 135
+	}
+	for j := 1; j < 16; j++ {
+		tmp[j] = 2 * in[j]
+		if in[j-1] >= 128 {
+			tmp[j] += 1
+		}
+	}
+	copy(out, tmp)
+}
+
+func xorBlocks(out []byte, in1 []byte, in2 []byte) {
+	if len(in1) != len(in2) {
+		log.Panicf("len(in1)=%d is not equal to len(in2)=%d", len(in1), len(in2))
+	}
+
+	for i := range in1 {
+		out[i] = in1[i] ^ in2[i]
+	}
+}
+
+// aesTransform - encrypt or decrypt (according to "direction") using block
+// cipher "bc" (typically AES)
+func aesTransform(dst []byte, src []byte, direction directionConst, bc cipher.Block) {
+	if direction == DirectionEncrypt {
+		bc.Encrypt(dst, src)
+		return
+	} else if direction == DirectionDecrypt {
+		bc.Decrypt(dst, src)
+		return
+	}
+}
+
+// tabulateL - calculate L_i for messages up to a length of m cipher blocks
+func tabulateL(bc cipher.Block, m int) [][]byte {
+	/* set L0 = 2*AESenc(K; 0) */
+	eZero := make([]byte, 16)
+	Li := make([]byte, 16)
+	bc.Encrypt(Li, eZero)
+
+	LTable := make([][]byte, m)
+	// Allocate pool once and slice into m pieces in the loop
+	pool := make([]byte, m*16)
+	for i := 0; i < m; i++ {
+		multByTwo(Li, Li)
+		LTable[i] = pool[i*16 : (i+1)*16]
+		copy(LTable[i], Li)
+	}
+	return LTable
+}
+
+// Transform - EME-encrypt or EME-decrypt, according to "direction"
+// (defined in the constants DirectionEncrypt and DirectionDecrypt).
+// The data in "inputData" is en- or decrypted with the block ciper "bc" under
+// "tweak" (also known as IV).
+//
+// The tweak is used to randomize the encryption in the same way as an
+// IV.  A use of this encryption mode envisioned by the authors of the
+// algorithm was to encrypt each sector of a disk, with the tweak
+// being the sector number.  If you encipher the same data with the
+// same tweak you will get the same ciphertext.
+//
+// The result is returned in a freshly allocated slice of the same
+// size as inputData.
+//
+// Limitations: This only works for ciphers with block size 16.  The
+// size of the tweak slice must also be 16. The inputData must also be
+// a multiple of 16. If any of these pre-conditions are not met, the
+// function will panic.
+func Transform(bc cipher.Block, tweak []byte, inputData []byte, direction directionConst) []byte {
+	// In the paper, the tweak is just called "T". Call it the same here to
+	// make following the paper easy.
+	T := tweak
+	// In the paper, the plaintext data is called "P" and the ciphertext is
+	// called "C". Because encryption and decryption are virtually indentical,
+	// we share the code and always call the input data "P" and the output data
+	// "C", regardless of the direction.
+	P := inputData
+
+	if bc.BlockSize() != 16 {
+		log.Panicf("Using a block size other than 16 is not implemented")
+	}
+	if len(T) != 16 {
+		log.Panicf("Tweak must be 16 bytes long, is %d", len(T))
+	}
+	if len(P)%16 != 0 {
+		log.Panicf("Data P must be a multiple of 16 long, is %d", len(P))
+	}
+	m := len(P) / 16
+	if m == 0 || m > 16*8 {
+		log.Panicf("EME operates on 1 to %d block-cipher blocks, you passed %d", 16*8, m)
+	}
+
+	C := make([]byte, len(P))
+
+	LTable := tabulateL(bc, m)
+
+	PPj := make([]byte, 16)
+	for j := 0; j < m; j++ {
+		Pj := P[j*16 : (j+1)*16]
+		/* PPj = 2**(j-1)*L xor Pj */
+		xorBlocks(PPj, Pj, LTable[j])
+		/* PPPj = AESenc(K; PPj) */
+		aesTransform(C[j*16:(j+1)*16], PPj, direction, bc)
+	}
+
+	/* MP =(xorSum PPPj) xor T */
+	MP := make([]byte, 16)
+	xorBlocks(MP, C[0:16], T)
+	for j := 1; j < m; j++ {
+		xorBlocks(MP, MP, C[j*16:(j+1)*16])
+	}
+
+	/* MC = AESenc(K; MP) */
+	MC := make([]byte, 16)
+	aesTransform(MC, MP, direction, bc)
+
+	/* M = MP xor MC */
+	M := make([]byte, 16)
+	xorBlocks(M, MP, MC)
+	CCCj := make([]byte, 16)
+	for j := 1; j < m; j++ {
+		multByTwo(M, M)
+		/* CCCj = 2**(j-1)*M xor PPPj */
+		xorBlocks(CCCj, C[j*16:(j+1)*16], M)
+		copy(C[j*16:(j+1)*16], CCCj)
+	}
+
+	/* CCC1 = (xorSum CCCj) xor T xor MC */
+	CCC1 := make([]byte, 16)
+	xorBlocks(CCC1, MC, T)
+	for j := 1; j < m; j++ {
+		xorBlocks(CCC1, CCC1, C[j*16:(j+1)*16])
+	}
+	copy(C[0:16], CCC1)
+
+	for j := 0; j < m; j++ {
+		/* CCj = AES-enc(K; CCCj) */
+		aesTransform(C[j*16:(j+1)*16], C[j*16:(j+1)*16], direction, bc)
+		/* Cj = 2**(j-1)*L xor CCj */
+		xorBlocks(C[j*16:(j+1)*16], C[j*16:(j+1)*16], LTable[j])
+	}
+
+	return C
+}