-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathXSalsa20Poly1305.cs
247 lines (223 loc) · 12.3 KB
/
XSalsa20Poly1305.cs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
using System;
using System.Collections.Generic;
using Chaos.NaCl.Internal;
using Chaos.NaCl.Internal.Salsa;
namespace Chaos.NaCl
{
public static class XSalsa20Poly1305
{
public static readonly int KeySizeInBytes = 32;
public static readonly int NonceSizeInBytes = 24;
public static readonly int MacSizeInBytes = 16;
public static byte[] Encrypt(byte[] message, byte[] key, byte[] nonce)
{
if (message == null)
throw new ArgumentNullException("message");
if (key == null)
throw new ArgumentNullException("key");
if (nonce == null)
throw new ArgumentNullException("nonce");
if (key.Length != KeySizeInBytes)
throw new ArgumentException("key.Length != 32");
if (nonce.Length != NonceSizeInBytes)
throw new ArgumentException("nonce.Length != 24");
var ciphertext = new byte[message.Length + MacSizeInBytes];
EncryptInternal(ciphertext, 0, message, 0, message.Length, key, 0, nonce, 0);
return ciphertext;
}
public static void Encrypt(ArraySegment<byte> ciphertext, ArraySegment<byte> message, ArraySegment<byte> key, ArraySegment<byte> nonce)
{
if (key.Count != KeySizeInBytes)
throw new ArgumentException("key.Length != 32");
if (nonce.Count != NonceSizeInBytes)
throw new ArgumentException("nonce.Length != 24");
if (ciphertext.Count != message.Count + MacSizeInBytes)
throw new ArgumentException("ciphertext.Count != message.Count + 16");
EncryptInternal(ciphertext.Array, ciphertext.Offset, message.Array, message.Offset, message.Count, key.Array, key.Offset, nonce.Array, nonce.Offset);
}
/// <summary>
/// Decrypts the ciphertext and verifies its authenticity
/// </summary>
/// <returns>Plaintext if MAC validation succeeds, null if the data is invalid.</returns>
public static byte[] TryDecrypt(byte[] ciphertext, byte[] key, byte[] nonce)
{
if (ciphertext == null)
throw new ArgumentNullException("ciphertext");
if (key == null)
throw new ArgumentNullException("key");
if (nonce == null)
throw new ArgumentNullException("nonce");
if (key.Length != KeySizeInBytes)
throw new ArgumentException("key.Length != 32");
if (nonce.Length != NonceSizeInBytes)
throw new ArgumentException("nonce.Length != 24");
if (ciphertext.Length < MacSizeInBytes)
return null;
var plaintext = new byte[ciphertext.Length - MacSizeInBytes];
bool success = DecryptInternal(plaintext, 0, ciphertext, 0, ciphertext.Length, key, 0, nonce, 0);
if (success)
return plaintext;
else
return null;
}
/// <summary>
/// Decrypts the ciphertext and verifies its authenticity
/// </summary>
/// <param name="message">Plaintext if authentication succeeded, all zero if authentication failed, unmodified if argument verification fails</param>
/// <param name="ciphertext"></param>
/// <param name="key">Symmetric key. Must be identical to key specified for encryption.</param>
/// <param name="nonce">Must be identical to nonce specified for encryption.</param>
/// <returns>true if ciphertext is authentic, false otherwise</returns>
public static bool TryDecrypt(ArraySegment<byte> message, ArraySegment<byte> ciphertext, ArraySegment<byte> key, ArraySegment<byte> nonce)
{
if (key.Count != KeySizeInBytes)
throw new ArgumentException("key.Length != 32");
if (nonce.Count != NonceSizeInBytes)
throw new ArgumentException("nonce.Length != 24");
if (ciphertext.Count != message.Count + MacSizeInBytes)
throw new ArgumentException("ciphertext.Count != message.Count + 16");
return DecryptInternal(message.Array, message.Offset, ciphertext.Array, ciphertext.Offset, ciphertext.Count, key.Array, key.Offset, nonce.Array, nonce.Offset);
}
private static void PrepareInternalKey(out Array16<UInt32> internalKey, byte[] key, int keyOffset, byte[] nonce, int nonceOffset)
{
internalKey.x0 = Salsa20.SalsaConst0;
internalKey.x1 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 0);
internalKey.x2 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 4);
internalKey.x3 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 8);
internalKey.x4 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 12);
internalKey.x5 = Salsa20.SalsaConst1;
internalKey.x6 = ByteIntegerConverter.LoadLittleEndian32(nonce, nonceOffset + 0);
internalKey.x7 = ByteIntegerConverter.LoadLittleEndian32(nonce, nonceOffset + 4);
internalKey.x8 = ByteIntegerConverter.LoadLittleEndian32(nonce, nonceOffset + 8);
internalKey.x9 = ByteIntegerConverter.LoadLittleEndian32(nonce, nonceOffset + 12);
internalKey.x10 = Salsa20.SalsaConst2;
internalKey.x11 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 16);
internalKey.x12 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 20);
internalKey.x13 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 24);
internalKey.x14 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 28);
internalKey.x15 = Salsa20.SalsaConst3;
SalsaCore.HSalsa(out internalKey, ref internalKey, 20);
//key
internalKey.x1 = internalKey.x0;
internalKey.x2 = internalKey.x5;
internalKey.x3 = internalKey.x10;
internalKey.x4 = internalKey.x15;
internalKey.x11 = internalKey.x6;
internalKey.x12 = internalKey.x7;
internalKey.x13 = internalKey.x8;
internalKey.x14 = internalKey.x9;
//const
internalKey.x0 = Salsa20.SalsaConst0;
internalKey.x5 = Salsa20.SalsaConst1;
internalKey.x10 = Salsa20.SalsaConst2;
internalKey.x15 = Salsa20.SalsaConst3;
//nonce
internalKey.x6 = ByteIntegerConverter.LoadLittleEndian32(nonce, nonceOffset + 16);
internalKey.x7 = ByteIntegerConverter.LoadLittleEndian32(nonce, nonceOffset + 20);
//offset
internalKey.x8 = 0;
internalKey.x9 = 0;
}
private static bool DecryptInternal(byte[] plaintext, int plaintextOffset, byte[] ciphertext, int ciphertextOffset, int ciphertextLength, byte[] key, int keyOffset, byte[] nonce, int nonceOffset)
{
int plaintextLength = ciphertextLength - MacSizeInBytes;
Array16<UInt32> internalKey;
PrepareInternalKey(out internalKey, key, keyOffset, nonce, nonceOffset);
Array16<UInt32> temp;
var tempBytes = new byte[64];//todo: remove allocation
// first iteration
{
SalsaCore.Salsa(out temp, ref internalKey, 20);
//first half is for Poly1305
Array8<UInt32> poly1305Key;
poly1305Key.x0 = temp.x0;
poly1305Key.x1 = temp.x1;
poly1305Key.x2 = temp.x2;
poly1305Key.x3 = temp.x3;
poly1305Key.x4 = temp.x4;
poly1305Key.x5 = temp.x5;
poly1305Key.x6 = temp.x6;
poly1305Key.x7 = temp.x7;
// compute MAC
Poly1305Donna.poly1305_auth(tempBytes, 0, ciphertext, ciphertextOffset + 16, plaintextLength, ref poly1305Key);
if (!CryptoBytes.ConstantTimeEquals(tempBytes, 0, ciphertext, ciphertextOffset, MacSizeInBytes))
{
Array.Clear(plaintext, plaintextOffset, plaintextLength);
return false;
}
// rest for the message
ByteIntegerConverter.StoreLittleEndian32(tempBytes, 0, temp.x8);
ByteIntegerConverter.StoreLittleEndian32(tempBytes, 4, temp.x9);
ByteIntegerConverter.StoreLittleEndian32(tempBytes, 8, temp.x10);
ByteIntegerConverter.StoreLittleEndian32(tempBytes, 12, temp.x11);
ByteIntegerConverter.StoreLittleEndian32(tempBytes, 16, temp.x12);
ByteIntegerConverter.StoreLittleEndian32(tempBytes, 20, temp.x13);
ByteIntegerConverter.StoreLittleEndian32(tempBytes, 24, temp.x14);
ByteIntegerConverter.StoreLittleEndian32(tempBytes, 28, temp.x15);
int count = Math.Min(32, plaintextLength);
for (int i = 0; i < count; i++)
plaintext[plaintextOffset + i] = (byte)(ciphertext[MacSizeInBytes + ciphertextOffset + i] ^ tempBytes[i]);
}
// later iterations
int blockOffset = 32;
while (blockOffset < plaintextLength)
{
internalKey.x8++;
SalsaCore.Salsa(out temp, ref internalKey, 20);
ByteIntegerConverter.Array16StoreLittleEndian32(tempBytes, 0, ref temp);
int count = Math.Min(64, plaintextLength - blockOffset);
for (int i = 0; i < count; i++)
plaintext[plaintextOffset + blockOffset + i] = (byte)(ciphertext[16 + ciphertextOffset + blockOffset + i] ^ tempBytes[i]);
blockOffset += 64;
}
return true;
}
private static void EncryptInternal(byte[] ciphertext, int ciphertextOffset, byte[] message, int messageOffset, int messageLength, byte[] key, int keyOffset, byte[] nonce, int nonceOffset)
{
Array16<UInt32> internalKey;
PrepareInternalKey(out internalKey, key, keyOffset, nonce, nonceOffset);
Array16<UInt32> temp;
var tempBytes = new byte[64];//todo: remove allocation
Array8<UInt32> poly1305Key;
// first iteration
{
SalsaCore.Salsa(out temp, ref internalKey, 20);
//first half is for Poly1305
poly1305Key.x0 = temp.x0;
poly1305Key.x1 = temp.x1;
poly1305Key.x2 = temp.x2;
poly1305Key.x3 = temp.x3;
poly1305Key.x4 = temp.x4;
poly1305Key.x5 = temp.x5;
poly1305Key.x6 = temp.x6;
poly1305Key.x7 = temp.x7;
// second half for the message
ByteIntegerConverter.StoreLittleEndian32(tempBytes, 0, temp.x8);
ByteIntegerConverter.StoreLittleEndian32(tempBytes, 4, temp.x9);
ByteIntegerConverter.StoreLittleEndian32(tempBytes, 8, temp.x10);
ByteIntegerConverter.StoreLittleEndian32(tempBytes, 12, temp.x11);
ByteIntegerConverter.StoreLittleEndian32(tempBytes, 16, temp.x12);
ByteIntegerConverter.StoreLittleEndian32(tempBytes, 20, temp.x13);
ByteIntegerConverter.StoreLittleEndian32(tempBytes, 24, temp.x14);
ByteIntegerConverter.StoreLittleEndian32(tempBytes, 28, temp.x15);
int count = Math.Min(32, messageLength);
for (int i = 0; i < count; i++)
ciphertext[16 + ciphertextOffset + i] = (byte)(message[messageOffset + i] ^ tempBytes[i]);
}
// later iterations
int blockOffset = 32;
while (blockOffset < messageLength)
{
internalKey.x8++;
SalsaCore.Salsa(out temp, ref internalKey, 20);
ByteIntegerConverter.Array16StoreLittleEndian32(tempBytes, 0, ref temp);
int count = Math.Min(64, messageLength - blockOffset);
for (int i = 0; i < count; i++)
ciphertext[16 + ciphertextOffset + blockOffset + i] = (byte)(message[messageOffset + blockOffset + i] ^ tempBytes[i]);
blockOffset += 64;
}
// compute MAC
Poly1305Donna.poly1305_auth(ciphertext, ciphertextOffset, ciphertext, ciphertextOffset + 16, messageLength, ref poly1305Key);
}
}
}