Exemple #1
0
        PullMsgResult ProduceWelcome(ref Msg msg)
        {
            Span <byte> cookieNonce      = stackalloc byte[Curve25519XSalsa20Poly1305.NonceLength];
            Span <byte> cookiePlaintext  = stackalloc byte[64];
            Span <byte> cookieCiphertext = stackalloc byte[64 + XSalsa20Poly1305.TagLength];

            //  Create full nonce for encryption
            //  8-byte prefix plus 16-byte random nonce
            CookieNoncePrefix.CopyTo(cookieNonce);
            using var rng = RandomNumberGenerator.Create();
#if NETSTANDARD2_1
            rng.GetBytes(cookieNonce.Slice(8));
#else
            byte[] temp = new byte[16];
            rng.GetBytes(temp);
            temp.CopyTo(cookieNonce.Slice(8));
#endif

            // Generate cookie = Box [C' + s'](t)
            m_cnClientKey.CopyTo(cookiePlaintext);
            m_cnSecretKey.CopyTo(cookiePlaintext.Slice(32));

            // Generate fresh cookie key
            rng.GetBytes(m_cookieKey);

            // Encrypt using symmetric cookie key
            using var secretBox = new XSalsa20Poly1305(m_cookieKey);
            secretBox.Encrypt(cookieCiphertext, cookiePlaintext, cookieNonce);
            cookiePlaintext.Clear();

            Span <byte> welcomeNonce      = stackalloc byte[Curve25519XSalsa20Poly1305.NonceLength];
            Span <byte> welcomePlaintext  = stackalloc byte[128];
            Span <byte> welcomeCiphertext = stackalloc byte[128 + Curve25519XSalsa20Poly1305.TagLength];

            //  Create full nonce for encryption
            //  8-byte prefix plus 16-byte random nonce
            WelcomeNoncePrefix.CopyTo(welcomeNonce);
#if NETSTANDARD2_1
            rng.GetBytes(welcomeNonce.Slice(8));
#else
            rng.GetBytes(temp);
            temp.CopyTo(welcomeNonce.Slice(8));
#endif

            // Create 144-byte Box [S' + cookie](S->C')
            m_cnPublicKey.CopyTo(welcomePlaintext);
            cookieNonce.Slice(8).CopyTo(welcomePlaintext.Slice(32));
            cookieCiphertext.CopyTo(welcomePlaintext.Slice(48));
            using var box = new Curve25519XSalsa20Poly1305(m_secretKey, m_cnClientKey);
            box.Encrypt(welcomeCiphertext, welcomePlaintext, welcomeNonce);
            welcomePlaintext.Clear();

            msg.InitPool(168); // TODO: we can save some allocation here by allocating this earlier
            Span <byte> welcome = msg;
            WelcomeLiteral.CopyTo(welcome);
            welcomeNonce.Slice(8, 16).CopyTo(welcome.Slice(8));
            welcomeCiphertext.CopyTo(welcome.Slice(24));

            return(PullMsgResult.Ok);
        }
Exemple #2
0
        PushMsgResult ProcessInitiate(ref Msg msg)
        {
            if (!CheckBasicCommandStructure(ref msg))
            {
                return(PushMsgResult.Error);
            }

            Span <byte> initiate = msg;

            if (!IsCommand("INITIATE", ref msg))
            {
                return(PushMsgResult.Error);
            }

            if (initiate.Length < 257)
            {
                return(PushMsgResult.Error);
            }

            Span <byte> cookieNonce     = stackalloc byte[Curve25519XSalsa20Poly1305.NonceLength];
            Span <byte> cookiePlaintext = stackalloc byte[64];
            Span <byte> cookieBox       = initiate.Slice(25, 80);

            CookieNoncePrefix.CopyTo(cookieNonce);
            initiate.Slice(9, 16).CopyTo(cookieNonce.Slice(8));

            using var secretBox = new XSalsa20Poly1305(m_cookieKey);
            bool decrypted = secretBox.TryDecrypt(cookiePlaintext, cookieBox, cookieNonce);

            if (!decrypted)
            {
                return(PushMsgResult.Error);
            }

            //  Check cookie plain text is as expected [C' + s']
            if (!SpanUtility.Equals(m_cnClientKey, cookiePlaintext.Slice(0, 32)) ||
                !SpanUtility.Equals(m_cnSecretKey, cookiePlaintext.Slice(32, 32)))
            {
                return(PushMsgResult.Error);
            }

            Span <byte> initiateNonce = stackalloc byte[Curve25519XSalsa20Poly1305.NonceLength];

            byte[] initiatePlaintext = new byte[msg.Size - 113];
            var    initiateBox       = initiate.Slice(113);

            InitiatieNoncePrefix.CopyTo(initiateNonce);
            initiate.Slice(105, 8).CopyTo(initiateNonce.Slice(16));
            m_peerNonce = NetworkOrderBitsConverter.ToUInt64(initiate, 105);

            using var box = new Curve25519XSalsa20Poly1305(m_cnSecretKey, m_cnClientKey);
            bool decrypt = box.TryDecrypt(initiatePlaintext, initiateBox, initiateNonce);

            if (!decrypt)
            {
                return(PushMsgResult.Error);
            }

            Span <byte> vouchNonce     = stackalloc byte[Curve25519XSalsa20Poly1305.NonceLength];
            Span <byte> vouchPlaintext = stackalloc byte[64];
            Span <byte> vouchBox       = new Span <byte>(initiatePlaintext, 48, 80);
            var         clientKey      = new Span <byte>(initiatePlaintext, 0, 32);

            VouchNoncePrefix.CopyTo(vouchNonce);
            new Span <byte>(initiatePlaintext, 32, 16).CopyTo(vouchNonce.Slice(8));

            using var box2 = new Curve25519XSalsa20Poly1305(m_cnSecretKey, clientKey);
            decrypt        = box2.TryDecrypt(vouchPlaintext, vouchBox, vouchNonce);
            if (!decrypt)
            {
                return(PushMsgResult.Error);
            }

            //  What we decrypted must be the client's short-term public key
            if (!SpanUtility.Equals(vouchPlaintext.Slice(0, 32), m_cnClientKey))
            {
                return(PushMsgResult.Error);
            }

            //  Create the session box
            m_box = new Curve25519XSalsa20Poly1305(m_cnSecretKey, m_cnClientKey);

            //  This supports the Stonehouse pattern (encryption without authentication).
            m_state = State.SendingReady;

            if (!ParseMetadata(new Span <byte>(initiatePlaintext, 128, initiatePlaintext.Length - 128 - 16)))
            {
                return(PushMsgResult.Error);
            }

            vouchPlaintext.Clear();
            Array.Clear(initiatePlaintext, 0, initiatePlaintext.Length);

            return(PushMsgResult.Ok);
        }