/// <summary>
/// Transform a message using a nonce and a secret key.
/// </summary>
/// <param name="output">Output will be written to the parameter.</param>
/// <param name="input">Input to transform</param>
/// <param name="nonce">Nonce</param>
public void Transform(Span <byte> output, ReadOnlySpan <byte> input, ReadOnlySpan <byte> nonce)
{
Span <byte> subkey = stackalloc byte[32];
HSalsa20.Transform(subkey, nonce, key, Span <byte> .Empty);
StreamSalsa20Xor.Transform(output, input, nonce.Slice(16), subkey, 0U);
}
public void HSalsa20Test1()
{
byte[] shared = new byte[32] {
0x4a, 0x5d, 0x9d, 0x5b, 0xa4, 0xce, 0x2d,
0xe1, 0x72, 0x8e, 0x3b, 0xf4, 0x80, 0x35,
0x0f, 0x25, 0xe0, 0x7e, 0x21, 0xc9, 0x47,
0xd1, 0x9e, 0x33, 0x76, 0xf0, 0x9b, 0x3c,
0x1e, 0x16, 0x17, 0x42
};
byte[] zero = new byte[32];
byte[] c = new byte[16] {
0x65, 0x78, 0x70, 0x61, 0x6e, 0x64, 0x20, 0x33,
0x32, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20, 0x6b
};
byte[] firstkey = new byte[32];
HSalsa20.Transform(firstkey, zero, shared, c);
Assert.AreEqual(new byte[]
{
0x1b, 0x27, 0x55, 0x64, 0x73, 0xe9, 0x85, 0xd4
, 0x62, 0xcd, 0x51, 0x19, 0x7a, 0x9a, 0x46, 0xc7
, 0x60, 0x09, 0x54, 0x9e, 0xac, 0x64, 0x74, 0xf2
, 0x06, 0xc4, 0xee, 0x08, 0x44, 0xf6, 0x83, 0x89
}, firstkey);
}
/// <summary>
/// Create a new Curve25519XSalsa20Poly1305 and pre-calculate the shared secret from secret and public key.
/// </summary>
/// <param name="secretKey">SecretKey</param>
/// <param name="publicKey">PublicKey</param>
public Curve25519XSalsa20Poly1305(ReadOnlySpan <byte> secretKey, ReadOnlySpan <byte> publicKey)
{
ReadOnlySpan <byte> zero = stackalloc byte[16];
Span <byte> s = stackalloc byte[32];
Curve25519.ScalarMultiplication(s, secretKey, publicKey);
HSalsa20.Transform(key, zero, s, Span <byte> .Empty);
s.Clear();
}
/// <summary>
/// Verifies and decrypts a ciphertext produced by <see>
/// <cref>Encrypt</cref>
/// </see>
/// </summary>
/// <remarks>
/// Detached mode, some applications may need to store the authentication tag and
/// the encrypted message at different locations.
/// </remarks>
/// <returns>True if successfully verified and decrypted ciphertext.</returns>
public bool TryDecrypt(Span <byte> message, ReadOnlySpan <byte> cipher, ReadOnlySpan <byte> mac,
ReadOnlySpan <byte> nonce)
{
Span <byte> block0 = stackalloc byte[64];
Span <byte> subkey = stackalloc byte[Salsa20.KeyLength];
HSalsa20.Transform(subkey, nonce, key, ReadOnlySpan <byte> .Empty);
StreamSalsa20.Transform(block0.Slice(0, StreamSalsa20.KeyLength), nonce.Slice(16), subkey);
poly1305.SetKey(block0.Slice(0, Poly1305.KeyLength));
if (!poly1305.Verify(mac, cipher))
{
poly1305.Reset();
subkey.Clear();
return(false);
}
int mlen0 = cipher.Length;
if (mlen0 > 64 - ZeroBytesLength)
{
mlen0 = 64 - ZeroBytesLength;
}
for (int i = 0; i < mlen0; i++)
{
block0[ZeroBytesLength + i] = cipher[i];
}
StreamSalsa20Xor.Transform(block0, block0.Slice(0, ZeroBytesLength + mlen0), nonce.Slice(16), subkey);
for (int i = 0; i < mlen0; i++)
{
message[i] = block0[i + ZeroBytesLength];
}
if (cipher.Length > mlen0)
{
StreamSalsa20Xor.Transform(message.Slice(mlen0), cipher.Slice(mlen0), nonce.Slice(16), subkey, 1UL);
}
subkey.Clear();
poly1305.Reset();
return(true);
}
public static byte[] Encode(byte[] input, byte[] key, byte[] nonce)
{
var subNonce = new byte[16];
if (nonce.Length == 24)
{
var hNonce = new byte[16];
System.Buffer.BlockCopy(nonce, 0, hNonce, 0, 16);
System.Buffer.BlockCopy(nonce, 16, subNonce, 0, 8);
key = HSalsa20.Encode(key, hNonce);
}
else if (nonce.Length == 8)
{
System.Buffer.BlockCopy(nonce, 0, subNonce, 0, 8);
}
else
{
throw new System.ArgumentException();
}
return(NormalEncode(input, key, subNonce));
}
/// <summary>
/// Encrypts a message, with the object key and a nonce n.
/// </summary>
/// <remarks>
/// Detached mode, some applications may need to store the authentication tag and
/// the encrypted message at different locations.
/// </remarks>
/// <param name="cipher"></param>
/// <param name="mac"></param>
/// <param name="message"></param>
/// <param name="nonce"></param>
public void Encrypt(Span <byte> cipher, Span <byte> mac, ReadOnlySpan <byte> message, ReadOnlySpan <byte> nonce)
{
Span <byte> block0 = stackalloc byte[64];
Span <byte> subkey = stackalloc byte[Salsa20.KeyLength];
HSalsa20.Transform(subkey, nonce, key, ReadOnlySpan <byte> .Empty);
int mlen0 = message.Length;
if (mlen0 > 64 - ZeroBytesLength)
{
mlen0 = 64 - ZeroBytesLength;
}
for (int i = 0; i < mlen0; i++)
{
block0[i + ZeroBytesLength] = message[i];
}
StreamSalsa20Xor.Transform(block0, block0.Slice(0, mlen0 + ZeroBytesLength), nonce.Slice(16), subkey);
poly1305.SetKey(block0.Slice(0, Poly1305.KeyLength));
for (int i = 0; i < mlen0; i++)
{
cipher[i] = block0[ZeroBytesLength + i];
}
block0.Clear();
if (message.Length > mlen0)
{
StreamSalsa20Xor.Transform(cipher.Slice(mlen0), message.Slice(mlen0), nonce.Slice(16), subkey, 1UL);
}
subkey.Clear();
poly1305.Update(cipher.Slice(0, message.Length));
poly1305.Final(mac);
poly1305.Reset();
}