private void Decrypt()
{
if (m_pbData.Length == 0)
{
return;
}
if (m_mp == PbMemProt.ProtectedMemory)
{
ProtectedMemory.Unprotect(m_pbData, MemoryProtectionScope.SameProcess);
}
else if (m_mp == PbMemProt.Salsa20)
{
Salsa20Cipher s = new Salsa20Cipher(g_pbKey32,
BitConverter.GetBytes(m_lID));
s.Encrypt(m_pbData, m_pbData.Length, true);
s.Dispose();
}
else if (m_mp == PbMemProt.ExtCrypt)
{
m_fExtCrypt(m_pbData, PbCryptFlags.Decrypt, m_lID);
}
else
{
Debug.Assert(m_mp == PbMemProt.None);
}
m_mp = PbMemProt.None;
}
/// <summary>
/// Creates a cipher instance (<see cref="ChaCha20Cipher"/> or <see cref="Salsa20Cipher"/> (KeePass older as 2.35)) with the nonce and the pin as key.
/// </summary>
/// <param name="pin">The pin to use as key.</param>
/// <param name="nonce">The nonce to use as IV.</param>
/// <returns>The cipher instance.</returns>
private static CtrBlockCipher CreateCipher(byte[] pin, byte[] nonce)
{
Contract.Requires(pin != null);
Contract.Requires(nonce != null);
Contract.Ensures(Contract.Result <ChaCha20Cipher>() != null);
var key = new byte[32];
using (var h = new SHA512Managed())
{
var hashBytes = h.ComputeHash(pin);
Array.Copy(hashBytes, key, 32);
MemUtil.ZeroByteArray(hashBytes);
}
CtrBlockCipher cipher;
if (nonce.Length == 12 /*>= KeePass 2.35*/)
{
cipher = new ChaCha20Cipher(key, nonce, false);
}
else
{
cipher = new Salsa20Cipher(key, nonce);
}
MemUtil.ZeroByteArray(key);
return(cipher);
}
private static void TestSalsa20()
{
// Test values from official set 6, vector 3
byte[] pbKey = new byte[32]
{
0x0F, 0x62, 0xB5, 0x08, 0x5B, 0xAE, 0x01, 0x54,
0xA7, 0xFA, 0x4D, 0xA0, 0xF3, 0x46, 0x99, 0xEC,
0x3F, 0x92, 0xE5, 0x38, 0x8B, 0xDE, 0x31, 0x84,
0xD7, 0x2A, 0x7D, 0xD0, 0x23, 0x76, 0xC9, 0x1C
};
byte[] pbIV = new byte[8]
{
0x28, 0x8F, 0xF6, 0x5D,
0xC4, 0x2B, 0x92, 0xF9
};
byte[] pbExpected = new byte[16]
{
0x5E, 0x5E, 0x71, 0xF9, 0x01, 0x99, 0x34, 0x03,
0x04, 0xAB, 0xB2, 0x2A, 0x37, 0xB6, 0x62, 0x5B
};
byte[] pb = new byte[16];
Salsa20Cipher c = new Salsa20Cipher(pbKey, pbIV);
c.Encrypt(pb, pb.Length, false);
if (!MemUtil.ArraysEqual(pb, pbExpected))
{
throw new SecurityException("Salsa20.");
}
#if DEBUG
// Extended test in debug mode
byte[] pbExpected2 = new byte[16]
{
0xAB, 0xF3, 0x9A, 0x21, 0x0E, 0xEE, 0x89, 0x59,
0x8B, 0x71, 0x33, 0x37, 0x70, 0x56, 0xC2, 0xFE
};
byte[] pbExpected3 = new byte[16]
{
0x1B, 0xA8, 0x9D, 0xBD, 0x3F, 0x98, 0x83, 0x97,
0x28, 0xF5, 0x67, 0x91, 0xD5, 0xB7, 0xCE, 0x23
};
Random r = new Random();
int nPos = Salsa20ToPos(c, r, pb.Length, 65536);
c.Encrypt(pb, pb.Length, false);
if (!MemUtil.ArraysEqual(pb, pbExpected2))
{
throw new SecurityException("Salsa20-2.");
}
nPos = Salsa20ToPos(c, r, nPos + pb.Length, 131008);
Array.Clear(pb, 0, pb.Length);
c.Encrypt(pb, pb.Length, true);
if (!MemUtil.ArraysEqual(pb, pbExpected3))
{
throw new SecurityException("Salsa20-3.");
}
#endif
}
private void Decrypt()
{
if (passwordData.Length == 0)
{
return;
}
if (passwordMemoryProtection == PbMemProt.ProtectedMemory)
{
ProtectedMemory.Unprotect(passwordData, MemoryProtectionScope.SameProcess);
}
else if (passwordMemoryProtection == PbMemProt.Salsa20)
{
var cipher = new Salsa20Cipher(keyBytes32, BitConverter.GetBytes(longId));
cipher.Encrypt(passwordData, passwordData.Length, true);
cipher.Dispose();
}
else if (passwordMemoryProtection == PbMemProt.ExtCrypt)
{
m_fExtCrypt(passwordData, PbCryptFlags.Decrypt, longId);
}
else
{
Debug.Assert(passwordMemoryProtection == PbMemProt.None);
}
passwordMemoryProtection = PbMemProt.None;
}
public void TestSalsa20Cipher()
{
var r = CryptoRandom.NewWeakRandom();
// Test values from official set 6, vector 3
var pbKey = new byte[] {
0x0F, 0x62, 0xB5, 0x08, 0x5B, 0xAE, 0x01, 0x54,
0xA7, 0xFA, 0x4D, 0xA0, 0xF3, 0x46, 0x99, 0xEC,
0x3F, 0x92, 0xE5, 0x38, 0x8B, 0xDE, 0x31, 0x84,
0xD7, 0x2A, 0x7D, 0xD0, 0x23, 0x76, 0xC9, 0x1C
};
var pbIv = new byte[] { 0x28, 0x8F, 0xF6, 0x5D,
0xC4, 0x2B, 0x92, 0xF9 };
var pbExpected = new byte[] {
0x5E, 0x5E, 0x71, 0xF9, 0x01, 0x99, 0x34, 0x03,
0x04, 0xAB, 0xB2, 0x2A, 0x37, 0xB6, 0x62, 0x5B
};
var pb = new byte[16];
var c = new Salsa20Cipher(pbKey, pbIv);
c.Encrypt(pb, 0, pb.Length);
Assert.That(MemUtil.ArraysEqual(pb, pbExpected), Is.True);
// Extended test
var pbExpected2 = new byte[] {
0xAB, 0xF3, 0x9A, 0x21, 0x0E, 0xEE, 0x89, 0x59,
0x8B, 0x71, 0x33, 0x37, 0x70, 0x56, 0xC2, 0xFE
};
var pbExpected3 = new byte[] {
0x1B, 0xA8, 0x9D, 0xBD, 0x3F, 0x98, 0x83, 0x97,
0x28, 0xF5, 0x67, 0x91, 0xD5, 0xB7, 0xCE, 0x23
};
var nPos = Salsa20ToPos(c, r, pb.Length, 65536);
Array.Clear(pb, 0, pb.Length);
c.Encrypt(pb, 0, pb.Length);
Assert.That(MemUtil.ArraysEqual(pb, pbExpected2), Is.True);
Salsa20ToPos(c, r, nPos + pb.Length, 131008);
Array.Clear(pb, 0, pb.Length);
c.Encrypt(pb, 0, pb.Length);
Assert.That(MemUtil.ArraysEqual(pb, pbExpected3), Is.True);
var d = new Dictionary <string, bool>();
const int nRounds = 100;
for (var i = 0; i < nRounds; ++i)
{
var z = new byte[32];
c = new Salsa20Cipher(z, MemUtil.Int64ToBytes(i));
c.Encrypt(z, 0, z.Length);
d[MemUtil.ByteArrayToHexString(z)] = true;
}
Assert.That(d.Count, Is.EqualTo(nRounds));
}
private void Encrypt()
{
Debug.Assert(m_mp == PbMemProt.None);
// Nothing to do if caller didn't request protection
if (!m_bProtected)
{
return;
}
// ProtectedMemory.Protect throws for data size == 0
if (m_pbData.Length == 0)
{
return;
}
PbCryptDelegate f = g_fExtCrypt;
if (f != null)
{
f(m_pbData, PbCryptFlags.Encrypt, m_lID);
m_fExtCrypt = f;
m_mp = PbMemProt.ExtCrypt;
return;
}
if (ProtectedBinary.ProtectedMemorySupported)
{
ProtectedMemory.Protect(m_pbData, MemoryProtectionScope.SameProcess);
m_mp = PbMemProt.ProtectedMemory;
return;
}
byte[] pbKey32 = g_pbKey32;
if (pbKey32 == null)
{
pbKey32 = CryptoRandom.Instance.GetRandomBytes(32);
byte[] pbUpd = Interlocked.Exchange <byte[]>(ref g_pbKey32, pbKey32);
if (pbUpd != null)
{
pbKey32 = pbUpd;
}
}
Salsa20Cipher s = new Salsa20Cipher(pbKey32,
BitConverter.GetBytes(m_lID));
s.Encrypt(m_pbData, m_pbData.Length, true);
s.Dispose();
m_mp = PbMemProt.Salsa20;
}
private void Encrypt()
{
Debug.Assert(passwordMemoryProtection == PbMemProt.None);
if (!isProtected)
{
return;
}
if (passwordData.Length == 0)
{
return;
}
var f = encryptionDelegate;
if (f != null)
{
f(passwordData, PbCryptFlags.Encrypt, longId);
m_fExtCrypt = f;
passwordMemoryProtection = PbMemProt.ExtCrypt;
return;
}
if (ProtectedMemorySupported)
{
ProtectedMemory.Protect(passwordData, MemoryProtectionScope.SameProcess);
passwordMemoryProtection = PbMemProt.ProtectedMemory;
return;
}
var pbKey32 = keyBytes32;
if (pbKey32 == null)
{
pbKey32 = CryptoRandom.Instance.GetRandomBytes(32);
var pbUpd = Interlocked.Exchange(ref keyBytes32, pbKey32);
if (pbUpd != null)
{
pbKey32 = pbUpd;
}
}
var cipher = new Salsa20Cipher(pbKey32, BitConverter.GetBytes(longId));
cipher.Encrypt(passwordData, passwordData.Length, true);
cipher.Dispose();
passwordMemoryProtection = PbMemProt.Salsa20;
}
private static int Salsa20ToPos(Salsa20Cipher c, Random r, int nPos,
int nTargetPos)
{
var pb = new byte[512];
while (nPos < nTargetPos)
{
var x = r.Next(1, 513);
var nGen = Math.Min(nTargetPos - nPos, x);
c.Encrypt(pb, 0, nGen);
nPos += nGen;
}
return(nTargetPos);
}
private static int Salsa20ToPos(Salsa20Cipher c, Random r, int nPos,
int nTargetPos)
{
byte[] pb = new byte[512];
while (nPos < nTargetPos)
{
int x = r.Next(1, 513);
int nGen = Math.Min(nTargetPos - nPos, x);
c.Encrypt(pb, nGen, r.Next(0, 2) == 0);
nPos += nGen;
}
return(nTargetPos);
}
public static string EncryptData(byte[] pbData, byte[] pbKey32,
byte[] pbIV16)
{
byte[] pbIV8 = new byte[8];
Array.Copy(pbIV16, 0, pbIV8, 0, 8);
byte[] pbEnc = new byte[pbData.Length];
Array.Copy(pbData, pbEnc, pbData.Length);
Salsa20Cipher enc = new Salsa20Cipher(pbKey32, pbIV8);
enc.Encrypt(pbEnc, 0, pbEnc.Length);
return("s20://" + Convert.ToBase64String(pbEnc,
Base64FormattingOptions.None));
}
public Salsa20RandomGenerator(IBuffer key)
{
if (key == null)
{
throw new ArgumentNullException("key");
}
key = HashAlgorithmProvider
.OpenAlgorithm(HashAlgorithmNames.Sha256)
.HashData(key);
var iv = new byte[]
{
0xE8, 0x30, 0x09, 0x4B,
0x97, 0x20, 0x5D, 0x2A
};
_cipher = new Salsa20Cipher(key.ToArray(), iv);
}
public static byte[] DecryptData(string strData, byte[] pbKey32,
byte[] pbIV16)
{
if (!strData.StartsWith("s20://"))
{
return(null);
}
string strEnc = strData.Substring(6);
byte[] pb = Convert.FromBase64String(strEnc);
byte[] pbIV8 = new byte[8];
Array.Copy(pbIV16, 0, pbIV8, 0, 8);
Salsa20Cipher dec = new Salsa20Cipher(pbKey32, pbIV8);
dec.Encrypt(pb, 0, pb.Length);
return(pb);
}
/// <summary>
/// Construct a new cryptographically secure random stream object.
/// </summary>
/// <param name="genAlgorithm">Algorithm to use.</param>
/// <param name="pbKey">Initialization key. Must not be <c>null</c> and
/// must contain at least 1 byte.</param>
/// <exception cref="System.ArgumentNullException">Thrown if the
/// <paramref name="pbKey" /> parameter is <c>null</c>.</exception>
/// <exception cref="System.ArgumentException">Thrown if the
/// <paramref name="pbKey" /> parameter contains no bytes or the
/// algorithm is unknown.</exception>
public CryptoRandomStream(CrsAlgorithm genAlgorithm, byte[] pbKey)
{
m_crsAlgorithm = genAlgorithm;
Debug.Assert(pbKey != null); if (pbKey == null)
{
throw new ArgumentNullException("pbKey");
}
uint uKeyLen = (uint)pbKey.Length;
Debug.Assert(uKeyLen != 0); if (uKeyLen == 0)
{
throw new ArgumentException();
}
if (genAlgorithm == CrsAlgorithm.ArcFourVariant)
{
m_pbState = ComputeArcFourState(pbKey, uKeyLen);
GetRandomBytes(512); // Increases security, see cryptanalysis
}
else if (genAlgorithm == CrsAlgorithm.Salsa20)
{
SHA256Managed sha256 = new SHA256Managed();
byte[] pbKey32 = sha256.ComputeHash(pbKey);
byte[] pbIV = new byte[] { 0xE8, 0x30, 0x09, 0x4B,
0x97, 0x20, 0x5D, 0x2A }; // Unique constant
m_salsa20 = new Salsa20Cipher(pbKey32, pbIV);
}
else // Unknown algorithm
{
Debug.Assert(false);
throw new ArgumentException();
}
}
/// <summary>
/// Construct a new cryptographically secure random stream object.
/// </summary>
/// <param name="genAlgorithm">Algorithm to use.</param>
/// <param name="pbKey">Initialization key. Must not be <c>null</c> and
/// must contain at least 1 byte.</param>
/// <exception cref="System.ArgumentNullException">Thrown if the
/// <paramref name="pbKey" /> parameter is <c>null</c>.</exception>
/// <exception cref="System.ArgumentException">Thrown if the
/// <paramref name="pbKey" /> parameter contains no bytes or the
/// algorithm is unknown.</exception>
public CryptoRandomStream(CrsAlgorithm genAlgorithm, byte[] pbKey)
{
m_crsAlgorithm = genAlgorithm;
Debug.Assert(pbKey != null); if (pbKey == null)
{
throw new ArgumentNullException("pbKey");
}
uint uKeyLen = (uint)pbKey.Length;
Debug.Assert(uKeyLen != 0); if (uKeyLen == 0)
{
throw new ArgumentException();
}
if (genAlgorithm == CrsAlgorithm.ArcFourVariant)
{
// Fill the state linearly
m_pbState = new byte[256];
for (uint w = 0; w < 256; ++w)
{
m_pbState[w] = (byte)w;
}
unchecked
{
byte j = 0, t;
uint inxKey = 0;
for (uint w = 0; w < 256; ++w) // Key setup
{
j += (byte)(m_pbState[w] + pbKey[inxKey]);
t = m_pbState[0]; // Swap entries
m_pbState[0] = m_pbState[j];
m_pbState[j] = t;
++inxKey;
if (inxKey >= uKeyLen)
{
inxKey = 0;
}
}
}
GetRandomBytes(512); // Increases security, see cryptanalysis
}
else if (genAlgorithm == CrsAlgorithm.Salsa20)
{
SHA256Managed sha256 = new SHA256Managed();
byte[] pbKey32 = sha256.ComputeHash(pbKey);
byte[] pbIV = new byte[] { 0xE8, 0x30, 0x09, 0x4B,
0x97, 0x20, 0x5D, 0x2A }; // Unique constant
m_salsa20 = new Salsa20Cipher(pbKey32, pbIV);
}
else // Unknown algorithm
{
Debug.Assert(false);
throw new ArgumentException();
}
}
/// <summary>
/// Initializes a new instance of the <see cref="CryptoRandomStream"/> class.
/// Construct a new cryptographically secure random stream object.
/// </summary>
/// <param name="genAlgorithm">
/// Algorithm to use.
/// </param>
/// <param name="pbKey">
/// Initialization key. Must not be <c>null</c> and
/// must contain at least 1 byte.
/// </param>
/// <exception cref="System.ArgumentNullException">
/// Thrown if the
/// <paramref name="pbKey"/> parameter is <c>null</c>.
/// </exception>
/// <exception cref="System.ArgumentException">
/// Thrown if the
/// <paramref name="pbKey"/> parameter contains no bytes or the
/// algorithm is unknown.
/// </exception>
public CryptoRandomStream(CrsAlgorithm genAlgorithm, byte[] pbKey)
{
this.m_crsAlgorithm = genAlgorithm;
Debug.Assert(pbKey != null);
if (pbKey == null)
{
throw new ArgumentNullException("pbKey");
}
uint uKeyLen = (uint)pbKey.Length;
Debug.Assert(uKeyLen != 0);
if (uKeyLen == 0)
{
throw new ArgumentException();
}
if (genAlgorithm == CrsAlgorithm.ArcFourVariant)
{
// Fill the state linearly
this.m_pbState = new byte[256];
for (uint w = 0; w < 256; ++w)
{
this.m_pbState[w] = (byte)w;
}
unchecked
{
byte j = 0, t;
uint inxKey = 0;
for (uint w = 0; w < 256; ++w)
{
// Key setup
j += (byte)(this.m_pbState[w] + pbKey[inxKey]);
t = this.m_pbState[0]; // Swap entries
this.m_pbState[0] = this.m_pbState[j];
this.m_pbState[j] = t;
++inxKey;
if (inxKey >= uKeyLen)
{
inxKey = 0;
}
}
}
this.GetRandomBytes(512); // Increases security, see cryptanalysis
}
else if (genAlgorithm == CrsAlgorithm.Salsa20)
{
var sha256 = HashAlgorithmProvider.OpenAlgorithm(HashAlgorithmNames.Sha256);
byte[] pbKey32 = sha256.HashData(pbKey.AsBuffer()).ToArray();
byte[] pbIV = new byte[] { 0xE8, 0x30, 0x09, 0x4B, 0x97, 0x20, 0x5D, 0x2A }; // Unique constant
this.m_salsa20 = new Salsa20Cipher(pbKey32, pbIV);
}
else
{
// Unknown algorithm
Debug.Assert(false);
throw new ArgumentException();
}
}
public ISingleCipherTransform GetCipherTransformer()
{
if (m_SymAlgo == SymAlgoCode.AES256 || m_SymAlgo == SymAlgoCode.ThreeDES || m_SymAlgo == SymAlgoCode.Twofish)
{
SymmetricAlgorithm SymAlgo;
if (m_SymAlgo == SymAlgoCode.ThreeDES)
{
SymAlgo = new TripleDESCryptoServiceProvider
{
BlockSize = 64,
IV = m_IV,
KeySize = 192,
Key = m_Key,
Mode = CipherMode.CBC,
Padding = PaddingMode.None
};
}
else if (m_SymAlgo == SymAlgoCode.AES256)
{
SymAlgo = new RijndaelManaged
{
BlockSize = 128,
IV = m_IV,
KeySize = 256,
Key = m_Key,
Mode = CipherMode.CBC,
Padding = PaddingMode.None
}
}
;
else
{
SymAlgo = new TwofishManaged
{
BlockSize = 128,
IV = m_IV,
KeySize = 256,
Key = m_Key,
Mode = CipherMode.CBC,
Padding = PaddingMode.None
}
};
return(new CryptoTransformer(SymAlgo));
}
else if (m_SymAlgo == SymAlgoCode.ChaCha20 || m_SymAlgo == SymAlgoCode.Salsa20)
{
CtrBlockCipher c;
if (m_SymAlgo == SymAlgoCode.ChaCha20)
{
c = new ChaCha20Cipher(m_Key, m_IV);
}
else
{
c = new Salsa20Cipher(m_Key, m_IV);
}
return(new CtrBlockCipherTransformer(c));
}
throw new SecurityException("Invalid Algorithm");
}
/// <summary>
/// Construct a new cryptographically secure random stream object.
/// </summary>
/// <param name="a">Algorithm to use.</param>
/// <param name="pbKey">Initialization key. Must not be <c>null</c> and
/// must contain at least 1 byte.</param>
public CryptoRandomStream(CrsAlgorithm a, byte[] pbKey)
{
if (pbKey == null)
{
Debug.Assert(false); throw new ArgumentNullException("pbKey");
}
int cbKey = pbKey.Length;
if (cbKey <= 0)
{
Debug.Assert(false); // Need at least one byte
throw new ArgumentOutOfRangeException("pbKey");
}
m_crsAlgorithm = a;
if (a == CrsAlgorithm.ChaCha20)
{
byte[] pbKey32 = new byte[32];
byte[] pbIV12 = new byte[12];
using (SHA512Managed h = new SHA512Managed())
{
byte[] pbHash = h.ComputeHash(pbKey);
Array.Copy(pbHash, pbKey32, 32);
Array.Copy(pbHash, 32, pbIV12, 0, 12);
MemUtil.ZeroByteArray(pbHash);
}
m_chacha20 = new ChaCha20Cipher(pbKey32, pbIV12, true);
}
else if (a == CrsAlgorithm.Salsa20)
{
byte[] pbKey32 = CryptoUtil.HashSha256(pbKey);
byte[] pbIV8 = new byte[8] {
0xE8, 0x30, 0x09, 0x4B,
0x97, 0x20, 0x5D, 0x2A
}; // Unique constant
m_salsa20 = new Salsa20Cipher(pbKey32, pbIV8);
}
else if (a == CrsAlgorithm.ArcFourVariant)
{
// Fill the state linearly
m_pbState = new byte[256];
for (int w = 0; w < 256; ++w)
{
m_pbState[w] = (byte)w;
}
unchecked
{
byte j = 0, t;
int inxKey = 0;
for (int w = 0; w < 256; ++w) // Key setup
{
j += (byte)(m_pbState[w] + pbKey[inxKey]);
t = m_pbState[0]; // Swap entries
m_pbState[0] = m_pbState[j];
m_pbState[j] = t;
++inxKey;
if (inxKey >= cbKey)
{
inxKey = 0;
}
}
}
GetRandomBytes(512); // Increases security, see cryptanalysis
}
else // Unknown algorithm
{
Debug.Assert(false);
throw new ArgumentOutOfRangeException("a");
}
}
private static void TestSalsa20()
{
// Test values from official set 6, vector 3
byte[] pbKey = new byte[32] {
0x0F, 0x62, 0xB5, 0x08, 0x5B, 0xAE, 0x01, 0x54,
0xA7, 0xFA, 0x4D, 0xA0, 0xF3, 0x46, 0x99, 0xEC,
0x3F, 0x92, 0xE5, 0x38, 0x8B, 0xDE, 0x31, 0x84,
0xD7, 0x2A, 0x7D, 0xD0, 0x23, 0x76, 0xC9, 0x1C
};
byte[] pbIV = new byte[8] {
0x28, 0x8F, 0xF6, 0x5D,
0xC4, 0x2B, 0x92, 0xF9
};
byte[] pbExpected = new byte[16] {
0x5E, 0x5E, 0x71, 0xF9, 0x01, 0x99, 0x34, 0x03,
0x04, 0xAB, 0xB2, 0x2A, 0x37, 0xB6, 0x62, 0x5B
};
byte[] pb = new byte[16];
Salsa20Cipher c = new Salsa20Cipher(pbKey, pbIV);
c.Encrypt(pb, pb.Length, false);
if (!MemUtil.ArraysEqual(pb, pbExpected))
{
throw new SecurityException("Salsa20-1");
}
#if DEBUG
// Extended test in debug mode
byte[] pbExpected2 = new byte[16] {
0xAB, 0xF3, 0x9A, 0x21, 0x0E, 0xEE, 0x89, 0x59,
0x8B, 0x71, 0x33, 0x37, 0x70, 0x56, 0xC2, 0xFE
};
byte[] pbExpected3 = new byte[16] {
0x1B, 0xA8, 0x9D, 0xBD, 0x3F, 0x98, 0x83, 0x97,
0x28, 0xF5, 0x67, 0x91, 0xD5, 0xB7, 0xCE, 0x23
};
Random r = new Random();
int nPos = Salsa20ToPos(c, r, pb.Length, 65536);
c.Encrypt(pb, pb.Length, false);
if (!MemUtil.ArraysEqual(pb, pbExpected2))
{
throw new SecurityException("Salsa20-2");
}
nPos = Salsa20ToPos(c, r, nPos + pb.Length, 131008);
Array.Clear(pb, 0, pb.Length);
c.Encrypt(pb, pb.Length, true);
if (!MemUtil.ArraysEqual(pb, pbExpected3))
{
throw new SecurityException("Salsa20-3");
}
Dictionary <string, bool> d = new Dictionary <string, bool>();
const int nRounds = 100;
for (int i = 0; i < nRounds; ++i)
{
byte[] z = new byte[32];
c = new Salsa20Cipher(z, BitConverter.GetBytes((long)i));
c.Encrypt(z, z.Length, true);
d[MemUtil.ByteArrayToHexString(z)] = true;
}
if (d.Count != nRounds)
{
throw new SecurityException("Salsa20-4");
}
#endif
}
