/* eslint-disable camelcase */
const assert = require('nanoassert')
const { randombytes_buf } = require('./randombytes')
const {
crypto_stream_chacha20_ietf,
crypto_stream_chacha20_ietf_xor,
crypto_stream_chacha20_ietf_xor_ic,
crypto_stream_chacha20_ietf_KEYBYTES
} = require('./crypto_stream_chacha20')
const { crypto_core_hchacha20, crypto_core_hchacha20_INPUTBYTES } = require('./internal/hchacha20')
const Poly1305 = require('./internal/poly1305')
const { sodium_increment, sodium_is_zero, sodium_memcmp } = require('./helpers')
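// The per-message MAC is a plain 16-byte Poly1305 tag.
const crypto_onetimeauth_poly1305_BYTES = 16
// The 12-byte nonce kept in the state is a 4-byte little-endian message
// counter followed by an 8-byte "inner" nonce (inonce).
const crypto_secretstream_xchacha20poly1305_COUNTERBYTES = 4
const crypto_secretstream_xchacha20poly1305_INONCEBYTES = 8
const crypto_aead_xchacha20poly1305_ietf_KEYBYTES = 32
const crypto_secretstream_xchacha20poly1305_KEYBYTES = crypto_aead_xchacha20poly1305_ietf_KEYBYTES
const crypto_aead_xchacha20poly1305_ietf_NPUBBYTES = 24
// The stream header is an XChaCha20 nonce: its leading bytes feed HChaCha20
// (subkey derivation) and the trailing 8 bytes become the initial inonce.
const crypto_secretstream_xchacha20poly1305_HEADERBYTES = crypto_aead_xchacha20poly1305_ietf_NPUBBYTES
const crypto_aead_xchacha20poly1305_ietf_ABYTES = 16
// Per-message overhead: 1 encrypted tag byte + the 16-byte MAC.
const crypto_secretstream_xchacha20poly1305_ABYTES = 1 + crypto_aead_xchacha20poly1305_ietf_ABYTES
const crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX = Number.MAX_SAFE_INTEGER
const crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX = Number.MAX_SAFE_INTEGER
const crypto_secretstream_xchacha20poly1305_TAGBYTES = 1
// Tags are exposed as 1-byte Uint8Arrays so callers can hand them straight to
// the `tag` argument of push()/pull().
const crypto_secretstream_xchacha20poly1305_TAG_MESSAGE = new Uint8Array([0])
const crypto_secretstream_xchacha20poly1305_TAG_PUSH = new Uint8Array([1])
const crypto_secretstream_xchacha20poly1305_TAG_REKEY = new Uint8Array([2])
// FINAL = PUSH | REKEY. Index the byte explicitly: applying `|` to the
// Uint8Array objects themselves only yields 3 through string coercion.
const crypto_secretstream_xchacha20poly1305_TAG_FINAL = new Uint8Array([
  crypto_secretstream_xchacha20poly1305_TAG_PUSH[0] | crypto_secretstream_xchacha20poly1305_TAG_REKEY[0]
])
// State layout: [key (32)] [nonce = counter (4) + inonce (8)] [pad (8)]
const crypto_secretstream_xchacha20poly1305_STATEBYTES = crypto_secretstream_xchacha20poly1305_KEYBYTES +
  crypto_secretstream_xchacha20poly1305_INONCEBYTES + crypto_secretstream_xchacha20poly1305_COUNTERBYTES + 8
const KEY_OFFSET = 0
const NONCE_OFFSET = crypto_secretstream_xchacha20poly1305_KEYBYTES
const PAD_OFFSET = NONCE_OFFSET + crypto_secretstream_xchacha20poly1305_INONCEBYTES + crypto_secretstream_xchacha20poly1305_COUNTERBYTES
// 16 zero bytes used to pad Poly1305 input up to a 16-byte boundary.
const _pad0 = new Uint8Array(16)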
/**
 * Write the non-negative integer `int` into `dest[0..8)` as a 64-bit
 * little-endian value. Division (not shifting) is used so that values above
 * 2^32, up to Number.MAX_SAFE_INTEGER, are split into bytes correctly.
 *
 * @param {Uint8Array} dest - receives 8 bytes starting at index 0
 * @param {number} int - value to encode
 */
function STORE64_LE (dest, int) {
  let scale = 1
  for (let byteIndex = 0; byteIndex < 8; byteIndex++) {
    // `& 0xFF` applies ToInt32, which keeps the low 8 bits intact.
    dest[byteIndex] = (int / scale) & 0xFF
    scale *= 0x100
  }
}
/**
 * Reset the 4-byte message counter at the start of the state nonce to 1.
 * Only the counter bytes are touched; the inonce that follows is preserved.
 *
 * @param {Uint8Array} state - crypto_secretstream_xchacha20poly1305_STATEBYTES of state (mutated)
 * @throws if the state has the wrong length
 */
function crypto_secretstream_xchacha20poly1305_counter_reset (state) {
  assert(state.byteLength === crypto_secretstream_xchacha20poly1305_STATEBYTES,
    'state is should be crypto_secretstream_xchacha20poly1305_STATEBYTES long')
  const counter = state.subarray(NONCE_OFFSET, NONCE_OFFSET + crypto_secretstream_xchacha20poly1305_COUNTERBYTES)
  counter.fill(0)
  // Little-endian counter value 1.
  counter[0] = 1
}
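/**
 * Fill `k` with a fresh random stream key.
 *
 * @param {Uint8Array} k - crypto_secretstream_xchacha20poly1305_KEYBYTES buffer to fill
 * @throws if `k` is not a Uint8Array of the expected length
 */
function crypto_secretstream_xchacha20poly1305_keygen (k) {
  // Same type + length check as init_push()/init_pull() apply to their key.
  assert(k instanceof Uint8Array && k.length === crypto_secretstream_xchacha20poly1305_KEYBYTES,
    'k not byte array of length crypto_secretstream_xchacha20poly1305_KEYBYTES')
  randombytes_buf(k)
}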
/**
 * Initialise a sending stream: writes a random header into `out` and derives
 * the initial state (subkey, counter = 1, inonce) from it and `key`.
 *
 * @param {Uint8Array} state - crypto_secretstream_xchacha20poly1305_STATEBYTES buffer (overwritten)
 * @param {Uint8Array} out - receives crypto_secretstream_xchacha20poly1305_HEADERBYTES of header
 * @param {Uint8Array} key - crypto_secretstream_xchacha20poly1305_KEYBYTES long-term key
 * @throws if any argument has the wrong type or length
 */
function crypto_secretstream_xchacha20poly1305_init_push (state, out, key) {
  assert(state.byteLength === crypto_secretstream_xchacha20poly1305_STATEBYTES,
    'state is should be crypto_secretstream_xchacha20poly1305_STATEBYTES long')
  assert(out instanceof Uint8Array && out.length === crypto_secretstream_xchacha20poly1305_HEADERBYTES, 'out not byte array of length crypto_secretstream_xchacha20poly1305_HEADERBYTES')
  assert(key instanceof Uint8Array && key.length === crypto_secretstream_xchacha20poly1305_KEYBYTES, 'key not byte array of length crypto_secretstream_xchacha20poly1305_KEYBYTES')
  const subkey = state.subarray(KEY_OFFSET, NONCE_OFFSET)
  const streamNonce = state.subarray(NONCE_OFFSET, PAD_OFFSET)
  const padding = state.subarray(PAD_OFFSET)
  // Fresh random header, then subkey = HChaCha20(key, header prefix).
  randombytes_buf(out, crypto_secretstream_xchacha20poly1305_HEADERBYTES)
  crypto_core_hchacha20(subkey, out, key, null)
  crypto_secretstream_xchacha20poly1305_counter_reset(state)
  // The header bytes after the HChaCha20 input become the initial inonce.
  const inonceStart = crypto_core_hchacha20_INPUTBYTES
  const inonceEnd = inonceStart + crypto_secretstream_xchacha20poly1305_INONCEBYTES
  streamNonce.set(out.subarray(inonceStart, inonceEnd), crypto_secretstream_xchacha20poly1305_COUNTERBYTES)
  padding.fill(0)
}
/**
 * Initialise a receiving stream from the header `_in` produced by init_push()
 * and the shared `key`: derives the subkey, resets the counter and loads the
 * initial inonce.
 *
 * @param {Uint8Array} state - crypto_secretstream_xchacha20poly1305_STATEBYTES buffer (overwritten)
 * @param {Uint8Array} _in - crypto_secretstream_xchacha20poly1305_HEADERBYTES header
 * @param {Uint8Array} key - crypto_secretstream_xchacha20poly1305_KEYBYTES long-term key
 * @throws if any argument has the wrong type or length
 */
function crypto_secretstream_xchacha20poly1305_init_pull (state, _in, key) {
  assert(state.byteLength === crypto_secretstream_xchacha20poly1305_STATEBYTES,
    'state is should be crypto_secretstream_xchacha20poly1305_STATEBYTES long')
  assert(_in instanceof Uint8Array && _in.length === crypto_secretstream_xchacha20poly1305_HEADERBYTES,
    '_in not byte array of length crypto_secretstream_xchacha20poly1305_HEADERBYTES')
  assert(key instanceof Uint8Array && key.length === crypto_secretstream_xchacha20poly1305_KEYBYTES,
    'key not byte array of length crypto_secretstream_xchacha20poly1305_KEYBYTES')
  const subkey = state.subarray(KEY_OFFSET, NONCE_OFFSET)
  const streamNonce = state.subarray(NONCE_OFFSET, PAD_OFFSET)
  const padding = state.subarray(PAD_OFFSET)
  // subkey = HChaCha20(key, header prefix); must match the sender's derivation.
  crypto_core_hchacha20(subkey, _in, key, null)
  crypto_secretstream_xchacha20poly1305_counter_reset(state)
  // The header bytes after the HChaCha20 input become the initial inonce.
  const inonceStart = crypto_core_hchacha20_INPUTBYTES
  const inonceEnd = inonceStart + crypto_secretstream_xchacha20poly1305_INONCEBYTES
  streamNonce.set(_in.subarray(inonceStart, inonceEnd), crypto_secretstream_xchacha20poly1305_COUNTERBYTES)
  padding.fill(0)
}
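/**
 * Replace the stream key and inonce with new ones derived from the current
 * ones, then reset the counter. Both sides must rekey at the same points in
 * the stream (explicitly, or via TAG_REKEY / TAG_FINAL / counter wrap).
 *
 * new_key || new_inonce = (key || inonce) XOR ChaCha20(key, nonce)
 *
 * @param {Uint8Array} state - crypto_secretstream_xchacha20poly1305_STATEBYTES of state (mutated)
 * @throws if the state has the wrong length
 */
function crypto_secretstream_xchacha20poly1305_rekey (state) {
  assert(state.byteLength === crypto_secretstream_xchacha20poly1305_STATEBYTES,
    'state is should be crypto_secretstream_xchacha20poly1305_STATEBYTES long')
  const k = state.subarray(KEY_OFFSET, NONCE_OFFSET)
  const nonce = state.subarray(NONCE_OFFSET, PAD_OFFSET)
  const inonce = nonce.subarray(crypto_secretstream_xchacha20poly1305_COUNTERBYTES,
    crypto_secretstream_xchacha20poly1305_COUNTERBYTES + crypto_secretstream_xchacha20poly1305_INONCEBYTES)
  const new_key_and_inonce = new Uint8Array(
    crypto_stream_chacha20_ietf_KEYBYTES + crypto_secretstream_xchacha20poly1305_INONCEBYTES)
  new_key_and_inonce.set(k.subarray(0, crypto_stream_chacha20_ietf_KEYBYTES), 0)
  new_key_and_inonce.set(inonce, crypto_stream_chacha20_ietf_KEYBYTES)
  // In-place XOR with the keystream under the *current* key and nonce.
  crypto_stream_chacha20_ietf_xor(new_key_and_inonce, new_key_and_inonce, nonce, k)
  k.set(new_key_and_inonce.subarray(0, crypto_stream_chacha20_ietf_KEYBYTES), 0)
  inonce.set(new_key_and_inonce.subarray(crypto_stream_chacha20_ietf_KEYBYTES), 0)
  // Mirror libsodium's sodium_memzero(): don't leave the new key in a dead buffer.
  new_key_and_inonce.fill(0)
  crypto_secretstream_xchacha20poly1305_counter_reset(state)
}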
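/**
 * Encrypt and authenticate one message of the stream.
 *
 * Output layout in `out`: 1 encrypted tag byte | ciphertext | 16-byte MAC.
 * Keystream block 0 is the one-time Poly1305 key, block 1 encrypts the tag
 * byte and blocks 2.. encrypt the message. After each message the inonce is
 * XORed with the MAC and the counter incremented; a rekey happens when the
 * tag has the REKEY bit set or the counter wraps to zero.
 *
 * @param {Uint8Array} state - crypto_secretstream_xchacha20poly1305_STATEBYTES of state (mutated)
 * @param {Uint8Array} out - must hold at least crypto_secretstream_xchacha20poly1305_ABYTES + m.byteLength bytes
 * @param {Uint8Array} m - plaintext
 * @param {Uint8Array|null|undefined} ad - additional data that is authenticated but not encrypted
 * @param {Uint8Array} tag - 1-byte tag, one of the exported TAG_* constants
 * @returns {number} number of bytes written to `out`
 * @throws if a length check fails
 */
function crypto_secretstream_xchacha20poly1305_push (state, out, m, ad, tag) {
  assert(state.byteLength === crypto_secretstream_xchacha20poly1305_STATEBYTES,
    'state is should be crypto_secretstream_xchacha20poly1305_STATEBYTES long')
  assert(m.byteLength <= crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX,
    'message is too long')
  // Reject an undersized output buffer up front instead of producing a truncated record.
  assert(out.byteLength >= crypto_secretstream_xchacha20poly1305_ABYTES + m.byteLength,
    'out is too short')
  // Don't reassign the caller's argument; a missing `ad` means "no additional data".
  const assoc = ad || new Uint8Array(0)
  const k = state.subarray(KEY_OFFSET, NONCE_OFFSET)
  const nonce = state.subarray(NONCE_OFFSET, PAD_OFFSET)
  const block = new Uint8Array(64)
  const slen = new Uint8Array(8)
  assert(crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX <=
    crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX)
  // Block 0 of the keystream is the Poly1305 key; wipe it once the MAC state holds it.
  crypto_stream_chacha20_ietf(block, nonce, k)
  const poly = new Poly1305(block)
  block.fill(0)
  poly.update(assoc, 0, assoc.byteLength)
  poly.update(_pad0, 0, (0x10 - assoc.byteLength) & 0xf)
  // Block 1: encrypt the tag byte; the whole block is authenticated.
  block[0] = tag[0]
  crypto_stream_chacha20_ietf_xor_ic(block, block, nonce, 1, k)
  poly.update(block, 0, block.byteLength)
  out[0] = block[0]
  // Blocks 2..: encrypt the message directly into `out`.
  const c = out.subarray(1, out.byteLength)
  crypto_stream_chacha20_ietf_xor_ic(c, m, nonce, 2, k)
  poly.update(c, 0, m.byteLength)
  poly.update(_pad0, 0, (0x10 - block.byteLength + m.byteLength) & 0xf)
  // Trailer: little-endian lengths of ad and of (tag block + message).
  STORE64_LE(slen, assoc.byteLength)
  poly.update(slen, 0, slen.byteLength)
  STORE64_LE(slen, block.byteLength + m.byteLength)
  poly.update(slen, 0, slen.byteLength)
  const mac = out.subarray(1 + m.byteLength, out.byteLength)
  poly.finish(mac, 0)
  assert(crypto_onetimeauth_poly1305_BYTES >=
    crypto_secretstream_xchacha20poly1305_INONCEBYTES)
  // Ratchet: inonce ^= mac, counter++.
  xor_buf(nonce.subarray(crypto_secretstream_xchacha20poly1305_COUNTERBYTES, nonce.length),
    mac, crypto_secretstream_xchacha20poly1305_INONCEBYTES)
  sodium_increment(nonce)
  // Compare tag bytes, not Uint8Array objects (which would only work via string coercion).
  if ((tag[0] & crypto_secretstream_xchacha20poly1305_TAG_REKEY[0]) !== 0 ||
    sodium_is_zero(nonce.subarray(0, crypto_secretstream_xchacha20poly1305_COUNTERBYTES))) {
    crypto_secretstream_xchacha20poly1305_rekey(state)
  }
  return crypto_secretstream_xchacha20poly1305_ABYTES + m.byteLength
}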
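/**
 * Verify and decrypt one message of the stream.
 *
 * The MAC is checked before anything is written to `m` or `tag` and before
 * the state is advanced, so a forged or corrupted record cannot desynchronise
 * the receiver. On success the inonce is XORed with the MAC, the counter
 * incremented, and a rekey performed when the decrypted tag has the REKEY bit
 * set or the counter wraps to zero.
 *
 * @param {Uint8Array} state - crypto_secretstream_xchacha20poly1305_STATEBYTES of state (mutated)
 * @param {Uint8Array} m - receives the plaintext; must hold at least
 *   _in.byteLength - crypto_secretstream_xchacha20poly1305_ABYTES bytes
 * @param {Uint8Array} tag - receives the decrypted 1-byte tag at index 0
 * @param {Uint8Array} _in - ciphertext record as produced by push()
 * @param {Uint8Array|null|undefined} ad - additional data that was authenticated with the message
 * @returns {number} plaintext length written to `m`
 * @throws Error('MAC could not be verified.') on authentication failure; also on length errors
 */
function crypto_secretstream_xchacha20poly1305_pull (state, m, tag, _in, ad) {
  assert(state.byteLength === crypto_secretstream_xchacha20poly1305_STATEBYTES,
    'state is should be crypto_secretstream_xchacha20poly1305_STATEBYTES long')
  assert(_in.byteLength >= crypto_secretstream_xchacha20poly1305_ABYTES,
    'ciphertext is too short.')
  const mlen = _in.byteLength - crypto_secretstream_xchacha20poly1305_ABYTES
  assert(m.byteLength >= mlen, 'm is too short')
  // Don't reassign the caller's argument; a missing `ad` means "no additional data".
  const assoc = ad || new Uint8Array(0)
  const k = state.subarray(KEY_OFFSET, NONCE_OFFSET)
  const nonce = state.subarray(NONCE_OFFSET, PAD_OFFSET)
  const block = new Uint8Array(64)
  const slen = new Uint8Array(8)
  const mac = new Uint8Array(crypto_onetimeauth_poly1305_BYTES)
  // Block 0 of the keystream is the Poly1305 key; wipe it once the MAC state holds it.
  crypto_stream_chacha20_ietf(block, nonce, k)
  const poly = new Poly1305(block)
  block.fill(0) // sodium_memzero(block, sizeof block);
  poly.update(assoc, 0, assoc.byteLength)
  poly.update(_pad0, 0, (0x10 - assoc.byteLength) & 0xf)
  // Block 1: decrypt the tag byte, but authenticate the block with the
  // ciphertext tag byte in position 0, exactly as push() did.
  block[0] = _in[0]
  crypto_stream_chacha20_ietf_xor_ic(block, block, nonce, 1, k)
  // Keep the decrypted tag local until the MAC has been verified.
  const decryptedTag = block[0]
  block[0] = _in[0]
  poly.update(block, 0, block.byteLength)
  const c = _in.subarray(1, _in.length)
  poly.update(c, 0, mlen)
  poly.update(_pad0, 0, (0x10 - block.byteLength + mlen) & 0xf)
  // Trailer: little-endian lengths of ad and of (tag block + message).
  // The message length is `mlen`, not the size of the caller's `m` buffer.
  STORE64_LE(slen, assoc.byteLength)
  poly.update(slen, 0, slen.byteLength)
  STORE64_LE(slen, block.byteLength + mlen)
  poly.update(slen, 0, slen.byteLength)
  poly.finish(mac, 0)
  const stored_mac = _in.subarray(1 + mlen, _in.length)
  if (!sodium_memcmp(mac, stored_mac)) {
    mac.fill(0)
    throw new Error('MAC could not be verified.')
  }
  tag[0] = decryptedTag
  // Blocks 2..: decrypt exactly `mlen` bytes; never read into the MAC region.
  crypto_stream_chacha20_ietf_xor_ic(m.subarray(0, mlen), c.subarray(0, mlen), nonce, 2, k)
  // Ratchet: inonce ^= mac, counter++.
  xor_buf(nonce.subarray(crypto_secretstream_xchacha20poly1305_COUNTERBYTES, nonce.length),
    mac, crypto_secretstream_xchacha20poly1305_INONCEBYTES)
  sodium_increment(nonce)
  // Compare tag bytes, not Uint8Array objects: `tag & TAG_REKEY` on the arrays
  // only worked through string coercion and silently yields 0 for a longer `tag` buffer.
  if ((decryptedTag & crypto_secretstream_xchacha20poly1305_TAG_REKEY[0]) !== 0 ||
    sodium_is_zero(nonce.subarray(0, crypto_secretstream_xchacha20poly1305_COUNTERBYTES))) {
    crypto_secretstream_xchacha20poly1305_rekey(state)
  }
  return mlen
}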
/**
 * In-place XOR of the first `n` bytes: out[i] ^= _in[i].
 *
 * @param {Uint8Array} out - buffer that is modified
 * @param {Uint8Array} _in - buffer that is read
 * @param {number} n - number of bytes to process
 */
function xor_buf (out, _in, n) {
  for (let idx = 0; idx < n; idx += 1) {
    out[idx] = out[idx] ^ _in[idx]
  }
}
// Public API. The TAG_* values are 1-byte Uint8Arrays meant to be passed as
// the `tag` argument of push(); pull() writes the decrypted tag into tag[0].
// The *_BYTES constants give the buffer sizes callers must allocate.
module.exports = {
  crypto_secretstream_xchacha20poly1305_keygen,
  crypto_secretstream_xchacha20poly1305_init_push,
  crypto_secretstream_xchacha20poly1305_init_pull,
  crypto_secretstream_xchacha20poly1305_rekey,
  crypto_secretstream_xchacha20poly1305_push,
  crypto_secretstream_xchacha20poly1305_pull,
  crypto_secretstream_xchacha20poly1305_STATEBYTES,
  crypto_secretstream_xchacha20poly1305_ABYTES,
  crypto_secretstream_xchacha20poly1305_HEADERBYTES,
  crypto_secretstream_xchacha20poly1305_KEYBYTES,
  crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX,
  crypto_secretstream_xchacha20poly1305_TAGBYTES,
  crypto_secretstream_xchacha20poly1305_TAG_MESSAGE,
  crypto_secretstream_xchacha20poly1305_TAG_PUSH,
  crypto_secretstream_xchacha20poly1305_TAG_REKEY,
  crypto_secretstream_xchacha20poly1305_TAG_FINAL
}