Botan 3.9.0
Crypto and TLS for C&
sodium_secretbox.cpp
Go to the documentation of this file.
1/*
2* (C) 2019 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/sodium.h>
8
9#include <botan/mac.h>
10#include <botan/mem_ops.h>
11#include <botan/secmem.h>
12#include <botan/stream_cipher.h>
13#include <botan/internal/ct_utils.h>
14
15namespace Botan {
16
17int Sodium::crypto_secretbox_xsalsa20poly1305(
18 uint8_t ctext[], const uint8_t ptext[], size_t ptext_len, const uint8_t nonce[], const uint8_t key[]) {
19 if(ptext_len < 32) {
20 return -1;
21 }
22
23 auto salsa = StreamCipher::create_or_throw("Salsa20");
24 salsa->set_key(key, crypto_secretbox_KEYBYTES);
25 salsa->set_iv(nonce, crypto_secretbox_NONCEBYTES);
26
27 secure_vector<uint8_t> auth_key(32);
28 salsa->write_keystream(auth_key.data(), auth_key.size());
29
30 salsa->cipher(ptext + 32, ctext + 32, ptext_len - 32);
31
32 auto poly1305 = MessageAuthenticationCode::create_or_throw("Poly1305");
33 poly1305->set_key(auth_key);
34 poly1305->update(ctext + 32, ptext_len - 32);
35 poly1305->final(ctext + 16);
36
37 clear_mem(ctext, 16);
38 return 0;
39}
40
41int Sodium::crypto_secretbox_xsalsa20poly1305_open(
42 uint8_t ptext[], const uint8_t ctext[], size_t ctext_len, const uint8_t nonce[], const uint8_t key[]) {
43 if(ctext_len < crypto_box_curve25519xsalsa20poly1305_ZEROBYTES) {
44 return -1;
45 }
46
47 auto salsa = StreamCipher::create_or_throw("Salsa20");
48 salsa->set_key(key, crypto_secretbox_KEYBYTES);
49 salsa->set_iv(nonce, crypto_secretbox_NONCEBYTES);
50
51 secure_vector<uint8_t> auth_key(32);
52 salsa->write_keystream(auth_key.data(), auth_key.size());
53
54 auto poly1305 = MessageAuthenticationCode::create_or_throw("Poly1305");
55 poly1305->set_key(auth_key);
56 poly1305->update(ctext + 32, ctext_len - 32);
57 secure_vector<uint8_t> computed = poly1305->final();
58
59 if(CT::is_not_equal(computed.data(), ctext + 16, 16).as_bool()) {
60 return -1;
61 }
62
63 salsa->cipher(ctext + 32, ptext + 32, ctext_len - 32);
64
65 clear_mem(ptext, 32);
66 return 0;
67}
68
69int Sodium::crypto_secretbox_detached(uint8_t ctext[],
70 uint8_t mac[],
71 const uint8_t ptext[],
72 size_t ptext_len,
73 const uint8_t nonce[],
74 const uint8_t key[]) {
75 auto salsa = StreamCipher::create_or_throw("Salsa20");
76 salsa->set_key(key, crypto_secretbox_KEYBYTES);
77 salsa->set_iv(nonce, crypto_secretbox_NONCEBYTES);
78
79 secure_vector<uint8_t> auth_key(32);
80 salsa->write_keystream(auth_key.data(), auth_key.size());
81
82 salsa->cipher(ptext, ctext, ptext_len);
83
84 auto poly1305 = MessageAuthenticationCode::create_or_throw("Poly1305");
85 poly1305->set_key(auth_key);
86 poly1305->update(ctext, ptext_len);
87 poly1305->final(mac);
88
89 return 0;
90}
91
92int Sodium::crypto_secretbox_open_detached(uint8_t ptext[],
93 const uint8_t ctext[],
94 const uint8_t mac[],
95 size_t ctext_len,
96 const uint8_t nonce[],
97 const uint8_t key[]) {
98 auto salsa = StreamCipher::create_or_throw("Salsa20");
99 salsa->set_key(key, crypto_secretbox_KEYBYTES);
100 salsa->set_iv(nonce, crypto_secretbox_NONCEBYTES);
101
102 secure_vector<uint8_t> auth_key(32);
103 salsa->write_keystream(auth_key.data(), auth_key.size());
104
105 auto poly1305 = MessageAuthenticationCode::create_or_throw("Poly1305");
106 poly1305->set_key(auth_key);
107 poly1305->update(ctext, ctext_len);
108 secure_vector<uint8_t> computed_mac = poly1305->final();
109
110 if(!CT::is_equal(mac, computed_mac.data(), computed_mac.size()).as_bool()) {
111 return -1;
112 }
113
114 salsa->cipher(ctext, ptext, ctext_len);
115
116 return 0;
117}
118
119} // namespace Botan
Botan::MessageAuthenticationCode::create_or_throw
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition mac.cpp:148
Botan::StreamCipher::create_or_throw
static std::unique_ptr< StreamCipher > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition stream_cipher.cpp:122
Botan::CT::is_not_equal
constexpr CT::Mask< T > is_not_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:866
Botan::CT::is_equal
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:826
Botan::Sodium::crypto_secretbox_KEYBYTES
@ crypto_secretbox_KEYBYTES
Definition sodium.h:104
Botan::Sodium::crypto_box_curve25519xsalsa20poly1305_ZEROBYTES
@ crypto_box_curve25519xsalsa20poly1305_ZEROBYTES
Definition sodium.h:58
Botan::Sodium::crypto_secretbox_NONCEBYTES
@ crypto_secretbox_NONCEBYTES
Definition sodium.h:107
Botan::Sodium::crypto_secretbox_xsalsa20poly1305_open
int crypto_secretbox_xsalsa20poly1305_open(uint8_t ptext[], const uint8_t ctext[], size_t ctext_len, const uint8_t nonce[], const uint8_t key[])
Definition sodium_secretbox.cpp:41
Botan::Sodium::crypto_secretbox_open_detached
int crypto_secretbox_open_detached(uint8_t ptext[], const uint8_t ctext[], const uint8_t mac[], size_t ctext_len, const uint8_t nonce[], const uint8_t key[])
Definition sodium_secretbox.cpp:92
Botan::Sodium::crypto_secretbox_xsalsa20poly1305
int crypto_secretbox_xsalsa20poly1305(uint8_t ctext[], const uint8_t ptext[], size_t ptext_len, const uint8_t nonce[], const uint8_t key[])
Definition sodium_secretbox.cpp:17
Botan::Sodium::crypto_secretbox_detached
int crypto_secretbox_detached(uint8_t ctext[], uint8_t mac[], const uint8_t ptext[], size_t ptext_len, const uint8_t nonce[], const uint8_t key[])
Definition sodium_secretbox.cpp:69
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:69
Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:119
Generated by doxygen 1.14.0