Botan 3.6.1
Crypto and TLS for C&
sodium_secretbox.cpp
Go to the documentation of this file.
1/*
2* (C) 2019 Jack Lloyd
3*
4* Botan is released under the Simplified BSD License (see license.txt)
5*/
6
7#include <botan/sodium.h>
8
9#include <botan/mac.h>
10#include <botan/secmem.h>
11#include <botan/stream_cipher.h>
12#include <botan/internal/ct_utils.h>
13
14namespace Botan {
15
16int Sodium::crypto_secretbox_xsalsa20poly1305(
17 uint8_t ctext[], const uint8_t ptext[], size_t ptext_len, const uint8_t nonce[], const uint8_t key[]) {
18 if(ptext_len < 32) {
19 return -1;
20 }
21
22 auto salsa = StreamCipher::create_or_throw("Salsa20");
23 salsa->set_key(key, crypto_secretbox_KEYBYTES);
24 salsa->set_iv(nonce, crypto_secretbox_NONCEBYTES);
25
26 secure_vector<uint8_t> auth_key(32);
27 salsa->write_keystream(auth_key.data(), auth_key.size());
28
29 salsa->cipher(ptext + 32, ctext + 32, ptext_len - 32);
30
31 auto poly1305 = MessageAuthenticationCode::create_or_throw("Poly1305");
32 poly1305->set_key(auth_key);
33 poly1305->update(ctext + 32, ptext_len - 32);
34 poly1305->final(ctext + 16);
35
36 clear_mem(ctext, 16);
37 return 0;
38}
39
40int Sodium::crypto_secretbox_xsalsa20poly1305_open(
41 uint8_t ptext[], const uint8_t ctext[], size_t ctext_len, const uint8_t nonce[], const uint8_t key[]) {
42 if(ctext_len < crypto_box_curve25519xsalsa20poly1305_ZEROBYTES) {
43 return -1;
44 }
45
46 auto salsa = StreamCipher::create_or_throw("Salsa20");
47 salsa->set_key(key, crypto_secretbox_KEYBYTES);
48 salsa->set_iv(nonce, crypto_secretbox_NONCEBYTES);
49
50 secure_vector<uint8_t> auth_key(32);
51 salsa->write_keystream(auth_key.data(), auth_key.size());
52
53 auto poly1305 = MessageAuthenticationCode::create_or_throw("Poly1305");
54 poly1305->set_key(auth_key);
55 poly1305->update(ctext + 32, ctext_len - 32);
56 secure_vector<uint8_t> computed = poly1305->final();
57
58 if(CT::is_not_equal(computed.data(), ctext + 16, 16).as_bool()) {
59 return -1;
60 }
61
62 salsa->cipher(ctext + 32, ptext + 32, ctext_len - 32);
63
64 clear_mem(ptext, 32);
65 return 0;
66}
67
68int Sodium::crypto_secretbox_detached(uint8_t ctext[],
69 uint8_t mac[],
70 const uint8_t ptext[],
71 size_t ptext_len,
72 const uint8_t nonce[],
73 const uint8_t key[]) {
74 auto salsa = StreamCipher::create_or_throw("Salsa20");
75 salsa->set_key(key, crypto_secretbox_KEYBYTES);
76 salsa->set_iv(nonce, crypto_secretbox_NONCEBYTES);
77
78 secure_vector<uint8_t> auth_key(32);
79 salsa->write_keystream(auth_key.data(), auth_key.size());
80
81 salsa->cipher(ptext, ctext, ptext_len);
82
83 auto poly1305 = MessageAuthenticationCode::create_or_throw("Poly1305");
84 poly1305->set_key(auth_key);
85 poly1305->update(ctext, ptext_len);
86 poly1305->final(mac);
87
88 return 0;
89}
90
91int Sodium::crypto_secretbox_open_detached(uint8_t ptext[],
92 const uint8_t ctext[],
93 const uint8_t mac[],
94 size_t ctext_len,
95 const uint8_t nonce[],
96 const uint8_t key[]) {
97 auto salsa = StreamCipher::create_or_throw("Salsa20");
98 salsa->set_key(key, crypto_secretbox_KEYBYTES);
99 salsa->set_iv(nonce, crypto_secretbox_NONCEBYTES);
100
101 secure_vector<uint8_t> auth_key(32);
102 salsa->write_keystream(auth_key.data(), auth_key.size());
103
104 auto poly1305 = MessageAuthenticationCode::create_or_throw("Poly1305");
105 poly1305->set_key(auth_key);
106 poly1305->update(ctext, ctext_len);
107 secure_vector<uint8_t> computed_mac = poly1305->final();
108
109 if(!CT::is_equal(mac, computed_mac.data(), computed_mac.size()).as_bool()) {
110 return -1;
111 }
112
113 salsa->cipher(ctext, ptext, ctext_len);
114
115 return 0;
116}
117
118} // namespace Botan
Botan::MessageAuthenticationCode::create_or_throw
static std::unique_ptr< MessageAuthenticationCode > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition mac.cpp:148
Botan::StreamCipher::create_or_throw
static std::unique_ptr< StreamCipher > create_or_throw(std::string_view algo_spec, std::string_view provider="")
Definition stream_cipher.cpp:122
Botan::CT::is_not_equal
constexpr CT::Mask< T > is_not_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:784
Botan::CT::is_equal
constexpr CT::Mask< T > is_equal(const T x[], const T y[], size_t len)
Definition ct_utils.h:759
Botan::Sodium::crypto_secretbox_KEYBYTES
@ crypto_secretbox_KEYBYTES
Definition sodium.h:104
Botan::Sodium::crypto_box_curve25519xsalsa20poly1305_ZEROBYTES
@ crypto_box_curve25519xsalsa20poly1305_ZEROBYTES
Definition sodium.h:58
Botan::Sodium::crypto_secretbox_NONCEBYTES
@ crypto_secretbox_NONCEBYTES
Definition sodium.h:107
Botan::Sodium::crypto_secretbox_xsalsa20poly1305_open
int crypto_secretbox_xsalsa20poly1305_open(uint8_t ptext[], const uint8_t ctext[], size_t ctext_len, const uint8_t nonce[], const uint8_t key[])
Definition sodium_secretbox.cpp:40
Botan::Sodium::crypto_secretbox_open_detached
int crypto_secretbox_open_detached(uint8_t ptext[], const uint8_t ctext[], const uint8_t mac[], size_t ctext_len, const uint8_t nonce[], const uint8_t key[])
Definition sodium_secretbox.cpp:91
Botan::Sodium::crypto_secretbox_xsalsa20poly1305
int crypto_secretbox_xsalsa20poly1305(uint8_t ctext[], const uint8_t ptext[], size_t ptext_len, const uint8_t nonce[], const uint8_t key[])
Definition sodium_secretbox.cpp:16
Botan::Sodium::crypto_secretbox_detached
int crypto_secretbox_detached(uint8_t ctext[], uint8_t mac[], const uint8_t ptext[], size_t ptext_len, const uint8_t nonce[], const uint8_t key[])
Definition sodium_secretbox.cpp:68
Botan::secure_vector
std::vector< T, secure_allocator< T > > secure_vector
Definition secmem.h:61
Botan::clear_mem
constexpr void clear_mem(T *ptr, size_t n)
Definition mem_ops.h:120
Generated by doxygen 1.12.0