Пример #1
// Open verifies the authentication tag at the end of ciphertext over the
// ciphertext body and additionalData and, only if it matches, decrypts the
// body into dst and returns dst[:len(body)].
//
// A nonce of the wrong length yields crypto.NonceSizeError; an input shorter
// than the tag or a tag mismatch yields crypto.AuthenticationError. A dst
// that cannot hold the plaintext is treated as a caller bug and panics.
// dst is written only after the tag has verified, so a failed Open leaves it
// untouched.
func (c *aead) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
	if len(nonce) != NonceSize {
		return nil, crypto.NonceSizeError(len(nonce))
	}
	if len(ciphertext) < c.tagsize {
		return nil, crypto.AuthenticationError{}
	}
	msgLen := len(ciphertext) - c.tagsize
	if len(dst) < msgLen {
		panic("dst buffer to small")
	}

	// NOTE(review): the fixed 12-byte array assumes NonceSize == 12 — confirm.
	var iv [12]byte
	copy(iv[:], nonce)

	// Split the input into the encrypted body and the received tag.
	body, received := ciphertext[:msgLen], ciphertext[msgLen:]

	// Derive the per-message Poly1305 key by running the cipher over 32 zero
	// bytes. The trailing arguments (0 here, 1 for the payload below, and 20)
	// look like the initial block counter and the round count — confirm
	// against chacha.XORKeyStream.
	var otk [32]byte
	chacha.XORKeyStream(otk[:], otk[:], &iv, &c.key, 0, 20)

	// Recompute the tag and compare in constant time so the comparison does
	// not leak how many tag bytes matched. Only the first c.tagsize bytes
	// are compared; a truncated tag lowers forgery resistance accordingly.
	var computed [poly1305.TagSize]byte
	authenticate(&computed, body, additionalData, &otk)
	if subtle.ConstantTimeCompare(computed[:c.tagsize], received) != 1 {
		return nil, crypto.AuthenticationError{}
	}

	// The tag is valid: release the plaintext.
	chacha.XORKeyStream(dst, body, &iv, &c.key, 1, 20)
	return dst[:msgLen], nil
}
Пример #2
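// Open verifies the tag at the end of ciphertext over nonce, additionalData
// and the ciphertext body and, only if it matches, decrypts the body into dst
// and returns dst[:len(body)].
//
// A nonce whose length differs from the block size yields
// crypto.NonceSizeError; an input shorter than the tag or a tag mismatch
// yields crypto.AuthenticationError. A dst that cannot hold the plaintext is
// treated as a caller bug and panics. dst is written only after the tag has
// verified.
//
// Open mutates c.mac and c.ctr, so a single eaxCipher must not be used from
// several goroutines without external synchronization.
func (c *eaxCipher) Open(dst, nonce, ciphertext, additionalData []byte) ([]byte, error) {
	if n := len(nonce); n != c.blockCipher.BlockSize() {
		return nil, crypto.NonceSizeError(n)
	}
	if len(ciphertext) < c.size {
		return nil, crypto.AuthenticationError{}
	}
	// Bound dst by the tag length that is actually stripped (c.size), not by
	// the full MAC output size: when the tag is truncated the two differ, and
	// the full-size bound would accept a dst shorter than the plaintext.
	n := len(ciphertext) - c.size
	if len(dst) < n {
		panic("dst buffer to small")
	}

	hash := ciphertext[n:]
	ciphertext = ciphertext[:n]

	// One block whose last byte selects which of the three MAC computations
	// (nonce, header, ciphertext) is being performed.
	tag := make([]byte, c.mac.BlockSize())

	// process nonce
	tag[len(tag)-1] = nTag
	c.mac.Write(tag)
	c.mac.Write(nonce)
	authNonce := c.mac.Sum(nil)
	c.mac.Reset()

	// process additional data
	tag[len(tag)-1] = hTag
	c.mac.Write(tag)
	c.mac.Write(additionalData)
	authData := c.mac.Sum(nil)
	c.mac.Reset()

	// process ciphertext; the result reuses tag's backing storage
	tag[len(tag)-1] = cTag
	c.mac.Write(tag)
	c.mac.Write(ciphertext)
	tag = c.mac.Sum(tag[:0])
	c.mac.Reset()

	// The expected tag is the XOR of the three MAC values.
	for i := range tag {
		tag[i] ^= authData[i] ^ authNonce[i]
	}

	// Constant-time comparison: do not leak how many tag bytes matched.
	if subtle.ConstantTimeCompare(tag[:c.size], hash) != 1 {
		return nil, crypto.AuthenticationError{}
	}

	// decrypt only after successful authentication
	copy(c.ctr, authNonce) // set the ctr-mode nonce
	c.ctrCrypt(dst, ciphertext)

	return dst[:n], nil
}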
Пример #3
// Seal encrypts plaintext into dst, computes a tag over nonce, additionalData
// and the resulting ciphertext, and returns dst[:len(plaintext)] with the
// first c.size tag bytes appended.
//
// It panics if the nonce length differs from the block size or if dst is
// shorter than plaintext. dst only has to hold the ciphertext; if its
// capacity cannot also hold the tag, append returns a newly allocated slice.
//
// Both the CTR starting value and the tag are derived from the nonce, so a
// nonce must not be reused under the same key. Seal mutates c.mac and c.ctr,
// so a single eaxCipher must not be shared between goroutines without
// external synchronization.
func (c *eaxCipher) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
	if len(nonce) != c.blockCipher.BlockSize() {
		panic(crypto.NonceSizeError(len(nonce)))
	}
	msgLen := len(plaintext)
	if len(dst) < msgLen {
		panic("dst buffer to small")
	}

	// prefix is one block whose last byte selects the MAC computation
	// (nonce, header or ciphertext).
	prefix := make([]byte, c.mac.BlockSize())
	last := len(prefix) - 1

	// tweakedMAC authenticates prefix||msg with the given selector byte,
	// appends the digest to out and leaves c.mac reset for the next call.
	tweakedMAC := func(selector byte, msg, out []byte) []byte {
		prefix[last] = selector
		c.mac.Write(prefix)
		c.mac.Write(msg)
		digest := c.mac.Sum(out)
		c.mac.Reset()
		return digest
	}

	authNonce := tweakedMAC(nTag, nonce, nil)
	authData := tweakedMAC(hTag, additionalData, nil)

	// Encrypt with the nonce MAC as the ctr-mode starting value.
	copy(c.ctr, authNonce)
	c.ctrCrypt(dst, plaintext)

	// MAC the ciphertext; the digest reuses prefix's backing storage.
	sealed := dst[:msgLen]
	tag := tweakedMAC(cTag, sealed, prefix[:0])

	// The final tag is the XOR of the three MAC values.
	for i := range tag {
		tag[i] ^= authData[i] ^ authNonce[i]
	}
	return append(sealed, tag[:c.size]...)
}
Пример #4
// Seal encrypts plaintext into dst, authenticates the resulting ciphertext
// together with additionalData, and returns dst[:len(plaintext)] with the
// first c.tagsize tag bytes appended.
//
// It panics if the nonce length is not NonceSize or if dst is shorter than
// len(plaintext)+c.tagsize.
//
// The Poly1305 key and the keystream both depend only on the key and the
// nonce, so a nonce must never be reused under the same key: doing so
// exposes the XOR of the plaintexts and allows tags to be forged.
func (c *aead) Seal(dst, nonce, plaintext, additionalData []byte) []byte {
	if len(nonce) != NonceSize {
		panic(crypto.NonceSizeError(len(nonce)))
	}
	msgLen := len(plaintext)
	if len(dst) < msgLen+c.tagsize {
		panic("dst buffer to small")
	}

	// NOTE(review): the fixed 12-byte array assumes NonceSize == 12 — confirm.
	var iv [12]byte
	copy(iv[:], nonce)

	// Derive the per-message Poly1305 key by running the cipher over 32 zero
	// bytes. The trailing arguments (0 here, 1 for the payload below, and 20)
	// look like the initial block counter and the round count — confirm
	// against chacha.XORKeyStream.
	var otk [32]byte
	chacha.XORKeyStream(otk[:], otk[:], &iv, &c.key, 0, 20)

	// Encrypt first, then authenticate the ciphertext (encrypt-then-MAC).
	chacha.XORKeyStream(dst, plaintext, &iv, &c.key, 1, 20)
	sealed := dst[:msgLen]

	var mac [poly1305.TagSize]byte
	authenticate(&mac, sealed, additionalData, &otk)

	// Only c.tagsize bytes of the tag are emitted; a truncated tag lowers
	// forgery resistance accordingly.
	return append(sealed, mac[:c.tagsize]...)
}