mirror of
https://github.com/moparisthebest/keepass2android
synced 2024-08-13 17:03:49 -04:00
189 lines
5.3 KiB
C#
189 lines
5.3 KiB
C#
/*
|
|
KeePass Password Safe - The Open-Source Password Manager
|
|
Copyright (C) 2003-2012 Dominik Reichl <dominik.reichl@t-online.de>
|
|
|
|
This program is free software; you can redistribute it and/or modify
|
|
it under the terms of the GNU General Public License as published by
|
|
the Free Software Foundation; either version 2 of the License, or
|
|
(at your option) any later version.
|
|
|
|
This program is distributed in the hope that it will be useful,
|
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
GNU General Public License for more details.
|
|
|
|
You should have received a copy of the GNU General Public License
|
|
along with this program; if not, write to the Free Software
|
|
Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA
|
|
*/
|
|
|
|
// Implementation of the Salsa20 cipher, based on the eSTREAM submission.
|
|
|
|
using System;
|
|
using System.Diagnostics;
|
|
|
|
using KeePassLib.Utility;
|
|
|
|
namespace KeePassLib.Cryptography.Cipher
|
|
{
|
|
public sealed class Salsa20Cipher
|
|
{
|
|
private uint[] m_state = new uint[16];
|
|
private uint[] m_x = new uint[16]; // Working buffer
|
|
|
|
private byte[] m_output = new byte[64];
|
|
private int m_outputPos = 64;
|
|
|
|
private static readonly uint[] m_sigma = new uint[4]{
|
|
0x61707865, 0x3320646E, 0x79622D32, 0x6B206574
|
|
};
|
|
|
|
public Salsa20Cipher(byte[] pbKey32, byte[] pbIV8)
|
|
{
|
|
KeySetup(pbKey32);
|
|
IvSetup(pbIV8);
|
|
}
|
|
|
|
~Salsa20Cipher()
|
|
{
|
|
// Clear sensitive data
|
|
Array.Clear(m_state, 0, m_state.Length);
|
|
Array.Clear(m_x, 0, m_x.Length);
|
|
}
|
|
|
|
private void NextOutput()
|
|
{
|
|
uint[] x = m_x; // Local alias for working buffer
|
|
|
|
// Compiler/runtime might remove array bound checks after this
|
|
if(x.Length < 16) throw new InvalidOperationException();
|
|
|
|
Array.Copy(m_state, x, 16);
|
|
|
|
unchecked
|
|
{
|
|
for(int i = 0; i < 10; ++i) // (int i = 20; i > 0; i -= 2)
|
|
{
|
|
x[ 4] ^= Rotl32(x[ 0] + x[12], 7);
|
|
x[ 8] ^= Rotl32(x[ 4] + x[ 0], 9);
|
|
x[12] ^= Rotl32(x[ 8] + x[ 4], 13);
|
|
x[ 0] ^= Rotl32(x[12] + x[ 8], 18);
|
|
x[ 9] ^= Rotl32(x[ 5] + x[ 1], 7);
|
|
x[13] ^= Rotl32(x[ 9] + x[ 5], 9);
|
|
x[ 1] ^= Rotl32(x[13] + x[ 9], 13);
|
|
x[ 5] ^= Rotl32(x[ 1] + x[13], 18);
|
|
x[14] ^= Rotl32(x[10] + x[ 6], 7);
|
|
x[ 2] ^= Rotl32(x[14] + x[10], 9);
|
|
x[ 6] ^= Rotl32(x[ 2] + x[14], 13);
|
|
x[10] ^= Rotl32(x[ 6] + x[ 2], 18);
|
|
x[ 3] ^= Rotl32(x[15] + x[11], 7);
|
|
x[ 7] ^= Rotl32(x[ 3] + x[15], 9);
|
|
x[11] ^= Rotl32(x[ 7] + x[ 3], 13);
|
|
x[15] ^= Rotl32(x[11] + x[ 7], 18);
|
|
x[ 1] ^= Rotl32(x[ 0] + x[ 3], 7);
|
|
x[ 2] ^= Rotl32(x[ 1] + x[ 0], 9);
|
|
x[ 3] ^= Rotl32(x[ 2] + x[ 1], 13);
|
|
x[ 0] ^= Rotl32(x[ 3] + x[ 2], 18);
|
|
x[ 6] ^= Rotl32(x[ 5] + x[ 4], 7);
|
|
x[ 7] ^= Rotl32(x[ 6] + x[ 5], 9);
|
|
x[ 4] ^= Rotl32(x[ 7] + x[ 6], 13);
|
|
x[ 5] ^= Rotl32(x[ 4] + x[ 7], 18);
|
|
x[11] ^= Rotl32(x[10] + x[ 9], 7);
|
|
x[ 8] ^= Rotl32(x[11] + x[10], 9);
|
|
x[ 9] ^= Rotl32(x[ 8] + x[11], 13);
|
|
x[10] ^= Rotl32(x[ 9] + x[ 8], 18);
|
|
x[12] ^= Rotl32(x[15] + x[14], 7);
|
|
x[13] ^= Rotl32(x[12] + x[15], 9);
|
|
x[14] ^= Rotl32(x[13] + x[12], 13);
|
|
x[15] ^= Rotl32(x[14] + x[13], 18);
|
|
}
|
|
|
|
for(int i = 0; i < 16; ++i)
|
|
x[i] += m_state[i];
|
|
|
|
for(int i = 0; i < 16; ++i)
|
|
{
|
|
m_output[i << 2] = (byte)x[i];
|
|
m_output[(i << 2) + 1] = (byte)(x[i] >> 8);
|
|
m_output[(i << 2) + 2] = (byte)(x[i] >> 16);
|
|
m_output[(i << 2) + 3] = (byte)(x[i] >> 24);
|
|
}
|
|
|
|
m_outputPos = 0;
|
|
++m_state[8];
|
|
if(m_state[8] == 0) ++m_state[9];
|
|
}
|
|
}
|
|
|
|
private static uint Rotl32(uint x, int b)
|
|
{
|
|
unchecked
|
|
{
|
|
return ((x << b) | (x >> (32 - b)));
|
|
}
|
|
}
|
|
|
|
private static uint U8To32Little(byte[] pb, int iOffset)
|
|
{
|
|
unchecked
|
|
{
|
|
return ((uint)pb[iOffset] | ((uint)pb[iOffset + 1] << 8) |
|
|
((uint)pb[iOffset + 2] << 16) | ((uint)pb[iOffset + 3] << 24));
|
|
}
|
|
}
|
|
|
|
private void KeySetup(byte[] k)
|
|
{
|
|
if(k == null) throw new ArgumentNullException("k");
|
|
if(k.Length != 32) throw new ArgumentException();
|
|
|
|
m_state[1] = U8To32Little(k, 0);
|
|
m_state[2] = U8To32Little(k, 4);
|
|
m_state[3] = U8To32Little(k, 8);
|
|
m_state[4] = U8To32Little(k, 12);
|
|
m_state[11] = U8To32Little(k, 16);
|
|
m_state[12] = U8To32Little(k, 20);
|
|
m_state[13] = U8To32Little(k, 24);
|
|
m_state[14] = U8To32Little(k, 28);
|
|
m_state[0] = m_sigma[0];
|
|
m_state[5] = m_sigma[1];
|
|
m_state[10] = m_sigma[2];
|
|
m_state[15] = m_sigma[3];
|
|
}
|
|
|
|
private void IvSetup(byte[] pbIV)
|
|
{
|
|
if(pbIV == null) throw new ArgumentNullException("pbIV");
|
|
if(pbIV.Length != 8) throw new ArgumentException();
|
|
|
|
m_state[6] = U8To32Little(pbIV, 0);
|
|
m_state[7] = U8To32Little(pbIV, 4);
|
|
m_state[8] = 0;
|
|
m_state[9] = 0;
|
|
}
|
|
|
|
public void Encrypt(byte[] m, int nByteCount, bool bXor)
|
|
{
|
|
if(m == null) throw new ArgumentNullException("m");
|
|
if(nByteCount > m.Length) throw new ArgumentException();
|
|
|
|
int nBytesRem = nByteCount, nOffset = 0;
|
|
while(nBytesRem > 0)
|
|
{
|
|
Debug.Assert((m_outputPos >= 0) && (m_outputPos <= 64));
|
|
if(m_outputPos == 64) NextOutput();
|
|
Debug.Assert(m_outputPos < 64);
|
|
|
|
int nCopy = Math.Min(64 - m_outputPos, nBytesRem);
|
|
|
|
if(bXor) MemUtil.XorArray(m_output, m_outputPos, m, nOffset, nCopy);
|
|
else Array.Copy(m_output, m_outputPos, m, nOffset, nCopy);
|
|
|
|
m_outputPos += nCopy;
|
|
nBytesRem -= nCopy;
|
|
nOffset += nCopy;
|
|
}
|
|
}
|
|
}
|
|
}
|