/*
 * NaCl-style secretbox open: authenticate, then decrypt.
 *
 * Layout of c (clen bytes): 16 zero bytes, a 16-byte Poly1305 tag, then the
 * ciphertext. The Poly1305 one-time key is the first 32 bytes of the XSalsa20
 * keystream for (n, k). The whole clen-byte box is then passed through the
 * stream-xor, so the ciphertext body lines up with keystream offset 32 and the
 * first 32 bytes of m (keystream, not plaintext) are cleared afterwards.
 *
 * m: output buffer of clen bytes; m[0..32) is zeroed, plaintext follows.
 * c: input box of clen bytes.
 * n, k: nonce and key as expected by the xsalsa20 primitives (sizes are not
 *       checked here).
 * Returns 0 on success, -1 when clen is too short or the tag does not verify;
 * on -1 nothing has been written to m.
 */
int crypto_secretbox_open(
    unsigned char *m,
    const unsigned char *c, unsigned long long clen,
    const unsigned char *n,
    const unsigned char *k)
{
    unsigned char onetime_key[32];
    unsigned char *p;

    /* Need room for the 16-byte zero prefix plus the 16-byte tag. */
    if (clen < 32) {
        return -1;
    }

    crypto_stream_xsalsa20(onetime_key, 32, n, k);

    /* Tag sits at c+16; the authenticated data is everything after it. */
    if (crypto_onetimeauth_poly1305_verify(c + 16, c + 32, clen - 32, onetime_key) != 0) {
        return -1;
    }

    crypto_stream_xsalsa20_xor(m, c, clen, n, k);

    /* Scrub the 32 keystream bytes that landed ahead of the plaintext. */
    for (p = m; p < m + 32; p++) {
        *p = 0;
    }
    return 0;
}
/*
 * secretbox-xsalsa20poly1305 open, short-length variant.
 *
 * Same box layout as the NaCl reference (16 zero bytes, 16-byte tag,
 * ciphertext) and the same authenticate-then-decrypt order. clen is a
 * crypto_uint16 here, so a box is presumably limited to 65535 bytes; after
 * the clen >= 32 check, clen - 32 is computed after integer promotion and
 * cannot wrap.
 *
 * m: output buffer of clen bytes; m[0..32) is zeroed, plaintext follows.
 * Returns 0 on success, -1 on a short or unauthenticated box, in which case
 * m has not been touched.
 */
int crypto_secretbox_xsalsa20poly1305_open(
    unsigned char *m,
    const unsigned char *c, crypto_uint16 clen,
    const unsigned char *n,
    const unsigned char *k)
{
    unsigned char auth_key[32];
    int idx;

    if (clen < 32) {
        return -1;
    }

    /* Poly1305 one-time key: first 32 bytes of the keystream for (n, k). */
    crypto_stream_xsalsa20(auth_key, 32, n, k);

    /* Tag at c+16 covers c[32..clen). */
    if (crypto_onetimeauth_poly1305_verify(c + 16, c + 32, clen - 32, auth_key) != 0) {
        return -1;
    }

    crypto_stream_xsalsa20_xor(m, c, clen, n, k);

    /* The leading 32 bytes of m are keystream, not plaintext: clear them. */
    idx = 32;
    while (idx-- > 0) {
        m[idx] = 0;
    }
    return 0;
}
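/*
 * Decrypt and authenticate a Salsa20/8 + Poly1305 box.
 *
 * Layout of c (clen bytes): a COB-byte tag first, then the ciphertext.
 * The Poly1305 one-time key is the first COKB bytes of the Salsa20/8
 * keystream for (n, k).
 *
 * Fixes: the one-time-key array was declared with an invalid identifier
 * (`c*k`), which does not compile; it is now `auth_key`. mlen is kept
 * unsigned like clen so large inputs do not convert to a negative int.
 *
 * NOTE(review): the ciphertext is XORed with the keystream for (n, k)
 * presumably starting at offset 0 -- the same bytes just used as the
 * Poly1305 key. The NaCl secretbox design avoids this overlap by reserving
 * the first 32 keystream bytes for the authenticator only. The matching
 * encrypt side is not visible here; confirm the keystream bytes are not
 * used for both purposes.
 *
 * Returns the stream-xor's result on success, -1 when clen is shorter than
 * the tag or the tag does not verify. m is written only after a successful
 * verify.
 */
static int salsa208poly1305_decrypt(uint8_t *m, const uint8_t *c, const uint32_t clen,
                                    const uint8_t *n, const uint8_t *k)
{
    uint8_t auth_key[COKB];

    if (clen < COB) {
        return -1;
    }
    uint32_t mlen = clen - COB;

    crypto_stream_salsa208(auth_key, COKB, n, k);

    /* Tag at c[0..COB), authenticated message body after it. */
    if (crypto_onetimeauth_poly1305_verify(c, c + COB, mlen, auth_key) != 0) {
        return -1;
    }
    return crypto_stream_salsa208_xor(m, c + COB, mlen, n, k);
}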
/*
 * ChaCha20-Poly1305 style verify-then-decrypt for short messages.
 *
 * The Poly1305 one-time key is obtained by encrypting zeros64 with the
 * stream-xor's last argument set to 0 (presumably the block counter); the
 * ciphertext is decrypted with that argument set to 1. The tag is checked
 * over the ciphertext zero-padded to a multiple of 16 followed by a 16-byte
 * trailer whose bytes 8..9 hold the little-endian ciphertext length (bytes
 * 0..7, the AAD length, stay zero: there is no AAD here).
 *
 * key, nonce: as expected by crypto_stream_chacha20_xor (sizes not checked).
 * encrypted/length: ciphertext of at most 255 bytes (length is a uint8_t).
 * output_buf: receives `length` plaintext bytes on success only.
 * mac: the Poly1305 tag to verify against.
 * Returns 1 when the tag verifies and output_buf was filled, 0 otherwise.
 * NOTE(review): one_time_key (keystream bytes) is a plain automatic array
 * and is not cleared before return.
 */
uint8_t crypto_verifyAndDecrypt(const uint8_t* key, uint8_t* nonce, uint8_t* encrypted,
                                uint8_t length, uint8_t* output_buf, uint8_t* mac) {
  uint8_t one_time_key[sizeof(zeros64)];
  /* length <= 255 rounds up to at most 256, plus the 16-byte length trailer. */
  uint8_t padded[256 + 16];
  uint8_t pad = (16 - length % 16) % 16;
  size_t total = (size_t)length + pad + 16;

  crypto_stream_chacha20_xor(one_time_key, zeros64, sizeof(zeros64), nonce, key, 0);

  memcpy(padded, encrypted, length);
  memset(padded + length, 0, pad + 16);
  padded[length + pad + 8] = (uint8_t)length;
  /* High byte of the 16-bit length field; always 0 while length is a uint8_t. */
  padded[length + pad + 9] = (uint8_t)(length >> 8);

  if (crypto_onetimeauth_poly1305_verify(mac, padded, total, one_time_key) != 0) {
    return 0;
  }
  crypto_stream_chacha20_xor(output_buf, padded, length, nonce, key, 1);
  return 1;
}
/*
 * McBits KEM decapsulation: decrypt the syndrome, derive the keys, check the
 * tag, and unmask the payload.
 *
 * Layout of c (clen bytes): SYND_BYTES of syndrome, then *mlen payload bytes,
 * then a 16-byte Poly1305 tag; *mlen is set to clen - SYND_BYTES - 16.
 * key[0..32) is used as the Salsa20 key and key[32..64) as the Poly1305 key,
 * both taken from SHA3-512 over the recovered error vector e.
 *
 * NOTE(review): the payload is XORed into m unconditionally, so m is written
 * even when the tag check or the decryption fails -- callers must discard m
 * unless 0 is returned. key and e hold secret material and are not cleared
 * before return.
 * TODO (carried over): the reference code hashed e with crypto_hash_keccakc1024;
 * OQS_SHA3_sha3512 applies SHA-3's domain-separation suffix, so the derived
 * keys differ from the reference -- confirm the replacement was intended.
 *
 * Returns -1 when clen is too short for syndrome plus tag; otherwise the OR
 * of the verify and decrypt results, 0 only when both succeeded.
 */
int oqs_kex_mcbits_decrypt(
    unsigned char *m, size_t *mlen,
    const unsigned char *c, unsigned long long clen,
    const unsigned char *sk)
{
    unsigned char key[64];
    unsigned char nonce[8] = {0};
    unsigned char e[1 << (GFBITS - 3)];

    if (clen < SYND_BYTES + 16) {
        return -1;
    }
    *mlen = clen - SYND_BYTES - 16;

    /* Payload follows the syndrome; the tag follows the payload. */
    const unsigned char *payload = c + SYND_BYTES;
    const unsigned char *tag = payload + *mlen;

    int ret_decrypt = decrypt(e, sk, c);
    OQS_SHA3_sha3512(key, e, sizeof(e));
    int ret_verify = crypto_onetimeauth_poly1305_verify(tag, payload, *mlen, key + 32);
    crypto_stream_salsa20_xor(m, payload, *mlen, nonce, key);

    return ret_verify | ret_decrypt;
}
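/*
 * Smoke test: print the Poly1305 verification result for the file-scope
 * fixtures a, c and rs (presumably tag, 131-byte message and key, matching
 * the argument order used by the other callers in this file). Prints 0 when
 * the tag verifies, non-zero otherwise.
 *
 * Fix: the original `main()` relied on pre-C99 implicit int and an
 * unspecified parameter list; declared as `int main(void)`.
 */
int main(void)
{
    printf("%d\n", crypto_onetimeauth_poly1305_verify(a, c, 131, rs));
    return 0;
}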