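/*
 * McBits encryption: c = syndrome of e (SYND_BYTES) || Salsa20(m) (mlen) || Poly1305 tag (16).
 *
 * encrypt() produces the error vector e (using the randomness source r) and
 * writes its syndrome to the front of c. e is hashed with SHA3-512; the first
 * 32 bytes of the digest key the Salsa20 stream and the last 32 bytes key the
 * Poly1305 one-time authenticator. The nonce is all-zero; that is only sound
 * if every call derives a fresh key from a fresh e — presumably guaranteed by
 * encrypt(), confirm.
 *
 * c must have room for SYND_BYTES + mlen + 16 bytes; this function cannot
 * check that. e and key are secret material and are wiped before returning.
 *
 * @param c    output buffer for the ciphertext
 * @param clen receives the ciphertext length (SYND_BYTES + mlen + 16)
 * @param m    plaintext
 * @param mlen plaintext length in bytes
 * @param pk   McBits public key
 * @param r    randomness source handed to encrypt()
 * @return 0 (none of the called primitives reports failure here)
 */
int oqs_kex_mcbits_encrypt(unsigned char *c, size_t *clen, const unsigned char *m, unsigned long long mlen, const unsigned char *pk, OQS_RAND *r)
{
    unsigned char e[1 << (GFBITS - 3)];
    unsigned char key[64];
    unsigned char nonce[8] = {0};
    /* Plain pointers replace the original in-function #define ct / #define tag. */
    unsigned char *ct = c + SYND_BYTES;
    unsigned char *tag = ct + mlen;

    encrypt(c, e, pk, r);
    /* Was crypto_hash_keccakc1024(key, e, sizeof(e)); TODO (original author): confirm SHA3-512 is an acceptable replacement. */
    OQS_SHA3_sha3512(key, e, sizeof(e));
    crypto_stream_salsa20_xor(ct, m, mlen, nonce, key);
    crypto_onetimeauth_poly1305(tag, ct, mlen, key + 32);
    /* NOTE(review): size_t may be narrower than unsigned long long on some targets. */
    *clen = SYND_BYTES + mlen + 16;

    /* Wipe secrets through a volatile pointer so the dead-store eliminator
     * cannot drop the clears (plain memset before return may be removed). */
    {
        volatile unsigned char *ve = e;
        volatile unsigned char *vk = key;
        size_t i;
        for (i = 0; i < sizeof e; i++) {
            ve[i] = 0;
        }
        for (i = 0; i < sizeof key; i++) {
            vk[i] = 0;
        }
    }
    return 0;
}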
/*
 * Salsa20 keystream generator: fills c with clen keystream bytes by asking
 * the XOR routine for a stream with no message (m passed as a null pointer).
 *
 * NOTE(review): clen is crypto_uint16, which by its name appears to be a
 * 16-bit type, so at most 65535 bytes can be requested per call and a wider
 * count is silently truncated at the call site — confirm callers never need
 * more. Whether crypto_stream_salsa20_xor accepts a null m is a property of
 * that implementation — verify.
 */
int crypto_stream_salsa20(unsigned char *c, crypto_uint16 clen, const unsigned char *n, const unsigned char *k)
{
    const unsigned char *no_message = 0;
    return crypto_stream_salsa20_xor(c, no_message, clen, n, k);
}
/*
 * Exported reference-implementation entry point for the Salsa20 XOR stream.
 * It forwards every argument unchanged to crypto_stream_salsa20_xor and
 * returns whatever that routine returns.
 */
SODIUM_EXPORT int crypto_stream_salsa20_ref_xor(unsigned char *c, const unsigned char *m, unsigned long long mlen, const unsigned char *n, const unsigned char *k)
{
    int rc = crypto_stream_salsa20_xor(c, m, mlen, n, k);
    return rc;
}
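/*
 * XSalsa20 stream XOR: the first 16 bytes of n are folded into the key with
 * HSalsa20 (constant sigma) to produce a 32-byte subkey, and the bytes from
 * n + 16 onward serve as the Salsa20 nonce. n therefore must be at least
 * 16 + 8 = 24 bytes — presumably the caller's contract, confirm.
 *
 * The derived subkey is secret material and is wiped before returning.
 *
 * @param c    output buffer, mlen bytes
 * @param m    input message, mlen bytes
 * @param mlen message length in bytes
 * @param n    extended nonce
 * @param k    32-byte key handed to crypto_core_hsalsa20
 * @return the result of crypto_stream_salsa20_xor
 */
int crypto_stream_xor(unsigned char *c, const unsigned char *m, uint64_t mlen, const unsigned char *n, const unsigned char *k)
{
    unsigned char subkey[32];
    int rc;

    crypto_core_hsalsa20(subkey, n, k, sigma);
    rc = crypto_stream_salsa20_xor(c, m, mlen, n + 16, subkey);

    /* Volatile stores so the subkey clear is not optimized away. */
    {
        volatile unsigned char *vs = subkey;
        size_t i;
        for (i = 0; i < sizeof subkey; i++) {
            vs[i] = 0;
        }
    }
    return rc;
}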
/*
 * Authenticated encryption: Salsa20 stream XOR followed by HMAC-SHA512-256.
 *
 * The first 32 bytes of the XORed output double as the MAC key and are then
 * overwritten by the tag, so the MAC routine's output and key arguments
 * alias the same 32 bytes of c. NOTE(review): this relies on
 * crypto_auth_hmacsha512256 consuming its key before writing its output, and
 * on the caller supplying 32 leading bytes in m that may be destroyed
 * (the usual convention is that they are zero) — confirm both.
 *
 * @param c    output buffer, mlen bytes
 * @param m    message, at least 32 bytes
 * @param mlen message length in bytes
 * @param n    Salsa20 nonce
 * @param k    Salsa20 key
 * @return -1 if mlen < 32, otherwise the MAC routine's result
 */
int crypto_secretbox(unsigned char *c, const unsigned char *m, unsigned long long mlen, const unsigned char *n, const unsigned char *k)
{
    const unsigned long long prefix = 32;

    if (mlen < prefix) {
        return -1;
    }
    crypto_stream_salsa20_xor(c, m, mlen, n, k);
    /* Tag written over c[0..prefix), keyed by those same bytes. */
    return crypto_auth_hmacsha512256(c, c + prefix, mlen - prefix, c);
}
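/*
 * XSalsa20 with either a 16-byte or a 32-byte key.
 *
 * HSalsa20 derives a 32-byte subkey from k and the first 16 bytes of n; the
 * Salsa20 constant is chosen by key length (tau for 16-byte keys, sigma for
 * 32-byte keys, the standard "expand 16/32-byte k" constants). The remaining
 * nonce bytes from n + 16 feed crypto_stream_salsa20_xor.
 *
 * The assert on klen disappears under NDEBUG, so an explicit check rejects
 * unexpected key sizes instead of silently deriving a subkey with the wrong
 * constant. The subkey is wiped before returning.
 *
 * @param c    output buffer, mlen bytes
 * @param m    input message, mlen bytes
 * @param mlen message length in bytes
 * @param n    extended nonce (at least 24 bytes, presumably — confirm)
 * @param k    key of klen bytes
 * @param klen key length, 16 or 32
 * @return -1 for an unsupported klen, otherwise the result of crypto_stream_salsa20_xor
 */
static int crypto_xsalsa20(unsigned char *c, const unsigned char *m, unsigned long long mlen, const unsigned char *n, const unsigned char *k, int klen)
{
    unsigned char subkey[32];
    int rc;

    assert(klen == 32 || klen == 16);
    if (klen != 32 && klen != 16) {
        return -1;
    }

    if (klen < XSALSA20_CRYPTO_KEYBYTES) {
        crypto_core_hsalsa20(subkey, n, k, tau);    /* 16-byte key constant */
    } else {
        crypto_core_hsalsa20(subkey, n, k, sigma);  /* 32-byte key constant */
    }
    rc = crypto_stream_salsa20_xor(c, m, mlen, n + 16, subkey);

    /* Volatile stores so the subkey clear is not optimized away. */
    {
        volatile unsigned char *vs = subkey;
        size_t i;
        for (i = 0; i < sizeof subkey; i++) {
            vs[i] = 0;
        }
    }
    return rc;
}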
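/*
 * Authenticated decryption, inverse of crypto_secretbox().
 *
 * The first 32 keystream bytes are regenerated into subkey and used as the
 * HMAC-SHA512-256 key to verify the tag in c[0..32) over c[32..clen). Only
 * if verification succeeds is the stream XOR applied to m; m[0..32) is then
 * zeroed because those bytes would otherwise hold tag XOR subkey, not
 * plaintext. subkey is secret material and is wiped on every path.
 *
 * @param m    output buffer, clen bytes
 * @param c    ciphertext, at least 32 bytes
 * @param clen ciphertext length in bytes
 * @param n    Salsa20 nonce
 * @param k    Salsa20 key
 * @return 0 on success, -1 if clen < 32 or the tag does not verify
 */
int crypto_secretbox_open(unsigned char *m, const unsigned char *c, unsigned long long clen, const unsigned char *n, const unsigned char *k)
{
    unsigned char subkey[32];
    volatile unsigned char *vs = subkey;
    int rc = -1;
    size_t i;

    if (clen < 32) {
        return -1;
    }
    crypto_stream_salsa20(subkey, 32, n, k);
    /* Verify before writing anything into m. */
    if (crypto_auth_hmacsha512256_verify(c, c + 32, clen - 32, subkey) == 0) {
        crypto_stream_salsa20_xor(m, c, clen, n, k);
        for (i = 0; i < 32; i++) {
            m[i] = 0;
        }
        rc = 0;
    }
    /* Volatile stores so the subkey clear is not optimized away. */
    for (i = 0; i < sizeof subkey; i++) {
        vs[i] = 0;
    }
    return rc;
}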
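/*
 * McBits decryption, mirror of oqs_kex_mcbits_encrypt().
 *
 * Layout of c: syndrome (SYND_BYTES) || Salsa20 ciphertext (*mlen) || Poly1305 tag (16).
 * decrypt() recovers the error vector e from the syndrome; SHA3-512(e) yields
 * the Salsa20 key (first 32 bytes) and the Poly1305 key (last 32 bytes).
 *
 * As in the original, the tag check and the stream XOR both run
 * unconditionally and the result is ret_verify | ret_decrypt, so the work
 * done does not depend on the tag outcome. New here: when that result is
 * non-zero the output buffer m is wiped, so unauthenticated plaintext never
 * reaches the caller, and e / key are wiped on every path. *mlen is still set
 * to clen - SYND_BYTES - 16 before the primitives run.
 *
 * @param m    output buffer, at least clen - SYND_BYTES - 16 bytes
 * @param mlen receives the plaintext length
 * @param c    ciphertext
 * @param clen ciphertext length in bytes
 * @param sk   McBits secret key
 * @return 0 on success; non-zero if decoding or authentication failed;
 *         -1 if clen cannot hold a syndrome and a tag
 */
int oqs_kex_mcbits_decrypt(unsigned char *m, size_t *mlen, const unsigned char *c, unsigned long long clen, const unsigned char *sk)
{
    int ret;
    int ret_verify;
    int ret_decrypt;
    unsigned char key[64];
    unsigned char nonce[8] = {0};
    unsigned char e[1 << (GFBITS - 3)];
    const unsigned char *ct;
    const unsigned char *tag;

    if (clen < SYND_BYTES + 16) {
        return -1;
    }
    *mlen = clen - SYND_BYTES - 16;
    /* Plain pointers replace the original in-function #define ct / #define tag. */
    ct = c + SYND_BYTES;
    tag = ct + *mlen;

    ret_decrypt = decrypt(e, sk, c);
    /* Was crypto_hash_keccakc1024(key, e, sizeof(e)); TODO (original author): confirm SHA3-512 is an acceptable replacement. */
    OQS_SHA3_sha3512(key, e, sizeof(e));
    ret_verify = crypto_onetimeauth_poly1305_verify(tag, ct, *mlen, key + 32);
    crypto_stream_salsa20_xor(m, ct, *mlen, nonce, key);
    ret = ret_verify | ret_decrypt;

    /* Wipe through volatile pointers so the stores survive optimization. */
    {
        volatile unsigned char *vp;
        size_t i;
        if (ret != 0) {
            /* Failed authentication or decoding: do not hand back the XOR output. */
            vp = m;
            for (i = 0; i < *mlen; i++) {
                vp[i] = 0;
            }
        }
        vp = key;
        for (i = 0; i < sizeof key; i++) {
            vp[i] = 0;
        }
        vp = e;
        for (i = 0; i < sizeof e; i++) {
            vp[i] = 0;
        }
    }
    return ret;
}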
/**
 * Encipher the content without any authentication.
 * Encryption is the same function as decryption: the Salsa20 keystream is
 * XORed into msg->bytes in place.
 *
 * NOTE(review): crypto_stream_salsa20_xor reads a 32-byte key, yet the
 * parameter is declared secret[20]; array parameters decay to pointers, so
 * neither size is enforced — confirm every caller passes a 32-byte buffer.
 * NOTE(review): msg->length is converted to unsigned long long at the call;
 * if it is a signed type, a negative value becomes an enormous length —
 * verify it is validated before reaching here.
 *
 * @param nonce a number which is used only once.
 * @param msg a message to encipher.
 * @param secret a shared secret.
 */
static inline int cipher(uint8_t nonce[8], struct Message* msg, uint8_t secret[20])
{
    const uint8_t *key = secret;
    const uint8_t *iv = nonce;
    unsigned long long len = msg->length;
    return crypto_stream_salsa20_xor(msg->bytes, msg->bytes, len, iv, key);
}
/**
 * XORs data with the Salsa20 cipher stream.
 *
 * Forwards len bytes from in->b to out->b under state->key with iv as the
 * Salsa20 nonce. The return value of crypto_stream_salsa20_xor is not
 * propagated; this function always reports success, as the original did.
 */
static bool salsa20_crypt(const fastd_cipher_state_t *state, fastd_block128_t *out, const fastd_block128_t *in, size_t len, const uint8_t *iv)
{
    int rc = crypto_stream_salsa20_xor(out->b, in->b, len, iv, state->key);
    (void)rc;
    return true;
}