210 lines
9.6 KiB
JavaScript
210 lines
9.6 KiB
JavaScript
"use strict";
|
|
Object.defineProperty(exports, "__esModule", { value: true });
|
|
exports.secretbox = exports.xsalsa20poly1305 = exports.xsalsa20 = exports.salsa20 = exports.hsalsa = void 0;
|
|
const _assert_js_1 = require("./_assert.js");
|
|
const _arx_js_1 = require("./_arx.js");
|
|
const _poly1305_js_1 = require("./_poly1305.js");
|
|
const utils_js_1 = require("./utils.js");
|
|
// Salsa20 stream cipher was released in 2005.
|
|
// Salsa's goal was to implement AES replacement that does not rely on S-Boxes,
|
|
// which are hard to implement in a constant-time manner.
|
|
// https://cr.yp.to/snuffle.html, https://cr.yp.to/snuffle/salsafamily-20071225.pdf
|
|
/**
|
|
* Salsa20 core function.
|
|
*/
|
|
// prettier-ignore
|
|
function salsaCore(s, k, n, out, cnt, rounds = 20) {
|
|
// Based on https://cr.yp.to/salsa20.html
|
|
let y00 = s[0], y01 = k[0], y02 = k[1], y03 = k[2], // "expa" Key Key Key
|
|
y04 = k[3], y05 = s[1], y06 = n[0], y07 = n[1], // Key "nd 3" Nonce Nonce
|
|
y08 = cnt, y09 = 0, y10 = s[2], y11 = k[4], // Pos. Pos. "2-by" Key
|
|
y12 = k[5], y13 = k[6], y14 = k[7], y15 = s[3]; // Key Key Key "te k"
|
|
// Save state to temporary variables
|
|
let x00 = y00, x01 = y01, x02 = y02, x03 = y03, x04 = y04, x05 = y05, x06 = y06, x07 = y07, x08 = y08, x09 = y09, x10 = y10, x11 = y11, x12 = y12, x13 = y13, x14 = y14, x15 = y15;
|
|
for (let r = 0; r < rounds; r += 2) {
|
|
x04 ^= (0, _arx_js_1.rotl)(x00 + x12 | 0, 7);
|
|
x08 ^= (0, _arx_js_1.rotl)(x04 + x00 | 0, 9);
|
|
x12 ^= (0, _arx_js_1.rotl)(x08 + x04 | 0, 13);
|
|
x00 ^= (0, _arx_js_1.rotl)(x12 + x08 | 0, 18);
|
|
x09 ^= (0, _arx_js_1.rotl)(x05 + x01 | 0, 7);
|
|
x13 ^= (0, _arx_js_1.rotl)(x09 + x05 | 0, 9);
|
|
x01 ^= (0, _arx_js_1.rotl)(x13 + x09 | 0, 13);
|
|
x05 ^= (0, _arx_js_1.rotl)(x01 + x13 | 0, 18);
|
|
x14 ^= (0, _arx_js_1.rotl)(x10 + x06 | 0, 7);
|
|
x02 ^= (0, _arx_js_1.rotl)(x14 + x10 | 0, 9);
|
|
x06 ^= (0, _arx_js_1.rotl)(x02 + x14 | 0, 13);
|
|
x10 ^= (0, _arx_js_1.rotl)(x06 + x02 | 0, 18);
|
|
x03 ^= (0, _arx_js_1.rotl)(x15 + x11 | 0, 7);
|
|
x07 ^= (0, _arx_js_1.rotl)(x03 + x15 | 0, 9);
|
|
x11 ^= (0, _arx_js_1.rotl)(x07 + x03 | 0, 13);
|
|
x15 ^= (0, _arx_js_1.rotl)(x11 + x07 | 0, 18);
|
|
x01 ^= (0, _arx_js_1.rotl)(x00 + x03 | 0, 7);
|
|
x02 ^= (0, _arx_js_1.rotl)(x01 + x00 | 0, 9);
|
|
x03 ^= (0, _arx_js_1.rotl)(x02 + x01 | 0, 13);
|
|
x00 ^= (0, _arx_js_1.rotl)(x03 + x02 | 0, 18);
|
|
x06 ^= (0, _arx_js_1.rotl)(x05 + x04 | 0, 7);
|
|
x07 ^= (0, _arx_js_1.rotl)(x06 + x05 | 0, 9);
|
|
x04 ^= (0, _arx_js_1.rotl)(x07 + x06 | 0, 13);
|
|
x05 ^= (0, _arx_js_1.rotl)(x04 + x07 | 0, 18);
|
|
x11 ^= (0, _arx_js_1.rotl)(x10 + x09 | 0, 7);
|
|
x08 ^= (0, _arx_js_1.rotl)(x11 + x10 | 0, 9);
|
|
x09 ^= (0, _arx_js_1.rotl)(x08 + x11 | 0, 13);
|
|
x10 ^= (0, _arx_js_1.rotl)(x09 + x08 | 0, 18);
|
|
x12 ^= (0, _arx_js_1.rotl)(x15 + x14 | 0, 7);
|
|
x13 ^= (0, _arx_js_1.rotl)(x12 + x15 | 0, 9);
|
|
x14 ^= (0, _arx_js_1.rotl)(x13 + x12 | 0, 13);
|
|
x15 ^= (0, _arx_js_1.rotl)(x14 + x13 | 0, 18);
|
|
}
|
|
// Write output
|
|
let oi = 0;
|
|
out[oi++] = (y00 + x00) | 0;
|
|
out[oi++] = (y01 + x01) | 0;
|
|
out[oi++] = (y02 + x02) | 0;
|
|
out[oi++] = (y03 + x03) | 0;
|
|
out[oi++] = (y04 + x04) | 0;
|
|
out[oi++] = (y05 + x05) | 0;
|
|
out[oi++] = (y06 + x06) | 0;
|
|
out[oi++] = (y07 + x07) | 0;
|
|
out[oi++] = (y08 + x08) | 0;
|
|
out[oi++] = (y09 + x09) | 0;
|
|
out[oi++] = (y10 + x10) | 0;
|
|
out[oi++] = (y11 + x11) | 0;
|
|
out[oi++] = (y12 + x12) | 0;
|
|
out[oi++] = (y13 + x13) | 0;
|
|
out[oi++] = (y14 + x14) | 0;
|
|
out[oi++] = (y15 + x15) | 0;
|
|
}
|
|
/**
|
|
* hsalsa hashing function, used primarily in xsalsa, to hash
|
|
* key and nonce into key' and nonce'.
|
|
* Same as salsaCore, but there doesn't seem to be a way to move the block
|
|
* out without 25% performance hit.
|
|
*/
|
|
// prettier-ignore
|
|
function hsalsa(s, k, i, o32) {
|
|
let x00 = s[0], x01 = k[0], x02 = k[1], x03 = k[2], x04 = k[3], x05 = s[1], x06 = i[0], x07 = i[1], x08 = i[2], x09 = i[3], x10 = s[2], x11 = k[4], x12 = k[5], x13 = k[6], x14 = k[7], x15 = s[3];
|
|
for (let r = 0; r < 20; r += 2) {
|
|
x04 ^= (0, _arx_js_1.rotl)(x00 + x12 | 0, 7);
|
|
x08 ^= (0, _arx_js_1.rotl)(x04 + x00 | 0, 9);
|
|
x12 ^= (0, _arx_js_1.rotl)(x08 + x04 | 0, 13);
|
|
x00 ^= (0, _arx_js_1.rotl)(x12 + x08 | 0, 18);
|
|
x09 ^= (0, _arx_js_1.rotl)(x05 + x01 | 0, 7);
|
|
x13 ^= (0, _arx_js_1.rotl)(x09 + x05 | 0, 9);
|
|
x01 ^= (0, _arx_js_1.rotl)(x13 + x09 | 0, 13);
|
|
x05 ^= (0, _arx_js_1.rotl)(x01 + x13 | 0, 18);
|
|
x14 ^= (0, _arx_js_1.rotl)(x10 + x06 | 0, 7);
|
|
x02 ^= (0, _arx_js_1.rotl)(x14 + x10 | 0, 9);
|
|
x06 ^= (0, _arx_js_1.rotl)(x02 + x14 | 0, 13);
|
|
x10 ^= (0, _arx_js_1.rotl)(x06 + x02 | 0, 18);
|
|
x03 ^= (0, _arx_js_1.rotl)(x15 + x11 | 0, 7);
|
|
x07 ^= (0, _arx_js_1.rotl)(x03 + x15 | 0, 9);
|
|
x11 ^= (0, _arx_js_1.rotl)(x07 + x03 | 0, 13);
|
|
x15 ^= (0, _arx_js_1.rotl)(x11 + x07 | 0, 18);
|
|
x01 ^= (0, _arx_js_1.rotl)(x00 + x03 | 0, 7);
|
|
x02 ^= (0, _arx_js_1.rotl)(x01 + x00 | 0, 9);
|
|
x03 ^= (0, _arx_js_1.rotl)(x02 + x01 | 0, 13);
|
|
x00 ^= (0, _arx_js_1.rotl)(x03 + x02 | 0, 18);
|
|
x06 ^= (0, _arx_js_1.rotl)(x05 + x04 | 0, 7);
|
|
x07 ^= (0, _arx_js_1.rotl)(x06 + x05 | 0, 9);
|
|
x04 ^= (0, _arx_js_1.rotl)(x07 + x06 | 0, 13);
|
|
x05 ^= (0, _arx_js_1.rotl)(x04 + x07 | 0, 18);
|
|
x11 ^= (0, _arx_js_1.rotl)(x10 + x09 | 0, 7);
|
|
x08 ^= (0, _arx_js_1.rotl)(x11 + x10 | 0, 9);
|
|
x09 ^= (0, _arx_js_1.rotl)(x08 + x11 | 0, 13);
|
|
x10 ^= (0, _arx_js_1.rotl)(x09 + x08 | 0, 18);
|
|
x12 ^= (0, _arx_js_1.rotl)(x15 + x14 | 0, 7);
|
|
x13 ^= (0, _arx_js_1.rotl)(x12 + x15 | 0, 9);
|
|
x14 ^= (0, _arx_js_1.rotl)(x13 + x12 | 0, 13);
|
|
x15 ^= (0, _arx_js_1.rotl)(x14 + x13 | 0, 18);
|
|
}
|
|
let oi = 0;
|
|
o32[oi++] = x00;
|
|
o32[oi++] = x05;
|
|
o32[oi++] = x10;
|
|
o32[oi++] = x15;
|
|
o32[oi++] = x06;
|
|
o32[oi++] = x07;
|
|
o32[oi++] = x08;
|
|
o32[oi++] = x09;
|
|
}
|
|
exports.hsalsa = hsalsa;
|
|
/**
|
|
* Salsa20 from original paper.
|
|
* With 12-byte nonce, it's not safe to use fill it with random (CSPRNG), due to collision chance.
|
|
*/
|
|
exports.salsa20 = (0, _arx_js_1.createCipher)(salsaCore, {
|
|
allowShortKeys: true,
|
|
counterRight: true,
|
|
});
|
|
/**
|
|
* xsalsa20 eXtended-nonce salsa.
|
|
* With 24-byte nonce, it's safe to use fill it with random (CSPRNG).
|
|
*/
|
|
exports.xsalsa20 = (0, _arx_js_1.createCipher)(salsaCore, {
|
|
counterRight: true,
|
|
extendNonceFn: hsalsa,
|
|
});
|
|
/**
|
|
* xsalsa20-poly1305 eXtended-nonce salsa.
|
|
* With 24-byte nonce, it's safe to use fill it with random (CSPRNG).
|
|
* Also known as secretbox from libsodium / nacl.
|
|
*/
|
|
exports.xsalsa20poly1305 = (0, utils_js_1.wrapCipher)({ blockSize: 64, nonceLength: 24, tagLength: 16 }, (key, nonce) => {
|
|
const tagLength = 16;
|
|
(0, _assert_js_1.bytes)(key, 32);
|
|
(0, _assert_js_1.bytes)(nonce, 24);
|
|
return {
|
|
encrypt: (plaintext, output) => {
|
|
(0, _assert_js_1.bytes)(plaintext);
|
|
// This is small optimization (calculate auth key with same call as encryption itself) makes it hard
|
|
// to separate tag calculation and encryption itself, since 32 byte is half-block of salsa (64 byte)
|
|
const clength = plaintext.length + 32;
|
|
if (output) {
|
|
(0, _assert_js_1.bytes)(output, clength);
|
|
}
|
|
else {
|
|
output = new Uint8Array(clength);
|
|
}
|
|
output.set(plaintext, 32);
|
|
(0, exports.xsalsa20)(key, nonce, output, output);
|
|
const authKey = output.subarray(0, 32);
|
|
const tag = (0, _poly1305_js_1.poly1305)(output.subarray(32), authKey);
|
|
// Clean auth key, even though JS provides no guarantees about memory cleaning
|
|
output.set(tag, tagLength);
|
|
output.subarray(0, tagLength).fill(0);
|
|
return output.subarray(tagLength);
|
|
},
|
|
decrypt: (ciphertext) => {
|
|
(0, _assert_js_1.bytes)(ciphertext);
|
|
const clength = ciphertext.length;
|
|
if (clength < tagLength)
|
|
throw new Error('encrypted data should be at least 16 bytes');
|
|
// Create new ciphertext array:
|
|
// auth tag auth tag from ciphertext ciphertext
|
|
// [bytes 0..16] [bytes 16..32] [bytes 32..]
|
|
// 16 instead of 32, because we already have 16 byte tag
|
|
const ciphertext_ = new Uint8Array(clength + tagLength); // alloc
|
|
ciphertext_.set(ciphertext, tagLength);
|
|
// Each xsalsa20 calls to hsalsa to calculate key, but seems not much perf difference
|
|
// Separate call to calculate authkey, since first bytes contains tag
|
|
const authKey = (0, exports.xsalsa20)(key, nonce, new Uint8Array(32)); // alloc(32)
|
|
const tag = (0, _poly1305_js_1.poly1305)(ciphertext_.subarray(32), authKey);
|
|
if (!(0, utils_js_1.equalBytes)(ciphertext_.subarray(16, 32), tag))
|
|
throw new Error('invalid tag');
|
|
const plaintext = (0, exports.xsalsa20)(key, nonce, ciphertext_); // alloc
|
|
// Clean auth key, even though JS provides no guarantees about memory cleaning
|
|
plaintext.subarray(0, 32).fill(0);
|
|
authKey.fill(0);
|
|
return plaintext.subarray(32);
|
|
},
|
|
};
|
|
});
|
|
/**
|
|
* Alias to xsalsa20poly1305, for compatibility with libsodium / nacl
|
|
*/
|
|
function secretbox(key, nonce) {
|
|
const xs = (0, exports.xsalsa20poly1305)(key, nonce);
|
|
return { seal: xs.encrypt, open: xs.decrypt };
|
|
}
|
|
exports.secretbox = secretbox;
|
|
//# sourceMappingURL=salsa.js.map
|