|
1 <?php |
|
2 |
|
3 if (!defined('SODIUM_COMPAT_AEGIS_C0')) { |
|
4 define('SODIUM_COMPAT_AEGIS_C0', "\x00\x01\x01\x02\x03\x05\x08\x0d\x15\x22\x37\x59\x90\xe9\x79\x62"); |
|
5 } |
|
6 if (!defined('SODIUM_COMPAT_AEGIS_C1')) { |
|
7 define('SODIUM_COMPAT_AEGIS_C1', "\xdb\x3d\x18\x55\x6d\xc2\x2f\xf1\x20\x11\x31\x42\x73\xb5\x28\xdd"); |
|
8 } |
|
9 |
|
10 class ParagonIE_Sodium_Core_AEGIS256 extends ParagonIE_Sodium_Core_AES |
|
11 { |
|
12 /** |
|
13 * @param string $ct |
|
14 * @param string $tag |
|
15 * @param string $ad |
|
16 * @param string $key |
|
17 * @param string $nonce |
|
18 * @return string |
|
19 * @throws SodiumException |
|
20 */ |
|
21 public static function decrypt($ct, $tag, $ad, $key, $nonce) |
|
22 { |
|
23 $state = self::init($key, $nonce); |
|
24 |
|
25 // ad_blocks = Split(ZeroPad(ad, 128), 128) |
|
26 $ad_blocks = (self::strlen($ad) + 15) >> 4; |
|
27 // for ai in ad_blocks: |
|
28 // Absorb(ai) |
|
29 for ($i = 0; $i < $ad_blocks; ++$i) { |
|
30 $ai = self::substr($ad, $i << 4, 16); |
|
31 if (self::strlen($ai) < 16) { |
|
32 $ai = str_pad($ai, 16, "\0", STR_PAD_RIGHT); |
|
33 } |
|
34 $state->absorb($ai); |
|
35 } |
|
36 |
|
37 $msg = ''; |
|
38 $cn = self::strlen($ct) & 15; |
|
39 $ct_blocks = self::strlen($ct) >> 4; |
|
40 // ct_blocks = Split(ZeroPad(ct, 128), 128) |
|
41 // cn = Tail(ct, |ct| mod 128) |
|
42 for ($i = 0; $i < $ct_blocks; ++$i) { |
|
43 $msg .= $state->dec(self::substr($ct, $i << 4, 16)); |
|
44 } |
|
45 // if cn is not empty: |
|
46 // msg = msg || DecPartial(cn) |
|
47 if ($cn) { |
|
48 $start = $ct_blocks << 4; |
|
49 $msg .= $state->decPartial(self::substr($ct, $start, $cn)); |
|
50 } |
|
51 $expected_tag = $state->finalize( |
|
52 self::strlen($ad) << 3, |
|
53 self::strlen($msg) << 3 |
|
54 ); |
|
55 if (!self::hashEquals($expected_tag, $tag)) { |
|
56 try { |
|
57 // The RFC says to erase msg, so we shall try: |
|
58 ParagonIE_Sodium_Compat::memzero($msg); |
|
59 } catch (SodiumException $ex) { |
|
60 // Do nothing if we cannot memzero |
|
61 } |
|
62 throw new SodiumException('verification failed'); |
|
63 } |
|
64 return $msg; |
|
65 } |
|
66 |
|
67 /** |
|
68 * @param string $msg |
|
69 * @param string $ad |
|
70 * @param string $key |
|
71 * @param string $nonce |
|
72 * @return array |
|
73 * @throws SodiumException |
|
74 */ |
|
75 public static function encrypt($msg, $ad, $key, $nonce) |
|
76 { |
|
77 $state = self::init($key, $nonce); |
|
78 $ad_len = self::strlen($ad); |
|
79 $msg_len = self::strlen($msg); |
|
80 $ad_blocks = ($ad_len + 15) >> 4; |
|
81 for ($i = 0; $i < $ad_blocks; ++$i) { |
|
82 $ai = self::substr($ad, $i << 4, 16); |
|
83 if (self::strlen($ai) < 16) { |
|
84 $ai = str_pad($ai, 16, "\0", STR_PAD_RIGHT); |
|
85 } |
|
86 $state->absorb($ai); |
|
87 } |
|
88 |
|
89 $ct = ''; |
|
90 $msg_blocks = ($msg_len + 15) >> 4; |
|
91 for ($i = 0; $i < $msg_blocks; ++$i) { |
|
92 $xi = self::substr($msg, $i << 4, 16); |
|
93 if (self::strlen($xi) < 16) { |
|
94 $xi = str_pad($xi, 16, "\0", STR_PAD_RIGHT); |
|
95 } |
|
96 $ct .= $state->enc($xi); |
|
97 } |
|
98 $tag = $state->finalize( |
|
99 $ad_len << 3, |
|
100 $msg_len << 3 |
|
101 ); |
|
102 return array( |
|
103 self::substr($ct, 0, $msg_len), |
|
104 $tag |
|
105 ); |
|
106 |
|
107 } |
|
108 |
|
109 /** |
|
110 * @param string $key |
|
111 * @param string $nonce |
|
112 * @return ParagonIE_Sodium_Core_AEGIS_State256 |
|
113 */ |
|
114 public static function init($key, $nonce) |
|
115 { |
|
116 return ParagonIE_Sodium_Core_AEGIS_State256::init($key, $nonce); |
|
117 } |
|
118 } |