Inicio Explorar Axuda
Rexistro Iniciar sesión
upstreams
/
SSH.NET
réplica de https://github.com/sshnet/SSH.NET.git
2
0
Fork 0
Ficheiros Incidencias 0 Wiki
Árbore: 486b69dc98
Ramas Etiquetas
SSH.NET
/
src
/
Renci.SshNet
/
Security
/
Cryptography
/
Ciphers
/
ChaCha20Poly1305Cipher.cs

ChaCha20Poly1305Cipher.cs 6.0 KB
Histórico Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157 
  1. using System;
    2. 

  2. using System.Buffers.Binary;
    3. 

  3. using System.Diagnostics;
    4. 

  4. 

  5. using Org.BouncyCastle.Crypto.Engines;
    6. 

  6. using Org.BouncyCastle.Crypto.Macs;
    7. 

  7. using Org.BouncyCastle.Crypto.Parameters;
    8. 

  8. using Org.BouncyCastle.Utilities;
    9. 

  9. 

  10. using Renci.SshNet.Common;
    11. 

  11. using Renci.SshNet.Messages.Transport;
    12. 

  12. 

  13. namespace Renci.SshNet.Security.Cryptography.Ciphers
    14. 

  14. {
    15. 

  15.     /// <summary>
    16. 

  16.     /// ChaCha20Poly1305 cipher implementation.
    17. 

  17.     /// <see href="https://datatracker.ietf.org/doc/html/draft-josefsson-ssh-chacha20-poly1305-openssh-00"/>.
    18. 

  18.     /// </summary>
    19. 

  19.     internal sealed class ChaCha20Poly1305Cipher : SymmetricCipher
    20. 

  20.     {
    21. 

  21.         private readonly ChaCha7539Engine _aadCipher = new ChaCha7539Engine();
    22. 

  22.         private readonly ChaCha7539Engine _cipher = new ChaCha7539Engine();
    23. 

  23.         private readonly Poly1305 _mac = new Poly1305();
    24. 

  24. 

  25.         /// <summary>
    26. 

  26.         /// Gets the minimun block size.
    27. 

  27.         /// </summary>
    28. 

  28.         public override byte MinimumSize
    29. 

  29.         {
    30. 

  30.             get
    31. 

  31.             {
    32. 

  32.                 return 16;
    33. 

  33.             }
    34. 

  34.         }
    35. 

  35. 

  36.         /// <summary>
    37. 

  37.         /// Gets the tag size in bytes.
    38. 

  38.         /// Poly1305 [Poly1305], also by Daniel Bernstein, is a one-time Carter-
    39. 

  39.         /// Wegman MAC that computes a 128 bit integrity tag given a message
    40. 

  40.         /// <see href="https://datatracker.ietf.org/doc/html/draft-josefsson-ssh-chacha20-poly1305-openssh-00#section-1"/>.
    41. 

  41.         /// </summary>
    42. 

  42.         public override int TagSize
    43. 

  43.         {
    44. 

  44.             get
    45. 

  45.             {
    46. 

  46.                 return 16;
    47. 

  47.             }
    48. 

  48.         }
    49. 

  49. 

  50.         /// <summary>
    51. 

  51.         /// Initializes a new instance of the <see cref="ChaCha20Poly1305Cipher"/> class.
    52. 

  52.         /// </summary>
    53. 

  53.         /// <param name="key">The key.</param>
    54. 

  54.         public ChaCha20Poly1305Cipher(byte[] key)
    55. 

  55.             : base(key)
    56. 

  56.         {
    57. 

  57.         }
    58. 

  58. 

  59.         /// <summary>
    60. 

  60.         /// Encrypts the specified input.
    61. 

  61.         /// </summary>
    62. 

  62.         /// <param name="input">
    63. 

  63.         /// The input data with below format:
    64. 

  64.         ///   <code>
    65. 

  65.         ///   [outbound sequence field][packet length field][padding length field sz][payload][random paddings]
    66. 

  66.         ///   [----4 bytes----(offset)][------4 bytes------][----------------Plain Text---------------(length)]
    67. 

  67.         ///   </code>
    68. 

  68.         /// </param>
    69. 

  69.         /// <param name="offset">The zero-based offset in <paramref name="input"/> at which to begin encrypting.</param>
    70. 

  70.         /// <param name="length">The number of bytes to encrypt from <paramref name="input"/>.</param>
    71. 

  71.         /// <returns>
    72. 

  72.         /// The encrypted data with below format:
    73. 

  73.         ///   <code>
    74. 

  74.         ///   [packet length field][padding length field sz][payload][random paddings][Authenticated TAG]
    75. 

  75.         ///   [------4 bytes------][------------------Cipher Text--------------------][-------TAG-------]
    76. 

  76.         ///   </code>
    77. 

  77.         /// </returns>
    78. 

  78.         public override byte[] Encrypt(byte[] input, int offset, int length)
    79. 

  79.         {
    80. 

  80.             var output = new byte[length + TagSize];
    81. 

  81. 

  82.             _aadCipher.ProcessBytes(input, offset, 4, output, 0);
    83. 

  83.             _cipher.ProcessBytes(input, offset + 4, length - 4, output, 4);
    84. 

  84. 

  85.             _mac.BlockUpdate(output, 0, length);
    86. 

  86.             _ = _mac.DoFinal(output, length);
    87. 

  87. 

  88.             return output;
    89. 

  89.         }
    90. 

  90. 

  91.         /// <summary>
    92. 

  92.         /// Decrypts the first block which is packet length field.
    93. 

  93.         /// </summary>
    94. 

  94.         /// <param name="input">The encrypted packet length field.</param>
    95. 

  95.         /// <returns>The decrypted packet length field.</returns>
    96. 

  96.         public override byte[] Decrypt(byte[] input)
    97. 

  97.         {
    98. 

  98.             var output = new byte[input.Length];
    99. 

  99.             _aadCipher.ProcessBytes(input, 0, input.Length, output, 0);
    100. 

  100. 

  101.             return output;
    102. 

  102.         }
    103. 

  103. 

  104.         /// <summary>
    105. 

  105.         /// Decrypts the specified input.
    106. 

  106.         /// </summary>
    107. 

  107.         /// <param name="input">
    108. 

  108.         /// The input data with below format:
    109. 

  109.         ///   <code>
    110. 

  110.         ///   [inbound sequence field][packet length field][padding length field sz][payload][random paddings][Authenticated TAG]
    111. 

  111.         ///   [--------4 bytes-------][--4 bytes--(offset)][--------------Cipher Text----------------(length)][-------TAG-------]
    112. 

  112.         ///   </code>
    113. 

  113.         /// </param>
    114. 

  114.         /// <param name="offset">The zero-based offset in <paramref name="input"/> at which to begin decrypting and authenticating.</param>
    115. 

  115.         /// <param name="length">The number of bytes to decrypt and authenticate from <paramref name="input"/>.</param>
    116. 

  116.         /// <returns>
    117. 

  117.         /// The decrypted data with below format:
    118. 

  118.         /// <code>
    119. 

  119.         ///   [padding length field sz][payload][random paddings]
    120. 

  120.         ///   [--------------------Plain Text-------------------]
    121. 

  121.         /// </code>
    122. 

  122.         /// </returns>
    123. 

  123.         public override byte[] Decrypt(byte[] input, int offset, int length)
    124. 

  124.         {
    125. 

  125.             Debug.Assert(offset == 8, "The offset must be 8");
    126. 

  126. 

  127.             var tag = new byte[TagSize];
    128. 

  128.             _mac.BlockUpdate(input, offset - 4, length + 4);
    129. 

  129.             _ = _mac.DoFinal(tag, 0);
    130. 

  130.             if (!Arrays.FixedTimeEquals(TagSize, tag, 0, input, offset + length))
    131. 

  131.             {
    132. 

  132.                 throw new SshConnectionException("MAC error", DisconnectReason.MacError);
    133. 

  133.             }
    134. 

  134. 

  135.             var output = new byte[length];
    136. 

  136.             _cipher.ProcessBytes(input, offset, length, output, 0);
    137. 

  137. 

  138.             return output;
    139. 

  139.         }
    140. 

  140. 

  141.         internal override void SetSequenceNumber(uint sequenceNumber)
    142. 

  142.         {
    143. 

  143.             var iv = new byte[12];
    144. 

  144.             BinaryPrimitives.WriteUInt64BigEndian(iv.AsSpan(4), sequenceNumber);
    145. 

  145. 

  146.             // ChaCha20 encryption and decryption is completely
    147. 

  147.             // symmetrical, so the 'forEncryption' is
    148. 

  148.             // irrelevant. (Like 90% of stream ciphers)
    149. 

  149.             _aadCipher.Init(forEncryption: true, new ParametersWithIV(new KeyParameter(Key, 32, 32), iv));
    150. 

  150.             _cipher.Init(forEncryption: true, new ParametersWithIV(new KeyParameter(Key, 0, 32), iv));
    151. 

  151. 

  152.             var keyStream = new byte[64];
    153. 

  153.             _cipher.ProcessBytes(keyStream, 0, keyStream.Length, keyStream, 0);
    154. 

  154.             _mac.Init(new KeyParameter(keyStream, 0, 32));
    155. 

  155.         }
    156. 

  156.     }
    157. 

  157. }
    158.