1<?php
  2
  3if (!defined('SODIUM_COMPAT_AEGIS_C0')) {
  4    define('SODIUM_COMPAT_AEGIS_C0', "\x00\x01\x01\x02\x03\x05\x08\x0d\x15\x22\x37\x59\x90\xe9\x79\x62");
  5}
  6if (!defined('SODIUM_COMPAT_AEGIS_C1')) {
  7    define('SODIUM_COMPAT_AEGIS_C1', "\xdb\x3d\x18\x55\x6d\xc2\x2f\xf1\x20\x11\x31\x42\x73\xb5\x28\xdd");
  8}
  9
 10class ParagonIE_Sodium_Core_AEGIS256 extends ParagonIE_Sodium_Core_AES
 11{
 12    /**
 13     * @param string $ct
 14     * @param string $tag
 15     * @param string $ad
 16     * @param string $key
 17     * @param string $nonce
 18     * @return string
 19     * @throws SodiumException
 20     */
 21    public static function decrypt($ct, $tag, $ad, $key, $nonce)
 22    {
 23        $state = self::init($key, $nonce);
 24
 25        // ad_blocks = Split(ZeroPad(ad, 128), 128)
 26        $ad_blocks = (self::strlen($ad) + 15) >> 4;
 27        // for ai in ad_blocks:
 28        //     Absorb(ai)
 29        for ($i = 0; $i < $ad_blocks; ++$i) {
 30            $ai = self::substr($ad, $i << 4, 16);
 31            if (self::strlen($ai) < 16) {
 32                $ai = str_pad($ai, 16, "\0", STR_PAD_RIGHT);
 33            }
 34            $state->absorb($ai);
 35        }
 36
 37        $msg = '';
 38        $cn = self::strlen($ct) & 15;
 39        $ct_blocks = self::strlen($ct) >> 4;
 40        // ct_blocks = Split(ZeroPad(ct, 128), 128)
 41        // cn = Tail(ct, |ct| mod 128)
 42        for ($i = 0; $i < $ct_blocks; ++$i) {
 43            $msg .= $state->dec(self::substr($ct, $i << 4, 16));
 44        }
 45        // if cn is not empty:
 46        //   msg = msg || DecPartial(cn)
 47        if ($cn) {
 48            $start = $ct_blocks << 4;
 49            $msg .= $state->decPartial(self::substr($ct, $start, $cn));
 50        }
 51        $expected_tag = $state->finalize(
 52            self::strlen($ad) << 3,
 53            self::strlen($msg) << 3
 54        );
 55        if (!self::hashEquals($expected_tag, $tag)) {
 56            try {
 57                // The RFC says to erase msg, so we shall try:
 58                ParagonIE_Sodium_Compat::memzero($msg);
 59            } catch (SodiumException $ex) {
 60                // Do nothing if we cannot memzero
 61            }
 62            throw new SodiumException('verification failed');
 63        }
 64        return $msg;
 65    }
 66
 67    /**
 68     * @param string $msg
 69     * @param string $ad
 70     * @param string $key
 71     * @param string $nonce
 72     * @return array
 73     * @throws SodiumException
 74     */
 75    public static function encrypt($msg, $ad, $key, $nonce)
 76    {
 77        $state = self::init($key, $nonce);
 78        $ad_len = self::strlen($ad);
 79        $msg_len = self::strlen($msg);
 80        $ad_blocks = ($ad_len + 15) >> 4;
 81        for ($i = 0; $i < $ad_blocks; ++$i) {
 82            $ai = self::substr($ad, $i << 4, 16);
 83            if (self::strlen($ai) < 16) {
 84                $ai = str_pad($ai, 16, "\0", STR_PAD_RIGHT);
 85            }
 86            $state->absorb($ai);
 87        }
 88
 89        $ct = '';
 90        $msg_blocks = ($msg_len + 15) >> 4;
 91        for ($i = 0; $i < $msg_blocks; ++$i) {
 92            $xi = self::substr($msg, $i << 4, 16);
 93            if (self::strlen($xi) < 16) {
 94                $xi = str_pad($xi, 16, "\0", STR_PAD_RIGHT);
 95            }
 96            $ct .= $state->enc($xi);
 97        }
 98        $tag = $state->finalize(
 99            $ad_len << 3,
100            $msg_len << 3
101        );
102        return array(
103            self::substr($ct, 0, $msg_len),
104            $tag
105        );
106
107    }
108
109    /**
110     * @param string $key
111     * @param string $nonce
112     * @return ParagonIE_Sodium_Core_AEGIS_State256
113     */
114    public static function init($key, $nonce)
115    {
116        return ParagonIE_Sodium_Core_AEGIS_State256::init($key, $nonce);
117    }
118}
119