1<?php
2
3if (class_exists('ParagonIE_Sodium_Crypto32', false)) {
4 return;
5}
6
7/**
8 * Class ParagonIE_Sodium_Crypto
9 *
10 * ATTENTION!
11 *
12 * If you are using this library, you should be using
13 * ParagonIE_Sodium_Compat in your code, not this class.
14 */
15abstract class ParagonIE_Sodium_Crypto32
16{
17 const aead_chacha20poly1305_KEYBYTES = 32;
18 const aead_chacha20poly1305_NSECBYTES = 0;
19 const aead_chacha20poly1305_NPUBBYTES = 8;
20 const aead_chacha20poly1305_ABYTES = 16;
21
22 const aead_chacha20poly1305_IETF_KEYBYTES = 32;
23 const aead_chacha20poly1305_IETF_NSECBYTES = 0;
24 const aead_chacha20poly1305_IETF_NPUBBYTES = 12;
25 const aead_chacha20poly1305_IETF_ABYTES = 16;
26
27 const aead_xchacha20poly1305_IETF_KEYBYTES = 32;
28 const aead_xchacha20poly1305_IETF_NSECBYTES = 0;
29 const aead_xchacha20poly1305_IETF_NPUBBYTES = 24;
30 const aead_xchacha20poly1305_IETF_ABYTES = 16;
31
32 const box_curve25519xsalsa20poly1305_SEEDBYTES = 32;
33 const box_curve25519xsalsa20poly1305_PUBLICKEYBYTES = 32;
34 const box_curve25519xsalsa20poly1305_SECRETKEYBYTES = 32;
35 const box_curve25519xsalsa20poly1305_BEFORENMBYTES = 32;
36 const box_curve25519xsalsa20poly1305_NONCEBYTES = 24;
37 const box_curve25519xsalsa20poly1305_MACBYTES = 16;
38 const box_curve25519xsalsa20poly1305_BOXZEROBYTES = 16;
39 const box_curve25519xsalsa20poly1305_ZEROBYTES = 32;
40
41 const onetimeauth_poly1305_BYTES = 16;
42 const onetimeauth_poly1305_KEYBYTES = 32;
43
44 const secretbox_xsalsa20poly1305_KEYBYTES = 32;
45 const secretbox_xsalsa20poly1305_NONCEBYTES = 24;
46 const secretbox_xsalsa20poly1305_MACBYTES = 16;
47 const secretbox_xsalsa20poly1305_BOXZEROBYTES = 16;
48 const secretbox_xsalsa20poly1305_ZEROBYTES = 32;
49
50 const secretbox_xchacha20poly1305_KEYBYTES = 32;
51 const secretbox_xchacha20poly1305_NONCEBYTES = 24;
52 const secretbox_xchacha20poly1305_MACBYTES = 16;
53 const secretbox_xchacha20poly1305_BOXZEROBYTES = 16;
54 const secretbox_xchacha20poly1305_ZEROBYTES = 32;
55
56 const stream_salsa20_KEYBYTES = 32;
57
58 /**
59 * AEAD Decryption with ChaCha20-Poly1305
60 *
61 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
62 *
63 * @param string $message
64 * @param string $ad
65 * @param string $nonce
66 * @param string $key
67 * @return string
68 * @throws SodiumException
69 * @throws TypeError
70 */
71 public static function aead_chacha20poly1305_decrypt(
72 $message = '',
73 $ad = '',
74 $nonce = '',
75 $key = ''
76 ) {
77 /** @var int $len - Length of message (ciphertext + MAC) */
78 $len = ParagonIE_Sodium_Core32_Util::strlen($message);
79
80 /** @var int $clen - Length of ciphertext */
81 $clen = $len - self::aead_chacha20poly1305_ABYTES;
82
83 /** @var int $adlen - Length of associated data */
84 $adlen = ParagonIE_Sodium_Core32_Util::strlen($ad);
85
86 /** @var string $mac - Message authentication code */
87 $mac = ParagonIE_Sodium_Core32_Util::substr(
88 $message,
89 $clen,
90 self::aead_chacha20poly1305_ABYTES
91 );
92
93 /** @var string $ciphertext - The encrypted message (sans MAC) */
94 $ciphertext = ParagonIE_Sodium_Core32_Util::substr($message, 0, $clen);
95
96 /** @var string The first block of the chacha20 keystream, used as a poly1305 key */
97 $block0 = ParagonIE_Sodium_Core32_ChaCha20::stream(
98 32,
99 $nonce,
100 $key
101 );
102
103 /* Recalculate the Poly1305 authentication tag (MAC): */
104 $state = new ParagonIE_Sodium_Core32_Poly1305_State($block0);
105 try {
106 ParagonIE_Sodium_Compat::memzero($block0);
107 } catch (SodiumException $ex) {
108 $block0 = null;
109 }
110 $state->update($ad);
111 $state->update(ParagonIE_Sodium_Core32_Util::store64_le($adlen));
112 $state->update($ciphertext);
113 $state->update(ParagonIE_Sodium_Core32_Util::store64_le($clen));
114 $computed_mac = $state->finish();
115
116 /* Compare the given MAC with the recalculated MAC: */
117 if (!ParagonIE_Sodium_Core32_Util::verify_16($computed_mac, $mac)) {
118 throw new SodiumException('Invalid MAC');
119 }
120
121 // Here, we know that the MAC is valid, so we decrypt and return the plaintext
122 return ParagonIE_Sodium_Core32_ChaCha20::streamXorIc(
123 $ciphertext,
124 $nonce,
125 $key,
126 ParagonIE_Sodium_Core32_Util::store64_le(1)
127 );
128 }
129
130 /**
131 * AEAD Encryption with ChaCha20-Poly1305
132 *
133 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
134 *
135 * @param string $message
136 * @param string $ad
137 * @param string $nonce
138 * @param string $key
139 * @return string
140 * @throws SodiumException
141 * @throws TypeError
142 */
143 public static function aead_chacha20poly1305_encrypt(
144 $message = '',
145 $ad = '',
146 $nonce = '',
147 $key = ''
148 ) {
149 /** @var int $len - Length of the plaintext message */
150 $len = ParagonIE_Sodium_Core32_Util::strlen($message);
151
152 /** @var int $adlen - Length of the associated data */
153 $adlen = ParagonIE_Sodium_Core32_Util::strlen($ad);
154
155 /** @var string The first block of the chacha20 keystream, used as a poly1305 key */
156 $block0 = ParagonIE_Sodium_Core32_ChaCha20::stream(
157 32,
158 $nonce,
159 $key
160 );
161 $state = new ParagonIE_Sodium_Core32_Poly1305_State($block0);
162 try {
163 ParagonIE_Sodium_Compat::memzero($block0);
164 } catch (SodiumException $ex) {
165 $block0 = null;
166 }
167
168 /** @var string $ciphertext - Raw encrypted data */
169 $ciphertext = ParagonIE_Sodium_Core32_ChaCha20::streamXorIc(
170 $message,
171 $nonce,
172 $key,
173 ParagonIE_Sodium_Core32_Util::store64_le(1)
174 );
175
176 $state->update($ad);
177 $state->update(ParagonIE_Sodium_Core32_Util::store64_le($adlen));
178 $state->update($ciphertext);
179 $state->update(ParagonIE_Sodium_Core32_Util::store64_le($len));
180 return $ciphertext . $state->finish();
181 }
182
183 /**
184 * AEAD Decryption with ChaCha20-Poly1305, IETF mode (96-bit nonce)
185 *
186 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
187 *
188 * @param string $message
189 * @param string $ad
190 * @param string $nonce
191 * @param string $key
192 * @return string
193 * @throws SodiumException
194 * @throws TypeError
195 */
196 public static function aead_chacha20poly1305_ietf_decrypt(
197 $message = '',
198 $ad = '',
199 $nonce = '',
200 $key = ''
201 ) {
202 /** @var int $adlen - Length of associated data */
203 $adlen = ParagonIE_Sodium_Core32_Util::strlen($ad);
204
205 /** @var int $len - Length of message (ciphertext + MAC) */
206 $len = ParagonIE_Sodium_Core32_Util::strlen($message);
207
208 /** @var int $clen - Length of ciphertext */
209 $clen = $len - self::aead_chacha20poly1305_IETF_ABYTES;
210
211 /** @var string The first block of the chacha20 keystream, used as a poly1305 key */
212 $block0 = ParagonIE_Sodium_Core32_ChaCha20::ietfStream(
213 32,
214 $nonce,
215 $key
216 );
217
218 /** @var string $mac - Message authentication code */
219 $mac = ParagonIE_Sodium_Core32_Util::substr(
220 $message,
221 $len - self::aead_chacha20poly1305_IETF_ABYTES,
222 self::aead_chacha20poly1305_IETF_ABYTES
223 );
224
225 /** @var string $ciphertext - The encrypted message (sans MAC) */
226 $ciphertext = ParagonIE_Sodium_Core32_Util::substr(
227 $message,
228 0,
229 $len - self::aead_chacha20poly1305_IETF_ABYTES
230 );
231
232 /* Recalculate the Poly1305 authentication tag (MAC): */
233 $state = new ParagonIE_Sodium_Core32_Poly1305_State($block0);
234 try {
235 ParagonIE_Sodium_Compat::memzero($block0);
236 } catch (SodiumException $ex) {
237 $block0 = null;
238 }
239 $state->update($ad);
240 $state->update(str_repeat("\x00", ((0x10 - $adlen) & 0xf)));
241 $state->update($ciphertext);
242 $state->update(str_repeat("\x00", (0x10 - $clen) & 0xf));
243 $state->update(ParagonIE_Sodium_Core32_Util::store64_le($adlen));
244 $state->update(ParagonIE_Sodium_Core32_Util::store64_le($clen));
245 $computed_mac = $state->finish();
246
247 /* Compare the given MAC with the recalculated MAC: */
248 if (!ParagonIE_Sodium_Core32_Util::verify_16($computed_mac, $mac)) {
249 throw new SodiumException('Invalid MAC');
250 }
251
252 // Here, we know that the MAC is valid, so we decrypt and return the plaintext
253 return ParagonIE_Sodium_Core32_ChaCha20::ietfStreamXorIc(
254 $ciphertext,
255 $nonce,
256 $key,
257 ParagonIE_Sodium_Core32_Util::store64_le(1)
258 );
259 }
260
261 /**
262 * AEAD Encryption with ChaCha20-Poly1305, IETF mode (96-bit nonce)
263 *
264 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
265 *
266 * @param string $message
267 * @param string $ad
268 * @param string $nonce
269 * @param string $key
270 * @return string
271 * @throws SodiumException
272 * @throws TypeError
273 */
274 public static function aead_chacha20poly1305_ietf_encrypt(
275 $message = '',
276 $ad = '',
277 $nonce = '',
278 $key = ''
279 ) {
280 /** @var int $len - Length of the plaintext message */
281 $len = ParagonIE_Sodium_Core32_Util::strlen($message);
282
283 /** @var int $adlen - Length of the associated data */
284 $adlen = ParagonIE_Sodium_Core32_Util::strlen($ad);
285
286 /** @var string The first block of the chacha20 keystream, used as a poly1305 key */
287 $block0 = ParagonIE_Sodium_Core32_ChaCha20::ietfStream(
288 32,
289 $nonce,
290 $key
291 );
292 $state = new ParagonIE_Sodium_Core32_Poly1305_State($block0);
293 try {
294 ParagonIE_Sodium_Compat::memzero($block0);
295 } catch (SodiumException $ex) {
296 $block0 = null;
297 }
298
299 /** @var string $ciphertext - Raw encrypted data */
300 $ciphertext = ParagonIE_Sodium_Core32_ChaCha20::ietfStreamXorIc(
301 $message,
302 $nonce,
303 $key,
304 ParagonIE_Sodium_Core32_Util::store64_le(1)
305 );
306
307 $state->update($ad);
308 $state->update(str_repeat("\x00", ((0x10 - $adlen) & 0xf)));
309 $state->update($ciphertext);
310 $state->update(str_repeat("\x00", ((0x10 - $len) & 0xf)));
311 $state->update(ParagonIE_Sodium_Core32_Util::store64_le($adlen));
312 $state->update(ParagonIE_Sodium_Core32_Util::store64_le($len));
313 return $ciphertext . $state->finish();
314 }
315
316 /**
317 * AEAD Decryption with ChaCha20-Poly1305, IETF mode (96-bit nonce)
318 *
319 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
320 *
321 * @param string $message
322 * @param string $ad
323 * @param string $nonce
324 * @param string $key
325 * @return string
326 * @throws SodiumException
327 * @throws TypeError
328 */
329 public static function aead_xchacha20poly1305_ietf_decrypt(
330 $message = '',
331 $ad = '',
332 $nonce = '',
333 $key = ''
334 ) {
335 $subkey = ParagonIE_Sodium_Core32_HChaCha20::hChaCha20(
336 ParagonIE_Sodium_Core32_Util::substr($nonce, 0, 16),
337 $key
338 );
339 $nonceLast = "\x00\x00\x00\x00" .
340 ParagonIE_Sodium_Core32_Util::substr($nonce, 16, 8);
341
342 return self::aead_chacha20poly1305_ietf_decrypt($message, $ad, $nonceLast, $subkey);
343 }
344
345 /**
346 * AEAD Encryption with ChaCha20-Poly1305, IETF mode (96-bit nonce)
347 *
348 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
349 *
350 * @param string $message
351 * @param string $ad
352 * @param string $nonce
353 * @param string $key
354 * @return string
355 * @throws SodiumException
356 * @throws TypeError
357 */
358 public static function aead_xchacha20poly1305_ietf_encrypt(
359 $message = '',
360 $ad = '',
361 $nonce = '',
362 $key = ''
363 ) {
364 $subkey = ParagonIE_Sodium_Core32_HChaCha20::hChaCha20(
365 ParagonIE_Sodium_Core32_Util::substr($nonce, 0, 16),
366 $key
367 );
368 $nonceLast = "\x00\x00\x00\x00" .
369 ParagonIE_Sodium_Core32_Util::substr($nonce, 16, 8);
370
371 return self::aead_chacha20poly1305_ietf_encrypt($message, $ad, $nonceLast, $subkey);
372 }
373
374 /**
375 * HMAC-SHA-512-256 (a.k.a. the leftmost 256 bits of HMAC-SHA-512)
376 *
377 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
378 *
379 * @param string $message
380 * @param string $key
381 * @return string
382 * @throws TypeError
383 */
384 public static function auth($message, $key)
385 {
386 return ParagonIE_Sodium_Core32_Util::substr(
387 hash_hmac('sha512', $message, $key, true),
388 0,
389 32
390 );
391 }
392
393 /**
394 * HMAC-SHA-512-256 validation. Constant-time via hash_equals().
395 *
396 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
397 *
398 * @param string $mac
399 * @param string $message
400 * @param string $key
401 * @return bool
402 * @throws SodiumException
403 * @throws TypeError
404 */
405 public static function auth_verify($mac, $message, $key)
406 {
407 return ParagonIE_Sodium_Core32_Util::hashEquals(
408 $mac,
409 self::auth($message, $key)
410 );
411 }
412
413 /**
414 * X25519 key exchange followed by XSalsa20Poly1305 symmetric encryption
415 *
416 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
417 *
418 * @param string $plaintext
419 * @param string $nonce
420 * @param string $keypair
421 * @return string
422 * @throws SodiumException
423 * @throws TypeError
424 */
425 public static function box($plaintext, $nonce, $keypair)
426 {
427 return self::secretbox(
428 $plaintext,
429 $nonce,
430 self::box_beforenm(
431 self::box_secretkey($keypair),
432 self::box_publickey($keypair)
433 )
434 );
435 }
436
437 /**
438 * X25519-XSalsa20-Poly1305 with one ephemeral X25519 keypair.
439 *
440 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
441 *
442 * @param string $message
443 * @param string $publicKey
444 * @return string
445 * @throws SodiumException
446 * @throws TypeError
447 */
448 public static function box_seal($message, $publicKey)
449 {
450 /** @var string $ephemeralKeypair */
451 $ephemeralKeypair = self::box_keypair();
452
453 /** @var string $ephemeralSK */
454 $ephemeralSK = self::box_secretkey($ephemeralKeypair);
455
456 /** @var string $ephemeralPK */
457 $ephemeralPK = self::box_publickey($ephemeralKeypair);
458
459 /** @var string $nonce */
460 $nonce = self::generichash(
461 $ephemeralPK . $publicKey,
462 '',
463 24
464 );
465
466 /** @var string $keypair - The combined keypair used in crypto_box() */
467 $keypair = self::box_keypair_from_secretkey_and_publickey($ephemeralSK, $publicKey);
468
469 /** @var string $ciphertext Ciphertext + MAC from crypto_box */
470 $ciphertext = self::box($message, $nonce, $keypair);
471 try {
472 ParagonIE_Sodium_Compat::memzero($ephemeralKeypair);
473 ParagonIE_Sodium_Compat::memzero($ephemeralSK);
474 ParagonIE_Sodium_Compat::memzero($nonce);
475 } catch (SodiumException $ex) {
476 $ephemeralKeypair = null;
477 $ephemeralSK = null;
478 $nonce = null;
479 }
480 return $ephemeralPK . $ciphertext;
481 }
482
483 /**
484 * Opens a message encrypted via box_seal().
485 *
486 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
487 *
488 * @param string $message
489 * @param string $keypair
490 * @return string
491 * @throws SodiumException
492 * @throws TypeError
493 */
494 public static function box_seal_open($message, $keypair)
495 {
496 /** @var string $ephemeralPK */
497 $ephemeralPK = ParagonIE_Sodium_Core32_Util::substr($message, 0, 32);
498
499 /** @var string $ciphertext (ciphertext + MAC) */
500 $ciphertext = ParagonIE_Sodium_Core32_Util::substr($message, 32);
501
502 /** @var string $secretKey */
503 $secretKey = self::box_secretkey($keypair);
504
505 /** @var string $publicKey */
506 $publicKey = self::box_publickey($keypair);
507
508 /** @var string $nonce */
509 $nonce = self::generichash(
510 $ephemeralPK . $publicKey,
511 '',
512 24
513 );
514
515 /** @var string $keypair */
516 $keypair = self::box_keypair_from_secretkey_and_publickey($secretKey, $ephemeralPK);
517
518 /** @var string $m */
519 $m = self::box_open($ciphertext, $nonce, $keypair);
520 try {
521 ParagonIE_Sodium_Compat::memzero($secretKey);
522 ParagonIE_Sodium_Compat::memzero($ephemeralPK);
523 ParagonIE_Sodium_Compat::memzero($nonce);
524 } catch (SodiumException $ex) {
525 $secretKey = null;
526 $ephemeralPK = null;
527 $nonce = null;
528 }
529 return $m;
530 }
531
532 /**
533 * Used by crypto_box() to get the crypto_secretbox() key.
534 *
535 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
536 *
537 * @param string $sk
538 * @param string $pk
539 * @return string
540 * @throws SodiumException
541 * @throws TypeError
542 */
543 public static function box_beforenm($sk, $pk)
544 {
545 return ParagonIE_Sodium_Core32_HSalsa20::hsalsa20(
546 str_repeat("\x00", 16),
547 self::scalarmult($sk, $pk)
548 );
549 }
550
551 /**
552 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
553 *
554 * @return string
555 * @throws Exception
556 * @throws SodiumException
557 * @throws TypeError
558 */
559 public static function box_keypair()
560 {
561 $sKey = random_bytes(32);
562 $pKey = self::scalarmult_base($sKey);
563 return $sKey . $pKey;
564 }
565
566 /**
567 * @param string $seed
568 * @return string
569 * @throws SodiumException
570 * @throws TypeError
571 */
572 public static function box_seed_keypair($seed)
573 {
574 $sKey = ParagonIE_Sodium_Core32_Util::substr(
575 hash('sha512', $seed, true),
576 0,
577 32
578 );
579 $pKey = self::scalarmult_base($sKey);
580 return $sKey . $pKey;
581 }
582
583 /**
584 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
585 *
586 * @param string $sKey
587 * @param string $pKey
588 * @return string
589 * @throws TypeError
590 */
591 public static function box_keypair_from_secretkey_and_publickey($sKey, $pKey)
592 {
593 return ParagonIE_Sodium_Core32_Util::substr($sKey, 0, 32) .
594 ParagonIE_Sodium_Core32_Util::substr($pKey, 0, 32);
595 }
596
597 /**
598 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
599 *
600 * @param string $keypair
601 * @return string
602 * @throws RangeException
603 * @throws TypeError
604 */
605 public static function box_secretkey($keypair)
606 {
607 if (ParagonIE_Sodium_Core32_Util::strlen($keypair) !== 64) {
608 throw new RangeException(
609 'Must be ParagonIE_Sodium_Compat::CRYPTO_BOX_KEYPAIRBYTES bytes long.'
610 );
611 }
612 return ParagonIE_Sodium_Core32_Util::substr($keypair, 0, 32);
613 }
614
615 /**
616 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
617 *
618 * @param string $keypair
619 * @return string
620 * @throws RangeException
621 * @throws TypeError
622 */
623 public static function box_publickey($keypair)
624 {
625 if (ParagonIE_Sodium_Core32_Util::strlen($keypair) !== ParagonIE_Sodium_Compat::CRYPTO_BOX_KEYPAIRBYTES) {
626 throw new RangeException(
627 'Must be ParagonIE_Sodium_Compat::CRYPTO_BOX_KEYPAIRBYTES bytes long.'
628 );
629 }
630 return ParagonIE_Sodium_Core32_Util::substr($keypair, 32, 32);
631 }
632
633 /**
634 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
635 *
636 * @param string $sKey
637 * @return string
638 * @throws RangeException
639 * @throws SodiumException
640 * @throws TypeError
641 */
642 public static function box_publickey_from_secretkey($sKey)
643 {
644 if (ParagonIE_Sodium_Core32_Util::strlen($sKey) !== ParagonIE_Sodium_Compat::CRYPTO_BOX_SECRETKEYBYTES) {
645 throw new RangeException(
646 'Must be ParagonIE_Sodium_Compat::CRYPTO_BOX_SECRETKEYBYTES bytes long.'
647 );
648 }
649 return self::scalarmult_base($sKey);
650 }
651
652 /**
653 * Decrypt a message encrypted with box().
654 *
655 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
656 *
657 * @param string $ciphertext
658 * @param string $nonce
659 * @param string $keypair
660 * @return string
661 * @throws SodiumException
662 * @throws TypeError
663 */
664 public static function box_open($ciphertext, $nonce, $keypair)
665 {
666 return self::secretbox_open(
667 $ciphertext,
668 $nonce,
669 self::box_beforenm(
670 self::box_secretkey($keypair),
671 self::box_publickey($keypair)
672 )
673 );
674 }
675
676 /**
677 * Calculate a BLAKE2b hash.
678 *
679 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
680 *
681 * @param string $message
682 * @param string|null $key
683 * @param int $outlen
684 * @return string
685 * @throws RangeException
686 * @throws SodiumException
687 * @throws TypeError
688 */
689 public static function generichash($message, $key = '', $outlen = 32)
690 {
691 // This ensures that ParagonIE_Sodium_Core32_BLAKE2b::$iv is initialized
692 ParagonIE_Sodium_Core32_BLAKE2b::pseudoConstructor();
693
694 $k = null;
695 if (!empty($key)) {
696 /** @var SplFixedArray $k */
697 $k = ParagonIE_Sodium_Core32_BLAKE2b::stringToSplFixedArray($key);
698 if ($k->count() > ParagonIE_Sodium_Core32_BLAKE2b::KEYBYTES) {
699 throw new RangeException('Invalid key size');
700 }
701 }
702
703 /** @var SplFixedArray $in */
704 $in = ParagonIE_Sodium_Core32_BLAKE2b::stringToSplFixedArray($message);
705
706 /** @var SplFixedArray $ctx */
707 $ctx = ParagonIE_Sodium_Core32_BLAKE2b::init($k, $outlen);
708 ParagonIE_Sodium_Core32_BLAKE2b::update($ctx, $in, $in->count());
709
710 /** @var SplFixedArray $out */
711 $out = new SplFixedArray($outlen);
712 $out = ParagonIE_Sodium_Core32_BLAKE2b::finish($ctx, $out);
713
714 /** @var array<int, int> */
715 $outArray = $out->toArray();
716 return ParagonIE_Sodium_Core32_Util::intArrayToString($outArray);
717 }
718
719 /**
720 * Finalize a BLAKE2b hashing context, returning the hash.
721 *
722 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
723 *
724 * @param string $ctx
725 * @param int $outlen
726 * @return string
727 * @throws SodiumException
728 * @throws TypeError
729 */
730 public static function generichash_final($ctx, $outlen = 32)
731 {
732 if (!is_string($ctx)) {
733 throw new TypeError('Context must be a string');
734 }
735 $out = new SplFixedArray($outlen);
736
737 /** @var SplFixedArray $context */
738 $context = ParagonIE_Sodium_Core32_BLAKE2b::stringToContext($ctx);
739
740 /** @var SplFixedArray $out */
741 $out = ParagonIE_Sodium_Core32_BLAKE2b::finish($context, $out);
742
743 /** @var array<int, int> */
744 $outArray = $out->toArray();
745 return ParagonIE_Sodium_Core32_Util::intArrayToString($outArray);
746 }
747
748 /**
749 * Initialize a hashing context for BLAKE2b.
750 *
751 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
752 *
753 * @param string $key
754 * @param int $outputLength
755 * @return string
756 * @throws RangeException
757 * @throws SodiumException
758 * @throws TypeError
759 */
760 public static function generichash_init($key = '', $outputLength = 32)
761 {
762 // This ensures that ParagonIE_Sodium_Core32_BLAKE2b::$iv is initialized
763 ParagonIE_Sodium_Core32_BLAKE2b::pseudoConstructor();
764
765 $k = null;
766 if (!empty($key)) {
767 $k = ParagonIE_Sodium_Core32_BLAKE2b::stringToSplFixedArray($key);
768 if ($k->count() > ParagonIE_Sodium_Core32_BLAKE2b::KEYBYTES) {
769 throw new RangeException('Invalid key size');
770 }
771 }
772
773 /** @var SplFixedArray $ctx */
774 $ctx = ParagonIE_Sodium_Core32_BLAKE2b::init($k, $outputLength);
775
776 return ParagonIE_Sodium_Core32_BLAKE2b::contextToString($ctx);
777 }
778
779 /**
780 * Initialize a hashing context for BLAKE2b.
781 *
782 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
783 *
784 * @param string $key
785 * @param int $outputLength
786 * @param string $salt
787 * @param string $personal
788 * @return string
789 * @throws RangeException
790 * @throws SodiumException
791 * @throws TypeError
792 */
793 public static function generichash_init_salt_personal(
794 $key = '',
795 $outputLength = 32,
796 $salt = '',
797 $personal = ''
798 ) {
799 // This ensures that ParagonIE_Sodium_Core32_BLAKE2b::$iv is initialized
800 ParagonIE_Sodium_Core32_BLAKE2b::pseudoConstructor();
801
802 $k = null;
803 if (!empty($key)) {
804 $k = ParagonIE_Sodium_Core32_BLAKE2b::stringToSplFixedArray($key);
805 if ($k->count() > ParagonIE_Sodium_Core32_BLAKE2b::KEYBYTES) {
806 throw new RangeException('Invalid key size');
807 }
808 }
809 if (!empty($salt)) {
810 $s = ParagonIE_Sodium_Core32_BLAKE2b::stringToSplFixedArray($salt);
811 } else {
812 $s = null;
813 }
814 if (!empty($salt)) {
815 $p = ParagonIE_Sodium_Core32_BLAKE2b::stringToSplFixedArray($personal);
816 } else {
817 $p = null;
818 }
819
820 /** @var SplFixedArray $ctx */
821 $ctx = ParagonIE_Sodium_Core32_BLAKE2b::init($k, $outputLength, $s, $p);
822
823 return ParagonIE_Sodium_Core32_BLAKE2b::contextToString($ctx);
824 }
825
826 /**
827 * Update a hashing context for BLAKE2b with $message
828 *
829 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
830 *
831 * @param string $ctx
832 * @param string $message
833 * @return string
834 * @throws SodiumException
835 * @throws TypeError
836 */
837 public static function generichash_update($ctx, $message)
838 {
839 // This ensures that ParagonIE_Sodium_Core32_BLAKE2b::$iv is initialized
840 ParagonIE_Sodium_Core32_BLAKE2b::pseudoConstructor();
841
842 /** @var SplFixedArray $context */
843 $context = ParagonIE_Sodium_Core32_BLAKE2b::stringToContext($ctx);
844
845 /** @var SplFixedArray $in */
846 $in = ParagonIE_Sodium_Core32_BLAKE2b::stringToSplFixedArray($message);
847
848 ParagonIE_Sodium_Core32_BLAKE2b::update($context, $in, $in->count());
849
850 return ParagonIE_Sodium_Core32_BLAKE2b::contextToString($context);
851 }
852
853 /**
854 * Libsodium's crypto_kx().
855 *
856 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
857 *
858 * @param string $my_sk
859 * @param string $their_pk
860 * @param string $client_pk
861 * @param string $server_pk
862 * @return string
863 * @throws SodiumException
864 * @throws TypeError
865 */
866 public static function keyExchange($my_sk, $their_pk, $client_pk, $server_pk)
867 {
868 return self::generichash(
869 self::scalarmult($my_sk, $their_pk) .
870 $client_pk .
871 $server_pk
872 );
873 }
874
875 /**
876 * ECDH over Curve25519
877 *
878 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
879 *
880 * @param string $sKey
881 * @param string $pKey
882 * @return string
883 *
884 * @throws SodiumException
885 * @throws TypeError
886 */
887 public static function scalarmult($sKey, $pKey)
888 {
889 $q = ParagonIE_Sodium_Core32_X25519::crypto_scalarmult_curve25519_ref10($sKey, $pKey);
890 self::scalarmult_throw_if_zero($q);
891 return $q;
892 }
893
894 /**
895 * ECDH over Curve25519, using the basepoint.
896 * Used to get a secret key from a public key.
897 *
898 * @param string $secret
899 * @return string
900 *
901 * @throws SodiumException
902 * @throws TypeError
903 */
904 public static function scalarmult_base($secret)
905 {
906 $q = ParagonIE_Sodium_Core32_X25519::crypto_scalarmult_curve25519_ref10_base($secret);
907 self::scalarmult_throw_if_zero($q);
908 return $q;
909 }
910
911 /**
912 * This throws an Error if a zero public key was passed to the function.
913 *
914 * @param string $q
915 * @return void
916 * @throws SodiumException
917 * @throws TypeError
918 */
919 protected static function scalarmult_throw_if_zero($q)
920 {
921 $d = 0;
922 for ($i = 0; $i < self::box_curve25519xsalsa20poly1305_SECRETKEYBYTES; ++$i) {
923 $d |= ParagonIE_Sodium_Core32_Util::chrToInt($q[$i]);
924 }
925
926 /* branch-free variant of === 0 */
927 if (-(1 & (($d - 1) >> 8))) {
928 throw new SodiumException('Zero public key is not allowed');
929 }
930 }
931
932 /**
933 * XSalsa20-Poly1305 authenticated symmetric-key encryption.
934 *
935 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
936 *
937 * @param string $plaintext
938 * @param string $nonce
939 * @param string $key
940 * @return string
941 * @throws SodiumException
942 * @throws TypeError
943 */
944 public static function secretbox($plaintext, $nonce, $key)
945 {
946 /** @var string $subkey */
947 $subkey = ParagonIE_Sodium_Core32_HSalsa20::hsalsa20($nonce, $key);
948
949 /** @var string $block0 */
950 $block0 = str_repeat("\x00", 32);
951
952 /** @var int $mlen - Length of the plaintext message */
953 $mlen = ParagonIE_Sodium_Core32_Util::strlen($plaintext);
954 $mlen0 = $mlen;
955 if ($mlen0 > 64 - self::secretbox_xsalsa20poly1305_ZEROBYTES) {
956 $mlen0 = 64 - self::secretbox_xsalsa20poly1305_ZEROBYTES;
957 }
958 $block0 .= ParagonIE_Sodium_Core32_Util::substr($plaintext, 0, $mlen0);
959
960 /** @var string $block0 */
961 $block0 = ParagonIE_Sodium_Core32_Salsa20::salsa20_xor(
962 $block0,
963 ParagonIE_Sodium_Core32_Util::substr($nonce, 16, 8),
964 $subkey
965 );
966
967 /** @var string $c */
968 $c = ParagonIE_Sodium_Core32_Util::substr(
969 $block0,
970 self::secretbox_xsalsa20poly1305_ZEROBYTES
971 );
972 if ($mlen > $mlen0) {
973 $c .= ParagonIE_Sodium_Core32_Salsa20::salsa20_xor_ic(
974 ParagonIE_Sodium_Core32_Util::substr(
975 $plaintext,
976 self::secretbox_xsalsa20poly1305_ZEROBYTES
977 ),
978 ParagonIE_Sodium_Core32_Util::substr($nonce, 16, 8),
979 1,
980 $subkey
981 );
982 }
983 $state = new ParagonIE_Sodium_Core32_Poly1305_State(
984 ParagonIE_Sodium_Core32_Util::substr(
985 $block0,
986 0,
987 self::onetimeauth_poly1305_KEYBYTES
988 )
989 );
990 try {
991 ParagonIE_Sodium_Compat::memzero($block0);
992 ParagonIE_Sodium_Compat::memzero($subkey);
993 } catch (SodiumException $ex) {
994 $block0 = null;
995 $subkey = null;
996 }
997
998 $state->update($c);
999
1000 /** @var string $c - MAC || ciphertext */
1001 $c = $state->finish() . $c;
1002 unset($state);
1003
1004 return $c;
1005 }
1006
1007 /**
1008 * Decrypt a ciphertext generated via secretbox().
1009 *
1010 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
1011 *
1012 * @param string $ciphertext
1013 * @param string $nonce
1014 * @param string $key
1015 * @return string
1016 * @throws SodiumException
1017 * @throws TypeError
1018 */
1019 public static function secretbox_open($ciphertext, $nonce, $key)
1020 {
1021 /** @var string $mac */
1022 $mac = ParagonIE_Sodium_Core32_Util::substr(
1023 $ciphertext,
1024 0,
1025 self::secretbox_xsalsa20poly1305_MACBYTES
1026 );
1027
1028 /** @var string $c */
1029 $c = ParagonIE_Sodium_Core32_Util::substr(
1030 $ciphertext,
1031 self::secretbox_xsalsa20poly1305_MACBYTES
1032 );
1033
1034 /** @var int $clen */
1035 $clen = ParagonIE_Sodium_Core32_Util::strlen($c);
1036
1037 /** @var string $subkey */
1038 $subkey = ParagonIE_Sodium_Core32_HSalsa20::hsalsa20($nonce, $key);
1039
1040 /** @var string $block0 */
1041 $block0 = ParagonIE_Sodium_Core32_Salsa20::salsa20(
1042 64,
1043 ParagonIE_Sodium_Core32_Util::substr($nonce, 16, 8),
1044 $subkey
1045 );
1046 $verified = ParagonIE_Sodium_Core32_Poly1305::onetimeauth_verify(
1047 $mac,
1048 $c,
1049 ParagonIE_Sodium_Core32_Util::substr($block0, 0, 32)
1050 );
1051 if (!$verified) {
1052 try {
1053 ParagonIE_Sodium_Compat::memzero($subkey);
1054 } catch (SodiumException $ex) {
1055 $subkey = null;
1056 }
1057 throw new SodiumException('Invalid MAC');
1058 }
1059
1060 /** @var string $m - Decrypted message */
1061 $m = ParagonIE_Sodium_Core32_Util::xorStrings(
1062 ParagonIE_Sodium_Core32_Util::substr($block0, self::secretbox_xsalsa20poly1305_ZEROBYTES),
1063 ParagonIE_Sodium_Core32_Util::substr($c, 0, self::secretbox_xsalsa20poly1305_ZEROBYTES)
1064 );
1065 if ($clen > self::secretbox_xsalsa20poly1305_ZEROBYTES) {
1066 // We had more than 1 block, so let's continue to decrypt the rest.
1067 $m .= ParagonIE_Sodium_Core32_Salsa20::salsa20_xor_ic(
1068 ParagonIE_Sodium_Core32_Util::substr(
1069 $c,
1070 self::secretbox_xsalsa20poly1305_ZEROBYTES
1071 ),
1072 ParagonIE_Sodium_Core32_Util::substr($nonce, 16, 8),
1073 1,
1074 (string) $subkey
1075 );
1076 }
1077 return $m;
1078 }
1079
1080 /**
1081 * XChaCha20-Poly1305 authenticated symmetric-key encryption.
1082 *
1083 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
1084 *
1085 * @param string $plaintext
1086 * @param string $nonce
1087 * @param string $key
1088 * @return string
1089 * @throws SodiumException
1090 * @throws TypeError
1091 */
1092 public static function secretbox_xchacha20poly1305($plaintext, $nonce, $key)
1093 {
1094 /** @var string $subkey */
1095 $subkey = ParagonIE_Sodium_Core32_HChaCha20::hChaCha20(
1096 ParagonIE_Sodium_Core32_Util::substr($nonce, 0, 16),
1097 $key
1098 );
1099 $nonceLast = ParagonIE_Sodium_Core32_Util::substr($nonce, 16, 8);
1100
1101 /** @var string $block0 */
1102 $block0 = str_repeat("\x00", 32);
1103
1104 /** @var int $mlen - Length of the plaintext message */
1105 $mlen = ParagonIE_Sodium_Core32_Util::strlen($plaintext);
1106 $mlen0 = $mlen;
1107 if ($mlen0 > 64 - self::secretbox_xchacha20poly1305_ZEROBYTES) {
1108 $mlen0 = 64 - self::secretbox_xchacha20poly1305_ZEROBYTES;
1109 }
1110 $block0 .= ParagonIE_Sodium_Core32_Util::substr($plaintext, 0, $mlen0);
1111
1112 /** @var string $block0 */
1113 $block0 = ParagonIE_Sodium_Core32_ChaCha20::streamXorIc(
1114 $block0,
1115 $nonceLast,
1116 $subkey
1117 );
1118
1119 /** @var string $c */
1120 $c = ParagonIE_Sodium_Core32_Util::substr(
1121 $block0,
1122 self::secretbox_xchacha20poly1305_ZEROBYTES
1123 );
1124 if ($mlen > $mlen0) {
1125 $c .= ParagonIE_Sodium_Core32_ChaCha20::streamXorIc(
1126 ParagonIE_Sodium_Core32_Util::substr(
1127 $plaintext,
1128 self::secretbox_xchacha20poly1305_ZEROBYTES
1129 ),
1130 $nonceLast,
1131 $subkey,
1132 ParagonIE_Sodium_Core32_Util::store64_le(1)
1133 );
1134 }
1135 $state = new ParagonIE_Sodium_Core32_Poly1305_State(
1136 ParagonIE_Sodium_Core32_Util::substr(
1137 $block0,
1138 0,
1139 self::onetimeauth_poly1305_KEYBYTES
1140 )
1141 );
1142 try {
1143 ParagonIE_Sodium_Compat::memzero($block0);
1144 ParagonIE_Sodium_Compat::memzero($subkey);
1145 } catch (SodiumException $ex) {
1146 $block0 = null;
1147 $subkey = null;
1148 }
1149
1150 $state->update($c);
1151
1152 /** @var string $c - MAC || ciphertext */
1153 $c = $state->finish() . $c;
1154 unset($state);
1155
1156 return $c;
1157 }
1158
1159 /**
1160 * Decrypt a ciphertext generated via secretbox_xchacha20poly1305().
1161 *
1162 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
1163 *
1164 * @param string $ciphertext
1165 * @param string $nonce
1166 * @param string $key
1167 * @return string
1168 * @throws SodiumException
1169 * @throws TypeError
1170 */
1171 public static function secretbox_xchacha20poly1305_open($ciphertext, $nonce, $key)
1172 {
1173 /** @var string $mac */
1174 $mac = ParagonIE_Sodium_Core32_Util::substr(
1175 $ciphertext,
1176 0,
1177 self::secretbox_xchacha20poly1305_MACBYTES
1178 );
1179
1180 /** @var string $c */
1181 $c = ParagonIE_Sodium_Core32_Util::substr(
1182 $ciphertext,
1183 self::secretbox_xchacha20poly1305_MACBYTES
1184 );
1185
1186 /** @var int $clen */
1187 $clen = ParagonIE_Sodium_Core32_Util::strlen($c);
1188
1189 /** @var string $subkey */
1190 $subkey = ParagonIE_Sodium_Core32_HChaCha20::hchacha20($nonce, $key);
1191
1192 /** @var string $block0 */
1193 $block0 = ParagonIE_Sodium_Core32_ChaCha20::stream(
1194 64,
1195 ParagonIE_Sodium_Core32_Util::substr($nonce, 16, 8),
1196 $subkey
1197 );
1198 $verified = ParagonIE_Sodium_Core32_Poly1305::onetimeauth_verify(
1199 $mac,
1200 $c,
1201 ParagonIE_Sodium_Core32_Util::substr($block0, 0, 32)
1202 );
1203
1204 if (!$verified) {
1205 try {
1206 ParagonIE_Sodium_Compat::memzero($subkey);
1207 } catch (SodiumException $ex) {
1208 $subkey = null;
1209 }
1210 throw new SodiumException('Invalid MAC');
1211 }
1212
1213 /** @var string $m - Decrypted message */
1214 $m = ParagonIE_Sodium_Core32_Util::xorStrings(
1215 ParagonIE_Sodium_Core32_Util::substr($block0, self::secretbox_xchacha20poly1305_ZEROBYTES),
1216 ParagonIE_Sodium_Core32_Util::substr($c, 0, self::secretbox_xchacha20poly1305_ZEROBYTES)
1217 );
1218
1219 if ($clen > self::secretbox_xchacha20poly1305_ZEROBYTES) {
1220 // We had more than 1 block, so let's continue to decrypt the rest.
1221 $m .= ParagonIE_Sodium_Core32_ChaCha20::streamXorIc(
1222 ParagonIE_Sodium_Core32_Util::substr(
1223 $c,
1224 self::secretbox_xchacha20poly1305_ZEROBYTES
1225 ),
1226 ParagonIE_Sodium_Core32_Util::substr($nonce, 16, 8),
1227 (string) $subkey,
1228 ParagonIE_Sodium_Core32_Util::store64_le(1)
1229 );
1230 }
1231 return $m;
1232 }
1233
1234 /**
1235 * @param string $key
1236 * @return array<int, string> Returns a state and a header.
1237 * @throws Exception
1238 * @throws SodiumException
1239 */
1240 public static function secretstream_xchacha20poly1305_init_push($key)
1241 {
1242 # randombytes_buf(out, crypto_secretstream_xchacha20poly1305_HEADERBYTES);
1243 $out = random_bytes(24);
1244
1245 # crypto_core_hchacha20(state->k, out, k, NULL);
1246 $subkey = ParagonIE_Sodium_Core32_HChaCha20::hChaCha20($out, $key);
1247 $state = new ParagonIE_Sodium_Core32_SecretStream_State(
1248 $subkey,
1249 ParagonIE_Sodium_Core32_Util::substr($out, 16, 8) . str_repeat("\0", 4)
1250 );
1251
1252 # _crypto_secretstream_xchacha20poly1305_counter_reset(state);
1253 $state->counterReset();
1254
1255 # memcpy(STATE_INONCE(state), out + crypto_core_hchacha20_INPUTBYTES,
1256 # crypto_secretstream_xchacha20poly1305_INONCEBYTES);
1257 # memset(state->_pad, 0, sizeof state->_pad);
1258 return array(
1259 $state->toString(),
1260 $out
1261 );
1262 }
1263
1264 /**
1265 * @param string $key
1266 * @param string $header
1267 * @return string Returns a state.
1268 * @throws Exception
1269 */
1270 public static function secretstream_xchacha20poly1305_init_pull($key, $header)
1271 {
1272 # crypto_core_hchacha20(state->k, in, k, NULL);
1273 $subkey = ParagonIE_Sodium_Core32_HChaCha20::hChaCha20(
1274 ParagonIE_Sodium_Core32_Util::substr($header, 0, 16),
1275 $key
1276 );
1277 $state = new ParagonIE_Sodium_Core32_SecretStream_State(
1278 $subkey,
1279 ParagonIE_Sodium_Core32_Util::substr($header, 16)
1280 );
1281 $state->counterReset();
1282 # memcpy(STATE_INONCE(state), in + crypto_core_hchacha20_INPUTBYTES,
1283 # crypto_secretstream_xchacha20poly1305_INONCEBYTES);
1284 # memset(state->_pad, 0, sizeof state->_pad);
1285 # return 0;
1286 return $state->toString();
1287 }
1288
1289 /**
1290 * @param string $state
1291 * @param string $msg
1292 * @param string $aad
1293 * @param int $tag
1294 * @return string
1295 * @throws SodiumException
1296 */
1297 public static function secretstream_xchacha20poly1305_push(&$state, $msg, $aad = '', $tag = 0)
1298 {
1299 $st = ParagonIE_Sodium_Core32_SecretStream_State::fromString($state);
1300 # crypto_onetimeauth_poly1305_state poly1305_state;
1301 # unsigned char block[64U];
1302 # unsigned char slen[8U];
1303 # unsigned char *c;
1304 # unsigned char *mac;
1305
1306 $msglen = ParagonIE_Sodium_Core32_Util::strlen($msg);
1307 $aadlen = ParagonIE_Sodium_Core32_Util::strlen($aad);
1308
1309 if ((($msglen + 63) >> 6) > 0xfffffffe) {
1310 throw new SodiumException(
1311 'message cannot be larger than SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_MESSAGEBYTES_MAX bytes'
1312 );
1313 }
1314
1315 # if (outlen_p != NULL) {
1316 # *outlen_p = 0U;
1317 # }
1318 # if (mlen > crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX) {
1319 # sodium_misuse();
1320 # }
1321
1322 # crypto_stream_chacha20_ietf(block, sizeof block, state->nonce, state->k);
1323 # crypto_onetimeauth_poly1305_init(&poly1305_state, block);
1324 # sodium_memzero(block, sizeof block);
1325 $auth = new ParagonIE_Sodium_Core32_Poly1305_State(
1326 ParagonIE_Sodium_Core32_ChaCha20::ietfStream(32, $st->getCombinedNonce(), $st->getKey())
1327 );
1328
1329 # crypto_onetimeauth_poly1305_update(&poly1305_state, ad, adlen);
1330 $auth->update($aad);
1331
1332 # crypto_onetimeauth_poly1305_update(&poly1305_state, _pad0,
1333 # (0x10 - adlen) & 0xf);
1334 $auth->update(str_repeat("\0", ((0x10 - $aadlen) & 0xf)));
1335
1336 # memset(block, 0, sizeof block);
1337 # block[0] = tag;
1338 # crypto_stream_chacha20_ietf_xor_ic(block, block, sizeof block,
1339 # state->nonce, 1U, state->k);
1340 $block = ParagonIE_Sodium_Core32_ChaCha20::ietfStreamXorIc(
1341 ParagonIE_Sodium_Core32_Util::intToChr($tag) . str_repeat("\0", 63),
1342 $st->getCombinedNonce(),
1343 $st->getKey(),
1344 ParagonIE_Sodium_Core32_Util::store64_le(1)
1345 );
1346
1347 # crypto_onetimeauth_poly1305_update(&poly1305_state, block, sizeof block);
1348 $auth->update($block);
1349
1350 # out[0] = block[0];
1351 $out = $block[0];
1352 # c = out + (sizeof tag);
1353 # crypto_stream_chacha20_ietf_xor_ic(c, m, mlen, state->nonce, 2U, state->k);
1354 $cipher = ParagonIE_Sodium_Core32_ChaCha20::ietfStreamXorIc(
1355 $msg,
1356 $st->getCombinedNonce(),
1357 $st->getKey(),
1358 ParagonIE_Sodium_Core32_Util::store64_le(2)
1359 );
1360
1361 # crypto_onetimeauth_poly1305_update(&poly1305_state, c, mlen);
1362 $auth->update($cipher);
1363
1364 $out .= $cipher;
1365 unset($cipher);
1366
1367 # crypto_onetimeauth_poly1305_update
1368 # (&poly1305_state, _pad0, (0x10 - (sizeof block) + mlen) & 0xf);
1369 $auth->update(str_repeat("\0", ((0x10 - 64 + $msglen) & 0xf)));
1370
1371 # STORE64_LE(slen, (uint64_t) adlen);
1372 $slen = ParagonIE_Sodium_Core32_Util::store64_le($aadlen);
1373
1374 # crypto_onetimeauth_poly1305_update(&poly1305_state, slen, sizeof slen);
1375 $auth->update($slen);
1376
1377 # STORE64_LE(slen, (sizeof block) + mlen);
1378 $slen = ParagonIE_Sodium_Core32_Util::store64_le(64 + $msglen);
1379
1380 # crypto_onetimeauth_poly1305_update(&poly1305_state, slen, sizeof slen);
1381 $auth->update($slen);
1382
1383 # mac = c + mlen;
1384 # crypto_onetimeauth_poly1305_final(&poly1305_state, mac);
1385 $mac = $auth->finish();
1386 $out .= $mac;
1387
1388 # sodium_memzero(&poly1305_state, sizeof poly1305_state);
1389 unset($auth);
1390
1391
1392 # XOR_BUF(STATE_INONCE(state), mac,
1393 # crypto_secretstream_xchacha20poly1305_INONCEBYTES);
1394 $st->xorNonce($mac);
1395
1396 # sodium_increment(STATE_COUNTER(state),
1397 # crypto_secretstream_xchacha20poly1305_COUNTERBYTES);
1398 $st->incrementCounter();
1399 // Overwrite by reference:
1400 $state = $st->toString();
1401
1402 /** @var bool $rekey */
1403 $rekey = ($tag & ParagonIE_Sodium_Compat::CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_REKEY) !== 0;
1404 # if ((tag & crypto_secretstream_xchacha20poly1305_TAG_REKEY) != 0 ||
1405 # sodium_is_zero(STATE_COUNTER(state),
1406 # crypto_secretstream_xchacha20poly1305_COUNTERBYTES)) {
1407 # crypto_secretstream_xchacha20poly1305_rekey(state);
1408 # }
1409 if ($rekey || $st->needsRekey()) {
1410 // DO REKEY
1411 self::secretstream_xchacha20poly1305_rekey($state);
1412 }
1413 # if (outlen_p != NULL) {
1414 # *outlen_p = crypto_secretstream_xchacha20poly1305_ABYTES + mlen;
1415 # }
1416 return $out;
1417 }
1418
1419 /**
1420 * @param string $state
1421 * @param string $cipher
1422 * @param string $aad
1423 * @return bool|array{0: string, 1: int}
1424 * @throws SodiumException
1425 */
1426 public static function secretstream_xchacha20poly1305_pull(&$state, $cipher, $aad = '')
1427 {
1428 $st = ParagonIE_Sodium_Core32_SecretStream_State::fromString($state);
1429
1430 $cipherlen = ParagonIE_Sodium_Core32_Util::strlen($cipher);
1431 # mlen = inlen - crypto_secretstream_xchacha20poly1305_ABYTES;
1432 $msglen = $cipherlen - ParagonIE_Sodium_Compat::CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_ABYTES;
1433 $aadlen = ParagonIE_Sodium_Core32_Util::strlen($aad);
1434
1435 # if (mlen > crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX) {
1436 # sodium_misuse();
1437 # }
1438 if ((($msglen + 63) >> 6) > 0xfffffffe) {
1439 throw new SodiumException(
1440 'message cannot be larger than SODIUM_CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_MESSAGEBYTES_MAX bytes'
1441 );
1442 }
1443
1444 # crypto_stream_chacha20_ietf(block, sizeof block, state->nonce, state->k);
1445 # crypto_onetimeauth_poly1305_init(&poly1305_state, block);
1446 # sodium_memzero(block, sizeof block);
1447 $auth = new ParagonIE_Sodium_Core32_Poly1305_State(
1448 ParagonIE_Sodium_Core32_ChaCha20::ietfStream(32, $st->getCombinedNonce(), $st->getKey())
1449 );
1450
1451 # crypto_onetimeauth_poly1305_update(&poly1305_state, ad, adlen);
1452 $auth->update($aad);
1453
1454 # crypto_onetimeauth_poly1305_update(&poly1305_state, _pad0,
1455 # (0x10 - adlen) & 0xf);
1456 $auth->update(str_repeat("\0", ((0x10 - $aadlen) & 0xf)));
1457
1458
1459 # memset(block, 0, sizeof block);
1460 # block[0] = in[0];
1461 # crypto_stream_chacha20_ietf_xor_ic(block, block, sizeof block,
1462 # state->nonce, 1U, state->k);
1463 $block = ParagonIE_Sodium_Core32_ChaCha20::ietfStreamXorIc(
1464 $cipher[0] . str_repeat("\0", 63),
1465 $st->getCombinedNonce(),
1466 $st->getKey(),
1467 ParagonIE_Sodium_Core32_Util::store64_le(1)
1468 );
1469 # tag = block[0];
1470 # block[0] = in[0];
1471 # crypto_onetimeauth_poly1305_update(&poly1305_state, block, sizeof block);
1472 $tag = ParagonIE_Sodium_Core32_Util::chrToInt($block[0]);
1473 $block[0] = $cipher[0];
1474 $auth->update($block);
1475
1476
1477 # c = in + (sizeof tag);
1478 # crypto_onetimeauth_poly1305_update(&poly1305_state, c, mlen);
1479 $auth->update(ParagonIE_Sodium_Core32_Util::substr($cipher, 1, $msglen));
1480
1481 # crypto_onetimeauth_poly1305_update
1482 # (&poly1305_state, _pad0, (0x10 - (sizeof block) + mlen) & 0xf);
1483 $auth->update(str_repeat("\0", ((0x10 - 64 + $msglen) & 0xf)));
1484
1485 # STORE64_LE(slen, (uint64_t) adlen);
1486 # crypto_onetimeauth_poly1305_update(&poly1305_state, slen, sizeof slen);
1487 $slen = ParagonIE_Sodium_Core32_Util::store64_le($aadlen);
1488 $auth->update($slen);
1489
1490 # STORE64_LE(slen, (sizeof block) + mlen);
1491 # crypto_onetimeauth_poly1305_update(&poly1305_state, slen, sizeof slen);
1492 $slen = ParagonIE_Sodium_Core32_Util::store64_le(64 + $msglen);
1493 $auth->update($slen);
1494
1495 # crypto_onetimeauth_poly1305_final(&poly1305_state, mac);
1496 # sodium_memzero(&poly1305_state, sizeof poly1305_state);
1497 $mac = $auth->finish();
1498
1499 # stored_mac = c + mlen;
1500 # if (sodium_memcmp(mac, stored_mac, sizeof mac) != 0) {
1501 # sodium_memzero(mac, sizeof mac);
1502 # return -1;
1503 # }
1504
1505 $stored = ParagonIE_Sodium_Core32_Util::substr($cipher, $msglen + 1, 16);
1506 if (!ParagonIE_Sodium_Core32_Util::hashEquals($mac, $stored)) {
1507 return false;
1508 }
1509
1510 # crypto_stream_chacha20_ietf_xor_ic(m, c, mlen, state->nonce, 2U, state->k);
1511 $out = ParagonIE_Sodium_Core32_ChaCha20::ietfStreamXorIc(
1512 ParagonIE_Sodium_Core32_Util::substr($cipher, 1, $msglen),
1513 $st->getCombinedNonce(),
1514 $st->getKey(),
1515 ParagonIE_Sodium_Core32_Util::store64_le(2)
1516 );
1517
1518 # XOR_BUF(STATE_INONCE(state), mac,
1519 # crypto_secretstream_xchacha20poly1305_INONCEBYTES);
1520 $st->xorNonce($mac);
1521
1522 # sodium_increment(STATE_COUNTER(state),
1523 # crypto_secretstream_xchacha20poly1305_COUNTERBYTES);
1524 $st->incrementCounter();
1525
1526 # if ((tag & crypto_secretstream_xchacha20poly1305_TAG_REKEY) != 0 ||
1527 # sodium_is_zero(STATE_COUNTER(state),
1528 # crypto_secretstream_xchacha20poly1305_COUNTERBYTES)) {
1529 # crypto_secretstream_xchacha20poly1305_rekey(state);
1530 # }
1531
1532 // Overwrite by reference:
1533 $state = $st->toString();
1534
1535 /** @var bool $rekey */
1536 $rekey = ($tag & ParagonIE_Sodium_Compat::CRYPTO_SECRETSTREAM_XCHACHA20POLY1305_TAG_REKEY) !== 0;
1537 if ($rekey || $st->needsRekey()) {
1538 // DO REKEY
1539 self::secretstream_xchacha20poly1305_rekey($state);
1540 }
1541 return array($out, $tag);
1542 }
1543
1544 /**
1545 * @param string $state
1546 * @return void
1547 * @throws SodiumException
1548 */
1549 public static function secretstream_xchacha20poly1305_rekey(&$state)
1550 {
1551 $st = ParagonIE_Sodium_Core32_SecretStream_State::fromString($state);
1552 # unsigned char new_key_and_inonce[crypto_stream_chacha20_ietf_KEYBYTES +
1553 # crypto_secretstream_xchacha20poly1305_INONCEBYTES];
1554 # size_t i;
1555 # for (i = 0U; i < crypto_stream_chacha20_ietf_KEYBYTES; i++) {
1556 # new_key_and_inonce[i] = state->k[i];
1557 # }
1558 $new_key_and_inonce = $st->getKey();
1559
1560 # for (i = 0U; i < crypto_secretstream_xchacha20poly1305_INONCEBYTES; i++) {
1561 # new_key_and_inonce[crypto_stream_chacha20_ietf_KEYBYTES + i] =
1562 # STATE_INONCE(state)[i];
1563 # }
1564 $new_key_and_inonce .= ParagonIE_Sodium_Core32_Util::substR($st->getNonce(), 0, 8);
1565
1566 # crypto_stream_chacha20_ietf_xor(new_key_and_inonce, new_key_and_inonce,
1567 # sizeof new_key_and_inonce,
1568 # state->nonce, state->k);
1569
1570 $st->rekey(ParagonIE_Sodium_Core32_ChaCha20::ietfStreamXorIc(
1571 $new_key_and_inonce,
1572 $st->getCombinedNonce(),
1573 $st->getKey(),
1574 ParagonIE_Sodium_Core32_Util::store64_le(0)
1575 ));
1576
1577 # for (i = 0U; i < crypto_stream_chacha20_ietf_KEYBYTES; i++) {
1578 # state->k[i] = new_key_and_inonce[i];
1579 # }
1580 # for (i = 0U; i < crypto_secretstream_xchacha20poly1305_INONCEBYTES; i++) {
1581 # STATE_INONCE(state)[i] =
1582 # new_key_and_inonce[crypto_stream_chacha20_ietf_KEYBYTES + i];
1583 # }
1584 # _crypto_secretstream_xchacha20poly1305_counter_reset(state);
1585 $st->counterReset();
1586
1587 $state = $st->toString();
1588 }
1589
1590 /**
1591 * Detached Ed25519 signature.
1592 *
1593 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
1594 *
1595 * @param string $message
1596 * @param string $sk
1597 * @return string
1598 * @throws SodiumException
1599 * @throws TypeError
1600 */
1601 public static function sign_detached($message, $sk)
1602 {
1603 return ParagonIE_Sodium_Core32_Ed25519::sign_detached($message, $sk);
1604 }
1605
1606 /**
1607 * Attached Ed25519 signature. (Returns a signed message.)
1608 *
1609 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
1610 *
1611 * @param string $message
1612 * @param string $sk
1613 * @return string
1614 * @throws SodiumException
1615 * @throws TypeError
1616 */
1617 public static function sign($message, $sk)
1618 {
1619 return ParagonIE_Sodium_Core32_Ed25519::sign($message, $sk);
1620 }
1621
1622 /**
1623 * Opens a signed message. If valid, returns the message.
1624 *
1625 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
1626 *
1627 * @param string $signedMessage
1628 * @param string $pk
1629 * @return string
1630 * @throws SodiumException
1631 * @throws TypeError
1632 */
1633 public static function sign_open($signedMessage, $pk)
1634 {
1635 return ParagonIE_Sodium_Core32_Ed25519::sign_open($signedMessage, $pk);
1636 }
1637
1638 /**
1639 * Verify a detached signature of a given message and public key.
1640 *
1641 * @internal Do not use this directly. Use ParagonIE_Sodium_Compat.
1642 *
1643 * @param string $signature
1644 * @param string $message
1645 * @param string $pk
1646 * @return bool
1647 * @throws SodiumException
1648 * @throws TypeError
1649 */
1650 public static function sign_verify_detached($signature, $message, $pk)
1651 {
1652 return ParagonIE_Sodium_Core32_Ed25519::verify_detached($signature, $message, $pk);
1653 }
1654}
1655