WordPoints /
wordpoints
| @@ 192-255 (lines=64) @@ | ||
| 189 | * @return string |
|
| 190 | * @throws Error |
|
| 191 | */ |
|
| 192 | public static function aead_chacha20poly1305_ietf_decrypt( |
|
| 193 | $message = '', |
|
| 194 | $ad = '', |
|
| 195 | $nonce = '', |
|
| 196 | $key = '' |
|
| 197 | ) { |
|
| 198 | /** @var int $adlen - Length of associated data */ |
|
| 199 | $adlen = ParagonIE_Sodium_Core_Util::strlen($ad); |
|
| 200 | ||
| 201 | /** @var int $len - Length of message (ciphertext + MAC) */ |
|
| 202 | $len = ParagonIE_Sodium_Core_Util::strlen($message); |
|
| 203 | ||
| 204 | /** @var int $clen - Length of ciphertext */ |
|
| 205 | $clen = $len - self::aead_chacha20poly1305_IETF_ABYTES; |
|
| 206 | ||
| 207 | /** @var string The first block of the chacha20 keystream, used as a poly1305 key */ |
|
| 208 | $block0 = ParagonIE_Sodium_Core_ChaCha20::ietfStream( |
|
| 209 | 32, |
|
| 210 | $nonce, |
|
| 211 | $key |
|
| 212 | ); |
|
| 213 | ||
| 214 | /** @var string $mac - Message authentication code */ |
|
| 215 | $mac = ParagonIE_Sodium_Core_Util::substr( |
|
| 216 | $message, |
|
| 217 | $len - self::aead_chacha20poly1305_IETF_ABYTES, |
|
| 218 | self::aead_chacha20poly1305_IETF_ABYTES |
|
| 219 | ); |
|
| 220 | ||
| 221 | /** @var string $ciphertext - The encrypted message (sans MAC) */ |
|
| 222 | $ciphertext = ParagonIE_Sodium_Core_Util::substr( |
|
| 223 | $message, |
|
| 224 | 0, |
|
| 225 | $len - self::aead_chacha20poly1305_IETF_ABYTES |
|
| 226 | ); |
|
| 227 | ||
| 228 | /* Recalculate the Poly1305 authentication tag (MAC): */ |
|
| 229 | $state = new ParagonIE_Sodium_Core_Poly1305_State($block0); |
|
| 230 | try { |
|
| 231 | ParagonIE_Sodium_Compat::memzero($block0); |
|
| 232 | } catch (Error $ex) { |
|
| 233 | $block0 = null; |
|
| 234 | } |
|
| 235 | $state->update($ad); |
|
| 236 | $state->update(str_repeat("\x00", ((0x10 - $adlen) & 0xf))); |
|
| 237 | $state->update($ciphertext); |
|
| 238 | $state->update(str_repeat("\x00", (0x10 - $clen) & 0xf)); |
|
| 239 | $state->update(ParagonIE_Sodium_Core_Util::store64_le($adlen)); |
|
| 240 | $state->update(ParagonIE_Sodium_Core_Util::store64_le($clen)); |
|
| 241 | $computed_mac = $state->finish(); |
|
| 242 | ||
| 243 | /* Compare the given MAC with the recalculated MAC: */ |
|
| 244 | if (!ParagonIE_Sodium_Core_Util::verify_16($computed_mac, $mac)) { |
|
| 245 | throw new Error('Invalid MAC'); |
|
| 246 | } |
|
| 247 | ||
| 248 | // Here, we know that the MAC is valid, so we decrypt and return the plaintext |
|
| 249 | return ParagonIE_Sodium_Core_ChaCha20::ietfStreamXorIc( |
|
| 250 | $ciphertext, |
|
| 251 | $nonce, |
|
| 252 | $key, |
|
| 253 | ParagonIE_Sodium_Core_Util::store64_le(1) |
|
| 254 | ); |
|
| 255 | } |
|
| 256 | ||
| 257 | /** |
|
| 258 | * AEAD Encryption with ChaCha20-Poly1305, IETF mode (96-bit nonce) |
|
| @@ 192-255 (lines=64) @@ | ||
| 189 | * @return string |
|
| 190 | * @throws Error |
|
| 191 | */ |
|
| 192 | public static function aead_chacha20poly1305_ietf_decrypt( |
|
| 193 | $message = '', |
|
| 194 | $ad = '', |
|
| 195 | $nonce = '', |
|
| 196 | $key = '' |
|
| 197 | ) { |
|
| 198 | /** @var int $adlen - Length of associated data */ |
|
| 199 | $adlen = ParagonIE_Sodium_Core32_Util::strlen($ad); |
|
| 200 | ||
| 201 | /** @var int $len - Length of message (ciphertext + MAC) */ |
|
| 202 | $len = ParagonIE_Sodium_Core32_Util::strlen($message); |
|
| 203 | ||
| 204 | /** @var int $clen - Length of ciphertext */ |
|
| 205 | $clen = $len - self::aead_chacha20poly1305_IETF_ABYTES; |
|
| 206 | ||
| 207 | /** @var string The first block of the chacha20 keystream, used as a poly1305 key */ |
|
| 208 | $block0 = ParagonIE_Sodium_Core32_ChaCha20::ietfStream( |
|
| 209 | 32, |
|
| 210 | $nonce, |
|
| 211 | $key |
|
| 212 | ); |
|
| 213 | ||
| 214 | /** @var string $mac - Message authentication code */ |
|
| 215 | $mac = ParagonIE_Sodium_Core32_Util::substr( |
|
| 216 | $message, |
|
| 217 | $len - self::aead_chacha20poly1305_IETF_ABYTES, |
|
| 218 | self::aead_chacha20poly1305_IETF_ABYTES |
|
| 219 | ); |
|
| 220 | ||
| 221 | /** @var string $ciphertext - The encrypted message (sans MAC) */ |
|
| 222 | $ciphertext = ParagonIE_Sodium_Core32_Util::substr( |
|
| 223 | $message, |
|
| 224 | 0, |
|
| 225 | $len - self::aead_chacha20poly1305_IETF_ABYTES |
|
| 226 | ); |
|
| 227 | ||
| 228 | /* Recalculate the Poly1305 authentication tag (MAC): */ |
|
| 229 | $state = new ParagonIE_Sodium_Core32_Poly1305_State($block0); |
|
| 230 | try { |
|
| 231 | ParagonIE_Sodium_Compat::memzero($block0); |
|
| 232 | } catch (Error $ex) { |
|
| 233 | $block0 = null; |
|
| 234 | } |
|
| 235 | $state->update($ad); |
|
| 236 | $state->update(str_repeat("\x00", ((0x10 - $adlen) & 0xf))); |
|
| 237 | $state->update($ciphertext); |
|
| 238 | $state->update(str_repeat("\x00", (0x10 - $clen) & 0xf)); |
|
| 239 | $state->update(ParagonIE_Sodium_Core32_Util::store64_le($adlen)); |
|
| 240 | $state->update(ParagonIE_Sodium_Core32_Util::store64_le($clen)); |
|
| 241 | $computed_mac = $state->finish(); |
|
| 242 | ||
| 243 | /* Compare the given MAC with the recalculated MAC: */ |
|
| 244 | if (!ParagonIE_Sodium_Core32_Util::verify_16($computed_mac, $mac)) { |
|
| 245 | throw new Error('Invalid MAC'); |
|
| 246 | } |
|
| 247 | ||
| 248 | // Here, we know that the MAC is valid, so we decrypt and return the plaintext |
|
| 249 | return ParagonIE_Sodium_Core32_ChaCha20::ietfStreamXorIc( |
|
| 250 | $ciphertext, |
|
| 251 | $nonce, |
|
| 252 | $key, |
|
| 253 | ParagonIE_Sodium_Core32_Util::store64_le(1) |
|
| 254 | ); |
|
| 255 | } |
|
| 256 | ||
| 257 | /** |
|
| 258 | * AEAD Encryption with ChaCha20-Poly1305, IETF mode (96-bit nonce) |
|
