صفحهٔ اصلی گشت‌و‌گذار راهنما
ثبت نام ورود
slambb
/
smart-bow-infrared
1
0
انشعاب 0
پرونده‌ها مشکلات 0 درخواست واکشی 0 ویکی
شاخه: NineAxisInfrared
شاخه‌ها تگ‌ها
smart-bow-infra...
/
Assets
/
ThirdAssets
/
Best HTTP (Pro)
/
BestHTTP
/
SecureProtocol
/
crypto
/
macs
/
Poly1305.cs

Poly1305.cs 10 KB
لینک دائمی تاريخچه خام

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297 
  1. #if !BESTHTTP_DISABLE_ALTERNATE_SSL && (!UNITY_WEBGL || UNITY_EDITOR)
    2. 

  2. #pragma warning disable
    3. 

  3. using System;
    4. 

  4. 

  5. using BestHTTP.SecureProtocol.Org.BouncyCastle.Crypto.Generators;
    6. 

  6. using BestHTTP.SecureProtocol.Org.BouncyCastle.Crypto.Parameters;
    7. 

  7. using BestHTTP.SecureProtocol.Org.BouncyCastle.Crypto.Utilities;
    8. 

  8. 

  9. namespace BestHTTP.SecureProtocol.Org.BouncyCastle.Crypto.Macs
    10. 

  10. {
    11. 

  11. 

  12.     /// <summary>
    13. 

  13.     /// Poly1305 message authentication code, designed by D. J. Bernstein.
    14. 

  14.     /// </summary>
    15. 

  15.     /// <remarks>
    16. 

  16.     /// Poly1305 computes a 128-bit (16 bytes) authenticator, using a 128 bit nonce and a 256 bit key
    17. 

  17.     /// consisting of a 128 bit key applied to an underlying cipher, and a 128 bit key (with 106
    18. 

  18.     /// effective key bits) used in the authenticator.
    19. 

  19.     /// 
    20. 

  20.     /// The polynomial calculation in this implementation is adapted from the public domain <a
    21. 

  21.     /// href="https://github.com/floodyberry/poly1305-donna">poly1305-donna-unrolled</a> C implementation
    22. 

  22.     /// by Andrew M (@floodyberry).
    23. 

  23.     /// </remarks>
    24. 

  24.     /// <seealso cref="BestHTTP.SecureProtocol.Org.BouncyCastle.Crypto.Generators.Poly1305KeyGenerator"/>
    25. 

  25.     public class Poly1305
    26. 

  26.         : IMac
    27. 

  27.     {
    28. 

  28.         private const int BlockSize = 16;
    29. 

  29. 

  30.         private readonly IBlockCipher cipher;
    31. 

  31. 

  32.         private readonly byte[] singleByte = new byte[1];
    33. 

  33. 

  34.         // Initialised state
    35. 

  35. 

  36.         /** Polynomial key */
    37. 

  37.         private uint r0, r1, r2, r3, r4;
    38. 

  38. 

  39.         /** Precomputed 5 * r[1..4] */
    40. 

  40.         private uint s1, s2, s3, s4;
    41. 

  41. 

  42.         /** Encrypted nonce */
    43. 

  43.         private uint k0, k1, k2, k3;
    44. 

  44. 

  45.         // Accumulating state
    46. 

  46. 

  47.         /** Current block of buffered input */
    48. 

  48.         private byte[] currentBlock = new byte[BlockSize];
    49. 

  49. 

  50.         /** Current offset in input buffer */
    51. 

  51.         private int currentBlockOffset = 0;
    52. 

  52. 

  53.         /** Polynomial accumulator */
    54. 

  54.         private uint h0, h1, h2, h3, h4;
    55. 

  55. 

  56.         /**
    57. 

  57.          * Constructs a Poly1305 MAC, where the key passed to init() will be used directly.
    58. 

  58.          */
    59. 

  59.         public Poly1305()
    60. 

  60.         {
    61. 

  61.             this.cipher = null;
    62. 

  62.         }
    63. 

  63. 

  64.         /**
    65. 

  65.          * Constructs a Poly1305 MAC, using a 128 bit block cipher.
    66. 

  66.          */
    67. 

  67.         public Poly1305(IBlockCipher cipher)
    68. 

  68.         {
    69. 

  69.             if (cipher.GetBlockSize() != BlockSize)
    70. 

  70.             {
    71. 

  71.                 throw new ArgumentException("Poly1305 requires a 128 bit block cipher.");
    72. 

  72.             }
    73. 

  73.             this.cipher = cipher;
    74. 

  74.         }
    75. 

  75. 

  76.         /// <summary>
    77. 

  77.         /// Initialises the Poly1305 MAC.
    78. 

  78.         /// </summary>
    79. 

  79.         /// <param name="parameters">a {@link ParametersWithIV} containing a 128 bit nonce and a {@link KeyParameter} with
    80. 

  80.         ///          a 256 bit key complying to the {@link Poly1305KeyGenerator Poly1305 key format}.</param>
    81. 

  81.         public void Init(ICipherParameters parameters)
    82. 

  82.         {
    83. 

  83.             byte[] nonce = null;
    84. 

  84. 

  85.             if (cipher != null)
    86. 

  86.             {
    87. 

  87.                 if (!(parameters is ParametersWithIV))
    88. 

  88.                     throw new ArgumentException("Poly1305 requires an IV when used with a block cipher.", "parameters");
    89. 

  89. 

  90.                 ParametersWithIV ivParams = (ParametersWithIV)parameters;
    91. 

  91.                 nonce = ivParams.GetIV();
    92. 

  92.                 parameters = ivParams.Parameters;
    93. 

  93.             }
    94. 

  94. 

  95.             if (!(parameters is KeyParameter))
    96. 

  96.                 throw new ArgumentException("Poly1305 requires a key.");
    97. 

  97. 

  98.             KeyParameter keyParams = (KeyParameter)parameters;
    99. 

  99. 

  100.             SetKey(keyParams.GetKey(), nonce);
    101. 

  101. 

  102.             Reset();
    103. 

  103.         }
    104. 

  104. 

  105.         private void SetKey(byte[] key, byte[] nonce)
    106. 

  106.         {
    107. 

  107.             if (key.Length != 32)
    108. 

  108.                 throw new ArgumentException("Poly1305 key must be 256 bits.");
    109. 

  109. 

  110.             if (cipher != null && (nonce == null || nonce.Length != BlockSize))
    111. 

  111.                 throw new ArgumentException("Poly1305 requires a 128 bit IV.");
    112. 

  112. 

  113.             // Extract r portion of key (and "clamp" the values)
    114. 

  114.             uint t0 = Pack.LE_To_UInt32(key, 0);
    115. 

  115.             uint t1 = Pack.LE_To_UInt32(key, 4);
    116. 

  116.             uint t2 = Pack.LE_To_UInt32(key, 8);
    117. 

  117.             uint t3 = Pack.LE_To_UInt32(key, 12);
    118. 

  118. 

  119.             // NOTE: The masks perform the key "clamping" implicitly
    120. 

  120.             r0 =   t0                      & 0x03FFFFFFU;
    121. 

  121.             r1 = ((t0 >> 26) | (t1 <<  6)) & 0x03FFFF03U;
    122. 

  122.             r2 = ((t1 >> 20) | (t2 << 12)) & 0x03FFC0FFU;
    123. 

  123.             r3 = ((t2 >> 14) | (t3 << 18)) & 0x03F03FFFU;
    124. 

  124.             r4 =  (t3 >>  8)               & 0x000FFFFFU;
    125. 

  125. 

  126.             // Precompute multipliers
    127. 

  127.             s1 = r1 * 5;
    128. 

  128.             s2 = r2 * 5;
    129. 

  129.             s3 = r3 * 5;
    130. 

  130.             s4 = r4 * 5;
    131. 

  131. 

  132.             byte[] kBytes;
    133. 

  133.             int kOff;
    134. 

  134. 

  135.             if (cipher == null)
    136. 

  136.             {
    137. 

  137.                 kBytes = key;
    138. 

  138.                 kOff = BlockSize;
    139. 

  139.             }
    140. 

  140.             else
    141. 

  141.             {
    142. 

  142.                 // Compute encrypted nonce
    143. 

  143.                 kBytes = new byte[BlockSize];
    144. 

  144.                 kOff = 0;
    145. 

  145. 

  146.                 cipher.Init(true, new KeyParameter(key, BlockSize, BlockSize));
    147. 

  147.                 cipher.ProcessBlock(nonce, 0, kBytes, 0);
    148. 

  148.             }
    149. 

  149. 

  150.             k0 = Pack.LE_To_UInt32(kBytes, kOff + 0);
    151. 

  151.             k1 = Pack.LE_To_UInt32(kBytes, kOff + 4);
    152. 

  152.             k2 = Pack.LE_To_UInt32(kBytes, kOff + 8);
    153. 

  153.             k3 = Pack.LE_To_UInt32(kBytes, kOff + 12);
    154. 

  154.         }
    155. 

  155. 

  156.         public string AlgorithmName
    157. 

  157.         {
    158. 

  158.             get { return cipher == null ? "Poly1305" : "Poly1305-" + cipher.AlgorithmName; }
    159. 

  159.         }
    160. 

  160. 

  161.         public int GetMacSize()
    162. 

  162.         {
    163. 

  163.             return BlockSize;
    164. 

  164.         }
    165. 

  165. 

  166.         public void Update(byte input)
    167. 

  167.         {
    168. 

  168.             singleByte[0] = input;
    169. 

  169.             BlockUpdate(singleByte, 0, 1);
    170. 

  170.         }
    171. 

  171. 

  172.         public void BlockUpdate(byte[] input, int inOff, int len)
    173. 

  173.         {
    174. 

  174.             int copied = 0;
    175. 

  175.             while (len > copied)
    176. 

  176.             {
    177. 

  177.                 if (currentBlockOffset == BlockSize)
    178. 

  178.                 {
    179. 

  179.                     ProcessBlock();
    180. 

  180.                     currentBlockOffset = 0;
    181. 

  181.                 }
    182. 

  182. 

  183.                 int toCopy = System.Math.Min((len - copied), BlockSize - currentBlockOffset);
    184. 

  184.                 Array.Copy(input, copied + inOff, currentBlock, currentBlockOffset, toCopy);
    185. 

  185.                 copied += toCopy;
    186. 

  186.                 currentBlockOffset += toCopy;
    187. 

  187.             }
    188. 

  188. 

  189.         }
    190. 

  190. 

  191.         private void ProcessBlock()
    192. 

  192.         {
    193. 

  193.             if (currentBlockOffset < BlockSize)
    194. 

  194.             {
    195. 

  195.                 currentBlock[currentBlockOffset] = 1;
    196. 

  196.                 for (int i = currentBlockOffset + 1; i < BlockSize; i++)
    197. 

  197.                 {
    198. 

  198.                     currentBlock[i] = 0;
    199. 

  199.                 }
    200. 

  200.             }
    201. 

  201. 

  202.             ulong t0 = Pack.LE_To_UInt32(currentBlock, 0);
    203. 

  203.             ulong t1 = Pack.LE_To_UInt32(currentBlock, 4);
    204. 

  204.             ulong t2 = Pack.LE_To_UInt32(currentBlock, 8);
    205. 

  205.             ulong t3 = Pack.LE_To_UInt32(currentBlock, 12);
    206. 

  206. 

  207.             h0 += (uint)(t0 & 0x3ffffffU);
    208. 

  208.             h1 += (uint)((((t1 << 32) | t0) >> 26) & 0x3ffffff);
    209. 

  209.             h2 += (uint)((((t2 << 32) | t1) >> 20) & 0x3ffffff);
    210. 

  210.             h3 += (uint)((((t3 << 32) | t2) >> 14) & 0x3ffffff);
    211. 

  211.             h4 += (uint)(t3 >> 8);
    212. 

  212. 

  213.             if (currentBlockOffset == BlockSize)
    214. 

  214.             {
    215. 

  215.                 h4 += (1 << 24);
    216. 

  216.             }
    217. 

  217. 

  218.             ulong tp0 = mul32x32_64(h0,r0) + mul32x32_64(h1,s4) + mul32x32_64(h2,s3) + mul32x32_64(h3,s2) + mul32x32_64(h4,s1);
    219. 

  219.             ulong tp1 = mul32x32_64(h0,r1) + mul32x32_64(h1,r0) + mul32x32_64(h2,s4) + mul32x32_64(h3,s3) + mul32x32_64(h4,s2);
    220. 

  220.             ulong tp2 = mul32x32_64(h0,r2) + mul32x32_64(h1,r1) + mul32x32_64(h2,r0) + mul32x32_64(h3,s4) + mul32x32_64(h4,s3);
    221. 

  221.             ulong tp3 = mul32x32_64(h0,r3) + mul32x32_64(h1,r2) + mul32x32_64(h2,r1) + mul32x32_64(h3,r0) + mul32x32_64(h4,s4);
    222. 

  222.             ulong tp4 = mul32x32_64(h0,r4) + mul32x32_64(h1,r3) + mul32x32_64(h2,r2) + mul32x32_64(h3,r1) + mul32x32_64(h4,r0);
    223. 

  223. 

  224.             h0 = (uint)tp0 & 0x3ffffff; tp1 += (tp0 >> 26);
    225. 

  225.             h1 = (uint)tp1 & 0x3ffffff; tp2 += (tp1 >> 26);
    226. 

  226.             h2 = (uint)tp2 & 0x3ffffff; tp3 += (tp2 >> 26);
    227. 

  227.             h3 = (uint)tp3 & 0x3ffffff; tp4 += (tp3 >> 26);
    228. 

  228.             h4 = (uint)tp4 & 0x3ffffff;
    229. 

  229.             h0 += (uint)(tp4 >> 26) * 5;
    230. 

  230.             h1 += (h0 >> 26); h0 &= 0x3ffffff;
    231. 

  231.         }
    232. 

  232. 

  233.         public int DoFinal(byte[] output, int outOff)
    234. 

  234.         {
    235. 

  235.             Check.DataLength(output, outOff, BlockSize, "Output buffer is too short.");
    236. 

  236. 

  237.             if (currentBlockOffset > 0)
    238. 

  238.             {
    239. 

  239.                 // Process padded block
    240. 

  240.                 ProcessBlock();
    241. 

  241.             }
    242. 

  242. 

  243.             h1 += (h0 >> 26); h0 &= 0x3ffffff;
    244. 

  244.             h2 += (h1 >> 26); h1 &= 0x3ffffff;
    245. 

  245.             h3 += (h2 >> 26); h2 &= 0x3ffffff;
    246. 

  246.             h4 += (h3 >> 26); h3 &= 0x3ffffff;
    247. 

  247.             h0 += (h4 >> 26) * 5; h4 &= 0x3ffffff;
    248. 

  248.             h1 += (h0 >> 26); h0 &= 0x3ffffff;
    249. 

  249. 

  250.             uint g0, g1, g2, g3, g4, b;
    251. 

  251.             g0 = h0 + 5; b = g0 >> 26; g0 &= 0x3ffffff;
    252. 

  252.             g1 = h1 + b; b = g1 >> 26; g1 &= 0x3ffffff;
    253. 

  253.             g2 = h2 + b; b = g2 >> 26; g2 &= 0x3ffffff;
    254. 

  254.             g3 = h3 + b; b = g3 >> 26; g3 &= 0x3ffffff;
    255. 

  255.             g4 = h4 + b - (1 << 26);
    256. 

  256. 

  257.             b = (g4 >> 31) - 1;
    258. 

  258.             uint nb = ~b;
    259. 

  259.             h0 = (h0 & nb) | (g0 & b);
    260. 

  260.             h1 = (h1 & nb) | (g1 & b);
    261. 

  261.             h2 = (h2 & nb) | (g2 & b);
    262. 

  262.             h3 = (h3 & nb) | (g3 & b);
    263. 

  263.             h4 = (h4 & nb) | (g4 & b);
    264. 

  264. 

  265.             ulong f0, f1, f2, f3;
    266. 

  266.             f0 = ((h0      ) | (h1 << 26)) + (ulong)k0;
    267. 

  267.             f1 = ((h1 >> 6 ) | (h2 << 20)) + (ulong)k1;
    268. 

  268.             f2 = ((h2 >> 12) | (h3 << 14)) + (ulong)k2;
    269. 

  269.             f3 = ((h3 >> 18) | (h4 << 8 )) + (ulong)k3;
    270. 

  270. 

  271.             Pack.UInt32_To_LE((uint)f0, output, outOff);
    272. 

  272.             f1 += (f0 >> 32);
    273. 

  273.             Pack.UInt32_To_LE((uint)f1, output, outOff + 4);
    274. 

  274.             f2 += (f1 >> 32);
    275. 

  275.             Pack.UInt32_To_LE((uint)f2, output, outOff + 8);
    276. 

  276.             f3 += (f2 >> 32);
    277. 

  277.             Pack.UInt32_To_LE((uint)f3, output, outOff + 12);
    278. 

  278. 

  279.             Reset();
    280. 

  280.             return BlockSize;
    281. 

  281.         }
    282. 

  282. 

  283.         public void Reset()
    284. 

  284.         {
    285. 

  285.             currentBlockOffset = 0;
    286. 

  286. 

  287.             h0 = h1 = h2 = h3 = h4 = 0;
    288. 

  288.         }
    289. 

  289. 

  290.         private static ulong mul32x32_64(uint i1, uint i2)
    291. 

  291.         {
    292. 

  292.             return ((ulong)i1) * i2;
    293. 

  293.         }
    294. 

  294.     }
    295. 

  295. }
    296. 

  296. #pragma warning restore
    297. 

  297. #endif
    298.