add HSalsa20 implementation based on bouncy castle

crossbario · Feb 26, 2024 · 492a7f1 · 492a7f1
1 parent fbdd505
commit 492a7f1
Show file tree

Hide file tree

Showing 3 changed files with 65 additions and 148 deletions.
diff --git a/autobahn/src/main/java/xbr/network/crypto/HSalsa20.java b/autobahn/src/main/java/xbr/network/crypto/HSalsa20.java
@@ -0,0 +1,61 @@
+package xbr.network.crypto;
+
+import java.nio.charset.StandardCharsets;
+import org.bouncycastle.crypto.engines.Salsa20Engine;
+import org.bouncycastle.util.Pack;
+
+/** An implementation of the HSalsa20 hash based on the Bouncy Castle Salsa20 core. */
+class HSalsa20 {
+
+    private static final byte[] SIGMA = "expand 32-byte k".getBytes(StandardCharsets.US_ASCII);
+    private static final int SIGMA_0 = Pack.littleEndianToInt(SIGMA, 0);
+    private static final int SIGMA_4 = Pack.littleEndianToInt(SIGMA, 4);
+    private static final int SIGMA_8 = Pack.littleEndianToInt(SIGMA, 8);
+    private static final int SIGMA_12 = Pack.littleEndianToInt(SIGMA, 12);
+
+    static void hsalsa20(byte[] out, byte[] in, byte[] k) {
+        final int[] x = new int[16];
+
+        final int in0 = Pack.littleEndianToInt(in, 0);
+        final int in4 = Pack.littleEndianToInt(in, 4);
+        final int in8 = Pack.littleEndianToInt(in, 8);
+        final int in12 = Pack.littleEndianToInt(in, 12);
+
+        x[0] = SIGMA_0;
+        x[1] = Pack.littleEndianToInt(k, 0);
+        x[2] = Pack.littleEndianToInt(k, 4);
+        x[3] = Pack.littleEndianToInt(k, 8);
+        x[4] = Pack.littleEndianToInt(k, 12);
+        x[5] = SIGMA_4;
+        x[6] = in0;
+        x[7] = in4;
+        x[8] = in8;
+        x[9] = in12;
+        x[10] = SIGMA_8;
+        x[11] = Pack.littleEndianToInt(k, 16);
+        x[12] = Pack.littleEndianToInt(k, 20);
+        x[13] = Pack.littleEndianToInt(k, 24);
+        x[14] = Pack.littleEndianToInt(k, 28);
+        x[15] = SIGMA_12;
+
+        Salsa20Engine.salsaCore(20, x, x);
+
+        x[0] -= SIGMA_0;
+        x[5] -= SIGMA_4;
+        x[10] -= SIGMA_8;
+        x[15] -= SIGMA_12;
+        x[6] -= in0;
+        x[7] -= in4;
+        x[8] -= in8;
+        x[9] -= in12;
+
+        Pack.intToLittleEndian(x[0], out, 0);
+        Pack.intToLittleEndian(x[5], out, 4);
+        Pack.intToLittleEndian(x[10], out, 8);
+        Pack.intToLittleEndian(x[15], out, 12);
+        Pack.intToLittleEndian(x[6], out, 16);
+        Pack.intToLittleEndian(x[7], out, 20);
+        Pack.intToLittleEndian(x[8], out, 24);
+        Pack.intToLittleEndian(x[9], out, 28);
+    }
+}
diff --git a/autobahn/src/main/java/xbr/network/crypto/Salsa.java b/autobahn/src/main/java/xbr/network/crypto/Salsa.java
diff --git a/autobahn/src/main/java/xbr/network/crypto/SealedBox.java b/autobahn/src/main/java/xbr/network/crypto/SealedBox.java
@@ -83,8 +83,10 @@ public byte[] computeSharedSecret(byte[] publicKey, byte[] privateKey) {
         // compute the raw shared secret
         X25519.scalarMult(privateKey, 0, publicKey, 0, sharedSecret, 0);
         // encrypt the shared secret
-        byte[] nonce = new byte[32];
-        return Salsa.HSalsa20(nonce, sharedSecret, Salsa.SIGMA);
+        byte[] key = new byte[32];
+        byte[] HSALSA20_SEED = new byte[16];
+        HSalsa20.hsalsa20(key, HSALSA20_SEED, sharedSecret);
+        return key;
     }
 
     public byte[] decrypt(byte[] message) {