mysql-net
diff --git a/‎src/MySqlConnector.Authentication.Ed25519/Chaos.NaCl/CryptoBytes.cs
Lines changed: 190 additions & 0 deletions b/‎src/MySqlConnector.Authentication.Ed25519/Chaos.NaCl/CryptoBytes.cs
Lines changed: 190 additions & 0 deletions
diff --git a/‎src/MySqlConnector.Authentication.Ed25519/Chaos.NaCl/Ed25519.cs
Lines changed: 112 additions & 0 deletions b/‎src/MySqlConnector.Authentication.Ed25519/Chaos.NaCl/Ed25519.cs
Lines changed: 112 additions & 0 deletions
diff --git a/‎src/MySqlConnector.Authentication.Ed25519/Chaos.NaCl/Internal/Array16.cs
Lines changed: 27 additions & 0 deletions b/‎src/MySqlConnector.Authentication.Ed25519/Chaos.NaCl/Internal/Array16.cs
Lines changed: 27 additions & 0 deletions
diff --git a/‎src/MySqlConnector.Authentication.Ed25519/Chaos.NaCl/Internal/Array8.cs
Lines changed: 18 additions & 0 deletions b/‎src/MySqlConnector.Authentication.Ed25519/Chaos.NaCl/Internal/Array8.cs
Lines changed: 18 additions & 0 deletions
@@ -0,0 +1,190 @@
+using System;
+using System.Runtime.CompilerServices;
+
+namespace Chaos.NaCl
+{
+	internal static class CryptoBytes
+	{
+		public static bool ConstantTimeEquals(byte[] x, byte[] y)
+		{
+			if (x == null)
+				throw new ArgumentNullException("x");
+			if (y == null)
+				throw new ArgumentNullException("y");
+			if (x.Length != y.Length)
+				throw new ArgumentException("x.Length must equal y.Length");
+			return InternalConstantTimeEquals(x, 0, y, 0, x.Length) != 0;
+		}
+
+		public static bool ConstantTimeEquals(ArraySegment<byte> x, ArraySegment<byte> y)
+		{
+			if (x.Array == null)
+				throw new ArgumentNullException("x.Array");
+			if (y.Array == null)
+				throw new ArgumentNullException("y.Array");
+			if (x.Count != y.Count)
+				throw new ArgumentException("x.Count must equal y.Count");
+
+			return InternalConstantTimeEquals(x.Array, x.Offset, y.Array, y.Offset, x.Count) != 0;
+		}
+
+		public static bool ConstantTimeEquals(byte[] x, int xOffset, byte[] y, int yOffset, int length)
+		{
+			if (x == null)
+				throw new ArgumentNullException("x");
+			if (xOffset < 0)
+				throw new ArgumentOutOfRangeException("xOffset", "xOffset < 0");
+			if (y == null)
+				throw new ArgumentNullException("y");
+			if (yOffset < 0)
+				throw new ArgumentOutOfRangeException("yOffset", "yOffset < 0");
+			if (length < 0)
+				throw new ArgumentOutOfRangeException("length", "length < 0");
+			if (x.Length - xOffset < length)
+				throw new ArgumentException("xOffset + length > x.Length");
+			if (y.Length - yOffset < length)
+				throw new ArgumentException("yOffset + length > y.Length");
+
+			return InternalConstantTimeEquals(x, xOffset, y, yOffset, length) != 0;
+		}
+
+		private static uint InternalConstantTimeEquals(byte[] x, int xOffset, byte[] y, int yOffset, int length)
+		{
+			int differentbits = 0;
+			for (int i = 0; i < length; i++)
+				differentbits |= x[xOffset + i] ^ y[yOffset + i];
+			return (1 & (unchecked((uint) differentbits - 1) >> 8));
+		}
+
+		public static void Wipe(byte[] data)
+		{
+			if (data == null)
+				throw new ArgumentNullException("data");
+			InternalWipe(data, 0, data.Length);
+		}
+
+		public static void Wipe(byte[] data, int offset, int count)
+		{
+			if (data == null)
+				throw new ArgumentNullException("data");
+			if (offset < 0)
+				throw new ArgumentOutOfRangeException("offset");
+			if (count < 0)
+				throw new ArgumentOutOfRangeException("count", "Requires count >= 0");
+			if ((uint) offset + (uint) count > (uint) data.Length)
+				throw new ArgumentException("Requires offset + count <= data.Length");
+			InternalWipe(data, offset, count);
+		}
+
+		public static void Wipe(ArraySegment<byte> data)
+		{
+			if (data.Array == null)
+				throw new ArgumentNullException("data.Array");
+			InternalWipe(data.Array, data.Offset, data.Count);
+		}
+
+		// Secure wiping is hard
+		// * the GC can move around and copy memory
+		//   Perhaps this can be avoided by using unmanaged memory or by fixing the position of the array in memory
+		// * Swap files and error dumps can contain secret information
+		//   It seems possible to lock memory in RAM, no idea about error dumps
+		// * Compiler could optimize out the wiping if it knows that data won't be read back
+		//   I hope this is enough, suppressing inlining
+		//   but perhaps `RtlSecureZeroMemory` is needed
+		[MethodImpl(MethodImplOptions.NoInlining)]
+		internal static void InternalWipe(byte[] data, int offset, int count)
+		{
+			Array.Clear(data, offset, count);
+		}
+
+		// shallow wipe of structs
+		[MethodImpl(MethodImplOptions.NoInlining)]
+		internal static void InternalWipe<T>(ref T data)
+			where T : struct
+		{
+			data = default(T);
+		}
+
+		// constant time hex conversion
+		// see http://stackoverflow.com/a/14333437/445517
+		//
+		// An explanation of the weird bit fiddling:
+		//
+		// 1. `bytes[i] >> 4` extracts the high nibble of a byte  
+		//   `bytes[i] & 0xF` extracts the low nibble of a byte
+		// 2. `b - 10`  
+		//    is `< 0` for values `b < 10`, which will become a decimal digit  
+		//    is `>= 0` for values `b > 10`, which will become a letter from `A` to `F`.
+		// 3. Using `i >> 31` on a signed 32 bit integer extracts the sign, thanks to sign extension.
+		//    It will be `-1` for `i < 0` and `0` for `i >= 0`.
+		// 4. Combining 2) and 3), shows that `(b-10)>>31` will be `0` for letters and `-1` for digits.
+		// 5. Looking at the case for letters, the last summand becomes `0`, and `b` is in the range 10 to 15. We want to map it to `A`(65) to `F`(70), which implies adding 55 (`'A'-10`).
+		// 6. Looking at the case for digits, we want to adapt the last summand so it maps `b` from the range 0 to 9 to the range `0`(48) to `9`(57). This means it needs to become -7 (`'0' - 55`).  
+		// Now we could just multiply with 7. But since -1 is represented by all bits being 1, we can instead use `& -7` since `(0 & -7) == 0` and `(-1 & -7) == -7`.
+		//
+		// Some further considerations:
+		//
+		// * I didn't use a second loop variable to index into `c`, since measurement shows that calculating it from `i` is cheaper. 
+		// * Using exactly `i < bytes.Length` as upper bound of the loop allows the JITter to eliminate bounds checks on `bytes[i]`, so I chose that variant.
+		// * Making `b` an int avoids unnecessary conversions from and to byte.
+		public static string ToHexStringUpper(byte[] data)
+		{
+			if (data == null)
+				return null;
+			char[] c = new char[data.Length * 2];
+			int b;
+			for (int i = 0; i < data.Length; i++)
+			{
+				b = data[i] >> 4;
+				c[i * 2] = (char) (55 + b + (((b - 10) >> 31) & -7));
+				b = data[i] & 0xF;
+				c[i * 2 + 1] = (char) (55 + b + (((b - 10) >> 31) & -7));
+			}
+			return new string(c);
+		}
+
+		// Explanation is similar to ToHexStringUpper
+		// constant 55 -> 87 and -7 -> -39 to compensate for the offset 32 between lowercase and uppercase letters
+		public static string ToHexStringLower(byte[] data)
+		{
+			if (data == null)
+				return null;
+			char[] c = new char[data.Length * 2];
+			int b;
+			for (int i = 0; i < data.Length; i++)
+			{
+				b = data[i] >> 4;
+				c[i * 2] = (char) (87 + b + (((b - 10) >> 31) & -39));
+				b = data[i] & 0xF;
+				c[i * 2 + 1] = (char) (87 + b + (((b - 10) >> 31) & -39));
+			}
+			return new string(c);
+		}
+
+		public static byte[] FromHexString(string hexString)
+		{
+			if (hexString == null)
+				return null;
+			if (hexString.Length % 2 != 0)
+				throw new FormatException("The hex string is invalid because it has an odd length");
+			var result = new byte[hexString.Length / 2];
+			for (int i = 0; i < result.Length; i++)
+				result[i] = Convert.ToByte(hexString.Substring(i * 2, 2), 16);
+			return result;
+		}
+
+		public static string ToBase64String(byte[] data)
+		{
+			if (data == null)
+				return null;
+			return Convert.ToBase64String(data);
+		}
+
+		public static byte[] FromBase64String(string s)
+		{
+			if (s == null)
+				return null;
+			return Convert.FromBase64String(s);
+		}
+	}
+}
@@ -0,0 +1,112 @@
+using System;
+using System.Security.Cryptography;
+using Chaos.NaCl.Internal.Ed25519Ref10;
+
+namespace Chaos.NaCl
+{
+	internal static class Ed25519
+	{
+		public static readonly int PublicKeySizeInBytes = 32;
+		public static readonly int SignatureSizeInBytes = 64;
+		public static readonly int ExpandedPrivateKeySizeInBytes = 32 * 2;
+		public static readonly int PrivateKeySeedSizeInBytes = 32;
+		public static readonly int SharedKeySizeInBytes = 32;
+
+		public static bool Verify(ArraySegment<byte> signature, ArraySegment<byte> message, ArraySegment<byte> publicKey)
+		{
+			if (signature.Count != SignatureSizeInBytes)
+				throw new ArgumentException(string.Format("Signature size must be {0}", SignatureSizeInBytes), "signature.Count");
+			if (publicKey.Count != PublicKeySizeInBytes)
+				throw new ArgumentException(string.Format("Public key size must be {0}", PublicKeySizeInBytes), "publicKey.Count");
+			return Ed25519Operations.crypto_sign_verify(signature.Array, signature.Offset, message.Array, message.Offset, message.Count, publicKey.Array, publicKey.Offset);
+		}
+
+		public static bool Verify(byte[] signature, byte[] message, byte[] publicKey)
+		{
+			if (signature == null)
+				throw new ArgumentNullException("signature");
+			if (message == null)
+				throw new ArgumentNullException("message");
+			if (publicKey == null)
+				throw new ArgumentNullException("publicKey");
+			if (signature.Length != SignatureSizeInBytes)
+				throw new ArgumentException(string.Format("Signature size must be {0}", SignatureSizeInBytes), "signature.Length");
+			if (publicKey.Length != PublicKeySizeInBytes)
+				throw new ArgumentException(string.Format("Public key size must be {0}", PublicKeySizeInBytes), "publicKey.Length");
+			return Ed25519Operations.crypto_sign_verify(signature, 0, message, 0, message.Length, publicKey, 0);
+		}
+
+		public static void Sign(ArraySegment<byte> signature, ArraySegment<byte> message, ArraySegment<byte> expandedPrivateKey)
+		{
+			if (signature.Array == null)
+				throw new ArgumentNullException("signature.Array");
+			if (signature.Count != SignatureSizeInBytes)
+				throw new ArgumentException("signature.Count");
+			if (expandedPrivateKey.Array == null)
+				throw new ArgumentNullException("expandedPrivateKey.Array");
+			if (expandedPrivateKey.Count != ExpandedPrivateKeySizeInBytes)
+				throw new ArgumentException("expandedPrivateKey.Count");
+			if (message.Array == null)
+				throw new ArgumentNullException("message.Array");
+			Ed25519Operations.crypto_sign2(signature.Array, signature.Offset, message.Array, message.Offset, message.Count, expandedPrivateKey.Array, expandedPrivateKey.Offset);
+		}
+
+		public static byte[] Sign(byte[] message, byte[] expandedPrivateKey)
+		{
+			var signature = new byte[SignatureSizeInBytes];
+			Sign(new ArraySegment<byte>(signature), new ArraySegment<byte>(message), new ArraySegment<byte>(expandedPrivateKey));
+			return signature;
+		}
+
+		public static byte[] PublicKeyFromSeed(byte[] privateKeySeed)
+		{
+			byte[] privateKey;
+			byte[] publicKey;
+			KeyPairFromSeed(out publicKey, out privateKey, privateKeySeed);
+			CryptoBytes.Wipe(privateKey);
+			return publicKey;
+		}
+
+		public static byte[] ExpandedPrivateKeyFromSeed(byte[] privateKeySeed)
+		{
+			byte[] privateKey;
+			byte[] publicKey;
+			KeyPairFromSeed(out publicKey, out privateKey, privateKeySeed);
+			CryptoBytes.Wipe(publicKey);
+			return privateKey;
+		}
+		
+		public static void KeyPairFromSeed(out byte[] publicKey, out byte[] expandedPrivateKey, byte[] privateKeySeed)
+		{
+			if (privateKeySeed == null)
+				throw new ArgumentNullException("privateKeySeed");
+			if (privateKeySeed.Length != PrivateKeySeedSizeInBytes)
+				throw new ArgumentException("privateKeySeed");
+			var pk = new byte[PublicKeySizeInBytes];
+			var sk = new byte[ExpandedPrivateKeySizeInBytes];
+			Ed25519Operations.crypto_sign_keypair(pk, 0, sk, 0, privateKeySeed, 0);
+			publicKey = pk;
+			expandedPrivateKey = sk;
+		}
+
+		public static void KeyPairFromSeed(ArraySegment<byte> publicKey, ArraySegment<byte> expandedPrivateKey, ArraySegment<byte> privateKeySeed)
+		{
+			if (publicKey.Array == null)
+				throw new ArgumentNullException("publicKey.Array");
+			if (expandedPrivateKey.Array == null)
+				throw new ArgumentNullException("expandedPrivateKey.Array");
+			if (privateKeySeed.Array == null)
+				throw new ArgumentNullException("privateKeySeed.Array");
+			if (publicKey.Count != PublicKeySizeInBytes)
+				throw new ArgumentException("publicKey.Count");
+			if (expandedPrivateKey.Count != ExpandedPrivateKeySizeInBytes)
+				throw new ArgumentException("expandedPrivateKey.Count");
+			if (privateKeySeed.Count != PrivateKeySeedSizeInBytes)
+				throw new ArgumentException("privateKeySeed.Count");
+			Ed25519Operations.crypto_sign_keypair(
+				publicKey.Array, publicKey.Offset,
+				expandedPrivateKey.Array, expandedPrivateKey.Offset,
+				privateKeySeed.Array, privateKeySeed.Offset);
+		}
+	}
+}
@@ -0,0 +1,27 @@
+using System;
+using System.Collections.Generic;
+
+namespace Chaos.NaCl.Internal
+{
+	// Array16<UInt32> Salsa20 state
+	// Array16<UInt64> SHA-512 block
+	internal struct Array16<T>
+	{
+		public T x0;
+		public T x1;
+		public T x2;
+		public T x3;
+		public T x4;
+		public T x5;
+		public T x6;
+		public T x7;
+		public T x8;
+		public T x9;
+		public T x10;
+		public T x11;
+		public T x12;
+		public T x13;
+		public T x14;
+		public T x15;
+	}
+}
@@ -0,0 +1,18 @@
+using System;
+
+namespace Chaos.NaCl.Internal
+{
+	// Array8<UInt32> Poly1305 key
+	// Array8<UInt64> SHA-512 state/output
+	internal struct Array8<T>
+	{
+		public T x0;
+		public T x1;
+		public T x2;
+		public T x3;
+		public T x4;
+		public T x5;
+		public T x6;
+		public T x7;
+	}
+}