sshnet
diff --git a/‎THIRD-PARTY-NOTICES.TXT
Lines changed: 29 additions & 0 deletions b/‎THIRD-PARTY-NOTICES.TXT
Lines changed: 29 additions & 0 deletions
diff --git a/‎src/Renci.SshNet/Renci.SshNet.csproj
Lines changed: 64 additions & 1 deletion b/‎src/Renci.SshNet/Renci.SshNet.csproj
Lines changed: 64 additions & 1 deletion
diff --git a/‎src/Renci.SshNet/Security/Chaos.NaCl/CryptoBytes.cs
Lines changed: 190 additions & 0 deletions b/‎src/Renci.SshNet/Security/Chaos.NaCl/CryptoBytes.cs
Lines changed: 190 additions & 0 deletions
@@ -24,3 +24,32 @@ FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
 COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
 IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
 CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+License notice for Chaos.NaCl
+-------------------------------
+
+https://github.com/CodesInChaos/Chaos.NaCl
+
+Public domain
+
+C# port + code by Christian Winnerlein (CodesInChaos)
+
+Poly1305 in c
+        written by Andrew M. (floodyberry)
+        original license: MIT or PUBLIC DOMAIN
+        https://github.com/floodyberry/poly1305-donna/blob/master/poly1305-donna-unrolled.c
+
+Curve25519 and Ed25519 in c
+        written by Dan Bernstein (djb)
+        public domain
+        from Ref10 in SUPERCOP http://bench.cr.yp.to/supercop.html
+
+(H)Salsa20 in c
+        written by Dan Bernstein (djb)
+        public domain
+        from SUPERCOP http://bench.cr.yp.to/supercop.html
+
+SHA512
+        written by Christian Winnerlein (CodesInChaos)
+        public domain
+        directly from the specification
@@ -240,6 +240,67 @@
     <Compile Include="Security\BouncyCastle\util\Integers.cs" />
     <Compile Include="Security\BouncyCastle\util\MemoableResetException.cs" />
     <Compile Include="Security\BouncyCastle\util\Times.cs" />
+    <Compile Include="Security\Chaos.NaCl\CryptoBytes.cs" />
+    <Compile Include="Security\Chaos.NaCl\Ed25519.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Array16.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Array8.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\ByteIntegerConverter.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\base.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\base2.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\d.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\d2.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\fe_0.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\fe_1.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\fe_add.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\fe_cmov.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\fe_cswap.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\fe_frombytes.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\fe_invert.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\fe_isnegative.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\fe_isnonzero.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\fe_mul.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\fe_mul121666.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\fe_neg.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\fe_pow22523.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\fe_sq.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\fe_sq2.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\fe_sub.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\fe_tobytes.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\FieldElement.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_add.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_double_scalarmult.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_frombytes.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_madd.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_msub.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_p1p1_to_p2.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_p1p1_to_p3.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_p2_0.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_p2_dbl.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_p3_0.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_p3_dbl.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_p3_tobytes.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_p3_to_cached.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_p3_to_p2.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_precomp_0.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_scalarmult_base.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_sub.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\ge_tobytes.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\GroupElement.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\keypair.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\open.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\scalarmult.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\sc_clamp.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\sc_mul_add.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\sc_reduce.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\sign.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Ed25519Ref10\sqrtm1.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\InternalAssert.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Poly1305Donna.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Salsa\Salsa20.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Salsa\SalsaCore.cs" />
+    <Compile Include="Security\Chaos.NaCl\Internal\Sha512Internal.cs" />
+    <Compile Include="Security\Chaos.NaCl\MontgomeryCurve25519.cs" />
+    <Compile Include="Security\Chaos.NaCl\Sha512.cs" />
     <Compile Include="Security\Cryptography\HMACMD5.cs" />
     <Compile Include="Security\Cryptography\HMACSHA1.cs" />
     <Compile Include="Security\Cryptography\HMACSHA256.cs" />
@@ -540,6 +601,8 @@
   </ItemGroup>
   <ItemGroup>
     <Content Include="Documentation\SshNet.shfbproj" />
+    <Content Include="Security\Chaos.NaCl\Internal\Salsa\replace regex.txt" />
+    <Content Include="Security\Chaos.NaCl\License.txt" />
   </ItemGroup>
   <Import Project="$(MSBuildToolsPath)\Microsoft.CSharp.targets" />
   <!-- To modify your build process, add your task inside one of the targets below and uncomment it. 
@@ -549,4 +612,4 @@
   <Target Name="AfterBuild">
   </Target>
   -->
-</Project>
+</Project>
@@ -0,0 +1,190 @@
+using System;
+using System.Runtime.CompilerServices;
+
+namespace Renci.SshNet.Security.Chaos.NaCl
+{
+    internal static class CryptoBytes
+    {
+        internal static bool ConstantTimeEquals(byte[] x, byte[] y)
+        {
+            if (x == null)
+                throw new ArgumentNullException("x");
+            if (y == null)
+                throw new ArgumentNullException("y");
+            if (x.Length != y.Length)
+                throw new ArgumentException("x.Length must equal y.Length");
+            return InternalConstantTimeEquals(x, 0, y, 0, x.Length) != 0;
+        }
+
+        internal static bool ConstantTimeEquals(ArraySegment<byte> x, ArraySegment<byte> y)
+        {
+            if (x.Array == null)
+                throw new ArgumentNullException("x.Array");
+            if (y.Array == null)
+                throw new ArgumentNullException("y.Array");
+            if (x.Count != y.Count)
+                throw new ArgumentException("x.Count must equal y.Count");
+
+            return InternalConstantTimeEquals(x.Array, x.Offset, y.Array, y.Offset, x.Count) != 0;
+        }
+
+        internal static bool ConstantTimeEquals(byte[] x, int xOffset, byte[] y, int yOffset, int length)
+        {
+            if (x == null)
+                throw new ArgumentNullException("x");
+            if (xOffset < 0)
+                throw new ArgumentOutOfRangeException("xOffset", "xOffset < 0");
+            if (y == null)
+                throw new ArgumentNullException("y");
+            if (yOffset < 0)
+                throw new ArgumentOutOfRangeException("yOffset", "yOffset < 0");
+            if (length < 0)
+                throw new ArgumentOutOfRangeException("length", "length < 0");
+            if (x.Length - xOffset < length)
+                throw new ArgumentException("xOffset + length > x.Length");
+            if (y.Length - yOffset < length)
+                throw new ArgumentException("yOffset + length > y.Length");
+
+            return InternalConstantTimeEquals(x, xOffset, y, yOffset, length) != 0;
+        }
+
+        private static uint InternalConstantTimeEquals(byte[] x, int xOffset, byte[] y, int yOffset, int length)
+        {
+            int differentbits = 0;
+            for (int i = 0; i < length; i++)
+                differentbits |= x[xOffset + i] ^ y[yOffset + i];
+            return (1 & (unchecked((uint)differentbits - 1) >> 8));
+        }
+
+        internal static void Wipe(byte[] data)
+        {
+            if (data == null)
+                throw new ArgumentNullException("data");
+            InternalWipe(data, 0, data.Length);
+        }
+
+        internal static void Wipe(byte[] data, int offset, int count)
+        {
+            if (data == null)
+                throw new ArgumentNullException("data");
+            if (offset < 0)
+                throw new ArgumentOutOfRangeException("offset");
+            if (count < 0)
+                throw new ArgumentOutOfRangeException("count", "Requires count >= 0");
+            if ((uint)offset + (uint)count > (uint)data.Length)
+                throw new ArgumentException("Requires offset + count <= data.Length");
+            InternalWipe(data, offset, count);
+        }
+
+        internal static void Wipe(ArraySegment<byte> data)
+        {
+            if (data.Array == null)
+                throw new ArgumentNullException("data.Array");
+            InternalWipe(data.Array, data.Offset, data.Count);
+        }
+
+        // Secure wiping is hard
+        // * the GC can move around and copy memory
+        //   Perhaps this can be avoided by using unmanaged memory or by fixing the position of the array in memory
+        // * Swap files and error dumps can contain secret information
+        //   It seems possible to lock memory in RAM, no idea about error dumps
+        // * Compiler could optimize out the wiping if it knows that data won't be read back
+        //   I hope this is enough, suppressing inlining
+        //   but perhaps `RtlSecureZeroMemory` is needed
+        [MethodImpl(MethodImplOptions.NoInlining)]
+        internal static void InternalWipe(byte[] data, int offset, int count)
+        {
+            Array.Clear(data, offset, count);
+        }
+
+        // shallow wipe of structs
+        [MethodImpl(MethodImplOptions.NoInlining)]
+        internal static void InternalWipe<T>(ref T data)
+            where T : struct
+        {
+            data = default(T);
+        }
+
+        // constant time hex conversion
+        // see http://stackoverflow.com/a/14333437/445517
+        //
+        // An explanation of the weird bit fiddling:
+        //
+        // 1. `bytes[i] >> 4` extracts the high nibble of a byte  
+        //   `bytes[i] & 0xF` extracts the low nibble of a byte
+        // 2. `b - 10`  
+        //    is `< 0` for values `b < 10`, which will become a decimal digit  
+        //    is `>= 0` for values `b > 10`, which will become a letter from `A` to `F`.
+        // 3. Using `i >> 31` on a signed 32 bit integer extracts the sign, thanks to sign extension.
+        //    It will be `-1` for `i < 0` and `0` for `i >= 0`.
+        // 4. Combining 2) and 3), shows that `(b-10)>>31` will be `0` for letters and `-1` for digits.
+        // 5. Looking at the case for letters, the last summand becomes `0`, and `b` is in the range 10 to 15. We want to map it to `A`(65) to `F`(70), which implies adding 55 (`'A'-10`).
+        // 6. Looking at the case for digits, we want to adapt the last summand so it maps `b` from the range 0 to 9 to the range `0`(48) to `9`(57). This means it needs to become -7 (`'0' - 55`).  
+        // Now we could just multiply with 7. But since -1 is represented by all bits being 1, we can instead use `& -7` since `(0 & -7) == 0` and `(-1 & -7) == -7`.
+        //
+        // Some further considerations:
+        //
+        // * I didn't use a second loop variable to index into `c`, since measurement shows that calculating it from `i` is cheaper. 
+        // * Using exactly `i < bytes.Length` as upper bound of the loop allows the JITter to eliminate bounds checks on `bytes[i]`, so I chose that variant.
+        // * Making `b` an int avoids unnecessary conversions from and to byte.
+        internal static string ToHexStringUpper(byte[] data)
+        {
+            if (data == null)
+                return null;
+            char[] c = new char[data.Length * 2];
+            int b;
+            for (int i = 0; i < data.Length; i++)
+            {
+                b = data[i] >> 4;
+                c[i * 2] = (char)(55 + b + (((b - 10) >> 31) & -7));
+                b = data[i] & 0xF;
+                c[i * 2 + 1] = (char)(55 + b + (((b - 10) >> 31) & -7));
+            }
+            return new string(c);
+        }
+
+        // Explanation is similar to ToHexStringUpper
+        // constant 55 -> 87 and -7 -> -39 to compensate for the offset 32 between lowercase and uppercase letters
+        internal static string ToHexStringLower(byte[] data)
+        {
+            if (data == null)
+                return null;
+            char[] c = new char[data.Length * 2];
+            int b;
+            for (int i = 0; i < data.Length; i++)
+            {
+                b = data[i] >> 4;
+                c[i * 2] = (char)(87 + b + (((b - 10) >> 31) & -39));
+                b = data[i] & 0xF;
+                c[i * 2 + 1] = (char)(87 + b + (((b - 10) >> 31) & -39));
+            }
+            return new string(c);
+        }
+
+        internal static byte[] FromHexString(string hexString)
+        {
+            if (hexString == null)
+                return null;
+            if (hexString.Length % 2 != 0)
+                throw new FormatException("The hex string is invalid because it has an odd length");
+            var result = new byte[hexString.Length / 2];
+            for (int i = 0; i < result.Length; i++)
+                result[i] = Convert.ToByte(hexString.Substring(i * 2, 2), 16);
+            return result;
+        }
+
+        internal static string ToBase64String(byte[] data)
+        {
+            if (data == null)
+                return null;
+            return Convert.ToBase64String(data);
+        }
+
+        internal static byte[] FromBase64String(string s)
+        {
+            if (s == null)
+                return null;
+            return Convert.FromBase64String(s);
+        }
+    }
+}