From 8e97510fd2be67a634e9c43e42f9c964e5f53ec2 Mon Sep 17 00:00:00 2001 From: Styris Date: Tue, 26 Nov 2024 15:35:19 -0800 Subject: [PATCH] Update keygen --- .gitignore | 1 + src/Jumper.sln | 6 + src/Jumper.sln.DotSettings.user | 11 - src/Jumper/Jumper.csproj | 5 +- src/SshNet.Keygen/Chaos.NaCl/CryptoBytes.cs | 190 +++ src/SshNet.Keygen/Chaos.NaCl/Ed25519.cs | 147 ++ .../Chaos.NaCl/Internal/Array16.cs | 27 + .../Chaos.NaCl/Internal/Array8.cs | 18 + .../Internal/ByteIntegerConverter.cs | 416 +++++ .../Internal/Ed25519Ref10/FieldElement.cs | 36 + .../Internal/Ed25519Ref10/GroupElement.cs | 63 + .../Chaos.NaCl/Internal/Ed25519Ref10/base.cs | 1357 +++++++++++++++++ .../Chaos.NaCl/Internal/Ed25519Ref10/base2.cs | 50 + .../Chaos.NaCl/Internal/Ed25519Ref10/d.cs | 9 + .../Chaos.NaCl/Internal/Ed25519Ref10/d2.cs | 9 + .../Chaos.NaCl/Internal/Ed25519Ref10/fe_0.cs | 12 + .../Chaos.NaCl/Internal/Ed25519Ref10/fe_1.cs | 13 + .../Internal/Ed25519Ref10/fe_add.cs | 63 + .../Internal/Ed25519Ref10/fe_cmov.cs | 70 + .../Internal/Ed25519Ref10/fe_cswap.cs | 78 + .../Internal/Ed25519Ref10/fe_frombytes.cs | 122 ++ .../Internal/Ed25519Ref10/fe_invert.cs | 179 +++ .../Internal/Ed25519Ref10/fe_isnegative.cs | 22 + .../Internal/Ed25519Ref10/fe_isnonzero.cs | 37 + .../Internal/Ed25519Ref10/fe_mul.cs | 258 ++++ .../Internal/Ed25519Ref10/fe_mul121666.cs | 76 + .../Internal/Ed25519Ref10/fe_neg.cs | 50 + .../Internal/Ed25519Ref10/fe_pow22523.cs | 175 +++ .../Chaos.NaCl/Internal/Ed25519Ref10/fe_sq.cs | 153 ++ .../Internal/Ed25519Ref10/fe_sq2.cs | 164 ++ .../Internal/Ed25519Ref10/fe_sub.cs | 63 + .../Internal/Ed25519Ref10/fe_tobytes.cs | 154 ++ .../Internal/Ed25519Ref10/ge_add.cs | 113 ++ .../Ed25519Ref10/ge_double_scalarmult.cs | 118 ++ .../Internal/Ed25519Ref10/ge_frombytes.cs | 54 + .../Internal/Ed25519Ref10/ge_madd.cs | 105 ++ .../Internal/Ed25519Ref10/ge_msub.cs | 104 ++ .../Internal/Ed25519Ref10/ge_p1p1_to_p2.cs | 18 + .../Internal/Ed25519Ref10/ge_p1p1_to_p3.cs | 18 + .../Internal/Ed25519Ref10/ge_p2_0.cs | 14 + .../Internal/Ed25519Ref10/ge_p2_dbl.cs | 90 ++ .../Internal/Ed25519Ref10/ge_p3_0.cs | 15 + .../Internal/Ed25519Ref10/ge_p3_dbl.cs | 17 + .../Internal/Ed25519Ref10/ge_p3_to_cached.cs | 18 + .../Internal/Ed25519Ref10/ge_p3_to_p2.cs | 17 + .../Internal/Ed25519Ref10/ge_p3_tobytes.cs | 20 + .../Internal/Ed25519Ref10/ge_precomp_0.cs | 14 + .../Ed25519Ref10/ge_scalarmult_base.cs | 113 ++ .../Internal/Ed25519Ref10/ge_sub.cs | 114 ++ .../Internal/Ed25519Ref10/ge_tobytes.cs | 20 + .../Internal/Ed25519Ref10/keypair.cs | 23 + .../Chaos.NaCl/Internal/Ed25519Ref10/open.cs | 80 + .../Internal/Ed25519Ref10/sc_clamp.cs | 14 + .../Internal/Ed25519Ref10/sc_mul_add.cs | 374 +++++ .../Internal/Ed25519Ref10/sc_reduce.cs | 263 ++++ .../Internal/Ed25519Ref10/scalarmult.cs | 205 +++ .../Chaos.NaCl/Internal/Ed25519Ref10/sign.cs | 81 + .../Internal/Ed25519Ref10/sqrtm1.cs | 9 + .../Chaos.NaCl/Internal/InternalAssert.cs | 13 + .../Chaos.NaCl/Internal/Poly1305Donna.cs | 154 ++ .../Chaos.NaCl/Internal/Salsa/Salsa20.cs | 45 + .../Chaos.NaCl/Internal/Salsa/SalsaCore.cs | 263 ++++ .../Internal/Salsa/replace regex.txt | 2 + .../Chaos.NaCl/Internal/Sha512Internal.cs | 447 ++++++ .../Chaos.NaCl/MontgomeryCurve25519.cs | 142 ++ src/SshNet.Keygen/Chaos.NaCl/OneTimeAuth.cs | 19 + src/SshNet.Keygen/Chaos.NaCl/Poly1305.cs | 97 ++ src/SshNet.Keygen/Chaos.NaCl/Sha512.cs | 132 ++ .../Chaos.NaCl/XSalsa20Poly1305.cs | 247 +++ .../Extensions/BinaryWriterExtension.cs | 56 + src/SshNet.Keygen/Extensions/ByteExtension.cs | 32 + .../Extensions/EcdsaExtension.cs | 61 + src/SshNet.Keygen/Extensions/KeyExtension.cs | 329 ++++ .../Extensions/PrivateKeyFileExtension.cs | 122 ++ .../Extensions/StringExtension.cs | 17 + src/SshNet.Keygen/GeneratedPrivateKey.cs | 32 + src/SshNet.Keygen/SshKey.cs | 150 ++ src/SshNet.Keygen/SshKeyEncryption/Bcrypt.cs | 956 ++++++++++++ .../SshKeyEncryption/ISshKeyEncryption.cs | 27 + .../SshKeyEncryption/PuttyV3Encryption.cs | 26 + .../SshKeyEncryptionAes256.cs | 185 +++ .../SshKeyEncryptionAlgorithm.cs | 84 + .../SshKeyEncryption/SshKeyEncryptionNone.cs | 49 + src/SshNet.Keygen/SshKeyFormat.cs | 9 + src/SshNet.Keygen/SshKeyGenerateInfo.cs | 54 + src/SshNet.Keygen/SshKeyType.cs | 9 + src/SshNet.Keygen/SshNet.Keygen.csproj | 45 + 87 files changed, 9857 insertions(+), 12 deletions(-) delete mode 100644 src/Jumper.sln.DotSettings.user create mode 100644 src/SshNet.Keygen/Chaos.NaCl/CryptoBytes.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Ed25519.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Array16.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Array8.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/ByteIntegerConverter.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/FieldElement.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/GroupElement.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/base.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/base2.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/d.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/d2.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_0.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_1.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_add.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_cmov.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_cswap.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_frombytes.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_invert.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_isnegative.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_isnonzero.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_mul.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_mul121666.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_neg.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_pow22523.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_sq.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_sq2.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_sub.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_tobytes.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_add.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_double_scalarmult.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_frombytes.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_madd.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_msub.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_p1p1_to_p2.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_p1p1_to_p3.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_p2_0.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_p2_dbl.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_p3_0.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_p3_dbl.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_p3_to_cached.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_p3_to_p2.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_p3_tobytes.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_precomp_0.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_scalarmult_base.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_sub.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_tobytes.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/keypair.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/open.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/sc_clamp.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/sc_mul_add.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/sc_reduce.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/scalarmult.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/sign.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/sqrtm1.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/InternalAssert.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Poly1305Donna.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Salsa/Salsa20.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Salsa/SalsaCore.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Salsa/replace regex.txt create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Internal/Sha512Internal.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/MontgomeryCurve25519.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/OneTimeAuth.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Poly1305.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/Sha512.cs create mode 100644 src/SshNet.Keygen/Chaos.NaCl/XSalsa20Poly1305.cs create mode 100644 src/SshNet.Keygen/Extensions/BinaryWriterExtension.cs create mode 100644 src/SshNet.Keygen/Extensions/ByteExtension.cs create mode 100644 src/SshNet.Keygen/Extensions/EcdsaExtension.cs create mode 100644 src/SshNet.Keygen/Extensions/KeyExtension.cs create mode 100644 src/SshNet.Keygen/Extensions/PrivateKeyFileExtension.cs create mode 100644 src/SshNet.Keygen/Extensions/StringExtension.cs create mode 100644 src/SshNet.Keygen/GeneratedPrivateKey.cs create mode 100644 src/SshNet.Keygen/SshKey.cs create mode 100644 src/SshNet.Keygen/SshKeyEncryption/Bcrypt.cs create mode 100644 src/SshNet.Keygen/SshKeyEncryption/ISshKeyEncryption.cs create mode 100644 src/SshNet.Keygen/SshKeyEncryption/PuttyV3Encryption.cs create mode 100644 src/SshNet.Keygen/SshKeyEncryption/SshKeyEncryptionAes256.cs create mode 100644 src/SshNet.Keygen/SshKeyEncryption/SshKeyEncryptionAlgorithm.cs create mode 100644 src/SshNet.Keygen/SshKeyEncryption/SshKeyEncryptionNone.cs create mode 100644 src/SshNet.Keygen/SshKeyFormat.cs create mode 100644 src/SshNet.Keygen/SshKeyGenerateInfo.cs create mode 100644 src/SshNet.Keygen/SshKeyType.cs create mode 100644 src/SshNet.Keygen/SshNet.Keygen.csproj diff --git a/.gitignore b/.gitignore index 52d26ef..67d65f7 100644 --- a/.gitignore +++ b/.gitignore @@ -3,3 +3,4 @@ obj bin !Packaging/DPKG/usr/bin ppa-private-key.asc +*.DotSettings.user \ No newline at end of file diff --git a/src/Jumper.sln b/src/Jumper.sln index 73717f4..c9c05c6 100644 --- a/src/Jumper.sln +++ b/src/Jumper.sln @@ -6,6 +6,8 @@ Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PostInstallScript", "PostIn EndProject Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "PostRemoveScript", "PostRemoveScript\PostRemoveScript.csproj", "{4071FA63-3C60-49C9-BE4D-487C8C1041F1}" EndProject +Project("{FAE04EC0-301F-11D3-BF4B-00C04F79EFBC}") = "SshNet.Keygen", "SshNet.Keygen\SshNet.Keygen.csproj", "{6A2CC913-DE7D-40E2-AB18-BAC59CE16181}" +EndProject Global GlobalSection(SolutionConfigurationPlatforms) = preSolution Debug|x64 = Debug|x64 @@ -24,5 +26,9 @@ Global {4071FA63-3C60-49C9-BE4D-487C8C1041F1}.Debug|x64.Build.0 = Debug|Any CPU {4071FA63-3C60-49C9-BE4D-487C8C1041F1}.Release|x64.ActiveCfg = Release|Any CPU {4071FA63-3C60-49C9-BE4D-487C8C1041F1}.Release|x64.Build.0 = Release|Any CPU + {6A2CC913-DE7D-40E2-AB18-BAC59CE16181}.Debug|x64.ActiveCfg = Debug|Any CPU + {6A2CC913-DE7D-40E2-AB18-BAC59CE16181}.Debug|x64.Build.0 = Debug|Any CPU + {6A2CC913-DE7D-40E2-AB18-BAC59CE16181}.Release|x64.ActiveCfg = Release|Any CPU + {6A2CC913-DE7D-40E2-AB18-BAC59CE16181}.Release|x64.Build.0 = Release|Any CPU EndGlobalSection EndGlobal diff --git a/src/Jumper.sln.DotSettings.user b/src/Jumper.sln.DotSettings.user deleted file mode 100644 index 4b037be..0000000 --- a/src/Jumper.sln.DotSettings.user +++ /dev/null @@ -1,11 +0,0 @@ - - ForceIncluded - ForceIncluded - ForceIncluded - ForceIncluded - ForceIncluded - ForceIncluded - ForceIncluded - <AssemblyExplorer> - <Assembly Path="C:\Users\Styris\.nuget\packages\konscious.security.cryptography.argon2\1.3.0\lib\net6.0\Konscious.Security.Cryptography.Argon2.dll" /> -</AssemblyExplorer> \ No newline at end of file diff --git a/src/Jumper/Jumper.csproj b/src/Jumper/Jumper.csproj index 46e373c..b4aece1 100644 --- a/src/Jumper/Jumper.csproj +++ b/src/Jumper/Jumper.csproj @@ -33,7 +33,6 @@ - @@ -56,4 +55,8 @@ + + + + diff --git a/src/SshNet.Keygen/Chaos.NaCl/CryptoBytes.cs b/src/SshNet.Keygen/Chaos.NaCl/CryptoBytes.cs new file mode 100644 index 0000000..477576d --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/CryptoBytes.cs @@ -0,0 +1,190 @@ +using System; +using System.Runtime.CompilerServices; + +namespace Chaos.NaCl +{ + public static class CryptoBytes + { + public static bool ConstantTimeEquals(byte[] x, byte[] y) + { + if (x == null) + throw new ArgumentNullException("x"); + if (y == null) + throw new ArgumentNullException("y"); + if (x.Length != y.Length) + throw new ArgumentException("x.Length must equal y.Length"); + return InternalConstantTimeEquals(x, 0, y, 0, x.Length) != 0; + } + + public static bool ConstantTimeEquals(ArraySegment x, ArraySegment y) + { + if (x.Array == null) + throw new ArgumentNullException("x.Array"); + if (y.Array == null) + throw new ArgumentNullException("y.Array"); + if (x.Count != y.Count) + throw new ArgumentException("x.Count must equal y.Count"); + + return InternalConstantTimeEquals(x.Array, x.Offset, y.Array, y.Offset, x.Count) != 0; + } + + public static bool ConstantTimeEquals(byte[] x, int xOffset, byte[] y, int yOffset, int length) + { + if (x == null) + throw new ArgumentNullException("x"); + if (xOffset < 0) + throw new ArgumentOutOfRangeException("xOffset", "xOffset < 0"); + if (y == null) + throw new ArgumentNullException("y"); + if (yOffset < 0) + throw new ArgumentOutOfRangeException("yOffset", "yOffset < 0"); + if (length < 0) + throw new ArgumentOutOfRangeException("length", "length < 0"); + if (x.Length - xOffset < length) + throw new ArgumentException("xOffset + length > x.Length"); + if (y.Length - yOffset < length) + throw new ArgumentException("yOffset + length > y.Length"); + + return InternalConstantTimeEquals(x, xOffset, y, yOffset, length) != 0; + } + + private static uint InternalConstantTimeEquals(byte[] x, int xOffset, byte[] y, int yOffset, int length) + { + int differentbits = 0; + for (int i = 0; i < length; i++) + differentbits |= x[xOffset + i] ^ y[yOffset + i]; + return (1 & (unchecked((uint)differentbits - 1) >> 8)); + } + + public static void Wipe(byte[] data) + { + if (data == null) + throw new ArgumentNullException("data"); + InternalWipe(data, 0, data.Length); + } + + public static void Wipe(byte[] data, int offset, int count) + { + if (data == null) + throw new ArgumentNullException("data"); + if (offset < 0) + throw new ArgumentOutOfRangeException("offset"); + if (count < 0) + throw new ArgumentOutOfRangeException("count", "Requires count >= 0"); + if ((uint)offset + (uint)count > (uint)data.Length) + throw new ArgumentException("Requires offset + count <= data.Length"); + InternalWipe(data, offset, count); + } + + public static void Wipe(ArraySegment data) + { + if (data.Array == null) + throw new ArgumentNullException("data.Array"); + InternalWipe(data.Array, data.Offset, data.Count); + } + + // Secure wiping is hard + // * the GC can move around and copy memory + // Perhaps this can be avoided by using unmanaged memory or by fixing the position of the array in memory + // * Swap files and error dumps can contain secret information + // It seems possible to lock memory in RAM, no idea about error dumps + // * Compiler could optimize out the wiping if it knows that data won't be read back + // I hope this is enough, suppressing inlining + // but perhaps `RtlSecureZeroMemory` is needed + [MethodImpl(MethodImplOptions.NoInlining)] + internal static void InternalWipe(byte[] data, int offset, int count) + { + Array.Clear(data, offset, count); + } + + // shallow wipe of structs + [MethodImpl(MethodImplOptions.NoInlining)] + internal static void InternalWipe(ref T data) + where T : struct + { + data = default(T); + } + + // constant time hex conversion + // see http://stackoverflow.com/a/14333437/445517 + // + // An explanation of the weird bit fiddling: + // + // 1. `bytes[i] >> 4` extracts the high nibble of a byte + // `bytes[i] & 0xF` extracts the low nibble of a byte + // 2. `b - 10` + // is `< 0` for values `b < 10`, which will become a decimal digit + // is `>= 0` for values `b > 10`, which will become a letter from `A` to `F`. + // 3. Using `i >> 31` on a signed 32 bit integer extracts the sign, thanks to sign extension. + // It will be `-1` for `i < 0` and `0` for `i >= 0`. + // 4. Combining 2) and 3), shows that `(b-10)>>31` will be `0` for letters and `-1` for digits. + // 5. Looking at the case for letters, the last summand becomes `0`, and `b` is in the range 10 to 15. We want to map it to `A`(65) to `F`(70), which implies adding 55 (`'A'-10`). + // 6. Looking at the case for digits, we want to adapt the last summand so it maps `b` from the range 0 to 9 to the range `0`(48) to `9`(57). This means it needs to become -7 (`'0' - 55`). + // Now we could just multiply with 7. But since -1 is represented by all bits being 1, we can instead use `& -7` since `(0 & -7) == 0` and `(-1 & -7) == -7`. + // + // Some further considerations: + // + // * I didn't use a second loop variable to index into `c`, since measurement shows that calculating it from `i` is cheaper. + // * Using exactly `i < bytes.Length` as upper bound of the loop allows the JITter to eliminate bounds checks on `bytes[i]`, so I chose that variant. + // * Making `b` an int avoids unnecessary conversions from and to byte. + public static string ToHexStringUpper(byte[] data) + { + if (data == null) + return null; + char[] c = new char[data.Length * 2]; + int b; + for (int i = 0; i < data.Length; i++) + { + b = data[i] >> 4; + c[i * 2] = (char)(55 + b + (((b - 10) >> 31) & -7)); + b = data[i] & 0xF; + c[i * 2 + 1] = (char)(55 + b + (((b - 10) >> 31) & -7)); + } + return new string(c); + } + + // Explanation is similar to ToHexStringUpper + // constant 55 -> 87 and -7 -> -39 to compensate for the offset 32 between lowercase and uppercase letters + public static string ToHexStringLower(byte[] data) + { + if (data == null) + return null; + char[] c = new char[data.Length * 2]; + int b; + for (int i = 0; i < data.Length; i++) + { + b = data[i] >> 4; + c[i * 2] = (char)(87 + b + (((b - 10) >> 31) & -39)); + b = data[i] & 0xF; + c[i * 2 + 1] = (char)(87 + b + (((b - 10) >> 31) & -39)); + } + return new string(c); + } + + public static byte[] FromHexString(string hexString) + { + if (hexString == null) + return null; + if (hexString.Length % 2 != 0) + throw new FormatException("The hex string is invalid because it has an odd length"); + var result = new byte[hexString.Length / 2]; + for (int i = 0; i < result.Length; i++) + result[i] = Convert.ToByte(hexString.Substring(i * 2, 2), 16); + return result; + } + + public static string ToBase64String(byte[] data) + { + if (data == null) + return null; + return Convert.ToBase64String(data); + } + + public static byte[] FromBase64String(string s) + { + if (s == null) + return null; + return Convert.FromBase64String(s); + } + } +} diff --git a/src/SshNet.Keygen/Chaos.NaCl/Ed25519.cs b/src/SshNet.Keygen/Chaos.NaCl/Ed25519.cs new file mode 100644 index 0000000..451be28 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Ed25519.cs @@ -0,0 +1,147 @@ +using System; +using Chaos.NaCl.Internal.Ed25519Ref10; + +namespace Chaos.NaCl +{ + public static class Ed25519 + { + public static readonly int PublicKeySizeInBytes = 32; + public static readonly int SignatureSizeInBytes = 64; + public static readonly int ExpandedPrivateKeySizeInBytes = 32 * 2; + public static readonly int PrivateKeySeedSizeInBytes = 32; + public static readonly int SharedKeySizeInBytes = 32; + + public static bool Verify(ArraySegment signature, ArraySegment message, ArraySegment publicKey) + { + if (signature.Count != SignatureSizeInBytes) + throw new ArgumentException(string.Format("Signature size must be {0}", SignatureSizeInBytes), "signature.Count"); + if (publicKey.Count != PublicKeySizeInBytes) + throw new ArgumentException(string.Format("Public key size must be {0}", PublicKeySizeInBytes), "publicKey.Count"); + return Ed25519Operations.crypto_sign_verify(signature.Array, signature.Offset, message.Array, message.Offset, message.Count, publicKey.Array, publicKey.Offset); + } + + public static bool Verify(byte[] signature, byte[] message, byte[] publicKey) + { + if (signature == null) + throw new ArgumentNullException("signature"); + if (message == null) + throw new ArgumentNullException("message"); + if (publicKey == null) + throw new ArgumentNullException("publicKey"); + if (signature.Length != SignatureSizeInBytes) + throw new ArgumentException(string.Format("Signature size must be {0}", SignatureSizeInBytes), "signature.Length"); + if (publicKey.Length != PublicKeySizeInBytes) + throw new ArgumentException(string.Format("Public key size must be {0}", PublicKeySizeInBytes), "publicKey.Length"); + return Ed25519Operations.crypto_sign_verify(signature, 0, message, 0, message.Length, publicKey, 0); + } + + public static void Sign(ArraySegment signature, ArraySegment message, ArraySegment expandedPrivateKey) + { + if (signature.Array == null) + throw new ArgumentNullException("signature.Array"); + if (signature.Count != SignatureSizeInBytes) + throw new ArgumentException("signature.Count"); + if (expandedPrivateKey.Array == null) + throw new ArgumentNullException("expandedPrivateKey.Array"); + if (expandedPrivateKey.Count != ExpandedPrivateKeySizeInBytes) + throw new ArgumentException("expandedPrivateKey.Count"); + if (message.Array == null) + throw new ArgumentNullException("message.Array"); + Ed25519Operations.crypto_sign2(signature.Array, signature.Offset, message.Array, message.Offset, message.Count, expandedPrivateKey.Array, expandedPrivateKey.Offset); + } + + public static byte[] Sign(byte[] message, byte[] expandedPrivateKey) + { + var signature = new byte[SignatureSizeInBytes]; + Sign(new ArraySegment(signature), new ArraySegment(message), new ArraySegment(expandedPrivateKey)); + return signature; + } + + public static byte[] PublicKeyFromSeed(byte[] privateKeySeed) + { + byte[] privateKey; + byte[] publicKey; + KeyPairFromSeed(out publicKey, out privateKey, privateKeySeed); + CryptoBytes.Wipe(privateKey); + return publicKey; + } + + public static byte[] ExpandedPrivateKeyFromSeed(byte[] privateKeySeed) + { + byte[] privateKey; + byte[] publicKey; + KeyPairFromSeed(out publicKey, out privateKey, privateKeySeed); + CryptoBytes.Wipe(publicKey); + return privateKey; + } + + public static void KeyPairFromSeed(out byte[] publicKey, out byte[] expandedPrivateKey, byte[] privateKeySeed) + { + if (privateKeySeed == null) + throw new ArgumentNullException("privateKeySeed"); + if (privateKeySeed.Length != PrivateKeySeedSizeInBytes) + throw new ArgumentException("privateKeySeed"); + var pk = new byte[PublicKeySizeInBytes]; + var sk = new byte[ExpandedPrivateKeySizeInBytes]; + Ed25519Operations.crypto_sign_keypair(pk, 0, sk, 0, privateKeySeed, 0); + publicKey = pk; + expandedPrivateKey = sk; + } + + public static void KeyPairFromSeed(ArraySegment publicKey, ArraySegment expandedPrivateKey, ArraySegment privateKeySeed) + { + if (publicKey.Array == null) + throw new ArgumentNullException("publicKey.Array"); + if (expandedPrivateKey.Array == null) + throw new ArgumentNullException("expandedPrivateKey.Array"); + if (privateKeySeed.Array == null) + throw new ArgumentNullException("privateKeySeed.Array"); + if (publicKey.Count != PublicKeySizeInBytes) + throw new ArgumentException("publicKey.Count"); + if (expandedPrivateKey.Count != ExpandedPrivateKeySizeInBytes) + throw new ArgumentException("expandedPrivateKey.Count"); + if (privateKeySeed.Count != PrivateKeySeedSizeInBytes) + throw new ArgumentException("privateKeySeed.Count"); + Ed25519Operations.crypto_sign_keypair( + publicKey.Array, publicKey.Offset, + expandedPrivateKey.Array, expandedPrivateKey.Offset, + privateKeySeed.Array, privateKeySeed.Offset); + } + + [Obsolete("Needs more testing")] + public static byte[] KeyExchange(byte[] publicKey, byte[] privateKey) + { + var sharedKey = new byte[SharedKeySizeInBytes]; + KeyExchange(new ArraySegment(sharedKey), new ArraySegment(publicKey), new ArraySegment(privateKey)); + return sharedKey; + } + + [Obsolete("Needs more testing")] + public static void KeyExchange(ArraySegment sharedKey, ArraySegment publicKey, ArraySegment privateKey) + { + if (sharedKey.Array == null) + throw new ArgumentNullException("sharedKey.Array"); + if (publicKey.Array == null) + throw new ArgumentNullException("publicKey.Array"); + if (privateKey.Array == null) + throw new ArgumentNullException("privateKey"); + if (sharedKey.Count != 32) + throw new ArgumentException("sharedKey.Count != 32"); + if (publicKey.Count != 32) + throw new ArgumentException("publicKey.Count != 32"); + if (privateKey.Count != 64) + throw new ArgumentException("privateKey.Count != 64"); + + FieldElement montgomeryX, edwardsY, edwardsZ, sharedMontgomeryX; + FieldOperations.fe_frombytes(out edwardsY, publicKey.Array, publicKey.Offset); + FieldOperations.fe_1(out edwardsZ); + MontgomeryCurve25519.EdwardsToMontgomeryX(out montgomeryX, ref edwardsY, ref edwardsZ); + byte[] h = Sha512.Hash(privateKey.Array, privateKey.Offset, 32);//ToDo: Remove alloc + ScalarOperations.sc_clamp(h, 0); + MontgomeryOperations.scalarmult(out sharedMontgomeryX, h, 0, ref montgomeryX); + CryptoBytes.Wipe(h); + FieldOperations.fe_tobytes(sharedKey.Array, sharedKey.Offset, ref sharedMontgomeryX); + MontgomeryCurve25519.KeyExchangeOutputHashNaCl(sharedKey.Array, sharedKey.Offset); + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Array16.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Array16.cs new file mode 100644 index 0000000..082bf06 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Array16.cs @@ -0,0 +1,27 @@ +using System; +using System.Collections.Generic; + +namespace Chaos.NaCl.Internal +{ + // Array16 Salsa20 state + // Array16 SHA-512 block + internal struct Array16 + { + public T x0; + public T x1; + public T x2; + public T x3; + public T x4; + public T x5; + public T x6; + public T x7; + public T x8; + public T x9; + public T x10; + public T x11; + public T x12; + public T x13; + public T x14; + public T x15; + } +} diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Array8.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Array8.cs new file mode 100644 index 0000000..f3bc50d --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Array8.cs @@ -0,0 +1,18 @@ +using System; + +namespace Chaos.NaCl.Internal +{ + // Array8 Poly1305 key + // Array8 SHA-512 state/output + internal struct Array8 + { + public T x0; + public T x1; + public T x2; + public T x3; + public T x4; + public T x5; + public T x6; + public T x7; + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/ByteIntegerConverter.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/ByteIntegerConverter.cs new file mode 100644 index 0000000..c90aa5b --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/ByteIntegerConverter.cs @@ -0,0 +1,416 @@ +using System; +using System.Collections.Generic; + +namespace Chaos.NaCl.Internal +{ + // Loops? Arrays? Never heard of that stuff + // Library avoids unnecessary heap allocations and unsafe code + // so this ugly code becomes necessary :( + internal static class ByteIntegerConverter + { + #region Individual + + public static UInt32 LoadLittleEndian32(byte[] buf, int offset) + { + return + (UInt32)(buf[offset + 0]) + | (((UInt32)(buf[offset + 1])) << 8) + | (((UInt32)(buf[offset + 2])) << 16) + | (((UInt32)(buf[offset + 3])) << 24); + } + + public static void StoreLittleEndian32(byte[] buf, int offset, UInt32 value) + { + buf[offset + 0] = unchecked((byte)value); + buf[offset + 1] = unchecked((byte)(value >> 8)); + buf[offset + 2] = unchecked((byte)(value >> 16)); + buf[offset + 3] = unchecked((byte)(value >> 24)); + } + + public static UInt64 LoadBigEndian64(byte[] buf, int offset) + { + return + (UInt64)(buf[offset + 7]) + | (((UInt64)(buf[offset + 6])) << 8) + | (((UInt64)(buf[offset + 5])) << 16) + | (((UInt64)(buf[offset + 4])) << 24) + | (((UInt64)(buf[offset + 3])) << 32) + | (((UInt64)(buf[offset + 2])) << 40) + | (((UInt64)(buf[offset + 1])) << 48) + | (((UInt64)(buf[offset + 0])) << 56); + } + + public static void StoreBigEndian64(byte[] buf, int offset, UInt64 value) + { + buf[offset + 7] = unchecked((byte)value); + buf[offset + 6] = unchecked((byte)(value >> 8)); + buf[offset + 5] = unchecked((byte)(value >> 16)); + buf[offset + 4] = unchecked((byte)(value >> 24)); + buf[offset + 3] = unchecked((byte)(value >> 32)); + buf[offset + 2] = unchecked((byte)(value >> 40)); + buf[offset + 1] = unchecked((byte)(value >> 48)); + buf[offset + 0] = unchecked((byte)(value >> 56)); + } + + /*public static void XorLittleEndian32(byte[] buf, int offset, UInt32 value) + { + buf[offset + 0] ^= (byte)value; + buf[offset + 1] ^= (byte)(value >> 8); + buf[offset + 2] ^= (byte)(value >> 16); + buf[offset + 3] ^= (byte)(value >> 24); + }*/ + + /*public static void XorLittleEndian32(byte[] output, int outputOffset, byte[] input, int inputOffset, UInt32 value) + { + output[outputOffset + 0] = (byte)(input[inputOffset + 0] ^ value); + output[outputOffset + 1] = (byte)(input[inputOffset + 1] ^ (value >> 8)); + output[outputOffset + 2] = (byte)(input[inputOffset + 2] ^ (value >> 16)); + output[outputOffset + 3] = (byte)(input[inputOffset + 3] ^ (value >> 24)); + }*/ + + #endregion + + #region Array8 + + public static void Array8LoadLittleEndian32(out Array8 output, byte[] input, int inputOffset) + { + output.x0 = LoadLittleEndian32(input, inputOffset + 0); + output.x1 = LoadLittleEndian32(input, inputOffset + 4); + output.x2 = LoadLittleEndian32(input, inputOffset + 8); + output.x3 = LoadLittleEndian32(input, inputOffset + 12); + output.x4 = LoadLittleEndian32(input, inputOffset + 16); + output.x5 = LoadLittleEndian32(input, inputOffset + 20); + output.x6 = LoadLittleEndian32(input, inputOffset + 24); + output.x7 = LoadLittleEndian32(input, inputOffset + 28); + } + + /* public static void Array8LoadLittleEndian32(out Array8 output, byte[] input, int inputOffset, int inputLength) + { + #if DEBUG + if (inputLength <= 0) + throw new ArgumentException(); + #endif + int inputEnd = inputOffset + inputLength; + UInt32 highestInt; + switch (inputLength & 3) + { + case 1: + highestInt = input[inputEnd - 1]; + break; + case 2: + highestInt = (uint)( + (input[inputEnd - 1] << 8) | + (input[inputEnd - 2])); + break; + case 3: + highestInt = (uint)( + (input[inputEnd - 1] << 16) | + (input[inputEnd - 2] << 8) | + (input[inputEnd - 3])); + break; + case 0: + highestInt = (uint)( + (input[inputEnd - 1] << 24) | + (input[inputEnd - 2] << 16) | + (input[inputEnd - 3] << 8) | + (input[inputEnd - 4])); + break; + default: + throw new InvalidOperationException(); + } + switch ((inputLength - 1) >> 2) + { + case 7: + output.x7 = highestInt; + output.x6 = LoadLittleEndian32(input, inputOffset + 6 * 4); + output.x5 = LoadLittleEndian32(input, inputOffset + 5 * 4); + output.x4 = LoadLittleEndian32(input, inputOffset + 4 * 4); + output.x3 = LoadLittleEndian32(input, inputOffset + 3 * 4); + output.x2 = LoadLittleEndian32(input, inputOffset + 2 * 4); + output.x1 = LoadLittleEndian32(input, inputOffset + 1 * 4); + output.x0 = LoadLittleEndian32(input, inputOffset + 0 * 4); + return; + case 6: + output.x7 = 0; + output.x6 = highestInt; + output.x5 = LoadLittleEndian32(input, inputOffset + 5 * 4); + output.x4 = LoadLittleEndian32(input, inputOffset + 4 * 4); + output.x3 = LoadLittleEndian32(input, inputOffset + 3 * 4); + output.x2 = LoadLittleEndian32(input, inputOffset + 2 * 4); + output.x1 = LoadLittleEndian32(input, inputOffset + 1 * 4); + output.x0 = LoadLittleEndian32(input, inputOffset + 0 * 4); + return; + case 5: + output.x7 = 0; + output.x6 = 0; + output.x5 = highestInt; + output.x4 = LoadLittleEndian32(input, inputOffset + 4 * 4); + output.x3 = LoadLittleEndian32(input, inputOffset + 3 * 4); + output.x2 = LoadLittleEndian32(input, inputOffset + 2 * 4); + output.x1 = LoadLittleEndian32(input, inputOffset + 1 * 4); + output.x0 = LoadLittleEndian32(input, inputOffset + 0 * 4); + return; + case 4: + output.x7 = 0; + output.x6 = 0; + output.x5 = 0; + output.x4 = highestInt; + output.x3 = LoadLittleEndian32(input, inputOffset + 3 * 4); + output.x2 = LoadLittleEndian32(input, inputOffset + 2 * 4); + output.x1 = LoadLittleEndian32(input, inputOffset + 1 * 4); + output.x0 = LoadLittleEndian32(input, inputOffset + 0 * 4); + return; + case 3: + output.x7 = 0; + output.x6 = 0; + output.x5 = 0; + output.x4 = 0; + output.x3 = highestInt; + output.x2 = LoadLittleEndian32(input, inputOffset + 2 * 4); + output.x1 = LoadLittleEndian32(input, inputOffset + 1 * 4); + output.x0 = LoadLittleEndian32(input, inputOffset + 0 * 4); + return; + case 2: + output.x7 = 0; + output.x6 = 0; + output.x5 = 0; + output.x4 = 0; + output.x3 = 0; + output.x2 = highestInt; + output.x1 = LoadLittleEndian32(input, inputOffset + 1 * 4); + output.x0 = LoadLittleEndian32(input, inputOffset + 0 * 4); + return; + case 1: + output.x7 = 0; + output.x6 = 0; + output.x5 = 0; + output.x4 = 0; + output.x3 = 0; + output.x2 = 0; + output.x1 = highestInt; + output.x0 = LoadLittleEndian32(input, inputOffset + 0 * 4); + return; + case 0: + output.x7 = 0; + output.x6 = 0; + output.x5 = 0; + output.x4 = 0; + output.x3 = 0; + output.x2 = 0; + output.x1 = 0; + output.x0 = highestInt; + return; + default: + throw new InvalidOperationException(); + } + }*/ + + /*public static void Array8XorLittleEndian(byte[] output, int outputOffset, byte[] input, int inputOffset, ref Array8 keyStream, int length) + { +#if DEBUG + InternalAssert(length > 0); +#endif + int outputEnd = outputOffset + length; + UInt32 highestInt; + switch ((length - 1) >> 2) + { + case 7: + highestInt = keyStream.x7; + XorLittleEndian32(output, outputOffset + 6 * 4, input, inputOffset + 6 * 4, keyStream.x6); + XorLittleEndian32(output, outputOffset + 5 * 4, input, inputOffset + 6 * 4, keyStream.x5); + XorLittleEndian32(output, outputOffset + 4 * 4, input, inputOffset + 6 * 4, keyStream.x4); + XorLittleEndian32(output, outputOffset + 3 * 4, input, inputOffset + 6 * 4, keyStream.x3); + XorLittleEndian32(output, outputOffset + 2 * 4, input, inputOffset + 6 * 4, keyStream.x2); + XorLittleEndian32(output, outputOffset + 1 * 4, input, inputOffset + 6 * 4, keyStream.x1); + XorLittleEndian32(output, outputOffset + 0 * 4, input, inputOffset + 6 * 4, keyStream.x0); + break; + case 6: + highestInt = keyStream.x6; + XorLittleEndian32(output, outputOffset + 5 * 4, input, inputOffset + 6 * 4, keyStream.x5); + XorLittleEndian32(output, outputOffset + 4 * 4, input, inputOffset + 6 * 4, keyStream.x4); + XorLittleEndian32(output, outputOffset + 3 * 4, input, inputOffset + 6 * 4, keyStream.x3); + XorLittleEndian32(output, outputOffset + 2 * 4, input, inputOffset + 6 * 4, keyStream.x2); + XorLittleEndian32(output, outputOffset + 1 * 4, input, inputOffset + 6 * 4, keyStream.x1); + XorLittleEndian32(output, outputOffset + 0 * 4, input, inputOffset + 6 * 4, keyStream.x0); + break; + case 5: + highestInt = keyStream.x5; + XorLittleEndian32(output, outputOffset + 4 * 4, input, inputOffset + 6 * 4, keyStream.x4); + XorLittleEndian32(output, outputOffset + 3 * 4, input, inputOffset + 6 * 4, keyStream.x3); + XorLittleEndian32(output, outputOffset + 2 * 4, input, inputOffset + 6 * 4, keyStream.x2); + XorLittleEndian32(output, outputOffset + 1 * 4, input, inputOffset + 6 * 4, keyStream.x1); + XorLittleEndian32(output, outputOffset + 0 * 4, input, inputOffset + 6 * 4, keyStream.x0); + break; + case 4: + highestInt = keyStream.x4; + XorLittleEndian32(output, outputOffset + 3 * 4, input, inputOffset + 6 * 4, keyStream.x3); + XorLittleEndian32(output, outputOffset + 2 * 4, input, inputOffset + 6 * 4, keyStream.x2); + XorLittleEndian32(output, outputOffset + 1 * 4, input, inputOffset + 6 * 4, keyStream.x1); + XorLittleEndian32(output, outputOffset + 0 * 4, input, inputOffset + 6 * 4, keyStream.x0); + break; + case 3: + highestInt = keyStream.x3; + XorLittleEndian32(output, outputOffset + 2 * 4, input, inputOffset + 6 * 4, keyStream.x2); + XorLittleEndian32(output, outputOffset + 1 * 4, input, inputOffset + 6 * 4, keyStream.x1); + XorLittleEndian32(output, outputOffset + 0 * 4, input, inputOffset + 6 * 4, keyStream.x0); + break; + case 2: + highestInt = keyStream.x2; + XorLittleEndian32(output, outputOffset + 1 * 4, input, inputOffset + 6 * 4, keyStream.x1); + XorLittleEndian32(output, outputOffset + 0 * 4, input, inputOffset + 6 * 4, keyStream.x0); + break; + case 1: + highestInt = keyStream.x1; + XorLittleEndian32(output, outputOffset + 0 * 4, input, inputOffset + 6 * 4, keyStream.x0); + break; + case 0: + highestInt = keyStream.x0; + break; + default: + throw new InvalidOperationException(); + } + switch (length & 3) + { + case 1: + output[outputEnd - 1] ^= (byte)highestInt; + break; + case 2: + output[outputEnd - 1] ^= (byte)(highestInt >> 8); + output[outputEnd - 2] ^= (byte)highestInt; + break; + case 3: + output[outputEnd - 1] ^= (byte)(highestInt >> 16); + output[outputEnd - 2] ^= (byte)(highestInt >> 8); + output[outputEnd - 3] ^= (byte)highestInt; + break; + case 0: + output[outputEnd - 1] ^= (byte)(highestInt >> 24); + output[outputEnd - 2] ^= (byte)(highestInt >> 16); + output[outputEnd - 3] ^= (byte)(highestInt >> 8); + output[outputEnd - 4] ^= (byte)highestInt; + break; + default: + throw new InvalidOperationException(); + } + }*/ + + /*public static void Array8StoreLittleEndian32(byte[] output, int outputOffset, ref Array8 input) + { + StoreLittleEndian32(output, outputOffset + 0, input.x0); + StoreLittleEndian32(output, outputOffset + 4, input.x1); + StoreLittleEndian32(output, outputOffset + 8, input.x2); + StoreLittleEndian32(output, outputOffset + 12, input.x3); + StoreLittleEndian32(output, outputOffset + 16, input.x4); + StoreLittleEndian32(output, outputOffset + 20, input.x5); + StoreLittleEndian32(output, outputOffset + 24, input.x6); + StoreLittleEndian32(output, outputOffset + 28, input.x7); + }*/ + #endregion + + public static void Array16LoadBigEndian64(out Array16 output, byte[] input, int inputOffset) + { + output.x0 = LoadBigEndian64(input, inputOffset + 0); + output.x1 = LoadBigEndian64(input, inputOffset + 8); + output.x2 = LoadBigEndian64(input, inputOffset + 16); + output.x3 = LoadBigEndian64(input, inputOffset + 24); + output.x4 = LoadBigEndian64(input, inputOffset + 32); + output.x5 = LoadBigEndian64(input, inputOffset + 40); + output.x6 = LoadBigEndian64(input, inputOffset + 48); + output.x7 = LoadBigEndian64(input, inputOffset + 56); + output.x8 = LoadBigEndian64(input, inputOffset + 64); + output.x9 = LoadBigEndian64(input, inputOffset + 72); + output.x10 = LoadBigEndian64(input, inputOffset + 80); + output.x11 = LoadBigEndian64(input, inputOffset + 88); + output.x12 = LoadBigEndian64(input, inputOffset + 96); + output.x13 = LoadBigEndian64(input, inputOffset + 104); + output.x14 = LoadBigEndian64(input, inputOffset + 112); + output.x15 = LoadBigEndian64(input, inputOffset + 120); + } + + // ToDo: Only used in tests. Remove? + public static void Array16LoadLittleEndian32(out Array16 output, byte[] input, int inputOffset) + { + output.x0 = LoadLittleEndian32(input, inputOffset + 0); + output.x1 = LoadLittleEndian32(input, inputOffset + 4); + output.x2 = LoadLittleEndian32(input, inputOffset + 8); + output.x3 = LoadLittleEndian32(input, inputOffset + 12); + output.x4 = LoadLittleEndian32(input, inputOffset + 16); + output.x5 = LoadLittleEndian32(input, inputOffset + 20); + output.x6 = LoadLittleEndian32(input, inputOffset + 24); + output.x7 = LoadLittleEndian32(input, inputOffset + 28); + output.x8 = LoadLittleEndian32(input, inputOffset + 32); + output.x9 = LoadLittleEndian32(input, inputOffset + 36); + output.x10 = LoadLittleEndian32(input, inputOffset + 40); + output.x11 = LoadLittleEndian32(input, inputOffset + 44); + output.x12 = LoadLittleEndian32(input, inputOffset + 48); + output.x13 = LoadLittleEndian32(input, inputOffset + 52); + output.x14 = LoadLittleEndian32(input, inputOffset + 56); + output.x15 = LoadLittleEndian32(input, inputOffset + 60); + } + + /*public static void Array16LoadLittleEndian32(out Array16 output, byte[] input, int inputOffset, int inputLength) + { + Array8 temp; + if (inputLength > 32) + { + output.x0 = LoadLittleEndian32(input, inputOffset + 0); + output.x1 = LoadLittleEndian32(input, inputOffset + 4); + output.x2 = LoadLittleEndian32(input, inputOffset + 8); + output.x3 = LoadLittleEndian32(input, inputOffset + 12); + output.x4 = LoadLittleEndian32(input, inputOffset + 16); + output.x5 = LoadLittleEndian32(input, inputOffset + 20); + output.x6 = LoadLittleEndian32(input, inputOffset + 24); + output.x7 = LoadLittleEndian32(input, inputOffset + 28); + Array8LoadLittleEndian32(out temp, input, inputOffset + 32, inputLength - 32); + output.x8 = temp.x0; + output.x9 = temp.x1; + output.x10 = temp.x2; + output.x11 = temp.x3; + output.x12 = temp.x4; + output.x13 = temp.x5; + output.x14 = temp.x6; + output.x15 = temp.x7; + } + else + { + Array8LoadLittleEndian32(out temp, input, inputOffset, inputLength); + output.x0 = temp.x0; + output.x1 = temp.x1; + output.x2 = temp.x2; + output.x3 = temp.x3; + output.x4 = temp.x4; + output.x5 = temp.x5; + output.x6 = temp.x6; + output.x7 = temp.x7; + output.x8 = 0; + output.x9 = 0; + output.x10 = 0; + output.x11 = 0; + output.x12 = 0; + output.x13 = 0; + output.x14 = 0; + output.x15 = 0; + } + }*/ + + public static void Array16StoreLittleEndian32(byte[] output, int outputOffset, ref Array16 input) + { + StoreLittleEndian32(output, outputOffset + 0, input.x0); + StoreLittleEndian32(output, outputOffset + 4, input.x1); + StoreLittleEndian32(output, outputOffset + 8, input.x2); + StoreLittleEndian32(output, outputOffset + 12, input.x3); + StoreLittleEndian32(output, outputOffset + 16, input.x4); + StoreLittleEndian32(output, outputOffset + 20, input.x5); + StoreLittleEndian32(output, outputOffset + 24, input.x6); + StoreLittleEndian32(output, outputOffset + 28, input.x7); + StoreLittleEndian32(output, outputOffset + 32, input.x8); + StoreLittleEndian32(output, outputOffset + 36, input.x9); + StoreLittleEndian32(output, outputOffset + 40, input.x10); + StoreLittleEndian32(output, outputOffset + 44, input.x11); + StoreLittleEndian32(output, outputOffset + 48, input.x12); + StoreLittleEndian32(output, outputOffset + 52, input.x13); + StoreLittleEndian32(output, outputOffset + 56, input.x14); + StoreLittleEndian32(output, outputOffset + 60, input.x15); + } + } +} diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/FieldElement.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/FieldElement.cs new file mode 100644 index 0000000..5a5c785 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/FieldElement.cs @@ -0,0 +1,36 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal struct FieldElement + { + internal int x0; + internal int x1; + internal int x2; + internal int x3; + internal int x4; + internal int x5; + internal int x6; + internal int x7; + internal int x8; + internal int x9; + + //public static readonly FieldElement Zero = new FieldElement(); + //public static readonly FieldElement One = new FieldElement() { x0 = 1 }; + + internal FieldElement(params int[] elements) + { + InternalAssert.Assert(elements.Length == 10, "elements.Length != 10"); + x0 = elements[0]; + x1 = elements[1]; + x2 = elements[2]; + x3 = elements[3]; + x4 = elements[4]; + x5 = elements[5]; + x6 = elements[6]; + x7 = elements[7]; + x8 = elements[8]; + x9 = elements[9]; + } + } +} diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/GroupElement.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/GroupElement.cs new file mode 100644 index 0000000..abeaca8 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/GroupElement.cs @@ -0,0 +1,63 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + /* + ge means group element. + + Here the group is the set of pairs (x,y) of field elements (see fe.h) + satisfying -x^2 + y^2 = 1 + d x^2y^2 + where d = -121665/121666. + + Representations: + ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z + ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT + ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T + ge_precomp (Duif): (y+x,y-x,2dxy) + */ + + internal struct GroupElementP2 + { + public FieldElement X; + public FieldElement Y; + public FieldElement Z; + } ; + + internal struct GroupElementP3 + { + public FieldElement X; + public FieldElement Y; + public FieldElement Z; + public FieldElement T; + } ; + + internal struct GroupElementP1P1 + { + public FieldElement X; + public FieldElement Y; + public FieldElement Z; + public FieldElement T; + } ; + + internal struct GroupElementPreComp + { + public FieldElement yplusx; + public FieldElement yminusx; + public FieldElement xy2d; + + public GroupElementPreComp(FieldElement yplusx, FieldElement yminusx, FieldElement xy2d) + { + this.yplusx = yplusx; + this.yminusx = yminusx; + this.xy2d = xy2d; + } + } ; + + internal struct GroupElementCached + { + public FieldElement YplusX; + public FieldElement YminusX; + public FieldElement Z; + public FieldElement T2d; + } ; +} diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/base.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/base.cs new file mode 100644 index 0000000..5627e9c --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/base.cs @@ -0,0 +1,1357 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class LookupTables + { + /* base[i][j] = (j+1)*256^i*B */ + //32*8 + internal static GroupElementPreComp[][] Base = new GroupElementPreComp[][] + { + new[]{ + new GroupElementPreComp( + new FieldElement( 25967493,-14356035,29566456,3660896,-12694345,4014787,27544626,-11754271,-6079156,2047605 ), + new FieldElement( -12545711,934262,-2722910,3049990,-727428,9406986,12720692,5043384,19500929,-15469378 ), + new FieldElement( -8738181,4489570,9688441,-14785194,10184609,-12363380,29287919,11864899,-24514362,-4438546 ) + ), + new GroupElementPreComp( + new FieldElement( -12815894,-12976347,-21581243,11784320,-25355658,-2750717,-11717903,-3814571,-358445,-10211303 ), + new FieldElement( -21703237,6903825,27185491,6451973,-29577724,-9554005,-15616551,11189268,-26829678,-5319081 ), + new FieldElement( 26966642,11152617,32442495,15396054,14353839,-12752335,-3128826,-9541118,-15472047,-4166697 ) + ), + new GroupElementPreComp( + new FieldElement( 15636291,-9688557,24204773,-7912398,616977,-16685262,27787600,-14772189,28944400,-1550024 ), + new FieldElement( 16568933,4717097,-11556148,-1102322,15682896,-11807043,16354577,-11775962,7689662,11199574 ), + new FieldElement( 30464156,-5976125,-11779434,-15670865,23220365,15915852,7512774,10017326,-17749093,-9920357 ) + ), + new GroupElementPreComp( + new FieldElement( -17036878,13921892,10945806,-6033431,27105052,-16084379,-28926210,15006023,3284568,-6276540 ), + new FieldElement( 23599295,-8306047,-11193664,-7687416,13236774,10506355,7464579,9656445,13059162,10374397 ), + new FieldElement( 7798556,16710257,3033922,2874086,28997861,2835604,32406664,-3839045,-641708,-101325 ) + ), + new GroupElementPreComp( + new FieldElement( 10861363,11473154,27284546,1981175,-30064349,12577861,32867885,14515107,-15438304,10819380 ), + new FieldElement( 4708026,6336745,20377586,9066809,-11272109,6594696,-25653668,12483688,-12668491,5581306 ), + new FieldElement( 19563160,16186464,-29386857,4097519,10237984,-4348115,28542350,13850243,-23678021,-15815942 ) + ), + new GroupElementPreComp( + new FieldElement( -15371964,-12862754,32573250,4720197,-26436522,5875511,-19188627,-15224819,-9818940,-12085777 ), + new FieldElement( -8549212,109983,15149363,2178705,22900618,4543417,3044240,-15689887,1762328,14866737 ), + new FieldElement( -18199695,-15951423,-10473290,1707278,-17185920,3916101,-28236412,3959421,27914454,4383652 ) + ), + new GroupElementPreComp( + new FieldElement( 5153746,9909285,1723747,-2777874,30523605,5516873,19480852,5230134,-23952439,-15175766 ), + new FieldElement( -30269007,-3463509,7665486,10083793,28475525,1649722,20654025,16520125,30598449,7715701 ), + new FieldElement( 28881845,14381568,9657904,3680757,-20181635,7843316,-31400660,1370708,29794553,-1409300 ) + ), + new GroupElementPreComp( + new FieldElement( 14499471,-2729599,-33191113,-4254652,28494862,14271267,30290735,10876454,-33154098,2381726 ), + new FieldElement( -7195431,-2655363,-14730155,462251,-27724326,3941372,-6236617,3696005,-32300832,15351955 ), + new FieldElement( 27431194,8222322,16448760,-3907995,-18707002,11938355,-32961401,-2970515,29551813,10109425 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( -13657040,-13155431,-31283750,11777098,21447386,6519384,-2378284,-1627556,10092783,-4764171 ), + new FieldElement( 27939166,14210322,4677035,16277044,-22964462,-12398139,-32508754,12005538,-17810127,12803510 ), + new FieldElement( 17228999,-15661624,-1233527,300140,-1224870,-11714777,30364213,-9038194,18016357,4397660 ) + ), + new GroupElementPreComp( + new FieldElement( -10958843,-7690207,4776341,-14954238,27850028,-15602212,-26619106,14544525,-17477504,982639 ), + new FieldElement( 29253598,15796703,-2863982,-9908884,10057023,3163536,7332899,-4120128,-21047696,9934963 ), + new FieldElement( 5793303,16271923,-24131614,-10116404,29188560,1206517,-14747930,4559895,-30123922,-10897950 ) + ), + new GroupElementPreComp( + new FieldElement( -27643952,-11493006,16282657,-11036493,28414021,-15012264,24191034,4541697,-13338309,5500568 ), + new FieldElement( 12650548,-1497113,9052871,11355358,-17680037,-8400164,-17430592,12264343,10874051,13524335 ), + new FieldElement( 25556948,-3045990,714651,2510400,23394682,-10415330,33119038,5080568,-22528059,5376628 ) + ), + new GroupElementPreComp( + new FieldElement( -26088264,-4011052,-17013699,-3537628,-6726793,1920897,-22321305,-9447443,4535768,1569007 ), + new FieldElement( -2255422,14606630,-21692440,-8039818,28430649,8775819,-30494562,3044290,31848280,12543772 ), + new FieldElement( -22028579,2943893,-31857513,6777306,13784462,-4292203,-27377195,-2062731,7718482,14474653 ) + ), + new GroupElementPreComp( + new FieldElement( 2385315,2454213,-22631320,46603,-4437935,-15680415,656965,-7236665,24316168,-5253567 ), + new FieldElement( 13741529,10911568,-33233417,-8603737,-20177830,-1033297,33040651,-13424532,-20729456,8321686 ), + new FieldElement( 21060490,-2212744,15712757,-4336099,1639040,10656336,23845965,-11874838,-9984458,608372 ) + ), + new GroupElementPreComp( + new FieldElement( -13672732,-15087586,-10889693,-7557059,-6036909,11305547,1123968,-6780577,27229399,23887 ), + new FieldElement( -23244140,-294205,-11744728,14712571,-29465699,-2029617,12797024,-6440308,-1633405,16678954 ), + new FieldElement( -29500620,4770662,-16054387,14001338,7830047,9564805,-1508144,-4795045,-17169265,4904953 ) + ), + new GroupElementPreComp( + new FieldElement( 24059557,14617003,19037157,-15039908,19766093,-14906429,5169211,16191880,2128236,-4326833 ), + new FieldElement( -16981152,4124966,-8540610,-10653797,30336522,-14105247,-29806336,916033,-6882542,-2986532 ), + new FieldElement( -22630907,12419372,-7134229,-7473371,-16478904,16739175,285431,2763829,15736322,4143876 ) + ), + new GroupElementPreComp( + new FieldElement( 2379352,11839345,-4110402,-5988665,11274298,794957,212801,-14594663,23527084,-16458268 ), + new FieldElement( 33431127,-11130478,-17838966,-15626900,8909499,8376530,-32625340,4087881,-15188911,-14416214 ), + new FieldElement( 1767683,7197987,-13205226,-2022635,-13091350,448826,5799055,4357868,-4774191,-16323038 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( 6721966,13833823,-23523388,-1551314,26354293,-11863321,23365147,-3949732,7390890,2759800 ), + new FieldElement( 4409041,2052381,23373853,10530217,7676779,-12885954,21302353,-4264057,1244380,-12919645 ), + new FieldElement( -4421239,7169619,4982368,-2957590,30256825,-2777540,14086413,9208236,15886429,16489664 ) + ), + new GroupElementPreComp( + new FieldElement( 1996075,10375649,14346367,13311202,-6874135,-16438411,-13693198,398369,-30606455,-712933 ), + new FieldElement( -25307465,9795880,-2777414,14878809,-33531835,14780363,13348553,12076947,-30836462,5113182 ), + new FieldElement( -17770784,11797796,31950843,13929123,-25888302,12288344,-30341101,-7336386,13847711,5387222 ) + ), + new GroupElementPreComp( + new FieldElement( -18582163,-3416217,17824843,-2340966,22744343,-10442611,8763061,3617786,-19600662,10370991 ), + new FieldElement( 20246567,-14369378,22358229,-543712,18507283,-10413996,14554437,-8746092,32232924,16763880 ), + new FieldElement( 9648505,10094563,26416693,14745928,-30374318,-6472621,11094161,15689506,3140038,-16510092 ) + ), + new GroupElementPreComp( + new FieldElement( -16160072,5472695,31895588,4744994,8823515,10365685,-27224800,9448613,-28774454,366295 ), + new FieldElement( 19153450,11523972,-11096490,-6503142,-24647631,5420647,28344573,8041113,719605,11671788 ), + new FieldElement( 8678025,2694440,-6808014,2517372,4964326,11152271,-15432916,-15266516,27000813,-10195553 ) + ), + new GroupElementPreComp( + new FieldElement( -15157904,7134312,8639287,-2814877,-7235688,10421742,564065,5336097,6750977,-14521026 ), + new FieldElement( 11836410,-3979488,26297894,16080799,23455045,15735944,1695823,-8819122,8169720,16220347 ), + new FieldElement( -18115838,8653647,17578566,-6092619,-8025777,-16012763,-11144307,-2627664,-5990708,-14166033 ) + ), + new GroupElementPreComp( + new FieldElement( -23308498,-10968312,15213228,-10081214,-30853605,-11050004,27884329,2847284,2655861,1738395 ), + new FieldElement( -27537433,-14253021,-25336301,-8002780,-9370762,8129821,21651608,-3239336,-19087449,-11005278 ), + new FieldElement( 1533110,3437855,23735889,459276,29970501,11335377,26030092,5821408,10478196,8544890 ) + ), + new GroupElementPreComp( + new FieldElement( 32173121,-16129311,24896207,3921497,22579056,-3410854,19270449,12217473,17789017,-3395995 ), + new FieldElement( -30552961,-2228401,-15578829,-10147201,13243889,517024,15479401,-3853233,30460520,1052596 ), + new FieldElement( -11614875,13323618,32618793,8175907,-15230173,12596687,27491595,-4612359,3179268,-9478891 ) + ), + new GroupElementPreComp( + new FieldElement( 31947069,-14366651,-4640583,-15339921,-15125977,-6039709,-14756777,-16411740,19072640,-9511060 ), + new FieldElement( 11685058,11822410,3158003,-13952594,33402194,-4165066,5977896,-5215017,473099,5040608 ), + new FieldElement( -20290863,8198642,-27410132,11602123,1290375,-2799760,28326862,1721092,-19558642,-3131606 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( 7881532,10687937,7578723,7738378,-18951012,-2553952,21820786,8076149,-27868496,11538389 ), + new FieldElement( -19935666,3899861,18283497,-6801568,-15728660,-11249211,8754525,7446702,-5676054,5797016 ), + new FieldElement( -11295600,-3793569,-15782110,-7964573,12708869,-8456199,2014099,-9050574,-2369172,-5877341 ) + ), + new GroupElementPreComp( + new FieldElement( -22472376,-11568741,-27682020,1146375,18956691,16640559,1192730,-3714199,15123619,10811505 ), + new FieldElement( 14352098,-3419715,-18942044,10822655,32750596,4699007,-70363,15776356,-28886779,-11974553 ), + new FieldElement( -28241164,-8072475,-4978962,-5315317,29416931,1847569,-20654173,-16484855,4714547,-9600655 ) + ), + new GroupElementPreComp( + new FieldElement( 15200332,8368572,19679101,15970074,-31872674,1959451,24611599,-4543832,-11745876,12340220 ), + new FieldElement( 12876937,-10480056,33134381,6590940,-6307776,14872440,9613953,8241152,15370987,9608631 ), + new FieldElement( -4143277,-12014408,8446281,-391603,4407738,13629032,-7724868,15866074,-28210621,-8814099 ) + ), + new GroupElementPreComp( + new FieldElement( 26660628,-15677655,8393734,358047,-7401291,992988,-23904233,858697,20571223,8420556 ), + new FieldElement( 14620715,13067227,-15447274,8264467,14106269,15080814,33531827,12516406,-21574435,-12476749 ), + new FieldElement( 236881,10476226,57258,-14677024,6472998,2466984,17258519,7256740,8791136,15069930 ) + ), + new GroupElementPreComp( + new FieldElement( 1276410,-9371918,22949635,-16322807,-23493039,-5702186,14711875,4874229,-30663140,-2331391 ), + new FieldElement( 5855666,4990204,-13711848,7294284,-7804282,1924647,-1423175,-7912378,-33069337,9234253 ), + new FieldElement( 20590503,-9018988,31529744,-7352666,-2706834,10650548,31559055,-11609587,18979186,13396066 ) + ), + new GroupElementPreComp( + new FieldElement( 24474287,4968103,22267082,4407354,24063882,-8325180,-18816887,13594782,33514650,7021958 ), + new FieldElement( -11566906,-6565505,-21365085,15928892,-26158305,4315421,-25948728,-3916677,-21480480,12868082 ), + new FieldElement( -28635013,13504661,19988037,-2132761,21078225,6443208,-21446107,2244500,-12455797,-8089383 ) + ), + new GroupElementPreComp( + new FieldElement( -30595528,13793479,-5852820,319136,-25723172,-6263899,33086546,8957937,-15233648,5540521 ), + new FieldElement( -11630176,-11503902,-8119500,-7643073,2620056,1022908,-23710744,-1568984,-16128528,-14962807 ), + new FieldElement( 23152971,775386,27395463,14006635,-9701118,4649512,1689819,892185,-11513277,-15205948 ) + ), + new GroupElementPreComp( + new FieldElement( 9770129,9586738,26496094,4324120,1556511,-3550024,27453819,4763127,-19179614,5867134 ), + new FieldElement( -32765025,1927590,31726409,-4753295,23962434,-16019500,27846559,5931263,-29749703,-16108455 ), + new FieldElement( 27461885,-2977536,22380810,1815854,-23033753,-3031938,7283490,-15148073,-19526700,7734629 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( -8010264,-9590817,-11120403,6196038,29344158,-13430885,7585295,-3176626,18549497,15302069 ), + new FieldElement( -32658337,-6171222,-7672793,-11051681,6258878,13504381,10458790,-6418461,-8872242,8424746 ), + new FieldElement( 24687205,8613276,-30667046,-3233545,1863892,-1830544,19206234,7134917,-11284482,-828919 ) + ), + new GroupElementPreComp( + new FieldElement( 11334899,-9218022,8025293,12707519,17523892,-10476071,10243738,-14685461,-5066034,16498837 ), + new FieldElement( 8911542,6887158,-9584260,-6958590,11145641,-9543680,17303925,-14124238,6536641,10543906 ), + new FieldElement( -28946384,15479763,-17466835,568876,-1497683,11223454,-2669190,-16625574,-27235709,8876771 ) + ), + new GroupElementPreComp( + new FieldElement( -25742899,-12566864,-15649966,-846607,-33026686,-796288,-33481822,15824474,-604426,-9039817 ), + new FieldElement( 10330056,70051,7957388,-9002667,9764902,15609756,27698697,-4890037,1657394,3084098 ), + new FieldElement( 10477963,-7470260,12119566,-13250805,29016247,-5365589,31280319,14396151,-30233575,15272409 ) + ), + new GroupElementPreComp( + new FieldElement( -12288309,3169463,28813183,16658753,25116432,-5630466,-25173957,-12636138,-25014757,1950504 ), + new FieldElement( -26180358,9489187,11053416,-14746161,-31053720,5825630,-8384306,-8767532,15341279,8373727 ), + new FieldElement( 28685821,7759505,-14378516,-12002860,-31971820,4079242,298136,-10232602,-2878207,15190420 ) + ), + new GroupElementPreComp( + new FieldElement( -32932876,13806336,-14337485,-15794431,-24004620,10940928,8669718,2742393,-26033313,-6875003 ), + new FieldElement( -1580388,-11729417,-25979658,-11445023,-17411874,-10912854,9291594,-16247779,-12154742,6048605 ), + new FieldElement( -30305315,14843444,1539301,11864366,20201677,1900163,13934231,5128323,11213262,9168384 ) + ), + new GroupElementPreComp( + new FieldElement( -26280513,11007847,19408960,-940758,-18592965,-4328580,-5088060,-11105150,20470157,-16398701 ), + new FieldElement( -23136053,9282192,14855179,-15390078,-7362815,-14408560,-22783952,14461608,14042978,5230683 ), + new FieldElement( 29969567,-2741594,-16711867,-8552442,9175486,-2468974,21556951,3506042,-5933891,-12449708 ) + ), + new GroupElementPreComp( + new FieldElement( -3144746,8744661,19704003,4581278,-20430686,6830683,-21284170,8971513,-28539189,15326563 ), + new FieldElement( -19464629,10110288,-17262528,-3503892,-23500387,1355669,-15523050,15300988,-20514118,9168260 ), + new FieldElement( -5353335,4488613,-23803248,16314347,7780487,-15638939,-28948358,9601605,33087103,-9011387 ) + ), + new GroupElementPreComp( + new FieldElement( -19443170,-15512900,-20797467,-12445323,-29824447,10229461,-27444329,-15000531,-5996870,15664672 ), + new FieldElement( 23294591,-16632613,-22650781,-8470978,27844204,11461195,13099750,-2460356,18151676,13417686 ), + new FieldElement( -24722913,-4176517,-31150679,5988919,-26858785,6685065,1661597,-12551441,15271676,-15452665 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( 11433042,-13228665,8239631,-5279517,-1985436,-725718,-18698764,2167544,-6921301,-13440182 ), + new FieldElement( -31436171,15575146,30436815,12192228,-22463353,9395379,-9917708,-8638997,12215110,12028277 ), + new FieldElement( 14098400,6555944,23007258,5757252,-15427832,-12950502,30123440,4617780,-16900089,-655628 ) + ), + new GroupElementPreComp( + new FieldElement( -4026201,-15240835,11893168,13718664,-14809462,1847385,-15819999,10154009,23973261,-12684474 ), + new FieldElement( -26531820,-3695990,-1908898,2534301,-31870557,-16550355,18341390,-11419951,32013174,-10103539 ), + new FieldElement( -25479301,10876443,-11771086,-14625140,-12369567,1838104,21911214,6354752,4425632,-837822 ) + ), + new GroupElementPreComp( + new FieldElement( -10433389,-14612966,22229858,-3091047,-13191166,776729,-17415375,-12020462,4725005,14044970 ), + new FieldElement( 19268650,-7304421,1555349,8692754,-21474059,-9910664,6347390,-1411784,-19522291,-16109756 ), + new FieldElement( -24864089,12986008,-10898878,-5558584,-11312371,-148526,19541418,8180106,9282262,10282508 ) + ), + new GroupElementPreComp( + new FieldElement( -26205082,4428547,-8661196,-13194263,4098402,-14165257,15522535,8372215,5542595,-10702683 ), + new FieldElement( -10562541,14895633,26814552,-16673850,-17480754,-2489360,-2781891,6993761,-18093885,10114655 ), + new FieldElement( -20107055,-929418,31422704,10427861,-7110749,6150669,-29091755,-11529146,25953725,-106158 ) + ), + new GroupElementPreComp( + new FieldElement( -4234397,-8039292,-9119125,3046000,2101609,-12607294,19390020,6094296,-3315279,12831125 ), + new FieldElement( -15998678,7578152,5310217,14408357,-33548620,-224739,31575954,6326196,7381791,-2421839 ), + new FieldElement( -20902779,3296811,24736065,-16328389,18374254,7318640,6295303,8082724,-15362489,12339664 ) + ), + new GroupElementPreComp( + new FieldElement( 27724736,2291157,6088201,-14184798,1792727,5857634,13848414,15768922,25091167,14856294 ), + new FieldElement( -18866652,8331043,24373479,8541013,-701998,-9269457,12927300,-12695493,-22182473,-9012899 ), + new FieldElement( -11423429,-5421590,11632845,3405020,30536730,-11674039,-27260765,13866390,30146206,9142070 ) + ), + new GroupElementPreComp( + new FieldElement( 3924129,-15307516,-13817122,-10054960,12291820,-668366,-27702774,9326384,-8237858,4171294 ), + new FieldElement( -15921940,16037937,6713787,16606682,-21612135,2790944,26396185,3731949,345228,-5462949 ), + new FieldElement( -21327538,13448259,25284571,1143661,20614966,-8849387,2031539,-12391231,-16253183,-13582083 ) + ), + new GroupElementPreComp( + new FieldElement( 31016211,-16722429,26371392,-14451233,-5027349,14854137,17477601,3842657,28012650,-16405420 ), + new FieldElement( -5075835,9368966,-8562079,-4600902,-15249953,6970560,-9189873,16292057,-8867157,3507940 ), + new FieldElement( 29439664,3537914,23333589,6997794,-17555561,-11018068,-15209202,-15051267,-9164929,6580396 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( -12185861,-7679788,16438269,10826160,-8696817,-6235611,17860444,-9273846,-2095802,9304567 ), + new FieldElement( 20714564,-4336911,29088195,7406487,11426967,-5095705,14792667,-14608617,5289421,-477127 ), + new FieldElement( -16665533,-10650790,-6160345,-13305760,9192020,-1802462,17271490,12349094,26939669,-3752294 ) + ), + new GroupElementPreComp( + new FieldElement( -12889898,9373458,31595848,16374215,21471720,13221525,-27283495,-12348559,-3698806,117887 ), + new FieldElement( 22263325,-6560050,3984570,-11174646,-15114008,-566785,28311253,5358056,-23319780,541964 ), + new FieldElement( 16259219,3261970,2309254,-15534474,-16885711,-4581916,24134070,-16705829,-13337066,-13552195 ) + ), + new GroupElementPreComp( + new FieldElement( 9378160,-13140186,-22845982,-12745264,28198281,-7244098,-2399684,-717351,690426,14876244 ), + new FieldElement( 24977353,-314384,-8223969,-13465086,28432343,-1176353,-13068804,-12297348,-22380984,6618999 ), + new FieldElement( -1538174,11685646,12944378,13682314,-24389511,-14413193,8044829,-13817328,32239829,-5652762 ) + ), + new GroupElementPreComp( + new FieldElement( -18603066,4762990,-926250,8885304,-28412480,-3187315,9781647,-10350059,32779359,5095274 ), + new FieldElement( -33008130,-5214506,-32264887,-3685216,9460461,-9327423,-24601656,14506724,21639561,-2630236 ), + new FieldElement( -16400943,-13112215,25239338,15531969,3987758,-4499318,-1289502,-6863535,17874574,558605 ) + ), + new GroupElementPreComp( + new FieldElement( -13600129,10240081,9171883,16131053,-20869254,9599700,33499487,5080151,2085892,5119761 ), + new FieldElement( -22205145,-2519528,-16381601,414691,-25019550,2170430,30634760,-8363614,-31999993,-5759884 ), + new FieldElement( -6845704,15791202,8550074,-1312654,29928809,-12092256,27534430,-7192145,-22351378,12961482 ) + ), + new GroupElementPreComp( + new FieldElement( -24492060,-9570771,10368194,11582341,-23397293,-2245287,16533930,8206996,-30194652,-5159638 ), + new FieldElement( -11121496,-3382234,2307366,6362031,-135455,8868177,-16835630,7031275,7589640,8945490 ), + new FieldElement( -32152748,8917967,6661220,-11677616,-1192060,-15793393,7251489,-11182180,24099109,-14456170 ) + ), + new GroupElementPreComp( + new FieldElement( 5019558,-7907470,4244127,-14714356,-26933272,6453165,-19118182,-13289025,-6231896,-10280736 ), + new FieldElement( 10853594,10721687,26480089,5861829,-22995819,1972175,-1866647,-10557898,-3363451,-6441124 ), + new FieldElement( -17002408,5906790,221599,-6563147,7828208,-13248918,24362661,-2008168,-13866408,7421392 ) + ), + new GroupElementPreComp( + new FieldElement( 8139927,-6546497,32257646,-5890546,30375719,1886181,-21175108,15441252,28826358,-4123029 ), + new FieldElement( 6267086,9695052,7709135,-16603597,-32869068,-1886135,14795160,-7840124,13746021,-1742048 ), + new FieldElement( 28584902,7787108,-6732942,-15050729,22846041,-7571236,-3181936,-363524,4771362,-8419958 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( 24949256,6376279,-27466481,-8174608,-18646154,-9930606,33543569,-12141695,3569627,11342593 ), + new FieldElement( 26514989,4740088,27912651,3697550,19331575,-11472339,6809886,4608608,7325975,-14801071 ), + new FieldElement( -11618399,-14554430,-24321212,7655128,-1369274,5214312,-27400540,10258390,-17646694,-8186692 ) + ), + new GroupElementPreComp( + new FieldElement( 11431204,15823007,26570245,14329124,18029990,4796082,-31446179,15580664,9280358,-3973687 ), + new FieldElement( -160783,-10326257,-22855316,-4304997,-20861367,-13621002,-32810901,-11181622,-15545091,4387441 ), + new FieldElement( -20799378,12194512,3937617,-5805892,-27154820,9340370,-24513992,8548137,20617071,-7482001 ) + ), + new GroupElementPreComp( + new FieldElement( -938825,-3930586,-8714311,16124718,24603125,-6225393,-13775352,-11875822,24345683,10325460 ), + new FieldElement( -19855277,-1568885,-22202708,8714034,14007766,6928528,16318175,-1010689,4766743,3552007 ), + new FieldElement( -21751364,-16730916,1351763,-803421,-4009670,3950935,3217514,14481909,10988822,-3994762 ) + ), + new GroupElementPreComp( + new FieldElement( 15564307,-14311570,3101243,5684148,30446780,-8051356,12677127,-6505343,-8295852,13296005 ), + new FieldElement( -9442290,6624296,-30298964,-11913677,-4670981,-2057379,31521204,9614054,-30000824,12074674 ), + new FieldElement( 4771191,-135239,14290749,-13089852,27992298,14998318,-1413936,-1556716,29832613,-16391035 ) + ), + new GroupElementPreComp( + new FieldElement( 7064884,-7541174,-19161962,-5067537,-18891269,-2912736,25825242,5293297,-27122660,13101590 ), + new FieldElement( -2298563,2439670,-7466610,1719965,-27267541,-16328445,32512469,-5317593,-30356070,-4190957 ), + new FieldElement( -30006540,10162316,-33180176,3981723,-16482138,-13070044,14413974,9515896,19568978,9628812 ) + ), + new GroupElementPreComp( + new FieldElement( 33053803,199357,15894591,1583059,27380243,-4580435,-17838894,-6106839,-6291786,3437740 ), + new FieldElement( -18978877,3884493,19469877,12726490,15913552,13614290,-22961733,70104,7463304,4176122 ), + new FieldElement( -27124001,10659917,11482427,-16070381,12771467,-6635117,-32719404,-5322751,24216882,5944158 ) + ), + new GroupElementPreComp( + new FieldElement( 8894125,7450974,-2664149,-9765752,-28080517,-12389115,19345746,14680796,11632993,5847885 ), + new FieldElement( 26942781,-2315317,9129564,-4906607,26024105,11769399,-11518837,6367194,-9727230,4782140 ), + new FieldElement( 19916461,-4828410,-22910704,-11414391,25606324,-5972441,33253853,8220911,6358847,-1873857 ) + ), + new GroupElementPreComp( + new FieldElement( 801428,-2081702,16569428,11065167,29875704,96627,7908388,-4480480,-13538503,1387155 ), + new FieldElement( 19646058,5720633,-11416706,12814209,11607948,12749789,14147075,15156355,-21866831,11835260 ), + new FieldElement( 19299512,1155910,28703737,14890794,2925026,7269399,26121523,15467869,-26560550,5052483 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( -3017432,10058206,1980837,3964243,22160966,12322533,-6431123,-12618185,12228557,-7003677 ), + new FieldElement( 32944382,14922211,-22844894,5188528,21913450,-8719943,4001465,13238564,-6114803,8653815 ), + new FieldElement( 22865569,-4652735,27603668,-12545395,14348958,8234005,24808405,5719875,28483275,2841751 ) + ), + new GroupElementPreComp( + new FieldElement( -16420968,-1113305,-327719,-12107856,21886282,-15552774,-1887966,-315658,19932058,-12739203 ), + new FieldElement( -11656086,10087521,-8864888,-5536143,-19278573,-3055912,3999228,13239134,-4777469,-13910208 ), + new FieldElement( 1382174,-11694719,17266790,9194690,-13324356,9720081,20403944,11284705,-14013818,3093230 ) + ), + new GroupElementPreComp( + new FieldElement( 16650921,-11037932,-1064178,1570629,-8329746,7352753,-302424,16271225,-24049421,-6691850 ), + new FieldElement( -21911077,-5927941,-4611316,-5560156,-31744103,-10785293,24123614,15193618,-21652117,-16739389 ), + new FieldElement( -9935934,-4289447,-25279823,4372842,2087473,10399484,31870908,14690798,17361620,11864968 ) + ), + new GroupElementPreComp( + new FieldElement( -11307610,6210372,13206574,5806320,-29017692,-13967200,-12331205,-7486601,-25578460,-16240689 ), + new FieldElement( 14668462,-12270235,26039039,15305210,25515617,4542480,10453892,6577524,9145645,-6443880 ), + new FieldElement( 5974874,3053895,-9433049,-10385191,-31865124,3225009,-7972642,3936128,-5652273,-3050304 ) + ), + new GroupElementPreComp( + new FieldElement( 30625386,-4729400,-25555961,-12792866,-20484575,7695099,17097188,-16303496,-27999779,1803632 ), + new FieldElement( -3553091,9865099,-5228566,4272701,-5673832,-16689700,14911344,12196514,-21405489,7047412 ), + new FieldElement( 20093277,9920966,-11138194,-5343857,13161587,12044805,-32856851,4124601,-32343828,-10257566 ) + ), + new GroupElementPreComp( + new FieldElement( -20788824,14084654,-13531713,7842147,19119038,-13822605,4752377,-8714640,-21679658,2288038 ), + new FieldElement( -26819236,-3283715,29965059,3039786,-14473765,2540457,29457502,14625692,-24819617,12570232 ), + new FieldElement( -1063558,-11551823,16920318,12494842,1278292,-5869109,-21159943,-3498680,-11974704,4724943 ) + ), + new GroupElementPreComp( + new FieldElement( 17960970,-11775534,-4140968,-9702530,-8876562,-1410617,-12907383,-8659932,-29576300,1903856 ), + new FieldElement( 23134274,-14279132,-10681997,-1611936,20684485,15770816,-12989750,3190296,26955097,14109738 ), + new FieldElement( 15308788,5320727,-30113809,-14318877,22902008,7767164,29425325,-11277562,31960942,11934971 ) + ), + new GroupElementPreComp( + new FieldElement( -27395711,8435796,4109644,12222639,-24627868,14818669,20638173,4875028,10491392,1379718 ), + new FieldElement( -13159415,9197841,3875503,-8936108,-1383712,-5879801,33518459,16176658,21432314,12180697 ), + new FieldElement( -11787308,11500838,13787581,-13832590,-22430679,10140205,1465425,12689540,-10301319,-13872883 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( 5414091,-15386041,-21007664,9643570,12834970,1186149,-2622916,-1342231,26128231,6032912 ), + new FieldElement( -26337395,-13766162,32496025,-13653919,17847801,-12669156,3604025,8316894,-25875034,-10437358 ), + new FieldElement( 3296484,6223048,24680646,-12246460,-23052020,5903205,-8862297,-4639164,12376617,3188849 ) + ), + new GroupElementPreComp( + new FieldElement( 29190488,-14659046,27549113,-1183516,3520066,-10697301,32049515,-7309113,-16109234,-9852307 ), + new FieldElement( -14744486,-9309156,735818,-598978,-20407687,-5057904,25246078,-15795669,18640741,-960977 ), + new FieldElement( -6928835,-16430795,10361374,5642961,4910474,12345252,-31638386,-494430,10530747,1053335 ) + ), + new GroupElementPreComp( + new FieldElement( -29265967,-14186805,-13538216,-12117373,-19457059,-10655384,-31462369,-2948985,24018831,15026644 ), + new FieldElement( -22592535,-3145277,-2289276,5953843,-13440189,9425631,25310643,13003497,-2314791,-15145616 ), + new FieldElement( -27419985,-603321,-8043984,-1669117,-26092265,13987819,-27297622,187899,-23166419,-2531735 ) + ), + new GroupElementPreComp( + new FieldElement( -21744398,-13810475,1844840,5021428,-10434399,-15911473,9716667,16266922,-5070217,726099 ), + new FieldElement( 29370922,-6053998,7334071,-15342259,9385287,2247707,-13661962,-4839461,30007388,-15823341 ), + new FieldElement( -936379,16086691,23751945,-543318,-1167538,-5189036,9137109,730663,9835848,4555336 ) + ), + new GroupElementPreComp( + new FieldElement( -23376435,1410446,-22253753,-12899614,30867635,15826977,17693930,544696,-11985298,12422646 ), + new FieldElement( 31117226,-12215734,-13502838,6561947,-9876867,-12757670,-5118685,-4096706,29120153,13924425 ), + new FieldElement( -17400879,-14233209,19675799,-2734756,-11006962,-5858820,-9383939,-11317700,7240931,-237388 ) + ), + new GroupElementPreComp( + new FieldElement( -31361739,-11346780,-15007447,-5856218,-22453340,-12152771,1222336,4389483,3293637,-15551743 ), + new FieldElement( -16684801,-14444245,11038544,11054958,-13801175,-3338533,-24319580,7733547,12796905,-6335822 ), + new FieldElement( -8759414,-10817836,-25418864,10783769,-30615557,-9746811,-28253339,3647836,3222231,-11160462 ) + ), + new GroupElementPreComp( + new FieldElement( 18606113,1693100,-25448386,-15170272,4112353,10045021,23603893,-2048234,-7550776,2484985 ), + new FieldElement( 9255317,-3131197,-12156162,-1004256,13098013,-9214866,16377220,-2102812,-19802075,-3034702 ), + new FieldElement( -22729289,7496160,-5742199,11329249,19991973,-3347502,-31718148,9936966,-30097688,-10618797 ) + ), + new GroupElementPreComp( + new FieldElement( 21878590,-5001297,4338336,13643897,-3036865,13160960,19708896,5415497,-7360503,-4109293 ), + new FieldElement( 27736861,10103576,12500508,8502413,-3413016,-9633558,10436918,-1550276,-23659143,-8132100 ), + new FieldElement( 19492550,-12104365,-29681976,-852630,-3208171,12403437,30066266,8367329,13243957,8709688 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( 12015105,2801261,28198131,10151021,24818120,-4743133,-11194191,-5645734,5150968,7274186 ), + new FieldElement( 2831366,-12492146,1478975,6122054,23825128,-12733586,31097299,6083058,31021603,-9793610 ), + new FieldElement( -2529932,-2229646,445613,10720828,-13849527,-11505937,-23507731,16354465,15067285,-14147707 ) + ), + new GroupElementPreComp( + new FieldElement( 7840942,14037873,-33364863,15934016,-728213,-3642706,21403988,1057586,-19379462,-12403220 ), + new FieldElement( 915865,-16469274,15608285,-8789130,-24357026,6060030,-17371319,8410997,-7220461,16527025 ), + new FieldElement( 32922597,-556987,20336074,-16184568,10903705,-5384487,16957574,52992,23834301,6588044 ) + ), + new GroupElementPreComp( + new FieldElement( 32752030,11232950,3381995,-8714866,22652988,-10744103,17159699,16689107,-20314580,-1305992 ), + new FieldElement( -4689649,9166776,-25710296,-10847306,11576752,12733943,7924251,-2752281,1976123,-7249027 ), + new FieldElement( 21251222,16309901,-2983015,-6783122,30810597,12967303,156041,-3371252,12331345,-8237197 ) + ), + new GroupElementPreComp( + new FieldElement( 8651614,-4477032,-16085636,-4996994,13002507,2950805,29054427,-5106970,10008136,-4667901 ), + new FieldElement( 31486080,15114593,-14261250,12951354,14369431,-7387845,16347321,-13662089,8684155,-10532952 ), + new FieldElement( 19443825,11385320,24468943,-9659068,-23919258,2187569,-26263207,-6086921,31316348,14219878 ) + ), + new GroupElementPreComp( + new FieldElement( -28594490,1193785,32245219,11392485,31092169,15722801,27146014,6992409,29126555,9207390 ), + new FieldElement( 32382935,1110093,18477781,11028262,-27411763,-7548111,-4980517,10843782,-7957600,-14435730 ), + new FieldElement( 2814918,7836403,27519878,-7868156,-20894015,-11553689,-21494559,8550130,28346258,1994730 ) + ), + new GroupElementPreComp( + new FieldElement( -19578299,8085545,-14000519,-3948622,2785838,-16231307,-19516951,7174894,22628102,8115180 ), + new FieldElement( -30405132,955511,-11133838,-15078069,-32447087,-13278079,-25651578,3317160,-9943017,930272 ), + new FieldElement( -15303681,-6833769,28856490,1357446,23421993,1057177,24091212,-1388970,-22765376,-10650715 ) + ), + new GroupElementPreComp( + new FieldElement( -22751231,-5303997,-12907607,-12768866,-15811511,-7797053,-14839018,-16554220,-1867018,8398970 ), + new FieldElement( -31969310,2106403,-4736360,1362501,12813763,16200670,22981545,-6291273,18009408,-15772772 ), + new FieldElement( -17220923,-9545221,-27784654,14166835,29815394,7444469,29551787,-3727419,19288549,1325865 ) + ), + new GroupElementPreComp( + new FieldElement( 15100157,-15835752,-23923978,-1005098,-26450192,15509408,12376730,-3479146,33166107,-8042750 ), + new FieldElement( 20909231,13023121,-9209752,16251778,-5778415,-8094914,12412151,10018715,2213263,-13878373 ), + new FieldElement( 32529814,-11074689,30361439,-16689753,-9135940,1513226,22922121,6382134,-5766928,8371348 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( 9923462,11271500,12616794,3544722,-29998368,-1721626,12891687,-8193132,-26442943,10486144 ), + new FieldElement( -22597207,-7012665,8587003,-8257861,4084309,-12970062,361726,2610596,-23921530,-11455195 ), + new FieldElement( 5408411,-1136691,-4969122,10561668,24145918,14240566,31319731,-4235541,19985175,-3436086 ) + ), + new GroupElementPreComp( + new FieldElement( -13994457,16616821,14549246,3341099,32155958,13648976,-17577068,8849297,65030,8370684 ), + new FieldElement( -8320926,-12049626,31204563,5839400,-20627288,-1057277,-19442942,6922164,12743482,-9800518 ), + new FieldElement( -2361371,12678785,28815050,4759974,-23893047,4884717,23783145,11038569,18800704,255233 ) + ), + new GroupElementPreComp( + new FieldElement( -5269658,-1773886,13957886,7990715,23132995,728773,13393847,9066957,19258688,-14753793 ), + new FieldElement( -2936654,-10827535,-10432089,14516793,-3640786,4372541,-31934921,2209390,-1524053,2055794 ), + new FieldElement( 580882,16705327,5468415,-2683018,-30926419,-14696000,-7203346,-8994389,-30021019,7394435 ) + ), + new GroupElementPreComp( + new FieldElement( 23838809,1822728,-15738443,15242727,8318092,-3733104,-21672180,-3492205,-4821741,14799921 ), + new FieldElement( 13345610,9759151,3371034,-16137791,16353039,8577942,31129804,13496856,-9056018,7402518 ), + new FieldElement( 2286874,-4435931,-20042458,-2008336,-13696227,5038122,11006906,-15760352,8205061,1607563 ) + ), + new GroupElementPreComp( + new FieldElement( 14414086,-8002132,3331830,-3208217,22249151,-5594188,18364661,-2906958,30019587,-9029278 ), + new FieldElement( -27688051,1585953,-10775053,931069,-29120221,-11002319,-14410829,12029093,9944378,8024 ), + new FieldElement( 4368715,-3709630,29874200,-15022983,-20230386,-11410704,-16114594,-999085,-8142388,5640030 ) + ), + new GroupElementPreComp( + new FieldElement( 10299610,13746483,11661824,16234854,7630238,5998374,9809887,-16694564,15219798,-14327783 ), + new FieldElement( 27425505,-5719081,3055006,10660664,23458024,595578,-15398605,-1173195,-18342183,9742717 ), + new FieldElement( 6744077,2427284,26042789,2720740,-847906,1118974,32324614,7406442,12420155,1994844 ) + ), + new GroupElementPreComp( + new FieldElement( 14012521,-5024720,-18384453,-9578469,-26485342,-3936439,-13033478,-10909803,24319929,-6446333 ), + new FieldElement( 16412690,-4507367,10772641,15929391,-17068788,-4658621,10555945,-10484049,-30102368,-4739048 ), + new FieldElement( 22397382,-7767684,-9293161,-12792868,17166287,-9755136,-27333065,6199366,21880021,-12250760 ) + ), + new GroupElementPreComp( + new FieldElement( -4283307,5368523,-31117018,8163389,-30323063,3209128,16557151,8890729,8840445,4957760 ), + new FieldElement( -15447727,709327,-6919446,-10870178,-29777922,6522332,-21720181,12130072,-14796503,5005757 ), + new FieldElement( -2114751,-14308128,23019042,15765735,-25269683,6002752,10183197,-13239326,-16395286,-2176112 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( -19025756,1632005,13466291,-7995100,-23640451,16573537,-32013908,-3057104,22208662,2000468 ), + new FieldElement( 3065073,-1412761,-25598674,-361432,-17683065,-5703415,-8164212,11248527,-3691214,-7414184 ), + new FieldElement( 10379208,-6045554,8877319,1473647,-29291284,-12507580,16690915,2553332,-3132688,16400289 ) + ), + new GroupElementPreComp( + new FieldElement( 15716668,1254266,-18472690,7446274,-8448918,6344164,-22097271,-7285580,26894937,9132066 ), + new FieldElement( 24158887,12938817,11085297,-8177598,-28063478,-4457083,-30576463,64452,-6817084,-2692882 ), + new FieldElement( 13488534,7794716,22236231,5989356,25426474,-12578208,2350710,-3418511,-4688006,2364226 ) + ), + new GroupElementPreComp( + new FieldElement( 16335052,9132434,25640582,6678888,1725628,8517937,-11807024,-11697457,15445875,-7798101 ), + new FieldElement( 29004207,-7867081,28661402,-640412,-12794003,-7943086,31863255,-4135540,-278050,-15759279 ), + new FieldElement( -6122061,-14866665,-28614905,14569919,-10857999,-3591829,10343412,-6976290,-29828287,-10815811 ) + ), + new GroupElementPreComp( + new FieldElement( 27081650,3463984,14099042,-4517604,1616303,-6205604,29542636,15372179,17293797,960709 ), + new FieldElement( 20263915,11434237,-5765435,11236810,13505955,-10857102,-16111345,6493122,-19384511,7639714 ), + new FieldElement( -2830798,-14839232,25403038,-8215196,-8317012,-16173699,18006287,-16043750,29994677,-15808121 ) + ), + new GroupElementPreComp( + new FieldElement( 9769828,5202651,-24157398,-13631392,-28051003,-11561624,-24613141,-13860782,-31184575,709464 ), + new FieldElement( 12286395,13076066,-21775189,-1176622,-25003198,4057652,-32018128,-8890874,16102007,13205847 ), + new FieldElement( 13733362,5599946,10557076,3195751,-5557991,8536970,-25540170,8525972,10151379,10394400 ) + ), + new GroupElementPreComp( + new FieldElement( 4024660,-16137551,22436262,12276534,-9099015,-2686099,19698229,11743039,-33302334,8934414 ), + new FieldElement( -15879800,-4525240,-8580747,-2934061,14634845,-698278,-9449077,3137094,-11536886,11721158 ), + new FieldElement( 17555939,-5013938,8268606,2331751,-22738815,9761013,9319229,8835153,-9205489,-1280045 ) + ), + new GroupElementPreComp( + new FieldElement( -461409,-7830014,20614118,16688288,-7514766,-4807119,22300304,505429,6108462,-6183415 ), + new FieldElement( -5070281,12367917,-30663534,3234473,32617080,-8422642,29880583,-13483331,-26898490,-7867459 ), + new FieldElement( -31975283,5726539,26934134,10237677,-3173717,-605053,24199304,3795095,7592688,-14992079 ) + ), + new GroupElementPreComp( + new FieldElement( 21594432,-14964228,17466408,-4077222,32537084,2739898,6407723,12018833,-28256052,4298412 ), + new FieldElement( -20650503,-11961496,-27236275,570498,3767144,-1717540,13891942,-1569194,13717174,10805743 ), + new FieldElement( -14676630,-15644296,15287174,11927123,24177847,-8175568,-796431,14860609,-26938930,-5863836 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( 12962541,5311799,-10060768,11658280,18855286,-7954201,13286263,-12808704,-4381056,9882022 ), + new FieldElement( 18512079,11319350,-20123124,15090309,18818594,5271736,-22727904,3666879,-23967430,-3299429 ), + new FieldElement( -6789020,-3146043,16192429,13241070,15898607,-14206114,-10084880,-6661110,-2403099,5276065 ) + ), + new GroupElementPreComp( + new FieldElement( 30169808,-5317648,26306206,-11750859,27814964,7069267,7152851,3684982,1449224,13082861 ), + new FieldElement( 10342826,3098505,2119311,193222,25702612,12233820,23697382,15056736,-21016438,-8202000 ), + new FieldElement( -33150110,3261608,22745853,7948688,19370557,-15177665,-26171976,6482814,-10300080,-11060101 ) + ), + new GroupElementPreComp( + new FieldElement( 32869458,-5408545,25609743,15678670,-10687769,-15471071,26112421,2521008,-22664288,6904815 ), + new FieldElement( 29506923,4457497,3377935,-9796444,-30510046,12935080,1561737,3841096,-29003639,-6657642 ), + new FieldElement( 10340844,-6630377,-18656632,-2278430,12621151,-13339055,30878497,-11824370,-25584551,5181966 ) + ), + new GroupElementPreComp( + new FieldElement( 25940115,-12658025,17324188,-10307374,-8671468,15029094,24396252,-16450922,-2322852,-12388574 ), + new FieldElement( -21765684,9916823,-1300409,4079498,-1028346,11909559,1782390,12641087,20603771,-6561742 ), + new FieldElement( -18882287,-11673380,24849422,11501709,13161720,-4768874,1925523,11914390,4662781,7820689 ) + ), + new GroupElementPreComp( + new FieldElement( 12241050,-425982,8132691,9393934,32846760,-1599620,29749456,12172924,16136752,15264020 ), + new FieldElement( -10349955,-14680563,-8211979,2330220,-17662549,-14545780,10658213,6671822,19012087,3772772 ), + new FieldElement( 3753511,-3421066,10617074,2028709,14841030,-6721664,28718732,-15762884,20527771,12988982 ) + ), + new GroupElementPreComp( + new FieldElement( -14822485,-5797269,-3707987,12689773,-898983,-10914866,-24183046,-10564943,3299665,-12424953 ), + new FieldElement( -16777703,-15253301,-9642417,4978983,3308785,8755439,6943197,6461331,-25583147,8991218 ), + new FieldElement( -17226263,1816362,-1673288,-6086439,31783888,-8175991,-32948145,7417950,-30242287,1507265 ) + ), + new GroupElementPreComp( + new FieldElement( 29692663,6829891,-10498800,4334896,20945975,-11906496,-28887608,8209391,14606362,-10647073 ), + new FieldElement( -3481570,8707081,32188102,5672294,22096700,1711240,-33020695,9761487,4170404,-2085325 ), + new FieldElement( -11587470,14855945,-4127778,-1531857,-26649089,15084046,22186522,16002000,-14276837,-8400798 ) + ), + new GroupElementPreComp( + new FieldElement( -4811456,13761029,-31703877,-2483919,-3312471,7869047,-7113572,-9620092,13240845,10965870 ), + new FieldElement( -7742563,-8256762,-14768334,-13656260,-23232383,12387166,4498947,14147411,29514390,4302863 ), + new FieldElement( -13413405,-12407859,20757302,-13801832,14785143,8976368,-5061276,-2144373,17846988,-13971927 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( -2244452,-754728,-4597030,-1066309,-6247172,1455299,-21647728,-9214789,-5222701,12650267 ), + new FieldElement( -9906797,-16070310,21134160,12198166,-27064575,708126,387813,13770293,-19134326,10958663 ), + new FieldElement( 22470984,12369526,23446014,-5441109,-21520802,-9698723,-11772496,-11574455,-25083830,4271862 ) + ), + new GroupElementPreComp( + new FieldElement( -25169565,-10053642,-19909332,15361595,-5984358,2159192,75375,-4278529,-32526221,8469673 ), + new FieldElement( 15854970,4148314,-8893890,7259002,11666551,13824734,-30531198,2697372,24154791,-9460943 ), + new FieldElement( 15446137,-15806644,29759747,14019369,30811221,-9610191,-31582008,12840104,24913809,9815020 ) + ), + new GroupElementPreComp( + new FieldElement( -4709286,-5614269,-31841498,-12288893,-14443537,10799414,-9103676,13438769,18735128,9466238 ), + new FieldElement( 11933045,9281483,5081055,-5183824,-2628162,-4905629,-7727821,-10896103,-22728655,16199064 ), + new FieldElement( 14576810,379472,-26786533,-8317236,-29426508,-10812974,-102766,1876699,30801119,2164795 ) + ), + new GroupElementPreComp( + new FieldElement( 15995086,3199873,13672555,13712240,-19378835,-4647646,-13081610,-15496269,-13492807,1268052 ), + new FieldElement( -10290614,-3659039,-3286592,10948818,23037027,3794475,-3470338,-12600221,-17055369,3565904 ), + new FieldElement( 29210088,-9419337,-5919792,-4952785,10834811,-13327726,-16512102,-10820713,-27162222,-14030531 ) + ), + new GroupElementPreComp( + new FieldElement( -13161890,15508588,16663704,-8156150,-28349942,9019123,-29183421,-3769423,2244111,-14001979 ), + new FieldElement( -5152875,-3800936,-9306475,-6071583,16243069,14684434,-25673088,-16180800,13491506,4641841 ), + new FieldElement( 10813417,643330,-19188515,-728916,30292062,-16600078,27548447,-7721242,14476989,-12767431 ) + ), + new GroupElementPreComp( + new FieldElement( 10292079,9984945,6481436,8279905,-7251514,7032743,27282937,-1644259,-27912810,12651324 ), + new FieldElement( -31185513,-813383,22271204,11835308,10201545,15351028,17099662,3988035,21721536,-3148940 ), + new FieldElement( 10202177,-6545839,-31373232,-9574638,-32150642,-8119683,-12906320,3852694,13216206,14842320 ) + ), + new GroupElementPreComp( + new FieldElement( -15815640,-10601066,-6538952,-7258995,-6984659,-6581778,-31500847,13765824,-27434397,9900184 ), + new FieldElement( 14465505,-13833331,-32133984,-14738873,-27443187,12990492,33046193,15796406,-7051866,-8040114 ), + new FieldElement( 30924417,-8279620,6359016,-12816335,16508377,9071735,-25488601,15413635,9524356,-7018878 ) + ), + new GroupElementPreComp( + new FieldElement( 12274201,-13175547,32627641,-1785326,6736625,13267305,5237659,-5109483,15663516,4035784 ), + new FieldElement( -2951309,8903985,17349946,601635,-16432815,-4612556,-13732739,-15889334,-22258478,4659091 ), + new FieldElement( -16916263,-4952973,-30393711,-15158821,20774812,15897498,5736189,15026997,-2178256,-13455585 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( -8858980,-2219056,28571666,-10155518,-474467,-10105698,-3801496,278095,23440562,-290208 ), + new FieldElement( 10226241,-5928702,15139956,120818,-14867693,5218603,32937275,11551483,-16571960,-7442864 ), + new FieldElement( 17932739,-12437276,-24039557,10749060,11316803,7535897,22503767,5561594,-3646624,3898661 ) + ), + new GroupElementPreComp( + new FieldElement( 7749907,-969567,-16339731,-16464,-25018111,15122143,-1573531,7152530,21831162,1245233 ), + new FieldElement( 26958459,-14658026,4314586,8346991,-5677764,11960072,-32589295,-620035,-30402091,-16716212 ), + new FieldElement( -12165896,9166947,33491384,13673479,29787085,13096535,6280834,14587357,-22338025,13987525 ) + ), + new GroupElementPreComp( + new FieldElement( -24349909,7778775,21116000,15572597,-4833266,-5357778,-4300898,-5124639,-7469781,-2858068 ), + new FieldElement( 9681908,-6737123,-31951644,13591838,-6883821,386950,31622781,6439245,-14581012,4091397 ), + new FieldElement( -8426427,1470727,-28109679,-1596990,3978627,-5123623,-19622683,12092163,29077877,-14741988 ) + ), + new GroupElementPreComp( + new FieldElement( 5269168,-6859726,-13230211,-8020715,25932563,1763552,-5606110,-5505881,-20017847,2357889 ), + new FieldElement( 32264008,-15407652,-5387735,-1160093,-2091322,-3946900,23104804,-12869908,5727338,189038 ), + new FieldElement( 14609123,-8954470,-6000566,-16622781,-14577387,-7743898,-26745169,10942115,-25888931,-14884697 ) + ), + new GroupElementPreComp( + new FieldElement( 20513500,5557931,-15604613,7829531,26413943,-2019404,-21378968,7471781,13913677,-5137875 ), + new FieldElement( -25574376,11967826,29233242,12948236,-6754465,4713227,-8940970,14059180,12878652,8511905 ), + new FieldElement( -25656801,3393631,-2955415,-7075526,-2250709,9366908,-30223418,6812974,5568676,-3127656 ) + ), + new GroupElementPreComp( + new FieldElement( 11630004,12144454,2116339,13606037,27378885,15676917,-17408753,-13504373,-14395196,8070818 ), + new FieldElement( 27117696,-10007378,-31282771,-5570088,1127282,12772488,-29845906,10483306,-11552749,-1028714 ), + new FieldElement( 10637467,-5688064,5674781,1072708,-26343588,-6982302,-1683975,9177853,-27493162,15431203 ) + ), + new GroupElementPreComp( + new FieldElement( 20525145,10892566,-12742472,12779443,-29493034,16150075,-28240519,14943142,-15056790,-7935931 ), + new FieldElement( -30024462,5626926,-551567,-9981087,753598,11981191,25244767,-3239766,-3356550,9594024 ), + new FieldElement( -23752644,2636870,-5163910,-10103818,585134,7877383,11345683,-6492290,13352335,-10977084 ) + ), + new GroupElementPreComp( + new FieldElement( -1931799,-5407458,3304649,-12884869,17015806,-4877091,-29783850,-7752482,-13215537,-319204 ), + new FieldElement( 20239939,6607058,6203985,3483793,-18386976,-779229,-20723742,15077870,-22750759,14523817 ), + new FieldElement( 27406042,-6041657,27423596,-4497394,4996214,10002360,-28842031,-4545494,-30172742,-4805667 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( 11374242,12660715,17861383,-12540833,10935568,1099227,-13886076,-9091740,-27727044,11358504 ), + new FieldElement( -12730809,10311867,1510375,10778093,-2119455,-9145702,32676003,11149336,-26123651,4985768 ), + new FieldElement( -19096303,341147,-6197485,-239033,15756973,-8796662,-983043,13794114,-19414307,-15621255 ) + ), + new GroupElementPreComp( + new FieldElement( 6490081,11940286,25495923,-7726360,8668373,-8751316,3367603,6970005,-1691065,-9004790 ), + new FieldElement( 1656497,13457317,15370807,6364910,13605745,8362338,-19174622,-5475723,-16796596,-5031438 ), + new FieldElement( -22273315,-13524424,-64685,-4334223,-18605636,-10921968,-20571065,-7007978,-99853,-10237333 ) + ), + new GroupElementPreComp( + new FieldElement( 17747465,10039260,19368299,-4050591,-20630635,-16041286,31992683,-15857976,-29260363,-5511971 ), + new FieldElement( 31932027,-4986141,-19612382,16366580,22023614,88450,11371999,-3744247,4882242,-10626905 ), + new FieldElement( 29796507,37186,19818052,10115756,-11829032,3352736,18551198,3272828,-5190932,-4162409 ) + ), + new GroupElementPreComp( + new FieldElement( 12501286,4044383,-8612957,-13392385,-32430052,5136599,-19230378,-3529697,330070,-3659409 ), + new FieldElement( 6384877,2899513,17807477,7663917,-2358888,12363165,25366522,-8573892,-271295,12071499 ), + new FieldElement( -8365515,-4042521,25133448,-4517355,-6211027,2265927,-32769618,1936675,-5159697,3829363 ) + ), + new GroupElementPreComp( + new FieldElement( 28425966,-5835433,-577090,-4697198,-14217555,6870930,7921550,-6567787,26333140,14267664 ), + new FieldElement( -11067219,11871231,27385719,-10559544,-4585914,-11189312,10004786,-8709488,-21761224,8930324 ), + new FieldElement( -21197785,-16396035,25654216,-1725397,12282012,11008919,1541940,4757911,-26491501,-16408940 ) + ), + new GroupElementPreComp( + new FieldElement( 13537262,-7759490,-20604840,10961927,-5922820,-13218065,-13156584,6217254,-15943699,13814990 ), + new FieldElement( -17422573,15157790,18705543,29619,24409717,-260476,27361681,9257833,-1956526,-1776914 ), + new FieldElement( -25045300,-10191966,15366585,15166509,-13105086,8423556,-29171540,12361135,-18685978,4578290 ) + ), + new GroupElementPreComp( + new FieldElement( 24579768,3711570,1342322,-11180126,-27005135,14124956,-22544529,14074919,21964432,8235257 ), + new FieldElement( -6528613,-2411497,9442966,-5925588,12025640,-1487420,-2981514,-1669206,13006806,2355433 ), + new FieldElement( -16304899,-13605259,-6632427,-5142349,16974359,-10911083,27202044,1719366,1141648,-12796236 ) + ), + new GroupElementPreComp( + new FieldElement( -12863944,-13219986,-8318266,-11018091,-6810145,-4843894,13475066,-3133972,32674895,13715045 ), + new FieldElement( 11423335,-5468059,32344216,8962751,24989809,9241752,-13265253,16086212,-28740881,-15642093 ), + new FieldElement( -1409668,12530728,-6368726,10847387,19531186,-14132160,-11709148,7791794,-27245943,4383347 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( -28970898,5271447,-1266009,-9736989,-12455236,16732599,-4862407,-4906449,27193557,6245191 ), + new FieldElement( -15193956,5362278,-1783893,2695834,4960227,12840725,23061898,3260492,22510453,8577507 ), + new FieldElement( -12632451,11257346,-32692994,13548177,-721004,10879011,31168030,13952092,-29571492,-3635906 ) + ), + new GroupElementPreComp( + new FieldElement( 3877321,-9572739,32416692,5405324,-11004407,-13656635,3759769,11935320,5611860,8164018 ), + new FieldElement( -16275802,14667797,15906460,12155291,-22111149,-9039718,32003002,-8832289,5773085,-8422109 ), + new FieldElement( -23788118,-8254300,1950875,8937633,18686727,16459170,-905725,12376320,31632953,190926 ) + ), + new GroupElementPreComp( + new FieldElement( -24593607,-16138885,-8423991,13378746,14162407,6901328,-8288749,4508564,-25341555,-3627528 ), + new FieldElement( 8884438,-5884009,6023974,10104341,-6881569,-4941533,18722941,-14786005,-1672488,827625 ), + new FieldElement( -32720583,-16289296,-32503547,7101210,13354605,2659080,-1800575,-14108036,-24878478,1541286 ) + ), + new GroupElementPreComp( + new FieldElement( 2901347,-1117687,3880376,-10059388,-17620940,-3612781,-21802117,-3567481,20456845,-1885033 ), + new FieldElement( 27019610,12299467,-13658288,-1603234,-12861660,-4861471,-19540150,-5016058,29439641,15138866 ), + new FieldElement( 21536104,-6626420,-32447818,-10690208,-22408077,5175814,-5420040,-16361163,7779328,109896 ) + ), + new GroupElementPreComp( + new FieldElement( 30279744,14648750,-8044871,6425558,13639621,-743509,28698390,12180118,23177719,-554075 ), + new FieldElement( 26572847,3405927,-31701700,12890905,-19265668,5335866,-6493768,2378492,4439158,-13279347 ), + new FieldElement( -22716706,3489070,-9225266,-332753,18875722,-1140095,14819434,-12731527,-17717757,-5461437 ) + ), + new GroupElementPreComp( + new FieldElement( -5056483,16566551,15953661,3767752,-10436499,15627060,-820954,2177225,8550082,-15114165 ), + new FieldElement( -18473302,16596775,-381660,15663611,22860960,15585581,-27844109,-3582739,-23260460,-8428588 ), + new FieldElement( -32480551,15707275,-8205912,-5652081,29464558,2713815,-22725137,15860482,-21902570,1494193 ) + ), + new GroupElementPreComp( + new FieldElement( -19562091,-14087393,-25583872,-9299552,13127842,759709,21923482,16529112,8742704,12967017 ), + new FieldElement( -28464899,1553205,32536856,-10473729,-24691605,-406174,-8914625,-2933896,-29903758,15553883 ), + new FieldElement( 21877909,3230008,9881174,10539357,-4797115,2841332,11543572,14513274,19375923,-12647961 ) + ), + new GroupElementPreComp( + new FieldElement( 8832269,-14495485,13253511,5137575,5037871,4078777,24880818,-6222716,2862653,9455043 ), + new FieldElement( 29306751,5123106,20245049,-14149889,9592566,8447059,-2077124,-2990080,15511449,4789663 ), + new FieldElement( -20679756,7004547,8824831,-9434977,-4045704,-3750736,-5754762,108893,23513200,16652362 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( -33256173,4144782,-4476029,-6579123,10770039,-7155542,-6650416,-12936300,-18319198,10212860 ), + new FieldElement( 2756081,8598110,7383731,-6859892,22312759,-1105012,21179801,2600940,-9988298,-12506466 ), + new FieldElement( -24645692,13317462,-30449259,-15653928,21365574,-10869657,11344424,864440,-2499677,-16710063 ) + ), + new GroupElementPreComp( + new FieldElement( -26432803,6148329,-17184412,-14474154,18782929,-275997,-22561534,211300,2719757,4940997 ), + new FieldElement( -1323882,3911313,-6948744,14759765,-30027150,7851207,21690126,8518463,26699843,5276295 ), + new FieldElement( -13149873,-6429067,9396249,365013,24703301,-10488939,1321586,149635,-15452774,7159369 ) + ), + new GroupElementPreComp( + new FieldElement( 9987780,-3404759,17507962,9505530,9731535,-2165514,22356009,8312176,22477218,-8403385 ), + new FieldElement( 18155857,-16504990,19744716,9006923,15154154,-10538976,24256460,-4864995,-22548173,9334109 ), + new FieldElement( 2986088,-4911893,10776628,-3473844,10620590,-7083203,-21413845,14253545,-22587149,536906 ) + ), + new GroupElementPreComp( + new FieldElement( 4377756,8115836,24567078,15495314,11625074,13064599,7390551,10589625,10838060,-15420424 ), + new FieldElement( -19342404,867880,9277171,-3218459,-14431572,-1986443,19295826,-15796950,6378260,699185 ), + new FieldElement( 7895026,4057113,-7081772,-13077756,-17886831,-323126,-716039,15693155,-5045064,-13373962 ) + ), + new GroupElementPreComp( + new FieldElement( -7737563,-5869402,-14566319,-7406919,11385654,13201616,31730678,-10962840,-3918636,-9669325 ), + new FieldElement( 10188286,-15770834,-7336361,13427543,22223443,14896287,30743455,7116568,-21786507,5427593 ), + new FieldElement( 696102,13206899,27047647,-10632082,15285305,-9853179,10798490,-4578720,19236243,12477404 ) + ), + new GroupElementPreComp( + new FieldElement( -11229439,11243796,-17054270,-8040865,-788228,-8167967,-3897669,11180504,-23169516,7733644 ), + new FieldElement( 17800790,-14036179,-27000429,-11766671,23887827,3149671,23466177,-10538171,10322027,15313801 ), + new FieldElement( 26246234,11968874,32263343,-5468728,6830755,-13323031,-15794704,-101982,-24449242,10890804 ) + ), + new GroupElementPreComp( + new FieldElement( -31365647,10271363,-12660625,-6267268,16690207,-13062544,-14982212,16484931,25180797,-5334884 ), + new FieldElement( -586574,10376444,-32586414,-11286356,19801893,10997610,2276632,9482883,316878,13820577 ), + new FieldElement( -9882808,-4510367,-2115506,16457136,-11100081,11674996,30756178,-7515054,30696930,-3712849 ) + ), + new GroupElementPreComp( + new FieldElement( 32988917,-9603412,12499366,7910787,-10617257,-11931514,-7342816,-9985397,-32349517,7392473 ), + new FieldElement( -8855661,15927861,9866406,-3649411,-2396914,-16655781,-30409476,-9134995,25112947,-2926644 ), + new FieldElement( -2504044,-436966,25621774,-5678772,15085042,-5479877,-24884878,-13526194,5537438,-13914319 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( -11225584,2320285,-9584280,10149187,-33444663,5808648,-14876251,-1729667,31234590,6090599 ), + new FieldElement( -9633316,116426,26083934,2897444,-6364437,-2688086,609721,15878753,-6970405,-9034768 ), + new FieldElement( -27757857,247744,-15194774,-9002551,23288161,-10011936,-23869595,6503646,20650474,1804084 ) + ), + new GroupElementPreComp( + new FieldElement( -27589786,15456424,8972517,8469608,15640622,4439847,3121995,-10329713,27842616,-202328 ), + new FieldElement( -15306973,2839644,22530074,10026331,4602058,5048462,28248656,5031932,-11375082,12714369 ), + new FieldElement( 20807691,-7270825,29286141,11421711,-27876523,-13868230,-21227475,1035546,-19733229,12796920 ) + ), + new GroupElementPreComp( + new FieldElement( 12076899,-14301286,-8785001,-11848922,-25012791,16400684,-17591495,-12899438,3480665,-15182815 ), + new FieldElement( -32361549,5457597,28548107,7833186,7303070,-11953545,-24363064,-15921875,-33374054,2771025 ), + new FieldElement( -21389266,421932,26597266,6860826,22486084,-6737172,-17137485,-4210226,-24552282,15673397 ) + ), + new GroupElementPreComp( + new FieldElement( -20184622,2338216,19788685,-9620956,-4001265,-8740893,-20271184,4733254,3727144,-12934448 ), + new FieldElement( 6120119,814863,-11794402,-622716,6812205,-15747771,2019594,7975683,31123697,-10958981 ), + new FieldElement( 30069250,-11435332,30434654,2958439,18399564,-976289,12296869,9204260,-16432438,9648165 ) + ), + new GroupElementPreComp( + new FieldElement( 32705432,-1550977,30705658,7451065,-11805606,9631813,3305266,5248604,-26008332,-11377501 ), + new FieldElement( 17219865,2375039,-31570947,-5575615,-19459679,9219903,294711,15298639,2662509,-16297073 ), + new FieldElement( -1172927,-7558695,-4366770,-4287744,-21346413,-8434326,32087529,-1222777,32247248,-14389861 ) + ), + new GroupElementPreComp( + new FieldElement( 14312628,1221556,17395390,-8700143,-4945741,-8684635,-28197744,-9637817,-16027623,-13378845 ), + new FieldElement( -1428825,-9678990,-9235681,6549687,-7383069,-468664,23046502,9803137,17597934,2346211 ), + new FieldElement( 18510800,15337574,26171504,981392,-22241552,7827556,-23491134,-11323352,3059833,-11782870 ) + ), + new GroupElementPreComp( + new FieldElement( 10141598,6082907,17829293,-1947643,9830092,13613136,-25556636,-5544586,-33502212,3592096 ), + new FieldElement( 33114168,-15889352,-26525686,-13343397,33076705,8716171,1151462,1521897,-982665,-6837803 ), + new FieldElement( -32939165,-4255815,23947181,-324178,-33072974,-12305637,-16637686,3891704,26353178,693168 ) + ), + new GroupElementPreComp( + new FieldElement( 30374239,1595580,-16884039,13186931,4600344,406904,9585294,-400668,31375464,14369965 ), + new FieldElement( -14370654,-7772529,1510301,6434173,-18784789,-6262728,32732230,-13108839,17901441,16011505 ), + new FieldElement( 18171223,-11934626,-12500402,15197122,-11038147,-15230035,-19172240,-16046376,8764035,12309598 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( 5975908,-5243188,-19459362,-9681747,-11541277,14015782,-23665757,1228319,17544096,-10593782 ), + new FieldElement( 5811932,-1715293,3442887,-2269310,-18367348,-8359541,-18044043,-15410127,-5565381,12348900 ), + new FieldElement( -31399660,11407555,25755363,6891399,-3256938,14872274,-24849353,8141295,-10632534,-585479 ) + ), + new GroupElementPreComp( + new FieldElement( -12675304,694026,-5076145,13300344,14015258,-14451394,-9698672,-11329050,30944593,1130208 ), + new FieldElement( 8247766,-6710942,-26562381,-7709309,-14401939,-14648910,4652152,2488540,23550156,-271232 ), + new FieldElement( 17294316,-3788438,7026748,15626851,22990044,113481,2267737,-5908146,-408818,-137719 ) + ), + new GroupElementPreComp( + new FieldElement( 16091085,-16253926,18599252,7340678,2137637,-1221657,-3364161,14550936,3260525,-7166271 ), + new FieldElement( -4910104,-13332887,18550887,10864893,-16459325,-7291596,-23028869,-13204905,-12748722,2701326 ), + new FieldElement( -8574695,16099415,4629974,-16340524,-20786213,-6005432,-10018363,9276971,11329923,1862132 ) + ), + new GroupElementPreComp( + new FieldElement( 14763076,-15903608,-30918270,3689867,3511892,10313526,-21951088,12219231,-9037963,-940300 ), + new FieldElement( 8894987,-3446094,6150753,3013931,301220,15693451,-31981216,-2909717,-15438168,11595570 ), + new FieldElement( 15214962,3537601,-26238722,-14058872,4418657,-15230761,13947276,10730794,-13489462,-4363670 ) + ), + new GroupElementPreComp( + new FieldElement( -2538306,7682793,32759013,263109,-29984731,-7955452,-22332124,-10188635,977108,699994 ), + new FieldElement( -12466472,4195084,-9211532,550904,-15565337,12917920,19118110,-439841,-30534533,-14337913 ), + new FieldElement( 31788461,-14507657,4799989,7372237,8808585,-14747943,9408237,-10051775,12493932,-5409317 ) + ), + new GroupElementPreComp( + new FieldElement( -25680606,5260744,-19235809,-6284470,-3695942,16566087,27218280,2607121,29375955,6024730 ), + new FieldElement( 842132,-2794693,-4763381,-8722815,26332018,-12405641,11831880,6985184,-9940361,2854096 ), + new FieldElement( -4847262,-7969331,2516242,-5847713,9695691,-7221186,16512645,960770,12121869,16648078 ) + ), + new GroupElementPreComp( + new FieldElement( -15218652,14667096,-13336229,2013717,30598287,-464137,-31504922,-7882064,20237806,2838411 ), + new FieldElement( -19288047,4453152,15298546,-16178388,22115043,-15972604,12544294,-13470457,1068881,-12499905 ), + new FieldElement( -9558883,-16518835,33238498,13506958,30505848,-1114596,-8486907,-2630053,12521378,4845654 ) + ), + new GroupElementPreComp( + new FieldElement( -28198521,10744108,-2958380,10199664,7759311,-13088600,3409348,-873400,-6482306,-12885870 ), + new FieldElement( -23561822,6230156,-20382013,10655314,-24040585,-11621172,10477734,-1240216,-3113227,13974498 ), + new FieldElement( 12966261,15550616,-32038948,-1615346,21025980,-629444,5642325,7188737,18895762,12629579 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( 14741879,-14946887,22177208,-11721237,1279741,8058600,11758140,789443,32195181,3895677 ), + new FieldElement( 10758205,15755439,-4509950,9243698,-4879422,6879879,-2204575,-3566119,-8982069,4429647 ), + new FieldElement( -2453894,15725973,-20436342,-10410672,-5803908,-11040220,-7135870,-11642895,18047436,-15281743 ) + ), + new GroupElementPreComp( + new FieldElement( -25173001,-11307165,29759956,11776784,-22262383,-15820455,10993114,-12850837,-17620701,-9408468 ), + new FieldElement( 21987233,700364,-24505048,14972008,-7774265,-5718395,32155026,2581431,-29958985,8773375 ), + new FieldElement( -25568350,454463,-13211935,16126715,25240068,8594567,20656846,12017935,-7874389,-13920155 ) + ), + new GroupElementPreComp( + new FieldElement( 6028182,6263078,-31011806,-11301710,-818919,2461772,-31841174,-5468042,-1721788,-2776725 ), + new FieldElement( -12278994,16624277,987579,-5922598,32908203,1248608,7719845,-4166698,28408820,6816612 ), + new FieldElement( -10358094,-8237829,19549651,-12169222,22082623,16147817,20613181,13982702,-10339570,5067943 ) + ), + new GroupElementPreComp( + new FieldElement( -30505967,-3821767,12074681,13582412,-19877972,2443951,-19719286,12746132,5331210,-10105944 ), + new FieldElement( 30528811,3601899,-1957090,4619785,-27361822,-15436388,24180793,-12570394,27679908,-1648928 ), + new FieldElement( 9402404,-13957065,32834043,10838634,-26580150,-13237195,26653274,-8685565,22611444,-12715406 ) + ), + new GroupElementPreComp( + new FieldElement( 22190590,1118029,22736441,15130463,-30460692,-5991321,19189625,-4648942,4854859,6622139 ), + new FieldElement( -8310738,-2953450,-8262579,-3388049,-10401731,-271929,13424426,-3567227,26404409,13001963 ), + new FieldElement( -31241838,-15415700,-2994250,8939346,11562230,-12840670,-26064365,-11621720,-15405155,11020693 ) + ), + new GroupElementPreComp( + new FieldElement( 1866042,-7949489,-7898649,-10301010,12483315,13477547,3175636,-12424163,28761762,1406734 ), + new FieldElement( -448555,-1777666,13018551,3194501,-9580420,-11161737,24760585,-4347088,25577411,-13378680 ), + new FieldElement( -24290378,4759345,-690653,-1852816,2066747,10693769,-29595790,9884936,-9368926,4745410 ) + ), + new GroupElementPreComp( + new FieldElement( -9141284,6049714,-19531061,-4341411,-31260798,9944276,-15462008,-11311852,10931924,-11931931 ), + new FieldElement( -16561513,14112680,-8012645,4817318,-8040464,-11414606,-22853429,10856641,-20470770,13434654 ), + new FieldElement( 22759489,-10073434,-16766264,-1871422,13637442,-10168091,1765144,-12654326,28445307,-5364710 ) + ), + new GroupElementPreComp( + new FieldElement( 29875063,12493613,2795536,-3786330,1710620,15181182,-10195717,-8788675,9074234,1167180 ), + new FieldElement( -26205683,11014233,-9842651,-2635485,-26908120,7532294,-18716888,-9535498,3843903,9367684 ), + new FieldElement( -10969595,-6403711,9591134,9582310,11349256,108879,16235123,8601684,-139197,4242895 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( 22092954,-13191123,-2042793,-11968512,32186753,-11517388,-6574341,2470660,-27417366,16625501 ), + new FieldElement( -11057722,3042016,13770083,-9257922,584236,-544855,-7770857,2602725,-27351616,14247413 ), + new FieldElement( 6314175,-10264892,-32772502,15957557,-10157730,168750,-8618807,14290061,27108877,-1180880 ) + ), + new GroupElementPreComp( + new FieldElement( -8586597,-7170966,13241782,10960156,-32991015,-13794596,33547976,-11058889,-27148451,981874 ), + new FieldElement( 22833440,9293594,-32649448,-13618667,-9136966,14756819,-22928859,-13970780,-10479804,-16197962 ), + new FieldElement( -7768587,3326786,-28111797,10783824,19178761,14905060,22680049,13906969,-15933690,3797899 ) + ), + new GroupElementPreComp( + new FieldElement( 21721356,-4212746,-12206123,9310182,-3882239,-13653110,23740224,-2709232,20491983,-8042152 ), + new FieldElement( 9209270,-15135055,-13256557,-6167798,-731016,15289673,25947805,15286587,30997318,-6703063 ), + new FieldElement( 7392032,16618386,23946583,-8039892,-13265164,-1533858,-14197445,-2321576,17649998,-250080 ) + ), + new GroupElementPreComp( + new FieldElement( -9301088,-14193827,30609526,-3049543,-25175069,-1283752,-15241566,-9525724,-2233253,7662146 ), + new FieldElement( -17558673,1763594,-33114336,15908610,-30040870,-12174295,7335080,-8472199,-3174674,3440183 ), + new FieldElement( -19889700,-5977008,-24111293,-9688870,10799743,-16571957,40450,-4431835,4862400,1133 ) + ), + new GroupElementPreComp( + new FieldElement( -32856209,-7873957,-5422389,14860950,-16319031,7956142,7258061,311861,-30594991,-7379421 ), + new FieldElement( -3773428,-1565936,28985340,7499440,24445838,9325937,29727763,16527196,18278453,15405622 ), + new FieldElement( -4381906,8508652,-19898366,-3674424,-5984453,15149970,-13313598,843523,-21875062,13626197 ) + ), + new GroupElementPreComp( + new FieldElement( 2281448,-13487055,-10915418,-2609910,1879358,16164207,-10783882,3953792,13340839,15928663 ), + new FieldElement( 31727126,-7179855,-18437503,-8283652,2875793,-16390330,-25269894,-7014826,-23452306,5964753 ), + new FieldElement( 4100420,-5959452,-17179337,6017714,-18705837,12227141,-26684835,11344144,2538215,-7570755 ) + ), + new GroupElementPreComp( + new FieldElement( -9433605,6123113,11159803,-2156608,30016280,14966241,-20474983,1485421,-629256,-15958862 ), + new FieldElement( -26804558,4260919,11851389,9658551,-32017107,16367492,-20205425,-13191288,11659922,-11115118 ), + new FieldElement( 26180396,10015009,-30844224,-8581293,5418197,9480663,2231568,-10170080,33100372,-1306171 ) + ), + new GroupElementPreComp( + new FieldElement( 15121113,-5201871,-10389905,15427821,-27509937,-15992507,21670947,4486675,-5931810,-14466380 ), + new FieldElement( 16166486,-9483733,-11104130,6023908,-31926798,-1364923,2340060,-16254968,-10735770,-10039824 ), + new FieldElement( 28042865,-3557089,-12126526,12259706,-3717498,-6945899,6766453,-8689599,18036436,5803270 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( -817581,6763912,11803561,1585585,10958447,-2671165,23855391,4598332,-6159431,-14117438 ), + new FieldElement( -31031306,-14256194,17332029,-2383520,31312682,-5967183,696309,50292,-20095739,11763584 ), + new FieldElement( -594563,-2514283,-32234153,12643980,12650761,14811489,665117,-12613632,-19773211,-10713562 ) + ), + new GroupElementPreComp( + new FieldElement( 30464590,-11262872,-4127476,-12734478,19835327,-7105613,-24396175,2075773,-17020157,992471 ), + new FieldElement( 18357185,-6994433,7766382,16342475,-29324918,411174,14578841,8080033,-11574335,-10601610 ), + new FieldElement( 19598397,10334610,12555054,2555664,18821899,-10339780,21873263,16014234,26224780,16452269 ) + ), + new GroupElementPreComp( + new FieldElement( -30223925,5145196,5944548,16385966,3976735,2009897,-11377804,-7618186,-20533829,3698650 ), + new FieldElement( 14187449,3448569,-10636236,-10810935,-22663880,-3433596,7268410,-10890444,27394301,12015369 ), + new FieldElement( 19695761,16087646,28032085,12999827,6817792,11427614,20244189,-1312777,-13259127,-3402461 ) + ), + new GroupElementPreComp( + new FieldElement( 30860103,12735208,-1888245,-4699734,-16974906,2256940,-8166013,12298312,-8550524,-10393462 ), + new FieldElement( -5719826,-11245325,-1910649,15569035,26642876,-7587760,-5789354,-15118654,-4976164,12651793 ), + new FieldElement( -2848395,9953421,11531313,-5282879,26895123,-12697089,-13118820,-16517902,9768698,-2533218 ) + ), + new GroupElementPreComp( + new FieldElement( -24719459,1894651,-287698,-4704085,15348719,-8156530,32767513,12765450,4940095,10678226 ), + new FieldElement( 18860224,15980149,-18987240,-1562570,-26233012,-11071856,-7843882,13944024,-24372348,16582019 ), + new FieldElement( -15504260,4970268,-29893044,4175593,-20993212,-2199756,-11704054,15444560,-11003761,7989037 ) + ), + new GroupElementPreComp( + new FieldElement( 31490452,5568061,-2412803,2182383,-32336847,4531686,-32078269,6200206,-19686113,-14800171 ), + new FieldElement( -17308668,-15879940,-31522777,-2831,-32887382,16375549,8680158,-16371713,28550068,-6857132 ), + new FieldElement( -28126887,-5688091,16837845,-1820458,-6850681,12700016,-30039981,4364038,1155602,5988841 ) + ), + new GroupElementPreComp( + new FieldElement( 21890435,-13272907,-12624011,12154349,-7831873,15300496,23148983,-4470481,24618407,8283181 ), + new FieldElement( -33136107,-10512751,9975416,6841041,-31559793,16356536,3070187,-7025928,1466169,10740210 ), + new FieldElement( -1509399,-15488185,-13503385,-10655916,32799044,909394,-13938903,-5779719,-32164649,-15327040 ) + ), + new GroupElementPreComp( + new FieldElement( 3960823,-14267803,-28026090,-15918051,-19404858,13146868,15567327,951507,-3260321,-573935 ), + new FieldElement( 24740841,5052253,-30094131,8961361,25877428,6165135,-24368180,14397372,-7380369,-6144105 ), + new FieldElement( -28888365,3510803,-28103278,-1158478,-11238128,-10631454,-15441463,-14453128,-1625486,-6494814 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( 793299,-9230478,8836302,-6235707,-27360908,-2369593,33152843,-4885251,-9906200,-621852 ), + new FieldElement( 5666233,525582,20782575,-8038419,-24538499,14657740,16099374,1468826,-6171428,-15186581 ), + new FieldElement( -4859255,-3779343,-2917758,-6748019,7778750,11688288,-30404353,-9871238,-1558923,-9863646 ) + ), + new GroupElementPreComp( + new FieldElement( 10896332,-7719704,824275,472601,-19460308,3009587,25248958,14783338,-30581476,-15757844 ), + new FieldElement( 10566929,12612572,-31944212,11118703,-12633376,12362879,21752402,8822496,24003793,14264025 ), + new FieldElement( 27713862,-7355973,-11008240,9227530,27050101,2504721,23886875,-13117525,13958495,-5732453 ) + ), + new GroupElementPreComp( + new FieldElement( -23481610,4867226,-27247128,3900521,29838369,-8212291,-31889399,-10041781,7340521,-15410068 ), + new FieldElement( 4646514,-8011124,-22766023,-11532654,23184553,8566613,31366726,-1381061,-15066784,-10375192 ), + new FieldElement( -17270517,12723032,-16993061,14878794,21619651,-6197576,27584817,3093888,-8843694,3849921 ) + ), + new GroupElementPreComp( + new FieldElement( -9064912,2103172,25561640,-15125738,-5239824,9582958,32477045,-9017955,5002294,-15550259 ), + new FieldElement( -12057553,-11177906,21115585,-13365155,8808712,-12030708,16489530,13378448,-25845716,12741426 ), + new FieldElement( -5946367,10645103,-30911586,15390284,-3286982,-7118677,24306472,15852464,28834118,-7646072 ) + ), + new GroupElementPreComp( + new FieldElement( -17335748,-9107057,-24531279,9434953,-8472084,-583362,-13090771,455841,20461858,5491305 ), + new FieldElement( 13669248,-16095482,-12481974,-10203039,-14569770,-11893198,-24995986,11293807,-28588204,-9421832 ), + new FieldElement( 28497928,6272777,-33022994,14470570,8906179,-1225630,18504674,-14165166,29867745,-8795943 ) + ), + new GroupElementPreComp( + new FieldElement( -16207023,13517196,-27799630,-13697798,24009064,-6373891,-6367600,-13175392,22853429,-4012011 ), + new FieldElement( 24191378,16712145,-13931797,15217831,14542237,1646131,18603514,-11037887,12876623,-2112447 ), + new FieldElement( 17902668,4518229,-411702,-2829247,26878217,5258055,-12860753,608397,16031844,3723494 ) + ), + new GroupElementPreComp( + new FieldElement( -28632773,12763728,-20446446,7577504,33001348,-13017745,17558842,-7872890,23896954,-4314245 ), + new FieldElement( -20005381,-12011952,31520464,605201,2543521,5991821,-2945064,7229064,-9919646,-8826859 ), + new FieldElement( 28816045,298879,-28165016,-15920938,19000928,-1665890,-12680833,-2949325,-18051778,-2082915 ) + ), + new GroupElementPreComp( + new FieldElement( 16000882,-344896,3493092,-11447198,-29504595,-13159789,12577740,16041268,-19715240,7847707 ), + new FieldElement( 10151868,10572098,27312476,7922682,14825339,4723128,-32855931,-6519018,-10020567,3852848 ), + new FieldElement( -11430470,15697596,-21121557,-4420647,5386314,15063598,16514493,-15932110,29330899,-15076224 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( -25499735,-4378794,-15222908,-6901211,16615731,2051784,3303702,15490,-27548796,12314391 ), + new FieldElement( 15683520,-6003043,18109120,-9980648,15337968,-5997823,-16717435,15921866,16103996,-3731215 ), + new FieldElement( -23169824,-10781249,13588192,-1628807,-3798557,-1074929,-19273607,5402699,-29815713,-9841101 ) + ), + new GroupElementPreComp( + new FieldElement( 23190676,2384583,-32714340,3462154,-29903655,-1529132,-11266856,8911517,-25205859,2739713 ), + new FieldElement( 21374101,-3554250,-33524649,9874411,15377179,11831242,-33529904,6134907,4931255,11987849 ), + new FieldElement( -7732,-2978858,-16223486,7277597,105524,-322051,-31480539,13861388,-30076310,10117930 ) + ), + new GroupElementPreComp( + new FieldElement( -29501170,-10744872,-26163768,13051539,-25625564,5089643,-6325503,6704079,12890019,15728940 ), + new FieldElement( -21972360,-11771379,-951059,-4418840,14704840,2695116,903376,-10428139,12885167,8311031 ), + new FieldElement( -17516482,5352194,10384213,-13811658,7506451,13453191,26423267,4384730,1888765,-5435404 ) + ), + new GroupElementPreComp( + new FieldElement( -25817338,-3107312,-13494599,-3182506,30896459,-13921729,-32251644,-12707869,-19464434,-3340243 ), + new FieldElement( -23607977,-2665774,-526091,4651136,5765089,4618330,6092245,14845197,17151279,-9854116 ), + new FieldElement( -24830458,-12733720,-15165978,10367250,-29530908,-265356,22825805,-7087279,-16866484,16176525 ) + ), + new GroupElementPreComp( + new FieldElement( -23583256,6564961,20063689,3798228,-4740178,7359225,2006182,-10363426,-28746253,-10197509 ), + new FieldElement( -10626600,-4486402,-13320562,-5125317,3432136,-6393229,23632037,-1940610,32808310,1099883 ), + new FieldElement( 15030977,5768825,-27451236,-2887299,-6427378,-15361371,-15277896,-6809350,2051441,-15225865 ) + ), + new GroupElementPreComp( + new FieldElement( -3362323,-7239372,7517890,9824992,23555850,295369,5148398,-14154188,-22686354,16633660 ), + new FieldElement( 4577086,-16752288,13249841,-15304328,19958763,-14537274,18559670,-10759549,8402478,-9864273 ), + new FieldElement( -28406330,-1051581,-26790155,-907698,-17212414,-11030789,9453451,-14980072,17983010,9967138 ) + ), + new GroupElementPreComp( + new FieldElement( -25762494,6524722,26585488,9969270,24709298,1220360,-1677990,7806337,17507396,3651560 ), + new FieldElement( -10420457,-4118111,14584639,15971087,-15768321,8861010,26556809,-5574557,-18553322,-11357135 ), + new FieldElement( 2839101,14284142,4029895,3472686,14402957,12689363,-26642121,8459447,-5605463,-7621941 ) + ), + new GroupElementPreComp( + new FieldElement( -4839289,-3535444,9744961,2871048,25113978,3187018,-25110813,-849066,17258084,-7977739 ), + new FieldElement( 18164541,-10595176,-17154882,-1542417,19237078,-9745295,23357533,-15217008,26908270,12150756 ), + new FieldElement( -30264870,-7647865,5112249,-7036672,-1499807,-6974257,43168,-5537701,-32302074,16215819 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( -6898905,9824394,-12304779,-4401089,-31397141,-6276835,32574489,12532905,-7503072,-8675347 ), + new FieldElement( -27343522,-16515468,-27151524,-10722951,946346,16291093,254968,7168080,21676107,-1943028 ), + new FieldElement( 21260961,-8424752,-16831886,-11920822,-23677961,3968121,-3651949,-6215466,-3556191,-7913075 ) + ), + new GroupElementPreComp( + new FieldElement( 16544754,13250366,-16804428,15546242,-4583003,12757258,-2462308,-8680336,-18907032,-9662799 ), + new FieldElement( -2415239,-15577728,18312303,4964443,-15272530,-12653564,26820651,16690659,25459437,-4564609 ), + new FieldElement( -25144690,11425020,28423002,-11020557,-6144921,-15826224,9142795,-2391602,-6432418,-1644817 ) + ), + new GroupElementPreComp( + new FieldElement( -23104652,6253476,16964147,-3768872,-25113972,-12296437,-27457225,-16344658,6335692,7249989 ), + new FieldElement( -30333227,13979675,7503222,-12368314,-11956721,-4621693,-30272269,2682242,25993170,-12478523 ), + new FieldElement( 4364628,5930691,32304656,-10044554,-8054781,15091131,22857016,-10598955,31820368,15075278 ) + ), + new GroupElementPreComp( + new FieldElement( 31879134,-8918693,17258761,90626,-8041836,-4917709,24162788,-9650886,-17970238,12833045 ), + new FieldElement( 19073683,14851414,-24403169,-11860168,7625278,11091125,-19619190,2074449,-9413939,14905377 ), + new FieldElement( 24483667,-11935567,-2518866,-11547418,-1553130,15355506,-25282080,9253129,27628530,-7555480 ) + ), + new GroupElementPreComp( + new FieldElement( 17597607,8340603,19355617,552187,26198470,-3176583,4593324,-9157582,-14110875,15297016 ), + new FieldElement( 510886,14337390,-31785257,16638632,6328095,2713355,-20217417,-11864220,8683221,2921426 ), + new FieldElement( 18606791,11874196,27155355,-5281482,-24031742,6265446,-25178240,-1278924,4674690,13890525 ) + ), + new GroupElementPreComp( + new FieldElement( 13609624,13069022,-27372361,-13055908,24360586,9592974,14977157,9835105,4389687,288396 ), + new FieldElement( 9922506,-519394,13613107,5883594,-18758345,-434263,-12304062,8317628,23388070,16052080 ), + new FieldElement( 12720016,11937594,-31970060,-5028689,26900120,8561328,-20155687,-11632979,-14754271,-10812892 ) + ), + new GroupElementPreComp( + new FieldElement( 15961858,14150409,26716931,-665832,-22794328,13603569,11829573,7467844,-28822128,929275 ), + new FieldElement( 11038231,-11582396,-27310482,-7316562,-10498527,-16307831,-23479533,-9371869,-21393143,2465074 ), + new FieldElement( 20017163,-4323226,27915242,1529148,12396362,15675764,13817261,-9658066,2463391,-4622140 ) + ), + new GroupElementPreComp( + new FieldElement( -16358878,-12663911,-12065183,4996454,-1256422,1073572,9583558,12851107,4003896,12673717 ), + new FieldElement( -1731589,-15155870,-3262930,16143082,19294135,13385325,14741514,-9103726,7903886,2348101 ), + new FieldElement( 24536016,-16515207,12715592,-3862155,1511293,10047386,-3842346,-7129159,-28377538,10048127 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( -12622226,-6204820,30718825,2591312,-10617028,12192840,18873298,-7297090,-32297756,15221632 ), + new FieldElement( -26478122,-11103864,11546244,-1852483,9180880,7656409,-21343950,2095755,29769758,6593415 ), + new FieldElement( -31994208,-2907461,4176912,3264766,12538965,-868111,26312345,-6118678,30958054,8292160 ) + ), + new GroupElementPreComp( + new FieldElement( 31429822,-13959116,29173532,15632448,12174511,-2760094,32808831,3977186,26143136,-3148876 ), + new FieldElement( 22648901,1402143,-22799984,13746059,7936347,365344,-8668633,-1674433,-3758243,-2304625 ), + new FieldElement( -15491917,8012313,-2514730,-12702462,-23965846,-10254029,-1612713,-1535569,-16664475,8194478 ) + ), + new GroupElementPreComp( + new FieldElement( 27338066,-7507420,-7414224,10140405,-19026427,-6589889,27277191,8855376,28572286,3005164 ), + new FieldElement( 26287124,4821776,25476601,-4145903,-3764513,-15788984,-18008582,1182479,-26094821,-13079595 ), + new FieldElement( -7171154,3178080,23970071,6201893,-17195577,-4489192,-21876275,-13982627,32208683,-1198248 ) + ), + new GroupElementPreComp( + new FieldElement( -16657702,2817643,-10286362,14811298,6024667,13349505,-27315504,-10497842,-27672585,-11539858 ), + new FieldElement( 15941029,-9405932,-21367050,8062055,31876073,-238629,-15278393,-1444429,15397331,-4130193 ), + new FieldElement( 8934485,-13485467,-23286397,-13423241,-32446090,14047986,31170398,-1441021,-27505566,15087184 ) + ), + new GroupElementPreComp( + new FieldElement( -18357243,-2156491,24524913,-16677868,15520427,-6360776,-15502406,11461896,16788528,-5868942 ), + new FieldElement( -1947386,16013773,21750665,3714552,-17401782,-16055433,-3770287,-10323320,31322514,-11615635 ), + new FieldElement( 21426655,-5650218,-13648287,-5347537,-28812189,-4920970,-18275391,-14621414,13040862,-12112948 ) + ), + new GroupElementPreComp( + new FieldElement( 11293895,12478086,-27136401,15083750,-29307421,14748872,14555558,-13417103,1613711,4896935 ), + new FieldElement( -25894883,15323294,-8489791,-8057900,25967126,-13425460,2825960,-4897045,-23971776,-11267415 ), + new FieldElement( -15924766,-5229880,-17443532,6410664,3622847,10243618,20615400,12405433,-23753030,-8436416 ) + ), + new GroupElementPreComp( + new FieldElement( -7091295,12556208,-20191352,9025187,-17072479,4333801,4378436,2432030,23097949,-566018 ), + new FieldElement( 4565804,-16025654,20084412,-7842817,1724999,189254,24767264,10103221,-18512313,2424778 ), + new FieldElement( 366633,-11976806,8173090,-6890119,30788634,5745705,-7168678,1344109,-3642553,12412659 ) + ), + new GroupElementPreComp( + new FieldElement( -24001791,7690286,14929416,-168257,-32210835,-13412986,24162697,-15326504,-3141501,11179385 ), + new FieldElement( 18289522,-14724954,8056945,16430056,-21729724,7842514,-6001441,-1486897,-18684645,-11443503 ), + new FieldElement( 476239,6601091,-6152790,-9723375,17503545,-4863900,27672959,13403813,11052904,5219329 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( 20678546,-8375738,-32671898,8849123,-5009758,14574752,31186971,-3973730,9014762,-8579056 ), + new FieldElement( -13644050,-10350239,-15962508,5075808,-1514661,-11534600,-33102500,9160280,8473550,-3256838 ), + new FieldElement( 24900749,14435722,17209120,-15292541,-22592275,9878983,-7689309,-16335821,-24568481,11788948 ) + ), + new GroupElementPreComp( + new FieldElement( -3118155,-11395194,-13802089,14797441,9652448,-6845904,-20037437,10410733,-24568470,-1458691 ), + new FieldElement( -15659161,16736706,-22467150,10215878,-9097177,7563911,11871841,-12505194,-18513325,8464118 ), + new FieldElement( -23400612,8348507,-14585951,-861714,-3950205,-6373419,14325289,8628612,33313881,-8370517 ) + ), + new GroupElementPreComp( + new FieldElement( -20186973,-4967935,22367356,5271547,-1097117,-4788838,-24805667,-10236854,-8940735,-5818269 ), + new FieldElement( -6948785,-1795212,-32625683,-16021179,32635414,-7374245,15989197,-12838188,28358192,-4253904 ), + new FieldElement( -23561781,-2799059,-32351682,-1661963,-9147719,10429267,-16637684,4072016,-5351664,5596589 ) + ), + new GroupElementPreComp( + new FieldElement( -28236598,-3390048,12312896,6213178,3117142,16078565,29266239,2557221,1768301,15373193 ), + new FieldElement( -7243358,-3246960,-4593467,-7553353,-127927,-912245,-1090902,-4504991,-24660491,3442910 ), + new FieldElement( -30210571,5124043,14181784,8197961,18964734,-11939093,22597931,7176455,-18585478,13365930 ) + ), + new GroupElementPreComp( + new FieldElement( -7877390,-1499958,8324673,4690079,6261860,890446,24538107,-8570186,-9689599,-3031667 ), + new FieldElement( 25008904,-10771599,-4305031,-9638010,16265036,15721635,683793,-11823784,15723479,-15163481 ), + new FieldElement( -9660625,12374379,-27006999,-7026148,-7724114,-12314514,11879682,5400171,519526,-1235876 ) + ), + new GroupElementPreComp( + new FieldElement( 22258397,-16332233,-7869817,14613016,-22520255,-2950923,-20353881,7315967,16648397,7605640 ), + new FieldElement( -8081308,-8464597,-8223311,9719710,19259459,-15348212,23994942,-5281555,-9468848,4763278 ), + new FieldElement( -21699244,9220969,-15730624,1084137,-25476107,-2852390,31088447,-7764523,-11356529,728112 ) + ), + new GroupElementPreComp( + new FieldElement( 26047220,-11751471,-6900323,-16521798,24092068,9158119,-4273545,-12555558,-29365436,-5498272 ), + new FieldElement( 17510331,-322857,5854289,8403524,17133918,-3112612,-28111007,12327945,10750447,10014012 ), + new FieldElement( -10312768,3936952,9156313,-8897683,16498692,-994647,-27481051,-666732,3424691,7540221 ) + ), + new GroupElementPreComp( + new FieldElement( 30322361,-6964110,11361005,-4143317,7433304,4989748,-7071422,-16317219,-9244265,15258046 ), + new FieldElement( 13054562,-2779497,19155474,469045,-12482797,4566042,5631406,2711395,1062915,-5136345 ), + new FieldElement( -19240248,-11254599,-29509029,-7499965,-5835763,13005411,-6066489,12194497,32960380,1459310 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( 19852034,7027924,23669353,10020366,8586503,-6657907,394197,-6101885,18638003,-11174937 ), + new FieldElement( 31395534,15098109,26581030,8030562,-16527914,-5007134,9012486,-7584354,-6643087,-5442636 ), + new FieldElement( -9192165,-2347377,-1997099,4529534,25766844,607986,-13222,9677543,-32294889,-6456008 ) + ), + new GroupElementPreComp( + new FieldElement( -2444496,-149937,29348902,8186665,1873760,12489863,-30934579,-7839692,-7852844,-8138429 ), + new FieldElement( -15236356,-15433509,7766470,746860,26346930,-10221762,-27333451,10754588,-9431476,5203576 ), + new FieldElement( 31834314,14135496,-770007,5159118,20917671,-16768096,-7467973,-7337524,31809243,7347066 ) + ), + new GroupElementPreComp( + new FieldElement( -9606723,-11874240,20414459,13033986,13716524,-11691881,19797970,-12211255,15192876,-2087490 ), + new FieldElement( -12663563,-2181719,1168162,-3804809,26747877,-14138091,10609330,12694420,33473243,-13382104 ), + new FieldElement( 33184999,11180355,15832085,-11385430,-1633671,225884,15089336,-11023903,-6135662,14480053 ) + ), + new GroupElementPreComp( + new FieldElement( 31308717,-5619998,31030840,-1897099,15674547,-6582883,5496208,13685227,27595050,8737275 ), + new FieldElement( -20318852,-15150239,10933843,-16178022,8335352,-7546022,-31008351,-12610604,26498114,66511 ), + new FieldElement( 22644454,-8761729,-16671776,4884562,-3105614,-13559366,30540766,-4286747,-13327787,-7515095 ) + ), + new GroupElementPreComp( + new FieldElement( -28017847,9834845,18617207,-2681312,-3401956,-13307506,8205540,13585437,-17127465,15115439 ), + new FieldElement( 23711543,-672915,31206561,-8362711,6164647,-9709987,-33535882,-1426096,8236921,16492939 ), + new FieldElement( -23910559,-13515526,-26299483,-4503841,25005590,-7687270,19574902,10071562,6708380,-6222424 ) + ), + new GroupElementPreComp( + new FieldElement( 2101391,-4930054,19702731,2367575,-15427167,1047675,5301017,9328700,29955601,-11678310 ), + new FieldElement( 3096359,9271816,-21620864,-15521844,-14847996,-7592937,-25892142,-12635595,-9917575,6216608 ), + new FieldElement( -32615849,338663,-25195611,2510422,-29213566,-13820213,24822830,-6146567,-26767480,7525079 ) + ), + new GroupElementPreComp( + new FieldElement( -23066649,-13985623,16133487,-7896178,-3389565,778788,-910336,-2782495,-19386633,11994101 ), + new FieldElement( 21691500,-13624626,-641331,-14367021,3285881,-3483596,-25064666,9718258,-7477437,13381418 ), + new FieldElement( 18445390,-4202236,14979846,11622458,-1727110,-3582980,23111648,-6375247,28535282,15779576 ) + ), + new GroupElementPreComp( + new FieldElement( 30098053,3089662,-9234387,16662135,-21306940,11308411,-14068454,12021730,9955285,-16303356 ), + new FieldElement( 9734894,-14576830,-7473633,-9138735,2060392,11313496,-18426029,9924399,20194861,13380996 ), + new FieldElement( -26378102,-7965207,-22167821,15789297,-18055342,-6168792,-1984914,15707771,26342023,10146099 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( -26016874,-219943,21339191,-41388,19745256,-2878700,-29637280,2227040,21612326,-545728 ), + new FieldElement( -13077387,1184228,23562814,-5970442,-20351244,-6348714,25764461,12243797,-20856566,11649658 ), + new FieldElement( -10031494,11262626,27384172,2271902,26947504,-15997771,39944,6114064,33514190,2333242 ) + ), + new GroupElementPreComp( + new FieldElement( -21433588,-12421821,8119782,7219913,-21830522,-9016134,-6679750,-12670638,24350578,-13450001 ), + new FieldElement( -4116307,-11271533,-23886186,4843615,-30088339,690623,-31536088,-10406836,8317860,12352766 ), + new FieldElement( 18200138,-14475911,-33087759,-2696619,-23702521,-9102511,-23552096,-2287550,20712163,6719373 ) + ), + new GroupElementPreComp( + new FieldElement( 26656208,6075253,-7858556,1886072,-28344043,4262326,11117530,-3763210,26224235,-3297458 ), + new FieldElement( -17168938,-14854097,-3395676,-16369877,-19954045,14050420,21728352,9493610,18620611,-16428628 ), + new FieldElement( -13323321,13325349,11432106,5964811,18609221,6062965,-5269471,-9725556,-30701573,-16479657 ) + ), + new GroupElementPreComp( + new FieldElement( -23860538,-11233159,26961357,1640861,-32413112,-16737940,12248509,-5240639,13735342,1934062 ), + new FieldElement( 25089769,6742589,17081145,-13406266,21909293,-16067981,-15136294,-3765346,-21277997,5473616 ), + new FieldElement( 31883677,-7961101,1083432,-11572403,22828471,13290673,-7125085,12469656,29111212,-5451014 ) + ), + new GroupElementPreComp( + new FieldElement( 24244947,-15050407,-26262976,2791540,-14997599,16666678,24367466,6388839,-10295587,452383 ), + new FieldElement( -25640782,-3417841,5217916,16224624,19987036,-4082269,-24236251,-5915248,15766062,8407814 ), + new FieldElement( -20406999,13990231,15495425,16395525,5377168,15166495,-8917023,-4388953,-8067909,2276718 ) + ), + new GroupElementPreComp( + new FieldElement( 30157918,12924066,-17712050,9245753,19895028,3368142,-23827587,5096219,22740376,-7303417 ), + new FieldElement( 2041139,-14256350,7783687,13876377,-25946985,-13352459,24051124,13742383,-15637599,13295222 ), + new FieldElement( 33338237,-8505733,12532113,7977527,9106186,-1715251,-17720195,-4612972,-4451357,-14669444 ) + ), + new GroupElementPreComp( + new FieldElement( -20045281,5454097,-14346548,6447146,28862071,1883651,-2469266,-4141880,7770569,9620597 ), + new FieldElement( 23208068,7979712,33071466,8149229,1758231,-10834995,30945528,-1694323,-33502340,-14767970 ), + new FieldElement( 1439958,-16270480,-1079989,-793782,4625402,10647766,-5043801,1220118,30494170,-11440799 ) + ), + new GroupElementPreComp( + new FieldElement( -5037580,-13028295,-2970559,-3061767,15640974,-6701666,-26739026,926050,-1684339,-13333647 ), + new FieldElement( 13908495,-3549272,30919928,-6273825,-21521863,7989039,9021034,9078865,3353509,4033511 ), + new FieldElement( -29663431,-15113610,32259991,-344482,24295849,-12912123,23161163,8839127,27485041,7356032 ) + ), + }, + new[]{ + new GroupElementPreComp( + new FieldElement( 9661027,705443,11980065,-5370154,-1628543,14661173,-6346142,2625015,28431036,-16771834 ), + new FieldElement( -23839233,-8311415,-25945511,7480958,-17681669,-8354183,-22545972,14150565,15970762,4099461 ), + new FieldElement( 29262576,16756590,26350592,-8793563,8529671,-11208050,13617293,-9937143,11465739,8317062 ) + ), + new GroupElementPreComp( + new FieldElement( -25493081,-6962928,32500200,-9419051,-23038724,-2302222,14898637,3848455,20969334,-5157516 ), + new FieldElement( -20384450,-14347713,-18336405,13884722,-33039454,2842114,-21610826,-3649888,11177095,14989547 ), + new FieldElement( -24496721,-11716016,16959896,2278463,12066309,10137771,13515641,2581286,-28487508,9930240 ) + ), + new GroupElementPreComp( + new FieldElement( -17751622,-2097826,16544300,-13009300,-15914807,-14949081,18345767,-13403753,16291481,-5314038 ), + new FieldElement( -33229194,2553288,32678213,9875984,8534129,6889387,-9676774,6957617,4368891,9788741 ), + new FieldElement( 16660756,7281060,-10830758,12911820,20108584,-8101676,-21722536,-8613148,16250552,-11111103 ) + ), + new GroupElementPreComp( + new FieldElement( -19765507,2390526,-16551031,14161980,1905286,6414907,4689584,10604807,-30190403,4782747 ), + new FieldElement( -1354539,14736941,-7367442,-13292886,7710542,-14155590,-9981571,4383045,22546403,437323 ), + new FieldElement( 31665577,-12180464,-16186830,1491339,-18368625,3294682,27343084,2786261,-30633590,-14097016 ) + ), + new GroupElementPreComp( + new FieldElement( -14467279,-683715,-33374107,7448552,19294360,14334329,-19690631,2355319,-19284671,-6114373 ), + new FieldElement( 15121312,-15796162,6377020,-6031361,-10798111,-12957845,18952177,15496498,-29380133,11754228 ), + new FieldElement( -2637277,-13483075,8488727,-14303896,12728761,-1622493,7141596,11724556,22761615,-10134141 ) + ), + new GroupElementPreComp( + new FieldElement( 16918416,11729663,-18083579,3022987,-31015732,-13339659,-28741185,-12227393,32851222,11717399 ), + new FieldElement( 11166634,7338049,-6722523,4531520,-29468672,-7302055,31474879,3483633,-1193175,-4030831 ), + new FieldElement( -185635,9921305,31456609,-13536438,-12013818,13348923,33142652,6546660,-19985279,-3948376 ) + ), + new GroupElementPreComp( + new FieldElement( -32460596,11266712,-11197107,-7899103,31703694,3855903,-8537131,-12833048,-30772034,-15486313 ), + new FieldElement( -18006477,12709068,3991746,-6479188,-21491523,-10550425,-31135347,-16049879,10928917,3011958 ), + new FieldElement( -6957757,-15594337,31696059,334240,29576716,14796075,-30831056,-12805180,18008031,10258577 ) + ), + new GroupElementPreComp( + new FieldElement( -22448644,15655569,7018479,-4410003,-30314266,-1201591,-1853465,1367120,25127874,6671743 ), + new FieldElement( 29701166,-14373934,-10878120,9279288,-17568,13127210,21382910,11042292,25838796,4642684 ), + new FieldElement( -20430234,14955537,-24126347,8124619,-5369288,-5990470,30468147,-13900640,18423289,4177476 ) + ) + } + }; + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/base2.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/base2.cs new file mode 100644 index 0000000..03676e5 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/base2.cs @@ -0,0 +1,50 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class LookupTables + { + internal static readonly GroupElementPreComp[] Base2 = new GroupElementPreComp[]{ + new GroupElementPreComp( + new FieldElement( 25967493,-14356035,29566456,3660896,-12694345,4014787,27544626,-11754271,-6079156,2047605 ), + new FieldElement( -12545711,934262,-2722910,3049990,-727428,9406986,12720692,5043384,19500929,-15469378 ), + new FieldElement( -8738181,4489570,9688441,-14785194,10184609,-12363380,29287919,11864899,-24514362,-4438546 ) + ), + new GroupElementPreComp( + new FieldElement( 15636291,-9688557,24204773,-7912398,616977,-16685262,27787600,-14772189,28944400,-1550024 ), + new FieldElement( 16568933,4717097,-11556148,-1102322,15682896,-11807043,16354577,-11775962,7689662,11199574 ), + new FieldElement( 30464156,-5976125,-11779434,-15670865,23220365,15915852,7512774,10017326,-17749093,-9920357 ) + ), + new GroupElementPreComp( + new FieldElement( 10861363,11473154,27284546,1981175,-30064349,12577861,32867885,14515107,-15438304,10819380 ), + new FieldElement( 4708026,6336745,20377586,9066809,-11272109,6594696,-25653668,12483688,-12668491,5581306 ), + new FieldElement( 19563160,16186464,-29386857,4097519,10237984,-4348115,28542350,13850243,-23678021,-15815942 ) + ), + new GroupElementPreComp( + new FieldElement( 5153746,9909285,1723747,-2777874,30523605,5516873,19480852,5230134,-23952439,-15175766 ), + new FieldElement( -30269007,-3463509,7665486,10083793,28475525,1649722,20654025,16520125,30598449,7715701 ), + new FieldElement( 28881845,14381568,9657904,3680757,-20181635,7843316,-31400660,1370708,29794553,-1409300 ) + ), + new GroupElementPreComp( + new FieldElement( -22518993,-6692182,14201702,-8745502,-23510406,8844726,18474211,-1361450,-13062696,13821877 ), + new FieldElement( -6455177,-7839871,3374702,-4740862,-27098617,-10571707,31655028,-7212327,18853322,-14220951 ), + new FieldElement( 4566830,-12963868,-28974889,-12240689,-7602672,-2830569,-8514358,-10431137,2207753,-3209784 ) + ), + new GroupElementPreComp( + new FieldElement( -25154831,-4185821,29681144,7868801,-6854661,-9423865,-12437364,-663000,-31111463,-16132436 ), + new FieldElement( 25576264,-2703214,7349804,-11814844,16472782,9300885,3844789,15725684,171356,6466918 ), + new FieldElement( 23103977,13316479,9739013,-16149481,817875,-15038942,8965339,-14088058,-30714912,16193877 ) + ), + new GroupElementPreComp( + new FieldElement( -33521811,3180713,-2394130,14003687,-16903474,-16270840,17238398,4729455,-18074513,9256800 ), + new FieldElement( -25182317,-4174131,32336398,5036987,-21236817,11360617,22616405,9761698,-19827198,630305 ), + new FieldElement( -13720693,2639453,-24237460,-7406481,9494427,-5774029,-6554551,-15960994,-2449256,-14291300 ) + ), + new GroupElementPreComp( + new FieldElement( -3151181,-5046075,9282714,6866145,-31907062,-863023,-18940575,15033784,25105118,-7894876 ), + new FieldElement( -24326370,15950226,-31801215,-14592823,-11662737,-5090925,1573892,-2625887,2198790,-15804619 ), + new FieldElement( -3099351,10324967,-2241613,7453183,-5446979,-2735503,-13812022,-16236442,-32461234,-12290683 ) + ) + }; + } +} diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/d.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/d.cs new file mode 100644 index 0000000..9a9343a --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/d.cs @@ -0,0 +1,9 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class LookupTables + { + internal static FieldElement d = new FieldElement(-10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116); + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/d2.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/d2.cs new file mode 100644 index 0000000..7479311 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/d2.cs @@ -0,0 +1,9 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class LookupTables + { + internal static FieldElement d2 = new FieldElement(-21827239, -5839606, -30745221, 13898782, 229458, 15978800, -12551817, -6495438, 29715968, 9444199); + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_0.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_0.cs new file mode 100644 index 0000000..f207532 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_0.cs @@ -0,0 +1,12 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class FieldOperations + { + public static void fe_0(out FieldElement h) + { + h = default(FieldElement); + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_1.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_1.cs new file mode 100644 index 0000000..822ea59 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_1.cs @@ -0,0 +1,13 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class FieldOperations + { + public static void fe_1(out FieldElement h) + { + h = default(FieldElement); + h.x0 = 1; + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_add.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_add.cs new file mode 100644 index 0000000..a5c2fb7 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_add.cs @@ -0,0 +1,63 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class FieldOperations + { + /* + h = f + g + Can overlap h with f or g. + + Preconditions: + |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + + Postconditions: + |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. + */ + //void fe_add(fe h,const fe f,const fe g) + internal static void fe_add(out FieldElement h, ref FieldElement f, ref FieldElement g) + { + Int32 f0 = f.x0; + Int32 f1 = f.x1; + Int32 f2 = f.x2; + Int32 f3 = f.x3; + Int32 f4 = f.x4; + Int32 f5 = f.x5; + Int32 f6 = f.x6; + Int32 f7 = f.x7; + Int32 f8 = f.x8; + Int32 f9 = f.x9; + Int32 g0 = g.x0; + Int32 g1 = g.x1; + Int32 g2 = g.x2; + Int32 g3 = g.x3; + Int32 g4 = g.x4; + Int32 g5 = g.x5; + Int32 g6 = g.x6; + Int32 g7 = g.x7; + Int32 g8 = g.x8; + Int32 g9 = g.x9; + Int32 h0 = f0 + g0; + Int32 h1 = f1 + g1; + Int32 h2 = f2 + g2; + Int32 h3 = f3 + g3; + Int32 h4 = f4 + g4; + Int32 h5 = f5 + g5; + Int32 h6 = f6 + g6; + Int32 h7 = f7 + g7; + Int32 h8 = f8 + g8; + Int32 h9 = f9 + g9; + h.x0 = h0; + h.x1 = h1; + h.x2 = h2; + h.x3 = h3; + h.x4 = h4; + h.x5 = h5; + h.x6 = h6; + h.x7 = h7; + h.x8 = h8; + h.x9 = h9; + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_cmov.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_cmov.cs new file mode 100644 index 0000000..039905b --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_cmov.cs @@ -0,0 +1,70 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class FieldOperations + { + /* + Replace (f,g) with (g,g) if b == 1; + replace (f,g) with (f,g) if b == 0. + + Preconditions: b in {0,1}. + */ + + //void fe_cmov(fe f,const fe g,unsigned int b) + internal static void fe_cmov(ref FieldElement f, ref FieldElement g, int b) + { + Int32 f0 = f.x0; + Int32 f1 = f.x1; + Int32 f2 = f.x2; + Int32 f3 = f.x3; + Int32 f4 = f.x4; + Int32 f5 = f.x5; + Int32 f6 = f.x6; + Int32 f7 = f.x7; + Int32 f8 = f.x8; + Int32 f9 = f.x9; + Int32 g0 = g.x0; + Int32 g1 = g.x1; + Int32 g2 = g.x2; + Int32 g3 = g.x3; + Int32 g4 = g.x4; + Int32 g5 = g.x5; + Int32 g6 = g.x6; + Int32 g7 = g.x7; + Int32 g8 = g.x8; + Int32 g9 = g.x9; + Int32 x0 = f0 ^ g0; + Int32 x1 = f1 ^ g1; + Int32 x2 = f2 ^ g2; + Int32 x3 = f3 ^ g3; + Int32 x4 = f4 ^ g4; + Int32 x5 = f5 ^ g5; + Int32 x6 = f6 ^ g6; + Int32 x7 = f7 ^ g7; + Int32 x8 = f8 ^ g8; + Int32 x9 = f9 ^ g9; + b = -b; + x0 &= b; + x1 &= b; + x2 &= b; + x3 &= b; + x4 &= b; + x5 &= b; + x6 &= b; + x7 &= b; + x8 &= b; + x9 &= b; + f.x0 = f0 ^ x0; + f.x1 = f1 ^ x1; + f.x2 = f2 ^ x2; + f.x3 = f3 ^ x3; + f.x4 = f4 ^ x4; + f.x5 = f5 ^ x5; + f.x6 = f6 ^ x6; + f.x7 = f7 ^ x7; + f.x8 = f8 ^ x8; + f.x9 = f9 ^ x9; + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_cswap.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_cswap.cs new file mode 100644 index 0000000..b28bf20 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_cswap.cs @@ -0,0 +1,78 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class FieldOperations + { + /* + Replace (f,g) with (g,f) if b == 1; + replace (f,g) with (f,g) if b == 0. + + Preconditions: b in {0,1}. + */ + public static void fe_cswap(ref FieldElement f, ref FieldElement g, uint b) + { + Int32 f0 = f.x0; + Int32 f1 = f.x1; + Int32 f2 = f.x2; + Int32 f3 = f.x3; + Int32 f4 = f.x4; + Int32 f5 = f.x5; + Int32 f6 = f.x6; + Int32 f7 = f.x7; + Int32 f8 = f.x8; + Int32 f9 = f.x9; + Int32 g0 = g.x0; + Int32 g1 = g.x1; + Int32 g2 = g.x2; + Int32 g3 = g.x3; + Int32 g4 = g.x4; + Int32 g5 = g.x5; + Int32 g6 = g.x6; + Int32 g7 = g.x7; + Int32 g8 = g.x8; + Int32 g9 = g.x9; + Int32 x0 = f0 ^ g0; + Int32 x1 = f1 ^ g1; + Int32 x2 = f2 ^ g2; + Int32 x3 = f3 ^ g3; + Int32 x4 = f4 ^ g4; + Int32 x5 = f5 ^ g5; + Int32 x6 = f6 ^ g6; + Int32 x7 = f7 ^ g7; + Int32 x8 = f8 ^ g8; + Int32 x9 = f9 ^ g9; + int negb = unchecked((int)-b); + x0 &= negb; + x1 &= negb; + x2 &= negb; + x3 &= negb; + x4 &= negb; + x5 &= negb; + x6 &= negb; + x7 &= negb; + x8 &= negb; + x9 &= negb; + f.x0 = f0 ^ x0; + f.x1 = f1 ^ x1; + f.x2 = f2 ^ x2; + f.x3 = f3 ^ x3; + f.x4 = f4 ^ x4; + f.x5 = f5 ^ x5; + f.x6 = f6 ^ x6; + f.x7 = f7 ^ x7; + f.x8 = f8 ^ x8; + f.x9 = f9 ^ x9; + g.x0 = g0 ^ x0; + g.x1 = g1 ^ x1; + g.x2 = g2 ^ x2; + g.x3 = g3 ^ x3; + g.x4 = g4 ^ x4; + g.x5 = g5 ^ x5; + g.x6 = g6 ^ x6; + g.x7 = g7 ^ x7; + g.x8 = g8 ^ x8; + g.x9 = g9 ^ x9; + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_frombytes.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_frombytes.cs new file mode 100644 index 0000000..49afb18 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_frombytes.cs @@ -0,0 +1,122 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class FieldOperations + { + private static Int64 load_3(byte[] data, int offset) + { + uint result; + result = (uint)data[offset + 0]; + result |= (uint)data[offset + 1] << 8; + result |= (uint)data[offset + 2] << 16; + return (Int64)(UInt64)result; + } + + private static Int64 load_4(byte[] data, int offset) + { + uint result; + result = (uint)data[offset + 0]; + result |= (uint)data[offset + 1] << 8; + result |= (uint)data[offset + 2] << 16; + result |= (uint)data[offset + 3] << 24; + return (Int64)(UInt64)result; + } + + // Ignores top bit of h. + internal static void fe_frombytes(out FieldElement h, byte[] data, int offset) + { + Int64 h0 = load_4(data, offset); + Int64 h1 = load_3(data, offset + 4) << 6; + Int64 h2 = load_3(data, offset + 7) << 5; + Int64 h3 = load_3(data, offset + 10) << 3; + Int64 h4 = load_3(data, offset + 13) << 2; + Int64 h5 = load_4(data, offset + 16); + Int64 h6 = load_3(data, offset + 20) << 7; + Int64 h7 = load_3(data, offset + 23) << 5; + Int64 h8 = load_3(data, offset + 26) << 4; + Int64 h9 = (load_3(data, offset + 29) & 8388607) << 2; + Int64 carry0; + Int64 carry1; + Int64 carry2; + Int64 carry3; + Int64 carry4; + Int64 carry5; + Int64 carry6; + Int64 carry7; + Int64 carry8; + Int64 carry9; + + carry9 = (h9 + (Int64)(1 << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; + carry1 = (h1 + (Int64)(1 << 24)) >> 25; h2 += carry1; h1 -= carry1 << 25; + carry3 = (h3 + (Int64)(1 << 24)) >> 25; h4 += carry3; h3 -= carry3 << 25; + carry5 = (h5 + (Int64)(1 << 24)) >> 25; h6 += carry5; h5 -= carry5 << 25; + carry7 = (h7 + (Int64)(1 << 24)) >> 25; h8 += carry7; h7 -= carry7 << 25; + + carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + carry2 = (h2 + (Int64)(1 << 25)) >> 26; h3 += carry2; h2 -= carry2 << 26; + carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + carry6 = (h6 + (Int64)(1 << 25)) >> 26; h7 += carry6; h6 -= carry6 << 26; + carry8 = (h8 + (Int64)(1 << 25)) >> 26; h9 += carry8; h8 -= carry8 << 26; + + h.x0 = (int)h0; + h.x1 = (int)h1; + h.x2 = (int)h2; + h.x3 = (int)h3; + h.x4 = (int)h4; + h.x5 = (int)h5; + h.x6 = (int)h6; + h.x7 = (int)h7; + h.x8 = (int)h8; + h.x9 = (int)h9; + } + + // does NOT ignore top bit + internal static void fe_frombytes2(out FieldElement h, byte[] data, int offset) + { + Int64 h0 = load_4(data, offset); + Int64 h1 = load_3(data, offset + 4) << 6; + Int64 h2 = load_3(data, offset + 7) << 5; + Int64 h3 = load_3(data, offset + 10) << 3; + Int64 h4 = load_3(data, offset + 13) << 2; + Int64 h5 = load_4(data, offset + 16); + Int64 h6 = load_3(data, offset + 20) << 7; + Int64 h7 = load_3(data, offset + 23) << 5; + Int64 h8 = load_3(data, offset + 26) << 4; + Int64 h9 = load_3(data, offset + 29) << 2; + Int64 carry0; + Int64 carry1; + Int64 carry2; + Int64 carry3; + Int64 carry4; + Int64 carry5; + Int64 carry6; + Int64 carry7; + Int64 carry8; + Int64 carry9; + + carry9 = (h9 + (Int64)(1 << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; + carry1 = (h1 + (Int64)(1 << 24)) >> 25; h2 += carry1; h1 -= carry1 << 25; + carry3 = (h3 + (Int64)(1 << 24)) >> 25; h4 += carry3; h3 -= carry3 << 25; + carry5 = (h5 + (Int64)(1 << 24)) >> 25; h6 += carry5; h5 -= carry5 << 25; + carry7 = (h7 + (Int64)(1 << 24)) >> 25; h8 += carry7; h7 -= carry7 << 25; + + carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + carry2 = (h2 + (Int64)(1 << 25)) >> 26; h3 += carry2; h2 -= carry2 << 26; + carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + carry6 = (h6 + (Int64)(1 << 25)) >> 26; h7 += carry6; h6 -= carry6 << 26; + carry8 = (h8 + (Int64)(1 << 25)) >> 26; h9 += carry8; h8 -= carry8 << 26; + + h.x0 = (int)h0; + h.x1 = (int)h1; + h.x2 = (int)h2; + h.x3 = (int)h3; + h.x4 = (int)h4; + h.x5 = (int)h5; + h.x6 = (int)h6; + h.x7 = (int)h7; + h.x8 = (int)h8; + h.x9 = (int)h9; + } + } +} diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_invert.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_invert.cs new file mode 100644 index 0000000..697fcc4 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_invert.cs @@ -0,0 +1,179 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class FieldOperations + { + internal static void fe_invert(out FieldElement result, ref FieldElement z) + { + FieldElement t0; + FieldElement t1; + FieldElement t2; + FieldElement t3; + int i; + + /* qhasm: fe z1 */ + + /* qhasm: fe z2 */ + + /* qhasm: fe z8 */ + + /* qhasm: fe z9 */ + + /* qhasm: fe z11 */ + + /* qhasm: fe z22 */ + + /* qhasm: fe z_5_0 */ + + /* qhasm: fe z_10_5 */ + + /* qhasm: fe z_10_0 */ + + /* qhasm: fe z_20_10 */ + + /* qhasm: fe z_20_0 */ + + /* qhasm: fe z_40_20 */ + + /* qhasm: fe z_40_0 */ + + /* qhasm: fe z_50_10 */ + + /* qhasm: fe z_50_0 */ + + /* qhasm: fe z_100_50 */ + + /* qhasm: fe z_100_0 */ + + /* qhasm: fe z_200_100 */ + + /* qhasm: fe z_200_0 */ + + /* qhasm: fe z_250_50 */ + + /* qhasm: fe z_250_0 */ + + /* qhasm: fe z_255_5 */ + + /* qhasm: fe z_255_21 */ + + /* qhasm: enter pow225521 */ + + /* qhasm: z2 = z1^2^1 */ + /* asm 1: fe_sq(>z2=fe#1,z2=fe#1,>z2=fe#1); */ + /* asm 2: fe_sq(>z2=t0,z2=t0,>z2=t0); */ + fe_sq(out t0, ref z); //for (i = 1; i < 1; ++i) fe_sq(out t0, ref t0); + + /* qhasm: z8 = z2^2^2 */ + /* asm 1: fe_sq(>z8=fe#2,z8=fe#2,>z8=fe#2); */ + /* asm 2: fe_sq(>z8=t1,z8=t1,>z8=t1); */ + fe_sq(out t1, ref t0); for (i = 1; i < 2; ++i) fe_sq(out t1, ref t1); + + /* qhasm: z9 = z1*z8 */ + /* asm 1: fe_mul(>z9=fe#2,z9=t1,z11=fe#1,z11=t0,z22=fe#3,z22=fe#3,>z22=fe#3); */ + /* asm 2: fe_sq(>z22=t2,z22=t2,>z22=t2); */ + fe_sq(out t2, ref t0); //for (i = 1; i < 1; ++i) fe_sq(out t2, ref t2); + + /* qhasm: z_5_0 = z9*z22 */ + /* asm 1: fe_mul(>z_5_0=fe#2,z_5_0=t1,z_10_5=fe#3,z_10_5=fe#3,>z_10_5=fe#3); */ + /* asm 2: fe_sq(>z_10_5=t2,z_10_5=t2,>z_10_5=t2); */ + fe_sq(out t2, ref t1); for (i = 1; i < 5; ++i) fe_sq(out t2, ref t2); + + /* qhasm: z_10_0 = z_10_5*z_5_0 */ + /* asm 1: fe_mul(>z_10_0=fe#2,z_10_0=t1,z_20_10=fe#3,z_20_10=fe#3,>z_20_10=fe#3); */ + /* asm 2: fe_sq(>z_20_10=t2,z_20_10=t2,>z_20_10=t2); */ + fe_sq(out t2, ref t1); for (i = 1; i < 10; ++i) fe_sq(out t2, ref t2); + + /* qhasm: z_20_0 = z_20_10*z_10_0 */ + /* asm 1: fe_mul(>z_20_0=fe#3,z_20_0=t2,z_40_20=fe#4,z_40_20=fe#4,>z_40_20=fe#4); */ + /* asm 2: fe_sq(>z_40_20=t3,z_40_20=t3,>z_40_20=t3); */ + fe_sq(out t3, ref t2); for (i = 1; i < 20; ++i) fe_sq(out t3, ref t3); + + /* qhasm: z_40_0 = z_40_20*z_20_0 */ + /* asm 1: fe_mul(>z_40_0=fe#3,z_40_0=t2,z_50_10=fe#3,z_50_10=fe#3,>z_50_10=fe#3); */ + /* asm 2: fe_sq(>z_50_10=t2,z_50_10=t2,>z_50_10=t2); */ + fe_sq(out t2, ref t2); for (i = 1; i < 10; ++i) fe_sq(out t2, ref t2); + + /* qhasm: z_50_0 = z_50_10*z_10_0 */ + /* asm 1: fe_mul(>z_50_0=fe#2,z_50_0=t1,z_100_50=fe#3,z_100_50=fe#3,>z_100_50=fe#3); */ + /* asm 2: fe_sq(>z_100_50=t2,z_100_50=t2,>z_100_50=t2); */ + fe_sq(out t2, ref t1); for (i = 1; i < 50; ++i) fe_sq(out t2, ref t2); + + /* qhasm: z_100_0 = z_100_50*z_50_0 */ + /* asm 1: fe_mul(>z_100_0=fe#3,z_100_0=t2,z_200_100=fe#4,z_200_100=fe#4,>z_200_100=fe#4); */ + /* asm 2: fe_sq(>z_200_100=t3,z_200_100=t3,>z_200_100=t3); */ + fe_sq(out t3, ref t2); for (i = 1; i < 100; ++i) fe_sq(out t3, ref t3); + + /* qhasm: z_200_0 = z_200_100*z_100_0 */ + /* asm 1: fe_mul(>z_200_0=fe#3,z_200_0=t2,z_250_50=fe#3,z_250_50=fe#3,>z_250_50=fe#3); */ + /* asm 2: fe_sq(>z_250_50=t2,z_250_50=t2,>z_250_50=t2); */ + fe_sq(out t2, ref t2); for (i = 1; i < 50; ++i) fe_sq(out t2, ref t2); + + /* qhasm: z_250_0 = z_250_50*z_50_0 */ + /* asm 1: fe_mul(>z_250_0=fe#2,z_250_0=t1,z_255_5=fe#2,z_255_5=fe#2,>z_255_5=fe#2); */ + /* asm 2: fe_sq(>z_255_5=t1,z_255_5=t1,>z_255_5=t1); */ + fe_sq(out t1, ref t1); for (i = 1; i < 5; ++i) fe_sq(out t1, ref t1); + + /* qhasm: z_255_21 = z_255_5*z11 */ + /* asm 1: fe_mul(>z_255_21=fe#12,z_255_21=out,> 31) ^ 1); + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_mul.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_mul.cs new file mode 100644 index 0000000..d3c755b --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_mul.cs @@ -0,0 +1,258 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class FieldOperations + { + /* + h = f * g + Can overlap h with f or g. + + Preconditions: + |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + + Postconditions: + |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. + */ + + /* + Notes on implementation strategy: + + Using schoolbook multiplication. + Karatsuba would save a little in some cost models. + + Most multiplications by 2 and 19 are 32-bit precomputations; + cheaper than 64-bit postcomputations. + + There is one remaining multiplication by 19 in the carry chain; + one *19 precomputation can be merged into this, + but the resulting data flow is considerably less clean. + + There are 12 carries below. + 10 of them are 2-way parallelizable and vectorizable. + Can get away with 11 carries, but then data flow is much deeper. + + With tighter constraints on inputs can squeeze carries into int32. + */ + + internal static void fe_mul(out FieldElement h, ref FieldElement f, ref FieldElement g) + { + Int32 f0 = f.x0; + Int32 f1 = f.x1; + Int32 f2 = f.x2; + Int32 f3 = f.x3; + Int32 f4 = f.x4; + Int32 f5 = f.x5; + Int32 f6 = f.x6; + Int32 f7 = f.x7; + Int32 f8 = f.x8; + Int32 f9 = f.x9; + Int32 g0 = g.x0; + Int32 g1 = g.x1; + Int32 g2 = g.x2; + Int32 g3 = g.x3; + Int32 g4 = g.x4; + Int32 g5 = g.x5; + Int32 g6 = g.x6; + Int32 g7 = g.x7; + Int32 g8 = g.x8; + Int32 g9 = g.x9; + Int32 g1_19 = 19 * g1; /* 1.959375*2^29 */ + Int32 g2_19 = 19 * g2; /* 1.959375*2^30; still ok */ + Int32 g3_19 = 19 * g3; + Int32 g4_19 = 19 * g4; + Int32 g5_19 = 19 * g5; + Int32 g6_19 = 19 * g6; + Int32 g7_19 = 19 * g7; + Int32 g8_19 = 19 * g8; + Int32 g9_19 = 19 * g9; + Int32 f1_2 = 2 * f1; + Int32 f3_2 = 2 * f3; + Int32 f5_2 = 2 * f5; + Int32 f7_2 = 2 * f7; + Int32 f9_2 = 2 * f9; + Int64 f0g0 = f0 * (Int64)g0; + Int64 f0g1 = f0 * (Int64)g1; + Int64 f0g2 = f0 * (Int64)g2; + Int64 f0g3 = f0 * (Int64)g3; + Int64 f0g4 = f0 * (Int64)g4; + Int64 f0g5 = f0 * (Int64)g5; + Int64 f0g6 = f0 * (Int64)g6; + Int64 f0g7 = f0 * (Int64)g7; + Int64 f0g8 = f0 * (Int64)g8; + Int64 f0g9 = f0 * (Int64)g9; + Int64 f1g0 = f1 * (Int64)g0; + Int64 f1g1_2 = f1_2 * (Int64)g1; + Int64 f1g2 = f1 * (Int64)g2; + Int64 f1g3_2 = f1_2 * (Int64)g3; + Int64 f1g4 = f1 * (Int64)g4; + Int64 f1g5_2 = f1_2 * (Int64)g5; + Int64 f1g6 = f1 * (Int64)g6; + Int64 f1g7_2 = f1_2 * (Int64)g7; + Int64 f1g8 = f1 * (Int64)g8; + Int64 f1g9_38 = f1_2 * (Int64)g9_19; + Int64 f2g0 = f2 * (Int64)g0; + Int64 f2g1 = f2 * (Int64)g1; + Int64 f2g2 = f2 * (Int64)g2; + Int64 f2g3 = f2 * (Int64)g3; + Int64 f2g4 = f2 * (Int64)g4; + Int64 f2g5 = f2 * (Int64)g5; + Int64 f2g6 = f2 * (Int64)g6; + Int64 f2g7 = f2 * (Int64)g7; + Int64 f2g8_19 = f2 * (Int64)g8_19; + Int64 f2g9_19 = f2 * (Int64)g9_19; + Int64 f3g0 = f3 * (Int64)g0; + Int64 f3g1_2 = f3_2 * (Int64)g1; + Int64 f3g2 = f3 * (Int64)g2; + Int64 f3g3_2 = f3_2 * (Int64)g3; + Int64 f3g4 = f3 * (Int64)g4; + Int64 f3g5_2 = f3_2 * (Int64)g5; + Int64 f3g6 = f3 * (Int64)g6; + Int64 f3g7_38 = f3_2 * (Int64)g7_19; + Int64 f3g8_19 = f3 * (Int64)g8_19; + Int64 f3g9_38 = f3_2 * (Int64)g9_19; + Int64 f4g0 = f4 * (Int64)g0; + Int64 f4g1 = f4 * (Int64)g1; + Int64 f4g2 = f4 * (Int64)g2; + Int64 f4g3 = f4 * (Int64)g3; + Int64 f4g4 = f4 * (Int64)g4; + Int64 f4g5 = f4 * (Int64)g5; + Int64 f4g6_19 = f4 * (Int64)g6_19; + Int64 f4g7_19 = f4 * (Int64)g7_19; + Int64 f4g8_19 = f4 * (Int64)g8_19; + Int64 f4g9_19 = f4 * (Int64)g9_19; + Int64 f5g0 = f5 * (Int64)g0; + Int64 f5g1_2 = f5_2 * (Int64)g1; + Int64 f5g2 = f5 * (Int64)g2; + Int64 f5g3_2 = f5_2 * (Int64)g3; + Int64 f5g4 = f5 * (Int64)g4; + Int64 f5g5_38 = f5_2 * (Int64)g5_19; + Int64 f5g6_19 = f5 * (Int64)g6_19; + Int64 f5g7_38 = f5_2 * (Int64)g7_19; + Int64 f5g8_19 = f5 * (Int64)g8_19; + Int64 f5g9_38 = f5_2 * (Int64)g9_19; + Int64 f6g0 = f6 * (Int64)g0; + Int64 f6g1 = f6 * (Int64)g1; + Int64 f6g2 = f6 * (Int64)g2; + Int64 f6g3 = f6 * (Int64)g3; + Int64 f6g4_19 = f6 * (Int64)g4_19; + Int64 f6g5_19 = f6 * (Int64)g5_19; + Int64 f6g6_19 = f6 * (Int64)g6_19; + Int64 f6g7_19 = f6 * (Int64)g7_19; + Int64 f6g8_19 = f6 * (Int64)g8_19; + Int64 f6g9_19 = f6 * (Int64)g9_19; + Int64 f7g0 = f7 * (Int64)g0; + Int64 f7g1_2 = f7_2 * (Int64)g1; + Int64 f7g2 = f7 * (Int64)g2; + Int64 f7g3_38 = f7_2 * (Int64)g3_19; + Int64 f7g4_19 = f7 * (Int64)g4_19; + Int64 f7g5_38 = f7_2 * (Int64)g5_19; + Int64 f7g6_19 = f7 * (Int64)g6_19; + Int64 f7g7_38 = f7_2 * (Int64)g7_19; + Int64 f7g8_19 = f7 * (Int64)g8_19; + Int64 f7g9_38 = f7_2 * (Int64)g9_19; + Int64 f8g0 = f8 * (Int64)g0; + Int64 f8g1 = f8 * (Int64)g1; + Int64 f8g2_19 = f8 * (Int64)g2_19; + Int64 f8g3_19 = f8 * (Int64)g3_19; + Int64 f8g4_19 = f8 * (Int64)g4_19; + Int64 f8g5_19 = f8 * (Int64)g5_19; + Int64 f8g6_19 = f8 * (Int64)g6_19; + Int64 f8g7_19 = f8 * (Int64)g7_19; + Int64 f8g8_19 = f8 * (Int64)g8_19; + Int64 f8g9_19 = f8 * (Int64)g9_19; + Int64 f9g0 = f9 * (Int64)g0; + Int64 f9g1_38 = f9_2 * (Int64)g1_19; + Int64 f9g2_19 = f9 * (Int64)g2_19; + Int64 f9g3_38 = f9_2 * (Int64)g3_19; + Int64 f9g4_19 = f9 * (Int64)g4_19; + Int64 f9g5_38 = f9_2 * (Int64)g5_19; + Int64 f9g6_19 = f9 * (Int64)g6_19; + Int64 f9g7_38 = f9_2 * (Int64)g7_19; + Int64 f9g8_19 = f9 * (Int64)g8_19; + Int64 f9g9_38 = f9_2 * (Int64)g9_19; + Int64 h0 = f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38; + Int64 h1 = f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19; + Int64 h2 = f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38; + Int64 h3 = f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19; + Int64 h4 = f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38; + Int64 h5 = f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19; + Int64 h6 = f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38; + Int64 h7 = f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19; + Int64 h8 = f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38; + Int64 h9 = f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0; + Int64 carry0; + Int64 carry1; + Int64 carry2; + Int64 carry3; + Int64 carry4; + Int64 carry5; + Int64 carry6; + Int64 carry7; + Int64 carry8; + Int64 carry9; + + /* + |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38)) + i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8 + |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19)) + i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9 + */ + + carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + /* |h0| <= 2^25 */ + /* |h4| <= 2^25 */ + /* |h1| <= 1.71*2^59 */ + /* |h5| <= 1.71*2^59 */ + + carry1 = (h1 + (Int64)(1 << 24)) >> 25; h2 += carry1; h1 -= carry1 << 25; + carry5 = (h5 + (Int64)(1 << 24)) >> 25; h6 += carry5; h5 -= carry5 << 25; + /* |h1| <= 2^24; from now on fits into int32 */ + /* |h5| <= 2^24; from now on fits into int32 */ + /* |h2| <= 1.41*2^60 */ + /* |h6| <= 1.41*2^60 */ + + carry2 = (h2 + (Int64)(1 << 25)) >> 26; h3 += carry2; h2 -= carry2 << 26; + carry6 = (h6 + (Int64)(1 << 25)) >> 26; h7 += carry6; h6 -= carry6 << 26; + /* |h2| <= 2^25; from now on fits into int32 unchanged */ + /* |h6| <= 2^25; from now on fits into int32 unchanged */ + /* |h3| <= 1.71*2^59 */ + /* |h7| <= 1.71*2^59 */ + + carry3 = (h3 + (Int64)(1 << 24)) >> 25; h4 += carry3; h3 -= carry3 << 25; + carry7 = (h7 + (Int64)(1 << 24)) >> 25; h8 += carry7; h7 -= carry7 << 25; + /* |h3| <= 2^24; from now on fits into int32 unchanged */ + /* |h7| <= 2^24; from now on fits into int32 unchanged */ + /* |h4| <= 1.72*2^34 */ + /* |h8| <= 1.41*2^60 */ + + carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + carry8 = (h8 + (Int64)(1 << 25)) >> 26; h9 += carry8; h8 -= carry8 << 26; + /* |h4| <= 2^25; from now on fits into int32 unchanged */ + /* |h8| <= 2^25; from now on fits into int32 unchanged */ + /* |h5| <= 1.01*2^24 */ + /* |h9| <= 1.71*2^59 */ + + carry9 = (h9 + (Int64)(1 << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; + /* |h9| <= 2^24; from now on fits into int32 unchanged */ + /* |h0| <= 1.1*2^39 */ + + carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + /* |h0| <= 2^25; from now on fits into int32 unchanged */ + /* |h1| <= 1.01*2^24 */ + + h.x0 = (Int32)h0; + h.x1 = (Int32)h1; + h.x2 = (Int32)h2; + h.x3 = (Int32)h3; + h.x4 = (Int32)h4; + h.x5 = (Int32)h5; + h.x6 = (Int32)h6; + h.x7 = (Int32)h7; + h.x8 = (Int32)h8; + h.x9 = (Int32)h9; + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_mul121666.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_mul121666.cs new file mode 100644 index 0000000..9132527 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_mul121666.cs @@ -0,0 +1,76 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class FieldOperations + { + + /* + h = f * 121666 + Can overlap h with f. + + Preconditions: + |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. + + Postconditions: + |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + */ + + public static void fe_mul121666(out FieldElement h, ref FieldElement f) + { + Int32 f0 = f.x0; + Int32 f1 = f.x1; + Int32 f2 = f.x2; + Int32 f3 = f.x3; + Int32 f4 = f.x4; + Int32 f5 = f.x5; + Int32 f6 = f.x6; + Int32 f7 = f.x7; + Int32 f8 = f.x8; + Int32 f9 = f.x9; + Int64 h0 = f0 * (Int64)121666; + Int64 h1 = f1 * (Int64)121666; + Int64 h2 = f2 * (Int64)121666; + Int64 h3 = f3 * (Int64)121666; + Int64 h4 = f4 * (Int64)121666; + Int64 h5 = f5 * (Int64)121666; + Int64 h6 = f6 * (Int64)121666; + Int64 h7 = f7 * (Int64)121666; + Int64 h8 = f8 * (Int64)121666; + Int64 h9 = f9 * (Int64)121666; + Int64 carry0; + Int64 carry1; + Int64 carry2; + Int64 carry3; + Int64 carry4; + Int64 carry5; + Int64 carry6; + Int64 carry7; + Int64 carry8; + Int64 carry9; + + carry9 = (h9 + (Int64)(1 << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; + carry1 = (h1 + (Int64)(1 << 24)) >> 25; h2 += carry1; h1 -= carry1 << 25; + carry3 = (h3 + (Int64)(1 << 24)) >> 25; h4 += carry3; h3 -= carry3 << 25; + carry5 = (h5 + (Int64)(1 << 24)) >> 25; h6 += carry5; h5 -= carry5 << 25; + carry7 = (h7 + (Int64)(1 << 24)) >> 25; h8 += carry7; h7 -= carry7 << 25; + + carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + carry2 = (h2 + (Int64)(1 << 25)) >> 26; h3 += carry2; h2 -= carry2 << 26; + carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + carry6 = (h6 + (Int64)(1 << 25)) >> 26; h7 += carry6; h6 -= carry6 << 26; + carry8 = (h8 + (Int64)(1 << 25)) >> 26; h9 += carry8; h8 -= carry8 << 26; + + h.x0 = (int)h0; + h.x1 = (int)h1; + h.x2 = (int)h2; + h.x3 = (int)h3; + h.x4 = (int)h4; + h.x5 = (int)h5; + h.x6 = (int)h6; + h.x7 = (int)h7; + h.x8 = (int)h8; + h.x9 = (int)h9; + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_neg.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_neg.cs new file mode 100644 index 0000000..64665ec --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_neg.cs @@ -0,0 +1,50 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class FieldOperations + { + /* + h = -f + + Preconditions: + |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + + Postconditions: + |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + */ + internal static void fe_neg(out FieldElement h, ref FieldElement f) + { + Int32 f0 = f.x0; + Int32 f1 = f.x1; + Int32 f2 = f.x2; + Int32 f3 = f.x3; + Int32 f4 = f.x4; + Int32 f5 = f.x5; + Int32 f6 = f.x6; + Int32 f7 = f.x7; + Int32 f8 = f.x8; + Int32 f9 = f.x9; + Int32 h0 = -f0; + Int32 h1 = -f1; + Int32 h2 = -f2; + Int32 h3 = -f3; + Int32 h4 = -f4; + Int32 h5 = -f5; + Int32 h6 = -f6; + Int32 h7 = -f7; + Int32 h8 = -f8; + Int32 h9 = -f9; + h.x0 = h0; + h.x1 = h1; + h.x2 = h2; + h.x3 = h3; + h.x4 = h4; + h.x5 = h5; + h.x6 = h6; + h.x7 = h7; + h.x8 = h8; + h.x9 = h9; + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_pow22523.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_pow22523.cs new file mode 100644 index 0000000..5018f6d --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_pow22523.cs @@ -0,0 +1,175 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class FieldOperations + { + internal static void fe_pow22523(out FieldElement result, ref FieldElement z) + { + FieldElement t0; + FieldElement t1; + FieldElement t2; + int i; + + /* qhasm: fe z1 */ + + /* qhasm: fe z2 */ + + /* qhasm: fe z8 */ + + /* qhasm: fe z9 */ + + /* qhasm: fe z11 */ + + /* qhasm: fe z22 */ + + /* qhasm: fe z_5_0 */ + + /* qhasm: fe z_10_5 */ + + /* qhasm: fe z_10_0 */ + + /* qhasm: fe z_20_10 */ + + /* qhasm: fe z_20_0 */ + + /* qhasm: fe z_40_20 */ + + /* qhasm: fe z_40_0 */ + + /* qhasm: fe z_50_10 */ + + /* qhasm: fe z_50_0 */ + + /* qhasm: fe z_100_50 */ + + /* qhasm: fe z_100_0 */ + + /* qhasm: fe z_200_100 */ + + /* qhasm: fe z_200_0 */ + + /* qhasm: fe z_250_50 */ + + /* qhasm: fe z_250_0 */ + + /* qhasm: fe z_252_2 */ + + /* qhasm: fe z_252_3 */ + + /* qhasm: enter pow22523 */ + + /* qhasm: z2 = z1^2^1 */ + /* asm 1: fe_sq(>z2=fe#1,z2=fe#1,>z2=fe#1); */ + /* asm 2: fe_sq(>z2=t0,z2=t0,>z2=t0); */ + fe_sq(out t0, ref z); //for (i = 1; i < 1; ++i) fe_sq(out t0, ref t0); + + /* qhasm: z8 = z2^2^2 */ + /* asm 1: fe_sq(>z8=fe#2,z8=fe#2,>z8=fe#2); */ + /* asm 2: fe_sq(>z8=t1,z8=t1,>z8=t1); */ + fe_sq(out t1, ref t0); for (i = 1; i < 2; ++i) fe_sq(out t1, ref t1); + + /* qhasm: z9 = z1*z8 */ + /* asm 1: fe_mul(>z9=fe#2,z9=t1,z11=fe#1,z11=t0,z22=fe#1,z22=fe#1,>z22=fe#1); */ + /* asm 2: fe_sq(>z22=t0,z22=t0,>z22=t0); */ + fe_sq(out t0, ref t0); //for (i = 1; i < 1; ++i) fe_sq(out t0, ref t0); + + /* qhasm: z_5_0 = z9*z22 */ + /* asm 1: fe_mul(>z_5_0=fe#1,z_5_0=t0,z_10_5=fe#2,z_10_5=fe#2,>z_10_5=fe#2); */ + /* asm 2: fe_sq(>z_10_5=t1,z_10_5=t1,>z_10_5=t1); */ + fe_sq(out t1, ref t0); for (i = 1; i < 5; ++i) fe_sq(out t1, ref t1); + + /* qhasm: z_10_0 = z_10_5*z_5_0 */ + /* asm 1: fe_mul(>z_10_0=fe#1,z_10_0=t0,z_20_10=fe#2,z_20_10=fe#2,>z_20_10=fe#2); */ + /* asm 2: fe_sq(>z_20_10=t1,z_20_10=t1,>z_20_10=t1); */ + fe_sq(out t1, ref t0); for (i = 1; i < 10; ++i) fe_sq(out t1, ref t1); + + /* qhasm: z_20_0 = z_20_10*z_10_0 */ + /* asm 1: fe_mul(>z_20_0=fe#2,z_20_0=t1,z_40_20=fe#3,z_40_20=fe#3,>z_40_20=fe#3); */ + /* asm 2: fe_sq(>z_40_20=t2,z_40_20=t2,>z_40_20=t2); */ + fe_sq(out t2, ref t1); for (i = 1; i < 20; ++i) fe_sq(out t2, ref t2); + + /* qhasm: z_40_0 = z_40_20*z_20_0 */ + /* asm 1: fe_mul(>z_40_0=fe#2,z_40_0=t1,z_50_10=fe#2,z_50_10=fe#2,>z_50_10=fe#2); */ + /* asm 2: fe_sq(>z_50_10=t1,z_50_10=t1,>z_50_10=t1); */ + fe_sq(out t1, ref t1); for (i = 1; i < 10; ++i) fe_sq(out t1, ref t1); + + /* qhasm: z_50_0 = z_50_10*z_10_0 */ + /* asm 1: fe_mul(>z_50_0=fe#1,z_50_0=t0,z_100_50=fe#2,z_100_50=fe#2,>z_100_50=fe#2); */ + /* asm 2: fe_sq(>z_100_50=t1,z_100_50=t1,>z_100_50=t1); */ + fe_sq(out t1, ref t0); for (i = 1; i < 50; ++i) fe_sq(out t1, ref t1); + + /* qhasm: z_100_0 = z_100_50*z_50_0 */ + /* asm 1: fe_mul(>z_100_0=fe#2,z_100_0=t1,z_200_100=fe#3,z_200_100=fe#3,>z_200_100=fe#3); */ + /* asm 2: fe_sq(>z_200_100=t2,z_200_100=t2,>z_200_100=t2); */ + fe_sq(out t2, ref t1); for (i = 1; i < 100; ++i) fe_sq(out t2, ref t2); + + /* qhasm: z_200_0 = z_200_100*z_100_0 */ + /* asm 1: fe_mul(>z_200_0=fe#2,z_200_0=t1,z_250_50=fe#2,z_250_50=fe#2,>z_250_50=fe#2); */ + /* asm 2: fe_sq(>z_250_50=t1,z_250_50=t1,>z_250_50=t1); */ + fe_sq(out t1, ref t1); for (i = 1; i < 50; ++i) fe_sq(out t1, ref t1); + + /* qhasm: z_250_0 = z_250_50*z_50_0 */ + /* asm 1: fe_mul(>z_250_0=fe#1,z_250_0=t0,z_252_2=fe#1,z_252_2=fe#1,>z_252_2=fe#1); */ + /* asm 2: fe_sq(>z_252_2=t0,z_252_2=t0,>z_252_2=t0); */ + fe_sq(out t0, ref t0); for (i = 1; i < 2; ++i) fe_sq(out t0, ref t0); + + /* qhasm: z_252_3 = z_252_2*z1 */ + /* asm 1: fe_mul(>z_252_3=fe#12,z_252_3=out,> 26; h1 += carry0; h0 -= carry0 << 26; + carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + + carry1 = (h1 + (Int64)(1 << 24)) >> 25; h2 += carry1; h1 -= carry1 << 25; + carry5 = (h5 + (Int64)(1 << 24)) >> 25; h6 += carry5; h5 -= carry5 << 25; + + carry2 = (h2 + (Int64)(1 << 25)) >> 26; h3 += carry2; h2 -= carry2 << 26; + carry6 = (h6 + (Int64)(1 << 25)) >> 26; h7 += carry6; h6 -= carry6 << 26; + + carry3 = (h3 + (Int64)(1 << 24)) >> 25; h4 += carry3; h3 -= carry3 << 25; + carry7 = (h7 + (Int64)(1 << 24)) >> 25; h8 += carry7; h7 -= carry7 << 25; + + carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + carry8 = (h8 + (Int64)(1 << 25)) >> 26; h9 += carry8; h8 -= carry8 << 26; + + carry9 = (h9 + (Int64)(1 << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; + + carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + + h.x0 = (Int32)h0; + h.x1 = (Int32)h1; + h.x2 = (Int32)h2; + h.x3 = (Int32)h3; + h.x4 = (Int32)h4; + h.x5 = (Int32)h5; + h.x6 = (Int32)h6; + h.x7 = (Int32)h7; + h.x8 = (Int32)h8; + h.x9 = (Int32)h9; + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_sq2.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_sq2.cs new file mode 100644 index 0000000..40913bb --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_sq2.cs @@ -0,0 +1,164 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class FieldOperations + { + /* +h = 2 * f * f +Can overlap h with f. + +Preconditions: + |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + +Postconditions: + |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. +*/ + + /* + See fe_mul.c for discussion of implementation strategy. + */ + internal static void fe_sq2(out FieldElement h, ref FieldElement f) + { + Int32 f0 = f.x0; + Int32 f1 = f.x1; + Int32 f2 = f.x2; + Int32 f3 = f.x3; + Int32 f4 = f.x4; + Int32 f5 = f.x5; + Int32 f6 = f.x6; + Int32 f7 = f.x7; + Int32 f8 = f.x8; + Int32 f9 = f.x9; + Int32 f0_2 = 2 * f0; + Int32 f1_2 = 2 * f1; + Int32 f2_2 = 2 * f2; + Int32 f3_2 = 2 * f3; + Int32 f4_2 = 2 * f4; + Int32 f5_2 = 2 * f5; + Int32 f6_2 = 2 * f6; + Int32 f7_2 = 2 * f7; + Int32 f5_38 = 38 * f5; /* 1.959375*2^30 */ + Int32 f6_19 = 19 * f6; /* 1.959375*2^30 */ + Int32 f7_38 = 38 * f7; /* 1.959375*2^30 */ + Int32 f8_19 = 19 * f8; /* 1.959375*2^30 */ + Int32 f9_38 = 38 * f9; /* 1.959375*2^30 */ + Int64 f0f0 = f0 * (Int64)f0; + Int64 f0f1_2 = f0_2 * (Int64)f1; + Int64 f0f2_2 = f0_2 * (Int64)f2; + Int64 f0f3_2 = f0_2 * (Int64)f3; + Int64 f0f4_2 = f0_2 * (Int64)f4; + Int64 f0f5_2 = f0_2 * (Int64)f5; + Int64 f0f6_2 = f0_2 * (Int64)f6; + Int64 f0f7_2 = f0_2 * (Int64)f7; + Int64 f0f8_2 = f0_2 * (Int64)f8; + Int64 f0f9_2 = f0_2 * (Int64)f9; + Int64 f1f1_2 = f1_2 * (Int64)f1; + Int64 f1f2_2 = f1_2 * (Int64)f2; + Int64 f1f3_4 = f1_2 * (Int64)f3_2; + Int64 f1f4_2 = f1_2 * (Int64)f4; + Int64 f1f5_4 = f1_2 * (Int64)f5_2; + Int64 f1f6_2 = f1_2 * (Int64)f6; + Int64 f1f7_4 = f1_2 * (Int64)f7_2; + Int64 f1f8_2 = f1_2 * (Int64)f8; + Int64 f1f9_76 = f1_2 * (Int64)f9_38; + Int64 f2f2 = f2 * (Int64)f2; + Int64 f2f3_2 = f2_2 * (Int64)f3; + Int64 f2f4_2 = f2_2 * (Int64)f4; + Int64 f2f5_2 = f2_2 * (Int64)f5; + Int64 f2f6_2 = f2_2 * (Int64)f6; + Int64 f2f7_2 = f2_2 * (Int64)f7; + Int64 f2f8_38 = f2_2 * (Int64)f8_19; + Int64 f2f9_38 = f2 * (Int64)f9_38; + Int64 f3f3_2 = f3_2 * (Int64)f3; + Int64 f3f4_2 = f3_2 * (Int64)f4; + Int64 f3f5_4 = f3_2 * (Int64)f5_2; + Int64 f3f6_2 = f3_2 * (Int64)f6; + Int64 f3f7_76 = f3_2 * (Int64)f7_38; + Int64 f3f8_38 = f3_2 * (Int64)f8_19; + Int64 f3f9_76 = f3_2 * (Int64)f9_38; + Int64 f4f4 = f4 * (Int64)f4; + Int64 f4f5_2 = f4_2 * (Int64)f5; + Int64 f4f6_38 = f4_2 * (Int64)f6_19; + Int64 f4f7_38 = f4 * (Int64)f7_38; + Int64 f4f8_38 = f4_2 * (Int64)f8_19; + Int64 f4f9_38 = f4 * (Int64)f9_38; + Int64 f5f5_38 = f5 * (Int64)f5_38; + Int64 f5f6_38 = f5_2 * (Int64)f6_19; + Int64 f5f7_76 = f5_2 * (Int64)f7_38; + Int64 f5f8_38 = f5_2 * (Int64)f8_19; + Int64 f5f9_76 = f5_2 * (Int64)f9_38; + Int64 f6f6_19 = f6 * (Int64)f6_19; + Int64 f6f7_38 = f6 * (Int64)f7_38; + Int64 f6f8_38 = f6_2 * (Int64)f8_19; + Int64 f6f9_38 = f6 * (Int64)f9_38; + Int64 f7f7_38 = f7 * (Int64)f7_38; + Int64 f7f8_38 = f7_2 * (Int64)f8_19; + Int64 f7f9_76 = f7_2 * (Int64)f9_38; + Int64 f8f8_19 = f8 * (Int64)f8_19; + Int64 f8f9_38 = f8 * (Int64)f9_38; + Int64 f9f9_38 = f9 * (Int64)f9_38; + Int64 h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38; + Int64 h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38; + Int64 h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19; + Int64 h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38; + Int64 h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38; + Int64 h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38; + Int64 h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19; + Int64 h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38; + Int64 h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38; + Int64 h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2; + Int64 carry0; + Int64 carry1; + Int64 carry2; + Int64 carry3; + Int64 carry4; + Int64 carry5; + Int64 carry6; + Int64 carry7; + Int64 carry8; + Int64 carry9; + + h0 += h0; + h1 += h1; + h2 += h2; + h3 += h3; + h4 += h4; + h5 += h5; + h6 += h6; + h7 += h7; + h8 += h8; + h9 += h9; + + carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + + carry1 = (h1 + (Int64)(1 << 24)) >> 25; h2 += carry1; h1 -= carry1 << 25; + carry5 = (h5 + (Int64)(1 << 24)) >> 25; h6 += carry5; h5 -= carry5 << 25; + + carry2 = (h2 + (Int64)(1 << 25)) >> 26; h3 += carry2; h2 -= carry2 << 26; + carry6 = (h6 + (Int64)(1 << 25)) >> 26; h7 += carry6; h6 -= carry6 << 26; + + carry3 = (h3 + (Int64)(1 << 24)) >> 25; h4 += carry3; h3 -= carry3 << 25; + carry7 = (h7 + (Int64)(1 << 24)) >> 25; h8 += carry7; h7 -= carry7 << 25; + + carry4 = (h4 + (Int64)(1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + carry8 = (h8 + (Int64)(1 << 25)) >> 26; h9 += carry8; h8 -= carry8 << 26; + + carry9 = (h9 + (Int64)(1 << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; + + carry0 = (h0 + (Int64)(1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + + h.x0 = (Int32)h0; + h.x1 = (Int32)h1; + h.x2 = (Int32)h2; + h.x3 = (Int32)h3; + h.x4 = (Int32)h4; + h.x5 = (Int32)h5; + h.x6 = (Int32)h6; + h.x7 = (Int32)h7; + h.x8 = (Int32)h8; + h.x9 = (Int32)h9; + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_sub.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_sub.cs new file mode 100644 index 0000000..4de0e6c --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_sub.cs @@ -0,0 +1,63 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class FieldOperations + { + /* + h = f - g + Can overlap h with f or g. + + Preconditions: + |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + + Postconditions: + |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. + */ + + internal static void fe_sub(out FieldElement h, ref FieldElement f, ref FieldElement g) + { + Int32 f0 = f.x0; + Int32 f1 = f.x1; + Int32 f2 = f.x2; + Int32 f3 = f.x3; + Int32 f4 = f.x4; + Int32 f5 = f.x5; + Int32 f6 = f.x6; + Int32 f7 = f.x7; + Int32 f8 = f.x8; + Int32 f9 = f.x9; + Int32 g0 = g.x0; + Int32 g1 = g.x1; + Int32 g2 = g.x2; + Int32 g3 = g.x3; + Int32 g4 = g.x4; + Int32 g5 = g.x5; + Int32 g6 = g.x6; + Int32 g7 = g.x7; + Int32 g8 = g.x8; + Int32 g9 = g.x9; + Int32 h0 = f0 - g0; + Int32 h1 = f1 - g1; + Int32 h2 = f2 - g2; + Int32 h3 = f3 - g3; + Int32 h4 = f4 - g4; + Int32 h5 = f5 - g5; + Int32 h6 = f6 - g6; + Int32 h7 = f7 - g7; + Int32 h8 = f8 - g8; + Int32 h9 = f9 - g9; + h.x0 = h0; + h.x1 = h1; + h.x2 = h2; + h.x3 = h3; + h.x4 = h4; + h.x5 = h5; + h.x6 = h6; + h.x7 = h7; + h.x8 = h8; + h.x9 = h9; + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_tobytes.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_tobytes.cs new file mode 100644 index 0000000..9a36a8f --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/fe_tobytes.cs @@ -0,0 +1,154 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class FieldOperations + { + /* + Preconditions: + |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. + + Write p=2^255-19; q=floor(h/p). + Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))). + + Proof: + Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4. + Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4. + + Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9). + Then 0> 0); + s[offset + 1] = (byte) (h0 >> 8); + s[offset + 2] = (byte) (h0 >> 16); + s[offset + 3] = (byte) ((h0 >> 24) | (h1 << 2)); + s[offset + 4] = (byte) (h1 >> 6); + s[offset + 5] = (byte) (h1 >> 14); + s[offset + 6] = (byte) ((h1 >> 22) | (h2 << 3)); + s[offset + 7] = (byte) (h2 >> 5); + s[offset + 8] = (byte) (h2 >> 13); + s[offset + 9] = (byte) ((h2 >> 21) | (h3 << 5)); + s[offset + 10] = (byte) (h3 >> 3); + s[offset + 11] = (byte) (h3 >> 11); + s[offset + 12] = (byte) ((h3 >> 19) | (h4 << 6)); + s[offset + 13] = (byte) (h4 >> 2); + s[offset + 14] = (byte) (h4 >> 10); + s[offset + 15] = (byte) (h4 >> 18); + s[offset + 16] = (byte) (h5 >> 0); + s[offset + 17] = (byte) (h5 >> 8); + s[offset + 18] = (byte) (h5 >> 16); + s[offset + 19] = (byte) ((h5 >> 24) | (h6 << 1)); + s[offset + 20] = (byte) (h6 >> 7); + s[offset + 21] = (byte) (h6 >> 15); + s[offset + 22] = (byte) ((h6 >> 23) | (h7 << 3)); + s[offset + 23] = (byte) (h7 >> 5); + s[offset + 24] = (byte) (h7 >> 13); + s[offset + 25] = (byte) ((h7 >> 21) | (h8 << 4)); + s[offset + 26] = (byte) (h8 >> 4); + s[offset + 27] = (byte) (h8 >> 12); + s[offset + 28] = (byte) ((h8 >> 20) | (h9 << 6)); + s[offset + 29] = (byte) (h9 >> 2); + s[offset + 30] = (byte) (h9 >> 10); + s[offset + 31] = (byte) (h9 >> 18); + } + } + + internal static void fe_reduce(out FieldElement hr, ref FieldElement h) + { + Int32 h0 = h.x0; + Int32 h1 = h.x1; + Int32 h2 = h.x2; + Int32 h3 = h.x3; + Int32 h4 = h.x4; + Int32 h5 = h.x5; + Int32 h6 = h.x6; + Int32 h7 = h.x7; + Int32 h8 = h.x8; + Int32 h9 = h.x9; + Int32 q; + Int32 carry0; + Int32 carry1; + Int32 carry2; + Int32 carry3; + Int32 carry4; + Int32 carry5; + Int32 carry6; + Int32 carry7; + Int32 carry8; + Int32 carry9; + + q = (19 * h9 + (((Int32)1) << 24)) >> 25; + q = (h0 + q) >> 26; + q = (h1 + q) >> 25; + q = (h2 + q) >> 26; + q = (h3 + q) >> 25; + q = (h4 + q) >> 26; + q = (h5 + q) >> 25; + q = (h6 + q) >> 26; + q = (h7 + q) >> 25; + q = (h8 + q) >> 26; + q = (h9 + q) >> 25; + + /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */ + h0 += 19 * q; + /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */ + + carry0 = h0 >> 26; h1 += carry0; h0 -= carry0 << 26; + carry1 = h1 >> 25; h2 += carry1; h1 -= carry1 << 25; + carry2 = h2 >> 26; h3 += carry2; h2 -= carry2 << 26; + carry3 = h3 >> 25; h4 += carry3; h3 -= carry3 << 25; + carry4 = h4 >> 26; h5 += carry4; h4 -= carry4 << 26; + carry5 = h5 >> 25; h6 += carry5; h5 -= carry5 << 25; + carry6 = h6 >> 26; h7 += carry6; h6 -= carry6 << 26; + carry7 = h7 >> 25; h8 += carry7; h7 -= carry7 << 25; + carry8 = h8 >> 26; h9 += carry8; h8 -= carry8 << 26; + carry9 = h9 >> 25; h9 -= carry9 << 25; + /* h10 = carry9 */ + + hr.x0 = h0; + hr.x1 = h1; + hr.x2 = h2; + hr.x3 = h3; + hr.x4 = h4; + hr.x5 = h5; + hr.x6 = h6; + hr.x7 = h7; + hr.x8 = h8; + hr.x9 = h9; + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_add.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_add.cs new file mode 100644 index 0000000..f80a817 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_add.cs @@ -0,0 +1,113 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class GroupOperations + { + /* + r = p + q + */ + + internal static void ge_add(out GroupElementP1P1 r, ref GroupElementP3 p, ref GroupElementCached q) + { + FieldElement t0; + + /* qhasm: enter GroupElementadd */ + + /* qhasm: fe X1 */ + + /* qhasm: fe Y1 */ + + /* qhasm: fe Z1 */ + + /* qhasm: fe Z2 */ + + /* qhasm: fe T1 */ + + /* qhasm: fe ZZ */ + + /* qhasm: fe YpX2 */ + + /* qhasm: fe YmX2 */ + + /* qhasm: fe T2d2 */ + + /* qhasm: fe X3 */ + + /* qhasm: fe Y3 */ + + /* qhasm: fe Z3 */ + + /* qhasm: fe T3 */ + + /* qhasm: fe YpX1 */ + + /* qhasm: fe YmX1 */ + + /* qhasm: fe A */ + + /* qhasm: fe B */ + + /* qhasm: fe C */ + + /* qhasm: fe D */ + + /* qhasm: YpX1 = Y1+X1 */ + /* asm 1: fe_add(>YpX1=fe#1,YpX1=r.X,YmX1=fe#2,YmX1=r.Y,A=fe#3,A=r.Z,B=fe#2,B=r.Y,C=fe#4,C=r.T,ZZ=fe#1,ZZ=r.X,D=fe#5,D=t0,X3=fe#1,X3=r.X,Y3=fe#2,Y3=r.Y,Z3=fe#3,Z3=r.Z,T3=fe#4,T3=r.T,> 3] >> (i & 7))); + + for (i = 0; i < 256; ++i) + if (r[i] != 0) + { + for (b = 1; b <= 6 && i + b < 256; ++b) + { + if (r[i + b] != 0) + { + if (r[i] + (r[i + b] << b) <= 15) + { + r[i] += (sbyte)(r[i + b] << b); r[i + b] = 0; + } + else if (r[i] - (r[i + b] << b) >= -15) + { + r[i] -= (sbyte)(r[i + b] << b); + for (k = i + b; k < 256; ++k) + { + if (r[k] == 0) + { + r[k] = 1; + break; + } + r[k] = 0; + } + } + else + break; + } + } + } + + } + + /* + r = a * A + b * B + where a = a[0]+256*a[1]+...+256^31 a[31]. + and b = b[0]+256*b[1]+...+256^31 b[31]. + B is the Ed25519 base point (x,4/5) with x positive. + */ + + public static void ge_double_scalarmult_vartime(out GroupElementP2 r, byte[] a, ref GroupElementP3 A, byte[] b) + { + GroupElementPreComp[] Bi = LookupTables.Base2; + // todo: Perhaps remove these allocations? + sbyte[] aslide = new sbyte[256]; + sbyte[] bslide = new sbyte[256]; + GroupElementCached[] Ai = new GroupElementCached[8]; /* A,3A,5A,7A,9A,11A,13A,15A */ + GroupElementP1P1 t; + GroupElementP3 u; + GroupElementP3 A2; + int i; + + slide(aslide, a); + slide(bslide, b); + + ge_p3_to_cached(out Ai[0], ref A); + ge_p3_dbl(out t, ref A); ge_p1p1_to_p3(out A2, ref t); + ge_add(out t, ref A2, ref Ai[0]); ge_p1p1_to_p3(out u, ref t); ge_p3_to_cached(out Ai[1], ref u); + ge_add(out t, ref A2, ref Ai[1]); ge_p1p1_to_p3(out u, ref t); ge_p3_to_cached(out Ai[2], ref u); + ge_add(out t, ref A2, ref Ai[2]); ge_p1p1_to_p3(out u, ref t); ge_p3_to_cached(out Ai[3], ref u); + ge_add(out t, ref A2, ref Ai[3]); ge_p1p1_to_p3(out u, ref t); ge_p3_to_cached(out Ai[4], ref u); + ge_add(out t, ref A2, ref Ai[4]); ge_p1p1_to_p3(out u, ref t); ge_p3_to_cached(out Ai[5], ref u); + ge_add(out t, ref A2, ref Ai[5]); ge_p1p1_to_p3(out u, ref t); ge_p3_to_cached(out Ai[6], ref u); + ge_add(out t, ref A2, ref Ai[6]); ge_p1p1_to_p3(out u, ref t); ge_p3_to_cached(out Ai[7], ref u); + + ge_p2_0(out r); + + for (i = 255; i >= 0; --i) + { + if ((aslide[i] != 0) || (bslide[i] != 0)) break; + } + + for (; i >= 0; --i) + { + ge_p2_dbl(out t, ref r); + + if (aslide[i] > 0) + { + ge_p1p1_to_p3(out u, ref t); + ge_add(out t, ref u, ref Ai[aslide[i] / 2]); + } + else if (aslide[i] < 0) + { + ge_p1p1_to_p3(out u, ref t); + ge_sub(out t, ref u, ref Ai[(-aslide[i]) / 2]); + } + + if (bslide[i] > 0) + { + ge_p1p1_to_p3(out u, ref t); + ge_madd(out t, ref u, ref Bi[bslide[i] / 2]); + } + else if (bslide[i] < 0) + { + ge_p1p1_to_p3(out u, ref t); + ge_msub(out t, ref u, ref Bi[(-bslide[i]) / 2]); + } + + ge_p1p1_to_p2(out r, ref t); + } + } + + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_frombytes.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_frombytes.cs new file mode 100644 index 0000000..6ec8dc4 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_frombytes.cs @@ -0,0 +1,54 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class GroupOperations + { + public static int ge_frombytes_negate_vartime(out GroupElementP3 h, byte[] data, int offset) + { + FieldElement u; + FieldElement v; + FieldElement v3; + FieldElement vxx; + FieldElement check; + + FieldOperations.fe_frombytes(out h.Y, data, offset); + FieldOperations.fe_1(out h.Z); + FieldOperations.fe_sq(out u, ref h.Y); + FieldOperations.fe_mul(out v, ref u, ref LookupTables.d); + FieldOperations.fe_sub(out u, ref u, ref h.Z); /* u = y^2-1 */ + FieldOperations.fe_add(out v, ref v, ref h.Z); /* v = dy^2+1 */ + + FieldOperations.fe_sq(out v3, ref v); + FieldOperations.fe_mul(out v3, ref v3, ref v); /* v3 = v^3 */ + FieldOperations.fe_sq(out h.X, ref v3); + FieldOperations.fe_mul(out h.X, ref h.X, ref v); + FieldOperations.fe_mul(out h.X, ref h.X, ref u); /* x = uv^7 */ + + FieldOperations.fe_pow22523(out h.X, ref h.X); /* x = (uv^7)^((q-5)/8) */ + FieldOperations.fe_mul(out h.X, ref h.X, ref v3); + FieldOperations.fe_mul(out h.X, ref h.X, ref u); /* x = uv^3(uv^7)^((q-5)/8) */ + + FieldOperations.fe_sq(out vxx, ref h.X); + FieldOperations.fe_mul(out vxx, ref vxx, ref v); + FieldOperations.fe_sub(out check, ref vxx, ref u); /* vx^2-u */ + if (FieldOperations.fe_isnonzero(ref check) != 0) + { + FieldOperations.fe_add(out check, ref vxx, ref u); /* vx^2+u */ + if (FieldOperations.fe_isnonzero(ref check) != 0) + { + h = default(GroupElementP3); + return -1; + } + FieldOperations.fe_mul(out h.X, ref h.X, ref LookupTables.sqrtm1); + } + + if (FieldOperations.fe_isnegative(ref h.X) == (data[offset + 31] >> 7)) + FieldOperations.fe_neg(out h.X, ref h.X); + + FieldOperations.fe_mul(out h.T, ref h.X, ref h.Y); + return 0; + } + + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_madd.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_madd.cs new file mode 100644 index 0000000..de80fa6 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_madd.cs @@ -0,0 +1,105 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class GroupOperations + { + /* + r = p + q + */ + public static void ge_madd(out GroupElementP1P1 r, ref GroupElementP3 p, ref GroupElementPreComp q) + { + FieldElement t0; + + /* qhasm: enter ge_madd */ + + /* qhasm: fe X1 */ + + /* qhasm: fe Y1 */ + + /* qhasm: fe Z1 */ + + /* qhasm: fe T1 */ + + /* qhasm: fe ypx2 */ + + /* qhasm: fe ymx2 */ + + /* qhasm: fe xy2d2 */ + + /* qhasm: fe X3 */ + + /* qhasm: fe Y3 */ + + /* qhasm: fe Z3 */ + + /* qhasm: fe T3 */ + + /* qhasm: fe YpX1 */ + + /* qhasm: fe YmX1 */ + + /* qhasm: fe A */ + + /* qhasm: fe B */ + + /* qhasm: fe C */ + + /* qhasm: fe D */ + + /* qhasm: YpX1 = Y1+X1 */ + /* asm 1: fe_add(>YpX1=fe#1,YpX1=r.X,YmX1=fe#2,YmX1=r.Y,A=fe#3,A=r.Z,B=fe#2,B=r.Y,C=fe#4,C=r.T,D=fe#5,D=t0,X3=fe#1,X3=r.X,Y3=fe#2,Y3=r.Y,Z3=fe#3,Z3=r.Z,T3=fe#4,T3=r.T,YpX1=fe#1,YpX1=r.X,YmX1=fe#2,YmX1=r.Y,A=fe#3,A=r.Z,B=fe#2,B=r.Y,C=fe#4,C=r.T,D=fe#5,D=t0,X3=fe#1,X3=r.X,Y3=fe#2,Y3=r.Y,Z3=fe#3,Z3=r.Z,T3=fe#4,T3=r.T,XX=fe#1,XX=r.X,YY=fe#3,YY=r.Z,B=fe#4,B=r.T,A=fe#2,A=r.Y,AA=fe#5,AA=t0,Y3=fe#2,Y3=r.Y,Z3=fe#3,Z3=r.Z,X3=fe#1,X3=r.X,T3=fe#4,T3=r.T,>= 31; /* 1: yes; 0: no */ + return (byte)y; + } + + static byte negative(sbyte b) + { + ulong x = unchecked((ulong)(long)b); /* 18446744073709551361..18446744073709551615: yes; 0..255: no */ + x >>= 63; /* 1: yes; 0: no */ + return (byte)x; + } + + static void cmov(ref GroupElementPreComp t, ref GroupElementPreComp u, byte b) + { + FieldOperations.fe_cmov(ref t.yplusx, ref u.yplusx, b); + FieldOperations.fe_cmov(ref t.yminusx, ref u.yminusx, b); + FieldOperations.fe_cmov(ref t.xy2d, ref u.xy2d, b); + } + + static void select(out GroupElementPreComp t, int pos, sbyte b) + { + GroupElementPreComp minust; + byte bnegative = negative(b); + byte babs = (byte)(b - (((-bnegative) & b) << 1)); + + ge_precomp_0(out t); + var table = LookupTables.Base[pos]; + cmov(ref t, ref table[0], equal(babs, 1)); + cmov(ref t, ref table[1], equal(babs, 2)); + cmov(ref t, ref table[2], equal(babs, 3)); + cmov(ref t, ref table[3], equal(babs, 4)); + cmov(ref t, ref table[4], equal(babs, 5)); + cmov(ref t, ref table[5], equal(babs, 6)); + cmov(ref t, ref table[6], equal(babs, 7)); + cmov(ref t, ref table[7], equal(babs, 8)); + minust.yplusx = t.yminusx; + minust.yminusx = t.yplusx; + FieldOperations.fe_neg(out minust.xy2d, ref t.xy2d); + cmov(ref t, ref minust, bnegative); + } + + /* + h = a * B + where a = a[0]+256*a[1]+...+256^31 a[31] + B is the Ed25519 base point (x,4/5) with x positive. + + Preconditions: + a[31] <= 127 + */ + + public static void ge_scalarmult_base(out GroupElementP3 h, byte[] a, int offset) + { + // todo: Perhaps remove this allocation + sbyte[] e = new sbyte[64]; + sbyte carry; + GroupElementP1P1 r; + GroupElementP2 s; + GroupElementPreComp t; + int i; + + for (i = 0; i < 32; ++i) + { + e[2 * i + 0] = (sbyte)((a[offset + i] >> 0) & 15); + e[2 * i + 1] = (sbyte)((a[offset + i] >> 4) & 15); + } + /* each e[i] is between 0 and 15 */ + /* e[63] is between 0 and 7 */ + + carry = 0; + for (i = 0; i < 63; ++i) + { + e[i] += carry; + carry = (sbyte)(e[i] + 8); + carry >>= 4; + e[i] -= (sbyte)(carry << 4); + } + e[63] += carry; + /* each e[i] is between -8 and 8 */ + + ge_p3_0(out h); + for (i = 1; i < 64; i += 2) + { + select(out t, i / 2, e[i]); + ge_madd(out r, ref h, ref t); ge_p1p1_to_p3(out h, ref r); + } + + ge_p3_dbl(out r, ref h); ge_p1p1_to_p2(out s, ref r); + ge_p2_dbl(out r, ref s); ge_p1p1_to_p2(out s, ref r); + ge_p2_dbl(out r, ref s); ge_p1p1_to_p2(out s, ref r); + ge_p2_dbl(out r, ref s); ge_p1p1_to_p3(out h, ref r); + + for (i = 0; i < 64; i += 2) + { + select(out t, i / 2, e[i]); + ge_madd(out r, ref h, ref t); ge_p1p1_to_p3(out h, ref r); + } + } + + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_sub.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_sub.cs new file mode 100644 index 0000000..0965b53 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/ge_sub.cs @@ -0,0 +1,114 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class GroupOperations + { + /* + r = p - q + */ + + public static void ge_sub(out GroupElementP1P1 r, ref GroupElementP3 p, ref GroupElementCached q) + { + FieldElement t0; + + /* qhasm: enter ge_sub */ + + /* qhasm: fe X1 */ + + /* qhasm: fe Y1 */ + + /* qhasm: fe Z1 */ + + /* qhasm: fe Z2 */ + + /* qhasm: fe T1 */ + + /* qhasm: fe ZZ */ + + /* qhasm: fe YpX2 */ + + /* qhasm: fe YmX2 */ + + /* qhasm: fe T2d2 */ + + /* qhasm: fe X3 */ + + /* qhasm: fe Y3 */ + + /* qhasm: fe Z3 */ + + /* qhasm: fe T3 */ + + /* qhasm: fe YpX1 */ + + /* qhasm: fe YmX1 */ + + /* qhasm: fe A */ + + /* qhasm: fe B */ + + /* qhasm: fe C */ + + /* qhasm: fe D */ + + /* qhasm: YpX1 = Y1+X1 */ + /* asm 1: fe_add(>YpX1=fe#1,YpX1=r.X,YmX1=fe#2,YmX1=r.Y,A=fe#3,A=r.Z,B=fe#2,B=r.Y,C=fe#4,C=r.T,ZZ=fe#1,ZZ=r.X,D=fe#5,D=t0,X3=fe#1,X3=r.X,Y3=fe#2,Y3=r.Y,Z3=fe#3,Z3=r.Z,T3=fe#4,T3=r.T,> 5); + Int64 a2 = 2097151 & (load_3(a, 5) >> 2); + Int64 a3 = 2097151 & (load_4(a, 7) >> 7); + Int64 a4 = 2097151 & (load_4(a, 10) >> 4); + Int64 a5 = 2097151 & (load_3(a, 13) >> 1); + Int64 a6 = 2097151 & (load_4(a, 15) >> 6); + Int64 a7 = 2097151 & (load_3(a, 18) >> 3); + Int64 a8 = 2097151 & load_3(a, 21); + Int64 a9 = 2097151 & (load_4(a, 23) >> 5); + Int64 a10 = 2097151 & (load_3(a, 26) >> 2); + Int64 a11 = (load_4(a, 28) >> 7); + Int64 b0 = 2097151 & load_3(b, 0); + Int64 b1 = 2097151 & (load_4(b, 2) >> 5); + Int64 b2 = 2097151 & (load_3(b, 5) >> 2); + Int64 b3 = 2097151 & (load_4(b, 7) >> 7); + Int64 b4 = 2097151 & (load_4(b, 10) >> 4); + Int64 b5 = 2097151 & (load_3(b, 13) >> 1); + Int64 b6 = 2097151 & (load_4(b, 15) >> 6); + Int64 b7 = 2097151 & (load_3(b, 18) >> 3); + Int64 b8 = 2097151 & load_3(b, 21); + Int64 b9 = 2097151 & (load_4(b, 23) >> 5); + Int64 b10 = 2097151 & (load_3(b, 26) >> 2); + Int64 b11 = (load_4(b, 28) >> 7); + Int64 c0 = 2097151 & load_3(c, 0); + Int64 c1 = 2097151 & (load_4(c, 2) >> 5); + Int64 c2 = 2097151 & (load_3(c, 5) >> 2); + Int64 c3 = 2097151 & (load_4(c, 7) >> 7); + Int64 c4 = 2097151 & (load_4(c, 10) >> 4); + Int64 c5 = 2097151 & (load_3(c, 13) >> 1); + Int64 c6 = 2097151 & (load_4(c, 15) >> 6); + Int64 c7 = 2097151 & (load_3(c, 18) >> 3); + Int64 c8 = 2097151 & load_3(c, 21); + Int64 c9 = 2097151 & (load_4(c, 23) >> 5); + Int64 c10 = 2097151 & (load_3(c, 26) >> 2); + Int64 c11 = (load_4(c, 28) >> 7); + Int64 s0; + Int64 s1; + Int64 s2; + Int64 s3; + Int64 s4; + Int64 s5; + Int64 s6; + Int64 s7; + Int64 s8; + Int64 s9; + Int64 s10; + Int64 s11; + Int64 s12; + Int64 s13; + Int64 s14; + Int64 s15; + Int64 s16; + Int64 s17; + Int64 s18; + Int64 s19; + Int64 s20; + Int64 s21; + Int64 s22; + Int64 s23; + Int64 carry0; + Int64 carry1; + Int64 carry2; + Int64 carry3; + Int64 carry4; + Int64 carry5; + Int64 carry6; + Int64 carry7; + Int64 carry8; + Int64 carry9; + Int64 carry10; + Int64 carry11; + Int64 carry12; + Int64 carry13; + Int64 carry14; + Int64 carry15; + Int64 carry16; + Int64 carry17; + Int64 carry18; + Int64 carry19; + Int64 carry20; + Int64 carry21; + Int64 carry22; + + s0 = c0 + a0 * b0; + s1 = c1 + a0 * b1 + a1 * b0; + s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0; + s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0; + s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0; + s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0; + s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0; + s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 + a6 * b1 + a7 * b0; + s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 + a6 * b2 + a7 * b1 + a8 * b0; + s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 + a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0; + s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 + a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0; + s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 + a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0; + s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1; + s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2; + s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 + a10 * b4 + a11 * b3; + s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 + a11 * b4; + s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5; + s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6; + s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7; + s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8; + s20 = a9 * b11 + a10 * b10 + a11 * b9; + s21 = a10 * b11 + a11 * b10; + s22 = a11 * b11; + s23 = 0; + + carry0 = (s0 + (1 << 20)) >> 21; s1 += carry0; s0 -= carry0 << 21; + carry2 = (s2 + (1 << 20)) >> 21; s3 += carry2; s2 -= carry2 << 21; + carry4 = (s4 + (1 << 20)) >> 21; s5 += carry4; s4 -= carry4 << 21; + carry6 = (s6 + (1 << 20)) >> 21; s7 += carry6; s6 -= carry6 << 21; + carry8 = (s8 + (1 << 20)) >> 21; s9 += carry8; s8 -= carry8 << 21; + carry10 = (s10 + (1 << 20)) >> 21; s11 += carry10; s10 -= carry10 << 21; + carry12 = (s12 + (1 << 20)) >> 21; s13 += carry12; s12 -= carry12 << 21; + carry14 = (s14 + (1 << 20)) >> 21; s15 += carry14; s14 -= carry14 << 21; + carry16 = (s16 + (1 << 20)) >> 21; s17 += carry16; s16 -= carry16 << 21; + carry18 = (s18 + (1 << 20)) >> 21; s19 += carry18; s18 -= carry18 << 21; + carry20 = (s20 + (1 << 20)) >> 21; s21 += carry20; s20 -= carry20 << 21; + carry22 = (s22 + (1 << 20)) >> 21; s23 += carry22; s22 -= carry22 << 21; + + carry1 = (s1 + (1 << 20)) >> 21; s2 += carry1; s1 -= carry1 << 21; + carry3 = (s3 + (1 << 20)) >> 21; s4 += carry3; s3 -= carry3 << 21; + carry5 = (s5 + (1 << 20)) >> 21; s6 += carry5; s5 -= carry5 << 21; + carry7 = (s7 + (1 << 20)) >> 21; s8 += carry7; s7 -= carry7 << 21; + carry9 = (s9 + (1 << 20)) >> 21; s10 += carry9; s9 -= carry9 << 21; + carry11 = (s11 + (1 << 20)) >> 21; s12 += carry11; s11 -= carry11 << 21; + carry13 = (s13 + (1 << 20)) >> 21; s14 += carry13; s13 -= carry13 << 21; + carry15 = (s15 + (1 << 20)) >> 21; s16 += carry15; s15 -= carry15 << 21; + carry17 = (s17 + (1 << 20)) >> 21; s18 += carry17; s17 -= carry17 << 21; + carry19 = (s19 + (1 << 20)) >> 21; s20 += carry19; s19 -= carry19 << 21; + carry21 = (s21 + (1 << 20)) >> 21; s22 += carry21; s21 -= carry21 << 21; + + s11 += s23 * 666643; + s12 += s23 * 470296; + s13 += s23 * 654183; + s14 -= s23 * 997805; + s15 += s23 * 136657; + s16 -= s23 * 683901; + s23 = 0; + + s10 += s22 * 666643; + s11 += s22 * 470296; + s12 += s22 * 654183; + s13 -= s22 * 997805; + s14 += s22 * 136657; + s15 -= s22 * 683901; + s22 = 0; + + s9 += s21 * 666643; + s10 += s21 * 470296; + s11 += s21 * 654183; + s12 -= s21 * 997805; + s13 += s21 * 136657; + s14 -= s21 * 683901; + s21 = 0; + + s8 += s20 * 666643; + s9 += s20 * 470296; + s10 += s20 * 654183; + s11 -= s20 * 997805; + s12 += s20 * 136657; + s13 -= s20 * 683901; + s20 = 0; + + s7 += s19 * 666643; + s8 += s19 * 470296; + s9 += s19 * 654183; + s10 -= s19 * 997805; + s11 += s19 * 136657; + s12 -= s19 * 683901; + s19 = 0; + + s6 += s18 * 666643; + s7 += s18 * 470296; + s8 += s18 * 654183; + s9 -= s18 * 997805; + s10 += s18 * 136657; + s11 -= s18 * 683901; + s18 = 0; + + carry6 = (s6 + (1 << 20)) >> 21; s7 += carry6; s6 -= carry6 << 21; + carry8 = (s8 + (1 << 20)) >> 21; s9 += carry8; s8 -= carry8 << 21; + carry10 = (s10 + (1 << 20)) >> 21; s11 += carry10; s10 -= carry10 << 21; + carry12 = (s12 + (1 << 20)) >> 21; s13 += carry12; s12 -= carry12 << 21; + carry14 = (s14 + (1 << 20)) >> 21; s15 += carry14; s14 -= carry14 << 21; + carry16 = (s16 + (1 << 20)) >> 21; s17 += carry16; s16 -= carry16 << 21; + + carry7 = (s7 + (1 << 20)) >> 21; s8 += carry7; s7 -= carry7 << 21; + carry9 = (s9 + (1 << 20)) >> 21; s10 += carry9; s9 -= carry9 << 21; + carry11 = (s11 + (1 << 20)) >> 21; s12 += carry11; s11 -= carry11 << 21; + carry13 = (s13 + (1 << 20)) >> 21; s14 += carry13; s13 -= carry13 << 21; + carry15 = (s15 + (1 << 20)) >> 21; s16 += carry15; s15 -= carry15 << 21; + + s5 += s17 * 666643; + s6 += s17 * 470296; + s7 += s17 * 654183; + s8 -= s17 * 997805; + s9 += s17 * 136657; + s10 -= s17 * 683901; + s17 = 0; + + s4 += s16 * 666643; + s5 += s16 * 470296; + s6 += s16 * 654183; + s7 -= s16 * 997805; + s8 += s16 * 136657; + s9 -= s16 * 683901; + s16 = 0; + + s3 += s15 * 666643; + s4 += s15 * 470296; + s5 += s15 * 654183; + s6 -= s15 * 997805; + s7 += s15 * 136657; + s8 -= s15 * 683901; + s15 = 0; + + s2 += s14 * 666643; + s3 += s14 * 470296; + s4 += s14 * 654183; + s5 -= s14 * 997805; + s6 += s14 * 136657; + s7 -= s14 * 683901; + s14 = 0; + + s1 += s13 * 666643; + s2 += s13 * 470296; + s3 += s13 * 654183; + s4 -= s13 * 997805; + s5 += s13 * 136657; + s6 -= s13 * 683901; + s13 = 0; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = (s0 + (1 << 20)) >> 21; s1 += carry0; s0 -= carry0 << 21; + carry2 = (s2 + (1 << 20)) >> 21; s3 += carry2; s2 -= carry2 << 21; + carry4 = (s4 + (1 << 20)) >> 21; s5 += carry4; s4 -= carry4 << 21; + carry6 = (s6 + (1 << 20)) >> 21; s7 += carry6; s6 -= carry6 << 21; + carry8 = (s8 + (1 << 20)) >> 21; s9 += carry8; s8 -= carry8 << 21; + carry10 = (s10 + (1 << 20)) >> 21; s11 += carry10; s10 -= carry10 << 21; + + carry1 = (s1 + (1 << 20)) >> 21; s2 += carry1; s1 -= carry1 << 21; + carry3 = (s3 + (1 << 20)) >> 21; s4 += carry3; s3 -= carry3 << 21; + carry5 = (s5 + (1 << 20)) >> 21; s6 += carry5; s5 -= carry5 << 21; + carry7 = (s7 + (1 << 20)) >> 21; s8 += carry7; s7 -= carry7 << 21; + carry9 = (s9 + (1 << 20)) >> 21; s10 += carry9; s9 -= carry9 << 21; + carry11 = (s11 + (1 << 20)) >> 21; s12 += carry11; s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; + carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; + carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; + carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; + + unchecked + { + s[0] = (byte)(s0 >> 0); + s[1] = (byte)(s0 >> 8); + s[2] = (byte)((s0 >> 16) | (s1 << 5)); + s[3] = (byte)(s1 >> 3); + s[4] = (byte)(s1 >> 11); + s[5] = (byte)((s1 >> 19) | (s2 << 2)); + s[6] = (byte)(s2 >> 6); + s[7] = (byte)((s2 >> 14) | (s3 << 7)); + s[8] = (byte)(s3 >> 1); + s[9] = (byte)(s3 >> 9); + s[10] = (byte)((s3 >> 17) | (s4 << 4)); + s[11] = (byte)(s4 >> 4); + s[12] = (byte)(s4 >> 12); + s[13] = (byte)((s4 >> 20) | (s5 << 1)); + s[14] = (byte)(s5 >> 7); + s[15] = (byte)((s5 >> 15) | (s6 << 6)); + s[16] = (byte)(s6 >> 2); + s[17] = (byte)(s6 >> 10); + s[18] = (byte)((s6 >> 18) | (s7 << 3)); + s[19] = (byte)(s7 >> 5); + s[20] = (byte)(s7 >> 13); + s[21] = (byte)(s8 >> 0); + s[22] = (byte)(s8 >> 8); + s[23] = (byte)((s8 >> 16) | (s9 << 5)); + s[24] = (byte)(s9 >> 3); + s[25] = (byte)(s9 >> 11); + s[26] = (byte)((s9 >> 19) | (s10 << 2)); + s[27] = (byte)(s10 >> 6); + s[28] = (byte)((s10 >> 14) | (s11 << 7)); + s[29] = (byte)(s11 >> 1); + s[30] = (byte)(s11 >> 9); + s[31] = (byte)(s11 >> 17); + } + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/sc_reduce.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/sc_reduce.cs new file mode 100644 index 0000000..493bf5a --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/sc_reduce.cs @@ -0,0 +1,263 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + internal static partial class ScalarOperations + { + /* + Input: + s[0]+256*s[1]+...+256^63*s[63] = s + + Output: + s[0]+256*s[1]+...+256^31*s[31] = s mod l + where l = 2^252 + 27742317777372353535851937790883648493. + Overwrites s in place. + */ + + public static void sc_reduce(byte[] s) + { + Int64 s0 = 2097151 & load_3(s, 0); + Int64 s1 = 2097151 & (load_4(s, 2) >> 5); + Int64 s2 = 2097151 & (load_3(s, 5) >> 2); + Int64 s3 = 2097151 & (load_4(s, 7) >> 7); + Int64 s4 = 2097151 & (load_4(s, 10) >> 4); + Int64 s5 = 2097151 & (load_3(s, 13) >> 1); + Int64 s6 = 2097151 & (load_4(s, 15) >> 6); + Int64 s7 = 2097151 & (load_3(s, 18) >> 3); + Int64 s8 = 2097151 & load_3(s, 21); + Int64 s9 = 2097151 & (load_4(s, 23) >> 5); + Int64 s10 = 2097151 & (load_3(s, 26) >> 2); + Int64 s11 = 2097151 & (load_4(s, 28) >> 7); + Int64 s12 = 2097151 & (load_4(s, 31) >> 4); + Int64 s13 = 2097151 & (load_3(s, 34) >> 1); + Int64 s14 = 2097151 & (load_4(s, 36) >> 6); + Int64 s15 = 2097151 & (load_3(s, 39) >> 3); + Int64 s16 = 2097151 & load_3(s, 42); + Int64 s17 = 2097151 & (load_4(s, 44) >> 5); + Int64 s18 = 2097151 & (load_3(s, 47) >> 2); + Int64 s19 = 2097151 & (load_4(s, 49) >> 7); + Int64 s20 = 2097151 & (load_4(s, 52) >> 4); + Int64 s21 = 2097151 & (load_3(s, 55) >> 1); + Int64 s22 = 2097151 & (load_4(s, 57) >> 6); + Int64 s23 = (load_4(s, 60) >> 3); + Int64 carry0; + Int64 carry1; + Int64 carry2; + Int64 carry3; + Int64 carry4; + Int64 carry5; + Int64 carry6; + Int64 carry7; + Int64 carry8; + Int64 carry9; + Int64 carry10; + Int64 carry11; + Int64 carry12; + Int64 carry13; + Int64 carry14; + Int64 carry15; + Int64 carry16; + + s11 += s23 * 666643; + s12 += s23 * 470296; + s13 += s23 * 654183; + s14 -= s23 * 997805; + s15 += s23 * 136657; + s16 -= s23 * 683901; + s23 = 0; + + s10 += s22 * 666643; + s11 += s22 * 470296; + s12 += s22 * 654183; + s13 -= s22 * 997805; + s14 += s22 * 136657; + s15 -= s22 * 683901; + s22 = 0; + + s9 += s21 * 666643; + s10 += s21 * 470296; + s11 += s21 * 654183; + s12 -= s21 * 997805; + s13 += s21 * 136657; + s14 -= s21 * 683901; + s21 = 0; + + s8 += s20 * 666643; + s9 += s20 * 470296; + s10 += s20 * 654183; + s11 -= s20 * 997805; + s12 += s20 * 136657; + s13 -= s20 * 683901; + s20 = 0; + + s7 += s19 * 666643; + s8 += s19 * 470296; + s9 += s19 * 654183; + s10 -= s19 * 997805; + s11 += s19 * 136657; + s12 -= s19 * 683901; + s19 = 0; + + s6 += s18 * 666643; + s7 += s18 * 470296; + s8 += s18 * 654183; + s9 -= s18 * 997805; + s10 += s18 * 136657; + s11 -= s18 * 683901; + s18 = 0; + + carry6 = (s6 + (1 << 20)) >> 21; s7 += carry6; s6 -= carry6 << 21; + carry8 = (s8 + (1 << 20)) >> 21; s9 += carry8; s8 -= carry8 << 21; + carry10 = (s10 + (1 << 20)) >> 21; s11 += carry10; s10 -= carry10 << 21; + carry12 = (s12 + (1 << 20)) >> 21; s13 += carry12; s12 -= carry12 << 21; + carry14 = (s14 + (1 << 20)) >> 21; s15 += carry14; s14 -= carry14 << 21; + carry16 = (s16 + (1 << 20)) >> 21; s17 += carry16; s16 -= carry16 << 21; + + carry7 = (s7 + (1 << 20)) >> 21; s8 += carry7; s7 -= carry7 << 21; + carry9 = (s9 + (1 << 20)) >> 21; s10 += carry9; s9 -= carry9 << 21; + carry11 = (s11 + (1 << 20)) >> 21; s12 += carry11; s11 -= carry11 << 21; + carry13 = (s13 + (1 << 20)) >> 21; s14 += carry13; s13 -= carry13 << 21; + carry15 = (s15 + (1 << 20)) >> 21; s16 += carry15; s15 -= carry15 << 21; + + s5 += s17 * 666643; + s6 += s17 * 470296; + s7 += s17 * 654183; + s8 -= s17 * 997805; + s9 += s17 * 136657; + s10 -= s17 * 683901; + s17 = 0; + + s4 += s16 * 666643; + s5 += s16 * 470296; + s6 += s16 * 654183; + s7 -= s16 * 997805; + s8 += s16 * 136657; + s9 -= s16 * 683901; + s16 = 0; + + s3 += s15 * 666643; + s4 += s15 * 470296; + s5 += s15 * 654183; + s6 -= s15 * 997805; + s7 += s15 * 136657; + s8 -= s15 * 683901; + s15 = 0; + + s2 += s14 * 666643; + s3 += s14 * 470296; + s4 += s14 * 654183; + s5 -= s14 * 997805; + s6 += s14 * 136657; + s7 -= s14 * 683901; + s14 = 0; + + s1 += s13 * 666643; + s2 += s13 * 470296; + s3 += s13 * 654183; + s4 -= s13 * 997805; + s5 += s13 * 136657; + s6 -= s13 * 683901; + s13 = 0; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = (s0 + (1 << 20)) >> 21; s1 += carry0; s0 -= carry0 << 21; + carry2 = (s2 + (1 << 20)) >> 21; s3 += carry2; s2 -= carry2 << 21; + carry4 = (s4 + (1 << 20)) >> 21; s5 += carry4; s4 -= carry4 << 21; + carry6 = (s6 + (1 << 20)) >> 21; s7 += carry6; s6 -= carry6 << 21; + carry8 = (s8 + (1 << 20)) >> 21; s9 += carry8; s8 -= carry8 << 21; + carry10 = (s10 + (1 << 20)) >> 21; s11 += carry10; s10 -= carry10 << 21; + + carry1 = (s1 + (1 << 20)) >> 21; s2 += carry1; s1 -= carry1 << 21; + carry3 = (s3 + (1 << 20)) >> 21; s4 += carry3; s3 -= carry3 << 21; + carry5 = (s5 + (1 << 20)) >> 21; s6 += carry5; s5 -= carry5 << 21; + carry7 = (s7 + (1 << 20)) >> 21; s8 += carry7; s7 -= carry7 << 21; + carry9 = (s9 + (1 << 20)) >> 21; s10 += carry9; s9 -= carry9 << 21; + carry11 = (s11 + (1 << 20)) >> 21; s12 += carry11; s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; + carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; + carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 << 21; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 << 21; + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 << 21; + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 << 21; + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 << 21; + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 << 21; + carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 << 21; + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 << 21; + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 << 21; + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 << 21; + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 << 21; + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 << 21; + + unchecked + { + s[0] = (byte)(s0 >> 0); + s[1] = (byte)(s0 >> 8); + s[2] = (byte)((s0 >> 16) | (s1 << 5)); + s[3] = (byte)(s1 >> 3); + s[4] = (byte)(s1 >> 11); + s[5] = (byte)((s1 >> 19) | (s2 << 2)); + s[6] = (byte)(s2 >> 6); + s[7] = (byte)((s2 >> 14) | (s3 << 7)); + s[8] = (byte)(s3 >> 1); + s[9] = (byte)(s3 >> 9); + s[10] = (byte)((s3 >> 17) | (s4 << 4)); + s[11] = (byte)(s4 >> 4); + s[12] = (byte)(s4 >> 12); + s[13] = (byte)((s4 >> 20) | (s5 << 1)); + s[14] = (byte)(s5 >> 7); + s[15] = (byte)((s5 >> 15) | (s6 << 6)); + s[16] = (byte)(s6 >> 2); + s[17] = (byte)(s6 >> 10); + s[18] = (byte)((s6 >> 18) | (s7 << 3)); + s[19] = (byte)(s7 >> 5); + s[20] = (byte)(s7 >> 13); + s[21] = (byte)(s8 >> 0); + s[22] = (byte)(s8 >> 8); + s[23] = (byte)((s8 >> 16) | (s9 << 5)); + s[24] = (byte)(s9 >> 3); + s[25] = (byte)(s9 >> 11); + s[26] = (byte)((s9 >> 19) | (s10 << 2)); + s[27] = (byte)(s10 >> 6); + s[28] = (byte)((s10 >> 14) | (s11 << 7)); + s[29] = (byte)(s11 >> 1); + s[30] = (byte)(s11 >> 9); + s[31] = (byte)(s11 >> 17); + } + } + + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/scalarmult.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/scalarmult.cs new file mode 100644 index 0000000..b0b1247 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Ed25519Ref10/scalarmult.cs @@ -0,0 +1,205 @@ +using System; + +namespace Chaos.NaCl.Internal.Ed25519Ref10 +{ + public static class MontgomeryOperations + { + public static void scalarmult( + byte[] q, int qoffset, + byte[] n, int noffset, + byte[] p, int poffset) + { + FieldElement p0; + FieldElement q0; + FieldOperations.fe_frombytes2(out p0, p, poffset); + scalarmult(out q0, n, noffset, ref p0); + FieldOperations.fe_tobytes(q, qoffset, ref q0); + } + + internal static void scalarmult( + out FieldElement q, + byte[] n, int noffset, + ref FieldElement p) + { + byte[] e = new byte[32];//ToDo: remove allocation + UInt32 i; + FieldElement x1; + FieldElement x2; + FieldElement z2; + FieldElement x3; + FieldElement z3; + FieldElement tmp0; + FieldElement tmp1; + int pos; + UInt32 swap; + UInt32 b; + + for (i = 0; i < 32; ++i) + e[i] = n[noffset + i]; + ScalarOperations.sc_clamp(e, 0); + x1 = p; + FieldOperations.fe_1(out x2); + FieldOperations.fe_0(out z2); + x3 = x1; + FieldOperations.fe_1(out z3); + + swap = 0; + for (pos = 254; pos >= 0; --pos) + { + b = (uint)(e[pos / 8] >> (pos & 7)); + b &= 1; + swap ^= b; + FieldOperations.fe_cswap(ref x2, ref x3, swap); + FieldOperations.fe_cswap(ref z2, ref z3, swap); + swap = b; + /* qhasm: fe X2 */ + + /* qhasm: fe Z2 */ + + /* qhasm: fe X3 */ + + /* qhasm: fe Z3 */ + + /* qhasm: fe X4 */ + + /* qhasm: fe Z4 */ + + /* qhasm: fe X5 */ + + /* qhasm: fe Z5 */ + + /* qhasm: fe A */ + + /* qhasm: fe B */ + + /* qhasm: fe C */ + + /* qhasm: fe D */ + + /* qhasm: fe E */ + + /* qhasm: fe AA */ + + /* qhasm: fe BB */ + + /* qhasm: fe DA */ + + /* qhasm: fe CB */ + + /* qhasm: fe t0 */ + + /* qhasm: fe t1 */ + + /* qhasm: fe t2 */ + + /* qhasm: fe t3 */ + + /* qhasm: fe t4 */ + + /* qhasm: enter ladder */ + + /* qhasm: D = X3-Z3 */ + /* asm 1: fe_sub(>D=fe#5,D=tmp0,B=fe#6,B=tmp1,A=fe#1,A=x2,C=fe#2,C=z2,DA=fe#4,DA=z3,CB=fe#2,CB=z2,BB=fe#5,BB=tmp0,AA=fe#6,AA=tmp1,t0=fe#3,t0=x3,t1=fe#2,t1=z2,X4=fe#1,X4=x2,E=fe#6,E=tmp1,t2=fe#2,t2=z2,t3=fe#4,t3=z3,X5=fe#3,X5=x3,t4=fe#5,t4=tmp0,Z5=fe#4,x1,Z5=z3,x1,Z4=fe#2,Z4=z2, key) + { + UInt32 t0, t1, t2, t3; + UInt32 h0, h1, h2, h3, h4; + UInt32 r0, r1, r2, r3, r4; + UInt32 s1, s2, s3, s4; + UInt32 b, nb; + int j; + UInt64 tt0, tt1, tt2, tt3, tt4; + UInt64 f0, f1, f2, f3; + UInt32 g0, g1, g2, g3, g4; + UInt64 c; + + /* clamp key */ + t0 = key.x0; + t1 = key.x1; + t2 = key.x2; + t3 = key.x3; + + /* precompute multipliers */ + r0 = t0 & 0x3ffffff; t0 >>= 26; t0 |= t1 << 6; + r1 = t0 & 0x3ffff03; t1 >>= 20; t1 |= t2 << 12; + r2 = t1 & 0x3ffc0ff; t2 >>= 14; t2 |= t3 << 18; + r3 = t2 & 0x3f03fff; t3 >>= 8; + r4 = t3 & 0x00fffff; + + s1 = r1 * 5; + s2 = r2 * 5; + s3 = r3 * 5; + s4 = r4 * 5; + + /* init state */ + h0 = 0; + h1 = 0; + h2 = 0; + h3 = 0; + h4 = 0; + + /* full blocks */ + if (mLength < 16) + goto poly1305_donna_atmost15bytes; + + poly1305_donna_16bytes: + mStart += 16; + mLength -= 16; + + t0 = ByteIntegerConverter.LoadLittleEndian32(m, mStart - 16); + t1 = ByteIntegerConverter.LoadLittleEndian32(m, mStart - 12); + t2 = ByteIntegerConverter.LoadLittleEndian32(m, mStart - 8); + t3 = ByteIntegerConverter.LoadLittleEndian32(m, mStart - 4); + + //todo: looks like these can be simplified a bit + h0 += t0 & 0x3ffffff; + h1 += (uint)(((((UInt64)t1 << 32) | t0) >> 26) & 0x3ffffff); + h2 += (uint)(((((UInt64)t2 << 32) | t1) >> 20) & 0x3ffffff); + h3 += (uint)(((((UInt64)t3 << 32) | t2) >> 14) & 0x3ffffff); + h4 += (t3 >> 8) | (1 << 24); + + + poly1305_donna_mul: + tt0 = (ulong)h0 * r0 + (ulong)h1 * s4 + (ulong)h2 * s3 + (ulong)h3 * s2 + (ulong)h4 * s1; + tt1 = (ulong)h0 * r1 + (ulong)h1 * r0 + (ulong)h2 * s4 + (ulong)h3 * s3 + (ulong)h4 * s2; + tt2 = (ulong)h0 * r2 + (ulong)h1 * r1 + (ulong)h2 * r0 + (ulong)h3 * s4 + (ulong)h4 * s3; + tt3 = (ulong)h0 * r3 + (ulong)h1 * r2 + (ulong)h2 * r1 + (ulong)h3 * r0 + (ulong)h4 * s4; + tt4 = (ulong)h0 * r4 + (ulong)h1 * r3 + (ulong)h2 * r2 + (ulong)h3 * r1 + (ulong)h4 * r0; + + unchecked + { + h0 = (UInt32)tt0 & 0x3ffffff; c = (tt0 >> 26); + tt1 += c; h1 = (UInt32)tt1 & 0x3ffffff; b = (UInt32)(tt1 >> 26); + tt2 += b; h2 = (UInt32)tt2 & 0x3ffffff; b = (UInt32)(tt2 >> 26); + tt3 += b; h3 = (UInt32)tt3 & 0x3ffffff; b = (UInt32)(tt3 >> 26); + tt4 += b; h4 = (UInt32)tt4 & 0x3ffffff; b = (UInt32)(tt4 >> 26); + } + h0 += b * 5; + + if (mLength >= 16) + goto poly1305_donna_16bytes; + + /* final bytes */ + poly1305_donna_atmost15bytes: + if (mLength == 0) + goto poly1305_donna_finish; + + byte[] mp = new byte[16];//todo remove allocation + + for (j = 0; j < mLength; j++) + mp[j] = m[mStart + j]; + mp[j++] = 1; + for (; j < 16; j++) + mp[j] = 0; + mLength = 0; + + t0 = ByteIntegerConverter.LoadLittleEndian32(mp, 0); + t1 = ByteIntegerConverter.LoadLittleEndian32(mp, 4); + t2 = ByteIntegerConverter.LoadLittleEndian32(mp, 8); + t3 = ByteIntegerConverter.LoadLittleEndian32(mp, 12); + CryptoBytes.Wipe(mp); + + h0 += t0 & 0x3ffffff; + h1 += (uint)(((((UInt64)t1 << 32) | t0) >> 26) & 0x3ffffff); + h2 += (uint)(((((UInt64)t2 << 32) | t1) >> 20) & 0x3ffffff); + h3 += (uint)(((((UInt64)t3 << 32) | t2) >> 14) & 0x3ffffff); + h4 += t3 >> 8; + + goto poly1305_donna_mul; + + poly1305_donna_finish: + b = h0 >> 26; h0 = h0 & 0x3ffffff; + h1 += b; b = h1 >> 26; h1 = h1 & 0x3ffffff; + h2 += b; b = h2 >> 26; h2 = h2 & 0x3ffffff; + h3 += b; b = h3 >> 26; h3 = h3 & 0x3ffffff; + h4 += b; b = h4 >> 26; h4 = h4 & 0x3ffffff; + h0 += b * 5; + + g0 = h0 + 5; b = g0 >> 26; g0 &= 0x3ffffff; + g1 = h1 + b; b = g1 >> 26; g1 &= 0x3ffffff; + g2 = h2 + b; b = g2 >> 26; g2 &= 0x3ffffff; + g3 = h3 + b; b = g3 >> 26; g3 &= 0x3ffffff; + g4 = unchecked(h4 + b - (1 << 26)); + + b = (g4 >> 31) - 1; + nb = ~b; + h0 = (h0 & nb) | (g0 & b); + h1 = (h1 & nb) | (g1 & b); + h2 = (h2 & nb) | (g2 & b); + h3 = (h3 & nb) | (g3 & b); + h4 = (h4 & nb) | (g4 & b); + + f0 = ((h0) | (h1 << 26)) + (UInt64)key.x4; + f1 = ((h1 >> 6) | (h2 << 20)) + (UInt64)key.x5; + f2 = ((h2 >> 12) | (h3 << 14)) + (UInt64)key.x6; + f3 = ((h3 >> 18) | (h4 << 8)) + (UInt64)key.x7; + + unchecked + { + ByteIntegerConverter.StoreLittleEndian32(output, outputOffset + 0, (uint)f0); f1 += (f0 >> 32); + ByteIntegerConverter.StoreLittleEndian32(output, outputOffset + 4, (uint)f1); f2 += (f1 >> 32); + ByteIntegerConverter.StoreLittleEndian32(output, outputOffset + 8, (uint)f2); f3 += (f2 >> 32); + ByteIntegerConverter.StoreLittleEndian32(output, outputOffset + 12, (uint)f3); + } + } + } +} diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Salsa/Salsa20.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Salsa/Salsa20.cs new file mode 100644 index 0000000..4578f64 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Salsa/Salsa20.cs @@ -0,0 +1,45 @@ +using System; +using System.Collections.Generic; + +namespace Chaos.NaCl.Internal.Salsa +{ + internal class Salsa20 + { + public const uint SalsaConst0 = 0x61707865; + public const uint SalsaConst1 = 0x3320646e; + public const uint SalsaConst2 = 0x79622d32; + public const uint SalsaConst3 = 0x6b206574; + + public static void HSalsa20(byte[] output, int outputOffset, byte[] key, int keyOffset, byte[] nonce, int nonceOffset) + { + Array16 state; + state.x0 = SalsaConst0; + state.x1 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 0); + state.x2 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 4); + state.x3 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 8); + state.x4 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 12); + state.x5 = SalsaConst1; + state.x6 = ByteIntegerConverter.LoadLittleEndian32(nonce, nonceOffset + 0); + state.x7 = ByteIntegerConverter.LoadLittleEndian32(nonce, nonceOffset + 4); + state.x8 = ByteIntegerConverter.LoadLittleEndian32(nonce, nonceOffset + 8); + state.x9 = ByteIntegerConverter.LoadLittleEndian32(nonce, nonceOffset + 12); + state.x10 = SalsaConst2; + state.x11 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 16); + state.x12 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 20); + state.x13 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 24); + state.x14 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 28); + state.x15 = SalsaConst3; + + SalsaCore.HSalsa(out state, ref state, 20); + + ByteIntegerConverter.StoreLittleEndian32(output, outputOffset + 0, state.x0); + ByteIntegerConverter.StoreLittleEndian32(output, outputOffset + 4, state.x5); + ByteIntegerConverter.StoreLittleEndian32(output, outputOffset + 8, state.x10); + ByteIntegerConverter.StoreLittleEndian32(output, outputOffset + 12, state.x15); + ByteIntegerConverter.StoreLittleEndian32(output, outputOffset + 16, state.x6); + ByteIntegerConverter.StoreLittleEndian32(output, outputOffset + 20, state.x7); + ByteIntegerConverter.StoreLittleEndian32(output, outputOffset + 24, state.x8); + ByteIntegerConverter.StoreLittleEndian32(output, outputOffset + 28, state.x9); + } + } +} diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Salsa/SalsaCore.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Salsa/SalsaCore.cs new file mode 100644 index 0000000..8e3ecad --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Salsa/SalsaCore.cs @@ -0,0 +1,263 @@ +using System; +using System.Collections.Generic; + +namespace Chaos.NaCl.Internal.Salsa +{ + internal static class SalsaCore + { + public static void HSalsa(out Array16 output, ref Array16 input, int rounds) + { + InternalAssert.Assert(rounds % 2 == 0, "Number of salsa rounds must be even"); + + int doubleRounds = rounds / 2; + + UInt32 x0 = input.x0; + UInt32 x1 = input.x1; + UInt32 x2 = input.x2; + UInt32 x3 = input.x3; + UInt32 x4 = input.x4; + UInt32 x5 = input.x5; + UInt32 x6 = input.x6; + UInt32 x7 = input.x7; + UInt32 x8 = input.x8; + UInt32 x9 = input.x9; + UInt32 x10 = input.x10; + UInt32 x11 = input.x11; + UInt32 x12 = input.x12; + UInt32 x13 = input.x13; + UInt32 x14 = input.x14; + UInt32 x15 = input.x15; + + unchecked + { + for (int i = 0; i < doubleRounds; i++) + { + UInt32 y; + + // row 0 + y = x0 + x12; + x4 ^= (y << 7) | (y >> (32 - 7)); + y = x4 + x0; + x8 ^= (y << 9) | (y >> (32 - 9)); + y = x8 + x4; + x12 ^= (y << 13) | (y >> (32 - 13)); + y = x12 + x8; + x0 ^= (y << 18) | (y >> (32 - 18)); + + // row 1 + y = x5 + x1; + x9 ^= (y << 7) | (y >> (32 - 7)); + y = x9 + x5; + x13 ^= (y << 9) | (y >> (32 - 9)); + y = x13 + x9; + x1 ^= (y << 13) | (y >> (32 - 13)); + y = x1 + x13; + x5 ^= (y << 18) | (y >> (32 - 18)); + + // row 2 + y = x10 + x6; + x14 ^= (y << 7) | (y >> (32 - 7)); + y = x14 + x10; + x2 ^= (y << 9) | (y >> (32 - 9)); + y = x2 + x14; + x6 ^= (y << 13) | (y >> (32 - 13)); + y = x6 + x2; + x10 ^= (y << 18) | (y >> (32 - 18)); + + // row 3 + y = x15 + x11; + x3 ^= (y << 7) | (y >> (32 - 7)); + y = x3 + x15; + x7 ^= (y << 9) | (y >> (32 - 9)); + y = x7 + x3; + x11 ^= (y << 13) | (y >> (32 - 13)); + y = x11 + x7; + x15 ^= (y << 18) | (y >> (32 - 18)); + + // column 0 + y = x0 + x3; + x1 ^= (y << 7) | (y >> (32 - 7)); + y = x1 + x0; + x2 ^= (y << 9) | (y >> (32 - 9)); + y = x2 + x1; + x3 ^= (y << 13) | (y >> (32 - 13)); + y = x3 + x2; + x0 ^= (y << 18) | (y >> (32 - 18)); + + // column 1 + y = x5 + x4; + x6 ^= (y << 7) | (y >> (32 - 7)); + y = x6 + x5; + x7 ^= (y << 9) | (y >> (32 - 9)); + y = x7 + x6; + x4 ^= (y << 13) | (y >> (32 - 13)); + y = x4 + x7; + x5 ^= (y << 18) | (y >> (32 - 18)); + + // column 2 + y = x10 + x9; + x11 ^= (y << 7) | (y >> (32 - 7)); + y = x11 + x10; + x8 ^= (y << 9) | (y >> (32 - 9)); + y = x8 + x11; + x9 ^= (y << 13) | (y >> (32 - 13)); + y = x9 + x8; + x10 ^= (y << 18) | (y >> (32 - 18)); + + // column 3 + y = x15 + x14; + x12 ^= (y << 7) | (y >> (32 - 7)); + y = x12 + x15; + x13 ^= (y << 9) | (y >> (32 - 9)); + y = x13 + x12; + x14 ^= (y << 13) | (y >> (32 - 13)); + y = x14 + x13; + x15 ^= (y << 18) | (y >> (32 - 18)); + } + } + + output.x0 = x0; + output.x1 = x1; + output.x2 = x2; + output.x3 = x3; + output.x4 = x4; + output.x5 = x5; + output.x6 = x6; + output.x7 = x7; + output.x8 = x8; + output.x9 = x9; + output.x10 = x10; + output.x11 = x11; + output.x12 = x12; + output.x13 = x13; + output.x14 = x14; + output.x15 = x15; + } + + public static void Salsa(out Array16 output, ref Array16 input, int rounds) + { + Array16 temp; + HSalsa(out temp, ref input, rounds); + unchecked + { + output.x0 = temp.x0 + input.x0; + output.x1 = temp.x1 + input.x1; + output.x2 = temp.x2 + input.x2; + output.x3 = temp.x3 + input.x3; + output.x4 = temp.x4 + input.x4; + output.x5 = temp.x5 + input.x5; + output.x6 = temp.x6 + input.x6; + output.x7 = temp.x7 + input.x7; + output.x8 = temp.x8 + input.x8; + output.x9 = temp.x9 + input.x9; + output.x10 = temp.x10 + input.x10; + output.x11 = temp.x11 + input.x11; + output.x12 = temp.x12 + input.x12; + output.x13 = temp.x13 + input.x13; + output.x14 = temp.x14 + input.x14; + output.x15 = temp.x15 + input.x15; + } + } + + /*public static void SalsaCore(int[] output, int outputOffset, int[] input, int inputOffset, int rounds) + { + if (rounds % 2 != 0) + throw new ArgumentException("rounds must be even"); + } + + +static void store_littleendian(unsigned char *x,uint32 u) +{ + x[0] = u; u >>= 8; + x[1] = u; u >>= 8; + x[2] = u; u >>= 8; + x[3] = u; +} + + public static void HSalsaCore(int[] output, int outputOffset, int[] input, int inputOffset, int rounds) + { + if (rounds % 2 != 0) + throw new ArgumentException("rounds must be even"); + static uint32 rotate(uint32 u,int c) +{ + return (u << c) | (u >> (32 - c)); +} + + + +int crypto_core( + unsigned char *out, + const unsigned char *in, + const unsigned char *k, + const unsigned char *c +) +{ + uint32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; + int i; + + x0 = load_littleendian(c + 0); + x1 = load_littleendian(k + 0); + x2 = load_littleendian(k + 4); + x3 = load_littleendian(k + 8); + x4 = load_littleendian(k + 12); + x5 = load_littleendian(c + 4); + x6 = load_littleendian(in + 0); + x7 = load_littleendian(in + 4); + x8 = load_littleendian(in + 8); + x9 = load_littleendian(in + 12); + x10 = load_littleendian(c + 8); + x11 = load_littleendian(k + 16); + x12 = load_littleendian(k + 20); + x13 = load_littleendian(k + 24); + x14 = load_littleendian(k + 28); + x15 = load_littleendian(c + 12); + + for (i = ROUNDS;i > 0;i -= 2) { + x4 ^= rotate( x0+x12, 7); + x8 ^= rotate( x4+ x0, 9); + x12 ^= rotate( x8+ x4,13); + x0 ^= rotate(x12+ x8,18); + x9 ^= rotate( x5+ x1, 7); + x13 ^= rotate( x9+ x5, 9); + x1 ^= rotate(x13+ x9,13); + x5 ^= rotate( x1+x13,18); + x14 ^= rotate(x10+ x6, 7); + x2 ^= rotate(x14+x10, 9); + x6 ^= rotate( x2+x14,13); + x10 ^= rotate( x6+ x2,18); + x3 ^= rotate(x15+x11, 7); + x7 ^= rotate( x3+x15, 9); + x11 ^= rotate( x7+ x3,13); + x15 ^= rotate(x11+ x7,18); + x1 ^= rotate( x0+ x3, 7); + x2 ^= rotate( x1+ x0, 9); + x3 ^= rotate( x2+ x1,13); + x0 ^= rotate( x3+ x2,18); + x6 ^= rotate( x5+ x4, 7); + x7 ^= rotate( x6+ x5, 9); + x4 ^= rotate( x7+ x6,13); + x5 ^= rotate( x4+ x7,18); + x11 ^= rotate(x10+ x9, 7); + x8 ^= rotate(x11+x10, 9); + x9 ^= rotate( x8+x11,13); + x10 ^= rotate( x9+ x8,18); + x12 ^= rotate(x15+x14, 7); + x13 ^= rotate(x12+x15, 9); + x14 ^= rotate(x13+x12,13); + x15 ^= rotate(x14+x13,18); + } + + store_littleendian(out + 0,x0); + store_littleendian(out + 4,x5); + store_littleendian(out + 8,x10); + store_littleendian(out + 12,x15); + store_littleendian(out + 16,x6); + store_littleendian(out + 20,x7); + store_littleendian(out + 24,x8); + store_littleendian(out + 28,x9); + + return 0; +}*/ + + } +} diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Salsa/replace regex.txt b/src/SshNet.Keygen/Chaos.NaCl/Internal/Salsa/replace regex.txt new file mode 100644 index 0000000..f485689 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Salsa/replace regex.txt @@ -0,0 +1,2 @@ +x(\d+) ^= rotate\((.+), (\d+)\); +y = \2;\r\nx\1 ^= (y << \3) | (y >> (32 - \3)); \ No newline at end of file diff --git a/src/SshNet.Keygen/Chaos.NaCl/Internal/Sha512Internal.cs b/src/SshNet.Keygen/Chaos.NaCl/Internal/Sha512Internal.cs new file mode 100644 index 0000000..37670d0 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Internal/Sha512Internal.cs @@ -0,0 +1,447 @@ +using System; +using System.Collections.Generic; + +namespace Chaos.NaCl.Internal +{ + internal static class Sha512Internal + { + private static readonly UInt64[] K = new UInt64[] + { + 0x428a2f98d728ae22,0x7137449123ef65cd,0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc, + 0x3956c25bf348b538,0x59f111f1b605d019,0x923f82a4af194f9b,0xab1c5ed5da6d8118, + 0xd807aa98a3030242,0x12835b0145706fbe,0x243185be4ee4b28c,0x550c7dc3d5ffb4e2, + 0x72be5d74f27b896f,0x80deb1fe3b1696b1,0x9bdc06a725c71235,0xc19bf174cf692694, + 0xe49b69c19ef14ad2,0xefbe4786384f25e3,0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65, + 0x2de92c6f592b0275,0x4a7484aa6ea6e483,0x5cb0a9dcbd41fbd4,0x76f988da831153b5, + 0x983e5152ee66dfab,0xa831c66d2db43210,0xb00327c898fb213f,0xbf597fc7beef0ee4, + 0xc6e00bf33da88fc2,0xd5a79147930aa725,0x06ca6351e003826f,0x142929670a0e6e70, + 0x27b70a8546d22ffc,0x2e1b21385c26c926,0x4d2c6dfc5ac42aed,0x53380d139d95b3df, + 0x650a73548baf63de,0x766a0abb3c77b2a8,0x81c2c92e47edaee6,0x92722c851482353b, + 0xa2bfe8a14cf10364,0xa81a664bbc423001,0xc24b8b70d0f89791,0xc76c51a30654be30, + 0xd192e819d6ef5218,0xd69906245565a910,0xf40e35855771202a,0x106aa07032bbd1b8, + 0x19a4c116b8d2d0c8,0x1e376c085141ab53,0x2748774cdf8eeb99,0x34b0bcb5e19b48a8, + 0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb,0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3, + 0x748f82ee5defb2fc,0x78a5636f43172f60,0x84c87814a1f0ab72,0x8cc702081a6439ec, + 0x90befffa23631e28,0xa4506cebde82bde9,0xbef9a3f7b2c67915,0xc67178f2e372532b, + 0xca273eceea26619c,0xd186b8c721c0c207,0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178, + 0x06f067aa72176fba,0x0a637dc5a2c898a6,0x113f9804bef90dae,0x1b710b35131c471b, + 0x28db77f523047d84,0x32caab7b40c72493,0x3c9ebe0a15c9bebc,0x431d67c49c100d4c, + 0x4cc5d4becb3e42b6,0x597f299cfc657e2a,0x5fcb6fab3ad6faec,0x6c44198c4a475817 + }; + + internal static void Sha512Init(out Array8 state) + { + state.x0 = 0x6a09e667f3bcc908; + state.x1 = 0xbb67ae8584caa73b; + state.x2 = 0x3c6ef372fe94f82b; + state.x3 = 0xa54ff53a5f1d36f1; + state.x4 = 0x510e527fade682d1; + state.x5 = 0x9b05688c2b3e6c1f; + state.x6 = 0x1f83d9abfb41bd6b; + state.x7 = 0x5be0cd19137e2179; + } + + internal static void Core(out Array8 outputState, ref Array8 inputState, ref Array16 input) + { + unchecked + { + UInt64 a = inputState.x0; + UInt64 b = inputState.x1; + UInt64 c = inputState.x2; + UInt64 d = inputState.x3; + UInt64 e = inputState.x4; + UInt64 f = inputState.x5; + UInt64 g = inputState.x6; + UInt64 h = inputState.x7; + + UInt64 w0 = input.x0; + UInt64 w1 = input.x1; + UInt64 w2 = input.x2; + UInt64 w3 = input.x3; + UInt64 w4 = input.x4; + UInt64 w5 = input.x5; + UInt64 w6 = input.x6; + UInt64 w7 = input.x7; + UInt64 w8 = input.x8; + UInt64 w9 = input.x9; + UInt64 w10 = input.x10; + UInt64 w11 = input.x11; + UInt64 w12 = input.x12; + UInt64 w13 = input.x13; + UInt64 w14 = input.x14; + UInt64 w15 = input.x15; + + int t = 0; + while (true) + { + ulong t1, t2; + + {//0 + t1 = h + + ((e >> 14) ^ (e << (64 - 14)) ^ (e >> 18) ^ (e << (64 - 18)) ^ (e >> 41) ^ (e << (64 - 41))) + + //Sigma1(e) + ((e & f) ^ (~e & g)) + //Ch(e,f,g) + K[t] + w0; + t2 = ((a >> 28) ^ (a << (64 - 28)) ^ (a >> 34) ^ (a << (64 - 34)) ^ (a >> 39) ^ (a << (64 - 39))) + + //Sigma0(a) + ((a & b) ^ (a & c) ^ (b & c)); //Maj(a,b,c) + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + t++; + } + {//1 + t1 = h + + ((e >> 14) ^ (e << (64 - 14)) ^ (e >> 18) ^ (e << (64 - 18)) ^ (e >> 41) ^ (e << (64 - 41))) + + //Sigma1(e) + ((e & f) ^ (~e & g)) + //Ch(e,f,g) + K[t] + w1; + t2 = ((a >> 28) ^ (a << (64 - 28)) ^ (a >> 34) ^ (a << (64 - 34)) ^ (a >> 39) ^ (a << (64 - 39))) + + //Sigma0(a) + ((a & b) ^ (a & c) ^ (b & c)); //Maj(a,b,c) + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + t++; + } + {//2 + t1 = h + + ((e >> 14) ^ (e << (64 - 14)) ^ (e >> 18) ^ (e << (64 - 18)) ^ (e >> 41) ^ (e << (64 - 41))) + + //Sigma1(e) + ((e & f) ^ (~e & g)) + //Ch(e,f,g) + K[t] + w2; + t2 = ((a >> 28) ^ (a << (64 - 28)) ^ (a >> 34) ^ (a << (64 - 34)) ^ (a >> 39) ^ (a << (64 - 39))) + + //Sigma0(a) + ((a & b) ^ (a & c) ^ (b & c)); //Maj(a,b,c) + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + t++; + } + {//3 + t1 = h + + ((e >> 14) ^ (e << (64 - 14)) ^ (e >> 18) ^ (e << (64 - 18)) ^ (e >> 41) ^ (e << (64 - 41))) + + //Sigma1(e) + ((e & f) ^ (~e & g)) + //Ch(e,f,g) + K[t] + w3; + t2 = ((a >> 28) ^ (a << (64 - 28)) ^ (a >> 34) ^ (a << (64 - 34)) ^ (a >> 39) ^ (a << (64 - 39))) + + //Sigma0(a) + ((a & b) ^ (a & c) ^ (b & c)); //Maj(a,b,c) + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + t++; + } + {//4 + t1 = h + + ((e >> 14) ^ (e << (64 - 14)) ^ (e >> 18) ^ (e << (64 - 18)) ^ (e >> 41) ^ (e << (64 - 41))) + + //Sigma1(e) + ((e & f) ^ (~e & g)) + //Ch(e,f,g) + K[t] + w4; + t2 = ((a >> 28) ^ (a << (64 - 28)) ^ (a >> 34) ^ (a << (64 - 34)) ^ (a >> 39) ^ (a << (64 - 39))) + + //Sigma0(a) + ((a & b) ^ (a & c) ^ (b & c)); //Maj(a,b,c) + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + t++; + } + {//5 + t1 = h + + ((e >> 14) ^ (e << (64 - 14)) ^ (e >> 18) ^ (e << (64 - 18)) ^ (e >> 41) ^ (e << (64 - 41))) + + //Sigma1(e) + ((e & f) ^ (~e & g)) + //Ch(e,f,g) + K[t] + w5; + t2 = ((a >> 28) ^ (a << (64 - 28)) ^ (a >> 34) ^ (a << (64 - 34)) ^ (a >> 39) ^ (a << (64 - 39))) + + //Sigma0(a) + ((a & b) ^ (a & c) ^ (b & c)); //Maj(a,b,c) + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + t++; + } + {//6 + t1 = h + + ((e >> 14) ^ (e << (64 - 14)) ^ (e >> 18) ^ (e << (64 - 18)) ^ (e >> 41) ^ (e << (64 - 41))) + + //Sigma1(e) + ((e & f) ^ (~e & g)) + //Ch(e,f,g) + K[t] + w6; + t2 = ((a >> 28) ^ (a << (64 - 28)) ^ (a >> 34) ^ (a << (64 - 34)) ^ (a >> 39) ^ (a << (64 - 39))) + + //Sigma0(a) + ((a & b) ^ (a & c) ^ (b & c)); //Maj(a,b,c) + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + t++; + } + {//7 + t1 = h + + ((e >> 14) ^ (e << (64 - 14)) ^ (e >> 18) ^ (e << (64 - 18)) ^ (e >> 41) ^ (e << (64 - 41))) + + //Sigma1(e) + ((e & f) ^ (~e & g)) + //Ch(e,f,g) + K[t] + w7; + t2 = ((a >> 28) ^ (a << (64 - 28)) ^ (a >> 34) ^ (a << (64 - 34)) ^ (a >> 39) ^ (a << (64 - 39))) + + //Sigma0(a) + ((a & b) ^ (a & c) ^ (b & c)); //Maj(a,b,c) + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + t++; + } + {//8 + t1 = h + + ((e >> 14) ^ (e << (64 - 14)) ^ (e >> 18) ^ (e << (64 - 18)) ^ (e >> 41) ^ (e << (64 - 41))) + + //Sigma1(e) + ((e & f) ^ (~e & g)) + //Ch(e,f,g) + K[t] + w8; + t2 = ((a >> 28) ^ (a << (64 - 28)) ^ (a >> 34) ^ (a << (64 - 34)) ^ (a >> 39) ^ (a << (64 - 39))) + + //Sigma0(a) + ((a & b) ^ (a & c) ^ (b & c)); //Maj(a,b,c) + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + t++; + } + {//9 + t1 = h + + ((e >> 14) ^ (e << (64 - 14)) ^ (e >> 18) ^ (e << (64 - 18)) ^ (e >> 41) ^ (e << (64 - 41))) + + //Sigma1(e) + ((e & f) ^ (~e & g)) + //Ch(e,f,g) + K[t] + w9; + t2 = ((a >> 28) ^ (a << (64 - 28)) ^ (a >> 34) ^ (a << (64 - 34)) ^ (a >> 39) ^ (a << (64 - 39))) + + //Sigma0(a) + ((a & b) ^ (a & c) ^ (b & c)); //Maj(a,b,c) + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + t++; + } + {//10 + t1 = h + + ((e >> 14) ^ (e << (64 - 14)) ^ (e >> 18) ^ (e << (64 - 18)) ^ (e >> 41) ^ (e << (64 - 41))) + + //Sigma1(e) + ((e & f) ^ (~e & g)) + //Ch(e,f,g) + K[t] + w10; + t2 = ((a >> 28) ^ (a << (64 - 28)) ^ (a >> 34) ^ (a << (64 - 34)) ^ (a >> 39) ^ (a << (64 - 39))) + + //Sigma0(a) + ((a & b) ^ (a & c) ^ (b & c)); //Maj(a,b,c) + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + t++; + } + {//11 + t1 = h + + ((e >> 14) ^ (e << (64 - 14)) ^ (e >> 18) ^ (e << (64 - 18)) ^ (e >> 41) ^ (e << (64 - 41))) + + //Sigma1(e) + ((e & f) ^ (~e & g)) + //Ch(e,f,g) + K[t] + w11; + t2 = ((a >> 28) ^ (a << (64 - 28)) ^ (a >> 34) ^ (a << (64 - 34)) ^ (a >> 39) ^ (a << (64 - 39))) + + //Sigma0(a) + ((a & b) ^ (a & c) ^ (b & c)); //Maj(a,b,c) + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + t++; + } + {//12 + t1 = h + + ((e >> 14) ^ (e << (64 - 14)) ^ (e >> 18) ^ (e << (64 - 18)) ^ (e >> 41) ^ (e << (64 - 41))) + + //Sigma1(e) + ((e & f) ^ (~e & g)) + //Ch(e,f,g) + K[t] + w12; + t2 = ((a >> 28) ^ (a << (64 - 28)) ^ (a >> 34) ^ (a << (64 - 34)) ^ (a >> 39) ^ (a << (64 - 39))) + + //Sigma0(a) + ((a & b) ^ (a & c) ^ (b & c)); //Maj(a,b,c) + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + t++; + } + {//13 + t1 = h + + ((e >> 14) ^ (e << (64 - 14)) ^ (e >> 18) ^ (e << (64 - 18)) ^ (e >> 41) ^ (e << (64 - 41))) + + //Sigma1(e) + ((e & f) ^ (~e & g)) + //Ch(e,f,g) + K[t] + w13; + t2 = ((a >> 28) ^ (a << (64 - 28)) ^ (a >> 34) ^ (a << (64 - 34)) ^ (a >> 39) ^ (a << (64 - 39))) + + //Sigma0(a) + ((a & b) ^ (a & c) ^ (b & c)); //Maj(a,b,c) + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + t++; + } + {//14 + t1 = h + + ((e >> 14) ^ (e << (64 - 14)) ^ (e >> 18) ^ (e << (64 - 18)) ^ (e >> 41) ^ (e << (64 - 41))) + + //Sigma1(e) + ((e & f) ^ (~e & g)) + //Ch(e,f,g) + K[t] + w14; + t2 = ((a >> 28) ^ (a << (64 - 28)) ^ (a >> 34) ^ (a << (64 - 34)) ^ (a >> 39) ^ (a << (64 - 39))) + + //Sigma0(a) + ((a & b) ^ (a & c) ^ (b & c)); //Maj(a,b,c) + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + t++; + } + {//15 + t1 = h + + ((e >> 14) ^ (e << (64 - 14)) ^ (e >> 18) ^ (e << (64 - 18)) ^ (e >> 41) ^ (e << (64 - 41))) + + //Sigma1(e) + ((e & f) ^ (~e & g)) + //Ch(e,f,g) + K[t] + w15; + t2 = ((a >> 28) ^ (a << (64 - 28)) ^ (a >> 34) ^ (a << (64 - 34)) ^ (a >> 39) ^ (a << (64 - 39))) + + //Sigma0(a) + ((a & b) ^ (a & c) ^ (b & c)); //Maj(a,b,c) + h = g; + g = f; + f = e; + e = d + t1; + d = c; + c = b; + b = a; + a = t1 + t2; + t++; + } + if (t == 80) + break; + + w0 += ((w14 >> 19) ^ (w14 << (64 - 19)) ^ (w14 >> 61) ^ (w14 << (64 - 61)) ^ (w14 >> 6)) + + w9 + + ((w1 >> 1) ^ (w1 << (64 - 1)) ^ (w1 >> 8) ^ (w1 << (64 - 8)) ^ (w1 >> 7)); + w1 += ((w15 >> 19) ^ (w15 << (64 - 19)) ^ (w15 >> 61) ^ (w15 << (64 - 61)) ^ (w15 >> 6)) + + w10 + + ((w2 >> 1) ^ (w2 << (64 - 1)) ^ (w2 >> 8) ^ (w2 << (64 - 8)) ^ (w2 >> 7)); + w2 += ((w0 >> 19) ^ (w0 << (64 - 19)) ^ (w0 >> 61) ^ (w0 << (64 - 61)) ^ (w0 >> 6)) + + w11 + + ((w3 >> 1) ^ (w3 << (64 - 1)) ^ (w3 >> 8) ^ (w3 << (64 - 8)) ^ (w3 >> 7)); + w3 += ((w1 >> 19) ^ (w1 << (64 - 19)) ^ (w1 >> 61) ^ (w1 << (64 - 61)) ^ (w1 >> 6)) + + w12 + + ((w4 >> 1) ^ (w4 << (64 - 1)) ^ (w4 >> 8) ^ (w4 << (64 - 8)) ^ (w4 >> 7)); + w4 += ((w2 >> 19) ^ (w2 << (64 - 19)) ^ (w2 >> 61) ^ (w2 << (64 - 61)) ^ (w2 >> 6)) + + w13 + + ((w5 >> 1) ^ (w5 << (64 - 1)) ^ (w5 >> 8) ^ (w5 << (64 - 8)) ^ (w5 >> 7)); + w5 += ((w3 >> 19) ^ (w3 << (64 - 19)) ^ (w3 >> 61) ^ (w3 << (64 - 61)) ^ (w3 >> 6)) + + w14 + + ((w6 >> 1) ^ (w6 << (64 - 1)) ^ (w6 >> 8) ^ (w6 << (64 - 8)) ^ (w6 >> 7)); + w6 += ((w4 >> 19) ^ (w4 << (64 - 19)) ^ (w4 >> 61) ^ (w4 << (64 - 61)) ^ (w4 >> 6)) + + w15 + + ((w7 >> 1) ^ (w7 << (64 - 1)) ^ (w7 >> 8) ^ (w7 << (64 - 8)) ^ (w7 >> 7)); + w7 += ((w5 >> 19) ^ (w5 << (64 - 19)) ^ (w5 >> 61) ^ (w5 << (64 - 61)) ^ (w5 >> 6)) + + w0 + + ((w8 >> 1) ^ (w8 << (64 - 1)) ^ (w8 >> 8) ^ (w8 << (64 - 8)) ^ (w8 >> 7)); + w8 += ((w6 >> 19) ^ (w6 << (64 - 19)) ^ (w6 >> 61) ^ (w6 << (64 - 61)) ^ (w6 >> 6)) + + w1 + + ((w9 >> 1) ^ (w9 << (64 - 1)) ^ (w9 >> 8) ^ (w9 << (64 - 8)) ^ (w9 >> 7)); + w9 += ((w7 >> 19) ^ (w7 << (64 - 19)) ^ (w7 >> 61) ^ (w7 << (64 - 61)) ^ (w7 >> 6)) + + w2 + + ((w10 >> 1) ^ (w10 << (64 - 1)) ^ (w10 >> 8) ^ (w10 << (64 - 8)) ^ (w10 >> 7)); + w10 += ((w8 >> 19) ^ (w8 << (64 - 19)) ^ (w8 >> 61) ^ (w8 << (64 - 61)) ^ (w8 >> 6)) + + w3 + + ((w11 >> 1) ^ (w11 << (64 - 1)) ^ (w11 >> 8) ^ (w11 << (64 - 8)) ^ (w11 >> 7)); + w11 += ((w9 >> 19) ^ (w9 << (64 - 19)) ^ (w9 >> 61) ^ (w9 << (64 - 61)) ^ (w9 >> 6)) + + w4 + + ((w12 >> 1) ^ (w12 << (64 - 1)) ^ (w12 >> 8) ^ (w12 << (64 - 8)) ^ (w12 >> 7)); + w12 += ((w10 >> 19) ^ (w10 << (64 - 19)) ^ (w10 >> 61) ^ (w10 << (64 - 61)) ^ (w10 >> 6)) + + w5 + + ((w13 >> 1) ^ (w13 << (64 - 1)) ^ (w13 >> 8) ^ (w13 << (64 - 8)) ^ (w13 >> 7)); + w13 += ((w11 >> 19) ^ (w11 << (64 - 19)) ^ (w11 >> 61) ^ (w11 << (64 - 61)) ^ (w11 >> 6)) + + w6 + + ((w14 >> 1) ^ (w14 << (64 - 1)) ^ (w14 >> 8) ^ (w14 << (64 - 8)) ^ (w14 >> 7)); + w14 += ((w12 >> 19) ^ (w12 << (64 - 19)) ^ (w12 >> 61) ^ (w12 << (64 - 61)) ^ (w12 >> 6)) + + w7 + + ((w15 >> 1) ^ (w15 << (64 - 1)) ^ (w15 >> 8) ^ (w15 << (64 - 8)) ^ (w15 >> 7)); + w15 += ((w13 >> 19) ^ (w13 << (64 - 19)) ^ (w13 >> 61) ^ (w13 << (64 - 61)) ^ (w13 >> 6)) + + w8 + + ((w0 >> 1) ^ (w0 << (64 - 1)) ^ (w0 >> 8) ^ (w0 << (64 - 8)) ^ (w0 >> 7)); + } + + outputState.x0 = inputState.x0 + a; + outputState.x1 = inputState.x1 + b; + outputState.x2 = inputState.x2 + c; + outputState.x3 = inputState.x3 + d; + outputState.x4 = inputState.x4 + e; + outputState.x5 = inputState.x5 + f; + outputState.x6 = inputState.x6 + g; + outputState.x7 = inputState.x7 + h; + } + } + } +} diff --git a/src/SshNet.Keygen/Chaos.NaCl/MontgomeryCurve25519.cs b/src/SshNet.Keygen/Chaos.NaCl/MontgomeryCurve25519.cs new file mode 100644 index 0000000..562521f --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/MontgomeryCurve25519.cs @@ -0,0 +1,142 @@ +using System; +using System.Collections.Generic; +using Chaos.NaCl.Internal; +using Chaos.NaCl.Internal.Ed25519Ref10; +using Chaos.NaCl.Internal.Salsa; + +namespace Chaos.NaCl +{ + // This class is mainly for compatibility with NaCl's Curve25519 implementation + // If you don't need that compatibility, use Ed25519.KeyExchange + public static class MontgomeryCurve25519 + { + public static readonly int PublicKeySizeInBytes = 32; + public static readonly int PrivateKeySizeInBytes = 32; + public static readonly int SharedKeySizeInBytes = 32; + + public static byte[] GetPublicKey(byte[] privateKey) + { + if (privateKey == null) + throw new ArgumentNullException("privateKey"); + if (privateKey.Length != PrivateKeySizeInBytes) + throw new ArgumentException("privateKey.Length must be 32"); + var publicKey = new byte[32]; + GetPublicKey(new ArraySegment(publicKey), new ArraySegment(privateKey)); + return publicKey; + } + + static readonly byte[] _basePoint = new byte[32] + { + 9, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0 ,0, 0, 0, 0, 0, + 0, 0, 0 ,0, 0, 0, 0, 0, + 0, 0, 0 ,0, 0, 0, 0, 0 + }; + + public static void GetPublicKey(ArraySegment publicKey, ArraySegment privateKey) + { + if (publicKey.Array == null) + throw new ArgumentNullException("publicKey.Array"); + if (privateKey.Array == null) + throw new ArgumentNullException("privateKey.Array"); + if (publicKey.Count != PublicKeySizeInBytes) + throw new ArgumentException("privateKey.Count must be 32"); + if (privateKey.Count != PrivateKeySizeInBytes) + throw new ArgumentException("privateKey.Count must be 32"); + + // hack: abusing publicKey as temporary storage + // todo: remove hack + for (int i = 0; i < 32; i++) + { + publicKey.Array[publicKey.Offset + i] = privateKey.Array[privateKey.Offset + i]; + } + ScalarOperations.sc_clamp(publicKey.Array, publicKey.Offset); + + GroupElementP3 A; + GroupOperations.ge_scalarmult_base(out A, publicKey.Array, publicKey.Offset); + FieldElement publicKeyFE; + EdwardsToMontgomeryX(out publicKeyFE, ref A.Y, ref A.Z); + FieldOperations.fe_tobytes(publicKey.Array, publicKey.Offset, ref publicKeyFE); + } + + // hashes like the Curve25519 paper says + internal static void KeyExchangeOutputHashCurve25519Paper(byte[] sharedKey, int offset) + { + //c = Curve25519output + const UInt32 c0 = 'C' | 'u' << 8 | 'r' << 16 | (UInt32)'v' << 24; + const UInt32 c1 = 'e' | '2' << 8 | '5' << 16 | (UInt32)'5' << 24; + const UInt32 c2 = '1' | '9' << 8 | 'o' << 16 | (UInt32)'u' << 24; + const UInt32 c3 = 't' | 'p' << 8 | 'u' << 16 | (UInt32)'t' << 24; + + Array16 salsaState; + salsaState.x0 = c0; + salsaState.x1 = ByteIntegerConverter.LoadLittleEndian32(sharedKey, offset + 0); + salsaState.x2 = 0; + salsaState.x3 = ByteIntegerConverter.LoadLittleEndian32(sharedKey, offset + 4); + salsaState.x4 = ByteIntegerConverter.LoadLittleEndian32(sharedKey, offset + 8); + salsaState.x5 = c1; + salsaState.x6 = ByteIntegerConverter.LoadLittleEndian32(sharedKey, offset + 12); + salsaState.x7 = 0; + salsaState.x8 = 0; + salsaState.x9 = ByteIntegerConverter.LoadLittleEndian32(sharedKey, offset + 16); + salsaState.x10 = c2; + salsaState.x11 = ByteIntegerConverter.LoadLittleEndian32(sharedKey, offset + 20); + salsaState.x12 = ByteIntegerConverter.LoadLittleEndian32(sharedKey, offset + 24); + salsaState.x13 = 0; + salsaState.x14 = ByteIntegerConverter.LoadLittleEndian32(sharedKey, offset + 28); + salsaState.x15 = c3; + SalsaCore.Salsa(out salsaState, ref salsaState, 20); + + ByteIntegerConverter.StoreLittleEndian32(sharedKey, offset + 0, salsaState.x0); + ByteIntegerConverter.StoreLittleEndian32(sharedKey, offset + 4, salsaState.x1); + ByteIntegerConverter.StoreLittleEndian32(sharedKey, offset + 8, salsaState.x2); + ByteIntegerConverter.StoreLittleEndian32(sharedKey, offset + 12, salsaState.x3); + ByteIntegerConverter.StoreLittleEndian32(sharedKey, offset + 16, salsaState.x4); + ByteIntegerConverter.StoreLittleEndian32(sharedKey, offset + 20, salsaState.x5); + ByteIntegerConverter.StoreLittleEndian32(sharedKey, offset + 24, salsaState.x6); + ByteIntegerConverter.StoreLittleEndian32(sharedKey, offset + 28, salsaState.x7); + } + + private static readonly byte[] _zero16 = new byte[16]; + + // hashes like the NaCl paper says instead i.e. HSalsa(x,0) + internal static void KeyExchangeOutputHashNaCl(byte[] sharedKey, int offset) + { + Salsa20.HSalsa20(sharedKey, offset, sharedKey, offset, _zero16, 0); + } + + public static byte[] KeyExchange(byte[] publicKey, byte[] privateKey) + { + var sharedKey = new byte[SharedKeySizeInBytes]; + KeyExchange(new ArraySegment(sharedKey), new ArraySegment(publicKey), new ArraySegment(privateKey)); + return sharedKey; + } + + public static void KeyExchange(ArraySegment sharedKey, ArraySegment publicKey, ArraySegment privateKey) + { + if (sharedKey.Array == null) + throw new ArgumentNullException("sharedKey.Array"); + if (publicKey.Array == null) + throw new ArgumentNullException("publicKey.Array"); + if (privateKey.Array == null) + throw new ArgumentNullException("privateKey"); + if (sharedKey.Count != 32) + throw new ArgumentException("sharedKey.Count != 32"); + if (publicKey.Count != 32) + throw new ArgumentException("publicKey.Count != 32"); + if (privateKey.Count != 32) + throw new ArgumentException("privateKey.Count != 32"); + MontgomeryOperations.scalarmult(sharedKey.Array, sharedKey.Offset, privateKey.Array, privateKey.Offset, publicKey.Array, publicKey.Offset); + KeyExchangeOutputHashNaCl(sharedKey.Array, sharedKey.Offset); + } + + internal static void EdwardsToMontgomeryX(out FieldElement montgomeryX, ref FieldElement edwardsY, ref FieldElement edwardsZ) + { + FieldElement tempX, tempZ; + FieldOperations.fe_add(out tempX, ref edwardsZ, ref edwardsY); + FieldOperations.fe_sub(out tempZ, ref edwardsZ, ref edwardsY); + FieldOperations.fe_invert(out tempZ, ref tempZ); + FieldOperations.fe_mul(out montgomeryX, ref tempX, ref tempZ); + } + } +} diff --git a/src/SshNet.Keygen/Chaos.NaCl/OneTimeAuth.cs b/src/SshNet.Keygen/Chaos.NaCl/OneTimeAuth.cs new file mode 100644 index 0000000..805e691 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/OneTimeAuth.cs @@ -0,0 +1,19 @@ +using System; + +namespace Chaos.NaCl +{ + public abstract class OneTimeAuth + { + private static readonly Poly1305 _poly1305 = new Poly1305(); + + public abstract int KeySizeInBytes { get; } + public abstract int SignatureSizeInBytes { get; } + + public abstract byte[] Sign(byte[] message, byte[] key); + public abstract void Sign(ArraySegment signature, ArraySegment message, ArraySegment key); + public abstract bool Verify(byte[] signature, byte[] message, byte[] key); + public abstract bool Verify(ArraySegment signature, ArraySegment message, ArraySegment key); + + public static OneTimeAuth Poly1305 { get { return _poly1305; } } + } +} diff --git a/src/SshNet.Keygen/Chaos.NaCl/Poly1305.cs b/src/SshNet.Keygen/Chaos.NaCl/Poly1305.cs new file mode 100644 index 0000000..4febd08 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Poly1305.cs @@ -0,0 +1,97 @@ +using System; +using System.Collections.Generic; +using Chaos.NaCl.Internal; + +namespace Chaos.NaCl +{ + internal sealed class Poly1305 : OneTimeAuth + { + public override int KeySizeInBytes + { + get { return 32; } + } + + public override int SignatureSizeInBytes + { + get { return 16; } + } + + [Obsolete("Needs more testing")] + public override byte[] Sign(byte[] message, byte[] key) + { + if (message == null) + throw new ArgumentNullException("message"); + if (key == null) + throw new ArgumentNullException("key"); + if (key.Length != 32) + throw new ArgumentException("Invalid key size", "key"); + + var result = new byte[16]; + Array8 internalKey; + ByteIntegerConverter.Array8LoadLittleEndian32(out internalKey, key, 0); + Poly1305Donna.poly1305_auth(result, 0, message, 0, message.Length, ref internalKey); + return result; + } + + [Obsolete("Needs more testing")] + public override void Sign(ArraySegment signature, ArraySegment message, ArraySegment key) + { + if (signature.Array == null) + throw new ArgumentNullException("signature.Array"); + if (message.Array == null) + throw new ArgumentNullException("message.Array"); + if (key.Array == null) + throw new ArgumentNullException("key.Array"); + if (key.Count != 32) + throw new ArgumentException("Invalid key size", "key"); + if (signature.Count != 16) + throw new ArgumentException("Invalid signature size", "signature"); + + Array8 internalKey; + ByteIntegerConverter.Array8LoadLittleEndian32(out internalKey, key.Array, key.Offset); + Poly1305Donna.poly1305_auth(signature.Array, signature.Offset, message.Array, message.Offset, message.Count, ref internalKey); + } + + [Obsolete("Needs more testing")] + public override bool Verify(byte[] signature, byte[] message, byte[] key) + { + if (signature == null) + throw new ArgumentNullException("signature"); + if (message == null) + throw new ArgumentNullException("message"); + if (key == null) + throw new ArgumentNullException("key"); + if (signature.Length != 16) + throw new ArgumentException("Invalid signature size", "signature"); + if (key.Length != 32) + throw new ArgumentException("Invalid key size", "key"); + + var tempBytes = new byte[16];//todo: remove allocation + Array8 internalKey; + ByteIntegerConverter.Array8LoadLittleEndian32(out internalKey, key, 0); + Poly1305Donna.poly1305_auth(tempBytes, 0, message, 0, message.Length, ref internalKey); + return CryptoBytes.ConstantTimeEquals(tempBytes, signature); + } + + [Obsolete("Needs more testing")] + public override bool Verify(ArraySegment signature, ArraySegment message, ArraySegment key) + { + if (signature.Array == null) + throw new ArgumentNullException("signature.Array"); + if (message.Array == null) + throw new ArgumentNullException("message.Array"); + if (key.Array == null) + throw new ArgumentNullException("key.Array"); + if (key.Count != 32) + throw new ArgumentException("Invalid key size", "key"); + if (signature.Count != 16) + throw new ArgumentException("Invalid signature size", "signature"); + + var tempBytes = new byte[16];//todo: remove allocation + Array8 internalKey; + ByteIntegerConverter.Array8LoadLittleEndian32(out internalKey, key.Array, key.Offset); + Poly1305Donna.poly1305_auth(tempBytes, 0, message.Array, message.Offset, message.Count, ref internalKey); + return CryptoBytes.ConstantTimeEquals(new ArraySegment(tempBytes), signature); + } + } +} diff --git a/src/SshNet.Keygen/Chaos.NaCl/Sha512.cs b/src/SshNet.Keygen/Chaos.NaCl/Sha512.cs new file mode 100644 index 0000000..60d7046 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/Sha512.cs @@ -0,0 +1,132 @@ +using System; +using System.Collections.Generic; +using Chaos.NaCl.Internal; + +namespace Chaos.NaCl +{ + public class Sha512 + { + private Array8 _state; + private readonly byte[] _buffer; + private ulong _totalBytes; + public const int BlockSize = 128; + private static readonly byte[] _padding = new byte[] { 0x80 }; + + public Sha512() + { + _buffer = new byte[BlockSize];//todo: remove allocation + Init(); + } + + public void Init() + { + Sha512Internal.Sha512Init(out _state); + _totalBytes = 0; + } + + public void Update(ArraySegment data) + { + if (data.Array == null) + throw new ArgumentNullException("data.Array"); + Update(data.Array, data.Offset, data.Count); + } + + public void Update(byte[] data, int offset, int count) + { + if (data == null) + throw new ArgumentNullException("data"); + if (offset < 0) + throw new ArgumentOutOfRangeException("offset"); + if (count < 0) + throw new ArgumentOutOfRangeException("count"); + if (data.Length - offset < count) + throw new ArgumentException("Requires offset + count <= data.Length"); + + Array16 block; + int bytesInBuffer = (int)_totalBytes & (BlockSize - 1); + _totalBytes += (uint)count; + + if (_totalBytes >= ulong.MaxValue / 8) + throw new InvalidOperationException("Too much data"); + // Fill existing buffer + if (bytesInBuffer != 0) + { + var toCopy = Math.Min(BlockSize - bytesInBuffer, count); + Buffer.BlockCopy(data, offset, _buffer, bytesInBuffer, toCopy); + offset += toCopy; + count -= toCopy; + bytesInBuffer += toCopy; + if (bytesInBuffer == BlockSize) + { + ByteIntegerConverter.Array16LoadBigEndian64(out block, _buffer, 0); + Sha512Internal.Core(out _state, ref _state, ref block); + CryptoBytes.InternalWipe(_buffer, 0, _buffer.Length); + bytesInBuffer = 0; + } + } + // Hash complete blocks without copying + while (count >= BlockSize) + { + ByteIntegerConverter.Array16LoadBigEndian64(out block, data, offset); + Sha512Internal.Core(out _state, ref _state, ref block); + offset += BlockSize; + count -= BlockSize; + } + // Copy remainder into buffer + if (count > 0) + { + Buffer.BlockCopy(data, offset, _buffer, bytesInBuffer, count); + } + } + + public void Finish(ArraySegment output) + { + if (output.Array == null) + throw new ArgumentNullException("output.Array"); + if (output.Count != 64) + throw new ArgumentException("output.Count must be 64"); + + Update(_padding, 0, _padding.Length); + Array16 block; + ByteIntegerConverter.Array16LoadBigEndian64(out block, _buffer, 0); + CryptoBytes.InternalWipe(_buffer, 0, _buffer.Length); + int bytesInBuffer = (int)_totalBytes & (BlockSize - 1); + if (bytesInBuffer > BlockSize - 16) + { + Sha512Internal.Core(out _state, ref _state, ref block); + block = default(Array16); + } + block.x15 = (_totalBytes - 1) * 8; + Sha512Internal.Core(out _state, ref _state, ref block); + + ByteIntegerConverter.StoreBigEndian64(output.Array, output.Offset + 0, _state.x0); + ByteIntegerConverter.StoreBigEndian64(output.Array, output.Offset + 8, _state.x1); + ByteIntegerConverter.StoreBigEndian64(output.Array, output.Offset + 16, _state.x2); + ByteIntegerConverter.StoreBigEndian64(output.Array, output.Offset + 24, _state.x3); + ByteIntegerConverter.StoreBigEndian64(output.Array, output.Offset + 32, _state.x4); + ByteIntegerConverter.StoreBigEndian64(output.Array, output.Offset + 40, _state.x5); + ByteIntegerConverter.StoreBigEndian64(output.Array, output.Offset + 48, _state.x6); + ByteIntegerConverter.StoreBigEndian64(output.Array, output.Offset + 56, _state.x7); + _state = default(Array8); + } + + public byte[] Finish() + { + var result = new byte[64]; + Finish(new ArraySegment(result)); + return result; + } + + public static byte[] Hash(byte[] data) + { + return Hash(data, 0, data.Length); + } + + public static byte[] Hash(byte[] data, int offset, int count) + { + var hasher = new Sha512(); + hasher.Update(data, offset, count); + return hasher.Finish(); + } + } +} diff --git a/src/SshNet.Keygen/Chaos.NaCl/XSalsa20Poly1305.cs b/src/SshNet.Keygen/Chaos.NaCl/XSalsa20Poly1305.cs new file mode 100644 index 0000000..4523e44 --- /dev/null +++ b/src/SshNet.Keygen/Chaos.NaCl/XSalsa20Poly1305.cs @@ -0,0 +1,247 @@ +using System; +using System.Collections.Generic; +using Chaos.NaCl.Internal; +using Chaos.NaCl.Internal.Salsa; + +namespace Chaos.NaCl +{ + public static class XSalsa20Poly1305 + { + public static readonly int KeySizeInBytes = 32; + public static readonly int NonceSizeInBytes = 24; + public static readonly int MacSizeInBytes = 16; + + public static byte[] Encrypt(byte[] message, byte[] key, byte[] nonce) + { + if (message == null) + throw new ArgumentNullException("message"); + if (key == null) + throw new ArgumentNullException("key"); + if (nonce == null) + throw new ArgumentNullException("nonce"); + if (key.Length != KeySizeInBytes) + throw new ArgumentException("key.Length != 32"); + if (nonce.Length != NonceSizeInBytes) + throw new ArgumentException("nonce.Length != 24"); + + var ciphertext = new byte[message.Length + MacSizeInBytes]; + EncryptInternal(ciphertext, 0, message, 0, message.Length, key, 0, nonce, 0); + return ciphertext; + } + + public static void Encrypt(ArraySegment ciphertext, ArraySegment message, ArraySegment key, ArraySegment nonce) + { + if (key.Count != KeySizeInBytes) + throw new ArgumentException("key.Length != 32"); + if (nonce.Count != NonceSizeInBytes) + throw new ArgumentException("nonce.Length != 24"); + if (ciphertext.Count != message.Count + MacSizeInBytes) + throw new ArgumentException("ciphertext.Count != message.Count + 16"); + EncryptInternal(ciphertext.Array, ciphertext.Offset, message.Array, message.Offset, message.Count, key.Array, key.Offset, nonce.Array, nonce.Offset); + } + + /// + /// Decrypts the ciphertext and verifies its authenticity + /// + /// Plaintext if MAC validation succeeds, null if the data is invalid. + public static byte[] TryDecrypt(byte[] ciphertext, byte[] key, byte[] nonce) + { + if (ciphertext == null) + throw new ArgumentNullException("ciphertext"); + if (key == null) + throw new ArgumentNullException("key"); + if (nonce == null) + throw new ArgumentNullException("nonce"); + if (key.Length != KeySizeInBytes) + throw new ArgumentException("key.Length != 32"); + if (nonce.Length != NonceSizeInBytes) + throw new ArgumentException("nonce.Length != 24"); + + if (ciphertext.Length < MacSizeInBytes) + return null; + var plaintext = new byte[ciphertext.Length - MacSizeInBytes]; + bool success = DecryptInternal(plaintext, 0, ciphertext, 0, ciphertext.Length, key, 0, nonce, 0); + if (success) + return plaintext; + else + return null; + } + + /// + /// Decrypts the ciphertext and verifies its authenticity + /// + /// Plaintext if authentication succeeded, all zero if authentication failed, unmodified if argument verification fails + /// + /// Symmetric key. Must be identical to key specified for encryption. + /// Must be identical to nonce specified for encryption. + /// true if ciphertext is authentic, false otherwise + public static bool TryDecrypt(ArraySegment message, ArraySegment ciphertext, ArraySegment key, ArraySegment nonce) + { + if (key.Count != KeySizeInBytes) + throw new ArgumentException("key.Length != 32"); + if (nonce.Count != NonceSizeInBytes) + throw new ArgumentException("nonce.Length != 24"); + if (ciphertext.Count != message.Count + MacSizeInBytes) + throw new ArgumentException("ciphertext.Count != message.Count + 16"); + + return DecryptInternal(message.Array, message.Offset, ciphertext.Array, ciphertext.Offset, ciphertext.Count, key.Array, key.Offset, nonce.Array, nonce.Offset); + } + + private static void PrepareInternalKey(out Array16 internalKey, byte[] key, int keyOffset, byte[] nonce, int nonceOffset) + { + internalKey.x0 = Salsa20.SalsaConst0; + internalKey.x1 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 0); + internalKey.x2 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 4); + internalKey.x3 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 8); + internalKey.x4 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 12); + internalKey.x5 = Salsa20.SalsaConst1; + internalKey.x6 = ByteIntegerConverter.LoadLittleEndian32(nonce, nonceOffset + 0); + internalKey.x7 = ByteIntegerConverter.LoadLittleEndian32(nonce, nonceOffset + 4); + internalKey.x8 = ByteIntegerConverter.LoadLittleEndian32(nonce, nonceOffset + 8); + internalKey.x9 = ByteIntegerConverter.LoadLittleEndian32(nonce, nonceOffset + 12); + internalKey.x10 = Salsa20.SalsaConst2; + internalKey.x11 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 16); + internalKey.x12 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 20); + internalKey.x13 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 24); + internalKey.x14 = ByteIntegerConverter.LoadLittleEndian32(key, keyOffset + 28); + internalKey.x15 = Salsa20.SalsaConst3; + SalsaCore.HSalsa(out internalKey, ref internalKey, 20); + + //key + internalKey.x1 = internalKey.x0; + internalKey.x2 = internalKey.x5; + internalKey.x3 = internalKey.x10; + internalKey.x4 = internalKey.x15; + internalKey.x11 = internalKey.x6; + internalKey.x12 = internalKey.x7; + internalKey.x13 = internalKey.x8; + internalKey.x14 = internalKey.x9; + //const + internalKey.x0 = Salsa20.SalsaConst0; + internalKey.x5 = Salsa20.SalsaConst1; + internalKey.x10 = Salsa20.SalsaConst2; + internalKey.x15 = Salsa20.SalsaConst3; + //nonce + internalKey.x6 = ByteIntegerConverter.LoadLittleEndian32(nonce, nonceOffset + 16); + internalKey.x7 = ByteIntegerConverter.LoadLittleEndian32(nonce, nonceOffset + 20); + //offset + internalKey.x8 = 0; + internalKey.x9 = 0; + } + + private static bool DecryptInternal(byte[] plaintext, int plaintextOffset, byte[] ciphertext, int ciphertextOffset, int ciphertextLength, byte[] key, int keyOffset, byte[] nonce, int nonceOffset) + { + int plaintextLength = ciphertextLength - MacSizeInBytes; + Array16 internalKey; + PrepareInternalKey(out internalKey, key, keyOffset, nonce, nonceOffset); + + Array16 temp; + var tempBytes = new byte[64];//todo: remove allocation + + // first iteration + { + SalsaCore.Salsa(out temp, ref internalKey, 20); + + //first half is for Poly1305 + Array8 poly1305Key; + poly1305Key.x0 = temp.x0; + poly1305Key.x1 = temp.x1; + poly1305Key.x2 = temp.x2; + poly1305Key.x3 = temp.x3; + poly1305Key.x4 = temp.x4; + poly1305Key.x5 = temp.x5; + poly1305Key.x6 = temp.x6; + poly1305Key.x7 = temp.x7; + + // compute MAC + Poly1305Donna.poly1305_auth(tempBytes, 0, ciphertext, ciphertextOffset + 16, plaintextLength, ref poly1305Key); + if (!CryptoBytes.ConstantTimeEquals(tempBytes, 0, ciphertext, ciphertextOffset, MacSizeInBytes)) + { + Array.Clear(plaintext, plaintextOffset, plaintextLength); + return false; + } + + // rest for the message + ByteIntegerConverter.StoreLittleEndian32(tempBytes, 0, temp.x8); + ByteIntegerConverter.StoreLittleEndian32(tempBytes, 4, temp.x9); + ByteIntegerConverter.StoreLittleEndian32(tempBytes, 8, temp.x10); + ByteIntegerConverter.StoreLittleEndian32(tempBytes, 12, temp.x11); + ByteIntegerConverter.StoreLittleEndian32(tempBytes, 16, temp.x12); + ByteIntegerConverter.StoreLittleEndian32(tempBytes, 20, temp.x13); + ByteIntegerConverter.StoreLittleEndian32(tempBytes, 24, temp.x14); + ByteIntegerConverter.StoreLittleEndian32(tempBytes, 28, temp.x15); + int count = Math.Min(32, plaintextLength); + for (int i = 0; i < count; i++) + plaintext[plaintextOffset + i] = (byte)(ciphertext[MacSizeInBytes + ciphertextOffset + i] ^ tempBytes[i]); + } + + // later iterations + int blockOffset = 32; + while (blockOffset < plaintextLength) + { + internalKey.x8++; + SalsaCore.Salsa(out temp, ref internalKey, 20); + ByteIntegerConverter.Array16StoreLittleEndian32(tempBytes, 0, ref temp); + int count = Math.Min(64, plaintextLength - blockOffset); + for (int i = 0; i < count; i++) + plaintext[plaintextOffset + blockOffset + i] = (byte)(ciphertext[16 + ciphertextOffset + blockOffset + i] ^ tempBytes[i]); + blockOffset += 64; + } + return true; + } + + private static void EncryptInternal(byte[] ciphertext, int ciphertextOffset, byte[] message, int messageOffset, int messageLength, byte[] key, int keyOffset, byte[] nonce, int nonceOffset) + { + Array16 internalKey; + PrepareInternalKey(out internalKey, key, keyOffset, nonce, nonceOffset); + + Array16 temp; + var tempBytes = new byte[64];//todo: remove allocation + Array8 poly1305Key; + + // first iteration + { + SalsaCore.Salsa(out temp, ref internalKey, 20); + + //first half is for Poly1305 + poly1305Key.x0 = temp.x0; + poly1305Key.x1 = temp.x1; + poly1305Key.x2 = temp.x2; + poly1305Key.x3 = temp.x3; + poly1305Key.x4 = temp.x4; + poly1305Key.x5 = temp.x5; + poly1305Key.x6 = temp.x6; + poly1305Key.x7 = temp.x7; + + // second half for the message + ByteIntegerConverter.StoreLittleEndian32(tempBytes, 0, temp.x8); + ByteIntegerConverter.StoreLittleEndian32(tempBytes, 4, temp.x9); + ByteIntegerConverter.StoreLittleEndian32(tempBytes, 8, temp.x10); + ByteIntegerConverter.StoreLittleEndian32(tempBytes, 12, temp.x11); + ByteIntegerConverter.StoreLittleEndian32(tempBytes, 16, temp.x12); + ByteIntegerConverter.StoreLittleEndian32(tempBytes, 20, temp.x13); + ByteIntegerConverter.StoreLittleEndian32(tempBytes, 24, temp.x14); + ByteIntegerConverter.StoreLittleEndian32(tempBytes, 28, temp.x15); + int count = Math.Min(32, messageLength); + for (int i = 0; i < count; i++) + ciphertext[16 + ciphertextOffset + i] = (byte)(message[messageOffset + i] ^ tempBytes[i]); + } + + // later iterations + int blockOffset = 32; + while (blockOffset < messageLength) + { + internalKey.x8++; + SalsaCore.Salsa(out temp, ref internalKey, 20); + ByteIntegerConverter.Array16StoreLittleEndian32(tempBytes, 0, ref temp); + int count = Math.Min(64, messageLength - blockOffset); + for (int i = 0; i < count; i++) + ciphertext[16 + ciphertextOffset + blockOffset + i] = (byte)(message[messageOffset + blockOffset + i] ^ tempBytes[i]); + blockOffset += 64; + } + + // compute MAC + Poly1305Donna.poly1305_auth(ciphertext, ciphertextOffset, ciphertext, ciphertextOffset + 16, messageLength, ref poly1305Key); + } + } +} diff --git a/src/SshNet.Keygen/Extensions/BinaryWriterExtension.cs b/src/SshNet.Keygen/Extensions/BinaryWriterExtension.cs new file mode 100644 index 0000000..1794f98 --- /dev/null +++ b/src/SshNet.Keygen/Extensions/BinaryWriterExtension.cs @@ -0,0 +1,56 @@ +using System; +using System.IO; +using System.Numerics; +using System.Text; +using Renci.SshNet.Common; + +namespace SshNet.Keygen.Extensions +{ + internal static class BinaryWriterExtension + { + public static void EncodeNullTerminatedString(this BinaryWriter writer, string str) + { + writer.Write(Encoding.ASCII.GetBytes(str)); + writer.Write('\0'); + } + + public static void EncodeBinary(this BinaryWriter writer, string str) + { + EncodeBinary(writer, Encoding.ASCII.GetBytes(str)); + } + + public static void EncodeBinary(this BinaryWriter writer, MemoryStream str) + { + EncodeBinary(writer, str.ToArray()); + } + + public static void EncodeBinary(this BinaryWriter writer, byte[] str) + { + EncodeUInt(writer, (uint)str.Length); + writer.Write(str); + } + + public static void EncodeBinary(this BinaryWriter writer, BigInteger bigInteger) + { + var data = bigInteger.ToByteArray().Reverse(); + EncodeUInt(writer, (uint)data.Length); + writer.Write(data); + } + + public static void EncodeUInt(this BinaryWriter writer, uint i) + { + var data = BitConverter.GetBytes(i); + if (BitConverter.IsLittleEndian) + Array.Reverse(data); + writer.Write(data); + } + + public static void EncodeInt(this BinaryWriter writer, int i) + { + var data = BitConverter.GetBytes(i); + if (BitConverter.IsLittleEndian) + Array.Reverse(data); + writer.Write(data); + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Extensions/ByteExtension.cs b/src/SshNet.Keygen/Extensions/ByteExtension.cs new file mode 100644 index 0000000..ed647c0 --- /dev/null +++ b/src/SshNet.Keygen/Extensions/ByteExtension.cs @@ -0,0 +1,32 @@ +using System; +using System.Numerics; +using Renci.SshNet.Common; + +namespace SshNet.Keygen.Extensions +{ + internal static class ByteExtension + { + public static BigInteger ToBigInteger2(this byte[] data) + { + if ((data[0] & (1 << 7)) == 0) + return data.ToBigInteger(); + var buf = new byte[data.Length + 1]; + Buffer.BlockCopy(data, 0, buf, 1, data.Length); + data = buf; + return data.ToBigInteger(); + } + + public static BigInteger ToBigInteger(this byte[] data) + { + var reversed = new byte[data.Length]; + Buffer.BlockCopy(data, 0, reversed, 0, data.Length); + return new BigInteger(reversed.Reverse()); + } + + public static T[] Reverse(this T[] array) + { + Array.Reverse(array); + return array; + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Extensions/EcdsaExtension.cs b/src/SshNet.Keygen/Extensions/EcdsaExtension.cs new file mode 100644 index 0000000..5fd80c5 --- /dev/null +++ b/src/SshNet.Keygen/Extensions/EcdsaExtension.cs @@ -0,0 +1,61 @@ +using System; +using System.Security.Cryptography; + +namespace SshNet.Keygen.Extensions +{ + internal static class EcdsaExtension + { + private static byte[] UncompressedCoords(byte[] qx, byte[] qy) + { + var q = new byte[1 + qx.Length + qy.Length]; + Buffer.SetByte(q, 0, 4); + Buffer.BlockCopy(qx, 0, q, 1, qx.Length); + Buffer.BlockCopy(qy, 0, q, qx.Length + 1, qy.Length); + return q; + } + +#if NETSTANDARD + // EcParameters.Curve.Oid.FriendlyName returns different values if OpenSSL or Windows-Crypto + public static string EcCurveNameSshCompat(this ECDsa ecdsa) + { + return ecdsa.KeySize switch + { + 256 => "nistp256", + 384 => "nistp384", + 521 => "nistp521", + _ => throw new CryptographicException($"Unsupported KeyLength: {ecdsa.KeySize}") + }; + } + + public static byte[] UncompressedCoords(this ECParameters ecdsaParameters) + { + var qx = ecdsaParameters.Q.X; + var qy = ecdsaParameters.Q.Y; + return UncompressedCoords(qx, qy); + } +#else + public enum KeyBlobMagicNumber + { + BCRYPT_ECDSA_PRIVATE_P256_MAGIC = 0x32534345, + BCRYPT_ECDSA_PRIVATE_P384_MAGIC = 0x34534345, + BCRYPT_ECDSA_PRIVATE_P521_MAGIC = 0x36534345 + } + + public static string EcCurveNameSshCompat(this ECDsaCng ecdsa, KeyBlobMagicNumber magic) + { + return magic switch + { + KeyBlobMagicNumber.BCRYPT_ECDSA_PRIVATE_P256_MAGIC => "nistp256", + KeyBlobMagicNumber.BCRYPT_ECDSA_PRIVATE_P384_MAGIC => "nistp384", + KeyBlobMagicNumber.BCRYPT_ECDSA_PRIVATE_P521_MAGIC => "nistp521", + _ => throw new CryptographicException($"Unexpected Curve Magic: {magic}") + }; + } + + public static byte[] UncompressedCoords(this ECDsaCng ecdsa, byte[] qx, byte[] qy) + { + return UncompressedCoords(qx, qy); + } +#endif + } +} diff --git a/src/SshNet.Keygen/Extensions/KeyExtension.cs b/src/SshNet.Keygen/Extensions/KeyExtension.cs new file mode 100644 index 0000000..bbfc010 --- /dev/null +++ b/src/SshNet.Keygen/Extensions/KeyExtension.cs @@ -0,0 +1,329 @@ +using System; +using System.IO; +using System.Security.Cryptography; +using System.Text; +using Renci.SshNet.Security; +using SshNet.Keygen.SshKeyEncryption; + +namespace SshNet.Keygen.Extensions +{ + public static class KeyExtension + { + #region Fingerprint + + internal static string Fingerprint(this Key key) + { + return key.Fingerprint(SshKeyGenerateInfo.DefaultHashAlgorithmName); + } + + internal static string Fingerprint(this Key key, SshKeyHashAlgorithmName hashAlgorithm) + { + using var pubStream = new MemoryStream(); + using var pubWriter = new BinaryWriter(pubStream); + key.PublicKeyData(pubWriter); + + using var hash = SshKeyHashAlgorithm.Create(hashAlgorithm); + var pubKeyHash = hash.ComputeHash(pubStream.ToArray()); + + var base64 = hashAlgorithm == SshKeyHashAlgorithmName.MD5 + ? BitConverter.ToString(pubKeyHash).ToLower().Replace('-', ':') + : Convert.ToBase64String(pubKeyHash, 0, pubKeyHash.Length).TrimEnd('='); + + return $"{key.KeyLength} {SshKeyHashAlgorithm.HashAlgorithmName(hashAlgorithm)}:{base64} {key.Comment} ({key.KeyName()})"; + } + + #endregion + + internal static string ToPublic(this Key key) + { + using var pubStream = new MemoryStream(); + using var pubWriter = new BinaryWriter(pubStream); + key.PublicKeyData(pubWriter); + + var base64 = Convert.ToBase64String(pubStream.ToArray()); + return $"{key} {base64} {key.Comment ?? ""}\n"; + } + + #region OpenSshFormat + + internal static string ToOpenSshFormat(this Key key) + { + return key.ToOpenSshFormat(SshKeyGenerateInfo.DefaultSshKeyEncryption); + } + + internal static string ToOpenSshFormat(this Key key, ISshKeyEncryption encryption) + { + var s = new StringWriter(); + s.Write("-----BEGIN OPENSSH PRIVATE KEY-----\n"); + s.Write(key.OpensshPrivateKeyData(encryption)); + s.Write("-----END OPENSSH PRIVATE KEY-----\n"); + return s.ToString(); + } + + private static string KeyName(this Key key) + { + switch (key.ToString()) + { + case "ssh-ed25519": + return "ED25519"; + case "ssh-rsa": + return "RSA"; + case "ecdsa-sha2-nistp256": + // Fallthrough + case "ecdsa-sha2-nistp384": + // Fallthrough + case "ecdsa-sha2-nistp521": + return "ECDSA"; + default: + throw new NotSupportedException($"Unsupported KeyType: {key}"); + } + } + + private static string OpensshPrivateKeyData(this Key key, ISshKeyEncryption encryption) + { + using var stream = new MemoryStream(); + using var writer = new BinaryWriter(stream); + + writer.EncodeNullTerminatedString("openssh-key-v1"); // Auth Magic + writer.EncodeBinary(encryption.CipherName); + writer.EncodeBinary(encryption.KdfName); + writer.EncodeBinary(encryption.KdfOptions()); + writer.EncodeUInt(1); // Number of Keys + + // public key in ssh-format + using var pubStream = new MemoryStream(); + using var pubWriter = new BinaryWriter(pubStream); + key.PublicKeyData(pubWriter); + writer.EncodeBinary(pubStream); + + // private key + using var privStream = new MemoryStream(); + using var privWriter = new BinaryWriter(privStream); + + var rnd = new Random().Next(0, int.MaxValue); + privWriter.EncodeInt(rnd); // check-int1 + privWriter.EncodeInt(rnd); // check-int2 + privWriter.EncodeBinary(key.ToString()); + switch (key.ToString()) + { + case "ssh-ed25519": + var ed25519 = (ED25519Key)key; + privWriter.EncodeBinary(ed25519.PublicKey); + privWriter.EncodeBinary(ed25519.PrivateKey); + break; + case "ssh-rsa": + var rsa = (RsaKey)key; + privWriter.EncodeBinary(rsa.Modulus); + privWriter.EncodeBinary(rsa.Exponent); + privWriter.EncodeBinary(rsa.D); + privWriter.EncodeBinary(rsa.InverseQ); + privWriter.EncodeBinary(rsa.P); + privWriter.EncodeBinary(rsa.Q); + break; + case "ecdsa-sha2-nistp256": + // Fallthrough + case "ecdsa-sha2-nistp384": + // Fallthrough + case "ecdsa-sha2-nistp521": + var ecdsa = (EcdsaKey)key; + var publicKey = ecdsa.Public; + privWriter.EncodeBinary(publicKey[0]); + privWriter.EncodeBinary(publicKey[1]); + privWriter.EncodeBinary(ecdsa.PrivateKey.ToBigInteger2()); + break; + default: + throw new NotSupportedException($"Unsupported KeyType: {key}"); + } + // comment + privWriter.EncodeBinary(key.Comment); + + // private key padding (1, 2, 3, ...) + var pad = 0; + while (privStream.Length % encryption.BlockSize != 0) + { + privWriter.Write((byte)++pad); + } + + writer.EncodeBinary(encryption.Encrypt(privStream.ToArray())); + + // Content as Base64 + var base64 = Convert.ToBase64String(stream.ToArray()).ToCharArray(); + var pem = new StringWriter(); + for (var i = 0; i < base64.Length; i += 70) + { + pem.Write(base64, i, Math.Min(70, base64.Length - i)); + pem.Write("\n"); + } + + return pem.ToString(); + } + + #endregion + + #region PuttyFormat + + internal static string ToPuttyPublicFormat(this Key key) + { + using var pubStream = new MemoryStream(); + using var pubWriter = new BinaryWriter(pubStream); + key.PublicKeyData(pubWriter); + + var s = new StringWriter(); + s.Write("---- BEGIN SSH2 PUBLIC KEY ----\n"); + s.Write($"Comment: \"{key.Comment}\"\n"); + s.Write(Convert.ToBase64String(pubStream.ToArray()).FormatNewLines(64) + "\n"); + s.Write("---- END SSH2 PUBLIC KEY ----\n"); + return s.ToString(); + } + + internal static string ToPuttyFormat(this Key key, SshKeyFormat sshKeyFormat) + { + return key.ToPuttyFormat(SshKeyGenerateInfo.DefaultSshKeyEncryption, sshKeyFormat); + } + + internal static string ToPuttyFormat(this Key key, ISshKeyEncryption encryption, SshKeyFormat sshKeyFormat) + { + if (sshKeyFormat is not SshKeyFormat.PuTTYv2 and not SshKeyFormat.PuTTYv3) + throw new NotSupportedException($"Unsupported PuTTY Key Format {sshKeyFormat}"); + + // Public Key + using var pubStream = new MemoryStream(); + using var pubWriter = new BinaryWriter(pubStream); + key.PublicKeyData(pubWriter); + + var publicBase64String = Convert.ToBase64String(pubStream.ToArray()).FormatNewLines(64); + + // Private Key + using var privStream = new MemoryStream(); + using var privWriter = new BinaryWriter(privStream); + switch (key.ToString()) + { + case "ssh-ed25519": + var ed25519 = (ED25519Key)key; + privWriter.EncodeBinary(ed25519.PrivateKey); + break; + case "ssh-rsa": + var rsa = (RsaKey)key; + privWriter.EncodeBinary(rsa.D); + privWriter.EncodeBinary(rsa.P); + privWriter.EncodeBinary(rsa.Q); + privWriter.EncodeBinary(rsa.InverseQ); + break; + case "ecdsa-sha2-nistp256": + // Fallthrough + case "ecdsa-sha2-nistp384": + // Fallthrough + case "ecdsa-sha2-nistp521": + var ecdsa = (EcdsaKey)key; + privWriter.EncodeBinary(ecdsa.PrivateKey.ToBigInteger2()); + break; + default: + throw new NotSupportedException($"Unsupported KeyType: {key}"); + } + + // private key padding (1, 2, 3, ...) + var pad = 0; + while (privStream.Length % 16 != 0) + { + privWriter.Write((byte)++pad); + } + + // MAC + using var macStream = new MemoryStream(); + using var macWriter = new BinaryWriter(macStream); + macWriter.EncodeBinary(key.ToString()); + macWriter.EncodeBinary(encryption.CipherName); + macWriter.EncodeBinary(key.Comment); + macWriter.EncodeBinary(pubStream); + macWriter.EncodeBinary(privStream); + + var hashData = macStream.ToArray(); + + string privateBase64String; + PuttyV3Encryption? puttyV3Encryption = null; + byte[] macHash = new byte[0]; + if (sshKeyFormat is SshKeyFormat.PuTTYv2) + { + byte[] encrypted = encryption.PuttyV2Encrypt(privStream.ToArray()); + privateBase64String = Convert.ToBase64String(encrypted).FormatNewLines(64); + + using var sha1 = SHA1.Create(); + var macKey = sha1.ComputeHash(Encoding.ASCII.GetBytes("putty-private-key-file-mac-key" + encryption.Passphrase)); + using var hmac = new HMACSHA1(macKey); + macHash = hmac.ComputeHash(hashData); + } + else + { + puttyV3Encryption = encryption.PuttyV3Encrypt(privStream.ToArray()); + privateBase64String = Convert.ToBase64String(puttyV3Encryption.Result).FormatNewLines(64); + + using var hmac = new HMACSHA256(puttyV3Encryption.MacKey); + macHash = hmac.ComputeHash(hashData); + } + + var s = new StringWriter(); + if (sshKeyFormat is SshKeyFormat.PuTTYv2) + { + s.Write($"PuTTY-User-Key-File-2: {key}\n"); + s.Write($"Encryption: {encryption.CipherName}\n"); + s.Write($"Comment: {key.Comment}\n"); + s.Write($"Public-Lines: {publicBase64String.Split('\n').Length}\n"); + s.Write($"{publicBase64String}\n"); + s.Write($"Private-Lines: {privateBase64String.Split('\n').Length}\n"); + s.Write($"{privateBase64String}\n"); + s.Write($"Private-MAC: {BitConverter.ToString(macHash).Replace("-", "").ToLower()}\n"); + return s.ToString(); + } + + s.Write($"PuTTY-User-Key-File-3: {key}\n"); + s.Write($"Encryption: {encryption.CipherName}\n"); + s.Write($"Comment: {key.Comment}\n"); + s.Write($"Public-Lines: {publicBase64String.Split('\n').Length}\n"); + s.Write($"{publicBase64String}\n"); + if (puttyV3Encryption?.Salt is not null) + { + s.Write($"Key-Derivation: {puttyV3Encryption.KeyDerivation}\n"); + s.Write($"Argon2-Memory: {puttyV3Encryption.MemorySize}\n"); + s.Write($"Argon2-Passes: {puttyV3Encryption.Iterations}\n"); + s.Write($"Argon2-Parallelism: {puttyV3Encryption.DegreeOfParallelism}\n"); + s.Write($"Argon2-Salt: {BitConverter.ToString(puttyV3Encryption.Salt).Replace("-", "").ToLower()}\n"); + } + s.Write($"Private-Lines: {privateBase64String.Split('\n').Length}\n"); + s.Write($"{privateBase64String}\n"); + s.Write($"Private-MAC: {BitConverter.ToString(macHash).Replace("-", "").ToLower()}\n"); + + return s.ToString(); + } + + #endregion + + private static void PublicKeyData(this Key key, BinaryWriter writer) + { + writer.EncodeBinary(key.ToString()); + switch (key.ToString()) + { + case "ssh-ed25519": + var ed25519 = (ED25519Key)key; + writer.EncodeBinary(ed25519.PublicKey); + break; + case "ssh-rsa": + var rsa = (RsaKey)key; + writer.EncodeBinary(rsa.Exponent); + writer.EncodeBinary(rsa.Modulus); + break; + case "ecdsa-sha2-nistp256": + // Fallthrough + case "ecdsa-sha2-nistp384": + // Fallthrough + case "ecdsa-sha2-nistp521": + var ecdsa = (EcdsaKey)key; + var publicKey = ecdsa.Public; + writer.EncodeBinary(publicKey[0]); + writer.EncodeBinary(publicKey[1]); + break; + default: + throw new NotSupportedException($"Unsupported KeyType: {key}"); + } + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Extensions/PrivateKeyFileExtension.cs b/src/SshNet.Keygen/Extensions/PrivateKeyFileExtension.cs new file mode 100644 index 0000000..af3b359 --- /dev/null +++ b/src/SshNet.Keygen/Extensions/PrivateKeyFileExtension.cs @@ -0,0 +1,122 @@ +using System.Linq; +using Renci.SshNet; +using Renci.SshNet.Security; +using SshNet.Keygen.SshKeyEncryption; + +namespace SshNet.Keygen.Extensions +{ + public static class PrivateKeyFileExtension + { + #region Fingerprint + + public static string Fingerprint(this IPrivateKeySource keyFile) + { + return keyFile.Fingerprint(SshKeyGenerateInfo.DefaultHashAlgorithmName); + } + + public static string Fingerprint(this IPrivateKeySource keyFile, SshKeyHashAlgorithmName hashAlgorithm) + { + return ((KeyHostAlgorithm) keyFile.HostKeyAlgorithms.First()).Key.Fingerprint(hashAlgorithm); + } + + #endregion + + #region Public + + public static string ToPublic(this IPrivateKeySource keyFile) + { + var keyFormat = SshKeyGenerateInfo.DefaultSshKeyFormat; + if (keyFile is GeneratedPrivateKey generatedPrivateKey) + keyFormat = generatedPrivateKey.Info.KeyFormat; + + return keyFile.ToPublic(keyFormat); + } + + public static string ToPublic(this IPrivateKeySource keyFile, SshKeyFormat sshKeyFormat) + { + return sshKeyFormat is SshKeyFormat.PuTTYv2 or SshKeyFormat.PuTTYv3 + ? keyFile.ToPuttyPublicFormat() + : ((KeyHostAlgorithm) keyFile.HostKeyAlgorithms.First()).Key.ToPublic(); + } + + public static string ToOpenSshPublicFormat(this IPrivateKeySource keyFile) + { + return keyFile.ToPublic(SshKeyFormat.OpenSSH); + } + + public static string ToPuttyPublicFormat(this IPrivateKeySource keyFile) + { + return ((KeyHostAlgorithm) keyFile.HostKeyAlgorithms.First()).Key.ToPuttyPublicFormat(); + } + + #endregion + + #region OpenSshFormat + + public static string ToOpenSshFormat(this IPrivateKeySource keyFile) + { + var encryption = SshKeyGenerateInfo.DefaultSshKeyEncryption; + if (keyFile is GeneratedPrivateKey generatedPrivateKey) + encryption = generatedPrivateKey.Info.Encryption; + + return keyFile.ToOpenSshFormat(encryption); + } + + public static string ToOpenSshFormat(this IPrivateKeySource keyFile, string passphrase) + { + return keyFile.ToOpenSshFormat(new SshKeyEncryptionAes256(passphrase)); + } + + public static string ToOpenSshFormat(this IPrivateKeySource keyFile, ISshKeyEncryption encryption) + { + return ((KeyHostAlgorithm) keyFile.HostKeyAlgorithms.First()).Key.ToOpenSshFormat(encryption); + } + + #endregion + + #region PuttyFormat + + public static string ToPuttyFormat(this IPrivateKeySource keyFile) + { + var sshKeyFormat = SshKeyFormat.PuTTYv3; + if (keyFile is GeneratedPrivateKey generatedPrivateKey) + { + if (generatedPrivateKey.Info.KeyFormat is SshKeyFormat.PuTTYv2 or SshKeyFormat.PuTTYv3) + sshKeyFormat = generatedPrivateKey.Info.KeyFormat; + } + + return keyFile.ToPuttyFormat(sshKeyFormat); + } + + public static string ToPuttyFormat(this IPrivateKeySource keyFile, string passphrase) + { + return keyFile.ToPuttyFormat(new SshKeyEncryptionAes256(passphrase), SshKeyFormat.PuTTYv3); + } + + public static string ToPuttyFormat(this IPrivateKeySource keyFile, string passphrase, SshKeyFormat sshKeyFormat) + { + return keyFile.ToPuttyFormat(new SshKeyEncryptionAes256(passphrase), sshKeyFormat); + } + + public static string ToPuttyFormat(this IPrivateKeySource keyFile, SshKeyFormat sshKeyFormat) + { + var encryption = SshKeyGenerateInfo.DefaultSshKeyEncryption; + if (keyFile is GeneratedPrivateKey generatedPrivateKey) + encryption = generatedPrivateKey.Info.Encryption; + + return keyFile.ToPuttyFormat(encryption, sshKeyFormat); + } + + public static string ToPuttyFormat(this IPrivateKeySource keyFile, ISshKeyEncryption encryption) + { + return keyFile.ToPuttyFormat(encryption, SshKeyFormat.PuTTYv3); + } + + public static string ToPuttyFormat(this IPrivateKeySource keyFile, ISshKeyEncryption encryption, SshKeyFormat sshKeyFormat) + { + return ((KeyHostAlgorithm) keyFile.HostKeyAlgorithms.First()).Key.ToPuttyFormat(encryption, sshKeyFormat); + } + + #endregion + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/Extensions/StringExtension.cs b/src/SshNet.Keygen/Extensions/StringExtension.cs new file mode 100644 index 0000000..6828f89 --- /dev/null +++ b/src/SshNet.Keygen/Extensions/StringExtension.cs @@ -0,0 +1,17 @@ +using System.Text; + +namespace SshNet.Keygen.Extensions +{ + internal static class StringExtension + { + internal static string FormatNewLines(this string str, int count) + { + var sb = new StringBuilder(str); + for (var i = count; i < sb.Length; i+=count+1) + { + sb.Insert(i, "\n"); + } + return sb.ToString(); + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/GeneratedPrivateKey.cs b/src/SshNet.Keygen/GeneratedPrivateKey.cs new file mode 100644 index 0000000..0da0ebf --- /dev/null +++ b/src/SshNet.Keygen/GeneratedPrivateKey.cs @@ -0,0 +1,32 @@ +using System.Collections.Generic; +using System.Security.Cryptography; +using Renci.SshNet; +using Renci.SshNet.Security; +using Renci.SshNet.Security.Cryptography; + +namespace SshNet.Keygen +{ + public class GeneratedPrivateKey : IPrivateKeySource + { + private readonly List _hostAlgorithms = new(); + + public IReadOnlyCollection HostKeyAlgorithms => _hostAlgorithms; + + public Key Key { get; } + + public SshKeyGenerateInfo Info { get; } + + public GeneratedPrivateKey(Key key, SshKeyGenerateInfo info) + { + Key = key; + Info = info; + + _hostAlgorithms.Add(new KeyHostAlgorithm(key.ToString(), key)); + + if (Key is not RsaKey rsaKey) + return; + _hostAlgorithms.Add(new KeyHostAlgorithm("rsa-sha2-512", key, new RsaDigitalSignature(rsaKey, HashAlgorithmName.SHA512))); + _hostAlgorithms.Add(new KeyHostAlgorithm("rsa-sha2-256", key, new RsaDigitalSignature(rsaKey, HashAlgorithmName.SHA256))); + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/SshKey.cs b/src/SshNet.Keygen/SshKey.cs new file mode 100644 index 0000000..e961975 --- /dev/null +++ b/src/SshNet.Keygen/SshKey.cs @@ -0,0 +1,150 @@ +using System; +using System.IO; +using System.Security.Cryptography; +using Chaos.NaCl; +using Renci.SshNet.Security; +using SshNet.Keygen.Extensions; + +namespace SshNet.Keygen +{ + public static class SshKey + { + public static GeneratedPrivateKey Generate(string path, FileMode mode) + { + return Generate(path, mode, new SshKeyGenerateInfo()); + } + + public static GeneratedPrivateKey Generate(string path, FileMode mode, SshKeyGenerateInfo info) + { + using var file = File.Open(path, mode, FileAccess.Write); + return Generate(file, info); + } + + public static GeneratedPrivateKey Generate(Stream stream, SshKeyGenerateInfo info) + { + using var writer = new StreamWriter(stream); + + var key = Generate(info); + switch (info.KeyFormat) + { + case SshKeyFormat.OpenSSH: + writer.Write(key.ToOpenSshFormat(info.Encryption)); + break; + case SshKeyFormat.PuTTYv2: + case SshKeyFormat.PuTTYv3: + writer.Write(key.ToPuttyFormat(info.Encryption, info.KeyFormat)); + break; + default: + throw new NotSupportedException($"Not supported Key Format {info.KeyFormat}"); + } + return key; + } + + public static GeneratedPrivateKey Generate() + { + return Generate(new SshKeyGenerateInfo()); + } + + public static GeneratedPrivateKey Generate(SshKeyGenerateInfo info) + { + Key key; + switch (info.KeyType) + { + case SshKeyType.ED25519: + { + using var rngCsp = new RNGCryptoServiceProvider(); + var seed = new byte[Ed25519.PrivateKeySeedSizeInBytes]; + rngCsp.GetBytes(seed); + Ed25519.KeyPairFromSeed(out _, out var edKey, seed); + key = new ED25519Key(edKey.Reverse()); + break; + } + case SshKeyType.RSA: + { + using var rsa = CreateRSA(info.KeyLength); + var rsaParameters = rsa.ExportParameters(true); + + key = new RsaKey( + rsaParameters.Modulus.ToBigInteger2().ToByteArray().Reverse().ToBigInteger(), + rsaParameters.Exponent.ToBigInteger2().ToByteArray().Reverse().ToBigInteger(), + rsaParameters.D.ToBigInteger2().ToByteArray().Reverse().ToBigInteger(), + rsaParameters.P.ToBigInteger2().ToByteArray().Reverse().ToBigInteger(), + rsaParameters.Q.ToBigInteger2().ToByteArray().Reverse().ToBigInteger(), + rsaParameters.InverseQ.ToBigInteger2().ToByteArray().Reverse().ToBigInteger() + ); + break; + } + case SshKeyType.ECDSA: + { +#if NETSTANDARD + var curve = info.KeyLength switch + { + 256 => ECCurve.CreateFromFriendlyName("nistp256"), + 384 => ECCurve.CreateFromFriendlyName("nistp384"), + 521 => ECCurve.CreateFromFriendlyName("nistp521"), + _ => throw new CryptographicException("Unsupported KeyLength") + }; + + using var ecdsa = ECDsa.Create(); + if (ecdsa is null) + throw new CryptographicException("Unable to generate ECDSA"); + ecdsa.GenerateKey(curve); + var ecdsaParameters = ecdsa.ExportParameters(true); + + key = new EcdsaKey( + ecdsa.EcCurveNameSshCompat(), + ecdsaParameters.UncompressedCoords(), + ecdsaParameters.D + ); +#else + using var ecdsa = new ECDsaCng(info.KeyLength); + var keyBlob = ecdsa.Key.Export(CngKeyBlobFormat.EccPrivateBlob); + using var stream = new MemoryStream(keyBlob); + using var reader = new BinaryReader(stream); + var magic = (EcdsaExtension.KeyBlobMagicNumber)reader.ReadInt32(); + var coordLength = reader.ReadInt32(); + var qx = reader.ReadBytes(coordLength); + var qy = reader.ReadBytes(coordLength); + var d = reader.ReadBytes(coordLength); + + key = new EcdsaKey( + ecdsa.EcCurveNameSshCompat(magic), + ecdsa.UncompressedCoords(qx, qy), + d + ); +#endif + break; + } + default: + throw new NotSupportedException($"Unsupported KeyType: {info.KeyType}"); + } + + key.Comment = info.Comment; + return new GeneratedPrivateKey(key, info); + } + + private static RSA CreateRSA(int keySize) + { +#if NET40 + var rsa = new RSACryptoServiceProvider(keySize); + var keySizes = rsa.LegalKeySizes[0]; + if (keySize < keySizes.MinSize || keySize > keySizes.MaxSize) + { + throw new CryptographicException($"Illegal Key Size: {keySize}"); + } + return rsa; +#else + var rsa = RSA.Create(); + + if (rsa is RSACryptoServiceProvider) + { + rsa.Dispose(); + return new RSACng(keySize); + } + + rsa.KeySize = keySize; + return rsa; +#endif + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/SshKeyEncryption/Bcrypt.cs b/src/SshNet.Keygen/SshKeyEncryption/Bcrypt.cs new file mode 100644 index 0000000..d2f6a7d --- /dev/null +++ b/src/SshNet.Keygen/SshKeyEncryption/Bcrypt.cs @@ -0,0 +1,956 @@ +// +// Copyright (c) 2006 Damien Miller +// Copyright (c) 2010 Ryan D. Emerle +// +// Permission to use, copy, modify, and distribute this software for any +// purpose with or without fee is hereby granted, provided that the above +// copyright notice and this permission notice appear in all copies. +// +// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES +// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF +// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR +// ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES +// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN +// ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF +// OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + +using System; +using System.Diagnostics; +using System.Security.Cryptography; +using System.Text; +using Renci.SshNet.Abstractions; + +namespace SshNet.Keygen.SshKeyEncryption +{ + /// BCrypt implementation. + /// + /// + /// BCrypt implements OpenBSD-style Blowfish password hashing using the scheme described in + /// "A Future- + /// Adaptable Password Scheme" by Niels Provos and David Mazieres. + /// + /// + /// This password hashing system tries to thwart off-line password cracking using a + /// computationally-intensive hashing algorithm, based on Bruce Schneier's Blowfish cipher. + /// The work factor of the algorithm is parameterised, so it can be increased as computers + /// get faster. + /// + /// + /// Usage is really simple. To hash a password for the first time, call the method with a random salt, like this: + /// + /// string pw_hash = BCrypt.HashPassword(plain_password); + /// + /// To check whether a plaintext password matches one that has been hashed previously, + /// use the method: + /// + /// + /// if (BCrypt.Verify(candidate_password, stored_hash)) + /// Console.WriteLine("It matches"); + /// else + /// Console.WriteLine("It does not match"); + /// + /// + /// The method takes an optional parameter (workFactor) that + /// determines the computational complexity of the hashing: + /// + /// + /// string strong_salt = BCrypt.GenerateSalt(10); + /// string stronger_salt = BCrypt.GenerateSalt(12); + /// + /// + /// The amount of work increases exponentially (2^workFactor), so each increment is twice + /// as much work. The default workFactor is 10, and the valid range is 4 to 31. + /// + /// + internal sealed class BCrypt + { + // BCrypt parameters + private const int GENSALT_DEFAULT_LOG2_ROUNDS = 10; + private const int BCRYPT_SALT_LEN = 16; + + // Blowfish parameters + private const int BLOWFISH_NUM_ROUNDS = 16; + + // Initial contents of key schedule + private static readonly uint[] _POrig = { + 0x243f6a88, 0x85a308d3, 0x13198a2e, 0x03707344, + 0xa4093822, 0x299f31d0, 0x082efa98, 0xec4e6c89, + 0x452821e6, 0x38d01377, 0xbe5466cf, 0x34e90c6c, + 0xc0ac29b7, 0xc97c50dd, 0x3f84d5b5, 0xb5470917, + 0x9216d5d9, 0x8979fb1b + }; + + private static readonly uint[] _SOrig = { + 0xd1310ba6, 0x98dfb5ac, 0x2ffd72db, 0xd01adfb7, + 0xb8e1afed, 0x6a267e96, 0xba7c9045, 0xf12c7f99, + 0x24a19947, 0xb3916cf7, 0x0801f2e2, 0x858efc16, + 0x636920d8, 0x71574e69, 0xa458fea3, 0xf4933d7e, + 0x0d95748f, 0x728eb658, 0x718bcd58, 0x82154aee, + 0x7b54a41d, 0xc25a59b5, 0x9c30d539, 0x2af26013, + 0xc5d1b023, 0x286085f0, 0xca417918, 0xb8db38ef, + 0x8e79dcb0, 0x603a180e, 0x6c9e0e8b, 0xb01e8a3e, + 0xd71577c1, 0xbd314b27, 0x78af2fda, 0x55605c60, + 0xe65525f3, 0xaa55ab94, 0x57489862, 0x63e81440, + 0x55ca396a, 0x2aab10b6, 0xb4cc5c34, 0x1141e8ce, + 0xa15486af, 0x7c72e993, 0xb3ee1411, 0x636fbc2a, + 0x2ba9c55d, 0x741831f6, 0xce5c3e16, 0x9b87931e, + 0xafd6ba33, 0x6c24cf5c, 0x7a325381, 0x28958677, + 0x3b8f4898, 0x6b4bb9af, 0xc4bfe81b, 0x66282193, + 0x61d809cc, 0xfb21a991, 0x487cac60, 0x5dec8032, + 0xef845d5d, 0xe98575b1, 0xdc262302, 0xeb651b88, + 0x23893e81, 0xd396acc5, 0x0f6d6ff3, 0x83f44239, + 0x2e0b4482, 0xa4842004, 0x69c8f04a, 0x9e1f9b5e, + 0x21c66842, 0xf6e96c9a, 0x670c9c61, 0xabd388f0, + 0x6a51a0d2, 0xd8542f68, 0x960fa728, 0xab5133a3, + 0x6eef0b6c, 0x137a3be4, 0xba3bf050, 0x7efb2a98, + 0xa1f1651d, 0x39af0176, 0x66ca593e, 0x82430e88, + 0x8cee8619, 0x456f9fb4, 0x7d84a5c3, 0x3b8b5ebe, + 0xe06f75d8, 0x85c12073, 0x401a449f, 0x56c16aa6, + 0x4ed3aa62, 0x363f7706, 0x1bfedf72, 0x429b023d, + 0x37d0d724, 0xd00a1248, 0xdb0fead3, 0x49f1c09b, + 0x075372c9, 0x80991b7b, 0x25d479d8, 0xf6e8def7, + 0xe3fe501a, 0xb6794c3b, 0x976ce0bd, 0x04c006ba, + 0xc1a94fb6, 0x409f60c4, 0x5e5c9ec2, 0x196a2463, + 0x68fb6faf, 0x3e6c53b5, 0x1339b2eb, 0x3b52ec6f, + 0x6dfc511f, 0x9b30952c, 0xcc814544, 0xaf5ebd09, + 0xbee3d004, 0xde334afd, 0x660f2807, 0x192e4bb3, + 0xc0cba857, 0x45c8740f, 0xd20b5f39, 0xb9d3fbdb, + 0x5579c0bd, 0x1a60320a, 0xd6a100c6, 0x402c7279, + 0x679f25fe, 0xfb1fa3cc, 0x8ea5e9f8, 0xdb3222f8, + 0x3c7516df, 0xfd616b15, 0x2f501ec8, 0xad0552ab, + 0x323db5fa, 0xfd238760, 0x53317b48, 0x3e00df82, + 0x9e5c57bb, 0xca6f8ca0, 0x1a87562e, 0xdf1769db, + 0xd542a8f6, 0x287effc3, 0xac6732c6, 0x8c4f5573, + 0x695b27b0, 0xbbca58c8, 0xe1ffa35d, 0xb8f011a0, + 0x10fa3d98, 0xfd2183b8, 0x4afcb56c, 0x2dd1d35b, + 0x9a53e479, 0xb6f84565, 0xd28e49bc, 0x4bfb9790, + 0xe1ddf2da, 0xa4cb7e33, 0x62fb1341, 0xcee4c6e8, + 0xef20cada, 0x36774c01, 0xd07e9efe, 0x2bf11fb4, + 0x95dbda4d, 0xae909198, 0xeaad8e71, 0x6b93d5a0, + 0xd08ed1d0, 0xafc725e0, 0x8e3c5b2f, 0x8e7594b7, + 0x8ff6e2fb, 0xf2122b64, 0x8888b812, 0x900df01c, + 0x4fad5ea0, 0x688fc31c, 0xd1cff191, 0xb3a8c1ad, + 0x2f2f2218, 0xbe0e1777, 0xea752dfe, 0x8b021fa1, + 0xe5a0cc0f, 0xb56f74e8, 0x18acf3d6, 0xce89e299, + 0xb4a84fe0, 0xfd13e0b7, 0x7cc43b81, 0xd2ada8d9, + 0x165fa266, 0x80957705, 0x93cc7314, 0x211a1477, + 0xe6ad2065, 0x77b5fa86, 0xc75442f5, 0xfb9d35cf, + 0xebcdaf0c, 0x7b3e89a0, 0xd6411bd3, 0xae1e7e49, + 0x00250e2d, 0x2071b35e, 0x226800bb, 0x57b8e0af, + 0x2464369b, 0xf009b91e, 0x5563911d, 0x59dfa6aa, + 0x78c14389, 0xd95a537f, 0x207d5ba2, 0x02e5b9c5, + 0x83260376, 0x6295cfa9, 0x11c81968, 0x4e734a41, + 0xb3472dca, 0x7b14a94a, 0x1b510052, 0x9a532915, + 0xd60f573f, 0xbc9bc6e4, 0x2b60a476, 0x81e67400, + 0x08ba6fb5, 0x571be91f, 0xf296ec6b, 0x2a0dd915, + 0xb6636521, 0xe7b9f9b6, 0xff34052e, 0xc5855664, + 0x53b02d5d, 0xa99f8fa1, 0x08ba4799, 0x6e85076a, + 0x4b7a70e9, 0xb5b32944, 0xdb75092e, 0xc4192623, + 0xad6ea6b0, 0x49a7df7d, 0x9cee60b8, 0x8fedb266, + 0xecaa8c71, 0x699a17ff, 0x5664526c, 0xc2b19ee1, + 0x193602a5, 0x75094c29, 0xa0591340, 0xe4183a3e, + 0x3f54989a, 0x5b429d65, 0x6b8fe4d6, 0x99f73fd6, + 0xa1d29c07, 0xefe830f5, 0x4d2d38e6, 0xf0255dc1, + 0x4cdd2086, 0x8470eb26, 0x6382e9c6, 0x021ecc5e, + 0x09686b3f, 0x3ebaefc9, 0x3c971814, 0x6b6a70a1, + 0x687f3584, 0x52a0e286, 0xb79c5305, 0xaa500737, + 0x3e07841c, 0x7fdeae5c, 0x8e7d44ec, 0x5716f2b8, + 0xb03ada37, 0xf0500c0d, 0xf01c1f04, 0x0200b3ff, + 0xae0cf51a, 0x3cb574b2, 0x25837a58, 0xdc0921bd, + 0xd19113f9, 0x7ca92ff6, 0x94324773, 0x22f54701, + 0x3ae5e581, 0x37c2dadc, 0xc8b57634, 0x9af3dda7, + 0xa9446146, 0x0fd0030e, 0xecc8c73e, 0xa4751e41, + 0xe238cd99, 0x3bea0e2f, 0x3280bba1, 0x183eb331, + 0x4e548b38, 0x4f6db908, 0x6f420d03, 0xf60a04bf, + 0x2cb81290, 0x24977c79, 0x5679b072, 0xbcaf89af, + 0xde9a771f, 0xd9930810, 0xb38bae12, 0xdccf3f2e, + 0x5512721f, 0x2e6b7124, 0x501adde6, 0x9f84cd87, + 0x7a584718, 0x7408da17, 0xbc9f9abc, 0xe94b7d8c, + 0xec7aec3a, 0xdb851dfa, 0x63094366, 0xc464c3d2, + 0xef1c1847, 0x3215d908, 0xdd433b37, 0x24c2ba16, + 0x12a14d43, 0x2a65c451, 0x50940002, 0x133ae4dd, + 0x71dff89e, 0x10314e55, 0x81ac77d6, 0x5f11199b, + 0x043556f1, 0xd7a3c76b, 0x3c11183b, 0x5924a509, + 0xf28fe6ed, 0x97f1fbfa, 0x9ebabf2c, 0x1e153c6e, + 0x86e34570, 0xeae96fb1, 0x860e5e0a, 0x5a3e2ab3, + 0x771fe71c, 0x4e3d06fa, 0x2965dcb9, 0x99e71d0f, + 0x803e89d6, 0x5266c825, 0x2e4cc978, 0x9c10b36a, + 0xc6150eba, 0x94e2ea78, 0xa5fc3c53, 0x1e0a2df4, + 0xf2f74ea7, 0x361d2b3d, 0x1939260f, 0x19c27960, + 0x5223a708, 0xf71312b6, 0xebadfe6e, 0xeac31f66, + 0xe3bc4595, 0xa67bc883, 0xb17f37d1, 0x018cff28, + 0xc332ddef, 0xbe6c5aa5, 0x65582185, 0x68ab9802, + 0xeecea50f, 0xdb2f953b, 0x2aef7dad, 0x5b6e2f84, + 0x1521b628, 0x29076170, 0xecdd4775, 0x619f1510, + 0x13cca830, 0xeb61bd96, 0x0334fe1e, 0xaa0363cf, + 0xb5735c90, 0x4c70a239, 0xd59e9e0b, 0xcbaade14, + 0xeecc86bc, 0x60622ca7, 0x9cab5cab, 0xb2f3846e, + 0x648b1eaf, 0x19bdf0ca, 0xa02369b9, 0x655abb50, + 0x40685a32, 0x3c2ab4b3, 0x319ee9d5, 0xc021b8f7, + 0x9b540b19, 0x875fa099, 0x95f7997e, 0x623d7da8, + 0xf837889a, 0x97e32d77, 0x11ed935f, 0x16681281, + 0x0e358829, 0xc7e61fd6, 0x96dedfa1, 0x7858ba99, + 0x57f584a5, 0x1b227263, 0x9b83c3ff, 0x1ac24696, + 0xcdb30aeb, 0x532e3054, 0x8fd948e4, 0x6dbc3128, + 0x58ebf2ef, 0x34c6ffea, 0xfe28ed61, 0xee7c3c73, + 0x5d4a14d9, 0xe864b7e3, 0x42105d14, 0x203e13e0, + 0x45eee2b6, 0xa3aaabea, 0xdb6c4f15, 0xfacb4fd0, + 0xc742f442, 0xef6abbb5, 0x654f3b1d, 0x41cd2105, + 0xd81e799e, 0x86854dc7, 0xe44b476a, 0x3d816250, + 0xcf62a1f2, 0x5b8d2646, 0xfc8883a0, 0xc1c7b6a3, + 0x7f1524c3, 0x69cb7492, 0x47848a0b, 0x5692b285, + 0x095bbf00, 0xad19489d, 0x1462b174, 0x23820e00, + 0x58428d2a, 0x0c55f5ea, 0x1dadf43e, 0x233f7061, + 0x3372f092, 0x8d937e41, 0xd65fecf1, 0x6c223bdb, + 0x7cde3759, 0xcbee7460, 0x4085f2a7, 0xce77326e, + 0xa6078084, 0x19f8509e, 0xe8efd855, 0x61d99735, + 0xa969a7aa, 0xc50c06c2, 0x5a04abfc, 0x800bcadc, + 0x9e447a2e, 0xc3453484, 0xfdd56705, 0x0e1e9ec9, + 0xdb73dbd3, 0x105588cd, 0x675fda79, 0xe3674340, + 0xc5c43465, 0x713e38d8, 0x3d28f89e, 0xf16dff20, + 0x153e21e7, 0x8fb03d4a, 0xe6e39f2b, 0xdb83adf7, + 0xe93d5a68, 0x948140f7, 0xf64c261c, 0x94692934, + 0x411520f7, 0x7602d4f7, 0xbcf46b2e, 0xd4a20068, + 0xd4082471, 0x3320f46a, 0x43b7d4b7, 0x500061af, + 0x1e39f62e, 0x97244546, 0x14214f74, 0xbf8b8840, + 0x4d95fc1d, 0x96b591af, 0x70f4ddd3, 0x66a02f45, + 0xbfbc09ec, 0x03bd9785, 0x7fac6dd0, 0x31cb8504, + 0x96eb27b3, 0x55fd3941, 0xda2547e6, 0xabca0a9a, + 0x28507825, 0x530429f4, 0x0a2c86da, 0xe9b66dfb, + 0x68dc1462, 0xd7486900, 0x680ec0a4, 0x27a18dee, + 0x4f3ffea2, 0xe887ad8c, 0xb58ce006, 0x7af4d6b6, + 0xaace1e7c, 0xd3375fec, 0xce78a399, 0x406b2a42, + 0x20fe9e35, 0xd9f385b9, 0xee39d7ab, 0x3b124e8b, + 0x1dc9faf7, 0x4b6d1856, 0x26a36631, 0xeae397b2, + 0x3a6efa74, 0xdd5b4332, 0x6841e7f7, 0xca7820fb, + 0xfb0af54e, 0xd8feb397, 0x454056ac, 0xba489527, + 0x55533a3a, 0x20838d87, 0xfe6ba9b7, 0xd096954b, + 0x55a867bc, 0xa1159a58, 0xcca92963, 0x99e1db33, + 0xa62a4a56, 0x3f3125f9, 0x5ef47e1c, 0x9029317c, + 0xfdf8e802, 0x04272f70, 0x80bb155c, 0x05282ce3, + 0x95c11548, 0xe4c66d22, 0x48c1133f, 0xc70f86dc, + 0x07f9c9ee, 0x41041f0f, 0x404779a4, 0x5d886e17, + 0x325f51eb, 0xd59bc0d1, 0xf2bcc18f, 0x41113564, + 0x257b7834, 0x602a9c60, 0xdff8e8a3, 0x1f636c1b, + 0x0e12b4c2, 0x02e1329e, 0xaf664fd1, 0xcad18115, + 0x6b2395e0, 0x333e92e1, 0x3b240b62, 0xeebeb922, + 0x85b2a20e, 0xe6ba0d99, 0xde720c8c, 0x2da2f728, + 0xd0127845, 0x95b794fd, 0x647d0862, 0xe7ccf5f0, + 0x5449a36f, 0x877d48fa, 0xc39dfd27, 0xf33e8d1e, + 0x0a476341, 0x992eff74, 0x3a6f6eab, 0xf4f8fd37, + 0xa812dc60, 0xa1ebddf8, 0x991be14c, 0xdb6e6b0d, + 0xc67b5510, 0x6d672c37, 0x2765d43b, 0xdcd0e804, + 0xf1290dc7, 0xcc00ffa3, 0xb5390f92, 0x690fed0b, + 0x667b9ffb, 0xcedb7d9c, 0xa091cf0b, 0xd9155ea3, + 0xbb132f88, 0x515bad24, 0x7b9479bf, 0x763bd6eb, + 0x37392eb3, 0xcc115979, 0x8026e297, 0xf42e312d, + 0x6842ada7, 0xc66a2b3b, 0x12754ccc, 0x782ef11c, + 0x6a124237, 0xb79251e7, 0x06a1bbe6, 0x4bfb6350, + 0x1a6b1018, 0x11caedfa, 0x3d25bdd8, 0xe2e1c3c9, + 0x44421659, 0x0a121386, 0xd90cec6e, 0xd5abea2a, + 0x64af674e, 0xda86a85f, 0xbebfe988, 0x64e4c3fe, + 0x9dbc8057, 0xf0f7c086, 0x60787bf8, 0x6003604d, + 0xd1fd8346, 0xf6381fb0, 0x7745ae04, 0xd736fccc, + 0x83426b33, 0xf01eab71, 0xb0804187, 0x3c005e5f, + 0x77a057be, 0xbde8ae24, 0x55464299, 0xbf582e61, + 0x4e58f48f, 0xf2ddfda2, 0xf474ef38, 0x8789bdc2, + 0x5366f9c3, 0xc8b38e74, 0xb475f255, 0x46fcd9b9, + 0x7aeb2661, 0x8b1ddf84, 0x846a0e79, 0x915f95e2, + 0x466e598e, 0x20b45770, 0x8cd55591, 0xc902de4c, + 0xb90bace1, 0xbb8205d0, 0x11a86248, 0x7574a99e, + 0xb77f19b6, 0xe0a9dc09, 0x662d09a1, 0xc4324633, + 0xe85a1f02, 0x09f0be8c, 0x4a99a025, 0x1d6efe10, + 0x1ab93d1d, 0x0ba5a4df, 0xa186f20f, 0x2868f169, + 0xdcb7da83, 0x573906fe, 0xa1e2ce9b, 0x4fcd7f52, + 0x50115e01, 0xa70683fa, 0xa002b5c4, 0x0de6d027, + 0x9af88c27, 0x773f8641, 0xc3604c06, 0x61a806b5, + 0xf0177a28, 0xc0f586e0, 0x006058aa, 0x30dc7d62, + 0x11e69ed7, 0x2338ea63, 0x53c2dd94, 0xc2c21634, + 0xbbcbee56, 0x90bcb6de, 0xebfc7da1, 0xce591d76, + 0x6f05e409, 0x4b7c0188, 0x39720a3d, 0x7c927c24, + 0x86e3725f, 0x724d9db9, 0x1ac15bb4, 0xd39eb8fc, + 0xed545578, 0x08fca5b5, 0xd83d7cd3, 0x4dad0fc4, + 0x1e50ef5e, 0xb161e6f8, 0xa28514d9, 0x6c51133c, + 0x6fd5c7e7, 0x56e14ec4, 0x362abfce, 0xddc6c837, + 0xd79a3234, 0x92638212, 0x670efa8e, 0x406000e0, + 0x3a39ce37, 0xd3faf5cf, 0xabc27737, 0x5ac52d1b, + 0x5cb0679e, 0x4fa33742, 0xd3822740, 0x99bc9bbe, + 0xd5118e9d, 0xbf0f7315, 0xd62d1c7e, 0xc700c47b, + 0xb78c1b6b, 0x21a19045, 0xb26eb1be, 0x6a366eb4, + 0x5748ab2f, 0xbc946e79, 0xc6a376d2, 0x6549c2c8, + 0x530ff8ee, 0x468dde7d, 0xd5730a1d, 0x4cd04dc6, + 0x2939bbdb, 0xa9ba4650, 0xac9526e8, 0xbe5ee304, + 0xa1fad5f0, 0x6a2d519a, 0x63ef8ce2, 0x9a86ee22, + 0xc089c2b8, 0x43242ef6, 0xa51e03aa, 0x9cf2d0a4, + 0x83c061ba, 0x9be96a4d, 0x8fe51550, 0xba645bd6, + 0x2826a2f9, 0xa73a3ae1, 0x4ba99586, 0xef5562e9, + 0xc72fefd3, 0xf752f7da, 0x3f046f69, 0x77fa0a59, + 0x80e4a915, 0x87b08601, 0x9b09e6ad, 0x3b3ee593, + 0xe990fd5a, 0x9e34d797, 0x2cf0b7d9, 0x022b8b51, + 0x96d5ac3a, 0x017da67d, 0xd1cf3ed6, 0x7c7d2d28, + 0x1f9f25cf, 0xadf2b89b, 0x5ad6b472, 0x5a88f54c, + 0xe029ac71, 0xe019a5e6, 0x47b0acfd, 0xed93fa9b, + 0xe8d3c48d, 0x283b57cc, 0xf8d56629, 0x79132e28, + 0x785f0191, 0xed756055, 0xf7960e44, 0xe3d35e8c, + 0x15056dd4, 0x88f46dba, 0x03a16125, 0x0564f0bd, + 0xc3eb9e15, 0x3c9057a2, 0x97271aec, 0xa93a072a, + 0x1b3f6d9b, 0x1e6321f5, 0xf59c66fb, 0x26dcf319, + 0x7533d928, 0xb155fdf5, 0x03563482, 0x8aba3cbb, + 0x28517711, 0xc20ad9f8, 0xabcc5167, 0xccad925f, + 0x4de81751, 0x3830dc8e, 0x379d5862, 0x9320f991, + 0xea7a90c2, 0xfb3e7bce, 0x5121ce64, 0x774fbe32, + 0xa8b6e37e, 0xc3293d46, 0x48de5369, 0x6413e680, + 0xa2ae0810, 0xdd6db224, 0x69852dfd, 0x09072166, + 0xb39a460a, 0x6445c0dd, 0x586cdecf, 0x1c20c8ae, + 0x5bbef7dd, 0x1b588d40, 0xccd2017f, 0x6bb4e3bb, + 0xdda26a7e, 0x3a59ff45, 0x3e350a44, 0xbcb4cdd5, + 0x72eacea8, 0xfa6484bb, 0x8d6612ae, 0xbf3c6f47, + 0xd29be463, 0x542f5d9e, 0xaec2771b, 0xf64e6370, + 0x740e0d8d, 0xe75b1357, 0xf8721671, 0xaf537d5d, + 0x4040cb08, 0x4eb4e2cc, 0x34d2466a, 0x0115af84, + 0xe1b00428, 0x95983a1d, 0x06b89fb4, 0xce6ea048, + 0x6f3f3b82, 0x3520ab82, 0x011a1d4b, 0x277227f8, + 0x611560b1, 0xe7933fdc, 0xbb3a792b, 0x344525bd, + 0xa08839e1, 0x51ce794b, 0x2f32c9b7, 0xa01fbac9, + 0xe01cc87e, 0xbcc7d1f6, 0xcf0111c3, 0xa1e8aac7, + 0x1a908749, 0xd44fbd9a, 0xd0dadecb, 0xd50ada38, + 0x0339c32a, 0xc6913667, 0x8df9317c, 0xe0b12b4f, + 0xf79e59b7, 0x43f5bb3a, 0xf2d519ff, 0x27d9459c, + 0xbf97222c, 0x15e6fc2a, 0x0f91fc71, 0x9b941525, + 0xfae59361, 0xceb69ceb, 0xc2a86459, 0x12baa8d1, + 0xb6c1075e, 0xe3056a0c, 0x10d25065, 0xcb03a442, + 0xe0ec6e0e, 0x1698db3b, 0x4c98a0be, 0x3278e964, + 0x9f1f9532, 0xe0d392df, 0xd3a0342b, 0x8971f21e, + 0x1b0a7441, 0x4ba3348c, 0xc5be7120, 0xc37632d8, + 0xdf359f8d, 0x9b992f2e, 0xe60b6f47, 0x0fe3f11d, + 0xe54cda54, 0x1edad891, 0xce6279cf, 0xcd3e7e6f, + 0x1618b166, 0xfd2c1d05, 0x848fd2c5, 0xf6fb2299, + 0xf523f357, 0xa6327623, 0x93a83531, 0x56cccd02, + 0xacf08162, 0x5a75ebb5, 0x6e163697, 0x88d273cc, + 0xde966292, 0x81b949d0, 0x4c50901b, 0x71c65614, + 0xe6c6c7bd, 0x327a140a, 0x45e1d006, 0xc3f27b9a, + 0xc9aa53fd, 0x62a80f00, 0xbb25bfe2, 0x35bdd2f6, + 0x71126905, 0xb2040222, 0xb6cbcf7c, 0xcd769c2b, + 0x53113ec0, 0x1640e3d3, 0x38abbd60, 0x2547adf0, + 0xba38209c, 0xf746ce76, 0x77afa1c5, 0x20756060, + 0x85cbfe4e, 0x8ae88dd8, 0x7aaaf9b0, 0x4cf9aa7e, + 0x1948c25c, 0x02fb8a8c, 0x01c36ae4, 0xd6ebe1f9, + 0x90d4f869, 0xa65cdea0, 0x3f09252d, 0xc208e69f, + 0xb74e6132, 0xce77e25b, 0x578fdfe3, 0x3ac372e6 + }; + + // OpenBSD IV: "OxychromaticBlowfishSwatDynamite" in big endian + private static readonly uint[] _OpenBsdIv = new uint[] { + 0x4f787963, 0x68726f6d, 0x61746963, 0x426c6f77, + 0x66697368, 0x53776174, 0x44796e61, 0x6d697465, + }; + + // bcrypt IV: "OrpheanBeholderScryDoubt" + private static readonly uint[] _BfCryptCiphertext = { + 0x4f727068, 0x65616e42, 0x65686f6c, + 0x64657253, 0x63727944, 0x6f756274 + }; + + // Table for Base64 encoding + private static readonly char[] _Base64Code = { + '.', '/', 'A', 'B', 'C', 'D', 'E', 'F', 'G', 'H', 'I', 'J', + 'K', 'L', 'M', 'N', 'O', 'P', 'Q', 'R', 'S', 'T', 'U', 'V', + 'W', 'X', 'Y', 'Z', 'a', 'b', 'c', 'd', 'e', 'f', 'g', 'h', + 'i', 'j', 'k', 'l', 'm', 'n', 'o', 'p', 'q', 'r', 's', 't', + 'u', 'v', 'w', 'x', 'y', 'z', '0', '1', '2', '3', '4', '5', + '6', '7', '8', '9' + }; + + // Table for Base64 decoding + private static readonly int[] _Index64 = { + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, -1, -1, -1, -1, + -1, -1, -1, -1, -1, -1, 0, 1, 54, 55, + 56, 57, 58, 59, 60, 61, 62, 63, -1, -1, + -1, -1, -1, -1, -1, 2, 3, 4, 5, 6, + 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, + 17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, + -1, -1, -1, -1, -1, -1, 28, 29, 30, + 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, + 41, 42, 43, 44, 45, 46, 47, 48, 49, 50, + 51, 52, 53, -1, -1, -1, -1, -1 + }; + + // Expanded Blowfish key + private uint[] _P; + private uint[] _S; + + /// + /// Hash a string using the OpenBSD bcrypt scheme and a salt generated by . + /// + /// Just an alias for HashPassword. + /// The string to hash. + /// The hashed string. + public static string HashString(string source) + { + return HashPassword(source); + } + + /// + /// Hash a string using the OpenBSD bcrypt scheme and a salt generated by . + /// + /// Just an alias for HashPassword. + /// The string to hash. + /// The log2 of the number of rounds of hashing to apply - the work + /// factor therefore increases as 2^workFactor. + /// The hashed string. + public static string HashString(string source, int workFactor) + { + return HashPassword(source, GenerateSalt(workFactor)); + } + + /// + /// Hash a password using the OpenBSD bcrypt scheme and a salt generated by . + /// + /// The password to hash. + /// The hashed password. + public static string HashPassword(string input) + { + return HashPassword(input, GenerateSalt()); + } + + /// + /// Hash a password using the OpenBSD bcrypt scheme and a salt generated by using the given . + /// + /// The password to hash. + /// The log2 of the number of rounds of hashing to apply - the work + /// factor therefore increases as 2^workFactor. + /// The hashed password. + public static string HashPassword(string input, int workFactor) + { + return HashPassword(input, GenerateSalt(workFactor)); + } + + /// Hash a password using the OpenBSD bcrypt scheme. + /// Thrown when one or more arguments have unsupported or + /// illegal values. + /// The password to hash. + /// the salt to hash with (perhaps generated using BCrypt.gensalt). + /// The hashed password + public static string HashPassword(string input, string salt) + { + if (input == null) + throw new ArgumentNullException("input"); + + if (string.IsNullOrEmpty(salt)) + throw new ArgumentException("Invalid salt", "salt"); + + // Determinthe starting offset and validate the salt + int startingOffset; + char minor = (char)0; + if (salt[0] != '$' || salt[1] != '2') + throw new SaltParseException("Invalid salt version"); + if (salt[2] == '$') + startingOffset = 3; + else + { + minor = salt[2]; + if (minor != 'a' || salt[3] != '$') + throw new SaltParseException("Invalid salt revision"); + startingOffset = 4; + } + + // Extract number of rounds + if (salt[startingOffset + 2] > '$') + throw new SaltParseException("Missing salt rounds"); + + // Extract details from salt + int logRounds = Convert.ToInt32(salt.Substring(startingOffset, 2)); + string extractedSalt = salt.Substring(startingOffset + 3, 22); + + byte[] inputBytes = Encoding.UTF8.GetBytes((input + (minor >= 'a' ? "\0" : ""))); + byte[] saltBytes = DecodeBase64(extractedSalt, BCRYPT_SALT_LEN); + + BCrypt bCrypt = new BCrypt(); + byte[] hashed = bCrypt.CryptRaw(inputBytes, saltBytes, logRounds); + + // Generate result string + StringBuilder result = new StringBuilder(); + result.Append("$2"); + if (minor >= 'a') + result.Append(minor); + result.AppendFormat("${0:00}$", logRounds); + result.Append(EncodeBase64(saltBytes, saltBytes.Length)); + result.Append(EncodeBase64(hashed, (_BfCryptCiphertext.Length * 4) - 1)); + return result.ToString(); + } + + /// + /// Generate a salt for use with the method. + /// + /// The log2 of the number of rounds of hashing to apply - the work + /// factor therefore increases as 2**workFactor. + /// A base64 encoded salt value. + public static string GenerateSalt(int workFactor) + { + if (workFactor < 4 || workFactor > 31) + throw new ArgumentOutOfRangeException("workFactor", "The work factor must be between 4 and 31 (inclusive)"); + + byte[] rnd = new byte[BCRYPT_SALT_LEN]; +#if FEATURE_RNG_CREATE + RandomNumberGenerator rng = RandomNumberGenerator.Create(); +#elif FEATURE_RNG_CSP + RNGCryptoServiceProvider rng = new RNGCryptoServiceProvider(); +#endif +#if FEATURE_RNG_CREATE || FEATURE_RNG_CSP + rng.GetBytes(rnd); +#endif + + StringBuilder rs = new StringBuilder(); + rs.AppendFormat("$2a${0:00}$", workFactor); + rs.Append(EncodeBase64(rnd, rnd.Length)); + return rs.ToString(); + } + + /// + /// Generate a salt for use with the method + /// selecting a reasonable default for the number of hashing rounds to apply. + /// + /// A base64 encoded salt value. + public static string GenerateSalt() + { + return GenerateSalt(GENSALT_DEFAULT_LOG2_ROUNDS); + } + + /// + /// Verifies that the hash of the given matches the provided + /// + /// + /// The text to verify. + /// The previously-hashed password. + /// true if the passwords match, false otherwise. + public static bool Verify(string text, string hash) + { + return hash == HashPassword(text, hash); + } + + /// + /// Encode a byte array using bcrypt's slightly-modified base64 encoding scheme. Note that this + /// is *not* compatible with the standard MIME-base64 encoding. + /// + /// Thrown when one or more arguments have unsupported or + /// illegal values. + /// The byte array to encode. + /// The number of bytes to encode. + /// Base64-encoded string. + private static string EncodeBase64(byte[] byteArray, int length) + { + if (length <= 0 || length > byteArray.Length) + throw new ArgumentException("Invalid length", "length"); + + int off = 0; + StringBuilder rs = new StringBuilder(); + while (off < length) + { + int c1 = byteArray[off++] & 0xff; + rs.Append(_Base64Code[(c1 >> 2) & 0x3f]); + c1 = (c1 & 0x03) << 4; + if (off >= length) + { + rs.Append(_Base64Code[c1 & 0x3f]); + break; + } + int c2 = byteArray[off++] & 0xff; + c1 |= (c2 >> 4) & 0x0f; + rs.Append(_Base64Code[c1 & 0x3f]); + c1 = (c2 & 0x0f) << 2; + if (off >= length) + { + rs.Append(_Base64Code[c1 & 0x3f]); + break; + } + c2 = byteArray[off++] & 0xff; + c1 |= (c2 >> 6) & 0x03; + rs.Append(_Base64Code[c1 & 0x3f]); + rs.Append(_Base64Code[c2 & 0x3f]); + } + return rs.ToString(); + } + + /// + /// Decode a string encoded using bcrypt's base64 scheme to a byte array. Note that this is *not* + /// compatible with the standard MIME-base64 encoding. + /// + /// Thrown when one or more arguments have unsupported or + /// illegal values. + /// The string to decode. + /// The maximum bytes to decode. + /// The decoded byte array. + private static byte[] DecodeBase64(string encodedstring, int maximumBytes) + { + int position = 0, + sourceLength = encodedstring.Length, + outputLength = 0; + + if (maximumBytes <= 0) + throw new ArgumentException("Invalid maximum bytes value", "maximumBytes"); + + // TODO: update to use a List - it's only ever 16 bytes, so it's not a big deal + StringBuilder rs = new StringBuilder(); + while (position < sourceLength - 1 && outputLength < maximumBytes) + { + int c1 = Char64(encodedstring[position++]); + int c2 = Char64(encodedstring[position++]); + if (c1 == -1 || c2 == -1) + break; + + rs.Append((char)((c1 << 2) | ((c2 & 0x30) >> 4))); + if (++outputLength >= maximumBytes || position >= sourceLength) + break; + + int c3 = Char64(encodedstring[position++]); + if (c3 == -1) + break; + + rs.Append((char)(((c2 & 0x0f) << 4) | ((c3 & 0x3c) >> 2))); + if (++outputLength >= maximumBytes || position >= sourceLength) + break; + + int c4 = Char64(encodedstring[position++]); + rs.Append((char)(((c3 & 0x03) << 6) | c4)); + + ++outputLength; + } + + byte[] ret = new byte[outputLength]; + for (position = 0; position < outputLength; position++) + ret[position] = (byte)rs[position]; + return ret; + } + + /// + /// Look up the 3 bits base64-encoded by the specified character, range-checking against + /// conversion table. + /// + /// The base64-encoded value. + /// The decoded value of x. + private static int Char64(char character) + { + if (character < 0 || character > _Index64.Length) + return -1; + return _Index64[character]; + } + + /// Blowfish encipher a single 64-bit block encoded as two 32-bit halves. + /// An array containing the two 32-bit half blocks. + /// The position in the array of the blocks. + private void Encipher(uint[] blockArray, int offset) + { + uint round, + n, + block = blockArray[offset], + r = blockArray[offset + 1]; + + block ^= _P[0]; + for (round = 0; round <= BLOWFISH_NUM_ROUNDS - 2;) + { + // Feistel substitution on left word + n = _S[(block >> 24) & 0xff]; + n += _S[0x100 | ((block >> 16) & 0xff)]; + n ^= _S[0x200 | ((block >> 8) & 0xff)]; + n += _S[0x300 | (block & 0xff)]; + r ^= n ^ _P[++round]; + + // Feistel substitution on right word + n = _S[(r >> 24) & 0xff]; + n += _S[0x100 | ((r >> 16) & 0xff)]; + n ^= _S[0x200 | ((r >> 8) & 0xff)]; + n += _S[0x300 | (r & 0xff)]; + block ^= n ^ _P[++round]; + } + blockArray[offset] = r ^ _P[BLOWFISH_NUM_ROUNDS + 1]; + blockArray[offset + 1] = block; + } + + /// Cycically extract a word of key material. + /// The string to extract the data from. + /// [in,out] The current offset. + /// The next word of material from data. + private static uint StreamToWord(byte[] data, ref int offset) + { + int i; + uint word = 0; + + for (i = 0; i < 4; i++) + { + word = (word << 8) | (uint)(data[offset] & 0xff); + offset = (offset + 1) % data.Length; + } + return word; + } + + /// Initializes the Blowfish key schedule. + private void InitializeKey() + { + _P = new uint[_POrig.Length]; + _S = new uint[_SOrig.Length]; + Array.Copy(_POrig, _P, _POrig.Length); + Array.Copy(_SOrig, _S, _SOrig.Length); + } + + /// Key the Blowfish cipher. + /// The key byte array. + private void Key(byte[] keyBytes) + { + int i; + int koffp = 0; + uint[] lr = { 0, 0 }; + int plen = _P.Length, slen = _S.Length; + + for (i = 0; i < plen; i++) + _P[i] = _P[i] ^ StreamToWord(keyBytes, ref koffp); + + for (i = 0; i < plen; i += 2) + { + Encipher(lr, 0); + _P[i] = lr[0]; + _P[i + 1] = lr[1]; + } + + for (i = 0; i < slen; i += 2) + { + Encipher(lr, 0); + _S[i] = lr[0]; + _S[i + 1] = lr[1]; + } + } + + /// + /// Perform the "enhanced key schedule" step described by Provos and Mazieres in "A Future- + /// Adaptable Password Scheme" http://www.openbsd.org/papers/bcrypt-paper.ps. + /// + /// Salt byte array. + /// Input byte array. + private void EKSKey(byte[] saltBytes, byte[] inputBytes) + { + int i; + int passwordOffset = 0, + saltOffset = 0; + uint[] lr = { 0, 0 }; + int plen = _P.Length, slen = _S.Length; + + for (i = 0; i < plen; i++) + _P[i] = _P[i] ^ StreamToWord(inputBytes, ref passwordOffset); + + for (i = 0; i < plen; i += 2) + { + lr[0] ^= StreamToWord(saltBytes, ref saltOffset); + lr[1] ^= StreamToWord(saltBytes, ref saltOffset); + Encipher(lr, 0); + _P[i] = lr[0]; + _P[i + 1] = lr[1]; + } + + for (i = 0; i < slen; i += 2) + { + lr[0] ^= StreamToWord(saltBytes, ref saltOffset); + lr[1] ^= StreamToWord(saltBytes, ref saltOffset); + Encipher(lr, 0); + _S[i] = lr[0]; + _S[i + 1] = lr[1]; + } + } + + /// Perform the central hashing step in the bcrypt scheme. + /// Thrown when one or more arguments have unsupported or + /// illegal values. + /// The input byte array to hash. + /// The salt byte array to hash with. + /// The binary logarithm of the number of rounds of hashing to apply. + /// A byte array containing the hashed result. + private byte[] CryptRaw(byte[] inputBytes, byte[] saltBytes, int logRounds) + { + uint[] cdata = new uint[_BfCryptCiphertext.Length]; + Array.Copy(_BfCryptCiphertext, cdata, _BfCryptCiphertext.Length); + int clen = cdata.Length; + + if (logRounds < 4 || logRounds > 31) + throw new ArgumentException("Bad number of rounds", "logRounds"); + + if (saltBytes.Length != BCRYPT_SALT_LEN) + throw new ArgumentException("Bad salt Length", "saltBytes"); + + uint rounds = 1u << logRounds; + Debug.Assert(rounds > 0, "Rounds must be > 0"); // We overflowed rounds at 31 - added safety check + + InitializeKey(); + EKSKey(saltBytes, inputBytes); + + for (int i = 0; i < rounds; i++) + { + Key(inputBytes); + Key(saltBytes); + } + + for (int i = 0; i < 64; i++) + { + for (int j = 0; j < (clen >> 1); j++) + Encipher(cdata, j << 1); + } + + byte[] ret = new byte[clen * 4]; + for (int i = 0, j = 0; i < clen; i++) + { + ret[j++] = (byte)((cdata[i] >> 24) & 0xff); + ret[j++] = (byte)((cdata[i] >> 16) & 0xff); + ret[j++] = (byte)((cdata[i] >> 8) & 0xff); + ret[j++] = (byte)(cdata[i] & 0xff); + } + return ret; + } + + /** + * Compatibility with new OpenBSD function. + * Ported from SSHJ library (https://github.com/hierynomus/sshj) + */ + public void Hash(byte[] hpass, byte[] hsalt, byte[] output) + { + InitializeKey(); + EKSKey(hsalt, hpass); + for (int i = 0; i < 64; i++) + { + Key(hsalt); + Key(hpass); + } + + uint[] buf = new uint[_OpenBsdIv.Length]; + Array.Copy(_OpenBsdIv, 0, buf, 0, _OpenBsdIv.Length); + for (int i = 0; i < 8; i += 2) + { + for (int j = 0; j < 64; j++) + { + Encipher(buf, i); + } + } + + for (int i = 0, j = 0; i < buf.Length; i++) + { + // Output of this is little endian + output[j++] = (byte)(buf[i] & 0xff); + output[j++] = (byte)((buf[i] >> 8) & 0xff); + output[j++] = (byte)((buf[i] >> 16) & 0xff); + output[j++] = (byte)((buf[i] >> 24) & 0xff); + } + } + + /// + /// Applies the Bcrypt kdf to derive a key and iv from the passphrase, + /// the key/iv are returned in the output variable. + /// Ported from the SSHJ library. https://github.com/hierynomus/sshj + /// + /// + /// + /// + /// + public void Pbkdf(byte[] password, byte[] salt, int rounds, byte[] output) + { + using (var sha512 = new Security.Cryptography.SHA512()) + { + int nblocks = (output.Length + 31) / 32; + byte[] hpass = sha512.ComputeHash(password); + + byte[] hsalt = new byte[64]; + byte[] block_b = new byte[4]; + byte[] outBytes = new byte[32]; + byte[] tmp = new byte[32]; + for (int block = 1; block <= nblocks; block++) + { + // Block count is in big endian + block_b[0] = (byte)((block >> 24) & 0xFF); + block_b[1] = (byte)((block >> 16) & 0xFF); + block_b[2] = (byte)((block >> 8) & 0xFF); + block_b[3] = (byte)(block & 0xFF); + + hsalt = sha512.ComputeHash(AppendArrays(salt, block_b)); + Hash(hpass, hsalt, outBytes); + Array.Copy(outBytes, 0, tmp, 0, outBytes.Length); + + for (int round = 1; round < rounds; round++) + { + hsalt = sha512.ComputeHash(tmp); + Hash(hpass, hsalt, tmp); + + for (int i = 0; i < tmp.Length; i++) + { + outBytes[i] ^= tmp[i]; + } + } + + for (int i = 0; i < outBytes.Length; i++) + { + int idx = i * nblocks + (block - 1); + if (idx < output.Length) + { + output[idx] = outBytes[i]; + } + } + } + } + } + + /// + /// Appends multiple byte arrays into one array. + /// + /// + /// + /// + private byte[] AppendArrays(byte[] b1, params byte[][] others) + { + //from https://stackoverflow.com/questions/46534429/how-to-convert-java-messagedigest-with-two-update-statements-to-c-sharp + int n = b1.Length; + foreach (var other in others) + { + n += other.Length; + } + + var result = new byte[n]; + + n = 0; + Array.Copy(b1, 0, result, n, b1.Length); + n += b1.Length; + foreach (var other in others) + { + Array.Copy(other, 0, result, n, other.Length); + n += other.Length; + } + + return result; + } + + /// Exception for signalling parse errors. + public class SaltParseException : Exception + { + /// Default constructor. + public SaltParseException() + { + } + + /// Initializes a new instance of . + /// The message. + public SaltParseException(string message) + : base(message) + { + } + + /// Initializes a new instance of . + /// The message. + /// The inner exception. + public SaltParseException(string message, Exception innerException) + : base(message, innerException) + { + } + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/SshKeyEncryption/ISshKeyEncryption.cs b/src/SshNet.Keygen/SshKeyEncryption/ISshKeyEncryption.cs new file mode 100644 index 0000000..854fdbf --- /dev/null +++ b/src/SshNet.Keygen/SshKeyEncryption/ISshKeyEncryption.cs @@ -0,0 +1,27 @@ +namespace SshNet.Keygen.SshKeyEncryption +{ + public interface ISshKeyEncryption + { + public string CipherName { get; } + + public string KdfName { get; } + + public int BlockSize { get; } + + public string Passphrase { get; } + + public byte[] KdfOptions(); + + public byte[] Encrypt(byte[] data); + + public byte[] Encrypt(byte[] data, int offset, int length); + + public byte[] PuttyV2Encrypt(byte[] data); + + public byte[] PuttyV2Encrypt(byte[] data, int offset, int length); + + public PuttyV3Encryption PuttyV3Encrypt(byte[] data); + + public PuttyV3Encryption PuttyV3Encrypt(byte[] data, int offset, int length); + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/SshKeyEncryption/PuttyV3Encryption.cs b/src/SshNet.Keygen/SshKeyEncryption/PuttyV3Encryption.cs new file mode 100644 index 0000000..7c48abe --- /dev/null +++ b/src/SshNet.Keygen/SshKeyEncryption/PuttyV3Encryption.cs @@ -0,0 +1,26 @@ +namespace SshNet.Keygen.SshKeyEncryption +{ + public enum ArgonKeyDerivation + { + Argon2d, + Argon2i, + Argon2id + } + + public class PuttyV3Encryption + { + internal byte[]? Result; + internal byte[] MacKey; + internal byte[]? Salt; + + public ArgonKeyDerivation KeyDerivation = ArgonKeyDerivation.Argon2id; + public int DegreeOfParallelism = 1; + public int MemorySize = 8192; + public int Iterations = 22; + + public PuttyV3Encryption() + { + MacKey = new byte[0]; + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/SshKeyEncryption/SshKeyEncryptionAes256.cs b/src/SshNet.Keygen/SshKeyEncryption/SshKeyEncryptionAes256.cs new file mode 100644 index 0000000..43024cc --- /dev/null +++ b/src/SshNet.Keygen/SshKeyEncryption/SshKeyEncryptionAes256.cs @@ -0,0 +1,185 @@ +using System; +using System.Collections.Generic; +using System.IO; +using System.Security.Cryptography; +using System.Text; +using Konscious.Security.Cryptography; +using Renci.SshNet.Security.Cryptography.Ciphers; +using Renci.SshNet.Security.Cryptography.Ciphers.Modes; +using Renci.SshNet.Security.Cryptography.Ciphers.Paddings; +using SshNet.Keygen.Extensions; + +namespace SshNet.Keygen.SshKeyEncryption +{ + public enum Aes256Mode + { + CBC, + CTR + } + + public class SshKeyEncryptionAes256 : ISshKeyEncryption + { + public string CipherName => $"aes256-{_mode.ToString().ToLower()}"; + public string KdfName => "bcrypt"; + public int BlockSize => 16; + public string Passphrase => _passphrase; + public PuttyV3Encryption PuttyV3Encryption => _puttyV3Encryption; + + private const int SaltLen = 16; + private const int Rounds = 16; + private Aes256Mode _mode; + private readonly byte[] _passPhraseBytes; + private readonly byte[] _salt; + private readonly string _passphrase; + private readonly PuttyV3Encryption _puttyV3Encryption; + + public SshKeyEncryptionAes256(string passphrase, PuttyV3Encryption? puttyV3Encryption = null) + { + _passphrase = passphrase; + _passPhraseBytes = Encoding.ASCII.GetBytes(passphrase); + _salt = new byte[SaltLen]; + _puttyV3Encryption = puttyV3Encryption ?? new PuttyV3Encryption(); + } + + public SshKeyEncryptionAes256(string passphrase, Aes256Mode mode, PuttyV3Encryption? puttyV3Encryption = null) + : this(passphrase, puttyV3Encryption) + { + _mode = mode; + } + + public byte[] KdfOptions() + { + using var stream = new MemoryStream(); + using var writer = new BinaryWriter(stream); + using var rng = new RNGCryptoServiceProvider(); + rng.GetBytes(_salt); + writer.EncodeBinary(_salt); + writer.EncodeUInt(Rounds); + return stream.ToArray(); + } + + public byte[] Encrypt(byte[] data) + { + var keyiv = new byte[48]; + new BCrypt().Pbkdf(_passPhraseBytes, _salt, Rounds, keyiv); + var key = new byte[32]; + var iv = new byte[16]; + Array.Copy(keyiv, 0, key, 0, 32); + Array.Copy(keyiv, 32, iv, 0, 16); + + AesCipher cipher; + switch(_mode) + { + case Aes256Mode.CBC: + cipher = new AesCipher(key, iv, AesCipherMode.CBC); + break; + default: + _mode = Aes256Mode.CTR; + cipher = new AesCipher(key, iv, AesCipherMode.CTR); + break; + } + + return cipher.Encrypt(data); + } + + public byte[] Encrypt(byte[] data, int offset, int length) + { + var buffer = new byte[length]; + Array.Copy(data, offset, buffer, 0, length); + return Encrypt(buffer); + } + + public byte[] PuttyV2Encrypt(byte[] data) + { + using var sha1 = SHA1.Create(); + + var cipherKeyList = new List(); + var counter = 0; + do { + var counterBytes = BitConverter.GetBytes(counter++); + if (BitConverter.IsLittleEndian) + Array.Reverse(counterBytes); + + var hashBytes = new byte[counterBytes.Length + _passPhraseBytes.Length]; + Buffer.BlockCopy(counterBytes, 0, hashBytes, 0, counterBytes.Length); + Buffer.BlockCopy(_passPhraseBytes, 0, hashBytes, counterBytes.Length, _passPhraseBytes.Length); + + var hash = sha1.ComputeHash(hashBytes); + cipherKeyList.AddRange(hash); + } while (cipherKeyList.Count < 32); + + var cipherKey = new byte[32]; + Array.Copy(cipherKeyList.ToArray(), 0, cipherKey, 0, 32); + + AesCipher cipher; + switch(_mode) + { + case Aes256Mode.CTR: + throw new NotSupportedException($"Unsupported AES Mode: {_mode}"); + default: + _mode = Aes256Mode.CBC; + cipher = new AesCipher(cipherKey, new byte[cipherKey.Length], AesCipherMode.CBC); + break; + } + return cipher.Encrypt(data); + } + + public byte[] PuttyV2Encrypt(byte[] data, int offset, int length) + { + var buffer = new byte[length]; + Array.Copy(data, offset, buffer, 0, length); + return PuttyV2Encrypt(buffer); + } + + public PuttyV3Encryption PuttyV3Encrypt(byte[] data) + { + Argon2 argon2 = _puttyV3Encryption.KeyDerivation switch + { + ArgonKeyDerivation.Argon2d => new Argon2d(_passPhraseBytes), + ArgonKeyDerivation.Argon2i => new Argon2i(_passPhraseBytes), + ArgonKeyDerivation.Argon2id => new Argon2id(_passPhraseBytes), + _ => throw new NotSupportedException($"Encryption Key Derivation {_puttyV3Encryption.KeyDerivation} is not supported.") + }; + + argon2.DegreeOfParallelism = _puttyV3Encryption.DegreeOfParallelism; + argon2.MemorySize = _puttyV3Encryption.MemorySize; + argon2.Iterations = _puttyV3Encryption.Iterations; + + using var rng = new RNGCryptoServiceProvider(); + rng.GetBytes(_salt); + argon2.Salt = _salt; + _puttyV3Encryption.Salt = _salt; + + var cipherKeyComplete = argon2.GetBytes(80); + var cipherKey = new byte[32]; + var crcIv = new byte[16]; + var macKey = new byte[32]; + Buffer.BlockCopy(cipherKeyComplete, 0, cipherKey, 0, cipherKey.Length); + Buffer.BlockCopy(cipherKeyComplete, 32, crcIv, 0, crcIv.Length); + Buffer.BlockCopy(cipherKeyComplete, 48, macKey, 0, macKey.Length); + + AesCipher cipher; + switch(_mode) + { + case Aes256Mode.CTR: + throw new NotSupportedException($"Unsupported AES Mode: {_mode}"); + default: + _mode = Aes256Mode.CBC; + cipher = new AesCipher(cipherKey, crcIv, AesCipherMode.CBC); + break; + } + + _puttyV3Encryption.Result = cipher.Encrypt(data); + _puttyV3Encryption.MacKey = macKey; + + return _puttyV3Encryption; + } + + public PuttyV3Encryption PuttyV3Encrypt(byte[] data, int offset, int length) + { + var buffer = new byte[length]; + Array.Copy(data, offset, buffer, 0, length); + return PuttyV3Encrypt(buffer); + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/SshKeyEncryption/SshKeyEncryptionAlgorithm.cs b/src/SshNet.Keygen/SshKeyEncryption/SshKeyEncryptionAlgorithm.cs new file mode 100644 index 0000000..a0c2b82 --- /dev/null +++ b/src/SshNet.Keygen/SshKeyEncryption/SshKeyEncryptionAlgorithm.cs @@ -0,0 +1,84 @@ +using System; +using System.Security.Cryptography; + +namespace SshNet.Keygen.SshKeyEncryption +{ + public enum SshKeyHashAlgorithmName + { + MD5, + SHA1, + SHA256, + SHA384, + SHA512 + } + + internal static class SshKeyHashAlgorithm + { + public static string HashAlgorithmName(SshKeyHashAlgorithmName algorithmName) + { + return algorithmName switch + { + SshKeyHashAlgorithmName.MD5 => "MD5", + SshKeyHashAlgorithmName.SHA1 => "SHA1", + SshKeyHashAlgorithmName.SHA256 => "SHA256", + SshKeyHashAlgorithmName.SHA384 => "SHA384", + SshKeyHashAlgorithmName.SHA512 => "SHA512", + _ => throw new NotSupportedException($"Unknown Algorithm: {algorithmName}") + }; + } + + public static HashAlgorithm Create(SshKeyHashAlgorithmName algorithmName) + { + return algorithmName switch + { + SshKeyHashAlgorithmName.MD5 => CreateMD5(), + SshKeyHashAlgorithmName.SHA1 => CreateSHA1(), + SshKeyHashAlgorithmName.SHA256 => CreateSHA256(), + SshKeyHashAlgorithmName.SHA384 => CreateSHA384(), + SshKeyHashAlgorithmName.SHA512 => CreateSHA512(), + _ => throw new NotSupportedException($"Unknown Algorithm: {algorithmName}") + }; + } + + private static MD5 CreateMD5() + { + return MD5.Create(); + } + + private static SHA1 CreateSHA1() + { +#if NET40 + return new SHA1Managed(); +#else + return SHA1.Create(); +#endif + } + + private static SHA256 CreateSHA256() + { +#if NET40 + return new SHA256Managed(); +#else + return SHA256.Create(); +#endif + } + + private static SHA384 CreateSHA384() + { +#if NET40 + return new SHA384Managed(); +#else + return SHA384.Create(); +#endif + } + + private static SHA512 CreateSHA512() + { +#if NET40 + return new SHA512Managed(); +#else + return SHA512.Create(); +#endif + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/SshKeyEncryption/SshKeyEncryptionNone.cs b/src/SshNet.Keygen/SshKeyEncryption/SshKeyEncryptionNone.cs new file mode 100644 index 0000000..0d4d086 --- /dev/null +++ b/src/SshNet.Keygen/SshKeyEncryption/SshKeyEncryptionNone.cs @@ -0,0 +1,49 @@ +using System; + +namespace SshNet.Keygen.SshKeyEncryption +{ + public class SshKeyEncryptionNone : ISshKeyEncryption + { + public string CipherName => "none"; + public string KdfName => "none"; + public int BlockSize => 8; + public string Passphrase => ""; + + public byte[] KdfOptions() + { + return new byte[] { }; + } + + public byte[] Encrypt(byte[] data) + { + return data; + } + + public byte[] Encrypt(byte[] data, int offset, int length) + { + var buffer = new byte[length]; + Buffer.BlockCopy(data, offset, buffer, 0, length); + return Encrypt(buffer); + } + + public byte[] PuttyV2Encrypt(byte[] data) + { + return Encrypt(data); + } + + public byte[] PuttyV2Encrypt(byte[] data, int offset, int length) + { + return Encrypt(data, offset, length); + } + + public PuttyV3Encryption PuttyV3Encrypt(byte[] data) + { + return new PuttyV3Encryption { Result = Encrypt(data) }; + } + + public PuttyV3Encryption PuttyV3Encrypt(byte[] data, int offset, int length) + { + return new PuttyV3Encryption { Result = Encrypt(data, offset, length) }; + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/SshKeyFormat.cs b/src/SshNet.Keygen/SshKeyFormat.cs new file mode 100644 index 0000000..0dabac3 --- /dev/null +++ b/src/SshNet.Keygen/SshKeyFormat.cs @@ -0,0 +1,9 @@ +namespace SshNet.Keygen +{ + public enum SshKeyFormat + { + OpenSSH, + PuTTYv2, + PuTTYv3, + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/SshKeyGenerateInfo.cs b/src/SshNet.Keygen/SshKeyGenerateInfo.cs new file mode 100644 index 0000000..a617cc9 --- /dev/null +++ b/src/SshNet.Keygen/SshKeyGenerateInfo.cs @@ -0,0 +1,54 @@ +using System; +using SshNet.Keygen.SshKeyEncryption; + +namespace SshNet.Keygen +{ + public class SshKeyGenerateInfo + { + public const SshKeyHashAlgorithmName DefaultHashAlgorithmName = SshKeyHashAlgorithmName.SHA256; + + public static readonly ISshKeyEncryption DefaultSshKeyEncryption = new SshKeyEncryptionNone(); + + public static readonly string DefaultSshKeyComment = $"{Environment.UserName}@{Environment.MachineName}"; + + public const SshKeyFormat DefaultSshKeyFormat = SshKeyFormat.OpenSSH; + + public const SshKeyType DefaultSshKeyType = SshKeyType.RSA; + + public const int DefaultEcdsaSshKeyLength = 256; + + public const int DefaultEd25519SshKeyLength = 256; + + public const int DefaultRsaSshKeyLength = 2048; + + public ISshKeyEncryption Encryption { get; set; } + + public string Comment { get; set; } + + public SshKeyFormat KeyFormat { get; set; } + + public int KeyLength { get; set; } + + public SshKeyType KeyType { get; set; } + + public SshKeyGenerateInfo(SshKeyType keyType = DefaultSshKeyType) + { + Encryption = DefaultSshKeyEncryption; + Comment = DefaultSshKeyComment; + KeyFormat = DefaultSshKeyFormat; + KeyType = keyType; + switch (KeyType) + { + case SshKeyType.RSA: + KeyLength = DefaultRsaSshKeyLength; + break; + case SshKeyType.ECDSA: + KeyLength = DefaultEcdsaSshKeyLength; + break; + case SshKeyType.ED25519: + KeyLength = DefaultEd25519SshKeyLength; + break; + } + } + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/SshKeyType.cs b/src/SshNet.Keygen/SshKeyType.cs new file mode 100644 index 0000000..ff2984f --- /dev/null +++ b/src/SshNet.Keygen/SshKeyType.cs @@ -0,0 +1,9 @@ +namespace SshNet.Keygen +{ + public enum SshKeyType + { + RSA, + ECDSA, + ED25519 + } +} \ No newline at end of file diff --git a/src/SshNet.Keygen/SshNet.Keygen.csproj b/src/SshNet.Keygen/SshNet.Keygen.csproj new file mode 100644 index 0000000..a39afd9 --- /dev/null +++ b/src/SshNet.Keygen/SshNet.Keygen.csproj @@ -0,0 +1,45 @@ + + + 9 + enable + SshNet.Keygen + 2024.0.0.2 + $(Version) + ssh;scp;sftp + SSH.NET Extension to generate and export Authentication Keys in OpenSSH and PuTTY Format. + https://github.com/darinkes/SshNet.Keygen/releases/tag/$(PackageVersion) + Copyright (c) 2021 - 2024 Stefan Rinkes + MIT + https://github.com/darinkes/SshNet.Keygen/ + false + darinkes + false + net8.0 + Debug;Release + x64 + linux-x64 + en + + + + None + false + true + false + + + + full + + + + + Chaos.Nacl\%(RecursiveDir)%(Filename)%(Extension) + + + + + + + +