Index: .fossil-settings/ignore-glob ================================================================== --- .fossil-settings/ignore-glob +++ .fossil-settings/ignore-glob @@ -1,10 +1,8 @@ nano.so nano.o randombytes.o -blake2b.o -tweetnacl.o nano.syms nano.vers nano.tcl.h Makefile pkgIndex.tcl-shared @@ -15,13 +13,10 @@ config.sub configure install-sh config.log config.status -tweetnacl -build/tweetnacl/out -build/tweetnacl/INST -blake2b -build/blake2b/out -build/blake2b/INST +argon2 +build/argon2/out +build/argon2/INST build/work build/tcl Index: Makefile.in ================================================================== --- Makefile.in +++ Makefile.in @@ -1,10 +1,10 @@ CC := @CC@ AR := @AR@ RANLIB := @RANLIB@ CFLAGS := @CFLAGS@ @SHOBJFLAGS@ -CPPFLAGS := -I. -I@srcdir@ -I@srcdir@/tweetnacl/ -I@srcdir@/blake2b/ -DNACL_ED25519_BLAKE2B=1 @CPPFLAGS@ @SHOBJCPPFLAGS@ @DEFS@ @TCL_DEFS@ +CPPFLAGS := -I. -I@srcdir@ -I@srcdir@/monocypher/ -I@srcdir@/argon2/ @CPPFLAGS@ @SHOBJCPPFLAGS@ @DEFS@ @TCL_DEFS@ LDFLAGS := @LDFLAGS@ LIBS := @LIBS@ SHOBJLDFLAGS := @SHOBJLDFLAGS@ VPATH := @srcdir@ srcdir := @srcdir@ @@ -20,12 +20,12 @@ export CC CFLAGS CPPFLAGS all: @EXTENSION_TARGET@ pkgIndex.tcl ifeq (@TCLEXT_BUILD@,shared) -@EXTENSION_TARGET@: tweetnacl.o blake2b.o randombytes.o nano.o Makefile - $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(SHOBJLDFLAGS) -o @EXTENSION_TARGET@ nano.o randombytes.o tweetnacl.o blake2b.o $(LIBS) +@EXTENSION_TARGET@: monocypher.o argon2.o randombytes.o nano.o Makefile + $(CC) $(CPPFLAGS) $(CFLAGS) $(LDFLAGS) $(SHOBJLDFLAGS) -o @EXTENSION_TARGET@ nano.o randombytes.o monocypher.o argon2.o $(LIBS) -@WEAKENSYMS@ @EXTENSION_TARGET@ -@REMOVESYMS@ @EXTENSION_TARGET@ else @EXTENSION_TARGET@: nano-amalgamation.o Makefile -@WEAKENSYMS@ nano-amalgamation.o @@ -34,28 +34,28 @@ -$(RANLIB) @EXTENSION_TARGET@ endif # The amalgamation is used when compiling statically so that the same ABI can be exposed # to upstream projects rather than requiring them to filter out our symbols -nano-amalgamation.c: @srcdir@/nano.c @srcdir@/randombytes.c @srcdir@/tweetnacl/tweetnacl.c @srcdir@/blake2b/blake2b.c Makefile +nano-amalgamation.c: @srcdir@/nano.c @srcdir@/randombytes.c @srcdir@/monocypher/monocypher.c @srcdir@/argon2.c Makefile rm -f nano-amalgamation.c - cat @srcdir@/nano.c @srcdir@/randombytes.c @srcdir@/tweetnacl/tweetnacl.c @srcdir@/blake2b/blake2b.c > nano-amalgamation.c + cat @srcdir@/nano.c @srcdir@/randombytes.c @srcdir@/monocypher/monocypher.c @srcdir@/argon2/argon2.c > nano-amalgamation.c -nano-amalgamation.o: nano-amalgamation.c @srcdir@/tweetnacl/tweetnacl.h @srcdir@/blake2b/blake2.h @srcdir@/randombytes.h nano.tcl.h @srcdir@/blake2b/blake2-impl.h Makefile +nano-amalgamation.o: nano-amalgamation.c @srcdir@/monocypher/monocypher.h @srcdir@/argon2/argon2.h @srcdir@/randombytes.h nano.tcl.h Makefile $(CC) $(CPPFLAGS) $(CFLAGS) -o nano-amalgamation.o -c nano-amalgamation.c -nano.o: @srcdir@/nano.c @srcdir@/tweetnacl/tweetnacl.h @srcdir@/blake2b/blake2.h @srcdir@/randombytes.h nano.tcl.h Makefile +nano.o: @srcdir@/nano.c @srcdir@/monocypher/monocypher.h @srcdir@/argon2/argon2.h @srcdir@/randombytes.h nano.tcl.h Makefile $(CC) $(CPPFLAGS) $(CFLAGS) -o nano.o -c @srcdir@/nano.c randombytes.o: @srcdir@/randombytes.c @srcdir@/randombytes.h $(CC) $(CPPFLAGS) $(CFLAGS) -o randombytes.o -c @srcdir@/randombytes.c -tweetnacl.o: @srcdir@/tweetnacl/tweetnacl.c @srcdir@/tweetnacl/tweetnacl.h - $(CC) $(CPPFLAGS) $(CFLAGS) -o tweetnacl.o -c @srcdir@/tweetnacl/tweetnacl.c +monocypher.o: 
@srcdir@/monocypher/monocypher.c @srcdir@/monocypher/monocypher.h + $(CC) $(CPPFLAGS) $(CFLAGS) -o monocypher.o -c @srcdir@/monocypher/monocypher.c -blake2b.o: @srcdir@/blake2b/blake2b.c @srcdir@/blake2b/blake2.h @srcdir@/blake2b/blake2-impl.h - $(CC) $(CPPFLAGS) $(CFLAGS) -o blake2b.o -c @srcdir@/blake2b/blake2b.c +argon2.o: @srcdir@/argon2/argon2.c @srcdir@/argon2/argon2.h + $(CC) $(CPPFLAGS) $(CFLAGS) -o argon2.o -c @srcdir@/argon2/argon2.c pkgIndex.tcl: pkgIndex.tcl-@TCLEXT_BUILD@ cp pkgIndex.tcl-@TCLEXT_BUILD@ pkgIndex.tcl nano.tcl.h: @srcdir@/nano.tcl Makefile @@ -83,13 +83,13 @@ $(INSTALL_DATA) @srcdir@/nano.man '$(DESTDIR)$(PACKAGE_INSTALL_DIR)' clean: rm -f nano-amalgamation.c nano-amalgamation.o rm -f @EXTENSION_TARGET@ nano.o nano.gcda nano.gcno - rm -f blake2b.o tweetnacl.o randombytes.o - rm -f blake2b.gcda tweetnacl.gcda randombytes.gcda - rm -f blake2b.gcno tweetnacl.gcno randombytes.gcno + rm -f argon2.o monocypher.o randombytes.o + rm -f argon2.gcda monocypher.gcda randombytes.gcda + rm -f argon2.gcno monocypher.gcno randombytes.gcno rm -f nano-coverage.info distclean: clean rm -f Makefile pkgIndex.tcl-shared pkgIndex.tcl-static nano.syms rm -f pkgIndex.tcl @@ -98,10 +98,9 @@ rm -rf coverage.dir mrproper: distclean rm -f @srcdir@/configure @srcdir@/aclocal.m4 @srcdir@/config.guess @srcdir@/config.sub @srcdir@/install-sh rm -f @srcdir@/nano.vers - rm -rf @srcdir@/tweetnacl @srcdir@/blake2b - $(MAKE) -C @srcdir@/build/tweetnacl distclean - $(MAKE) -C @srcdir@/build/blake2b distclean + rm -rf @srcdir@/argon2 + $(MAKE) -C @srcdir@/build/argon2 distclean .PHONY: all test clean distclean mrproper Index: autogen.sh ================================================================== --- autogen.sh +++ autogen.sh @@ -77,17 +77,13 @@ autoconf rm -rf autom4te.cache -# Assemble tweetnacl -rm -rf tweetnacl -make -C build/tweetnacl install PREFIX="$(pwd)/tweetnacl" - -# Assemble blake2b -rm -rf blake2b -make -C build/blake2b install PREFIX="$(pwd)/blake2b" +# Assemble argon2 +rm -rf argon2 +make -C build/argon2 install PREFIX="$(pwd)/argon2" # Assemble version script rm -f nano.vers ( echo '{' ADDED build/argon2/Makefile Index: build/argon2/Makefile ================================================================== --- /dev/null +++ build/argon2/Makefile @@ -0,0 +1,36 @@ +PREFIX := $(shell pwd)/INST + +all: out/argon2.c out/argon2.h + +out/argon2.c: src/ref.c src/core.c src/blake2b.c monocypher-blake2b.h + mkdir -p out + echo '#define ARGON2_NO_THREADS 1' > out/argon2.c.new + echo '#define ARGON2_INTERNAL_ONLY 1' >> out/argon2.c.new + cat monocypher-blake2b.h >> out/argon2.c.new + sed '/^#include "core\.h"/ d;/#include "blake2/ d;/#include "thread\.h"/ d' src/ref.c >> out/argon2.c.new + sed '/#include "blake2/d;/#include/ b;/Argon2 Team - Begin Code/,/Argon2 Team - End Code/ b;d' src/blake2b.c >> out/argon2.c.new + sed '/^#include "core\.h"/ d;/#include "blake2/ d;/#include "thread\.h"/ d' src/core.c >> out/argon2.c.new + mv out/argon2.c.new out/argon2.c + +out/argon2.h: src/argon2.h src/blamka-round-ref.h src/core.h + mkdir -p out + cat src/argon2.h > out/argon2.h.new.1 + echo '#ifdef ARGON2_INTERNAL_ONLY' >> out/argon2.h.new.1 + cat src/blamka-round-ref.h src/core.h >> out/argon2.h.new.1 + echo '#endif' >> out/argon2.h.new.1 + sed '/#include "argon2\.h"/ d;/#include "blake2/ d' out/argon2.h.new.1 > out/argon2.h.new.2 + rm -f out/argon2.h.new.1 + mv out/argon2.h.new.2 out/argon2.h + +install: out/argon2.c out/argon2.h + mkdir -p '$(PREFIX)' + cp out/argon2.c out/argon2.h '$(PREFIX)' + 
+
+clean:
+	rm -f out/argon2.c out/argon2.h
+	rm -f out/argon2.c.new out/argon2.h.new.1 out/argon2.h.new.2
+	-rmdir out
+
+distclean: clean
+
+.PHONY: all install clean distclean

ADDED build/argon2/monocypher-blake2b.h
Index: build/argon2/monocypher-blake2b.h
==================================================================
--- /dev/null
+++ build/argon2/monocypher-blake2b.h
@@ -0,0 +1,60 @@
+#define crypto_hash(out, in, inlen) crypto_blake2b(out, in, inlen)
+#define blake2b(out, outlen, in, inlen, key, keylen) 0, crypto_blake2b_general(out, outlen, key, keylen, in, inlen)
+#define blake2b_state crypto_blake2b_ctx
+#define blake2b_init(ctx, outlen) 0; crypto_blake2b_general_init(ctx, outlen, NULL, 0)
+#define blake2b_update(ctx, in, inlen) 0; crypto_blake2b_update(ctx, in, inlen)
+#define blake2b_final(ctx, out, ignore1) 0; crypto_blake2b_final(ctx, out)
+#define BLAKE2_INLINE
+#define BLAKE2B_OUTBYTES 64
+#include <string.h>
+#include "monocypher.h"
+static BLAKE2_INLINE uint64_t rotr64(uint64_t x, uint64_t n) { return (x >> n) ^ (x << (64 - n)); }
+static BLAKE2_INLINE void store32( void *dst, uint32_t w )
+{
+#if defined(NATIVE_LITTLE_ENDIAN)
+  memcpy(dst, &w, sizeof w);
+#else
+  uint8_t *p = ( uint8_t * )dst;
+  p[0] = (uint8_t)(w >> 0);
+  p[1] = (uint8_t)(w >> 8);
+  p[2] = (uint8_t)(w >> 16);
+  p[3] = (uint8_t)(w >> 24);
+#endif
+}
+
+static BLAKE2_INLINE void store64( void *dst, uint64_t w )
+{
+#if defined(NATIVE_LITTLE_ENDIAN)
+  memcpy(dst, &w, sizeof w);
+#else
+  uint8_t *p = ( uint8_t * )dst;
+  p[0] = (uint8_t)(w >> 0);
+  p[1] = (uint8_t)(w >> 8);
+  p[2] = (uint8_t)(w >> 16);
+  p[3] = (uint8_t)(w >> 24);
+  p[4] = (uint8_t)(w >> 32);
+  p[5] = (uint8_t)(w >> 40);
+  p[6] = (uint8_t)(w >> 48);
+  p[7] = (uint8_t)(w >> 56);
+#endif
+}
+
+static BLAKE2_INLINE uint64_t load64( const void *src )
+{
+#if defined(NATIVE_LITTLE_ENDIAN)
+  uint64_t w;
+  memcpy(&w, src, sizeof w);
+  return w;
+#else
+  const uint8_t *p = ( const uint8_t * )src;
+  return (( uint64_t )( p[0] ) << 0) |
+         (( uint64_t )( p[1] ) << 8) |
+         (( uint64_t )( p[2] ) << 16) |
+         (( uint64_t )( p[3] ) << 24) |
+         (( uint64_t )( p[4] ) << 32) |
+         (( uint64_t )( p[5] ) << 40) |
+         (( uint64_t )( p[6] ) << 48) |
+         (( uint64_t )( p[7] ) << 56) ;
+#endif
+}
+

ADDED build/argon2/src/argon2.h
Index: build/argon2/src/argon2.h
==================================================================
--- /dev/null
+++ build/argon2/src/argon2.h
@@ -0,0 +1,437 @@
+/*
+ * Argon2 reference source code package - reference C implementations
+ *
+ * Copyright 2015
+ * Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, and Samuel Neves
+ *
+ * You may use this work under the terms of a Creative Commons CC0 1.0
+ * License/Waiver or the Apache Public License 2.0, at your option. The terms of
+ * these licenses can be found at:
+ *
+ * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0
+ * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * You should have received a copy of both of these licenses along with this
+ * software. If not, they may be obtained at the above URLs.
+ */
+
+#ifndef ARGON2_H
+#define ARGON2_H
+
+#include <stdint.h>
+#include <stddef.h>
+#include <limits.h>
+
+#if defined(__cplusplus)
+extern "C" {
+#endif
+
+/* Symbols visibility control */
+#ifdef A2_VISCTL
+#define ARGON2_PUBLIC __attribute__((visibility("default")))
+#define ARGON2_LOCAL __attribute__ ((visibility ("hidden")))
+#elif _MSC_VER
+#define ARGON2_PUBLIC __declspec(dllexport)
+#define ARGON2_LOCAL
+#else
+#define ARGON2_PUBLIC
+#define ARGON2_LOCAL
+#endif
+
+/*
+ * Argon2 input parameter restrictions
+ */
+
+/* Minimum and maximum number of lanes (degree of parallelism) */
+#define ARGON2_MIN_LANES UINT32_C(1)
+#define ARGON2_MAX_LANES UINT32_C(0xFFFFFF)
+
+/* Minimum and maximum number of threads */
+#define ARGON2_MIN_THREADS UINT32_C(1)
+#define ARGON2_MAX_THREADS UINT32_C(0xFFFFFF)
+
+/* Number of synchronization points between lanes per pass */
+#define ARGON2_SYNC_POINTS UINT32_C(4)
+
+/* Minimum and maximum digest size in bytes */
+#define ARGON2_MIN_OUTLEN UINT32_C(4)
+#define ARGON2_MAX_OUTLEN UINT32_C(0xFFFFFFFF)
+
+/* Minimum and maximum number of memory blocks (each of BLOCK_SIZE bytes) */
+#define ARGON2_MIN_MEMORY (2 * ARGON2_SYNC_POINTS) /* 2 blocks per slice */
+
+#define ARGON2_MIN(a, b) ((a) < (b) ? (a) : (b))
+/* Max memory size is addressing-space/2, topping at 2^32 blocks (4 TB) */
+#define ARGON2_MAX_MEMORY_BITS \
+    ARGON2_MIN(UINT32_C(32), (sizeof(void *) * CHAR_BIT - 10 - 1))
+#define ARGON2_MAX_MEMORY \
+    ARGON2_MIN(UINT32_C(0xFFFFFFFF), UINT64_C(1) << ARGON2_MAX_MEMORY_BITS)
+
+/* Minimum and maximum number of passes */
+#define ARGON2_MIN_TIME UINT32_C(1)
+#define ARGON2_MAX_TIME UINT32_C(0xFFFFFFFF)
+
+/* Minimum and maximum password length in bytes */
+#define ARGON2_MIN_PWD_LENGTH UINT32_C(0)
+#define ARGON2_MAX_PWD_LENGTH UINT32_C(0xFFFFFFFF)
+
+/* Minimum and maximum associated data length in bytes */
+#define ARGON2_MIN_AD_LENGTH UINT32_C(0)
+#define ARGON2_MAX_AD_LENGTH UINT32_C(0xFFFFFFFF)
+
+/* Minimum and maximum salt length in bytes */
+#define ARGON2_MIN_SALT_LENGTH UINT32_C(8)
+#define ARGON2_MAX_SALT_LENGTH UINT32_C(0xFFFFFFFF)
+
+/* Minimum and maximum key length in bytes */
+#define ARGON2_MIN_SECRET UINT32_C(0)
+#define ARGON2_MAX_SECRET UINT32_C(0xFFFFFFFF)
+
+/* Flags to determine which fields are securely wiped (default = no wipe). */
+#define ARGON2_DEFAULT_FLAGS UINT32_C(0)
+#define ARGON2_FLAG_CLEAR_PASSWORD (UINT32_C(1) << 0)
+#define ARGON2_FLAG_CLEAR_SECRET (UINT32_C(1) << 1)
+
+/* Global flag to determine if we are wiping internal memory buffers. This flag
+ * is defined in core.c and defaults to 1 (wipe internal memory).
*/ +extern int FLAG_clear_internal_memory; + +/* Error codes */ +typedef enum Argon2_ErrorCodes { + ARGON2_OK = 0, + + ARGON2_OUTPUT_PTR_NULL = -1, + + ARGON2_OUTPUT_TOO_SHORT = -2, + ARGON2_OUTPUT_TOO_LONG = -3, + + ARGON2_PWD_TOO_SHORT = -4, + ARGON2_PWD_TOO_LONG = -5, + + ARGON2_SALT_TOO_SHORT = -6, + ARGON2_SALT_TOO_LONG = -7, + + ARGON2_AD_TOO_SHORT = -8, + ARGON2_AD_TOO_LONG = -9, + + ARGON2_SECRET_TOO_SHORT = -10, + ARGON2_SECRET_TOO_LONG = -11, + + ARGON2_TIME_TOO_SMALL = -12, + ARGON2_TIME_TOO_LARGE = -13, + + ARGON2_MEMORY_TOO_LITTLE = -14, + ARGON2_MEMORY_TOO_MUCH = -15, + + ARGON2_LANES_TOO_FEW = -16, + ARGON2_LANES_TOO_MANY = -17, + + ARGON2_PWD_PTR_MISMATCH = -18, /* NULL ptr with non-zero length */ + ARGON2_SALT_PTR_MISMATCH = -19, /* NULL ptr with non-zero length */ + ARGON2_SECRET_PTR_MISMATCH = -20, /* NULL ptr with non-zero length */ + ARGON2_AD_PTR_MISMATCH = -21, /* NULL ptr with non-zero length */ + + ARGON2_MEMORY_ALLOCATION_ERROR = -22, + + ARGON2_FREE_MEMORY_CBK_NULL = -23, + ARGON2_ALLOCATE_MEMORY_CBK_NULL = -24, + + ARGON2_INCORRECT_PARAMETER = -25, + ARGON2_INCORRECT_TYPE = -26, + + ARGON2_OUT_PTR_MISMATCH = -27, + + ARGON2_THREADS_TOO_FEW = -28, + ARGON2_THREADS_TOO_MANY = -29, + + ARGON2_MISSING_ARGS = -30, + + ARGON2_ENCODING_FAIL = -31, + + ARGON2_DECODING_FAIL = -32, + + ARGON2_THREAD_FAIL = -33, + + ARGON2_DECODING_LENGTH_FAIL = -34, + + ARGON2_VERIFY_MISMATCH = -35 +} argon2_error_codes; + +/* Memory allocator types --- for external allocation */ +typedef int (*allocate_fptr)(uint8_t **memory, size_t bytes_to_allocate); +typedef void (*deallocate_fptr)(uint8_t *memory, size_t bytes_to_allocate); + +/* Argon2 external data structures */ + +/* + ***** + * Context: structure to hold Argon2 inputs: + * output array and its length, + * password and its length, + * salt and its length, + * secret and its length, + * associated data and its length, + * number of passes, amount of used memory (in KBytes, can be rounded up a bit) + * number of parallel threads that will be run. + * All the parameters above affect the output hash value. + * Additionally, two function pointers can be provided to allocate and + * deallocate the memory (if NULL, memory will be allocated internally). + * Also, three flags indicate whether to erase password, secret as soon as they + * are pre-hashed (and thus not needed anymore), and the entire memory + ***** + * Simplest situation: you have output array out[8], password is stored in + * pwd[32], salt is stored in salt[16], you do not have keys nor associated + * data. You need to spend 1 GB of RAM and you run 5 passes of Argon2d with + * 4 parallel lanes. + * You want to erase the password, but you're OK with last pass not being + * erased. You want to use the default memory allocator. 
+ * Then you initialize: + Argon2_Context(out,8,pwd,32,salt,16,NULL,0,NULL,0,5,1<<20,4,4,NULL,NULL,true,false,false,false) + */ +typedef struct Argon2_Context { + uint8_t *out; /* output array */ + uint32_t outlen; /* digest length */ + + uint8_t *pwd; /* password array */ + uint32_t pwdlen; /* password length */ + + uint8_t *salt; /* salt array */ + uint32_t saltlen; /* salt length */ + + uint8_t *secret; /* key array */ + uint32_t secretlen; /* key length */ + + uint8_t *ad; /* associated data array */ + uint32_t adlen; /* associated data length */ + + uint32_t t_cost; /* number of passes */ + uint32_t m_cost; /* amount of memory requested (KB) */ + uint32_t lanes; /* number of lanes */ + uint32_t threads; /* maximum number of threads */ + + uint32_t version; /* version number */ + + allocate_fptr allocate_cbk; /* pointer to memory allocator */ + deallocate_fptr free_cbk; /* pointer to memory deallocator */ + + uint32_t flags; /* array of bool options */ +} argon2_context; + +/* Argon2 primitive type */ +typedef enum Argon2_type { + Argon2_d = 0, + Argon2_i = 1, + Argon2_id = 2 +} argon2_type; + +/* Version of the algorithm */ +typedef enum Argon2_version { + ARGON2_VERSION_10 = 0x10, + ARGON2_VERSION_13 = 0x13, + ARGON2_VERSION_NUMBER = ARGON2_VERSION_13 +} argon2_version; + +/* + * Function that gives the string representation of an argon2_type. + * @param type The argon2_type that we want the string for + * @param uppercase Whether the string should have the first letter uppercase + * @return NULL if invalid type, otherwise the string representation. + */ +ARGON2_PUBLIC const char *argon2_type2string(argon2_type type, int uppercase); + +/* + * Function that performs memory-hard hashing with certain degree of parallelism + * @param context Pointer to the Argon2 internal structure + * @return Error code if smth is wrong, ARGON2_OK otherwise + */ +ARGON2_PUBLIC int argon2_ctx(argon2_context *context, argon2_type type); + +/** + * Hashes a password with Argon2i, producing an encoded hash + * @param t_cost Number of iterations + * @param m_cost Sets memory usage to m_cost kibibytes + * @param parallelism Number of threads and compute lanes + * @param pwd Pointer to password + * @param pwdlen Password size in bytes + * @param salt Pointer to salt + * @param saltlen Salt size in bytes + * @param hashlen Desired length of the hash in bytes + * @param encoded Buffer where to write the encoded hash + * @param encodedlen Size of the buffer (thus max size of the encoded hash) + * @pre Different parallelism levels will give different results + * @pre Returns ARGON2_OK if successful + */ +ARGON2_PUBLIC int argon2i_hash_encoded(const uint32_t t_cost, + const uint32_t m_cost, + const uint32_t parallelism, + const void *pwd, const size_t pwdlen, + const void *salt, const size_t saltlen, + const size_t hashlen, char *encoded, + const size_t encodedlen); + +/** + * Hashes a password with Argon2i, producing a raw hash at @hash + * @param t_cost Number of iterations + * @param m_cost Sets memory usage to m_cost kibibytes + * @param parallelism Number of threads and compute lanes + * @param pwd Pointer to password + * @param pwdlen Password size in bytes + * @param salt Pointer to salt + * @param saltlen Salt size in bytes + * @param hash Buffer where to write the raw hash - updated by the function + * @param hashlen Desired length of the hash in bytes + * @pre Different parallelism levels will give different results + * @pre Returns ARGON2_OK if successful + */ +ARGON2_PUBLIC int argon2i_hash_raw(const 
uint32_t t_cost, const uint32_t m_cost, + const uint32_t parallelism, const void *pwd, + const size_t pwdlen, const void *salt, + const size_t saltlen, void *hash, + const size_t hashlen); + +ARGON2_PUBLIC int argon2d_hash_encoded(const uint32_t t_cost, + const uint32_t m_cost, + const uint32_t parallelism, + const void *pwd, const size_t pwdlen, + const void *salt, const size_t saltlen, + const size_t hashlen, char *encoded, + const size_t encodedlen); + +ARGON2_PUBLIC int argon2d_hash_raw(const uint32_t t_cost, const uint32_t m_cost, + const uint32_t parallelism, const void *pwd, + const size_t pwdlen, const void *salt, + const size_t saltlen, void *hash, + const size_t hashlen); + +ARGON2_PUBLIC int argon2id_hash_encoded(const uint32_t t_cost, + const uint32_t m_cost, + const uint32_t parallelism, + const void *pwd, const size_t pwdlen, + const void *salt, const size_t saltlen, + const size_t hashlen, char *encoded, + const size_t encodedlen); + +ARGON2_PUBLIC int argon2id_hash_raw(const uint32_t t_cost, + const uint32_t m_cost, + const uint32_t parallelism, const void *pwd, + const size_t pwdlen, const void *salt, + const size_t saltlen, void *hash, + const size_t hashlen); + +/* generic function underlying the above ones */ +ARGON2_PUBLIC int argon2_hash(const uint32_t t_cost, const uint32_t m_cost, + const uint32_t parallelism, const void *pwd, + const size_t pwdlen, const void *salt, + const size_t saltlen, void *hash, + const size_t hashlen, char *encoded, + const size_t encodedlen, argon2_type type, + const uint32_t version); + +/** + * Verifies a password against an encoded string + * Encoded string is restricted as in validate_inputs() + * @param encoded String encoding parameters, salt, hash + * @param pwd Pointer to password + * @pre Returns ARGON2_OK if successful + */ +ARGON2_PUBLIC int argon2i_verify(const char *encoded, const void *pwd, + const size_t pwdlen); + +ARGON2_PUBLIC int argon2d_verify(const char *encoded, const void *pwd, + const size_t pwdlen); + +ARGON2_PUBLIC int argon2id_verify(const char *encoded, const void *pwd, + const size_t pwdlen); + +/* generic function underlying the above ones */ +ARGON2_PUBLIC int argon2_verify(const char *encoded, const void *pwd, + const size_t pwdlen, argon2_type type); + +/** + * Argon2d: Version of Argon2 that picks memory blocks depending + * on the password and salt. Only for side-channel-free + * environment!! + ***** + * @param context Pointer to current Argon2 context + * @return Zero if successful, a non zero error code otherwise + */ +ARGON2_PUBLIC int argon2d_ctx(argon2_context *context); + +/** + * Argon2i: Version of Argon2 that picks memory blocks + * independent on the password and salt. Good for side-channels, + * but worse w.r.t. tradeoff attacks if only one pass is used. + ***** + * @param context Pointer to current Argon2 context + * @return Zero if successful, a non zero error code otherwise + */ +ARGON2_PUBLIC int argon2i_ctx(argon2_context *context); + +/** + * Argon2id: Version of Argon2 where the first half-pass over memory is + * password-independent, the rest are password-dependent (on the password and + * salt). OK against side channels (they reduce to 1/2-pass Argon2i), and + * better with w.r.t. tradeoff attacks (similar to Argon2d). 
+ ***** + * @param context Pointer to current Argon2 context + * @return Zero if successful, a non zero error code otherwise + */ +ARGON2_PUBLIC int argon2id_ctx(argon2_context *context); + +/** + * Verify if a given password is correct for Argon2d hashing + * @param context Pointer to current Argon2 context + * @param hash The password hash to verify. The length of the hash is + * specified by the context outlen member + * @return Zero if successful, a non zero error code otherwise + */ +ARGON2_PUBLIC int argon2d_verify_ctx(argon2_context *context, const char *hash); + +/** + * Verify if a given password is correct for Argon2i hashing + * @param context Pointer to current Argon2 context + * @param hash The password hash to verify. The length of the hash is + * specified by the context outlen member + * @return Zero if successful, a non zero error code otherwise + */ +ARGON2_PUBLIC int argon2i_verify_ctx(argon2_context *context, const char *hash); + +/** + * Verify if a given password is correct for Argon2id hashing + * @param context Pointer to current Argon2 context + * @param hash The password hash to verify. The length of the hash is + * specified by the context outlen member + * @return Zero if successful, a non zero error code otherwise + */ +ARGON2_PUBLIC int argon2id_verify_ctx(argon2_context *context, + const char *hash); + +/* generic function underlying the above ones */ +ARGON2_PUBLIC int argon2_verify_ctx(argon2_context *context, const char *hash, + argon2_type type); + +/** + * Get the associated error message for given error code + * @return The error message associated with the given error code + */ +ARGON2_PUBLIC const char *argon2_error_message(int error_code); + +/** + * Returns the encoded hash length for the given input parameters + * @param t_cost Number of iterations + * @param m_cost Memory usage in kibibytes + * @param parallelism Number of threads; used to compute lanes + * @param saltlen Salt size in bytes + * @param hashlen Hash size in bytes + * @param type The argon2_type that we want the encoded length for + * @return The encoded hash length in bytes + */ +ARGON2_PUBLIC size_t argon2_encodedlen(uint32_t t_cost, uint32_t m_cost, + uint32_t parallelism, uint32_t saltlen, + uint32_t hashlen, argon2_type type); + +#if defined(__cplusplus) +} +#endif + +#endif ADDED build/argon2/src/blake2b.c Index: build/argon2/src/blake2b.c ================================================================== --- /dev/null +++ build/argon2/src/blake2b.c @@ -0,0 +1,390 @@ +/* + * Argon2 reference source code package - reference C implementations + * + * Copyright 2015 + * Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, and Samuel Neves + * + * You may use this work under the terms of a Creative Commons CC0 1.0 + * License/Waiver or the Apache Public License 2.0, at your option. The terms of + * these licenses can be found at: + * + * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 + * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 + * + * You should have received a copy of both of these licenses along with this + * software. If not, they may be obtained at the above URLs. 
+ */
+
+#include <stdint.h>
+#include <string.h>
+#include <stdio.h>
+
+#include "blake2.h"
+#include "blake2-impl.h"
+
+static const uint64_t blake2b_IV[8] = {
+    UINT64_C(0x6a09e667f3bcc908), UINT64_C(0xbb67ae8584caa73b),
+    UINT64_C(0x3c6ef372fe94f82b), UINT64_C(0xa54ff53a5f1d36f1),
+    UINT64_C(0x510e527fade682d1), UINT64_C(0x9b05688c2b3e6c1f),
+    UINT64_C(0x1f83d9abfb41bd6b), UINT64_C(0x5be0cd19137e2179)};
+
+static const unsigned int blake2b_sigma[12][16] = {
+    {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
+    {14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3},
+    {11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4},
+    {7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8},
+    {9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13},
+    {2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9},
+    {12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11},
+    {13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10},
+    {6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5},
+    {10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0},
+    {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15},
+    {14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3},
+};
+
+static BLAKE2_INLINE void blake2b_set_lastnode(blake2b_state *S) {
+    S->f[1] = (uint64_t)-1;
+}
+
+static BLAKE2_INLINE void blake2b_set_lastblock(blake2b_state *S) {
+    if (S->last_node) {
+        blake2b_set_lastnode(S);
+    }
+    S->f[0] = (uint64_t)-1;
+}
+
+static BLAKE2_INLINE void blake2b_increment_counter(blake2b_state *S,
+                                                    uint64_t inc) {
+    S->t[0] += inc;
+    S->t[1] += (S->t[0] < inc);
+}
+
+static BLAKE2_INLINE void blake2b_invalidate_state(blake2b_state *S) {
+    clear_internal_memory(S, sizeof(*S)); /* wipe */
+    blake2b_set_lastblock(S); /* invalidate for further use */
+}
+
+static BLAKE2_INLINE void blake2b_init0(blake2b_state *S) {
+    memset(S, 0, sizeof(*S));
+    memcpy(S->h, blake2b_IV, sizeof(S->h));
+}
+
+int blake2b_init_param(blake2b_state *S, const blake2b_param *P) {
+    const unsigned char *p = (const unsigned char *)P;
+    unsigned int i;
+
+    if (NULL == P || NULL == S) {
+        return -1;
+    }
+
+    blake2b_init0(S);
+    /* IV XOR Parameter Block */
+    for (i = 0; i < 8; ++i) {
+        S->h[i] ^= load64(&p[i * sizeof(S->h[i])]);
+    }
+    S->outlen = P->digest_length;
+    return 0;
+}
+
+/* Sequential blake2b initialization */
+int blake2b_init(blake2b_state *S, size_t outlen) {
+    blake2b_param P;
+
+    if (S == NULL) {
+        return -1;
+    }
+
+    if ((outlen == 0) || (outlen > BLAKE2B_OUTBYTES)) {
+        blake2b_invalidate_state(S);
+        return -1;
+    }
+
+    /* Setup Parameter Block for unkeyed BLAKE2 */
+    P.digest_length = (uint8_t)outlen;
+    P.key_length = 0;
+    P.fanout = 1;
+    P.depth = 1;
+    P.leaf_length = 0;
+    P.node_offset = 0;
+    P.node_depth = 0;
+    P.inner_length = 0;
+    memset(P.reserved, 0, sizeof(P.reserved));
+    memset(P.salt, 0, sizeof(P.salt));
+    memset(P.personal, 0, sizeof(P.personal));
+
+    return blake2b_init_param(S, &P);
+}
+
+int blake2b_init_key(blake2b_state *S, size_t outlen, const void *key,
+                     size_t keylen) {
+    blake2b_param P;
+
+    if (S == NULL) {
+        return -1;
+    }
+
+    if ((outlen == 0) || (outlen > BLAKE2B_OUTBYTES)) {
+        blake2b_invalidate_state(S);
+        return -1;
+    }
+
+    if ((key == 0) || (keylen == 0) || (keylen > BLAKE2B_KEYBYTES)) {
+        blake2b_invalidate_state(S);
+        return -1;
+    }
+
+    /* Setup Parameter Block for keyed BLAKE2 */
+    P.digest_length = (uint8_t)outlen;
+    P.key_length = (uint8_t)keylen;
+    P.fanout = 1;
+    P.depth = 1;
+    P.leaf_length = 0;
+    P.node_offset = 0;
+    P.node_depth = 0;
+    P.inner_length = 0;
+    memset(P.reserved, 0, sizeof(P.reserved));
+    memset(P.salt, 0, 
sizeof(P.salt)); + memset(P.personal, 0, sizeof(P.personal)); + + if (blake2b_init_param(S, &P) < 0) { + blake2b_invalidate_state(S); + return -1; + } + + { + uint8_t block[BLAKE2B_BLOCKBYTES]; + memset(block, 0, BLAKE2B_BLOCKBYTES); + memcpy(block, key, keylen); + blake2b_update(S, block, BLAKE2B_BLOCKBYTES); + /* Burn the key from stack */ + clear_internal_memory(block, BLAKE2B_BLOCKBYTES); + } + return 0; +} + +static void blake2b_compress(blake2b_state *S, const uint8_t *block) { + uint64_t m[16]; + uint64_t v[16]; + unsigned int i, r; + + for (i = 0; i < 16; ++i) { + m[i] = load64(block + i * sizeof(m[i])); + } + + for (i = 0; i < 8; ++i) { + v[i] = S->h[i]; + } + + v[8] = blake2b_IV[0]; + v[9] = blake2b_IV[1]; + v[10] = blake2b_IV[2]; + v[11] = blake2b_IV[3]; + v[12] = blake2b_IV[4] ^ S->t[0]; + v[13] = blake2b_IV[5] ^ S->t[1]; + v[14] = blake2b_IV[6] ^ S->f[0]; + v[15] = blake2b_IV[7] ^ S->f[1]; + +#define G(r, i, a, b, c, d) \ + do { \ + a = a + b + m[blake2b_sigma[r][2 * i + 0]]; \ + d = rotr64(d ^ a, 32); \ + c = c + d; \ + b = rotr64(b ^ c, 24); \ + a = a + b + m[blake2b_sigma[r][2 * i + 1]]; \ + d = rotr64(d ^ a, 16); \ + c = c + d; \ + b = rotr64(b ^ c, 63); \ + } while ((void)0, 0) + +#define ROUND(r) \ + do { \ + G(r, 0, v[0], v[4], v[8], v[12]); \ + G(r, 1, v[1], v[5], v[9], v[13]); \ + G(r, 2, v[2], v[6], v[10], v[14]); \ + G(r, 3, v[3], v[7], v[11], v[15]); \ + G(r, 4, v[0], v[5], v[10], v[15]); \ + G(r, 5, v[1], v[6], v[11], v[12]); \ + G(r, 6, v[2], v[7], v[8], v[13]); \ + G(r, 7, v[3], v[4], v[9], v[14]); \ + } while ((void)0, 0) + + for (r = 0; r < 12; ++r) { + ROUND(r); + } + + for (i = 0; i < 8; ++i) { + S->h[i] = S->h[i] ^ v[i] ^ v[i + 8]; + } + +#undef G +#undef ROUND +} + +int blake2b_update(blake2b_state *S, const void *in, size_t inlen) { + const uint8_t *pin = (const uint8_t *)in; + + if (inlen == 0) { + return 0; + } + + /* Sanity check */ + if (S == NULL || in == NULL) { + return -1; + } + + /* Is this a reused state? */ + if (S->f[0] != 0) { + return -1; + } + + if (S->buflen + inlen > BLAKE2B_BLOCKBYTES) { + /* Complete current block */ + size_t left = S->buflen; + size_t fill = BLAKE2B_BLOCKBYTES - left; + memcpy(&S->buf[left], pin, fill); + blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES); + blake2b_compress(S, S->buf); + S->buflen = 0; + inlen -= fill; + pin += fill; + /* Avoid buffer copies when possible */ + while (inlen > BLAKE2B_BLOCKBYTES) { + blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES); + blake2b_compress(S, pin); + inlen -= BLAKE2B_BLOCKBYTES; + pin += BLAKE2B_BLOCKBYTES; + } + } + memcpy(&S->buf[S->buflen], pin, inlen); + S->buflen += (unsigned int)inlen; + return 0; +} + +int blake2b_final(blake2b_state *S, void *out, size_t outlen) { + uint8_t buffer[BLAKE2B_OUTBYTES] = {0}; + unsigned int i; + + /* Sanity checks */ + if (S == NULL || out == NULL || outlen < S->outlen) { + return -1; + } + + /* Is this a reused state? 
*/ + if (S->f[0] != 0) { + return -1; + } + + blake2b_increment_counter(S, S->buflen); + blake2b_set_lastblock(S); + memset(&S->buf[S->buflen], 0, BLAKE2B_BLOCKBYTES - S->buflen); /* Padding */ + blake2b_compress(S, S->buf); + + for (i = 0; i < 8; ++i) { /* Output full hash to temp buffer */ + store64(buffer + sizeof(S->h[i]) * i, S->h[i]); + } + + memcpy(out, buffer, S->outlen); + clear_internal_memory(buffer, sizeof(buffer)); + clear_internal_memory(S->buf, sizeof(S->buf)); + clear_internal_memory(S->h, sizeof(S->h)); + return 0; +} + +int blake2b(void *out, size_t outlen, const void *in, size_t inlen, + const void *key, size_t keylen) { + blake2b_state S; + int ret = -1; + + /* Verify parameters */ + if (NULL == in && inlen > 0) { + goto fail; + } + + if (NULL == out || outlen == 0 || outlen > BLAKE2B_OUTBYTES) { + goto fail; + } + + if ((NULL == key && keylen > 0) || keylen > BLAKE2B_KEYBYTES) { + goto fail; + } + + if (keylen > 0) { + if (blake2b_init_key(&S, outlen, key, keylen) < 0) { + goto fail; + } + } else { + if (blake2b_init(&S, outlen) < 0) { + goto fail; + } + } + + if (blake2b_update(&S, in, inlen) < 0) { + goto fail; + } + ret = blake2b_final(&S, out, outlen); + +fail: + clear_internal_memory(&S, sizeof(S)); + return ret; +} + +/* Argon2 Team - Begin Code */ +int blake2b_long(void *pout, size_t outlen, const void *in, size_t inlen) { + uint8_t *out = (uint8_t *)pout; + blake2b_state blake_state; + uint8_t outlen_bytes[sizeof(uint32_t)] = {0}; + int ret = -1; + + if (outlen > UINT32_MAX) { + goto fail; + } + + /* Ensure little-endian byte order! */ + store32(outlen_bytes, (uint32_t)outlen); + +#define TRY(statement) \ + do { \ + ret = statement; \ + if (ret < 0) { \ + goto fail; \ + } \ + } while ((void)0, 0) + + if (outlen <= BLAKE2B_OUTBYTES) { + TRY(blake2b_init(&blake_state, outlen)); + TRY(blake2b_update(&blake_state, outlen_bytes, sizeof(outlen_bytes))); + TRY(blake2b_update(&blake_state, in, inlen)); + TRY(blake2b_final(&blake_state, out, outlen)); + } else { + uint32_t toproduce; + uint8_t out_buffer[BLAKE2B_OUTBYTES]; + uint8_t in_buffer[BLAKE2B_OUTBYTES]; + TRY(blake2b_init(&blake_state, BLAKE2B_OUTBYTES)); + TRY(blake2b_update(&blake_state, outlen_bytes, sizeof(outlen_bytes))); + TRY(blake2b_update(&blake_state, in, inlen)); + TRY(blake2b_final(&blake_state, out_buffer, BLAKE2B_OUTBYTES)); + memcpy(out, out_buffer, BLAKE2B_OUTBYTES / 2); + out += BLAKE2B_OUTBYTES / 2; + toproduce = (uint32_t)outlen - BLAKE2B_OUTBYTES / 2; + + while (toproduce > BLAKE2B_OUTBYTES) { + memcpy(in_buffer, out_buffer, BLAKE2B_OUTBYTES); + TRY(blake2b(out_buffer, BLAKE2B_OUTBYTES, in_buffer, + BLAKE2B_OUTBYTES, NULL, 0)); + memcpy(out, out_buffer, BLAKE2B_OUTBYTES / 2); + out += BLAKE2B_OUTBYTES / 2; + toproduce -= BLAKE2B_OUTBYTES / 2; + } + + memcpy(in_buffer, out_buffer, BLAKE2B_OUTBYTES); + TRY(blake2b(out_buffer, toproduce, in_buffer, BLAKE2B_OUTBYTES, NULL, + 0)); + memcpy(out, out_buffer, toproduce); + } +fail: + clear_internal_memory(&blake_state, sizeof(blake_state)); + return ret; +#undef TRY +} +/* Argon2 Team - End Code */ ADDED build/argon2/src/blamka-round-ref.h Index: build/argon2/src/blamka-round-ref.h ================================================================== --- /dev/null +++ build/argon2/src/blamka-round-ref.h @@ -0,0 +1,56 @@ +/* + * Argon2 reference source code package - reference C implementations + * + * Copyright 2015 + * Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, and Samuel Neves + * + * You may use this work under the terms of a Creative 
Commons CC0 1.0 + * License/Waiver or the Apache Public License 2.0, at your option. The terms of + * these licenses can be found at: + * + * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 + * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 + * + * You should have received a copy of both of these licenses along with this + * software. If not, they may be obtained at the above URLs. + */ + +#ifndef BLAKE_ROUND_MKA_H +#define BLAKE_ROUND_MKA_H + +#include "blake2.h" +#include "blake2-impl.h" + +/* designed by the Lyra PHC team */ +static BLAKE2_INLINE uint64_t fBlaMka(uint64_t x, uint64_t y) { + const uint64_t m = UINT64_C(0xFFFFFFFF); + const uint64_t xy = (x & m) * (y & m); + return x + y + 2 * xy; +} + +#define G(a, b, c, d) \ + do { \ + a = fBlaMka(a, b); \ + d = rotr64(d ^ a, 32); \ + c = fBlaMka(c, d); \ + b = rotr64(b ^ c, 24); \ + a = fBlaMka(a, b); \ + d = rotr64(d ^ a, 16); \ + c = fBlaMka(c, d); \ + b = rotr64(b ^ c, 63); \ + } while ((void)0, 0) + +#define BLAKE2_ROUND_NOMSG(v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, \ + v12, v13, v14, v15) \ + do { \ + G(v0, v4, v8, v12); \ + G(v1, v5, v9, v13); \ + G(v2, v6, v10, v14); \ + G(v3, v7, v11, v15); \ + G(v0, v5, v10, v15); \ + G(v1, v6, v11, v12); \ + G(v2, v7, v8, v13); \ + G(v3, v4, v9, v14); \ + } while ((void)0, 0) + +#endif ADDED build/argon2/src/core.c Index: build/argon2/src/core.c ================================================================== --- /dev/null +++ build/argon2/src/core.c @@ -0,0 +1,634 @@ +/* + * Argon2 reference source code package - reference C implementations + * + * Copyright 2015 + * Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, and Samuel Neves + * + * You may use this work under the terms of a Creative Commons CC0 1.0 + * License/Waiver or the Apache Public License 2.0, at your option. The terms of + * these licenses can be found at: + * + * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 + * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 + * + * You should have received a copy of both of these licenses along with this + * software. If not, they may be obtained at the above URLs. 
+ */
+
+/*For memory wiping*/
+#ifdef _MSC_VER
+#include <windows.h>
+#include <winbase.h> /* For SecureZeroMemory */
+#endif
+#if defined __STDC_LIB_EXT1__
+#define __STDC_WANT_LIB_EXT1__ 1
+#endif
+#define VC_GE_2005(version) (version >= 1400)
+
+#include <string.h>
+#include <stdio.h>
+#include <stdlib.h>
+
+#include "core.h"
+#include "thread.h"
+#include "blake2/blake2.h"
+#include "blake2/blake2-impl.h"
+
+#ifdef GENKAT
+#include "genkat.h"
+#endif
+
+#if defined(__clang__)
+#if __has_attribute(optnone)
+#define NOT_OPTIMIZED __attribute__((optnone))
+#endif
+#elif defined(__GNUC__)
+#define GCC_VERSION \
+    (__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__)
+#if GCC_VERSION >= 40400
+#define NOT_OPTIMIZED __attribute__((optimize("O0")))
+#endif
+#endif
+#ifndef NOT_OPTIMIZED
+#define NOT_OPTIMIZED
+#endif
+
+/***************Instance and Position constructors**********/
+void init_block_value(block *b, uint8_t in) { memset(b->v, in, sizeof(b->v)); }
+
+void copy_block(block *dst, const block *src) {
+    memcpy(dst->v, src->v, sizeof(uint64_t) * ARGON2_QWORDS_IN_BLOCK);
+}
+
+void xor_block(block *dst, const block *src) {
+    int i;
+    for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i) {
+        dst->v[i] ^= src->v[i];
+    }
+}
+
+static void load_block(block *dst, const void *input) {
+    unsigned i;
+    for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i) {
+        dst->v[i] = load64((const uint8_t *)input + i * sizeof(dst->v[i]));
+    }
+}
+
+static void store_block(void *output, const block *src) {
+    unsigned i;
+    for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i) {
+        store64((uint8_t *)output + i * sizeof(src->v[i]), src->v[i]);
+    }
+}
+
+/***************Memory functions*****************/
+
+int allocate_memory(const argon2_context *context, uint8_t **memory,
+                    size_t num, size_t size) {
+    size_t memory_size = num*size;
+    if (memory == NULL) {
+        return ARGON2_MEMORY_ALLOCATION_ERROR;
+    }
+
+    /* 1. Check for multiplication overflow */
+    if (size != 0 && memory_size / size != num) {
+        return ARGON2_MEMORY_ALLOCATION_ERROR;
+    }
+
+    /* 2. Try to allocate with appropriate allocator */
+    if (context->allocate_cbk) {
+        (context->allocate_cbk)(memory, memory_size);
+    } else {
+        *memory = malloc(memory_size);
+    }
+
+    if (*memory == NULL) {
+        return ARGON2_MEMORY_ALLOCATION_ERROR;
+    }
+
+    return ARGON2_OK;
+}
+
+void free_memory(const argon2_context *context, uint8_t *memory,
+                 size_t num, size_t size) {
+    size_t memory_size = num*size;
+    clear_internal_memory(memory, memory_size);
+    if (context->free_cbk) {
+        (context->free_cbk)(memory, memory_size);
+    } else {
+        free(memory);
+    }
+}
+
+void NOT_OPTIMIZED secure_wipe_memory(void *v, size_t n) {
+#if defined(_MSC_VER) && VC_GE_2005(_MSC_VER)
+    SecureZeroMemory(v, n);
+#elif defined memset_s
+    memset_s(v, n, 0, n);
+#elif defined(__OpenBSD__)
+    explicit_bzero(v, n);
+#else
+    static void *(*const volatile memset_sec)(void *, int, size_t) = &memset;
+    memset_sec(v, 0, n);
+#endif
+}
+
+/* Memory clear flag defaults to true. */
+int FLAG_clear_internal_memory = 1;
+void clear_internal_memory(void *v, size_t n) {
+    if (FLAG_clear_internal_memory && v) {
+        secure_wipe_memory(v, n);
+    }
+}
+
+void finalize(const argon2_context *context, argon2_instance_t *instance) {
+    if (context != NULL && instance != NULL) {
+        block blockhash;
+        uint32_t l;
+
+        copy_block(&blockhash, instance->memory + instance->lane_length - 1);
+
+        /* XOR the last blocks */
+        for (l = 1; l < instance->lanes; ++l) {
+            uint32_t last_block_in_lane =
+                l * instance->lane_length + (instance->lane_length - 1);
+            xor_block(&blockhash, instance->memory + last_block_in_lane);
+        }
+
+        /* Hash the result */
+        {
+            uint8_t blockhash_bytes[ARGON2_BLOCK_SIZE];
+            store_block(blockhash_bytes, &blockhash);
+            blake2b_long(context->out, context->outlen, blockhash_bytes,
+                         ARGON2_BLOCK_SIZE);
+            /* clear blockhash and blockhash_bytes */
+            clear_internal_memory(blockhash.v, ARGON2_BLOCK_SIZE);
+            clear_internal_memory(blockhash_bytes, ARGON2_BLOCK_SIZE);
+        }
+
+#ifdef GENKAT
+        print_tag(context->out, context->outlen);
+#endif
+
+        free_memory(context, (uint8_t *)instance->memory,
+                    instance->memory_blocks, sizeof(block));
+    }
+}
+
+uint32_t index_alpha(const argon2_instance_t *instance,
+                     const argon2_position_t *position, uint32_t pseudo_rand,
+                     int same_lane) {
+    /*
+     * Pass 0:
+     * This lane : all already finished segments plus already constructed
+     * blocks in this segment
+     * Other lanes : all already finished segments
+     * Pass 1+:
+     * This lane : (SYNC_POINTS - 1) last segments plus already constructed
+     * blocks in this segment
+     * Other lanes : (SYNC_POINTS - 1) last segments
+     */
+    uint32_t reference_area_size;
+    uint64_t relative_position;
+    uint32_t start_position, absolute_position;
+
+    if (0 == position->pass) {
+        /* First pass */
+        if (0 == position->slice) {
+            /* First slice */
+            reference_area_size =
+                position->index - 1; /* all but the previous */
+        } else {
+            if (same_lane) {
+                /* The same lane => add current segment */
+                reference_area_size =
+                    position->slice * instance->segment_length +
+                    position->index - 1;
+            } else {
+                reference_area_size =
+                    position->slice * instance->segment_length +
+                    ((position->index == 0) ? (-1) : 0);
+            }
+        }
+    } else {
+        /* Second pass */
+        if (same_lane) {
+            reference_area_size = instance->lane_length -
+                                  instance->segment_length + position->index -
+                                  1;
+        } else {
+            reference_area_size = instance->lane_length -
+                                  instance->segment_length +
+                                  ((position->index == 0) ? (-1) : 0);
+        }
+    }
+
+    /* 1.2.4. Mapping pseudo_rand to 0..<reference_area_size-1> and produce
+     * relative position */
+    relative_position = pseudo_rand;
+    relative_position = relative_position * relative_position >> 32;
+    relative_position = reference_area_size - 1 -
+                        (reference_area_size * relative_position >> 32);
+
+    /* 1.2.5 Computing starting position */
+    start_position = 0;
+
+    if (0 != position->pass) {
+        start_position = (position->slice == ARGON2_SYNC_POINTS - 1)
+                             ? 0
+                             : (position->slice + 1) * instance->segment_length;
+    }
+
+    /* 1.2.6. 
Computing absolute position */ + absolute_position = (start_position + relative_position) % + instance->lane_length; /* absolute position */ + return absolute_position; +} + +/* Single-threaded version for p=1 case */ +static int fill_memory_blocks_st(argon2_instance_t *instance) { + uint32_t r, s, l; + + for (r = 0; r < instance->passes; ++r) { + for (s = 0; s < ARGON2_SYNC_POINTS; ++s) { + for (l = 0; l < instance->lanes; ++l) { + argon2_position_t position = {r, l, (uint8_t)s, 0}; + fill_segment(instance, position); + } + } +#ifdef GENKAT + internal_kat(instance, r); /* Print all memory blocks */ +#endif + } + return ARGON2_OK; +} + +#if !defined(ARGON2_NO_THREADS) + +#ifdef _WIN32 +static unsigned __stdcall fill_segment_thr(void *thread_data) +#else +static void *fill_segment_thr(void *thread_data) +#endif +{ + argon2_thread_data *my_data = thread_data; + fill_segment(my_data->instance_ptr, my_data->pos); + argon2_thread_exit(); + return 0; +} + +/* Multi-threaded version for p > 1 case */ +static int fill_memory_blocks_mt(argon2_instance_t *instance) { + uint32_t r, s; + argon2_thread_handle_t *thread = NULL; + argon2_thread_data *thr_data = NULL; + int rc = ARGON2_OK; + + /* 1. Allocating space for threads */ + thread = calloc(instance->lanes, sizeof(argon2_thread_handle_t)); + if (thread == NULL) { + rc = ARGON2_MEMORY_ALLOCATION_ERROR; + goto fail; + } + + thr_data = calloc(instance->lanes, sizeof(argon2_thread_data)); + if (thr_data == NULL) { + rc = ARGON2_MEMORY_ALLOCATION_ERROR; + goto fail; + } + + for (r = 0; r < instance->passes; ++r) { + for (s = 0; s < ARGON2_SYNC_POINTS; ++s) { + uint32_t l; + + /* 2. Calling threads */ + for (l = 0; l < instance->lanes; ++l) { + argon2_position_t position; + + /* 2.1 Join a thread if limit is exceeded */ + if (l >= instance->threads) { + if (argon2_thread_join(thread[l - instance->threads])) { + rc = ARGON2_THREAD_FAIL; + goto fail; + } + } + + /* 2.2 Create thread */ + position.pass = r; + position.lane = l; + position.slice = (uint8_t)s; + position.index = 0; + thr_data[l].instance_ptr = + instance; /* preparing the thread input */ + memcpy(&(thr_data[l].pos), &position, + sizeof(argon2_position_t)); + if (argon2_thread_create(&thread[l], &fill_segment_thr, + (void *)&thr_data[l])) { + rc = ARGON2_THREAD_FAIL; + goto fail; + } + + /* fill_segment(instance, position); */ + /*Non-thread equivalent of the lines above */ + } + + /* 3. Joining remaining threads */ + for (l = instance->lanes - instance->threads; l < instance->lanes; + ++l) { + if (argon2_thread_join(thread[l])) { + rc = ARGON2_THREAD_FAIL; + goto fail; + } + } + } + +#ifdef GENKAT + internal_kat(instance, r); /* Print all memory blocks */ +#endif + } + +fail: + if (thread != NULL) { + free(thread); + } + if (thr_data != NULL) { + free(thr_data); + } + return rc; +} + +#endif /* ARGON2_NO_THREADS */ + +int fill_memory_blocks(argon2_instance_t *instance) { + if (instance == NULL || instance->lanes == 0) { + return ARGON2_INCORRECT_PARAMETER; + } +#if defined(ARGON2_NO_THREADS) + return fill_memory_blocks_st(instance); +#else + return instance->threads == 1 ? 
+ fill_memory_blocks_st(instance) : fill_memory_blocks_mt(instance); +#endif +} + +int validate_inputs(const argon2_context *context) { + if (NULL == context) { + return ARGON2_INCORRECT_PARAMETER; + } + + if (NULL == context->out) { + return ARGON2_OUTPUT_PTR_NULL; + } + + /* Validate output length */ + if (ARGON2_MIN_OUTLEN > context->outlen) { + return ARGON2_OUTPUT_TOO_SHORT; + } + + if (ARGON2_MAX_OUTLEN < context->outlen) { + return ARGON2_OUTPUT_TOO_LONG; + } + + /* Validate password (required param) */ + if (NULL == context->pwd) { + if (0 != context->pwdlen) { + return ARGON2_PWD_PTR_MISMATCH; + } + } + + if (ARGON2_MIN_PWD_LENGTH > context->pwdlen) { + return ARGON2_PWD_TOO_SHORT; + } + + if (ARGON2_MAX_PWD_LENGTH < context->pwdlen) { + return ARGON2_PWD_TOO_LONG; + } + + /* Validate salt (required param) */ + if (NULL == context->salt) { + if (0 != context->saltlen) { + return ARGON2_SALT_PTR_MISMATCH; + } + } + + if (ARGON2_MIN_SALT_LENGTH > context->saltlen) { + return ARGON2_SALT_TOO_SHORT; + } + + if (ARGON2_MAX_SALT_LENGTH < context->saltlen) { + return ARGON2_SALT_TOO_LONG; + } + + /* Validate secret (optional param) */ + if (NULL == context->secret) { + if (0 != context->secretlen) { + return ARGON2_SECRET_PTR_MISMATCH; + } + } else { + if (ARGON2_MIN_SECRET > context->secretlen) { + return ARGON2_SECRET_TOO_SHORT; + } + if (ARGON2_MAX_SECRET < context->secretlen) { + return ARGON2_SECRET_TOO_LONG; + } + } + + /* Validate associated data (optional param) */ + if (NULL == context->ad) { + if (0 != context->adlen) { + return ARGON2_AD_PTR_MISMATCH; + } + } else { + if (ARGON2_MIN_AD_LENGTH > context->adlen) { + return ARGON2_AD_TOO_SHORT; + } + if (ARGON2_MAX_AD_LENGTH < context->adlen) { + return ARGON2_AD_TOO_LONG; + } + } + + /* Validate memory cost */ + if (ARGON2_MIN_MEMORY > context->m_cost) { + return ARGON2_MEMORY_TOO_LITTLE; + } + + if (ARGON2_MAX_MEMORY < context->m_cost) { + return ARGON2_MEMORY_TOO_MUCH; + } + + if (context->m_cost < 8 * context->lanes) { + return ARGON2_MEMORY_TOO_LITTLE; + } + + /* Validate time cost */ + if (ARGON2_MIN_TIME > context->t_cost) { + return ARGON2_TIME_TOO_SMALL; + } + + if (ARGON2_MAX_TIME < context->t_cost) { + return ARGON2_TIME_TOO_LARGE; + } + + /* Validate lanes */ + if (ARGON2_MIN_LANES > context->lanes) { + return ARGON2_LANES_TOO_FEW; + } + + if (ARGON2_MAX_LANES < context->lanes) { + return ARGON2_LANES_TOO_MANY; + } + + /* Validate threads */ + if (ARGON2_MIN_THREADS > context->threads) { + return ARGON2_THREADS_TOO_FEW; + } + + if (ARGON2_MAX_THREADS < context->threads) { + return ARGON2_THREADS_TOO_MANY; + } + + if (NULL != context->allocate_cbk && NULL == context->free_cbk) { + return ARGON2_FREE_MEMORY_CBK_NULL; + } + + if (NULL == context->allocate_cbk && NULL != context->free_cbk) { + return ARGON2_ALLOCATE_MEMORY_CBK_NULL; + } + + return ARGON2_OK; +} + +void fill_first_blocks(uint8_t *blockhash, const argon2_instance_t *instance) { + uint32_t l; + /* Make the first and second block in each lane as G(H0||0||i) or + G(H0||1||i) */ + uint8_t blockhash_bytes[ARGON2_BLOCK_SIZE]; + for (l = 0; l < instance->lanes; ++l) { + + store32(blockhash + ARGON2_PREHASH_DIGEST_LENGTH, 0); + store32(blockhash + ARGON2_PREHASH_DIGEST_LENGTH + 4, l); + blake2b_long(blockhash_bytes, ARGON2_BLOCK_SIZE, blockhash, + ARGON2_PREHASH_SEED_LENGTH); + load_block(&instance->memory[l * instance->lane_length + 0], + blockhash_bytes); + + store32(blockhash + ARGON2_PREHASH_DIGEST_LENGTH, 1); + blake2b_long(blockhash_bytes, ARGON2_BLOCK_SIZE, 
blockhash, + ARGON2_PREHASH_SEED_LENGTH); + load_block(&instance->memory[l * instance->lane_length + 1], + blockhash_bytes); + } + clear_internal_memory(blockhash_bytes, ARGON2_BLOCK_SIZE); +} + +void initial_hash(uint8_t *blockhash, argon2_context *context, + argon2_type type) { + blake2b_state BlakeHash; + uint8_t value[sizeof(uint32_t)]; + + if (NULL == context || NULL == blockhash) { + return; + } + + blake2b_init(&BlakeHash, ARGON2_PREHASH_DIGEST_LENGTH); + + store32(&value, context->lanes); + blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value)); + + store32(&value, context->outlen); + blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value)); + + store32(&value, context->m_cost); + blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value)); + + store32(&value, context->t_cost); + blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value)); + + store32(&value, context->version); + blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value)); + + store32(&value, (uint32_t)type); + blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value)); + + store32(&value, context->pwdlen); + blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value)); + + if (context->pwd != NULL) { + blake2b_update(&BlakeHash, (const uint8_t *)context->pwd, + context->pwdlen); + + if (context->flags & ARGON2_FLAG_CLEAR_PASSWORD) { + secure_wipe_memory(context->pwd, context->pwdlen); + context->pwdlen = 0; + } + } + + store32(&value, context->saltlen); + blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value)); + + if (context->salt != NULL) { + blake2b_update(&BlakeHash, (const uint8_t *)context->salt, + context->saltlen); + } + + store32(&value, context->secretlen); + blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value)); + + if (context->secret != NULL) { + blake2b_update(&BlakeHash, (const uint8_t *)context->secret, + context->secretlen); + + if (context->flags & ARGON2_FLAG_CLEAR_SECRET) { + secure_wipe_memory(context->secret, context->secretlen); + context->secretlen = 0; + } + } + + store32(&value, context->adlen); + blake2b_update(&BlakeHash, (const uint8_t *)&value, sizeof(value)); + + if (context->ad != NULL) { + blake2b_update(&BlakeHash, (const uint8_t *)context->ad, + context->adlen); + } + + blake2b_final(&BlakeHash, blockhash, ARGON2_PREHASH_DIGEST_LENGTH); +} + +int initialize(argon2_instance_t *instance, argon2_context *context) { + uint8_t blockhash[ARGON2_PREHASH_SEED_LENGTH]; + int result = ARGON2_OK; + + if (instance == NULL || context == NULL) + return ARGON2_INCORRECT_PARAMETER; + instance->context_ptr = context; + + /* 1. Memory allocation */ + result = allocate_memory(context, (uint8_t **)&(instance->memory), + instance->memory_blocks, sizeof(block)); + if (result != ARGON2_OK) { + return result; + } + + /* 2. Initial hashing */ + /* H_0 + 8 extra bytes to produce the first blocks */ + /* uint8_t blockhash[ARGON2_PREHASH_SEED_LENGTH]; */ + /* Hashing all inputs */ + initial_hash(blockhash, context, instance->type); + /* Zeroing 8 extra bytes */ + clear_internal_memory(blockhash + ARGON2_PREHASH_DIGEST_LENGTH, + ARGON2_PREHASH_SEED_LENGTH - + ARGON2_PREHASH_DIGEST_LENGTH); + +#ifdef GENKAT + initial_kat(blockhash, context, instance->type); +#endif + + /* 3. 
Creating first blocks, we always have at least two blocks in a slice + */ + fill_first_blocks(blockhash, instance); + /* Clearing the hash */ + clear_internal_memory(blockhash, ARGON2_PREHASH_SEED_LENGTH); + + return ARGON2_OK; +} ADDED build/argon2/src/core.h Index: build/argon2/src/core.h ================================================================== --- /dev/null +++ build/argon2/src/core.h @@ -0,0 +1,228 @@ +/* + * Argon2 reference source code package - reference C implementations + * + * Copyright 2015 + * Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, and Samuel Neves + * + * You may use this work under the terms of a Creative Commons CC0 1.0 + * License/Waiver or the Apache Public License 2.0, at your option. The terms of + * these licenses can be found at: + * + * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 + * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 + * + * You should have received a copy of both of these licenses along with this + * software. If not, they may be obtained at the above URLs. + */ + +#ifndef ARGON2_CORE_H +#define ARGON2_CORE_H + +#include "argon2.h" + +#define CONST_CAST(x) (x)(uintptr_t) + +/**********************Argon2 internal constants*******************************/ + +enum argon2_core_constants { + /* Memory block size in bytes */ + ARGON2_BLOCK_SIZE = 1024, + ARGON2_QWORDS_IN_BLOCK = ARGON2_BLOCK_SIZE / 8, + ARGON2_OWORDS_IN_BLOCK = ARGON2_BLOCK_SIZE / 16, + ARGON2_HWORDS_IN_BLOCK = ARGON2_BLOCK_SIZE / 32, + ARGON2_512BIT_WORDS_IN_BLOCK = ARGON2_BLOCK_SIZE / 64, + + /* Number of pseudo-random values generated by one call to Blake in Argon2i + to + generate reference block positions */ + ARGON2_ADDRESSES_IN_BLOCK = 128, + + /* Pre-hashing digest length and its extension*/ + ARGON2_PREHASH_DIGEST_LENGTH = 64, + ARGON2_PREHASH_SEED_LENGTH = 72 +}; + +/*************************Argon2 internal data types***********************/ + +/* + * Structure for the (1KB) memory block implemented as 128 64-bit words. + * Memory blocks can be copied, XORed. Internal words can be accessed by [] (no + * bounds checking). + */ +typedef struct block_ { uint64_t v[ARGON2_QWORDS_IN_BLOCK]; } block; + +/*****************Functions that work with the block******************/ + +/* Initialize each byte of the block with @in */ +void init_block_value(block *b, uint8_t in); + +/* Copy block @src to block @dst */ +void copy_block(block *dst, const block *src); + +/* XOR @src onto @dst bytewise */ +void xor_block(block *dst, const block *src); + +/* + * Argon2 instance: memory pointer, number of passes, amount of memory, type, + * and derived values. + * Used to evaluate the number and location of blocks to construct in each + * thread + */ +typedef struct Argon2_instance_t { + block *memory; /* Memory pointer */ + uint32_t version; + uint32_t passes; /* Number of passes */ + uint32_t memory_blocks; /* Number of blocks in memory */ + uint32_t segment_length; + uint32_t lane_length; + uint32_t lanes; + uint32_t threads; + argon2_type type; + int print_internals; /* whether to print the memory blocks */ + argon2_context *context_ptr; /* points back to original context */ +} argon2_instance_t; + +/* + * Argon2 position: where we construct the block right now. Used to distribute + * work between threads. 
+ */ +typedef struct Argon2_position_t { + uint32_t pass; + uint32_t lane; + uint8_t slice; + uint32_t index; +} argon2_position_t; + +/*Struct that holds the inputs for thread handling FillSegment*/ +typedef struct Argon2_thread_data { + argon2_instance_t *instance_ptr; + argon2_position_t pos; +} argon2_thread_data; + +/*************************Argon2 core functions********************************/ + +/* Allocates memory to the given pointer, uses the appropriate allocator as + * specified in the context. Total allocated memory is num*size. + * @param context argon2_context which specifies the allocator + * @param memory pointer to the pointer to the memory + * @param size the size in bytes for each element to be allocated + * @param num the number of elements to be allocated + * @return ARGON2_OK if @memory is a valid pointer and memory is allocated + */ +int allocate_memory(const argon2_context *context, uint8_t **memory, + size_t num, size_t size); + +/* + * Frees memory at the given pointer, uses the appropriate deallocator as + * specified in the context. Also cleans the memory using clear_internal_memory. + * @param context argon2_context which specifies the deallocator + * @param memory pointer to buffer to be freed + * @param size the size in bytes for each element to be deallocated + * @param num the number of elements to be deallocated + */ +void free_memory(const argon2_context *context, uint8_t *memory, + size_t num, size_t size); + +/* Function that securely cleans the memory. This ignores any flags set + * regarding clearing memory. Usually one just calls clear_internal_memory. + * @param mem Pointer to the memory + * @param s Memory size in bytes + */ +void secure_wipe_memory(void *v, size_t n); + +/* Function that securely clears the memory if FLAG_clear_internal_memory is + * set. If the flag isn't set, this function does nothing. + * @param mem Pointer to the memory + * @param s Memory size in bytes + */ +void clear_internal_memory(void *v, size_t n); + +/* + * Computes absolute position of reference block in the lane following a skewed + * distribution and using a pseudo-random value as input + * @param instance Pointer to the current instance + * @param position Pointer to the current position + * @param pseudo_rand 32-bit pseudo-random value used to determine the position + * @param same_lane Indicates if the block will be taken from the current lane. + * If so we can reference the current segment + * @pre All pointers must be valid + */ +uint32_t index_alpha(const argon2_instance_t *instance, + const argon2_position_t *position, uint32_t pseudo_rand, + int same_lane); + +/* + * Function that validates all inputs against predefined restrictions and return + * an error code + * @param context Pointer to current Argon2 context + * @return ARGON2_OK if everything is all right, otherwise one of error codes + * (all defined in + */ +int validate_inputs(const argon2_context *context); + +/* + * Hashes all the inputs into @a blockhash[PREHASH_DIGEST_LENGTH], clears + * password and secret if needed + * @param context Pointer to the Argon2 internal structure containing memory + * pointer, and parameters for time and space requirements. 
+ * @param blockhash Buffer for pre-hashing digest + * @param type Argon2 type + * @pre @a blockhash must have at least @a PREHASH_DIGEST_LENGTH bytes + * allocated + */ +void initial_hash(uint8_t *blockhash, argon2_context *context, + argon2_type type); + +/* + * Function creates first 2 blocks per lane + * @param instance Pointer to the current instance + * @param blockhash Pointer to the pre-hashing digest + * @pre blockhash must point to @a PREHASH_SEED_LENGTH allocated values + */ +void fill_first_blocks(uint8_t *blockhash, const argon2_instance_t *instance); + +/* + * Function allocates memory, hashes the inputs with Blake, and creates first + * two blocks. Returns the pointer to the main memory with 2 blocks per lane + * initialized + * @param context Pointer to the Argon2 internal structure containing memory + * pointer, and parameters for time and space requirements. + * @param instance Current Argon2 instance + * @return Zero if successful, -1 if memory failed to allocate. @context->state + * will be modified if successful. + */ +int initialize(argon2_instance_t *instance, argon2_context *context); + +/* + * XORing the last block of each lane, hashing it, making the tag. Deallocates + * the memory. + * @param context Pointer to current Argon2 context (use only the out parameters + * from it) + * @param instance Pointer to current instance of Argon2 + * @pre instance->state must point to necessary amount of memory + * @pre context->out must point to outlen bytes of memory + * @pre if context->free_cbk is not NULL, it should point to a function that + * deallocates memory + */ +void finalize(const argon2_context *context, argon2_instance_t *instance); + +/* + * Function that fills the segment using previous segments also from other + * threads + * @param context current context + * @param instance Pointer to the current instance + * @param position Current position + * @pre all block pointers must be valid + */ +void fill_segment(const argon2_instance_t *instance, + argon2_position_t position); + +/* + * Function that fills the entire memory t_cost times based on the first two + * blocks in each lane + * @param instance Pointer to the current instance + * @return ARGON2_OK if successful, @context->state + */ +int fill_memory_blocks(argon2_instance_t *instance); + +#endif ADDED build/argon2/src/ref.c Index: build/argon2/src/ref.c ================================================================== --- /dev/null +++ build/argon2/src/ref.c @@ -0,0 +1,194 @@ +/* + * Argon2 reference source code package - reference C implementations + * + * Copyright 2015 + * Daniel Dinu, Dmitry Khovratovich, Jean-Philippe Aumasson, and Samuel Neves + * + * You may use this work under the terms of a Creative Commons CC0 1.0 + * License/Waiver or the Apache Public License 2.0, at your option. The terms of + * these licenses can be found at: + * + * - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 + * - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 + * + * You should have received a copy of both of these licenses along with this + * software. If not, they may be obtained at the above URLs. + */ + +#include +#include +#include + +#include "argon2.h" +#include "core.h" + +#include "blake2/blamka-round-ref.h" +#include "blake2/blake2-impl.h" +#include "blake2/blake2.h" + + +/* + * Function fills a new memory block and optionally XORs the old block over the new one. + * @next_block must be initialized. 
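The BLAKE2_ROUND_NOMSG macro applied by fill_block() below comes from blamka-round-ref.h, which this file includes but which is not reproduced in this hunk. As a rough sketch, paraphrased from the upstream reference header (the function form and the name blamka_G are used here only for readability; upstream expresses these as macros):

    #include <stdint.h>

    /* 64-bit right rotation, as used throughout BLAKE2b. */
    uint64_t rotr64(uint64_t w, unsigned c) {
        return (w >> c) | (w << (64 - c));
    }

    /* BlaMka addition: BLAKE2b's a+b plus an extra 2*trunc32(a)*trunc32(b)
     * term, which makes the permutation multiplication-hardened. */
    uint64_t fBlaMka(uint64_t x, uint64_t y) {
        const uint64_t m = UINT64_C(0xFFFFFFFF);
        const uint64_t xy = (x & m) * (y & m);
        return x + y + 2 * xy;
    }

    /* One quarter-round; BLAKE2_ROUND_NOMSG applies eight of these to a
     * 16-word slice, first column-wise then diagonal-wise, like a
     * message-less BLAKE2b round. */
    void blamka_G(uint64_t *a, uint64_t *b, uint64_t *c, uint64_t *d) {
        *a = fBlaMka(*a, *b);  *d = rotr64(*d ^ *a, 32);
        *c = fBlaMka(*c, *d);  *b = rotr64(*b ^ *c, 24);
        *a = fBlaMka(*a, *b);  *d = rotr64(*d ^ *a, 16);
        *c = fBlaMka(*c, *d);  *b = rotr64(*b ^ *c, 63);
    }

fill_block() below runs this round over the 128 words of a block twice, once over columns and once over rows, before XORing the result back into the destination block.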
+ * @param prev_block Pointer to the previous block + * @param ref_block Pointer to the reference block + * @param next_block Pointer to the block to be constructed + * @param with_xor Whether to XOR into the new block (1) or just overwrite (0) + * @pre all block pointers must be valid + */ +static void fill_block(const block *prev_block, const block *ref_block, + block *next_block, int with_xor) { + block blockR, block_tmp; + unsigned i; + + copy_block(&blockR, ref_block); + xor_block(&blockR, prev_block); + copy_block(&block_tmp, &blockR); + /* Now blockR = ref_block + prev_block and block_tmp = ref_block + prev_block */ + if (with_xor) { + /* Saving the next block contents for XOR over: */ + xor_block(&block_tmp, next_block); + /* Now blockR = ref_block + prev_block and + block_tmp = ref_block + prev_block + next_block */ + } + + /* Apply Blake2 on columns of 64-bit words: (0,1,...,15) , then + (16,17,..31)... finally (112,113,...127) */ + for (i = 0; i < 8; ++i) { + BLAKE2_ROUND_NOMSG( + blockR.v[16 * i], blockR.v[16 * i + 1], blockR.v[16 * i + 2], + blockR.v[16 * i + 3], blockR.v[16 * i + 4], blockR.v[16 * i + 5], + blockR.v[16 * i + 6], blockR.v[16 * i + 7], blockR.v[16 * i + 8], + blockR.v[16 * i + 9], blockR.v[16 * i + 10], blockR.v[16 * i + 11], + blockR.v[16 * i + 12], blockR.v[16 * i + 13], blockR.v[16 * i + 14], + blockR.v[16 * i + 15]); + } + + /* Apply Blake2 on rows of 64-bit words: (0,1,16,17,...112,113), then + (2,3,18,19,...,114,115).. finally (14,15,30,31,...,126,127) */ + for (i = 0; i < 8; i++) { + BLAKE2_ROUND_NOMSG( + blockR.v[2 * i], blockR.v[2 * i + 1], blockR.v[2 * i + 16], + blockR.v[2 * i + 17], blockR.v[2 * i + 32], blockR.v[2 * i + 33], + blockR.v[2 * i + 48], blockR.v[2 * i + 49], blockR.v[2 * i + 64], + blockR.v[2 * i + 65], blockR.v[2 * i + 80], blockR.v[2 * i + 81], + blockR.v[2 * i + 96], blockR.v[2 * i + 97], blockR.v[2 * i + 112], + blockR.v[2 * i + 113]); + } + + copy_block(next_block, &block_tmp); + xor_block(next_block, &blockR); +} + +static void next_addresses(block *address_block, block *input_block, + const block *zero_block) { + input_block->v[6]++; + fill_block(zero_block, input_block, address_block, 0); + fill_block(zero_block, address_block, address_block, 0); +} + +void fill_segment(const argon2_instance_t *instance, + argon2_position_t position) { + block *ref_block = NULL, *curr_block = NULL; + block address_block, input_block, zero_block; + uint64_t pseudo_rand, ref_index, ref_lane; + uint32_t prev_offset, curr_offset; + uint32_t starting_index; + uint32_t i; + int data_independent_addressing; + + if (instance == NULL) { + return; + } + + data_independent_addressing = + (instance->type == Argon2_i) || + (instance->type == Argon2_id && (position.pass == 0) && + (position.slice < ARGON2_SYNC_POINTS / 2)); + + if (data_independent_addressing) { + init_block_value(&zero_block, 0); + init_block_value(&input_block, 0); + + input_block.v[0] = position.pass; + input_block.v[1] = position.lane; + input_block.v[2] = position.slice; + input_block.v[3] = instance->memory_blocks; + input_block.v[4] = instance->passes; + input_block.v[5] = instance->type; + } + + starting_index = 0; + + if ((0 == position.pass) && (0 == position.slice)) { + starting_index = 2; /* we have already generated the first two blocks */ + + /* Don't forget to generate the first block of addresses: */ + if (data_independent_addressing) { + next_addresses(&address_block, &input_block, &zero_block); + } + } + + /* Offset of the current block */ + curr_offset = position.lane * 
instance->lane_length + + position.slice * instance->segment_length + starting_index; + + if (0 == curr_offset % instance->lane_length) { + /* Last block in this lane */ + prev_offset = curr_offset + instance->lane_length - 1; + } else { + /* Previous block */ + prev_offset = curr_offset - 1; + } + + for (i = starting_index; i < instance->segment_length; + ++i, ++curr_offset, ++prev_offset) { + /*1.1 Rotating prev_offset if needed */ + if (curr_offset % instance->lane_length == 1) { + prev_offset = curr_offset - 1; + } + + /* 1.2 Computing the index of the reference block */ + /* 1.2.1 Taking pseudo-random value from the previous block */ + if (data_independent_addressing) { + if (i % ARGON2_ADDRESSES_IN_BLOCK == 0) { + next_addresses(&address_block, &input_block, &zero_block); + } + pseudo_rand = address_block.v[i % ARGON2_ADDRESSES_IN_BLOCK]; + } else { + pseudo_rand = instance->memory[prev_offset].v[0]; + } + + /* 1.2.2 Computing the lane of the reference block */ + ref_lane = ((pseudo_rand >> 32)) % instance->lanes; + + if ((position.pass == 0) && (position.slice == 0)) { + /* Can not reference other lanes yet */ + ref_lane = position.lane; + } + + /* 1.2.3 Computing the number of possible reference block within the + * lane. + */ + position.index = i; + ref_index = index_alpha(instance, &position, pseudo_rand & 0xFFFFFFFF, + ref_lane == position.lane); + + /* 2 Creating a new block */ + ref_block = + instance->memory + instance->lane_length * ref_lane + ref_index; + curr_block = instance->memory + curr_offset; + if (ARGON2_VERSION_10 == instance->version) { + /* version 1.2.1 and earlier: overwrite, not XOR */ + fill_block(instance->memory + prev_offset, ref_block, curr_block, 0); + } else { + if(0 == position.pass) { + fill_block(instance->memory + prev_offset, ref_block, + curr_block, 0); + } else { + fill_block(instance->memory + prev_offset, ref_block, + curr_block, 1); + } + } + } +} DELETED build/blake2b/Makefile Index: build/blake2b/Makefile ================================================================== --- build/blake2b/Makefile +++ /dev/null @@ -1,27 +0,0 @@ -PREFIX := $(shell pwd)/INST - -all: out/blake2b.c out/blake2.h out/blake2-impl.h - -out/blake2b.c: src/blake2b-ref.c blake2-nacl.c - mkdir -p out - cat src/blake2b-ref.c blake2-nacl.c > out/blake2b.c - -out/blake2.h: src/blake2.h blake2-nacl.h - mkdir -p out - cat src/blake2.h blake2-nacl.h > out/blake2.h - -out/blake2-impl.h: src/blake2-impl.h - mkdir -p out - cp src/blake2-impl.h out - -install: out/blake2b.c out/blake2.h out/blake2-impl.h - mkdir -p '$(PREFIX)' - cp out/blake2b.c out/blake2.h out/blake2-impl.h '$(PREFIX)' - -clean: - rm -f out/blake2b.c out/blake2.h out/blake2-impl.h - -rmdir out - -distclean: clean - -.PHONY: all install clean distclean DELETED build/blake2b/blake2-nacl.c Index: build/blake2b/blake2-nacl.c ================================================================== --- build/blake2b/blake2-nacl.c +++ /dev/null @@ -1,6 +0,0 @@ -#if defined(NACL_ED25519_BLAKE2B) -int crypto_hash_blake2b( unsigned char *out, const unsigned char *in, unsigned long long inlen ) -{ - return blake2b( out, BLAKE2B_OUTBYTES, in, inlen, NULL, 0 ); -} -#endif DELETED build/blake2b/blake2-nacl.h Index: build/blake2b/blake2-nacl.h ================================================================== --- build/blake2b/blake2-nacl.h +++ /dev/null @@ -1,20 +0,0 @@ -#if defined(NACL_ED25519_BLAKE2B) -#ifndef BLAKE2_NACL_H -#define BLAKE2_NACL_H 1 -#define crypto_hash_PRIMITIVE "blake2b" -#define crypto_hash_BYTES 
crypto_hash_blake2b_BYTES -#define crypto_hash_IMPLEMENTATION crypto_hash_blake2b_IMPLEMENTATION -#define crypto_hash_VERSION crypto_hash_blake2b_VERSION -#define crypto_hash_blake2b_BYTES 64 -#define crypto_hash_blake2b_VERSION "-" -#define crypto_hash_blake2b_IMPLEMENTATION "blake2b-ref" -#define crypto_hash crypto_hash_blake2b -#if defined(__cplusplus) -extern "C" { -#endif -int crypto_hash_blake2b(unsigned char *,const unsigned char *,unsigned long long); -#if defined(__cplusplus) -} -#endif -#endif -#endif DELETED build/blake2b/src/blake2-impl.h Index: build/blake2b/src/blake2-impl.h ================================================================== --- build/blake2b/src/blake2-impl.h +++ /dev/null @@ -1,160 +0,0 @@ -/* - BLAKE2 reference source code package - reference C implementations - - Copyright 2012, Samuel Neves . You may use this under the - terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at - your option. The terms of these licenses can be found at: - - - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 - - OpenSSL license : https://www.openssl.org/source/license.html - - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 - - More information about the BLAKE2 hash function can be found at - https://blake2.net. -*/ -#ifndef BLAKE2_IMPL_H -#define BLAKE2_IMPL_H - -#include -#include - -#if !defined(__cplusplus) && (!defined(__STDC_VERSION__) || __STDC_VERSION__ < 199901L) - #if defined(_MSC_VER) - #define BLAKE2_INLINE __inline - #elif defined(__GNUC__) - #define BLAKE2_INLINE __inline__ - #else - #define BLAKE2_INLINE - #endif -#else - #define BLAKE2_INLINE inline -#endif - -static BLAKE2_INLINE uint32_t load32( const void *src ) -{ -#if defined(NATIVE_LITTLE_ENDIAN) - uint32_t w; - memcpy(&w, src, sizeof w); - return w; -#else - const uint8_t *p = ( const uint8_t * )src; - return (( uint32_t )( p[0] ) << 0) | - (( uint32_t )( p[1] ) << 8) | - (( uint32_t )( p[2] ) << 16) | - (( uint32_t )( p[3] ) << 24) ; -#endif -} - -static BLAKE2_INLINE uint64_t load64( const void *src ) -{ -#if defined(NATIVE_LITTLE_ENDIAN) - uint64_t w; - memcpy(&w, src, sizeof w); - return w; -#else - const uint8_t *p = ( const uint8_t * )src; - return (( uint64_t )( p[0] ) << 0) | - (( uint64_t )( p[1] ) << 8) | - (( uint64_t )( p[2] ) << 16) | - (( uint64_t )( p[3] ) << 24) | - (( uint64_t )( p[4] ) << 32) | - (( uint64_t )( p[5] ) << 40) | - (( uint64_t )( p[6] ) << 48) | - (( uint64_t )( p[7] ) << 56) ; -#endif -} - -static BLAKE2_INLINE uint16_t load16( const void *src ) -{ -#if defined(NATIVE_LITTLE_ENDIAN) - uint16_t w; - memcpy(&w, src, sizeof w); - return w; -#else - const uint8_t *p = ( const uint8_t * )src; - return (( uint16_t )( p[0] ) << 0) | - (( uint16_t )( p[1] ) << 8) ; -#endif -} - -static BLAKE2_INLINE void store16( void *dst, uint16_t w ) -{ -#if defined(NATIVE_LITTLE_ENDIAN) - memcpy(dst, &w, sizeof w); -#else - uint8_t *p = ( uint8_t * )dst; - *p++ = ( uint8_t )w; w >>= 8; - *p++ = ( uint8_t )w; -#endif -} - -static BLAKE2_INLINE void store32( void *dst, uint32_t w ) -{ -#if defined(NATIVE_LITTLE_ENDIAN) - memcpy(dst, &w, sizeof w); -#else - uint8_t *p = ( uint8_t * )dst; - p[0] = (uint8_t)(w >> 0); - p[1] = (uint8_t)(w >> 8); - p[2] = (uint8_t)(w >> 16); - p[3] = (uint8_t)(w >> 24); -#endif -} - -static BLAKE2_INLINE void store64( void *dst, uint64_t w ) -{ -#if defined(NATIVE_LITTLE_ENDIAN) - memcpy(dst, &w, sizeof w); -#else - uint8_t *p = ( uint8_t * )dst; - p[0] = (uint8_t)(w >> 0); - p[1] = (uint8_t)(w >> 8); - p[2] = 
(uint8_t)(w >> 16); - p[3] = (uint8_t)(w >> 24); - p[4] = (uint8_t)(w >> 32); - p[5] = (uint8_t)(w >> 40); - p[6] = (uint8_t)(w >> 48); - p[7] = (uint8_t)(w >> 56); -#endif -} - -static BLAKE2_INLINE uint64_t load48( const void *src ) -{ - const uint8_t *p = ( const uint8_t * )src; - return (( uint64_t )( p[0] ) << 0) | - (( uint64_t )( p[1] ) << 8) | - (( uint64_t )( p[2] ) << 16) | - (( uint64_t )( p[3] ) << 24) | - (( uint64_t )( p[4] ) << 32) | - (( uint64_t )( p[5] ) << 40) ; -} - -static BLAKE2_INLINE void store48( void *dst, uint64_t w ) -{ - uint8_t *p = ( uint8_t * )dst; - p[0] = (uint8_t)(w >> 0); - p[1] = (uint8_t)(w >> 8); - p[2] = (uint8_t)(w >> 16); - p[3] = (uint8_t)(w >> 24); - p[4] = (uint8_t)(w >> 32); - p[5] = (uint8_t)(w >> 40); -} - -static BLAKE2_INLINE uint32_t rotr32( const uint32_t w, const unsigned c ) -{ - return ( w >> c ) | ( w << ( 32 - c ) ); -} - -static BLAKE2_INLINE uint64_t rotr64( const uint64_t w, const unsigned c ) -{ - return ( w >> c ) | ( w << ( 64 - c ) ); -} - -/* prevents compiler optimizing out memset() */ -static BLAKE2_INLINE void secure_zero_memory(void *v, size_t n) -{ - static void *(*const volatile memset_v)(void *, int, size_t) = &memset; - memset_v(v, 0, n); -} - -#endif DELETED build/blake2b/src/blake2.h Index: build/blake2b/src/blake2.h ================================================================== --- build/blake2b/src/blake2.h +++ /dev/null @@ -1,195 +0,0 @@ -/* - BLAKE2 reference source code package - reference C implementations - - Copyright 2012, Samuel Neves . You may use this under the - terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at - your option. The terms of these licenses can be found at: - - - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 - - OpenSSL license : https://www.openssl.org/source/license.html - - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 - - More information about the BLAKE2 hash function can be found at - https://blake2.net. 
-*/ -#ifndef BLAKE2_H -#define BLAKE2_H - -#include -#include - -#if defined(_MSC_VER) -#define BLAKE2_PACKED(x) __pragma(pack(push, 1)) x __pragma(pack(pop)) -#else -#define BLAKE2_PACKED(x) x __attribute__((packed)) -#endif - -#if defined(__cplusplus) -extern "C" { -#endif - - enum blake2s_constant - { - BLAKE2S_BLOCKBYTES = 64, - BLAKE2S_OUTBYTES = 32, - BLAKE2S_KEYBYTES = 32, - BLAKE2S_SALTBYTES = 8, - BLAKE2S_PERSONALBYTES = 8 - }; - - enum blake2b_constant - { - BLAKE2B_BLOCKBYTES = 128, - BLAKE2B_OUTBYTES = 64, - BLAKE2B_KEYBYTES = 64, - BLAKE2B_SALTBYTES = 16, - BLAKE2B_PERSONALBYTES = 16 - }; - - typedef struct blake2s_state__ - { - uint32_t h[8]; - uint32_t t[2]; - uint32_t f[2]; - uint8_t buf[BLAKE2S_BLOCKBYTES]; - size_t buflen; - size_t outlen; - uint8_t last_node; - } blake2s_state; - - typedef struct blake2b_state__ - { - uint64_t h[8]; - uint64_t t[2]; - uint64_t f[2]; - uint8_t buf[BLAKE2B_BLOCKBYTES]; - size_t buflen; - size_t outlen; - uint8_t last_node; - } blake2b_state; - - typedef struct blake2sp_state__ - { - blake2s_state S[8][1]; - blake2s_state R[1]; - uint8_t buf[8 * BLAKE2S_BLOCKBYTES]; - size_t buflen; - size_t outlen; - } blake2sp_state; - - typedef struct blake2bp_state__ - { - blake2b_state S[4][1]; - blake2b_state R[1]; - uint8_t buf[4 * BLAKE2B_BLOCKBYTES]; - size_t buflen; - size_t outlen; - } blake2bp_state; - - - BLAKE2_PACKED(struct blake2s_param__ - { - uint8_t digest_length; /* 1 */ - uint8_t key_length; /* 2 */ - uint8_t fanout; /* 3 */ - uint8_t depth; /* 4 */ - uint32_t leaf_length; /* 8 */ - uint32_t node_offset; /* 12 */ - uint16_t xof_length; /* 14 */ - uint8_t node_depth; /* 15 */ - uint8_t inner_length; /* 16 */ - /* uint8_t reserved[0]; */ - uint8_t salt[BLAKE2S_SALTBYTES]; /* 24 */ - uint8_t personal[BLAKE2S_PERSONALBYTES]; /* 32 */ - }); - - typedef struct blake2s_param__ blake2s_param; - - BLAKE2_PACKED(struct blake2b_param__ - { - uint8_t digest_length; /* 1 */ - uint8_t key_length; /* 2 */ - uint8_t fanout; /* 3 */ - uint8_t depth; /* 4 */ - uint32_t leaf_length; /* 8 */ - uint32_t node_offset; /* 12 */ - uint32_t xof_length; /* 16 */ - uint8_t node_depth; /* 17 */ - uint8_t inner_length; /* 18 */ - uint8_t reserved[14]; /* 32 */ - uint8_t salt[BLAKE2B_SALTBYTES]; /* 48 */ - uint8_t personal[BLAKE2B_PERSONALBYTES]; /* 64 */ - }); - - typedef struct blake2b_param__ blake2b_param; - - typedef struct blake2xs_state__ - { - blake2s_state S[1]; - blake2s_param P[1]; - } blake2xs_state; - - typedef struct blake2xb_state__ - { - blake2b_state S[1]; - blake2b_param P[1]; - } blake2xb_state; - - /* Padded structs result in a compile-time error */ - enum { - BLAKE2_DUMMY_1 = 1/(sizeof(blake2s_param) == BLAKE2S_OUTBYTES), - BLAKE2_DUMMY_2 = 1/(sizeof(blake2b_param) == BLAKE2B_OUTBYTES) - }; - - /* Streaming API */ - int blake2s_init( blake2s_state *S, size_t outlen ); - int blake2s_init_key( blake2s_state *S, size_t outlen, const void *key, size_t keylen ); - int blake2s_init_param( blake2s_state *S, const blake2s_param *P ); - int blake2s_update( blake2s_state *S, const void *in, size_t inlen ); - int blake2s_final( blake2s_state *S, void *out, size_t outlen ); - - int blake2b_init( blake2b_state *S, size_t outlen ); - int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen ); - int blake2b_init_param( blake2b_state *S, const blake2b_param *P ); - int blake2b_update( blake2b_state *S, const void *in, size_t inlen ); - int blake2b_final( blake2b_state *S, void *out, size_t outlen ); - - int blake2sp_init( 
blake2sp_state *S, size_t outlen ); - int blake2sp_init_key( blake2sp_state *S, size_t outlen, const void *key, size_t keylen ); - int blake2sp_update( blake2sp_state *S, const void *in, size_t inlen ); - int blake2sp_final( blake2sp_state *S, void *out, size_t outlen ); - - int blake2bp_init( blake2bp_state *S, size_t outlen ); - int blake2bp_init_key( blake2bp_state *S, size_t outlen, const void *key, size_t keylen ); - int blake2bp_update( blake2bp_state *S, const void *in, size_t inlen ); - int blake2bp_final( blake2bp_state *S, void *out, size_t outlen ); - - /* Variable output length API */ - int blake2xs_init( blake2xs_state *S, const size_t outlen ); - int blake2xs_init_key( blake2xs_state *S, const size_t outlen, const void *key, size_t keylen ); - int blake2xs_update( blake2xs_state *S, const void *in, size_t inlen ); - int blake2xs_final(blake2xs_state *S, void *out, size_t outlen); - - int blake2xb_init( blake2xb_state *S, const size_t outlen ); - int blake2xb_init_key( blake2xb_state *S, const size_t outlen, const void *key, size_t keylen ); - int blake2xb_update( blake2xb_state *S, const void *in, size_t inlen ); - int blake2xb_final(blake2xb_state *S, void *out, size_t outlen); - - /* Simple API */ - int blake2s( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ); - int blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ); - - int blake2sp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ); - int blake2bp( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ); - - int blake2xs( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ); - int blake2xb( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ); - - /* This is simply an alias for blake2b */ - int blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ); - -#if defined(__cplusplus) -} -#endif - -#endif DELETED build/blake2b/src/blake2b-ref.c Index: build/blake2b/src/blake2b-ref.c ================================================================== --- build/blake2b/src/blake2b-ref.c +++ /dev/null @@ -1,379 +0,0 @@ -/* - BLAKE2 reference source code package - reference C implementations - - Copyright 2012, Samuel Neves . You may use this under the - terms of the CC0, the OpenSSL Licence, or the Apache Public License 2.0, at - your option. The terms of these licenses can be found at: - - - CC0 1.0 Universal : http://creativecommons.org/publicdomain/zero/1.0 - - OpenSSL license : https://www.openssl.org/source/license.html - - Apache 2.0 : http://www.apache.org/licenses/LICENSE-2.0 - - More information about the BLAKE2 hash function can be found at - https://blake2.net. 
-*/ - -#include -#include -#include - -#include "blake2.h" -#include "blake2-impl.h" - -static const uint64_t blake2b_IV[8] = -{ - 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, - 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, - 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, - 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL -}; - -static const uint8_t blake2b_sigma[12][16] = -{ - { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , - { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } , - { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } , - { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } , - { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } , - { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } , - { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } , - { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } , - { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } , - { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } , - { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } , - { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } -}; - - -static void blake2b_set_lastnode( blake2b_state *S ) -{ - S->f[1] = (uint64_t)-1; -} - -/* Some helper functions, not necessarily useful */ -static int blake2b_is_lastblock( const blake2b_state *S ) -{ - return S->f[0] != 0; -} - -static void blake2b_set_lastblock( blake2b_state *S ) -{ - if( S->last_node ) blake2b_set_lastnode( S ); - - S->f[0] = (uint64_t)-1; -} - -static void blake2b_increment_counter( blake2b_state *S, const uint64_t inc ) -{ - S->t[0] += inc; - S->t[1] += ( S->t[0] < inc ); -} - -static void blake2b_init0( blake2b_state *S ) -{ - size_t i; - memset( S, 0, sizeof( blake2b_state ) ); - - for( i = 0; i < 8; ++i ) S->h[i] = blake2b_IV[i]; -} - -/* init xors IV with input parameter block */ -int blake2b_init_param( blake2b_state *S, const blake2b_param *P ) -{ - const uint8_t *p = ( const uint8_t * )( P ); - size_t i; - - blake2b_init0( S ); - - /* IV XOR ParamBlock */ - for( i = 0; i < 8; ++i ) - S->h[i] ^= load64( p + sizeof( S->h[i] ) * i ); - - S->outlen = P->digest_length; - return 0; -} - - - -int blake2b_init( blake2b_state *S, size_t outlen ) -{ - blake2b_param P[1]; - - if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1; - - P->digest_length = (uint8_t)outlen; - P->key_length = 0; - P->fanout = 1; - P->depth = 1; - store32( &P->leaf_length, 0 ); - store32( &P->node_offset, 0 ); - store32( &P->xof_length, 0 ); - P->node_depth = 0; - P->inner_length = 0; - memset( P->reserved, 0, sizeof( P->reserved ) ); - memset( P->salt, 0, sizeof( P->salt ) ); - memset( P->personal, 0, sizeof( P->personal ) ); - return blake2b_init_param( S, P ); -} - - -int blake2b_init_key( blake2b_state *S, size_t outlen, const void *key, size_t keylen ) -{ - blake2b_param P[1]; - - if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) return -1; - - if ( !key || !keylen || keylen > BLAKE2B_KEYBYTES ) return -1; - - P->digest_length = (uint8_t)outlen; - P->key_length = (uint8_t)keylen; - P->fanout = 1; - P->depth = 1; - store32( &P->leaf_length, 0 ); - store32( &P->node_offset, 0 ); - store32( &P->xof_length, 0 ); - P->node_depth = 0; - P->inner_length = 0; - memset( P->reserved, 0, sizeof( P->reserved ) ); - memset( P->salt, 0, sizeof( P->salt ) ); - memset( P->personal, 0, sizeof( P->personal ) ); - - if( blake2b_init_param( S, P ) < 0 ) return -1; - - { - uint8_t block[BLAKE2B_BLOCKBYTES]; - memset( block, 0, BLAKE2B_BLOCKBYTES ); - memcpy( block, key, keylen ); - blake2b_update( S, 
block, BLAKE2B_BLOCKBYTES ); - secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */ - } - return 0; -} - -#define G(r,i,a,b,c,d) \ - do { \ - a = a + b + m[blake2b_sigma[r][2*i+0]]; \ - d = rotr64(d ^ a, 32); \ - c = c + d; \ - b = rotr64(b ^ c, 24); \ - a = a + b + m[blake2b_sigma[r][2*i+1]]; \ - d = rotr64(d ^ a, 16); \ - c = c + d; \ - b = rotr64(b ^ c, 63); \ - } while(0) - -#define ROUND(r) \ - do { \ - G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \ - G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \ - G(r,2,v[ 2],v[ 6],v[10],v[14]); \ - G(r,3,v[ 3],v[ 7],v[11],v[15]); \ - G(r,4,v[ 0],v[ 5],v[10],v[15]); \ - G(r,5,v[ 1],v[ 6],v[11],v[12]); \ - G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \ - G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \ - } while(0) - -static void blake2b_compress( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] ) -{ - uint64_t m[16]; - uint64_t v[16]; - size_t i; - - for( i = 0; i < 16; ++i ) { - m[i] = load64( block + i * sizeof( m[i] ) ); - } - - for( i = 0; i < 8; ++i ) { - v[i] = S->h[i]; - } - - v[ 8] = blake2b_IV[0]; - v[ 9] = blake2b_IV[1]; - v[10] = blake2b_IV[2]; - v[11] = blake2b_IV[3]; - v[12] = blake2b_IV[4] ^ S->t[0]; - v[13] = blake2b_IV[5] ^ S->t[1]; - v[14] = blake2b_IV[6] ^ S->f[0]; - v[15] = blake2b_IV[7] ^ S->f[1]; - - ROUND( 0 ); - ROUND( 1 ); - ROUND( 2 ); - ROUND( 3 ); - ROUND( 4 ); - ROUND( 5 ); - ROUND( 6 ); - ROUND( 7 ); - ROUND( 8 ); - ROUND( 9 ); - ROUND( 10 ); - ROUND( 11 ); - - for( i = 0; i < 8; ++i ) { - S->h[i] = S->h[i] ^ v[i] ^ v[i + 8]; - } -} - -#undef G -#undef ROUND - -int blake2b_update( blake2b_state *S, const void *pin, size_t inlen ) -{ - const unsigned char * in = (const unsigned char *)pin; - if( inlen > 0 ) - { - size_t left = S->buflen; - size_t fill = BLAKE2B_BLOCKBYTES - left; - if( inlen > fill ) - { - S->buflen = 0; - memcpy( S->buf + left, in, fill ); /* Fill buffer */ - blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES ); - blake2b_compress( S, S->buf ); /* Compress */ - in += fill; inlen -= fill; - while(inlen > BLAKE2B_BLOCKBYTES) { - blake2b_increment_counter(S, BLAKE2B_BLOCKBYTES); - blake2b_compress( S, in ); - in += BLAKE2B_BLOCKBYTES; - inlen -= BLAKE2B_BLOCKBYTES; - } - } - memcpy( S->buf + S->buflen, in, inlen ); - S->buflen += inlen; - } - return 0; -} - -int blake2b_final( blake2b_state *S, void *out, size_t outlen ) -{ - uint8_t buffer[BLAKE2B_OUTBYTES] = {0}; - size_t i; - - if( out == NULL || outlen < S->outlen ) - return -1; - - if( blake2b_is_lastblock( S ) ) - return -1; - - blake2b_increment_counter( S, S->buflen ); - blake2b_set_lastblock( S ); - memset( S->buf + S->buflen, 0, BLAKE2B_BLOCKBYTES - S->buflen ); /* Padding */ - blake2b_compress( S, S->buf ); - - for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */ - store64( buffer + sizeof( S->h[i] ) * i, S->h[i] ); - - memcpy( out, buffer, S->outlen ); - secure_zero_memory(buffer, sizeof(buffer)); - return 0; -} - -/* inlen, at least, should be uint64_t. Others can be size_t. 
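This deleted reference code exposes the same incremental interface (blake2b_init / blake2b_update / blake2b_final) that initial_hash() in the Argon2 core added earlier in this commit relies on. A minimal usage sketch (not part of the commit), assuming only the prototypes from the blake2.h shown above:

    #include <stdint.h>
    #include <stdio.h>
    #include "blake2.h"   /* blake2b_state and the init/update/final prototypes */

    int main(void) {
        blake2b_state S;
        uint8_t digest[64];               /* BLAKE2B_OUTBYTES */
        const uint8_t msg[] = "example";
        size_t i;

        if (blake2b_init(&S, sizeof(digest)) < 0) return 1;
        blake2b_update(&S, msg, sizeof(msg) - 1);
        if (blake2b_final(&S, digest, sizeof(digest)) < 0) return 1;

        for (i = 0; i < sizeof(digest); i++)
            printf("%02x", digest[i]);
        printf("\n");
        return 0;
    }

initial_hash() follows the same init/update/final pattern, using ARGON2_PREHASH_DIGEST_LENGTH (64 bytes) as the output size.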
*/ -int blake2b( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) -{ - blake2b_state S[1]; - - /* Verify parameters */ - if ( NULL == in && inlen > 0 ) return -1; - - if ( NULL == out ) return -1; - - if( NULL == key && keylen > 0 ) return -1; - - if( !outlen || outlen > BLAKE2B_OUTBYTES ) return -1; - - if( keylen > BLAKE2B_KEYBYTES ) return -1; - - if( keylen > 0 ) - { - if( blake2b_init_key( S, outlen, key, keylen ) < 0 ) return -1; - } - else - { - if( blake2b_init( S, outlen ) < 0 ) return -1; - } - - blake2b_update( S, ( const uint8_t * )in, inlen ); - blake2b_final( S, out, outlen ); - return 0; -} - -int blake2( void *out, size_t outlen, const void *in, size_t inlen, const void *key, size_t keylen ) { - return blake2b(out, outlen, in, inlen, key, keylen); -} - -#if defined(SUPERCOP) -int crypto_hash( unsigned char *out, unsigned char *in, unsigned long long inlen ) -{ - return blake2b( out, BLAKE2B_OUTBYTES, in, inlen, NULL, 0 ); -} -#endif - -#if defined(BLAKE2B_SELFTEST) -#include -#include "blake2-kat.h" -int main( void ) -{ - uint8_t key[BLAKE2B_KEYBYTES]; - uint8_t buf[BLAKE2_KAT_LENGTH]; - size_t i, step; - - for( i = 0; i < BLAKE2B_KEYBYTES; ++i ) - key[i] = ( uint8_t )i; - - for( i = 0; i < BLAKE2_KAT_LENGTH; ++i ) - buf[i] = ( uint8_t )i; - - /* Test simple API */ - for( i = 0; i < BLAKE2_KAT_LENGTH; ++i ) - { - uint8_t hash[BLAKE2B_OUTBYTES]; - blake2b( hash, BLAKE2B_OUTBYTES, buf, i, key, BLAKE2B_KEYBYTES ); - - if( 0 != memcmp( hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES ) ) - { - goto fail; - } - } - - /* Test streaming API */ - for(step = 1; step < BLAKE2B_BLOCKBYTES; ++step) { - for (i = 0; i < BLAKE2_KAT_LENGTH; ++i) { - uint8_t hash[BLAKE2B_OUTBYTES]; - blake2b_state S; - uint8_t * p = buf; - size_t mlen = i; - int err = 0; - - if( (err = blake2b_init_key(&S, BLAKE2B_OUTBYTES, key, BLAKE2B_KEYBYTES)) < 0 ) { - goto fail; - } - - while (mlen >= step) { - if ( (err = blake2b_update(&S, p, step)) < 0 ) { - goto fail; - } - mlen -= step; - p += step; - } - if ( (err = blake2b_update(&S, p, mlen)) < 0) { - goto fail; - } - if ( (err = blake2b_final(&S, hash, BLAKE2B_OUTBYTES)) < 0) { - goto fail; - } - - if (0 != memcmp(hash, blake2b_keyed_kat[i], BLAKE2B_OUTBYTES)) { - goto fail; - } - } - } - - puts( "ok" ); - return 0; -fail: - puts("error"); - return -1; -} -#endif DELETED build/tweetnacl/Makefile Index: build/tweetnacl/Makefile ================================================================== --- build/tweetnacl/Makefile +++ /dev/null @@ -1,39 +0,0 @@ -PREFIX := $(shell pwd)/INST - -all: out/tweetnacl.c out/tweetnacl.h - -tweetnacl.h.new: src/tweetnacl.h - rm -f tweetnacl.h.new tweetnacl.h - cp src/tweetnacl.h tweetnacl.h.new - -tweetnacl.c.new: src/tweetnacl.c - rm -f tweetnacl.c.new tweetnacl.c - cp src/tweetnacl.c tweetnacl.c.new - -out/tweetnacl.c: tweetnacl.c.new tweetnacl.h.new patches/tweetnacl-ed25519blake2b.diff patches/tweetnacl-derivepubkey.diff - mkdir -p out - rm -f tweetnacl.c tweetnacl.h - patch -p1 < patches/tweetnacl-ed25519blake2b.diff || ( rm -f tweetnacl.c.new tweetnacl.h.new; exit 1 ) - patch -p1 < patches/tweetnacl-derivepubkey.diff || ( rm -f tweetnacl.c.new tweetnacl.h.new; exit 1 ) - rm -f tweetnacl.c.new.orig tweetnacl.h.new.orig - mv tweetnacl.h.new tweetnacl.h - mv tweetnacl.c.new tweetnacl.c - mv tweetnacl.c out - -out/tweetnacl.h: out/tweetnacl.c - mv tweetnacl.h out - -install: out/tweetnacl.c out/tweetnacl.h - mkdir -p '$(PREFIX)' - cp out/tweetnacl.c out/tweetnacl.h '$(PREFIX)' - -clean: - 
rm -f tweetnacl.c.new.orig tweetnacl.h.new.orig - rm -f tweetnacl.h.new tweetnacl.h - rm -f tweetnacl.c.new tweetnacl.c - rm -f out/tweetnacl.c out/tweetnacl.h - -rmdir out - -distclean: clean - -.PHONY: all install clean distclean DELETED build/tweetnacl/patches/tweetnacl-derivepubkey.diff Index: build/tweetnacl/patches/tweetnacl-derivepubkey.diff ================================================================== --- build/tweetnacl/patches/tweetnacl-derivepubkey.diff +++ /dev/null @@ -1,44 +0,0 @@ -diff -uNr a/tweetnacl.c.new b/tweetnacl.c.new ---- a/tweetnacl.c.new 2018-07-01 15:49:55.377820017 -0500 -+++ b/tweetnacl.c.new 2018-07-02 00:47:35.564231900 -0500 -@@ -653,13 +653,15 @@ - scalarmult(p,q,s); - } - --int crypto_sign_keypair(u8 *pk, u8 *sk) -+int crypto_sign_keypair(u8 *pk, u8 *sk, u8 generate_sk) - { - u8 d[64]; - gf p[4]; - int i; - -- randombytes(sk, 32); -+ if (generate_sk) { -+ randombytes(sk, 32); -+ } - crypto_hash(d, sk, 32); - d[0] &= 248; - d[31] &= 127; -@@ -668,7 +670,9 @@ - scalarbase(p,d); - pack(pk,p); - -- FOR(i,32) sk[32 + i] = pk[i]; -+ if (generate_sk) { -+ FOR(i,32) sk[32 + i] = pk[i]; -+ } - return 0; - } - -diff -uNr a/tweetnacl.h.new b/tweetnacl.h.new ---- a/tweetnacl.h.new 2018-07-01 15:49:55.377820017 -0500 -+++ b/tweetnacl.h.new 2018-07-02 00:47:06.814232424 -0500 -@@ -211,7 +211,7 @@ - #define crypto_sign_ed25519_tweet_SECRETKEYBYTES 64 - extern int crypto_sign_ed25519_tweet(unsigned char *,unsigned long long *,const unsigned char *,unsigned long long,const unsigned char *); - extern int crypto_sign_ed25519_tweet_open(unsigned char *,unsigned long long *,const unsigned char *,unsigned long long,const unsigned char *); --extern int crypto_sign_ed25519_tweet_keypair(unsigned char *,unsigned char *); -+extern int crypto_sign_ed25519_tweet_keypair(unsigned char *,unsigned char *, unsigned char); - #define crypto_sign_ed25519_tweet_VERSION "-" - #define crypto_sign_ed25519 crypto_sign_ed25519_tweet - #define crypto_sign_ed25519_open crypto_sign_ed25519_tweet_open DELETED build/tweetnacl/patches/tweetnacl-ed25519blake2b.diff Index: build/tweetnacl/patches/tweetnacl-ed25519blake2b.diff ================================================================== --- build/tweetnacl/patches/tweetnacl-ed25519blake2b.diff +++ /dev/null @@ -1,65 +0,0 @@ ---- a/tweetnacl.c.new -+++ b/tweetnacl.c.new -@@ -32,12 +32,14 @@ - return (u<<8)|x[0]; - } - -+#ifndef NACL_ED25519_BLAKE2B - static u64 dl64(const u8 *x) - { - u64 i,u=0; - FOR(i,8) u=(u<<8)|x[i]; - return u; - } -+#endif - - sv st32(u8 *x,u32 u) - { -@@ -45,11 +47,13 @@ - FOR(i,4) { x[i] = u; u >>= 8; } - } - -+#ifndef NACL_ED25519_BLAKE2B - sv ts64(u8 *x,u64 u) - { - int i; - for (i = 7;i >= 0;--i) { x[i] = u; u >>= 8; } - } -+#endif - - static int vn(const u8 *x,const u8 *y,int n) - { -@@ -484,6 +488,7 @@ - return crypto_box_open_afternm(m,c,d,n,k); - } - -+#ifndef NACL_ED25519_BLAKE2B - static u64 R(u64 x,int c) { return (x >> c) | (x << (64 - c)); } - static u64 Ch(u64 x,u64 y,u64 z) { return (x & y) ^ (~x & z); } - static u64 Maj(u64 x,u64 y,u64 z) { return (x & y) ^ (x & z) ^ (y & z); } -@@ -584,6 +589,7 @@ - - return 0; - } -+#endif - - sv add(gf p[4],gf q[4]) - { ---- a/tweetnacl.h.new -+++ b/tweetnacl.h.new -@@ -118,11 +118,15 @@ - #define crypto_hashblocks_sha256_BLOCKBYTES crypto_hashblocks_sha256_tweet_BLOCKBYTES - #define crypto_hashblocks_sha256_VERSION crypto_hashblocks_sha256_tweet_VERSION - #define crypto_hashblocks_sha256_IMPLEMENTATION "crypto_hashblocks/sha256/tweet" -+#ifndef NACL_ED25519_BLAKE2B - 
#define crypto_hash_PRIMITIVE "sha512" - #define crypto_hash crypto_hash_sha512 - #define crypto_hash_BYTES crypto_hash_sha512_BYTES - #define crypto_hash_IMPLEMENTATION crypto_hash_sha512_IMPLEMENTATION - #define crypto_hash_VERSION crypto_hash_sha512_VERSION -+#else -+#include "blake2.h" -+#endif - #define crypto_hash_sha512_tweet_BYTES 64 - extern int crypto_hash_sha512_tweet(unsigned char *,const unsigned char *,unsigned long long); - #define crypto_hash_sha512_tweet_VERSION "-" DELETED build/tweetnacl/src/tweetnacl.c Index: build/tweetnacl/src/tweetnacl.c ================================================================== --- build/tweetnacl/src/tweetnacl.c +++ /dev/null @@ -1,809 +0,0 @@ -#include "tweetnacl.h" -#define FOR(i,n) for (i = 0;i < n;++i) -#define sv static void - -typedef unsigned char u8; -typedef unsigned long u32; -typedef unsigned long long u64; -typedef long long i64; -typedef i64 gf[16]; -extern void randombytes(u8 *,u64); - -static const u8 - _0[16], - _9[32] = {9}; -static const gf - gf0, - gf1 = {1}, - _121665 = {0xDB41,1}, - D = {0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203}, - D2 = {0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130, 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406}, - X = {0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c, 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169}, - Y = {0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666}, - I = {0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83}; - -static u32 L32(u32 x,int c) { return (x << c) | ((x&0xffffffff) >> (32 - c)); } - -static u32 ld32(const u8 *x) -{ - u32 u = x[3]; - u = (u<<8)|x[2]; - u = (u<<8)|x[1]; - return (u<<8)|x[0]; -} - -static u64 dl64(const u8 *x) -{ - u64 i,u=0; - FOR(i,8) u=(u<<8)|x[i]; - return u; -} - -sv st32(u8 *x,u32 u) -{ - int i; - FOR(i,4) { x[i] = u; u >>= 8; } -} - -sv ts64(u8 *x,u64 u) -{ - int i; - for (i = 7;i >= 0;--i) { x[i] = u; u >>= 8; } -} - -static int vn(const u8 *x,const u8 *y,int n) -{ - u32 i,d = 0; - FOR(i,n) d |= x[i]^y[i]; - return (1 & ((d - 1) >> 8)) - 1; -} - -int crypto_verify_16(const u8 *x,const u8 *y) -{ - return vn(x,y,16); -} - -int crypto_verify_32(const u8 *x,const u8 *y) -{ - return vn(x,y,32); -} - -sv core(u8 *out,const u8 *in,const u8 *k,const u8 *c,int h) -{ - u32 w[16],x[16],y[16],t[4]; - int i,j,m; - - FOR(i,4) { - x[5*i] = ld32(c+4*i); - x[1+i] = ld32(k+4*i); - x[6+i] = ld32(in+4*i); - x[11+i] = ld32(k+16+4*i); - } - - FOR(i,16) y[i] = x[i]; - - FOR(i,20) { - FOR(j,4) { - FOR(m,4) t[m] = x[(5*j+4*m)%16]; - t[1] ^= L32(t[0]+t[3], 7); - t[2] ^= L32(t[1]+t[0], 9); - t[3] ^= L32(t[2]+t[1],13); - t[0] ^= L32(t[3]+t[2],18); - FOR(m,4) w[4*j+(j+m)%4] = t[m]; - } - FOR(m,16) x[m] = w[m]; - } - - if (h) { - FOR(i,16) x[i] += y[i]; - FOR(i,4) { - x[5*i] -= ld32(c+4*i); - x[6+i] -= ld32(in+4*i); - } - FOR(i,4) { - st32(out+4*i,x[5*i]); - st32(out+16+4*i,x[6+i]); - } - } else - FOR(i,16) st32(out + 4 * i,x[i] + y[i]); -} - -int crypto_core_salsa20(u8 *out,const u8 *in,const u8 *k,const u8 *c) -{ - core(out,in,k,c,0); - return 0; -} - -int crypto_core_hsalsa20(u8 *out,const u8 *in,const u8 *k,const u8 *c) -{ - core(out,in,k,c,1); - return 0; -} - -static const u8 sigma[16] = "expand 32-byte k"; - -int crypto_stream_salsa20_xor(u8 *c,const u8 *m,u64 b,const u8 
*n,const u8 *k) -{ - u8 z[16],x[64]; - u32 u,i; - if (!b) return 0; - FOR(i,16) z[i] = 0; - FOR(i,8) z[i] = n[i]; - while (b >= 64) { - crypto_core_salsa20(x,z,k,sigma); - FOR(i,64) c[i] = (m?m[i]:0) ^ x[i]; - u = 1; - for (i = 8;i < 16;++i) { - u += (u32) z[i]; - z[i] = u; - u >>= 8; - } - b -= 64; - c += 64; - if (m) m += 64; - } - if (b) { - crypto_core_salsa20(x,z,k,sigma); - FOR(i,b) c[i] = (m?m[i]:0) ^ x[i]; - } - return 0; -} - -int crypto_stream_salsa20(u8 *c,u64 d,const u8 *n,const u8 *k) -{ - return crypto_stream_salsa20_xor(c,0,d,n,k); -} - -int crypto_stream(u8 *c,u64 d,const u8 *n,const u8 *k) -{ - u8 s[32]; - crypto_core_hsalsa20(s,n,k,sigma); - return crypto_stream_salsa20(c,d,n+16,s); -} - -int crypto_stream_xor(u8 *c,const u8 *m,u64 d,const u8 *n,const u8 *k) -{ - u8 s[32]; - crypto_core_hsalsa20(s,n,k,sigma); - return crypto_stream_salsa20_xor(c,m,d,n+16,s); -} - -sv add1305(u32 *h,const u32 *c) -{ - u32 j,u = 0; - FOR(j,17) { - u += h[j] + c[j]; - h[j] = u & 255; - u >>= 8; - } -} - -static const u32 minusp[17] = { - 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 252 -} ; - -int crypto_onetimeauth(u8 *out,const u8 *m,u64 n,const u8 *k) -{ - u32 s,i,j,u,x[17],r[17],h[17],c[17],g[17]; - - FOR(j,17) r[j]=h[j]=0; - FOR(j,16) r[j]=k[j]; - r[3]&=15; - r[4]&=252; - r[7]&=15; - r[8]&=252; - r[11]&=15; - r[12]&=252; - r[15]&=15; - - while (n > 0) { - FOR(j,17) c[j] = 0; - for (j = 0;(j < 16) && (j < n);++j) c[j] = m[j]; - c[j] = 1; - m += j; n -= j; - add1305(h,c); - FOR(i,17) { - x[i] = 0; - FOR(j,17) x[i] += h[j] * ((j <= i) ? r[i - j] : 320 * r[i + 17 - j]); - } - FOR(i,17) h[i] = x[i]; - u = 0; - FOR(j,16) { - u += h[j]; - h[j] = u & 255; - u >>= 8; - } - u += h[16]; h[16] = u & 3; - u = 5 * (u >> 2); - FOR(j,16) { - u += h[j]; - h[j] = u & 255; - u >>= 8; - } - u += h[16]; h[16] = u; - } - - FOR(j,17) g[j] = h[j]; - add1305(h,minusp); - s = -(h[16] >> 7); - FOR(j,17) h[j] ^= s & (g[j] ^ h[j]); - - FOR(j,16) c[j] = k[j + 16]; - c[16] = 0; - add1305(h,c); - FOR(j,16) out[j] = h[j]; - return 0; -} - -int crypto_onetimeauth_verify(const u8 *h,const u8 *m,u64 n,const u8 *k) -{ - u8 x[16]; - crypto_onetimeauth(x,m,n,k); - return crypto_verify_16(h,x); -} - -int crypto_secretbox(u8 *c,const u8 *m,u64 d,const u8 *n,const u8 *k) -{ - int i; - if (d < 32) return -1; - crypto_stream_xor(c,m,d,n,k); - crypto_onetimeauth(c + 16,c + 32,d - 32,c); - FOR(i,16) c[i] = 0; - return 0; -} - -int crypto_secretbox_open(u8 *m,const u8 *c,u64 d,const u8 *n,const u8 *k) -{ - int i; - u8 x[32]; - if (d < 32) return -1; - crypto_stream(x,32,n,k); - if (crypto_onetimeauth_verify(c + 16,c + 32,d - 32,x) != 0) return -1; - crypto_stream_xor(m,c,d,n,k); - FOR(i,32) m[i] = 0; - return 0; -} - -sv set25519(gf r, const gf a) -{ - int i; - FOR(i,16) r[i]=a[i]; -} - -sv car25519(gf o) -{ - int i; - i64 c; - FOR(i,16) { - o[i]+=(1LL<<16); - c=o[i]>>16; - o[(i+1)*(i<15)]+=c-1+37*(c-1)*(i==15); - o[i]-=c<<16; - } -} - -sv sel25519(gf p,gf q,int b) -{ - i64 t,i,c=~(b-1); - FOR(i,16) { - t= c&(p[i]^q[i]); - p[i]^=t; - q[i]^=t; - } -} - -sv pack25519(u8 *o,const gf n) -{ - int i,j,b; - gf m,t; - FOR(i,16) t[i]=n[i]; - car25519(t); - car25519(t); - car25519(t); - FOR(j,2) { - m[0]=t[0]-0xffed; - for(i=1;i<15;i++) { - m[i]=t[i]-0xffff-((m[i-1]>>16)&1); - m[i-1]&=0xffff; - } - m[15]=t[15]-0x7fff-((m[14]>>16)&1); - b=(m[15]>>16)&1; - m[14]&=0xffff; - sel25519(t,m,1-b); - } - FOR(i,16) { - o[2*i]=t[i]&0xff; - o[2*i+1]=t[i]>>8; - } -} - -static int neq25519(const gf a, const gf b) -{ - u8 c[32],d[32]; - pack25519(c,a); - 
pack25519(d,b); - return crypto_verify_32(c,d); -} - -static u8 par25519(const gf a) -{ - u8 d[32]; - pack25519(d,a); - return d[0]&1; -} - -sv unpack25519(gf o, const u8 *n) -{ - int i; - FOR(i,16) o[i]=n[2*i]+((i64)n[2*i+1]<<8); - o[15]&=0x7fff; -} - -sv A(gf o,const gf a,const gf b) -{ - int i; - FOR(i,16) o[i]=a[i]+b[i]; -} - -sv Z(gf o,const gf a,const gf b) -{ - int i; - FOR(i,16) o[i]=a[i]-b[i]; -} - -sv M(gf o,const gf a,const gf b) -{ - i64 i,j,t[31]; - FOR(i,31) t[i]=0; - FOR(i,16) FOR(j,16) t[i+j]+=a[i]*b[j]; - FOR(i,15) t[i]+=38*t[i+16]; - FOR(i,16) o[i]=t[i]; - car25519(o); - car25519(o); -} - -sv S(gf o,const gf a) -{ - M(o,a,a); -} - -sv inv25519(gf o,const gf i) -{ - gf c; - int a; - FOR(a,16) c[a]=i[a]; - for(a=253;a>=0;a--) { - S(c,c); - if(a!=2&&a!=4) M(c,c,i); - } - FOR(a,16) o[a]=c[a]; -} - -sv pow2523(gf o,const gf i) -{ - gf c; - int a; - FOR(a,16) c[a]=i[a]; - for(a=250;a>=0;a--) { - S(c,c); - if(a!=1) M(c,c,i); - } - FOR(a,16) o[a]=c[a]; -} - -int crypto_scalarmult(u8 *q,const u8 *n,const u8 *p) -{ - u8 z[32]; - i64 x[80],r,i; - gf a,b,c,d,e,f; - FOR(i,31) z[i]=n[i]; - z[31]=(n[31]&127)|64; - z[0]&=248; - unpack25519(x,p); - FOR(i,16) { - b[i]=x[i]; - d[i]=a[i]=c[i]=0; - } - a[0]=d[0]=1; - for(i=254;i>=0;--i) { - r=(z[i>>3]>>(i&7))&1; - sel25519(a,b,r); - sel25519(c,d,r); - A(e,a,c); - Z(a,a,c); - A(c,b,d); - Z(b,b,d); - S(d,e); - S(f,a); - M(a,c,a); - M(c,b,e); - A(e,a,c); - Z(a,a,c); - S(b,a); - Z(c,d,f); - M(a,c,_121665); - A(a,a,d); - M(c,c,a); - M(a,d,f); - M(d,b,x); - S(b,e); - sel25519(a,b,r); - sel25519(c,d,r); - } - FOR(i,16) { - x[i+16]=a[i]; - x[i+32]=c[i]; - x[i+48]=b[i]; - x[i+64]=d[i]; - } - inv25519(x+32,x+32); - M(x+16,x+16,x+32); - pack25519(q,x+16); - return 0; -} - -int crypto_scalarmult_base(u8 *q,const u8 *n) -{ - return crypto_scalarmult(q,n,_9); -} - -int crypto_box_keypair(u8 *y,u8 *x) -{ - randombytes(x,32); - return crypto_scalarmult_base(y,x); -} - -int crypto_box_beforenm(u8 *k,const u8 *y,const u8 *x) -{ - u8 s[32]; - crypto_scalarmult(s,x,y); - return crypto_core_hsalsa20(k,_0,s,sigma); -} - -int crypto_box_afternm(u8 *c,const u8 *m,u64 d,const u8 *n,const u8 *k) -{ - return crypto_secretbox(c,m,d,n,k); -} - -int crypto_box_open_afternm(u8 *m,const u8 *c,u64 d,const u8 *n,const u8 *k) -{ - return crypto_secretbox_open(m,c,d,n,k); -} - -int crypto_box(u8 *c,const u8 *m,u64 d,const u8 *n,const u8 *y,const u8 *x) -{ - u8 k[32]; - crypto_box_beforenm(k,y,x); - return crypto_box_afternm(c,m,d,n,k); -} - -int crypto_box_open(u8 *m,const u8 *c,u64 d,const u8 *n,const u8 *y,const u8 *x) -{ - u8 k[32]; - crypto_box_beforenm(k,y,x); - return crypto_box_open_afternm(m,c,d,n,k); -} - -static u64 R(u64 x,int c) { return (x >> c) | (x << (64 - c)); } -static u64 Ch(u64 x,u64 y,u64 z) { return (x & y) ^ (~x & z); } -static u64 Maj(u64 x,u64 y,u64 z) { return (x & y) ^ (x & z) ^ (y & z); } -static u64 Sigma0(u64 x) { return R(x,28) ^ R(x,34) ^ R(x,39); } -static u64 Sigma1(u64 x) { return R(x,14) ^ R(x,18) ^ R(x,41); } -static u64 sigma0(u64 x) { return R(x, 1) ^ R(x, 8) ^ (x >> 7); } -static u64 sigma1(u64 x) { return R(x,19) ^ R(x,61) ^ (x >> 6); } - -static const u64 K[80] = -{ - 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL, - 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL, - 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL, - 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL, - 
0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL, - 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL, - 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL, - 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL, - 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL, - 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL, - 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL, - 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL, - 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL, - 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL, - 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL, - 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL, - 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL, - 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL, - 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL, - 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL -}; - -int crypto_hashblocks(u8 *x,const u8 *m,u64 n) -{ - u64 z[8],b[8],a[8],w[16],t; - int i,j; - - FOR(i,8) z[i] = a[i] = dl64(x + 8 * i); - - while (n >= 128) { - FOR(i,16) w[i] = dl64(m + 8 * i); - - FOR(i,80) { - FOR(j,8) b[j] = a[j]; - t = a[7] + Sigma1(a[4]) + Ch(a[4],a[5],a[6]) + K[i] + w[i%16]; - b[7] = t + Sigma0(a[0]) + Maj(a[0],a[1],a[2]); - b[3] += t; - FOR(j,8) a[(j+1)%8] = b[j]; - if (i%16 == 15) - FOR(j,16) - w[j] += w[(j+9)%16] + sigma0(w[(j+1)%16]) + sigma1(w[(j+14)%16]); - } - - FOR(i,8) { a[i] += z[i]; z[i] = a[i]; } - - m += 128; - n -= 128; - } - - FOR(i,8) ts64(x+8*i,z[i]); - - return n; -} - -static const u8 iv[64] = { - 0x6a,0x09,0xe6,0x67,0xf3,0xbc,0xc9,0x08, - 0xbb,0x67,0xae,0x85,0x84,0xca,0xa7,0x3b, - 0x3c,0x6e,0xf3,0x72,0xfe,0x94,0xf8,0x2b, - 0xa5,0x4f,0xf5,0x3a,0x5f,0x1d,0x36,0xf1, - 0x51,0x0e,0x52,0x7f,0xad,0xe6,0x82,0xd1, - 0x9b,0x05,0x68,0x8c,0x2b,0x3e,0x6c,0x1f, - 0x1f,0x83,0xd9,0xab,0xfb,0x41,0xbd,0x6b, - 0x5b,0xe0,0xcd,0x19,0x13,0x7e,0x21,0x79 -} ; - -int crypto_hash(u8 *out,const u8 *m,u64 n) -{ - u8 h[64],x[256]; - u64 i,b = n; - - FOR(i,64) h[i] = iv[i]; - - crypto_hashblocks(h,m,n); - m += n; - n &= 127; - m -= n; - - FOR(i,256) x[i] = 0; - FOR(i,n) x[i] = m[i]; - x[n] = 128; - - n = 256-128*(n<112); - x[n-9] = b >> 61; - ts64(x+n-8,b<<3); - crypto_hashblocks(h,x,n); - - FOR(i,64) out[i] = h[i]; - - return 0; -} - -sv add(gf p[4],gf q[4]) -{ - gf a,b,c,d,t,e,f,g,h; - - Z(a, p[1], p[0]); - Z(t, q[1], q[0]); - M(a, a, t); - A(b, p[0], p[1]); - A(t, q[0], q[1]); - M(b, b, t); - M(c, p[3], q[3]); - M(c, c, D2); - M(d, p[2], q[2]); - A(d, d, d); - Z(e, b, a); - Z(f, d, c); - A(g, d, c); - A(h, b, a); - - M(p[0], e, f); - M(p[1], h, g); - M(p[2], g, f); - M(p[3], e, h); -} - -sv cswap(gf p[4],gf q[4],u8 b) -{ - int i; - FOR(i,4) - sel25519(p[i],q[i],b); -} - -sv pack(u8 *r,gf p[4]) -{ - gf tx, ty, zi; - inv25519(zi, p[2]); - M(tx, p[0], zi); - M(ty, p[1], zi); - pack25519(r, ty); - r[31] ^= par25519(tx) << 7; -} - -sv scalarmult(gf p[4],gf q[4],const u8 *s) -{ - int i; - 
set25519(p[0],gf0); - set25519(p[1],gf1); - set25519(p[2],gf1); - set25519(p[3],gf0); - for (i = 255;i >= 0;--i) { - u8 b = (s[i/8]>>(i&7))&1; - cswap(p,q,b); - add(q,p); - add(p,p); - cswap(p,q,b); - } -} - -sv scalarbase(gf p[4],const u8 *s) -{ - gf q[4]; - set25519(q[0],X); - set25519(q[1],Y); - set25519(q[2],gf1); - M(q[3],X,Y); - scalarmult(p,q,s); -} - -int crypto_sign_keypair(u8 *pk, u8 *sk) -{ - u8 d[64]; - gf p[4]; - int i; - - randombytes(sk, 32); - crypto_hash(d, sk, 32); - d[0] &= 248; - d[31] &= 127; - d[31] |= 64; - - scalarbase(p,d); - pack(pk,p); - - FOR(i,32) sk[32 + i] = pk[i]; - return 0; -} - -static const u64 L[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10}; - -sv modL(u8 *r,i64 x[64]) -{ - i64 carry,i,j; - for (i = 63;i >= 32;--i) { - carry = 0; - for (j = i - 32;j < i - 12;++j) { - x[j] += carry - 16 * x[i] * L[j - (i - 32)]; - carry = (x[j] + 128) >> 8; - x[j] -= carry << 8; - } - x[j] += carry; - x[i] = 0; - } - carry = 0; - FOR(j,32) { - x[j] += carry - (x[31] >> 4) * L[j]; - carry = x[j] >> 8; - x[j] &= 255; - } - FOR(j,32) x[j] -= carry * L[j]; - FOR(i,32) { - x[i+1] += x[i] >> 8; - r[i] = x[i] & 255; - } -} - -sv reduce(u8 *r) -{ - i64 x[64],i; - FOR(i,64) x[i] = (u64) r[i]; - FOR(i,64) r[i] = 0; - modL(r,x); -} - -int crypto_sign(u8 *sm,u64 *smlen,const u8 *m,u64 n,const u8 *sk) -{ - u8 d[64],h[64],r[64]; - i64 i,j,x[64]; - gf p[4]; - - crypto_hash(d, sk, 32); - d[0] &= 248; - d[31] &= 127; - d[31] |= 64; - - *smlen = n+64; - FOR(i,n) sm[64 + i] = m[i]; - FOR(i,32) sm[32 + i] = d[32 + i]; - - crypto_hash(r, sm+32, n+32); - reduce(r); - scalarbase(p,r); - pack(sm,p); - - FOR(i,32) sm[i+32] = sk[i+32]; - crypto_hash(h,sm,n + 64); - reduce(h); - - FOR(i,64) x[i] = 0; - FOR(i,32) x[i] = (u64) r[i]; - FOR(i,32) FOR(j,32) x[i+j] += h[i] * (u64) d[j]; - modL(sm + 32,x); - - return 0; -} - -static int unpackneg(gf r[4],const u8 p[32]) -{ - gf t, chk, num, den, den2, den4, den6; - set25519(r[2],gf1); - unpack25519(r[1],p); - S(num,r[1]); - M(den,num,D); - Z(num,num,r[2]); - A(den,r[2],den); - - S(den2,den); - S(den4,den2); - M(den6,den4,den2); - M(t,den6,num); - M(t,t,den); - - pow2523(t,t); - M(t,t,num); - M(t,t,den); - M(t,t,den); - M(r[0],t,den); - - S(chk,r[0]); - M(chk,chk,den); - if (neq25519(chk, num)) M(r[0],r[0],I); - - S(chk,r[0]); - M(chk,chk,den); - if (neq25519(chk, num)) return -1; - - if (par25519(r[0]) == (p[31]>>7)) Z(r[0],gf0,r[0]); - - M(r[3],r[0],r[1]); - return 0; -} - -int crypto_sign_open(u8 *m,u64 *mlen,const u8 *sm,u64 n,const u8 *pk) -{ - int i; - u8 t[32],h[64]; - gf p[4],q[4]; - - *mlen = -1; - if (n < 64) return -1; - - if (unpackneg(q,pk)) return -1; - - FOR(i,n) m[i] = sm[i]; - FOR(i,32) m[i+32] = pk[i]; - crypto_hash(h,m,n); - reduce(h); - scalarmult(p,q,h); - - scalarbase(q,sm + 32); - add(p,q); - pack(t,p); - - n -= 64; - if (crypto_verify_32(sm, t)) { - FOR(i,n) m[i] = 0; - return -1; - } - - FOR(i,n) m[i] = sm[i + 64]; - *mlen = n; - return 0; -} DELETED build/tweetnacl/src/tweetnacl.h Index: build/tweetnacl/src/tweetnacl.h ================================================================== --- build/tweetnacl/src/tweetnacl.h +++ /dev/null @@ -1,272 +0,0 @@ -#ifndef TWEETNACL_H -#define TWEETNACL_H -#define crypto_auth_PRIMITIVE "hmacsha512256" -#define crypto_auth crypto_auth_hmacsha512256 -#define crypto_auth_verify crypto_auth_hmacsha512256_verify -#define crypto_auth_BYTES crypto_auth_hmacsha512256_BYTES -#define 
crypto_auth_KEYBYTES crypto_auth_hmacsha512256_KEYBYTES -#define crypto_auth_IMPLEMENTATION crypto_auth_hmacsha512256_IMPLEMENTATION -#define crypto_auth_VERSION crypto_auth_hmacsha512256_VERSION -#define crypto_auth_hmacsha512256_tweet_BYTES 32 -#define crypto_auth_hmacsha512256_tweet_KEYBYTES 32 -extern int crypto_auth_hmacsha512256_tweet(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *); -extern int crypto_auth_hmacsha512256_tweet_verify(const unsigned char *,const unsigned char *,unsigned long long,const unsigned char *); -#define crypto_auth_hmacsha512256_tweet_VERSION "-" -#define crypto_auth_hmacsha512256 crypto_auth_hmacsha512256_tweet -#define crypto_auth_hmacsha512256_verify crypto_auth_hmacsha512256_tweet_verify -#define crypto_auth_hmacsha512256_BYTES crypto_auth_hmacsha512256_tweet_BYTES -#define crypto_auth_hmacsha512256_KEYBYTES crypto_auth_hmacsha512256_tweet_KEYBYTES -#define crypto_auth_hmacsha512256_VERSION crypto_auth_hmacsha512256_tweet_VERSION -#define crypto_auth_hmacsha512256_IMPLEMENTATION "crypto_auth/hmacsha512256/tweet" -#define crypto_box_PRIMITIVE "curve25519xsalsa20poly1305" -#define crypto_box crypto_box_curve25519xsalsa20poly1305 -#define crypto_box_open crypto_box_curve25519xsalsa20poly1305_open -#define crypto_box_keypair crypto_box_curve25519xsalsa20poly1305_keypair -#define crypto_box_beforenm crypto_box_curve25519xsalsa20poly1305_beforenm -#define crypto_box_afternm crypto_box_curve25519xsalsa20poly1305_afternm -#define crypto_box_open_afternm crypto_box_curve25519xsalsa20poly1305_open_afternm -#define crypto_box_PUBLICKEYBYTES crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES -#define crypto_box_SECRETKEYBYTES crypto_box_curve25519xsalsa20poly1305_SECRETKEYBYTES -#define crypto_box_BEFORENMBYTES crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES -#define crypto_box_NONCEBYTES crypto_box_curve25519xsalsa20poly1305_NONCEBYTES -#define crypto_box_ZEROBYTES crypto_box_curve25519xsalsa20poly1305_ZEROBYTES -#define crypto_box_BOXZEROBYTES crypto_box_curve25519xsalsa20poly1305_BOXZEROBYTES -#define crypto_box_IMPLEMENTATION crypto_box_curve25519xsalsa20poly1305_IMPLEMENTATION -#define crypto_box_VERSION crypto_box_curve25519xsalsa20poly1305_VERSION -#define crypto_box_curve25519xsalsa20poly1305_tweet_PUBLICKEYBYTES 32 -#define crypto_box_curve25519xsalsa20poly1305_tweet_SECRETKEYBYTES 32 -#define crypto_box_curve25519xsalsa20poly1305_tweet_BEFORENMBYTES 32 -#define crypto_box_curve25519xsalsa20poly1305_tweet_NONCEBYTES 24 -#define crypto_box_curve25519xsalsa20poly1305_tweet_ZEROBYTES 32 -#define crypto_box_curve25519xsalsa20poly1305_tweet_BOXZEROBYTES 16 -extern int crypto_box_curve25519xsalsa20poly1305_tweet(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *,const unsigned char *); -extern int crypto_box_curve25519xsalsa20poly1305_tweet_open(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *,const unsigned char *); -extern int crypto_box_curve25519xsalsa20poly1305_tweet_keypair(unsigned char *,unsigned char *); -extern int crypto_box_curve25519xsalsa20poly1305_tweet_beforenm(unsigned char *,const unsigned char *,const unsigned char *); -extern int crypto_box_curve25519xsalsa20poly1305_tweet_afternm(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *); -extern int crypto_box_curve25519xsalsa20poly1305_tweet_open_afternm(unsigned char *,const unsigned char *,unsigned long 
long,const unsigned char *,const unsigned char *); -#define crypto_box_curve25519xsalsa20poly1305_tweet_VERSION "-" -#define crypto_box_curve25519xsalsa20poly1305 crypto_box_curve25519xsalsa20poly1305_tweet -#define crypto_box_curve25519xsalsa20poly1305_open crypto_box_curve25519xsalsa20poly1305_tweet_open -#define crypto_box_curve25519xsalsa20poly1305_keypair crypto_box_curve25519xsalsa20poly1305_tweet_keypair -#define crypto_box_curve25519xsalsa20poly1305_beforenm crypto_box_curve25519xsalsa20poly1305_tweet_beforenm -#define crypto_box_curve25519xsalsa20poly1305_afternm crypto_box_curve25519xsalsa20poly1305_tweet_afternm -#define crypto_box_curve25519xsalsa20poly1305_open_afternm crypto_box_curve25519xsalsa20poly1305_tweet_open_afternm -#define crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES crypto_box_curve25519xsalsa20poly1305_tweet_PUBLICKEYBYTES -#define crypto_box_curve25519xsalsa20poly1305_SECRETKEYBYTES crypto_box_curve25519xsalsa20poly1305_tweet_SECRETKEYBYTES -#define crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES crypto_box_curve25519xsalsa20poly1305_tweet_BEFORENMBYTES -#define crypto_box_curve25519xsalsa20poly1305_NONCEBYTES crypto_box_curve25519xsalsa20poly1305_tweet_NONCEBYTES -#define crypto_box_curve25519xsalsa20poly1305_ZEROBYTES crypto_box_curve25519xsalsa20poly1305_tweet_ZEROBYTES -#define crypto_box_curve25519xsalsa20poly1305_BOXZEROBYTES crypto_box_curve25519xsalsa20poly1305_tweet_BOXZEROBYTES -#define crypto_box_curve25519xsalsa20poly1305_VERSION crypto_box_curve25519xsalsa20poly1305_tweet_VERSION -#define crypto_box_curve25519xsalsa20poly1305_IMPLEMENTATION "crypto_box/curve25519xsalsa20poly1305/tweet" -#define crypto_core_PRIMITIVE "salsa20" -#define crypto_core crypto_core_salsa20 -#define crypto_core_OUTPUTBYTES crypto_core_salsa20_OUTPUTBYTES -#define crypto_core_INPUTBYTES crypto_core_salsa20_INPUTBYTES -#define crypto_core_KEYBYTES crypto_core_salsa20_KEYBYTES -#define crypto_core_CONSTBYTES crypto_core_salsa20_CONSTBYTES -#define crypto_core_IMPLEMENTATION crypto_core_salsa20_IMPLEMENTATION -#define crypto_core_VERSION crypto_core_salsa20_VERSION -#define crypto_core_salsa20_tweet_OUTPUTBYTES 64 -#define crypto_core_salsa20_tweet_INPUTBYTES 16 -#define crypto_core_salsa20_tweet_KEYBYTES 32 -#define crypto_core_salsa20_tweet_CONSTBYTES 16 -extern int crypto_core_salsa20_tweet(unsigned char *,const unsigned char *,const unsigned char *,const unsigned char *); -#define crypto_core_salsa20_tweet_VERSION "-" -#define crypto_core_salsa20 crypto_core_salsa20_tweet -#define crypto_core_salsa20_OUTPUTBYTES crypto_core_salsa20_tweet_OUTPUTBYTES -#define crypto_core_salsa20_INPUTBYTES crypto_core_salsa20_tweet_INPUTBYTES -#define crypto_core_salsa20_KEYBYTES crypto_core_salsa20_tweet_KEYBYTES -#define crypto_core_salsa20_CONSTBYTES crypto_core_salsa20_tweet_CONSTBYTES -#define crypto_core_salsa20_VERSION crypto_core_salsa20_tweet_VERSION -#define crypto_core_salsa20_IMPLEMENTATION "crypto_core/salsa20/tweet" -#define crypto_core_hsalsa20_tweet_OUTPUTBYTES 32 -#define crypto_core_hsalsa20_tweet_INPUTBYTES 16 -#define crypto_core_hsalsa20_tweet_KEYBYTES 32 -#define crypto_core_hsalsa20_tweet_CONSTBYTES 16 -extern int crypto_core_hsalsa20_tweet(unsigned char *,const unsigned char *,const unsigned char *,const unsigned char *); -#define crypto_core_hsalsa20_tweet_VERSION "-" -#define crypto_core_hsalsa20 crypto_core_hsalsa20_tweet -#define crypto_core_hsalsa20_OUTPUTBYTES crypto_core_hsalsa20_tweet_OUTPUTBYTES -#define crypto_core_hsalsa20_INPUTBYTES 
crypto_core_hsalsa20_tweet_INPUTBYTES -#define crypto_core_hsalsa20_KEYBYTES crypto_core_hsalsa20_tweet_KEYBYTES -#define crypto_core_hsalsa20_CONSTBYTES crypto_core_hsalsa20_tweet_CONSTBYTES -#define crypto_core_hsalsa20_VERSION crypto_core_hsalsa20_tweet_VERSION -#define crypto_core_hsalsa20_IMPLEMENTATION "crypto_core/hsalsa20/tweet" -#define crypto_hashblocks_PRIMITIVE "sha512" -#define crypto_hashblocks crypto_hashblocks_sha512 -#define crypto_hashblocks_STATEBYTES crypto_hashblocks_sha512_STATEBYTES -#define crypto_hashblocks_BLOCKBYTES crypto_hashblocks_sha512_BLOCKBYTES -#define crypto_hashblocks_IMPLEMENTATION crypto_hashblocks_sha512_IMPLEMENTATION -#define crypto_hashblocks_VERSION crypto_hashblocks_sha512_VERSION -#define crypto_hashblocks_sha512_tweet_STATEBYTES 64 -#define crypto_hashblocks_sha512_tweet_BLOCKBYTES 128 -extern int crypto_hashblocks_sha512_tweet(unsigned char *,const unsigned char *,unsigned long long); -#define crypto_hashblocks_sha512_tweet_VERSION "-" -#define crypto_hashblocks_sha512 crypto_hashblocks_sha512_tweet -#define crypto_hashblocks_sha512_STATEBYTES crypto_hashblocks_sha512_tweet_STATEBYTES -#define crypto_hashblocks_sha512_BLOCKBYTES crypto_hashblocks_sha512_tweet_BLOCKBYTES -#define crypto_hashblocks_sha512_VERSION crypto_hashblocks_sha512_tweet_VERSION -#define crypto_hashblocks_sha512_IMPLEMENTATION "crypto_hashblocks/sha512/tweet" -#define crypto_hashblocks_sha256_tweet_STATEBYTES 32 -#define crypto_hashblocks_sha256_tweet_BLOCKBYTES 64 -extern int crypto_hashblocks_sha256_tweet(unsigned char *,const unsigned char *,unsigned long long); -#define crypto_hashblocks_sha256_tweet_VERSION "-" -#define crypto_hashblocks_sha256 crypto_hashblocks_sha256_tweet -#define crypto_hashblocks_sha256_STATEBYTES crypto_hashblocks_sha256_tweet_STATEBYTES -#define crypto_hashblocks_sha256_BLOCKBYTES crypto_hashblocks_sha256_tweet_BLOCKBYTES -#define crypto_hashblocks_sha256_VERSION crypto_hashblocks_sha256_tweet_VERSION -#define crypto_hashblocks_sha256_IMPLEMENTATION "crypto_hashblocks/sha256/tweet" -#define crypto_hash_PRIMITIVE "sha512" -#define crypto_hash crypto_hash_sha512 -#define crypto_hash_BYTES crypto_hash_sha512_BYTES -#define crypto_hash_IMPLEMENTATION crypto_hash_sha512_IMPLEMENTATION -#define crypto_hash_VERSION crypto_hash_sha512_VERSION -#define crypto_hash_sha512_tweet_BYTES 64 -extern int crypto_hash_sha512_tweet(unsigned char *,const unsigned char *,unsigned long long); -#define crypto_hash_sha512_tweet_VERSION "-" -#define crypto_hash_sha512 crypto_hash_sha512_tweet -#define crypto_hash_sha512_BYTES crypto_hash_sha512_tweet_BYTES -#define crypto_hash_sha512_VERSION crypto_hash_sha512_tweet_VERSION -#define crypto_hash_sha512_IMPLEMENTATION "crypto_hash/sha512/tweet" -#define crypto_hash_sha256_tweet_BYTES 32 -extern int crypto_hash_sha256_tweet(unsigned char *,const unsigned char *,unsigned long long); -#define crypto_hash_sha256_tweet_VERSION "-" -#define crypto_hash_sha256 crypto_hash_sha256_tweet -#define crypto_hash_sha256_BYTES crypto_hash_sha256_tweet_BYTES -#define crypto_hash_sha256_VERSION crypto_hash_sha256_tweet_VERSION -#define crypto_hash_sha256_IMPLEMENTATION "crypto_hash/sha256/tweet" -#define crypto_onetimeauth_PRIMITIVE "poly1305" -#define crypto_onetimeauth crypto_onetimeauth_poly1305 -#define crypto_onetimeauth_verify crypto_onetimeauth_poly1305_verify -#define crypto_onetimeauth_BYTES crypto_onetimeauth_poly1305_BYTES -#define crypto_onetimeauth_KEYBYTES crypto_onetimeauth_poly1305_KEYBYTES -#define 
crypto_onetimeauth_IMPLEMENTATION crypto_onetimeauth_poly1305_IMPLEMENTATION -#define crypto_onetimeauth_VERSION crypto_onetimeauth_poly1305_VERSION -#define crypto_onetimeauth_poly1305_tweet_BYTES 16 -#define crypto_onetimeauth_poly1305_tweet_KEYBYTES 32 -extern int crypto_onetimeauth_poly1305_tweet(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *); -extern int crypto_onetimeauth_poly1305_tweet_verify(const unsigned char *,const unsigned char *,unsigned long long,const unsigned char *); -#define crypto_onetimeauth_poly1305_tweet_VERSION "-" -#define crypto_onetimeauth_poly1305 crypto_onetimeauth_poly1305_tweet -#define crypto_onetimeauth_poly1305_verify crypto_onetimeauth_poly1305_tweet_verify -#define crypto_onetimeauth_poly1305_BYTES crypto_onetimeauth_poly1305_tweet_BYTES -#define crypto_onetimeauth_poly1305_KEYBYTES crypto_onetimeauth_poly1305_tweet_KEYBYTES -#define crypto_onetimeauth_poly1305_VERSION crypto_onetimeauth_poly1305_tweet_VERSION -#define crypto_onetimeauth_poly1305_IMPLEMENTATION "crypto_onetimeauth/poly1305/tweet" -#define crypto_scalarmult_PRIMITIVE "curve25519" -#define crypto_scalarmult crypto_scalarmult_curve25519 -#define crypto_scalarmult_base crypto_scalarmult_curve25519_base -#define crypto_scalarmult_BYTES crypto_scalarmult_curve25519_BYTES -#define crypto_scalarmult_SCALARBYTES crypto_scalarmult_curve25519_SCALARBYTES -#define crypto_scalarmult_IMPLEMENTATION crypto_scalarmult_curve25519_IMPLEMENTATION -#define crypto_scalarmult_VERSION crypto_scalarmult_curve25519_VERSION -#define crypto_scalarmult_curve25519_tweet_BYTES 32 -#define crypto_scalarmult_curve25519_tweet_SCALARBYTES 32 -extern int crypto_scalarmult_curve25519_tweet(unsigned char *,const unsigned char *,const unsigned char *); -extern int crypto_scalarmult_curve25519_tweet_base(unsigned char *,const unsigned char *); -#define crypto_scalarmult_curve25519_tweet_VERSION "-" -#define crypto_scalarmult_curve25519 crypto_scalarmult_curve25519_tweet -#define crypto_scalarmult_curve25519_base crypto_scalarmult_curve25519_tweet_base -#define crypto_scalarmult_curve25519_BYTES crypto_scalarmult_curve25519_tweet_BYTES -#define crypto_scalarmult_curve25519_SCALARBYTES crypto_scalarmult_curve25519_tweet_SCALARBYTES -#define crypto_scalarmult_curve25519_VERSION crypto_scalarmult_curve25519_tweet_VERSION -#define crypto_scalarmult_curve25519_IMPLEMENTATION "crypto_scalarmult/curve25519/tweet" -#define crypto_secretbox_PRIMITIVE "xsalsa20poly1305" -#define crypto_secretbox crypto_secretbox_xsalsa20poly1305 -#define crypto_secretbox_open crypto_secretbox_xsalsa20poly1305_open -#define crypto_secretbox_KEYBYTES crypto_secretbox_xsalsa20poly1305_KEYBYTES -#define crypto_secretbox_NONCEBYTES crypto_secretbox_xsalsa20poly1305_NONCEBYTES -#define crypto_secretbox_ZEROBYTES crypto_secretbox_xsalsa20poly1305_ZEROBYTES -#define crypto_secretbox_BOXZEROBYTES crypto_secretbox_xsalsa20poly1305_BOXZEROBYTES -#define crypto_secretbox_IMPLEMENTATION crypto_secretbox_xsalsa20poly1305_IMPLEMENTATION -#define crypto_secretbox_VERSION crypto_secretbox_xsalsa20poly1305_VERSION -#define crypto_secretbox_xsalsa20poly1305_tweet_KEYBYTES 32 -#define crypto_secretbox_xsalsa20poly1305_tweet_NONCEBYTES 24 -#define crypto_secretbox_xsalsa20poly1305_tweet_ZEROBYTES 32 -#define crypto_secretbox_xsalsa20poly1305_tweet_BOXZEROBYTES 16 -extern int crypto_secretbox_xsalsa20poly1305_tweet(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *); -extern int 
crypto_secretbox_xsalsa20poly1305_tweet_open(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *); -#define crypto_secretbox_xsalsa20poly1305_tweet_VERSION "-" -#define crypto_secretbox_xsalsa20poly1305 crypto_secretbox_xsalsa20poly1305_tweet -#define crypto_secretbox_xsalsa20poly1305_open crypto_secretbox_xsalsa20poly1305_tweet_open -#define crypto_secretbox_xsalsa20poly1305_KEYBYTES crypto_secretbox_xsalsa20poly1305_tweet_KEYBYTES -#define crypto_secretbox_xsalsa20poly1305_NONCEBYTES crypto_secretbox_xsalsa20poly1305_tweet_NONCEBYTES -#define crypto_secretbox_xsalsa20poly1305_ZEROBYTES crypto_secretbox_xsalsa20poly1305_tweet_ZEROBYTES -#define crypto_secretbox_xsalsa20poly1305_BOXZEROBYTES crypto_secretbox_xsalsa20poly1305_tweet_BOXZEROBYTES -#define crypto_secretbox_xsalsa20poly1305_VERSION crypto_secretbox_xsalsa20poly1305_tweet_VERSION -#define crypto_secretbox_xsalsa20poly1305_IMPLEMENTATION "crypto_secretbox/xsalsa20poly1305/tweet" -#define crypto_sign_PRIMITIVE "ed25519" -#define crypto_sign crypto_sign_ed25519 -#define crypto_sign_open crypto_sign_ed25519_open -#define crypto_sign_keypair crypto_sign_ed25519_keypair -#define crypto_sign_BYTES crypto_sign_ed25519_BYTES -#define crypto_sign_PUBLICKEYBYTES crypto_sign_ed25519_PUBLICKEYBYTES -#define crypto_sign_SECRETKEYBYTES crypto_sign_ed25519_SECRETKEYBYTES -#define crypto_sign_IMPLEMENTATION crypto_sign_ed25519_IMPLEMENTATION -#define crypto_sign_VERSION crypto_sign_ed25519_VERSION -#define crypto_sign_ed25519_tweet_BYTES 64 -#define crypto_sign_ed25519_tweet_PUBLICKEYBYTES 32 -#define crypto_sign_ed25519_tweet_SECRETKEYBYTES 64 -extern int crypto_sign_ed25519_tweet(unsigned char *,unsigned long long *,const unsigned char *,unsigned long long,const unsigned char *); -extern int crypto_sign_ed25519_tweet_open(unsigned char *,unsigned long long *,const unsigned char *,unsigned long long,const unsigned char *); -extern int crypto_sign_ed25519_tweet_keypair(unsigned char *,unsigned char *); -#define crypto_sign_ed25519_tweet_VERSION "-" -#define crypto_sign_ed25519 crypto_sign_ed25519_tweet -#define crypto_sign_ed25519_open crypto_sign_ed25519_tweet_open -#define crypto_sign_ed25519_keypair crypto_sign_ed25519_tweet_keypair -#define crypto_sign_ed25519_BYTES crypto_sign_ed25519_tweet_BYTES -#define crypto_sign_ed25519_PUBLICKEYBYTES crypto_sign_ed25519_tweet_PUBLICKEYBYTES -#define crypto_sign_ed25519_SECRETKEYBYTES crypto_sign_ed25519_tweet_SECRETKEYBYTES -#define crypto_sign_ed25519_VERSION crypto_sign_ed25519_tweet_VERSION -#define crypto_sign_ed25519_IMPLEMENTATION "crypto_sign/ed25519/tweet" -#define crypto_stream_PRIMITIVE "xsalsa20" -#define crypto_stream crypto_stream_xsalsa20 -#define crypto_stream_xor crypto_stream_xsalsa20_xor -#define crypto_stream_KEYBYTES crypto_stream_xsalsa20_KEYBYTES -#define crypto_stream_NONCEBYTES crypto_stream_xsalsa20_NONCEBYTES -#define crypto_stream_IMPLEMENTATION crypto_stream_xsalsa20_IMPLEMENTATION -#define crypto_stream_VERSION crypto_stream_xsalsa20_VERSION -#define crypto_stream_xsalsa20_tweet_KEYBYTES 32 -#define crypto_stream_xsalsa20_tweet_NONCEBYTES 24 -extern int crypto_stream_xsalsa20_tweet(unsigned char *,unsigned long long,const unsigned char *,const unsigned char *); -extern int crypto_stream_xsalsa20_tweet_xor(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *); -#define crypto_stream_xsalsa20_tweet_VERSION "-" -#define crypto_stream_xsalsa20 crypto_stream_xsalsa20_tweet -#define 
crypto_stream_xsalsa20_xor crypto_stream_xsalsa20_tweet_xor -#define crypto_stream_xsalsa20_KEYBYTES crypto_stream_xsalsa20_tweet_KEYBYTES -#define crypto_stream_xsalsa20_NONCEBYTES crypto_stream_xsalsa20_tweet_NONCEBYTES -#define crypto_stream_xsalsa20_VERSION crypto_stream_xsalsa20_tweet_VERSION -#define crypto_stream_xsalsa20_IMPLEMENTATION "crypto_stream/xsalsa20/tweet" -#define crypto_stream_salsa20_tweet_KEYBYTES 32 -#define crypto_stream_salsa20_tweet_NONCEBYTES 8 -extern int crypto_stream_salsa20_tweet(unsigned char *,unsigned long long,const unsigned char *,const unsigned char *); -extern int crypto_stream_salsa20_tweet_xor(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *,const unsigned char *); -#define crypto_stream_salsa20_tweet_VERSION "-" -#define crypto_stream_salsa20 crypto_stream_salsa20_tweet -#define crypto_stream_salsa20_xor crypto_stream_salsa20_tweet_xor -#define crypto_stream_salsa20_KEYBYTES crypto_stream_salsa20_tweet_KEYBYTES -#define crypto_stream_salsa20_NONCEBYTES crypto_stream_salsa20_tweet_NONCEBYTES -#define crypto_stream_salsa20_VERSION crypto_stream_salsa20_tweet_VERSION -#define crypto_stream_salsa20_IMPLEMENTATION "crypto_stream/salsa20/tweet" -#define crypto_verify_PRIMITIVE "16" -#define crypto_verify crypto_verify_16 -#define crypto_verify_BYTES crypto_verify_16_BYTES -#define crypto_verify_IMPLEMENTATION crypto_verify_16_IMPLEMENTATION -#define crypto_verify_VERSION crypto_verify_16_VERSION -#define crypto_verify_16_tweet_BYTES 16 -extern int crypto_verify_16_tweet(const unsigned char *,const unsigned char *); -#define crypto_verify_16_tweet_VERSION "-" -#define crypto_verify_16 crypto_verify_16_tweet -#define crypto_verify_16_BYTES crypto_verify_16_tweet_BYTES -#define crypto_verify_16_VERSION crypto_verify_16_tweet_VERSION -#define crypto_verify_16_IMPLEMENTATION "crypto_verify/16/tweet" -#define crypto_verify_32_tweet_BYTES 32 -extern int crypto_verify_32_tweet(const unsigned char *,const unsigned char *); -#define crypto_verify_32_tweet_VERSION "-" -#define crypto_verify_32 crypto_verify_32_tweet -#define crypto_verify_32_BYTES crypto_verify_32_tweet_BYTES -#define crypto_verify_32_VERSION crypto_verify_32_tweet_VERSION -#define crypto_verify_32_IMPLEMENTATION "crypto_verify/32/tweet" -#endif ADDED monocypher/monocypher.c Index: monocypher/monocypher.c ================================================================== --- /dev/null +++ monocypher/monocypher.c @@ -0,0 +1,2100 @@ +#include "monocypher.h" + +///////////////// +/// Utilities /// +///////////////// + +// By default, EdDSA signatures use blake2b. SHA-512 is provided as an +// option for full ed25519 compatibility. To use with SHA-512, compile +// with option -DED25519_SHA512 and provide the "sha512" header. +#ifdef ED25519_SHA512 + #define HASH crypto_sha512 +#else + #define HASH crypto_blake2b +#endif +#define COMBINE1(x, y) x ## y +#define COMBINE2(x, y) COMBINE1(x, y) +#define HASH_CTX COMBINE2(HASH, _ctx) +#define HASH_INIT COMBINE2(HASH, _init) +#define HASH_UPDATE COMBINE2(HASH, _update) +#define HASH_FINAL COMBINE2(HASH, _final) + +#define FOR(i, start, end) for (size_t (i) = (start); (i) < (end); (i)++) +#define WIPE_CTX(ctx) crypto_wipe(ctx , sizeof(*(ctx))) +#define WIPE_BUFFER(buffer) crypto_wipe(buffer, sizeof(buffer)) +#define MIN(a, b) ((a) <= (b) ? 
(a) : (b)) +#define ALIGN(x, block_size) ((~(x) + 1) & ((block_size) - 1)) +typedef int8_t i8; +typedef uint8_t u8; +typedef uint32_t u32; +typedef int32_t i32; +typedef int64_t i64; +typedef uint64_t u64; + +static const u8 zero[128] = {0}; + +static u32 load24_le(const u8 s[3]) +{ + return (u32)s[0] + | ((u32)s[1] << 8) + | ((u32)s[2] << 16); +} + +static u32 load32_le(const u8 s[4]) +{ + return (u32)s[0] + | ((u32)s[1] << 8) + | ((u32)s[2] << 16) + | ((u32)s[3] << 24); +} + +static u64 load64_le(const u8 s[8]) +{ + return load32_le(s) | ((u64)load32_le(s+4) << 32); +} + +static void store32_le(u8 out[4], u32 in) +{ + out[0] = in & 0xff; + out[1] = (in >> 8) & 0xff; + out[2] = (in >> 16) & 0xff; + out[3] = (in >> 24) & 0xff; +} + +static void store64_le(u8 out[8], u64 in) +{ + store32_le(out , (u32)in ); + store32_le(out + 4, in >> 32); +} + +static u64 rotr64(u64 x, u64 n) { return (x >> n) ^ (x << (64 - n)); } +static u32 rotl32(u32 x, u32 n) { return (x << n) ^ (x >> (32 - n)); } + +static int neq0(u64 diff) +{ // constant time comparison to zero + // return diff != 0 ? -1 : 0 + u64 half = (diff >> 32) | ((u32)diff); + return (1 & ((half - 1) >> 32)) - 1; +} + +static u64 x16(const u8 a[16], const u8 b[16]) +{ + return (load64_le(a + 0) ^ load64_le(b + 0)) + | (load64_le(a + 8) ^ load64_le(b + 8)); +} +static u64 x32(const u8 a[16],const u8 b[16]){return x16(a,b)| x16(a+16, b+16);} +static u64 x64(const u8 a[64],const u8 b[64]){return x32(a,b)| x32(a+32, b+32);} +int crypto_verify16(const u8 a[16], const u8 b[16]){ return neq0(x16(a, b)); } +int crypto_verify32(const u8 a[32], const u8 b[32]){ return neq0(x32(a, b)); } +int crypto_verify64(const u8 a[64], const u8 b[64]){ return neq0(x64(a, b)); } + +static int zerocmp32(const u8 p[32]) +{ + return crypto_verify32(p, zero); +} + +void crypto_wipe(void *secret, size_t size) +{ + volatile u8 *v_secret = (u8*)secret; + FOR (i, 0, size) { + v_secret[i] = 0; + } +} + +///////////////// +/// Chacha 20 /// +///////////////// +#define QUARTERROUND(a, b, c, d) \ + a += b; d = rotl32(d ^ a, 16); \ + c += d; b = rotl32(b ^ c, 12); \ + a += b; d = rotl32(d ^ a, 8); \ + c += d; b = rotl32(b ^ c, 7) + +static void chacha20_rounds(u32 out[16], const u32 in[16]) +{ + // The temporary variables make Chacha20 10% faster. + u32 t0 = in[ 0]; u32 t1 = in[ 1]; u32 t2 = in[ 2]; u32 t3 = in[ 3]; + u32 t4 = in[ 4]; u32 t5 = in[ 5]; u32 t6 = in[ 6]; u32 t7 = in[ 7]; + u32 t8 = in[ 8]; u32 t9 = in[ 9]; u32 t10 = in[10]; u32 t11 = in[11]; + u32 t12 = in[12]; u32 t13 = in[13]; u32 t14 = in[14]; u32 t15 = in[15]; + + FOR (i, 0, 10) { // 20 rounds, 2 rounds per loop. 
+ QUARTERROUND(t0, t4, t8 , t12); // column 0 + QUARTERROUND(t1, t5, t9 , t13); // column 1 + QUARTERROUND(t2, t6, t10, t14); // column 2 + QUARTERROUND(t3, t7, t11, t15); // column 3 + QUARTERROUND(t0, t5, t10, t15); // diagonal 0 + QUARTERROUND(t1, t6, t11, t12); // diagonal 1 + QUARTERROUND(t2, t7, t8 , t13); // diagonal 2 + QUARTERROUND(t3, t4, t9 , t14); // diagonal 3 + } + out[ 0] = t0; out[ 1] = t1; out[ 2] = t2; out[ 3] = t3; + out[ 4] = t4; out[ 5] = t5; out[ 6] = t6; out[ 7] = t7; + out[ 8] = t8; out[ 9] = t9; out[10] = t10; out[11] = t11; + out[12] = t12; out[13] = t13; out[14] = t14; out[15] = t15; +} + +static void chacha20_init_key(crypto_chacha_ctx *ctx, const u8 key[32]) +{ + // constant + ctx->input[0] = load32_le((u8*)"expa"); + ctx->input[1] = load32_le((u8*)"nd 3"); + ctx->input[2] = load32_le((u8*)"2-by"); + ctx->input[3] = load32_le((u8*)"te k"); + // key + FOR (i, 0, 8) { + ctx->input[i+4] = load32_le(key + i*4); + } +} + +static u8 chacha20_pool_byte(crypto_chacha_ctx *ctx) +{ + u32 pool_word = ctx->pool[ctx->pool_idx >> 2]; + u8 pool_byte = pool_word >> (8*(ctx->pool_idx & 3)); + ctx->pool_idx++; + return pool_byte; +} + +// Fill the pool if needed, update the counters +static void chacha20_refill_pool(crypto_chacha_ctx *ctx) +{ + chacha20_rounds(ctx->pool, ctx->input); + FOR (j, 0, 16) { + ctx->pool[j] += ctx->input[j]; + } + ctx->pool_idx = 0; + ctx->input[12]++; + if (ctx->input[12] == 0) { + ctx->input[13]++; + } +} + +void crypto_chacha20_H(u8 out[32], const u8 key[32], const u8 in[16]) +{ + crypto_chacha_ctx ctx; + chacha20_init_key(&ctx, key); + FOR (i, 0, 4) { + ctx.input[i+12] = load32_le(in + i*4); + } + u32 buffer[16]; + chacha20_rounds(buffer, ctx.input); + // prevents reversal of the rounds by revealing only half of the buffer. 
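+    // (This matches the HChaCha20 construction: the input words are not
+    // added back after the rounds, and only state words 0-3 and 12-15 are
+    // kept, so the 256-bit output cannot be run backwards to recover the
+    // key.)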
+ FOR (i, 0, 4) { + store32_le(out + i*4, buffer[i ]); // constant + store32_le(out + 16 + i*4, buffer[i + 12]); // counter and nonce + } + WIPE_CTX(&ctx); + WIPE_BUFFER(buffer); +} + +static void chacha20_encrypt(crypto_chacha_ctx *ctx, + u8 *cipher_text, + const u8 *plain_text, + size_t text_size) +{ + FOR (i, 0, text_size) { + if (ctx->pool_idx == 64) { + chacha20_refill_pool(ctx); + } + u8 plain = 0; + if (plain_text != 0) { + plain = *plain_text; + plain_text++; + } + *cipher_text = chacha20_pool_byte(ctx) ^ plain; + cipher_text++; + } +} + +void crypto_chacha20_init(crypto_chacha_ctx *ctx, + const u8 key[32], + const u8 nonce[8]) +{ + chacha20_init_key (ctx, key); // key + crypto_chacha20_set_ctr(ctx, 0 ); // counter + ctx->input[14] = load32_le(nonce + 0); // nonce + ctx->input[15] = load32_le(nonce + 4); // nonce +} + +void crypto_chacha20_x_init(crypto_chacha_ctx *ctx, + const u8 key[32], + const u8 nonce[24]) +{ + u8 derived_key[32]; + crypto_chacha20_H(derived_key, key, nonce); + crypto_chacha20_init(ctx, derived_key, nonce + 16); + WIPE_BUFFER(derived_key); +} + +void crypto_chacha20_set_ctr(crypto_chacha_ctx *ctx, u64 ctr) +{ + ctx->input[12] = ctr & 0xffffffff; + ctx->input[13] = ctr >> 32; + ctx->pool_idx = 64; // The random pool (re)starts empty +} + +void crypto_chacha20_encrypt(crypto_chacha_ctx *ctx, + u8 *cipher_text, + const u8 *plain_text, + size_t text_size) +{ + // Align ourselves with block boundaries + size_t align = MIN(ALIGN(ctx->pool_idx, 64), text_size); + chacha20_encrypt(ctx, cipher_text, plain_text, align); + if (plain_text != 0) { + plain_text += align; + } + cipher_text += align; + text_size -= align; + + // Process the message block by block + FOR (i, 0, text_size >> 6) { // number of blocks + chacha20_refill_pool(ctx); + if (plain_text != 0) { + FOR (j, 0, 16) { + u32 plain = load32_le(plain_text); + store32_le(cipher_text, ctx->pool[j] ^ plain); + plain_text += 4; + cipher_text += 4; + } + } else { + FOR (j, 0, 16) { + store32_le(cipher_text, ctx->pool[j]); + cipher_text += 4; + } + } + ctx->pool_idx = 64; + } + text_size &= 63; + + // remaining bytes + chacha20_encrypt(ctx, cipher_text, plain_text, text_size); +} + +void crypto_chacha20_stream(crypto_chacha_ctx *ctx, + uint8_t *stream, size_t size) +{ + crypto_chacha20_encrypt(ctx, stream, 0, size); +} + + +///////////////// +/// Poly 1305 /// +///////////////// + +// h = (h + c) * r +// preconditions: +// ctx->h <= 4_ffffffff_ffffffff_ffffffff_ffffffff +// ctx->c <= 1_ffffffff_ffffffff_ffffffff_ffffffff +// ctx->r <= 0ffffffc_0ffffffc_0ffffffc_0fffffff +// Postcondition: +// ctx->h <= 4_ffffffff_ffffffff_ffffffff_ffffffff +static void poly_block(crypto_poly1305_ctx *ctx) +{ + // s = h + c, without carry propagation + const u64 s0 = ctx->h[0] + (u64)ctx->c[0]; // s0 <= 1_fffffffe + const u64 s1 = ctx->h[1] + (u64)ctx->c[1]; // s1 <= 1_fffffffe + const u64 s2 = ctx->h[2] + (u64)ctx->c[2]; // s2 <= 1_fffffffe + const u64 s3 = ctx->h[3] + (u64)ctx->c[3]; // s3 <= 1_fffffffe + const u32 s4 = ctx->h[4] + ctx->c[4]; // s4 <= 5 + + // Local all the things! + const u32 r0 = ctx->r[0]; // r0 <= 0fffffff + const u32 r1 = ctx->r[1]; // r1 <= 0ffffffc + const u32 r2 = ctx->r[2]; // r2 <= 0ffffffc + const u32 r3 = ctx->r[3]; // r3 <= 0ffffffc + const u32 rr0 = (r0 >> 2) * 5; // rr0 <= 13fffffb // lose 2 bits... 
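+    // Why the factor 5: limb products below whose combined weight reaches
+    // 2^128 are reduced using 2^130 == 5 (mod 2^130-5).  r1..r3 are
+    // multiples of 4 after clamping, so r_j * 2^128 == (r_j >> 2) * 5,
+    // i.e. rr_j; r0 is not, hence the two bits lost above and recovered
+    // by the x4 = s4 * (r0 & 3) term further down.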
+ const u32 rr1 = (r1 >> 2) + r1; // rr1 <= 13fffffb // rr1 == (r1 >> 2) * 5 + const u32 rr2 = (r2 >> 2) + r2; // rr2 <= 13fffffb // rr1 == (r2 >> 2) * 5 + const u32 rr3 = (r3 >> 2) + r3; // rr3 <= 13fffffb // rr1 == (r3 >> 2) * 5 + + // (h + c) * r, without carry propagation + const u64 x0 = s0*r0 + s1*rr3 + s2*rr2 + s3*rr1 +s4*rr0;//<=97ffffe007fffff8 + const u64 x1 = s0*r1 + s1*r0 + s2*rr3 + s3*rr2 +s4*rr1;//<=8fffffe20ffffff6 + const u64 x2 = s0*r2 + s1*r1 + s2*r0 + s3*rr3 +s4*rr2;//<=87ffffe417fffff4 + const u64 x3 = s0*r3 + s1*r2 + s2*r1 + s3*r0 +s4*rr3;//<=7fffffe61ffffff2 + const u32 x4 = s4 * (r0 & 3); // ...recover 2 bits //<= f + + // partial reduction modulo 2^130 - 5 + const u32 u5 = x4 + (x3 >> 32); // u5 <= 7ffffff5 + const u64 u0 = (u5 >> 2) * 5 + (x0 & 0xffffffff); + const u64 u1 = (u0 >> 32) + (x1 & 0xffffffff) + (x0 >> 32); + const u64 u2 = (u1 >> 32) + (x2 & 0xffffffff) + (x1 >> 32); + const u64 u3 = (u2 >> 32) + (x3 & 0xffffffff) + (x2 >> 32); + const u64 u4 = (u3 >> 32) + (u5 & 3); + + // Update the hash + ctx->h[0] = u0 & 0xffffffff; // u0 <= 1_9ffffff0 + ctx->h[1] = u1 & 0xffffffff; // u1 <= 1_97ffffe0 + ctx->h[2] = u2 & 0xffffffff; // u2 <= 1_8fffffe2 + ctx->h[3] = u3 & 0xffffffff; // u3 <= 1_87ffffe4 + ctx->h[4] = (u32)u4; // u4 <= 4 +} + +// (re-)initializes the input counter and input buffer +static void poly_clear_c(crypto_poly1305_ctx *ctx) +{ + ctx->c[0] = 0; + ctx->c[1] = 0; + ctx->c[2] = 0; + ctx->c[3] = 0; + ctx->c_idx = 0; +} + +static void poly_take_input(crypto_poly1305_ctx *ctx, u8 input) +{ + size_t word = ctx->c_idx >> 2; + size_t byte = ctx->c_idx & 3; + ctx->c[word] |= (u32)input << (byte * 8); + ctx->c_idx++; +} + +static void poly_update(crypto_poly1305_ctx *ctx, + const u8 *message, size_t message_size) +{ + FOR (i, 0, message_size) { + poly_take_input(ctx, message[i]); + if (ctx->c_idx == 16) { + poly_block(ctx); + poly_clear_c(ctx); + } + } +} + +void crypto_poly1305_init(crypto_poly1305_ctx *ctx, const u8 key[32]) +{ + // Initial hash is zero + FOR (i, 0, 5) { + ctx->h[i] = 0; + } + // add 2^130 to every input block + ctx->c[4] = 1; + poly_clear_c(ctx); + // load r and pad (r has some of its bits cleared) + FOR (i, 0, 1) { ctx->r [0] = load32_le(key ) & 0x0fffffff; } + FOR (i, 1, 4) { ctx->r [i] = load32_le(key + i*4 ) & 0x0ffffffc; } + FOR (i, 0, 4) { ctx->pad[i] = load32_le(key + i*4 + 16); } +} + +void crypto_poly1305_update(crypto_poly1305_ctx *ctx, + const u8 *message, size_t message_size) +{ + // Align ourselves with block boundaries + size_t align = MIN(ALIGN(ctx->c_idx, 16), message_size); + poly_update(ctx, message, align); + message += align; + message_size -= align; + + // Process the message block by block + size_t nb_blocks = message_size >> 4; + FOR (i, 0, nb_blocks) { + ctx->c[0] = load32_le(message + 0); + ctx->c[1] = load32_le(message + 4); + ctx->c[2] = load32_le(message + 8); + ctx->c[3] = load32_le(message + 12); + poly_block(ctx); + message += 16; + } + if (nb_blocks > 0) { + poly_clear_c(ctx); + } + message_size &= 15; + + // remaining bytes + poly_update(ctx, message, message_size); +} + +void crypto_poly1305_final(crypto_poly1305_ctx *ctx, u8 mac[16]) +{ + // Process the last block (if any) + if (ctx->c_idx != 0) { + // move the final 1 according to remaining input length + // (We may add less than 2^130 to the last input block) + ctx->c[4] = 0; + poly_take_input(ctx, 1); + // one last hash update + poly_block(ctx); + } + + // check if we should subtract 2^130-5 by performing the + // corresponding carry propagation. 
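+    // Adding 5 and propagating the carries computes h + 5; its carry into
+    // bit 130 (u4 >= 4) is set exactly when h >= 2^130 - 5, i.e. exactly
+    // when the modulus must be subtracted once, without any branch.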
+ const u64 u0 = (u64)5 + ctx->h[0]; // <= 1_00000004 + const u64 u1 = (u0 >> 32) + ctx->h[1]; // <= 1_00000000 + const u64 u2 = (u1 >> 32) + ctx->h[2]; // <= 1_00000000 + const u64 u3 = (u2 >> 32) + ctx->h[3]; // <= 1_00000000 + const u64 u4 = (u3 >> 32) + ctx->h[4]; // <= 5 + // u4 indicates how many times we should subtract 2^130-5 (0 or 1) + + // h + pad, minus 2^130-5 if u4 exceeds 3 + const u64 uu0 = (u4 >> 2) * 5 + ctx->h[0] + ctx->pad[0]; // <= 2_00000003 + const u64 uu1 = (uu0 >> 32) + ctx->h[1] + ctx->pad[1]; // <= 2_00000000 + const u64 uu2 = (uu1 >> 32) + ctx->h[2] + ctx->pad[2]; // <= 2_00000000 + const u64 uu3 = (uu2 >> 32) + ctx->h[3] + ctx->pad[3]; // <= 2_00000000 + + store32_le(mac , (u32)uu0); + store32_le(mac + 4, (u32)uu1); + store32_le(mac + 8, (u32)uu2); + store32_le(mac + 12, (u32)uu3); + + WIPE_CTX(ctx); +} + +void crypto_poly1305(u8 mac[16], const u8 *message, + size_t message_size, const u8 key[32]) +{ + crypto_poly1305_ctx ctx; + crypto_poly1305_init (&ctx, key); + crypto_poly1305_update(&ctx, message, message_size); + crypto_poly1305_final (&ctx, mac); +} + +//////////////// +/// Blake2 b /// +//////////////// +static const u64 iv[8] = { + 0x6a09e667f3bcc908, 0xbb67ae8584caa73b, + 0x3c6ef372fe94f82b, 0xa54ff53a5f1d36f1, + 0x510e527fade682d1, 0x9b05688c2b3e6c1f, + 0x1f83d9abfb41bd6b, 0x5be0cd19137e2179, +}; + +// increment the input offset +static void blake2b_incr(crypto_blake2b_ctx *ctx) +{ + u64 *x = ctx->input_offset; + size_t y = ctx->input_idx; + x[0] += y; + if (x[0] < y) { + x[1]++; + } +} + +static void blake2b_compress(crypto_blake2b_ctx *ctx, int is_last_block) +{ + static const u8 sigma[12][16] = { + { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 }, + { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 }, + { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 }, + { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 }, + { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 }, + { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 }, + { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 }, + { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 }, + { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 }, + { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13, 0 }, + }; + + // init work vector + u64 v0 = ctx->hash[0]; u64 v8 = iv[0]; + u64 v1 = ctx->hash[1]; u64 v9 = iv[1]; + u64 v2 = ctx->hash[2]; u64 v10 = iv[2]; + u64 v3 = ctx->hash[3]; u64 v11 = iv[3]; + u64 v4 = ctx->hash[4]; u64 v12 = iv[4] ^ ctx->input_offset[0]; + u64 v5 = ctx->hash[5]; u64 v13 = iv[5] ^ ctx->input_offset[1]; + u64 v6 = ctx->hash[6]; u64 v14 = iv[6] ^ is_last_block; + u64 v7 = ctx->hash[7]; u64 v15 = iv[7]; + + // mangle work vector + uint64_t *input = ctx->input; +#define BLAKE2_G(v, a, b, c, d, x, y) \ + v##a += v##b + x; v##d = rotr64(v##d ^ v##a, 32); \ + v##c += v##d; v##b = rotr64(v##b ^ v##c, 24); \ + v##a += v##b + y; v##d = rotr64(v##d ^ v##a, 16); \ + v##c += v##d; v##b = rotr64(v##b ^ v##c, 63); +#define BLAKE2_ROUND(i) \ + BLAKE2_G(v, 0, 4, 8, 12, input[sigma[i][ 0]], input[sigma[i][ 1]]);\ + BLAKE2_G(v, 1, 5, 9, 13, input[sigma[i][ 2]], input[sigma[i][ 3]]);\ + BLAKE2_G(v, 2, 6, 10, 14, input[sigma[i][ 4]], input[sigma[i][ 5]]);\ + BLAKE2_G(v, 3, 7, 11, 15, input[sigma[i][ 6]], input[sigma[i][ 7]]);\ + BLAKE2_G(v, 0, 5, 10, 15, input[sigma[i][ 8]], input[sigma[i][ 9]]);\ + BLAKE2_G(v, 1, 6, 11, 12, input[sigma[i][10]], input[sigma[i][11]]);\ + BLAKE2_G(v, 2, 7, 8, 13, input[sigma[i][12]], input[sigma[i][13]]);\ + BLAKE2_G(v, 3, 4, 9, 14, 
input[sigma[i][14]], input[sigma[i][15]]) + + BLAKE2_ROUND(0); BLAKE2_ROUND(1); BLAKE2_ROUND(2); BLAKE2_ROUND(3); + BLAKE2_ROUND(4); BLAKE2_ROUND(5); BLAKE2_ROUND(6); BLAKE2_ROUND(7); + BLAKE2_ROUND(8); BLAKE2_ROUND(9); BLAKE2_ROUND(0); BLAKE2_ROUND(1); + + // update hash + ctx->hash[0] ^= v0 ^ v8; + ctx->hash[1] ^= v1 ^ v9; + ctx->hash[2] ^= v2 ^ v10; + ctx->hash[3] ^= v3 ^ v11; + ctx->hash[4] ^= v4 ^ v12; + ctx->hash[5] ^= v5 ^ v13; + ctx->hash[6] ^= v6 ^ v14; + ctx->hash[7] ^= v7 ^ v15; +} + +static void blake2b_set_input(crypto_blake2b_ctx *ctx, u8 input, size_t index) +{ + if (index == 0) { + FOR (i, 0, 16) { + ctx->input[i] = 0; + } + } + size_t word = index >> 3; + size_t byte = index & 7; + ctx->input[word] |= (u64)input << (byte << 3); + +} + +static void blake2b_end_block(crypto_blake2b_ctx *ctx) +{ + if (ctx->input_idx == 128) { // If buffer is full, + blake2b_incr(ctx); // update the input offset + blake2b_compress(ctx, 0); // and compress the (not last) block + ctx->input_idx = 0; + } +} + +static void blake2b_update(crypto_blake2b_ctx *ctx, + const u8 *message, size_t message_size) +{ + FOR (i, 0, message_size) { + blake2b_end_block(ctx); + blake2b_set_input(ctx, message[i], ctx->input_idx); + ctx->input_idx++; + } +} + +void crypto_blake2b_general_init(crypto_blake2b_ctx *ctx, size_t hash_size, + const u8 *key, size_t key_size) +{ + // initial hash + FOR (i, 0, 8) { + ctx->hash[i] = iv[i]; + } + ctx->hash[0] ^= 0x01010000 ^ (key_size << 8) ^ hash_size; + + ctx->input_offset[0] = 0; // begining of the input, no offset + ctx->input_offset[1] = 0; // begining of the input, no offset + ctx->hash_size = hash_size; // remember the hash size we want + ctx->input_idx = 0; + + // if there is a key, the first block is that key (padded with zeroes) + if (key_size > 0) { + crypto_blake2b_update(ctx, key , key_size); + crypto_blake2b_update(ctx, zero, 128 - key_size); + } +} + +void crypto_blake2b_init(crypto_blake2b_ctx *ctx) +{ + crypto_blake2b_general_init(ctx, 64, 0, 0); +} + +void crypto_blake2b_update(crypto_blake2b_ctx *ctx, + const u8 *message, size_t message_size) +{ + // Align ourselves with block boundaries + size_t align = MIN(ALIGN(ctx->input_idx, 128), message_size); + blake2b_update(ctx, message, align); + message += align; + message_size -= align; + + // Process the message block by block + FOR (i, 0, message_size >> 7) { // number of blocks + blake2b_end_block(ctx); + FOR (j, 0, 16) { + ctx->input[j] = load64_le(message + j*8); + } + message += 128; + ctx->input_idx = 128; + } + message_size &= 127; + + // remaining bytes + blake2b_update(ctx, message, message_size); +} + +void crypto_blake2b_final(crypto_blake2b_ctx *ctx, u8 *hash) +{ + // Pad the end of the block with zeroes + FOR (i, ctx->input_idx, 128) { + blake2b_set_input(ctx, 0, i); + } + blake2b_incr(ctx); // update the input offset + blake2b_compress(ctx, -1); // compress the last block + size_t nb_words = ctx->hash_size >> 3; + FOR (i, 0, nb_words) { + store64_le(hash + i*8, ctx->hash[i]); + } + FOR (i, nb_words * 8, ctx->hash_size) { + hash[i] = (ctx->hash[i >> 3] >> (8 * (i & 7))) & 0xff; + } + WIPE_CTX(ctx); +} + +void crypto_blake2b_general(u8 *hash , size_t hash_size, + const u8 *key , size_t key_size, + const u8 *message, size_t message_size) +{ + crypto_blake2b_ctx ctx; + crypto_blake2b_general_init(&ctx, hash_size, key, key_size); + crypto_blake2b_update(&ctx, message, message_size); + crypto_blake2b_final(&ctx, hash); +} + +void crypto_blake2b(u8 hash[64], const u8 *message, size_t message_size) +{ + 
crypto_blake2b_general(hash, 64, 0, 0, message, message_size); +} + + +//////////////// +/// Argon2 i /// +//////////////// +// references to R, Z, Q etc. come from the spec + +// Argon2 operates on 1024 byte blocks. +typedef struct { u64 a[128]; } block; + +static void wipe_block(block *b) +{ + volatile u64* a = b->a; + FOR (i, 0, 128) { + a[i] = 0; + } +} + +// updates a blake2 hash with a 32 bit word, little endian. +static void blake_update_32(crypto_blake2b_ctx *ctx, u32 input) +{ + u8 buf[4]; + store32_le(buf, input); + crypto_blake2b_update(ctx, buf, 4); + WIPE_BUFFER(buf); +} + +static void load_block(block *b, const u8 bytes[1024]) +{ + FOR (i, 0, 128) { + b->a[i] = load64_le(bytes + i*8); + } +} + +static void store_block(u8 bytes[1024], const block *b) +{ + FOR (i, 0, 128) { + store64_le(bytes + i*8, b->a[i]); + } +} + +static void copy_block(block *o,const block*in){FOR(i,0,128)o->a[i] = in->a[i];} +static void xor_block(block *o,const block*in){FOR(i,0,128)o->a[i]^= in->a[i];} + +// Hash with a virtually unlimited digest size. +// Doesn't extract more entropy than the base hash function. +// Mainly used for filling a whole kilobyte block with pseudo-random bytes. +// (One could use a stream cipher with a seed hash as the key, but +// this would introduce another dependency —and point of failure.) +static void extended_hash(u8 *digest, u32 digest_size, + const u8 *input , u32 input_size) +{ + crypto_blake2b_ctx ctx; + crypto_blake2b_general_init(&ctx, MIN(digest_size, 64), 0, 0); + blake_update_32 (&ctx, digest_size); + crypto_blake2b_update (&ctx, input, input_size); + crypto_blake2b_final (&ctx, digest); + + if (digest_size > 64) { + // the conversion to u64 avoids integer overflow on + // ludicrously big hash sizes. + u32 r = (((u64)digest_size + 31) >> 5) - 2; + u32 i = 1; + u32 in = 0; + u32 out = 32; + while (i < r) { + // Input and output overlap. This is intentional + crypto_blake2b(digest + out, digest + in, 64); + i += 1; + in += 32; + out += 32; + } + crypto_blake2b_general(digest + out, digest_size - (32 * r), + 0, 0, // no key + digest + in , 64); + } +} + +#define LSB(x) ((x) & 0xffffffff) +#define G(a, b, c, d) \ + a += b + 2 * LSB(a) * LSB(b); d ^= a; d = rotr64(d, 32); \ + c += d + 2 * LSB(c) * LSB(d); b ^= c; b = rotr64(b, 24); \ + a += b + 2 * LSB(a) * LSB(b); d ^= a; d = rotr64(d, 16); \ + c += d + 2 * LSB(c) * LSB(d); b ^= c; b = rotr64(b, 63) +#define ROUND(v0, v1, v2, v3, v4, v5, v6, v7, \ + v8, v9, v10, v11, v12, v13, v14, v15) \ + G(v0, v4, v8, v12); G(v1, v5, v9, v13); \ + G(v2, v6, v10, v14); G(v3, v7, v11, v15); \ + G(v0, v5, v10, v15); G(v1, v6, v11, v12); \ + G(v2, v7, v8, v13); G(v3, v4, v9, v14) + +// Core of the compression function G. Computes Z from R in place. 
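+// ROUND below is Blake2b's round with G extended by a 32x32->64 bit
+// multiplication (a += b + 2*LSB(a)*LSB(b)), the multiplication-hardened
+// variant Argon2 adopts (inspired by BlaMka) to stay costly on dedicated
+// hardware.  It is applied to 16-word slices of the 128-word block along
+// two orthogonal groupings, mirroring Blake2b's column/diagonal passes.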
+static void g_rounds(block *work_block) +{ + // column rounds (work_block = Q) + for (int i = 0; i < 128; i += 16) { + ROUND(work_block->a[i ], work_block->a[i + 1], + work_block->a[i + 2], work_block->a[i + 3], + work_block->a[i + 4], work_block->a[i + 5], + work_block->a[i + 6], work_block->a[i + 7], + work_block->a[i + 8], work_block->a[i + 9], + work_block->a[i + 10], work_block->a[i + 11], + work_block->a[i + 12], work_block->a[i + 13], + work_block->a[i + 14], work_block->a[i + 15]); + } + // row rounds (work_block = Z) + for (int i = 0; i < 16; i += 2) { + ROUND(work_block->a[i ], work_block->a[i + 1], + work_block->a[i + 16], work_block->a[i + 17], + work_block->a[i + 32], work_block->a[i + 33], + work_block->a[i + 48], work_block->a[i + 49], + work_block->a[i + 64], work_block->a[i + 65], + work_block->a[i + 80], work_block->a[i + 81], + work_block->a[i + 96], work_block->a[i + 97], + work_block->a[i + 112], work_block->a[i + 113]); + } +} + +// The compression function G (copy version for the first pass) +static void g_copy(block *result, const block *x, const block *y, block* tmp) +{ + copy_block(tmp , x ); // tmp = X + xor_block (tmp , y ); // tmp = X ^ Y = R + copy_block(result, tmp); // result = R (only difference with g_xor) + g_rounds (tmp); // tmp = Z + xor_block (result, tmp); // result = R ^ Z +} + +// The compression function G (xor version for subsequent passes) +static void g_xor(block *result, const block *x, const block *y, block *tmp) +{ + copy_block(tmp , x ); // tmp = X + xor_block (tmp , y ); // tmp = X ^ Y = R + xor_block (result, tmp); // result = R ^ old (only difference with g_copy) + g_rounds (tmp); // tmp = Z + xor_block (result, tmp); // result = R ^ old ^ Z +} + +// unary version of the compression function. +// The missing argument is implied zero. +// Does the transformation in place. +static void unary_g(block *work_block) +{ + // work_block == R + block tmp; + copy_block(&tmp, work_block); // tmp = R + g_rounds(work_block); // work_block = Z + xor_block(work_block, &tmp); // work_block = Z ^ R + wipe_block(&tmp); +} + +// Argon2i uses a kind of stream cipher to determine which reference +// block it will take to synthesise the next block. This context hold +// that stream's state. (It's very similar to Chacha20. The block b +// is anologous to Chacha's own pool) +typedef struct { + block b; + u32 pass_number; + u32 slice_number; + u32 nb_blocks; + u32 nb_iterations; + u32 ctr; + u32 offset; +} gidx_ctx; + +// The block in the context will determine array indices. To avoid +// timing attacks, it only depends on public information. No looking +// at a previous block to seed the next. This makes offline attacks +// easier, but timing attacks are the bigger threat in many settings. +static void gidx_refresh(gidx_ctx *ctx) +{ + // seed the begining of the block... + ctx->b.a[0] = ctx->pass_number; + ctx->b.a[1] = 0; // lane number (we have only one) + ctx->b.a[2] = ctx->slice_number; + ctx->b.a[3] = ctx->nb_blocks; + ctx->b.a[4] = ctx->nb_iterations; + ctx->b.a[5] = 1; // type: Argon2i + ctx->b.a[6] = ctx->ctr; + FOR (i, 7, 128) { ctx->b.a[i] = 0; } // ...then zero the rest out + + // Shuffle the block thus: ctx->b = G((G(ctx->b, zero)), zero) + // (G "square" function), to get cheap pseudo-random numbers. 
+ unary_g(&ctx->b); + unary_g(&ctx->b); +} + +static void gidx_init(gidx_ctx *ctx, + u32 pass_number, u32 slice_number, + u32 nb_blocks, u32 nb_iterations) +{ + ctx->pass_number = pass_number; + ctx->slice_number = slice_number; + ctx->nb_blocks = nb_blocks; + ctx->nb_iterations = nb_iterations; + ctx->ctr = 0; + + // Offset from the begining of the segment. For the first slice + // of the first pass, we start at the *third* block, so the offset + // starts at 2, not 0. + if (pass_number != 0 || slice_number != 0) { + ctx->offset = 0; + } else { + ctx->offset = 2; + ctx->ctr++; // Compensates for missed lazy creation + gidx_refresh(ctx); // at the start of gidx_next() + } +} + +static u32 gidx_next(gidx_ctx *ctx) +{ + // lazily creates the offset block we need + if ((ctx->offset & 127) == 0) { + ctx->ctr++; + gidx_refresh(ctx); + } + u32 index = ctx->offset & 127; // save index for current call + u32 offset = ctx->offset; // save offset for current call + ctx->offset++; // update offset for next call + + // Computes the area size. + // Pass 0 : all already finished segments plus already constructed + // blocks in this segment + // Pass 1+: 3 last segments plus already constructed + // blocks in this segment. THE SPEC SUGGESTS OTHERWISE. + // I CONFORM TO THE REFERENCE IMPLEMENTATION. + int first_pass = ctx->pass_number == 0; + u32 slice_size = ctx->nb_blocks >> 2; + u32 nb_segments = first_pass ? ctx->slice_number : 3; + u32 area_size = nb_segments * slice_size + offset - 1; + + // Computes the starting position of the reference area. + // CONTRARY TO WHAT THE SPEC SUGGESTS, IT STARTS AT THE + // NEXT SEGMENT, NOT THE NEXT BLOCK. + u32 next_slice = ((ctx->slice_number + 1) & 3) * slice_size; + u32 start_pos = first_pass ? 0 : next_slice; + + // Generate offset from J1 (no need for J2, there's only one lane) + u64 j1 = ctx->b.a[index] & 0xffffffff; // pseudo-random number + u64 x = (j1 * j1) >> 32; + u64 y = (area_size * x) >> 32; + u64 z = (area_size - 1) - y; + return (start_pos + z) % ctx->nb_blocks; +} + +// Main algorithm +void crypto_argon2i_general(u8 *hash, u32 hash_size, + void *work_area, u32 nb_blocks, + u32 nb_iterations, + const u8 *password, u32 password_size, + const u8 *salt, u32 salt_size, + const u8 *key, u32 key_size, + const u8 *ad, u32 ad_size) +{ + // work area seen as blocks (must be suitably aligned) + block *blocks = (block*)work_area; + { + crypto_blake2b_ctx ctx; + crypto_blake2b_init(&ctx); + + blake_update_32 (&ctx, 1 ); // p: number of threads + blake_update_32 (&ctx, hash_size ); + blake_update_32 (&ctx, nb_blocks ); + blake_update_32 (&ctx, nb_iterations); + blake_update_32 (&ctx, 0x13 ); // v: version number + blake_update_32 (&ctx, 1 ); // y: Argon2i + blake_update_32 (&ctx, password_size); + crypto_blake2b_update(&ctx, password, password_size); + blake_update_32 (&ctx, salt_size); + crypto_blake2b_update(&ctx, salt, salt_size); + blake_update_32 (&ctx, key_size); + crypto_blake2b_update(&ctx, key, key_size); + blake_update_32 (&ctx, ad_size); + crypto_blake2b_update(&ctx, ad, ad_size); + + u8 initial_hash[72]; // 64 bytes plus 2 words for future hashes + crypto_blake2b_final(&ctx, initial_hash); + + // fill first 2 blocks + block tmp_block; + u8 hash_area[1024]; + store32_le(initial_hash + 64, 0); // first additional word + store32_le(initial_hash + 68, 0); // second additional word + extended_hash(hash_area, 1024, initial_hash, 72); + load_block(&tmp_block, hash_area); + copy_block(blocks, &tmp_block); + + store32_le(initial_hash + 64, 1); // slight 
modification + extended_hash(hash_area, 1024, initial_hash, 72); + load_block(&tmp_block, hash_area); + copy_block(blocks + 1, &tmp_block); + + WIPE_BUFFER(initial_hash); + WIPE_BUFFER(hash_area); + wipe_block(&tmp_block); + } + + // Actual number of blocks + nb_blocks -= nb_blocks & 3; // round down to 4 p (p == 1 thread) + const u32 segment_size = nb_blocks >> 2; + + // fill (then re-fill) the rest of the blocks + block tmp; + gidx_ctx ctx; + FOR (pass_number, 0, nb_iterations) { + int first_pass = pass_number == 0; + + FOR (segment, 0, 4) { + gidx_init(&ctx, (u32)pass_number, (u32)segment, + nb_blocks, nb_iterations); + + // On the first segment of the first pass, + // blocks 0 and 1 are already filled. + // We use the offset to skip them. + u32 start_offset = first_pass && segment == 0 ? 2 : 0; + u32 segment_start = (u32)segment * segment_size + start_offset; + u32 segment_end = ((u32)segment + 1) * segment_size; + FOR (current_block, segment_start, segment_end) { + u32 reference_block = gidx_next(&ctx); + u32 previous_block = current_block == 0 + ? nb_blocks - 1 + : (u32)current_block - 1; + block *c = blocks + current_block; + block *p = blocks + previous_block; + block *r = blocks + reference_block; + if (first_pass) { g_copy(c, p, r, &tmp); } + else { g_xor (c, p, r, &tmp); } + } + } + } + wipe_block(&ctx.b); + wipe_block(&tmp); + // hash the very last block with H' into the output hash + u8 final_block[1024]; + store_block(final_block, blocks + (nb_blocks - 1)); + extended_hash(hash, hash_size, final_block, 1024); + WIPE_BUFFER(final_block); + + // wipe work area + volatile u64 *p = (u64*)work_area; + FOR (i, 0, 128 * nb_blocks) { + p[i] = 0; + } +} + +void crypto_argon2i(u8 *hash, u32 hash_size, + void *work_area, u32 nb_blocks, + u32 nb_iterations, + const u8 *password, u32 password_size, + const u8 *salt, u32 salt_size) +{ + crypto_argon2i_general(hash, hash_size, + work_area, nb_blocks, nb_iterations, + password, password_size, + salt , salt_size, + 0, 0, 0, 0); +} + + + +//////////////////////////////////// +/// Arithmetic modulo 2^255 - 19 /// +//////////////////////////////////// +// Taken from Supercop's ref10 implementation. +// A bit bigger than TweetNaCl, over 4 times faster. 
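+// A field element is stored as 10 signed limbs in radix 2^25.5: even
+// limbs hold up to 26 bits and odd limbs up to 25, so the value is
+// f[0] + f[1]*2^26 + f[2]*2^51 + f[3]*2^77 + ... + f[9]*2^230.  The mixed
+// limb widths explain the occasional factors of 2 in fe_mul and fe_sq
+// below, and the reduction 2^255 == 19 (mod p) shows up as factors of 19.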
+ +// field element +typedef i32 fe[10]; + +static void fe_0(fe h) { FOR(i, 0, 10) h[i] = 0; } +static void fe_1(fe h) { h[0] = 1; FOR(i, 1, 10) h[i] = 0; } + +static void fe_copy(fe h,const fe f ){FOR(i,0,10) h[i] = f[i]; } +static void fe_neg (fe h,const fe f ){FOR(i,0,10) h[i] = -f[i]; } +static void fe_add (fe h,const fe f,const fe g){FOR(i,0,10) h[i] = f[i] + g[i];} +static void fe_sub (fe h,const fe f,const fe g){FOR(i,0,10) h[i] = f[i] - g[i];} + +static void fe_cswap(fe f, fe g, int b) +{ + FOR (i, 0, 10) { + i32 x = (f[i] ^ g[i]) & -b; + f[i] = f[i] ^ x; + g[i] = g[i] ^ x; + } +} + +static void fe_ccopy(fe f, const fe g, int b) +{ + FOR (i, 0, 10) { + i32 x = (f[i] ^ g[i]) & -b; + f[i] = f[i] ^ x; + } +} + +#define FE_CARRY \ + i64 c0, c1, c2, c3, c4, c5, c6, c7, c8, c9; \ + c9 = (t9 + (i64) (1<<24)) >> 25; t0 += c9 * 19; t9 -= c9 * (1 << 25); \ + c1 = (t1 + (i64) (1<<24)) >> 25; t2 += c1; t1 -= c1 * (1 << 25); \ + c3 = (t3 + (i64) (1<<24)) >> 25; t4 += c3; t3 -= c3 * (1 << 25); \ + c5 = (t5 + (i64) (1<<24)) >> 25; t6 += c5; t5 -= c5 * (1 << 25); \ + c7 = (t7 + (i64) (1<<24)) >> 25; t8 += c7; t7 -= c7 * (1 << 25); \ + c0 = (t0 + (i64) (1<<25)) >> 26; t1 += c0; t0 -= c0 * (1 << 26); \ + c2 = (t2 + (i64) (1<<25)) >> 26; t3 += c2; t2 -= c2 * (1 << 26); \ + c4 = (t4 + (i64) (1<<25)) >> 26; t5 += c4; t4 -= c4 * (1 << 26); \ + c6 = (t6 + (i64) (1<<25)) >> 26; t7 += c6; t6 -= c6 * (1 << 26); \ + c8 = (t8 + (i64) (1<<25)) >> 26; t9 += c8; t8 -= c8 * (1 << 26); \ + h[0]=(i32)t0; h[1]=(i32)t1; h[2]=(i32)t2; h[3]=(i32)t3; h[4]=(i32)t4; \ + h[5]=(i32)t5; h[6]=(i32)t6; h[7]=(i32)t7; h[8]=(i32)t8; h[9]=(i32)t9 + +static void fe_frombytes(fe h, const u8 s[32]) +{ + i64 t0 = load32_le(s); + i64 t1 = load24_le(s + 4) << 6; + i64 t2 = load24_le(s + 7) << 5; + i64 t3 = load24_le(s + 10) << 3; + i64 t4 = load24_le(s + 13) << 2; + i64 t5 = load32_le(s + 16); + i64 t6 = load24_le(s + 20) << 7; + i64 t7 = load24_le(s + 23) << 5; + i64 t8 = load24_le(s + 26) << 4; + i64 t9 = (load24_le(s + 29) & 8388607) << 2; + FE_CARRY; +} + +static void fe_mul_small(fe h, const fe f, i32 g) +{ + i64 t0 = f[0] * (i64) g; i64 t1 = f[1] * (i64) g; + i64 t2 = f[2] * (i64) g; i64 t3 = f[3] * (i64) g; + i64 t4 = f[4] * (i64) g; i64 t5 = f[5] * (i64) g; + i64 t6 = f[6] * (i64) g; i64 t7 = f[7] * (i64) g; + i64 t8 = f[8] * (i64) g; i64 t9 = f[9] * (i64) g; + FE_CARRY; +} +static void fe_mul121666(fe h, const fe f) { fe_mul_small(h, f, 121666); } + +static void fe_mul(fe h, const fe f, const fe g) +{ + // Everything is unrolled and put in temporary variables. + // We could roll the loop, but that would make curve25519 twice as slow. 
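+    // Schoolbook multiplication with the reduction folded in: the g*19
+    // precomputations absorb limb products that wrap past 2^255 (where
+    // 2^255 == 19 mod p), and F1, F3, F5, F7, F9 are doubled because the
+    // product of two odd-indexed (25-bit) limbs carries an extra factor
+    // of two relative to its target limb.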
+ i32 f0 = f[0]; i32 f1 = f[1]; i32 f2 = f[2]; i32 f3 = f[3]; i32 f4 = f[4]; + i32 f5 = f[5]; i32 f6 = f[6]; i32 f7 = f[7]; i32 f8 = f[8]; i32 f9 = f[9]; + i32 g0 = g[0]; i32 g1 = g[1]; i32 g2 = g[2]; i32 g3 = g[3]; i32 g4 = g[4]; + i32 g5 = g[5]; i32 g6 = g[6]; i32 g7 = g[7]; i32 g8 = g[8]; i32 g9 = g[9]; + i32 F1 = f1*2; i32 F3 = f3*2; i32 F5 = f5*2; i32 F7 = f7*2; i32 F9 = f9*2; + i32 G1 = g1*19; i32 G2 = g2*19; i32 G3 = g3*19; + i32 G4 = g4*19; i32 G5 = g5*19; i32 G6 = g6*19; + i32 G7 = g7*19; i32 G8 = g8*19; i32 G9 = g9*19; + + i64 h0 = f0*(i64)g0 + F1*(i64)G9 + f2*(i64)G8 + F3*(i64)G7 + f4*(i64)G6 + + F5*(i64)G5 + f6*(i64)G4 + F7*(i64)G3 + f8*(i64)G2 + F9*(i64)G1; + i64 h1 = f0*(i64)g1 + f1*(i64)g0 + f2*(i64)G9 + f3*(i64)G8 + f4*(i64)G7 + + f5*(i64)G6 + f6*(i64)G5 + f7*(i64)G4 + f8*(i64)G3 + f9*(i64)G2; + i64 h2 = f0*(i64)g2 + F1*(i64)g1 + f2*(i64)g0 + F3*(i64)G9 + f4*(i64)G8 + + F5*(i64)G7 + f6*(i64)G6 + F7*(i64)G5 + f8*(i64)G4 + F9*(i64)G3; + i64 h3 = f0*(i64)g3 + f1*(i64)g2 + f2*(i64)g1 + f3*(i64)g0 + f4*(i64)G9 + + f5*(i64)G8 + f6*(i64)G7 + f7*(i64)G6 + f8*(i64)G5 + f9*(i64)G4; + i64 h4 = f0*(i64)g4 + F1*(i64)g3 + f2*(i64)g2 + F3*(i64)g1 + f4*(i64)g0 + + F5*(i64)G9 + f6*(i64)G8 + F7*(i64)G7 + f8*(i64)G6 + F9*(i64)G5; + i64 h5 = f0*(i64)g5 + f1*(i64)g4 + f2*(i64)g3 + f3*(i64)g2 + f4*(i64)g1 + + f5*(i64)g0 + f6*(i64)G9 + f7*(i64)G8 + f8*(i64)G7 + f9*(i64)G6; + i64 h6 = f0*(i64)g6 + F1*(i64)g5 + f2*(i64)g4 + F3*(i64)g3 + f4*(i64)g2 + + F5*(i64)g1 + f6*(i64)g0 + F7*(i64)G9 + f8*(i64)G8 + F9*(i64)G7; + i64 h7 = f0*(i64)g7 + f1*(i64)g6 + f2*(i64)g5 + f3*(i64)g4 + f4*(i64)g3 + + f5*(i64)g2 + f6*(i64)g1 + f7*(i64)g0 + f8*(i64)G9 + f9*(i64)G8; + i64 h8 = f0*(i64)g8 + F1*(i64)g7 + f2*(i64)g6 + F3*(i64)g5 + f4*(i64)g4 + + F5*(i64)g3 + f6*(i64)g2 + F7*(i64)g1 + f8*(i64)g0 + F9*(i64)G9; + i64 h9 = f0*(i64)g9 + f1*(i64)g8 + f2*(i64)g7 + f3*(i64)g6 + f4*(i64)g5 + + f5*(i64)g4 + f6*(i64)g3 + f7*(i64)g2 + f8*(i64)g1 + f9*(i64)g0; + +#define CARRY \ + i64 c0, c1, c2, c3, c4, c5, c6, c7, c8, c9; \ + c0 = (h0 + (i64) (1<<25)) >> 26; h1 += c0; h0 -= c0 * (1 << 26); \ + c4 = (h4 + (i64) (1<<25)) >> 26; h5 += c4; h4 -= c4 * (1 << 26); \ + c1 = (h1 + (i64) (1<<24)) >> 25; h2 += c1; h1 -= c1 * (1 << 25); \ + c5 = (h5 + (i64) (1<<24)) >> 25; h6 += c5; h5 -= c5 * (1 << 25); \ + c2 = (h2 + (i64) (1<<25)) >> 26; h3 += c2; h2 -= c2 * (1 << 26); \ + c6 = (h6 + (i64) (1<<25)) >> 26; h7 += c6; h6 -= c6 * (1 << 26); \ + c3 = (h3 + (i64) (1<<24)) >> 25; h4 += c3; h3 -= c3 * (1 << 25); \ + c7 = (h7 + (i64) (1<<24)) >> 25; h8 += c7; h7 -= c7 * (1 << 25); \ + c4 = (h4 + (i64) (1<<25)) >> 26; h5 += c4; h4 -= c4 * (1 << 26); \ + c8 = (h8 + (i64) (1<<25)) >> 26; h9 += c8; h8 -= c8 * (1 << 26); \ + c9 = (h9 + (i64) (1<<24)) >> 25; h0 += c9 * 19; h9 -= c9 * (1 << 25); \ + c0 = (h0 + (i64) (1<<25)) >> 26; h1 += c0; h0 -= c0 * (1 << 26); \ + h[0]=(i32)h0; h[1]=(i32)h1; h[2]=(i32)h2; h[3]=(i32)h3; h[4]=(i32)h4; \ + h[5]=(i32)h5; h[6]=(i32)h6; h[7]=(i32)h7; h[8]=(i32)h8; h[9]=(i32)h9; \ + + CARRY; +} + +// we could use fe_mul() for this, but this is significantly faster +static void fe_sq(fe h, const fe f) +{ + i32 f0 = f[0]; i32 f1 = f[1]; i32 f2 = f[2]; i32 f3 = f[3]; i32 f4 = f[4]; + i32 f5 = f[5]; i32 f6 = f[6]; i32 f7 = f[7]; i32 f8 = f[8]; i32 f9 = f[9]; + i32 f0_2 = f0*2; i32 f1_2 = f1*2; i32 f2_2 = f2*2; i32 f3_2 = f3*2; + i32 f4_2 = f4*2; i32 f5_2 = f5*2; i32 f6_2 = f6*2; i32 f7_2 = f7*2; + i32 f5_38 = f5*38; i32 f6_19 = f6*19; i32 f7_38 = f7*38; + i32 f8_19 = f8*19; i32 f9_38 = f9*38; + + i64 h0 = f0 *(i64)f0 + 
f1_2*(i64)f9_38 + f2_2*(i64)f8_19 + + f3_2*(i64)f7_38 + f4_2*(i64)f6_19 + f5 *(i64)f5_38; + i64 h1 = f0_2*(i64)f1 + f2 *(i64)f9_38 + f3_2*(i64)f8_19 + + f4 *(i64)f7_38 + f5_2*(i64)f6_19; + i64 h2 = f0_2*(i64)f2 + f1_2*(i64)f1 + f3_2*(i64)f9_38 + + f4_2*(i64)f8_19 + f5_2*(i64)f7_38 + f6 *(i64)f6_19; + i64 h3 = f0_2*(i64)f3 + f1_2*(i64)f2 + f4 *(i64)f9_38 + + f5_2*(i64)f8_19 + f6 *(i64)f7_38; + i64 h4 = f0_2*(i64)f4 + f1_2*(i64)f3_2 + f2 *(i64)f2 + + f5_2*(i64)f9_38 + f6_2*(i64)f8_19 + f7 *(i64)f7_38; + i64 h5 = f0_2*(i64)f5 + f1_2*(i64)f4 + f2_2*(i64)f3 + + f6 *(i64)f9_38 + f7_2*(i64)f8_19; + i64 h6 = f0_2*(i64)f6 + f1_2*(i64)f5_2 + f2_2*(i64)f4 + + f3_2*(i64)f3 + f7_2*(i64)f9_38 + f8 *(i64)f8_19; + i64 h7 = f0_2*(i64)f7 + f1_2*(i64)f6 + f2_2*(i64)f5 + + f3_2*(i64)f4 + f8 *(i64)f9_38; + i64 h8 = f0_2*(i64)f8 + f1_2*(i64)f7_2 + f2_2*(i64)f6 + + f3_2*(i64)f5_2 + f4 *(i64)f4 + f9 *(i64)f9_38; + i64 h9 = f0_2*(i64)f9 + f1_2*(i64)f8 + f2_2*(i64)f7 + + f3_2*(i64)f6 + f4 *(i64)f5_2; + + CARRY; +} + +static void fe_sq2(fe h, const fe f) +{ + fe_sq(h, f); + fe_mul_small(h, h, 2); +} + +// This could be simplified, but it would be slower +static void fe_invert(fe out, const fe z) +{ + fe t0, t1, t2, t3; + fe_sq(t0, z ); + fe_sq(t1, t0); + fe_sq(t1, t1); + fe_mul(t1, z, t1); + fe_mul(t0, t0, t1); + fe_sq(t2, t0); fe_mul(t1 , t1, t2); + fe_sq(t2, t1); FOR (i, 1, 5) fe_sq(t2, t2); fe_mul(t1 , t2, t1); + fe_sq(t2, t1); FOR (i, 1, 10) fe_sq(t2, t2); fe_mul(t2 , t2, t1); + fe_sq(t3, t2); FOR (i, 1, 20) fe_sq(t3, t3); fe_mul(t2 , t3, t2); + fe_sq(t2, t2); FOR (i, 1, 10) fe_sq(t2, t2); fe_mul(t1 , t2, t1); + fe_sq(t2, t1); FOR (i, 1, 50) fe_sq(t2, t2); fe_mul(t2 , t2, t1); + fe_sq(t3, t2); FOR (i, 1, 100) fe_sq(t3, t3); fe_mul(t2 , t3, t2); + fe_sq(t2, t2); FOR (i, 1, 50) fe_sq(t2, t2); fe_mul(t1 , t2, t1); + fe_sq(t1, t1); FOR (i, 1, 5) fe_sq(t1, t1); fe_mul(out, t1, t0); + WIPE_BUFFER(t0); + WIPE_BUFFER(t1); + WIPE_BUFFER(t2); + WIPE_BUFFER(t3); +} + +// This could be simplified, but it would be slower +static void fe_pow22523(fe out, const fe z) +{ + fe t0, t1, t2; + fe_sq(t0, z); + fe_sq(t1,t0); fe_sq(t1, t1); fe_mul(t1, z, t1); + fe_mul(t0, t0, t1); + fe_sq(t0, t0); fe_mul(t0, t1, t0); + fe_sq(t1, t0); FOR (i, 1, 5) fe_sq(t1, t1); fe_mul(t0, t1, t0); + fe_sq(t1, t0); FOR (i, 1, 10) fe_sq(t1, t1); fe_mul(t1, t1, t0); + fe_sq(t2, t1); FOR (i, 1, 20) fe_sq(t2, t2); fe_mul(t1, t2, t1); + fe_sq(t1, t1); FOR (i, 1, 10) fe_sq(t1, t1); fe_mul(t0, t1, t0); + fe_sq(t1, t0); FOR (i, 1, 50) fe_sq(t1, t1); fe_mul(t1, t1, t0); + fe_sq(t2, t1); FOR (i, 1, 100) fe_sq(t2, t2); fe_mul(t1, t2, t1); + fe_sq(t1, t1); FOR (i, 1, 50) fe_sq(t1, t1); fe_mul(t0, t1, t0); + fe_sq(t0, t0); FOR (i, 1, 2) fe_sq(t0, t0); fe_mul(out, t0, z); + WIPE_BUFFER(t0); + WIPE_BUFFER(t1); + WIPE_BUFFER(t2); +} + +static void fe_tobytes(u8 s[32], const fe h) +{ + i32 t[10]; + FOR (i, 0, 10) { + t[i] = h[i]; + } + i32 q = (19 * t[9] + (((i32) 1) << 24)) >> 25; + FOR (i, 0, 5) { + q += t[2*i ]; q >>= 26; + q += t[2*i+1]; q >>= 25; + } + t[0] += 19 * q; + + i32 c0 = t[0] >> 26; t[1] += c0; t[0] -= c0 * (1 << 26); + i32 c1 = t[1] >> 25; t[2] += c1; t[1] -= c1 * (1 << 25); + i32 c2 = t[2] >> 26; t[3] += c2; t[2] -= c2 * (1 << 26); + i32 c3 = t[3] >> 25; t[4] += c3; t[3] -= c3 * (1 << 25); + i32 c4 = t[4] >> 26; t[5] += c4; t[4] -= c4 * (1 << 26); + i32 c5 = t[5] >> 25; t[6] += c5; t[5] -= c5 * (1 << 25); + i32 c6 = t[6] >> 26; t[7] += c6; t[6] -= c6 * (1 << 26); + i32 c7 = t[7] >> 25; t[8] += c7; t[7] -= c7 * (1 << 25); + i32 c8 = t[8] >> 26; t[9] += 
c8; t[8] -= c8 * (1 << 26); + i32 c9 = t[9] >> 25; t[9] -= c9 * (1 << 25); + + store32_le(s + 0, ((u32)t[0] >> 0) | ((u32)t[1] << 26)); + store32_le(s + 4, ((u32)t[1] >> 6) | ((u32)t[2] << 19)); + store32_le(s + 8, ((u32)t[2] >> 13) | ((u32)t[3] << 13)); + store32_le(s + 12, ((u32)t[3] >> 19) | ((u32)t[4] << 6)); + store32_le(s + 16, ((u32)t[5] >> 0) | ((u32)t[6] << 25)); + store32_le(s + 20, ((u32)t[6] >> 7) | ((u32)t[7] << 19)); + store32_le(s + 24, ((u32)t[7] >> 13) | ((u32)t[8] << 12)); + store32_le(s + 28, ((u32)t[8] >> 20) | ((u32)t[9] << 6)); + + WIPE_BUFFER(t); +} + +// Parity check. Returns 0 if even, 1 if odd +static int fe_isnegative(const fe f) +{ + u8 s[32]; + fe_tobytes(s, f); + u8 isneg = s[0] & 1; + WIPE_BUFFER(s); + return isneg; +} + +static int fe_isnonzero(const fe f) +{ + u8 s[32]; + fe_tobytes(s, f); + u8 isnonzero = zerocmp32(s); + WIPE_BUFFER(s); + return isnonzero; +} + +/////////////// +/// X-25519 /// Taken from Supercop's ref10 implementation. +/////////////// + +static void trim_scalar(u8 s[32]) +{ + s[ 0] &= 248; + s[31] &= 127; + s[31] |= 64; +} + +static int scalar_bit(const u8 s[32], int i) { return (s[i>>3] >> (i&7)) & 1; } + +int crypto_x25519(u8 raw_shared_secret[32], + const u8 your_secret_key [32], + const u8 their_public_key [32]) +{ + // computes the scalar product + fe x1; + fe_frombytes(x1, their_public_key); + + // restrict the possible scalar values + u8 e[32]; + FOR (i, 0, 32) { + e[i] = your_secret_key[i]; + } + trim_scalar(e); + + // computes the actual scalar product (the result is in x2 and z2) + fe x2, z2, x3, z3, t0, t1; + // Montgomery ladder + // In projective coordinates, to avoid divisons: x = X / Z + // We don't care about the y coordinate, it's only 1 bit of information + fe_1(x2); fe_0(z2); // "zero" point + fe_copy(x3, x1); fe_1(z3); // "one" point + int swap = 0; + for (int pos = 254; pos >= 0; --pos) { + // constant time conditional swap before ladder step + int b = scalar_bit(e, pos); + swap ^= b; // xor trick avoids swapping at the end of the loop + fe_cswap(x2, x3, swap); + fe_cswap(z2, z3, swap); + swap = b; // anticipates one last swap after the loop + + // Montgomery ladder step: replaces (P2, P3) by (P2*2, P2+P3) + // with differential addition + fe_sub(t0, x3, z3); fe_sub(t1, x2, z2); fe_add(x2, x2, z2); + fe_add(z2, x3, z3); fe_mul(z3, t0, x2); fe_mul(z2, z2, t1); + fe_sq (t0, t1 ); fe_sq (t1, x2 ); fe_add(x3, z3, z2); + fe_sub(z2, z3, z2); fe_mul(x2, t1, t0); fe_sub(t1, t1, t0); + fe_sq (z2, z2 ); fe_mul121666(z3, t1); fe_sq (x3, x3 ); + fe_add(t0, t0, z3); fe_mul(z3, x1, z2); fe_mul(z2, t1, t0); + } + // last swap is necessary to compensate for the xor trick + // Note: after this swap, P3 == P2 + P1. 
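/*
 * [Editorial note: explanatory comment, not part of the upstream change.]
 * After the final conditional swap, (x2 : z2) holds the projective X/Z
 * coordinates of e*P, where e is the clamped scalar.  The code below
 * recovers the affine x coordinate as x = X2/Z2 = X2 * Z2^(p-2)
 * (fe_invert uses Fermat's little theorem) and serialises it.  An
 * all-zero result typically means the peer supplied a low-order public
 * key, which is why the function then reports failure.
 */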
+ fe_cswap(x2, x3, swap); + fe_cswap(z2, z3, swap); + + // normalises the coordinates: x == X / Z + fe_invert(z2, z2); + fe_mul(x2, x2, z2); + fe_tobytes(raw_shared_secret, x2); + + WIPE_BUFFER(x1); WIPE_BUFFER(e ); + WIPE_BUFFER(x2); WIPE_BUFFER(z2); + WIPE_BUFFER(x3); WIPE_BUFFER(z3); + WIPE_BUFFER(t0); WIPE_BUFFER(t1); + + // Returns -1 if the output is all zero + // (happens with some malicious public keys) + return -1 - zerocmp32(raw_shared_secret); +} + +void crypto_x25519_public_key(u8 public_key[32], + const u8 secret_key[32]) +{ + static const u8 base_point[32] = {9}; + crypto_x25519(public_key, secret_key, base_point); +} + +/////////////// +/// Ed25519 /// +/////////////// + +static const u64 L[32] = { 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, + 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10}; + +static void modL(u8 *r, i64 x[64]) +{ + for (unsigned i = 63; i >= 32; i--) { + i64 carry = 0; + FOR (j, i-32, i-12) { + x[j] += carry - 16 * x[i] * L[j - (i - 32)]; + carry = (x[j] + 128) >> 8; + x[j] -= carry * (1 << 8); + } + x[i-12] += carry; + x[i] = 0; + } + i64 carry = 0; + FOR (i, 0, 32) { + x[i] += carry - (x[31] >> 4) * L[i]; + carry = x[i] >> 8; + x[i] &= 255; + } + FOR (i, 0, 32) { + x[i] -= carry * L[i]; + } + FOR (i, 0, 32) { + x[i+1] += x[i] >> 8; + r[i ] = x[i] & 255; + } +} + +static void reduce(u8 r[64]) +{ + i64 x[64]; + FOR (i, 0, 64) { + x[i] = (u64) r[i]; + r[i] = 0; + } + modL(r, x); + WIPE_BUFFER(x); +} + +// r = (a * b) + c +static void mul_add(u8 r[32], const u8 a[32], const u8 b[32], const u8 c[32]) +{ + i64 s[64]; + FOR (i, 0, 32) { s[i] = (u64) c[i]; } + FOR (i, 32, 64) { s[i] = 0; } + FOR (i, 0, 32) { + FOR (j, 0, 32) { + s[i+j] += a[i] * (u64) b[j]; + } + } + modL(r, s); + WIPE_BUFFER(s); +} + +static int is_above_L(const u8 a[32]) +{ + for (int i = 31; i >= 0; i--) { + if (a[i] > L[i]) { return 1; } + if (a[i] < L[i]) { return 0; } + } + return 1; +} + +// Point in a twisted Edwards curve, +// in extended projective coordinates. +// x = X/Z, y = Y/Z, T = XY/Z +typedef struct { fe X; fe Y; fe Z; fe T; } ge; +typedef struct { fe Yp; fe Ym; fe Z; fe T2; } ge_cached; + +static void ge_zero(ge *p) +{ + fe_0(p->X); + fe_1(p->Y); + fe_1(p->Z); + fe_0(p->T); +} + +static void ge_tobytes(u8 s[32], const ge *h) +{ + fe recip, x, y; + fe_invert(recip, h->Z); + fe_mul(x, h->X, recip); + fe_mul(y, h->Y, recip); + fe_tobytes(s, y); + s[31] ^= fe_isnegative(x) << 7; + + WIPE_BUFFER(recip); + WIPE_BUFFER(x); + WIPE_BUFFER(y); +} + +// Variable time! s must not be secret! 
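/*
 * [Editorial note: explanatory comment, not part of the upstream change.]
 * ge_frombytes_neg_vartime() decompresses a point from its 32-byte
 * encoding (y, with the sign of x in the top bit).  It solves the curve
 * equation -x^2 + y^2 = 1 + d*x^2*y^2 for x:
 *
 *     x^2 = (y^2 - 1) / (d*y^2 + 1) = u / v
 *
 * computing the candidate root as x = u*v^3 * (u*v^7)^((p-5)/8) and
 * correcting it with sqrt(-1) when necessary.  The decoded point comes
 * out with x negated (hence "_neg"), which is exactly what the
 * verification equation R = s*B - h*A in crypto_check_final() expects.
 */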
+static int ge_frombytes_neg_vartime(ge *h, const u8 s[32]) +{ + static const fe d = { + -10913610, 13857413, -15372611, 6949391, 114729, + -8787816, -6275908, -3247719, -18696448, -12055116 + } ; + static const fe sqrtm1 = { + -32595792, -7943725, 9377950, 3500415, 12389472, + -272473, -25146209, -2005654, 326686, 11406482 + } ; + fe u, v, v3, vxx, check; // no secret, no wipe + fe_frombytes(h->Y, s); + fe_1(h->Z); + fe_sq(u, h->Y); // y^2 + fe_mul(v, u, d); + fe_sub(u, u, h->Z); // u = y^2-1 + fe_add(v, v, h->Z); // v = dy^2+1 + + fe_sq(v3, v); + fe_mul(v3, v3, v); // v3 = v^3 + fe_sq(h->X, v3); + fe_mul(h->X, h->X, v); + fe_mul(h->X, h->X, u); // x = uv^7 + + fe_pow22523(h->X, h->X); // x = (uv^7)^((q-5)/8) + fe_mul(h->X, h->X, v3); + fe_mul(h->X, h->X, u); // x = uv^3(uv^7)^((q-5)/8) + + fe_sq(vxx, h->X); + fe_mul(vxx, vxx, v); + fe_sub(check, vxx, u); // vx^2-u + if (fe_isnonzero(check)) { + fe_add(check, vxx, u); // vx^2+u + if (fe_isnonzero(check)) { + return -1; + } + fe_mul(h->X, h->X, sqrtm1); + } + if (fe_isnegative(h->X) == (s[31] >> 7)) { + fe_neg(h->X, h->X); + } + fe_mul(h->T, h->X, h->Y); + return 0; +} + +static void ge_cache(ge_cached *c, const ge *p) +{ + static const fe D2 = { // - 2 * 121665 / 121666 + -21827239, -5839606, -30745221, 13898782, 229458, + 15978800, -12551817, -6495438, 29715968, 9444199 + }; + fe_add (c->Yp, p->Y, p->X); + fe_sub (c->Ym, p->Y, p->X); + fe_copy(c->Z , p->Z ); + fe_mul (c->T2, p->T, D2 ); +} + +static void ge_add(ge *s, const ge *p, const ge_cached *q) +{ + fe a, b; // not used to process secrets, no need to wipe + fe_add(a , p->Y, p->X ); + fe_sub(b , p->Y, p->X ); + fe_mul(a , a , q->Yp); + fe_mul(b , b , q->Ym); + fe_add(s->Y, a , b ); + fe_sub(s->X, a , b ); + + fe_add(s->Z, p->Z, p->Z ); + fe_mul(s->Z, s->Z, q->Z ); + fe_mul(s->T, p->T, q->T2); + fe_add(a , s->Z, s->T ); + fe_sub(b , s->Z, s->T ); + + fe_mul(s->T, s->X, s->Y); + fe_mul(s->X, s->X, b ); + fe_mul(s->Y, s->Y, a ); + fe_mul(s->Z, a , b ); +} + +static void ge_sub(ge *s, const ge *p, const ge_cached *q) +{ + ge_cached neg; + fe_copy(neg.Ym, q->Yp); + fe_copy(neg.Yp, q->Ym); + fe_copy(neg.Z , q->Z ); + fe_neg (neg.T2, q->T2); + ge_add(s, p, &neg); +} + +static void ge_madd(ge *s, const ge *p, const fe yp, const fe ym, const fe t2, + fe a, fe b) +{ + fe_add(a , p->Y, p->X ); + fe_sub(b , p->Y, p->X ); + fe_mul(a , a , yp ); + fe_mul(b , b , ym ); + fe_add(s->Y, a , b ); + fe_sub(s->X, a , b ); + + fe_add(s->Z, p->Z, p->Z ); + fe_mul(s->T, p->T, t2 ); + fe_add(a , s->Z, s->T ); + fe_sub(b , s->Z, s->T ); + + fe_mul(s->T, s->X, s->Y); + fe_mul(s->X, s->X, b ); + fe_mul(s->Y, s->Y, a ); + fe_mul(s->Z, a , b ); +} + +static void ge_double(ge *s, const ge *p, ge *q) +{ + fe_sq (q->X, p->X); + fe_sq (q->Y, p->Y); + fe_sq2(q->Z, p->Z); + fe_add(q->T, p->X, p->Y); + fe_sq (s->T, q->T); + fe_add(q->T, q->Y, q->X); + fe_sub(q->Y, q->Y, q->X); + fe_sub(q->X, s->T, q->T); + fe_sub(q->Z, q->Z, q->Y); + + fe_mul(s->X, q->X , q->Z); + fe_mul(s->Y, q->T , q->Y); + fe_mul(s->Z, q->Y , q->Z); + fe_mul(s->T, q->X , q->T); +} + +// Compute signed sliding windows (either 0, or odd numbers between -15 and 15) +static void slide(i8 adds[258], const u8 scalar[32]) +{ + FOR (i, 0, 256) { adds[i] = scalar_bit(scalar, i); } + FOR (i, 256, 258) { adds[i] = 0; } + FOR (i, 0, 254) { + if (adds[i] != 0) { + // base value of the 5-bit window + FOR (j, 1, 5) { + adds[i ] |= adds[i+j] << j; + adds[i+j] = 0; + } + if (adds[i] > 16) { + // go back to [-15, 15], propagate carry. 
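/*
 * [Editorial note: worked example, not part of the upstream change.]
 * For instance, a window whose 5 bits encode the value 25 becomes the
 * signed digit 25 - 32 = -7, and a carry of +1 is added to the bits just
 * above the window (a plain binary increment, performed by the while
 * loop below).  Nonzero digits are always odd and lie in [-15, 15], so a
 * digit d selects the precomputed odd multiple |d|*P via lut[|d|/2] in
 * LUT_ADD.
 */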
+ adds[i] -= 32; + int j = i + 5; + while (adds[j] != 0) { + adds[j] = 0; + j++; + } + adds[j] = 1; + } + } + } +} + +// Look up table for sliding windows +static void ge_precompute(ge_cached lut[8], const ge *P1) +{ + ge P2, tmp; + ge_double(&P2, P1, &tmp); + ge_cache(&lut[0], P1); + FOR (i, 0, 7) { + ge_add(&tmp, &P2, &lut[i]); + ge_cache(&lut[i+1], &tmp); + } +} + +// Could be a function, but the macro avoids some overhead. +#define LUT_ADD(sum, lut, adds, i) \ + if (adds[i] > 0) { ge_add(sum, sum, &lut[ adds[i] / 2]); } \ + if (adds[i] < 0) { ge_sub(sum, sum, &lut[-adds[i] / 2]); } + +// Variable time! P, sP, and sB must not be secret! +static void ge_double_scalarmult_vartime(ge *sum, const ge *P, + u8 p[32], u8 b[32]) +{ + static const fe X = { -14297830, -7645148, 16144683, -16471763, 27570974, + -2696100, -26142465, 8378389, 20764389, 8758491 }; + static const fe Y = { -26843541, -6710886, 13421773, -13421773, 26843546, + 6710886, -13421773, 13421773, -26843546, -6710886 }; + ge B; + fe_copy(B.X, X); + fe_copy(B.Y, Y); + fe_1 (B.Z); + fe_mul (B.T, X, Y); + + // cached points for addition + ge_cached cP[8]; ge_precompute(cP, P); + ge_cached cB[8]; ge_precompute(cB, &B); + i8 p_adds[258]; slide(p_adds, p); + i8 b_adds[258]; slide(b_adds, b); + + // Avoid the first doublings + int i = 253; + while (i >= 0 && + p_adds[i] == 0 && + b_adds[i] == 0) { + i--; + } + + // Merged double and add ladder + ge_zero(sum); + LUT_ADD(sum, cP, p_adds, i); + LUT_ADD(sum, cB, b_adds, i); + i--; + while (i >= 0) { + ge_double(sum, sum, &B); // B is no longer used, we can overwrite it + LUT_ADD(sum, cP, p_adds, i); + LUT_ADD(sum, cB, b_adds, i); + i--; + } +} + +// 5-bit signed comb in cached format (Niels coordinates, Z=1) +static const fe comb_Yp[16] = { + {2615675, 9989699, 17617367, -13953520, -8802803, + 1447286, -8909978, -270892, -12199203, -11617247}, + {-1271192, 4785266, -29856067, -6036322, -10435381, + 15493337, 20321440, -6036064, 15902131, 13420909}, + {-26170888, -12891603, 9568996, -6197816, 26424622, + 16308973, -4518568, -3771275, -15522557, 3991142}, + {-25875044, 1958396, 19442242, -9809943, -26099408, + -18589, -30794750, -14100910, 4971028, -10535388}, + {-13896937, -7357727, -12131124, 617289, -33188817, + 10080542, 6402555, 10779157, 1176712, 2472642}, + {71503, 12662254, -17008072, -8370006, 23408384, + -12897959, 32287612, 11241906, -16724175, 15336924}, + {27397666, 4059848, 23573959, 8868915, -10602416, + -10456346, -22812831, -9666299, 31810345, -2695469}, + {-3418193, -694531, 2320482, -11850408, -1981947, + -9606132, 23743894, 3933038, -25004889, -4478918}, + {-4448372, 5537982, -4805580, 14016777, 15544316, + 16039459, -7143453, -8003716, -21904564, 8443777}, + {32495180, 15749868, 2195406, -15542321, -3213890, + -4030779, -2915317, 12751449, -1872493, 11926798}, + {26779741, 12553580, -24344000, -4071926, -19447556, + -13464636, 21989468, 7826656, -17344881, 10055954}, + {5848288, -1639207, -10452929, -11760637, 6484174, + -5895268, -11561603, 587105, -19220796, 14378222}, + {32050187, 12536702, 9206308, -10016828, -13333241, + -4276403, -24225594, 14562479, -31803624, -9967812}, + {23536033, -6219361, 199701, 4574817, 30045793, + 7163081, -2244033, 883497, 10960746, -14779481}, + {-8143354, -11558749, 15772067, 14293390, 5914956, + -16702904, -7410985, 7536196, 6155087, 16571424}, + {6211591, -11166015, 24568352, 2768318, -10822221, + 11922793, 33211827, 3852290, -13160369, -8855385}, +}; +static const fe comb_Ym[16] = { + {8873912, 14981221, 13714139, 6923085, 25481101, 
+ 4243739, 4646647, -203847, 9015725, -16205935}, + {-1827892, 15407265, 2351140, -11810728, 28403158, + -1487103, -15057287, -4656433, -3780118, -1145998}, + {-30623162, -11845055, -11327147, -16008347, 17564978, + -1449578, -20580262, 14113978, 29643661, 15580734}, + {-15109423, 13348938, -14756006, 14132355, 30481360, + 1830723, -240510, 9371801, -13907882, 8024264}, + {25119567, 5628696, 10185251, -9279452, 683770, + -14523112, -7982879, -16450545, 1431333, -13253541}, + {-8390493, 1276691, 19008763, -12736675, -9249429, + -12526388, 17434195, -13761261, 18962694, -1227728}, + {26361856, -12366343, 8941415, 15163068, 7069802, + -7240693, -18656349, 8167008, 31106064, -1670658}, + {-5677136, -11012483, -1246680, -6422709, 14772010, + 1829629, -11724154, -15914279, -18177362, 1301444}, + {937094, 12383516, -22597284, 7580462, -18767748, + 13813292, -2323566, 13503298, 11510849, -10561992}, + {28028043, 14715827, -6558532, -1773240, 27563607, + -9374554, 3201863, 8865591, -16953001, 7659464}, + {13628467, 5701368, 4674031, 11935670, 11461401, + 10699118, 31846435, -114971, -8269924, -14777505}, + {-22124018, -12859127, 11966893, 1617732, 30972446, + -14350095, -21822286, 8369862, -29443219, -15378798}, + {290131, -471434, 8840522, -2654851, 25963762, + -11578288, -7227978, 13847103, 30641797, 6003514}, + {-23547482, -11475166, -11913550, 9374455, 22813401, + -5707910, 26635288, 9199956, 20574690, 2061147}, + {9715324, 7036821, -17981446, -11505533, 26555178, + -3571571, 5697062, -14128022, 2795223, 9694380}, + {14864569, -6319076, -3080, -8151104, 4994948, + -1572144, -41927, 9269803, 13881712, -13439497}, +}; +static const fe comb_T2[16] = { + {-18494317, 2686822, 18449263, -13905325, 5966562, + -3368714, 2738304, -8583315, 15987143, 12180258}, + {-33336513, -13705917, -18473364, -5039204, -4268481, + -4136039, -8192211, -2935105, -19354402, 5995895}, + {-19753139, -1729018, 21880604, 13471713, 28315373, + -8530159, -17492688, 11730577, -8790216, 3942124}, + {17278020, 3905045, 29577748, 11151940, 18451761, + -6801382, 31480073, -13819665, 26308905, 10868496}, + {26937294, 3313561, 28601532, -3497112, -22814130, + 11073654, 8956359, -16757370, 13465868, 16623983}, + {-5468054, 6059101, -31275300, 2469124, 26532937, + 8152142, 6423741, -11427054, -15537747, -10938247}, + {-11303505, -9659620, -12354748, -9331434, 19501116, + -9146390, -841918, -5315657, 8903828, 8839982}, + {16603354, -215859, 1591180, 3775832, -705596, + -13913449, 26574704, 14963118, 19649719, 6562441}, + {33188866, -12232360, -24929148, -6133828, 21818432, + 11040754, -3041582, -3524558, -29364727, -10264096}, + {-20704194, -12560423, -1235774, -785473, 13240395, + 4831780, -472624, -3796899, 25480903, -15422283}, + {-2204347, -16313180, -21388048, 7520851, -8697745, + -14460961, 20894017, 12210317, -475249, -2319102}, + {-16407882, 4940236, -21194947, 10781753, 22248400, + 14425368, 14866511, -7552907, 12148703, -7885797}, + {16376744, 15908865, -30663553, 4663134, -30882819, + -10105163, 19294784, -10800440, -33259252, 2563437}, + {30208741, 11594088, -15145888, 15073872, 5279309, + -9651774, 8273234, 4796404, -31270809, -13316433}, + {-17802574, 14455251, 27149077, -7832700, -29163160, + -7246767, 17498491, -4216079, 31788733, -14027536}, + {-25233439, -9389070, -6618212, -3268087, -521386, + -7350198, 21035059, -14970947, 25910190, 11122681}, +}; + +static void ge_scalarmult_base(ge *p, const u8 scalar[32]) +{ + // 5-bits signed comb, from Mike Hamburg's + // Fast and compact elliptic-curve cryptography (2012) + 
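/*
 * [Editorial note: explanatory comment, not part of the upstream change.]
 * "All bits set" trick: mul_add() below computes
 *
 *     s_scalar = scalar/2 + (2^255 - 1)/2   (mod L)
 *
 * so that scalar = 2*s_scalar - (2^255 - 1) (mod L); each of the 255 low
 * bits of s_scalar then contributes +2^i when set and -2^i when clear,
 * never 0.  Every loop iteration reads 5 such signed bits ("teeth", at
 * offsets i, i+51, i+102, i+153, i+204), and the sign of the top tooth
 * plus a 4-bit index select one of the 16 precomputed comb entries in
 * constant time.
 */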
static const u8 half_mod_L[32] = { // 1 / 2 modulo L + 0xf7, 0xe9, 0x7a, 0x2e, 0x8d, 0x31, 0x09, 0x2c, + 0x6b, 0xce, 0x7b, 0x51, 0xef, 0x7c, 0x6f, 0x0a, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08, + }; + static const u8 half_ones[32] = { // (2^255 - 1) / 2 modulo L + 0x42, 0x9a, 0xa3, 0xba, 0x23, 0xa5, 0xbf, 0xcb, + 0x11, 0x5b, 0x9d, 0xc5, 0x74, 0x95, 0xf3, 0xb6, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x07, + }; + // All bits set form: 1 means 1, 0 means -1 + u8 s_scalar[32]; + mul_add(s_scalar, scalar, half_mod_L, half_ones); + + // Double and add ladder + fe yp, ym, t2, n2, a, b; // temporaries for addition + ge dbl; // temporary for doublings + ge_zero(p); + for (int i = 50; i >= 0; i--) { + if (i < 50) { + ge_double(p, p, &dbl); + } + fe_1(yp); + fe_1(ym); + fe_0(t2); + u8 teeth = scalar_bit(s_scalar, i) + + (scalar_bit(s_scalar, i + 51) << 1) + + (scalar_bit(s_scalar, i + 102) << 2) + + (scalar_bit(s_scalar, i + 153) << 3) + + (scalar_bit(s_scalar, i + 204) << 4); + u8 high = teeth >> 4; + u8 index = (teeth ^ (high - 1)) & 15; + FOR (j, 0, 16) { + i32 select = 1 & (((j ^ index) - 1) >> 8); + fe_ccopy(yp, comb_Yp[j], select); + fe_ccopy(ym, comb_Ym[j], select); + fe_ccopy(t2, comb_T2[j], select); + } + + fe_neg(n2, t2); + fe_cswap(t2, n2, high); + fe_cswap(yp, ym, high); + ge_madd(p, p, ym, yp, n2, a, b); + } + WIPE_CTX(&dbl); + WIPE_BUFFER(a); WIPE_BUFFER(yp); WIPE_BUFFER(t2); + WIPE_BUFFER(b); WIPE_BUFFER(ym); WIPE_BUFFER(n2); + WIPE_BUFFER(s_scalar); +} + +void crypto_sign_public_key(u8 public_key[32], + const u8 secret_key[32]) +{ + u8 a[64]; + HASH(a, secret_key, 32); + trim_scalar(a); + ge A; + ge_scalarmult_base(&A, a); + ge_tobytes(public_key, &A); + WIPE_BUFFER(a); + WIPE_CTX(&A); +} + +void crypto_sign_init_first_pass(crypto_sign_ctx *ctx, + const u8 secret_key[32], + const u8 public_key[32]) +{ + u8 *a = ctx->buf; + u8 *prefix = ctx->buf + 32; + HASH(a, secret_key, 32); + trim_scalar(a); + + if (public_key == 0) { + crypto_sign_public_key(ctx->pk, secret_key); + } else { + FOR (i, 0, 32) { + ctx->pk[i] = public_key[i]; + } + } + + // Constructs the "random" nonce from the secret key and message. + // An actual random number would work just fine, and would save us + // the trouble of hashing the message twice. If we did that + // however, the user could fuck it up and reuse the nonce. + HASH_INIT (&ctx->hash); + HASH_UPDATE(&ctx->hash, prefix , 32); +} + +void crypto_sign_update(crypto_sign_ctx *ctx, const u8 *msg, size_t msg_size) +{ + HASH_UPDATE(&ctx->hash, msg, msg_size); +} + +void crypto_sign_init_second_pass(crypto_sign_ctx *ctx) +{ + u8 *r = ctx->buf + 32; + u8 *half_sig = ctx->buf + 64; + HASH_FINAL(&ctx->hash, r); + reduce(r); + + // first half of the signature = "random" nonce times basepoint + ge R; + ge_scalarmult_base(&R, r); + ge_tobytes(half_sig, &R); + WIPE_CTX(&R); + + // Hash R, the public key, and the message together. + // It cannot be done in parallel with the first hash. 
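/*
 * [Editorial note: explanatory comment, not part of the upstream change.]
 * Taken together, the two passes implement standard EdDSA:
 *
 *     a = clamp(H(secret_key)[0..31])     prefix = H(secret_key)[32..63]
 *     r = H(prefix || M) mod L            (first pass)
 *     R = [r]B                            (first half of the signature)
 *     h = H(R || A || M) mod L            (second pass)
 *     s = r + h*a mod L                   (computed in crypto_sign_final)
 *
 * with B the base point, A the public key, and H Blake2b-512 by default
 * (SHA-512 when ED25519_SHA512 is defined).
 */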
+ HASH_INIT (&ctx->hash); + HASH_UPDATE(&ctx->hash, half_sig, 32); + HASH_UPDATE(&ctx->hash, ctx->pk , 32); +} + +void crypto_sign_final(crypto_sign_ctx *ctx, u8 signature[64]) +{ + u8 *a = ctx->buf; + u8 *r = ctx->buf + 32; + u8 *half_sig = ctx->buf + 64; + u8 h_ram[64]; + HASH_FINAL(&ctx->hash, h_ram); + reduce(h_ram); // reduce the hash modulo L + FOR (i, 0, 32) { + signature[i] = half_sig[i]; + } + mul_add(signature + 32, h_ram, a, r); // s = h_ram * a + r + WIPE_CTX(ctx); + WIPE_BUFFER(h_ram); +} + +void crypto_sign(u8 signature[64], + const u8 secret_key[32], + const u8 public_key[32], + const u8 *message, size_t message_size) +{ + crypto_sign_ctx ctx; + crypto_sign_init_first_pass (&ctx, secret_key, public_key); + crypto_sign_update (&ctx, message, message_size); + crypto_sign_init_second_pass(&ctx); + crypto_sign_update (&ctx, message, message_size); + crypto_sign_final (&ctx, signature); +} + +void crypto_check_init(crypto_check_ctx *ctx, + const u8 signature[64], + const u8 public_key[32]) +{ + FOR (i, 0, 64) { ctx->sig[i] = signature [i]; } + FOR (i, 0, 32) { ctx->pk [i] = public_key[i]; } + HASH_INIT (&ctx->hash); + HASH_UPDATE(&ctx->hash, signature , 32); + HASH_UPDATE(&ctx->hash, public_key, 32); +} + +void crypto_check_update(crypto_check_ctx *ctx, const u8 *msg, size_t msg_size) +{ + HASH_UPDATE(&ctx->hash, msg , msg_size); +} + +int crypto_check_final(crypto_check_ctx *ctx) +{ + ge diff, A; + u8 h_ram[64], R_check[32]; + u8 *s = ctx->sig + 32; // s + u8 *R = ctx->sig; // R + if (ge_frombytes_neg_vartime(&A, ctx->pk) || + is_above_L(s)) { // prevent s malleability + return -1; + } + HASH_FINAL(&ctx->hash, h_ram); + reduce(h_ram); + ge_double_scalarmult_vartime(&diff, &A, h_ram, s); + ge_tobytes(R_check, &diff); // R_check = s*B - h_ram*A + return crypto_verify32(R, R_check); // R == R_check ? 
OK : fail + // No secret, no wipe +} + +int crypto_check(const u8 signature[64], + const u8 public_key[32], + const u8 *message, size_t message_size) +{ + crypto_check_ctx ctx; + crypto_check_init(&ctx, signature, public_key); + crypto_check_update(&ctx, message, message_size); + return crypto_check_final(&ctx); +} + +//////////////////// +/// Key exchange /// +//////////////////// +int crypto_key_exchange(u8 shared_key[32], + const u8 your_secret_key [32], + const u8 their_public_key[32]) +{ + u8 raw_shared_secret[32]; + int status = crypto_x25519(raw_shared_secret, + your_secret_key, their_public_key); + crypto_chacha20_H(shared_key, raw_shared_secret, zero); + WIPE_BUFFER(raw_shared_secret); + return status; +} + +//////////////////////////////// +/// Authenticated encryption /// +//////////////////////////////// +static void lock_ad_padding(crypto_lock_ctx *ctx) +{ + if (ctx->ad_phase) { + ctx->ad_phase = 0; + crypto_poly1305_update(&ctx->poly, zero, ALIGN(ctx->ad_size, 16)); + } +} + +void crypto_lock_init(crypto_lock_ctx *ctx, + const u8 key[32], const u8 nonce[24]) +{ + u8 auth_key[64]; // "Wasting" the whole Chacha block is faster + ctx->ad_phase = 1; + ctx->ad_size = 0; + ctx->message_size = 0; + crypto_chacha20_x_init(&ctx->chacha, key, nonce); + crypto_chacha20_stream(&ctx->chacha, auth_key, 64); + crypto_poly1305_init (&ctx->poly , auth_key); + WIPE_BUFFER(auth_key); +} + +void crypto_lock_auth_ad(crypto_lock_ctx *ctx, const u8 *msg, size_t msg_size) +{ + crypto_poly1305_update(&ctx->poly, msg, msg_size); + ctx->ad_size += msg_size; +} + +void crypto_lock_auth_message(crypto_lock_ctx *ctx, + const u8 *cipher_text, size_t text_size) +{ + lock_ad_padding(ctx); + ctx->message_size += text_size; + crypto_poly1305_update(&ctx->poly, cipher_text, text_size); +} + +void crypto_lock_update(crypto_lock_ctx *ctx, u8 *cipher_text, + const u8 *plain_text, size_t text_size) +{ + crypto_chacha20_encrypt(&ctx->chacha, cipher_text, plain_text, text_size); + crypto_lock_auth_message(ctx, cipher_text, text_size); +} + +void crypto_lock_final(crypto_lock_ctx *ctx, u8 mac[16]) +{ + lock_ad_padding(ctx); + u8 sizes[16]; // Not secret, not wiped + store64_le(sizes + 0, ctx->ad_size); + store64_le(sizes + 8, ctx->message_size); + crypto_poly1305_update(&ctx->poly, zero, ALIGN(ctx->message_size, 16)); + crypto_poly1305_update(&ctx->poly, sizes, 16); + crypto_poly1305_final (&ctx->poly, mac); + WIPE_CTX(ctx); +} + +void crypto_unlock_update(crypto_lock_ctx *ctx, u8 *plain_text, + const u8 *cipher_text, size_t text_size) +{ + crypto_unlock_auth_message(ctx, cipher_text, text_size); + crypto_chacha20_encrypt(&ctx->chacha, plain_text, cipher_text, text_size); +} + +int crypto_unlock_final(crypto_lock_ctx *ctx, const u8 mac[16]) +{ + u8 real_mac[16]; + crypto_lock_final(ctx, real_mac); + int mismatch = crypto_verify16(real_mac, mac); + WIPE_BUFFER(real_mac); + return mismatch; +} + +void crypto_lock_aead(u8 mac[16], + u8 *cipher_text, + const u8 key[32], + const u8 nonce[24], + const u8 *ad , size_t ad_size, + const u8 *plain_text, size_t text_size) +{ + crypto_lock_ctx ctx; + crypto_lock_init (&ctx, key, nonce); + crypto_lock_auth_ad(&ctx, ad, ad_size); + crypto_lock_update (&ctx, cipher_text, plain_text, text_size); + crypto_lock_final (&ctx, mac); +} + +int crypto_unlock_aead(u8 *plain_text, + const u8 key[32], + const u8 nonce[24], + const u8 mac[16], + const u8 *ad , size_t ad_size, + const u8 *cipher_text, size_t text_size) +{ + crypto_unlock_ctx ctx; + crypto_unlock_init (&ctx, key, nonce); + 
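/*
 * [Editorial note: explanatory comment, not part of the upstream change.]
 * The authenticator follows the RFC 7539 layout: the Poly1305 key is the
 * first 32 bytes of the initial (X)Chacha20 stream block, and the MAC
 * covers
 *
 *     AD || pad16(AD) || ciphertext || pad16(ciphertext)
 *        || le64(ad_size) || le64(ciphertext_size)
 *
 * with the zero padding supplied by lock_ad_padding() and
 * crypto_lock_final().  The calls below authenticate the ciphertext
 * first and only decrypt once the MAC has been checked.
 */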
crypto_unlock_auth_ad (&ctx, ad, ad_size); + crypto_unlock_auth_message(&ctx, cipher_text, text_size); + crypto_chacha_ctx chacha_ctx = ctx.chacha; // avoid the wiping... + if (crypto_unlock_final(&ctx, mac)) { // ...that occurs here + WIPE_CTX(&chacha_ctx); + return -1; // reject forgeries before wasting our time decrypting + } + crypto_chacha20_encrypt(&chacha_ctx, plain_text, cipher_text, text_size); + WIPE_CTX(&chacha_ctx); + return 0; +} + +void crypto_lock(u8 mac[16], + u8 *cipher_text, + const u8 key[32], + const u8 nonce[24], + const u8 *plain_text, size_t text_size) +{ + crypto_lock_aead(mac, cipher_text, key, nonce, 0, 0, plain_text, text_size); +} + +int crypto_unlock(u8 *plain_text, + const u8 key[32], + const u8 nonce[24], + const u8 mac[16], + const u8 *cipher_text, size_t text_size) +{ + return crypto_unlock_aead(plain_text, key, nonce, mac, 0, 0, + cipher_text, text_size); +} ADDED monocypher/monocypher.h Index: monocypher/monocypher.h ================================================================== --- /dev/null +++ monocypher/monocypher.h @@ -0,0 +1,280 @@ +#ifndef MONOCYPHER_H +#define MONOCYPHER_H + +#include +#include + +//////////////////////// +/// Type definitions /// +//////////////////////// + +// Do not rely on the size or content on any of those types, +// they may change without notice. + +// Chacha20 +typedef struct { + uint32_t input[16]; // current input, unencrypted + uint32_t pool [16]; // last input, encrypted + size_t pool_idx; // pointer to random_pool +} crypto_chacha_ctx; + +// Poly1305 +typedef struct { + uint32_t r[4]; // constant multiplier (from the secret key) + uint32_t h[5]; // accumulated hash + uint32_t c[5]; // chunk of the message + uint32_t pad[4]; // random number added at the end (from the secret key) + size_t c_idx; // How many bytes are there in the chunk. 
+} crypto_poly1305_ctx; + +// Authenticated encryption +typedef struct { + crypto_chacha_ctx chacha; + crypto_poly1305_ctx poly; + uint64_t ad_size; + uint64_t message_size; + int ad_phase; +} crypto_lock_ctx; +#define crypto_unlock_ctx crypto_lock_ctx + +// Hash (Blake2b) +typedef struct { + uint64_t hash[8]; + uint64_t input_offset[2]; + uint64_t input[16]; + size_t input_idx; + size_t hash_size; +} crypto_blake2b_ctx; + +// Signatures (EdDSA) +#ifdef ED25519_SHA512 + #include "sha512.h" + typedef crypto_sha512_ctx crypto_hash_ctx; +#else + typedef crypto_blake2b_ctx crypto_hash_ctx; +#endif +typedef struct { + crypto_hash_ctx hash; + uint8_t buf[96]; + uint8_t pk [32]; +} crypto_sign_ctx; +typedef struct { + crypto_hash_ctx hash; + uint8_t sig[64]; + uint8_t pk [32]; +} crypto_check_ctx; + + +//////////////////////////// +/// High level interface /// +//////////////////////////// + +// Constant time comparisons +// ------------------------- + +// Return 0 if a and b are equal, -1 otherwise +int crypto_verify16(const uint8_t a[16], const uint8_t b[16]); +int crypto_verify32(const uint8_t a[32], const uint8_t b[32]); +int crypto_verify64(const uint8_t a[64], const uint8_t b[64]); + +// Erase sensitive data +// -------------------- + +// Please erase all copies +void crypto_wipe(void *secret, size_t size); + + +// Authenticated encryption +// ------------------------ + +// Direct interface +void crypto_lock(uint8_t mac[16], + uint8_t *cipher_text, + const uint8_t key[32], + const uint8_t nonce[24], + const uint8_t *plain_text, size_t text_size); +int crypto_unlock(uint8_t *plain_text, + const uint8_t key[32], + const uint8_t nonce[24], + const uint8_t mac[16], + const uint8_t *cipher_text, size_t text_size); + +// Direct interface with additional data +void crypto_lock_aead(uint8_t mac[16], + uint8_t *cipher_text, + const uint8_t key[32], + const uint8_t nonce[24], + const uint8_t *ad , size_t ad_size, + const uint8_t *plain_text, size_t text_size); +int crypto_unlock_aead(uint8_t *plain_text, + const uint8_t key[32], + const uint8_t nonce[24], + const uint8_t mac[16], + const uint8_t *ad , size_t ad_size, + const uint8_t *cipher_text, size_t text_size); + +// Incremental interface (encryption) +void crypto_lock_init(crypto_lock_ctx *ctx, + const uint8_t key[32], + const uint8_t nonce[24]); +void crypto_lock_auth_ad(crypto_lock_ctx *ctx, + const uint8_t *message, + size_t message_size); +void crypto_lock_auth_message(crypto_lock_ctx *ctx, + const uint8_t *cipher_text, size_t text_size); +void crypto_lock_update(crypto_lock_ctx *ctx, + uint8_t *cipher_text, + const uint8_t *plain_text, + size_t text_size); +void crypto_lock_final(crypto_lock_ctx *ctx, uint8_t mac[16]); + +// Incremental interface (decryption) +#define crypto_unlock_init crypto_lock_init +#define crypto_unlock_auth_ad crypto_lock_auth_ad +#define crypto_unlock_auth_message crypto_lock_auth_message +void crypto_unlock_update(crypto_unlock_ctx *ctx, + uint8_t *plain_text, + const uint8_t *cipher_text, + size_t text_size); +int crypto_unlock_final(crypto_unlock_ctx *ctx, const uint8_t mac[16]); + + +// General purpose hash (Blake2b) +// ------------------------------ + +// Direct interface +void crypto_blake2b(uint8_t hash[64], + const uint8_t *message, size_t message_size); + +void crypto_blake2b_general(uint8_t *hash , size_t hash_size, + const uint8_t *key , size_t key_size, // optional + const uint8_t *message , size_t message_size); + +// Incremental interface +void crypto_blake2b_init (crypto_blake2b_ctx *ctx); +void 
crypto_blake2b_update(crypto_blake2b_ctx *ctx, + const uint8_t *message, size_t message_size); +void crypto_blake2b_final (crypto_blake2b_ctx *ctx, uint8_t *hash); + +void crypto_blake2b_general_init(crypto_blake2b_ctx *ctx, size_t hash_size, + const uint8_t *key, size_t key_size); + + +// Password key derivation (Argon2 i) +// ---------------------------------- +void crypto_argon2i(uint8_t *hash, uint32_t hash_size, // >= 4 + void *work_area, uint32_t nb_blocks, // >= 8 + uint32_t nb_iterations, // >= 1 + const uint8_t *password, uint32_t password_size, + const uint8_t *salt, uint32_t salt_size); + +void crypto_argon2i_general(uint8_t *hash, uint32_t hash_size,// >= 4 + void *work_area, uint32_t nb_blocks,// >= 8 + uint32_t nb_iterations, // >= 1 + const uint8_t *password, uint32_t password_size, + const uint8_t *salt, uint32_t salt_size,// >= 8 + const uint8_t *key, uint32_t key_size, + const uint8_t *ad, uint32_t ad_size); + + +// Key exchange (x25519 + HChacha20) +// --------------------------------- +#define crypto_key_exchange_public_key crypto_x25519_public_key +int crypto_key_exchange(uint8_t shared_key [32], + const uint8_t your_secret_key [32], + const uint8_t their_public_key[32]); + + +// Signatures (EdDSA with curve25519 + Blake2b) +// -------------------------------------------- + +// Generate public key +void crypto_sign_public_key(uint8_t public_key[32], + const uint8_t secret_key[32]); + +// Direct interface +void crypto_sign(uint8_t signature [64], + const uint8_t secret_key[32], + const uint8_t public_key[32], // optional, may be 0 + const uint8_t *message, size_t message_size); +int crypto_check(const uint8_t signature [64], + const uint8_t public_key[32], + const uint8_t *message, size_t message_size); + +// Incremental interface for signatures (2 passes) +void crypto_sign_init_first_pass(crypto_sign_ctx *ctx, + const uint8_t secret_key[32], + const uint8_t public_key[32]); +void crypto_sign_update(crypto_sign_ctx *ctx, + const uint8_t *message, size_t message_size); +void crypto_sign_init_second_pass(crypto_sign_ctx *ctx); +// use crypto_sign_update() again. +void crypto_sign_final(crypto_sign_ctx *ctx, uint8_t signature[64]); + +// Incremental interface for verification (1 pass) +void crypto_check_init (crypto_check_ctx *ctx, + const uint8_t signature[64], + const uint8_t public_key[32]); +void crypto_check_update(crypto_check_ctx *ctx, + const uint8_t *message, size_t message_size); +int crypto_check_final (crypto_check_ctx *ctx); + + +//////////////////////////// +/// Low level primitives /// +//////////////////////////// + +// For experts only. You have been warned. + + +// Chacha20 +// -------- + +// Specialised hash. 
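/*
 * [Editorial note: explanatory comment, not part of the upstream change.]
 * crypto_chacha20_H() is HChacha20.  crypto_chacha20_x_init() uses it to
 * turn a 24-byte XChacha20 nonce into an ordinary Chacha20 state: the
 * sub-key is HChacha20(key, nonce[0..15]) and the remaining 8 bytes are
 * used as the regular 8-byte nonce.  crypto_key_exchange() applies the
 * same primitive to the raw X25519 shared secret before returning it.
 */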
+void crypto_chacha20_H(uint8_t out[32], + const uint8_t key[32], + const uint8_t in [16]); + +void crypto_chacha20_init(crypto_chacha_ctx *ctx, + const uint8_t key[32], + const uint8_t nonce[8]); + +void crypto_chacha20_x_init(crypto_chacha_ctx *ctx, + const uint8_t key[32], + const uint8_t nonce[24]); + +void crypto_chacha20_set_ctr(crypto_chacha_ctx *ctx, uint64_t ctr); + +void crypto_chacha20_encrypt(crypto_chacha_ctx *ctx, + uint8_t *cipher_text, + const uint8_t *plain_text, + size_t text_size); + +void crypto_chacha20_stream(crypto_chacha_ctx *ctx, + uint8_t *stream, size_t size); + + +// Poly 1305 +// --------- + +// Direct interface +void crypto_poly1305(uint8_t mac[16], + const uint8_t *message, size_t message_size, + const uint8_t key[32]); + +// Incremental interface +void crypto_poly1305_init (crypto_poly1305_ctx *ctx, const uint8_t key[32]); +void crypto_poly1305_update(crypto_poly1305_ctx *ctx, + const uint8_t *message, size_t message_size); +void crypto_poly1305_final (crypto_poly1305_ctx *ctx, uint8_t mac[16]); + + +// X-25519 +// ------- +void crypto_x25519_public_key(uint8_t public_key[32], + const uint8_t secret_key[32]); +int crypto_x25519(uint8_t raw_shared_secret[32], + const uint8_t your_secret_key [32], + const uint8_t their_public_key [32]); + +#endif // MONOCYPHER_H ADDED monocypher/version Index: monocypher/version ================================================================== --- /dev/null +++ monocypher/version @@ -0,0 +1,1 @@ +2.0.5 Index: nano.c ================================================================== --- nano.c +++ nano.c @@ -1,5 +1,8 @@ +/* XXX:TODO: OpenMP support is currently incomplete */ +#undef NANO_TCL_HAVE_OPENMP + #include #include #include #include #include @@ -7,17 +10,17 @@ #ifdef NANO_TCL_HAVE_OPENMP # include #endif #include "randombytes.h" -#include "tweetnacl.h" -#include "blake2.h" +#include "monocypher.h" +#include "argon2.h" -#define NANO_SECRET_KEY_LENGTH (crypto_sign_SECRETKEYBYTES - crypto_sign_PUBLICKEYBYTES) -#define NANO_PUBLIC_KEY_LENGTH (crypto_sign_PUBLICKEYBYTES) +#define NANO_SECRET_KEY_LENGTH 32 +#define NANO_PUBLIC_KEY_LENGTH 32 #define NANO_BLOCK_HASH_LENGTH 32 -#define NANO_BLOCK_SIGNATURE_LENGTH crypto_sign_BYTES +#define NANO_BLOCK_SIGNATURE_LENGTH 64 #define NANO_WORK_VALUE_LENGTH 8 #define NANO_WORK_HASH_LENGTH 8 #define NANO_WORK_DEFAULT_MIN 0xffffffc000000000LLU #define TclNano_AttemptAlloc(x) ((void *) Tcl_AttemptAlloc(x)) @@ -51,56 +54,46 @@ if (tclcmd_ret != TCL_OK) { \ return(tclcmd_ret); \ } static unsigned char *nano_parse_secret_key(Tcl_Obj *secret_key_only_obj, int *out_key_length) { - unsigned char *secret_key, *public_key, *secret_key_only; - int secret_key_length, secret_key_only_length; + unsigned char *public_key, *secret_key_only; + int public_key_length, secret_key_only_length; secret_key_only = Tcl_GetByteArrayFromObj(secret_key_only_obj, &secret_key_only_length); if (secret_key_only_length != NANO_SECRET_KEY_LENGTH) { return(NULL); } - if ((NANO_SECRET_KEY_LENGTH + NANO_PUBLIC_KEY_LENGTH) != crypto_sign_SECRETKEYBYTES) { - return(NULL); - } - - secret_key_length = crypto_sign_SECRETKEYBYTES; - secret_key = TclNano_AttemptAlloc(secret_key_length); - if (!secret_key) { - return(NULL); - } - - memcpy(secret_key, secret_key_only, secret_key_only_length); - public_key = secret_key + secret_key_only_length; - crypto_sign_keypair(public_key, secret_key, 0); - - *out_key_length = secret_key_length; - return(secret_key); -} - -static int nano_tcl_generate_keypair(ClientData clientData, Tcl_Interp 
*interp, int objc, Tcl_Obj *const objv[]) { - unsigned char secret_key[crypto_sign_SECRETKEYBYTES], public_key[crypto_sign_PUBLICKEYBYTES]; - unsigned char *seed, *buffer, buffer_s[NANO_SECRET_KEY_LENGTH + 4]; - long seed_index; - int seed_length, buffer_length; - int csk_ret, tglfo_ret; + public_key_length = NANO_PUBLIC_KEY_LENGTH; + public_key = TclNano_AttemptAlloc(public_key_length); + if (!public_key) { + return(NULL); + } + + crypto_sign_public_key(public_key, secret_key_only); + + *out_key_length = public_key_length; + return(public_key); +} + +static int nano_tcl_generate_keypair(ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { + unsigned char secret_key[NANO_SECRET_KEY_LENGTH], public_key[NANO_PUBLIC_KEY_LENGTH]; + unsigned char *seed, *buffer, buffer_s[NANO_SECRET_KEY_LENGTH + 4]; + long seed_index; + int seed_length, buffer_length; + int tglfo_ret; if (objc != 1 && objc != 3) { Tcl_WrongNumArgs(interp, 1, objv, "?seed index?"); return(TCL_ERROR); } if (objc == 1) { - csk_ret = crypto_sign_keypair(public_key, secret_key, 1); - if (csk_ret != 0) { - Tcl_SetResult(interp, "Internal error", NULL); - - return(TCL_ERROR); - } + randombytes(secret_key, NANO_SECRET_KEY_LENGTH); + crypto_sign_public_key(public_key, secret_key); } else { seed = Tcl_GetByteArrayFromObj(objv[1], &seed_length); if (seed_length != NANO_SECRET_KEY_LENGTH) { Tcl_SetResult(interp, "Seed is not the right size", NULL); @@ -127,11 +120,11 @@ buffer[1] = (seed_index >> 16) & 0xff; buffer[2] = (seed_index >> 8) & 0xff; buffer[3] = seed_index & 0xff; buffer -= seed_length; - blake2b(secret_key, NANO_SECRET_KEY_LENGTH, buffer, buffer_length, NULL, 0); + crypto_blake2b_general(secret_key, NANO_SECRET_KEY_LENGTH, NULL, 0, buffer, buffer_length); } Tcl_SetObjResult(interp, Tcl_NewByteArrayObj(secret_key, NANO_SECRET_KEY_LENGTH)); return(TCL_OK); @@ -184,11 +177,11 @@ Tcl_SetResult(interp, "Internal error", NULL); return(TCL_ERROR); } - crypto_sign_keypair(public_key, secret_key, 0); + crypto_sign_public_key(public_key, secret_key); Tcl_SetObjResult(interp, Tcl_NewByteArrayObj(public_key, public_key_length)); TclNano_Free(public_key); @@ -197,71 +190,63 @@ /* NOTREACH */ clientData = clientData; } static int nano_tcl_sign_detached(ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { - int cs_ret; - unsigned char *signature, *data, *secret_key; + unsigned char *signature, *data, *secret_key, *public_key; unsigned long long signature_length; - int data_length, secret_key_length; + int data_length, public_key_length, secret_key_length; if (objc != 3) { Tcl_WrongNumArgs(interp, 1, objv, "data secretKey"); return(TCL_ERROR); } data = Tcl_GetByteArrayFromObj(objv[1], &data_length); - signature_length = data_length + NANO_BLOCK_SIGNATURE_LENGTH; - if (signature_length >= UINT_MAX) { - Tcl_SetResult(interp, "Input message too long", NULL); + signature_length = NANO_BLOCK_SIGNATURE_LENGTH; + + secret_key = Tcl_GetByteArrayFromObj(objv[2], &secret_key_length); + if (secret_key_length != NANO_SECRET_KEY_LENGTH) { + Tcl_SetResult(interp, "Secret key is not the right size", NULL); return(TCL_ERROR); } - secret_key = nano_parse_secret_key(objv[2], &secret_key_length); + public_key = nano_parse_secret_key(objv[2], &public_key_length); if (!secret_key) { Tcl_SetResult(interp, "Secret key is not the right size", NULL); return(TCL_ERROR); } signature = TclNano_AttemptAlloc(signature_length); if (!signature) { - TclNano_Free(secret_key); + TclNano_Free(public_key); Tcl_SetResult(interp, 
"Unable to allocate memory", NULL); return(TCL_ERROR); } - cs_ret = crypto_sign(signature, &signature_length, data, data_length, secret_key); - if (cs_ret != 0) { - TclNano_Free(secret_key); - TclNano_Free(signature); - - Tcl_SetResult(interp, "crypto_sign failed", NULL); - - return(TCL_ERROR); - } + crypto_sign(signature, secret_key, public_key, data, data_length); Tcl_SetObjResult(interp, Tcl_NewByteArrayObj(signature, NANO_BLOCK_SIGNATURE_LENGTH)); TclNano_Free(signature); - TclNano_Free(secret_key); + TclNano_Free(public_key); return(TCL_OK); /* NOTREACH */ clientData = clientData; } static int nano_tcl_verify_detached(ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { - int cso_ret; - unsigned char *signature, *data, *signed_data, *verify_data, *public_key; - int signature_length, data_length, signed_data_length, verify_data_length, public_key_length; - unsigned long long verify_data_length_nacl; + int cc_ret; + unsigned char *signature, *data, *public_key; + int signature_length, data_length, public_key_length; int result; if (objc != 4) { Tcl_WrongNumArgs(interp, 1, objv, "data signature publicKey"); @@ -281,49 +266,61 @@ Tcl_SetResult(interp, "Public key is not the right size", NULL); return(TCL_ERROR); } - signed_data_length = data_length + signature_length; - signed_data = TclNano_AttemptAlloc(signed_data_length); - if (!signed_data) { - Tcl_SetResult(interp, "Internal error", NULL); - - return(TCL_ERROR); - } - - memcpy(signed_data, signature, signature_length); - memcpy(signed_data + signature_length, data, data_length); - - verify_data_length = signed_data_length; - verify_data = TclNano_AttemptAlloc(verify_data_length); - if (!verify_data) { - TclNano_Free(verify_data); - - Tcl_SetResult(interp, "Internal error", NULL); - - return(TCL_ERROR); - } - - verify_data_length_nacl = verify_data_length; - cso_ret = crypto_sign_open(verify_data, &verify_data_length_nacl, signed_data, signed_data_length, public_key); + cc_ret = crypto_check(signature, public_key, data, data_length); result = 0; - if (cso_ret == 0) { + if (!cc_ret) { result = 1; } - TclNano_Free(signed_data); - TclNano_Free(verify_data); - Tcl_SetObjResult(interp, Tcl_NewBooleanObj(result)); return(TCL_OK); /* NOTREACH */ clientData = clientData; } +#if 0 +static int nano_tcl_derive_key_from_password(ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { + argon2_context argon2_context_item; + + if (objc != 2) { + Tcl_WrongNumArgs(interp, 1, objv, "password"); + + return(TCL_ERROR); + } + +unsigned char password[] = {0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01, 0x01} +unsigned char salt[] = {0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02, 0x02} +unsigned char secret[] = {0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03, 0x03} +unsigned char ad[] = {0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04, 0x04} +unsigned char phd[] = {0x24, 0xfd, 0xe9, 0x5a, 0x9d, 0xf5, 0x49, 0xd0, 0x02, 0xbd, 0x21, 0xb8, 0xb3, 0x45, 0x57, 0xe0, 0xf2, 0x53, 0x03, 0xd6, 0x53, 0x12, 0xf4, 0xc0, 0x7e, 0x1b, 0x0f, 0x12, 0x75, 0xb3, 0xe9, 0xd9, 0x45, 0xe9, 0x7b, 0x66, 0xbf, 0xe4, 0x27, 0x20, 0x6e, 0xca, 0xc7, 0xea, 0x2f, 0xfb, 0x1b, 0xe2, 0xc8, 0x3a, 0x15, 0xa6, 0x64, 0xb2, 0x4b, 0x4f, 0x6b, 0xc3, 0x34, 0x0d, 0x24, 0x89, 0x0b, 0x13} +unsigned char final_tag[] = {0xf8, 0x7c, 0x95, 0x96, 0xbd, 0xbf, 0x75, 0x0b, 
0xfb, 0x35, 0x3a, 0x89, 0x70, 0xe5, 0x44, 0x1a, 0x70, 0x24, 0x3e, 0xb4, 0x90, 0x30, 0xdf, 0xe2, 0x74, 0xd9, 0xad, 0x4e, 0x37, 0x0e, 0x38, 0x9b} + +argon2_context_item.pwd = password; +argon2_context_item.pwdlen = sizeof(password); +argon2_context_item.salt = salt; +argon2_context_item.saltlen = sizeof(salt); +argon2_context_item.secret = secret; +argon2_context_item.secretlen = sizeof(secret); +argon2_context_item.ad = ad; +argon2_context_item.adlen = sizeof(ad); +argon2_context_item.t_cost = 3; +argon2_context_item.m_cost = 16; +argon2_context_item.lanes = 4; +argon2_context_item.threads = 4; +argon2_context_item.version = ARGON2_VERSION_NUMBER; +argon2_context_item.allocate_cbk = NULL; +argon2_context_item.free_cbk = NULL; +argon2_context_item.flags = 0; + +} +#endif + static int nano_tcl_hash_data(ClientData clientData, Tcl_Interp *interp, int objc, Tcl_Obj *const objv[]) { unsigned char *data, result[NANO_BLOCK_SIGNATURE_LENGTH]; int tgifo_ret; int data_length, result_length; @@ -344,16 +341,16 @@ Tcl_SetResult(interp, "Hash length too large", NULL); return(TCL_ERROR); } - blake2b(result, result_length, data, data_length, NULL, 0); + crypto_blake2b_general(result, result_length, NULL, 0, data, data_length); } else { /* * Default to the same as the cryptographic primitive */ - crypto_hash(result, data, data_length); + crypto_blake2b(result, data, data_length); result_length = NANO_BLOCK_SIGNATURE_LENGTH; } Tcl_SetObjResult(interp, Tcl_NewByteArrayObj(result, result_length)); @@ -364,41 +361,25 @@ } static int nano_validate_work(const unsigned char *blockhash, const unsigned char *work, uint64_t workMin) { unsigned char workReversed[NANO_WORK_VALUE_LENGTH], workCheck[NANO_WORK_HASH_LENGTH]; unsigned int idxIn, idxOut; - blake2b_state workhash_state; + crypto_blake2b_ctx workhash_state; uint64_t workValue; - int blake2_ret; idxIn = sizeof(workReversed) - 1; idxOut = 0; while (idxOut < sizeof(workReversed)) { workReversed[idxOut] = work[idxIn]; idxOut++; idxIn--; } - blake2_ret = blake2b_init(&workhash_state, sizeof(workCheck)); - if (blake2_ret != 0) { - return(0); - } - - blake2_ret = blake2b_update(&workhash_state, workReversed, sizeof(workReversed)); - if (blake2_ret != 0) { - return(0); - } - - blake2_ret = blake2b_update(&workhash_state, blockhash, NANO_BLOCK_HASH_LENGTH); - if (blake2_ret != 0) { - return(0); - } - - blake2_ret = blake2b_final(&workhash_state, workCheck, sizeof(workCheck)); - if (blake2_ret != 0) { - return(0); - } + crypto_blake2b_general_init(&workhash_state, sizeof(workCheck), NULL, 0); + crypto_blake2b_update(&workhash_state, workReversed, sizeof(workReversed)); + crypto_blake2b_update(&workhash_state, blockhash, NANO_BLOCK_HASH_LENGTH); + crypto_blake2b_final(&workhash_state, workCheck); workValue = 0; for (idxIn = sizeof(workCheck); idxIn > 0; idxIn--) { workValue <<= 8; workValue |= workCheck[idxIn - 1]; @@ -417,11 +398,11 @@ unsigned int offset; int work_valid; memcpy(work, blockhash, sizeof(work)); -#pragma omp target map(tofrom:work) +/* XXX:TODO: INCOMPLETE OpenMP support #pragma omp target map(tofrom:work) */ while (1) { work_valid = nano_validate_work(blockhash, work, workMin); if (work_valid) { break; } @@ -626,10 +607,11 @@ TclNano_CreateObjCommand(interp, "::nano::internal::generateSeed", nano_tcl_generate_seed); TclNano_CreateObjCommand(interp, "::nano::internal::publicKey", nano_tcl_secret_key_to_public_key); TclNano_CreateObjCommand(interp, "::nano::internal::signDetached", nano_tcl_sign_detached); TclNano_CreateObjCommand(interp, 
"::nano::internal::verifyDetached", nano_tcl_verify_detached); TclNano_CreateObjCommand(interp, "::nano::internal::hashData", nano_tcl_hash_data); +// TclNano_CreateObjCommand(interp, "::nano::internal::deriveKeyFromPassword", nano_tcl_derive_key_from_password); TclNano_CreateObjCommand(interp, "::nano::internal::validateWork", nano_tcl_validate_work); TclNano_CreateObjCommand(interp, "::nano::internal::generateWork", nano_tcl_generate_work); TclNano_CreateObjCommand(interp, "::nano::internal::randomBytes", nano_tcl_random_bytes); TclNano_Eval(interp, nanoInitScript);