From 642252bda689af3d4f782311e2be77deb18922fb Mon Sep 17 00:00:00 2001 
From: Duncan Tebbs Date: Wed, 18 Sep 2019 10:09:51 +0100 Subject: [PATCH 1/8] depends: add chacha20 reference implementation from libsodium --- depends/CMakeLists.txt | 14 + .../crypto_stream/chacha20/ref/chacha20_ref.c | 312 +++++ .../crypto_stream/chacha20/ref/chacha20_ref.h | 8 + .../crypto_stream/chacha20/stream_chacha20.c | 184 +++ .../crypto_stream/chacha20/stream_chacha20.h | 22 + depends/libsodium/include/sodium/core.h | 28 + .../include/sodium/crypto_aead_aegis256.h | 96 ++ .../include/sodium/crypto_aead_aes256gcm.h | 179 +++ .../sodium/crypto_aead_chacha20poly1305.h | 180 +++ .../sodium/crypto_aead_xchacha20poly1305.h | 100 ++ .../libsodium/include/sodium/crypto_auth.h | 46 + .../include/sodium/crypto_auth_hmacsha256.h | 70 ++ .../include/sodium/crypto_auth_hmacsha512.h | 68 ++ .../sodium/crypto_auth_hmacsha512256.h | 65 + depends/libsodium/include/sodium/crypto_box.h | 177 +++ .../crypto_box_curve25519xchacha20poly1305.h | 164 +++ .../crypto_box_curve25519xsalsa20poly1305.h | 112 ++ .../include/sodium/crypto_core_ed25519.h | 100 ++ .../include/sodium/crypto_core_hchacha20.h | 36 + .../include/sodium/crypto_core_hsalsa20.h | 36 + .../include/sodium/crypto_core_ristretto255.h | 100 ++ .../include/sodium/crypto_core_salsa20.h | 36 + .../include/sodium/crypto_core_salsa2012.h | 36 + .../include/sodium/crypto_core_salsa208.h | 40 + .../include/sodium/crypto_generichash.h | 84 ++ .../sodium/crypto_generichash_blake2b.h | 118 ++ .../libsodium/include/sodium/crypto_hash.h | 40 + .../include/sodium/crypto_hash_sha256.h | 60 + .../include/sodium/crypto_hash_sha512.h | 60 + depends/libsodium/include/sodium/crypto_kdf.h | 53 + .../include/sodium/crypto_kdf_blake2b.h | 44 + depends/libsodium/include/sodium/crypto_kx.h | 66 ++ .../include/sodium/crypto_onetimeauth.h | 65 + .../sodium/crypto_onetimeauth_poly1305.h | 72 ++ .../libsodium/include/sodium/crypto_pwhash.h | 147 +++ .../include/sodium/crypto_pwhash_argon2i.h | 122 ++ 
.../include/sodium/crypto_pwhash_argon2id.h | 122 ++ .../crypto_pwhash_scryptsalsa208sha256.h | 120 ++ .../include/sodium/crypto_scalarmult.h | 46 + .../sodium/crypto_scalarmult_curve25519.h | 42 + .../sodium/crypto_scalarmult_ed25519.h | 51 + .../sodium/crypto_scalarmult_ristretto255.h | 43 + .../include/sodium/crypto_secretbox.h | 93 ++ .../crypto_secretbox_xchacha20poly1305.h | 70 ++ .../crypto_secretbox_xsalsa20poly1305.h | 69 ++ .../crypto_secretstream_xchacha20poly1305.h | 108 ++ .../include/sodium/crypto_shorthash.h | 41 + .../sodium/crypto_shorthash_siphash24.h | 50 + .../libsodium/include/sodium/crypto_sign.h | 107 ++ .../include/sodium/crypto_sign_ed25519.h | 124 ++ .../crypto_sign_edwards25519sha512batch.h | 55 + .../libsodium/include/sodium/crypto_stream.h | 59 + .../include/sodium/crypto_stream_chacha20.h | 106 ++ .../include/sodium/crypto_stream_salsa20.h | 61 + .../include/sodium/crypto_stream_salsa2012.h | 53 + .../include/sodium/crypto_stream_salsa208.h | 56 + .../include/sodium/crypto_stream_xchacha20.h | 61 + .../include/sodium/crypto_stream_xsalsa20.h | 61 + .../include/sodium/crypto_verify_16.h | 23 + .../include/sodium/crypto_verify_32.h | 23 + .../include/sodium/crypto_verify_64.h | 23 + depends/libsodium/include/sodium/export.h | 57 + .../sodium/private/chacha20_ietf_ext.h | 18 + .../libsodium/include/sodium/private/common.h | 263 +++++ .../include/sodium/private/ed25519_ref10.h | 144 +++ .../sodium/private/ed25519_ref10_fe_25_5.h | 1051 +++++++++++++++++ .../sodium/private/ed25519_ref10_fe_51.h | 519 ++++++++ .../include/sodium/private/implementations.h | 13 + .../libsodium/include/sodium/private/mutex.h | 9 + .../libsodium/include/sodium/private/quirks.h | 81 ++ .../include/sodium/private/sse2_64_32.h | 50 + .../libsodium/include/sodium/randombytes.h | 72 ++ .../sodium/randombytes_internal_random.h | 22 + .../include/sodium/randombytes_sysrandom.h | 19 + depends/libsodium/include/sodium/runtime.h | 52 + 
depends/libsodium/include/sodium/utils.h | 185 +++ depends/libsodium/randombytes/randombytes.c | 199 ++++ .../sysrandom/randombytes_sysrandom.c | 396 +++++++ depends/libsodium/sodium/core.c | 214 ++++ depends/libsodium/sodium/runtime.c | 309 +++++ depends/libsodium/sodium/utils.c | 839 +++++++++++++ 81 files changed, 9319 insertions(+) create mode 100644 depends/libsodium/crypto_stream/chacha20/ref/chacha20_ref.c create mode 100644 depends/libsodium/crypto_stream/chacha20/ref/chacha20_ref.h create mode 100644 depends/libsodium/crypto_stream/chacha20/stream_chacha20.c create mode 100644 depends/libsodium/crypto_stream/chacha20/stream_chacha20.h create mode 100644 depends/libsodium/include/sodium/core.h create mode 100644 depends/libsodium/include/sodium/crypto_aead_aegis256.h create mode 100644 depends/libsodium/include/sodium/crypto_aead_aes256gcm.h create mode 100644 depends/libsodium/include/sodium/crypto_aead_chacha20poly1305.h create mode 100644 depends/libsodium/include/sodium/crypto_aead_xchacha20poly1305.h create mode 100644 depends/libsodium/include/sodium/crypto_auth.h create mode 100644 depends/libsodium/include/sodium/crypto_auth_hmacsha256.h create mode 100644 depends/libsodium/include/sodium/crypto_auth_hmacsha512.h create mode 100644 depends/libsodium/include/sodium/crypto_auth_hmacsha512256.h create mode 100644 depends/libsodium/include/sodium/crypto_box.h create mode 100644 depends/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h create mode 100644 depends/libsodium/include/sodium/crypto_box_curve25519xsalsa20poly1305.h create mode 100644 depends/libsodium/include/sodium/crypto_core_ed25519.h create mode 100644 depends/libsodium/include/sodium/crypto_core_hchacha20.h create mode 100644 depends/libsodium/include/sodium/crypto_core_hsalsa20.h create mode 100644 depends/libsodium/include/sodium/crypto_core_ristretto255.h create mode 100644 depends/libsodium/include/sodium/crypto_core_salsa20.h create mode 100644 
depends/libsodium/include/sodium/crypto_core_salsa2012.h create mode 100644 depends/libsodium/include/sodium/crypto_core_salsa208.h create mode 100644 depends/libsodium/include/sodium/crypto_generichash.h create mode 100644 depends/libsodium/include/sodium/crypto_generichash_blake2b.h create mode 100644 depends/libsodium/include/sodium/crypto_hash.h create mode 100644 depends/libsodium/include/sodium/crypto_hash_sha256.h create mode 100644 depends/libsodium/include/sodium/crypto_hash_sha512.h create mode 100644 depends/libsodium/include/sodium/crypto_kdf.h create mode 100644 depends/libsodium/include/sodium/crypto_kdf_blake2b.h create mode 100644 depends/libsodium/include/sodium/crypto_kx.h create mode 100644 depends/libsodium/include/sodium/crypto_onetimeauth.h create mode 100644 depends/libsodium/include/sodium/crypto_onetimeauth_poly1305.h create mode 100644 depends/libsodium/include/sodium/crypto_pwhash.h create mode 100644 depends/libsodium/include/sodium/crypto_pwhash_argon2i.h create mode 100644 depends/libsodium/include/sodium/crypto_pwhash_argon2id.h create mode 100644 depends/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h create mode 100644 depends/libsodium/include/sodium/crypto_scalarmult.h create mode 100644 depends/libsodium/include/sodium/crypto_scalarmult_curve25519.h create mode 100644 depends/libsodium/include/sodium/crypto_scalarmult_ed25519.h create mode 100644 depends/libsodium/include/sodium/crypto_scalarmult_ristretto255.h create mode 100644 depends/libsodium/include/sodium/crypto_secretbox.h create mode 100644 depends/libsodium/include/sodium/crypto_secretbox_xchacha20poly1305.h create mode 100644 depends/libsodium/include/sodium/crypto_secretbox_xsalsa20poly1305.h create mode 100644 depends/libsodium/include/sodium/crypto_secretstream_xchacha20poly1305.h create mode 100644 depends/libsodium/include/sodium/crypto_shorthash.h create mode 100644 depends/libsodium/include/sodium/crypto_shorthash_siphash24.h create mode 100644 
depends/libsodium/include/sodium/crypto_sign.h create mode 100644 depends/libsodium/include/sodium/crypto_sign_ed25519.h create mode 100644 depends/libsodium/include/sodium/crypto_sign_edwards25519sha512batch.h create mode 100644 depends/libsodium/include/sodium/crypto_stream.h create mode 100644 depends/libsodium/include/sodium/crypto_stream_chacha20.h create mode 100644 depends/libsodium/include/sodium/crypto_stream_salsa20.h create mode 100644 depends/libsodium/include/sodium/crypto_stream_salsa2012.h create mode 100644 depends/libsodium/include/sodium/crypto_stream_salsa208.h create mode 100644 depends/libsodium/include/sodium/crypto_stream_xchacha20.h create mode 100644 depends/libsodium/include/sodium/crypto_stream_xsalsa20.h create mode 100644 depends/libsodium/include/sodium/crypto_verify_16.h create mode 100644 depends/libsodium/include/sodium/crypto_verify_32.h create mode 100644 depends/libsodium/include/sodium/crypto_verify_64.h create mode 100644 depends/libsodium/include/sodium/export.h create mode 100644 depends/libsodium/include/sodium/private/chacha20_ietf_ext.h create mode 100644 depends/libsodium/include/sodium/private/common.h create mode 100644 depends/libsodium/include/sodium/private/ed25519_ref10.h create mode 100644 depends/libsodium/include/sodium/private/ed25519_ref10_fe_25_5.h create mode 100644 depends/libsodium/include/sodium/private/ed25519_ref10_fe_51.h create mode 100644 depends/libsodium/include/sodium/private/implementations.h create mode 100644 depends/libsodium/include/sodium/private/mutex.h create mode 100644 depends/libsodium/include/sodium/private/quirks.h create mode 100644 depends/libsodium/include/sodium/private/sse2_64_32.h create mode 100644 depends/libsodium/include/sodium/randombytes.h create mode 100644 depends/libsodium/include/sodium/randombytes_internal_random.h create mode 100644 depends/libsodium/include/sodium/randombytes_sysrandom.h create mode 100644 depends/libsodium/include/sodium/runtime.h create mode 100644 
depends/libsodium/include/sodium/utils.h create mode 100644 depends/libsodium/randombytes/randombytes.c create mode 100644 depends/libsodium/randombytes/sysrandom/randombytes_sysrandom.c create mode 100644 depends/libsodium/sodium/core.c create mode 100644 depends/libsodium/sodium/runtime.c create mode 100644 depends/libsodium/sodium/utils.c
diff --git a/depends/CMakeLists.txt b/depends/CMakeLists.txt
index 3790dc6d8..24daae7b9 100644
--- a/depends/CMakeLists.txt
+++ b/depends/CMakeLists.txt
@@ -11,3 +11,17 @@ set_target_properties(ff PROPERTIES COMPILE_FLAGS
 add_library(blake2 blake2/sse/blake2b.c)
 target_include_directories(blake2 PUBLIC blake2/sse)
 
+
+file(GLOB_RECURSE SODIUM_SOURCE libsodium/**.c)
+add_library(sodium ${SODIUM_SOURCE})
+target_include_directories(
+ sodium
+
+ PUBLIC
+ libsodium/include
+
+ PRIVATE
+ libsodium/include/sodium
+ libsodium/crypto_stream/chacha20
+ )
+target_compile_definitions(sodium PRIVATE DEV_MODE=1 CONFIGURED=1)
diff --git a/depends/libsodium/crypto_stream/chacha20/ref/chacha20_ref.c b/depends/libsodium/crypto_stream/chacha20/ref/chacha20_ref.c
new file mode 100644
index 000000000..5616e163f
--- /dev/null
+++ b/depends/libsodium/crypto_stream/chacha20/ref/chacha20_ref.c
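Review bot: `file(GLOB_RECURSE SODIUM_SOURCE libsodium/**.c)` treats `**` as two ordinary wildcards rather than a globstar; `GLOB_RECURSE` already descends into subdirectories, so `libsodium/*.c` says the same thing without implying a feature CMake does not have, and without `CONFIGURE_DEPENDS` a vendored file added or dropped later is not noticed until someone re-runs CMake. The defines stop at `DEV_MODE=1 CONFIGURED=1`, so none of libsodium's autoconf `HAVE_*` feature macros are set: the `#if defined(HAVE_AVX2INTRIN_H) ...` blocks in the stream_chacha20.c hunk are therefore dead and the `dolbeau/` headers they include are not among the 81 files added, which is what makes this build link and deserves a comment at `add_library(sodium ...)` such as `# portable reference backends only; no HAVE_* feature macros are defined on purpose`. Any other vendored source that selects a backend through `HAVE_*` macros (the randombytes backend, if it does) will likewise silently take its fallback path, which is worth confirming explicitly for a crypto dependency. `DEV_MODE=1` presumably enables upstream's unreleased code paths (the diffstat pulls in `crypto_aead_aegis256.h`, which a stable libsodium release of this date does not ship), so the reason it is needed should be stated. Nothing records which upstream libsodium commit these 81 files were copied from; a one-line comment here (`# vendored from libsodium commit <upstream-commit>`) is the minimum needed to audit or refresh them.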
@@ -0,0 +1,312 @@
+
+/*
+ chacha-merged.c version 20080118
+ D. J. Bernstein
+ Public domain.
+ */
+
+#include
+#include
+#include
+
+#include "core.h"
+#include "crypto_stream_chacha20.h"
+#include "private/common.h"
+#include "utils.h"
+
+#include "stream_chacha20.h"
+#include "chacha20_ref.h"
+
+struct chacha_ctx {
+ uint32_t input[16];
+};
+
+typedef struct chacha_ctx chacha_ctx;
+
+#define U32C(v) (v##U)
+
+#define U32V(v) ((uint32_t)(v) &U32C(0xFFFFFFFF))
+
+#define ROTATE(v, c) (ROTL32(v, c))
+#define XOR(v, w) ((v) ^ (w))
+#define PLUS(v, w) (U32V((v) + (w)))
+#define PLUSONE(v) (PLUS((v), 1))
+
+#define QUARTERROUND(a, b, c, d) \
+ a = PLUS(a, b); \
+ d = ROTATE(XOR(d, a), 16); \
+ c = PLUS(c, d); \
+ b = ROTATE(XOR(b, c), 12); \
+ a = PLUS(a, b); \
+ d = ROTATE(XOR(d, a), 8); \
+ c = PLUS(c, d); \
+ b = ROTATE(XOR(b, c), 7);
+
+static void
+chacha_keysetup(chacha_ctx *ctx, const uint8_t *k)
+{
+ ctx->input[0] = U32C(0x61707865);
+ ctx->input[1] = U32C(0x3320646e);
+ ctx->input[2] = U32C(0x79622d32);
+ ctx->input[3] = U32C(0x6b206574);
+ ctx->input[4] = LOAD32_LE(k + 0);
+ ctx->input[5] = LOAD32_LE(k + 4);
+ ctx->input[6] = LOAD32_LE(k + 8);
+ ctx->input[7] = LOAD32_LE(k + 12);
+ ctx->input[8] = LOAD32_LE(k + 16);
+ ctx->input[9] = LOAD32_LE(k + 20);
+ ctx->input[10] = LOAD32_LE(k + 24);
+ ctx->input[11] = LOAD32_LE(k + 28);
+}
+
+static void
+chacha_ivsetup(chacha_ctx *ctx, const uint8_t *iv, const uint8_t *counter)
+{
+ ctx->input[12] = counter == NULL ? 0 : LOAD32_LE(counter + 0);
+ ctx->input[13] = counter == NULL ? 0 : LOAD32_LE(counter + 4);
+ ctx->input[14] = LOAD32_LE(iv + 0);
+ ctx->input[15] = LOAD32_LE(iv + 4);
+}
+
+static void
+chacha_ietf_ivsetup(chacha_ctx *ctx, const uint8_t *iv, const uint8_t *counter)
+{
+ ctx->input[12] = counter == NULL ? 0 : LOAD32_LE(counter);
+ ctx->input[13] = LOAD32_LE(iv + 0);
+ ctx->input[14] = LOAD32_LE(iv + 4);
+ ctx->input[15] = LOAD32_LE(iv + 8);
+}
+
+static void
+chacha20_encrypt_bytes(chacha_ctx *ctx, const uint8_t *m, uint8_t *c,
+ unsigned long long bytes)
+{
+ uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14,
+ x15;
+ uint32_t j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14,
+ j15;
+ uint8_t *ctarget = NULL;
+ uint8_t tmp[64];
+ unsigned int i;
+
+ if (!bytes) {
+ return; /* LCOV_EXCL_LINE */
+ }
+ j0 = ctx->input[0];
+ j1 = ctx->input[1];
+ j2 = ctx->input[2];
+ j3 = ctx->input[3];
+ j4 = ctx->input[4];
+ j5 = ctx->input[5];
+ j6 = ctx->input[6];
+ j7 = ctx->input[7];
+ j8 = ctx->input[8];
+ j9 = ctx->input[9];
+ j10 = ctx->input[10];
+ j11 = ctx->input[11];
+ j12 = ctx->input[12];
+ j13 = ctx->input[13];
+ j14 = ctx->input[14];
+ j15 = ctx->input[15];
+
+ for (;;) {
+ if (bytes < 64) {
+ memset(tmp, 0, 64);
+ for (i = 0; i < bytes; ++i) {
+ tmp[i] = m[i];
+ }
+ m = tmp;
+ ctarget = c;
+ c = tmp;
+ }
+ x0 = j0;
+ x1 = j1;
+ x2 = j2;
+ x3 = j3;
+ x4 = j4;
+ x5 = j5;
+ x6 = j6;
+ x7 = j7;
+ x8 = j8;
+ x9 = j9;
+ x10 = j10;
+ x11 = j11;
+ x12 = j12;
+ x13 = j13;
+ x14 = j14;
+ x15 = j15;
+ for (i = 20; i > 0; i -= 2) {
+ QUARTERROUND(x0, x4, x8, x12)
+ QUARTERROUND(x1, x5, x9, x13)
+ QUARTERROUND(x2, x6, x10, x14)
+ QUARTERROUND(x3, x7, x11, x15)
+ QUARTERROUND(x0, x5, x10, x15)
+ QUARTERROUND(x1, x6, x11, x12)
+ QUARTERROUND(x2, x7, x8, x13)
+ QUARTERROUND(x3, x4, x9, x14)
+ }
+ x0 = PLUS(x0, j0);
+ x1 = PLUS(x1, j1);
+ x2 = PLUS(x2, j2);
+ x3 = PLUS(x3, j3);
+ x4 = PLUS(x4, j4);
+ x5 = PLUS(x5, j5);
+ x6 = PLUS(x6, j6);
+ x7 = PLUS(x7, j7);
+ x8 = PLUS(x8, j8);
+ x9 = PLUS(x9, j9);
+ x10 = PLUS(x10, j10);
+ x11 = PLUS(x11, j11);
+ x12 = PLUS(x12, j12);
+ x13 = PLUS(x13, j13);
+ x14 = PLUS(x14, j14);
+ x15 = PLUS(x15, j15);
+
+ x0 = XOR(x0, LOAD32_LE(m + 0));
+ x1 = XOR(x1, LOAD32_LE(m + 4));
+ x2 = XOR(x2, LOAD32_LE(m + 8));
+ x3 = XOR(x3, LOAD32_LE(m + 12));
+ x4 = XOR(x4, LOAD32_LE(m + 16));
+ x5 = XOR(x5, LOAD32_LE(m + 20));
+ x6 = XOR(x6, LOAD32_LE(m + 24));
+ x7 = XOR(x7, LOAD32_LE(m + 28));
+ x8 = XOR(x8, LOAD32_LE(m + 32));
+ x9 = XOR(x9, LOAD32_LE(m + 36));
+ x10 = XOR(x10, LOAD32_LE(m + 40));
+ x11 = XOR(x11, LOAD32_LE(m + 44));
+ x12 = XOR(x12, LOAD32_LE(m + 48));
+ x13 = XOR(x13, LOAD32_LE(m + 52));
+ x14 = XOR(x14, LOAD32_LE(m + 56));
+ x15 = XOR(x15, LOAD32_LE(m + 60));
+
+ j12 = PLUSONE(j12);
+ /* LCOV_EXCL_START */
+ if (!j12) {
+ j13 = PLUSONE(j13);
+ }
+ /* LCOV_EXCL_STOP */
+
+ STORE32_LE(c + 0, x0);
+ STORE32_LE(c + 4, x1);
+ STORE32_LE(c + 8, x2);
+ STORE32_LE(c + 12, x3);
+ STORE32_LE(c + 16, x4);
+ STORE32_LE(c + 20, x5);
+ STORE32_LE(c + 24, x6);
+ STORE32_LE(c + 28, x7);
+ STORE32_LE(c + 32, x8);
+ STORE32_LE(c + 36, x9);
+ STORE32_LE(c + 40, x10);
+ STORE32_LE(c + 44, x11);
+ STORE32_LE(c + 48, x12);
+ STORE32_LE(c + 52, x13);
+ STORE32_LE(c + 56, x14);
+ STORE32_LE(c + 60, x15);
+
+ if (bytes <= 64) {
+ if (bytes < 64) {
+ for (i = 0; i < (unsigned int) bytes; ++i) {
+ ctarget[i] = c[i]; /* ctarget cannot be NULL */
+ }
+ }
+ ctx->input[12] = j12;
+ ctx->input[13] = j13;
+
+ return;
+ }
+ bytes -= 64;
+ c += 64;
+ m += 64;
+ }
+}
+
+static int
+stream_ref(unsigned char *c, unsigned long long clen, const unsigned char *n,
+ const unsigned char *k)
+{
+ struct chacha_ctx ctx;
+
+ if (!clen) {
+ return 0;
+ }
+ COMPILER_ASSERT(crypto_stream_chacha20_KEYBYTES == 256 / 8);
+ chacha_keysetup(&ctx, k);
+ chacha_ivsetup(&ctx, n, NULL);
+ memset(c, 0, clen);
+ chacha20_encrypt_bytes(&ctx, c, c, clen);
+ sodium_memzero(&ctx, sizeof ctx);
+
+ return 0;
+}
+
+static int
+stream_ietf_ext_ref(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
+{
+ struct chacha_ctx ctx;
+
+ if (!clen) {
+ return 0;
+ }
+ COMPILER_ASSERT(crypto_stream_chacha20_KEYBYTES == 256 / 8);
+ chacha_keysetup(&ctx, k);
+ chacha_ietf_ivsetup(&ctx, n, NULL);
+ memset(c, 0, clen);
+ chacha20_encrypt_bytes(&ctx, c, c, clen);
+ sodium_memzero(&ctx, sizeof ctx);
+
+ return 0;
+}
+
+static int
+stream_ref_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n, uint64_t ic,
+ const unsigned char *k)
+{
+ struct chacha_ctx ctx;
+ uint8_t ic_bytes[8];
+ uint32_t ic_high;
+ uint32_t ic_low;
+
+ if (!mlen) {
+ return 0;
+ }
+ ic_high = U32V(ic >> 32);
+ ic_low = U32V(ic);
+ STORE32_LE(&ic_bytes[0], ic_low);
+ STORE32_LE(&ic_bytes[4], ic_high);
+ chacha_keysetup(&ctx, k);
+ chacha_ivsetup(&ctx, n, ic_bytes);
+ chacha20_encrypt_bytes(&ctx, m, c, mlen);
+ sodium_memzero(&ctx, sizeof ctx);
+
+ return 0;
+}
+
+int
+stream_ietf_ext_ref_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ uint32_t ic, const unsigned char *k)
+{
+ struct chacha_ctx ctx;
+ uint8_t ic_bytes[4];
+
+ if (!mlen) {
+ return 0;
+ }
+ STORE32_LE(ic_bytes, ic);
+ chacha_keysetup(&ctx, k);
+ chacha_ietf_ivsetup(&ctx, n, ic_bytes);
+ chacha20_encrypt_bytes(&ctx, m, c, mlen);
+ sodium_memzero(&ctx, sizeof ctx);
+
+ return 0;
+}
+
+struct crypto_stream_chacha20_implementation
+ crypto_stream_chacha20_ref_implementation = {
+ SODIUM_C99(.stream =) stream_ref,
+ SODIUM_C99(.stream_ietf_ext =) stream_ietf_ext_ref,
+ SODIUM_C99(.stream_xor_ic =) stream_ref_xor_ic,
+ SODIUM_C99(.stream_ietf_ext_xor_ic =) stream_ietf_ext_ref_xor_ic
+ };
diff --git a/depends/libsodium/crypto_stream/chacha20/ref/chacha20_ref.h b/depends/libsodium/crypto_stream/chacha20/ref/chacha20_ref.h
new file mode 100644
index 000000000..6ac480755
--- /dev/null
+++ b/depends/libsodium/crypto_stream/chacha20/ref/chacha20_ref.h
@@ -0,0 +1,8 @@
+
+#include
+
+#include "../stream_chacha20.h"
+#include "crypto_stream_chacha20.h"
+
+extern struct crypto_stream_chacha20_implementation
+ crypto_stream_chacha20_ref_implementation;
diff --git a/depends/libsodium/crypto_stream/chacha20/stream_chacha20.c b/depends/libsodium/crypto_stream/chacha20/stream_chacha20.c
new file mode 100644
index 000000000..427c3fb08
--- /dev/null
+++ b/depends/libsodium/crypto_stream/chacha20/stream_chacha20.c
@@ -0,0 +1,184 @@
+#include "crypto_stream_chacha20.h"
+#include "core.h"
+#include "private/chacha20_ietf_ext.h"
+#include "private/common.h"
+#include "private/implementations.h"
+#include "randombytes.h"
+#include "runtime.h"
+#include "stream_chacha20.h"
+
+#include "ref/chacha20_ref.h"
+#if defined(HAVE_AVX2INTRIN_H) && defined(HAVE_EMMINTRIN_H) && \
+ defined(HAVE_TMMINTRIN_H) && defined(HAVE_SMMINTRIN_H)
+# include "dolbeau/chacha20_dolbeau-avx2.h"
+#endif
+#if defined(HAVE_EMMINTRIN_H) && defined(HAVE_TMMINTRIN_H)
+# include "dolbeau/chacha20_dolbeau-ssse3.h"
+#endif
+
+static const crypto_stream_chacha20_implementation *implementation =
+ &crypto_stream_chacha20_ref_implementation;
+
+size_t
+crypto_stream_chacha20_keybytes(void) {
+ return crypto_stream_chacha20_KEYBYTES;
+}
+
+size_t
+crypto_stream_chacha20_noncebytes(void) {
+ return crypto_stream_chacha20_NONCEBYTES;
+}
+
+size_t
+crypto_stream_chacha20_messagebytes_max(void)
+{
+ return crypto_stream_chacha20_MESSAGEBYTES_MAX;
+}
+
+size_t
+crypto_stream_chacha20_ietf_keybytes(void) {
+ return crypto_stream_chacha20_ietf_KEYBYTES;
+}
+
+size_t
+crypto_stream_chacha20_ietf_noncebytes(void) {
+ return crypto_stream_chacha20_ietf_NONCEBYTES;
+}
+
+size_t
+crypto_stream_chacha20_ietf_messagebytes_max(void)
+{
+ return crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX;
+}
+
+int
+crypto_stream_chacha20(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
+{
+ if (clen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return implementation->stream(c, clen, n, k);
+}
+
+int
+crypto_stream_chacha20_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint64_t ic,
+ const unsigned char *k)
+{
+ if (mlen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return implementation->stream_xor_ic(c, m, mlen, n, ic, k);
+}
+
+int
+crypto_stream_chacha20_xor(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k)
+{
+ if (mlen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return implementation->stream_xor_ic(c, m, mlen, n, 0U, k);
+}
+
+int
+crypto_stream_chacha20_ietf_ext(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
+{
+ if (clen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return implementation->stream_ietf_ext(c, clen, n, k);
+}
+
+int
+crypto_stream_chacha20_ietf_ext_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint32_t ic,
+ const unsigned char *k)
+{
+ if (mlen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return implementation->stream_ietf_ext_xor_ic(c, m, mlen, n, ic, k);
+}
+
+static int
+crypto_stream_chacha20_ietf_ext_xor(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k)
+{
+ if (mlen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return implementation->stream_ietf_ext_xor_ic(c, m, mlen, n, 0U, k);
+}
+
+int
+crypto_stream_chacha20_ietf(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
+{
+ if (clen > crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return crypto_stream_chacha20_ietf_ext(c, clen, n, k);
+}
+
+int
+crypto_stream_chacha20_ietf_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint32_t ic,
+ const unsigned char *k)
+{
+ if ((unsigned long long) ic >
+ (64ULL * (1ULL << 32)) / 64ULL - (mlen + 63ULL) / 64ULL) {
+ sodium_misuse();
+ }
+ return crypto_stream_chacha20_ietf_ext_xor_ic(c, m, mlen, n, ic, k);
+}
+
+int
+crypto_stream_chacha20_ietf_xor(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k)
+{
+ if (mlen > crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return crypto_stream_chacha20_ietf_ext_xor(c, m, mlen, n, k);
+}
+
+void
+crypto_stream_chacha20_ietf_keygen(unsigned char k[crypto_stream_chacha20_ietf_KEYBYTES])
+{
+ randombytes_buf(k, crypto_stream_chacha20_ietf_KEYBYTES);
+}
+
+void
+crypto_stream_chacha20_keygen(unsigned char k[crypto_stream_chacha20_KEYBYTES])
+{
+ randombytes_buf(k, crypto_stream_chacha20_KEYBYTES);
+}
+
+int
+_crypto_stream_chacha20_pick_best_implementation(void)
+{
+ implementation = &crypto_stream_chacha20_ref_implementation;
+#if defined(HAVE_AVX2INTRIN_H) && defined(HAVE_EMMINTRIN_H) && \
+ defined(HAVE_TMMINTRIN_H) && defined(HAVE_SMMINTRIN_H)
+ if (sodium_runtime_has_avx2()) {
+ implementation = &crypto_stream_chacha20_dolbeau_avx2_implementation;
+ return 0;
+ }
+#endif
+#if defined(HAVE_EMMINTRIN_H) && defined(HAVE_TMMINTRIN_H)
+ if (sodium_runtime_has_ssse3()) {
+ implementation = &crypto_stream_chacha20_dolbeau_ssse3_implementation;
+ return 0;
+ }
+#endif
+ return 0;
+}
diff --git a/depends/libsodium/crypto_stream/chacha20/stream_chacha20.h b/depends/libsodium/crypto_stream/chacha20/stream_chacha20.h
new file mode 100644
index 000000000..40f782f41
--- /dev/null
+++ b/depends/libsodium/crypto_stream/chacha20/stream_chacha20.h
@@ -0,0 +1,22 @@
+
+#ifndef stream_chacha20_H
+#define stream_chacha20_H
+
+#include
+
+typedef struct crypto_stream_chacha20_implementation {
+ int (*stream)(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k);
+ int (*stream_ietf_ext)(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k);
+ int (*stream_xor_ic)(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint64_t ic,
+ const unsigned char *k);
+ int (*stream_ietf_ext_xor_ic)(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint32_t ic,
+ const unsigned char *k);
+} crypto_stream_chacha20_implementation;
+
+#endif
diff --git a/depends/libsodium/include/sodium/core.h b/depends/libsodium/include/sodium/core.h
new file mode 100644
index 000000000..dd088d2ca
--- /dev/null
+++ b/depends/libsodium/include/sodium/core.h
@@ -0,0 +1,28 @@
+
+#ifndef sodium_core_H
+#define sodium_core_H
+
+#include "export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+SODIUM_EXPORT
+int sodium_init(void)
+ __attribute__ ((warn_unused_result));
+
+/* ---- */
+
+SODIUM_EXPORT
+int sodium_set_misuse_handler(void (*handler)(void));
+
+SODIUM_EXPORT
+void sodium_misuse(void)
+ __attribute__ ((noreturn));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_aead_aegis256.h b/depends/libsodium/include/sodium/crypto_aead_aegis256.h
new file mode 100644
index 000000000..32e768969
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_aead_aegis256.h
@@ -0,0 +1,96 @@
+#ifndef crypto_aead_aegis256_H
+#define crypto_aead_aegis256_H
+
+#include
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+SODIUM_EXPORT
+int crypto_aead_aegis256_is_available(void);
+
+#define crypto_aead_aegis256_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_aead_aegis256_keybytes(void);
+
+#define crypto_aead_aegis256_NSECBYTES 0U
+SODIUM_EXPORT
+size_t crypto_aead_aegis256_nsecbytes(void);
+
+#define crypto_aead_aegis256_NPUBBYTES 32U
+SODIUM_EXPORT
+size_t crypto_aead_aegis256_npubbytes(void);
+
+#define crypto_aead_aegis256_ABYTES 16U
+SODIUM_EXPORT
+size_t crypto_aead_aegis256_abytes(void);
+
+#define crypto_aead_aegis256_MESSAGEBYTES_MAX \
+ SODIUM_MIN(SODIUM_SIZE_MAX - crypto_aead_aegis256_ABYTES, \
+ (1ULL << 61) - 1)
+SODIUM_EXPORT
+size_t crypto_aead_aegis256_messagebytes_max(void);
+
+SODIUM_EXPORT
+int crypto_aead_aegis256_encrypt(unsigned char *c,
+ unsigned long long *clen_p,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 8, 9)));
+
+SODIUM_EXPORT
+int crypto_aead_aegis256_decrypt(unsigned char *m,
+ unsigned long long *mlen_p,
+ unsigned char *nsec,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(4, 8, 9)));
+
+SODIUM_EXPORT
+int crypto_aead_aegis256_encrypt_detached(unsigned char *c,
+ unsigned char *mac,
+ unsigned long long *maclen_p,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 2, 9, 10)));
+
+SODIUM_EXPORT
+int crypto_aead_aegis256_decrypt_detached(unsigned char *m,
+ unsigned char *nsec,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *mac,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 5, 8, 9)));
+
+SODIUM_EXPORT
+void crypto_aead_aegis256_keygen(unsigned char k[crypto_aead_aegis256_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_aead_aes256gcm.h b/depends/libsodium/include/sodium/crypto_aead_aes256gcm.h
new file mode 100644
index 000000000..9baeb3f19
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_aead_aes256gcm.h
@@ -0,0 +1,179 @@
+#ifndef crypto_aead_aes256gcm_H
+#define crypto_aead_aes256gcm_H
+
+/*
+ * WARNING: Despite being the most popular AEAD construction due to its
+ * use in TLS, safely using AES-GCM in a different context is tricky.
+ *
+ * No more than ~ 350 GB of input data should be encrypted with a given key.
+ * This is for ~ 16 KB messages -- Actual figures vary according to
+ * message sizes.
+ *
+ * In addition, nonces are short and repeated nonces would totally destroy
+ * the security of this scheme.
+ *
+ * Nonces should thus come from atomic counters, which can be difficult to
+ * set up in a distributed environment.
+ *
+ * Unless you absolutely need AES-GCM, use crypto_aead_xchacha20poly1305_ietf_*()
+ * instead. It doesn't have any of these limitations.
+ * Or, if you don't need to authenticate additional data, just stick to
+ * crypto_secretbox().
+ */
+
+#include
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+SODIUM_EXPORT
+int crypto_aead_aes256gcm_is_available(void);
+
+#define crypto_aead_aes256gcm_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_aead_aes256gcm_keybytes(void);
+
+#define crypto_aead_aes256gcm_NSECBYTES 0U
+SODIUM_EXPORT
+size_t crypto_aead_aes256gcm_nsecbytes(void);
+
+#define crypto_aead_aes256gcm_NPUBBYTES 12U
+SODIUM_EXPORT
+size_t crypto_aead_aes256gcm_npubbytes(void);
+
+#define crypto_aead_aes256gcm_ABYTES 16U
+SODIUM_EXPORT
+size_t crypto_aead_aes256gcm_abytes(void);
+
+#define crypto_aead_aes256gcm_MESSAGEBYTES_MAX \
+ SODIUM_MIN(SODIUM_SIZE_MAX - crypto_aead_aes256gcm_ABYTES, \
+ (16ULL * ((1ULL << 32) - 2ULL)))
+SODIUM_EXPORT
+size_t crypto_aead_aes256gcm_messagebytes_max(void);
+
+typedef struct CRYPTO_ALIGN(16) crypto_aead_aes256gcm_state_ {
+ unsigned char opaque[512];
+} crypto_aead_aes256gcm_state;
+
+SODIUM_EXPORT
+size_t crypto_aead_aes256gcm_statebytes(void);
+
+SODIUM_EXPORT
+int crypto_aead_aes256gcm_encrypt(unsigned char *c,
+ unsigned long long *clen_p,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 8, 9)));
+
+SODIUM_EXPORT
+int crypto_aead_aes256gcm_decrypt(unsigned char *m,
+ unsigned long long *mlen_p,
+ unsigned char *nsec,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(4, 8, 9)));
+
+SODIUM_EXPORT
+int crypto_aead_aes256gcm_encrypt_detached(unsigned char *c,
+ unsigned char *mac,
+ unsigned long long *maclen_p,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 2, 9, 10)));
+
+SODIUM_EXPORT
+int crypto_aead_aes256gcm_decrypt_detached(unsigned char *m,
+ unsigned char *nsec,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *mac,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 5, 8, 9)));
+
+/* -- Precomputation interface -- */
+
+SODIUM_EXPORT
+int crypto_aead_aes256gcm_beforenm(crypto_aead_aes256gcm_state *ctx_,
+ const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_aead_aes256gcm_encrypt_afternm(unsigned char *c,
+ unsigned long long *clen_p,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const crypto_aead_aes256gcm_state *ctx_)
+ __attribute__ ((nonnull(1, 8, 9)));
+
+SODIUM_EXPORT
+int crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m,
+ unsigned long long *mlen_p,
+ unsigned char *nsec,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *npub,
+ const crypto_aead_aes256gcm_state *ctx_)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(4, 8, 9)));
+
+SODIUM_EXPORT
+int crypto_aead_aes256gcm_encrypt_detached_afternm(unsigned char *c,
+ unsigned char *mac,
+ unsigned long long *maclen_p,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const crypto_aead_aes256gcm_state *ctx_)
+ __attribute__ ((nonnull(1, 2, 9, 10)));
+
+SODIUM_EXPORT
+int crypto_aead_aes256gcm_decrypt_detached_afternm(unsigned char *m,
+ unsigned char *nsec,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *mac,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *npub,
+ const crypto_aead_aes256gcm_state *ctx_)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 5, 8, 9)));
+
+SODIUM_EXPORT
+void crypto_aead_aes256gcm_keygen(unsigned char k[crypto_aead_aes256gcm_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_aead_chacha20poly1305.h b/depends/libsodium/include/sodium/crypto_aead_chacha20poly1305.h
new file mode 100644
index 000000000..5d671df14
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_aead_chacha20poly1305.h
@@ -0,0 +1,180 @@
+#ifndef crypto_aead_chacha20poly1305_H
+#define crypto_aead_chacha20poly1305_H
+
+#include
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+/* -- IETF ChaCha20-Poly1305 construction with a 96-bit nonce and a 32-bit internal counter -- */
+
+#define crypto_aead_chacha20poly1305_ietf_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_aead_chacha20poly1305_ietf_keybytes(void);
+
+#define crypto_aead_chacha20poly1305_ietf_NSECBYTES 0U
+SODIUM_EXPORT
+size_t crypto_aead_chacha20poly1305_ietf_nsecbytes(void);
+
+#define crypto_aead_chacha20poly1305_ietf_NPUBBYTES 12U
+
+SODIUM_EXPORT
+size_t crypto_aead_chacha20poly1305_ietf_npubbytes(void);
+
+#define crypto_aead_chacha20poly1305_ietf_ABYTES 16U
+SODIUM_EXPORT
+size_t crypto_aead_chacha20poly1305_ietf_abytes(void);
+
+#define crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX \
+ SODIUM_MIN(SODIUM_SIZE_MAX - crypto_aead_chacha20poly1305_ietf_ABYTES, \
+ (64ULL * ((1ULL << 32) - 1ULL)))
+SODIUM_EXPORT
+size_t crypto_aead_chacha20poly1305_ietf_messagebytes_max(void);
+
+SODIUM_EXPORT
+int crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c,
+ unsigned long long *clen_p,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 8, 9)));
+
+SODIUM_EXPORT
+int crypto_aead_chacha20poly1305_ietf_decrypt(unsigned char *m,
+ unsigned long long *mlen_p,
+ unsigned char *nsec,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(4, 8, 9)));
+
+SODIUM_EXPORT
+int crypto_aead_chacha20poly1305_ietf_encrypt_detached(unsigned char *c,
+ unsigned char *mac,
+ unsigned long long *maclen_p,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 2, 9, 10)));
+
+SODIUM_EXPORT
+int crypto_aead_chacha20poly1305_ietf_decrypt_detached(unsigned char *m,
+ unsigned char *nsec,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *mac,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 5, 8, 9)));
+
+SODIUM_EXPORT
+void crypto_aead_chacha20poly1305_ietf_keygen(unsigned char k[crypto_aead_chacha20poly1305_ietf_KEYBYTES])
+ __attribute__ ((nonnull));
+
+/* -- Original ChaCha20-Poly1305 construction with a 64-bit nonce and a 64-bit internal counter -- */
+
+#define crypto_aead_chacha20poly1305_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_aead_chacha20poly1305_keybytes(void);
+
+#define crypto_aead_chacha20poly1305_NSECBYTES 0U
+SODIUM_EXPORT
+size_t crypto_aead_chacha20poly1305_nsecbytes(void);
+
+#define crypto_aead_chacha20poly1305_NPUBBYTES 8U
+SODIUM_EXPORT
+size_t crypto_aead_chacha20poly1305_npubbytes(void);
+
+#define crypto_aead_chacha20poly1305_ABYTES 16U
+SODIUM_EXPORT
+size_t crypto_aead_chacha20poly1305_abytes(void);
+
+#define crypto_aead_chacha20poly1305_MESSAGEBYTES_MAX \
+ (SODIUM_SIZE_MAX - crypto_aead_chacha20poly1305_ABYTES)
+SODIUM_EXPORT
+size_t crypto_aead_chacha20poly1305_messagebytes_max(void);
+
+SODIUM_EXPORT
+int crypto_aead_chacha20poly1305_encrypt(unsigned char *c,
+ unsigned long long *clen_p,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 8, 9)));
+
+SODIUM_EXPORT
+int crypto_aead_chacha20poly1305_decrypt(unsigned char *m,
+ unsigned long long *mlen_p,
+ unsigned char *nsec,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(4, 8, 9)));
+
+SODIUM_EXPORT
+int crypto_aead_chacha20poly1305_encrypt_detached(unsigned char *c,
+ unsigned char *mac,
+ unsigned long long *maclen_p,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 2, 9, 10)));
+
+SODIUM_EXPORT
+int crypto_aead_chacha20poly1305_decrypt_detached(unsigned char *m,
+ unsigned char *nsec,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *mac,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 5, 8, 9)));
+
+SODIUM_EXPORT
+void crypto_aead_chacha20poly1305_keygen(unsigned char k[crypto_aead_chacha20poly1305_KEYBYTES])
+ __attribute__ ((nonnull));
+
+/* Aliases */
+
+#define crypto_aead_chacha20poly1305_IETF_KEYBYTES crypto_aead_chacha20poly1305_ietf_KEYBYTES
+#define crypto_aead_chacha20poly1305_IETF_NSECBYTES crypto_aead_chacha20poly1305_ietf_NSECBYTES
+#define crypto_aead_chacha20poly1305_IETF_NPUBBYTES crypto_aead_chacha20poly1305_ietf_NPUBBYTES
+#define crypto_aead_chacha20poly1305_IETF_ABYTES crypto_aead_chacha20poly1305_ietf_ABYTES
+#define crypto_aead_chacha20poly1305_IETF_MESSAGEBYTES_MAX crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_aead_xchacha20poly1305.h b/depends/libsodium/include/sodium/crypto_aead_xchacha20poly1305.h
new file mode 100644
index 000000000..6643b0cbf
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_aead_xchacha20poly1305.h
@@ -0,0 +1,100 @@
+#ifndef crypto_aead_xchacha20poly1305_H
+#define crypto_aead_xchacha20poly1305_H
+
+#include
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_aead_xchacha20poly1305_ietf_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_aead_xchacha20poly1305_ietf_keybytes(void);
+
+#define crypto_aead_xchacha20poly1305_ietf_NSECBYTES 0U
+SODIUM_EXPORT
+size_t crypto_aead_xchacha20poly1305_ietf_nsecbytes(void);
+
+#define crypto_aead_xchacha20poly1305_ietf_NPUBBYTES 24U
+SODIUM_EXPORT
+size_t crypto_aead_xchacha20poly1305_ietf_npubbytes(void);
+
+#define crypto_aead_xchacha20poly1305_ietf_ABYTES 16U
+SODIUM_EXPORT
+size_t crypto_aead_xchacha20poly1305_ietf_abytes(void);
+
+#define crypto_aead_xchacha20poly1305_ietf_MESSAGEBYTES_MAX \
+ (SODIUM_SIZE_MAX - crypto_aead_xchacha20poly1305_ietf_ABYTES)
+SODIUM_EXPORT
+size_t crypto_aead_xchacha20poly1305_ietf_messagebytes_max(void);
+
+SODIUM_EXPORT
+int crypto_aead_xchacha20poly1305_ietf_encrypt(unsigned char *c,
+ unsigned long long *clen_p,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 8, 9)));
+
+SODIUM_EXPORT
+int crypto_aead_xchacha20poly1305_ietf_decrypt(unsigned char *m,
+ unsigned long long *mlen_p,
+ unsigned char *nsec,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(4, 8, 9)));
+
+SODIUM_EXPORT
+int crypto_aead_xchacha20poly1305_ietf_encrypt_detached(unsigned char *c,
+ unsigned char *mac,
+ unsigned long long *maclen_p,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 2, 9, 10)));
+
+SODIUM_EXPORT
+int crypto_aead_xchacha20poly1305_ietf_decrypt_detached(unsigned char *m,
+ unsigned char *nsec,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *mac,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 5, 8, 9)));
+
+SODIUM_EXPORT
+void crypto_aead_xchacha20poly1305_ietf_keygen(unsigned char k[crypto_aead_xchacha20poly1305_ietf_KEYBYTES])
+ __attribute__ ((nonnull));
+
+/* Aliases */
+
+#define crypto_aead_xchacha20poly1305_IETF_KEYBYTES crypto_aead_xchacha20poly1305_ietf_KEYBYTES
+#define crypto_aead_xchacha20poly1305_IETF_NSECBYTES crypto_aead_xchacha20poly1305_ietf_NSECBYTES
+#define crypto_aead_xchacha20poly1305_IETF_NPUBBYTES crypto_aead_xchacha20poly1305_ietf_NPUBBYTES
+#define crypto_aead_xchacha20poly1305_IETF_ABYTES crypto_aead_xchacha20poly1305_ietf_ABYTES
+#define crypto_aead_xchacha20poly1305_IETF_MESSAGEBYTES_MAX crypto_aead_xchacha20poly1305_ietf_MESSAGEBYTES_MAX
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_auth.h b/depends/libsodium/include/sodium/crypto_auth.h
new file mode 100644
index 000000000..540aee0e8
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_auth.h
@@ -0,0 +1,46 @@
+#ifndef crypto_auth_H
+#define crypto_auth_H
+
+#include
+
+#include "crypto_auth_hmacsha512256.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_auth_BYTES crypto_auth_hmacsha512256_BYTES
+SODIUM_EXPORT
+size_t crypto_auth_bytes(void);
+
+#define crypto_auth_KEYBYTES crypto_auth_hmacsha512256_KEYBYTES
+SODIUM_EXPORT
+size_t crypto_auth_keybytes(void);
+
+#define crypto_auth_PRIMITIVE "hmacsha512256"
+SODIUM_EXPORT
+const char *crypto_auth_primitive(void);
+
+SODIUM_EXPORT
+int crypto_auth(unsigned char *out, const unsigned char *in,
+ unsigned long long inlen, const unsigned char *k)
+ __attribute__ ((nonnull(1, 4)));
+
+SODIUM_EXPORT
+int crypto_auth_verify(const unsigned char *h, const unsigned char *in,
+ unsigned long long inlen, const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(1, 4)));
+
+SODIUM_EXPORT
+void crypto_auth_keygen(unsigned char k[crypto_auth_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_auth_hmacsha256.h b/depends/libsodium/include/sodium/crypto_auth_hmacsha256.h
new file mode 100644
index 000000000..3da864c7d
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_auth_hmacsha256.h
@@ -0,0 +1,70 @@
+#ifndef crypto_auth_hmacsha256_H
+#define crypto_auth_hmacsha256_H
+
+#include
+#include "crypto_hash_sha256.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_auth_hmacsha256_BYTES 32U
+SODIUM_EXPORT
+size_t crypto_auth_hmacsha256_bytes(void);
+
+#define crypto_auth_hmacsha256_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_auth_hmacsha256_keybytes(void);
+
+SODIUM_EXPORT
+int crypto_auth_hmacsha256(unsigned char *out,
+ const unsigned char *in,
+ unsigned long long inlen,
+ const unsigned char *k) __attribute__ ((nonnull(1, 4)));
+
+SODIUM_EXPORT
+int crypto_auth_hmacsha256_verify(const unsigned char *h,
+ const unsigned char *in,
+ unsigned long long inlen,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(1, 4)));
+
+/* ------------------------------------------------------------------------- */
+
+typedef struct crypto_auth_hmacsha256_state {
+ crypto_hash_sha256_state ictx;
+ crypto_hash_sha256_state octx;
+} crypto_auth_hmacsha256_state;
+
+SODIUM_EXPORT
+size_t crypto_auth_hmacsha256_statebytes(void);
+
+SODIUM_EXPORT
+int crypto_auth_hmacsha256_init(crypto_auth_hmacsha256_state *state,
+ const unsigned char *key,
+ size_t keylen) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_auth_hmacsha256_update(crypto_auth_hmacsha256_state *state,
+ const unsigned char *in,
+ unsigned long long inlen)
+ __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_auth_hmacsha256_final(crypto_auth_hmacsha256_state *state,
+ unsigned char *out) __attribute__ ((nonnull));
+
+
+SODIUM_EXPORT
+void crypto_auth_hmacsha256_keygen(unsigned char k[crypto_auth_hmacsha256_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_auth_hmacsha512.h b/depends/libsodium/include/sodium/crypto_auth_hmacsha512.h
new file mode 100644
index 000000000..d992cb816
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_auth_hmacsha512.h
@@ -0,0 +1,68 @@
+#ifndef crypto_auth_hmacsha512_H
+#define crypto_auth_hmacsha512_H
+
+#include
+#include "crypto_hash_sha512.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_auth_hmacsha512_BYTES 64U
+SODIUM_EXPORT
+size_t crypto_auth_hmacsha512_bytes(void);
+
+#define crypto_auth_hmacsha512_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_auth_hmacsha512_keybytes(void);
+
+SODIUM_EXPORT
+int crypto_auth_hmacsha512(unsigned char *out,
+ const unsigned char *in,
+ unsigned long long inlen,
+ const unsigned char *k) __attribute__ ((nonnull(1, 4)));
+
+SODIUM_EXPORT
+int crypto_auth_hmacsha512_verify(const unsigned char *h,
+ const unsigned char *in,
+ unsigned long long inlen,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(1, 4)));
+
+/* ------------------------------------------------------------------------- */
+
+typedef struct crypto_auth_hmacsha512_state {
+ crypto_hash_sha512_state ictx;
+ crypto_hash_sha512_state octx;
+} crypto_auth_hmacsha512_state;
+
+SODIUM_EXPORT
+size_t crypto_auth_hmacsha512_statebytes(void);
+
+SODIUM_EXPORT
+int crypto_auth_hmacsha512_init(crypto_auth_hmacsha512_state *state,
+ const unsigned char *key,
+ size_t keylen) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_auth_hmacsha512_update(crypto_auth_hmacsha512_state *state,
+ const unsigned char *in,
+ unsigned long long inlen) __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_auth_hmacsha512_final(crypto_auth_hmacsha512_state *state,
+ unsigned char *out) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_auth_hmacsha512_keygen(unsigned char k[crypto_auth_hmacsha512_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_auth_hmacsha512256.h b/depends/libsodium/include/sodium/crypto_auth_hmacsha512256.h
new file mode 100644
index 000000000..3fb526389
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_auth_hmacsha512256.h
@@ -0,0 +1,65 @@
+#ifndef crypto_auth_hmacsha512256_H
+#define crypto_auth_hmacsha512256_H
+
+#include
+#include "crypto_auth_hmacsha512.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_auth_hmacsha512256_BYTES 32U
+SODIUM_EXPORT
+size_t crypto_auth_hmacsha512256_bytes(void);
+
+#define crypto_auth_hmacsha512256_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_auth_hmacsha512256_keybytes(void);
+
+SODIUM_EXPORT
+int crypto_auth_hmacsha512256(unsigned char *out,
+ const unsigned char *in,
+ unsigned long long inlen,
+ const unsigned char *k) __attribute__ ((nonnull(1, 4)));
+
+SODIUM_EXPORT
+int crypto_auth_hmacsha512256_verify(const unsigned char *h,
+ const unsigned char *in,
+ unsigned long long inlen,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(1, 4)));
+
+/* ------------------------------------------------------------------------- */
+
+typedef crypto_auth_hmacsha512_state crypto_auth_hmacsha512256_state;
+
+SODIUM_EXPORT
+size_t crypto_auth_hmacsha512256_statebytes(void);
+
+SODIUM_EXPORT
+int crypto_auth_hmacsha512256_init(crypto_auth_hmacsha512256_state *state,
+ const unsigned char *key,
+ size_t keylen) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_auth_hmacsha512256_update(crypto_auth_hmacsha512256_state *state,
+ const unsigned char *in,
+ unsigned long long inlen) __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_auth_hmacsha512256_final(crypto_auth_hmacsha512256_state *state,
+ unsigned char *out) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_auth_hmacsha512256_keygen(unsigned char k[crypto_auth_hmacsha512256_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_box.h b/depends/libsodium/include/sodium/crypto_box.h
new file mode 100644
index 000000000..e060dd29f
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_box.h 
@@ -0,0 +1,177 @@
+#ifndef crypto_box_H
+#define crypto_box_H
+
+/*
+ * THREAD SAFETY: crypto_box_keypair() is thread-safe,
+ * provided that sodium_init() was called before.
+ *
+ * Other functions are always thread-safe.
+ */
+
+#include
+
+#include "crypto_box_curve25519xsalsa20poly1305.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_box_SEEDBYTES crypto_box_curve25519xsalsa20poly1305_SEEDBYTES
+SODIUM_EXPORT
+size_t crypto_box_seedbytes(void);
+
+#define crypto_box_PUBLICKEYBYTES crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES
+SODIUM_EXPORT
+size_t crypto_box_publickeybytes(void);
+
+#define crypto_box_SECRETKEYBYTES crypto_box_curve25519xsalsa20poly1305_SECRETKEYBYTES
+SODIUM_EXPORT
+size_t crypto_box_secretkeybytes(void);
+
+#define crypto_box_NONCEBYTES crypto_box_curve25519xsalsa20poly1305_NONCEBYTES
+SODIUM_EXPORT
+size_t crypto_box_noncebytes(void);
+
+#define crypto_box_MACBYTES crypto_box_curve25519xsalsa20poly1305_MACBYTES
+SODIUM_EXPORT
+size_t crypto_box_macbytes(void);
+
+#define crypto_box_MESSAGEBYTES_MAX crypto_box_curve25519xsalsa20poly1305_MESSAGEBYTES_MAX
+SODIUM_EXPORT
+size_t crypto_box_messagebytes_max(void);
+
+#define crypto_box_PRIMITIVE "curve25519xsalsa20poly1305"
+SODIUM_EXPORT
+const char *crypto_box_primitive(void);
+
+SODIUM_EXPORT
+int crypto_box_seed_keypair(unsigned char *pk, unsigned char *sk,
+ const unsigned char *seed)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_box_keypair(unsigned char *pk, unsigned char *sk)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_box_easy(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *pk, const unsigned char *sk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(1, 4, 5, 6)));
+
+SODIUM_EXPORT
+int crypto_box_open_easy(unsigned char *m, const unsigned char *c,
+ unsigned long long clen, const unsigned char *n,
+ const unsigned char *pk, const unsigned char *sk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5, 6)));
+
+SODIUM_EXPORT
+int crypto_box_detached(unsigned char *c, unsigned char *mac,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *n, const unsigned char *pk,
+ const unsigned char *sk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(1, 2, 5, 6, 7)));
+
+SODIUM_EXPORT
+int crypto_box_open_detached(unsigned char *m, const unsigned char *c,
+ const unsigned char *mac,
+ unsigned long long clen,
+ const unsigned char *n,
+ const unsigned char *pk,
+ const unsigned char *sk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 3, 5, 6, 7)));
+
+/* -- Precomputation interface -- */
+
+#define crypto_box_BEFORENMBYTES crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES
+SODIUM_EXPORT
+size_t crypto_box_beforenmbytes(void);
+
+SODIUM_EXPORT
+int crypto_box_beforenm(unsigned char *k, const unsigned char *pk,
+ const unsigned char *sk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_box_easy_afternm(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k) __attribute__ ((nonnull(1, 4, 5)));
+
+SODIUM_EXPORT
+int crypto_box_open_easy_afternm(unsigned char *m, const unsigned char *c,
+ unsigned long long clen, const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
+
+SODIUM_EXPORT
+int crypto_box_detached_afternm(unsigned char *c, unsigned char *mac,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *n, const unsigned char *k)
+ __attribute__ ((nonnull(1, 2, 5, 6)));
+
+SODIUM_EXPORT
+int crypto_box_open_detached_afternm(unsigned char *m, const unsigned char *c,
+ const unsigned char *mac,
+ unsigned long long clen, const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 3, 5, 6)));
+
+/* -- Ephemeral SK interface -- */
+
+#define crypto_box_SEALBYTES (crypto_box_PUBLICKEYBYTES + crypto_box_MACBYTES)
+SODIUM_EXPORT
+size_t crypto_box_sealbytes(void);
+
+SODIUM_EXPORT
+int crypto_box_seal(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *pk)
+ __attribute__ ((nonnull(1, 4)));
+
+SODIUM_EXPORT
+int crypto_box_seal_open(unsigned char *m, const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *pk, const unsigned char *sk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
+
+/* -- NaCl compatibility interface ; Requires padding -- */
+
+#define crypto_box_ZEROBYTES crypto_box_curve25519xsalsa20poly1305_ZEROBYTES
+SODIUM_EXPORT
+size_t crypto_box_zerobytes(void);
+
+#define crypto_box_BOXZEROBYTES crypto_box_curve25519xsalsa20poly1305_BOXZEROBYTES
+SODIUM_EXPORT
+size_t crypto_box_boxzerobytes(void);
+
+SODIUM_EXPORT
+int crypto_box(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *pk, const unsigned char *sk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(1, 4, 5, 6)));
+
+SODIUM_EXPORT
+int crypto_box_open(unsigned char *m, const unsigned char *c,
+ unsigned long long clen, const unsigned char *n,
+ const unsigned char *pk, const unsigned char *sk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5, 6)));
+
+SODIUM_EXPORT
+int crypto_box_afternm(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k) __attribute__ ((nonnull(1, 4, 5)));
+
+SODIUM_EXPORT
+int crypto_box_open_afternm(unsigned char *m, const unsigned char *c,
+ unsigned long long clen, const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h b/depends/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h
new file mode 100644
index 000000000..26a3d31ef
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h
@@ -0,0 +1,164 @@
+
+#ifndef crypto_box_curve25519xchacha20poly1305_H
+#define crypto_box_curve25519xchacha20poly1305_H
+
+#include
+#include "crypto_stream_xchacha20.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_box_curve25519xchacha20poly1305_SEEDBYTES 32U
+SODIUM_EXPORT
+size_t crypto_box_curve25519xchacha20poly1305_seedbytes(void);
+
+#define crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_box_curve25519xchacha20poly1305_publickeybytes(void);
+
+#define crypto_box_curve25519xchacha20poly1305_SECRETKEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_box_curve25519xchacha20poly1305_secretkeybytes(void);
+
+#define crypto_box_curve25519xchacha20poly1305_BEFORENMBYTES 32U
+SODIUM_EXPORT
+size_t crypto_box_curve25519xchacha20poly1305_beforenmbytes(void);
+
+#define crypto_box_curve25519xchacha20poly1305_NONCEBYTES 24U
+SODIUM_EXPORT
+size_t crypto_box_curve25519xchacha20poly1305_noncebytes(void);
+
+#define crypto_box_curve25519xchacha20poly1305_MACBYTES 16U
+SODIUM_EXPORT
+size_t crypto_box_curve25519xchacha20poly1305_macbytes(void);
+
+#define crypto_box_curve25519xchacha20poly1305_MESSAGEBYTES_MAX \
+ (crypto_stream_xchacha20_MESSAGEBYTES_MAX - crypto_box_curve25519xchacha20poly1305_MACBYTES)
+SODIUM_EXPORT
+size_t crypto_box_curve25519xchacha20poly1305_messagebytes_max(void);
+
+SODIUM_EXPORT
+int crypto_box_curve25519xchacha20poly1305_seed_keypair(unsigned char *pk,
+ unsigned char *sk,
+ const unsigned char *seed)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_box_curve25519xchacha20poly1305_keypair(unsigned char *pk,
+ unsigned char *sk)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_box_curve25519xchacha20poly1305_easy(unsigned char *c,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n,
+ const unsigned char *pk,
+ const unsigned char *sk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(1, 4, 5, 6)));
+
+SODIUM_EXPORT
+int crypto_box_curve25519xchacha20poly1305_open_easy(unsigned char *m,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *n,
+ const unsigned char *pk,
+ const unsigned char *sk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5, 6)));
+
+SODIUM_EXPORT
+int crypto_box_curve25519xchacha20poly1305_detached(unsigned char *c,
+ unsigned char *mac,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n,
+ const unsigned char *pk,
+ const unsigned char *sk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(1, 2, 5, 6, 7)));
+
+SODIUM_EXPORT
+int crypto_box_curve25519xchacha20poly1305_open_detached(unsigned char *m,
+ const unsigned char *c,
+ const unsigned char *mac,
+ unsigned long long clen,
+ const unsigned char *n,
+ const unsigned char *pk,
+ const unsigned char *sk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 3, 5, 6, 7)));
+
+/* -- Precomputation interface -- */
+
+SODIUM_EXPORT
+int crypto_box_curve25519xchacha20poly1305_beforenm(unsigned char *k,
+ const unsigned char *pk,
+ const unsigned char *sk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_box_curve25519xchacha20poly1305_easy_afternm(unsigned char *c,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 4, 5)));
+
+SODIUM_EXPORT
+int crypto_box_curve25519xchacha20poly1305_open_easy_afternm(unsigned char *m,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
+
+SODIUM_EXPORT
+int crypto_box_curve25519xchacha20poly1305_detached_afternm(unsigned char *c,
+ unsigned char *mac,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 2, 5, 6)));
+
+SODIUM_EXPORT
+int crypto_box_curve25519xchacha20poly1305_open_detached_afternm(unsigned char *m,
+ const unsigned char *c,
+ const unsigned char *mac,
+ unsigned long long clen,
+ const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 3, 5, 6)));
+
+/* -- Ephemeral SK interface -- */
+
+#define crypto_box_curve25519xchacha20poly1305_SEALBYTES \
+ (crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES + \
+ crypto_box_curve25519xchacha20poly1305_MACBYTES)
+
+SODIUM_EXPORT
+size_t crypto_box_curve25519xchacha20poly1305_sealbytes(void);
+
+SODIUM_EXPORT
+int crypto_box_curve25519xchacha20poly1305_seal(unsigned char *c,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *pk)
+ __attribute__ ((nonnull(1, 4)));
+
+SODIUM_EXPORT
+int crypto_box_curve25519xchacha20poly1305_seal_open(unsigned char *m,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *pk,
+ const unsigned char *sk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_box_curve25519xsalsa20poly1305.h b/depends/libsodium/include/sodium/crypto_box_curve25519xsalsa20poly1305.h
new file mode 100644
index 000000000..e733f4999
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_box_curve25519xsalsa20poly1305.h
@@ -0,0 +1,112 @@
+#ifndef crypto_box_curve25519xsalsa20poly1305_H
+#define crypto_box_curve25519xsalsa20poly1305_H
+
+#include 
+#include "crypto_stream_xsalsa20.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_box_curve25519xsalsa20poly1305_SEEDBYTES 32U
+SODIUM_EXPORT
+size_t crypto_box_curve25519xsalsa20poly1305_seedbytes(void);
+
+#define crypto_box_curve25519xsalsa20poly1305_PUBLICKEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_box_curve25519xsalsa20poly1305_publickeybytes(void);
+
+#define crypto_box_curve25519xsalsa20poly1305_SECRETKEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_box_curve25519xsalsa20poly1305_secretkeybytes(void);
+
+#define crypto_box_curve25519xsalsa20poly1305_BEFORENMBYTES 32U
+SODIUM_EXPORT
+size_t crypto_box_curve25519xsalsa20poly1305_beforenmbytes(void);
+
+#define crypto_box_curve25519xsalsa20poly1305_NONCEBYTES 24U
+SODIUM_EXPORT
+size_t crypto_box_curve25519xsalsa20poly1305_noncebytes(void);
+
+#define crypto_box_curve25519xsalsa20poly1305_MACBYTES 16U
+SODIUM_EXPORT
+size_t crypto_box_curve25519xsalsa20poly1305_macbytes(void);
+
+/* Only for the libsodium API - The NaCl compatibility API would require BOXZEROBYTES extra bytes */
+#define crypto_box_curve25519xsalsa20poly1305_MESSAGEBYTES_MAX \
+ (crypto_stream_xsalsa20_MESSAGEBYTES_MAX - crypto_box_curve25519xsalsa20poly1305_MACBYTES)
+SODIUM_EXPORT
+size_t crypto_box_curve25519xsalsa20poly1305_messagebytes_max(void);
+
+SODIUM_EXPORT
+int crypto_box_curve25519xsalsa20poly1305_seed_keypair(unsigned char *pk,
+ unsigned char *sk,
+ const unsigned char *seed)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_box_curve25519xsalsa20poly1305_keypair(unsigned char *pk,
+ unsigned char *sk)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_box_curve25519xsalsa20poly1305_beforenm(unsigned char *k,
+ const unsigned char *pk,
+ const unsigned char *sk)
+ __attribute__ 
((warn_unused_result)) __attribute__ ((nonnull));
+
+/* -- NaCl compatibility interface ; Requires padding -- */
+
+#define crypto_box_curve25519xsalsa20poly1305_BOXZEROBYTES 16U
+SODIUM_EXPORT
+size_t crypto_box_curve25519xsalsa20poly1305_boxzerobytes(void);
+
+#define crypto_box_curve25519xsalsa20poly1305_ZEROBYTES \
+ (crypto_box_curve25519xsalsa20poly1305_BOXZEROBYTES + \
+ crypto_box_curve25519xsalsa20poly1305_MACBYTES)
+SODIUM_EXPORT
+size_t crypto_box_curve25519xsalsa20poly1305_zerobytes(void);
+
+SODIUM_EXPORT
+int crypto_box_curve25519xsalsa20poly1305(unsigned char *c,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n,
+ const unsigned char *pk,
+ const unsigned char *sk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(1, 4, 5, 6)));
+
+SODIUM_EXPORT
+int crypto_box_curve25519xsalsa20poly1305_open(unsigned char *m,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *n,
+ const unsigned char *pk,
+ const unsigned char *sk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5, 6)));
+
+SODIUM_EXPORT
+int crypto_box_curve25519xsalsa20poly1305_afternm(unsigned char *c,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 4, 5)));
+
+SODIUM_EXPORT
+int crypto_box_curve25519xsalsa20poly1305_open_afternm(unsigned char *m,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_core_ed25519.h b/depends/libsodium/include/sodium/crypto_core_ed25519.h
new file mode 100644
index 000000000..3eae00c45
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_core_ed25519.h
@@ -0,0 +1,100 @@
+#ifndef crypto_core_ed25519_H
+#define crypto_core_ed25519_H
+
+#include 
+#include "export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define crypto_core_ed25519_BYTES 32
+SODIUM_EXPORT
+size_t crypto_core_ed25519_bytes(void);
+
+#define crypto_core_ed25519_UNIFORMBYTES 32
+SODIUM_EXPORT
+size_t crypto_core_ed25519_uniformbytes(void);
+
+#define crypto_core_ed25519_HASHBYTES 64
+SODIUM_EXPORT
+size_t crypto_core_ed25519_hashbytes(void);
+
+#define crypto_core_ed25519_SCALARBYTES 32
+SODIUM_EXPORT
+size_t crypto_core_ed25519_scalarbytes(void);
+
+#define crypto_core_ed25519_NONREDUCEDSCALARBYTES 64
+SODIUM_EXPORT
+size_t crypto_core_ed25519_nonreducedscalarbytes(void);
+
+SODIUM_EXPORT
+int crypto_core_ed25519_is_valid_point(const unsigned char *p)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_core_ed25519_add(unsigned char *r,
+ const unsigned char *p, const unsigned char *q)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_core_ed25519_sub(unsigned char *r,
+ const unsigned char *p, const unsigned char *q)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_core_ed25519_from_uniform(unsigned char *p, const unsigned char *r)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_core_ed25519_from_hash(unsigned char *p, const unsigned char *h)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_core_ed25519_random(unsigned char *p)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_core_ed25519_scalar_random(unsigned char *r)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_core_ed25519_scalar_invert(unsigned char *recip, const unsigned char *s)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_core_ed25519_scalar_negate(unsigned char *neg, const unsigned char *s)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_core_ed25519_scalar_complement(unsigned char *comp, const unsigned char *s)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void 
crypto_core_ed25519_scalar_add(unsigned char *z, const unsigned char *x,
+ const unsigned char *y)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_core_ed25519_scalar_sub(unsigned char *z, const unsigned char *x,
+ const unsigned char *y)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_core_ed25519_scalar_mul(unsigned char *z, const unsigned char *x,
+ const unsigned char *y)
+ __attribute__ ((nonnull));
+
+/*
+ * The interval `s` is sampled from should be at least 317 bits to ensure almost
+ * uniformity of `r` over `L`.
+ */
+SODIUM_EXPORT
+void crypto_core_ed25519_scalar_reduce(unsigned char *r, const unsigned char *s)
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_core_hchacha20.h b/depends/libsodium/include/sodium/crypto_core_hchacha20.h
new file mode 100644
index 000000000..ece141b09
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_core_hchacha20.h
@@ -0,0 +1,36 @@
+#ifndef crypto_core_hchacha20_H
+#define crypto_core_hchacha20_H
+
+#include 
+#include "export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define crypto_core_hchacha20_OUTPUTBYTES 32U
+SODIUM_EXPORT
+size_t crypto_core_hchacha20_outputbytes(void);
+
+#define crypto_core_hchacha20_INPUTBYTES 16U
+SODIUM_EXPORT
+size_t crypto_core_hchacha20_inputbytes(void);
+
+#define crypto_core_hchacha20_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_core_hchacha20_keybytes(void);
+
+#define crypto_core_hchacha20_CONSTBYTES 16U
+SODIUM_EXPORT
+size_t crypto_core_hchacha20_constbytes(void);
+
+SODIUM_EXPORT
+int crypto_core_hchacha20(unsigned char *out, const unsigned char *in,
+ const unsigned char *k, const unsigned char *c)
+ __attribute__ ((nonnull(1, 2, 3)));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_core_hsalsa20.h b/depends/libsodium/include/sodium/crypto_core_hsalsa20.h
new file mode 100644
index 000000000..4bf7a4878
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_core_hsalsa20.h
@@ -0,0 +1,36 @@
+#ifndef crypto_core_hsalsa20_H
+#define crypto_core_hsalsa20_H
+
+#include 
+#include "export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define crypto_core_hsalsa20_OUTPUTBYTES 32U
+SODIUM_EXPORT
+size_t crypto_core_hsalsa20_outputbytes(void);
+
+#define crypto_core_hsalsa20_INPUTBYTES 16U
+SODIUM_EXPORT
+size_t crypto_core_hsalsa20_inputbytes(void);
+
+#define crypto_core_hsalsa20_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_core_hsalsa20_keybytes(void);
+
+#define crypto_core_hsalsa20_CONSTBYTES 16U
+SODIUM_EXPORT
+size_t crypto_core_hsalsa20_constbytes(void);
+
+SODIUM_EXPORT
+int crypto_core_hsalsa20(unsigned char *out, const unsigned char *in,
+ const unsigned char *k, const unsigned char *c)
+ __attribute__ ((nonnull(1, 2, 3)));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_core_ristretto255.h b/depends/libsodium/include/sodium/crypto_core_ristretto255.h
new file mode 100644
index 000000000..f2820e557
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_core_ristretto255.h
@@ -0,0 +1,100 @@
+#ifndef crypto_core_ristretto255_H
+#define crypto_core_ristretto255_H
+
+#include 
+#include "export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define crypto_core_ristretto255_BYTES 32
+SODIUM_EXPORT
+size_t crypto_core_ristretto255_bytes(void);
+
+#define crypto_core_ristretto255_HASHBYTES 64
+SODIUM_EXPORT
+size_t crypto_core_ristretto255_hashbytes(void);
+
+#define crypto_core_ristretto255_SCALARBYTES 32
+SODIUM_EXPORT
+size_t crypto_core_ristretto255_scalarbytes(void);
+
+#define crypto_core_ristretto255_NONREDUCEDSCALARBYTES 64
+SODIUM_EXPORT
+size_t crypto_core_ristretto255_nonreducedscalarbytes(void);
+
+SODIUM_EXPORT
+int crypto_core_ristretto255_is_valid_point(const unsigned char *p)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_core_ristretto255_add(unsigned char *r,
+ const unsigned char *p, const unsigned char *q)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_core_ristretto255_sub(unsigned char *r,
+ const unsigned char *p, const unsigned char *q)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_core_ristretto255_from_hash(unsigned char *p,
+ const unsigned char *r)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_core_ristretto255_random(unsigned char *p)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_core_ristretto255_scalar_random(unsigned char *r)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_core_ristretto255_scalar_invert(unsigned char *recip,
+ const unsigned char *s)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_core_ristretto255_scalar_negate(unsigned char *neg,
+ const unsigned char *s)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_core_ristretto255_scalar_complement(unsigned char *comp,
+ const unsigned char *s)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_core_ristretto255_scalar_add(unsigned char *z,
+ const unsigned char *x,
+ const unsigned char *y)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void 
crypto_core_ristretto255_scalar_sub(unsigned char *z,
+ const unsigned char *x,
+ const unsigned char *y)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_core_ristretto255_scalar_mul(unsigned char *z,
+ const unsigned char *x,
+ const unsigned char *y)
+ __attribute__ ((nonnull));
+
+/*
+ * The interval `s` is sampled from should be at least 317 bits to ensure almost
+ * uniformity of `r` over `L`.
+ */
+SODIUM_EXPORT
+void crypto_core_ristretto255_scalar_reduce(unsigned char *r,
+ const unsigned char *s)
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_core_salsa20.h b/depends/libsodium/include/sodium/crypto_core_salsa20.h
new file mode 100644
index 000000000..bd79fd9f5
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_core_salsa20.h
@@ -0,0 +1,36 @@
+#ifndef crypto_core_salsa20_H
+#define crypto_core_salsa20_H
+
+#include 
+#include "export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define crypto_core_salsa20_OUTPUTBYTES 64U
+SODIUM_EXPORT
+size_t crypto_core_salsa20_outputbytes(void);
+
+#define crypto_core_salsa20_INPUTBYTES 16U
+SODIUM_EXPORT
+size_t crypto_core_salsa20_inputbytes(void);
+
+#define crypto_core_salsa20_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_core_salsa20_keybytes(void);
+
+#define crypto_core_salsa20_CONSTBYTES 16U
+SODIUM_EXPORT
+size_t crypto_core_salsa20_constbytes(void);
+
+SODIUM_EXPORT
+int crypto_core_salsa20(unsigned char *out, const unsigned char *in,
+ const unsigned char *k, const unsigned char *c)
+ __attribute__ ((nonnull(1, 2, 3)));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_core_salsa2012.h b/depends/libsodium/include/sodium/crypto_core_salsa2012.h
new file mode 100644
index 000000000..05957591c
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_core_salsa2012.h
@@ -0,0 +1,36 @@
+#ifndef crypto_core_salsa2012_H
+#define crypto_core_salsa2012_H
+
+#include 
+#include "export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define crypto_core_salsa2012_OUTPUTBYTES 64U
+SODIUM_EXPORT
+size_t crypto_core_salsa2012_outputbytes(void);
+
+#define crypto_core_salsa2012_INPUTBYTES 16U
+SODIUM_EXPORT
+size_t crypto_core_salsa2012_inputbytes(void);
+
+#define crypto_core_salsa2012_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_core_salsa2012_keybytes(void);
+
+#define crypto_core_salsa2012_CONSTBYTES 16U
+SODIUM_EXPORT
+size_t crypto_core_salsa2012_constbytes(void);
+
+SODIUM_EXPORT
+int crypto_core_salsa2012(unsigned char *out, const unsigned char *in,
+ const unsigned char *k, const unsigned char *c)
+ __attribute__ ((nonnull(1, 2, 3)));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_core_salsa208.h b/depends/libsodium/include/sodium/crypto_core_salsa208.h
new file mode 100644
index 000000000..d2f216af2
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_core_salsa208.h
@@ -0,0 +1,40 @@
+#ifndef crypto_core_salsa208_H
+#define crypto_core_salsa208_H
+
+#include 
+#include "export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define crypto_core_salsa208_OUTPUTBYTES 64U
+SODIUM_EXPORT
+size_t crypto_core_salsa208_outputbytes(void)
+ __attribute__ ((deprecated));
+
+#define crypto_core_salsa208_INPUTBYTES 16U
+SODIUM_EXPORT
+size_t crypto_core_salsa208_inputbytes(void)
+ __attribute__ ((deprecated));
+
+#define crypto_core_salsa208_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_core_salsa208_keybytes(void)
+ __attribute__ ((deprecated));
+
+#define crypto_core_salsa208_CONSTBYTES 16U
+SODIUM_EXPORT
+size_t crypto_core_salsa208_constbytes(void)
+ __attribute__ ((deprecated));
+
+SODIUM_EXPORT
+int crypto_core_salsa208(unsigned char *out, const unsigned char *in,
+ const unsigned char *k, const unsigned char *c)
+ __attribute__ ((nonnull(1, 2, 3)));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_generichash.h b/depends/libsodium/include/sodium/crypto_generichash.h
new file mode 100644
index 000000000..d897e5d26
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_generichash.h
@@ -0,0 +1,84 @@
+#ifndef crypto_generichash_H
+#define crypto_generichash_H
+
+#include 
+
+#include "crypto_generichash_blake2b.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_generichash_BYTES_MIN crypto_generichash_blake2b_BYTES_MIN
+SODIUM_EXPORT
+size_t crypto_generichash_bytes_min(void);
+
+#define crypto_generichash_BYTES_MAX crypto_generichash_blake2b_BYTES_MAX
+SODIUM_EXPORT
+size_t crypto_generichash_bytes_max(void);
+
+#define crypto_generichash_BYTES crypto_generichash_blake2b_BYTES
+SODIUM_EXPORT
+size_t crypto_generichash_bytes(void);
+
+#define crypto_generichash_KEYBYTES_MIN crypto_generichash_blake2b_KEYBYTES_MIN
+SODIUM_EXPORT
+size_t crypto_generichash_keybytes_min(void);
+
+#define crypto_generichash_KEYBYTES_MAX crypto_generichash_blake2b_KEYBYTES_MAX
+SODIUM_EXPORT
+size_t crypto_generichash_keybytes_max(void);
+
+#define crypto_generichash_KEYBYTES crypto_generichash_blake2b_KEYBYTES
+SODIUM_EXPORT
+size_t crypto_generichash_keybytes(void);
+
+#define crypto_generichash_PRIMITIVE "blake2b"
+SODIUM_EXPORT
+const char *crypto_generichash_primitive(void);
+
+/*
+ * Important when writing bindings for other programming languages:
+ * the state address should be 64-bytes aligned. 
+ */
+typedef crypto_generichash_blake2b_state crypto_generichash_state;
+
+SODIUM_EXPORT
+size_t crypto_generichash_statebytes(void);
+
+SODIUM_EXPORT
+int crypto_generichash(unsigned char *out, size_t outlen,
+ const unsigned char *in, unsigned long long inlen,
+ const unsigned char *key, size_t keylen)
+ __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_generichash_init(crypto_generichash_state *state,
+ const unsigned char *key,
+ const size_t keylen, const size_t outlen)
+ __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_generichash_update(crypto_generichash_state *state,
+ const unsigned char *in,
+ unsigned long long inlen)
+ __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_generichash_final(crypto_generichash_state *state,
+ unsigned char *out, const size_t outlen)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_generichash_keygen(unsigned char k[crypto_generichash_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_generichash_blake2b.h b/depends/libsodium/include/sodium/crypto_generichash_blake2b.h
new file mode 100644
index 000000000..fee9d8ad1
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_generichash_blake2b.h
@@ -0,0 +1,118 @@
+#ifndef crypto_generichash_blake2b_H
+#define crypto_generichash_blake2b_H
+
+#include 
+#include 
+#include 
+
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#if defined(__IBMC__) || defined(__SUNPRO_C) || defined(__SUNPRO_CC)
+# pragma pack(1)
+#else
+# pragma pack(push, 1)
+#endif
+
+typedef struct CRYPTO_ALIGN(64) crypto_generichash_blake2b_state {
+ unsigned char opaque[384];
+} crypto_generichash_blake2b_state;
+
+#if defined(__IBMC__) || defined(__SUNPRO_C) || defined(__SUNPRO_CC)
+# pragma pack()
+#else
+# pragma pack(pop)
+#endif
+
+#define crypto_generichash_blake2b_BYTES_MIN 16U
+SODIUM_EXPORT
+size_t crypto_generichash_blake2b_bytes_min(void);
+
+#define crypto_generichash_blake2b_BYTES_MAX 64U
+SODIUM_EXPORT
+size_t crypto_generichash_blake2b_bytes_max(void);
+
+#define crypto_generichash_blake2b_BYTES 32U
+SODIUM_EXPORT
+size_t crypto_generichash_blake2b_bytes(void);
+
+#define crypto_generichash_blake2b_KEYBYTES_MIN 16U
+SODIUM_EXPORT
+size_t crypto_generichash_blake2b_keybytes_min(void);
+
+#define crypto_generichash_blake2b_KEYBYTES_MAX 64U
+SODIUM_EXPORT
+size_t crypto_generichash_blake2b_keybytes_max(void);
+
+#define crypto_generichash_blake2b_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_generichash_blake2b_keybytes(void);
+
+#define crypto_generichash_blake2b_SALTBYTES 16U
+SODIUM_EXPORT
+size_t crypto_generichash_blake2b_saltbytes(void);
+
+#define crypto_generichash_blake2b_PERSONALBYTES 16U
+SODIUM_EXPORT
+size_t crypto_generichash_blake2b_personalbytes(void);
+
+SODIUM_EXPORT
+size_t crypto_generichash_blake2b_statebytes(void);
+
+SODIUM_EXPORT
+int crypto_generichash_blake2b(unsigned char *out, size_t outlen,
+ const unsigned char *in,
+ unsigned long long inlen,
+ const unsigned char *key, size_t keylen)
+ __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_generichash_blake2b_salt_personal(unsigned char *out, size_t outlen, 
+ const unsigned char *in,
+ unsigned long long inlen,
+ const unsigned char *key,
+ size_t keylen,
+ const unsigned char *salt,
+ const unsigned char *personal)
+ __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_generichash_blake2b_init(crypto_generichash_blake2b_state *state,
+ const unsigned char *key,
+ const size_t keylen, const size_t outlen)
+ __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_generichash_blake2b_init_salt_personal(crypto_generichash_blake2b_state *state,
+ const unsigned char *key,
+ const size_t keylen, const size_t outlen,
+ const unsigned char *salt,
+ const unsigned char *personal)
+ __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_generichash_blake2b_update(crypto_generichash_blake2b_state *state,
+ const unsigned char *in,
+ unsigned long long inlen)
+ __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_generichash_blake2b_final(crypto_generichash_blake2b_state *state,
+ unsigned char *out,
+ const size_t outlen) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_generichash_blake2b_keygen(unsigned char k[crypto_generichash_blake2b_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_hash.h b/depends/libsodium/include/sodium/crypto_hash.h
new file mode 100644
index 000000000..8752f9caf
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_hash.h
@@ -0,0 +1,40 @@
+#ifndef crypto_hash_H
+#define crypto_hash_H
+
+/*
+ * WARNING: Unless you absolutely need to use SHA512 for interoperatibility,
+ * purposes, you might want to consider crypto_generichash() instead.
+ * Unlike SHA512, crypto_generichash() is not vulnerable to length
+ * extension attacks.
+ */
+
+#include 
+
+#include "crypto_hash_sha512.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_hash_BYTES crypto_hash_sha512_BYTES
+SODIUM_EXPORT
+size_t crypto_hash_bytes(void);
+
+SODIUM_EXPORT
+int crypto_hash(unsigned char *out, const unsigned char *in,
+ unsigned long long inlen) __attribute__ ((nonnull(1)));
+
+#define crypto_hash_PRIMITIVE "sha512"
+SODIUM_EXPORT
+const char *crypto_hash_primitive(void)
+ __attribute__ ((warn_unused_result));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_hash_sha256.h b/depends/libsodium/include/sodium/crypto_hash_sha256.h
new file mode 100644
index 000000000..b18217e18
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_hash_sha256.h
@@ -0,0 +1,60 @@
+#ifndef crypto_hash_sha256_H
+#define crypto_hash_sha256_H
+
+/*
+ * WARNING: Unless you absolutely need to use SHA256 for interoperatibility,
+ * purposes, you might want to consider crypto_generichash() instead.
+ * Unlike SHA256, crypto_generichash() is not vulnerable to length
+ * extension attacks.
+ */
+
+#include 
+#include 
+#include 
+
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+typedef struct crypto_hash_sha256_state {
+ uint32_t state[8];
+ uint64_t count;
+ uint8_t buf[64];
+} crypto_hash_sha256_state;
+
+SODIUM_EXPORT
+size_t crypto_hash_sha256_statebytes(void);
+
+#define crypto_hash_sha256_BYTES 32U
+SODIUM_EXPORT
+size_t crypto_hash_sha256_bytes(void);
+
+SODIUM_EXPORT
+int crypto_hash_sha256(unsigned char *out, const unsigned char *in,
+ unsigned long long inlen) __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_hash_sha256_init(crypto_hash_sha256_state *state)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_hash_sha256_update(crypto_hash_sha256_state *state,
+ const unsigned char *in,
+ unsigned long long inlen)
+ __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_hash_sha256_final(crypto_hash_sha256_state *state,
+ unsigned char *out)
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_hash_sha512.h b/depends/libsodium/include/sodium/crypto_hash_sha512.h
new file mode 100644
index 000000000..8efa7193a
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_hash_sha512.h
@@ -0,0 +1,60 @@
+#ifndef crypto_hash_sha512_H
+#define crypto_hash_sha512_H
+
+/*
+ * WARNING: Unless you absolutely need to use SHA512 for interoperatibility,
+ * purposes, you might want to consider crypto_generichash() instead.
+ * Unlike SHA512, crypto_generichash() is not vulnerable to length
+ * extension attacks.
+ */
+
+#include 
+#include 
+#include 
+
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+typedef struct crypto_hash_sha512_state {
+ uint64_t state[8];
+ uint64_t count[2];
+ uint8_t buf[128];
+} crypto_hash_sha512_state;
+
+SODIUM_EXPORT
+size_t crypto_hash_sha512_statebytes(void);
+
+#define crypto_hash_sha512_BYTES 64U
+SODIUM_EXPORT
+size_t crypto_hash_sha512_bytes(void);
+
+SODIUM_EXPORT
+int crypto_hash_sha512(unsigned char *out, const unsigned char *in,
+ unsigned long long inlen) __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_hash_sha512_init(crypto_hash_sha512_state *state)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_hash_sha512_update(crypto_hash_sha512_state *state,
+ const unsigned char *in,
+ unsigned long long inlen)
+ __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_hash_sha512_final(crypto_hash_sha512_state *state,
+ unsigned char *out)
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_kdf.h b/depends/libsodium/include/sodium/crypto_kdf.h
new file mode 100644
index 000000000..ac2fc6183
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_kdf.h
@@ -0,0 +1,53 @@
+#ifndef crypto_kdf_H
+#define crypto_kdf_H
+
+#include 
+#include 
+
+#include "crypto_kdf_blake2b.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_kdf_BYTES_MIN crypto_kdf_blake2b_BYTES_MIN
+SODIUM_EXPORT
+size_t crypto_kdf_bytes_min(void);
+
+#define crypto_kdf_BYTES_MAX crypto_kdf_blake2b_BYTES_MAX
+SODIUM_EXPORT
+size_t crypto_kdf_bytes_max(void);
+
+#define crypto_kdf_CONTEXTBYTES crypto_kdf_blake2b_CONTEXTBYTES
+SODIUM_EXPORT
+size_t crypto_kdf_contextbytes(void);
+
+#define crypto_kdf_KEYBYTES crypto_kdf_blake2b_KEYBYTES
+SODIUM_EXPORT
+size_t crypto_kdf_keybytes(void);
+
+#define crypto_kdf_PRIMITIVE "blake2b"
+SODIUM_EXPORT
+const char *crypto_kdf_primitive(void)
+ __attribute__ ((warn_unused_result));
+
+SODIUM_EXPORT
+int crypto_kdf_derive_from_key(unsigned char *subkey, size_t subkey_len,
+ uint64_t subkey_id,
+ const char ctx[crypto_kdf_CONTEXTBYTES],
+ const unsigned char key[crypto_kdf_KEYBYTES])
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_kdf_keygen(unsigned char k[crypto_kdf_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_kdf_blake2b.h b/depends/libsodium/include/sodium/crypto_kdf_blake2b.h
new file mode 100644
index 000000000..3ae47dd32
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_kdf_blake2b.h
@@ -0,0 +1,44 @@
+#ifndef crypto_kdf_blake2b_H
+#define crypto_kdf_blake2b_H
+
+#include 
+#include 
+
+#include "crypto_kdf_blake2b.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_kdf_blake2b_BYTES_MIN 16
+SODIUM_EXPORT
+size_t crypto_kdf_blake2b_bytes_min(void);
+
+#define crypto_kdf_blake2b_BYTES_MAX 64
+SODIUM_EXPORT
+size_t crypto_kdf_blake2b_bytes_max(void);
+
+#define crypto_kdf_blake2b_CONTEXTBYTES 8
+SODIUM_EXPORT
+size_t crypto_kdf_blake2b_contextbytes(void);
+
+#define crypto_kdf_blake2b_KEYBYTES 32
+SODIUM_EXPORT
+size_t crypto_kdf_blake2b_keybytes(void);
+
+SODIUM_EXPORT
+int crypto_kdf_blake2b_derive_from_key(unsigned char *subkey, size_t subkey_len,
+ uint64_t subkey_id,
+ const char ctx[crypto_kdf_blake2b_CONTEXTBYTES],
+ const unsigned char key[crypto_kdf_blake2b_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_kx.h b/depends/libsodium/include/sodium/crypto_kx.h
new file mode 100644
index 000000000..347132c32
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_kx.h
@@ -0,0 +1,66 @@
+#ifndef crypto_kx_H
+#define crypto_kx_H
+
+#include 
+
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_kx_PUBLICKEYBYTES 32
+SODIUM_EXPORT
+size_t crypto_kx_publickeybytes(void);
+
+#define crypto_kx_SECRETKEYBYTES 32
+SODIUM_EXPORT
+size_t crypto_kx_secretkeybytes(void);
+
+#define crypto_kx_SEEDBYTES 32
+SODIUM_EXPORT
+size_t crypto_kx_seedbytes(void);
+
+#define crypto_kx_SESSIONKEYBYTES 32
+SODIUM_EXPORT
+size_t crypto_kx_sessionkeybytes(void);
+
+#define crypto_kx_PRIMITIVE "x25519blake2b"
+SODIUM_EXPORT
+const char *crypto_kx_primitive(void);
+
+SODIUM_EXPORT
+int crypto_kx_seed_keypair(unsigned char pk[crypto_kx_PUBLICKEYBYTES],
+ unsigned char sk[crypto_kx_SECRETKEYBYTES],
+ const unsigned char seed[crypto_kx_SEEDBYTES])
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_kx_keypair(unsigned char pk[crypto_kx_PUBLICKEYBYTES],
+ unsigned char sk[crypto_kx_SECRETKEYBYTES])
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_kx_client_session_keys(unsigned char rx[crypto_kx_SESSIONKEYBYTES],
+ unsigned char tx[crypto_kx_SESSIONKEYBYTES],
+ const unsigned char client_pk[crypto_kx_PUBLICKEYBYTES],
+ const unsigned char client_sk[crypto_kx_SECRETKEYBYTES],
+ const unsigned char server_pk[crypto_kx_PUBLICKEYBYTES])
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 4, 5)));
+
+SODIUM_EXPORT
+int crypto_kx_server_session_keys(unsigned char rx[crypto_kx_SESSIONKEYBYTES],
+ unsigned char tx[crypto_kx_SESSIONKEYBYTES],
+ const unsigned char server_pk[crypto_kx_PUBLICKEYBYTES],
+ const unsigned char server_sk[crypto_kx_SECRETKEYBYTES],
+ const unsigned char client_pk[crypto_kx_PUBLICKEYBYTES])
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 4, 5)));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_onetimeauth.h b/depends/libsodium/include/sodium/crypto_onetimeauth.h
new file mode 100644
index 000000000..7cd7b0706
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_onetimeauth.h
@@ -0,0 +1,65 @@
+#ifndef crypto_onetimeauth_H
+#define crypto_onetimeauth_H
+
+#include 
+
+#include "crypto_onetimeauth_poly1305.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+typedef crypto_onetimeauth_poly1305_state crypto_onetimeauth_state;
+
+SODIUM_EXPORT
+size_t crypto_onetimeauth_statebytes(void);
+
+#define crypto_onetimeauth_BYTES crypto_onetimeauth_poly1305_BYTES
+SODIUM_EXPORT
+size_t crypto_onetimeauth_bytes(void);
+
+#define crypto_onetimeauth_KEYBYTES crypto_onetimeauth_poly1305_KEYBYTES
+SODIUM_EXPORT
+size_t crypto_onetimeauth_keybytes(void);
+
+#define crypto_onetimeauth_PRIMITIVE "poly1305"
+SODIUM_EXPORT
+const char *crypto_onetimeauth_primitive(void);
+
+SODIUM_EXPORT
+int crypto_onetimeauth(unsigned char *out, const unsigned char *in,
+ unsigned long long inlen, const unsigned char *k)
+ __attribute__ ((nonnull(1, 4)));
+
+SODIUM_EXPORT
+int crypto_onetimeauth_verify(const unsigned char *h, const unsigned char *in,
+ unsigned long long inlen, const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(1, 4)));
+
+SODIUM_EXPORT
+int crypto_onetimeauth_init(crypto_onetimeauth_state *state,
+ const unsigned char *key) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_onetimeauth_update(crypto_onetimeauth_state *state,
+ const unsigned char *in,
+ unsigned long long inlen)
+ __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_onetimeauth_final(crypto_onetimeauth_state *state,
+ unsigned char *out) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_onetimeauth_keygen(unsigned char k[crypto_onetimeauth_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_onetimeauth_poly1305.h b/depends/libsodium/include/sodium/crypto_onetimeauth_poly1305.h
new file mode 100644
index 000000000..f3e34d86d
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_onetimeauth_poly1305.h
@@ -0,0 +1,72 @@
+#ifndef crypto_onetimeauth_poly1305_H
+#define crypto_onetimeauth_poly1305_H
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#include 
+#include 
+#include 
+
+#include 
+
+#include "export.h"
+
+typedef struct CRYPTO_ALIGN(16) crypto_onetimeauth_poly1305_state {
+ unsigned char opaque[256];
+} crypto_onetimeauth_poly1305_state;
+
+SODIUM_EXPORT
+size_t crypto_onetimeauth_poly1305_statebytes(void);
+
+#define crypto_onetimeauth_poly1305_BYTES 16U
+SODIUM_EXPORT
+size_t crypto_onetimeauth_poly1305_bytes(void);
+
+#define crypto_onetimeauth_poly1305_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_onetimeauth_poly1305_keybytes(void);
+
+SODIUM_EXPORT
+int crypto_onetimeauth_poly1305(unsigned char *out,
+ const unsigned char *in,
+ unsigned long long inlen,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 4)));
+
+SODIUM_EXPORT
+int crypto_onetimeauth_poly1305_verify(const unsigned char *h,
+ const unsigned char *in,
+ unsigned long long inlen,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(1, 4)));
+
+SODIUM_EXPORT
+int crypto_onetimeauth_poly1305_init(crypto_onetimeauth_poly1305_state *state,
+ const unsigned char *key)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_onetimeauth_poly1305_update(crypto_onetimeauth_poly1305_state *state,
+ const unsigned char *in,
+ unsigned long long inlen)
+ __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_onetimeauth_poly1305_final(crypto_onetimeauth_poly1305_state *state,
+ unsigned char *out)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_onetimeauth_poly1305_keygen(unsigned char k[crypto_onetimeauth_poly1305_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_pwhash.h b/depends/libsodium/include/sodium/crypto_pwhash.h
new file mode 100644
index 000000000..585a993ef
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_pwhash.h
@@ -0,0 +1,147 @@
+#ifndef crypto_pwhash_H
+#define crypto_pwhash_H
+
+#include 
+
+#include "crypto_pwhash_argon2i.h"
+#include "crypto_pwhash_argon2id.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_pwhash_ALG_ARGON2I13 crypto_pwhash_argon2i_ALG_ARGON2I13
+SODIUM_EXPORT
+int crypto_pwhash_alg_argon2i13(void);
+
+#define crypto_pwhash_ALG_ARGON2ID13 crypto_pwhash_argon2id_ALG_ARGON2ID13
+SODIUM_EXPORT
+int crypto_pwhash_alg_argon2id13(void);
+
+#define crypto_pwhash_ALG_DEFAULT crypto_pwhash_ALG_ARGON2ID13
+SODIUM_EXPORT
+int crypto_pwhash_alg_default(void);
+
+#define crypto_pwhash_BYTES_MIN crypto_pwhash_argon2id_BYTES_MIN
+SODIUM_EXPORT
+size_t crypto_pwhash_bytes_min(void);
+
+#define crypto_pwhash_BYTES_MAX crypto_pwhash_argon2id_BYTES_MAX
+SODIUM_EXPORT
+size_t crypto_pwhash_bytes_max(void);
+
+#define crypto_pwhash_PASSWD_MIN crypto_pwhash_argon2id_PASSWD_MIN
+SODIUM_EXPORT
+size_t crypto_pwhash_passwd_min(void);
+
+#define crypto_pwhash_PASSWD_MAX crypto_pwhash_argon2id_PASSWD_MAX
+SODIUM_EXPORT
+size_t crypto_pwhash_passwd_max(void);
+
+#define crypto_pwhash_SALTBYTES crypto_pwhash_argon2id_SALTBYTES
+SODIUM_EXPORT
+size_t crypto_pwhash_saltbytes(void);
+
+#define crypto_pwhash_STRBYTES crypto_pwhash_argon2id_STRBYTES
+SODIUM_EXPORT
+size_t crypto_pwhash_strbytes(void);
+
+#define crypto_pwhash_STRPREFIX crypto_pwhash_argon2id_STRPREFIX
+SODIUM_EXPORT
+const char *crypto_pwhash_strprefix(void);
+
+#define crypto_pwhash_OPSLIMIT_MIN crypto_pwhash_argon2id_OPSLIMIT_MIN
+SODIUM_EXPORT
+size_t crypto_pwhash_opslimit_min(void);
+
+#define crypto_pwhash_OPSLIMIT_MAX crypto_pwhash_argon2id_OPSLIMIT_MAX
+SODIUM_EXPORT
+size_t crypto_pwhash_opslimit_max(void);
+
+#define crypto_pwhash_MEMLIMIT_MIN crypto_pwhash_argon2id_MEMLIMIT_MIN
+SODIUM_EXPORT
+size_t crypto_pwhash_memlimit_min(void);
+
+#define crypto_pwhash_MEMLIMIT_MAX crypto_pwhash_argon2id_MEMLIMIT_MAX
+SODIUM_EXPORT
+size_t crypto_pwhash_memlimit_max(void);
+
+#define crypto_pwhash_OPSLIMIT_INTERACTIVE crypto_pwhash_argon2id_OPSLIMIT_INTERACTIVE
+SODIUM_EXPORT
+size_t crypto_pwhash_opslimit_interactive(void);
+
+#define crypto_pwhash_MEMLIMIT_INTERACTIVE crypto_pwhash_argon2id_MEMLIMIT_INTERACTIVE
+SODIUM_EXPORT
+size_t crypto_pwhash_memlimit_interactive(void);
+
+#define crypto_pwhash_OPSLIMIT_MODERATE crypto_pwhash_argon2id_OPSLIMIT_MODERATE
+SODIUM_EXPORT
+size_t crypto_pwhash_opslimit_moderate(void);
+
+#define crypto_pwhash_MEMLIMIT_MODERATE crypto_pwhash_argon2id_MEMLIMIT_MODERATE
+SODIUM_EXPORT
+size_t crypto_pwhash_memlimit_moderate(void);
+
+#define crypto_pwhash_OPSLIMIT_SENSITIVE crypto_pwhash_argon2id_OPSLIMIT_SENSITIVE
+SODIUM_EXPORT
+size_t crypto_pwhash_opslimit_sensitive(void);
+
+#define crypto_pwhash_MEMLIMIT_SENSITIVE crypto_pwhash_argon2id_MEMLIMIT_SENSITIVE
+SODIUM_EXPORT
+size_t crypto_pwhash_memlimit_sensitive(void);
+
+/*
+ * With this function, do not forget to store all parameters, including the
+ * algorithm identifier in order to produce deterministic output.
+ * The crypto_pwhash_* definitions, including crypto_pwhash_ALG_DEFAULT,
+ * may change.
+ */
+SODIUM_EXPORT
+int crypto_pwhash(unsigned char * const out, unsigned long long outlen,
+ const char * const passwd, unsigned long long passwdlen,
+ const unsigned char * const salt,
+ unsigned long long opslimit, size_t memlimit, int alg)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+/*
+ * The output string already includes all the required parameters, including
+ * the algorithm identifier. The string is all that has to be stored in
+ * order to verify a password.
+ */
+SODIUM_EXPORT
+int crypto_pwhash_str(char out[crypto_pwhash_STRBYTES],
+ const char * const passwd, unsigned long long passwdlen,
+ unsigned long long opslimit, size_t memlimit)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_pwhash_str_alg(char out[crypto_pwhash_STRBYTES],
+ const char * const passwd, unsigned long long passwdlen,
+ unsigned long long opslimit, size_t memlimit, int alg)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_pwhash_str_verify(const char str[crypto_pwhash_STRBYTES],
+ const char * const passwd,
+ unsigned long long passwdlen)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_pwhash_str_needs_rehash(const char str[crypto_pwhash_STRBYTES],
+ unsigned long long opslimit, size_t memlimit)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+#define crypto_pwhash_PRIMITIVE "argon2i"
+SODIUM_EXPORT
+const char *crypto_pwhash_primitive(void)
+ __attribute__ ((warn_unused_result));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_pwhash_argon2i.h b/depends/libsodium/include/sodium/crypto_pwhash_argon2i.h
new file mode 100644
index 000000000..88ff6221d
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_pwhash_argon2i.h
@@ -0,0 +1,122 @@
+#ifndef crypto_pwhash_argon2i_H
+#define crypto_pwhash_argon2i_H
+
+#include 
+#include 
+#include 
+
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_pwhash_argon2i_ALG_ARGON2I13 1
+SODIUM_EXPORT
+int crypto_pwhash_argon2i_alg_argon2i13(void);
+
+#define crypto_pwhash_argon2i_BYTES_MIN 16U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_bytes_min(void);
+
+#define crypto_pwhash_argon2i_BYTES_MAX SODIUM_MIN(SODIUM_SIZE_MAX, 4294967295U)
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_bytes_max(void);
+
+#define crypto_pwhash_argon2i_PASSWD_MIN 0U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_passwd_min(void);
+
+#define crypto_pwhash_argon2i_PASSWD_MAX 4294967295U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_passwd_max(void);
+
+#define crypto_pwhash_argon2i_SALTBYTES 16U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_saltbytes(void);
+
+#define crypto_pwhash_argon2i_STRBYTES 128U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_strbytes(void);
+
+#define crypto_pwhash_argon2i_STRPREFIX "$argon2i$"
+SODIUM_EXPORT
+const char *crypto_pwhash_argon2i_strprefix(void);
+
+#define crypto_pwhash_argon2i_OPSLIMIT_MIN 3U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_opslimit_min(void);
+
+#define crypto_pwhash_argon2i_OPSLIMIT_MAX 4294967295U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_opslimit_max(void);
+
+#define crypto_pwhash_argon2i_MEMLIMIT_MIN 8192U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_memlimit_min(void);
+
+#define crypto_pwhash_argon2i_MEMLIMIT_MAX \
+ ((SIZE_MAX >= 4398046510080U) ? 4398046510080U : (SIZE_MAX >= 2147483648U) ? 2147483648U : 32768U)
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_memlimit_max(void);
+
+#define crypto_pwhash_argon2i_OPSLIMIT_INTERACTIVE 4U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_opslimit_interactive(void);
+
+#define crypto_pwhash_argon2i_MEMLIMIT_INTERACTIVE 33554432U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_memlimit_interactive(void);
+
+#define crypto_pwhash_argon2i_OPSLIMIT_MODERATE 6U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_opslimit_moderate(void);
+
+#define crypto_pwhash_argon2i_MEMLIMIT_MODERATE 134217728U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_memlimit_moderate(void);
+
+#define crypto_pwhash_argon2i_OPSLIMIT_SENSITIVE 8U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_opslimit_sensitive(void);
+
+#define crypto_pwhash_argon2i_MEMLIMIT_SENSITIVE 536870912U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_memlimit_sensitive(void);
+
+SODIUM_EXPORT
+int crypto_pwhash_argon2i(unsigned char * const out,
+ unsigned long long outlen,
+ const char * const passwd,
+ unsigned long long passwdlen,
+ const unsigned char * const salt,
+ unsigned long long opslimit, size_t memlimit,
+ int alg)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_pwhash_argon2i_str(char out[crypto_pwhash_argon2i_STRBYTES],
+ const char * const passwd,
+ unsigned long long passwdlen,
+ unsigned long long opslimit, size_t memlimit)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_pwhash_argon2i_str_verify(const char str[crypto_pwhash_argon2i_STRBYTES],
+ const char * const passwd,
+ unsigned long long passwdlen)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_pwhash_argon2i_str_needs_rehash(const char str[crypto_pwhash_argon2i_STRBYTES],
+ unsigned long long opslimit, size_t memlimit)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_pwhash_argon2id.h b/depends/libsodium/include/sodium/crypto_pwhash_argon2id.h
new file mode 100644
index 000000000..7183abd18
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_pwhash_argon2id.h
@@ -0,0 +1,122 @@
+#ifndef crypto_pwhash_argon2id_H
+#define crypto_pwhash_argon2id_H
+
+#include 
+#include 
+#include 
+
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_pwhash_argon2id_ALG_ARGON2ID13 2
+SODIUM_EXPORT
+int crypto_pwhash_argon2id_alg_argon2id13(void);
+
+#define crypto_pwhash_argon2id_BYTES_MIN 16U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2id_bytes_min(void);
+
+#define crypto_pwhash_argon2id_BYTES_MAX SODIUM_MIN(SODIUM_SIZE_MAX, 4294967295U)
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2id_bytes_max(void);
+
+#define crypto_pwhash_argon2id_PASSWD_MIN 0U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2id_passwd_min(void);
+
+#define crypto_pwhash_argon2id_PASSWD_MAX 4294967295U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2id_passwd_max(void);
+
+#define crypto_pwhash_argon2id_SALTBYTES 16U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2id_saltbytes(void);
+
+#define crypto_pwhash_argon2id_STRBYTES 128U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2id_strbytes(void);
+
+#define crypto_pwhash_argon2id_STRPREFIX "$argon2id$"
+SODIUM_EXPORT
+const char *crypto_pwhash_argon2id_strprefix(void);
+
+#define crypto_pwhash_argon2id_OPSLIMIT_MIN 1U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2id_opslimit_min(void);
+
+#define crypto_pwhash_argon2id_OPSLIMIT_MAX 4294967295U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2id_opslimit_max(void);
+
+#define crypto_pwhash_argon2id_MEMLIMIT_MIN 8192U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2id_memlimit_min(void);
+
+#define crypto_pwhash_argon2id_MEMLIMIT_MAX \
+ ((SIZE_MAX >= 4398046510080U) ? 4398046510080U : (SIZE_MAX >= 2147483648U) ? 2147483648U : 32768U)
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2id_memlimit_max(void);
+
+#define crypto_pwhash_argon2id_OPSLIMIT_INTERACTIVE 2U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2id_opslimit_interactive(void);
+
+#define crypto_pwhash_argon2id_MEMLIMIT_INTERACTIVE 67108864U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2id_memlimit_interactive(void);
+
+#define crypto_pwhash_argon2id_OPSLIMIT_MODERATE 3U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2id_opslimit_moderate(void);
+
+#define crypto_pwhash_argon2id_MEMLIMIT_MODERATE 268435456U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2id_memlimit_moderate(void);
+
+#define crypto_pwhash_argon2id_OPSLIMIT_SENSITIVE 4U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2id_opslimit_sensitive(void);
+
+#define crypto_pwhash_argon2id_MEMLIMIT_SENSITIVE 1073741824U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2id_memlimit_sensitive(void);
+
+SODIUM_EXPORT
+int crypto_pwhash_argon2id(unsigned char * const out,
+ unsigned long long outlen,
+ const char * const passwd,
+ unsigned long long passwdlen,
+ const unsigned char * const salt,
+ unsigned long long opslimit, size_t memlimit,
+ int alg)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_pwhash_argon2id_str(char out[crypto_pwhash_argon2id_STRBYTES],
+ const char * const passwd,
+ unsigned long long passwdlen,
+ unsigned long long opslimit, size_t memlimit)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_pwhash_argon2id_str_verify(const char str[crypto_pwhash_argon2id_STRBYTES],
+ const char * const passwd,
+ unsigned long long passwdlen)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_pwhash_argon2id_str_needs_rehash(const char str[crypto_pwhash_argon2id_STRBYTES],
+ unsigned long long opslimit, size_t memlimit)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h b/depends/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h
new file mode 100644
index 000000000..5c0bf7d39
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h
@@ -0,0 +1,120 @@
+#ifndef crypto_pwhash_scryptsalsa208sha256_H
+#define crypto_pwhash_scryptsalsa208sha256_H
+
+#include 
+#include 
+#include 
+
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_pwhash_scryptsalsa208sha256_BYTES_MIN 16U
+SODIUM_EXPORT
+size_t crypto_pwhash_scryptsalsa208sha256_bytes_min(void);
+
+#define crypto_pwhash_scryptsalsa208sha256_BYTES_MAX \
+ SODIUM_MIN(SODIUM_SIZE_MAX, 0x1fffffffe0ULL)
+SODIUM_EXPORT
+size_t crypto_pwhash_scryptsalsa208sha256_bytes_max(void);
+
+#define crypto_pwhash_scryptsalsa208sha256_PASSWD_MIN 0U
+SODIUM_EXPORT
+size_t crypto_pwhash_scryptsalsa208sha256_passwd_min(void);
+
+#define crypto_pwhash_scryptsalsa208sha256_PASSWD_MAX SODIUM_SIZE_MAX
+SODIUM_EXPORT
+size_t crypto_pwhash_scryptsalsa208sha256_passwd_max(void);
+
+#define crypto_pwhash_scryptsalsa208sha256_SALTBYTES 32U
+SODIUM_EXPORT
+size_t crypto_pwhash_scryptsalsa208sha256_saltbytes(void);
+
+#define crypto_pwhash_scryptsalsa208sha256_STRBYTES 102U
+SODIUM_EXPORT
+size_t crypto_pwhash_scryptsalsa208sha256_strbytes(void);
+
+#define crypto_pwhash_scryptsalsa208sha256_STRPREFIX "$7$"
+SODIUM_EXPORT
+const char *crypto_pwhash_scryptsalsa208sha256_strprefix(void);
+
+#define crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_MIN 32768U
+SODIUM_EXPORT
+size_t crypto_pwhash_scryptsalsa208sha256_opslimit_min(void);
+
+#define crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_MAX 4294967295U
+SODIUM_EXPORT
+size_t crypto_pwhash_scryptsalsa208sha256_opslimit_max(void);
+
+#define crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_MIN 16777216U
+SODIUM_EXPORT
+size_t crypto_pwhash_scryptsalsa208sha256_memlimit_min(void);
+
+#define crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_MAX \
+ SODIUM_MIN(SIZE_MAX, 68719476736ULL)
+SODIUM_EXPORT
+size_t crypto_pwhash_scryptsalsa208sha256_memlimit_max(void);
+
+#define crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE 524288U
+SODIUM_EXPORT
+size_t crypto_pwhash_scryptsalsa208sha256_opslimit_interactive(void);
+
+#define crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE 16777216U
+SODIUM_EXPORT
+size_t crypto_pwhash_scryptsalsa208sha256_memlimit_interactive(void);
+
+#define crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_SENSITIVE 33554432U
+SODIUM_EXPORT
+size_t crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive(void);
+
+#define crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_SENSITIVE 1073741824U
+SODIUM_EXPORT
+size_t crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive(void);
+
+SODIUM_EXPORT
+int crypto_pwhash_scryptsalsa208sha256(unsigned char * const out,
+ unsigned long long outlen,
+ const char * const passwd,
+ unsigned long long passwdlen,
+ const unsigned char * const salt,
+ unsigned long long opslimit,
+ size_t memlimit)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_pwhash_scryptsalsa208sha256_str(char out[crypto_pwhash_scryptsalsa208sha256_STRBYTES],
+ const char * const passwd,
+ unsigned long long passwdlen,
+ unsigned long long opslimit,
+ size_t memlimit)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_pwhash_scryptsalsa208sha256_str_verify(const char str[crypto_pwhash_scryptsalsa208sha256_STRBYTES],
+ const char * const passwd,
+ unsigned long long passwdlen)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_pwhash_scryptsalsa208sha256_ll(const uint8_t * passwd, size_t passwdlen,
+ const uint8_t * salt, size_t saltlen,
+ uint64_t N, uint32_t r, uint32_t p,
+ uint8_t * buf, size_t buflen)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_pwhash_scryptsalsa208sha256_str_needs_rehash(const char str[crypto_pwhash_scryptsalsa208sha256_STRBYTES],
+ unsigned long long opslimit,
+ size_t memlimit)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_scalarmult.h b/depends/libsodium/include/sodium/crypto_scalarmult.h
new file mode 100644
index 000000000..1c6858537
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_scalarmult.h
@@ -0,0 +1,46 @@
+#ifndef crypto_scalarmult_H
+#define crypto_scalarmult_H
+
+#include 
+
+#include "crypto_scalarmult_curve25519.h"
+#include "export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define crypto_scalarmult_BYTES crypto_scalarmult_curve25519_BYTES
+SODIUM_EXPORT
+size_t crypto_scalarmult_bytes(void);
+
+#define crypto_scalarmult_SCALARBYTES crypto_scalarmult_curve25519_SCALARBYTES
+SODIUM_EXPORT
+size_t crypto_scalarmult_scalarbytes(void);
+
+#define crypto_scalarmult_PRIMITIVE "curve25519"
+SODIUM_EXPORT
+const char *crypto_scalarmult_primitive(void);
+
+SODIUM_EXPORT
+int crypto_scalarmult_base(unsigned char *q, const unsigned char *n)
+ __attribute__ ((nonnull));
+
+/*
+ * NOTE: Do not use the result of this function directly for key exchange.
+ *
+ * Hash the result with the public keys in order to compute a shared
+ * secret key: H(q || client_pk || server_pk)
+ *
+ * Or unless this is not an option, use the crypto_kx() API instead.
+ */
+SODIUM_EXPORT
+int crypto_scalarmult(unsigned char *q, const unsigned char *n,
+ const unsigned char *p)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_scalarmult_curve25519.h b/depends/libsodium/include/sodium/crypto_scalarmult_curve25519.h
new file mode 100644
index 000000000..60e9d0c5a
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_scalarmult_curve25519.h
@@ -0,0 +1,42 @@
+#ifndef crypto_scalarmult_curve25519_H
+#define crypto_scalarmult_curve25519_H
+
+#include 
+
+#include "export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define crypto_scalarmult_curve25519_BYTES 32U
+SODIUM_EXPORT
+size_t crypto_scalarmult_curve25519_bytes(void);
+
+#define crypto_scalarmult_curve25519_SCALARBYTES 32U
+SODIUM_EXPORT
+size_t crypto_scalarmult_curve25519_scalarbytes(void);
+
+/*
+ * NOTE: Do not use the result of this function directly for key exchange.
+ *
+ * Hash the result with the public keys in order to compute a shared
+ * secret key: H(q || client_pk || server_pk)
+ *
+ * Or unless this is not an option, use the crypto_kx() API instead.
+ */
+SODIUM_EXPORT
+int crypto_scalarmult_curve25519(unsigned char *q, const unsigned char *n,
+ const unsigned char *p)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_scalarmult_curve25519_base(unsigned char *q,
+ const unsigned char *n)
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_scalarmult_ed25519.h b/depends/libsodium/include/sodium/crypto_scalarmult_ed25519.h
new file mode 100644
index 000000000..2dfa4d707
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_scalarmult_ed25519.h
@@ -0,0 +1,51 @@
+
+#ifndef crypto_scalarmult_ed25519_H
+#define crypto_scalarmult_ed25519_H
+
+#include 
+
+#include "export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define crypto_scalarmult_ed25519_BYTES 32U
+SODIUM_EXPORT
+size_t crypto_scalarmult_ed25519_bytes(void);
+
+#define crypto_scalarmult_ed25519_SCALARBYTES 32U
+SODIUM_EXPORT
+size_t crypto_scalarmult_ed25519_scalarbytes(void);
+
+/*
+ * NOTE: Do not use the result of this function directly for key exchange.
+ *
+ * Hash the result with the public keys in order to compute a shared
+ * secret key: H(q || client_pk || server_pk)
+ *
+ * Or unless this is not an option, use the crypto_kx() API instead.
+ */
+SODIUM_EXPORT
+int crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
+ const unsigned char *p)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_scalarmult_ed25519_noclamp(unsigned char *q, const unsigned char *n,
+ const unsigned char *p)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_scalarmult_ed25519_base(unsigned char *q, const unsigned char *n)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_scalarmult_ed25519_base_noclamp(unsigned char *q, const unsigned char *n)
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_scalarmult_ristretto255.h b/depends/libsodium/include/sodium/crypto_scalarmult_ristretto255.h
new file mode 100644
index 000000000..40a45ccef
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_scalarmult_ristretto255.h
@@ -0,0 +1,43 @@
+
+#ifndef crypto_scalarmult_ristretto255_H
+#define crypto_scalarmult_ristretto255_H
+
+#include 
+
+#include "export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define crypto_scalarmult_ristretto255_BYTES 32U
+SODIUM_EXPORT
+size_t crypto_scalarmult_ristretto255_bytes(void);
+
+#define crypto_scalarmult_ristretto255_SCALARBYTES 32U
+SODIUM_EXPORT
+size_t crypto_scalarmult_ristretto255_scalarbytes(void);
+
+/*
+ * NOTE: Do not use the result of this function directly for key exchange.
+ *
+ * Hash the result with the public keys in order to compute a shared
+ * secret key: H(q || client_pk || server_pk)
+ *
+ * Or unless this is not an option, use the crypto_kx() API instead.
+ */
+SODIUM_EXPORT
+int crypto_scalarmult_ristretto255(unsigned char *q, const unsigned char *n,
+ const unsigned char *p)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_scalarmult_ristretto255_base(unsigned char *q,
+ const unsigned char *n)
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_secretbox.h b/depends/libsodium/include/sodium/crypto_secretbox.h
new file mode 100644
index 000000000..1d3709db1
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_secretbox.h
@@ -0,0 +1,93 @@
+#ifndef crypto_secretbox_H
+#define crypto_secretbox_H
+
+#include 
+
+#include "crypto_secretbox_xsalsa20poly1305.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_secretbox_KEYBYTES crypto_secretbox_xsalsa20poly1305_KEYBYTES
+SODIUM_EXPORT
+size_t crypto_secretbox_keybytes(void);
+
+#define crypto_secretbox_NONCEBYTES crypto_secretbox_xsalsa20poly1305_NONCEBYTES
+SODIUM_EXPORT
+size_t crypto_secretbox_noncebytes(void);
+
+#define crypto_secretbox_MACBYTES crypto_secretbox_xsalsa20poly1305_MACBYTES
+SODIUM_EXPORT
+size_t crypto_secretbox_macbytes(void);
+
+#define crypto_secretbox_PRIMITIVE "xsalsa20poly1305"
+SODIUM_EXPORT
+const char *crypto_secretbox_primitive(void);
+
+#define crypto_secretbox_MESSAGEBYTES_MAX crypto_secretbox_xsalsa20poly1305_MESSAGEBYTES_MAX
+SODIUM_EXPORT
+size_t crypto_secretbox_messagebytes_max(void);
+
+SODIUM_EXPORT
+int crypto_secretbox_easy(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k) __attribute__ ((nonnull(1, 4, 5)));
+
+SODIUM_EXPORT
+int crypto_secretbox_open_easy(unsigned char *m, const unsigned char *c,
+ unsigned long long clen, const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
+
+SODIUM_EXPORT
+int crypto_secretbox_detached(unsigned char *c, unsigned char *mac,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 2, 5, 6)));
+
+SODIUM_EXPORT
+int crypto_secretbox_open_detached(unsigned char *m,
+ const unsigned char *c,
+ const unsigned char *mac,
+ unsigned long long clen,
+ const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 3, 5, 6)));
+
+SODIUM_EXPORT
+void crypto_secretbox_keygen(unsigned char k[crypto_secretbox_KEYBYTES])
+ __attribute__ ((nonnull));
+
+/* -- NaCl compatibility interface ; Requires padding -- */
+
+#define crypto_secretbox_ZEROBYTES crypto_secretbox_xsalsa20poly1305_ZEROBYTES
+SODIUM_EXPORT
+size_t crypto_secretbox_zerobytes(void);
+
+#define crypto_secretbox_BOXZEROBYTES crypto_secretbox_xsalsa20poly1305_BOXZEROBYTES
+SODIUM_EXPORT
+size_t crypto_secretbox_boxzerobytes(void);
+
+SODIUM_EXPORT
+int crypto_secretbox(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k) __attribute__ ((nonnull(1, 4, 5)));
+
+SODIUM_EXPORT
+int crypto_secretbox_open(unsigned char *m, const unsigned char *c,
+ unsigned long long clen, const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_secretbox_xchacha20poly1305.h b/depends/libsodium/include/sodium/crypto_secretbox_xchacha20poly1305.h
new file mode 100644
index 000000000..6ec674e31
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_secretbox_xchacha20poly1305.h
@@ -0,0 +1,70 @@
+#ifndef crypto_secretbox_xchacha20poly1305_H
+#define crypto_secretbox_xchacha20poly1305_H
+
+#include
+#include "crypto_stream_xchacha20.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_secretbox_xchacha20poly1305_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_secretbox_xchacha20poly1305_keybytes(void);
+
+#define crypto_secretbox_xchacha20poly1305_NONCEBYTES 24U
+SODIUM_EXPORT
+size_t crypto_secretbox_xchacha20poly1305_noncebytes(void);
+
+#define crypto_secretbox_xchacha20poly1305_MACBYTES 16U
+SODIUM_EXPORT
+size_t crypto_secretbox_xchacha20poly1305_macbytes(void);
+
+#define crypto_secretbox_xchacha20poly1305_MESSAGEBYTES_MAX \
+ (crypto_stream_xchacha20_MESSAGEBYTES_MAX - crypto_secretbox_xchacha20poly1305_MACBYTES)
+SODIUM_EXPORT
+size_t crypto_secretbox_xchacha20poly1305_messagebytes_max(void);
+
+SODIUM_EXPORT
+int crypto_secretbox_xchacha20poly1305_easy(unsigned char *c,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 4, 5)));
+
+SODIUM_EXPORT
+int crypto_secretbox_xchacha20poly1305_open_easy(unsigned char *m,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
+
+SODIUM_EXPORT
+int crypto_secretbox_xchacha20poly1305_detached(unsigned char *c,
+ unsigned char *mac,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 2, 5, 6)));
+
+SODIUM_EXPORT
+int crypto_secretbox_xchacha20poly1305_open_detached(unsigned char *m,
+ const unsigned char *c,
+ const unsigned char *mac,
+ unsigned long long clen,
+ const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 3, 5, 6)));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_secretbox_xsalsa20poly1305.h b/depends/libsodium/include/sodium/crypto_secretbox_xsalsa20poly1305.h
new file mode 100644
index 000000000..be0874cba
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_secretbox_xsalsa20poly1305.h
@@ -0,0 +1,69 @@
+#ifndef crypto_secretbox_xsalsa20poly1305_H
+#define crypto_secretbox_xsalsa20poly1305_H
+
+#include
+#include "crypto_stream_xsalsa20.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_secretbox_xsalsa20poly1305_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_secretbox_xsalsa20poly1305_keybytes(void);
+
+#define crypto_secretbox_xsalsa20poly1305_NONCEBYTES 24U
+SODIUM_EXPORT
+size_t crypto_secretbox_xsalsa20poly1305_noncebytes(void);
+
+#define crypto_secretbox_xsalsa20poly1305_MACBYTES 16U
+SODIUM_EXPORT
+size_t crypto_secretbox_xsalsa20poly1305_macbytes(void);
+
+/* Only for the libsodium API - The NaCl compatibility API would require BOXZEROBYTES extra bytes */
+#define crypto_secretbox_xsalsa20poly1305_MESSAGEBYTES_MAX \
+ (crypto_stream_xsalsa20_MESSAGEBYTES_MAX - crypto_secretbox_xsalsa20poly1305_MACBYTES)
+SODIUM_EXPORT
+size_t crypto_secretbox_xsalsa20poly1305_messagebytes_max(void);
+
+SODIUM_EXPORT
+int crypto_secretbox_xsalsa20poly1305(unsigned char *c,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((nonnull(1, 4, 5)));
+
+SODIUM_EXPORT
+int crypto_secretbox_xsalsa20poly1305_open(unsigned char *m,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(2, 4, 5)));
+
+SODIUM_EXPORT
+void crypto_secretbox_xsalsa20poly1305_keygen(unsigned char k[crypto_secretbox_xsalsa20poly1305_KEYBYTES])
+ __attribute__ ((nonnull));
+
+/* -- NaCl compatibility interface ; Requires padding -- */
+
+#define crypto_secretbox_xsalsa20poly1305_BOXZEROBYTES 16U
+SODIUM_EXPORT
+size_t crypto_secretbox_xsalsa20poly1305_boxzerobytes(void);
+
+#define crypto_secretbox_xsalsa20poly1305_ZEROBYTES \
+ (crypto_secretbox_xsalsa20poly1305_BOXZEROBYTES + \
+ crypto_secretbox_xsalsa20poly1305_MACBYTES)
+SODIUM_EXPORT
+size_t crypto_secretbox_xsalsa20poly1305_zerobytes(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_secretstream_xchacha20poly1305.h b/depends/libsodium/include/sodium/crypto_secretstream_xchacha20poly1305.h
new file mode 100644
index 000000000..b22e4e931
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_secretstream_xchacha20poly1305.h
@@ -0,0 +1,108 @@
+#ifndef crypto_secretstream_xchacha20poly1305_H
+#define crypto_secretstream_xchacha20poly1305_H
+
+#include
+
+#include "crypto_aead_xchacha20poly1305.h"
+#include "crypto_stream_chacha20.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_secretstream_xchacha20poly1305_ABYTES \
+ (1U + crypto_aead_xchacha20poly1305_ietf_ABYTES)
+SODIUM_EXPORT
+size_t crypto_secretstream_xchacha20poly1305_abytes(void);
+
+#define crypto_secretstream_xchacha20poly1305_HEADERBYTES \
+ crypto_aead_xchacha20poly1305_ietf_NPUBBYTES
+SODIUM_EXPORT
+size_t crypto_secretstream_xchacha20poly1305_headerbytes(void);
+
+#define crypto_secretstream_xchacha20poly1305_KEYBYTES \
+ crypto_aead_xchacha20poly1305_ietf_KEYBYTES
+SODIUM_EXPORT
+size_t crypto_secretstream_xchacha20poly1305_keybytes(void);
+
+#define crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX \
+ SODIUM_MIN(SODIUM_SIZE_MAX - crypto_secretstream_xchacha20poly1305_ABYTES, \
+ (64ULL * ((1ULL << 32) - 2ULL)))
+SODIUM_EXPORT
+size_t crypto_secretstream_xchacha20poly1305_messagebytes_max(void);
+
+#define crypto_secretstream_xchacha20poly1305_TAG_MESSAGE 0x00
+SODIUM_EXPORT
+unsigned char crypto_secretstream_xchacha20poly1305_tag_message(void);
+
+#define crypto_secretstream_xchacha20poly1305_TAG_PUSH 0x01
+SODIUM_EXPORT
+unsigned char crypto_secretstream_xchacha20poly1305_tag_push(void);
+
+#define crypto_secretstream_xchacha20poly1305_TAG_REKEY 0x02
+SODIUM_EXPORT
+unsigned char crypto_secretstream_xchacha20poly1305_tag_rekey(void);
+
+#define crypto_secretstream_xchacha20poly1305_TAG_FINAL \
+ (crypto_secretstream_xchacha20poly1305_TAG_PUSH | \
+ crypto_secretstream_xchacha20poly1305_TAG_REKEY)
+SODIUM_EXPORT
+unsigned char crypto_secretstream_xchacha20poly1305_tag_final(void);
+
+typedef struct crypto_secretstream_xchacha20poly1305_state {
+ unsigned char k[crypto_stream_chacha20_ietf_KEYBYTES];
+ unsigned char nonce[crypto_stream_chacha20_ietf_NONCEBYTES];
+ unsigned char _pad[8];
+} crypto_secretstream_xchacha20poly1305_state;
+
+SODIUM_EXPORT
+size_t crypto_secretstream_xchacha20poly1305_statebytes(void);
+
+SODIUM_EXPORT
+void crypto_secretstream_xchacha20poly1305_keygen
+ (unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES])
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_secretstream_xchacha20poly1305_init_push
+ (crypto_secretstream_xchacha20poly1305_state *state,
+ unsigned char header[crypto_secretstream_xchacha20poly1305_HEADERBYTES],
+ const unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES])
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_secretstream_xchacha20poly1305_push
+ (crypto_secretstream_xchacha20poly1305_state *state,
+ unsigned char *c, unsigned long long *clen_p,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *ad, unsigned long long adlen, unsigned char tag)
+ __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_secretstream_xchacha20poly1305_init_pull
+ (crypto_secretstream_xchacha20poly1305_state *state,
+ const unsigned char header[crypto_secretstream_xchacha20poly1305_HEADERBYTES],
+ const unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES])
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_secretstream_xchacha20poly1305_pull
+ (crypto_secretstream_xchacha20poly1305_state *state,
+ unsigned char *m, unsigned long long *mlen_p, unsigned char *tag_p,
+ const unsigned char *c, unsigned long long clen,
+ const unsigned char *ad, unsigned long long adlen)
+ __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+void crypto_secretstream_xchacha20poly1305_rekey
+ (crypto_secretstream_xchacha20poly1305_state *state);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_shorthash.h b/depends/libsodium/include/sodium/crypto_shorthash.h
new file mode 100644
index 000000000..fecaa88bd
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_shorthash.h
@@ -0,0 +1,41 @@
+#ifndef crypto_shorthash_H
+#define crypto_shorthash_H
+
+#include
+
+#include "crypto_shorthash_siphash24.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_shorthash_BYTES crypto_shorthash_siphash24_BYTES
+SODIUM_EXPORT
+size_t crypto_shorthash_bytes(void);
+
+#define crypto_shorthash_KEYBYTES crypto_shorthash_siphash24_KEYBYTES
+SODIUM_EXPORT
+size_t crypto_shorthash_keybytes(void);
+
+#define crypto_shorthash_PRIMITIVE "siphash24"
+SODIUM_EXPORT
+const char *crypto_shorthash_primitive(void);
+
+SODIUM_EXPORT
+int crypto_shorthash(unsigned char *out, const unsigned char *in,
+ unsigned long long inlen, const unsigned char *k)
+ __attribute__ ((nonnull(1, 4)));
+
+SODIUM_EXPORT
+void crypto_shorthash_keygen(unsigned char k[crypto_shorthash_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_shorthash_siphash24.h b/depends/libsodium/include/sodium/crypto_shorthash_siphash24.h
new file mode 100644
index 000000000..1e6f72a62
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_shorthash_siphash24.h
@@ -0,0 +1,50 @@
+#ifndef crypto_shorthash_siphash24_H
+#define crypto_shorthash_siphash24_H
+
+#include
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+/* -- 64-bit output -- */
+
+#define crypto_shorthash_siphash24_BYTES 8U
+SODIUM_EXPORT
+size_t crypto_shorthash_siphash24_bytes(void);
+
+#define crypto_shorthash_siphash24_KEYBYTES 16U
+SODIUM_EXPORT
+size_t crypto_shorthash_siphash24_keybytes(void);
+
+SODIUM_EXPORT
+int crypto_shorthash_siphash24(unsigned char *out, const unsigned char *in,
+ unsigned long long inlen, const unsigned char *k)
+ __attribute__ ((nonnull(1, 4)));
+
+#ifndef SODIUM_LIBRARY_MINIMAL
+/* -- 128-bit output -- */
+
+#define crypto_shorthash_siphashx24_BYTES 16U
+SODIUM_EXPORT
+size_t crypto_shorthash_siphashx24_bytes(void);
+
+#define crypto_shorthash_siphashx24_KEYBYTES 16U
+SODIUM_EXPORT
+size_t crypto_shorthash_siphashx24_keybytes(void);
+
+SODIUM_EXPORT
+int crypto_shorthash_siphashx24(unsigned char *out, const unsigned char *in,
+ unsigned long long inlen, const unsigned char *k)
+ __attribute__ ((nonnull(1, 4)));
+#endif
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_sign.h b/depends/libsodium/include/sodium/crypto_sign.h
new file mode 100644
index 000000000..f5fafb123
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_sign.h
@@ -0,0 +1,107 @@
+#ifndef crypto_sign_H
+#define crypto_sign_H
+
+/*
+ * THREAD SAFETY: crypto_sign_keypair() is thread-safe,
+ * provided that sodium_init() was called before.
+ *
+ * Other functions, including crypto_sign_seed_keypair() are always thread-safe.
+ */
+
+#include
+
+#include "crypto_sign_ed25519.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+typedef crypto_sign_ed25519ph_state crypto_sign_state;
+
+SODIUM_EXPORT
+size_t crypto_sign_statebytes(void);
+
+#define crypto_sign_BYTES crypto_sign_ed25519_BYTES
+SODIUM_EXPORT
+size_t crypto_sign_bytes(void);
+
+#define crypto_sign_SEEDBYTES crypto_sign_ed25519_SEEDBYTES
+SODIUM_EXPORT
+size_t crypto_sign_seedbytes(void);
+
+#define crypto_sign_PUBLICKEYBYTES crypto_sign_ed25519_PUBLICKEYBYTES
+SODIUM_EXPORT
+size_t crypto_sign_publickeybytes(void);
+
+#define crypto_sign_SECRETKEYBYTES crypto_sign_ed25519_SECRETKEYBYTES
+SODIUM_EXPORT
+size_t crypto_sign_secretkeybytes(void);
+
+#define crypto_sign_MESSAGEBYTES_MAX crypto_sign_ed25519_MESSAGEBYTES_MAX
+SODIUM_EXPORT
+size_t crypto_sign_messagebytes_max(void);
+
+#define crypto_sign_PRIMITIVE "ed25519"
+SODIUM_EXPORT
+const char *crypto_sign_primitive(void);
+
+SODIUM_EXPORT
+int crypto_sign_seed_keypair(unsigned char *pk, unsigned char *sk,
+ const unsigned char *seed)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_sign_keypair(unsigned char *pk, unsigned char *sk)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_sign(unsigned char *sm, unsigned long long *smlen_p,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *sk) __attribute__ ((nonnull(1, 5)));
+
+SODIUM_EXPORT
+int crypto_sign_open(unsigned char *m, unsigned long long *mlen_p,
+ const unsigned char *sm, unsigned long long smlen,
+ const unsigned char *pk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 5)));
+
+SODIUM_EXPORT
+int crypto_sign_detached(unsigned char *sig, unsigned long long *siglen_p,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *sk) __attribute__ ((nonnull(1, 5)));
+
+SODIUM_EXPORT
+int crypto_sign_verify_detached(const unsigned char *sig,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *pk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(1, 4)));
+
+SODIUM_EXPORT
+int crypto_sign_init(crypto_sign_state *state);
+
+SODIUM_EXPORT
+int crypto_sign_update(crypto_sign_state *state,
+ const unsigned char *m, unsigned long long mlen)
+ __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_sign_final_create(crypto_sign_state *state, unsigned char *sig,
+ unsigned long long *siglen_p,
+ const unsigned char *sk)
+ __attribute__ ((nonnull(1, 2, 4)));
+
+SODIUM_EXPORT
+int crypto_sign_final_verify(crypto_sign_state *state, const unsigned char *sig,
+ const unsigned char *pk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_sign_ed25519.h b/depends/libsodium/include/sodium/crypto_sign_ed25519.h
new file mode 100644
index 000000000..0fdac42d3
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_sign_ed25519.h
@@ -0,0 +1,124 @@
+#ifndef crypto_sign_ed25519_H
+#define crypto_sign_ed25519_H
+
+#include
+#include "crypto_hash_sha512.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+typedef struct crypto_sign_ed25519ph_state {
+ crypto_hash_sha512_state hs;
+} crypto_sign_ed25519ph_state;
+
+SODIUM_EXPORT
+size_t crypto_sign_ed25519ph_statebytes(void);
+
+#define crypto_sign_ed25519_BYTES 64U
+SODIUM_EXPORT
+size_t crypto_sign_ed25519_bytes(void);
+
+#define crypto_sign_ed25519_SEEDBYTES 32U
+SODIUM_EXPORT
+size_t crypto_sign_ed25519_seedbytes(void);
+
+#define crypto_sign_ed25519_PUBLICKEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_sign_ed25519_publickeybytes(void);
+
+#define crypto_sign_ed25519_SECRETKEYBYTES (32U + 32U)
+SODIUM_EXPORT
+size_t crypto_sign_ed25519_secretkeybytes(void);
+
+#define crypto_sign_ed25519_MESSAGEBYTES_MAX (SODIUM_SIZE_MAX - crypto_sign_ed25519_BYTES)
+SODIUM_EXPORT
+size_t crypto_sign_ed25519_messagebytes_max(void);
+
+SODIUM_EXPORT
+int crypto_sign_ed25519(unsigned char *sm, unsigned long long *smlen_p,
+ const unsigned char *m, unsigned long long mlen,
+ const unsigned char *sk)
+ __attribute__ ((nonnull(1, 5)));
+
+SODIUM_EXPORT
+int crypto_sign_ed25519_open(unsigned char *m, unsigned long long *mlen_p,
+ const unsigned char *sm, unsigned long long smlen,
+ const unsigned char *pk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(3, 5)));
+
+SODIUM_EXPORT
+int crypto_sign_ed25519_detached(unsigned char *sig,
+ unsigned long long *siglen_p,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *sk)
+ __attribute__ ((nonnull(1, 5)));
+
+SODIUM_EXPORT
+int crypto_sign_ed25519_verify_detached(const unsigned char *sig,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *pk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull(1, 4)));
+
+SODIUM_EXPORT
+int crypto_sign_ed25519_keypair(unsigned char *pk, unsigned char *sk)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk,
+ const unsigned char *seed)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
+ const unsigned char *ed25519_pk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_sign_ed25519_sk_to_curve25519(unsigned char *curve25519_sk,
+ const unsigned char *ed25519_sk)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_sign_ed25519_sk_to_seed(unsigned char *seed,
+ const unsigned char *sk)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_sign_ed25519_sk_to_pk(unsigned char *pk, const unsigned char *sk)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_sign_ed25519ph_init(crypto_sign_ed25519ph_state *state)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_sign_ed25519ph_update(crypto_sign_ed25519ph_state *state,
+ const unsigned char *m,
+ unsigned long long mlen)
+ __attribute__ ((nonnull(1)));
+
+SODIUM_EXPORT
+int crypto_sign_ed25519ph_final_create(crypto_sign_ed25519ph_state *state,
+ unsigned char *sig,
+ unsigned long long *siglen_p,
+ const unsigned char *sk)
+ __attribute__ ((nonnull(1, 2, 4)));
+
+SODIUM_EXPORT
+int crypto_sign_ed25519ph_final_verify(crypto_sign_ed25519ph_state *state,
+ const unsigned char *sig,
+ const unsigned char *pk)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_sign_edwards25519sha512batch.h b/depends/libsodium/include/sodium/crypto_sign_edwards25519sha512batch.h
new file mode 100644
index 000000000..eed158aa8
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_sign_edwards25519sha512batch.h
@@ -0,0 +1,55 @@
+#ifndef crypto_sign_edwards25519sha512batch_H
+#define crypto_sign_edwards25519sha512batch_H
+
+/*
+ * WARNING: This construction was a prototype, which should not be used
+ * any more in new projects.
+ *
+ * crypto_sign_edwards25519sha512batch is provided for applications
+ * initially built with NaCl, but as recommended by the author of this
+ * construction, new applications should use ed25519 instead.
+ *
+ * In Sodium, you should use the high-level crypto_sign_*() functions instead.
+ */
+
+#include
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_sign_edwards25519sha512batch_BYTES 64U
+#define crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES 32U
+#define crypto_sign_edwards25519sha512batch_SECRETKEYBYTES (32U + 32U)
+#define crypto_sign_edwards25519sha512batch_MESSAGEBYTES_MAX (SODIUM_SIZE_MAX - crypto_sign_edwards25519sha512batch_BYTES)
+
+SODIUM_EXPORT
+int crypto_sign_edwards25519sha512batch(unsigned char *sm,
+ unsigned long long *smlen_p,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *sk)
+ __attribute__ ((deprecated)) __attribute__ ((nonnull(1, 5)));
+
+SODIUM_EXPORT
+int crypto_sign_edwards25519sha512batch_open(unsigned char *m,
+ unsigned long long *mlen_p,
+ const unsigned char *sm,
+ unsigned long long smlen,
+ const unsigned char *pk)
+ __attribute__ ((deprecated)) __attribute__ ((nonnull(3, 5)));
+
+SODIUM_EXPORT
+int crypto_sign_edwards25519sha512batch_keypair(unsigned char *pk,
+ unsigned char *sk)
+ __attribute__ ((deprecated)) __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_stream.h b/depends/libsodium/include/sodium/crypto_stream.h
new file mode 100644
index 000000000..88dab5f61
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_stream.h
@@ -0,0 +1,59 @@
+#ifndef crypto_stream_H
+#define crypto_stream_H
+
+/*
+ * WARNING: This is just a stream cipher. It is NOT authenticated encryption.
+ * While it provides some protection against eavesdropping, it does NOT
+ * provide any security against active attacks.
+ * Unless you know what you're doing, what you are looking for is probably
+ * the crypto_box functions.
+ */
+
+#include
+
+#include "crypto_stream_xsalsa20.h"
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_stream_KEYBYTES crypto_stream_xsalsa20_KEYBYTES
+SODIUM_EXPORT
+size_t crypto_stream_keybytes(void);
+
+#define crypto_stream_NONCEBYTES crypto_stream_xsalsa20_NONCEBYTES
+SODIUM_EXPORT
+size_t crypto_stream_noncebytes(void);
+
+#define crypto_stream_MESSAGEBYTES_MAX crypto_stream_xsalsa20_MESSAGEBYTES_MAX
+SODIUM_EXPORT
+size_t crypto_stream_messagebytes_max(void);
+
+#define crypto_stream_PRIMITIVE "xsalsa20"
+SODIUM_EXPORT
+const char *crypto_stream_primitive(void);
+
+SODIUM_EXPORT
+int crypto_stream(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_stream_xor(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_stream_keygen(unsigned char k[crypto_stream_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_stream_chacha20.h b/depends/libsodium/include/sodium/crypto_stream_chacha20.h
new file mode 100644
index 000000000..408897558
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_stream_chacha20.h
@@ -0,0 +1,106 @@
+#ifndef crypto_stream_chacha20_H
+#define crypto_stream_chacha20_H
+
+/*
+ * WARNING: This is just a stream cipher. It is NOT authenticated encryption.
+ * While it provides some protection against eavesdropping, it does NOT
+ * provide any security against active attacks.
+ * Unless you know what you're doing, what you are looking for is probably
+ * the crypto_box functions.
+ */
+
+#include
+#include
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_stream_chacha20_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_stream_chacha20_keybytes(void);
+
+#define crypto_stream_chacha20_NONCEBYTES 8U
+SODIUM_EXPORT
+size_t crypto_stream_chacha20_noncebytes(void);
+
+#define crypto_stream_chacha20_MESSAGEBYTES_MAX SODIUM_SIZE_MAX
+SODIUM_EXPORT
+size_t crypto_stream_chacha20_messagebytes_max(void);
+
+/* ChaCha20 with a 64-bit nonce and a 64-bit counter, as originally designed */
+
+SODIUM_EXPORT
+int crypto_stream_chacha20(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_stream_chacha20_xor(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_stream_chacha20_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint64_t ic,
+ const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_stream_chacha20_keygen(unsigned char k[crypto_stream_chacha20_KEYBYTES])
+ __attribute__ ((nonnull));
+
+/* ChaCha20 with a 96-bit nonce and a 32-bit counter (IETF) */
+
+#define crypto_stream_chacha20_ietf_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_stream_chacha20_ietf_keybytes(void);
+
+#define crypto_stream_chacha20_ietf_NONCEBYTES 12U
+SODIUM_EXPORT
+size_t crypto_stream_chacha20_ietf_noncebytes(void);
+
+#define crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX \
+ SODIUM_MIN(SODIUM_SIZE_MAX, 64ULL * (1ULL << 32))
+SODIUM_EXPORT
+size_t crypto_stream_chacha20_ietf_messagebytes_max(void);
+
+SODIUM_EXPORT
+int crypto_stream_chacha20_ietf(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_stream_chacha20_ietf_xor(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_stream_chacha20_ietf_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint32_t ic,
+ const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_stream_chacha20_ietf_keygen(unsigned char k[crypto_stream_chacha20_ietf_KEYBYTES])
+ __attribute__ ((nonnull));
+
+/* Aliases */
+
+#define crypto_stream_chacha20_IETF_KEYBYTES crypto_stream_chacha20_ietf_KEYBYTES
+#define crypto_stream_chacha20_IETF_NONCEBYTES crypto_stream_chacha20_ietf_NONCEBYTES
+#define crypto_stream_chacha20_IETF_MESSAGEBYTES_MAX crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_stream_salsa20.h b/depends/libsodium/include/sodium/crypto_stream_salsa20.h
new file mode 100644
index 000000000..45b3b3e34
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_stream_salsa20.h
@@ -0,0 +1,61 @@
+#ifndef crypto_stream_salsa20_H
+#define crypto_stream_salsa20_H
+
+/*
+ * WARNING: This is just a stream cipher. It is NOT authenticated encryption.
+ * While it provides some protection against eavesdropping, it does NOT
+ * provide any security against active attacks.
+ * Unless you know what you're doing, what you are looking for is probably
+ * the crypto_box functions.
+ */
+
+#include
+#include
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_stream_salsa20_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_stream_salsa20_keybytes(void);
+
+#define crypto_stream_salsa20_NONCEBYTES 8U
+SODIUM_EXPORT
+size_t crypto_stream_salsa20_noncebytes(void);
+
+#define crypto_stream_salsa20_MESSAGEBYTES_MAX SODIUM_SIZE_MAX
+SODIUM_EXPORT
+size_t crypto_stream_salsa20_messagebytes_max(void);
+
+SODIUM_EXPORT
+int crypto_stream_salsa20(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_stream_salsa20_xor(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_stream_salsa20_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint64_t ic,
+ const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_stream_salsa20_keygen(unsigned char k[crypto_stream_salsa20_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_stream_salsa2012.h b/depends/libsodium/include/sodium/crypto_stream_salsa2012.h
new file mode 100644
index 000000000..6c5d303ca
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_stream_salsa2012.h
@@ -0,0 +1,53 @@
+#ifndef crypto_stream_salsa2012_H
+#define crypto_stream_salsa2012_H
+
+/*
+ * WARNING: This is just a stream cipher. It is NOT authenticated encryption.
+ * While it provides some protection against eavesdropping, it does NOT
+ * provide any security against active attacks.
+ * Unless you know what you're doing, what you are looking for is probably
+ * the crypto_box functions.
+ */
+
+#include
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_stream_salsa2012_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_stream_salsa2012_keybytes(void);
+
+#define crypto_stream_salsa2012_NONCEBYTES 8U
+SODIUM_EXPORT
+size_t crypto_stream_salsa2012_noncebytes(void);
+
+#define crypto_stream_salsa2012_MESSAGEBYTES_MAX SODIUM_SIZE_MAX
+SODIUM_EXPORT
+size_t crypto_stream_salsa2012_messagebytes_max(void);
+
+SODIUM_EXPORT
+int crypto_stream_salsa2012(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_stream_salsa2012_xor(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_stream_salsa2012_keygen(unsigned char k[crypto_stream_salsa2012_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_stream_salsa208.h b/depends/libsodium/include/sodium/crypto_stream_salsa208.h
new file mode 100644
index 000000000..d574f3047
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_stream_salsa208.h
@@ -0,0 +1,56 @@
+#ifndef crypto_stream_salsa208_H
+#define crypto_stream_salsa208_H
+
+/*
+ * WARNING: This is just a stream cipher. It is NOT authenticated encryption.
+ * While it provides some protection against eavesdropping, it does NOT
+ * provide any security against active attacks.
+ * Unless you know what you're doing, what you are looking for is probably
+ * the crypto_box functions.
+ */
+
+#include
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_stream_salsa208_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_stream_salsa208_keybytes(void)
+ __attribute__ ((deprecated));
+
+#define crypto_stream_salsa208_NONCEBYTES 8U
+SODIUM_EXPORT
+size_t crypto_stream_salsa208_noncebytes(void)
+ __attribute__ ((deprecated));
+
+#define crypto_stream_salsa208_MESSAGEBYTES_MAX SODIUM_SIZE_MAX
+ SODIUM_EXPORT
+size_t crypto_stream_salsa208_messagebytes_max(void)
+ __attribute__ ((deprecated));
+
+SODIUM_EXPORT
+int crypto_stream_salsa208(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
+ __attribute__ ((deprecated)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_stream_salsa208_xor(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((deprecated)) __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_stream_salsa208_keygen(unsigned char k[crypto_stream_salsa208_KEYBYTES])
+ __attribute__ ((deprecated)) __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_stream_xchacha20.h b/depends/libsodium/include/sodium/crypto_stream_xchacha20.h
new file mode 100644
index 000000000..c4002db00
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_stream_xchacha20.h
@@ -0,0 +1,61 @@
+#ifndef crypto_stream_xchacha20_H
+#define crypto_stream_xchacha20_H
+
+/*
+ * WARNING: This is just a stream cipher. It is NOT authenticated encryption.
+ * While it provides some protection against eavesdropping, it does NOT
+ * provide any security against active attacks.
+ * Unless you know what you're doing, what you are looking for is probably
+ * the crypto_box functions.
+ */
+
+#include
+#include
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_stream_xchacha20_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_stream_xchacha20_keybytes(void);
+
+#define crypto_stream_xchacha20_NONCEBYTES 24U
+SODIUM_EXPORT
+size_t crypto_stream_xchacha20_noncebytes(void);
+
+#define crypto_stream_xchacha20_MESSAGEBYTES_MAX SODIUM_SIZE_MAX
+SODIUM_EXPORT
+size_t crypto_stream_xchacha20_messagebytes_max(void);
+
+SODIUM_EXPORT
+int crypto_stream_xchacha20(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_stream_xchacha20_xor(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_stream_xchacha20_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint64_t ic,
+ const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_stream_xchacha20_keygen(unsigned char k[crypto_stream_xchacha20_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_stream_xsalsa20.h b/depends/libsodium/include/sodium/crypto_stream_xsalsa20.h
new file mode 100644
index 000000000..20034e346
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_stream_xsalsa20.h
@@ -0,0 +1,61 @@
+#ifndef crypto_stream_xsalsa20_H
+#define crypto_stream_xsalsa20_H
+
+/*
+ * WARNING: This is just a stream cipher. It is NOT authenticated encryption.
+ * While it provides some protection against eavesdropping, it does NOT
+ * provide any security against active attacks.
+ * Unless you know what you're doing, what you are looking for is probably
+ * the crypto_box functions.
+ */
+
+#include
+#include
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_stream_xsalsa20_KEYBYTES 32U
+SODIUM_EXPORT
+size_t crypto_stream_xsalsa20_keybytes(void);
+
+#define crypto_stream_xsalsa20_NONCEBYTES 24U
+SODIUM_EXPORT
+size_t crypto_stream_xsalsa20_noncebytes(void);
+
+#define crypto_stream_xsalsa20_MESSAGEBYTES_MAX SODIUM_SIZE_MAX
+SODIUM_EXPORT
+size_t crypto_stream_xsalsa20_messagebytes_max(void);
+
+SODIUM_EXPORT
+int crypto_stream_xsalsa20(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_stream_xsalsa20_xor(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+int crypto_stream_xsalsa20_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint64_t ic,
+ const unsigned char *k)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void crypto_stream_xsalsa20_keygen(unsigned char k[crypto_stream_xsalsa20_KEYBYTES])
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_verify_16.h b/depends/libsodium/include/sodium/crypto_verify_16.h
new file mode 100644
index 000000000..7b9c8077a
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_verify_16.h
@@ -0,0 +1,23 @@
+#ifndef crypto_verify_16_H
+#define crypto_verify_16_H
+
+#include
+#include "export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define crypto_verify_16_BYTES 16U
+SODIUM_EXPORT
+size_t crypto_verify_16_bytes(void);
+
+SODIUM_EXPORT
+int crypto_verify_16(const unsigned char *x, const unsigned char *y)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_verify_32.h b/depends/libsodium/include/sodium/crypto_verify_32.h
new file mode 100644
index 000000000..9b0f4529f
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_verify_32.h
@@ -0,0 +1,23 @@
+#ifndef crypto_verify_32_H
+#define crypto_verify_32_H
+
+#include
+#include "export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define crypto_verify_32_BYTES 32U
+SODIUM_EXPORT
+size_t crypto_verify_32_bytes(void);
+
+SODIUM_EXPORT
+int crypto_verify_32(const unsigned char *x, const unsigned char *y)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/crypto_verify_64.h b/depends/libsodium/include/sodium/crypto_verify_64.h
new file mode 100644
index 000000000..c83b73025
--- /dev/null
+++ b/depends/libsodium/include/sodium/crypto_verify_64.h
@@ -0,0 +1,23 @@
+#ifndef crypto_verify_64_H
+#define crypto_verify_64_H
+
+#include
+#include "export.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#define crypto_verify_64_BYTES 64U
+SODIUM_EXPORT
+size_t crypto_verify_64_bytes(void);
+
+SODIUM_EXPORT
+int crypto_verify_64(const unsigned char *x, const unsigned char *y)
+ __attribute__ ((warn_unused_result)) __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/export.h b/depends/libsodium/include/sodium/export.h
new file mode 100644
index 000000000..a0074fc9c
--- /dev/null
+++ b/depends/libsodium/include/sodium/export.h
@@ -0,0 +1,57 @@
+
+#ifndef sodium_export_H
+#define sodium_export_H
+
+#include
+#include
+#include
+
+#if !defined(__clang__) && !defined(__GNUC__)
+# ifdef __attribute__
+# undef __attribute__
+# endif
+# define __attribute__(a)
+#endif
+
+#ifdef SODIUM_STATIC
+# define SODIUM_EXPORT
+# define SODIUM_EXPORT_WEAK
+#else
+# if defined(_MSC_VER)
+# ifdef SODIUM_DLL_EXPORT
+# define SODIUM_EXPORT __declspec(dllexport)
+# else
+# define SODIUM_EXPORT __declspec(dllimport)
+# endif
+# else
+# if defined(__SUNPRO_C)
+# ifndef __GNU_C__
+# define SODIUM_EXPORT __attribute__ (visibility(__global))
+# else
+# define SODIUM_EXPORT __attribute__ __global
+# endif
+# elif defined(_MSG_VER)
+# define SODIUM_EXPORT extern __declspec(dllexport)
+# else
+# define SODIUM_EXPORT __attribute__ ((visibility ("default")))
+# endif
+# endif
+# if defined(__ELF__) && !defined(SODIUM_DISABLE_WEAK_FUNCTIONS)
+# define SODIUM_EXPORT_WEAK SODIUM_EXPORT __attribute__((weak))
+# else
+# define SODIUM_EXPORT_WEAK SODIUM_EXPORT
+# endif
+#endif
+
+#ifndef CRYPTO_ALIGN
+# if defined(__INTEL_COMPILER) || defined(_MSC_VER)
+# define CRYPTO_ALIGN(x) __declspec(align(x))
+# else
+# define CRYPTO_ALIGN(x) __attribute__ ((aligned(x)))
+# endif
+#endif
+
+#define SODIUM_MIN(A, B) ((A) < (B) ? (A) : (B))
+#define SODIUM_SIZE_MAX SODIUM_MIN(UINT64_MAX, SIZE_MAX)
+
+#endif
diff --git a/depends/libsodium/include/sodium/private/chacha20_ietf_ext.h b/depends/libsodium/include/sodium/private/chacha20_ietf_ext.h
new file mode 100644
index 000000000..8024b59cc
--- /dev/null
+++ b/depends/libsodium/include/sodium/private/chacha20_ietf_ext.h
@@ -0,0 +1,18 @@
+#ifndef chacha20_ietf_ext_H
+#define chacha20_ietf_ext_H
+
+#include
+
+#include "private/quirks.h"
+
+/* The ietf_ext variant allows the internal counter to overflow into the IV */
+
+int crypto_stream_chacha20_ietf_ext(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k);
+
+int crypto_stream_chacha20_ietf_ext_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint32_t ic,
+ const unsigned char *k);
+#endif
+
diff --git a/depends/libsodium/include/sodium/private/common.h b/depends/libsodium/include/sodium/private/common.h
new file mode 100644
index 000000000..2ea7a1b25
--- /dev/null
+++ b/depends/libsodium/include/sodium/private/common.h
@@ -0,0 +1,263 @@
+#ifndef common_H
+#define common_H 1
+
+#if !defined(_MSC_VER) && !defined(DEV_MODE) && 1
+# warning *** This is unstable, untested, development code.
+# warning It might not compile. It might not work as expected.
+# warning It might be totally insecure.
+# warning Do not use this except if you are planning to contribute code.
+# warning Use releases available at https://download.libsodium.org/libsodium/releases/ instead.
+# warning Alternatively, use the "stable" branch in the git repository.
+#endif
+
+#if !defined(_MSC_VER) && (!defined(CONFIGURED) || CONFIGURED != 1)
+# warning *** The library is being compiled using an undocumented method.
+# warning This is not supported. It has not been tested, it might not
+# warning work as expected, and performance is likely to be suboptimal.
+#endif
+
+#include
+#include
+#include
+
+#include "private/quirks.h"
+
+#define COMPILER_ASSERT(X) (void) sizeof(char[(X) ? 1 : -1])
+
+#ifdef HAVE_TI_MODE
+# if defined(__SIZEOF_INT128__)
+typedef unsigned __int128 uint128_t;
+# else
+typedef unsigned uint128_t __attribute__((mode(TI)));
+# endif
+#endif
+
+#define ROTL32(X, B) rotl32((X), (B))
+static inline uint32_t
+rotl32(const uint32_t x, const int b)
+{
+ return (x << b) | (x >> (32 - b));
+}
+
+#define ROTL64(X, B) rotl64((X), (B))
+static inline uint64_t
+rotl64(const uint64_t x, const int b)
+{
+ return (x << b) | (x >> (64 - b));
+}
+
+#define ROTR32(X, B) rotr32((X), (B))
+static inline uint32_t
+rotr32(const uint32_t x, const int b)
+{
+ return (x >> b) | (x << (32 - b));
+}
+
+#define ROTR64(X, B) rotr64((X), (B))
+static inline uint64_t
+rotr64(const uint64_t x, const int b)
+{
+ return (x >> b) | (x << (64 - b));
+}
+
+#define LOAD64_LE(SRC) load64_le(SRC)
+static inline uint64_t
+load64_le(const uint8_t src[8])
+{
+#ifdef NATIVE_LITTLE_ENDIAN
+ uint64_t w;
+ memcpy(&w, src, sizeof w);
+ return w;
+#else
+ uint64_t w = (uint64_t) src[0];
+ w |= (uint64_t) src[1] << 8;
+ w |= (uint64_t) src[2] << 16;
+ w |= (uint64_t) src[3] << 24;
+ w |= (uint64_t) src[4] << 32;
+ w |= (uint64_t) src[5] << 40;
+ w |= (uint64_t) src[6] << 48;
+ w |= (uint64_t) src[7] << 56;
+ return w;
+#endif
+}
+
+#define STORE64_LE(DST, W) store64_le((DST), (W))
+static inline void
+store64_le(uint8_t dst[8], uint64_t w)
+{
+#ifdef NATIVE_LITTLE_ENDIAN
+ memcpy(dst, &w, sizeof w);
+#else
+ dst[0] = (uint8_t) w; w >>= 8;
+ dst[1] = (uint8_t) w; w >>= 8;
+ dst[2] = (uint8_t) w; w >>= 8;
+ dst[3] = (uint8_t) w; w >>= 8;
+ dst[4] = (uint8_t) w; w >>= 8;
+ dst[5] = (uint8_t) w; w >>= 8;
+ dst[6] = (uint8_t) w; w >>= 8;
+ dst[7] = (uint8_t) w;
+#endif
+}
+
+#define LOAD32_LE(SRC) load32_le(SRC)
+static inline uint32_t
+load32_le(const uint8_t src[4])
+{
+#ifdef NATIVE_LITTLE_ENDIAN
+ uint32_t w;
+ memcpy(&w, src, sizeof w);
+ return w;
+#else
+ uint32_t w = (uint32_t) src[0];
+ w |= (uint32_t) src[1] << 8;
+ w |= (uint32_t) src[2] << 16;
+ w |= (uint32_t) src[3] << 24;
+ return w;
+#endif
+}
+
+#define STORE32_LE(DST, W) store32_le((DST), (W))
+static inline void
+store32_le(uint8_t dst[4], uint32_t w)
+{
+#ifdef NATIVE_LITTLE_ENDIAN
+ memcpy(dst, &w, sizeof w);
+#else
+ dst[0] = (uint8_t) w; w >>= 8;
+ dst[1] = (uint8_t) w; w >>= 8;
+ dst[2] = (uint8_t) w; w >>= 8;
+ dst[3] = (uint8_t) w;
+#endif
+}
+
+/* ----- */
+
+#define LOAD64_BE(SRC) load64_be(SRC)
+static inline uint64_t
+load64_be(const uint8_t src[8])
+{
+#ifdef NATIVE_BIG_ENDIAN
+ uint64_t w;
+ memcpy(&w, src, sizeof w);
+ return w;
+#else
+ uint64_t w = (uint64_t) src[7];
+ w |= (uint64_t) src[6] << 8;
+ w |= (uint64_t) src[5] << 16;
+ w |= (uint64_t) src[4] << 24;
+ w |= (uint64_t) src[3] << 32;
+ w |= (uint64_t) src[2] << 40;
+ w |= (uint64_t) src[1] << 48;
+ w |= (uint64_t) src[0] << 56;
+ return w;
+#endif
+}
+
+#define STORE64_BE(DST, W) store64_be((DST), (W))
+static inline void
+store64_be(uint8_t dst[8], uint64_t w)
+{
+#ifdef NATIVE_BIG_ENDIAN
+ memcpy(dst, &w, sizeof w);
+#else
+ dst[7] = (uint8_t) w; w >>= 8;
+ dst[6] = (uint8_t) w; w >>= 8;
+ dst[5] = (uint8_t) w; w >>= 8;
+ dst[4] = (uint8_t) w; w >>= 8;
+ dst[3] = (uint8_t) w; w >>= 8;
+ dst[2] = (uint8_t) w; w >>= 8;
+ dst[1] = (uint8_t) w; w >>= 8;
+ dst[0] = (uint8_t) w;
+#endif
+}
+
+#define LOAD32_BE(SRC) load32_be(SRC)
+static inline uint32_t
+load32_be(const uint8_t src[4])
+{
+#ifdef NATIVE_BIG_ENDIAN
+ uint32_t w;
+ memcpy(&w, src, sizeof w);
+ return w;
+#else
+ uint32_t w = (uint32_t) src[3];
+ w |= (uint32_t) src[2] << 8;
+ w |= (uint32_t) src[1] << 16;
+ w |= (uint32_t) src[0] << 24;
+ return w;
+#endif
+}
+
+#define STORE32_BE(DST, W) store32_be((DST), (W))
+static inline void
+store32_be(uint8_t dst[4], uint32_t w)
+{
+#ifdef NATIVE_BIG_ENDIAN
+ memcpy(dst, &w, sizeof w);
+#else
+ dst[3] = (uint8_t) w; w >>= 8;
+ dst[2] = (uint8_t) w; w >>= 8;
+ dst[1] = (uint8_t) w; w >>= 8;
+ dst[0] = (uint8_t) w;
+#endif
+}
+
+#define XOR_BUF(OUT, IN, N) xor_buf((OUT), (IN), (N))
+static inline void
+xor_buf(unsigned char *out, const unsigned char *in, size_t n)
+{
+ size_t i;
+
+ for (i = 0; i < n; i++) {
+ out[i] ^= in[i];
+ }
+}
+
+#if !defined(__clang__) && !defined(__GNUC__)
+# ifdef __attribute__
+# undef __attribute__
+# endif
+# define __attribute__(a)
+#endif
+
+#ifndef CRYPTO_ALIGN
+# if defined(__INTEL_COMPILER) || defined(_MSC_VER)
+# define CRYPTO_ALIGN(x) __declspec(align(x))
+# else
+# define CRYPTO_ALIGN(x) __attribute__ ((aligned(x)))
+# endif
+#endif
+
+#if defined(_MSC_VER) && \
+ (defined(_M_X64) || defined(_M_AMD64) || defined(_M_IX86))
+
+# include
+
+# define HAVE_INTRIN_H 1
+# define HAVE_MMINTRIN_H 1
+# define HAVE_EMMINTRIN_H 1
+# define HAVE_PMMINTRIN_H 1
+# define HAVE_TMMINTRIN_H 1
+# define HAVE_SMMINTRIN_H 1
+# define HAVE_AVXINTRIN_H 1
+# if _MSC_VER >= 1600
+# define HAVE_WMMINTRIN_H 1
+# endif
+# if _MSC_VER >= 1700 && defined(_M_X64)
+# define HAVE_AVX2INTRIN_H 1
+# endif
+#elif defined(HAVE_INTRIN_H)
+# include
+#endif
+
+#ifdef HAVE_LIBCTGRIND
+extern void ct_poison (const void *, size_t);
+extern void ct_unpoison(const void *, size_t);
+# define POISON(X, L) ct_poison((X), (L))
+# define UNPOISON(X, L) ct_unpoison((X), (L))
+#else
+# define POISON(X, L) (void) 0
+# define UNPOISON(X, L) (void) 0
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/private/ed25519_ref10.h b/depends/libsodium/include/sodium/private/ed25519_ref10.h
new file mode 100644
index 000000000..0d3bd3737
--- /dev/null
+++ b/depends/libsodium/include/sodium/private/ed25519_ref10.h
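Review bot: The two `#warning` blocks at the top of private/common.h record that this snapshot comes from libsodium's development tree rather than a release (`!defined(DEV_MODE) && 1`) and that it is being compiled outside libsodium's own configure step (`CONFIGURED != 1`), so the `NATIVE_LITTLE_ENDIAN`/`NATIVE_BIG_ENDIAN` and `HAVE_TI_MODE` selections further down are only right if depends/CMakeLists.txt defines them deliberately; that file is not visible here. For a supply-chain audit the vendored copy should be traceable, so add a provenance note at the top of the file, e.g. `/* Vendored unmodified from libsodium <tag or commit> (<URL>); config macros are supplied by depends/CMakeLists.txt. */`, and prefer pinning to a tagged release. Defining `DEV_MODE` or `CONFIGURED=1` just to silence these warnings would hide the mismatch without documenting it.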
@@ -0,0 +1,144 @@
+#ifndef ed25519_ref10_H
+#define ed25519_ref10_H
+
+#include
+#include
+
+#include "private/quirks.h"
+
+/*
+ fe means field element.
+ Here the field is \Z/(2^255-19).
+ */
+
+#ifdef HAVE_TI_MODE
+typedef uint64_t fe25519[5];
+#else
+typedef int32_t fe25519[10];
+#endif
+
+void fe25519_invert(fe25519 out, const fe25519 z);
+void fe25519_frombytes(fe25519 h, const unsigned char *s);
+void fe25519_tobytes(unsigned char *s, const fe25519 h);
+
+#ifdef HAVE_TI_MODE
+# include "ed25519_ref10_fe_51.h"
+#else
+# include "ed25519_ref10_fe_25_5.h"
+#endif
+
+
+/*
+ ge means group element.
+
+ Here the group is the set of pairs (x,y) of field elements
+ satisfying -x^2 + y^2 = 1 + d x^2y^2
+ where d = -121665/121666.
+
+ Representations:
+ ge25519_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z
+ ge25519_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
+ ge25519_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
+ ge25519_precomp (Duif): (y+x,y-x,2dxy)
+ */
+
+typedef struct {
+ fe25519 X;
+ fe25519 Y;
+ fe25519 Z;
+} ge25519_p2;
+
+typedef struct {
+ fe25519 X;
+ fe25519 Y;
+ fe25519 Z;
+ fe25519 T;
+} ge25519_p3;
+
+typedef struct {
+ fe25519 X;
+ fe25519 Y;
+ fe25519 Z;
+ fe25519 T;
+} ge25519_p1p1;
+
+typedef struct {
+ fe25519 yplusx;
+ fe25519 yminusx;
+ fe25519 xy2d;
+} ge25519_precomp;
+
+typedef struct {
+ fe25519 YplusX;
+ fe25519 YminusX;
+ fe25519 Z;
+ fe25519 T2d;
+} ge25519_cached;
+
+void ge25519_tobytes(unsigned char *s, const ge25519_p2 *h);
+
+void ge25519_p3_tobytes(unsigned char *s, const ge25519_p3 *h);
+
+int ge25519_frombytes(ge25519_p3 *h, const unsigned char *s);
+
+int ge25519_frombytes_negate_vartime(ge25519_p3 *h, const unsigned char *s);
+
+void ge25519_p3_to_cached(ge25519_cached *r, const ge25519_p3 *p);
+
+void ge25519_p1p1_to_p2(ge25519_p2 *r, const ge25519_p1p1 *p);
+
+void ge25519_p1p1_to_p3(ge25519_p3 *r, const ge25519_p1p1 *p);
+
+void ge25519_add(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_cached *q);
+
+void ge25519_sub(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_cached *q);
+
+void ge25519_scalarmult_base(ge25519_p3 *h, const unsigned char *a);
+
+void ge25519_double_scalarmult_vartime(ge25519_p2 *r, const unsigned char *a,
+ const ge25519_p3 *A,
+ const unsigned char *b);
+
+void ge25519_scalarmult(ge25519_p3 *h, const unsigned char *a,
+ const ge25519_p3 *p);
+
+int ge25519_is_canonical(const unsigned char *s);
+
+int ge25519_is_on_curve(const ge25519_p3 *p);
+
+int ge25519_is_on_main_subgroup(const ge25519_p3 *p);
+
+int ge25519_has_small_order(const unsigned char s[32]);
+
+void ge25519_from_uniform(unsigned char s[32], const unsigned char r[32]);
+
+void ge25519_from_hash(unsigned char s[32], const unsigned char h[64]);
+
+/*
+ Ristretto group
+ */
+
+int ristretto255_frombytes(ge25519_p3 *h, const unsigned char *s);
+
+void ristretto255_p3_tobytes(unsigned char *s, const ge25519_p3 *h);
+
+void ristretto255_from_hash(unsigned char s[32], const unsigned char h[64]);
+
+/*
+ The set of scalars is \Z/l
+ where l = 2^252 + 27742317777372353535851937790883648493.
+ */
+
+void sc25519_invert(unsigned char recip[32], const unsigned char s[32]);
+
+void sc25519_reduce(unsigned char s[64]);
+
+void sc25519_mul(unsigned char s[32], const unsigned char a[32],
+ const unsigned char b[32]);
+
+void sc25519_muladd(unsigned char s[32], const unsigned char a[32],
+ const unsigned char b[32], const unsigned char c[32]);
+
+int sc25519_is_canonical(const unsigned char s[32]);
+
+#endif
diff --git a/depends/libsodium/include/sodium/private/ed25519_ref10_fe_25_5.h b/depends/libsodium/include/sodium/private/ed25519_ref10_fe_25_5.h
new file mode 100644
index 000000000..a20801f45
--- /dev/null
+++ b/depends/libsodium/include/sodium/private/ed25519_ref10_fe_25_5.h
@@ -0,0 +1,1051 @@
+#include
+
+#include "private/common.h"
+#include "private/quirks.h"
+#include "utils.h"
+
+/*
+ h = 0
+ */
+
+static inline void
+fe25519_0(fe25519 h)
+{
+ memset(&h[0], 0, 10 * sizeof h[0]);
+}
+
+/*
+ h = 1
+ */
+
+static inline void
+fe25519_1(fe25519 h)
+{
+ h[0] = 1;
+ h[1] = 0;
+ memset(&h[2], 0, 8 * sizeof h[0]);
+}
+
+/*
+ h = f + g
+ Can overlap h with f or g.
+ *
+ Preconditions:
+ |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+ |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+ *
+ Postconditions:
+ |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+ */
+
+static inline void
+fe25519_add(fe25519 h, const fe25519 f, const fe25519 g)
+{
+ int32_t h0 = f[0] + g[0];
+ int32_t h1 = f[1] + g[1];
+ int32_t h2 = f[2] + g[2];
+ int32_t h3 = f[3] + g[3];
+ int32_t h4 = f[4] + g[4];
+ int32_t h5 = f[5] + g[5];
+ int32_t h6 = f[6] + g[6];
+ int32_t h7 = f[7] + g[7];
+ int32_t h8 = f[8] + g[8];
+ int32_t h9 = f[9] + g[9];
+
+ h[0] = h0;
+ h[1] = h1;
+ h[2] = h2;
+ h[3] = h3;
+ h[4] = h4;
+ h[5] = h5;
+ h[6] = h6;
+ h[7] = h7;
+ h[8] = h8;
+ h[9] = h9;
+}
+
+/*
+ h = f - g
+ Can overlap h with f or g.
+ *
+ Preconditions:
+ |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+ |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+ *
+ Postconditions:
+ |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+ */
+
+static void
+fe25519_sub(fe25519 h, const fe25519 f, const fe25519 g)
+{
+ int32_t h0 = f[0] - g[0];
+ int32_t h1 = f[1] - g[1];
+ int32_t h2 = f[2] - g[2];
+ int32_t h3 = f[3] - g[3];
+ int32_t h4 = f[4] - g[4];
+ int32_t h5 = f[5] - g[5];
+ int32_t h6 = f[6] - g[6];
+ int32_t h7 = f[7] - g[7];
+ int32_t h8 = f[8] - g[8];
+ int32_t h9 = f[9] - g[9];
+
+ h[0] = h0;
+ h[1] = h1;
+ h[2] = h2;
+ h[3] = h3;
+ h[4] = h4;
+ h[5] = h5;
+ h[6] = h6;
+ h[7] = h7;
+ h[8] = h8;
+ h[9] = h9;
+}
+
+/*
+ h = -f
+ *
+ Preconditions:
+ |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+ *
+ Postconditions:
+ |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+ */
+
+static inline void
+fe25519_neg(fe25519 h, const fe25519 f)
+{
+ int32_t h0 = -f[0];
+ int32_t h1 = -f[1];
+ int32_t h2 = -f[2];
+ int32_t h3 = -f[3];
+ int32_t h4 = -f[4];
+ int32_t h5 = -f[5];
+ int32_t h6 = -f[6];
+ int32_t h7 = -f[7];
+ int32_t h8 = -f[8];
+ int32_t h9 = -f[9];
+
+ h[0] = h0;
+ h[1] = h1;
+ h[2] = h2;
+ h[3] = h3;
+ h[4] = h4;
+ h[5] = h5;
+ h[6] = h6;
+ h[7] = h7;
+ h[8] = h8;
+ h[9] = h9;
+}
+
+/*
+ Replace (f,g) with (g,g) if b == 1;
+ replace (f,g) with (f,g) if b == 0.
+ *
+ Preconditions: b in {0,1}.
+ */
+
+static void
+fe25519_cmov(fe25519 f, const fe25519 g, unsigned int b)
+{
+ const uint32_t mask = (uint32_t) (-(int32_t) b);
+
+ int32_t f0 = f[0];
+ int32_t f1 = f[1];
+ int32_t f2 = f[2];
+ int32_t f3 = f[3];
+ int32_t f4 = f[4];
+ int32_t f5 = f[5];
+ int32_t f6 = f[6];
+ int32_t f7 = f[7];
+ int32_t f8 = f[8];
+ int32_t f9 = f[9];
+
+ int32_t x0 = f0 ^ g[0];
+ int32_t x1 = f1 ^ g[1];
+ int32_t x2 = f2 ^ g[2];
+ int32_t x3 = f3 ^ g[3];
+ int32_t x4 = f4 ^ g[4];
+ int32_t x5 = f5 ^ g[5];
+ int32_t x6 = f6 ^ g[6];
+ int32_t x7 = f7 ^ g[7];
+ int32_t x8 = f8 ^ g[8];
+ int32_t x9 = f9 ^ g[9];
+
+ x0 &= mask;
+ x1 &= mask;
+ x2 &= mask;
+ x3 &= mask;
+ x4 &= mask;
+ x5 &= mask;
+ x6 &= mask;
+ x7 &= mask;
+ x8 &= mask;
+ x9 &= mask;
+
+ f[0] = f0 ^ x0;
+ f[1] = f1 ^ x1;
+ f[2] = f2 ^ x2;
+ f[3] = f3 ^ x3;
+ f[4] = f4 ^ x4;
+ f[5] = f5 ^ x5;
+ f[6] = f6 ^ x6;
+ f[7] = f7 ^ x7;
+ f[8] = f8 ^ x8;
+ f[9] = f9 ^ x9;
+}
+
+static void
+fe25519_cswap(fe25519 f, fe25519 g, unsigned int b)
+{
+ const uint32_t mask = (uint32_t) (-(int64_t) b);
+
+ int32_t f0 = f[0];
+ int32_t f1 = f[1];
+ int32_t f2 = f[2];
+ int32_t f3 = f[3];
+ int32_t f4 = f[4];
+ int32_t f5 = f[5];
+ int32_t f6 = f[6];
+ int32_t f7 = f[7];
+ int32_t f8 = f[8];
+ int32_t f9 = f[9];
+
+ int32_t g0 = g[0];
+ int32_t g1 = g[1];
+ int32_t g2 = g[2];
+ int32_t g3 = g[3];
+ int32_t g4 = g[4];
+ int32_t g5 = g[5];
+ int32_t g6 = g[6];
+ int32_t g7 = g[7];
+ int32_t g8 = g[8];
+ int32_t g9 = g[9];
+
+ int32_t x0 = f0 ^ g0;
+ int32_t x1 = f1 ^ g1;
+ int32_t x2 = f2 ^ g2;
+ int32_t x3 = f3 ^ g3;
+ int32_t x4 = f4 ^ g4;
+ int32_t x5 = f5 ^ g5;
+ int32_t x6 = f6 ^ g6;
+ int32_t x7 = f7 ^ g7;
+ int32_t x8 = f8 ^ g8;
+ int32_t x9 = f9 ^ g9;
+
+ x0 &= mask;
+ x1 &= mask;
+ x2 &= mask;
+ x3 &= mask;
+ x4 &= mask;
+ x5 &= mask;
+ x6 &= mask;
+ x7 &= mask;
+ x8 &= mask;
+ x9 &= mask;
+
+ f[0] = f0 ^ x0;
+ f[1] = f1 ^ x1;
+ f[2] = f2 ^ x2;
+ f[3] = f3 ^ x3;
+ f[4] = f4 ^ x4;
+ f[5] = f5 ^ x5;
+ f[6] = f6 ^ x6;
+ f[7] = f7 ^ x7;
+ f[8] = f8 ^ x8;
+ f[9] = f9 ^ x9;
+
+ g[0] = g0 ^ x0;
+ g[1] = g1 ^ x1;
+ g[2] = g2 ^ x2;
+ g[3] = g3 ^ x3;
+ g[4] = g4 ^ x4;
+ g[5] = g5 ^ x5;
+ g[6] = g6 ^ x6;
+ g[7] = g7 ^ x7;
+ g[8] = g8 ^ x8;
+ g[9] = g9 ^ x9;
+}
+
+/*
+ h = f
+ */
+
+static inline void
+fe25519_copy(fe25519 h, const fe25519 f)
+{
+ int32_t f0 = f[0];
+ int32_t f1 = f[1];
+ int32_t f2 = f[2];
+ int32_t f3 = f[3];
+ int32_t f4 = f[4];
+ int32_t f5 = f[5];
+ int32_t f6 = f[6];
+ int32_t f7 = f[7];
+ int32_t f8 = f[8];
+ int32_t f9 = f[9];
+
+ h[0] = f0;
+ h[1] = f1;
+ h[2] = f2;
+ h[3] = f3;
+ h[4] = f4;
+ h[5] = f5;
+ h[6] = f6;
+ h[7] = f7;
+ h[8] = f8;
+ h[9] = f9;
+}
+
+/*
+ return 1 if f is in {1,3,5,...,q-2}
+ return 0 if f is in {0,2,4,...,q-1}
+
+ Preconditions:
+ |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+ */
+
+static inline int
+fe25519_isnegative(const fe25519 f)
+{
+ unsigned char s[32];
+
+ fe25519_tobytes(s, f);
+
+ return s[0] & 1;
+}
+
+/*
+ return 1 if f == 0
+ return 0 if f != 0
+
+ Preconditions:
+ |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+ */
+
+static inline int
+fe25519_iszero(const fe25519 f)
+{
+ unsigned char s[32];
+
+ fe25519_tobytes(s, f);
+
+ return sodium_is_zero(s, 32);
+}
+
+/*
+ h = f * g
+ Can overlap h with f or g.
+ *
+ Preconditions:
+ |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+ |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+ *
+ Postconditions:
+ |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
+ */
+
+/*
+ Notes on implementation strategy:
+ *
+ Using schoolbook multiplication.
+ Karatsuba would save a little in some cost models.
+ *
+ Most multiplications by 2 and 19 are 32-bit precomputations;
+ cheaper than 64-bit postcomputations.
+ *
+ There is one remaining multiplication by 19 in the carry chain;
+ one *19 precomputation can be merged into this,
+ but the resulting data flow is considerably less clean.
+ *
+ There are 12 carries below.
+ 10 of them are 2-way parallelizable and vectorizable.
+ Can get away with 11 carries, but then data flow is much deeper.
+ *
+ With tighter constraints on inputs can squeeze carries into int32.
+ */
+
+static void
+fe25519_mul(fe25519 h, const fe25519 f, const fe25519 g)
+{
+ int32_t f0 = f[0];
+ int32_t f1 = f[1];
+ int32_t f2 = f[2];
+ int32_t f3 = f[3];
+ int32_t f4 = f[4];
+ int32_t f5 = f[5];
+ int32_t f6 = f[6];
+ int32_t f7 = f[7];
+ int32_t f8 = f[8];
+ int32_t f9 = f[9];
+
+ int32_t g0 = g[0];
+ int32_t g1 = g[1];
+ int32_t g2 = g[2];
+ int32_t g3 = g[3];
+ int32_t g4 = g[4];
+ int32_t g5 = g[5];
+ int32_t g6 = g[6];
+ int32_t g7 = g[7];
+ int32_t g8 = g[8];
+ int32_t g9 = g[9];
+
+ int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */
+ int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
+ int32_t g3_19 = 19 * g3;
+ int32_t g4_19 = 19 * g4;
+ int32_t g5_19 = 19 * g5;
+ int32_t g6_19 = 19 * g6;
+ int32_t g7_19 = 19 * g7;
+ int32_t g8_19 = 19 * g8;
+ int32_t g9_19 = 19 * g9;
+ int32_t f1_2 = 2 * f1;
+ int32_t f3_2 = 2 * f3;
+ int32_t f5_2 = 2 * f5;
+ int32_t f7_2 = 2 * f7;
+ int32_t f9_2 = 2 * f9;
+
+ int64_t f0g0 = f0 * (int64_t) g0;
+ int64_t f0g1 = f0 * (int64_t) g1;
+ int64_t f0g2 = f0 * (int64_t) g2;
+ int64_t f0g3 = f0 * (int64_t) g3;
+ int64_t f0g4 = f0 * (int64_t) g4;
+ int64_t f0g5 = f0 * (int64_t) g5;
+ int64_t f0g6 = f0 * (int64_t) g6;
+ int64_t f0g7 = f0 * (int64_t) g7;
+ int64_t f0g8 = f0 * (int64_t) g8;
+ int64_t f0g9 = f0 * (int64_t) g9;
+ int64_t f1g0 = f1 * (int64_t) g0;
+ int64_t f1g1_2 = f1_2 * (int64_t) g1;
+ int64_t f1g2 = f1 * (int64_t) g2;
+ int64_t f1g3_2 = f1_2 * (int64_t) g3;
+ int64_t f1g4 = f1 * (int64_t) g4;
+ int64_t f1g5_2 = f1_2 * (int64_t) g5;
+ int64_t f1g6 = f1 * (int64_t) g6;
+ int64_t f1g7_2 = f1_2 * (int64_t) g7;
+ int64_t f1g8 = f1 * (int64_t) g8;
+ int64_t f1g9_38 = f1_2 * (int64_t) g9_19;
+ int64_t f2g0 = f2 * (int64_t) g0;
+ int64_t f2g1 = f2 * (int64_t) g1;
+ int64_t f2g2 = f2 * (int64_t) g2;
+ int64_t f2g3 = f2 * (int64_t) g3;
+ int64_t f2g4 = f2 * (int64_t) g4;
+ int64_t f2g5 = f2 * (int64_t) g5;
+ int64_t f2g6 = f2 * (int64_t) g6;
+ int64_t f2g7 = f2 * (int64_t) g7;
+ int64_t f2g8_19 = f2 * (int64_t) g8_19;
+ int64_t f2g9_19 = f2 * (int64_t) g9_19;
+ int64_t f3g0 = f3 * (int64_t) g0;
+ int64_t f3g1_2 = f3_2 * (int64_t) g1;
+ int64_t f3g2 = f3 * (int64_t) g2;
+ int64_t f3g3_2 = f3_2 * (int64_t) g3;
+ int64_t f3g4 = f3 * (int64_t) g4;
+ int64_t f3g5_2 = f3_2 * (int64_t) g5;
+ int64_t f3g6 = f3 * (int64_t) g6;
+ int64_t f3g7_38 = f3_2 * (int64_t) g7_19;
+ int64_t f3g8_19 = f3 * (int64_t) g8_19;
+ int64_t f3g9_38 = f3_2 * (int64_t) g9_19;
+ int64_t f4g0 = f4 * (int64_t) g0;
+ int64_t f4g1 = f4 * (int64_t) g1;
+ int64_t f4g2 = f4 * (int64_t) g2;
+ int64_t f4g3 = f4 * (int64_t) g3;
+ int64_t f4g4 = f4 * (int64_t) g4;
+ int64_t f4g5 = f4 * (int64_t) g5;
+ int64_t f4g6_19 = f4 * (int64_t) g6_19;
+ int64_t f4g7_19 = f4 * (int64_t) g7_19;
+ int64_t f4g8_19 = f4 * (int64_t) g8_19;
+ int64_t f4g9_19 = f4 * (int64_t) g9_19;
+ int64_t f5g0 = f5 * (int64_t) g0;
+ int64_t f5g1_2 = f5_2 * (int64_t) g1;
+ int64_t f5g2 = f5 * (int64_t) g2;
+ int64_t f5g3_2 = f5_2 * (int64_t) g3;
+ int64_t f5g4 = f5 * (int64_t) g4;
+ int64_t f5g5_38 = f5_2 * (int64_t) g5_19;
+ int64_t f5g6_19 = f5 * (int64_t) g6_19;
+ int64_t f5g7_38 = f5_2 * (int64_t) g7_19;
+ int64_t f5g8_19 = f5 * (int64_t) g8_19;
+ int64_t f5g9_38 = f5_2 * (int64_t) g9_19;
+ int64_t f6g0 = f6 * (int64_t) g0;
+ int64_t f6g1 = f6 * (int64_t) g1;
+ int64_t f6g2 = f6 * (int64_t) g2;
+ int64_t f6g3 = f6 * (int64_t) g3;
+ int64_t f6g4_19 = f6 * (int64_t) g4_19;
+ int64_t f6g5_19 = f6 * (int64_t) g5_19;
+ int64_t f6g6_19 = f6 * (int64_t) g6_19;
+ int64_t f6g7_19 = f6 * (int64_t) g7_19;
+ int64_t f6g8_19 = f6 * (int64_t) g8_19;
+ int64_t f6g9_19 = f6 * (int64_t) g9_19;
+ int64_t f7g0 = f7 * (int64_t) g0;
+ int64_t f7g1_2 = f7_2 * (int64_t) g1;
+ int64_t f7g2 = f7 * (int64_t) g2;
+ int64_t f7g3_38 = f7_2 * (int64_t) g3_19;
+ int64_t f7g4_19 = f7 * (int64_t) g4_19;
+ int64_t f7g5_38 = f7_2 * (int64_t) g5_19;
+ int64_t f7g6_19 = f7 * (int64_t) g6_19;
+ int64_t f7g7_38 = f7_2 * (int64_t) g7_19;
+ int64_t f7g8_19 = f7 * (int64_t) g8_19;
+ int64_t f7g9_38 = f7_2 * (int64_t) g9_19;
+ int64_t f8g0 = f8 * (int64_t) g0;
+ int64_t f8g1 = f8 * (int64_t) g1;
+ int64_t f8g2_19 = f8 * (int64_t) g2_19;
+ int64_t f8g3_19 = f8 * (int64_t) g3_19;
+ int64_t f8g4_19 = f8 * (int64_t) g4_19;
+ int64_t f8g5_19 = f8 * (int64_t) g5_19;
+ int64_t f8g6_19 = f8 * (int64_t) g6_19;
+ int64_t f8g7_19 = f8 * (int64_t) g7_19;
+ int64_t f8g8_19 = f8 * (int64_t) g8_19;
+ int64_t f8g9_19 = f8 * (int64_t) g9_19;
+ int64_t f9g0 = f9 * (int64_t) g0;
+ int64_t f9g1_38 = f9_2 * (int64_t) g1_19;
+ int64_t f9g2_19 = f9 * (int64_t) g2_19;
+ int64_t f9g3_38 = f9_2 * (int64_t) g3_19;
+ int64_t f9g4_19 = f9 * (int64_t) g4_19;
+ int64_t f9g5_38 = f9_2 * (int64_t) g5_19;
+ int64_t f9g6_19 = f9 * (int64_t) g6_19;
+ int64_t f9g7_38 = f9_2 * (int64_t) g7_19;
+ int64_t f9g8_19 = f9 * (int64_t) g8_19;
+ int64_t f9g9_38 = f9_2 * (int64_t) g9_19;
+
+ int64_t h0 = f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 +
+ f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38;
+ int64_t h1 = f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 +
+ f7g4_19 + f8g3_19 + f9g2_19;
+ int64_t h2 = f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 +
+ f7g5_38 + f8g4_19 + f9g3_38;
+ int64_t h3 = f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 +
+ f7g6_19 + f8g5_19 + f9g4_19;
+ int64_t h4 = f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 +
+ f7g7_38 + f8g6_19 + f9g5_38;
+ int64_t h5 = f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 +
+ f8g7_19 + f9g6_19;
+ int64_t h6 = f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 +
+ f7g9_38 + f8g8_19 + f9g7_38;
+ int64_t h7 = f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 +
+ f8g9_19 + f9g8_19;
+ int64_t h8 = f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 +
+ f8g0 + f9g9_38;
+ int64_t h9 =
+ f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0;
+
+ int64_t carry0;
+ int64_t carry1;
+ int64_t carry2;
+ int64_t carry3;
+ int64_t carry4;
+ int64_t carry5;
+ int64_t carry6;
+ int64_t carry7;
+ int64_t carry8;
+ int64_t carry9;
+
+ /*
+ |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38))
+ i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8
+ |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19))
+ i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9
+ */
+
+ carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
+ h1 += carry0;
+ h0 -= carry0 * ((uint64_t) 1L << 26);
+ carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
+ h5 += carry4;
+ h4 -= carry4 * ((uint64_t) 1L << 26);
+ /* |h0| <= 2^25 */
+ /* |h4| <= 2^25 */
+ /* |h1| <= 1.71*2^59 */
+ /* |h5| <= 1.71*2^59 */
+
+ carry1 = (h1 + (int64_t)(1L << 24)) >> 25;
+ h2 += carry1;
+ h1 -= carry1 * ((uint64_t) 1L << 25);
+ carry5 = (h5 + (int64_t)(1L << 24)) >> 25;
+ h6 += carry5;
+ h5 -= carry5 * ((uint64_t) 1L << 25);
+ /* |h1| <= 2^24; from now on fits into int32 */
+ /* |h5| <= 2^24; from now on fits into int32 */
+ /* |h2| <= 1.41*2^60 */
+ /* |h6| <= 1.41*2^60 */
+
+ carry2 = (h2 + (int64_t)(1L << 25)) >> 26;
+ h3 += carry2;
+ h2 -= carry2 * ((uint64_t) 1L << 26);
+ carry6 = (h6 + (int64_t)(1L << 25)) >> 26;
+ h7 += carry6;
+ h6 -= carry6 * ((uint64_t) 1L << 26);
+ /* |h2| <= 2^25; from now on fits into int32 unchanged */
+ /* |h6| <= 2^25; from now on fits into int32 unchanged */
+ /* |h3| <= 1.71*2^59 */
+ /* |h7| <= 1.71*2^59 */
+
+ carry3 = (h3 + (int64_t)(1L << 24)) >> 25;
+ h4 += carry3;
+ h3 -= carry3 * ((uint64_t) 1L << 25);
+ carry7 = (h7 + (int64_t)(1L << 24)) >> 25;
+ h8 += carry7;
+ h7 -= carry7 * ((uint64_t) 1L << 25);
+ /* |h3| <= 2^24; from now on fits into int32 unchanged */
+ /* |h7| <= 2^24; from now on fits into int32 unchanged */
+ /* |h4| <= 1.72*2^34 */
+ /* |h8| <= 1.41*2^60 */
+
+ carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
+ h5 += carry4;
+ h4 -= carry4 * ((uint64_t) 1L << 26);
+ carry8 = (h8 + (int64_t)(1L << 25)) >> 26;
+ h9 += carry8;
+ h8 -= carry8 * ((uint64_t) 1L << 26);
+ /* |h4| <= 2^25; from now on fits into int32 unchanged */
+ /* |h8| <= 2^25; from now on fits into int32 unchanged */
+ /* |h5| <= 1.01*2^24 */
+ /* |h9| <= 1.71*2^59 */
+
+ carry9 = (h9 + (int64_t)(1L << 24)) >> 25;
+ h0 += carry9 * 19;
+ h9 -= carry9 * ((uint64_t) 1L << 25);
+ /* |h9| <= 2^24; from now on fits into int32 unchanged */
+ /* |h0| <= 1.1*2^39 */
+
+ carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
+ h1 += carry0;
+ h0 -= carry0 * ((uint64_t) 1L << 26);
+ /* |h0| <= 2^25; from now on fits into int32 unchanged */
+ /* |h1| <= 1.01*2^24 */
+
+ h[0] = (int32_t) h0;
+ h[1] = (int32_t) h1;
+ h[2] = (int32_t) h2;
+ h[3] = (int32_t) h3;
+ h[4] = (int32_t) h4;
+ h[5] = (int32_t) h5;
+ h[6] = (int32_t) h6;
+ h[7] = (int32_t) h7;
+ h[8] = (int32_t) h8;
+ h[9] = (int32_t) h9;
+}
+
+/*
+ h = f * f
+ Can overlap h with f.
+ *
+ Preconditions:
+ |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
+ *
+ Postconditions:
+ |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
+ */
+
+static void
+fe25519_sq(fe25519 h, const fe25519 f)
+{
+ int32_t f0 = f[0];
+ int32_t f1 = f[1];
+ int32_t f2 = f[2];
+ int32_t f3 = f[3];
+ int32_t f4 = f[4];
+ int32_t f5 = f[5];
+ int32_t f6 = f[6];
+ int32_t f7 = f[7];
+ int32_t f8 = f[8];
+ int32_t f9 = f[9];
+
+ int32_t f0_2 = 2 * f0;
+ int32_t f1_2 = 2 * f1;
+ int32_t f2_2 = 2 * f2;
+ int32_t f3_2 = 2 * f3;
+ int32_t f4_2 = 2 * f4;
+ int32_t f5_2 = 2 * f5;
+ int32_t f6_2 = 2 * f6;
+ int32_t f7_2 = 2 * f7;
+ int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
+ int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
+ int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
+ int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
+ int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
+
+ int64_t f0f0 = f0 * (int64_t) f0;
+ int64_t f0f1_2 = f0_2 * (int64_t) f1;
+ int64_t f0f2_2 = f0_2 * (int64_t) f2;
+ int64_t f0f3_2 = f0_2 * (int64_t) f3;
+ int64_t f0f4_2 = f0_2 * (int64_t) f4;
+ int64_t f0f5_2 = f0_2 * (int64_t) f5;
+ int64_t f0f6_2 = f0_2 * (int64_t) f6;
+ int64_t f0f7_2 = f0_2 * (int64_t) f7;
+ int64_t f0f8_2 = f0_2 * (int64_t) f8;
+ int64_t f0f9_2 = f0_2 * (int64_t) f9;
+ int64_t f1f1_2 = f1_2 * (int64_t) f1;
+ int64_t f1f2_2 = f1_2 * (int64_t) f2;
+ int64_t f1f3_4 = f1_2 * (int64_t) f3_2;
+ int64_t f1f4_2 = f1_2 * (int64_t) f4;
+ int64_t f1f5_4 = f1_2 * (int64_t) f5_2;
+ int64_t f1f6_2 = f1_2 * (int64_t) f6;
+ int64_t f1f7_4 = f1_2 * (int64_t) f7_2;
+ int64_t f1f8_2 = f1_2 * (int64_t) f8;
+ int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
+ int64_t f2f2 = f2 * (int64_t) f2;
+ int64_t f2f3_2 = f2_2 * (int64_t) f3;
+ int64_t f2f4_2 = f2_2 * (int64_t) f4;
+ int64_t f2f5_2 = f2_2 * (int64_t) f5;
+ int64_t f2f6_2 = f2_2 * (int64_t) f6;
+ int64_t f2f7_2 = f2_2 * (int64_t) f7;
+ int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
+ int64_t f2f9_38 = f2 * (int64_t) f9_38;
+ int64_t f3f3_2 = f3_2 * (int64_t) f3;
+ int64_t f3f4_2 = f3_2 * (int64_t) f4;
+ int64_t f3f5_4 = f3_2 * (int64_t) f5_2;
+ int64_t f3f6_2 = f3_2 * (int64_t) f6;
+ int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
+ int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
+ int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
+ int64_t f4f4 = f4 * (int64_t) f4;
+ int64_t f4f5_2 = f4_2 * (int64_t) f5;
+ int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
+ int64_t f4f7_38 = f4 * (int64_t) f7_38;
+ int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
+ int64_t f4f9_38 = f4 * (int64_t) f9_38;
+ int64_t f5f5_38 = f5 * (int64_t) f5_38;
+ int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
+ int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
+ int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
+ int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
+ int64_t f6f6_19 = f6 * (int64_t) f6_19;
+ int64_t f6f7_38 = f6 * (int64_t) f7_38;
+ int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
+ int64_t f6f9_38 = f6 * (int64_t) f9_38;
+ int64_t f7f7_38 = f7 * (int64_t) f7_38;
+ int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
+ int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
+ int64_t f8f8_19 = f8 * (int64_t) f8_19;
+ int64_t f8f9_38 = f8 * (int64_t) f9_38;
+ int64_t f9f9_38 = f9 * (int64_t) f9_38;
+
+ int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
+ int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
+ int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
+ int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
+ int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
+ int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
+ int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
+ int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
+ int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
+ int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
+
+ int64_t carry0;
+ int64_t carry1;
+ int64_t carry2;
+ int64_t carry3;
+ int64_t carry4;
+ int64_t carry5;
+ int64_t carry6;
+ int64_t carry7;
+ int64_t carry8;
+ int64_t carry9;
+
+ carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
+ h1 += carry0;
+ h0 -= carry0 * ((uint64_t) 1L << 26);
+ carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
+ h5 += carry4;
+ h4 -= carry4 * ((uint64_t) 1L << 26);
+
+ carry1 = (h1 + (int64_t)(1L << 24)) >> 25;
+ h2 += carry1;
+ h1 -= carry1 * ((uint64_t) 1L << 25);
+ carry5 = (h5 + (int64_t)(1L << 24)) >> 25;
+ h6 += carry5;
+ h5 -= carry5 * ((uint64_t) 1L << 25);
+
+ carry2 = (h2 + (int64_t)(1L << 25)) >> 26;
+ h3 += carry2;
+ h2 -= carry2 * ((uint64_t) 1L << 26);
+ carry6 = (h6 + (int64_t)(1L << 25)) >> 26;
+ h7 += carry6;
+ h6 -= carry6 * ((uint64_t) 1L << 26);
+
+ carry3 = (h3 + (int64_t)(1L << 24)) >> 25;
+ h4 += carry3;
+ h3 -= carry3 * ((uint64_t) 1L << 25);
+ carry7 = (h7 + (int64_t)(1L << 24)) >> 25;
+ h8 += carry7;
+ h7 -= carry7 * ((uint64_t) 1L << 25);
+
+ carry4 = (h4 + (int64_t)(1L << 25)) >> 26;
+ h5 += carry4;
+ h4 -= carry4 * ((uint64_t) 1L << 26);
+ carry8 = (h8 + (int64_t)(1L << 25)) >> 26;
+ h9 += carry8;
+ h8 -= carry8 * ((uint64_t) 1L << 26);
+
+ carry9 = (h9 + (int64_t)(1L << 24)) >> 25;
+ h0 += carry9 * 19;
+ h9 -= carry9 * ((uint64_t) 1L << 25);
+
+ carry0 = (h0 + (int64_t)(1L << 25)) >> 26;
+ h1 += carry0;
+ h0 -= carry0 * ((uint64_t) 1L << 26);
+
+ h[0] = (int32_t) h0;
+ h[1] = (int32_t) h1;
+ h[2] = (int32_t) h2;
+ h[3] = (int32_t) h3;
+ h[4] = (int32_t) h4;
+ h[5] = (int32_t) h5;
+ h[6] = (int32_t) h6;
+ h[7] = (int32_t) h7;
+ h[8] = (int32_t) h8;
+ h[9] = (int32_t) h9;
+}
+
+/*
+ h = 2 * f * f
+ Can overlap
h with f. + * + Preconditions: + |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + * + Postconditions: + |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. + */ + +static void +fe25519_sq2(fe25519 h, const fe25519 f) +{ + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + + int32_t f0_2 = 2 * f0; + int32_t f1_2 = 2 * f1; + int32_t f2_2 = 2 * f2; + int32_t f3_2 = 2 * f3; + int32_t f4_2 = 2 * f4; + int32_t f5_2 = 2 * f5; + int32_t f6_2 = 2 * f6; + int32_t f7_2 = 2 * f7; + int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */ + int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */ + int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */ + int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */ + int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */ + + int64_t f0f0 = f0 * (int64_t) f0; + int64_t f0f1_2 = f0_2 * (int64_t) f1; + int64_t f0f2_2 = f0_2 * (int64_t) f2; + int64_t f0f3_2 = f0_2 * (int64_t) f3; + int64_t f0f4_2 = f0_2 * (int64_t) f4; + int64_t f0f5_2 = f0_2 * (int64_t) f5; + int64_t f0f6_2 = f0_2 * (int64_t) f6; + int64_t f0f7_2 = f0_2 * (int64_t) f7; + int64_t f0f8_2 = f0_2 * (int64_t) f8; + int64_t f0f9_2 = f0_2 * (int64_t) f9; + int64_t f1f1_2 = f1_2 * (int64_t) f1; + int64_t f1f2_2 = f1_2 * (int64_t) f2; + int64_t f1f3_4 = f1_2 * (int64_t) f3_2; + int64_t f1f4_2 = f1_2 * (int64_t) f4; + int64_t f1f5_4 = f1_2 * (int64_t) f5_2; + int64_t f1f6_2 = f1_2 * (int64_t) f6; + int64_t f1f7_4 = f1_2 * (int64_t) f7_2; + int64_t f1f8_2 = f1_2 * (int64_t) f8; + int64_t f1f9_76 = f1_2 * (int64_t) f9_38; + int64_t f2f2 = f2 * (int64_t) f2; + int64_t f2f3_2 = f2_2 * (int64_t) f3; + int64_t f2f4_2 = f2_2 * (int64_t) f4; + int64_t f2f5_2 = f2_2 * (int64_t) f5; + int64_t f2f6_2 = f2_2 * (int64_t) f6; + int64_t f2f7_2 = f2_2 * (int64_t) f7; + int64_t f2f8_38 = f2_2 * (int64_t) f8_19; + int64_t f2f9_38 = f2 * (int64_t) f9_38; + int64_t f3f3_2 = 
f3_2 * (int64_t) f3; + int64_t f3f4_2 = f3_2 * (int64_t) f4; + int64_t f3f5_4 = f3_2 * (int64_t) f5_2; + int64_t f3f6_2 = f3_2 * (int64_t) f6; + int64_t f3f7_76 = f3_2 * (int64_t) f7_38; + int64_t f3f8_38 = f3_2 * (int64_t) f8_19; + int64_t f3f9_76 = f3_2 * (int64_t) f9_38; + int64_t f4f4 = f4 * (int64_t) f4; + int64_t f4f5_2 = f4_2 * (int64_t) f5; + int64_t f4f6_38 = f4_2 * (int64_t) f6_19; + int64_t f4f7_38 = f4 * (int64_t) f7_38; + int64_t f4f8_38 = f4_2 * (int64_t) f8_19; + int64_t f4f9_38 = f4 * (int64_t) f9_38; + int64_t f5f5_38 = f5 * (int64_t) f5_38; + int64_t f5f6_38 = f5_2 * (int64_t) f6_19; + int64_t f5f7_76 = f5_2 * (int64_t) f7_38; + int64_t f5f8_38 = f5_2 * (int64_t) f8_19; + int64_t f5f9_76 = f5_2 * (int64_t) f9_38; + int64_t f6f6_19 = f6 * (int64_t) f6_19; + int64_t f6f7_38 = f6 * (int64_t) f7_38; + int64_t f6f8_38 = f6_2 * (int64_t) f8_19; + int64_t f6f9_38 = f6 * (int64_t) f9_38; + int64_t f7f7_38 = f7 * (int64_t) f7_38; + int64_t f7f8_38 = f7_2 * (int64_t) f8_19; + int64_t f7f9_76 = f7_2 * (int64_t) f9_38; + int64_t f8f8_19 = f8 * (int64_t) f8_19; + int64_t f8f9_38 = f8 * (int64_t) f9_38; + int64_t f9f9_38 = f9 * (int64_t) f9_38; + + int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38; + int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38; + int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19; + int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38; + int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38; + int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38; + int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19; + int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38; + int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38; + int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2; + + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t 
carry9; + + h0 += h0; + h1 += h1; + h2 += h2; + h3 += h3; + h4 += h4; + h5 += h5; + h6 += h6; + h7 += h7; + h8 += h8; + h9 += h9; + + carry0 = (h0 + (int64_t)(1L << 25)) >> 26; + h1 += carry0; + h0 -= carry0 * ((uint64_t) 1L << 26); + carry4 = (h4 + (int64_t)(1L << 25)) >> 26; + h5 += carry4; + h4 -= carry4 * ((uint64_t) 1L << 26); + + carry1 = (h1 + (int64_t)(1L << 24)) >> 25; + h2 += carry1; + h1 -= carry1 * ((uint64_t) 1L << 25); + carry5 = (h5 + (int64_t)(1L << 24)) >> 25; + h6 += carry5; + h5 -= carry5 * ((uint64_t) 1L << 25); + + carry2 = (h2 + (int64_t)(1L << 25)) >> 26; + h3 += carry2; + h2 -= carry2 * ((uint64_t) 1L << 26); + carry6 = (h6 + (int64_t)(1L << 25)) >> 26; + h7 += carry6; + h6 -= carry6 * ((uint64_t) 1L << 26); + + carry3 = (h3 + (int64_t)(1L << 24)) >> 25; + h4 += carry3; + h3 -= carry3 * ((uint64_t) 1L << 25); + carry7 = (h7 + (int64_t)(1L << 24)) >> 25; + h8 += carry7; + h7 -= carry7 * ((uint64_t) 1L << 25); + + carry4 = (h4 + (int64_t)(1L << 25)) >> 26; + h5 += carry4; + h4 -= carry4 * ((uint64_t) 1L << 26); + carry8 = (h8 + (int64_t)(1L << 25)) >> 26; + h9 += carry8; + h8 -= carry8 * ((uint64_t) 1L << 26); + + carry9 = (h9 + (int64_t)(1L << 24)) >> 25; + h0 += carry9 * 19; + h9 -= carry9 * ((uint64_t) 1L << 25); + + carry0 = (h0 + (int64_t)(1L << 25)) >> 26; + h1 += carry0; + h0 -= carry0 * ((uint64_t) 1L << 26); + + h[0] = (int32_t) h0; + h[1] = (int32_t) h1; + h[2] = (int32_t) h2; + h[3] = (int32_t) h3; + h[4] = (int32_t) h4; + h[5] = (int32_t) h5; + h[6] = (int32_t) h6; + h[7] = (int32_t) h7; + h[8] = (int32_t) h8; + h[9] = (int32_t) h9; +} + +static void +fe25519_scalar_product(fe25519 h, const fe25519 f, uint32_t n) +{ + int64_t sn = (int64_t) n; + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int64_t h0 = f0 * sn; + int64_t h1 = f1 * sn; + int64_t h2 = f2 * sn; + int64_t 
h3 = f3 * sn; + int64_t h4 = f4 * sn; + int64_t h5 = f5 * sn; + int64_t h6 = f6 * sn; + int64_t h7 = f7 * sn; + int64_t h8 = f8 * sn; + int64_t h9 = f9 * sn; + int64_t carry0, carry1, carry2, carry3, carry4, carry5, carry6, carry7, + carry8, carry9; + + carry9 = (h9 + ((int64_t) 1 << 24)) >> 25; + h0 += carry9 * 19; + h9 -= carry9 * ((int64_t) 1 << 25); + carry1 = (h1 + ((int64_t) 1 << 24)) >> 25; + h2 += carry1; + h1 -= carry1 * ((int64_t) 1 << 25); + carry3 = (h3 + ((int64_t) 1 << 24)) >> 25; + h4 += carry3; + h3 -= carry3 * ((int64_t) 1 << 25); + carry5 = (h5 + ((int64_t) 1 << 24)) >> 25; + h6 += carry5; + h5 -= carry5 * ((int64_t) 1 << 25); + carry7 = (h7 + ((int64_t) 1 << 24)) >> 25; + h8 += carry7; + h7 -= carry7 * ((int64_t) 1 << 25); + + carry0 = (h0 + ((int64_t) 1 << 25)) >> 26; + h1 += carry0; + h0 -= carry0 * ((int64_t) 1 << 26); + carry2 = (h2 + ((int64_t) 1 << 25)) >> 26; + h3 += carry2; + h2 -= carry2 * ((int64_t) 1 << 26); + carry4 = (h4 + ((int64_t) 1 << 25)) >> 26; + h5 += carry4; + h4 -= carry4 * ((int64_t) 1 << 26); + carry6 = (h6 + ((int64_t) 1 << 25)) >> 26; + h7 += carry6; + h6 -= carry6 * ((int64_t) 1 << 26); + carry8 = (h8 + ((int64_t) 1 << 25)) >> 26; + h9 += carry8; + h8 -= carry8 * ((int64_t) 1 << 26); + + h[0] = (int32_t) h0; + h[1] = (int32_t) h1; + h[2] = (int32_t) h2; + h[3] = (int32_t) h3; + h[4] = (int32_t) h4; + h[5] = (int32_t) h5; + h[6] = (int32_t) h6; + h[7] = (int32_t) h7; + h[8] = (int32_t) h8; + h[9] = (int32_t) h9; +} diff --git a/depends/libsodium/include/sodium/private/ed25519_ref10_fe_51.h b/depends/libsodium/include/sodium/private/ed25519_ref10_fe_51.h new file mode 100644 index 000000000..6a5c01218 --- /dev/null +++ b/depends/libsodium/include/sodium/private/ed25519_ref10_fe_51.h 
@@ -0,0 +1,519 @@
+#include
+
+#include "private/common.h"
+#include "private/quirks.h"
+#include "utils.h"
+
+/*
+ h = 0
+ */
+
+static inline void
+fe25519_0(fe25519 h)
+{
+ memset(&h[0], 0, 5 * sizeof h[0]);
+}
+
+/*
+ h = 1
+ */
+
+static inline void
+fe25519_1(fe25519 h)
+{
+ h[0] = 1;
+ memset(&h[1], 0, 4 * sizeof h[0]);
+}
+
+/*
+ h = f + g
+ Can overlap h with f or g.
+ */
+
+static inline void
+fe25519_add(fe25519 h, const fe25519 f, const fe25519 g)
+{
+ uint64_t h0 = f[0] + g[0];
+ uint64_t h1 = f[1] + g[1];
+ uint64_t h2 = f[2] + g[2];
+ uint64_t h3 = f[3] + g[3];
+ uint64_t h4 = f[4] + g[4];
+
+ h[0] = h0;
+ h[1] = h1;
+ h[2] = h2;
+ h[3] = h3;
+ h[4] = h4;
+}
+
+/*
+ h = f - g
+ */
+
+static void
+fe25519_sub(fe25519 h, const fe25519 f, const fe25519 g)
+{
+ const uint64_t mask = 0x7ffffffffffffULL;
+ uint64_t h0, h1, h2, h3, h4;
+
+ h0 = g[0];
+ h1 = g[1];
+ h2 = g[2];
+ h3 = g[3];
+ h4 = g[4];
+
+ h1 += h0 >> 51;
+ h0 &= mask;
+ h2 += h1 >> 51;
+ h1 &= mask;
+ h3 += h2 >> 51;
+ h2 &= mask;
+ h4 += h3 >> 51;
+ h3 &= mask;
+ h0 += 19ULL * (h4 >> 51);
+ h4 &= mask;
+
+ h0 = (f[0] + 0xfffffffffffdaULL) - h0;
+ h1 = (f[1] + 0xffffffffffffeULL) - h1;
+ h2 = (f[2] + 0xffffffffffffeULL) - h2;
+ h3 = (f[3] + 0xffffffffffffeULL) - h3;
+ h4 = (f[4] + 0xffffffffffffeULL) - h4;
+
+ h[0] = h0;
+ h[1] = h1;
+ h[2] = h2;
+ h[3] = h3;
+ h[4] = h4;
+}
+
+/*
+ h = -f
+ */
+
+static inline void
+fe25519_neg(fe25519 h, const fe25519 f)
+{
+ fe25519 zero;
+
+ fe25519_0(zero);
+ fe25519_sub(h, zero, f);
+}
+
+/*
+ Replace (f,g) with (g,g) if b == 1;
+ replace (f,g) with (f,g) if b == 0.
+ *
+ Preconditions: b in {0,1}.
+ */
+
+static void
+fe25519_cmov(fe25519 f, const fe25519 g, unsigned int b)
+{
+ const uint64_t mask = (uint64_t) (-(int64_t) b);
+
+ uint64_t f0 = f[0];
+ uint64_t f1 = f[1];
+ uint64_t f2 = f[2];
+ uint64_t f3 = f[3];
+ uint64_t f4 = f[4];
+
+ uint64_t x0 = f0 ^ g[0];
+ uint64_t x1 = f1 ^ g[1];
+ uint64_t x2 = f2 ^ g[2];
+ uint64_t x3 = f3 ^ g[3];
+ uint64_t x4 = f4 ^ g[4];
+
+ x0 &= mask;
+ x1 &= mask;
+ x2 &= mask;
+ x3 &= mask;
+ x4 &= mask;
+
+ f[0] = f0 ^ x0;
+ f[1] = f1 ^ x1;
+ f[2] = f2 ^ x2;
+ f[3] = f3 ^ x3;
+ f[4] = f4 ^ x4;
+}
+
+/*
+Replace (f,g) with (g,f) if b == 1;
+replace (f,g) with (f,g) if b == 0.
+
+Preconditions: b in {0,1}.
+*/
+
+static void
+fe25519_cswap(fe25519 f, fe25519 g, unsigned int b)
+{
+ const uint64_t mask = (uint64_t) (-(int64_t) b);
+
+ uint64_t f0 = f[0];
+ uint64_t f1 = f[1];
+ uint64_t f2 = f[2];
+ uint64_t f3 = f[3];
+ uint64_t f4 = f[4];
+
+ uint64_t g0 = g[0];
+ uint64_t g1 = g[1];
+ uint64_t g2 = g[2];
+ uint64_t g3 = g[3];
+ uint64_t g4 = g[4];
+
+ uint64_t x0 = f0 ^ g0;
+ uint64_t x1 = f1 ^ g1;
+ uint64_t x2 = f2 ^ g2;
+ uint64_t x3 = f3 ^ g3;
+ uint64_t x4 = f4 ^ g4;
+
+ x0 &= mask;
+ x1 &= mask;
+ x2 &= mask;
+ x3 &= mask;
+ x4 &= mask;
+
+ f[0] = f0 ^ x0;
+ f[1] = f1 ^ x1;
+ f[2] = f2 ^ x2;
+ f[3] = f3 ^ x3;
+ f[4] = f4 ^ x4;
+
+ g[0] = g0 ^ x0;
+ g[1] = g1 ^ x1;
+ g[2] = g2 ^ x2;
+ g[3] = g3 ^ x3;
+ g[4] = g4 ^ x4;
+}
+
+/*
+ h = f
+ */
+
+static inline void
+fe25519_copy(fe25519 h, const fe25519 f)
+{
+ uint64_t f0 = f[0];
+ uint64_t f1 = f[1];
+ uint64_t f2 = f[2];
+ uint64_t f3 = f[3];
+ uint64_t f4 = f[4];
+
+ h[0] = f0;
+ h[1] = f1;
+ h[2] = f2;
+ h[3] = f3;
+ h[4] = f4;
+}
+
+/*
+ return 1 if f is in {1,3,5,...,q-2}
+ return 0 if f is in {0,2,4,...,q-1}
+ */
+
+static inline int
+fe25519_isnegative(const fe25519 f)
+{
+ unsigned char s[32];
+
+ fe25519_tobytes(s, f);
+
+ return s[0] & 1;
+}
+
+/*
+ return 1 if f == 0
+ return 0 if f != 0
+ */
+
+static inline int
+fe25519_iszero(const fe25519 f)
+{
+ unsigned char s[32];
+
+ fe25519_tobytes(s, f);
+
+ return sodium_is_zero(s, 32);
+}
+
+/*
+ h = f * g
+ Can overlap h with f or g.
+ */
+
+static void
+fe25519_mul(fe25519 h, const fe25519 f, const fe25519 g)
+{
+ const uint64_t mask = 0x7ffffffffffffULL;
+ uint128_t r0, r1, r2, r3, r4, carry;
+ uint64_t f0, f1, f2, f3, f4;
+ uint64_t f1_19, f2_19, f3_19, f4_19;
+ uint64_t g0, g1, g2, g3, g4;
+ uint64_t r00, r01, r02, r03, r04;
+
+ f0 = f[0];
+ f1 = f[1];
+ f2 = f[2];
+ f3 = f[3];
+ f4 = f[4];
+
+ g0 = g[0];
+ g1 = g[1];
+ g2 = g[2];
+ g3 = g[3];
+ g4 = g[4];
+
+ f1_19 = 19ULL * f1;
+ f2_19 = 19ULL * f2;
+ f3_19 = 19ULL * f3;
+ f4_19 = 19ULL * f4;
+
+ r0 = ((uint128_t) f0 ) * ((uint128_t) g0);
+ r0 += ((uint128_t) f1_19) * ((uint128_t) g4);
+ r0 += ((uint128_t) f2_19) * ((uint128_t) g3);
+ r0 += ((uint128_t) f3_19) * ((uint128_t) g2);
+ r0 += ((uint128_t) f4_19) * ((uint128_t) g1);
+
+ r1 = ((uint128_t) f0 ) * ((uint128_t) g1);
+ r1 += ((uint128_t) f1 ) * ((uint128_t) g0);
+ r1 += ((uint128_t) f2_19) * ((uint128_t) g4);
+ r1 += ((uint128_t) f3_19) * ((uint128_t) g3);
+ r1 += ((uint128_t) f4_19) * ((uint128_t) g2);
+
+ r2 = ((uint128_t) f0 ) * ((uint128_t) g2);
+ r2 += ((uint128_t) f1 ) * ((uint128_t) g1);
+ r2 += ((uint128_t) f2 ) * ((uint128_t) g0);
+ r2 += ((uint128_t) f3_19) * ((uint128_t) g4);
+ r2 += ((uint128_t) f4_19) * ((uint128_t) g3);
+
+ r3 = ((uint128_t) f0 ) * ((uint128_t) g3);
+ r3 += ((uint128_t) f1 ) * ((uint128_t) g2);
+ r3 += ((uint128_t) f2 ) * ((uint128_t) g1);
+ r3 += ((uint128_t) f3 ) * ((uint128_t) g0);
+ r3 += ((uint128_t) f4_19) * ((uint128_t) g4);
+
+ r4 = ((uint128_t) f0 ) * ((uint128_t) g4);
+ r4 += ((uint128_t) f1 ) * ((uint128_t) g3);
+ r4 += ((uint128_t) f2 ) * ((uint128_t) g2);
+ r4 += ((uint128_t) f3 ) * ((uint128_t) g1);
+ r4 += ((uint128_t) f4 ) * ((uint128_t) g0);
+
+ r00 = ((uint64_t) r0) & mask;
+ carry = r0 >> 51;
+ r1 += carry;
+ r01 = ((uint64_t) r1) & mask;
+ carry = r1 >> 51;
+ r2 += carry;
+ r02 = ((uint64_t) r2) & mask;
+ carry = r2 >> 51;
+ r3 += carry;
+ r03 = ((uint64_t) r3) & mask;
+ carry = r3 >> 51;
+ r4 += carry;
+ r04 = ((uint64_t) r4) & mask;
+ carry = r4 >> 51;
+ r00 += 19ULL * (uint64_t) carry;
+ carry = r00 >> 51;
+ r00 &= mask;
+ r01 += (uint64_t) carry;
+ carry = r01 >> 51;
+ r01 &= mask;
+ r02 += (uint64_t) carry;
+
+ h[0] = r00;
+ h[1] = r01;
+ h[2] = r02;
+ h[3] = r03;
+ h[4] = r04;
+}
+
+/*
+ h = f * f
+ Can overlap h with f.
+ */
+
+static void
+fe25519_sq(fe25519 h, const fe25519 f)
+{
+ const uint64_t mask = 0x7ffffffffffffULL;
+ uint128_t r0, r1, r2, r3, r4, carry;
+ uint64_t f0, f1, f2, f3, f4;
+ uint64_t f0_2, f1_2, f1_38, f2_38, f3_38, f3_19, f4_19;
+ uint64_t r00, r01, r02, r03, r04;
+
+ f0 = f[0];
+ f1 = f[1];
+ f2 = f[2];
+ f3 = f[3];
+ f4 = f[4];
+
+ f0_2 = f0 << 1;
+ f1_2 = f1 << 1;
+
+ f1_38 = 38ULL * f1;
+ f2_38 = 38ULL * f2;
+ f3_38 = 38ULL * f3;
+
+ f3_19 = 19ULL * f3;
+ f4_19 = 19ULL * f4;
+
+ r0 = ((uint128_t) f0 ) * ((uint128_t) f0);
+ r0 += ((uint128_t) f1_38) * ((uint128_t) f4);
+ r0 += ((uint128_t) f2_38) * ((uint128_t) f3);
+
+ r1 = ((uint128_t) f0_2 ) * ((uint128_t) f1);
+ r1 += ((uint128_t) f2_38) * ((uint128_t) f4);
+ r1 += ((uint128_t) f3_19) * ((uint128_t) f3);
+
+ r2 = ((uint128_t) f0_2 ) * ((uint128_t) f2);
+ r2 += ((uint128_t) f1 ) * ((uint128_t) f1);
+ r2 += ((uint128_t) f3_38) * ((uint128_t) f4);
+
+ r3 = ((uint128_t) f0_2 ) * ((uint128_t) f3);
+ r3 += ((uint128_t) f1_2 ) * ((uint128_t) f2);
+ r3 += ((uint128_t) f4_19) * ((uint128_t) f4);
+
+ r4 = ((uint128_t) f0_2 ) * ((uint128_t) f4);
+ r4 += ((uint128_t) f1_2 ) * ((uint128_t) f3);
+ r4 += ((uint128_t) f2 ) * ((uint128_t) f2);
+
+ r00 = ((uint64_t) r0) & mask;
+ carry = r0 >> 51;
+ r1 += carry;
+ r01 = ((uint64_t) r1) & mask;
+ carry = r1 >> 51;
+ r2 += carry;
+ r02 = ((uint64_t) r2) & mask;
+ carry = r2 >> 51;
+ r3 += carry;
+ r03 = ((uint64_t) r3) & mask;
+ carry = r3 >> 51;
+ r4 += carry;
+ r04 = ((uint64_t) r4) & mask;
+ carry = r4 >> 51;
+ r00 += 19ULL * (uint64_t) carry;
+ carry = r00 >> 51;
+ r00 &= mask;
+ r01 += (uint64_t) carry;
+ carry = r01 >> 51;
+ r01 &= mask;
+ r02 += (uint64_t) carry;
+
+ h[0] = r00;
+ h[1] = r01;
+ h[2] = r02;
+ h[3] = r03;
+ h[4] = r04;
+}
+
+/*
+ h = 2 * f * f
+ Can overlap h with f.
+*/
+
+static void
+fe25519_sq2(fe25519 h, const fe25519 f)
+{
+ const uint64_t mask = 0x7ffffffffffffULL;
+ uint128_t r0, r1, r2, r3, r4, carry;
+ uint64_t f0, f1, f2, f3, f4;
+ uint64_t f0_2, f1_2, f1_38, f2_38, f3_38, f3_19, f4_19;
+ uint64_t r00, r01, r02, r03, r04;
+
+ f0 = f[0];
+ f1 = f[1];
+ f2 = f[2];
+ f3 = f[3];
+ f4 = f[4];
+
+ f0_2 = f0 << 1;
+ f1_2 = f1 << 1;
+
+ f1_38 = 38ULL * f1;
+ f2_38 = 38ULL * f2;
+ f3_38 = 38ULL * f3;
+
+ f3_19 = 19ULL * f3;
+ f4_19 = 19ULL * f4;
+
+ r0 = ((uint128_t) f0 ) * ((uint128_t) f0);
+ r0 += ((uint128_t) f1_38) * ((uint128_t) f4);
+ r0 += ((uint128_t) f2_38) * ((uint128_t) f3);
+
+ r1 = ((uint128_t) f0_2 ) * ((uint128_t) f1);
+ r1 += ((uint128_t) f2_38) * ((uint128_t) f4);
+ r1 += ((uint128_t) f3_19) * ((uint128_t) f3);
+
+ r2 = ((uint128_t) f0_2 ) * ((uint128_t) f2);
+ r2 += ((uint128_t) f1 ) * ((uint128_t) f1);
+ r2 += ((uint128_t) f3_38) * ((uint128_t) f4);
+
+ r3 = ((uint128_t) f0_2 ) * ((uint128_t) f3);
+ r3 += ((uint128_t) f1_2 ) * ((uint128_t) f2);
+ r3 += ((uint128_t) f4_19) * ((uint128_t) f4);
+
+ r4 = ((uint128_t) f0_2 ) * ((uint128_t) f4);
+ r4 += ((uint128_t) f1_2 ) * ((uint128_t) f3);
+ r4 += ((uint128_t) f2 ) * ((uint128_t) f2);
+
+ r0 <<= 1;
+ r1 <<= 1;
+ r2 <<= 1;
+ r3 <<= 1;
+ r4 <<= 1;
+
+ r00 = ((uint64_t) r0) & mask;
+ carry = r0 >> 51;
+ r1 += carry;
+ r01 = ((uint64_t) r1) & mask;
+ carry = r1 >> 51;
+ r2 += carry;
+ r02 = ((uint64_t) r2) & mask;
+ carry = r2 >> 51;
+ r3 += carry;
+ r03 = ((uint64_t) r3) & mask;
+ carry = r3 >> 51;
+ r4 += carry;
+ r04 = ((uint64_t) r4) & mask;
+ carry = r4 >> 51;
+ r00 += 19ULL * (uint64_t) carry;
+ carry = r00 >> 51;
+ r00 &= mask;
+ r01 += (uint64_t) carry;
+ carry = r01 >> 51;
+ r01 &= mask;
+ r02 += (uint64_t) carry;
+
+ h[0] = r00;
+ h[1] = r01;
+ h[2] = r02;
+ h[3] = r03;
+ h[4] = r04;
+}
+
+static void
+fe25519_scalar_product(fe25519 h, const fe25519 f, uint32_t n)
+{
+ const uint64_t mask = 0x7ffffffffffffULL;
+ uint128_t a;
+ uint128_t sn = (uint128_t) n;
+ uint64_t h0, h1, h2, h3, h4;
+
+ a = f[0] * sn;
+ h0 = ((uint64_t) a) & mask;
+ a = f[1] * sn + ((uint64_t) (a >> 51));
+ h1 = ((uint64_t) a) & mask;
+ a = f[2] * sn + ((uint64_t) (a >> 51));
+ h2 = ((uint64_t) a) & mask;
+ a = f[3] * sn + ((uint64_t) (a >> 51));
+ h3 = ((uint64_t) a) & mask;
+ a = f[4] * sn + ((uint64_t) (a >> 51));
+ h4 = ((uint64_t) a) & mask;
+
+ h0 += (a >> 51) * 19ULL;
+
+ h[0] = h0;
+ h[1] = h1;
+ h[2] = h2;
+ h[3] = h3;
+ h[4] = h4;
+}
diff --git a/depends/libsodium/include/sodium/private/implementations.h b/depends/libsodium/include/sodium/private/implementations.h
new file mode 100644
index 000000000..613bf7809
--- /dev/null
+++ b/depends/libsodium/include/sodium/private/implementations.h
@@ -0,0 +1,13 @@
+#ifndef implementations_H
+#define implementations_H
+
+#include "private/quirks.h"
+
+int _crypto_generichash_blake2b_pick_best_implementation(void);
+int _crypto_onetimeauth_poly1305_pick_best_implementation(void);
+int _crypto_pwhash_argon2_pick_best_implementation(void);
+int _crypto_scalarmult_curve25519_pick_best_implementation(void);
+int _crypto_stream_chacha20_pick_best_implementation(void);
+int _crypto_stream_salsa20_pick_best_implementation(void);
+
+#endif
diff --git a/depends/libsodium/include/sodium/private/mutex.h b/depends/libsodium/include/sodium/private/mutex.h
new file mode 100644
index 000000000..cd2346c7a
--- /dev/null
+++ b/depends/libsodium/include/sodium/private/mutex.h
@@ -0,0 +1,9 @@
+#ifndef mutex_H
+#define mutex_H 1
+
+#include "private/quirks.h"
+
+extern int sodium_crit_enter(void);
+extern int sodium_crit_leave(void);
+
+#endif
diff --git a/depends/libsodium/include/sodium/private/quirks.h b/depends/libsodium/include/sodium/private/quirks.h
new file mode 100644
index 000000000..858548daa
--- /dev/null
+++ b/depends/libsodium/include/sodium/private/quirks.h
@@ -0,0 +1,81 @@ +/* This is an automatically generated file */ + +#ifndef quirks_H +#ifndef NO_QUIRKS + +#define argon2_ctx _sodium_argon2_ctx +#define argon2_decode_string _sodium_argon2_decode_string +#define argon2_encode_string _sodium_argon2_encode_string +#define argon2_fill_memory_blocks _sodium_argon2_fill_memory_blocks +#define argon2_fill_segment_avx2 _sodium_argon2_fill_segment_avx2 +#define argon2_fill_segment_avx512f _sodium_argon2_fill_segment_avx512f +#define argon2_fill_segment_ref _sodium_argon2_fill_segment_ref +#define argon2_fill_segment_ssse3 _sodium_argon2_fill_segment_ssse3 +#define argon2_finalize _sodium_argon2_finalize +#define argon2_hash _sodium_argon2_hash +#define argon2_initialize _sodium_argon2_initialize +#define argon2_validate_inputs _sodium_argon2_validate_inputs +#define argon2_verify _sodium_argon2_verify +#define argon2i_hash_encoded _sodium_argon2i_hash_encoded +#define argon2i_hash_raw _sodium_argon2i_hash_raw +#define argon2i_verify _sodium_argon2i_verify +#define argon2id_hash_encoded _sodium_argon2id_hash_encoded +#define argon2id_hash_raw _sodium_argon2id_hash_raw +#define argon2id_verify _sodium_argon2id_verify +#define blake2b _sodium_blake2b +#define blake2b_compress_avx2 _sodium_blake2b_compress_avx2 +#define blake2b_compress_ref _sodium_blake2b_compress_ref +#define blake2b_compress_sse41 _sodium_blake2b_compress_sse41 +#define blake2b_compress_ssse3 _sodium_blake2b_compress_ssse3 +#define blake2b_final _sodium_blake2b_final +#define blake2b_init _sodium_blake2b_init +#define blake2b_init_key _sodium_blake2b_init_key +#define blake2b_init_key_salt_personal _sodium_blake2b_init_key_salt_personal +#define blake2b_init_param _sodium_blake2b_init_param +#define blake2b_init_salt_personal _sodium_blake2b_init_salt_personal +#define blake2b_long _sodium_blake2b_long +#define blake2b_pick_best_implementation _sodium_blake2b_pick_best_implementation +#define blake2b_salt_personal _sodium_blake2b_salt_personal +#define 
blake2b_update _sodium_blake2b_update +#define escrypt_PBKDF2_SHA256 _sodium_escrypt_PBKDF2_SHA256 +#define escrypt_alloc_region _sodium_escrypt_alloc_region +#define escrypt_free_local _sodium_escrypt_free_local +#define escrypt_free_region _sodium_escrypt_free_region +#define escrypt_gensalt_r _sodium_escrypt_gensalt_r +#define escrypt_init_local _sodium_escrypt_init_local +#define escrypt_kdf_nosse _sodium_escrypt_kdf_nosse +#define escrypt_kdf_sse _sodium_escrypt_kdf_sse +#define escrypt_parse_setting _sodium_escrypt_parse_setting +#define escrypt_r _sodium_escrypt_r +#define fe25519_frombytes _sodium_fe25519_frombytes +#define fe25519_invert _sodium_fe25519_invert +#define fe25519_tobytes _sodium_fe25519_tobytes +#define ge25519_add _sodium_ge25519_add +#define ge25519_double_scalarmult_vartime _sodium_ge25519_double_scalarmult_vartime +#define ge25519_from_hash _sodium_ge25519_from_hash +#define ge25519_from_uniform _sodium_ge25519_from_uniform +#define ge25519_frombytes _sodium_ge25519_frombytes +#define ge25519_frombytes_negate_vartime _sodium_ge25519_frombytes_negate_vartime +#define ge25519_has_small_order _sodium_ge25519_has_small_order +#define ge25519_is_canonical _sodium_ge25519_is_canonical +#define ge25519_is_on_curve _sodium_ge25519_is_on_curve +#define ge25519_is_on_main_subgroup _sodium_ge25519_is_on_main_subgroup +#define ge25519_p1p1_to_p2 _sodium_ge25519_p1p1_to_p2 +#define ge25519_p1p1_to_p3 _sodium_ge25519_p1p1_to_p3 +#define ge25519_p3_to_cached _sodium_ge25519_p3_to_cached +#define ge25519_p3_tobytes _sodium_ge25519_p3_tobytes +#define ge25519_scalarmult _sodium_ge25519_scalarmult +#define ge25519_scalarmult_base _sodium_ge25519_scalarmult_base +#define ge25519_sub _sodium_ge25519_sub +#define ge25519_tobytes _sodium_ge25519_tobytes +#define ristretto255_from_hash _sodium_ristretto255_from_hash +#define ristretto255_frombytes _sodium_ristretto255_frombytes +#define ristretto255_p3_tobytes _sodium_ristretto255_p3_tobytes +#define 
sc25519_invert _sodium_sc25519_invert +#define sc25519_is_canonical _sodium_sc25519_is_canonical +#define sc25519_mul _sodium_sc25519_mul +#define sc25519_muladd _sodium_sc25519_muladd +#define sc25519_reduce _sodium_sc25519_reduce + +#endif +#endif
diff --git a/depends/libsodium/include/sodium/private/sse2_64_32.h b/depends/libsodium/include/sodium/private/sse2_64_32.h
new file mode 100644
index 000000000..fc994bd1a
--- /dev/null
+++ b/depends/libsodium/include/sodium/private/sse2_64_32.h
@@ -0,0 +1,50 @@
+#ifndef sse2_64_32_H
+#define sse2_64_32_H 1
+
+#include "private/common.h"
+
+#ifdef HAVE_INTRIN_H
+# include
+#endif
+
+#if defined(HAVE_EMMINTRIN_H) && \
+ !(defined(__amd64) || defined(__amd64__) || defined(__x86_64__) || \
+ defined(_M_X64) || defined(_M_AMD64))
+
+# include
+# include
+
+# ifndef _mm_set_epi64x
+# define _mm_set_epi64x(Q0, Q1) sodium__mm_set_epi64x((Q0), (Q1))
+static inline __m128i
+sodium__mm_set_epi64x(int64_t q1, int64_t q0)
+{
+ union { int64_t as64; int32_t as32[2]; } x0, x1;
+ x0.as64 = q0; x1.as64 = q1;
+ return _mm_set_epi32(x1.as32[1], x1.as32[0], x0.as32[1], x0.as32[0]);
+}
+# endif
+
+# ifndef _mm_set1_epi64x
+# define _mm_set1_epi64x(Q) sodium__mm_set1_epi64x(Q)
+static inline __m128i
+sodium__mm_set1_epi64x(int64_t q)
+{
+ return _mm_set_epi64x(q, q);
+}
+# endif
+
+# ifndef _mm_cvtsi64_si128
+# define _mm_cvtsi64_si128(Q) sodium__mm_cvtsi64_si128(Q)
+static inline __m128i
+sodium__mm_cvtsi64_si128(int64_t q)
+{
+ union { int64_t as64; int32_t as32[2]; } x;
+ x.as64 = q;
+ return _mm_setr_epi32(x.as32[0], x.as32[1], 0, 0);
+}
+# endif
+
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/randombytes.h b/depends/libsodium/include/sodium/randombytes.h
new file mode 100644
index 000000000..a03cc6572
--- /dev/null
+++ b/depends/libsodium/include/sodium/randombytes.h
@@ -0,0 +1,72 @@
+
+#ifndef randombytes_H
+#define randombytes_H
+
+#include
+#include
+
+#include
+
+#include "export.h"
+
+#ifdef __cplusplus
+# ifdef __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+typedef struct randombytes_implementation {
+ const char *(*implementation_name)(void); /* required */
+ uint32_t (*random)(void); /* required */
+ void (*stir)(void); /* optional */
+ uint32_t (*uniform)(const uint32_t upper_bound); /* optional, a default implementation will be used if NULL */
+ void (*buf)(void * const buf, const size_t size); /* required */
+ int (*close)(void); /* optional */
+} randombytes_implementation;
+
+#define randombytes_BYTES_MAX SODIUM_MIN(SODIUM_SIZE_MAX, 0xffffffffUL)
+
+#define randombytes_SEEDBYTES 32U
+SODIUM_EXPORT
+size_t randombytes_seedbytes(void);
+
+SODIUM_EXPORT
+void randombytes_buf(void * const buf, const size_t size)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+void randombytes_buf_deterministic(void * const buf, const size_t size,
+ const unsigned char seed[randombytes_SEEDBYTES])
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+uint32_t randombytes_random(void);
+
+SODIUM_EXPORT
+uint32_t randombytes_uniform(const uint32_t upper_bound);
+
+SODIUM_EXPORT
+void randombytes_stir(void);
+
+SODIUM_EXPORT
+int randombytes_close(void);
+
+SODIUM_EXPORT
+int randombytes_set_implementation(randombytes_implementation *impl)
+ __attribute__ ((nonnull));
+
+SODIUM_EXPORT
+const char *randombytes_implementation_name(void);
+
+/* -- NaCl compatibility interface -- */
+
+SODIUM_EXPORT
+void randombytes(unsigned char * const buf, const unsigned long long buf_len)
+ __attribute__ ((nonnull));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/randombytes_internal_random.h b/depends/libsodium/include/sodium/randombytes_internal_random.h
new file mode 100644
index 000000000..2b2b7d6ed
--- /dev/null
+++ b/depends/libsodium/include/sodium/randombytes_internal_random.h
@@ -0,0 +1,22 @@
+
+#ifndef randombytes_internal_random_H
+#define randombytes_internal_random_H
+
+#include "export.h"
+#include "randombytes.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+SODIUM_EXPORT
+extern struct randombytes_implementation randombytes_internal_implementation;
+
+/* Backwards compatibility with libsodium < 1.0.18 */
+#define randombytes_salsa20_implementation randombytes_internal_implementation
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/randombytes_sysrandom.h b/depends/libsodium/include/sodium/randombytes_sysrandom.h
new file mode 100644
index 000000000..9e27b674c
--- /dev/null
+++ b/depends/libsodium/include/sodium/randombytes_sysrandom.h
@@ -0,0 +1,19 @@
+
+#ifndef randombytes_sysrandom_H
+#define randombytes_sysrandom_H
+
+#include "export.h"
+#include "randombytes.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+SODIUM_EXPORT
+extern struct randombytes_implementation randombytes_sysrandom_implementation;
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/depends/libsodium/include/sodium/runtime.h b/depends/libsodium/include/sodium/runtime.h
new file mode 100644
index 000000000..7f15d58e7
--- /dev/null
+++ b/depends/libsodium/include/sodium/runtime.h
@@ -0,0 +1,52 @@ + +#ifndef sodium_runtime_H +#define sodium_runtime_H + +#include "export.h" + +#ifdef __cplusplus +extern "C" { +#endif + +SODIUM_EXPORT_WEAK +int sodium_runtime_has_neon(void); + +SODIUM_EXPORT_WEAK +int sodium_runtime_has_sse2(void); + +SODIUM_EXPORT_WEAK +int sodium_runtime_has_sse3(void); + +SODIUM_EXPORT_WEAK +int sodium_runtime_has_ssse3(void); + +SODIUM_EXPORT_WEAK +int sodium_runtime_has_sse41(void); + +SODIUM_EXPORT_WEAK +int sodium_runtime_has_avx(void); + +SODIUM_EXPORT_WEAK +int sodium_runtime_has_avx2(void); + +SODIUM_EXPORT_WEAK +int sodium_runtime_has_avx512f(void); + +SODIUM_EXPORT_WEAK +int sodium_runtime_has_pclmul(void); + +SODIUM_EXPORT_WEAK +int sodium_runtime_has_aesni(void); + +SODIUM_EXPORT_WEAK +int sodium_runtime_has_rdrand(void); + +/* ------------------------------------------------------------------------- */ + +int _sodium_runtime_get_cpu_features(void); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/depends/libsodium/include/sodium/utils.h b/depends/libsodium/include/sodium/utils.h new file mode 100644 index 000000000..14a008942 --- /dev/null +++ b/depends/libsodium/include/sodium/utils.h 
@@ -0,0 +1,185 @@ + +#ifndef sodium_utils_H +#define sodium_utils_H + +#include + +#include "export.h" + +#ifdef __cplusplus +extern "C" { +#endif + +#ifndef SODIUM_C99 +# if defined(__cplusplus) || !defined(__STDC_VERSION__) || __STDC_VERSION__ < 199901L +# define SODIUM_C99(X) +# else +# define SODIUM_C99(X) X +# endif +#endif + +SODIUM_EXPORT +void sodium_memzero(void * const pnt, const size_t len); + +SODIUM_EXPORT +void sodium_stackzero(const size_t len); + +/* + * WARNING: sodium_memcmp() must be used to verify if two secret keys + * are equal, in constant time. + * It returns 0 if the keys are equal, and -1 if they differ. + * This function is not designed for lexicographical comparisons. + */ +SODIUM_EXPORT +int sodium_memcmp(const void * const b1_, const void * const b2_, size_t len) + __attribute__ ((warn_unused_result)); + +/* + * sodium_compare() returns -1 if b1_ < b2_, 1 if b1_ > b2_ and 0 if b1_ == b2_ + * It is suitable for lexicographical comparisons, or to compare nonces + * and counters stored in little-endian format. + * However, it is slower than sodium_memcmp(). 
+ */ +SODIUM_EXPORT +int sodium_compare(const unsigned char *b1_, const unsigned char *b2_, + size_t len) __attribute__ ((warn_unused_result)); + +SODIUM_EXPORT +int sodium_is_zero(const unsigned char *n, const size_t nlen); + +SODIUM_EXPORT +void sodium_increment(unsigned char *n, const size_t nlen); + +SODIUM_EXPORT +void sodium_add(unsigned char *a, const unsigned char *b, const size_t len); + +SODIUM_EXPORT +void sodium_sub(unsigned char *a, const unsigned char *b, const size_t len); + +SODIUM_EXPORT +char *sodium_bin2hex(char * const hex, const size_t hex_maxlen, + const unsigned char * const bin, const size_t bin_len) + __attribute__ ((nonnull(1))); + +SODIUM_EXPORT +int sodium_hex2bin(unsigned char * const bin, const size_t bin_maxlen, + const char * const hex, const size_t hex_len, + const char * const ignore, size_t * const bin_len, + const char ** const hex_end) + __attribute__ ((nonnull(1))); + +#define sodium_base64_VARIANT_ORIGINAL 1 +#define sodium_base64_VARIANT_ORIGINAL_NO_PADDING 3 +#define sodium_base64_VARIANT_URLSAFE 5 +#define sodium_base64_VARIANT_URLSAFE_NO_PADDING 7 + +/* + * Computes the required length to encode BIN_LEN bytes as a base64 string + * using the given variant. The computed length includes a trailing \0. 
+ */ +#define sodium_base64_ENCODED_LEN(BIN_LEN, VARIANT) \ + (((BIN_LEN) / 3U) * 4U + \ + ((((BIN_LEN) - ((BIN_LEN) / 3U) * 3U) | (((BIN_LEN) - ((BIN_LEN) / 3U) * 3U) >> 1)) & 1U) * \ + (4U - (~((((VARIANT) & 2U) >> 1) - 1U) & (3U - ((BIN_LEN) - ((BIN_LEN) / 3U) * 3U)))) + 1U) + +SODIUM_EXPORT +size_t sodium_base64_encoded_len(const size_t bin_len, const int variant); + +SODIUM_EXPORT +char *sodium_bin2base64(char * const b64, const size_t b64_maxlen, + const unsigned char * const bin, const size_t bin_len, + const int variant) __attribute__ ((nonnull(1))); + +SODIUM_EXPORT +int sodium_base642bin(unsigned char * const bin, const size_t bin_maxlen, + const char * const b64, const size_t b64_len, + const char * const ignore, size_t * const bin_len, + const char ** const b64_end, const int variant) + __attribute__ ((nonnull(1))); + +SODIUM_EXPORT +int sodium_mlock(void * const addr, const size_t len) + __attribute__ ((nonnull)); + +SODIUM_EXPORT +int sodium_munlock(void * const addr, const size_t len) + __attribute__ ((nonnull)); + +/* WARNING: sodium_malloc() and sodium_allocarray() are not general-purpose + * allocation functions. + * + * They return a pointer to a region filled with 0xd0 bytes, immediately + * followed by a guard page. + * As a result, accessing a single byte after the requested allocation size + * will intentionally trigger a segmentation fault. + * + * A canary and an additional guard page placed before the beginning of the + * region may also kill the process if a buffer underflow is detected. 
+ * + * The memory layout is: + * [unprotected region size (read only)][guard page (no access)][unprotected pages (read/write)][guard page (no access)] + * With the layout of the unprotected pages being: + * [optional padding][16-bytes canary][user region] + * + * However: + * - These functions are significantly slower than standard functions + * - Each allocation requires 3 or 4 additional pages + * - The returned address will not be aligned if the allocation size is not + * a multiple of the required alignment. For this reason, these functions + * are designed to store data, such as secret keys and messages. + * + * sodium_malloc() can be used to allocate any libsodium data structure. + * + * The crypto_generichash_state structure is packed and its length is + * either 357 or 361 bytes. For this reason, when using sodium_malloc() to + * allocate a crypto_generichash_state structure, padding must be added in + * order to ensure proper alignment. crypto_generichash_statebytes() + * returns the rounded up structure size, and should be prefered to sizeof(): + * state = sodium_malloc(crypto_generichash_statebytes()); + */ + +SODIUM_EXPORT +void *sodium_malloc(const size_t size) + __attribute__ ((malloc)); + +SODIUM_EXPORT +void *sodium_allocarray(size_t count, size_t size) + __attribute__ ((malloc)); + +SODIUM_EXPORT +void sodium_free(void *ptr); + +SODIUM_EXPORT +int sodium_mprotect_noaccess(void *ptr) __attribute__ ((nonnull)); + +SODIUM_EXPORT +int sodium_mprotect_readonly(void *ptr) __attribute__ ((nonnull)); + +SODIUM_EXPORT +int sodium_mprotect_readwrite(void *ptr) __attribute__ ((nonnull)); + +SODIUM_EXPORT +int sodium_mshield(void *ptr) __attribute__ ((nonnull)); + +SODIUM_EXPORT +int sodium_munshield(void *ptr) __attribute__ ((nonnull)); + +SODIUM_EXPORT +int sodium_pad(size_t *padded_buflen_p, unsigned char *buf, + size_t unpadded_buflen, size_t blocksize, size_t max_buflen) + __attribute__ ((nonnull(2))); + +SODIUM_EXPORT +int sodium_unpad(size_t 
*unpadded_buflen_p, const unsigned char *buf, + size_t padded_buflen, size_t blocksize) + __attribute__ ((nonnull(2))); + +/* -------- */ + +int _sodium_alloc_init(void); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/depends/libsodium/randombytes/randombytes.c b/depends/libsodium/randombytes/randombytes.c new file mode 100644 index 000000000..8ac085fc1 --- /dev/null +++ b/depends/libsodium/randombytes/randombytes.c 
@@ -0,0 +1,199 @@ + +#include +#include +#include +#include + +#include + +#ifdef __EMSCRIPTEN__ +# include +#endif + +#include "core.h" +#include "crypto_stream_chacha20.h" +#include "randombytes.h" +#ifndef RANDOMBYTES_CUSTOM_IMPLEMENTATION +# ifdef RANDOMBYTES_DEFAULT_IMPLEMENTATION +# include "randombytes_internal.h" +# endif +# include "randombytes_sysrandom.h" +#endif +#include "private/common.h" + +/* C++Builder defines a "random" macro */ +#undef random + +static const randombytes_implementation *implementation; + +#ifndef RANDOMBYTES_DEFAULT_IMPLEMENTATION +# ifdef __EMSCRIPTEN__ +# define RANDOMBYTES_DEFAULT_IMPLEMENTATION NULL +# else +# define RANDOMBYTES_DEFAULT_IMPLEMENTATION &randombytes_sysrandom_implementation; +# endif +#endif + +static void +randombytes_init_if_needed(void) +{ + if (implementation == NULL) { + implementation = RANDOMBYTES_DEFAULT_IMPLEMENTATION; + randombytes_stir(); + } +} + +int +randombytes_set_implementation(randombytes_implementation *impl) +{ + implementation = impl; + + return 0; +} + +const char * +randombytes_implementation_name(void) +{ +#ifndef __EMSCRIPTEN__ + randombytes_init_if_needed(); + return implementation->implementation_name(); +#else + return "js"; +#endif +} + +uint32_t +randombytes_random(void) +{ +#ifndef __EMSCRIPTEN__ + randombytes_init_if_needed(); + return implementation->random(); +#else + return EM_ASM_INT_V({ + return Module.getRandomValue(); + }); +#endif +} + +void +randombytes_stir(void) +{ +#ifndef __EMSCRIPTEN__ + randombytes_init_if_needed(); + if (implementation->stir != NULL) { + implementation->stir(); + } +#else + EM_ASM({ + if (Module.getRandomValue === undefined) { + try { + var window_ = 'object' === typeof window ? window : self; + var crypto_ = typeof window_.crypto !== 'undefined' ? 
window_.crypto : window_.msCrypto; + var randomValuesStandard = function() { + var buf = new Uint32Array(1); + crypto_.getRandomValues(buf); + return buf[0] >>> 0; + }; + randomValuesStandard(); + Module.getRandomValue = randomValuesStandard; + } catch (e) { + try { + var crypto = require('crypto'); + var randomValueNodeJS = function() { + var buf = crypto['randomBytes'](4); + return (buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3]) >>> 0; + }; + randomValueNodeJS(); + Module.getRandomValue = randomValueNodeJS; + } catch (e) { + throw 'No secure random number generator found'; + } + } + } + }); +#endif +} + +uint32_t +randombytes_uniform(const uint32_t upper_bound) +{ + uint32_t min; + uint32_t r; + +#ifndef __EMSCRIPTEN__ + randombytes_init_if_needed(); + if (implementation->uniform != NULL) { + return implementation->uniform(upper_bound); + } +#endif + if (upper_bound < 2) { + return 0; + } + min = (1U + ~upper_bound) % upper_bound; /* = 2**32 mod upper_bound */ + do { + r = randombytes_random(); + } while (r < min); + /* r is now clamped to a set whose size mod upper_bound == 0 + * the worst case (2**31+1) requires ~ 2 attempts */ + + return r % upper_bound; +} + +void +randombytes_buf(void * const buf, const size_t size) +{ +#ifndef __EMSCRIPTEN__ + randombytes_init_if_needed(); + if (size > (size_t) 0U) { + implementation->buf(buf, size); + } +#else + unsigned char *p = (unsigned char *) buf; + size_t i; + + for (i = (size_t) 0U; i < size; i++) { + p[i] = (unsigned char) randombytes_random(); + } +#endif +} + +void +randombytes_buf_deterministic(void * const buf, const size_t size, + const unsigned char seed[randombytes_SEEDBYTES]) +{ + static const unsigned char nonce[crypto_stream_chacha20_ietf_NONCEBYTES] = { + 'L', 'i', 'b', 's', 'o', 'd', 'i', 'u', 'm', 'D', 'R', 'G' + }; + + COMPILER_ASSERT(randombytes_SEEDBYTES == crypto_stream_chacha20_ietf_KEYBYTES); +#if SIZE_MAX > 0x4000000000ULL + COMPILER_ASSERT(randombytes_BYTES_MAX <= 0x4000000000ULL); + if 
(size > 0x4000000000ULL) { + sodium_misuse(); + } +#endif + crypto_stream_chacha20_ietf((unsigned char *) buf, (unsigned long long) size, + nonce, seed); +} + +size_t +randombytes_seedbytes(void) +{ + return randombytes_SEEDBYTES; +} + +int +randombytes_close(void) +{ + if (implementation != NULL && implementation->close != NULL) { + return implementation->close(); + } + return 0; +} + +void +randombytes(unsigned char * const buf, const unsigned long long buf_len) +{ + assert(buf_len <= SIZE_MAX); + randombytes_buf(buf, (size_t) buf_len); +} diff --git a/depends/libsodium/randombytes/sysrandom/randombytes_sysrandom.c b/depends/libsodium/randombytes/sysrandom/randombytes_sysrandom.c new file mode 100644 index 000000000..6657e8e65 --- /dev/null +++ b/depends/libsodium/randombytes/sysrandom/randombytes_sysrandom.c 
@@ -0,0 +1,396 @@ + +#include +#include +#include +#include +#include +#include +#ifndef _WIN32 +# include +#endif +#include + +#include +#ifndef _WIN32 +# include +# include +#endif +#ifdef __linux__ +# define _LINUX_SOURCE +#endif +#ifdef HAVE_SYS_RANDOM_H +# include +#endif +#ifdef __linux__ +# ifdef HAVE_GETRANDOM +# define HAVE_LINUX_COMPATIBLE_GETRANDOM +# else +# include +# if defined(SYS_getrandom) && defined(__NR_getrandom) +# define getrandom(B, S, F) syscall(SYS_getrandom, (B), (int) (S), (F)) +# define HAVE_LINUX_COMPATIBLE_GETRANDOM +# endif +# endif +#elif defined(__FreeBSD__) +# include +# if defined(__FreeBSD_version) && __FreeBSD_version >= 1200000 +# define HAVE_LINUX_COMPATIBLE_GETRANDOM +# endif +#endif +#if !defined(NO_BLOCKING_RANDOM_POLL) && defined(__linux__) +# define BLOCK_ON_DEV_RANDOM +#endif +#ifdef BLOCK_ON_DEV_RANDOM +# include +#endif + +#include "core.h" +#include "private/common.h" +#include "randombytes.h" +#include "randombytes_sysrandom.h" +#include "utils.h" + +#ifdef _WIN32 +/* `RtlGenRandom` is used over `CryptGenRandom` on Microsoft Windows based systems: + * - `CryptGenRandom` requires pulling in `CryptoAPI` which causes unnecessary + * memory overhead if this API is not being used for other purposes + * - `RtlGenRandom` is thus called directly instead. A detailed explanation + * can be found here: https://blogs.msdn.microsoft.com/michael_howard/2005/01/14/cryptographically-secure-random-number-on-windows-without-using-cryptoapi/ + * + * In spite of the disclaimer on the `RtlGenRandom` documentation page that was + * written back in the Windows XP days, this function is here to stay. The CRT + * function `rand_s()` directly depends on it, so touching it would break many + * applications released since Windows XP. 
+ * + * Also note that Rust, Firefox and BoringSSL (thus, Google Chrome and everything + * based on Chromium) also depend on it, and that libsodium allows the RNG to be + * replaced without patching nor recompiling the library. + */ +# include +# define RtlGenRandom SystemFunction036 +# if defined(__cplusplus) +extern "C" +# endif +BOOLEAN NTAPI RtlGenRandom(PVOID RandomBuffer, ULONG RandomBufferLength); +# pragma comment(lib, "advapi32.lib") +#endif + +#if defined(__OpenBSD__) || defined(__CloudABI__) || defined(__wasi__) +# define HAVE_SAFE_ARC4RANDOM 1 +#endif + +#ifndef SSIZE_MAX +# define SSIZE_MAX (SIZE_MAX / 2 - 1) +#endif + +#ifdef HAVE_SAFE_ARC4RANDOM + +static uint32_t +randombytes_sysrandom(void) +{ + return arc4random(); +} + +static void +randombytes_sysrandom_stir(void) +{ +} + +static void +randombytes_sysrandom_buf(void * const buf, const size_t size) +{ + arc4random_buf(buf, size); +} + +static int +randombytes_sysrandom_close(void) +{ + return 0; +} + +#else /* HAVE_SAFE_ARC4RANDOM */ + +typedef struct SysRandom_ { + int random_data_source_fd; + int initialized; + int getrandom_available; +} SysRandom; + +static SysRandom stream = { + SODIUM_C99(.random_data_source_fd =) -1, + SODIUM_C99(.initialized =) 0, + SODIUM_C99(.getrandom_available =) 0 +}; + +# ifndef _WIN32 +static ssize_t +safe_read(const int fd, void * const buf_, size_t size) +{ + unsigned char *buf = (unsigned char *) buf_; + ssize_t readnb; + + assert(size > (size_t) 0U); + assert(size <= SSIZE_MAX); + do { + while ((readnb = read(fd, buf, size)) < (ssize_t) 0 && + (errno == EINTR || errno == EAGAIN)); /* LCOV_EXCL_LINE */ + if (readnb < (ssize_t) 0) { + return readnb; /* LCOV_EXCL_LINE */ + } + if (readnb == (ssize_t) 0) { + break; /* LCOV_EXCL_LINE */ + } + size -= (size_t) readnb; + buf += readnb; + } while (size > (ssize_t) 0); + + return (ssize_t) (buf - (unsigned char *) buf_); +} + +# ifdef BLOCK_ON_DEV_RANDOM +static int +randombytes_block_on_dev_random(void) +{ + struct 
pollfd pfd; + int fd; + int pret; + + fd = open("/dev/random", O_RDONLY); + if (fd == -1) { + return 0; + } + pfd.fd = fd; + pfd.events = POLLIN; + pfd.revents = 0; + do { + pret = poll(&pfd, 1, -1); + } while (pret < 0 && (errno == EINTR || errno == EAGAIN)); + if (pret != 1) { + (void) close(fd); + errno = EIO; + return -1; + } + return close(fd); +} +# endif /* BLOCK_ON_DEV_RANDOM */ + +static int +randombytes_sysrandom_random_dev_open(void) +{ +/* LCOV_EXCL_START */ + struct stat st; + static const char *devices[] = { +# ifndef USE_BLOCKING_RANDOM + "/dev/urandom", +# endif + "/dev/random", NULL + }; + const char **device = devices; + int fd; + +# ifdef BLOCK_ON_DEV_RANDOM + if (randombytes_block_on_dev_random() != 0) { + return -1; + } +# endif + do { + fd = open(*device, O_RDONLY); + if (fd != -1) { + if (fstat(fd, &st) == 0 && +# ifdef __COMPCERT__ + 1 +# elif defined(S_ISNAM) + (S_ISNAM(st.st_mode) || S_ISCHR(st.st_mode)) +# else + S_ISCHR(st.st_mode) +# endif + ) { +# if defined(F_SETFD) && defined(FD_CLOEXEC) + (void) fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC); +# endif + return fd; + } + (void) close(fd); + } else if (errno == EINTR) { + continue; + } + device++; + } while (*device != NULL); + + errno = EIO; + return -1; +/* LCOV_EXCL_STOP */ +} + +# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM +static int +_randombytes_linux_getrandom(void * const buf, const size_t size) +{ + int readnb; + + assert(size <= 256U); + do { + readnb = getrandom(buf, size, 0); + } while (readnb < 0 && (errno == EINTR || errno == EAGAIN)); + + return (readnb == (int) size) - 1; +} + +static int +randombytes_linux_getrandom(void * const buf_, size_t size) +{ + unsigned char *buf = (unsigned char *) buf_; + size_t chunk_size = 256U; + + do { + if (size < chunk_size) { + chunk_size = size; + assert(chunk_size > (size_t) 0U); + } + if (_randombytes_linux_getrandom(buf, chunk_size) != 0) { + return -1; + } + size -= chunk_size; + buf += chunk_size; + } while (size > (size_t) 
0U); + + return 0; +} +# endif /* HAVE_LINUX_COMPATIBLE_GETRANDOM */ + +static void +randombytes_sysrandom_init(void) +{ + const int errno_save = errno; + +# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM + { + unsigned char fodder[16]; + + if (randombytes_linux_getrandom(fodder, sizeof fodder) == 0) { + stream.getrandom_available = 1; + errno = errno_save; + return; + } + stream.getrandom_available = 0; + } +# endif + + if ((stream.random_data_source_fd = + randombytes_sysrandom_random_dev_open()) == -1) { + sodium_misuse(); /* LCOV_EXCL_LINE */ + } + errno = errno_save; +} + +# else /* _WIN32 */ + +static void +randombytes_sysrandom_init(void) +{ +} +# endif /* _WIN32 */ + +static void +randombytes_sysrandom_stir(void) +{ + if (stream.initialized == 0) { + randombytes_sysrandom_init(); + stream.initialized = 1; + } +} + +static void +randombytes_sysrandom_stir_if_needed(void) +{ + if (stream.initialized == 0) { + randombytes_sysrandom_stir(); + } +} + +static int +randombytes_sysrandom_close(void) +{ + int ret = -1; + +# ifndef _WIN32 + if (stream.random_data_source_fd != -1 && + close(stream.random_data_source_fd) == 0) { + stream.random_data_source_fd = -1; + stream.initialized = 0; + ret = 0; + } +# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM + if (stream.getrandom_available != 0) { + ret = 0; + } +# endif +# else /* _WIN32 */ + if (stream.initialized != 0) { + stream.initialized = 0; + ret = 0; + } +# endif /* _WIN32 */ + return ret; +} + +static void +randombytes_sysrandom_buf(void * const buf, const size_t size) +{ + randombytes_sysrandom_stir_if_needed(); +# if defined(ULLONG_MAX) && defined(SIZE_MAX) +# if SIZE_MAX > ULLONG_MAX + /* coverity[result_independent_of_operands] */ + assert(size <= ULLONG_MAX); +# endif +# endif +# ifndef _WIN32 +# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM + if (stream.getrandom_available != 0) { + if (randombytes_linux_getrandom(buf, size) != 0) { + sodium_misuse(); /* LCOV_EXCL_LINE */ + } + return; + } +# endif + if 
(stream.random_data_source_fd == -1 || + safe_read(stream.random_data_source_fd, buf, size) != (ssize_t) size) { + sodium_misuse(); /* LCOV_EXCL_LINE */ + } +# else /* _WIN32 */ + COMPILER_ASSERT(randombytes_BYTES_MAX <= 0xffffffffUL); + if (size > (size_t) 0xffffffffUL) { + sodium_misuse(); /* LCOV_EXCL_LINE */ + } + if (! RtlGenRandom((PVOID) buf, (ULONG) size)) { + sodium_misuse(); /* LCOV_EXCL_LINE */ + } +# endif /* _WIN32 */ +} + +static uint32_t +randombytes_sysrandom(void) +{ + uint32_t r; + + randombytes_sysrandom_buf(&r, sizeof r); + + return r; +} + +#endif /* HAVE_SAFE_ARC4RANDOM */ + +static const char * +randombytes_sysrandom_implementation_name(void) +{ + return "sysrandom"; +} + +struct randombytes_implementation randombytes_sysrandom_implementation = { + SODIUM_C99(.implementation_name =) randombytes_sysrandom_implementation_name, + SODIUM_C99(.random =) randombytes_sysrandom, + SODIUM_C99(.stir =) randombytes_sysrandom_stir, + SODIUM_C99(.uniform =) NULL, + SODIUM_C99(.buf =) randombytes_sysrandom_buf, + SODIUM_C99(.close =) randombytes_sysrandom_close +}; diff --git a/depends/libsodium/sodium/core.c b/depends/libsodium/sodium/core.c new file mode 100644 index 000000000..3c8d1a5a0 --- /dev/null +++ b/depends/libsodium/sodium/core.c 
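Review bot: The entropy source this file selects is gated on configure-generated macros — `HAVE_SYS_RANDOM_H`, `HAVE_GETRANDOM` and `HAVE_SAFE_ARC4RANDOM` are normally defined by libsodium's autoconf build, so under a hand-written CMake target they are presumably unset and `randombytes_sysrandom_buf()` silently takes the `/dev/urandom` open path (with `BLOCK_ON_DEV_RANDOM` enabled unconditionally on Linux) instead of `getrandom()`. That path is still a sound source, but the choice should be made explicit in the build with compile definitions, or documented in this file with a comment such as `/* vendored build: HAVE_GETRANDOM / HAVE_SYS_RANDOM_H are not set; /dev/urandom fallback is used */`. The same silent downgrade applies to core.c, where without `HAVE_PTHREAD` or `HAVE_ATOMIC_OPS` the last `#else` branch turns `sodium_crit_enter()`/`sodium_crit_leave()` into no-ops so `sodium_init()` and `sodium_misuse()` lose their locking, and to utils.c, where `sodium_stackzero()` does nothing without `HAVE_C_VARARRAYS` or `HAVE_ALLOCA` and `sodium_memzero()` falls back to the volatile-loop variant. I cannot see depends/CMakeLists.txt in this chunk, so whether these macros are defined there is inferred, not verified.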
@@ -0,0 +1,214 @@ + +#include +#include +#include +#include +#ifdef _WIN32 +# include +#elif defined(HAVE_PTHREAD) +# include +#endif + +#include "core.h" +#include "crypto_generichash.h" +#include "crypto_onetimeauth.h" +#include "crypto_scalarmult.h" +#include "crypto_stream_chacha20.h" +#include "crypto_stream_salsa20.h" +#include "randombytes.h" +#include "runtime.h" +#include "utils.h" +#include "private/implementations.h" +#include "private/mutex.h" + +static volatile int initialized; +static volatile int locked; + +int +sodium_init(void) +{ + if (sodium_crit_enter() != 0) { + return -1; /* LCOV_EXCL_LINE */ + } + if (initialized != 0) { + if (sodium_crit_leave() != 0) { + return -1; /* LCOV_EXCL_LINE */ + } + return 1; + } + _sodium_runtime_get_cpu_features(); + randombytes_stir(); + _sodium_alloc_init(); + /* _crypto_pwhash_argon2_pick_best_implementation(); */ + /* _crypto_generichash_blake2b_pick_best_implementation(); */ + /* _crypto_onetimeauth_poly1305_pick_best_implementation(); */ + /* _crypto_scalarmult_curve25519_pick_best_implementation(); */ + /* _crypto_stream_chacha20_pick_best_implementation(); */ + /* _crypto_stream_salsa20_pick_best_implementation(); */ + initialized = 1; + if (sodium_crit_leave() != 0) { + return -1; /* LCOV_EXCL_LINE */ + } + return 0; +} + +#ifdef _WIN32 + +static CRITICAL_SECTION _sodium_lock; +static volatile LONG _sodium_lock_initialized; + +int +_sodium_crit_init(void) +{ + LONG status = 0L; + + while ((status = InterlockedCompareExchange(&_sodium_lock_initialized, + 1L, 0L)) == 1L) { + Sleep(0); + } + + switch (status) { + case 0L: + InitializeCriticalSection(&_sodium_lock); + return InterlockedExchange(&_sodium_lock_initialized, 2L) == 1L ? 
0 : -1; + case 2L: + return 0; + default: /* should never be reached */ + return -1; + } +} + +int +sodium_crit_enter(void) +{ + if (_sodium_crit_init() != 0) { + return -1; /* LCOV_EXCL_LINE */ + } + EnterCriticalSection(&_sodium_lock); + assert(locked == 0); + locked = 1; + + return 0; +} + +int +sodium_crit_leave(void) +{ + if (locked == 0) { +# ifdef EPERM + errno = EPERM; +# endif + return -1; + } + locked = 0; + LeaveCriticalSection(&_sodium_lock); + + return 0; +} + +#elif defined(HAVE_PTHREAD) && !defined(__EMSCRIPTEN__) + +static pthread_mutex_t _sodium_lock = PTHREAD_MUTEX_INITIALIZER; + +int +sodium_crit_enter(void) +{ + int ret; + + if ((ret = pthread_mutex_lock(&_sodium_lock)) == 0) { + assert(locked == 0); + locked = 1; + } + return ret; +} + +int +sodium_crit_leave(void) +{ + if (locked == 0) { +# ifdef EPERM + errno = EPERM; +# endif + return -1; + } + locked = 0; + + return pthread_mutex_unlock(&_sodium_lock); +} + +#elif defined(HAVE_ATOMIC_OPS) && !defined(__EMSCRIPTEN__) + +static volatile int _sodium_lock; + +int +sodium_crit_enter(void) +{ +# ifdef HAVE_NANOSLEEP + struct timespec q; + memset(&q, 0, sizeof q); +# endif + while (__sync_lock_test_and_set(&_sodium_lock, 1) != 0) { +# ifdef HAVE_NANOSLEEP + (void) nanosleep(&q, NULL); +# elif defined(__x86_64__) || defined(__i386__) + __asm__ __volatile__ ("pause"); +# endif + } + return 0; +} + +int +sodium_crit_leave(void) +{ + __sync_lock_release(&_sodium_lock); + + return 0; +} + +#else + +int +sodium_crit_enter(void) +{ + return 0; +} + +int +sodium_crit_leave(void) +{ + return 0; +} + +#endif + +static void (*_misuse_handler)(void); + +void +sodium_misuse(void) +{ + void (*handler)(void); + + (void) sodium_crit_leave(); + if (sodium_crit_enter() == 0) { + handler = _misuse_handler; + if (handler != NULL) { + handler(); + } + } +/* LCOV_EXCL_START */ + abort(); +} +/* LCOV_EXCL_STOP */ + +int +sodium_set_misuse_handler(void (*handler)(void)) +{ + if (sodium_crit_enter() != 0) { + return -1; 
/* LCOV_EXCL_LINE */ + } + _misuse_handler = handler; + if (sodium_crit_leave() != 0) { + return -1; /* LCOV_EXCL_LINE */ + } + return 0; +} diff --git a/depends/libsodium/sodium/runtime.c b/depends/libsodium/sodium/runtime.c new file mode 100644 index 000000000..9dfe54f84 --- /dev/null +++ b/depends/libsodium/sodium/runtime.c 
@@ -0,0 +1,309 @@ +#include +#include +#ifdef HAVE_ANDROID_GETCPUFEATURES +# include +#endif + +#include "private/common.h" +#include "runtime.h" + +typedef struct CPUFeatures_ { + int initialized; + int has_neon; + int has_sse2; + int has_sse3; + int has_ssse3; + int has_sse41; + int has_avx; + int has_avx2; + int has_avx512f; + int has_pclmul; + int has_aesni; + int has_rdrand; +} CPUFeatures; + +static CPUFeatures _cpu_features; + +#define CPUID_EBX_AVX2 0x00000020 +#define CPUID_EBX_AVX512F 0x00010000 + +#define CPUID_ECX_SSE3 0x00000001 +#define CPUID_ECX_PCLMUL 0x00000002 +#define CPUID_ECX_SSSE3 0x00000200 +#define CPUID_ECX_SSE41 0x00080000 +#define CPUID_ECX_AESNI 0x02000000 +#define CPUID_ECX_XSAVE 0x04000000 +#define CPUID_ECX_OSXSAVE 0x08000000 +#define CPUID_ECX_AVX 0x10000000 +#define CPUID_ECX_RDRAND 0x40000000 + +#define CPUID_EDX_SSE2 0x04000000 + +#define XCR0_SSE 0x00000002 +#define XCR0_AVX 0x00000004 +#define XCR0_OPMASK 0x00000020 +#define XCR0_ZMM_HI256 0x00000040 +#define XCR0_HI16_ZMM 0x00000080 + +static int +_sodium_runtime_arm_cpu_features(CPUFeatures * const cpu_features) +{ +#ifndef __arm__ + cpu_features->has_neon = 0; + return -1; +#else +# ifdef __APPLE__ +# ifdef __ARM_NEON__ + cpu_features->has_neon = 1; +# else + cpu_features->has_neon = 0; +# endif +# elif defined(HAVE_ANDROID_GETCPUFEATURES) && \ + defined(ANDROID_CPU_ARM_FEATURE_NEON) + cpu_features->has_neon = + (android_getCpuFeatures() & ANDROID_CPU_ARM_FEATURE_NEON) != 0x0; +# else + cpu_features->has_neon = 0; +# endif + return 0; +#endif +} + +static void +_cpuid(unsigned int cpu_info[4U], const unsigned int cpu_info_type) +{ +#if defined(_MSC_VER) && \ + (defined(_M_X64) || defined(_M_AMD64) || defined(_M_IX86)) + __cpuid((int *) cpu_info, cpu_info_type); +#elif defined(HAVE_CPUID) + cpu_info[0] = cpu_info[1] = cpu_info[2] = cpu_info[3] = 0; +# ifdef __i386__ + __asm__ __volatile__( + "pushfl; pushfl; " + "popl %0; " + "movl %0, %1; xorl %2, %0; " + "pushl %0; " + 
"popfl; pushfl; popl %0; popfl" + : "=&r"(cpu_info[0]), "=&r"(cpu_info[1]) + : "i"(0x200000)); + if (((cpu_info[0] ^ cpu_info[1]) & 0x200000) == 0x0) { + return; /* LCOV_EXCL_LINE */ + } +# endif +# ifdef __i386__ + __asm__ __volatile__("xchgl %%ebx, %k1; cpuid; xchgl %%ebx, %k1" + : "=a"(cpu_info[0]), "=&r"(cpu_info[1]), + "=c"(cpu_info[2]), "=d"(cpu_info[3]) + : "0"(cpu_info_type), "2"(0U)); +# elif defined(__x86_64__) + __asm__ __volatile__("xchgq %%rbx, %q1; cpuid; xchgq %%rbx, %q1" + : "=a"(cpu_info[0]), "=&r"(cpu_info[1]), + "=c"(cpu_info[2]), "=d"(cpu_info[3]) + : "0"(cpu_info_type), "2"(0U)); +# else + __asm__ __volatile__("cpuid" + : "=a"(cpu_info[0]), "=b"(cpu_info[1]), + "=c"(cpu_info[2]), "=d"(cpu_info[3]) + : "0"(cpu_info_type), "2"(0U)); +# endif +#else + (void) cpu_info_type; + cpu_info[0] = cpu_info[1] = cpu_info[2] = cpu_info[3] = 0; +#endif +} + +static int +_sodium_runtime_intel_cpu_features(CPUFeatures * const cpu_features) +{ + unsigned int cpu_info[4]; + unsigned int id; + uint32_t xcr0 = 0U; + + _cpuid(cpu_info, 0x0); + if ((id = cpu_info[0]) == 0U) { + return -1; /* LCOV_EXCL_LINE */ + } + _cpuid(cpu_info, 0x00000001); +#ifdef HAVE_EMMINTRIN_H + cpu_features->has_sse2 = ((cpu_info[3] & CPUID_EDX_SSE2) != 0x0); +#else + cpu_features->has_sse2 = 0; +#endif + +#ifdef HAVE_PMMINTRIN_H + cpu_features->has_sse3 = ((cpu_info[2] & CPUID_ECX_SSE3) != 0x0); +#else + cpu_features->has_sse3 = 0; +#endif + +#ifdef HAVE_TMMINTRIN_H + cpu_features->has_ssse3 = ((cpu_info[2] & CPUID_ECX_SSSE3) != 0x0); +#else + cpu_features->has_ssse3 = 0; +#endif + +#ifdef HAVE_SMMINTRIN_H + cpu_features->has_sse41 = ((cpu_info[2] & CPUID_ECX_SSE41) != 0x0); +#else + cpu_features->has_sse41 = 0; +#endif + + cpu_features->has_avx = 0; + + (void) xcr0; +#ifdef HAVE_AVXINTRIN_H + if ((cpu_info[2] & (CPUID_ECX_AVX | CPUID_ECX_XSAVE | CPUID_ECX_OSXSAVE)) == + (CPUID_ECX_AVX | CPUID_ECX_XSAVE | CPUID_ECX_OSXSAVE)) { + xcr0 = 0U; +# if defined(HAVE__XGETBV) || \ + 
(defined(_MSC_VER) && defined(_XCR_XFEATURE_ENABLED_MASK) && _MSC_FULL_VER >= 160040219) + xcr0 = (uint32_t) _xgetbv(0); +# elif defined(_MSC_VER) && defined(_M_IX86) + /* + * Visual Studio documentation states that eax/ecx/edx don't need to + * be preserved in inline assembly code. But that doesn't seem to + * always hold true on Visual Studio 2010. + */ + __asm { + push eax + push ecx + push edx + xor ecx, ecx + _asm _emit 0x0f _asm _emit 0x01 _asm _emit 0xd0 + mov xcr0, eax + pop edx + pop ecx + pop eax + } +# elif defined(HAVE_AVX_ASM) + __asm__ __volatile__(".byte 0x0f, 0x01, 0xd0" /* XGETBV */ + : "=a"(xcr0) + : "c"((uint32_t) 0U) + : "%edx"); +# endif + if ((xcr0 & (XCR0_SSE | XCR0_AVX)) == (XCR0_SSE | XCR0_AVX)) { + cpu_features->has_avx = 1; + } + } +#endif + + cpu_features->has_avx2 = 0; +#ifdef HAVE_AVX2INTRIN_H + if (cpu_features->has_avx) { + unsigned int cpu_info7[4]; + + _cpuid(cpu_info7, 0x00000007); + cpu_features->has_avx2 = ((cpu_info7[1] & CPUID_EBX_AVX2) != 0x0); + } +#endif + + cpu_features->has_avx512f = 0; +#ifdef HAVE_AVX512FINTRIN_H + if (cpu_features->has_avx2) { + unsigned int cpu_info7[4]; + + _cpuid(cpu_info7, 0x00000007); + /* LCOV_EXCL_START */ + if ((cpu_info7[1] & CPUID_EBX_AVX512F) == CPUID_EBX_AVX512F && + (xcr0 & (XCR0_OPMASK | XCR0_ZMM_HI256 | XCR0_HI16_ZMM)) + == (XCR0_OPMASK | XCR0_ZMM_HI256 | XCR0_HI16_ZMM)) { + cpu_features->has_avx512f = 1; + } + /* LCOV_EXCL_STOP */ + } +#endif + +#ifdef HAVE_WMMINTRIN_H + cpu_features->has_pclmul = ((cpu_info[2] & CPUID_ECX_PCLMUL) != 0x0); + cpu_features->has_aesni = ((cpu_info[2] & CPUID_ECX_AESNI) != 0x0); +#else + cpu_features->has_pclmul = 0; + cpu_features->has_aesni = 0; +#endif + +#ifdef HAVE_RDRAND + cpu_features->has_rdrand = ((cpu_info[2] & CPUID_ECX_RDRAND) != 0x0); +#else + cpu_features->has_rdrand = 0; +#endif + + return 0; +} + +int +_sodium_runtime_get_cpu_features(void) +{ + int ret = -1; + + ret &= _sodium_runtime_arm_cpu_features(&_cpu_features); + ret &= 
_sodium_runtime_intel_cpu_features(&_cpu_features); + _cpu_features.initialized = 1; + + return ret; +} + +int +sodium_runtime_has_neon(void) +{ + return _cpu_features.has_neon; +} + +int +sodium_runtime_has_sse2(void) +{ + return _cpu_features.has_sse2; +} + +int +sodium_runtime_has_sse3(void) +{ + return _cpu_features.has_sse3; +} + +int +sodium_runtime_has_ssse3(void) +{ + return _cpu_features.has_ssse3; +} + +int +sodium_runtime_has_sse41(void) +{ + return _cpu_features.has_sse41; +} + +int +sodium_runtime_has_avx(void) +{ + return _cpu_features.has_avx; +} + +int +sodium_runtime_has_avx2(void) +{ + return _cpu_features.has_avx2; +} + +int +sodium_runtime_has_avx512f(void) +{ + return _cpu_features.has_avx512f; +} + +int +sodium_runtime_has_pclmul(void) +{ + return _cpu_features.has_pclmul; +} + +int +sodium_runtime_has_aesni(void) +{ + return _cpu_features.has_aesni; +} + +int +sodium_runtime_has_rdrand(void) +{ + return _cpu_features.has_rdrand; +} diff --git a/depends/libsodium/sodium/utils.c b/depends/libsodium/sodium/utils.c new file mode 100644 index 000000000..92560939e --- /dev/null +++ b/depends/libsodium/sodium/utils.c 
@@ -0,0 +1,839 @@ +#ifndef __STDC_WANT_LIB_EXT1__ +# define __STDC_WANT_LIB_EXT1__ 1 +#endif +#include +#include +#include +#include +#include +#include +#include +#include + +#ifdef HAVE_SYS_MMAN_H +# include +#endif + +#ifdef _WIN32 +# include +# include +#else +# include +#endif + +#ifndef HAVE_C_VARARRAYS +# ifdef HAVE_ALLOCA_H +# include +# elif !defined(alloca) +# if defined(__clang__) || defined(__GNUC__) +# define alloca __builtin_alloca +# elif defined _AIX +# define alloca __alloca +# elif defined _MSC_VER +# include +# define alloca _alloca +# else +# include +# ifdef __cplusplus +extern "C" +# endif +void *alloca (size_t); +# endif +# endif +#endif + +#include "core.h" +#include "crypto_generichash.h" +#include "crypto_stream.h" +#include "randombytes.h" +#include "private/common.h" +#include "utils.h" + +#ifndef ENOSYS +# define ENOSYS ENXIO +#endif + +#if defined(_WIN32) && \ + (!defined(WINAPI_FAMILY) || WINAPI_FAMILY == WINAPI_FAMILY_DESKTOP_APP) +# define WINAPI_DESKTOP +#endif + +#define CANARY_SIZE 16U +#define GARBAGE_VALUE 0xdb + +#define SHIELDING_PREKEY_SIZE 16384U + +#ifndef MAP_NOCORE +# ifdef MAP_CONCEAL +# define MAP_NOCORE MAP_CONCEAL +# else +# define MAP_NOCORE 0 +# endif +#endif +#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS) +# define MAP_ANON MAP_ANONYMOUS +#endif +#if defined(WINAPI_DESKTOP) || (defined(MAP_ANON) && defined(HAVE_MMAP)) || \ + defined(HAVE_POSIX_MEMALIGN) +# define HAVE_ALIGNED_MALLOC +#endif +#if defined(HAVE_MPROTECT) && \ + !(defined(PROT_NONE) && defined(PROT_READ) && defined(PROT_WRITE)) +# undef HAVE_MPROTECT +#endif +#if defined(HAVE_ALIGNED_MALLOC) && \ + (defined(WINAPI_DESKTOP) || defined(HAVE_MPROTECT)) +# define HAVE_PAGE_PROTECTION +#endif +#if !defined(MADV_DODUMP) && defined(MADV_CORE) +# define MADV_DODUMP MADV_CORE +# define MADV_DONTDUMP MADV_NOCORE +#endif + +static size_t page_size; +static unsigned char canary[CANARY_SIZE]; +static unsigned char shielding_prekey[SHIELDING_PREKEY_SIZE]; + +/* 
LCOV_EXCL_START */ +#ifdef HAVE_WEAK_SYMBOLS +__attribute__((weak)) void +_sodium_dummy_symbol_to_prevent_memzero_lto(void *const pnt, + const size_t len); +__attribute__((weak)) void +_sodium_dummy_symbol_to_prevent_memzero_lto(void *const pnt, + const size_t len) +{ + (void) pnt; /* LCOV_EXCL_LINE */ + (void) len; /* LCOV_EXCL_LINE */ +} +#endif +/* LCOV_EXCL_STOP */ + +void +sodium_memzero(void * const pnt, const size_t len) +{ +#ifdef _WIN32 + SecureZeroMemory(pnt, len); +#elif defined(HAVE_MEMSET_S) + if (len > 0U && memset_s(pnt, (rsize_t) len, 0, (rsize_t) len) != 0) { + sodium_misuse(); /* LCOV_EXCL_LINE */ + } +#elif defined(HAVE_EXPLICIT_BZERO) + explicit_bzero(pnt, len); +#elif defined(HAVE_EXPLICIT_MEMSET) + explicit_memset(pnt, 0, len); +#elif HAVE_WEAK_SYMBOLS + if (len > 0U) { + memset(pnt, 0, len); + _sodium_dummy_symbol_to_prevent_memzero_lto(pnt, len); + } +# ifdef HAVE_INLINE_ASM + __asm__ __volatile__ ("" : : "r"(pnt) : "memory"); +# endif +#else + volatile unsigned char *volatile pnt_ = + (volatile unsigned char *volatile) pnt; + size_t i = (size_t) 0U; + + while (i < len) { + pnt_[i++] = 0U; + } +#endif +} + +void +sodium_stackzero(const size_t len) +{ +#ifdef HAVE_C_VARARRAYS + unsigned char fodder[len]; + sodium_memzero(fodder, len); +#elif HAVE_ALLOCA + sodium_memzero(alloca(len), len); +#endif +} + +#ifdef HAVE_WEAK_SYMBOLS +__attribute__((weak)) void +_sodium_dummy_symbol_to_prevent_memcmp_lto(const unsigned char *b1, + const unsigned char *b2, + const size_t len); +__attribute__((weak)) void +_sodium_dummy_symbol_to_prevent_memcmp_lto(const unsigned char *b1, + const unsigned char *b2, + const size_t len) +{ + (void) b1; + (void) b2; + (void) len; +} +#endif + +int +sodium_memcmp(const void *const b1_, const void *const b2_, size_t len) +{ +#ifdef HAVE_WEAK_SYMBOLS + const unsigned char *b1 = (const unsigned char *) b1_; + const unsigned char *b2 = (const unsigned char *) b2_; +#else + const volatile unsigned char *volatile b1 = + (const 
volatile unsigned char *volatile) b1_; + const volatile unsigned char *volatile b2 = + (const volatile unsigned char *volatile) b2_; +#endif + size_t i; + volatile unsigned char d = 0U; + +#if HAVE_WEAK_SYMBOLS + _sodium_dummy_symbol_to_prevent_memcmp_lto(b1, b2, len); +#endif + for (i = 0U; i < len; i++) { + d |= b1[i] ^ b2[i]; + } + return (1 & ((d - 1) >> 8)) - 1; +} + +#ifdef HAVE_WEAK_SYMBOLS +__attribute__((weak)) void +_sodium_dummy_symbol_to_prevent_compare_lto(const unsigned char *b1, + const unsigned char *b2, + const size_t len); +__attribute__((weak)) void +_sodium_dummy_symbol_to_prevent_compare_lto(const unsigned char *b1, + const unsigned char *b2, + const size_t len) +{ + (void) b1; + (void) b2; + (void) len; +} +#endif + +int +sodium_compare(const unsigned char *b1_, const unsigned char *b2_, size_t len) +{ +#ifdef HAVE_WEAK_SYMBOLS + const unsigned char *b1 = b1_; + const unsigned char *b2 = b2_; +#else + const volatile unsigned char *volatile b1 = + (const volatile unsigned char *volatile) b1_; + const volatile unsigned char *volatile b2 = + (const volatile unsigned char *volatile) b2_; +#endif + size_t i; + volatile unsigned char gt = 0U; + volatile unsigned char eq = 1U; + uint16_t x1, x2; + +#if HAVE_WEAK_SYMBOLS + _sodium_dummy_symbol_to_prevent_compare_lto(b1, b2, len); +#endif + i = len; + while (i != 0U) { + i--; + x1 = b1[i]; + x2 = b2[i]; + gt |= ((x2 - x1) >> 8) & eq; + eq &= ((x2 ^ x1) - 1) >> 8; + } + return (int) (gt + gt + eq) - 1; +} + +int +sodium_is_zero(const unsigned char *n, const size_t nlen) +{ + size_t i; + volatile unsigned char d = 0U; + + for (i = 0U; i < nlen; i++) { + d |= n[i]; + } + return 1 & ((d - 1) >> 8); +} + +void +sodium_increment(unsigned char *n, const size_t nlen) +{ + size_t i = 0U; + uint_fast16_t c = 1U; + +#ifdef HAVE_AMD64_ASM + uint64_t t64, t64_2; + uint32_t t32; + + if (nlen == 12U) { + __asm__ __volatile__( + "xorq %[t64], %[t64] \n" + "xorl %[t32], %[t32] \n" + "stc \n" + "adcq %[t64], (%[out]) 
\n" + "adcl %[t32], 8(%[out]) \n" + : [t64] "=&r"(t64), [t32] "=&r"(t32) + : [out] "D"(n) + : "memory", "flags", "cc"); + return; + } else if (nlen == 24U) { + __asm__ __volatile__( + "movq $1, %[t64] \n" + "xorq %[t64_2], %[t64_2] \n" + "addq %[t64], (%[out]) \n" + "adcq %[t64_2], 8(%[out]) \n" + "adcq %[t64_2], 16(%[out]) \n" + : [t64] "=&r"(t64), [t64_2] "=&r"(t64_2) + : [out] "D"(n) + : "memory", "flags", "cc"); + return; + } else if (nlen == 8U) { + __asm__ __volatile__("incq (%[out]) \n" + : + : [out] "D"(n) + : "memory", "flags", "cc"); + return; + } +#endif + for (; i < nlen; i++) { + c += (uint_fast16_t) n[i]; + n[i] = (unsigned char) c; + c >>= 8; + } +} + +void +sodium_add(unsigned char *a, const unsigned char *b, const size_t len) +{ + size_t i; + uint_fast16_t c = 0U; + +#ifdef HAVE_AMD64_ASM + uint64_t t64, t64_2, t64_3; + uint32_t t32; + + if (len == 12U) { + __asm__ __volatile__( + "movq (%[in]), %[t64] \n" + "movl 8(%[in]), %[t32] \n" + "addq %[t64], (%[out]) \n" + "adcl %[t32], 8(%[out]) \n" + : [t64] "=&r"(t64), [t32] "=&r"(t32) + : [in] "S"(b), [out] "D"(a) + : "memory", "flags", "cc"); + return; + } else if (len == 24U) { + __asm__ __volatile__( + "movq (%[in]), %[t64] \n" + "movq 8(%[in]), %[t64_2] \n" + "movq 16(%[in]), %[t64_3] \n" + "addq %[t64], (%[out]) \n" + "adcq %[t64_2], 8(%[out]) \n" + "adcq %[t64_3], 16(%[out]) \n" + : [t64] "=&r"(t64), [t64_2] "=&r"(t64_2), [t64_3] "=&r"(t64_3) + : [in] "S"(b), [out] "D"(a) + : "memory", "flags", "cc"); + return; + } else if (len == 8U) { + __asm__ __volatile__( + "movq (%[in]), %[t64] \n" + "addq %[t64], (%[out]) \n" + : [t64] "=&r"(t64) + : [in] "S"(b), [out] "D"(a) + : "memory", "flags", "cc"); + return; + } +#endif + for (i = 0U; i < len; i++) { + c += (uint_fast16_t) a[i] + (uint_fast16_t) b[i]; + a[i] = (unsigned char) c; + c >>= 8; + } +} + +void +sodium_sub(unsigned char *a, const unsigned char *b, const size_t len) +{ + uint_fast16_t c = 0U; + size_t i; + +#ifdef HAVE_AMD64_ASM + uint64_t 
t64_1, t64_2, t64_3, t64_4; + uint64_t t64_5, t64_6, t64_7, t64_8; + uint32_t t32; + + if (len == 64U) { + __asm__ __volatile__( + "movq (%[in]), %[t64_1] \n" + "movq 8(%[in]), %[t64_2] \n" + "movq 16(%[in]), %[t64_3] \n" + "movq 24(%[in]), %[t64_4] \n" + "movq 32(%[in]), %[t64_5] \n" + "movq 40(%[in]), %[t64_6] \n" + "movq 48(%[in]), %[t64_7] \n" + "movq 56(%[in]), %[t64_8] \n" + "subq %[t64_1], (%[out]) \n" + "sbbq %[t64_2], 8(%[out]) \n" + "sbbq %[t64_3], 16(%[out]) \n" + "sbbq %[t64_4], 24(%[out]) \n" + "sbbq %[t64_5], 32(%[out]) \n" + "sbbq %[t64_6], 40(%[out]) \n" + "sbbq %[t64_7], 48(%[out]) \n" + "sbbq %[t64_8], 56(%[out]) \n" + : [t64_1] "=&r"(t64_1), [t64_2] "=&r"(t64_2), [t64_3] "=&r"(t64_3), [t64_4] "=&r"(t64_4), + [t64_5] "=&r"(t64_5), [t64_6] "=&r"(t64_6), [t64_7] "=&r"(t64_7), [t64_8] "=&r"(t64_8) + : [in] "S"(b), [out] "D"(a) + : "memory", "flags", "cc"); + return; + } +#endif + for (i = 0U; i < len; i++) { + c = (uint_fast16_t) a[i] - (uint_fast16_t) b[i] - c; + a[i] = (unsigned char) c; + c = (c >> 8) & 1U; + } +} + +int +_sodium_alloc_init(void) +{ +#ifdef HAVE_ALIGNED_MALLOC +# if defined(_SC_PAGESIZE) + long page_size_ = sysconf(_SC_PAGESIZE); + if (page_size_ > 0L) { + page_size = (size_t) page_size_; + } +# elif defined(WINAPI_DESKTOP) + SYSTEM_INFO si; + GetSystemInfo(&si); + page_size = (size_t) si.dwPageSize; +# endif + if (page_size < CANARY_SIZE || page_size < sizeof(size_t)) { + sodium_misuse(); /* LCOV_EXCL_LINE */ + } +#endif + COMPILER_ASSERT(sizeof shielding_prekey >= randombytes_SEEDBYTES); + randombytes_buf(shielding_prekey, randombytes_SEEDBYTES); + randombytes_buf_deterministic(canary, sizeof canary, shielding_prekey); + shielding_prekey[0] ^= 0x01; + randombytes_buf_deterministic(shielding_prekey, sizeof shielding_prekey, shielding_prekey); + + return 0; +} + +int +sodium_mlock(void *const addr, const size_t len) +{ +#if defined(MADV_DONTDUMP) && defined(HAVE_MADVISE) + (void) madvise(addr, len, MADV_DONTDUMP); +#endif +#ifdef 
HAVE_MLOCK + return mlock(addr, len); +#elif defined(WINAPI_DESKTOP) + return -(VirtualLock(addr, len) == 0); +#else + errno = ENOSYS; + return -1; +#endif +} + +int +sodium_munlock(void *const addr, const size_t len) +{ + sodium_memzero(addr, len); +#if defined(MADV_DODUMP) && defined(HAVE_MADVISE) + (void) madvise(addr, len, MADV_DODUMP); +#endif +#ifdef HAVE_MLOCK + return munlock(addr, len); +#elif defined(WINAPI_DESKTOP) + return -(VirtualUnlock(addr, len) == 0); +#else + errno = ENOSYS; + return -1; +#endif +} + +static int +_mprotect_noaccess(void *ptr, size_t size) +{ +#ifdef HAVE_MPROTECT + return mprotect(ptr, size, PROT_NONE); +#elif defined(WINAPI_DESKTOP) + DWORD old; + return -(VirtualProtect(ptr, size, PAGE_NOACCESS, &old) == 0); +#else + errno = ENOSYS; + return -1; +#endif +} + +static int +_mprotect_readonly(void *ptr, size_t size) +{ +#ifdef HAVE_MPROTECT + return mprotect(ptr, size, PROT_READ); +#elif defined(WINAPI_DESKTOP) + DWORD old; + return -(VirtualProtect(ptr, size, PAGE_READONLY, &old) == 0); +#else + errno = ENOSYS; + return -1; +#endif +} + +static int +_mprotect_readwrite(void *ptr, size_t size) +{ +#ifdef HAVE_MPROTECT + return mprotect(ptr, size, PROT_READ | PROT_WRITE); +#elif defined(WINAPI_DESKTOP) + DWORD old; + return -(VirtualProtect(ptr, size, PAGE_READWRITE, &old) == 0); +#else + errno = ENOSYS; + return -1; +#endif +} + +#ifdef HAVE_ALIGNED_MALLOC + +__attribute__((noreturn)) static void +_out_of_bounds(void) +{ +# ifndef __wasm__ +# ifdef SIGSEGV + raise(SIGSEGV); +# elif defined(SIGKILL) + raise(SIGKILL); +# endif +# endif + abort(); /* not something we want any higher-level API to catch */ +} /* LCOV_EXCL_LINE */ + +static inline size_t +_page_round(const size_t size) +{ + const size_t page_mask = page_size - 1U; + + return (size + page_mask) & ~page_mask; +} + +static __attribute__((malloc)) unsigned char * +_alloc_aligned(const size_t size) +{ + void *ptr; + +# if defined(MAP_ANON) && defined(HAVE_MMAP) + if ((ptr = 
mmap(NULL, size, PROT_READ | PROT_WRITE, + MAP_ANON | MAP_PRIVATE | MAP_NOCORE, -1, 0)) == + MAP_FAILED) { + ptr = NULL; /* LCOV_EXCL_LINE */ + } /* LCOV_EXCL_LINE */ +# elif defined(HAVE_POSIX_MEMALIGN) + if (posix_memalign(&ptr, page_size, size) != 0) { + ptr = NULL; /* LCOV_EXCL_LINE */ + } /* LCOV_EXCL_LINE */ +# elif defined(WINAPI_DESKTOP) + ptr = VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE); +# else +# error Bug +# endif + return (unsigned char *) ptr; +} + +static void +_free_aligned(unsigned char *const ptr, const size_t size) +{ +# if defined(MAP_ANON) && defined(HAVE_MMAP) + (void) munmap(ptr, size); +# elif defined(HAVE_POSIX_MEMALIGN) + free(ptr); +# elif defined(WINAPI_DESKTOP) + VirtualFree(ptr, 0U, MEM_RELEASE); +# else +# error Bug +#endif +} + +static unsigned char * +_unprotected_ptr_from_user_ptr(void *const ptr) +{ + uintptr_t unprotected_ptr_u; + unsigned char *canary_ptr; + size_t page_mask; + + canary_ptr = ((unsigned char *) ptr) - sizeof canary; + page_mask = page_size - 1U; + unprotected_ptr_u = ((uintptr_t) canary_ptr & (uintptr_t) ~page_mask); + if (unprotected_ptr_u <= page_size * 2U) { + sodium_misuse(); /* LCOV_EXCL_LINE */ + } + return (unsigned char *) unprotected_ptr_u; +} + +#endif /* HAVE_ALIGNED_MALLOC */ + +#ifndef HAVE_ALIGNED_MALLOC +static __attribute__((malloc)) void * +_sodium_malloc(const size_t size) +{ + return malloc(size > (size_t) 0U ? 
size : (size_t) 1U); +} +#else +static __attribute__((malloc)) void * +_sodium_malloc(const size_t size) +{ + void *user_ptr; + unsigned char *base_ptr; + unsigned char *canary_ptr; + unsigned char *unprotected_ptr; + size_t size_with_canary; + size_t total_size; + size_t unprotected_size; + + if (size >= (size_t) SIZE_MAX - page_size * 4U) { + errno = ENOMEM; + return NULL; + } + if (page_size <= sizeof canary || page_size < sizeof unprotected_size) { + sodium_misuse(); /* LCOV_EXCL_LINE */ + } + size_with_canary = (sizeof canary) + size; + unprotected_size = _page_round(size_with_canary); + total_size = page_size + page_size + unprotected_size + page_size; + if ((base_ptr = _alloc_aligned(total_size)) == NULL) { + return NULL; /* LCOV_EXCL_LINE */ + } + unprotected_ptr = base_ptr + page_size * 2U; + _mprotect_noaccess(base_ptr + page_size, page_size); +# ifndef HAVE_PAGE_PROTECTION + memcpy(unprotected_ptr + unprotected_size, canary, sizeof canary); +# endif + _mprotect_noaccess(unprotected_ptr + unprotected_size, page_size); + sodium_mlock(unprotected_ptr, unprotected_size); + canary_ptr = + unprotected_ptr + _page_round(size_with_canary) - size_with_canary; + user_ptr = canary_ptr + sizeof canary; + memcpy(canary_ptr, canary, sizeof canary); + memcpy(base_ptr, &unprotected_size, sizeof unprotected_size); + _mprotect_readonly(base_ptr, page_size); + assert(_unprotected_ptr_from_user_ptr(user_ptr) == unprotected_ptr); + + return user_ptr; +} +#endif /* !HAVE_ALIGNED_MALLOC */ + +__attribute__((malloc)) void * +sodium_malloc(const size_t size) +{ + void *ptr; + + if ((ptr = _sodium_malloc(size)) == NULL) { + return NULL; + } + memset(ptr, (int) GARBAGE_VALUE, size); + + return ptr; +} + +__attribute__((malloc)) void * +sodium_allocarray(size_t count, size_t size) +{ + if (count > (size_t) 0U && size >= (size_t) SIZE_MAX / count) { + errno = ENOMEM; + return NULL; + } + return sodium_malloc(count * size); +} + +#ifndef HAVE_ALIGNED_MALLOC +void +sodium_free(void 
*ptr) +{ + free(ptr); +} +#else +void +sodium_free(void *ptr) +{ + unsigned char *base_ptr; + unsigned char *canary_ptr; + unsigned char *unprotected_ptr; + size_t total_size; + size_t unprotected_size; + + if (ptr == NULL) { + return; + } + canary_ptr = ((unsigned char *) ptr) - sizeof canary; + unprotected_ptr = _unprotected_ptr_from_user_ptr(ptr); + base_ptr = unprotected_ptr - page_size * 2U; + memcpy(&unprotected_size, base_ptr, sizeof unprotected_size); + total_size = page_size + page_size + unprotected_size + page_size; + _mprotect_readwrite(base_ptr, total_size); + if (sodium_memcmp(canary_ptr, canary, sizeof canary) != 0) { + _out_of_bounds(); + } +# ifndef HAVE_PAGE_PROTECTION + if (sodium_memcmp(unprotected_ptr + unprotected_size, canary, + sizeof canary) != 0) { + _out_of_bounds(); + } +# endif + sodium_munlock(unprotected_ptr, unprotected_size); + _free_aligned(base_ptr, total_size); +} +#endif /* HAVE_ALIGNED_MALLOC */ + +#ifndef HAVE_PAGE_PROTECTION +static int +_sodium_mprotect(void *ptr, int (*cb)(void *ptr, size_t size)) +{ + (void) ptr; + (void) cb; + errno = ENOSYS; + return -1; +} +#else +static int +_sodium_mprotect(void *ptr, int (*cb)(void *ptr, size_t size)) +{ + unsigned char *base_ptr; + unsigned char *unprotected_ptr; + size_t unprotected_size; + + unprotected_ptr = _unprotected_ptr_from_user_ptr(ptr); + base_ptr = unprotected_ptr - page_size * 2U; + memcpy(&unprotected_size, base_ptr, sizeof unprotected_size); + + return cb(unprotected_ptr, unprotected_size); +} +#endif + +int +sodium_mprotect_noaccess(void *ptr) +{ + return _sodium_mprotect(ptr, _mprotect_noaccess); +} + +int +sodium_mprotect_readonly(void *ptr) +{ + return _sodium_mprotect(ptr, _mprotect_readonly); +} + +int +sodium_mprotect_readwrite(void *ptr) +{ + return _sodium_mprotect(ptr, _mprotect_readwrite); +} + +#ifndef HAVE_PAGE_PROTECTION +int +sodium_mshield(void *ptr) +{ + (void) ptr; + errno = ENOSYS; + return -1; +} +#else +int +sodium_mshield(void *ptr) +{ + unsigned 
char shielding_key[crypto_stream_KEYBYTES]; + unsigned char nonce[crypto_stream_NONCEBYTES]; + unsigned char *base_ptr; + unsigned char *unprotected_ptr; + size_t unprotected_size; + + unprotected_ptr = _unprotected_ptr_from_user_ptr(ptr); + base_ptr = unprotected_ptr - page_size * 2U; + memcpy(&unprotected_size, base_ptr, sizeof unprotected_size); + + crypto_generichash(shielding_key, sizeof shielding_key, + shielding_prekey, sizeof shielding_prekey, NULL, 0); + COMPILER_ASSERT(sizeof nonce >= (sizeof unprotected_ptr) + (sizeof unprotected_size)); + memset(nonce, 0, sizeof nonce); + memcpy(nonce, &unprotected_ptr, sizeof unprotected_ptr); + memcpy(nonce + sizeof unprotected_ptr, &unprotected_size, sizeof unprotected_size); + crypto_stream_xor(unprotected_ptr, unprotected_ptr, unprotected_size, nonce, shielding_key); + sodium_memzero(shielding_key, sizeof shielding_key); + sodium_memzero(nonce, sizeof nonce); + + return 0; +} +#endif + +int +sodium_munshield(void *ptr) +{ + return sodium_mshield(ptr); +} + +int +sodium_pad(size_t *padded_buflen_p, unsigned char *buf, + size_t unpadded_buflen, size_t blocksize, size_t max_buflen) +{ + unsigned char *tail; + size_t i; + size_t xpadlen; + size_t xpadded_len; + volatile unsigned char mask; + unsigned char barrier_mask; + + if (blocksize <= 0U) { + return -1; + } + xpadlen = blocksize - 1U; + if ((blocksize & (blocksize - 1U)) == 0U) { + xpadlen -= unpadded_buflen & (blocksize - 1U); + } else { + xpadlen -= unpadded_buflen % blocksize; + } + if ((size_t) SIZE_MAX - unpadded_buflen <= xpadlen) { + sodium_misuse(); + } + xpadded_len = unpadded_buflen + xpadlen; + if (xpadded_len >= max_buflen) { + return -1; + } + tail = &buf[xpadded_len]; + if (padded_buflen_p != NULL) { + *padded_buflen_p = xpadded_len + 1U; + } + mask = 0U; + for (i = 0; i < blocksize; i++) { + barrier_mask = (unsigned char) (((i ^ xpadlen) - 1U) + >> ((sizeof(size_t) - 1) * CHAR_BIT)); + *(tail - i) = ((*(tail - i)) & mask) | (0x80 & barrier_mask); + 
mask |= barrier_mask; + } + return 0; +} + +int +sodium_unpad(size_t *unpadded_buflen_p, const unsigned char *buf, + size_t padded_buflen, size_t blocksize) +{ + const unsigned char *tail; + unsigned char acc = 0U; + unsigned char c; + unsigned char valid = 0U; + volatile size_t pad_len = 0U; + size_t i; + size_t is_barrier; + + if (padded_buflen < blocksize || blocksize <= 0U) { + return -1; + } + tail = &buf[padded_buflen - 1U]; + + for (i = 0U; i < blocksize; i++) { + c = *(tail - i); + is_barrier = + (( (acc - 1U) & (pad_len - 1U) & ((c ^ 0x80) - 1U) ) >> 8) & 1U; + acc |= c; + pad_len |= i & (1U + ~is_barrier); + valid |= (unsigned char) is_barrier; + } + *unpadded_buflen_p = padded_buflen - 1U - pad_len; + + return (int) (valid - 1U); +} From 51b56b9868d84698abaf53fb19b0643f55e949ba Mon Sep 17 00:00:00 2001 From: Duncan Tebbs Date: Wed, 18 Sep 2019 10:13:46 +0100 Subject: [PATCH 2/8] mpc: rng implementation to match powersoftau and phase2 --- src/CMakeLists.txt | 6 ++- src/snarks/groth16/mpc/chacha_rng.cpp | 74 +++++++++++++++++++++++++++ src/snarks/groth16/mpc/chacha_rng.h | 0 src/snarks/groth16/mpc/chacha_rng.hpp | 29 +++++++++++ src/test/mpc_test.cpp | 30 +++++++++++ 5 files changed, 138 insertions(+), 1 deletion(-) create mode 100644 src/snarks/groth16/mpc/chacha_rng.cpp create mode 100644 src/snarks/groth16/mpc/chacha_rng.h create mode 100644 src/snarks/groth16/mpc/chacha_rng.hpp diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index be0178044..b91d4bb89 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -67,6 +67,9 @@ include_directories( ${PROJECT_BINARY_DIR} ) # blake2 library get_target_property(blake2_INCLUDE_DIRS blake2 INTERFACE_INCLUDE_DIRECTORIES) +# libsodium library +get_target_property(sodium_INCLUDE_DIRS sodium INTERFACE_INCLUDE_DIRECTORIES) + # zeth library file( GLOB_RECURSE 
@@ -92,8 +95,9 @@ target_include_directories( ${DEPENDS_DIR}/libsnark/depends/libff ${DEPENDS_DIR}/libsnark/depends/libfqfft ${blake2_INCLUDE_DIRS} + ${sodium_INCLUDE_DIRS} ) -target_link_libraries(zeth snark blake2) +target_link_libraries(zeth snark blake2 sodium) # prover_server executable file( diff --git a/src/snarks/groth16/mpc/chacha_rng.cpp b/src/snarks/groth16/mpc/chacha_rng.cpp new file mode 100644 index 000000000..887b22ab1 --- /dev/null +++ b/src/snarks/groth16/mpc/chacha_rng.cpp 
@@ -0,0 +1,74 @@
+#include "snarks/groth16/mpc/chacha_rng.hpp"
+
+#include
+#include
+
+// Reference implementation of chacha20 in libsodium
+extern "C" int stream_ietf_ext_ref_xor_ic(
+ uint8_t *c,
+ const uint8_t *m,
+ size_t mlen,
+ const uint8_t *n,
+ uint32_t ic,
+ const uint8_t *k);
+
+namespace libzeth
+{
+
+chacha_rng::chacha_rng(const void *seed, size_t seed_size)
+ : data_used(sizeof(data))
+{
+ seed_size = std::min(seed_size, sizeof(key));
+ memcpy(key, seed, seed_size);
+ if (seed_size < sizeof(key)) {
+ memset(((uint8_t *)key) + seed_size, 0, sizeof(key) - seed_size);
+ }
+ memset(iv, 0, sizeof(iv));
+}
+
+void chacha_rng::random(void *const output, size_t output_size)
+{
+ memset(output, 0, output_size);
+
+ uint8_t *target = (uint8_t *)output;
+ while (output_size > 0) {
+ if (data_used == sizeof(data)) {
+ populate();
+ }
+
+ const size_t data_remaining = sizeof(data) - data_used;
+ const size_t to_write = std::min(data_remaining, output_size);
+
+ memcpy(target, &data[data_used], to_write);
+ data_used += to_write;
+ target += to_write;
+ output_size -= to_write;
+ }
+}
+
+void chacha_rng::populate()
+{
+ memset(data, 0, sizeof(data));
+ stream_ietf_ext_ref_xor_ic(
+ // crypto_stream_chacha20_ietf_xor_ic(
+ (uint8_t *)data,
+ (uint8_t *)data,
+ sizeof(data),
+ (const uint8_t *)&iv[1],
+ iv[0],
+ (const uint8_t *)&key[0]);
+
+ data_used = 0;
+ if (++iv[0] != 0) {
+ return;
+ }
+ if (++iv[1] != 0) {
+ return;
+ }
+ if (++iv[2] != 0) {
+ return;
+ }
+ ++iv[3];
+}
+
+} // namespace libzeth
diff --git a/src/snarks/groth16/mpc/chacha_rng.h b/src/snarks/groth16/mpc/chacha_rng.h
new file mode 100644
index 000000000..e69de29bb
diff --git a/src/snarks/groth16/mpc/chacha_rng.hpp b/src/snarks/groth16/mpc/chacha_rng.hpp
new file mode 100644
index 000000000..2afe315d8
--- /dev/null
+++ b/src/snarks/groth16/mpc/chacha_rng.hpp
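Review bot: The prototype for `stream_ietf_ext_ref_xor_ic` is hand-written in this file rather than taken from a header, so any drift between it and the vendored libsodium definition (argument order, counter width) would compile silently; the commented-out `crypto_stream_chacha20_ietf_xor_ic(` line in populate() suggests the public API was the original intent, and if the `_ext` variant is really needed its declaration belongs in a header shared with the vendored source. The call's int return value is discarded as well. The constructor silently truncates seeds longer than sizeof(key), 32 bytes, and zero-pads shorter ones; that contract is worth a comment such as `// Only the first 32 bytes of seed are used as the chacha20 key; shorter seeds are zero-padded.`. Since `key` holds the caller's seed and `data` the not-yet-consumed keystream, a destructor that clears both (`sodium_memzero` from the vendored utils.c is available) would be a cheap safeguard should a later caller seed this generator with secret entropy rather than a public digest. The leading `memset(output, 0, output_size)` in random() is redundant, since the loop overwrites every byte of the output.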
@@ -0,0 +1,29 @@
+#ifndef __ZETH__SNARKS_GROTH16_MPC_CHACHA_RNG_HPP__
+#define __ZETH__SNARKS_GROTH16_MPC_CHACHA_RNG_HPP__
+
+#include
+#include
+
+namespace libzeth
+{
+
+// Random number generator matching the implementation used by zcash
+// powersoftau and phase2.
+class chacha_rng
+{
+public:
+ chacha_rng(const void *seed, size_t seed_size);
+ void random(void *output, size_t output_size);
+
+private:
+ void populate();
+
+ uint32_t key[8];
+ uint32_t iv[4];
+ uint8_t data[64];
+ size_t data_used;
+};
+
+} // namespace libzeth
+
+#endif // __ZETH__SNARKS_GROTH16_MPC_CHACHA_RNG_HPP__
diff --git a/src/test/mpc_test.cpp b/src/test/mpc_test.cpp
index 0d8e9cf29..4c03d54ec 100644
--- a/src/test/mpc_test.cpp
+++ b/src/test/mpc_test.cpp
@@ -1,6 +1,7 @@
 #include "circuit-wrapper.hpp"
 #include "circuits/sha256/sha256_ethereum.hpp"
 #include "snarks/groth16/evaluator_from_lagrange.hpp"
+#include "snarks/groth16/mpc/chacha_rng.hpp"
 #include "snarks/groth16/mpc_phase2.hpp"
 #include "snarks/groth16/mpc_utils.hpp"
 #include "snarks/groth16/multi_exp.hpp"
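Review bot: An empty `src/snarks/groth16/mpc/chacha_rng.h` is created next to this header (the diffstat lists it with 0 lines and its blob is empty); it looks like a leftover and should be dropped from the commit. The class comment names the implementation it matches but gives no contract: document that only the first 32 bytes of `seed` become the key with shorter seeds zero-padded, that `iv[0]` is the 32-bit block counter and `iv[1..3]` the 96-bit nonce into which the counter carries, and that `random()` accepts any `output_size` and continues the keystream across calls. Since the instance carries mutable position state with no synchronization, a one-line `// One keystream per instance; not safe to share between threads.` on the class would also save the next reader a trip into the .cpp.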
@@ -54,6 +55,35 @@ static srs_mpc_phase2_accumulator dummy_initial_accumulator( std::move(L_g1)); } +TEST(MPCTests, ChaChaRng) +{ + // expect_output is generated by the ChaChaRng implementation used in the + // zcash powersoftau and phase2 Rust code. + + const std::string seed = hexadecimal_str_to_binary_str( + "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"); + const std::string expect_output_0 = hexadecimal_str_to_binary_str( + "1fbc70a0206f844bb7b62ace04d25ee4de8a512b608ea1fdf2269c36f4eafb"); + const std::string expect_output_1 = hexadecimal_str_to_binary_str( + "7f5941a5cd2fbe3da5c1579ec2d6fdcfd2f474bb4c93b5be09294045cb69dfe2"); + const std::string expect_output_2 = hexadecimal_str_to_binary_str( + "6a10e6ac34b7180858b9964b082e617446477164a623066dc0d6b8da37b67351" + "c00b43600b984a6d637503e25aae1719b1f0df6a315d0dc9cf0210b1d8d77e13"); + + chacha_rng rng(seed.data(), seed.size()); + uint8_t output[64]; + + auto check_output = [&](const std::string expect_out, std::string label) { + rng.random(&output[0], expect_out.size()); + ASSERT_EQ(0, memcmp(expect_out.data(), output, expect_out.size())) + << label; + }; + + check_output(expect_output_0, "expect_output_0"); + check_output(expect_output_1, "expect_output_1"); + check_output(expect_output_2, "expect_output_2"); +} + TEST(MPCTests, LinearCombination) { // Compute the small test qap first, in order to extract the From 63d9063cb90dcb017c7d20d4e87bcf02ba3cffeb Mon Sep 17 00:00:00 2001 From: Duncan Tebbs Date: Wed, 18 Sep 2019 16:32:16 +0100 Subject: [PATCH 3/8] mpc: generate g2 using chacha_rng --- src/snarks/groth16/mpc_phase2.hpp | 5 +-- src/snarks/groth16/mpc_phase2.tcc | 52 ++++++++++++++++--------------- src/test/mpc_test.cpp | 52 +++++++++++++++++++++++-------- 3 files changed, 67 insertions(+), 42 deletions(-) diff --git a/src/snarks/groth16/mpc_phase2.hpp b/src/snarks/groth16/mpc_phase2.hpp index a9471eee6..87ea17615 100644 --- a/src/snarks/groth16/mpc_phase2.hpp 
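Review bot: `check_output` takes `const std::string expect_out` and `std::string label` by value; both should be `const std::string &` since the lambda only reads them. The comment crediting the Rust ChaChaRng implementation for `expect_output_*` is helpful; naming the crate and version the vectors were generated with would make them reproducible, and it is worth stating that the 31/32/64-byte request sizes are chosen deliberately to cross a 64-byte block boundary.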
+++ b/src/snarks/groth16/mpc_phase2.hpp @@ -171,10 +171,7 @@ template class srs_mpc_phase2_response // Phase2 functions template -libff::G2 srs_mpc_compute_r_g2( - const libff::G1 &s_g1, - const libff::G1 &s_delta_j_g1, - const srs_mpc_hash_t digest); +libff::G2 srs_mpc_compute_r_g2(const srs_mpc_hash_t digest); /// Given the output from the linear combination of the L1 layer of the SRS /// circuit, compute the starting parameters for Phase 2 (the MPC for C2 diff --git a/src/snarks/groth16/mpc_phase2.tcc b/src/snarks/groth16/mpc_phase2.tcc index ff0a1cbd1..6374b7bab 100644 --- a/src/snarks/groth16/mpc_phase2.tcc +++ b/src/snarks/groth16/mpc_phase2.tcc @@ -2,6 +2,7 @@ #define __ZETH_SNARKS_GROTH16_MPC_PHASE2_TCC__ #include "libff/common/rng.hpp" +#include "snarks/groth16/mpc/chacha_rng.hpp" #include "snarks/groth16/mpc_phase2.hpp" #include "snarks/groth16/mpc_utils.hpp" #include "snarks/groth16/powersoftau_utils.hpp" 
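Review bot: `srs_mpc_compute_fr`, added in the .tcc and called directly from the new HashToG2 test, is not declared here alongside `srs_mpc_compute_r_g2`; if it is part of the interface, declare and document it in this header, otherwise mark it as an internal helper in the .tcc. The doc comment for `srs_mpc_compute_r_g2` in this header lies outside the hunk; if it still describes the $s$ and $s_delta_j$ inputs it needs the same update as the signature.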
@@ -248,31 +249,34 @@ srs_mpc_phase2_response srs_mpc_phase2_response::read( return response; } +template &modulus> +void srs_mpc_compute_fr( + const srs_mpc_hash_t transcript_digest, libff::Fp_model &out_fr) +{ + // Fill a U512 with random data and compute the representation mod m. + libff::bigint<2 * n> random; + libff::bigint _quotient; + + chacha_rng rng(transcript_digest, sizeof(srs_mpc_hash_t)); + rng.random(random.data, sizeof(random)); + mpn_tdiv_qr( + _quotient.data, + out_fr.mont_repr.data, + 0, + random.data, + 2 * n, + modulus.data, + n); +} + /// Deterministically choose a value $r$ in G2, given some $s$ and $s_delta_j$ /// in G1, and the current transcript digest. template -libff::G2 srs_mpc_compute_r_g2( - const libff::G1 &s_g1, - const libff::G1 &s_delta_j_g1, - const srs_mpc_hash_t transcript_digest) +libff::G2 srs_mpc_compute_r_g2(const srs_mpc_hash_t transcript_digest) { - // h = H( : : ) - srs_mpc_hash_t h; - { - hash_ostream hs; - hs.write((const char *)transcript_digest, sizeof(srs_mpc_hash_t)); - hs << s_g1; - hs << s_delta_j_g1; - hs.get_hash(h); - } - - // TODO: Use chacha RNG seeded with first 128 bits from - // transcript_digest, similarly to "Phase2" code. - - // For now, use randomization from libff. - const uint64_t idx = *(const uint64_t *)h; - libff::Fr v = libff::SHA512_rng>(idx); - return v * libff::G2::one(); + libff::Fr fr; + srs_mpc_compute_fr(transcript_digest, fr); + return fr * libff::G2::one(); } template @@ -326,8 +330,7 @@ srs_mpc_phase2_publickey srs_mpc_phase2_compute_public_key( const libff::G1 new_delta_g1 = delta_j * last_delta; const libff::G1 s_g1 = libff::G1::random_element(); const libff::G1 s_delta_j_g1 = delta_j * s_g1; - const libff::G2 r_g2 = - srs_mpc_compute_r_g2(s_g1, s_delta_j_g1, transcript_digest); + const libff::G2 r_g2 = srs_mpc_compute_r_g2(transcript_digest); const libff::G2 r_delta_j_g2 = delta_j * r_g2; libff::leave_block("call to srs_mpc_phase2_compute_public_key"); 
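Review bot: `mpn_tdiv_qr` writes a quotient of nn − dn + 1 limbs, here 2n − n + 1 = n + 1, so `_quotient` must provide n + 1 limbs; its template argument is lost in this rendering, but if it is `libff::bigint<n>` the call writes one limb past the end of the stack array and the declaration should read `libff::bigint<n + 1> _quotient;`. The remainder is stored straight into `out_fr.mont_repr`, so the resulting field element is remainder·R⁻¹ mod p rather than the remainder itself; that is a bijection and leaves the distribution unchanged, but the test vectors depend on exactly this convention and it deserves a sentence in a comment on `srs_mpc_compute_fr`, which currently has none. The unchanged doc comment above `srs_mpc_compute_r_g2` still says "given some $s$ and $s_delta_j$ in G1" although those parameters were removed; suggest `/// Deterministically derive a value $r$ in G2 from the current transcript digest.`.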
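Review bot: `r_g2` is now derived from `transcript_digest` alone, whereas the removed code also hashed `s_g1` and `s_delta_j_g1` into the input; in this hunk `s_g1` is sampled after the digest is supplied, so `r` no longer depends on the (s, s·δ_j) pair it accompanies. In the BGM17 proof-of-knowledge construction and, as far as I recall, in the phase2 code this series aims to match, the G2 challenge is hashed over the transcript together with s and s·δ, which is what binds the pair to the challenge; if `transcript_digest` does not already cover those two points, that binding is lost, and the verifier side in the @@ -343 hunk below inherits the same gap. Please confirm against the reference implementation before relying on the new test vectors, or fold `s_g1` and `s_delta_j_g1` back into the digest that seeds `chacha_rng`.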
@@ -343,8 +346,7 @@ bool srs_mpc_phase2_verify_publickey( { const libff::G1 &s_g1 = publickey.s_g1; const libff::G1 &s_delta_j_g1 = publickey.s_delta_j_g1; - out_r_g2 = srs_mpc_compute_r_g2( - s_g1, s_delta_j_g1, publickey.transcript_digest); + out_r_g2 = srs_mpc_compute_r_g2(publickey.transcript_digest); const libff::G2 &r_delta_j_g2 = publickey.r_delta_j_g2; const libff::G1 &new_delta_g1 = publickey.new_delta_g1; diff --git a/src/test/mpc_test.cpp b/src/test/mpc_test.cpp index 4c03d54ec..e9513a77c 100644 --- a/src/test/mpc_test.cpp +++ b/src/test/mpc_test.cpp @@ -84,6 +84,40 @@ TEST(MPCTests, ChaChaRng) check_output(expect_output_2, "expect_output_2"); } +TEST(MPCTests, HashToG2) +{ + srs_mpc_hash_t hash; + const std::string seed = hexadecimal_str_to_binary_str( + "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef" + "0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef"); + memcpy(hash, seed.data(), sizeof(srs_mpc_hash_t)); + + Fr expect_fr; + { + std::istringstream ss( + hexadecimal_str_to_binary_str("20e70f3b594e4a9bd78e7d23f796f3bce4de" + "92af13adf10beffe2cf84b59e2ad")); + read_powersoftau_fr(ss, expect_fr); + } + + G2 expect_g2; + { + std::istringstream ss(hexadecimal_str_to_binary_str( + "04048fb80ba85a814f6ca7db7194da6c71fa7d8b7aa05b49ce315c96c20b916ab" + "36544a6656acae3f5a7da00ca96dfe5b9c4bcec736f75cf85a27fab44f426df28" + "0532af644ab533ca189739ae2d908b95d643051f6692286eca126ad4c65275def" + "8e0f6b24ebb57b415e59b465dc7f3f823c615434955b96f7f3f5ba4f7505e43")); + read_powersoftau_g2(ss, expect_g2); + } + + Fr fr; + srs_mpc_compute_fr(hash, fr); + G2 g2 = srs_mpc_compute_r_g2(hash); + + ASSERT_EQ(expect_fr, fr); + ASSERT_EQ(expect_g2, g2); +} + TEST(MPCTests, LinearCombination) { // Compute the small test qap first, in order to extract the 
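Review bot: Unlike the ChaChaRng test above, HashToG2 does not say where `expect_fr` and `expect_g2` come from; add a comment such as `// Expected values generated by the powersoftau/phase2 Rust implementation from the same 64-byte seed.` so a reviewer can regenerate them. `memcpy(hash, seed.data(), sizeof(srs_mpc_hash_t))` reads sizeof(srs_mpc_hash_t) bytes from a string decoded from 128 hex characters; an `ASSERT_EQ(sizeof(srs_mpc_hash_t), seed.size());` before the copy makes that size assumption explicit instead of relying on the two matching by construction.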
@@ -674,19 +708,14 @@ TEST(MPCTests, Phase2HashToG2) { // Check that independently created source values (at different locations // in memory) give the same result. - const size_t seed = 9; - const G1 s_0 = Fr(seed - 1) * G1::one(); - const G1 s_1 = Fr(seed - 1) * G1::one(); - const G1 s_delta_j_0 = Fr(seed - 2) * s_0; - const G1 s_delta_j_1 = Fr(seed - 2) * s_1; const uint8_t empty[0]{}; srs_mpc_hash_t hash_0; srs_mpc_compute_hash(hash_0, empty, 0); srs_mpc_hash_t hash_1; srs_mpc_compute_hash(hash_1, empty, 0); - G2 g2_0 = srs_mpc_compute_r_g2(s_0, s_delta_j_0, hash_0); - G2 g2_1 = srs_mpc_compute_r_g2(s_1, s_delta_j_1, hash_1); + G2 g2_0 = srs_mpc_compute_r_g2(hash_0); + G2 g2_1 = srs_mpc_compute_r_g2(hash_1); ASSERT_EQ(g2_0, g2_1); } @@ -703,8 +732,7 @@ TEST(MPCTests, Phase2PublicKeyGeneration) srs_mpc_phase2_compute_public_key( hash, last_secret * G1::one(), secret); - const libff::G2 r_g2 = - srs_mpc_compute_r_g2(publickey.s_g1, publickey.s_delta_j_g1, hash); + const libff::G2 r_g2 = srs_mpc_compute_r_g2(hash); ASSERT_EQ( 0, memcmp(hash, publickey.transcript_digest, sizeof(srs_mpc_hash_t))); @@ -779,10 +807,8 @@ TEST(MPCTests, Phase2UpdateVerification) { srs_mpc_phase2_response response = srs_mpc_phase2_compute_response(challenge, secret); - const libff::G2 r_g2 = srs_mpc_compute_r_g2( - response.publickey.s_g1, - response.publickey.s_delta_j_g1, - response.publickey.transcript_digest); + const libff::G2 r_g2 = + srs_mpc_compute_r_g2(response.publickey.transcript_digest); response.publickey.r_delta_j_g2 = invalid_secret * r_g2; ASSERT_FALSE(srs_mpc_phase2_verify_response(challenge, response)); } From c5e1fb55a70f9048f69481b3e557be653ce3b88a Mon Sep 17 00:00:00 2001 
From: Duncan Tebbs Date: Wed, 18 Sep 2019 18:07:29 +0100 Subject: [PATCH 4/8] mpc: improve contribution randomness (including user input) --- scripts/test_mpc | 3 ++ src/mpc/mpc_phase2_contribute.cpp | 49 +++++++++++++++++++++++++++---- src/snarks/groth16/mpc_phase2.hpp | 7 ++++- src/snarks/groth16/mpc_phase2.tcc | 10 +++---- src/test/mpc_test.cpp | 12 ++++---- 5 files changed, 64 insertions(+), 17 deletions(-) diff --git a/scripts/test_mpc b/scripts/test_mpc index d76d01d0c..fa868cf79 100755 --- a/scripts/test_mpc +++ b/scripts/test_mpc @@ -44,6 +44,7 @@ ${MPC} linear-combination --out ${linear_combination_file} \ ${MPC} phase2-begin --out ${challenge_0_file} ${linear_combination_file} ${MPC} phase2-contribute \ + --skip-user-input \ --digest ${response_digest_1_file} \ --out ${response_1_file} ${challenge_0_file} ${MPC} phase2-verify-contribution \ @@ -52,6 +53,7 @@ ${MPC} phase2-verify-contribution \ ${challenge_0_file} ${response_1_file} ${MPC} phase2-contribute \ + --skip-user-input \ --digest ${response_digest_2_file} \ --out ${response_2_file} ${challenge_1_file} ${MPC} phase2-verify-contribution \ @@ -60,6 +62,7 @@ ${MPC} phase2-verify-contribution \ ${challenge_1_file} ${response_2_file} ${MPC} phase2-contribute \ + --skip-user-input \ --digest ${response_digest_3_file} \ --out ${response_3_file} ${challenge_2_file} ${MPC} phase2-verify-contribution \ diff --git a/src/mpc/mpc_phase2_contribute.cpp b/src/mpc/mpc_phase2_contribute.cpp index 792cd4f4a..88168843a 100644 --- a/src/mpc/mpc_phase2_contribute.cpp +++ b/src/mpc/mpc_phase2_contribute.cpp 
@@ -11,14 +11,16 @@ namespace // $0 phase2-contribute [] // // Options: -// --out Response output file (mpc-response.bin) -// --digest Write contribution hash to file. +// --out Response output file (mpc-response.bin) +// --digest Write contribution hash to file. +// --skip-user-input Use only ststem randomness class mpc_phase2_contribute : public subcommand { private: std::string challenge_file; std::string out_file; std::string digest; + bool skip_user_input; public: mpc_phase2_contribute() @@ -26,6 +28,7 @@ class mpc_phase2_contribute : public subcommand , challenge_file() , out_file() , digest() + , skip_user_input(false) { } @@ -41,7 +44,8 @@ class mpc_phase2_contribute : public subcommand "Reponse output file (mpc-response.bin)")( "digest", po::value(), - "Write contribution digest to file"); + "Write contribution digest to file")( + "skip-user-input", "Use only system randomness"); all_options.add(options).add_options()( "challenge_file", po::value(), "challenge file"); pos.add("challenge_file", 1); @@ -57,6 +61,7 @@ class mpc_phase2_contribute : public subcommand out_file = vm.count("out") ? vm["out"].as() : trusted_setup_file("mpc-response.bin"); digest = vm.count("digest") ? vm["digest"].as() : ""; + skip_user_input = (bool)vm.count("skip-user-input"); } void subcommand_usage() override @@ -71,6 +76,7 @@ class mpc_phase2_contribute : public subcommand std::cout << "challenge_file: " << challenge_file << "\n"; std::cout << "out_file: " << out_file << std::endl; std::cout << "digest: " << digest << std::endl; + std::cout << "skip_user_input: " << skip_user_input << std::endl; } libff::enter_block("Load challenge file"); 
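Review bot: The help text added in the first hunk of this file, `// --skip-user-input Use only ststem randomness`, has a typo ("ststem"); `// --skip-user-input Use only system randomness (do not prompt for user input)` also says what the flag skips, since with the flag absent the user text is mixed into the system randomness rather than replacing it. In the `@@ -57` hunk, `skip_user_input = (bool)vm.count("skip-user-input");` uses a C-style cast; `skip_user_input = vm.count("skip-user-input") != 0;` says the same without one.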
@@ -82,8 +88,7 @@ class mpc_phase2_contribute : public subcommand libff::leave_block("Load challenge file"); libff::enter_block("Computing randomness"); - // TODO: determine strategy for this. - libff::Fr contribution = libff::Fr::random_element(); + libff::Fr contribution = get_randomness(); libff::leave_block("Computing randomness"); libff::enter_block("Computing response"); @@ -113,6 +118,40 @@ class mpc_phase2_contribute : public subcommand return 0; } + + libff::Fr get_randomness() + { + using random_word = std::random_device::result_type; + + std::random_device rd; + hash_ostream hs; + uint64_t buf[4]; + const size_t buf_size_in_words = sizeof(buf) / sizeof(random_word); + + // 1024 bytes of system randomness, + for (size_t i = 0; i < 1024 / sizeof(buf); ++i) { + random_word *words = (random_word *)&buf; + for (size_t i = 0; i < buf_size_in_words; ++i) { + words[i] = rd(); + } + hs.write((const char *)&buf, sizeof(buf)); + } + + if (!skip_user_input) { + std::cout << "Enter some random text and press [ENTER] ..." + << std::endl; + std::string user_input; + std::getline(std::cin, user_input); + hs << user_input; + } + + srs_mpc_hash_t digest; + hs.get_hash(digest); + + libff::Fr randomness; + srs_mpc_digest_to_fp(digest, randomness); + return randomness; + } }; } // namespace diff --git a/src/snarks/groth16/mpc_phase2.hpp b/src/snarks/groth16/mpc_phase2.hpp index 87ea17615..625d60f26 100644 --- a/src/snarks/groth16/mpc_phase2.hpp +++ b/src/snarks/groth16/mpc_phase2.hpp @@ -170,8 +170,13 @@ template class srs_mpc_phase2_response // Phase2 functions +template &modulus> +void srs_mpc_digest_to_fp( + const srs_mpc_hash_t transcript_digest, + libff::Fp_model &out_fr); + template -libff::G2 srs_mpc_compute_r_g2(const srs_mpc_hash_t digest); +libff::G2 srs_mpc_digest_to_g2(const srs_mpc_hash_t digest); /// Given the output from the linear combination of the L1 layer of the SRS /// circuit, compute the starting parameters for Phase 2 (the MPC for C2 
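Review bot: Inside `get_randomness` the inner loop reuses the outer loop's index name, `for (size_t i = 0; i < buf_size_in_words; ++i)` nested in `for (size_t i = 0; i < 1024 / sizeof(buf); ++i)`; it works because the inner `i` shadows the outer one for the whole inner body, but it trips -Wshadow and reads as a bug, so rename it: `for (size_t w = 0; w < buf_size_in_words; ++w) { words[w] = rd(); }`. The quality of `std::random_device` is implementation-defined (some toolchains have been reported to ship a deterministic one), and the contribution secret ultimately depends on it plus optional user text, so a comment above the function naming the expected implementations, and stating that user text is mixed in rather than used alone, is needed. The seed material (`buf`, `user_input`, `digest`) and the derived `randomness` are never cleared after the contribution is computed; since a leaked contribution secret undermines the ceremony, wipe these once the `Fr` has been produced (libsodium is now a dependency, so `sodium_memzero` is the natural choice if its header is available in this tree — to confirm). `random_word *words = (random_word *)&buf;` is a C-style cast punning `uint64_t[4]` as an array of `random_word`; filling an array of `random_word` directly and hashing that avoids the cast and the `sizeof` arithmetic.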
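Review bot: The new declarations `srs_mpc_digest_to_fp` and `srs_mpc_digest_to_g2` in `mpc_phase2.hpp` carry no doc comment, while the neighbouring declaration in the same hunk does. From the definitions in the .tcc, `/// Map a transcript digest to a field element: expand it with the ChaCha rng into 2*n limbs and reduce modulo the field modulus.` and `/// Map a transcript digest to a G2 point: srs_mpc_digest_to_fp, then multiply the G2 generator by the result.` describe what they do. The .tcc also stores the reduced value directly into `out_fr.mont_repr`, so the element's value is the residue interpreted as a Montgomery representation; that is fine for a uniformly distributed output but deserves a sentence in the comment so the test vectors are not mistaken for a plain reduction of the digest.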
diff --git a/src/snarks/groth16/mpc_phase2.tcc b/src/snarks/groth16/mpc_phase2.tcc index 6374b7bab..0bc6d85d3 100644 --- a/src/snarks/groth16/mpc_phase2.tcc +++ b/src/snarks/groth16/mpc_phase2.tcc @@ -250,7 +250,7 @@ srs_mpc_phase2_response srs_mpc_phase2_response::read( } template &modulus> -void srs_mpc_compute_fr( +void srs_mpc_digest_to_fp( const srs_mpc_hash_t transcript_digest, libff::Fp_model &out_fr) { // Fill a U512 with random data and compute the representation mod m. @@ -272,10 +272,10 @@ void srs_mpc_compute_fr( /// Deterministically choose a value $r$ in G2, given some $s$ and $s_delta_j$ /// in G1, and the current transcript digest. template -libff::G2 srs_mpc_compute_r_g2(const srs_mpc_hash_t transcript_digest) +libff::G2 srs_mpc_digest_to_g2(const srs_mpc_hash_t transcript_digest) { libff::Fr fr; - srs_mpc_compute_fr(transcript_digest, fr); + srs_mpc_digest_to_fp(transcript_digest, fr); return fr * libff::G2::one(); } @@ -330,7 +330,7 @@ srs_mpc_phase2_publickey srs_mpc_phase2_compute_public_key( const libff::G1 new_delta_g1 = delta_j * last_delta; const libff::G1 s_g1 = libff::G1::random_element(); const libff::G1 s_delta_j_g1 = delta_j * s_g1; - const libff::G2 r_g2 = srs_mpc_compute_r_g2(transcript_digest); + const libff::G2 r_g2 = srs_mpc_digest_to_g2(transcript_digest); const libff::G2 r_delta_j_g2 = delta_j * r_g2; libff::leave_block("call to srs_mpc_phase2_compute_public_key"); @@ -346,7 +346,7 @@ bool srs_mpc_phase2_verify_publickey( { const libff::G1 &s_g1 = publickey.s_g1; const libff::G1 &s_delta_j_g1 = publickey.s_delta_j_g1; - out_r_g2 = srs_mpc_compute_r_g2(publickey.transcript_digest); + out_r_g2 = srs_mpc_digest_to_g2(publickey.transcript_digest); const libff::G2 &r_delta_j_g2 = publickey.r_delta_j_g2; const libff::G1 &new_delta_g1 = publickey.new_delta_g1; diff --git a/src/test/mpc_test.cpp b/src/test/mpc_test.cpp index e9513a77c..379022bcc 100644 --- a/src/test/mpc_test.cpp +++ b/src/test/mpc_test.cpp 
@@ -111,8 +111,8 @@ TEST(MPCTests, HashToG2) } Fr fr; - srs_mpc_compute_fr(hash, fr); - G2 g2 = srs_mpc_compute_r_g2(hash); + srs_mpc_digest_to_fp(hash, fr); + G2 g2 = srs_mpc_digest_to_g2(hash); ASSERT_EQ(expect_fr, fr); ASSERT_EQ(expect_g2, g2); @@ -714,8 +714,8 @@ TEST(MPCTests, Phase2HashToG2) srs_mpc_hash_t hash_1; srs_mpc_compute_hash(hash_1, empty, 0); - G2 g2_0 = srs_mpc_compute_r_g2(hash_0); - G2 g2_1 = srs_mpc_compute_r_g2(hash_1); + G2 g2_0 = srs_mpc_digest_to_g2(hash_0); + G2 g2_1 = srs_mpc_digest_to_g2(hash_1); ASSERT_EQ(g2_0, g2_1); } @@ -732,7 +732,7 @@ TEST(MPCTests, Phase2PublicKeyGeneration) srs_mpc_phase2_compute_public_key( hash, last_secret * G1::one(), secret); - const libff::G2 r_g2 = srs_mpc_compute_r_g2(hash); + const libff::G2 r_g2 = srs_mpc_digest_to_g2(hash); ASSERT_EQ( 0, memcmp(hash, publickey.transcript_digest, sizeof(srs_mpc_hash_t))); @@ -808,7 +808,7 @@ TEST(MPCTests, Phase2UpdateVerification) srs_mpc_phase2_response response = srs_mpc_phase2_compute_response(challenge, secret); const libff::G2 r_g2 = - srs_mpc_compute_r_g2(response.publickey.transcript_digest); + srs_mpc_digest_to_g2(response.publickey.transcript_digest); response.publickey.r_delta_j_g2 = invalid_secret * r_g2; ASSERT_FALSE(srs_mpc_phase2_verify_response(challenge, response)); } From c5072be87a148a55241883cb4371227e8205967f Mon Sep 17 00:00:00 2001 
From: Duncan Tebbs Date: Wed, 18 Sep 2019 12:29:38 +0100 Subject: [PATCH 5/8] rearrange source code --- scripts/test_mpc | 2 +- src/CMakeLists.txt | 25 +++---------------- src/mpc/CMakeLists.txt | 20 +++++++++++++++ src/mpc/{ => cli}/mpc_common.cpp | 0 src/mpc/{ => cli}/mpc_common.hpp | 0 src/mpc/{ => cli}/mpc_create_keypair.cpp | 6 ++--- src/mpc/{ => cli}/mpc_dummy_phase2.cpp | 4 +-- src/mpc/{ => cli}/mpc_linear_combination.cpp | 4 +-- src/mpc/{ => cli}/mpc_main.cpp | 0 src/mpc/{ => cli}/mpc_main.hpp | 0 src/mpc/{ => cli}/mpc_phase2_begin.cpp | 4 +-- src/mpc/{ => cli}/mpc_phase2_contribute.cpp | 2 +- .../mpc_phase2_verify_contribution.cpp | 2 +- .../mpc_phase2_verify_transcript.cpp | 2 +- src/{ => mpc}/test/mpc_test_cli.cpp | 0 src/pot_process/pot_process.cpp | 2 +- src/snarks/groth16/{ => api}/response.hpp | 2 +- src/snarks/groth16/{ => api}/response.tcc | 0 src/snarks/groth16/{ => core}/computation.hpp | 2 +- src/snarks/groth16/{ => core}/computation.tcc | 0 src/snarks/groth16/{ => core}/helpers.hpp | 2 +- src/snarks/groth16/{ => core}/helpers.tcc | 0 .../{ => mpc}/evaluator_from_lagrange.hpp | 0 .../{ => mpc}/evaluator_from_lagrange.tcc | 0 src/snarks/groth16/{ => mpc}/mpc_utils.hpp | 2 +- src/snarks/groth16/{ => mpc}/mpc_utils.tcc | 1 + src/snarks/groth16/{ => mpc}/multi_exp.hpp | 2 +- src/snarks/groth16/{ => mpc}/multi_exp.tcc | 2 +- .../{mpc_phase2.cpp => mpc/phase2.cpp} | 2 +- .../{mpc_phase2.hpp => mpc/phase2.hpp} | 2 +- .../{mpc_phase2.tcc => mpc/phase2.tcc} | 7 +++--- .../groth16/{ => mpc}/powersoftau_utils.cpp | 0 .../groth16/{ => mpc}/powersoftau_utils.hpp | 2 +- .../groth16/{ => mpc}/powersoftau_utils.tcc | 2 +- src/snarks/pghr13/{ => core}/computation.hpp | 0 src/snarks/pghr13/{ => core}/computation.tcc | 0 src/snarks/pghr13/{ => core}/helpers.hpp | 0 src/snarks/pghr13/{ => core}/helpers.tcc | 0 src/snarks/pghr13/{ => core}/response.hpp | 0 src/snarks/pghr13/{ => core}/response.tcc | 0 src/snarks_api_imports.hpp | 4 +-- src/snarks_core_imports.hpp | 
12 ++++----- src/test/mpc_test.cpp | 10 ++++---- src/test/powersoftau_test.cpp | 4 +-- src/util.tcc | 2 ++ 45 files changed, 69 insertions(+), 64 deletions(-) create mode 100644 src/mpc/CMakeLists.txt rename src/mpc/{ => cli}/mpc_common.cpp (100%) rename src/mpc/{ => cli}/mpc_common.hpp (100%) rename src/mpc/{ => cli}/mpc_create_keypair.cpp (97%) rename src/mpc/{ => cli}/mpc_dummy_phase2.cpp (97%) rename src/mpc/{ => cli}/mpc_linear_combination.cpp (98%) rename src/mpc/{ => cli}/mpc_main.cpp (100%) rename src/mpc/{ => cli}/mpc_main.hpp (100%) rename src/mpc/{ => cli}/mpc_phase2_begin.cpp (97%) rename src/mpc/{ => cli}/mpc_phase2_contribute.cpp (99%) rename src/mpc/{ => cli}/mpc_phase2_verify_contribution.cpp (99%) rename src/mpc/{ => cli}/mpc_phase2_verify_transcript.cpp (99%) rename src/{ => mpc}/test/mpc_test_cli.cpp (100%) rename src/snarks/groth16/{ => api}/response.hpp (95%) rename src/snarks/groth16/{ => api}/response.tcc (100%) rename src/snarks/groth16/{ => core}/computation.hpp (94%) rename src/snarks/groth16/{ => core}/computation.tcc (100%) rename src/snarks/groth16/{ => core}/helpers.hpp (96%) rename src/snarks/groth16/{ => core}/helpers.tcc (100%) rename src/snarks/groth16/{ => mpc}/evaluator_from_lagrange.hpp (100%) rename src/snarks/groth16/{ => mpc}/evaluator_from_lagrange.tcc (100%) rename src/snarks/groth16/{ => mpc}/mpc_utils.hpp (98%) rename src/snarks/groth16/{ => mpc}/mpc_utils.tcc (99%) rename src/snarks/groth16/{ => mpc}/multi_exp.hpp (93%) rename src/snarks/groth16/{ => mpc}/multi_exp.tcc (96%) rename src/snarks/groth16/{mpc_phase2.cpp => mpc/phase2.cpp} (99%) rename src/snarks/groth16/{mpc_phase2.hpp => mpc/phase2.hpp} (99%) rename src/snarks/groth16/{mpc_phase2.tcc => mpc/phase2.tcc} (99%) rename src/snarks/groth16/{ => mpc}/powersoftau_utils.cpp (100%) rename src/snarks/groth16/{ => mpc}/powersoftau_utils.hpp (99%) rename src/snarks/groth16/{ => mpc}/powersoftau_utils.tcc (99%) rename src/snarks/pghr13/{ => core}/computation.hpp (100%) 
rename src/snarks/pghr13/{ => core}/computation.tcc (100%) rename src/snarks/pghr13/{ => core}/helpers.hpp (100%) rename src/snarks/pghr13/{ => core}/helpers.tcc (100%) rename src/snarks/pghr13/{ => core}/response.hpp (100%) rename src/snarks/pghr13/{ => core}/response.tcc (100%) diff --git a/scripts/test_mpc b/scripts/test_mpc index fa868cf79..a76fd18f6 100755 --- a/scripts/test_mpc +++ b/scripts/test_mpc @@ -4,7 +4,7 @@ set -x set -e POT="build/src/pot-process" -MPC="build/src/mpc-test" +MPC="build/src/mpc/mpc-test" QAP_DEGREE=8 pot_file=_test_pot-${QAP_DEGREE}.bin diff --git a/src/CMakeLists.txt b/src/CMakeLists.txt index b91d4bb89..a3865cb13 100644 --- a/src/CMakeLists.txt +++ b/src/CMakeLists.txt @@ -64,10 +64,10 @@ include_directories( ${Boost_INCLUDE_DIR} ) # so that we will find zethConfig.h include_directories( ${PROJECT_BINARY_DIR} ) -# blake2 library +# blake2 library headers get_target_property(blake2_INCLUDE_DIRS blake2 INTERFACE_INCLUDE_DIRECTORIES) -# libsodium library +# libsodium headers get_target_property(sodium_INCLUDE_DIRS sodium INTERFACE_INCLUDE_DIRECTORIES) # zeth library @@ -126,25 +126,6 @@ target_link_libraries( ${Boost_PROGRAM_OPTIONS_LIBRARY} ) -# mpc library -file(GLOB MPC_LIB_SOURCE mpc/mpc_*.?pp mpc/mpc_*.tcc) -add_library(libmpc ${MPC_LIB_SOURCE}) -target_include_directories(libmpc PUBLIC mpc) -target_link_libraries( - libmpc - zeth - ${Boost_SYSTEM_LIBRARY} - ${Boost_PROGRAM_OPTIONS_LIBRARY} -) - -# mpc utility executable -add_executable(mpc mpc/mpc.cpp) -target_link_libraries(mpc libmpc) - -# mpc test utility -add_executable(mpc-test test/mpc_test_cli.cpp) -target_link_libraries(mpc-test libmpc) - ## Tests include(CTest) @@ -191,3 +172,5 @@ target_link_libraries( ${Boost_SYSTEM_LIBRARY} ${Boost_FILESYSTEM_LIBRARY} ) + +add_subdirectory(mpc) diff --git a/src/mpc/CMakeLists.txt b/src/mpc/CMakeLists.txt new file mode 100644 index 000000000..88b33b7a1 --- /dev/null +++ b/src/mpc/CMakeLists.txt 
@@ -0,0 +1,20 @@ +# Build for mpc utilities + +# library of mpc subcommands +file(GLOB MPC_CLI_SOURCE cli/*.?pp mpc/*.tcc) +add_library(mpc-cli ${MPC_CLI_SOURCE}) +target_include_directories(mpc-cli PUBLIC cli) +target_link_libraries( + mpc-cli + zeth + ${Boost_SYSTEM_LIBRARY} + ${Boost_PROGRAM_OPTIONS_LIBRARY} +) + +# mpc administrator executable +add_executable(mpc mpc.cpp) +target_link_libraries(mpc mpc-cli) + +# mpc test utility +add_executable(mpc-test test/mpc_test_cli.cpp) +target_link_libraries(mpc-test mpc-cli) diff --git a/src/mpc/mpc_common.cpp b/src/mpc/cli/mpc_common.cpp similarity index 100% rename from src/mpc/mpc_common.cpp rename to src/mpc/cli/mpc_common.cpp diff --git a/src/mpc/mpc_common.hpp b/src/mpc/cli/mpc_common.hpp similarity index 100% rename from src/mpc/mpc_common.hpp rename to src/mpc/cli/mpc_common.hpp diff --git a/src/mpc/mpc_create_keypair.cpp b/src/mpc/cli/mpc_create_keypair.cpp similarity index 97% rename from src/mpc/mpc_create_keypair.cpp rename to src/mpc/cli/mpc_create_keypair.cpp index d95fe5e48..bec9e7526 100644 --- a/src/mpc/mpc_create_keypair.cpp +++ b/src/mpc/cli/mpc_create_keypair.cpp @@ -1,7 +1,7 @@ #include "mpc_common.hpp" -#include "snarks/groth16/mpc_phase2.hpp" -#include "snarks/groth16/mpc_utils.hpp" -#include "snarks/groth16/powersoftau_utils.hpp" +#include "snarks/groth16/mpc/mpc_utils.hpp" +#include "snarks/groth16/mpc/phase2.hpp" +#include "snarks/groth16/mpc/powersoftau_utils.hpp" #include "util.hpp" #include diff --git a/src/mpc/mpc_dummy_phase2.cpp b/src/mpc/cli/mpc_dummy_phase2.cpp similarity index 97% rename from src/mpc/mpc_dummy_phase2.cpp rename to src/mpc/cli/mpc_dummy_phase2.cpp index bb5a58311..59d3536ad 100644 --- a/src/mpc/mpc_dummy_phase2.cpp +++ b/src/mpc/cli/mpc_dummy_phase2.cpp 
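Review bot: `file(GLOB MPC_CLI_SOURCE cli/*.?pp mpc/*.tcc)` — the second pattern is relative to `src/mpc`, so it looks for `src/mpc/mpc/*.tcc`, a directory this commit does not create (the moved sources all go to `cli/`); it was probably meant to be `cli/*.tcc`, mirroring the pattern it replaces in `src/CMakeLists.txt`, and as written it silently matches nothing. Since the file list is globbed, adding `CONFIGURE_DEPENDS` (CMake >= 3.12) lets new sources under `cli/` be picked up without a manual re-run of cmake, if the project's minimum CMake version allows it. A comment naming what the library is for, e.g. `# mpc-cli: subcommand implementations shared by the mpc executables below`, would also help a reader of this new file.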
@@ -1,6 +1,6 @@ #include "mpc_common.hpp" -#include "snarks/groth16/mpc_phase2.hpp" -#include "snarks/groth16/mpc_utils.hpp" +#include "snarks/groth16/mpc/mpc_utils.hpp" +#include "snarks/groth16/mpc/phase2.hpp" #include "util.hpp" #include "zeth.h" diff --git a/src/mpc/mpc_linear_combination.cpp b/src/mpc/cli/mpc_linear_combination.cpp similarity index 98% rename from src/mpc/mpc_linear_combination.cpp rename to src/mpc/cli/mpc_linear_combination.cpp index 62f9b52ab..e074c6377 100644 --- a/src/mpc/mpc_linear_combination.cpp +++ b/src/mpc/cli/mpc_linear_combination.cpp @@ -1,6 +1,6 @@ #include "mpc_common.hpp" -#include "snarks/groth16/mpc_utils.hpp" -#include "snarks/groth16/powersoftau_utils.hpp" +#include "snarks/groth16/mpc/mpc_utils.hpp" +#include "snarks/groth16/mpc/powersoftau_utils.hpp" #include "util.hpp" #include diff --git a/src/mpc/mpc_main.cpp b/src/mpc/cli/mpc_main.cpp similarity index 100% rename from src/mpc/mpc_main.cpp rename to src/mpc/cli/mpc_main.cpp diff --git a/src/mpc/mpc_main.hpp b/src/mpc/cli/mpc_main.hpp similarity index 100% rename from src/mpc/mpc_main.hpp rename to src/mpc/cli/mpc_main.hpp diff --git a/src/mpc/mpc_phase2_begin.cpp b/src/mpc/cli/mpc_phase2_begin.cpp similarity index 97% rename from src/mpc/mpc_phase2_begin.cpp rename to src/mpc/cli/mpc_phase2_begin.cpp index 814d2b5a7..0655ee3e3 100644 --- a/src/mpc/mpc_phase2_begin.cpp +++ b/src/mpc/cli/mpc_phase2_begin.cpp @@ -1,6 +1,6 @@ #include "mpc_common.hpp" -#include "snarks/groth16/mpc_phase2.hpp" -#include "snarks/groth16/mpc_utils.hpp" +#include "snarks/groth16/mpc/mpc_utils.hpp" +#include "snarks/groth16/mpc/phase2.hpp" #include #include diff --git a/src/mpc/mpc_phase2_contribute.cpp b/src/mpc/cli/mpc_phase2_contribute.cpp similarity index 99% rename from src/mpc/mpc_phase2_contribute.cpp rename to src/mpc/cli/mpc_phase2_contribute.cpp index 88168843a..645b7bfdd 100644 --- a/src/mpc/mpc_phase2_contribute.cpp +++ b/src/mpc/cli/mpc_phase2_contribute.cpp 
@@ -1,5 +1,5 @@ #include "mpc_common.hpp" -#include "snarks/groth16/mpc_phase2.hpp" +#include "snarks/groth16/mpc/phase2.hpp" using namespace libzeth; namespace po = boost::program_options; diff --git a/src/mpc/mpc_phase2_verify_contribution.cpp b/src/mpc/cli/mpc_phase2_verify_contribution.cpp similarity index 99% rename from src/mpc/mpc_phase2_verify_contribution.cpp rename to src/mpc/cli/mpc_phase2_verify_contribution.cpp index f3ae0c782..a4d89d884 100644 --- a/src/mpc/mpc_phase2_verify_contribution.cpp +++ b/src/mpc/cli/mpc_phase2_verify_contribution.cpp @@ -1,5 +1,5 @@ #include "mpc_common.hpp" -#include "snarks/groth16/mpc_phase2.hpp" +#include "snarks/groth16/mpc/phase2.hpp" using namespace libzeth; namespace po = boost::program_options; diff --git a/src/mpc/mpc_phase2_verify_transcript.cpp b/src/mpc/cli/mpc_phase2_verify_transcript.cpp similarity index 99% rename from src/mpc/mpc_phase2_verify_transcript.cpp rename to src/mpc/cli/mpc_phase2_verify_transcript.cpp index 8b30873c1..03d594a7c 100644 --- a/src/mpc/mpc_phase2_verify_transcript.cpp +++ b/src/mpc/cli/mpc_phase2_verify_transcript.cpp @@ -1,5 +1,5 @@ #include "mpc_common.hpp" -#include "snarks/groth16/mpc_phase2.hpp" +#include "snarks/groth16/mpc/phase2.hpp" #include #include diff --git a/src/test/mpc_test_cli.cpp b/src/mpc/test/mpc_test_cli.cpp similarity index 100% rename from src/test/mpc_test_cli.cpp rename to src/mpc/test/mpc_test_cli.cpp diff --git a/src/pot_process/pot_process.cpp b/src/pot_process/pot_process.cpp index 1fc17c5d1..237c837d7 100644 --- a/src/pot_process/pot_process.cpp +++ b/src/pot_process/pot_process.cpp @@ -1,7 +1,7 @@ /// Small utility to check powersoftau output and to compute the evaluation of /// Lagrange polynomials at tau. -#include "snarks/groth16/powersoftau_utils.hpp" +#include "snarks/groth16/mpc/powersoftau_utils.hpp" #include #include 
diff --git a/src/snarks/groth16/response.hpp b/src/snarks/groth16/api/response.hpp similarity index 95% rename from src/snarks/groth16/response.hpp rename to src/snarks/groth16/api/response.hpp index a427dfda0..423f4d6a5 100644 --- a/src/snarks/groth16/response.hpp +++ b/src/snarks/groth16/api/response.hpp @@ -24,6 +24,6 @@ void PrepareVerifyingKeyResponse( VerificationKey *message); } // namespace libzeth -#include "snarks/groth16/response.tcc" +#include "response.tcc" #endif // __ZETH_RESPONSE_HPP__ diff --git a/src/snarks/groth16/response.tcc b/src/snarks/groth16/api/response.tcc similarity index 100% rename from src/snarks/groth16/response.tcc rename to src/snarks/groth16/api/response.tcc diff --git a/src/snarks/groth16/computation.hpp b/src/snarks/groth16/core/computation.hpp similarity index 94% rename from src/snarks/groth16/computation.hpp rename to src/snarks/groth16/core/computation.hpp index 8b17693bc..9cdc3e4b5 100644 --- a/src/snarks/groth16/computation.hpp +++ b/src/snarks/groth16/core/computation.hpp @@ -26,6 +26,6 @@ bool verify( } // namespace libzeth -#include "snarks/groth16/computation.tcc" +#include "snarks/groth16/core/computation.tcc" #endif // __ZETH_COMPUTATION_HPP__ diff --git a/src/snarks/groth16/computation.tcc b/src/snarks/groth16/core/computation.tcc similarity index 100% rename from src/snarks/groth16/computation.tcc rename to src/snarks/groth16/core/computation.tcc diff --git a/src/snarks/groth16/helpers.hpp b/src/snarks/groth16/core/helpers.hpp similarity index 96% rename from src/snarks/groth16/helpers.hpp rename to src/snarks/groth16/core/helpers.hpp index c7c271e84..1fdf90dbc 100644 --- a/src/snarks/groth16/helpers.hpp +++ b/src/snarks/groth16/core/helpers.hpp @@ -37,6 +37,6 @@ void proofToJson( libsnark::r1cs_gg_ppzksnark_proof proof, boost::filesystem::path path); } // namespace libzeth -#include "snarks/groth16/helpers.tcc" +#include "snarks/groth16/core/helpers.tcc" #endif // __ZETH_HELPERS_HPP__ 
diff --git a/src/snarks/groth16/helpers.tcc b/src/snarks/groth16/core/helpers.tcc similarity index 100% rename from src/snarks/groth16/helpers.tcc rename to src/snarks/groth16/core/helpers.tcc diff --git a/src/snarks/groth16/evaluator_from_lagrange.hpp b/src/snarks/groth16/mpc/evaluator_from_lagrange.hpp similarity index 100% rename from src/snarks/groth16/evaluator_from_lagrange.hpp rename to src/snarks/groth16/mpc/evaluator_from_lagrange.hpp diff --git a/src/snarks/groth16/evaluator_from_lagrange.tcc b/src/snarks/groth16/mpc/evaluator_from_lagrange.tcc similarity index 100% rename from src/snarks/groth16/evaluator_from_lagrange.tcc rename to src/snarks/groth16/mpc/evaluator_from_lagrange.tcc diff --git a/src/snarks/groth16/mpc_utils.hpp b/src/snarks/groth16/mpc/mpc_utils.hpp similarity index 98% rename from src/snarks/groth16/mpc_utils.hpp rename to src/snarks/groth16/mpc/mpc_utils.hpp index 4944cc0fe..877c306d8 100644 --- a/src/snarks/groth16/mpc_utils.hpp +++ b/src/snarks/groth16/mpc/mpc_utils.hpp @@ -71,6 +71,6 @@ srs_mpc_layer_L1 mpc_compute_linearcombination( } // namespace libzeth -#include "snarks/groth16/mpc_utils.tcc" +#include "snarks/groth16/mpc/mpc_utils.tcc" #endif // __ZETH_SNARKS_GROTH16_MPC_UTILS_HPP__ diff --git a/src/snarks/groth16/mpc_utils.tcc b/src/snarks/groth16/mpc/mpc_utils.tcc similarity index 99% rename from src/snarks/groth16/mpc_utils.tcc rename to src/snarks/groth16/mpc/mpc_utils.tcc index 644a98ea7..9badf698d 100644 --- a/src/snarks/groth16/mpc_utils.tcc +++ b/src/snarks/groth16/mpc/mpc_utils.tcc @@ -4,6 +4,7 @@ #include "evaluator_from_lagrange.hpp" #include "mpc_utils.hpp" #include "multi_exp.hpp" +#include "phase2.hpp" #include "util.hpp" #include diff --git a/src/snarks/groth16/multi_exp.hpp b/src/snarks/groth16/mpc/multi_exp.hpp similarity index 93% rename from src/snarks/groth16/multi_exp.hpp rename to src/snarks/groth16/mpc/multi_exp.hpp index ca1388895..6daa605ae 100644 --- a/src/snarks/groth16/multi_exp.hpp 
+++ b/src/snarks/groth16/mpc/multi_exp.hpp @@ -19,6 +19,6 @@ GroupT multi_exp( } // namespace libzeth -#include "snarks/groth16/multi_exp.tcc" +#include "snarks/groth16/mpc/multi_exp.tcc" #endif // __ZETH_SNARKS_GRPOTH16_MULTI_EXP_HPP__ diff --git a/src/snarks/groth16/multi_exp.tcc b/src/snarks/groth16/mpc/multi_exp.tcc similarity index 96% rename from src/snarks/groth16/multi_exp.tcc rename to src/snarks/groth16/mpc/multi_exp.tcc index e7a541fe1..eea38df81 100644 --- a/src/snarks/groth16/multi_exp.tcc +++ b/src/snarks/groth16/mpc/multi_exp.tcc @@ -1,7 +1,7 @@ #ifndef __ZETH_SNARKS_GROTH16_MULTI_EXP_TCC__ #define __ZETH_SNARKS_GROTH16_MULTI_EXP_TCC__ -#include "snarks/groth16/multi_exp.hpp" +#include "snarks/groth16/mpc/multi_exp.hpp" namespace libzeth { diff --git a/src/snarks/groth16/mpc_phase2.cpp b/src/snarks/groth16/mpc/phase2.cpp similarity index 99% rename from src/snarks/groth16/mpc_phase2.cpp rename to src/snarks/groth16/mpc/phase2.cpp index 6b59a06f1..cf9a6dc96 100644 --- a/src/snarks/groth16/mpc_phase2.cpp +++ b/src/snarks/groth16/mpc/phase2.cpp @@ -1,4 +1,4 @@ -#include "snarks/groth16/mpc_phase2.hpp" +#include "snarks/groth16/mpc/phase2.hpp" namespace libzeth { diff --git a/src/snarks/groth16/mpc_phase2.hpp b/src/snarks/groth16/mpc/phase2.hpp similarity index 99% rename from src/snarks/groth16/mpc_phase2.hpp rename to src/snarks/groth16/mpc/phase2.hpp index 625d60f26..b1038e89c 100644 --- a/src/snarks/groth16/mpc_phase2.hpp +++ b/src/snarks/groth16/mpc/phase2.hpp @@ -340,6 +340,6 @@ libsnark::r1cs_gg_ppzksnark_keypair mpc_read_keypair(std::istream &in); } // namespace libzeth -#include "snarks/groth16/mpc_phase2.tcc" +#include "snarks/groth16/mpc/phase2.tcc" #endif // __ZETH_SNARKS_GROTH16_MPC_PHASE2_HPP__ diff --git a/src/snarks/groth16/mpc_phase2.tcc b/src/snarks/groth16/mpc/phase2.tcc similarity index 99% rename from src/snarks/groth16/mpc_phase2.tcc rename to src/snarks/groth16/mpc/phase2.tcc index 0bc6d85d3..c2b135288 100644 
--- a/src/snarks/groth16/mpc_phase2.tcc +++ b/src/snarks/groth16/mpc/phase2.tcc @@ -1,11 +1,10 @@ #ifndef __ZETH_SNARKS_GROTH16_MPC_PHASE2_TCC__ #define __ZETH_SNARKS_GROTH16_MPC_PHASE2_TCC__ +#include "chacha_rng.hpp" #include "libff/common/rng.hpp" -#include "snarks/groth16/mpc/chacha_rng.hpp" -#include "snarks/groth16/mpc_phase2.hpp" -#include "snarks/groth16/mpc_utils.hpp" -#include "snarks/groth16/powersoftau_utils.hpp" +#include "mpc_utils.hpp" +#include "powersoftau_utils.hpp" #include "util.hpp" namespace libzeth diff --git a/src/snarks/groth16/powersoftau_utils.cpp b/src/snarks/groth16/mpc/powersoftau_utils.cpp similarity index 100% rename from src/snarks/groth16/powersoftau_utils.cpp rename to src/snarks/groth16/mpc/powersoftau_utils.cpp diff --git a/src/snarks/groth16/powersoftau_utils.hpp b/src/snarks/groth16/mpc/powersoftau_utils.hpp similarity index 99% rename from src/snarks/groth16/powersoftau_utils.hpp rename to src/snarks/groth16/mpc/powersoftau_utils.hpp index cf6d8693a..ee1311f47 100644 --- a/src/snarks/groth16/powersoftau_utils.hpp +++ b/src/snarks/groth16/mpc/powersoftau_utils.hpp @@ -170,6 +170,6 @@ srs_lagrange_evaluations powersoftau_compute_lagrange_evaluations( } // namespace libzeth -#include "snarks/groth16/powersoftau_utils.tcc" +#include "snarks/groth16/mpc/powersoftau_utils.tcc" #endif // __ZETH_SNARKS_GROTH_POWERSOFTAU_UTILS_HPP__ diff --git a/src/snarks/groth16/powersoftau_utils.tcc b/src/snarks/groth16/mpc/powersoftau_utils.tcc similarity index 99% rename from src/snarks/groth16/powersoftau_utils.tcc rename to src/snarks/groth16/mpc/powersoftau_utils.tcc index 911bfbca0..0fcebf124 100644 --- a/src/snarks/groth16/powersoftau_utils.tcc +++ b/src/snarks/groth16/mpc/powersoftau_utils.tcc 
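Review bot: This hunk switches `phase2.tcc` to bare relative includes (`"chacha_rng.hpp"`, `"mpc_utils.hpp"`, `"powersoftau_utils.hpp"`), while the other files moved in this commit (`multi_exp.tcc`, `powersoftau_utils.tcc`, `phase2.hpp`) keep full `snarks/groth16/mpc/...` paths; pick one convention for the `mpc/` directory. The include of the owning header (`mpc_phase2.hpp`) is dropped rather than renamed to `phase2.hpp`; that only works because `phase2.hpp` includes this `.tcc` at its end, so `// Included from phase2.hpp at the end of the header; do not include directly.` at the top would make that contract explicit (the sibling `.tcc` files in this commit still include their own `.hpp`).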
@@ -1,7 +1,7 @@ #ifndef __ZETH_SNARKS_GROTH16_POWERSOFTAU_UTILS_TCC__ #define __ZETH_SNARKS_GROTH16_POWERSOFTAU_UTILS_TCC__ -#include "snarks/groth16/powersoftau_utils.hpp" +#include "snarks/groth16/mpc/powersoftau_utils.hpp" #include "util.hpp" #include diff --git a/src/snarks/pghr13/computation.hpp b/src/snarks/pghr13/core/computation.hpp similarity index 100% rename from src/snarks/pghr13/computation.hpp rename to src/snarks/pghr13/core/computation.hpp diff --git a/src/snarks/pghr13/computation.tcc b/src/snarks/pghr13/core/computation.tcc similarity index 100% rename from src/snarks/pghr13/computation.tcc rename to src/snarks/pghr13/core/computation.tcc diff --git a/src/snarks/pghr13/helpers.hpp b/src/snarks/pghr13/core/helpers.hpp similarity index 100% rename from src/snarks/pghr13/helpers.hpp rename to src/snarks/pghr13/core/helpers.hpp diff --git a/src/snarks/pghr13/helpers.tcc b/src/snarks/pghr13/core/helpers.tcc similarity index 100% rename from src/snarks/pghr13/helpers.tcc rename to src/snarks/pghr13/core/helpers.tcc diff --git a/src/snarks/pghr13/response.hpp b/src/snarks/pghr13/core/response.hpp similarity index 100% rename from src/snarks/pghr13/response.hpp rename to src/snarks/pghr13/core/response.hpp diff --git a/src/snarks/pghr13/response.tcc b/src/snarks/pghr13/core/response.tcc similarity index 100% rename from src/snarks/pghr13/response.tcc rename to src/snarks/pghr13/core/response.tcc diff --git a/src/snarks_api_imports.hpp b/src/snarks_api_imports.hpp index 0db7c21e7..1f2de91ec 100644 --- a/src/snarks_api_imports.hpp +++ b/src/snarks_api_imports.hpp @@ -2,9 +2,9 @@ #define __ZETH_SNARKS_API_IMPORTS_HPP__ #ifdef ZKSNARK_PGHR13 -#include "snarks/pghr13/response.hpp" +#include "snarks/pghr13/api/response.hpp" #elif ZKSNARK_GROTH16 -#include "snarks/groth16/response.hpp" +#include "snarks/groth16/api/response.hpp" #else #error You must define one of the SNARK_* symbols indicated into the CMakelists.txt file. #endif 
diff --git a/src/snarks_core_imports.hpp b/src/snarks_core_imports.hpp index 9859245fa..5738f9db2 100644 --- a/src/snarks_core_imports.hpp +++ b/src/snarks_core_imports.hpp @@ -2,13 +2,13 @@ #define __ZETH_SNARKS_CORE_IMPORTS_HPP__ #ifdef ZKSNARK_PGHR13 -#include "snarks/pghr13/computation.hpp" -#include "snarks/pghr13/helpers.hpp" +#include "snarks/pghr13/core/computation.hpp" +#include "snarks/pghr13/core/helpers.hpp" #elif ZKSNARK_GROTH16 -#include "snarks/groth16/computation.hpp" -#include "snarks/groth16/helpers.hpp" -#include "snarks/groth16/mpc_phase2.hpp" -#include "snarks/groth16/mpc_utils.hpp" +#include "snarks/groth16/core/computation.hpp" +#include "snarks/groth16/core/helpers.hpp" +#include "snarks/groth16/mpc/mpc_utils.hpp" +#include "snarks/groth16/mpc/phase2.hpp" #else #error You must define one of the SNARK_* symbols indicated into the CMakelists.txt file. #endif diff --git a/src/test/mpc_test.cpp b/src/test/mpc_test.cpp index 379022bcc..87d412fd8 100644 --- a/src/test/mpc_test.cpp +++ b/src/test/mpc_test.cpp @@ -1,11 +1,11 @@ #include "circuit-wrapper.hpp" #include "circuits/sha256/sha256_ethereum.hpp" -#include "snarks/groth16/evaluator_from_lagrange.hpp" #include "snarks/groth16/mpc/chacha_rng.hpp" -#include "snarks/groth16/mpc_phase2.hpp" -#include "snarks/groth16/mpc_utils.hpp" -#include "snarks/groth16/multi_exp.hpp" -#include "snarks/groth16/powersoftau_utils.hpp" +#include "snarks/groth16/mpc/evaluator_from_lagrange.hpp" +#include "snarks/groth16/mpc/mpc_utils.hpp" +#include "snarks/groth16/mpc/multi_exp.hpp" +#include "snarks/groth16/mpc/phase2.hpp" +#include "snarks/groth16/mpc/powersoftau_utils.hpp" #include "test/simple_test.hpp" #include "util.hpp" diff --git a/src/test/powersoftau_test.cpp b/src/test/powersoftau_test.cpp index 92099200a..56f430e4d 100644 --- a/src/test/powersoftau_test.cpp +++ b/src/test/powersoftau_test.cpp 
@@ -1,6 +1,6 @@
-#include "snarks/groth16/evaluator_from_lagrange.hpp"
-#include "snarks/groth16/powersoftau_utils.hpp"
+#include "snarks/groth16/mpc/evaluator_from_lagrange.hpp"
+#include "snarks/groth16/mpc/powersoftau_utils.hpp"
 #include "util.hpp"
 #include
diff --git a/src/util.tcc b/src/util.tcc
index 18425665b..34a8e76b2 100644
--- a/src/util.tcc
+++ b/src/util.tcc
@@ -1,6 +1,8 @@
 #ifndef __ZETH_UTIL_TCC__
 #define __ZETH_UTIL_TCC__
+#include "util.hpp"
+
 namespace libzeth {
From f638f90c8872102446903d71be51369f7e7b8e62 Mon Sep 17 00:00:00 2001
From: Duncan Tebbs
Date: Wed, 18 Sep 2019 13:00:56 +0100
Subject: [PATCH 6/8] mpc: create separate administrator and client tools
---
src/mpc/CMakeLists.txt | 4 ++
src/mpc/cli/mpc_common.cpp | 79 ++++++++++++++++++++++++++++
src/mpc/cli/mpc_common.hpp | 23 +++++++-
src/mpc/cli/mpc_main.cpp | 98 -----------------------------------
src/mpc/cli/mpc_main.hpp | 14 -----
src/mpc/mpc.cpp | 13 ++++-
src/mpc/mpc_client.cpp | 31 +++++++++++
src/mpc/test/mpc_test_cli.cpp | 13 ++++-
8 files changed, 158 insertions(+), 117 deletions(-)
delete mode 100644 src/mpc/cli/mpc_main.cpp
delete mode 100644 src/mpc/cli/mpc_main.hpp
create mode 100644 src/mpc/mpc_client.cpp
diff --git a/src/mpc/CMakeLists.txt b/src/mpc/CMakeLists.txt
index 88b33b7a1..423c6490b 100644
--- a/src/mpc/CMakeLists.txt
+++ b/src/mpc/CMakeLists.txt
@@ -15,6 +15,10 @@ target_link_libraries(
 add_executable(mpc mpc.cpp)
 target_link_libraries(mpc mpc-cli)
+# mpc client executable
+add_executable(mpc-client mpc_client.cpp)
+target_link_libraries(mpc-client mpc-cli)
+
 # mpc test utility
 add_executable(mpc-test test/mpc_test_cli.cpp)
 target_link_libraries(mpc-test mpc-cli)
diff --git a/src/mpc/cli/mpc_common.cpp b/src/mpc/cli/mpc_common.cpp
index fe3a9237e..1bc6c6b20 100644
--- a/src/mpc/cli/mpc_common.cpp
+++ b/src/mpc/cli/mpc_common.cpp
@@ -66,3 +66,82 @@ void subcommand::usage(const po::options_description &options)
 subcommand_usage();
 std::cout << options << std::endl;
 }
+
+int mpc_main(
+ int argc,
+ char **argv,
+ const std::map &commands,
+ ProtoboardInitFn pb_init)
+{
+ ppT::init_public_params();
+ po::options_description global("");
+ global.add_options()("help,h", "This help")("verbose,v", "Verbose output");
+
+ po::options_description all("");
+ all.add(global).add_options()(
+ "command", po::value(), "Command to execute")(
+ "subargs",
+ po::value>(),
+ "Arguments to command");
+
+ po::positional_options_description pos;
+ pos.add("command", 1).add("subargs", -1);
+
+ auto usage = [&argv, &global, &commands]() {
+ std::cout << "Usage:\n"
+ << " " << argv[0]
+ << " [] ...\n\n"
+ << global;
+
+ std::cout << "\nCommands:\n";
+ for (const auto &cmd : commands) {
+ std::cout << " " << cmd.first;
+ }
+ std::cout << std::endl;
+ };
+
+ try {
+ po::variables_map vm;
+ po::parsed_options parsed = po::command_line_parser(argc, argv)
+ .options(all)
+ .positional(pos)
+ .allow_unregistered()
+ .run();
+ po::store(parsed, vm);
+
+ if (vm.count("help")) {
+ usage();
+ return 0;
+ }
+
+ const bool verbose = (bool)vm.count("verbose");
+ if (!verbose) {
+ libff::inhibit_profiling_info = true;
+ libff::inhibit_profiling_counters = true;
+ }
+
+ if (0 == vm.count("command")) {
+ std::cerr << "error: no command specified\n";
+ usage();
+ return 1;
+ }
+
+ const std::string command(vm["command"].as());
+ std::vector subargs =
+ po::collect_unrecognized(parsed.options, po::include_positional);
+ subargs[0] = std::string(argv[0]) + " " + subargs[0];
+
+ subcommand *sub = commands.find(command)->second;
+ if (sub == nullptr) {
+ throw po::error("invalid command");
+ }
+
+ sub->set_global_options(verbose, pb_init);
+ return sub->execute(subargs);
+ } catch (po::error &error) {
+ std::cerr << " ERROR: " << error.what() << std::endl;
+ usage();
+ }
+
+ return 1;
+}
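Review bot: `subcommand *sub = commands.find(command)->second;` dereferences `end()` whenever the command name given on the command line is not a key of `commands`, so an unknown command is undefined behaviour instead of the `invalid command` error the following null check intends; that check only covers a map entry whose pointer is null. Replace the lookup with `const auto it = commands.find(command); if (it == commands.end() || it->second == nullptr) { throw po::error("invalid command"); }` so the existing `catch (po::error &)` reports it and prints the usage text. The body was moved here from the deleted src/mpc/cli/mpc_main.cpp, so the defect predates this commit, but this function is now the single entry point for the admin, client and test binaries and the first place untrusted argv is interpreted. `subargs[0]` is also assigned without a size check; it is presumably non-empty once `command` was parsed as a positional, but a one-line comment stating that assumption would help the next reader.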
diff --git a/src/mpc/cli/mpc_common.hpp b/src/mpc/cli/mpc_common.hpp
index c09bdd984..4221cf8ac 100644
--- a/src/mpc/cli/mpc_common.hpp
+++ b/src/mpc/cli/mpc_common.hpp
@@ -1,13 +1,19 @@
 #ifndef __ZETH_MPC_MPC_COMMON_HPP__
 #define __ZETH_MPC_MPC_COMMON_HPP__
-#include "mpc_main.hpp"
+#include "include_libsnark.hpp"
 #include
 #include
+#include
 #include
 #include
+using ppT = libff::default_ec_pp;
+using FieldT = libff::Fr;
+
+using ProtoboardInitFn = std::function &)>;
+
 class subcommand
 {
 protected:
@@ -49,4 +55,19 @@ template inline T read_from_file(const std::string &file_name)
 return T::read(in);
 }
+extern subcommand *mpc_linear_combination_cmd;
+extern subcommand *mpc_dummy_phase2_cmd;
+extern subcommand *mpc_phase2_begin_cmd;
+extern subcommand *mpc_phase2_contribute_cmd;
+extern subcommand *mpc_phase2_verify_contribution_cmd;
+extern subcommand *mpc_phase2_verify_transcript_cmd;
+extern subcommand *mpc_create_keypair_cmd;
+
+/// Main entry point into the mpc command for a given circuit.
+int mpc_main(
+ int argc,
+ char **argv,
+ const std::map &commands,
+ ProtoboardInitFn pb_init);
+
 #endif // __ZETH_MPC_MPC_COMMON_HPP__
diff --git a/src/mpc/cli/mpc_main.cpp b/src/mpc/cli/mpc_main.cpp
deleted file mode 100644
index 0ef91790c..000000000
--- a/src/mpc/cli/mpc_main.cpp
+++ /dev/null
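Review bot: The seven `extern subcommand *…_cmd` declarations and the new `commands` parameter of `mpc_main` carry no comment on their contract, even though every executable in this commit (mpc.cpp, mpc_client.cpp, mpc_test_cli.cpp) now assembles its own table from them and the set of entries decides which operations a binary exposes. The `///` line above `mpc_main` could state what the implementation in mpc_common.cpp relies on: `/// commands: name -> subcommand. The names are what the usage text lists; a null entry is rejected with "invalid command".` A short comment above the extern block, e.g. `/// Subcommand objects defined outside this header; each executable selects the subset it exposes via mpc_main.`, would make the header self-explanatory to someone deciding which commands a client-only binary should carry.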
@@ -1,98 +0,0 @@
-#include "mpc_common.hpp"
-
-#include
-
-namespace po = boost::program_options;
-
-extern subcommand *mpc_linear_combination_cmd;
-extern subcommand *mpc_dummy_phase2_cmd;
-extern subcommand *mpc_phase2_begin_cmd;
-extern subcommand *mpc_phase2_contribute_cmd;
-extern subcommand *mpc_phase2_verify_contribution_cmd;
-extern subcommand *mpc_phase2_verify_transcript_cmd;
-extern subcommand *mpc_create_keypair_cmd;
-
-int mpc_main(int argc, char **argv, ProtoboardInitFn pb_init)
-{
- ppT::init_public_params();
- po::options_description global("");
- global.add_options()("help,h", "This help")("verbose,v", "Verbose output");
-
- po::options_description all("");
- all.add(global).add_options()(
- "command", po::value(), "Command to execute")(
- "subargs",
- po::value>(),
- "Arguments to command");
-
- po::positional_options_description pos;
- pos.add("command", 1).add("subargs", -1);
-
- const std::map commands{
- {"linear-combination", mpc_linear_combination_cmd},
- {"dummy-phase2", mpc_dummy_phase2_cmd},
- {"phase2-begin", mpc_phase2_begin_cmd},
- {"phase2-contribute", mpc_phase2_contribute_cmd},
- {"phase2-verify-contribution", mpc_phase2_verify_contribution_cmd},
- {"phase2-verify-transcript", mpc_phase2_verify_transcript_cmd},
- {"create-keypair", mpc_create_keypair_cmd},
- };
-
- auto usage = [&argv, &global, &commands]() {
- std::cout << "Usage:\n"
- << " " << argv[0]
- << " [] ...\n\n"
- << global;
-
- std::cout << "\nCommands:\n";
- for (const auto &cmd : commands) {
- std::cout << " " << cmd.first;
- }
- std::cout << std::endl;
- };
-
- try {
- po::variables_map vm;
- po::parsed_options parsed = po::command_line_parser(argc, argv)
- .options(all)
- .positional(pos)
- .allow_unregistered()
- .run();
- po::store(parsed, vm);
-
- if (vm.count("help")) {
- usage();
- return 0;
- }
-
- const bool verbose = (bool)vm.count("verbose");
- if (!verbose) {
- libff::inhibit_profiling_info = true;
- libff::inhibit_profiling_counters = true;
- }
-
- if (0
== vm.count("command")) {
- std::cerr << "error: no command specified\n";
- usage();
- return 1;
- }
-
- const std::string command(vm["command"].as());
- std::vector subargs =
- po::collect_unrecognized(parsed.options, po::include_positional);
- subargs[0] = std::string(argv[0]) + " " + subargs[0];
-
- subcommand *sub = commands.find(command)->second;
- if (sub == nullptr) {
- throw po::error("invalid command");
- }
-
- sub->set_global_options(verbose, pb_init);
- return sub->execute(subargs);
- } catch (po::error &error) {
- std::cerr << " ERROR: " << error.what() << std::endl;
- usage();
- }
-
- return 1;
-}
diff --git a/src/mpc/cli/mpc_main.hpp b/src/mpc/cli/mpc_main.hpp
deleted file mode 100644
index c7c4f0db4..000000000
--- a/src/mpc/cli/mpc_main.hpp
+++ /dev/null
@@ -1,14 +0,0 @@
-#ifndef __ZETH_MPC_MPC_MAIN_HPP__
-#define __ZETH_MPC_MPC_MAIN_HPP__
-
-#include "include_libsnark.hpp"
-
-using ppT = libff::default_ec_pp;
-using FieldT = libff::Fr;
-
-using ProtoboardInitFn = std::function &)>;
-
-/// Main entry point into the mpc command for a given circuit.
-int mpc_main(int argc, char **argv, ProtoboardInitFn pb_init);
-
-#endif // __ZETH_MPC_MPC_COMMON_HPP__
diff --git a/src/mpc/mpc.cpp b/src/mpc/mpc.cpp
index 6d9e2be80..49dccaa60 100644
--- a/src/mpc/mpc.cpp
+++ b/src/mpc/mpc.cpp
@@ -1,5 +1,5 @@
 #include "circuit-wrapper.hpp"
-#include "mpc_main.hpp"
+#include "mpc_common.hpp"
 void zeth_protoboard(libsnark::protoboard &pb)
 {
@@ -18,5 +18,14 @@ void zeth_protoboard(libsnark::protoboard &pb)
 int main(int argc, char **argv)
 {
- return mpc_main(argc, argv, zeth_protoboard);
+ const std::map commands{
+ {"linear-combination", mpc_linear_combination_cmd},
+ {"dummy-phase2", mpc_dummy_phase2_cmd},
+ {"phase2-begin", mpc_phase2_begin_cmd},
+ {"phase2-contribute", mpc_phase2_contribute_cmd},
+ {"phase2-verify-contribution", mpc_phase2_verify_contribution_cmd},
+ {"phase2-verify-transcript", mpc_phase2_verify_transcript_cmd},
+ {"create-keypair", mpc_create_keypair_cmd},
+ };
+ return mpc_main(argc, argv, commands, zeth_protoboard);
 }
diff --git a/src/mpc/mpc_client.cpp b/src/mpc/mpc_client.cpp
new file mode 100644
index 000000000..1d2dbeb6e
--- /dev/null
+++ b/src/mpc/mpc_client.cpp
@@ -0,0 +1,31 @@
+// Utility for executing operations that are only required by "clients" (that
+// is, participants in the MPC that only contribute and potentially validate
+// the final transcript.
+
+#include "circuit-wrapper.hpp"
+#include "mpc_common.hpp"
+
+void zeth_protoboard(libsnark::protoboard &pb)
+{
+ using HashTreeT = MiMC_mp_gadget;
+ using HashT = sha256_ethereum;
+
+ joinsplit_gadget<
+ FieldT,
+ HashT,
+ HashTreeT,
+ ZETH_NUM_JS_INPUTS,
+ ZETH_NUM_JS_OUTPUTS>
+ js(pb);
+ js.generate_r1cs_constraints();
+}
+
+int main(int argc, char **argv)
+{
+ const std::map commands{
+ {"phase2-contribute", mpc_phase2_contribute_cmd},
+ {"phase2-verify-transcript", mpc_phase2_verify_transcript_cmd},
+ {"create-keypair", mpc_create_keypair_cmd},
+ };
+ return mpc_main(argc, argv, commands, zeth_protoboard);
+}
diff --git a/src/mpc/test/mpc_test_cli.cpp b/src/mpc/test/mpc_test_cli.cpp
index a550b62ad..60427b402 100644
--- a/src/mpc/test/mpc_test_cli.cpp
+++ b/src/mpc/test/mpc_test_cli.cpp
@@ -1,4 +1,4 @@
-#include "mpc_main.hpp"
+#include "mpc_common.hpp"
 #include "test/simple_test.hpp"
 void simple_protoboard(libsnark::protoboard &pb)
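Review bot: `zeth_protoboard` in the new mpc_client.cpp is a verbatim copy of the function of the same name in mpc.cpp (same `joinsplit_gadget` instantiation, same local `HashT`/`HashTreeT` aliases, same `ZETH_NUM_JS_*` parameters). The circuit a client contributes to presumably has to be identical to the one the administrator binary sets up and verifies, and nothing in the MPC tooling would flag the two copies drifting apart, so define the function once in a source both executables link (the mpc-cli library they already share would be a natural home) and pass that one function to `mpc_main`. The same duplication applies to the seven-entry command table, which mpc.cpp and src/mpc/test/mpc_test_cli.cpp (its hunk follows this one) spell out independently; a shared "all commands" table would keep them in step. The file comment also has an unbalanced parenthesis: `// the final transcript).` closes it.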
@@ -8,5 +8,14 @@ void simple_protoboard(libsnark::protoboard &pb)
 int main(int argc, char **argv)
 {
- return mpc_main(argc, argv, simple_protoboard);
+ const std::map commands{
+ {"linear-combination", mpc_linear_combination_cmd},
+ {"dummy-phase2", mpc_dummy_phase2_cmd},
+ {"phase2-begin", mpc_phase2_begin_cmd},
+ {"phase2-contribute", mpc_phase2_contribute_cmd},
+ {"phase2-verify-contribution", mpc_phase2_verify_contribution_cmd},
+ {"phase2-verify-transcript", mpc_phase2_verify_transcript_cmd},
+ {"create-keypair", mpc_create_keypair_cmd},
+ };
+ return mpc_main(argc, argv, commands, simple_protoboard);
 }
From 60934f857e8519e236ea8c14bc221303b7558ac7 Mon Sep 17 00:00:00 2001
From: Duncan Tebbs
Date: Wed, 18 Sep 2019 19:07:53 +0100
Subject: [PATCH 7/8] ci: faster builds for non-PR commits
---
scripts/ci | 23 ++++++++++++++++++-----
1 file changed, 18 insertions(+), 5 deletions(-)
diff --git a/scripts/ci b/scripts/ci
index f4c2d8a80..f963e28c2 100755
--- a/scripts/ci
+++ b/scripts/ci
@@ -25,6 +25,7 @@ function command_tests() {
 function build() {
 build_type=$1
+ full=$2
 # Enable warnings-as-errors
 cxx_flags="-Werror"
@@ -41,7 +42,9 @@ function build() {
 fi
 cmake_flags="-DCMAKE_BUILD_TYPE=${build_type}"
- # cmake_flags="${cmake_flags} -DFAST_TESTS_ONLY=ON"
+ if ! [ "1" == "${full}" ] ; then
+ cmake_flags="${cmake_flags} -DFAST_TESTS_ONLY=ON"
+ fi
 . setup_env.sh
 mkdir -p build
@@ -57,11 +60,21 @@ function build() {
 }
 function ci() {
- build $1
+ build $1 $2
 command_tests
 }
-if [ "${CI_CHECK_FORMAT}" == "1" ] ; then
+build_type=$1
+full_build=$2
+if [ "" == "${full_build}" ] ; then
+ if [ "false" == "${TRAVIS_PULL_REQUEST}" ] || [ "" == "${TRAVIS_PULL_REQUEST}" ] ; then
+ full_build=0
+ else
+ full_build=1
+ fi
+fi
+
+if [ "1" == "${CI_CHECK_FORMAT}" ] ; then
 format_check
 fi
@@ -70,7 +83,7 @@ fi
 if [ "${CI_USE_DOCKER}" == "1" ] ; then
 docker pull clearmatics/zeth-base:latest
 docker build -f Dockerfile-zeth -t zeth-dev .
- docker run -t -p 50051:50051 --name zeth zeth-dev:latest $0 $@
+ docker run -t -p 50051:50051 --name zeth zeth-dev:latest $0 ${build_type} ${full_build}
 else
- ci $@
+ ci $build_type ${build_type} ${full_build}
 fi
From 12dcec92445530954d101bba285fbf22e956beed Mon Sep 17 00:00:00 2001
From: Duncan Tebbs
Date: Thu, 19 Sep 2019 10:23:57 +0100
Subject: [PATCH 8/8] move type definitions to a single file, shared by all executables
---
src/circuit_types.hpp | 23 +++++++++++++++++++++++
src/circuits/sha256/sha256_ethereum.hpp | 6 ------
src/mpc/cli/mpc_common.hpp | 5 +----
src/mpc/mpc.cpp | 3 ---
src/mpc/mpc_client.cpp | 3 ---
src/pot_process/pot_process.cpp | 2 +-
src/prover_server/prover_server.cpp | 10 +--------
src/snarks/groth16/core/helpers.hpp | 5 -----
src/snarks/pghr13/core/helpers.hpp | 4 ----
src/test/commitments_test.cpp | 9 +++++----
src/test/mpc_test.cpp | 2 +-
src/types/merkle_tree_field.hpp | 3 ---
src/util_api.hpp | 2 --
13 files changed, 32 insertions(+), 45 deletions(-)
create mode 100644 src/circuit_types.hpp
diff --git a/src/circuit_types.hpp b/src/circuit_types.hpp
new file mode 100644
index 000000000..089a7abb1
--- /dev/null
+++ b/src/circuit_types.hpp
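Review bot: `ci $build_type ${build_type} ${full_build}` passes the build type twice, so inside `ci` (defined in the previous hunk as `build $1 $2`) `$2` is the build type and `build` receives `full=<build type>`; the check `! [ "1" == "${full}" ]` then always enables `FAST_TESTS_ONLY` on the non-docker path, and the PR detection added above never produces a full build there. The line should read `ci ${build_type} ${full_build}`, matching the argument list the docker branch forwards with `$0 ${build_type} ${full_build}`. Quoting both expansions (`"${build_type}" "${full_build}"`) would also keep an empty `full_build` from shifting the positional parameters.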
@@ -0,0 +1,23 @@
+#ifndef __ZETH_CIRCUIT_TYPES_HPP__
+#define __ZETH_CIRCUIT_TYPES_HPP__
+
+#include "circuit-wrapper.hpp"
+#include "include_libsnark.hpp"
+
+// Types that must be common across all executable, defined once here. Outside
+// of tests, these should not be set anywhere else in the code. Do not include
+// this file in code that is generic (parameterized on ppT or FieldT).
+
+// Use the pairing from build configuration
+using ppT = libff::default_ec_pp;
+
+// Field type for the pairing.
+using FieldT = libff::Fr;
+
+// Primary hash function
+using HashT = sha256_ethereum;
+
+// Hash function to be used in the Merkle Tree
+using HashTreeT = MiMC_mp_gadget;
+
+#endif // __ZETH_CIRCUIT_TYPES_HPP__
diff --git a/src/circuits/sha256/sha256_ethereum.hpp b/src/circuits/sha256/sha256_ethereum.hpp
index 0eb86acf6..cf35e7c60 100644
--- a/src/circuits/sha256/sha256_ethereum.hpp
+++ b/src/circuits/sha256/sha256_ethereum.hpp
@@ -19,12 +19,6 @@
 #include
 #include
-// See:
-// https://github.com/scipr-lab/libff/blob/master/libff/common/default_types/ec_pp.hpp
-// We need to set the right curve as a flag during the compilation, and the
-// right curve is going to be picked if we use the default_ec_pp as a FieldT`
-// typedef libff::Fr FieldT;
-
 namespace libzeth
 {
diff --git a/src/mpc/cli/mpc_common.hpp b/src/mpc/cli/mpc_common.hpp
index 4221cf8ac..0e14554ed 100644
--- a/src/mpc/cli/mpc_common.hpp
+++ b/src/mpc/cli/mpc_common.hpp
@@ -1,7 +1,7 @@
 #ifndef __ZETH_MPC_MPC_COMMON_HPP__
 #define __ZETH_MPC_MPC_COMMON_HPP__
-#include "include_libsnark.hpp"
+#include "circuit_types.hpp"
 #include
 #include
@@ -9,9 +9,6 @@
 #include
 #include
-using ppT = libff::default_ec_pp;
-using FieldT = libff::Fr;
-
 using ProtoboardInitFn = std::function &)>;
 class subcommand
diff --git a/src/mpc/mpc.cpp b/src/mpc/mpc.cpp
index 49dccaa60..61336e043 100644
--- a/src/mpc/mpc.cpp
+++ b/src/mpc/mpc.cpp
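Review bot: The header comment in the new circuit_types.hpp reads `// Types that must be common across all executable, defined once here.`; it should say `across all executables`. The rule it states, that these aliases are set nowhere else outside tests, is enforced only by convention: a second alias of the same name to the same type elsewhere compiles silently, and a different type would only surface as a confusing redefinition error at the first translation unit that sees both. Saying so in the comment, e.g. `// Nothing enforces this; a duplicate alias elsewhere compiles silently, so grep for these names before adding one.`, tells a maintainer what to check. The hunk is the whole file, so nothing is cut off.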
@@ -3,9 +3,6 @@
 void zeth_protoboard(libsnark::protoboard &pb)
 {
- using HashTreeT = MiMC_mp_gadget;
- using HashT = sha256_ethereum;
-
 joinsplit_gadget<
 FieldT,
 HashT,
diff --git a/src/mpc/mpc_client.cpp b/src/mpc/mpc_client.cpp
index 1d2dbeb6e..1217a0699 100644
--- a/src/mpc/mpc_client.cpp
+++ b/src/mpc/mpc_client.cpp
@@ -7,9 +7,6 @@
 void zeth_protoboard(libsnark::protoboard &pb)
 {
- using HashTreeT = MiMC_mp_gadget;
- using HashT = sha256_ethereum;
-
 joinsplit_gadget<
 FieldT,
 HashT,
diff --git a/src/pot_process/pot_process.cpp b/src/pot_process/pot_process.cpp
index 237c837d7..ca48649c9 100644
--- a/src/pot_process/pot_process.cpp
+++ b/src/pot_process/pot_process.cpp
@@ -1,6 +1,7 @@
 /// Small utility to check powersoftau output and to compute the evaluation of
 /// Lagrange polynomials at tau.
+#include "circuit_types.hpp"
 #include "snarks/groth16/mpc/powersoftau_utils.hpp"
 #include
@@ -8,7 +9,6 @@ using namespace libzeth;
 namespace po = boost::program_options;
-using ppT = libff::default_ec_pp;
 // -----------------------------------------------------------------------------
 // cli_options
diff --git a/src/prover_server/prover_server.cpp b/src/prover_server/prover_server.cpp
index 3acd9c852..73f838136 100644
--- a/src/prover_server/prover_server.cpp
+++ b/src/prover_server/prover_server.cpp
@@ -1,3 +1,4 @@
+#include "circuit_types.hpp"
 #include "libsnark_helpers/libsnark_helpers.hpp"
 #include "snar​ks_alias.hpp"
 #include "util.hpp"
@@ -50,15 +51,6 @@ using proverpkg::Prover;
 using proverpkg::PackedDigest;
 using proverpkg::ProofInputs;
-// Instantiate the templates with the right types
-// Instantiated from the curve specified in the CMakelists.txt
-typedef libff::default_ec_pp ppT;
-typedef libff::Fr FieldT;
-// Hash used in the merkle tree
-typedef MiMC_mp_gadget HashTreeT;
-// Hash used for the commitments and PRFs
-typedef sha256_ethereum HashT;
-
 class ProverImpl final : public Prover::Service
 {
 private:
diff --git a/src/snarks/groth16/core/helpers.hpp b/src/snarks/groth16/core/helpers.hpp
index 1fdf90dbc..c7d7ce0e8 100644
--- a/src/snarks/groth16/core/helpers.hpp
+++ b/src/snarks/groth16/core/helpers.hpp
@@ -7,11 +7,6 @@
 #include
 #include
-// We instantiate the ppT (public parameters Template with the public paramaters
-// of the curve we use (alt_bn128))
-typedef libff::default_ec_pp ppT; // We use the public parameters of the
- // alt_bn_128 curve to do our operations
-
 namespace libzeth
 {
diff --git a/src/snarks/pghr13/core/helpers.hpp b/src/snarks/pghr13/core/helpers.hpp
index 70d6e8f2e..7d08282fc 100644
--- a/src/snarks/pghr13/core/helpers.hpp
+++ b/src/snarks/pghr13/core/helpers.hpp
@@ -7,10 +7,6 @@
 #include
 #include
-// We instantiate the ppT (public parameters Template with the public paramaters
-// of the curve we use (alt_bn128))
-typedef libff::default_ec_pp ppT;
-
 namespace libzeth
 {
diff --git a/src/test/commitments_test.cpp b/src/test/commitments_test.cpp
index c8a3e8923..dfc600e02 100644
--- a/src/test/commitments_test.cpp
+++ b/src/test/commitments_test.cpp
@@ -20,9 +20,10 @@ using namespace libzeth;
 // Instantiation of the templates for the tests
 typedef libff::default_ec_pp ppT;
-typedef libff::Fr FieldT; // Should be alt_bn128 in the CMakeLists.txt
-typedef sha256_ethereum
- HashT; // We use our hash function to do the tests
+// Should be alt_bn128 in the CMakeLists.txt
+typedef libff::Fr FieldT;
+// We use our hash function to do the tests
+typedef sha256_ethereum HashT;
 namespace
 {
@@ -603,4 +604,4 @@ int main(int argc, char **argv)
 ppT::init_public_params();
 ::testing::InitGoogleTest(&argc, argv);
 return RUN_ALL_TESTS();
-}
\ No newline at end of file
+}
diff --git a/src/test/mpc_test.cpp b/src/test/mpc_test.cpp
index 87d412fd8..8344e8456 100644
--- a/src/test/mpc_test.cpp
+++ b/src/test/mpc_test.cpp
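Review bot: In the commitments_test.cpp hunk the relocated comment `// Should be alt_bn128 in the CMakeLists.txt` now introduces the `FieldT` typedef, but it describes the curve selected through `libff::default_ec_pp`, i.e. the `ppT` line above it, which is left without a comment. Move it above `typedef libff::default_ec_pp ppT;`, or reword it so that it applies to the field. Since this commit centralises the same three aliases in src/circuit_types.hpp and its comment explicitly exempts tests, the test's `// Instantiation of the templates for the tests` line could add `(kept local on purpose; see src/circuit_types.hpp)` so a reader does not take the duplicate for an oversight.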
@@ -1,4 +1,4 @@
-#include "circuit-wrapper.hpp"
+#include "circuit_types.hpp"
 #include "circuits/sha256/sha256_ethereum.hpp"
 #include "snarks/groth16/mpc/chacha_rng.hpp"
 #include "snarks/groth16/mpc/evaluator_from_lagrange.hpp"
diff --git a/src/types/merkle_tree_field.hpp b/src/types/merkle_tree_field.hpp
index 5b0cc889b..cf519b33b 100644
--- a/src/types/merkle_tree_field.hpp
+++ b/src/types/merkle_tree_field.hpp
@@ -26,9 +26,6 @@ namespace libzeth
 // class offers methods to retrieve the root of the Merkle tree and to
 // obtain the authentication paths for (the value at) a given address.
-// typedef FieldT merkle_authentication_node;
-// typedef std::vector merkle_authentication_path;
-
 template
 class merkle_tree_field
 {
diff --git a/src/util_api.hpp b/src/util_api.hpp
index 1c8be0239..4a97c8eac 100644
--- a/src/util_api.hpp
+++ b/src/util_api.hpp
@@ -10,8 +10,6 @@
 #include
-typedef libff::default_ec_pp ppT;
-
 namespace libzeth
 {