authorMicah Anderson <micah@riseup.net>2014-11-11 11:18:18 -0500
committerMicah Anderson <micah@riseup.net>2014-11-11 11:18:18 -0500
commitc73b6c9ba513fea3e18b696e659049df69931171 (patch)
treea001cd6acbecead76b9a55f324278e8d077fe3d5 /src
parenteabdc6e3d62550679476899dd861c23b63937142 (diff)
update to 1.0.0-1 version of the package
Diffstat (limited to 'src')
-rw-r--r--src/libsodium/Makefile.am11
-rw-r--r--src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c2
-rw-r--r--src/libsodium/crypto_auth/hmacsha256/cp/verify_hmacsha256.c4
-rw-r--r--src/libsodium/crypto_auth/hmacsha512/cp/verify_hmacsha512.c4
-rw-r--r--src/libsodium/crypto_auth/hmacsha512256/cp/verify_hmacsha512256.c4
-rw-r--r--src/libsodium/crypto_auth/try.c119
-rw-r--r--src/libsodium/crypto_box/crypto_box_easy.c7
-rw-r--r--src/libsodium/crypto_box/curve25519xsalsa20poly1305/ref/keypair_curve25519xsalsa20poly1305.c2
-rw-r--r--src/libsodium/crypto_box/try.c195
-rw-r--r--src/libsodium/crypto_generichash/blake2/ref/blake2-impl.h13
-rw-r--r--src/libsodium/crypto_generichash/blake2/ref/blake2b-ref.c7
-rw-r--r--src/libsodium/crypto_generichash/blake2/ref/blake2s-ref.c356
-rw-r--r--src/libsodium/crypto_generichash/blake2/ref/generichash_blake2b.c8
-rw-r--r--src/libsodium/crypto_hash/sha256/cp/hash_sha256.c2
-rw-r--r--src/libsodium/crypto_hash/sha512/cp/hash_sha512.c2
-rw-r--r--src/libsodium/crypto_hash/try.c76
-rw-r--r--src/libsodium/crypto_onetimeauth/poly1305/donna/auth_poly1305_donna.c3
-rw-r--r--src/libsodium/crypto_onetimeauth/poly1305/onetimeauth_poly1305.c2
-rw-r--r--src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c26
-rw-r--r--src/libsodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c55
-rw-r--r--src/libsodium/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c34
-rw-r--r--src/libsodium/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c4
-rw-r--r--src/libsodium/crypto_pwhash/scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c4
-rw-r--r--src/libsodium/crypto_scalarmult/curve25519/ref10/pow225521.h4
-rw-r--r--src/libsodium/crypto_scalarmult/try.c125
-rw-r--r--src/libsodium/crypto_secretbox/crypto_secretbox_easy.c6
-rw-r--r--src/libsodium/crypto_secretbox/try.c129
-rw-r--r--src/libsodium/crypto_sign/ed25519/ref10/keypair.c49
-rw-r--r--src/libsodium/crypto_sign/ed25519/ref10/open.c12
-rw-r--r--src/libsodium/crypto_sign/ed25519/ref10/sign.c18
-rw-r--r--src/libsodium/crypto_sign/ed25519/sign_ed25519_api.c18
-rw-r--r--src/libsodium/crypto_sign/edwards25519sha512batch/ref/sign_edwards25519sha512batch.c2
-rw-r--r--src/libsodium/crypto_sign/try.c87
-rw-r--r--src/libsodium/crypto_stream/aes256estream/hongjun/aes-table-be.h273
-rw-r--r--src/libsodium/crypto_stream/aes256estream/hongjun/aes-table-le.h274
-rw-r--r--src/libsodium/crypto_stream/aes256estream/hongjun/aes-table.h62
-rw-r--r--src/libsodium/crypto_stream/aes256estream/hongjun/aes256-ctr.c239
-rw-r--r--src/libsodium/crypto_stream/aes256estream/hongjun/aes256.h171
-rw-r--r--src/libsodium/crypto_stream/aes256estream/hongjun/api.h13
-rw-r--r--src/libsodium/crypto_stream/aes256estream/hongjun/ecrypt-sync.h27
-rw-r--r--src/libsodium/crypto_stream/aes256estream/stream_aes256estream_api.c16
-rw-r--r--src/libsodium/crypto_stream/chacha20/ref/stream_chacha20_ref.c5
-rw-r--r--src/libsodium/crypto_stream/try.c122
-rw-r--r--src/libsodium/crypto_verify/try.c76
-rw-r--r--src/libsodium/include/Makefile.am1
-rw-r--r--src/libsodium/include/sodium.h1
-rw-r--r--src/libsodium/include/sodium/crypto_onetimeauth_poly1305.h3
-rw-r--r--src/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h5
-rw-r--r--src/libsodium/include/sodium/crypto_sign_ed25519.h15
-rw-r--r--src/libsodium/include/sodium/crypto_stream_aes256estream.h67
-rw-r--r--src/libsodium/include/sodium/randombytes.h18
-rw-r--r--src/libsodium/include/sodium/utils.h57
-rw-r--r--src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c46
-rw-r--r--src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c18
-rw-r--r--src/libsodium/sodium/compat.c361
-rw-r--r--src/libsodium/sodium/core.c4
-rw-r--r--src/libsodium/sodium/runtime.c6
-rw-r--r--src/libsodium/sodium/utils.c340
58 files changed, 644 insertions, 2966 deletions
diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am
index 4c6260a..869c439 100644
--- a/src/libsodium/Makefile.am
+++ b/src/libsodium/Makefile.am
@@ -224,14 +224,6 @@ libsodium_la_SOURCES += \
crypto_stream/aes128ctr/portable/stream_aes128ctr.c \
crypto_stream/aes128ctr/portable/types.h \
crypto_stream/aes128ctr/portable/xor_afternm_aes128ctr.c \
- crypto_stream/aes256estream/hongjun/aes-table.h \
- crypto_stream/aes256estream/hongjun/aes-table-be.h \
- crypto_stream/aes256estream/hongjun/aes-table-le.h \
- crypto_stream/aes256estream/hongjun/aes256-ctr.c \
- crypto_stream/aes256estream/hongjun/aes256.h \
- crypto_stream/aes256estream/stream_aes256estream_api.c \
- crypto_stream/aes256estream/hongjun/api.h \
- crypto_stream/aes256estream/hongjun/ecrypt-sync.h \
crypto_stream/salsa2012/stream_salsa2012_api.c \
crypto_stream/salsa2012/ref/api.h \
crypto_stream/salsa2012/ref/stream_salsa2012.c \
@@ -239,8 +231,7 @@ libsodium_la_SOURCES += \
crypto_stream/salsa208/stream_salsa208_api.c \
crypto_stream/salsa208/ref/api.h \
crypto_stream/salsa208/ref/stream_salsa208.c \
- crypto_stream/salsa208/ref/xor_salsa208.c \
- sodium/compat.c
+ crypto_stream/salsa208/ref/xor_salsa208.c
endif
libsodium_la_LDFLAGS = \
diff --git a/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c b/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c
index 3439cb3..945efe3 100644
--- a/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c
+++ b/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c
@@ -37,6 +37,7 @@ crypto_aead_chacha20poly1305_encrypt(unsigned char *c,
unsigned char slen[8U];
(void) nsec;
+/* LCOV_EXCL_START */
#ifdef ULONG_LONG_MAX
if (mlen > ULONG_LONG_MAX - crypto_aead_chacha20poly1305_ABYTES) {
if (clen != NULL) {
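Review bot: The length guard that the new `LCOV_EXCL_START` marker wraps is compiled only under `#ifdef ULONG_LONG_MAX`, which is a GNU-specific name; on a toolchain whose `<limits.h>` provides only the standard `ULLONG_MAX`, the `mlen > ULONG_LONG_MAX - crypto_aead_chacha20poly1305_ABYTES` check silently disappears. Excluding the block from coverage makes that harder to notice. I would test against the C99 macro instead, `if (mlen > ULLONG_MAX - crypto_aead_chacha20poly1305_ABYTES) {`, and drop the `#ifdef`, assuming `<limits.h>` is included above the hunk. The guard closes in the next hunk and the function body continues outside both.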
@@ -45,6 +46,7 @@ crypto_aead_chacha20poly1305_encrypt(unsigned char *c,
return -1;
}
#endif
+/* LCOV_EXCL_STOP */
crypto_stream_chacha20(block0, sizeof block0, npub, k);
crypto_onetimeauth_poly1305_init(&state, block0);
diff --git a/src/libsodium/crypto_auth/hmacsha256/cp/verify_hmacsha256.c b/src/libsodium/crypto_auth/hmacsha256/cp/verify_hmacsha256.c
index b6cf489..be9d34f 100644
--- a/src/libsodium/crypto_auth/hmacsha256/cp/verify_hmacsha256.c
+++ b/src/libsodium/crypto_auth/hmacsha256/cp/verify_hmacsha256.c
@@ -1,9 +1,11 @@
#include "api.h"
#include "crypto_verify_32.h"
+#include "utils.h"
int crypto_auth_verify(const unsigned char *h,const unsigned char *in,unsigned long long inlen,const unsigned char *k)
{
unsigned char correct[32];
crypto_auth(correct,in,inlen,k);
- return crypto_verify_32(h,correct);
+ return crypto_verify_32(h,correct) | (-(h - correct == 0)) |
+ sodium_memcmp(correct,h,32);
}
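Review bot: `h - correct` in the new return subtracts pointers to two unrelated objects (the caller's tag and the local `correct` array), which C leaves undefined; pointer equality is well defined and yields the same 0/1 value, so the middle term should be `(-(h == correct))`. The same expression is added in verify_hmacsha512.c and verify_hmacsha512256.c. The reason for OR-ing three checks is not stated either; a one-line comment saying the result is non-zero if any of the constant-time compare, the aliasing check or `sodium_memcmp` rejects the tag would help the next reader. `correct` holds the expected MAC and stays on the stack after return; saving the result in a local and calling `sodium_memzero(correct, sizeof correct);` before returning is worth considering.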
diff --git a/src/libsodium/crypto_auth/hmacsha512/cp/verify_hmacsha512.c b/src/libsodium/crypto_auth/hmacsha512/cp/verify_hmacsha512.c
index fccdc1a..28e0dfb 100644
--- a/src/libsodium/crypto_auth/hmacsha512/cp/verify_hmacsha512.c
+++ b/src/libsodium/crypto_auth/hmacsha512/cp/verify_hmacsha512.c
@@ -1,10 +1,12 @@
#include "api.h"
#include "crypto_verify_64.h"
+#include "utils.h"
int crypto_auth_verify(const unsigned char *h, const unsigned char *in,
unsigned long long inlen, const unsigned char *k)
{
unsigned char correct[64];
crypto_auth(correct,in,inlen,k);
- return crypto_verify_64(h,correct);
+ return crypto_verify_64(h,correct) | (-(h - correct == 0)) |
+ sodium_memcmp(correct,h,64);
}
diff --git a/src/libsodium/crypto_auth/hmacsha512256/cp/verify_hmacsha512256.c b/src/libsodium/crypto_auth/hmacsha512256/cp/verify_hmacsha512256.c
index 1e6e18d..6c263f3 100644
--- a/src/libsodium/crypto_auth/hmacsha512256/cp/verify_hmacsha512256.c
+++ b/src/libsodium/crypto_auth/hmacsha512256/cp/verify_hmacsha512256.c
@@ -1,10 +1,12 @@
#include "api.h"
#include "crypto_verify_32.h"
+#include "utils.h"
int crypto_auth_verify(const unsigned char *h, const unsigned char *in,
unsigned long long inlen, const unsigned char *k)
{
unsigned char correct[32];
crypto_auth(correct,in,inlen,k);
- return crypto_verify_32(h,correct);
+ return crypto_verify_32(h,correct) | (-(h - correct == 0)) |
+ sodium_memcmp(correct,h,32);
}
diff --git a/src/libsodium/crypto_auth/try.c b/src/libsodium/crypto_auth/try.c
deleted file mode 100644
index c2f2c80..0000000
--- a/src/libsodium/crypto_auth/try.c
+++ /dev/null
@@ -1,119 +0,0 @@
-/*
- * crypto_auth/try.c version 20090118
- * D. J. Bernstein
- * Public domain.
- */
-
-#include <stdlib.h>
-#include "crypto_hash_sha256.h"
-#include "crypto_auth.h"
-#include "utils.h"
-#include "windows/windows-quirks.h"
-
-extern unsigned char *alignedcalloc(unsigned long long);
-
-const char *primitiveimplementation = crypto_auth_IMPLEMENTATION;
-
-#define MAXTEST_BYTES 10000
-#define CHECKSUM_BYTES 4096
-#define TUNE_BYTES 1536
-
-static unsigned char *h;
-static unsigned char *m;
-static unsigned char *k;
-static unsigned char *h2;
-static unsigned char *m2;
-static unsigned char *k2;
-
-void preallocate(void)
-{
-}
-
-void allocate(void)
-{
- h = alignedcalloc(crypto_auth_BYTES);
- m = alignedcalloc(MAXTEST_BYTES);
- k = alignedcalloc(crypto_auth_KEYBYTES);
- h2 = alignedcalloc(crypto_auth_BYTES);
- m2 = alignedcalloc(MAXTEST_BYTES + crypto_auth_BYTES);
- k2 = alignedcalloc(crypto_auth_KEYBYTES + crypto_auth_BYTES);
-}
-
-void predoit(void)
-{
-}
-
-void doit(void)
-{
- crypto_auth(h,m,TUNE_BYTES,k);
- crypto_auth_verify(h,m,TUNE_BYTES,k);
-}
-
-char checksum[crypto_auth_BYTES * 2 + 1];
-
-const char *checksum_compute(void)
-{
- long long i;
- long long j;
-
- for (i = 0;i < CHECKSUM_BYTES;++i) {
- long long mlen = i;
- long long klen = crypto_auth_KEYBYTES;
- long long hlen = crypto_auth_BYTES;
-
- for (j = -16;j < 0;++j) h[j] = rand();
- for (j = -16;j < 0;++j) k[j] = rand();
- for (j = -16;j < 0;++j) m[j] = rand();
- for (j = hlen;j < hlen + 16;++j) h[j] = rand();
- for (j = klen;j < klen + 16;++j) k[j] = rand();
- for (j = mlen;j < mlen + 16;++j) m[j] = rand();
- for (j = -16;j < hlen + 16;++j) h2[j] = h[j];
- for (j = -16;j < klen + 16;++j) k2[j] = k[j];
- for (j = -16;j < mlen + 16;++j) m2[j] = m[j];
-
- if (crypto_auth(h,m,mlen,k) != 0) return "crypto_auth returns nonzero";
-
- for (j = -16;j < klen + 16;++j) if (k[j] != k2[j]) return "crypto_auth overwrites k";
- for (j = -16;j < mlen + 16;++j) if (m[j] != m2[j]) return "crypto_auth overwrites m";
- for (j = -16;j < 0;++j) if (h[j] != h2[j]) return "crypto_auth writes before output";
- for (j = hlen;j < hlen + 16;++j) if (h[j] != h2[j]) return "crypto_auth writes after output";
-
- for (j = -16;j < 0;++j) h[j] = rand();
- for (j = -16;j < 0;++j) k[j] = rand();
- for (j = -16;j < 0;++j) m[j] = rand();
- for (j = hlen;j < hlen + 16;++j) h[j] = rand();
- for (j = klen;j < klen + 16;++j) k[j] = rand();
- for (j = mlen;j < mlen + 16;++j) m[j] = rand();
- for (j = -16;j < hlen + 16;++j) h2[j] = h[j];
- for (j = -16;j < klen + 16;++j) k2[j] = k[j];
- for (j = -16;j < mlen + 16;++j) m2[j] = m[j];
-
- if (crypto_auth(m2,m2,mlen,k) != 0) return "crypto_auth returns nonzero";
- for (j = 0;j < hlen;++j) if (m2[j] != h[j]) return "crypto_auth does not handle m overlap";
- for (j = 0;j < hlen;++j) m2[j] = m[j];
- if (crypto_auth(k2,m2,mlen,k2) != 0) return "crypto_auth returns nonzero";
- for (j = 0;j < hlen;++j) if (k2[j] != h[j]) return "crypto_auth does not handle k overlap";
- for (j = 0;j < hlen;++j) k2[j] = k[j];
-
- if (crypto_auth_verify(h,m,mlen,k) != 0) return "crypto_auth_verify returns nonzero";
-
- for (j = -16;j < hlen + 16;++j) if (h[j] != h2[j]) return "crypto_auth overwrites h";
- for (j = -16;j < klen + 16;++j) if (k[j] != k2[j]) return "crypto_auth overwrites k";
- for (j = -16;j < mlen + 16;++j) if (m[j] != m2[j]) return "crypto_auth overwrites m";
-
- crypto_hash_sha256(h2,h,hlen);
- for (j = 0;j < klen;++j) k[j] ^= h2[j % 32];
- if (crypto_auth(h,m,mlen,k) != 0) return "crypto_auth returns nonzero";
- if (crypto_auth_verify(h,m,mlen,k) != 0) return "crypto_auth_verify returns nonzero";
-
- crypto_hash_sha256(h2,h,hlen);
- for (j = 0;j < mlen;++j) m[j] ^= h2[j % 32];
- m[mlen] = h2[0];
- }
- if (crypto_auth(h,m,CHECKSUM_BYTES,k) != 0) return "crypto_auth returns nonzero";
- if (crypto_auth_verify(h,m,CHECKSUM_BYTES,k) != 0) return "crypto_auth_verify returns nonzero";
-
- sodium_bin2hex(checksum, sizeof checksum, h, crypto_auth_BYTES);
-
- return 0;
-}
diff --git a/src/libsodium/crypto_box/crypto_box_easy.c b/src/libsodium/crypto_box/crypto_box_easy.c
index 7224f24..7f39e22 100644
--- a/src/libsodium/crypto_box/crypto_box_easy.c
+++ b/src/libsodium/crypto_box/crypto_box_easy.c
@@ -1,4 +1,8 @@
+#include <limits.h>
+#include <stdint.h>
+#include <stdlib.h>
+
#include "crypto_box.h"
#include "crypto_secretbox.h"
#include "utils.h"
@@ -26,6 +30,9 @@ crypto_box_easy(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
const unsigned char *pk, const unsigned char *sk)
{
+ if (mlen > SIZE_MAX - crypto_box_MACBYTES) {
+ return -1;
+ }
return crypto_box_detached(c + crypto_box_MACBYTES, c, m, mlen, n,
pk, sk);
}
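Review bot: The new early return makes -1 mean "message too long" as well as a failure inside `crypto_box_detached`, and nothing records that or why the bound is `SIZE_MAX - crypto_box_MACBYTES`. I would add a comment above the check such as `/* c receives mlen + crypto_box_MACBYTES bytes; reject lengths whose sum does not fit in a size_t */`. On this path `c` is returned unwritten, so the function's documentation should tell callers to check the return value before using the output.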
diff --git a/src/libsodium/crypto_box/curve25519xsalsa20poly1305/ref/keypair_curve25519xsalsa20poly1305.c b/src/libsodium/crypto_box/curve25519xsalsa20poly1305/ref/keypair_curve25519xsalsa20poly1305.c
index 88183ea..e2a03fa 100644
--- a/src/libsodium/crypto_box/curve25519xsalsa20poly1305/ref/keypair_curve25519xsalsa20poly1305.c
+++ b/src/libsodium/crypto_box/curve25519xsalsa20poly1305/ref/keypair_curve25519xsalsa20poly1305.c
@@ -22,6 +22,6 @@ int crypto_box_keypair(
unsigned char *sk
)
{
- randombytes(sk,32);
+ randombytes_buf(sk,32);
return crypto_scalarmult_curve25519_base(pk,sk);
}
diff --git a/src/libsodium/crypto_box/try.c b/src/libsodium/crypto_box/try.c
deleted file mode 100644
index 5f4b7cb..0000000
--- a/src/libsodium/crypto_box/try.c
+++ /dev/null
@@ -1,195 +0,0 @@
-/*
- * crypto_box/try.c version 20090118
- * D. J. Bernstein
- * Public domain.
- */
-
-#include <stdlib.h>
-#include "crypto_box.h"
-#include "utils.h"
-#include "windows/windows-quirks.h"
-
-extern unsigned char *alignedcalloc(unsigned long long);
-
-const char *primitiveimplementation = crypto_box_IMPLEMENTATION;
-
-#define MAXTEST_BYTES 10000
-#define CHECKSUM_BYTES 4096
-#define TUNE_BYTES 1536
-
-static unsigned char *ska;
-static unsigned char *pka;
-static unsigned char *skb;
-static unsigned char *pkb;
-static unsigned char *s;
-static unsigned char *n;
-static unsigned char *m;
-static unsigned char *c;
-static unsigned char *t;
-static unsigned char *ska2;
-static unsigned char *pka2;
-static unsigned char *skb2;
-static unsigned char *pkb2;
-static unsigned char *s2;
-static unsigned char *n2;
-static unsigned char *m2;
-static unsigned char *c2;
-static unsigned char *t2;
-
-#define sklen crypto_box_SECRETKEYBYTES
-#define pklen crypto_box_PUBLICKEYBYTES
-#define nlen crypto_box_NONCEBYTES
-#define slen crypto_box_BEFORENMBYTES
-
-void preallocate(void)
-{
-}
-
-void allocate(void)
-{
- ska = alignedcalloc(sklen);
- pka = alignedcalloc(pklen);
- skb = alignedcalloc(sklen);
- pkb = alignedcalloc(pklen);
- n = alignedcalloc(nlen);
- m = alignedcalloc(MAXTEST_BYTES + crypto_box_ZEROBYTES);
- c = alignedcalloc(MAXTEST_BYTES + crypto_box_ZEROBYTES);
- t = alignedcalloc(MAXTEST_BYTES + crypto_box_ZEROBYTES);
- s = alignedcalloc(slen);
- ska2 = alignedcalloc(sklen);
- pka2 = alignedcalloc(pklen);
- skb2 = alignedcalloc(sklen);
- pkb2 = alignedcalloc(pklen);
- n2 = alignedcalloc(nlen);
- m2 = alignedcalloc(MAXTEST_BYTES + crypto_box_ZEROBYTES);
- c2 = alignedcalloc(MAXTEST_BYTES + crypto_box_ZEROBYTES);
- t2 = alignedcalloc(MAXTEST_BYTES + crypto_box_ZEROBYTES);
- s2 = alignedcalloc(slen);
-}
-
-void predoit(void)
-{
-}
-
-void doit(void)
-{
- crypto_box(c,m,TUNE_BYTES + crypto_box_ZEROBYTES,n,pka,skb);
- crypto_box_open(t,c,TUNE_BYTES + crypto_box_ZEROBYTES,n,pkb,ska);
-}
-
-char checksum[nlen * 2 + 1];
-
-const char *checksum_compute(void)
-{
- long long i;
- long long j;
-
- if (crypto_box_keypair(pka,ska) != 0) return "crypto_box_keypair returns nonzero";
- if (crypto_box_keypair(pkb,skb) != 0) return "crypto_box_keypair returns nonzero";
-
- for (j = 0;j < crypto_box_ZEROBYTES;++j) m[j] = 0;
-
- for (i = 0;i < CHECKSUM_BYTES;++i) {
- long long mlen = i + crypto_box_ZEROBYTES;
- long long tlen = i + crypto_box_ZEROBYTES;
- long long clen = i + crypto_box_ZEROBYTES;
-
- for (j = -16;j < 0;++j) ska[j] = rand();
- for (j = -16;j < 0;++j) skb[j] = rand();
- for (j = -16;j < 0;++j) pka[j] = rand();
- for (j = -16;j < 0;++j) pkb[j] = rand();
- for (j = -16;j < 0;++j) m[j] = rand();
- for (j = -16;j < 0;++j) n[j] = rand();
-
- for (j = sklen;j < sklen + 16;++j) ska[j] = rand();
- for (j = sklen;j < sklen + 16;++j) skb[j] = rand();
- for (j = pklen;j < pklen + 16;++j) pka[j] = rand();
- for (j = pklen;j < pklen + 16;++j) pkb[j] = rand();
- for (j = mlen;j < mlen + 16;++j) m[j] = rand();
- for (j = nlen;j < nlen + 16;++j) n[j] = rand();
-
- for (j = -16;j < sklen + 16;++j) ska2[j] = ska[j];
- for (j = -16;j < sklen + 16;++j) skb2[j] = skb[j];
- for (j = -16;j < pklen + 16;++j) pka2[j] = pka[j];
- for (j = -16;j < pklen + 16;++j) pkb2[j] = pkb[j];
- for (j = -16;j < mlen + 16;++j) m2[j] = m[j];
- for (j = -16;j < nlen + 16;++j) n2[j] = n[j];
- for (j = -16;j < clen + 16;++j) c2[j] = c[j] = rand();
-
- if (crypto_box(c,m,mlen,n,pkb,ska) != 0) return "crypto_box returns nonzero";
-
- for (j = -16;j < mlen + 16;++j) if (m2[j] != m[j]) return "crypto_box overwrites m";
- for (j = -16;j < nlen + 16;++j) if (n2[j] != n[j]) return "crypto_box overwrites n";
- for (j = -16;j < 0;++j) if (c2[j] != c[j]) return "crypto_box writes before output";
- for (j = clen;j < clen + 16;++j) if (c2[j] != c[j]) return "crypto_box writes after output";
- for (j = 0;j < crypto_box_BOXZEROBYTES;++j)
- if (c[j] != 0) return "crypto_box does not clear extra bytes";
-
- for (j = -16;j < sklen + 16;++j) if (ska2[j] != ska[j]) return "crypto_box overwrites ska";
- for (j = -16;j < sklen + 16;++j) if (skb2[j] != skb[j]) return "crypto_box overwrites skb";
- for (j = -16;j < pklen + 16;++j) if (pka2[j] != pka[j]) return "crypto_box overwrites pka";
- for (j = -16;j < pklen + 16;++j) if (pkb2[j] != pkb[j]) return "crypto_box overwrites pkb";
-
- for (j = -16;j < 0;++j) c[j] = rand();
- for (j = clen;j < clen + 16;++j) c[j] = rand();
- for (j = -16;j < clen + 16;++j) c2[j] = c[j];
- for (j = -16;j < tlen + 16;++j) t2[j] = t[j] = rand();
-
- if (crypto_box_open(t,c,clen,n,pka,skb) != 0) return "crypto_box_open returns nonzero";
-
- for (j = -16;j < clen + 16;++j) if (c2[j] != c[j]) return "crypto_box_open overwrites c";
- for (j = -16;j < nlen + 16;++j) if (n2[j] != n[j]) return "crypto_box_open overwrites n";
- for (j = -16;j < 0;++j) if (t2[j] != t[j]) return "crypto_box_open writes before output";
- for (j = tlen;j < tlen + 16;++j) if (t2[j] != t[j]) return "crypto_box_open writes after output";
- for (j = 0;j < crypto_box_ZEROBYTES;++j)
- if (t[j] != 0) return "crypto_box_open does not clear extra bytes";
-
- for (j = -16;j < sklen + 16;++j) if (ska2[j] != ska[j]) return "crypto_box_open overwrites ska";
- for (j = -16;j < sklen + 16;++j) if (skb2[j] != skb[j]) return "crypto_box_open overwrites skb";
- for (j = -16;j < pklen + 16;++j) if (pka2[j] != pka[j]) return "crypto_box_open overwrites pka";
- for (j = -16;j < pklen + 16;++j) if (pkb2[j] != pkb[j]) return "crypto_box_open overwrites pkb";
-
- for (j = 0;j < mlen;++j) if (t[j] != m[j]) return "plaintext does not match";
-
- for (j = -16;j < slen + 16;++j) s2[j] = s[j] = rand();
- if (crypto_box_beforenm(s,pkb,ska) != 0) return "crypto_box_beforenm returns nonzero";
- for (j = -16;j < pklen + 16;++j) if (pka2[j] != pka[j]) return "crypto_box_open overwrites pk";
- for (j = -16;j < sklen + 16;++j) if (skb2[j] != skb[j]) return "crypto_box_open overwrites sk";
- for (j = -16;j < 0;++j) if (s2[j] != s[j]) return "crypto_box_beforenm writes before output";
- for (j = slen;j < slen + 16;++j) if (s2[j] != s[j]) return "crypto_box_beforenm writes after output";
-
- for (j = -16;j < slen + 16;++j) s2[j] = s[j];
- for (j = -16;j < tlen + 16;++j) t2[j] = t[j] = rand();
- if (crypto_box_afternm(t,m,mlen,n,s) != 0) return "crypto_box_afternm returns nonzero";
- for (j = -16;j < slen + 16;++j) if (s2[j] != s[j]) return "crypto_box_afternm overwrites s";
- for (j = -16;j < mlen + 16;++j) if (m2[j] != m[j]) return "crypto_box_afternm overwrites m";
- for (j = -16;j < nlen + 16;++j) if (n2[j] != n[j]) return "crypto_box_afternm overwrites n";
- for (j = -16;j < 0;++j) if (t2[j] != t[j]) return "crypto_box_afternm writes before output";
- for (j = tlen;j < tlen + 16;++j) if (t2[j] != t[j]) return "crypto_box_afternm writes after output";
- for (j = 0;j < crypto_box_BOXZEROBYTES;++j)
- if (t[j] != 0) return "crypto_box_afternm does not clear extra bytes";
- for (j = 0;j < mlen;++j) if (t[j] != c[j]) return "crypto_box_afternm does not match crypto_box";
-
- if (crypto_box_beforenm(s,pka,skb) != 0) return "crypto_box_beforenm returns nonzero";
-
- for (j = -16;j < tlen + 16;++j) t2[j] = t[j] = rand();
- if (crypto_box_open_afternm(t,c,clen,n,s) != 0) return "crypto_box_open_afternm returns nonzero";
- for (j = -16;j < slen + 16;++j) if (s2[j] != s[j]) return "crypto_box_open_afternm overwrites s";
- for (j = -16;j < mlen + 16;++j) if (m2[j] != m[j]) return "crypto_box_open_afternm overwrites m";
- for (j = -16;j < nlen + 16;++j) if (n2[j] != n[j]) return "crypto_box_open_afternm overwrites n";
- for (j = -16;j < 0;++j) if (t2[j] != t[j]) return "crypto_box_open_afternm writes before output";
- for (j = tlen;j < tlen + 16;++j) if (t2[j] != t[j]) return "crypto_box_open_afternm writes after output";
- for (j = 0;j < crypto_box_ZEROBYTES;++j)
- if (t[j] != 0) return "crypto_box_open_afternm does not clear extra bytes";
- for (j = 0;j < mlen;++j) if (t[j] != m[j]) return "crypto_box_open_afternm does not match crypto_box_open";
-
- for (j = 0;j < i;++j) n[j % nlen] ^= c[j + crypto_box_BOXZEROBYTES];
- if (i == 0) m[crypto_box_ZEROBYTES] = 0;
- m[i + crypto_box_ZEROBYTES] = m[crypto_box_ZEROBYTES];
- for (j = 0;j < i;++j) m[j + crypto_box_ZEROBYTES] ^= c[j + crypto_box_BOXZEROBYTES];
- }
-
- sodium_bin2hex(checksum, sizeof checksum, n, nlen);
-
- return 0;
-}
diff --git a/src/libsodium/crypto_generichash/blake2/ref/blake2-impl.h b/src/libsodium/crypto_generichash/blake2/ref/blake2-impl.h
index 276d305..1838bff 100644
--- a/src/libsodium/crypto_generichash/blake2/ref/blake2-impl.h
+++ b/src/libsodium/crypto_generichash/blake2/ref/blake2-impl.h
@@ -15,13 +15,16 @@
#define __BLAKE2_IMPL_H__
#include <stdint.h>
+#include <string.h>
#include "utils.h"
static inline uint32_t load32( const void *src )
{
#if defined(NATIVE_LITTLE_ENDIAN)
- return *( uint32_t * )( src );
+ uint32_t w;
+ memcpy(&w, src, sizeof w);
+ return w;
#else
const uint8_t *p = ( const uint8_t * )src;
uint32_t w = *p++;
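Review bot: Nothing next to the new `memcpy` in `load32` says why the direct `*( uint32_t * )( src )` load was dropped, so a later cleanup could put the cast back. Presumably the reason is that `src` may be unaligned or may not point at a `uint32_t` object; a short comment such as `/* src may be unaligned or of another type: copy instead of casting */` would record it. The same applies to `load64`, `store32` and `store64` in the following hunks. `load32`'s body continues past the end of this hunk.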
@@ -35,7 +38,9 @@ static inline uint32_t load32( const void *src )
static inline uint64_t load64( const void *src )
{
#if defined(NATIVE_LITTLE_ENDIAN)
- return *( uint64_t * )( src );
+ uint64_t w;
+ memcpy(&w, src, sizeof w);
+ return w;
#else
const uint8_t *p = ( const uint8_t * )src;
uint64_t w = *p++;
@@ -53,7 +58,7 @@ static inline uint64_t load64( const void *src )
static inline void store32( void *dst, uint32_t w )
{
#if defined(NATIVE_LITTLE_ENDIAN)
- *( uint32_t * )( dst ) = w;
+ memcpy(dst, &w, sizeof w);
#else
uint8_t *p = ( uint8_t * )dst;
*p++ = ( uint8_t )w; w >>= 8;
@@ -66,7 +71,7 @@ static inline void store32( void *dst, uint32_t w )
static inline void store64( void *dst, uint64_t w )
{
#if defined(NATIVE_LITTLE_ENDIAN)
- *( uint64_t * )( dst ) = w;
+ memcpy(dst, &w, sizeof w);
#else
uint8_t *p = ( uint8_t * )dst;
*p++ = ( uint8_t )w; w >>= 8;
diff --git a/src/libsodium/crypto_generichash/blake2/ref/blake2b-ref.c b/src/libsodium/crypto_generichash/blake2/ref/blake2b-ref.c
index 9cc7ede..2610477 100644
--- a/src/libsodium/crypto_generichash/blake2/ref/blake2b-ref.c
+++ b/src/libsodium/crypto_generichash/blake2/ref/blake2b-ref.c
@@ -43,11 +43,13 @@ static const uint8_t blake2b_sigma[12][16] =
};
+/* LCOV_EXCL_START */
static inline int blake2b_set_lastnode( blake2b_state *S )
{
S->f[1] = ~0ULL;
return 0;
}
+/* LCOV_EXCL_STOP */
#if 0
static inline int blake2b_clear_lastnode( blake2b_state *S )
{
@@ -387,12 +389,15 @@ int blake2b_final( blake2b_state *S, uint8_t *out, uint8_t outlen )
uint8_t buffer[BLAKE2B_OUTBYTES];
int i;
+ if( outlen > BLAKE2B_OUTBYTES ) {
+ return -1;
+ }
if( S->buflen > BLAKE2B_BLOCKBYTES )
{
blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );
blake2b_compress( S, S->buf );
S->buflen -= BLAKE2B_BLOCKBYTES;
- memcpy( S->buf, S->buf + BLAKE2B_BLOCKBYTES, S->buflen );
+ memmove( S->buf, S->buf + BLAKE2B_BLOCKBYTES, S->buflen );
}
blake2b_increment_counter( S, S->buflen );
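Review bot: The added guard is written `if( outlen > BLAKE2B_OUTBYTES ) {` with the brace on the same line, while the `if( S->buflen > BLAKE2B_BLOCKBYTES )` directly below it puts the brace on its own line; matching the surrounding style would keep the function uniform. A comment on the guard, for example `/* buffer holds BLAKE2B_OUTBYTES bytes; outlen is caller-supplied */`, would also state why it exists. `blake2b_final` continues past the hunk.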
diff --git a/src/libsodium/crypto_generichash/blake2/ref/blake2s-ref.c b/src/libsodium/crypto_generichash/blake2/ref/blake2s-ref.c
deleted file mode 100644
index 0e79aa5..0000000
--- a/src/libsodium/crypto_generichash/blake2/ref/blake2s-ref.c
+++ /dev/null
@@ -1,356 +0,0 @@
-/*
- BLAKE2 reference source code package - reference C implementations
-
- Written in 2012 by Samuel Neves <sneves@dei.uc.pt>
-
- To the extent possible under law, the author(s) have dedicated all copyright
- and related and neighboring rights to this software to the public domain
- worldwide. This software is distributed without any warranty.
-
- You should have received a copy of the CC0 Public Domain Dedication along with
- this software. If not, see <http://creativecommons.org/publicdomain/zero/1.0/>.
-*/
-
-#include <stdint.h>
-#include <string.h>
-#include <stdio.h>
-
-#include "crypto_generichash_blake2b.h"
-#include "blake2.h"
-#include "blake2-impl.h"
-
-static const uint32_t blake2s_IV[8] =
-{
- 0x6A09E667UL, 0xBB67AE85UL, 0x3C6EF372UL, 0xA54FF53AUL,
- 0x510E527FUL, 0x9B05688CUL, 0x1F83D9ABUL, 0x5BE0CD19UL
-};
-
-static const uint8_t blake2s_sigma[10][16] =
-{
- { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15 } ,
- { 14, 10, 4, 8, 9, 15, 13, 6, 1, 12, 0, 2, 11, 7, 5, 3 } ,
- { 11, 8, 12, 0, 5, 2, 15, 13, 10, 14, 3, 6, 7, 1, 9, 4 } ,
- { 7, 9, 3, 1, 13, 12, 11, 14, 2, 6, 5, 10, 4, 0, 15, 8 } ,
- { 9, 0, 5, 7, 2, 4, 10, 15, 14, 1, 11, 12, 6, 8, 3, 13 } ,
- { 2, 12, 6, 10, 0, 11, 8, 3, 4, 13, 7, 5, 15, 14, 1, 9 } ,
- { 12, 5, 1, 15, 14, 13, 4, 10, 0, 7, 6, 3, 9, 2, 8, 11 } ,
- { 13, 11, 7, 14, 12, 1, 3, 9, 5, 0, 15, 4, 8, 6, 2, 10 } ,
- { 6, 15, 14, 9, 11, 3, 0, 8, 12, 2, 13, 7, 1, 4, 10, 5 } ,
- { 10, 2, 8, 4, 7, 6, 1, 5, 15, 11, 9, 14, 3, 12, 13 , 0 } ,
-};
-
-static inline int blake2s_set_lastnode( blake2s_state *S )
-{
- S->f[1] = ~0U;
- return 0;
-}
-#if 0
-static inline int blake2s_clear_lastnode( blake2s_state *S )
-{
- S->f[1] = 0U;
- return 0;
-}
-#endif
-/* Some helper functions, not necessarily useful */
-static inline int blake2s_set_lastblock( blake2s_state *S )
-{
- if( S->last_node ) blake2s_set_lastnode( S );
-
- S->f[0] = ~0U;
- return 0;
-}
-#if 0
-static inline int blake2s_clear_lastblock( blake2s_state *S )
-{
- if( S->last_node ) blake2s_clear_lastnode( S );
-
- S->f[0] = 0U;
- return 0;
-}
-#endif
-static inline int blake2s_increment_counter( blake2s_state *S, const uint32_t inc )
-{
- S->t[0] += inc;
- S->t[1] += ( S->t[0] < inc );
- return 0;
-}
-
-// Parameter-related functions
-#if 0
-static inline int blake2s_param_set_digest_length( blake2s_param *P, const uint8_t digest_length )
-{
- P->digest_length = digest_length;
- return 0;
-}
-
-static inline int blake2s_param_set_fanout( blake2s_param *P, const uint8_t fanout )
-{
- P->fanout = fanout;
- return 0;
-}
-
-static inline int blake2s_param_set_max_depth( blake2s_param *P, const uint8_t depth )
-{
- P->depth = depth;
- return 0;
-}
-
-static inline int blake2s_param_set_leaf_length( blake2s_param *P, const uint32_t leaf_length )
-{
- store32( &P->leaf_length, leaf_length );
- return 0;
-}
-
-static inline int blake2s_param_set_node_offset( blake2s_param *P, const uint64_t node_offset )
-{
- store48( P->node_offset, node_offset );
- return 0;
-}
-
-static inline int blake2s_param_set_node_depth( blake2s_param *P, const uint8_t node_depth )
-{
- P->node_depth = node_depth;
- return 0;
-}
-
-static inline int blake2s_param_set_inner_length( blake2s_param *P, const uint8_t inner_length )
-{
- P->inner_length = inner_length;
- return 0;
-}
-#endif
-static inline int blake2s_param_set_salt( blake2s_param *P, const uint8_t salt[BLAKE2S_SALTBYTES] )
-{
- memcpy( P->salt, salt, BLAKE2S_SALTBYTES );
- return 0;
-}
-
-static inline int blake2s_param_set_personal( blake2s_param *P, const uint8_t personal[BLAKE2S_PERSONALBYTES] )
-{
- memcpy( P->personal, personal, BLAKE2S_PERSONALBYTES );
- return 0;
-}
-
-static inline int blake2s_init0( blake2s_state *S )
-{
- int i;
-
- memset( S, 0, sizeof( blake2s_state ) );
-
- for( i = 0; i < 8; ++i ) S->h[i] = blake2s_IV[i];
-
- return 0;
-}
-
-/* init2 xors IV with input parameter block */
-int blake2s_init_param( blake2s_state *S, const blake2s_param *P )
-{
- size_t i;
- uint32_t *p;
-
- blake2s_init0( S );
- p = ( uint32_t * )( P );
-
- /* IV XOR ParamBlock */
- for( i = 0; i < 8; ++i )
- S->h[i] ^= load32( &p[i] );
-
- return 0;
-}
-
-
-// Sequential blake2s initialization
-int blake2s_init( blake2s_state *S, const uint8_t outlen )
-{
- blake2s_param P[1];
-
- /* Move interval verification here? */
- if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return -1;
-
- P->digest_length = outlen;
- P->key_length = 0;
- P->fanout = 1;
- P->depth = 1;
- store32( &P->leaf_length, 0 );
- store48( &P->node_offset, 0 );
- P->node_depth = 0;
- P->inner_length = 0;
- // memset(P->reserved, 0, sizeof(P->reserved) );
- memset( P->salt, 0, sizeof( P->salt ) );
- memset( P->personal, 0, sizeof( P->personal ) );
- return blake2s_init_param( S, P );
-}
-
-int blake2s_init_key( blake2s_state *S, const uint8_t outlen, const void *key, const uint8_t keylen )
-{
- blake2s_param P[1];
-
- if ( ( !outlen ) || ( outlen > BLAKE2S_OUTBYTES ) ) return -1;
-
- if ( !key || !keylen || keylen > BLAKE2S_KEYBYTES ) return -1;
-
- P->digest_length = outlen;
- P->key_length = keylen;
- P->fanout = 1;
- P->depth = 1;
- store32( &P->leaf_length, 0 );
- store48( &P->node_offset, 0 );
- P->node_depth = 0;
- P->inner_length = 0;
- // memset(P->reserved, 0, sizeof(P->reserved) );
- memset( P->salt, 0, sizeof( P->salt ) );
- memset( P->personal, 0, sizeof( P->personal ) );
-
- if( blake2s_init_param( S, P ) < 0 ) return -1;
-
- {
- uint8_t block[BLAKE2S_BLOCKBYTES];
- memset( block, 0, BLAKE2S_BLOCKBYTES );
- memcpy( block, key, keylen );
- blake2s_update( S, block, BLAKE2S_BLOCKBYTES );
- secure_zero_memory( block, BLAKE2S_BLOCKBYTES ); /* Burn the key from stack */
- }
- return 0;
-}
-
-static int blake2s_compress( blake2s_state *S, const uint8_t block[BLAKE2S_BLOCKBYTES] )
-{
- uint32_t m[16];
- uint32_t v[16];
- size_t i;
-
- for( i = 0; i < 16; ++i )
- m[i] = load32( block + i * sizeof( m[i] ) );
-
- for( i = 0; i < 8; ++i )
- v[i] = S->h[i];
-
- v[ 8] = blake2s_IV[0];
- v[ 9] = blake2s_IV[1];
- v[10] = blake2s_IV[2];
- v[11] = blake2s_IV[3];
- v[12] = S->t[0] ^ blake2s_IV[4];
- v[13] = S->t[1] ^ blake2s_IV[5];
- v[14] = S->f[0] ^ blake2s_IV[6];
- v[15] = S->f[1] ^ blake2s_IV[7];
-#define G(r,i,a,b,c,d) \
- do { \
- a = a + b + m[blake2s_sigma[r][2*i+0]]; \
- d = rotr32(d ^ a, 16); \
- c = c + d; \
- b = rotr32(b ^ c, 12); \
- a = a + b + m[blake2s_sigma[r][2*i+1]]; \
- d = rotr32(d ^ a, 8); \
- c = c + d; \
- b = rotr32(b ^ c, 7); \
- } while(0)
-#define ROUND(r) \
- do { \
- G(r,0,v[ 0],v[ 4],v[ 8],v[12]); \
- G(r,1,v[ 1],v[ 5],v[ 9],v[13]); \
- G(r,2,v[ 2],v[ 6],v[10],v[14]); \
- G(r,3,v[ 3],v[ 7],v[11],v[15]); \
- G(r,4,v[ 0],v[ 5],v[10],v[15]); \
- G(r,5,v[ 1],v[ 6],v[11],v[12]); \
- G(r,6,v[ 2],v[ 7],v[ 8],v[13]); \
- G(r,7,v[ 3],v[ 4],v[ 9],v[14]); \
- } while(0)
- ROUND( 0 );
- ROUND( 1 );
- ROUND( 2 );
- ROUND( 3 );
- ROUND( 4 );
- ROUND( 5 );
- ROUND( 6 );
- ROUND( 7 );
- ROUND( 8 );
- ROUND( 9 );
-
- for( i = 0; i < 8; ++i )
- S->h[i] = S->h[i] ^ v[i] ^ v[i + 8];
-
-#undef G
-#undef ROUND
- return 0;
-}
-
-
-int blake2s_update( blake2s_state *S, const uint8_t *in, uint64_t inlen )
-{
- while( inlen > 0 )
- {
- size_t left = S->buflen;
- size_t fill = 2 * BLAKE2S_BLOCKBYTES - left;
-
- if( inlen > fill )
- {
- memcpy( S->buf + left, in, fill ); // Fill buffer
- S->buflen += fill;
- blake2s_increment_counter( S, BLAKE2S_BLOCKBYTES );
- blake2s_compress( S, S->buf ); // Compress
- memcpy( S->buf, S->buf + BLAKE2S_BLOCKBYTES, BLAKE2S_BLOCKBYTES ); // Shift buffer left
- S->buflen -= BLAKE2S_BLOCKBYTES;
- in += fill;
- inlen -= fill;
- }
- else // inlen <= fill
- {
- memcpy( S->buf + left, in, inlen );
- S->buflen += inlen; // Be lazy, do not compress
- in += inlen;
- inlen -= inlen;
- }
- }
-
- return 0;
-}
-
-int blake2s_final( blake2s_state *S, uint8_t *out, uint8_t outlen )
-{
- uint8_t buffer[BLAKE2S_OUTBYTES];
- int i;
-
- if( S->buflen > BLAKE2S_BLOCKBYTES )
- {
- blake2s_increment_counter( S, BLAKE2S_BLOCKBYTES );
- blake2s_compress( S, S->buf );
- S->buflen -= BLAKE2S_BLOCKBYTES;
- memcpy( S->buf, S->buf + BLAKE2S_BLOCKBYTES, S->buflen );
- }
-
- blake2s_increment_counter( S, ( uint32_t )S->buflen );
- blake2s_set_lastblock( S );
- memset( S->buf + S->buflen, 0, 2 * BLAKE2S_BLOCKBYTES - S->buflen ); /* Padding */
- blake2s_compress( S, S->buf );
-
- for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */
- store32( buffer + sizeof( S->h[i] ) * i, S->h[i] );
-
- memcpy( out, buffer, outlen );
- return 0;
-}
-
-int blake2s( uint8_t *out, const void *in, const void *key, const uint8_t outlen, const uint64_t inlen, uint8_t keylen )
-{
- blake2s_state S[1];
-
- /* Verify parameters */
- if ( NULL == in ) return -1;
-
- if ( NULL == out ) return -1;
-
- if ( NULL == key ) keylen = 0; /* Fail here instead if keylen != 0 and key == NULL? */
-
- if( keylen > 0 )
- {
- if( blake2s_init_key( S, outlen, key, keylen ) < 0 ) return -1;
- }
- else
- {
- if( blake2s_init( S, outlen ) < 0 ) return -1;
- }
-
- blake2s_update( S, ( uint8_t * )in, inlen );
- blake2s_final( S, out, outlen );
- return 0;
-}
diff --git a/src/libsodium/crypto_generichash/blake2/ref/generichash_blake2b.c b/src/libsodium/crypto_generichash/blake2/ref/generichash_blake2b.c
index 6a637ec..7253cbf 100644
--- a/src/libsodium/crypto_generichash/blake2/ref/generichash_blake2b.c
+++ b/src/libsodium/crypto_generichash/blake2/ref/generichash_blake2b.c
@@ -54,11 +54,11 @@ crypto_generichash_blake2b_init(crypto_generichash_blake2b_state *state,
assert(keylen <= UINT8_MAX);
if (key == NULL || keylen <= 0U) {
if (blake2b_init(state, (uint8_t) outlen) != 0) {
- return -1;
+ return -1; /* LCOV_EXCL_LINE */
}
} else if (blake2b_init_key(state, (uint8_t) outlen, key,
(uint8_t) keylen) != 0) {
- return -1;
+ return -1; /* LCOV_EXCL_LINE */
}
return 0;
}
@@ -79,13 +79,13 @@ crypto_generichash_blake2b_init_salt_personal(crypto_generichash_blake2b_state *
if (key == NULL || keylen <= 0U) {
if (blake2b_init_salt_personal(state, (uint8_t) outlen,
salt, personal) != 0) {
- return -1;
+ return -1; /* LCOV_EXCL_LINE */
}
} else if (blake2b_init_key_salt_personal(state,
(uint8_t) outlen, key,
(uint8_t) keylen,
salt, personal) != 0) {
- return -1;
+ return -1; /* LCOV_EXCL_LINE */
}
return 0;
}
diff --git a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c
index 721bbe9..738794a 100644
--- a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c
+++ b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c
@@ -245,9 +245,11 @@ crypto_hash_sha256_update(crypto_hash_sha256_state *state,
bitlen[1] = ((uint32_t)inlen) << 3;
bitlen[0] = (uint32_t)(inlen >> 29);
+ /* LCOV_EXCL_START */
if ((state->count[1] += bitlen[1]) < bitlen[1]) {
state->count[0]++;
}
+ /* LCOV_EXCL_STOP */
state->count[0] += bitlen[0];
if (inlen < 64 - r) {
diff --git a/src/libsodium/crypto_hash/sha512/cp/hash_sha512.c b/src/libsodium/crypto_hash/sha512/cp/hash_sha512.c
index a740770..e85be74 100644
--- a/src/libsodium/crypto_hash/sha512/cp/hash_sha512.c
+++ b/src/libsodium/crypto_hash/sha512/cp/hash_sha512.c
@@ -272,9 +272,11 @@ crypto_hash_sha512_update(crypto_hash_sha512_state *state,
bitlen[1] = ((uint64_t)inlen) << 3;
bitlen[0] = ((uint64_t)inlen) >> 61;
+ /* LCOV_EXCL_START */
if ((state->count[1] += bitlen[1]) < bitlen[1]) {
state->count[0]++;
}
+ /* LCOV_EXCL_STOP */
state->count[0] += bitlen[0];
if (inlen < 128 - r) {
diff --git a/src/libsodium/crypto_hash/try.c b/src/libsodium/crypto_hash/try.c
deleted file mode 100644
index 5e8b569..0000000
--- a/src/libsodium/crypto_hash/try.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * crypto_hash/try.c version 20090118
- * D. J. Bernstein
- * Public domain.
- */
-
-#include <stdlib.h>
-#include "crypto_hash.h"
-#include "utils.h"
-#include "windows/windows-quirks.h"
-
-extern unsigned char *alignedcalloc(unsigned long long);
-
-const char *primitiveimplementation = crypto_hash_IMPLEMENTATION;
-
-#define MAXTEST_BYTES (10000 + crypto_hash_BYTES)
-#define CHECKSUM_BYTES 4096
-#define TUNE_BYTES 1536
-
-static unsigned char *h;
-static unsigned char *h2;
-static unsigned char *m;
-static unsigned char *m2;
-
-void preallocate(void)
-{
-}
-
-void allocate(void)
-{
- h = alignedcalloc(crypto_hash_BYTES);
- h2 = alignedcalloc(crypto_hash_BYTES);
- m = alignedcalloc(MAXTEST_BYTES);
- m2 = alignedcalloc(MAXTEST_BYTES);
-}
-
-void predoit(void)
-{
-}
-
-void doit(void)
-{
- crypto_hash(h,m,TUNE_BYTES);
-}
-
-char checksum[crypto_hash_BYTES * 2 + 1];
-
-const char *checksum_compute(void)
-{
- long long i;
- long long j;
-
- for (i = 0;i < CHECKSUM_BYTES;++i) {
- long long hlen = crypto_hash_BYTES;
- long long mlen = i;
- for (j = -16;j < 0;++j) h[j] = rand();
- for (j = hlen;j < hlen + 16;++j) h[j] = rand();
- for (j = -16;j < hlen + 16;++j) h2[j] = h[j];
- for (j = -16;j < 0;++j) m[j] = rand();
- for (j = mlen;j < mlen + 16;++j) m[j] = rand();
- for (j = -16;j < mlen + 16;++j) m2[j] = m[j];
- if (crypto_hash(h,m,mlen) != 0) return "crypto_hash returns nonzero";
- for (j = -16;j < mlen + 16;++j) if (m2[j] != m[j]) return "crypto_hash writes to input";
- for (j = -16;j < 0;++j) if (h2[j] != h[j]) return "crypto_hash writes before output";
- for (j = hlen;j < hlen + 16;++j) if (h2[j] != h[j]) return "crypto_hash writes after output";
- if (crypto_hash(m2,m2,mlen) != 0) return "crypto_hash returns nonzero";
- for (j = 0;j < hlen;++j) if (m2[j] != h[j]) return "crypto_hash does not handle overlap";
- for (j = 0;j < mlen;++j) m[j] ^= h[j % hlen];
- m[mlen] = h[0];
- }
- if (crypto_hash(h,m,CHECKSUM_BYTES) != 0) return "crypto_hash returns nonzero";
-
- sodium_bin2hex(checksum, sizeof checksum, h, crypto_hash_BYTES);
-
- return 0;
-}
diff --git a/src/libsodium/crypto_onetimeauth/poly1305/donna/auth_poly1305_donna.c b/src/libsodium/crypto_onetimeauth/poly1305/donna/auth_poly1305_donna.c
index acd04c0..eb05e02 100644
--- a/src/libsodium/crypto_onetimeauth/poly1305/donna/auth_poly1305_donna.c
+++ b/src/libsodium/crypto_onetimeauth/poly1305/donna/auth_poly1305_donna.c
@@ -86,12 +86,13 @@ crypto_onetimeauth_poly1305_donna_final(crypto_onetimeauth_poly1305_state *state
return 0;
}
-
+/* LCOV_EXCL_START */
const char *
crypto_onetimeauth_poly1305_donna_implementation_name(void)
{
return POLY1305_IMPLEMENTATION_NAME;
}
+/* LCOV_EXCL_STOP */
struct crypto_onetimeauth_poly1305_implementation
crypto_onetimeauth_poly1305_donna_implementation = {
diff --git a/src/libsodium/crypto_onetimeauth/poly1305/onetimeauth_poly1305.c b/src/libsodium/crypto_onetimeauth/poly1305/onetimeauth_poly1305.c
index 3eb28e5..14253b7 100644
--- a/src/libsodium/crypto_onetimeauth/poly1305/onetimeauth_poly1305.c
+++ b/src/libsodium/crypto_onetimeauth/poly1305/onetimeauth_poly1305.c
@@ -2,6 +2,7 @@
#include "crypto_onetimeauth_poly1305.h"
#include "donna/poly1305_donna.h"
+/* LCOV_EXCL_START */
static const crypto_onetimeauth_poly1305_implementation *implementation =
&crypto_onetimeauth_poly1305_donna_implementation;
@@ -18,6 +19,7 @@ crypto_onetimeauth_poly1305_implementation_name(void)
{
return implementation->implementation_name();
}
+/* LCOV_EXCL_STOP */
int
crypto_onetimeauth_poly1305(unsigned char *out, const unsigned char *in,
diff --git a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c
index 837ce3f..01a1e09 100644
--- a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c
+++ b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c
@@ -36,7 +36,7 @@ encode64_uint32(uint8_t * dst, size_t dstlen, uint32_t src, uint32_t srcbits)
for (bit = 0; bit < srcbits; bit += 6) {
if (dstlen < 1) {
- return NULL;
+ return NULL; /* LCOV_EXCL_LINE */
}
*dst++ = itoa64[src & 0x3f];
dstlen--;
@@ -60,7 +60,7 @@ encode64(uint8_t * dst, size_t dstlen, const uint8_t * src, size_t srclen)
} while (bits < 24 && i < srclen);
dnext = encode64_uint32(dst, dstlen, value, bits);
if (!dnext) {
- return NULL;
+ return NULL; /* LCOV_EXCL_LINE */
}
dstlen -= dnext - dst;
dst = dnext;
@@ -171,8 +171,8 @@ escrypt_r(escrypt_local_t * local, const uint8_t * passwd, size_t passwdlen,
dst = encode64(dst, buflen - (dst - buf), hash, sizeof(hash));
sodium_memzero(hash, sizeof hash);
- if (!dst || dst >= buf + buflen) { /* Can't happen */
- return NULL;
+ if (!dst || dst >= buf + buflen) {
+ return NULL; /* Can't happen LCOV_EXCL_LINE */
}
*dst = 0; /* NUL termination */
@@ -192,7 +192,7 @@ escrypt_gensalt_r(uint32_t N_log2, uint32_t r, uint32_t p,
need = prefixlen + saltlen + 1;
if (need > buflen || need < saltlen || saltlen < srclen) {
- return NULL;
+ return NULL; /* LCOV_EXCL_LINE */
}
if (N_log2 > 63 || ((uint64_t)r * (uint64_t)p >= (1U << 30))) {
return NULL;
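Review bot: The `LCOV_EXCL_LINE` added to the `need > buflen || need < saltlen || saltlen < srclen` branch of `escrypt_gensalt_r` hides an input-validation path rather than an impossible one. As far as this hunk shows, the branch is taken whenever the caller's buffer is too small for the encoded salt. Unlike the `Can't happen` branches marked elsewhere in this file, it could be driven from a test if the function is reachable from the test suite. I would keep the line as plain `return NULL;` and add a case that passes an undersized `buflen`. The function body continues outside the hunk.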
@@ -205,16 +205,16 @@ escrypt_gensalt_r(uint32_t N_log2, uint32_t r, uint32_t p,
*dst++ = itoa64[N_log2];
dst = encode64_uint32(dst, buflen - (dst - buf), r, 30);
- if (!dst) { /* Can't happen */
- return NULL;
+ if (!dst) {
+ return NULL; /* Can't happen LCOV_EXCL_LINE */
}
dst = encode64_uint32(dst, buflen - (dst - buf), p, 30);
- if (!dst) { /* Can't happen */
- return NULL;
+ if (!dst) {
+ return NULL; /* Can't happen LCOV_EXCL_LINE */
}
dst = encode64(dst, buflen - (dst - buf), src, srclen);
- if (!dst || dst >= buf + buflen) { /* Can't happen */
- return NULL;
+ if (!dst || dst >= buf + buflen) {
+ return NULL; /* Can't happen LCOV_EXCL_LINE */
}
*dst = 0; /* NUL termination */
@@ -232,7 +232,7 @@ crypto_pwhash_scryptsalsa208sha256_ll(const uint8_t * passwd, size_t passwdlen,
int retval;
if (escrypt_init_local(&local)) {
- return -1;
+ return -1; /* LCOV_EXCL_LINE */
}
#if defined(HAVE_EMMINTRIN_H) || defined(_MSC_VER)
escrypt_kdf =
@@ -244,7 +244,7 @@ crypto_pwhash_scryptsalsa208sha256_ll(const uint8_t * passwd, size_t passwdlen,
passwd, passwdlen, salt, saltlen,
N, r, p, buf, buflen);
if (escrypt_free_local(&local)) {
- return -1;
+ return -1; /* LCOV_EXCL_LINE */
}
return retval;
}
diff --git a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c
index ac426d3..9b585a2 100644
--- a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c
+++ b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c
@@ -44,41 +44,42 @@ void
PBKDF2_SHA256(const uint8_t * passwd, size_t passwdlen, const uint8_t * salt,
size_t saltlen, uint64_t c, uint8_t * buf, size_t dkLen)
{
- crypto_auth_hmacsha256_state PShctx, hctx;
- size_t i;
- uint8_t ivec[4];
- uint8_t U[32];
- uint8_t T[32];
- uint64_t j;
- int k;
- size_t clen;
+ crypto_auth_hmacsha256_state PShctx, hctx;
+ size_t i;
+ uint8_t ivec[4];
+ uint8_t U[32];
+ uint8_t T[32];
+ uint64_t j;
+ int k;
+ size_t clen;
crypto_auth_hmacsha256_init(&PShctx, passwd, passwdlen);
crypto_auth_hmacsha256_update(&PShctx, salt, saltlen);
- for (i = 0; i * 32 < dkLen; i++) {
- be32enc(ivec, (uint32_t)(i + 1));
- memcpy(&hctx, &PShctx, sizeof(crypto_auth_hmacsha256_state));
- crypto_auth_hmacsha256_update(&hctx, ivec, 4);
- crypto_auth_hmacsha256_final(&hctx, U);
+ for (i = 0; i * 32 < dkLen; i++) {
+ be32enc(ivec, (uint32_t)(i + 1));
+ memcpy(&hctx, &PShctx, sizeof(crypto_auth_hmacsha256_state));
+ crypto_auth_hmacsha256_update(&hctx, ivec, 4);
+ crypto_auth_hmacsha256_final(&hctx, U);
- memcpy(T, U, 32);
+ memcpy(T, U, 32);
+ /* LCOV_EXCL_START */
+ for (j = 2; j <= c; j++) {
+ crypto_auth_hmacsha256_init(&hctx, passwd, passwdlen);
+ crypto_auth_hmacsha256_update(&hctx, U, 32);
+ crypto_auth_hmacsha256_final(&hctx, U);
- for (j = 2; j <= c; j++) {
- crypto_auth_hmacsha256_init(&hctx, passwd, passwdlen);
- crypto_auth_hmacsha256_update(&hctx, U, 32);
- crypto_auth_hmacsha256_final(&hctx, U);
-
- for (k = 0; k < 32; k++) {
- T[k] ^= U[k];
+ for (k = 0; k < 32; k++) {
+ T[k] ^= U[k];
}
- }
-
- clen = dkLen - i * 32;
- if (clen > 32) {
- clen = 32;
}
- memcpy(&buf[i * 32], T, clen);
+ /* LCOV_EXCL_STOP */
+
+ clen = dkLen - i * 32;
+ if (clen > 32) {
+ clen = 32;
}
+ memcpy(&buf[i * 32], T, clen);
+ }
sodium_memzero((void *) &PShctx, sizeof PShctx);
}
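Review bot: Only `PShctx` is wiped at the end of `PBKDF2_SHA256`, so password-derived material is left on the stack when the function returns. That covers the working state `hctx`, which is re-keyed with the password inside the loop, and the blocks `U` and `T`, which hold derived-key output. Wiping them next to the existing call would close that: `sodium_memzero((void *) &hctx, sizeof hctx);`, `sodium_memzero(U, sizeof U);`, `sodium_memzero(T, sizeof T);`. Separately, the new `LCOV_EXCL_START`/`LCOV_EXCL_STOP` pair removes the `for (j = 2; j <= c; j++)` iteration loop from the coverage report, so a regression in the multi-iteration path would go unnoticed; a test vector with `c > 1` would serve better than the exclusion.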
diff --git a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c
index b4e64a5..e7962cc 100644
--- a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c
+++ b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c
@@ -41,9 +41,11 @@ pickparams(unsigned long long opslimit, const size_t memlimit,
}
}
maxrp = (opslimit / 4) / ((uint64_t) (1) << *N_log2);
+ /* LCOV_EXCL_START */
if (maxrp > 0x3fffffff) {
maxrp = 0x3fffffff;
}
+ /* LCOV_EXCL_STOP */
*p = (uint32_t) (maxrp) / *r;
}
return 0;
@@ -61,6 +63,12 @@ crypto_pwhash_scryptsalsa208sha256_strbytes(void)
return crypto_pwhash_scryptsalsa208sha256_STRBYTES;
}
+const char *
+crypto_pwhash_scryptsalsa208sha256_strprefix(void)
+{
+ return crypto_pwhash_scryptsalsa208sha256_STRPREFIX;
+}
+
size_t
crypto_pwhash_scryptsalsa208sha256_opslimit_interactive(void)
{
@@ -100,12 +108,12 @@ crypto_pwhash_scryptsalsa208sha256(unsigned char * const out,
memset(out, 0, outlen);
if (passwdlen > SIZE_MAX || outlen > SIZE_MAX) {
- errno = EFBIG;
- return -1;
+ errno = EFBIG; /* LCOV_EXCL_LINE */
+ return -1; /* LCOV_EXCL_LINE */
}
if (pickparams(opslimit, memlimit, &N_log2, &p, &r) != 0) {
- errno = EINVAL;
- return -1;
+ errno = EINVAL; /* LCOV_EXCL_LINE */
+ return -1; /* LCOV_EXCL_LINE */
}
return crypto_pwhash_scryptsalsa208sha256_ll((const uint8_t *) passwd,
(size_t) passwdlen,
@@ -131,28 +139,30 @@ crypto_pwhash_scryptsalsa208sha256_str(char out[crypto_pwhash_scryptsalsa208sha2
memset(out, 0, crypto_pwhash_scryptsalsa208sha256_STRBYTES);
if (passwdlen > SIZE_MAX) {
- errno = EFBIG;
- return -1;
+ errno = EFBIG; /* LCOV_EXCL_LINE */
+ return -1; /* LCOV_EXCL_LINE */
}
if (pickparams(opslimit, memlimit, &N_log2, &p, &r) != 0) {
- errno = EINVAL;
- return -1;
+ errno = EINVAL; /* LCOV_EXCL_LINE */
+ return -1; /* LCOV_EXCL_LINE */
}
randombytes_buf(salt, sizeof salt);
if (escrypt_gensalt_r(N_log2, r, p, salt, sizeof salt,
(uint8_t *) setting, sizeof setting) == NULL) {
- errno = EINVAL;
- return -1;
+ errno = EINVAL; /* LCOV_EXCL_LINE */
+ return -1; /* LCOV_EXCL_LINE */
}
if (escrypt_init_local(&escrypt_local) != 0) {
- return -1;
+ return -1; /* LCOV_EXCL_LINE */
}
if (escrypt_r(&escrypt_local, (const uint8_t *) passwd, (size_t) passwdlen,
(const uint8_t *) setting, (uint8_t *) out,
crypto_pwhash_scryptsalsa208sha256_STRBYTES) == NULL) {
+ /* LCOV_EXCL_START */
escrypt_free_local(&escrypt_local);
errno = EINVAL;
return -1;
+ /* LCOV_EXCL_STOP */
}
escrypt_free_local(&escrypt_local);
@@ -181,7 +191,7 @@ crypto_pwhash_scryptsalsa208sha256_str_verify(const char str[crypto_pwhash_scryp
return -1;
}
if (escrypt_init_local(&escrypt_local) != 0) {
- return -1;
+ return -1; /* LCOV_EXCL_LINE */
}
if (escrypt_r(&escrypt_local, (const uint8_t *) passwd, (size_t) passwdlen,
(const uint8_t *) str, (uint8_t *) wanted,
diff --git a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c
index cddf964..da8b433 100644
--- a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c
+++ b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c
@@ -43,7 +43,7 @@ alloc_region(escrypt_region_t * region, size_t size)
MAP_ANON | MAP_PRIVATE,
#endif
-1, 0)) == MAP_FAILED)
- base = NULL;
+ base = NULL; /* LCOV_EXCL_LINE */
aligned = base;
#elif defined(HAVE_POSIX_MEMALIGN)
if ((errno = posix_memalign((void **) &base, 64, size)) != 0)
@@ -77,7 +77,7 @@ free_region(escrypt_region_t * region)
if (region->base) {
#ifdef MAP_ANON
if (munmap(region->base, region->size))
- return -1;
+ return -1; /* LCOV_EXCL_LINE */
#else
free(region->base);
#endif
diff --git a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c
index d340dd0..15d4a14 100644
--- a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c
+++ b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c
@@ -365,9 +365,9 @@ escrypt_kdf_sse(escrypt_local_t * local,
}
if (local->size < need) {
if (free_region(local))
- return -1;
+ return -1; /* LCOV_EXCL_LINE */
if (!alloc_region(local, need))
- return -1;
+ return -1; /* LCOV_EXCL_LINE */
}
B = (uint8_t *)local->aligned;
V = (uint32_t *)((uint8_t *)B + B_size);
diff --git a/src/libsodium/crypto_scalarmult/curve25519/ref10/pow225521.h b/src/libsodium/crypto_scalarmult/curve25519/ref10/pow225521.h
index 109df77..8397222 100644
--- a/src/libsodium/crypto_scalarmult/curve25519/ref10/pow225521.h
+++ b/src/libsodium/crypto_scalarmult/curve25519/ref10/pow225521.h
@@ -50,7 +50,7 @@
/* qhasm: z2 = z1^2^1 */
/* asm 1: fe_sq(>z2=fe#1,<z1=fe#11); for (i = 1;i < 1;++i) fe_sq(>z2=fe#1,>z2=fe#1); */
/* asm 2: fe_sq(>z2=t0,<z1=z); for (i = 1;i < 1;++i) fe_sq(>z2=t0,>z2=t0); */
-fe_sq(t0,z); for (i = 1;i < 1;++i) fe_sq(t0,t0);
+fe_sq(t0,z); /* for (i = 1;i < 1;++i) fe_sq(t0,t0); */
/* qhasm: z8 = z2^2^2 */
/* asm 1: fe_sq(>z8=fe#2,<z2=fe#1); for (i = 1;i < 2;++i) fe_sq(>z8=fe#2,>z8=fe#2); */
@@ -70,7 +70,7 @@ fe_mul(t0,t0,t1);
/* qhasm: z22 = z11^2^1 */
/* asm 1: fe_sq(>z22=fe#3,<z11=fe#1); for (i = 1;i < 1;++i) fe_sq(>z22=fe#3,>z22=fe#3); */
/* asm 2: fe_sq(>z22=t2,<z11=t0); for (i = 1;i < 1;++i) fe_sq(>z22=t2,>z22=t2); */
-fe_sq(t2,t0); for (i = 1;i < 1;++i) fe_sq(t2,t2);
+fe_sq(t2,t0); /* for (i = 1;i < 1;++i) fe_sq(t2,t2); */
/* qhasm: z_5_0 = z9*z22 */
/* asm 1: fe_mul(>z_5_0=fe#2,<z9=fe#2,<z22=fe#3); */
diff --git a/src/libsodium/crypto_scalarmult/try.c b/src/libsodium/crypto_scalarmult/try.c
deleted file mode 100644
index 1f75ab7..0000000
--- a/src/libsodium/crypto_scalarmult/try.c
+++ /dev/null
@@ -1,125 +0,0 @@
-/*
- * crypto_scalarmult/try.c version 20090118
- * D. J. Bernstein
- * Public domain.
- */
-
-#include <stdlib.h>
-#include "crypto_scalarmult.h"
-#include "utils.h"
-#include "windows/windows-quirks.h"
-
-extern unsigned char *alignedcalloc(unsigned long long);
-
-const char *primitiveimplementation = crypto_scalarmult_IMPLEMENTATION;
-
-#define mlen crypto_scalarmult_SCALARBYTES
-#define nlen crypto_scalarmult_SCALARBYTES
-#define plen crypto_scalarmult_BYTES
-#define qlen crypto_scalarmult_BYTES
-#define rlen crypto_scalarmult_BYTES
-
-static unsigned char *m;
-static unsigned char *n;
-static unsigned char *p;
-static unsigned char *q;
-static unsigned char *r;
-
-static unsigned char *m2;
-static unsigned char *n2;
-static unsigned char *p2;
-static unsigned char *q2;
-static unsigned char *r2;
-
-void preallocate(void)
-{
-}
-
-void allocate(void)
-{
- m = alignedcalloc(mlen);
- n = alignedcalloc(nlen);
- p = alignedcalloc(plen);
- q = alignedcalloc(qlen);
- r = alignedcalloc(rlen);
- m2 = alignedcalloc(mlen + crypto_scalarmult_BYTES);
- n2 = alignedcalloc(nlen + crypto_scalarmult_BYTES);
- p2 = alignedcalloc(plen + crypto_scalarmult_BYTES);
- q2 = alignedcalloc(qlen + crypto_scalarmult_BYTES);
- r2 = alignedcalloc(rlen + crypto_scalarmult_BYTES);
-}
-
-void predoit(void)
-{
-}
-
-void doit(void)
-{
- crypto_scalarmult(q,n,p);
- crypto_scalarmult_base(r,n);
-}
-
-char checksum[crypto_scalarmult_BYTES * 2 + 1];
-
-const char *checksum_compute(void)
-{
- long long i;
- long long j;
- long long tests;
-
- for (i = 0;i < mlen;++i) m[i] = i;
- for (i = 0;i < nlen;++i) n[i] = i + 1;
- for (i = 0;i < plen;++i) p[i] = i + 2;
- for (i = 0;i < qlen;++i) q[i] = i + 3;
- for (i = 0;i < rlen;++i) r[i] = i + 4;
-
- for (i = -16;i < 0;++i) p[i] = rand();
- for (i = -16;i < 0;++i) n[i] = rand();
- for (i = plen;i < plen + 16;++i) p[i] = rand();
- for (i = nlen;i < nlen + 16;++i) n[i] = rand();
- for (i = -16;i < plen + 16;++i) p2[i] = p[i];
- for (i = -16;i < nlen + 16;++i) n2[i] = n[i];
-
- if (crypto_scalarmult_base(p,n) != 0) return "crypto_scalarmult_base returns nonzero";
-
- for (i = -16;i < nlen + 16;++i) if (n2[i] != n[i]) return "crypto_scalarmult_base overwrites input";
- for (i = -16;i < 0;++i) if (p2[i] != p[i]) return "crypto_scalarmult_base writes before output";
- for (i = plen;i < plen + 16;++i) if (p2[i] != p[i]) return "crypto_scalarmult_base writes after output";
-
- for (tests = 0;tests < 100;++tests) {
- for (i = -16;i < 0;++i) q[i] = rand();
- for (i = -16;i < 0;++i) p[i] = rand();
- for (i = -16;i < 0;++i) m[i] = rand();
- for (i = qlen;i < qlen + 16;++i) q[i] = rand();
- for (i = plen;i < plen + 16;++i) p[i] = rand();
- for (i = mlen;i < mlen + 16;++i) m[i] = rand();
- for (i = -16;i < qlen + 16;++i) q2[i] = q[i];
- for (i = -16;i < plen + 16;++i) p2[i] = p[i];
- for (i = -16;i < mlen + 16;++i) m2[i] = m[i];
-
- if (crypto_scalarmult(q,m,p) != 0) return "crypto_scalarmult returns nonzero";
-
- for (i = -16;i < mlen + 16;++i) if (m2[i] != m[i]) return "crypto_scalarmult overwrites n input";
- for (i = -16;i < plen + 16;++i) if (p2[i] != p[i]) return "crypto_scalarmult overwrites p input";
- for (i = -16;i < 0;++i) if (q2[i] != q[i]) return "crypto_scalarmult writes before output";
- for (i = qlen;i < qlen + 16;++i) if (q2[i] != q[i]) return "crypto_scalarmult writes after output";
-
- if (crypto_scalarmult(m2,m2,p) != 0) return "crypto_scalarmult returns nonzero";
- for (i = 0;i < qlen;++i) if (q[i] != m2[i]) return "crypto_scalarmult does not handle n overlap";
- for (i = 0;i < qlen;++i) m2[i] = m[i];
-
- if (crypto_scalarmult(p2,m2,p2) != 0) return "crypto_scalarmult returns nonzero";
- for (i = 0;i < qlen;++i) if (q[i] != p2[i]) return "crypto_scalarmult does not handle p overlap";
-
- if (crypto_scalarmult(r,n,q) != 0) return "crypto_scalarmult returns nonzero";
- if (crypto_scalarmult(q,n,p) != 0) return "crypto_scalarmult returns nonzero";
- if (crypto_scalarmult(p,m,q) != 0) return "crypto_scalarmult returns nonzero";
- for (j = 0;j < plen;++j) if (p[j] != r[j]) return "crypto_scalarmult not associative";
- for (j = 0;j < mlen;++j) m[j] ^= q[j % qlen];
- for (j = 0;j < nlen;++j) n[j] ^= p[j % plen];
- }
-
- sodium_bin2hex(checksum, sizeof checksum, p, crypto_scalarmult_BYTES);
-
- return 0;
-}
diff --git a/src/libsodium/crypto_secretbox/crypto_secretbox_easy.c b/src/libsodium/crypto_secretbox/crypto_secretbox_easy.c
index 08de096..5000a05 100644
--- a/src/libsodium/crypto_secretbox/crypto_secretbox_easy.c
+++ b/src/libsodium/crypto_secretbox/crypto_secretbox_easy.c
@@ -27,9 +27,6 @@ crypto_secretbox_detached(unsigned char *c, unsigned char *mac,
unsigned long long i;
unsigned long long mlen0;
- if (mlen > SIZE_MAX - crypto_secretbox_MACBYTES) {
- return -1;
- }
crypto_core_hsalsa20(subkey, n, k, sigma);
memset(block0, 0U, crypto_secretbox_ZEROBYTES);
@@ -68,6 +65,9 @@ crypto_secretbox_easy(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
const unsigned char *k)
{
+ if (mlen > SIZE_MAX - crypto_secretbox_MACBYTES) {
+ return -1;
+ }
return crypto_secretbox_detached(c + crypto_secretbox_MACBYTES,
c, m, mlen, n, k);
}
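Review bot: The length guard now sits in `crypto_secretbox_easy` and was removed from `crypto_secretbox_detached` in the previous hunk, but nothing records why it belongs here. A comment above the check would help the next reader: `/* c holds the MAC followed by mlen bytes of ciphertext, so mlen + crypto_secretbox_MACBYTES must fit in a size_t */`. If a matching open/decrypt wrapper exists outside this hunk, it is worth confirming that it bounds its length the same way.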
diff --git a/src/libsodium/crypto_secretbox/try.c b/src/libsodium/crypto_secretbox/try.c
deleted file mode 100644
index 9478187..0000000
--- a/src/libsodium/crypto_secretbox/try.c
+++ /dev/null
@@ -1,129 +0,0 @@
-/*
- * crypto_secretbox/try.c version 20090118
- * D. J. Bernstein
- * Public domain.
- */
-
-#include <stdlib.h>
-#include "crypto_secretbox.h"
-#include "utils.h"
-#include "windows/windows-quirks.h"
-
-extern unsigned char *alignedcalloc(unsigned long long);
-
-const char *primitiveimplementation = crypto_secretbox_IMPLEMENTATION;
-
-#define MAXTEST_BYTES 10000
-#define CHECKSUM_BYTES 4096
-#define TUNE_BYTES 1536
-
-static unsigned char *k;
-static unsigned char *n;
-static unsigned char *m;
-static unsigned char *c;
-static unsigned char *t;
-static unsigned char *k2;
-static unsigned char *n2;
-static unsigned char *m2;
-static unsigned char *c2;
-static unsigned char *t2;
-
-#define klen crypto_secretbox_KEYBYTES
-#define nlen crypto_secretbox_NONCEBYTES
-
-void preallocate(void)
-{
-}
-
-void allocate(void)
-{
- k = alignedcalloc(klen);
- n = alignedcalloc(nlen);
- m = alignedcalloc(MAXTEST_BYTES + crypto_secretbox_ZEROBYTES);
- c = alignedcalloc(MAXTEST_BYTES + crypto_secretbox_ZEROBYTES);
- t = alignedcalloc(MAXTEST_BYTES + crypto_secretbox_ZEROBYTES);
- k2 = alignedcalloc(klen);
- n2 = alignedcalloc(nlen);
- m2 = alignedcalloc(MAXTEST_BYTES + crypto_secretbox_ZEROBYTES);
- c2 = alignedcalloc(MAXTEST_BYTES + crypto_secretbox_ZEROBYTES);
- t2 = alignedcalloc(MAXTEST_BYTES + crypto_secretbox_ZEROBYTES);
-}
-
-void predoit(void)
-{
-}
-
-void doit(void)
-{
- crypto_secretbox(c,m,TUNE_BYTES + crypto_secretbox_ZEROBYTES,n,k);
- crypto_secretbox_open(t,c,TUNE_BYTES + crypto_secretbox_ZEROBYTES,n,k);
-}
-
-char checksum[klen * 2 + 1];
-
-const char *checksum_compute(void)
-{
- long long i;
- long long j;
-
- for (j = 0;j < crypto_secretbox_ZEROBYTES;++j) m[j] = 0;
-
- for (i = 0;i < CHECKSUM_BYTES;++i) {
- long long mlen = i + crypto_secretbox_ZEROBYTES;
- long long tlen = i + crypto_secretbox_ZEROBYTES;
- long long clen = i + crypto_secretbox_ZEROBYTES;
-
- for (j = -16;j < 0;++j) k[j] = rand();
- for (j = -16;j < 0;++j) n[j] = rand();
- for (j = -16;j < 0;++j) m[j] = rand();
- for (j = klen;j < klen + 16;++j) k[j] = rand();
- for (j = nlen;j < nlen + 16;++j) n[j] = rand();
- for (j = mlen;j < mlen + 16;++j) m[j] = rand();
- for (j = -16;j < klen + 16;++j) k2[j] = k[j];
- for (j = -16;j < nlen + 16;++j) n2[j] = n[j];
- for (j = -16;j < mlen + 16;++j) m2[j] = m[j];
- for (j = -16;j < clen + 16;++j) c2[j] = c[j] = rand();
-
- if (crypto_secretbox(c,m,mlen,n,k) != 0) return "crypto_secretbox returns nonzero";
-
- for (j = -16;j < mlen + 16;++j) if (m2[j] != m[j]) return "crypto_secretbox overwrites m";
- for (j = -16;j < nlen + 16;++j) if (n2[j] != n[j]) return "crypto_secretbox overwrites n";
- for (j = -16;j < klen + 16;++j) if (k2[j] != k[j]) return "crypto_secretbox overwrites k";
- for (j = -16;j < 0;++j) if (c2[j] != c[j]) return "crypto_secretbox writes before output";
- for (j = clen;j < clen + 16;++j) if (c2[j] != c[j]) return "crypto_secretbox writes after output";
- for (j = 0;j < crypto_secretbox_BOXZEROBYTES;++j)
- if (c[j] != 0) return "crypto_secretbox does not clear extra bytes";
-
- for (j = -16;j < 0;++j) c[j] = rand();
- for (j = clen;j < clen + 16;++j) c[j] = rand();
- for (j = -16;j < clen + 16;++j) c2[j] = c[j];
- for (j = -16;j < tlen + 16;++j) t2[j] = t[j] = rand();
-
- if (crypto_secretbox_open(t,c,clen,n,k) != 0) return "crypto_secretbox_open returns nonzero";
-
- for (j = -16;j < clen + 16;++j) if (c2[j] != c[j]) return "crypto_secretbox_open overwrites c";
- for (j = -16;j < nlen + 16;++j) if (n2[j] != n[j]) return "crypto_secretbox_open overwrites n";
- for (j = -16;j < klen + 16;++j) if (k2[j] != k[j]) return "crypto_secretbox_open overwrites k";
- for (j = -16;j < 0;++j) if (t2[j] != t[j]) return "crypto_secretbox_open writes before output";
- for (j = tlen;j < tlen + 16;++j) if (t2[j] != t[j]) return "crypto_secretbox_open writes after output";
- for (j = 0;j < crypto_secretbox_ZEROBYTES;++j)
- if (t[j] != 0) return "crypto_secretbox_open does not clear extra bytes";
-
- for (j = 0;j < i;++j) if (t[j] != m[j]) return "plaintext does not match";
-
- for (j = 0;j < i;++j)
- k[j % klen] ^= c[j + crypto_secretbox_BOXZEROBYTES];
- crypto_secretbox(c,m,mlen,n,k);
- for (j = 0;j < i;++j)
- n[j % nlen] ^= c[j + crypto_secretbox_BOXZEROBYTES];
- crypto_secretbox(c,m,mlen,n,k);
- if (i == 0) m[crypto_secretbox_ZEROBYTES + 0] = 0;
- m[crypto_secretbox_ZEROBYTES + i] = m[crypto_secretbox_ZEROBYTES + 0];
- for (j = 0;j < i;++j)
- m[j + crypto_secretbox_ZEROBYTES] ^= c[j + crypto_secretbox_BOXZEROBYTES];
- }
-
- sodium_bin2hex(checksum, sizeof checksum, k, klen);
-
- return 0;
-}
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
index 7955647..2268cd6 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c
@@ -2,8 +2,11 @@
#include <string.h>
#include "api.h"
-#include "randombytes.h"
#include "crypto_hash_sha512.h"
+#include "crypto_scalarmult_curve25519.h"
+#include "randombytes.h"
+#include "utils.h"
+#include "fe.h"
#include "ge.h"
int crypto_sign_seed_keypair(unsigned char *pk, unsigned char *sk,
@@ -27,7 +30,47 @@ int crypto_sign_seed_keypair(unsigned char *pk, unsigned char *sk,
int crypto_sign_keypair(unsigned char *pk, unsigned char *sk)
{
unsigned char seed[32];
+ int ret;
+
+ randombytes_buf(seed, sizeof seed);
+ ret = crypto_sign_seed_keypair(pk, sk, seed);
+ sodium_memzero(seed, sizeof seed);
+
+ return ret;
+}
+
+int crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
+ const unsigned char *ed25519_pk)
+{
+ ge_p3 A;
+ fe x;
+ fe one_minus_y;
- randombytes(seed,32);
- return crypto_sign_seed_keypair(pk,sk,seed);
+ ge_frombytes_negate_vartime(&A, ed25519_pk);
+ fe_1(one_minus_y);
+ fe_sub(one_minus_y, one_minus_y, A.Y);
+ fe_invert(one_minus_y, one_minus_y);
+ fe_1(x);
+ fe_add(x, x, A.Y);
+ fe_mul(x, x, one_minus_y);
+ fe_tobytes(curve25519_pk, x);
+
+ return 0;
+}
+
+int crypto_sign_ed25519_sk_to_curve25519(unsigned char *curve25519_sk,
+ const unsigned char *ed25519_sk)
+{
+ unsigned char h[crypto_hash_sha512_BYTES];
+
+ crypto_hash_sha512(h, ed25519_sk,
+ crypto_sign_ed25519_SECRETKEYBYTES -
+ crypto_sign_ed25519_PUBLICKEYBYTES);
+ h[0] &= 248;
+ h[31] &= 127;
+ h[31] |= 64;
+ memcpy(curve25519_sk, h, crypto_scalarmult_curve25519_BYTES);
+ sodium_memzero(h, sizeof h);
+
+ return 0;
}
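Review bot: `crypto_sign_ed25519_pk_to_curve25519` ignores the result of `ge_frombytes_negate_vartime(&A, ed25519_pk)`, so an input that does not decode to a curve point still yields an output and a return value of 0. In ref10 that function reports a decoding failure through its return value, so the call should be checked: `if (ge_frombytes_negate_vartime(&A, ed25519_pk) != 0) { return -1; }`. A smaller point in `crypto_sign_ed25519_sk_to_curve25519`: the copy length is `crypto_scalarmult_curve25519_BYTES` although the destination is a scalar, so `crypto_scalarmult_curve25519_SCALARBYTES` states the intent better (the two are presumably equal).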
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/open.c b/src/libsodium/crypto_sign/ed25519/ref10/open.c
index 36eb084..488333e 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/open.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/open.c
@@ -43,16 +43,8 @@ crypto_sign_verify_detached(const unsigned char *sig, const unsigned char *m,
ge_double_scalarmult_vartime(&R, h, &A, sig + 32);
ge_tobytes(rcheck, &R);
- if (crypto_verify_32(rcheck, sig) != 0) {
- return -1;
- }
- if (sig == rcheck) {
- return -1;
- }
- if (sodium_memcmp(sig, rcheck, 32) != 0) {
- return -1;
- }
- return 0;
+ return crypto_verify_32(rcheck, sig) | (-(rcheck - sig == 0)) |
+ sodium_memcmp(sig, rcheck, 32);
}
int
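Review bot: The middle term `-(rcheck - sig == 0)` subtracts two pointers that do not point into the same array, which C leaves undefined. `rcheck` is the buffer filled by `ge_tobytes` here, presumably a local, and `sig` is the caller's buffer; the removed code compared them with `==`, which is well defined. The branch-free form can be kept with the equality operator: `return crypto_verify_32(rcheck, sig) | (-(rcheck == sig)) | sodium_memcmp(sig, rcheck, 32);`. The OR also relies on both comparison helpers returning only 0 or -1, which deserves a one-line comment. The function starts above the hunk.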
diff --git a/src/libsodium/crypto_sign/ed25519/ref10/sign.c b/src/libsodium/crypto_sign/ed25519/ref10/sign.c
index 88f4710..1ee5d6c 100644
--- a/src/libsodium/crypto_sign/ed25519/ref10/sign.c
+++ b/src/libsodium/crypto_sign/ed25519/ref10/sign.c
@@ -5,6 +5,7 @@
#include "crypto_hash_sha512.h"
#include "ge.h"
#include "sc.h"
+#include "utils.h"
int
crypto_sign_detached(unsigned char *sig, unsigned long long *siglen,
@@ -44,6 +45,9 @@ crypto_sign_detached(unsigned char *sig, unsigned long long *siglen,
sc_reduce(hram);
sc_muladd(sig + 32, hram, az, nonce);
+ sodium_memzero(az, sizeof az);
+ sodium_memzero(nonce, sizeof nonce);
+
if (siglen != NULL) {
*siglen = 64U;
}
@@ -57,13 +61,19 @@ crypto_sign(unsigned char *sm, unsigned long long *smlen,
{
unsigned long long siglen;
- if (crypto_sign_detached(sm, &siglen, m, mlen, sk) != 0 ||
- siglen > crypto_sign_ed25519_BYTES) {
- *smlen = 0;
+ memmove(sm + crypto_sign_ed25519_BYTES, m, mlen);
+/* LCOV_EXCL_START */
+ if (crypto_sign_detached(sm, &siglen, sm + crypto_sign_ed25519_BYTES,
+ mlen, sk) != 0 ||
+ siglen != crypto_sign_ed25519_BYTES) {
+ if (smlen != NULL) {
+ *smlen = 0;
+ }
memset(sm, 0, mlen + crypto_sign_ed25519_BYTES);
return -1;
}
- memmove(sm + siglen, m, mlen);
+/* LCOV_EXCL_STOP */
+
if (smlen != NULL) {
*smlen = mlen + siglen;
}
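Review bot: The reordering in `crypto_sign` is not explained in the code. The message is now moved to `sm + crypto_sign_ed25519_BYTES` before signing and the signature is computed over that copy, which looks intended to let `m` and `sm` overlap. A comment above the `memmove` would record that, e.g. `/* copy m into place first so that m and sm may overlap */`. The `LCOV_EXCL_START` marker also sits above the `if`, so the always-executed `crypto_sign_detached` call is excluded along with the failure branch; placing it inside the braces would limit the exclusion to the error path. The function continues past the end of the hunk.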
diff --git a/src/libsodium/crypto_sign/ed25519/sign_ed25519_api.c b/src/libsodium/crypto_sign/ed25519/sign_ed25519_api.c
index 9f999d2..7ba6b4c 100644
--- a/src/libsodium/crypto_sign/ed25519/sign_ed25519_api.c
+++ b/src/libsodium/crypto_sign/ed25519/sign_ed25519_api.c
@@ -1,3 +1,6 @@
+
+#include <string.h>
+
#include "crypto_sign_ed25519.h"
size_t
@@ -19,3 +22,18 @@ size_t
crypto_sign_ed25519_secretkeybytes(void) {
return crypto_sign_ed25519_SECRETKEYBYTES;
}
+
+int
+crypto_sign_ed25519_sk_to_seed(unsigned char *seed, const unsigned char *sk)
+{
+ memmove(seed, sk, crypto_sign_ed25519_SEEDBYTES);
+ return 0;
+}
+
+int
+crypto_sign_ed25519_sk_to_pk(unsigned char *pk, const unsigned char *sk)
+{
+ memmove(pk, sk + crypto_sign_ed25519_SEEDBYTES,
+ crypto_sign_ed25519_PUBLICKEYBYTES);
+ return 0;
+}
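Review bot: `crypto_sign_ed25519_sk_to_seed` and `crypto_sign_ed25519_sk_to_pk` both depend on the secret key being laid out as the seed followed by the public key, and nothing in the new code says so. A short comment on each would make the assumption explicit, e.g. `/* sk = seed || pk; the seed is secret, callers should wipe it after use */` on the first and `/* the public key is stored after the seed in sk */` on the second.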
diff --git a/src/libsodium/crypto_sign/edwards25519sha512batch/ref/sign_edwards25519sha512batch.c b/src/libsodium/crypto_sign/edwards25519sha512batch/ref/sign_edwards25519sha512batch.c
index 885d7b1..9c548dc 100644
--- a/src/libsodium/crypto_sign/edwards25519sha512batch/ref/sign_edwards25519sha512batch.c
+++ b/src/libsodium/crypto_sign/edwards25519sha512batch/ref/sign_edwards25519sha512batch.c
@@ -13,7 +13,7 @@ int crypto_sign_keypair(
sc25519 scsk;
ge25519 gepk;
- randombytes(sk, 32);
+ randombytes_buf(sk, 32);
crypto_hash_sha512(sk, sk, 32);
sk[0] &= 248;
sk[31] &= 127;
diff --git a/src/libsodium/crypto_sign/try.c b/src/libsodium/crypto_sign/try.c
deleted file mode 100644
index 8ea81b6..0000000
--- a/src/libsodium/crypto_sign/try.c
+++ /dev/null
@@ -1,87 +0,0 @@
-/*
- * crypto_sign/try.c version 20090118
- * D. J. Bernstein
- * Public domain.
- */
-
-#include <stdlib.h>
-#include "randombytes.h"
-#include "crypto_sign.h"
-#include "windows/windows-quirks.h"
-
-#define MAXTEST_BYTES 10000
-#define TUNE_BYTES 1536
-
-extern unsigned char *alignedcalloc(unsigned long long);
-
-const char *primitiveimplementation = crypto_sign_IMPLEMENTATION;
-
-static unsigned char *pk;
-static unsigned char *sk;
-static unsigned char *m; unsigned long long mlen;
-static unsigned char *sm; unsigned long long smlen;
-static unsigned char *t; unsigned long long tlen;
-
-void preallocate(void)
-{
-#ifdef RAND_R_PRNG_NOT_SEEDED
- RAND_status();
-#endif
-}
-
-void allocate(void)
-{
- pk = alignedcalloc(crypto_sign_PUBLICKEYBYTES);
- sk = alignedcalloc(crypto_sign_SECRETKEYBYTES);
- m = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES);
- sm = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES);
- t = alignedcalloc(MAXTEST_BYTES + crypto_sign_BYTES);
-}
-
-void predoit(void)
-{
- crypto_sign_keypair(pk,sk);
- mlen = TUNE_BYTES;
- smlen = 0;
- randombytes(m,mlen);
- crypto_sign(sm,&smlen,m,mlen,sk);
-}
-
-void doit(void)
-{
- crypto_sign_open(t,&tlen,sm,smlen,pk);
-}
-
-char checksum[crypto_sign_BYTES * 2 + 1];
-
-const char *checksum_compute(void)
-{
- long long mlen;
- long long i;
- long long j;
-
- if (crypto_sign_keypair(pk,sk) != 0) return "crypto_sign_keypair returns nonzero";
- for (mlen = 0;mlen < MAXTEST_BYTES;mlen += 1 + (mlen / 16)) {
- if (crypto_sign(sm,&smlen,m,mlen,sk) != 0) return "crypto_sign returns nonzero";
- if (crypto_sign_open(t,&tlen,sm,smlen,pk) != 0) return "crypto_sign_open returns nonzero";
- if (tlen != mlen) return "crypto_sign_open does not match length";
- for (i = 0;i < tlen;++i)
- if (t[i] != m[i])
- return "crypto_sign_open does not match contents";
-
- j = rand() % smlen;
- sm[j] ^= 1;
- if (crypto_sign_open(t,&tlen,sm,smlen,pk) == 0) {
- if (tlen != mlen) return "crypto_sign_open allows trivial forgery of length";
- for (i = 0;i < tlen;++i)
- if (t[i] != m[i])
- return "crypto_sign_open allows trivial forgery of contents";
- }
- sm[j] ^= 1;
-
- }
-
- /* do some long-term checksum */
- checksum[0] = 0;
- return 0;
-}
diff --git a/src/libsodium/crypto_stream/aes256estream/hongjun/aes-table-be.h b/src/libsodium/crypto_stream/aes256estream/hongjun/aes-table-be.h
deleted file mode 100644
index 8a4a49c..0000000
--- a/src/libsodium/crypto_stream/aes256estream/hongjun/aes-table-be.h
+++ /dev/null
@@ -1,273 +0,0 @@
-
-#ifndef __AES_TABLE_BE_H__
-#define __AES_TABLE_BE_H__
-
-ALIGN(64) static unsigned int T0[256] = {
- 0xc66363a5, 0xf87c7c84, 0xee777799, 0xf67b7b8d,
- 0xfff2f20d, 0xd66b6bbd, 0xde6f6fb1, 0x91c5c554,
- 0x60303050, 0x02010103, 0xce6767a9, 0x562b2b7d,
- 0xe7fefe19, 0xb5d7d762, 0x4dababe6, 0xec76769a,
- 0x8fcaca45, 0x1f82829d, 0x89c9c940, 0xfa7d7d87,
- 0xeffafa15, 0xb25959eb, 0x8e4747c9, 0xfbf0f00b,
- 0x41adadec, 0xb3d4d467, 0x5fa2a2fd, 0x45afafea,
- 0x239c9cbf, 0x53a4a4f7, 0xe4727296, 0x9bc0c05b,
- 0x75b7b7c2, 0xe1fdfd1c, 0x3d9393ae, 0x4c26266a,
- 0x6c36365a, 0x7e3f3f41, 0xf5f7f702, 0x83cccc4f,
- 0x6834345c, 0x51a5a5f4, 0xd1e5e534, 0xf9f1f108,
- 0xe2717193, 0xabd8d873, 0x62313153, 0x2a15153f,
- 0x0804040c, 0x95c7c752, 0x46232365, 0x9dc3c35e,
- 0x30181828, 0x379696a1, 0x0a05050f, 0x2f9a9ab5,
- 0x0e070709, 0x24121236, 0x1b80809b, 0xdfe2e23d,
- 0xcdebeb26, 0x4e272769, 0x7fb2b2cd, 0xea75759f,
- 0x1209091b, 0x1d83839e, 0x582c2c74, 0x341a1a2e,
- 0x361b1b2d, 0xdc6e6eb2, 0xb45a5aee, 0x5ba0a0fb,
- 0xa45252f6, 0x763b3b4d, 0xb7d6d661, 0x7db3b3ce,
- 0x5229297b, 0xdde3e33e, 0x5e2f2f71, 0x13848497,
- 0xa65353f5, 0xb9d1d168, 0x00000000, 0xc1eded2c,
- 0x40202060, 0xe3fcfc1f, 0x79b1b1c8, 0xb65b5bed,
- 0xd46a6abe, 0x8dcbcb46, 0x67bebed9, 0x7239394b,
- 0x944a4ade, 0x984c4cd4, 0xb05858e8, 0x85cfcf4a,
- 0xbbd0d06b, 0xc5efef2a, 0x4faaaae5, 0xedfbfb16,
- 0x864343c5, 0x9a4d4dd7, 0x66333355, 0x11858594,
- 0x8a4545cf, 0xe9f9f910, 0x04020206, 0xfe7f7f81,
- 0xa05050f0, 0x783c3c44, 0x259f9fba, 0x4ba8a8e3,
- 0xa25151f3, 0x5da3a3fe, 0x804040c0, 0x058f8f8a,
- 0x3f9292ad, 0x219d9dbc, 0x70383848, 0xf1f5f504,
- 0x63bcbcdf, 0x77b6b6c1, 0xafdada75, 0x42212163,
- 0x20101030, 0xe5ffff1a, 0xfdf3f30e, 0xbfd2d26d,
- 0x81cdcd4c, 0x180c0c14, 0x26131335, 0xc3ecec2f,
- 0xbe5f5fe1, 0x359797a2, 0x884444cc, 0x2e171739,
- 0x93c4c457, 0x55a7a7f2, 0xfc7e7e82, 0x7a3d3d47,
- 0xc86464ac, 0xba5d5de7, 0x3219192b, 0xe6737395,
- 0xc06060a0, 0x19818198, 0x9e4f4fd1, 0xa3dcdc7f,
- 0x44222266, 0x542a2a7e, 0x3b9090ab, 0x0b888883,
- 0x8c4646ca, 0xc7eeee29, 0x6bb8b8d3, 0x2814143c,
- 0xa7dede79, 0xbc5e5ee2, 0x160b0b1d, 0xaddbdb76,
- 0xdbe0e03b, 0x64323256, 0x743a3a4e, 0x140a0a1e,
- 0x924949db, 0x0c06060a, 0x4824246c, 0xb85c5ce4,
- 0x9fc2c25d, 0xbdd3d36e, 0x43acacef, 0xc46262a6,
- 0x399191a8, 0x319595a4, 0xd3e4e437, 0xf279798b,
- 0xd5e7e732, 0x8bc8c843, 0x6e373759, 0xda6d6db7,
- 0x018d8d8c, 0xb1d5d564, 0x9c4e4ed2, 0x49a9a9e0,
- 0xd86c6cb4, 0xac5656fa, 0xf3f4f407, 0xcfeaea25,
- 0xca6565af, 0xf47a7a8e, 0x47aeaee9, 0x10080818,
- 0x6fbabad5, 0xf0787888, 0x4a25256f, 0x5c2e2e72,
- 0x381c1c24, 0x57a6a6f1, 0x73b4b4c7, 0x97c6c651,
- 0xcbe8e823, 0xa1dddd7c, 0xe874749c, 0x3e1f1f21,
- 0x964b4bdd, 0x61bdbddc, 0x0d8b8b86, 0x0f8a8a85,
- 0xe0707090, 0x7c3e3e42, 0x71b5b5c4, 0xcc6666aa,
- 0x904848d8, 0x06030305, 0xf7f6f601, 0x1c0e0e12,
- 0xc26161a3, 0x6a35355f, 0xae5757f9, 0x69b9b9d0,
- 0x17868691, 0x99c1c158, 0x3a1d1d27, 0x279e9eb9,
- 0xd9e1e138, 0xebf8f813, 0x2b9898b3, 0x22111133,
- 0xd26969bb, 0xa9d9d970, 0x078e8e89, 0x339494a7,
- 0x2d9b9bb6, 0x3c1e1e22, 0x15878792, 0xc9e9e920,
- 0x87cece49, 0xaa5555ff, 0x50282878, 0xa5dfdf7a,
- 0x038c8c8f, 0x59a1a1f8, 0x09898980, 0x1a0d0d17,
- 0x65bfbfda, 0xd7e6e631, 0x844242c6, 0xd06868b8,
- 0x824141c3, 0x299999b0, 0x5a2d2d77, 0x1e0f0f11,
- 0x7bb0b0cb, 0xa85454fc, 0x6dbbbbd6, 0x2c16163a
-};
-
-ALIGN(64) static unsigned int T1[256] = {
- 0xa5c66363, 0x84f87c7c, 0x99ee7777, 0x8df67b7b,
- 0x0dfff2f2, 0xbdd66b6b, 0xb1de6f6f, 0x5491c5c5,
- 0x50603030, 0x03020101, 0xa9ce6767, 0x7d562b2b,
- 0x19e7fefe, 0x62b5d7d7, 0xe64dabab, 0x9aec7676,
- 0x458fcaca, 0x9d1f8282, 0x4089c9c9, 0x87fa7d7d,
- 0x15effafa, 0xebb25959, 0xc98e4747, 0x0bfbf0f0,
- 0xec41adad, 0x67b3d4d4, 0xfd5fa2a2, 0xea45afaf,
- 0xbf239c9c, 0xf753a4a4, 0x96e47272, 0x5b9bc0c0,
- 0xc275b7b7, 0x1ce1fdfd, 0xae3d9393, 0x6a4c2626,
- 0x5a6c3636, 0x417e3f3f, 0x02f5f7f7, 0x4f83cccc,
- 0x5c683434, 0xf451a5a5, 0x34d1e5e5, 0x08f9f1f1,
- 0x93e27171, 0x73abd8d8, 0x53623131, 0x3f2a1515,
- 0x0c080404, 0x5295c7c7, 0x65462323, 0x5e9dc3c3,
- 0x28301818, 0xa1379696, 0x0f0a0505, 0xb52f9a9a,
- 0x090e0707, 0x36241212, 0x9b1b8080, 0x3ddfe2e2,
- 0x26cdebeb, 0x694e2727, 0xcd7fb2b2, 0x9fea7575,
- 0x1b120909, 0x9e1d8383, 0x74582c2c, 0x2e341a1a,
- 0x2d361b1b, 0xb2dc6e6e, 0xeeb45a5a, 0xfb5ba0a0,
- 0xf6a45252, 0x4d763b3b, 0x61b7d6d6, 0xce7db3b3,
- 0x7b522929, 0x3edde3e3, 0x715e2f2f, 0x97138484,
- 0xf5a65353, 0x68b9d1d1, 0x00000000, 0x2cc1eded,
- 0x60402020, 0x1fe3fcfc, 0xc879b1b1, 0xedb65b5b,
- 0xbed46a6a, 0x468dcbcb, 0xd967bebe, 0x4b723939,
- 0xde944a4a, 0xd4984c4c, 0xe8b05858, 0x4a85cfcf,
- 0x6bbbd0d0, 0x2ac5efef, 0xe54faaaa, 0x16edfbfb,
- 0xc5864343, 0xd79a4d4d, 0x55663333, 0x94118585,
- 0xcf8a4545, 0x10e9f9f9, 0x06040202, 0x81fe7f7f,
- 0xf0a05050, 0x44783c3c, 0xba259f9f, 0xe34ba8a8,
- 0xf3a25151, 0xfe5da3a3, 0xc0804040, 0x8a058f8f,
- 0xad3f9292, 0xbc219d9d, 0x48703838, 0x04f1f5f5,
- 0xdf63bcbc, 0xc177b6b6, 0x75afdada, 0x63422121,
- 0x30201010, 0x1ae5ffff, 0x0efdf3f3, 0x6dbfd2d2,
- 0x4c81cdcd, 0x14180c0c, 0x35261313, 0x2fc3ecec,
- 0xe1be5f5f, 0xa2359797, 0xcc884444, 0x392e1717,
- 0x5793c4c4, 0xf255a7a7, 0x82fc7e7e, 0x477a3d3d,
- 0xacc86464, 0xe7ba5d5d, 0x2b321919, 0x95e67373,
- 0xa0c06060, 0x98198181, 0xd19e4f4f, 0x7fa3dcdc,
- 0x66442222, 0x7e542a2a, 0xab3b9090, 0x830b8888,
- 0xca8c4646, 0x29c7eeee, 0xd36bb8b8, 0x3c281414,
- 0x79a7dede, 0xe2bc5e5e, 0x1d160b0b, 0x76addbdb,
- 0x3bdbe0e0, 0x56643232, 0x4e743a3a, 0x1e140a0a,
- 0xdb924949, 0x0a0c0606, 0x6c482424, 0xe4b85c5c,
- 0x5d9fc2c2, 0x6ebdd3d3, 0xef43acac, 0xa6c46262,
- 0xa8399191, 0xa4319595, 0x37d3e4e4, 0x8bf27979,
- 0x32d5e7e7, 0x438bc8c8, 0x596e3737, 0xb7da6d6d,
- 0x8c018d8d, 0x64b1d5d5, 0xd29c4e4e, 0xe049a9a9,
- 0xb4d86c6c, 0xfaac5656, 0x07f3f4f4, 0x25cfeaea,
- 0xafca6565, 0x8ef47a7a, 0xe947aeae, 0x18100808,
- 0xd56fbaba, 0x88f07878, 0x6f4a2525, 0x725c2e2e,
- 0x24381c1c, 0xf157a6a6, 0xc773b4b4, 0x5197c6c6,
- 0x23cbe8e8, 0x7ca1dddd, 0x9ce87474, 0x213e1f1f,
- 0xdd964b4b, 0xdc61bdbd, 0x860d8b8b, 0x850f8a8a,
- 0x90e07070, 0x427c3e3e, 0xc471b5b5, 0xaacc6666,
- 0xd8904848, 0x05060303, 0x01f7f6f6, 0x121c0e0e,
- 0xa3c26161, 0x5f6a3535, 0xf9ae5757, 0xd069b9b9,
- 0x91178686, 0x5899c1c1, 0x273a1d1d, 0xb9279e9e,
- 0x38d9e1e1, 0x13ebf8f8, 0xb32b9898, 0x33221111,
- 0xbbd26969, 0x70a9d9d9, 0x89078e8e, 0xa7339494,
- 0xb62d9b9b, 0x223c1e1e, 0x92158787, 0x20c9e9e9,
- 0x4987cece, 0xffaa5555, 0x78502828, 0x7aa5dfdf,
- 0x8f038c8c, 0xf859a1a1, 0x80098989, 0x171a0d0d,
- 0xda65bfbf, 0x31d7e6e6, 0xc6844242, 0xb8d06868,
- 0xc3824141, 0xb0299999, 0x775a2d2d, 0x111e0f0f,
- 0xcb7bb0b0, 0xfca85454, 0xd66dbbbb, 0x3a2c1616
-};
-
-ALIGN(64) static unsigned int T2[256] = {
- 0x63a5c663, 0x7c84f87c, 0x7799ee77, 0x7b8df67b,
- 0xf20dfff2, 0x6bbdd66b, 0x6fb1de6f, 0xc55491c5,
- 0x30506030, 0x01030201, 0x67a9ce67, 0x2b7d562b,
- 0xfe19e7fe, 0xd762b5d7, 0xabe64dab, 0x769aec76,
- 0xca458fca, 0x829d1f82, 0xc94089c9, 0x7d87fa7d,
- 0xfa15effa, 0x59ebb259, 0x47c98e47, 0xf00bfbf0,
- 0xadec41ad, 0xd467b3d4, 0xa2fd5fa2, 0xafea45af,
- 0x9cbf239c, 0xa4f753a4, 0x7296e472, 0xc05b9bc0,
- 0xb7c275b7, 0xfd1ce1fd, 0x93ae3d93, 0x266a4c26,
- 0x365a6c36, 0x3f417e3f, 0xf702f5f7, 0xcc4f83cc,
- 0x345c6834, 0xa5f451a5, 0xe534d1e5, 0xf108f9f1,
- 0x7193e271, 0xd873abd8, 0x31536231, 0x153f2a15,
- 0x040c0804, 0xc75295c7, 0x23654623, 0xc35e9dc3,
- 0x18283018, 0x96a13796, 0x050f0a05, 0x9ab52f9a,
- 0x07090e07, 0x12362412, 0x809b1b80, 0xe23ddfe2,
- 0xeb26cdeb, 0x27694e27, 0xb2cd7fb2, 0x759fea75,
- 0x091b1209, 0x839e1d83, 0x2c74582c, 0x1a2e341a,
- 0x1b2d361b, 0x6eb2dc6e, 0x5aeeb45a, 0xa0fb5ba0,
- 0x52f6a452, 0x3b4d763b, 0xd661b7d6, 0xb3ce7db3,
- 0x297b5229, 0xe33edde3, 0x2f715e2f, 0x84971384,
- 0x53f5a653, 0xd168b9d1, 0x00000000, 0xed2cc1ed,
- 0x20604020, 0xfc1fe3fc, 0xb1c879b1, 0x5bedb65b,
- 0x6abed46a, 0xcb468dcb, 0xbed967be, 0x394b7239,
- 0x4ade944a, 0x4cd4984c, 0x58e8b058, 0xcf4a85cf,
- 0xd06bbbd0, 0xef2ac5ef, 0xaae54faa, 0xfb16edfb,
- 0x43c58643, 0x4dd79a4d, 0x33556633, 0x85941185,
- 0x45cf8a45, 0xf910e9f9, 0x02060402, 0x7f81fe7f,
- 0x50f0a050, 0x3c44783c, 0x9fba259f, 0xa8e34ba8,
- 0x51f3a251, 0xa3fe5da3, 0x40c08040, 0x8f8a058f,
- 0x92ad3f92, 0x9dbc219d, 0x38487038, 0xf504f1f5,
- 0xbcdf63bc, 0xb6c177b6, 0xda75afda, 0x21634221,
- 0x10302010, 0xff1ae5ff, 0xf30efdf3, 0xd26dbfd2,
- 0xcd4c81cd, 0x0c14180c, 0x13352613, 0xec2fc3ec,
- 0x5fe1be5f, 0x97a23597, 0x44cc8844, 0x17392e17,
- 0xc45793c4, 0xa7f255a7, 0x7e82fc7e, 0x3d477a3d,
- 0x64acc864, 0x5de7ba5d, 0x192b3219, 0x7395e673,
- 0x60a0c060, 0x81981981, 0x4fd19e4f, 0xdc7fa3dc,
- 0x22664422, 0x2a7e542a, 0x90ab3b90, 0x88830b88,
- 0x46ca8c46, 0xee29c7ee, 0xb8d36bb8, 0x143c2814,
- 0xde79a7de, 0x5ee2bc5e, 0x0b1d160b, 0xdb76addb,
- 0xe03bdbe0, 0x32566432, 0x3a4e743a, 0x0a1e140a,
- 0x49db9249, 0x060a0c06, 0x246c4824, 0x5ce4b85c,
- 0xc25d9fc2, 0xd36ebdd3, 0xacef43ac, 0x62a6c462,
- 0x91a83991, 0x95a43195, 0xe437d3e4, 0x798bf279,
- 0xe732d5e7, 0xc8438bc8, 0x37596e37, 0x6db7da6d,
- 0x8d8c018d, 0xd564b1d5, 0x4ed29c4e, 0xa9e049a9,
- 0x6cb4d86c, 0x56faac56, 0xf407f3f4, 0xea25cfea,
- 0x65afca65, 0x7a8ef47a, 0xaee947ae, 0x08181008,
- 0xbad56fba, 0x7888f078, 0x256f4a25, 0x2e725c2e,
- 0x1c24381c, 0xa6f157a6, 0xb4c773b4, 0xc65197c6,
- 0xe823cbe8, 0xdd7ca1dd, 0x749ce874, 0x1f213e1f,
- 0x4bdd964b, 0xbddc61bd, 0x8b860d8b, 0x8a850f8a,
- 0x7090e070, 0x3e427c3e, 0xb5c471b5, 0x66aacc66,
- 0x48d89048, 0x03050603, 0xf601f7f6, 0x0e121c0e,
- 0x61a3c261, 0x355f6a35, 0x57f9ae57, 0xb9d069b9,
- 0x86911786, 0xc15899c1, 0x1d273a1d, 0x9eb9279e,
- 0xe138d9e1, 0xf813ebf8, 0x98b32b98, 0x11332211,
- 0x69bbd269, 0xd970a9d9, 0x8e89078e, 0x94a73394,
- 0x9bb62d9b, 0x1e223c1e, 0x87921587, 0xe920c9e9,
- 0xce4987ce, 0x55ffaa55, 0x28785028, 0xdf7aa5df,
- 0x8c8f038c, 0xa1f859a1, 0x89800989, 0x0d171a0d,
- 0xbfda65bf, 0xe631d7e6, 0x42c68442, 0x68b8d068,
- 0x41c38241, 0x99b02999, 0x2d775a2d, 0x0f111e0f,
- 0xb0cb7bb0, 0x54fca854, 0xbbd66dbb, 0x163a2c16
-};
-
-ALIGN(64) static unsigned int T3[256] = {
- 0x6363a5c6, 0x7c7c84f8, 0x777799ee, 0x7b7b8df6,
- 0xf2f20dff, 0x6b6bbdd6, 0x6f6fb1de, 0xc5c55491,
- 0x30305060, 0x01010302, 0x6767a9ce, 0x2b2b7d56,
- 0xfefe19e7, 0xd7d762b5, 0xababe64d, 0x76769aec,
- 0xcaca458f, 0x82829d1f, 0xc9c94089, 0x7d7d87fa,
- 0xfafa15ef, 0x5959ebb2, 0x4747c98e, 0xf0f00bfb,
- 0xadadec41, 0xd4d467b3, 0xa2a2fd5f, 0xafafea45,
- 0x9c9cbf23, 0xa4a4f753, 0x727296e4, 0xc0c05b9b,
- 0xb7b7c275, 0xfdfd1ce1, 0x9393ae3d, 0x26266a4c,
- 0x36365a6c, 0x3f3f417e, 0xf7f702f5, 0xcccc4f83,
- 0x34345c68, 0xa5a5f451, 0xe5e534d1, 0xf1f108f9,
- 0x717193e2, 0xd8d873ab, 0x31315362, 0x15153f2a,
- 0x04040c08, 0xc7c75295, 0x23236546, 0xc3c35e9d,
- 0x18182830, 0x9696a137, 0x05050f0a, 0x9a9ab52f,
- 0x0707090e, 0x12123624, 0x80809b1b, 0xe2e23ddf,
- 0xebeb26cd, 0x2727694e, 0xb2b2cd7f, 0x75759fea,
- 0x09091b12, 0x83839e1d, 0x2c2c7458, 0x1a1a2e34,
- 0x1b1b2d36, 0x6e6eb2dc, 0x5a5aeeb4, 0xa0a0fb5b,
- 0x5252f6a4, 0x3b3b4d76, 0xd6d661b7, 0xb3b3ce7d,
- 0x29297b52, 0xe3e33edd, 0x2f2f715e, 0x84849713,
- 0x5353f5a6, 0xd1d168b9, 0x00000000, 0xeded2cc1,
- 0x20206040, 0xfcfc1fe3, 0xb1b1c879, 0x5b5bedb6,
- 0x6a6abed4, 0xcbcb468d, 0xbebed967, 0x39394b72,
- 0x4a4ade94, 0x4c4cd498, 0x5858e8b0, 0xcfcf4a85,
- 0xd0d06bbb, 0xefef2ac5, 0xaaaae54f, 0xfbfb16ed,
- 0x4343c586, 0x4d4dd79a, 0x33335566, 0x85859411,
- 0x4545cf8a, 0xf9f910e9, 0x02020604, 0x7f7f81fe,
- 0x5050f0a0, 0x3c3c4478, 0x9f9fba25, 0xa8a8e34b,
- 0x5151f3a2, 0xa3a3fe5d, 0x4040c080, 0x8f8f8a05,
- 0x9292ad3f, 0x9d9dbc21, 0x38384870, 0xf5f504f1,
- 0xbcbcdf63, 0xb6b6c177, 0xdada75af, 0x21216342,
- 0x10103020, 0xffff1ae5, 0xf3f30efd, 0xd2d26dbf,
- 0xcdcd4c81, 0x0c0c1418, 0x13133526, 0xecec2fc3,
- 0x5f5fe1be, 0x9797a235, 0x4444cc88, 0x1717392e,
- 0xc4c45793, 0xa7a7f255, 0x7e7e82fc, 0x3d3d477a,
- 0x6464acc8, 0x5d5de7ba, 0x19192b32, 0x737395e6,
- 0x6060a0c0, 0x81819819, 0x4f4fd19e, 0xdcdc7fa3,
- 0x22226644, 0x2a2a7e54, 0x9090ab3b, 0x8888830b,
- 0x4646ca8c, 0xeeee29c7, 0xb8b8d36b, 0x14143c28,
- 0xdede79a7, 0x5e5ee2bc, 0x0b0b1d16, 0xdbdb76ad,
- 0xe0e03bdb, 0x32325664, 0x3a3a4e74, 0x0a0a1e14,
- 0x4949db92, 0x06060a0c, 0x24246c48, 0x5c5ce4b8,
- 0xc2c25d9f, 0xd3d36ebd, 0xacacef43, 0x6262a6c4,
- 0x9191a839, 0x9595a431, 0xe4e437d3, 0x79798bf2,
- 0xe7e732d5, 0xc8c8438b, 0x3737596e, 0x6d6db7da,
- 0x8d8d8c01, 0xd5d564b1, 0x4e4ed29c, 0xa9a9e049,
- 0x6c6cb4d8, 0x5656faac, 0xf4f407f3, 0xeaea25cf,
- 0x6565afca, 0x7a7a8ef4, 0xaeaee947, 0x08081810,
- 0xbabad56f, 0x787888f0, 0x25256f4a, 0x2e2e725c,
- 0x1c1c2438, 0xa6a6f157, 0xb4b4c773, 0xc6c65197,
- 0xe8e823cb, 0xdddd7ca1, 0x74749ce8, 0x1f1f213e,
- 0x4b4bdd96, 0xbdbddc61, 0x8b8b860d, 0x8a8a850f,
- 0x707090e0, 0x3e3e427c, 0xb5b5c471, 0x6666aacc,
- 0x4848d890, 0x03030506, 0xf6f601f7, 0x0e0e121c,
- 0x6161a3c2, 0x35355f6a, 0x5757f9ae, 0xb9b9d069,
- 0x86869117, 0xc1c15899, 0x1d1d273a, 0x9e9eb927,
- 0xe1e138d9, 0xf8f813eb, 0x9898b32b, 0x11113322,
- 0x6969bbd2, 0xd9d970a9, 0x8e8e8907, 0x9494a733,
- 0x9b9bb62d, 0x1e1e223c, 0x87879215, 0xe9e920c9,
- 0xcece4987, 0x5555ffaa, 0x28287850, 0xdfdf7aa5,
- 0x8c8c8f03, 0xa1a1f859, 0x89898009, 0x0d0d171a,
- 0xbfbfda65, 0xe6e631d7, 0x4242c684, 0x6868b8d0,
- 0x4141c382, 0x9999b029, 0x2d2d775a, 0x0f0f111e,
- 0xb0b0cb7b, 0x5454fca8, 0xbbbbd66d, 0x16163a2c
-};
-
-#endif
diff --git a/src/libsodium/crypto_stream/aes256estream/hongjun/aes-table-le.h b/src/libsodium/crypto_stream/aes256estream/hongjun/aes-table-le.h
deleted file mode 100644
index 9d61039..0000000
--- a/src/libsodium/crypto_stream/aes256estream/hongjun/aes-table-le.h
+++ /dev/null
@@ -1,274 +0,0 @@
-
-#ifndef __AES_TABLE_LE_H__
-#define __AES_TABLE_LE_H__
-
-ALIGN(64) static unsigned int T0[256] = {
- 0xa56363c6, 0x847c7cf8, 0x997777ee, 0x8d7b7bf6,
- 0x0df2f2ff, 0xbd6b6bd6, 0xb16f6fde, 0x54c5c591,
- 0x50303060, 0x03010102, 0xa96767ce, 0x7d2b2b56,
- 0x19fefee7, 0x62d7d7b5, 0xe6abab4d, 0x9a7676ec,
- 0x45caca8f, 0x9d82821f, 0x40c9c989, 0x877d7dfa,
- 0x15fafaef, 0xeb5959b2, 0xc947478e, 0x0bf0f0fb,
- 0xecadad41, 0x67d4d4b3, 0xfda2a25f, 0xeaafaf45,
- 0xbf9c9c23, 0xf7a4a453, 0x967272e4, 0x5bc0c09b,
- 0xc2b7b775, 0x1cfdfde1, 0xae93933d, 0x6a26264c,
- 0x5a36366c, 0x413f3f7e, 0x02f7f7f5, 0x4fcccc83,
- 0x5c343468, 0xf4a5a551, 0x34e5e5d1, 0x08f1f1f9,
- 0x937171e2, 0x73d8d8ab, 0x53313162, 0x3f15152a,
- 0x0c040408, 0x52c7c795, 0x65232346, 0x5ec3c39d,
- 0x28181830, 0xa1969637, 0x0f05050a, 0xb59a9a2f,
- 0x0907070e, 0x36121224, 0x9b80801b, 0x3de2e2df,
- 0x26ebebcd, 0x6927274e, 0xcdb2b27f, 0x9f7575ea,
- 0x1b090912, 0x9e83831d, 0x742c2c58, 0x2e1a1a34,
- 0x2d1b1b36, 0xb26e6edc, 0xee5a5ab4, 0xfba0a05b,
- 0xf65252a4, 0x4d3b3b76, 0x61d6d6b7, 0xceb3b37d,
- 0x7b292952, 0x3ee3e3dd, 0x712f2f5e, 0x97848413,
- 0xf55353a6, 0x68d1d1b9, 0x00000000, 0x2cededc1,
- 0x60202040, 0x1ffcfce3, 0xc8b1b179, 0xed5b5bb6,
- 0xbe6a6ad4, 0x46cbcb8d, 0xd9bebe67, 0x4b393972,
- 0xde4a4a94, 0xd44c4c98, 0xe85858b0, 0x4acfcf85,
- 0x6bd0d0bb, 0x2aefefc5, 0xe5aaaa4f, 0x16fbfbed,
- 0xc5434386, 0xd74d4d9a, 0x55333366, 0x94858511,
- 0xcf45458a, 0x10f9f9e9, 0x06020204, 0x817f7ffe,
- 0xf05050a0, 0x443c3c78, 0xba9f9f25, 0xe3a8a84b,
- 0xf35151a2, 0xfea3a35d, 0xc0404080, 0x8a8f8f05,
- 0xad92923f, 0xbc9d9d21, 0x48383870, 0x04f5f5f1,
- 0xdfbcbc63, 0xc1b6b677, 0x75dadaaf, 0x63212142,
- 0x30101020, 0x1affffe5, 0x0ef3f3fd, 0x6dd2d2bf,
- 0x4ccdcd81, 0x140c0c18, 0x35131326, 0x2fececc3,
- 0xe15f5fbe, 0xa2979735, 0xcc444488, 0x3917172e,
- 0x57c4c493, 0xf2a7a755, 0x827e7efc, 0x473d3d7a,
- 0xac6464c8, 0xe75d5dba, 0x2b191932, 0x957373e6,
- 0xa06060c0, 0x98818119, 0xd14f4f9e, 0x7fdcdca3,
- 0x66222244, 0x7e2a2a54, 0xab90903b, 0x8388880b,
- 0xca46468c, 0x29eeeec7, 0xd3b8b86b, 0x3c141428,
- 0x79dedea7, 0xe25e5ebc, 0x1d0b0b16, 0x76dbdbad,
- 0x3be0e0db, 0x56323264, 0x4e3a3a74, 0x1e0a0a14,
- 0xdb494992, 0x0a06060c, 0x6c242448, 0xe45c5cb8,
- 0x5dc2c29f, 0x6ed3d3bd, 0xefacac43, 0xa66262c4,
- 0xa8919139, 0xa4959531, 0x37e4e4d3, 0x8b7979f2,
- 0x32e7e7d5, 0x43c8c88b, 0x5937376e, 0xb76d6dda,
- 0x8c8d8d01, 0x64d5d5b1, 0xd24e4e9c, 0xe0a9a949,
- 0xb46c6cd8, 0xfa5656ac, 0x07f4f4f3, 0x25eaeacf,
- 0xaf6565ca, 0x8e7a7af4, 0xe9aeae47, 0x18080810,
- 0xd5baba6f, 0x887878f0, 0x6f25254a, 0x722e2e5c,
- 0x241c1c38, 0xf1a6a657, 0xc7b4b473, 0x51c6c697,
- 0x23e8e8cb, 0x7cdddda1, 0x9c7474e8, 0x211f1f3e,
- 0xdd4b4b96, 0xdcbdbd61, 0x868b8b0d, 0x858a8a0f,
- 0x907070e0, 0x423e3e7c, 0xc4b5b571, 0xaa6666cc,
- 0xd8484890, 0x05030306, 0x01f6f6f7, 0x120e0e1c,
- 0xa36161c2, 0x5f35356a, 0xf95757ae, 0xd0b9b969,
- 0x91868617, 0x58c1c199, 0x271d1d3a, 0xb99e9e27,
- 0x38e1e1d9, 0x13f8f8eb, 0xb398982b, 0x33111122,
- 0xbb6969d2, 0x70d9d9a9, 0x898e8e07, 0xa7949433,
- 0xb69b9b2d, 0x221e1e3c, 0x92878715, 0x20e9e9c9,
- 0x49cece87, 0xff5555aa, 0x78282850, 0x7adfdfa5,
- 0x8f8c8c03, 0xf8a1a159, 0x80898909, 0x170d0d1a,
- 0xdabfbf65, 0x31e6e6d7, 0xc6424284, 0xb86868d0,
- 0xc3414182, 0xb0999929, 0x772d2d5a, 0x110f0f1e,
- 0xcbb0b07b, 0xfc5454a8, 0xd6bbbb6d, 0x3a16162c
-};
-
-
-ALIGN(64) static unsigned int T1[256] = {
- 0x6363c6a5, 0x7c7cf884, 0x7777ee99, 0x7b7bf68d,
- 0xf2f2ff0d, 0x6b6bd6bd, 0x6f6fdeb1, 0xc5c59154,
- 0x30306050, 0x01010203, 0x6767cea9, 0x2b2b567d,
- 0xfefee719, 0xd7d7b562, 0xabab4de6, 0x7676ec9a,
- 0xcaca8f45, 0x82821f9d, 0xc9c98940, 0x7d7dfa87,
- 0xfafaef15, 0x5959b2eb, 0x47478ec9, 0xf0f0fb0b,
- 0xadad41ec, 0xd4d4b367, 0xa2a25ffd, 0xafaf45ea,
- 0x9c9c23bf, 0xa4a453f7, 0x7272e496, 0xc0c09b5b,
- 0xb7b775c2, 0xfdfde11c, 0x93933dae, 0x26264c6a,
- 0x36366c5a, 0x3f3f7e41, 0xf7f7f502, 0xcccc834f,
- 0x3434685c, 0xa5a551f4, 0xe5e5d134, 0xf1f1f908,
- 0x7171e293, 0xd8d8ab73, 0x31316253, 0x15152a3f,
- 0x0404080c, 0xc7c79552, 0x23234665, 0xc3c39d5e,
- 0x18183028, 0x969637a1, 0x05050a0f, 0x9a9a2fb5,
- 0x07070e09, 0x12122436, 0x80801b9b, 0xe2e2df3d,
- 0xebebcd26, 0x27274e69, 0xb2b27fcd, 0x7575ea9f,
- 0x0909121b, 0x83831d9e, 0x2c2c5874, 0x1a1a342e,
- 0x1b1b362d, 0x6e6edcb2, 0x5a5ab4ee, 0xa0a05bfb,
- 0x5252a4f6, 0x3b3b764d, 0xd6d6b761, 0xb3b37dce,
- 0x2929527b, 0xe3e3dd3e, 0x2f2f5e71, 0x84841397,
- 0x5353a6f5, 0xd1d1b968, 0x00000000, 0xededc12c,
- 0x20204060, 0xfcfce31f, 0xb1b179c8, 0x5b5bb6ed,
- 0x6a6ad4be, 0xcbcb8d46, 0xbebe67d9, 0x3939724b,
- 0x4a4a94de, 0x4c4c98d4, 0x5858b0e8, 0xcfcf854a,
- 0xd0d0bb6b, 0xefefc52a, 0xaaaa4fe5, 0xfbfbed16,
- 0x434386c5, 0x4d4d9ad7, 0x33336655, 0x85851194,
- 0x45458acf, 0xf9f9e910, 0x02020406, 0x7f7ffe81,
- 0x5050a0f0, 0x3c3c7844, 0x9f9f25ba, 0xa8a84be3,
- 0x5151a2f3, 0xa3a35dfe, 0x404080c0, 0x8f8f058a,
- 0x92923fad, 0x9d9d21bc, 0x38387048, 0xf5f5f104,
- 0xbcbc63df, 0xb6b677c1, 0xdadaaf75, 0x21214263,
- 0x10102030, 0xffffe51a, 0xf3f3fd0e, 0xd2d2bf6d,
- 0xcdcd814c, 0x0c0c1814, 0x13132635, 0xececc32f,
- 0x5f5fbee1, 0x979735a2, 0x444488cc, 0x17172e39,
- 0xc4c49357, 0xa7a755f2, 0x7e7efc82, 0x3d3d7a47,
- 0x6464c8ac, 0x5d5dbae7, 0x1919322b, 0x7373e695,
- 0x6060c0a0, 0x81811998, 0x4f4f9ed1, 0xdcdca37f,
- 0x22224466, 0x2a2a547e, 0x90903bab, 0x88880b83,
- 0x46468cca, 0xeeeec729, 0xb8b86bd3, 0x1414283c,
- 0xdedea779, 0x5e5ebce2, 0x0b0b161d, 0xdbdbad76,
- 0xe0e0db3b, 0x32326456, 0x3a3a744e, 0x0a0a141e,
- 0x494992db, 0x06060c0a, 0x2424486c, 0x5c5cb8e4,
- 0xc2c29f5d, 0xd3d3bd6e, 0xacac43ef, 0x6262c4a6,
- 0x919139a8, 0x959531a4, 0xe4e4d337, 0x7979f28b,
- 0xe7e7d532, 0xc8c88b43, 0x37376e59, 0x6d6ddab7,
- 0x8d8d018c, 0xd5d5b164, 0x4e4e9cd2, 0xa9a949e0,
- 0x6c6cd8b4, 0x5656acfa, 0xf4f4f307, 0xeaeacf25,
- 0x6565caaf, 0x7a7af48e, 0xaeae47e9, 0x08081018,
- 0xbaba6fd5, 0x7878f088, 0x25254a6f, 0x2e2e5c72,
- 0x1c1c3824, 0xa6a657f1, 0xb4b473c7, 0xc6c69751,
- 0xe8e8cb23, 0xdddda17c, 0x7474e89c, 0x1f1f3e21,
- 0x4b4b96dd, 0xbdbd61dc, 0x8b8b0d86, 0x8a8a0f85,
- 0x7070e090, 0x3e3e7c42, 0xb5b571c4, 0x6666ccaa,
- 0x484890d8, 0x03030605, 0xf6f6f701, 0x0e0e1c12,
- 0x6161c2a3, 0x35356a5f, 0x5757aef9, 0xb9b969d0,
- 0x86861791, 0xc1c19958, 0x1d1d3a27, 0x9e9e27b9,
- 0xe1e1d938, 0xf8f8eb13, 0x98982bb3, 0x11112233,
- 0x6969d2bb, 0xd9d9a970, 0x8e8e0789, 0x949433a7,
- 0x9b9b2db6, 0x1e1e3c22, 0x87871592, 0xe9e9c920,
- 0xcece8749, 0x5555aaff, 0x28285078, 0xdfdfa57a,
- 0x8c8c038f, 0xa1a159f8, 0x89890980, 0x0d0d1a17,
- 0xbfbf65da, 0xe6e6d731, 0x424284c6, 0x6868d0b8,
- 0x414182c3, 0x999929b0, 0x2d2d5a77, 0x0f0f1e11,
- 0xb0b07bcb, 0x5454a8fc, 0xbbbb6dd6, 0x16162c3a
-};
-
-ALIGN(64) static unsigned int T2[256] = {
- 0x63c6a563, 0x7cf8847c, 0x77ee9977, 0x7bf68d7b,
- 0xf2ff0df2, 0x6bd6bd6b, 0x6fdeb16f, 0xc59154c5,
- 0x30605030, 0x01020301, 0x67cea967, 0x2b567d2b,
- 0xfee719fe, 0xd7b562d7, 0xab4de6ab, 0x76ec9a76,
- 0xca8f45ca, 0x821f9d82, 0xc98940c9, 0x7dfa877d,
- 0xfaef15fa, 0x59b2eb59, 0x478ec947, 0xf0fb0bf0,
- 0xad41ecad, 0xd4b367d4, 0xa25ffda2, 0xaf45eaaf,
- 0x9c23bf9c, 0xa453f7a4, 0x72e49672, 0xc09b5bc0,
- 0xb775c2b7, 0xfde11cfd, 0x933dae93, 0x264c6a26,
- 0x366c5a36, 0x3f7e413f, 0xf7f502f7, 0xcc834fcc,
- 0x34685c34, 0xa551f4a5, 0xe5d134e5, 0xf1f908f1,
- 0x71e29371, 0xd8ab73d8, 0x31625331, 0x152a3f15,
- 0x04080c04, 0xc79552c7, 0x23466523, 0xc39d5ec3,
- 0x18302818, 0x9637a196, 0x050a0f05, 0x9a2fb59a,
- 0x070e0907, 0x12243612, 0x801b9b80, 0xe2df3de2,
- 0xebcd26eb, 0x274e6927, 0xb27fcdb2, 0x75ea9f75,
- 0x09121b09, 0x831d9e83, 0x2c58742c, 0x1a342e1a,
- 0x1b362d1b, 0x6edcb26e, 0x5ab4ee5a, 0xa05bfba0,
- 0x52a4f652, 0x3b764d3b, 0xd6b761d6, 0xb37dceb3,
- 0x29527b29, 0xe3dd3ee3, 0x2f5e712f, 0x84139784,
- 0x53a6f553, 0xd1b968d1, 0x00000000, 0xedc12ced,
- 0x20406020, 0xfce31ffc, 0xb179c8b1, 0x5bb6ed5b,
- 0x6ad4be6a, 0xcb8d46cb, 0xbe67d9be, 0x39724b39,
- 0x4a94de4a, 0x4c98d44c, 0x58b0e858, 0xcf854acf,
- 0xd0bb6bd0, 0xefc52aef, 0xaa4fe5aa, 0xfbed16fb,
- 0x4386c543, 0x4d9ad74d, 0x33665533, 0x85119485,
- 0x458acf45, 0xf9e910f9, 0x02040602, 0x7ffe817f,
- 0x50a0f050, 0x3c78443c, 0x9f25ba9f, 0xa84be3a8,
- 0x51a2f351, 0xa35dfea3, 0x4080c040, 0x8f058a8f,
- 0x923fad92, 0x9d21bc9d, 0x38704838, 0xf5f104f5,
- 0xbc63dfbc, 0xb677c1b6, 0xdaaf75da, 0x21426321,
- 0x10203010, 0xffe51aff, 0xf3fd0ef3, 0xd2bf6dd2,
- 0xcd814ccd, 0x0c18140c, 0x13263513, 0xecc32fec,
- 0x5fbee15f, 0x9735a297, 0x4488cc44, 0x172e3917,
- 0xc49357c4, 0xa755f2a7, 0x7efc827e, 0x3d7a473d,
- 0x64c8ac64, 0x5dbae75d, 0x19322b19, 0x73e69573,
- 0x60c0a060, 0x81199881, 0x4f9ed14f, 0xdca37fdc,
- 0x22446622, 0x2a547e2a, 0x903bab90, 0x880b8388,
- 0x468cca46, 0xeec729ee, 0xb86bd3b8, 0x14283c14,
- 0xdea779de, 0x5ebce25e, 0x0b161d0b, 0xdbad76db,
- 0xe0db3be0, 0x32645632, 0x3a744e3a, 0x0a141e0a,
- 0x4992db49, 0x060c0a06, 0x24486c24, 0x5cb8e45c,
- 0xc29f5dc2, 0xd3bd6ed3, 0xac43efac, 0x62c4a662,
- 0x9139a891, 0x9531a495, 0xe4d337e4, 0x79f28b79,
- 0xe7d532e7, 0xc88b43c8, 0x376e5937, 0x6ddab76d,
- 0x8d018c8d, 0xd5b164d5, 0x4e9cd24e, 0xa949e0a9,
- 0x6cd8b46c, 0x56acfa56, 0xf4f307f4, 0xeacf25ea,
- 0x65caaf65, 0x7af48e7a, 0xae47e9ae, 0x08101808,
- 0xba6fd5ba, 0x78f08878, 0x254a6f25, 0x2e5c722e,
- 0x1c38241c, 0xa657f1a6, 0xb473c7b4, 0xc69751c6,
- 0xe8cb23e8, 0xdda17cdd, 0x74e89c74, 0x1f3e211f,
- 0x4b96dd4b, 0xbd61dcbd, 0x8b0d868b, 0x8a0f858a,
- 0x70e09070, 0x3e7c423e, 0xb571c4b5, 0x66ccaa66,
- 0x4890d848, 0x03060503, 0xf6f701f6, 0x0e1c120e,
- 0x61c2a361, 0x356a5f35, 0x57aef957, 0xb969d0b9,
- 0x86179186, 0xc19958c1, 0x1d3a271d, 0x9e27b99e,
- 0xe1d938e1, 0xf8eb13f8, 0x982bb398, 0x11223311,
- 0x69d2bb69, 0xd9a970d9, 0x8e07898e, 0x9433a794,
- 0x9b2db69b, 0x1e3c221e, 0x87159287, 0xe9c920e9,
- 0xce8749ce, 0x55aaff55, 0x28507828, 0xdfa57adf,
- 0x8c038f8c, 0xa159f8a1, 0x89098089, 0x0d1a170d,
- 0xbf65dabf, 0xe6d731e6, 0x4284c642, 0x68d0b868,
- 0x4182c341, 0x9929b099, 0x2d5a772d, 0x0f1e110f,
- 0xb07bcbb0, 0x54a8fc54, 0xbb6dd6bb, 0x162c3a16
-};
-
-ALIGN(64) static unsigned int T3[256] = {
- 0xc6a56363, 0xf8847c7c, 0xee997777, 0xf68d7b7b,
- 0xff0df2f2, 0xd6bd6b6b, 0xdeb16f6f, 0x9154c5c5,
- 0x60503030, 0x02030101, 0xcea96767, 0x567d2b2b,
- 0xe719fefe, 0xb562d7d7, 0x4de6abab, 0xec9a7676,
- 0x8f45caca, 0x1f9d8282, 0x8940c9c9, 0xfa877d7d,
- 0xef15fafa, 0xb2eb5959, 0x8ec94747, 0xfb0bf0f0,
- 0x41ecadad, 0xb367d4d4, 0x5ffda2a2, 0x45eaafaf,
- 0x23bf9c9c, 0x53f7a4a4, 0xe4967272, 0x9b5bc0c0,
- 0x75c2b7b7, 0xe11cfdfd, 0x3dae9393, 0x4c6a2626,
- 0x6c5a3636, 0x7e413f3f, 0xf502f7f7, 0x834fcccc,
- 0x685c3434, 0x51f4a5a5, 0xd134e5e5, 0xf908f1f1,
- 0xe2937171, 0xab73d8d8, 0x62533131, 0x2a3f1515,
- 0x080c0404, 0x9552c7c7, 0x46652323, 0x9d5ec3c3,
- 0x30281818, 0x37a19696, 0x0a0f0505, 0x2fb59a9a,
- 0x0e090707, 0x24361212, 0x1b9b8080, 0xdf3de2e2,
- 0xcd26ebeb, 0x4e692727, 0x7fcdb2b2, 0xea9f7575,
- 0x121b0909, 0x1d9e8383, 0x58742c2c, 0x342e1a1a,
- 0x362d1b1b, 0xdcb26e6e, 0xb4ee5a5a, 0x5bfba0a0,
- 0xa4f65252, 0x764d3b3b, 0xb761d6d6, 0x7dceb3b3,
- 0x527b2929, 0xdd3ee3e3, 0x5e712f2f, 0x13978484,
- 0xa6f55353, 0xb968d1d1, 0x00000000, 0xc12ceded,
- 0x40602020, 0xe31ffcfc, 0x79c8b1b1, 0xb6ed5b5b,
- 0xd4be6a6a, 0x8d46cbcb, 0x67d9bebe, 0x724b3939,
- 0x94de4a4a, 0x98d44c4c, 0xb0e85858, 0x854acfcf,
- 0xbb6bd0d0, 0xc52aefef, 0x4fe5aaaa, 0xed16fbfb,
- 0x86c54343, 0x9ad74d4d, 0x66553333, 0x11948585,
- 0x8acf4545, 0xe910f9f9, 0x04060202, 0xfe817f7f,
- 0xa0f05050, 0x78443c3c, 0x25ba9f9f, 0x4be3a8a8,
- 0xa2f35151, 0x5dfea3a3, 0x80c04040, 0x058a8f8f,
- 0x3fad9292, 0x21bc9d9d, 0x70483838, 0xf104f5f5,
- 0x63dfbcbc, 0x77c1b6b6, 0xaf75dada, 0x42632121,
- 0x20301010, 0xe51affff, 0xfd0ef3f3, 0xbf6dd2d2,
- 0x814ccdcd, 0x18140c0c, 0x26351313, 0xc32fecec,
- 0xbee15f5f, 0x35a29797, 0x88cc4444, 0x2e391717,
- 0x9357c4c4, 0x55f2a7a7, 0xfc827e7e, 0x7a473d3d,
- 0xc8ac6464, 0xbae75d5d, 0x322b1919, 0xe6957373,
- 0xc0a06060, 0x19988181, 0x9ed14f4f, 0xa37fdcdc,
- 0x44662222, 0x547e2a2a, 0x3bab9090, 0x0b838888,
- 0x8cca4646, 0xc729eeee, 0x6bd3b8b8, 0x283c1414,
- 0xa779dede, 0xbce25e5e, 0x161d0b0b, 0xad76dbdb,
- 0xdb3be0e0, 0x64563232, 0x744e3a3a, 0x141e0a0a,
- 0x92db4949, 0x0c0a0606, 0x486c2424, 0xb8e45c5c,
- 0x9f5dc2c2, 0xbd6ed3d3, 0x43efacac, 0xc4a66262,
- 0x39a89191, 0x31a49595, 0xd337e4e4, 0xf28b7979,
- 0xd532e7e7, 0x8b43c8c8, 0x6e593737, 0xdab76d6d,
- 0x018c8d8d, 0xb164d5d5, 0x9cd24e4e, 0x49e0a9a9,
- 0xd8b46c6c, 0xacfa5656, 0xf307f4f4, 0xcf25eaea,
- 0xcaaf6565, 0xf48e7a7a, 0x47e9aeae, 0x10180808,
- 0x6fd5baba, 0xf0887878, 0x4a6f2525, 0x5c722e2e,
- 0x38241c1c, 0x57f1a6a6, 0x73c7b4b4, 0x9751c6c6,
- 0xcb23e8e8, 0xa17cdddd, 0xe89c7474, 0x3e211f1f,
- 0x96dd4b4b, 0x61dcbdbd, 0x0d868b8b, 0x0f858a8a,
- 0xe0907070, 0x7c423e3e, 0x71c4b5b5, 0xccaa6666,
- 0x90d84848, 0x06050303, 0xf701f6f6, 0x1c120e0e,
- 0xc2a36161, 0x6a5f3535, 0xaef95757, 0x69d0b9b9,
- 0x17918686, 0x9958c1c1, 0x3a271d1d, 0x27b99e9e,
- 0xd938e1e1, 0xeb13f8f8, 0x2bb39898, 0x22331111,
- 0xd2bb6969, 0xa970d9d9, 0x07898e8e, 0x33a79494,
- 0x2db69b9b, 0x3c221e1e, 0x15928787, 0xc920e9e9,
- 0x8749cece, 0xaaff5555, 0x50782828, 0xa57adfdf,
- 0x038f8c8c, 0x59f8a1a1, 0x09808989, 0x1a170d0d,
- 0x65dabfbf, 0xd731e6e6, 0x84c64242, 0xd0b86868,
- 0x82c34141, 0x29b09999, 0x5a772d2d, 0x1e110f0f,
- 0x7bcbb0b0, 0xa8fc5454, 0x6dd6bbbb, 0x2c3a1616
-};
-
-#endif
diff --git a/src/libsodium/crypto_stream/aes256estream/hongjun/aes-table.h b/src/libsodium/crypto_stream/aes256estream/hongjun/aes-table.h
deleted file mode 100644
index 89839e5..0000000
--- a/src/libsodium/crypto_stream/aes256estream/hongjun/aes-table.h
+++ /dev/null
@@ -1,62 +0,0 @@
-
-#ifndef __AES_TABLE_H__
-#define __AES_TABLE_H__
-
-#if defined(_MSC_VER)
-# define ALIGN(x) __declspec(align(x))
-#else
-# define ALIGN(x) __attribute__((aligned(x)))
-#endif
-
-#ifdef NATIVE_LITTLE_ENDIAN
-# include "aes-table-le.h"
-#elif defined(NATIVE_BIG_ENDIAN)
-# include "aes-table-be.h"
-#else
-# error Unsupported byte ordering
-#endif
-
-static const unsigned char Rcon[31] =
-{
- 0x0, 0x01, 0x02, 0x04, 0x08, 0x10, 0x20,
- 0x40, 0x80, 0x1b, 0x36, 0x6c, 0xc0,
- 0xab, 0x4d, 0x9a, 0x2f, 0x5e, 0xbc,
- 0x63, 0xc6, 0x97, 0x35, 0x6a, 0xd4,
- 0xb3, 0x7d, 0xfa, 0xef, 0xc5, 0x91
-};
-
-
-ALIGN(64) static const unsigned char Sbox[256] = {
- 0x63, 0x7c, 0x77, 0x7b, 0xf2, 0x6b, 0x6f, 0xc5,
- 0x30, 0x01, 0x67, 0x2b, 0xfe, 0xd7, 0xab, 0x76,
- 0xca, 0x82, 0xc9, 0x7d, 0xfa, 0x59, 0x47, 0xf0,
- 0xad, 0xd4, 0xa2, 0xaf, 0x9c, 0xa4, 0x72, 0xc0,
- 0xb7, 0xfd, 0x93, 0x26, 0x36, 0x3f, 0xf7, 0xcc,
- 0x34, 0xa5, 0xe5, 0xf1, 0x71, 0xd8, 0x31, 0x15,
- 0x04, 0xc7, 0x23, 0xc3, 0x18, 0x96, 0x05, 0x9a,
- 0x07, 0x12, 0x80, 0xe2, 0xeb, 0x27, 0xb2, 0x75,
- 0x09, 0x83, 0x2c, 0x1a, 0x1b, 0x6e, 0x5a, 0xa0,
- 0x52, 0x3b, 0xd6, 0xb3, 0x29, 0xe3, 0x2f, 0x84,
- 0x53, 0xd1, 0x00, 0xed, 0x20, 0xfc, 0xb1, 0x5b,
- 0x6a, 0xcb, 0xbe, 0x39, 0x4a, 0x4c, 0x58, 0xcf,
- 0xd0, 0xef, 0xaa, 0xfb, 0x43, 0x4d, 0x33, 0x85,
- 0x45, 0xf9, 0x02, 0x7f, 0x50, 0x3c, 0x9f, 0xa8,
- 0x51, 0xa3, 0x40, 0x8f, 0x92, 0x9d, 0x38, 0xf5,
- 0xbc, 0xb6, 0xda, 0x21, 0x10, 0xff, 0xf3, 0xd2,
- 0xcd, 0x0c, 0x13, 0xec, 0x5f, 0x97, 0x44, 0x17,
- 0xc4, 0xa7, 0x7e, 0x3d, 0x64, 0x5d, 0x19, 0x73,
- 0x60, 0x81, 0x4f, 0xdc, 0x22, 0x2a, 0x90, 0x88,
- 0x46, 0xee, 0xb8, 0x14, 0xde, 0x5e, 0x0b, 0xdb,
- 0xe0, 0x32, 0x3a, 0x0a, 0x49, 0x06, 0x24, 0x5c,
- 0xc2, 0xd3, 0xac, 0x62, 0x91, 0x95, 0xe4, 0x79,
- 0xe7, 0xc8, 0x37, 0x6d, 0x8d, 0xd5, 0x4e, 0xa9,
- 0x6c, 0x56, 0xf4, 0xea, 0x65, 0x7a, 0xae, 0x08,
- 0xba, 0x78, 0x25, 0x2e, 0x1c, 0xa6, 0xb4, 0xc6,
- 0xe8, 0xdd, 0x74, 0x1f, 0x4b, 0xbd, 0x8b, 0x8a,
- 0x70, 0x3e, 0xb5, 0x66, 0x48, 0x03, 0xf6, 0x0e,
- 0x61, 0x35, 0x57, 0xb9, 0x86, 0xc1, 0x1d, 0x9e,
- 0xe1, 0xf8, 0x98, 0x11, 0x69, 0xd9, 0x8e, 0x94,
- 0x9b, 0x1e, 0x87, 0xe9, 0xce, 0x55, 0x28, 0xdf,
- 0x8c, 0xa1, 0x89, 0x0d, 0xbf, 0xe6, 0x42, 0x68,
- 0x41, 0x99, 0x2d, 0x0f, 0xb0, 0x54, 0xbb, 0x16};
-#endif
diff --git a/src/libsodium/crypto_stream/aes256estream/hongjun/aes256-ctr.c b/src/libsodium/crypto_stream/aes256estream/hongjun/aes256-ctr.c
deleted file mode 100644
index c35e310..0000000
--- a/src/libsodium/crypto_stream/aes256estream/hongjun/aes256-ctr.c
+++ /dev/null
@@ -1,239 +0,0 @@
-/* aes-ctr.c */
-/* AES in CTR mode. */
-
-/* Hongjun Wu, January 2007*/
-
-
-/* ------------------------------------------------------------------------- */
-
-#include "api.h"
-#include "aes256.h"
-
-#include <string.h>
-
-/* ------------------------------------------------------------------------- */
-/* key setup for AES-256*/
-static void
-ECRYPT_keysetup(ECRYPT_ctx* ctx, const u8* key, u32 keysize, u32 ivsize)
-{
- unsigned int w[Nk*(Nr+1)], temp;
- int i, j;
-
- (void) keysize;
- (void) ivsize;
- (void) sizeof(char[sizeof *ctx == crypto_stream_BEFORENMBYTES ? 1 : -1]);
-
- for( i = 0; i < Nk; i++ ) {
- w[i] = key[(i << 2)];
- w[i] |= key[(i << 2)+1] << 8;
- w[i] |= key[(i << 2)+2] << 16;
- w[i] |= (unsigned int) key[(i << 2)+3] << 24;
- }
-
- i = Nk;
-
- while( i < Nb*(Nr+1) ) {
- temp = w[i-1];
-
- temp = (unsigned int) Sbox[temp & 0xFF] << 24 ^
- Sbox[(temp >> 8) & 0xFF] ^
- (Sbox[(temp >> 16) & 0xFF] << 8 ) ^
- (Sbox[(temp >> 24) & 0xFF] << 16) ^
- Rcon[i/Nk];
- w[i] = w[i-Nk] ^ temp;
- i++;
-
- temp = w[i-1];
- w[i] = w[i-Nk] ^ temp;
- i++;
-
- temp = w[i-1];
- w[i] = w[i-Nk] ^ temp;
- i++;
-
- temp = w[i-1];
- w[i] = w[i-Nk] ^ temp;
- i++;
-
- temp = w[i-1];
- temp = Sbox[temp & 0xFF] ^
- Sbox[(temp >> 8) & 0xFF] << 8 ^
- (Sbox[(temp >> 16) & 0xFF] << 16) ^
- ((unsigned int) Sbox[(temp >> 24) & 0xFF] << 24);
- w[i] = w[i-Nk] ^ temp;
- i++;
-
- temp = w[i-1];
- w[i] = w[i-Nk] ^ temp;
- i++;
-
- temp = w[i-1];
- w[i] = w[i-Nk] ^ temp;
- i++;
-
- temp = w[i-1];
- w[i] = w[i-Nk] ^ temp;
- i++;
- }
-
- for (i = 0; i <= Nr; i++) {
- for (j = 0; j < Nb; j++) {
- ctx->round_key[i][j] = SWP32(w[(i<<2)+j]);
- }
- }
-}
-
-/* ------------------------------------------------------------------------- */
-
-static void
-ECRYPT_ivsetup(ECRYPT_ctx* ctx, const u8* iv)
-{
- (void) sizeof(char[(sizeof ctx->counter) == crypto_stream_NONCEBYTES ? 1 : -1]);
- memcpy(ctx->counter, iv, crypto_stream_NONCEBYTES);
-}
-
-/* ------------------------------------------------------------------------- */
-
-/*compute the intermediate values for the first two rounds*/
-static void
-partial_precompute_tworounds(ECRYPT_ctx* ctx)
-{
- u32 x0,x1,x2,x3,y0,y1,y2,y3;
-
- x0 = ctx->counter[0] ^ ctx->round_key[0][0];
- x1 = ctx->counter[1] ^ ctx->round_key[0][1];
- x2 = ctx->counter[2] ^ ctx->round_key[0][2];
- x3 = ctx->counter[3] ^ ctx->round_key[0][3];
- x0 &= SWP32(0xffffff00);
- round(ctx,x0,x1,x2,x3,y0,y1,y2,y3,1);
- ctx->first_round_output_x0 = y0 ^ T0[0];
- y0 = 0;
- round(ctx,y0,y1,y2,y3,x0,x1,x2,x3,2);
- ctx->second_round_output[0] = x0 ^ T0[0];
- ctx->second_round_output[1] = x1 ^ T3[0];
- ctx->second_round_output[2] = x2 ^ T2[0];
- ctx->second_round_output[3] = x3 ^ T1[0];
-}
-
-/* ------------------------------------------------------------------------- */
-
-#ifndef CPU_ALIGNED_ACCESS_REQUIRED
-# define UNALIGNED_U32_READ(P, I) (((const u32 *)(const void *) (P))[(I)])
-#else
-static inline uint32_t
-UNALIGNED_U32_READ(const u8 * const p, const size_t i)
-{
- uint32_t t;
- (void) sizeof(int[sizeof(*p) == sizeof(char) ? 1 : -1]);
- memcpy(&t, p + i * (sizeof t / sizeof *p), sizeof t);
- return t;
-}
-#endif
-
-/* ------------------------------------------------------------------------- */
-
-static void
-ECRYPT_process_bytes(int action, ECRYPT_ctx* ctx, const u8* input, u8* output,
- u32 msglen)
-{
- __attribute__((aligned(32))) u8 keystream[16];
- u32 i;
-
- (void) action;
- memset(keystream, 0, sizeof keystream);
- partial_precompute_tworounds(ctx);
-
- for ( ; msglen >= 16; msglen -= 16, input += 16, output += 16) {
- aes256_enc_block(ctx->counter, keystream, ctx);
-
- ((u32*)output)[0] = UNALIGNED_U32_READ(input, 0) ^ ((u32*)keystream)[0] ^ ctx->round_key[Nr][0];
- ((u32*)output)[1] = UNALIGNED_U32_READ(input, 1) ^ ((u32*)keystream)[1] ^ ctx->round_key[Nr][1];
- ((u32*)output)[2] = UNALIGNED_U32_READ(input, 2) ^ ((u32*)keystream)[2] ^ ctx->round_key[Nr][2];
- ((u32*)output)[3] = UNALIGNED_U32_READ(input, 3) ^ ((u32*)keystream)[3] ^ ctx->round_key[Nr][3];
-
- ctx->counter[0] = SWP32(SWP32(ctx->counter[0]) + 1);
-
- if ((ctx->counter[0] & SWP32(0xff))== 0) {
- partial_precompute_tworounds(ctx);
- }
- }
-
- if (msglen > 0) {
- aes256_enc_block(ctx->counter, keystream, ctx);
- ((u32*)keystream)[0] ^= ctx->round_key[Nr][0];
- ((u32*)keystream)[1] ^= ctx->round_key[Nr][1];
- ((u32*)keystream)[2] ^= ctx->round_key[Nr][2];
- ((u32*)keystream)[3] ^= ctx->round_key[Nr][3];
-
- for (i = 0; i < msglen; i ++) {
- output[i] = input[i] ^ keystream[i];
- }
- }
-}
-
-/* ------------------------------------------------------------------------- */
-
-#include "ecrypt-sync.h"
-
-int
-crypto_stream_beforenm(unsigned char *c, const unsigned char *k)
-{
- ECRYPT_ctx * const ctx = (ECRYPT_ctx *) c;
-
- ECRYPT_keysetup(ctx, k, crypto_stream_KEYBYTES * 8,
- crypto_stream_NONCEBYTES * 8);
- return 0;
-}
-
-int
-crypto_stream_afternm(unsigned char *out, unsigned long long len,
- const unsigned char *nonce, const unsigned char *c)
-{
- ECRYPT_ctx * const ctx = (ECRYPT_ctx *) c;
- unsigned long long i;
-
- ECRYPT_ivsetup(ctx, nonce);
- for (i = 0U; i < len; ++i) {
- out[i] = 0U;
- }
- ECRYPT_encrypt_bytes(ctx, (u8 *) out, (u8 *) out, len);
-
- return 0;
-}
-
-int
-crypto_stream_xor_afternm(unsigned char *out, const unsigned char *in,
- unsigned long long len, const unsigned char *nonce,
- const unsigned char *c)
-{
- ECRYPT_ctx * const ctx = (ECRYPT_ctx *) c;
-
- ECRYPT_ivsetup(ctx, nonce);
- ECRYPT_encrypt_bytes(ctx, (const u8 *) in, (u8 *) out, len);
-
- return 0;
-}
-
-int
-crypto_stream(unsigned char *out, unsigned long long outlen,
- const unsigned char *n, const unsigned char *k)
-{
- unsigned char d[crypto_stream_BEFORENMBYTES];
-
- crypto_stream_beforenm(d, k);
- crypto_stream_afternm(out, outlen, n, d);
-
- return 0;
-}
-
-int crypto_stream_xor(unsigned char *out, const unsigned char *in,
- unsigned long long inlen, const unsigned char *n,
- const unsigned char *k)
-{
- unsigned char d[crypto_stream_BEFORENMBYTES];
-
- crypto_stream_beforenm(d, k);
- crypto_stream_xor_afternm(out, in, inlen, n, d);
-
- return 0;
-}
diff --git a/src/libsodium/crypto_stream/aes256estream/hongjun/aes256.h b/src/libsodium/crypto_stream/aes256estream/hongjun/aes256.h
deleted file mode 100644
index d562b1d..0000000
--- a/src/libsodium/crypto_stream/aes256estream/hongjun/aes256.h
+++ /dev/null
@@ -1,171 +0,0 @@
-/* aes256.h */
-/* Hongjun Wu, January 2007*/
-
-
-#include "ecrypt-sync.h"
-#include "aes-table.h"
-
-#include <stdio.h>
-
-#ifdef NATIVE_LITTLE_ENDIAN
-# define LEROT(X, S) ((uint8_t) ((uint32_t)(X) >> (S)))
-# define SWP32(X) (X)
-#elif defined(NATIVE_BIG_ENDIAN)
-# define LEROT(X, S) ((uint8_t) ((uint32_t)(X) >> (24 - (S))))
-# define SWP32(X) ((uint32_t)((((uint32_t)(X) & 0xff000000) >> 24) | \
- (((uint32_t)(X) & 0x00ff0000) >> 8) | \
- (((uint32_t)(X) & 0x0000ff00) << 8) | \
- (((uint32_t)(X) & 0x000000ff) << 24)))
-#else
-# error Unsupported byte ordering
-#endif
-
-#define first_round(ctx,x0,y0) { \
- u32 z0,t0,tem0; \
- z0 = (x0) ^ ctx->round_key[0][0]; \
- t0 = LEROT(z0, 0); \
- tem0 = T0[t0]; \
- (y0) = tem0 ^ ctx->first_round_output_x0; \
-}
-
-#define second_round(ctx,x0,y0,y1,y2,y3) { \
- u32 t0,t7,t10,t13; \
- u32 tem0,tem7,tem10,tem13; \
- t0 = LEROT(x0, 0); \
- tem0 = T0[t0]; \
- (y0) = tem0 ^ ctx->second_round_output[0]; \
- t7 = LEROT(x0, 24); \
- tem7 = T3[t7]; \
- (y1) = tem7 ^ ctx->second_round_output[1]; \
- t10 = LEROT(x0, 16); \
- tem10 = T2[t10]; \
- (y2) = tem10 ^ ctx->second_round_output[2]; \
- t13 = LEROT(x0, 8); \
- tem13 = T1[t13];\
- (y3) = tem13 ^ ctx->second_round_output[3]; \
-}
-
-#define round(ctx,x0,x1,x2,x3,y0,y1,y2,y3,r) { \
- u32 t0,t1,t2,t3; \
- u32 t4,t5,t6,t7; \
- u32 t8,t9,t10,t11; \
- u32 t12,t13,t14,t15;\
- u32 tem0,tem1,tem2,tem3; \
- u32 tem4,tem5,tem6,tem7; \
- u32 tem8,tem9,tem10,tem11; \
- u32 tem12,tem13,tem14,tem15;\
- \
- t0 = LEROT(x0, 0); \
- tem0 = T0[t0]; \
- t1 = LEROT(x1, 8); \
- tem1 = tem0 ^ T1[t1]; \
- t2 = LEROT(x2, 16); \
- tem2 = tem1 ^ T2[t2]; \
- t3 = LEROT(x3, 24); \
- tem3 = tem2 ^ T3[t3]; \
- (y0) = tem3 ^ ctx->round_key[r][0]; \
- \
- t4 = LEROT(x1, 0); \
- tem4 = T0[t4]; \
- t5 = LEROT(x2, 8); \
- tem5 = tem4 ^ T1[t5]; \
- t6 = LEROT(x3, 16); \
- tem6 = tem5 ^ T2[t6]; \
- t7 = LEROT(x0, 24); \
- tem7 = tem6 ^ T3[t7]; \
- (y1) = tem7 ^ ctx->round_key[r][1]; \
- \
- t8 = LEROT(x2, 0); \
- tem8 = T0[t8]; \
- t9 = LEROT(x3, 8); \
- tem9 = tem8 ^ T1[t9]; \
- t10 = LEROT(x0, 16); \
- tem10 = tem9 ^ T2[t10]; \
- t11 = LEROT(x1, 24); \
- tem11 = tem10 ^ T3[t11];\
- (y2) = tem11 ^ ctx->round_key[r][2]; \
- \
- t12 = LEROT(x3, 0); \
- tem12 = T0[t12]; \
- t13 = LEROT(x0, 8); \
- tem13 = tem12 ^ T1[t13];\
- t14 = LEROT(x1, 16); \
- tem14 = tem13 ^ T2[t14];\
- t15 = LEROT(x2, 24); \
- tem15 = tem14 ^ T3[t15];\
- (y3) = tem15 ^ ctx->round_key[r][3]; \
-}
-
-/* 22.14 cycles/byte*/
-#define last_round(ctx,x0,x1,x2,x3,output,r) { \
- u32 t0,t1,t2,t3; \
- u32 t4,t5,t6,t7; \
- u32 t8,t9,t10,t11; \
- u32 t12,t13,t14,t15;\
- \
- t0 = LEROT(x0, 0); \
- output[0] = Sbox[t0]; \
- t7 = LEROT(x0, 24); \
- output[7] = Sbox[t7]; \
- t10 = LEROT(x0, 16); \
- output[10] = Sbox[t10]; \
- t13 = LEROT(x0, 8); \
- output[13] = Sbox[t13]; \
- \
- t1 = LEROT(x1, 8); \
- output[1] = Sbox[t1]; \
- t4 = LEROT(x1, 0); \
- output[4] = Sbox[t4]; \
- t11 = LEROT(x1, 24); \
- output[11] = Sbox[t11]; \
- t14 = LEROT(x1, 16); \
- output[14] = Sbox[t14]; \
- \
- t2 = LEROT(x2, 16); \
- output[2] = Sbox[t2]; \
- t5 = LEROT(x2, 8); \
- output[5] = Sbox[t5]; \
- t8 = LEROT(x2, 0); \
- output[8] = Sbox[t8]; \
- t15 = LEROT(x2, 24); \
- output[15] = Sbox[t15]; \
- \
- t3 = LEROT(x3, 24); \
- output[3] = Sbox[t3]; \
- t6 = LEROT(x3, 16); \
- output[6] = Sbox[t6]; \
- t9 = LEROT(x3, 8); \
- output[9] = Sbox[t9]; \
- t12 = LEROT(x3, 0); \
- output[12] = Sbox[t12]; \
-}
-
-#define aes256_enc_block(x,output,ctx) {\
- u32 y0;\
- u32 z0,z1,z2,z3;\
- u32 a0,a1,a2,a3;\
- u32 b0,b1,b2,b3;\
- u32 c0,c1,c2,c3;\
- u32 d0,d1,d2,d3;\
- u32 e0,e1,e2,e3;\
- u32 f0,f1,f2,f3;\
- u32 g0,g1,g2,g3;\
- u32 h0,h1,h2,h3;\
- u32 i0,i1,i2,i3;\
- u32 j0,j1,j2,j3;\
- u32 k0,k1,k2,k3;\
- first_round(ctx,x[0],y0);\
- second_round(ctx,y0,z0,z1,z2,z3);\
- round(ctx,z0,z1,z2,z3,a0,a1,a2,a3,3);\
- round(ctx,a0,a1,a2,a3,b0,b1,b2,b3,4);\
- round(ctx,b0,b1,b2,b3,c0,c1,c2,c3,5);\
- round(ctx,c0,c1,c2,c3,d0,d1,d2,d3,6);\
- round(ctx,d0,d1,d2,d3,e0,e1,e2,e3,7);\
- round(ctx,e0,e1,e2,e3,f0,f1,f2,f3,8);\
- round(ctx,f0,f1,f2,f3,g0,g1,g2,g3,9);\
- round(ctx,g0,g1,g2,g3,h0,h1,h2,h3,10);\
- round(ctx,h0,h1,h2,h3,i0,i1,i2,i3,11);\
- round(ctx,i0,i1,i2,i3,j0,j1,j2,j3,12);\
- round(ctx,j0,j1,j2,j3,k0,k1,k2,k3,13);\
- last_round(ctx,k0,k1,k2,k3,(output),14);\
-}
diff --git a/src/libsodium/crypto_stream/aes256estream/hongjun/api.h b/src/libsodium/crypto_stream/aes256estream/hongjun/api.h
deleted file mode 100644
index 017babe..0000000
--- a/src/libsodium/crypto_stream/aes256estream/hongjun/api.h
+++ /dev/null
@@ -1,13 +0,0 @@
-
-#include "crypto_stream_aes256estream.h"
-
-#define crypto_stream crypto_stream_aes256estream
-#define crypto_stream_xor crypto_stream_aes256estream_xor
-#define crypto_stream_beforenm crypto_stream_aes256estream_beforenm
-#define crypto_stream_afternm crypto_stream_aes256estream_afternm
-#define crypto_stream_xor_afternm crypto_stream_aes256estream_xor_afternm
-#define crypto_stream_KEYBYTES crypto_stream_aes256estream_KEYBYTES
-#define crypto_stream_NONCEBYTES crypto_stream_aes256estream_NONCEBYTES
-#define crypto_stream_BEFORENMBYTES crypto_stream_aes256estream_BEFORENMBYTES
-#define crypto_stream_IMPLEMENTATION crypto_stream_aes256estream_IMPLEMENTATION
-#define crypto_stream_VERSION crypto_stream_aes256estream_VERSION
diff --git a/src/libsodium/crypto_stream/aes256estream/hongjun/ecrypt-sync.h b/src/libsodium/crypto_stream/aes256estream/hongjun/ecrypt-sync.h
deleted file mode 100644
index 23f2aee..0000000
--- a/src/libsodium/crypto_stream/aes256estream/hongjun/ecrypt-sync.h
+++ /dev/null
@@ -1,27 +0,0 @@
-
-#ifndef __ECRYPT_SYNC__
-#define __ECRYPT_SYNC__
-
-#include <stdint.h>
-
-typedef uint8_t u8;
-typedef uint32_t u32;
-
-#define Nr 14
-#define Nk 8
-#define Nb 4
-
-#pragma pack(push, 1)
-typedef struct ECRYPT_ctx
-{
- u32 round_key[Nr+1][4];
- u32 counter[4];
- u32 first_round_output_x0;
- u32 second_round_output[4];
-} ECRYPT_ctx;
-#pragma pack(pop)
-
-#define ECRYPT_encrypt_bytes(ctx, plaintext, ciphertext, msglen) \
- ECRYPT_process_bytes(0, ctx, plaintext, ciphertext, msglen)
-
-#endif
diff --git a/src/libsodium/crypto_stream/aes256estream/stream_aes256estream_api.c b/src/libsodium/crypto_stream/aes256estream/stream_aes256estream_api.c
deleted file mode 100644
index 2d3d1cb..0000000
--- a/src/libsodium/crypto_stream/aes256estream/stream_aes256estream_api.c
+++ /dev/null
@@ -1,16 +0,0 @@
-#include "crypto_stream_aes256estream.h"
-
-size_t
-crypto_stream_aes256estream_keybytes(void) {
- return crypto_stream_aes256estream_KEYBYTES;
-}
-
-size_t
-crypto_stream_aes256estream_noncebytes(void) {
- return crypto_stream_aes256estream_NONCEBYTES;
-}
-
-size_t
-crypto_stream_aes256estream_beforenmbytes(void) {
- return crypto_stream_aes256estream_BEFORENMBYTES;
-}
diff --git a/src/libsodium/crypto_stream/chacha20/ref/stream_chacha20_ref.c b/src/libsodium/crypto_stream/chacha20/ref/stream_chacha20_ref.c
index 7c7d1a5..d6d943e 100644
--- a/src/libsodium/crypto_stream/chacha20/ref/stream_chacha20_ref.c
+++ b/src/libsodium/crypto_stream/chacha20/ref/stream_chacha20_ref.c
@@ -101,7 +101,7 @@ chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, unsigned long long bytes
unsigned long long i;
if (!bytes) {
- return;
+ return; /* LCOV_EXCL_LINE */
}
j0 = x->input[0];
j1 = x->input[1];
@@ -190,10 +190,11 @@ chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, unsigned long long bytes
x15 = XOR(x15, U8TO32_LITTLE(m + 60));
j12 = PLUSONE(j12);
+ /* LCOV_EXCL_START */
if (!j12) {
j13 = PLUSONE(j13);
- /* stopping at 2^70 bytes per nonce is user's responsibility */
}
+ /* LCOV_EXCL_STOP */
U32TO8_LITTLE(c + 0, x0);
U32TO8_LITTLE(c + 4, x1);
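Review bot: Dropping `/* stopping at 2^70 bytes per nonce is user's responsibility */` from the `if (!j12)` branch removes the only statement in this hunk that the block counter may carry into `j13` with no limit check. The LCOV markers explain why the branch is uncovered, not what the caller has to guarantee. I would keep the comment, placed just above `/* LCOV_EXCL_START */`, so the keystream-reuse constraint stays documented next to the carry. chacha_encrypt_bytes starts and ends outside the hunk.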
diff --git a/src/libsodium/crypto_stream/try.c b/src/libsodium/crypto_stream/try.c
deleted file mode 100644
index 61bf8ab..0000000
--- a/src/libsodium/crypto_stream/try.c
+++ /dev/null
@@ -1,122 +0,0 @@
-/*
- * crypto_stream/try.c version 20090118
- * D. J. Bernstein
- * Public domain.
- */
-
-#include <stdlib.h>
-#include "crypto_stream.h"
-#include "utils.h"
-#include "windows/windows-quirks.h"
-
-extern unsigned char *alignedcalloc(unsigned long long);
-
-const char *primitiveimplementation = crypto_stream_IMPLEMENTATION;
-
-#define MAXTEST_BYTES 10000
-#define CHECKSUM_BYTES 4096
-#define TUNE_BYTES 1536
-
-static unsigned char *k;
-static unsigned char *n;
-static unsigned char *m;
-static unsigned char *c;
-static unsigned char *s;
-static unsigned char *k2;
-static unsigned char *n2;
-static unsigned char *m2;
-static unsigned char *c2;
-static unsigned char *s2;
-
-void preallocate(void)
-{
-}
-
-void allocate(void)
-{
- k = alignedcalloc(crypto_stream_KEYBYTES);
- n = alignedcalloc(crypto_stream_NONCEBYTES);
- m = alignedcalloc(MAXTEST_BYTES);
- c = alignedcalloc(MAXTEST_BYTES);
- s = alignedcalloc(MAXTEST_BYTES);
- k2 = alignedcalloc(crypto_stream_KEYBYTES);
- n2 = alignedcalloc(crypto_stream_NONCEBYTES);
- m2 = alignedcalloc(MAXTEST_BYTES);
- c2 = alignedcalloc(MAXTEST_BYTES);
- s2 = alignedcalloc(MAXTEST_BYTES);
-}
-
-void predoit(void)
-{
-}
-
-void doit(void)
-{
- crypto_stream_xor(c,m,TUNE_BYTES,n,k);
-}
-
-char checksum[crypto_stream_KEYBYTES * 2 + 1];
-
-const char *checksum_compute(void)
-{
- long long i;
- long long j;
-
- for (i = 0;i < CHECKSUM_BYTES;++i) {
- long long mlen = i;
- long long clen = i;
- long long slen = i;
- long long klen = crypto_stream_KEYBYTES;
- long long nlen = crypto_stream_NONCEBYTES;
- for (j = -16;j < 0;++j) m[j] = rand();
- for (j = -16;j < 0;++j) c[j] = rand();
- for (j = -16;j < 0;++j) s[j] = rand();
- for (j = -16;j < 0;++j) n[j] = rand();
- for (j = -16;j < 0;++j) k[j] = rand();
- for (j = mlen;j < mlen + 16;++j) m[j] = rand();
- for (j = clen;j < clen + 16;++j) c[j] = rand();
- for (j = slen;j < slen + 16;++j) s[j] = rand();
- for (j = nlen;j < nlen + 16;++j) n[j] = rand();
- for (j = klen;j < klen + 16;++j) k[j] = rand();
- for (j = -16;j < mlen + 16;++j) m2[j] = m[j];
- for (j = -16;j < clen + 16;++j) c2[j] = c[j];
- for (j = -16;j < slen + 16;++j) s2[j] = s[j];
- for (j = -16;j < nlen + 16;++j) n2[j] = n[j];
- for (j = -16;j < klen + 16;++j) k2[j] = k[j];
-
- crypto_stream_xor(c,m,mlen,n,k);
-
- for (j = -16;j < mlen + 16;++j) if (m[j] != m2[j]) return "crypto_stream_xor overwrites m";
- for (j = -16;j < slen + 16;++j) if (s[j] != s2[j]) return "crypto_stream_xor overwrites s";
- for (j = -16;j < nlen + 16;++j) if (n[j] != n2[j]) return "crypto_stream_xor overwrites n";
- for (j = -16;j < klen + 16;++j) if (k[j] != k2[j]) return "crypto_stream_xor overwrites k";
- for (j = -16;j < 0;++j) if (c[j] != c2[j]) return "crypto_stream_xor writes before output";
- for (j = clen;j < clen + 16;++j) if (c[j] != c2[j]) return "crypto_stream_xor writes after output";
-
- for (j = -16;j < clen + 16;++j) c2[j] = c[j];
-
- crypto_stream(s,slen,n,k);
-
- for (j = -16;j < mlen + 16;++j) if (m[j] != m2[j]) return "crypto_stream overwrites m";
- for (j = -16;j < clen + 16;++j) if (c[j] != c2[j]) return "crypto_stream overwrites c";
- for (j = -16;j < nlen + 16;++j) if (n[j] != n2[j]) return "crypto_stream overwrites n";
- for (j = -16;j < klen + 16;++j) if (k[j] != k2[j]) return "crypto_stream overwrites k";
- for (j = -16;j < 0;++j) if (s[j] != s2[j]) return "crypto_stream writes before output";
- for (j = slen;j < slen + 16;++j) if (s[j] != s2[j]) return "crypto_stream writes after output";
-
- for (j = 0;j < mlen;++j)
- if ((s[j] ^ m[j]) != c[j]) return "crypto_stream_xor does not match crypto_stream";
-
- for (j = 0;j < clen;++j) k[j % klen] ^= c[j];
- crypto_stream_xor(m,c,clen,n,k);
- crypto_stream(s,slen,n,k);
- for (j = 0;j < mlen;++j)
- if ((s[j] ^ m[j]) != c[j]) return "crypto_stream_xor does not match crypto_stream";
- for (j = 0;j < mlen;++j) n[j % nlen] ^= m[j];
- m[mlen] = 0;
- }
-
- sodium_bin2hex(checksum, sizeof checksum, k, crypto_stream_KEYBYTES);
-
- return 0;
-}
diff --git a/src/libsodium/crypto_verify/try.c b/src/libsodium/crypto_verify/try.c
deleted file mode 100644
index 06684e7..0000000
--- a/src/libsodium/crypto_verify/try.c
+++ /dev/null
@@ -1,76 +0,0 @@
-/*
- * crypto_verify/try.c version 20090118
- * D. J. Bernstein
- * Public domain.
- */
-
-#include <stdlib.h>
-#include "crypto_verify.h"
-#include "windows/windows-quirks.h"
-
-extern unsigned char *alignedcalloc(unsigned long long);
-
-const char *primitiveimplementation = crypto_verify_IMPLEMENTATION;
-
-static unsigned char *x;
-static unsigned char *y;
-
-void preallocate(void)
-{
-}
-
-void allocate(void)
-{
- x = alignedcalloc(crypto_verify_BYTES);
- y = alignedcalloc(crypto_verify_BYTES);
-}
-
-void predoit(void)
-{
-}
-
-void doit(void)
-{
- crypto_verify(x,y);
-}
-
-static const char *check(void)
-{
- int r = crypto_verify(x,y);
- if (r == 0) {
- if (memcmp(x,y,crypto_verify_BYTES)) return "different strings pass verify";
- } else if (r == -1) {
- if (!memcmp(x,y,crypto_verify_BYTES)) return "equal strings fail verify";
- } else {
- return "weird return value from verify";
- }
- return 0;
-}
-
-char checksum[2];
-
-const char *checksum_compute(void)
-{
- long long tests;
- long long i;
- long long j;
- const char *c;
-
- for (tests = 0;tests < 100000;++tests) {
- for (i = 0;i < crypto_verify_BYTES;++i) x[i] = rand();
- for (i = 0;i < crypto_verify_BYTES;++i) y[i] = rand();
- c = check(); if (c) return c;
- for (i = 0;i < crypto_verify_BYTES;++i) y[i] = x[i];
- c = check(); if (c) return c;
- y[rand() % crypto_verify_BYTES] = rand();
- c = check(); if (c) return c;
- y[rand() % crypto_verify_BYTES] = rand();
- c = check(); if (c) return c;
- y[rand() % crypto_verify_BYTES] = rand();
- c = check(); if (c) return c;
- }
-
- checksum[0] = '0';
- checksum[1] = 0;
- return 0;
-}
diff --git a/src/libsodium/include/Makefile.am b/src/libsodium/include/Makefile.am
index 45a82d7..894c371 100644
--- a/src/libsodium/include/Makefile.am
+++ b/src/libsodium/include/Makefile.am
@@ -32,7 +32,6 @@ SODIUM_EXPORT = \
sodium/crypto_sign_edwards25519sha512batch.h \
sodium/crypto_stream.h \
sodium/crypto_stream_aes128ctr.h \
- sodium/crypto_stream_aes256estream.h \
sodium/crypto_stream_chacha20.h \
sodium/crypto_stream_salsa20.h \
sodium/crypto_stream_salsa2012.h \
diff --git a/src/libsodium/include/sodium.h b/src/libsodium/include/sodium.h
index dcb6b45..4a57108 100644
--- a/src/libsodium/include/sodium.h
+++ b/src/libsodium/include/sodium.h
@@ -32,7 +32,6 @@
#include <sodium/crypto_sign_ed25519.h>
#include <sodium/crypto_stream.h>
#include <sodium/crypto_stream_aes128ctr.h>
-#include <sodium/crypto_stream_aes256estream.h>
#include <sodium/crypto_stream_chacha20.h>
#include <sodium/crypto_stream_salsa20.h>
#include <sodium/crypto_stream_salsa2012.h>
diff --git a/src/libsodium/include/sodium/crypto_onetimeauth_poly1305.h b/src/libsodium/include/sodium/crypto_onetimeauth_poly1305.h
index 54f4a73..fb6eb49 100644
--- a/src/libsodium/include/sodium/crypto_onetimeauth_poly1305.h
+++ b/src/libsodium/include/sodium/crypto_onetimeauth_poly1305.h
@@ -54,9 +54,8 @@ const char *crypto_onetimeauth_poly1305_implementation_name(void);
SODIUM_EXPORT
int crypto_onetimeauth_poly1305_set_implementation(crypto_onetimeauth_poly1305_implementation *impl);
-SODIUM_EXPORT
crypto_onetimeauth_poly1305_implementation *
- crypto_onetimeauth_pick_best_implementation(void);
+crypto_onetimeauth_pick_best_implementation(void);
SODIUM_EXPORT
int crypto_onetimeauth_poly1305(unsigned char *out,
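Review bot: `crypto_onetimeauth_pick_best_implementation()` loses `SODIUM_EXPORT` but its prototype stays in this header between two exported declarations, with nothing marking it as internal. If the library is built with hidden default visibility (not shown here), callers who include the header would see a prototype for a symbol they cannot link against. Either move the declaration to a private header or add a comment above it such as `/* internal: not exported, do not call from applications */`.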
diff --git a/src/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h b/src/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h
index 7de8395..a83233b 100644
--- a/src/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h
+++ b/src/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h
@@ -2,6 +2,7 @@
#define crypto_pwhash_scryptsalsa208sha256_H
#include <stddef.h>
+#include <stdint.h>
#include "export.h"
@@ -20,6 +21,10 @@ size_t crypto_pwhash_scryptsalsa208sha256_saltbytes(void);
SODIUM_EXPORT
size_t crypto_pwhash_scryptsalsa208sha256_strbytes(void);
+#define crypto_pwhash_scryptsalsa208sha256_STRPREFIX "$7$"
+SODIUM_EXPORT
+const char *crypto_pwhash_scryptsalsa208sha256_strprefix(void);
+
#define crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE 524288ULL
SODIUM_EXPORT
size_t crypto_pwhash_scryptsalsa208sha256_opslimit_interactive(void);
diff --git a/src/libsodium/include/sodium/crypto_sign_ed25519.h b/src/libsodium/include/sodium/crypto_sign_ed25519.h
index 101b6c9..0194c39 100644
--- a/src/libsodium/include/sodium/crypto_sign_ed25519.h
+++ b/src/libsodium/include/sodium/crypto_sign_ed25519.h
@@ -57,6 +57,21 @@ SODIUM_EXPORT
int crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk,
const unsigned char *seed);
+SODIUM_EXPORT
+int crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
+ const unsigned char *ed25519_pk);
+
+SODIUM_EXPORT
+int crypto_sign_ed25519_sk_to_curve25519(unsigned char *curve25519_sk,
+ const unsigned char *ed25519_sk);
+
+SODIUM_EXPORT
+int crypto_sign_ed25519_sk_to_seed(unsigned char *seed,
+ const unsigned char *sk);
+
+SODIUM_EXPORT
+int crypto_sign_ed25519_sk_to_pk(unsigned char *pk, const unsigned char *sk);
+
#ifdef __cplusplus
}
#endif
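Review bot: The four new prototypes (`crypto_sign_ed25519_pk_to_curve25519`, `_sk_to_curve25519`, `_sk_to_seed`, `_sk_to_pk`) are added without any comment on the required size of each output buffer or on what a non-zero return means. Because they take raw `unsigned char *` pointers, a caller has to guess the size of `curve25519_pk`, `curve25519_sk` and `seed`, and an undersized buffer is a memory-safety bug. I would add a short comment above each naming the size constant for input and output (presumably `crypto_scalarmult_curve25519_BYTES` and `crypto_sign_ed25519_SEEDBYTES`; confirm against the implementation). The comment on the two `_to_curve25519` functions should also say that the converted key is derived from, and shares its secret with, the signing key.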
diff --git a/src/libsodium/include/sodium/crypto_stream_aes256estream.h b/src/libsodium/include/sodium/crypto_stream_aes256estream.h
deleted file mode 100644
index d497834..0000000
--- a/src/libsodium/include/sodium/crypto_stream_aes256estream.h
+++ /dev/null
@@ -1,67 +0,0 @@
-#ifndef crypto_stream_aes256estream_H
-#define crypto_stream_aes256estream_H
-
-/*
- * WARNING: This is just a stream cipher. It is NOT authenticated encryption.
- * While it provides some protection against eavesdropping, it does NOT
- * provide any security against active attacks.
- * Furthermore, this implementation was not part of NaCl.
- *
- * If you are looking for a stream cipher, you might consider
- * crypto_stream_aes128ctr, crypto_stream_chacha20 or crypto_stream_(x)salsa20
- * which are timing-attack resistant.
- *
- * But unless you know what you're doing, what you are looking for is probably
- * the crypto_box or crypto_secretbox functions.
- */
-
-#include <stddef.h>
-#include "export.h"
-
-#ifdef __cplusplus
-# if __GNUC__
-# pragma GCC diagnostic ignored "-Wlong-long"
-# endif
-extern "C" {
-#endif
-
-#define crypto_stream_aes256estream_KEYBYTES 32U
-SODIUM_EXPORT
-size_t crypto_stream_aes256estream_keybytes(void);
-
-#define crypto_stream_aes256estream_NONCEBYTES 16U
-SODIUM_EXPORT
-size_t crypto_stream_aes256estream_noncebytes(void);
-
-#define crypto_stream_aes256estream_BEFORENMBYTES 276U
-SODIUM_EXPORT
-size_t crypto_stream_aes256estream_beforenmbytes(void);
-
-SODIUM_EXPORT
-int crypto_stream_aes256estream(unsigned char *out, unsigned long long len,
- const unsigned char *nonce, const unsigned char *c);
-
-SODIUM_EXPORT
-int crypto_stream_aes256estream_xor(unsigned char *out, const unsigned char *in,
- unsigned long long inlen, const unsigned char *n,
- const unsigned char *k);
-
-SODIUM_EXPORT
-int crypto_stream_aes256estream_beforenm(unsigned char *c, const unsigned char *k);
-
-SODIUM_EXPORT
-int crypto_stream_aes256estream_afternm(unsigned char *out, unsigned long long len,
- const unsigned char *nonce,
- const unsigned char *c);
-
-SODIUM_EXPORT
-int crypto_stream_aes256estream_xor_afternm(unsigned char *out, const unsigned char *in,
- unsigned long long len,
- const unsigned char *nonce,
- const unsigned char *c);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
diff --git a/src/libsodium/include/sodium/randombytes.h b/src/libsodium/include/sodium/randombytes.h
index c5175b2..4d07cd5 100644
--- a/src/libsodium/include/sodium/randombytes.h
+++ b/src/libsodium/include/sodium/randombytes.h
@@ -26,28 +26,30 @@ typedef struct randombytes_implementation {
} randombytes_implementation;
SODIUM_EXPORT
-int randombytes_set_implementation(randombytes_implementation *impl);
+void randombytes_buf(void * const buf, const size_t size);
SODIUM_EXPORT
-void randombytes(unsigned char * const buf, const unsigned long long buf_len);
+uint32_t randombytes_random(void);
SODIUM_EXPORT
-const char *randombytes_implementation_name(void);
+uint32_t randombytes_uniform(const uint32_t upper_bound);
SODIUM_EXPORT
-uint32_t randombytes_random(void);
+void randombytes_stir(void);
SODIUM_EXPORT
-void randombytes_stir(void);
+int randombytes_close(void);
SODIUM_EXPORT
-uint32_t randombytes_uniform(const uint32_t upper_bound);
+int randombytes_set_implementation(randombytes_implementation *impl);
SODIUM_EXPORT
-void randombytes_buf(void * const buf, const size_t size);
+const char *randombytes_implementation_name(void);
+
+/* -- Compatibility layer with NaCl -- */
SODIUM_EXPORT
-int randombytes_close(void);
+void randombytes(unsigned char * const buf, const unsigned long long buf_len);
#ifdef __cplusplus
}
diff --git a/src/libsodium/include/sodium/utils.h b/src/libsodium/include/sodium/utils.h
index 817919b..1ac78eb 100644
--- a/src/libsodium/include/sodium/utils.h
+++ b/src/libsodium/include/sodium/utils.h
@@ -16,12 +16,14 @@ extern "C" {
# define _SODIUM_C99(X) X
#endif
-unsigned char *_sodium_alignedcalloc(unsigned char ** const unaligned_p,
- const size_t len);
-
SODIUM_EXPORT
void sodium_memzero(void * const pnt, const size_t len);
+/* WARNING: sodium_memcmp() must be used to verify if two secret keys
+ * are equal, in constant time.
+ * It returns 0 if the keys are equal, and -1 if they differ.
+ * This function is not designed for lexicographical comparisons.
+ */
SODIUM_EXPORT
int sodium_memcmp(const void * const b1_, const void * const b2_, size_t len);
@@ -41,6 +43,55 @@ int sodium_mlock(void * const addr, const size_t len);
SODIUM_EXPORT
int sodium_munlock(void * const addr, const size_t len);
+/* WARNING: sodium_malloc() and sodium_allocarray() are not general-purpose
+ * allocation functions.
+ *
+ * They return a pointer to a region filled with 0xd0 bytes, immediately
+ * followed by a guard page.
+ * As a result, accessing a single byte after the requested allocation size
+ * will intentionally trigger a segmentation fault.
+ *
+ * A canary and an additional guard page placed before the beginning of the
+ * region may also kill the process if a buffer underflow is detected.
+ *
+ * The memory layout is:
+ * [unprotected region size (read only)][guard page (no access)][unprotected pages (read/write)][guard page (no access)]
+ * With the layout of the unprotected pages being:
+ * [optional padding][16-bytes canary][user region]
+ *
+ * However:
+ * - These functions are significantly slower than standard functions
+ * - Each allocation requires 3 or 4 additional pages
+ * - The returned address will not be aligned if the allocation size is not
+ * a multiple of the required alignment. For this reason, these functions
+ * are designed to store data, such as secret keys and messages.
+ * They should not be used to store pointers mixed with other types
+ * in portable code unless extreme care is taken to ensure correct
+ * pointers alignment.
+ */
+
+SODIUM_EXPORT
+void *sodium_malloc(const size_t size);
+
+SODIUM_EXPORT
+void *sodium_allocarray(size_t count, size_t size);
+
+SODIUM_EXPORT
+void sodium_free(void *ptr);
+
+SODIUM_EXPORT
+int sodium_mprotect_noaccess(void *ptr);
+
+SODIUM_EXPORT
+int sodium_mprotect_readonly(void *ptr);
+
+SODIUM_EXPORT
+int sodium_mprotect_readwrite(void *ptr);
+
+/* -------- */
+
+int _sodium_alloc_init(void);
+
#ifdef __cplusplus
}
#endif
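Review bot: The WARNING block describes the guard-page layout in detail but does not say what `sodium_malloc()` and `sodium_allocarray()` return on failure, nor that the result must be released with `sodium_free()` rather than `free()`. It is also silent on what the `sodium_mprotect_*()` return values mean. These are the facts a caller needs to use the API safely, and the implementation is not visible in this hunk to infer them from. I would append lines to the comment stating the failure return (presumably NULL; confirm), the required pairing with `sodium_free()`, and the success value of the mprotect helpers. `_sodium_alloc_init()` is declared here without `SODIUM_EXPORT`, so a one-line `/* internal */` marker above it would help too.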
diff --git a/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c b/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c
index 374ff4d..2b44469 100644
--- a/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c
+++ b/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c
@@ -41,7 +41,7 @@ BOOLEAN NTAPI RtlGenRandom(PVOID RandomBuffer, ULONG RandomBufferLength);
typedef struct Salsa20Random_ {
unsigned char key[crypto_stream_salsa20_KEYBYTES];
- unsigned char rnd32[SALSA20_RANDOM_BLOCK_SIZE];
+ unsigned char rnd32[16U * SALSA20_RANDOM_BLOCK_SIZE];
uint64_t nonce;
size_t rnd32_outleft;
#ifndef _MSC_VER
@@ -67,7 +67,10 @@ sodium_hrtime(void)
#ifdef _WIN32
struct _timeb tb;
+# pragma warning(push)
+# pragma warning(disable: 4996)
_ftime(&tb);
+# pragma warning(pop)
tv.tv_sec = (long) tb.time;
tv.tv_usec = ((int) tb.millitm) * 1000;
ret = 0;
@@ -91,12 +94,12 @@ safe_read(const int fd, void * const buf_, size_t count)
assert(count > (size_t) 0U);
do {
while ((readnb = read(fd, buf, count)) < (ssize_t) 0 &&
- errno == EINTR);
+ errno == EINTR); /* LCOV_EXCL_LINE */
if (readnb < (ssize_t) 0) {
- return readnb;
+ return readnb; /* LCOV_EXCL_LINE */
}
if (readnb == (ssize_t) 0) {
- break;
+ break; /* LCOV_EXCL_LINE */
}
count -= (size_t) readnb;
buf += readnb;
@@ -110,6 +113,7 @@ safe_read(const int fd, void * const buf_, size_t count)
static int
randombytes_salsa20_random_random_dev_open(void)
{
+/* LCOV_EXCL_START */
struct stat st;
static const char *devices[] = {
# ifndef USE_BLOCKING_RANDOM
@@ -131,6 +135,7 @@ randombytes_salsa20_random_random_dev_open(void)
} while (*device != NULL);
return -1;
+/* LCOV_EXCL_STOP */
}
static void
@@ -143,7 +148,7 @@ randombytes_salsa20_random_init(void)
if ((stream.random_data_source_fd =
randombytes_salsa20_random_random_dev_open()) == -1) {
- abort();
+ abort(); /* LCOV_EXCL_LINE */
}
errno = errno_save;
}
@@ -181,11 +186,11 @@ randombytes_salsa20_random_stir(void)
#ifndef _WIN32
if (safe_read(stream.random_data_source_fd, m0,
sizeof m0) != (ssize_t) sizeof m0) {
- abort();
+ abort(); /* LCOV_EXCL_LINE */
}
#else /* _WIN32 */
if (! RtlGenRandom((PVOID) m0, (ULONG) sizeof m0)) {
- abort();
+ abort(); /* LCOV_EXCL_LINE */
}
#endif
COMPILER_ASSERT(sizeof stream.key == crypto_auth_hmacsha512256_BYTES);
@@ -214,14 +219,26 @@ randombytes_salsa20_random_stir_if_needed(void)
#endif
}
+static void
+randombytes_salsa20_random_rekey(const unsigned char * const mix)
+{
+ unsigned char *key = stream.key;
+ size_t i;
+
+ for (i = (size_t) 0U; i < sizeof stream.key; i++) {
+ key[i] ^= mix[i];
+ }
+}
+
static uint32_t
randombytes_salsa20_random_getword(void)
{
uint32_t val;
int ret;
- COMPILER_ASSERT(sizeof stream.rnd32 >= sizeof val);
- COMPILER_ASSERT(sizeof stream.rnd32 % sizeof val == (size_t) 0U);
+ COMPILER_ASSERT(sizeof stream.rnd32 >= (sizeof stream.key) + (sizeof val));
+ COMPILER_ASSERT(((sizeof stream.rnd32) - (sizeof stream.key))
+ % sizeof val == (size_t) 0U);
if (stream.rnd32_outleft <= (size_t) 0U) {
randombytes_salsa20_random_stir_if_needed();
COMPILER_ASSERT(sizeof stream.nonce == crypto_stream_salsa20_NONCEBYTES);
@@ -230,11 +247,13 @@ randombytes_salsa20_random_getword(void)
(unsigned char *) &stream.nonce,
stream.key);
assert(ret == 0);
+ stream.rnd32_outleft = (sizeof stream.rnd32) - (sizeof stream.key);
+ randombytes_salsa20_random_rekey(&stream.rnd32[stream.rnd32_outleft]);
stream.nonce++;
- stream.rnd32_outleft = sizeof stream.rnd32;
}
stream.rnd32_outleft -= sizeof val;
memcpy(&val, &stream.rnd32[stream.rnd32_outleft], sizeof val);
+ memset(&stream.rnd32[stream.rnd32_outleft], 0, sizeof val);
return val;
}
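Review bot: The tail of `stream.rnd32` that is passed to `randombytes_salsa20_random_rekey` stays in the buffer after the call, and the rekey defined in the previous hunk is a plain XOR into `stream.key`. Anyone who later reads the generator state can XOR that tail back out of the current key, recover the previous key, and regenerate every word already handed out from this buffer with `stream.nonce - 1`. That undoes what the new per-word `memset` is for. Clearing the tail right after the rekey closes this: `memset(&stream.rnd32[stream.rnd32_outleft], 0, sizeof stream.key);`. The body of `randombytes_salsa20_random_getword` begins in the previous hunk.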
@@ -278,10 +297,11 @@ randombytes_salsa20_random_buf(void * const buf, const size_t size)
assert(size <= ULONG_LONG_MAX);
#endif
ret = crypto_stream_salsa20((unsigned char *) buf, (unsigned long long) size,
- (unsigned char *) &stream.nonce,
- stream.key);
+ (unsigned char *) &stream.nonce, stream.key);
assert(ret == 0);
stream.nonce++;
+ crypto_stream_salsa20_xor(stream.key, stream.key, sizeof stream.key,
+ (unsigned char *) &stream.nonce, stream.key);
}
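Review bot: The return value of the added `crypto_stream_salsa20_xor` call is discarded, while the `crypto_stream_salsa20` call just above it is checked with `assert(ret == 0)`. A failed rekey would leave the old key in place without notice, so capture it the same way: `ret = crypto_stream_salsa20_xor(...); assert(ret == 0);`. The call also passes `stream.key` as output, input and key at once, which is only correct if the stream implementation loads the key before it writes any output. A one-line comment stating that assumption, or rekeying through a temporary buffer, would protect it against a backend change. The function body starts before this hunk.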
/*
@@ -304,7 +324,7 @@ randombytes_salsa20_random_uniform(const uint32_t upper_bound)
if (r >= min) {
break;
}
- }
+ } /* LCOV_EXCL_LINE */
return r % upper_bound;
}
diff --git a/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c b/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c
index 0ffcc2e..2979ef3 100644
--- a/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c
+++ b/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c
@@ -83,12 +83,12 @@ safe_read(const int fd, void * const buf_, size_t count)
assert(count > (size_t) 0U);
do {
while ((readnb = read(fd, buf, count)) < (ssize_t) 0 &&
- errno == EINTR);
+ errno == EINTR); /* LCOV_EXCL_LINE */
if (readnb < (ssize_t) 0) {
- return readnb;
+ return readnb; /* LCOV_EXCL_LINE */
}
if (readnb == (ssize_t) 0) {
- break;
+ break; /* LCOV_EXCL_LINE */
}
count -= (size_t) readnb;
buf += readnb;
@@ -102,6 +102,7 @@ safe_read(const int fd, void * const buf_, size_t count)
static int
randombytes_sysrandom_random_dev_open(void)
{
+/* LCOV_EXCL_START */
struct stat st;
static const char *devices[] = {
# ifndef USE_BLOCKING_RANDOM
@@ -123,6 +124,7 @@ randombytes_sysrandom_random_dev_open(void)
} while (*device != NULL);
return -1;
+/* LCOV_EXCL_STOP */
}
static void
@@ -132,7 +134,7 @@ randombytes_sysrandom_init(void)
if ((stream.random_data_source_fd =
randombytes_sysrandom_random_dev_open()) == -1) {
- abort();
+ abort(); /* LCOV_EXCL_LINE */
}
errno = errno_save;
}
@@ -203,14 +205,14 @@ randombytes_sysrandom_buf(void * const buf, const size_t size)
#endif
#ifndef _WIN32
if (safe_read(stream.random_data_source_fd, buf, size) != (ssize_t) size) {
- abort();
+ abort(); /* LCOV_EXCL_LINE */
}
#else
if (size > 0xffffffff) {
- abort();
+ abort(); /* LCOV_EXCL_LINE */
}
if (! RtlGenRandom((PVOID) buf, (ULONG) size)) {
- abort();
+ abort(); /* LCOV_EXCL_LINE */
}
#endif
}
@@ -235,7 +237,7 @@ randombytes_sysrandom_uniform(const uint32_t upper_bound)
if (r >= min) {
break;
}
- }
+ } /* LCOV_EXCL_LINE */
return r % upper_bound;
}
diff --git a/src/libsodium/sodium/compat.c b/src/libsodium/sodium/compat.c
deleted file mode 100644
index ece2dbc..0000000
--- a/src/libsodium/sodium/compat.c
+++ /dev/null
@@ -1,361 +0,0 @@
-
-#include "crypto_auth_hmacsha256.h"
-#include "crypto_auth_hmacsha512256.h"
-#include "crypto_box_curve25519xsalsa20poly1305.h"
-#include "crypto_hash_sha256.h"
-#include "crypto_hash_sha512.h"
-#include "crypto_onetimeauth_poly1305.h"
-#include "crypto_pwhash_scryptsalsa208sha256.h"
-#include "crypto_scalarmult_curve25519.h"
-#include "crypto_secretbox_xsalsa20poly1305.h"
-#include "crypto_sign_ed25519.h"
-#include "crypto_stream_salsa20.h"
-#include "crypto_stream_xsalsa20.h"
-#include "crypto_verify_16.h"
-#include "crypto_verify_32.h"
-#include "export.h"
-
-#ifdef __cplusplus
-extern "C" {
-#endif
-
-#undef crypto_pwhash_scryptxsalsa208sha256_saltbytes
-SODIUM_EXPORT size_t
-crypto_pwhash_scryptxsalsa208sha256_saltbytes(void)
-{
- return crypto_pwhash_scryptsalsa208sha256_saltbytes();
-}
-
-#undef crypto_pwhash_scryptxsalsa208sha256_strbytes
-SODIUM_EXPORT size_t
-crypto_pwhash_scryptxsalsa208sha256_strbytes(void)
-{
- return crypto_pwhash_scryptsalsa208sha256_strbytes();
-}
-
-#undef crypto_pwhash_scryptxsalsa208sha256
-SODIUM_EXPORT int
-crypto_pwhash_scryptxsalsa208sha256(unsigned char * const out,
- unsigned long long outlen,
- const char * const passwd,
- unsigned long long passwdlen,
- const unsigned char * const salt,
- unsigned long long opslimit,
- size_t memlimit)
-{
- return crypto_pwhash_scryptsalsa208sha256(out, outlen, passwd, passwdlen,
- salt, opslimit, memlimit);
-}
-
-#undef crypto_pwhash_scryptxsalsa208sha256_str
-SODIUM_EXPORT int
-crypto_pwhash_scryptxsalsa208sha256_str(char out[crypto_pwhash_scryptsalsa208sha256_STRBYTES],
- const char * const passwd,
- unsigned long long passwdlen,
- unsigned long long opslimit,
- size_t memlimit)
-{
- return crypto_pwhash_scryptsalsa208sha256_str(out, passwd, passwdlen,
- opslimit, memlimit);
-}
-
-#undef crypto_pwhash_scryptxsalsa208sha256_str_verify
-SODIUM_EXPORT int
-crypto_pwhash_scryptxsalsa208sha256_str_verify(const char str[crypto_pwhash_scryptsalsa208sha256_STRBYTES],
- const char * const passwd,
- unsigned long long passwdlen)
-{
- return crypto_pwhash_scryptsalsa208sha256_str_verify(str,
- passwd, passwdlen);
-}
-
-#ifdef EXPORT_ORIGINAL_IMPLEMENTATIONS
-
-#undef crypto_hash_sha256_ref
-SODIUM_EXPORT int
-crypto_hash_sha256_ref(unsigned char *out, const unsigned char *in,
- unsigned long long inlen)
-{
- return crypto_hash_sha256(out, in, inlen);
-}
-
-#undef crypto_hash_sha512_ref
-SODIUM_EXPORT int
-crypto_hash_sha512_ref(unsigned char *out, const unsigned char *in,
- unsigned long long inlen)
-{
- return crypto_hash_sha512(out, in, inlen);
-}
-
-#undef crypto_auth_hmacsha256_ref
-SODIUM_EXPORT int
-crypto_auth_hmacsha256_ref(unsigned char *out, const unsigned char *in,
- unsigned long long inlen, const unsigned char *k)
-{
- return crypto_auth_hmacsha256(out, in, inlen, k);
-}
-
-#undef crypto_auth_hmacsha256_ref_verify
-SODIUM_EXPORT int
-crypto_auth_hmacsha256_ref_verify(const unsigned char *h,
- const unsigned char *in,
- unsigned long long inlen,
- const unsigned char *k)
-{
- return crypto_auth_hmacsha256_verify(h, in, inlen, k);
-}
-
-#undef crypto_auth_hmacsha512256_ref
-SODIUM_EXPORT int
-crypto_auth_hmacsha512256_ref(unsigned char *out, const unsigned char *in,
- unsigned long long inlen, const unsigned char *k)
-{
- return crypto_auth_hmacsha512256(out, in, inlen, k);
-}
-
-#undef crypto_auth_hmacsha512256_ref_verify
-SODIUM_EXPORT int
-crypto_auth_hmacsha512256_ref_verify(const unsigned char *h,
- const unsigned char *in,
- unsigned long long inlen,
- const unsigned char *k)
-{
- return crypto_auth_hmacsha512256_verify(h, in, inlen, k);
-}
-
-#undef crypto_box_curve25519xsalsa20poly1305_ref_keypair
-SODIUM_EXPORT int
-crypto_box_curve25519xsalsa20poly1305_ref_keypair(unsigned char *pk,
- unsigned char *sk)
-{
- return crypto_box_curve25519xsalsa20poly1305_keypair(pk, sk);
-}
-
-#undef crypto_box_curve25519xsalsa20poly1305_ref_beforenm
-SODIUM_EXPORT int
-crypto_box_curve25519xsalsa20poly1305_ref_beforenm(unsigned char *k,
- const unsigned char *pk,
- const unsigned char *sk)
-{
- return crypto_box_curve25519xsalsa20poly1305_beforenm(k, pk, sk);
-}
-
-#undef crypto_box_curve25519xsalsa20poly1305_ref_afternm
-SODIUM_EXPORT int
-crypto_box_curve25519xsalsa20poly1305_ref_afternm(unsigned char *c,
- const unsigned char *m,
- unsigned long long mlen,
- const unsigned char *n,
- const unsigned char *k)
-{
- return crypto_box_curve25519xsalsa20poly1305_afternm(c, m, mlen, n, k);
-}
-
-#undef crypto_box_curve25519xsalsa20poly1305_ref_open_afternm
-SODIUM_EXPORT int
-crypto_box_curve25519xsalsa20poly1305_ref_open_afternm(unsigned char *m,
- const unsigned char *c,
- unsigned long long clen,
- const unsigned char *n,
- const unsigned char *k)
-{
- return crypto_box_curve25519xsalsa20poly1305_open_afternm(m, c, clen, n, k);
-}
-
-#undef crypto_box_curve25519xsalsa20poly1305_ref
-SODIUM_EXPORT int
-crypto_box_curve25519xsalsa20poly1305_ref(unsigned char *c,
- const unsigned char *m,
- unsigned long long mlen,
- const unsigned char *n,
- const unsigned char *pk,
- const unsigned char *sk)
-{
- return crypto_box_curve25519xsalsa20poly1305(c, m, mlen, n, pk, sk);
-}
-
-#undef crypto_box_curve25519xsalsa20poly1305_ref_open
-SODIUM_EXPORT int
-crypto_box_curve25519xsalsa20poly1305_ref_open(unsigned char *m,
- const unsigned char *c,
- unsigned long long clen,
- const unsigned char *n,
- const unsigned char *pk,
- const unsigned char *sk)
-{
- return crypto_box_curve25519xsalsa20poly1305_open(m, c, clen, n, pk, sk);
-}
-
-#undef crypto_scalarmult_curve25519_ref_base
-SODIUM_EXPORT int
-crypto_scalarmult_curve25519_ref_base(unsigned char *q, const unsigned char *n)
-{
- return crypto_scalarmult_curve25519_base(q, n);
-}
-
-#undef crypto_scalarmult_curve25519_ref
-SODIUM_EXPORT int
-crypto_scalarmult_curve25519_ref(unsigned char *q, const unsigned char *n,
- const unsigned char *p)
-{
- return crypto_scalarmult_curve25519(q, n, p);
-}
-
-#undef crypto_scalarmult_curve25519_donna_c64_base
-SODIUM_EXPORT int
-crypto_scalarmult_curve25519_donna_c64_base(unsigned char *q, const unsigned char *n)
-{
- return crypto_scalarmult_curve25519_base(q, n);
-}
-
-#undef crypto_scalarmult_curve25519_donna_c64
-SODIUM_EXPORT int
-crypto_scalarmult_curve25519_donna_c64(unsigned char *q, const unsigned char *n,
- const unsigned char *p)
-{
- return crypto_scalarmult_curve25519(q, n, p);
-}
-
-#undef crypto_secretbox_xsalsa20poly1305_ref
-SODIUM_EXPORT int
-crypto_secretbox_xsalsa20poly1305_ref(unsigned char *c,
- const unsigned char *m,
- unsigned long long mlen,
- const unsigned char *n,
- const unsigned char *k)
-{
- return crypto_secretbox_xsalsa20poly1305(c, m, mlen, n, k);
-}
-
-#undef crypto_secretbox_xsalsa20poly1305_ref_open
-SODIUM_EXPORT int
-crypto_secretbox_xsalsa20poly1305_ref_open(unsigned char *m,
- const unsigned char *c,
- unsigned long long clen,
- const unsigned char *n,
- const unsigned char *k)
-{
- return crypto_secretbox_xsalsa20poly1305_open(m, c, clen, n, k);
-}
-
-#undef crypto_sign_ed25519_ref_seed_keypair
-SODIUM_EXPORT int
-crypto_sign_ed25519_ref_seed_keypair(unsigned char *pk, unsigned char *sk,
- const unsigned char *seed)
-{
- return crypto_sign_ed25519_seed_keypair(pk, sk, seed);
-}
-
-#undef crypto_sign_ed25519_ref_keypair
-SODIUM_EXPORT int
-crypto_sign_ed25519_ref_keypair(unsigned char *pk, unsigned char *sk)
-{
- return crypto_sign_ed25519_keypair(pk, sk);
-}
-
-#undef crypto_sign_ed25519_ref
-SODIUM_EXPORT int
-crypto_sign_ed25519_ref(unsigned char *sm, unsigned long long *smlen,
- const unsigned char *m, unsigned long long mlen,
- const unsigned char *sk)
-{
- return crypto_sign_ed25519(sm, smlen, m, mlen, sk);
-}
-
-#undef crypto_sign_ed25519_ref_open
-SODIUM_EXPORT int
-crypto_sign_ed25519_ref_open(unsigned char *m, unsigned long long *mlen,
- const unsigned char *sm, unsigned long long smlen,
- const unsigned char *pk)
-{
- return crypto_sign_ed25519_open(m, mlen, sm, smlen, pk);
-}
-
-#undef crypto_stream_xsalsa20_ref
-SODIUM_EXPORT int
-crypto_stream_xsalsa20_ref(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k)
-{
- return crypto_stream_xsalsa20(c, clen, n, k);
-}
-
-#undef crypto_stream_xsalsa20_ref_xor
-SODIUM_EXPORT int
-crypto_stream_xsalsa20_ref_xor(unsigned char *c, const unsigned char *m,
- unsigned long long mlen, const unsigned char *n,
- const unsigned char *k)
-{
- return crypto_stream_xsalsa20_xor(c, m, mlen, n, k);
-}
-
-#undef crypto_verify_16_ref
-SODIUM_EXPORT int
-crypto_verify_16_ref(const unsigned char *x, const unsigned char *y)
-{
- return crypto_verify_16(x, y);
-}
-
-#undef crypto_verify_32_ref
-SODIUM_EXPORT int
-crypto_verify_32_ref(const unsigned char *x, const unsigned char *y)
-{
- return crypto_verify_32(x, y);
-}
-
-#undef crypto_onetimeauth_poly1305_ref
-SODIUM_EXPORT int
-crypto_onetimeauth_poly1305_ref(unsigned char *out,
- const unsigned char *in,
- unsigned long long inlen,
- const unsigned char *k)
-{
- return crypto_onetimeauth_poly1305(out, in, inlen, k);
-}
-
-#undef crypto_stream_salsa20_amd64_xmm6
-SODIUM_EXPORT int
-crypto_stream_salsa20_amd64_xmm6(unsigned char *c,
- unsigned long long clen,
- const unsigned char *n,
- const unsigned char *k)
-{
- return crypto_stream_salsa20(c, clen, n, k);
-}
-
-#undef crypto_stream_salsa20_ref
-SODIUM_EXPORT int
-crypto_stream_salsa20_ref(unsigned char *c,
- unsigned long long clen,
- const unsigned char *n,
- const unsigned char *k)
-{
- return crypto_stream_salsa20(c, clen, n, k);
-}
-
-#undef crypto_stream_salsa20_amd64_xmm6_xor
-SODIUM_EXPORT int
-crypto_stream_salsa20_amd64_xmm6_xor(unsigned char *c,
- const unsigned char *m,
- unsigned long long mlen,
- const unsigned char *n,
- const unsigned char *k)
-{
- return crypto_stream_salsa20_xor(c, m, mlen, n, k);
-}
-
-#undef crypto_stream_salsa20_ref_xor
-SODIUM_EXPORT int
-crypto_stream_salsa20_ref_xor(unsigned char *c,
- const unsigned char *m,
- unsigned long long mlen,
- const unsigned char *n,
- const unsigned char *k)
-{
- return crypto_stream_salsa20_xor(c, m, mlen, n, k);
-}
-
-#endif
-
-#ifdef __cplusplus
-}
-#endif
diff --git a/src/libsodium/sodium/core.c b/src/libsodium/sodium/core.c
index 652f31e..367f275 100644
--- a/src/libsodium/sodium/core.c
+++ b/src/libsodium/sodium/core.c
@@ -3,6 +3,7 @@
#include "crypto_onetimeauth.h"
#include "randombytes.h"
#include "runtime.h"
+#include "utils.h"
static int initialized;
@@ -14,9 +15,10 @@ sodium_init(void)
}
sodium_runtime_get_cpu_features();
if (crypto_onetimeauth_pick_best_implementation() == NULL) {
- return -1;
+ return -1; /* LCOV_EXCL_LINE */
}
randombytes_stir();
+ _sodium_alloc_init();
initialized = 1;
return 0;
diff --git a/src/libsodium/sodium/runtime.c b/src/libsodium/sodium/runtime.c
index 52b3707..3e424a0 100644
--- a/src/libsodium/sodium/runtime.c
+++ b/src/libsodium/sodium/runtime.c
@@ -44,7 +44,7 @@ static void
_cpuid(unsigned int cpu_info[4U], const unsigned int cpu_info_type)
{
#ifdef _MSC_VER
- __cpuidex((int *) cpu_info, cpu_info_type, 0);
+ __cpuid((int *) cpu_info, cpu_info_type);
#elif defined(HAVE_CPUID)
cpu_info[0] = cpu_info[1] = cpu_info[2] = cpu_info[3] = 0;
# ifdef __i386__
@@ -56,7 +56,7 @@ _cpuid(unsigned int cpu_info[4U], const unsigned int cpu_info_type)
"=&r" (cpu_info[0]), "=&r" (cpu_info[1]) :
"i" (0x200000));
if (((cpu_info[0] ^ cpu_info[1]) & 0x200000) == 0x0) {
- return;
+ return; /* LCOV_EXCL_LINE */
}
# endif
# ifdef __i386__
@@ -88,7 +88,7 @@ _sodium_runtime_intel_cpu_features(CPUFeatures * const cpu_features)
_cpuid(cpu_info, 0x0);
if ((id = cpu_info[0]) == 0U) {
- return -1;
+ return -1; /* LCOV_EXCL_LINE */
}
_cpuid(cpu_info, 0x00000001);
#ifndef HAVE_EMMINTRIN_H
diff --git a/src/libsodium/sodium/utils.c b/src/libsodium/sodium/utils.c
index eff9d0c..e51ae6b 100644
--- a/src/libsodium/sodium/utils.c
+++ b/src/libsodium/sodium/utils.c
@@ -1,8 +1,10 @@
#ifndef __STDC_WANT_LIB_EXT1__
# define __STDC_WANT_LIB_EXT1__ 1
#endif
+#include <assert.h>
#include <errno.h>
#include <limits.h>
+#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
@@ -17,8 +19,32 @@
#ifdef _WIN32
# include <windows.h>
# include <wincrypt.h>
+#else
+# include <unistd.h>
+#endif
+
+#define CANARY_SIZE 16U
+#define GARBAGE_VALUE 0xd0
+
+#ifndef MAP_NOCORE
+# define MAP_NOCORE 0
+#endif
+#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
+# define MAP_ANON MAP_ANONYMOUS
+#endif
+#if defined(_WIN32) || defined(MAP_ANON) || defined(HAVE_POSIX_MEMALIGN)
+# define HAVE_ALIGNED_MALLOC
+#endif
+#if defined(HAVE_MPROTECT) && !(defined(PROT_NONE) && defined(PROT_READ) && defined(PROT_WRITE))
+# undef HAVE_MPROTECT
+#endif
+#if defined(HAVE_ALIGNED_MALLOC) && (defined(_WIN32) || defined(HAVE_MPROTECT))
+# define HAVE_PAGE_PROTECTION
#endif
+static size_t page_size;
+static unsigned char canary[CANARY_SIZE];
+
#ifdef HAVE_WEAK_SYMBOLS
__attribute__((weak)) void
__sodium_dummy_symbol_to_prevent_lto(void * const pnt, const size_t len)
@@ -31,11 +57,11 @@ __sodium_dummy_symbol_to_prevent_lto(void * const pnt, const size_t len)
void
sodium_memzero(void * const pnt, const size_t len)
{
-#ifdef HAVE_SECUREZEROMEMORY
+#ifdef _WIN32
SecureZeroMemory(pnt, len);
#elif defined(HAVE_MEMSET_S)
if (memset_s(pnt, (rsize_t) len, 0, (rsize_t) len) != 0) {
- abort();
+ abort(); /* LCOV_EXCL_LINE */
}
#elif defined(HAVE_EXPLICIT_BZERO)
explicit_bzero(pnt, len);
@@ -66,34 +92,6 @@ sodium_memcmp(const void * const b1_, const void * const b2_, size_t len)
return (int) ((1 & ((d - 1) >> 8)) - 1);
}
-unsigned char *
-_sodium_alignedcalloc(unsigned char ** const unaligned_p, const size_t len)
-{
- unsigned char *aligned;
- unsigned char *unaligned;
- size_t i;
-
- if (SIZE_MAX - (size_t) 256U < len ||
- (unaligned = (unsigned char *) malloc(len + (size_t) 256U)) == NULL) {
- *unaligned_p = NULL;
- return NULL;
- }
- *unaligned_p = unaligned;
-#ifdef HAVE_ARC4RANDOM_BUF
- (void) i;
- arc4random_buf(unaligned, len + (size_t) 256U);
-#else
- for (i = (size_t) 0U; i < len + (size_t) 256U; ++i) {
- unaligned[i] = (unsigned char) rand();
- }
-#endif
- aligned = unaligned + 64;
- aligned += (ptrdiff_t) 63 & (-(ptrdiff_t) aligned);
- memset(aligned, 0, len);
-
- return aligned;
-}
-
char *
sodium_bin2hex(char * const hex, const size_t hex_maxlen,
const unsigned char * const bin, const size_t bin_len)
@@ -106,7 +104,7 @@ sodium_bin2hex(char * const hex, const size_t hex_maxlen,
size_t j = (size_t) 0U;
if (bin_len >= SIZE_MAX / 2 || hex_maxlen < bin_len * 2U) {
- abort();
+ abort(); /* LCOV_EXCL_LINE */
}
while (i < bin_len) {
hex[j++] = hexdigits[bin[i] >> 4];
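Review bot: The bounds check `hex_maxlen < bin_len * 2U` accepts a buffer of exactly `bin_len * 2` bytes, which the loop then fills completely. If the function writes a terminating NUL after the loop, that byte lands one past the end of `hex`. The rest of the body is outside this hunk, so this is inferred from the `char *` return type and the parameter names. If it holds, the condition should be `hex_maxlen <= bin_len * 2U`.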
@@ -178,7 +176,7 @@ sodium_mlock(void * const addr, const size_t len)
#endif
#ifdef HAVE_MLOCK
return mlock(addr, len);
-#elif defined(HAVE_VIRTUALLOCK)
+#elif defined(_WIN32)
return -(VirtualLock(addr, len) == 0);
#else
errno = ENOSYS;
@@ -195,10 +193,286 @@ sodium_munlock(void * const addr, const size_t len)
#endif
#ifdef HAVE_MLOCK
return munlock(addr, len);
-#elif defined(HAVE_VIRTUALLOCK)
+#elif defined(_WIN32)
return -(VirtualUnlock(addr, len) == 0);
#else
errno = ENOSYS;
return -1;
#endif
}
+
+int
+_sodium_alloc_init(void)
+{
+#if defined(_SC_PAGESIZE)
+ long page_size_ = sysconf(_SC_PAGESIZE);
+ if (page_size_ > 0L) {
+ page_size = (size_t) page_size_;
+ }
+#elif defined(_WIN32)
+ SYSTEM_INFO si;
+ GetSystemInfo(&si);
+ page_size = (size_t) si.dwPageSize;
+#endif
+ if (page_size < CANARY_SIZE) {
+ abort(); /* LCOV_EXCL_LINE */
+ }
+ randombytes_buf(canary, sizeof canary);
+
+ return 0;
+}
+
+static inline size_t
+_page_round(const size_t size)
+{
+ const size_t page_mask = page_size - 1U;
+
+ return (size + page_mask) & ~page_mask;
+}
+
+static int
+_mprotect_noaccess(void *ptr, size_t size)
+{
+#if defined(HAVE_MPROTECT) && defined(HAVE_PAGE_PROTECTION)
+ return mprotect(ptr, size, PROT_NONE);
+#elif defined(_WIN32)
+ {
+ DWORD old;
+ return -(VirtualProtect(ptr, size, PAGE_NOACCESS, &old) == 0);
+ }
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
+}
+
+static int
+_mprotect_readonly(void *ptr, size_t size)
+{
+#if defined(HAVE_MPROTECT) && defined(HAVE_PAGE_PROTECTION)
+ return mprotect(ptr, size, PROT_READ);
+#elif defined(_WIN32)
+ {
+ DWORD old;
+ return -(VirtualProtect(ptr, size, PAGE_READONLY, &old) == 0);
+ }
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
+}
+
+static int
+_mprotect_readwrite(void *ptr, size_t size)
+{
+#if defined(HAVE_MPROTECT) && defined(HAVE_PAGE_PROTECTION)
+ return mprotect(ptr, size, PROT_READ | PROT_WRITE);
+#elif defined(_WIN32)
+ {
+ DWORD old;
+ return -(VirtualProtect(ptr, size, PAGE_READWRITE, &old) == 0);
+ }
+#else
+ errno = ENOSYS;
+ return -1;
+#endif
+}
+
+static void
+_out_of_bounds(void)
+{
+#ifdef SIGSEGV
+ raise(SIGSEGV);
+#elif defined(SIGKILL)
+ raise(SIGKILL);
+#endif
+ abort();
+} /* LCOV_EXCL_LINE */
+
+static __attribute__((malloc)) unsigned char *
+_alloc_aligned(const size_t size)
+{
+ void *ptr;
+
+#ifdef MAP_ANON
+ if ((ptr = mmap(NULL, size, PROT_READ | PROT_WRITE,
+ MAP_ANON | MAP_PRIVATE | MAP_NOCORE, -1, 0)) == MAP_FAILED) {
+ ptr = NULL; /* LCOV_EXCL_LINE */
+ } /* LCOV_EXCL_LINE */
+#elif defined(HAVE_POSIX_MEMALIGN)
+ if (posix_memalign(&ptr, page_size, size) != 0) {
+ ptr = NULL; /* LCOV_EXCL_LINE */
+ } /* LCOV_EXCL_LINE */
+#elif defined(_WIN32)
+ ptr = VirtualAlloc(NULL, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
+#elif !defined(HAVE_ALIGNED_MALLOC)
+ ptr = malloc(size);
+#else
+# error Bug
+#endif
+ return (unsigned char *) ptr;
+}
+
+static void
+_free_aligned(unsigned char * const ptr, const size_t size)
+{
+#ifdef MAP_ANON
+ (void) munmap(ptr, size);
+#elif defined(HAVE_POSIX_MEMALIGN)
+ free(ptr);
+#elif defined(_WIN32)
+ VirtualFree(ptr, 0U, MEM_RELEASE);
+#else
+ free(ptr);
+#endif
+}
+
+static unsigned char *
+_unprotected_ptr_from_user_ptr(const void *ptr)
+{
+ uintptr_t unprotected_ptr_u;
+ unsigned char *canary_ptr;
+ size_t page_mask;
+
+ canary_ptr = ((unsigned char *) ptr) - sizeof canary;
+ page_mask = page_size - 1U;
+ unprotected_ptr_u = ((uintptr_t) canary_ptr & (uintptr_t) ~page_mask);
+ if (unprotected_ptr_u <= page_size * 2U) {
+ abort(); /* LCOV_EXCL_LINE */
+ }
+ return (unsigned char *) unprotected_ptr_u;
+}
+
+static __attribute__((malloc)) void *
+_sodium_malloc(const size_t size)
+{
+ void *user_ptr;
+ unsigned char *base_ptr;
+ unsigned char *canary_ptr;
+ unsigned char *unprotected_ptr;
+ size_t page_mask;
+ size_t size_with_canary;
+ size_t total_size;
+ size_t unprotected_size;
+
+ if (size >= SIZE_MAX - page_size * 4U) {
+ errno = ENOMEM;
+ return NULL;
+ }
+ if (page_size <= sizeof canary || page_size < sizeof unprotected_size) {
+ abort(); /* LCOV_EXCL_LINE */
+ }
+ size_with_canary = (sizeof canary) + size;
+ unprotected_size = _page_round(size_with_canary);
+ total_size = page_size + page_size + unprotected_size + page_size;
+ if ((base_ptr = _alloc_aligned(total_size)) == NULL) {
+ return NULL; /* LCOV_EXCL_LINE */
+ }
+ unprotected_ptr = base_ptr + page_size * 2U;
+ _mprotect_noaccess(base_ptr + page_size, page_size);
+#ifndef HAVE_PAGE_PROTECTION
+ memcpy(unprotected_ptr + unprotected_size, canary, sizeof canary);
+#endif
+ _mprotect_noaccess(unprotected_ptr + unprotected_size, page_size);
+ sodium_mlock(unprotected_ptr, unprotected_size);
+ page_mask = page_size - 1U;
+ canary_ptr = unprotected_ptr + _page_round(size_with_canary) -
+ size_with_canary;
+ user_ptr = canary_ptr + sizeof canary;
+ memcpy(canary_ptr, canary, sizeof canary);
+ memcpy(base_ptr, &unprotected_size, sizeof unprotected_size);
+ _mprotect_readonly(base_ptr, page_size);
+ assert(_unprotected_ptr_from_user_ptr(user_ptr) == unprotected_ptr);
+
+ return user_ptr;
+}
+
+__attribute__((malloc)) void *
+sodium_malloc(const size_t size)
+{
+ void *ptr;
+
+ if ((ptr = _sodium_malloc(size)) == NULL) {
+ return NULL; /* LCOV_EXCL_LINE */
+ }
+ memset(ptr, (int) GARBAGE_VALUE, size);
+
+ return ptr;
+}
+
+__attribute__((malloc)) void *
+sodium_allocarray(size_t count, size_t size)
+{
+ size_t total_size;
+
+ if (size >= SIZE_MAX / count) {
+ errno = ENOMEM;
+ return NULL;
+ }
+ total_size = count * size;
+
+ return sodium_malloc(total_size);
+}
+
+void
+sodium_free(void *ptr)
+{
+ unsigned char *base_ptr;
+ unsigned char *canary_ptr;
+ unsigned char *unprotected_ptr;
+ size_t total_size;
+ size_t unprotected_size;
+
+ if (ptr == NULL) {
+ return;
+ }
+ canary_ptr = ((unsigned char *) ptr) - sizeof canary;
+ if (sodium_memcmp(canary_ptr, canary, sizeof canary) != 0) {
+ _out_of_bounds();
+ }
+ unprotected_ptr = _unprotected_ptr_from_user_ptr(ptr);
+ base_ptr = unprotected_ptr - page_size * 2U;
+ memcpy(&unprotected_size, base_ptr, sizeof unprotected_size);
+ total_size = page_size + page_size + unprotected_size + page_size;
+ _mprotect_readwrite(base_ptr, total_size);
+#ifndef HAVE_PAGE_PROTECTION
+ if (sodium_memcmp(unprotected_ptr + unprotected_size,
+ canary, sizeof canary) != 0) {
+ _out_of_bounds();
+ }
+#endif
+ sodium_munlock(unprotected_ptr, unprotected_size);
+ _free_aligned(base_ptr, total_size);
+}
+
+static int
+_sodium_mprotect(void *ptr, int (*cb)(void *ptr, size_t size))
+{
+ unsigned char *base_ptr;
+ unsigned char *unprotected_ptr;
+ size_t unprotected_size;
+
+ unprotected_ptr = _unprotected_ptr_from_user_ptr(ptr);
+ base_ptr = unprotected_ptr - page_size * 2U;
+ memcpy(&unprotected_size, base_ptr, sizeof unprotected_size);
+
+ return cb(unprotected_ptr, unprotected_size);
+}
+
+int
+sodium_mprotect_noaccess(void *ptr)
+{
+ return _sodium_mprotect(ptr, _mprotect_noaccess);
+}
+
+int
+sodium_mprotect_readonly(void *ptr)
+{
+ return _sodium_mprotect(ptr, _mprotect_readonly);
+}
+
+int
+sodium_mprotect_readwrite(void *ptr)
+{
+ return _sodium_mprotect(ptr, _mprotect_readwrite);
+}
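Review bot: `sodium_allocarray` divides by `count` in its overflow check, so `sodium_allocarray(0, n)` is a division by zero; guarding the test as `if (count > (size_t) 0U && size >= SIZE_MAX / count) {` lets a zero count fall through to `sodium_malloc(0)`. In `sodium_free`, the canary in front of the user region is compared before `_mprotect_readwrite` is called, so freeing a buffer left inaccessible by `sodium_mprotect_noaccess` faults on that read instead of releasing the memory. Computing `base_ptr` and `total_size` first and restoring read-write access before the `sodium_memcmp` avoids that. `_sodium_malloc` also ignores the results of `_mprotect_noaccess`, `_mprotect_readonly` and `sodium_mlock`. That looks like deliberate best effort, but it deserves a comment saying so, since callers cannot tell whether the guard pages are actually in place.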