From d9d29efd6a7d0c3ec9c708ef2ae5d76bb6fb6ef3 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Tue, 8 Apr 2014 14:11:30 -0700 Subject: [PATCH 01/40] +crypto_verify64 --- libsodium.vcxproj | 3 + libsodium.vcxproj.filters | 11 ++- src/libsodium/Makefile.am | 3 + src/libsodium/crypto_verify/64/ref/api.h | 2 + .../crypto_verify/64/ref/verify_64.c | 72 +++++++++++++++++++ .../crypto_verify/64/verify_64_api.c | 6 ++ src/libsodium/include/Makefile.am | 1 + .../include/sodium/crypto_verify_64.h | 59 +++++++++++++++ 8 files changed, 156 insertions(+), 1 deletion(-) create mode 100644 src/libsodium/crypto_verify/64/ref/api.h create mode 100644 src/libsodium/crypto_verify/64/ref/verify_64.c create mode 100644 src/libsodium/crypto_verify/64/verify_64_api.c create mode 100644 src/libsodium/include/sodium/crypto_verify_64.h diff --git a/libsodium.vcxproj b/libsodium.vcxproj index 520e6dec..2e5ce2e3 100644 --- a/libsodium.vcxproj +++ b/libsodium.vcxproj @@ -359,6 +359,7 @@ + @@ -494,6 +495,8 @@ + + diff --git a/libsodium.vcxproj.filters b/libsodium.vcxproj.filters index dd597287..df34098d 100644 --- a/libsodium.vcxproj.filters +++ b/libsodium.vcxproj.filters @@ -147,6 +147,9 @@ Header Files + + Header Files + Header Files @@ -544,6 +547,12 @@ Source Files + + Source Files + + + Source Files + Source Files @@ -566,4 +575,4 @@ Source Files - \ No newline at end of file + diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am index a0ec32a1..04c4040c 100644 --- a/src/libsodium/Makefile.am +++ b/src/libsodium/Makefile.am @@ -180,6 +180,9 @@ libsodium_la_SOURCES = \ crypto_verify/32/verify_32_api.c \ crypto_verify/32/ref/api.h \ crypto_verify/32/ref/verify_32.c \ + crypto_verify/64/verify_64_api.c \ + crypto_verify/64/ref/api.h \ + crypto_verify/64/ref/verify_64.c \ randombytes/randombytes.c \ randombytes/salsa20/randombytes_salsa20_random.c \ randombytes/sysrandom/randombytes_sysrandom.c \ diff --git a/src/libsodium/crypto_verify/64/ref/api.h b/src/libsodium/crypto_verify/64/ref/api.h new file mode 100644 index 00000000..1ffd2f82 --- /dev/null +++ b/src/libsodium/crypto_verify/64/ref/api.h @@ -0,0 +1,2 @@ + +#include "crypto_verify_64.h" diff --git a/src/libsodium/crypto_verify/64/ref/verify_64.c b/src/libsodium/crypto_verify/64/ref/verify_64.c new file mode 100644 index 00000000..730f598b --- /dev/null +++ b/src/libsodium/crypto_verify/64/ref/verify_64.c @@ -0,0 +1,72 @@ +#include "api.h" + +int crypto_verify_64(const unsigned char *x,const unsigned char *y) +{ + unsigned int differentbits = 0; +#define F(i) differentbits |= x[i] ^ y[i]; + F(0) + F(1) + F(2) + F(3) + F(4) + F(5) + F(6) + F(7) + F(8) + F(9) + F(10) + F(11) + F(12) + F(13) + F(14) + F(15) + F(16) + F(17) + F(18) + F(19) + F(20) + F(21) + F(22) + F(23) + F(24) + F(25) + F(26) + F(27) + F(28) + F(29) + F(30) + F(31) + F(32) + F(33) + F(34) + F(35) + F(36) + F(37) + F(38) + F(39) + F(40) + F(41) + F(42) + F(43) + F(44) + F(45) + F(46) + F(47) + F(48) + F(49) + F(50) + F(51) + F(52) + F(53) + F(54) + F(55) + F(56) + F(57) + F(58) + F(59) + F(60) + F(61) + F(62) + F(63) + return (1 & ((differentbits - 1) >> 8)) - 1; +} diff --git a/src/libsodium/crypto_verify/64/verify_64_api.c b/src/libsodium/crypto_verify/64/verify_64_api.c new file mode 100644 index 00000000..ec3e4d49 --- /dev/null +++ b/src/libsodium/crypto_verify/64/verify_64_api.c @@ -0,0 +1,6 @@ +#include "crypto_verify_64.h" + +size_t +crypto_verify_64_bytes(void) { + return crypto_verify_64_BYTES; +} diff --git a/src/libsodium/include/Makefile.am b/src/libsodium/include/Makefile.am index c014141c..23fbe4d9 100644 --- a/src/libsodium/include/Makefile.am +++ b/src/libsodium/include/Makefile.am @@ -46,6 +46,7 @@ SODIUM_EXPORT = \ sodium/crypto_uint8.h \ sodium/crypto_verify_16.h \ sodium/crypto_verify_32.h \ + sodium/crypto_verify_64.h \ sodium/export.h \ sodium/randombytes.h \ sodium/randombytes_salsa20_random.h \ diff --git a/src/libsodium/include/sodium/crypto_verify_64.h b/src/libsodium/include/sodium/crypto_verify_64.h new file mode 100644 index 00000000..fcb44e68 --- /dev/null +++ b/src/libsodium/include/sodium/crypto_verify_64.h @@ -0,0 +1,59 @@ +#ifndef crypto_verify_64_H +#define crypto_verify_64_H + +#include +#include "export.h" + +/** \addtogroup strcmp + * + * @{ + */ + +#define crypto_verify_64_BYTES 64U + +#ifdef __cplusplus +extern "C" { +#endif + + /// @TODO +SODIUM_EXPORT +size_t crypto_verify_64_bytes(void); + +/** + * Compares the first crypto_verify_64_BYTES of the given strings. + * + * @param[in] string1 a string + * @param[in] string2 another string + * + * @return 0 if string1 and string2 are equal, otherwise -1. + * + * @pre string1 must be minimum of crypto_verify_64_BYTES long. + * @pre string2 must be minimum of crypto_verify_64_BYTES long. + * + * @note The time taken by the function is independent of the contents + * of string1 and string2. In contrast, the standard C comparison + * function memcmp(string1,string2,64) takes time that is dependent on + * the longest matching prefix of string1 and string2. This often + * allows for easy timing attacks. + * + * Example invocation: + * + *~~~~~{.c} + * const unsigned char x[64]; + * const unsigned char y[64]; + * + * crypto_verify_64(x,y); + *~~~~~ + */ +SODIUM_EXPORT +int crypto_verify_64(const unsigned char *x, const unsigned char *y); + +#define crypto_verify_64_ref crypto_verify_64 ///< @TODO + + + /// @} +#ifdef __cplusplus +} +#endif + +#endif From 8dafe380c68f841907db0553a58487f8e71af408 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Tue, 8 Apr 2014 14:15:09 -0700 Subject: [PATCH 02/40] De-doxygenize crypto_verify_64.h in this branch. --- .../include/sodium/crypto_verify_64.h | 36 +------------------ 1 file changed, 1 insertion(+), 35 deletions(-) diff --git a/src/libsodium/include/sodium/crypto_verify_64.h b/src/libsodium/include/sodium/crypto_verify_64.h index fcb44e68..4835826e 100644 --- a/src/libsodium/include/sodium/crypto_verify_64.h +++ b/src/libsodium/include/sodium/crypto_verify_64.h @@ -4,54 +4,20 @@ #include #include "export.h" -/** \addtogroup strcmp - * - * @{ - */ - #define crypto_verify_64_BYTES 64U #ifdef __cplusplus extern "C" { #endif - /// @TODO SODIUM_EXPORT size_t crypto_verify_64_bytes(void); -/** - * Compares the first crypto_verify_64_BYTES of the given strings. - * - * @param[in] string1 a string - * @param[in] string2 another string - * - * @return 0 if string1 and string2 are equal, otherwise -1. - * - * @pre string1 must be minimum of crypto_verify_64_BYTES long. - * @pre string2 must be minimum of crypto_verify_64_BYTES long. - * - * @note The time taken by the function is independent of the contents - * of string1 and string2. In contrast, the standard C comparison - * function memcmp(string1,string2,64) takes time that is dependent on - * the longest matching prefix of string1 and string2. This often - * allows for easy timing attacks. - * - * Example invocation: - * - *~~~~~{.c} - * const unsigned char x[64]; - * const unsigned char y[64]; - * - * crypto_verify_64(x,y); - *~~~~~ - */ SODIUM_EXPORT int crypto_verify_64(const unsigned char *x, const unsigned char *y); -#define crypto_verify_64_ref crypto_verify_64 ///< @TODO +#define crypto_verify_64_ref crypto_verify_64 - - /// @} #ifdef __cplusplus } #endif From c7eecc28ba8008d59d0da182465ac985d331ae7d Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Tue, 8 Apr 2014 14:19:41 -0700 Subject: [PATCH 03/40] Include crypto_verify_64.h in sodium.h --- src/libsodium/include/sodium.h | 1 + 1 file changed, 1 insertion(+) diff --git a/src/libsodium/include/sodium.h b/src/libsodium/include/sodium.h index ac37b16a..d5191748 100644 --- a/src/libsodium/include/sodium.h +++ b/src/libsodium/include/sodium.h @@ -39,6 +39,7 @@ #include #include #include +#include #include #include #include From 3f4a8f285d5d7041d595d5e38f2efe3f2c8e617c Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Tue, 8 Apr 2014 14:36:09 -0700 Subject: [PATCH 04/40] Add a test for crypto_verify_*() --- .gitignore | 1 + test/default/Makefile.am | 12 +++++++++--- test/default/verify1.c | 34 ++++++++++++++++++++++++++++++++++ test/default/verify1.exp | 6 ++++++ 4 files changed, 50 insertions(+), 3 deletions(-) create mode 100644 test/default/verify1.c create mode 100644 test/default/verify1.exp diff --git a/.gitignore b/.gitignore index 15e1f017..62849605 100644 --- a/.gitignore +++ b/.gitignore @@ -99,6 +99,7 @@ test/default/stream3 test/default/stream4 test/default/stream5 test/default/stream6 +test/default/verify1 test-driver testing android-toolchain-* diff --git a/test/default/Makefile.am b/test/default/Makefile.am index f637cec0..36b04329 100644 --- a/test/default/Makefile.am +++ b/test/default/Makefile.am @@ -48,7 +48,8 @@ EXTRA_DIST = \ stream3.exp \ stream4.exp \ stream5.exp \ - stream6.exp + stream6.exp \ + verify1.exp DISTCLEANFILES = \ auth.res \ @@ -97,7 +98,8 @@ DISTCLEANFILES = \ stream3.res \ stream4.res \ stream5.res \ - stream6.res + stream6.res \ + verify1.res AM_CPPFLAGS = \ -DTEST_SRCDIR=\"@srcdir@\" \ @@ -154,7 +156,8 @@ TESTS_TARGETS = \ stream3 \ stream4 \ stream5 \ - stream6 + stream6 \ + verify1 check_PROGRAMS = $(TESTS_TARGETS) @@ -304,4 +307,7 @@ stream5_LDADD = $(TESTS_LDADD) stream6_SOURCE = cmptest.h stream6.c stream6_LDADD = $(TESTS_LDADD) +verify1_SOURCE = cmptest.h verify1.c +verify1_LDADD = $(TESTS_LDADD) + verify: check diff --git a/test/default/verify1.c b/test/default/verify1.c new file mode 100644 index 00000000..def6421c --- /dev/null +++ b/test/default/verify1.c @@ -0,0 +1,34 @@ +#include +#include + +#define TEST_NAME "verify1" +#include "cmptest.h" + +unsigned char v16[16], v16x[16]; +unsigned char v32[32], v32x[32]; +unsigned char v64[64], v64x[64]; + +int main(void) +{ + randombytes_buf(v16, sizeof v16); + randombytes_buf(v32, sizeof v32); + randombytes_buf(v64, sizeof v64); + + memcpy(v16x, v16, sizeof v16); + memcpy(v32x, v32, sizeof v32); + memcpy(v64x, v64, sizeof v64); + + printf("%d\n", crypto_verify_16(v16, v16x)); + printf("%d\n", crypto_verify_32(v32, v32x)); + printf("%d\n", crypto_verify_64(v64, v64x)); + + v16x[randombytes_random() & 15U]++; + v32x[randombytes_random() & 31U]++; + v64x[randombytes_random() & 63U]++; + + printf("%d\n", crypto_verify_16(v16, v16x)); + printf("%d\n", crypto_verify_32(v32, v32x)); + printf("%d\n", crypto_verify_64(v64, v64x)); + + return 0; +} diff --git a/test/default/verify1.exp b/test/default/verify1.exp new file mode 100644 index 00000000..2b845004 --- /dev/null +++ b/test/default/verify1.exp @@ -0,0 +1,6 @@ +0 +0 +0 +-1 +-1 +-1 From fcf228e2e7a2a57c9ae5eabbfde5a88ca62e0c71 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Wed, 9 Apr 2014 18:45:59 -0700 Subject: [PATCH 05/40] Add explicit uint8_t casts for Blake2's key length. via @evoskuil --- .../crypto_generichash/blake2/ref/generichash_blake2b.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/libsodium/crypto_generichash/blake2/ref/generichash_blake2b.c b/src/libsodium/crypto_generichash/blake2/ref/generichash_blake2b.c index da4a170c..6a637eca 100644 --- a/src/libsodium/crypto_generichash/blake2/ref/generichash_blake2b.c +++ b/src/libsodium/crypto_generichash/blake2/ref/generichash_blake2b.c @@ -56,7 +56,8 @@ crypto_generichash_blake2b_init(crypto_generichash_blake2b_state *state, if (blake2b_init(state, (uint8_t) outlen) != 0) { return -1; } - } else if (blake2b_init_key(state, (uint8_t) outlen, key, keylen) != 0) { + } else if (blake2b_init_key(state, (uint8_t) outlen, key, + (uint8_t) keylen) != 0) { return -1; } return 0; @@ -81,7 +82,8 @@ crypto_generichash_blake2b_init_salt_personal(crypto_generichash_blake2b_state * return -1; } } else if (blake2b_init_key_salt_personal(state, - (uint8_t) outlen, key, keylen, + (uint8_t) outlen, key, + (uint8_t) keylen, salt, personal) != 0) { return -1; } From b35929d3b1aa970e1fe5a89a7f40259a081cc9f8 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Wed, 9 Apr 2014 19:03:15 -0700 Subject: [PATCH 06/40] Do not remove previously generated files from the distribution. --- src/libsodium/include/Makefile.am | 2 -- 1 file changed, 2 deletions(-) diff --git a/src/libsodium/include/Makefile.am b/src/libsodium/include/Makefile.am index 23fbe4d9..63dbac13 100644 --- a/src/libsodium/include/Makefile.am +++ b/src/libsodium/include/Makefile.am @@ -59,6 +59,4 @@ EXTRA_SRC = $(SODIUM_EXPORT) \ nobase_include_HEADERS = $(SODIUM_EXPORT) nobase_nodist_include_HEADERS = \ - sodium/crypto_scalarmult_curve25519.h \ - sodium/crypto_stream_salsa20.h \ sodium/version.h From 8fc8d2f380ee8a99bf46a35e753b5efc0a69e80a Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Wed, 9 Apr 2014 19:07:41 -0700 Subject: [PATCH 07/40] A DWORD is the maximum CryptGenRandom() can support. --- src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c b/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c index 304f4878..d0e25209 100644 --- a/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c +++ b/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c @@ -169,7 +169,10 @@ randombytes_sysrandom_buf(void * const buf, const size_t size) abort(); } #else - if (! CryptGenRandom(stream.hcrypt_prov, size, (BYTE *) buf)) { + if (size > 0xffffffff) { + abort(); + } + if (! CryptGenRandom(stream.hcrypt_prov, (DWORD) size, (BYTE *) buf)) { abort(); } #endif From a06b00ecf44aa63bb67e48253aa997375742d6ae Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Wed, 1 Jan 2014 15:56:50 +0100 Subject: [PATCH 08/40] Initial import of scrypt --- AUTHORS | 5 + configure.ac | 2 + src/libsodium/Makefile.am | 8 + .../crypto_scrypt-common.c | 254 +++++++++++ .../scryptxsalsa208sha256/crypto_scrypt.h | 91 ++++ .../nosse/pwhash_scryptxsalsa208sha256.c | 298 +++++++++++++ .../scryptxsalsa208sha256/scrypt_platform.c | 94 ++++ .../scryptxsalsa208sha256/sha256.c | 411 ++++++++++++++++++ .../scryptxsalsa208sha256/sha256.h | 62 +++ .../sse/pwhash_scryptxsalsa208sha256.c | 381 ++++++++++++++++ .../scryptxsalsa208sha256/sysendian.h | 146 +++++++ 11 files changed, 1752 insertions(+) create mode 100644 src/libsodium/crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt-common.c create mode 100644 src/libsodium/crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt.h create mode 100644 src/libsodium/crypto_pwhash/scryptxsalsa208sha256/nosse/pwhash_scryptxsalsa208sha256.c create mode 100644 src/libsodium/crypto_pwhash/scryptxsalsa208sha256/scrypt_platform.c create mode 100644 src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.c create mode 100644 src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.h create mode 100644 src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sse/pwhash_scryptxsalsa208sha256.c create mode 100644 src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sysendian.h diff --git a/AUTHORS b/AUTHORS index 4f369486..6e7d624a 100644 --- a/AUTHORS +++ b/AUTHORS @@ -99,3 +99,8 @@ Christian Winnerlein crypto_onetimeauth/poly1305/donna --------------------------------- Andrew "floodyberry" M. + +crypto_pwhash/scryptxsalsa208sha256 +-------------------------------- +Colin Percival +Alexander Peslyak diff --git a/configure.ac b/configure.ac index 809516a9..69fed451 100644 --- a/configure.ac +++ b/configure.ac @@ -269,6 +269,8 @@ AC_CHECK_HEADERS([wmmintrin.h], [], [], [ #pragma GCC target("aes") ]) +AC_CHECK_HEADERS([sys/mman.h]) + AC_MSG_CHECKING(for access to floating-point rounding mode) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ #include diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am index 04c4040c..d81fccae 100644 --- a/src/libsodium/Makefile.am +++ b/src/libsodium/Makefile.am @@ -62,6 +62,14 @@ libsodium_la_SOURCES = \ crypto_onetimeauth/poly1305/donna/portable-jane.h \ crypto_onetimeauth/poly1305/donna/auth_poly1305_donna.c \ crypto_onetimeauth/poly1305/donna/verify_poly1305_donna.c \ + crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt-common.c \ + crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt.h \ + crypto_pwhash/scryptxsalsa208sha256/scrypt_platform.c \ + crypto_pwhash/scryptxsalsa208sha256/sha256.c \ + crypto_pwhash/scryptxsalsa208sha256/sha256.h \ + crypto_pwhash/scryptxsalsa208sha256/sysendian.h \ + crypto_pwhash/scryptxsalsa208sha256/nosse/pwhash_scryptxsalsa208sha256.c \ + crypto_pwhash/scryptxsalsa208sha256/sse/pwhash_scryptxsalsa208sha256.c \ crypto_scalarmult/crypto_scalarmult.c \ crypto_scalarmult/curve25519/scalarmult_curve25519_api.c \ crypto_secretbox/crypto_secretbox.c \ diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt-common.c b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt-common.c new file mode 100644 index 00000000..c03d1214 --- /dev/null +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt-common.c @@ -0,0 +1,254 @@ +/*- + * Copyright 2013 Alexander Peslyak + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include +#include + +#include "crypto_scrypt.h" + +#define escrypt_kdf escrypt_kdf_nosse + +#define BYTES2CHARS(bytes) \ + ((((bytes) * 8) + 5) / 6) + +#define HASH_SIZE 32 /* bytes */ +#define HASH_LEN BYTES2CHARS(HASH_SIZE) /* base-64 chars */ + +static const char * const itoa64 = + "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; + +static uint8_t * encode64_uint32(uint8_t * dst, size_t dstlen, + uint32_t src, uint32_t srcbits) +{ + uint32_t bit; + + for (bit = 0; bit < srcbits; bit += 6) { + if (dstlen < 1) + return NULL; + *dst++ = itoa64[src & 0x3f]; + dstlen--; + src >>= 6; + } + + return dst; +} + +static uint8_t * encode64(uint8_t * dst, size_t dstlen, + const uint8_t * src, size_t srclen) +{ + size_t i; + + for (i = 0; i < srclen; ) { + uint8_t * dnext; + uint32_t value = 0, bits = 0; + do { + value |= (uint32_t)src[i++] << bits; + bits += 8; + } while (bits < 24 && i < srclen); + dnext = encode64_uint32(dst, dstlen, value, bits); + if (!dnext) + return NULL; + dstlen -= dnext - dst; + dst = dnext; + } + + return dst; +} + +static int decode64_one(uint32_t * dst, uint8_t src) +{ + const char * ptr = strchr(itoa64, src); + if (ptr) { + *dst = ptr - itoa64; + return 0; + } + *dst = 0; + return -1; +} + +static const uint8_t * decode64_uint32(uint32_t * dst, uint32_t dstbits, + const uint8_t * src) +{ + uint32_t bit; + uint32_t value; + + value = 0; + for (bit = 0; bit < dstbits; bit += 6) { + uint32_t one; + if (decode64_one(&one, *src)) { + *dst = 0; + return NULL; + } + src++; + value |= one << bit; + } + + *dst = value; + return src; +} + +uint8_t * +escrypt_r(escrypt_local_t * local, + const uint8_t * passwd, size_t passwdlen, + const uint8_t * setting, + uint8_t * buf, size_t buflen) +{ + uint8_t hash[HASH_SIZE]; + const uint8_t * src, * salt; + uint8_t * dst; + size_t prefixlen, saltlen, need; + uint64_t N; + uint32_t r, p; + + if (setting[0] != '$' || setting[1] != '7' || setting[2] != '$') + return NULL; + src = setting + 3; + + { + uint32_t N_log2; + if (decode64_one(&N_log2, *src)) + return NULL; + src++; + N = (uint64_t)1 << N_log2; + } + + src = decode64_uint32(&r, 30, src); + if (!src) + return NULL; + + src = decode64_uint32(&p, 30, src); + if (!src) + return NULL; + + prefixlen = src - setting; + + salt = src; + src = (uint8_t *)strrchr((char *)salt, '$'); + if (src) + saltlen = src - salt; + else + saltlen = strlen((char *)salt); + + need = prefixlen + saltlen + 1 + HASH_LEN + 1; + if (need > buflen || need < saltlen) + return NULL; + + if (escrypt_kdf(local, passwd, passwdlen, salt, saltlen, + N, r, p, hash, sizeof(hash))) + return NULL; + + dst = buf; + memcpy(dst, setting, prefixlen + saltlen); + dst += prefixlen + saltlen; + *dst++ = '$'; + + dst = encode64(dst, buflen - (dst - buf), hash, sizeof(hash)); + /* Could zeroize hash[] here, but escrypt_kdf() doesn't zeroize its + * memory allocations yet anyway. */ + if (!dst || dst >= buf + buflen) /* Can't happen */ + return NULL; + + *dst = 0; /* NUL termination */ + + return buf; +} + +uint8_t * +escrypt(const uint8_t * passwd, const uint8_t * setting) +{ + static uint8_t buf[4 + 1 + 5 + 5 + BYTES2CHARS(32) + 1 + HASH_LEN + 1]; + escrypt_local_t local; + uint8_t * retval; + + if (escrypt_init_local(&local)) + return NULL; + retval = escrypt_r(&local, + passwd, strlen((char *)passwd), setting, buf, sizeof(buf)); + if (escrypt_free_local(&local)) + return NULL; + return retval; +} + +uint8_t * +escrypt_gensalt_r(uint32_t N_log2, uint32_t r, uint32_t p, + const uint8_t * src, size_t srclen, + uint8_t * buf, size_t buflen) +{ + uint8_t * dst; + size_t prefixlen = 3 + 1 + 5 + 5; + size_t saltlen = BYTES2CHARS(srclen); + size_t need; + + need = prefixlen + saltlen + 1; + if (need > buflen || need < saltlen || saltlen < srclen) + return NULL; + + if (N_log2 > 63 || ((uint64_t)r * (uint64_t)p >= (1U << 30))) + return NULL; + + dst = buf; + *dst++ = '$'; + *dst++ = '7'; + *dst++ = '$'; + + *dst++ = itoa64[N_log2]; + + dst = encode64_uint32(dst, buflen - (dst - buf), r, 30); + if (!dst) /* Can't happen */ + return NULL; + + dst = encode64_uint32(dst, buflen - (dst - buf), p, 30); + if (!dst) /* Can't happen */ + return NULL; + + dst = encode64(dst, buflen - (dst - buf), src, srclen); + if (!dst || dst >= buf + buflen) /* Can't happen */ + return NULL; + + *dst = 0; /* NUL termination */ + + return buf; +} + +uint8_t * +escrypt_gensalt(uint32_t N_log2, uint32_t r, uint32_t p, + const uint8_t * src, size_t srclen) +{ + static uint8_t buf[4 + 1 + 5 + 5 + BYTES2CHARS(32) + 1]; + return escrypt_gensalt_r(N_log2, r, p, src, srclen, + buf, sizeof(buf)); +} + +int +crypto_scrypt(const uint8_t * passwd, size_t passwdlen, + const uint8_t * salt, size_t saltlen, uint64_t N, uint32_t r, uint32_t p, + uint8_t * buf, size_t buflen) +{ + escrypt_local_t local; + int retval; + + if (escrypt_init_local(&local)) + return -1; + retval = escrypt_kdf(&local, + passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen); + if (escrypt_free_local(&local)) + return -1; + return retval; +} diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt.h b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt.h new file mode 100644 index 00000000..cd9e53ea --- /dev/null +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt.h @@ -0,0 +1,91 @@ +/*- + * Copyright 2009 Colin Percival + * Copyright 2013 Alexander Peslyak + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * This file was originally written by Colin Percival as part of the Tarsnap + * online backup system. + */ +#ifndef _CRYPTO_SCRYPT_H_ +#define _CRYPTO_SCRYPT_H_ + +#include + +/** + * crypto_scrypt(passwd, passwdlen, salt, saltlen, N, r, p, buf, buflen): + * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r, + * p, buflen) and write the result into buf. The parameters r, p, and buflen + * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32. The parameter N + * must be a power of 2 greater than 1. + * + * Return 0 on success; or -1 on error. + */ +extern int crypto_scrypt(const uint8_t * __passwd, size_t __passwdlen, + const uint8_t * __salt, size_t __saltlen, + uint64_t __N, uint32_t __r, uint32_t __p, + uint8_t * __buf, size_t __buflen); + +typedef struct { + void * base, * aligned; + size_t size; +} escrypt_region_t; + +typedef escrypt_region_t escrypt_local_t; + +extern int escrypt_init_local(escrypt_local_t * __local); + +extern int escrypt_free_local(escrypt_local_t * __local); + +extern void *alloc_region(escrypt_region_t * region, size_t size); +extern int free_region(escrypt_region_t * region); + +extern int escrypt_kdf_nosse(escrypt_local_t * __local, + const uint8_t * __passwd, size_t __passwdlen, + const uint8_t * __salt, size_t __saltlen, + uint64_t __N, uint32_t __r, uint32_t __p, + uint8_t * __buf, size_t __buflen); + +extern int escrypt_kdf_sse(escrypt_local_t * __local, + const uint8_t * __passwd, size_t __passwdlen, + const uint8_t * __salt, size_t __saltlen, + uint64_t __N, uint32_t __r, uint32_t __p, + uint8_t * __buf, size_t __buflen); + +extern uint8_t * escrypt_r(escrypt_local_t * __local, + const uint8_t * __passwd, size_t __passwdlen, + const uint8_t * __setting, + uint8_t * __buf, size_t __buflen); + +extern uint8_t * escrypt(const uint8_t * __passwd, const uint8_t * __setting); + +extern uint8_t * escrypt_gensalt_r( + uint32_t __N_log2, uint32_t __r, uint32_t __p, + const uint8_t * __src, size_t __srclen, + uint8_t * __buf, size_t __buflen); + +extern uint8_t * escrypt_gensalt( + uint32_t __N_log2, uint32_t __r, uint32_t __p, + const uint8_t * __src, size_t __srclen); + +#endif /* !_CRYPTO_SCRYPT_H_ */ diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/nosse/pwhash_scryptxsalsa208sha256.c b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/nosse/pwhash_scryptxsalsa208sha256.c new file mode 100644 index 00000000..c57cc58a --- /dev/null +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/nosse/pwhash_scryptxsalsa208sha256.c @@ -0,0 +1,298 @@ +/*- + * Copyright 2009 Colin Percival + * Copyright 2013 Alexander Peslyak + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * This file was originally written by Colin Percival as part of the Tarsnap + * online backup system. + */ + +#include +#include +#include +#include + +#include "../sha256.h" +#include "../sysendian.h" +#include "../crypto_scrypt.h" + +static inline void +blkcpy(void * dest, const void * src, size_t len) +{ + size_t * D = (size_t *) dest; + const size_t * S = (const size_t *) src; + size_t L = len / sizeof(size_t); + size_t i; + + for (i = 0; i < L; i++) + D[i] = S[i]; +} + +static inline void +blkxor(void * dest, const void * src, size_t len) +{ + size_t * D = (size_t *) dest; + const size_t * S = (const size_t *) src; + size_t L = len / sizeof(size_t); + size_t i; + + for (i = 0; i < L; i++) + D[i] ^= S[i]; +} + +/** + * salsa20_8(B): + * Apply the salsa20/8 core to the provided block. + */ +static void +salsa20_8(uint32_t B[16]) +{ + uint32_t x[16]; + size_t i; + + blkcpy(x, B, 64); + for (i = 0; i < 8; i += 2) { +#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) + /* Operate on columns. */ + x[ 4] ^= R(x[ 0]+x[12], 7); x[ 8] ^= R(x[ 4]+x[ 0], 9); + x[12] ^= R(x[ 8]+x[ 4],13); x[ 0] ^= R(x[12]+x[ 8],18); + + x[ 9] ^= R(x[ 5]+x[ 1], 7); x[13] ^= R(x[ 9]+x[ 5], 9); + x[ 1] ^= R(x[13]+x[ 9],13); x[ 5] ^= R(x[ 1]+x[13],18); + + x[14] ^= R(x[10]+x[ 6], 7); x[ 2] ^= R(x[14]+x[10], 9); + x[ 6] ^= R(x[ 2]+x[14],13); x[10] ^= R(x[ 6]+x[ 2],18); + + x[ 3] ^= R(x[15]+x[11], 7); x[ 7] ^= R(x[ 3]+x[15], 9); + x[11] ^= R(x[ 7]+x[ 3],13); x[15] ^= R(x[11]+x[ 7],18); + + /* Operate on rows. */ + x[ 1] ^= R(x[ 0]+x[ 3], 7); x[ 2] ^= R(x[ 1]+x[ 0], 9); + x[ 3] ^= R(x[ 2]+x[ 1],13); x[ 0] ^= R(x[ 3]+x[ 2],18); + + x[ 6] ^= R(x[ 5]+x[ 4], 7); x[ 7] ^= R(x[ 6]+x[ 5], 9); + x[ 4] ^= R(x[ 7]+x[ 6],13); x[ 5] ^= R(x[ 4]+x[ 7],18); + + x[11] ^= R(x[10]+x[ 9], 7); x[ 8] ^= R(x[11]+x[10], 9); + x[ 9] ^= R(x[ 8]+x[11],13); x[10] ^= R(x[ 9]+x[ 8],18); + + x[12] ^= R(x[15]+x[14], 7); x[13] ^= R(x[12]+x[15], 9); + x[14] ^= R(x[13]+x[12],13); x[15] ^= R(x[14]+x[13],18); +#undef R + } + for (i = 0; i < 16; i++) + B[i] += x[i]; +} + +/** + * blockmix_salsa8(Bin, Bout, X, r): + * Compute Bout = BlockMix_{salsa20/8, r}(Bin). The input Bin must be 128r + * bytes in length; the output Bout must also be the same size. The + * temporary space X must be 64 bytes. + */ +static void +blockmix_salsa8(const uint32_t * Bin, uint32_t * Bout, uint32_t * X, size_t r) +{ + size_t i; + + /* 1: X <-- B_{2r - 1} */ + blkcpy(X, &Bin[(2 * r - 1) * 16], 64); + + /* 2: for i = 0 to 2r - 1 do */ + for (i = 0; i < 2 * r; i += 2) { + /* 3: X <-- H(X \xor B_i) */ + blkxor(X, &Bin[i * 16], 64); + salsa20_8(X); + + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + blkcpy(&Bout[i * 8], X, 64); + + /* 3: X <-- H(X \xor B_i) */ + blkxor(X, &Bin[i * 16 + 16], 64); + salsa20_8(X); + + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + blkcpy(&Bout[i * 8 + r * 16], X, 64); + } +} + +/** + * integerify(B, r): + * Return the result of parsing B_{2r-1} as a little-endian integer. + */ +static inline uint64_t +integerify(const void * B, size_t r) +{ + const uint32_t * X = (const uint32_t *)((uintptr_t)(B) + (2 * r - 1) * 64); + + return (((uint64_t)(X[1]) << 32) + X[0]); +} + +/** + * smix(B, r, N, V, XY): + * Compute B = SMix_r(B, N). The input B must be 128r bytes in length; + * the temporary storage V must be 128rN bytes in length; the temporary + * storage XY must be 256r + 64 bytes in length. The value N must be a + * power of 2 greater than 1. The arrays B, V, and XY must be aligned to a + * multiple of 64 bytes. + */ +static void +smix(uint8_t * B, size_t r, uint64_t N, uint32_t * V, uint32_t * XY) +{ + uint32_t * X = XY; + uint32_t * Y = &XY[32 * r]; + uint32_t * Z = &XY[64 * r]; + uint64_t i; + uint64_t j; + size_t k; + + /* 1: X <-- B */ + for (k = 0; k < 32 * r; k++) + X[k] = le32dec(&B[4 * k]); + + /* 2: for i = 0 to N - 1 do */ + for (i = 0; i < N; i += 2) { + /* 3: V_i <-- X */ + blkcpy(&V[i * (32 * r)], X, 128 * r); + + /* 4: X <-- H(X) */ + blockmix_salsa8(X, Y, Z, r); + + /* 3: V_i <-- X */ + blkcpy(&V[(i + 1) * (32 * r)], Y, 128 * r); + + /* 4: X <-- H(X) */ + blockmix_salsa8(Y, X, Z, r); + } + + /* 6: for i = 0 to N - 1 do */ + for (i = 0; i < N; i += 2) { + /* 7: j <-- Integerify(X) mod N */ + j = integerify(X, r) & (N - 1); + + /* 8: X <-- H(X \xor V_j) */ + blkxor(X, &V[j * (32 * r)], 128 * r); + blockmix_salsa8(X, Y, Z, r); + + /* 7: j <-- Integerify(X) mod N */ + j = integerify(Y, r) & (N - 1); + + /* 8: X <-- H(X \xor V_j) */ + blkxor(Y, &V[j * (32 * r)], 128 * r); + blockmix_salsa8(Y, X, Z, r); + } + + /* 10: B' <-- X */ + for (k = 0; k < 32 * r; k++) + le32enc(&B[4 * k], X[k]); +} + +/** + * escrypt_kdf(local, passwd, passwdlen, salt, saltlen, + * N, r, p, buf, buflen): + * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r, + * p, buflen) and write the result into buf. The parameters r, p, and buflen + * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32. The parameter N + * must be a power of 2 greater than 1. + * + * Return 0 on success; or -1 on error. + */ +int +escrypt_kdf_nosse(escrypt_local_t * local, + const uint8_t * passwd, size_t passwdlen, + const uint8_t * salt, size_t saltlen, + uint64_t N, uint32_t _r, uint32_t _p, + uint8_t * buf, size_t buflen) +{ + size_t B_size, V_size, XY_size, need; + uint8_t * B; + uint32_t * V, * XY; + size_t r = _r, p = _p; + uint32_t i; + + /* Sanity-check parameters. */ +#if SIZE_MAX > UINT32_MAX + if (buflen > (((uint64_t)(1) << 32) - 1) * 32) { + errno = EFBIG; + return -1; + } +#endif + if ((uint64_t)(r) * (uint64_t)(p) >= (1 << 30)) { + errno = EFBIG; + return -1; + } + if (((N & (N - 1)) != 0) || (N < 2)) { + errno = EINVAL; + return -1; + } + if ((r > SIZE_MAX / 128 / p) || +#if SIZE_MAX / 256 <= UINT32_MAX + (r > SIZE_MAX / 256) || +#endif + (N > SIZE_MAX / 128 / r)) { + errno = ENOMEM; + return -1; + } + + /* Allocate memory. */ + B_size = (size_t)128 * r * p; + V_size = (size_t)128 * r * N; + need = B_size + V_size; + if (need < V_size) { + errno = ENOMEM; + return -1; + } + XY_size = (size_t)256 * r; + need += XY_size; + if (need < XY_size) { + errno = ENOMEM; + return -1; + } + if (local->size < need) { + if (free_region(local)) + return -1; + if (!alloc_region(local, need)) + return -1; + } + B = (uint8_t *)local->aligned; + V = (uint32_t *)((uint8_t *)B + B_size); + XY = (uint32_t *)((uint8_t *)V + V_size); + + /* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */ + PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size); + + /* 2: for i = 0 to p - 1 do */ + for (i = 0; i < p; i++) { + /* 3: B_i <-- MF(B_i, N) */ + smix(&B[(size_t)128 * i * r], r, N, V, XY); + } + + /* 5: DK <-- PBKDF2(P, B, 1, dkLen) */ + PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen); + + /* Success! */ + return 0; +} diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/scrypt_platform.c b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/scrypt_platform.c new file mode 100644 index 00000000..8aa98397 --- /dev/null +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/scrypt_platform.c @@ -0,0 +1,94 @@ +/*- + * Copyright 2013 Alexander Peslyak + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#ifdef HAVE_SYS_MMAN_H +# include +#endif +#include + +#include "crypto_scrypt.h" + +void * +alloc_region(escrypt_region_t * region, size_t size) +{ + uint8_t * base, * aligned; +#ifdef MAP_ANON + if ((base = (uint8_t *) mmap(NULL, size, PROT_READ | PROT_WRITE, +#ifdef MAP_NOCORE + MAP_ANON | MAP_PRIVATE | MAP_NOCORE, +#else + MAP_ANON | MAP_PRIVATE, +#endif + -1, 0)) == MAP_FAILED) + base = NULL; + aligned = base; +#elif defined(HAVE_POSIX_MEMALIGN) + if ((errno = posix_memalign((void **) &base, 64, size)) != 0) + base = NULL; + aligned = base; +#else + base = aligned = NULL; + if (size + 63 < size) + errno = ENOMEM; + else if ((base = (uint8_t *) malloc(size + 63)) != NULL) { + aligned = base + 63; + aligned -= (uintptr_t)aligned & 63; + } +#endif + region->base = base; + region->aligned = aligned; + region->size = base ? size : 0; + return aligned; +} + +static inline void +init_region(escrypt_region_t * region) +{ + region->base = region->aligned = NULL; + region->size = 0; +} + +int +free_region(escrypt_region_t * region) +{ + if (region->base) { +#ifdef MAP_ANON + if (munmap(region->base, region->size)) + return -1; +#else + free(region->base); +#endif + } + init_region(region); + return 0; +} + +int +escrypt_init_local(escrypt_local_t * local) +{ + init_region(local); + return 0; +} + +int +escrypt_free_local(escrypt_local_t * local) +{ + return free_region(local); +} diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.c b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.c new file mode 100644 index 00000000..052138ae --- /dev/null +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.c @@ -0,0 +1,411 @@ +/*- + * Copyright 2005,2007,2009 Colin Percival + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include + +#include +#include + +#include "sysendian.h" + +#include "sha256.h" + +/* + * Encode a length len/4 vector of (uint32_t) into a length len vector of + * (unsigned char) in big-endian form. Assumes len is a multiple of 4. + */ +static void +be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len) +{ + size_t i; + + for (i = 0; i < len / 4; i++) + be32enc(dst + i * 4, src[i]); +} + +/* + * Decode a big-endian length len vector of (unsigned char) into a length + * len/4 vector of (uint32_t). Assumes len is a multiple of 4. + */ +static void +be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) +{ + size_t i; + + for (i = 0; i < len / 4; i++) + dst[i] = be32dec(src + i * 4); +} + +/* Elementary functions used by SHA256 */ +#define Ch(x, y, z) ((x & (y ^ z)) ^ z) +#define Maj(x, y, z) ((x & (y | z)) | (y & z)) +#define SHR(x, n) (x >> n) +#define ROTR(x, n) ((x >> n) | (x << (32 - n))) +#define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) +#define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) +#define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) +#define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) + +/* SHA256 round function */ +#define RND(a, b, c, d, e, f, g, h, k) \ + t0 = h + S1(e) + Ch(e, f, g) + k; \ + t1 = S0(a) + Maj(a, b, c); \ + d += t0; \ + h = t0 + t1; + +/* Adjusted round function for rotating state */ +#define RNDr(S, W, i, k) \ + RND(S[(64 - i) % 8], S[(65 - i) % 8], \ + S[(66 - i) % 8], S[(67 - i) % 8], \ + S[(68 - i) % 8], S[(69 - i) % 8], \ + S[(70 - i) % 8], S[(71 - i) % 8], \ + W[i] + k) + +/* + * SHA256 block compression function. The 256-bit state is transformed via + * the 512-bit input block to produce a new state. + */ +static void +SHA256_Transform(uint32_t * state, const unsigned char block[64]) +{ + uint32_t W[64]; + uint32_t S[8]; + uint32_t t0, t1; + int i; + + /* 1. Prepare message schedule W. */ + be32dec_vect(W, block, 64); + for (i = 16; i < 64; i++) + W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16]; + + /* 2. Initialize working variables. */ + memcpy(S, state, 32); + + /* 3. Mix. */ + RNDr(S, W, 0, 0x428a2f98); + RNDr(S, W, 1, 0x71374491); + RNDr(S, W, 2, 0xb5c0fbcf); + RNDr(S, W, 3, 0xe9b5dba5); + RNDr(S, W, 4, 0x3956c25b); + RNDr(S, W, 5, 0x59f111f1); + RNDr(S, W, 6, 0x923f82a4); + RNDr(S, W, 7, 0xab1c5ed5); + RNDr(S, W, 8, 0xd807aa98); + RNDr(S, W, 9, 0x12835b01); + RNDr(S, W, 10, 0x243185be); + RNDr(S, W, 11, 0x550c7dc3); + RNDr(S, W, 12, 0x72be5d74); + RNDr(S, W, 13, 0x80deb1fe); + RNDr(S, W, 14, 0x9bdc06a7); + RNDr(S, W, 15, 0xc19bf174); + RNDr(S, W, 16, 0xe49b69c1); + RNDr(S, W, 17, 0xefbe4786); + RNDr(S, W, 18, 0x0fc19dc6); + RNDr(S, W, 19, 0x240ca1cc); + RNDr(S, W, 20, 0x2de92c6f); + RNDr(S, W, 21, 0x4a7484aa); + RNDr(S, W, 22, 0x5cb0a9dc); + RNDr(S, W, 23, 0x76f988da); + RNDr(S, W, 24, 0x983e5152); + RNDr(S, W, 25, 0xa831c66d); + RNDr(S, W, 26, 0xb00327c8); + RNDr(S, W, 27, 0xbf597fc7); + RNDr(S, W, 28, 0xc6e00bf3); + RNDr(S, W, 29, 0xd5a79147); + RNDr(S, W, 30, 0x06ca6351); + RNDr(S, W, 31, 0x14292967); + RNDr(S, W, 32, 0x27b70a85); + RNDr(S, W, 33, 0x2e1b2138); + RNDr(S, W, 34, 0x4d2c6dfc); + RNDr(S, W, 35, 0x53380d13); + RNDr(S, W, 36, 0x650a7354); + RNDr(S, W, 37, 0x766a0abb); + RNDr(S, W, 38, 0x81c2c92e); + RNDr(S, W, 39, 0x92722c85); + RNDr(S, W, 40, 0xa2bfe8a1); + RNDr(S, W, 41, 0xa81a664b); + RNDr(S, W, 42, 0xc24b8b70); + RNDr(S, W, 43, 0xc76c51a3); + RNDr(S, W, 44, 0xd192e819); + RNDr(S, W, 45, 0xd6990624); + RNDr(S, W, 46, 0xf40e3585); + RNDr(S, W, 47, 0x106aa070); + RNDr(S, W, 48, 0x19a4c116); + RNDr(S, W, 49, 0x1e376c08); + RNDr(S, W, 50, 0x2748774c); + RNDr(S, W, 51, 0x34b0bcb5); + RNDr(S, W, 52, 0x391c0cb3); + RNDr(S, W, 53, 0x4ed8aa4a); + RNDr(S, W, 54, 0x5b9cca4f); + RNDr(S, W, 55, 0x682e6ff3); + RNDr(S, W, 56, 0x748f82ee); + RNDr(S, W, 57, 0x78a5636f); + RNDr(S, W, 58, 0x84c87814); + RNDr(S, W, 59, 0x8cc70208); + RNDr(S, W, 60, 0x90befffa); + RNDr(S, W, 61, 0xa4506ceb); + RNDr(S, W, 62, 0xbef9a3f7); + RNDr(S, W, 63, 0xc67178f2); + + /* 4. Mix local working variables into global state */ + for (i = 0; i < 8; i++) + state[i] += S[i]; + + /* Clean the stack. */ + memset(W, 0, 256); + memset(S, 0, 32); + t0 = t1 = 0; +} + +static unsigned char PAD[64] = { + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 +}; + +/* Add padding and terminating bit-count. */ +static void +SHA256_Pad(SHA256_CTX * ctx) +{ + unsigned char len[8]; + uint32_t r, plen; + + /* + * Convert length to a vector of bytes -- we do this now rather + * than later because the length will change after we pad. + */ + be32enc_vect(len, ctx->count, 8); + + /* Add 1--64 bytes so that the resulting length is 56 mod 64 */ + r = (ctx->count[1] >> 3) & 0x3f; + plen = (r < 56) ? (56 - r) : (120 - r); + _SHA256_Update(ctx, PAD, (size_t)plen); + + /* Add the terminating bit-count */ + _SHA256_Update(ctx, len, 8); +} + +/* SHA-256 initialization. Begins a SHA-256 operation. */ +void +_SHA256_Init(SHA256_CTX * ctx) +{ + + /* Zero bits processed so far */ + ctx->count[0] = ctx->count[1] = 0; + + /* Magic initialization constants */ + ctx->state[0] = 0x6A09E667; + ctx->state[1] = 0xBB67AE85; + ctx->state[2] = 0x3C6EF372; + ctx->state[3] = 0xA54FF53A; + ctx->state[4] = 0x510E527F; + ctx->state[5] = 0x9B05688C; + ctx->state[6] = 0x1F83D9AB; + ctx->state[7] = 0x5BE0CD19; +} + +/* Add bytes into the hash */ +void +_SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len) +{ + uint32_t bitlen[2]; + uint32_t r; + const unsigned char *src = (const unsigned char *) in; + + /* Number of bytes left in the buffer from previous updates */ + r = (ctx->count[1] >> 3) & 0x3f; + + /* Convert the length into a number of bits */ + bitlen[1] = ((uint32_t)len) << 3; + bitlen[0] = (uint32_t)(len >> 29); + + /* Update number of bits */ + if ((ctx->count[1] += bitlen[1]) < bitlen[1]) + ctx->count[0]++; + ctx->count[0] += bitlen[0]; + + /* Handle the case where we don't need to perform any transforms */ + if (len < 64 - r) { + memcpy(&ctx->buf[r], src, len); + return; + } + + /* Finish the current block */ + memcpy(&ctx->buf[r], src, 64 - r); + SHA256_Transform(ctx->state, ctx->buf); + src += 64 - r; + len -= 64 - r; + + /* Perform complete blocks */ + while (len >= 64) { + SHA256_Transform(ctx->state, src); + src += 64; + len -= 64; + } + + /* Copy left over data into buffer */ + memcpy(ctx->buf, src, len); +} + +/* + * SHA-256 finalization. Pads the input data, exports the hash value, + * and clears the context state. + */ +void +_SHA256_Final(unsigned char digest[32], SHA256_CTX * ctx) +{ + + /* Add padding */ + SHA256_Pad(ctx); + + /* Write the hash */ + be32enc_vect(digest, ctx->state, 32); + + /* Clear the context state */ + memset((void *)ctx, 0, sizeof(*ctx)); +} + +/* Initialize an HMAC-SHA256 operation with the given key. */ +void +HMAC__SHA256_Init(HMAC_SHA256_CTX * ctx, const void * _K, size_t Klen) +{ + unsigned char pad[64]; + unsigned char khash[32]; + const unsigned char * K = (const unsigned char *) _K; + size_t i; + + /* If Klen > 64, the key is really SHA256(K). */ + if (Klen > 64) { + _SHA256_Init(&ctx->ictx); + _SHA256_Update(&ctx->ictx, K, Klen); + _SHA256_Final(khash, &ctx->ictx); + K = khash; + Klen = 32; + } + + /* Inner SHA256 operation is SHA256(K xor [block of 0x36] || data). */ + _SHA256_Init(&ctx->ictx); + memset(pad, 0x36, 64); + for (i = 0; i < Klen; i++) + pad[i] ^= K[i]; + _SHA256_Update(&ctx->ictx, pad, 64); + + /* Outer SHA256 operation is SHA256(K xor [block of 0x5c] || hash). */ + _SHA256_Init(&ctx->octx); + memset(pad, 0x5c, 64); + for (i = 0; i < Klen; i++) + pad[i] ^= K[i]; + _SHA256_Update(&ctx->octx, pad, 64); + + /* Clean the stack. */ + memset(khash, 0, 32); +} + +/* Add bytes to the HMAC-SHA256 operation. */ +void +HMAC__SHA256_Update(HMAC_SHA256_CTX * ctx, const void *in, size_t len) +{ + + /* Feed data to the inner SHA256 operation. */ + _SHA256_Update(&ctx->ictx, in, len); +} + +/* Finish an HMAC-SHA256 operation. */ +void +HMAC__SHA256_Final(unsigned char digest[32], HMAC_SHA256_CTX * ctx) +{ + unsigned char ihash[32]; + + /* Finish the inner SHA256 operation. */ + _SHA256_Final(ihash, &ctx->ictx); + + /* Feed the inner hash to the outer SHA256 operation. */ + _SHA256_Update(&ctx->octx, ihash, 32); + + /* Finish the outer SHA256 operation. */ + _SHA256_Final(digest, &ctx->octx); + + /* Clean the stack. */ + memset(ihash, 0, 32); +} + +/** + * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen): + * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and + * write the output to buf. The value dkLen must be at most 32 * (2^32 - 1). + */ +void +PBKDF2_SHA256(const uint8_t * passwd, size_t passwdlen, const uint8_t * salt, + size_t saltlen, uint64_t c, uint8_t * buf, size_t dkLen) +{ + HMAC_SHA256_CTX PShctx, hctx; + size_t i; + uint8_t ivec[4]; + uint8_t U[32]; + uint8_t T[32]; + uint64_t j; + int k; + size_t clen; + + /* Compute HMAC state after processing P and S. */ + HMAC__SHA256_Init(&PShctx, passwd, passwdlen); + HMAC__SHA256_Update(&PShctx, salt, saltlen); + + /* Iterate through the blocks. */ + for (i = 0; i * 32 < dkLen; i++) { + /* Generate INT(i + 1). */ + be32enc(ivec, (uint32_t)(i + 1)); + + /* Compute U_1 = PRF(P, S || INT(i)). */ + memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX)); + HMAC__SHA256_Update(&hctx, ivec, 4); + HMAC__SHA256_Final(U, &hctx); + + /* T_i = U_1 ... */ + memcpy(T, U, 32); + + for (j = 2; j <= c; j++) { + /* Compute U_j. */ + HMAC__SHA256_Init(&hctx, passwd, passwdlen); + HMAC__SHA256_Update(&hctx, U, 32); + HMAC__SHA256_Final(U, &hctx); + + /* ... xor U_j ... */ + for (k = 0; k < 32; k++) + T[k] ^= U[k]; + } + + /* Copy as many bytes as necessary into buf. */ + clen = dkLen - i * 32; + if (clen > 32) + clen = 32; + memcpy(&buf[i * 32], T, clen); + } + + /* Clean PShctx, since we never called _Final on it. */ + memset(&PShctx, 0, sizeof(HMAC_SHA256_CTX)); +} diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.h b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.h new file mode 100644 index 00000000..37da7e20 --- /dev/null +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.h @@ -0,0 +1,62 @@ +/*- + * Copyright 2005,2007,2009 Colin Percival + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * $FreeBSD: src/lib/libmd/sha256.h,v 1.2 2006/01/17 15:35:56 phk Exp $ + */ + +#ifndef _SHA256_H_ +#define _SHA256_H_ + +#include + +#include + +typedef struct SHA256Context { + uint32_t state[8]; + uint32_t count[2]; + unsigned char buf[64]; +} SHA256_CTX; + +typedef struct HMAC_SHA256Context { + SHA256_CTX ictx; + SHA256_CTX octx; +} HMAC_SHA256_CTX; + +void _SHA256_Init(SHA256_CTX *); +void _SHA256_Update(SHA256_CTX *, const void *, size_t); +void _SHA256_Final(unsigned char [32], SHA256_CTX *); +void HMAC__SHA256_Init(HMAC_SHA256_CTX *, const void *, size_t); +void HMAC__SHA256_Update(HMAC_SHA256_CTX *, const void *, size_t); +void HMAC__SHA256_Final(unsigned char [32], HMAC_SHA256_CTX *); + +/** + * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen): + * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and + * write the output to buf. The value dkLen must be at most 32 * (2^32 - 1). + */ +void PBKDF2_SHA256(const uint8_t *, size_t, const uint8_t *, size_t, + uint64_t, uint8_t *, size_t); + +#endif /* !_SHA256_H_ */ diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sse/pwhash_scryptxsalsa208sha256.c b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sse/pwhash_scryptxsalsa208sha256.c new file mode 100644 index 00000000..68a81025 --- /dev/null +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sse/pwhash_scryptxsalsa208sha256.c @@ -0,0 +1,381 @@ +/*- + * Copyright 2009 Colin Percival + * Copyright 2012,2013 Alexander Peslyak + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * This file was originally written by Colin Percival as part of the Tarsnap + * online backup system. + */ + +#include +#if defined(__XOP__) && defined(DISABLED) +#include +#endif + +#include +#include +#include +#include + +#include "../sha256.h" +#include "../sysendian.h" +#include "../crypto_scrypt.h" + +#if defined(__XOP__) && defined(DISABLED) +#define ARX(out, in1, in2, s) \ + out = _mm_xor_si128(out, _mm_roti_epi32(_mm_add_epi32(in1, in2), s)); +#else +#define ARX(out, in1, in2, s) \ + { \ + __m128i T = _mm_add_epi32(in1, in2); \ + out = _mm_xor_si128(out, _mm_slli_epi32(T, s)); \ + out = _mm_xor_si128(out, _mm_srli_epi32(T, 32-s)); \ + } +#endif + +#define SALSA20_2ROUNDS \ + /* Operate on "columns". */ \ + ARX(X1, X0, X3, 7) \ + ARX(X2, X1, X0, 9) \ + ARX(X3, X2, X1, 13) \ + ARX(X0, X3, X2, 18) \ +\ + /* Rearrange data. */ \ + X1 = _mm_shuffle_epi32(X1, 0x93); \ + X2 = _mm_shuffle_epi32(X2, 0x4E); \ + X3 = _mm_shuffle_epi32(X3, 0x39); \ +\ + /* Operate on "rows". */ \ + ARX(X3, X0, X1, 7) \ + ARX(X2, X3, X0, 9) \ + ARX(X1, X2, X3, 13) \ + ARX(X0, X1, X2, 18) \ +\ + /* Rearrange data. */ \ + X1 = _mm_shuffle_epi32(X1, 0x39); \ + X2 = _mm_shuffle_epi32(X2, 0x4E); \ + X3 = _mm_shuffle_epi32(X3, 0x93); + +/** + * Apply the salsa20/8 core to the block provided in (X0 ... X3) ^ (Z0 ... Z3). + */ +#define SALSA20_8_XOR(in, out) \ + { \ + __m128i Y0 = X0 = _mm_xor_si128(X0, (in)[0]); \ + __m128i Y1 = X1 = _mm_xor_si128(X1, (in)[1]); \ + __m128i Y2 = X2 = _mm_xor_si128(X2, (in)[2]); \ + __m128i Y3 = X3 = _mm_xor_si128(X3, (in)[3]); \ + SALSA20_2ROUNDS \ + SALSA20_2ROUNDS \ + SALSA20_2ROUNDS \ + SALSA20_2ROUNDS \ + (out)[0] = X0 = _mm_add_epi32(X0, Y0); \ + (out)[1] = X1 = _mm_add_epi32(X1, Y1); \ + (out)[2] = X2 = _mm_add_epi32(X2, Y2); \ + (out)[3] = X3 = _mm_add_epi32(X3, Y3); \ + } + +/** + * blockmix_salsa8(Bin, Bout, r): + * Compute Bout = BlockMix_{salsa20/8, r}(Bin). The input Bin must be 128r + * bytes in length; the output Bout must also be the same size. + */ +static inline void +blockmix_salsa8(const __m128i * Bin, __m128i * Bout, size_t r) +{ + __m128i X0, X1, X2, X3; + size_t i; + + /* 1: X <-- B_{2r - 1} */ + X0 = Bin[8 * r - 4]; + X1 = Bin[8 * r - 3]; + X2 = Bin[8 * r - 2]; + X3 = Bin[8 * r - 1]; + + /* 3: X <-- H(X \xor B_i) */ + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + SALSA20_8_XOR(Bin, Bout) + + /* 2: for i = 0 to 2r - 1 do */ + r--; + for (i = 0; i < r;) { + /* 3: X <-- H(X \xor B_i) */ + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + SALSA20_8_XOR(&Bin[i * 8 + 4], &Bout[(r + i) * 4 + 4]) + + i++; + + /* 3: X <-- H(X \xor B_i) */ + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + SALSA20_8_XOR(&Bin[i * 8], &Bout[i * 4]) + } + + /* 3: X <-- H(X \xor B_i) */ + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + SALSA20_8_XOR(&Bin[i * 8 + 4], &Bout[(r + i) * 4 + 4]) +} + +#define XOR4(in) \ + X0 = _mm_xor_si128(X0, (in)[0]); \ + X1 = _mm_xor_si128(X1, (in)[1]); \ + X2 = _mm_xor_si128(X2, (in)[2]); \ + X3 = _mm_xor_si128(X3, (in)[3]); + +#define XOR4_2(in1, in2) \ + X0 = _mm_xor_si128((in1)[0], (in2)[0]); \ + X1 = _mm_xor_si128((in1)[1], (in2)[1]); \ + X2 = _mm_xor_si128((in1)[2], (in2)[2]); \ + X3 = _mm_xor_si128((in1)[3], (in2)[3]); + +static inline uint32_t +blockmix_salsa8_xor(const __m128i * Bin1, const __m128i * Bin2, __m128i * Bout, + size_t r) +{ + __m128i X0, X1, X2, X3; + size_t i; + + /* 1: X <-- B_{2r - 1} */ + XOR4_2(&Bin1[8 * r - 4], &Bin2[8 * r - 4]) + + /* 3: X <-- H(X \xor B_i) */ + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + XOR4(Bin1) + SALSA20_8_XOR(Bin2, Bout) + + /* 2: for i = 0 to 2r - 1 do */ + r--; + for (i = 0; i < r;) { + /* 3: X <-- H(X \xor B_i) */ + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + XOR4(&Bin1[i * 8 + 4]) + SALSA20_8_XOR(&Bin2[i * 8 + 4], &Bout[(r + i) * 4 + 4]) + + i++; + + /* 3: X <-- H(X \xor B_i) */ + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + XOR4(&Bin1[i * 8]) + SALSA20_8_XOR(&Bin2[i * 8], &Bout[i * 4]) + } + + /* 3: X <-- H(X \xor B_i) */ + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + XOR4(&Bin1[i * 8 + 4]) + SALSA20_8_XOR(&Bin2[i * 8 + 4], &Bout[(r + i) * 4 + 4]) + + return _mm_cvtsi128_si32(X0); +} + +#undef ARX +#undef SALSA20_2ROUNDS +#undef SALSA20_8_XOR +#undef XOR4 +#undef XOR4_2 + +/** + * integerify(B, r): + * Return the result of parsing B_{2r-1} as a little-endian integer. + */ +static inline uint32_t +integerify(const void * B, size_t r) +{ + return *(const uint32_t *)((uintptr_t)(B) + (2 * r - 1) * 64); +} + +/** + * smix(B, r, N, V, XY): + * Compute B = SMix_r(B, N). The input B must be 128r bytes in length; + * the temporary storage V must be 128rN bytes in length; the temporary + * storage XY must be 256r + 64 bytes in length. The value N must be a + * power of 2 greater than 1. The arrays B, V, and XY must be aligned to a + * multiple of 64 bytes. + */ +static void +smix(uint8_t * B, size_t r, uint32_t N, void * V, void * XY) +{ + size_t s = 128 * r; + __m128i * X = (__m128i *) V, * Y; + uint32_t * X32 = (uint32_t *) V; + uint32_t i, j; + size_t k; + + /* 1: X <-- B */ + /* 3: V_i <-- X */ + for (k = 0; k < 2 * r; k++) { + for (i = 0; i < 16; i++) { + X32[k * 16 + i] = + le32dec(&B[(k * 16 + (i * 5 % 16)) * 4]); + } + } + + /* 2: for i = 0 to N - 1 do */ + for (i = 1; i < N - 1; i += 2) { + /* 4: X <-- H(X) */ + /* 3: V_i <-- X */ + Y = (__m128i *)((uintptr_t)(V) + i * s); + blockmix_salsa8(X, Y, r); + + /* 4: X <-- H(X) */ + /* 3: V_i <-- X */ + X = (__m128i *)((uintptr_t)(V) + (i + 1) * s); + blockmix_salsa8(Y, X, r); + } + + /* 4: X <-- H(X) */ + /* 3: V_i <-- X */ + Y = (__m128i *)((uintptr_t)(V) + i * s); + blockmix_salsa8(X, Y, r); + + /* 4: X <-- H(X) */ + /* 3: V_i <-- X */ + X = (__m128i *) XY; + blockmix_salsa8(Y, X, r); + + X32 = (uint32_t *) XY; + Y = (__m128i *)((uintptr_t)(XY) + s); + + /* 7: j <-- Integerify(X) mod N */ + j = integerify(X, r) & (N - 1); + + /* 6: for i = 0 to N - 1 do */ + for (i = 0; i < N; i += 2) { + __m128i * V_j = (__m128i *)((uintptr_t)(V) + j * s); + + /* 8: X <-- H(X \xor V_j) */ + /* 7: j <-- Integerify(X) mod N */ + j = blockmix_salsa8_xor(X, V_j, Y, r) & (N - 1); + V_j = (__m128i *)((uintptr_t)(V) + j * s); + + /* 8: X <-- H(X \xor V_j) */ + /* 7: j <-- Integerify(X) mod N */ + j = blockmix_salsa8_xor(Y, V_j, X, r) & (N - 1); + } + + /* 10: B' <-- X */ + for (k = 0; k < 2 * r; k++) { + for (i = 0; i < 16; i++) { + le32enc(&B[(k * 16 + (i * 5 % 16)) * 4], + X32[k * 16 + i]); + } + } +} + +/** + * escrypt_kdf(local, passwd, passwdlen, salt, saltlen, + * N, r, p, buf, buflen): + * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r, + * p, buflen) and write the result into buf. The parameters r, p, and buflen + * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32. The parameter N + * must be a power of 2 greater than 1. + * + * Return 0 on success; or -1 on error. + */ +int +escrypt_kdf_sse(escrypt_local_t * local, + const uint8_t * passwd, size_t passwdlen, + const uint8_t * salt, size_t saltlen, + uint64_t N, uint32_t _r, uint32_t _p, + uint8_t * buf, size_t buflen) +{ + size_t B_size, V_size, XY_size, need; + uint8_t * B; + uint32_t * V, * XY; + size_t r = _r, p = _p; + uint32_t i; + + /* Sanity-check parameters. */ +#if SIZE_MAX > UINT32_MAX + if (buflen > (((uint64_t)(1) << 32) - 1) * 32) { + errno = EFBIG; + return -1; + } +#endif + if ((uint64_t)(r) * (uint64_t)(p) >= (1 << 30)) { + errno = EFBIG; + return -1; + } + if (N > UINT32_MAX) { + errno = EFBIG; + return -1; + } + if (((N & (N - 1)) != 0) || (N < 2)) { + errno = EINVAL; + return -1; + } + if ((r > SIZE_MAX / 128 / p) || +#if SIZE_MAX / 256 <= UINT32_MAX + (r > SIZE_MAX / 256) || +#endif + (N > SIZE_MAX / 128 / r)) { + errno = ENOMEM; + return -1; + } + + /* Allocate memory. */ + B_size = (size_t)128 * r * p; + V_size = (size_t)128 * r * N; + need = B_size + V_size; + if (need < V_size) { + errno = ENOMEM; + return -1; + } + XY_size = (size_t)256 * r; + need += XY_size; + if (need < XY_size) { + errno = ENOMEM; + return -1; + } + if (local->size < need) { + if (free_region(local)) + return -1; + if (!alloc_region(local, need)) + return -1; + } + B = (uint8_t *)local->aligned; + V = (uint32_t *)((uint8_t *)B + B_size); + XY = (uint32_t *)((uint8_t *)V + V_size); + + /* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */ + PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size); + + /* 2: for i = 0 to p - 1 do */ + for (i = 0; i < p; i++) { + /* 3: B_i <-- MF(B_i, N) */ + smix(&B[(size_t)128 * i * r], r, N, V, XY); + } + + /* 5: DK <-- PBKDF2(P, B, 1, dkLen) */ + PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen); + + /* Success! */ + return 0; +} diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sysendian.h b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sysendian.h new file mode 100644 index 00000000..2f2c96f6 --- /dev/null +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sysendian.h @@ -0,0 +1,146 @@ +#ifndef _SYSENDIAN_H_ +#define _SYSENDIAN_H_ + +#include + +/* Avoid namespace collisions with BSD . */ +#define be16dec scrypt_be16dec +#define be16enc scrypt_be16enc +#define be32dec scrypt_be32dec +#define be32enc scrypt_be32enc +#define be64dec scrypt_be64dec +#define be64enc scrypt_be64enc +#define le16dec scrypt_le16dec +#define le16enc scrypt_le16enc +#define le32dec scrypt_le32dec +#define le32enc scrypt_le32enc +#define le64dec scrypt_le64dec +#define le64enc scrypt_le64enc + +static inline uint16_t +be16dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint16_t)(p[1]) + ((uint16_t)(p[0]) << 8)); +} + +static inline void +be16enc(void *pp, uint16_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[1] = x & 0xff; + p[0] = (x >> 8) & 0xff; +} + +static inline uint32_t +be32dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) + + ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24)); +} + +static inline void +be32enc(void *pp, uint32_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[3] = x & 0xff; + p[2] = (x >> 8) & 0xff; + p[1] = (x >> 16) & 0xff; + p[0] = (x >> 24) & 0xff; +} + +static inline uint64_t +be64dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint64_t)(p[7]) + ((uint64_t)(p[6]) << 8) + + ((uint64_t)(p[5]) << 16) + ((uint64_t)(p[4]) << 24) + + ((uint64_t)(p[3]) << 32) + ((uint64_t)(p[2]) << 40) + + ((uint64_t)(p[1]) << 48) + ((uint64_t)(p[0]) << 56)); +} + +static inline void +be64enc(void *pp, uint64_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[7] = x & 0xff; + p[6] = (x >> 8) & 0xff; + p[5] = (x >> 16) & 0xff; + p[4] = (x >> 24) & 0xff; + p[3] = (x >> 32) & 0xff; + p[2] = (x >> 40) & 0xff; + p[1] = (x >> 48) & 0xff; + p[0] = (x >> 56) & 0xff; +} + +static inline uint16_t +le16dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint16_t)(p[0]) + ((uint16_t)(p[1]) << 8)); +} + +static inline void +le16enc(void *pp, uint16_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[0] = x & 0xff; + p[1] = (x >> 8) & 0xff; +} + +static inline uint32_t +le32dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint32_t)(p[0]) + ((uint32_t)(p[1]) << 8) + + ((uint32_t)(p[2]) << 16) + ((uint32_t)(p[3]) << 24)); +} + +static inline void +le32enc(void *pp, uint32_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[0] = x & 0xff; + p[1] = (x >> 8) & 0xff; + p[2] = (x >> 16) & 0xff; + p[3] = (x >> 24) & 0xff; +} + +static inline uint64_t +le64dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint64_t)(p[0]) + ((uint64_t)(p[1]) << 8) + + ((uint64_t)(p[2]) << 16) + ((uint64_t)(p[3]) << 24) + + ((uint64_t)(p[4]) << 32) + ((uint64_t)(p[5]) << 40) + + ((uint64_t)(p[6]) << 48) + ((uint64_t)(p[7]) << 56)); +} + +static inline void +le64enc(void *pp, uint64_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[0] = x & 0xff; + p[1] = (x >> 8) & 0xff; + p[2] = (x >> 16) & 0xff; + p[3] = (x >> 24) & 0xff; + p[4] = (x >> 32) & 0xff; + p[5] = (x >> 40) & 0xff; + p[6] = (x >> 48) & 0xff; + p[7] = (x >> 56) & 0xff; +} + +#endif /* !_SYSENDIAN_H_ */ From 4f31e143ca631176e275e15a54c2cb30d7c02f0e Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Fri, 4 Apr 2014 14:04:11 -0700 Subject: [PATCH 09/40] scrypt fixes --- .../scryptxsalsa208sha256/nosse/pwhash_scryptxsalsa208sha256.c | 3 +-- .../scryptxsalsa208sha256/sse/pwhash_scryptxsalsa208sha256.c | 2 +- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/nosse/pwhash_scryptxsalsa208sha256.c b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/nosse/pwhash_scryptxsalsa208sha256.c index c57cc58a..7aaead21 100644 --- a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/nosse/pwhash_scryptxsalsa208sha256.c +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/nosse/pwhash_scryptxsalsa208sha256.c @@ -204,7 +204,6 @@ smix(uint8_t * B, size_t r, uint64_t N, uint32_t * V, uint32_t * XY) blkxor(Y, &V[j * (32 * r)], 128 * r); blockmix_salsa8(Y, X, Z, r); } - /* 10: B' <-- X */ for (k = 0; k < 32 * r; k++) le32enc(&B[4 * k], X[k]); @@ -265,7 +264,7 @@ escrypt_kdf_nosse(escrypt_local_t * local, errno = ENOMEM; return -1; } - XY_size = (size_t)256 * r; + XY_size = (size_t)256 * r + 64; need += XY_size; if (need < XY_size) { errno = ENOMEM; diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sse/pwhash_scryptxsalsa208sha256.c b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sse/pwhash_scryptxsalsa208sha256.c index 68a81025..4f3e6584 100644 --- a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sse/pwhash_scryptxsalsa208sha256.c +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sse/pwhash_scryptxsalsa208sha256.c @@ -348,7 +348,7 @@ escrypt_kdf_sse(escrypt_local_t * local, errno = ENOMEM; return -1; } - XY_size = (size_t)256 * r; + XY_size = (size_t)256 * r + 64; need += XY_size; if (need < XY_size) { errno = ENOMEM; From 350771b9d464d944b4bffb6b7d8715cc80550fb8 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 10 Apr 2014 18:48:35 -0700 Subject: [PATCH 10/40] Replace hmac_sha256 implementation with scrypt's --- libsodium.vcxproj | 4 +- libsodium.vcxproj.filters | 2 +- src/libsodium/Makefile.am | 7 +- .../crypto_auth/hmacsha256/{ref => cp}/api.h | 0 .../hmacsha256/cp/hmac_hmacsha256.c | 395 ++++++++++++++++++ .../crypto_auth/hmacsha256/cp/sysendian.h | 146 +++++++ .../{ref => cp}/verify_hmacsha256.c | 0 .../hmacsha256/ref/hmac_hmacsha256.c | 83 ---- 8 files changed, 548 insertions(+), 89 deletions(-) rename src/libsodium/crypto_auth/hmacsha256/{ref => cp}/api.h (100%) create mode 100644 src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c create mode 100644 src/libsodium/crypto_auth/hmacsha256/cp/sysendian.h rename src/libsodium/crypto_auth/hmacsha256/{ref => cp}/verify_hmacsha256.c (100%) delete mode 100644 src/libsodium/crypto_auth/hmacsha256/ref/hmac_hmacsha256.c diff --git a/libsodium.vcxproj b/libsodium.vcxproj index 2e5ce2e3..437978d2 100644 --- a/libsodium.vcxproj +++ b/libsodium.vcxproj @@ -374,8 +374,8 @@ - - + + diff --git a/libsodium.vcxproj.filters b/libsodium.vcxproj.filters index df34098d..3419de5d 100644 --- a/libsodium.vcxproj.filters +++ b/libsodium.vcxproj.filters @@ -202,7 +202,7 @@ Source Files - + Source Files diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am index d81fccae..add096e5 100644 --- a/src/libsodium/Makefile.am +++ b/src/libsodium/Makefile.am @@ -4,9 +4,10 @@ lib_LTLIBRARIES = \ libsodium_la_SOURCES = \ crypto_auth/crypto_auth.c \ crypto_auth/hmacsha256/auth_hmacsha256_api.c \ - crypto_auth/hmacsha256/ref/api.h \ - crypto_auth/hmacsha256/ref/hmac_hmacsha256.c \ - crypto_auth/hmacsha256/ref/verify_hmacsha256.c \ + crypto_auth/hmacsha256/cp/api.h \ + crypto_auth/hmacsha256/cp/sysendian.h \ + crypto_auth/hmacsha256/cp/hmac_hmacsha256.c \ + crypto_auth/hmacsha256/cp/verify_hmacsha256.c \ crypto_auth/hmacsha512256/auth_hmacsha512256_api.c \ crypto_auth/hmacsha512256/ref/api.h \ crypto_auth/hmacsha512256/ref/hmac_hmacsha512256.c \ diff --git a/src/libsodium/crypto_auth/hmacsha256/ref/api.h b/src/libsodium/crypto_auth/hmacsha256/cp/api.h similarity index 100% rename from src/libsodium/crypto_auth/hmacsha256/ref/api.h rename to src/libsodium/crypto_auth/hmacsha256/cp/api.h diff --git a/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c new file mode 100644 index 00000000..c9de5a5c --- /dev/null +++ b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c @@ -0,0 +1,395 @@ + +/*- + * Copyright 2005,2007,2009 Colin Percival + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + */ + +#include "api.h" +#include "crypto_hashblocks_sha256.h" +#include "utils.h" + +#include + +#include +#include +#include +#include + +#include "sysendian.h" + +typedef struct SHA256Context { + uint32_t state[8]; + uint32_t count[2]; + unsigned char buf[64]; +} SHA256_CTX; + +typedef struct HMAC_SHA256Context { + SHA256_CTX ictx; + SHA256_CTX octx; +} HMAC_SHA256_CTX; + +static void _SHA256_Init(SHA256_CTX *); +static void _SHA256_Update(SHA256_CTX *, const void *, size_t); +static void _SHA256_Final(unsigned char [32], SHA256_CTX *); +static void HMAC__SHA256_Init(HMAC_SHA256_CTX *, const void *, size_t); +static void HMAC__SHA256_Update(HMAC_SHA256_CTX *, const void *, size_t); +static void HMAC__SHA256_Final(unsigned char [32], HMAC_SHA256_CTX *); + +/* + * Encode a length len/4 vector of (uint32_t) into a length len vector of + * (unsigned char) in big-endian form. Assumes len is a multiple of 4. + */ +static void +be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len) +{ + size_t i; + + for (i = 0; i < len / 4; i++) + be32enc(dst + i * 4, src[i]); +} + +/* + * Decode a big-endian length len vector of (unsigned char) into a length + * len/4 vector of (uint32_t). Assumes len is a multiple of 4. + */ +static void +be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) +{ + size_t i; + + for (i = 0; i < len / 4; i++) + dst[i] = be32dec(src + i * 4); +} + +/* Elementary functions used by SHA256 */ +#define Ch(x, y, z) ((x & (y ^ z)) ^ z) +#define Maj(x, y, z) ((x & (y | z)) | (y & z)) +#define SHR(x, n) (x >> n) +#define ROTR(x, n) ((x >> n) | (x << (32 - n))) +#define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) +#define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) +#define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) +#define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) + +/* SHA256 round function */ +#define RND(a, b, c, d, e, f, g, h, k) \ + t0 = h + S1(e) + Ch(e, f, g) + k; \ + t1 = S0(a) + Maj(a, b, c); \ + d += t0; \ + h = t0 + t1; + +/* Adjusted round function for rotating state */ +#define RNDr(S, W, i, k) \ + RND(S[(64 - i) % 8], S[(65 - i) % 8], \ + S[(66 - i) % 8], S[(67 - i) % 8], \ + S[(68 - i) % 8], S[(69 - i) % 8], \ + S[(70 - i) % 8], S[(71 - i) % 8], \ + W[i] + k) + +/* + * SHA256 block compression function. The 256-bit state is transformed via + * the 512-bit input block to produce a new state. + */ +static void +SHA256_Transform(uint32_t * state, const unsigned char block[64]) +{ + uint32_t W[64]; + uint32_t S[8]; + uint32_t t0, t1; + int i; + + /* 1. Prepare message schedule W. */ + be32dec_vect(W, block, 64); + for (i = 16; i < 64; i++) + W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16]; + + /* 2. Initialize working variables. */ + memcpy(S, state, 32); + + /* 3. Mix. */ + RNDr(S, W, 0, 0x428a2f98); + RNDr(S, W, 1, 0x71374491); + RNDr(S, W, 2, 0xb5c0fbcf); + RNDr(S, W, 3, 0xe9b5dba5); + RNDr(S, W, 4, 0x3956c25b); + RNDr(S, W, 5, 0x59f111f1); + RNDr(S, W, 6, 0x923f82a4); + RNDr(S, W, 7, 0xab1c5ed5); + RNDr(S, W, 8, 0xd807aa98); + RNDr(S, W, 9, 0x12835b01); + RNDr(S, W, 10, 0x243185be); + RNDr(S, W, 11, 0x550c7dc3); + RNDr(S, W, 12, 0x72be5d74); + RNDr(S, W, 13, 0x80deb1fe); + RNDr(S, W, 14, 0x9bdc06a7); + RNDr(S, W, 15, 0xc19bf174); + RNDr(S, W, 16, 0xe49b69c1); + RNDr(S, W, 17, 0xefbe4786); + RNDr(S, W, 18, 0x0fc19dc6); + RNDr(S, W, 19, 0x240ca1cc); + RNDr(S, W, 20, 0x2de92c6f); + RNDr(S, W, 21, 0x4a7484aa); + RNDr(S, W, 22, 0x5cb0a9dc); + RNDr(S, W, 23, 0x76f988da); + RNDr(S, W, 24, 0x983e5152); + RNDr(S, W, 25, 0xa831c66d); + RNDr(S, W, 26, 0xb00327c8); + RNDr(S, W, 27, 0xbf597fc7); + RNDr(S, W, 28, 0xc6e00bf3); + RNDr(S, W, 29, 0xd5a79147); + RNDr(S, W, 30, 0x06ca6351); + RNDr(S, W, 31, 0x14292967); + RNDr(S, W, 32, 0x27b70a85); + RNDr(S, W, 33, 0x2e1b2138); + RNDr(S, W, 34, 0x4d2c6dfc); + RNDr(S, W, 35, 0x53380d13); + RNDr(S, W, 36, 0x650a7354); + RNDr(S, W, 37, 0x766a0abb); + RNDr(S, W, 38, 0x81c2c92e); + RNDr(S, W, 39, 0x92722c85); + RNDr(S, W, 40, 0xa2bfe8a1); + RNDr(S, W, 41, 0xa81a664b); + RNDr(S, W, 42, 0xc24b8b70); + RNDr(S, W, 43, 0xc76c51a3); + RNDr(S, W, 44, 0xd192e819); + RNDr(S, W, 45, 0xd6990624); + RNDr(S, W, 46, 0xf40e3585); + RNDr(S, W, 47, 0x106aa070); + RNDr(S, W, 48, 0x19a4c116); + RNDr(S, W, 49, 0x1e376c08); + RNDr(S, W, 50, 0x2748774c); + RNDr(S, W, 51, 0x34b0bcb5); + RNDr(S, W, 52, 0x391c0cb3); + RNDr(S, W, 53, 0x4ed8aa4a); + RNDr(S, W, 54, 0x5b9cca4f); + RNDr(S, W, 55, 0x682e6ff3); + RNDr(S, W, 56, 0x748f82ee); + RNDr(S, W, 57, 0x78a5636f); + RNDr(S, W, 58, 0x84c87814); + RNDr(S, W, 59, 0x8cc70208); + RNDr(S, W, 60, 0x90befffa); + RNDr(S, W, 61, 0xa4506ceb); + RNDr(S, W, 62, 0xbef9a3f7); + RNDr(S, W, 63, 0xc67178f2); + + /* 4. Mix local working variables into global state */ + for (i = 0; i < 8; i++) + state[i] += S[i]; + + /* Clean the stack. */ + sodium_memzero(W, 256); + sodium_memzero(S, 32); + t0 = t1 = 0; +} + +static unsigned char PAD[64] = { + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 +}; + +/* Add padding and terminating bit-count. */ +static void +SHA256_Pad(SHA256_CTX * ctx) +{ + unsigned char len[8]; + uint32_t r, plen; + + /* + * Convert length to a vector of bytes -- we do this now rather + * than later because the length will change after we pad. + */ + be32enc_vect(len, ctx->count, 8); + + /* Add 1--64 bytes so that the resulting length is 56 mod 64 */ + r = (ctx->count[1] >> 3) & 0x3f; + plen = (r < 56) ? (56 - r) : (120 - r); + _SHA256_Update(ctx, PAD, (size_t)plen); + + /* Add the terminating bit-count */ + _SHA256_Update(ctx, len, 8); +} + +/* SHA-256 initialization. Begins a SHA-256 operation. */ +static void +_SHA256_Init(SHA256_CTX * ctx) +{ + + /* Zero bits processed so far */ + ctx->count[0] = ctx->count[1] = 0; + + /* Magic initialization constants */ + ctx->state[0] = 0x6A09E667; + ctx->state[1] = 0xBB67AE85; + ctx->state[2] = 0x3C6EF372; + ctx->state[3] = 0xA54FF53A; + ctx->state[4] = 0x510E527F; + ctx->state[5] = 0x9B05688C; + ctx->state[6] = 0x1F83D9AB; + ctx->state[7] = 0x5BE0CD19; +} + +/* Add bytes into the hash */ +static void +_SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len) +{ + uint32_t bitlen[2]; + uint32_t r; + const unsigned char *src = (const unsigned char *) in; + + /* Number of bytes left in the buffer from previous updates */ + r = (ctx->count[1] >> 3) & 0x3f; + + /* Convert the length into a number of bits */ + bitlen[1] = ((uint32_t)len) << 3; + bitlen[0] = (uint32_t)(len >> 29); + + /* Update number of bits */ + if ((ctx->count[1] += bitlen[1]) < bitlen[1]) + ctx->count[0]++; + ctx->count[0] += bitlen[0]; + + /* Handle the case where we don't need to perform any transforms */ + if (len < 64 - r) { + memcpy(&ctx->buf[r], src, len); + return; + } + + /* Finish the current block */ + memcpy(&ctx->buf[r], src, 64 - r); + SHA256_Transform(ctx->state, ctx->buf); + src += 64 - r; + len -= 64 - r; + + /* Perform complete blocks */ + while (len >= 64) { + SHA256_Transform(ctx->state, src); + src += 64; + len -= 64; + } + + /* Copy left over data into buffer */ + memcpy(ctx->buf, src, len); +} + +/* + * SHA-256 finalization. Pads the input data, exports the hash value, + * and clears the context state. + */ +static void +_SHA256_Final(unsigned char digest[32], SHA256_CTX * ctx) +{ + + /* Add padding */ + SHA256_Pad(ctx); + + /* Write the hash */ + be32enc_vect(digest, ctx->state, 32); + + /* Clear the context state */ + sodium_memzero((void *)ctx, sizeof(*ctx)); +} + +/* Initialize an HMAC-SHA256 operation with the given key. */ +static void +HMAC__SHA256_Init(HMAC_SHA256_CTX * ctx, const void * _K, size_t Klen) +{ + unsigned char pad[64]; + unsigned char khash[32]; + const unsigned char * K = (const unsigned char *) _K; + size_t i; + + /* If Klen > 64, the key is really SHA256(K). */ + if (Klen > 64) { + _SHA256_Init(&ctx->ictx); + _SHA256_Update(&ctx->ictx, K, Klen); + _SHA256_Final(khash, &ctx->ictx); + K = khash; + Klen = 32; + } + + /* Inner SHA256 operation is SHA256(K xor [block of 0x36] || data). */ + _SHA256_Init(&ctx->ictx); + memset(pad, 0x36, 64); + for (i = 0; i < Klen; i++) + pad[i] ^= K[i]; + _SHA256_Update(&ctx->ictx, pad, 64); + + /* Outer SHA256 operation is SHA256(K xor [block of 0x5c] || hash). */ + _SHA256_Init(&ctx->octx); + memset(pad, 0x5c, 64); + for (i = 0; i < Klen; i++) + pad[i] ^= K[i]; + _SHA256_Update(&ctx->octx, pad, 64); + + /* Clean the stack. */ + sodium_memzero(khash, 32); +} + +/* Add bytes to the HMAC-SHA256 operation. */ +void +HMAC__SHA256_Update(HMAC_SHA256_CTX * ctx, const void *in, size_t len) +{ + + /* Feed data to the inner SHA256 operation. */ + _SHA256_Update(&ctx->ictx, in, len); +} + +/* Finish an HMAC-SHA256 operation. */ +static void +HMAC__SHA256_Final(unsigned char digest[32], HMAC_SHA256_CTX * ctx) +{ + unsigned char ihash[32]; + + /* Finish the inner SHA256 operation. */ + _SHA256_Final(ihash, &ctx->ictx); + + /* Feed the inner hash to the outer SHA256 operation. */ + _SHA256_Update(&ctx->octx, ihash, 32); + + /* Finish the outer SHA256 operation. */ + _SHA256_Final(digest, &ctx->octx); + + /* Clean the stack. */ + sodium_memzero(ihash, 32); +} + +int +crypto_auth(unsigned char *out, const unsigned char *in, + unsigned long long inlen, const unsigned char *k) +{ + HMAC_SHA256_CTX ctx; + + if (inlen > SIZE_MAX) { + memset(out, 0, crypto_auth_BYTES); + return -1; + } + HMAC__SHA256_Init(&ctx, k, crypto_auth_KEYBYTES); + HMAC__SHA256_Update(&ctx, in, (size_t) inlen); + HMAC__SHA256_Final(out, &ctx); + + return 0; +} diff --git a/src/libsodium/crypto_auth/hmacsha256/cp/sysendian.h b/src/libsodium/crypto_auth/hmacsha256/cp/sysendian.h new file mode 100644 index 00000000..2f2c96f6 --- /dev/null +++ b/src/libsodium/crypto_auth/hmacsha256/cp/sysendian.h @@ -0,0 +1,146 @@ +#ifndef _SYSENDIAN_H_ +#define _SYSENDIAN_H_ + +#include + +/* Avoid namespace collisions with BSD . */ +#define be16dec scrypt_be16dec +#define be16enc scrypt_be16enc +#define be32dec scrypt_be32dec +#define be32enc scrypt_be32enc +#define be64dec scrypt_be64dec +#define be64enc scrypt_be64enc +#define le16dec scrypt_le16dec +#define le16enc scrypt_le16enc +#define le32dec scrypt_le32dec +#define le32enc scrypt_le32enc +#define le64dec scrypt_le64dec +#define le64enc scrypt_le64enc + +static inline uint16_t +be16dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint16_t)(p[1]) + ((uint16_t)(p[0]) << 8)); +} + +static inline void +be16enc(void *pp, uint16_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[1] = x & 0xff; + p[0] = (x >> 8) & 0xff; +} + +static inline uint32_t +be32dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) + + ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24)); +} + +static inline void +be32enc(void *pp, uint32_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[3] = x & 0xff; + p[2] = (x >> 8) & 0xff; + p[1] = (x >> 16) & 0xff; + p[0] = (x >> 24) & 0xff; +} + +static inline uint64_t +be64dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint64_t)(p[7]) + ((uint64_t)(p[6]) << 8) + + ((uint64_t)(p[5]) << 16) + ((uint64_t)(p[4]) << 24) + + ((uint64_t)(p[3]) << 32) + ((uint64_t)(p[2]) << 40) + + ((uint64_t)(p[1]) << 48) + ((uint64_t)(p[0]) << 56)); +} + +static inline void +be64enc(void *pp, uint64_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[7] = x & 0xff; + p[6] = (x >> 8) & 0xff; + p[5] = (x >> 16) & 0xff; + p[4] = (x >> 24) & 0xff; + p[3] = (x >> 32) & 0xff; + p[2] = (x >> 40) & 0xff; + p[1] = (x >> 48) & 0xff; + p[0] = (x >> 56) & 0xff; +} + +static inline uint16_t +le16dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint16_t)(p[0]) + ((uint16_t)(p[1]) << 8)); +} + +static inline void +le16enc(void *pp, uint16_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[0] = x & 0xff; + p[1] = (x >> 8) & 0xff; +} + +static inline uint32_t +le32dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint32_t)(p[0]) + ((uint32_t)(p[1]) << 8) + + ((uint32_t)(p[2]) << 16) + ((uint32_t)(p[3]) << 24)); +} + +static inline void +le32enc(void *pp, uint32_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[0] = x & 0xff; + p[1] = (x >> 8) & 0xff; + p[2] = (x >> 16) & 0xff; + p[3] = (x >> 24) & 0xff; +} + +static inline uint64_t +le64dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint64_t)(p[0]) + ((uint64_t)(p[1]) << 8) + + ((uint64_t)(p[2]) << 16) + ((uint64_t)(p[3]) << 24) + + ((uint64_t)(p[4]) << 32) + ((uint64_t)(p[5]) << 40) + + ((uint64_t)(p[6]) << 48) + ((uint64_t)(p[7]) << 56)); +} + +static inline void +le64enc(void *pp, uint64_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[0] = x & 0xff; + p[1] = (x >> 8) & 0xff; + p[2] = (x >> 16) & 0xff; + p[3] = (x >> 24) & 0xff; + p[4] = (x >> 32) & 0xff; + p[5] = (x >> 40) & 0xff; + p[6] = (x >> 48) & 0xff; + p[7] = (x >> 56) & 0xff; +} + +#endif /* !_SYSENDIAN_H_ */ diff --git a/src/libsodium/crypto_auth/hmacsha256/ref/verify_hmacsha256.c b/src/libsodium/crypto_auth/hmacsha256/cp/verify_hmacsha256.c similarity index 100% rename from src/libsodium/crypto_auth/hmacsha256/ref/verify_hmacsha256.c rename to src/libsodium/crypto_auth/hmacsha256/cp/verify_hmacsha256.c diff --git a/src/libsodium/crypto_auth/hmacsha256/ref/hmac_hmacsha256.c b/src/libsodium/crypto_auth/hmacsha256/ref/hmac_hmacsha256.c deleted file mode 100644 index c1498f8e..00000000 --- a/src/libsodium/crypto_auth/hmacsha256/ref/hmac_hmacsha256.c +++ /dev/null @@ -1,83 +0,0 @@ -/* - * 20080913 - * D. J. Bernstein - * Public domain. - * */ - -#include "api.h" -#include "crypto_hashblocks_sha256.h" - -#define blocks crypto_hashblocks_sha256 - -typedef unsigned int uint32; - -static const unsigned char iv[32] = { - 0x6a,0x09,0xe6,0x67, - 0xbb,0x67,0xae,0x85, - 0x3c,0x6e,0xf3,0x72, - 0xa5,0x4f,0xf5,0x3a, - 0x51,0x0e,0x52,0x7f, - 0x9b,0x05,0x68,0x8c, - 0x1f,0x83,0xd9,0xab, - 0x5b,0xe0,0xcd,0x19, -} ; - -int crypto_auth(unsigned char *out,const unsigned char *in,unsigned long long inlen,const unsigned char *k) -{ - unsigned char h[32]; - unsigned char padded[128]; - unsigned long long i; - unsigned long long bits = 512 + (inlen << 3); - - for (i = 0;i < 32;++i) h[i] = iv[i]; - - for (i = 0;i < 32;++i) padded[i] = k[i] ^ 0x36; - for (i = 32;i < 64;++i) padded[i] = 0x36; - - blocks(h,padded,64); - blocks(h,in,inlen); - in += inlen; - inlen &= 63; - in -= inlen; - - for (i = 0;i < inlen;++i) padded[i] = in[i]; - padded[inlen] = 0x80; - - if (inlen < 56) { - for (i = inlen + 1;i < 56;++i) padded[i] = 0; - padded[56] = bits >> 56; - padded[57] = bits >> 48; - padded[58] = bits >> 40; - padded[59] = bits >> 32; - padded[60] = bits >> 24; - padded[61] = bits >> 16; - padded[62] = bits >> 8; - padded[63] = bits; - blocks(h,padded,64); - } else { - for (i = inlen + 1;i < 120;++i) padded[i] = 0; - padded[120] = bits >> 56; - padded[121] = bits >> 48; - padded[122] = bits >> 40; - padded[123] = bits >> 32; - padded[124] = bits >> 24; - padded[125] = bits >> 16; - padded[126] = bits >> 8; - padded[127] = bits; - blocks(h,padded,128); - } - - for (i = 0;i < 32;++i) padded[i] = k[i] ^ 0x5c; - for (i = 32;i < 64;++i) padded[i] = 0x5c; - for (i = 0;i < 32;++i) padded[64 + i] = h[i]; - - for (i = 0;i < 32;++i) out[i] = iv[i]; - - for (i = 32;i < 64;++i) padded[64 + i] = 0; - padded[64 + 32] = 0x80; - padded[64 + 62] = 3; - - blocks(out,padded,128); - - return 0; -} From 9b151f4efe47bed0d5b348147db990abda4774a5 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 10 Apr 2014 19:20:15 -0700 Subject: [PATCH 11/40] We don't need sysendian.h --- src/libsodium/Makefile.am | 1 - .../hmacsha256/cp/hmac_hmacsha256.c | 26 +++- .../crypto_auth/hmacsha256/cp/sysendian.h | 146 ------------------ 3 files changed, 24 insertions(+), 149 deletions(-) delete mode 100644 src/libsodium/crypto_auth/hmacsha256/cp/sysendian.h diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am index add096e5..a3f58c4a 100644 --- a/src/libsodium/Makefile.am +++ b/src/libsodium/Makefile.am @@ -5,7 +5,6 @@ libsodium_la_SOURCES = \ crypto_auth/crypto_auth.c \ crypto_auth/hmacsha256/auth_hmacsha256_api.c \ crypto_auth/hmacsha256/cp/api.h \ - crypto_auth/hmacsha256/cp/sysendian.h \ crypto_auth/hmacsha256/cp/hmac_hmacsha256.c \ crypto_auth/hmacsha256/cp/verify_hmacsha256.c \ crypto_auth/hmacsha512256/auth_hmacsha512256_api.c \ diff --git a/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c index c9de5a5c..989ed971 100644 --- a/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c +++ b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c @@ -37,8 +37,6 @@ #include #include -#include "sysendian.h" - typedef struct SHA256Context { uint32_t state[8]; uint32_t count[2]; @@ -57,6 +55,30 @@ static void HMAC__SHA256_Init(HMAC_SHA256_CTX *, const void *, size_t); static void HMAC__SHA256_Update(HMAC_SHA256_CTX *, const void *, size_t); static void HMAC__SHA256_Final(unsigned char [32], HMAC_SHA256_CTX *); +/* Avoid namespace collisions with BSD . */ +#define be32dec scrypt_be32dec +#define be32enc scrypt_be32enc + +static inline uint32_t +be32dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) + + ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24)); +} + +static inline void +be32enc(void *pp, uint32_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[3] = x & 0xff; + p[2] = (x >> 8) & 0xff; + p[1] = (x >> 16) & 0xff; + p[0] = (x >> 24) & 0xff; +} + /* * Encode a length len/4 vector of (uint32_t) into a length len vector of * (unsigned char) in big-endian form. Assumes len is a multiple of 4. diff --git a/src/libsodium/crypto_auth/hmacsha256/cp/sysendian.h b/src/libsodium/crypto_auth/hmacsha256/cp/sysendian.h deleted file mode 100644 index 2f2c96f6..00000000 --- a/src/libsodium/crypto_auth/hmacsha256/cp/sysendian.h +++ /dev/null @@ -1,146 +0,0 @@ -#ifndef _SYSENDIAN_H_ -#define _SYSENDIAN_H_ - -#include - -/* Avoid namespace collisions with BSD . */ -#define be16dec scrypt_be16dec -#define be16enc scrypt_be16enc -#define be32dec scrypt_be32dec -#define be32enc scrypt_be32enc -#define be64dec scrypt_be64dec -#define be64enc scrypt_be64enc -#define le16dec scrypt_le16dec -#define le16enc scrypt_le16enc -#define le32dec scrypt_le32dec -#define le32enc scrypt_le32enc -#define le64dec scrypt_le64dec -#define le64enc scrypt_le64enc - -static inline uint16_t -be16dec(const void *pp) -{ - const uint8_t *p = (uint8_t const *)pp; - - return ((uint16_t)(p[1]) + ((uint16_t)(p[0]) << 8)); -} - -static inline void -be16enc(void *pp, uint16_t x) -{ - uint8_t * p = (uint8_t *)pp; - - p[1] = x & 0xff; - p[0] = (x >> 8) & 0xff; -} - -static inline uint32_t -be32dec(const void *pp) -{ - const uint8_t *p = (uint8_t const *)pp; - - return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) + - ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24)); -} - -static inline void -be32enc(void *pp, uint32_t x) -{ - uint8_t * p = (uint8_t *)pp; - - p[3] = x & 0xff; - p[2] = (x >> 8) & 0xff; - p[1] = (x >> 16) & 0xff; - p[0] = (x >> 24) & 0xff; -} - -static inline uint64_t -be64dec(const void *pp) -{ - const uint8_t *p = (uint8_t const *)pp; - - return ((uint64_t)(p[7]) + ((uint64_t)(p[6]) << 8) + - ((uint64_t)(p[5]) << 16) + ((uint64_t)(p[4]) << 24) + - ((uint64_t)(p[3]) << 32) + ((uint64_t)(p[2]) << 40) + - ((uint64_t)(p[1]) << 48) + ((uint64_t)(p[0]) << 56)); -} - -static inline void -be64enc(void *pp, uint64_t x) -{ - uint8_t * p = (uint8_t *)pp; - - p[7] = x & 0xff; - p[6] = (x >> 8) & 0xff; - p[5] = (x >> 16) & 0xff; - p[4] = (x >> 24) & 0xff; - p[3] = (x >> 32) & 0xff; - p[2] = (x >> 40) & 0xff; - p[1] = (x >> 48) & 0xff; - p[0] = (x >> 56) & 0xff; -} - -static inline uint16_t -le16dec(const void *pp) -{ - const uint8_t *p = (uint8_t const *)pp; - - return ((uint16_t)(p[0]) + ((uint16_t)(p[1]) << 8)); -} - -static inline void -le16enc(void *pp, uint16_t x) -{ - uint8_t * p = (uint8_t *)pp; - - p[0] = x & 0xff; - p[1] = (x >> 8) & 0xff; -} - -static inline uint32_t -le32dec(const void *pp) -{ - const uint8_t *p = (uint8_t const *)pp; - - return ((uint32_t)(p[0]) + ((uint32_t)(p[1]) << 8) + - ((uint32_t)(p[2]) << 16) + ((uint32_t)(p[3]) << 24)); -} - -static inline void -le32enc(void *pp, uint32_t x) -{ - uint8_t * p = (uint8_t *)pp; - - p[0] = x & 0xff; - p[1] = (x >> 8) & 0xff; - p[2] = (x >> 16) & 0xff; - p[3] = (x >> 24) & 0xff; -} - -static inline uint64_t -le64dec(const void *pp) -{ - const uint8_t *p = (uint8_t const *)pp; - - return ((uint64_t)(p[0]) + ((uint64_t)(p[1]) << 8) + - ((uint64_t)(p[2]) << 16) + ((uint64_t)(p[3]) << 24) + - ((uint64_t)(p[4]) << 32) + ((uint64_t)(p[5]) << 40) + - ((uint64_t)(p[6]) << 48) + ((uint64_t)(p[7]) << 56)); -} - -static inline void -le64enc(void *pp, uint64_t x) -{ - uint8_t * p = (uint8_t *)pp; - - p[0] = x & 0xff; - p[1] = (x >> 8) & 0xff; - p[2] = (x >> 16) & 0xff; - p[3] = (x >> 24) & 0xff; - p[4] = (x >> 32) & 0xff; - p[5] = (x >> 40) & 0xff; - p[6] = (x >> 48) & 0xff; - p[7] = (x >> 56) & 0xff; -} - -#endif /* !_SYSENDIAN_H_ */ From 23e5b13b003f8271c8be0ba31a6728cbad3e465b Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 10 Apr 2014 19:46:07 -0700 Subject: [PATCH 12/40] Indentation --- .../hmacsha256/cp/hmac_hmacsha256.c | 497 ++++++++---------- 1 file changed, 219 insertions(+), 278 deletions(-) diff --git a/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c index 989ed971..894a64f0 100644 --- a/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c +++ b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c @@ -37,373 +37,314 @@ #include #include -typedef struct SHA256Context { - uint32_t state[8]; - uint32_t count[2]; - unsigned char buf[64]; -} SHA256_CTX; +typedef struct crypto_hash_sha256_state { + uint32_t state[8]; + uint32_t count[2]; + unsigned char buf[64]; +} crypto_hash_sha256_state; -typedef struct HMAC_SHA256Context { - SHA256_CTX ictx; - SHA256_CTX octx; -} HMAC_SHA256_CTX; +typedef struct crypto_hmac_sha256_state { + crypto_hash_sha256_state ictx; + crypto_hash_sha256_state octx; +} crypto_hmac_sha256_state; -static void _SHA256_Init(SHA256_CTX *); -static void _SHA256_Update(SHA256_CTX *, const void *, size_t); -static void _SHA256_Final(unsigned char [32], SHA256_CTX *); -static void HMAC__SHA256_Init(HMAC_SHA256_CTX *, const void *, size_t); -static void HMAC__SHA256_Update(HMAC_SHA256_CTX *, const void *, size_t); -static void HMAC__SHA256_Final(unsigned char [32], HMAC_SHA256_CTX *); +static void _SHA256_Init(crypto_hash_sha256_state *); +static void _SHA256_Update(crypto_hash_sha256_state *, const void *, size_t); +static void _SHA256_Final(unsigned char [32], crypto_hash_sha256_state *); +static void HMAC__SHA256_Init(crypto_hmac_sha256_state *, const void *, size_t); +static void HMAC__SHA256_Update(crypto_hmac_sha256_state *, const void *, size_t); +static void HMAC__SHA256_Final(unsigned char [32], crypto_hmac_sha256_state *); /* Avoid namespace collisions with BSD . */ -#define be32dec scrypt_be32dec -#define be32enc scrypt_be32enc +#define be32dec _sha256_be32dec +#define be32enc _sha256_be32enc static inline uint32_t be32dec(const void *pp) { - const uint8_t *p = (uint8_t const *)pp; + const uint8_t *p = (uint8_t const *)pp; - return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) + - ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24)); + return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) + + ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24)); } static inline void be32enc(void *pp, uint32_t x) { - uint8_t * p = (uint8_t *)pp; + uint8_t * p = (uint8_t *)pp; - p[3] = x & 0xff; - p[2] = (x >> 8) & 0xff; - p[1] = (x >> 16) & 0xff; - p[0] = (x >> 24) & 0xff; + p[3] = x & 0xff; + p[2] = (x >> 8) & 0xff; + p[1] = (x >> 16) & 0xff; + p[0] = (x >> 24) & 0xff; } -/* - * Encode a length len/4 vector of (uint32_t) into a length len vector of - * (unsigned char) in big-endian form. Assumes len is a multiple of 4. - */ static void be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len) { - size_t i; + size_t i; - for (i = 0; i < len / 4; i++) - be32enc(dst + i * 4, src[i]); + for (i = 0; i < len / 4; i++) { + be32enc(dst + i * 4, src[i]); + } } -/* - * Decode a big-endian length len vector of (unsigned char) into a length - * len/4 vector of (uint32_t). Assumes len is a multiple of 4. - */ static void be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) { - size_t i; + size_t i; - for (i = 0; i < len / 4; i++) - dst[i] = be32dec(src + i * 4); + for (i = 0; i < len / 4; i++) { + dst[i] = be32dec(src + i * 4); + } } -/* Elementary functions used by SHA256 */ -#define Ch(x, y, z) ((x & (y ^ z)) ^ z) -#define Maj(x, y, z) ((x & (y | z)) | (y & z)) -#define SHR(x, n) (x >> n) -#define ROTR(x, n) ((x >> n) | (x << (32 - n))) -#define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) -#define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) -#define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) -#define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) +#define Ch(x, y, z) ((x & (y ^ z)) ^ z) +#define Maj(x, y, z) ((x & (y | z)) | (y & z)) +#define SHR(x, n) (x >> n) +#define ROTR(x, n) ((x >> n) | (x << (32 - n))) +#define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) +#define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) +#define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) +#define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) -/* SHA256 round function */ -#define RND(a, b, c, d, e, f, g, h, k) \ - t0 = h + S1(e) + Ch(e, f, g) + k; \ - t1 = S0(a) + Maj(a, b, c); \ - d += t0; \ - h = t0 + t1; +#define RND(a, b, c, d, e, f, g, h, k) \ + t0 = h + S1(e) + Ch(e, f, g) + k; \ + t1 = S0(a) + Maj(a, b, c); \ + d += t0; \ + h = t0 + t1; -/* Adjusted round function for rotating state */ -#define RNDr(S, W, i, k) \ - RND(S[(64 - i) % 8], S[(65 - i) % 8], \ - S[(66 - i) % 8], S[(67 - i) % 8], \ - S[(68 - i) % 8], S[(69 - i) % 8], \ - S[(70 - i) % 8], S[(71 - i) % 8], \ - W[i] + k) +#define RNDr(S, W, i, k) \ + RND(S[(64 - i) % 8], S[(65 - i) % 8], \ + S[(66 - i) % 8], S[(67 - i) % 8], \ + S[(68 - i) % 8], S[(69 - i) % 8], \ + S[(70 - i) % 8], S[(71 - i) % 8], \ + W[i] + k) -/* - * SHA256 block compression function. The 256-bit state is transformed via - * the 512-bit input block to produce a new state. - */ static void SHA256_Transform(uint32_t * state, const unsigned char block[64]) { - uint32_t W[64]; - uint32_t S[8]; - uint32_t t0, t1; - int i; + uint32_t W[64]; + uint32_t S[8]; + uint32_t t0, t1; + int i; - /* 1. Prepare message schedule W. */ - be32dec_vect(W, block, 64); - for (i = 16; i < 64; i++) - W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16]; + be32dec_vect(W, block, 64); + for (i = 16; i < 64; i++) { + W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16]; + } - /* 2. Initialize working variables. */ - memcpy(S, state, 32); + memcpy(S, state, 32); - /* 3. Mix. */ - RNDr(S, W, 0, 0x428a2f98); - RNDr(S, W, 1, 0x71374491); - RNDr(S, W, 2, 0xb5c0fbcf); - RNDr(S, W, 3, 0xe9b5dba5); - RNDr(S, W, 4, 0x3956c25b); - RNDr(S, W, 5, 0x59f111f1); - RNDr(S, W, 6, 0x923f82a4); - RNDr(S, W, 7, 0xab1c5ed5); - RNDr(S, W, 8, 0xd807aa98); - RNDr(S, W, 9, 0x12835b01); - RNDr(S, W, 10, 0x243185be); - RNDr(S, W, 11, 0x550c7dc3); - RNDr(S, W, 12, 0x72be5d74); - RNDr(S, W, 13, 0x80deb1fe); - RNDr(S, W, 14, 0x9bdc06a7); - RNDr(S, W, 15, 0xc19bf174); - RNDr(S, W, 16, 0xe49b69c1); - RNDr(S, W, 17, 0xefbe4786); - RNDr(S, W, 18, 0x0fc19dc6); - RNDr(S, W, 19, 0x240ca1cc); - RNDr(S, W, 20, 0x2de92c6f); - RNDr(S, W, 21, 0x4a7484aa); - RNDr(S, W, 22, 0x5cb0a9dc); - RNDr(S, W, 23, 0x76f988da); - RNDr(S, W, 24, 0x983e5152); - RNDr(S, W, 25, 0xa831c66d); - RNDr(S, W, 26, 0xb00327c8); - RNDr(S, W, 27, 0xbf597fc7); - RNDr(S, W, 28, 0xc6e00bf3); - RNDr(S, W, 29, 0xd5a79147); - RNDr(S, W, 30, 0x06ca6351); - RNDr(S, W, 31, 0x14292967); - RNDr(S, W, 32, 0x27b70a85); - RNDr(S, W, 33, 0x2e1b2138); - RNDr(S, W, 34, 0x4d2c6dfc); - RNDr(S, W, 35, 0x53380d13); - RNDr(S, W, 36, 0x650a7354); - RNDr(S, W, 37, 0x766a0abb); - RNDr(S, W, 38, 0x81c2c92e); - RNDr(S, W, 39, 0x92722c85); - RNDr(S, W, 40, 0xa2bfe8a1); - RNDr(S, W, 41, 0xa81a664b); - RNDr(S, W, 42, 0xc24b8b70); - RNDr(S, W, 43, 0xc76c51a3); - RNDr(S, W, 44, 0xd192e819); - RNDr(S, W, 45, 0xd6990624); - RNDr(S, W, 46, 0xf40e3585); - RNDr(S, W, 47, 0x106aa070); - RNDr(S, W, 48, 0x19a4c116); - RNDr(S, W, 49, 0x1e376c08); - RNDr(S, W, 50, 0x2748774c); - RNDr(S, W, 51, 0x34b0bcb5); - RNDr(S, W, 52, 0x391c0cb3); - RNDr(S, W, 53, 0x4ed8aa4a); - RNDr(S, W, 54, 0x5b9cca4f); - RNDr(S, W, 55, 0x682e6ff3); - RNDr(S, W, 56, 0x748f82ee); - RNDr(S, W, 57, 0x78a5636f); - RNDr(S, W, 58, 0x84c87814); - RNDr(S, W, 59, 0x8cc70208); - RNDr(S, W, 60, 0x90befffa); - RNDr(S, W, 61, 0xa4506ceb); - RNDr(S, W, 62, 0xbef9a3f7); - RNDr(S, W, 63, 0xc67178f2); + RNDr(S, W, 0, 0x428a2f98); + RNDr(S, W, 1, 0x71374491); + RNDr(S, W, 2, 0xb5c0fbcf); + RNDr(S, W, 3, 0xe9b5dba5); + RNDr(S, W, 4, 0x3956c25b); + RNDr(S, W, 5, 0x59f111f1); + RNDr(S, W, 6, 0x923f82a4); + RNDr(S, W, 7, 0xab1c5ed5); + RNDr(S, W, 8, 0xd807aa98); + RNDr(S, W, 9, 0x12835b01); + RNDr(S, W, 10, 0x243185be); + RNDr(S, W, 11, 0x550c7dc3); + RNDr(S, W, 12, 0x72be5d74); + RNDr(S, W, 13, 0x80deb1fe); + RNDr(S, W, 14, 0x9bdc06a7); + RNDr(S, W, 15, 0xc19bf174); + RNDr(S, W, 16, 0xe49b69c1); + RNDr(S, W, 17, 0xefbe4786); + RNDr(S, W, 18, 0x0fc19dc6); + RNDr(S, W, 19, 0x240ca1cc); + RNDr(S, W, 20, 0x2de92c6f); + RNDr(S, W, 21, 0x4a7484aa); + RNDr(S, W, 22, 0x5cb0a9dc); + RNDr(S, W, 23, 0x76f988da); + RNDr(S, W, 24, 0x983e5152); + RNDr(S, W, 25, 0xa831c66d); + RNDr(S, W, 26, 0xb00327c8); + RNDr(S, W, 27, 0xbf597fc7); + RNDr(S, W, 28, 0xc6e00bf3); + RNDr(S, W, 29, 0xd5a79147); + RNDr(S, W, 30, 0x06ca6351); + RNDr(S, W, 31, 0x14292967); + RNDr(S, W, 32, 0x27b70a85); + RNDr(S, W, 33, 0x2e1b2138); + RNDr(S, W, 34, 0x4d2c6dfc); + RNDr(S, W, 35, 0x53380d13); + RNDr(S, W, 36, 0x650a7354); + RNDr(S, W, 37, 0x766a0abb); + RNDr(S, W, 38, 0x81c2c92e); + RNDr(S, W, 39, 0x92722c85); + RNDr(S, W, 40, 0xa2bfe8a1); + RNDr(S, W, 41, 0xa81a664b); + RNDr(S, W, 42, 0xc24b8b70); + RNDr(S, W, 43, 0xc76c51a3); + RNDr(S, W, 44, 0xd192e819); + RNDr(S, W, 45, 0xd6990624); + RNDr(S, W, 46, 0xf40e3585); + RNDr(S, W, 47, 0x106aa070); + RNDr(S, W, 48, 0x19a4c116); + RNDr(S, W, 49, 0x1e376c08); + RNDr(S, W, 50, 0x2748774c); + RNDr(S, W, 51, 0x34b0bcb5); + RNDr(S, W, 52, 0x391c0cb3); + RNDr(S, W, 53, 0x4ed8aa4a); + RNDr(S, W, 54, 0x5b9cca4f); + RNDr(S, W, 55, 0x682e6ff3); + RNDr(S, W, 56, 0x748f82ee); + RNDr(S, W, 57, 0x78a5636f); + RNDr(S, W, 58, 0x84c87814); + RNDr(S, W, 59, 0x8cc70208); + RNDr(S, W, 60, 0x90befffa); + RNDr(S, W, 61, 0xa4506ceb); + RNDr(S, W, 62, 0xbef9a3f7); + RNDr(S, W, 63, 0xc67178f2); - /* 4. Mix local working variables into global state */ - for (i = 0; i < 8; i++) - state[i] += S[i]; + for (i = 0; i < 8; i++) { + state[i] += S[i]; + } - /* Clean the stack. */ - sodium_memzero(W, 256); - sodium_memzero(S, 32); - t0 = t1 = 0; + sodium_memzero(W, 256); + sodium_memzero(S, 32); + t0 = t1 = 0; } static unsigned char PAD[64] = { - 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; -/* Add padding and terminating bit-count. */ static void -SHA256_Pad(SHA256_CTX * ctx) +SHA256_Pad(crypto_hash_sha256_state * ctx) { - unsigned char len[8]; - uint32_t r, plen; + unsigned char len[8]; + uint32_t r, plen; - /* - * Convert length to a vector of bytes -- we do this now rather - * than later because the length will change after we pad. - */ - be32enc_vect(len, ctx->count, 8); + be32enc_vect(len, ctx->count, 8); - /* Add 1--64 bytes so that the resulting length is 56 mod 64 */ - r = (ctx->count[1] >> 3) & 0x3f; - plen = (r < 56) ? (56 - r) : (120 - r); - _SHA256_Update(ctx, PAD, (size_t)plen); + r = (ctx->count[1] >> 3) & 0x3f; + plen = (r < 56) ? (56 - r) : (120 - r); + _SHA256_Update(ctx, PAD, (size_t)plen); - /* Add the terminating bit-count */ - _SHA256_Update(ctx, len, 8); + _SHA256_Update(ctx, len, 8); } -/* SHA-256 initialization. Begins a SHA-256 operation. */ static void -_SHA256_Init(SHA256_CTX * ctx) +_SHA256_Init(crypto_hash_sha256_state * ctx) { + ctx->count[0] = ctx->count[1] = 0; - /* Zero bits processed so far */ - ctx->count[0] = ctx->count[1] = 0; - - /* Magic initialization constants */ - ctx->state[0] = 0x6A09E667; - ctx->state[1] = 0xBB67AE85; - ctx->state[2] = 0x3C6EF372; - ctx->state[3] = 0xA54FF53A; - ctx->state[4] = 0x510E527F; - ctx->state[5] = 0x9B05688C; - ctx->state[6] = 0x1F83D9AB; - ctx->state[7] = 0x5BE0CD19; + ctx->state[0] = 0x6A09E667; + ctx->state[1] = 0xBB67AE85; + ctx->state[2] = 0x3C6EF372; + ctx->state[3] = 0xA54FF53A; + ctx->state[4] = 0x510E527F; + ctx->state[5] = 0x9B05688C; + ctx->state[6] = 0x1F83D9AB; + ctx->state[7] = 0x5BE0CD19; } -/* Add bytes into the hash */ static void -_SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len) +_SHA256_Update(crypto_hash_sha256_state * ctx, const void *in, size_t len) { - uint32_t bitlen[2]; - uint32_t r; - const unsigned char *src = (const unsigned char *) in; + uint32_t bitlen[2]; + uint32_t r; + const unsigned char *src = (const unsigned char *) in; - /* Number of bytes left in the buffer from previous updates */ - r = (ctx->count[1] >> 3) & 0x3f; + r = (ctx->count[1] >> 3) & 0x3f; - /* Convert the length into a number of bits */ - bitlen[1] = ((uint32_t)len) << 3; - bitlen[0] = (uint32_t)(len >> 29); + bitlen[1] = ((uint32_t)len) << 3; + bitlen[0] = (uint32_t)(len >> 29); - /* Update number of bits */ - if ((ctx->count[1] += bitlen[1]) < bitlen[1]) - ctx->count[0]++; - ctx->count[0] += bitlen[0]; + if ((ctx->count[1] += bitlen[1]) < bitlen[1]) { + ctx->count[0]++; + } + ctx->count[0] += bitlen[0]; - /* Handle the case where we don't need to perform any transforms */ - if (len < 64 - r) { - memcpy(&ctx->buf[r], src, len); - return; - } + if (len < 64 - r) { + memcpy(&ctx->buf[r], src, len); + return; + } - /* Finish the current block */ - memcpy(&ctx->buf[r], src, 64 - r); - SHA256_Transform(ctx->state, ctx->buf); - src += 64 - r; - len -= 64 - r; + memcpy(&ctx->buf[r], src, 64 - r); + SHA256_Transform(ctx->state, ctx->buf); + src += 64 - r; + len -= 64 - r; - /* Perform complete blocks */ - while (len >= 64) { - SHA256_Transform(ctx->state, src); - src += 64; - len -= 64; - } - - /* Copy left over data into buffer */ - memcpy(ctx->buf, src, len); + while (len >= 64) { + SHA256_Transform(ctx->state, src); + src += 64; + len -= 64; + } + memcpy(ctx->buf, src, len); } -/* - * SHA-256 finalization. Pads the input data, exports the hash value, - * and clears the context state. - */ static void -_SHA256_Final(unsigned char digest[32], SHA256_CTX * ctx) +_SHA256_Final(unsigned char digest[32], crypto_hash_sha256_state * ctx) { - - /* Add padding */ - SHA256_Pad(ctx); - - /* Write the hash */ - be32enc_vect(digest, ctx->state, 32); - - /* Clear the context state */ - sodium_memzero((void *)ctx, sizeof(*ctx)); + SHA256_Pad(ctx); + be32enc_vect(digest, ctx->state, 32); + sodium_memzero((void *)ctx, sizeof(*ctx)); } -/* Initialize an HMAC-SHA256 operation with the given key. */ static void -HMAC__SHA256_Init(HMAC_SHA256_CTX * ctx, const void * _K, size_t Klen) +HMAC__SHA256_Init(crypto_hmac_sha256_state * ctx, const void * _K, size_t Klen) { - unsigned char pad[64]; - unsigned char khash[32]; - const unsigned char * K = (const unsigned char *) _K; - size_t i; + unsigned char pad[64]; + unsigned char khash[32]; + const unsigned char * K = (const unsigned char *) _K; + size_t i; - /* If Klen > 64, the key is really SHA256(K). */ - if (Klen > 64) { - _SHA256_Init(&ctx->ictx); - _SHA256_Update(&ctx->ictx, K, Klen); - _SHA256_Final(khash, &ctx->ictx); - K = khash; - Klen = 32; - } + if (Klen > 64) { + _SHA256_Init(&ctx->ictx); + _SHA256_Update(&ctx->ictx, K, Klen); + _SHA256_Final(khash, &ctx->ictx); + K = khash; + Klen = 32; + } + _SHA256_Init(&ctx->ictx); + memset(pad, 0x36, 64); + for (i = 0; i < Klen; i++) { + pad[i] ^= K[i]; + } + _SHA256_Update(&ctx->ictx, pad, 64); - /* Inner SHA256 operation is SHA256(K xor [block of 0x36] || data). */ - _SHA256_Init(&ctx->ictx); - memset(pad, 0x36, 64); - for (i = 0; i < Klen; i++) - pad[i] ^= K[i]; - _SHA256_Update(&ctx->ictx, pad, 64); + _SHA256_Init(&ctx->octx); + memset(pad, 0x5c, 64); + for (i = 0; i < Klen; i++) { + pad[i] ^= K[i]; + } + _SHA256_Update(&ctx->octx, pad, 64); - /* Outer SHA256 operation is SHA256(K xor [block of 0x5c] || hash). */ - _SHA256_Init(&ctx->octx); - memset(pad, 0x5c, 64); - for (i = 0; i < Klen; i++) - pad[i] ^= K[i]; - _SHA256_Update(&ctx->octx, pad, 64); - - /* Clean the stack. */ - sodium_memzero(khash, 32); + sodium_memzero(khash, 32); } -/* Add bytes to the HMAC-SHA256 operation. */ -void -HMAC__SHA256_Update(HMAC_SHA256_CTX * ctx, const void *in, size_t len) +static void +HMAC__SHA256_Update(crypto_hmac_sha256_state * ctx, const void *in, size_t len) { - - /* Feed data to the inner SHA256 operation. */ - _SHA256_Update(&ctx->ictx, in, len); + _SHA256_Update(&ctx->ictx, in, len); } -/* Finish an HMAC-SHA256 operation. */ static void -HMAC__SHA256_Final(unsigned char digest[32], HMAC_SHA256_CTX * ctx) +HMAC__SHA256_Final(unsigned char digest[32], crypto_hmac_sha256_state * ctx) { - unsigned char ihash[32]; + unsigned char ihash[32]; - /* Finish the inner SHA256 operation. */ - _SHA256_Final(ihash, &ctx->ictx); + _SHA256_Final(ihash, &ctx->ictx); + _SHA256_Update(&ctx->octx, ihash, 32); + _SHA256_Final(digest, &ctx->octx); - /* Feed the inner hash to the outer SHA256 operation. */ - _SHA256_Update(&ctx->octx, ihash, 32); - - /* Finish the outer SHA256 operation. */ - _SHA256_Final(digest, &ctx->octx); - - /* Clean the stack. */ - sodium_memzero(ihash, 32); + sodium_memzero(ihash, 32); } int crypto_auth(unsigned char *out, const unsigned char *in, unsigned long long inlen, const unsigned char *k) -{ - HMAC_SHA256_CTX ctx; +{ + crypto_hmac_sha256_state ctx; if (inlen > SIZE_MAX) { memset(out, 0, crypto_auth_BYTES); @@ -412,6 +353,6 @@ crypto_auth(unsigned char *out, const unsigned char *in, HMAC__SHA256_Init(&ctx, k, crypto_auth_KEYBYTES); HMAC__SHA256_Update(&ctx, in, (size_t) inlen); HMAC__SHA256_Final(out, &ctx); - + return 0; } From 1d8109c4d64e5caa3bfe4dd96210288651e017dd Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 10 Apr 2014 19:50:51 -0700 Subject: [PATCH 13/40] hash_sha256: ref -> cp --- libsodium.vcxproj | 2 +- libsodium.vcxproj.filters | 2 +- src/libsodium/Makefile.am | 4 ++-- src/libsodium/crypto_hash/sha256/{ref => cp}/api.h | 0 src/libsodium/crypto_hash/sha256/{ref => cp}/hash_sha256.c | 0 5 files changed, 4 insertions(+), 4 deletions(-) rename src/libsodium/crypto_hash/sha256/{ref => cp}/api.h (100%) rename src/libsodium/crypto_hash/sha256/{ref => cp}/hash_sha256.c (100%) diff --git a/libsodium.vcxproj b/libsodium.vcxproj index 437978d2..9b9babef 100644 --- a/libsodium.vcxproj +++ b/libsodium.vcxproj @@ -403,7 +403,7 @@ - + diff --git a/libsodium.vcxproj.filters b/libsodium.vcxproj.filters index 3419de5d..aa76d7d9 100644 --- a/libsodium.vcxproj.filters +++ b/libsodium.vcxproj.filters @@ -256,7 +256,7 @@ Source Files - + Source Files diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am index a3f58c4a..a9a4bd32 100644 --- a/src/libsodium/Makefile.am +++ b/src/libsodium/Makefile.am @@ -40,8 +40,8 @@ libsodium_la_SOURCES = \ crypto_generichash/blake2/ref/generichash_blake2b.c \ crypto_hash/crypto_hash.c \ crypto_hash/sha256/hash_sha256_api.c \ - crypto_hash/sha256/ref/api.h \ - crypto_hash/sha256/ref/hash_sha256.c \ + crypto_hash/sha256/cp/api.h \ + crypto_hash/sha256/cp/hash_sha256.c \ crypto_hash/sha512/hash_sha512_api.c \ crypto_hash/sha512/ref/api.h \ crypto_hash/sha512/ref/hash_sha512.c \ diff --git a/src/libsodium/crypto_hash/sha256/ref/api.h b/src/libsodium/crypto_hash/sha256/cp/api.h similarity index 100% rename from src/libsodium/crypto_hash/sha256/ref/api.h rename to src/libsodium/crypto_hash/sha256/cp/api.h diff --git a/src/libsodium/crypto_hash/sha256/ref/hash_sha256.c b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c similarity index 100% rename from src/libsodium/crypto_hash/sha256/ref/hash_sha256.c rename to src/libsodium/crypto_hash/sha256/cp/hash_sha256.c From 6c42962b57bf0f6efa9df473e38be05be9a303ed Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 10 Apr 2014 21:05:19 -0700 Subject: [PATCH 14/40] Use cp sha256 --- .../hmacsha256/cp/hmac_hmacsha256.c | 247 +----------- .../crypto_hash/sha256/cp/hash_sha256.c | 351 +++++++++++++++--- .../scryptxsalsa208sha256/sha256.c | 261 +------------ 3 files changed, 305 insertions(+), 554 deletions(-) diff --git a/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c index 894a64f0..b0ce9275 100644 --- a/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c +++ b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c @@ -27,7 +27,8 @@ */ #include "api.h" -#include "crypto_hashblocks_sha256.h" +#include "crypto_auth_hmacsha256.h" +#include "crypto_hash_sha256.h" #include "utils.h" #include @@ -48,248 +49,14 @@ typedef struct crypto_hmac_sha256_state { crypto_hash_sha256_state octx; } crypto_hmac_sha256_state; -static void _SHA256_Init(crypto_hash_sha256_state *); -static void _SHA256_Update(crypto_hash_sha256_state *, const void *, size_t); -static void _SHA256_Final(unsigned char [32], crypto_hash_sha256_state *); +void _SHA256_Init(crypto_hash_sha256_state *); +void _SHA256_Update(crypto_hash_sha256_state *, const void *, size_t); +void _SHA256_Final(unsigned char [32], crypto_hash_sha256_state *); + static void HMAC__SHA256_Init(crypto_hmac_sha256_state *, const void *, size_t); static void HMAC__SHA256_Update(crypto_hmac_sha256_state *, const void *, size_t); static void HMAC__SHA256_Final(unsigned char [32], crypto_hmac_sha256_state *); -/* Avoid namespace collisions with BSD . */ -#define be32dec _sha256_be32dec -#define be32enc _sha256_be32enc - -static inline uint32_t -be32dec(const void *pp) -{ - const uint8_t *p = (uint8_t const *)pp; - - return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) + - ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24)); -} - -static inline void -be32enc(void *pp, uint32_t x) -{ - uint8_t * p = (uint8_t *)pp; - - p[3] = x & 0xff; - p[2] = (x >> 8) & 0xff; - p[1] = (x >> 16) & 0xff; - p[0] = (x >> 24) & 0xff; -} - -static void -be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len) -{ - size_t i; - - for (i = 0; i < len / 4; i++) { - be32enc(dst + i * 4, src[i]); - } -} - -static void -be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) -{ - size_t i; - - for (i = 0; i < len / 4; i++) { - dst[i] = be32dec(src + i * 4); - } -} - -#define Ch(x, y, z) ((x & (y ^ z)) ^ z) -#define Maj(x, y, z) ((x & (y | z)) | (y & z)) -#define SHR(x, n) (x >> n) -#define ROTR(x, n) ((x >> n) | (x << (32 - n))) -#define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) -#define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) -#define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) -#define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) - -#define RND(a, b, c, d, e, f, g, h, k) \ - t0 = h + S1(e) + Ch(e, f, g) + k; \ - t1 = S0(a) + Maj(a, b, c); \ - d += t0; \ - h = t0 + t1; - -#define RNDr(S, W, i, k) \ - RND(S[(64 - i) % 8], S[(65 - i) % 8], \ - S[(66 - i) % 8], S[(67 - i) % 8], \ - S[(68 - i) % 8], S[(69 - i) % 8], \ - S[(70 - i) % 8], S[(71 - i) % 8], \ - W[i] + k) - -static void -SHA256_Transform(uint32_t * state, const unsigned char block[64]) -{ - uint32_t W[64]; - uint32_t S[8]; - uint32_t t0, t1; - int i; - - be32dec_vect(W, block, 64); - for (i = 16; i < 64; i++) { - W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16]; - } - - memcpy(S, state, 32); - - RNDr(S, W, 0, 0x428a2f98); - RNDr(S, W, 1, 0x71374491); - RNDr(S, W, 2, 0xb5c0fbcf); - RNDr(S, W, 3, 0xe9b5dba5); - RNDr(S, W, 4, 0x3956c25b); - RNDr(S, W, 5, 0x59f111f1); - RNDr(S, W, 6, 0x923f82a4); - RNDr(S, W, 7, 0xab1c5ed5); - RNDr(S, W, 8, 0xd807aa98); - RNDr(S, W, 9, 0x12835b01); - RNDr(S, W, 10, 0x243185be); - RNDr(S, W, 11, 0x550c7dc3); - RNDr(S, W, 12, 0x72be5d74); - RNDr(S, W, 13, 0x80deb1fe); - RNDr(S, W, 14, 0x9bdc06a7); - RNDr(S, W, 15, 0xc19bf174); - RNDr(S, W, 16, 0xe49b69c1); - RNDr(S, W, 17, 0xefbe4786); - RNDr(S, W, 18, 0x0fc19dc6); - RNDr(S, W, 19, 0x240ca1cc); - RNDr(S, W, 20, 0x2de92c6f); - RNDr(S, W, 21, 0x4a7484aa); - RNDr(S, W, 22, 0x5cb0a9dc); - RNDr(S, W, 23, 0x76f988da); - RNDr(S, W, 24, 0x983e5152); - RNDr(S, W, 25, 0xa831c66d); - RNDr(S, W, 26, 0xb00327c8); - RNDr(S, W, 27, 0xbf597fc7); - RNDr(S, W, 28, 0xc6e00bf3); - RNDr(S, W, 29, 0xd5a79147); - RNDr(S, W, 30, 0x06ca6351); - RNDr(S, W, 31, 0x14292967); - RNDr(S, W, 32, 0x27b70a85); - RNDr(S, W, 33, 0x2e1b2138); - RNDr(S, W, 34, 0x4d2c6dfc); - RNDr(S, W, 35, 0x53380d13); - RNDr(S, W, 36, 0x650a7354); - RNDr(S, W, 37, 0x766a0abb); - RNDr(S, W, 38, 0x81c2c92e); - RNDr(S, W, 39, 0x92722c85); - RNDr(S, W, 40, 0xa2bfe8a1); - RNDr(S, W, 41, 0xa81a664b); - RNDr(S, W, 42, 0xc24b8b70); - RNDr(S, W, 43, 0xc76c51a3); - RNDr(S, W, 44, 0xd192e819); - RNDr(S, W, 45, 0xd6990624); - RNDr(S, W, 46, 0xf40e3585); - RNDr(S, W, 47, 0x106aa070); - RNDr(S, W, 48, 0x19a4c116); - RNDr(S, W, 49, 0x1e376c08); - RNDr(S, W, 50, 0x2748774c); - RNDr(S, W, 51, 0x34b0bcb5); - RNDr(S, W, 52, 0x391c0cb3); - RNDr(S, W, 53, 0x4ed8aa4a); - RNDr(S, W, 54, 0x5b9cca4f); - RNDr(S, W, 55, 0x682e6ff3); - RNDr(S, W, 56, 0x748f82ee); - RNDr(S, W, 57, 0x78a5636f); - RNDr(S, W, 58, 0x84c87814); - RNDr(S, W, 59, 0x8cc70208); - RNDr(S, W, 60, 0x90befffa); - RNDr(S, W, 61, 0xa4506ceb); - RNDr(S, W, 62, 0xbef9a3f7); - RNDr(S, W, 63, 0xc67178f2); - - for (i = 0; i < 8; i++) { - state[i] += S[i]; - } - - sodium_memzero(W, 256); - sodium_memzero(S, 32); - t0 = t1 = 0; -} - -static unsigned char PAD[64] = { - 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 -}; - -static void -SHA256_Pad(crypto_hash_sha256_state * ctx) -{ - unsigned char len[8]; - uint32_t r, plen; - - be32enc_vect(len, ctx->count, 8); - - r = (ctx->count[1] >> 3) & 0x3f; - plen = (r < 56) ? (56 - r) : (120 - r); - _SHA256_Update(ctx, PAD, (size_t)plen); - - _SHA256_Update(ctx, len, 8); -} - -static void -_SHA256_Init(crypto_hash_sha256_state * ctx) -{ - ctx->count[0] = ctx->count[1] = 0; - - ctx->state[0] = 0x6A09E667; - ctx->state[1] = 0xBB67AE85; - ctx->state[2] = 0x3C6EF372; - ctx->state[3] = 0xA54FF53A; - ctx->state[4] = 0x510E527F; - ctx->state[5] = 0x9B05688C; - ctx->state[6] = 0x1F83D9AB; - ctx->state[7] = 0x5BE0CD19; -} - -static void -_SHA256_Update(crypto_hash_sha256_state * ctx, const void *in, size_t len) -{ - uint32_t bitlen[2]; - uint32_t r; - const unsigned char *src = (const unsigned char *) in; - - r = (ctx->count[1] >> 3) & 0x3f; - - bitlen[1] = ((uint32_t)len) << 3; - bitlen[0] = (uint32_t)(len >> 29); - - if ((ctx->count[1] += bitlen[1]) < bitlen[1]) { - ctx->count[0]++; - } - ctx->count[0] += bitlen[0]; - - if (len < 64 - r) { - memcpy(&ctx->buf[r], src, len); - return; - } - - memcpy(&ctx->buf[r], src, 64 - r); - SHA256_Transform(ctx->state, ctx->buf); - src += 64 - r; - len -= 64 - r; - - while (len >= 64) { - SHA256_Transform(ctx->state, src); - src += 64; - len -= 64; - } - memcpy(ctx->buf, src, len); -} - -static void -_SHA256_Final(unsigned char digest[32], crypto_hash_sha256_state * ctx) -{ - SHA256_Pad(ctx); - be32enc_vect(digest, ctx->state, 32); - sodium_memzero((void *)ctx, sizeof(*ctx)); -} - static void HMAC__SHA256_Init(crypto_hmac_sha256_state * ctx, const void * _K, size_t Klen) { @@ -351,7 +118,7 @@ crypto_auth(unsigned char *out, const unsigned char *in, return -1; } HMAC__SHA256_Init(&ctx, k, crypto_auth_KEYBYTES); - HMAC__SHA256_Update(&ctx, in, (size_t) inlen); + HMAC__SHA256_Update(&ctx, (const void *) in, (size_t) inlen); HMAC__SHA256_Final(out, &ctx); return 0; diff --git a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c index 4b6891cb..d484605b 100644 --- a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c +++ b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c @@ -1,69 +1,300 @@ -/* -20080913 -D. J. Bernstein -Public domain. -*/ + +/*- + * Copyright 2005,2007,2009 Colin Percival + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + */ #include "api.h" -#include "crypto_hashblocks_sha256.h" +#include "crypto_hash_sha256.h" +#include "utils.h" -#define blocks crypto_hashblocks_sha256 +#include -typedef unsigned int uint32; +#include +#include +#include +#include -static const unsigned char iv[32] = { - 0x6a,0x09,0xe6,0x67, - 0xbb,0x67,0xae,0x85, - 0x3c,0x6e,0xf3,0x72, - 0xa5,0x4f,0xf5,0x3a, - 0x51,0x0e,0x52,0x7f, - 0x9b,0x05,0x68,0x8c, - 0x1f,0x83,0xd9,0xab, - 0x5b,0xe0,0xcd,0x19, -} ; +typedef struct crypto_hash_sha256_state { + uint32_t state[8]; + uint32_t count[2]; + unsigned char buf[64]; +} crypto_hash_sha256_state; -int crypto_hash(unsigned char *out,const unsigned char *in,unsigned long long inlen) +void _SHA256_Init(crypto_hash_sha256_state *); +void _SHA256_Update(crypto_hash_sha256_state *, const void *, size_t); +void _SHA256_Final(unsigned char [32], crypto_hash_sha256_state *); + +/* Avoid namespace collisions with BSD . */ +#define be32dec _sha256_be32dec +#define be32enc _sha256_be32enc + +static inline uint32_t +be32dec(const void *pp) { - unsigned char h[32]; - unsigned char padded[128]; - unsigned long long i; - unsigned long long bits = inlen << 3; + const uint8_t *p = (uint8_t const *)pp; - for (i = 0;i < 32;++i) h[i] = iv[i]; - - blocks(h,in,inlen); - in += inlen; - inlen &= 63; - in -= inlen; - - for (i = 0;i < inlen;++i) padded[i] = in[i]; - padded[inlen] = 0x80; - - if (inlen < 56) { - for (i = inlen + 1;i < 56;++i) padded[i] = 0; - padded[56] = bits >> 56; - padded[57] = bits >> 48; - padded[58] = bits >> 40; - padded[59] = bits >> 32; - padded[60] = bits >> 24; - padded[61] = bits >> 16; - padded[62] = bits >> 8; - padded[63] = bits; - blocks(h,padded,64); - } else { - for (i = inlen + 1;i < 120;++i) padded[i] = 0; - padded[120] = bits >> 56; - padded[121] = bits >> 48; - padded[122] = bits >> 40; - padded[123] = bits >> 32; - padded[124] = bits >> 24; - padded[125] = bits >> 16; - padded[126] = bits >> 8; - padded[127] = bits; - blocks(h,padded,128); - } - - for (i = 0;i < 32;++i) out[i] = h[i]; - - return 0; + return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) + + ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24)); +} + +static inline void +be32enc(void *pp, uint32_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[3] = x & 0xff; + p[2] = (x >> 8) & 0xff; + p[1] = (x >> 16) & 0xff; + p[0] = (x >> 24) & 0xff; +} + +static void +be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len) +{ + size_t i; + + for (i = 0; i < len / 4; i++) { + be32enc(dst + i * 4, src[i]); + } +} + +static void +be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) +{ + size_t i; + + for (i = 0; i < len / 4; i++) { + dst[i] = be32dec(src + i * 4); + } +} + +#define Ch(x, y, z) ((x & (y ^ z)) ^ z) +#define Maj(x, y, z) ((x & (y | z)) | (y & z)) +#define SHR(x, n) (x >> n) +#define ROTR(x, n) ((x >> n) | (x << (32 - n))) +#define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) +#define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) +#define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) +#define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) + +#define RND(a, b, c, d, e, f, g, h, k) \ + t0 = h + S1(e) + Ch(e, f, g) + k; \ + t1 = S0(a) + Maj(a, b, c); \ + d += t0; \ + h = t0 + t1; + +#define RNDr(S, W, i, k) \ + RND(S[(64 - i) % 8], S[(65 - i) % 8], \ + S[(66 - i) % 8], S[(67 - i) % 8], \ + S[(68 - i) % 8], S[(69 - i) % 8], \ + S[(70 - i) % 8], S[(71 - i) % 8], \ + W[i] + k) + +static void +SHA256_Transform(uint32_t * state, const unsigned char block[64]) +{ + uint32_t W[64]; + uint32_t S[8]; + uint32_t t0, t1; + int i; + + be32dec_vect(W, block, 64); + for (i = 16; i < 64; i++) { + W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16]; + } + + memcpy(S, state, 32); + + RNDr(S, W, 0, 0x428a2f98); + RNDr(S, W, 1, 0x71374491); + RNDr(S, W, 2, 0xb5c0fbcf); + RNDr(S, W, 3, 0xe9b5dba5); + RNDr(S, W, 4, 0x3956c25b); + RNDr(S, W, 5, 0x59f111f1); + RNDr(S, W, 6, 0x923f82a4); + RNDr(S, W, 7, 0xab1c5ed5); + RNDr(S, W, 8, 0xd807aa98); + RNDr(S, W, 9, 0x12835b01); + RNDr(S, W, 10, 0x243185be); + RNDr(S, W, 11, 0x550c7dc3); + RNDr(S, W, 12, 0x72be5d74); + RNDr(S, W, 13, 0x80deb1fe); + RNDr(S, W, 14, 0x9bdc06a7); + RNDr(S, W, 15, 0xc19bf174); + RNDr(S, W, 16, 0xe49b69c1); + RNDr(S, W, 17, 0xefbe4786); + RNDr(S, W, 18, 0x0fc19dc6); + RNDr(S, W, 19, 0x240ca1cc); + RNDr(S, W, 20, 0x2de92c6f); + RNDr(S, W, 21, 0x4a7484aa); + RNDr(S, W, 22, 0x5cb0a9dc); + RNDr(S, W, 23, 0x76f988da); + RNDr(S, W, 24, 0x983e5152); + RNDr(S, W, 25, 0xa831c66d); + RNDr(S, W, 26, 0xb00327c8); + RNDr(S, W, 27, 0xbf597fc7); + RNDr(S, W, 28, 0xc6e00bf3); + RNDr(S, W, 29, 0xd5a79147); + RNDr(S, W, 30, 0x06ca6351); + RNDr(S, W, 31, 0x14292967); + RNDr(S, W, 32, 0x27b70a85); + RNDr(S, W, 33, 0x2e1b2138); + RNDr(S, W, 34, 0x4d2c6dfc); + RNDr(S, W, 35, 0x53380d13); + RNDr(S, W, 36, 0x650a7354); + RNDr(S, W, 37, 0x766a0abb); + RNDr(S, W, 38, 0x81c2c92e); + RNDr(S, W, 39, 0x92722c85); + RNDr(S, W, 40, 0xa2bfe8a1); + RNDr(S, W, 41, 0xa81a664b); + RNDr(S, W, 42, 0xc24b8b70); + RNDr(S, W, 43, 0xc76c51a3); + RNDr(S, W, 44, 0xd192e819); + RNDr(S, W, 45, 0xd6990624); + RNDr(S, W, 46, 0xf40e3585); + RNDr(S, W, 47, 0x106aa070); + RNDr(S, W, 48, 0x19a4c116); + RNDr(S, W, 49, 0x1e376c08); + RNDr(S, W, 50, 0x2748774c); + RNDr(S, W, 51, 0x34b0bcb5); + RNDr(S, W, 52, 0x391c0cb3); + RNDr(S, W, 53, 0x4ed8aa4a); + RNDr(S, W, 54, 0x5b9cca4f); + RNDr(S, W, 55, 0x682e6ff3); + RNDr(S, W, 56, 0x748f82ee); + RNDr(S, W, 57, 0x78a5636f); + RNDr(S, W, 58, 0x84c87814); + RNDr(S, W, 59, 0x8cc70208); + RNDr(S, W, 60, 0x90befffa); + RNDr(S, W, 61, 0xa4506ceb); + RNDr(S, W, 62, 0xbef9a3f7); + RNDr(S, W, 63, 0xc67178f2); + + for (i = 0; i < 8; i++) { + state[i] += S[i]; + } + + sodium_memzero(W, 256); + sodium_memzero(S, 32); + t0 = t1 = 0; +} + +static unsigned char PAD[64] = { + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 +}; + +static void +SHA256_Pad(crypto_hash_sha256_state * ctx) +{ + unsigned char len[8]; + uint32_t r, plen; + + be32enc_vect(len, ctx->count, 8); + + r = (ctx->count[1] >> 3) & 0x3f; + plen = (r < 56) ? (56 - r) : (120 - r); + _SHA256_Update(ctx, PAD, (size_t)plen); + + _SHA256_Update(ctx, len, 8); +} + +void +_SHA256_Init(crypto_hash_sha256_state * ctx) +{ + ctx->count[0] = ctx->count[1] = 0; + + ctx->state[0] = 0x6A09E667; + ctx->state[1] = 0xBB67AE85; + ctx->state[2] = 0x3C6EF372; + ctx->state[3] = 0xA54FF53A; + ctx->state[4] = 0x510E527F; + ctx->state[5] = 0x9B05688C; + ctx->state[6] = 0x1F83D9AB; + ctx->state[7] = 0x5BE0CD19; +} + +void +_SHA256_Update(crypto_hash_sha256_state * ctx, const void *in, size_t len) +{ + uint32_t bitlen[2]; + uint32_t r; + const unsigned char *src = (const unsigned char *) in; + + r = (ctx->count[1] >> 3) & 0x3f; + + bitlen[1] = ((uint32_t)len) << 3; + bitlen[0] = (uint32_t)(len >> 29); + + if ((ctx->count[1] += bitlen[1]) < bitlen[1]) { + ctx->count[0]++; + } + ctx->count[0] += bitlen[0]; + + if (len < 64 - r) { + memcpy(&ctx->buf[r], src, len); + return; + } + + memcpy(&ctx->buf[r], src, 64 - r); + SHA256_Transform(ctx->state, ctx->buf); + src += 64 - r; + len -= 64 - r; + + while (len >= 64) { + SHA256_Transform(ctx->state, src); + src += 64; + len -= 64; + } + memcpy(ctx->buf, src, len); +} + +void +_SHA256_Final(unsigned char digest[32], crypto_hash_sha256_state * ctx) +{ + SHA256_Pad(ctx); + be32enc_vect(digest, ctx->state, 32); + sodium_memzero((void *)ctx, sizeof(*ctx)); +} + +int +crypto_hash(unsigned char *out, const unsigned char *in, + unsigned long long inlen) +{ + crypto_hash_sha256_state ctx; + + if (inlen > SIZE_MAX) { + memset(out, 0, crypto_hash_BYTES); + return -1; + } + _SHA256_Init(&ctx); + _SHA256_Update(&ctx, (const void *) in, (size_t) inlen); + _SHA256_Final(out, &ctx); + + return 0; } diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.c b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.c index 052138ae..870686c0 100644 --- a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.c +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.c @@ -29,264 +29,17 @@ #include #include -#include "sysendian.h" - #include "sha256.h" -/* - * Encode a length len/4 vector of (uint32_t) into a length len vector of - * (unsigned char) in big-endian form. Assumes len is a multiple of 4. - */ -static void -be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len) +static inline void +be32enc(void *pp, uint32_t x) { - size_t i; + uint8_t * p = (uint8_t *)pp; - for (i = 0; i < len / 4; i++) - be32enc(dst + i * 4, src[i]); -} - -/* - * Decode a big-endian length len vector of (unsigned char) into a length - * len/4 vector of (uint32_t). Assumes len is a multiple of 4. - */ -static void -be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) -{ - size_t i; - - for (i = 0; i < len / 4; i++) - dst[i] = be32dec(src + i * 4); -} - -/* Elementary functions used by SHA256 */ -#define Ch(x, y, z) ((x & (y ^ z)) ^ z) -#define Maj(x, y, z) ((x & (y | z)) | (y & z)) -#define SHR(x, n) (x >> n) -#define ROTR(x, n) ((x >> n) | (x << (32 - n))) -#define S0(x) (ROTR(x, 2) ^ ROTR(x, 13) ^ ROTR(x, 22)) -#define S1(x) (ROTR(x, 6) ^ ROTR(x, 11) ^ ROTR(x, 25)) -#define s0(x) (ROTR(x, 7) ^ ROTR(x, 18) ^ SHR(x, 3)) -#define s1(x) (ROTR(x, 17) ^ ROTR(x, 19) ^ SHR(x, 10)) - -/* SHA256 round function */ -#define RND(a, b, c, d, e, f, g, h, k) \ - t0 = h + S1(e) + Ch(e, f, g) + k; \ - t1 = S0(a) + Maj(a, b, c); \ - d += t0; \ - h = t0 + t1; - -/* Adjusted round function for rotating state */ -#define RNDr(S, W, i, k) \ - RND(S[(64 - i) % 8], S[(65 - i) % 8], \ - S[(66 - i) % 8], S[(67 - i) % 8], \ - S[(68 - i) % 8], S[(69 - i) % 8], \ - S[(70 - i) % 8], S[(71 - i) % 8], \ - W[i] + k) - -/* - * SHA256 block compression function. The 256-bit state is transformed via - * the 512-bit input block to produce a new state. - */ -static void -SHA256_Transform(uint32_t * state, const unsigned char block[64]) -{ - uint32_t W[64]; - uint32_t S[8]; - uint32_t t0, t1; - int i; - - /* 1. Prepare message schedule W. */ - be32dec_vect(W, block, 64); - for (i = 16; i < 64; i++) - W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16]; - - /* 2. Initialize working variables. */ - memcpy(S, state, 32); - - /* 3. Mix. */ - RNDr(S, W, 0, 0x428a2f98); - RNDr(S, W, 1, 0x71374491); - RNDr(S, W, 2, 0xb5c0fbcf); - RNDr(S, W, 3, 0xe9b5dba5); - RNDr(S, W, 4, 0x3956c25b); - RNDr(S, W, 5, 0x59f111f1); - RNDr(S, W, 6, 0x923f82a4); - RNDr(S, W, 7, 0xab1c5ed5); - RNDr(S, W, 8, 0xd807aa98); - RNDr(S, W, 9, 0x12835b01); - RNDr(S, W, 10, 0x243185be); - RNDr(S, W, 11, 0x550c7dc3); - RNDr(S, W, 12, 0x72be5d74); - RNDr(S, W, 13, 0x80deb1fe); - RNDr(S, W, 14, 0x9bdc06a7); - RNDr(S, W, 15, 0xc19bf174); - RNDr(S, W, 16, 0xe49b69c1); - RNDr(S, W, 17, 0xefbe4786); - RNDr(S, W, 18, 0x0fc19dc6); - RNDr(S, W, 19, 0x240ca1cc); - RNDr(S, W, 20, 0x2de92c6f); - RNDr(S, W, 21, 0x4a7484aa); - RNDr(S, W, 22, 0x5cb0a9dc); - RNDr(S, W, 23, 0x76f988da); - RNDr(S, W, 24, 0x983e5152); - RNDr(S, W, 25, 0xa831c66d); - RNDr(S, W, 26, 0xb00327c8); - RNDr(S, W, 27, 0xbf597fc7); - RNDr(S, W, 28, 0xc6e00bf3); - RNDr(S, W, 29, 0xd5a79147); - RNDr(S, W, 30, 0x06ca6351); - RNDr(S, W, 31, 0x14292967); - RNDr(S, W, 32, 0x27b70a85); - RNDr(S, W, 33, 0x2e1b2138); - RNDr(S, W, 34, 0x4d2c6dfc); - RNDr(S, W, 35, 0x53380d13); - RNDr(S, W, 36, 0x650a7354); - RNDr(S, W, 37, 0x766a0abb); - RNDr(S, W, 38, 0x81c2c92e); - RNDr(S, W, 39, 0x92722c85); - RNDr(S, W, 40, 0xa2bfe8a1); - RNDr(S, W, 41, 0xa81a664b); - RNDr(S, W, 42, 0xc24b8b70); - RNDr(S, W, 43, 0xc76c51a3); - RNDr(S, W, 44, 0xd192e819); - RNDr(S, W, 45, 0xd6990624); - RNDr(S, W, 46, 0xf40e3585); - RNDr(S, W, 47, 0x106aa070); - RNDr(S, W, 48, 0x19a4c116); - RNDr(S, W, 49, 0x1e376c08); - RNDr(S, W, 50, 0x2748774c); - RNDr(S, W, 51, 0x34b0bcb5); - RNDr(S, W, 52, 0x391c0cb3); - RNDr(S, W, 53, 0x4ed8aa4a); - RNDr(S, W, 54, 0x5b9cca4f); - RNDr(S, W, 55, 0x682e6ff3); - RNDr(S, W, 56, 0x748f82ee); - RNDr(S, W, 57, 0x78a5636f); - RNDr(S, W, 58, 0x84c87814); - RNDr(S, W, 59, 0x8cc70208); - RNDr(S, W, 60, 0x90befffa); - RNDr(S, W, 61, 0xa4506ceb); - RNDr(S, W, 62, 0xbef9a3f7); - RNDr(S, W, 63, 0xc67178f2); - - /* 4. Mix local working variables into global state */ - for (i = 0; i < 8; i++) - state[i] += S[i]; - - /* Clean the stack. */ - memset(W, 0, 256); - memset(S, 0, 32); - t0 = t1 = 0; -} - -static unsigned char PAD[64] = { - 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 -}; - -/* Add padding and terminating bit-count. */ -static void -SHA256_Pad(SHA256_CTX * ctx) -{ - unsigned char len[8]; - uint32_t r, plen; - - /* - * Convert length to a vector of bytes -- we do this now rather - * than later because the length will change after we pad. - */ - be32enc_vect(len, ctx->count, 8); - - /* Add 1--64 bytes so that the resulting length is 56 mod 64 */ - r = (ctx->count[1] >> 3) & 0x3f; - plen = (r < 56) ? (56 - r) : (120 - r); - _SHA256_Update(ctx, PAD, (size_t)plen); - - /* Add the terminating bit-count */ - _SHA256_Update(ctx, len, 8); -} - -/* SHA-256 initialization. Begins a SHA-256 operation. */ -void -_SHA256_Init(SHA256_CTX * ctx) -{ - - /* Zero bits processed so far */ - ctx->count[0] = ctx->count[1] = 0; - - /* Magic initialization constants */ - ctx->state[0] = 0x6A09E667; - ctx->state[1] = 0xBB67AE85; - ctx->state[2] = 0x3C6EF372; - ctx->state[3] = 0xA54FF53A; - ctx->state[4] = 0x510E527F; - ctx->state[5] = 0x9B05688C; - ctx->state[6] = 0x1F83D9AB; - ctx->state[7] = 0x5BE0CD19; -} - -/* Add bytes into the hash */ -void -_SHA256_Update(SHA256_CTX * ctx, const void *in, size_t len) -{ - uint32_t bitlen[2]; - uint32_t r; - const unsigned char *src = (const unsigned char *) in; - - /* Number of bytes left in the buffer from previous updates */ - r = (ctx->count[1] >> 3) & 0x3f; - - /* Convert the length into a number of bits */ - bitlen[1] = ((uint32_t)len) << 3; - bitlen[0] = (uint32_t)(len >> 29); - - /* Update number of bits */ - if ((ctx->count[1] += bitlen[1]) < bitlen[1]) - ctx->count[0]++; - ctx->count[0] += bitlen[0]; - - /* Handle the case where we don't need to perform any transforms */ - if (len < 64 - r) { - memcpy(&ctx->buf[r], src, len); - return; - } - - /* Finish the current block */ - memcpy(&ctx->buf[r], src, 64 - r); - SHA256_Transform(ctx->state, ctx->buf); - src += 64 - r; - len -= 64 - r; - - /* Perform complete blocks */ - while (len >= 64) { - SHA256_Transform(ctx->state, src); - src += 64; - len -= 64; - } - - /* Copy left over data into buffer */ - memcpy(ctx->buf, src, len); -} - -/* - * SHA-256 finalization. Pads the input data, exports the hash value, - * and clears the context state. - */ -void -_SHA256_Final(unsigned char digest[32], SHA256_CTX * ctx) -{ - - /* Add padding */ - SHA256_Pad(ctx); - - /* Write the hash */ - be32enc_vect(digest, ctx->state, 32); - - /* Clear the context state */ - memset((void *)ctx, 0, sizeof(*ctx)); + p[3] = x & 0xff; + p[2] = (x >> 8) & 0xff; + p[1] = (x >> 16) & 0xff; + p[0] = (x >> 24) & 0xff; } /* Initialize an HMAC-SHA256 operation with the given key. */ From 9fa62b38a4434139b9937f0be930698b565db383 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 10 Apr 2014 21:14:04 -0700 Subject: [PATCH 15/40] Move crypto_hash_sha256_state to the crypto_hash_sha256.h header file --- .../crypto_auth/hmacsha256/cp/hmac_hmacsha256.c | 6 ------ .../crypto_hash/sha256/cp/hash_sha256.c | 6 ------ .../scryptxsalsa208sha256/sha256.h | 17 +++++++---------- .../include/sodium/crypto_hash_sha256.h | 9 +++++++++ 4 files changed, 16 insertions(+), 22 deletions(-) diff --git a/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c index b0ce9275..ffe29850 100644 --- a/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c +++ b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c @@ -38,12 +38,6 @@ #include #include -typedef struct crypto_hash_sha256_state { - uint32_t state[8]; - uint32_t count[2]; - unsigned char buf[64]; -} crypto_hash_sha256_state; - typedef struct crypto_hmac_sha256_state { crypto_hash_sha256_state ictx; crypto_hash_sha256_state octx; diff --git a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c index d484605b..9deabcf5 100644 --- a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c +++ b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c @@ -37,12 +37,6 @@ #include #include -typedef struct crypto_hash_sha256_state { - uint32_t state[8]; - uint32_t count[2]; - unsigned char buf[64]; -} crypto_hash_sha256_state; - void _SHA256_Init(crypto_hash_sha256_state *); void _SHA256_Update(crypto_hash_sha256_state *, const void *, size_t); void _SHA256_Final(unsigned char [32], crypto_hash_sha256_state *); diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.h b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.h index 37da7e20..57b9fd33 100644 --- a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.h +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.h @@ -33,20 +33,17 @@ #include -typedef struct SHA256Context { - uint32_t state[8]; - uint32_t count[2]; - unsigned char buf[64]; -} SHA256_CTX; +#include "crypto_hash_sha256.h" typedef struct HMAC_SHA256Context { - SHA256_CTX ictx; - SHA256_CTX octx; + crypto_hash_sha256_state ictx; + crypto_hash_sha256_state octx; } HMAC_SHA256_CTX; -void _SHA256_Init(SHA256_CTX *); -void _SHA256_Update(SHA256_CTX *, const void *, size_t); -void _SHA256_Final(unsigned char [32], SHA256_CTX *); +void _SHA256_Init(crypto_hash_sha256_state *); +void _SHA256_Update(crypto_hash_sha256_state *, const void *, size_t); +void _SHA256_Final(unsigned char [32], crypto_hash_sha256_state *); + void HMAC__SHA256_Init(HMAC_SHA256_CTX *, const void *, size_t); void HMAC__SHA256_Update(HMAC_SHA256_CTX *, const void *, size_t); void HMAC__SHA256_Final(unsigned char [32], HMAC_SHA256_CTX *); diff --git a/src/libsodium/include/sodium/crypto_hash_sha256.h b/src/libsodium/include/sodium/crypto_hash_sha256.h index 0594a097..04669f95 100644 --- a/src/libsodium/include/sodium/crypto_hash_sha256.h +++ b/src/libsodium/include/sodium/crypto_hash_sha256.h @@ -2,6 +2,9 @@ #define crypto_hash_sha256_H #include +#include +#include + #include "export.h" #define crypto_hash_sha256_BYTES 32U @@ -14,6 +17,12 @@ extern "C" { #endif +typedef struct crypto_hash_sha256_state { + uint32_t state[8]; + uint32_t count[2]; + unsigned char buf[64]; +} crypto_hash_sha256_state; + SODIUM_EXPORT size_t crypto_hash_sha256_bytes(void); From a2fc728956382f1d93cfe3889421df8db4dbed24 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 10 Apr 2014 22:10:27 -0700 Subject: [PATCH 16/40] Let crypto_pwhash_scryptxsalsa208sha256 use crypto_auth_hmacsha256 --- src/libsodium/Makefile.am | 4 +- .../hmacsha256/cp/hmac_hmacsha256.c | 82 +++++---- src/libsodium/crypto_hash/sha256/cp/api.h | 3 + .../crypto_hash/sha256/cp/hash_sha256.c | 48 ++++- .../nosse/pwhash_scryptxsalsa208sha256.c | 2 +- .../scryptxsalsa208sha256/pbkdf2-sha256.c | 94 ++++++++++ .../{sha256.h => pbkdf2-sha256.h} | 20 +-- .../scryptxsalsa208sha256/sha256.c | 164 ------------------ .../sse/pwhash_scryptxsalsa208sha256.c | 2 +- .../include/sodium/crypto_auth_hmacsha256.h | 20 +++ .../include/sodium/crypto_hash_sha256.h | 12 ++ 11 files changed, 226 insertions(+), 225 deletions(-) create mode 100644 src/libsodium/crypto_pwhash/scryptxsalsa208sha256/pbkdf2-sha256.c rename src/libsodium/crypto_pwhash/scryptxsalsa208sha256/{sha256.h => pbkdf2-sha256.h} (70%) delete mode 100644 src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.c diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am index a9a4bd32..9ae36266 100644 --- a/src/libsodium/Makefile.am +++ b/src/libsodium/Makefile.am @@ -65,8 +65,8 @@ libsodium_la_SOURCES = \ crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt-common.c \ crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt.h \ crypto_pwhash/scryptxsalsa208sha256/scrypt_platform.c \ - crypto_pwhash/scryptxsalsa208sha256/sha256.c \ - crypto_pwhash/scryptxsalsa208sha256/sha256.h \ + crypto_pwhash/scryptxsalsa208sha256/pbkdf2-sha256.c \ + crypto_pwhash/scryptxsalsa208sha256/pbkdf2-sha256.h \ crypto_pwhash/scryptxsalsa208sha256/sysendian.h \ crypto_pwhash/scryptxsalsa208sha256/nosse/pwhash_scryptxsalsa208sha256.c \ crypto_pwhash/scryptxsalsa208sha256/sse/pwhash_scryptxsalsa208sha256.c \ diff --git a/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c index ffe29850..5c9b4a2b 100644 --- a/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c +++ b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c @@ -38,21 +38,8 @@ #include #include -typedef struct crypto_hmac_sha256_state { - crypto_hash_sha256_state ictx; - crypto_hash_sha256_state octx; -} crypto_hmac_sha256_state; - -void _SHA256_Init(crypto_hash_sha256_state *); -void _SHA256_Update(crypto_hash_sha256_state *, const void *, size_t); -void _SHA256_Final(unsigned char [32], crypto_hash_sha256_state *); - -static void HMAC__SHA256_Init(crypto_hmac_sha256_state *, const void *, size_t); -static void HMAC__SHA256_Update(crypto_hmac_sha256_state *, const void *, size_t); -static void HMAC__SHA256_Final(unsigned char [32], crypto_hmac_sha256_state *); - static void -HMAC__SHA256_Init(crypto_hmac_sha256_state * ctx, const void * _K, size_t Klen) +HMAC__SHA256_Init(crypto_auth_hmacsha256_state * ctx, const void * _K, size_t Klen) { unsigned char pad[64]; unsigned char khash[32]; @@ -60,55 +47,88 @@ HMAC__SHA256_Init(crypto_hmac_sha256_state * ctx, const void * _K, size_t Klen) size_t i; if (Klen > 64) { - _SHA256_Init(&ctx->ictx); - _SHA256_Update(&ctx->ictx, K, Klen); - _SHA256_Final(khash, &ctx->ictx); + crypto_hash_sha256_init(&ctx->ictx); + crypto_hash_sha256_update(&ctx->ictx, K, Klen); + crypto_hash_sha256_final(&ctx->ictx, khash); K = khash; Klen = 32; } - _SHA256_Init(&ctx->ictx); + crypto_hash_sha256_init(&ctx->ictx); memset(pad, 0x36, 64); for (i = 0; i < Klen; i++) { pad[i] ^= K[i]; } - _SHA256_Update(&ctx->ictx, pad, 64); + crypto_hash_sha256_update(&ctx->ictx, pad, 64); - _SHA256_Init(&ctx->octx); + crypto_hash_sha256_init(&ctx->octx); memset(pad, 0x5c, 64); for (i = 0; i < Klen; i++) { pad[i] ^= K[i]; } - _SHA256_Update(&ctx->octx, pad, 64); + crypto_hash_sha256_update(&ctx->octx, pad, 64); - sodium_memzero(khash, 32); + sodium_memzero((void *) khash, 32); } static void -HMAC__SHA256_Update(crypto_hmac_sha256_state * ctx, const void *in, size_t len) +HMAC__SHA256_Update(crypto_auth_hmacsha256_state * ctx, const void *in, size_t len) { - _SHA256_Update(&ctx->ictx, in, len); + crypto_hash_sha256_update(&ctx->ictx, in, len); } static void -HMAC__SHA256_Final(unsigned char digest[32], crypto_hmac_sha256_state * ctx) +HMAC__SHA256_Final(unsigned char digest[32], crypto_auth_hmacsha256_state * ctx) { unsigned char ihash[32]; - _SHA256_Final(ihash, &ctx->ictx); - _SHA256_Update(&ctx->octx, ihash, 32); - _SHA256_Final(digest, &ctx->octx); + crypto_hash_sha256_final(&ctx->ictx, ihash); + crypto_hash_sha256_update(&ctx->octx, ihash, 32); + crypto_hash_sha256_final(&ctx->octx, digest); - sodium_memzero(ihash, 32); + sodium_memzero((void *) ihash, 32); +} + +int +crypto_auth_hmacsha256_init(crypto_auth_hmacsha256_state *state, + const unsigned char *key, + const size_t keylen) +{ + HMAC__SHA256_Init(state, key, keylen); + + return 0; +} + +int +crypto_auth_hmacsha256_update(crypto_auth_hmacsha256_state *state, + const unsigned char *in, + unsigned long long inlen) +{ + if (inlen > SIZE_MAX) { + sodium_memzero((void *) state, sizeof *state); + return -1; + } + HMAC__SHA256_Update(state, (const void *) in, (size_t) inlen); + + return 0; +} + +int +crypto_auth_hmacsha256_final(crypto_auth_hmacsha256_state *state, + unsigned char *out) +{ + HMAC__SHA256_Final(out, state); + + return 0; } int crypto_auth(unsigned char *out, const unsigned char *in, unsigned long long inlen, const unsigned char *k) { - crypto_hmac_sha256_state ctx; + crypto_auth_hmacsha256_state ctx; if (inlen > SIZE_MAX) { - memset(out, 0, crypto_auth_BYTES); + sodium_memzero((void *) out, crypto_auth_BYTES); return -1; } HMAC__SHA256_Init(&ctx, k, crypto_auth_KEYBYTES); diff --git a/src/libsodium/crypto_hash/sha256/cp/api.h b/src/libsodium/crypto_hash/sha256/cp/api.h index 9878f8e8..b04cff9c 100644 --- a/src/libsodium/crypto_hash/sha256/cp/api.h +++ b/src/libsodium/crypto_hash/sha256/cp/api.h @@ -2,6 +2,9 @@ #include "crypto_hash_sha256.h" #define crypto_hash crypto_hash_sha256 +#define crypto_hash_init crypto_hash_sha256_init +#define crypto_hash_update crypto_hash_sha256_update +#define crypto_hash_final crypto_hash_sha256_final #define crypto_hash_BYTES crypto_hash_sha256_BYTES #define crypto_hash_PRIMITIVE "sha256" #define crypto_hash_IMPLEMENTATION crypto_hash_sha256_IMPLEMENTATION diff --git a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c index 9deabcf5..71544f99 100644 --- a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c +++ b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c @@ -191,8 +191,8 @@ SHA256_Transform(uint32_t * state, const unsigned char block[64]) state[i] += S[i]; } - sodium_memzero(W, 256); - sodium_memzero(S, 32); + sodium_memzero((void *) W, 256); + sodium_memzero((void *) S, 32); t0 = t1 = 0; } @@ -273,22 +273,52 @@ _SHA256_Final(unsigned char digest[32], crypto_hash_sha256_state * ctx) { SHA256_Pad(ctx); be32enc_vect(digest, ctx->state, 32); - sodium_memzero((void *)ctx, sizeof(*ctx)); + sodium_memzero((void *) ctx, sizeof *ctx); +} + +int +crypto_hash_sha256_init(crypto_hash_sha256_state *state) +{ + _SHA256_Init(state); + + return 0; +} + +int +crypto_hash_sha256_update(crypto_hash_sha256_state *state, + const unsigned char *in, + unsigned long long inlen) +{ + if (inlen > SIZE_MAX) { + sodium_memzero(state, sizeof *state); + return -1; + } + _SHA256_Update(state, (const void *) in, (size_t) inlen); + + return 0; +} + +int +crypto_hash_sha256_final(crypto_hash_sha256_state *state, + unsigned char *out) +{ + _SHA256_Final(out, state); + + return 0; } int crypto_hash(unsigned char *out, const unsigned char *in, unsigned long long inlen) { - crypto_hash_sha256_state ctx; + crypto_hash_sha256_state state; - if (inlen > SIZE_MAX) { - memset(out, 0, crypto_hash_BYTES); + crypto_hash_sha256_init(&state); + if (crypto_hash_sha256_update(&state, (const void *) in, inlen) != 0) { + sodium_memzero(out, crypto_hash_BYTES); return -1; } - _SHA256_Init(&ctx); - _SHA256_Update(&ctx, (const void *) in, (size_t) inlen); - _SHA256_Final(out, &ctx); + crypto_hash_sha256_final(&state, out); return 0; } diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/nosse/pwhash_scryptxsalsa208sha256.c b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/nosse/pwhash_scryptxsalsa208sha256.c index 7aaead21..175c9dcb 100644 --- a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/nosse/pwhash_scryptxsalsa208sha256.c +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/nosse/pwhash_scryptxsalsa208sha256.c @@ -33,7 +33,7 @@ #include #include -#include "../sha256.h" +#include "../pbkdf2-sha256.h" #include "../sysendian.h" #include "../crypto_scrypt.h" diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/pbkdf2-sha256.c b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/pbkdf2-sha256.c new file mode 100644 index 00000000..4d4ec4c8 --- /dev/null +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/pbkdf2-sha256.c @@ -0,0 +1,94 @@ +/*- + * Copyright 2005,2007,2009 Colin Percival + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + */ + +#include + +#include +#include +#include + +#include "crypto_auth_hmacsha256.h" +#include "pbkdf2-sha256.h" +#include "utils.h" + +static inline void +be32enc(void *pp, uint32_t x) +{ + uint8_t * p = (uint8_t *)pp; + + p[3] = x & 0xff; + p[2] = (x >> 8) & 0xff; + p[1] = (x >> 16) & 0xff; + p[0] = (x >> 24) & 0xff; +} + +/** + * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen): + * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and + * write the output to buf. The value dkLen must be at most 32 * (2^32 - 1). + */ +void +PBKDF2_SHA256(const uint8_t * passwd, size_t passwdlen, const uint8_t * salt, + size_t saltlen, uint64_t c, uint8_t * buf, size_t dkLen) +{ + crypto_auth_hmacsha256_state PShctx, hctx; + size_t i; + uint8_t ivec[4]; + uint8_t U[32]; + uint8_t T[32]; + uint64_t j; + int k; + size_t clen; + + crypto_auth_hmacsha256_init(&PShctx, passwd, passwdlen); + crypto_auth_hmacsha256_update(&PShctx, salt, saltlen); + + for (i = 0; i * 32 < dkLen; i++) { + be32enc(ivec, (uint32_t)(i + 1)); + memcpy(&hctx, &PShctx, sizeof(crypto_auth_hmacsha256_state)); + crypto_auth_hmacsha256_update(&hctx, ivec, 4); + crypto_auth_hmacsha256_final(&hctx, U); + + memcpy(T, U, 32); + + for (j = 2; j <= c; j++) { + crypto_auth_hmacsha256_init(&hctx, passwd, passwdlen); + crypto_auth_hmacsha256_update(&hctx, U, 32); + crypto_auth_hmacsha256_final(&hctx, U); + + for (k = 0; k < 32; k++) { + T[k] ^= U[k]; + } + } + + clen = dkLen - i * 32; + if (clen > 32) { + clen = 32; + } + memcpy(&buf[i * 32], T, clen); + } + sodium_memzero((void *) &PShctx, sizeof PShctx); +} diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.h b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/pbkdf2-sha256.h similarity index 70% rename from src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.h rename to src/libsodium/crypto_pwhash/scryptxsalsa208sha256/pbkdf2-sha256.h index 57b9fd33..81b2fcc6 100644 --- a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.h +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/pbkdf2-sha256.h @@ -23,7 +23,6 @@ * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. * - * $FreeBSD: src/lib/libmd/sha256.h,v 1.2 2006/01/17 15:35:56 phk Exp $ */ #ifndef _SHA256_H_ @@ -33,27 +32,14 @@ #include -#include "crypto_hash_sha256.h" - -typedef struct HMAC_SHA256Context { - crypto_hash_sha256_state ictx; - crypto_hash_sha256_state octx; -} HMAC_SHA256_CTX; - -void _SHA256_Init(crypto_hash_sha256_state *); -void _SHA256_Update(crypto_hash_sha256_state *, const void *, size_t); -void _SHA256_Final(unsigned char [32], crypto_hash_sha256_state *); - -void HMAC__SHA256_Init(HMAC_SHA256_CTX *, const void *, size_t); -void HMAC__SHA256_Update(HMAC_SHA256_CTX *, const void *, size_t); -void HMAC__SHA256_Final(unsigned char [32], HMAC_SHA256_CTX *); +#include "crypto_auth_hmacsha256.h" /** * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen): * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and * write the output to buf. The value dkLen must be at most 32 * (2^32 - 1). */ -void PBKDF2_SHA256(const uint8_t *, size_t, const uint8_t *, size_t, - uint64_t, uint8_t *, size_t); +void PBKDF2_SHA256(const uint8_t *, size_t, const uint8_t *, size_t, + uint64_t, uint8_t *, size_t); #endif /* !_SHA256_H_ */ diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.c b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.c deleted file mode 100644 index 870686c0..00000000 --- a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sha256.c +++ /dev/null @@ -1,164 +0,0 @@ -/*- - * Copyright 2005,2007,2009 Colin Percival - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - */ - -#include - -#include -#include - -#include "sha256.h" - -static inline void -be32enc(void *pp, uint32_t x) -{ - uint8_t * p = (uint8_t *)pp; - - p[3] = x & 0xff; - p[2] = (x >> 8) & 0xff; - p[1] = (x >> 16) & 0xff; - p[0] = (x >> 24) & 0xff; -} - -/* Initialize an HMAC-SHA256 operation with the given key. */ -void -HMAC__SHA256_Init(HMAC_SHA256_CTX * ctx, const void * _K, size_t Klen) -{ - unsigned char pad[64]; - unsigned char khash[32]; - const unsigned char * K = (const unsigned char *) _K; - size_t i; - - /* If Klen > 64, the key is really SHA256(K). */ - if (Klen > 64) { - _SHA256_Init(&ctx->ictx); - _SHA256_Update(&ctx->ictx, K, Klen); - _SHA256_Final(khash, &ctx->ictx); - K = khash; - Klen = 32; - } - - /* Inner SHA256 operation is SHA256(K xor [block of 0x36] || data). */ - _SHA256_Init(&ctx->ictx); - memset(pad, 0x36, 64); - for (i = 0; i < Klen; i++) - pad[i] ^= K[i]; - _SHA256_Update(&ctx->ictx, pad, 64); - - /* Outer SHA256 operation is SHA256(K xor [block of 0x5c] || hash). */ - _SHA256_Init(&ctx->octx); - memset(pad, 0x5c, 64); - for (i = 0; i < Klen; i++) - pad[i] ^= K[i]; - _SHA256_Update(&ctx->octx, pad, 64); - - /* Clean the stack. */ - memset(khash, 0, 32); -} - -/* Add bytes to the HMAC-SHA256 operation. */ -void -HMAC__SHA256_Update(HMAC_SHA256_CTX * ctx, const void *in, size_t len) -{ - - /* Feed data to the inner SHA256 operation. */ - _SHA256_Update(&ctx->ictx, in, len); -} - -/* Finish an HMAC-SHA256 operation. */ -void -HMAC__SHA256_Final(unsigned char digest[32], HMAC_SHA256_CTX * ctx) -{ - unsigned char ihash[32]; - - /* Finish the inner SHA256 operation. */ - _SHA256_Final(ihash, &ctx->ictx); - - /* Feed the inner hash to the outer SHA256 operation. */ - _SHA256_Update(&ctx->octx, ihash, 32); - - /* Finish the outer SHA256 operation. */ - _SHA256_Final(digest, &ctx->octx); - - /* Clean the stack. */ - memset(ihash, 0, 32); -} - -/** - * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen): - * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and - * write the output to buf. The value dkLen must be at most 32 * (2^32 - 1). - */ -void -PBKDF2_SHA256(const uint8_t * passwd, size_t passwdlen, const uint8_t * salt, - size_t saltlen, uint64_t c, uint8_t * buf, size_t dkLen) -{ - HMAC_SHA256_CTX PShctx, hctx; - size_t i; - uint8_t ivec[4]; - uint8_t U[32]; - uint8_t T[32]; - uint64_t j; - int k; - size_t clen; - - /* Compute HMAC state after processing P and S. */ - HMAC__SHA256_Init(&PShctx, passwd, passwdlen); - HMAC__SHA256_Update(&PShctx, salt, saltlen); - - /* Iterate through the blocks. */ - for (i = 0; i * 32 < dkLen; i++) { - /* Generate INT(i + 1). */ - be32enc(ivec, (uint32_t)(i + 1)); - - /* Compute U_1 = PRF(P, S || INT(i)). */ - memcpy(&hctx, &PShctx, sizeof(HMAC_SHA256_CTX)); - HMAC__SHA256_Update(&hctx, ivec, 4); - HMAC__SHA256_Final(U, &hctx); - - /* T_i = U_1 ... */ - memcpy(T, U, 32); - - for (j = 2; j <= c; j++) { - /* Compute U_j. */ - HMAC__SHA256_Init(&hctx, passwd, passwdlen); - HMAC__SHA256_Update(&hctx, U, 32); - HMAC__SHA256_Final(U, &hctx); - - /* ... xor U_j ... */ - for (k = 0; k < 32; k++) - T[k] ^= U[k]; - } - - /* Copy as many bytes as necessary into buf. */ - clen = dkLen - i * 32; - if (clen > 32) - clen = 32; - memcpy(&buf[i * 32], T, clen); - } - - /* Clean PShctx, since we never called _Final on it. */ - memset(&PShctx, 0, sizeof(HMAC_SHA256_CTX)); -} diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sse/pwhash_scryptxsalsa208sha256.c b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sse/pwhash_scryptxsalsa208sha256.c index 4f3e6584..ce3a6912 100644 --- a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sse/pwhash_scryptxsalsa208sha256.c +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/sse/pwhash_scryptxsalsa208sha256.c @@ -38,7 +38,7 @@ #include #include -#include "../sha256.h" +#include "../pbkdf2-sha256.h" #include "../sysendian.h" #include "../crypto_scrypt.h" diff --git a/src/libsodium/include/sodium/crypto_auth_hmacsha256.h b/src/libsodium/include/sodium/crypto_auth_hmacsha256.h index 50d08565..ea400dff 100644 --- a/src/libsodium/include/sodium/crypto_auth_hmacsha256.h +++ b/src/libsodium/include/sodium/crypto_auth_hmacsha256.h @@ -2,6 +2,7 @@ #define crypto_auth_hmacsha256_H #include +#include "crypto_hash_sha256.h" #include "export.h" #define crypto_auth_hmacsha256_BYTES 32U @@ -14,6 +15,11 @@ extern "C" { #endif +typedef struct crypto_auth_hmacsha256_state { + crypto_hash_sha256_state ictx; + crypto_hash_sha256_state octx; +} crypto_auth_hmacsha256_state; + SODIUM_EXPORT size_t crypto_auth_hmacsha256_bytes(void); @@ -29,6 +35,20 @@ int crypto_auth_hmacsha256(unsigned char *,const unsigned char *,unsigned long l SODIUM_EXPORT int crypto_auth_hmacsha256_verify(const unsigned char *,const unsigned char *,unsigned long long,const unsigned char *); +SODIUM_EXPORT +int crypto_auth_hmacsha256_init(crypto_auth_hmacsha256_state *state, + const unsigned char *key, + const size_t keylen); + +SODIUM_EXPORT +int crypto_auth_hmacsha256_update(crypto_auth_hmacsha256_state *state, + const unsigned char *in, + unsigned long long inlen); + +SODIUM_EXPORT +int crypto_auth_hmacsha256_final(crypto_auth_hmacsha256_state *state, + unsigned char *out); + #ifdef __cplusplus } #endif diff --git a/src/libsodium/include/sodium/crypto_hash_sha256.h b/src/libsodium/include/sodium/crypto_hash_sha256.h index 04669f95..9aed565d 100644 --- a/src/libsodium/include/sodium/crypto_hash_sha256.h +++ b/src/libsodium/include/sodium/crypto_hash_sha256.h @@ -32,6 +32,18 @@ const char * crypto_hash_sha256_primitive(void); SODIUM_EXPORT int crypto_hash_sha256(unsigned char *,const unsigned char *,unsigned long long); +SODIUM_EXPORT +int crypto_hash_sha256_init(crypto_hash_sha256_state *state); + +SODIUM_EXPORT +int crypto_hash_sha256_update(crypto_hash_sha256_state *state, + const unsigned char *in, + unsigned long long inlen); + +SODIUM_EXPORT +int crypto_hash_sha256_final(crypto_hash_sha256_state *state, + unsigned char *out); + #ifdef __cplusplus } #endif From 030fac65a8a690642b32b4afb8094a7811f2cfcb Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 10 Apr 2014 22:39:43 -0700 Subject: [PATCH 17/40] Remove wrappers --- .../hmacsha256/cp/hmac_hmacsha256.c | 107 ++++++---------- .../crypto_hash/sha256/cp/hash_sha256.c | 120 +++++++----------- .../include/sodium/crypto_auth_hmacsha256.h | 2 +- 3 files changed, 86 insertions(+), 143 deletions(-) diff --git a/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c index 5c9b4a2b..89de8812 100644 --- a/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c +++ b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c @@ -33,67 +33,40 @@ #include -#include #include -#include #include -static void -HMAC__SHA256_Init(crypto_auth_hmacsha256_state * ctx, const void * _K, size_t Klen) -{ - unsigned char pad[64]; - unsigned char khash[32]; - const unsigned char * K = (const unsigned char *) _K; - size_t i; - - if (Klen > 64) { - crypto_hash_sha256_init(&ctx->ictx); - crypto_hash_sha256_update(&ctx->ictx, K, Klen); - crypto_hash_sha256_final(&ctx->ictx, khash); - K = khash; - Klen = 32; - } - crypto_hash_sha256_init(&ctx->ictx); - memset(pad, 0x36, 64); - for (i = 0; i < Klen; i++) { - pad[i] ^= K[i]; - } - crypto_hash_sha256_update(&ctx->ictx, pad, 64); - - crypto_hash_sha256_init(&ctx->octx); - memset(pad, 0x5c, 64); - for (i = 0; i < Klen; i++) { - pad[i] ^= K[i]; - } - crypto_hash_sha256_update(&ctx->octx, pad, 64); - - sodium_memzero((void *) khash, 32); -} - -static void -HMAC__SHA256_Update(crypto_auth_hmacsha256_state * ctx, const void *in, size_t len) -{ - crypto_hash_sha256_update(&ctx->ictx, in, len); -} - -static void -HMAC__SHA256_Final(unsigned char digest[32], crypto_auth_hmacsha256_state * ctx) -{ - unsigned char ihash[32]; - - crypto_hash_sha256_final(&ctx->ictx, ihash); - crypto_hash_sha256_update(&ctx->octx, ihash, 32); - crypto_hash_sha256_final(&ctx->octx, digest); - - sodium_memzero((void *) ihash, 32); -} - int crypto_auth_hmacsha256_init(crypto_auth_hmacsha256_state *state, const unsigned char *key, - const size_t keylen) + size_t keylen) { - HMAC__SHA256_Init(state, key, keylen); + unsigned char pad[64]; + unsigned char khash[32]; + size_t i; + + if (keylen > 64) { + crypto_hash_sha256_init(&state->ictx); + crypto_hash_sha256_update(&state->ictx, key, keylen); + crypto_hash_sha256_final(&state->ictx, khash); + key = khash; + keylen = 32; + } + crypto_hash_sha256_init(&state->ictx); + memset(pad, 0x36, 64); + for (i = 0; i < keylen; i++) { + pad[i] ^= key[i]; + } + crypto_hash_sha256_update(&state->ictx, pad, 64); + + crypto_hash_sha256_init(&state->octx); + memset(pad, 0x5c, 64); + for (i = 0; i < keylen; i++) { + pad[i] ^= key[i]; + } + crypto_hash_sha256_update(&state->octx, pad, 64); + + sodium_memzero((void *) khash, 32); return 0; } @@ -103,11 +76,7 @@ crypto_auth_hmacsha256_update(crypto_auth_hmacsha256_state *state, const unsigned char *in, unsigned long long inlen) { - if (inlen > SIZE_MAX) { - sodium_memzero((void *) state, sizeof *state); - return -1; - } - HMAC__SHA256_Update(state, (const void *) in, (size_t) inlen); + crypto_hash_sha256_update(&state->ictx, in, inlen); return 0; } @@ -116,7 +85,13 @@ int crypto_auth_hmacsha256_final(crypto_auth_hmacsha256_state *state, unsigned char *out) { - HMAC__SHA256_Final(out, state); + unsigned char ihash[32]; + + crypto_hash_sha256_final(&state->ictx, ihash); + crypto_hash_sha256_update(&state->octx, ihash, 32); + crypto_hash_sha256_final(&state->octx, out); + + sodium_memzero((void *) ihash, 32); return 0; } @@ -125,15 +100,11 @@ int crypto_auth(unsigned char *out, const unsigned char *in, unsigned long long inlen, const unsigned char *k) { - crypto_auth_hmacsha256_state ctx; + crypto_auth_hmacsha256_state state; - if (inlen > SIZE_MAX) { - sodium_memzero((void *) out, crypto_auth_BYTES); - return -1; - } - HMAC__SHA256_Init(&ctx, k, crypto_auth_KEYBYTES); - HMAC__SHA256_Update(&ctx, (const void *) in, (size_t) inlen); - HMAC__SHA256_Final(out, &ctx); + crypto_auth_hmacsha256_init(&state, k, crypto_auth_KEYBYTES); + crypto_auth_hmacsha256_update(&state, in, inlen); + crypto_auth_hmacsha256_final(&state, out); return 0; } diff --git a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c index 71544f99..81fe7739 100644 --- a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c +++ b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c @@ -37,10 +37,6 @@ #include #include -void _SHA256_Init(crypto_hash_sha256_state *); -void _SHA256_Update(crypto_hash_sha256_state *, const void *, size_t); -void _SHA256_Final(unsigned char [32], crypto_hash_sha256_state *); - /* Avoid namespace collisions with BSD . */ #define be32dec _sha256_be32dec #define be32enc _sha256_be32enc @@ -108,7 +104,7 @@ be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) W[i] + k) static void -SHA256_Transform(uint32_t * state, const unsigned char block[64]) +SHA256_Transform(uint32_t *state, const unsigned char block[64]) { uint32_t W[64]; uint32_t S[8]; @@ -204,82 +200,33 @@ static unsigned char PAD[64] = { }; static void -SHA256_Pad(crypto_hash_sha256_state * ctx) +SHA256_Pad(crypto_hash_sha256_state *state) { unsigned char len[8]; uint32_t r, plen; - be32enc_vect(len, ctx->count, 8); + be32enc_vect(len, state->count, 8); - r = (ctx->count[1] >> 3) & 0x3f; + r = (state->count[1] >> 3) & 0x3f; plen = (r < 56) ? (56 - r) : (120 - r); - _SHA256_Update(ctx, PAD, (size_t)plen); + crypto_hash_sha256_update(state, PAD, (unsigned long long) plen); - _SHA256_Update(ctx, len, 8); -} - -void -_SHA256_Init(crypto_hash_sha256_state * ctx) -{ - ctx->count[0] = ctx->count[1] = 0; - - ctx->state[0] = 0x6A09E667; - ctx->state[1] = 0xBB67AE85; - ctx->state[2] = 0x3C6EF372; - ctx->state[3] = 0xA54FF53A; - ctx->state[4] = 0x510E527F; - ctx->state[5] = 0x9B05688C; - ctx->state[6] = 0x1F83D9AB; - ctx->state[7] = 0x5BE0CD19; -} - -void -_SHA256_Update(crypto_hash_sha256_state * ctx, const void *in, size_t len) -{ - uint32_t bitlen[2]; - uint32_t r; - const unsigned char *src = (const unsigned char *) in; - - r = (ctx->count[1] >> 3) & 0x3f; - - bitlen[1] = ((uint32_t)len) << 3; - bitlen[0] = (uint32_t)(len >> 29); - - if ((ctx->count[1] += bitlen[1]) < bitlen[1]) { - ctx->count[0]++; - } - ctx->count[0] += bitlen[0]; - - if (len < 64 - r) { - memcpy(&ctx->buf[r], src, len); - return; - } - - memcpy(&ctx->buf[r], src, 64 - r); - SHA256_Transform(ctx->state, ctx->buf); - src += 64 - r; - len -= 64 - r; - - while (len >= 64) { - SHA256_Transform(ctx->state, src); - src += 64; - len -= 64; - } - memcpy(ctx->buf, src, len); -} - -void -_SHA256_Final(unsigned char digest[32], crypto_hash_sha256_state * ctx) -{ - SHA256_Pad(ctx); - be32enc_vect(digest, ctx->state, 32); - sodium_memzero((void *) ctx, sizeof *ctx); + crypto_hash_sha256_update(state, len, 8); } int crypto_hash_sha256_init(crypto_hash_sha256_state *state) { - _SHA256_Init(state); + state->count[0] = state->count[1] = 0; + + state->state[0] = 0x6A09E667; + state->state[1] = 0xBB67AE85; + state->state[2] = 0x3C6EF372; + state->state[3] = 0xA54FF53A; + state->state[4] = 0x510E527F; + state->state[5] = 0x9B05688C; + state->state[6] = 0x1F83D9AB; + state->state[7] = 0x5BE0CD19; return 0; } @@ -289,11 +236,34 @@ crypto_hash_sha256_update(crypto_hash_sha256_state *state, const unsigned char *in, unsigned long long inlen) { - if (inlen > SIZE_MAX) { - sodium_memzero(state, sizeof *state); - return -1; + uint32_t bitlen[2]; + uint32_t r; + + r = (state->count[1] >> 3) & 0x3f; + + bitlen[1] = ((uint32_t)inlen) << 3; + bitlen[0] = (uint32_t)(inlen >> 29); + + if ((state->count[1] += bitlen[1]) < bitlen[1]) { + state->count[0]++; } - _SHA256_Update(state, (const void *) in, (size_t) inlen); + state->count[0] += bitlen[0]; + + if (inlen < 64 - r) { + memcpy(&state->buf[r], in, inlen); + return 0; + } + memcpy(&state->buf[r], in, 64 - r); + SHA256_Transform(state->state, state->buf); + in += 64 - r; + inlen -= 64 - r; + + while (inlen >= 64) { + SHA256_Transform(state->state, in); + in += 64; + inlen -= 64; + } + memcpy(state->buf, in, inlen); return 0; } @@ -302,7 +272,9 @@ int crypto_hash_sha256_final(crypto_hash_sha256_state *state, unsigned char *out) { - _SHA256_Final(out, state); + SHA256_Pad(state); + be32enc_vect(out, state->state, 32); + sodium_memzero((void *) state, sizeof *state); return 0; } diff --git a/src/libsodium/include/sodium/crypto_auth_hmacsha256.h b/src/libsodium/include/sodium/crypto_auth_hmacsha256.h index ea400dff..8e3ed29d 100644 --- a/src/libsodium/include/sodium/crypto_auth_hmacsha256.h +++ b/src/libsodium/include/sodium/crypto_auth_hmacsha256.h @@ -38,7 +38,7 @@ int crypto_auth_hmacsha256_verify(const unsigned char *,const unsigned char *,un SODIUM_EXPORT int crypto_auth_hmacsha256_init(crypto_auth_hmacsha256_state *state, const unsigned char *key, - const size_t keylen); + size_t keylen); SODIUM_EXPORT int crypto_auth_hmacsha256_update(crypto_auth_hmacsha256_state *state, From 96e8d255b690ffa6ab19c8ea2f78fd92cb375de1 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 10 Apr 2014 22:47:40 -0700 Subject: [PATCH 18/40] Remove hashblocks*.h and sign_edwards25519sha512batch.h from sodium.h --- src/libsodium/include/sodium.h | 3 --- 1 file changed, 3 deletions(-) diff --git a/src/libsodium/include/sodium.h b/src/libsodium/include/sodium.h index d5191748..818909c6 100644 --- a/src/libsodium/include/sodium.h +++ b/src/libsodium/include/sodium.h @@ -17,8 +17,6 @@ #include #include #include -#include -#include #include #include #include @@ -29,7 +27,6 @@ #include #include #include -#include #include #include #include From 3d666ce901052b916bc92c97d6bd2f885a537a7d Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 10 Apr 2014 22:48:59 -0700 Subject: [PATCH 19/40] Remove hashblocks_sha256 --- libsodium.vcxproj | 3 - libsodium.vcxproj.filters | 9 - src/libsodium/Makefile.am | 3 - .../crypto_hashblocks/sha256/checksum | 1 - .../sha256/hashblocks_sha256_api.c | 16 -- .../crypto_hashblocks/sha256/ref/api.h | 9 - .../sha256/ref/blocks_sha256.c | 212 ------------------ src/libsodium/include/Makefile.am | 1 - .../include/sodium/crypto_hashblocks_sha256.h | 35 --- 9 files changed, 289 deletions(-) delete mode 100644 src/libsodium/crypto_hashblocks/sha256/checksum delete mode 100644 src/libsodium/crypto_hashblocks/sha256/hashblocks_sha256_api.c delete mode 100644 src/libsodium/crypto_hashblocks/sha256/ref/api.h delete mode 100644 src/libsodium/crypto_hashblocks/sha256/ref/blocks_sha256.c delete mode 100644 src/libsodium/include/sodium/crypto_hashblocks_sha256.h diff --git a/libsodium.vcxproj b/libsodium.vcxproj index 9b9babef..46af9ee8 100644 --- a/libsodium.vcxproj +++ b/libsodium.vcxproj @@ -328,7 +328,6 @@ - @@ -397,8 +396,6 @@ - - diff --git a/libsodium.vcxproj.filters b/libsodium.vcxproj.filters index aa76d7d9..8e300f90 100644 --- a/libsodium.vcxproj.filters +++ b/libsodium.vcxproj.filters @@ -60,9 +60,6 @@ Header Files - - Header Files - Header Files @@ -268,15 +265,9 @@ Source Files - - Source Files - Source Files - - Source Files - Source Files diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am index 9ae36266..e6aa7ae3 100644 --- a/src/libsodium/Makefile.am +++ b/src/libsodium/Makefile.am @@ -45,9 +45,6 @@ libsodium_la_SOURCES = \ crypto_hash/sha512/hash_sha512_api.c \ crypto_hash/sha512/ref/api.h \ crypto_hash/sha512/ref/hash_sha512.c \ - crypto_hashblocks/sha256/ref/blocks_sha256.c \ - crypto_hashblocks/sha256/hashblocks_sha256_api.c \ - crypto_hashblocks/sha256/ref/api.h \ crypto_hashblocks/sha512/ref/blocks_sha512.c \ crypto_hashblocks/sha512/hashblocks_sha512_api.c \ crypto_hashblocks/sha512/ref/api.h \ diff --git a/src/libsodium/crypto_hashblocks/sha256/checksum b/src/libsodium/crypto_hashblocks/sha256/checksum deleted file mode 100644 index edde1d4f..00000000 --- a/src/libsodium/crypto_hashblocks/sha256/checksum +++ /dev/null @@ -1 +0,0 @@ -69a9dc2464f9593161e462d3dbb634b84f1d68d67d26df29aaa805f9dcd8f656 diff --git a/src/libsodium/crypto_hashblocks/sha256/hashblocks_sha256_api.c b/src/libsodium/crypto_hashblocks/sha256/hashblocks_sha256_api.c deleted file mode 100644 index 2b609907..00000000 --- a/src/libsodium/crypto_hashblocks/sha256/hashblocks_sha256_api.c +++ /dev/null @@ -1,16 +0,0 @@ -#include "crypto_hashblocks_sha256.h" - -size_t -crypto_hashblocks_sha256_statebytes(void) { - return crypto_hashblocks_sha256_STATEBYTES; -} - -size_t -crypto_hashblocks_sha256_blockbytes(void) { - return crypto_hashblocks_sha256_BLOCKBYTES; -} - -const char * -crypto_hashblocks_sha256_primitive(void) { - return "sha256"; -} diff --git a/src/libsodium/crypto_hashblocks/sha256/ref/api.h b/src/libsodium/crypto_hashblocks/sha256/ref/api.h deleted file mode 100644 index 4e1701ff..00000000 --- a/src/libsodium/crypto_hashblocks/sha256/ref/api.h +++ /dev/null @@ -1,9 +0,0 @@ - -#include "crypto_hashblocks_sha256.h" - -#define crypto_hashblocks crypto_hashblocks_sha256 -#define crypto_hashblocks_STATEBYTES crypto_hashblocks_sha256_STATEBYTES -#define crypto_hashblocks_BLOCKBYTES crypto_hashblocks_sha256_BLOCKBYTES -#define crypto_hashblocks_PRIMITIVE "sha256" -#define crypto_hashblocks_IMPLEMENTATION crypto_hashblocks_sha256_IMPLEMENTATION -#define crypto_hashblocks_VERSION crypto_hashblocks_sha256_VERSION diff --git a/src/libsodium/crypto_hashblocks/sha256/ref/blocks_sha256.c b/src/libsodium/crypto_hashblocks/sha256/ref/blocks_sha256.c deleted file mode 100644 index 8d89a886..00000000 --- a/src/libsodium/crypto_hashblocks/sha256/ref/blocks_sha256.c +++ /dev/null @@ -1,212 +0,0 @@ -#include "api.h" - -typedef unsigned int uint32; - -static uint32 load_bigendian(const unsigned char *x) -{ - return - (uint32) (x[3]) \ - | (((uint32) (x[2])) << 8) \ - | (((uint32) (x[1])) << 16) \ - | (((uint32) (x[0])) << 24) - ; -} - -static void store_bigendian(unsigned char *x,uint32 u) -{ - x[3] = u; u >>= 8; - x[2] = u; u >>= 8; - x[1] = u; u >>= 8; - x[0] = u; -} - -#define SHR(x,c) ((x) >> (c)) -#define ROTR(x,c) (((x) >> (c)) | ((x) << (32 - (c)))) - -#define Ch(x,y,z) ((x & y) ^ (~x & z)) -#define Maj(x,y,z) ((x & y) ^ (x & z) ^ (y & z)) -#define Sigma0(x) (ROTR(x, 2) ^ ROTR(x,13) ^ ROTR(x,22)) -#define Sigma1(x) (ROTR(x, 6) ^ ROTR(x,11) ^ ROTR(x,25)) -#define sigma0(x) (ROTR(x, 7) ^ ROTR(x,18) ^ SHR(x, 3)) -#define sigma1(x) (ROTR(x,17) ^ ROTR(x,19) ^ SHR(x,10)) - -#define M(w0,w14,w9,w1) w0 = sigma1(w14) + w9 + sigma0(w1) + w0; - -#define EXPAND \ - M(w0 ,w14,w9 ,w1 ) \ - M(w1 ,w15,w10,w2 ) \ - M(w2 ,w0 ,w11,w3 ) \ - M(w3 ,w1 ,w12,w4 ) \ - M(w4 ,w2 ,w13,w5 ) \ - M(w5 ,w3 ,w14,w6 ) \ - M(w6 ,w4 ,w15,w7 ) \ - M(w7 ,w5 ,w0 ,w8 ) \ - M(w8 ,w6 ,w1 ,w9 ) \ - M(w9 ,w7 ,w2 ,w10) \ - M(w10,w8 ,w3 ,w11) \ - M(w11,w9 ,w4 ,w12) \ - M(w12,w10,w5 ,w13) \ - M(w13,w11,w6 ,w14) \ - M(w14,w12,w7 ,w15) \ - M(w15,w13,w8 ,w0 ) - -#define F(w,k) \ - T1 = h + Sigma1(e) + Ch(e,f,g) + k + w; \ - T2 = Sigma0(a) + Maj(a,b,c); \ - h = g; \ - g = f; \ - f = e; \ - e = d + T1; \ - d = c; \ - c = b; \ - b = a; \ - a = T1 + T2; - -int crypto_hashblocks(unsigned char *statebytes,const unsigned char *in,unsigned long long inlen) -{ - uint32 state[8]; - uint32 a; - uint32 b; - uint32 c; - uint32 d; - uint32 e; - uint32 f; - uint32 g; - uint32 h; - uint32 T1; - uint32 T2; - - a = load_bigendian(statebytes + 0); state[0] = a; - b = load_bigendian(statebytes + 4); state[1] = b; - c = load_bigendian(statebytes + 8); state[2] = c; - d = load_bigendian(statebytes + 12); state[3] = d; - e = load_bigendian(statebytes + 16); state[4] = e; - f = load_bigendian(statebytes + 20); state[5] = f; - g = load_bigendian(statebytes + 24); state[6] = g; - h = load_bigendian(statebytes + 28); state[7] = h; - - while (inlen >= 64) { - uint32 w0 = load_bigendian(in + 0); - uint32 w1 = load_bigendian(in + 4); - uint32 w2 = load_bigendian(in + 8); - uint32 w3 = load_bigendian(in + 12); - uint32 w4 = load_bigendian(in + 16); - uint32 w5 = load_bigendian(in + 20); - uint32 w6 = load_bigendian(in + 24); - uint32 w7 = load_bigendian(in + 28); - uint32 w8 = load_bigendian(in + 32); - uint32 w9 = load_bigendian(in + 36); - uint32 w10 = load_bigendian(in + 40); - uint32 w11 = load_bigendian(in + 44); - uint32 w12 = load_bigendian(in + 48); - uint32 w13 = load_bigendian(in + 52); - uint32 w14 = load_bigendian(in + 56); - uint32 w15 = load_bigendian(in + 60); - - F(w0 ,0x428a2f98) - F(w1 ,0x71374491) - F(w2 ,0xb5c0fbcf) - F(w3 ,0xe9b5dba5) - F(w4 ,0x3956c25b) - F(w5 ,0x59f111f1) - F(w6 ,0x923f82a4) - F(w7 ,0xab1c5ed5) - F(w8 ,0xd807aa98) - F(w9 ,0x12835b01) - F(w10,0x243185be) - F(w11,0x550c7dc3) - F(w12,0x72be5d74) - F(w13,0x80deb1fe) - F(w14,0x9bdc06a7) - F(w15,0xc19bf174) - - EXPAND - - F(w0 ,0xe49b69c1) - F(w1 ,0xefbe4786) - F(w2 ,0x0fc19dc6) - F(w3 ,0x240ca1cc) - F(w4 ,0x2de92c6f) - F(w5 ,0x4a7484aa) - F(w6 ,0x5cb0a9dc) - F(w7 ,0x76f988da) - F(w8 ,0x983e5152) - F(w9 ,0xa831c66d) - F(w10,0xb00327c8) - F(w11,0xbf597fc7) - F(w12,0xc6e00bf3) - F(w13,0xd5a79147) - F(w14,0x06ca6351) - F(w15,0x14292967) - - EXPAND - - F(w0 ,0x27b70a85) - F(w1 ,0x2e1b2138) - F(w2 ,0x4d2c6dfc) - F(w3 ,0x53380d13) - F(w4 ,0x650a7354) - F(w5 ,0x766a0abb) - F(w6 ,0x81c2c92e) - F(w7 ,0x92722c85) - F(w8 ,0xa2bfe8a1) - F(w9 ,0xa81a664b) - F(w10,0xc24b8b70) - F(w11,0xc76c51a3) - F(w12,0xd192e819) - F(w13,0xd6990624) - F(w14,0xf40e3585) - F(w15,0x106aa070) - - EXPAND - - F(w0 ,0x19a4c116) - F(w1 ,0x1e376c08) - F(w2 ,0x2748774c) - F(w3 ,0x34b0bcb5) - F(w4 ,0x391c0cb3) - F(w5 ,0x4ed8aa4a) - F(w6 ,0x5b9cca4f) - F(w7 ,0x682e6ff3) - F(w8 ,0x748f82ee) - F(w9 ,0x78a5636f) - F(w10,0x84c87814) - F(w11,0x8cc70208) - F(w12,0x90befffa) - F(w13,0xa4506ceb) - F(w14,0xbef9a3f7) - F(w15,0xc67178f2) - - a += state[0]; - b += state[1]; - c += state[2]; - d += state[3]; - e += state[4]; - f += state[5]; - g += state[6]; - h += state[7]; - - state[0] = a; - state[1] = b; - state[2] = c; - state[3] = d; - state[4] = e; - state[5] = f; - state[6] = g; - state[7] = h; - - in += 64; - inlen -= 64; - } - - store_bigendian(statebytes + 0,state[0]); - store_bigendian(statebytes + 4,state[1]); - store_bigendian(statebytes + 8,state[2]); - store_bigendian(statebytes + 12,state[3]); - store_bigendian(statebytes + 16,state[4]); - store_bigendian(statebytes + 20,state[5]); - store_bigendian(statebytes + 24,state[6]); - store_bigendian(statebytes + 28,state[7]); - - return 0; -} diff --git a/src/libsodium/include/Makefile.am b/src/libsodium/include/Makefile.am index 63dbac13..3cd4e359 100644 --- a/src/libsodium/include/Makefile.am +++ b/src/libsodium/include/Makefile.am @@ -16,7 +16,6 @@ SODIUM_EXPORT = \ sodium/crypto_hash.h \ sodium/crypto_hash_sha256.h \ sodium/crypto_hash_sha512.h \ - sodium/crypto_hashblocks_sha256.h \ sodium/crypto_hashblocks_sha512.h \ sodium/crypto_onetimeauth.h \ sodium/crypto_onetimeauth_poly1305.h \ diff --git a/src/libsodium/include/sodium/crypto_hashblocks_sha256.h b/src/libsodium/include/sodium/crypto_hashblocks_sha256.h deleted file mode 100644 index 6b667782..00000000 --- a/src/libsodium/include/sodium/crypto_hashblocks_sha256.h +++ /dev/null @@ -1,35 +0,0 @@ -#ifndef crypto_hashblocks_sha256_H -#define crypto_hashblocks_sha256_H - -#include -#include "export.h" - -#define crypto_hashblocks_sha256_STATEBYTES 32U -#define crypto_hashblocks_sha256_BLOCKBYTES 64U - -#ifdef __cplusplus -# if __GNUC__ -# pragma GCC diagnostic ignored "-Wlong-long" -# endif -extern "C" { -#endif - -SODIUM_EXPORT -size_t crypto_hashblocks_sha256_statebytes(void); - -SODIUM_EXPORT -size_t crypto_hashblocks_sha256_blockbytes(void); - -SODIUM_EXPORT -const char * crypto_hashblocks_sha256_primitive(void); - -SODIUM_EXPORT -int crypto_hashblocks_sha256(unsigned char *,const unsigned char *,unsigned long long); - -#ifdef __cplusplus -} -#endif - -#define crypto_hashblocks_sha256_ref crypto_hashblocks_sha256 - -#endif From 175bcccee1f1a8dda89f62d5a97b20fdabd08009 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 10 Apr 2014 22:50:16 -0700 Subject: [PATCH 20/40] Remove unnecessary cast --- src/libsodium/crypto_hash/sha256/cp/hash_sha256.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c index 81fe7739..95e91d37 100644 --- a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c +++ b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c @@ -286,7 +286,7 @@ crypto_hash(unsigned char *out, const unsigned char *in, crypto_hash_sha256_state state; crypto_hash_sha256_init(&state); - if (crypto_hash_sha256_update(&state, (const void *) in, inlen) != 0) { + if (crypto_hash_sha256_update(&state, in, inlen) != 0) { sodium_memzero(out, crypto_hash_BYTES); return -1; } From ca6a52e41314936200e6c0483c1762f9d8017bb3 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 10 Apr 2014 22:56:03 -0700 Subject: [PATCH 21/40] Do not export crypto_hashblocks* --- libsodium.vcxproj | 1 - libsodium.vcxproj.filters | 3 --- src/libsodium/Makefile.am | 1 - .../sha512/hashblocks_sha512_api.c | 16 ---------------- .../include/sodium/crypto_hashblocks_sha512.h | 10 ---------- 5 files changed, 31 deletions(-) delete mode 100644 src/libsodium/crypto_hashblocks/sha512/hashblocks_sha512_api.c diff --git a/libsodium.vcxproj b/libsodium.vcxproj index 46af9ee8..d9661cea 100644 --- a/libsodium.vcxproj +++ b/libsodium.vcxproj @@ -396,7 +396,6 @@ - diff --git a/libsodium.vcxproj.filters b/libsodium.vcxproj.filters index 8e300f90..4921729a 100644 --- a/libsodium.vcxproj.filters +++ b/libsodium.vcxproj.filters @@ -268,9 +268,6 @@ Source Files - - Source Files - Source Files diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am index e6aa7ae3..13e51d5a 100644 --- a/src/libsodium/Makefile.am +++ b/src/libsodium/Makefile.am @@ -46,7 +46,6 @@ libsodium_la_SOURCES = \ crypto_hash/sha512/ref/api.h \ crypto_hash/sha512/ref/hash_sha512.c \ crypto_hashblocks/sha512/ref/blocks_sha512.c \ - crypto_hashblocks/sha512/hashblocks_sha512_api.c \ crypto_hashblocks/sha512/ref/api.h \ crypto_onetimeauth/crypto_onetimeauth.c \ crypto_onetimeauth/poly1305/onetimeauth_poly1305.c \ diff --git a/src/libsodium/crypto_hashblocks/sha512/hashblocks_sha512_api.c b/src/libsodium/crypto_hashblocks/sha512/hashblocks_sha512_api.c deleted file mode 100644 index 63cf6ed5..00000000 --- a/src/libsodium/crypto_hashblocks/sha512/hashblocks_sha512_api.c +++ /dev/null @@ -1,16 +0,0 @@ -#include "crypto_hashblocks_sha512.h" - -size_t -crypto_hashblocks_sha512_statebytes(void) { - return crypto_hashblocks_sha512_STATEBYTES; -} - -size_t -crypto_hashblocks_sha512_blockbytes(void) { - return crypto_hashblocks_sha512_BLOCKBYTES; -} - -const char * -crypto_hashblocks_sha512_primitive(void) { - return "sha512"; -} diff --git a/src/libsodium/include/sodium/crypto_hashblocks_sha512.h b/src/libsodium/include/sodium/crypto_hashblocks_sha512.h index edce45cf..ee6a64b2 100644 --- a/src/libsodium/include/sodium/crypto_hashblocks_sha512.h +++ b/src/libsodium/include/sodium/crypto_hashblocks_sha512.h @@ -14,16 +14,6 @@ extern "C" { #endif -SODIUM_EXPORT -size_t crypto_hashblocks_sha512_statebytes(void); - -SODIUM_EXPORT -size_t crypto_hashblocks_sha512_blockbytes(void); - -SODIUM_EXPORT -const char * crypto_hashblocks_sha512_primitive(void); - -SODIUM_EXPORT int crypto_hashblocks_sha512(unsigned char *,const unsigned char *,unsigned long long); #ifdef __cplusplus From a62af8a4e3d07cc9d307ef4f1a963329c090f751 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 10 Apr 2014 23:00:51 -0700 Subject: [PATCH 22/40] Remove useless define --- src/libsodium/include/sodium/crypto_hashblocks_sha512.h | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/src/libsodium/include/sodium/crypto_hashblocks_sha512.h b/src/libsodium/include/sodium/crypto_hashblocks_sha512.h index ee6a64b2..bfa74407 100644 --- a/src/libsodium/include/sodium/crypto_hashblocks_sha512.h +++ b/src/libsodium/include/sodium/crypto_hashblocks_sha512.h @@ -13,13 +13,11 @@ # endif extern "C" { #endif - + int crypto_hashblocks_sha512(unsigned char *,const unsigned char *,unsigned long long); #ifdef __cplusplus } #endif -#define crypto_hashblocks_sha512_ref crypto_hashblocks_sha512 - #endif From 479620bbd181c500858baa71e1f8238ca8285a98 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 10 Apr 2014 23:09:19 -0700 Subject: [PATCH 23/40] Explicitly make crypto_hashblocks_sha512.h private. --- libsodium.vcxproj | 2 +- libsodium.vcxproj.filters | 2 +- .../crypto_auth/hmacsha512256/ref/hmac_hmacsha512256.c | 2 +- src/libsodium/crypto_hash/sha512/ref/hash_sha512.c | 2 +- src/libsodium/crypto_hashblocks/sha512/ref/api.h | 2 +- src/libsodium/include/Makefile.am | 2 +- ...pto_hashblocks_sha512.h => _crypto_hashblocks_sha512.h} | 7 ++++--- 7 files changed, 10 insertions(+), 9 deletions(-) rename src/libsodium/include/sodium/{crypto_hashblocks_sha512.h => _crypto_hashblocks_sha512.h} (76%) diff --git a/libsodium.vcxproj b/libsodium.vcxproj index d9661cea..6ca8ee20 100644 --- a/libsodium.vcxproj +++ b/libsodium.vcxproj @@ -328,7 +328,7 @@ - + diff --git a/libsodium.vcxproj.filters b/libsodium.vcxproj.filters index 4921729a..96890124 100644 --- a/libsodium.vcxproj.filters +++ b/libsodium.vcxproj.filters @@ -60,7 +60,7 @@ Header Files - + Header Files diff --git a/src/libsodium/crypto_auth/hmacsha512256/ref/hmac_hmacsha512256.c b/src/libsodium/crypto_auth/hmacsha512256/ref/hmac_hmacsha512256.c index be871ced..d3ebfd96 100644 --- a/src/libsodium/crypto_auth/hmacsha512256/ref/hmac_hmacsha512256.c +++ b/src/libsodium/crypto_auth/hmacsha512256/ref/hmac_hmacsha512256.c @@ -5,7 +5,7 @@ * */ #include "api.h" -#include "crypto_hashblocks_sha512.h" +#include "_crypto_hashblocks_sha512.h" #define blocks crypto_hashblocks_sha512 diff --git a/src/libsodium/crypto_hash/sha512/ref/hash_sha512.c b/src/libsodium/crypto_hash/sha512/ref/hash_sha512.c index 7cc8b85d..fc66045e 100644 --- a/src/libsodium/crypto_hash/sha512/ref/hash_sha512.c +++ b/src/libsodium/crypto_hash/sha512/ref/hash_sha512.c @@ -5,7 +5,7 @@ Public domain. */ #include "api.h" -#include "crypto_hashblocks_sha512.h" +#include "_crypto_hashblocks_sha512.h" #define blocks crypto_hashblocks_sha512 diff --git a/src/libsodium/crypto_hashblocks/sha512/ref/api.h b/src/libsodium/crypto_hashblocks/sha512/ref/api.h index 1662652d..5086bd1c 100644 --- a/src/libsodium/crypto_hashblocks/sha512/ref/api.h +++ b/src/libsodium/crypto_hashblocks/sha512/ref/api.h @@ -1,5 +1,5 @@ -#include "crypto_hashblocks_sha512.h" +#include "_crypto_hashblocks_sha512.h" #define crypto_hashblocks crypto_hashblocks_sha512 #define crypto_hashblocks_STATEBYTES crypto_hashblocks_sha512_STATEBYTES diff --git a/src/libsodium/include/Makefile.am b/src/libsodium/include/Makefile.am index 3cd4e359..c945ba8b 100644 --- a/src/libsodium/include/Makefile.am +++ b/src/libsodium/include/Makefile.am @@ -16,7 +16,6 @@ SODIUM_EXPORT = \ sodium/crypto_hash.h \ sodium/crypto_hash_sha256.h \ sodium/crypto_hash_sha512.h \ - sodium/crypto_hashblocks_sha512.h \ sodium/crypto_onetimeauth.h \ sodium/crypto_onetimeauth_poly1305.h \ sodium/crypto_onetimeauth_poly1305_53.h \ @@ -53,6 +52,7 @@ SODIUM_EXPORT = \ sodium/utils.h EXTRA_SRC = $(SODIUM_EXPORT) \ + sodium/_crypto_hashblocks_sha512.h \ sodium/version.h.in nobase_include_HEADERS = $(SODIUM_EXPORT) diff --git a/src/libsodium/include/sodium/crypto_hashblocks_sha512.h b/src/libsodium/include/sodium/_crypto_hashblocks_sha512.h similarity index 76% rename from src/libsodium/include/sodium/crypto_hashblocks_sha512.h rename to src/libsodium/include/sodium/_crypto_hashblocks_sha512.h index bfa74407..3b51a3c5 100644 --- a/src/libsodium/include/sodium/crypto_hashblocks_sha512.h +++ b/src/libsodium/include/sodium/_crypto_hashblocks_sha512.h @@ -1,5 +1,5 @@ -#ifndef crypto_hashblocks_sha512_H -#define crypto_hashblocks_sha512_H +#ifndef _crypto_hashblocks_sha512_H +#define _crypto_hashblocks_sha512_H #include #include "export.h" @@ -13,7 +13,8 @@ # endif extern "C" { #endif - + +/* This function is only used internally */ int crypto_hashblocks_sha512(unsigned char *,const unsigned char *,unsigned long long); #ifdef __cplusplus From c9b87029c1f0eba01ea7d0ef7be10f8cfcfa8432 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 10 Apr 2014 23:20:15 -0700 Subject: [PATCH 24/40] crypto_hash_sha256_update() cannot fail --- src/libsodium/crypto_hash/sha256/cp/hash_sha256.c | 5 +---- 1 file changed, 1 insertion(+), 4 deletions(-) diff --git a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c index 95e91d37..9446f8dc 100644 --- a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c +++ b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c @@ -286,10 +286,7 @@ crypto_hash(unsigned char *out, const unsigned char *in, crypto_hash_sha256_state state; crypto_hash_sha256_init(&state); - if (crypto_hash_sha256_update(&state, in, inlen) != 0) { - sodium_memzero(out, crypto_hash_BYTES); - return -1; - } + crypto_hash_sha256_update(&state, in, inlen); crypto_hash_sha256_final(&state, out); return 0; From d3605bf4c3531049b64e8f2830f4d416d5811734 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 10 Apr 2014 23:36:28 -0700 Subject: [PATCH 25/40] Stored values that are never read are very likely to get optimized out. --- src/libsodium/crypto_hash/sha256/cp/hash_sha256.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c index 9446f8dc..2c4ab4cf 100644 --- a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c +++ b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c @@ -189,7 +189,8 @@ SHA256_Transform(uint32_t *state, const unsigned char block[64]) sodium_memzero((void *) W, 256); sodium_memzero((void *) S, 32); - t0 = t1 = 0; + sodium_memzero((void *) &t0, sizeof t0); + sodium_memzero((void *) &t1, sizeof t1); } static unsigned char PAD[64] = { From 7791007caf5a5c84835b889acb3e86abfbb14405 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Sat, 12 Apr 2014 00:51:49 -0700 Subject: [PATCH 26/40] Remove non-threadsafe versions of the crypt(3)-like interface to scrypt. --- .../crypto_scrypt-common.c | 25 ------------------- .../scryptxsalsa208sha256/crypto_scrypt.h | 6 ----- 2 files changed, 31 deletions(-) diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt-common.c b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt-common.c index c03d1214..9791863d 100644 --- a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt-common.c +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt-common.c @@ -170,22 +170,6 @@ escrypt_r(escrypt_local_t * local, return buf; } -uint8_t * -escrypt(const uint8_t * passwd, const uint8_t * setting) -{ - static uint8_t buf[4 + 1 + 5 + 5 + BYTES2CHARS(32) + 1 + HASH_LEN + 1]; - escrypt_local_t local; - uint8_t * retval; - - if (escrypt_init_local(&local)) - return NULL; - retval = escrypt_r(&local, - passwd, strlen((char *)passwd), setting, buf, sizeof(buf)); - if (escrypt_free_local(&local)) - return NULL; - return retval; -} - uint8_t * escrypt_gensalt_r(uint32_t N_log2, uint32_t r, uint32_t p, const uint8_t * src, size_t srclen, @@ -227,15 +211,6 @@ escrypt_gensalt_r(uint32_t N_log2, uint32_t r, uint32_t p, return buf; } -uint8_t * -escrypt_gensalt(uint32_t N_log2, uint32_t r, uint32_t p, - const uint8_t * src, size_t srclen) -{ - static uint8_t buf[4 + 1 + 5 + 5 + BYTES2CHARS(32) + 1]; - return escrypt_gensalt_r(N_log2, r, p, src, srclen, - buf, sizeof(buf)); -} - int crypto_scrypt(const uint8_t * passwd, size_t passwdlen, const uint8_t * salt, size_t saltlen, uint64_t N, uint32_t r, uint32_t p, diff --git a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt.h b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt.h index cd9e53ea..2a1d8d18 100644 --- a/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt.h +++ b/src/libsodium/crypto_pwhash/scryptxsalsa208sha256/crypto_scrypt.h @@ -77,15 +77,9 @@ extern uint8_t * escrypt_r(escrypt_local_t * __local, const uint8_t * __setting, uint8_t * __buf, size_t __buflen); -extern uint8_t * escrypt(const uint8_t * __passwd, const uint8_t * __setting); - extern uint8_t * escrypt_gensalt_r( uint32_t __N_log2, uint32_t __r, uint32_t __p, const uint8_t * __src, size_t __srclen, uint8_t * __buf, size_t __buflen); -extern uint8_t * escrypt_gensalt( - uint32_t __N_log2, uint32_t __r, uint32_t __p, - const uint8_t * __src, size_t __srclen); - #endif /* !_CRYPTO_SCRYPT_H_ */ From aa884153388100ac748c43fb5c6a359c38226a36 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 14 Apr 2014 15:51:03 -0700 Subject: [PATCH 27/40] Remove unused variables --- test/default/scalarmult7.c | 2 -- test/default/scalarmult8.c | 2 -- 2 files changed, 4 deletions(-) diff --git a/test/default/scalarmult7.c b/test/default/scalarmult7.c index 77ce820b..7b6227bc 100644 --- a/test/default/scalarmult7.c +++ b/test/default/scalarmult7.c @@ -23,8 +23,6 @@ unsigned char out2[32]; int main(void) { - int i; - scalar[0] = 1U; crypto_scalarmult_curve25519(out1, scalar, p1); crypto_scalarmult_curve25519(out2, scalar, p2); diff --git a/test/default/scalarmult8.c b/test/default/scalarmult8.c index 0092bcd0..3ccbd292 100644 --- a/test/default/scalarmult8.c +++ b/test/default/scalarmult8.c @@ -23,8 +23,6 @@ unsigned char out2[32]; int main(void) { - int i; - scalar[0] = 1U; crypto_scalarmult_curve25519(out1, scalar, p1); crypto_scalarmult_curve25519(out2, scalar, p2); From e2262de49c039d58bdff68da136bb08309ef57d2 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 14 Apr 2014 15:52:55 -0700 Subject: [PATCH 28/40] Add a default value for TEST_SRCDIR --- test/default/cmptest.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/test/default/cmptest.h b/test/default/cmptest.h index 477abcbd..ae84e43e 100644 --- a/test/default/cmptest.h +++ b/test/default/cmptest.h @@ -6,6 +6,10 @@ #include "sodium.h" +#ifndef TEST_SRCDIR +# define TEST_SRCDIR "." +#endif + #define TEST_NAME_RES TEST_NAME ".res" #define TEST_NAME_OUT TEST_SRCDIR "/" TEST_NAME ".exp" From 2483af03845b3b3383058fd0b06e0f2f97902d7e Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 14 Apr 2014 20:42:37 -0700 Subject: [PATCH 29/40] Make hash_sha512 / hmac_sha512256 consistent with hash_sha256 / hmac_sha256 --- AUTHORS | 16 +- libsodium.vcxproj | 8 +- libsodium.vcxproj.filters | 12 +- src/libsodium/Makefile.am | 12 +- .../hmacsha512256/{ref => cp}/api.h | 0 .../hmacsha512256/cp/hmac_hmacsha512256.c | 140 ++++++++ .../{ref => cp}/verify_hmacsha512256.c | 0 .../hmacsha512256/ref/hmac_hmacsha512256.c | 86 ----- .../crypto_hash/sha256/cp/hash_sha256.c | 4 +- .../crypto_hash/sha512/{ref => cp}/api.h | 3 + .../crypto_hash/sha512/cp/hash_sha512.c | 322 ++++++++++++++++++ .../crypto_hash/sha512/ref/hash_sha512.c | 71 ---- .../crypto_hashblocks/sha512/checksum | 1 - .../crypto_hashblocks/sha512/ref/api.h | 9 - .../sha512/ref/blocks_sha512.c | 239 ------------- src/libsodium/crypto_hashblocks/try.c | 78 ----- src/libsodium/include/Makefile.am | 1 - .../sodium/_crypto_hashblocks_sha512.h | 24 -- .../include/sodium/crypto_auth_hmacsha256.h | 4 +- .../sodium/crypto_auth_hmacsha512256.h | 12 +- .../include/sodium/crypto_hash_sha256.h | 2 +- .../include/sodium/crypto_hash_sha512.h | 23 +- 22 files changed, 521 insertions(+), 546 deletions(-) rename src/libsodium/crypto_auth/hmacsha512256/{ref => cp}/api.h (100%) create mode 100644 src/libsodium/crypto_auth/hmacsha512256/cp/hmac_hmacsha512256.c rename src/libsodium/crypto_auth/hmacsha512256/{ref => cp}/verify_hmacsha512256.c (100%) delete mode 100644 src/libsodium/crypto_auth/hmacsha512256/ref/hmac_hmacsha512256.c rename src/libsodium/crypto_hash/sha512/{ref => cp}/api.h (65%) create mode 100644 src/libsodium/crypto_hash/sha512/cp/hash_sha512.c delete mode 100644 src/libsodium/crypto_hash/sha512/ref/hash_sha512.c delete mode 100644 src/libsodium/crypto_hashblocks/sha512/checksum delete mode 100644 src/libsodium/crypto_hashblocks/sha512/ref/api.h delete mode 100644 src/libsodium/crypto_hashblocks/sha512/ref/blocks_sha512.c delete mode 100644 src/libsodium/crypto_hashblocks/try.c delete mode 100644 src/libsodium/include/sodium/_crypto_hashblocks_sha512.h diff --git a/AUTHORS b/AUTHORS index 6e7d624a..7dfb08d1 100644 --- a/AUTHORS +++ b/AUTHORS @@ -30,19 +30,19 @@ Daniel J. Bernstein crypto_hash/sha256 ------------------ -Daniel J. Bernstein (wrapper around crypto_hashblocks/sha256) +Colin Percival crypto_hash/sha512 ------------------ -Daniel J. Bernstein (wrapper around crypto_hashblocks/sha512) +Colin Percival -crypto_hashblocks/sha256 ------------------------- -Daniel J. Bernstein +crypto_auth/hmacsha256 +------------------ +Colin Percival -crypto_hashblocks/sha512 ------------------------- -Daniel J. Bernstein +crypto_auth/hmacsha512 +------------------ +Colin Percival crypto_scalarmult/curve25519/ref -------------------------------- diff --git a/libsodium.vcxproj b/libsodium.vcxproj index 6ca8ee20..4b723ccb 100644 --- a/libsodium.vcxproj +++ b/libsodium.vcxproj @@ -328,7 +328,6 @@ - @@ -376,8 +375,8 @@ - - + + @@ -396,12 +395,11 @@ - - + diff --git a/libsodium.vcxproj.filters b/libsodium.vcxproj.filters index 96890124..e766cc40 100644 --- a/libsodium.vcxproj.filters +++ b/libsodium.vcxproj.filters @@ -60,9 +60,6 @@ Header Files - - Header Files - Header Files @@ -202,13 +199,13 @@ Source Files - + Source Files Source Files - + Source Files @@ -259,15 +256,12 @@ Source Files - + Source Files Source Files - - Source Files - Source Files diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am index 13e51d5a..13da6ec6 100644 --- a/src/libsodium/Makefile.am +++ b/src/libsodium/Makefile.am @@ -8,9 +8,9 @@ libsodium_la_SOURCES = \ crypto_auth/hmacsha256/cp/hmac_hmacsha256.c \ crypto_auth/hmacsha256/cp/verify_hmacsha256.c \ crypto_auth/hmacsha512256/auth_hmacsha512256_api.c \ - crypto_auth/hmacsha512256/ref/api.h \ - crypto_auth/hmacsha512256/ref/hmac_hmacsha512256.c \ - crypto_auth/hmacsha512256/ref/verify_hmacsha512256.c \ + crypto_auth/hmacsha512256/cp/api.h \ + crypto_auth/hmacsha512256/cp/hmac_hmacsha512256.c \ + crypto_auth/hmacsha512256/cp/verify_hmacsha512256.c \ crypto_box/crypto_box.c \ crypto_box/crypto_box_easy.c \ crypto_box/curve25519xsalsa20poly1305/box_curve25519xsalsa20poly1305_api.c \ @@ -43,10 +43,8 @@ libsodium_la_SOURCES = \ crypto_hash/sha256/cp/api.h \ crypto_hash/sha256/cp/hash_sha256.c \ crypto_hash/sha512/hash_sha512_api.c \ - crypto_hash/sha512/ref/api.h \ - crypto_hash/sha512/ref/hash_sha512.c \ - crypto_hashblocks/sha512/ref/blocks_sha512.c \ - crypto_hashblocks/sha512/ref/api.h \ + crypto_hash/sha512/cp/api.h \ + crypto_hash/sha512/cp/hash_sha512.c \ crypto_onetimeauth/crypto_onetimeauth.c \ crypto_onetimeauth/poly1305/onetimeauth_poly1305.c \ crypto_onetimeauth/poly1305/onetimeauth_poly1305_api.c \ diff --git a/src/libsodium/crypto_auth/hmacsha512256/ref/api.h b/src/libsodium/crypto_auth/hmacsha512256/cp/api.h similarity index 100% rename from src/libsodium/crypto_auth/hmacsha512256/ref/api.h rename to src/libsodium/crypto_auth/hmacsha512256/cp/api.h diff --git a/src/libsodium/crypto_auth/hmacsha512256/cp/hmac_hmacsha512256.c b/src/libsodium/crypto_auth/hmacsha512256/cp/hmac_hmacsha512256.c new file mode 100644 index 00000000..27a14943 --- /dev/null +++ b/src/libsodium/crypto_auth/hmacsha512256/cp/hmac_hmacsha512256.c @@ -0,0 +1,140 @@ + +/*- + * Copyright 2005,2007,2009 Colin Percival + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + */ + +#include "api.h" +#include "crypto_auth_hmacsha512256.h" +#include "crypto_hash_sha512.h" +#include "utils.h" + +#include + +#include +#include + +int +crypto_auth_hmacsha512_init(crypto_auth_hmacsha512_state *state, + const unsigned char *key, + size_t keylen) +{ + unsigned char pad[128]; + unsigned char khash[64]; + size_t i; + + if (keylen > 128) { + crypto_hash_sha512_init(&state->ictx); + crypto_hash_sha512_update(&state->ictx, key, keylen); + crypto_hash_sha512_final(&state->ictx, khash); + key = khash; + keylen = 64; + } + crypto_hash_sha512_init(&state->ictx); + memset(pad, 0x36, 128); + for (i = 0; i < keylen; i++) { + pad[i] ^= key[i]; + } + crypto_hash_sha512_update(&state->ictx, pad, 128); + + crypto_hash_sha512_init(&state->octx); + memset(pad, 0x5c, 128); + for (i = 0; i < keylen; i++) { + pad[i] ^= key[i]; + } + crypto_hash_sha512_update(&state->octx, pad, 128); + + sodium_memzero((void *) khash, 64); + + return 0; +} + +int +crypto_auth_hmacsha512_update(crypto_auth_hmacsha512_state *state, + const unsigned char *in, + unsigned long long inlen) +{ + crypto_hash_sha512_update(&state->ictx, in, inlen); + + return 0; +} + +int +crypto_auth_hmacsha512_final(crypto_auth_hmacsha512_state *state, + unsigned char *out) +{ + unsigned char ihash[64]; + + crypto_hash_sha512_final(&state->ictx, ihash); + crypto_hash_sha512_update(&state->octx, ihash, 64); + crypto_hash_sha512_final(&state->octx, out); + + sodium_memzero((void *) ihash, 64); + + return 0; +} + +int +crypto_auth_hmacsha512256_init(crypto_auth_hmacsha512256_state *state, + const unsigned char *key, + size_t keylen) +{ + return crypto_auth_hmacsha512_init((crypto_auth_hmacsha512_state *) state, + key, keylen); +} + +int +crypto_auth_hmacsha512256_update(crypto_auth_hmacsha512256_state *state, + const unsigned char *in, + unsigned long long inlen) +{ + return crypto_auth_hmacsha512_update((crypto_auth_hmacsha512_state *) state, + in, inlen); +} + +int +crypto_auth_hmacsha512256_final(crypto_auth_hmacsha512256_state *state, + unsigned char *out) +{ + unsigned char out0[64]; + + crypto_auth_hmacsha512_final((crypto_auth_hmacsha512_state *) state, out0); + memcpy(out, out0, 32); + + return 0; +} + +int +crypto_auth(unsigned char *out, const unsigned char *in, + unsigned long long inlen, const unsigned char *k) +{ + crypto_auth_hmacsha512256_state state; + + crypto_auth_hmacsha512256_init(&state, k, crypto_auth_KEYBYTES); + crypto_auth_hmacsha512256_update(&state, in, inlen); + crypto_auth_hmacsha512256_final(&state, out); + + return 0; +} diff --git a/src/libsodium/crypto_auth/hmacsha512256/ref/verify_hmacsha512256.c b/src/libsodium/crypto_auth/hmacsha512256/cp/verify_hmacsha512256.c similarity index 100% rename from src/libsodium/crypto_auth/hmacsha512256/ref/verify_hmacsha512256.c rename to src/libsodium/crypto_auth/hmacsha512256/cp/verify_hmacsha512256.c diff --git a/src/libsodium/crypto_auth/hmacsha512256/ref/hmac_hmacsha512256.c b/src/libsodium/crypto_auth/hmacsha512256/ref/hmac_hmacsha512256.c deleted file mode 100644 index d3ebfd96..00000000 --- a/src/libsodium/crypto_auth/hmacsha512256/ref/hmac_hmacsha512256.c +++ /dev/null @@ -1,86 +0,0 @@ -/* - * 20080913 - * D. J. Bernstein - * Public domain. - * */ - -#include "api.h" -#include "_crypto_hashblocks_sha512.h" - -#define blocks crypto_hashblocks_sha512 - -typedef unsigned long long uint64; - -static const unsigned char iv[64] = { - 0x6a,0x09,0xe6,0x67,0xf3,0xbc,0xc9,0x08, - 0xbb,0x67,0xae,0x85,0x84,0xca,0xa7,0x3b, - 0x3c,0x6e,0xf3,0x72,0xfe,0x94,0xf8,0x2b, - 0xa5,0x4f,0xf5,0x3a,0x5f,0x1d,0x36,0xf1, - 0x51,0x0e,0x52,0x7f,0xad,0xe6,0x82,0xd1, - 0x9b,0x05,0x68,0x8c,0x2b,0x3e,0x6c,0x1f, - 0x1f,0x83,0xd9,0xab,0xfb,0x41,0xbd,0x6b, - 0x5b,0xe0,0xcd,0x19,0x13,0x7e,0x21,0x79 -} ; - -int crypto_auth(unsigned char *out,const unsigned char *in,unsigned long long inlen,const unsigned char *k) -{ - unsigned char h[64]; - unsigned char padded[256]; - unsigned long long i; - unsigned long long bytes = 128 + inlen; - - for (i = 0;i < 64;++i) h[i] = iv[i]; - - for (i = 0;i < 32;++i) padded[i] = k[i] ^ 0x36; - for (i = 32;i < 128;++i) padded[i] = 0x36; - - blocks(h,padded,128); - blocks(h,in,inlen); - in += inlen; - inlen &= 127; - in -= inlen; - - for (i = 0;i < inlen;++i) padded[i] = in[i]; - padded[inlen] = 0x80; - - if (inlen < 112) { - for (i = inlen + 1;i < 119;++i) padded[i] = 0; - padded[119] = bytes >> 61; - padded[120] = bytes >> 53; - padded[121] = bytes >> 45; - padded[122] = bytes >> 37; - padded[123] = bytes >> 29; - padded[124] = bytes >> 21; - padded[125] = bytes >> 13; - padded[126] = bytes >> 5; - padded[127] = bytes << 3; - blocks(h,padded,128); - } else { - for (i = inlen + 1;i < 247;++i) padded[i] = 0; - padded[247] = bytes >> 61; - padded[248] = bytes >> 53; - padded[249] = bytes >> 45; - padded[250] = bytes >> 37; - padded[251] = bytes >> 29; - padded[252] = bytes >> 21; - padded[253] = bytes >> 13; - padded[254] = bytes >> 5; - padded[255] = bytes << 3; - blocks(h,padded,256); - } - - for (i = 0;i < 32;++i) padded[i] = k[i] ^ 0x5c; - for (i = 32;i < 128;++i) padded[i] = 0x5c; - - for (i = 0;i < 64;++i) padded[128 + i] = h[i]; - for (i = 0;i < 64;++i) h[i] = iv[i]; - - for (i = 64;i < 128;++i) padded[128 + i] = 0; - padded[128 + 64] = 0x80; - padded[128 + 126] = 6; - - blocks(h,padded,256); - for (i = 0;i < 32;++i) out[i] = h[i]; - - return 0; -} diff --git a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c index 2c4ab4cf..721bbe92 100644 --- a/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c +++ b/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c @@ -187,8 +187,8 @@ SHA256_Transform(uint32_t *state, const unsigned char block[64]) state[i] += S[i]; } - sodium_memzero((void *) W, 256); - sodium_memzero((void *) S, 32); + sodium_memzero((void *) W, sizeof W); + sodium_memzero((void *) S, sizeof S); sodium_memzero((void *) &t0, sizeof t0); sodium_memzero((void *) &t1, sizeof t1); } diff --git a/src/libsodium/crypto_hash/sha512/ref/api.h b/src/libsodium/crypto_hash/sha512/cp/api.h similarity index 65% rename from src/libsodium/crypto_hash/sha512/ref/api.h rename to src/libsodium/crypto_hash/sha512/cp/api.h index afea983f..5e01170d 100644 --- a/src/libsodium/crypto_hash/sha512/ref/api.h +++ b/src/libsodium/crypto_hash/sha512/cp/api.h @@ -2,6 +2,9 @@ #include "crypto_hash_sha512.h" #define crypto_hash crypto_hash_sha512 +#define crypto_hash_init crypto_hash_sha512_init +#define crypto_hash_update crypto_hash_sha512_update +#define crypto_hash_final crypto_hash_sha512_final #define crypto_hash_BYTES crypto_hash_sha512_BYTES #define crypto_hash_PRIMITIVE "sha512" #define crypto_hash_IMPLEMENTATION crypto_hash_sha512_IMPLEMENTATION diff --git a/src/libsodium/crypto_hash/sha512/cp/hash_sha512.c b/src/libsodium/crypto_hash/sha512/cp/hash_sha512.c new file mode 100644 index 00000000..71870083 --- /dev/null +++ b/src/libsodium/crypto_hash/sha512/cp/hash_sha512.c @@ -0,0 +1,322 @@ + +/*- + * Copyright 2005,2007,2009 Colin Percival + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + */ + +#include "api.h" +#include "crypto_hash_sha512.h" +#include "utils.h" + +#include + +#include +#include +#include +#include + +/* Avoid namespace collisions with BSD . */ +#define be64dec _sha512_be64dec +#define be64enc _sha512_be64enc + +static inline uint64_t +be64dec(const void *pp) +{ + const uint8_t *p = (uint8_t const *)pp; + + return ((uint64_t)(p[7]) + ((uint64_t)(p[6]) << 8) + + ((uint64_t)(p[5]) << 16) + ((uint64_t)(p[4]) << 24) + + ((uint64_t)(p[3]) << 32) + ((uint64_t)(p[2]) << 40) + + ((uint64_t)(p[1]) << 48) + ((uint64_t)(p[0]) << 56)); +} + +static inline void +be64enc(void *pp, uint64_t x) +{ + uint8_t *p = (uint8_t *)pp; + + p[7] = x & 0xff; + p[6] = (x >> 8) & 0xff; + p[5] = (x >> 16) & 0xff; + p[4] = (x >> 24) & 0xff; + p[3] = (x >> 32) & 0xff; + p[2] = (x >> 40) & 0xff; + p[1] = (x >> 48) & 0xff; + p[0] = (x >> 56) & 0xff; +} + +static void +be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len) +{ + size_t i; + + for (i = 0; i < len / 8; i++) { + be64enc(dst + i * 8, src[i]); + } +} + +static void +be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len) +{ + size_t i; + + for (i = 0; i < len / 8; i++) { + dst[i] = be64dec(src + i * 8); + } +} + +#define Ch(x, y, z) ((x & (y ^ z)) ^ z) +#define Maj(x, y, z) ((x & (y | z)) | (y & z)) +#define SHR(x, n) (x >> n) +#define ROTR(x, n) ((x >> n) | (x << (64 - n))) +#define S0(x) (ROTR(x, 28) ^ ROTR(x, 34) ^ ROTR(x, 39)) +#define S1(x) (ROTR(x, 14) ^ ROTR(x, 18) ^ ROTR(x, 41)) +#define s0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7)) +#define s1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6)) + +#define RND(a, b, c, d, e, f, g, h, k) \ + t0 = h + S1(e) + Ch(e, f, g) + k; \ + t1 = S0(a) + Maj(a, b, c); \ + d += t0; \ + h = t0 + t1; + +#define RNDr(S, W, i, k) \ + RND(S[(80 - i) % 8], S[(81 - i) % 8], \ + S[(82 - i) % 8], S[(83 - i) % 8], \ + S[(84 - i) % 8], S[(85 - i) % 8], \ + S[(86 - i) % 8], S[(87 - i) % 8], \ + W[i] + k) + +static void +SHA512_Transform(uint64_t *state, const unsigned char block[128]) +{ + uint64_t W[80]; + uint64_t S[8]; + uint64_t t0, t1; + int i; + + be64dec_vect(W, block, 128); + for (i = 16; i < 80; i++) { + W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16]; + } + + memcpy(S, state, 64); + + RNDr(S, W, 0, 0x428a2f98d728ae22ULL); + RNDr(S, W, 1, 0x7137449123ef65cdULL); + RNDr(S, W, 2, 0xb5c0fbcfec4d3b2fULL); + RNDr(S, W, 3, 0xe9b5dba58189dbbcULL); + RNDr(S, W, 4, 0x3956c25bf348b538ULL); + RNDr(S, W, 5, 0x59f111f1b605d019ULL); + RNDr(S, W, 6, 0x923f82a4af194f9bULL); + RNDr(S, W, 7, 0xab1c5ed5da6d8118ULL); + RNDr(S, W, 8, 0xd807aa98a3030242ULL); + RNDr(S, W, 9, 0x12835b0145706fbeULL); + RNDr(S, W, 10, 0x243185be4ee4b28cULL); + RNDr(S, W, 11, 0x550c7dc3d5ffb4e2ULL); + RNDr(S, W, 12, 0x72be5d74f27b896fULL); + RNDr(S, W, 13, 0x80deb1fe3b1696b1ULL); + RNDr(S, W, 14, 0x9bdc06a725c71235ULL); + RNDr(S, W, 15, 0xc19bf174cf692694ULL); + RNDr(S, W, 16, 0xe49b69c19ef14ad2ULL); + RNDr(S, W, 17, 0xefbe4786384f25e3ULL); + RNDr(S, W, 18, 0x0fc19dc68b8cd5b5ULL); + RNDr(S, W, 19, 0x240ca1cc77ac9c65ULL); + RNDr(S, W, 20, 0x2de92c6f592b0275ULL); + RNDr(S, W, 21, 0x4a7484aa6ea6e483ULL); + RNDr(S, W, 22, 0x5cb0a9dcbd41fbd4ULL); + RNDr(S, W, 23, 0x76f988da831153b5ULL); + RNDr(S, W, 24, 0x983e5152ee66dfabULL); + RNDr(S, W, 25, 0xa831c66d2db43210ULL); + RNDr(S, W, 26, 0xb00327c898fb213fULL); + RNDr(S, W, 27, 0xbf597fc7beef0ee4ULL); + RNDr(S, W, 28, 0xc6e00bf33da88fc2ULL); + RNDr(S, W, 29, 0xd5a79147930aa725ULL); + RNDr(S, W, 30, 0x06ca6351e003826fULL); + RNDr(S, W, 31, 0x142929670a0e6e70ULL); + RNDr(S, W, 32, 0x27b70a8546d22ffcULL); + RNDr(S, W, 33, 0x2e1b21385c26c926ULL); + RNDr(S, W, 34, 0x4d2c6dfc5ac42aedULL); + RNDr(S, W, 35, 0x53380d139d95b3dfULL); + RNDr(S, W, 36, 0x650a73548baf63deULL); + RNDr(S, W, 37, 0x766a0abb3c77b2a8ULL); + RNDr(S, W, 38, 0x81c2c92e47edaee6ULL); + RNDr(S, W, 39, 0x92722c851482353bULL); + RNDr(S, W, 40, 0xa2bfe8a14cf10364ULL); + RNDr(S, W, 41, 0xa81a664bbc423001ULL); + RNDr(S, W, 42, 0xc24b8b70d0f89791ULL); + RNDr(S, W, 43, 0xc76c51a30654be30ULL); + RNDr(S, W, 44, 0xd192e819d6ef5218ULL); + RNDr(S, W, 45, 0xd69906245565a910ULL); + RNDr(S, W, 46, 0xf40e35855771202aULL); + RNDr(S, W, 47, 0x106aa07032bbd1b8ULL); + RNDr(S, W, 48, 0x19a4c116b8d2d0c8ULL); + RNDr(S, W, 49, 0x1e376c085141ab53ULL); + RNDr(S, W, 50, 0x2748774cdf8eeb99ULL); + RNDr(S, W, 51, 0x34b0bcb5e19b48a8ULL); + RNDr(S, W, 52, 0x391c0cb3c5c95a63ULL); + RNDr(S, W, 53, 0x4ed8aa4ae3418acbULL); + RNDr(S, W, 54, 0x5b9cca4f7763e373ULL); + RNDr(S, W, 55, 0x682e6ff3d6b2b8a3ULL); + RNDr(S, W, 56, 0x748f82ee5defb2fcULL); + RNDr(S, W, 57, 0x78a5636f43172f60ULL); + RNDr(S, W, 58, 0x84c87814a1f0ab72ULL); + RNDr(S, W, 59, 0x8cc702081a6439ecULL); + RNDr(S, W, 60, 0x90befffa23631e28ULL); + RNDr(S, W, 61, 0xa4506cebde82bde9ULL); + RNDr(S, W, 62, 0xbef9a3f7b2c67915ULL); + RNDr(S, W, 63, 0xc67178f2e372532bULL); + RNDr(S, W, 64, 0xca273eceea26619cULL); + RNDr(S, W, 65, 0xd186b8c721c0c207ULL); + RNDr(S, W, 66, 0xeada7dd6cde0eb1eULL); + RNDr(S, W, 67, 0xf57d4f7fee6ed178ULL); + RNDr(S, W, 68, 0x06f067aa72176fbaULL); + RNDr(S, W, 69, 0x0a637dc5a2c898a6ULL); + RNDr(S, W, 70, 0x113f9804bef90daeULL); + RNDr(S, W, 71, 0x1b710b35131c471bULL); + RNDr(S, W, 72, 0x28db77f523047d84ULL); + RNDr(S, W, 73, 0x32caab7b40c72493ULL); + RNDr(S, W, 74, 0x3c9ebe0a15c9bebcULL); + RNDr(S, W, 75, 0x431d67c49c100d4cULL); + RNDr(S, W, 76, 0x4cc5d4becb3e42b6ULL); + RNDr(S, W, 77, 0x597f299cfc657e2aULL); + RNDr(S, W, 78, 0x5fcb6fab3ad6faecULL); + RNDr(S, W, 79, 0x6c44198c4a475817ULL); + + for (i = 0; i < 8; i++) { + state[i] += S[i]; + } + + sodium_memzero((void *) W, sizeof W); + sodium_memzero((void *) S, sizeof S); + sodium_memzero((void *) &t0, sizeof t0); + sodium_memzero((void *) &t1, sizeof t1); +} + +static unsigned char PAD[128] = { + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 +}; + +static void +SHA512_Pad(crypto_hash_sha512_state *state) +{ + unsigned char len[16]; + uint64_t r, plen; + + be64enc_vect(len, state->count, 16); + + r = (state->count[1] >> 3) & 0x7f; + plen = (r < 112) ? (112 - r) : (240 - r); + crypto_hash_sha512_update(state, PAD, (unsigned long long) plen); + + crypto_hash_sha512_update(state, len, 16); +} + +int +crypto_hash_sha512_init(crypto_hash_sha512_state *state) +{ + state->count[0] = state->count[1] = 0; + + state->state[0] = 0x6a09e667f3bcc908ULL; + state->state[1] = 0xbb67ae8584caa73bULL; + state->state[2] = 0x3c6ef372fe94f82bULL; + state->state[3] = 0xa54ff53a5f1d36f1ULL; + state->state[4] = 0x510e527fade682d1ULL; + state->state[5] = 0x9b05688c2b3e6c1fULL; + state->state[6] = 0x1f83d9abfb41bd6bULL; + state->state[7] = 0x5be0cd19137e2179ULL; + + return 0; +} + +int +crypto_hash_sha512_update(crypto_hash_sha512_state *state, + const unsigned char *in, + unsigned long long inlen) +{ + uint64_t bitlen[2]; + uint64_t r; + const unsigned char *src = in; + + r = (state->count[1] >> 3) & 0x7f; + + bitlen[1] = ((uint64_t)inlen) << 3; + bitlen[0] = ((uint64_t)inlen) >> 61; + + if ((state->count[1] += bitlen[1]) < bitlen[1]) { + state->count[0]++; + } + state->count[0] += bitlen[0]; + + if (inlen < 128 - r) { + memcpy(&state->buf[r], src, inlen); + return 0; + } + memcpy(&state->buf[r], src, 128 - r); + SHA512_Transform(state->state, state->buf); + src += 128 - r; + inlen -= 128 - r; + + while (inlen >= 128) { + SHA512_Transform(state->state, src); + src += 128; + inlen -= 128; + } + memcpy(state->buf, src, inlen); + + return 0; +} + +int +crypto_hash_sha512_final(crypto_hash_sha512_state *state, + unsigned char *out) +{ + SHA512_Pad(state); + be64enc_vect(out, state->state, 64); + sodium_memzero((void *) state, sizeof *state); + + return 0; +} + +int +crypto_hash(unsigned char *out, const unsigned char *in, + unsigned long long inlen) +{ + crypto_hash_sha512_state state; + + crypto_hash_sha512_init(&state); + crypto_hash_sha512_update(&state, in, inlen); + crypto_hash_sha512_final(&state, out); + + return 0; +} + diff --git a/src/libsodium/crypto_hash/sha512/ref/hash_sha512.c b/src/libsodium/crypto_hash/sha512/ref/hash_sha512.c deleted file mode 100644 index fc66045e..00000000 --- a/src/libsodium/crypto_hash/sha512/ref/hash_sha512.c +++ /dev/null @@ -1,71 +0,0 @@ -/* -20080913 -D. J. Bernstein -Public domain. -*/ - -#include "api.h" -#include "_crypto_hashblocks_sha512.h" - -#define blocks crypto_hashblocks_sha512 - -static const unsigned char iv[64] = { - 0x6a,0x09,0xe6,0x67,0xf3,0xbc,0xc9,0x08, - 0xbb,0x67,0xae,0x85,0x84,0xca,0xa7,0x3b, - 0x3c,0x6e,0xf3,0x72,0xfe,0x94,0xf8,0x2b, - 0xa5,0x4f,0xf5,0x3a,0x5f,0x1d,0x36,0xf1, - 0x51,0x0e,0x52,0x7f,0xad,0xe6,0x82,0xd1, - 0x9b,0x05,0x68,0x8c,0x2b,0x3e,0x6c,0x1f, - 0x1f,0x83,0xd9,0xab,0xfb,0x41,0xbd,0x6b, - 0x5b,0xe0,0xcd,0x19,0x13,0x7e,0x21,0x79 -} ; - -typedef unsigned long long uint64; - -int crypto_hash(unsigned char *out,const unsigned char *in,unsigned long long inlen) -{ - unsigned char h[64]; - unsigned char padded[256]; - unsigned long long i; - unsigned long long bytes = inlen; - - for (i = 0;i < 64;++i) h[i] = iv[i]; - - blocks(h,in,inlen); - in += inlen; - inlen &= 127; - in -= inlen; - - for (i = 0;i < inlen;++i) padded[i] = in[i]; - padded[inlen] = 0x80; - - if (inlen < 112) { - for (i = inlen + 1;i < 119;++i) padded[i] = 0; - padded[119] = bytes >> 61; - padded[120] = bytes >> 53; - padded[121] = bytes >> 45; - padded[122] = bytes >> 37; - padded[123] = bytes >> 29; - padded[124] = bytes >> 21; - padded[125] = bytes >> 13; - padded[126] = bytes >> 5; - padded[127] = bytes << 3; - blocks(h,padded,128); - } else { - for (i = inlen + 1;i < 247;++i) padded[i] = 0; - padded[247] = bytes >> 61; - padded[248] = bytes >> 53; - padded[249] = bytes >> 45; - padded[250] = bytes >> 37; - padded[251] = bytes >> 29; - padded[252] = bytes >> 21; - padded[253] = bytes >> 13; - padded[254] = bytes >> 5; - padded[255] = bytes << 3; - blocks(h,padded,256); - } - - for (i = 0;i < 64;++i) out[i] = h[i]; - - return 0; -} diff --git a/src/libsodium/crypto_hashblocks/sha512/checksum b/src/libsodium/crypto_hashblocks/sha512/checksum deleted file mode 100644 index ed5245ec..00000000 --- a/src/libsodium/crypto_hashblocks/sha512/checksum +++ /dev/null @@ -1 +0,0 @@ -f005c91634ae549f0dd4529ddbaf07038cb75a59b818cd1d4eb4e2b4019ab6733556131f320c4a145c735a22594581d454cccb15c18bf198ffcb2da29fe39456 diff --git a/src/libsodium/crypto_hashblocks/sha512/ref/api.h b/src/libsodium/crypto_hashblocks/sha512/ref/api.h deleted file mode 100644 index 5086bd1c..00000000 --- a/src/libsodium/crypto_hashblocks/sha512/ref/api.h +++ /dev/null @@ -1,9 +0,0 @@ - -#include "_crypto_hashblocks_sha512.h" - -#define crypto_hashblocks crypto_hashblocks_sha512 -#define crypto_hashblocks_STATEBYTES crypto_hashblocks_sha512_STATEBYTES -#define crypto_hashblocks_BLOCKBYTES crypto_hashblocks_sha512_BLOCKBYTES -#define crypto_hashblocks_PRIMITIVE "sha512" -#define crypto_hashblocks_IMPLEMENTATION crypto_hashblocks_sha512_IMPLEMENTATION -#define crypto_hashblocks_VERSION crypto_hashblocks_sha512_VERSION diff --git a/src/libsodium/crypto_hashblocks/sha512/ref/blocks_sha512.c b/src/libsodium/crypto_hashblocks/sha512/ref/blocks_sha512.c deleted file mode 100644 index 6571ed64..00000000 --- a/src/libsodium/crypto_hashblocks/sha512/ref/blocks_sha512.c +++ /dev/null @@ -1,239 +0,0 @@ -#include "api.h" - -typedef unsigned long long uint64; - -static uint64 load_bigendian(const unsigned char *x) -{ - return - (uint64) (x[7]) \ - | (((uint64) (x[6])) << 8) \ - | (((uint64) (x[5])) << 16) \ - | (((uint64) (x[4])) << 24) \ - | (((uint64) (x[3])) << 32) \ - | (((uint64) (x[2])) << 40) \ - | (((uint64) (x[1])) << 48) \ - | (((uint64) (x[0])) << 56) - ; -} - -static void store_bigendian(unsigned char *x,uint64 u) -{ - x[7] = u; u >>= 8; - x[6] = u; u >>= 8; - x[5] = u; u >>= 8; - x[4] = u; u >>= 8; - x[3] = u; u >>= 8; - x[2] = u; u >>= 8; - x[1] = u; u >>= 8; - x[0] = u; -} - -#define SHR(x,c) ((x) >> (c)) -#define ROTR(x,c) (((x) >> (c)) | ((x) << (64 - (c)))) - -#define Ch(x,y,z) ((x & y) ^ (~x & z)) -#define Maj(x,y,z) ((x & y) ^ (x & z) ^ (y & z)) -#define Sigma0(x) (ROTR(x,28) ^ ROTR(x,34) ^ ROTR(x,39)) -#define Sigma1(x) (ROTR(x,14) ^ ROTR(x,18) ^ ROTR(x,41)) -#define sigma0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x,7)) -#define sigma1(x) (ROTR(x,19) ^ ROTR(x,61) ^ SHR(x,6)) - -#define M(w0,w14,w9,w1) w0 = sigma1(w14) + w9 + sigma0(w1) + w0; - -#define EXPAND \ - M(w0 ,w14,w9 ,w1 ) \ - M(w1 ,w15,w10,w2 ) \ - M(w2 ,w0 ,w11,w3 ) \ - M(w3 ,w1 ,w12,w4 ) \ - M(w4 ,w2 ,w13,w5 ) \ - M(w5 ,w3 ,w14,w6 ) \ - M(w6 ,w4 ,w15,w7 ) \ - M(w7 ,w5 ,w0 ,w8 ) \ - M(w8 ,w6 ,w1 ,w9 ) \ - M(w9 ,w7 ,w2 ,w10) \ - M(w10,w8 ,w3 ,w11) \ - M(w11,w9 ,w4 ,w12) \ - M(w12,w10,w5 ,w13) \ - M(w13,w11,w6 ,w14) \ - M(w14,w12,w7 ,w15) \ - M(w15,w13,w8 ,w0 ) - -#define F(w,k) \ - T1 = h + Sigma1(e) + Ch(e,f,g) + k + w; \ - T2 = Sigma0(a) + Maj(a,b,c); \ - h = g; \ - g = f; \ - f = e; \ - e = d + T1; \ - d = c; \ - c = b; \ - b = a; \ - a = T1 + T2; - -int crypto_hashblocks(unsigned char *statebytes,const unsigned char *in,unsigned long long inlen) -{ - uint64 state[8]; - uint64 a; - uint64 b; - uint64 c; - uint64 d; - uint64 e; - uint64 f; - uint64 g; - uint64 h; - uint64 T1; - uint64 T2; - - a = load_bigendian(statebytes + 0); state[0] = a; - b = load_bigendian(statebytes + 8); state[1] = b; - c = load_bigendian(statebytes + 16); state[2] = c; - d = load_bigendian(statebytes + 24); state[3] = d; - e = load_bigendian(statebytes + 32); state[4] = e; - f = load_bigendian(statebytes + 40); state[5] = f; - g = load_bigendian(statebytes + 48); state[6] = g; - h = load_bigendian(statebytes + 56); state[7] = h; - - while (inlen >= 128) { - uint64 w0 = load_bigendian(in + 0); - uint64 w1 = load_bigendian(in + 8); - uint64 w2 = load_bigendian(in + 16); - uint64 w3 = load_bigendian(in + 24); - uint64 w4 = load_bigendian(in + 32); - uint64 w5 = load_bigendian(in + 40); - uint64 w6 = load_bigendian(in + 48); - uint64 w7 = load_bigendian(in + 56); - uint64 w8 = load_bigendian(in + 64); - uint64 w9 = load_bigendian(in + 72); - uint64 w10 = load_bigendian(in + 80); - uint64 w11 = load_bigendian(in + 88); - uint64 w12 = load_bigendian(in + 96); - uint64 w13 = load_bigendian(in + 104); - uint64 w14 = load_bigendian(in + 112); - uint64 w15 = load_bigendian(in + 120); - - F(w0 ,0x428a2f98d728ae22ULL) - F(w1 ,0x7137449123ef65cdULL) - F(w2 ,0xb5c0fbcfec4d3b2fULL) - F(w3 ,0xe9b5dba58189dbbcULL) - F(w4 ,0x3956c25bf348b538ULL) - F(w5 ,0x59f111f1b605d019ULL) - F(w6 ,0x923f82a4af194f9bULL) - F(w7 ,0xab1c5ed5da6d8118ULL) - F(w8 ,0xd807aa98a3030242ULL) - F(w9 ,0x12835b0145706fbeULL) - F(w10,0x243185be4ee4b28cULL) - F(w11,0x550c7dc3d5ffb4e2ULL) - F(w12,0x72be5d74f27b896fULL) - F(w13,0x80deb1fe3b1696b1ULL) - F(w14,0x9bdc06a725c71235ULL) - F(w15,0xc19bf174cf692694ULL) - - EXPAND - - F(w0 ,0xe49b69c19ef14ad2ULL) - F(w1 ,0xefbe4786384f25e3ULL) - F(w2 ,0x0fc19dc68b8cd5b5ULL) - F(w3 ,0x240ca1cc77ac9c65ULL) - F(w4 ,0x2de92c6f592b0275ULL) - F(w5 ,0x4a7484aa6ea6e483ULL) - F(w6 ,0x5cb0a9dcbd41fbd4ULL) - F(w7 ,0x76f988da831153b5ULL) - F(w8 ,0x983e5152ee66dfabULL) - F(w9 ,0xa831c66d2db43210ULL) - F(w10,0xb00327c898fb213fULL) - F(w11,0xbf597fc7beef0ee4ULL) - F(w12,0xc6e00bf33da88fc2ULL) - F(w13,0xd5a79147930aa725ULL) - F(w14,0x06ca6351e003826fULL) - F(w15,0x142929670a0e6e70ULL) - - EXPAND - - F(w0 ,0x27b70a8546d22ffcULL) - F(w1 ,0x2e1b21385c26c926ULL) - F(w2 ,0x4d2c6dfc5ac42aedULL) - F(w3 ,0x53380d139d95b3dfULL) - F(w4 ,0x650a73548baf63deULL) - F(w5 ,0x766a0abb3c77b2a8ULL) - F(w6 ,0x81c2c92e47edaee6ULL) - F(w7 ,0x92722c851482353bULL) - F(w8 ,0xa2bfe8a14cf10364ULL) - F(w9 ,0xa81a664bbc423001ULL) - F(w10,0xc24b8b70d0f89791ULL) - F(w11,0xc76c51a30654be30ULL) - F(w12,0xd192e819d6ef5218ULL) - F(w13,0xd69906245565a910ULL) - F(w14,0xf40e35855771202aULL) - F(w15,0x106aa07032bbd1b8ULL) - - EXPAND - - F(w0 ,0x19a4c116b8d2d0c8ULL) - F(w1 ,0x1e376c085141ab53ULL) - F(w2 ,0x2748774cdf8eeb99ULL) - F(w3 ,0x34b0bcb5e19b48a8ULL) - F(w4 ,0x391c0cb3c5c95a63ULL) - F(w5 ,0x4ed8aa4ae3418acbULL) - F(w6 ,0x5b9cca4f7763e373ULL) - F(w7 ,0x682e6ff3d6b2b8a3ULL) - F(w8 ,0x748f82ee5defb2fcULL) - F(w9 ,0x78a5636f43172f60ULL) - F(w10,0x84c87814a1f0ab72ULL) - F(w11,0x8cc702081a6439ecULL) - F(w12,0x90befffa23631e28ULL) - F(w13,0xa4506cebde82bde9ULL) - F(w14,0xbef9a3f7b2c67915ULL) - F(w15,0xc67178f2e372532bULL) - - EXPAND - - F(w0 ,0xca273eceea26619cULL) - F(w1 ,0xd186b8c721c0c207ULL) - F(w2 ,0xeada7dd6cde0eb1eULL) - F(w3 ,0xf57d4f7fee6ed178ULL) - F(w4 ,0x06f067aa72176fbaULL) - F(w5 ,0x0a637dc5a2c898a6ULL) - F(w6 ,0x113f9804bef90daeULL) - F(w7 ,0x1b710b35131c471bULL) - F(w8 ,0x28db77f523047d84ULL) - F(w9 ,0x32caab7b40c72493ULL) - F(w10,0x3c9ebe0a15c9bebcULL) - F(w11,0x431d67c49c100d4cULL) - F(w12,0x4cc5d4becb3e42b6ULL) - F(w13,0x597f299cfc657e2aULL) - F(w14,0x5fcb6fab3ad6faecULL) - F(w15,0x6c44198c4a475817ULL) - - a += state[0]; - b += state[1]; - c += state[2]; - d += state[3]; - e += state[4]; - f += state[5]; - g += state[6]; - h += state[7]; - - state[0] = a; - state[1] = b; - state[2] = c; - state[3] = d; - state[4] = e; - state[5] = f; - state[6] = g; - state[7] = h; - - in += 128; - inlen -= 128; - } - - store_bigendian(statebytes + 0,state[0]); - store_bigendian(statebytes + 8,state[1]); - store_bigendian(statebytes + 16,state[2]); - store_bigendian(statebytes + 24,state[3]); - store_bigendian(statebytes + 32,state[4]); - store_bigendian(statebytes + 40,state[5]); - store_bigendian(statebytes + 48,state[6]); - store_bigendian(statebytes + 56,state[7]); - - return 0; -} diff --git a/src/libsodium/crypto_hashblocks/try.c b/src/libsodium/crypto_hashblocks/try.c deleted file mode 100644 index 3c72cdd2..00000000 --- a/src/libsodium/crypto_hashblocks/try.c +++ /dev/null @@ -1,78 +0,0 @@ -/* - * crypto_hashblocks/try.c version 20090118 - * D. J. Bernstein - * Public domain. - */ - -#include -#include "crypto_hashblocks.h" -#include "utils.h" -#include "windows/windows-quirks.h" - -extern unsigned char *alignedcalloc(unsigned long long); - -const char *primitiveimplementation = crypto_hashblocks_IMPLEMENTATION; - -#define MAXTEST_BYTES (10000 + crypto_hashblocks_STATEBYTES) -#define CHECKSUM_BYTES 4096 -#define TUNE_BYTES 1536 - -static unsigned char *h; -static unsigned char *h2; -static unsigned char *m; -static unsigned char *m2; - -void preallocate(void) -{ -} - -void allocate(void) -{ - h = alignedcalloc(crypto_hashblocks_STATEBYTES); - h2 = alignedcalloc(crypto_hashblocks_STATEBYTES); - m = alignedcalloc(MAXTEST_BYTES); - m2 = alignedcalloc(MAXTEST_BYTES); -} - -void predoit(void) -{ -} - -void doit(void) -{ - crypto_hashblocks(h,m,TUNE_BYTES); -} - -char checksum[crypto_hashblocks_STATEBYTES * 2 + 1]; - -const char *checksum_compute(void) -{ - long long i; - long long j; - - for (i = 0;i < CHECKSUM_BYTES;++i) { - long long hlen = crypto_hashblocks_STATEBYTES; - long long mlen = i; - for (j = -16;j < 0;++j) h[j] = rand(); - for (j = hlen;j < hlen + 16;++j) h[j] = rand(); - for (j = -16;j < hlen + 16;++j) h2[j] = h[j]; - for (j = -16;j < 0;++j) m[j] = rand(); - for (j = mlen;j < mlen + 16;++j) m[j] = rand(); - for (j = -16;j < mlen + 16;++j) m2[j] = m[j]; - if (crypto_hashblocks(h,m,mlen) != 0) return "crypto_hashblocks returns nonzero"; - for (j = -16;j < mlen + 16;++j) if (m2[j] != m[j]) return "crypto_hashblocks writes to input"; - for (j = -16;j < 0;++j) if (h2[j] != h[j]) return "crypto_hashblocks writes before output"; - for (j = hlen;j < hlen + 16;++j) if (h2[j] != h[j]) return "crypto_hashblocks writes after output"; - for (j = 0;j < hlen;++j) m2[j] = h2[j]; - if (crypto_hashblocks(h2,m2,mlen) != 0) return "crypto_hashblocks returns nonzero"; - if (crypto_hashblocks(m2,m2,mlen) != 0) return "crypto_hashblocks returns nonzero"; - for (j = 0;j < hlen;++j) if (m2[j] != h2[j]) return "crypto_hashblocks does not handle overlap"; - for (j = 0;j < mlen;++j) m[j] ^= h[j % hlen]; - m[mlen] = h[0]; - } - if (crypto_hashblocks(h,m,CHECKSUM_BYTES) != 0) return "crypto_hashblocks returns nonzero"; - - sodium_bin2hex(checksum, sizeof checksum, h, crypto_hashblocks_STATEBYTES); - - return 0; -} diff --git a/src/libsodium/include/Makefile.am b/src/libsodium/include/Makefile.am index c945ba8b..9f713e97 100644 --- a/src/libsodium/include/Makefile.am +++ b/src/libsodium/include/Makefile.am @@ -52,7 +52,6 @@ SODIUM_EXPORT = \ sodium/utils.h EXTRA_SRC = $(SODIUM_EXPORT) \ - sodium/_crypto_hashblocks_sha512.h \ sodium/version.h.in nobase_include_HEADERS = $(SODIUM_EXPORT) diff --git a/src/libsodium/include/sodium/_crypto_hashblocks_sha512.h b/src/libsodium/include/sodium/_crypto_hashblocks_sha512.h deleted file mode 100644 index 3b51a3c5..00000000 --- a/src/libsodium/include/sodium/_crypto_hashblocks_sha512.h +++ /dev/null @@ -1,24 +0,0 @@ -#ifndef _crypto_hashblocks_sha512_H -#define _crypto_hashblocks_sha512_H - -#include -#include "export.h" - -#define crypto_hashblocks_sha512_STATEBYTES 64U -#define crypto_hashblocks_sha512_BLOCKBYTES 128U - -#ifdef __cplusplus -# if __GNUC__ -# pragma GCC diagnostic ignored "-Wlong-long" -# endif -extern "C" { -#endif - -/* This function is only used internally */ -int crypto_hashblocks_sha512(unsigned char *,const unsigned char *,unsigned long long); - -#ifdef __cplusplus -} -#endif - -#endif diff --git a/src/libsodium/include/sodium/crypto_auth_hmacsha256.h b/src/libsodium/include/sodium/crypto_auth_hmacsha256.h index 8e3ed29d..1fdd426a 100644 --- a/src/libsodium/include/sodium/crypto_auth_hmacsha256.h +++ b/src/libsodium/include/sodium/crypto_auth_hmacsha256.h @@ -53,7 +53,7 @@ int crypto_auth_hmacsha256_final(crypto_auth_hmacsha256_state *state, } #endif -#define crypto_auth_hmacsha256_ref crypto_auth_hmacsha256 -#define crypto_auth_hmacsha256_ref_verify crypto_auth_hmacsha256_verify +#define crypto_auth_hmacsha256_cp crypto_auth_hmacsha256 +#define crypto_auth_hmacsha256_cp_verify crypto_auth_hmacsha256_verify #endif diff --git a/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h b/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h index 5daeb03a..07413144 100644 --- a/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h +++ b/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h @@ -2,6 +2,7 @@ #define crypto_auth_hmacsha512256_H #include +#include "crypto_hash_sha512.h" #include "export.h" #define crypto_auth_hmacsha512256_BYTES 32U @@ -14,6 +15,13 @@ extern "C" { #endif +typedef struct crypto_auth_hmacsha512_state { + crypto_hash_sha512_state ictx; + crypto_hash_sha512_state octx; +} crypto_auth_hmacsha512_state; + +typedef struct crypto_auth_hmacsha512_state crypto_auth_hmacsha512256_state; + SODIUM_EXPORT size_t crypto_auth_hmacsha512256_bytes(void); @@ -33,7 +41,7 @@ int crypto_auth_hmacsha512256_verify(const unsigned char *,const unsigned char * } #endif -#define crypto_auth_hmacsha512256_ref crypto_auth_hmacsha512256 -#define crypto_auth_hmacsha512256_ref_verify crypto_auth_hmacsha512256_verify +#define crypto_auth_hmacsha512256_cp crypto_auth_hmacsha512256 +#define crypto_auth_hmacsha512256_cp_verify crypto_auth_hmacsha512256_verify #endif diff --git a/src/libsodium/include/sodium/crypto_hash_sha256.h b/src/libsodium/include/sodium/crypto_hash_sha256.h index 9aed565d..13cdecb8 100644 --- a/src/libsodium/include/sodium/crypto_hash_sha256.h +++ b/src/libsodium/include/sodium/crypto_hash_sha256.h @@ -48,6 +48,6 @@ int crypto_hash_sha256_final(crypto_hash_sha256_state *state, } #endif -#define crypto_hash_sha256_ref crypto_hash_sha256 +#define crypto_hash_sha256_cp crypto_hash_sha256 #endif diff --git a/src/libsodium/include/sodium/crypto_hash_sha512.h b/src/libsodium/include/sodium/crypto_hash_sha512.h index c25d0700..9343f224 100644 --- a/src/libsodium/include/sodium/crypto_hash_sha512.h +++ b/src/libsodium/include/sodium/crypto_hash_sha512.h @@ -2,6 +2,9 @@ #define crypto_hash_sha512_H #include +#include +#include + #include "export.h" #define crypto_hash_sha512_BYTES 64U @@ -14,6 +17,12 @@ extern "C" { #endif +typedef struct crypto_hash_sha512_state { + uint64_t state[8]; + uint64_t count[2]; + unsigned char buf[128]; +} crypto_hash_sha512_state; + SODIUM_EXPORT size_t crypto_hash_sha512_bytes(void); @@ -23,10 +32,22 @@ const char * crypto_hash_sha512_primitive(void); SODIUM_EXPORT int crypto_hash_sha512(unsigned char *,const unsigned char *,unsigned long long); +SODIUM_EXPORT +int crypto_hash_sha512_init(crypto_hash_sha512_state *state); + +SODIUM_EXPORT +int crypto_hash_sha512_update(crypto_hash_sha512_state *state, + const unsigned char *in, + unsigned long long inlen); + +SODIUM_EXPORT +int crypto_hash_sha512_final(crypto_hash_sha512_state *state, + unsigned char *out); + #ifdef __cplusplus } #endif -#define crypto_hash_sha512_ref crypto_hash_sha512 +#define crypto_hash_sha512_cp crypto_hash_sha512 #endif From 665859e302b788ac6a3ae7ae45dbad8aeff15073 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 14 Apr 2014 21:14:59 -0700 Subject: [PATCH 30/40] Since auth_hmac_sha512256 is just truncated hmac_sha512, expose hmac_sha512 --- libsodium.vcxproj | 4 + libsodium.vcxproj.filters | 12 ++ src/libsodium/Makefile.am | 4 + .../hmacsha512/auth_hmacsha512_api.c | 16 +++ src/libsodium/crypto_auth/hmacsha512/cp/api.h | 10 ++ .../hmacsha512/cp/hmac_hmacsha512.c | 110 ++++++++++++++++++ .../hmacsha512/cp/verify_hmacsha512.c | 10 ++ .../hmacsha512256/cp/hmac_hmacsha512256.c | 88 +------------- .../hmacsha512256/cp/verify_hmacsha512256.c | 3 +- src/libsodium/include/Makefile.am | 1 + src/libsodium/include/sodium.h | 1 + .../include/sodium/crypto_auth_hmacsha512.h | 59 ++++++++++ .../sodium/crypto_auth_hmacsha512256.h | 21 +++- 13 files changed, 245 insertions(+), 94 deletions(-) create mode 100644 src/libsodium/crypto_auth/hmacsha512/auth_hmacsha512_api.c create mode 100644 src/libsodium/crypto_auth/hmacsha512/cp/api.h create mode 100644 src/libsodium/crypto_auth/hmacsha512/cp/hmac_hmacsha512.c create mode 100644 src/libsodium/crypto_auth/hmacsha512/cp/verify_hmacsha512.c create mode 100644 src/libsodium/include/sodium/crypto_auth_hmacsha512.h diff --git a/libsodium.vcxproj b/libsodium.vcxproj index 4b723ccb..f7815ed3 100644 --- a/libsodium.vcxproj +++ b/libsodium.vcxproj @@ -318,6 +318,7 @@ + @@ -374,6 +375,9 @@ + + + diff --git a/libsodium.vcxproj.filters b/libsodium.vcxproj.filters index e766cc40..2bcd0ddc 100644 --- a/libsodium.vcxproj.filters +++ b/libsodium.vcxproj.filters @@ -24,6 +24,9 @@ Header Files + + Header Files + Header Files @@ -190,6 +193,9 @@ Source Files + + Source Files + Source Files @@ -199,12 +205,18 @@ Source Files + + Source Files + Source Files Source Files + + Source Files + Source Files diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am index 13da6ec6..7e75f28d 100644 --- a/src/libsodium/Makefile.am +++ b/src/libsodium/Makefile.am @@ -7,6 +7,10 @@ libsodium_la_SOURCES = \ crypto_auth/hmacsha256/cp/api.h \ crypto_auth/hmacsha256/cp/hmac_hmacsha256.c \ crypto_auth/hmacsha256/cp/verify_hmacsha256.c \ + crypto_auth/hmacsha512/auth_hmacsha512_api.c \ + crypto_auth/hmacsha512/cp/api.h \ + crypto_auth/hmacsha512/cp/hmac_hmacsha512.c \ + crypto_auth/hmacsha512/cp/verify_hmacsha512.c \ crypto_auth/hmacsha512256/auth_hmacsha512256_api.c \ crypto_auth/hmacsha512256/cp/api.h \ crypto_auth/hmacsha512256/cp/hmac_hmacsha512256.c \ diff --git a/src/libsodium/crypto_auth/hmacsha512/auth_hmacsha512_api.c b/src/libsodium/crypto_auth/hmacsha512/auth_hmacsha512_api.c new file mode 100644 index 00000000..0fdbf013 --- /dev/null +++ b/src/libsodium/crypto_auth/hmacsha512/auth_hmacsha512_api.c @@ -0,0 +1,16 @@ +#include "crypto_auth_hmacsha512.h" + +size_t +crypto_auth_hmacsha512_bytes(void) { + return crypto_auth_hmacsha512_BYTES; +} + +size_t +crypto_auth_hmacsha512_keybytes(void) { + return crypto_auth_hmacsha512_KEYBYTES; +} + +const char * +crypto_auth_hmacsha512_primitive(void) { + return "hmacsha512"; +} diff --git a/src/libsodium/crypto_auth/hmacsha512/cp/api.h b/src/libsodium/crypto_auth/hmacsha512/cp/api.h new file mode 100644 index 00000000..e8402aa3 --- /dev/null +++ b/src/libsodium/crypto_auth/hmacsha512/cp/api.h @@ -0,0 +1,10 @@ + +#include "crypto_auth_hmacsha512.h" + +#define crypto_auth crypto_auth_hmacsha512 +#define crypto_auth_verify crypto_auth_hmacsha512_verify +#define crypto_auth_BYTES crypto_auth_hmacsha512_BYTES +#define crypto_auth_KEYBYTES crypto_auth_hmacsha512_KEYBYTES +#define crypto_auth_PRIMITIVE "hmacsha512" +#define crypto_auth_IMPLEMENTATION crypto_auth_hmacsha512_IMPLEMENTATION +#define crypto_auth_VERSION crypto_auth_hmacsha512_VERSION diff --git a/src/libsodium/crypto_auth/hmacsha512/cp/hmac_hmacsha512.c b/src/libsodium/crypto_auth/hmacsha512/cp/hmac_hmacsha512.c new file mode 100644 index 00000000..8d841543 --- /dev/null +++ b/src/libsodium/crypto_auth/hmacsha512/cp/hmac_hmacsha512.c @@ -0,0 +1,110 @@ + +/*- + * Copyright 2005,2007,2009 Colin Percival + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + */ + +#include "api.h" +#include "crypto_auth_hmacsha512.h" +#include "crypto_hash_sha512.h" +#include "utils.h" + +#include + +#include +#include + +int +crypto_auth_hmacsha512_init(crypto_auth_hmacsha512_state *state, + const unsigned char *key, + size_t keylen) +{ + unsigned char pad[128]; + unsigned char khash[64]; + size_t i; + + if (keylen > 128) { + crypto_hash_sha512_init(&state->ictx); + crypto_hash_sha512_update(&state->ictx, key, keylen); + crypto_hash_sha512_final(&state->ictx, khash); + key = khash; + keylen = 64; + } + crypto_hash_sha512_init(&state->ictx); + memset(pad, 0x36, 128); + for (i = 0; i < keylen; i++) { + pad[i] ^= key[i]; + } + crypto_hash_sha512_update(&state->ictx, pad, 128); + + crypto_hash_sha512_init(&state->octx); + memset(pad, 0x5c, 128); + for (i = 0; i < keylen; i++) { + pad[i] ^= key[i]; + } + crypto_hash_sha512_update(&state->octx, pad, 128); + + sodium_memzero((void *) khash, 64); + + return 0; +} + +int +crypto_auth_hmacsha512_update(crypto_auth_hmacsha512_state *state, + const unsigned char *in, + unsigned long long inlen) +{ + crypto_hash_sha512_update(&state->ictx, in, inlen); + + return 0; +} + +int +crypto_auth_hmacsha512_final(crypto_auth_hmacsha512_state *state, + unsigned char *out) +{ + unsigned char ihash[64]; + + crypto_hash_sha512_final(&state->ictx, ihash); + crypto_hash_sha512_update(&state->octx, ihash, 64); + crypto_hash_sha512_final(&state->octx, out); + + sodium_memzero((void *) ihash, 64); + + return 0; +} + +int +crypto_auth(unsigned char *out, const unsigned char *in, + unsigned long long inlen, const unsigned char *k) +{ + crypto_auth_hmacsha512_state state; + + crypto_auth_hmacsha512_init(&state, k, crypto_auth_KEYBYTES); + crypto_auth_hmacsha512_update(&state, in, inlen); + crypto_auth_hmacsha512_final(&state, out); + + return 0; +} diff --git a/src/libsodium/crypto_auth/hmacsha512/cp/verify_hmacsha512.c b/src/libsodium/crypto_auth/hmacsha512/cp/verify_hmacsha512.c new file mode 100644 index 00000000..fccdc1a4 --- /dev/null +++ b/src/libsodium/crypto_auth/hmacsha512/cp/verify_hmacsha512.c @@ -0,0 +1,10 @@ +#include "api.h" +#include "crypto_verify_64.h" + +int crypto_auth_verify(const unsigned char *h, const unsigned char *in, + unsigned long long inlen, const unsigned char *k) +{ + unsigned char correct[64]; + crypto_auth(correct,in,inlen,k); + return crypto_verify_64(h,correct); +} diff --git a/src/libsodium/crypto_auth/hmacsha512256/cp/hmac_hmacsha512256.c b/src/libsodium/crypto_auth/hmacsha512256/cp/hmac_hmacsha512256.c index 27a14943..4b476c33 100644 --- a/src/libsodium/crypto_auth/hmacsha512256/cp/hmac_hmacsha512256.c +++ b/src/libsodium/crypto_auth/hmacsha512256/cp/hmac_hmacsha512256.c @@ -1,33 +1,7 @@ -/*- - * Copyright 2005,2007,2009 Colin Percival - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - */ - #include "api.h" #include "crypto_auth_hmacsha512256.h" +#include "crypto_auth_hmacsha512.h" #include "crypto_hash_sha512.h" #include "utils.h" @@ -36,66 +10,6 @@ #include #include -int -crypto_auth_hmacsha512_init(crypto_auth_hmacsha512_state *state, - const unsigned char *key, - size_t keylen) -{ - unsigned char pad[128]; - unsigned char khash[64]; - size_t i; - - if (keylen > 128) { - crypto_hash_sha512_init(&state->ictx); - crypto_hash_sha512_update(&state->ictx, key, keylen); - crypto_hash_sha512_final(&state->ictx, khash); - key = khash; - keylen = 64; - } - crypto_hash_sha512_init(&state->ictx); - memset(pad, 0x36, 128); - for (i = 0; i < keylen; i++) { - pad[i] ^= key[i]; - } - crypto_hash_sha512_update(&state->ictx, pad, 128); - - crypto_hash_sha512_init(&state->octx); - memset(pad, 0x5c, 128); - for (i = 0; i < keylen; i++) { - pad[i] ^= key[i]; - } - crypto_hash_sha512_update(&state->octx, pad, 128); - - sodium_memzero((void *) khash, 64); - - return 0; -} - -int -crypto_auth_hmacsha512_update(crypto_auth_hmacsha512_state *state, - const unsigned char *in, - unsigned long long inlen) -{ - crypto_hash_sha512_update(&state->ictx, in, inlen); - - return 0; -} - -int -crypto_auth_hmacsha512_final(crypto_auth_hmacsha512_state *state, - unsigned char *out) -{ - unsigned char ihash[64]; - - crypto_hash_sha512_final(&state->ictx, ihash); - crypto_hash_sha512_update(&state->octx, ihash, 64); - crypto_hash_sha512_final(&state->octx, out); - - sodium_memzero((void *) ihash, 64); - - return 0; -} - int crypto_auth_hmacsha512256_init(crypto_auth_hmacsha512256_state *state, const unsigned char *key, diff --git a/src/libsodium/crypto_auth/hmacsha512256/cp/verify_hmacsha512256.c b/src/libsodium/crypto_auth/hmacsha512256/cp/verify_hmacsha512256.c index b6cf4893..1e6e18db 100644 --- a/src/libsodium/crypto_auth/hmacsha512256/cp/verify_hmacsha512256.c +++ b/src/libsodium/crypto_auth/hmacsha512256/cp/verify_hmacsha512256.c @@ -1,7 +1,8 @@ #include "api.h" #include "crypto_verify_32.h" -int crypto_auth_verify(const unsigned char *h,const unsigned char *in,unsigned long long inlen,const unsigned char *k) +int crypto_auth_verify(const unsigned char *h, const unsigned char *in, + unsigned long long inlen, const unsigned char *k) { unsigned char correct[32]; crypto_auth(correct,in,inlen,k); diff --git a/src/libsodium/include/Makefile.am b/src/libsodium/include/Makefile.am index 9f713e97..260472be 100644 --- a/src/libsodium/include/Makefile.am +++ b/src/libsodium/include/Makefile.am @@ -4,6 +4,7 @@ SODIUM_EXPORT = \ sodium/core.h \ sodium/crypto_auth.h \ sodium/crypto_auth_hmacsha256.h \ + sodium/crypto_auth_hmacsha512.h \ sodium/crypto_auth_hmacsha512256.h \ sodium/crypto_box.h \ sodium/crypto_box_curve25519xsalsa20poly1305.h \ diff --git a/src/libsodium/include/sodium.h b/src/libsodium/include/sodium.h index 818909c6..4b2022e4 100644 --- a/src/libsodium/include/sodium.h +++ b/src/libsodium/include/sodium.h @@ -5,6 +5,7 @@ #include #include #include +#include #include #include #include diff --git a/src/libsodium/include/sodium/crypto_auth_hmacsha512.h b/src/libsodium/include/sodium/crypto_auth_hmacsha512.h new file mode 100644 index 00000000..34764ff2 --- /dev/null +++ b/src/libsodium/include/sodium/crypto_auth_hmacsha512.h @@ -0,0 +1,59 @@ +#ifndef crypto_auth_hmacsha512_H +#define crypto_auth_hmacsha512_H + +#include +#include "crypto_hash_sha512.h" +#include "export.h" + +#define crypto_auth_hmacsha512_BYTES 64U +#define crypto_auth_hmacsha512_KEYBYTES 32U + +#ifdef __cplusplus +# if __GNUC__ +# pragma GCC diagnostic ignored "-Wlong-long" +# endif +extern "C" { +#endif + +typedef struct crypto_auth_hmacsha512_state { + crypto_hash_sha512_state ictx; + crypto_hash_sha512_state octx; +} crypto_auth_hmacsha512_state; + +SODIUM_EXPORT +size_t crypto_auth_hmacsha512_bytes(void); + +SODIUM_EXPORT +size_t crypto_auth_hmacsha512_keybytes(void); + +SODIUM_EXPORT +const char * crypto_auth_hmacsha512_primitive(void); + +SODIUM_EXPORT +int crypto_auth_hmacsha512(unsigned char *,const unsigned char *,unsigned long long,const unsigned char *); + +SODIUM_EXPORT +int crypto_auth_hmacsha512_verify(const unsigned char *,const unsigned char *,unsigned long long,const unsigned char *); + +SODIUM_EXPORT +int crypto_auth_hmacsha512_init(crypto_auth_hmacsha512_state *state, + const unsigned char *key, + size_t keylen); + +SODIUM_EXPORT +int crypto_auth_hmacsha512_update(crypto_auth_hmacsha512_state *state, + const unsigned char *in, + unsigned long long inlen); + +SODIUM_EXPORT +int crypto_auth_hmacsha512_final(crypto_auth_hmacsha512_state *state, + unsigned char *out); + +#ifdef __cplusplus +} +#endif + +#define crypto_auth_hmacsha512_cp crypto_auth_hmacsha512 +#define crypto_auth_hmacsha512_cp_verify crypto_auth_hmacsha512_verify + +#endif diff --git a/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h b/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h index 07413144..07cbe532 100644 --- a/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h +++ b/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h @@ -2,7 +2,7 @@ #define crypto_auth_hmacsha512256_H #include -#include "crypto_hash_sha512.h" +#include "crypto_auth_hmacsha512.h" #include "export.h" #define crypto_auth_hmacsha512256_BYTES 32U @@ -15,11 +15,6 @@ extern "C" { #endif -typedef struct crypto_auth_hmacsha512_state { - crypto_hash_sha512_state ictx; - crypto_hash_sha512_state octx; -} crypto_auth_hmacsha512_state; - typedef struct crypto_auth_hmacsha512_state crypto_auth_hmacsha512256_state; SODIUM_EXPORT @@ -37,6 +32,20 @@ int crypto_auth_hmacsha512256(unsigned char *,const unsigned char *,unsigned lon SODIUM_EXPORT int crypto_auth_hmacsha512256_verify(const unsigned char *,const unsigned char *,unsigned long long,const unsigned char *); +SODIUM_EXPORT +int crypto_auth_hmacsha512256_init(crypto_auth_hmacsha512256_state *state, + const unsigned char *key, + size_t keylen); + +SODIUM_EXPORT +int crypto_auth_hmacsha512256_update(crypto_auth_hmacsha512256_state *state, + const unsigned char *in, + unsigned long long inlen); + +SODIUM_EXPORT +int crypto_auth_hmacsha512256_final(crypto_auth_hmacsha512256_state *state, + unsigned char *out); + #ifdef __cplusplus } #endif From 99970e2411a51143971769dacfc96c3037639185 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 14 Apr 2014 21:18:41 -0700 Subject: [PATCH 31/40] Remove useless #define --- src/libsodium/include/sodium/crypto_auth_hmacsha256.h | 3 --- src/libsodium/include/sodium/crypto_auth_hmacsha512.h | 3 --- src/libsodium/include/sodium/crypto_auth_hmacsha512256.h | 3 --- 3 files changed, 9 deletions(-) diff --git a/src/libsodium/include/sodium/crypto_auth_hmacsha256.h b/src/libsodium/include/sodium/crypto_auth_hmacsha256.h index 1fdd426a..2242237c 100644 --- a/src/libsodium/include/sodium/crypto_auth_hmacsha256.h +++ b/src/libsodium/include/sodium/crypto_auth_hmacsha256.h @@ -53,7 +53,4 @@ int crypto_auth_hmacsha256_final(crypto_auth_hmacsha256_state *state, } #endif -#define crypto_auth_hmacsha256_cp crypto_auth_hmacsha256 -#define crypto_auth_hmacsha256_cp_verify crypto_auth_hmacsha256_verify - #endif diff --git a/src/libsodium/include/sodium/crypto_auth_hmacsha512.h b/src/libsodium/include/sodium/crypto_auth_hmacsha512.h index 34764ff2..d1320a03 100644 --- a/src/libsodium/include/sodium/crypto_auth_hmacsha512.h +++ b/src/libsodium/include/sodium/crypto_auth_hmacsha512.h @@ -53,7 +53,4 @@ int crypto_auth_hmacsha512_final(crypto_auth_hmacsha512_state *state, } #endif -#define crypto_auth_hmacsha512_cp crypto_auth_hmacsha512 -#define crypto_auth_hmacsha512_cp_verify crypto_auth_hmacsha512_verify - #endif diff --git a/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h b/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h index 07cbe532..15b188b7 100644 --- a/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h +++ b/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h @@ -50,7 +50,4 @@ int crypto_auth_hmacsha512256_final(crypto_auth_hmacsha512256_state *state, } #endif -#define crypto_auth_hmacsha512256_cp crypto_auth_hmacsha512256 -#define crypto_auth_hmacsha512256_cp_verify crypto_auth_hmacsha512256_verify - #endif From 8960e5ad77a1980f454f9f5a4bab03ce1091de9c Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 14 Apr 2014 21:32:01 -0700 Subject: [PATCH 32/40] Add tests for auth_hmac_sha512 --- test/default/Makefile.am | 12 ++++++++++++ test/default/auth6.c | 21 +++++++++++++++++++++ test/default/auth6.exp | 8 ++++++++ test/default/auth7.c | 37 +++++++++++++++++++++++++++++++++++++ test/default/auth7.exp | 0 5 files changed, 78 insertions(+) create mode 100644 test/default/auth6.c create mode 100644 test/default/auth6.exp create mode 100644 test/default/auth7.c create mode 100644 test/default/auth7.exp diff --git a/test/default/Makefile.am b/test/default/Makefile.am index 36b04329..c2477509 100644 --- a/test/default/Makefile.am +++ b/test/default/Makefile.am @@ -6,6 +6,8 @@ EXTRA_DIST = \ auth2.exp \ auth3.exp \ auth5.exp \ + auth6.exp \ + auth7.exp \ box.exp \ box2.exp \ box7.exp \ @@ -56,6 +58,8 @@ DISTCLEANFILES = \ auth2.res \ auth3.res \ auth5.res \ + auth6.res \ + auth7.res \ box.res \ box2.res \ box7.res \ @@ -114,6 +118,8 @@ TESTS_TARGETS = \ auth2 \ auth3 \ auth5 \ + auth6 \ + auth7 \ box \ box2 \ box7 \ @@ -178,6 +184,12 @@ auth3_LDADD = $(TESTS_LDADD) auth5_SOURCE = cmptest.h auth5.c windows/windows-quirks.h auth5_LDADD = $(TESTS_LDADD) +auth6_SOURCE = cmptest.h auth6.c windows/windows-quirks.h +auth6_LDADD = $(TESTS_LDADD) + +auth7_SOURCE = cmptest.h auth7.c windows/windows-quirks.h +auth7_LDADD = $(TESTS_LDADD) + box_SOURCE = cmptest.h box.c box_LDADD = $(TESTS_LDADD) diff --git a/test/default/auth6.c b/test/default/auth6.c new file mode 100644 index 00000000..5bf0500f --- /dev/null +++ b/test/default/auth6.c @@ -0,0 +1,21 @@ +#include + +#define TEST_NAME "auth6" +#include "cmptest.h" + +/* "Test Case 2" from RFC 4231 */ +unsigned char key[32] = "Jefe"; +unsigned char c[] = "what do ya want for nothing?"; + +unsigned char a[64]; + +int main(void) +{ + int i; + crypto_auth_hmacsha512(a,c,sizeof c - 1U,key); + for (i = 0;i < 64;++i) { + printf(",0x%02x",(unsigned int) a[i]); + if (i % 8 == 7) printf("\n"); + } + return 0; +} diff --git a/test/default/auth6.exp b/test/default/auth6.exp new file mode 100644 index 00000000..da0c5284 --- /dev/null +++ b/test/default/auth6.exp @@ -0,0 +1,8 @@ +,0x16,0x4b,0x7a,0x7b,0xfc,0xf8,0x19,0xe2 +,0xe3,0x95,0xfb,0xe7,0x3b,0x56,0xe0,0xa3 +,0x87,0xbd,0x64,0x22,0x2e,0x83,0x1f,0xd6 +,0x10,0x27,0x0c,0xd7,0xea,0x25,0x05,0x54 +,0x97,0x58,0xbf,0x75,0xc0,0x5a,0x99,0x4a +,0x6d,0x03,0x4f,0x65,0xf8,0xf0,0xe6,0xfd +,0xca,0xea,0xb1,0xa3,0x4d,0x4a,0x6b,0x4b +,0x63,0x6e,0x07,0x0a,0x38,0xbc,0xe7,0x37 diff --git a/test/default/auth7.c b/test/default/auth7.c new file mode 100644 index 00000000..be67312b --- /dev/null +++ b/test/default/auth7.c @@ -0,0 +1,37 @@ +#include +#include +#include "windows/windows-quirks.h" + +#define TEST_NAME "auth7" +#include "cmptest.h" + +unsigned char key[32]; +unsigned char c[10000]; +unsigned char a[64]; + +int main(void) +{ + int clen; + for (clen = 0;clen < 10000;++clen) { + randombytes(key,sizeof key); + randombytes(c,clen); + crypto_auth_hmacsha512(a,c,clen,key); + if (crypto_auth_hmacsha512_verify(a,c,clen,key) != 0) { + printf("fail %d\n",clen); + return 100; + } + if (clen > 0) { + c[rand() % clen] += 1 + (rand() % 255); + if (crypto_auth_hmacsha512_verify(a,c,clen,key) == 0) { + printf("forgery %d\n",clen); + return 100; + } + a[rand() % sizeof a] += 1 + (rand() % 255); + if (crypto_auth_hmacsha512_verify(a,c,clen,key) == 0) { + printf("forgery %d\n",clen); + return 100; + } + } + } + return 0; +} diff --git a/test/default/auth7.exp b/test/default/auth7.exp new file mode 100644 index 00000000..e69de29b From 434966c23d498ca0465d6c975da707c29da45c60 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 14 Apr 2014 21:35:29 -0700 Subject: [PATCH 33/40] Update .gitignore for the new tests --- .gitignore | 2 ++ 1 file changed, 2 insertions(+) diff --git a/.gitignore b/.gitignore index 62849605..0a37e043 100644 --- a/.gitignore +++ b/.gitignore @@ -56,6 +56,8 @@ test/default/auth test/default/auth2 test/default/auth3 test/default/auth5 +test/default/auth6 +test/default/auth7 test/default/box test/default/box2 test/default/box7 From 9f5a7ce70ae1da223b6cbb598f81538828723bea Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 14 Apr 2014 21:37:42 -0700 Subject: [PATCH 34/40] hardcoded size -> sizeof --- src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c | 4 ++-- src/libsodium/crypto_auth/hmacsha512/cp/hmac_hmacsha512.c | 4 ++-- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c index 89de8812..9cd69ac3 100644 --- a/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c +++ b/src/libsodium/crypto_auth/hmacsha256/cp/hmac_hmacsha256.c @@ -66,7 +66,7 @@ crypto_auth_hmacsha256_init(crypto_auth_hmacsha256_state *state, } crypto_hash_sha256_update(&state->octx, pad, 64); - sodium_memzero((void *) khash, 32); + sodium_memzero((void *) khash, sizeof khash); return 0; } @@ -91,7 +91,7 @@ crypto_auth_hmacsha256_final(crypto_auth_hmacsha256_state *state, crypto_hash_sha256_update(&state->octx, ihash, 32); crypto_hash_sha256_final(&state->octx, out); - sodium_memzero((void *) ihash, 32); + sodium_memzero((void *) ihash, sizeof ihash); return 0; } diff --git a/src/libsodium/crypto_auth/hmacsha512/cp/hmac_hmacsha512.c b/src/libsodium/crypto_auth/hmacsha512/cp/hmac_hmacsha512.c index 8d841543..4ffd2645 100644 --- a/src/libsodium/crypto_auth/hmacsha512/cp/hmac_hmacsha512.c +++ b/src/libsodium/crypto_auth/hmacsha512/cp/hmac_hmacsha512.c @@ -66,7 +66,7 @@ crypto_auth_hmacsha512_init(crypto_auth_hmacsha512_state *state, } crypto_hash_sha512_update(&state->octx, pad, 128); - sodium_memzero((void *) khash, 64); + sodium_memzero((void *) khash, sizeof khash); return 0; } @@ -91,7 +91,7 @@ crypto_auth_hmacsha512_final(crypto_auth_hmacsha512_state *state, crypto_hash_sha512_update(&state->octx, ihash, 64); crypto_hash_sha512_final(&state->octx, out); - sodium_memzero((void *) ihash, 64); + sodium_memzero((void *) ihash, sizeof ihash); return 0; } From c7c4f95655f7b84a46a7e1f1c395461cfd3b571d Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 14 Apr 2014 21:38:41 -0700 Subject: [PATCH 35/40] Indentation --- .../include/sodium/crypto_auth_hmacsha512256.h | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h b/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h index 15b188b7..d7a129b8 100644 --- a/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h +++ b/src/libsodium/include/sodium/crypto_auth_hmacsha512256.h @@ -34,17 +34,17 @@ int crypto_auth_hmacsha512256_verify(const unsigned char *,const unsigned char * SODIUM_EXPORT int crypto_auth_hmacsha512256_init(crypto_auth_hmacsha512256_state *state, - const unsigned char *key, - size_t keylen); + const unsigned char *key, + size_t keylen); SODIUM_EXPORT int crypto_auth_hmacsha512256_update(crypto_auth_hmacsha512256_state *state, - const unsigned char *in, - unsigned long long inlen); + const unsigned char *in, + unsigned long long inlen); SODIUM_EXPORT int crypto_auth_hmacsha512256_final(crypto_auth_hmacsha512256_state *state, - unsigned char *out); + unsigned char *out); #ifdef __cplusplus } From 7a85ec97898e4f35f17b855e91ff63ddaa0139c7 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 14 Apr 2014 21:59:24 -0700 Subject: [PATCH 36/40] Directly use OpenBSD's arc4random() instead of opening /dev/urandom. --- .../sysrandom/randombytes_sysrandom.c | 35 +++++++++++++++++++ 1 file changed, 35 insertions(+) diff --git a/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c b/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c index d0e25209..3bb521b9 100644 --- a/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c +++ b/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c @@ -24,6 +24,39 @@ # include #endif +#ifdef __OpenBSD__ + +uint32_t +randombytes_sysrandom(void) +{ + return arc4random(); +} + +void +randombytes_sysrandom_stir(void) +{ +} + +uint32_t +randombytes_sysrandom_uniform(const uint32_t upper_bound) +{ + return arc4random_uniform(upper_bound); +} + +void +randombytes_sysrandom_buf(void * const buf, const size_t size) +{ + return arc4random_buf(buf, size); +} + +int +randombytes_sysrandom_close(void) +{ + return 0; +} + +#else /* __OpenBSD__ */ + typedef struct SysRandom_ { #ifdef _WIN32 HCRYPTPROV hcrypt_prov; @@ -202,6 +235,8 @@ randombytes_sysrandom_uniform(const uint32_t upper_bound) return r % upper_bound; } +#endif + const char * randombytes_sysrandom_implementation_name(void) { From 99cf33bc8fb02d3a3c81298cd43be723ec948088 Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Mon, 14 Apr 2014 22:33:46 -0700 Subject: [PATCH 37/40] Indent --- .../crypto_hash/sha512/cp/hash_sha512.c | 313 +++++++++--------- 1 file changed, 156 insertions(+), 157 deletions(-) diff --git a/src/libsodium/crypto_hash/sha512/cp/hash_sha512.c b/src/libsodium/crypto_hash/sha512/cp/hash_sha512.c index 71870083..a7407709 100644 --- a/src/libsodium/crypto_hash/sha512/cp/hash_sha512.c +++ b/src/libsodium/crypto_hash/sha512/cp/hash_sha512.c @@ -70,20 +70,20 @@ be64enc(void *pp, uint64_t x) static void be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len) { - size_t i; + size_t i; - for (i = 0; i < len / 8; i++) { - be64enc(dst + i * 8, src[i]); + for (i = 0; i < len / 8; i++) { + be64enc(dst + i * 8, src[i]); } } static void be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len) { - size_t i; + size_t i; - for (i = 0; i < len / 8; i++) { - dst[i] = be64dec(src + i * 8); + for (i = 0; i < len / 8; i++) { + dst[i] = be64dec(src + i * 8); } } @@ -96,117 +96,117 @@ be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len) #define s0(x) (ROTR(x, 1) ^ ROTR(x, 8) ^ SHR(x, 7)) #define s1(x) (ROTR(x, 19) ^ ROTR(x, 61) ^ SHR(x, 6)) -#define RND(a, b, c, d, e, f, g, h, k) \ - t0 = h + S1(e) + Ch(e, f, g) + k; \ - t1 = S0(a) + Maj(a, b, c); \ - d += t0; \ - h = t0 + t1; +#define RND(a, b, c, d, e, f, g, h, k) \ + t0 = h + S1(e) + Ch(e, f, g) + k; \ + t1 = S0(a) + Maj(a, b, c); \ + d += t0; \ + h = t0 + t1; -#define RNDr(S, W, i, k) \ - RND(S[(80 - i) % 8], S[(81 - i) % 8], \ - S[(82 - i) % 8], S[(83 - i) % 8], \ - S[(84 - i) % 8], S[(85 - i) % 8], \ - S[(86 - i) % 8], S[(87 - i) % 8], \ - W[i] + k) +#define RNDr(S, W, i, k) \ + RND(S[(80 - i) % 8], S[(81 - i) % 8], \ + S[(82 - i) % 8], S[(83 - i) % 8], \ + S[(84 - i) % 8], S[(85 - i) % 8], \ + S[(86 - i) % 8], S[(87 - i) % 8], \ + W[i] + k) static void SHA512_Transform(uint64_t *state, const unsigned char block[128]) { - uint64_t W[80]; - uint64_t S[8]; - uint64_t t0, t1; - int i; + uint64_t W[80]; + uint64_t S[8]; + uint64_t t0, t1; + int i; - be64dec_vect(W, block, 128); - for (i = 16; i < 80; i++) { - W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16]; + be64dec_vect(W, block, 128); + for (i = 16; i < 80; i++) { + W[i] = s1(W[i - 2]) + W[i - 7] + s0(W[i - 15]) + W[i - 16]; } - memcpy(S, state, 64); + memcpy(S, state, 64); - RNDr(S, W, 0, 0x428a2f98d728ae22ULL); - RNDr(S, W, 1, 0x7137449123ef65cdULL); - RNDr(S, W, 2, 0xb5c0fbcfec4d3b2fULL); - RNDr(S, W, 3, 0xe9b5dba58189dbbcULL); - RNDr(S, W, 4, 0x3956c25bf348b538ULL); - RNDr(S, W, 5, 0x59f111f1b605d019ULL); - RNDr(S, W, 6, 0x923f82a4af194f9bULL); - RNDr(S, W, 7, 0xab1c5ed5da6d8118ULL); - RNDr(S, W, 8, 0xd807aa98a3030242ULL); - RNDr(S, W, 9, 0x12835b0145706fbeULL); - RNDr(S, W, 10, 0x243185be4ee4b28cULL); - RNDr(S, W, 11, 0x550c7dc3d5ffb4e2ULL); - RNDr(S, W, 12, 0x72be5d74f27b896fULL); - RNDr(S, W, 13, 0x80deb1fe3b1696b1ULL); - RNDr(S, W, 14, 0x9bdc06a725c71235ULL); - RNDr(S, W, 15, 0xc19bf174cf692694ULL); - RNDr(S, W, 16, 0xe49b69c19ef14ad2ULL); - RNDr(S, W, 17, 0xefbe4786384f25e3ULL); - RNDr(S, W, 18, 0x0fc19dc68b8cd5b5ULL); - RNDr(S, W, 19, 0x240ca1cc77ac9c65ULL); - RNDr(S, W, 20, 0x2de92c6f592b0275ULL); - RNDr(S, W, 21, 0x4a7484aa6ea6e483ULL); - RNDr(S, W, 22, 0x5cb0a9dcbd41fbd4ULL); - RNDr(S, W, 23, 0x76f988da831153b5ULL); - RNDr(S, W, 24, 0x983e5152ee66dfabULL); - RNDr(S, W, 25, 0xa831c66d2db43210ULL); - RNDr(S, W, 26, 0xb00327c898fb213fULL); - RNDr(S, W, 27, 0xbf597fc7beef0ee4ULL); - RNDr(S, W, 28, 0xc6e00bf33da88fc2ULL); - RNDr(S, W, 29, 0xd5a79147930aa725ULL); - RNDr(S, W, 30, 0x06ca6351e003826fULL); - RNDr(S, W, 31, 0x142929670a0e6e70ULL); - RNDr(S, W, 32, 0x27b70a8546d22ffcULL); - RNDr(S, W, 33, 0x2e1b21385c26c926ULL); - RNDr(S, W, 34, 0x4d2c6dfc5ac42aedULL); - RNDr(S, W, 35, 0x53380d139d95b3dfULL); - RNDr(S, W, 36, 0x650a73548baf63deULL); - RNDr(S, W, 37, 0x766a0abb3c77b2a8ULL); - RNDr(S, W, 38, 0x81c2c92e47edaee6ULL); - RNDr(S, W, 39, 0x92722c851482353bULL); - RNDr(S, W, 40, 0xa2bfe8a14cf10364ULL); - RNDr(S, W, 41, 0xa81a664bbc423001ULL); - RNDr(S, W, 42, 0xc24b8b70d0f89791ULL); - RNDr(S, W, 43, 0xc76c51a30654be30ULL); - RNDr(S, W, 44, 0xd192e819d6ef5218ULL); - RNDr(S, W, 45, 0xd69906245565a910ULL); - RNDr(S, W, 46, 0xf40e35855771202aULL); - RNDr(S, W, 47, 0x106aa07032bbd1b8ULL); - RNDr(S, W, 48, 0x19a4c116b8d2d0c8ULL); - RNDr(S, W, 49, 0x1e376c085141ab53ULL); - RNDr(S, W, 50, 0x2748774cdf8eeb99ULL); - RNDr(S, W, 51, 0x34b0bcb5e19b48a8ULL); - RNDr(S, W, 52, 0x391c0cb3c5c95a63ULL); - RNDr(S, W, 53, 0x4ed8aa4ae3418acbULL); - RNDr(S, W, 54, 0x5b9cca4f7763e373ULL); - RNDr(S, W, 55, 0x682e6ff3d6b2b8a3ULL); - RNDr(S, W, 56, 0x748f82ee5defb2fcULL); - RNDr(S, W, 57, 0x78a5636f43172f60ULL); - RNDr(S, W, 58, 0x84c87814a1f0ab72ULL); - RNDr(S, W, 59, 0x8cc702081a6439ecULL); - RNDr(S, W, 60, 0x90befffa23631e28ULL); - RNDr(S, W, 61, 0xa4506cebde82bde9ULL); - RNDr(S, W, 62, 0xbef9a3f7b2c67915ULL); - RNDr(S, W, 63, 0xc67178f2e372532bULL); - RNDr(S, W, 64, 0xca273eceea26619cULL); - RNDr(S, W, 65, 0xd186b8c721c0c207ULL); - RNDr(S, W, 66, 0xeada7dd6cde0eb1eULL); - RNDr(S, W, 67, 0xf57d4f7fee6ed178ULL); - RNDr(S, W, 68, 0x06f067aa72176fbaULL); - RNDr(S, W, 69, 0x0a637dc5a2c898a6ULL); - RNDr(S, W, 70, 0x113f9804bef90daeULL); - RNDr(S, W, 71, 0x1b710b35131c471bULL); - RNDr(S, W, 72, 0x28db77f523047d84ULL); - RNDr(S, W, 73, 0x32caab7b40c72493ULL); - RNDr(S, W, 74, 0x3c9ebe0a15c9bebcULL); - RNDr(S, W, 75, 0x431d67c49c100d4cULL); - RNDr(S, W, 76, 0x4cc5d4becb3e42b6ULL); - RNDr(S, W, 77, 0x597f299cfc657e2aULL); - RNDr(S, W, 78, 0x5fcb6fab3ad6faecULL); - RNDr(S, W, 79, 0x6c44198c4a475817ULL); + RNDr(S, W, 0, 0x428a2f98d728ae22ULL); + RNDr(S, W, 1, 0x7137449123ef65cdULL); + RNDr(S, W, 2, 0xb5c0fbcfec4d3b2fULL); + RNDr(S, W, 3, 0xe9b5dba58189dbbcULL); + RNDr(S, W, 4, 0x3956c25bf348b538ULL); + RNDr(S, W, 5, 0x59f111f1b605d019ULL); + RNDr(S, W, 6, 0x923f82a4af194f9bULL); + RNDr(S, W, 7, 0xab1c5ed5da6d8118ULL); + RNDr(S, W, 8, 0xd807aa98a3030242ULL); + RNDr(S, W, 9, 0x12835b0145706fbeULL); + RNDr(S, W, 10, 0x243185be4ee4b28cULL); + RNDr(S, W, 11, 0x550c7dc3d5ffb4e2ULL); + RNDr(S, W, 12, 0x72be5d74f27b896fULL); + RNDr(S, W, 13, 0x80deb1fe3b1696b1ULL); + RNDr(S, W, 14, 0x9bdc06a725c71235ULL); + RNDr(S, W, 15, 0xc19bf174cf692694ULL); + RNDr(S, W, 16, 0xe49b69c19ef14ad2ULL); + RNDr(S, W, 17, 0xefbe4786384f25e3ULL); + RNDr(S, W, 18, 0x0fc19dc68b8cd5b5ULL); + RNDr(S, W, 19, 0x240ca1cc77ac9c65ULL); + RNDr(S, W, 20, 0x2de92c6f592b0275ULL); + RNDr(S, W, 21, 0x4a7484aa6ea6e483ULL); + RNDr(S, W, 22, 0x5cb0a9dcbd41fbd4ULL); + RNDr(S, W, 23, 0x76f988da831153b5ULL); + RNDr(S, W, 24, 0x983e5152ee66dfabULL); + RNDr(S, W, 25, 0xa831c66d2db43210ULL); + RNDr(S, W, 26, 0xb00327c898fb213fULL); + RNDr(S, W, 27, 0xbf597fc7beef0ee4ULL); + RNDr(S, W, 28, 0xc6e00bf33da88fc2ULL); + RNDr(S, W, 29, 0xd5a79147930aa725ULL); + RNDr(S, W, 30, 0x06ca6351e003826fULL); + RNDr(S, W, 31, 0x142929670a0e6e70ULL); + RNDr(S, W, 32, 0x27b70a8546d22ffcULL); + RNDr(S, W, 33, 0x2e1b21385c26c926ULL); + RNDr(S, W, 34, 0x4d2c6dfc5ac42aedULL); + RNDr(S, W, 35, 0x53380d139d95b3dfULL); + RNDr(S, W, 36, 0x650a73548baf63deULL); + RNDr(S, W, 37, 0x766a0abb3c77b2a8ULL); + RNDr(S, W, 38, 0x81c2c92e47edaee6ULL); + RNDr(S, W, 39, 0x92722c851482353bULL); + RNDr(S, W, 40, 0xa2bfe8a14cf10364ULL); + RNDr(S, W, 41, 0xa81a664bbc423001ULL); + RNDr(S, W, 42, 0xc24b8b70d0f89791ULL); + RNDr(S, W, 43, 0xc76c51a30654be30ULL); + RNDr(S, W, 44, 0xd192e819d6ef5218ULL); + RNDr(S, W, 45, 0xd69906245565a910ULL); + RNDr(S, W, 46, 0xf40e35855771202aULL); + RNDr(S, W, 47, 0x106aa07032bbd1b8ULL); + RNDr(S, W, 48, 0x19a4c116b8d2d0c8ULL); + RNDr(S, W, 49, 0x1e376c085141ab53ULL); + RNDr(S, W, 50, 0x2748774cdf8eeb99ULL); + RNDr(S, W, 51, 0x34b0bcb5e19b48a8ULL); + RNDr(S, W, 52, 0x391c0cb3c5c95a63ULL); + RNDr(S, W, 53, 0x4ed8aa4ae3418acbULL); + RNDr(S, W, 54, 0x5b9cca4f7763e373ULL); + RNDr(S, W, 55, 0x682e6ff3d6b2b8a3ULL); + RNDr(S, W, 56, 0x748f82ee5defb2fcULL); + RNDr(S, W, 57, 0x78a5636f43172f60ULL); + RNDr(S, W, 58, 0x84c87814a1f0ab72ULL); + RNDr(S, W, 59, 0x8cc702081a6439ecULL); + RNDr(S, W, 60, 0x90befffa23631e28ULL); + RNDr(S, W, 61, 0xa4506cebde82bde9ULL); + RNDr(S, W, 62, 0xbef9a3f7b2c67915ULL); + RNDr(S, W, 63, 0xc67178f2e372532bULL); + RNDr(S, W, 64, 0xca273eceea26619cULL); + RNDr(S, W, 65, 0xd186b8c721c0c207ULL); + RNDr(S, W, 66, 0xeada7dd6cde0eb1eULL); + RNDr(S, W, 67, 0xf57d4f7fee6ed178ULL); + RNDr(S, W, 68, 0x06f067aa72176fbaULL); + RNDr(S, W, 69, 0x0a637dc5a2c898a6ULL); + RNDr(S, W, 70, 0x113f9804bef90daeULL); + RNDr(S, W, 71, 0x1b710b35131c471bULL); + RNDr(S, W, 72, 0x28db77f523047d84ULL); + RNDr(S, W, 73, 0x32caab7b40c72493ULL); + RNDr(S, W, 74, 0x3c9ebe0a15c9bebcULL); + RNDr(S, W, 75, 0x431d67c49c100d4cULL); + RNDr(S, W, 76, 0x4cc5d4becb3e42b6ULL); + RNDr(S, W, 77, 0x597f299cfc657e2aULL); + RNDr(S, W, 78, 0x5fcb6fab3ad6faecULL); + RNDr(S, W, 79, 0x6c44198c4a475817ULL); - for (i = 0; i < 8; i++) { - state[i] += S[i]; + for (i = 0; i < 8; i++) { + state[i] += S[i]; } sodium_memzero((void *) W, sizeof W); @@ -216,44 +216,44 @@ SHA512_Transform(uint64_t *state, const unsigned char block[128]) } static unsigned char PAD[128] = { - 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, - 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 + 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, + 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0 }; static void SHA512_Pad(crypto_hash_sha512_state *state) { - unsigned char len[16]; - uint64_t r, plen; + unsigned char len[16]; + uint64_t r, plen; - be64enc_vect(len, state->count, 16); + be64enc_vect(len, state->count, 16); - r = (state->count[1] >> 3) & 0x7f; - plen = (r < 112) ? (112 - r) : (240 - r); - crypto_hash_sha512_update(state, PAD, (unsigned long long) plen); + r = (state->count[1] >> 3) & 0x7f; + plen = (r < 112) ? (112 - r) : (240 - r); + crypto_hash_sha512_update(state, PAD, (unsigned long long) plen); - crypto_hash_sha512_update(state, len, 16); + crypto_hash_sha512_update(state, len, 16); } int crypto_hash_sha512_init(crypto_hash_sha512_state *state) { - state->count[0] = state->count[1] = 0; + state->count[0] = state->count[1] = 0; - state->state[0] = 0x6a09e667f3bcc908ULL; - state->state[1] = 0xbb67ae8584caa73bULL; - state->state[2] = 0x3c6ef372fe94f82bULL; - state->state[3] = 0xa54ff53a5f1d36f1ULL; - state->state[4] = 0x510e527fade682d1ULL; - state->state[5] = 0x9b05688c2b3e6c1fULL; - state->state[6] = 0x1f83d9abfb41bd6bULL; - state->state[7] = 0x5be0cd19137e2179ULL; + state->state[0] = 0x6a09e667f3bcc908ULL; + state->state[1] = 0xbb67ae8584caa73bULL; + state->state[2] = 0x3c6ef372fe94f82bULL; + state->state[3] = 0xa54ff53a5f1d36f1ULL; + state->state[4] = 0x510e527fade682d1ULL; + state->state[5] = 0x9b05688c2b3e6c1fULL; + state->state[6] = 0x1f83d9abfb41bd6bULL; + state->state[7] = 0x5be0cd19137e2179ULL; return 0; } @@ -263,35 +263,35 @@ crypto_hash_sha512_update(crypto_hash_sha512_state *state, const unsigned char *in, unsigned long long inlen) { - uint64_t bitlen[2]; - uint64_t r; - const unsigned char *src = in; + uint64_t bitlen[2]; + uint64_t r; + const unsigned char *src = in; - r = (state->count[1] >> 3) & 0x7f; + r = (state->count[1] >> 3) & 0x7f; - bitlen[1] = ((uint64_t)inlen) << 3; - bitlen[0] = ((uint64_t)inlen) >> 61; + bitlen[1] = ((uint64_t)inlen) << 3; + bitlen[0] = ((uint64_t)inlen) >> 61; - if ((state->count[1] += bitlen[1]) < bitlen[1]) { - state->count[0]++; + if ((state->count[1] += bitlen[1]) < bitlen[1]) { + state->count[0]++; } - state->count[0] += bitlen[0]; + state->count[0] += bitlen[0]; - if (inlen < 128 - r) { - memcpy(&state->buf[r], src, inlen); - return 0; - } - memcpy(&state->buf[r], src, 128 - r); - SHA512_Transform(state->state, state->buf); - src += 128 - r; - inlen -= 128 - r; + if (inlen < 128 - r) { + memcpy(&state->buf[r], src, inlen); + return 0; + } + memcpy(&state->buf[r], src, 128 - r); + SHA512_Transform(state->state, state->buf); + src += 128 - r; + inlen -= 128 - r; - while (inlen >= 128) { - SHA512_Transform(state->state, src); - src += 128; - inlen -= 128; - } - memcpy(state->buf, src, inlen); + while (inlen >= 128) { + SHA512_Transform(state->state, src); + src += 128; + inlen -= 128; + } + memcpy(state->buf, src, inlen); return 0; } @@ -300,8 +300,8 @@ int crypto_hash_sha512_final(crypto_hash_sha512_state *state, unsigned char *out) { - SHA512_Pad(state); - be64enc_vect(out, state->state, 64); + SHA512_Pad(state); + be64enc_vect(out, state->state, 64); sodium_memzero((void *) state, sizeof *state); return 0; @@ -319,4 +319,3 @@ crypto_hash(unsigned char *out, const unsigned char *in, return 0; } - From aec630132cc851f45a455d97cd79da077b5883de Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Tue, 15 Apr 2014 00:21:26 -0700 Subject: [PATCH 38/40] Slightly rename args in sodium_bin2hex() for consistency --- src/libsodium/include/sodium/utils.h | 4 ++-- src/libsodium/sodium/utils.c | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/src/libsodium/include/sodium/utils.h b/src/libsodium/include/sodium/utils.h index 14b6a747..f9f3875a 100644 --- a/src/libsodium/include/sodium/utils.h +++ b/src/libsodium/include/sodium/utils.h @@ -26,8 +26,8 @@ SODIUM_EXPORT int sodium_memcmp(const void * const b1_, const void * const b2_, size_t size); SODIUM_EXPORT -char *sodium_bin2hex(char * const hex, const size_t hexlen, - const unsigned char *bin, const size_t binlen); +char *sodium_bin2hex(char * const hex, const size_t hex_len, + const unsigned char * const bin, const size_t bin_len); #ifdef __cplusplus } diff --git a/src/libsodium/sodium/utils.c b/src/libsodium/sodium/utils.c index 2da72fa3..a6afd93d 100644 --- a/src/libsodium/sodium/utils.c +++ b/src/libsodium/sodium/utils.c @@ -77,8 +77,8 @@ _sodium_alignedcalloc(unsigned char ** const unaligned_p, const size_t len) } char * -sodium_bin2hex(char * const hex, const size_t hexlen, - const unsigned char *bin, const size_t binlen) +sodium_bin2hex(char * const hex, const size_t hex_len, + const unsigned char * const bin, const size_t bin_len) { static const char hexdigits[16] = { '0', '1', '2', '3', '4', '5', '6', '7', @@ -87,10 +87,10 @@ sodium_bin2hex(char * const hex, const size_t hexlen, size_t i = (size_t) 0U; size_t j = (size_t) 0U; - if (binlen >= SIZE_MAX / 2 || hexlen < binlen * 2U) { + if (bin_len >= SIZE_MAX / 2 || hex_len < bin_len * 2U) { abort(); } - while (i < binlen) { + while (i < bin_len) { hex[j++] = hexdigits[bin[i] >> 4]; hex[j++] = hexdigits[bin[i] & 0xf]; i++; From 219db714cf47542baff29955913e6c89a6f2cb4b Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Tue, 15 Apr 2014 00:39:14 -0700 Subject: [PATCH 39/40] Add sodium_hex2bin() --- src/libsodium/include/sodium/utils.h | 8 +++- src/libsodium/sodium/utils.c | 57 +++++++++++++++++++++++++++- test/default/sodium_utils.c | 8 ++++ test/default/sodium_utils.exp | 1 + 4 files changed, 71 insertions(+), 3 deletions(-) diff --git a/src/libsodium/include/sodium/utils.h b/src/libsodium/include/sodium/utils.h index f9f3875a..e962d71d 100644 --- a/src/libsodium/include/sodium/utils.h +++ b/src/libsodium/include/sodium/utils.h @@ -26,9 +26,15 @@ SODIUM_EXPORT int sodium_memcmp(const void * const b1_, const void * const b2_, size_t size); SODIUM_EXPORT -char *sodium_bin2hex(char * const hex, const size_t hex_len, +char *sodium_bin2hex(char * const hex, const size_t hex_maxlen, const unsigned char * const bin, const size_t bin_len); +SODIUM_EXPORT +int sodium_hex2bin(unsigned char * const bin, const size_t bin_maxlen, + const char * const hex, const size_t hex_len, + const char * const ignore, size_t * const bin_len, + const char ** const hex_end); + #ifdef __cplusplus } #endif diff --git a/src/libsodium/sodium/utils.c b/src/libsodium/sodium/utils.c index a6afd93d..27a0a9f8 100644 --- a/src/libsodium/sodium/utils.c +++ b/src/libsodium/sodium/utils.c @@ -2,6 +2,7 @@ #ifndef __STDC_WANT_LIB_EXT1__ # define __STDC_WANT_LIB_EXT1__ 1 #endif +#include #include #include #include @@ -77,7 +78,7 @@ _sodium_alignedcalloc(unsigned char ** const unaligned_p, const size_t len) } char * -sodium_bin2hex(char * const hex, const size_t hex_len, +sodium_bin2hex(char * const hex, const size_t hex_maxlen, const unsigned char * const bin, const size_t bin_len) { static const char hexdigits[16] = { @@ -87,7 +88,7 @@ sodium_bin2hex(char * const hex, const size_t hex_len, size_t i = (size_t) 0U; size_t j = (size_t) 0U; - if (bin_len >= SIZE_MAX / 2 || hex_len < bin_len * 2U) { + if (bin_len >= SIZE_MAX / 2 || hex_maxlen < bin_len * 2U) { abort(); } while (i < bin_len) { @@ -99,3 +100,55 @@ sodium_bin2hex(char * const hex, const size_t hex_len, return hex; } + +int +sodium_hex2bin(unsigned char * const bin, const size_t bin_maxlen, + const char * const hex, const size_t hex_len, + const char * const ignore, size_t * const bin_len, + const char ** const hex_end) +{ + size_t bin_pos = (size_t) 0U; + size_t hex_pos = (size_t) 0U; + int ret = 0; + unsigned char c; + unsigned char c_acc = 0U; + unsigned char c_num; + unsigned char c_val; + unsigned char state = 0U; + + while (hex_pos < hex_len) { + c = (unsigned char) hex[hex_pos]; + if ((c_num = c ^ 48U) < 10U) { + c_val = c_num; + } else if ((c_num = (c & ~32U)) > 64 && c_num < 71U) { + c_val = c_num - 55U; + } else if (ignore != NULL && strchr(ignore, c) != NULL && state == 0U) { + hex_pos++; + continue; + } else { + break; + } + if (bin_pos >= bin_maxlen) { + ret = -1; + errno = ERANGE; + break; + } + if (state == 0U) { + c_acc = c_val * 16U; + } else { + bin[bin_pos++] = c_acc | c_val; + } + state = ~state; + hex_pos++; + } + if (state != 0U) { + hex_pos--; + } + if (hex_end != NULL) { + *hex_end = &hex[hex_pos]; + } + if (bin_len != NULL) { + *bin_len = bin_pos; + } + return ret; +} diff --git a/test/default/sodium_utils.c b/test/default/sodium_utils.c index 177dbf23..f309cfe6 100644 --- a/test/default/sodium_utils.c +++ b/test/default/sodium_utils.c @@ -9,6 +9,9 @@ int main(void) unsigned char buf1[1000]; unsigned char buf2[1000]; char buf3[33]; + unsigned char buf4[4]; + const char *hex; + size_t bin_len; randombytes(buf1, sizeof buf1); memcpy(buf2, buf1, sizeof buf2); @@ -23,5 +26,10 @@ int main(void) printf("%s\n", sodium_bin2hex(buf3, 33U, (const unsigned char *) "0123456789ABCDEF", 16U)); + hex = "Cafe : 6942"; + sodium_hex2bin(buf4, sizeof buf4, hex, strlen(hex), ": ", &bin_len, NULL); + printf("%zu:%02x%02x%02x%02x\n", bin_len, + buf4[0], buf4[1], buf4[2], buf4[3]); + return 0; } diff --git a/test/default/sodium_utils.exp b/test/default/sodium_utils.exp index 713a1d9b..2be34ae3 100644 --- a/test/default/sodium_utils.exp +++ b/test/default/sodium_utils.exp @@ -4,3 +4,4 @@ 0 0 30313233343536373839414243444546 +4:cafe6942 From 17f8953d3a1b64c2108f635adf0ea6fddddc182c Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Tue, 15 Apr 2014 00:42:05 -0700 Subject: [PATCH 40/40] size -> len, for consistency --- src/libsodium/include/sodium/utils.h | 2 +- src/libsodium/sodium/utils.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/src/libsodium/include/sodium/utils.h b/src/libsodium/include/sodium/utils.h index e962d71d..aaf3fc5d 100644 --- a/src/libsodium/include/sodium/utils.h +++ b/src/libsodium/include/sodium/utils.h @@ -23,7 +23,7 @@ SODIUM_EXPORT void sodium_memzero(void * const pnt, const size_t len); SODIUM_EXPORT -int sodium_memcmp(const void * const b1_, const void * const b2_, size_t size); +int sodium_memcmp(const void * const b1_, const void * const b2_, size_t len); SODIUM_EXPORT char *sodium_bin2hex(char * const hex, const size_t hex_maxlen, diff --git a/src/libsodium/sodium/utils.c b/src/libsodium/sodium/utils.c index 27a0a9f8..75e74b08 100644 --- a/src/libsodium/sodium/utils.c +++ b/src/libsodium/sodium/utils.c @@ -36,14 +36,14 @@ sodium_memzero(void * const pnt, const size_t len) } int -sodium_memcmp(const void * const b1_, const void * const b2_, size_t size) +sodium_memcmp(const void * const b1_, const void * const b2_, size_t len) { const unsigned char *b1 = (const unsigned char *) b1_; const unsigned char *b2 = (const unsigned char *) b2_; size_t i; unsigned char d = (unsigned char) 0U; - for (i = 0U; i < size; i++) { + for (i = 0U; i < len; i++) { d |= b1[i] ^ b2[i]; } return (int) ((1 & ((d - 1) >> 8)) - 1);