diff --git a/ChangeLog b/ChangeLog index c2d79261..f4cb4e04 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,8 @@ the algorithm and can verify both Argon2i and Argon2id hashed passwords. The default algorithm for newly hashed passwords remains Argon2i in this version to avoid breaking compatibility with verifiers running libsodium <= 1.0.12. + - A `crypto_box_curve25519xchacha20poly1305_seal*()` function set was +implemented. * Version 1.0.12 - Ed25519ph was implemented, adding a multi-part signature API diff --git a/dist-build/emscripten-symbols.def b/dist-build/emscripten-symbols.def index 02e8be67..0f3f8040 100644 --- a/dist-build/emscripten-symbols.def +++ b/dist-build/emscripten-symbols.def @@ -93,6 +93,9 @@ _crypto_box_curve25519xchacha20poly1305_open_detached_afternm 0 1 _crypto_box_curve25519xchacha20poly1305_open_easy 0 1 _crypto_box_curve25519xchacha20poly1305_open_easy_afternm 0 1 _crypto_box_curve25519xchacha20poly1305_publickeybytes 0 1 +_crypto_box_curve25519xchacha20poly1305_seal 0 1 +_crypto_box_curve25519xchacha20poly1305_seal_open 0 1 +_crypto_box_curve25519xchacha20poly1305_sealbytes 0 1 _crypto_box_curve25519xchacha20poly1305_secretkeybytes 0 1 _crypto_box_curve25519xchacha20poly1305_seed_keypair 0 1 _crypto_box_curve25519xchacha20poly1305_seedbytes 0 1 diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am index 04256461..7f93c3b1 100644 --- a/src/libsodium/Makefile.am +++ b/src/libsodium/Makefile.am @@ -162,6 +162,7 @@ endif if !MINIMAL libsodium_la_SOURCES += \ crypto_box/curve25519xchacha20poly1305/box_curve25519xchacha20poly1305.c \ + crypto_box/curve25519xchacha20poly1305/box_seal_curve25519xchacha20poly1305.c \ crypto_secretbox/xchacha20poly1305/secretbox_xchacha20poly1305.c \ crypto_shorthash/siphash24/shorthash_siphashx24.c \ crypto_shorthash/siphash24/ref/shorthash_siphashx24_ref.c \ diff --git a/src/libsodium/crypto_box/curve25519xchacha20poly1305/box_seal_curve25519xchacha20poly1305.c b/src/libsodium/crypto_box/curve25519xchacha20poly1305/box_seal_curve25519xchacha20poly1305.c new file mode 100644 index 00000000..9e73a265 --- /dev/null +++ b/src/libsodium/crypto_box/curve25519xchacha20poly1305/box_seal_curve25519xchacha20poly1305.c @@ -0,0 +1,79 @@ + +#include + +#include "crypto_box_curve25519xchacha20poly1305.h" +#include "crypto_generichash.h" +#include "private/common.h" +#include "utils.h" + +static int +_crypto_box_curve25519xchacha20poly1305_seal_nonce(unsigned char *nonce, + const unsigned char *pk1, + const unsigned char *pk2) +{ + crypto_generichash_state st; + + crypto_generichash_init(&st, NULL, 0U, + crypto_box_curve25519xchacha20poly1305_NONCEBYTES); + crypto_generichash_update(&st, pk1, + crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES); + crypto_generichash_update(&st, pk2, + crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES); + crypto_generichash_final(&st, nonce, + crypto_box_curve25519xchacha20poly1305_NONCEBYTES); + + return 0; +} + +int +crypto_box_curve25519xchacha20poly1305_seal(unsigned char *c, const unsigned char *m, + unsigned long long mlen, + const unsigned char *pk) +{ + unsigned char nonce[crypto_box_curve25519xchacha20poly1305_NONCEBYTES]; + unsigned char epk[crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES]; + unsigned char esk[crypto_box_curve25519xchacha20poly1305_SECRETKEYBYTES]; + int ret; + + if (crypto_box_curve25519xchacha20poly1305_keypair(epk, esk) != 0) { + return -1; /* LCOV_EXCL_LINE */ + } + memcpy(c, epk, crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES); + _crypto_box_curve25519xchacha20poly1305_seal_nonce(nonce, epk, pk); + ret = crypto_box_curve25519xchacha20poly1305_easy( + c + crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES, m, mlen, + nonce, pk, esk); + sodium_memzero(esk, sizeof esk); + sodium_memzero(epk, sizeof epk); + sodium_memzero(nonce, sizeof nonce); + + return ret; +} + +int +crypto_box_curve25519xchacha20poly1305_seal_open(unsigned char *m, const unsigned char *c, + unsigned long long clen, + const unsigned char *pk, + const unsigned char *sk) +{ + unsigned char nonce[crypto_box_curve25519xchacha20poly1305_NONCEBYTES]; + + if (clen < crypto_box_curve25519xchacha20poly1305_SEALBYTES) { + return -1; + } + _crypto_box_curve25519xchacha20poly1305_seal_nonce(nonce, c, pk); + + COMPILER_ASSERT(crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES < + crypto_box_curve25519xchacha20poly1305_SEALBYTES); + + return crypto_box_curve25519xchacha20poly1305_open_easy( + m, c + crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES, + clen - crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES, + nonce, c, sk); +} + +size_t +crypto_box_curve25519xchacha20poly1305_sealbytes(void) +{ + return crypto_box_curve25519xchacha20poly1305_SEALBYTES; +} diff --git a/src/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h b/src/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h index 29c9b255..b781cc6e 100644 --- a/src/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h +++ b/src/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h @@ -123,6 +123,29 @@ int crypto_box_curve25519xchacha20poly1305_open_detached_afternm(unsigned char * const unsigned char *k) __attribute__ ((warn_unused_result)); +/* -- Ephemeral SK interface -- */ + +#define crypto_box_curve25519xchacha20poly1305_SEALBYTES \ + (crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES + \ + crypto_box_curve25519xchacha20poly1305_MACBYTES) + +SODIUM_EXPORT +size_t crypto_box_curve25519xchacha20poly1305_sealbytes(void); + +SODIUM_EXPORT +int crypto_box_curve25519xchacha20poly1305_seal(unsigned char *c, + const unsigned char *m, + unsigned long long mlen, + const unsigned char *pk); + +SODIUM_EXPORT +int crypto_box_curve25519xchacha20poly1305_seal_open(unsigned char *m, + const unsigned char *c, + unsigned long long clen, + const unsigned char *pk, + const unsigned char *sk) + __attribute__ ((warn_unused_result)); + #ifdef __cplusplus } #endif