From ccb842f4884aa8917dcbba79509a349f8c475b3c Mon Sep 17 00:00:00 2001 From: Frank Denis Date: Thu, 6 Jul 2017 15:19:13 +0200 Subject: [PATCH] Add a xchacha version of crypto_box_seal No high level API for it, no reasons to, so not available in minimal mode. --- ChangeLog | 2 + dist-build/emscripten-symbols.def | 3 + src/libsodium/Makefile.am | 1 + .../box_seal_curve25519xchacha20poly1305.c | 79 +++++++++++++++++++ .../crypto_box_curve25519xchacha20poly1305.h | 23 ++++++ 5 files changed, 108 insertions(+) create mode 100644 src/libsodium/crypto_box/curve25519xchacha20poly1305/box_seal_curve25519xchacha20poly1305.c diff --git a/ChangeLog b/ChangeLog index c2d79261..f4cb4e04 100644 --- a/ChangeLog +++ b/ChangeLog @@ -14,6 +14,8 @@ the algorithm and can verify both Argon2i and Argon2id hashed passwords. The default algorithm for newly hashed passwords remains Argon2i in this version to avoid breaking compatibility with verifiers running libsodium <= 1.0.12. + - A `crypto_box_curve25519xchacha20poly1305_seal*()` function set was +implemented. * Version 1.0.12 - Ed25519ph was implemented, adding a multi-part signature API diff --git a/dist-build/emscripten-symbols.def b/dist-build/emscripten-symbols.def index 02e8be67..0f3f8040 100644 --- a/dist-build/emscripten-symbols.def +++ b/dist-build/emscripten-symbols.def @@ -93,6 +93,9 @@ _crypto_box_curve25519xchacha20poly1305_open_detached_afternm 0 1 _crypto_box_curve25519xchacha20poly1305_open_easy 0 1 _crypto_box_curve25519xchacha20poly1305_open_easy_afternm 0 1 _crypto_box_curve25519xchacha20poly1305_publickeybytes 0 1 +_crypto_box_curve25519xchacha20poly1305_seal 0 1 +_crypto_box_curve25519xchacha20poly1305_seal_open 0 1 +_crypto_box_curve25519xchacha20poly1305_sealbytes 0 1 _crypto_box_curve25519xchacha20poly1305_secretkeybytes 0 1 _crypto_box_curve25519xchacha20poly1305_seed_keypair 0 1 _crypto_box_curve25519xchacha20poly1305_seedbytes 0 1 
diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am
index 04256461..7f93c3b1 100644
--- a/src/libsodium/Makefile.am
+++ b/src/libsodium/Makefile.am
@@ -162,6 +162,7 @@ endif
 if !MINIMAL
 libsodium_la_SOURCES += \
 crypto_box/curve25519xchacha20poly1305/box_curve25519xchacha20poly1305.c \
+ crypto_box/curve25519xchacha20poly1305/box_seal_curve25519xchacha20poly1305.c \
 crypto_secretbox/xchacha20poly1305/secretbox_xchacha20poly1305.c \
 crypto_shorthash/siphash24/shorthash_siphashx24.c \
 crypto_shorthash/siphash24/ref/shorthash_siphashx24_ref.c \
diff --git a/src/libsodium/crypto_box/curve25519xchacha20poly1305/box_seal_curve25519xchacha20poly1305.c b/src/libsodium/crypto_box/curve25519xchacha20poly1305/box_seal_curve25519xchacha20poly1305.c
new file mode 100644
index 00000000..9e73a265
--- /dev/null
+++ b/src/libsodium/crypto_box/curve25519xchacha20poly1305/box_seal_curve25519xchacha20poly1305.c
@@ -0,0 +1,79 @@
+
+#include
+
+#include "crypto_box_curve25519xchacha20poly1305.h"
+#include "crypto_generichash.h"
+#include "private/common.h"
+#include "utils.h"
+
+static int
+_crypto_box_curve25519xchacha20poly1305_seal_nonce(unsigned char *nonce,
+ const unsigned char *pk1,
+ const unsigned char *pk2)
+{
+ crypto_generichash_state st;
+
+ crypto_generichash_init(&st, NULL, 0U,
+ crypto_box_curve25519xchacha20poly1305_NONCEBYTES);
+ crypto_generichash_update(&st, pk1,
+ crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES);
+ crypto_generichash_update(&st, pk2,
+ crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES);
+ crypto_generichash_final(&st, nonce,
+ crypto_box_curve25519xchacha20poly1305_NONCEBYTES);
+
+ return 0;
+}
+
+int
+crypto_box_curve25519xchacha20poly1305_seal(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *pk)
+{
+ unsigned char nonce[crypto_box_curve25519xchacha20poly1305_NONCEBYTES];
+ unsigned char epk[crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES];
+ unsigned char esk[crypto_box_curve25519xchacha20poly1305_SECRETKEYBYTES];
+ int ret;
+
+ if (crypto_box_curve25519xchacha20poly1305_keypair(epk, esk) != 0) {
+ return -1; /* LCOV_EXCL_LINE */
+ }
+ memcpy(c, epk, crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES);
+ _crypto_box_curve25519xchacha20poly1305_seal_nonce(nonce, epk, pk);
+ ret = crypto_box_curve25519xchacha20poly1305_easy(
+ c + crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES, m, mlen,
+ nonce, pk, esk);
+ sodium_memzero(esk, sizeof esk);
+ sodium_memzero(epk, sizeof epk);
+ sodium_memzero(nonce, sizeof nonce);
+
+ return ret;
+}
+
+int
+crypto_box_curve25519xchacha20poly1305_seal_open(unsigned char *m, const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *pk,
+ const unsigned char *sk)
+{
+ unsigned char nonce[crypto_box_curve25519xchacha20poly1305_NONCEBYTES];
+
+ if (clen < crypto_box_curve25519xchacha20poly1305_SEALBYTES) {
+ return -1;
+ }
+ _crypto_box_curve25519xchacha20poly1305_seal_nonce(nonce, c, pk);
+
+ COMPILER_ASSERT(crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES <
+ crypto_box_curve25519xchacha20poly1305_SEALBYTES);
+
+ return crypto_box_curve25519xchacha20poly1305_open_easy(
+ m, c + crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES,
+ clen - crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES,
+ nonce, c, sk);
+}
+
+size_t
+crypto_box_curve25519xchacha20poly1305_sealbytes(void)
+{
+ return crypto_box_curve25519xchacha20poly1305_SEALBYTES;
+}
diff --git a/src/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h b/src/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h
index 29c9b255..b781cc6e 100644
--- a/src/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h
+++ b/src/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h
@@ -123,6 +123,29 @@ int crypto_box_curve25519xchacha20poly1305_open_detached_afternm(unsigned char *
 const unsigned char *k)
 __attribute__ ((warn_unused_result));
 
+/* -- Ephemeral SK interface -- */
+
+#define crypto_box_curve25519xchacha20poly1305_SEALBYTES \
+ (crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES + \
+ crypto_box_curve25519xchacha20poly1305_MACBYTES)
+
+SODIUM_EXPORT
+size_t crypto_box_curve25519xchacha20poly1305_sealbytes(void);
+
+SODIUM_EXPORT
+int crypto_box_curve25519xchacha20poly1305_seal(unsigned char *c,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *pk);
+
+SODIUM_EXPORT
+int crypto_box_curve25519xchacha20poly1305_seal_open(unsigned char *m,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *pk,
+ const unsigned char *sk)
+ __attribute__ ((warn_unused_result));
+
 #ifdef __cplusplus
 }
 #endif
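Review bot: `_crypto_box_curve25519xchacha20poly1305_seal_nonce()` is declared `int` but can only return 0: it drops the results of `crypto_generichash_init()`, `_update()` and `_final()`, and both `seal()` and `seal_open()` ignore its return value as well. Should the hash ever fail, `nonce` (declared without an initializer in both callers) would reach `_easy()`/`_open_easy()` as uninitialized stack bytes. Either declare the helper `static void` and drop `return 0;`, or return the combined status and have both callers `return -1` on failure. The nonce is fully determined by the two public keys, which is sound only because `esk` is generated fresh inside every `seal()` call; I would record that above the helper, e.g. `/* nonce = generichash(epk || recipient pk); safe only because the ephemeral key pair is single-use */`.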
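Review bot: `crypto_box_curve25519xchacha20poly1305_seal()` is declared without `__attribute__ ((warn_unused_result))`, unlike `seal_open()` right below it, although the new .c file shows it returning -1 when key generation fails and propagating the result of `_easy()`. By that point the ephemeral public key has already been copied into `c`, so a caller that ignores the result could pass on a partially written buffer as if it were a sealed box; adding the attribute to the `seal()` prototype would catch that at compile time. The prototypes also say nothing about buffer sizes: from the implementation, `c` needs room for `mlen + crypto_box_curve25519xchacha20poly1305_SEALBYTES` bytes and `m` for `clen - crypto_box_curve25519xchacha20poly1305_SEALBYTES`. A one-line comment on each declaration stating this would save callers from reading the .c file to size their buffers.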