ffi-hydrogen 0.1.0

data/vendor/libhydrogen/impl/core.h

@@ -0,0 +1,220 @@
+int
+hydro_init(void)
+{
+    if (hydro_random_init() != 0) {
+        abort();
+    }
+    return 0;
+}
+
+void
+hydro_memzero(void *pnt, size_t len)
+{
+    volatile unsigned char *volatile pnt_ = (volatile unsigned char *volatile) pnt;
+    size_t i                              = (size_t) 0U;
+
+    while (i < len) {
+        pnt_[i++] = 0U;
+    }
+}
+
+void
+hydro_increment(uint8_t *n, size_t len)
+{
+    size_t        i;
+    uint_fast16_t c = 1U;
+
+    for (i = 0; i < len; i++) {
+        c += (uint_fast16_t) n[i];
+        n[i] = (uint8_t) c;
+        c >>= 8;
+    }
+}
+
+char *
+hydro_bin2hex(char *hex, size_t hex_maxlen, const uint8_t *bin, size_t bin_len)
+{
+    size_t       i = (size_t) 0U;
+    unsigned int x;
+    int          b;
+    int          c;
+
+    if (bin_len >= SIZE_MAX / 2 || hex_maxlen <= bin_len * 2U) {
+        abort();
+    }
+    while (i < bin_len) {
+        c = bin[i] & 0xf;
+        b = bin[i] >> 4;
+        x = (unsigned char) (87U + c + (((c - 10U) >> 8) & ~38U)) << 8 |
+            (unsigned char) (87U + b + (((b - 10U) >> 8) & ~38U));
+        hex[i * 2U] = (char) x;
+        x >>= 8;
+        hex[i * 2U + 1U] = (char) x;
+        i++;
+    }
+    hex[i * 2U] = 0U;
+
+    return hex;
+}
+
+int
+hydro_hex2bin(uint8_t *bin, size_t bin_maxlen, const char *hex, size_t hex_len, const char *ignore,
+              const char **hex_end_p)
+{
+    size_t        bin_pos = (size_t) 0U;
+    size_t        hex_pos = (size_t) 0U;
+    int           ret     = 0;
+    unsigned char c;
+    unsigned char c_alpha0, c_alpha;
+    unsigned char c_num0, c_num;
+    uint8_t       c_acc = 0U;
+    uint8_t       c_val;
+    unsigned char state = 0U;
+
+    while (hex_pos < hex_len) {
+        c        = (unsigned char) hex[hex_pos];
+        c_num    = c ^ 48U;
+        c_num0   = (c_num - 10U) >> 8;
+        c_alpha  = (c & ~32U) - 55U;
+        c_alpha0 = ((c_alpha - 10U) ^ (c_alpha - 16U)) >> 8;
+        if ((c_num0 | c_alpha0) == 0U) {
+            if (ignore != NULL && state == 0U && strchr(ignore, c) != NULL) {
+                hex_pos++;
+                continue;
+            }
+            break;
+        }
+        c_val = (uint8_t)((c_num0 & c_num) | (c_alpha0 & c_alpha));
+        if (bin_pos >= bin_maxlen) {
+            ret   = -1;
+            errno = ERANGE;
+            break;
+        }
+        if (state == 0U) {
+            c_acc = c_val * 16U;
+        } else {
+            bin[bin_pos++] = c_acc | c_val;
+        }
+        state = ~state;
+        hex_pos++;
+    }
+    if (state != 0U) {
+        hex_pos--;
+        errno = EINVAL;
+        ret   = -1;
+    }
+    if (ret != 0) {
+        bin_pos = (size_t) 0U;
+    }
+    if (hex_end_p != NULL) {
+        *hex_end_p = &hex[hex_pos];
+    } else if (hex_pos != hex_len) {
+        errno = EINVAL;
+        ret   = -1;
+    }
+    if (ret != 0) {
+        return ret;
+    }
+    return (int) bin_pos;
+}
+
+bool
+hydro_equal(const void *b1_, const void *b2_, size_t len)
+{
+    const volatile uint8_t *volatile b1 = (const volatile uint8_t *volatile) b1_;
+    const uint8_t *b2                   = (const uint8_t *) b2_;
+    size_t         i;
+    uint8_t        d = (uint8_t) 0U;
+
+    if (b1 == b2) {
+        d = ~d;
+    }
+    for (i = 0U; i < len; i++) {
+        d |= b1[i] ^ b2[i];
+    }
+    return (bool) (1 & ((d - 1) >> 8));
+}
+
+int
+hydro_compare(const uint8_t *b1_, const uint8_t *b2_, size_t len)
+{
+    const volatile uint8_t *volatile b1 = (const volatile uint8_t *volatile) b1_;
+    const uint8_t *b2                   = (const uint8_t *) b2_;
+    uint8_t        gt                   = 0U;
+    uint8_t        eq                   = 1U;
+    size_t         i;
+
+    i = len;
+    while (i != 0U) {
+        i--;
+        gt |= ((b2[i] - b1[i]) >> 8) & eq;
+        eq &= ((b2[i] ^ b1[i]) - 1) >> 8;
+    }
+    return (int) (gt + gt + eq) - 1;
+}
+
+int
+hydro_pad(unsigned char *buf, size_t unpadded_buflen, size_t blocksize, size_t max_buflen)
+{
+    unsigned char *        tail;
+    size_t                 i;
+    size_t                 xpadlen;
+    size_t                 xpadded_len;
+    volatile unsigned char mask;
+    unsigned char          barrier_mask;
+
+    if (blocksize <= 0U || max_buflen > INT_MAX) {
+        return -1;
+    }
+    xpadlen = blocksize - 1U;
+    if ((blocksize & (blocksize - 1U)) == 0U) {
+        xpadlen -= unpadded_buflen & (blocksize - 1U);
+    } else {
+        xpadlen -= unpadded_buflen % blocksize;
+    }
+    if (SIZE_MAX - unpadded_buflen <= xpadlen) {
+        return -1;
+    }
+    xpadded_len = unpadded_buflen + xpadlen;
+    if (xpadded_len >= max_buflen) {
+        return -1;
+    }
+    tail = &buf[xpadded_len];
+    mask = 0U;
+    for (i = 0; i < blocksize; i++) {
+        barrier_mask = (unsigned char)
+	 (((i ^ xpadlen) - 1U) >> ((sizeof(size_t) - 1U) * CHAR_BIT));
+        tail[-i]     = (tail[-i] & mask) | (0x80 & barrier_mask);
+        mask |= barrier_mask;
+    }
+    return (int) (xpadded_len + 1);
+}
+
+int
+hydro_unpad(const unsigned char *buf, size_t padded_buflen, size_t blocksize)
+{
+    const unsigned char *tail;
+    unsigned char        acc = 0U;
+    unsigned char        c;
+    unsigned char        valid   = 0U;
+    volatile size_t      pad_len = 0U;
+    size_t               i;
+    size_t               is_barrier;
+
+    if (padded_buflen < blocksize || blocksize <= 0U) {
+        return -1;
+    }
+    tail = &buf[padded_buflen - 1U];
+
+    for (i = 0U; i < blocksize; i++) {
+        c          = tail[-i];
+        is_barrier = (((acc - 1U) & (pad_len - 1U) & ((c ^ 0x80) - 1U)) >> 8) & 1U;
+        acc |= c;
+        pad_len |= (i & -is_barrier);
+        valid |= (unsigned char) is_barrier;
+    }
+    if (valid == 0) {
+        return -1;
+    }
+    return (int) (padded_buflen - 1 - pad_len);
+}

data/vendor/libhydrogen/impl/gimli-core/portable.h

@@ -0,0 +1,39 @@
+static void
+gimli_core(uint32_t state[gimli_BLOCKBYTES / 4])
+{
+    unsigned int round;
+    unsigned int column;
+    uint32_t     x;
+    uint32_t     y;
+    uint32_t     z;
+
+    for (round = 24; round > 0; round--) {
+        for (column = 0; column < 4; column++) {
+            x = ROTL32(state[column], 24);
+            y = ROTL32(state[4 + column], 9);
+            z = state[8 + column];
+
+            state[8 + column] = x ^ (z << 1) ^ ((y & z) << 2);
+            state[4 + column] = y ^ x ^ ((x | z) << 1);
+            state[column]     = z ^ y ^ ((x & y) << 3);
+        }
+        switch (round & 3) {
+        case 0:
+            x        = state[0];
+            state[0] = state[1];
+            state[1] = x;
+            x        = state[2];
+            state[2] = state[3];
+            state[3] = x;
+            state[0] ^= ((uint32_t) 0x9e377900 | round);
+            break;
+        case 2:
+            x        = state[0];
+            state[0] = state[2];
+            state[2] = x;
+            x        = state[1];
+            state[1] = state[3];
+            state[3] = x;
+        }
+    }
+}

data/vendor/libhydrogen/impl/gimli-core/sse2.h

@@ -0,0 +1,97 @@
+#include <tmmintrin.h>
+
+#define S 9
+
+static inline __m128i
+shift(__m128i x, int bits)
+{
+    return _mm_slli_epi32(x, bits);
+}
+
+static inline __m128i
+rotate(__m128i x, int bits)
+{
+    return _mm_slli_epi32(x, bits) | _mm_srli_epi32(x, 32 - bits);
+}
+
+#ifdef __SSSE3__
+static inline __m128i
+rotate24(__m128i x)
+{
+    return _mm_shuffle_epi8(x, _mm_set_epi8(12, 15, 14, 13, 8, 11, 10, 9, 4, 7, 6, 5, 0, 3, 2, 1));
+}
+#else
+static inline __m128i
+rotate24(__m128i x)
+{
+    uint8_t _hydro_attr_aligned_(16) x8[16], y8[16];
+
+    _mm_storeu_si128((__m128i *) (void *) x8, x);
+
+    y8[ 0] = x8[ 1]; y8[ 1] = x8[ 2]; y8[ 2] = x8[ 3]; y8[ 3] = x8[ 0];
+    y8[ 4] = x8[ 5]; y8[ 5] = x8[ 6]; y8[ 6] = x8[ 7]; y8[ 7] = x8[ 4];
+    y8[ 8] = x8[ 9]; y8[ 9] = x8[10]; y8[10] = x8[11]; y8[11] = x8[ 8];
+    y8[12] = x8[13]; y8[13] = x8[14]; y8[14] = x8[15]; y8[15] = x8[12];
+
+    return _mm_loadu_si128((const __m128i *) (const void *) y8);
+}
+#endif
+
+static const uint32_t coeffs[24] _hydro_attr_aligned_(16) = {
+    0x9e377904, 0, 0, 0, 0x9e377908, 0, 0, 0, 0x9e37790c, 0, 0, 0,
+    0x9e377910, 0, 0, 0, 0x9e377914, 0, 0, 0, 0x9e377918, 0, 0, 0,
+};
+
+static void
+gimli_core(uint32_t state[gimli_BLOCKBYTES / 4])
+{
+    __m128i x = _mm_loadu_si128((const __m128i *) (const void *) &state[0]);
+    __m128i y = _mm_loadu_si128((const __m128i *) (const void *) &state[4]);
+    __m128i z = _mm_loadu_si128((const __m128i *) (const void *) &state[8]);
+    __m128i newy;
+    __m128i newz;
+    int     round;
+
+    for (round = 5; round >= 0; round--) {
+        x    = rotate24(x);
+        y    = rotate(y, S);
+        newz = x ^ shift(z, 1) ^ shift(y & z, 2);
+        newy = y ^ x ^ shift(x | z, 1);
+        x    = z ^ y ^ shift(x & y, 3);
+        y    = newy;
+        z    = newz;
+
+        x = _mm_shuffle_epi32(x, _MM_SHUFFLE(2, 3, 0, 1));
+        x ^= ((const __m128i *) (const void *) coeffs)[round];
+
+        x    = rotate24(x);
+        y    = rotate(y, S);
+        newz = x ^ shift(z, 1) ^ shift(y & z, 2);
+        newy = y ^ x ^ shift(x | z, 1);
+        x    = z ^ y ^ shift(x & y, 3);
+        y    = newy;
+        z    = newz;
+
+        x    = rotate24(x);
+        y    = rotate(y, S);
+        newz = x ^ shift(z, 1) ^ shift(y & z, 2);
+        newy = y ^ x ^ shift(x | z, 1);
+        x    = z ^ y ^ shift(x & y, 3);
+        y    = newy;
+        z    = newz;
+
+        x = _mm_shuffle_epi32(x, _MM_SHUFFLE(1, 0, 3, 2));
+
+        x    = rotate24(x);
+        y    = rotate(y, S);
+        newz = x ^ shift(z, 1) ^ shift(y & z, 2);
+        newy = y ^ x ^ shift(x | z, 1);
+        x    = z ^ y ^ shift(x & y, 3);
+        y    = newy;
+        z    = newz;
+    }
+
+    _mm_storeu_si128((__m128i *) (void *) &state[0], x);
+    _mm_storeu_si128((__m128i *) (void *) &state[4], y);
+    _mm_storeu_si128((__m128i *) (void *) &state[8], z);
+}

data/vendor/libhydrogen/impl/gimli-core.h

@@ -0,0 +1,25 @@
+#ifdef __SSE2__
+# include "gimli-core/sse2.h"
+#else
+# include "gimli-core/portable.h"
+#endif
+
+static void
+gimli_core_u8(uint8_t state_u8[gimli_BLOCKBYTES], uint8_t tag)
+{
+    state_u8[gimli_BLOCKBYTES - 1] ^= tag;
+#ifndef NATIVE_LITTLE_ENDIAN
+    uint32_t state_u32[12];
+    int      i;
+
+    for (i = 0; i < 12; i++) {
+        state_u32[i] = LOAD32_LE(&state_u8[i * 4]);
+    }
+    gimli_core(state_u32);
+    for (i = 0; i < 12; i++) {
+        STORE32_LE(&state_u8[i * 4], state_u32[i]);
+    }
+#else
+    gimli_core((uint32_t *) (void *) state_u8); /* state_u8 must be properly aligned */
+#endif
+}

data/vendor/libhydrogen/impl/hash.h

@@ -0,0 +1,138 @@
+int
+hydro_hash_update(hydro_hash_state *state, const void *in_, size_t in_len)
+{
+    const uint8_t *in  = (const uint8_t *) in_;
+    uint8_t *      buf = (uint8_t *) (void *) state->state;
+    size_t         left;
+    size_t         ps;
+    size_t         i;
+
+    while (in_len > 0) {
+        if ((left = gimli_RATE - state->buf_off) == 0) {
+            gimli_core_u8(buf, 0);
+            state->buf_off = 0;
+            left           = gimli_RATE;
+        }
+        if ((ps = in_len) > left) {
+            ps = left;
+        }
+        for (i = 0; i < ps; i++) {
+            buf[state->buf_off + i] ^= in[i];
+        }
+        state->buf_off += (uint8_t) ps;
+        in += ps;
+        in_len -= ps;
+    }
+    return 0;
+}
+
+/* pad(str_enc("kmac") || str_enc(context)) || pad(str_enc(k)) ||
+   msg || right_enc(msg_len) || 0x00 */
+
+int
+hydro_hash_init(hydro_hash_state *state, const char ctx[hydro_hash_CONTEXTBYTES],
+                const uint8_t key[hydro_hash_KEYBYTES])
+{
+    uint8_t block[64] = { 4, 'k', 'm', 'a', 'c', 8 };
+    size_t  p;
+
+    COMPILER_ASSERT(hydro_hash_KEYBYTES <= sizeof block - gimli_RATE - 1);
+    COMPILER_ASSERT(hydro_hash_CONTEXTBYTES == 8);
+    mem_zero(block + 14, sizeof block - 14);
+    memcpy(block + 6, ctx, 8);
+    if (key != NULL) {
+        block[gimli_RATE] = (uint8_t) hydro_hash_KEYBYTES;
+        memcpy(block + gimli_RATE + 1, key, hydro_hash_KEYBYTES);
+        p = (gimli_RATE + 1 + hydro_hash_KEYBYTES + (gimli_RATE - 1)) & ~(size_t)(gimli_RATE - 1);
+    } else {
+        block[gimli_RATE] = (uint8_t) 0;
+        p                 = (gimli_RATE + 1 + 0 + (gimli_RATE - 1)) & ~(size_t)(gimli_RATE - 1);
+    }
+    mem_zero(state, sizeof *state);
+    hydro_hash_update(state, block, p);
+
+    return 0;
+}
+
+/* pad(str_enc("tmac") || str_enc(context)) || pad(str_enc(k)) ||
+   pad(right_enc(tweak)) || msg || right_enc(msg_len) || 0x00 */
+
+static int
+hydro_hash_init_with_tweak(hydro_hash_state *state, const char ctx[hydro_hash_CONTEXTBYTES],
+                           uint64_t tweak, const uint8_t key[hydro_hash_KEYBYTES])
+{
+    uint8_t block[80] = { 4, 't', 'm', 'a', 'c', 8 };
+    size_t  p;
+
+    COMPILER_ASSERT(hydro_hash_KEYBYTES <= sizeof block - 2 * gimli_RATE - 1);
+    COMPILER_ASSERT(hydro_hash_CONTEXTBYTES == 8);
+    mem_zero(block + 14, sizeof block - 14);
+    memcpy(block + 6, ctx, 8);
+    if (key != NULL) {
+        block[gimli_RATE] = (uint8_t) hydro_hash_KEYBYTES;
+        memcpy(block + gimli_RATE + 1, key, hydro_hash_KEYBYTES);
+        p = (gimli_RATE + 1 + hydro_hash_KEYBYTES + (gimli_RATE - 1)) & ~(size_t)(gimli_RATE - 1);
+    } else {
+        block[gimli_RATE] = (uint8_t) 0;
+        p                 = (gimli_RATE + 1 + 0 + (gimli_RATE - 1)) & ~(size_t)(gimli_RATE - 1);
+    }
+    block[p] = (uint8_t) sizeof tweak;
+    STORE64_LE(&block[p + 1], tweak);
+    p += gimli_RATE;
+    mem_zero(state, sizeof *state);
+    hydro_hash_update(state, block, p);
+
+    return 0;
+}
+
+int
+hydro_hash_final(hydro_hash_state *state, uint8_t *out, size_t out_len)
+{
+    uint8_t  lc[4];
+    uint8_t *buf = (uint8_t *) (void *) state->state;
+    size_t   i;
+    size_t   lc_len;
+    size_t   leftover;
+
+    if (out_len < hydro_hash_BYTES_MIN || out_len > hydro_hash_BYTES_MAX) {
+        return -1;
+    }
+    COMPILER_ASSERT(hydro_hash_BYTES_MAX <= 0xffff);
+    lc[1]  = (uint8_t) out_len;
+    lc[2]  = (uint8_t)(out_len >> 8);
+    lc[3]  = 0;
+    lc_len = (size_t)(1 + (lc[2] != 0));
+    lc[0]  = (uint8_t) lc_len;
+    hydro_hash_update(state, lc, 1 + lc_len + 1);
+    gimli_pad_u8(buf, state->buf_off, gimli_DOMAIN_XOF);
+    for (i = 0; i < out_len / gimli_RATE; i++) {
+        gimli_core_u8(buf, 0);
+        memcpy(out + i * gimli_RATE, buf, gimli_RATE);
+    }
+    leftover = out_len % gimli_RATE;
+    if (leftover != 0) {
+        gimli_core_u8(buf, 0);
+        mem_cpy(out + i * gimli_RATE, buf, leftover);
+    }
+    return 0;
+}
+
+int
+hydro_hash_hash(uint8_t *out, size_t out_len, const void *in_, size_t in_len,
+                const char ctx[hydro_hash_CONTEXTBYTES], const uint8_t key[hydro_hash_KEYBYTES])
+{
+    hydro_hash_state st;
+    const uint8_t *  in = (const uint8_t *) in_;
+
+    if (hydro_hash_init(&st, ctx, key) != 0 || hydro_hash_update(&st, in, in_len) != 0 ||
+        hydro_hash_final(&st, out, out_len) != 0) {
+        return -1;
+    }
+    return 0;
+}
+
+void
+hydro_hash_keygen(uint8_t key[hydro_hash_KEYBYTES])
+{
+    hydro_random_buf(key, hydro_hash_KEYBYTES);
+}

data/vendor/libhydrogen/impl/hydrogen_p.h

@@ -0,0 +1,83 @@
+static int hydro_random_init(void);
+
+/* ---------------- */
+
+#define gimli_BLOCKBYTES 48
+#define gimli_CAPACITY   32
+#define gimli_RATE       16
+
+#define gimli_TAG_HEADER  0x01
+#define gimli_TAG_PAYLOAD 0x02
+#define gimli_TAG_FINAL   0x08
+#define gimli_TAG_FINAL0  0xf8
+#define gimli_TAG_KEY0    0xfe
+#define gimli_TAG_KEY     0xff
+
+#define gimli_DOMAIN_AEAD 0x0
+#define gimli_DOMAIN_XOF  0xf
+
+static void gimli_core_u8(uint8_t state_u8[gimli_BLOCKBYTES], uint8_t tag);
+
+static inline void
+gimli_pad_u8(uint8_t buf[gimli_BLOCKBYTES], size_t pos, uint8_t domain)
+{
+    buf[pos] ^= (domain << 1) | 1;
+    buf[gimli_RATE - 1] ^= 0x80;
+}
+
+static inline void
+hydro_mem_ct_zero_u32(uint32_t *dst_, size_t n)
+{
+    volatile uint32_t *volatile dst = (volatile uint32_t * volatile)(void *) dst_;
+    size_t i;
+
+    for (i = 0; i < n; i++) {
+        dst[i] = 0;
+    }
+}
+
+static inline uint32_t hydro_mem_ct_cmp_u32(const uint32_t *b1_, const uint32_t *b2,
+                                            size_t n) _hydro_attr_warn_unused_result_;
+
+static inline uint32_t
+hydro_mem_ct_cmp_u32(const uint32_t *b1_, const uint32_t *b2, size_t n)
+{
+    const volatile uint32_t *volatile b1 = (const volatile uint32_t *volatile)(const void *) b1_;
+    size_t   i;
+    uint32_t cv = 0;
+
+    for (i = 0; i < n; i++) {
+        cv |= b1[i] ^ b2[i];
+    }
+    return cv;
+}
+
+/* ---------------- */
+
+static int hydro_hash_init_with_tweak(hydro_hash_state *state,
+                                      const char ctx[hydro_hash_CONTEXTBYTES], uint64_t tweak,
+                                      const uint8_t key[hydro_hash_KEYBYTES]);
+
+/* ---------------- */
+
+#define hydro_secretbox_NONCEBYTES 20
+#define hydro_secretbox_MACBYTES 16
+
+/* ---------------- */
+
+#define hydro_x25519_BYTES 32
+#define hydro_x25519_PUBLICKEYBYTES 32
+#define hydro_x25519_SECRETKEYBYTES 32
+
+static int hydro_x25519_scalarmult(uint8_t       out[hydro_x25519_BYTES],
+                                   const uint8_t scalar[hydro_x25519_BYTES],
+                                   const uint8_t x1[hydro_x25519_BYTES],
+                                   bool          clamp) _hydro_attr_warn_unused_result_;
+
+static inline int hydro_x25519_scalarmult_base(uint8_t       pk[hydro_x25519_PUBLICKEYBYTES],
+                                               const uint8_t sk[hydro_x25519_SECRETKEYBYTES])
+    _hydro_attr_warn_unused_result_;
+
+static inline void
+hydro_x25519_scalarmult_base_uniform(uint8_t       pk[hydro_x25519_PUBLICKEYBYTES],
+                                     const uint8_t sk[hydro_x25519_SECRETKEYBYTES]);

data/vendor/libhydrogen/impl/kdf.h

@@ -0,0 +1,20 @@
+int
+hydro_kdf_derive_from_key(uint8_t *subkey, size_t subkey_len, uint64_t subkey_id,
+                          const char    ctx[hydro_kdf_CONTEXTBYTES],
+                          const uint8_t key[hydro_kdf_KEYBYTES])
+{
+    hydro_hash_state st;
+
+    COMPILER_ASSERT(hydro_kdf_CONTEXTBYTES >= hydro_hash_CONTEXTBYTES);
+    COMPILER_ASSERT(hydro_kdf_KEYBYTES >= hydro_hash_KEYBYTES);
+    if (hydro_hash_init_with_tweak(&st, ctx, subkey_id, key) != 0) {
+        return -1;
+    }
+    return hydro_hash_final(&st, subkey, subkey_len);
+}
+
+void
+hydro_kdf_keygen(uint8_t key[hydro_kdf_KEYBYTES])
+{
+    hydro_random_buf(key, hydro_kdf_KEYBYTES);
+}