rbnacl-libsodium 0.5.0.1 → 0.6.0

data/vendor/libsodium/src/libsodium/crypto_stream/chacha20/ref/stream_chacha20_ref.c

@@ -0,0 +1,275 @@
+
+/* $OpenBSD: chacha.c,v 1.1 2013/11/21 00:45:44 djm Exp $ */
+
+/*
+ chacha-merged.c version 20080118
+ D. J. Bernstein
+ Public domain.
+ */
+
+#include <stdint.h>
+#include <string.h>
+
+#include "api.h"
+#include "crypto_stream_chacha20.h"
+#include "utils.h"
+
+struct chacha_ctx {
+    uint32_t input[16];
+};
+
+typedef uint8_t  u8;
+typedef uint32_t u32;
+
+typedef struct chacha_ctx chacha_ctx;
+
+#define U8C(v) (v##U)
+#define U32C(v) (v##U)
+
+#define U8V(v) ((u8)(v) & U8C(0xFF))
+#define U32V(v) ((u32)(v) & U32C(0xFFFFFFFF))
+
+#define ROTL32(v, n) \
+  (U32V((v) << (n)) | ((v) >> (32 - (n))))
+
+#define U8TO32_LITTLE(p) \
+  (((u32)((p)[0])      ) | \
+   ((u32)((p)[1]) <<  8) | \
+   ((u32)((p)[2]) << 16) | \
+   ((u32)((p)[3]) << 24))
+
+#define U32TO8_LITTLE(p, v) \
+  do { \
+    (p)[0] = U8V((v)      ); \
+    (p)[1] = U8V((v) >>  8); \
+    (p)[2] = U8V((v) >> 16); \
+    (p)[3] = U8V((v) >> 24); \
+  } while (0)
+
+#define ROTATE(v,c) (ROTL32(v,c))
+#define XOR(v,w) ((v) ^ (w))
+#define PLUS(v,w) (U32V((v) + (w)))
+#define PLUSONE(v) (PLUS((v),1))
+
+#define QUARTERROUND(a,b,c,d) \
+  a = PLUS(a,b); d = ROTATE(XOR(d,a),16); \
+  c = PLUS(c,d); b = ROTATE(XOR(b,c),12); \
+  a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \
+  c = PLUS(c,d); b = ROTATE(XOR(b,c), 7);
+
+static const unsigned char sigma[16] = {
+    'e', 'x', 'p', 'a', 'n', 'd', ' ', '3', '2', '-', 'b', 'y', 't', 'e', ' ', 'k'
+};
+
+static void
+chacha_keysetup(chacha_ctx *x, const u8 *k)
+{
+    const unsigned char *constants;
+
+    x->input[4] = U8TO32_LITTLE(k + 0);
+    x->input[5] = U8TO32_LITTLE(k + 4);
+    x->input[6] = U8TO32_LITTLE(k + 8);
+    x->input[7] = U8TO32_LITTLE(k + 12);
+    k += 16;
+    constants = sigma;
+    x->input[8] = U8TO32_LITTLE(k + 0);
+    x->input[9] = U8TO32_LITTLE(k + 4);
+    x->input[10] = U8TO32_LITTLE(k + 8);
+    x->input[11] = U8TO32_LITTLE(k + 12);
+    x->input[0] = U8TO32_LITTLE(constants + 0);
+    x->input[1] = U8TO32_LITTLE(constants + 4);
+    x->input[2] = U8TO32_LITTLE(constants + 8);
+    x->input[3] = U8TO32_LITTLE(constants + 12);
+}
+
+static void
+chacha_ivsetup(chacha_ctx *x, const u8 *iv, const u8 *counter)
+{
+    x->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0);
+    x->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4);
+    x->input[14] = U8TO32_LITTLE(iv + 0);
+    x->input[15] = U8TO32_LITTLE(iv + 4);
+}
+
+static void
+chacha_encrypt_bytes(chacha_ctx *x, const u8 *m, u8 *c, unsigned long long bytes)
+{
+    u32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+    u32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+    u8 *ctarget = NULL;
+    u8 tmp[64];
+    unsigned long long i;
+
+    if (!bytes) {
+        return;
+    }
+    j0 = x->input[0];
+    j1 = x->input[1];
+    j2 = x->input[2];
+    j3 = x->input[3];
+    j4 = x->input[4];
+    j5 = x->input[5];
+    j6 = x->input[6];
+    j7 = x->input[7];
+    j8 = x->input[8];
+    j9 = x->input[9];
+    j10 = x->input[10];
+    j11 = x->input[11];
+    j12 = x->input[12];
+    j13 = x->input[13];
+    j14 = x->input[14];
+    j15 = x->input[15];
+
+    for (;;) {
+        if (bytes < 64) {
+            for (i = 0; i < bytes; ++i) {
+                tmp[i] = m[i];
+            }
+            m = tmp;
+            ctarget = c;
+            c = tmp;
+        }
+        x0 = j0;
+        x1 = j1;
+        x2 = j2;
+        x3 = j3;
+        x4 = j4;
+        x5 = j5;
+        x6 = j6;
+        x7 = j7;
+        x8 = j8;
+        x9 = j9;
+        x10 = j10;
+        x11 = j11;
+        x12 = j12;
+        x13 = j13;
+        x14 = j14;
+        x15 = j15;
+        for (i = 20; i > 0; i -= 2) {
+            QUARTERROUND(x0, x4, x8, x12)
+            QUARTERROUND(x1, x5, x9, x13)
+            QUARTERROUND(x2, x6, x10, x14)
+            QUARTERROUND(x3, x7, x11, x15)
+            QUARTERROUND(x0, x5, x10, x15)
+            QUARTERROUND(x1, x6, x11, x12)
+            QUARTERROUND(x2, x7, x8, x13)
+            QUARTERROUND(x3, x4, x9, x14)
+        }
+        x0 = PLUS(x0, j0);
+        x1 = PLUS(x1, j1);
+        x2 = PLUS(x2, j2);
+        x3 = PLUS(x3, j3);
+        x4 = PLUS(x4, j4);
+        x5 = PLUS(x5, j5);
+        x6 = PLUS(x6, j6);
+        x7 = PLUS(x7, j7);
+        x8 = PLUS(x8, j8);
+        x9 = PLUS(x9, j9);
+        x10 = PLUS(x10, j10);
+        x11 = PLUS(x11, j11);
+        x12 = PLUS(x12, j12);
+        x13 = PLUS(x13, j13);
+        x14 = PLUS(x14, j14);
+        x15 = PLUS(x15, j15);
+
+        x0 = XOR(x0, U8TO32_LITTLE(m + 0));
+        x1 = XOR(x1, U8TO32_LITTLE(m + 4));
+        x2 = XOR(x2, U8TO32_LITTLE(m + 8));
+        x3 = XOR(x3, U8TO32_LITTLE(m + 12));
+        x4 = XOR(x4, U8TO32_LITTLE(m + 16));
+        x5 = XOR(x5, U8TO32_LITTLE(m + 20));
+        x6 = XOR(x6, U8TO32_LITTLE(m + 24));
+        x7 = XOR(x7, U8TO32_LITTLE(m + 28));
+        x8 = XOR(x8, U8TO32_LITTLE(m + 32));
+        x9 = XOR(x9, U8TO32_LITTLE(m + 36));
+        x10 = XOR(x10, U8TO32_LITTLE(m + 40));
+        x11 = XOR(x11, U8TO32_LITTLE(m + 44));
+        x12 = XOR(x12, U8TO32_LITTLE(m + 48));
+        x13 = XOR(x13, U8TO32_LITTLE(m + 52));
+        x14 = XOR(x14, U8TO32_LITTLE(m + 56));
+        x15 = XOR(x15, U8TO32_LITTLE(m + 60));
+
+        j12 = PLUSONE(j12);
+        if (!j12) {
+            j13 = PLUSONE(j13);
+            /* stopping at 2^70 bytes per nonce is user's responsibility */
+        }
+
+        U32TO8_LITTLE(c + 0, x0);
+        U32TO8_LITTLE(c + 4, x1);
+        U32TO8_LITTLE(c + 8, x2);
+        U32TO8_LITTLE(c + 12, x3);
+        U32TO8_LITTLE(c + 16, x4);
+        U32TO8_LITTLE(c + 20, x5);
+        U32TO8_LITTLE(c + 24, x6);
+        U32TO8_LITTLE(c + 28, x7);
+        U32TO8_LITTLE(c + 32, x8);
+        U32TO8_LITTLE(c + 36, x9);
+        U32TO8_LITTLE(c + 40, x10);
+        U32TO8_LITTLE(c + 44, x11);
+        U32TO8_LITTLE(c + 48, x12);
+        U32TO8_LITTLE(c + 52, x13);
+        U32TO8_LITTLE(c + 56, x14);
+        U32TO8_LITTLE(c + 60, x15);
+
+        if (bytes <= 64) {
+            if (bytes < 64) {
+                for (i = 0; i < bytes; ++i) {
+                    ctarget[i] = c[i];
+                }
+            }
+            x->input[12] = j12;
+            x->input[13] = j13;
+            return;
+        }
+        bytes -= 64;
+        c += 64;
+        m += 64;
+    }
+}
+
+int
+crypto_stream_chacha20_ref(unsigned char *c, unsigned long long clen,
+                           const unsigned char *n, const unsigned char *k)
+{
+    struct chacha_ctx ctx;
+
+    if (!clen) {
+        return 0;
+    }
+    (void) sizeof(int[crypto_stream_chacha20_KEYBYTES == 256 / 8 ? 1 : -1]);
+    chacha_keysetup(&ctx, k);
+    chacha_ivsetup(&ctx, n, NULL);
+    memset(c, 0, clen);
+    chacha_encrypt_bytes(&ctx, c, c, clen);
+    sodium_memzero(&ctx, sizeof ctx);
+
+    return 0;
+}
+
+int
+crypto_stream_chacha20_ref_xor_ic(unsigned char *c, const unsigned char *m,
+                                  unsigned long long mlen,
+                                  const unsigned char *n, uint64_t ic,
+                                  const unsigned char *k)
+{
+    struct chacha_ctx ctx;
+    uint8_t           ic_bytes[8];
+    uint32_t          ic_high;
+    uint32_t          ic_low;
+
+    if (!mlen) {
+        return 0;
+    }
+    ic_high = U32V(ic >> 32);
+    ic_low = U32V(ic);
+    U32TO8_LITTLE(&ic_bytes[0], ic_low);
+    U32TO8_LITTLE(&ic_bytes[4], ic_high);
+    chacha_keysetup(&ctx, k);
+    chacha_ivsetup(&ctx, n, ic_bytes);
+    chacha_encrypt_bytes(&ctx, m, c, mlen);
+    sodium_memzero(&ctx, sizeof ctx);
+    sodium_memzero(ic_bytes, sizeof ic_bytes);
+
+    return 0;
+}

data/vendor/libsodium/src/libsodium/crypto_stream/chacha20/stream_chacha20_api.c

@@ -0,0 +1,36 @@
+#include "crypto_stream_chacha20.h"
+#include "ref/api.h"
+
+size_t
+crypto_stream_chacha20_keybytes(void) {
+    return crypto_stream_chacha20_KEYBYTES;
+}
+
+size_t
+crypto_stream_chacha20_noncebytes(void) {
+    return crypto_stream_chacha20_NONCEBYTES;
+}
+
+int
+crypto_stream_chacha20(unsigned char *c, unsigned long long clen,
+                       const unsigned char *n, const unsigned char *k)
+{
+    return crypto_stream_chacha20_ref(c, clen, n, k);
+}
+
+int
+crypto_stream_chacha20_xor_ic(unsigned char *c, const unsigned char *m,
+                              unsigned long long mlen,
+                              const unsigned char *n, uint64_t ic,
+                              const unsigned char *k)
+{
+    return crypto_stream_chacha20_ref_xor_ic(c, m, mlen, n, ic, k);
+}
+
+int
+crypto_stream_chacha20_xor(unsigned char *c, const unsigned char *m,
+                           unsigned long long mlen, const unsigned char *n,
+                           const unsigned char *k)
+{
+    return crypto_stream_chacha20_ref_xor_ic(c, m, mlen, n, 0U, k);
+}

data/vendor/libsodium/src/libsodium/crypto_stream/salsa20/amd64_xmm6/stream_salsa20_amd64_xmm6.S

@@ -33,19 +33,20 @@ mov  $0,%rax
 mov  %r9,%rcx
 rep stosb
 sub  %r9,%rdi
+movq $0,472(%rsp)
 jmp ._start
 
 .text
 .p2align 5
 
-.globl  crypto_stream_salsa20_xor
-.globl _crypto_stream_salsa20_xor
+.globl  crypto_stream_salsa20_xor_ic
+.globl _crypto_stream_salsa20_xor_ic
 #ifdef __ELF__
-.type  crypto_stream_salsa20_xor, @function
-.type _crypto_stream_salsa20_xor, @function
+.type  crypto_stream_salsa20_xor_ic, @function
+.type _crypto_stream_salsa20_xor_ic, @function
 #endif
-crypto_stream_salsa20_xor:
-_crypto_stream_salsa20_xor:
+crypto_stream_salsa20_xor_ic:
+_crypto_stream_salsa20_xor_ic:
 
 mov %rsp,%r11
 and $31,%r11
@@ -60,9 +61,10 @@ movq %rbx,456(%rsp)
 movq %rbp,464(%rsp)
 mov  %rdi,%rdi
 mov  %rsi,%rsi
+mov  %r9,%r10
+movq %r8,472(%rsp)
 mov  %rdx,%r9
 mov  %rcx,%rdx
-mov  %r8,%r10
 cmp  $0,%r9
 jbe ._done
 
@@ -75,17 +77,16 @@ movl %ecx,64(%rsp)
 movl %r8d,4+64(%rsp)
 movl %eax,8+64(%rsp)
 movl %r11d,12+64(%rsp)
-mov  $0,%rcx
 movl   24(%r10),%r8d
 movl   4(%r10),%eax
 movl   4(%rdx),%edx
-movq %rcx,472(%rsp)
+movq 472(%rsp),%rcx
 movl %ecx,80(%rsp)
 movl %r8d,4+80(%rsp)
 movl %eax,8+80(%rsp)
 movl %edx,12+80(%rsp)
 movl   12(%r10),%edx
-mov  $0,%rcx
+shr  $32,%rcx
 movl   28(%r10),%r8d
 movl   8(%r10),%eax
 movl %edx,96(%rsp)

data/vendor/libsodium/src/libsodium/crypto_stream/salsa20/ref/xor_salsa20_ref.c

@@ -4,6 +4,8 @@ D. J. Bernstein
 Public domain.
 */
 
+#include <stdint.h>
+
 #include "api.h"
 #include "crypto_core_salsa20.h"
 #include "utils.h"
@@ -16,10 +18,10 @@ static const unsigned char sigma[16] = {
     'e', 'x', 'p', 'a', 'n', 'd', ' ', '3', '2', '-', 'b', 'y', 't', 'e', ' ', 'k'
 };
 
-int crypto_stream_xor(
+int crypto_stream_salsa20_xor_ic(
         unsigned char *c,
   const unsigned char *m,unsigned long long mlen,
-  const unsigned char *n,
+  const unsigned char *n, uint64_t ic,
   const unsigned char *k
 )
 {
@@ -33,7 +35,10 @@ int crypto_stream_xor(
 
   for (i = 0;i < 32;++i) kcopy[i] = k[i];
   for (i = 0;i < 8;++i) in[i] = n[i];
-  for (i = 8;i < 16;++i) in[i] = 0;
+  for (i = 8;i < 16;++i) {
+      in[i] = (unsigned char) (ic & 0xff);
+      ic >>= 8;
+  }
 
   while (mlen >= 64) {
     crypto_core_salsa20(block,in,kcopy,sigma);

data/vendor/libsodium/src/libsodium/crypto_stream/salsa20/stream_salsa20_api.c

@@ -9,3 +9,11 @@ size_t
 crypto_stream_salsa20_noncebytes(void) {
     return crypto_stream_salsa20_NONCEBYTES;
 }
+
+int
+crypto_stream_salsa20_xor(unsigned char *c, const unsigned char *m,
+                          unsigned long long mlen, const unsigned char *n,
+                          const unsigned char *k)
+{
+    return crypto_stream_salsa20_xor_ic(c, m, mlen, n, 0U, k);
+}

data/vendor/libsodium/src/libsodium/include/Makefile.am

@@ -2,6 +2,7 @@
 SODIUM_EXPORT = \
 	sodium.h \
 	sodium/core.h \
+	sodium/crypto_aead_chacha20poly1305.h \
 	sodium/crypto_auth.h \
 	sodium/crypto_auth_hmacsha256.h \
 	sodium/crypto_auth_hmacsha512.h \
@@ -19,8 +20,7 @@ SODIUM_EXPORT = \
 	sodium/crypto_hash_sha512.h \
 	sodium/crypto_onetimeauth.h \
 	sodium/crypto_onetimeauth_poly1305.h \
-	sodium/crypto_onetimeauth_poly1305_donna.h \
-	sodium/crypto_pwhash_scryptxsalsa208sha256.h \
+	sodium/crypto_pwhash_scryptsalsa208sha256.h \
 	sodium/crypto_scalarmult.h \
 	sodium/crypto_scalarmult_curve25519.h \
 	sodium/crypto_secretbox.h \
@@ -33,6 +33,7 @@ SODIUM_EXPORT = \
 	sodium/crypto_stream.h \
 	sodium/crypto_stream_aes128ctr.h \
 	sodium/crypto_stream_aes256estream.h \
+	sodium/crypto_stream_chacha20.h \
 	sodium/crypto_stream_salsa20.h \
 	sodium/crypto_stream_salsa2012.h \
 	sodium/crypto_stream_salsa208.h \

data/vendor/libsodium/src/libsodium/include/Makefile.in

@@ -299,6 +299,7 @@ top_srcdir = @top_srcdir@
 SODIUM_EXPORT = \
 	sodium.h \
 	sodium/core.h \
+	sodium/crypto_aead_chacha20poly1305.h \
 	sodium/crypto_auth.h \
 	sodium/crypto_auth_hmacsha256.h \
 	sodium/crypto_auth_hmacsha512.h \
@@ -316,8 +317,7 @@ SODIUM_EXPORT = \
 	sodium/crypto_hash_sha512.h \
 	sodium/crypto_onetimeauth.h \
 	sodium/crypto_onetimeauth_poly1305.h \
-	sodium/crypto_onetimeauth_poly1305_donna.h \
-	sodium/crypto_pwhash_scryptxsalsa208sha256.h \
+	sodium/crypto_pwhash_scryptsalsa208sha256.h \
 	sodium/crypto_scalarmult.h \
 	sodium/crypto_scalarmult_curve25519.h \
 	sodium/crypto_secretbox.h \
@@ -330,6 +330,7 @@ SODIUM_EXPORT = \
 	sodium/crypto_stream.h \
 	sodium/crypto_stream_aes128ctr.h \
 	sodium/crypto_stream_aes256estream.h \
+	sodium/crypto_stream_chacha20.h \
 	sodium/crypto_stream_salsa20.h \
 	sodium/crypto_stream_salsa2012.h \
 	sodium/crypto_stream_salsa208.h \