RubyGems - rbnacl-libsodium - Versions diffs - 1.0.15.1 → 1.0.16 - Mend

rbnacl-libsodium 1.0.15.1 → 1.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/donna_c64/curve25519_donna_c64.c DELETED

@@ -1,545 +0,0 @@
-/* Copyright 2008, Google Inc.
- * All rights reserved.
- *
- * Code released into the public domain.
- *
- * curve25519-donna: Curve25519 elliptic curve, public key function
- *
- * http://code.google.com/p/curve25519-donna/
- *
- * Adam Langley <agl@imperialviolet.org>
- * Parts optimised by floodyberry
- * Derived from public domain C code by Daniel J. Bernstein <djb@cr.yp.to>
- *
- * More information about curve25519 can be found here
- *   http://cr.yp.to/ecdh.html
- *
- * djb's sample implementation of curve25519 is written in a special assembly
- * language called qhasm and uses the floating point registers.
- *
- * This is, almost, a clean room reimplementation from the curve25519 paper. It
- * uses many of the tricks described therein. Only the crecip function is taken
- * from the sample implementation.
- */
-#include <stdint.h>
-#include <string.h>
-#ifdef HAVE_TI_MODE
-#include "../scalarmult_curve25519.h"
-#include "curve25519_donna_c64.h"
-#include "utils.h"
-typedef uint8_t u8;
-typedef uint64_t limb;
-typedef limb felem[5];
-/* Special gcc mode for 128-bit integers */
-typedef unsigned uint128_t __attribute__((mode(TI)));
-/* Sum two numbers: output += in */
-static inline void
-fsum(limb *output, const limb *in)
-{
-    output[0] += in[0];
-    output[1] += in[1];
-    output[2] += in[2];
-    output[3] += in[3];
-    output[4] += in[4];
-}
-/* Find the difference of two numbers: output = in - output
- * (note the order of the arguments!)
- *
- * Assumes that out[i] < 2**52
- * On return, out[i] < 2**55
- */
-static inline void
-fdifference_backwards(felem out, const felem in)
-{
-    /* 152 is 19 << 3 */
-    static const limb two54m152 = (((limb)1) << 54) - 152;
-    static const limb two54m8 = (((limb)1) << 54) - 8;
-    out[0] = in[0] + two54m152 - out[0];
-    out[1] = in[1] + two54m8 - out[1];
-    out[2] = in[2] + two54m8 - out[2];
-    out[3] = in[3] + two54m8 - out[3];
-    out[4] = in[4] + two54m8 - out[4];
-}
-/* Multiply a number by a scalar: output = in * scalar */
-static inline void
-fscalar_product(felem output, const felem in, const limb scalar)
-{
-    uint128_t a;
-    a = in[0] * (uint128_t)scalar;
-    output[0] = ((limb)a) & 0x7ffffffffffff;
-    a = in[1] * (uint128_t)scalar + ((limb)(a >> 51));
-    output[1] = ((limb)a) & 0x7ffffffffffff;
-    a = in[2] * (uint128_t)scalar + ((limb)(a >> 51));
-    output[2] = ((limb)a) & 0x7ffffffffffff;
-    a = in[3] * (uint128_t)scalar + ((limb)(a >> 51));
-    output[3] = ((limb)a) & 0x7ffffffffffff;
-    a = in[4] * (uint128_t)scalar + ((limb)(a >> 51));
-    output[4] = ((limb)a) & 0x7ffffffffffff;
-    output[0] += (a >> 51) * 19;
-}
-/* Multiply two numbers: output = in2 * in
- *
- * output must be distinct to both inputs. The inputs are reduced coefficient
- * form, the output is not.
- *
- * Assumes that in[i] < 2**55 and likewise for in2.
- * On return, output[i] < 2**52
- */
-static inline void
-fmul(felem output, const felem in2, const felem in)
-{
-    uint128_t t[5];
-    limb      r0, r1, r2, r3, r4, s0, s1, s2, s3, s4, c;
-    r0 = in[0];
-    r1 = in[1];
-    r2 = in[2];
-    r3 = in[3];
-    r4 = in[4];
-    s0 = in2[0];
-    s1 = in2[1];
-    s2 = in2[2];
-    s3 = in2[3];
-    s4 = in2[4];
-    t[0] = ((uint128_t)r0) * s0;
-    t[1] = ((uint128_t)r0) * s1 + ((uint128_t)r1) * s0;
-    t[2] = ((uint128_t)r0) * s2 + ((uint128_t)r2) * s0 + ((uint128_t)r1) * s1;
-    t[3] = ((uint128_t)r0) * s3 + ((uint128_t)r3) * s0 + ((uint128_t)r1) * s2
-           + ((uint128_t)r2) * s1;
-    t[4] = ((uint128_t)r0) * s4 + ((uint128_t)r4) * s0 + ((uint128_t)r3) * s1
-           + ((uint128_t)r1) * s3 + ((uint128_t)r2) * s2;
-    r4 *= 19;
-    r1 *= 19;
-    r2 *= 19;
-    r3 *= 19;
-    t[0] += ((uint128_t)r4) * s1 + ((uint128_t)r1) * s4 + ((uint128_t)r2) * s3
-            + ((uint128_t)r3) * s2;
-    t[1] += ((uint128_t)r4) * s2 + ((uint128_t)r2) * s4 + ((uint128_t)r3) * s3;
-    t[2] += ((uint128_t)r4) * s3 + ((uint128_t)r3) * s4;
-    t[3] += ((uint128_t)r4) * s4;
-    r0 = (limb)t[0] & 0x7ffffffffffff;
-    c = (limb)(t[0] >> 51);
-    t[1] += c;
-    r1 = (limb)t[1] & 0x7ffffffffffff;
-    c = (limb)(t[1] >> 51);
-    t[2] += c;
-    r2 = (limb)t[2] & 0x7ffffffffffff;
-    c = (limb)(t[2] >> 51);
-    t[3] += c;
-    r3 = (limb)t[3] & 0x7ffffffffffff;
-    c = (limb)(t[3] >> 51);
-    t[4] += c;
-    r4 = (limb)t[4] & 0x7ffffffffffff;
-    c = (limb)(t[4] >> 51);
-    r0 += c * 19;
-    c = r0 >> 51;
-    r0 = r0 & 0x7ffffffffffff;
-    r1 += c;
-    c = r1 >> 51;
-    r1 = r1 & 0x7ffffffffffff;
-    r2 += c;
-    output[0] = r0;
-    output[1] = r1;
-    output[2] = r2;
-    output[3] = r3;
-    output[4] = r4;
-}
-static inline void
-fsquare_times(felem output, const felem in, limb count)
-{
-    uint128_t t[5];
-    limb      r0, r1, r2, r3, r4, c;
-    limb      d0, d1, d2, d4, d419;
-    r0 = in[0];
-    r1 = in[1];
-    r2 = in[2];
-    r3 = in[3];
-    r4 = in[4];
-    do {
-        d0 = r0 * 2;
-        d1 = r1 * 2;
-        d2 = r2 * 2 * 19;
-        d419 = r4 * 19;
-        d4 = d419 * 2;
-        t[0] = ((uint128_t)r0) * r0 + ((uint128_t)d4) * r1
-               + (((uint128_t)d2) * (r3));
-        t[1] = ((uint128_t)d0) * r1 + ((uint128_t)d4) * r2
-               + (((uint128_t)r3) * (r3 * 19));
-        t[2] = ((uint128_t)d0) * r2 + ((uint128_t)r1) * r1
-               + (((uint128_t)d4) * (r3));
-        t[3] = ((uint128_t)d0) * r3 + ((uint128_t)d1) * r2
-               + (((uint128_t)r4) * (d419));
-        t[4] = ((uint128_t)d0) * r4 + ((uint128_t)d1) * r3
-               + (((uint128_t)r2) * (r2));
-        r0 = (limb)t[0] & 0x7ffffffffffff;
-        c = (limb)(t[0] >> 51);
-        t[1] += c;
-        r1 = (limb)t[1] & 0x7ffffffffffff;
-        c = (limb)(t[1] >> 51);
-        t[2] += c;
-        r2 = (limb)t[2] & 0x7ffffffffffff;
-        c = (limb)(t[2] >> 51);
-        t[3] += c;
-        r3 = (limb)t[3] & 0x7ffffffffffff;
-        c = (limb)(t[3] >> 51);
-        t[4] += c;
-        r4 = (limb)t[4] & 0x7ffffffffffff;
-        c = (limb)(t[4] >> 51);
-        r0 += c * 19;
-        c = r0 >> 51;
-        r0 = r0 & 0x7ffffffffffff;
-        r1 += c;
-        c = r1 >> 51;
-        r1 = r1 & 0x7ffffffffffff;
-        r2 += c;
-    } while (--count);
-    output[0] = r0;
-    output[1] = r1;
-    output[2] = r2;
-    output[3] = r3;
-    output[4] = r4;
-}
-#ifdef NATIVE_LITTLE_ENDIAN
-static inline limb
-load_limb(const u8 *in)
-{
-    limb out;
-    memcpy(&out, in, sizeof(limb));
-    return out;
-}
-static inline void
-store_limb(u8 *out, limb in)
-{
-    memcpy(out, &in, sizeof(limb));
-}
-#else
-static inline limb
-load_limb(const u8 *in)
-{
-    return ((limb)in[0]) | (((limb)in[1]) << 8) | (((limb)in[2]) << 16)
-           | (((limb)in[3]) << 24) | (((limb)in[4]) << 32)
-           | (((limb)in[5]) << 40) | (((limb)in[6]) << 48)
-           | (((limb)in[7]) << 56);
-}
-static inline void
-store_limb(u8 *out, limb in)
-{
-    out[0] = in & 0xff;
-    out[1] = (in >> 8) & 0xff;
-    out[2] = (in >> 16) & 0xff;
-    out[3] = (in >> 24) & 0xff;
-    out[4] = (in >> 32) & 0xff;
-    out[5] = (in >> 40) & 0xff;
-    out[6] = (in >> 48) & 0xff;
-    out[7] = (in >> 56) & 0xff;
-}
-#endif
-/* Take a little-endian, 32-byte number and expand it into polynomial form */
-static void
-fexpand(limb *output, const u8 *in)
-{
-    output[0] = load_limb(in) & 0x7ffffffffffff;
-    output[1] = (load_limb(in + 6) >> 3) & 0x7ffffffffffff;
-    output[2] = (load_limb(in + 12) >> 6) & 0x7ffffffffffff;
-    output[3] = (load_limb(in + 19) >> 1) & 0x7ffffffffffff;
-    output[4] = (load_limb(in + 24) >> 12) & 0x7ffffffffffff;
-}
-/* Take a fully reduced polynomial form number and contract it into a
- * little-endian, 32-byte array
- */
-static void
-fcontract(u8 *output, const felem input)
-{
-    uint128_t t[5];
-    t[0] = input[0];
-    t[1] = input[1];
-    t[2] = input[2];
-    t[3] = input[3];
-    t[4] = input[4];
-    t[1] += t[0] >> 51;
-    t[0] &= 0x7ffffffffffff;
-    t[2] += t[1] >> 51;
-    t[1] &= 0x7ffffffffffff;
-    t[3] += t[2] >> 51;
-    t[2] &= 0x7ffffffffffff;
-    t[4] += t[3] >> 51;
-    t[3] &= 0x7ffffffffffff;
-    t[0] += 19 * (t[4] >> 51);
-    t[4] &= 0x7ffffffffffff;
-    t[1] += t[0] >> 51;
-    t[0] &= 0x7ffffffffffff;
-    t[2] += t[1] >> 51;
-    t[1] &= 0x7ffffffffffff;
-    t[3] += t[2] >> 51;
-    t[2] &= 0x7ffffffffffff;
-    t[4] += t[3] >> 51;
-    t[3] &= 0x7ffffffffffff;
-    t[0] += 19 * (t[4] >> 51);
-    t[4] &= 0x7ffffffffffff;
-    /* now t is between 0 and 2^255-1, properly carried. */
-    /* case 1: between 0 and 2^255-20. case 2: between 2^255-19 and 2^255-1. */
-    t[0] += 19;
-    t[1] += t[0] >> 51;
-    t[0] &= 0x7ffffffffffff;
-    t[2] += t[1] >> 51;
-    t[1] &= 0x7ffffffffffff;
-    t[3] += t[2] >> 51;
-    t[2] &= 0x7ffffffffffff;
-    t[4] += t[3] >> 51;
-    t[3] &= 0x7ffffffffffff;
-    t[0] += 19 * (t[4] >> 51);
-    t[4] &= 0x7ffffffffffff;
-    /* now between 19 and 2^255-1 in both cases, and offset by 19. */
-    t[0] += 0x8000000000000 - 19;
-    t[1] += 0x8000000000000 - 1;
-    t[2] += 0x8000000000000 - 1;
-    t[3] += 0x8000000000000 - 1;
-    t[4] += 0x8000000000000 - 1;
-    /* now between 2^255 and 2^256-20, and offset by 2^255. */
-    t[1] += t[0] >> 51;
-    t[0] &= 0x7ffffffffffff;
-    t[2] += t[1] >> 51;
-    t[1] &= 0x7ffffffffffff;
-    t[3] += t[2] >> 51;
-    t[2] &= 0x7ffffffffffff;
-    t[4] += t[3] >> 51;
-    t[3] &= 0x7ffffffffffff;
-    t[4] &= 0x7ffffffffffff;
-    store_limb(output, t[0] | (t[1] << 51));
-    store_limb(output + 8, (t[1] >> 13) | (t[2] << 38));
-    store_limb(output + 16, (t[2] >> 26) | (t[3] << 25));
-    store_limb(output + 24, (t[3] >> 39) | (t[4] << 12));
-}
-/* Input: Q, Q', Q-Q'
- * Output: 2Q, Q+Q'
- *
- *   x2 z2: long form
- *   x3 z3: long form
- *   x z: short form, destroyed
- *   xprime zprime: short form, destroyed
- *   qmqp: short form, preserved
- */
-static void
-fmonty(limb *x2, limb *z2,         /* output 2Q */
-       limb *x3, limb *z3,         /* output Q + Q' */
-       limb *x, limb *z,           /* input Q */
-       limb *xprime, limb *zprime, /* input Q' */
-       const limb *qmqp /* input Q - Q' */)
-{
-    limb origx[5], origxprime[5], zzz[5], xx[5], zz[5], xxprime[5], zzprime[5],
-        zzzprime[5];
-    memcpy(origx, x, 5 * sizeof(limb));
-    fsum(x, z);
-    fdifference_backwards(z, origx); /* does x - z */
-    memcpy(origxprime, xprime, sizeof(limb) * 5);
-    fsum(xprime, zprime);
-    fdifference_backwards(zprime, origxprime);
-    fmul(xxprime, xprime, z);
-    fmul(zzprime, x, zprime);
-    memcpy(origxprime, xxprime, sizeof(limb) * 5);
-    fsum(xxprime, zzprime);
-    fdifference_backwards(zzprime, origxprime);
-    fsquare_times(x3, xxprime, 1);
-    fsquare_times(zzzprime, zzprime, 1);
-    fmul(z3, zzzprime, qmqp);
-    fsquare_times(xx, x, 1);
-    fsquare_times(zz, z, 1);
-    fmul(x2, xx, zz);
-    fdifference_backwards(zz, xx); /* does zz = xx - zz */
-    fscalar_product(zzz, zz, 121665);
-    fsum(zzz, xx);
-    fmul(z2, zz, zzz);
-}
-/* -----------------------------------------------------------------------------
-   Maybe swap the contents of two limb arrays (@a and @b), each @len elements
-   long. Perform the swap iff @swap is non-zero.
-   This function performs the swap without leaking any side-channel
-   information.
-   -----------------------------------------------------------------------------
-   */
-static void
-swap_conditional(limb a[5], limb b[5], limb iswap)
-{
-    const limb swap = -iswap;
-    unsigned   i;
-    for (i = 0; i < 5; ++i) {
-        const limb x = swap & (a[i] ^ b[i]);
-        a[i] ^= x;
-        b[i] ^= x;
-    }
-}
-/* Calculates nQ where Q is the x-coordinate of a point on the curve
- *
- *   resultx/resultz: the x coordinate of the resulting curve point (short form)
- *   n: a little endian, 32-byte number
- *   q: a point of the curve (short form)
- */
-static void
-cmult(limb *resultx, limb *resultz, const u8 *n, const limb *q)
-{
-    limb a[5] = { 0 }, b[5] = { 1 }, c[5] = { 1 }, d[5] = { 0 };
-    limb *nqpqx = a, *nqpqz = b, *nqx = c, *nqz = d, *t;
-    limb e[5] = { 0 }, f[5] = { 1 }, g[5] = { 0 }, h[5] = { 1 };
-    limb *nqpqx2 = e, *nqpqz2 = f, *nqx2 = g, *nqz2 = h;
-    unsigned i, j;
-    memcpy(nqpqx, q, sizeof(limb) * 5);
-    for (i = 0; i < 32; ++i) {
-        u8 byte = n[31 - i];
-        for (j = 0; j < 8; ++j) {
-            const limb bit = byte >> 7;
-            swap_conditional(nqx, nqpqx, bit);
-            swap_conditional(nqz, nqpqz, bit);
-            fmonty(nqx2, nqz2, nqpqx2, nqpqz2, nqx, nqz, nqpqx, nqpqz, q);
-            swap_conditional(nqx2, nqpqx2, bit);
-            swap_conditional(nqz2, nqpqz2, bit);
-            t = nqx;
-            nqx = nqx2;
-            nqx2 = t;
-            t = nqz;
-            nqz = nqz2;
-            nqz2 = t;
-            t = nqpqx;
-            nqpqx = nqpqx2;
-            nqpqx2 = t;
-            t = nqpqz;
-            nqpqz = nqpqz2;
-            nqpqz2 = t;
-            byte <<= 1;
-        }
-    }
-    memcpy(resultx, nqx, sizeof(limb) * 5);
-    memcpy(resultz, nqz, sizeof(limb) * 5);
-}
-/* -----------------------------------------------------------------------------
-   Shamelessly copied from djb's code, tightened a little
-   -----------------------------------------------------------------------------
-   */
-static void
-crecip(felem out, const felem z)
-{
-    felem a, t0, b, c;
-    /* 2 */ fsquare_times(a, z, 1); /* a = 2 */
-    /* 8 */ fsquare_times(t0, a, 2);
-    /* 9 */ fmul(b, t0, z); /* b = 9 */
-    /* 11 */ fmul(a, b, a); /* a = 11 */
-    /* 22 */ fsquare_times(t0, a, 1);
-    /* 2^5 - 2^0 = 31 */ fmul(b, t0, b);
-    /* 2^10 - 2^5 */ fsquare_times(t0, b, 5);
-    /* 2^10 - 2^0 */ fmul(b, t0, b);
-    /* 2^20 - 2^10 */ fsquare_times(t0, b, 10);
-    /* 2^20 - 2^0 */ fmul(c, t0, b);
-    /* 2^40 - 2^20 */ fsquare_times(t0, c, 20);
-    /* 2^40 - 2^0 */ fmul(t0, t0, c);
-    /* 2^50 - 2^10 */ fsquare_times(t0, t0, 10);
-    /* 2^50 - 2^0 */ fmul(b, t0, b);
-    /* 2^100 - 2^50 */ fsquare_times(t0, b, 50);
-    /* 2^100 - 2^0 */ fmul(c, t0, b);
-    /* 2^200 - 2^100 */ fsquare_times(t0, c, 100);
-    /* 2^200 - 2^0 */ fmul(t0, t0, c);
-    /* 2^250 - 2^50 */ fsquare_times(t0, t0, 50);
-    /* 2^250 - 2^0 */ fmul(t0, t0, b);
-    /* 2^255 - 2^5 */ fsquare_times(t0, t0, 5);
-    /* 2^255 - 21 */ fmul(out, t0, a);
-}
-static const unsigned char basepoint[32] = { 9 };
-static int
-crypto_scalarmult_curve25519_donna_c64(unsigned char *mypublic,
-                                       const unsigned char *secret,
-                                       const unsigned char *basepoint)
-{
-    limb    bp[5], x[5], z[5], zmone[5];
-    uint8_t e[32];
-    int     i;
-    for (i = 0; i < 32; ++i) {
-        e[i] = secret[i];
-    }
-    e[0] &= 248;
-    e[31] &= 127;
-    e[31] |= 64;
-    fexpand(bp, basepoint);
-    cmult(x, z, e, bp);
-    crecip(zmone, z);
-    fmul(z, x, zmone);
-    fcontract(mypublic, z);
-    return 0;
-}
-static int
-crypto_scalarmult_curve25519_donna_c64_base(unsigned char *q,
-                                            const unsigned char *n)
-{
-    return crypto_scalarmult_curve25519_donna_c64(q, n, basepoint);
-}
-struct crypto_scalarmult_curve25519_implementation
-    crypto_scalarmult_curve25519_donna_c64_implementation = {
-        SODIUM_C99(.mult =) crypto_scalarmult_curve25519_donna_c64,
-        SODIUM_C99(.mult_base =) crypto_scalarmult_curve25519_donna_c64_base
-    };
-#endif