rbnacl-libsodium 1.0.7 → 1.0.8

data/vendor/libsodium/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.h

@@ -0,0 +1,160 @@
+#ifndef CURVE25519_REF10_H
+#define CURVE25519_REF10_H
+
+#include <stddef.h>
+#include <stdint.h>
+
+#define fe crypto_core_curve25519_ref10_fe
+typedef int32_t fe[10];
+
+/*
+fe means field element.
+Here the field is \Z/(2^255-19).
+An element t, entries t[0]...t[9], represents the integer
+t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9].
+Bounds on each t[i] vary depending on context.
+*/
+
+#define fe_frombytes crypto_core_curve25519_ref10_fe_frombytes
+#define fe_tobytes crypto_core_curve25519_ref10_fe_tobytes
+#define fe_copy crypto_core_curve25519_ref10_fe_copy
+#define fe_isnonzero crypto_core_curve25519_ref10_fe_isnonzero
+#define fe_isnegative crypto_core_curve25519_ref10_fe_isnegative
+#define fe_0 crypto_core_curve25519_ref10_fe_0
+#define fe_1 crypto_core_curve25519_ref10_fe_1
+#define fe_cmov crypto_core_curve25519_ref10_fe_cmov
+#define fe_add crypto_core_curve25519_ref10_fe_add
+#define fe_sub crypto_core_curve25519_ref10_fe_sub
+#define fe_neg crypto_core_curve25519_ref10_fe_neg
+#define fe_mul crypto_core_curve25519_ref10_fe_mul
+#define fe_sq crypto_core_curve25519_ref10_fe_sq
+#define fe_sq2 crypto_core_curve25519_ref10_fe_sq2
+#define fe_invert crypto_core_curve25519_ref10_fe_invert
+#define fe_pow22523 crypto_core_curve25519_ref10_fe_pow22523
+
+extern void fe_frombytes(fe,const unsigned char *);
+extern void fe_tobytes(unsigned char *,const fe);
+
+extern void fe_copy(fe,const fe);
+extern int fe_isnonzero(const fe);
+extern int fe_isnegative(const fe);
+extern void fe_0(fe);
+extern void fe_1(fe);
+extern void fe_cmov(fe,const fe,unsigned int);
+extern void fe_add(fe,const fe,const fe);
+extern void fe_sub(fe,const fe,const fe);
+extern void fe_neg(fe,const fe);
+extern void fe_mul(fe,const fe,const fe);
+extern void fe_sq(fe,const fe);
+extern void fe_sq2(fe,const fe);
+extern void fe_invert(fe,const fe);
+extern void fe_pow22523(fe,const fe);
+
+/*
+ge means group element.
+
+Here the group is the set of pairs (x,y) of field elements (see fe.h)
+satisfying -x^2 + y^2 = 1 + d x^2y^2
+where d = -121665/121666.
+
+Representations:
+  ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z
+  ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
+  ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
+  ge_precomp (Duif): (y+x,y-x,2dxy)
+*/
+
+#define ge_p2 crypto_core_curve25519_ref10_ge_p2
+typedef struct {
+  fe X;
+  fe Y;
+  fe Z;
+} ge_p2;
+
+#define ge_p3 crypto_core_curve25519_ref10_ge_p3
+typedef struct {
+  fe X;
+  fe Y;
+  fe Z;
+  fe T;
+} ge_p3;
+
+#define ge_p1p1 crypto_core_curve25519_ref10_ge_p1p1
+typedef struct {
+  fe X;
+  fe Y;
+  fe Z;
+  fe T;
+} ge_p1p1;
+
+#define ge_precomp crypto_core_curve25519_ref10_ge_precomp
+typedef struct {
+  fe yplusx;
+  fe yminusx;
+  fe xy2d;
+} ge_precomp;
+
+#define ge_cached crypto_core_curve25519_ref10_ge_cached
+typedef struct {
+  fe YplusX;
+  fe YminusX;
+  fe Z;
+  fe T2d;
+} ge_cached;
+
+#define ge_frombytes_negate_vartime crypto_core_curve25519_ref10_ge_frombytes_negate_vartime
+#define ge_tobytes crypto_core_curve25519_ref10_ge_tobytes
+#define ge_p3_tobytes crypto_core_curve25519_ref10_ge_p3_tobytes
+
+#define ge_p2_0 crypto_core_curve25519_ref10_ge_p2_0
+#define ge_p3_0 crypto_core_curve25519_ref10_ge_p3_0
+#define ge_precomp_0 crypto_core_curve25519_ref10_ge_precomp_0
+#define ge_p3_to_p2 crypto_core_curve25519_ref10_ge_p3_to_p2
+#define ge_p3_to_cached crypto_core_curve25519_ref10_ge_p3_to_cached
+#define ge_p1p1_to_p2 crypto_core_curve25519_ref10_ge_p1p1_to_p2
+#define ge_p1p1_to_p3 crypto_core_curve25519_ref10_ge_p1p1_to_p3
+#define ge_p2_dbl crypto_core_curve25519_ref10_ge_p2_dbl
+#define ge_p3_dbl crypto_core_curve25519_ref10_ge_p3_dbl
+
+#define ge_madd crypto_core_curve25519_ref10_ge_madd
+#define ge_msub crypto_core_curve25519_ref10_ge_msub
+#define ge_add crypto_core_curve25519_ref10_ge_add
+#define ge_sub crypto_core_curve25519_ref10_ge_sub
+#define ge_scalarmult_base crypto_core_curve25519_ref10_ge_scalarmult_base
+#define ge_double_scalarmult_vartime crypto_core_curve25519_ref10_ge_double_scalarmult_vartime
+#define ge_scalarmult_vartime crypto_core_curve25519_ref10_ge_scalarmult_vartime
+
+extern void ge_tobytes(unsigned char *,const ge_p2 *);
+extern void ge_p3_tobytes(unsigned char *,const ge_p3 *);
+extern int ge_frombytes_negate_vartime(ge_p3 *,const unsigned char *);
+
+extern void ge_p2_0(ge_p2 *);
+extern void ge_p3_0(ge_p3 *);
+extern void ge_precomp_0(ge_precomp *);
+extern void ge_p3_to_p2(ge_p2 *,const ge_p3 *);
+extern void ge_p3_to_cached(ge_cached *,const ge_p3 *);
+extern void ge_p1p1_to_p2(ge_p2 *,const ge_p1p1 *);
+extern void ge_p1p1_to_p3(ge_p3 *,const ge_p1p1 *);
+extern void ge_p2_dbl(ge_p1p1 *,const ge_p2 *);
+extern void ge_p3_dbl(ge_p1p1 *,const ge_p3 *);
+
+extern void ge_madd(ge_p1p1 *,const ge_p3 *,const ge_precomp *);
+extern void ge_msub(ge_p1p1 *,const ge_p3 *,const ge_precomp *);
+extern void ge_add(ge_p1p1 *,const ge_p3 *,const ge_cached *);
+extern void ge_sub(ge_p1p1 *,const ge_p3 *,const ge_cached *);
+extern void ge_scalarmult_base(ge_p3 *,const unsigned char *);
+extern void ge_double_scalarmult_vartime(ge_p2 *,const unsigned char *,const ge_p3 *,const unsigned char *);
+extern void ge_scalarmult_vartime(ge_p3 *,const unsigned char *,const ge_p3 *);
+
+/*
+The set of scalars is \Z/l
+where l = 2^252 + 27742317777372353535851937790883648493.
+*/
+
+#define sc_reduce crypto_core_curve25519_ref10_sc_reduce
+#define sc_muladd crypto_core_curve25519_ref10_sc_muladd
+
+extern void sc_reduce(unsigned char *);
+extern void sc_muladd(unsigned char *,const unsigned char *,const unsigned char *,const unsigned char *);
+
+#endif

data/vendor/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-ref.c

@@ -24,7 +24,7 @@
 # if defined(__SIZEOF_INT128__)
 typedef unsigned __int128 uint128_t;
 # else
-typedef unsigned uint128_t __attribute__((mode(TI)));
+typedef unsigned uint128_t __attribute__ ((mode(TI)));
 # endif
 #endif
 
@@ -321,7 +321,7 @@ int blake2b_update( blake2b_state *S, const uint8_t *in, uint64_t inlen )
 int blake2b_final( blake2b_state *S, uint8_t *out, uint8_t outlen )
 {
   if( !outlen || outlen > BLAKE2B_OUTBYTES ) {
-    abort();
+    abort(); /* LCOV_EXCL_LINE */
   }
   if( S->buflen > BLAKE2B_BLOCKBYTES )
   {

data/vendor/libsodium/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c

@@ -271,7 +271,7 @@ crypto_hash_sha256_update(crypto_hash_sha256_state *state,
         in += 64;
         inlen -= 64;
     }
-    memcpy(state->buf, in, inlen);
+    memcpy(state->buf, in, inlen); /* inlen < 64 */
 
     return 0;
 }

data/vendor/libsodium/src/libsodium/crypto_hash/sha512/cp/hash_sha512.c

@@ -291,7 +291,7 @@ crypto_hash_sha512_update(crypto_hash_sha512_state *state,
         src += 128;
         inlen -= 128;
     }
-    memcpy(state->buf, src, inlen);
+    memcpy(state->buf, src, inlen); /* inlen < 128 */
 
     return 0;
 }

data/vendor/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna32.h

@@ -5,7 +5,7 @@
 #if defined(_MSC_VER)
 # define POLY1305_NOINLINE __declspec(noinline)
 #elif defined(__GNUC__)
-# define POLY1305_NOINLINE __attribute__((noinline))
+# define POLY1305_NOINLINE __attribute__ ((noinline))
 #else
 # define POLY1305_NOINLINE
 #endif

data/vendor/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna64.h

@@ -5,7 +5,7 @@
 #if defined(__SIZEOF_INT128__)
 typedef unsigned __int128 uint128_t;
 #else
-typedef unsigned uint128_t __attribute__((mode(TI)));
+typedef unsigned uint128_t __attribute__ ((mode(TI)));
 #endif
 
 #define MUL(out, x, y) out = ((uint128_t)x * y)
@@ -17,7 +17,7 @@ typedef unsigned uint128_t __attribute__((mode(TI)));
 #if defined(_MSC_VER)
 # define POLY1305_NOINLINE __declspec(noinline)
 #elif defined(__GNUC__)
-# define POLY1305_NOINLINE __attribute__((noinline))
+# define POLY1305_NOINLINE __attribute__ ((noinline))
 #else
 # define POLY1305_NOINLINE
 #endif

data/vendor/libsodium/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c

@@ -18,13 +18,13 @@ typedef __m128i xmmi;
 #if defined(__SIZEOF_INT128__)
 typedef unsigned __int128 uint128_t;
 #else
-typedef unsigned uint128_t __attribute__((mode(TI)));
+typedef unsigned uint128_t __attribute__ ((mode(TI)));
 #endif
 
 #if defined(_MSC_VER)
 # define POLY1305_NOINLINE __declspec(noinline)
 #elif defined(__GNUC__)
-# define POLY1305_NOINLINE __attribute__((noinline))
+# define POLY1305_NOINLINE __attribute__ ((noinline))
 #else
 # define POLY1305_NOINLINE
 #endif

data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/donna_c64/curve25519_donna_c64.c

@@ -36,7 +36,7 @@ typedef uint64_t limb;
 typedef limb felem[5];
 // This is a special gcc mode for 128-bit integers. It's implemented on 64-bit
 // platforms only as far as I know.
-typedef unsigned uint128_t __attribute__((mode(TI)));
+typedef unsigned uint128_t __attribute__ ((mode(TI)));
 
 /* Sum two numbers: output += in */
 static inline void

data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c

@@ -0,0 +1,255 @@
+
+#include <stddef.h>
+#include <stdint.h>
+
+#ifndef HAVE_TI_MODE
+
+#include "utils.h"
+#include "x25519_ref10.h"
+#include "../scalarmult_curve25519.h"
+#include "../../../crypto_core/curve25519/ref10/curve25519_ref10.h"
+
+/*
+Replace (f,g) with (g,f) if b == 1;
+replace (f,g) with (f,g) if b == 0.
+
+Preconditions: b in {0,1}.
+*/
+
+static void
+fe_cswap(fe f,fe g,unsigned int b)
+{
+  int32_t f0 = f[0];
+  int32_t f1 = f[1];
+  int32_t f2 = f[2];
+  int32_t f3 = f[3];
+  int32_t f4 = f[4];
+  int32_t f5 = f[5];
+  int32_t f6 = f[6];
+  int32_t f7 = f[7];
+  int32_t f8 = f[8];
+  int32_t f9 = f[9];
+  int32_t g0 = g[0];
+  int32_t g1 = g[1];
+  int32_t g2 = g[2];
+  int32_t g3 = g[3];
+  int32_t g4 = g[4];
+  int32_t g5 = g[5];
+  int32_t g6 = g[6];
+  int32_t g7 = g[7];
+  int32_t g8 = g[8];
+  int32_t g9 = g[9];
+  int32_t x0 = f0 ^ g0;
+  int32_t x1 = f1 ^ g1;
+  int32_t x2 = f2 ^ g2;
+  int32_t x3 = f3 ^ g3;
+  int32_t x4 = f4 ^ g4;
+  int32_t x5 = f5 ^ g5;
+  int32_t x6 = f6 ^ g6;
+  int32_t x7 = f7 ^ g7;
+  int32_t x8 = f8 ^ g8;
+  int32_t x9 = f9 ^ g9;
+  b = (unsigned int) (- (int) b);
+  x0 &= b;
+  x1 &= b;
+  x2 &= b;
+  x3 &= b;
+  x4 &= b;
+  x5 &= b;
+  x6 &= b;
+  x7 &= b;
+  x8 &= b;
+  x9 &= b;
+  f[0] = f0 ^ x0;
+  f[1] = f1 ^ x1;
+  f[2] = f2 ^ x2;
+  f[3] = f3 ^ x3;
+  f[4] = f4 ^ x4;
+  f[5] = f5 ^ x5;
+  f[6] = f6 ^ x6;
+  f[7] = f7 ^ x7;
+  f[8] = f8 ^ x8;
+  f[9] = f9 ^ x9;
+  g[0] = g0 ^ x0;
+  g[1] = g1 ^ x1;
+  g[2] = g2 ^ x2;
+  g[3] = g3 ^ x3;
+  g[4] = g4 ^ x4;
+  g[5] = g5 ^ x5;
+  g[6] = g6 ^ x6;
+  g[7] = g7 ^ x7;
+  g[8] = g8 ^ x8;
+  g[9] = g9 ^ x9;
+}
+
+/*
+h = f * 121666
+Can overlap h with f.
+
+Preconditions:
+   |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
+
+Postconditions:
+   |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
+*/
+
+static void
+fe_mul121666(fe h,const fe f)
+{
+  int32_t f0 = f[0];
+  int32_t f1 = f[1];
+  int32_t f2 = f[2];
+  int32_t f3 = f[3];
+  int32_t f4 = f[4];
+  int32_t f5 = f[5];
+  int32_t f6 = f[6];
+  int32_t f7 = f[7];
+  int32_t f8 = f[8];
+  int32_t f9 = f[9];
+  int64_t h0 = f0 * (int64_t) 121666;
+  int64_t h1 = f1 * (int64_t) 121666;
+  int64_t h2 = f2 * (int64_t) 121666;
+  int64_t h3 = f3 * (int64_t) 121666;
+  int64_t h4 = f4 * (int64_t) 121666;
+  int64_t h5 = f5 * (int64_t) 121666;
+  int64_t h6 = f6 * (int64_t) 121666;
+  int64_t h7 = f7 * (int64_t) 121666;
+  int64_t h8 = f8 * (int64_t) 121666;
+  int64_t h9 = f9 * (int64_t) 121666;
+  int64_t carry0;
+  int64_t carry1;
+  int64_t carry2;
+  int64_t carry3;
+  int64_t carry4;
+  int64_t carry5;
+  int64_t carry6;
+  int64_t carry7;
+  int64_t carry8;
+  int64_t carry9;
+
+  carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
+  carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
+  carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
+  carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
+  carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
+
+  carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
+  carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
+  carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
+  carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
+  carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
+
+  h[0] = h0;
+  h[1] = h1;
+  h[2] = h2;
+  h[3] = h3;
+  h[4] = h4;
+  h[5] = h5;
+  h[6] = h6;
+  h[7] = h7;
+  h[8] = h8;
+  h[9] = h9;
+}
+
+static int
+crypto_scalarmult_curve25519_ref10(unsigned char *q,
+                                   const unsigned char *n,
+                                   const unsigned char *p)
+{
+  unsigned char e[32];
+  unsigned int i;
+  fe x1;
+  fe x2;
+  fe z2;
+  fe x3;
+  fe z3;
+  fe tmp0;
+  fe tmp1;
+  int pos;
+  unsigned int swap;
+  unsigned int b;
+
+  for (i = 0;i < 32;++i) e[i] = n[i];
+  e[0] &= 248;
+  e[31] &= 127;
+  e[31] |= 64;
+  fe_frombytes(x1,p);
+  fe_1(x2);
+  fe_0(z2);
+  fe_copy(x3,x1);
+  fe_1(z3);
+
+  swap = 0;
+  for (pos = 254;pos >= 0;--pos) {
+    b = e[pos / 8] >> (pos & 7);
+    b &= 1;
+    swap ^= b;
+    fe_cswap(x2,x3,swap);
+    fe_cswap(z2,z3,swap);
+    swap = b;
+    fe_sub(tmp0,x3,z3);
+    fe_sub(tmp1,x2,z2);
+    fe_add(x2,x2,z2);
+    fe_add(z2,x3,z3);
+    fe_mul(z3,tmp0,x2);
+    fe_mul(z2,z2,tmp1);
+    fe_sq(tmp0,tmp1);
+    fe_sq(tmp1,x2);
+    fe_add(x3,z3,z2);
+    fe_sub(z2,z3,z2);
+    fe_mul(x2,tmp1,tmp0);
+    fe_sub(tmp1,tmp1,tmp0);
+    fe_sq(z2,z2);
+    fe_mul121666(z3,tmp1);
+    fe_sq(x3,x3);
+    fe_add(tmp0,tmp0,z3);
+    fe_mul(z3,x1,z2);
+    fe_mul(z2,tmp1,tmp0);
+  }
+  fe_cswap(x2,x3,swap);
+  fe_cswap(z2,z3,swap);
+
+  fe_invert(z2,z2);
+  fe_mul(x2,x2,z2);
+  fe_tobytes(q,x2);
+  return 0;
+}
+
+static void
+edwards_to_montgomery(fe montgomeryX, const fe edwardsY, const fe edwardsZ)
+{
+  fe tempX;
+  fe tempZ;
+
+  fe_add(tempX, edwardsZ, edwardsY);
+  fe_sub(tempZ, edwardsZ, edwardsY);
+  fe_invert(tempZ, tempZ);
+  fe_mul(montgomeryX, tempX, tempZ);
+}
+
+static int
+crypto_scalarmult_curve25519_ref10_base(unsigned char *q,
+                                        const unsigned char *n)
+{
+  unsigned char e[32];
+  ge_p3 A;
+  fe pk;
+  unsigned int i;
+
+  for (i = 0;i < 32;++i) e[i] = n[i];
+  e[0] &= 248;
+  e[31] &= 127;
+  e[31] |= 64;
+  ge_scalarmult_base(&A, e);
+  edwards_to_montgomery(pk, A.Y, A.Z);
+  fe_tobytes(q, pk);
+  return 0;
+}
+
+struct crypto_scalarmult_curve25519_implementation
+crypto_scalarmult_curve25519_ref10_implementation = {
+        SODIUM_C99(.mult = ) crypto_scalarmult_curve25519_ref10,
+        SODIUM_C99(.mult_base = ) crypto_scalarmult_curve25519_ref10_base
+};
+
+#endif