diff options
author | Dubslow <bunslow@gmail.com> | 2014-09-09 12:23:09 -0500 |
---|---|---|
committer | Dubslow <bunslow@gmail.com> | 2014-09-09 12:23:09 -0500 |
commit | 7eb7e68805aa795dcb6dbd1a35113ce703e24267 (patch) | |
tree | 4a8753004403e48d42a7924ad1933a7dfe2e9003 | |
parent | 46e03c4c2beaf01ec5a6bc090b80fae7bf1da2a0 (diff) |
compiling against nacl seems to break VANILLA_NACL...
23 files changed, 2309 insertions, 145 deletions
diff --git a/build/Makefile.am b/build/Makefile.am index c2667d5d..c0e59645 100644 --- a/build/Makefile.am +++ b/build/Makefile.am | |||
@@ -6,6 +6,7 @@ EXTRA_DIST= | |||
6 | 6 | ||
7 | include ../toxcore/Makefile.inc | 7 | include ../toxcore/Makefile.inc |
8 | include ../toxdns/Makefile.inc | 8 | include ../toxdns/Makefile.inc |
9 | include ../toxencryptsave/Makefile.inc | ||
9 | include ../toxav/Makefile.inc | 10 | include ../toxav/Makefile.inc |
10 | include ../other/Makefile.inc | 11 | include ../other/Makefile.inc |
11 | include ../testing/Makefile.inc | 12 | include ../testing/Makefile.inc |
diff --git a/libtoxcore.pc.in b/libtoxcore.pc.in index a91a1fb7..57a7469e 100644 --- a/libtoxcore.pc.in +++ b/libtoxcore.pc.in | |||
@@ -7,5 +7,5 @@ Name: libtoxcore | |||
7 | Description: Tox protocol library | 7 | Description: Tox protocol library |
8 | Requires: | 8 | Requires: |
9 | Version: @PACKAGE_VERSION@ | 9 | Version: @PACKAGE_VERSION@ |
10 | Libs: @NACL_OBJECTS_PKGCONFIG@ -L${libdir} @NACL_LDFLAGS@ -ltoxdns -ltoxcore @NACL_LIBS@ @LIBS@ @MATH_LDFLAGS@ | 10 | Libs: @NACL_OBJECTS_PKGCONFIG@ -L${libdir} @NACL_LDFLAGS@ -ltoxdns -ltoxencryptsave -ltoxcore @NACL_LIBS@ @LIBS@ @MATH_LDFLAGS@ |
11 | Cflags: -I${includedir} | 11 | Cflags: -I${includedir} |
diff --git a/toxcore/tox.c b/toxcore/tox.c index 12145a09..b2aadd39 100644 --- a/toxcore/tox.c +++ b/toxcore/tox.c | |||
@@ -928,119 +928,3 @@ int tox_load(Tox *tox, const uint8_t *data, uint32_t length) | |||
928 | Messenger *m = tox; | 928 | Messenger *m = tox; |
929 | return messenger_load(m, data, length); | 929 | return messenger_load(m, data, length); |
930 | } | 930 | } |
931 | |||
932 | #ifndef VANILLA_NACL | ||
933 | /* Only sodium has the necessary functions for this | ||
934 | * Clients should consider alerting their users that, unlike plain data, if even one bit | ||
935 | * becomes corrupted, the data will be entirely unrecoverable. | ||
936 | * Ditto if they forget their password, there is no way to recover the data. | ||
937 | */ | ||
938 | |||
939 | /* return size of the messenger data (for encrypted saving). */ | ||
940 | uint32_t tox_encrypted_size(const Tox *tox) | ||
941 | { | ||
942 | return tox_size(tox) + crypto_box_MACBYTES + crypto_box_NONCEBYTES | ||
943 | + crypto_pwhash_scryptsalsa208sha256_SALTBYTES; | ||
944 | } | ||
945 | |||
946 | /* Save the messenger data encrypted with the given password. | ||
947 | * data must be at least tox_encrypted_size(). | ||
948 | * | ||
949 | * returns 0 on success | ||
950 | * returns -1 on failure | ||
951 | */ | ||
952 | int tox_encrypted_save(const Tox *tox, uint8_t *data, uint8_t *passphrase, uint32_t pplength) | ||
953 | { | ||
954 | if (pplength == 0) | ||
955 | return -1; | ||
956 | |||
957 | /* First derive a key from the password */ | ||
958 | /* http://doc.libsodium.org/key_derivation/README.html */ | ||
959 | /* note that, according to the documentation, a generic pwhash interface will be created | ||
960 | * once the pwhash competition (https://password-hashing.net/) is over */ | ||
961 | uint8_t salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES]; | ||
962 | uint8_t key[crypto_box_KEYBYTES]; | ||
963 | randombytes_buf(salt, sizeof salt); | ||
964 | |||
965 | if (crypto_pwhash_scryptsalsa208sha256( | ||
966 | key, sizeof(key), passphrase, pplength, salt, | ||
967 | crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE * 2, /* slightly stronger */ | ||
968 | crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE) != 0) | ||
969 | { /* out of memory most likely */ | ||
970 | return -1; | ||
971 | } | ||
972 | sodium_memzero(passphrase, pplength); /* wipe plaintext pw */ | ||
973 | |||
974 | /* next get plain save data */ | ||
975 | uint32_t temp_size = tox_size(tox); | ||
976 | uint8_t temp_data[temp_size]; | ||
977 | tox_save(tox, temp_data); | ||
978 | |||
979 | /* now encrypt. | ||
980 | * the output data consists of, in order: | ||
981 | * salt, nonce, mac, enc_data | ||
982 | * where the mac is automatically prepended by the encrypt() | ||
983 | * the salt+nonce is called the prefix | ||
984 | * I'm not sure what else I'm supposed to do with the salt and nonce, since we | ||
985 | * need them to decrypt the data | ||
986 | */ | ||
987 | uint32_t prefix_size = crypto_box_NONCEBYTES+crypto_pwhash_scryptsalsa208sha256_SALTBYTES; | ||
988 | |||
989 | uint8_t nonce[crypto_box_NONCEBYTES]; | ||
990 | random_nonce(nonce); | ||
991 | |||
992 | if (encrypt_data_symmetric(key, nonce, temp_data, temp_size, data + prefix_size) | ||
993 | != temp_size + crypto_box_MACBYTES) | ||
994 | { | ||
995 | return -1; | ||
996 | } | ||
997 | |||
998 | /* add the prefix */ | ||
999 | memcpy(data, salt, crypto_pwhash_scryptsalsa208sha256_SALTBYTES); | ||
1000 | memcpy(data + crypto_pwhash_scryptsalsa208sha256_SALTBYTES, nonce, crypto_box_NONCEBYTES); | ||
1001 | |||
1002 | return 0; | ||
1003 | } | ||
1004 | |||
1005 | /* Load the messenger from encrypted data of size length. | ||
1006 | * | ||
1007 | * returns 0 on success | ||
1008 | * returns -1 on failure | ||
1009 | */ | ||
1010 | int tox_encrypted_load(Tox *tox, const uint8_t *data, uint32_t length, uint8_t *passphrase, uint32_t pplength) | ||
1011 | { | ||
1012 | if (length <= crypto_box_MACBYTES + crypto_box_NONCEBYTES + crypto_pwhash_scryptsalsa208sha256_SALTBYTES) | ||
1013 | return -1; | ||
1014 | |||
1015 | uint32_t decrypt_length = length - crypto_box_MACBYTES - crypto_box_NONCEBYTES | ||
1016 | - crypto_pwhash_scryptsalsa208sha256_SALTBYTES; | ||
1017 | uint8_t salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES]; | ||
1018 | uint8_t nonce[crypto_box_NONCEBYTES]; | ||
1019 | |||
1020 | memcpy(salt, data, crypto_pwhash_scryptsalsa208sha256_SALTBYTES); | ||
1021 | memcpy(nonce, data + crypto_pwhash_scryptsalsa208sha256_SALTBYTES, crypto_box_NONCEBYTES); | ||
1022 | |||
1023 | /* derive the key */ | ||
1024 | uint8_t key[crypto_box_KEYBYTES]; | ||
1025 | if (crypto_pwhash_scryptsalsa208sha256( | ||
1026 | key, sizeof(key), passphrase, pplength, salt, | ||
1027 | crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE * 2, /* slightly stronger */ | ||
1028 | crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE) != 0) | ||
1029 | { /* out of memory most likely */ | ||
1030 | return -1; | ||
1031 | } | ||
1032 | sodium_memzero(passphrase, pplength); /* wipe plaintext pw */ | ||
1033 | |||
1034 | /* decrypt the data */ | ||
1035 | uint8_t temp_data[decrypt_length]; | ||
1036 | if (decrypt_data_symmetric(key, nonce, data+crypto_pwhash_scryptsalsa208sha256_SALTBYTES+crypto_box_NONCEBYTES, | ||
1037 | decrypt_length + crypto_box_MACBYTES, temp_data) | ||
1038 | != decrypt_length) | ||
1039 | { | ||
1040 | return -1; | ||
1041 | } | ||
1042 | |||
1043 | return tox_load(tox, temp_data, decrypt_length); | ||
1044 | } | ||
1045 | |||
1046 | #endif /* #ifndef VANILLA_NACL */ | ||
diff --git a/toxcore/tox.h b/toxcore/tox.h index c457fea5..1f251085 100644 --- a/toxcore/tox.h +++ b/toxcore/tox.h | |||
@@ -723,34 +723,6 @@ void tox_save(const Tox *tox, uint8_t *data); | |||
723 | */ | 723 | */ |
724 | int tox_load(Tox *tox, const uint8_t *data, uint32_t length); | 724 | int tox_load(Tox *tox, const uint8_t *data, uint32_t length); |
725 | 725 | ||
726 | #ifndef VANILLA_NACL | ||
727 | /* Only sodium has the necessary functions for this | ||
728 | * Clients should consider alerting their users that, unlike plain data, if even one bit | ||
729 | * becomes corrupted, the data will be entirely unrecoverable. | ||
730 | * Ditto if they forget their password, there is no way to recover the data. | ||
731 | */ | ||
732 | |||
733 | /* return size of the messenger data (for encrypted saving). */ | ||
734 | uint32_t tox_encrypted_size(const Tox *tox); | ||
735 | |||
736 | /* Save the messenger data encrypted with the given password. | ||
737 | * data must be at least tox_encrypted_size(). | ||
738 | * | ||
739 | * returns 0 on success | ||
740 | * returns -1 on failure | ||
741 | */ | ||
742 | int tox_encrypted_save(const Tox *tox, uint8_t *data, uint8_t *passphrase, uint32_t pplength); | ||
743 | |||
744 | /* Load the messenger from encrypted data of size length. | ||
745 | * | ||
746 | * returns 0 on success | ||
747 | * returns -1 on failure | ||
748 | */ | ||
749 | int tox_encrypted_load(Tox *tox, const uint8_t *data, uint32_t length, uint8_t *passphrase, uint32_t pplength); | ||
750 | |||
751 | #endif /* #ifndef VANILLA_NACL */ | ||
752 | |||
753 | |||
754 | #ifdef __cplusplus | 726 | #ifdef __cplusplus |
755 | } | 727 | } |
756 | #endif | 728 | #endif |
diff --git a/toxencryptsave/Makefile.inc b/toxencryptsave/Makefile.inc new file mode 100644 index 00000000..1155e954 --- /dev/null +++ b/toxencryptsave/Makefile.inc | |||
@@ -0,0 +1,45 @@ | |||
1 | lib_LTLIBRARIES += libtoxencryptsave.la | ||
2 | |||
3 | libtoxencryptsave_la_include_HEADERS = \ | ||
4 | ../toxencryptsave/toxencryptsave.h | ||
5 | |||
6 | libtoxencryptsave_la_includedir = $(includedir)/tox | ||
7 | |||
8 | libtoxencryptsave_la_SOURCES = ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_pwhash_scryptsalsa208sha256.h \ | ||
9 | ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt.h \ | ||
10 | ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.c \ | ||
11 | ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c \ | ||
12 | ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.h \ | ||
13 | ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.c \ | ||
14 | ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt-common.c \ | ||
15 | ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/export.h \ | ||
16 | ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.h \ | ||
17 | ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.c \ | ||
18 | ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/scrypt_platform.c \ | ||
19 | ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sysendian.h \ | ||
20 | ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.h \ | ||
21 | ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c \ | ||
22 | ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c \ | ||
23 | ../toxencryptsave/toxencryptsave.h \ | ||
24 | ../toxencryptsave/toxencryptsave.c | ||
25 | |||
26 | |||
27 | libtoxencryptsave_la_CFLAGS = -I$(top_srcdir) \ | ||
28 | -I$(top_srcdir)/toxcore \ | ||
29 | $(LIBSODIUM_CFLAGS) \ | ||
30 | $(NACL_CFLAGS) \ | ||
31 | $(PTHREAD_CFLAGS) | ||
32 | |||
33 | libtoxencryptsave_la_LDFLAGS = $(TOXCORE_LT_LDFLAGS) \ | ||
34 | $(EXTRA_LT_LDFLAGS) \ | ||
35 | $(LIBSODIUM_LDFLAGS) \ | ||
36 | $(NACL_LDFLAGS) \ | ||
37 | $(MATH_LDFLAGS) \ | ||
38 | $(RT_LIBS) \ | ||
39 | $(WINSOCK2_LIBS) | ||
40 | |||
41 | libtoxencryptsave_la_LIBADD = $(LIBSODIUM_LIBS) \ | ||
42 | $(NACL_OBJECTS) \ | ||
43 | $(NAC_LIBS) \ | ||
44 | $(PTHREAD_LIBS) \ | ||
45 | libtoxcore.la | ||
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_pwhash_scryptsalsa208sha256.h b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_pwhash_scryptsalsa208sha256.h new file mode 100644 index 00000000..e10a81d8 --- /dev/null +++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_pwhash_scryptsalsa208sha256.h | |||
@@ -0,0 +1,89 @@ | |||
1 | #ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */ | ||
2 | |||
3 | #ifndef crypto_pwhash_scryptsalsa208sha256_H | ||
4 | #define crypto_pwhash_scryptsalsa208sha256_H | ||
5 | |||
6 | #include <stddef.h> | ||
7 | #include <stdint.h> | ||
8 | |||
9 | #include "export.h" | ||
10 | |||
11 | #ifdef __cplusplus | ||
12 | # if __GNUC__ | ||
13 | # pragma GCC diagnostic ignored "-Wlong-long" | ||
14 | # endif | ||
15 | extern "C" { | ||
16 | #endif | ||
17 | |||
18 | #define crypto_pwhash_scryptsalsa208sha256_SALTBYTES 32U | ||
19 | SODIUM_EXPORT | ||
20 | size_t crypto_pwhash_scryptsalsa208sha256_saltbytes(void); | ||
21 | |||
22 | #define crypto_pwhash_scryptsalsa208sha256_STRBYTES 102U | ||
23 | SODIUM_EXPORT | ||
24 | size_t crypto_pwhash_scryptsalsa208sha256_strbytes(void); | ||
25 | |||
26 | #define crypto_pwhash_scryptsalsa208sha256_STRPREFIX "$7$" | ||
27 | SODIUM_EXPORT | ||
28 | const char *crypto_pwhash_scryptsalsa208sha256_strprefix(void); | ||
29 | |||
30 | #define crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE 524288ULL | ||
31 | SODIUM_EXPORT | ||
32 | size_t crypto_pwhash_scryptsalsa208sha256_opslimit_interactive(void); | ||
33 | |||
34 | #define crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE 16777216ULL | ||
35 | SODIUM_EXPORT | ||
36 | size_t crypto_pwhash_scryptsalsa208sha256_memlimit_interactive(void); | ||
37 | |||
38 | #define crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_SENSITIVE 33554432ULL | ||
39 | SODIUM_EXPORT | ||
40 | size_t crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive(void); | ||
41 | |||
42 | #define crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_SENSITIVE 1073741824ULL | ||
43 | SODIUM_EXPORT | ||
44 | size_t crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive(void); | ||
45 | |||
46 | SODIUM_EXPORT | ||
47 | int crypto_pwhash_scryptsalsa208sha256(unsigned char * const out, | ||
48 | unsigned long long outlen, | ||
49 | const char * const passwd, | ||
50 | unsigned long long passwdlen, | ||
51 | const unsigned char * const salt, | ||
52 | unsigned long long opslimit, | ||
53 | size_t memlimit); | ||
54 | |||
55 | SODIUM_EXPORT | ||
56 | int crypto_pwhash_scryptsalsa208sha256_str(char out[crypto_pwhash_scryptsalsa208sha256_STRBYTES], | ||
57 | const char * const passwd, | ||
58 | unsigned long long passwdlen, | ||
59 | unsigned long long opslimit, | ||
60 | size_t memlimit); | ||
61 | |||
62 | SODIUM_EXPORT | ||
63 | int crypto_pwhash_scryptsalsa208sha256_str_verify(const char str[crypto_pwhash_scryptsalsa208sha256_STRBYTES], | ||
64 | const char * const passwd, | ||
65 | unsigned long long passwdlen); | ||
66 | |||
67 | SODIUM_EXPORT | ||
68 | int crypto_pwhash_scryptsalsa208sha256_ll(const uint8_t * passwd, size_t passwdlen, | ||
69 | const uint8_t * salt, size_t saltlen, | ||
70 | uint64_t N, uint32_t r, uint32_t p, | ||
71 | uint8_t * buf, size_t buflen); | ||
72 | |||
73 | #ifdef __cplusplus | ||
74 | } | ||
75 | #endif | ||
76 | |||
77 | /* Backward compatibility with version 0.5.0 */ | ||
78 | |||
79 | #define crypto_pwhash_scryptxsalsa208sha256_SALTBYTES crypto_pwhash_scryptsalsa208sha256_SALTBYTES | ||
80 | #define crypto_pwhash_scryptxsalsa208sha256_saltbytes crypto_pwhash_scryptsalsa208sha256_saltbytes | ||
81 | #define crypto_pwhash_scryptxsalsa208sha256_STRBYTES crypto_pwhash_scryptsalsa208sha256_STRBYTES | ||
82 | #define crypto_pwhash_scryptxsalsa208sha256_strbytes crypto_pwhash_scryptsalsa208sha256_strbytes | ||
83 | #define crypto_pwhash_scryptxsalsa208sha256 crypto_pwhash_scryptsalsa208sha256 | ||
84 | #define crypto_pwhash_scryptxsalsa208sha256_str crypto_pwhash_scryptsalsa208sha256_str | ||
85 | #define crypto_pwhash_scryptxsalsa208sha256_str_verify crypto_pwhash_scryptsalsa208sha256_str_verify | ||
86 | |||
87 | #endif | ||
88 | |||
89 | #endif | ||
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt-common.c b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt-common.c new file mode 100644 index 00000000..159dac10 --- /dev/null +++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt-common.c | |||
@@ -0,0 +1,254 @@ | |||
1 | #ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */ | ||
2 | |||
3 | /*- | ||
4 | * Copyright 2013 Alexander Peslyak | ||
5 | * All rights reserved. | ||
6 | * | ||
7 | * Redistribution and use in source and binary forms, with or without | ||
8 | * modification, are permitted. | ||
9 | * | ||
10 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND | ||
11 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
12 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
13 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | ||
14 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||
15 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||
16 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
17 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||
18 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||
19 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
20 | * SUCH DAMAGE. | ||
21 | */ | ||
22 | |||
23 | #include <stdint.h> | ||
24 | #include <string.h> | ||
25 | |||
26 | #include "crypto_pwhash_scryptsalsa208sha256.h" | ||
27 | #include "crypto_scrypt.h" | ||
28 | #include "runtime.h" | ||
29 | #include "utils.h" | ||
30 | |||
31 | static const char * const itoa64 = | ||
32 | "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"; | ||
33 | |||
34 | static uint8_t * | ||
35 | encode64_uint32(uint8_t * dst, size_t dstlen, uint32_t src, uint32_t srcbits) | ||
36 | { | ||
37 | uint32_t bit; | ||
38 | |||
39 | for (bit = 0; bit < srcbits; bit += 6) { | ||
40 | if (dstlen < 1) { | ||
41 | return NULL; | ||
42 | } | ||
43 | *dst++ = itoa64[src & 0x3f]; | ||
44 | dstlen--; | ||
45 | src >>= 6; | ||
46 | } | ||
47 | |||
48 | return dst; | ||
49 | } | ||
50 | |||
51 | static uint8_t * | ||
52 | encode64(uint8_t * dst, size_t dstlen, const uint8_t * src, size_t srclen) | ||
53 | { | ||
54 | size_t i; | ||
55 | |||
56 | for (i = 0; i < srclen; ) { | ||
57 | uint8_t * dnext; | ||
58 | uint32_t value = 0, bits = 0; | ||
59 | do { | ||
60 | value |= (uint32_t)src[i++] << bits; | ||
61 | bits += 8; | ||
62 | } while (bits < 24 && i < srclen); | ||
63 | dnext = encode64_uint32(dst, dstlen, value, bits); | ||
64 | if (!dnext) { | ||
65 | return NULL; | ||
66 | } | ||
67 | dstlen -= dnext - dst; | ||
68 | dst = dnext; | ||
69 | } | ||
70 | |||
71 | return dst; | ||
72 | } | ||
73 | |||
74 | static int | ||
75 | decode64_one(uint32_t * dst, uint8_t src) | ||
76 | { | ||
77 | const char *ptr = strchr(itoa64, src); | ||
78 | |||
79 | if (ptr) { | ||
80 | *dst = ptr - itoa64; | ||
81 | return 0; | ||
82 | } | ||
83 | *dst = 0; | ||
84 | return -1; | ||
85 | } | ||
86 | |||
87 | static const uint8_t * | ||
88 | decode64_uint32(uint32_t * dst, uint32_t dstbits, const uint8_t * src) | ||
89 | { | ||
90 | uint32_t bit; | ||
91 | uint32_t value; | ||
92 | |||
93 | value = 0; | ||
94 | for (bit = 0; bit < dstbits; bit += 6) { | ||
95 | uint32_t one; | ||
96 | if (decode64_one(&one, *src)) { | ||
97 | *dst = 0; | ||
98 | return NULL; | ||
99 | } | ||
100 | src++; | ||
101 | value |= one << bit; | ||
102 | } | ||
103 | |||
104 | *dst = value; | ||
105 | return src; | ||
106 | } | ||
107 | |||
108 | uint8_t * | ||
109 | escrypt_r(escrypt_local_t * local, const uint8_t * passwd, size_t passwdlen, | ||
110 | const uint8_t * setting, uint8_t * buf, size_t buflen) | ||
111 | { | ||
112 | uint8_t hash[crypto_pwhash_scryptsalsa208sha256_STRHASHBYTES]; | ||
113 | escrypt_kdf_t escrypt_kdf; | ||
114 | const uint8_t *src; | ||
115 | const uint8_t *salt; | ||
116 | uint8_t *dst; | ||
117 | size_t prefixlen; | ||
118 | size_t saltlen; | ||
119 | size_t need; | ||
120 | uint64_t N; | ||
121 | uint32_t N_log2; | ||
122 | uint32_t r; | ||
123 | uint32_t p; | ||
124 | |||
125 | if (setting[0] != '$' || setting[1] != '7' || setting[2] != '$') { | ||
126 | return NULL; | ||
127 | } | ||
128 | src = setting + 3; | ||
129 | |||
130 | if (decode64_one(&N_log2, *src)) { | ||
131 | return NULL; | ||
132 | } | ||
133 | src++; | ||
134 | N = (uint64_t)1 << N_log2; | ||
135 | |||
136 | src = decode64_uint32(&r, 30, src); | ||
137 | if (!src) { | ||
138 | return NULL; | ||
139 | } | ||
140 | src = decode64_uint32(&p, 30, src); | ||
141 | if (!src) { | ||
142 | return NULL; | ||
143 | } | ||
144 | prefixlen = src - setting; | ||
145 | |||
146 | salt = src; | ||
147 | src = (uint8_t *) strrchr((char *)salt, '$'); | ||
148 | if (src) { | ||
149 | saltlen = src - salt; | ||
150 | } else { | ||
151 | saltlen = strlen((char *)salt); | ||
152 | } | ||
153 | need = prefixlen + saltlen + 1 + | ||
154 | crypto_pwhash_scryptsalsa208sha256_STRHASHBYTES_ENCODED + 1; | ||
155 | if (need > buflen || need < saltlen) { | ||
156 | return NULL; | ||
157 | } | ||
158 | #if defined(HAVE_EMMINTRIN_H) || defined(_MSC_VER) | ||
159 | escrypt_kdf = | ||
160 | sodium_runtime_has_sse2() ? escrypt_kdf_sse : escrypt_kdf_nosse; | ||
161 | #else | ||
162 | escrypt_kdf = escrypt_kdf_nosse; | ||
163 | #endif | ||
164 | if (escrypt_kdf(local, passwd, passwdlen, salt, saltlen, | ||
165 | N, r, p, hash, sizeof(hash))) { | ||
166 | return NULL; | ||
167 | } | ||
168 | |||
169 | dst = buf; | ||
170 | memcpy(dst, setting, prefixlen + saltlen); | ||
171 | dst += prefixlen + saltlen; | ||
172 | *dst++ = '$'; | ||
173 | |||
174 | dst = encode64(dst, buflen - (dst - buf), hash, sizeof(hash)); | ||
175 | sodium_memzero(hash, sizeof hash); | ||
176 | if (!dst || dst >= buf + buflen) { /* Can't happen */ | ||
177 | return NULL; | ||
178 | } | ||
179 | *dst = 0; /* NUL termination */ | ||
180 | |||
181 | return buf; | ||
182 | } | ||
183 | |||
184 | uint8_t * | ||
185 | escrypt_gensalt_r(uint32_t N_log2, uint32_t r, uint32_t p, | ||
186 | const uint8_t * src, size_t srclen, | ||
187 | uint8_t * buf, size_t buflen) | ||
188 | { | ||
189 | uint8_t *dst; | ||
190 | size_t prefixlen = | ||
191 | (sizeof "$7$" - 1U) + (1U /* N_log2 */) + (5U /* r */) + (5U /* p */); | ||
192 | size_t saltlen = BYTES2CHARS(srclen); | ||
193 | size_t need; | ||
194 | |||
195 | need = prefixlen + saltlen + 1; | ||
196 | if (need > buflen || need < saltlen || saltlen < srclen) { | ||
197 | return NULL; | ||
198 | } | ||
199 | if (N_log2 > 63 || ((uint64_t)r * (uint64_t)p >= (1U << 30))) { | ||
200 | return NULL; | ||
201 | } | ||
202 | dst = buf; | ||
203 | *dst++ = '$'; | ||
204 | *dst++ = '7'; | ||
205 | *dst++ = '$'; | ||
206 | |||
207 | *dst++ = itoa64[N_log2]; | ||
208 | |||
209 | dst = encode64_uint32(dst, buflen - (dst - buf), r, 30); | ||
210 | if (!dst) { /* Can't happen */ | ||
211 | return NULL; | ||
212 | } | ||
213 | dst = encode64_uint32(dst, buflen - (dst - buf), p, 30); | ||
214 | if (!dst) { /* Can't happen */ | ||
215 | return NULL; | ||
216 | } | ||
217 | dst = encode64(dst, buflen - (dst - buf), src, srclen); | ||
218 | if (!dst || dst >= buf + buflen) { /* Can't happen */ | ||
219 | return NULL; | ||
220 | } | ||
221 | *dst = 0; /* NUL termination */ | ||
222 | |||
223 | return buf; | ||
224 | } | ||
225 | |||
226 | int | ||
227 | crypto_pwhash_scryptsalsa208sha256_ll(const uint8_t * passwd, size_t passwdlen, | ||
228 | const uint8_t * salt, size_t saltlen, | ||
229 | uint64_t N, uint32_t r, uint32_t p, | ||
230 | uint8_t * buf, size_t buflen) | ||
231 | { | ||
232 | escrypt_kdf_t escrypt_kdf; | ||
233 | escrypt_local_t local; | ||
234 | int retval; | ||
235 | |||
236 | if (escrypt_init_local(&local)) { | ||
237 | return -1; | ||
238 | } | ||
239 | #if defined(HAVE_EMMINTRIN_H) || defined(_MSC_VER) | ||
240 | escrypt_kdf = | ||
241 | sodium_runtime_has_sse2() ? escrypt_kdf_sse : escrypt_kdf_nosse; | ||
242 | #else | ||
243 | escrypt_kdf = escrypt_kdf_nosse; | ||
244 | #endif | ||
245 | retval = escrypt_kdf(&local, | ||
246 | passwd, passwdlen, salt, saltlen, | ||
247 | N, r, p, buf, buflen); | ||
248 | if (escrypt_free_local(&local)) { | ||
249 | return -1; | ||
250 | } | ||
251 | return retval; | ||
252 | } | ||
253 | |||
254 | #endif | ||
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt.h b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt.h new file mode 100644 index 00000000..1f70b7a2 --- /dev/null +++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt.h | |||
@@ -0,0 +1,90 @@ | |||
1 | #ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */ | ||
2 | |||
3 | /*- | ||
4 | * Copyright 2009 Colin Percival | ||
5 | * Copyright 2013 Alexander Peslyak | ||
6 | * All rights reserved. | ||
7 | * | ||
8 | * Redistribution and use in source and binary forms, with or without | ||
9 | * modification, are permitted provided that the following conditions | ||
10 | * are met: | ||
11 | * 1. Redistributions of source code must retain the above copyright | ||
12 | * notice, this list of conditions and the following disclaimer. | ||
13 | * 2. Redistributions in binary form must reproduce the above copyright | ||
14 | * notice, this list of conditions and the following disclaimer in the | ||
15 | * documentation and/or other materials provided with the distribution. | ||
16 | * | ||
17 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND | ||
18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | ||
21 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||
22 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||
23 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
24 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||
25 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||
26 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
27 | * SUCH DAMAGE. | ||
28 | * | ||
29 | * This file was originally written by Colin Percival as part of the Tarsnap | ||
30 | * online backup system. | ||
31 | */ | ||
32 | #ifndef _CRYPTO_SCRYPT_H_ | ||
33 | #define _CRYPTO_SCRYPT_H_ | ||
34 | |||
35 | #include <stdint.h> | ||
36 | |||
37 | #define crypto_pwhash_scryptsalsa208sha256_STRPREFIXBYTES 14 | ||
38 | #define crypto_pwhash_scryptsalsa208sha256_STRSETTINGBYTES 57 | ||
39 | #define crypto_pwhash_scryptsalsa208sha256_STRSALTBYTES 32 | ||
40 | #define crypto_pwhash_scryptsalsa208sha256_STRSALTBYTES_ENCODED 43 | ||
41 | #define crypto_pwhash_scryptsalsa208sha256_STRHASHBYTES 32 | ||
42 | #define crypto_pwhash_scryptsalsa208sha256_STRHASHBYTES_ENCODED 43 | ||
43 | |||
44 | #define BYTES2CHARS(bytes) ((((bytes) * 8) + 5) / 6) | ||
45 | |||
46 | typedef struct { | ||
47 | void * base, * aligned; | ||
48 | size_t size; | ||
49 | } escrypt_region_t; | ||
50 | |||
51 | typedef escrypt_region_t escrypt_local_t; | ||
52 | |||
53 | extern int escrypt_init_local(escrypt_local_t * __local); | ||
54 | |||
55 | extern int escrypt_free_local(escrypt_local_t * __local); | ||
56 | |||
57 | extern void *alloc_region(escrypt_region_t * region, size_t size); | ||
58 | extern int free_region(escrypt_region_t * region); | ||
59 | |||
60 | typedef int (*escrypt_kdf_t)(escrypt_local_t * __local, | ||
61 | const uint8_t * __passwd, size_t __passwdlen, | ||
62 | const uint8_t * __salt, size_t __saltlen, | ||
63 | uint64_t __N, uint32_t __r, uint32_t __p, | ||
64 | uint8_t * __buf, size_t __buflen); | ||
65 | |||
66 | extern int escrypt_kdf_nosse(escrypt_local_t * __local, | ||
67 | const uint8_t * __passwd, size_t __passwdlen, | ||
68 | const uint8_t * __salt, size_t __saltlen, | ||
69 | uint64_t __N, uint32_t __r, uint32_t __p, | ||
70 | uint8_t * __buf, size_t __buflen); | ||
71 | |||
72 | extern int escrypt_kdf_sse(escrypt_local_t * __local, | ||
73 | const uint8_t * __passwd, size_t __passwdlen, | ||
74 | const uint8_t * __salt, size_t __saltlen, | ||
75 | uint64_t __N, uint32_t __r, uint32_t __p, | ||
76 | uint8_t * __buf, size_t __buflen); | ||
77 | |||
78 | extern uint8_t * escrypt_r(escrypt_local_t * __local, | ||
79 | const uint8_t * __passwd, size_t __passwdlen, | ||
80 | const uint8_t * __setting, | ||
81 | uint8_t * __buf, size_t __buflen); | ||
82 | |||
83 | extern uint8_t * escrypt_gensalt_r( | ||
84 | uint32_t __N_log2, uint32_t __r, uint32_t __p, | ||
85 | const uint8_t * __src, size_t __srclen, | ||
86 | uint8_t * __buf, size_t __buflen); | ||
87 | |||
88 | #endif /* !_CRYPTO_SCRYPT_H_ */ | ||
89 | |||
90 | #endif | ||
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/export.h b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/export.h new file mode 100644 index 00000000..d6975e8d --- /dev/null +++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/export.h | |||
@@ -0,0 +1,35 @@ | |||
1 | #ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */ | ||
2 | |||
3 | #ifndef __SODIUM_EXPORT_H__ | ||
4 | #define __SODIUM_EXPORT_H__ | ||
5 | |||
6 | #ifndef __GNUC__ | ||
7 | # ifdef __attribute__ | ||
8 | # undef __attribute__ | ||
9 | # endif | ||
10 | # define __attribute__(a) | ||
11 | #endif | ||
12 | |||
13 | #ifdef SODIUM_STATIC | ||
14 | # define SODIUM_EXPORT | ||
15 | #else | ||
16 | # if defined(_MSC_VER) | ||
17 | # ifdef DLL_EXPORT | ||
18 | # define SODIUM_EXPORT __declspec(dllexport) | ||
19 | # else | ||
20 | # define SODIUM_EXPORT __declspec(dllimport) | ||
21 | # endif | ||
22 | # else | ||
23 | # if defined(__SUNPRO_C) | ||
24 | # define SODIUM_EXPORT __attribute__ __global | ||
25 | # elif defined(_MSG_VER) | ||
26 | # define SODIUM_EXPORT extern __declspec(dllexport) | ||
27 | # else | ||
28 | # define SODIUM_EXPORT __attribute__ ((visibility ("default"))) | ||
29 | # endif | ||
30 | # endif | ||
31 | #endif | ||
32 | |||
33 | #endif | ||
34 | |||
35 | #endif | ||
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c new file mode 100644 index 00000000..0dc896f1 --- /dev/null +++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c | |||
@@ -0,0 +1,306 @@ | |||
1 | #ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */ | ||
2 | |||
3 | /*- | ||
4 | * Copyright 2009 Colin Percival | ||
5 | * Copyright 2013 Alexander Peslyak | ||
6 | * All rights reserved. | ||
7 | * | ||
8 | * Redistribution and use in source and binary forms, with or without | ||
9 | * modification, are permitted provided that the following conditions | ||
10 | * are met: | ||
11 | * 1. Redistributions of source code must retain the above copyright | ||
12 | * notice, this list of conditions and the following disclaimer. | ||
13 | * 2. Redistributions in binary form must reproduce the above copyright | ||
14 | * notice, this list of conditions and the following disclaimer in the | ||
15 | * documentation and/or other materials provided with the distribution. | ||
16 | * | ||
17 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND | ||
18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | ||
21 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||
22 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||
23 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
24 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||
25 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||
26 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
27 | * SUCH DAMAGE. | ||
28 | * | ||
29 | * This file was originally written by Colin Percival as part of the Tarsnap | ||
30 | * online backup system. | ||
31 | */ | ||
32 | |||
33 | #include <errno.h> | ||
34 | #include <limits.h> | ||
35 | #include <stdint.h> | ||
36 | #include <stdlib.h> | ||
37 | #include <string.h> | ||
38 | |||
39 | #include "../pbkdf2-sha256.h" | ||
40 | #include "../sysendian.h" | ||
41 | #include "../crypto_scrypt.h" | ||
42 | |||
43 | static inline void | ||
44 | blkcpy(void * dest, const void * src, size_t len) | ||
45 | { | ||
46 | size_t * D = (size_t *) dest; | ||
47 | const size_t * S = (const size_t *) src; | ||
48 | size_t L = len / sizeof(size_t); | ||
49 | size_t i; | ||
50 | |||
51 | for (i = 0; i < L; i++) | ||
52 | D[i] = S[i]; | ||
53 | } | ||
54 | |||
55 | static inline void | ||
56 | blkxor(void * dest, const void * src, size_t len) | ||
57 | { | ||
58 | size_t * D = (size_t *) dest; | ||
59 | const size_t * S = (const size_t *) src; | ||
60 | size_t L = len / sizeof(size_t); | ||
61 | size_t i; | ||
62 | |||
63 | for (i = 0; i < L; i++) | ||
64 | D[i] ^= S[i]; | ||
65 | } | ||
66 | |||
67 | /** | ||
68 | * salsa20_8(B): | ||
69 | * Apply the salsa20/8 core to the provided block. | ||
70 | */ | ||
71 | static void | ||
72 | salsa20_8(uint32_t B[16]) | ||
73 | { | ||
74 | uint32_t x[16]; | ||
75 | size_t i; | ||
76 | |||
77 | blkcpy(x, B, 64); | ||
78 | for (i = 0; i < 8; i += 2) { | ||
79 | #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) | ||
80 | /* Operate on columns. */ | ||
81 | x[ 4] ^= R(x[ 0]+x[12], 7); x[ 8] ^= R(x[ 4]+x[ 0], 9); | ||
82 | x[12] ^= R(x[ 8]+x[ 4],13); x[ 0] ^= R(x[12]+x[ 8],18); | ||
83 | |||
84 | x[ 9] ^= R(x[ 5]+x[ 1], 7); x[13] ^= R(x[ 9]+x[ 5], 9); | ||
85 | x[ 1] ^= R(x[13]+x[ 9],13); x[ 5] ^= R(x[ 1]+x[13],18); | ||
86 | |||
87 | x[14] ^= R(x[10]+x[ 6], 7); x[ 2] ^= R(x[14]+x[10], 9); | ||
88 | x[ 6] ^= R(x[ 2]+x[14],13); x[10] ^= R(x[ 6]+x[ 2],18); | ||
89 | |||
90 | x[ 3] ^= R(x[15]+x[11], 7); x[ 7] ^= R(x[ 3]+x[15], 9); | ||
91 | x[11] ^= R(x[ 7]+x[ 3],13); x[15] ^= R(x[11]+x[ 7],18); | ||
92 | |||
93 | /* Operate on rows. */ | ||
94 | x[ 1] ^= R(x[ 0]+x[ 3], 7); x[ 2] ^= R(x[ 1]+x[ 0], 9); | ||
95 | x[ 3] ^= R(x[ 2]+x[ 1],13); x[ 0] ^= R(x[ 3]+x[ 2],18); | ||
96 | |||
97 | x[ 6] ^= R(x[ 5]+x[ 4], 7); x[ 7] ^= R(x[ 6]+x[ 5], 9); | ||
98 | x[ 4] ^= R(x[ 7]+x[ 6],13); x[ 5] ^= R(x[ 4]+x[ 7],18); | ||
99 | |||
100 | x[11] ^= R(x[10]+x[ 9], 7); x[ 8] ^= R(x[11]+x[10], 9); | ||
101 | x[ 9] ^= R(x[ 8]+x[11],13); x[10] ^= R(x[ 9]+x[ 8],18); | ||
102 | |||
103 | x[12] ^= R(x[15]+x[14], 7); x[13] ^= R(x[12]+x[15], 9); | ||
104 | x[14] ^= R(x[13]+x[12],13); x[15] ^= R(x[14]+x[13],18); | ||
105 | #undef R | ||
106 | } | ||
107 | for (i = 0; i < 16; i++) | ||
108 | B[i] += x[i]; | ||
109 | } | ||
110 | |||
111 | /** | ||
112 | * blockmix_salsa8(Bin, Bout, X, r): | ||
113 | * Compute Bout = BlockMix_{salsa20/8, r}(Bin). The input Bin must be 128r | ||
114 | * bytes in length; the output Bout must also be the same size. The | ||
115 | * temporary space X must be 64 bytes. | ||
116 | */ | ||
117 | static void | ||
118 | blockmix_salsa8(const uint32_t * Bin, uint32_t * Bout, uint32_t * X, size_t r) | ||
119 | { | ||
120 | size_t i; | ||
121 | |||
122 | /* 1: X <-- B_{2r - 1} */ | ||
123 | blkcpy(X, &Bin[(2 * r - 1) * 16], 64); | ||
124 | |||
125 | /* 2: for i = 0 to 2r - 1 do */ | ||
126 | for (i = 0; i < 2 * r; i += 2) { | ||
127 | /* 3: X <-- H(X \xor B_i) */ | ||
128 | blkxor(X, &Bin[i * 16], 64); | ||
129 | salsa20_8(X); | ||
130 | |||
131 | /* 4: Y_i <-- X */ | ||
132 | /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ | ||
133 | blkcpy(&Bout[i * 8], X, 64); | ||
134 | |||
135 | /* 3: X <-- H(X \xor B_i) */ | ||
136 | blkxor(X, &Bin[i * 16 + 16], 64); | ||
137 | salsa20_8(X); | ||
138 | |||
139 | /* 4: Y_i <-- X */ | ||
140 | /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ | ||
141 | blkcpy(&Bout[i * 8 + r * 16], X, 64); | ||
142 | } | ||
143 | } | ||
144 | |||
145 | /** | ||
146 | * integerify(B, r): | ||
147 | * Return the result of parsing B_{2r-1} as a little-endian integer. | ||
148 | */ | ||
149 | static inline uint64_t | ||
150 | integerify(const void * B, size_t r) | ||
151 | { | ||
152 | const uint32_t * X = (const uint32_t *)((uintptr_t)(B) + (2 * r - 1) * 64); | ||
153 | |||
154 | return (((uint64_t)(X[1]) << 32) + X[0]); | ||
155 | } | ||
156 | |||
157 | /** | ||
158 | * smix(B, r, N, V, XY): | ||
159 | * Compute B = SMix_r(B, N). The input B must be 128r bytes in length; | ||
160 | * the temporary storage V must be 128rN bytes in length; the temporary | ||
161 | * storage XY must be 256r + 64 bytes in length. The value N must be a | ||
162 | * power of 2 greater than 1. The arrays B, V, and XY must be aligned to a | ||
163 | * multiple of 64 bytes. | ||
164 | */ | ||
165 | static void | ||
166 | smix(uint8_t * B, size_t r, uint64_t N, uint32_t * V, uint32_t * XY) | ||
167 | { | ||
168 | uint32_t * X = XY; | ||
169 | uint32_t * Y = &XY[32 * r]; | ||
170 | uint32_t * Z = &XY[64 * r]; | ||
171 | uint64_t i; | ||
172 | uint64_t j; | ||
173 | size_t k; | ||
174 | |||
175 | /* 1: X <-- B */ | ||
176 | for (k = 0; k < 32 * r; k++) | ||
177 | X[k] = le32dec(&B[4 * k]); | ||
178 | |||
179 | /* 2: for i = 0 to N - 1 do */ | ||
180 | for (i = 0; i < N; i += 2) { | ||
181 | /* 3: V_i <-- X */ | ||
182 | blkcpy(&V[i * (32 * r)], X, 128 * r); | ||
183 | |||
184 | /* 4: X <-- H(X) */ | ||
185 | blockmix_salsa8(X, Y, Z, r); | ||
186 | |||
187 | /* 3: V_i <-- X */ | ||
188 | blkcpy(&V[(i + 1) * (32 * r)], Y, 128 * r); | ||
189 | |||
190 | /* 4: X <-- H(X) */ | ||
191 | blockmix_salsa8(Y, X, Z, r); | ||
192 | } | ||
193 | |||
194 | /* 6: for i = 0 to N - 1 do */ | ||
195 | for (i = 0; i < N; i += 2) { | ||
196 | /* 7: j <-- Integerify(X) mod N */ | ||
197 | j = integerify(X, r) & (N - 1); | ||
198 | |||
199 | /* 8: X <-- H(X \xor V_j) */ | ||
200 | blkxor(X, &V[j * (32 * r)], 128 * r); | ||
201 | blockmix_salsa8(X, Y, Z, r); | ||
202 | |||
203 | /* 7: j <-- Integerify(X) mod N */ | ||
204 | j = integerify(Y, r) & (N - 1); | ||
205 | |||
206 | /* 8: X <-- H(X \xor V_j) */ | ||
207 | blkxor(Y, &V[j * (32 * r)], 128 * r); | ||
208 | blockmix_salsa8(Y, X, Z, r); | ||
209 | } | ||
210 | /* 10: B' <-- X */ | ||
211 | for (k = 0; k < 32 * r; k++) | ||
212 | le32enc(&B[4 * k], X[k]); | ||
213 | } | ||
214 | |||
215 | /** | ||
216 | * escrypt_kdf(local, passwd, passwdlen, salt, saltlen, | ||
217 | * N, r, p, buf, buflen): | ||
218 | * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r, | ||
219 | * p, buflen) and write the result into buf. The parameters r, p, and buflen | ||
220 | * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32. The parameter N | ||
221 | * must be a power of 2 greater than 1. | ||
222 | * | ||
223 | * Return 0 on success; or -1 on error. | ||
224 | */ | ||
225 | int | ||
226 | escrypt_kdf_nosse(escrypt_local_t * local, | ||
227 | const uint8_t * passwd, size_t passwdlen, | ||
228 | const uint8_t * salt, size_t saltlen, | ||
229 | uint64_t N, uint32_t _r, uint32_t _p, | ||
230 | uint8_t * buf, size_t buflen) | ||
231 | { | ||
232 | size_t B_size, V_size, XY_size, need; | ||
233 | uint8_t * B; | ||
234 | uint32_t * V, * XY; | ||
235 | size_t r = _r, p = _p; | ||
236 | uint32_t i; | ||
237 | |||
238 | /* Sanity-check parameters. */ | ||
239 | #if SIZE_MAX > UINT32_MAX | ||
240 | if (buflen > (((uint64_t)(1) << 32) - 1) * 32) { | ||
241 | errno = EFBIG; | ||
242 | return -1; | ||
243 | } | ||
244 | #endif | ||
245 | if ((uint64_t)(r) * (uint64_t)(p) >= (1 << 30)) { | ||
246 | errno = EFBIG; | ||
247 | return -1; | ||
248 | } | ||
249 | if (((N & (N - 1)) != 0) || (N < 2)) { | ||
250 | errno = EINVAL; | ||
251 | return -1; | ||
252 | } | ||
253 | if (r == 0 || p == 0) { | ||
254 | errno = EINVAL; | ||
255 | return -1; | ||
256 | } | ||
257 | if ((r > SIZE_MAX / 128 / p) || | ||
258 | #if SIZE_MAX / 256 <= UINT32_MAX | ||
259 | (r > SIZE_MAX / 256) || | ||
260 | #endif | ||
261 | (N > SIZE_MAX / 128 / r)) { | ||
262 | errno = ENOMEM; | ||
263 | return -1; | ||
264 | } | ||
265 | |||
266 | /* Allocate memory. */ | ||
267 | B_size = (size_t)128 * r * p; | ||
268 | V_size = (size_t)128 * r * N; | ||
269 | need = B_size + V_size; | ||
270 | if (need < V_size) { | ||
271 | errno = ENOMEM; | ||
272 | return -1; | ||
273 | } | ||
274 | XY_size = (size_t)256 * r + 64; | ||
275 | need += XY_size; | ||
276 | if (need < XY_size) { | ||
277 | errno = ENOMEM; | ||
278 | return -1; | ||
279 | } | ||
280 | if (local->size < need) { | ||
281 | if (free_region(local)) | ||
282 | return -1; | ||
283 | if (!alloc_region(local, need)) | ||
284 | return -1; | ||
285 | } | ||
286 | B = (uint8_t *)local->aligned; | ||
287 | V = (uint32_t *)((uint8_t *)B + B_size); | ||
288 | XY = (uint32_t *)((uint8_t *)V + V_size); | ||
289 | |||
290 | /* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */ | ||
291 | PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size); | ||
292 | |||
293 | /* 2: for i = 0 to p - 1 do */ | ||
294 | for (i = 0; i < p; i++) { | ||
295 | /* 3: B_i <-- MF(B_i, N) */ | ||
296 | smix(&B[(size_t)128 * i * r], r, N, V, XY); | ||
297 | } | ||
298 | |||
299 | /* 5: DK <-- PBKDF2(P, B, 1, dkLen) */ | ||
300 | PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen); | ||
301 | |||
302 | /* Success! */ | ||
303 | return 0; | ||
304 | } | ||
305 | |||
306 | #endif | ||
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/note_to_maintainers.txt b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/note_to_maintainers.txt new file mode 100644 index 00000000..66bbfe2d --- /dev/null +++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/note_to_maintainers.txt | |||
@@ -0,0 +1,14 @@ | |||
1 | This folder is only meant for use with nacl, i.e. when sodium is unavailable. | ||
2 | |||
3 | |||
4 | The files in this folder were mostly copied from | ||
5 | https://github.com/jedisct1/libsodium/tree/0.7.0/src/libsodium/crypto_pwhash/scryptsalsa208sha256, | ||
6 | with #ifdef VANILLA_NACL added around each of them as required for this module. | ||
7 | |||
8 | export.h, utils.h, and runtime.h were copied from | ||
9 | https://github.com/jedisct1/libsodium/tree/0.7.0/src/libsodium/include/sodium. | ||
10 | utils.h was significantly truncated. | ||
11 | |||
12 | utils.c and runtime.c were copied from | ||
13 | https://github.com/jedisct1/libsodium/blob/0.7.0/src/libsodium/sodium. | ||
14 | utils.c was also significantly truncated. | ||
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.c b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.c new file mode 100644 index 00000000..d66a5395 --- /dev/null +++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.c | |||
@@ -0,0 +1,88 @@ | |||
1 | #ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */ | ||
2 | |||
3 | /*- | ||
4 | * Copyright 2005,2007,2009 Colin Percival | ||
5 | * All rights reserved. | ||
6 | * | ||
7 | * Redistribution and use in source and binary forms, with or without | ||
8 | * modification, are permitted provided that the following conditions | ||
9 | * are met: | ||
10 | * 1. Redistributions of source code must retain the above copyright | ||
11 | * notice, this list of conditions and the following disclaimer. | ||
12 | * 2. Redistributions in binary form must reproduce the above copyright | ||
13 | * notice, this list of conditions and the following disclaimer in the | ||
14 | * documentation and/or other materials provided with the distribution. | ||
15 | * | ||
16 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND | ||
17 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | ||
20 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||
21 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||
22 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
23 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||
24 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||
25 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
26 | * SUCH DAMAGE. | ||
27 | */ | ||
28 | |||
29 | #include <sys/types.h> | ||
30 | |||
31 | #include <stdint.h> | ||
32 | #include <stdlib.h> | ||
33 | #include <string.h> | ||
34 | |||
35 | #include "crypto_auth_hmacsha256.h" | ||
36 | #include "pbkdf2-sha256.h" | ||
37 | #include "sysendian.h" | ||
38 | #include "utils.h" | ||
39 | |||
40 | /** | ||
41 | * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen): | ||
42 | * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and | ||
43 | * write the output to buf. The value dkLen must be at most 32 * (2^32 - 1). | ||
44 | */ | ||
45 | void | ||
46 | PBKDF2_SHA256(const uint8_t * passwd, size_t passwdlen, const uint8_t * salt, | ||
47 | size_t saltlen, uint64_t c, uint8_t * buf, size_t dkLen) | ||
48 | { | ||
49 | crypto_auth_hmacsha256_state PShctx, hctx; | ||
50 | size_t i; | ||
51 | uint8_t ivec[4]; | ||
52 | uint8_t U[32]; | ||
53 | uint8_t T[32]; | ||
54 | uint64_t j; | ||
55 | int k; | ||
56 | size_t clen; | ||
57 | |||
58 | crypto_auth_hmacsha256_init(&PShctx, passwd, passwdlen); | ||
59 | crypto_auth_hmacsha256_update(&PShctx, salt, saltlen); | ||
60 | |||
61 | for (i = 0; i * 32 < dkLen; i++) { | ||
62 | be32enc(ivec, (uint32_t)(i + 1)); | ||
63 | memcpy(&hctx, &PShctx, sizeof(crypto_auth_hmacsha256_state)); | ||
64 | crypto_auth_hmacsha256_update(&hctx, ivec, 4); | ||
65 | crypto_auth_hmacsha256_final(&hctx, U); | ||
66 | |||
67 | memcpy(T, U, 32); | ||
68 | |||
69 | for (j = 2; j <= c; j++) { | ||
70 | crypto_auth_hmacsha256_init(&hctx, passwd, passwdlen); | ||
71 | crypto_auth_hmacsha256_update(&hctx, U, 32); | ||
72 | crypto_auth_hmacsha256_final(&hctx, U); | ||
73 | |||
74 | for (k = 0; k < 32; k++) { | ||
75 | T[k] ^= U[k]; | ||
76 | } | ||
77 | } | ||
78 | |||
79 | clen = dkLen - i * 32; | ||
80 | if (clen > 32) { | ||
81 | clen = 32; | ||
82 | } | ||
83 | memcpy(&buf[i * 32], T, clen); | ||
84 | } | ||
85 | sodium_memzero((void *) &PShctx, sizeof PShctx); | ||
86 | } | ||
87 | |||
88 | #endif | ||
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.h b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.h new file mode 100644 index 00000000..6e5f2832 --- /dev/null +++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.h | |||
@@ -0,0 +1,49 @@ | |||
1 | #ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */ | ||
2 | |||
3 | /*- | ||
4 | * Copyright 2005,2007,2009 Colin Percival | ||
5 | * All rights reserved. | ||
6 | * | ||
7 | * Redistribution and use in source and binary forms, with or without | ||
8 | * modification, are permitted provided that the following conditions | ||
9 | * are met: | ||
10 | * 1. Redistributions of source code must retain the above copyright | ||
11 | * notice, this list of conditions and the following disclaimer. | ||
12 | * 2. Redistributions in binary form must reproduce the above copyright | ||
13 | * notice, this list of conditions and the following disclaimer in the | ||
14 | * documentation and/or other materials provided with the distribution. | ||
15 | * | ||
16 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND | ||
17 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
18 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
19 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | ||
20 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||
21 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||
22 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
23 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||
24 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||
25 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
26 | * SUCH DAMAGE. | ||
27 | * | ||
28 | */ | ||
29 | |||
30 | #ifndef _SHA256_H_ | ||
31 | #define _SHA256_H_ | ||
32 | |||
33 | #include <sys/types.h> | ||
34 | |||
35 | #include <stdint.h> | ||
36 | |||
37 | #include "crypto_auth_hmacsha256.h" | ||
38 | |||
39 | /** | ||
40 | * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen): | ||
41 | * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and | ||
42 | * write the output to buf. The value dkLen must be at most 32 * (2^32 - 1). | ||
43 | */ | ||
44 | void PBKDF2_SHA256(const uint8_t *, size_t, const uint8_t *, size_t, | ||
45 | uint64_t, uint8_t *, size_t); | ||
46 | |||
47 | #endif /* !_SHA256_H_ */ | ||
48 | |||
49 | #endif | ||
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c new file mode 100644 index 00000000..0a519937 --- /dev/null +++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c | |||
@@ -0,0 +1,207 @@ | |||
1 | #ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */ | ||
2 | |||
3 | |||
4 | #include <errno.h> | ||
5 | #include <limits.h> | ||
6 | #include <stddef.h> | ||
7 | #include <stdint.h> | ||
8 | #include <string.h> | ||
9 | |||
10 | #include "crypto_pwhash_scryptsalsa208sha256.h" | ||
11 | #include "crypto_scrypt.h" | ||
12 | #include "randombytes.h" | ||
13 | #include "utils.h" | ||
14 | |||
15 | #define SETTING_SIZE(saltbytes) \ | ||
16 | (sizeof "$7$" - 1U) + \ | ||
17 | (1U /* N_log2 */) + (5U /* r */) + (5U /* p */) + BYTES2CHARS(saltbytes) | ||
18 | |||
19 | static int | ||
20 | pickparams(unsigned long long opslimit, const size_t memlimit, | ||
21 | uint32_t * const N_log2, uint32_t * const p, uint32_t * const r) | ||
22 | { | ||
23 | unsigned long long maxN; | ||
24 | unsigned long long maxrp; | ||
25 | |||
26 | if (opslimit < 32768) { | ||
27 | opslimit = 32768; | ||
28 | } | ||
29 | *r = 8; | ||
30 | if (opslimit < memlimit / 32) { | ||
31 | *p = 1; | ||
32 | maxN = opslimit / (*r * 4); | ||
33 | for (*N_log2 = 1; *N_log2 < 63; *N_log2 += 1) { | ||
34 | if ((uint64_t)(1) << *N_log2 > maxN / 2) { | ||
35 | break; | ||
36 | } | ||
37 | } | ||
38 | } else { | ||
39 | maxN = memlimit / (*r * 128); | ||
40 | for (*N_log2 = 1; *N_log2 < 63; *N_log2 += 1) { | ||
41 | if ((uint64_t) (1) << *N_log2 > maxN / 2) { | ||
42 | break; | ||
43 | } | ||
44 | } | ||
45 | maxrp = (opslimit / 4) / ((uint64_t) (1) << *N_log2); | ||
46 | if (maxrp > 0x3fffffff) { | ||
47 | maxrp = 0x3fffffff; | ||
48 | } | ||
49 | *p = (uint32_t) (maxrp) / *r; | ||
50 | } | ||
51 | return 0; | ||
52 | } | ||
53 | |||
54 | size_t | ||
55 | crypto_pwhash_scryptsalsa208sha256_saltbytes(void) | ||
56 | { | ||
57 | return crypto_pwhash_scryptsalsa208sha256_SALTBYTES; | ||
58 | } | ||
59 | |||
60 | size_t | ||
61 | crypto_pwhash_scryptsalsa208sha256_strbytes(void) | ||
62 | { | ||
63 | return crypto_pwhash_scryptsalsa208sha256_STRBYTES; | ||
64 | } | ||
65 | |||
66 | const char * | ||
67 | crypto_pwhash_scryptsalsa208sha256_strprefix(void) | ||
68 | { | ||
69 | return crypto_pwhash_scryptsalsa208sha256_STRPREFIX; | ||
70 | } | ||
71 | |||
72 | size_t | ||
73 | crypto_pwhash_scryptsalsa208sha256_opslimit_interactive(void) | ||
74 | { | ||
75 | return crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE; | ||
76 | } | ||
77 | |||
78 | size_t | ||
79 | crypto_pwhash_scryptsalsa208sha256_memlimit_interactive(void) | ||
80 | { | ||
81 | return crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE; | ||
82 | } | ||
83 | |||
84 | size_t | ||
85 | crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive(void) | ||
86 | { | ||
87 | return crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_SENSITIVE; | ||
88 | } | ||
89 | |||
90 | size_t | ||
91 | crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive(void) | ||
92 | { | ||
93 | return crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_SENSITIVE; | ||
94 | } | ||
95 | |||
96 | int | ||
97 | crypto_pwhash_scryptsalsa208sha256(unsigned char * const out, | ||
98 | unsigned long long outlen, | ||
99 | const char * const passwd, | ||
100 | unsigned long long passwdlen, | ||
101 | const unsigned char * const salt, | ||
102 | unsigned long long opslimit, | ||
103 | size_t memlimit) | ||
104 | { | ||
105 | uint32_t N_log2; | ||
106 | uint32_t p; | ||
107 | uint32_t r; | ||
108 | |||
109 | memset(out, 0, outlen); | ||
110 | if (passwdlen > SIZE_MAX || outlen > SIZE_MAX) { | ||
111 | errno = EFBIG; | ||
112 | return -1; | ||
113 | } | ||
114 | if (pickparams(opslimit, memlimit, &N_log2, &p, &r) != 0) { | ||
115 | errno = EINVAL; | ||
116 | return -1; | ||
117 | } | ||
118 | return crypto_pwhash_scryptsalsa208sha256_ll((const uint8_t *) passwd, | ||
119 | (size_t) passwdlen, | ||
120 | (const uint8_t *) salt, | ||
121 | crypto_pwhash_scryptsalsa208sha256_SALTBYTES, | ||
122 | (uint64_t) (1) << N_log2, r, p, | ||
123 | out, (size_t) outlen); | ||
124 | } | ||
125 | |||
126 | int | ||
127 | crypto_pwhash_scryptsalsa208sha256_str(char out[crypto_pwhash_scryptsalsa208sha256_STRBYTES], | ||
128 | const char * const passwd, | ||
129 | unsigned long long passwdlen, | ||
130 | unsigned long long opslimit, | ||
131 | size_t memlimit) | ||
132 | { | ||
133 | uint8_t salt[crypto_pwhash_scryptsalsa208sha256_STRSALTBYTES]; | ||
134 | char setting[crypto_pwhash_scryptsalsa208sha256_STRSETTINGBYTES + 1U]; | ||
135 | escrypt_local_t escrypt_local; | ||
136 | uint32_t N_log2; | ||
137 | uint32_t p; | ||
138 | uint32_t r; | ||
139 | |||
140 | memset(out, 0, crypto_pwhash_scryptsalsa208sha256_STRBYTES); | ||
141 | if (passwdlen > SIZE_MAX) { | ||
142 | errno = EFBIG; | ||
143 | return -1; | ||
144 | } | ||
145 | if (pickparams(opslimit, memlimit, &N_log2, &p, &r) != 0) { | ||
146 | errno = EINVAL; | ||
147 | return -1; | ||
148 | } | ||
149 | randombytes_buf(salt, sizeof salt); | ||
150 | if (escrypt_gensalt_r(N_log2, r, p, salt, sizeof salt, | ||
151 | (uint8_t *) setting, sizeof setting) == NULL) { | ||
152 | errno = EINVAL; | ||
153 | return -1; | ||
154 | } | ||
155 | if (escrypt_init_local(&escrypt_local) != 0) { | ||
156 | return -1; | ||
157 | } | ||
158 | if (escrypt_r(&escrypt_local, (const uint8_t *) passwd, (size_t) passwdlen, | ||
159 | (const uint8_t *) setting, (uint8_t *) out, | ||
160 | crypto_pwhash_scryptsalsa208sha256_STRBYTES) == NULL) { | ||
161 | escrypt_free_local(&escrypt_local); | ||
162 | errno = EINVAL; | ||
163 | return -1; | ||
164 | } | ||
165 | escrypt_free_local(&escrypt_local); | ||
166 | |||
167 | (void) sizeof | ||
168 | (int[SETTING_SIZE(crypto_pwhash_scryptsalsa208sha256_STRSALTBYTES) | ||
169 | == crypto_pwhash_scryptsalsa208sha256_STRSETTINGBYTES ? 1 : -1]); | ||
170 | (void) sizeof | ||
171 | (int[crypto_pwhash_scryptsalsa208sha256_STRSETTINGBYTES + 1U + | ||
172 | crypto_pwhash_scryptsalsa208sha256_STRHASHBYTES_ENCODED + 1U | ||
173 | == crypto_pwhash_scryptsalsa208sha256_STRBYTES ? 1 : -1]); | ||
174 | |||
175 | return 0; | ||
176 | } | ||
177 | |||
178 | int | ||
179 | crypto_pwhash_scryptsalsa208sha256_str_verify(const char str[crypto_pwhash_scryptsalsa208sha256_STRBYTES], | ||
180 | const char * const passwd, | ||
181 | unsigned long long passwdlen) | ||
182 | { | ||
183 | char wanted[crypto_pwhash_scryptsalsa208sha256_STRBYTES]; | ||
184 | escrypt_local_t escrypt_local; | ||
185 | int ret = -1; | ||
186 | |||
187 | if (memchr(str, 0, crypto_pwhash_scryptsalsa208sha256_STRBYTES) != | ||
188 | &str[crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1U]) { | ||
189 | return -1; | ||
190 | } | ||
191 | if (escrypt_init_local(&escrypt_local) != 0) { | ||
192 | return -1; | ||
193 | } | ||
194 | if (escrypt_r(&escrypt_local, (const uint8_t *) passwd, (size_t) passwdlen, | ||
195 | (const uint8_t *) str, (uint8_t *) wanted, | ||
196 | sizeof wanted) == NULL) { | ||
197 | escrypt_free_local(&escrypt_local); | ||
198 | return -1; | ||
199 | } | ||
200 | escrypt_free_local(&escrypt_local); | ||
201 | ret = sodium_memcmp(wanted, str, sizeof wanted); | ||
202 | sodium_memzero(wanted, sizeof wanted); | ||
203 | |||
204 | return ret; | ||
205 | } | ||
206 | |||
207 | #endif | ||
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.c b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.c new file mode 100644 index 00000000..f02c3803 --- /dev/null +++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.c | |||
@@ -0,0 +1,137 @@ | |||
1 | #ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */ | ||
2 | |||
3 | #ifdef HAVE_ANDROID_GETCPUFEATURES | ||
4 | # include <cpu-features.h> | ||
5 | #endif | ||
6 | |||
7 | #include "runtime.h" | ||
8 | |||
9 | typedef struct CPUFeatures_ { | ||
10 | int initialized; | ||
11 | int has_neon; | ||
12 | int has_sse2; | ||
13 | int has_sse3; | ||
14 | } CPUFeatures; | ||
15 | |||
16 | static CPUFeatures _cpu_features; | ||
17 | |||
18 | #define CPUID_SSE2 0x04000000 | ||
19 | #define CPUIDECX_SSE3 0x00000001 | ||
20 | |||
21 | static int | ||
22 | _sodium_runtime_arm_cpu_features(CPUFeatures * const cpu_features) | ||
23 | { | ||
24 | #ifndef __arm__ | ||
25 | cpu_features->has_neon = 0; | ||
26 | return -1; | ||
27 | #else | ||
28 | # ifdef __APPLE__ | ||
29 | # ifdef __ARM_NEON__ | ||
30 | cpu_features->has_neon = 1; | ||
31 | # else | ||
32 | cpu_features->has_neon = 0; | ||
33 | # endif | ||
34 | # elif defined(HAVE_ANDROID_GETCPUFEATURES) && defined(ANDROID_CPU_ARM_FEATURE_NEON) | ||
35 | cpu_features->has_neon = | ||
36 | (android_getCpuFeatures() & ANDROID_CPU_ARM_FEATURE_NEON) != 0x0; | ||
37 | # else | ||
38 | cpu_features->has_neon = 0; | ||
39 | # endif | ||
40 | return 0; | ||
41 | #endif | ||
42 | } | ||
43 | |||
44 | static void | ||
45 | _cpuid(unsigned int cpu_info[4U], const unsigned int cpu_info_type) | ||
46 | { | ||
47 | #ifdef _MSC_VER | ||
48 | __cpuidex((int *) cpu_info, cpu_info_type, 0); | ||
49 | #elif defined(HAVE_CPUID) | ||
50 | cpu_info[0] = cpu_info[1] = cpu_info[2] = cpu_info[3] = 0; | ||
51 | # ifdef __i386__ | ||
52 | __asm__ __volatile__ ("pushfl; pushfl; " | ||
53 | "popl %0; " | ||
54 | "movl %0, %1; xorl %2, %0; " | ||
55 | "pushl %0; " | ||
56 | "popfl; pushfl; popl %0; popfl" : | ||
57 | "=&r" (cpu_info[0]), "=&r" (cpu_info[1]) : | ||
58 | "i" (0x200000)); | ||
59 | if (((cpu_info[0] ^ cpu_info[1]) & 0x200000) == 0x0) { | ||
60 | return; | ||
61 | } | ||
62 | # endif | ||
63 | # ifdef __i386__ | ||
64 | __asm__ __volatile__ ("xchgl %%ebx, %k1; cpuid; xchgl %%ebx, %k1" : | ||
65 | "=a" (cpu_info[0]), "=&r" (cpu_info[1]), | ||
66 | "=c" (cpu_info[2]), "=d" (cpu_info[3]) : | ||
67 | "0" (cpu_info_type), "2" (0U)); | ||
68 | # elif defined(__x86_64__) | ||
69 | __asm__ __volatile__ ("xchgq %%rbx, %q1; cpuid; xchgq %%rbx, %q1" : | ||
70 | "=a" (cpu_info[0]), "=&r" (cpu_info[1]), | ||
71 | "=c" (cpu_info[2]), "=d" (cpu_info[3]) : | ||
72 | "0" (cpu_info_type), "2" (0U)); | ||
73 | # else | ||
74 | __asm__ __volatile__ ("cpuid" : | ||
75 | "=a" (cpu_info[0]), "=b" (cpu_info[1]), | ||
76 | "=c" (cpu_info[2]), "=d" (cpu_info[3]) : | ||
77 | "0" (cpu_info_type), "2" (0U)); | ||
78 | # endif | ||
79 | #else | ||
80 | cpu_info[0] = cpu_info[1] = cpu_info[2] = cpu_info[3] = 0; | ||
81 | #endif | ||
82 | } | ||
83 | |||
84 | static int | ||
85 | _sodium_runtime_intel_cpu_features(CPUFeatures * const cpu_features) | ||
86 | { | ||
87 | unsigned int cpu_info[4]; | ||
88 | unsigned int id; | ||
89 | |||
90 | _cpuid(cpu_info, 0x0); | ||
91 | if ((id = cpu_info[0]) == 0U) { | ||
92 | return -1; | ||
93 | } | ||
94 | _cpuid(cpu_info, 0x00000001); | ||
95 | #ifndef HAVE_EMMINTRIN_H | ||
96 | cpu_features->has_sse2 = 0; | ||
97 | #else | ||
98 | cpu_features->has_sse2 = ((cpu_info[3] & CPUID_SSE2) != 0x0); | ||
99 | #endif | ||
100 | |||
101 | #ifndef HAVE_PMMINTRIN_H | ||
102 | cpu_features->has_sse3 = 0; | ||
103 | #else | ||
104 | cpu_features->has_sse3 = ((cpu_info[2] & CPUIDECX_SSE3) != 0x0); | ||
105 | #endif | ||
106 | |||
107 | return 0; | ||
108 | } | ||
109 | |||
110 | int | ||
111 | sodium_runtime_get_cpu_features(void) | ||
112 | { | ||
113 | int ret = -1; | ||
114 | |||
115 | ret &= _sodium_runtime_arm_cpu_features(&_cpu_features); | ||
116 | ret &= _sodium_runtime_intel_cpu_features(&_cpu_features); | ||
117 | _cpu_features.initialized = 1; | ||
118 | |||
119 | return ret; | ||
120 | } | ||
121 | |||
122 | int | ||
123 | sodium_runtime_has_neon(void) { | ||
124 | return _cpu_features.has_neon; | ||
125 | } | ||
126 | |||
127 | int | ||
128 | sodium_runtime_has_sse2(void) { | ||
129 | return _cpu_features.has_sse2; | ||
130 | } | ||
131 | |||
132 | int | ||
133 | sodium_runtime_has_sse3(void) { | ||
134 | return _cpu_features.has_sse3; | ||
135 | } | ||
136 | |||
137 | #endif | ||
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.h b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.h new file mode 100644 index 00000000..2e5efddd --- /dev/null +++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.h | |||
@@ -0,0 +1,30 @@ | |||
1 | #ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */ | ||
2 | |||
3 | #ifndef __SODIUM_RUNTIME_H__ | ||
4 | #define __SODIUM_RUNTIME_H__ 1 | ||
5 | |||
6 | #include "export.h" | ||
7 | |||
8 | #ifdef __cplusplus | ||
9 | extern "C" { | ||
10 | #endif | ||
11 | |||
12 | SODIUM_EXPORT | ||
13 | int sodium_runtime_get_cpu_features(void); | ||
14 | |||
15 | SODIUM_EXPORT | ||
16 | int sodium_runtime_has_neon(void); | ||
17 | |||
18 | SODIUM_EXPORT | ||
19 | int sodium_runtime_has_sse2(void); | ||
20 | |||
21 | SODIUM_EXPORT | ||
22 | int sodium_runtime_has_sse3(void); | ||
23 | |||
24 | #ifdef __cplusplus | ||
25 | } | ||
26 | #endif | ||
27 | |||
28 | #endif | ||
29 | |||
30 | #endif | ||
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/scrypt_platform.c b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/scrypt_platform.c new file mode 100644 index 00000000..9de9763a --- /dev/null +++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/scrypt_platform.c | |||
@@ -0,0 +1,104 @@ | |||
1 | #ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */ | ||
2 | |||
3 | /*- | ||
4 | * Copyright 2013 Alexander Peslyak | ||
5 | * All rights reserved. | ||
6 | * | ||
7 | * Redistribution and use in source and binary forms, with or without | ||
8 | * modification, are permitted. | ||
9 | * | ||
10 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND | ||
11 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
12 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
13 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | ||
14 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||
15 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||
16 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
17 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||
18 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||
19 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
20 | * SUCH DAMAGE. | ||
21 | */ | ||
22 | |||
23 | #ifdef HAVE_SYS_MMAN_H | ||
24 | # include <sys/mman.h> | ||
25 | #endif | ||
26 | #include <errno.h> | ||
27 | #include <stdlib.h> | ||
28 | |||
29 | #include "crypto_scrypt.h" | ||
30 | #include "runtime.h" | ||
31 | |||
32 | #if !defined(MAP_ANON) && defined(MAP_ANONYMOUS) | ||
33 | # define MAP_ANON MAP_ANONYMOUS | ||
34 | #endif | ||
35 | |||
36 | void * | ||
37 | alloc_region(escrypt_region_t * region, size_t size) | ||
38 | { | ||
39 | uint8_t * base, * aligned; | ||
40 | #ifdef MAP_ANON | ||
41 | if ((base = (uint8_t *) mmap(NULL, size, PROT_READ | PROT_WRITE, | ||
42 | #ifdef MAP_NOCORE | ||
43 | MAP_ANON | MAP_PRIVATE | MAP_NOCORE, | ||
44 | #else | ||
45 | MAP_ANON | MAP_PRIVATE, | ||
46 | #endif | ||
47 | -1, 0)) == MAP_FAILED) | ||
48 | base = NULL; | ||
49 | aligned = base; | ||
50 | #elif defined(HAVE_POSIX_MEMALIGN) | ||
51 | if ((errno = posix_memalign((void **) &base, 64, size)) != 0) | ||
52 | base = NULL; | ||
53 | aligned = base; | ||
54 | #else | ||
55 | base = aligned = NULL; | ||
56 | if (size + 63 < size) | ||
57 | errno = ENOMEM; | ||
58 | else if ((base = (uint8_t *) malloc(size + 63)) != NULL) { | ||
59 | aligned = base + 63; | ||
60 | aligned -= (uintptr_t)aligned & 63; | ||
61 | } | ||
62 | #endif | ||
63 | region->base = base; | ||
64 | region->aligned = aligned; | ||
65 | region->size = base ? size : 0; | ||
66 | return aligned; | ||
67 | } | ||
68 | |||
69 | static inline void | ||
70 | init_region(escrypt_region_t * region) | ||
71 | { | ||
72 | region->base = region->aligned = NULL; | ||
73 | region->size = 0; | ||
74 | } | ||
75 | |||
76 | int | ||
77 | free_region(escrypt_region_t * region) | ||
78 | { | ||
79 | if (region->base) { | ||
80 | #ifdef MAP_ANON | ||
81 | if (munmap(region->base, region->size)) | ||
82 | return -1; | ||
83 | #else | ||
84 | free(region->base); | ||
85 | #endif | ||
86 | } | ||
87 | init_region(region); | ||
88 | return 0; | ||
89 | } | ||
90 | |||
91 | int | ||
92 | escrypt_init_local(escrypt_local_t * local) | ||
93 | { | ||
94 | init_region(local); | ||
95 | return 0; | ||
96 | } | ||
97 | |||
98 | int | ||
99 | escrypt_free_local(escrypt_local_t * local) | ||
100 | { | ||
101 | return free_region(local); | ||
102 | } | ||
103 | |||
104 | #endif | ||
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c new file mode 100644 index 00000000..18cf6ae6 --- /dev/null +++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c | |||
@@ -0,0 +1,395 @@ | |||
1 | #ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */ | ||
2 | |||
3 | /*- | ||
4 | * Copyright 2009 Colin Percival | ||
5 | * Copyright 2012,2013 Alexander Peslyak | ||
6 | * All rights reserved. | ||
7 | * | ||
8 | * Redistribution and use in source and binary forms, with or without | ||
9 | * modification, are permitted provided that the following conditions | ||
10 | * are met: | ||
11 | * 1. Redistributions of source code must retain the above copyright | ||
12 | * notice, this list of conditions and the following disclaimer. | ||
13 | * 2. Redistributions in binary form must reproduce the above copyright | ||
14 | * notice, this list of conditions and the following disclaimer in the | ||
15 | * documentation and/or other materials provided with the distribution. | ||
16 | * | ||
17 | * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND | ||
18 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE | ||
19 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE | ||
20 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE | ||
21 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL | ||
22 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS | ||
23 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) | ||
24 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT | ||
25 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY | ||
26 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF | ||
27 | * SUCH DAMAGE. | ||
28 | * | ||
29 | * This file was originally written by Colin Percival as part of the Tarsnap | ||
30 | * online backup system. | ||
31 | */ | ||
32 | |||
33 | #if defined(HAVE_EMMINTRIN_H) || defined(_MSC_VER) | ||
34 | #if __GNUC__ | ||
35 | # pragma GCC target("sse2") | ||
36 | #endif | ||
37 | #include <emmintrin.h> | ||
38 | #if defined(__XOP__) && defined(DISABLED) | ||
39 | # include <x86intrin.h> | ||
40 | #endif | ||
41 | |||
42 | #include <errno.h> | ||
43 | #include <limits.h> | ||
44 | #include <stdint.h> | ||
45 | #include <stdlib.h> | ||
46 | #include <string.h> | ||
47 | |||
48 | #include "../pbkdf2-sha256.h" | ||
49 | #include "../sysendian.h" | ||
50 | #include "../crypto_scrypt.h" | ||
51 | |||
52 | #if defined(__XOP__) && defined(DISABLED) | ||
53 | #define ARX(out, in1, in2, s) \ | ||
54 | out = _mm_xor_si128(out, _mm_roti_epi32(_mm_add_epi32(in1, in2), s)); | ||
55 | #else | ||
56 | #define ARX(out, in1, in2, s) \ | ||
57 | { \ | ||
58 | __m128i T = _mm_add_epi32(in1, in2); \ | ||
59 | out = _mm_xor_si128(out, _mm_slli_epi32(T, s)); \ | ||
60 | out = _mm_xor_si128(out, _mm_srli_epi32(T, 32-s)); \ | ||
61 | } | ||
62 | #endif | ||
63 | |||
64 | #define SALSA20_2ROUNDS \ | ||
65 | /* Operate on "columns". */ \ | ||
66 | ARX(X1, X0, X3, 7) \ | ||
67 | ARX(X2, X1, X0, 9) \ | ||
68 | ARX(X3, X2, X1, 13) \ | ||
69 | ARX(X0, X3, X2, 18) \ | ||
70 | \ | ||
71 | /* Rearrange data. */ \ | ||
72 | X1 = _mm_shuffle_epi32(X1, 0x93); \ | ||
73 | X2 = _mm_shuffle_epi32(X2, 0x4E); \ | ||
74 | X3 = _mm_shuffle_epi32(X3, 0x39); \ | ||
75 | \ | ||
76 | /* Operate on "rows". */ \ | ||
77 | ARX(X3, X0, X1, 7) \ | ||
78 | ARX(X2, X3, X0, 9) \ | ||
79 | ARX(X1, X2, X3, 13) \ | ||
80 | ARX(X0, X1, X2, 18) \ | ||
81 | \ | ||
82 | /* Rearrange data. */ \ | ||
83 | X1 = _mm_shuffle_epi32(X1, 0x39); \ | ||
84 | X2 = _mm_shuffle_epi32(X2, 0x4E); \ | ||
85 | X3 = _mm_shuffle_epi32(X3, 0x93); | ||
86 | |||
87 | /** | ||
88 | * Apply the salsa20/8 core to the block provided in (X0 ... X3) ^ (Z0 ... Z3). | ||
89 | */ | ||
90 | #define SALSA20_8_XOR(in, out) \ | ||
91 | { \ | ||
92 | __m128i Y0 = X0 = _mm_xor_si128(X0, (in)[0]); \ | ||
93 | __m128i Y1 = X1 = _mm_xor_si128(X1, (in)[1]); \ | ||
94 | __m128i Y2 = X2 = _mm_xor_si128(X2, (in)[2]); \ | ||
95 | __m128i Y3 = X3 = _mm_xor_si128(X3, (in)[3]); \ | ||
96 | SALSA20_2ROUNDS \ | ||
97 | SALSA20_2ROUNDS \ | ||
98 | SALSA20_2ROUNDS \ | ||
99 | SALSA20_2ROUNDS \ | ||
100 | (out)[0] = X0 = _mm_add_epi32(X0, Y0); \ | ||
101 | (out)[1] = X1 = _mm_add_epi32(X1, Y1); \ | ||
102 | (out)[2] = X2 = _mm_add_epi32(X2, Y2); \ | ||
103 | (out)[3] = X3 = _mm_add_epi32(X3, Y3); \ | ||
104 | } | ||
105 | |||
106 | /** | ||
107 | * blockmix_salsa8(Bin, Bout, r): | ||
108 | * Compute Bout = BlockMix_{salsa20/8, r}(Bin). The input Bin must be 128r | ||
109 | * bytes in length; the output Bout must also be the same size. | ||
110 | */ | ||
111 | static inline void | ||
112 | blockmix_salsa8(const __m128i * Bin, __m128i * Bout, size_t r) | ||
113 | { | ||
114 | __m128i X0, X1, X2, X3; | ||
115 | size_t i; | ||
116 | |||
117 | /* 1: X <-- B_{2r - 1} */ | ||
118 | X0 = Bin[8 * r - 4]; | ||
119 | X1 = Bin[8 * r - 3]; | ||
120 | X2 = Bin[8 * r - 2]; | ||
121 | X3 = Bin[8 * r - 1]; | ||
122 | |||
123 | /* 3: X <-- H(X \xor B_i) */ | ||
124 | /* 4: Y_i <-- X */ | ||
125 | /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ | ||
126 | SALSA20_8_XOR(Bin, Bout) | ||
127 | |||
128 | /* 2: for i = 0 to 2r - 1 do */ | ||
129 | r--; | ||
130 | for (i = 0; i < r;) { | ||
131 | /* 3: X <-- H(X \xor B_i) */ | ||
132 | /* 4: Y_i <-- X */ | ||
133 | /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ | ||
134 | SALSA20_8_XOR(&Bin[i * 8 + 4], &Bout[(r + i) * 4 + 4]) | ||
135 | |||
136 | i++; | ||
137 | |||
138 | /* 3: X <-- H(X \xor B_i) */ | ||
139 | /* 4: Y_i <-- X */ | ||
140 | /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ | ||
141 | SALSA20_8_XOR(&Bin[i * 8], &Bout[i * 4]) | ||
142 | } | ||
143 | |||
144 | /* 3: X <-- H(X \xor B_i) */ | ||
145 | /* 4: Y_i <-- X */ | ||
146 | /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ | ||
147 | SALSA20_8_XOR(&Bin[i * 8 + 4], &Bout[(r + i) * 4 + 4]) | ||
148 | } | ||
149 | |||
150 | #define XOR4(in) \ | ||
151 | X0 = _mm_xor_si128(X0, (in)[0]); \ | ||
152 | X1 = _mm_xor_si128(X1, (in)[1]); \ | ||
153 | X2 = _mm_xor_si128(X2, (in)[2]); \ | ||
154 | X3 = _mm_xor_si128(X3, (in)[3]); | ||
155 | |||
156 | #define XOR4_2(in1, in2) \ | ||
157 | X0 = _mm_xor_si128((in1)[0], (in2)[0]); \ | ||
158 | X1 = _mm_xor_si128((in1)[1], (in2)[1]); \ | ||
159 | X2 = _mm_xor_si128((in1)[2], (in2)[2]); \ | ||
160 | X3 = _mm_xor_si128((in1)[3], (in2)[3]); | ||
161 | |||
162 | static inline uint32_t | ||
163 | blockmix_salsa8_xor(const __m128i * Bin1, const __m128i * Bin2, __m128i * Bout, | ||
164 | size_t r) | ||
165 | { | ||
166 | __m128i X0, X1, X2, X3; | ||
167 | size_t i; | ||
168 | |||
169 | /* 1: X <-- B_{2r - 1} */ | ||
170 | XOR4_2(&Bin1[8 * r - 4], &Bin2[8 * r - 4]) | ||
171 | |||
172 | /* 3: X <-- H(X \xor B_i) */ | ||
173 | /* 4: Y_i <-- X */ | ||
174 | /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ | ||
175 | XOR4(Bin1) | ||
176 | SALSA20_8_XOR(Bin2, Bout) | ||
177 | |||
178 | /* 2: for i = 0 to 2r - 1 do */ | ||
179 | r--; | ||
180 | for (i = 0; i < r;) { | ||
181 | /* 3: X <-- H(X \xor B_i) */ | ||
182 | /* 4: Y_i <-- X */ | ||
183 | /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ | ||
184 | XOR4(&Bin1[i * 8 + 4]) | ||
185 | SALSA20_8_XOR(&Bin2[i * 8 + 4], &Bout[(r + i) * 4 + 4]) | ||
186 | |||
187 | i++; | ||
188 | |||
189 | /* 3: X <-- H(X \xor B_i) */ | ||
190 | /* 4: Y_i <-- X */ | ||
191 | /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ | ||
192 | XOR4(&Bin1[i * 8]) | ||
193 | SALSA20_8_XOR(&Bin2[i * 8], &Bout[i * 4]) | ||
194 | } | ||
195 | |||
196 | /* 3: X <-- H(X \xor B_i) */ | ||
197 | /* 4: Y_i <-- X */ | ||
198 | /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ | ||
199 | XOR4(&Bin1[i * 8 + 4]) | ||
200 | SALSA20_8_XOR(&Bin2[i * 8 + 4], &Bout[(r + i) * 4 + 4]) | ||
201 | |||
202 | return _mm_cvtsi128_si32(X0); | ||
203 | } | ||
204 | |||
205 | #undef ARX | ||
206 | #undef SALSA20_2ROUNDS | ||
207 | #undef SALSA20_8_XOR | ||
208 | #undef XOR4 | ||
209 | #undef XOR4_2 | ||
210 | |||
211 | /** | ||
212 | * integerify(B, r): | ||
213 | * Return the result of parsing B_{2r-1} as a little-endian integer. | ||
214 | */ | ||
215 | static inline uint32_t | ||
216 | integerify(const void * B, size_t r) | ||
217 | { | ||
218 | return *(const uint32_t *)((uintptr_t)(B) + (2 * r - 1) * 64); | ||
219 | } | ||
220 | |||
221 | /** | ||
222 | * smix(B, r, N, V, XY): | ||
223 | * Compute B = SMix_r(B, N). The input B must be 128r bytes in length; | ||
224 | * the temporary storage V must be 128rN bytes in length; the temporary | ||
225 | * storage XY must be 256r + 64 bytes in length. The value N must be a | ||
226 | * power of 2 greater than 1. The arrays B, V, and XY must be aligned to a | ||
227 | * multiple of 64 bytes. | ||
228 | */ | ||
229 | static void | ||
230 | smix(uint8_t * B, size_t r, uint32_t N, void * V, void * XY) | ||
231 | { | ||
232 | size_t s = 128 * r; | ||
233 | __m128i * X = (__m128i *) V, * Y; | ||
234 | uint32_t * X32 = (uint32_t *) V; | ||
235 | uint32_t i, j; | ||
236 | size_t k; | ||
237 | |||
238 | /* 1: X <-- B */ | ||
239 | /* 3: V_i <-- X */ | ||
240 | for (k = 0; k < 2 * r; k++) { | ||
241 | for (i = 0; i < 16; i++) { | ||
242 | X32[k * 16 + i] = | ||
243 | le32dec(&B[(k * 16 + (i * 5 % 16)) * 4]); | ||
244 | } | ||
245 | } | ||
246 | |||
247 | /* 2: for i = 0 to N - 1 do */ | ||
248 | for (i = 1; i < N - 1; i += 2) { | ||
249 | /* 4: X <-- H(X) */ | ||
250 | /* 3: V_i <-- X */ | ||
251 | Y = (__m128i *)((uintptr_t)(V) + i * s); | ||
252 | blockmix_salsa8(X, Y, r); | ||
253 | |||
254 | /* 4: X <-- H(X) */ | ||
255 | /* 3: V_i <-- X */ | ||
256 | X = (__m128i *)((uintptr_t)(V) + (i + 1) * s); | ||
257 | blockmix_salsa8(Y, X, r); | ||
258 | } | ||
259 | |||
260 | /* 4: X <-- H(X) */ | ||
261 | /* 3: V_i <-- X */ | ||
262 | Y = (__m128i *)((uintptr_t)(V) + i * s); | ||
263 | blockmix_salsa8(X, Y, r); | ||
264 | |||
265 | /* 4: X <-- H(X) */ | ||
266 | /* 3: V_i <-- X */ | ||
267 | X = (__m128i *) XY; | ||
268 | blockmix_salsa8(Y, X, r); | ||
269 | |||
270 | X32 = (uint32_t *) XY; | ||
271 | Y = (__m128i *)((uintptr_t)(XY) + s); | ||
272 | |||
273 | /* 7: j <-- Integerify(X) mod N */ | ||
274 | j = integerify(X, r) & (N - 1); | ||
275 | |||
276 | /* 6: for i = 0 to N - 1 do */ | ||
277 | for (i = 0; i < N; i += 2) { | ||
278 | __m128i * V_j = (__m128i *)((uintptr_t)(V) + j * s); | ||
279 | |||
280 | /* 8: X <-- H(X \xor V_j) */ | ||
281 | /* 7: j <-- Integerify(X) mod N */ | ||
282 | j = blockmix_salsa8_xor(X, V_j, Y, r) & (N - 1); | ||
283 | V_j = (__m128i *)((uintptr_t)(V) + j * s); | ||
284 | |||
285 | /* 8: X <-- H(X \xor V_j) */ | ||
286 | /* 7: j <-- Integerify(X) mod N */ | ||
287 | j = blockmix_salsa8_xor(Y, V_j, X, r) & (N - 1); | ||
288 | } | ||
289 | |||
290 | /* 10: B' <-- X */ | ||
291 | for (k = 0; k < 2 * r; k++) { | ||
292 | for (i = 0; i < 16; i++) { | ||
293 | le32enc(&B[(k * 16 + (i * 5 % 16)) * 4], | ||
294 | X32[k * 16 + i]); | ||
295 | } | ||
296 | } | ||
297 | } | ||
298 | |||
299 | /** | ||
300 | * escrypt_kdf(local, passwd, passwdlen, salt, saltlen, | ||
301 | * N, r, p, buf, buflen): | ||
302 | * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r, | ||
303 | * p, buflen) and write the result into buf. The parameters r, p, and buflen | ||
304 | * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32. The parameter N | ||
305 | * must be a power of 2 greater than 1. | ||
306 | * | ||
307 | * Return 0 on success; or -1 on error. | ||
308 | */ | ||
309 | int | ||
310 | escrypt_kdf_sse(escrypt_local_t * local, | ||
311 | const uint8_t * passwd, size_t passwdlen, | ||
312 | const uint8_t * salt, size_t saltlen, | ||
313 | uint64_t N, uint32_t _r, uint32_t _p, | ||
314 | uint8_t * buf, size_t buflen) | ||
315 | { | ||
316 | size_t B_size, V_size, XY_size, need; | ||
317 | uint8_t * B; | ||
318 | uint32_t * V, * XY; | ||
319 | size_t r = _r, p = _p; | ||
320 | uint32_t i; | ||
321 | |||
322 | /* Sanity-check parameters. */ | ||
323 | #if SIZE_MAX > UINT32_MAX | ||
324 | if (buflen > (((uint64_t)(1) << 32) - 1) * 32) { | ||
325 | errno = EFBIG; | ||
326 | return -1; | ||
327 | } | ||
328 | #endif | ||
329 | if ((uint64_t)(r) * (uint64_t)(p) >= (1 << 30)) { | ||
330 | errno = EFBIG; | ||
331 | return -1; | ||
332 | } | ||
333 | if (N > UINT32_MAX) { | ||
334 | errno = EFBIG; | ||
335 | return -1; | ||
336 | } | ||
337 | if (((N & (N - 1)) != 0) || (N < 2)) { | ||
338 | errno = EINVAL; | ||
339 | return -1; | ||
340 | } | ||
341 | if (r == 0 || p == 0) { | ||
342 | errno = EINVAL; | ||
343 | return -1; | ||
344 | } | ||
345 | if ((r > SIZE_MAX / 128 / p) || | ||
346 | #if SIZE_MAX / 256 <= UINT32_MAX | ||
347 | (r > SIZE_MAX / 256) || | ||
348 | #endif | ||
349 | (N > SIZE_MAX / 128 / r)) { | ||
350 | errno = ENOMEM; | ||
351 | return -1; | ||
352 | } | ||
353 | |||
354 | /* Allocate memory. */ | ||
355 | B_size = (size_t)128 * r * p; | ||
356 | V_size = (size_t)128 * r * N; | ||
357 | need = B_size + V_size; | ||
358 | if (need < V_size) { | ||
359 | errno = ENOMEM; | ||
360 | return -1; | ||
361 | } | ||
362 | XY_size = (size_t)256 * r + 64; | ||
363 | need += XY_size; | ||
364 | if (need < XY_size) { | ||
365 | errno = ENOMEM; | ||
366 | return -1; | ||
367 | } | ||
368 | if (local->size < need) { | ||
369 | if (free_region(local)) | ||
370 | return -1; | ||
371 | if (!alloc_region(local, need)) | ||
372 | return -1; | ||
373 | } | ||
374 | B = (uint8_t *)local->aligned; | ||
375 | V = (uint32_t *)((uint8_t *)B + B_size); | ||
376 | XY = (uint32_t *)((uint8_t *)V + V_size); | ||
377 | |||
378 | /* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */ | ||
379 | PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size); | ||
380 | |||
381 | /* 2: for i = 0 to p - 1 do */ | ||
382 | for (i = 0; i < p; i++) { | ||
383 | /* 3: B_i <-- MF(B_i, N) */ | ||
384 | smix(&B[(size_t)128 * i * r], r, N, V, XY); | ||
385 | } | ||
386 | |||
387 | /* 5: DK <-- PBKDF2(P, B, 1, dkLen) */ | ||
388 | PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen); | ||
389 | |||
390 | /* Success! */ | ||
391 | return 0; | ||
392 | } | ||
393 | #endif | ||
394 | |||
395 | #endif | ||
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sysendian.h b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sysendian.h new file mode 100644 index 00000000..e28c5202 --- /dev/null +++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sysendian.h | |||
@@ -0,0 +1,150 @@ | |||
1 | #ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */ | ||
2 | |||
3 | #ifndef _SYSENDIAN_H_ | ||
4 | #define _SYSENDIAN_H_ | ||
5 | |||
6 | #include <stdint.h> | ||
7 | |||
8 | /* Avoid namespace collisions with BSD <sys/endian.h>. */ | ||
9 | #define be16dec scrypt_be16dec | ||
10 | #define be16enc scrypt_be16enc | ||
11 | #define be32dec scrypt_be32dec | ||
12 | #define be32enc scrypt_be32enc | ||
13 | #define be64dec scrypt_be64dec | ||
14 | #define be64enc scrypt_be64enc | ||
15 | #define le16dec scrypt_le16dec | ||
16 | #define le16enc scrypt_le16enc | ||
17 | #define le32dec scrypt_le32dec | ||
18 | #define le32enc scrypt_le32enc | ||
19 | #define le64dec scrypt_le64dec | ||
20 | #define le64enc scrypt_le64enc | ||
21 | |||
22 | static inline uint16_t | ||
23 | be16dec(const void *pp) | ||
24 | { | ||
25 | const uint8_t *p = (uint8_t const *)pp; | ||
26 | |||
27 | return ((uint16_t)(p[1]) + ((uint16_t)(p[0]) << 8)); | ||
28 | } | ||
29 | |||
30 | static inline void | ||
31 | be16enc(void *pp, uint16_t x) | ||
32 | { | ||
33 | uint8_t * p = (uint8_t *)pp; | ||
34 | |||
35 | p[1] = x & 0xff; | ||
36 | p[0] = (x >> 8) & 0xff; | ||
37 | } | ||
38 | |||
39 | static inline uint32_t | ||
40 | be32dec(const void *pp) | ||
41 | { | ||
42 | const uint8_t *p = (uint8_t const *)pp; | ||
43 | |||
44 | return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) + | ||
45 | ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24)); | ||
46 | } | ||
47 | |||
48 | static inline void | ||
49 | be32enc(void *pp, uint32_t x) | ||
50 | { | ||
51 | uint8_t * p = (uint8_t *)pp; | ||
52 | |||
53 | p[3] = x & 0xff; | ||
54 | p[2] = (x >> 8) & 0xff; | ||
55 | p[1] = (x >> 16) & 0xff; | ||
56 | p[0] = (x >> 24) & 0xff; | ||
57 | } | ||
58 | |||
59 | static inline uint64_t | ||
60 | be64dec(const void *pp) | ||
61 | { | ||
62 | const uint8_t *p = (uint8_t const *)pp; | ||
63 | |||
64 | return ((uint64_t)(p[7]) + ((uint64_t)(p[6]) << 8) + | ||
65 | ((uint64_t)(p[5]) << 16) + ((uint64_t)(p[4]) << 24) + | ||
66 | ((uint64_t)(p[3]) << 32) + ((uint64_t)(p[2]) << 40) + | ||
67 | ((uint64_t)(p[1]) << 48) + ((uint64_t)(p[0]) << 56)); | ||
68 | } | ||
69 | |||
70 | static inline void | ||
71 | be64enc(void *pp, uint64_t x) | ||
72 | { | ||
73 | uint8_t * p = (uint8_t *)pp; | ||
74 | |||
75 | p[7] = x & 0xff; | ||
76 | p[6] = (x >> 8) & 0xff; | ||
77 | p[5] = (x >> 16) & 0xff; | ||
78 | p[4] = (x >> 24) & 0xff; | ||
79 | p[3] = (x >> 32) & 0xff; | ||
80 | p[2] = (x >> 40) & 0xff; | ||
81 | p[1] = (x >> 48) & 0xff; | ||
82 | p[0] = (x >> 56) & 0xff; | ||
83 | } | ||
84 | |||
85 | static inline uint16_t | ||
86 | le16dec(const void *pp) | ||
87 | { | ||
88 | const uint8_t *p = (uint8_t const *)pp; | ||
89 | |||
90 | return ((uint16_t)(p[0]) + ((uint16_t)(p[1]) << 8)); | ||
91 | } | ||
92 | |||
93 | static inline void | ||
94 | le16enc(void *pp, uint16_t x) | ||
95 | { | ||
96 | uint8_t * p = (uint8_t *)pp; | ||
97 | |||
98 | p[0] = x & 0xff; | ||
99 | p[1] = (x >> 8) & 0xff; | ||
100 | } | ||
101 | |||
102 | static inline uint32_t | ||
103 | le32dec(const void *pp) | ||
104 | { | ||
105 | const uint8_t *p = (uint8_t const *)pp; | ||
106 | |||
107 | return ((uint32_t)(p[0]) + ((uint32_t)(p[1]) << 8) + | ||
108 | ((uint32_t)(p[2]) << 16) + ((uint32_t)(p[3]) << 24)); | ||
109 | } | ||
110 | |||
111 | static inline void | ||
112 | le32enc(void *pp, uint32_t x) | ||
113 | { | ||
114 | uint8_t * p = (uint8_t *)pp; | ||
115 | |||
116 | p[0] = x & 0xff; | ||
117 | p[1] = (x >> 8) & 0xff; | ||
118 | p[2] = (x >> 16) & 0xff; | ||
119 | p[3] = (x >> 24) & 0xff; | ||
120 | } | ||
121 | |||
122 | static inline uint64_t | ||
123 | le64dec(const void *pp) | ||
124 | { | ||
125 | const uint8_t *p = (uint8_t const *)pp; | ||
126 | |||
127 | return ((uint64_t)(p[0]) + ((uint64_t)(p[1]) << 8) + | ||
128 | ((uint64_t)(p[2]) << 16) + ((uint64_t)(p[3]) << 24) + | ||
129 | ((uint64_t)(p[4]) << 32) + ((uint64_t)(p[5]) << 40) + | ||
130 | ((uint64_t)(p[6]) << 48) + ((uint64_t)(p[7]) << 56)); | ||
131 | } | ||
132 | |||
133 | static inline void | ||
134 | le64enc(void *pp, uint64_t x) | ||
135 | { | ||
136 | uint8_t * p = (uint8_t *)pp; | ||
137 | |||
138 | p[0] = x & 0xff; | ||
139 | p[1] = (x >> 8) & 0xff; | ||
140 | p[2] = (x >> 16) & 0xff; | ||
141 | p[3] = (x >> 24) & 0xff; | ||
142 | p[4] = (x >> 32) & 0xff; | ||
143 | p[5] = (x >> 40) & 0xff; | ||
144 | p[6] = (x >> 48) & 0xff; | ||
145 | p[7] = (x >> 56) & 0xff; | ||
146 | } | ||
147 | |||
148 | #endif /* !_SYSENDIAN_H_ */ | ||
149 | |||
150 | #endif | ||
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.c b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.c new file mode 100644 index 00000000..677633b4 --- /dev/null +++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.c | |||
@@ -0,0 +1,75 @@ | |||
1 | #ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */ | ||
2 | |||
3 | #ifndef __STDC_WANT_LIB_EXT1__ | ||
4 | # define __STDC_WANT_LIB_EXT1__ 1 | ||
5 | #endif | ||
6 | #include <assert.h> | ||
7 | #include <errno.h> | ||
8 | #include <limits.h> | ||
9 | #include <signal.h> | ||
10 | #include <stddef.h> | ||
11 | #include <stdint.h> | ||
12 | #include <stdlib.h> | ||
13 | #include <string.h> | ||
14 | |||
15 | #ifdef HAVE_SYS_MMAN_H | ||
16 | # include <sys/mman.h> | ||
17 | #endif | ||
18 | |||
19 | #include "utils.h" | ||
20 | |||
21 | #ifdef _WIN32 | ||
22 | # include <windows.h> | ||
23 | # include <wincrypt.h> | ||
24 | #else | ||
25 | # include <unistd.h> | ||
26 | #endif | ||
27 | |||
28 | #ifdef HAVE_WEAK_SYMBOLS | ||
29 | __attribute__((weak)) void | ||
30 | __sodium_dummy_symbol_to_prevent_lto(void * const pnt, const size_t len) | ||
31 | { | ||
32 | (void) pnt; | ||
33 | (void) len; | ||
34 | } | ||
35 | #endif | ||
36 | |||
37 | void | ||
38 | sodium_memzero(void * const pnt, const size_t len) | ||
39 | { | ||
40 | #ifdef _WIN32 | ||
41 | SecureZeroMemory(pnt, len); | ||
42 | #elif defined(HAVE_MEMSET_S) | ||
43 | if (memset_s(pnt, (rsize_t) len, 0, (rsize_t) len) != 0) { | ||
44 | abort(); | ||
45 | } | ||
46 | #elif defined(HAVE_EXPLICIT_BZERO) | ||
47 | explicit_bzero(pnt, len); | ||
48 | #elif HAVE_WEAK_SYMBOLS | ||
49 | memset(pnt, 0, len); | ||
50 | __sodium_dummy_symbol_to_prevent_lto(pnt, len); | ||
51 | #else | ||
52 | volatile unsigned char *pnt_ = (volatile unsigned char *) pnt; | ||
53 | size_t i = (size_t) 0U; | ||
54 | |||
55 | while (i < len) { | ||
56 | pnt_[i++] = 0U; | ||
57 | } | ||
58 | #endif | ||
59 | } | ||
60 | |||
61 | int | ||
62 | sodium_memcmp(const void * const b1_, const void * const b2_, size_t len) | ||
63 | { | ||
64 | const unsigned char *b1 = (const unsigned char *) b1_; | ||
65 | const unsigned char *b2 = (const unsigned char *) b2_; | ||
66 | size_t i; | ||
67 | unsigned char d = (unsigned char) 0U; | ||
68 | |||
69 | for (i = 0U; i < len; i++) { | ||
70 | d |= b1[i] ^ b2[i]; | ||
71 | } | ||
72 | return (int) ((1 & ((d - 1) >> 8)) - 1); | ||
73 | } | ||
74 | |||
75 | #endif | ||
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.h b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.h new file mode 100644 index 00000000..7d5214e1 --- /dev/null +++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.h | |||
@@ -0,0 +1,37 @@ | |||
1 | #ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */ | ||
2 | |||
3 | #ifndef __SODIUM_UTILS_H__ | ||
4 | #define __SODIUM_UTILS_H__ | ||
5 | |||
6 | #include <stddef.h> | ||
7 | |||
8 | #include "export.h" | ||
9 | |||
10 | #ifdef __cplusplus | ||
11 | extern "C" { | ||
12 | #endif | ||
13 | |||
14 | #if defined(__cplusplus) || !defined(__STDC_VERSION__) || __STDC_VERSION__ < 199901L | ||
15 | # define _SODIUM_C99(X) | ||
16 | #else | ||
17 | # define _SODIUM_C99(X) X | ||
18 | #endif | ||
19 | |||
20 | SODIUM_EXPORT | ||
21 | void sodium_memzero(void * const pnt, const size_t len); | ||
22 | |||
23 | /* WARNING: sodium_memcmp() must be used to verify if two secret keys | ||
24 | * are equal, in constant time. | ||
25 | * It returns 0 if the keys are equal, and -1 if they differ. | ||
26 | * This function is not designed for lexicographical comparisons. | ||
27 | */ | ||
28 | SODIUM_EXPORT | ||
29 | int sodium_memcmp(const void * const b1_, const void * const b2_, size_t len); | ||
30 | |||
31 | #ifdef __cplusplus | ||
32 | } | ||
33 | #endif | ||
34 | |||
35 | #endif | ||
36 | |||
37 | #endif | ||
diff --git a/toxencryptsave/toxencryptsave.c b/toxencryptsave/toxencryptsave.c new file mode 100644 index 00000000..f6fc7f9e --- /dev/null +++ b/toxencryptsave/toxencryptsave.c | |||
@@ -0,0 +1,135 @@ | |||
1 | /* toxencryptsave.c | ||
2 | * | ||
3 | * The Tox encrypted save functions. | ||
4 | * | ||
5 | * Copyright (C) 2013 Tox project All Rights Reserved. | ||
6 | * | ||
7 | * This file is part of Tox. | ||
8 | * | ||
9 | * Tox is free software: you can redistribute it and/or modify | ||
10 | * it under the terms of the GNU General Public License as published by | ||
11 | * the Free Software Foundation, either version 3 of the License, or | ||
12 | * (at your option) any later version. | ||
13 | * | ||
14 | * Tox is distributed in the hope that it will be useful, | ||
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
17 | * GNU General Public License for more details. | ||
18 | * | ||
19 | * You should have received a copy of the GNU General Public License | ||
20 | * along with Tox. If not, see <http://www.gnu.org/licenses/>. | ||
21 | * | ||
22 | */ | ||
23 | |||
24 | #include "toxencryptsave.h" | ||
25 | |||
26 | /* This "module" provides functions analogous to tox_load and tox_save in toxcore | ||
27 | * Clients should consider alerting their users that, unlike plain data, if even one bit | ||
28 | * becomes corrupted, the data will be entirely unrecoverable. | ||
29 | * Ditto if they forget their password, there is no way to recover the data. | ||
30 | */ | ||
31 | |||
32 | /* return size of the messenger data (for encrypted saving). */ | ||
33 | uint32_t tox_encrypted_size(const Tox *tox) | ||
34 | { | ||
35 | return tox_size(tox) + crypto_box_MACBYTES + crypto_box_NONCEBYTES | ||
36 | + crypto_pwhash_scryptsalsa208sha256_SALTBYTES; | ||
37 | } | ||
38 | |||
39 | /* Save the messenger data encrypted with the given password. | ||
40 | * data must be at least tox_encrypted_size(). | ||
41 | * | ||
42 | * returns 0 on success | ||
43 | * returns -1 on failure | ||
44 | */ | ||
45 | int tox_encrypted_save(const Tox *tox, uint8_t *data, uint8_t *passphrase, uint32_t pplength) | ||
46 | { | ||
47 | if (pplength == 0) | ||
48 | return -1; | ||
49 | |||
50 | /* First derive a key from the password */ | ||
51 | /* http://doc.libsodium.org/key_derivation/README.html */ | ||
52 | /* note that, according to the documentation, a generic pwhash interface will be created | ||
53 | * once the pwhash competition (https://password-hashing.net/) is over */ | ||
54 | uint8_t salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES]; | ||
55 | uint8_t key[crypto_box_KEYBYTES]; | ||
56 | randombytes_buf(salt, sizeof salt); | ||
57 | |||
58 | if (crypto_pwhash_scryptsalsa208sha256( | ||
59 | key, sizeof(key), passphrase, pplength, salt, | ||
60 | crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE * 2, /* slightly stronger */ | ||
61 | crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE) != 0) { | ||
62 | /* out of memory most likely */ | ||
63 | return -1; | ||
64 | } | ||
65 | sodium_memzero(passphrase, pplength); /* wipe plaintext pw */ | ||
66 | |||
67 | /* next get plain save data */ | ||
68 | uint32_t temp_size = tox_size(tox); | ||
69 | uint8_t temp_data[temp_size]; | ||
70 | tox_save(tox, temp_data); | ||
71 | |||
72 | /* now encrypt. | ||
73 | * the output data consists of, in order: | ||
74 | * salt, nonce, mac, enc_data | ||
75 | * where the mac is automatically prepended by the encrypt() | ||
76 | * the salt+nonce is called the prefix | ||
77 | * I'm not sure what else I'm supposed to do with the salt and nonce, since we | ||
78 | * need them to decrypt the data | ||
79 | */ | ||
80 | uint32_t prefix_size = crypto_box_NONCEBYTES+crypto_pwhash_scryptsalsa208sha256_SALTBYTES; | ||
81 | |||
82 | uint8_t nonce[crypto_box_NONCEBYTES]; | ||
83 | random_nonce(nonce); | ||
84 | |||
85 | if (encrypt_data_symmetric(key, nonce, temp_data, temp_size, data + prefix_size) | ||
86 | != temp_size + crypto_box_MACBYTES) { | ||
87 | return -1; | ||
88 | } | ||
89 | |||
90 | /* add the prefix */ | ||
91 | memcpy(data, salt, crypto_pwhash_scryptsalsa208sha256_SALTBYTES); | ||
92 | memcpy(data + crypto_pwhash_scryptsalsa208sha256_SALTBYTES, nonce, crypto_box_NONCEBYTES); | ||
93 | |||
94 | return 0; | ||
95 | } | ||
96 | |||
97 | /* Load the messenger from encrypted data of size length. | ||
98 | * | ||
99 | * returns 0 on success | ||
100 | * returns -1 on failure | ||
101 | */ | ||
102 | int tox_encrypted_load(Tox *tox, const uint8_t *data, uint32_t length, uint8_t *passphrase, uint32_t pplength) | ||
103 | { | ||
104 | if (length <= crypto_box_MACBYTES + crypto_box_NONCEBYTES + crypto_pwhash_scryptsalsa208sha256_SALTBYTES) | ||
105 | return -1; | ||
106 | |||
107 | uint32_t decrypt_length = length - crypto_box_MACBYTES - crypto_box_NONCEBYTES | ||
108 | - crypto_pwhash_scryptsalsa208sha256_SALTBYTES; | ||
109 | uint8_t salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES]; | ||
110 | uint8_t nonce[crypto_box_NONCEBYTES]; | ||
111 | |||
112 | memcpy(salt, data, crypto_pwhash_scryptsalsa208sha256_SALTBYTES); | ||
113 | memcpy(nonce, data + crypto_pwhash_scryptsalsa208sha256_SALTBYTES, crypto_box_NONCEBYTES); | ||
114 | |||
115 | /* derive the key */ | ||
116 | uint8_t key[crypto_box_KEYBYTES]; | ||
117 | if (crypto_pwhash_scryptsalsa208sha256( | ||
118 | key, sizeof(key), passphrase, pplength, salt, | ||
119 | crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE * 2, /* slightly stronger */ | ||
120 | crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE) != 0) { | ||
121 | /* out of memory most likely */ | ||
122 | return -1; | ||
123 | } | ||
124 | sodium_memzero(passphrase, pplength); /* wipe plaintext pw */ | ||
125 | |||
126 | /* decrypt the data */ | ||
127 | uint8_t temp_data[decrypt_length]; | ||
128 | if (decrypt_data_symmetric(key, nonce, data+crypto_pwhash_scryptsalsa208sha256_SALTBYTES+crypto_box_NONCEBYTES, | ||
129 | decrypt_length + crypto_box_MACBYTES, temp_data) | ||
130 | != decrypt_length) { | ||
131 | return -1; | ||
132 | } | ||
133 | |||
134 | return tox_load(tox, temp_data, decrypt_length); | ||
135 | } | ||
diff --git a/toxencryptsave/toxencryptsave.h b/toxencryptsave/toxencryptsave.h new file mode 100644 index 00000000..f28ea731 --- /dev/null +++ b/toxencryptsave/toxencryptsave.h | |||
@@ -0,0 +1,67 @@ | |||
1 | /* toxencryptsave.h | ||
2 | * | ||
3 | * The Tox encrypted save functions. | ||
4 | * | ||
5 | * Copyright (C) 2013 Tox project All Rights Reserved. | ||
6 | * | ||
7 | * This file is part of Tox. | ||
8 | * | ||
9 | * Tox is free software: you can redistribute it and/or modify | ||
10 | * it under the terms of the GNU General Public License as published by | ||
11 | * the Free Software Foundation, either version 3 of the License, or | ||
12 | * (at your option) any later version. | ||
13 | * | ||
14 | * Tox is distributed in the hope that it will be useful, | ||
15 | * but WITHOUT ANY WARRANTY; without even the implied warranty of | ||
16 | * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the | ||
17 | * GNU General Public License for more details. | ||
18 | * | ||
19 | * You should have received a copy of the GNU General Public License | ||
20 | * along with Tox. If not, see <http://www.gnu.org/licenses/>. | ||
21 | * | ||
22 | */ | ||
23 | |||
24 | #ifndef TOXENCRYPTSAVE_H | ||
25 | #define TOXENCRYPTSAVE_H | ||
26 | |||
27 | #ifdef VANILLA_NACL | ||
28 | #include "crypto_pwhash_scryptsalsa208sha256/crypto_pwhash_scryptsalsa208sha256.h" | ||
29 | #include "crypto_pwhash_scryptsalsa208sha256/utils.h" /* sodium_memzero */ | ||
30 | #endif | ||
31 | |||
32 | #include "../toxcore/tox.h" | ||
33 | #include "../toxcore/crypto_core.h" | ||
34 | |||
35 | #ifdef __cplusplus | ||
36 | extern "C" { | ||
37 | #endif | ||
38 | |||
39 | /* This "module" provides functions analogous to tox_load and tox_save in toxcore | ||
40 | * Clients should consider alerting their users that, unlike plain data, if even one bit | ||
41 | * becomes corrupted, the data will be entirely unrecoverable. | ||
42 | * Ditto if they forget their password, there is no way to recover the data. | ||
43 | */ | ||
44 | |||
45 | /* return size of the messenger data (for encrypted saving). */ | ||
46 | uint32_t tox_encrypted_size(const Tox *tox); | ||
47 | |||
48 | /* Save the messenger data encrypted with the given password. | ||
49 | * data must be at least tox_encrypted_size(). | ||
50 | * | ||
51 | * returns 0 on success | ||
52 | * returns -1 on failure | ||
53 | */ | ||
54 | int tox_encrypted_save(const Tox *tox, uint8_t *data, uint8_t *passphrase, uint32_t pplength); | ||
55 | |||
56 | /* Load the messenger from encrypted data of size length. | ||
57 | * | ||
58 | * returns 0 on success | ||
59 | * returns -1 on failure | ||
60 | */ | ||
61 | int tox_encrypted_load(Tox *tox, const uint8_t *data, uint32_t length, uint8_t *passphrase, uint32_t pplength); | ||
62 | |||
63 | #ifdef __cplusplus | ||
64 | } | ||
65 | #endif | ||
66 | |||
67 | #endif | ||