summaryrefslogtreecommitdiff
path: root/toxencryptsave
diff options
context:
space:
mode:
authorDubslow <bunslow@gmail.com>2014-09-09 12:23:09 -0500
committerDubslow <bunslow@gmail.com>2014-09-09 12:23:09 -0500
commit7eb7e68805aa795dcb6dbd1a35113ce703e24267 (patch)
tree4a8753004403e48d42a7924ad1933a7dfe2e9003 /toxencryptsave
parent46e03c4c2beaf01ec5a6bc090b80fae7bf1da2a0 (diff)
compiling against nacl seems to break VANILLA_NACL...
Diffstat (limited to 'toxencryptsave')
-rw-r--r--toxencryptsave/Makefile.inc45
-rw-r--r--toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_pwhash_scryptsalsa208sha256.h89
-rw-r--r--toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt-common.c254
-rw-r--r--toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt.h90
-rw-r--r--toxencryptsave/crypto_pwhash_scryptsalsa208sha256/export.h35
-rw-r--r--toxencryptsave/crypto_pwhash_scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c306
-rw-r--r--toxencryptsave/crypto_pwhash_scryptsalsa208sha256/note_to_maintainers.txt14
-rw-r--r--toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.c88
-rw-r--r--toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.h49
-rw-r--r--toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c207
-rw-r--r--toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.c137
-rw-r--r--toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.h30
-rw-r--r--toxencryptsave/crypto_pwhash_scryptsalsa208sha256/scrypt_platform.c104
-rw-r--r--toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c395
-rw-r--r--toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sysendian.h150
-rw-r--r--toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.c75
-rw-r--r--toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.h37
-rw-r--r--toxencryptsave/toxencryptsave.c135
-rw-r--r--toxencryptsave/toxencryptsave.h67
19 files changed, 2307 insertions, 0 deletions
diff --git a/toxencryptsave/Makefile.inc b/toxencryptsave/Makefile.inc
new file mode 100644
index 00000000..1155e954
--- /dev/null
+++ b/toxencryptsave/Makefile.inc
@@ -0,0 +1,45 @@
1lib_LTLIBRARIES += libtoxencryptsave.la
2
3libtoxencryptsave_la_include_HEADERS = \
4 ../toxencryptsave/toxencryptsave.h
5
6libtoxencryptsave_la_includedir = $(includedir)/tox
7
8libtoxencryptsave_la_SOURCES = ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_pwhash_scryptsalsa208sha256.h \
9 ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt.h \
10 ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.c \
11 ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c \
12 ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.h \
13 ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.c \
14 ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt-common.c \
15 ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/export.h \
16 ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.h \
17 ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.c \
18 ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/scrypt_platform.c \
19 ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sysendian.h \
20 ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.h \
21 ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c \
22 ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c \
23 ../toxencryptsave/toxencryptsave.h \
24 ../toxencryptsave/toxencryptsave.c
25
26
27libtoxencryptsave_la_CFLAGS = -I$(top_srcdir) \
28 -I$(top_srcdir)/toxcore \
29 $(LIBSODIUM_CFLAGS) \
30 $(NACL_CFLAGS) \
31 $(PTHREAD_CFLAGS)
32
33libtoxencryptsave_la_LDFLAGS = $(TOXCORE_LT_LDFLAGS) \
34 $(EXTRA_LT_LDFLAGS) \
35 $(LIBSODIUM_LDFLAGS) \
36 $(NACL_LDFLAGS) \
37 $(MATH_LDFLAGS) \
38 $(RT_LIBS) \
39 $(WINSOCK2_LIBS)
40
41libtoxencryptsave_la_LIBADD = $(LIBSODIUM_LIBS) \
42 $(NACL_OBJECTS) \
43 $(NAC_LIBS) \
44 $(PTHREAD_LIBS) \
45 libtoxcore.la
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_pwhash_scryptsalsa208sha256.h b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_pwhash_scryptsalsa208sha256.h
new file mode 100644
index 00000000..e10a81d8
--- /dev/null
+++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_pwhash_scryptsalsa208sha256.h
@@ -0,0 +1,89 @@
1#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
2
3#ifndef crypto_pwhash_scryptsalsa208sha256_H
4#define crypto_pwhash_scryptsalsa208sha256_H
5
6#include <stddef.h>
7#include <stdint.h>
8
9#include "export.h"
10
11#ifdef __cplusplus
12# if __GNUC__
13# pragma GCC diagnostic ignored "-Wlong-long"
14# endif
15extern "C" {
16#endif
17
18#define crypto_pwhash_scryptsalsa208sha256_SALTBYTES 32U
19SODIUM_EXPORT
20size_t crypto_pwhash_scryptsalsa208sha256_saltbytes(void);
21
22#define crypto_pwhash_scryptsalsa208sha256_STRBYTES 102U
23SODIUM_EXPORT
24size_t crypto_pwhash_scryptsalsa208sha256_strbytes(void);
25
26#define crypto_pwhash_scryptsalsa208sha256_STRPREFIX "$7$"
27SODIUM_EXPORT
28const char *crypto_pwhash_scryptsalsa208sha256_strprefix(void);
29
30#define crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE 524288ULL
31SODIUM_EXPORT
32size_t crypto_pwhash_scryptsalsa208sha256_opslimit_interactive(void);
33
34#define crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE 16777216ULL
35SODIUM_EXPORT
36size_t crypto_pwhash_scryptsalsa208sha256_memlimit_interactive(void);
37
38#define crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_SENSITIVE 33554432ULL
39SODIUM_EXPORT
40size_t crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive(void);
41
42#define crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_SENSITIVE 1073741824ULL
43SODIUM_EXPORT
44size_t crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive(void);
45
46SODIUM_EXPORT
47int crypto_pwhash_scryptsalsa208sha256(unsigned char * const out,
48 unsigned long long outlen,
49 const char * const passwd,
50 unsigned long long passwdlen,
51 const unsigned char * const salt,
52 unsigned long long opslimit,
53 size_t memlimit);
54
55SODIUM_EXPORT
56int crypto_pwhash_scryptsalsa208sha256_str(char out[crypto_pwhash_scryptsalsa208sha256_STRBYTES],
57 const char * const passwd,
58 unsigned long long passwdlen,
59 unsigned long long opslimit,
60 size_t memlimit);
61
62SODIUM_EXPORT
63int crypto_pwhash_scryptsalsa208sha256_str_verify(const char str[crypto_pwhash_scryptsalsa208sha256_STRBYTES],
64 const char * const passwd,
65 unsigned long long passwdlen);
66
67SODIUM_EXPORT
68int crypto_pwhash_scryptsalsa208sha256_ll(const uint8_t * passwd, size_t passwdlen,
69 const uint8_t * salt, size_t saltlen,
70 uint64_t N, uint32_t r, uint32_t p,
71 uint8_t * buf, size_t buflen);
72
73#ifdef __cplusplus
74}
75#endif
76
77/* Backward compatibility with version 0.5.0 */
78
79#define crypto_pwhash_scryptxsalsa208sha256_SALTBYTES crypto_pwhash_scryptsalsa208sha256_SALTBYTES
80#define crypto_pwhash_scryptxsalsa208sha256_saltbytes crypto_pwhash_scryptsalsa208sha256_saltbytes
81#define crypto_pwhash_scryptxsalsa208sha256_STRBYTES crypto_pwhash_scryptsalsa208sha256_STRBYTES
82#define crypto_pwhash_scryptxsalsa208sha256_strbytes crypto_pwhash_scryptsalsa208sha256_strbytes
83#define crypto_pwhash_scryptxsalsa208sha256 crypto_pwhash_scryptsalsa208sha256
84#define crypto_pwhash_scryptxsalsa208sha256_str crypto_pwhash_scryptsalsa208sha256_str
85#define crypto_pwhash_scryptxsalsa208sha256_str_verify crypto_pwhash_scryptsalsa208sha256_str_verify
86
87#endif
88
89#endif
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt-common.c b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt-common.c
new file mode 100644
index 00000000..159dac10
--- /dev/null
+++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt-common.c
@@ -0,0 +1,254 @@
1#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
2
3/*-
4 * Copyright 2013 Alexander Peslyak
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted.
9 *
10 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
11 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
12 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
13 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
14 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
15 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
16 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
17 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
18 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
19 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
20 * SUCH DAMAGE.
21 */
22
23#include <stdint.h>
24#include <string.h>
25
26#include "crypto_pwhash_scryptsalsa208sha256.h"
27#include "crypto_scrypt.h"
28#include "runtime.h"
29#include "utils.h"
30
31static const char * const itoa64 =
32 "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
33
34static uint8_t *
35encode64_uint32(uint8_t * dst, size_t dstlen, uint32_t src, uint32_t srcbits)
36{
37 uint32_t bit;
38
39 for (bit = 0; bit < srcbits; bit += 6) {
40 if (dstlen < 1) {
41 return NULL;
42 }
43 *dst++ = itoa64[src & 0x3f];
44 dstlen--;
45 src >>= 6;
46 }
47
48 return dst;
49}
50
51static uint8_t *
52encode64(uint8_t * dst, size_t dstlen, const uint8_t * src, size_t srclen)
53{
54 size_t i;
55
56 for (i = 0; i < srclen; ) {
57 uint8_t * dnext;
58 uint32_t value = 0, bits = 0;
59 do {
60 value |= (uint32_t)src[i++] << bits;
61 bits += 8;
62 } while (bits < 24 && i < srclen);
63 dnext = encode64_uint32(dst, dstlen, value, bits);
64 if (!dnext) {
65 return NULL;
66 }
67 dstlen -= dnext - dst;
68 dst = dnext;
69 }
70
71 return dst;
72}
73
74static int
75decode64_one(uint32_t * dst, uint8_t src)
76{
77 const char *ptr = strchr(itoa64, src);
78
79 if (ptr) {
80 *dst = ptr - itoa64;
81 return 0;
82 }
83 *dst = 0;
84 return -1;
85}
86
87static const uint8_t *
88decode64_uint32(uint32_t * dst, uint32_t dstbits, const uint8_t * src)
89{
90 uint32_t bit;
91 uint32_t value;
92
93 value = 0;
94 for (bit = 0; bit < dstbits; bit += 6) {
95 uint32_t one;
96 if (decode64_one(&one, *src)) {
97 *dst = 0;
98 return NULL;
99 }
100 src++;
101 value |= one << bit;
102 }
103
104 *dst = value;
105 return src;
106}
107
108uint8_t *
109escrypt_r(escrypt_local_t * local, const uint8_t * passwd, size_t passwdlen,
110 const uint8_t * setting, uint8_t * buf, size_t buflen)
111{
112 uint8_t hash[crypto_pwhash_scryptsalsa208sha256_STRHASHBYTES];
113 escrypt_kdf_t escrypt_kdf;
114 const uint8_t *src;
115 const uint8_t *salt;
116 uint8_t *dst;
117 size_t prefixlen;
118 size_t saltlen;
119 size_t need;
120 uint64_t N;
121 uint32_t N_log2;
122 uint32_t r;
123 uint32_t p;
124
125 if (setting[0] != '$' || setting[1] != '7' || setting[2] != '$') {
126 return NULL;
127 }
128 src = setting + 3;
129
130 if (decode64_one(&N_log2, *src)) {
131 return NULL;
132 }
133 src++;
134 N = (uint64_t)1 << N_log2;
135
136 src = decode64_uint32(&r, 30, src);
137 if (!src) {
138 return NULL;
139 }
140 src = decode64_uint32(&p, 30, src);
141 if (!src) {
142 return NULL;
143 }
144 prefixlen = src - setting;
145
146 salt = src;
147 src = (uint8_t *) strrchr((char *)salt, '$');
148 if (src) {
149 saltlen = src - salt;
150 } else {
151 saltlen = strlen((char *)salt);
152 }
153 need = prefixlen + saltlen + 1 +
154 crypto_pwhash_scryptsalsa208sha256_STRHASHBYTES_ENCODED + 1;
155 if (need > buflen || need < saltlen) {
156 return NULL;
157 }
158#if defined(HAVE_EMMINTRIN_H) || defined(_MSC_VER)
159 escrypt_kdf =
160 sodium_runtime_has_sse2() ? escrypt_kdf_sse : escrypt_kdf_nosse;
161#else
162 escrypt_kdf = escrypt_kdf_nosse;
163#endif
164 if (escrypt_kdf(local, passwd, passwdlen, salt, saltlen,
165 N, r, p, hash, sizeof(hash))) {
166 return NULL;
167 }
168
169 dst = buf;
170 memcpy(dst, setting, prefixlen + saltlen);
171 dst += prefixlen + saltlen;
172 *dst++ = '$';
173
174 dst = encode64(dst, buflen - (dst - buf), hash, sizeof(hash));
175 sodium_memzero(hash, sizeof hash);
176 if (!dst || dst >= buf + buflen) { /* Can't happen */
177 return NULL;
178 }
179 *dst = 0; /* NUL termination */
180
181 return buf;
182}
183
184uint8_t *
185escrypt_gensalt_r(uint32_t N_log2, uint32_t r, uint32_t p,
186 const uint8_t * src, size_t srclen,
187 uint8_t * buf, size_t buflen)
188{
189 uint8_t *dst;
190 size_t prefixlen =
191 (sizeof "$7$" - 1U) + (1U /* N_log2 */) + (5U /* r */) + (5U /* p */);
192 size_t saltlen = BYTES2CHARS(srclen);
193 size_t need;
194
195 need = prefixlen + saltlen + 1;
196 if (need > buflen || need < saltlen || saltlen < srclen) {
197 return NULL;
198 }
199 if (N_log2 > 63 || ((uint64_t)r * (uint64_t)p >= (1U << 30))) {
200 return NULL;
201 }
202 dst = buf;
203 *dst++ = '$';
204 *dst++ = '7';
205 *dst++ = '$';
206
207 *dst++ = itoa64[N_log2];
208
209 dst = encode64_uint32(dst, buflen - (dst - buf), r, 30);
210 if (!dst) { /* Can't happen */
211 return NULL;
212 }
213 dst = encode64_uint32(dst, buflen - (dst - buf), p, 30);
214 if (!dst) { /* Can't happen */
215 return NULL;
216 }
217 dst = encode64(dst, buflen - (dst - buf), src, srclen);
218 if (!dst || dst >= buf + buflen) { /* Can't happen */
219 return NULL;
220 }
221 *dst = 0; /* NUL termination */
222
223 return buf;
224}
225
226int
227crypto_pwhash_scryptsalsa208sha256_ll(const uint8_t * passwd, size_t passwdlen,
228 const uint8_t * salt, size_t saltlen,
229 uint64_t N, uint32_t r, uint32_t p,
230 uint8_t * buf, size_t buflen)
231{
232 escrypt_kdf_t escrypt_kdf;
233 escrypt_local_t local;
234 int retval;
235
236 if (escrypt_init_local(&local)) {
237 return -1;
238 }
239#if defined(HAVE_EMMINTRIN_H) || defined(_MSC_VER)
240 escrypt_kdf =
241 sodium_runtime_has_sse2() ? escrypt_kdf_sse : escrypt_kdf_nosse;
242#else
243 escrypt_kdf = escrypt_kdf_nosse;
244#endif
245 retval = escrypt_kdf(&local,
246 passwd, passwdlen, salt, saltlen,
247 N, r, p, buf, buflen);
248 if (escrypt_free_local(&local)) {
249 return -1;
250 }
251 return retval;
252}
253
254#endif
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt.h b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt.h
new file mode 100644
index 00000000..1f70b7a2
--- /dev/null
+++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt.h
@@ -0,0 +1,90 @@
1#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
2
3/*-
4 * Copyright 2009 Colin Percival
5 * Copyright 2013 Alexander Peslyak
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 * This file was originally written by Colin Percival as part of the Tarsnap
30 * online backup system.
31 */
32#ifndef _CRYPTO_SCRYPT_H_
33#define _CRYPTO_SCRYPT_H_
34
35#include <stdint.h>
36
37#define crypto_pwhash_scryptsalsa208sha256_STRPREFIXBYTES 14
38#define crypto_pwhash_scryptsalsa208sha256_STRSETTINGBYTES 57
39#define crypto_pwhash_scryptsalsa208sha256_STRSALTBYTES 32
40#define crypto_pwhash_scryptsalsa208sha256_STRSALTBYTES_ENCODED 43
41#define crypto_pwhash_scryptsalsa208sha256_STRHASHBYTES 32
42#define crypto_pwhash_scryptsalsa208sha256_STRHASHBYTES_ENCODED 43
43
44#define BYTES2CHARS(bytes) ((((bytes) * 8) + 5) / 6)
45
46typedef struct {
47 void * base, * aligned;
48 size_t size;
49} escrypt_region_t;
50
51typedef escrypt_region_t escrypt_local_t;
52
53extern int escrypt_init_local(escrypt_local_t * __local);
54
55extern int escrypt_free_local(escrypt_local_t * __local);
56
57extern void *alloc_region(escrypt_region_t * region, size_t size);
58extern int free_region(escrypt_region_t * region);
59
60typedef int (*escrypt_kdf_t)(escrypt_local_t * __local,
61 const uint8_t * __passwd, size_t __passwdlen,
62 const uint8_t * __salt, size_t __saltlen,
63 uint64_t __N, uint32_t __r, uint32_t __p,
64 uint8_t * __buf, size_t __buflen);
65
66extern int escrypt_kdf_nosse(escrypt_local_t * __local,
67 const uint8_t * __passwd, size_t __passwdlen,
68 const uint8_t * __salt, size_t __saltlen,
69 uint64_t __N, uint32_t __r, uint32_t __p,
70 uint8_t * __buf, size_t __buflen);
71
72extern int escrypt_kdf_sse(escrypt_local_t * __local,
73 const uint8_t * __passwd, size_t __passwdlen,
74 const uint8_t * __salt, size_t __saltlen,
75 uint64_t __N, uint32_t __r, uint32_t __p,
76 uint8_t * __buf, size_t __buflen);
77
78extern uint8_t * escrypt_r(escrypt_local_t * __local,
79 const uint8_t * __passwd, size_t __passwdlen,
80 const uint8_t * __setting,
81 uint8_t * __buf, size_t __buflen);
82
83extern uint8_t * escrypt_gensalt_r(
84 uint32_t __N_log2, uint32_t __r, uint32_t __p,
85 const uint8_t * __src, size_t __srclen,
86 uint8_t * __buf, size_t __buflen);
87
88#endif /* !_CRYPTO_SCRYPT_H_ */
89
90#endif
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/export.h b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/export.h
new file mode 100644
index 00000000..d6975e8d
--- /dev/null
+++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/export.h
@@ -0,0 +1,35 @@
1#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
2
3#ifndef __SODIUM_EXPORT_H__
4#define __SODIUM_EXPORT_H__
5
6#ifndef __GNUC__
7# ifdef __attribute__
8# undef __attribute__
9# endif
10# define __attribute__(a)
11#endif
12
13#ifdef SODIUM_STATIC
14# define SODIUM_EXPORT
15#else
16# if defined(_MSC_VER)
17# ifdef DLL_EXPORT
18# define SODIUM_EXPORT __declspec(dllexport)
19# else
20# define SODIUM_EXPORT __declspec(dllimport)
21# endif
22# else
23# if defined(__SUNPRO_C)
24# define SODIUM_EXPORT __attribute__ __global
25# elif defined(_MSG_VER)
26# define SODIUM_EXPORT extern __declspec(dllexport)
27# else
28# define SODIUM_EXPORT __attribute__ ((visibility ("default")))
29# endif
30# endif
31#endif
32
33#endif
34
35#endif
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c
new file mode 100644
index 00000000..0dc896f1
--- /dev/null
+++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c
@@ -0,0 +1,306 @@
1#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
2
3/*-
4 * Copyright 2009 Colin Percival
5 * Copyright 2013 Alexander Peslyak
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 * This file was originally written by Colin Percival as part of the Tarsnap
30 * online backup system.
31 */
32
33#include <errno.h>
34#include <limits.h>
35#include <stdint.h>
36#include <stdlib.h>
37#include <string.h>
38
39#include "../pbkdf2-sha256.h"
40#include "../sysendian.h"
41#include "../crypto_scrypt.h"
42
43static inline void
44blkcpy(void * dest, const void * src, size_t len)
45{
46 size_t * D = (size_t *) dest;
47 const size_t * S = (const size_t *) src;
48 size_t L = len / sizeof(size_t);
49 size_t i;
50
51 for (i = 0; i < L; i++)
52 D[i] = S[i];
53}
54
55static inline void
56blkxor(void * dest, const void * src, size_t len)
57{
58 size_t * D = (size_t *) dest;
59 const size_t * S = (const size_t *) src;
60 size_t L = len / sizeof(size_t);
61 size_t i;
62
63 for (i = 0; i < L; i++)
64 D[i] ^= S[i];
65}
66
67/**
68 * salsa20_8(B):
69 * Apply the salsa20/8 core to the provided block.
70 */
71static void
72salsa20_8(uint32_t B[16])
73{
74 uint32_t x[16];
75 size_t i;
76
77 blkcpy(x, B, 64);
78 for (i = 0; i < 8; i += 2) {
79#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
80 /* Operate on columns. */
81 x[ 4] ^= R(x[ 0]+x[12], 7); x[ 8] ^= R(x[ 4]+x[ 0], 9);
82 x[12] ^= R(x[ 8]+x[ 4],13); x[ 0] ^= R(x[12]+x[ 8],18);
83
84 x[ 9] ^= R(x[ 5]+x[ 1], 7); x[13] ^= R(x[ 9]+x[ 5], 9);
85 x[ 1] ^= R(x[13]+x[ 9],13); x[ 5] ^= R(x[ 1]+x[13],18);
86
87 x[14] ^= R(x[10]+x[ 6], 7); x[ 2] ^= R(x[14]+x[10], 9);
88 x[ 6] ^= R(x[ 2]+x[14],13); x[10] ^= R(x[ 6]+x[ 2],18);
89
90 x[ 3] ^= R(x[15]+x[11], 7); x[ 7] ^= R(x[ 3]+x[15], 9);
91 x[11] ^= R(x[ 7]+x[ 3],13); x[15] ^= R(x[11]+x[ 7],18);
92
93 /* Operate on rows. */
94 x[ 1] ^= R(x[ 0]+x[ 3], 7); x[ 2] ^= R(x[ 1]+x[ 0], 9);
95 x[ 3] ^= R(x[ 2]+x[ 1],13); x[ 0] ^= R(x[ 3]+x[ 2],18);
96
97 x[ 6] ^= R(x[ 5]+x[ 4], 7); x[ 7] ^= R(x[ 6]+x[ 5], 9);
98 x[ 4] ^= R(x[ 7]+x[ 6],13); x[ 5] ^= R(x[ 4]+x[ 7],18);
99
100 x[11] ^= R(x[10]+x[ 9], 7); x[ 8] ^= R(x[11]+x[10], 9);
101 x[ 9] ^= R(x[ 8]+x[11],13); x[10] ^= R(x[ 9]+x[ 8],18);
102
103 x[12] ^= R(x[15]+x[14], 7); x[13] ^= R(x[12]+x[15], 9);
104 x[14] ^= R(x[13]+x[12],13); x[15] ^= R(x[14]+x[13],18);
105#undef R
106 }
107 for (i = 0; i < 16; i++)
108 B[i] += x[i];
109}
110
111/**
112 * blockmix_salsa8(Bin, Bout, X, r):
113 * Compute Bout = BlockMix_{salsa20/8, r}(Bin). The input Bin must be 128r
114 * bytes in length; the output Bout must also be the same size. The
115 * temporary space X must be 64 bytes.
116 */
117static void
118blockmix_salsa8(const uint32_t * Bin, uint32_t * Bout, uint32_t * X, size_t r)
119{
120 size_t i;
121
122 /* 1: X <-- B_{2r - 1} */
123 blkcpy(X, &Bin[(2 * r - 1) * 16], 64);
124
125 /* 2: for i = 0 to 2r - 1 do */
126 for (i = 0; i < 2 * r; i += 2) {
127 /* 3: X <-- H(X \xor B_i) */
128 blkxor(X, &Bin[i * 16], 64);
129 salsa20_8(X);
130
131 /* 4: Y_i <-- X */
132 /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
133 blkcpy(&Bout[i * 8], X, 64);
134
135 /* 3: X <-- H(X \xor B_i) */
136 blkxor(X, &Bin[i * 16 + 16], 64);
137 salsa20_8(X);
138
139 /* 4: Y_i <-- X */
140 /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
141 blkcpy(&Bout[i * 8 + r * 16], X, 64);
142 }
143}
144
145/**
146 * integerify(B, r):
147 * Return the result of parsing B_{2r-1} as a little-endian integer.
148 */
149static inline uint64_t
150integerify(const void * B, size_t r)
151{
152 const uint32_t * X = (const uint32_t *)((uintptr_t)(B) + (2 * r - 1) * 64);
153
154 return (((uint64_t)(X[1]) << 32) + X[0]);
155}
156
157/**
158 * smix(B, r, N, V, XY):
159 * Compute B = SMix_r(B, N). The input B must be 128r bytes in length;
160 * the temporary storage V must be 128rN bytes in length; the temporary
161 * storage XY must be 256r + 64 bytes in length. The value N must be a
162 * power of 2 greater than 1. The arrays B, V, and XY must be aligned to a
163 * multiple of 64 bytes.
164 */
165static void
166smix(uint8_t * B, size_t r, uint64_t N, uint32_t * V, uint32_t * XY)
167{
168 uint32_t * X = XY;
169 uint32_t * Y = &XY[32 * r];
170 uint32_t * Z = &XY[64 * r];
171 uint64_t i;
172 uint64_t j;
173 size_t k;
174
175 /* 1: X <-- B */
176 for (k = 0; k < 32 * r; k++)
177 X[k] = le32dec(&B[4 * k]);
178
179 /* 2: for i = 0 to N - 1 do */
180 for (i = 0; i < N; i += 2) {
181 /* 3: V_i <-- X */
182 blkcpy(&V[i * (32 * r)], X, 128 * r);
183
184 /* 4: X <-- H(X) */
185 blockmix_salsa8(X, Y, Z, r);
186
187 /* 3: V_i <-- X */
188 blkcpy(&V[(i + 1) * (32 * r)], Y, 128 * r);
189
190 /* 4: X <-- H(X) */
191 blockmix_salsa8(Y, X, Z, r);
192 }
193
194 /* 6: for i = 0 to N - 1 do */
195 for (i = 0; i < N; i += 2) {
196 /* 7: j <-- Integerify(X) mod N */
197 j = integerify(X, r) & (N - 1);
198
199 /* 8: X <-- H(X \xor V_j) */
200 blkxor(X, &V[j * (32 * r)], 128 * r);
201 blockmix_salsa8(X, Y, Z, r);
202
203 /* 7: j <-- Integerify(X) mod N */
204 j = integerify(Y, r) & (N - 1);
205
206 /* 8: X <-- H(X \xor V_j) */
207 blkxor(Y, &V[j * (32 * r)], 128 * r);
208 blockmix_salsa8(Y, X, Z, r);
209 }
210 /* 10: B' <-- X */
211 for (k = 0; k < 32 * r; k++)
212 le32enc(&B[4 * k], X[k]);
213}
214
215/**
216 * escrypt_kdf(local, passwd, passwdlen, salt, saltlen,
217 * N, r, p, buf, buflen):
218 * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
219 * p, buflen) and write the result into buf. The parameters r, p, and buflen
220 * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32. The parameter N
221 * must be a power of 2 greater than 1.
222 *
223 * Return 0 on success; or -1 on error.
224 */
225int
226escrypt_kdf_nosse(escrypt_local_t * local,
227 const uint8_t * passwd, size_t passwdlen,
228 const uint8_t * salt, size_t saltlen,
229 uint64_t N, uint32_t _r, uint32_t _p,
230 uint8_t * buf, size_t buflen)
231{
232 size_t B_size, V_size, XY_size, need;
233 uint8_t * B;
234 uint32_t * V, * XY;
235 size_t r = _r, p = _p;
236 uint32_t i;
237
238 /* Sanity-check parameters. */
239#if SIZE_MAX > UINT32_MAX
240 if (buflen > (((uint64_t)(1) << 32) - 1) * 32) {
241 errno = EFBIG;
242 return -1;
243 }
244#endif
245 if ((uint64_t)(r) * (uint64_t)(p) >= (1 << 30)) {
246 errno = EFBIG;
247 return -1;
248 }
249 if (((N & (N - 1)) != 0) || (N < 2)) {
250 errno = EINVAL;
251 return -1;
252 }
253 if (r == 0 || p == 0) {
254 errno = EINVAL;
255 return -1;
256 }
257 if ((r > SIZE_MAX / 128 / p) ||
258#if SIZE_MAX / 256 <= UINT32_MAX
259 (r > SIZE_MAX / 256) ||
260#endif
261 (N > SIZE_MAX / 128 / r)) {
262 errno = ENOMEM;
263 return -1;
264 }
265
266 /* Allocate memory. */
267 B_size = (size_t)128 * r * p;
268 V_size = (size_t)128 * r * N;
269 need = B_size + V_size;
270 if (need < V_size) {
271 errno = ENOMEM;
272 return -1;
273 }
274 XY_size = (size_t)256 * r + 64;
275 need += XY_size;
276 if (need < XY_size) {
277 errno = ENOMEM;
278 return -1;
279 }
280 if (local->size < need) {
281 if (free_region(local))
282 return -1;
283 if (!alloc_region(local, need))
284 return -1;
285 }
286 B = (uint8_t *)local->aligned;
287 V = (uint32_t *)((uint8_t *)B + B_size);
288 XY = (uint32_t *)((uint8_t *)V + V_size);
289
290 /* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */
291 PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size);
292
293 /* 2: for i = 0 to p - 1 do */
294 for (i = 0; i < p; i++) {
295 /* 3: B_i <-- MF(B_i, N) */
296 smix(&B[(size_t)128 * i * r], r, N, V, XY);
297 }
298
299 /* 5: DK <-- PBKDF2(P, B, 1, dkLen) */
300 PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen);
301
302 /* Success! */
303 return 0;
304}
305
306#endif
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/note_to_maintainers.txt b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/note_to_maintainers.txt
new file mode 100644
index 00000000..66bbfe2d
--- /dev/null
+++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/note_to_maintainers.txt
@@ -0,0 +1,14 @@
1This folder is only meant for use with nacl, i.e. when sodium is unavailable.
2
3
4The files in this folder were mostly copied from
5https://github.com/jedisct1/libsodium/tree/0.7.0/src/libsodium/crypto_pwhash/scryptsalsa208sha256,
6with #ifdef VANILLA_NACL added around each of them as required for this module.
7
8export.h, utils.h, and runtime.h were copied from
9https://github.com/jedisct1/libsodium/tree/0.7.0/src/libsodium/include/sodium.
10utils.h was significantly truncated.
11
12utils.c and runtime.c were copied from
13https://github.com/jedisct1/libsodium/blob/0.7.0/src/libsodium/sodium.
14utils.c was also significantly truncated.
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.c b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.c
new file mode 100644
index 00000000..d66a5395
--- /dev/null
+++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.c
@@ -0,0 +1,88 @@
1#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
2
3/*-
4 * Copyright 2005,2007,2009 Colin Percival
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 */
28
29#include <sys/types.h>
30
31#include <stdint.h>
32#include <stdlib.h>
33#include <string.h>
34
35#include "crypto_auth_hmacsha256.h"
36#include "pbkdf2-sha256.h"
37#include "sysendian.h"
38#include "utils.h"
39
40/**
41 * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
42 * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
43 * write the output to buf. The value dkLen must be at most 32 * (2^32 - 1).
44 */
45void
46PBKDF2_SHA256(const uint8_t * passwd, size_t passwdlen, const uint8_t * salt,
47 size_t saltlen, uint64_t c, uint8_t * buf, size_t dkLen)
48{
49 crypto_auth_hmacsha256_state PShctx, hctx;
50 size_t i;
51 uint8_t ivec[4];
52 uint8_t U[32];
53 uint8_t T[32];
54 uint64_t j;
55 int k;
56 size_t clen;
57
58 crypto_auth_hmacsha256_init(&PShctx, passwd, passwdlen);
59 crypto_auth_hmacsha256_update(&PShctx, salt, saltlen);
60
61 for (i = 0; i * 32 < dkLen; i++) {
62 be32enc(ivec, (uint32_t)(i + 1));
63 memcpy(&hctx, &PShctx, sizeof(crypto_auth_hmacsha256_state));
64 crypto_auth_hmacsha256_update(&hctx, ivec, 4);
65 crypto_auth_hmacsha256_final(&hctx, U);
66
67 memcpy(T, U, 32);
68
69 for (j = 2; j <= c; j++) {
70 crypto_auth_hmacsha256_init(&hctx, passwd, passwdlen);
71 crypto_auth_hmacsha256_update(&hctx, U, 32);
72 crypto_auth_hmacsha256_final(&hctx, U);
73
74 for (k = 0; k < 32; k++) {
75 T[k] ^= U[k];
76 }
77 }
78
79 clen = dkLen - i * 32;
80 if (clen > 32) {
81 clen = 32;
82 }
83 memcpy(&buf[i * 32], T, clen);
84 }
85 sodium_memzero((void *) &PShctx, sizeof PShctx);
86}
87
88#endif
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.h b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.h
new file mode 100644
index 00000000..6e5f2832
--- /dev/null
+++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.h
@@ -0,0 +1,49 @@
1#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
2
3/*-
4 * Copyright 2005,2007,2009 Colin Percival
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 *
16 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
17 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
18 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
19 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
20 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
21 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
22 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
23 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
24 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
25 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
26 * SUCH DAMAGE.
27 *
28 */
29
30#ifndef _SHA256_H_
31#define _SHA256_H_
32
33#include <sys/types.h>
34
35#include <stdint.h>
36
37#include "crypto_auth_hmacsha256.h"
38
39/**
40 * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
41 * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
42 * write the output to buf. The value dkLen must be at most 32 * (2^32 - 1).
43 */
44void PBKDF2_SHA256(const uint8_t *, size_t, const uint8_t *, size_t,
45 uint64_t, uint8_t *, size_t);
46
47#endif /* !_SHA256_H_ */
48
49#endif
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c
new file mode 100644
index 00000000..0a519937
--- /dev/null
+++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c
@@ -0,0 +1,207 @@
1#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
2
3
4#include <errno.h>
5#include <limits.h>
6#include <stddef.h>
7#include <stdint.h>
8#include <string.h>
9
10#include "crypto_pwhash_scryptsalsa208sha256.h"
11#include "crypto_scrypt.h"
12#include "randombytes.h"
13#include "utils.h"
14
15#define SETTING_SIZE(saltbytes) \
16 (sizeof "$7$" - 1U) + \
17 (1U /* N_log2 */) + (5U /* r */) + (5U /* p */) + BYTES2CHARS(saltbytes)
18
19static int
20pickparams(unsigned long long opslimit, const size_t memlimit,
21 uint32_t * const N_log2, uint32_t * const p, uint32_t * const r)
22{
23 unsigned long long maxN;
24 unsigned long long maxrp;
25
26 if (opslimit < 32768) {
27 opslimit = 32768;
28 }
29 *r = 8;
30 if (opslimit < memlimit / 32) {
31 *p = 1;
32 maxN = opslimit / (*r * 4);
33 for (*N_log2 = 1; *N_log2 < 63; *N_log2 += 1) {
34 if ((uint64_t)(1) << *N_log2 > maxN / 2) {
35 break;
36 }
37 }
38 } else {
39 maxN = memlimit / (*r * 128);
40 for (*N_log2 = 1; *N_log2 < 63; *N_log2 += 1) {
41 if ((uint64_t) (1) << *N_log2 > maxN / 2) {
42 break;
43 }
44 }
45 maxrp = (opslimit / 4) / ((uint64_t) (1) << *N_log2);
46 if (maxrp > 0x3fffffff) {
47 maxrp = 0x3fffffff;
48 }
49 *p = (uint32_t) (maxrp) / *r;
50 }
51 return 0;
52}
53
54size_t
55crypto_pwhash_scryptsalsa208sha256_saltbytes(void)
56{
57 return crypto_pwhash_scryptsalsa208sha256_SALTBYTES;
58}
59
60size_t
61crypto_pwhash_scryptsalsa208sha256_strbytes(void)
62{
63 return crypto_pwhash_scryptsalsa208sha256_STRBYTES;
64}
65
66const char *
67crypto_pwhash_scryptsalsa208sha256_strprefix(void)
68{
69 return crypto_pwhash_scryptsalsa208sha256_STRPREFIX;
70}
71
72size_t
73crypto_pwhash_scryptsalsa208sha256_opslimit_interactive(void)
74{
75 return crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE;
76}
77
78size_t
79crypto_pwhash_scryptsalsa208sha256_memlimit_interactive(void)
80{
81 return crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE;
82}
83
84size_t
85crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive(void)
86{
87 return crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_SENSITIVE;
88}
89
90size_t
91crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive(void)
92{
93 return crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_SENSITIVE;
94}
95
96int
97crypto_pwhash_scryptsalsa208sha256(unsigned char * const out,
98 unsigned long long outlen,
99 const char * const passwd,
100 unsigned long long passwdlen,
101 const unsigned char * const salt,
102 unsigned long long opslimit,
103 size_t memlimit)
104{
105 uint32_t N_log2;
106 uint32_t p;
107 uint32_t r;
108
109 memset(out, 0, outlen);
110 if (passwdlen > SIZE_MAX || outlen > SIZE_MAX) {
111 errno = EFBIG;
112 return -1;
113 }
114 if (pickparams(opslimit, memlimit, &N_log2, &p, &r) != 0) {
115 errno = EINVAL;
116 return -1;
117 }
118 return crypto_pwhash_scryptsalsa208sha256_ll((const uint8_t *) passwd,
119 (size_t) passwdlen,
120 (const uint8_t *) salt,
121 crypto_pwhash_scryptsalsa208sha256_SALTBYTES,
122 (uint64_t) (1) << N_log2, r, p,
123 out, (size_t) outlen);
124}
125
126int
127crypto_pwhash_scryptsalsa208sha256_str(char out[crypto_pwhash_scryptsalsa208sha256_STRBYTES],
128 const char * const passwd,
129 unsigned long long passwdlen,
130 unsigned long long opslimit,
131 size_t memlimit)
132{
133 uint8_t salt[crypto_pwhash_scryptsalsa208sha256_STRSALTBYTES];
134 char setting[crypto_pwhash_scryptsalsa208sha256_STRSETTINGBYTES + 1U];
135 escrypt_local_t escrypt_local;
136 uint32_t N_log2;
137 uint32_t p;
138 uint32_t r;
139
140 memset(out, 0, crypto_pwhash_scryptsalsa208sha256_STRBYTES);
141 if (passwdlen > SIZE_MAX) {
142 errno = EFBIG;
143 return -1;
144 }
145 if (pickparams(opslimit, memlimit, &N_log2, &p, &r) != 0) {
146 errno = EINVAL;
147 return -1;
148 }
149 randombytes_buf(salt, sizeof salt);
150 if (escrypt_gensalt_r(N_log2, r, p, salt, sizeof salt,
151 (uint8_t *) setting, sizeof setting) == NULL) {
152 errno = EINVAL;
153 return -1;
154 }
155 if (escrypt_init_local(&escrypt_local) != 0) {
156 return -1;
157 }
158 if (escrypt_r(&escrypt_local, (const uint8_t *) passwd, (size_t) passwdlen,
159 (const uint8_t *) setting, (uint8_t *) out,
160 crypto_pwhash_scryptsalsa208sha256_STRBYTES) == NULL) {
161 escrypt_free_local(&escrypt_local);
162 errno = EINVAL;
163 return -1;
164 }
165 escrypt_free_local(&escrypt_local);
166
167 (void) sizeof
168 (int[SETTING_SIZE(crypto_pwhash_scryptsalsa208sha256_STRSALTBYTES)
169 == crypto_pwhash_scryptsalsa208sha256_STRSETTINGBYTES ? 1 : -1]);
170 (void) sizeof
171 (int[crypto_pwhash_scryptsalsa208sha256_STRSETTINGBYTES + 1U +
172 crypto_pwhash_scryptsalsa208sha256_STRHASHBYTES_ENCODED + 1U
173 == crypto_pwhash_scryptsalsa208sha256_STRBYTES ? 1 : -1]);
174
175 return 0;
176}
177
178int
179crypto_pwhash_scryptsalsa208sha256_str_verify(const char str[crypto_pwhash_scryptsalsa208sha256_STRBYTES],
180 const char * const passwd,
181 unsigned long long passwdlen)
182{
183 char wanted[crypto_pwhash_scryptsalsa208sha256_STRBYTES];
184 escrypt_local_t escrypt_local;
185 int ret = -1;
186
187 if (memchr(str, 0, crypto_pwhash_scryptsalsa208sha256_STRBYTES) !=
188 &str[crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1U]) {
189 return -1;
190 }
191 if (escrypt_init_local(&escrypt_local) != 0) {
192 return -1;
193 }
194 if (escrypt_r(&escrypt_local, (const uint8_t *) passwd, (size_t) passwdlen,
195 (const uint8_t *) str, (uint8_t *) wanted,
196 sizeof wanted) == NULL) {
197 escrypt_free_local(&escrypt_local);
198 return -1;
199 }
200 escrypt_free_local(&escrypt_local);
201 ret = sodium_memcmp(wanted, str, sizeof wanted);
202 sodium_memzero(wanted, sizeof wanted);
203
204 return ret;
205}
206
207#endif
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.c b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.c
new file mode 100644
index 00000000..f02c3803
--- /dev/null
+++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.c
@@ -0,0 +1,137 @@
1#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
2
3#ifdef HAVE_ANDROID_GETCPUFEATURES
4# include <cpu-features.h>
5#endif
6
7#include "runtime.h"
8
9typedef struct CPUFeatures_ {
10 int initialized;
11 int has_neon;
12 int has_sse2;
13 int has_sse3;
14} CPUFeatures;
15
16static CPUFeatures _cpu_features;
17
18#define CPUID_SSE2 0x04000000
19#define CPUIDECX_SSE3 0x00000001
20
21static int
22_sodium_runtime_arm_cpu_features(CPUFeatures * const cpu_features)
23{
24#ifndef __arm__
25 cpu_features->has_neon = 0;
26 return -1;
27#else
28# ifdef __APPLE__
29# ifdef __ARM_NEON__
30 cpu_features->has_neon = 1;
31# else
32 cpu_features->has_neon = 0;
33# endif
34# elif defined(HAVE_ANDROID_GETCPUFEATURES) && defined(ANDROID_CPU_ARM_FEATURE_NEON)
35 cpu_features->has_neon =
36 (android_getCpuFeatures() & ANDROID_CPU_ARM_FEATURE_NEON) != 0x0;
37# else
38 cpu_features->has_neon = 0;
39# endif
40 return 0;
41#endif
42}
43
44static void
45_cpuid(unsigned int cpu_info[4U], const unsigned int cpu_info_type)
46{
47#ifdef _MSC_VER
48 __cpuidex((int *) cpu_info, cpu_info_type, 0);
49#elif defined(HAVE_CPUID)
50 cpu_info[0] = cpu_info[1] = cpu_info[2] = cpu_info[3] = 0;
51# ifdef __i386__
52 __asm__ __volatile__ ("pushfl; pushfl; "
53 "popl %0; "
54 "movl %0, %1; xorl %2, %0; "
55 "pushl %0; "
56 "popfl; pushfl; popl %0; popfl" :
57 "=&r" (cpu_info[0]), "=&r" (cpu_info[1]) :
58 "i" (0x200000));
59 if (((cpu_info[0] ^ cpu_info[1]) & 0x200000) == 0x0) {
60 return;
61 }
62# endif
63# ifdef __i386__
64 __asm__ __volatile__ ("xchgl %%ebx, %k1; cpuid; xchgl %%ebx, %k1" :
65 "=a" (cpu_info[0]), "=&r" (cpu_info[1]),
66 "=c" (cpu_info[2]), "=d" (cpu_info[3]) :
67 "0" (cpu_info_type), "2" (0U));
68# elif defined(__x86_64__)
69 __asm__ __volatile__ ("xchgq %%rbx, %q1; cpuid; xchgq %%rbx, %q1" :
70 "=a" (cpu_info[0]), "=&r" (cpu_info[1]),
71 "=c" (cpu_info[2]), "=d" (cpu_info[3]) :
72 "0" (cpu_info_type), "2" (0U));
73# else
74 __asm__ __volatile__ ("cpuid" :
75 "=a" (cpu_info[0]), "=b" (cpu_info[1]),
76 "=c" (cpu_info[2]), "=d" (cpu_info[3]) :
77 "0" (cpu_info_type), "2" (0U));
78# endif
79#else
80 cpu_info[0] = cpu_info[1] = cpu_info[2] = cpu_info[3] = 0;
81#endif
82}
83
84static int
85_sodium_runtime_intel_cpu_features(CPUFeatures * const cpu_features)
86{
87 unsigned int cpu_info[4];
88 unsigned int id;
89
90 _cpuid(cpu_info, 0x0);
91 if ((id = cpu_info[0]) == 0U) {
92 return -1;
93 }
94 _cpuid(cpu_info, 0x00000001);
95#ifndef HAVE_EMMINTRIN_H
96 cpu_features->has_sse2 = 0;
97#else
98 cpu_features->has_sse2 = ((cpu_info[3] & CPUID_SSE2) != 0x0);
99#endif
100
101#ifndef HAVE_PMMINTRIN_H
102 cpu_features->has_sse3 = 0;
103#else
104 cpu_features->has_sse3 = ((cpu_info[2] & CPUIDECX_SSE3) != 0x0);
105#endif
106
107 return 0;
108}
109
110int
111sodium_runtime_get_cpu_features(void)
112{
113 int ret = -1;
114
115 ret &= _sodium_runtime_arm_cpu_features(&_cpu_features);
116 ret &= _sodium_runtime_intel_cpu_features(&_cpu_features);
117 _cpu_features.initialized = 1;
118
119 return ret;
120}
121
122int
123sodium_runtime_has_neon(void) {
124 return _cpu_features.has_neon;
125}
126
127int
128sodium_runtime_has_sse2(void) {
129 return _cpu_features.has_sse2;
130}
131
132int
133sodium_runtime_has_sse3(void) {
134 return _cpu_features.has_sse3;
135}
136
137#endif
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.h b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.h
new file mode 100644
index 00000000..2e5efddd
--- /dev/null
+++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.h
@@ -0,0 +1,30 @@
1#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
2
3#ifndef __SODIUM_RUNTIME_H__
4#define __SODIUM_RUNTIME_H__ 1
5
6#include "export.h"
7
8#ifdef __cplusplus
9extern "C" {
10#endif
11
12SODIUM_EXPORT
13int sodium_runtime_get_cpu_features(void);
14
15SODIUM_EXPORT
16int sodium_runtime_has_neon(void);
17
18SODIUM_EXPORT
19int sodium_runtime_has_sse2(void);
20
21SODIUM_EXPORT
22int sodium_runtime_has_sse3(void);
23
24#ifdef __cplusplus
25}
26#endif
27
28#endif
29
30#endif
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/scrypt_platform.c b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/scrypt_platform.c
new file mode 100644
index 00000000..9de9763a
--- /dev/null
+++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/scrypt_platform.c
@@ -0,0 +1,104 @@
1#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
2
3/*-
4 * Copyright 2013 Alexander Peslyak
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted.
9 *
10 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
11 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
12 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
13 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
14 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
15 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
16 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
17 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
18 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
19 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
20 * SUCH DAMAGE.
21 */
22
23#ifdef HAVE_SYS_MMAN_H
24# include <sys/mman.h>
25#endif
26#include <errno.h>
27#include <stdlib.h>
28
29#include "crypto_scrypt.h"
30#include "runtime.h"
31
32#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
33# define MAP_ANON MAP_ANONYMOUS
34#endif
35
36void *
37alloc_region(escrypt_region_t * region, size_t size)
38{
39 uint8_t * base, * aligned;
40#ifdef MAP_ANON
41 if ((base = (uint8_t *) mmap(NULL, size, PROT_READ | PROT_WRITE,
42#ifdef MAP_NOCORE
43 MAP_ANON | MAP_PRIVATE | MAP_NOCORE,
44#else
45 MAP_ANON | MAP_PRIVATE,
46#endif
47 -1, 0)) == MAP_FAILED)
48 base = NULL;
49 aligned = base;
50#elif defined(HAVE_POSIX_MEMALIGN)
51 if ((errno = posix_memalign((void **) &base, 64, size)) != 0)
52 base = NULL;
53 aligned = base;
54#else
55 base = aligned = NULL;
56 if (size + 63 < size)
57 errno = ENOMEM;
58 else if ((base = (uint8_t *) malloc(size + 63)) != NULL) {
59 aligned = base + 63;
60 aligned -= (uintptr_t)aligned & 63;
61 }
62#endif
63 region->base = base;
64 region->aligned = aligned;
65 region->size = base ? size : 0;
66 return aligned;
67}
68
69static inline void
70init_region(escrypt_region_t * region)
71{
72 region->base = region->aligned = NULL;
73 region->size = 0;
74}
75
76int
77free_region(escrypt_region_t * region)
78{
79 if (region->base) {
80#ifdef MAP_ANON
81 if (munmap(region->base, region->size))
82 return -1;
83#else
84 free(region->base);
85#endif
86 }
87 init_region(region);
88 return 0;
89}
90
91int
92escrypt_init_local(escrypt_local_t * local)
93{
94 init_region(local);
95 return 0;
96}
97
98int
99escrypt_free_local(escrypt_local_t * local)
100{
101 return free_region(local);
102}
103
104#endif
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c
new file mode 100644
index 00000000..18cf6ae6
--- /dev/null
+++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c
@@ -0,0 +1,395 @@
1#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
2
3/*-
4 * Copyright 2009 Colin Percival
5 * Copyright 2012,2013 Alexander Peslyak
6 * All rights reserved.
7 *
8 * Redistribution and use in source and binary forms, with or without
9 * modification, are permitted provided that the following conditions
10 * are met:
11 * 1. Redistributions of source code must retain the above copyright
12 * notice, this list of conditions and the following disclaimer.
13 * 2. Redistributions in binary form must reproduce the above copyright
14 * notice, this list of conditions and the following disclaimer in the
15 * documentation and/or other materials provided with the distribution.
16 *
17 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
18 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
19 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
20 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
21 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
22 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
23 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
24 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
25 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
26 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
27 * SUCH DAMAGE.
28 *
29 * This file was originally written by Colin Percival as part of the Tarsnap
30 * online backup system.
31 */
32
33#if defined(HAVE_EMMINTRIN_H) || defined(_MSC_VER)
34#if __GNUC__
35# pragma GCC target("sse2")
36#endif
37#include <emmintrin.h>
38#if defined(__XOP__) && defined(DISABLED)
39# include <x86intrin.h>
40#endif
41
42#include <errno.h>
43#include <limits.h>
44#include <stdint.h>
45#include <stdlib.h>
46#include <string.h>
47
48#include "../pbkdf2-sha256.h"
49#include "../sysendian.h"
50#include "../crypto_scrypt.h"
51
52#if defined(__XOP__) && defined(DISABLED)
53#define ARX(out, in1, in2, s) \
54 out = _mm_xor_si128(out, _mm_roti_epi32(_mm_add_epi32(in1, in2), s));
55#else
56#define ARX(out, in1, in2, s) \
57 { \
58 __m128i T = _mm_add_epi32(in1, in2); \
59 out = _mm_xor_si128(out, _mm_slli_epi32(T, s)); \
60 out = _mm_xor_si128(out, _mm_srli_epi32(T, 32-s)); \
61 }
62#endif
63
64#define SALSA20_2ROUNDS \
65 /* Operate on "columns". */ \
66 ARX(X1, X0, X3, 7) \
67 ARX(X2, X1, X0, 9) \
68 ARX(X3, X2, X1, 13) \
69 ARX(X0, X3, X2, 18) \
70\
71 /* Rearrange data. */ \
72 X1 = _mm_shuffle_epi32(X1, 0x93); \
73 X2 = _mm_shuffle_epi32(X2, 0x4E); \
74 X3 = _mm_shuffle_epi32(X3, 0x39); \
75\
76 /* Operate on "rows". */ \
77 ARX(X3, X0, X1, 7) \
78 ARX(X2, X3, X0, 9) \
79 ARX(X1, X2, X3, 13) \
80 ARX(X0, X1, X2, 18) \
81\
82 /* Rearrange data. */ \
83 X1 = _mm_shuffle_epi32(X1, 0x39); \
84 X2 = _mm_shuffle_epi32(X2, 0x4E); \
85 X3 = _mm_shuffle_epi32(X3, 0x93);
86
87/**
88 * Apply the salsa20/8 core to the block provided in (X0 ... X3) ^ (Z0 ... Z3).
89 */
90#define SALSA20_8_XOR(in, out) \
91 { \
92 __m128i Y0 = X0 = _mm_xor_si128(X0, (in)[0]); \
93 __m128i Y1 = X1 = _mm_xor_si128(X1, (in)[1]); \
94 __m128i Y2 = X2 = _mm_xor_si128(X2, (in)[2]); \
95 __m128i Y3 = X3 = _mm_xor_si128(X3, (in)[3]); \
96 SALSA20_2ROUNDS \
97 SALSA20_2ROUNDS \
98 SALSA20_2ROUNDS \
99 SALSA20_2ROUNDS \
100 (out)[0] = X0 = _mm_add_epi32(X0, Y0); \
101 (out)[1] = X1 = _mm_add_epi32(X1, Y1); \
102 (out)[2] = X2 = _mm_add_epi32(X2, Y2); \
103 (out)[3] = X3 = _mm_add_epi32(X3, Y3); \
104 }
105
106/**
107 * blockmix_salsa8(Bin, Bout, r):
108 * Compute Bout = BlockMix_{salsa20/8, r}(Bin). The input Bin must be 128r
109 * bytes in length; the output Bout must also be the same size.
110 */
111static inline void
112blockmix_salsa8(const __m128i * Bin, __m128i * Bout, size_t r)
113{
114 __m128i X0, X1, X2, X3;
115 size_t i;
116
117 /* 1: X <-- B_{2r - 1} */
118 X0 = Bin[8 * r - 4];
119 X1 = Bin[8 * r - 3];
120 X2 = Bin[8 * r - 2];
121 X3 = Bin[8 * r - 1];
122
123 /* 3: X <-- H(X \xor B_i) */
124 /* 4: Y_i <-- X */
125 /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
126 SALSA20_8_XOR(Bin, Bout)
127
128 /* 2: for i = 0 to 2r - 1 do */
129 r--;
130 for (i = 0; i < r;) {
131 /* 3: X <-- H(X \xor B_i) */
132 /* 4: Y_i <-- X */
133 /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
134 SALSA20_8_XOR(&Bin[i * 8 + 4], &Bout[(r + i) * 4 + 4])
135
136 i++;
137
138 /* 3: X <-- H(X \xor B_i) */
139 /* 4: Y_i <-- X */
140 /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
141 SALSA20_8_XOR(&Bin[i * 8], &Bout[i * 4])
142 }
143
144 /* 3: X <-- H(X \xor B_i) */
145 /* 4: Y_i <-- X */
146 /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
147 SALSA20_8_XOR(&Bin[i * 8 + 4], &Bout[(r + i) * 4 + 4])
148}
149
150#define XOR4(in) \
151 X0 = _mm_xor_si128(X0, (in)[0]); \
152 X1 = _mm_xor_si128(X1, (in)[1]); \
153 X2 = _mm_xor_si128(X2, (in)[2]); \
154 X3 = _mm_xor_si128(X3, (in)[3]);
155
156#define XOR4_2(in1, in2) \
157 X0 = _mm_xor_si128((in1)[0], (in2)[0]); \
158 X1 = _mm_xor_si128((in1)[1], (in2)[1]); \
159 X2 = _mm_xor_si128((in1)[2], (in2)[2]); \
160 X3 = _mm_xor_si128((in1)[3], (in2)[3]);
161
162static inline uint32_t
163blockmix_salsa8_xor(const __m128i * Bin1, const __m128i * Bin2, __m128i * Bout,
164 size_t r)
165{
166 __m128i X0, X1, X2, X3;
167 size_t i;
168
169 /* 1: X <-- B_{2r - 1} */
170 XOR4_2(&Bin1[8 * r - 4], &Bin2[8 * r - 4])
171
172 /* 3: X <-- H(X \xor B_i) */
173 /* 4: Y_i <-- X */
174 /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
175 XOR4(Bin1)
176 SALSA20_8_XOR(Bin2, Bout)
177
178 /* 2: for i = 0 to 2r - 1 do */
179 r--;
180 for (i = 0; i < r;) {
181 /* 3: X <-- H(X \xor B_i) */
182 /* 4: Y_i <-- X */
183 /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
184 XOR4(&Bin1[i * 8 + 4])
185 SALSA20_8_XOR(&Bin2[i * 8 + 4], &Bout[(r + i) * 4 + 4])
186
187 i++;
188
189 /* 3: X <-- H(X \xor B_i) */
190 /* 4: Y_i <-- X */
191 /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
192 XOR4(&Bin1[i * 8])
193 SALSA20_8_XOR(&Bin2[i * 8], &Bout[i * 4])
194 }
195
196 /* 3: X <-- H(X \xor B_i) */
197 /* 4: Y_i <-- X */
198 /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
199 XOR4(&Bin1[i * 8 + 4])
200 SALSA20_8_XOR(&Bin2[i * 8 + 4], &Bout[(r + i) * 4 + 4])
201
202 return _mm_cvtsi128_si32(X0);
203}
204
205#undef ARX
206#undef SALSA20_2ROUNDS
207#undef SALSA20_8_XOR
208#undef XOR4
209#undef XOR4_2
210
211/**
212 * integerify(B, r):
213 * Return the result of parsing B_{2r-1} as a little-endian integer.
214 */
215static inline uint32_t
216integerify(const void * B, size_t r)
217{
218 return *(const uint32_t *)((uintptr_t)(B) + (2 * r - 1) * 64);
219}
220
221/**
222 * smix(B, r, N, V, XY):
223 * Compute B = SMix_r(B, N). The input B must be 128r bytes in length;
224 * the temporary storage V must be 128rN bytes in length; the temporary
225 * storage XY must be 256r + 64 bytes in length. The value N must be a
226 * power of 2 greater than 1. The arrays B, V, and XY must be aligned to a
227 * multiple of 64 bytes.
228 */
229static void
230smix(uint8_t * B, size_t r, uint32_t N, void * V, void * XY)
231{
232 size_t s = 128 * r;
233 __m128i * X = (__m128i *) V, * Y;
234 uint32_t * X32 = (uint32_t *) V;
235 uint32_t i, j;
236 size_t k;
237
238 /* 1: X <-- B */
239 /* 3: V_i <-- X */
240 for (k = 0; k < 2 * r; k++) {
241 for (i = 0; i < 16; i++) {
242 X32[k * 16 + i] =
243 le32dec(&B[(k * 16 + (i * 5 % 16)) * 4]);
244 }
245 }
246
247 /* 2: for i = 0 to N - 1 do */
248 for (i = 1; i < N - 1; i += 2) {
249 /* 4: X <-- H(X) */
250 /* 3: V_i <-- X */
251 Y = (__m128i *)((uintptr_t)(V) + i * s);
252 blockmix_salsa8(X, Y, r);
253
254 /* 4: X <-- H(X) */
255 /* 3: V_i <-- X */
256 X = (__m128i *)((uintptr_t)(V) + (i + 1) * s);
257 blockmix_salsa8(Y, X, r);
258 }
259
260 /* 4: X <-- H(X) */
261 /* 3: V_i <-- X */
262 Y = (__m128i *)((uintptr_t)(V) + i * s);
263 blockmix_salsa8(X, Y, r);
264
265 /* 4: X <-- H(X) */
266 /* 3: V_i <-- X */
267 X = (__m128i *) XY;
268 blockmix_salsa8(Y, X, r);
269
270 X32 = (uint32_t *) XY;
271 Y = (__m128i *)((uintptr_t)(XY) + s);
272
273 /* 7: j <-- Integerify(X) mod N */
274 j = integerify(X, r) & (N - 1);
275
276 /* 6: for i = 0 to N - 1 do */
277 for (i = 0; i < N; i += 2) {
278 __m128i * V_j = (__m128i *)((uintptr_t)(V) + j * s);
279
280 /* 8: X <-- H(X \xor V_j) */
281 /* 7: j <-- Integerify(X) mod N */
282 j = blockmix_salsa8_xor(X, V_j, Y, r) & (N - 1);
283 V_j = (__m128i *)((uintptr_t)(V) + j * s);
284
285 /* 8: X <-- H(X \xor V_j) */
286 /* 7: j <-- Integerify(X) mod N */
287 j = blockmix_salsa8_xor(Y, V_j, X, r) & (N - 1);
288 }
289
290 /* 10: B' <-- X */
291 for (k = 0; k < 2 * r; k++) {
292 for (i = 0; i < 16; i++) {
293 le32enc(&B[(k * 16 + (i * 5 % 16)) * 4],
294 X32[k * 16 + i]);
295 }
296 }
297}
298
299/**
300 * escrypt_kdf(local, passwd, passwdlen, salt, saltlen,
301 * N, r, p, buf, buflen):
302 * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
303 * p, buflen) and write the result into buf. The parameters r, p, and buflen
304 * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32. The parameter N
305 * must be a power of 2 greater than 1.
306 *
307 * Return 0 on success; or -1 on error.
308 */
309int
310escrypt_kdf_sse(escrypt_local_t * local,
311 const uint8_t * passwd, size_t passwdlen,
312 const uint8_t * salt, size_t saltlen,
313 uint64_t N, uint32_t _r, uint32_t _p,
314 uint8_t * buf, size_t buflen)
315{
316 size_t B_size, V_size, XY_size, need;
317 uint8_t * B;
318 uint32_t * V, * XY;
319 size_t r = _r, p = _p;
320 uint32_t i;
321
322 /* Sanity-check parameters. */
323#if SIZE_MAX > UINT32_MAX
324 if (buflen > (((uint64_t)(1) << 32) - 1) * 32) {
325 errno = EFBIG;
326 return -1;
327 }
328#endif
329 if ((uint64_t)(r) * (uint64_t)(p) >= (1 << 30)) {
330 errno = EFBIG;
331 return -1;
332 }
333 if (N > UINT32_MAX) {
334 errno = EFBIG;
335 return -1;
336 }
337 if (((N & (N - 1)) != 0) || (N < 2)) {
338 errno = EINVAL;
339 return -1;
340 }
341 if (r == 0 || p == 0) {
342 errno = EINVAL;
343 return -1;
344 }
345 if ((r > SIZE_MAX / 128 / p) ||
346#if SIZE_MAX / 256 <= UINT32_MAX
347 (r > SIZE_MAX / 256) ||
348#endif
349 (N > SIZE_MAX / 128 / r)) {
350 errno = ENOMEM;
351 return -1;
352 }
353
354 /* Allocate memory. */
355 B_size = (size_t)128 * r * p;
356 V_size = (size_t)128 * r * N;
357 need = B_size + V_size;
358 if (need < V_size) {
359 errno = ENOMEM;
360 return -1;
361 }
362 XY_size = (size_t)256 * r + 64;
363 need += XY_size;
364 if (need < XY_size) {
365 errno = ENOMEM;
366 return -1;
367 }
368 if (local->size < need) {
369 if (free_region(local))
370 return -1;
371 if (!alloc_region(local, need))
372 return -1;
373 }
374 B = (uint8_t *)local->aligned;
375 V = (uint32_t *)((uint8_t *)B + B_size);
376 XY = (uint32_t *)((uint8_t *)V + V_size);
377
378 /* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */
379 PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size);
380
381 /* 2: for i = 0 to p - 1 do */
382 for (i = 0; i < p; i++) {
383 /* 3: B_i <-- MF(B_i, N) */
384 smix(&B[(size_t)128 * i * r], r, N, V, XY);
385 }
386
387 /* 5: DK <-- PBKDF2(P, B, 1, dkLen) */
388 PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen);
389
390 /* Success! */
391 return 0;
392}
393#endif
394
395#endif
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sysendian.h b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sysendian.h
new file mode 100644
index 00000000..e28c5202
--- /dev/null
+++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sysendian.h
@@ -0,0 +1,150 @@
1#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
2
3#ifndef _SYSENDIAN_H_
4#define _SYSENDIAN_H_
5
6#include <stdint.h>
7
8/* Avoid namespace collisions with BSD <sys/endian.h>. */
9#define be16dec scrypt_be16dec
10#define be16enc scrypt_be16enc
11#define be32dec scrypt_be32dec
12#define be32enc scrypt_be32enc
13#define be64dec scrypt_be64dec
14#define be64enc scrypt_be64enc
15#define le16dec scrypt_le16dec
16#define le16enc scrypt_le16enc
17#define le32dec scrypt_le32dec
18#define le32enc scrypt_le32enc
19#define le64dec scrypt_le64dec
20#define le64enc scrypt_le64enc
21
22static inline uint16_t
23be16dec(const void *pp)
24{
25 const uint8_t *p = (uint8_t const *)pp;
26
27 return ((uint16_t)(p[1]) + ((uint16_t)(p[0]) << 8));
28}
29
30static inline void
31be16enc(void *pp, uint16_t x)
32{
33 uint8_t * p = (uint8_t *)pp;
34
35 p[1] = x & 0xff;
36 p[0] = (x >> 8) & 0xff;
37}
38
39static inline uint32_t
40be32dec(const void *pp)
41{
42 const uint8_t *p = (uint8_t const *)pp;
43
44 return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) +
45 ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24));
46}
47
48static inline void
49be32enc(void *pp, uint32_t x)
50{
51 uint8_t * p = (uint8_t *)pp;
52
53 p[3] = x & 0xff;
54 p[2] = (x >> 8) & 0xff;
55 p[1] = (x >> 16) & 0xff;
56 p[0] = (x >> 24) & 0xff;
57}
58
59static inline uint64_t
60be64dec(const void *pp)
61{
62 const uint8_t *p = (uint8_t const *)pp;
63
64 return ((uint64_t)(p[7]) + ((uint64_t)(p[6]) << 8) +
65 ((uint64_t)(p[5]) << 16) + ((uint64_t)(p[4]) << 24) +
66 ((uint64_t)(p[3]) << 32) + ((uint64_t)(p[2]) << 40) +
67 ((uint64_t)(p[1]) << 48) + ((uint64_t)(p[0]) << 56));
68}
69
70static inline void
71be64enc(void *pp, uint64_t x)
72{
73 uint8_t * p = (uint8_t *)pp;
74
75 p[7] = x & 0xff;
76 p[6] = (x >> 8) & 0xff;
77 p[5] = (x >> 16) & 0xff;
78 p[4] = (x >> 24) & 0xff;
79 p[3] = (x >> 32) & 0xff;
80 p[2] = (x >> 40) & 0xff;
81 p[1] = (x >> 48) & 0xff;
82 p[0] = (x >> 56) & 0xff;
83}
84
85static inline uint16_t
86le16dec(const void *pp)
87{
88 const uint8_t *p = (uint8_t const *)pp;
89
90 return ((uint16_t)(p[0]) + ((uint16_t)(p[1]) << 8));
91}
92
93static inline void
94le16enc(void *pp, uint16_t x)
95{
96 uint8_t * p = (uint8_t *)pp;
97
98 p[0] = x & 0xff;
99 p[1] = (x >> 8) & 0xff;
100}
101
102static inline uint32_t
103le32dec(const void *pp)
104{
105 const uint8_t *p = (uint8_t const *)pp;
106
107 return ((uint32_t)(p[0]) + ((uint32_t)(p[1]) << 8) +
108 ((uint32_t)(p[2]) << 16) + ((uint32_t)(p[3]) << 24));
109}
110
111static inline void
112le32enc(void *pp, uint32_t x)
113{
114 uint8_t * p = (uint8_t *)pp;
115
116 p[0] = x & 0xff;
117 p[1] = (x >> 8) & 0xff;
118 p[2] = (x >> 16) & 0xff;
119 p[3] = (x >> 24) & 0xff;
120}
121
122static inline uint64_t
123le64dec(const void *pp)
124{
125 const uint8_t *p = (uint8_t const *)pp;
126
127 return ((uint64_t)(p[0]) + ((uint64_t)(p[1]) << 8) +
128 ((uint64_t)(p[2]) << 16) + ((uint64_t)(p[3]) << 24) +
129 ((uint64_t)(p[4]) << 32) + ((uint64_t)(p[5]) << 40) +
130 ((uint64_t)(p[6]) << 48) + ((uint64_t)(p[7]) << 56));
131}
132
133static inline void
134le64enc(void *pp, uint64_t x)
135{
136 uint8_t * p = (uint8_t *)pp;
137
138 p[0] = x & 0xff;
139 p[1] = (x >> 8) & 0xff;
140 p[2] = (x >> 16) & 0xff;
141 p[3] = (x >> 24) & 0xff;
142 p[4] = (x >> 32) & 0xff;
143 p[5] = (x >> 40) & 0xff;
144 p[6] = (x >> 48) & 0xff;
145 p[7] = (x >> 56) & 0xff;
146}
147
148#endif /* !_SYSENDIAN_H_ */
149
150#endif
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.c b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.c
new file mode 100644
index 00000000..677633b4
--- /dev/null
+++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.c
@@ -0,0 +1,75 @@
1#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
2
3#ifndef __STDC_WANT_LIB_EXT1__
4# define __STDC_WANT_LIB_EXT1__ 1
5#endif
6#include <assert.h>
7#include <errno.h>
8#include <limits.h>
9#include <signal.h>
10#include <stddef.h>
11#include <stdint.h>
12#include <stdlib.h>
13#include <string.h>
14
15#ifdef HAVE_SYS_MMAN_H
16# include <sys/mman.h>
17#endif
18
19#include "utils.h"
20
21#ifdef _WIN32
22# include <windows.h>
23# include <wincrypt.h>
24#else
25# include <unistd.h>
26#endif
27
28#ifdef HAVE_WEAK_SYMBOLS
29__attribute__((weak)) void
30__sodium_dummy_symbol_to_prevent_lto(void * const pnt, const size_t len)
31{
32 (void) pnt;
33 (void) len;
34}
35#endif
36
37void
38sodium_memzero(void * const pnt, const size_t len)
39{
40#ifdef _WIN32
41 SecureZeroMemory(pnt, len);
42#elif defined(HAVE_MEMSET_S)
43 if (memset_s(pnt, (rsize_t) len, 0, (rsize_t) len) != 0) {
44 abort();
45 }
46#elif defined(HAVE_EXPLICIT_BZERO)
47 explicit_bzero(pnt, len);
48#elif HAVE_WEAK_SYMBOLS
49 memset(pnt, 0, len);
50 __sodium_dummy_symbol_to_prevent_lto(pnt, len);
51#else
52 volatile unsigned char *pnt_ = (volatile unsigned char *) pnt;
53 size_t i = (size_t) 0U;
54
55 while (i < len) {
56 pnt_[i++] = 0U;
57 }
58#endif
59}
60
61int
62sodium_memcmp(const void * const b1_, const void * const b2_, size_t len)
63{
64 const unsigned char *b1 = (const unsigned char *) b1_;
65 const unsigned char *b2 = (const unsigned char *) b2_;
66 size_t i;
67 unsigned char d = (unsigned char) 0U;
68
69 for (i = 0U; i < len; i++) {
70 d |= b1[i] ^ b2[i];
71 }
72 return (int) ((1 & ((d - 1) >> 8)) - 1);
73}
74
75#endif
diff --git a/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.h b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.h
new file mode 100644
index 00000000..7d5214e1
--- /dev/null
+++ b/toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.h
@@ -0,0 +1,37 @@
1#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
2
3#ifndef __SODIUM_UTILS_H__
4#define __SODIUM_UTILS_H__
5
6#include <stddef.h>
7
8#include "export.h"
9
10#ifdef __cplusplus
11extern "C" {
12#endif
13
14#if defined(__cplusplus) || !defined(__STDC_VERSION__) || __STDC_VERSION__ < 199901L
15# define _SODIUM_C99(X)
16#else
17# define _SODIUM_C99(X) X
18#endif
19
20SODIUM_EXPORT
21void sodium_memzero(void * const pnt, const size_t len);
22
23/* WARNING: sodium_memcmp() must be used to verify if two secret keys
24 * are equal, in constant time.
25 * It returns 0 if the keys are equal, and -1 if they differ.
26 * This function is not designed for lexicographical comparisons.
27 */
28SODIUM_EXPORT
29int sodium_memcmp(const void * const b1_, const void * const b2_, size_t len);
30
31#ifdef __cplusplus
32}
33#endif
34
35#endif
36
37#endif
diff --git a/toxencryptsave/toxencryptsave.c b/toxencryptsave/toxencryptsave.c
new file mode 100644
index 00000000..f6fc7f9e
--- /dev/null
+++ b/toxencryptsave/toxencryptsave.c
@@ -0,0 +1,135 @@
1/* toxencryptsave.c
2 *
3 * The Tox encrypted save functions.
4 *
5 * Copyright (C) 2013 Tox project All Rights Reserved.
6 *
7 * This file is part of Tox.
8 *
9 * Tox is free software: you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation, either version 3 of the License, or
12 * (at your option) any later version.
13 *
14 * Tox is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with Tox. If not, see <http://www.gnu.org/licenses/>.
21 *
22 */
23
24#include "toxencryptsave.h"
25
26/* This "module" provides functions analogous to tox_load and tox_save in toxcore
27 * Clients should consider alerting their users that, unlike plain data, if even one bit
28 * becomes corrupted, the data will be entirely unrecoverable.
29 * Ditto if they forget their password, there is no way to recover the data.
30 */
31
32/* return size of the messenger data (for encrypted saving). */
33uint32_t tox_encrypted_size(const Tox *tox)
34{
35 return tox_size(tox) + crypto_box_MACBYTES + crypto_box_NONCEBYTES
36 + crypto_pwhash_scryptsalsa208sha256_SALTBYTES;
37}
38
39/* Save the messenger data encrypted with the given password.
40 * data must be at least tox_encrypted_size().
41 *
42 * returns 0 on success
43 * returns -1 on failure
44 */
45int tox_encrypted_save(const Tox *tox, uint8_t *data, uint8_t *passphrase, uint32_t pplength)
46{
47 if (pplength == 0)
48 return -1;
49
50 /* First derive a key from the password */
51 /* http://doc.libsodium.org/key_derivation/README.html */
52 /* note that, according to the documentation, a generic pwhash interface will be created
53 * once the pwhash competition (https://password-hashing.net/) is over */
54 uint8_t salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES];
55 uint8_t key[crypto_box_KEYBYTES];
56 randombytes_buf(salt, sizeof salt);
57
58 if (crypto_pwhash_scryptsalsa208sha256(
59 key, sizeof(key), passphrase, pplength, salt,
60 crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE * 2, /* slightly stronger */
61 crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE) != 0) {
62 /* out of memory most likely */
63 return -1;
64 }
65 sodium_memzero(passphrase, pplength); /* wipe plaintext pw */
66
67 /* next get plain save data */
68 uint32_t temp_size = tox_size(tox);
69 uint8_t temp_data[temp_size];
70 tox_save(tox, temp_data);
71
72 /* now encrypt.
73 * the output data consists of, in order:
74 * salt, nonce, mac, enc_data
75 * where the mac is automatically prepended by the encrypt()
76 * the salt+nonce is called the prefix
77 * I'm not sure what else I'm supposed to do with the salt and nonce, since we
78 * need them to decrypt the data
79 */
80 uint32_t prefix_size = crypto_box_NONCEBYTES+crypto_pwhash_scryptsalsa208sha256_SALTBYTES;
81
82 uint8_t nonce[crypto_box_NONCEBYTES];
83 random_nonce(nonce);
84
85 if (encrypt_data_symmetric(key, nonce, temp_data, temp_size, data + prefix_size)
86 != temp_size + crypto_box_MACBYTES) {
87 return -1;
88 }
89
90 /* add the prefix */
91 memcpy(data, salt, crypto_pwhash_scryptsalsa208sha256_SALTBYTES);
92 memcpy(data + crypto_pwhash_scryptsalsa208sha256_SALTBYTES, nonce, crypto_box_NONCEBYTES);
93
94 return 0;
95}
96
97/* Load the messenger from encrypted data of size length.
98 *
99 * returns 0 on success
100 * returns -1 on failure
101 */
102int tox_encrypted_load(Tox *tox, const uint8_t *data, uint32_t length, uint8_t *passphrase, uint32_t pplength)
103{
104 if (length <= crypto_box_MACBYTES + crypto_box_NONCEBYTES + crypto_pwhash_scryptsalsa208sha256_SALTBYTES)
105 return -1;
106
107 uint32_t decrypt_length = length - crypto_box_MACBYTES - crypto_box_NONCEBYTES
108 - crypto_pwhash_scryptsalsa208sha256_SALTBYTES;
109 uint8_t salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES];
110 uint8_t nonce[crypto_box_NONCEBYTES];
111
112 memcpy(salt, data, crypto_pwhash_scryptsalsa208sha256_SALTBYTES);
113 memcpy(nonce, data + crypto_pwhash_scryptsalsa208sha256_SALTBYTES, crypto_box_NONCEBYTES);
114
115 /* derive the key */
116 uint8_t key[crypto_box_KEYBYTES];
117 if (crypto_pwhash_scryptsalsa208sha256(
118 key, sizeof(key), passphrase, pplength, salt,
119 crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE * 2, /* slightly stronger */
120 crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE) != 0) {
121 /* out of memory most likely */
122 return -1;
123 }
124 sodium_memzero(passphrase, pplength); /* wipe plaintext pw */
125
126 /* decrypt the data */
127 uint8_t temp_data[decrypt_length];
128 if (decrypt_data_symmetric(key, nonce, data+crypto_pwhash_scryptsalsa208sha256_SALTBYTES+crypto_box_NONCEBYTES,
129 decrypt_length + crypto_box_MACBYTES, temp_data)
130 != decrypt_length) {
131 return -1;
132 }
133
134 return tox_load(tox, temp_data, decrypt_length);
135}
diff --git a/toxencryptsave/toxencryptsave.h b/toxencryptsave/toxencryptsave.h
new file mode 100644
index 00000000..f28ea731
--- /dev/null
+++ b/toxencryptsave/toxencryptsave.h
@@ -0,0 +1,67 @@
1/* toxencryptsave.h
2 *
3 * The Tox encrypted save functions.
4 *
5 * Copyright (C) 2013 Tox project All Rights Reserved.
6 *
7 * This file is part of Tox.
8 *
9 * Tox is free software: you can redistribute it and/or modify
10 * it under the terms of the GNU General Public License as published by
11 * the Free Software Foundation, either version 3 of the License, or
12 * (at your option) any later version.
13 *
14 * Tox is distributed in the hope that it will be useful,
15 * but WITHOUT ANY WARRANTY; without even the implied warranty of
16 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
17 * GNU General Public License for more details.
18 *
19 * You should have received a copy of the GNU General Public License
20 * along with Tox. If not, see <http://www.gnu.org/licenses/>.
21 *
22 */
23
24#ifndef TOXENCRYPTSAVE_H
25#define TOXENCRYPTSAVE_H
26
27#ifdef VANILLA_NACL
28#include "crypto_pwhash_scryptsalsa208sha256/crypto_pwhash_scryptsalsa208sha256.h"
29#include "crypto_pwhash_scryptsalsa208sha256/utils.h" /* sodium_memzero */
30#endif
31
32#include "../toxcore/tox.h"
33#include "../toxcore/crypto_core.h"
34
35#ifdef __cplusplus
36extern "C" {
37#endif
38
39/* This "module" provides functions analogous to tox_load and tox_save in toxcore
40 * Clients should consider alerting their users that, unlike plain data, if even one bit
41 * becomes corrupted, the data will be entirely unrecoverable.
42 * Ditto if they forget their password, there is no way to recover the data.
43 */
44
45/* return size of the messenger data (for encrypted saving). */
46uint32_t tox_encrypted_size(const Tox *tox);
47
48/* Save the messenger data encrypted with the given password.
49 * data must be at least tox_encrypted_size().
50 *
51 * returns 0 on success
52 * returns -1 on failure
53 */
54int tox_encrypted_save(const Tox *tox, uint8_t *data, uint8_t *passphrase, uint32_t pplength);
55
56/* Load the messenger from encrypted data of size length.
57 *
58 * returns 0 on success
59 * returns -1 on failure
60 */
61int tox_encrypted_load(Tox *tox, const uint8_t *data, uint32_t length, uint8_t *passphrase, uint32_t pplength);
62
63#ifdef __cplusplus
64}
65#endif
66
67#endif
generated by cgit v1.2.3 (git 2.39.1) at 2024-06-01 13:08:55 +0000