26 files changed, 808 insertions, 0 deletions

diff --git a/nacl/crypto_core/hsalsa20/checksum b/nacl/crypto_core/hsalsa20/checksum
new file mode 100644
index 00000000..f67bb2e2
--- /dev/null
+++ b/nacl/crypto_core/hsalsa20/checksum
@@ -0,0 +1 @@
+28ebe700b5878570702a68740aa131e6fa907e58a3f6915cd183c6db3f7afd7a
diff --git a/nacl/crypto_core/hsalsa20/ref/api.h b/nacl/crypto_core/hsalsa20/ref/api.h
new file mode 100644
index 00000000..73bd8541
--- /dev/null
+++ b/nacl/crypto_core/hsalsa20/ref/api.h
@@ -0,0 +1,4 @@
+#define CRYPTO_OUTPUTBYTES 32
+#define CRYPTO_INPUTBYTES 16
+#define CRYPTO_KEYBYTES 32
+#define CRYPTO_CONSTBYTES 16
diff --git a/nacl/crypto_core/hsalsa20/ref/core.c b/nacl/crypto_core/hsalsa20/ref/core.c
new file mode 100644
index 00000000..36118da0
--- /dev/null
+++ b/nacl/crypto_core/hsalsa20/ref/core.c
@@ -0,0 +1,135 @@
+/*
+version 20080912
+D. J. Bernstein
+Public domain.
+*/
+
+#include "crypto_core.h"
+
+#define ROUNDS 20
+
+typedef unsigned int uint32;
+
+static uint32 rotate(uint32 u,int c)
+{
+  return (u << c) | (u >> (32 - c));
+}
+
+static uint32 load_littleendian(const unsigned char *x)
+{
+  return
+      (uint32) (x[0]) \
+  | (((uint32) (x[1])) << 8) \
+  | (((uint32) (x[2])) << 16) \
+  | (((uint32) (x[3])) << 24)
+  ;
+}
+
+static void store_littleendian(unsigned char *x,uint32 u)
+{
+  x[0] = u; u >>= 8;
+  x[1] = u; u >>= 8;
+  x[2] = u; u >>= 8;
+  x[3] = u;
+}
+
+int crypto_core(
+        unsigned char *out,
+  const unsigned char *in,
+  const unsigned char *k,
+  const unsigned char *c
+)
+{
+  uint32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+  uint32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+  int i;
+
+  j0 = x0 = load_littleendian(c + 0);
+  j1 = x1 = load_littleendian(k + 0);
+  j2 = x2 = load_littleendian(k + 4);
+  j3 = x3 = load_littleendian(k + 8);
+  j4 = x4 = load_littleendian(k + 12);
+  j5 = x5 = load_littleendian(c + 4);
+  j6 = x6 = load_littleendian(in + 0);
+  j7 = x7 = load_littleendian(in + 4);
+  j8 = x8 = load_littleendian(in + 8);
+  j9 = x9 = load_littleendian(in + 12);
+  j10 = x10 = load_littleendian(c + 8);
+  j11 = x11 = load_littleendian(k + 16);
+  j12 = x12 = load_littleendian(k + 20);
+  j13 = x13 = load_littleendian(k + 24);
+  j14 = x14 = load_littleendian(k + 28);
+  j15 = x15 = load_littleendian(c + 12);
+
+  for (i = ROUNDS;i > 0;i -= 2) {
+     x4 ^= rotate( x0+x12, 7);
+     x8 ^= rotate( x4+ x0, 9);
+    x12 ^= rotate( x8+ x4,13);
+     x0 ^= rotate(x12+ x8,18);
+     x9 ^= rotate( x5+ x1, 7);
+    x13 ^= rotate( x9+ x5, 9);
+     x1 ^= rotate(x13+ x9,13);
+     x5 ^= rotate( x1+x13,18);
+    x14 ^= rotate(x10+ x6, 7);
+     x2 ^= rotate(x14+x10, 9);
+     x6 ^= rotate( x2+x14,13);
+    x10 ^= rotate( x6+ x2,18);
+     x3 ^= rotate(x15+x11, 7);
+     x7 ^= rotate( x3+x15, 9);
+    x11 ^= rotate( x7+ x3,13);
+    x15 ^= rotate(x11+ x7,18);
+     x1 ^= rotate( x0+ x3, 7);
+     x2 ^= rotate( x1+ x0, 9);
+     x3 ^= rotate( x2+ x1,13);
+     x0 ^= rotate( x3+ x2,18);
+     x6 ^= rotate( x5+ x4, 7);
+     x7 ^= rotate( x6+ x5, 9);
+     x4 ^= rotate( x7+ x6,13);
+     x5 ^= rotate( x4+ x7,18);
+    x11 ^= rotate(x10+ x9, 7);
+     x8 ^= rotate(x11+x10, 9);
+     x9 ^= rotate( x8+x11,13);
+    x10 ^= rotate( x9+ x8,18);
+    x12 ^= rotate(x15+x14, 7);
+    x13 ^= rotate(x12+x15, 9);
+    x14 ^= rotate(x13+x12,13);
+    x15 ^= rotate(x14+x13,18);
+  }
+
+  x0 += j0;
+  x1 += j1;
+  x2 += j2;
+  x3 += j3;
+  x4 += j4;
+  x5 += j5;
+  x6 += j6;
+  x7 += j7;
+  x8 += j8;
+  x9 += j9;
+  x10 += j10;
+  x11 += j11;
+  x12 += j12;
+  x13 += j13;
+  x14 += j14;
+  x15 += j15;
+
+  x0 -= load_littleendian(c + 0);
+  x5 -= load_littleendian(c + 4);
+  x10 -= load_littleendian(c + 8);
+  x15 -= load_littleendian(c + 12);
+  x6 -= load_littleendian(in + 0);
+  x7 -= load_littleendian(in + 4);
+  x8 -= load_littleendian(in + 8);
+  x9 -= load_littleendian(in + 12);
+
+  store_littleendian(out + 0,x0);
+  store_littleendian(out + 4,x5);
+  store_littleendian(out + 8,x10);
+  store_littleendian(out + 12,x15);
+  store_littleendian(out + 16,x6);
+  store_littleendian(out + 20,x7);
+  store_littleendian(out + 24,x8);
+  store_littleendian(out + 28,x9);
+
+  return 0;
+}
diff --git a/nacl/crypto_core/hsalsa20/ref/implementors b/nacl/crypto_core/hsalsa20/ref/implementors
new file mode 100644
index 00000000..f6fb3c73
--- /dev/null
+++ b/nacl/crypto_core/hsalsa20/ref/implementors
@@ -0,0 +1 @@
+Daniel J. Bernstein
diff --git a/nacl/crypto_core/hsalsa20/ref2/api.h b/nacl/crypto_core/hsalsa20/ref2/api.h
new file mode 100644
index 00000000..73bd8541
--- /dev/null
+++ b/nacl/crypto_core/hsalsa20/ref2/api.h
@@ -0,0 +1,4 @@
+#define CRYPTO_OUTPUTBYTES 32
+#define CRYPTO_INPUTBYTES 16
+#define CRYPTO_KEYBYTES 32
+#define CRYPTO_CONSTBYTES 16
diff --git a/nacl/crypto_core/hsalsa20/ref2/core.c b/nacl/crypto_core/hsalsa20/ref2/core.c
new file mode 100644
index 00000000..9a9a8c7c
--- /dev/null
+++ b/nacl/crypto_core/hsalsa20/ref2/core.c
@@ -0,0 +1,108 @@
+/*
+version 20080912
+D. J. Bernstein
+Public domain.
+*/
+
+#include "crypto_core.h"
+
+#define ROUNDS 20
+
+typedef unsigned int uint32;
+
+static uint32 rotate(uint32 u,int c)
+{
+  return (u << c) | (u >> (32 - c));
+}
+
+static uint32 load_littleendian(const unsigned char *x)
+{
+  return
+      (uint32) (x[0]) \
+  | (((uint32) (x[1])) << 8) \
+  | (((uint32) (x[2])) << 16) \
+  | (((uint32) (x[3])) << 24)
+  ;
+}
+
+static void store_littleendian(unsigned char *x,uint32 u)
+{
+  x[0] = u; u >>= 8;
+  x[1] = u; u >>= 8;
+  x[2] = u; u >>= 8;
+  x[3] = u;
+}
+
+int crypto_core(
+        unsigned char *out,
+  const unsigned char *in,
+  const unsigned char *k,
+  const unsigned char *c
+)
+{
+  uint32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+  int i;
+
+  x0 = load_littleendian(c + 0);
+  x1 = load_littleendian(k + 0);
+  x2 = load_littleendian(k + 4);
+  x3 = load_littleendian(k + 8);
+  x4 = load_littleendian(k + 12);
+  x5 = load_littleendian(c + 4);
+  x6 = load_littleendian(in + 0);
+  x7 = load_littleendian(in + 4);
+  x8 = load_littleendian(in + 8);
+  x9 = load_littleendian(in + 12);
+  x10 = load_littleendian(c + 8);
+  x11 = load_littleendian(k + 16);
+  x12 = load_littleendian(k + 20);
+  x13 = load_littleendian(k + 24);
+  x14 = load_littleendian(k + 28);
+  x15 = load_littleendian(c + 12);
+
+  for (i = ROUNDS;i > 0;i -= 2) {
+     x4 ^= rotate( x0+x12, 7);
+     x8 ^= rotate( x4+ x0, 9);
+    x12 ^= rotate( x8+ x4,13);
+     x0 ^= rotate(x12+ x8,18);
+     x9 ^= rotate( x5+ x1, 7);
+    x13 ^= rotate( x9+ x5, 9);
+     x1 ^= rotate(x13+ x9,13);
+     x5 ^= rotate( x1+x13,18);
+    x14 ^= rotate(x10+ x6, 7);
+     x2 ^= rotate(x14+x10, 9);
+     x6 ^= rotate( x2+x14,13);
+    x10 ^= rotate( x6+ x2,18);
+     x3 ^= rotate(x15+x11, 7);
+     x7 ^= rotate( x3+x15, 9);
+    x11 ^= rotate( x7+ x3,13);
+    x15 ^= rotate(x11+ x7,18);
+     x1 ^= rotate( x0+ x3, 7);
+     x2 ^= rotate( x1+ x0, 9);
+     x3 ^= rotate( x2+ x1,13);
+     x0 ^= rotate( x3+ x2,18);
+     x6 ^= rotate( x5+ x4, 7);
+     x7 ^= rotate( x6+ x5, 9);
+     x4 ^= rotate( x7+ x6,13);
+     x5 ^= rotate( x4+ x7,18);
+    x11 ^= rotate(x10+ x9, 7);
+     x8 ^= rotate(x11+x10, 9);
+     x9 ^= rotate( x8+x11,13);
+    x10 ^= rotate( x9+ x8,18);
+    x12 ^= rotate(x15+x14, 7);
+    x13 ^= rotate(x12+x15, 9);
+    x14 ^= rotate(x13+x12,13);
+    x15 ^= rotate(x14+x13,18);
+  }
+
+  store_littleendian(out + 0,x0);
+  store_littleendian(out + 4,x5);
+  store_littleendian(out + 8,x10);
+  store_littleendian(out + 12,x15);
+  store_littleendian(out + 16,x6);
+  store_littleendian(out + 20,x7);
+  store_littleendian(out + 24,x8);
+  store_littleendian(out + 28,x9);
+
+  return 0;
+}
diff --git a/nacl/crypto_core/hsalsa20/ref2/implementors b/nacl/crypto_core/hsalsa20/ref2/implementors
new file mode 100644
index 00000000..f6fb3c73
--- /dev/null
+++ b/nacl/crypto_core/hsalsa20/ref2/implementors
@@ -0,0 +1 @@
+Daniel J. Bernstein
diff --git a/nacl/crypto_core/hsalsa20/used b/nacl/crypto_core/hsalsa20/used
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/nacl/crypto_core/hsalsa20/used
diff --git a/nacl/crypto_core/measure.c b/nacl/crypto_core/measure.c
new file mode 100644
index 00000000..dd7bac81
--- /dev/null
+++ b/nacl/crypto_core/measure.c
@@ -0,0 +1,18 @@
+#include "crypto_core.h"
+
+const char *primitiveimplementation = crypto_core_IMPLEMENTATION;
+const char *implementationversion = crypto_core_VERSION;
+const char *sizenames[] = { "outputbytes", "inputbytes", "keybytes", "constbytes", 0 };
+const long long sizes[] = { crypto_core_OUTPUTBYTES, crypto_core_INPUTBYTES, crypto_core_KEYBYTES, crypto_core_CONSTBYTES };
+
+void preallocate(void)
+{
+}
+
+void allocate(void)
+{
+}
+
+void measure(void)
+{
+}
diff --git a/nacl/crypto_core/salsa20/checksum b/nacl/crypto_core/salsa20/checksum
new file mode 100644
index 00000000..fcf56186
--- /dev/null
+++ b/nacl/crypto_core/salsa20/checksum
@@ -0,0 +1 @@
+9d1ee8d84b974e648507ffd93829376c5b4420751710e44f6593abd8769378011d85ecda51ceb8f43661d3c65ef5b57c4f5bf8df76c8202784c8df8def61e6a6
diff --git a/nacl/crypto_core/salsa20/ref/api.h b/nacl/crypto_core/salsa20/ref/api.h
new file mode 100644
index 00000000..2a387b6d
--- /dev/null
+++ b/nacl/crypto_core/salsa20/ref/api.h
@@ -0,0 +1,4 @@
+#define CRYPTO_OUTPUTBYTES 64
+#define CRYPTO_INPUTBYTES 16
+#define CRYPTO_KEYBYTES 32
+#define CRYPTO_CONSTBYTES 16
diff --git a/nacl/crypto_core/salsa20/ref/core.c b/nacl/crypto_core/salsa20/ref/core.c
new file mode 100644
index 00000000..910a0056
--- /dev/null
+++ b/nacl/crypto_core/salsa20/ref/core.c
@@ -0,0 +1,134 @@
+/*
+version 20080912
+D. J. Bernstein
+Public domain.
+*/
+
+#include "crypto_core.h"
+
+#define ROUNDS 20
+
+typedef unsigned int uint32;
+
+static uint32 rotate(uint32 u,int c)
+{
+  return (u << c) | (u >> (32 - c));
+}
+
+static uint32 load_littleendian(const unsigned char *x)
+{
+  return
+      (uint32) (x[0]) \
+  | (((uint32) (x[1])) << 8) \
+  | (((uint32) (x[2])) << 16) \
+  | (((uint32) (x[3])) << 24)
+  ;
+}
+
+static void store_littleendian(unsigned char *x,uint32 u)
+{
+  x[0] = u; u >>= 8;
+  x[1] = u; u >>= 8;
+  x[2] = u; u >>= 8;
+  x[3] = u;
+}
+
+int crypto_core(
+        unsigned char *out,
+  const unsigned char *in,
+  const unsigned char *k,
+  const unsigned char *c
+)
+{
+  uint32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+  uint32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+  int i;
+
+  j0 = x0 = load_littleendian(c + 0);
+  j1 = x1 = load_littleendian(k + 0);
+  j2 = x2 = load_littleendian(k + 4);
+  j3 = x3 = load_littleendian(k + 8);
+  j4 = x4 = load_littleendian(k + 12);
+  j5 = x5 = load_littleendian(c + 4);
+  j6 = x6 = load_littleendian(in + 0);
+  j7 = x7 = load_littleendian(in + 4);
+  j8 = x8 = load_littleendian(in + 8);
+  j9 = x9 = load_littleendian(in + 12);
+  j10 = x10 = load_littleendian(c + 8);
+  j11 = x11 = load_littleendian(k + 16);
+  j12 = x12 = load_littleendian(k + 20);
+  j13 = x13 = load_littleendian(k + 24);
+  j14 = x14 = load_littleendian(k + 28);
+  j15 = x15 = load_littleendian(c + 12);
+
+  for (i = ROUNDS;i > 0;i -= 2) {
+     x4 ^= rotate( x0+x12, 7);
+     x8 ^= rotate( x4+ x0, 9);
+    x12 ^= rotate( x8+ x4,13);
+     x0 ^= rotate(x12+ x8,18);
+     x9 ^= rotate( x5+ x1, 7);
+    x13 ^= rotate( x9+ x5, 9);
+     x1 ^= rotate(x13+ x9,13);
+     x5 ^= rotate( x1+x13,18);
+    x14 ^= rotate(x10+ x6, 7);
+     x2 ^= rotate(x14+x10, 9);
+     x6 ^= rotate( x2+x14,13);
+    x10 ^= rotate( x6+ x2,18);
+     x3 ^= rotate(x15+x11, 7);
+     x7 ^= rotate( x3+x15, 9);
+    x11 ^= rotate( x7+ x3,13);
+    x15 ^= rotate(x11+ x7,18);
+     x1 ^= rotate( x0+ x3, 7);
+     x2 ^= rotate( x1+ x0, 9);
+     x3 ^= rotate( x2+ x1,13);
+     x0 ^= rotate( x3+ x2,18);
+     x6 ^= rotate( x5+ x4, 7);
+     x7 ^= rotate( x6+ x5, 9);
+     x4 ^= rotate( x7+ x6,13);
+     x5 ^= rotate( x4+ x7,18);
+    x11 ^= rotate(x10+ x9, 7);
+     x8 ^= rotate(x11+x10, 9);
+     x9 ^= rotate( x8+x11,13);
+    x10 ^= rotate( x9+ x8,18);
+    x12 ^= rotate(x15+x14, 7);
+    x13 ^= rotate(x12+x15, 9);
+    x14 ^= rotate(x13+x12,13);
+    x15 ^= rotate(x14+x13,18);
+  }
+
+  x0 += j0;
+  x1 += j1;
+  x2 += j2;
+  x3 += j3;
+  x4 += j4;
+  x5 += j5;
+  x6 += j6;
+  x7 += j7;
+  x8 += j8;
+  x9 += j9;
+  x10 += j10;
+  x11 += j11;
+  x12 += j12;
+  x13 += j13;
+  x14 += j14;
+  x15 += j15;
+
+  store_littleendian(out + 0,x0);
+  store_littleendian(out + 4,x1);
+  store_littleendian(out + 8,x2);
+  store_littleendian(out + 12,x3);
+  store_littleendian(out + 16,x4);
+  store_littleendian(out + 20,x5);
+  store_littleendian(out + 24,x6);
+  store_littleendian(out + 28,x7);
+  store_littleendian(out + 32,x8);
+  store_littleendian(out + 36,x9);
+  store_littleendian(out + 40,x10);
+  store_littleendian(out + 44,x11);
+  store_littleendian(out + 48,x12);
+  store_littleendian(out + 52,x13);
+  store_littleendian(out + 56,x14);
+  store_littleendian(out + 60,x15);
+
+  return 0;
+}
diff --git a/nacl/crypto_core/salsa20/ref/implementors b/nacl/crypto_core/salsa20/ref/implementors
new file mode 100644
index 00000000..f6fb3c73
--- /dev/null
+++ b/nacl/crypto_core/salsa20/ref/implementors
@@ -0,0 +1 @@
+Daniel J. Bernstein
diff --git a/nacl/crypto_core/salsa20/used b/nacl/crypto_core/salsa20/used
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/nacl/crypto_core/salsa20/used
diff --git a/nacl/crypto_core/salsa2012/checksum b/nacl/crypto_core/salsa2012/checksum
new file mode 100644
index 00000000..2f99a8d6
--- /dev/null
+++ b/nacl/crypto_core/salsa2012/checksum
@@ -0,0 +1 @@
+f36d643f798efc0fca888d3ac4bdcc54c98a968c2da16bd5b8bfe9fe9025a6ca3a207e9362dc7cf17ddfc7477ee754d3f521b1df91640093754f7275b1a54293
diff --git a/nacl/crypto_core/salsa2012/ref/api.h b/nacl/crypto_core/salsa2012/ref/api.h
new file mode 100644
index 00000000..2a387b6d
--- /dev/null
+++ b/nacl/crypto_core/salsa2012/ref/api.h
@@ -0,0 +1,4 @@
+#define CRYPTO_OUTPUTBYTES 64
+#define CRYPTO_INPUTBYTES 16
+#define CRYPTO_KEYBYTES 32
+#define CRYPTO_CONSTBYTES 16
diff --git a/nacl/crypto_core/salsa2012/ref/core.c b/nacl/crypto_core/salsa2012/ref/core.c
new file mode 100644
index 00000000..d4b59e48
--- /dev/null
+++ b/nacl/crypto_core/salsa2012/ref/core.c
@@ -0,0 +1,134 @@
+/*
+version 20080913
+D. J. Bernstein
+Public domain.
+*/
+
+#include "crypto_core.h"
+
+#define ROUNDS 12
+
+typedef unsigned int uint32;
+
+static uint32 rotate(uint32 u,int c)
+{
+  return (u << c) | (u >> (32 - c));
+}
+
+static uint32 load_littleendian(const unsigned char *x)
+{
+  return
+      (uint32) (x[0]) \
+  | (((uint32) (x[1])) << 8) \
+  | (((uint32) (x[2])) << 16) \
+  | (((uint32) (x[3])) << 24)
+  ;
+}
+
+static void store_littleendian(unsigned char *x,uint32 u)
+{
+  x[0] = u; u >>= 8;
+  x[1] = u; u >>= 8;
+  x[2] = u; u >>= 8;
+  x[3] = u;
+}
+
+int crypto_core(
+        unsigned char *out,
+  const unsigned char *in,
+  const unsigned char *k,
+  const unsigned char *c
+)
+{
+  uint32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+  uint32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+  int i;
+
+  j0 = x0 = load_littleendian(c + 0);
+  j1 = x1 = load_littleendian(k + 0);
+  j2 = x2 = load_littleendian(k + 4);
+  j3 = x3 = load_littleendian(k + 8);
+  j4 = x4 = load_littleendian(k + 12);
+  j5 = x5 = load_littleendian(c + 4);
+  j6 = x6 = load_littleendian(in + 0);
+  j7 = x7 = load_littleendian(in + 4);
+  j8 = x8 = load_littleendian(in + 8);
+  j9 = x9 = load_littleendian(in + 12);
+  j10 = x10 = load_littleendian(c + 8);
+  j11 = x11 = load_littleendian(k + 16);
+  j12 = x12 = load_littleendian(k + 20);
+  j13 = x13 = load_littleendian(k + 24);
+  j14 = x14 = load_littleendian(k + 28);
+  j15 = x15 = load_littleendian(c + 12);
+
+  for (i = ROUNDS;i > 0;i -= 2) {
+     x4 ^= rotate( x0+x12, 7);
+     x8 ^= rotate( x4+ x0, 9);
+    x12 ^= rotate( x8+ x4,13);
+     x0 ^= rotate(x12+ x8,18);
+     x9 ^= rotate( x5+ x1, 7);
+    x13 ^= rotate( x9+ x5, 9);
+     x1 ^= rotate(x13+ x9,13);
+     x5 ^= rotate( x1+x13,18);
+    x14 ^= rotate(x10+ x6, 7);
+     x2 ^= rotate(x14+x10, 9);
+     x6 ^= rotate( x2+x14,13);
+    x10 ^= rotate( x6+ x2,18);
+     x3 ^= rotate(x15+x11, 7);
+     x7 ^= rotate( x3+x15, 9);
+    x11 ^= rotate( x7+ x3,13);
+    x15 ^= rotate(x11+ x7,18);
+     x1 ^= rotate( x0+ x3, 7);
+     x2 ^= rotate( x1+ x0, 9);
+     x3 ^= rotate( x2+ x1,13);
+     x0 ^= rotate( x3+ x2,18);
+     x6 ^= rotate( x5+ x4, 7);
+     x7 ^= rotate( x6+ x5, 9);
+     x4 ^= rotate( x7+ x6,13);
+     x5 ^= rotate( x4+ x7,18);
+    x11 ^= rotate(x10+ x9, 7);
+     x8 ^= rotate(x11+x10, 9);
+     x9 ^= rotate( x8+x11,13);
+    x10 ^= rotate( x9+ x8,18);
+    x12 ^= rotate(x15+x14, 7);
+    x13 ^= rotate(x12+x15, 9);
+    x14 ^= rotate(x13+x12,13);
+    x15 ^= rotate(x14+x13,18);
+  }
+
+  x0 += j0;
+  x1 += j1;
+  x2 += j2;
+  x3 += j3;
+  x4 += j4;
+  x5 += j5;
+  x6 += j6;
+  x7 += j7;
+  x8 += j8;
+  x9 += j9;
+  x10 += j10;
+  x11 += j11;
+  x12 += j12;
+  x13 += j13;
+  x14 += j14;
+  x15 += j15;
+
+  store_littleendian(out + 0,x0);
+  store_littleendian(out + 4,x1);
+  store_littleendian(out + 8,x2);
+  store_littleendian(out + 12,x3);
+  store_littleendian(out + 16,x4);
+  store_littleendian(out + 20,x5);
+  store_littleendian(out + 24,x6);
+  store_littleendian(out + 28,x7);
+  store_littleendian(out + 32,x8);
+  store_littleendian(out + 36,x9);
+  store_littleendian(out + 40,x10);
+  store_littleendian(out + 44,x11);
+  store_littleendian(out + 48,x12);
+  store_littleendian(out + 52,x13);
+  store_littleendian(out + 56,x14);
+  store_littleendian(out + 60,x15);
+
+  return 0;
+}
diff --git a/nacl/crypto_core/salsa2012/ref/implementors b/nacl/crypto_core/salsa2012/ref/implementors
new file mode 100644
index 00000000..f6fb3c73
--- /dev/null
+++ b/nacl/crypto_core/salsa2012/ref/implementors
@@ -0,0 +1 @@
+Daniel J. Bernstein
diff --git a/nacl/crypto_core/salsa2012/used b/nacl/crypto_core/salsa2012/used
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/nacl/crypto_core/salsa2012/used
diff --git a/nacl/crypto_core/salsa208/checksum b/nacl/crypto_core/salsa208/checksum
new file mode 100644
index 00000000..a16cb52f
--- /dev/null
+++ b/nacl/crypto_core/salsa208/checksum
@@ -0,0 +1 @@
+1e13ea9e74cb36989f7cbf4abc80b29154e1a8b150bd5244951318abea002a93ae9fe2abbcf7217526ac2a85b66c256ba9374b1257eda0c01816da328edfa11a
diff --git a/nacl/crypto_core/salsa208/ref/api.h b/nacl/crypto_core/salsa208/ref/api.h
new file mode 100644
index 00000000..2a387b6d
--- /dev/null
+++ b/nacl/crypto_core/salsa208/ref/api.h
@@ -0,0 +1,4 @@
+#define CRYPTO_OUTPUTBYTES 64
+#define CRYPTO_INPUTBYTES 16
+#define CRYPTO_KEYBYTES 32
+#define CRYPTO_CONSTBYTES 16
diff --git a/nacl/crypto_core/salsa208/ref/core.c b/nacl/crypto_core/salsa208/ref/core.c
new file mode 100644
index 00000000..921e7a86
--- /dev/null
+++ b/nacl/crypto_core/salsa208/ref/core.c
@@ -0,0 +1,134 @@
+/*
+version 20080913
+D. J. Bernstein
+Public domain.
+*/
+
+#include "crypto_core.h"
+
+#define ROUNDS 8
+
+typedef unsigned int uint32;
+
+static uint32 rotate(uint32 u,int c)
+{
+  return (u << c) | (u >> (32 - c));
+}
+
+static uint32 load_littleendian(const unsigned char *x)
+{
+  return
+      (uint32) (x[0]) \
+  | (((uint32) (x[1])) << 8) \
+  | (((uint32) (x[2])) << 16) \
+  | (((uint32) (x[3])) << 24)
+  ;
+}
+
+static void store_littleendian(unsigned char *x,uint32 u)
+{
+  x[0] = u; u >>= 8;
+  x[1] = u; u >>= 8;
+  x[2] = u; u >>= 8;
+  x[3] = u;
+}
+
+int crypto_core(
+        unsigned char *out,
+  const unsigned char *in,
+  const unsigned char *k,
+  const unsigned char *c
+)
+{
+  uint32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15;
+  uint32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15;
+  int i;
+
+  j0 = x0 = load_littleendian(c + 0);
+  j1 = x1 = load_littleendian(k + 0);
+  j2 = x2 = load_littleendian(k + 4);
+  j3 = x3 = load_littleendian(k + 8);
+  j4 = x4 = load_littleendian(k + 12);
+  j5 = x5 = load_littleendian(c + 4);
+  j6 = x6 = load_littleendian(in + 0);
+  j7 = x7 = load_littleendian(in + 4);
+  j8 = x8 = load_littleendian(in + 8);
+  j9 = x9 = load_littleendian(in + 12);
+  j10 = x10 = load_littleendian(c + 8);
+  j11 = x11 = load_littleendian(k + 16);
+  j12 = x12 = load_littleendian(k + 20);
+  j13 = x13 = load_littleendian(k + 24);
+  j14 = x14 = load_littleendian(k + 28);
+  j15 = x15 = load_littleendian(c + 12);
+
+  for (i = ROUNDS;i > 0;i -= 2) {
+     x4 ^= rotate( x0+x12, 7);
+     x8 ^= rotate( x4+ x0, 9);
+    x12 ^= rotate( x8+ x4,13);
+     x0 ^= rotate(x12+ x8,18);
+     x9 ^= rotate( x5+ x1, 7);
+    x13 ^= rotate( x9+ x5, 9);
+     x1 ^= rotate(x13+ x9,13);
+     x5 ^= rotate( x1+x13,18);
+    x14 ^= rotate(x10+ x6, 7);
+     x2 ^= rotate(x14+x10, 9);
+     x6 ^= rotate( x2+x14,13);
+    x10 ^= rotate( x6+ x2,18);
+     x3 ^= rotate(x15+x11, 7);
+     x7 ^= rotate( x3+x15, 9);
+    x11 ^= rotate( x7+ x3,13);
+    x15 ^= rotate(x11+ x7,18);
+     x1 ^= rotate( x0+ x3, 7);
+     x2 ^= rotate( x1+ x0, 9);
+     x3 ^= rotate( x2+ x1,13);
+     x0 ^= rotate( x3+ x2,18);
+     x6 ^= rotate( x5+ x4, 7);
+     x7 ^= rotate( x6+ x5, 9);
+     x4 ^= rotate( x7+ x6,13);
+     x5 ^= rotate( x4+ x7,18);
+    x11 ^= rotate(x10+ x9, 7);
+     x8 ^= rotate(x11+x10, 9);
+     x9 ^= rotate( x8+x11,13);
+    x10 ^= rotate( x9+ x8,18);
+    x12 ^= rotate(x15+x14, 7);
+    x13 ^= rotate(x12+x15, 9);
+    x14 ^= rotate(x13+x12,13);
+    x15 ^= rotate(x14+x13,18);
+  }
+
+  x0 += j0;
+  x1 += j1;
+  x2 += j2;
+  x3 += j3;
+  x4 += j4;
+  x5 += j5;
+  x6 += j6;
+  x7 += j7;
+  x8 += j8;
+  x9 += j9;
+  x10 += j10;
+  x11 += j11;
+  x12 += j12;
+  x13 += j13;
+  x14 += j14;
+  x15 += j15;
+
+  store_littleendian(out + 0,x0);
+  store_littleendian(out + 4,x1);
+  store_littleendian(out + 8,x2);
+  store_littleendian(out + 12,x3);
+  store_littleendian(out + 16,x4);
+  store_littleendian(out + 20,x5);
+  store_littleendian(out + 24,x6);
+  store_littleendian(out + 28,x7);
+  store_littleendian(out + 32,x8);
+  store_littleendian(out + 36,x9);
+  store_littleendian(out + 40,x10);
+  store_littleendian(out + 44,x11);
+  store_littleendian(out + 48,x12);
+  store_littleendian(out + 52,x13);
+  store_littleendian(out + 56,x14);
+  store_littleendian(out + 60,x15);
+
+  return 0;
+}
diff --git a/nacl/crypto_core/salsa208/ref/implementors b/nacl/crypto_core/salsa208/ref/implementors
new file mode 100644
index 00000000..f6fb3c73
--- /dev/null
+++ b/nacl/crypto_core/salsa208/ref/implementors
@@ -0,0 +1 @@
+Daniel J. Bernstein
diff --git a/nacl/crypto_core/salsa208/used b/nacl/crypto_core/salsa208/used
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/nacl/crypto_core/salsa208/used
diff --git a/nacl/crypto_core/try.c b/nacl/crypto_core/try.c
new file mode 100644
index 00000000..7eb1c677
--- /dev/null
+++ b/nacl/crypto_core/try.c
@@ -0,0 +1,116 @@
+/*
+ * crypto_core/try.c version 20090118
+ * D. J. Bernstein
+ * Public domain.
+ */
+
+#include <stdlib.h>
+#include "crypto_core.h"
+
+extern unsigned char *alignedcalloc(unsigned long long);
+
+const char *primitiveimplementation = crypto_core_IMPLEMENTATION;
+
+static unsigned char *h;
+static unsigned char *n;
+static unsigned char *k;
+static unsigned char *c;
+static unsigned char *h2;
+static unsigned char *n2;
+static unsigned char *k2;
+static unsigned char *c2;
+
+#define hlen crypto_core_OUTPUTBYTES
+#define nlen crypto_core_INPUTBYTES
+#define klen crypto_core_KEYBYTES
+#define clen crypto_core_CONSTBYTES
+
+void preallocate(void)
+{
+}
+
+void allocate(void)
+{
+  h = alignedcalloc(hlen);
+  n = alignedcalloc(nlen);
+  k = alignedcalloc(klen);
+  c = alignedcalloc(clen);
+  h2 = alignedcalloc(hlen);
+  n2 = alignedcalloc(nlen + crypto_core_OUTPUTBYTES);
+  k2 = alignedcalloc(klen + crypto_core_OUTPUTBYTES);
+  c2 = alignedcalloc(clen + crypto_core_OUTPUTBYTES);
+}
+
+void predoit(void)
+{
+}
+
+void doit(void)
+{
+  crypto_core(h,n,k,c);
+}
+
+static unsigned char newbyte(void)
+{
+  unsigned long long x;
+  long long j;
+  x = 8675309;
+  for (j = 0;j < hlen;++j) { x += h[j]; x *= x; x += (x >> 31); }
+  for (j = 0;j < nlen;++j) { x += n[j]; x *= x; x += (x >> 31); }
+  for (j = 0;j < klen;++j) { x += k[j]; x *= x; x += (x >> 31); }
+  for (j = 0;j < clen;++j) { x += c[j]; x *= x; x += (x >> 31); }
+  for (j = 0;j < 100;++j)  { x +=   j ; x *= x; x += (x >> 31); }
+  return x;
+}
+
+char checksum[hlen * 2 + 1];
+
+const char *checksum_compute(void)
+{
+  long long i;
+  long long j;
+
+  for (i = 0;i < 100;++i) {
+    for (j = -16;j < 0;++j) h[j] = random();
+    for (j = hlen;j < hlen + 16;++j) h[j] = random();
+    for (j = -16;j < hlen + 16;++j) h2[j] = h[j];
+    for (j = -16;j < 0;++j) n[j] = random();
+    for (j = nlen;j < nlen + 16;++j) n[j] = random();
+    for (j = -16;j < nlen + 16;++j) n2[j] = n[j];
+    for (j = -16;j < 0;++j) k[j] = random();
+    for (j = klen;j < klen + 16;++j) k[j] = random();
+    for (j = -16;j < klen + 16;++j) k2[j] = k[j];
+    for (j = -16;j < 0;++j) c[j] = random();
+    for (j = clen;j < clen + 16;++j) c[j] = random();
+    for (j = -16;j < clen + 16;++j) c2[j] = c[j];
+    if (crypto_core(h,n,k,c) != 0) return "crypto_core returns nonzero";
+    for (j = -16;j < 0;++j) if (h2[j] != h[j]) return "crypto_core writes before output";
+    for (j = hlen;j < hlen + 16;++j) if (h2[j] != h[j]) return "crypto_core writes after output";
+    for (j = -16;j < klen + 16;++j) if (k2[j] != k[j]) return "crypto_core writes to k";
+    for (j = -16;j < nlen + 16;++j) if (n2[j] != n[j]) return "crypto_core writes to n";
+    for (j = -16;j < clen + 16;++j) if (c2[j] != c[j]) return "crypto_core writes to c";
+
+    if (crypto_core(n2,n2,k,c) != 0) return "crypto_core returns nonzero";
+    for (j = 0;j < hlen;++j) if (h[j] != n2[j]) return "crypto_core does not handle n overlap";
+    for (j = 0;j < hlen;++j) n2[j] = n[j];
+    if (crypto_core(k2,n2,k2,c) != 0) return "crypto_core returns nonzero";
+    for (j = 0;j < hlen;++j) if (h[j] != k2[j]) return "crypto_core does not handle k overlap";
+    for (j = 0;j < hlen;++j) k2[j] = k[j];
+    if (crypto_core(c2,n2,k2,c2) != 0) return "crypto_core returns nonzero";
+    for (j = 0;j < hlen;++j) if (h[j] != c2[j]) return "crypto_core does not handle c overlap";
+    for (j = 0;j < hlen;++j) c2[j] = c[j];
+
+    for (j = 0;j < nlen;++j) n[j] = newbyte();
+    if (crypto_core(h,n,k,c) != 0) return "crypto_core returns nonzero";
+    for (j = 0;j < klen;++j) k[j] = newbyte();
+    if (crypto_core(h,n,k,c) != 0) return "crypto_core returns nonzero";
+    for (j = 0;j < clen;++j) c[j] = newbyte();
+  }
+
+  for (i = 0;i < hlen;++i) {
+    checksum[2 * i] = "0123456789abcdef"[15 & (h[i] >> 4)];
+    checksum[2 * i + 1] = "0123456789abcdef"[15 & h[i]];
+  }
+  checksum[2 * i] = 0;
+  return 0;
+}
diff --git a/nacl/crypto_core/wrapper-empty.cpp b/nacl/crypto_core/wrapper-empty.cpp
new file mode 100644
index 00000000..e69de29b
--- /dev/null
+++ b/nacl/crypto_core/wrapper-empty.cpp