mirror of https://github.com/OpenTTD/OpenTTD.git
Add: monocypher 4.0.2
Monocypher will take care of all our encryption needs; as most OSes and vcpkg doesn't have it available, we vendor it.
This commit is contained in:
parent
6b21368bc2
commit
63a3d56b8a
|
@ -197,6 +197,9 @@ See `src/3rdparty/catch2/LICENSE.txt` for the complete license text.
|
|||
The icu scriptrun implementation in `src/3rdparty/icu` is licensed under the Unicode license.
|
||||
See `src/3rdparty/icu/LICENSE` for the complete license text.
|
||||
|
||||
The monocypher implementation in `src/3rdparty/monocypher` is licensed under the 2-clause BSD and CC-0 license.
|
||||
See src/3rdparty/monocypher/LICENSE.md` for the complete license text.
|
||||
|
||||
## 4.0 Credits
|
||||
|
||||
See [CREDITS.md](./CREDITS.md)
|
||||
|
|
|
@ -2,6 +2,7 @@ add_subdirectory(catch2)
|
|||
add_subdirectory(fmt)
|
||||
add_subdirectory(icu)
|
||||
add_subdirectory(md5)
|
||||
add_subdirectory(monocypher)
|
||||
add_subdirectory(squirrel)
|
||||
add_subdirectory(nlohmann)
|
||||
add_subdirectory(opengl)
|
||||
|
|
|
@ -0,0 +1,63 @@
|
|||
Designers
|
||||
---------
|
||||
|
||||
- **ChaCha20:** Daniel J. Bernstein.
|
||||
- **Poly1305:** Daniel J. Bernstein.
|
||||
- **BLAKE2:** Jean-Philippe Aumasson, Christian Winnerlein, Samuel Neves,
|
||||
and Zooko Wilcox-O'Hearn.
|
||||
- **Argon2:** Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich.
|
||||
- **X25519:** Daniel J. Bernstein.
|
||||
- **EdDSA:** Daniel J. Bernstein, Bo-Yin Yang, Niels Duif, Peter
|
||||
Schwabe, and Tanja Lange.
|
||||
|
||||
Implementors
|
||||
------------
|
||||
|
||||
- **ChaCha20:** Loup Vaillant, implemented from spec.
|
||||
- **Poly1305:** Loup Vaillant, implemented from spec.
|
||||
- **BLAKE2b:** Loup Vaillant, implemented from spec.
|
||||
- **Argon2i:** Loup Vaillant, implemented from spec.
|
||||
- **X25519:** Daniel J. Bernstein, taken and packaged from SUPERCOP
|
||||
ref10.
|
||||
- **EdDSA:** Loup Vaillant, with bits and pieces from SUPERCOP ref10.
|
||||
|
||||
Test suite
|
||||
----------
|
||||
|
||||
Designed and implemented by Loup Vaillant, using _libsodium_ (by many
|
||||
authors), and _ed25519-donna_ (by Andrew Moon —floodyberry).
|
||||
|
||||
Manual
|
||||
------
|
||||
|
||||
Loup Vaillant, Fabio Scotoni, and Michael Savage.
|
||||
|
||||
- Loup Vaillant did a first draft.
|
||||
- Fabio Scotoni rewrote the manual into proper man pages (and
|
||||
substantially changed it in the process).
|
||||
- Michael Savage did extensive editing and proofreading.
|
||||
|
||||
Thanks
|
||||
------
|
||||
|
||||
Fabio Scotoni provided much needed advice about testing, interface,
|
||||
packaging, and the general direction of the whole project. He also
|
||||
redesigned the monocypher.org style sheets.
|
||||
|
||||
Mike Pechkin and André Maroneze found bugs in earlier versions of
|
||||
Monocypher.
|
||||
|
||||
Andrew Moon clarified carry propagation in modular arithmetic, and
|
||||
provided advice and code that significantly simplified and improved
|
||||
Elligator2 mappings.
|
||||
|
||||
Mike Hamburg explained comb algorithms, including the signed
|
||||
all-bits-set comb described in his 2012 paper, Fast and compact
|
||||
elliptic-curve cryptography. This made EdDSA signatures over twice as
|
||||
fast.
|
||||
|
||||
Samuel Lucas found many typos in both the manual and the website.
|
||||
|
||||
Jens Alfke added some #ifdefs that enabled Monocypher to compile into
|
||||
a C++ namespace, preventing symbol collisions with similarly-named
|
||||
functions in other crypto libraries.
|
|
@ -0,0 +1,295 @@
|
|||
4.0.2
|
||||
-----
|
||||
2023/08/24
|
||||
|
||||
- Fixed multiple-lanes Argon2.
|
||||
- Improved Poly1305 performance.
|
||||
- Improved Argon2 performance.
|
||||
- Makefiles no longer override standard environment variables.
|
||||
|
||||
|
||||
4.0.1
|
||||
-----
|
||||
2023/03/06
|
||||
|
||||
- Fixed Ed25519 secret key size in function prototype.
|
||||
- Fixed soname (should have been changed in 4.0.0)
|
||||
- Added convenience sub-targets to makefile.
|
||||
- Briefly specified wire format of Elligator and incremental AEAD.
|
||||
|
||||
|
||||
4.0.0
|
||||
-----
|
||||
2023/02/20
|
||||
|
||||
- Fixed unsafe signature API.
|
||||
- Simpler, more flexible low-level signature API.
|
||||
- Fully specified, consensus-friendly signatures.
|
||||
- Added Argon2d and Argon2id, support multiple lanes.
|
||||
- Added safe and fast streaming AEAD.
|
||||
- Added HKDF-SHA-512 and documented BLAKE2b KDF.
|
||||
- More consistent and memorable function names.
|
||||
- POSIX makefile.
|
||||
|
||||
|
||||
3.1.3
|
||||
-----
|
||||
2022/04/25
|
||||
|
||||
- Fixed many typos in the documentation.
|
||||
- Fixed buffer overflow in speed benchmarks.
|
||||
- Fixed some MSVC warnings.
|
||||
- Fixed a minor violation of the Elligator2 reverse map specs.
|
||||
- Added `change-prefix.sh` to help changing the `crypto_` prefix.
|
||||
- Added the `MONOCYPHER_CPP_NAMESPACE` preprocessor definition to
|
||||
support namespaces for C++.
|
||||
- Deprecated `crypto_key_exchange()`
|
||||
- Use GitHub actions to automate the regular test suite.
|
||||
|
||||
|
||||
3.1.2
|
||||
-----
|
||||
2020/12/27
|
||||
|
||||
- Addressed issues from Cure53's audit:
|
||||
- MON-01-001: Clarified which CSPRNG to use on Darwin.
|
||||
- MON-01-002: Won't fix (nonce handling is a core design decision).
|
||||
- MON-01-004: Compared with Kleshni's implementation.
|
||||
- MON-01-005: Split a dedicated "advanced" folder in the manual.
|
||||
- Quality assurance for 2^255-19 arithmetic (elliptic curves):
|
||||
- Documented carry propagation.
|
||||
- Enforced slightly safer invariants.
|
||||
- Improved the speed of EdDSA signature generation.
|
||||
- Made the vectors.h header more compact and easier to modify.
|
||||
- TIS-CI integration.
|
||||
- Added speed benchmark for ed25519-donna.
|
||||
- Documented lengths limits of `crypto_ietf_chacha20()`
|
||||
|
||||
|
||||
3.1.1
|
||||
-----
|
||||
2020/06/15
|
||||
|
||||
- Various documentation fixes.
|
||||
- Fixed various compiler warnings.
|
||||
- Fixed some integer overflows (16-bit platforms only).
|
||||
|
||||
|
||||
3.1.0
|
||||
-----
|
||||
2020/04/03
|
||||
|
||||
- Added Elligator 2 mappings (hash to curve, curve to hash).
|
||||
- Added OPRF support (with scalar inversion).
|
||||
- Added Edwards25519 -> Curve25519 conversions.
|
||||
|
||||
|
||||
3.0.0
|
||||
-----
|
||||
2020/01/19
|
||||
|
||||
- Deprecated the incremental AEAD interface.
|
||||
- Deprecated the incremental Chacha20, added a direct interface.
|
||||
- Added IETF Chacha20 (96-bit nonce), as described in RFC 8439.
|
||||
- Moved deprecated interfaces to a separate `src/deprecated` folder.
|
||||
- Removed the `ED25519_SHA512` preprocessor flag.
|
||||
- `crypto_x25519()` and `crypto_key_exchange()` now return `void`.
|
||||
- Added a custom hash interface to EdDSA. Several instances of EdDSA
|
||||
can share the same binary.
|
||||
- Added optional support for HMAC SHA-512.
|
||||
- Moved SHA-512 operations to `src/optional/monocypher-ed25519.(h|c)`.
|
||||
- Optional support for Ed25519 no longer requires a preprocessor flag.
|
||||
Add `src/optional/monocypher-ed25519.(h|c)` to your project instead.
|
||||
|
||||
|
||||
2.0.6
|
||||
-----
|
||||
2019/10/21
|
||||
|
||||
- Added the `BLAKE2_NO_UNROLLING` preprocessor definition. Activating
|
||||
it makes the binary about 5KB smaller and speeds up processing times
|
||||
on many embedded processors.
|
||||
- Reduced the stack usage of signature verification by about
|
||||
40%. Signature verification now fits in smaller machines.
|
||||
- Fixed many implicit casts warnings.
|
||||
- Fixed the manual here and there.
|
||||
- Lots of small nitpicks.
|
||||
|
||||
|
||||
2.0.5
|
||||
-----
|
||||
2018/08/23
|
||||
|
||||
- Faster EdDSA signatures and verification. Like, 4 times as fast.
|
||||
|
||||
|
||||
2.0.4
|
||||
-----
|
||||
2018/06/24
|
||||
|
||||
- Corrected a critical vulnerability found by Mike Pechkin in EdDSA,
|
||||
where crypto_check() was accepting invalid signatures. The current
|
||||
fix removes a buggy optimisation, effectively halving the performance
|
||||
of EdDSA.
|
||||
- The test suite no longer tries to allocate zero bytes (some platforms
|
||||
fail such an allocation).
|
||||
|
||||
2.0.3
|
||||
-----
|
||||
2018/06/16
|
||||
|
||||
- Corrected undefined behaviour in BLAKE2b.
|
||||
- Improved the test suite (faster, better coverage).
|
||||
|
||||
2.0.2
|
||||
-----
|
||||
2018/04/23
|
||||
|
||||
- Corrected a couple failures to wipe secret buffers.
|
||||
- Corrected a bug that prevented compilation in Ed25519 mode.
|
||||
- Adjusted the number of test vectors in the test suite.
|
||||
- Improved tests for incremental interfaces.
|
||||
- Replaced the GNU all permissive licence by a public domain dedication
|
||||
(Creative Commons CC-0). The BSD licence remains as a fallback.
|
||||
|
||||
2.0.1
|
||||
-----
|
||||
2018/03/07
|
||||
|
||||
- Followed a systematic pattern for the loading code of symmetric
|
||||
crypto. It is now easier to review.
|
||||
- Tweaked Poly1305 code to make it easier to prove correct.
|
||||
|
||||
2.0.0
|
||||
-----
|
||||
2018/02/14
|
||||
|
||||
- Changed the authenticated encryption format. It now conforms to
|
||||
RFC 7539, with one exception: it uses XChacha20 initialisation instead
|
||||
of the IETF version of Chacha20. This new format conforms to
|
||||
libsodium's `crypto_aead_xchacha20poly1305_ietf_encrypt`.
|
||||
- Removed `crypto_lock_encrypt()` and `crypto_lock_auth()`.
|
||||
- Renamed `crypto_lock_aead_auth()` to `crypto_lock_auth_ad()`.
|
||||
- Renamed `crypto_unlock_aead_auth()` to `crypto_unlock_auth_ad()`.
|
||||
- Added `crypto_lock_auth_message()` and `crypto_unlock_auth_message()`.
|
||||
- Renamed `crypto_aead_lock` to `crypto_lock_aead`.
|
||||
- Renamed `crypto_aead_unlock` to `crypto_unlock_aead`.
|
||||
|
||||
The format change facilitates optimisation by aligning data to block
|
||||
boundaries. The API changes increase consistency.
|
||||
|
||||
1.1.0
|
||||
-----
|
||||
2018/02/06
|
||||
|
||||
- Rewrote the manual into proper man pages.
|
||||
- Added incremental interfaces for authenticated encryption and
|
||||
signatures.
|
||||
- Replaced `crypto_memcmp()` by 3 fixed size buffer comparisons (16, 32,
|
||||
and 64 bytes), to make sure the generated code remains constant time.
|
||||
- A couple breaking API changes, easily fixed by renaming the affected
|
||||
functions.
|
||||
|
||||
1.0.1
|
||||
-----
|
||||
2017/07/23
|
||||
|
||||
- Optimised the loading and unloading code of the symmetric crypto
|
||||
(BLAKE2b, SHA-512, Chacha20, and Poly1305).
|
||||
- Fused self-contained tests together for easier analysis with Frama-C
|
||||
and the TIS interpreter.
|
||||
|
||||
1.0
|
||||
---
|
||||
2017/07/18
|
||||
|
||||
- Renamed `crypto_chacha20_Xinit` to `crypto_chacha20_x_init`, for
|
||||
consistency reasons (snake case everywhere).
|
||||
- Fixed signed integer overflow detected by UBSan.
|
||||
- Doubled the speed of EdDSA by performing the scalar product in
|
||||
Montgomery space.
|
||||
|
||||
0.8
|
||||
---
|
||||
2017/07/06
|
||||
|
||||
- Added about a hundred lines of code to improve performance of public
|
||||
key cryptography. Diffie-Hellman is now 20% faster than before.
|
||||
The effects are less pronounced for EdDSA.
|
||||
- Added random self-consistency tests.
|
||||
- Added a speed benchmark against libsodium.
|
||||
|
||||
0.7
|
||||
---
|
||||
2017/06/07
|
||||
|
||||
- Slightly changed the authenticated encryption API. Functions are
|
||||
now all in "detached" mode. The reason is better support for
|
||||
authenticated encryption _without_ additional data.
|
||||
- Rewrote BLAKE2b from spec so it can use the same licence as
|
||||
everything else.
|
||||
- Added random tests that compare Monocypher with libsodium and
|
||||
ed25519-donna.
|
||||
- Added explicit support for Frama-C analysis (this doesn't affect the
|
||||
source code).
|
||||
|
||||
0.6
|
||||
---
|
||||
2017/03/17
|
||||
|
||||
- Fixed incorrect Poly1305 output on empty messages. (Found by Mike
|
||||
Pechkin.)
|
||||
|
||||
0.5
|
||||
---
|
||||
2017/03/10
|
||||
|
||||
- Fixed many undefined behaviours in Curve25519 that occur whenever
|
||||
we perform a left shift on a signed negative integer. It doesn't
|
||||
affect the generated code, but you never know. (Found with Frama-C
|
||||
by André Maroneze.)
|
||||
|
||||
Fun fact: TweetNaCl and ref10 have the same bug. Libsodium has
|
||||
corrected the issue, though.
|
||||
|
||||
For those who don't comprehend the magnitude of this madness, the
|
||||
expression `-1 << 3` is undefined in C. This is explained in
|
||||
section 6.5.7(§4) of the C11 standard.
|
||||
|
||||
0.4
|
||||
---
|
||||
2017/03/09
|
||||
|
||||
- Fixed critical bug causing Argon2i to fail whenever it uses more
|
||||
than 512 blocks. It was reading uninitialised memory and the
|
||||
results were incorrect. (Found by Mike Pechkin.)
|
||||
- Fixed an undefined behaviour in Curve25519 (`fe_tobytes()`). It was
|
||||
accessing uninitialised memory before throwing it away. It didn't
|
||||
affect the compiled code nor the results, but you never know.
|
||||
(Found with [Frama-C](http://frama-c.com) by André Maroneze.)
|
||||
|
||||
0.3
|
||||
---
|
||||
2017/02/27
|
||||
|
||||
- Got the invariants of Poly1305 right and put them in the comments.
|
||||
There was no bug, but that was lucky (turned out the IETF test
|
||||
vectors were designed to trigger the bugs I was afraid of).
|
||||
- Simplified Poly1305 finalisation (replaced conditional subtraction
|
||||
by a carry propagation).
|
||||
- Made a few cosmetic changes here and there.
|
||||
|
||||
0.2
|
||||
---
|
||||
????/??/??
|
||||
|
||||
- Public interface significantly reworked. Removed redundant, hard to
|
||||
mess up constructions.
|
||||
- Added AEAD.
|
||||
- Sped up Curve25519 by a factor of more than 6 (switched to ref10
|
||||
arithmetic).
|
||||
- Added various test vectors and completed the consistency tests.
|
||||
|
||||
0.1
|
||||
---
|
||||
2016/??/??
|
|
@ -0,0 +1,6 @@
|
|||
add_files(
|
||||
monocypher-ed25519.cpp
|
||||
monocypher-ed25519.h
|
||||
monocypher.cpp
|
||||
monocypher.h
|
||||
)
|
|
@ -0,0 +1,167 @@
|
|||
Monocypher as a whole is dual-licensed. Choose whichever licence you
|
||||
want from the two licences listed below.
|
||||
|
||||
The first licence is a regular 2-clause BSD licence. The second licence
|
||||
is the CC-0 from Creative Commons. It is intended to release Monocypher
|
||||
to the public domain. The BSD licence serves as a fallback option.
|
||||
|
||||
See the individual files for specific information about who contributed
|
||||
to what file during which years. See below for special notes.
|
||||
|
||||
Licence 1 (2-clause BSD)
|
||||
------------------------
|
||||
|
||||
Copyright (c) 2017-2023, Loup Vaillant
|
||||
Copyright (c) 2017-2019, Michael Savage
|
||||
Copyright (c) 2017-2023, Fabio Scotoni
|
||||
All rights reserved.
|
||||
|
||||
Redistribution and use in source and binary forms, with or without
|
||||
modification, are permitted provided that the following conditions are
|
||||
met:
|
||||
|
||||
1. Redistributions of source code must retain the above copyright
|
||||
notice, this list of conditions and the following disclaimer.
|
||||
|
||||
2. Redistributions in binary form must reproduce the above copyright
|
||||
notice, this list of conditions and the following disclaimer in the
|
||||
documentation and/or other materials provided with the
|
||||
distribution.
|
||||
|
||||
THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
"AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
|
||||
|
||||
Licence 2 (CC-0)
|
||||
----------------
|
||||
|
||||
> CREATIVE COMMONS CORPORATION IS NOT A LAW FIRM AND DOES NOT PROVIDE
|
||||
> LEGAL SERVICES. DISTRIBUTION OF THIS DOCUMENT DOES NOT CREATE AN
|
||||
> ATTORNEY-CLIENT RELATIONSHIP. CREATIVE COMMONS PROVIDES THIS
|
||||
> INFORMATION ON AN "AS-IS" BASIS. CREATIVE COMMONS MAKES NO WARRANTIES
|
||||
> REGARDING THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS
|
||||
> PROVIDED HEREUNDER, AND DISCLAIMS LIABILITY FOR DAMAGES RESULTING FROM
|
||||
> THE USE OF THIS DOCUMENT OR THE INFORMATION OR WORKS PROVIDED
|
||||
> HEREUNDER.
|
||||
|
||||
### Statement of Purpose
|
||||
|
||||
The laws of most jurisdictions throughout the world automatically confer
|
||||
exclusive Copyright and Related Rights (defined below) upon the creator
|
||||
and subsequent owner(s) (each and all, an "owner") of an original work
|
||||
of authorship and/or a database (each, a "Work").
|
||||
|
||||
Certain owners wish to permanently relinquish those rights to a Work for
|
||||
the purpose of contributing to a commons of creative, cultural and
|
||||
scientific works ("Commons") that the public can reliably and without
|
||||
fear of later claims of infringement build upon, modify, incorporate in
|
||||
other works, reuse and redistribute as freely as possible in any form
|
||||
whatsoever and for any purposes, including without limitation commercial
|
||||
purposes. These owners may contribute to the Commons to promote the
|
||||
ideal of a free culture and the further production of creative, cultural
|
||||
and scientific works, or to gain reputation or greater distribution for
|
||||
their Work in part through the use and efforts of others.
|
||||
|
||||
For these and/or other purposes and motivations, and without any
|
||||
expectation of additional consideration or compensation, the person
|
||||
associating CC0 with a Work (the "Affirmer"), to the extent that he or
|
||||
she is an owner of Copyright and Related Rights in the Work, voluntarily
|
||||
elects to apply CC0 to the Work and publicly distribute the Work under
|
||||
its terms, with knowledge of his or her Copyright and Related Rights in
|
||||
the Work and the meaning and intended legal effect of CC0 on those
|
||||
rights.
|
||||
|
||||
1. **Copyright and Related Rights.** A Work made available under CC0 may
|
||||
be protected by copyright and related or neighboring rights
|
||||
("Copyright and Related Rights"). Copyright and Related Rights
|
||||
include, but are not limited to, the following:
|
||||
|
||||
- the right to reproduce, adapt, distribute, perform, display,
|
||||
communicate, and translate a Work;
|
||||
- moral rights retained by the original author(s) and/or
|
||||
performer(s); publicity and privacy rights pertaining to a person's
|
||||
image or likeness depicted in a Work;
|
||||
- rights protecting against unfair competition in regards to a Work,
|
||||
subject to the limitations in paragraph 4(a), below;
|
||||
- rights protecting the extraction, dissemination, use and reuse of
|
||||
data in a Work;
|
||||
- database rights (such as those arising under Directive 96/9/EC of
|
||||
the European Parliament and of the Council of 11 March 1996 on the
|
||||
legal protection of databases, and under any national
|
||||
implementation thereof, including any amended or successor version
|
||||
of such directive); and
|
||||
- other similar, equivalent or corresponding rights throughout the
|
||||
world based on applicable law or treaty, and any national
|
||||
implementations thereof.
|
||||
|
||||
2. **Waiver.** To the greatest extent permitted by, but not in
|
||||
contravention of, applicable law, Affirmer hereby overtly, fully,
|
||||
permanently, irrevocably and unconditionally waives, abandons, and
|
||||
surrenders all of Affirmer's Copyright and Related Rights and
|
||||
associated claims and causes of action, whether now known or unknown
|
||||
(including existing as well as future claims and causes of action),
|
||||
in the Work (i) in all territories worldwide, (ii) for the maximum
|
||||
duration provided by applicable law or treaty (including future time
|
||||
extensions), (iii) in any current or future medium and for any number
|
||||
of copies, and (iv) for any purpose whatsoever, including without
|
||||
limitation commercial, advertising or promotional purposes (the
|
||||
"Waiver"). Affirmer makes the Waiver for the benefit of each member
|
||||
of the public at large and to the detriment of Affirmer's heirs and
|
||||
successors, fully intending that such Waiver shall not be subject to
|
||||
revocation, rescission, cancellation, termination, or any other legal
|
||||
or equitable action to disrupt the quiet enjoyment of the Work by the
|
||||
public as contemplated by Affirmer's express Statement of Purpose.
|
||||
|
||||
3. **Public License Fallback.** Should any part of the Waiver for any
|
||||
reason be judged legally invalid or ineffective under applicable law,
|
||||
then the Waiver shall be preserved to the maximum extent permitted
|
||||
taking into account Affirmer's express Statement of Purpose. In
|
||||
addition, to the extent the Waiver is so judged Affirmer hereby
|
||||
grants to each affected person a royalty-free, non transferable, non
|
||||
sublicensable, non exclusive, irrevocable and unconditional license
|
||||
to exercise Affirmer's Copyright and Related Rights in the Work (i)
|
||||
in all territories worldwide, (ii) for the maximum duration provided
|
||||
by applicable law or treaty (including future time extensions), (iii)
|
||||
in any current or future medium and for any number of copies, and
|
||||
(iv) for any purpose whatsoever, including without limitation
|
||||
commercial, advertising or promotional purposes (the "License"). The
|
||||
License shall be deemed effective as of the date CC0 was applied by
|
||||
Affirmer to the Work. Should any part of the License for any reason
|
||||
be judged legally invalid or ineffective under applicable law, such
|
||||
partial invalidity or ineffectiveness shall not invalidate the
|
||||
remainder of the License, and in such case Affirmer hereby affirms
|
||||
that he or she will not (i) exercise any of his or her remaining
|
||||
Copyright and Related Rights in the Work or (ii) assert any
|
||||
associated claims and causes of action with respect to the Work, in
|
||||
either case contrary to Affirmer's express Statement of Purpose.
|
||||
|
||||
4. **Limitations and Disclaimers.**
|
||||
|
||||
- No trademark or patent rights held by Affirmer are waived,
|
||||
abandoned, surrendered, licensed or otherwise affected by this
|
||||
document.
|
||||
- Affirmer offers the Work as-is and makes no representations or
|
||||
warranties of any kind concerning the Work, express, implied,
|
||||
statutory or otherwise, including without limitation warranties of
|
||||
title, merchantability, fitness for a particular purpose, non
|
||||
infringement, or the absence of latent or other defects, accuracy,
|
||||
or the present or absence of errors, whether or not discoverable,
|
||||
all to the greatest extent permissible under applicable law.
|
||||
- Affirmer disclaims responsibility for clearing rights of other
|
||||
persons that may apply to the Work or any use thereof, including
|
||||
without limitation any person's Copyright and Related Rights in the
|
||||
Work. Further, Affirmer disclaims responsibility for obtaining any
|
||||
necessary consents, permissions or other rights required for any
|
||||
use of the Work.
|
||||
- Affirmer understands and acknowledges that Creative Commons is not
|
||||
a party to this document and has no duty or obligation with respect
|
||||
to this CC0 or use of the Work.
|
|
@ -0,0 +1,164 @@
|
|||
Monocypher
|
||||
----------
|
||||
|
||||
Monocypher is an easy to use, easy to deploy, auditable crypto library
|
||||
written in portable C. It approaches the size of [TweetNaCl][] and the
|
||||
speed of [libsodium][].
|
||||
|
||||
[Official site.](https://monocypher.org/)
|
||||
[Official releases.](https://monocypher.org/download/)
|
||||
|
||||
[libsodium]: https://libsodium.org
|
||||
[TweetNaCl]: https://tweetnacl.cr.yp.to/
|
||||
|
||||
|
||||
Features
|
||||
--------
|
||||
|
||||
- [Authenticated Encryption][AEAD] with XChaCha20 and Poly1305
|
||||
(RFC 8439).
|
||||
- [Hashing and key derivation][HASH] with BLAKE2b (and [SHA-512][]).
|
||||
- [Password Hashing][PWH] with Argon2.
|
||||
- [Public Key Cryptography][PKC] with X25519 key exchanges.
|
||||
- [Public Key Signatures][EDDSA] with EdDSA and [Ed25519][].
|
||||
- [Steganography and PAKE][STEG] with [Elligator 2][ELLI].
|
||||
|
||||
[AEAD]: https://monocypher.org/manual/aead
|
||||
[HASH]: https://monocypher.org/manual/blake2
|
||||
[SHA-512]: https://monocypher.org/manual/sha-512
|
||||
[PWH]: https://monocypher.org/manual/argon2
|
||||
[PKC]: https://monocypher.org/manual/x25519
|
||||
[EDDSA]: https://monocypher.org/manual/eddsa
|
||||
[Ed25519]: https://monocypher.org/manual/ed25519
|
||||
[STEG]: https://monocypher.org/manual/elligator
|
||||
[ELLI]: https://elligator.org
|
||||
|
||||
|
||||
Manual
|
||||
------
|
||||
|
||||
The manual can be found at https://monocypher.org/manual/, and in the
|
||||
`doc/` folder.
|
||||
|
||||
|
||||
Installation
|
||||
------------
|
||||
|
||||
### Option 1: grab the sources
|
||||
|
||||
The easiest way to use Monocypher is to include `src/monocypher.h` and
|
||||
`src/monocypher.c` directly into your project. They compile as C (since
|
||||
C99) and C++ (since C++98).
|
||||
|
||||
If you need the optional SHA-512 or Ed25519, grab
|
||||
`src/optional/monocypher-ed25519.h` and
|
||||
`src/optional/monocypher-ed25519.c` as well.
|
||||
|
||||
### Option 2: grab the library
|
||||
|
||||
Run `make`, then grab the `src/monocypher.h` header and either the
|
||||
`lib/libmonocypher.a` or `lib/libmonocypher.so` library. The default
|
||||
compiler is `gcc -std=c99`, and the default flags are `-pedantic -Wall
|
||||
-Wextra -O3 -march=native`. If they don't work on your platform, you
|
||||
can change them like this:
|
||||
|
||||
$ make CC="clang -std=c11" CFLAGS="-O2"
|
||||
|
||||
### Option 3: install it on your system
|
||||
|
||||
Run `make`, then `make install` as root. This will install Monocypher in
|
||||
`/usr/local` by default. This can be changed with `PREFIX` and
|
||||
`DESTDIR`:
|
||||
|
||||
$ make install PREFIX="/opt"
|
||||
|
||||
Once installed, you may use `pkg-config` to compile and link your
|
||||
program. For instance:
|
||||
|
||||
$ gcc program.c $(pkg-config monocypher --cflags) -c
|
||||
$ gcc program.o $(pkg-config monocypher --libs) -o program
|
||||
|
||||
If for any reason you wish to avoid installing the man pages or the
|
||||
`pkg-config` file, you can use the following installation sub targets
|
||||
instead: `install-lib`, `install-doc`, and `install-pc`.
|
||||
|
||||
|
||||
Test suite
|
||||
----------
|
||||
|
||||
$ make test
|
||||
|
||||
It should display a nice printout of all the tests, ending with "All
|
||||
tests OK!". If you see "failure" or "Error" anywhere, something has gone
|
||||
wrong.
|
||||
|
||||
*Do not* use Monocypher without running those tests at least once.
|
||||
|
||||
The same test suite can be run under Clang sanitisers and Valgrind, and
|
||||
be checked for code coverage:
|
||||
|
||||
$ tests/test.sh
|
||||
$ tests/coverage.sh
|
||||
|
||||
|
||||
### Serious auditing
|
||||
|
||||
The code may be analysed more formally with [Frama-c][] and the
|
||||
[TIS interpreter][TIS]. To analyse the code with Frama-c, run:
|
||||
|
||||
$ tests/formal-analysis.sh
|
||||
$ tests/frama-c.sh
|
||||
|
||||
This will have Frama-c parse, and analyse the code, then launch a GUI.
|
||||
You must have Frama-c installed. See `frama-c.sh` for the recommended
|
||||
settings. To run the code under the TIS interpreter, run
|
||||
|
||||
$ tests/formal-analysis.sh
|
||||
$ tis-interpreter.sh --cc -Dvolatile= tests/formal-analysis/*.c
|
||||
|
||||
Notes:
|
||||
|
||||
- `tis-interpreter.sh` is part of TIS. If it is not in your path,
|
||||
adjust the command accordingly.
|
||||
|
||||
- The TIS interpreter sometimes fails to evaluate correct programs when
|
||||
they use the `volatile` keyword (which is only used as an attempt to
|
||||
prevent dead store elimination for memory wipes). The `-cc
|
||||
-Dvolatile=` option works around that bug by ignoring `volatile`
|
||||
altogether.
|
||||
|
||||
[Frama-c]:https://frama-c.com/
|
||||
[TIS]: https://trust-in-soft.com/tis-interpreter/
|
||||
|
||||
|
||||
Customisation
|
||||
-------------
|
||||
|
||||
Monocypher has optional compatibility with Ed25519. To have that, add
|
||||
`monocypher-ed25519.h` and `monocypher-ed25519.c` provided in
|
||||
`src/optional` to your project. If you compile or install Monocypher
|
||||
with the makefile, they will be automatically included.
|
||||
|
||||
Monocypher also has the `BLAKE2_NO_UNROLLING` preprocessor flag, which
|
||||
is activated by compiling monocypher.c with the `-DBLAKE2_NO_UNROLLING`
|
||||
option.
|
||||
|
||||
The `-DBLAKE2_NO_UNROLLING` option is a performance tweak. By default,
|
||||
Monocypher unrolls the BLAKE2b inner loop, because doing so is over 25%
|
||||
faster on modern processors. Some embedded processors however, run the
|
||||
unrolled loop _slower_ (possibly because of the cost of fetching 5KB of
|
||||
additional code). If you're using an embedded platform, try this
|
||||
option. The binary will be about 5KB smaller, and in some cases faster.
|
||||
|
||||
The `MONOCYPHER_CPP_NAMESPACE` preprocessor definition allows C++ users
|
||||
who compile Monocypher as C++ to wrap it in a namespace. When it is not
|
||||
defined (the default), we assume Monocypher is compiled as C, and an
|
||||
`extern "C"` declaration is added when we detect that the header is
|
||||
included in C++ code.
|
||||
|
||||
The `change-prefix.sh` script can rename all functions by replacing
|
||||
`crypto_` by a chosen prefix, so you can avoid name clashes. For
|
||||
instance, the following command changes all instances of `crypto_` by
|
||||
`foobar_` (note the absence of the underscore):
|
||||
|
||||
./change-prefix.sh foobar
|
|
@ -0,0 +1,500 @@
|
|||
// Monocypher version 4.0.2
|
||||
//
|
||||
// This file is dual-licensed. Choose whichever licence you want from
|
||||
// the two licences listed below.
|
||||
//
|
||||
// The first licence is a regular 2-clause BSD licence. The second licence
|
||||
// is the CC-0 from Creative Commons. It is intended to release Monocypher
|
||||
// to the public domain. The BSD licence serves as a fallback option.
|
||||
//
|
||||
// SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
|
||||
//
|
||||
// ------------------------------------------------------------------------
|
||||
//
|
||||
// Copyright (c) 2017-2019, Loup Vaillant
|
||||
// All rights reserved.
|
||||
//
|
||||
//
|
||||
// Redistribution and use in source and binary forms, with or without
|
||||
// modification, are permitted provided that the following conditions are
|
||||
// met:
|
||||
//
|
||||
// 1. Redistributions of source code must retain the above copyright
|
||||
// notice, this list of conditions and the following disclaimer.
|
||||
//
|
||||
// 2. Redistributions in binary form must reproduce the above copyright
|
||||
// notice, this list of conditions and the following disclaimer in the
|
||||
// documentation and/or other materials provided with the
|
||||
// distribution.
|
||||
//
|
||||
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
//
|
||||
// ------------------------------------------------------------------------
|
||||
//
|
||||
// Written in 2017-2019 by Loup Vaillant
|
||||
//
|
||||
// To the extent possible under law, the author(s) have dedicated all copyright
|
||||
// and related neighboring rights to this software to the public domain
|
||||
// worldwide. This software is distributed without any warranty.
|
||||
//
|
||||
// You should have received a copy of the CC0 Public Domain Dedication along
|
||||
// with this software. If not, see
|
||||
// <https://creativecommons.org/publicdomain/zero/1.0/>
|
||||
|
||||
#include "monocypher-ed25519.h"
|
||||
|
||||
#ifdef MONOCYPHER_CPP_NAMESPACE
|
||||
namespace MONOCYPHER_CPP_NAMESPACE {
|
||||
#endif
|
||||
|
||||
/////////////////
|
||||
/// Utilities ///
|
||||
/////////////////
|
||||
#define FOR(i, min, max) for (size_t i = min; i < max; i++)
|
||||
#define COPY(dst, src, size) FOR(_i_, 0, size) (dst)[_i_] = (src)[_i_]
|
||||
#define ZERO(buf, size) FOR(_i_, 0, size) (buf)[_i_] = 0
|
||||
#define WIPE_CTX(ctx) crypto_wipe(ctx , sizeof(*(ctx)))
|
||||
#define WIPE_BUFFER(buffer) crypto_wipe(buffer, sizeof(buffer))
|
||||
#define MIN(a, b) ((a) <= (b) ? (a) : (b))
|
||||
typedef uint8_t u8;
|
||||
typedef uint64_t u64;
|
||||
|
||||
// Returns the smallest positive integer y such that
|
||||
// (x + y) % pow_2 == 0
|
||||
// Basically, it's how many bytes we need to add to "align" x.
|
||||
// Only works when pow_2 is a power of 2.
|
||||
// Note: we use ~x+1 instead of -x to avoid compiler warnings
|
||||
static size_t align(size_t x, size_t pow_2)
|
||||
{
|
||||
return (~x + 1) & (pow_2 - 1);
|
||||
}
|
||||
|
||||
static u64 load64_be(const u8 s[8])
|
||||
{
|
||||
return((u64)s[0] << 56)
|
||||
| ((u64)s[1] << 48)
|
||||
| ((u64)s[2] << 40)
|
||||
| ((u64)s[3] << 32)
|
||||
| ((u64)s[4] << 24)
|
||||
| ((u64)s[5] << 16)
|
||||
| ((u64)s[6] << 8)
|
||||
| (u64)s[7];
|
||||
}
|
||||
|
||||
static void store64_be(u8 out[8], u64 in)
|
||||
{
|
||||
out[0] = (in >> 56) & 0xff;
|
||||
out[1] = (in >> 48) & 0xff;
|
||||
out[2] = (in >> 40) & 0xff;
|
||||
out[3] = (in >> 32) & 0xff;
|
||||
out[4] = (in >> 24) & 0xff;
|
||||
out[5] = (in >> 16) & 0xff;
|
||||
out[6] = (in >> 8) & 0xff;
|
||||
out[7] = in & 0xff;
|
||||
}
|
||||
|
||||
static void load64_be_buf (u64 *dst, const u8 *src, size_t size) {
|
||||
FOR(i, 0, size) { dst[i] = load64_be(src + i*8); }
|
||||
}
|
||||
|
||||
///////////////
|
||||
/// SHA 512 ///
|
||||
///////////////
|
||||
static u64 rot(u64 x, int c ) { return (x >> c) | (x << (64 - c)); }
|
||||
static u64 ch (u64 x, u64 y, u64 z) { return (x & y) ^ (~x & z); }
|
||||
static u64 maj(u64 x, u64 y, u64 z) { return (x & y) ^ ( x & z) ^ (y & z); }
|
||||
static u64 big_sigma0(u64 x) { return rot(x, 28) ^ rot(x, 34) ^ rot(x, 39); }
|
||||
static u64 big_sigma1(u64 x) { return rot(x, 14) ^ rot(x, 18) ^ rot(x, 41); }
|
||||
static u64 lit_sigma0(u64 x) { return rot(x, 1) ^ rot(x, 8) ^ (x >> 7); }
|
||||
static u64 lit_sigma1(u64 x) { return rot(x, 19) ^ rot(x, 61) ^ (x >> 6); }
|
||||
|
||||
static const u64 K[80] = {
|
||||
0x428a2f98d728ae22,0x7137449123ef65cd,0xb5c0fbcfec4d3b2f,0xe9b5dba58189dbbc,
|
||||
0x3956c25bf348b538,0x59f111f1b605d019,0x923f82a4af194f9b,0xab1c5ed5da6d8118,
|
||||
0xd807aa98a3030242,0x12835b0145706fbe,0x243185be4ee4b28c,0x550c7dc3d5ffb4e2,
|
||||
0x72be5d74f27b896f,0x80deb1fe3b1696b1,0x9bdc06a725c71235,0xc19bf174cf692694,
|
||||
0xe49b69c19ef14ad2,0xefbe4786384f25e3,0x0fc19dc68b8cd5b5,0x240ca1cc77ac9c65,
|
||||
0x2de92c6f592b0275,0x4a7484aa6ea6e483,0x5cb0a9dcbd41fbd4,0x76f988da831153b5,
|
||||
0x983e5152ee66dfab,0xa831c66d2db43210,0xb00327c898fb213f,0xbf597fc7beef0ee4,
|
||||
0xc6e00bf33da88fc2,0xd5a79147930aa725,0x06ca6351e003826f,0x142929670a0e6e70,
|
||||
0x27b70a8546d22ffc,0x2e1b21385c26c926,0x4d2c6dfc5ac42aed,0x53380d139d95b3df,
|
||||
0x650a73548baf63de,0x766a0abb3c77b2a8,0x81c2c92e47edaee6,0x92722c851482353b,
|
||||
0xa2bfe8a14cf10364,0xa81a664bbc423001,0xc24b8b70d0f89791,0xc76c51a30654be30,
|
||||
0xd192e819d6ef5218,0xd69906245565a910,0xf40e35855771202a,0x106aa07032bbd1b8,
|
||||
0x19a4c116b8d2d0c8,0x1e376c085141ab53,0x2748774cdf8eeb99,0x34b0bcb5e19b48a8,
|
||||
0x391c0cb3c5c95a63,0x4ed8aa4ae3418acb,0x5b9cca4f7763e373,0x682e6ff3d6b2b8a3,
|
||||
0x748f82ee5defb2fc,0x78a5636f43172f60,0x84c87814a1f0ab72,0x8cc702081a6439ec,
|
||||
0x90befffa23631e28,0xa4506cebde82bde9,0xbef9a3f7b2c67915,0xc67178f2e372532b,
|
||||
0xca273eceea26619c,0xd186b8c721c0c207,0xeada7dd6cde0eb1e,0xf57d4f7fee6ed178,
|
||||
0x06f067aa72176fba,0x0a637dc5a2c898a6,0x113f9804bef90dae,0x1b710b35131c471b,
|
||||
0x28db77f523047d84,0x32caab7b40c72493,0x3c9ebe0a15c9bebc,0x431d67c49c100d4c,
|
||||
0x4cc5d4becb3e42b6,0x597f299cfc657e2a,0x5fcb6fab3ad6faec,0x6c44198c4a475817
|
||||
};
|
||||
|
||||
static void sha512_compress(crypto_sha512_ctx *ctx)
|
||||
{
|
||||
u64 a = ctx->hash[0]; u64 b = ctx->hash[1];
|
||||
u64 c = ctx->hash[2]; u64 d = ctx->hash[3];
|
||||
u64 e = ctx->hash[4]; u64 f = ctx->hash[5];
|
||||
u64 g = ctx->hash[6]; u64 h = ctx->hash[7];
|
||||
|
||||
FOR (j, 0, 16) {
|
||||
u64 in = K[j] + ctx->input[j];
|
||||
u64 t1 = big_sigma1(e) + ch (e, f, g) + h + in;
|
||||
u64 t2 = big_sigma0(a) + maj(a, b, c);
|
||||
h = g; g = f; f = e; e = d + t1;
|
||||
d = c; c = b; b = a; a = t1 + t2;
|
||||
}
|
||||
size_t i16 = 0;
|
||||
FOR(i, 1, 5) {
|
||||
i16 += 16;
|
||||
FOR (j, 0, 16) {
|
||||
ctx->input[j] += lit_sigma1(ctx->input[(j- 2) & 15]);
|
||||
ctx->input[j] += lit_sigma0(ctx->input[(j-15) & 15]);
|
||||
ctx->input[j] += ctx->input[(j- 7) & 15];
|
||||
u64 in = K[i16 + j] + ctx->input[j];
|
||||
u64 t1 = big_sigma1(e) + ch (e, f, g) + h + in;
|
||||
u64 t2 = big_sigma0(a) + maj(a, b, c);
|
||||
h = g; g = f; f = e; e = d + t1;
|
||||
d = c; c = b; b = a; a = t1 + t2;
|
||||
}
|
||||
}
|
||||
|
||||
ctx->hash[0] += a; ctx->hash[1] += b;
|
||||
ctx->hash[2] += c; ctx->hash[3] += d;
|
||||
ctx->hash[4] += e; ctx->hash[5] += f;
|
||||
ctx->hash[6] += g; ctx->hash[7] += h;
|
||||
}
|
||||
|
||||
// Write 1 input byte
|
||||
static void sha512_set_input(crypto_sha512_ctx *ctx, u8 input)
|
||||
{
|
||||
size_t word = ctx->input_idx >> 3;
|
||||
size_t byte = ctx->input_idx & 7;
|
||||
ctx->input[word] |= (u64)input << (8 * (7 - byte));
|
||||
}
|
||||
|
||||
// Increment a 128-bit "word".
|
||||
static void sha512_incr(u64 x[2], u64 y)
|
||||
{
|
||||
x[1] += y;
|
||||
if (x[1] < y) {
|
||||
x[0]++;
|
||||
}
|
||||
}
|
||||
|
||||
void crypto_sha512_init(crypto_sha512_ctx *ctx)
|
||||
{
|
||||
ctx->hash[0] = 0x6a09e667f3bcc908;
|
||||
ctx->hash[1] = 0xbb67ae8584caa73b;
|
||||
ctx->hash[2] = 0x3c6ef372fe94f82b;
|
||||
ctx->hash[3] = 0xa54ff53a5f1d36f1;
|
||||
ctx->hash[4] = 0x510e527fade682d1;
|
||||
ctx->hash[5] = 0x9b05688c2b3e6c1f;
|
||||
ctx->hash[6] = 0x1f83d9abfb41bd6b;
|
||||
ctx->hash[7] = 0x5be0cd19137e2179;
|
||||
ctx->input_size[0] = 0;
|
||||
ctx->input_size[1] = 0;
|
||||
ctx->input_idx = 0;
|
||||
ZERO(ctx->input, 16);
|
||||
}
|
||||
|
||||
void crypto_sha512_update(crypto_sha512_ctx *ctx,
|
||||
const u8 *message, size_t message_size)
|
||||
{
|
||||
// Avoid undefined NULL pointer increments with empty messages
|
||||
if (message_size == 0) {
|
||||
return;
|
||||
}
|
||||
|
||||
// Align ourselves with word boundaries
|
||||
if ((ctx->input_idx & 7) != 0) {
|
||||
size_t nb_bytes = MIN(align(ctx->input_idx, 8), message_size);
|
||||
FOR (i, 0, nb_bytes) {
|
||||
sha512_set_input(ctx, message[i]);
|
||||
ctx->input_idx++;
|
||||
}
|
||||
message += nb_bytes;
|
||||
message_size -= nb_bytes;
|
||||
}
|
||||
|
||||
// Align ourselves with block boundaries
|
||||
if ((ctx->input_idx & 127) != 0) {
|
||||
size_t nb_words = MIN(align(ctx->input_idx, 128), message_size) >> 3;
|
||||
load64_be_buf(ctx->input + (ctx->input_idx >> 3), message, nb_words);
|
||||
ctx->input_idx += nb_words << 3;
|
||||
message += nb_words << 3;
|
||||
message_size -= nb_words << 3;
|
||||
}
|
||||
|
||||
// Compress block if needed
|
||||
if (ctx->input_idx == 128) {
|
||||
sha512_incr(ctx->input_size, 1024); // size is in bits
|
||||
sha512_compress(ctx);
|
||||
ctx->input_idx = 0;
|
||||
ZERO(ctx->input, 16);
|
||||
}
|
||||
|
||||
// Process the message block by block
|
||||
FOR (i, 0, message_size >> 7) { // number of blocks
|
||||
load64_be_buf(ctx->input, message, 16);
|
||||
sha512_incr(ctx->input_size, 1024); // size is in bits
|
||||
sha512_compress(ctx);
|
||||
ctx->input_idx = 0;
|
||||
ZERO(ctx->input, 16);
|
||||
message += 128;
|
||||
}
|
||||
message_size &= 127;
|
||||
|
||||
if (message_size != 0) {
|
||||
// Remaining words
|
||||
size_t nb_words = message_size >> 3;
|
||||
load64_be_buf(ctx->input, message, nb_words);
|
||||
ctx->input_idx += nb_words << 3;
|
||||
message += nb_words << 3;
|
||||
message_size -= nb_words << 3;
|
||||
|
||||
// Remaining bytes
|
||||
FOR (i, 0, message_size) {
|
||||
sha512_set_input(ctx, message[i]);
|
||||
ctx->input_idx++;
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
void crypto_sha512_final(crypto_sha512_ctx *ctx, u8 hash[64])
|
||||
{
|
||||
// Add padding bit
|
||||
if (ctx->input_idx == 0) {
|
||||
ZERO(ctx->input, 16);
|
||||
}
|
||||
sha512_set_input(ctx, 128);
|
||||
|
||||
// Update size
|
||||
sha512_incr(ctx->input_size, ctx->input_idx * 8);
|
||||
|
||||
// Compress penultimate block (if any)
|
||||
if (ctx->input_idx > 111) {
|
||||
sha512_compress(ctx);
|
||||
ZERO(ctx->input, 14);
|
||||
}
|
||||
// Compress last block
|
||||
ctx->input[14] = ctx->input_size[0];
|
||||
ctx->input[15] = ctx->input_size[1];
|
||||
sha512_compress(ctx);
|
||||
|
||||
// Copy hash to output (big endian)
|
||||
FOR (i, 0, 8) {
|
||||
store64_be(hash + i*8, ctx->hash[i]);
|
||||
}
|
||||
|
||||
WIPE_CTX(ctx);
|
||||
}
|
||||
|
||||
void crypto_sha512(u8 hash[64], const u8 *message, size_t message_size)
|
||||
{
|
||||
crypto_sha512_ctx ctx;
|
||||
crypto_sha512_init (&ctx);
|
||||
crypto_sha512_update(&ctx, message, message_size);
|
||||
crypto_sha512_final (&ctx, hash);
|
||||
}
|
||||
|
||||
////////////////////
|
||||
/// HMAC SHA 512 ///
|
||||
////////////////////
|
||||
void crypto_sha512_hmac_init(crypto_sha512_hmac_ctx *ctx,
|
||||
const u8 *key, size_t key_size)
|
||||
{
|
||||
// hash key if it is too long
|
||||
if (key_size > 128) {
|
||||
crypto_sha512(ctx->key, key, key_size);
|
||||
key = ctx->key;
|
||||
key_size = 64;
|
||||
}
|
||||
// Compute inner key: padded key XOR 0x36
|
||||
FOR (i, 0, key_size) { ctx->key[i] = key[i] ^ 0x36; }
|
||||
FOR (i, key_size, 128) { ctx->key[i] = 0x36; }
|
||||
// Start computing inner hash
|
||||
crypto_sha512_init (&ctx->ctx);
|
||||
crypto_sha512_update(&ctx->ctx, ctx->key, 128);
|
||||
}
|
||||
|
||||
void crypto_sha512_hmac_update(crypto_sha512_hmac_ctx *ctx,
|
||||
const u8 *message, size_t message_size)
|
||||
{
|
||||
crypto_sha512_update(&ctx->ctx, message, message_size);
|
||||
}
|
||||
|
||||
void crypto_sha512_hmac_final(crypto_sha512_hmac_ctx *ctx, u8 hmac[64])
|
||||
{
|
||||
// Finish computing inner hash
|
||||
crypto_sha512_final(&ctx->ctx, hmac);
|
||||
// Compute outer key: padded key XOR 0x5c
|
||||
FOR (i, 0, 128) {
|
||||
ctx->key[i] ^= 0x36 ^ 0x5c;
|
||||
}
|
||||
// Compute outer hash
|
||||
crypto_sha512_init (&ctx->ctx);
|
||||
crypto_sha512_update(&ctx->ctx, ctx->key , 128);
|
||||
crypto_sha512_update(&ctx->ctx, hmac, 64);
|
||||
crypto_sha512_final (&ctx->ctx, hmac); // outer hash
|
||||
WIPE_CTX(ctx);
|
||||
}
|
||||
|
||||
void crypto_sha512_hmac(u8 hmac[64], const u8 *key, size_t key_size,
|
||||
const u8 *message, size_t message_size)
|
||||
{
|
||||
crypto_sha512_hmac_ctx ctx;
|
||||
crypto_sha512_hmac_init (&ctx, key, key_size);
|
||||
crypto_sha512_hmac_update(&ctx, message, message_size);
|
||||
crypto_sha512_hmac_final (&ctx, hmac);
|
||||
}
|
||||
|
||||
////////////////////
|
||||
/// HKDF SHA 512 ///
|
||||
////////////////////
|
||||
void crypto_sha512_hkdf_expand(u8 *okm, size_t okm_size,
|
||||
const u8 *prk, size_t prk_size,
|
||||
const u8 *info, size_t info_size)
|
||||
{
|
||||
int not_first = 0;
|
||||
u8 ctr = 1;
|
||||
u8 blk[64];
|
||||
|
||||
while (okm_size > 0) {
|
||||
size_t out_size = MIN(okm_size, sizeof(blk));
|
||||
|
||||
crypto_sha512_hmac_ctx ctx;
|
||||
crypto_sha512_hmac_init(&ctx, prk , prk_size);
|
||||
if (not_first) {
|
||||
// For some reason HKDF uses some kind of CBC mode.
|
||||
// For some reason CTR mode alone wasn't enough.
|
||||
// Like what, they didn't trust HMAC in 2010? Really??
|
||||
crypto_sha512_hmac_update(&ctx, blk , sizeof(blk));
|
||||
}
|
||||
crypto_sha512_hmac_update(&ctx, info, info_size);
|
||||
crypto_sha512_hmac_update(&ctx, &ctr, 1);
|
||||
crypto_sha512_hmac_final(&ctx, blk);
|
||||
|
||||
COPY(okm, blk, out_size);
|
||||
|
||||
not_first = 1;
|
||||
okm += out_size;
|
||||
okm_size -= out_size;
|
||||
ctr++;
|
||||
}
|
||||
}
|
||||
|
||||
void crypto_sha512_hkdf(u8 *okm , size_t okm_size,
|
||||
const u8 *ikm , size_t ikm_size,
|
||||
const u8 *salt, size_t salt_size,
|
||||
const u8 *info, size_t info_size)
|
||||
{
|
||||
// Extract
|
||||
u8 prk[64];
|
||||
crypto_sha512_hmac(prk, salt, salt_size, ikm, ikm_size);
|
||||
|
||||
// Expand
|
||||
crypto_sha512_hkdf_expand(okm, okm_size, prk, sizeof(prk), info, info_size);
|
||||
}
|
||||
|
||||
///////////////
|
||||
/// Ed25519 ///
|
||||
///////////////
|
||||
void crypto_ed25519_key_pair(u8 secret_key[64], u8 public_key[32], u8 seed[32])
|
||||
{
|
||||
u8 a[64];
|
||||
COPY(a, seed, 32); // a[ 0..31] = seed
|
||||
crypto_wipe(seed, 32);
|
||||
COPY(secret_key, a, 32); // secret key = seed
|
||||
crypto_sha512(a, a, 32); // a[ 0..31] = scalar
|
||||
crypto_eddsa_trim_scalar(a, a); // a[ 0..31] = trimmed scalar
|
||||
crypto_eddsa_scalarbase(public_key, a); // public key = [trimmed scalar]B
|
||||
COPY(secret_key + 32, public_key, 32); // secret key includes public half
|
||||
WIPE_BUFFER(a);
|
||||
}
|
||||
|
||||
static void hash_reduce(u8 h[32],
|
||||
const u8 *a, size_t a_size,
|
||||
const u8 *b, size_t b_size,
|
||||
const u8 *c, size_t c_size,
|
||||
const u8 *d, size_t d_size)
|
||||
{
|
||||
u8 hash[64];
|
||||
crypto_sha512_ctx ctx;
|
||||
crypto_sha512_init (&ctx);
|
||||
crypto_sha512_update(&ctx, a, a_size);
|
||||
crypto_sha512_update(&ctx, b, b_size);
|
||||
crypto_sha512_update(&ctx, c, c_size);
|
||||
crypto_sha512_update(&ctx, d, d_size);
|
||||
crypto_sha512_final (&ctx, hash);
|
||||
crypto_eddsa_reduce(h, hash);
|
||||
}
|
||||
|
||||
static void ed25519_dom_sign(u8 signature [64], const u8 secret_key[32],
|
||||
const u8 *dom, size_t dom_size,
|
||||
const u8 *message, size_t message_size)
|
||||
{
|
||||
u8 a[64]; // secret scalar and prefix
|
||||
u8 r[32]; // secret deterministic "random" nonce
|
||||
u8 h[32]; // publically verifiable hash of the message (not wiped)
|
||||
u8 R[32]; // first half of the signature (allows overlapping inputs)
|
||||
const u8 *pk = secret_key + 32;
|
||||
|
||||
crypto_sha512(a, secret_key, 32);
|
||||
crypto_eddsa_trim_scalar(a, a);
|
||||
hash_reduce(r, dom, dom_size, a + 32, 32, message, message_size, 0, 0);
|
||||
crypto_eddsa_scalarbase(R, r);
|
||||
hash_reduce(h, dom, dom_size, R, 32, pk, 32, message, message_size);
|
||||
COPY(signature, R, 32);
|
||||
crypto_eddsa_mul_add(signature + 32, h, a, r);
|
||||
|
||||
WIPE_BUFFER(a);
|
||||
WIPE_BUFFER(r);
|
||||
}
|
||||
|
||||
void crypto_ed25519_sign(u8 signature [64], const u8 secret_key[64],
|
||||
const u8 *message, size_t message_size)
|
||||
{
|
||||
ed25519_dom_sign(signature, secret_key, 0, 0, message, message_size);
|
||||
}
|
||||
|
||||
int crypto_ed25519_check(const u8 signature[64], const u8 public_key[32],
|
||||
const u8 *msg, size_t msg_size)
|
||||
{
|
||||
u8 h_ram[32];
|
||||
hash_reduce(h_ram, signature, 32, public_key, 32, msg, msg_size, 0, 0);
|
||||
return crypto_eddsa_check_equation(signature, public_key, h_ram);
|
||||
}
|
||||
|
||||
static const u8 domain[34] = "SigEd25519 no Ed25519 collisions\1";
|
||||
|
||||
void crypto_ed25519_ph_sign(uint8_t signature[64], const uint8_t secret_key[64],
|
||||
const uint8_t message_hash[64])
|
||||
{
|
||||
ed25519_dom_sign(signature, secret_key, domain, sizeof(domain),
|
||||
message_hash, 64);
|
||||
}
|
||||
|
||||
int crypto_ed25519_ph_check(const uint8_t sig[64], const uint8_t pk[32],
|
||||
const uint8_t msg_hash[64])
|
||||
{
|
||||
u8 h_ram[32];
|
||||
hash_reduce(h_ram, domain, sizeof(domain), sig, 32, pk, 32, msg_hash, 64);
|
||||
return crypto_eddsa_check_equation(sig, pk, h_ram);
|
||||
}
|
||||
|
||||
|
||||
#ifdef MONOCYPHER_CPP_NAMESPACE
|
||||
}
|
||||
#endif
|
|
@ -0,0 +1,140 @@
|
|||
// Monocypher version 4.0.2
|
||||
//
|
||||
// This file is dual-licensed. Choose whichever licence you want from
|
||||
// the two licences listed below.
|
||||
//
|
||||
// The first licence is a regular 2-clause BSD licence. The second licence
|
||||
// is the CC-0 from Creative Commons. It is intended to release Monocypher
|
||||
// to the public domain. The BSD licence serves as a fallback option.
|
||||
//
|
||||
// SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
|
||||
//
|
||||
// ------------------------------------------------------------------------
|
||||
//
|
||||
// Copyright (c) 2017-2019, Loup Vaillant
|
||||
// All rights reserved.
|
||||
//
|
||||
//
|
||||
// Redistribution and use in source and binary forms, with or without
|
||||
// modification, are permitted provided that the following conditions are
|
||||
// met:
|
||||
//
|
||||
// 1. Redistributions of source code must retain the above copyright
|
||||
// notice, this list of conditions and the following disclaimer.
|
||||
//
|
||||
// 2. Redistributions in binary form must reproduce the above copyright
|
||||
// notice, this list of conditions and the following disclaimer in the
|
||||
// documentation and/or other materials provided with the
|
||||
// distribution.
|
||||
//
|
||||
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
//
|
||||
// ------------------------------------------------------------------------
|
||||
//
|
||||
// Written in 2017-2019 by Loup Vaillant
|
||||
//
|
||||
// To the extent possible under law, the author(s) have dedicated all copyright
|
||||
// and related neighboring rights to this software to the public domain
|
||||
// worldwide. This software is distributed without any warranty.
|
||||
//
|
||||
// You should have received a copy of the CC0 Public Domain Dedication along
|
||||
// with this software. If not, see
|
||||
// <https://creativecommons.org/publicdomain/zero/1.0/>
|
||||
|
||||
#ifndef ED25519_H
|
||||
#define ED25519_H
|
||||
|
||||
#include "monocypher.h"
|
||||
|
||||
#ifdef MONOCYPHER_CPP_NAMESPACE
|
||||
namespace MONOCYPHER_CPP_NAMESPACE {
|
||||
#elif defined(__cplusplus)
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
////////////////////////
|
||||
/// Type definitions ///
|
||||
////////////////////////
|
||||
|
||||
// Do not rely on the size or content on any of those types,
|
||||
// they may change without notice.
|
||||
typedef struct {
|
||||
uint64_t hash[8];
|
||||
uint64_t input[16];
|
||||
uint64_t input_size[2];
|
||||
size_t input_idx;
|
||||
} crypto_sha512_ctx;
|
||||
|
||||
typedef struct {
|
||||
uint8_t key[128];
|
||||
crypto_sha512_ctx ctx;
|
||||
} crypto_sha512_hmac_ctx;
|
||||
|
||||
|
||||
// SHA 512
|
||||
// -------
|
||||
void crypto_sha512_init (crypto_sha512_ctx *ctx);
|
||||
void crypto_sha512_update(crypto_sha512_ctx *ctx,
|
||||
const uint8_t *message, size_t message_size);
|
||||
void crypto_sha512_final (crypto_sha512_ctx *ctx, uint8_t hash[64]);
|
||||
void crypto_sha512(uint8_t hash[64],
|
||||
const uint8_t *message, size_t message_size);
|
||||
|
||||
// SHA 512 HMAC
|
||||
// ------------
|
||||
void crypto_sha512_hmac_init(crypto_sha512_hmac_ctx *ctx,
|
||||
const uint8_t *key, size_t key_size);
|
||||
void crypto_sha512_hmac_update(crypto_sha512_hmac_ctx *ctx,
|
||||
const uint8_t *message, size_t message_size);
|
||||
void crypto_sha512_hmac_final(crypto_sha512_hmac_ctx *ctx, uint8_t hmac[64]);
|
||||
void crypto_sha512_hmac(uint8_t hmac[64],
|
||||
const uint8_t *key , size_t key_size,
|
||||
const uint8_t *message, size_t message_size);
|
||||
|
||||
// SHA 512 HKDF
|
||||
// ------------
|
||||
void crypto_sha512_hkdf_expand(uint8_t *okm, size_t okm_size,
|
||||
const uint8_t *prk, size_t prk_size,
|
||||
const uint8_t *info, size_t info_size);
|
||||
void crypto_sha512_hkdf(uint8_t *okm , size_t okm_size,
|
||||
const uint8_t *ikm , size_t ikm_size,
|
||||
const uint8_t *salt, size_t salt_size,
|
||||
const uint8_t *info, size_t info_size);
|
||||
|
||||
// Ed25519
|
||||
// -------
|
||||
// Signatures (EdDSA with curve25519 + SHA-512)
|
||||
// --------------------------------------------
|
||||
void crypto_ed25519_key_pair(uint8_t secret_key[64],
|
||||
uint8_t public_key[32],
|
||||
uint8_t seed[32]);
|
||||
void crypto_ed25519_sign(uint8_t signature [64],
|
||||
const uint8_t secret_key[64],
|
||||
const uint8_t *message, size_t message_size);
|
||||
int crypto_ed25519_check(const uint8_t signature [64],
|
||||
const uint8_t public_key[32],
|
||||
const uint8_t *message, size_t message_size);
|
||||
|
||||
// Pre-hash variants
|
||||
void crypto_ed25519_ph_sign(uint8_t signature [64],
|
||||
const uint8_t secret_key [64],
|
||||
const uint8_t message_hash[64]);
|
||||
int crypto_ed25519_ph_check(const uint8_t signature [64],
|
||||
const uint8_t public_key [32],
|
||||
const uint8_t message_hash[64]);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif // ED25519_H
|
File diff suppressed because it is too large
Load Diff
|
@ -0,0 +1,321 @@
|
|||
// Monocypher version 4.0.2
|
||||
//
|
||||
// This file is dual-licensed. Choose whichever licence you want from
|
||||
// the two licences listed below.
|
||||
//
|
||||
// The first licence is a regular 2-clause BSD licence. The second licence
|
||||
// is the CC-0 from Creative Commons. It is intended to release Monocypher
|
||||
// to the public domain. The BSD licence serves as a fallback option.
|
||||
//
|
||||
// SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
|
||||
//
|
||||
// ------------------------------------------------------------------------
|
||||
//
|
||||
// Copyright (c) 2017-2019, Loup Vaillant
|
||||
// All rights reserved.
|
||||
//
|
||||
//
|
||||
// Redistribution and use in source and binary forms, with or without
|
||||
// modification, are permitted provided that the following conditions are
|
||||
// met:
|
||||
//
|
||||
// 1. Redistributions of source code must retain the above copyright
|
||||
// notice, this list of conditions and the following disclaimer.
|
||||
//
|
||||
// 2. Redistributions in binary form must reproduce the above copyright
|
||||
// notice, this list of conditions and the following disclaimer in the
|
||||
// documentation and/or other materials provided with the
|
||||
// distribution.
|
||||
//
|
||||
// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
|
||||
// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
|
||||
// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
|
||||
// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
|
||||
// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
|
||||
// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
|
||||
// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
|
||||
// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
|
||||
// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
|
||||
// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
|
||||
// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
|
||||
//
|
||||
// ------------------------------------------------------------------------
|
||||
//
|
||||
// Written in 2017-2019 by Loup Vaillant
|
||||
//
|
||||
// To the extent possible under law, the author(s) have dedicated all copyright
|
||||
// and related neighboring rights to this software to the public domain
|
||||
// worldwide. This software is distributed without any warranty.
|
||||
//
|
||||
// You should have received a copy of the CC0 Public Domain Dedication along
|
||||
// with this software. If not, see
|
||||
// <https://creativecommons.org/publicdomain/zero/1.0/>
|
||||
|
||||
#ifndef MONOCYPHER_H
|
||||
#define MONOCYPHER_H
|
||||
|
||||
#include <stddef.h>
|
||||
#include <stdint.h>
|
||||
|
||||
#ifdef MONOCYPHER_CPP_NAMESPACE
|
||||
namespace MONOCYPHER_CPP_NAMESPACE {
|
||||
#elif defined(__cplusplus)
|
||||
extern "C" {
|
||||
#endif
|
||||
|
||||
// Constant time comparisons
|
||||
// -------------------------
|
||||
|
||||
// Return 0 if a and b are equal, -1 otherwise
|
||||
int crypto_verify16(const uint8_t a[16], const uint8_t b[16]);
|
||||
int crypto_verify32(const uint8_t a[32], const uint8_t b[32]);
|
||||
int crypto_verify64(const uint8_t a[64], const uint8_t b[64]);
|
||||
|
||||
|
||||
// Erase sensitive data
|
||||
// --------------------
|
||||
void crypto_wipe(void *secret, size_t size);
|
||||
|
||||
|
||||
// Authenticated encryption
|
||||
// ------------------------
|
||||
void crypto_aead_lock(uint8_t *cipher_text,
|
||||
uint8_t mac [16],
|
||||
const uint8_t key [32],
|
||||
const uint8_t nonce[24],
|
||||
const uint8_t *ad, size_t ad_size,
|
||||
const uint8_t *plain_text, size_t text_size);
|
||||
int crypto_aead_unlock(uint8_t *plain_text,
|
||||
const uint8_t mac [16],
|
||||
const uint8_t key [32],
|
||||
const uint8_t nonce[24],
|
||||
const uint8_t *ad, size_t ad_size,
|
||||
const uint8_t *cipher_text, size_t text_size);
|
||||
|
||||
// Authenticated stream
|
||||
// --------------------
|
||||
typedef struct {
|
||||
uint64_t counter;
|
||||
uint8_t key[32];
|
||||
uint8_t nonce[8];
|
||||
} crypto_aead_ctx;
|
||||
|
||||
void crypto_aead_init_x(crypto_aead_ctx *ctx,
|
||||
const uint8_t key[32], const uint8_t nonce[24]);
|
||||
void crypto_aead_init_djb(crypto_aead_ctx *ctx,
|
||||
const uint8_t key[32], const uint8_t nonce[8]);
|
||||
void crypto_aead_init_ietf(crypto_aead_ctx *ctx,
|
||||
const uint8_t key[32], const uint8_t nonce[12]);
|
||||
|
||||
void crypto_aead_write(crypto_aead_ctx *ctx,
|
||||
uint8_t *cipher_text,
|
||||
uint8_t mac[16],
|
||||
const uint8_t *ad , size_t ad_size,
|
||||
const uint8_t *plain_text, size_t text_size);
|
||||
int crypto_aead_read(crypto_aead_ctx *ctx,
|
||||
uint8_t *plain_text,
|
||||
const uint8_t mac[16],
|
||||
const uint8_t *ad , size_t ad_size,
|
||||
const uint8_t *cipher_text, size_t text_size);
|
||||
|
||||
|
||||
// General purpose hash (BLAKE2b)
|
||||
// ------------------------------
|
||||
|
||||
// Direct interface
|
||||
void crypto_blake2b(uint8_t *hash, size_t hash_size,
|
||||
const uint8_t *message, size_t message_size);
|
||||
|
||||
void crypto_blake2b_keyed(uint8_t *hash, size_t hash_size,
|
||||
const uint8_t *key, size_t key_size,
|
||||
const uint8_t *message, size_t message_size);
|
||||
|
||||
// Incremental interface
|
||||
typedef struct {
|
||||
// Do not rely on the size or contents of this type,
|
||||
// for they may change without notice.
|
||||
uint64_t hash[8];
|
||||
uint64_t input_offset[2];
|
||||
uint64_t input[16];
|
||||
size_t input_idx;
|
||||
size_t hash_size;
|
||||
} crypto_blake2b_ctx;
|
||||
|
||||
void crypto_blake2b_init(crypto_blake2b_ctx *ctx, size_t hash_size);
|
||||
void crypto_blake2b_keyed_init(crypto_blake2b_ctx *ctx, size_t hash_size,
|
||||
const uint8_t *key, size_t key_size);
|
||||
void crypto_blake2b_update(crypto_blake2b_ctx *ctx,
|
||||
const uint8_t *message, size_t message_size);
|
||||
void crypto_blake2b_final(crypto_blake2b_ctx *ctx, uint8_t *hash);
|
||||
|
||||
|
||||
// Password key derivation (Argon2)
|
||||
// --------------------------------
|
||||
#define CRYPTO_ARGON2_D 0
|
||||
#define CRYPTO_ARGON2_I 1
|
||||
#define CRYPTO_ARGON2_ID 2
|
||||
|
||||
typedef struct {
|
||||
uint32_t algorithm; // Argon2d, Argon2i, Argon2id
|
||||
uint32_t nb_blocks; // memory hardness, >= 8 * nb_lanes
|
||||
uint32_t nb_passes; // CPU hardness, >= 1 (>= 3 recommended for Argon2i)
|
||||
uint32_t nb_lanes; // parallelism level (single threaded anyway)
|
||||
} crypto_argon2_config;
|
||||
|
||||
typedef struct {
|
||||
const uint8_t *pass;
|
||||
const uint8_t *salt;
|
||||
uint32_t pass_size;
|
||||
uint32_t salt_size; // 16 bytes recommended
|
||||
} crypto_argon2_inputs;
|
||||
|
||||
typedef struct {
|
||||
const uint8_t *key; // may be NULL if no key
|
||||
const uint8_t *ad; // may be NULL if no additional data
|
||||
uint32_t key_size; // 0 if no key (32 bytes recommended otherwise)
|
||||
uint32_t ad_size; // 0 if no additional data
|
||||
} crypto_argon2_extras;
|
||||
|
||||
extern const crypto_argon2_extras crypto_argon2_no_extras;
|
||||
|
||||
void crypto_argon2(uint8_t *hash, uint32_t hash_size, void *work_area,
|
||||
crypto_argon2_config config,
|
||||
crypto_argon2_inputs inputs,
|
||||
crypto_argon2_extras extras);
|
||||
|
||||
|
||||
// Key exchange (X-25519)
|
||||
// ----------------------
|
||||
|
||||
// Shared secrets are not quite random.
|
||||
// Hash them to derive an actual shared key.
|
||||
void crypto_x25519_public_key(uint8_t public_key[32],
|
||||
const uint8_t secret_key[32]);
|
||||
void crypto_x25519(uint8_t raw_shared_secret[32],
|
||||
const uint8_t your_secret_key [32],
|
||||
const uint8_t their_public_key [32]);
|
||||
|
||||
// Conversion to EdDSA
|
||||
void crypto_x25519_to_eddsa(uint8_t eddsa[32], const uint8_t x25519[32]);
|
||||
|
||||
// scalar "division"
|
||||
// Used for OPRF. Be aware that exponential blinding is less secure
|
||||
// than Diffie-Hellman key exchange.
|
||||
void crypto_x25519_inverse(uint8_t blind_salt [32],
|
||||
const uint8_t private_key[32],
|
||||
const uint8_t curve_point[32]);
|
||||
|
||||
// "Dirty" versions of x25519_public_key().
|
||||
// Use with crypto_elligator_rev().
|
||||
// Leaks 3 bits of the private key.
|
||||
void crypto_x25519_dirty_small(uint8_t pk[32], const uint8_t sk[32]);
|
||||
void crypto_x25519_dirty_fast (uint8_t pk[32], const uint8_t sk[32]);
|
||||
|
||||
|
||||
// Signatures
|
||||
// ----------
|
||||
|
||||
// EdDSA with curve25519 + BLAKE2b
|
||||
void crypto_eddsa_key_pair(uint8_t secret_key[64],
|
||||
uint8_t public_key[32],
|
||||
uint8_t seed[32]);
|
||||
void crypto_eddsa_sign(uint8_t signature [64],
|
||||
const uint8_t secret_key[64],
|
||||
const uint8_t *message, size_t message_size);
|
||||
int crypto_eddsa_check(const uint8_t signature [64],
|
||||
const uint8_t public_key[32],
|
||||
const uint8_t *message, size_t message_size);
|
||||
|
||||
// Conversion to X25519
|
||||
void crypto_eddsa_to_x25519(uint8_t x25519[32], const uint8_t eddsa[32]);
|
||||
|
||||
// EdDSA building blocks
|
||||
void crypto_eddsa_trim_scalar(uint8_t out[32], const uint8_t in[32]);
|
||||
void crypto_eddsa_reduce(uint8_t reduced[32], const uint8_t expanded[64]);
|
||||
void crypto_eddsa_mul_add(uint8_t r[32],
|
||||
const uint8_t a[32],
|
||||
const uint8_t b[32],
|
||||
const uint8_t c[32]);
|
||||
void crypto_eddsa_scalarbase(uint8_t point[32], const uint8_t scalar[32]);
|
||||
int crypto_eddsa_check_equation(const uint8_t signature[64],
|
||||
const uint8_t public_key[32],
|
||||
const uint8_t h_ram[32]);
|
||||
|
||||
|
||||
// Chacha20
|
||||
// --------
|
||||
|
||||
// Specialised hash.
|
||||
// Used to hash X25519 shared secrets.
|
||||
void crypto_chacha20_h(uint8_t out[32],
|
||||
const uint8_t key[32],
|
||||
const uint8_t in [16]);
|
||||
|
||||
// Unauthenticated stream cipher.
|
||||
// Don't forget to add authentication.
|
||||
uint64_t crypto_chacha20_djb(uint8_t *cipher_text,
|
||||
const uint8_t *plain_text,
|
||||
size_t text_size,
|
||||
const uint8_t key[32],
|
||||
const uint8_t nonce[8],
|
||||
uint64_t ctr);
|
||||
uint32_t crypto_chacha20_ietf(uint8_t *cipher_text,
|
||||
const uint8_t *plain_text,
|
||||
size_t text_size,
|
||||
const uint8_t key[32],
|
||||
const uint8_t nonce[12],
|
||||
uint32_t ctr);
|
||||
uint64_t crypto_chacha20_x(uint8_t *cipher_text,
|
||||
const uint8_t *plain_text,
|
||||
size_t text_size,
|
||||
const uint8_t key[32],
|
||||
const uint8_t nonce[24],
|
||||
uint64_t ctr);
|
||||
|
||||
|
||||
// Poly 1305
|
||||
// ---------
|
||||
|
||||
// This is a *one time* authenticator.
|
||||
// Disclosing the mac reveals the key.
|
||||
// See crypto_lock() on how to use it properly.
|
||||
|
||||
// Direct interface
|
||||
void crypto_poly1305(uint8_t mac[16],
|
||||
const uint8_t *message, size_t message_size,
|
||||
const uint8_t key[32]);
|
||||
|
||||
// Incremental interface
|
||||
typedef struct {
|
||||
// Do not rely on the size or contents of this type,
|
||||
// for they may change without notice.
|
||||
uint8_t c[16]; // chunk of the message
|
||||
size_t c_idx; // How many bytes are there in the chunk.
|
||||
uint32_t r [4]; // constant multiplier (from the secret key)
|
||||
uint32_t pad[4]; // random number added at the end (from the secret key)
|
||||
uint32_t h [5]; // accumulated hash
|
||||
} crypto_poly1305_ctx;
|
||||
|
||||
void crypto_poly1305_init (crypto_poly1305_ctx *ctx, const uint8_t key[32]);
|
||||
void crypto_poly1305_update(crypto_poly1305_ctx *ctx,
|
||||
const uint8_t *message, size_t message_size);
|
||||
void crypto_poly1305_final (crypto_poly1305_ctx *ctx, uint8_t mac[16]);
|
||||
|
||||
|
||||
// Elligator 2
|
||||
// -----------
|
||||
|
||||
// Elligator mappings proper
|
||||
void crypto_elligator_map(uint8_t curve [32], const uint8_t hidden[32]);
|
||||
int crypto_elligator_rev(uint8_t hidden[32], const uint8_t curve [32],
|
||||
uint8_t tweak);
|
||||
|
||||
// Easy to use key pair generation
|
||||
void crypto_elligator_key_pair(uint8_t hidden[32], uint8_t secret_key[32],
|
||||
uint8_t seed[32]);
|
||||
|
||||
#ifdef __cplusplus
|
||||
}
|
||||
#endif
|
||||
|
||||
#endif // MONOCYPHER_H
|
Loading…
Reference in New Issue