From e475cb2b7609932e497b011dce11717077090b3f Mon Sep 17 00:00:00 2001 
From: AndreDVJ Date: Fri, 22 Jul 2016 20:04:54 +0200 Subject: [PATCH] libsodium: updated to 1.0.10 --- release/src/router/Makefile | 8 +- release/src/router/libsodium/AUTHORS | 14 + release/src/router/libsodium/ChangeLog | 30 + release/src/router/libsodium/LICENSE | 2 +- release/src/router/libsodium/Makefile.am | 1 + release/src/router/libsodium/Makefile.in | 9 + release/src/router/libsodium/README.markdown | 7 + release/src/router/libsodium/aclocal.m4 | 1 + release/src/router/libsodium/configure | 792 +++- release/src/router/libsodium/configure.ac | 120 +- .../src/router/libsodium/dist-build/Makefile.in | 9 + .../src/router/libsodium/dist-build/emscripten.sh | 14 +- .../router/libsodium/libsodium-uninstalled.pc.in | 2 +- release/src/router/libsodium/libsodium.pc.in | 2 +- release/src/router/libsodium/libsodium.vcxproj | 136 +- .../src/router/libsodium/libsodium.vcxproj.filters | 396 +- .../src/router/libsodium/m4/ax_valgrind_check.m4 | 190 + .../src/router/libsodium/msvc-scripts/Makefile.in | 9 + .../src/router/libsodium/msvc-scripts/process.bat | 4 +- release/src/router/libsodium/src/Makefile.in | 9 + .../src/router/libsodium/src/libsodium/Makefile.am | 41 +- .../src/router/libsodium/src/libsodium/Makefile.in | 330 +- .../aes256gcm/aesni/aead_aes256gcm_aesni.c | 272 +- .../sodium/aead_chacha20poly1305.c | 326 +- .../src/libsodium/crypto_box/crypto_box_seal.c | 4 +- .../ref/before_curve25519xsalsa20poly1305.c | 5 +- .../curve25519/ref10/curve25519_ref10.c | 4475 ++++++++++---------- .../crypto_core/hchacha20/core_hchacha20.c | 86 + .../crypto_core/hchacha20/core_hchacha20.h | 28 + .../crypto_core/hsalsa20/ref2/core_hsalsa20.c | 84 +- .../crypto_core/salsa20/ref/core_salsa20.c | 102 +- .../crypto_core/salsa2012/ref/core_salsa2012.c | 102 +- .../crypto_core/salsa208/ref/core_salsa208.c | 102 +- .../blake2/generichash_blake2_api.c | 7 + .../crypto_generichash/blake2/ref/blake2-impl.h | 185 +- .../crypto_generichash/blake2/ref/blake2.h | 285 +- 
.../blake2/ref/blake2b-compress-avx2.c | 45 + .../blake2/ref/blake2b-compress-avx2.h | 123 + .../blake2/ref/blake2b-compress-ref.c | 5 +- .../blake2/ref/blake2b-compress-sse41.c | 4 +- .../{blake2b-round.h => blake2b-compress-sse41.h} | 30 +- .../blake2/ref/blake2b-compress-ssse3.c | 6 +- .../{blake2b-round.h => blake2b-compress-ssse3.h} | 30 +- .../blake2/ref/blake2b-load-avx2.h | 339 ++ .../blake2/ref/blake2b-load-sse2.h | 2 - .../blake2/ref/blake2b-load-sse41.h | 2 - .../crypto_generichash/blake2/ref/blake2b-ref.c | 49 +- .../libsodium/crypto_hash/sha256/cp/hash_sha256.c | 47 +- .../libsodium/crypto_hash/sha512/cp/hash_sha512.c | 35 +- .../poly1305/donna/poly1305_donna.h | 43 +- .../poly1305/donna/poly1305_donna32.h | 63 +- .../poly1305/donna/poly1305_donna64.h | 51 +- .../poly1305/sse2/poly1305_sse2.c | 6 +- .../poly1305/sse2/poly1305_sse2.h | 43 +- .../libsodium/crypto_pwhash/argon2/argon2-core.c | 570 +++ .../libsodium/crypto_pwhash/argon2/argon2-core.h | 198 + .../crypto_pwhash/argon2/argon2-encoding.c | 444 ++ .../crypto_pwhash/argon2/argon2-encoding.h | 32 + .../crypto_pwhash/argon2/argon2-fill-block-ref.c | 229 + .../crypto_pwhash/argon2/argon2-fill-block-ssse3.c | 222 + .../libsodium/crypto_pwhash/argon2/argon2-impl.h | 40 + .../src/libsodium/crypto_pwhash/argon2/argon2.c | 238 ++ .../src/libsodium/crypto_pwhash/argon2/argon2.h | 251 ++ .../libsodium/crypto_pwhash/argon2/blake2b-long.c | 80 + .../libsodium/crypto_pwhash/argon2/blake2b-long.h | 8 + .../crypto_pwhash/argon2/blamka-round-ref.h | 38 + .../crypto_pwhash/argon2/blamka-round-ssse3.h | 117 + .../crypto_pwhash/argon2/pwhash_argon2i.c | 164 + .../src/libsodium/crypto_pwhash/crypto_pwhash.c | 106 + .../scryptsalsa208sha256/crypto_scrypt-common.c | 2 +- .../scryptsalsa208sha256/crypto_scrypt.h | 8 +- .../nosse/pwhash_scryptsalsa208sha256_nosse.c | 372 +- .../scryptsalsa208sha256/pbkdf2-sha256.c | 4 +- .../pwhash_scryptsalsa208sha256.c | 5 +- .../scryptsalsa208sha256/scrypt_platform.c | 66 +- 
.../sse/pwhash_scryptsalsa208sha256_sse.c | 783 ++-- .../crypto_pwhash/scryptsalsa208sha256/sysendian.h | 146 - .../curve25519/donna_c64/curve25519_donna_c64.c | 33 +- .../curve25519/donna_c64/curve25519_donna_c64.h | 1 + .../curve25519/ref10/x25519_ref10.c | 24 +- .../curve25519/ref10/x25519_ref10.h | 1 + .../curve25519/sandy2x/consts_namespace.h | 2 +- .../crypto_scalarmult/curve25519/sandy2x/fe.h | 5 +- .../crypto_scalarmult/curve25519/sandy2x/fe51.h | 8 +- .../curve25519/sandy2x/fe51_invert.c | 114 +- .../curve25519/sandy2x/fe51_mul.S | 12 +- .../curve25519/sandy2x/fe51_namespace.h | 2 +- .../curve25519/sandy2x/fe51_nsquare.S | 4 + .../curve25519/sandy2x/fe51_pack.S | 4 + .../curve25519/sandy2x/fe_frombytes_sandy2x.c | 63 +- .../crypto_scalarmult/curve25519/sandy2x/ladder.S | 4 + .../crypto_scalarmult/curve25519/sandy2x/ladder.h | 2 +- .../curve25519/sandy2x/ladder_base.S | 4 + .../curve25519/sandy2x/ladder_base.h | 2 +- .../curve25519/sandy2x/ladder_base_namespace.h | 2 +- .../curve25519/sandy2x/ladder_namespace.h | 2 +- .../crypto_secretbox/crypto_secretbox_easy.c | 8 +- .../siphash24/ref/shorthash_siphash24.c | 36 +- .../libsodium/crypto_sign/ed25519/ref10/keypair.c | 2 +- .../libsodium/crypto_sign/ed25519/ref10/obsolete.c | 2 +- .../src/libsodium/crypto_sign/ed25519/ref10/open.c | 77 +- .../src/libsodium/crypto_sign/ed25519/ref10/sign.c | 2 +- .../aes128ctr/portable/afternm_aes128ctr.c | 12 +- .../crypto_stream/aes128ctr/portable/common.h | 19 +- .../aes128ctr/portable/common_aes128ctr.c | 64 - .../aes128ctr/portable/int128_aes128ctr.c | 40 +- .../crypto_stream/aes128ctr/portable/types.h | 8 +- .../aes128ctr/portable/xor_afternm_aes128ctr.c | 12 +- .../chacha20/ref/stream_chacha20_ref.c | 133 +- .../chacha20/ref/stream_chacha20_ref.h | 1 + .../chacha20/vec/stream_chacha20_vec.h | 1 + .../crypto_stream/salsa20/ref/stream_salsa20_ref.c | 10 +- .../crypto_stream/salsa20/ref/xor_salsa20_ref.c | 10 +- .../crypto_stream/salsa2012/ref/stream_salsa2012.c | 10 +- 
.../crypto_stream/salsa2012/ref/xor_salsa2012.c | 10 +- .../crypto_stream/salsa208/ref/stream_salsa208.c | 10 +- .../crypto_stream/salsa208/ref/xor_salsa208.c | 10 +- .../crypto_stream/xsalsa20/ref/stream_xsalsa20.c | 6 +- .../crypto_stream/xsalsa20/ref/xor_xsalsa20.c | 6 +- .../libsodium/src/libsodium/include/Makefile.am | 3 + .../libsodium/src/libsodium/include/Makefile.in | 27 +- .../libsodium/src/libsodium/include/sodium.h | 3 + .../include/sodium/crypto_aead_aes256gcm.h | 50 + .../include/sodium/crypto_aead_chacha20poly1305.h | 116 +- .../sodium/crypto_box_curve25519xsalsa20poly1305.h | 12 +- .../include/sodium/crypto_core_hchacha20.h | 35 + .../include/sodium/crypto_generichash_blake2b.h | 3 + .../src/libsodium/include/sodium/crypto_pwhash.h | 89 + .../include/sodium/crypto_pwhash_argon2i.h | 86 + .../sodium/crypto_secretbox_xsalsa20poly1305.h | 12 +- .../sodium/crypto_sign_edwards25519sha512batch.h | 11 - .../src/libsodium/include/sodium/private/common.h | 150 + .../sodium/private}/curve25519_ref10.h | 78 +- .../src/libsodium/include/sodium/runtime.h | 3 + .../src/libsodium/randombytes/randombytes.c | 3 + .../salsa20/randombytes_salsa20_random.c | 6 +- .../router/libsodium/src/libsodium/sodium/core.c | 4 +- .../libsodium/src/libsodium/sodium/runtime.c | 56 +- .../router/libsodium/src/libsodium/sodium/utils.c | 27 +- release/src/router/libsodium/test/Makefile.in | 9 + .../src/router/libsodium/test/default/Makefile.am | 10 + .../src/router/libsodium/test/default/Makefile.in | 73 +- .../router/libsodium/test/default/aead_aes256gcm.c | 62 +- .../libsodium/test/default/aead_chacha20poly1305.c | 275 +- release/src/router/libsodium/test/default/auth7.c | 10 +- release/src/router/libsodium/test/default/box.c | 8 +- release/src/router/libsodium/test/default/box2.c | 2 +- release/src/router/libsodium/test/default/core6.c | 2 +- .../router/libsodium/test/default/generichash.c | 13 +- .../router/libsodium/test/default/generichash2.c | 4 +- 
.../router/libsodium/test/default/generichash3.c | 21 + release/src/router/libsodium/test/default/pwhash.c | 354 +- .../src/router/libsodium/test/default/pwhash.exp | 43 +- .../test/default/{pwhash.c => pwhash_scrypt.c} | 2 +- .../test/default/{pwhash.exp => pwhash_scrypt.exp} | 0 .../src/router/libsodium/test/default/secretbox.c | 2 +- .../src/router/libsodium/test/default/secretbox2.c | 2 +- release/src/router/libsodium/test/default/sign.c | 15 + .../router/libsodium/test/default/sodium_utils2.c | 11 +- .../router/libsodium/test/default/sodium_utils3.c | 6 +- .../src/router/libsodium/test/default/verify1.c | 4 - release/src/router/libsodium/test/quirks/quirks.h | 3 + 162 files changed, 10332 insertions(+), 5386 deletions(-) create mode 100644 release/src/router/libsodium/m4/ax_valgrind_check.m4 rewrite release/src/router/libsodium/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c (88%) create mode 100644 release/src/router/libsodium/src/libsodium/crypto_core/hchacha20/core_hchacha20.c create mode 100644 release/src/router/libsodium/src/libsodium/crypto_core/hchacha20/core_hchacha20.h rewrite release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2-impl.h (62%) rewrite release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2.h (76%) create mode 100644 release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-avx2.c create mode 100644 release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-avx2.h copy release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/{blake2b-round.h => blake2b-compress-sse41.h} (77%) rename release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/{blake2b-round.h => blake2b-compress-ssse3.h} (77%) create mode 100644 release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-load-avx2.h rewrite 
release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna.h (82%) rewrite release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.h (82%) create mode 100644 release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-core.c create mode 100644 release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-core.h create mode 100644 release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-encoding.c create mode 100644 release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-encoding.h create mode 100644 release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ref.c create mode 100644 release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ssse3.c create mode 100644 release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-impl.h create mode 100644 release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2.c create mode 100644 release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2.h create mode 100644 release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/blake2b-long.c create mode 100644 release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/blake2b-long.h create mode 100644 release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/blamka-round-ref.h create mode 100644 release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/blamka-round-ssse3.h create mode 100644 release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/pwhash_argon2i.c create mode 100644 release/src/router/libsodium/src/libsodium/crypto_pwhash/crypto_pwhash.c rewrite release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c (61%) delete mode 100644 release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sysendian.h rewrite 
release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_invert.c (79%) delete mode 100644 release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/common_aes128ctr.c create mode 100644 release/src/router/libsodium/src/libsodium/include/sodium/crypto_core_hchacha20.h create mode 100644 release/src/router/libsodium/src/libsodium/include/sodium/crypto_pwhash.h create mode 100644 release/src/router/libsodium/src/libsodium/include/sodium/crypto_pwhash_argon2i.h create mode 100644 release/src/router/libsodium/src/libsodium/include/sodium/private/common.h rename release/src/router/libsodium/src/libsodium/{crypto_core/curve25519/ref10 => include/sodium/private}/curve25519_ref10.h (83%) rewrite release/src/router/libsodium/test/default/pwhash.exp (99%) copy release/src/router/libsodium/test/default/{pwhash.c => pwhash_scrypt.c} (99%) copy release/src/router/libsodium/test/default/{pwhash.exp => pwhash_scrypt.exp} (100%)
diff --git a/release/src/router/Makefile b/release/src/router/Makefile
index 69b3c56c12..1d0af37bbb 100644
--- a/release/src/router/Makefile
+++ b/release/src/router/Makefile
@@ -2455,11 +2455,11 @@ libsodium: libsodium/stamp-h1
 libsodium-install: libsodium
 install -d $(INSTALLDIR)/libsodium/usr/lib
- install -D libsodium/src/libsodium/.libs/libsodium.so.18.0.1 $(INSTALLDIR)/libsodium/usr/lib/libsodium.so.18.0.1
- $(STRIP) -s $(INSTALLDIR)/libsodium/usr/lib/libsodium.so.18.0.1
+ install -D libsodium/src/libsodium/.libs/libsodium.so.18.1.0 $(INSTALLDIR)/libsodium/usr/lib/libsodium.so.18.1.0
+ $(STRIP) -s $(INSTALLDIR)/libsodium/usr/lib/libsodium.so.18.1.0
 cd $(INSTALLDIR)/libsodium/usr/lib/ && \
- ln -sf libsodium.so.18.0.1 libsodium.so.18 && \
- ln -sf libsodium.so.18.0.1 libsodium.so
+ ln -sf libsodium.so.18.1.0 libsodium.so.18 && \
+ ln -sf libsodium.so.18.1.0 libsodium.so

 libsodium-clean:
 -$(MAKE) -C libsodium clean
diff --git a/release/src/router/libsodium/AUTHORS b/release/src/router/libsodium/AUTHORS index 6f2b7ca39a..d8585c48d1 100644 --- a/release/src/router/libsodium/AUTHORS +++ b/release/src/router/libsodium/AUTHORS @@ -2,6 +2,10 @@ Designers ========= +argon2 Alex Biryukov + Daniel Dinu + Dmitry Khovratovich + blake2 Jean-Philippe Aumasson Christian Winnerlein Samuel Neves @@ -38,8 +42,12 @@ crypto_aead/aes256gcm/aesni Romain Dolbeau crypto_aead/chacha20poly1305 Frank Denis +crypto_core/curve25519 Daniel J. Bernstein + crypto_box/curve25519xsalsa20poly1305 Daniel J. Bernstein +crypto_core/hchacha20 Frank Denis + crypto_core/hsalsa20 Daniel J. Bernstein crypto_core/salsa20 crypto_core/salsa2012 @@ -90,5 +98,11 @@ crypto_onetimeauth/poly1305/donna Andrew "floodyberry" Moon crypto_onetimeauth/poly1305/sse2 Andrew "floodyberry" Moon +crypto_pwhash/argon2 Samuel Neves + Dmitry Khovratovich + Jean-Philippe Aumasson + Daniel Dinu + Thomas Pornin + crypto_pwhash/scryptsalsa208sha256 Colin Percival Alexander Peslyak diff --git a/release/src/router/libsodium/ChangeLog b/release/src/router/libsodium/ChangeLog index 2e1d40e512..e3561d4022 100644 --- a/release/src/router/libsodium/ChangeLog +++ b/release/src/router/libsodium/ChangeLog 
@@ -1,4 +1,34 @@ +* Version 1.0.10 + - This release only fixes a compilation issue reported with some older +gcc versions. There are no functional changes over the previous release. + +* Version 1.0.9 + - The Javascript target now includes a `--sumo` option to include all +the symbols of the original C library. + - A detached API was added to the ChaCha20-Poly1305 and AES256-GCM +implementations. + - The Argon2i password hashing function was added, and is accessible +directly and through a new, high-level `crypto_pwhash` API. The scrypt +function remains available as well. + - A speed-record AVX2 implementation of BLAKE2b was added (thanks to +Samuel Neves). + - The library can now be compiled using C++Builder (thanks to @jcolli44) + - Countermeasures for Ed25519 signatures malleability have been added +to match the irtf-cfrg-eddsa draft (note that malleability is irrelevant to +the standard definition of signature security). Signatures with a small-order +`R` point are now also rejected. + - Some implementations are now slightly faster when using the Clang +compiler. + - The HChaCha20 core function was implemented (`crypto_core_hchacha20()`). + - No-op stubs were added for all AES256-GCM public functions even when +compiled on non-Intel platforms. + - `crypt_generichash_blake2b_statebytes()` was added. + - New macros were added for the IETF variant of the ChaCha20-Poly1305 +construction. + - The library can now be compiled on Minix. + - HEASLR is now enabled on MinGW builds. + * Version 1.0.8 - Handle the case where the CPU supports AVX, but we are running on an hypervisor with AVX disabled/not supported. diff --git a/release/src/router/libsodium/LICENSE b/release/src/router/libsodium/LICENSE index 3edb000f65..a4d2968602 100644 --- a/release/src/router/libsodium/LICENSE +++ b/release/src/router/libsodium/LICENSE 
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2013-2015
+ * Copyright (c) 2013-2016
 * Frank Denis
 *
 * Permission to use, copy, modify, and/or distribute this software for any
diff --git a/release/src/router/libsodium/Makefile.am b/release/src/router/libsodium/Makefile.am
index ee794b076f..db2d2b3bcd 100644
--- a/release/src/router/libsodium/Makefile.am
+++ b/release/src/router/libsodium/Makefile.am
@@ -17,5 +17,6 @@ SUBDIRS = \ pkgconfigdir = $(libdir)/pkgconfig pkgconfig_DATA = @PACKAGE_NAME@.pc + DISTCLEANFILES = $(pkgconfig_DATA)
diff --git a/release/src/router/libsodium/Makefile.in b/release/src/router/libsodium/Makefile.in
index 30d4b5dc00..0f805f0793 100644
--- a/release/src/router/libsodium/Makefile.in
+++ b/release/src/router/libsodium/Makefile.in
@@ -93,6 +93,7 @@ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_check_define.m4 \ $(top_srcdir)/m4/ax_check_link_flag.m4 \ + $(top_srcdir)/m4/ax_valgrind_check.m4 \ $(top_srcdir)/m4/ld-output-def.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
@@ -264,6 +265,8 @@ CCASFLAGS = @CCASFLAGS@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CFLAGS_AESNI = @CFLAGS_AESNI@ +CFLAGS_AVX = @CFLAGS_AVX@ +CFLAGS_AVX2 = @CFLAGS_AVX2@ CFLAGS_MMX = @CFLAGS_MMX@ CFLAGS_PCLMUL = @CFLAGS_PCLMUL@ CFLAGS_SSE2 = @CFLAGS_SSE2@ 
@@ -336,6 +339,12 @@ SODIUM_LIBRARY_VERSION_MAJOR = @SODIUM_LIBRARY_VERSION_MAJOR@ SODIUM_LIBRARY_VERSION_MINOR = @SODIUM_LIBRARY_VERSION_MINOR@ STRIP = @STRIP@ TEST_LDFLAGS = @TEST_LDFLAGS@ +VALGRIND = @VALGRIND@ +VALGRIND_ENABLED = @VALGRIND_ENABLED@ +VALGRIND_HAVE_TOOL_drd = @VALGRIND_HAVE_TOOL_drd@ +VALGRIND_HAVE_TOOL_exp_sgcheck = @VALGRIND_HAVE_TOOL_exp_sgcheck@ +VALGRIND_HAVE_TOOL_helgrind = @VALGRIND_HAVE_TOOL_helgrind@ +VALGRIND_HAVE_TOOL_memcheck = @VALGRIND_HAVE_TOOL_memcheck@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/release/src/router/libsodium/README.markdown b/release/src/router/libsodium/README.markdown index 7159fb1066..a14e81d454 100644 --- a/release/src/router/libsodium/README.markdown +++ b/release/src/router/libsodium/README.markdown @@ -1,4 +1,5 @@ [![Build Status](https://travis-ci.org/jedisct1/libsodium.svg?branch=master)](https://travis-ci.org/jedisct1/libsodium?branch=master) +[![Windows build status](https://ci.appveyor.com/api/projects/status/fu8s2elx25il98hj?svg=true)](https://ci.appveyor.com/project/jedisct1/libsodium) [![Coverity Scan Build Status](https://scan.coverity.com/projects/2397/badge.svg)](https://scan.coverity.com/projects/2397) ![libsodium](https://raw.github.com/jedisct1/libsodium/master/logo.png) @@ -27,6 +28,12 @@ online, requires Javascript. * [offline documentation](https://www.gitbook.com/book/jedisct1/libsodium/details) in PDF, MOBI and ePUB formats. +## Integrity Checking + +The integrity checking instructions (including the signing key for libsodium) +are available in the [installation](https://download.libsodium.org/doc/installation/index.html#integrity-checking) +section of the documentation. + ## Community A mailing-list is available to discuss libsodium. diff --git a/release/src/router/libsodium/aclocal.m4 b/release/src/router/libsodium/aclocal.m4 index 21dfb18e95..6d43c09151 100644 --- a/release/src/router/libsodium/aclocal.m4 
+++ b/release/src/router/libsodium/aclocal.m4 @@ -1209,6 +1209,7 @@ AC_SUBST([am__untar]) m4_include([m4/ax_check_compile_flag.m4]) m4_include([m4/ax_check_define.m4]) m4_include([m4/ax_check_link_flag.m4]) +m4_include([m4/ax_valgrind_check.m4]) m4_include([m4/ld-output-def.m4]) m4_include([m4/libtool.m4]) m4_include([m4/ltoptions.m4]) diff --git a/release/src/router/libsodium/configure b/release/src/router/libsodium/configure index 9983747f9d..0a825b67f1 100755 --- a/release/src/router/libsodium/configure +++ b/release/src/router/libsodium/configure @@ -1,6 +1,6 @@ #! /bin/sh # Guess values for system-dependent variables and create Makefiles. -# Generated by GNU Autoconf 2.69 for libsodium 1.0.8. +# Generated by GNU Autoconf 2.69 for libsodium 1.0.10. # # Report bugs to . # @@ -590,8 +590,8 @@ MAKEFLAGS= # Identity of this package. PACKAGE_NAME='libsodium' PACKAGE_TARNAME='libsodium' -PACKAGE_VERSION='1.0.8' -PACKAGE_STRING='libsodium 1.0.8' +PACKAGE_VERSION='1.0.10' +PACKAGE_STRING='libsodium 1.0.10' PACKAGE_BUGREPORT='https://github.com/jedisct1/libsodium/issues' PACKAGE_URL='https://github.com/jedisct1/libsodium' @@ -657,6 +657,8 @@ HAVE_AMD64_ASM_FALSE HAVE_AMD64_ASM_TRUE CFLAGS_PCLMUL CFLAGS_AESNI +CFLAGS_AVX2 +CFLAGS_AVX CFLAGS_SSE41 CFLAGS_SSSE3 CFLAGS_SSE3 @@ -705,6 +707,15 @@ CPPFLAGS LDFLAGS CFLAGS CC +VALGRIND_CHECK_RULES +VALGRIND_HAVE_TOOL_exp_sgcheck +VALGRIND_HAVE_TOOL_drd +VALGRIND_HAVE_TOOL_helgrind +VALGRIND_HAVE_TOOL_memcheck +VALGRIND_ENABLED +VALGRIND_ENABLED_FALSE +VALGRIND_ENABLED_TRUE +VALGRIND SAFECODE_HOME MINIMAL_FALSE MINIMAL_TRUE @@ -807,6 +818,7 @@ enable_minimal with_safecode enable_debug enable_opt +enable_valgrind enable_soname_versions enable_shared enable_static 
@@ -1372,7 +1384,7 @@ if test "$ac_init_help" = "long"; then # Omit some internal or obsolete options to make the list less imposing. # This message is too long to be a string in the A/UX 3.1 sh. cat <<_ACEOF -\`configure' configures libsodium 1.0.8 to adapt to many kinds of systems. +\`configure' configures libsodium 1.0.10 to adapt to many kinds of systems. Usage: $0 [OPTION]... [VAR=VALUE]... @@ -1442,7 +1454,7 @@ fi if test -n "$ac_init_help"; then case $ac_init_help in - short | recursive ) echo "Configuration of libsodium 1.0.8:";; + short | recursive ) echo "Configuration of libsodium 1.0.10:";; esac cat <<\_ACEOF @@ -1470,6 +1482,8 @@ Optional Features: --enable-debug For maintainers only - please do not use --enable-opt Optimize for the native CPU - The resulting library will be faster but not portable + --enable-valgrind Whether to enable Valgrind on the unit tests + (requires GNU make) --enable-soname-versions enable soname versions (must be disabled for Android) (default: enabled) @@ -1577,7 +1591,7 @@ fi test -n "$ac_init_help" && exit $ac_status if $ac_init_version; then cat <<\_ACEOF -libsodium configure 1.0.8 +libsodium configure 1.0.10 generated by GNU Autoconf 2.69 Copyright (C) 2012 Free Software Foundation, Inc. @@ -1946,7 +1960,7 @@ cat >config.log <<_ACEOF This file contains any messages produced by compilers while running configure, to aid debugging if configure makes a mistake. -It was created by libsodium $as_me 1.0.8, which was +It was created by libsodium $as_me 1.0.10, which was generated by GNU Autoconf 2.69. Invocation command line was $ $0 $@ @@ -2882,7 +2896,7 @@ fi # Define the identity of the package. PACKAGE='libsodium' - VERSION='1.0.8' + VERSION='1.0.10' cat >>confdefs.h <<_ACEOF @@ -3178,9 +3192,9 @@ ISODATE=`date +%Y-%m-%d` SODIUM_LIBRARY_VERSION_MAJOR=9 -SODIUM_LIBRARY_VERSION_MINOR=1 +SODIUM_LIBRARY_VERSION_MINOR=2 DLL_VERSION=8 -SODIUM_LIBRARY_VERSION=18:1:0 +SODIUM_LIBRARY_VERSION=19:0:1 # | | | # +------+ | +---+ # | | | 
@@ -3363,8 +3377,8 @@ if test "${enable_opt+set}" = set; then : enableval=$enable_opt; if test "x$enableval" = "xyes"; then : - CFLAGS="$CFLAGS -march=native -save-temps" - LDFLAGS="$LDFLAGS -march=native" + CFLAGS="$CFLAGS -O3 -march=native" + LDFLAGS="$LDFLAGS -O3 -march=native" fi fi 
@@ -3373,6 +3387,276 @@ fi + # Check whether --enable-valgrind was given. +if test "${enable_valgrind+set}" = set; then : + enableval=$enable_valgrind; enable_valgrind=$enableval +else + enable_valgrind=no +fi + + + if test "$enable_valgrind" != "no"; then : + + # Check for Valgrind. + # Extract the first word of "valgrind", so it can be a program name with args. +set dummy valgrind; ac_word=$2 +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking for $ac_word" >&5 +$as_echo_n "checking for $ac_word... " >&6; } +if ${ac_cv_prog_VALGRIND+:} false; then : + $as_echo_n "(cached) " >&6 +else + if test -n "$VALGRIND"; then + ac_cv_prog_VALGRIND="$VALGRIND" # Let the user override the test. +else +as_save_IFS=$IFS; IFS=$PATH_SEPARATOR +for as_dir in $PATH +do + IFS=$as_save_IFS + test -z "$as_dir" && as_dir=. + for ac_exec_ext in '' $ac_executable_extensions; do + if as_fn_executable_p "$as_dir/$ac_word$ac_exec_ext"; then + ac_cv_prog_VALGRIND="valgrind" + $as_echo "$as_me:${as_lineno-$LINENO}: found $as_dir/$ac_word$ac_exec_ext" >&5 + break 2 + fi +done + done +IFS=$as_save_IFS + +fi +fi +VALGRIND=$ac_cv_prog_VALGRIND +if test -n "$VALGRIND"; then + { $as_echo "$as_me:${as_lineno-$LINENO}: result: $VALGRIND" >&5 +$as_echo "$VALGRIND" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi + + + if test "$VALGRIND" = ""; then : + + if test "$enable_valgrind" = "yes"; then : + + as_fn_error $? "Could not find valgrind; either install it or reconfigure with --disable-valgrind" "$LINENO" 5 + +else + + enable_valgrind=no + +fi + +else + + enable_valgrind=yes + +fi + +fi + + if test "$enable_valgrind" = "yes"; then + VALGRIND_ENABLED_TRUE= + VALGRIND_ENABLED_FALSE='#' +else + VALGRIND_ENABLED_TRUE='#' + VALGRIND_ENABLED_FALSE= +fi + + VALGRIND_ENABLED=$enable_valgrind + + + # Check for Valgrind tools we care about. 
+ + + if test "$VALGRIND" != ""; then : + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Valgrind tool memcheck" >&5 +$as_echo_n "checking for Valgrind tool memcheck... " >&6; } +if ${ax_cv_valgrind_tool_memcheck+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_cv_valgrind_tool_memcheck= + if `$VALGRIND --tool=memcheck --help >/dev/null 2>&1`; then : + + ax_cv_valgrind_tool_memcheck="memcheck" + +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_valgrind_tool_memcheck" >&5 +$as_echo "$ax_cv_valgrind_tool_memcheck" >&6; } + + VALGRIND_HAVE_TOOL_memcheck=$ax_cv_valgrind_tool_memcheck + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Valgrind tool helgrind" >&5 +$as_echo_n "checking for Valgrind tool helgrind... " >&6; } +if ${ax_cv_valgrind_tool_helgrind+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_cv_valgrind_tool_helgrind= + if `$VALGRIND --tool=helgrind --help >/dev/null 2>&1`; then : + + ax_cv_valgrind_tool_helgrind="helgrind" + +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_valgrind_tool_helgrind" >&5 +$as_echo "$ax_cv_valgrind_tool_helgrind" >&6; } + + VALGRIND_HAVE_TOOL_helgrind=$ax_cv_valgrind_tool_helgrind + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Valgrind tool drd" >&5 +$as_echo_n "checking for Valgrind tool drd... " >&6; } +if ${ax_cv_valgrind_tool_drd+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_cv_valgrind_tool_drd= + if `$VALGRIND --tool=drd --help >/dev/null 2>&1`; then : + + ax_cv_valgrind_tool_drd="drd" + +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_valgrind_tool_drd" >&5 +$as_echo "$ax_cv_valgrind_tool_drd" >&6; } + + VALGRIND_HAVE_TOOL_drd=$ax_cv_valgrind_tool_drd + + + + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for Valgrind tool exp-sgcheck" >&5 +$as_echo_n "checking for Valgrind tool exp-sgcheck... 
" >&6; } +if ${ax_cv_valgrind_tool_exp_sgcheck+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_cv_valgrind_tool_exp_sgcheck= + if `$VALGRIND --tool=exp-sgcheck --help >/dev/null 2>&1`; then : + + ax_cv_valgrind_tool_exp_sgcheck="exp-sgcheck" + +fi + +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_valgrind_tool_exp_sgcheck" >&5 +$as_echo "$ax_cv_valgrind_tool_exp_sgcheck" >&6; } + + VALGRIND_HAVE_TOOL_exp_sgcheck=$ax_cv_valgrind_tool_exp_sgcheck + + + +fi + +VALGRIND_CHECK_RULES=' +# Valgrind check +# +# Optional: +# - VALGRIND_SUPPRESSIONS_FILES: Space-separated list of Valgrind suppressions +# files to load. (Default: empty) +# - VALGRIND_FLAGS: General flags to pass to all Valgrind tools. +# (Default: --num-callers=30) +# - VALGRIND_$toolname_FLAGS: Flags to pass to Valgrind $toolname (one of: +# memcheck, helgrind, drd, sgcheck). (Default: various) + +# Optional variables +VALGRIND_SUPPRESSIONS ?= $(addprefix --suppressions=,$(VALGRIND_SUPPRESSIONS_FILES)) +VALGRIND_FLAGS ?= --num-callers=30 +VALGRIND_memcheck_FLAGS ?= --leak-check=full --show-reachable=no +VALGRIND_helgrind_FLAGS ?= --history-level=approx +VALGRIND_drd_FLAGS ?= +VALGRIND_sgcheck_FLAGS ?= + +# Internal use +valgrind_tools = memcheck helgrind drd sgcheck +valgrind_log_files = $(addprefix test-suite-,$(addsuffix .log,$(valgrind_tools))) + +valgrind_memcheck_flags = --tool=memcheck $(VALGRIND_memcheck_FLAGS) +valgrind_helgrind_flags = --tool=helgrind $(VALGRIND_helgrind_FLAGS) +valgrind_drd_flags = --tool=drd $(VALGRIND_drd_FLAGS) +valgrind_sgcheck_flags = --tool=exp-sgcheck $(VALGRIND_sgcheck_FLAGS) + +valgrind_quiet = $(valgrind_quiet_$(V)) +valgrind_quiet_ = $(valgrind_quiet_$(AM_DEFAULT_VERBOSITY)) +valgrind_quiet_0 = --quiet + +# Support running with and without libtool. 
+ifneq ($(LIBTOOL),) +valgrind_lt = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=execute +else +valgrind_lt = +endif + +# Use recursive makes in order to ignore errors during check +check-valgrind: +ifeq ($(VALGRIND_ENABLED),yes) + -$(foreach tool,$(valgrind_tools), \ + $(if $(VALGRIND_HAVE_TOOL_$(tool))$(VALGRIND_HAVE_TOOL_exp_$(tool)), \ + $(MAKE) $(AM_MAKEFLAGS) -k check-valgrind-tool VALGRIND_TOOL=$(tool); \ + ) \ + ) +else + @echo "Need to reconfigure with --enable-valgrind" +endif + +# Valgrind running +VALGRIND_TESTS_ENVIRONMENT = \ + $(TESTS_ENVIRONMENT) \ + env VALGRIND=$(VALGRIND) \ + G_SLICE=always-malloc,debug-blocks \ + G_DEBUG=fatal-warnings,fatal-criticals,gc-friendly + +VALGRIND_LOG_COMPILER = \ + $(valgrind_lt) \ + $(VALGRIND) $(VALGRIND_SUPPRESSIONS) --error-exitcode=1 $(VALGRIND_FLAGS) + +check-valgrind-tool: +ifeq ($(VALGRIND_ENABLED),yes) + $(MAKE) check-TESTS \ + TESTS_ENVIRONMENT="$(VALGRIND_TESTS_ENVIRONMENT)" \ + LOG_COMPILER="$(VALGRIND_LOG_COMPILER)" \ + LOG_FLAGS="$(valgrind_$(VALGRIND_TOOL)_flags)" \ + TEST_SUITE_LOG=test-suite-$(VALGRIND_TOOL).log +else + @echo "Need to reconfigure with --enable-valgrind" +endif + +A''M_DISTCHECK_CONFIGURE_FLAGS ?= +A''M_DISTCHECK_CONFIGURE_FLAGS += --disable-valgrind + +MOSTLYCLEANFILES ?= +MOSTLYCLEANFILES += $(valgrind_log_files) + +.PHONY: check-valgrind check-valgrind-tool +' + + if test "$enable_valgrind" != "yes"; then : + +VALGRIND_CHECK_RULES=' +check-valgrind: + @echo "Need to use GNU make and reconfigure with --enable-valgrind"' + +fi + + + + + DEPDIR="${am__leading_dot}deps" ac_config_commands="$ac_config_commands depfiles" 
@@ -5611,6 +5895,70 @@ fi fi +if test "$GCC" = "yes" ; then : + + case $host_cpu in #( + i?86|amd64|x86_64) : + + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#if !defined(__clang__) && defined(__GNUC__) && ((__GNUC__ << 8) | __GNUC_MINOR__) < 0x403 +# error old gcc +#endif +int main(void) { return 0; } + +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + +else + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -flax-vector-conversions" >&5 +$as_echo_n "checking whether C compiler accepts -flax-vector-conversions... " >&6; } +if ${ax_cv_check_cflags___flax_vector_conversions+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -flax-vector-conversions" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +char x[42U], fodder = 0;if (fodder > -1000 && fgets(x,1000,stdin)) puts(x) + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___flax_vector_conversions=yes +else + ax_cv_check_cflags___flax_vector_conversions=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___flax_vector_conversions" >&5 +$as_echo "$ax_cv_check_cflags___flax_vector_conversions" >&6; } +if test "x$ax_cv_check_cflags___flax_vector_conversions" = xyes; then : + CFLAGS="$CFLAGS -flax-vector-conversions" +else + : +fi + + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + + ;; #( + *) : + ;; +esac + +fi + LIBTOOL_OLD_FLAGS="$LIBTOOL_EXTRA_FLAGS" LIBTOOL_EXTRA_FLAGS="$LIBTOOL_EXTRA_FLAGS -version-info $SODIUM_LIBRARY_VERSION" # Check whether --enable-soname-versions was given. 
@@ -5665,6 +6013,42 @@ else : fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--high-entropy-va" >&5 +$as_echo_n "checking whether the linker accepts -Wl,--high-entropy-va... " >&6; } +if ${ax_cv_check_ldflags___Wl___high_entropy_va+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$LDFLAGS + LDFLAGS="$LDFLAGS -Wl,--high-entropy-va" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +char x[42U];if (fgets(x,1000,stdin)) puts(x) + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + ax_cv_check_ldflags___Wl___high_entropy_va=yes +else + ax_cv_check_ldflags___Wl___high_entropy_va=no +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + LDFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_ldflags___Wl___high_entropy_va" >&5 +$as_echo "$ax_cv_check_ldflags___Wl___high_entropy_va" >&6; } +if test "x$ax_cv_check_ldflags___Wl___high_entropy_va" = xyes; then : + LDFLAGS="$LDFLAGS -Wl,--high-entropy-va" +else + : +fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether the linker accepts -Wl,--nxcompat" >&5 $as_echo_n "checking whether the linker accepts -Wl,--nxcompat... " >&6; } if ${ax_cv_check_ldflags___Wl___nxcompat+:} false; then : 
@@ -5794,41 +6178,6 @@ esac fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Winit-self" >&5 -$as_echo_n "checking whether C compiler accepts -Winit-self... " >&6; } -if ${ax_cv_check_cflags___Winit_self+:} false; then : - $as_echo_n "(cached) " >&6 -else - - ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS -Winit-self" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -char x[42U], fodder = 0;if (fodder > -1000 && fgets(x,1000,stdin)) puts(x) - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - ax_cv_check_cflags___Winit_self=yes -else - ax_cv_check_cflags___Winit_self=no -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - CFLAGS=$ax_check_save_flags -fi -{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___Winit_self" >&5 -$as_echo "$ax_cv_check_cflags___Winit_self" >&6; } -if test "x$ax_cv_check_cflags___Winit_self" = xyes; then : - CFLAGS="$CFLAGS -Winit-self" -else - : -fi - { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -Wwrite-strings" >&5 $as_echo_n "checking whether C compiler accepts -Wwrite-strings... " >&6; } if ${ax_cv_check_cflags___Wwrite_strings+:} false; then : 
@@ -6188,15 +6537,15 @@ else : fi -as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$CWFLAGS -Wchar-subscripts" | $as_tr_sh` -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $CWFLAGS -Wchar-subscripts" >&5 -$as_echo_n "checking whether C compiler accepts $CWFLAGS -Wchar-subscripts... " >&6; } +as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$CWFLAGS -Wduplicated-cond" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $CWFLAGS -Wduplicated-cond" >&5 +$as_echo_n "checking whether C compiler accepts $CWFLAGS -Wduplicated-cond... " >&6; } if eval \${$as_CACHEVAR+:} false; then : $as_echo_n "(cached) " >&6 else ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS $CWFLAGS -Wchar-subscripts" + CFLAGS="$CFLAGS $CWFLAGS -Wduplicated-cond" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include 
@@ -6220,44 +6569,7 @@ eval ac_res=\$$as_CACHEVAR { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } if eval test \"x\$"$as_CACHEVAR"\" = x"yes"; then : - CWFLAGS="$CWFLAGS -Wchar-subscripts" -else - : -fi - -as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$CWFLAGS -Wcomment" | $as_tr_sh` -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $CWFLAGS -Wcomment" >&5 -$as_echo_n "checking whether C compiler accepts $CWFLAGS -Wcomment... " >&6; } -if eval \${$as_CACHEVAR+:} false; then : - $as_echo_n "(cached) " >&6 -else - - ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS $CWFLAGS -Wcomment" - cat confdefs.h - <<_ACEOF >conftest.$ac_ext -/* end confdefs.h. */ -#include -int -main () -{ -char x[42U], fodder = 0;if (fodder > -1000 && fgets(x,1000,stdin)) puts(x) - ; - return 0; -} -_ACEOF -if ac_fn_c_try_compile "$LINENO"; then : - eval "$as_CACHEVAR=yes" -else - eval "$as_CACHEVAR=no" -fi -rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext - CFLAGS=$ax_check_save_flags -fi -eval ac_res=\$$as_CACHEVAR - { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 -$as_echo "$ac_res" >&6; } -if eval test \"x\$"$as_CACHEVAR"\" = x"yes"; then : - CWFLAGS="$CWFLAGS -Wcomment" + CWFLAGS="$CWFLAGS -Wduplicated-cond" else : fi 
@@ -6336,15 +6648,15 @@ else : fi -as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$CWFLAGS -Wimplicit" | $as_tr_sh` -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $CWFLAGS -Wimplicit" >&5 -$as_echo_n "checking whether C compiler accepts $CWFLAGS -Wimplicit... " >&6; } +as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$CWFLAGS -Wmissing-declarations" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $CWFLAGS -Wmissing-declarations" >&5 +$as_echo_n "checking whether C compiler accepts $CWFLAGS -Wmissing-declarations... " >&6; } if eval \${$as_CACHEVAR+:} false; then : $as_echo_n "(cached) " >&6 else ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS $CWFLAGS -Wimplicit" + CFLAGS="$CFLAGS $CWFLAGS -Wmissing-declarations" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include 
@@ -6368,20 +6680,20 @@ eval ac_res=\$$as_CACHEVAR { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } if eval test \"x\$"$as_CACHEVAR"\" = x"yes"; then : - CWFLAGS="$CWFLAGS -Wimplicit" + CWFLAGS="$CWFLAGS -Wmissing-declarations" else : fi -as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$CWFLAGS -Wmissing-declarations" | $as_tr_sh` -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $CWFLAGS -Wmissing-declarations" >&5 -$as_echo_n "checking whether C compiler accepts $CWFLAGS -Wmissing-declarations... " >&6; } +as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$CWFLAGS -Wmissing-prototypes" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $CWFLAGS -Wmissing-prototypes" >&5 +$as_echo_n "checking whether C compiler accepts $CWFLAGS -Wmissing-prototypes... " >&6; } if eval \${$as_CACHEVAR+:} false; then : $as_echo_n "(cached) " >&6 else ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS $CWFLAGS -Wmissing-declarations" + CFLAGS="$CFLAGS $CWFLAGS -Wmissing-prototypes" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include 
@@ -6405,20 +6717,20 @@ eval ac_res=\$$as_CACHEVAR { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } if eval test \"x\$"$as_CACHEVAR"\" = x"yes"; then : - CWFLAGS="$CWFLAGS -Wmissing-declarations" + CWFLAGS="$CWFLAGS -Wmissing-prototypes" else : fi -as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$CWFLAGS -Wmissing-prototypes" | $as_tr_sh` -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $CWFLAGS -Wmissing-prototypes" >&5 -$as_echo_n "checking whether C compiler accepts $CWFLAGS -Wmissing-prototypes... " >&6; } +as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$CWFLAGS -Wnested-externs" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $CWFLAGS -Wnested-externs" >&5 +$as_echo_n "checking whether C compiler accepts $CWFLAGS -Wnested-externs... " >&6; } if eval \${$as_CACHEVAR+:} false; then : $as_echo_n "(cached) " >&6 else ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS $CWFLAGS -Wmissing-prototypes" + CFLAGS="$CFLAGS $CWFLAGS -Wnested-externs" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include 
@@ -6442,20 +6754,20 @@ eval ac_res=\$$as_CACHEVAR { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } if eval test \"x\$"$as_CACHEVAR"\" = x"yes"; then : - CWFLAGS="$CWFLAGS -Wmissing-prototypes" + CWFLAGS="$CWFLAGS -Wnested-externs" else : fi -as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$CWFLAGS -Wnormalized=id" | $as_tr_sh` -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $CWFLAGS -Wnormalized=id" >&5 -$as_echo_n "checking whether C compiler accepts $CWFLAGS -Wnormalized=id... " >&6; } +as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$CWFLAGS -Wno-unknown-pragmas" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $CWFLAGS -Wno-unknown-pragmas" >&5 +$as_echo_n "checking whether C compiler accepts $CWFLAGS -Wno-unknown-pragmas... " >&6; } if eval \${$as_CACHEVAR+:} false; then : $as_echo_n "(cached) " >&6 else ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS $CWFLAGS -Wnormalized=id" + CFLAGS="$CFLAGS $CWFLAGS -Wno-unknown-pragmas" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include 
@@ -6479,20 +6791,20 @@ eval ac_res=\$$as_CACHEVAR { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } if eval test \"x\$"$as_CACHEVAR"\" = x"yes"; then : - CWFLAGS="$CWFLAGS -Wnormalized=id" + CWFLAGS="$CWFLAGS -Wno-unknown-pragmas" else : fi -as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$CWFLAGS -Woverride-init" | $as_tr_sh` -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $CWFLAGS -Woverride-init" >&5 -$as_echo_n "checking whether C compiler accepts $CWFLAGS -Woverride-init... " >&6; } +as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$CWFLAGS -Wnormalized=id" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $CWFLAGS -Wnormalized=id" >&5 +$as_echo_n "checking whether C compiler accepts $CWFLAGS -Wnormalized=id... " >&6; } if eval \${$as_CACHEVAR+:} false; then : $as_echo_n "(cached) " >&6 else ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS $CWFLAGS -Woverride-init" + CFLAGS="$CFLAGS $CWFLAGS -Wnormalized=id" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include 
@@ -6516,20 +6828,20 @@ eval ac_res=\$$as_CACHEVAR { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } if eval test \"x\$"$as_CACHEVAR"\" = x"yes"; then : - CWFLAGS="$CWFLAGS -Woverride-init" + CWFLAGS="$CWFLAGS -Wnormalized=id" else : fi -as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$CWFLAGS -Wparentheses" | $as_tr_sh` -{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $CWFLAGS -Wparentheses" >&5 -$as_echo_n "checking whether C compiler accepts $CWFLAGS -Wparentheses... " >&6; } +as_CACHEVAR=`$as_echo "ax_cv_check_cflags__$CWFLAGS -Wnull-dereference" | $as_tr_sh` +{ $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts $CWFLAGS -Wnull-dereference" >&5 +$as_echo_n "checking whether C compiler accepts $CWFLAGS -Wnull-dereference... " >&6; } if eval \${$as_CACHEVAR+:} false; then : $as_echo_n "(cached) " >&6 else ax_check_save_flags=$CFLAGS - CFLAGS="$CFLAGS $CWFLAGS -Wparentheses" + CFLAGS="$CFLAGS $CWFLAGS -Wnull-dereference" cat confdefs.h - <<_ACEOF >conftest.$ac_ext /* end confdefs.h. */ #include @@ -6553,7 +6865,7 @@ eval ac_res=\$$as_CACHEVAR { $as_echo "$as_me:${as_lineno-$LINENO}: result: $ac_res" >&5 $as_echo "$ac_res" >&6; } if eval test \"x\$"$as_CACHEVAR"\" = x"yes"; then : - CWFLAGS="$CWFLAGS -Wparentheses" + CWFLAGS="$CWFLAGS -Wnull-dereference" else : fi @@ -14704,6 +15016,7 @@ int main () { __m128d x = _mm_setzero_pd(); + __m128i y = _mm_srli_epi64(_mm_setzero_si128(), 26); ; return 0; } 
@@ -15158,6 +15471,134 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext CFLAGS="$oldcflags" oldcflags="$CFLAGS" + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mavx2" >&5 +$as_echo_n "checking whether C compiler accepts -mavx2... " >&6; } +if ${ax_cv_check_cflags___mavx2+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -mavx2" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ +#include +int +main () +{ +char x[42U], fodder = 0;if (fodder > -1000 && fgets(x,1000,stdin)) puts(x) + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___mavx2=yes +else + ax_cv_check_cflags___mavx2=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mavx2" >&5 +$as_echo "$ax_cv_check_cflags___mavx2" >&6; } +if test "x$ax_cv_check_cflags___mavx2" = xyes; then : + CFLAGS="$CFLAGS -mavx2" +else + : +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking for AVX2 instructions set" >&5 +$as_echo_n "checking for AVX2 instructions set... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#pragma GCC target("avx2") +#include + +int +main () +{ + __m256i x = _mm256_abs_epi8(_mm256_setzero_si256()); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + +$as_echo "#define HAVE_AVX2INTRIN_H 1" >>confdefs.h + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -mavx2" >&5 +$as_echo_n "checking whether C compiler accepts -mavx2... " >&6; } +if ${ax_cv_check_cflags___mavx2+:} false; then : + $as_echo_n "(cached) " >&6 +else + + ax_check_save_flags=$CFLAGS + CFLAGS="$CFLAGS -mavx2" + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ +#include +int +main () +{ +char x[42U], fodder = 0;if (fodder > -1000 && fgets(x,1000,stdin)) puts(x) + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + ax_cv_check_cflags___mavx2=yes +else + ax_cv_check_cflags___mavx2=no +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS=$ax_check_save_flags +fi +{ $as_echo "$as_me:${as_lineno-$LINENO}: result: $ax_cv_check_cflags___mavx2" >&5 +$as_echo "$ax_cv_check_cflags___mavx2" >&6; } +if test "x$ax_cv_check_cflags___mavx2" = xyes; then : + CFLAGS_AVX="-mavx2" +else + : +fi + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if _mm256_broadcastsi128_si256 is correctly defined" >&5 +$as_echo_n "checking if _mm256_broadcastsi128_si256 is correctly defined... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +#pragma GCC target("avx2") +#include + +int +main () +{ + __m256i y = _mm256_broadcastsi128_si256(_mm_setzero_si128()); + ; + return 0; +} +_ACEOF +if ac_fn_c_try_compile "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } + +$as_echo "#define _mm256_broadcastsi128_si256 _mm_broadcastsi128_si256" >>confdefs.h + +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext + CFLAGS="$oldcflags" + + oldcflags="$CFLAGS" { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether C compiler accepts -maes" >&5 $as_echo_n "checking whether C compiler accepts -maes... " >&6; } if ${ax_cv_check_cflags___maes+:} false; then : @@ -15341,6 +15782,8 @@ fi + + for ac_header in sys/mman.h do : ac_fn_c_check_header_mongrel "$LINENO" "sys/mman.h" "ac_cv_header_sys_mman_h" "$ac_includes_default" 
@@ -15397,6 +15840,13 @@ _ACEOF ;; esac +case $host_cpu in #( + i?86|amd64|x86_64) : + ac_cv_c_bigendian=no + ;; #( + *) : + ;; +esac { $as_echo "$as_me:${as_lineno-$LINENO}: checking whether byte ordering is bigendian" >&5 $as_echo_n "checking whether byte ordering is bigendian... " >&6; } if ${ac_cv_c_bigendian+:} false; then : @@ -15615,11 +16065,11 @@ $as_echo "#define NATIVE_BIG_ENDIAN 1" >>confdefs.h $as_echo "#define NATIVE_LITTLE_ENDIAN 1" >>confdefs.h ;; #( universal) - as_fn_error $? "universal endianess is not supported - compile separately and use lipo(1)" "$LINENO" 5 + as_fn_error $? "universal endianness is not supported - compile separately and use lipo(1)" "$LINENO" 5 ;; #( *) - as_fn_error $? "unknown endianess" "$LINENO" 5 ;; + as_fn_error $? "unknown endianness" "$LINENO" 5 ;; esac 
@@ -15861,6 +16311,94 @@ rm -f core conftest.err conftest.$ac_objext conftest.$ac_ext fi +asm_hide_symbol="unsupported" +if test "$enable_asm" != "no"; then : + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if the .private_extern asm directive is supported" >&5 +$as_echo_n "checking if the .private_extern asm directive is supported... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. */ + +int +main () +{ + +__asm__ __volatile__ (".private_extern dummy_symbol \n" + ".private_extern _dummy_symbol \n" + ".globl dummy_symbol \n" + ".globl _dummy_symbol \n" + "dummy_symbol: \n" + "_dummy_symbol: \n" + " nop \n" +); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + asm_hide_symbol=".private_extern" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if the .hidden asm directive is supported" >&5 +$as_echo_n "checking if the .hidden asm directive is supported... " >&6; } + cat confdefs.h - <<_ACEOF >conftest.$ac_ext +/* end confdefs.h. 
*/ + +int +main () +{ + +__asm__ __volatile__ (".hidden dummy_symbol \n" + ".hidden _dummy_symbol \n" + ".globl dummy_symbol \n" + ".globl _dummy_symbol \n" + "dummy_symbol: \n" + "_dummy_symbol: \n" + " nop \n" +); + + ; + return 0; +} +_ACEOF +if ac_fn_c_try_link "$LINENO"; then : + { $as_echo "$as_me:${as_lineno-$LINENO}: result: yes" >&5 +$as_echo "yes" >&6; } + if test "$asm_hide_symbol" = "unsupported"; then : + asm_hide_symbol=".hidden" +else + { $as_echo "$as_me:${as_lineno-$LINENO}: unable to reliably tag symbols as private" >&5 +$as_echo "$as_me: unable to reliably tag symbols as private" >&6;} + asm_hide_symbol="unsupported" +fi + +else + { $as_echo "$as_me:${as_lineno-$LINENO}: result: no" >&5 +$as_echo "no" >&6; } +fi +rm -f core conftest.err conftest.$ac_objext \ + conftest$ac_exeext conftest.$ac_ext + + if test "$asm_hide_symbol" != "unsupported"; then : + + +cat >>confdefs.h <<_ACEOF +#define ASM_HIDE_SYMBOL $asm_hide_symbol +_ACEOF + + +fi + +fi + { $as_echo "$as_me:${as_lineno-$LINENO}: checking if weak symbols are supported" >&5 $as_echo_n "checking if weak symbols are supported... " >&6; } cat confdefs.h - <<_ACEOF >conftest.$ac_ext @@ -15895,7 +16433,7 @@ rm -f core conftest.err conftest.$ac_objext \ $as_echo_n "checking if data alignment is required... " >&6; } aligned_access_required=yes case $host_cpu in #( - i*86 | x86_64 | powerpc* | s390*) : + i?86|amd64|x86_64|powerpc*|s390*) : aligned_access_required=no ;; #( arm*) : cat confdefs.h - <<_ACEOF >conftest.$ac_ext @@ -15980,7 +16518,7 @@ TEST_LDFLAGS='' if test "x$EMSCRIPTEN" != "x"; then : EXEEXT=.js - TEST_LDFLAGS='--memory-init-file 0 --pre-js pre.js.inc -s NO_BROWSER=1 -s RESERVED_FUNCTION_POINTERS=8' + TEST_LDFLAGS='--memory-init-file 0 --pre-js pre.js.inc -s RESERVED_FUNCTION_POINTERS=8' fi 
@@ -16524,6 +17062,10 @@ if test -z "${MINIMAL_TRUE}" && test -z "${MINIMAL_FALSE}"; then as_fn_error $? "conditional \"MINIMAL\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 fi +if test -z "${VALGRIND_ENABLED_TRUE}" && test -z "${VALGRIND_ENABLED_FALSE}"; then + as_fn_error $? "conditional \"VALGRIND_ENABLED\" was never defined. +Usually this means the macro was only invoked conditionally." "$LINENO" 5 +fi if test -z "${am__fastdepCC_TRUE}" && test -z "${am__fastdepCC_FALSE}"; then as_fn_error $? "conditional \"am__fastdepCC\" was never defined. Usually this means the macro was only invoked conditionally." "$LINENO" 5 @@ -16953,7 +17495,7 @@ cat >>$CONFIG_STATUS <<\_ACEOF || ac_write_fail=1 # report actual input values of CONFIG_FILES etc. instead of their # values after options handling. ac_log=" -This file was extended by libsodium $as_me 1.0.8, which was +This file was extended by libsodium $as_me 1.0.10, which was generated by GNU Autoconf 2.69. Invocation command line was CONFIG_FILES = $CONFIG_FILES @@ -17011,7 +17553,7 @@ _ACEOF cat >>$CONFIG_STATUS <<_ACEOF || ac_write_fail=1 ac_cs_config="`$as_echo "$ac_configure_args" | sed 's/^ //; s/[\\""\`\$]/\\\\&/g'`" ac_cs_version="\\ -libsodium config.status 1.0.8 +libsodium config.status 1.0.10 configured by $0, generated by GNU Autoconf 2.69, with options \\"\$ac_cs_config\\" diff --git a/release/src/router/libsodium/configure.ac b/release/src/router/libsodium/configure.ac index 18533c907e..9c6ab047e4 100644 --- a/release/src/router/libsodium/configure.ac +++ b/release/src/router/libsodium/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.65]) -AC_INIT([libsodium],[1.0.8], +AC_INIT([libsodium],[1.0.10], [https://github.com/jedisct1/libsodium/issues], [libsodium], [https://github.com/jedisct1/libsodium]) 
@@ -17,9 +17,9 @@ ISODATE=`date +%Y-%m-%d` AC_SUBST(ISODATE) SODIUM_LIBRARY_VERSION_MAJOR=9 -SODIUM_LIBRARY_VERSION_MINOR=1 +SODIUM_LIBRARY_VERSION_MINOR=2 DLL_VERSION=8 -SODIUM_LIBRARY_VERSION=18:1:0 +SODIUM_LIBRARY_VERSION=19:0:1 # | | | # +------+ | +---+ # | | | @@ -139,12 +139,14 @@ AC_ARG_ENABLE(opt, [AS_HELP_STRING(--enable-opt,Optimize for the native CPU - The resulting library will be faster but not portable)], [ AS_IF([test "x$enableval" = "xyes"], [ - CFLAGS="$CFLAGS -march=native -save-temps" - LDFLAGS="$LDFLAGS -march=native"]) + CFLAGS="$CFLAGS -O3 -march=native" + LDFLAGS="$LDFLAGS -O3 -march=native"]) ]) AC_SUBST([MAINT]) +AX_VALGRIND_CHECK + dnl Checks AC_PROG_CC_C99 @@ -184,6 +186,22 @@ AX_CHECK_COMPILE_FLAG([-fno-strict-overflow], [CFLAGS="$CFLAGS -fno-strict-overf AX_CHECK_COMPILE_FLAG([-fwrapv], [CFLAGS="$CFLAGS -fwrapv"]) ]) +AS_IF([test "$GCC" = "yes" ], [ + AS_CASE([$host_cpu], + [i?86|amd64|x86_64], [ + AC_COMPILE_IFELSE( + [AC_LANG_SOURCE([ +#if !defined(__clang__) && defined(__GNUC__) && ((__GNUC__ << 8) | __GNUC_MINOR__) < 0x403 +# error old gcc +#endif +int main(void) { return 0; } + ])],,[ + AX_CHECK_COMPILE_FLAG([-flax-vector-conversions], [CFLAGS="$CFLAGS -flax-vector-conversions"]) + ]) + ] + ) + ]) + LIBTOOL_OLD_FLAGS="$LIBTOOL_EXTRA_FLAGS" LIBTOOL_EXTRA_FLAGS="$LIBTOOL_EXTRA_FLAGS -version-info $SODIUM_LIBRARY_VERSION" AC_ARG_ENABLE(soname-versions, @@ -198,6 +216,7 @@ AC_ARG_ENABLE(soname-versions, AS_CASE([$host_os], [cygwin*|mingw*|msys|pw32*|cegcc*], [ AX_CHECK_LINK_FLAG([-Wl,--dynamicbase], [LDFLAGS="$LDFLAGS -Wl,--dynamicbase"]) + AX_CHECK_LINK_FLAG([-Wl,--high-entropy-va], [LDFLAGS="$LDFLAGS -Wl,--high-entropy-va"]) AX_CHECK_LINK_FLAG([-Wl,--nxcompat], [LDFLAGS="$LDFLAGS -Wl,--nxcompat"]) ]) 
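Review bot: `-O3` is appended after `$CFLAGS`, and since the last `-O` option wins in GCC and clang, `--enable-opt` now silently replaces whatever optimization level the caller passed in `CFLAGS` — in this tree presumably the router build's own flags, which I can't see from here. If that override is intended, say so in the `AS_HELP_STRING` text; otherwise put the project flags first so the caller keeps the final word: `CFLAGS="-O3 -march=native $CFLAGS"` and `LDFLAGS="-O3 -march=native $LDFLAGS"`. Dropping `-save-temps` is a good change since it left preprocessed `.i`/`.s` files in the build tree, but `-march=native` in a cross-compiled firmware tree still tunes for the build host rather than the target, which deserves a one-line `dnl` note next to the option.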
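Review bot: `-flax-vector-conversions` goes into the global `CFLAGS`, so it relaxes vector type checking for every translation unit rather than only the SSE/AVX units that need it on GCC older than 4.3, and the fallback branch also fires on any compile failure of the probe, not just the `#error old gcc` case. I'd scope it to the per-unit flag variables the SIMD units are built with (`CFLAGS_SSE2` and friends, assigned outside this hunk, so the append would have to come after them) or, if a global relaxation is deliberate, record why: `dnl gcc < 4.3 rejects the implicit __m128i conversions in the SIMD units; relaxed globally because they share CFLAGS`. The version test itself is fine, but `0x403` encodes 4.3 as `(major << 8) | minor` and is worth spelling out in a comment.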
@@ -214,7 +233,6 @@ AS_CASE([$host_os], ]) ]) -AX_CHECK_COMPILE_FLAG([-Winit-self], [CFLAGS="$CFLAGS -Winit-self"]) AX_CHECK_COMPILE_FLAG([-Wwrite-strings], [CFLAGS="$CFLAGS -Wwrite-strings"]) AX_CHECK_COMPILE_FLAG([-Wdiv-by-zero], [CFLAGS="$CFLAGS -Wdiv-by-zero"]) AX_CHECK_COMPILE_FLAG([-Wsometimes-uninitialized], [CFLAGS="$CFLAGS -Wsometimes-uninitialized"]) 
@@ -240,16 +258,15 @@ be sad AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wbad-function-cast], [CWFLAGS="$CWFLAGS -Wbad-function-cast"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wcast-align], [CWFLAGS="$CWFLAGS -Wcast-align"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wcast-qual], [CWFLAGS="$CWFLAGS -Wcast-qual"]) -AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wchar-subscripts], [CWFLAGS="$CWFLAGS -Wchar-subscripts"]) -AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wcomment], [CWFLAGS="$CWFLAGS -Wcomment"]) +AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wduplicated-cond], [CWFLAGS="$CWFLAGS -Wduplicated-cond"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wfloat-equal], [CWFLAGS="$CWFLAGS -Wfloat-equal"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wformat=2], [CWFLAGS="$CWFLAGS -Wformat=2"]) -AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wimplicit], [CWFLAGS="$CWFLAGS -Wimplicit"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wmissing-declarations], [CWFLAGS="$CWFLAGS -Wmissing-declarations"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wmissing-prototypes], [CWFLAGS="$CWFLAGS -Wmissing-prototypes"]) +AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wnested-externs], [CWFLAGS="$CWFLAGS -Wnested-externs"]) +AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wno-unknown-pragmas], [CWFLAGS="$CWFLAGS -Wno-unknown-pragmas"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wnormalized=id], [CWFLAGS="$CWFLAGS -Wnormalized=id"]) -AX_CHECK_COMPILE_FLAG([$CWFLAGS -Woverride-init], [CWFLAGS="$CWFLAGS -Woverride-init"]) -AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wparentheses], [CWFLAGS="$CWFLAGS -Wparentheses"]) +AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wnull-dereference], [CWFLAGS="$CWFLAGS -Wnull-dereference"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wpointer-arith], [CWFLAGS="$CWFLAGS -Wpointer-arith"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wredundant-decls], [CWFLAGS="$CWFLAGS -Wredundant-decls"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wstrict-prototypes], [CWFLAGS="$CWFLAGS -Wstrict-prototypes"]) 
@@ -292,7 +309,8 @@ AS_IF([test "x$EMSCRIPTEN" = "x"],[ # define __SSE2__ #endif #include -]], [[ __m128d x = _mm_setzero_pd(); ]])], +]], [[ __m128d x = _mm_setzero_pd(); + __m128i y = _mm_srli_epi64(_mm_setzero_si128(), 26); ]])], [AC_MSG_RESULT(yes) AC_DEFINE([HAVE_EMMINTRIN_H], [1], [sse2 is available]) AX_CHECK_COMPILE_FLAG([-msse2], [CFLAGS_SSE2="-msse2"])], @@ -353,6 +371,29 @@ AS_IF([test "x$EMSCRIPTEN" = "x"],[ CFLAGS="$oldcflags" oldcflags="$CFLAGS" + AX_CHECK_COMPILE_FLAG([-mavx2], [CFLAGS="$CFLAGS -mavx2"]) + AC_MSG_CHECKING(for AVX2 instructions set) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#pragma GCC target("avx2") +#include +]], [[ __m256i x = _mm256_abs_epi8(_mm256_setzero_si256()); ]])], + [AC_MSG_RESULT(yes) + AC_DEFINE([HAVE_AVX2INTRIN_H], [1], [AVX2 is available]) + AX_CHECK_COMPILE_FLAG([-mavx2], [CFLAGS_AVX="-mavx2"]) + AC_MSG_CHECKING(if _mm256_broadcastsi128_si256 is correctly defined) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#pragma GCC target("avx2") +#include + ]], [[ __m256i y = _mm256_broadcastsi128_si256(_mm_setzero_si128()); ]])], + [AC_MSG_RESULT(yes)], + [AC_MSG_RESULT(no) + AC_DEFINE([_mm256_broadcastsi128_si256], [_mm_broadcastsi128_si256], + [Define to the local name of _mm256_broadcastsi128_si256])]) + ], + [AC_MSG_RESULT(no)]) + CFLAGS="$oldcflags" + + oldcflags="$CFLAGS" AX_CHECK_COMPILE_FLAG([-maes], [CFLAGS="$CFLAGS -maes"]) AX_CHECK_COMPILE_FLAG([-mpclmul], [CFLAGS="$CFLAGS -mpclmul"]) AC_MSG_CHECKING(for AESNI instructions set and PCLMULQDQ) @@ -377,6 +418,8 @@ AC_SUBST(CFLAGS_SSE2) AC_SUBST(CFLAGS_SSE3) AC_SUBST(CFLAGS_SSSE3) AC_SUBST(CFLAGS_SSE41) +AC_SUBST(CFLAGS_AVX) +AC_SUBST(CFLAGS_AVX2) AC_SUBST(CFLAGS_AESNI) AC_SUBST(CFLAGS_PCLMUL) 
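Review bot: `CFLAGS_AVX2` is exported with the new `AC_SUBST(CFLAGS_AVX2)` but nothing in the AVX2 block assigns it — the successful `-mavx2` probe stores the flag in `CFLAGS_AVX` instead, so `@CFLAGS_AVX2@` substitutes to an empty string unless a hunk I can't see sets it. Any Makefile.am rule that compiles the AVX2 units with `$(CFLAGS_AVX2)` then gets no `-mavx2` and the build depends entirely on `#pragma GCC target("avx2")` being honored; the one-line fix is `AX_CHECK_COMPILE_FLAG([-mavx2], [CFLAGS_AVX2="-mavx2"])`. It is also worth a comment that `HAVE_AVX2INTRIN_H` only proves the compiler can emit AVX2; calls into those units must still be gated on a runtime CPUID check, which this hunk does not show.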
@@ -385,11 +428,15 @@ AC_CHECK_HEADERS([sys/mman.h]) dnl Checks for typedefs, structures, and compiler characteristics. AC_C_INLINE +AS_CASE([$host_cpu], + [i?86|amd64|x86_64], + [ac_cv_c_bigendian=no] +) AC_C_BIGENDIAN( AC_DEFINE(NATIVE_BIG_ENDIAN, 1, [machine is bigendian]), AC_DEFINE(NATIVE_LITTLE_ENDIAN, 1, [machine is littleendian]), - AC_MSG_ERROR([unknown endianess]), - AC_MSG_ERROR([universal endianess is not supported - compile separately and use lipo(1)]) + AC_MSG_ERROR([unknown endianness]), + AC_MSG_ERROR([universal endianness is not supported - compile separately and use lipo(1)]) ) AC_MSG_CHECKING(whether __STDC_LIMIT_MACROS is required) 
@@ -510,6 +557,47 @@ __asm__ __volatile__ ("xchgl %%ebx, %k1; cpuid; xchgl %%ebx, %k1" : ]) AC_SUBST(HAVE_CPUID_V) +asm_hide_symbol="unsupported" +AS_IF([test "$enable_asm" != "no"],[ + AC_MSG_CHECKING(if the .private_extern asm directive is supported) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ ]], [[ +__asm__ __volatile__ (".private_extern dummy_symbol \n" + ".private_extern _dummy_symbol \n" + ".globl dummy_symbol \n" + ".globl _dummy_symbol \n" + "dummy_symbol: \n" + "_dummy_symbol: \n" + " nop \n" +); + ]])], + [AC_MSG_RESULT(yes) + asm_hide_symbol=".private_extern"], + [AC_MSG_RESULT(no)]) + + AC_MSG_CHECKING(if the .hidden asm directive is supported) + AC_LINK_IFELSE([AC_LANG_PROGRAM([[ ]], [[ +__asm__ __volatile__ (".hidden dummy_symbol \n" + ".hidden _dummy_symbol \n" + ".globl dummy_symbol \n" + ".globl _dummy_symbol \n" + "dummy_symbol: \n" + "_dummy_symbol: \n" + " nop \n" +); + ]])], + [AC_MSG_RESULT(yes) + AS_IF([test "$asm_hide_symbol" = "unsupported"], + [asm_hide_symbol=".hidden"], + [AC_MSG_NOTICE([unable to reliably tag symbols as private]) + asm_hide_symbol="unsupported"]) + ], + [AC_MSG_RESULT(no)]) + + AS_IF([test "$asm_hide_symbol" != "unsupported"],[ + AC_DEFINE_UNQUOTED([ASM_HIDE_SYMBOL], [$asm_hide_symbol], [directive to hide symbols]) + ]) +]) + AC_MSG_CHECKING(if weak symbols are supported) AC_LINK_IFELSE([AC_LANG_PROGRAM([[ __attribute__((weak)) void __dummy(void *x) { } @@ -523,7 +611,7 @@ void f(void *x) { __dummy(x); } AC_MSG_CHECKING(if data alignment is required) aligned_access_required=yes AS_CASE([$host_cpu], - [i*86 | x86_64 | powerpc* | s390*], + [i?86|amd64|x86_64|powerpc*|s390*], [aligned_access_required=no], [arm*], [AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ 
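Review bot: When the probe ends with `asm_hide_symbol=unsupported` (neither directive links, or both do), `ASM_HIDE_SYMBOL` is left undefined and the only trace is an `AC_MSG_NOTICE`, so the assembly sources that use the macro (outside this diff) either fail to assemble or emit their internal labels with default visibility, where they are exported from the shared object, become interposable and turn into de-facto ABI. I'd raise that to `AC_MSG_WARN([unable to reliably tag symbols as private; internal assembly symbols will be exported])` and make sure the consumers carry an empty fallback for `ASM_HIDE_SYMBOL` rather than assuming it is defined. Treating success of both `.private_extern` and `.hidden` as unreliable is a sensible conservative choice, but a one-line `dnl` saying that an assembler accepting both gives no way to know which one actually hides would save the next reader a trip through the history.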
@@ -550,7 +638,7 @@ AC_SUBST([LIBTOOL_EXTRA_FLAGS]) TEST_LDFLAGS='' AS_IF([test "x$EMSCRIPTEN" != "x"],[ EXEEXT=.js - TEST_LDFLAGS='--memory-init-file 0 --pre-js pre.js.inc -s NO_BROWSER=1 -s RESERVED_FUNCTION_POINTERS=8' + TEST_LDFLAGS='--memory-init-file 0 --pre-js pre.js.inc -s RESERVED_FUNCTION_POINTERS=8' ]) AC_SUBST(TEST_LDFLAGS) AM_CONDITIONAL([EMSCRIPTEN], [test "x$EMSCRIPTEN" != "x"]) diff --git a/release/src/router/libsodium/dist-build/Makefile.in b/release/src/router/libsodium/dist-build/Makefile.in index 9774ce4997..7a08bae91d 100644 --- a/release/src/router/libsodium/dist-build/Makefile.in +++ b/release/src/router/libsodium/dist-build/Makefile.in @@ -92,6 +92,7 @@ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_check_define.m4 \ $(top_srcdir)/m4/ax_check_link_flag.m4 \ + $(top_srcdir)/m4/ax_valgrind_check.m4 \ $(top_srcdir)/m4/ld-output-def.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ @@ -140,6 +141,8 @@ CCASFLAGS = @CCASFLAGS@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CFLAGS_AESNI = @CFLAGS_AESNI@ +CFLAGS_AVX = @CFLAGS_AVX@ +CFLAGS_AVX2 = @CFLAGS_AVX2@ CFLAGS_MMX = @CFLAGS_MMX@ CFLAGS_PCLMUL = @CFLAGS_PCLMUL@ CFLAGS_SSE2 = @CFLAGS_SSE2@ @@ -212,6 +215,12 @@ SODIUM_LIBRARY_VERSION_MAJOR = @SODIUM_LIBRARY_VERSION_MAJOR@ SODIUM_LIBRARY_VERSION_MINOR = @SODIUM_LIBRARY_VERSION_MINOR@ STRIP = @STRIP@ TEST_LDFLAGS = @TEST_LDFLAGS@ +VALGRIND = @VALGRIND@ +VALGRIND_ENABLED = @VALGRIND_ENABLED@ +VALGRIND_HAVE_TOOL_drd = @VALGRIND_HAVE_TOOL_drd@ +VALGRIND_HAVE_TOOL_exp_sgcheck = @VALGRIND_HAVE_TOOL_exp_sgcheck@ +VALGRIND_HAVE_TOOL_helgrind = @VALGRIND_HAVE_TOOL_helgrind@ +VALGRIND_HAVE_TOOL_memcheck = @VALGRIND_HAVE_TOOL_memcheck@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ 
diff --git a/release/src/router/libsodium/dist-build/emscripten.sh b/release/src/router/libsodium/dist-build/emscripten.sh
index 76a1a9368d..46d37f0b49 100755
--- a/release/src/router/libsodium/dist-build/emscripten.sh
+++ b/release/src/router/libsodium/dist-build/emscripten.sh
@@ -2,10 +2,16 @@ export MAKE_FLAGS='-j4' export PREFIX="$(pwd)/libsodium-js" -export EXPORTED_FUNCTIONS='["_crypto_auth","_crypto_auth_bytes","_crypto_auth_keybytes","_crypto_auth_verify","_crypto_box_beforenm","_crypto_box_beforenmbytes","_crypto_box_detached","_crypto_box_detached_afternm","_crypto_box_easy","_crypto_box_easy_afternm","_crypto_box_keypair","_crypto_box_macbytes","_crypto_box_noncebytes","_crypto_box_open_detached","_crypto_box_open_detached_afternm","_crypto_box_open_easy","_crypto_box_open_easy_afternm","_crypto_box_publickeybytes","_crypto_box_seal","_crypto_box_seal_open","_crypto_box_sealbytes","_crypto_box_secretkeybytes","_crypto_box_seed_keypair","_crypto_box_seedbytes","_crypto_generichash","_crypto_generichash_bytes","_crypto_generichash_bytes_max","_crypto_generichash_bytes_min","_crypto_generichash_final","_crypto_generichash_init","_crypto_generichash_keybytes","_crypto_generichash_keybytes_max","_crypto_generichash_keybytes_min","_crypto_generichash_statebytes","_crypto_generichash_update","_crypto_hash","_crypto_hash_bytes","_crypto_onetimeauth","_crypto_onetimeauth_bytes","_crypto_onetimeauth_final","_crypto_onetimeauth_init","_crypto_onetimeauth_keybytes","_crypto_onetimeauth_statebytes","_crypto_onetimeauth_update","_crypto_onetimeauth_verify","_crypto_pwhash_scryptsalsa208sha256","_crypto_pwhash_scryptsalsa208sha256_ll","_crypto_pwhash_scryptsalsa208sha256_memlimit_interactive","_crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_opslimit_interactive","_crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_saltbytes","_crypto_pwhash_scryptsalsa208sha256_str","_crypto_pwhash_scryptsalsa208sha256_str_verify","_crypto_pwhash_scryptsalsa208sha256_strbytes","_crypto_pwhash_scryptsalsa208sha256_strprefix","_crypto_scalarmult","_crypto_scalarmult_base","_crypto_scalarmult_bytes","_crypto_scalarmult_scalarbytes","_crypto_secretbox_detached","_crypto_secretbox
_easy","_crypto_secretbox_keybytes","_crypto_secretbox_macbytes","_crypto_secretbox_noncebytes","_crypto_secretbox_open_detached","_crypto_secretbox_open_easy","_crypto_shorthash","_crypto_shorthash_bytes","_crypto_shorthash_keybytes","_crypto_sign","_crypto_sign_bytes","_crypto_sign_detached","_crypto_sign_ed25519_pk_to_curve25519","_crypto_sign_ed25519_sk_to_curve25519","_crypto_sign_keypair","_crypto_sign_open","_crypto_sign_publickeybytes","_crypto_sign_secretkeybytes","_crypto_sign_seed_keypair","_crypto_sign_seedbytes","_crypto_sign_verify_detached","_randombytes_buf","_randombytes_close","_randombytes_random","_randombytes_stir","_randombytes_uniform","_sodium_bin2hex","_sodium_hex2bin","_sodium_init","_sodium_library_version_major","_sodium_library_version_minor","_sodium_memzero","_sodium_version_string"]' -export TOTAL_MEMORY=33554432 +export EXPORTED_FUNCTIONS_STANDARD='["_crypto_aead_chacha20poly1305_abytes","_crypto_aead_chacha20poly1305_decrypt","_crypto_aead_chacha20poly1305_decrypt_detached","_crypto_aead_chacha20poly1305_encrypt","_crypto_aead_chacha20poly1305_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_abytes","_crypto_aead_chacha20poly1305_ietf_decrypt","_crypto_aead_chacha20poly1305_ietf_decrypt_detached","_crypto_aead_chacha20poly1305_ietf_encrypt","_crypto_aead_chacha20poly1305_ietf_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_keybytes","_crypto_aead_chacha20poly1305_ietf_npubbytes","_crypto_aead_chacha20poly1305_ietf_nsecbytes","_crypto_aead_chacha20poly1305_keybytes","_crypto_aead_chacha20poly1305_npubbytes","_crypto_aead_chacha20poly1305_nsecbytes","_crypto_auth","_crypto_auth_bytes","_crypto_auth_keybytes","_crypto_auth_verify","_crypto_box_beforenm","_crypto_box_beforenmbytes","_crypto_box_detached","_crypto_box_detached_afternm","_crypto_box_easy","_crypto_box_easy_afternm","_crypto_box_keypair","_crypto_box_macbytes","_crypto_box_noncebytes","_crypto_box_open_detached","_crypto_box_open_detached_afternm","_crypto_box_o
pen_easy","_crypto_box_open_easy_afternm","_crypto_box_publickeybytes","_crypto_box_seal","_crypto_box_seal_open","_crypto_box_sealbytes","_crypto_box_secretkeybytes","_crypto_box_seed_keypair","_crypto_box_seedbytes","_crypto_generichash","_crypto_generichash_bytes","_crypto_generichash_bytes_max","_crypto_generichash_bytes_min","_crypto_generichash_final","_crypto_generichash_init","_crypto_generichash_keybytes","_crypto_generichash_keybytes_max","_crypto_generichash_keybytes_min","_crypto_generichash_primitive","_crypto_generichash_statebytes","_crypto_generichash_update","_crypto_hash","_crypto_hash_bytes","_crypto_pwhash","_crypto_pwhash_alg_argon2i13","_crypto_pwhash_alg_default","_crypto_pwhash_memlimit_interactive","_crypto_pwhash_memlimit_moderate","_crypto_pwhash_memlimit_sensitive","_crypto_pwhash_opslimit_interactive","_crypto_pwhash_opslimit_moderate","_crypto_pwhash_opslimit_sensitive","_crypto_pwhash_saltbytes","_crypto_pwhash_scryptsalsa208sha256","_crypto_pwhash_scryptsalsa208sha256_ll","_crypto_pwhash_scryptsalsa208sha256_memlimit_interactive","_crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_opslimit_interactive","_crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_saltbytes","_crypto_pwhash_scryptsalsa208sha256_str","_crypto_pwhash_scryptsalsa208sha256_str_verify","_crypto_pwhash_scryptsalsa208sha256_strbytes","_crypto_pwhash_scryptsalsa208sha256_strprefix","_crypto_pwhash_str","_crypto_pwhash_str_verify","_crypto_pwhash_strbytes","_crypto_pwhash_strprefix","_crypto_scalarmult","_crypto_scalarmult_base","_crypto_scalarmult_bytes","_crypto_scalarmult_scalarbytes","_crypto_secretbox_detached","_crypto_secretbox_easy","_crypto_secretbox_keybytes","_crypto_secretbox_macbytes","_crypto_secretbox_noncebytes","_crypto_secretbox_open_detached","_crypto_secretbox_open_easy","_crypto_shorthash","_crypto_shorthash_bytes","_crypto_shorthash_keybytes","_crypto_sign","_crypto_
sign_bytes","_crypto_sign_detached","_crypto_sign_ed25519_pk_to_curve25519","_crypto_sign_ed25519_sk_to_curve25519","_crypto_sign_keypair","_crypto_sign_open","_crypto_sign_publickeybytes","_crypto_sign_secretkeybytes","_crypto_sign_seed_keypair","_crypto_sign_seedbytes","_crypto_sign_verify_detached","_randombytes","_randombytes_buf","_randombytes_close","_randombytes_random","_randombytes_stir","_randombytes_uniform","_sodium_bin2hex","_sodium_hex2bin","_sodium_init","_sodium_library_version_major","_sodium_library_version_minor","_sodium_version_string"]' +export EXPORTED_FUNCTIONS_SUMO='["_crypto_aead_chacha20poly1305_abytes","_crypto_aead_chacha20poly1305_decrypt","_crypto_aead_chacha20poly1305_decrypt_detached","_crypto_aead_chacha20poly1305_encrypt","_crypto_aead_chacha20poly1305_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_abytes","_crypto_aead_chacha20poly1305_ietf_decrypt","_crypto_aead_chacha20poly1305_ietf_decrypt_detached","_crypto_aead_chacha20poly1305_ietf_encrypt","_crypto_aead_chacha20poly1305_ietf_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_keybytes","_crypto_aead_chacha20poly1305_ietf_npubbytes","_crypto_aead_chacha20poly1305_ietf_nsecbytes","_crypto_aead_chacha20poly1305_keybytes","_crypto_aead_chacha20poly1305_npubbytes","_crypto_aead_chacha20poly1305_nsecbytes","_crypto_auth","_crypto_auth_bytes","_crypto_auth_hmacsha256","_crypto_auth_hmacsha256_bytes","_crypto_auth_hmacsha256_final","_crypto_auth_hmacsha256_init","_crypto_auth_hmacsha256_keybytes","_crypto_auth_hmacsha256_statebytes","_crypto_auth_hmacsha256_update","_crypto_auth_hmacsha256_verify","_crypto_auth_hmacsha512","_crypto_auth_hmacsha512256","_crypto_auth_hmacsha512256_bytes","_crypto_auth_hmacsha512256_final","_crypto_auth_hmacsha512256_init","_crypto_auth_hmacsha512256_keybytes","_crypto_auth_hmacsha512256_statebytes","_crypto_auth_hmacsha512256_update","_crypto_auth_hmacsha512256_verify","_crypto_auth_hmacsha512_bytes","_crypto_auth_hmacsha512_final","_crypto_
auth_hmacsha512_init","_crypto_auth_hmacsha512_keybytes","_crypto_auth_hmacsha512_statebytes","_crypto_auth_hmacsha512_update","_crypto_auth_hmacsha512_verify","_crypto_auth_keybytes","_crypto_auth_verify","_crypto_box","_crypto_box_afternm","_crypto_box_beforenm","_crypto_box_beforenmbytes","_crypto_box_boxzerobytes","_crypto_box_curve25519xsalsa20poly1305","_crypto_box_curve25519xsalsa20poly1305_afternm","_crypto_box_curve25519xsalsa20poly1305_beforenm","_crypto_box_curve25519xsalsa20poly1305_beforenmbytes","_crypto_box_curve25519xsalsa20poly1305_boxzerobytes","_crypto_box_curve25519xsalsa20poly1305_keypair","_crypto_box_curve25519xsalsa20poly1305_macbytes","_crypto_box_curve25519xsalsa20poly1305_noncebytes","_crypto_box_curve25519xsalsa20poly1305_open","_crypto_box_curve25519xsalsa20poly1305_open_afternm","_crypto_box_curve25519xsalsa20poly1305_publickeybytes","_crypto_box_curve25519xsalsa20poly1305_secretkeybytes","_crypto_box_curve25519xsalsa20poly1305_seed_keypair","_crypto_box_curve25519xsalsa20poly1305_seedbytes","_crypto_box_curve25519xsalsa20poly1305_zerobytes","_crypto_box_detached","_crypto_box_detached_afternm","_crypto_box_easy","_crypto_box_easy_afternm","_crypto_box_keypair","_crypto_box_macbytes","_crypto_box_noncebytes","_crypto_box_open","_crypto_box_open_afternm","_crypto_box_open_detached","_crypto_box_open_detached_afternm","_crypto_box_open_easy","_crypto_box_open_easy_afternm","_crypto_box_primitive","_crypto_box_publickeybytes","_crypto_box_seal","_crypto_box_seal_open","_crypto_box_sealbytes","_crypto_box_secretkeybytes","_crypto_box_seed_keypair","_crypto_box_seedbytes","_crypto_box_zerobytes","_crypto_core_hsalsa20","_crypto_core_hsalsa20_constbytes","_crypto_core_hsalsa20_inputbytes","_crypto_core_hsalsa20_keybytes","_crypto_core_hsalsa20_outputbytes","_crypto_core_salsa20","_crypto_core_salsa20_constbytes","_crypto_core_salsa20_inputbytes","_crypto_core_salsa20_keybytes","_crypto_core_salsa20_outputbytes","_crypto_generichash","_crypto_
generichash_blake2b","_crypto_generichash_blake2b_bytes","_crypto_generichash_blake2b_bytes_max","_crypto_generichash_blake2b_bytes_min","_crypto_generichash_blake2b_final","_crypto_generichash_blake2b_init","_crypto_generichash_blake2b_init_salt_personal","_crypto_generichash_blake2b_keybytes","_crypto_generichash_blake2b_keybytes_max","_crypto_generichash_blake2b_keybytes_min","_crypto_generichash_blake2b_personalbytes","_crypto_generichash_blake2b_salt_personal","_crypto_generichash_blake2b_saltbytes","_crypto_generichash_blake2b_statebytes","_crypto_generichash_blake2b_update","_crypto_generichash_bytes","_crypto_generichash_bytes_max","_crypto_generichash_bytes_min","_crypto_generichash_final","_crypto_generichash_init","_crypto_generichash_keybytes","_crypto_generichash_keybytes_max","_crypto_generichash_keybytes_min","_crypto_generichash_primitive","_crypto_generichash_statebytes","_crypto_generichash_update","_crypto_hash","_crypto_hash_bytes","_crypto_hash_primitive","_crypto_hash_sha256","_crypto_hash_sha256_bytes","_crypto_hash_sha256_final","_crypto_hash_sha256_init","_crypto_hash_sha256_statebytes","_crypto_hash_sha256_update","_crypto_hash_sha512","_crypto_hash_sha512_bytes","_crypto_hash_sha512_final","_crypto_hash_sha512_init","_crypto_hash_sha512_statebytes","_crypto_hash_sha512_update","_crypto_onetimeauth","_crypto_onetimeauth_bytes","_crypto_onetimeauth_final","_crypto_onetimeauth_init","_crypto_onetimeauth_keybytes","_crypto_onetimeauth_poly1305","_crypto_onetimeauth_poly1305_bytes","_crypto_onetimeauth_poly1305_final","_crypto_onetimeauth_poly1305_init","_crypto_onetimeauth_poly1305_keybytes","_crypto_onetimeauth_poly1305_update","_crypto_onetimeauth_poly1305_verify","_crypto_onetimeauth_primitive","_crypto_onetimeauth_statebytes","_crypto_onetimeauth_update","_crypto_onetimeauth_verify","_crypto_pwhash","_crypto_pwhash_alg_argon2i13","_crypto_pwhash_alg_default","_crypto_pwhash_argon2i","_crypto_pwhash_argon2i_alg_argon2i13","_crypto_pwhash_ar
gon2i_memlimit_interactive","_crypto_pwhash_argon2i_memlimit_moderate","_crypto_pwhash_argon2i_memlimit_sensitive","_crypto_pwhash_argon2i_opslimit_interactive","_crypto_pwhash_argon2i_opslimit_moderate","_crypto_pwhash_argon2i_opslimit_sensitive","_crypto_pwhash_argon2i_saltbytes","_crypto_pwhash_argon2i_str","_crypto_pwhash_argon2i_str_verify","_crypto_pwhash_argon2i_strbytes","_crypto_pwhash_argon2i_strprefix","_crypto_pwhash_memlimit_interactive","_crypto_pwhash_memlimit_moderate","_crypto_pwhash_memlimit_sensitive","_crypto_pwhash_opslimit_interactive","_crypto_pwhash_opslimit_moderate","_crypto_pwhash_opslimit_sensitive","_crypto_pwhash_primitive","_crypto_pwhash_saltbytes","_crypto_pwhash_scryptsalsa208sha256","_crypto_pwhash_scryptsalsa208sha256_ll","_crypto_pwhash_scryptsalsa208sha256_memlimit_interactive","_crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_opslimit_interactive","_crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_saltbytes","_crypto_pwhash_scryptsalsa208sha256_str","_crypto_pwhash_scryptsalsa208sha256_str_verify","_crypto_pwhash_scryptsalsa208sha256_strbytes","_crypto_pwhash_scryptsalsa208sha256_strprefix","_crypto_pwhash_str","_crypto_pwhash_str_verify","_crypto_pwhash_strbytes","_crypto_pwhash_strprefix","_crypto_scalarmult","_crypto_scalarmult_base","_crypto_scalarmult_bytes","_crypto_scalarmult_curve25519","_crypto_scalarmult_curve25519_base","_crypto_scalarmult_curve25519_bytes","_crypto_scalarmult_curve25519_scalarbytes","_crypto_scalarmult_primitive","_crypto_scalarmult_scalarbytes","_crypto_secretbox","_crypto_secretbox_boxzerobytes","_crypto_secretbox_detached","_crypto_secretbox_easy","_crypto_secretbox_keybytes","_crypto_secretbox_macbytes","_crypto_secretbox_noncebytes","_crypto_secretbox_open","_crypto_secretbox_open_detached","_crypto_secretbox_open_easy","_crypto_secretbox_primitive","_crypto_secretbox_xsalsa20poly1305","_crypto_secretbox_xsal
sa20poly1305_boxzerobytes","_crypto_secretbox_xsalsa20poly1305_keybytes","_crypto_secretbox_xsalsa20poly1305_macbytes","_crypto_secretbox_xsalsa20poly1305_noncebytes","_crypto_secretbox_xsalsa20poly1305_open","_crypto_secretbox_xsalsa20poly1305_zerobytes","_crypto_secretbox_zerobytes","_crypto_shorthash","_crypto_shorthash_bytes","_crypto_shorthash_keybytes","_crypto_shorthash_primitive","_crypto_shorthash_siphash24","_crypto_shorthash_siphash24_bytes","_crypto_shorthash_siphash24_keybytes","_crypto_sign","_crypto_sign_bytes","_crypto_sign_detached","_crypto_sign_ed25519","_crypto_sign_ed25519_bytes","_crypto_sign_ed25519_detached","_crypto_sign_ed25519_keypair","_crypto_sign_ed25519_open","_crypto_sign_ed25519_pk_to_curve25519","_crypto_sign_ed25519_publickeybytes","_crypto_sign_ed25519_secretkeybytes","_crypto_sign_ed25519_seed_keypair","_crypto_sign_ed25519_seedbytes","_crypto_sign_ed25519_sk_to_curve25519","_crypto_sign_ed25519_sk_to_pk","_crypto_sign_ed25519_sk_to_seed","_crypto_sign_ed25519_verify_detached","_crypto_sign_keypair","_crypto_sign_open","_crypto_sign_primitive","_crypto_sign_publickeybytes","_crypto_sign_secretkeybytes","_crypto_sign_seed_keypair","_crypto_sign_seedbytes","_crypto_sign_verify_detached","_crypto_stream","_crypto_stream_chacha20","_crypto_stream_chacha20_ietf","_crypto_stream_chacha20_ietf_noncebytes","_crypto_stream_chacha20_ietf_xor","_crypto_stream_chacha20_ietf_xor_ic","_crypto_stream_chacha20_keybytes","_crypto_stream_chacha20_noncebytes","_crypto_stream_chacha20_xor","_crypto_stream_chacha20_xor_ic","_crypto_stream_keybytes","_crypto_stream_noncebytes","_crypto_stream_primitive","_crypto_stream_salsa20","_crypto_stream_salsa20_keybytes","_crypto_stream_salsa20_noncebytes","_crypto_stream_salsa20_xor","_crypto_stream_salsa20_xor_ic","_crypto_stream_xor","_crypto_stream_xsalsa20","_crypto_stream_xsalsa20_keybytes","_crypto_stream_xsalsa20_noncebytes","_crypto_stream_xsalsa20_xor","_crypto_stream_xsalsa20_xor_ic","_crypto_verify_
16","_crypto_verify_16_bytes","_crypto_verify_32","_crypto_verify_32_bytes","_crypto_verify_64","_crypto_verify_64_bytes","_randombytes","_randombytes_buf","_randombytes_close","_randombytes_implementation_name","_randombytes_random","_randombytes_stir","_randombytes_uniform","_sodium_bin2hex","_sodium_hex2bin","_sodium_init","_sodium_library_version_major","_sodium_library_version_minor","_sodium_version_string"]' +export TOTAL_MEMORY=50000000 +export LDFLAGS="-s TOTAL_MEMORY=${TOTAL_MEMORY} -s RESERVED_FUNCTION_POINTERS=8 -s NO_DYNAMIC_EXECUTION=1 -s RUNNING_JS_OPTS=1" + +export EXPORTED_FUNCTIONS="$EXPORTED_FUNCTIONS_STANDARD" +if [ "x$1" = "x--sumo" ]; then + export EXPORTED_FUNCTIONS="$EXPORTED_FUNCTIONS_SUMO" +fi export JS_EXPORTS_FLAGS="-s EXPORTED_FUNCTIONS=${EXPORTED_FUNCTIONS}" -export LDFLAGS="-s TOTAL_MEMORY=${TOTAL_MEMORY} -s RESERVED_FUNCTION_POINTERS=8 -s NO_BROWSER=1 -s NO_DYNAMIC_EXECUTION=1 -s RUNNING_JS_OPTS=1" if [ "x$1" = "x--browser-tests" ]; then export BROWSER_TESTS='yes' @@ -64,7 +70,7 @@ if [ "x$BROWSER_TESTS" != "x" ]; then sed "s/{{tname}}/${tname}/" index.html.tpl > "browser/${tname}.html" echo "${tname}.html" >> "browser/tests.txt" done - touch -r "${PREFIX}/lib/libsodium.js" test/browser-js.done + touch -r "${PREFIX}/lib/libsodium.js" ../browser-js.done ) else echo 'Running the test suite' diff --git a/release/src/router/libsodium/libsodium-uninstalled.pc.in b/release/src/router/libsodium/libsodium-uninstalled.pc.in index 6f43156e80..3d50230831 100644 --- a/release/src/router/libsodium/libsodium-uninstalled.pc.in +++ b/release/src/router/libsodium/libsodium-uninstalled.pc.in 
@@ -1,6 +1,6 @@ Name: @PACKAGE_NAME@ Version: @PACKAGE_VERSION@ -Description: A portable, cross-compilable, installable, packageable fork of NaCl, with a compatible API. +Description: A modern and easy-to-use crypto library Libs: -L${pcfiledir}/src/libsodium -lsodium Cflags: -I${pcfiledir}/src/libsodium/include -I@top_srcdir@/src/libsodium/include -I@top_srcdir@/src/libsodium/include/sodium diff --git a/release/src/router/libsodium/libsodium.pc.in b/release/src/router/libsodium/libsodium.pc.in index 6a983d5ed1..19b3c1afc7 100644 --- a/release/src/router/libsodium/libsodium.pc.in +++ b/release/src/router/libsodium/libsodium.pc.in @@ -5,7 +5,7 @@ includedir=@includedir@ Name: @PACKAGE_NAME@ Version: @PACKAGE_VERSION@ -Description: A portable, cross-compilable, installable, packageable fork of NaCl, with a compatible API. +Description: A modern and easy-to-use crypto library Libs: -L${libdir} -lsodium Cflags: -I${includedir} diff --git a/release/src/router/libsodium/libsodium.vcxproj b/release/src/router/libsodium/libsodium.vcxproj index b3de7f11fc..6ebe34e902 100644 --- a/release/src/router/libsodium/libsodium.vcxproj +++ b/release/src/router/libsodium/libsodium.vcxproj @@ -315,70 +315,6 @@ - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - @@ -400,6 +336,7 @@ + @@ -410,6 +347,7 @@ + @@ -423,6 +361,14 @@ + + + + + + + + @@ -451,7 +397,6 @@ - @@ -486,7 +431,66 @@ + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + + - \ No newline at end of file + diff --git a/release/src/router/libsodium/libsodium.vcxproj.filters b/release/src/router/libsodium/libsodium.vcxproj.filters index b1a2cc61ca..8c760e5937 100644 --- a/release/src/router/libsodium/libsodium.vcxproj.filters +++ b/release/src/router/libsodium/libsodium.vcxproj.filters 
@@ -15,194 +15,6 @@ - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Header Files - - - Source Files @@ -344,9 +156,6 @@ Source Files - - Source Files - Source Files @@ -488,6 +297,9 @@ Source Files + + Source Files + Source Files 
@@ -521,5 +333,205 @@ Source Files + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + Source Files + + + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + + + Header Files + - \ No newline at end of file + diff --git a/release/src/router/libsodium/m4/ax_valgrind_check.m4 b/release/src/router/libsodium/m4/ax_valgrind_check.m4 new file mode 100644 index 0000000000..faed023acd --- /dev/null +++ b/release/src/router/libsodium/m4/ax_valgrind_check.m4 
@@ -0,0 +1,190 @@ +# =========================================================================== +# http://www.gnu.org/software/autoconf-archive/ax_valgrind_check.html +# =========================================================================== +# +# SYNOPSIS +# +# AX_VALGRIND_CHECK() +# +# DESCRIPTION +# +# Checks whether Valgrind is present and, if so, allows running `make +# check` under a variety of Valgrind tools to check for memory and +# threading errors. +# +# Defines VALGRIND_CHECK_RULES which should be substituted in your +# Makefile; and $enable_valgrind which can be used in subsequent configure +# output. VALGRIND_ENABLED is defined and substituted, and corresponds to +# the value of the --enable-valgrind option, which defaults to being +# enabled if Valgrind is installed and disabled otherwise. +# +# If unit tests are written using a shell script and automake's +# LOG_COMPILER system, the $(VALGRIND) variable can be used within the +# shell scripts to enable Valgrind, as described here: +# +# https://www.gnu.org/software/gnulib/manual/html_node/Running-self_002dtests-under-valgrind.html +# +# Usage example: +# +# configure.ac: +# +# AX_VALGRIND_CHECK +# +# Makefile.am: +# +# @VALGRIND_CHECK_RULES@ +# VALGRIND_SUPPRESSIONS_FILES = my-project.supp +# EXTRA_DIST = my-project.supp +# +# This results in a "check-valgrind" rule being added to any Makefile.am +# which includes "@VALGRIND_CHECK_RULES@" (assuming the module has been +# configured with --enable-valgrind). Running `make check-valgrind` in +# that directory will run the module's test suite (`make check`) once for +# each of the available Valgrind tools (out of memcheck, helgrind, drd and +# sgcheck), and will output results to test-suite-$toolname.log for each. +# The target will succeed if there are zero errors and fail otherwise. +# +# The macro supports running with and without libtool. 
+# +# LICENSE +# +# Copyright (c) 2014, 2015, 2016 Philip Withnall +# +# Copying and distribution of this file, with or without modification, are +# permitted in any medium without royalty provided the copyright notice +# and this notice are preserved. This file is offered as-is, without any +# warranty. + +#serial 8 + +AC_DEFUN([AX_VALGRIND_CHECK],[ + dnl Check for --enable-valgrind + AC_ARG_ENABLE([valgrind], + [AS_HELP_STRING([--enable-valgrind], [Whether to enable Valgrind on the unit tests (requires GNU make)])], + [enable_valgrind=$enableval],[enable_valgrind=no]) + + AS_IF([test "$enable_valgrind" != "no"],[ + # Check for Valgrind. + AC_CHECK_PROG([VALGRIND],[valgrind],[valgrind]) + AS_IF([test "$VALGRIND" = ""],[ + AS_IF([test "$enable_valgrind" = "yes"],[ + AC_MSG_ERROR([Could not find valgrind; either install it or reconfigure with --disable-valgrind]) + ],[ + enable_valgrind=no + ]) + ],[ + enable_valgrind=yes + ]) + ]) + + AM_CONDITIONAL([VALGRIND_ENABLED],[test "$enable_valgrind" = "yes"]) + AC_SUBST([VALGRIND_ENABLED],[$enable_valgrind]) + + # Check for Valgrind tools we care about. + m4_define([valgrind_tool_list],[[memcheck], [helgrind], [drd], [exp-sgcheck]]) + + AS_IF([test "$VALGRIND" != ""],[ + m4_foreach([vgtool],[valgrind_tool_list],[ + m4_define([vgtooln],AS_TR_SH(vgtool)) + m4_define([ax_cv_var],[ax_cv_valgrind_tool_]vgtooln) + AC_CACHE_CHECK([for Valgrind tool ]vgtool,ax_cv_var,[ + ax_cv_var= + AS_IF([`$VALGRIND --tool=vgtool --help >/dev/null 2>&1`],[ + ax_cv_var="vgtool" + ]) + ]) + + AC_SUBST([VALGRIND_HAVE_TOOL_]vgtooln,[$ax_cv_var]) + ]) + ]) + +[VALGRIND_CHECK_RULES=' +# Valgrind check +# +# Optional: +# - VALGRIND_SUPPRESSIONS_FILES: Space-separated list of Valgrind suppressions +# files to load. (Default: empty) +# - VALGRIND_FLAGS: General flags to pass to all Valgrind tools. +# (Default: --num-callers=30) +# - VALGRIND_$toolname_FLAGS: Flags to pass to Valgrind $toolname (one of: +# memcheck, helgrind, drd, sgcheck). 
(Default: various) + +# Optional variables +VALGRIND_SUPPRESSIONS ?= $(addprefix --suppressions=,$(VALGRIND_SUPPRESSIONS_FILES)) +VALGRIND_FLAGS ?= --num-callers=30 +VALGRIND_memcheck_FLAGS ?= --leak-check=full --show-reachable=no +VALGRIND_helgrind_FLAGS ?= --history-level=approx +VALGRIND_drd_FLAGS ?= +VALGRIND_sgcheck_FLAGS ?= + +# Internal use +valgrind_tools = memcheck helgrind drd sgcheck +valgrind_log_files = $(addprefix test-suite-,$(addsuffix .log,$(valgrind_tools))) + +valgrind_memcheck_flags = --tool=memcheck $(VALGRIND_memcheck_FLAGS) +valgrind_helgrind_flags = --tool=helgrind $(VALGRIND_helgrind_FLAGS) +valgrind_drd_flags = --tool=drd $(VALGRIND_drd_FLAGS) +valgrind_sgcheck_flags = --tool=exp-sgcheck $(VALGRIND_sgcheck_FLAGS) + +valgrind_quiet = $(valgrind_quiet_$(V)) +valgrind_quiet_ = $(valgrind_quiet_$(AM_DEFAULT_VERBOSITY)) +valgrind_quiet_0 = --quiet + +# Support running with and without libtool. +ifneq ($(LIBTOOL),) +valgrind_lt = $(LIBTOOL) $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=execute +else +valgrind_lt = +endif + +# Use recursive makes in order to ignore errors during check +check-valgrind: +ifeq ($(VALGRIND_ENABLED),yes) + -$(foreach tool,$(valgrind_tools), \ + $(if $(VALGRIND_HAVE_TOOL_$(tool))$(VALGRIND_HAVE_TOOL_exp_$(tool)), \ + $(MAKE) $(AM_MAKEFLAGS) -k check-valgrind-tool VALGRIND_TOOL=$(tool); \ + ) \ + ) +else + @echo "Need to reconfigure with --enable-valgrind" +endif + +# Valgrind running +VALGRIND_TESTS_ENVIRONMENT = \ + $(TESTS_ENVIRONMENT) \ + env VALGRIND=$(VALGRIND) \ + G_SLICE=always-malloc,debug-blocks \ + G_DEBUG=fatal-warnings,fatal-criticals,gc-friendly + +VALGRIND_LOG_COMPILER = \ + $(valgrind_lt) \ + $(VALGRIND) $(VALGRIND_SUPPRESSIONS) --error-exitcode=1 $(VALGRIND_FLAGS) + +check-valgrind-tool: +ifeq ($(VALGRIND_ENABLED),yes) + $(MAKE) check-TESTS \ + TESTS_ENVIRONMENT="$(VALGRIND_TESTS_ENVIRONMENT)" \ + LOG_COMPILER="$(VALGRIND_LOG_COMPILER)" \ + LOG_FLAGS="$(valgrind_$(VALGRIND_TOOL)_flags)" \ + 
TEST_SUITE_LOG=test-suite-$(VALGRIND_TOOL).log +else + @echo "Need to reconfigure with --enable-valgrind" +endif + +A''M_DISTCHECK_CONFIGURE_FLAGS ?= +A''M_DISTCHECK_CONFIGURE_FLAGS += --disable-valgrind + +MOSTLYCLEANFILES ?= +MOSTLYCLEANFILES += $(valgrind_log_files) + +.PHONY: check-valgrind check-valgrind-tool +'] + + AS_IF([test "$enable_valgrind" != "yes"],[ +VALGRIND_CHECK_RULES=' +check-valgrind: + @echo "Need to use GNU make and reconfigure with --enable-valgrind"' +]) + AC_SUBST([VALGRIND_CHECK_RULES]) + m4_ifdef([_AM_SUBST_NOTMAKE], [_AM_SUBST_NOTMAKE([VALGRIND_CHECK_RULES])]) +]) diff --git a/release/src/router/libsodium/msvc-scripts/Makefile.in b/release/src/router/libsodium/msvc-scripts/Makefile.in index a710b159ef..22201f446d 100644 --- a/release/src/router/libsodium/msvc-scripts/Makefile.in +++ b/release/src/router/libsodium/msvc-scripts/Makefile.in @@ -92,6 +92,7 @@ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_check_define.m4 \ $(top_srcdir)/m4/ax_check_link_flag.m4 \ + $(top_srcdir)/m4/ax_valgrind_check.m4 \ $(top_srcdir)/m4/ld-output-def.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ @@ -140,6 +141,8 @@ CCASFLAGS = @CCASFLAGS@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CFLAGS_AESNI = @CFLAGS_AESNI@ +CFLAGS_AVX = @CFLAGS_AVX@ +CFLAGS_AVX2 = @CFLAGS_AVX2@ CFLAGS_MMX = @CFLAGS_MMX@ CFLAGS_PCLMUL = @CFLAGS_PCLMUL@ CFLAGS_SSE2 = @CFLAGS_SSE2@ 
@@ -212,6 +215,12 @@ SODIUM_LIBRARY_VERSION_MAJOR = @SODIUM_LIBRARY_VERSION_MAJOR@ SODIUM_LIBRARY_VERSION_MINOR = @SODIUM_LIBRARY_VERSION_MINOR@ STRIP = @STRIP@ TEST_LDFLAGS = @TEST_LDFLAGS@ +VALGRIND = @VALGRIND@ +VALGRIND_ENABLED = @VALGRIND_ENABLED@ +VALGRIND_HAVE_TOOL_drd = @VALGRIND_HAVE_TOOL_drd@ +VALGRIND_HAVE_TOOL_exp_sgcheck = @VALGRIND_HAVE_TOOL_exp_sgcheck@ +VALGRIND_HAVE_TOOL_helgrind = @VALGRIND_HAVE_TOOL_helgrind@ +VALGRIND_HAVE_TOOL_memcheck = @VALGRIND_HAVE_TOOL_memcheck@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/release/src/router/libsodium/msvc-scripts/process.bat b/release/src/router/libsodium/msvc-scripts/process.bat index 9a2de9523d..312d270bf1 100755 --- a/release/src/router/libsodium/msvc-scripts/process.bat +++ b/release/src/router/libsodium/msvc-scripts/process.bat @@ -1,4 +1,4 @@ -cscript msvc-scripts/rep.vbs //Nologo s/@VERSION@/1.0.8/ < src\libsodium\include\sodium\version.h.in > tmp +cscript msvc-scripts/rep.vbs //Nologo s/@VERSION@/1.0.10/ < src\libsodium\include\sodium\version.h.in > tmp cscript msvc-scripts/rep.vbs //Nologo s/@SODIUM_LIBRARY_VERSION_MAJOR@/9/ < tmp > tmp2 -cscript msvc-scripts/rep.vbs //Nologo s/@SODIUM_LIBRARY_VERSION_MINOR@/1/ < tmp2 > src\libsodium\include\sodium\version.h +cscript msvc-scripts/rep.vbs //Nologo s/@SODIUM_LIBRARY_VERSION_MINOR@/2/ < tmp2 > src\libsodium\include\sodium\version.h del tmp tmp2 diff --git a/release/src/router/libsodium/src/Makefile.in b/release/src/router/libsodium/src/Makefile.in index dfcd777ce3..e06c506b16 100644 --- a/release/src/router/libsodium/src/Makefile.in +++ b/release/src/router/libsodium/src/Makefile.in 
@@ -92,6 +92,7 @@ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_check_define.m4 \ $(top_srcdir)/m4/ax_check_link_flag.m4 \ + $(top_srcdir)/m4/ax_valgrind_check.m4 \ $(top_srcdir)/m4/ld-output-def.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ @@ -200,6 +201,8 @@ CCASFLAGS = @CCASFLAGS@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CFLAGS_AESNI = @CFLAGS_AESNI@ +CFLAGS_AVX = @CFLAGS_AVX@ +CFLAGS_AVX2 = @CFLAGS_AVX2@ CFLAGS_MMX = @CFLAGS_MMX@ CFLAGS_PCLMUL = @CFLAGS_PCLMUL@ CFLAGS_SSE2 = @CFLAGS_SSE2@ @@ -272,6 +275,12 @@ SODIUM_LIBRARY_VERSION_MAJOR = @SODIUM_LIBRARY_VERSION_MAJOR@ SODIUM_LIBRARY_VERSION_MINOR = @SODIUM_LIBRARY_VERSION_MINOR@ STRIP = @STRIP@ TEST_LDFLAGS = @TEST_LDFLAGS@ +VALGRIND = @VALGRIND@ +VALGRIND_ENABLED = @VALGRIND_ENABLED@ +VALGRIND_HAVE_TOOL_drd = @VALGRIND_HAVE_TOOL_drd@ +VALGRIND_HAVE_TOOL_exp_sgcheck = @VALGRIND_HAVE_TOOL_exp_sgcheck@ +VALGRIND_HAVE_TOOL_helgrind = @VALGRIND_HAVE_TOOL_helgrind@ +VALGRIND_HAVE_TOOL_memcheck = @VALGRIND_HAVE_TOOL_memcheck@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/release/src/router/libsodium/src/libsodium/Makefile.am b/release/src/router/libsodium/src/libsodium/Makefile.am index cf99534ebc..03cb5fbb18 100644 --- a/release/src/router/libsodium/src/libsodium/Makefile.am +++ b/release/src/router/libsodium/src/libsodium/Makefile.am @@ -24,7 +24,6 @@ libsodium_la_SOURCES = \ crypto_core/curve25519/ref10/base.h \ crypto_core/curve25519/ref10/base2.h \ crypto_core/curve25519/ref10/curve25519_ref10.c \ - crypto_core/curve25519/ref10/curve25519_ref10.h \ crypto_core/hsalsa20/ref2/core_hsalsa20.c \ crypto_core/hsalsa20/core_hsalsa20_api.c \ crypto_core/salsa20/ref/core_salsa20.c \ 
@@ -36,8 +35,8 @@ libsodium_la_SOURCES = \
 crypto_generichash/blake2/ref/blake2b-compress-ref.c \
 crypto_generichash/blake2/ref/blake2b-load-sse2.h \
 crypto_generichash/blake2/ref/blake2b-load-sse41.h \
+ crypto_generichash/blake2/ref/blake2b-load-avx2.h \
 crypto_generichash/blake2/ref/blake2b-ref.c \
- crypto_generichash/blake2/ref/blake2b-round.h \
 crypto_generichash/blake2/ref/generichash_blake2b.c \
 crypto_hash/crypto_hash.c \
 crypto_hash/sha256/hash_sha256_api.c \
@@ -51,13 +50,25 @@ libsodium_la_SOURCES = \
 crypto_onetimeauth/poly1305/donna/poly1305_donna32.h \
 crypto_onetimeauth/poly1305/donna/poly1305_donna64.h \
 crypto_onetimeauth/poly1305/donna/poly1305_donna.c \
+ crypto_pwhash/argon2/argon2-core.c \
+ crypto_pwhash/argon2/argon2-core.h \
+ crypto_pwhash/argon2/argon2-encoding.c \
+ crypto_pwhash/argon2/argon2-encoding.h \
+ crypto_pwhash/argon2/argon2-fill-block-ref.c \
+ crypto_pwhash/argon2/argon2-impl.h \
+ crypto_pwhash/argon2/argon2.c \
+ crypto_pwhash/argon2/argon2.h \
+ crypto_pwhash/argon2/blake2b-long.c \
+ crypto_pwhash/argon2/blake2b-long.h \
+ crypto_pwhash/argon2/blamka-round-ref.h \
+ crypto_pwhash/argon2/pwhash_argon2i.c \
+ crypto_pwhash/crypto_pwhash.c \
 crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c \
 crypto_pwhash/scryptsalsa208sha256/crypto_scrypt.h \
 crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c \
 crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c \
 crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.h \
 crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c \
- crypto_pwhash/scryptsalsa208sha256/sysendian.h \
 crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c \
 crypto_scalarmult/crypto_scalarmult.c \
 crypto_scalarmult/curve25519/scalarmult_curve25519.c \
@@ -74,11 +85,11 @@ libsodium_la_SOURCES = \
 crypto_sign/ed25519/ref10/keypair.c \
 crypto_sign/ed25519/ref10/open.c \
 crypto_sign/ed25519/ref10/sign.c \
- crypto_stream/crypto_stream.c \
 crypto_stream/chacha20/stream_chacha20.c \
 crypto_stream/chacha20/stream_chacha20.h \
 crypto_stream/chacha20/ref/stream_chacha20_ref.h \
 crypto_stream/chacha20/ref/stream_chacha20_ref.c \
+ crypto_stream/crypto_stream.c \
 crypto_stream/salsa20/stream_salsa20_api.c \
 crypto_stream/xsalsa20/stream_xsalsa20_api.c \
 crypto_stream/xsalsa20/ref/stream_xsalsa20.c \
@@ -89,6 +100,8 @@ libsodium_la_SOURCES = \
 crypto_verify/32/ref/verify_32.c \
 crypto_verify/64/verify_64_api.c \
 crypto_verify/64/ref/verify_64.c \
+ include/sodium/private/common.h \
+ include/sodium/private/curve25519_ref10.h \
 randombytes/randombytes.c \
 sodium/core.c \
 sodium/runtime.c \
@@ -155,6 +168,8 @@ endif
 if !MINIMAL
 libsodium_la_SOURCES += \
+ crypto_core/hchacha20/core_hchacha20.c \
+ crypto_core/hchacha20/core_hchacha20.h \
 crypto_core/salsa2012/ref/core_salsa2012.c \
 crypto_core/salsa2012/core_salsa2012_api.c \
 crypto_core/salsa208/ref/core_salsa208.c \
@@ -164,7 +179,6 @@ libsodium_la_SOURCES += \
 crypto_stream/aes128ctr/stream_aes128ctr_api.c \
 crypto_stream/aes128ctr/portable/beforenm_aes128ctr.c \
 crypto_stream/aes128ctr/portable/common.h \
- crypto_stream/aes128ctr/portable/common_aes128ctr.c \
 crypto_stream/aes128ctr/portable/consts.h \
 crypto_stream/aes128ctr/portable/consts_aes128ctr.c \
 crypto_stream/aes128ctr/portable/int128.h \
@@ -202,8 +216,8 @@ endif
 SUBDIRS = \
 include
-libsodium_la_LIBADD = libaesni.la libsse2.la libssse3.la libsse41.la
-noinst_LTLIBRARIES = libaesni.la libsse2.la libssse3.la libsse41.la
+libsodium_la_LIBADD = libaesni.la libsse2.la libssse3.la libsse41.la libavx2.la
+noinst_LTLIBRARIES = libaesni.la libsse2.la libssse3.la libsse41.la libavx2.la
 libaesni_la_LDFLAGS = $(libsodium_la_LDFLAGS)
 libaesni_la_CPPFLAGS = $(libsodium_la_CPPFLAGS) \
@@ -224,6 +238,9 @@ libssse3_la_CPPFLAGS = $(libsodium_la_CPPFLAGS) \
 @CFLAGS_SSE2@ @CFLAGS_SSSE3@
 libssse3_la_SOURCES = \
 crypto_generichash/blake2/ref/blake2b-compress-ssse3.c \
+ crypto_generichash/blake2/ref/blake2b-compress-ssse3.h \
+ crypto_pwhash/argon2/argon2-fill-block-ssse3.c \
+ crypto_pwhash/argon2/blamka-round-ssse3.h \
 crypto_stream/chacha20/vec/stream_chacha20_vec.h \
 crypto_stream/chacha20/vec/stream_chacha20_vec.c
@@ -231,4 +248,12 @@ libsse41_la_LDFLAGS = $(libsodium_la_LDFLAGS)
 libsse41_la_CPPFLAGS = $(libsodium_la_CPPFLAGS) \
 @CFLAGS_SSE2@ @CFLAGS_SSSE3@ @CFLAGS_SSE41@
 libsse41_la_SOURCES = \
- crypto_generichash/blake2/ref/blake2b-compress-sse41.c
+ crypto_generichash/blake2/ref/blake2b-compress-sse41.c \
+ crypto_generichash/blake2/ref/blake2b-compress-sse41.h
+
+libavx2_la_LDFLAGS = $(libsodium_la_LDFLAGS)
+libavx2_la_CPPFLAGS = $(libsodium_la_CPPFLAGS) \
+ @CFLAGS_SSE2@ @CFLAGS_SSSE3@ @CFLAGS_SSE41@ @CFLAGS_AVX@ @CFLAGS_AVX2@
+libavx2_la_SOURCES = \
+ crypto_generichash/blake2/ref/blake2b-compress-avx2.c \
+ crypto_generichash/blake2/ref/blake2b-compress-avx2.h
diff --git a/release/src/router/libsodium/src/libsodium/Makefile.in b/release/src/router/libsodium/src/libsodium/Makefile.in
index 5f088e58d7..d1a319cf20 100644
--- a/release/src/router/libsodium/src/libsodium/Makefile.in
+++ b/release/src/router/libsodium/src/libsodium/Makefile.in
@@ -130,6 +130,8 @@ host_triplet = @host@
 @HAVE_AMD64_ASM_FALSE@ crypto_stream/salsa20/ref/xor_salsa20_ref.c
 @MINIMAL_FALSE@am__append_9 = \
+@MINIMAL_FALSE@ crypto_core/hchacha20/core_hchacha20.c \
+@MINIMAL_FALSE@ crypto_core/hchacha20/core_hchacha20.h \
 @MINIMAL_FALSE@ crypto_core/salsa2012/ref/core_salsa2012.c \
 @MINIMAL_FALSE@ crypto_core/salsa2012/core_salsa2012_api.c \
 @MINIMAL_FALSE@ crypto_core/salsa208/ref/core_salsa208.c \
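Review bot: The new libavx2.la convenience library is compiled with @CFLAGS_AVX@ @CFLAGS_AVX2@ yet linked into libsodium.la unconditionally through libsodium_la_LIBADD and noinst_LTLIBRARIES, and nothing in this hunk records why the per-ISA split exists or what keeps AVX2 code from running on CPUs that lack it. That safety presumably rests on blake2b-compress-avx2.c compiling to an empty object when the configure-detected flags are absent and on a runtime CPU-feature check before dispatch, neither of which is visible here. A comment above the libavx2_la_* block would make the contract explicit for anyone touching the flag lists: `# libavx2.la isolates objects built with AVX/AVX2 flags; they must only be reached via runtime CPU-feature dispatch`. The same note applies to the argon2-fill-block-ssse3.c addition to libssse3_la_SOURCES at the top of this hunk.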
@@ -139,7 +141,6 @@ host_triplet = @host@
 @MINIMAL_FALSE@ crypto_stream/aes128ctr/stream_aes128ctr_api.c \
 @MINIMAL_FALSE@ crypto_stream/aes128ctr/portable/beforenm_aes128ctr.c \
 @MINIMAL_FALSE@ crypto_stream/aes128ctr/portable/common.h \
-@MINIMAL_FALSE@ crypto_stream/aes128ctr/portable/common_aes128ctr.c \
 @MINIMAL_FALSE@ crypto_stream/aes128ctr/portable/consts.h \
 @MINIMAL_FALSE@ crypto_stream/aes128ctr/portable/consts_aes128ctr.c \
 @MINIMAL_FALSE@ crypto_stream/aes128ctr/portable/int128.h \
@@ -160,6 +161,7 @@ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \
 $(top_srcdir)/m4/ax_check_define.m4 \
 $(top_srcdir)/m4/ax_check_link_flag.m4 \
+ $(top_srcdir)/m4/ax_valgrind_check.m4 \
 $(top_srcdir)/m4/ld-output-def.m4 $(top_srcdir)/m4/libtool.m4 \
 $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
 $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \
@@ -211,8 +213,14 @@ am__v_lt_1 =
 libaesni_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
 $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
 $(libaesni_la_LDFLAGS) $(LDFLAGS) -o $@
+libavx2_la_LIBADD =
+am_libavx2_la_OBJECTS = crypto_generichash/blake2/ref/libavx2_la-blake2b-compress-avx2.lo
+libavx2_la_OBJECTS = $(am_libavx2_la_OBJECTS)
+libavx2_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
+ $(LIBTOOLFLAGS) --mode=link $(CCLD) $(AM_CFLAGS) $(CFLAGS) \
+ $(libavx2_la_LDFLAGS) $(LDFLAGS) -o $@
 libsodium_la_DEPENDENCIES = libaesni.la libsse2.la libssse3.la \
- libsse41.la
+ libsse41.la libavx2.la
 am__libsodium_la_SOURCES_DIST = \
 crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c \
 crypto_auth/crypto_auth.c \
@@ -235,7 +243,6 @@ am__libsodium_la_SOURCES_DIST = \
 crypto_core/curve25519/ref10/base.h \
 crypto_core/curve25519/ref10/base2.h \
 crypto_core/curve25519/ref10/curve25519_ref10.c \
- crypto_core/curve25519/ref10/curve25519_ref10.h \
 crypto_core/hsalsa20/ref2/core_hsalsa20.c \
 crypto_core/hsalsa20/core_hsalsa20_api.c \
 crypto_core/salsa20/ref/core_salsa20.c \
@@ -247,8 +254,8 @@ am__libsodium_la_SOURCES_DIST = \
 crypto_generichash/blake2/ref/blake2b-compress-ref.c \
 crypto_generichash/blake2/ref/blake2b-load-sse2.h \
 crypto_generichash/blake2/ref/blake2b-load-sse41.h \
+ crypto_generichash/blake2/ref/blake2b-load-avx2.h \
 crypto_generichash/blake2/ref/blake2b-ref.c \
- crypto_generichash/blake2/ref/blake2b-round.h \
 crypto_generichash/blake2/ref/generichash_blake2b.c \
 crypto_hash/crypto_hash.c crypto_hash/sha256/hash_sha256_api.c \
 crypto_hash/sha256/cp/hash_sha256.c \
@@ -261,13 +268,24 @@ am__libsodium_la_SOURCES_DIST = \
 crypto_onetimeauth/poly1305/donna/poly1305_donna32.h \
 crypto_onetimeauth/poly1305/donna/poly1305_donna64.h \
 crypto_onetimeauth/poly1305/donna/poly1305_donna.c \
+ crypto_pwhash/argon2/argon2-core.c \
+ crypto_pwhash/argon2/argon2-core.h \
+ crypto_pwhash/argon2/argon2-encoding.c \
+ crypto_pwhash/argon2/argon2-encoding.h \
+ crypto_pwhash/argon2/argon2-fill-block-ref.c \
+ crypto_pwhash/argon2/argon2-impl.h \
+ crypto_pwhash/argon2/argon2.c crypto_pwhash/argon2/argon2.h \
+ crypto_pwhash/argon2/blake2b-long.c \
+ crypto_pwhash/argon2/blake2b-long.h \
+ crypto_pwhash/argon2/blamka-round-ref.h \
+ crypto_pwhash/argon2/pwhash_argon2i.c \
+ crypto_pwhash/crypto_pwhash.c \
 crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c \
 crypto_pwhash/scryptsalsa208sha256/crypto_scrypt.h \
 crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c \
 crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c \
 crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.h \
 crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c \
- crypto_pwhash/scryptsalsa208sha256/sysendian.h \
 crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c \
 crypto_scalarmult/crypto_scalarmult.c \
 crypto_scalarmult/curve25519/scalarmult_curve25519.c \
@@ -283,11 +301,12 @@ am__libsodium_la_SOURCES_DIST = \
 crypto_sign/ed25519/sign_ed25519_api.c \
 crypto_sign/ed25519/ref10/keypair.c \
 crypto_sign/ed25519/ref10/open.c \
- crypto_sign/ed25519/ref10/sign.c crypto_stream/crypto_stream.c \
+ crypto_sign/ed25519/ref10/sign.c \
 crypto_stream/chacha20/stream_chacha20.c \
 crypto_stream/chacha20/stream_chacha20.h \
 crypto_stream/chacha20/ref/stream_chacha20_ref.h \
 crypto_stream/chacha20/ref/stream_chacha20_ref.c \
+ crypto_stream/crypto_stream.c \
 crypto_stream/salsa20/stream_salsa20_api.c \
 crypto_stream/xsalsa20/stream_xsalsa20_api.c \
 crypto_stream/xsalsa20/ref/stream_xsalsa20.c \
@@ -297,8 +316,11 @@ am__libsodium_la_SOURCES_DIST = \
 crypto_verify/32/verify_32_api.c \
 crypto_verify/32/ref/verify_32.c \
 crypto_verify/64/verify_64_api.c \
- crypto_verify/64/ref/verify_64.c randombytes/randombytes.c \
- sodium/core.c sodium/runtime.c sodium/utils.c sodium/version.c \
+ crypto_verify/64/ref/verify_64.c \
+ include/sodium/private/common.h \
+ include/sodium/private/curve25519_ref10.h \
+ randombytes/randombytes.c sodium/core.c sodium/runtime.c \
+ sodium/utils.c sodium/version.c \
 randombytes/salsa20/randombytes_salsa20_random.c \
 randombytes/nativeclient/randombytes_nativeclient.c \
 randombytes/sysrandom/randombytes_sysrandom.c \
@@ -322,6 +344,8 @@ am__libsodium_la_SOURCES_DIST = \
 crypto_stream/salsa20/amd64_xmm6/stream_salsa20_amd64_xmm6.S \
 crypto_stream/salsa20/ref/stream_salsa20_ref.c \
 crypto_stream/salsa20/ref/xor_salsa20_ref.c \
+ crypto_core/hchacha20/core_hchacha20.c \
+ crypto_core/hchacha20/core_hchacha20.h \
 crypto_core/salsa2012/ref/core_salsa2012.c \
 crypto_core/salsa2012/core_salsa2012_api.c \
 crypto_core/salsa208/ref/core_salsa208.c \
@@ -331,7 +355,6 @@ am__libsodium_la_SOURCES_DIST = \
 crypto_stream/aes128ctr/stream_aes128ctr_api.c \
 crypto_stream/aes128ctr/portable/beforenm_aes128ctr.c \
 crypto_stream/aes128ctr/portable/common.h \
- crypto_stream/aes128ctr/portable/common_aes128ctr.c \
 crypto_stream/aes128ctr/portable/consts.h \
 crypto_stream/aes128ctr/portable/consts_aes128ctr.c \
 crypto_stream/aes128ctr/portable/int128.h \
@@ -357,7 +380,8 @@ am__libsodium_la_SOURCES_DIST = \
 @HAVE_AMD64_ASM_TRUE@am__objects_7 = crypto_stream/salsa20/amd64_xmm6/libsodium_la-stream_salsa20_amd64_xmm6.lo
 @HAVE_AMD64_ASM_FALSE@am__objects_8 = crypto_stream/salsa20/ref/libsodium_la-stream_salsa20_ref.lo \
 @HAVE_AMD64_ASM_FALSE@ crypto_stream/salsa20/ref/libsodium_la-xor_salsa20_ref.lo
-@MINIMAL_FALSE@am__objects_9 = crypto_core/salsa2012/ref/libsodium_la-core_salsa2012.lo \
+@MINIMAL_FALSE@am__objects_9 = crypto_core/hchacha20/libsodium_la-core_hchacha20.lo \
+@MINIMAL_FALSE@ crypto_core/salsa2012/ref/libsodium_la-core_salsa2012.lo \
 @MINIMAL_FALSE@ crypto_core/salsa2012/libsodium_la-core_salsa2012_api.lo \
 @MINIMAL_FALSE@ crypto_core/salsa208/ref/libsodium_la-core_salsa208.lo \
 @MINIMAL_FALSE@ crypto_core/salsa208/libsodium_la-core_salsa208_api.lo \
@@ -365,7 +389,6 @@ am__libsodium_la_SOURCES_DIST = \
 @MINIMAL_FALSE@ crypto_stream/aes128ctr/portable/libsodium_la-afternm_aes128ctr.lo \
 @MINIMAL_FALSE@ crypto_stream/aes128ctr/libsodium_la-stream_aes128ctr_api.lo \
 @MINIMAL_FALSE@ crypto_stream/aes128ctr/portable/libsodium_la-beforenm_aes128ctr.lo \
-@MINIMAL_FALSE@ crypto_stream/aes128ctr/portable/libsodium_la-common_aes128ctr.lo \
 @MINIMAL_FALSE@ crypto_stream/aes128ctr/portable/libsodium_la-consts_aes128ctr.lo \
 @MINIMAL_FALSE@ crypto_stream/aes128ctr/portable/libsodium_la-int128_aes128ctr.lo \
 @MINIMAL_FALSE@ crypto_stream/aes128ctr/portable/libsodium_la-stream_aes128ctr.lo \
@@ -413,6 +436,13 @@ am_libsodium_la_OBJECTS = crypto_aead/chacha20poly1305/sodium/libsodium_la-aead_
 crypto_onetimeauth/libsodium_la-crypto_onetimeauth.lo \
 crypto_onetimeauth/poly1305/libsodium_la-onetimeauth_poly1305.lo \
 crypto_onetimeauth/poly1305/donna/libsodium_la-poly1305_donna.lo \
+ crypto_pwhash/argon2/libsodium_la-argon2-core.lo \
+ crypto_pwhash/argon2/libsodium_la-argon2-encoding.lo \
+ crypto_pwhash/argon2/libsodium_la-argon2-fill-block-ref.lo \
+ crypto_pwhash/argon2/libsodium_la-argon2.lo \
+ crypto_pwhash/argon2/libsodium_la-blake2b-long.lo \
+ crypto_pwhash/argon2/libsodium_la-pwhash_argon2i.lo \
+ crypto_pwhash/libsodium_la-crypto_pwhash.lo \
 crypto_pwhash/scryptsalsa208sha256/libsodium_la-crypto_scrypt-common.lo \
 crypto_pwhash/scryptsalsa208sha256/libsodium_la-scrypt_platform.lo \
 crypto_pwhash/scryptsalsa208sha256/libsodium_la-pbkdf2-sha256.lo \
@@ -432,9 +462,9 @@ am_libsodium_la_OBJECTS = crypto_aead/chacha20poly1305/sodium/libsodium_la-aead_
 crypto_sign/ed25519/ref10/libsodium_la-keypair.lo \
 crypto_sign/ed25519/ref10/libsodium_la-open.lo \
 crypto_sign/ed25519/ref10/libsodium_la-sign.lo \
- crypto_stream/libsodium_la-crypto_stream.lo \
 crypto_stream/chacha20/libsodium_la-stream_chacha20.lo \
 crypto_stream/chacha20/ref/libsodium_la-stream_chacha20_ref.lo \
+ crypto_stream/libsodium_la-crypto_stream.lo \
 crypto_stream/salsa20/libsodium_la-stream_salsa20_api.lo \
 crypto_stream/xsalsa20/libsodium_la-stream_xsalsa20_api.lo \
 crypto_stream/xsalsa20/ref/libsodium_la-stream_xsalsa20.lo \
@@ -470,6 +500,7 @@ libsse41_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
 $(libsse41_la_LDFLAGS) $(LDFLAGS) -o $@
 libssse3_la_LIBADD =
 am_libssse3_la_OBJECTS = crypto_generichash/blake2/ref/libssse3_la-blake2b-compress-ssse3.lo \
+ crypto_pwhash/argon2/libssse3_la-argon2-fill-block-ssse3.lo \
 crypto_stream/chacha20/vec/libssse3_la-stream_chacha20_vec.lo
 libssse3_la_OBJECTS = $(am_libssse3_la_OBJECTS)
 libssse3_la_LINK = $(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) \
@@ -519,12 +550,12 @@ AM_V_CCLD = $(am__v_CCLD_@AM_V@)
 am__v_CCLD_ = $(am__v_CCLD_@AM_DEFAULT_V@)
 am__v_CCLD_0 = @echo " CCLD " $@;
 am__v_CCLD_1 =
-SOURCES = $(libaesni_la_SOURCES) $(libsodium_la_SOURCES) \
- $(libsse2_la_SOURCES) $(libsse41_la_SOURCES) \
- $(libssse3_la_SOURCES)
-DIST_SOURCES = $(libaesni_la_SOURCES) $(am__libsodium_la_SOURCES_DIST) \
- $(libsse2_la_SOURCES) $(libsse41_la_SOURCES) \
- $(libssse3_la_SOURCES)
+SOURCES = $(libaesni_la_SOURCES) $(libavx2_la_SOURCES) \
+ $(libsodium_la_SOURCES) $(libsse2_la_SOURCES) \
+ $(libsse41_la_SOURCES) $(libssse3_la_SOURCES)
+DIST_SOURCES = $(libaesni_la_SOURCES) $(libavx2_la_SOURCES) \
+ $(am__libsodium_la_SOURCES_DIST) $(libsse2_la_SOURCES) \
+ $(libsse41_la_SOURCES) $(libssse3_la_SOURCES)
 RECURSIVE_TARGETS = all-recursive check-recursive cscopelist-recursive \
 ctags-recursive dvi-recursive html-recursive info-recursive \
 install-data-recursive install-dvi-recursive \
@@ -612,6 +643,8 @@ CCASFLAGS = @CCASFLAGS@
 CCDEPMODE = @CCDEPMODE@
 CFLAGS = @CFLAGS@
 CFLAGS_AESNI = @CFLAGS_AESNI@
+CFLAGS_AVX = @CFLAGS_AVX@
+CFLAGS_AVX2 = @CFLAGS_AVX2@
 CFLAGS_MMX = @CFLAGS_MMX@
 CFLAGS_PCLMUL = @CFLAGS_PCLMUL@
 CFLAGS_SSE2 = @CFLAGS_SSE2@
@@ -684,6 +717,12 @@ SODIUM_LIBRARY_VERSION_MAJOR = @SODIUM_LIBRARY_VERSION_MAJOR@
 SODIUM_LIBRARY_VERSION_MINOR = @SODIUM_LIBRARY_VERSION_MINOR@
 STRIP = @STRIP@
 TEST_LDFLAGS = @TEST_LDFLAGS@
+VALGRIND = @VALGRIND@
+VALGRIND_ENABLED = @VALGRIND_ENABLED@
+VALGRIND_HAVE_TOOL_drd = @VALGRIND_HAVE_TOOL_drd@
+VALGRIND_HAVE_TOOL_exp_sgcheck = @VALGRIND_HAVE_TOOL_exp_sgcheck@
+VALGRIND_HAVE_TOOL_helgrind = @VALGRIND_HAVE_TOOL_helgrind@
+VALGRIND_HAVE_TOOL_memcheck = @VALGRIND_HAVE_TOOL_memcheck@
 VERSION = @VERSION@
 abs_builddir = @abs_builddir@
 abs_srcdir = @abs_srcdir@
@@ -762,7 +801,6 @@ libsodium_la_SOURCES = \
 crypto_core/curve25519/ref10/base.h \
 crypto_core/curve25519/ref10/base2.h \
 crypto_core/curve25519/ref10/curve25519_ref10.c \
- crypto_core/curve25519/ref10/curve25519_ref10.h \
 crypto_core/hsalsa20/ref2/core_hsalsa20.c \
 crypto_core/hsalsa20/core_hsalsa20_api.c \
 crypto_core/salsa20/ref/core_salsa20.c \
@@ -774,8 +812,8 @@ libsodium_la_SOURCES = \
 crypto_generichash/blake2/ref/blake2b-compress-ref.c \
 crypto_generichash/blake2/ref/blake2b-load-sse2.h \
 crypto_generichash/blake2/ref/blake2b-load-sse41.h \
+ crypto_generichash/blake2/ref/blake2b-load-avx2.h \
 crypto_generichash/blake2/ref/blake2b-ref.c \
- crypto_generichash/blake2/ref/blake2b-round.h \
 crypto_generichash/blake2/ref/generichash_blake2b.c \
 crypto_hash/crypto_hash.c crypto_hash/sha256/hash_sha256_api.c \
 crypto_hash/sha256/cp/hash_sha256.c \
@@ -788,13 +826,24 @@ libsodium_la_SOURCES = \
 crypto_onetimeauth/poly1305/donna/poly1305_donna32.h \
 crypto_onetimeauth/poly1305/donna/poly1305_donna64.h \
 crypto_onetimeauth/poly1305/donna/poly1305_donna.c \
+ crypto_pwhash/argon2/argon2-core.c \
+ crypto_pwhash/argon2/argon2-core.h \
+ crypto_pwhash/argon2/argon2-encoding.c \
+ crypto_pwhash/argon2/argon2-encoding.h \
+ crypto_pwhash/argon2/argon2-fill-block-ref.c \
+ crypto_pwhash/argon2/argon2-impl.h \
+ crypto_pwhash/argon2/argon2.c crypto_pwhash/argon2/argon2.h \
+ crypto_pwhash/argon2/blake2b-long.c \
+ crypto_pwhash/argon2/blake2b-long.h \
+ crypto_pwhash/argon2/blamka-round-ref.h \
+ crypto_pwhash/argon2/pwhash_argon2i.c \
+ crypto_pwhash/crypto_pwhash.c \
 crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c \
 crypto_pwhash/scryptsalsa208sha256/crypto_scrypt.h \
 crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c \
 crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c \
 crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.h \
 crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c \
- crypto_pwhash/scryptsalsa208sha256/sysendian.h \
 crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c \
 crypto_scalarmult/crypto_scalarmult.c \
 crypto_scalarmult/curve25519/scalarmult_curve25519.c \
@@ -810,11 +859,12 @@ libsodium_la_SOURCES = \
 crypto_sign/ed25519/sign_ed25519_api.c \
 crypto_sign/ed25519/ref10/keypair.c \
 crypto_sign/ed25519/ref10/open.c \
- crypto_sign/ed25519/ref10/sign.c crypto_stream/crypto_stream.c \
+ crypto_sign/ed25519/ref10/sign.c \
 crypto_stream/chacha20/stream_chacha20.c \
 crypto_stream/chacha20/stream_chacha20.h \
 crypto_stream/chacha20/ref/stream_chacha20_ref.h \
 crypto_stream/chacha20/ref/stream_chacha20_ref.c \
+ crypto_stream/crypto_stream.c \
 crypto_stream/salsa20/stream_salsa20_api.c \
 crypto_stream/xsalsa20/stream_xsalsa20_api.c \
 crypto_stream/xsalsa20/ref/stream_xsalsa20.c \
@@ -824,11 +874,14 @@ libsodium_la_SOURCES = \
 crypto_verify/32/verify_32_api.c \
 crypto_verify/32/ref/verify_32.c \
 crypto_verify/64/verify_64_api.c \
- crypto_verify/64/ref/verify_64.c randombytes/randombytes.c \
- sodium/core.c sodium/runtime.c sodium/utils.c sodium/version.c \
- $(am__append_1) $(am__append_2) $(am__append_3) \
- $(am__append_4) $(am__append_5) $(am__append_6) \
- $(am__append_7) $(am__append_8) $(am__append_9)
+ crypto_verify/64/ref/verify_64.c \
+ include/sodium/private/common.h \
+ include/sodium/private/curve25519_ref10.h \
+ randombytes/randombytes.c sodium/core.c sodium/runtime.c \
+ sodium/utils.c sodium/version.c $(am__append_1) \
+ $(am__append_2) $(am__append_3) $(am__append_4) \
+ $(am__append_5) $(am__append_6) $(am__append_7) \
+ $(am__append_8) $(am__append_9)
 noinst_HEADERS = \
 crypto_scalarmult/curve25519/sandy2x/consts.S \
 crypto_scalarmult/curve25519/sandy2x/fe51_mul.S \
@@ -850,8 +903,8 @@ libsodium_la_CPPFLAGS = \
 SUBDIRS = \
 include
-libsodium_la_LIBADD = libaesni.la libsse2.la libssse3.la libsse41.la
-noinst_LTLIBRARIES = libaesni.la libsse2.la libssse3.la libsse41.la
+libsodium_la_LIBADD = libaesni.la libsse2.la libssse3.la libsse41.la libavx2.la
+noinst_LTLIBRARIES = libaesni.la libsse2.la libssse3.la libsse41.la libavx2.la
 libaesni_la_LDFLAGS = $(libsodium_la_LDFLAGS)
 libaesni_la_CPPFLAGS = $(libsodium_la_CPPFLAGS) \
 @CFLAGS_SSSE3@ @CFLAGS_AESNI@ @CFLAGS_PCLMUL@
@@ -874,6 +927,9 @@ libssse3_la_CPPFLAGS = $(libsodium_la_CPPFLAGS) \
 libssse3_la_SOURCES = \
 crypto_generichash/blake2/ref/blake2b-compress-ssse3.c \
+ crypto_generichash/blake2/ref/blake2b-compress-ssse3.h \
+ crypto_pwhash/argon2/argon2-fill-block-ssse3.c \
+ crypto_pwhash/argon2/blamka-round-ssse3.h \
 crypto_stream/chacha20/vec/stream_chacha20_vec.h \
 crypto_stream/chacha20/vec/stream_chacha20_vec.c
@@ -882,7 +938,16 @@ libsse41_la_CPPFLAGS = $(libsodium_la_CPPFLAGS) \
 @CFLAGS_SSE2@ @CFLAGS_SSSE3@ @CFLAGS_SSE41@
 libsse41_la_SOURCES = \
- crypto_generichash/blake2/ref/blake2b-compress-sse41.c
+ crypto_generichash/blake2/ref/blake2b-compress-sse41.c \
+ crypto_generichash/blake2/ref/blake2b-compress-sse41.h
+
+libavx2_la_LDFLAGS = $(libsodium_la_LDFLAGS)
+libavx2_la_CPPFLAGS = $(libsodium_la_CPPFLAGS) \
+ @CFLAGS_SSE2@ @CFLAGS_SSSE3@ @CFLAGS_SSE41@ @CFLAGS_AVX@ @CFLAGS_AVX2@
+
+libavx2_la_SOURCES = \
+ crypto_generichash/blake2/ref/blake2b-compress-avx2.c \
+ crypto_generichash/blake2/ref/blake2b-compress-avx2.h
 all: all-recursive
@@ -975,6 +1040,18 @@ crypto_aead/aes256gcm/aesni/libaesni_la-aead_aes256gcm_aesni.lo: \
 libaesni.la: $(libaesni_la_OBJECTS) $(libaesni_la_DEPENDENCIES) $(EXTRA_libaesni_la_DEPENDENCIES)
 $(AM_V_CCLD)$(libaesni_la_LINK) $(libaesni_la_OBJECTS) $(libaesni_la_LIBADD) $(LIBS)
+crypto_generichash/blake2/ref/$(am__dirstamp):
+ @$(MKDIR_P) crypto_generichash/blake2/ref
+ @: > crypto_generichash/blake2/ref/$(am__dirstamp)
+crypto_generichash/blake2/ref/$(DEPDIR)/$(am__dirstamp):
+ @$(MKDIR_P) crypto_generichash/blake2/ref/$(DEPDIR)
+ @: > crypto_generichash/blake2/ref/$(DEPDIR)/$(am__dirstamp)
+crypto_generichash/blake2/ref/libavx2_la-blake2b-compress-avx2.lo: \
+ crypto_generichash/blake2/ref/$(am__dirstamp) \
+ crypto_generichash/blake2/ref/$(DEPDIR)/$(am__dirstamp)
+
+libavx2.la: $(libavx2_la_OBJECTS) $(libavx2_la_DEPENDENCIES) $(EXTRA_libavx2_la_DEPENDENCIES)
+ $(AM_V_CCLD)$(libavx2_la_LINK) $(libavx2_la_OBJECTS) $(libavx2_la_LIBADD) $(LIBS)
 crypto_aead/chacha20poly1305/sodium/$(am__dirstamp):
 @$(MKDIR_P) crypto_aead/chacha20poly1305/sodium
 @: > crypto_aead/chacha20poly1305/sodium/$(am__dirstamp)
@@ -1159,12 +1236,6 @@ crypto_generichash/blake2/$(DEPDIR)/$(am__dirstamp):
 crypto_generichash/blake2/libsodium_la-generichash_blake2_api.lo: \
 crypto_generichash/blake2/$(am__dirstamp) \
 crypto_generichash/blake2/$(DEPDIR)/$(am__dirstamp)
-crypto_generichash/blake2/ref/$(am__dirstamp):
- @$(MKDIR_P) crypto_generichash/blake2/ref
- @: > crypto_generichash/blake2/ref/$(am__dirstamp)
-crypto_generichash/blake2/ref/$(DEPDIR)/$(am__dirstamp):
- @$(MKDIR_P) crypto_generichash/blake2/ref/$(DEPDIR)
- @: > crypto_generichash/blake2/ref/$(DEPDIR)/$(am__dirstamp)
 crypto_generichash/blake2/ref/libsodium_la-blake2b-compress-ref.lo: \
 crypto_generichash/blake2/ref/$(am__dirstamp) \
 crypto_generichash/blake2/ref/$(DEPDIR)/$(am__dirstamp)
@@ -1245,6 +1316,39 @@ crypto_onetimeauth/poly1305/donna/$(DEPDIR)/$(am__dirstamp):
 crypto_onetimeauth/poly1305/donna/libsodium_la-poly1305_donna.lo: \
 crypto_onetimeauth/poly1305/donna/$(am__dirstamp) \
 crypto_onetimeauth/poly1305/donna/$(DEPDIR)/$(am__dirstamp)
+crypto_pwhash/argon2/$(am__dirstamp):
+ @$(MKDIR_P) crypto_pwhash/argon2
+ @: > crypto_pwhash/argon2/$(am__dirstamp)
+crypto_pwhash/argon2/$(DEPDIR)/$(am__dirstamp):
+ @$(MKDIR_P) crypto_pwhash/argon2/$(DEPDIR)
+ @: > crypto_pwhash/argon2/$(DEPDIR)/$(am__dirstamp)
+crypto_pwhash/argon2/libsodium_la-argon2-core.lo: \
+ crypto_pwhash/argon2/$(am__dirstamp) \
+ crypto_pwhash/argon2/$(DEPDIR)/$(am__dirstamp)
+crypto_pwhash/argon2/libsodium_la-argon2-encoding.lo: \
+ crypto_pwhash/argon2/$(am__dirstamp) \
+ crypto_pwhash/argon2/$(DEPDIR)/$(am__dirstamp)
+crypto_pwhash/argon2/libsodium_la-argon2-fill-block-ref.lo: \
+ crypto_pwhash/argon2/$(am__dirstamp) \
+ crypto_pwhash/argon2/$(DEPDIR)/$(am__dirstamp)
+crypto_pwhash/argon2/libsodium_la-argon2.lo: \
+ crypto_pwhash/argon2/$(am__dirstamp) \
+ crypto_pwhash/argon2/$(DEPDIR)/$(am__dirstamp)
+crypto_pwhash/argon2/libsodium_la-blake2b-long.lo: \
+ crypto_pwhash/argon2/$(am__dirstamp) \
+ crypto_pwhash/argon2/$(DEPDIR)/$(am__dirstamp)
+crypto_pwhash/argon2/libsodium_la-pwhash_argon2i.lo: \
+ crypto_pwhash/argon2/$(am__dirstamp) \
+ crypto_pwhash/argon2/$(DEPDIR)/$(am__dirstamp)
+crypto_pwhash/$(am__dirstamp):
+ @$(MKDIR_P) crypto_pwhash
+ @: > crypto_pwhash/$(am__dirstamp)
+crypto_pwhash/$(DEPDIR)/$(am__dirstamp):
+ @$(MKDIR_P) crypto_pwhash/$(DEPDIR)
+ @: > crypto_pwhash/$(DEPDIR)/$(am__dirstamp)
+crypto_pwhash/libsodium_la-crypto_pwhash.lo: \
+ crypto_pwhash/$(am__dirstamp) \
+ crypto_pwhash/$(DEPDIR)/$(am__dirstamp)
 crypto_pwhash/scryptsalsa208sha256/$(am__dirstamp):
 @$(MKDIR_P) crypto_pwhash/scryptsalsa208sha256
 @: > crypto_pwhash/scryptsalsa208sha256/$(am__dirstamp)
@@ -1379,15 +1483,6 @@ crypto_sign/ed25519/ref10/libsodium_la-open.lo: \
 crypto_sign/ed25519/ref10/libsodium_la-sign.lo: \
 crypto_sign/ed25519/ref10/$(am__dirstamp) \
 crypto_sign/ed25519/ref10/$(DEPDIR)/$(am__dirstamp)
-crypto_stream/$(am__dirstamp):
- @$(MKDIR_P) crypto_stream
- @: > crypto_stream/$(am__dirstamp)
-crypto_stream/$(DEPDIR)/$(am__dirstamp):
- @$(MKDIR_P) crypto_stream/$(DEPDIR)
- @: > crypto_stream/$(DEPDIR)/$(am__dirstamp)
-crypto_stream/libsodium_la-crypto_stream.lo: \
- crypto_stream/$(am__dirstamp) \
- crypto_stream/$(DEPDIR)/$(am__dirstamp)
 crypto_stream/chacha20/$(am__dirstamp):
 @$(MKDIR_P) crypto_stream/chacha20
 @: > crypto_stream/chacha20/$(am__dirstamp)
@@ -1406,6 +1501,15 @@ crypto_stream/chacha20/ref/$(DEPDIR)/$(am__dirstamp):
 crypto_stream/chacha20/ref/libsodium_la-stream_chacha20_ref.lo: \
 crypto_stream/chacha20/ref/$(am__dirstamp) \
 crypto_stream/chacha20/ref/$(DEPDIR)/$(am__dirstamp)
+crypto_stream/$(am__dirstamp):
+ @$(MKDIR_P) crypto_stream
+ @: > crypto_stream/$(am__dirstamp)
+crypto_stream/$(DEPDIR)/$(am__dirstamp):
+ @$(MKDIR_P) crypto_stream/$(DEPDIR)
+ @: > crypto_stream/$(DEPDIR)/$(am__dirstamp)
+crypto_stream/libsodium_la-crypto_stream.lo: \
+ crypto_stream/$(am__dirstamp) \
+ crypto_stream/$(DEPDIR)/$(am__dirstamp)
 crypto_stream/salsa20/$(am__dirstamp):
 @$(MKDIR_P) crypto_stream/salsa20
 @: > crypto_stream/salsa20/$(am__dirstamp)
@@ -1596,6 +1700,15 @@ crypto_stream/salsa20/ref/libsodium_la-stream_salsa20_ref.lo: \
 crypto_stream/salsa20/ref/libsodium_la-xor_salsa20_ref.lo: \
 crypto_stream/salsa20/ref/$(am__dirstamp) \
 crypto_stream/salsa20/ref/$(DEPDIR)/$(am__dirstamp)
+crypto_core/hchacha20/$(am__dirstamp):
+ @$(MKDIR_P) crypto_core/hchacha20
+ @: > crypto_core/hchacha20/$(am__dirstamp)
+crypto_core/hchacha20/$(DEPDIR)/$(am__dirstamp):
+ @$(MKDIR_P) crypto_core/hchacha20/$(DEPDIR)
+ @: > crypto_core/hchacha20/$(DEPDIR)/$(am__dirstamp)
+crypto_core/hchacha20/libsodium_la-core_hchacha20.lo: \
+ crypto_core/hchacha20/$(am__dirstamp) \
+ crypto_core/hchacha20/$(DEPDIR)/$(am__dirstamp)
 crypto_core/salsa2012/ref/$(am__dirstamp):
 @$(MKDIR_P) crypto_core/salsa2012/ref
 @: > crypto_core/salsa2012/ref/$(am__dirstamp)
@@ -1656,9 +1769,6 @@ crypto_stream/aes128ctr/libsodium_la-stream_aes128ctr_api.lo: \
 crypto_stream/aes128ctr/portable/libsodium_la-beforenm_aes128ctr.lo: \
 crypto_stream/aes128ctr/portable/$(am__dirstamp) \
 crypto_stream/aes128ctr/portable/$(DEPDIR)/$(am__dirstamp)
-crypto_stream/aes128ctr/portable/libsodium_la-common_aes128ctr.lo: \
- crypto_stream/aes128ctr/portable/$(am__dirstamp) \
- crypto_stream/aes128ctr/portable/$(DEPDIR)/$(am__dirstamp)
 crypto_stream/aes128ctr/portable/libsodium_la-consts_aes128ctr.lo: \
 crypto_stream/aes128ctr/portable/$(am__dirstamp) \
 crypto_stream/aes128ctr/portable/$(DEPDIR)/$(am__dirstamp)
@@ -1746,6 +1856,9 @@ libsse41.la: $(libsse41_la_OBJECTS) $(libsse41_la_DEPENDENCIES) $(EXTRA_libsse41
 crypto_generichash/blake2/ref/libssse3_la-blake2b-compress-ssse3.lo: \
 crypto_generichash/blake2/ref/$(am__dirstamp) \
 crypto_generichash/blake2/ref/$(DEPDIR)/$(am__dirstamp)
+crypto_pwhash/argon2/libssse3_la-argon2-fill-block-ssse3.lo: \
+ crypto_pwhash/argon2/$(am__dirstamp) \
+ crypto_pwhash/argon2/$(DEPDIR)/$(am__dirstamp)
 crypto_stream/chacha20/vec/$(am__dirstamp):
 @$(MKDIR_P) crypto_stream/chacha20/vec
 @: > crypto_stream/chacha20/vec/$(am__dirstamp)
@@ -1787,6 +1900,8 @@ mostlyclean-compile:
 -rm -f crypto_box/curve25519xsalsa20poly1305/ref/*.lo
 -rm -f crypto_core/curve25519/ref10/*.$(OBJEXT)
 -rm -f crypto_core/curve25519/ref10/*.lo
+ -rm -f crypto_core/hchacha20/*.$(OBJEXT)
+ -rm -f crypto_core/hchacha20/*.lo
 -rm -f crypto_core/hsalsa20/*.$(OBJEXT)
 -rm -f crypto_core/hsalsa20/*.lo
 -rm -f crypto_core/hsalsa20/ref2/*.$(OBJEXT)
@@ -1827,6 +1942,10 @@ mostlyclean-compile:
 -rm -f crypto_onetimeauth/poly1305/donna/*.lo
 -rm -f crypto_onetimeauth/poly1305/sse2/*.$(OBJEXT)
 -rm -f crypto_onetimeauth/poly1305/sse2/*.lo
+ -rm -f crypto_pwhash/*.$(OBJEXT)
+ -rm -f crypto_pwhash/*.lo
+ -rm -f crypto_pwhash/argon2/*.$(OBJEXT)
+ -rm -f crypto_pwhash/argon2/*.lo
 -rm -f crypto_pwhash/scryptsalsa208sha256/*.$(OBJEXT)
 -rm -f crypto_pwhash/scryptsalsa208sha256/*.lo
 -rm -f crypto_pwhash/scryptsalsa208sha256/nosse/*.$(OBJEXT)
@@ -1938,6 +2057,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_box/curve25519xsalsa20poly1305/ref/$(DEPDIR)/libsodium_la-box_curve25519xsalsa20poly1305.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_box/curve25519xsalsa20poly1305/ref/$(DEPDIR)/libsodium_la-keypair_curve25519xsalsa20poly1305.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_core/curve25519/ref10/$(DEPDIR)/libsodium_la-curve25519_ref10.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto_core/hchacha20/$(DEPDIR)/libsodium_la-core_hchacha20.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_core/hsalsa20/$(DEPDIR)/libsodium_la-core_hsalsa20_api.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_core/hsalsa20/ref2/$(DEPDIR)/libsodium_la-core_hsalsa20.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_core/salsa20/$(DEPDIR)/libsodium_la-core_salsa20_api.Plo@am__quote@
@@ -1948,6 +2068,7 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_core/salsa208/ref/$(DEPDIR)/libsodium_la-core_salsa208.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_generichash/$(DEPDIR)/libsodium_la-crypto_generichash.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_generichash/blake2/$(DEPDIR)/libsodium_la-generichash_blake2_api.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto_generichash/blake2/ref/$(DEPDIR)/libavx2_la-blake2b-compress-avx2.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_generichash/blake2/ref/$(DEPDIR)/libsodium_la-blake2b-compress-ref.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_generichash/blake2/ref/$(DEPDIR)/libsodium_la-blake2b-ref.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_generichash/blake2/ref/$(DEPDIR)/libsodium_la-generichash_blake2b.Plo@am__quote@
@@ -1962,6 +2083,14 @@ distclean-compile:
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_onetimeauth/poly1305/$(DEPDIR)/libsodium_la-onetimeauth_poly1305.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_onetimeauth/poly1305/donna/$(DEPDIR)/libsodium_la-poly1305_donna.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_onetimeauth/poly1305/sse2/$(DEPDIR)/libsse2_la-poly1305_sse2.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto_pwhash/$(DEPDIR)/libsodium_la-crypto_pwhash.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-argon2-core.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-argon2-encoding.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-argon2-fill-block-ref.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-argon2.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-blake2b-long.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-pwhash_argon2i.Plo@am__quote@
+@AMDEP_TRUE@@am__include@ @am__quote@crypto_pwhash/argon2/$(DEPDIR)/libssse3_la-argon2-fill-block-ssse3.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_pwhash/scryptsalsa208sha256/$(DEPDIR)/libsodium_la-crypto_scrypt-common.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_pwhash/scryptsalsa208sha256/$(DEPDIR)/libsodium_la-pbkdf2-sha256.Plo@am__quote@
 @AMDEP_TRUE@@am__include@ @am__quote@crypto_pwhash/scryptsalsa208sha256/$(DEPDIR)/libsodium_la-pwhash_scryptsalsa208sha256.Plo@am__quote@
@@ -1993,7 +2122,6 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@crypto_stream/aes128ctr/$(DEPDIR)/libsodium_la-stream_aes128ctr_api.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto_stream/aes128ctr/portable/$(DEPDIR)/libsodium_la-afternm_aes128ctr.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto_stream/aes128ctr/portable/$(DEPDIR)/libsodium_la-beforenm_aes128ctr.Plo@am__quote@ -@AMDEP_TRUE@@am__include@ @am__quote@crypto_stream/aes128ctr/portable/$(DEPDIR)/libsodium_la-common_aes128ctr.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto_stream/aes128ctr/portable/$(DEPDIR)/libsodium_la-consts_aes128ctr.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto_stream/aes128ctr/portable/$(DEPDIR)/libsodium_la-int128_aes128ctr.Plo@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@crypto_stream/aes128ctr/portable/$(DEPDIR)/libsodium_la-stream_aes128ctr.Plo@am__quote@ 
@@ -2098,6 +2226,13 @@ crypto_aead/aes256gcm/aesni/libaesni_la-aead_aes256gcm_aesni.lo: crypto_aead/aes @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libaesni_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_aead/aes256gcm/aesni/libaesni_la-aead_aes256gcm_aesni.lo `test -f 'crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c' || echo '$(srcdir)/'`crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c +crypto_generichash/blake2/ref/libavx2_la-blake2b-compress-avx2.lo: crypto_generichash/blake2/ref/blake2b-compress-avx2.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libavx2_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_generichash/blake2/ref/libavx2_la-blake2b-compress-avx2.lo -MD -MP -MF crypto_generichash/blake2/ref/$(DEPDIR)/libavx2_la-blake2b-compress-avx2.Tpo -c -o crypto_generichash/blake2/ref/libavx2_la-blake2b-compress-avx2.lo `test -f 'crypto_generichash/blake2/ref/blake2b-compress-avx2.c' || echo '$(srcdir)/'`crypto_generichash/blake2/ref/blake2b-compress-avx2.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_generichash/blake2/ref/$(DEPDIR)/libavx2_la-blake2b-compress-avx2.Tpo crypto_generichash/blake2/ref/$(DEPDIR)/libavx2_la-blake2b-compress-avx2.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto_generichash/blake2/ref/blake2b-compress-avx2.c' object='crypto_generichash/blake2/ref/libavx2_la-blake2b-compress-avx2.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) 
$(INCLUDES) $(libavx2_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_generichash/blake2/ref/libavx2_la-blake2b-compress-avx2.lo `test -f 'crypto_generichash/blake2/ref/blake2b-compress-avx2.c' || echo '$(srcdir)/'`crypto_generichash/blake2/ref/blake2b-compress-avx2.c + crypto_aead/chacha20poly1305/sodium/libsodium_la-aead_chacha20poly1305.lo: crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_aead/chacha20poly1305/sodium/libsodium_la-aead_chacha20poly1305.lo -MD -MP -MF crypto_aead/chacha20poly1305/sodium/$(DEPDIR)/libsodium_la-aead_chacha20poly1305.Tpo -c -o crypto_aead/chacha20poly1305/sodium/libsodium_la-aead_chacha20poly1305.lo `test -f 'crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c' || echo '$(srcdir)/'`crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_aead/chacha20poly1305/sodium/$(DEPDIR)/libsodium_la-aead_chacha20poly1305.Tpo crypto_aead/chacha20poly1305/sodium/$(DEPDIR)/libsodium_la-aead_chacha20poly1305.Plo 
@@ -2357,6 +2492,55 @@ crypto_onetimeauth/poly1305/donna/libsodium_la-poly1305_donna.lo: crypto_onetime @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_onetimeauth/poly1305/donna/libsodium_la-poly1305_donna.lo `test -f 'crypto_onetimeauth/poly1305/donna/poly1305_donna.c' || echo '$(srcdir)/'`crypto_onetimeauth/poly1305/donna/poly1305_donna.c +crypto_pwhash/argon2/libsodium_la-argon2-core.lo: crypto_pwhash/argon2/argon2-core.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_pwhash/argon2/libsodium_la-argon2-core.lo -MD -MP -MF crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-argon2-core.Tpo -c -o crypto_pwhash/argon2/libsodium_la-argon2-core.lo `test -f 'crypto_pwhash/argon2/argon2-core.c' || echo '$(srcdir)/'`crypto_pwhash/argon2/argon2-core.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-argon2-core.Tpo crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-argon2-core.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto_pwhash/argon2/argon2-core.c' object='crypto_pwhash/argon2/libsodium_la-argon2-core.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_pwhash/argon2/libsodium_la-argon2-core.lo `test -f 'crypto_pwhash/argon2/argon2-core.c' || echo 
'$(srcdir)/'`crypto_pwhash/argon2/argon2-core.c + +crypto_pwhash/argon2/libsodium_la-argon2-encoding.lo: crypto_pwhash/argon2/argon2-encoding.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_pwhash/argon2/libsodium_la-argon2-encoding.lo -MD -MP -MF crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-argon2-encoding.Tpo -c -o crypto_pwhash/argon2/libsodium_la-argon2-encoding.lo `test -f 'crypto_pwhash/argon2/argon2-encoding.c' || echo '$(srcdir)/'`crypto_pwhash/argon2/argon2-encoding.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-argon2-encoding.Tpo crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-argon2-encoding.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto_pwhash/argon2/argon2-encoding.c' object='crypto_pwhash/argon2/libsodium_la-argon2-encoding.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_pwhash/argon2/libsodium_la-argon2-encoding.lo `test -f 'crypto_pwhash/argon2/argon2-encoding.c' || echo '$(srcdir)/'`crypto_pwhash/argon2/argon2-encoding.c + +crypto_pwhash/argon2/libsodium_la-argon2-fill-block-ref.lo: crypto_pwhash/argon2/argon2-fill-block-ref.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_pwhash/argon2/libsodium_la-argon2-fill-block-ref.lo -MD -MP -MF crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-argon2-fill-block-ref.Tpo -c -o 
crypto_pwhash/argon2/libsodium_la-argon2-fill-block-ref.lo `test -f 'crypto_pwhash/argon2/argon2-fill-block-ref.c' || echo '$(srcdir)/'`crypto_pwhash/argon2/argon2-fill-block-ref.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-argon2-fill-block-ref.Tpo crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-argon2-fill-block-ref.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto_pwhash/argon2/argon2-fill-block-ref.c' object='crypto_pwhash/argon2/libsodium_la-argon2-fill-block-ref.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_pwhash/argon2/libsodium_la-argon2-fill-block-ref.lo `test -f 'crypto_pwhash/argon2/argon2-fill-block-ref.c' || echo '$(srcdir)/'`crypto_pwhash/argon2/argon2-fill-block-ref.c + +crypto_pwhash/argon2/libsodium_la-argon2.lo: crypto_pwhash/argon2/argon2.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_pwhash/argon2/libsodium_la-argon2.lo -MD -MP -MF crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-argon2.Tpo -c -o crypto_pwhash/argon2/libsodium_la-argon2.lo `test -f 'crypto_pwhash/argon2/argon2.c' || echo '$(srcdir)/'`crypto_pwhash/argon2/argon2.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-argon2.Tpo crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-argon2.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto_pwhash/argon2/argon2.c' object='crypto_pwhash/argon2/libsodium_la-argon2.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) 
$(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_pwhash/argon2/libsodium_la-argon2.lo `test -f 'crypto_pwhash/argon2/argon2.c' || echo '$(srcdir)/'`crypto_pwhash/argon2/argon2.c + +crypto_pwhash/argon2/libsodium_la-blake2b-long.lo: crypto_pwhash/argon2/blake2b-long.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_pwhash/argon2/libsodium_la-blake2b-long.lo -MD -MP -MF crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-blake2b-long.Tpo -c -o crypto_pwhash/argon2/libsodium_la-blake2b-long.lo `test -f 'crypto_pwhash/argon2/blake2b-long.c' || echo '$(srcdir)/'`crypto_pwhash/argon2/blake2b-long.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-blake2b-long.Tpo crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-blake2b-long.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto_pwhash/argon2/blake2b-long.c' object='crypto_pwhash/argon2/libsodium_la-blake2b-long.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_pwhash/argon2/libsodium_la-blake2b-long.lo `test -f 'crypto_pwhash/argon2/blake2b-long.c' || echo '$(srcdir)/'`crypto_pwhash/argon2/blake2b-long.c + +crypto_pwhash/argon2/libsodium_la-pwhash_argon2i.lo: crypto_pwhash/argon2/pwhash_argon2i.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC 
$(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_pwhash/argon2/libsodium_la-pwhash_argon2i.lo -MD -MP -MF crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-pwhash_argon2i.Tpo -c -o crypto_pwhash/argon2/libsodium_la-pwhash_argon2i.lo `test -f 'crypto_pwhash/argon2/pwhash_argon2i.c' || echo '$(srcdir)/'`crypto_pwhash/argon2/pwhash_argon2i.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-pwhash_argon2i.Tpo crypto_pwhash/argon2/$(DEPDIR)/libsodium_la-pwhash_argon2i.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto_pwhash/argon2/pwhash_argon2i.c' object='crypto_pwhash/argon2/libsodium_la-pwhash_argon2i.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_pwhash/argon2/libsodium_la-pwhash_argon2i.lo `test -f 'crypto_pwhash/argon2/pwhash_argon2i.c' || echo '$(srcdir)/'`crypto_pwhash/argon2/pwhash_argon2i.c + +crypto_pwhash/libsodium_la-crypto_pwhash.lo: crypto_pwhash/crypto_pwhash.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_pwhash/libsodium_la-crypto_pwhash.lo -MD -MP -MF crypto_pwhash/$(DEPDIR)/libsodium_la-crypto_pwhash.Tpo -c -o crypto_pwhash/libsodium_la-crypto_pwhash.lo `test -f 'crypto_pwhash/crypto_pwhash.c' || echo '$(srcdir)/'`crypto_pwhash/crypto_pwhash.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_pwhash/$(DEPDIR)/libsodium_la-crypto_pwhash.Tpo crypto_pwhash/$(DEPDIR)/libsodium_la-crypto_pwhash.Plo 
+@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto_pwhash/crypto_pwhash.c' object='crypto_pwhash/libsodium_la-crypto_pwhash.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_pwhash/libsodium_la-crypto_pwhash.lo `test -f 'crypto_pwhash/crypto_pwhash.c' || echo '$(srcdir)/'`crypto_pwhash/crypto_pwhash.c + crypto_pwhash/scryptsalsa208sha256/libsodium_la-crypto_scrypt-common.lo: crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_pwhash/scryptsalsa208sha256/libsodium_la-crypto_scrypt-common.lo -MD -MP -MF crypto_pwhash/scryptsalsa208sha256/$(DEPDIR)/libsodium_la-crypto_scrypt-common.Tpo -c -o crypto_pwhash/scryptsalsa208sha256/libsodium_la-crypto_scrypt-common.lo `test -f 'crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c' || echo '$(srcdir)/'`crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_pwhash/scryptsalsa208sha256/$(DEPDIR)/libsodium_la-crypto_scrypt-common.Tpo crypto_pwhash/scryptsalsa208sha256/$(DEPDIR)/libsodium_la-crypto_scrypt-common.Plo 
@@ -2490,13 +2674,6 @@ crypto_sign/ed25519/ref10/libsodium_la-sign.lo: crypto_sign/ed25519/ref10/sign.c @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_sign/ed25519/ref10/libsodium_la-sign.lo `test -f 'crypto_sign/ed25519/ref10/sign.c' || echo '$(srcdir)/'`crypto_sign/ed25519/ref10/sign.c -crypto_stream/libsodium_la-crypto_stream.lo: crypto_stream/crypto_stream.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_stream/libsodium_la-crypto_stream.lo -MD -MP -MF crypto_stream/$(DEPDIR)/libsodium_la-crypto_stream.Tpo -c -o crypto_stream/libsodium_la-crypto_stream.lo `test -f 'crypto_stream/crypto_stream.c' || echo '$(srcdir)/'`crypto_stream/crypto_stream.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_stream/$(DEPDIR)/libsodium_la-crypto_stream.Tpo crypto_stream/$(DEPDIR)/libsodium_la-crypto_stream.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto_stream/crypto_stream.c' object='crypto_stream/libsodium_la-crypto_stream.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_stream/libsodium_la-crypto_stream.lo `test -f 'crypto_stream/crypto_stream.c' || echo '$(srcdir)/'`crypto_stream/crypto_stream.c - crypto_stream/chacha20/libsodium_la-stream_chacha20.lo: 
crypto_stream/chacha20/stream_chacha20.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_stream/chacha20/libsodium_la-stream_chacha20.lo -MD -MP -MF crypto_stream/chacha20/$(DEPDIR)/libsodium_la-stream_chacha20.Tpo -c -o crypto_stream/chacha20/libsodium_la-stream_chacha20.lo `test -f 'crypto_stream/chacha20/stream_chacha20.c' || echo '$(srcdir)/'`crypto_stream/chacha20/stream_chacha20.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_stream/chacha20/$(DEPDIR)/libsodium_la-stream_chacha20.Tpo crypto_stream/chacha20/$(DEPDIR)/libsodium_la-stream_chacha20.Plo 
@@ -2511,6 +2688,13 @@ crypto_stream/chacha20/ref/libsodium_la-stream_chacha20_ref.lo: crypto_stream/ch @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_stream/chacha20/ref/libsodium_la-stream_chacha20_ref.lo `test -f 'crypto_stream/chacha20/ref/stream_chacha20_ref.c' || echo '$(srcdir)/'`crypto_stream/chacha20/ref/stream_chacha20_ref.c +crypto_stream/libsodium_la-crypto_stream.lo: crypto_stream/crypto_stream.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_stream/libsodium_la-crypto_stream.lo -MD -MP -MF crypto_stream/$(DEPDIR)/libsodium_la-crypto_stream.Tpo -c -o crypto_stream/libsodium_la-crypto_stream.lo `test -f 'crypto_stream/crypto_stream.c' || echo '$(srcdir)/'`crypto_stream/crypto_stream.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_stream/$(DEPDIR)/libsodium_la-crypto_stream.Tpo crypto_stream/$(DEPDIR)/libsodium_la-crypto_stream.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto_stream/crypto_stream.c' object='crypto_stream/libsodium_la-crypto_stream.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_stream/libsodium_la-crypto_stream.lo `test -f 'crypto_stream/crypto_stream.c' || echo '$(srcdir)/'`crypto_stream/crypto_stream.c + 
crypto_stream/salsa20/libsodium_la-stream_salsa20_api.lo: crypto_stream/salsa20/stream_salsa20_api.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_stream/salsa20/libsodium_la-stream_salsa20_api.lo -MD -MP -MF crypto_stream/salsa20/$(DEPDIR)/libsodium_la-stream_salsa20_api.Tpo -c -o crypto_stream/salsa20/libsodium_la-stream_salsa20_api.lo `test -f 'crypto_stream/salsa20/stream_salsa20_api.c' || echo '$(srcdir)/'`crypto_stream/salsa20/stream_salsa20_api.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_stream/salsa20/$(DEPDIR)/libsodium_la-stream_salsa20_api.Tpo crypto_stream/salsa20/$(DEPDIR)/libsodium_la-stream_salsa20_api.Plo 
@@ -2686,6 +2870,13 @@ crypto_stream/salsa20/ref/libsodium_la-xor_salsa20_ref.lo: crypto_stream/salsa20 @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_stream/salsa20/ref/libsodium_la-xor_salsa20_ref.lo `test -f 'crypto_stream/salsa20/ref/xor_salsa20_ref.c' || echo '$(srcdir)/'`crypto_stream/salsa20/ref/xor_salsa20_ref.c +crypto_core/hchacha20/libsodium_la-core_hchacha20.lo: crypto_core/hchacha20/core_hchacha20.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_core/hchacha20/libsodium_la-core_hchacha20.lo -MD -MP -MF crypto_core/hchacha20/$(DEPDIR)/libsodium_la-core_hchacha20.Tpo -c -o crypto_core/hchacha20/libsodium_la-core_hchacha20.lo `test -f 'crypto_core/hchacha20/core_hchacha20.c' || echo '$(srcdir)/'`crypto_core/hchacha20/core_hchacha20.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_core/hchacha20/$(DEPDIR)/libsodium_la-core_hchacha20.Tpo crypto_core/hchacha20/$(DEPDIR)/libsodium_la-core_hchacha20.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto_core/hchacha20/core_hchacha20.c' object='crypto_core/hchacha20/libsodium_la-core_hchacha20.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_core/hchacha20/libsodium_la-core_hchacha20.lo `test -f 
'crypto_core/hchacha20/core_hchacha20.c' || echo '$(srcdir)/'`crypto_core/hchacha20/core_hchacha20.c + crypto_core/salsa2012/ref/libsodium_la-core_salsa2012.lo: crypto_core/salsa2012/ref/core_salsa2012.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_core/salsa2012/ref/libsodium_la-core_salsa2012.lo -MD -MP -MF crypto_core/salsa2012/ref/$(DEPDIR)/libsodium_la-core_salsa2012.Tpo -c -o crypto_core/salsa2012/ref/libsodium_la-core_salsa2012.lo `test -f 'crypto_core/salsa2012/ref/core_salsa2012.c' || echo '$(srcdir)/'`crypto_core/salsa2012/ref/core_salsa2012.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_core/salsa2012/ref/$(DEPDIR)/libsodium_la-core_salsa2012.Tpo crypto_core/salsa2012/ref/$(DEPDIR)/libsodium_la-core_salsa2012.Plo 
@@ -2742,13 +2933,6 @@ crypto_stream/aes128ctr/portable/libsodium_la-beforenm_aes128ctr.lo: crypto_stre @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_stream/aes128ctr/portable/libsodium_la-beforenm_aes128ctr.lo `test -f 'crypto_stream/aes128ctr/portable/beforenm_aes128ctr.c' || echo '$(srcdir)/'`crypto_stream/aes128ctr/portable/beforenm_aes128ctr.c -crypto_stream/aes128ctr/portable/libsodium_la-common_aes128ctr.lo: crypto_stream/aes128ctr/portable/common_aes128ctr.c -@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_stream/aes128ctr/portable/libsodium_la-common_aes128ctr.lo -MD -MP -MF crypto_stream/aes128ctr/portable/$(DEPDIR)/libsodium_la-common_aes128ctr.Tpo -c -o crypto_stream/aes128ctr/portable/libsodium_la-common_aes128ctr.lo `test -f 'crypto_stream/aes128ctr/portable/common_aes128ctr.c' || echo '$(srcdir)/'`crypto_stream/aes128ctr/portable/common_aes128ctr.c -@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_stream/aes128ctr/portable/$(DEPDIR)/libsodium_la-common_aes128ctr.Tpo crypto_stream/aes128ctr/portable/$(DEPDIR)/libsodium_la-common_aes128ctr.Plo -@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto_stream/aes128ctr/portable/common_aes128ctr.c' object='crypto_stream/aes128ctr/portable/libsodium_la-common_aes128ctr.lo' libtool=yes @AMDEPBACKSLASH@ -@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ -@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) 
$(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_stream/aes128ctr/portable/libsodium_la-common_aes128ctr.lo `test -f 'crypto_stream/aes128ctr/portable/common_aes128ctr.c' || echo '$(srcdir)/'`crypto_stream/aes128ctr/portable/common_aes128ctr.c - crypto_stream/aes128ctr/portable/libsodium_la-consts_aes128ctr.lo: crypto_stream/aes128ctr/portable/consts_aes128ctr.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libsodium_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_stream/aes128ctr/portable/libsodium_la-consts_aes128ctr.lo -MD -MP -MF crypto_stream/aes128ctr/portable/$(DEPDIR)/libsodium_la-consts_aes128ctr.Tpo -c -o crypto_stream/aes128ctr/portable/libsodium_la-consts_aes128ctr.lo `test -f 'crypto_stream/aes128ctr/portable/consts_aes128ctr.c' || echo '$(srcdir)/'`crypto_stream/aes128ctr/portable/consts_aes128ctr.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_stream/aes128ctr/portable/$(DEPDIR)/libsodium_la-consts_aes128ctr.Tpo crypto_stream/aes128ctr/portable/$(DEPDIR)/libsodium_la-consts_aes128ctr.Plo 
@@ -2847,6 +3031,13 @@ crypto_generichash/blake2/ref/libssse3_la-blake2b-compress-ssse3.lo: crypto_gene @AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ @am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libssse3_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -c -o crypto_generichash/blake2/ref/libssse3_la-blake2b-compress-ssse3.lo `test -f 'crypto_generichash/blake2/ref/blake2b-compress-ssse3.c' || echo '$(srcdir)/'`crypto_generichash/blake2/ref/blake2b-compress-ssse3.c +crypto_pwhash/argon2/libssse3_la-argon2-fill-block-ssse3.lo: crypto_pwhash/argon2/argon2-fill-block-ssse3.c +@am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libssse3_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_pwhash/argon2/libssse3_la-argon2-fill-block-ssse3.lo -MD -MP -MF crypto_pwhash/argon2/$(DEPDIR)/libssse3_la-argon2-fill-block-ssse3.Tpo -c -o crypto_pwhash/argon2/libssse3_la-argon2-fill-block-ssse3.lo `test -f 'crypto_pwhash/argon2/argon2-fill-block-ssse3.c' || echo '$(srcdir)/'`crypto_pwhash/argon2/argon2-fill-block-ssse3.c +@am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_pwhash/argon2/$(DEPDIR)/libssse3_la-argon2-fill-block-ssse3.Tpo crypto_pwhash/argon2/$(DEPDIR)/libssse3_la-argon2-fill-block-ssse3.Plo +@AMDEP_TRUE@@am__fastdepCC_FALSE@ $(AM_V_CC)source='crypto_pwhash/argon2/argon2-fill-block-ssse3.c' object='crypto_pwhash/argon2/libssse3_la-argon2-fill-block-ssse3.lo' libtool=yes @AMDEPBACKSLASH@ +@AMDEP_TRUE@@am__fastdepCC_FALSE@ DEPDIR=$(DEPDIR) $(CCDEPMODE) $(depcomp) @AMDEPBACKSLASH@ +@am__fastdepCC_FALSE@ $(AM_V_CC@am__nodep@)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libssse3_la_CPPFLAGS) $(CPPFLAGS) 
$(AM_CFLAGS) $(CFLAGS) -c -o crypto_pwhash/argon2/libssse3_la-argon2-fill-block-ssse3.lo `test -f 'crypto_pwhash/argon2/argon2-fill-block-ssse3.c' || echo '$(srcdir)/'`crypto_pwhash/argon2/argon2-fill-block-ssse3.c + crypto_stream/chacha20/vec/libssse3_la-stream_chacha20_vec.lo: crypto_stream/chacha20/vec/stream_chacha20_vec.c @am__fastdepCC_TRUE@ $(AM_V_CC)$(LIBTOOL) $(AM_V_lt) --tag=CC $(AM_LIBTOOLFLAGS) $(LIBTOOLFLAGS) --mode=compile $(CC) $(DEFS) $(DEFAULT_INCLUDES) $(INCLUDES) $(libssse3_la_CPPFLAGS) $(CPPFLAGS) $(AM_CFLAGS) $(CFLAGS) -MT crypto_stream/chacha20/vec/libssse3_la-stream_chacha20_vec.lo -MD -MP -MF crypto_stream/chacha20/vec/$(DEPDIR)/libssse3_la-stream_chacha20_vec.Tpo -c -o crypto_stream/chacha20/vec/libssse3_la-stream_chacha20_vec.lo `test -f 'crypto_stream/chacha20/vec/stream_chacha20_vec.c' || echo '$(srcdir)/'`crypto_stream/chacha20/vec/stream_chacha20_vec.c @am__fastdepCC_TRUE@ $(AM_V_at)$(am__mv) crypto_stream/chacha20/vec/$(DEPDIR)/libssse3_la-stream_chacha20_vec.Tpo crypto_stream/chacha20/vec/$(DEPDIR)/libssse3_la-stream_chacha20_vec.Plo @@ -2872,6 +3063,7 @@ clean-libtool: -rm -rf crypto_box/curve25519xsalsa20poly1305/.libs crypto_box/curve25519xsalsa20poly1305/_libs -rm -rf crypto_box/curve25519xsalsa20poly1305/ref/.libs crypto_box/curve25519xsalsa20poly1305/ref/_libs -rm -rf crypto_core/curve25519/ref10/.libs crypto_core/curve25519/ref10/_libs + -rm -rf crypto_core/hchacha20/.libs crypto_core/hchacha20/_libs -rm -rf crypto_core/hsalsa20/.libs crypto_core/hsalsa20/_libs -rm -rf crypto_core/hsalsa20/ref2/.libs crypto_core/hsalsa20/ref2/_libs -rm -rf crypto_core/salsa20/.libs crypto_core/salsa20/_libs 
@@ -2892,6 +3084,8 @@ clean-libtool: -rm -rf crypto_onetimeauth/poly1305/.libs crypto_onetimeauth/poly1305/_libs -rm -rf crypto_onetimeauth/poly1305/donna/.libs crypto_onetimeauth/poly1305/donna/_libs -rm -rf crypto_onetimeauth/poly1305/sse2/.libs crypto_onetimeauth/poly1305/sse2/_libs + -rm -rf crypto_pwhash/.libs crypto_pwhash/_libs + -rm -rf crypto_pwhash/argon2/.libs crypto_pwhash/argon2/_libs -rm -rf crypto_pwhash/scryptsalsa208sha256/.libs crypto_pwhash/scryptsalsa208sha256/_libs -rm -rf crypto_pwhash/scryptsalsa208sha256/nosse/.libs crypto_pwhash/scryptsalsa208sha256/nosse/_libs -rm -rf crypto_pwhash/scryptsalsa208sha256/sse/.libs crypto_pwhash/scryptsalsa208sha256/sse/_libs @@ -3172,6 +3366,8 @@ distclean-generic: -rm -f crypto_box/curve25519xsalsa20poly1305/ref/$(am__dirstamp) -rm -f crypto_core/curve25519/ref10/$(DEPDIR)/$(am__dirstamp) -rm -f crypto_core/curve25519/ref10/$(am__dirstamp) + -rm -f crypto_core/hchacha20/$(DEPDIR)/$(am__dirstamp) + -rm -f crypto_core/hchacha20/$(am__dirstamp) -rm -f crypto_core/hsalsa20/$(DEPDIR)/$(am__dirstamp) -rm -f crypto_core/hsalsa20/$(am__dirstamp) -rm -f crypto_core/hsalsa20/ref2/$(DEPDIR)/$(am__dirstamp) @@ -3212,6 +3408,10 @@ distclean-generic: -rm -f crypto_onetimeauth/poly1305/donna/$(am__dirstamp) -rm -f crypto_onetimeauth/poly1305/sse2/$(DEPDIR)/$(am__dirstamp) -rm -f crypto_onetimeauth/poly1305/sse2/$(am__dirstamp) + -rm -f crypto_pwhash/$(DEPDIR)/$(am__dirstamp) + -rm -f crypto_pwhash/$(am__dirstamp) + -rm -f crypto_pwhash/argon2/$(DEPDIR)/$(am__dirstamp) + -rm -f crypto_pwhash/argon2/$(am__dirstamp) -rm -f crypto_pwhash/scryptsalsa208sha256/$(DEPDIR)/$(am__dirstamp) -rm -f crypto_pwhash/scryptsalsa208sha256/$(am__dirstamp) -rm -f crypto_pwhash/scryptsalsa208sha256/nosse/$(DEPDIR)/$(am__dirstamp) 
@@ -3308,7 +3508,7 @@ clean-am: clean-generic clean-libLTLIBRARIES clean-libtool \ clean-noinstLTLIBRARIES mostlyclean-am distclean: distclean-recursive - -rm -rf crypto_aead/aes256gcm/aesni/$(DEPDIR) crypto_aead/chacha20poly1305/sodium/$(DEPDIR) crypto_auth/$(DEPDIR) crypto_auth/hmacsha256/$(DEPDIR) crypto_auth/hmacsha256/cp/$(DEPDIR) crypto_auth/hmacsha512/$(DEPDIR) crypto_auth/hmacsha512/cp/$(DEPDIR) crypto_auth/hmacsha512256/$(DEPDIR) crypto_auth/hmacsha512256/cp/$(DEPDIR) crypto_box/$(DEPDIR) crypto_box/curve25519xsalsa20poly1305/$(DEPDIR) crypto_box/curve25519xsalsa20poly1305/ref/$(DEPDIR) crypto_core/curve25519/ref10/$(DEPDIR) crypto_core/hsalsa20/$(DEPDIR) crypto_core/hsalsa20/ref2/$(DEPDIR) crypto_core/salsa20/$(DEPDIR) crypto_core/salsa20/ref/$(DEPDIR) crypto_core/salsa2012/$(DEPDIR) crypto_core/salsa2012/ref/$(DEPDIR) crypto_core/salsa208/$(DEPDIR) crypto_core/salsa208/ref/$(DEPDIR) crypto_generichash/$(DEPDIR) crypto_generichash/blake2/$(DEPDIR) crypto_generichash/blake2/ref/$(DEPDIR) crypto_hash/$(DEPDIR) crypto_hash/sha256/$(DEPDIR) crypto_hash/sha256/cp/$(DEPDIR) crypto_hash/sha512/$(DEPDIR) crypto_hash/sha512/cp/$(DEPDIR) crypto_onetimeauth/$(DEPDIR) crypto_onetimeauth/poly1305/$(DEPDIR) crypto_onetimeauth/poly1305/donna/$(DEPDIR) crypto_onetimeauth/poly1305/sse2/$(DEPDIR) crypto_pwhash/scryptsalsa208sha256/$(DEPDIR) crypto_pwhash/scryptsalsa208sha256/nosse/$(DEPDIR) crypto_pwhash/scryptsalsa208sha256/sse/$(DEPDIR) crypto_scalarmult/$(DEPDIR) crypto_scalarmult/curve25519/$(DEPDIR) crypto_scalarmult/curve25519/donna_c64/$(DEPDIR) crypto_scalarmult/curve25519/ref10/$(DEPDIR) crypto_scalarmult/curve25519/sandy2x/$(DEPDIR) crypto_secretbox/$(DEPDIR) crypto_secretbox/xsalsa20poly1305/$(DEPDIR) crypto_secretbox/xsalsa20poly1305/ref/$(DEPDIR) crypto_shorthash/$(DEPDIR) crypto_shorthash/siphash24/$(DEPDIR) crypto_shorthash/siphash24/ref/$(DEPDIR) crypto_sign/$(DEPDIR) crypto_sign/ed25519/$(DEPDIR) crypto_sign/ed25519/ref10/$(DEPDIR) crypto_stream/$(DEPDIR) 
crypto_stream/aes128ctr/$(DEPDIR) crypto_stream/aes128ctr/portable/$(DEPDIR) crypto_stream/chacha20/$(DEPDIR) crypto_stream/chacha20/ref/$(DEPDIR) crypto_stream/chacha20/vec/$(DEPDIR) crypto_stream/salsa20/$(DEPDIR) crypto_stream/salsa20/amd64_xmm6/$(DEPDIR) crypto_stream/salsa20/ref/$(DEPDIR) crypto_stream/salsa2012/$(DEPDIR) crypto_stream/salsa2012/ref/$(DEPDIR) crypto_stream/salsa208/$(DEPDIR) crypto_stream/salsa208/ref/$(DEPDIR) crypto_stream/xsalsa20/$(DEPDIR) crypto_stream/xsalsa20/ref/$(DEPDIR) crypto_verify/16/$(DEPDIR) crypto_verify/16/ref/$(DEPDIR) crypto_verify/32/$(DEPDIR) crypto_verify/32/ref/$(DEPDIR) crypto_verify/64/$(DEPDIR) crypto_verify/64/ref/$(DEPDIR) randombytes/$(DEPDIR) randombytes/nativeclient/$(DEPDIR) randombytes/salsa20/$(DEPDIR) randombytes/sysrandom/$(DEPDIR) sodium/$(DEPDIR) + -rm -rf crypto_aead/aes256gcm/aesni/$(DEPDIR) crypto_aead/chacha20poly1305/sodium/$(DEPDIR) crypto_auth/$(DEPDIR) crypto_auth/hmacsha256/$(DEPDIR) crypto_auth/hmacsha256/cp/$(DEPDIR) crypto_auth/hmacsha512/$(DEPDIR) crypto_auth/hmacsha512/cp/$(DEPDIR) crypto_auth/hmacsha512256/$(DEPDIR) crypto_auth/hmacsha512256/cp/$(DEPDIR) crypto_box/$(DEPDIR) crypto_box/curve25519xsalsa20poly1305/$(DEPDIR) crypto_box/curve25519xsalsa20poly1305/ref/$(DEPDIR) crypto_core/curve25519/ref10/$(DEPDIR) crypto_core/hchacha20/$(DEPDIR) crypto_core/hsalsa20/$(DEPDIR) crypto_core/hsalsa20/ref2/$(DEPDIR) crypto_core/salsa20/$(DEPDIR) crypto_core/salsa20/ref/$(DEPDIR) crypto_core/salsa2012/$(DEPDIR) crypto_core/salsa2012/ref/$(DEPDIR) crypto_core/salsa208/$(DEPDIR) crypto_core/salsa208/ref/$(DEPDIR) crypto_generichash/$(DEPDIR) crypto_generichash/blake2/$(DEPDIR) crypto_generichash/blake2/ref/$(DEPDIR) crypto_hash/$(DEPDIR) crypto_hash/sha256/$(DEPDIR) crypto_hash/sha256/cp/$(DEPDIR) crypto_hash/sha512/$(DEPDIR) crypto_hash/sha512/cp/$(DEPDIR) crypto_onetimeauth/$(DEPDIR) crypto_onetimeauth/poly1305/$(DEPDIR) crypto_onetimeauth/poly1305/donna/$(DEPDIR) 
crypto_onetimeauth/poly1305/sse2/$(DEPDIR) crypto_pwhash/$(DEPDIR) crypto_pwhash/argon2/$(DEPDIR) crypto_pwhash/scryptsalsa208sha256/$(DEPDIR) crypto_pwhash/scryptsalsa208sha256/nosse/$(DEPDIR) crypto_pwhash/scryptsalsa208sha256/sse/$(DEPDIR) crypto_scalarmult/$(DEPDIR) crypto_scalarmult/curve25519/$(DEPDIR) crypto_scalarmult/curve25519/donna_c64/$(DEPDIR) crypto_scalarmult/curve25519/ref10/$(DEPDIR) crypto_scalarmult/curve25519/sandy2x/$(DEPDIR) crypto_secretbox/$(DEPDIR) crypto_secretbox/xsalsa20poly1305/$(DEPDIR) crypto_secretbox/xsalsa20poly1305/ref/$(DEPDIR) crypto_shorthash/$(DEPDIR) crypto_shorthash/siphash24/$(DEPDIR) crypto_shorthash/siphash24/ref/$(DEPDIR) crypto_sign/$(DEPDIR) crypto_sign/ed25519/$(DEPDIR) crypto_sign/ed25519/ref10/$(DEPDIR) crypto_stream/$(DEPDIR) crypto_stream/aes128ctr/$(DEPDIR) crypto_stream/aes128ctr/portable/$(DEPDIR) crypto_stream/chacha20/$(DEPDIR) crypto_stream/chacha20/ref/$(DEPDIR) crypto_stream/chacha20/vec/$(DEPDIR) crypto_stream/salsa20/$(DEPDIR) crypto_stream/salsa20/amd64_xmm6/$(DEPDIR) crypto_stream/salsa20/ref/$(DEPDIR) crypto_stream/salsa2012/$(DEPDIR) crypto_stream/salsa2012/ref/$(DEPDIR) crypto_stream/salsa208/$(DEPDIR) crypto_stream/salsa208/ref/$(DEPDIR) crypto_stream/xsalsa20/$(DEPDIR) crypto_stream/xsalsa20/ref/$(DEPDIR) crypto_verify/16/$(DEPDIR) crypto_verify/16/ref/$(DEPDIR) crypto_verify/32/$(DEPDIR) crypto_verify/32/ref/$(DEPDIR) crypto_verify/64/$(DEPDIR) crypto_verify/64/ref/$(DEPDIR) randombytes/$(DEPDIR) randombytes/nativeclient/$(DEPDIR) randombytes/salsa20/$(DEPDIR) randombytes/sysrandom/$(DEPDIR) sodium/$(DEPDIR) -rm -f Makefile distclean-am: clean-am distclean-compile distclean-generic \ distclean-tags 
@@ -3354,7 +3554,7 @@ install-ps-am: installcheck-am: maintainer-clean: maintainer-clean-recursive - -rm -rf crypto_aead/aes256gcm/aesni/$(DEPDIR) crypto_aead/chacha20poly1305/sodium/$(DEPDIR) crypto_auth/$(DEPDIR) crypto_auth/hmacsha256/$(DEPDIR) crypto_auth/hmacsha256/cp/$(DEPDIR) crypto_auth/hmacsha512/$(DEPDIR) crypto_auth/hmacsha512/cp/$(DEPDIR) crypto_auth/hmacsha512256/$(DEPDIR) crypto_auth/hmacsha512256/cp/$(DEPDIR) crypto_box/$(DEPDIR) crypto_box/curve25519xsalsa20poly1305/$(DEPDIR) crypto_box/curve25519xsalsa20poly1305/ref/$(DEPDIR) crypto_core/curve25519/ref10/$(DEPDIR) crypto_core/hsalsa20/$(DEPDIR) crypto_core/hsalsa20/ref2/$(DEPDIR) crypto_core/salsa20/$(DEPDIR) crypto_core/salsa20/ref/$(DEPDIR) crypto_core/salsa2012/$(DEPDIR) crypto_core/salsa2012/ref/$(DEPDIR) crypto_core/salsa208/$(DEPDIR) crypto_core/salsa208/ref/$(DEPDIR) crypto_generichash/$(DEPDIR) crypto_generichash/blake2/$(DEPDIR) crypto_generichash/blake2/ref/$(DEPDIR) crypto_hash/$(DEPDIR) crypto_hash/sha256/$(DEPDIR) crypto_hash/sha256/cp/$(DEPDIR) crypto_hash/sha512/$(DEPDIR) crypto_hash/sha512/cp/$(DEPDIR) crypto_onetimeauth/$(DEPDIR) crypto_onetimeauth/poly1305/$(DEPDIR) crypto_onetimeauth/poly1305/donna/$(DEPDIR) crypto_onetimeauth/poly1305/sse2/$(DEPDIR) crypto_pwhash/scryptsalsa208sha256/$(DEPDIR) crypto_pwhash/scryptsalsa208sha256/nosse/$(DEPDIR) crypto_pwhash/scryptsalsa208sha256/sse/$(DEPDIR) crypto_scalarmult/$(DEPDIR) crypto_scalarmult/curve25519/$(DEPDIR) crypto_scalarmult/curve25519/donna_c64/$(DEPDIR) crypto_scalarmult/curve25519/ref10/$(DEPDIR) crypto_scalarmult/curve25519/sandy2x/$(DEPDIR) crypto_secretbox/$(DEPDIR) crypto_secretbox/xsalsa20poly1305/$(DEPDIR) crypto_secretbox/xsalsa20poly1305/ref/$(DEPDIR) crypto_shorthash/$(DEPDIR) crypto_shorthash/siphash24/$(DEPDIR) crypto_shorthash/siphash24/ref/$(DEPDIR) crypto_sign/$(DEPDIR) crypto_sign/ed25519/$(DEPDIR) crypto_sign/ed25519/ref10/$(DEPDIR) crypto_stream/$(DEPDIR) crypto_stream/aes128ctr/$(DEPDIR) 
crypto_stream/aes128ctr/portable/$(DEPDIR) crypto_stream/chacha20/$(DEPDIR) crypto_stream/chacha20/ref/$(DEPDIR) crypto_stream/chacha20/vec/$(DEPDIR) crypto_stream/salsa20/$(DEPDIR) crypto_stream/salsa20/amd64_xmm6/$(DEPDIR) crypto_stream/salsa20/ref/$(DEPDIR) crypto_stream/salsa2012/$(DEPDIR) crypto_stream/salsa2012/ref/$(DEPDIR) crypto_stream/salsa208/$(DEPDIR) crypto_stream/salsa208/ref/$(DEPDIR) crypto_stream/xsalsa20/$(DEPDIR) crypto_stream/xsalsa20/ref/$(DEPDIR) crypto_verify/16/$(DEPDIR) crypto_verify/16/ref/$(DEPDIR) crypto_verify/32/$(DEPDIR) crypto_verify/32/ref/$(DEPDIR) crypto_verify/64/$(DEPDIR) crypto_verify/64/ref/$(DEPDIR) randombytes/$(DEPDIR) randombytes/nativeclient/$(DEPDIR) randombytes/salsa20/$(DEPDIR) randombytes/sysrandom/$(DEPDIR) sodium/$(DEPDIR) + -rm -rf crypto_aead/aes256gcm/aesni/$(DEPDIR) crypto_aead/chacha20poly1305/sodium/$(DEPDIR) crypto_auth/$(DEPDIR) crypto_auth/hmacsha256/$(DEPDIR) crypto_auth/hmacsha256/cp/$(DEPDIR) crypto_auth/hmacsha512/$(DEPDIR) crypto_auth/hmacsha512/cp/$(DEPDIR) crypto_auth/hmacsha512256/$(DEPDIR) crypto_auth/hmacsha512256/cp/$(DEPDIR) crypto_box/$(DEPDIR) crypto_box/curve25519xsalsa20poly1305/$(DEPDIR) crypto_box/curve25519xsalsa20poly1305/ref/$(DEPDIR) crypto_core/curve25519/ref10/$(DEPDIR) crypto_core/hchacha20/$(DEPDIR) crypto_core/hsalsa20/$(DEPDIR) crypto_core/hsalsa20/ref2/$(DEPDIR) crypto_core/salsa20/$(DEPDIR) crypto_core/salsa20/ref/$(DEPDIR) crypto_core/salsa2012/$(DEPDIR) crypto_core/salsa2012/ref/$(DEPDIR) crypto_core/salsa208/$(DEPDIR) crypto_core/salsa208/ref/$(DEPDIR) crypto_generichash/$(DEPDIR) crypto_generichash/blake2/$(DEPDIR) crypto_generichash/blake2/ref/$(DEPDIR) crypto_hash/$(DEPDIR) crypto_hash/sha256/$(DEPDIR) crypto_hash/sha256/cp/$(DEPDIR) crypto_hash/sha512/$(DEPDIR) crypto_hash/sha512/cp/$(DEPDIR) crypto_onetimeauth/$(DEPDIR) crypto_onetimeauth/poly1305/$(DEPDIR) crypto_onetimeauth/poly1305/donna/$(DEPDIR) crypto_onetimeauth/poly1305/sse2/$(DEPDIR) crypto_pwhash/$(DEPDIR) 
crypto_pwhash/argon2/$(DEPDIR) crypto_pwhash/scryptsalsa208sha256/$(DEPDIR) crypto_pwhash/scryptsalsa208sha256/nosse/$(DEPDIR) crypto_pwhash/scryptsalsa208sha256/sse/$(DEPDIR) crypto_scalarmult/$(DEPDIR) crypto_scalarmult/curve25519/$(DEPDIR) crypto_scalarmult/curve25519/donna_c64/$(DEPDIR) crypto_scalarmult/curve25519/ref10/$(DEPDIR) crypto_scalarmult/curve25519/sandy2x/$(DEPDIR) crypto_secretbox/$(DEPDIR) crypto_secretbox/xsalsa20poly1305/$(DEPDIR) crypto_secretbox/xsalsa20poly1305/ref/$(DEPDIR) crypto_shorthash/$(DEPDIR) crypto_shorthash/siphash24/$(DEPDIR) crypto_shorthash/siphash24/ref/$(DEPDIR) crypto_sign/$(DEPDIR) crypto_sign/ed25519/$(DEPDIR) crypto_sign/ed25519/ref10/$(DEPDIR) crypto_stream/$(DEPDIR) crypto_stream/aes128ctr/$(DEPDIR) crypto_stream/aes128ctr/portable/$(DEPDIR) crypto_stream/chacha20/$(DEPDIR) crypto_stream/chacha20/ref/$(DEPDIR) crypto_stream/chacha20/vec/$(DEPDIR) crypto_stream/salsa20/$(DEPDIR) crypto_stream/salsa20/amd64_xmm6/$(DEPDIR) crypto_stream/salsa20/ref/$(DEPDIR) crypto_stream/salsa2012/$(DEPDIR) crypto_stream/salsa2012/ref/$(DEPDIR) crypto_stream/salsa208/$(DEPDIR) crypto_stream/salsa208/ref/$(DEPDIR) crypto_stream/xsalsa20/$(DEPDIR) crypto_stream/xsalsa20/ref/$(DEPDIR) crypto_verify/16/$(DEPDIR) crypto_verify/16/ref/$(DEPDIR) crypto_verify/32/$(DEPDIR) crypto_verify/32/ref/$(DEPDIR) crypto_verify/64/$(DEPDIR) crypto_verify/64/ref/$(DEPDIR) randombytes/$(DEPDIR) randombytes/nativeclient/$(DEPDIR) randombytes/salsa20/$(DEPDIR) randombytes/sysrandom/$(DEPDIR) sodium/$(DEPDIR) -rm -f Makefile maintainer-clean-am: distclean-am maintainer-clean-generic diff --git a/release/src/router/libsodium/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c b/release/src/router/libsodium/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c index d72423b628..96f6441f32 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c 
+++ b/release/src/router/libsodium/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c @@ -3,6 +3,7 @@ * AES256-GCM, based on original code by Romain Dolbeau */ +#include #include #include #include @@ -21,6 +22,10 @@ #include +#ifndef ENOSYS +# define ENOSYS ENXIO +#endif + #if defined(__INTEL_COMPILER) || defined(_bswap64) #elif defined(_MSC_VER) # define _bswap64(a) _byteswap_uint64(a) @@ -124,8 +129,8 @@ aesni_encrypt1(unsigned char *out, __m128i nv, const __m128i *rkeys) } /** multiple-blocks-at-once AES encryption with AES-NI ; - on Haswell, aesenc as a latency of 7 and a througput of 1 - so the sequence of aesenc should be bubble-free, if you + on Haswell, aesenc as a latency of 7 and a throughput of 1 + so the sequence of aesenc should be bubble-free if you have at least 8 blocks. Let's build an arbitratry-sized function */ /* Step 1 : loading the nonce */ @@ -504,12 +509,13 @@ crypto_aead_aes256gcm_beforenm(crypto_aead_aes256gcm_state *ctx_, } int -crypto_aead_aes256gcm_encrypt_afternm(unsigned char *c, unsigned long long *clen, - const unsigned char *m, unsigned long long mlen, - const unsigned char *ad, unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const crypto_aead_aes256gcm_state *ctx_) +crypto_aead_aes256gcm_encrypt_detached_afternm(unsigned char *c, + unsigned char *mac, unsigned long long *maclen_p, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const crypto_aead_aes256gcm_state *ctx_) { const __m128i rev = _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15); const context *ctx = (const context *) ctx_; 
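Review bot: The `#ifndef ENOSYS` / `# define ENOSYS ENXIO` fallback in the second hunk carries no comment, and because it lives in this .c file a caller on a libc that lacks ENOSYS cannot name the same value and will simply observe ENXIO from the no-AES-NI stubs later in the file. A one-line comment would make the intent explicit: `/* some libcs lack ENOSYS; the !AES-NI stubs below still need an errno value to report */`. Callers should be steered to `crypto_aead_aes256gcm_is_available()` rather than errno anyway, and the comment is a good place to say so.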
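Review bot: The comment touched in the third hunk still reads `on Haswell, aesenc as a latency of 7 and a throughput of 1` — `as` should be `has` — and `arbitratry-sized` on the following line is also misspelled; since the hunk already rewrites these lines, both could be fixed in the same change. The function the comment introduces lies outside this hunk.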
@@ -526,7 +532,7 @@ crypto_aead_aes256gcm_encrypt_afternm(unsigned char *c, unsigned long long *clen (void) nsec; memcpy(H, ctx->H, sizeof H); - if (mlen > 16ULL * (1ULL << 32)) { + if (mlen > 16ULL * ((1ULL << 32) - 2)) { abort(); /* LCOV_EXCL_LINE */ } memcpy(&n2[0], npub, 3 * 4); @@ -614,22 +620,41 @@ crypto_aead_aes256gcm_encrypt_afternm(unsigned char *c, unsigned long long *clen addmul(accum, fb, 16, H); for (i = 0; i < 16; ++i) { - c[i + mlen] = T[i] ^ accum[15 - i]; + mac[i] = T[i] ^ accum[15 - i]; } - if (clen != NULL) { - *clen = mlen + 16; + if (maclen_p != NULL) { + *maclen_p = 16; } return 0; } int -crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m, unsigned long long *mlen_p, - unsigned char *nsec, - const unsigned char *c, unsigned long long clen, +crypto_aead_aes256gcm_encrypt_afternm(unsigned char *c, unsigned long long *clen_p, + const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, const unsigned char *npub, const crypto_aead_aes256gcm_state *ctx_) { + int ret = crypto_aead_aes256gcm_encrypt_detached_afternm(c, + c + mlen, NULL, + m, mlen, + ad, adlen, + nsec, npub, ctx_); + if (clen_p != NULL) { + *clen_p = mlen + crypto_aead_aes256gcm_ABYTES; + } + return ret; +} + +int +crypto_aead_aes256gcm_decrypt_detached_afternm(unsigned char *m, unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *mac, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const crypto_aead_aes256gcm_state *ctx_) +{ const __m128i rev = _mm_set_epi8(0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15); const context *ctx = (const context *) ctx_; const __m128i *rkeys = ctx->rkeys; 
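Review bot: The new `crypto_aead_aes256gcm_encrypt_afternm` wrapper stores `*clen_p = mlen + crypto_aead_aes256gcm_ABYTES` whatever `ret` is, whereas the chacha20poly1305 wrappers added by this same patch report a length of 0 when the detached call fails. Today `encrypt_detached_afternm` only ever returns 0 or aborts, so no caller sees a wrong length, but the two families should expose the same contract: `if (clen_p != NULL) { *clen_p = (ret == 0) ? mlen + crypto_aead_aes256gcm_ABYTES : 0ULL; }`. `crypto_aead_aes256gcm_decrypt_detached_afternm`, opened at the end of this hunk, continues past it.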
@@ -645,20 +670,15 @@ crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m, unsigned long long *mlen CRYPTO_ALIGN(16) unsigned char fb[16]; (void) nsec; - if (clen > 16ULL * (1ULL << 32) - 16ULL) { + if (clen > 16ULL * (1ULL << 32)) { abort(); /* LCOV_EXCL_LINE */ } - if (mlen_p != NULL) { - *mlen_p = 0U; - } - if (clen < 16) { - return -1; - } - mlen = clen - 16; + mlen = clen; memcpy(&n2[0], npub, 3 * 4); n2[3] = 0x01000000; aesni_encrypt1(T, _mm_load_si128((const __m128i *) n2), rkeys); + { uint64_t x; x = _bswap64((uint64_t)(8 * adlen)); @@ -666,6 +686,7 @@ crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m, unsigned long long *mlen x = _bswap64((uint64_t)(8 * mlen)); memcpy(&fb[8], &x, sizeof x); } + memcpy(H, ctx->H, sizeof H); Hv = _mm_shuffle_epi8(_mm_load_si128((const __m128i *) H), rev); _mm_store_si128((__m128i *) H, Hv); @@ -752,6 +773,7 @@ crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m, unsigned long long *mlen } \ } \ } while(0) + n2[3] &= 0x00ffffff; COUNTER_INC2(n2); @@ -762,9 +784,10 @@ crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m, unsigned long long *mlen unsigned char d = 0; for (i = 0; i < 16; i++) { - d |= (c[i + mlen] ^ (T[i] ^ accum[15 - i])); + d |= (mac[i] ^ (T[i] ^ accum[15 - i])); } if (d != 0) { + memset(m, 0, mlen); return -1; } } 
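Review bot: The new bound `if (clen > 16ULL * (1ULL << 32))` in `crypto_aead_aes256gcm_decrypt_detached_afternm` is looser than the encrypt side, which the earlier hunk tightened to `16ULL * ((1ULL << 32) - 2)` because counter block 1 is consumed by the tag mask `T` and the 32-bit counter (`n2[3] &= 0x00ffffff; COUNTER_INC2(n2);`) then leaves 2^32 - 2 blocks for data. A genuine ciphertext can never exceed the encrypt limit, and `mac` is verified over `c` before the data keystream is generated, so I do not see this as exploitable, but the two limits should match so the counter cannot wrap on the decrypt path either: `if (clen > 16ULL * ((1ULL << 32) - 2)) {`. The counter macros are only partly visible here, so confirm the `- 2` against COUNTER_INC2 before changing it. The function's body continues in the following hunks.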
@@ -773,10 +796,54 @@ crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m, unsigned long long *mlen LOOPDRND128; LOOPDRMD128; + return 0; +} + +int +crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m, unsigned long long *mlen_p, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const crypto_aead_aes256gcm_state *ctx_) +{ + unsigned long long mlen = 0ULL; + int ret = -1; + + if (clen >= crypto_aead_aes256gcm_ABYTES) { + ret = crypto_aead_aes256gcm_decrypt_detached_afternm + (m, nsec, c, clen - crypto_aead_aes256gcm_ABYTES, + c + clen - crypto_aead_aes256gcm_ABYTES, + ad, adlen, npub, ctx_); + } if (mlen_p != NULL) { + if (ret == 0) { + mlen = clen - crypto_aead_aes256gcm_ABYTES; + } *mlen_p = mlen; } - return 0; + return ret; +} + +int +crypto_aead_aes256gcm_encrypt_detached(unsigned char *c, + unsigned char *mac, + unsigned long long *maclen_p, + const unsigned char *m, + unsigned long long mlen, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + CRYPTO_ALIGN(16) crypto_aead_aes256gcm_state ctx; + + crypto_aead_aes256gcm_beforenm(&ctx, k); + + return crypto_aead_aes256gcm_encrypt_detached_afternm + (c, mac, maclen_p, m, mlen, ad, adlen, nsec, npub, + (const crypto_aead_aes256gcm_state *) &ctx); } int @@ -790,7 +857,7 @@ crypto_aead_aes256gcm_encrypt(unsigned char *c, const unsigned char *npub, const unsigned char *k) { - crypto_aead_aes256gcm_state ctx; + CRYPTO_ALIGN(16) crypto_aead_aes256gcm_state ctx; crypto_aead_aes256gcm_beforenm(&ctx, k); 
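Review bot: `crypto_aead_aes256gcm_encrypt_detached` expands the key into the stack `ctx` via `crypto_aead_aes256gcm_beforenm` and returns directly from `encrypt_detached_afternm`, so the AES-256 round keys are left behind in stack memory; the chacha20poly1305 code in this same patch wipes `block0` and `state` with `sodium_memzero` after use. Capture the result and clear the state before returning: `int ret = crypto_aead_aes256gcm_encrypt_detached_afternm(c, mac, maclen_p, m, mlen, ad, adlen, nsec, npub, (const crypto_aead_aes256gcm_state *) &ctx); sodium_memzero(&ctx, sizeof ctx); return ret;`. The same applies to `crypto_aead_aes256gcm_encrypt` in the next hunk, whose return statement is outside this view. The `CRYPTO_ALIGN(16)` on `ctx` is a correct fix on its own, since the afternm code loads the state with 16-byte-aligned SSE loads; whether utils.h is among this file's includes cannot be read from the stripped include lines here.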
@@ -800,6 +867,26 @@ crypto_aead_aes256gcm_encrypt(unsigned char *c, } int +crypto_aead_aes256gcm_decrypt_detached(unsigned char *m, + unsigned char *nsec, + const unsigned char *c, + unsigned long long clen, + const unsigned char *mac, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + CRYPTO_ALIGN(16) crypto_aead_aes256gcm_state ctx; + + crypto_aead_aes256gcm_beforenm(&ctx, k); + + return crypto_aead_aes256gcm_decrypt_detached_afternm + (m, nsec, c, clen, mac, ad, adlen, npub, + (const crypto_aead_aes256gcm_state *) &ctx); +} + +int crypto_aead_aes256gcm_decrypt(unsigned char *m, unsigned long long *mlen_p, unsigned char *nsec, @@ -810,13 +897,13 @@ crypto_aead_aes256gcm_decrypt(unsigned char *m, const unsigned char *npub, const unsigned char *k) { - crypto_aead_aes256gcm_state ctx; + CRYPTO_ALIGN(16) crypto_aead_aes256gcm_state ctx; crypto_aead_aes256gcm_beforenm(&ctx, k); return crypto_aead_aes256gcm_decrypt_afternm (m, mlen_p, nsec, c, clen, ad, adlen, npub, - (const crypto_aead_aes256gcm_state *) &ctx); + (const crypto_aead_aes256gcm_state *) &ctx); } int 
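Review bot: `crypto_aead_aes256gcm_decrypt_detached` has the same key-hygiene gap as its encrypt twin: `crypto_aead_aes256gcm_beforenm` leaves the expanded round keys in the stack `ctx`, and the function returns straight from `decrypt_detached_afternm` without wiping them. Capture the result and clear the state first: `int ret = crypto_aead_aes256gcm_decrypt_detached_afternm(m, nsec, c, clen, mac, ad, adlen, npub, (const crypto_aead_aes256gcm_state *) &ctx); sodium_memzero(&ctx, sizeof ctx); return ret;`. `crypto_aead_aes256gcm_decrypt` in the following hunk needs the identical treatment.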
@@ -825,6 +912,125 @@ crypto_aead_aes256gcm_is_available(void) return sodium_runtime_has_pclmul() & sodium_runtime_has_aesni(); } +#else + +int +crypto_aead_aes256gcm_encrypt_detached(unsigned char *c, + unsigned char *mac, + unsigned long long *maclen_p, + const unsigned char *m, + unsigned long long mlen, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + errno = ENOSYS; + return -1; +} + +int +crypto_aead_aes256gcm_encrypt(unsigned char *c, unsigned long long *clen_p, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, const unsigned char *npub, + const unsigned char *k) +{ + errno = ENOSYS; + return -1; +} + +int +crypto_aead_aes256gcm_decrypt_detached(unsigned char *m, + unsigned char *nsec, + const unsigned char *c, + unsigned long long clen, + const unsigned char *mac, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + errno = ENOSYS; + return -1; +} + +int +crypto_aead_aes256gcm_decrypt(unsigned char *m, unsigned long long *mlen_p, + unsigned char *nsec, const unsigned char *c, + unsigned long long clen, const unsigned char *ad, + unsigned long long adlen, const unsigned char *npub, + const unsigned char *k) +{ + errno = ENOSYS; + return -1; +} + +int +crypto_aead_aes256gcm_beforenm(crypto_aead_aes256gcm_state *ctx_, + const unsigned char *k) +{ + errno = ENOSYS; + return -1; +} + +int +crypto_aead_aes256gcm_encrypt_detached_afternm(unsigned char *c, + unsigned char *mac, unsigned long long *maclen_p, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const crypto_aead_aes256gcm_state *ctx_) +{ + errno = ENOSYS; + return -1; +} + +int +crypto_aead_aes256gcm_encrypt_afternm(unsigned char *c, unsigned long long 
*clen_p, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *nsec, const unsigned char *npub, + const crypto_aead_aes256gcm_state *ctx_) +{ + errno = ENOSYS; + return -1; +} + +int +crypto_aead_aes256gcm_decrypt_detached_afternm(unsigned char *m, unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *mac, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const crypto_aead_aes256gcm_state *ctx_) +{ + errno = ENOSYS; + return -1; +} + +int +crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m, unsigned long long *mlen_p, + unsigned char *nsec, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen, + const unsigned char *npub, + const crypto_aead_aes256gcm_state *ctx_) +{ + errno = ENOSYS; + return -1; +} + +int +crypto_aead_aes256gcm_is_available(void) +{ + return 0; +} + +#endif + size_t crypto_aead_aes256gcm_keybytes(void) { @@ -854,13 +1060,3 @@ crypto_aead_aes256gcm_statebytes(void) { return (sizeof(crypto_aead_aes256gcm_state) + (size_t) 15U) & ~(size_t) 15U; } - -#else - -int -crypto_aead_aes256gcm_is_available(void) -{ - return 0; -} - -#endif diff --git a/release/src/router/libsodium/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c b/release/src/router/libsodium/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c index 703485a9ed..768578e4c0 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c +++ b/release/src/router/libsodium/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c @@ -1,4 +1,5 @@ +#include #include #include #include 
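Review bot: The `#else` stubs set `errno = ENOSYS` and return -1 but never write `*clen_p`, `*mlen_p` or `*maclen_p`, so a caller that ignores the return value — plausible, since the real `crypto_aead_aes256gcm_encrypt` never returns nonzero — continues with an uninitialized length. Each stub that takes a length out-parameter should zero it before returning, e.g. `if (clen_p != NULL) { *clen_p = 0ULL; }` in `crypto_aead_aes256gcm_encrypt`, and likewise for `mlen_p` and `maclen_p`. The stubs also leave every parameter unused without a `(void)` cast, so `-Wextra` builds will emit one unused-parameter warning per function. A comment above the `#else` stating that callers must gate on `crypto_aead_aes256gcm_is_available()`, which this hunk keeps returning 0, would document the expected usage.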
@@ -9,98 +10,98 @@ #include "crypto_verify_16.h" #include "utils.h" -static unsigned char _pad0[16]; +#include "private/common.h" -static inline void -_u64_le_from_ull(unsigned char out[8U], unsigned long long x) -{ - out[0] = (unsigned char) (x & 0xff); x >>= 8; - out[1] = (unsigned char) (x & 0xff); x >>= 8; - out[2] = (unsigned char) (x & 0xff); x >>= 8; - out[3] = (unsigned char) (x & 0xff); x >>= 8; - out[4] = (unsigned char) (x & 0xff); x >>= 8; - out[5] = (unsigned char) (x & 0xff); x >>= 8; - out[6] = (unsigned char) (x & 0xff); x >>= 8; - out[7] = (unsigned char) (x & 0xff); -} +static const unsigned char _pad0[16] = { 0 }; int -crypto_aead_chacha20poly1305_encrypt(unsigned char *c, - unsigned long long *clen_p, - const unsigned char *m, - unsigned long long mlen, - const unsigned char *ad, - unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) +crypto_aead_chacha20poly1305_encrypt_detached(unsigned char *c, + unsigned char *mac, + unsigned long long *maclen_p, + const unsigned char *m, + unsigned long long mlen, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) { crypto_onetimeauth_poly1305_state state; unsigned char block0[64U]; unsigned char slen[8U]; (void) nsec; -/* LCOV_EXCL_START */ -#ifdef ULONG_LONG_MAX - if (mlen > ULONG_LONG_MAX - crypto_aead_chacha20poly1305_ABYTES) { - if (clen_p != NULL) { - *clen_p = 0ULL; - } - return -1; - } -#endif -/* LCOV_EXCL_STOP */ - crypto_stream_chacha20(block0, sizeof block0, npub, k); crypto_onetimeauth_poly1305_init(&state, block0); sodium_memzero(block0, sizeof block0); crypto_onetimeauth_poly1305_update(&state, ad, adlen); - _u64_le_from_ull(slen, adlen); + STORE64_LE(slen, (uint64_t) adlen); crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen); crypto_stream_chacha20_xor_ic(c, m, mlen, npub, 1U, k); crypto_onetimeauth_poly1305_update(&state, c, mlen); - 
_u64_le_from_ull(slen, mlen); + STORE64_LE(slen, (uint64_t) mlen); crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen); - crypto_onetimeauth_poly1305_final(&state, c + mlen); + crypto_onetimeauth_poly1305_final(&state, mac); sodium_memzero(&state, sizeof state); - if (clen_p != NULL) { - *clen_p = mlen + crypto_aead_chacha20poly1305_ABYTES; + if (maclen_p != NULL) { + *maclen_p = crypto_aead_chacha20poly1305_ABYTES; } return 0; } int -crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c, - unsigned long long *clen_p, - const unsigned char *m, - unsigned long long mlen, - const unsigned char *ad, - unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k) +crypto_aead_chacha20poly1305_encrypt(unsigned char *c, + unsigned long long *clen_p, + const unsigned char *m, + unsigned long long mlen, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned long long clen = 0ULL; + int ret; + + if (mlen > UINT64_MAX - crypto_aead_chacha20poly1305_ABYTES) { + abort(); /* LCOV_EXCL_LINE */ + } + ret = crypto_aead_chacha20poly1305_encrypt_detached(c, + c + mlen, NULL, + m, mlen, + ad, adlen, + nsec, npub, k); + if (clen_p != NULL) { + if (ret == 0) { + clen = mlen + crypto_aead_chacha20poly1305_ABYTES; + } + *clen_p = clen; + } + return ret; +} + +int +crypto_aead_chacha20poly1305_ietf_encrypt_detached(unsigned char *c, + unsigned char *mac, + unsigned long long *maclen_p, + const unsigned char *m, + unsigned long long mlen, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) { crypto_onetimeauth_poly1305_state state; unsigned char block0[64U]; unsigned char slen[8U]; (void) nsec; -/* LCOV_EXCL_START */ -#ifdef ULONG_LONG_MAX - if (mlen > ULONG_LONG_MAX - crypto_aead_chacha20poly1305_ABYTES) { - if (clen_p != NULL) { - *clen_p = 
0ULL; - } - return -1; - } -#endif -/* LCOV_EXCL_STOP */ - crypto_stream_chacha20_ietf(block0, sizeof block0, npub, k); crypto_onetimeauth_poly1305_init(&state, block0); sodium_memzero(block0, sizeof block0); 
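Review bot: `crypto_aead_chacha20poly1305_encrypt_detached` is a new public entry point with no comment on the contract its `encrypt` wrapper relies on: `mac` must point at `crypto_aead_chacha20poly1305_ABYTES` (16) bytes, `*maclen_p` is always set to that constant, `nsec` is ignored, and `c` receives exactly `mlen` bytes. A short header comment above the function would do, e.g. `/* Detached encryption: mlen ciphertext bytes to c, the 16-byte Poly1305 tag to mac; nsec is unused and *maclen_p, if non-NULL, is set to crypto_aead_chacha20poly1305_ABYTES. */`. Note also that the removed `ULONG_LONG_MAX` guard returned -1 with `*clen_p = 0`, whereas the new wrapper calls `abort()` for `mlen > UINT64_MAX - ABYTES`; unreachable for any real buffer, but an observable change worth a changelog line. `crypto_aead_chacha20poly1305_ietf_encrypt_detached`, begun at the end of this hunk, continues past it.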
@@ -113,102 +114,148 @@ crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c, crypto_onetimeauth_poly1305_update(&state, c, mlen); crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - mlen) & 0xf); - _u64_le_from_ull(slen, adlen); + STORE64_LE(slen, (uint64_t) adlen); crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen); - _u64_le_from_ull(slen, mlen); + STORE64_LE(slen, (uint64_t) mlen); crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen); - crypto_onetimeauth_poly1305_final(&state, c + mlen); + crypto_onetimeauth_poly1305_final(&state, mac); sodium_memzero(&state, sizeof state); - if (clen_p != NULL) { - *clen_p = mlen + crypto_aead_chacha20poly1305_ABYTES; + if (maclen_p != NULL) { + *maclen_p = crypto_aead_chacha20poly1305_ietf_ABYTES; } return 0; } int -crypto_aead_chacha20poly1305_decrypt(unsigned char *m, - unsigned long long *mlen_p, - unsigned char *nsec, - const unsigned char *c, - unsigned long long clen, - const unsigned char *ad, - unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) +crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c, + unsigned long long *clen_p, + const unsigned char *m, + unsigned long long mlen, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned long long clen = 0ULL; + int ret; + + if (mlen > UINT64_MAX - crypto_aead_chacha20poly1305_ietf_ABYTES) { + abort(); /* LCOV_EXCL_LINE */ + } + ret = crypto_aead_chacha20poly1305_ietf_encrypt_detached(c, + c + mlen, NULL, + m, mlen, + ad, adlen, + nsec, npub, k); + if (clen_p != NULL) { + if (ret == 0) { + clen = mlen + crypto_aead_chacha20poly1305_ietf_ABYTES; + } + *clen_p = clen; + } + return ret; +} + +int +crypto_aead_chacha20poly1305_decrypt_detached(unsigned char *m, + unsigned char *nsec, + const unsigned char *c, + unsigned long long clen, + const unsigned char *mac, + const unsigned char *ad, + unsigned long long 
adlen, + const unsigned char *npub, + const unsigned char *k) { crypto_onetimeauth_poly1305_state state; unsigned char block0[64U]; unsigned char slen[8U]; - unsigned char mac[crypto_aead_chacha20poly1305_ABYTES]; + unsigned char computed_mac[crypto_aead_chacha20poly1305_ABYTES]; unsigned long long mlen; int ret; (void) nsec; - if (mlen_p != NULL) { - *mlen_p = 0ULL; - } - if (clen < crypto_aead_chacha20poly1305_ABYTES) { - return -1; - } crypto_stream_chacha20(block0, sizeof block0, npub, k); crypto_onetimeauth_poly1305_init(&state, block0); sodium_memzero(block0, sizeof block0); crypto_onetimeauth_poly1305_update(&state, ad, adlen); - _u64_le_from_ull(slen, adlen); + STORE64_LE(slen, (uint64_t) adlen); crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen); - mlen = clen - crypto_aead_chacha20poly1305_ABYTES; + mlen = clen; crypto_onetimeauth_poly1305_update(&state, c, mlen); - _u64_le_from_ull(slen, mlen); + STORE64_LE(slen, (uint64_t) mlen); crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen); - crypto_onetimeauth_poly1305_final(&state, mac); + crypto_onetimeauth_poly1305_final(&state, computed_mac); sodium_memzero(&state, sizeof state); - (void) sizeof(int[sizeof mac == 16U ? 1 : -1]); - ret = crypto_verify_16(mac, c + mlen); - sodium_memzero(mac, sizeof mac); + (void) sizeof(int[sizeof computed_mac == 16U ? 
1 : -1]); + ret = crypto_verify_16(computed_mac, mac); + sodium_memzero(computed_mac, sizeof computed_mac); if (ret != 0) { memset(m, 0, mlen); return -1; } - crypto_stream_chacha20_xor_ic - (m, c, mlen, npub, 1U, k); + crypto_stream_chacha20_xor_ic(m, c, mlen, npub, 1U, k); + + return 0; +} + +int +crypto_aead_chacha20poly1305_decrypt(unsigned char *m, + unsigned long long *mlen_p, + unsigned char *nsec, + const unsigned char *c, + unsigned long long clen, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + unsigned long long mlen = 0ULL; + int ret = -1; + + if (clen >= crypto_aead_chacha20poly1305_ABYTES) { + ret = crypto_aead_chacha20poly1305_decrypt_detached + (m, nsec, + c, clen - crypto_aead_chacha20poly1305_ABYTES, + c + clen - crypto_aead_chacha20poly1305_ABYTES, + ad, adlen, npub, k); + } if (mlen_p != NULL) { + if (ret == 0) { + mlen = clen - crypto_aead_chacha20poly1305_ABYTES; + } *mlen_p = mlen; } - return 0; + return ret; } int -crypto_aead_chacha20poly1305_ietf_decrypt(unsigned char *m, - unsigned long long *mlen_p, - unsigned char *nsec, - const unsigned char *c, - unsigned long long clen, - const unsigned char *ad, - unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) +crypto_aead_chacha20poly1305_ietf_decrypt_detached(unsigned char *m, + unsigned char *nsec, + const unsigned char *c, + unsigned long long clen, + const unsigned char *mac, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) { crypto_onetimeauth_poly1305_state state; unsigned char block0[64U]; unsigned char slen[8U]; - unsigned char mac[crypto_aead_chacha20poly1305_ABYTES]; + unsigned char computed_mac[crypto_aead_chacha20poly1305_ietf_ABYTES]; unsigned long long mlen; int ret; (void) nsec; - if (mlen_p != NULL) { - *mlen_p = 0ULL; - } - if (clen < crypto_aead_chacha20poly1305_ABYTES) { - return -1; - } 
 crypto_stream_chacha20_ietf(block0, sizeof block0, npub, k);
 crypto_onetimeauth_poly1305_init(&state, block0);
 sodium_memzero(block0, sizeof block0);
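Review bot: The guard `if (mlen > UINT64_MAX - crypto_aead_chacha20poly1305_ietf_ABYTES)` in the new `crypto_aead_chacha20poly1305_ietf_encrypt` only stops the `mlen + ABYTES` addition from wrapping; it does not bound the message to what the IETF construction can actually encrypt. The keystream for this variant comes from `crypto_stream_chacha20_ietf_xor_ic` with an initial block counter of 1 (the decrypt-side call is visible in the next hunk), and the IETF ChaCha20 block counter is 32 bits wide, so a message longer than 64 * (2^32 - 1) bytes would wrap the counter and reuse keystream — that counter width is not shown in this hunk, so confirm it against the stream implementation. I would tighten the check to `if (mlen > 64ULL * ((1ULL << 32) - 1ULL)) { abort(); }`, after which the sum with ABYTES can never overflow, and mirror the bound on `clen` in `crypto_aead_chacha20poly1305_ietf_decrypt_detached`, whose body continues past this hunk.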
@@ -216,31 +263,79 @@ crypto_aead_chacha20poly1305_ietf_decrypt(unsigned char *m,
 crypto_onetimeauth_poly1305_update(&state, ad, adlen);
 crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - adlen) & 0xf);
- mlen = clen - crypto_aead_chacha20poly1305_ABYTES;
+ mlen = clen;
 crypto_onetimeauth_poly1305_update(&state, c, mlen);
 crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - mlen) & 0xf);
- _u64_le_from_ull(slen, adlen);
+ STORE64_LE(slen, (uint64_t) adlen);
 crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
- _u64_le_from_ull(slen, mlen);
+ STORE64_LE(slen, (uint64_t) mlen);
 crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
- crypto_onetimeauth_poly1305_final(&state, mac);
+ crypto_onetimeauth_poly1305_final(&state, computed_mac);
 sodium_memzero(&state, sizeof state);
- (void) sizeof(int[sizeof mac == 16U ? 1 : -1]);
- ret = crypto_verify_16(mac, c + mlen);
- sodium_memzero(mac, sizeof mac);
+ (void) sizeof(int[sizeof computed_mac == 16U ? 1 : -1]);
+ ret = crypto_verify_16(computed_mac, mac);
+ sodium_memzero(computed_mac, sizeof computed_mac);
 if (ret != 0) {
 memset(m, 0, mlen);
 return -1;
 }
 crypto_stream_chacha20_ietf_xor_ic(m, c, mlen, npub, 1U, k);
+
+ return 0;
+}
+
+int
+crypto_aead_chacha20poly1305_ietf_decrypt(unsigned char *m,
+ unsigned long long *mlen_p,
+ unsigned char *nsec,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ unsigned long long mlen = 0ULL;
+ int ret = -1;
+
+ if (clen >= crypto_aead_chacha20poly1305_ietf_ABYTES) {
+ ret = crypto_aead_chacha20poly1305_ietf_decrypt_detached
+ (m, nsec,
+ c, clen - crypto_aead_chacha20poly1305_ietf_ABYTES,
+ c + clen - crypto_aead_chacha20poly1305_ietf_ABYTES,
+ ad, adlen, npub, k);
+ }
 if (mlen_p != NULL) {
+ if (ret == 0) {
+ mlen = clen - crypto_aead_chacha20poly1305_ietf_ABYTES;
+ }
 *mlen_p = mlen;
 }
- return 0;
+ return ret;
+}
+
+size_t
+crypto_aead_chacha20poly1305_ietf_keybytes(void) { + return crypto_aead_chacha20poly1305_ietf_KEYBYTES; +} + +size_t +crypto_aead_chacha20poly1305_ietf_npubbytes(void) { + return crypto_aead_chacha20poly1305_ietf_NPUBBYTES; +} + +size_t +crypto_aead_chacha20poly1305_ietf_nsecbytes(void) { + return crypto_aead_chacha20poly1305_ietf_NSECBYTES; +} + +size_t +crypto_aead_chacha20poly1305_ietf_abytes(void) { + return crypto_aead_chacha20poly1305_ietf_ABYTES; } size_t @@ -254,11 +349,6 @@ crypto_aead_chacha20poly1305_npubbytes(void) { } size_t -crypto_aead_chacha20poly1305_ietf_npubbytes(void) { - return crypto_aead_chacha20poly1305_IETF_NPUBBYTES; -} - -size_t crypto_aead_chacha20poly1305_nsecbytes(void) { return crypto_aead_chacha20poly1305_NSECBYTES; } diff --git a/release/src/router/libsodium/src/libsodium/crypto_box/crypto_box_seal.c b/release/src/router/libsodium/src/libsodium/crypto_box/crypto_box_seal.c index e494b07cf9..64cc5ff69f 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_box/crypto_box_seal.c +++ b/release/src/router/libsodium/src/libsodium/crypto_box/crypto_box_seal.c @@ -35,9 +35,9 @@ crypto_box_seal(unsigned char *c, const unsigned char *m, _crypto_box_seal_nonce(nonce, epk, pk); ret = crypto_box_easy(c + crypto_box_PUBLICKEYBYTES, m, mlen, nonce, pk, esk); - sodium_memzero(nonce, sizeof nonce); - sodium_memzero(epk, sizeof epk); sodium_memzero(esk, sizeof esk); + sodium_memzero(epk, sizeof epk); + sodium_memzero(nonce, sizeof nonce); return ret; } diff --git a/release/src/router/libsodium/src/libsodium/crypto_box/curve25519xsalsa20poly1305/ref/before_curve25519xsalsa20poly1305.c b/release/src/router/libsodium/src/libsodium/crypto_box/curve25519xsalsa20poly1305/ref/before_curve25519xsalsa20poly1305.c index 2440c82ed4..3835538f7f 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_box/curve25519xsalsa20poly1305/ref/before_curve25519xsalsa20poly1305.c 
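Review bot: `crypto_aead_chacha20poly1305_ietf_decrypt_detached` places no upper bound on `clen` before `crypto_stream_chacha20_ietf_xor_ic(m, c, mlen, npub, 1U, k)` is called with the block counter starting at 1U; if the IETF stream's block counter is 32-bit, as in the RFC 7539 construction, a sufficiently long ciphertext would wrap that counter, so either reject such lengths up front or state the limit in the function's documentation. The new detached function also has no header comment; a short one saying that `nsec` is ignored, that `mac` is read as exactly 16 bytes (the `sizeof computed_mac == 16U` check pins that), and that `m` is zeroed with `memset(m, 0, mlen)` when verification fails would make the contract visible to callers of the new API. The enclosing `crypto_aead_chacha20poly1305_ietf_decrypt_detached` starts outside this hunk.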
+++ b/release/src/router/libsodium/src/libsodium/crypto_box/curve25519xsalsa20poly1305/ref/before_curve25519xsalsa20poly1305.c
@@ -2,9 +2,6 @@
 #include "crypto_core_hsalsa20.h"
 #include "crypto_scalarmult_curve25519.h"
-static const unsigned char sigma[16] = {
- 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3', '2', '-', 'b', 'y', 't', 'e', ' ', 'k'
-};
 static const unsigned char n[16] = {0};
 int crypto_box_curve25519xsalsa20poly1305_beforenm(
@@ -17,5 +14,5 @@ int crypto_box_curve25519xsalsa20poly1305_beforenm(
 if (crypto_scalarmult_curve25519(s,sk,pk) != 0) {
 return -1;
 }
- return crypto_core_hsalsa20(k,n,s,sigma);
+ return crypto_core_hsalsa20(k,n,s,NULL);
 }
diff --git a/release/src/router/libsodium/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c b/release/src/router/libsodium/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c
dissimilarity index 88%
index 59bbf7fa7f..c0c9d56e67 100644
--- a/release/src/router/libsodium/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c
+++ b/release/src/router/libsodium/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c
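Review bot: The call `crypto_core_hsalsa20(k,n,s,NULL)` in the second hunk now depends on the callee substituting its default constant when the last argument is NULL; that behaviour is not visible here (presumably it is part of the companion hsalsa20 change in this commit), and nothing at the call site says so. A one-line comment on the changed line, `/* NULL: use the default hsalsa20 constant ("expand 32-byte k") */`, would keep the intent that the deleted `sigma` table in the first hunk made explicit, and it makes a silent mismatch easier to spot if the callee's NULL handling ever changes. `crypto_box_curve25519xsalsa20poly1305_beforenm` starts outside the hunk.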
@@ -1,2233 +1,2242 @@ -#include -#include -#include -#include "curve25519_ref10.h" -#include "crypto_verify_32.h" - -static uint64_t load_3(const unsigned char *in) -{ - uint64_t result; - result = (uint64_t) in[0]; - result |= ((uint64_t) in[1]) << 8; - result |= ((uint64_t) in[2]) << 16; - return result; -} - -static uint64_t load_4(const unsigned char *in) -{ - uint64_t result; - result = (uint64_t) in[0]; - result |= ((uint64_t) in[1]) << 8; - result |= ((uint64_t) in[2]) << 16; - result |= ((uint64_t) in[3]) << 24; - return result; -} - -/* -h = 0 -*/ - -void fe_0(fe h) -{ - memset(&h[0], 0, 10 * sizeof h[0]); -} - -/* -h = 1 -*/ - -void fe_1(fe h) -{ - h[0] = 1; - h[1] = 0; - memset(&h[2], 0, 8 * sizeof h[0]); -} - -/* -h = f + g -Can overlap h with f or g. - -Preconditions: - |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. - |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. - -Postconditions: - |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. -*/ - -void fe_add(fe h,const fe f,const fe g) -{ - int32_t f0 = f[0]; - int32_t f1 = f[1]; - int32_t f2 = f[2]; - int32_t f3 = f[3]; - int32_t f4 = f[4]; - int32_t f5 = f[5]; - int32_t f6 = f[6]; - int32_t f7 = f[7]; - int32_t f8 = f[8]; - int32_t f9 = f[9]; - int32_t g0 = g[0]; - int32_t g1 = g[1]; - int32_t g2 = g[2]; - int32_t g3 = g[3]; - int32_t g4 = g[4]; - int32_t g5 = g[5]; - int32_t g6 = g[6]; - int32_t g7 = g[7]; - int32_t g8 = g[8]; - int32_t g9 = g[9]; - int32_t h0 = f0 + g0; - int32_t h1 = f1 + g1; - int32_t h2 = f2 + g2; - int32_t h3 = f3 + g3; - int32_t h4 = f4 + g4; - int32_t h5 = f5 + g5; - int32_t h6 = f6 + g6; - int32_t h7 = f7 + g7; - int32_t h8 = f8 + g8; - int32_t h9 = f9 + g9; - h[0] = h0; - h[1] = h1; - h[2] = h2; - h[3] = h3; - h[4] = h4; - h[5] = h5; - h[6] = h6; - h[7] = h7; - h[8] = h8; - h[9] = h9; -} - -/* -Replace (f,g) with (g,g) if b == 1; -replace (f,g) with (f,g) if b == 0. - -Preconditions: b in {0,1}. 
-*/ - -void fe_cmov(fe f,const fe g,unsigned int b) -{ - int32_t f0 = f[0]; - int32_t f1 = f[1]; - int32_t f2 = f[2]; - int32_t f3 = f[3]; - int32_t f4 = f[4]; - int32_t f5 = f[5]; - int32_t f6 = f[6]; - int32_t f7 = f[7]; - int32_t f8 = f[8]; - int32_t f9 = f[9]; - int32_t g0 = g[0]; - int32_t g1 = g[1]; - int32_t g2 = g[2]; - int32_t g3 = g[3]; - int32_t g4 = g[4]; - int32_t g5 = g[5]; - int32_t g6 = g[6]; - int32_t g7 = g[7]; - int32_t g8 = g[8]; - int32_t g9 = g[9]; - int32_t x0 = f0 ^ g0; - int32_t x1 = f1 ^ g1; - int32_t x2 = f2 ^ g2; - int32_t x3 = f3 ^ g3; - int32_t x4 = f4 ^ g4; - int32_t x5 = f5 ^ g5; - int32_t x6 = f6 ^ g6; - int32_t x7 = f7 ^ g7; - int32_t x8 = f8 ^ g8; - int32_t x9 = f9 ^ g9; - b = (unsigned int) (- (int) b); - x0 &= b; - x1 &= b; - x2 &= b; - x3 &= b; - x4 &= b; - x5 &= b; - x6 &= b; - x7 &= b; - x8 &= b; - x9 &= b; - f[0] = f0 ^ x0; - f[1] = f1 ^ x1; - f[2] = f2 ^ x2; - f[3] = f3 ^ x3; - f[4] = f4 ^ x4; - f[5] = f5 ^ x5; - f[6] = f6 ^ x6; - f[7] = f7 ^ x7; - f[8] = f8 ^ x8; - f[9] = f9 ^ x9; -} - -/* -h = f -*/ - -void fe_copy(fe h,const fe f) -{ - int32_t f0 = f[0]; - int32_t f1 = f[1]; - int32_t f2 = f[2]; - int32_t f3 = f[3]; - int32_t f4 = f[4]; - int32_t f5 = f[5]; - int32_t f6 = f[6]; - int32_t f7 = f[7]; - int32_t f8 = f[8]; - int32_t f9 = f[9]; - h[0] = f0; - h[1] = f1; - h[2] = f2; - h[3] = f3; - h[4] = f4; - h[5] = f5; - h[6] = f6; - h[7] = f7; - h[8] = f8; - h[9] = f9; -} - -/* -Ignores top bit of h. 
-*/ - -void fe_frombytes(fe h,const unsigned char *s) -{ - int64_t h0 = load_4(s); - int64_t h1 = load_3(s + 4) << 6; - int64_t h2 = load_3(s + 7) << 5; - int64_t h3 = load_3(s + 10) << 3; - int64_t h4 = load_3(s + 13) << 2; - int64_t h5 = load_4(s + 16); - int64_t h6 = load_3(s + 20) << 7; - int64_t h7 = load_3(s + 23) << 5; - int64_t h8 = load_3(s + 26) << 4; - int64_t h9 = (load_3(s + 29) & 8388607) << 2; - int64_t carry0; - int64_t carry1; - int64_t carry2; - int64_t carry3; - int64_t carry4; - int64_t carry5; - int64_t carry6; - int64_t carry7; - int64_t carry8; - int64_t carry9; - - carry9 = (h9 + (int64_t) (1L << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 * ((uint64_t) 1L << 25); - carry1 = (h1 + (int64_t) (1L << 24)) >> 25; h2 += carry1; h1 -= carry1 * ((uint64_t) 1L << 25); - carry3 = (h3 + (int64_t) (1L << 24)) >> 25; h4 += carry3; h3 -= carry3 * ((uint64_t) 1L << 25); - carry5 = (h5 + (int64_t) (1L << 24)) >> 25; h6 += carry5; h5 -= carry5 * ((uint64_t) 1L << 25); - carry7 = (h7 + (int64_t) (1L << 24)) >> 25; h8 += carry7; h7 -= carry7 * ((uint64_t) 1L << 25); - - carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26); - carry2 = (h2 + (int64_t) (1L << 25)) >> 26; h3 += carry2; h2 -= carry2 * ((uint64_t) 1L << 26); - carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * ((uint64_t) 1L << 26); - carry6 = (h6 + (int64_t) (1L << 25)) >> 26; h7 += carry6; h6 -= carry6 * ((uint64_t) 1L << 26); - carry8 = (h8 + (int64_t) (1L << 25)) >> 26; h9 += carry8; h8 -= carry8 * ((uint64_t) 1L << 26); - - h[0] = (int32_t) h0; - h[1] = (int32_t) h1; - h[2] = (int32_t) h2; - h[3] = (int32_t) h3; - h[4] = (int32_t) h4; - h[5] = (int32_t) h5; - h[6] = (int32_t) h6; - h[7] = (int32_t) h7; - h[8] = (int32_t) h8; - h[9] = (int32_t) h9; -} - -/* -Preconditions: - |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. - -Write p=2^255-19; q=floor(h/p). -Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))). 
- -Proof: - Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4. - Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4. - - Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9). - Then 0> 25; - q = (h0 + q) >> 26; - q = (h1 + q) >> 25; - q = (h2 + q) >> 26; - q = (h3 + q) >> 25; - q = (h4 + q) >> 26; - q = (h5 + q) >> 25; - q = (h6 + q) >> 26; - q = (h7 + q) >> 25; - q = (h8 + q) >> 26; - q = (h9 + q) >> 25; - - /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */ - h0 += 19 * q; - /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */ - - carry0 = h0 >> 26; h1 += carry0; h0 -= carry0 * ((uint32_t) 1L << 26); - carry1 = h1 >> 25; h2 += carry1; h1 -= carry1 * ((uint32_t) 1L << 25); - carry2 = h2 >> 26; h3 += carry2; h2 -= carry2 * ((uint32_t) 1L << 26); - carry3 = h3 >> 25; h4 += carry3; h3 -= carry3 * ((uint32_t) 1L << 25); - carry4 = h4 >> 26; h5 += carry4; h4 -= carry4 * ((uint32_t) 1L << 26); - carry5 = h5 >> 25; h6 += carry5; h5 -= carry5 * ((uint32_t) 1L << 25); - carry6 = h6 >> 26; h7 += carry6; h6 -= carry6 * ((uint32_t) 1L << 26); - carry7 = h7 >> 25; h8 += carry7; h7 -= carry7 * ((uint32_t) 1L << 25); - carry8 = h8 >> 26; h9 += carry8; h8 -= carry8 * ((uint32_t) 1L << 26); - carry9 = h9 >> 25; h9 -= carry9 * ((uint32_t) 1L << 25); - /* h10 = carry9 */ - - /* - Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20. - Have h0+...+2^230 h9 between 0 and 2^255-1; - evidently 2^255 h10-2^255 q = 0. - Goal: Output h0+...+2^230 h9. 
- */ - - s[0] = h0 >> 0; - s[1] = h0 >> 8; - s[2] = h0 >> 16; - s[3] = (h0 >> 24) | (h1 * ((uint32_t) 1 << 2)); - s[4] = h1 >> 6; - s[5] = h1 >> 14; - s[6] = (h1 >> 22) | (h2 * ((uint32_t) 1 << 3)); - s[7] = h2 >> 5; - s[8] = h2 >> 13; - s[9] = (h2 >> 21) | (h3 * ((uint32_t) 1 << 5)); - s[10] = h3 >> 3; - s[11] = h3 >> 11; - s[12] = (h3 >> 19) | (h4 * ((uint32_t) 1 << 6)); - s[13] = h4 >> 2; - s[14] = h4 >> 10; - s[15] = h4 >> 18; - s[16] = h5 >> 0; - s[17] = h5 >> 8; - s[18] = h5 >> 16; - s[19] = (h5 >> 24) | (h6 * ((uint32_t) 1 << 1)); - s[20] = h6 >> 7; - s[21] = h6 >> 15; - s[22] = (h6 >> 23) | (h7 * ((uint32_t) 1 << 3)); - s[23] = h7 >> 5; - s[24] = h7 >> 13; - s[25] = (h7 >> 21) | (h8 * ((uint32_t) 1 << 4)); - s[26] = h8 >> 4; - s[27] = h8 >> 12; - s[28] = (h8 >> 20) | (h9 * ((uint32_t) 1 << 6)); - s[29] = h9 >> 2; - s[30] = h9 >> 10; - s[31] = h9 >> 18; -} - -/* -return 1 if f is in {1,3,5,...,q-2} -return 0 if f is in {0,2,4,...,q-1} - -Preconditions: - |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. -*/ - -int fe_isnegative(const fe f) -{ - unsigned char s[32]; - fe_tobytes(s,f); - return s[0] & 1; -} - -/* -return 1 if f == 0 -return 0 if f != 0 - -Preconditions: - |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. -*/ - -static unsigned char zero[32]; - -int fe_isnonzero(const fe f) -{ - unsigned char s[32]; - fe_tobytes(s,f); - return crypto_verify_32(s,zero); -} - -/* -h = f * g -Can overlap h with f or g. - -Preconditions: - |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. - |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. - -Postconditions: - |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. -*/ - -/* -Notes on implementation strategy: - -Using schoolbook multiplication. -Karatsuba would save a little in some cost models. - -Most multiplications by 2 and 19 are 32-bit precomputations; -cheaper than 64-bit postcomputations. 
- -There is one remaining multiplication by 19 in the carry chain; -one *19 precomputation can be merged into this, -but the resulting data flow is considerably less clean. - -There are 12 carries below. -10 of them are 2-way parallelizable and vectorizable. -Can get away with 11 carries, but then data flow is much deeper. - -With tighter constraints on inputs can squeeze carries into int32. -*/ - -void fe_mul(fe h,const fe f,const fe g) -{ - int32_t f0 = f[0]; - int32_t f1 = f[1]; - int32_t f2 = f[2]; - int32_t f3 = f[3]; - int32_t f4 = f[4]; - int32_t f5 = f[5]; - int32_t f6 = f[6]; - int32_t f7 = f[7]; - int32_t f8 = f[8]; - int32_t f9 = f[9]; - int32_t g0 = g[0]; - int32_t g1 = g[1]; - int32_t g2 = g[2]; - int32_t g3 = g[3]; - int32_t g4 = g[4]; - int32_t g5 = g[5]; - int32_t g6 = g[6]; - int32_t g7 = g[7]; - int32_t g8 = g[8]; - int32_t g9 = g[9]; - int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */ - int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */ - int32_t g3_19 = 19 * g3; - int32_t g4_19 = 19 * g4; - int32_t g5_19 = 19 * g5; - int32_t g6_19 = 19 * g6; - int32_t g7_19 = 19 * g7; - int32_t g8_19 = 19 * g8; - int32_t g9_19 = 19 * g9; - int32_t f1_2 = 2 * f1; - int32_t f3_2 = 2 * f3; - int32_t f5_2 = 2 * f5; - int32_t f7_2 = 2 * f7; - int32_t f9_2 = 2 * f9; - int64_t f0g0 = f0 * (int64_t) g0; - int64_t f0g1 = f0 * (int64_t) g1; - int64_t f0g2 = f0 * (int64_t) g2; - int64_t f0g3 = f0 * (int64_t) g3; - int64_t f0g4 = f0 * (int64_t) g4; - int64_t f0g5 = f0 * (int64_t) g5; - int64_t f0g6 = f0 * (int64_t) g6; - int64_t f0g7 = f0 * (int64_t) g7; - int64_t f0g8 = f0 * (int64_t) g8; - int64_t f0g9 = f0 * (int64_t) g9; - int64_t f1g0 = f1 * (int64_t) g0; - int64_t f1g1_2 = f1_2 * (int64_t) g1; - int64_t f1g2 = f1 * (int64_t) g2; - int64_t f1g3_2 = f1_2 * (int64_t) g3; - int64_t f1g4 = f1 * (int64_t) g4; - int64_t f1g5_2 = f1_2 * (int64_t) g5; - int64_t f1g6 = f1 * (int64_t) g6; - int64_t f1g7_2 = f1_2 * (int64_t) g7; - int64_t f1g8 = f1 * (int64_t) g8; - int64_t 
f1g9_38 = f1_2 * (int64_t) g9_19; - int64_t f2g0 = f2 * (int64_t) g0; - int64_t f2g1 = f2 * (int64_t) g1; - int64_t f2g2 = f2 * (int64_t) g2; - int64_t f2g3 = f2 * (int64_t) g3; - int64_t f2g4 = f2 * (int64_t) g4; - int64_t f2g5 = f2 * (int64_t) g5; - int64_t f2g6 = f2 * (int64_t) g6; - int64_t f2g7 = f2 * (int64_t) g7; - int64_t f2g8_19 = f2 * (int64_t) g8_19; - int64_t f2g9_19 = f2 * (int64_t) g9_19; - int64_t f3g0 = f3 * (int64_t) g0; - int64_t f3g1_2 = f3_2 * (int64_t) g1; - int64_t f3g2 = f3 * (int64_t) g2; - int64_t f3g3_2 = f3_2 * (int64_t) g3; - int64_t f3g4 = f3 * (int64_t) g4; - int64_t f3g5_2 = f3_2 * (int64_t) g5; - int64_t f3g6 = f3 * (int64_t) g6; - int64_t f3g7_38 = f3_2 * (int64_t) g7_19; - int64_t f3g8_19 = f3 * (int64_t) g8_19; - int64_t f3g9_38 = f3_2 * (int64_t) g9_19; - int64_t f4g0 = f4 * (int64_t) g0; - int64_t f4g1 = f4 * (int64_t) g1; - int64_t f4g2 = f4 * (int64_t) g2; - int64_t f4g3 = f4 * (int64_t) g3; - int64_t f4g4 = f4 * (int64_t) g4; - int64_t f4g5 = f4 * (int64_t) g5; - int64_t f4g6_19 = f4 * (int64_t) g6_19; - int64_t f4g7_19 = f4 * (int64_t) g7_19; - int64_t f4g8_19 = f4 * (int64_t) g8_19; - int64_t f4g9_19 = f4 * (int64_t) g9_19; - int64_t f5g0 = f5 * (int64_t) g0; - int64_t f5g1_2 = f5_2 * (int64_t) g1; - int64_t f5g2 = f5 * (int64_t) g2; - int64_t f5g3_2 = f5_2 * (int64_t) g3; - int64_t f5g4 = f5 * (int64_t) g4; - int64_t f5g5_38 = f5_2 * (int64_t) g5_19; - int64_t f5g6_19 = f5 * (int64_t) g6_19; - int64_t f5g7_38 = f5_2 * (int64_t) g7_19; - int64_t f5g8_19 = f5 * (int64_t) g8_19; - int64_t f5g9_38 = f5_2 * (int64_t) g9_19; - int64_t f6g0 = f6 * (int64_t) g0; - int64_t f6g1 = f6 * (int64_t) g1; - int64_t f6g2 = f6 * (int64_t) g2; - int64_t f6g3 = f6 * (int64_t) g3; - int64_t f6g4_19 = f6 * (int64_t) g4_19; - int64_t f6g5_19 = f6 * (int64_t) g5_19; - int64_t f6g6_19 = f6 * (int64_t) g6_19; - int64_t f6g7_19 = f6 * (int64_t) g7_19; - int64_t f6g8_19 = f6 * (int64_t) g8_19; - int64_t f6g9_19 = f6 * (int64_t) g9_19; - int64_t f7g0 
= f7 * (int64_t) g0; - int64_t f7g1_2 = f7_2 * (int64_t) g1; - int64_t f7g2 = f7 * (int64_t) g2; - int64_t f7g3_38 = f7_2 * (int64_t) g3_19; - int64_t f7g4_19 = f7 * (int64_t) g4_19; - int64_t f7g5_38 = f7_2 * (int64_t) g5_19; - int64_t f7g6_19 = f7 * (int64_t) g6_19; - int64_t f7g7_38 = f7_2 * (int64_t) g7_19; - int64_t f7g8_19 = f7 * (int64_t) g8_19; - int64_t f7g9_38 = f7_2 * (int64_t) g9_19; - int64_t f8g0 = f8 * (int64_t) g0; - int64_t f8g1 = f8 * (int64_t) g1; - int64_t f8g2_19 = f8 * (int64_t) g2_19; - int64_t f8g3_19 = f8 * (int64_t) g3_19; - int64_t f8g4_19 = f8 * (int64_t) g4_19; - int64_t f8g5_19 = f8 * (int64_t) g5_19; - int64_t f8g6_19 = f8 * (int64_t) g6_19; - int64_t f8g7_19 = f8 * (int64_t) g7_19; - int64_t f8g8_19 = f8 * (int64_t) g8_19; - int64_t f8g9_19 = f8 * (int64_t) g9_19; - int64_t f9g0 = f9 * (int64_t) g0; - int64_t f9g1_38 = f9_2 * (int64_t) g1_19; - int64_t f9g2_19 = f9 * (int64_t) g2_19; - int64_t f9g3_38 = f9_2 * (int64_t) g3_19; - int64_t f9g4_19 = f9 * (int64_t) g4_19; - int64_t f9g5_38 = f9_2 * (int64_t) g5_19; - int64_t f9g6_19 = f9 * (int64_t) g6_19; - int64_t f9g7_38 = f9_2 * (int64_t) g7_19; - int64_t f9g8_19 = f9 * (int64_t) g8_19; - int64_t f9g9_38 = f9_2 * (int64_t) g9_19; - int64_t h0 = f0g0+f1g9_38+f2g8_19+f3g7_38+f4g6_19+f5g5_38+f6g4_19+f7g3_38+f8g2_19+f9g1_38; - int64_t h1 = f0g1+f1g0 +f2g9_19+f3g8_19+f4g7_19+f5g6_19+f6g5_19+f7g4_19+f8g3_19+f9g2_19; - int64_t h2 = f0g2+f1g1_2 +f2g0 +f3g9_38+f4g8_19+f5g7_38+f6g6_19+f7g5_38+f8g4_19+f9g3_38; - int64_t h3 = f0g3+f1g2 +f2g1 +f3g0 +f4g9_19+f5g8_19+f6g7_19+f7g6_19+f8g5_19+f9g4_19; - int64_t h4 = f0g4+f1g3_2 +f2g2 +f3g1_2 +f4g0 +f5g9_38+f6g8_19+f7g7_38+f8g6_19+f9g5_38; - int64_t h5 = f0g5+f1g4 +f2g3 +f3g2 +f4g1 +f5g0 +f6g9_19+f7g8_19+f8g7_19+f9g6_19; - int64_t h6 = f0g6+f1g5_2 +f2g4 +f3g3_2 +f4g2 +f5g1_2 +f6g0 +f7g9_38+f8g8_19+f9g7_38; - int64_t h7 = f0g7+f1g6 +f2g5 +f3g4 +f4g3 +f5g2 +f6g1 +f7g0 +f8g9_19+f9g8_19; - int64_t h8 = f0g8+f1g7_2 +f2g6 +f3g5_2 +f4g4 +f5g3_2 +f6g2 +f7g1_2 
+f8g0 +f9g9_38; - int64_t h9 = f0g9+f1g8 +f2g7 +f3g6 +f4g5 +f5g4 +f6g3 +f7g2 +f8g1 +f9g0 ; - int64_t carry0; - int64_t carry1; - int64_t carry2; - int64_t carry3; - int64_t carry4; - int64_t carry5; - int64_t carry6; - int64_t carry7; - int64_t carry8; - int64_t carry9; - - /* - |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38)) - i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8 - |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19)) - i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9 - */ - - carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26); - carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * ((uint64_t) 1L << 26); - /* |h0| <= 2^25 */ - /* |h4| <= 2^25 */ - /* |h1| <= 1.71*2^59 */ - /* |h5| <= 1.71*2^59 */ - - carry1 = (h1 + (int64_t) (1L << 24)) >> 25; h2 += carry1; h1 -= carry1 * ((uint64_t) 1L << 25); - carry5 = (h5 + (int64_t) (1L << 24)) >> 25; h6 += carry5; h5 -= carry5 * ((uint64_t) 1L << 25); - /* |h1| <= 2^24; from now on fits into int32 */ - /* |h5| <= 2^24; from now on fits into int32 */ - /* |h2| <= 1.41*2^60 */ - /* |h6| <= 1.41*2^60 */ - - carry2 = (h2 + (int64_t) (1L << 25)) >> 26; h3 += carry2; h2 -= carry2 * ((uint64_t) 1L << 26); - carry6 = (h6 + (int64_t) (1L << 25)) >> 26; h7 += carry6; h6 -= carry6 * ((uint64_t) 1L << 26); - /* |h2| <= 2^25; from now on fits into int32 unchanged */ - /* |h6| <= 2^25; from now on fits into int32 unchanged */ - /* |h3| <= 1.71*2^59 */ - /* |h7| <= 1.71*2^59 */ - - carry3 = (h3 + (int64_t) (1L << 24)) >> 25; h4 += carry3; h3 -= carry3 * ((uint64_t) 1L << 25); - carry7 = (h7 + (int64_t) (1L << 24)) >> 25; h8 += carry7; h7 -= carry7 * ((uint64_t) 1L << 25); - /* |h3| <= 2^24; from now on fits into int32 unchanged */ - /* |h7| <= 2^24; from now on fits into int32 unchanged */ - /* |h4| <= 1.72*2^34 */ - /* |h8| <= 1.41*2^60 */ - - carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * 
((uint64_t) 1L << 26); - carry8 = (h8 + (int64_t) (1L << 25)) >> 26; h9 += carry8; h8 -= carry8 * ((uint64_t) 1L << 26); - /* |h4| <= 2^25; from now on fits into int32 unchanged */ - /* |h8| <= 2^25; from now on fits into int32 unchanged */ - /* |h5| <= 1.01*2^24 */ - /* |h9| <= 1.71*2^59 */ - - carry9 = (h9 + (int64_t) (1L << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 * ((uint64_t) 1L << 25); - /* |h9| <= 2^24; from now on fits into int32 unchanged */ - /* |h0| <= 1.1*2^39 */ - - carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26); - /* |h0| <= 2^25; from now on fits into int32 unchanged */ - /* |h1| <= 1.01*2^24 */ - - h[0] = (int32_t) h0; - h[1] = (int32_t) h1; - h[2] = (int32_t) h2; - h[3] = (int32_t) h3; - h[4] = (int32_t) h4; - h[5] = (int32_t) h5; - h[6] = (int32_t) h6; - h[7] = (int32_t) h7; - h[8] = (int32_t) h8; - h[9] = (int32_t) h9; -} - -/* -h = -f - -Preconditions: - |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. - -Postconditions: - |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. -*/ - -void fe_neg(fe h,const fe f) -{ - int32_t f0 = f[0]; - int32_t f1 = f[1]; - int32_t f2 = f[2]; - int32_t f3 = f[3]; - int32_t f4 = f[4]; - int32_t f5 = f[5]; - int32_t f6 = f[6]; - int32_t f7 = f[7]; - int32_t f8 = f[8]; - int32_t f9 = f[9]; - int32_t h0 = -f0; - int32_t h1 = -f1; - int32_t h2 = -f2; - int32_t h3 = -f3; - int32_t h4 = -f4; - int32_t h5 = -f5; - int32_t h6 = -f6; - int32_t h7 = -f7; - int32_t h8 = -f8; - int32_t h9 = -f9; - h[0] = h0; - h[1] = h1; - h[2] = h2; - h[3] = h3; - h[4] = h4; - h[5] = h5; - h[6] = h6; - h[7] = h7; - h[8] = h8; - h[9] = h9; -} - -/* -h = f * f -Can overlap h with f. - -Preconditions: - |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. - -Postconditions: - |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. -*/ - -/* -See fe_mul.c for discussion of implementation strategy. 
-*/ - -void fe_sq(fe h,const fe f) -{ - int32_t f0 = f[0]; - int32_t f1 = f[1]; - int32_t f2 = f[2]; - int32_t f3 = f[3]; - int32_t f4 = f[4]; - int32_t f5 = f[5]; - int32_t f6 = f[6]; - int32_t f7 = f[7]; - int32_t f8 = f[8]; - int32_t f9 = f[9]; - int32_t f0_2 = 2 * f0; - int32_t f1_2 = 2 * f1; - int32_t f2_2 = 2 * f2; - int32_t f3_2 = 2 * f3; - int32_t f4_2 = 2 * f4; - int32_t f5_2 = 2 * f5; - int32_t f6_2 = 2 * f6; - int32_t f7_2 = 2 * f7; - int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */ - int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */ - int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */ - int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */ - int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */ - int64_t f0f0 = f0 * (int64_t) f0; - int64_t f0f1_2 = f0_2 * (int64_t) f1; - int64_t f0f2_2 = f0_2 * (int64_t) f2; - int64_t f0f3_2 = f0_2 * (int64_t) f3; - int64_t f0f4_2 = f0_2 * (int64_t) f4; - int64_t f0f5_2 = f0_2 * (int64_t) f5; - int64_t f0f6_2 = f0_2 * (int64_t) f6; - int64_t f0f7_2 = f0_2 * (int64_t) f7; - int64_t f0f8_2 = f0_2 * (int64_t) f8; - int64_t f0f9_2 = f0_2 * (int64_t) f9; - int64_t f1f1_2 = f1_2 * (int64_t) f1; - int64_t f1f2_2 = f1_2 * (int64_t) f2; - int64_t f1f3_4 = f1_2 * (int64_t) f3_2; - int64_t f1f4_2 = f1_2 * (int64_t) f4; - int64_t f1f5_4 = f1_2 * (int64_t) f5_2; - int64_t f1f6_2 = f1_2 * (int64_t) f6; - int64_t f1f7_4 = f1_2 * (int64_t) f7_2; - int64_t f1f8_2 = f1_2 * (int64_t) f8; - int64_t f1f9_76 = f1_2 * (int64_t) f9_38; - int64_t f2f2 = f2 * (int64_t) f2; - int64_t f2f3_2 = f2_2 * (int64_t) f3; - int64_t f2f4_2 = f2_2 * (int64_t) f4; - int64_t f2f5_2 = f2_2 * (int64_t) f5; - int64_t f2f6_2 = f2_2 * (int64_t) f6; - int64_t f2f7_2 = f2_2 * (int64_t) f7; - int64_t f2f8_38 = f2_2 * (int64_t) f8_19; - int64_t f2f9_38 = f2 * (int64_t) f9_38; - int64_t f3f3_2 = f3_2 * (int64_t) f3; - int64_t f3f4_2 = f3_2 * (int64_t) f4; - int64_t f3f5_4 = f3_2 * (int64_t) f5_2; - int64_t f3f6_2 = f3_2 * (int64_t) f6; - int64_t f3f7_76 = f3_2 * (int64_t) f7_38; - int64_t f3f8_38 = 
f3_2 * (int64_t) f8_19; - int64_t f3f9_76 = f3_2 * (int64_t) f9_38; - int64_t f4f4 = f4 * (int64_t) f4; - int64_t f4f5_2 = f4_2 * (int64_t) f5; - int64_t f4f6_38 = f4_2 * (int64_t) f6_19; - int64_t f4f7_38 = f4 * (int64_t) f7_38; - int64_t f4f8_38 = f4_2 * (int64_t) f8_19; - int64_t f4f9_38 = f4 * (int64_t) f9_38; - int64_t f5f5_38 = f5 * (int64_t) f5_38; - int64_t f5f6_38 = f5_2 * (int64_t) f6_19; - int64_t f5f7_76 = f5_2 * (int64_t) f7_38; - int64_t f5f8_38 = f5_2 * (int64_t) f8_19; - int64_t f5f9_76 = f5_2 * (int64_t) f9_38; - int64_t f6f6_19 = f6 * (int64_t) f6_19; - int64_t f6f7_38 = f6 * (int64_t) f7_38; - int64_t f6f8_38 = f6_2 * (int64_t) f8_19; - int64_t f6f9_38 = f6 * (int64_t) f9_38; - int64_t f7f7_38 = f7 * (int64_t) f7_38; - int64_t f7f8_38 = f7_2 * (int64_t) f8_19; - int64_t f7f9_76 = f7_2 * (int64_t) f9_38; - int64_t f8f8_19 = f8 * (int64_t) f8_19; - int64_t f8f9_38 = f8 * (int64_t) f9_38; - int64_t f9f9_38 = f9 * (int64_t) f9_38; - int64_t h0 = f0f0 +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38; - int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38; - int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19; - int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38; - int64_t h4 = f0f4_2+f1f3_4 +f2f2 +f5f9_76+f6f8_38+f7f7_38; - int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38; - int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19; - int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38; - int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4 +f9f9_38; - int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2; - int64_t carry0; - int64_t carry1; - int64_t carry2; - int64_t carry3; - int64_t carry4; - int64_t carry5; - int64_t carry6; - int64_t carry7; - int64_t carry8; - int64_t carry9; - - carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26); - carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * ((uint64_t) 1L << 26); - - carry1 = (h1 + (int64_t) (1L << 24)) >> 25; h2 += carry1; h1 -= carry1 * 
((uint64_t) 1L << 25); - carry5 = (h5 + (int64_t) (1L << 24)) >> 25; h6 += carry5; h5 -= carry5 * ((uint64_t) 1L << 25); - - carry2 = (h2 + (int64_t) (1L << 25)) >> 26; h3 += carry2; h2 -= carry2 * ((uint64_t) 1L << 26); - carry6 = (h6 + (int64_t) (1L << 25)) >> 26; h7 += carry6; h6 -= carry6 * ((uint64_t) 1L << 26); - - carry3 = (h3 + (int64_t) (1L << 24)) >> 25; h4 += carry3; h3 -= carry3 * ((uint64_t) 1L << 25); - carry7 = (h7 + (int64_t) (1L << 24)) >> 25; h8 += carry7; h7 -= carry7 * ((uint64_t) 1L << 25); - - carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * ((uint64_t) 1L << 26); - carry8 = (h8 + (int64_t) (1L << 25)) >> 26; h9 += carry8; h8 -= carry8 * ((uint64_t) 1L << 26); - - carry9 = (h9 + (int64_t) (1L << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 * ((uint64_t) 1L << 25); - - carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26); - - h[0] = (int32_t) h0; - h[1] = (int32_t) h1; - h[2] = (int32_t) h2; - h[3] = (int32_t) h3; - h[4] = (int32_t) h4; - h[5] = (int32_t) h5; - h[6] = (int32_t) h6; - h[7] = (int32_t) h7; - h[8] = (int32_t) h8; - h[9] = (int32_t) h9; -} - -/* -h = 2 * f * f -Can overlap h with f. - -Preconditions: - |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. - -Postconditions: - |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. -*/ - -/* -See fe_mul.c for discussion of implementation strategy. 
-*/ - -void fe_sq2(fe h,const fe f) -{ - int32_t f0 = f[0]; - int32_t f1 = f[1]; - int32_t f2 = f[2]; - int32_t f3 = f[3]; - int32_t f4 = f[4]; - int32_t f5 = f[5]; - int32_t f6 = f[6]; - int32_t f7 = f[7]; - int32_t f8 = f[8]; - int32_t f9 = f[9]; - int32_t f0_2 = 2 * f0; - int32_t f1_2 = 2 * f1; - int32_t f2_2 = 2 * f2; - int32_t f3_2 = 2 * f3; - int32_t f4_2 = 2 * f4; - int32_t f5_2 = 2 * f5; - int32_t f6_2 = 2 * f6; - int32_t f7_2 = 2 * f7; - int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */ - int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */ - int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */ - int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */ - int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */ - int64_t f0f0 = f0 * (int64_t) f0; - int64_t f0f1_2 = f0_2 * (int64_t) f1; - int64_t f0f2_2 = f0_2 * (int64_t) f2; - int64_t f0f3_2 = f0_2 * (int64_t) f3; - int64_t f0f4_2 = f0_2 * (int64_t) f4; - int64_t f0f5_2 = f0_2 * (int64_t) f5; - int64_t f0f6_2 = f0_2 * (int64_t) f6; - int64_t f0f7_2 = f0_2 * (int64_t) f7; - int64_t f0f8_2 = f0_2 * (int64_t) f8; - int64_t f0f9_2 = f0_2 * (int64_t) f9; - int64_t f1f1_2 = f1_2 * (int64_t) f1; - int64_t f1f2_2 = f1_2 * (int64_t) f2; - int64_t f1f3_4 = f1_2 * (int64_t) f3_2; - int64_t f1f4_2 = f1_2 * (int64_t) f4; - int64_t f1f5_4 = f1_2 * (int64_t) f5_2; - int64_t f1f6_2 = f1_2 * (int64_t) f6; - int64_t f1f7_4 = f1_2 * (int64_t) f7_2; - int64_t f1f8_2 = f1_2 * (int64_t) f8; - int64_t f1f9_76 = f1_2 * (int64_t) f9_38; - int64_t f2f2 = f2 * (int64_t) f2; - int64_t f2f3_2 = f2_2 * (int64_t) f3; - int64_t f2f4_2 = f2_2 * (int64_t) f4; - int64_t f2f5_2 = f2_2 * (int64_t) f5; - int64_t f2f6_2 = f2_2 * (int64_t) f6; - int64_t f2f7_2 = f2_2 * (int64_t) f7; - int64_t f2f8_38 = f2_2 * (int64_t) f8_19; - int64_t f2f9_38 = f2 * (int64_t) f9_38; - int64_t f3f3_2 = f3_2 * (int64_t) f3; - int64_t f3f4_2 = f3_2 * (int64_t) f4; - int64_t f3f5_4 = f3_2 * (int64_t) f5_2; - int64_t f3f6_2 = f3_2 * (int64_t) f6; - int64_t f3f7_76 = f3_2 * (int64_t) f7_38; - int64_t f3f8_38 = 
f3_2 * (int64_t) f8_19; - int64_t f3f9_76 = f3_2 * (int64_t) f9_38; - int64_t f4f4 = f4 * (int64_t) f4; - int64_t f4f5_2 = f4_2 * (int64_t) f5; - int64_t f4f6_38 = f4_2 * (int64_t) f6_19; - int64_t f4f7_38 = f4 * (int64_t) f7_38; - int64_t f4f8_38 = f4_2 * (int64_t) f8_19; - int64_t f4f9_38 = f4 * (int64_t) f9_38; - int64_t f5f5_38 = f5 * (int64_t) f5_38; - int64_t f5f6_38 = f5_2 * (int64_t) f6_19; - int64_t f5f7_76 = f5_2 * (int64_t) f7_38; - int64_t f5f8_38 = f5_2 * (int64_t) f8_19; - int64_t f5f9_76 = f5_2 * (int64_t) f9_38; - int64_t f6f6_19 = f6 * (int64_t) f6_19; - int64_t f6f7_38 = f6 * (int64_t) f7_38; - int64_t f6f8_38 = f6_2 * (int64_t) f8_19; - int64_t f6f9_38 = f6 * (int64_t) f9_38; - int64_t f7f7_38 = f7 * (int64_t) f7_38; - int64_t f7f8_38 = f7_2 * (int64_t) f8_19; - int64_t f7f9_76 = f7_2 * (int64_t) f9_38; - int64_t f8f8_19 = f8 * (int64_t) f8_19; - int64_t f8f9_38 = f8 * (int64_t) f9_38; - int64_t f9f9_38 = f9 * (int64_t) f9_38; - int64_t h0 = f0f0 +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38; - int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38; - int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19; - int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38; - int64_t h4 = f0f4_2+f1f3_4 +f2f2 +f5f9_76+f6f8_38+f7f7_38; - int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38; - int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19; - int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38; - int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4 +f9f9_38; - int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2; - int64_t carry0; - int64_t carry1; - int64_t carry2; - int64_t carry3; - int64_t carry4; - int64_t carry5; - int64_t carry6; - int64_t carry7; - int64_t carry8; - int64_t carry9; - - h0 += h0; - h1 += h1; - h2 += h2; - h3 += h3; - h4 += h4; - h5 += h5; - h6 += h6; - h7 += h7; - h8 += h8; - h9 += h9; - - carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26); - carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += 
carry4; h4 -= carry4 * ((uint64_t) 1L << 26);
-
- carry1 = (h1 + (int64_t) (1L << 24)) >> 25; h2 += carry1; h1 -= carry1 * ((uint64_t) 1L << 25);
- carry5 = (h5 + (int64_t) (1L << 24)) >> 25; h6 += carry5; h5 -= carry5 * ((uint64_t) 1L << 25);
-
- carry2 = (h2 + (int64_t) (1L << 25)) >> 26; h3 += carry2; h2 -= carry2 * ((uint64_t) 1L << 26);
- carry6 = (h6 + (int64_t) (1L << 25)) >> 26; h7 += carry6; h6 -= carry6 * ((uint64_t) 1L << 26);
-
- carry3 = (h3 + (int64_t) (1L << 24)) >> 25; h4 += carry3; h3 -= carry3 * ((uint64_t) 1L << 25);
- carry7 = (h7 + (int64_t) (1L << 24)) >> 25; h8 += carry7; h7 -= carry7 * ((uint64_t) 1L << 25);
-
- carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * ((uint64_t) 1L << 26);
- carry8 = (h8 + (int64_t) (1L << 25)) >> 26; h9 += carry8; h8 -= carry8 * ((uint64_t) 1L << 26);
-
- carry9 = (h9 + (int64_t) (1L << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 * ((uint64_t) 1L << 25);
-
- carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26);
-
- h[0] = (int32_t) h0;
- h[1] = (int32_t) h1;
- h[2] = (int32_t) h2;
- h[3] = (int32_t) h3;
- h[4] = (int32_t) h4;
- h[5] = (int32_t) h5;
- h[6] = (int32_t) h6;
- h[7] = (int32_t) h7;
- h[8] = (int32_t) h8;
- h[9] = (int32_t) h9;
-}
-
-void fe_invert(fe out,const fe z)
-{
- fe t0;
- fe t1;
- fe t2;
- fe t3;
- int i;
-
- fe_sq(t0, z);
- fe_sq(t1, t0);
- fe_sq(t1, t1);
- fe_mul(t1, z, t1);
- fe_mul(t0, t0, t1);
- fe_sq(t2, t0);
- fe_mul(t1, t1, t2);
- fe_sq(t2, t1);
- for (i = 1; i < 5; ++i) {
- fe_sq(t2, t2);
- }
- fe_mul(t1, t2, t1);
- fe_sq(t2, t1);
- for (i = 1; i < 10; ++i) {
- fe_sq(t2, t2);
- }
- fe_mul(t2, t2, t1);
- fe_sq(t3, t2);
- for (i = 1; i < 20; ++i) {
- fe_sq(t3, t3);
- }
- fe_mul(t2, t3, t2);
- fe_sq(t2, t2);
- for (i = 1; i < 10; ++i) {
- fe_sq(t2, t2);
- }
- fe_mul(t1, t2, t1);
- fe_sq(t2, t1);
- for (i = 1; i < 50; ++i) {
- fe_sq(t2, t2);
- }
- fe_mul(t2, t2, t1);
- fe_sq(t3, t2);
- for (i = 1; i < 100; ++i) {
- fe_sq(t3,
t3);
- }
- fe_mul(t2, t3, t2);
- fe_sq(t2, t2);
- for (i = 1; i < 50; ++i) {
- fe_sq(t2, t2);
- }
- fe_mul(t1, t2, t1);
- fe_sq(t1, t1);
- for (i = 1; i < 5; ++i) {
- fe_sq(t1, t1);
- }
- fe_mul(out, t1, t0);
-}
-
-void fe_pow22523(fe out,const fe z)
-{
- fe t0;
- fe t1;
- fe t2;
- int i;
-
- fe_sq(t0, z);
- fe_sq(t1, t0);
- fe_sq(t1, t1);
- fe_mul(t1, z, t1);
- fe_mul(t0, t0, t1);
- fe_sq(t0, t0);
- fe_mul(t0, t1, t0);
- fe_sq(t1, t0);
- for (i = 1; i < 5; ++i) {
- fe_sq(t1, t1);
- }
- fe_mul(t0, t1, t0);
- fe_sq(t1, t0);
- for (i = 1; i < 10; ++i) {
- fe_sq(t1, t1);
- }
- fe_mul(t1, t1, t0);
- fe_sq(t2, t1);
- for (i = 1; i < 20; ++i) {
- fe_sq(t2, t2);
- }
- fe_mul(t1, t2, t1);
- fe_sq(t1, t1);
- for (i = 1; i < 10; ++i) {
- fe_sq(t1, t1);
- }
- fe_mul(t0, t1, t0);
- fe_sq(t1, t0);
- for (i = 1; i < 50; ++i) {
- fe_sq(t1, t1);
- }
- fe_mul(t1, t1, t0);
- fe_sq(t2, t1);
- for (i = 1; i < 100; ++i) {
- fe_sq(t2, t2);
- }
- fe_mul(t1, t2, t1);
- fe_sq(t1, t1);
- for (i = 1; i < 50; ++i) {
- fe_sq(t1, t1);
- }
- fe_mul(t0, t1, t0);
- fe_sq(t0, t0);
- fe_sq(t0, t0);
- fe_mul(out, t0, z);
-}
-
-/*
-h = f - g
-Can overlap h with f or g.
-
-Preconditions:
- |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
- |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
-
-Postconditions:
- |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
-*/
-
-void fe_sub(fe h,const fe f,const fe g)
-{
- int32_t f0 = f[0];
- int32_t f1 = f[1];
- int32_t f2 = f[2];
- int32_t f3 = f[3];
- int32_t f4 = f[4];
- int32_t f5 = f[5];
- int32_t f6 = f[6];
- int32_t f7 = f[7];
- int32_t f8 = f[8];
- int32_t f9 = f[9];
- int32_t g0 = g[0];
- int32_t g1 = g[1];
- int32_t g2 = g[2];
- int32_t g3 = g[3];
- int32_t g4 = g[4];
- int32_t g5 = g[5];
- int32_t g6 = g[6];
- int32_t g7 = g[7];
- int32_t g8 = g[8];
- int32_t g9 = g[9];
- int32_t h0 = f0 - g0;
- int32_t h1 = f1 - g1;
- int32_t h2 = f2 - g2;
- int32_t h3 = f3 - g3;
- int32_t h4 = f4 - g4;
- int32_t h5 = f5 - g5;
- int32_t h6 = f6 - g6;
- int32_t h7 = f7 - g7;
- int32_t h8 = f8 - g8;
- int32_t h9 = f9 - g9;
- h[0] = h0;
- h[1] = h1;
- h[2] = h2;
- h[3] = h3;
- h[4] = h4;
- h[5] = h5;
- h[6] = h6;
- h[7] = h7;
- h[8] = h8;
- h[9] = h9;
-}
-
-/*
-r = p + q
-*/
-
-void ge_add(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
-{
- fe t0;
-
- fe_add(r->X, p->Y, p->X);
- fe_sub(r->Y, p->Y, p->X);
- fe_mul(r->Z, r->X, q->YplusX);
- fe_mul(r->Y, r->Y, q->YminusX);
- fe_mul(r->T, q->T2d, p->T);
- fe_mul(r->X, p->Z, q->Z);
- fe_add(t0, r->X, r->X);
- fe_sub(r->X, r->Z, r->Y);
- fe_add(r->Y, r->Z, r->Y);
- fe_add(r->Z, t0, r->T);
- fe_sub(r->T, t0, r->T);
-}
-
-static void slide(signed char *r,const unsigned char *a)
-{
- int i;
- int b;
- int k;
-
- for (i = 0;i < 256;++i)
- r[i] = 1 & (a[i >> 3] >> (i & 7));
-
- for (i = 0;i < 256;++i)
- if (r[i]) {
- for (b = 1;b <= 6 && i + b < 256;++b) {
- if (r[i + b]) {
- if (r[i] + (r[i + b] << b) <= 15) {
- r[i] += r[i + b] << b; r[i + b] = 0;
- } else if (r[i] - (r[i + b] << b) >= -15) {
- r[i] -= r[i + b] << b;
- for (k = i + b;k < 256;++k) {
- if (!r[k]) {
- r[k] = 1;
- break;
- }
- r[k] = 0;
- }
- } else
- break;
- }
- }
- }
-
-}
-
-static const ge_precomp Bi[8] = {
-#include "base2.h"
-};
-
-/* 37095705934669439343138083508754565189542113879843219016388785533085940283555 */
-static const fe d = {
-
-10913610,13857413,-15372611,6949391,114729,-8787816,-6275908,-3247719,-18696448,-12055116
-};
-
-/* sqrt(-1) */
-static const fe sqrtm1 = {
- -32595792,-7943725,9377950,3500415,12389472,-272473,-25146209,-2005654,326686,11406482
-};
-
-int ge_frombytes_negate_vartime(ge_p3 *h,const unsigned char *s)
-{
- fe u;
- fe v;
- fe v3;
- fe vxx;
- fe check;
-
- fe_frombytes(h->Y,s);
- fe_1(h->Z);
- fe_sq(u,h->Y);
- fe_mul(v,u,d);
- fe_sub(u,u,h->Z); /* u = y^2-1 */
- fe_add(v,v,h->Z); /* v = dy^2+1 */
-
- fe_sq(v3,v);
- fe_mul(v3,v3,v); /* v3 = v^3 */
- fe_sq(h->X,v3);
- fe_mul(h->X,h->X,v);
- fe_mul(h->X,h->X,u); /* x = uv^7 */
-
- fe_pow22523(h->X,h->X); /* x = (uv^7)^((q-5)/8) */
- fe_mul(h->X,h->X,v3);
- fe_mul(h->X,h->X,u); /* x = uv^3(uv^7)^((q-5)/8) */
-
- fe_sq(vxx,h->X);
- fe_mul(vxx,vxx,v);
- fe_sub(check,vxx,u); /* vx^2-u */
- if (fe_isnonzero(check)) {
- fe_add(check,vxx,u); /* vx^2+u */
- if (fe_isnonzero(check)) return -1;
- fe_mul(h->X,h->X,sqrtm1);
- }
-
- if (fe_isnegative(h->X) == (s[31] >> 7))
- fe_neg(h->X,h->X);
-
- fe_mul(h->T,h->X,h->Y);
- return 0;
-}
-
-/*
-r = p + q
-*/
-
-void ge_madd(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
-{
- fe t0;
-
- fe_add(r->X, p->Y, p->X);
- fe_sub(r->Y, p->Y, p->X);
- fe_mul(r->Z, r->X, q->yplusx);
- fe_mul(r->Y, r->Y, q->yminusx);
- fe_mul(r->T, q->xy2d, p->T);
- fe_add(t0, p->Z, p->Z);
- fe_sub(r->X, r->Z, r->Y);
- fe_add(r->Y, r->Z, r->Y);
- fe_add(r->Z, t0, r->T);
- fe_sub(r->T, t0, r->T);
-}
-
-/*
-r = p - q
-*/
-
-void ge_msub(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
-{
- fe t0;
-
- fe_add(r->X, p->Y, p->X);
- fe_sub(r->Y, p->Y, p->X);
- fe_mul(r->Z, r->X, q->yminusx);
- fe_mul(r->Y, r->Y, q->yplusx);
- fe_mul(r->T, q->xy2d, p->T);
- fe_add(t0, p->Z, p->Z);
- fe_sub(r->X, r->Z, r->Y);
- fe_add(r->Y, r->Z, r->Y);
- fe_sub(r->Z, t0, r->T);
- fe_add(r->T, t0, r->T);
-}
-
-/*
-r = p
-*/
-
-extern void ge_p1p1_to_p2(ge_p2 *r,const ge_p1p1 *p)
-{
- fe_mul(r->X,p->X,p->T);
- fe_mul(r->Y,p->Y,p->Z);
-
fe_mul(r->Z,p->Z,p->T);
-}
-
-/*
-r = p
-*/
-
-extern void ge_p1p1_to_p3(ge_p3 *r,const ge_p1p1 *p)
-{
- fe_mul(r->X,p->X,p->T);
- fe_mul(r->Y,p->Y,p->Z);
- fe_mul(r->Z,p->Z,p->T);
- fe_mul(r->T,p->X,p->Y);
-}
-
-void ge_p2_0(ge_p2 *h)
-{
- fe_0(h->X);
- fe_1(h->Y);
- fe_1(h->Z);
-}
-
-/*
-r = 2 * p
-*/
-
-void ge_p2_dbl(ge_p1p1 *r,const ge_p2 *p)
-{
- fe t0;
-
- fe_sq(r->X, p->X);
- fe_sq(r->Z, p->Y);
- fe_sq2(r->T, p->Z);
- fe_add(r->Y, p->X, p->Y);
- fe_sq(t0, r->Y);
- fe_add(r->Y, r->Z, r->X);
- fe_sub(r->Z, r->Z, r->X);
- fe_sub(r->X, t0, r->Y);
- fe_sub(r->T, r->T, r->Z);
-}
-
-void ge_p3_0(ge_p3 *h)
-{
- fe_0(h->X);
- fe_1(h->Y);
- fe_1(h->Z);
- fe_0(h->T);
-}
-
-/*
-r = p
-*/
-
-/* 2 * d = 16295367250680780974490674513165176452449235426866156013048779062215315747161 */
-static const fe d2 = {
- -21827239,-5839606,-30745221,13898782,229458,15978800,-12551817,-6495438,29715968,9444199
-};
-
-extern void ge_p3_to_cached(ge_cached *r,const ge_p3 *p)
-{
- fe_add(r->YplusX,p->Y,p->X);
- fe_sub(r->YminusX,p->Y,p->X);
- fe_copy(r->Z,p->Z);
- fe_mul(r->T2d,p->T,d2);
-}
-
-/*
-r = p
-*/
-
-extern void ge_p3_to_p2(ge_p2 *r,const ge_p3 *p)
-{
- fe_copy(r->X,p->X);
- fe_copy(r->Y,p->Y);
- fe_copy(r->Z,p->Z);
-}
-
-void ge_p3_tobytes(unsigned char *s,const ge_p3 *h)
-{
- fe recip;
- fe x;
- fe y;
-
- fe_invert(recip,h->Z);
- fe_mul(x,h->X,recip);
- fe_mul(y,h->Y,recip);
- fe_tobytes(s,y);
- s[31] ^= fe_isnegative(x) << 7;
-}
-
-/*
-r = 2 * p
-*/
-
-void ge_p3_dbl(ge_p1p1 *r,const ge_p3 *p)
-{
- ge_p2 q;
- ge_p3_to_p2(&q,p);
- ge_p2_dbl(r,&q);
-}
-
-void ge_precomp_0(ge_precomp *h)
-{
- fe_1(h->yplusx);
- fe_1(h->yminusx);
- fe_0(h->xy2d);
-}
-
-static unsigned char equal(signed char b,signed char c)
-{
- unsigned char ub = b;
- unsigned char uc = c;
- unsigned char x = ub ^ uc; /* 0: yes; 1..255: no */
- uint32_t y = x; /* 0: yes; 1..255: no */
- y -= 1; /* 4294967295: yes; 0..254: no */
- y >>= 31; /* 1: yes; 0: no */
- return y;
-}
-
-static unsigned char
negative(signed char b)
-{
- uint64_t x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */
- x >>= 63; /* 1: yes; 0: no */
- return x;
-}
-
-static void cmov(ge_precomp *t,const ge_precomp *u,unsigned char b)
-{
- fe_cmov(t->yplusx,u->yplusx,b);
- fe_cmov(t->yminusx,u->yminusx,b);
- fe_cmov(t->xy2d,u->xy2d,b);
-}
-
-/* base[i][j] = (j+1)*256^i*B */
-static const ge_precomp base[32][8] = {
-#include "base.h"
-};
-
-static void ge_select(ge_precomp *t,int pos,signed char b)
-{
- ge_precomp minust;
- unsigned char bnegative = negative(b);
- unsigned char babs = b - (((-bnegative) & b) * ((signed char) 1 << 1));
-
- ge_precomp_0(t);
- cmov(t,&base[pos][0],equal(babs,1));
- cmov(t,&base[pos][1],equal(babs,2));
- cmov(t,&base[pos][2],equal(babs,3));
- cmov(t,&base[pos][3],equal(babs,4));
- cmov(t,&base[pos][4],equal(babs,5));
- cmov(t,&base[pos][5],equal(babs,6));
- cmov(t,&base[pos][6],equal(babs,7));
- cmov(t,&base[pos][7],equal(babs,8));
- fe_copy(minust.yplusx,t->yminusx);
- fe_copy(minust.yminusx,t->yplusx);
- fe_neg(minust.xy2d,t->xy2d);
- cmov(t,&minust,bnegative);
-}
-
-/*
-r = p - q
-*/
-
-void ge_sub(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
-{
- fe t0;
-
- fe_add(r->X, p->Y, p->X);
- fe_sub(r->Y, p->Y, p->X);
- fe_mul(r->Z, r->X, q->YminusX);
- fe_mul(r->Y, r->Y, q->YplusX);
- fe_mul(r->T, q->T2d, p->T);
- fe_mul(r->X, p->Z, q->Z);
- fe_add(t0, r->X, r->X);
- fe_sub(r->X, r->Z, r->Y);
- fe_add(r->Y, r->Z, r->Y);
- fe_sub(r->Z, t0, r->T);
- fe_add(r->T, t0, r->T);
-}
-
-void ge_tobytes(unsigned char *s,const ge_p2 *h)
-{
- fe recip;
- fe x;
- fe y;
-
- fe_invert(recip,h->Z);
- fe_mul(x,h->X,recip);
- fe_mul(y,h->Y,recip);
- fe_tobytes(s,y);
- s[31] ^= fe_isnegative(x) << 7;
-}
-
-/*
-h = a * B
-where a = a[0]+256*a[1]+...+256^31 a[31]
-B is the Ed25519 base point (x,4/5) with x positive.
-
-Preconditions:
- a[31] <= 127
-*/
-
-/*
-r = a * A + b * B
-where a = a[0]+256*a[1]+...+256^31 a[31].
-and b = b[0]+256*b[1]+...+256^31 b[31].
-B is the Ed25519 base point (x,4/5) with x positive.
-*/
-
-void ge_double_scalarmult_vartime(ge_p2 *r,const unsigned char *a,const ge_p3 *A,const unsigned char *b)
-{
- signed char aslide[256];
- signed char bslide[256];
- ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
- ge_p1p1 t;
- ge_p3 u;
- ge_p3 A2;
- int i;
-
- slide(aslide,a);
- slide(bslide,b);
-
- ge_p3_to_cached(&Ai[0],A);
- ge_p3_dbl(&t,A); ge_p1p1_to_p3(&A2,&t);
- ge_add(&t,&A2,&Ai[0]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[1],&u);
- ge_add(&t,&A2,&Ai[1]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[2],&u);
- ge_add(&t,&A2,&Ai[2]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[3],&u);
- ge_add(&t,&A2,&Ai[3]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[4],&u);
- ge_add(&t,&A2,&Ai[4]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[5],&u);
- ge_add(&t,&A2,&Ai[5]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[6],&u);
- ge_add(&t,&A2,&Ai[6]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[7],&u);
-
- ge_p2_0(r);
-
- for (i = 255;i >= 0;--i) {
- if (aslide[i] || bslide[i]) break;
- }
-
- for (;i >= 0;--i) {
- ge_p2_dbl(&t,r);
-
- if (aslide[i] > 0) {
- ge_p1p1_to_p3(&u,&t);
- ge_add(&t,&u,&Ai[aslide[i]/2]);
- } else if (aslide[i] < 0) {
- ge_p1p1_to_p3(&u,&t);
- ge_sub(&t,&u,&Ai[(-aslide[i])/2]);
- }
-
- if (bslide[i] > 0) {
- ge_p1p1_to_p3(&u,&t);
- ge_madd(&t,&u,&Bi[bslide[i]/2]);
- } else if (bslide[i] < 0) {
- ge_p1p1_to_p3(&u,&t);
- ge_msub(&t,&u,&Bi[(-bslide[i])/2]);
- }
-
- ge_p1p1_to_p2(r,&t);
- }
-}
-
-void ge_scalarmult_vartime(ge_p3 *r,const unsigned char *a,const ge_p3 *A)
-{
- signed char aslide[256];
- ge_cached Ai[8];
- ge_p1p1 t;
- ge_p3 u;
- ge_p3 A2;
- int i;
-
- slide(aslide,a);
-
- ge_p3_to_cached(&Ai[0],A);
- ge_p3_dbl(&t,A); ge_p1p1_to_p3(&A2,&t);
- ge_add(&t,&A2,&Ai[0]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[1],&u);
- ge_add(&t,&A2,&Ai[1]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[2],&u);
- ge_add(&t,&A2,&Ai[2]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[3],&u);
- ge_add(&t,&A2,&Ai[3]);
ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[4],&u);
- ge_add(&t,&A2,&Ai[4]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[5],&u);
- ge_add(&t,&A2,&Ai[5]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[6],&u);
- ge_add(&t,&A2,&Ai[6]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[7],&u);
-
- ge_p3_0(r);
-
- for (i = 255;i >= 0;--i) {
- if (aslide[i]) break;
- }
-
- for (;i >= 0;--i) {
- ge_p3_dbl(&t,r);
-
- if (aslide[i] > 0) {
- ge_p1p1_to_p3(&u,&t);
- ge_add(&t,&u,&Ai[aslide[i]/2]);
- } else if (aslide[i] < 0) {
- ge_p1p1_to_p3(&u,&t);
- ge_sub(&t,&u,&Ai[(-aslide[i])/2]);
- }
-
- ge_p1p1_to_p3(r,&t);
- }
-}
-
-void ge_scalarmult_base(ge_p3 *h,const unsigned char *a)
-{
- signed char e[64];
- signed char carry;
- ge_p1p1 r;
- ge_p2 s;
- ge_precomp t;
- int i;
-
- for (i = 0;i < 32;++i) {
- e[2 * i + 0] = (a[i] >> 0) & 15;
- e[2 * i + 1] = (a[i] >> 4) & 15;
- }
- /* each e[i] is between 0 and 15 */
- /* e[63] is between 0 and 7 */
-
- carry = 0;
- for (i = 0;i < 63;++i) {
- e[i] += carry;
- carry = e[i] + 8;
- carry >>= 4;
- e[i] -= carry * ((signed char) 1 << 4);
- }
- e[63] += carry;
- /* each e[i] is between -8 and 8 */
-
- ge_p3_0(h);
- for (i = 1;i < 64;i += 2) {
- ge_select(&t,i / 2,e[i]);
- ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r);
- }
-
- ge_p3_dbl(&r,h); ge_p1p1_to_p2(&s,&r);
- ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
- ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
- ge_p2_dbl(&r,&s); ge_p1p1_to_p3(h,&r);
-
- for (i = 0;i < 64;i += 2) {
- ge_select(&t,i / 2,e[i]);
- ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r);
- }
-}
-
-/*
-Input:
- a[0]+256*a[1]+...+256^31*a[31] = a
- b[0]+256*b[1]+...+256^31*b[31] = b
- c[0]+256*c[1]+...+256^31*c[31] = c
-
-Output:
- s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
- where l = 2^252 + 27742317777372353535851937790883648493.
-*/
-
-void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,const unsigned char *c)
-{
- int64_t a0 = 2097151 & load_3(a);
- int64_t a1 = 2097151 & (load_4(a + 2) >> 5);
- int64_t a2 = 2097151 & (load_3(a + 5) >> 2);
- int64_t a3 = 2097151 & (load_4(a + 7) >> 7);
- int64_t a4 = 2097151 & (load_4(a + 10) >> 4);
- int64_t a5 = 2097151 & (load_3(a + 13) >> 1);
- int64_t a6 = 2097151 & (load_4(a + 15) >> 6);
- int64_t a7 = 2097151 & (load_3(a + 18) >> 3);
- int64_t a8 = 2097151 & load_3(a + 21);
- int64_t a9 = 2097151 & (load_4(a + 23) >> 5);
- int64_t a10 = 2097151 & (load_3(a + 26) >> 2);
- int64_t a11 = (load_4(a + 28) >> 7);
- int64_t b0 = 2097151 & load_3(b);
- int64_t b1 = 2097151 & (load_4(b + 2) >> 5);
- int64_t b2 = 2097151 & (load_3(b + 5) >> 2);
- int64_t b3 = 2097151 & (load_4(b + 7) >> 7);
- int64_t b4 = 2097151 & (load_4(b + 10) >> 4);
- int64_t b5 = 2097151 & (load_3(b + 13) >> 1);
- int64_t b6 = 2097151 & (load_4(b + 15) >> 6);
- int64_t b7 = 2097151 & (load_3(b + 18) >> 3);
- int64_t b8 = 2097151 & load_3(b + 21);
- int64_t b9 = 2097151 & (load_4(b + 23) >> 5);
- int64_t b10 = 2097151 & (load_3(b + 26) >> 2);
- int64_t b11 = (load_4(b + 28) >> 7);
- int64_t c0 = 2097151 & load_3(c);
- int64_t c1 = 2097151 & (load_4(c + 2) >> 5);
- int64_t c2 = 2097151 & (load_3(c + 5) >> 2);
- int64_t c3 = 2097151 & (load_4(c + 7) >> 7);
- int64_t c4 = 2097151 & (load_4(c + 10) >> 4);
- int64_t c5 = 2097151 & (load_3(c + 13) >> 1);
- int64_t c6 = 2097151 & (load_4(c + 15) >> 6);
- int64_t c7 = 2097151 & (load_3(c + 18) >> 3);
- int64_t c8 = 2097151 & load_3(c + 21);
- int64_t c9 = 2097151 & (load_4(c + 23) >> 5);
- int64_t c10 = 2097151 & (load_3(c + 26) >> 2);
- int64_t c11 = (load_4(c + 28) >> 7);
- int64_t s0;
- int64_t s1;
- int64_t s2;
- int64_t s3;
- int64_t s4;
- int64_t s5;
- int64_t s6;
- int64_t s7;
- int64_t s8;
- int64_t s9;
- int64_t s10;
- int64_t s11;
- int64_t s12;
- int64_t s13;
- int64_t s14;
- int64_t s15;
- int64_t s16;
-
int64_t s17;
- int64_t s18;
- int64_t s19;
- int64_t s20;
- int64_t s21;
- int64_t s22;
- int64_t s23;
- int64_t carry0;
- int64_t carry1;
- int64_t carry2;
- int64_t carry3;
- int64_t carry4;
- int64_t carry5;
- int64_t carry6;
- int64_t carry7;
- int64_t carry8;
- int64_t carry9;
- int64_t carry10;
- int64_t carry11;
- int64_t carry12;
- int64_t carry13;
- int64_t carry14;
- int64_t carry15;
- int64_t carry16;
- int64_t carry17;
- int64_t carry18;
- int64_t carry19;
- int64_t carry20;
- int64_t carry21;
- int64_t carry22;
-
- s0 = c0 + a0*b0;
- s1 = c1 + a0*b1 + a1*b0;
- s2 = c2 + a0*b2 + a1*b1 + a2*b0;
- s3 = c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0;
- s4 = c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0;
- s5 = c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0;
- s6 = c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0;
- s7 = c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0;
- s8 = c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0;
- s9 = c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0;
- s10 = c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0;
- s11 = c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0;
- s12 = a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1;
- s13 = a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2;
- s14 = a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3;
- s15 = a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4;
- s16 = a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5;
- s17 = a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6;
- s18 = a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7;
- s19 = a8*b11 + a9*b10 + a10*b9 + a11*b8;
- s20 = a9*b11 + a10*b10 + a11*b9;
- s21 = a10*b11 + a11*b10;
- s22 = a11*b11;
- s23 = 0;
-
- carry0 = (s0 + (int64_t) (1L << 20)) >>
21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21);
- carry2 = (s2 + (int64_t) (1L << 20)) >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21);
- carry4 = (s4 + (int64_t) (1L << 20)) >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21);
- carry6 = (s6 + (int64_t) (1L << 20)) >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21);
- carry8 = (s8 + (int64_t) (1L << 20)) >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21);
- carry10 = (s10 + (int64_t) (1L << 20)) >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21);
- carry12 = (s12 + (int64_t) (1L << 20)) >> 21; s13 += carry12; s12 -= carry12 * ((uint64_t) 1L << 21);
- carry14 = (s14 + (int64_t) (1L << 20)) >> 21; s15 += carry14; s14 -= carry14 * ((uint64_t) 1L << 21);
- carry16 = (s16 + (int64_t) (1L << 20)) >> 21; s17 += carry16; s16 -= carry16 * ((uint64_t) 1L << 21);
- carry18 = (s18 + (int64_t) (1L << 20)) >> 21; s19 += carry18; s18 -= carry18 * ((uint64_t) 1L << 21);
- carry20 = (s20 + (int64_t) (1L << 20)) >> 21; s21 += carry20; s20 -= carry20 * ((uint64_t) 1L << 21);
- carry22 = (s22 + (int64_t) (1L << 20)) >> 21; s23 += carry22; s22 -= carry22 * ((uint64_t) 1L << 21);
-
- carry1 = (s1 + (int64_t) (1L << 20)) >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21);
- carry3 = (s3 + (int64_t) (1L << 20)) >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21);
- carry5 = (s5 + (int64_t) (1L << 20)) >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21);
- carry7 = (s7 + (int64_t) (1L << 20)) >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21);
- carry9 = (s9 + (int64_t) (1L << 20)) >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21);
- carry11 = (s11 + (int64_t) (1L << 20)) >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21);
- carry13 = (s13 + (int64_t) (1L << 20)) >> 21; s14 += carry13; s13 -= carry13 * ((uint64_t) 1L << 21);
- carry15 = (s15 + (int64_t) (1L << 20)) >> 21; s16 += carry15; s15 -= carry15 * ((uint64_t) 1L << 21);
- carry17 = (s17 +
(int64_t) (1L << 20)) >> 21; s18 += carry17; s17 -= carry17 * ((uint64_t) 1L << 21);
- carry19 = (s19 + (int64_t) (1L << 20)) >> 21; s20 += carry19; s19 -= carry19 * ((uint64_t) 1L << 21);
- carry21 = (s21 + (int64_t) (1L << 20)) >> 21; s22 += carry21; s21 -= carry21 * ((uint64_t) 1L << 21);
-
- s11 += s23 * 666643;
- s12 += s23 * 470296;
- s13 += s23 * 654183;
- s14 -= s23 * 997805;
- s15 += s23 * 136657;
- s16 -= s23 * 683901;
-
- s10 += s22 * 666643;
- s11 += s22 * 470296;
- s12 += s22 * 654183;
- s13 -= s22 * 997805;
- s14 += s22 * 136657;
- s15 -= s22 * 683901;
-
- s9 += s21 * 666643;
- s10 += s21 * 470296;
- s11 += s21 * 654183;
- s12 -= s21 * 997805;
- s13 += s21 * 136657;
- s14 -= s21 * 683901;
-
- s8 += s20 * 666643;
- s9 += s20 * 470296;
- s10 += s20 * 654183;
- s11 -= s20 * 997805;
- s12 += s20 * 136657;
- s13 -= s20 * 683901;
-
- s7 += s19 * 666643;
- s8 += s19 * 470296;
- s9 += s19 * 654183;
- s10 -= s19 * 997805;
- s11 += s19 * 136657;
- s12 -= s19 * 683901;
-
- s6 += s18 * 666643;
- s7 += s18 * 470296;
- s8 += s18 * 654183;
- s9 -= s18 * 997805;
- s10 += s18 * 136657;
- s11 -= s18 * 683901;
-
- carry6 = (s6 + (int64_t) (1L << 20)) >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21);
- carry8 = (s8 + (int64_t) (1L << 20)) >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21);
- carry10 = (s10 + (int64_t) (1L << 20)) >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21);
- carry12 = (s12 + (int64_t) (1L << 20)) >> 21; s13 += carry12; s12 -= carry12 * ((uint64_t) 1L << 21);
- carry14 = (s14 + (int64_t) (1L << 20)) >> 21; s15 += carry14; s14 -= carry14 * ((uint64_t) 1L << 21);
- carry16 = (s16 + (int64_t) (1L << 20)) >> 21; s17 += carry16; s16 -= carry16 * ((uint64_t) 1L << 21);
-
- carry7 = (s7 + (int64_t) (1L << 20)) >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21);
- carry9 = (s9 + (int64_t) (1L << 20)) >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21);
- carry11 = (s11 + (int64_t) (1L << 20)) >> 21; s12 += carry11;
s11 -= carry11 * ((uint64_t) 1L << 21);
- carry13 = (s13 + (int64_t) (1L << 20)) >> 21; s14 += carry13; s13 -= carry13 * ((uint64_t) 1L << 21);
- carry15 = (s15 + (int64_t) (1L << 20)) >> 21; s16 += carry15; s15 -= carry15 * ((uint64_t) 1L << 21);
-
- s5 += s17 * 666643;
- s6 += s17 * 470296;
- s7 += s17 * 654183;
- s8 -= s17 * 997805;
- s9 += s17 * 136657;
- s10 -= s17 * 683901;
-
- s4 += s16 * 666643;
- s5 += s16 * 470296;
- s6 += s16 * 654183;
- s7 -= s16 * 997805;
- s8 += s16 * 136657;
- s9 -= s16 * 683901;
-
- s3 += s15 * 666643;
- s4 += s15 * 470296;
- s5 += s15 * 654183;
- s6 -= s15 * 997805;
- s7 += s15 * 136657;
- s8 -= s15 * 683901;
-
- s2 += s14 * 666643;
- s3 += s14 * 470296;
- s4 += s14 * 654183;
- s5 -= s14 * 997805;
- s6 += s14 * 136657;
- s7 -= s14 * 683901;
-
- s1 += s13 * 666643;
- s2 += s13 * 470296;
- s3 += s13 * 654183;
- s4 -= s13 * 997805;
- s5 += s13 * 136657;
- s6 -= s13 * 683901;
-
- s0 += s12 * 666643;
- s1 += s12 * 470296;
- s2 += s12 * 654183;
- s3 -= s12 * 997805;
- s4 += s12 * 136657;
- s5 -= s12 * 683901;
- s12 = 0;
-
- carry0 = (s0 + (int64_t) (1L << 20)) >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21);
- carry2 = (s2 + (int64_t) (1L << 20)) >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21);
- carry4 = (s4 + (int64_t) (1L << 20)) >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21);
- carry6 = (s6 + (int64_t) (1L << 20)) >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21);
- carry8 = (s8 + (int64_t) (1L << 20)) >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21);
- carry10 = (s10 + (int64_t) (1L << 20)) >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21);
-
- carry1 = (s1 + (int64_t) (1L << 20)) >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21);
- carry3 = (s3 + (int64_t) (1L << 20)) >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21);
- carry5 = (s5 + (int64_t) (1L << 20)) >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21);
- carry7 = (s7 + (int64_t) (1L << 20)) >>
21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21);
- carry9 = (s9 + (int64_t) (1L << 20)) >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21);
- carry11 = (s11 + (int64_t) (1L << 20)) >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21);
-
- s0 += s12 * 666643;
- s1 += s12 * 470296;
- s2 += s12 * 654183;
- s3 -= s12 * 997805;
- s4 += s12 * 136657;
- s5 -= s12 * 683901;
- s12 = 0;
-
- carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21);
- carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21);
- carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21);
- carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21);
- carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21);
- carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21);
- carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21);
- carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21);
- carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21);
- carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21);
- carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21);
- carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21);
-
- s0 += s12 * 666643;
- s1 += s12 * 470296;
- s2 += s12 * 654183;
- s3 -= s12 * 997805;
- s4 += s12 * 136657;
- s5 -= s12 * 683901;
-
- carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21);
- carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21);
- carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21);
- carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21);
- carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21);
- carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21);
- carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21);
- carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 *
((uint64_t) 1L << 21);
- carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21);
- carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21);
- carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21);
-
- s[0] = s0 >> 0;
- s[1] = s0 >> 8;
- s[2] = (s0 >> 16) | (s1 * ((uint64_t) 1 << 5));
- s[3] = s1 >> 3;
- s[4] = s1 >> 11;
- s[5] = (s1 >> 19) | (s2 * ((uint64_t) 1 << 2));
- s[6] = s2 >> 6;
- s[7] = (s2 >> 14) | (s3 * ((uint64_t) 1 << 7));
- s[8] = s3 >> 1;
- s[9] = s3 >> 9;
- s[10] = (s3 >> 17) | (s4 * ((uint64_t) 1 << 4));
- s[11] = s4 >> 4;
- s[12] = s4 >> 12;
- s[13] = (s4 >> 20) | (s5 * ((uint64_t) 1 << 1));
- s[14] = s5 >> 7;
- s[15] = (s5 >> 15) | (s6 * ((uint64_t) 1 << 6));
- s[16] = s6 >> 2;
- s[17] = s6 >> 10;
- s[18] = (s6 >> 18) | (s7 * ((uint64_t) 1 << 3));
- s[19] = s7 >> 5;
- s[20] = s7 >> 13;
- s[21] = s8 >> 0;
- s[22] = s8 >> 8;
- s[23] = (s8 >> 16) | (s9 * ((uint64_t) 1 << 5));
- s[24] = s9 >> 3;
- s[25] = s9 >> 11;
- s[26] = (s9 >> 19) | (s10 * ((uint64_t) 1 << 2));
- s[27] = s10 >> 6;
- s[28] = (s10 >> 14) | (s11 * ((uint64_t) 1 << 7));
- s[29] = s11 >> 1;
- s[30] = s11 >> 9;
- s[31] = s11 >> 17;
-}
-
-/*
-Input:
- s[0]+256*s[1]+...+256^63*s[63] = s
-
-Output:
- s[0]+256*s[1]+...+256^31*s[31] = s mod l
- where l = 2^252 + 27742317777372353535851937790883648493.
- Overwrites s in place.
-*/
-
-void sc_reduce(unsigned char *s)
-{
- int64_t s0 = 2097151 & load_3(s);
- int64_t s1 = 2097151 & (load_4(s + 2) >> 5);
- int64_t s2 = 2097151 & (load_3(s + 5) >> 2);
- int64_t s3 = 2097151 & (load_4(s + 7) >> 7);
- int64_t s4 = 2097151 & (load_4(s + 10) >> 4);
- int64_t s5 = 2097151 & (load_3(s + 13) >> 1);
- int64_t s6 = 2097151 & (load_4(s + 15) >> 6);
- int64_t s7 = 2097151 & (load_3(s + 18) >> 3);
- int64_t s8 = 2097151 & load_3(s + 21);
- int64_t s9 = 2097151 & (load_4(s + 23) >> 5);
- int64_t s10 = 2097151 & (load_3(s + 26) >> 2);
- int64_t s11 = 2097151 & (load_4(s + 28) >> 7);
- int64_t s12 = 2097151 & (load_4(s + 31) >> 4);
- int64_t s13 = 2097151 & (load_3(s + 34) >> 1);
- int64_t s14 = 2097151 & (load_4(s + 36) >> 6);
- int64_t s15 = 2097151 & (load_3(s + 39) >> 3);
- int64_t s16 = 2097151 & load_3(s + 42);
- int64_t s17 = 2097151 & (load_4(s + 44) >> 5);
- int64_t s18 = 2097151 & (load_3(s + 47) >> 2);
- int64_t s19 = 2097151 & (load_4(s + 49) >> 7);
- int64_t s20 = 2097151 & (load_4(s + 52) >> 4);
- int64_t s21 = 2097151 & (load_3(s + 55) >> 1);
- int64_t s22 = 2097151 & (load_4(s + 57) >> 6);
- int64_t s23 = (load_4(s + 60) >> 3);
- int64_t carry0;
- int64_t carry1;
- int64_t carry2;
- int64_t carry3;
- int64_t carry4;
- int64_t carry5;
- int64_t carry6;
- int64_t carry7;
- int64_t carry8;
- int64_t carry9;
- int64_t carry10;
- int64_t carry11;
- int64_t carry12;
- int64_t carry13;
- int64_t carry14;
- int64_t carry15;
- int64_t carry16;
-
- s11 += s23 * 666643;
- s12 += s23 * 470296;
- s13 += s23 * 654183;
- s14 -= s23 * 997805;
- s15 += s23 * 136657;
- s16 -= s23 * 683901;
-
- s10 += s22 * 666643;
- s11 += s22 * 470296;
- s12 += s22 * 654183;
- s13 -= s22 * 997805;
- s14 += s22 * 136657;
- s15 -= s22 * 683901;
-
- s9 += s21 * 666643;
- s10 += s21 * 470296;
- s11 += s21 * 654183;
- s12 -= s21 * 997805;
- s13 += s21 * 136657;
- s14 -= s21 * 683901;
-
- s8 += s20 * 666643;
- s9 += s20 * 470296;
- s10 += s20 * 654183;
- s11 -= s20 * 997805;
- s12
+= s20 * 136657;
- s13 -= s20 * 683901;
-
- s7 += s19 * 666643;
- s8 += s19 * 470296;
- s9 += s19 * 654183;
- s10 -= s19 * 997805;
- s11 += s19 * 136657;
- s12 -= s19 * 683901;
-
- s6 += s18 * 666643;
- s7 += s18 * 470296;
- s8 += s18 * 654183;
- s9 -= s18 * 997805;
- s10 += s18 * 136657;
- s11 -= s18 * 683901;
-
- carry6 = (s6 + (int64_t) (1L << 20)) >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21);
- carry8 = (s8 + (int64_t) (1L << 20)) >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21);
- carry10 = (s10 + (int64_t) (1L << 20)) >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21);
- carry12 = (s12 + (int64_t) (1L << 20)) >> 21; s13 += carry12; s12 -= carry12 * ((uint64_t) 1L << 21);
- carry14 = (s14 + (int64_t) (1L << 20)) >> 21; s15 += carry14; s14 -= carry14 * ((uint64_t) 1L << 21);
- carry16 = (s16 + (int64_t) (1L << 20)) >> 21; s17 += carry16; s16 -= carry16 * ((uint64_t) 1L << 21);
-
- carry7 = (s7 + (int64_t) (1L << 20)) >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21);
- carry9 = (s9 + (int64_t) (1L << 20)) >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21);
- carry11 = (s11 + (int64_t) (1L << 20)) >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21);
- carry13 = (s13 + (int64_t) (1L << 20)) >> 21; s14 += carry13; s13 -= carry13 * ((uint64_t) 1L << 21);
- carry15 = (s15 + (int64_t) (1L << 20)) >> 21; s16 += carry15; s15 -= carry15 * ((uint64_t) 1L << 21);
-
- s5 += s17 * 666643;
- s6 += s17 * 470296;
- s7 += s17 * 654183;
- s8 -= s17 * 997805;
- s9 += s17 * 136657;
- s10 -= s17 * 683901;
-
- s4 += s16 * 666643;
- s5 += s16 * 470296;
- s6 += s16 * 654183;
- s7 -= s16 * 997805;
- s8 += s16 * 136657;
- s9 -= s16 * 683901;
-
- s3 += s15 * 666643;
- s4 += s15 * 470296;
- s5 += s15 * 654183;
- s6 -= s15 * 997805;
- s7 += s15 * 136657;
- s8 -= s15 * 683901;
-
- s2 += s14 * 666643;
- s3 += s14 * 470296;
- s4 += s14 * 654183;
- s5 -= s14 * 997805;
- s6 += s14 * 136657;
- s7 -= s14 * 683901;
-
- s1 += s13 * 666643;
- s2 += s13 * 470296; - s3 += s13 * 654183; - s4 -= s13 * 997805; - s5 += s13 * 136657; - s6 -= s13 * 683901; - - s0 += s12 * 666643; - s1 += s12 * 470296; - s2 += s12 * 654183; - s3 -= s12 * 997805; - s4 += s12 * 136657; - s5 -= s12 * 683901; - s12 = 0; - - carry0 = (s0 + (int64_t) (1L << 20)) >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21); - carry2 = (s2 + (int64_t) (1L << 20)) >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21); - carry4 = (s4 + (int64_t) (1L << 20)) >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21); - carry6 = (s6 + (int64_t) (1L << 20)) >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21); - carry8 = (s8 + (int64_t) (1L << 20)) >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21); - carry10 = (s10 + (int64_t) (1L << 20)) >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21); - - carry1 = (s1 + (int64_t) (1L << 20)) >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21); - carry3 = (s3 + (int64_t) (1L << 20)) >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21); - carry5 = (s5 + (int64_t) (1L << 20)) >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21); - carry7 = (s7 + (int64_t) (1L << 20)) >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21); - carry9 = (s9 + (int64_t) (1L << 20)) >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21); - carry11 = (s11 + (int64_t) (1L << 20)) >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21); - - s0 += s12 * 666643; - s1 += s12 * 470296; - s2 += s12 * 654183; - s3 -= s12 * 997805; - s4 += s12 * 136657; - s5 -= s12 * 683901; - s12 = 0; - - carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21); - carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21); - carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21); - carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21); - carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21); - carry5 = s5 >> 21; s6 += carry5; s5 
-= carry5 * ((uint64_t) 1L << 21); - carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21); - carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21); - carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21); - carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21); - carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21); - carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21); - - s0 += s12 * 666643; - s1 += s12 * 470296; - s2 += s12 * 654183; - s3 -= s12 * 997805; - s4 += s12 * 136657; - s5 -= s12 * 683901; - - carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21); - carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21); - carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21); - carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21); - carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21); - carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21); - carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21); - carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21); - carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21); - carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21); - carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21); - - s[0] = s0 >> 0; - s[1] = s0 >> 8; - s[2] = (s0 >> 16) | (s1 * ((uint64_t) 1 << 5)); - s[3] = s1 >> 3; - s[4] = s1 >> 11; - s[5] = (s1 >> 19) | (s2 * ((uint64_t) 1 << 2)); - s[6] = s2 >> 6; - s[7] = (s2 >> 14) | (s3 * ((uint64_t) 1 << 7)); - s[8] = s3 >> 1; - s[9] = s3 >> 9; - s[10] = (s3 >> 17) | (s4 * ((uint64_t) 1 << 4)); - s[11] = s4 >> 4; - s[12] = s4 >> 12; - s[13] = (s4 >> 20) | (s5 * ((uint64_t) 1 << 1)); - s[14] = s5 >> 7; - s[15] = (s5 >> 15) | (s6 * ((uint64_t) 1 << 6)); - s[16] = s6 >> 2; - s[17] = s6 >> 10; - s[18] = (s6 >> 18) | (s7 * 
((uint64_t) 1 << 3)); - s[19] = s7 >> 5; - s[20] = s7 >> 13; - s[21] = s8 >> 0; - s[22] = s8 >> 8; - s[23] = (s8 >> 16) | (s9 * ((uint64_t) 1 << 5)); - s[24] = s9 >> 3; - s[25] = s9 >> 11; - s[26] = (s9 >> 19) | (s10 * ((uint64_t) 1 << 2)); - s[27] = s10 >> 6; - s[28] = (s10 >> 14) | (s11 * ((uint64_t) 1 << 7)); - s[29] = s11 >> 1; - s[30] = s11 >> 9; - s[31] = s11 >> 17; -} +#include +#include +#include +#include "crypto_verify_32.h" +#include "private/curve25519_ref10.h" + +static uint64_t load_3(const unsigned char *in) +{ + uint64_t result; + result = (uint64_t) in[0]; + result |= ((uint64_t) in[1]) << 8; + result |= ((uint64_t) in[2]) << 16; + + return result; +} + +static uint64_t load_4(const unsigned char *in) +{ + uint64_t result; + result = (uint64_t) in[0]; + result |= ((uint64_t) in[1]) << 8; + result |= ((uint64_t) in[2]) << 16; + result |= ((uint64_t) in[3]) << 24; + + return result; +} + +/* + h = 0 + */ + +void fe_0(fe h) +{ + memset(&h[0], 0, 10 * sizeof h[0]); +} + +/* + h = 1 + */ + +void fe_1(fe h) +{ + h[0] = 1; + h[1] = 0; + memset(&h[2], 0, 8 * sizeof h[0]); +} + +/* + h = f + g + Can overlap h with f or g. + * + Preconditions: + |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + * + Postconditions: + |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. 
+ */ + +void fe_add(fe h,const fe f,const fe g) +{ + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t g0 = g[0]; + int32_t g1 = g[1]; + int32_t g2 = g[2]; + int32_t g3 = g[3]; + int32_t g4 = g[4]; + int32_t g5 = g[5]; + int32_t g6 = g[6]; + int32_t g7 = g[7]; + int32_t g8 = g[8]; + int32_t g9 = g[9]; + int32_t h0 = f0 + g0; + int32_t h1 = f1 + g1; + int32_t h2 = f2 + g2; + int32_t h3 = f3 + g3; + int32_t h4 = f4 + g4; + int32_t h5 = f5 + g5; + int32_t h6 = f6 + g6; + int32_t h7 = f7 + g7; + int32_t h8 = f8 + g8; + int32_t h9 = f9 + g9; + h[0] = h0; + h[1] = h1; + h[2] = h2; + h[3] = h3; + h[4] = h4; + h[5] = h5; + h[6] = h6; + h[7] = h7; + h[8] = h8; + h[9] = h9; +} + +/* + Replace (f,g) with (g,g) if b == 1; + replace (f,g) with (f,g) if b == 0. + * + Preconditions: b in {0,1}. + */ + +void fe_cmov(fe f,const fe g,unsigned int b) +{ + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t g0 = g[0]; + int32_t g1 = g[1]; + int32_t g2 = g[2]; + int32_t g3 = g[3]; + int32_t g4 = g[4]; + int32_t g5 = g[5]; + int32_t g6 = g[6]; + int32_t g7 = g[7]; + int32_t g8 = g[8]; + int32_t g9 = g[9]; + int32_t x0 = f0 ^ g0; + int32_t x1 = f1 ^ g1; + int32_t x2 = f2 ^ g2; + int32_t x3 = f3 ^ g3; + int32_t x4 = f4 ^ g4; + int32_t x5 = f5 ^ g5; + int32_t x6 = f6 ^ g6; + int32_t x7 = f7 ^ g7; + int32_t x8 = f8 ^ g8; + int32_t x9 = f9 ^ g9; + b = (unsigned int) (- (int) b); + x0 &= b; + x1 &= b; + x2 &= b; + x3 &= b; + x4 &= b; + x5 &= b; + x6 &= b; + x7 &= b; + x8 &= b; + x9 &= b; + f[0] = f0 ^ x0; + f[1] = f1 ^ x1; + f[2] = f2 ^ x2; + f[3] = f3 ^ x3; + f[4] = f4 ^ x4; + f[5] = f5 ^ x5; + f[6] = f6 ^ x6; + f[7] = f7 ^ x7; + f[8] = f8 ^ x8; + f[9] = f9 ^ x9; 
+} + +/* + h = f + */ + +void fe_copy(fe h,const fe f) +{ + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + h[0] = f0; + h[1] = f1; + h[2] = f2; + h[3] = f3; + h[4] = f4; + h[5] = f5; + h[6] = f6; + h[7] = f7; + h[8] = f8; + h[9] = f9; +} + +/* + Ignores top bit of h. + */ + +void fe_frombytes(fe h,const unsigned char *s) +{ + int64_t h0 = load_4(s); + int64_t h1 = load_3(s + 4) << 6; + int64_t h2 = load_3(s + 7) << 5; + int64_t h3 = load_3(s + 10) << 3; + int64_t h4 = load_3(s + 13) << 2; + int64_t h5 = load_4(s + 16); + int64_t h6 = load_3(s + 20) << 7; + int64_t h7 = load_3(s + 23) << 5; + int64_t h8 = load_3(s + 26) << 4; + int64_t h9 = (load_3(s + 29) & 8388607) << 2; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + + carry9 = (h9 + (int64_t) (1L << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 * ((uint64_t) 1L << 25); + carry1 = (h1 + (int64_t) (1L << 24)) >> 25; h2 += carry1; h1 -= carry1 * ((uint64_t) 1L << 25); + carry3 = (h3 + (int64_t) (1L << 24)) >> 25; h4 += carry3; h3 -= carry3 * ((uint64_t) 1L << 25); + carry5 = (h5 + (int64_t) (1L << 24)) >> 25; h6 += carry5; h5 -= carry5 * ((uint64_t) 1L << 25); + carry7 = (h7 + (int64_t) (1L << 24)) >> 25; h8 += carry7; h7 -= carry7 * ((uint64_t) 1L << 25); + + carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26); + carry2 = (h2 + (int64_t) (1L << 25)) >> 26; h3 += carry2; h2 -= carry2 * ((uint64_t) 1L << 26); + carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * ((uint64_t) 1L << 26); + carry6 = (h6 + (int64_t) (1L << 25)) >> 26; h7 += carry6; h6 -= carry6 * ((uint64_t) 1L << 26); + carry8 = (h8 + (int64_t) (1L << 25)) >> 26; h9 += carry8; h8 -= carry8 * 
((uint64_t) 1L << 26); + + h[0] = (int32_t) h0; + h[1] = (int32_t) h1; + h[2] = (int32_t) h2; + h[3] = (int32_t) h3; + h[4] = (int32_t) h4; + h[5] = (int32_t) h5; + h[6] = (int32_t) h6; + h[7] = (int32_t) h7; + h[8] = (int32_t) h8; + h[9] = (int32_t) h9; +} + +/* + Preconditions: + |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. + * + Write p=2^255-19; q=floor(h/p). + Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))). + * + Proof: + Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4. + Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4. + * + Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9). + Then 0> 25; + q = (h0 + q) >> 26; + q = (h1 + q) >> 25; + q = (h2 + q) >> 26; + q = (h3 + q) >> 25; + q = (h4 + q) >> 26; + q = (h5 + q) >> 25; + q = (h6 + q) >> 26; + q = (h7 + q) >> 25; + q = (h8 + q) >> 26; + q = (h9 + q) >> 25; + + /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */ + h0 += 19 * q; + /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */ + + carry0 = h0 >> 26; h1 += carry0; h0 -= carry0 * ((uint32_t) 1L << 26); + carry1 = h1 >> 25; h2 += carry1; h1 -= carry1 * ((uint32_t) 1L << 25); + carry2 = h2 >> 26; h3 += carry2; h2 -= carry2 * ((uint32_t) 1L << 26); + carry3 = h3 >> 25; h4 += carry3; h3 -= carry3 * ((uint32_t) 1L << 25); + carry4 = h4 >> 26; h5 += carry4; h4 -= carry4 * ((uint32_t) 1L << 26); + carry5 = h5 >> 25; h6 += carry5; h5 -= carry5 * ((uint32_t) 1L << 25); + carry6 = h6 >> 26; h7 += carry6; h6 -= carry6 * ((uint32_t) 1L << 26); + carry7 = h7 >> 25; h8 += carry7; h7 -= carry7 * ((uint32_t) 1L << 25); + carry8 = h8 >> 26; h9 += carry8; h8 -= carry8 * ((uint32_t) 1L << 26); + carry9 = h9 >> 25; h9 -= carry9 * ((uint32_t) 1L << 25); + /* h10 = carry9 */ + + /* + Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20. + Have h0+...+2^230 h9 between 0 and 2^255-1; + evidently 2^255 h10-2^255 q = 0. + Goal: Output h0+...+2^230 h9. 
+ */ + + s[0] = h0 >> 0; + s[1] = h0 >> 8; + s[2] = h0 >> 16; + s[3] = (h0 >> 24) | (h1 * ((uint32_t) 1 << 2)); + s[4] = h1 >> 6; + s[5] = h1 >> 14; + s[6] = (h1 >> 22) | (h2 * ((uint32_t) 1 << 3)); + s[7] = h2 >> 5; + s[8] = h2 >> 13; + s[9] = (h2 >> 21) | (h3 * ((uint32_t) 1 << 5)); + s[10] = h3 >> 3; + s[11] = h3 >> 11; + s[12] = (h3 >> 19) | (h4 * ((uint32_t) 1 << 6)); + s[13] = h4 >> 2; + s[14] = h4 >> 10; + s[15] = h4 >> 18; + s[16] = h5 >> 0; + s[17] = h5 >> 8; + s[18] = h5 >> 16; + s[19] = (h5 >> 24) | (h6 * ((uint32_t) 1 << 1)); + s[20] = h6 >> 7; + s[21] = h6 >> 15; + s[22] = (h6 >> 23) | (h7 * ((uint32_t) 1 << 3)); + s[23] = h7 >> 5; + s[24] = h7 >> 13; + s[25] = (h7 >> 21) | (h8 * ((uint32_t) 1 << 4)); + s[26] = h8 >> 4; + s[27] = h8 >> 12; + s[28] = (h8 >> 20) | (h9 * ((uint32_t) 1 << 6)); + s[29] = h9 >> 2; + s[30] = h9 >> 10; + s[31] = h9 >> 18; +} + +/* + return 1 if f is in {1,3,5,...,q-2} + return 0 if f is in {0,2,4,...,q-1} + * + Preconditions: + |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. + */ + +int fe_isnegative(const fe f) +{ + unsigned char s[32]; + fe_tobytes(s,f); + + return s[0] & 1; +} + +/* + return 1 if f == 0 + return 0 if f != 0 + * + Preconditions: + |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. + */ + +static unsigned char zero[32]; + +int fe_isnonzero(const fe f) +{ + unsigned char s[32]; + fe_tobytes(s,f); + + return crypto_verify_32(s,zero); +} + +/* + h = f * g + Can overlap h with f or g. + * + Preconditions: + |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + * + Postconditions: + |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. + */ + +/* + Notes on implementation strategy: + * + Using schoolbook multiplication. + Karatsuba would save a little in some cost models. + * + Most multiplications by 2 and 19 are 32-bit precomputations; + cheaper than 64-bit postcomputations. 
+ * + There is one remaining multiplication by 19 in the carry chain; + one *19 precomputation can be merged into this, + but the resulting data flow is considerably less clean. + * + There are 12 carries below. + 10 of them are 2-way parallelizable and vectorizable. + Can get away with 11 carries, but then data flow is much deeper. + * + With tighter constraints on inputs can squeeze carries into int32. + */ + +void fe_mul(fe h,const fe f,const fe g) +{ + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t g0 = g[0]; + int32_t g1 = g[1]; + int32_t g2 = g[2]; + int32_t g3 = g[3]; + int32_t g4 = g[4]; + int32_t g5 = g[5]; + int32_t g6 = g[6]; + int32_t g7 = g[7]; + int32_t g8 = g[8]; + int32_t g9 = g[9]; + int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */ + int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */ + int32_t g3_19 = 19 * g3; + int32_t g4_19 = 19 * g4; + int32_t g5_19 = 19 * g5; + int32_t g6_19 = 19 * g6; + int32_t g7_19 = 19 * g7; + int32_t g8_19 = 19 * g8; + int32_t g9_19 = 19 * g9; + int32_t f1_2 = 2 * f1; + int32_t f3_2 = 2 * f3; + int32_t f5_2 = 2 * f5; + int32_t f7_2 = 2 * f7; + int32_t f9_2 = 2 * f9; + int64_t f0g0 = f0 * (int64_t) g0; + int64_t f0g1 = f0 * (int64_t) g1; + int64_t f0g2 = f0 * (int64_t) g2; + int64_t f0g3 = f0 * (int64_t) g3; + int64_t f0g4 = f0 * (int64_t) g4; + int64_t f0g5 = f0 * (int64_t) g5; + int64_t f0g6 = f0 * (int64_t) g6; + int64_t f0g7 = f0 * (int64_t) g7; + int64_t f0g8 = f0 * (int64_t) g8; + int64_t f0g9 = f0 * (int64_t) g9; + int64_t f1g0 = f1 * (int64_t) g0; + int64_t f1g1_2 = f1_2 * (int64_t) g1; + int64_t f1g2 = f1 * (int64_t) g2; + int64_t f1g3_2 = f1_2 * (int64_t) g3; + int64_t f1g4 = f1 * (int64_t) g4; + int64_t f1g5_2 = f1_2 * (int64_t) g5; + int64_t f1g6 = f1 * (int64_t) g6; + int64_t f1g7_2 = f1_2 * (int64_t) g7; + int64_t f1g8 = f1 * (int64_t) g8; + 
int64_t f1g9_38 = f1_2 * (int64_t) g9_19; + int64_t f2g0 = f2 * (int64_t) g0; + int64_t f2g1 = f2 * (int64_t) g1; + int64_t f2g2 = f2 * (int64_t) g2; + int64_t f2g3 = f2 * (int64_t) g3; + int64_t f2g4 = f2 * (int64_t) g4; + int64_t f2g5 = f2 * (int64_t) g5; + int64_t f2g6 = f2 * (int64_t) g6; + int64_t f2g7 = f2 * (int64_t) g7; + int64_t f2g8_19 = f2 * (int64_t) g8_19; + int64_t f2g9_19 = f2 * (int64_t) g9_19; + int64_t f3g0 = f3 * (int64_t) g0; + int64_t f3g1_2 = f3_2 * (int64_t) g1; + int64_t f3g2 = f3 * (int64_t) g2; + int64_t f3g3_2 = f3_2 * (int64_t) g3; + int64_t f3g4 = f3 * (int64_t) g4; + int64_t f3g5_2 = f3_2 * (int64_t) g5; + int64_t f3g6 = f3 * (int64_t) g6; + int64_t f3g7_38 = f3_2 * (int64_t) g7_19; + int64_t f3g8_19 = f3 * (int64_t) g8_19; + int64_t f3g9_38 = f3_2 * (int64_t) g9_19; + int64_t f4g0 = f4 * (int64_t) g0; + int64_t f4g1 = f4 * (int64_t) g1; + int64_t f4g2 = f4 * (int64_t) g2; + int64_t f4g3 = f4 * (int64_t) g3; + int64_t f4g4 = f4 * (int64_t) g4; + int64_t f4g5 = f4 * (int64_t) g5; + int64_t f4g6_19 = f4 * (int64_t) g6_19; + int64_t f4g7_19 = f4 * (int64_t) g7_19; + int64_t f4g8_19 = f4 * (int64_t) g8_19; + int64_t f4g9_19 = f4 * (int64_t) g9_19; + int64_t f5g0 = f5 * (int64_t) g0; + int64_t f5g1_2 = f5_2 * (int64_t) g1; + int64_t f5g2 = f5 * (int64_t) g2; + int64_t f5g3_2 = f5_2 * (int64_t) g3; + int64_t f5g4 = f5 * (int64_t) g4; + int64_t f5g5_38 = f5_2 * (int64_t) g5_19; + int64_t f5g6_19 = f5 * (int64_t) g6_19; + int64_t f5g7_38 = f5_2 * (int64_t) g7_19; + int64_t f5g8_19 = f5 * (int64_t) g8_19; + int64_t f5g9_38 = f5_2 * (int64_t) g9_19; + int64_t f6g0 = f6 * (int64_t) g0; + int64_t f6g1 = f6 * (int64_t) g1; + int64_t f6g2 = f6 * (int64_t) g2; + int64_t f6g3 = f6 * (int64_t) g3; + int64_t f6g4_19 = f6 * (int64_t) g4_19; + int64_t f6g5_19 = f6 * (int64_t) g5_19; + int64_t f6g6_19 = f6 * (int64_t) g6_19; + int64_t f6g7_19 = f6 * (int64_t) g7_19; + int64_t f6g8_19 = f6 * (int64_t) g8_19; + int64_t f6g9_19 = f6 * (int64_t) g9_19; + 
int64_t f7g0 = f7 * (int64_t) g0; + int64_t f7g1_2 = f7_2 * (int64_t) g1; + int64_t f7g2 = f7 * (int64_t) g2; + int64_t f7g3_38 = f7_2 * (int64_t) g3_19; + int64_t f7g4_19 = f7 * (int64_t) g4_19; + int64_t f7g5_38 = f7_2 * (int64_t) g5_19; + int64_t f7g6_19 = f7 * (int64_t) g6_19; + int64_t f7g7_38 = f7_2 * (int64_t) g7_19; + int64_t f7g8_19 = f7 * (int64_t) g8_19; + int64_t f7g9_38 = f7_2 * (int64_t) g9_19; + int64_t f8g0 = f8 * (int64_t) g0; + int64_t f8g1 = f8 * (int64_t) g1; + int64_t f8g2_19 = f8 * (int64_t) g2_19; + int64_t f8g3_19 = f8 * (int64_t) g3_19; + int64_t f8g4_19 = f8 * (int64_t) g4_19; + int64_t f8g5_19 = f8 * (int64_t) g5_19; + int64_t f8g6_19 = f8 * (int64_t) g6_19; + int64_t f8g7_19 = f8 * (int64_t) g7_19; + int64_t f8g8_19 = f8 * (int64_t) g8_19; + int64_t f8g9_19 = f8 * (int64_t) g9_19; + int64_t f9g0 = f9 * (int64_t) g0; + int64_t f9g1_38 = f9_2 * (int64_t) g1_19; + int64_t f9g2_19 = f9 * (int64_t) g2_19; + int64_t f9g3_38 = f9_2 * (int64_t) g3_19; + int64_t f9g4_19 = f9 * (int64_t) g4_19; + int64_t f9g5_38 = f9_2 * (int64_t) g5_19; + int64_t f9g6_19 = f9 * (int64_t) g6_19; + int64_t f9g7_38 = f9_2 * (int64_t) g7_19; + int64_t f9g8_19 = f9 * (int64_t) g8_19; + int64_t f9g9_38 = f9_2 * (int64_t) g9_19; + int64_t h0 = f0g0+f1g9_38+f2g8_19+f3g7_38+f4g6_19+f5g5_38+f6g4_19+f7g3_38+f8g2_19+f9g1_38; + int64_t h1 = f0g1+f1g0 +f2g9_19+f3g8_19+f4g7_19+f5g6_19+f6g5_19+f7g4_19+f8g3_19+f9g2_19; + int64_t h2 = f0g2+f1g1_2 +f2g0 +f3g9_38+f4g8_19+f5g7_38+f6g6_19+f7g5_38+f8g4_19+f9g3_38; + int64_t h3 = f0g3+f1g2 +f2g1 +f3g0 +f4g9_19+f5g8_19+f6g7_19+f7g6_19+f8g5_19+f9g4_19; + int64_t h4 = f0g4+f1g3_2 +f2g2 +f3g1_2 +f4g0 +f5g9_38+f6g8_19+f7g7_38+f8g6_19+f9g5_38; + int64_t h5 = f0g5+f1g4 +f2g3 +f3g2 +f4g1 +f5g0 +f6g9_19+f7g8_19+f8g7_19+f9g6_19; + int64_t h6 = f0g6+f1g5_2 +f2g4 +f3g3_2 +f4g2 +f5g1_2 +f6g0 +f7g9_38+f8g8_19+f9g7_38; + int64_t h7 = f0g7+f1g6 +f2g5 +f3g4 +f4g3 +f5g2 +f6g1 +f7g0 +f8g9_19+f9g8_19; + int64_t h8 = f0g8+f1g7_2 +f2g6 +f3g5_2 +f4g4 +f5g3_2 
+f6g2 +f7g1_2 +f8g0 +f9g9_38; + int64_t h9 = f0g9+f1g8 +f2g7 +f3g6 +f4g5 +f5g4 +f6g3 +f7g2 +f8g1 +f9g0 ; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + + /* + |h0| <= (1.65*1.65*2^52*(1+19+19+19+19)+1.65*1.65*2^50*(38+38+38+38+38)) + i.e. |h0| <= 1.4*2^60; narrower ranges for h2, h4, h6, h8 + |h1| <= (1.65*1.65*2^51*(1+1+19+19+19+19+19+19+19+19)) + i.e. |h1| <= 1.7*2^59; narrower ranges for h3, h5, h7, h9 + */ + + carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26); + carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * ((uint64_t) 1L << 26); + /* |h0| <= 2^25 */ + /* |h4| <= 2^25 */ + /* |h1| <= 1.71*2^59 */ + /* |h5| <= 1.71*2^59 */ + + carry1 = (h1 + (int64_t) (1L << 24)) >> 25; h2 += carry1; h1 -= carry1 * ((uint64_t) 1L << 25); + carry5 = (h5 + (int64_t) (1L << 24)) >> 25; h6 += carry5; h5 -= carry5 * ((uint64_t) 1L << 25); + /* |h1| <= 2^24; from now on fits into int32 */ + /* |h5| <= 2^24; from now on fits into int32 */ + /* |h2| <= 1.41*2^60 */ + /* |h6| <= 1.41*2^60 */ + + carry2 = (h2 + (int64_t) (1L << 25)) >> 26; h3 += carry2; h2 -= carry2 * ((uint64_t) 1L << 26); + carry6 = (h6 + (int64_t) (1L << 25)) >> 26; h7 += carry6; h6 -= carry6 * ((uint64_t) 1L << 26); + /* |h2| <= 2^25; from now on fits into int32 unchanged */ + /* |h6| <= 2^25; from now on fits into int32 unchanged */ + /* |h3| <= 1.71*2^59 */ + /* |h7| <= 1.71*2^59 */ + + carry3 = (h3 + (int64_t) (1L << 24)) >> 25; h4 += carry3; h3 -= carry3 * ((uint64_t) 1L << 25); + carry7 = (h7 + (int64_t) (1L << 24)) >> 25; h8 += carry7; h7 -= carry7 * ((uint64_t) 1L << 25); + /* |h3| <= 2^24; from now on fits into int32 unchanged */ + /* |h7| <= 2^24; from now on fits into int32 unchanged */ + /* |h4| <= 1.72*2^34 */ + /* |h8| <= 1.41*2^60 */ + + carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= 
carry4 * ((uint64_t) 1L << 26); + carry8 = (h8 + (int64_t) (1L << 25)) >> 26; h9 += carry8; h8 -= carry8 * ((uint64_t) 1L << 26); + /* |h4| <= 2^25; from now on fits into int32 unchanged */ + /* |h8| <= 2^25; from now on fits into int32 unchanged */ + /* |h5| <= 1.01*2^24 */ + /* |h9| <= 1.71*2^59 */ + + carry9 = (h9 + (int64_t) (1L << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 * ((uint64_t) 1L << 25); + /* |h9| <= 2^24; from now on fits into int32 unchanged */ + /* |h0| <= 1.1*2^39 */ + + carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26); + /* |h0| <= 2^25; from now on fits into int32 unchanged */ + /* |h1| <= 1.01*2^24 */ + + h[0] = (int32_t) h0; + h[1] = (int32_t) h1; + h[2] = (int32_t) h2; + h[3] = (int32_t) h3; + h[4] = (int32_t) h4; + h[5] = (int32_t) h5; + h[6] = (int32_t) h6; + h[7] = (int32_t) h7; + h[8] = (int32_t) h8; + h[9] = (int32_t) h9; +} + +/* + h = -f + * + Preconditions: + |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + * + Postconditions: + |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + */ + +void fe_neg(fe h,const fe f) +{ + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t h0 = -f0; + int32_t h1 = -f1; + int32_t h2 = -f2; + int32_t h3 = -f3; + int32_t h4 = -f4; + int32_t h5 = -f5; + int32_t h6 = -f6; + int32_t h7 = -f7; + int32_t h8 = -f8; + int32_t h9 = -f9; + h[0] = h0; + h[1] = h1; + h[2] = h2; + h[3] = h3; + h[4] = h4; + h[5] = h5; + h[6] = h6; + h[7] = h7; + h[8] = h8; + h[9] = h9; +} + +/* + h = f * f + Can overlap h with f. + * + Preconditions: + |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + * + Postconditions: + |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. + */ + +/* + See fe_mul.c for discussion of implementation strategy. 
+ */ + +void fe_sq(fe h,const fe f) +{ + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t f0_2 = 2 * f0; + int32_t f1_2 = 2 * f1; + int32_t f2_2 = 2 * f2; + int32_t f3_2 = 2 * f3; + int32_t f4_2 = 2 * f4; + int32_t f5_2 = 2 * f5; + int32_t f6_2 = 2 * f6; + int32_t f7_2 = 2 * f7; + int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */ + int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */ + int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */ + int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */ + int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */ + int64_t f0f0 = f0 * (int64_t) f0; + int64_t f0f1_2 = f0_2 * (int64_t) f1; + int64_t f0f2_2 = f0_2 * (int64_t) f2; + int64_t f0f3_2 = f0_2 * (int64_t) f3; + int64_t f0f4_2 = f0_2 * (int64_t) f4; + int64_t f0f5_2 = f0_2 * (int64_t) f5; + int64_t f0f6_2 = f0_2 * (int64_t) f6; + int64_t f0f7_2 = f0_2 * (int64_t) f7; + int64_t f0f8_2 = f0_2 * (int64_t) f8; + int64_t f0f9_2 = f0_2 * (int64_t) f9; + int64_t f1f1_2 = f1_2 * (int64_t) f1; + int64_t f1f2_2 = f1_2 * (int64_t) f2; + int64_t f1f3_4 = f1_2 * (int64_t) f3_2; + int64_t f1f4_2 = f1_2 * (int64_t) f4; + int64_t f1f5_4 = f1_2 * (int64_t) f5_2; + int64_t f1f6_2 = f1_2 * (int64_t) f6; + int64_t f1f7_4 = f1_2 * (int64_t) f7_2; + int64_t f1f8_2 = f1_2 * (int64_t) f8; + int64_t f1f9_76 = f1_2 * (int64_t) f9_38; + int64_t f2f2 = f2 * (int64_t) f2; + int64_t f2f3_2 = f2_2 * (int64_t) f3; + int64_t f2f4_2 = f2_2 * (int64_t) f4; + int64_t f2f5_2 = f2_2 * (int64_t) f5; + int64_t f2f6_2 = f2_2 * (int64_t) f6; + int64_t f2f7_2 = f2_2 * (int64_t) f7; + int64_t f2f8_38 = f2_2 * (int64_t) f8_19; + int64_t f2f9_38 = f2 * (int64_t) f9_38; + int64_t f3f3_2 = f3_2 * (int64_t) f3; + int64_t f3f4_2 = f3_2 * (int64_t) f4; + int64_t f3f5_4 = f3_2 * (int64_t) f5_2; + int64_t f3f6_2 = f3_2 * (int64_t) f6; + int64_t f3f7_76 = f3_2 * (int64_t) f7_38; + int64_t f3f8_38 = 
f3_2 * (int64_t) f8_19; + int64_t f3f9_76 = f3_2 * (int64_t) f9_38; + int64_t f4f4 = f4 * (int64_t) f4; + int64_t f4f5_2 = f4_2 * (int64_t) f5; + int64_t f4f6_38 = f4_2 * (int64_t) f6_19; + int64_t f4f7_38 = f4 * (int64_t) f7_38; + int64_t f4f8_38 = f4_2 * (int64_t) f8_19; + int64_t f4f9_38 = f4 * (int64_t) f9_38; + int64_t f5f5_38 = f5 * (int64_t) f5_38; + int64_t f5f6_38 = f5_2 * (int64_t) f6_19; + int64_t f5f7_76 = f5_2 * (int64_t) f7_38; + int64_t f5f8_38 = f5_2 * (int64_t) f8_19; + int64_t f5f9_76 = f5_2 * (int64_t) f9_38; + int64_t f6f6_19 = f6 * (int64_t) f6_19; + int64_t f6f7_38 = f6 * (int64_t) f7_38; + int64_t f6f8_38 = f6_2 * (int64_t) f8_19; + int64_t f6f9_38 = f6 * (int64_t) f9_38; + int64_t f7f7_38 = f7 * (int64_t) f7_38; + int64_t f7f8_38 = f7_2 * (int64_t) f8_19; + int64_t f7f9_76 = f7_2 * (int64_t) f9_38; + int64_t f8f8_19 = f8 * (int64_t) f8_19; + int64_t f8f9_38 = f8 * (int64_t) f9_38; + int64_t f9f9_38 = f9 * (int64_t) f9_38; + int64_t h0 = f0f0 +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38; + int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38; + int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19; + int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38; + int64_t h4 = f0f4_2+f1f3_4 +f2f2 +f5f9_76+f6f8_38+f7f7_38; + int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38; + int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19; + int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38; + int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4 +f9f9_38; + int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + + carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26); + carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * ((uint64_t) 1L << 26); + + carry1 = (h1 + (int64_t) (1L << 24)) >> 25; h2 += carry1; h1 -= carry1 * 
((uint64_t) 1L << 25); + carry5 = (h5 + (int64_t) (1L << 24)) >> 25; h6 += carry5; h5 -= carry5 * ((uint64_t) 1L << 25); + + carry2 = (h2 + (int64_t) (1L << 25)) >> 26; h3 += carry2; h2 -= carry2 * ((uint64_t) 1L << 26); + carry6 = (h6 + (int64_t) (1L << 25)) >> 26; h7 += carry6; h6 -= carry6 * ((uint64_t) 1L << 26); + + carry3 = (h3 + (int64_t) (1L << 24)) >> 25; h4 += carry3; h3 -= carry3 * ((uint64_t) 1L << 25); + carry7 = (h7 + (int64_t) (1L << 24)) >> 25; h8 += carry7; h7 -= carry7 * ((uint64_t) 1L << 25); + + carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * ((uint64_t) 1L << 26); + carry8 = (h8 + (int64_t) (1L << 25)) >> 26; h9 += carry8; h8 -= carry8 * ((uint64_t) 1L << 26); + + carry9 = (h9 + (int64_t) (1L << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 * ((uint64_t) 1L << 25); + + carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26); + + h[0] = (int32_t) h0; + h[1] = (int32_t) h1; + h[2] = (int32_t) h2; + h[3] = (int32_t) h3; + h[4] = (int32_t) h4; + h[5] = (int32_t) h5; + h[6] = (int32_t) h6; + h[7] = (int32_t) h7; + h[8] = (int32_t) h8; + h[9] = (int32_t) h9; +} + +/* + h = 2 * f * f + Can overlap h with f. + * + Preconditions: + |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + * + Postconditions: + |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. + */ + +/* + See fe_mul.c for discussion of implementation strategy. 
+ */ + +void fe_sq2(fe h,const fe f) +{ + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t f0_2 = 2 * f0; + int32_t f1_2 = 2 * f1; + int32_t f2_2 = 2 * f2; + int32_t f3_2 = 2 * f3; + int32_t f4_2 = 2 * f4; + int32_t f5_2 = 2 * f5; + int32_t f6_2 = 2 * f6; + int32_t f7_2 = 2 * f7; + int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */ + int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */ + int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */ + int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */ + int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */ + int64_t f0f0 = f0 * (int64_t) f0; + int64_t f0f1_2 = f0_2 * (int64_t) f1; + int64_t f0f2_2 = f0_2 * (int64_t) f2; + int64_t f0f3_2 = f0_2 * (int64_t) f3; + int64_t f0f4_2 = f0_2 * (int64_t) f4; + int64_t f0f5_2 = f0_2 * (int64_t) f5; + int64_t f0f6_2 = f0_2 * (int64_t) f6; + int64_t f0f7_2 = f0_2 * (int64_t) f7; + int64_t f0f8_2 = f0_2 * (int64_t) f8; + int64_t f0f9_2 = f0_2 * (int64_t) f9; + int64_t f1f1_2 = f1_2 * (int64_t) f1; + int64_t f1f2_2 = f1_2 * (int64_t) f2; + int64_t f1f3_4 = f1_2 * (int64_t) f3_2; + int64_t f1f4_2 = f1_2 * (int64_t) f4; + int64_t f1f5_4 = f1_2 * (int64_t) f5_2; + int64_t f1f6_2 = f1_2 * (int64_t) f6; + int64_t f1f7_4 = f1_2 * (int64_t) f7_2; + int64_t f1f8_2 = f1_2 * (int64_t) f8; + int64_t f1f9_76 = f1_2 * (int64_t) f9_38; + int64_t f2f2 = f2 * (int64_t) f2; + int64_t f2f3_2 = f2_2 * (int64_t) f3; + int64_t f2f4_2 = f2_2 * (int64_t) f4; + int64_t f2f5_2 = f2_2 * (int64_t) f5; + int64_t f2f6_2 = f2_2 * (int64_t) f6; + int64_t f2f7_2 = f2_2 * (int64_t) f7; + int64_t f2f8_38 = f2_2 * (int64_t) f8_19; + int64_t f2f9_38 = f2 * (int64_t) f9_38; + int64_t f3f3_2 = f3_2 * (int64_t) f3; + int64_t f3f4_2 = f3_2 * (int64_t) f4; + int64_t f3f5_4 = f3_2 * (int64_t) f5_2; + int64_t f3f6_2 = f3_2 * (int64_t) f6; + int64_t f3f7_76 = f3_2 * (int64_t) f7_38; + int64_t f3f8_38 = 
f3_2 * (int64_t) f8_19; + int64_t f3f9_76 = f3_2 * (int64_t) f9_38; + int64_t f4f4 = f4 * (int64_t) f4; + int64_t f4f5_2 = f4_2 * (int64_t) f5; + int64_t f4f6_38 = f4_2 * (int64_t) f6_19; + int64_t f4f7_38 = f4 * (int64_t) f7_38; + int64_t f4f8_38 = f4_2 * (int64_t) f8_19; + int64_t f4f9_38 = f4 * (int64_t) f9_38; + int64_t f5f5_38 = f5 * (int64_t) f5_38; + int64_t f5f6_38 = f5_2 * (int64_t) f6_19; + int64_t f5f7_76 = f5_2 * (int64_t) f7_38; + int64_t f5f8_38 = f5_2 * (int64_t) f8_19; + int64_t f5f9_76 = f5_2 * (int64_t) f9_38; + int64_t f6f6_19 = f6 * (int64_t) f6_19; + int64_t f6f7_38 = f6 * (int64_t) f7_38; + int64_t f6f8_38 = f6_2 * (int64_t) f8_19; + int64_t f6f9_38 = f6 * (int64_t) f9_38; + int64_t f7f7_38 = f7 * (int64_t) f7_38; + int64_t f7f8_38 = f7_2 * (int64_t) f8_19; + int64_t f7f9_76 = f7_2 * (int64_t) f9_38; + int64_t f8f8_19 = f8 * (int64_t) f8_19; + int64_t f8f9_38 = f8 * (int64_t) f9_38; + int64_t f9f9_38 = f9 * (int64_t) f9_38; + int64_t h0 = f0f0 +f1f9_76+f2f8_38+f3f7_76+f4f6_38+f5f5_38; + int64_t h1 = f0f1_2+f2f9_38+f3f8_38+f4f7_38+f5f6_38; + int64_t h2 = f0f2_2+f1f1_2 +f3f9_76+f4f8_38+f5f7_76+f6f6_19; + int64_t h3 = f0f3_2+f1f2_2 +f4f9_38+f5f8_38+f6f7_38; + int64_t h4 = f0f4_2+f1f3_4 +f2f2 +f5f9_76+f6f8_38+f7f7_38; + int64_t h5 = f0f5_2+f1f4_2 +f2f3_2 +f6f9_38+f7f8_38; + int64_t h6 = f0f6_2+f1f5_4 +f2f4_2 +f3f3_2 +f7f9_76+f8f8_19; + int64_t h7 = f0f7_2+f1f6_2 +f2f5_2 +f3f4_2 +f8f9_38; + int64_t h8 = f0f8_2+f1f7_4 +f2f6_2 +f3f5_4 +f4f4 +f9f9_38; + int64_t h9 = f0f9_2+f1f8_2 +f2f7_2 +f3f6_2 +f4f5_2; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + + h0 += h0; + h1 += h1; + h2 += h2; + h3 += h3; + h4 += h4; + h5 += h5; + h6 += h6; + h7 += h7; + h8 += h8; + h9 += h9; + + carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26); + carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += 
carry4; h4 -= carry4 * ((uint64_t) 1L << 26); + + carry1 = (h1 + (int64_t) (1L << 24)) >> 25; h2 += carry1; h1 -= carry1 * ((uint64_t) 1L << 25); + carry5 = (h5 + (int64_t) (1L << 24)) >> 25; h6 += carry5; h5 -= carry5 * ((uint64_t) 1L << 25); + + carry2 = (h2 + (int64_t) (1L << 25)) >> 26; h3 += carry2; h2 -= carry2 * ((uint64_t) 1L << 26); + carry6 = (h6 + (int64_t) (1L << 25)) >> 26; h7 += carry6; h6 -= carry6 * ((uint64_t) 1L << 26); + + carry3 = (h3 + (int64_t) (1L << 24)) >> 25; h4 += carry3; h3 -= carry3 * ((uint64_t) 1L << 25); + carry7 = (h7 + (int64_t) (1L << 24)) >> 25; h8 += carry7; h7 -= carry7 * ((uint64_t) 1L << 25); + + carry4 = (h4 + (int64_t) (1L << 25)) >> 26; h5 += carry4; h4 -= carry4 * ((uint64_t) 1L << 26); + carry8 = (h8 + (int64_t) (1L << 25)) >> 26; h9 += carry8; h8 -= carry8 * ((uint64_t) 1L << 26); + + carry9 = (h9 + (int64_t) (1L << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 * ((uint64_t) 1L << 25); + + carry0 = (h0 + (int64_t) (1L << 25)) >> 26; h1 += carry0; h0 -= carry0 * ((uint64_t) 1L << 26); + + h[0] = (int32_t) h0; + h[1] = (int32_t) h1; + h[2] = (int32_t) h2; + h[3] = (int32_t) h3; + h[4] = (int32_t) h4; + h[5] = (int32_t) h5; + h[6] = (int32_t) h6; + h[7] = (int32_t) h7; + h[8] = (int32_t) h8; + h[9] = (int32_t) h9; +} + +void fe_invert(fe out,const fe z) +{ + fe t0; + fe t1; + fe t2; + fe t3; + int i; + + fe_sq(t0, z); + fe_sq(t1, t0); + fe_sq(t1, t1); + fe_mul(t1, z, t1); + fe_mul(t0, t0, t1); + fe_sq(t2, t0); + fe_mul(t1, t1, t2); + fe_sq(t2, t1); + for (i = 1; i < 5; ++i) { + fe_sq(t2, t2); + } + fe_mul(t1, t2, t1); + fe_sq(t2, t1); + for (i = 1; i < 10; ++i) { + fe_sq(t2, t2); + } + fe_mul(t2, t2, t1); + fe_sq(t3, t2); + for (i = 1; i < 20; ++i) { + fe_sq(t3, t3); + } + fe_mul(t2, t3, t2); + fe_sq(t2, t2); + for (i = 1; i < 10; ++i) { + fe_sq(t2, t2); + } + fe_mul(t1, t2, t1); + fe_sq(t2, t1); + for (i = 1; i < 50; ++i) { + fe_sq(t2, t2); + } + fe_mul(t2, t2, t1); + fe_sq(t3, t2); + for (i = 1; i < 100; ++i) { + fe_sq(t3, 
t3); + } + fe_mul(t2, t3, t2); + fe_sq(t2, t2); + for (i = 1; i < 50; ++i) { + fe_sq(t2, t2); + } + fe_mul(t1, t2, t1); + fe_sq(t1, t1); + for (i = 1; i < 5; ++i) { + fe_sq(t1, t1); + } + fe_mul(out, t1, t0); +} + +void fe_pow22523(fe out,const fe z) +{ + fe t0; + fe t1; + fe t2; + int i; + + fe_sq(t0, z); + fe_sq(t1, t0); + fe_sq(t1, t1); + fe_mul(t1, z, t1); + fe_mul(t0, t0, t1); + fe_sq(t0, t0); + fe_mul(t0, t1, t0); + fe_sq(t1, t0); + for (i = 1; i < 5; ++i) { + fe_sq(t1, t1); + } + fe_mul(t0, t1, t0); + fe_sq(t1, t0); + for (i = 1; i < 10; ++i) { + fe_sq(t1, t1); + } + fe_mul(t1, t1, t0); + fe_sq(t2, t1); + for (i = 1; i < 20; ++i) { + fe_sq(t2, t2); + } + fe_mul(t1, t2, t1); + fe_sq(t1, t1); + for (i = 1; i < 10; ++i) { + fe_sq(t1, t1); + } + fe_mul(t0, t1, t0); + fe_sq(t1, t0); + for (i = 1; i < 50; ++i) { + fe_sq(t1, t1); + } + fe_mul(t1, t1, t0); + fe_sq(t2, t1); + for (i = 1; i < 100; ++i) { + fe_sq(t2, t2); + } + fe_mul(t1, t2, t1); + fe_sq(t1, t1); + for (i = 1; i < 50; ++i) { + fe_sq(t1, t1); + } + fe_mul(t0, t1, t0); + fe_sq(t0, t0); + fe_sq(t0, t0); + fe_mul(out, t0, z); +} + +/* + h = f - g + Can overlap h with f or g. + * + Preconditions: + |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + * + Postconditions: + |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. 
+ */
+
+void fe_sub(fe h,const fe f,const fe g)
+{
+ int32_t f0 = f[0];
+ int32_t f1 = f[1];
+ int32_t f2 = f[2];
+ int32_t f3 = f[3];
+ int32_t f4 = f[4];
+ int32_t f5 = f[5];
+ int32_t f6 = f[6];
+ int32_t f7 = f[7];
+ int32_t f8 = f[8];
+ int32_t f9 = f[9];
+ int32_t g0 = g[0];
+ int32_t g1 = g[1];
+ int32_t g2 = g[2];
+ int32_t g3 = g[3];
+ int32_t g4 = g[4];
+ int32_t g5 = g[5];
+ int32_t g6 = g[6];
+ int32_t g7 = g[7];
+ int32_t g8 = g[8];
+ int32_t g9 = g[9];
+ int32_t h0 = f0 - g0;
+ int32_t h1 = f1 - g1;
+ int32_t h2 = f2 - g2;
+ int32_t h3 = f3 - g3;
+ int32_t h4 = f4 - g4;
+ int32_t h5 = f5 - g5;
+ int32_t h6 = f6 - g6;
+ int32_t h7 = f7 - g7;
+ int32_t h8 = f8 - g8;
+ int32_t h9 = f9 - g9;
+ h[0] = h0;
+ h[1] = h1;
+ h[2] = h2;
+ h[3] = h3;
+ h[4] = h4;
+ h[5] = h5;
+ h[6] = h6;
+ h[7] = h7;
+ h[8] = h8;
+ h[9] = h9;
+}
+
+/*
+ r = p + q
+ */
+
+void ge_add(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
+{
+ fe t0;
+
+ fe_add(r->X, p->Y, p->X);
+ fe_sub(r->Y, p->Y, p->X);
+ fe_mul(r->Z, r->X, q->YplusX);
+ fe_mul(r->Y, r->Y, q->YminusX);
+ fe_mul(r->T, q->T2d, p->T);
+ fe_mul(r->X, p->Z, q->Z);
+ fe_add(t0, r->X, r->X);
+ fe_sub(r->X, r->Z, r->Y);
+ fe_add(r->Y, r->Z, r->Y);
+ fe_add(r->Z, t0, r->T);
+ fe_sub(r->T, t0, r->T);
+}
+
+static void slide(signed char *r,const unsigned char *a)
+{
+ int i;
+ int b;
+ int k;
+
+ for (i = 0;i < 256;++i)
+ r[i] = 1 & (a[i >> 3] >> (i & 7));
+
+ for (i = 0;i < 256;++i)
+ if (r[i]) {
+ for (b = 1;b <= 6 && i + b < 256;++b) {
+ if (r[i + b]) {
+ if (r[i] + (r[i + b] << b) <= 15) {
+ r[i] += r[i + b] << b; r[i + b] = 0;
+ } else if (r[i] - (r[i + b] << b) >= -15) {
+ r[i] -= r[i + b] << b;
+ for (k = i + b;k < 256;++k) {
+ if (!r[k]) {
+ r[k] = 1;
+ break;
+ }
+ r[k] = 0;
+ }
+ } else
+ break;
+ }
+ }
+ }
+
+}
+
+static const ge_precomp Bi[8] = {
+#include "base2.h"
+};
+
+/* 37095705934669439343138083508754565189542113879843219016388785533085940283555 */
+static const fe d = {
+ -10913610,13857413,-15372611,6949391,114729,-8787816,-6275908,-3247719,-18696448,-12055116
+};
+
+/* sqrt(-1) */
+static const fe sqrtm1 = {
+ -32595792,-7943725,9377950,3500415,12389472,-272473,-25146209,-2005654,326686,11406482
+};
+
+int ge_frombytes_negate_vartime(ge_p3 *h,const unsigned char *s)
+{
+ fe u;
+ fe v;
+ fe v3;
+ fe vxx;
+ fe check;
+
+ fe_frombytes(h->Y,s);
+ fe_1(h->Z);
+ fe_sq(u,h->Y);
+ fe_mul(v,u,d);
+ fe_sub(u,u,h->Z); /* u = y^2-1 */
+ fe_add(v,v,h->Z); /* v = dy^2+1 */
+
+ fe_sq(v3,v);
+ fe_mul(v3,v3,v); /* v3 = v^3 */
+ fe_sq(h->X,v3);
+ fe_mul(h->X,h->X,v);
+ fe_mul(h->X,h->X,u); /* x = uv^7 */
+
+ fe_pow22523(h->X,h->X); /* x = (uv^7)^((q-5)/8) */
+ fe_mul(h->X,h->X,v3);
+ fe_mul(h->X,h->X,u); /* x = uv^3(uv^7)^((q-5)/8) */
+
+ fe_sq(vxx,h->X);
+ fe_mul(vxx,vxx,v);
+ fe_sub(check,vxx,u); /* vx^2-u */
+ if (fe_isnonzero(check)) {
+ fe_add(check,vxx,u); /* vx^2+u */
+ if (fe_isnonzero(check)) {
+ return -1;
+ }
+ fe_mul(h->X,h->X,sqrtm1);
+ }
+
+ if (fe_isnegative(h->X) == (s[31] >> 7)) {
+ fe_neg(h->X,h->X);
+ }
+ fe_mul(h->T,h->X,h->Y);
+
+ return 0;
+}
+
+/*
+ r = p + q
+ */
+
+void ge_madd(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
+{
+ fe t0;
+
+ fe_add(r->X, p->Y, p->X);
+ fe_sub(r->Y, p->Y, p->X);
+ fe_mul(r->Z, r->X, q->yplusx);
+ fe_mul(r->Y, r->Y, q->yminusx);
+ fe_mul(r->T, q->xy2d, p->T);
+ fe_add(t0, p->Z, p->Z);
+ fe_sub(r->X, r->Z, r->Y);
+ fe_add(r->Y, r->Z, r->Y);
+ fe_add(r->Z, t0, r->T);
+ fe_sub(r->T, t0, r->T);
+}
+
+/*
+ r = p - q
+ */
+
+void ge_msub(ge_p1p1 *r,const ge_p3 *p,const ge_precomp *q)
+{
+ fe t0;
+
+ fe_add(r->X, p->Y, p->X);
+ fe_sub(r->Y, p->Y, p->X);
+ fe_mul(r->Z, r->X, q->yminusx);
+ fe_mul(r->Y, r->Y, q->yplusx);
+ fe_mul(r->T, q->xy2d, p->T);
+ fe_add(t0, p->Z, p->Z);
+ fe_sub(r->X, r->Z, r->Y);
+ fe_add(r->Y, r->Z, r->Y);
+ fe_sub(r->Z, t0, r->T);
+ fe_add(r->T, t0, r->T);
+}
+
+/*
+ r = p
+ */
+
+extern void ge_p1p1_to_p2(ge_p2 *r,const ge_p1p1 *p)
+{
+ fe_mul(r->X,p->X,p->T);
+ fe_mul(r->Y,p->Y,p->Z);
+ fe_mul(r->Z,p->Z,p->T);
+}
+
+/*
+ r = p
+ */
+
+extern void ge_p1p1_to_p3(ge_p3 *r,const ge_p1p1 *p)
+{
+ fe_mul(r->X,p->X,p->T);
+ fe_mul(r->Y,p->Y,p->Z);
+ fe_mul(r->Z,p->Z,p->T);
+ fe_mul(r->T,p->X,p->Y);
+}
+
+void ge_p2_0(ge_p2 *h)
+{
+ fe_0(h->X);
+ fe_1(h->Y);
+ fe_1(h->Z);
+}
+
+/*
+ r = 2 * p
+ */
+
+void ge_p2_dbl(ge_p1p1 *r,const ge_p2 *p)
+{
+ fe t0;
+
+ fe_sq(r->X, p->X);
+ fe_sq(r->Z, p->Y);
+ fe_sq2(r->T, p->Z);
+ fe_add(r->Y, p->X, p->Y);
+ fe_sq(t0, r->Y);
+ fe_add(r->Y, r->Z, r->X);
+ fe_sub(r->Z, r->Z, r->X);
+ fe_sub(r->X, t0, r->Y);
+ fe_sub(r->T, r->T, r->Z);
+}
+
+void ge_p3_0(ge_p3 *h)
+{
+ fe_0(h->X);
+ fe_1(h->Y);
+ fe_1(h->Z);
+ fe_0(h->T);
+}
+
+/*
+ r = p
+ */
+
+/* 2 * d = 16295367250680780974490674513165176452449235426866156013048779062215315747161 */
+static const fe d2 = {
+ -21827239,-5839606,-30745221,13898782,229458,15978800,-12551817,-6495438,29715968,9444199
+};
+
+extern void ge_p3_to_cached(ge_cached *r,const ge_p3 *p)
+{
+ fe_add(r->YplusX,p->Y,p->X);
+ fe_sub(r->YminusX,p->Y,p->X);
+ fe_copy(r->Z,p->Z);
+ fe_mul(r->T2d,p->T,d2);
+}
+
+/*
+ r = p
+ */
+
+extern void ge_p3_to_p2(ge_p2 *r,const ge_p3 *p)
+{
+ fe_copy(r->X,p->X);
+ fe_copy(r->Y,p->Y);
+ fe_copy(r->Z,p->Z);
+}
+
+void ge_p3_tobytes(unsigned char *s,const ge_p3 *h)
+{
+ fe recip;
+ fe x;
+ fe y;
+
+ fe_invert(recip,h->Z);
+ fe_mul(x,h->X,recip);
+ fe_mul(y,h->Y,recip);
+ fe_tobytes(s,y);
+ s[31] ^= fe_isnegative(x) << 7;
+}
+
+/*
+ r = 2 * p
+ */
+
+void ge_p3_dbl(ge_p1p1 *r,const ge_p3 *p)
+{
+ ge_p2 q;
+ ge_p3_to_p2(&q,p);
+ ge_p2_dbl(r,&q);
+}
+
+void ge_precomp_0(ge_precomp *h)
+{
+ fe_1(h->yplusx);
+ fe_1(h->yminusx);
+ fe_0(h->xy2d);
+}
+
+static unsigned char equal(signed char b,signed char c)
+{
+ unsigned char ub = b;
+ unsigned char uc = c;
+ unsigned char x = ub ^ uc; /* 0: yes; 1..255: no */
+ uint32_t y = x; /* 0: yes; 1..255: no */
+ y -= 1; /* 4294967295: yes; 0..254: no */
+ y >>= 31; /* 1: yes; 0: no */
+
+ return y;
+}
+
+static unsigned char negative(signed char b)
+{
+ uint64_t x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */
+ x >>= 63; /* 1: yes; 0: no */
+
+ return x;
+}
+
+static void cmov(ge_precomp *t,const ge_precomp *u,unsigned char b)
+{
+ fe_cmov(t->yplusx,u->yplusx,b);
+ fe_cmov(t->yminusx,u->yminusx,b);
+ fe_cmov(t->xy2d,u->xy2d,b);
+}
+
+/* base[i][j] = (j+1)*256^i*B */
+static const ge_precomp base[32][8] = {
+#include "base.h"
+};
+
+static void ge_select(ge_precomp *t,int pos,signed char b)
+{
+ ge_precomp minust;
+ unsigned char bnegative = negative(b);
+ unsigned char babs = b - (((-bnegative) & b) * ((signed char) 1 << 1));
+
+ ge_precomp_0(t);
+ cmov(t,&base[pos][0],equal(babs,1));
+ cmov(t,&base[pos][1],equal(babs,2));
+ cmov(t,&base[pos][2],equal(babs,3));
+ cmov(t,&base[pos][3],equal(babs,4));
+ cmov(t,&base[pos][4],equal(babs,5));
+ cmov(t,&base[pos][5],equal(babs,6));
+ cmov(t,&base[pos][6],equal(babs,7));
+ cmov(t,&base[pos][7],equal(babs,8));
+ fe_copy(minust.yplusx,t->yminusx);
+ fe_copy(minust.yminusx,t->yplusx);
+ fe_neg(minust.xy2d,t->xy2d);
+ cmov(t,&minust,bnegative);
+}
+
+/*
+ r = p - q
+ */
+
+void ge_sub(ge_p1p1 *r,const ge_p3 *p,const ge_cached *q)
+{
+ fe t0;
+
+ fe_add(r->X, p->Y, p->X);
+ fe_sub(r->Y, p->Y, p->X);
+ fe_mul(r->Z, r->X, q->YminusX);
+ fe_mul(r->Y, r->Y, q->YplusX);
+ fe_mul(r->T, q->T2d, p->T);
+ fe_mul(r->X, p->Z, q->Z);
+ fe_add(t0, r->X, r->X);
+ fe_sub(r->X, r->Z, r->Y);
+ fe_add(r->Y, r->Z, r->Y);
+ fe_sub(r->Z, t0, r->T);
+ fe_add(r->T, t0, r->T);
+}
+
+void ge_tobytes(unsigned char *s,const ge_p2 *h)
+{
+ fe recip;
+ fe x;
+ fe y;
+
+ fe_invert(recip,h->Z);
+ fe_mul(x,h->X,recip);
+ fe_mul(y,h->Y,recip);
+ fe_tobytes(s,y);
+ s[31] ^= fe_isnegative(x) << 7;
+}
+
+/*
+ h = a * B
+ where a = a[0]+256*a[1]+...+256^31 a[31]
+ B is the Ed25519 base point (x,4/5) with x positive.
+ *
+ Preconditions:
+ a[31] <= 127
+ */
+
+/*
+ r = a * A + b * B
+ where a = a[0]+256*a[1]+...+256^31 a[31].
+ and b = b[0]+256*b[1]+...+256^31 b[31].
+ B is the Ed25519 base point (x,4/5) with x positive.
+ */
+
+void ge_double_scalarmult_vartime(ge_p2 *r,const unsigned char *a,const ge_p3 *A,const unsigned char *b)
+{
+ signed char aslide[256];
+ signed char bslide[256];
+ ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
+ ge_p1p1 t;
+ ge_p3 u;
+ ge_p3 A2;
+ int i;
+
+ slide(aslide,a);
+ slide(bslide,b);
+
+ ge_p3_to_cached(&Ai[0],A);
+ ge_p3_dbl(&t,A); ge_p1p1_to_p3(&A2,&t);
+ ge_add(&t,&A2,&Ai[0]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[1],&u);
+ ge_add(&t,&A2,&Ai[1]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[2],&u);
+ ge_add(&t,&A2,&Ai[2]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[3],&u);
+ ge_add(&t,&A2,&Ai[3]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[4],&u);
+ ge_add(&t,&A2,&Ai[4]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[5],&u);
+ ge_add(&t,&A2,&Ai[5]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[6],&u);
+ ge_add(&t,&A2,&Ai[6]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[7],&u);
+
+ ge_p2_0(r);
+
+ for (i = 255;i >= 0;--i) {
+ if (aslide[i] || bslide[i]) break;
+ }
+
+ for (;i >= 0;--i) {
+ ge_p2_dbl(&t,r);
+
+ if (aslide[i] > 0) {
+ ge_p1p1_to_p3(&u,&t);
+ ge_add(&t,&u,&Ai[aslide[i]/2]);
+ } else if (aslide[i] < 0) {
+ ge_p1p1_to_p3(&u,&t);
+ ge_sub(&t,&u,&Ai[(-aslide[i])/2]);
+ }
+
+ if (bslide[i] > 0) {
+ ge_p1p1_to_p3(&u,&t);
+ ge_madd(&t,&u,&Bi[bslide[i]/2]);
+ } else if (bslide[i] < 0) {
+ ge_p1p1_to_p3(&u,&t);
+ ge_msub(&t,&u,&Bi[(-bslide[i])/2]);
+ }
+
+ ge_p1p1_to_p2(r,&t);
+ }
+}
+
+void ge_scalarmult_vartime(ge_p3 *r,const unsigned char *a,const ge_p3 *A)
+{
+ signed char aslide[256];
+ ge_cached Ai[8];
+ ge_p1p1 t;
+ ge_p3 u;
+ ge_p3 A2;
+ int i;
+
+ slide(aslide,a);
+
+ ge_p3_to_cached(&Ai[0],A);
+ ge_p3_dbl(&t,A); ge_p1p1_to_p3(&A2,&t);
+ ge_add(&t,&A2,&Ai[0]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[1],&u);
+ ge_add(&t,&A2,&Ai[1]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[2],&u);
+ ge_add(&t,&A2,&Ai[2]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[3],&u);
+ ge_add(&t,&A2,&Ai[3]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[4],&u);
+ ge_add(&t,&A2,&Ai[4]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[5],&u);
+ ge_add(&t,&A2,&Ai[5]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[6],&u);
+ ge_add(&t,&A2,&Ai[6]); ge_p1p1_to_p3(&u,&t); ge_p3_to_cached(&Ai[7],&u);
+
+ ge_p3_0(r);
+
+ for (i = 255;i >= 0;--i) {
+ if (aslide[i]) break;
+ }
+
+ for (;i >= 0;--i) {
+ ge_p3_dbl(&t,r);
+
+ if (aslide[i] > 0) {
+ ge_p1p1_to_p3(&u,&t);
+ ge_add(&t,&u,&Ai[aslide[i]/2]);
+ } else if (aslide[i] < 0) {
+ ge_p1p1_to_p3(&u,&t);
+ ge_sub(&t,&u,&Ai[(-aslide[i])/2]);
+ }
+
+ ge_p1p1_to_p3(r,&t);
+ }
+}
+
+void ge_scalarmult_base(ge_p3 *h,const unsigned char *a)
+{
+ signed char e[64];
+ signed char carry;
+ ge_p1p1 r;
+ ge_p2 s;
+ ge_precomp t;
+ int i;
+
+ for (i = 0;i < 32;++i) {
+ e[2 * i + 0] = (a[i] >> 0) & 15;
+ e[2 * i + 1] = (a[i] >> 4) & 15;
+ }
+ /* each e[i] is between 0 and 15 */
+ /* e[63] is between 0 and 7 */
+
+ carry = 0;
+ for (i = 0;i < 63;++i) {
+ e[i] += carry;
+ carry = e[i] + 8;
+ carry >>= 4;
+ e[i] -= carry * ((signed char) 1 << 4);
+ }
+ e[63] += carry;
+ /* each e[i] is between -8 and 8 */
+
+ ge_p3_0(h);
+ for (i = 1;i < 64;i += 2) {
+ ge_select(&t,i / 2,e[i]);
+ ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r);
+ }
+
+ ge_p3_dbl(&r,h); ge_p1p1_to_p2(&s,&r);
+ ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
+ ge_p2_dbl(&r,&s); ge_p1p1_to_p2(&s,&r);
+ ge_p2_dbl(&r,&s); ge_p1p1_to_p3(h,&r);
+
+ for (i = 0;i < 64;i += 2) {
+ ge_select(&t,i / 2,e[i]);
+ ge_madd(&r,h,&t); ge_p1p1_to_p3(h,&r);
+ }
+}
+
+/*
+ Input:
+ a[0]+256*a[1]+...+256^31*a[31] = a
+ b[0]+256*b[1]+...+256^31*b[31] = b
+ c[0]+256*c[1]+...+256^31*c[31] = c
+ *
+ Output:
+ s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
+ where l = 2^252 + 27742317777372353535851937790883648493.
+ */ + +void sc_muladd(unsigned char *s,const unsigned char *a,const unsigned char *b,const unsigned char *c) +{ + int64_t a0 = 2097151 & load_3(a); + int64_t a1 = 2097151 & (load_4(a + 2) >> 5); + int64_t a2 = 2097151 & (load_3(a + 5) >> 2); + int64_t a3 = 2097151 & (load_4(a + 7) >> 7); + int64_t a4 = 2097151 & (load_4(a + 10) >> 4); + int64_t a5 = 2097151 & (load_3(a + 13) >> 1); + int64_t a6 = 2097151 & (load_4(a + 15) >> 6); + int64_t a7 = 2097151 & (load_3(a + 18) >> 3); + int64_t a8 = 2097151 & load_3(a + 21); + int64_t a9 = 2097151 & (load_4(a + 23) >> 5); + int64_t a10 = 2097151 & (load_3(a + 26) >> 2); + int64_t a11 = (load_4(a + 28) >> 7); + int64_t b0 = 2097151 & load_3(b); + int64_t b1 = 2097151 & (load_4(b + 2) >> 5); + int64_t b2 = 2097151 & (load_3(b + 5) >> 2); + int64_t b3 = 2097151 & (load_4(b + 7) >> 7); + int64_t b4 = 2097151 & (load_4(b + 10) >> 4); + int64_t b5 = 2097151 & (load_3(b + 13) >> 1); + int64_t b6 = 2097151 & (load_4(b + 15) >> 6); + int64_t b7 = 2097151 & (load_3(b + 18) >> 3); + int64_t b8 = 2097151 & load_3(b + 21); + int64_t b9 = 2097151 & (load_4(b + 23) >> 5); + int64_t b10 = 2097151 & (load_3(b + 26) >> 2); + int64_t b11 = (load_4(b + 28) >> 7); + int64_t c0 = 2097151 & load_3(c); + int64_t c1 = 2097151 & (load_4(c + 2) >> 5); + int64_t c2 = 2097151 & (load_3(c + 5) >> 2); + int64_t c3 = 2097151 & (load_4(c + 7) >> 7); + int64_t c4 = 2097151 & (load_4(c + 10) >> 4); + int64_t c5 = 2097151 & (load_3(c + 13) >> 1); + int64_t c6 = 2097151 & (load_4(c + 15) >> 6); + int64_t c7 = 2097151 & (load_3(c + 18) >> 3); + int64_t c8 = 2097151 & load_3(c + 21); + int64_t c9 = 2097151 & (load_4(c + 23) >> 5); + int64_t c10 = 2097151 & (load_3(c + 26) >> 2); + int64_t c11 = (load_4(c + 28) >> 7); + int64_t s0; + int64_t s1; + int64_t s2; + int64_t s3; + int64_t s4; + int64_t s5; + int64_t s6; + int64_t s7; + int64_t s8; + int64_t s9; + int64_t s10; + int64_t s11; + int64_t s12; + int64_t s13; + int64_t s14; + int64_t s15; + int64_t s16; + 
int64_t s17; + int64_t s18; + int64_t s19; + int64_t s20; + int64_t s21; + int64_t s22; + int64_t s23; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + int64_t carry10; + int64_t carry11; + int64_t carry12; + int64_t carry13; + int64_t carry14; + int64_t carry15; + int64_t carry16; + int64_t carry17; + int64_t carry18; + int64_t carry19; + int64_t carry20; + int64_t carry21; + int64_t carry22; + + s0 = c0 + a0*b0; + s1 = c1 + a0*b1 + a1*b0; + s2 = c2 + a0*b2 + a1*b1 + a2*b0; + s3 = c3 + a0*b3 + a1*b2 + a2*b1 + a3*b0; + s4 = c4 + a0*b4 + a1*b3 + a2*b2 + a3*b1 + a4*b0; + s5 = c5 + a0*b5 + a1*b4 + a2*b3 + a3*b2 + a4*b1 + a5*b0; + s6 = c6 + a0*b6 + a1*b5 + a2*b4 + a3*b3 + a4*b2 + a5*b1 + a6*b0; + s7 = c7 + a0*b7 + a1*b6 + a2*b5 + a3*b4 + a4*b3 + a5*b2 + a6*b1 + a7*b0; + s8 = c8 + a0*b8 + a1*b7 + a2*b6 + a3*b5 + a4*b4 + a5*b3 + a6*b2 + a7*b1 + a8*b0; + s9 = c9 + a0*b9 + a1*b8 + a2*b7 + a3*b6 + a4*b5 + a5*b4 + a6*b3 + a7*b2 + a8*b1 + a9*b0; + s10 = c10 + a0*b10 + a1*b9 + a2*b8 + a3*b7 + a4*b6 + a5*b5 + a6*b4 + a7*b3 + a8*b2 + a9*b1 + a10*b0; + s11 = c11 + a0*b11 + a1*b10 + a2*b9 + a3*b8 + a4*b7 + a5*b6 + a6*b5 + a7*b4 + a8*b3 + a9*b2 + a10*b1 + a11*b0; + s12 = a1*b11 + a2*b10 + a3*b9 + a4*b8 + a5*b7 + a6*b6 + a7*b5 + a8*b4 + a9*b3 + a10*b2 + a11*b1; + s13 = a2*b11 + a3*b10 + a4*b9 + a5*b8 + a6*b7 + a7*b6 + a8*b5 + a9*b4 + a10*b3 + a11*b2; + s14 = a3*b11 + a4*b10 + a5*b9 + a6*b8 + a7*b7 + a8*b6 + a9*b5 + a10*b4 + a11*b3; + s15 = a4*b11 + a5*b10 + a6*b9 + a7*b8 + a8*b7 + a9*b6 + a10*b5 + a11*b4; + s16 = a5*b11 + a6*b10 + a7*b9 + a8*b8 + a9*b7 + a10*b6 + a11*b5; + s17 = a6*b11 + a7*b10 + a8*b9 + a9*b8 + a10*b7 + a11*b6; + s18 = a7*b11 + a8*b10 + a9*b9 + a10*b8 + a11*b7; + s19 = a8*b11 + a9*b10 + a10*b9 + a11*b8; + s20 = a9*b11 + a10*b10 + a11*b9; + s21 = a10*b11 + a11*b10; + s22 = a11*b11; + s23 = 0; + + carry0 = (s0 + (int64_t) (1L << 20)) >> 
21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21); + carry2 = (s2 + (int64_t) (1L << 20)) >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21); + carry4 = (s4 + (int64_t) (1L << 20)) >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21); + carry6 = (s6 + (int64_t) (1L << 20)) >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21); + carry8 = (s8 + (int64_t) (1L << 20)) >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21); + carry10 = (s10 + (int64_t) (1L << 20)) >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21); + carry12 = (s12 + (int64_t) (1L << 20)) >> 21; s13 += carry12; s12 -= carry12 * ((uint64_t) 1L << 21); + carry14 = (s14 + (int64_t) (1L << 20)) >> 21; s15 += carry14; s14 -= carry14 * ((uint64_t) 1L << 21); + carry16 = (s16 + (int64_t) (1L << 20)) >> 21; s17 += carry16; s16 -= carry16 * ((uint64_t) 1L << 21); + carry18 = (s18 + (int64_t) (1L << 20)) >> 21; s19 += carry18; s18 -= carry18 * ((uint64_t) 1L << 21); + carry20 = (s20 + (int64_t) (1L << 20)) >> 21; s21 += carry20; s20 -= carry20 * ((uint64_t) 1L << 21); + carry22 = (s22 + (int64_t) (1L << 20)) >> 21; s23 += carry22; s22 -= carry22 * ((uint64_t) 1L << 21); + + carry1 = (s1 + (int64_t) (1L << 20)) >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21); + carry3 = (s3 + (int64_t) (1L << 20)) >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21); + carry5 = (s5 + (int64_t) (1L << 20)) >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21); + carry7 = (s7 + (int64_t) (1L << 20)) >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21); + carry9 = (s9 + (int64_t) (1L << 20)) >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21); + carry11 = (s11 + (int64_t) (1L << 20)) >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21); + carry13 = (s13 + (int64_t) (1L << 20)) >> 21; s14 += carry13; s13 -= carry13 * ((uint64_t) 1L << 21); + carry15 = (s15 + (int64_t) (1L << 20)) >> 21; s16 += carry15; s15 -= carry15 * ((uint64_t) 1L << 21); + carry17 = (s17 + 
(int64_t) (1L << 20)) >> 21; s18 += carry17; s17 -= carry17 * ((uint64_t) 1L << 21); + carry19 = (s19 + (int64_t) (1L << 20)) >> 21; s20 += carry19; s19 -= carry19 * ((uint64_t) 1L << 21); + carry21 = (s21 + (int64_t) (1L << 20)) >> 21; s22 += carry21; s21 -= carry21 * ((uint64_t) 1L << 21); + + s11 += s23 * 666643; + s12 += s23 * 470296; + s13 += s23 * 654183; + s14 -= s23 * 997805; + s15 += s23 * 136657; + s16 -= s23 * 683901; + + s10 += s22 * 666643; + s11 += s22 * 470296; + s12 += s22 * 654183; + s13 -= s22 * 997805; + s14 += s22 * 136657; + s15 -= s22 * 683901; + + s9 += s21 * 666643; + s10 += s21 * 470296; + s11 += s21 * 654183; + s12 -= s21 * 997805; + s13 += s21 * 136657; + s14 -= s21 * 683901; + + s8 += s20 * 666643; + s9 += s20 * 470296; + s10 += s20 * 654183; + s11 -= s20 * 997805; + s12 += s20 * 136657; + s13 -= s20 * 683901; + + s7 += s19 * 666643; + s8 += s19 * 470296; + s9 += s19 * 654183; + s10 -= s19 * 997805; + s11 += s19 * 136657; + s12 -= s19 * 683901; + + s6 += s18 * 666643; + s7 += s18 * 470296; + s8 += s18 * 654183; + s9 -= s18 * 997805; + s10 += s18 * 136657; + s11 -= s18 * 683901; + + carry6 = (s6 + (int64_t) (1L << 20)) >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21); + carry8 = (s8 + (int64_t) (1L << 20)) >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21); + carry10 = (s10 + (int64_t) (1L << 20)) >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21); + carry12 = (s12 + (int64_t) (1L << 20)) >> 21; s13 += carry12; s12 -= carry12 * ((uint64_t) 1L << 21); + carry14 = (s14 + (int64_t) (1L << 20)) >> 21; s15 += carry14; s14 -= carry14 * ((uint64_t) 1L << 21); + carry16 = (s16 + (int64_t) (1L << 20)) >> 21; s17 += carry16; s16 -= carry16 * ((uint64_t) 1L << 21); + + carry7 = (s7 + (int64_t) (1L << 20)) >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21); + carry9 = (s9 + (int64_t) (1L << 20)) >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21); + carry11 = (s11 + (int64_t) (1L << 20)) >> 21; s12 += carry11; 
s11 -= carry11 * ((uint64_t) 1L << 21); + carry13 = (s13 + (int64_t) (1L << 20)) >> 21; s14 += carry13; s13 -= carry13 * ((uint64_t) 1L << 21); + carry15 = (s15 + (int64_t) (1L << 20)) >> 21; s16 += carry15; s15 -= carry15 * ((uint64_t) 1L << 21); + + s5 += s17 * 666643; + s6 += s17 * 470296; + s7 += s17 * 654183; + s8 -= s17 * 997805; + s9 += s17 * 136657; + s10 -= s17 * 683901; + + s4 += s16 * 666643; + s5 += s16 * 470296; + s6 += s16 * 654183; + s7 -= s16 * 997805; + s8 += s16 * 136657; + s9 -= s16 * 683901; + + s3 += s15 * 666643; + s4 += s15 * 470296; + s5 += s15 * 654183; + s6 -= s15 * 997805; + s7 += s15 * 136657; + s8 -= s15 * 683901; + + s2 += s14 * 666643; + s3 += s14 * 470296; + s4 += s14 * 654183; + s5 -= s14 * 997805; + s6 += s14 * 136657; + s7 -= s14 * 683901; + + s1 += s13 * 666643; + s2 += s13 * 470296; + s3 += s13 * 654183; + s4 -= s13 * 997805; + s5 += s13 * 136657; + s6 -= s13 * 683901; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = (s0 + (int64_t) (1L << 20)) >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21); + carry2 = (s2 + (int64_t) (1L << 20)) >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21); + carry4 = (s4 + (int64_t) (1L << 20)) >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21); + carry6 = (s6 + (int64_t) (1L << 20)) >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21); + carry8 = (s8 + (int64_t) (1L << 20)) >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21); + carry10 = (s10 + (int64_t) (1L << 20)) >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21); + + carry1 = (s1 + (int64_t) (1L << 20)) >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21); + carry3 = (s3 + (int64_t) (1L << 20)) >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21); + carry5 = (s5 + (int64_t) (1L << 20)) >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21); + carry7 = (s7 + (int64_t) (1L << 20)) >> 
21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21); + carry9 = (s9 + (int64_t) (1L << 20)) >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21); + carry11 = (s11 + (int64_t) (1L << 20)) >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21); + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21); + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21); + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21); + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21); + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21); + carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21); + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21); + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21); + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21); + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21); + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21); + carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21); + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21); + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21); + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21); + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21); + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21); + carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21); + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21); + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 * 
((uint64_t) 1L << 21); + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21); + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21); + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21); + + s[0] = s0 >> 0; + s[1] = s0 >> 8; + s[2] = (s0 >> 16) | (s1 * ((uint64_t) 1 << 5)); + s[3] = s1 >> 3; + s[4] = s1 >> 11; + s[5] = (s1 >> 19) | (s2 * ((uint64_t) 1 << 2)); + s[6] = s2 >> 6; + s[7] = (s2 >> 14) | (s3 * ((uint64_t) 1 << 7)); + s[8] = s3 >> 1; + s[9] = s3 >> 9; + s[10] = (s3 >> 17) | (s4 * ((uint64_t) 1 << 4)); + s[11] = s4 >> 4; + s[12] = s4 >> 12; + s[13] = (s4 >> 20) | (s5 * ((uint64_t) 1 << 1)); + s[14] = s5 >> 7; + s[15] = (s5 >> 15) | (s6 * ((uint64_t) 1 << 6)); + s[16] = s6 >> 2; + s[17] = s6 >> 10; + s[18] = (s6 >> 18) | (s7 * ((uint64_t) 1 << 3)); + s[19] = s7 >> 5; + s[20] = s7 >> 13; + s[21] = s8 >> 0; + s[22] = s8 >> 8; + s[23] = (s8 >> 16) | (s9 * ((uint64_t) 1 << 5)); + s[24] = s9 >> 3; + s[25] = s9 >> 11; + s[26] = (s9 >> 19) | (s10 * ((uint64_t) 1 << 2)); + s[27] = s10 >> 6; + s[28] = (s10 >> 14) | (s11 * ((uint64_t) 1 << 7)); + s[29] = s11 >> 1; + s[30] = s11 >> 9; + s[31] = s11 >> 17; +} + +/* + Input: + s[0]+256*s[1]+...+256^63*s[63] = s + * + Output: + s[0]+256*s[1]+...+256^31*s[31] = s mod l + where l = 2^252 + 27742317777372353535851937790883648493. + Overwrites s in place. 
+ */ + +void sc_reduce(unsigned char *s) +{ + int64_t s0 = 2097151 & load_3(s); + int64_t s1 = 2097151 & (load_4(s + 2) >> 5); + int64_t s2 = 2097151 & (load_3(s + 5) >> 2); + int64_t s3 = 2097151 & (load_4(s + 7) >> 7); + int64_t s4 = 2097151 & (load_4(s + 10) >> 4); + int64_t s5 = 2097151 & (load_3(s + 13) >> 1); + int64_t s6 = 2097151 & (load_4(s + 15) >> 6); + int64_t s7 = 2097151 & (load_3(s + 18) >> 3); + int64_t s8 = 2097151 & load_3(s + 21); + int64_t s9 = 2097151 & (load_4(s + 23) >> 5); + int64_t s10 = 2097151 & (load_3(s + 26) >> 2); + int64_t s11 = 2097151 & (load_4(s + 28) >> 7); + int64_t s12 = 2097151 & (load_4(s + 31) >> 4); + int64_t s13 = 2097151 & (load_3(s + 34) >> 1); + int64_t s14 = 2097151 & (load_4(s + 36) >> 6); + int64_t s15 = 2097151 & (load_3(s + 39) >> 3); + int64_t s16 = 2097151 & load_3(s + 42); + int64_t s17 = 2097151 & (load_4(s + 44) >> 5); + int64_t s18 = 2097151 & (load_3(s + 47) >> 2); + int64_t s19 = 2097151 & (load_4(s + 49) >> 7); + int64_t s20 = 2097151 & (load_4(s + 52) >> 4); + int64_t s21 = 2097151 & (load_3(s + 55) >> 1); + int64_t s22 = 2097151 & (load_4(s + 57) >> 6); + int64_t s23 = (load_4(s + 60) >> 3); + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + int64_t carry10; + int64_t carry11; + int64_t carry12; + int64_t carry13; + int64_t carry14; + int64_t carry15; + int64_t carry16; + + s11 += s23 * 666643; + s12 += s23 * 470296; + s13 += s23 * 654183; + s14 -= s23 * 997805; + s15 += s23 * 136657; + s16 -= s23 * 683901; + + s10 += s22 * 666643; + s11 += s22 * 470296; + s12 += s22 * 654183; + s13 -= s22 * 997805; + s14 += s22 * 136657; + s15 -= s22 * 683901; + + s9 += s21 * 666643; + s10 += s21 * 470296; + s11 += s21 * 654183; + s12 -= s21 * 997805; + s13 += s21 * 136657; + s14 -= s21 * 683901; + + s8 += s20 * 666643; + s9 += s20 * 470296; + s10 += s20 * 654183; + s11 -= s20 * 997805; + 
s12 += s20 * 136657; + s13 -= s20 * 683901; + + s7 += s19 * 666643; + s8 += s19 * 470296; + s9 += s19 * 654183; + s10 -= s19 * 997805; + s11 += s19 * 136657; + s12 -= s19 * 683901; + + s6 += s18 * 666643; + s7 += s18 * 470296; + s8 += s18 * 654183; + s9 -= s18 * 997805; + s10 += s18 * 136657; + s11 -= s18 * 683901; + + carry6 = (s6 + (int64_t) (1L << 20)) >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21); + carry8 = (s8 + (int64_t) (1L << 20)) >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21); + carry10 = (s10 + (int64_t) (1L << 20)) >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21); + carry12 = (s12 + (int64_t) (1L << 20)) >> 21; s13 += carry12; s12 -= carry12 * ((uint64_t) 1L << 21); + carry14 = (s14 + (int64_t) (1L << 20)) >> 21; s15 += carry14; s14 -= carry14 * ((uint64_t) 1L << 21); + carry16 = (s16 + (int64_t) (1L << 20)) >> 21; s17 += carry16; s16 -= carry16 * ((uint64_t) 1L << 21); + + carry7 = (s7 + (int64_t) (1L << 20)) >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21); + carry9 = (s9 + (int64_t) (1L << 20)) >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21); + carry11 = (s11 + (int64_t) (1L << 20)) >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21); + carry13 = (s13 + (int64_t) (1L << 20)) >> 21; s14 += carry13; s13 -= carry13 * ((uint64_t) 1L << 21); + carry15 = (s15 + (int64_t) (1L << 20)) >> 21; s16 += carry15; s15 -= carry15 * ((uint64_t) 1L << 21); + + s5 += s17 * 666643; + s6 += s17 * 470296; + s7 += s17 * 654183; + s8 -= s17 * 997805; + s9 += s17 * 136657; + s10 -= s17 * 683901; + + s4 += s16 * 666643; + s5 += s16 * 470296; + s6 += s16 * 654183; + s7 -= s16 * 997805; + s8 += s16 * 136657; + s9 -= s16 * 683901; + + s3 += s15 * 666643; + s4 += s15 * 470296; + s5 += s15 * 654183; + s6 -= s15 * 997805; + s7 += s15 * 136657; + s8 -= s15 * 683901; + + s2 += s14 * 666643; + s3 += s14 * 470296; + s4 += s14 * 654183; + s5 -= s14 * 997805; + s6 += s14 * 136657; + s7 -= s14 * 683901; + + s1 += s13 * 
666643; + s2 += s13 * 470296; + s3 += s13 * 654183; + s4 -= s13 * 997805; + s5 += s13 * 136657; + s6 -= s13 * 683901; + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = (s0 + (int64_t) (1L << 20)) >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21); + carry2 = (s2 + (int64_t) (1L << 20)) >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21); + carry4 = (s4 + (int64_t) (1L << 20)) >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21); + carry6 = (s6 + (int64_t) (1L << 20)) >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21); + carry8 = (s8 + (int64_t) (1L << 20)) >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21); + carry10 = (s10 + (int64_t) (1L << 20)) >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21); + + carry1 = (s1 + (int64_t) (1L << 20)) >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21); + carry3 = (s3 + (int64_t) (1L << 20)) >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21); + carry5 = (s5 + (int64_t) (1L << 20)) >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21); + carry7 = (s7 + (int64_t) (1L << 20)) >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21); + carry9 = (s9 + (int64_t) (1L << 20)) >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21); + carry11 = (s11 + (int64_t) (1L << 20)) >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21); + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21); + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21); + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21); + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21); + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21); + carry5 = s5 >> 21; s6 += 
carry5; s5 -= carry5 * ((uint64_t) 1L << 21); + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21); + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21); + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21); + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21); + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21); + carry11 = s11 >> 21; s12 += carry11; s11 -= carry11 * ((uint64_t) 1L << 21); + + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + + carry0 = s0 >> 21; s1 += carry0; s0 -= carry0 * ((uint64_t) 1L << 21); + carry1 = s1 >> 21; s2 += carry1; s1 -= carry1 * ((uint64_t) 1L << 21); + carry2 = s2 >> 21; s3 += carry2; s2 -= carry2 * ((uint64_t) 1L << 21); + carry3 = s3 >> 21; s4 += carry3; s3 -= carry3 * ((uint64_t) 1L << 21); + carry4 = s4 >> 21; s5 += carry4; s4 -= carry4 * ((uint64_t) 1L << 21); + carry5 = s5 >> 21; s6 += carry5; s5 -= carry5 * ((uint64_t) 1L << 21); + carry6 = s6 >> 21; s7 += carry6; s6 -= carry6 * ((uint64_t) 1L << 21); + carry7 = s7 >> 21; s8 += carry7; s7 -= carry7 * ((uint64_t) 1L << 21); + carry8 = s8 >> 21; s9 += carry8; s8 -= carry8 * ((uint64_t) 1L << 21); + carry9 = s9 >> 21; s10 += carry9; s9 -= carry9 * ((uint64_t) 1L << 21); + carry10 = s10 >> 21; s11 += carry10; s10 -= carry10 * ((uint64_t) 1L << 21); + + s[0] = s0 >> 0; + s[1] = s0 >> 8; + s[2] = (s0 >> 16) | (s1 * ((uint64_t) 1 << 5)); + s[3] = s1 >> 3; + s[4] = s1 >> 11; + s[5] = (s1 >> 19) | (s2 * ((uint64_t) 1 << 2)); + s[6] = s2 >> 6; + s[7] = (s2 >> 14) | (s3 * ((uint64_t) 1 << 7)); + s[8] = s3 >> 1; + s[9] = s3 >> 9; + s[10] = (s3 >> 17) | (s4 * ((uint64_t) 1 << 4)); + s[11] = s4 >> 4; + s[12] = s4 >> 12; + s[13] = (s4 >> 20) | (s5 * ((uint64_t) 1 << 1)); + s[14] = s5 >> 7; + s[15] = (s5 >> 15) | (s6 * ((uint64_t) 1 << 6)); + s[16] = s6 >> 2; + s[17] = s6 >> 10; + s[18] = (s6 >> 18) | (s7 
* ((uint64_t) 1 << 3)); + s[19] = s7 >> 5; + s[20] = s7 >> 13; + s[21] = s8 >> 0; + s[22] = s8 >> 8; + s[23] = (s8 >> 16) | (s9 * ((uint64_t) 1 << 5)); + s[24] = s9 >> 3; + s[25] = s9 >> 11; + s[26] = (s9 >> 19) | (s10 * ((uint64_t) 1 << 2)); + s[27] = s10 >> 6; + s[28] = (s10 >> 14) | (s11 * ((uint64_t) 1 << 7)); + s[29] = s11 >> 1; + s[30] = s11 >> 9; + s[31] = s11 >> 17; +} diff --git a/release/src/router/libsodium/src/libsodium/crypto_core/hchacha20/core_hchacha20.c b/release/src/router/libsodium/src/libsodium/crypto_core/hchacha20/core_hchacha20.c new file mode 100644 index 0000000000..37d1c94d56 --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/crypto_core/hchacha20/core_hchacha20.c 
@@ -0,0 +1,86 @@
+
+#include
+#include
+
+#include "core_hchacha20.h"
+#include "crypto_core_hchacha20.h"
+#include "private/common.h"
+
+int
+crypto_core_hchacha20(unsigned char *out, const unsigned char *in,
+ const unsigned char *k, const unsigned char *c)
+{
+ int i;
+ uint32_t x0, x1, x2, x3, x4, x5, x6, x7;
+ uint32_t x8, x9, x10, x11, x12, x13, x14, x15;
+
+ if (c == NULL) {
+ x0 = U32C(0x61707865);
+ x1 = U32C(0x3320646e);
+ x2 = U32C(0x79622d32);
+ x3 = U32C(0x6b206574);
+ } else {
+ x0 = LOAD32_LE(c + 0);
+ x1 = LOAD32_LE(c + 4);
+ x2 = LOAD32_LE(c + 8);
+ x3 = LOAD32_LE(c + 12);
+ }
+ x4 = LOAD32_LE(k + 0);
+ x5 = LOAD32_LE(k + 4);
+ x6 = LOAD32_LE(k + 8);
+ x7 = LOAD32_LE(k + 12);
+ x8 = LOAD32_LE(k + 16);
+ x9 = LOAD32_LE(k + 20);
+ x10 = LOAD32_LE(k + 24);
+ x11 = LOAD32_LE(k + 28);
+ x12 = LOAD32_LE(in + 0);
+ x13 = LOAD32_LE(in + 4);
+ x14 = LOAD32_LE(in + 8);
+ x15 = LOAD32_LE(in + 12);
+
+ for (i = 0; i < 10; i++) {
+ QUARTERROUND(x0, x4, x8, x12);
+ QUARTERROUND(x1, x5, x9, x13);
+ QUARTERROUND(x2, x6, x10, x14);
+ QUARTERROUND(x3, x7, x11, x15);
+ QUARTERROUND(x0, x5, x10, x15);
+ QUARTERROUND(x1, x6, x11, x12);
+ QUARTERROUND(x2, x7, x8, x13);
+ QUARTERROUND(x3, x4, x9, x14);
+ }
+
+ STORE32_LE(out + 0, x0);
+ STORE32_LE(out + 4, x1);
+ STORE32_LE(out + 8, x2);
+ STORE32_LE(out + 12, x3);
+ STORE32_LE(out + 16, x12);
+ STORE32_LE(out + 20, x13);
+ STORE32_LE(out + 24, x14);
+ STORE32_LE(out + 28, x15);
+
+ return 0;
+}
+
+size_t
+crypto_core_hchacha20_outputbytes(void)
+{
+ return crypto_core_hchacha20_OUTPUTBYTES;
+}
+
+size_t
+crypto_core_hchacha20_inputbytes(void)
+{
+ return crypto_core_hchacha20_INPUTBYTES;
+}
+
+size_t
+crypto_core_hchacha20_keybytes(void)
+{
+ return crypto_core_hchacha20_KEYBYTES;
+}
+
+size_t
+crypto_core_hchacha20_constbytes(void)
+{
+ return crypto_core_hchacha20_CONSTBYTES;
+}
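Review bot: The `if (c == NULL)` branch in crypto_core_hchacha20 silently substitutes fixed constants for a missing `c`, and nothing in the new file says so; a reader of the signature would assume `c` is required. Add above the branch `/* c == NULL selects the standard "expand 32-byte k" sigma constants; otherwise c supplies 16 bytes of constants */`, and document the buffer sizes the body actually touches (`out` is written at offsets 0..28, `k` read at 0..28, `in` and `c` at 0..12). The same undocumented NULL-means-default branch is introduced in the second hunks of core_hsalsa20.c, core_salsa20.c, core_salsa2012.c and core_salsa208.c, where it is a behavior change from the unconditional `load_littleendian(c + ...)` it replaces and deserves the same one-line comment.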
diff --git a/release/src/router/libsodium/src/libsodium/crypto_core/hchacha20/core_hchacha20.h b/release/src/router/libsodium/src/libsodium/crypto_core/hchacha20/core_hchacha20.h
new file mode 100644
index 0000000000..6e1d1c54fa
--- /dev/null
+++ b/release/src/router/libsodium/src/libsodium/crypto_core/hchacha20/core_hchacha20.h
@@ -0,0 +1,28 @@
+#ifndef core_hchacha20_H
+#define core_hchacha20_H
+
+#include
+#include
+#include
+
+#define U8C(v) (v##U)
+#define U32C(v) (v##U)
+
+#define U8V(v) ((uint8_t)(v) & U8C(0xFF))
+#define U32V(v) ((uint32_t)(v) & U32C(0xFFFFFFFF))
+
+#define ROTL32(v, n) (U32V((v) << (n)) | ((v) >> (32 - (n))))
+
+#define ROTATE(v, c) (ROTL32(v, c))
+#define XOR(v, w) ((v) ^ (w))
+#define PLUS(v, w) (U32V((v) + (w)))
+
+#define QUARTERROUND(a, b, c, d) \
+ do { \
+ a = PLUS(a, b); d = ROTATE(XOR(d, a), 16); \
+ c = PLUS(c, d); b = ROTATE(XOR(b, c), 12); \
+ a = PLUS(a, b); d = ROTATE(XOR(d, a), 8); \
+ c = PLUS(c, d); b = ROTATE(XOR(b, c), 7); \
+ } while(0)
+
+#endif
diff --git a/release/src/router/libsodium/src/libsodium/crypto_core/hsalsa20/ref2/core_hsalsa20.c b/release/src/router/libsodium/src/libsodium/crypto_core/hsalsa20/ref2/core_hsalsa20.c
index ae71f0bd8c..2713bc8a47 100644
--- a/release/src/router/libsodium/src/libsodium/crypto_core/hsalsa20/ref2/core_hsalsa20.c
+++ b/release/src/router/libsodium/src/libsodium/crypto_core/hsalsa20/ref2/core_hsalsa20.c
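Review bot: The new header defines `XOR`, `PLUS`, `ROTATE`, `U8C` and `U8V` as unprefixed function-like macros, which will collide with any other header pulled into the same translation unit that uses these generic names, and `U8C`/`U8V` are not referenced by the accompanying core_hchacha20.c. Prefixing them (`HCHACHA20_PLUS`, ...) or dropping the unused pair would keep the header self-contained. `ROTL32(v, n)` shifts right by `32 - (n)`, so it is only defined for `1 <= n <= 31`; the four QUARTERROUND call sites pass 16, 12, 8 and 7, which is worth recording as `/* n must be in 1..31 */` next to the definition.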
@@ -4,35 +4,20 @@ D. J. Bernstein Public domain. */ +#include +#include + #include "crypto_core_hsalsa20.h" +#include "private/common.h" #define ROUNDS 20 +#define U32C(v) (v##U) -typedef unsigned int uint32; - -static uint32 rotate(uint32 u,int c) +static uint32_t rotate(uint32_t u,int c) { return (u << c) | (u >> (32 - c)); } -static uint32 load_littleendian(const unsigned char *x) -{ - return - (uint32) (x[0]) \ - | (((uint32) (x[1])) << 8) \ - | (((uint32) (x[2])) << 16) \ - | (((uint32) (x[3])) << 24) - ; -} - -static void store_littleendian(unsigned char *x,uint32 u) -{ - x[0] = u; u >>= 8; - x[1] = u; u >>= 8; - x[2] = u; u >>= 8; - x[3] = u; -} - int crypto_core_hsalsa20( unsigned char *out, const unsigned char *in, 
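Review bot: `#define U32C(v) (v##U)` and the four sigma constants are re-declared verbatim in this file and in core_salsa20.c, core_salsa2012.c, core_salsa208.c and the new core_hchacha20.h, while the rest of the commit centralises helpers in private/common.h (the `LOAD32_LE`/`STORE32_LE` migration). One shared definition through that header would keep the five copies from drifting apart. The retained `static uint32_t rotate(uint32_t u,int c)` is likewise still hand-rolled per file; if common.h provides a rotate helper it should be used here as well.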
@@ -40,25 +25,32 @@ int crypto_core_hsalsa20( const unsigned char *c ) { - uint32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; int i; - x0 = load_littleendian(c + 0); - x1 = load_littleendian(k + 0); - x2 = load_littleendian(k + 4); - x3 = load_littleendian(k + 8); - x4 = load_littleendian(k + 12); - x5 = load_littleendian(c + 4); - x6 = load_littleendian(in + 0); - x7 = load_littleendian(in + 4); - x8 = load_littleendian(in + 8); - x9 = load_littleendian(in + 12); - x10 = load_littleendian(c + 8); - x11 = load_littleendian(k + 16); - x12 = load_littleendian(k + 20); - x13 = load_littleendian(k + 24); - x14 = load_littleendian(k + 28); - x15 = load_littleendian(c + 12); + if (c == NULL) { + x0 = U32C(0x61707865); + x5 = U32C(0x3320646e); + x10 = U32C(0x79622d32); + x15 = U32C(0x6b206574); + } else { + x0 = LOAD32_LE(c + 0); + x5 = LOAD32_LE(c + 4); + x10 = LOAD32_LE(c + 8); + x15 = LOAD32_LE(c + 12); + } + x1 = LOAD32_LE(k + 0); + x2 = LOAD32_LE(k + 4); + x3 = LOAD32_LE(k + 8); + x4 = LOAD32_LE(k + 12); + x11 = LOAD32_LE(k + 16); + x12 = LOAD32_LE(k + 20); + x13 = LOAD32_LE(k + 24); + x14 = LOAD32_LE(k + 28); + x6 = LOAD32_LE(in + 0); + x7 = LOAD32_LE(in + 4); + x8 = LOAD32_LE(in + 8); + x9 = LOAD32_LE(in + 12); for (i = ROUNDS;i > 0;i -= 2) { x4 ^= rotate( x0+x12, 7); @@ -95,14 +87,14 @@ int crypto_core_hsalsa20( x15 ^= rotate(x14+x13,18); } - store_littleendian(out + 0,x0); - store_littleendian(out + 4,x5); - store_littleendian(out + 8,x10); - store_littleendian(out + 12,x15); - store_littleendian(out + 16,x6); - store_littleendian(out + 20,x7); - store_littleendian(out + 24,x8); - store_littleendian(out + 28,x9); + STORE32_LE(out + 0,x0); + STORE32_LE(out + 4,x5); + STORE32_LE(out + 8,x10); + STORE32_LE(out + 12,x15); + STORE32_LE(out + 16,x6); + STORE32_LE(out + 20,x7); + STORE32_LE(out + 24,x8); + STORE32_LE(out + 28,x9); return 0; } 
diff --git a/release/src/router/libsodium/src/libsodium/crypto_core/salsa20/ref/core_salsa20.c b/release/src/router/libsodium/src/libsodium/crypto_core/salsa20/ref/core_salsa20.c index 8096791161..26fb66fdd2 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_core/salsa20/ref/core_salsa20.c +++ b/release/src/router/libsodium/src/libsodium/crypto_core/salsa20/ref/core_salsa20.c @@ -4,35 +4,20 @@ D. J. Bernstein Public domain. */ +#include +#include + #include "crypto_core_salsa20.h" +#include "private/common.h" #define ROUNDS 20 +#define U32C(v) (v##U) -typedef unsigned int uint32; - -static uint32 rotate(uint32 u,int c) +static uint32_t rotate(uint32_t u,int c) { return (u << c) | (u >> (32 - c)); } -static uint32 load_littleendian(const unsigned char *x) -{ - return - (uint32) (x[0]) \ - | (((uint32) (x[1])) << 8) \ - | (((uint32) (x[2])) << 16) \ - | (((uint32) (x[3])) << 24) - ; -} - -static void store_littleendian(unsigned char *x,uint32 u) -{ - x[0] = u; u >>= 8; - x[1] = u; u >>= 8; - x[2] = u; u >>= 8; - x[3] = u; -} - int crypto_core_salsa20( unsigned char *out, const unsigned char *in, 
@@ -40,26 +25,33 @@ int crypto_core_salsa20( const unsigned char *c ) { - uint32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; - uint32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; + uint32_t j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15; int i; - j0 = x0 = load_littleendian(c + 0); - j1 = x1 = load_littleendian(k + 0); - j2 = x2 = load_littleendian(k + 4); - j3 = x3 = load_littleendian(k + 8); - j4 = x4 = load_littleendian(k + 12); - j5 = x5 = load_littleendian(c + 4); - j6 = x6 = load_littleendian(in + 0); - j7 = x7 = load_littleendian(in + 4); - j8 = x8 = load_littleendian(in + 8); - j9 = x9 = load_littleendian(in + 12); - j10 = x10 = load_littleendian(c + 8); - j11 = x11 = load_littleendian(k + 16); - j12 = x12 = load_littleendian(k + 20); - j13 = x13 = load_littleendian(k + 24); - j14 = x14 = load_littleendian(k + 28); - j15 = x15 = load_littleendian(c + 12); + if (c == NULL) { + j0 = x0 = U32C(0x61707865); + j5 = x5 = U32C(0x3320646e); + j10 = x10 = U32C(0x79622d32); + j15 = x15 = U32C(0x6b206574); + } else { + j0 = x0 = LOAD32_LE(c + 0); + j5 = x5 = LOAD32_LE(c + 4); + j10 = x10 = LOAD32_LE(c + 8); + j15 = x15 = LOAD32_LE(c + 12); + } + j1 = x1 = LOAD32_LE(k + 0); + j2 = x2 = LOAD32_LE(k + 4); + j3 = x3 = LOAD32_LE(k + 8); + j4 = x4 = LOAD32_LE(k + 12); + j6 = x6 = LOAD32_LE(in + 0); + j7 = x7 = LOAD32_LE(in + 4); + j8 = x8 = LOAD32_LE(in + 8); + j9 = x9 = LOAD32_LE(in + 12); + j11 = x11 = LOAD32_LE(k + 16); + j12 = x12 = LOAD32_LE(k + 20); + j13 = x13 = LOAD32_LE(k + 24); + j14 = x14 = LOAD32_LE(k + 28); for (i = ROUNDS;i > 0;i -= 2) { x4 ^= rotate( x0+x12, 7); 
@@ -113,22 +105,22 @@ int crypto_core_salsa20( x14 += j14; x15 += j15; - store_littleendian(out + 0,x0); - store_littleendian(out + 4,x1); - store_littleendian(out + 8,x2); - store_littleendian(out + 12,x3); - store_littleendian(out + 16,x4); - store_littleendian(out + 20,x5); - store_littleendian(out + 24,x6); - store_littleendian(out + 28,x7); - store_littleendian(out + 32,x8); - store_littleendian(out + 36,x9); - store_littleendian(out + 40,x10); - store_littleendian(out + 44,x11); - store_littleendian(out + 48,x12); - store_littleendian(out + 52,x13); - store_littleendian(out + 56,x14); - store_littleendian(out + 60,x15); + STORE32_LE(out + 0,x0); + STORE32_LE(out + 4,x1); + STORE32_LE(out + 8,x2); + STORE32_LE(out + 12,x3); + STORE32_LE(out + 16,x4); + STORE32_LE(out + 20,x5); + STORE32_LE(out + 24,x6); + STORE32_LE(out + 28,x7); + STORE32_LE(out + 32,x8); + STORE32_LE(out + 36,x9); + STORE32_LE(out + 40,x10); + STORE32_LE(out + 44,x11); + STORE32_LE(out + 48,x12); + STORE32_LE(out + 52,x13); + STORE32_LE(out + 56,x14); + STORE32_LE(out + 60,x15); return 0; } diff --git a/release/src/router/libsodium/src/libsodium/crypto_core/salsa2012/ref/core_salsa2012.c b/release/src/router/libsodium/src/libsodium/crypto_core/salsa2012/ref/core_salsa2012.c index 2c3d540843..5658166268 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_core/salsa2012/ref/core_salsa2012.c +++ b/release/src/router/libsodium/src/libsodium/crypto_core/salsa2012/ref/core_salsa2012.c 
@@ -4,35 +4,20 @@ D. J. Bernstein Public domain. */ +#include +#include + #include "crypto_core_salsa2012.h" +#include "private/common.h" #define ROUNDS 12 +#define U32C(v) (v##U) -typedef unsigned int uint32; - -static uint32 rotate(uint32 u,int c) +static uint32_t rotate(uint32_t u,int c) { return (u << c) | (u >> (32 - c)); } -static uint32 load_littleendian(const unsigned char *x) -{ - return - (uint32) (x[0]) \ - | (((uint32) (x[1])) << 8) \ - | (((uint32) (x[2])) << 16) \ - | (((uint32) (x[3])) << 24) - ; -} - -static void store_littleendian(unsigned char *x,uint32 u) -{ - x[0] = u; u >>= 8; - x[1] = u; u >>= 8; - x[2] = u; u >>= 8; - x[3] = u; -} - int crypto_core_salsa2012( unsigned char *out, const unsigned char *in, 
@@ -40,26 +25,33 @@ int crypto_core_salsa2012( const unsigned char *c ) { - uint32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; - uint32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; + uint32_t j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15; int i; - j0 = x0 = load_littleendian(c + 0); - j1 = x1 = load_littleendian(k + 0); - j2 = x2 = load_littleendian(k + 4); - j3 = x3 = load_littleendian(k + 8); - j4 = x4 = load_littleendian(k + 12); - j5 = x5 = load_littleendian(c + 4); - j6 = x6 = load_littleendian(in + 0); - j7 = x7 = load_littleendian(in + 4); - j8 = x8 = load_littleendian(in + 8); - j9 = x9 = load_littleendian(in + 12); - j10 = x10 = load_littleendian(c + 8); - j11 = x11 = load_littleendian(k + 16); - j12 = x12 = load_littleendian(k + 20); - j13 = x13 = load_littleendian(k + 24); - j14 = x14 = load_littleendian(k + 28); - j15 = x15 = load_littleendian(c + 12); + if (c == NULL) { + j0 = x0 = U32C(0x61707865); + j5 = x5 = U32C(0x3320646e); + j10 = x10 = U32C(0x79622d32); + j15 = x15 = U32C(0x6b206574); + } else { + j0 = x0 = LOAD32_LE(c + 0); + j5 = x5 = LOAD32_LE(c + 4); + j10 = x10 = LOAD32_LE(c + 8); + j15 = x15 = LOAD32_LE(c + 12); + } + j1 = x1 = LOAD32_LE(k + 0); + j2 = x2 = LOAD32_LE(k + 4); + j3 = x3 = LOAD32_LE(k + 8); + j4 = x4 = LOAD32_LE(k + 12); + j6 = x6 = LOAD32_LE(in + 0); + j7 = x7 = LOAD32_LE(in + 4); + j8 = x8 = LOAD32_LE(in + 8); + j9 = x9 = LOAD32_LE(in + 12); + j11 = x11 = LOAD32_LE(k + 16); + j12 = x12 = LOAD32_LE(k + 20); + j13 = x13 = LOAD32_LE(k + 24); + j14 = x14 = LOAD32_LE(k + 28); for (i = ROUNDS;i > 0;i -= 2) { x4 ^= rotate( x0+x12, 7); 
@@ -113,22 +105,22 @@ int crypto_core_salsa2012( x14 += j14; x15 += j15; - store_littleendian(out + 0,x0); - store_littleendian(out + 4,x1); - store_littleendian(out + 8,x2); - store_littleendian(out + 12,x3); - store_littleendian(out + 16,x4); - store_littleendian(out + 20,x5); - store_littleendian(out + 24,x6); - store_littleendian(out + 28,x7); - store_littleendian(out + 32,x8); - store_littleendian(out + 36,x9); - store_littleendian(out + 40,x10); - store_littleendian(out + 44,x11); - store_littleendian(out + 48,x12); - store_littleendian(out + 52,x13); - store_littleendian(out + 56,x14); - store_littleendian(out + 60,x15); + STORE32_LE(out + 0,x0); + STORE32_LE(out + 4,x1); + STORE32_LE(out + 8,x2); + STORE32_LE(out + 12,x3); + STORE32_LE(out + 16,x4); + STORE32_LE(out + 20,x5); + STORE32_LE(out + 24,x6); + STORE32_LE(out + 28,x7); + STORE32_LE(out + 32,x8); + STORE32_LE(out + 36,x9); + STORE32_LE(out + 40,x10); + STORE32_LE(out + 44,x11); + STORE32_LE(out + 48,x12); + STORE32_LE(out + 52,x13); + STORE32_LE(out + 56,x14); + STORE32_LE(out + 60,x15); return 0; } diff --git a/release/src/router/libsodium/src/libsodium/crypto_core/salsa208/ref/core_salsa208.c b/release/src/router/libsodium/src/libsodium/crypto_core/salsa208/ref/core_salsa208.c index 5078bfb778..c350e84e74 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_core/salsa208/ref/core_salsa208.c +++ b/release/src/router/libsodium/src/libsodium/crypto_core/salsa208/ref/core_salsa208.c 
@@ -4,35 +4,20 @@ D. J. Bernstein Public domain. */ +#include +#include + #include "crypto_core_salsa208.h" +#include "private/common.h" #define ROUNDS 8 +#define U32C(v) (v##U) -typedef unsigned int uint32; - -static uint32 rotate(uint32 u,int c) +static uint32_t rotate(uint32_t u,int c) { return (u << c) | (u >> (32 - c)); } -static uint32 load_littleendian(const unsigned char *x) -{ - return - (uint32) (x[0]) \ - | (((uint32) (x[1])) << 8) \ - | (((uint32) (x[2])) << 16) \ - | (((uint32) (x[3])) << 24) - ; -} - -static void store_littleendian(unsigned char *x,uint32 u) -{ - x[0] = u; u >>= 8; - x[1] = u; u >>= 8; - x[2] = u; u >>= 8; - x[3] = u; -} - int crypto_core_salsa208( unsigned char *out, const unsigned char *in, 
@@ -40,26 +25,33 @@ int crypto_core_salsa208( const unsigned char *c ) { - uint32 x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; - uint32 j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15; + uint32_t x0, x1, x2, x3, x4, x5, x6, x7, x8, x9, x10, x11, x12, x13, x14, x15; + uint32_t j0, j1, j2, j3, j4, j5, j6, j7, j8, j9, j10, j11, j12, j13, j14, j15; int i; - j0 = x0 = load_littleendian(c + 0); - j1 = x1 = load_littleendian(k + 0); - j2 = x2 = load_littleendian(k + 4); - j3 = x3 = load_littleendian(k + 8); - j4 = x4 = load_littleendian(k + 12); - j5 = x5 = load_littleendian(c + 4); - j6 = x6 = load_littleendian(in + 0); - j7 = x7 = load_littleendian(in + 4); - j8 = x8 = load_littleendian(in + 8); - j9 = x9 = load_littleendian(in + 12); - j10 = x10 = load_littleendian(c + 8); - j11 = x11 = load_littleendian(k + 16); - j12 = x12 = load_littleendian(k + 20); - j13 = x13 = load_littleendian(k + 24); - j14 = x14 = load_littleendian(k + 28); - j15 = x15 = load_littleendian(c + 12); + if (c == NULL) { + j0 = x0 = U32C(0x61707865); + j5 = x5 = U32C(0x3320646e); + j10 = x10 = U32C(0x79622d32); + j15 = x15 = U32C(0x6b206574); + } else { + j0 = x0 = LOAD32_LE(c + 0); + j5 = x5 = LOAD32_LE(c + 4); + j10 = x10 = LOAD32_LE(c + 8); + j15 = x15 = LOAD32_LE(c + 12); + } + j1 = x1 = LOAD32_LE(k + 0); + j2 = x2 = LOAD32_LE(k + 4); + j3 = x3 = LOAD32_LE(k + 8); + j4 = x4 = LOAD32_LE(k + 12); + j6 = x6 = LOAD32_LE(in + 0); + j7 = x7 = LOAD32_LE(in + 4); + j8 = x8 = LOAD32_LE(in + 8); + j9 = x9 = LOAD32_LE(in + 12); + j11 = x11 = LOAD32_LE(k + 16); + j12 = x12 = LOAD32_LE(k + 20); + j13 = x13 = LOAD32_LE(k + 24); + j14 = x14 = LOAD32_LE(k + 28); for (i = ROUNDS;i > 0;i -= 2) { x4 ^= rotate( x0+x12, 7); 
@@ -113,22 +105,22 @@ int crypto_core_salsa208( x14 += j14; x15 += j15; - store_littleendian(out + 0,x0); - store_littleendian(out + 4,x1); - store_littleendian(out + 8,x2); - store_littleendian(out + 12,x3); - store_littleendian(out + 16,x4); - store_littleendian(out + 20,x5); - store_littleendian(out + 24,x6); - store_littleendian(out + 28,x7); - store_littleendian(out + 32,x8); - store_littleendian(out + 36,x9); - store_littleendian(out + 40,x10); - store_littleendian(out + 44,x11); - store_littleendian(out + 48,x12); - store_littleendian(out + 52,x13); - store_littleendian(out + 56,x14); - store_littleendian(out + 60,x15); + STORE32_LE(out + 0,x0); + STORE32_LE(out + 4,x1); + STORE32_LE(out + 8,x2); + STORE32_LE(out + 12,x3); + STORE32_LE(out + 16,x4); + STORE32_LE(out + 20,x5); + STORE32_LE(out + 24,x6); + STORE32_LE(out + 28,x7); + STORE32_LE(out + 32,x8); + STORE32_LE(out + 36,x9); + STORE32_LE(out + 40,x10); + STORE32_LE(out + 44,x11); + STORE32_LE(out + 48,x12); + STORE32_LE(out + 52,x13); + STORE32_LE(out + 56,x14); + STORE32_LE(out + 60,x15); return 0; } diff --git a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/generichash_blake2_api.c b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/generichash_blake2_api.c index b775921ed1..14f16e4237 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/generichash_blake2_api.c +++ b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/generichash_blake2_api.c @@ -39,3 +39,10 @@ size_t crypto_generichash_blake2b_personalbytes(void) { return crypto_generichash_blake2b_PERSONALBYTES; } + +size_t +crypto_generichash_blake2b_statebytes(void) +{ + return (sizeof(crypto_generichash_blake2b_state) + (size_t) 63U) + & ~(size_t) 63U; +} 
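Review bot: `crypto_generichash_blake2b_statebytes` rounds `sizeof(crypto_generichash_blake2b_state)` up to a multiple of 64 with `(... + 63U) & ~63U`, but the hunk gives no reason for the 64, so the next reader cannot tell whether it is an alignment requirement of the state type or arbitrary slack. A comment such as `/* rounded up to a multiple of 64 so a caller-allocated state keeps the 64-byte alignment the state type presumably carries -- confirm against crypto_generichash_blake2b.h */` would make the intent checkable; the state typedef itself is not in this diff.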
diff --git a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2-impl.h b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2-impl.h dissimilarity index 62% index b14728dfd9..9515f408de 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2-impl.h +++ b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2-impl.h 
@@ -1,137 +1,48 @@ -/* - BLAKE2 reference source code package - reference C implementations - - Written in 2012 by Samuel Neves - - To the extent possible under law, the author(s) have dedicated all copyright - and related and neighboring rights to this software to the public domain - worldwide. This software is distributed without any warranty. - - You should have received a copy of the CC0 Public Domain Dedication along with - this software. If not, see . -*/ - -#ifndef blake2_impl_H -#define blake2_impl_H - -#include -#include - -#include "utils.h" - -static inline uint32_t load32( const void *src ) -{ -#ifdef NATIVE_LITTLE_ENDIAN - uint32_t w; - memcpy(&w, src, sizeof w); - return w; -#else - const uint8_t *p = ( const uint8_t * )src; - uint32_t w = *p++; - w |= ( uint32_t )( *p++ ) << 8; - w |= ( uint32_t )( *p++ ) << 16; - w |= ( uint32_t )( *p++ ) << 24; - return w; -#endif -} - -static inline uint64_t load64( const void *src ) -{ -#ifdef NATIVE_LITTLE_ENDIAN - uint64_t w; - memcpy(&w, src, sizeof w); - return w; -#else - const uint8_t *p = ( const uint8_t * )src; - uint64_t w = *p++; - w |= ( uint64_t )( *p++ ) << 8; - w |= ( uint64_t )( *p++ ) << 16; - w |= ( uint64_t )( *p++ ) << 24; - w |= ( uint64_t )( *p++ ) << 32; - w |= ( uint64_t )( *p++ ) << 40; - w |= ( uint64_t )( *p++ ) << 48; - w |= ( uint64_t )( *p++ ) << 56; - return w; -#endif -} - -static inline void store32( void *dst, uint32_t w ) -{ -#ifdef NATIVE_LITTLE_ENDIAN - memcpy(dst, &w, sizeof w); -#else - uint8_t *p = ( uint8_t * )dst; - *p++ = ( uint8_t )w; w >>= 8; - *p++ = ( uint8_t )w; w >>= 8; - *p++ = ( uint8_t )w; w >>= 8; - *p++ = ( uint8_t )w; -#endif -} - -static inline void store64( void *dst, uint64_t w ) -{ -#ifdef NATIVE_LITTLE_ENDIAN - memcpy(dst, &w, sizeof w); -#else - uint8_t *p = ( uint8_t * )dst; - *p++ = ( uint8_t )w; w >>= 8; - *p++ = ( uint8_t )w; w >>= 8; - *p++ = ( uint8_t )w; w >>= 8; - *p++ = ( uint8_t )w; w >>= 8; - *p++ = ( uint8_t )w; w >>= 8; - *p++ = ( uint8_t 
)w; w >>= 8; - *p++ = ( uint8_t )w; w >>= 8; - *p++ = ( uint8_t )w; -#endif -} - -static inline uint64_t load48( const void *src ) -{ - const uint8_t *p = ( const uint8_t * )src; - uint64_t w = *p++; - w |= ( uint64_t )( *p++ ) << 8; - w |= ( uint64_t )( *p++ ) << 16; - w |= ( uint64_t )( *p++ ) << 24; - w |= ( uint64_t )( *p++ ) << 32; - w |= ( uint64_t )( *p++ ) << 40; - return w; -} - -static inline void store48( void *dst, uint64_t w ) -{ - uint8_t *p = ( uint8_t * )dst; - *p++ = ( uint8_t )w; w >>= 8; - *p++ = ( uint8_t )w; w >>= 8; - *p++ = ( uint8_t )w; w >>= 8; - *p++ = ( uint8_t )w; w >>= 8; - *p++ = ( uint8_t )w; w >>= 8; - *p++ = ( uint8_t )w; -} - -static inline uint32_t rotl32( const uint32_t w, const unsigned c ) -{ - return ( w << c ) | ( w >> ( 32 - c ) ); -} - -static inline uint64_t rotl64( const uint64_t w, const unsigned c ) -{ - return ( w << c ) | ( w >> ( 64 - c ) ); -} - -static inline uint32_t rotr32( const uint32_t w, const unsigned c ) -{ - return ( w >> c ) | ( w << ( 32 - c ) ); -} - -static inline uint64_t rotr64( const uint64_t w, const unsigned c ) -{ - return ( w >> c ) | ( w << ( 64 - c ) ); -} - -/* prevents compiler optimizing out memset() */ -static inline void secure_zero_memory( void *v, size_t n ) -{ - sodium_memzero(v, n); -} - -#endif +/* + BLAKE2 reference source code package - reference C implementations + + Written in 2012 by Samuel Neves + + To the extent possible under law, the author(s) have dedicated all copyright + and related and neighboring rights to this software to the public domain + worldwide. This software is distributed without any warranty. + + You should have received a copy of the CC0 Public Domain Dedication along with + this software. If not, see . 
+*/ + +#ifndef blake2_impl_H +#define blake2_impl_H + +#include +#include + +#include "utils.h" + +static inline uint32_t rotl32( const uint32_t w, const unsigned c ) +{ + return ( w << c ) | ( w >> ( 32 - c ) ); +} + +static inline uint64_t rotl64( const uint64_t w, const unsigned c ) +{ + return ( w << c ) | ( w >> ( 64 - c ) ); +} + +static inline uint32_t rotr32( const uint32_t w, const unsigned c ) +{ + return ( w >> c ) | ( w << ( 32 - c ) ); +} + +static inline uint64_t rotr64( const uint64_t w, const unsigned c ) +{ + return ( w >> c ) | ( w << ( 64 - c ) ); +} + +/* prevents compiler optimizing out memset() */ +static inline void secure_zero_memory( void *v, size_t n ) +{ + sodium_memzero(v, n); +} + +#endif diff --git a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2.h b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2.h dissimilarity index 76% index 3f53fd03af..3e98a3661e 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2.h +++ b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2.h 
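Review bot: The kept `rotr32`/`rotr64` (and `rotl32`/`rotl64`) shift by `32 - c` / `64 - c`, which is undefined for `c == 0` (shift by the operand width), and the header states no valid range; add `/* c must be in 1..31 (32-bit) / 1..63 (64-bit) */` above the group. Whether the rotl pair is still needed now that the load/store helpers were removed is not visible here; if BLAKE2b only uses rotr64, the other three are dead code. The comment `/* prevents compiler optimizing out memset() */` above `secure_zero_memory` no longer describes any memset in this file, since the body only forwards to `sodium_memzero`; `/* forwards to sodium_memzero(), which is not optimized away */` would be accurate.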
@@ -1,188 +1,97 @@ -/* - BLAKE2 reference source code package - reference C implementations - - Written in 2012 by Samuel Neves - - To the extent possible under law, the author(s) have dedicated all copyright - and related and neighboring rights to this software to the public domain - worldwide. This software is distributed without any warranty. - - You should have received a copy of the CC0 Public Domain Dedication along with - this software. If not, see . -*/ - -#ifndef blake2_H -#define blake2_H - -#include -#include - -#include "crypto_generichash_blake2b.h" -#include "export.h" - -#define blake2b_init_param crypto_generichash_blake2b__init_param -#define blake2b_init crypto_generichash_blake2b__init -#define blake2b_init_salt_personal crypto_generichash_blake2b__init_salt_personal -#define blake2b_init_key crypto_generichash_blake2b__init_key -#define blake2b_init_key_salt_personal crypto_generichash_blake2b__init_key_salt_personal -#define blake2b_update crypto_generichash_blake2b__update -#define blake2b_final crypto_generichash_blake2b__final -#define blake2b crypto_generichash_blake2b__blake2b -#define blake2b_salt_personal crypto_generichash_blake2b__blake2b_salt_personal -#define blake2b_pick_best_implementation crypto_generichash_blake2b__pick_best_implementation - -#if defined(__cplusplus) -extern "C" { -#endif - - enum blake2s_constant - { - BLAKE2S_BLOCKBYTES = 64, - BLAKE2S_OUTBYTES = 32, - BLAKE2S_KEYBYTES = 32, - BLAKE2S_SALTBYTES = 8, - BLAKE2S_PERSONALBYTES = 8 - }; - - enum blake2b_constant - { - BLAKE2B_BLOCKBYTES = 128, - BLAKE2B_OUTBYTES = 64, - BLAKE2B_KEYBYTES = 64, - BLAKE2B_SALTBYTES = 16, - BLAKE2B_PERSONALBYTES = 16 - }; - -#if defined(__IBMC__) || defined(__SUNPRO_C) || defined(__SUNPRO_CC) -# pragma pack(1) -#else -# pragma pack(push, 1) -#endif - - typedef struct blake2s_param_ - { - uint8_t digest_length; // 1 - uint8_t key_length; // 2 - uint8_t fanout; // 3 - uint8_t depth; // 4 - uint32_t leaf_length; // 8 - uint8_t 
node_offset[6];// 14 - uint8_t node_depth; // 15 - uint8_t inner_length; // 16 - // uint8_t reserved[0]; - uint8_t salt[BLAKE2S_SALTBYTES]; // 24 - uint8_t personal[BLAKE2S_PERSONALBYTES]; // 32 - } blake2s_param; - -CRYPTO_ALIGN( 64 ) typedef struct blake2s_state_ - { - uint32_t h[8]; - uint32_t t[2]; - uint32_t f[2]; - uint8_t buf[2 * BLAKE2S_BLOCKBYTES]; - size_t buflen; - uint8_t last_node; - } blake2s_state ; - - typedef struct blake2b_param_ - { - uint8_t digest_length; // 1 - uint8_t key_length; // 2 - uint8_t fanout; // 3 - uint8_t depth; // 4 - uint32_t leaf_length; // 8 - uint64_t node_offset; // 16 - uint8_t node_depth; // 17 - uint8_t inner_length; // 18 - uint8_t reserved[14]; // 32 - uint8_t salt[BLAKE2B_SALTBYTES]; // 48 - uint8_t personal[BLAKE2B_PERSONALBYTES]; // 64 - } blake2b_param; - -#ifndef DEFINE_BLAKE2B_STATE -typedef crypto_generichash_blake2b_state blake2b_state; -#else -CRYPTO_ALIGN( 64 ) typedef struct blake2b_state_ - { - uint64_t h[8]; - uint64_t t[2]; - uint64_t f[2]; - uint8_t buf[2 * BLAKE2B_BLOCKBYTES]; - size_t buflen; - uint8_t last_node; - } blake2b_state; -#endif - - typedef struct blake2sp_state_ - { - blake2s_state S[8][1]; - blake2s_state R[1]; - uint8_t buf[8 * BLAKE2S_BLOCKBYTES]; - size_t buflen; - } blake2sp_state; - - typedef struct blake2bp_state_ - { - blake2b_state S[4][1]; - blake2b_state R[1]; - uint8_t buf[4 * BLAKE2B_BLOCKBYTES]; - size_t buflen; - } blake2bp_state; - -#if defined(__IBMC__) || defined(__SUNPRO_C) || defined(__SUNPRO_CC) -# pragma pack() -#else -# pragma pack(pop) -#endif - - // Streaming API - int blake2s_init( blake2s_state *S, const uint8_t outlen ); - int blake2s_init_key( blake2s_state *S, const uint8_t outlen, const void *key, const uint8_t keylen ); - int blake2s_init_param( blake2s_state *S, const blake2s_param *P ); - int blake2s_update( blake2s_state *S, const uint8_t *in, uint64_t inlen ); - int blake2s_final( blake2s_state *S, uint8_t *out, uint8_t outlen ); - - int blake2b_init( 
blake2b_state *S, const uint8_t outlen ); - int blake2b_init_salt_personal( blake2b_state *S, const uint8_t outlen, - const void *personal, const void *salt ); - int blake2b_init_key( blake2b_state *S, const uint8_t outlen, const void *key, const uint8_t keylen ); - int blake2b_init_key_salt_personal( blake2b_state *S, const uint8_t outlen, const void *key, const uint8_t keylen, - const void *salt, const void *personal ); - int blake2b_init_param( blake2b_state *S, const blake2b_param *P ); - int blake2b_update( blake2b_state *S, const uint8_t *in, uint64_t inlen ); - int blake2b_final( blake2b_state *S, uint8_t *out, uint8_t outlen ); - - int blake2sp_init( blake2sp_state *S, const uint8_t outlen ); - int blake2sp_init_key( blake2sp_state *S, const uint8_t outlen, const void *key, const uint8_t keylen ); - int blake2sp_update( blake2sp_state *S, const uint8_t *in, uint64_t inlen ); - int blake2sp_final( blake2sp_state *S, uint8_t *out, uint8_t outlen ); - - int blake2bp_init( blake2bp_state *S, const uint8_t outlen ); - int blake2bp_init_key( blake2bp_state *S, const uint8_t outlen, const void *key, const uint8_t keylen ); - int blake2bp_update( blake2bp_state *S, const uint8_t *in, uint64_t inlen ); - int blake2bp_final( blake2bp_state *S, uint8_t *out, uint8_t outlen ); - - // Simple API - int blake2s( uint8_t *out, const void *in, const void *key, const uint8_t outlen, const uint64_t inlen, uint8_t keylen ); - int blake2b( uint8_t *out, const void *in, const void *key, const uint8_t outlen, const uint64_t inlen, uint8_t keylen ); - int blake2b_salt_personal( uint8_t *out, const void *in, const void *key, const uint8_t outlen, const uint64_t inlen, uint8_t keylen, const void *salt, const void *personal ); - - int blake2sp( uint8_t *out, const void *in, const void *key, const uint8_t outlen, const uint64_t inlen, uint8_t keylen ); - int blake2bp( uint8_t *out, const void *in, const void *key, const uint8_t outlen, const uint64_t inlen, uint8_t keylen ); - - 
static inline int blake2( uint8_t *out, const void *in, const void *key, const uint8_t outlen, const uint64_t inlen, uint8_t keylen ) - { - return blake2b( out, in, key, outlen, inlen, keylen ); - } - - typedef int ( *blake2b_compress_fn )( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] ); - int blake2b_pick_best_implementation(void); - int blake2b_compress_ref( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] ); - int blake2b_compress_ssse3( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] ); - int blake2b_compress_sse41( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] ); - -#if defined(__cplusplus) -} -#endif - -#endif +/* + BLAKE2 reference source code package - reference C implementations + + Written in 2012 by Samuel Neves + + To the extent possible under law, the author(s) have dedicated all copyright + and related and neighboring rights to this software to the public domain + worldwide. This software is distributed without any warranty. + + All code is triple-licensed under the + [CC0](http://creativecommons.org/publicdomain/zero/1.0), the + [OpenSSL Licence](https://www.openssl.org/source/license.html), or + the [Apache Public License 2.0](http://www.apache.org/licenses/LICENSE-2.0), + at your choosing. 
+ */ + +#ifndef blake2_H +#define blake2_H + +#include +#include + +#include "crypto_generichash_blake2b.h" +#include "export.h" + +#define blake2b_init_param crypto_generichash_blake2b__init_param +#define blake2b_init crypto_generichash_blake2b__init +#define blake2b_init_salt_personal crypto_generichash_blake2b__init_salt_personal +#define blake2b_init_key crypto_generichash_blake2b__init_key +#define blake2b_init_key_salt_personal crypto_generichash_blake2b__init_key_salt_personal +#define blake2b_update crypto_generichash_blake2b__update +#define blake2b_final crypto_generichash_blake2b__final +#define blake2b crypto_generichash_blake2b__blake2b +#define blake2b_salt_personal crypto_generichash_blake2b__blake2b_salt_personal +#define blake2b_pick_best_implementation crypto_generichash_blake2b__pick_best_implementation + +enum blake2b_constant +{ + BLAKE2B_BLOCKBYTES = 128, + BLAKE2B_OUTBYTES = 64, + BLAKE2B_KEYBYTES = 64, + BLAKE2B_SALTBYTES = 16, + BLAKE2B_PERSONALBYTES = 16 +}; + +#if defined(__IBMC__) || defined(__SUNPRO_C) || defined(__SUNPRO_CC) +# pragma pack(1) +#else +# pragma pack(push, 1) +#endif + +typedef struct blake2b_param_ +{ + uint8_t digest_length; /* 1 */ + uint8_t key_length; /* 2 */ + uint8_t fanout; /* 3 */ + uint8_t depth; /* 4 */ + uint8_t leaf_length[4]; /* 8 */ + uint8_t node_offset[8]; /* 16 */ + uint8_t node_depth; /* 17 */ + uint8_t inner_length; /* 18 */ + uint8_t reserved[14]; /* 32 */ + uint8_t salt[BLAKE2B_SALTBYTES]; /* 48 */ + uint8_t personal[BLAKE2B_PERSONALBYTES]; /* 64 */ +} blake2b_param; + +typedef crypto_generichash_blake2b_state blake2b_state; + +#if defined(__IBMC__) || defined(__SUNPRO_C) || defined(__SUNPRO_CC) +# pragma pack() +#else +# pragma pack(pop) +#endif + +/* Streaming API */ +int blake2b_init( blake2b_state *S, const uint8_t outlen ); +int blake2b_init_salt_personal( blake2b_state *S, const uint8_t outlen, + const void *personal, const void *salt ); +int blake2b_init_key( blake2b_state *S, const uint8_t 
outlen, const void *key, const uint8_t keylen ); +int blake2b_init_key_salt_personal( blake2b_state *S, const uint8_t outlen, const void *key, const uint8_t keylen, + const void *salt, const void *personal ); +int blake2b_init_param( blake2b_state *S, const blake2b_param *P ); +int blake2b_update( blake2b_state *S, const uint8_t *in, uint64_t inlen ); +int blake2b_final( blake2b_state *S, uint8_t *out, uint8_t outlen ); + +/* Simple API */ +int blake2b( uint8_t *out, const void *in, const void *key, const uint8_t outlen, const uint64_t inlen, uint8_t keylen ); +int blake2b_salt_personal( uint8_t *out, const void *in, const void *key, const uint8_t outlen, const uint64_t inlen, uint8_t keylen, const void *salt, const void *personal ); + +typedef int ( *blake2b_compress_fn )( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] ); +int blake2b_pick_best_implementation(void); +int blake2b_compress_ref( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] ); +int blake2b_compress_ssse3( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] ); +int blake2b_compress_sse41( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] ); +int blake2b_compress_avx2( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] ); + +#endif diff --git a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-avx2.c b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-avx2.c new file mode 100644 index 0000000000..e489e866a4 --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-avx2.c 
@@ -0,0 +1,45 @@ + +#define BLAKE2_USE_SSSE3 +#define BLAKE2_USE_SSE41 +#define BLAKE2_USE_AVX2 + +#include +#include + +#if (defined(HAVE_AVX2INTRIN_H) && defined(HAVE_EMMINTRIN_H) && defined(HAVE_TMMINTRIN_H) && defined(HAVE_SMMINTRIN_H)) || \ + (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64))) + +#pragma GCC target("sse2") +#pragma GCC target("ssse3") +#pragma GCC target("sse4.1") +#pragma GCC target("avx2") + +#include +#include +#include +#include + +#include "blake2.h" +#include "blake2-impl.h" +#include "blake2b-compress-avx2.h" + +CRYPTO_ALIGN(64) static const uint64_t blake2b_IV[8] = +{ + 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, + 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, + 0x510e527fade682d1ULL, 0x9b05688c2b3e6c1fULL, + 0x1f83d9abfb41bd6bULL, 0x5be0cd19137e2179ULL +}; + +int blake2b_compress_avx2( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYTES] ) +{ + __m256i a = LOADU(&S->h[0]); + __m256i b = LOADU(&S->h[4]); + BLAKE2B_COMPRESS_V1(a, b, block, S->t[0], S->t[1], S->f[0], S->f[1]); + STOREU(&S->h[0], a); + STOREU(&S->h[4], b); + + return 0; +} + +#endif diff --git a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-avx2.h b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-avx2.h new file mode 100644 index 0000000000..af24871f19 --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-avx2.h 
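Review bot: The `#if` gate around this translation unit requires `HAVE_EMMINTRIN_H` together with `HAVE_AVX2INTRIN_H`, `HAVE_TMMINTRIN_H` and `HAVE_SMMINTRIN_H`, but the AVX2 branch added to `blake2b_pick_best_implementation` in blake2b-ref.c omits `HAVE_EMMINTRIN_H`, so a configuration defining the other three without it would reference `blake2b_compress_avx2` from a file that compiles to nothing; the two conditions should be identical, e.g. copy this file's condition into the selector. The three `#define BLAKE2_USE_*` at the top have no consumer visible in this change — the `#ifndef BLAKE2_USE_SSSE3`/`#error` check that read them is removed from the renamed round headers, and blake2b-compress-ssse3.c drops its own define in the same commit — so they look like leftovers worth deleting or commenting. The file also has no header comment; `/* BLAKE2b compression function using AVX2 intrinsics; selected at runtime by blake2b_pick_best_implementation() when sodium_runtime_has_avx2() is true. */` would orient a reader.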
@@ -0,0 +1,123 @@ + +#ifndef blake2b_compress_avx2_H +#define blake2b_compress_avx2_H + +#define LOAD128(p) _mm_load_si128((__m128i *)(p)) +#define STORE128(p, r) _mm_store_si128((__m128i *)(p), r) + +#define LOADU128(p) _mm_loadu_si128((__m128i *)(p)) +#define STOREU128(p, r) _mm_storeu_si128((__m128i *)(p), r) + +#define LOAD(p) _mm256_load_si256((__m256i *)(p)) +#define STORE(p, r) _mm256_store_si256((__m256i *)(p), r) + +#define LOADU(p) _mm256_loadu_si256((__m256i *)(p)) +#define STOREU(p, r) _mm256_storeu_si256((__m256i *)(p), r) + +static inline uint64_t LOADU64(const void *p) { + uint64_t v; + memcpy(&v, p, sizeof v); + return v; +} + +#define ROTATE16 _mm256_setr_epi8(2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9, \ + 2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9) + +#define ROTATE24 _mm256_setr_epi8(3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10, \ + 3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10) + +#define ADD(a, b) _mm256_add_epi64(a, b) +#define SUB(a, b) _mm256_sub_epi64(a, b) + +#define XOR(a, b) _mm256_xor_si256(a, b) +#define AND(a, b) _mm256_and_si256(a, b) +#define OR(a, b) _mm256_or_si256(a, b) + +#define ROT32(x) _mm256_shuffle_epi32((x), _MM_SHUFFLE(2, 3, 0, 1)) +#define ROT24(x) _mm256_shuffle_epi8((x), ROTATE24) +#define ROT16(x) _mm256_shuffle_epi8((x), ROTATE16) +#define ROT63(x) _mm256_or_si256(_mm256_srli_epi64((x), 63), ADD((x), (x))) + +#define BLAKE2B_G1_V1(a, b, c, d, m) do { \ + a = ADD(a, m); \ + a = ADD(a, b); d = XOR(d, a); d = ROT32(d); \ + c = ADD(c, d); b = XOR(b, c); b = ROT24(b); \ +} while(0) + +#define BLAKE2B_G2_V1(a, b, c, d, m) do { \ + a = ADD(a, m); \ + a = ADD(a, b); d = XOR(d, a); d = ROT16(d); \ + c = ADD(c, d); b = XOR(b, c); b = ROT63(b); \ +} while(0) + +#define BLAKE2B_DIAG_V1(a, b, c, d) do { \ + d = _mm256_permute4x64_epi64(d, _MM_SHUFFLE(2,1,0,3)); \ + c = _mm256_permute4x64_epi64(c, _MM_SHUFFLE(1,0,3,2)); \ + b = _mm256_permute4x64_epi64(b, _MM_SHUFFLE(0,3,2,1)); \ +} while(0) + 
+#define BLAKE2B_UNDIAG_V1(a, b, c, d) do { \ + d = _mm256_permute4x64_epi64(d, _MM_SHUFFLE(0,3,2,1)); \ + c = _mm256_permute4x64_epi64(c, _MM_SHUFFLE(1,0,3,2)); \ + b = _mm256_permute4x64_epi64(b, _MM_SHUFFLE(2,1,0,3)); \ +} while(0) + +#include "blake2b-load-avx2.h" + +#define BLAKE2B_ROUND_V1(a, b, c, d, r, m) do { \ + __m256i b0; \ + BLAKE2B_LOAD_MSG_ ##r ##_1(b0); \ + BLAKE2B_G1_V1(a, b, c, d, b0); \ + BLAKE2B_LOAD_MSG_ ##r ##_2(b0); \ + BLAKE2B_G2_V1(a, b, c, d, b0); \ + BLAKE2B_DIAG_V1(a, b, c, d); \ + BLAKE2B_LOAD_MSG_ ##r ##_3(b0); \ + BLAKE2B_G1_V1(a, b, c, d, b0); \ + BLAKE2B_LOAD_MSG_ ##r ##_4(b0); \ + BLAKE2B_G2_V1(a, b, c, d, b0); \ + BLAKE2B_UNDIAG_V1(a, b, c, d); \ +} while(0) + +#define BLAKE2B_ROUNDS_V1(a, b, c, d, m) do { \ + BLAKE2B_ROUND_V1(a, b, c, d, 0, (m)); \ + BLAKE2B_ROUND_V1(a, b, c, d, 1, (m)); \ + BLAKE2B_ROUND_V1(a, b, c, d, 2, (m)); \ + BLAKE2B_ROUND_V1(a, b, c, d, 3, (m)); \ + BLAKE2B_ROUND_V1(a, b, c, d, 4, (m)); \ + BLAKE2B_ROUND_V1(a, b, c, d, 5, (m)); \ + BLAKE2B_ROUND_V1(a, b, c, d, 6, (m)); \ + BLAKE2B_ROUND_V1(a, b, c, d, 7, (m)); \ + BLAKE2B_ROUND_V1(a, b, c, d, 8, (m)); \ + BLAKE2B_ROUND_V1(a, b, c, d, 9, (m)); \ + BLAKE2B_ROUND_V1(a, b, c, d, 10, (m)); \ + BLAKE2B_ROUND_V1(a, b, c, d, 11, (m)); \ +} while(0) + +#define DECLARE_MESSAGE_WORDS(m) \ + const __m256i m0 = _mm256_broadcastsi128_si256(LOADU128((m) + 0)); \ + const __m256i m1 = _mm256_broadcastsi128_si256(LOADU128((m) + 16)); \ + const __m256i m2 = _mm256_broadcastsi128_si256(LOADU128((m) + 32)); \ + const __m256i m3 = _mm256_broadcastsi128_si256(LOADU128((m) + 48)); \ + const __m256i m4 = _mm256_broadcastsi128_si256(LOADU128((m) + 64)); \ + const __m256i m5 = _mm256_broadcastsi128_si256(LOADU128((m) + 80)); \ + const __m256i m6 = _mm256_broadcastsi128_si256(LOADU128((m) + 96)); \ + const __m256i m7 = _mm256_broadcastsi128_si256(LOADU128((m) + 112)); \ + __m256i t0, t1; + +#define BLAKE2B_COMPRESS_V1(a, b, m, t0, t1, f0, f1) do { \ + DECLARE_MESSAGE_WORDS(m) \ + 
const __m256i iv0 = a; \ + const __m256i iv1 = b; \ + __m256i c = LOAD(&blake2b_IV[0]); \ + __m256i d = XOR( \ + LOAD(&blake2b_IV[4]), \ + _mm256_set_epi64x(f1, f0, t1, t0) \ + ); \ + BLAKE2B_ROUNDS_V1(a, b, c, d, m); \ + a = XOR(a, c); \ + b = XOR(b, d); \ + a = XOR(a, iv0); \ + b = XOR(b, iv1); \ +} while(0) + +#endif diff --git a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-ref.c b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-ref.c index c177ed1792..8af04dd835 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-ref.c +++ b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-ref.c @@ -4,8 +4,9 @@ #include "blake2.h" #include "blake2-impl.h" +#include "private/common.h" -static const uint64_t blake2b_IV[8] = +CRYPTO_ALIGN(64) static const uint64_t blake2b_IV[8] = { 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, @@ -36,7 +37,7 @@ int blake2b_compress_ref( blake2b_state *S, const uint8_t block[BLAKE2B_BLOCKBYT int i; for( i = 0; i < 16; ++i ) - m[i] = load64( block + i * sizeof( m[i] ) ); + m[i] = LOAD64_LE( block + i * sizeof( m[i] ) ); for( i = 0; i < 8; ++i ) v[i] = S->h[i]; diff --git a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-sse41.c b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-sse41.c index 48424e6b2b..ea064c269c 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-sse41.c +++ b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-sse41.c 
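Review bot: `LOAD128`, `LOADU128`, `LOAD` and `LOADU` cast their argument to a non-const `__m128i *`/`__m256i *`, which discards the `const` of the `const uint8_t block[]` fed through `DECLARE_MESSAGE_WORDS(m)` and will trip `-Wcast-qual`; the sibling blake2b-compress-sse41.h in this same commit spells it `(const __m128i *)(const void *)(p)`, and these macros should match, e.g. `#define LOADU128(p) _mm_loadu_si128((const __m128i *)(const void *)(p))`. The parameters `t0, t1` of `BLAKE2B_COMPRESS_V1` carry the same names as the `__m256i t0, t1` temporaries declared by `DECLARE_MESSAGE_WORDS`; this only works because parameter substitution does not reach the nested expansions that use the temporaries, which is easy to break on a later edit, so renaming them — `#define BLAKE2B_COMPRESS_V1(a, b, m, ctr0, ctr1, f0, f1)` with `_mm256_set_epi64x(f1, f0, ctr1, ctr0)` — removes the trap. `BLAKE2B_COMPRESS_V1` also reads `blake2b_IV` through the aligned `LOAD`, yet the header neither declares nor documents it; a comment stating that the including file must define a suitably aligned `blake2b_IV[8]` would make that contract visible.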
@@ -18,9 +18,9 @@ #include "blake2.h" #include "blake2-impl.h" -#include "blake2b-round.h" +#include "blake2b-compress-sse41.h" -static const uint64_t blake2b_IV[8] = +CRYPTO_ALIGN(64) static const uint64_t blake2b_IV[8] = { 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, diff --git a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-round.h b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-sse41.h similarity index 77% copy from release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-round.h copy to release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-sse41.h index 0c322b1818..8e854661fd 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-round.h +++ b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-sse41.h 
@@ -1,31 +1,10 @@ -/* - BLAKE2 reference source code package - optimized C implementations - Written in 2012 by Samuel Neves - - To the extent possible under law, the author(s) have dedicated all copyright - and related and neighboring rights to this software to the public domain - worldwide. This software is distributed without any warranty. - - You should have received a copy of the CC0 Public Domain Dedication along with - this software. If not, see . -*/ - -#ifndef blake2b_round_H -#define blake2b_round_H - -#ifndef BLAKE2_USE_SSSE3 -# error BLAKE2_USE_SSSE3 must be defined in order to use this file -#endif +#ifndef blake2b_compress_sse41_H +#define blake2b_compress_sse41_H #define LOADU(p) _mm_loadu_si128( (const __m128i *)(const void *)(p) ) #define STOREU(p,r) _mm_storeu_si128((__m128i *)(void *)(p), r) -#define TOF(reg) _mm_castsi128_ps((reg)) -#define TOI(reg) _mm_castps_si128((reg)) - - -/* Microarchitecture-specific macros */ #define _mm_roti_epi64(x, c) \ (-(c) == 32) ? _mm_shuffle_epi32((x), _MM_SHUFFLE(2,3,0,1)) \ : (-(c) == 24) ? _mm_shuffle_epi8((x), r24) \ @@ -33,7 +12,6 @@ : (-(c) == 63) ? _mm_xor_si128(_mm_srli_epi64((x), -(c)), _mm_add_epi64((x), (x))) \ : _mm_xor_si128(_mm_srli_epi64((x), -(c)), _mm_slli_epi64((x), 64-(-(c)))) - #define G1(row1l,row2l,row3l,row4l,row1h,row2h,row3h,row4h,b0,b1) \ row1l = _mm_add_epi64(_mm_add_epi64(row1l, b0), row2l); \ row1h = _mm_add_epi64(_mm_add_epi64(row1h, b1), row2h); \ @@ -102,11 +80,7 @@ row4l = t1; \ row4h = t0; -#if defined(BLAKE2_USE_SSE41) #include "blake2b-load-sse41.h" -#else -#include "blake2b-load-sse2.h" -#endif #define ROUND(r) \ LOAD_MSG_ ##r ##_1(b0, b1); \ diff --git a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-ssse3.c b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-ssse3.c index 775cac11fe..882351e22a 100644 
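Review bot: Dropping the `#ifndef BLAKE2_USE_SSSE3` / `#error` guard leaves this header with no check of its own that SSSE3 intrinsics are available, although `_mm_roti_epi64` still expands to `_mm_shuffle_epi8`; inclusion is now protected only by the `#if` in the including .c file, which should be stated at the top, e.g. `/* Requires SSSE3/SSE4.1 intrinsics; include only from a translation unit gated on HAVE_TMMINTRIN_H/HAVE_SMMINTRIN_H. */`. The removed block also carried the only attribution for this code ("Written in 2012 by Samuel Neves", CC0) and nothing replaces it, whereas the rewritten blake2.h in this same commit keeps its licence block; a one-line attribution comment above the include guard keeps provenance clear for a copied file. The same two points apply to blake2b-compress-ssse3.h, the renamed copy of the same header.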
--- a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-ssse3.c +++ b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-ssse3.c @@ -1,6 +1,4 @@ -#define BLAKE2_USE_SSSE3 - #include #include @@ -18,9 +16,9 @@ #include "blake2.h" #include "blake2-impl.h" -#include "blake2b-round.h" +#include "blake2b-compress-ssse3.h" -static const uint64_t blake2b_IV[8] = +CRYPTO_ALIGN(64) static const uint64_t blake2b_IV[8] = { 0x6a09e667f3bcc908ULL, 0xbb67ae8584caa73bULL, 0x3c6ef372fe94f82bULL, 0xa54ff53a5f1d36f1ULL, diff --git a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-round.h b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-ssse3.h similarity index 77% rename from release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-round.h rename to release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-ssse3.h index 0c322b1818..dcfe84e989 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-round.h +++ b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-ssse3.h 
@@ -1,31 +1,10 @@ -/* - BLAKE2 reference source code package - optimized C implementations - Written in 2012 by Samuel Neves - - To the extent possible under law, the author(s) have dedicated all copyright - and related and neighboring rights to this software to the public domain - worldwide. This software is distributed without any warranty. - - You should have received a copy of the CC0 Public Domain Dedication along with - this software. If not, see . -*/ - -#ifndef blake2b_round_H -#define blake2b_round_H - -#ifndef BLAKE2_USE_SSSE3 -# error BLAKE2_USE_SSSE3 must be defined in order to use this file -#endif +#ifndef blake2b_compress_ssse3_H +#define blake2b_compress_ssse3_H #define LOADU(p) _mm_loadu_si128( (const __m128i *)(const void *)(p) ) #define STOREU(p,r) _mm_storeu_si128((__m128i *)(void *)(p), r) -#define TOF(reg) _mm_castsi128_ps((reg)) -#define TOI(reg) _mm_castps_si128((reg)) - - -/* Microarchitecture-specific macros */ #define _mm_roti_epi64(x, c) \ (-(c) == 32) ? _mm_shuffle_epi32((x), _MM_SHUFFLE(2,3,0,1)) \ : (-(c) == 24) ? _mm_shuffle_epi8((x), r24) \ @@ -33,7 +12,6 @@ : (-(c) == 63) ? _mm_xor_si128(_mm_srli_epi64((x), -(c)), _mm_add_epi64((x), (x))) \ : _mm_xor_si128(_mm_srli_epi64((x), -(c)), _mm_slli_epi64((x), 64-(-(c)))) - #define G1(row1l,row2l,row3l,row4l,row1h,row2h,row3h,row4h,b0,b1) \ row1l = _mm_add_epi64(_mm_add_epi64(row1l, b0), row2l); \ row1h = _mm_add_epi64(_mm_add_epi64(row1h, b1), row2h); \ @@ -102,11 +80,7 @@ row4l = t1; \ row4h = t0; -#if defined(BLAKE2_USE_SSE41) -#include "blake2b-load-sse41.h" -#else #include "blake2b-load-sse2.h" -#endif #define ROUND(r) \ LOAD_MSG_ ##r ##_1(b0, b1); \ diff --git a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-load-avx2.h b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-load-avx2.h new file mode 100644 index 0000000000..6be370477a --- /dev/null 
+++ b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-load-avx2.h 
@@ -0,0 +1,339 @@ +#ifndef blake2b_load_avx2_H +#define blake2b_load_avx2_H + +#define BLAKE2B_LOAD_MSG_0_1(b0) do { \ + t0 = _mm256_unpacklo_epi64(m0, m1); \ + t1 = _mm256_unpacklo_epi64(m2, m3); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_0_2(b0) \ +do { \ + t0 = _mm256_unpackhi_epi64(m0, m1); \ + t1 = _mm256_unpackhi_epi64(m2, m3); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_0_3(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m4, m5); \ + t1 = _mm256_unpacklo_epi64(m6, m7); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_0_4(b0) \ +do { \ + t0 = _mm256_unpackhi_epi64(m4, m5); \ + t1 = _mm256_unpackhi_epi64(m6, m7); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_1_1(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m7, m2); \ + t1 = _mm256_unpackhi_epi64(m4, m6); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_1_2(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m5, m4); \ + t1 = _mm256_alignr_epi8(m3, m7, 8); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_1_3(b0) \ +do { \ + t0 = _mm256_shuffle_epi32(m0, _MM_SHUFFLE(1,0,3,2)); \ + t1 = _mm256_unpackhi_epi64(m5, m2); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_1_4(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m6, m1); \ + t1 = _mm256_unpackhi_epi64(m3, m1); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_2_1(b0) \ +do { \ + t0 = _mm256_alignr_epi8(m6, m5, 8); \ + t1 = _mm256_unpackhi_epi64(m2, m7); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_2_2(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m4, m0); \ + t1 = _mm256_blend_epi32(m6, m1, 0x33); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_2_3(b0) \ +do { \ + t0 = _mm256_blend_epi32(m1, m5, 0x33); \ + t1 = 
_mm256_unpackhi_epi64(m3, m4); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_2_4(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m7, m3); \ + t1 = _mm256_alignr_epi8(m2, m0, 8); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_3_1(b0) \ +do { \ + t0 = _mm256_unpackhi_epi64(m3, m1); \ + t1 = _mm256_unpackhi_epi64(m6, m5); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_3_2(b0) \ +do { \ + t0 = _mm256_unpackhi_epi64(m4, m0); \ + t1 = _mm256_unpacklo_epi64(m6, m7); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_3_3(b0) \ +do { \ + t0 = _mm256_blend_epi32(m2, m1, 0x33); \ + t1 = _mm256_blend_epi32(m7, m2, 0x33); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_3_4(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m3, m5); \ + t1 = _mm256_unpacklo_epi64(m0, m4); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_4_1(b0) \ +do { \ + t0 = _mm256_unpackhi_epi64(m4, m2); \ + t1 = _mm256_unpacklo_epi64(m1, m5); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_4_2(b0) \ +do { \ + t0 = _mm256_blend_epi32(m3, m0, 0x33); \ + t1 = _mm256_blend_epi32(m7, m2, 0x33); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_4_3(b0) \ +do { \ + t0 = _mm256_blend_epi32(m5, m7, 0x33); \ + t1 = _mm256_blend_epi32(m1, m3, 0x33); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_4_4(b0) \ +do { \ + t0 = _mm256_alignr_epi8(m6, m0, 8); \ + t1 = _mm256_blend_epi32(m6, m4, 0x33); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_5_1(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m1, m3); \ + t1 = _mm256_unpacklo_epi64(m0, m4); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_5_2(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m6, 
m5); \ + t1 = _mm256_unpackhi_epi64(m5, m1); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_5_3(b0) \ +do { \ + t0 = _mm256_blend_epi32(m3, m2, 0x33); \ + t1 = _mm256_unpackhi_epi64(m7, m0); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_5_4(b0) \ +do { \ + t0 = _mm256_unpackhi_epi64(m6, m2); \ + t1 = _mm256_blend_epi32(m4, m7, 0x33); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_6_1(b0) \ +do { \ + t0 = _mm256_blend_epi32(m0, m6, 0x33); \ + t1 = _mm256_unpacklo_epi64(m7, m2); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_6_2(b0) \ +do { \ + t0 = _mm256_unpackhi_epi64(m2, m7); \ + t1 = _mm256_alignr_epi8(m5, m6, 8); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_6_3(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m0, m3); \ + t1 = _mm256_shuffle_epi32(m4, _MM_SHUFFLE(1,0,3,2)); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_6_4(b0) \ +do { \ + t0 = _mm256_unpackhi_epi64(m3, m1); \ + t1 = _mm256_blend_epi32(m5, m1, 0x33); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_7_1(b0) \ +do { \ + t0 = _mm256_unpackhi_epi64(m6, m3); \ + t1 = _mm256_blend_epi32(m1, m6, 0x33); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_7_2(b0) \ +do { \ + t0 = _mm256_alignr_epi8(m7, m5, 8); \ + t1 = _mm256_unpackhi_epi64(m0, m4); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_7_3(b0) \ +do { \ + t0 = _mm256_unpackhi_epi64(m2, m7); \ + t1 = _mm256_unpacklo_epi64(m4, m1); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_7_4(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m0, m2); \ + t1 = _mm256_unpacklo_epi64(m3, m5); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_8_1(b0) \ +do { \ + t0 = 
_mm256_unpacklo_epi64(m3, m7); \ + t1 = _mm256_alignr_epi8(m0, m5, 8); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_8_2(b0) \ +do { \ + t0 = _mm256_unpackhi_epi64(m7, m4); \ + t1 = _mm256_alignr_epi8(m4, m1, 8); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_8_3(b0) \ +do { \ + t0 = m6; \ + t1 = _mm256_alignr_epi8(m5, m0, 8); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_8_4(b0) \ +do { \ + t0 = _mm256_blend_epi32(m3, m1, 0x33); \ + t1 = m2; \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_9_1(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m5, m4); \ + t1 = _mm256_unpackhi_epi64(m3, m0); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_9_2(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m1, m2); \ + t1 = _mm256_blend_epi32(m2, m3, 0x33); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_9_3(b0) \ +do { \ + t0 = _mm256_unpackhi_epi64(m7, m4); \ + t1 = _mm256_unpackhi_epi64(m1, m6); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_9_4(b0) \ +do { \ + t0 = _mm256_alignr_epi8(m7, m5, 8); \ + t1 = _mm256_unpacklo_epi64(m6, m0); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_10_1(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m0, m1); \ + t1 = _mm256_unpacklo_epi64(m2, m3); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_10_2(b0) \ +do { \ + t0 = _mm256_unpackhi_epi64(m0, m1); \ + t1 = _mm256_unpackhi_epi64(m2, m3); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_10_3(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m4, m5); \ + t1 = _mm256_unpacklo_epi64(m6, m7); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_10_4(b0) \ +do { \ + t0 = _mm256_unpackhi_epi64(m4, m5); \ + t1 = 
_mm256_unpackhi_epi64(m6, m7); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_11_1(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m7, m2); \ + t1 = _mm256_unpackhi_epi64(m4, m6); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_11_2(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m5, m4); \ + t1 = _mm256_alignr_epi8(m3, m7, 8); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_11_3(b0) \ +do { \ + t0 = _mm256_shuffle_epi32(m0, _MM_SHUFFLE(1,0,3,2)); \ + t1 = _mm256_unpackhi_epi64(m5, m2); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#define BLAKE2B_LOAD_MSG_11_4(b0) \ +do { \ + t0 = _mm256_unpacklo_epi64(m6, m1); \ + t1 = _mm256_unpackhi_epi64(m3, m1); \ + b0 = _mm256_blend_epi32(t0, t1, 0xF0); \ +} while(0) + +#endif diff --git a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-load-sse2.h b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-load-sse2.h index fb05a1914b..4c6593a070 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-load-sse2.h +++ b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-load-sse2.h @@ -63,6 +63,4 @@ #define LOAD_MSG_11_3(b0, b1) b0 = _mm_set_epi64x(m0, m1); b1 = _mm_set_epi64x(m5, m11) #define LOAD_MSG_11_4(b0, b1) b0 = _mm_set_epi64x(m2, m12); b1 = _mm_set_epi64x(m3, m7) - #endif - diff --git a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-load-sse41.h b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-load-sse41.h index 38ca244b27..7c7f89f807 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-load-sse41.h +++ b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-load-sse41.h 
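Review bot: Every `BLAKE2B_LOAD_MSG_r_k(b0)` macro in this header reads `m0`..`m7` and writes `t0`, `t1` without taking them as parameters, so the header only compiles inside a scope prepared by `DECLARE_MESSAGE_WORDS` in blake2b-compress-avx2.h, and nothing here says so; a header comment such as `/* Message-word loads for the 12 BLAKE2b rounds. Expects __m256i m0..m7 (broadcast 128-bit message halves) and scratch t0, t1 in scope, as declared by DECLARE_MESSAGE_WORDS(). */` would make the contract explicit. `BLAKE2B_LOAD_MSG_0_1` puts `do { \` on the `#define` line while every other macro puts it on a line of its own; aligning the first one with the rest is a small consistency fix. The round-10 and round-11 macros repeat rounds 0 and 1, which is expected for BLAKE2b since its message permutation schedule wraps after ten rounds; a short comment on `BLAKE2B_LOAD_MSG_10_1` saying so would stop a reader from suspecting a copy-paste slip.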
@@ -397,6 +397,4 @@ b0 = _mm_unpacklo_epi64(m6, m1); \ b1 = _mm_unpackhi_epi64(m3, m1); \ } while(0) - #endif - diff --git a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-ref.c b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-ref.c index bc54425420..676bc33073 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-ref.c +++ b/release/src/router/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-ref.c @@ -19,6 +19,7 @@ #include "blake2.h" #include "blake2-impl.h" #include "runtime.h" +#include "private/common.h" #ifdef HAVE_TI_MODE # if defined(__SIZEOF_INT128__) @@ -83,8 +84,10 @@ static inline int blake2b_increment_counter( blake2b_state *S, const uint64_t in return 0; } -// Parameter-related functions +/* Parameter-related functions */ #if 0 +/* Redundant: digest length is directly set in blake2b_init(), blake2b_init_salt_personal(), + * blake2b_init_key() and blake2b_init_key_salt_personal() */ static inline int blake2b_param_set_digest_length( blake2b_param *P, const uint8_t digest_length ) { P->digest_length = digest_length; @@ -105,13 +108,13 @@ static inline int blake2b_param_set_max_depth( blake2b_param *P, const uint8_t d static inline int blake2b_param_set_leaf_length( blake2b_param *P, const uint32_t leaf_length ) { - store32( &P->leaf_length, leaf_length ); + STORE32_LE( P->leaf_length, leaf_length ); return 0; } static inline int blake2b_param_set_node_offset( blake2b_param *P, const uint64_t node_offset ) { - store64( &P->node_offset, node_offset ); + STORE64_LE( P->node_offset, node_offset ); return 0; } 
@@ -155,12 +158,13 @@ int blake2b_init_param( blake2b_state *S, const blake2b_param *P ) size_t i; const uint8_t *p; + (void) sizeof(int[sizeof *P == 64 ? 1 : -1]); blake2b_init0( S ); p = ( const uint8_t * )( P ); /* IV XOR ParamBlock */ for( i = 0; i < 8; ++i ) - S->h[i] ^= load64( p + sizeof( S->h[i] ) * i ); + S->h[i] ^= LOAD64_LE( p + sizeof( S->h[i] ) * i ); return 0; } @@ -175,8 +179,8 @@ int blake2b_init( blake2b_state *S, const uint8_t outlen ) P->key_length = 0; P->fanout = 1; P->depth = 1; - store32( &P->leaf_length, 0 ); - store64( &P->node_offset, 0 ); + STORE32_LE( P->leaf_length, 0 ); + STORE64_LE( P->node_offset, 0 ); P->node_depth = 0; P->inner_length = 0; memset( P->reserved, 0, sizeof( P->reserved ) ); @@ -196,8 +200,8 @@ int blake2b_init_salt_personal( blake2b_state *S, const uint8_t outlen, P->key_length = 0; P->fanout = 1; P->depth = 1; - store32( &P->leaf_length, 0 ); - store64( &P->node_offset, 0 ); + STORE32_LE( P->leaf_length, 0 ); + STORE64_LE( P->node_offset, 0 ); P->node_depth = 0; P->inner_length = 0; memset( P->reserved, 0, sizeof( P->reserved ) ); @@ -226,8 +230,8 @@ int blake2b_init_key( blake2b_state *S, const uint8_t outlen, const void *key, c P->key_length = keylen; P->fanout = 1; P->depth = 1; - store32( &P->leaf_length, 0 ); - store64( &P->node_offset, 0 ); + STORE32_LE( P->leaf_length, 0 ); + STORE64_LE( P->node_offset, 0 ); P->node_depth = 0; P->inner_length = 0; memset( P->reserved, 0, sizeof( P->reserved ) ); @@ -259,8 +263,8 @@ int blake2b_init_key_salt_personal( blake2b_state *S, const uint8_t outlen, cons P->key_length = keylen; P->fanout = 1; P->depth = 1; - store32( &P->leaf_length, 0 ); - store64( &P->node_offset, 0 ); + STORE32_LE( P->leaf_length, 0 ); + STORE64_LE( P->node_offset, 0 ); P->node_depth = 0; P->inner_length = 0; memset( P->reserved, 0, sizeof( P->reserved ) ); 
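Review bot: The new `(void) sizeof(int[sizeof *P == 64 ? 1 : -1]);` is a compile-time size check with nothing explaining it, and the idiom is easy to misread as a stray statement; add `/* compile-time check: the parameter block must be exactly 64 bytes, since the loop below XORs it into h[] as eight 64-bit words */` above it. If `private/common.h`, which this commit now includes at the top of the file, provides a named compile-time-assert helper, using that instead of the raw `sizeof` trick would be clearer still. The signature of `blake2b_init_param` appears only in the hunk header, so the function starts outside the hunk; its closing brace is inside it.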
@@ -297,19 +301,19 @@ int blake2b_update( blake2b_state *S, const uint8_t *in, uint64_t inlen ) if( inlen > fill ) { - memcpy( S->buf + left, in, fill ); // Fill buffer + memcpy( S->buf + left, in, fill ); /* Fill buffer */ S->buflen += fill; blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES ); - blake2b_compress( S, S->buf ); // Compress - memcpy( S->buf, S->buf + BLAKE2B_BLOCKBYTES, BLAKE2B_BLOCKBYTES ); // Shift buffer left + blake2b_compress( S, S->buf ); /* Compress */ + memcpy( S->buf, S->buf + BLAKE2B_BLOCKBYTES, BLAKE2B_BLOCKBYTES ); /* Shift buffer left */ S->buflen -= BLAKE2B_BLOCKBYTES; in += fill; inlen -= fill; } - else // inlen <= fill + else /* inlen <= fill */ { memcpy( S->buf + left, in, inlen ); - S->buflen += inlen; // Be lazy, do not compress + S->buflen += inlen; /* Be lazy, do not compress */ in += inlen; inlen -= inlen; } @@ -345,7 +349,7 @@ int blake2b_final( blake2b_state *S, uint8_t *out, uint8_t outlen ) int i; for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */ - store64( buffer + sizeof( S->h[i] ) * i, S->h[i] ); + STORE64_LE( buffer + sizeof( S->h[i] ) * i, S->h[i] ); memcpy( out, buffer, outlen ); } #endif @@ -415,6 +419,14 @@ int blake2b_salt_personal( uint8_t *out, const void *in, const void *key, const int blake2b_pick_best_implementation(void) { +/* LCOV_EXCL_START */ +#if (defined(HAVE_AVX2INTRIN_H) && defined(HAVE_TMMINTRIN_H) && defined(HAVE_SMMINTRIN_H)) || \ + (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64))) + if (sodium_runtime_has_avx2()) { + blake2b_compress = blake2b_compress_avx2; + return 0; + } +#endif #if (defined(HAVE_EMMINTRIN_H) && defined(HAVE_TMMINTRIN_H) && defined(HAVE_SMMINTRIN_H)) || \ (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64) || defined(_M_IX86))) if (sodium_runtime_has_sse41()) { @@ -432,4 +444,5 @@ blake2b_pick_best_implementation(void) blake2b_compress = blake2b_compress_ref; return 0; +/* LCOV_EXCL_STOP */ } 
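Review bot: In blake2b_pick_best_implementation the new AVX2 branch enables itself on MSVC only for `_M_X64`/`_M_AMD64`, while the SSE4.1 branch right below also accepts `_M_IX86`; the asymmetry looks deliberate but is undocumented. Suggest a comment above the new `#if`, e.g. `/* AVX2 path: not built for 32-bit MSVC targets, unlike the SSE4.1 fallback below */`. Presumably blake2b_compress_avx2 is compiled under the same preprocessor condition in its own translation unit; that should be confirmed so the dispatch never names a symbol that was not built, and the comment could record that the condition here must be kept in sync with it.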
diff --git a/release/src/router/libsodium/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c b/release/src/router/libsodium/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c index ffb38f6b97..0eb330e235 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c +++ b/release/src/router/libsodium/src/libsodium/crypto_hash/sha256/cp/hash_sha256.c @@ -28,6 +28,7 @@ #include "crypto_hash_sha256.h" #include "utils.h" +#include "private/common.h" #include @@ -36,53 +37,13 @@ #include #include -/* Avoid namespace collisions with BSD . */ -#define be32dec _sha256_be32dec -#define be32enc _sha256_be32enc -#define be64enc _sha256_be64enc - -static inline uint32_t -be32dec(const void *pp) -{ - const uint8_t *p = (uint8_t const *)pp; - - return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) + - ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24)); -} - -static inline void -be32enc(void *pp, uint32_t x) -{ - uint8_t *p = (uint8_t *)pp; - - p[3] = x & 0xff; - p[2] = (x >> 8) & 0xff; - p[1] = (x >> 16) & 0xff; - p[0] = (x >> 24) & 0xff; -} - -static inline void -be64enc(void * pp, uint64_t x) -{ - uint8_t * p = (uint8_t *)pp; - - p[7] = x & 0xff; - p[6] = (x >> 8) & 0xff; - p[5] = (x >> 16) & 0xff; - p[4] = (x >> 24) & 0xff; - p[3] = (x >> 32) & 0xff; - p[2] = (x >> 40) & 0xff; - p[1] = (x >> 48) & 0xff; - p[0] = (x >> 56) & 0xff; -} - static void be32enc_vect(unsigned char *dst, const uint32_t *src, size_t len) { size_t i; for (i = 0; i < len / 4; i++) { - be32enc(dst + i * 4, src[i]); + STORE32_BE(dst + i * 4, src[i]); } } @@ -92,7 +53,7 @@ be32dec_vect(uint32_t *dst, const unsigned char *src, size_t len) size_t i; for (i = 0; i < len / 4; i++) { - dst[i] = be32dec(src + i * 4); + dst[i] = LOAD32_BE(src + i * 4); } } 
@@ -221,7 +182,7 @@ SHA256_Pad(crypto_hash_sha256_state *state) unsigned char len[8]; uint32_t r, plen; - be64enc(len, state->count); + STORE64_BE(len, state->count); r = (state->count >> 3) & 0x3f; plen = (r < 56) ? (56 - r) : (120 - r); diff --git a/release/src/router/libsodium/src/libsodium/crypto_hash/sha512/cp/hash_sha512.c b/release/src/router/libsodium/src/libsodium/crypto_hash/sha512/cp/hash_sha512.c index 0b5624fa10..4e6b515cf4 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_hash/sha512/cp/hash_sha512.c +++ b/release/src/router/libsodium/src/libsodium/crypto_hash/sha512/cp/hash_sha512.c @@ -28,6 +28,7 @@ #include "crypto_hash_sha512.h" #include "utils.h" +#include "private/common.h" #include @@ -36,43 +37,13 @@ #include #include -/* Avoid namespace collisions with BSD . */ -#define be64dec _sha512_be64dec -#define be64enc _sha512_be64enc - -static inline uint64_t -be64dec(const void *pp) -{ - const uint8_t *p = (uint8_t const *)pp; - - return ((uint64_t)(p[7]) + ((uint64_t)(p[6]) << 8) + - ((uint64_t)(p[5]) << 16) + ((uint64_t)(p[4]) << 24) + - ((uint64_t)(p[3]) << 32) + ((uint64_t)(p[2]) << 40) + - ((uint64_t)(p[1]) << 48) + ((uint64_t)(p[0]) << 56)); -} - -static inline void -be64enc(void *pp, uint64_t x) -{ - uint8_t *p = (uint8_t *)pp; - - p[7] = x & 0xff; - p[6] = (x >> 8) & 0xff; - p[5] = (x >> 16) & 0xff; - p[4] = (x >> 24) & 0xff; - p[3] = (x >> 32) & 0xff; - p[2] = (x >> 40) & 0xff; - p[1] = (x >> 48) & 0xff; - p[0] = (x >> 56) & 0xff; -} - static void be64enc_vect(unsigned char *dst, const uint64_t *src, size_t len) { size_t i; for (i = 0; i < len / 8; i++) { - be64enc(dst + i * 8, src[i]); + STORE64_BE(dst + i * 8, src[i]); } } @@ -82,7 +53,7 @@ be64dec_vect(uint64_t *dst, const unsigned char *src, size_t len) size_t i; for (i = 0; i < len / 8; i++) { - dst[i] = be64dec(src + i * 8); + dst[i] = LOAD64_BE(src + i * 8); } } 
diff --git a/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna.h b/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna.h dissimilarity index 82% index 344ee83c41..d5e49048cf 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna.h +++ b/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna.h @@ -1,31 +1,12 @@ -#ifndef poly1305_donna_H -#define poly1305_donna_H - -#include - -#include "crypto_onetimeauth_poly1305.h" - -extern struct crypto_onetimeauth_poly1305_implementation - crypto_onetimeauth_poly1305_donna_implementation; - -static int crypto_onetimeauth_poly1305_donna(unsigned char *out, - const unsigned char *in, - unsigned long long inlen, - const unsigned char *k); - -static int crypto_onetimeauth_poly1305_donna_verify(const unsigned char *h, - const unsigned char *in, - unsigned long long inlen, - const unsigned char *k); - -static int crypto_onetimeauth_poly1305_donna_init(crypto_onetimeauth_poly1305_state *state, - const unsigned char *key); - -static int crypto_onetimeauth_poly1305_donna_update(crypto_onetimeauth_poly1305_state *state, - const unsigned char *in, - unsigned long long inlen); - -static int crypto_onetimeauth_poly1305_donna_final(crypto_onetimeauth_poly1305_state *state, - unsigned char *out); - -#endif /* poly1305_donna_H */ +#ifndef poly1305_donna_H +#define poly1305_donna_H + +#include + +#include "crypto_onetimeauth_poly1305.h" +#include "../onetimeauth_poly1305.h" + +extern struct crypto_onetimeauth_poly1305_implementation + crypto_onetimeauth_poly1305_donna_implementation; + +#endif /* poly1305_donna_H */ diff --git a/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna32.h b/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna32.h index d998330cc8..2fe9088c24 100644 
--- a/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna32.h +++ b/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna32.h @@ -10,6 +10,8 @@ # define POLY1305_NOINLINE #endif +#include "private/common.h" + #define poly1305_block_size 16 /* 17 + sizeof(unsigned long long) + 14*sizeof(unsigned long) */ @@ -22,36 +24,15 @@ typedef struct poly1305_state_internal_t { unsigned char final; } poly1305_state_internal_t; -/* interpret four 8 bit unsigned integers as a 32 bit unsigned integer in little endian */ -static unsigned long -U8TO32(const unsigned char *p) -{ - return - (((unsigned long)(p[0] & 0xff) ) | - ((unsigned long)(p[1] & 0xff) << 8) | - ((unsigned long)(p[2] & 0xff) << 16) | - ((unsigned long)(p[3] & 0xff) << 24)); -} - -/* store a 32 bit unsigned integer as four 8 bit unsigned integers in little endian */ -static void -U32TO8(unsigned char *p, unsigned long v) -{ - p[0] = (v ) & 0xff; - p[1] = (v >> 8) & 0xff; - p[2] = (v >> 16) & 0xff; - p[3] = (v >> 24) & 0xff; -} - static void poly1305_init(poly1305_state_internal_t *st, const unsigned char key[32]) { /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */ - st->r[0] = (U8TO32(&key[ 0]) ) & 0x3ffffff; - st->r[1] = (U8TO32(&key[ 3]) >> 2) & 0x3ffff03; - st->r[2] = (U8TO32(&key[ 6]) >> 4) & 0x3ffc0ff; - st->r[3] = (U8TO32(&key[ 9]) >> 6) & 0x3f03fff; - st->r[4] = (U8TO32(&key[12]) >> 8) & 0x00fffff; + st->r[0] = (LOAD32_LE(&key[ 0]) ) & 0x3ffffff; + st->r[1] = (LOAD32_LE(&key[ 3]) >> 2) & 0x3ffff03; + st->r[2] = (LOAD32_LE(&key[ 6]) >> 4) & 0x3ffc0ff; + st->r[3] = (LOAD32_LE(&key[ 9]) >> 6) & 0x3f03fff; + st->r[4] = (LOAD32_LE(&key[12]) >> 8) & 0x00fffff; /* h = 0 */ st->h[0] = 0; 
@@ -61,10 +42,10 @@ poly1305_init(poly1305_state_internal_t *st, const unsigned char key[32]) st->h[4] = 0; /* save pad for later */ - st->pad[0] = U8TO32(&key[16]); - st->pad[1] = U8TO32(&key[20]); - st->pad[2] = U8TO32(&key[24]); - st->pad[3] = U8TO32(&key[28]); + st->pad[0] = LOAD32_LE(&key[16]); + st->pad[1] = LOAD32_LE(&key[20]); + st->pad[2] = LOAD32_LE(&key[24]); + st->pad[3] = LOAD32_LE(&key[28]); st->leftover = 0; st->final = 0; @@ -73,7 +54,7 @@ poly1305_init(poly1305_state_internal_t *st, const unsigned char key[32]) static void poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, unsigned long long bytes) { - const unsigned long hibit = (st->final) ? 0 : (1 << 24); /* 1 << 128 */ + const unsigned long hibit = (st->final) ? 0UL : (1UL << 24); /* 1 << 128 */ unsigned long r0,r1,r2,r3,r4; unsigned long s1,s2,s3,s4; unsigned long h0,h1,h2,h3,h4; @@ -99,11 +80,11 @@ poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, unsigned while (bytes >= poly1305_block_size) { /* h += m[i] */ - h0 += (U8TO32(m+ 0) ) & 0x3ffffff; - h1 += (U8TO32(m+ 3) >> 2) & 0x3ffffff; - h2 += (U8TO32(m+ 6) >> 4) & 0x3ffffff; - h3 += (U8TO32(m+ 9) >> 6) & 0x3ffffff; - h4 += (U8TO32(m+12) >> 8) | hibit; + h0 += (LOAD32_LE(m+ 0) ) & 0x3ffffff; + h1 += (LOAD32_LE(m+ 3) >> 2) & 0x3ffffff; + h2 += (LOAD32_LE(m+ 6) >> 4) & 0x3ffffff; + h3 += (LOAD32_LE(m+ 9) >> 6) & 0x3ffffff; + h4 += (LOAD32_LE(m+12) >> 8) | hibit; /* h *= r */ d0 = ((unsigned long long)h0 * r0) + ((unsigned long long)h1 * s4) + ((unsigned long long)h2 * s3) + ((unsigned long long)h3 * s2) + ((unsigned long long)h4 * s1); 
@@ -169,7 +150,7 @@ poly1305_finish(poly1305_state_internal_t *st, unsigned char mac[16]) g1 = h1 + c; c = g1 >> 26; g1 &= 0x3ffffff; g2 = h2 + c; c = g2 >> 26; g2 &= 0x3ffffff; g3 = h3 + c; c = g3 >> 26; g3 &= 0x3ffffff; - g4 = h4 + c - (1 << 26); + g4 = h4 + c - (1UL << 26); /* select h if h < p, or h + -p if h >= p */ mask = (g4 >> ((sizeof(unsigned long) * 8) - 1)) - 1; @@ -197,10 +178,10 @@ poly1305_finish(poly1305_state_internal_t *st, unsigned char mac[16]) f = (unsigned long long)h2 + st->pad[2] + (f >> 32); h2 = (unsigned long)f; f = (unsigned long long)h3 + st->pad[3] + (f >> 32); h3 = (unsigned long)f; - U32TO8(mac + 0, h0); - U32TO8(mac + 4, h1); - U32TO8(mac + 8, h2); - U32TO8(mac + 12, h3); + STORE32_LE(mac + 0, h0); + STORE32_LE(mac + 4, h1); + STORE32_LE(mac + 8, h2); + STORE32_LE(mac + 12, h3); /* zero out the state */ sodium_memzero((void *)st, sizeof *st); diff --git a/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna64.h b/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna64.h index fbc7ca36c4..f797fe7d60 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna64.h +++ b/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna64.h @@ -22,6 +22,8 @@ typedef unsigned uint128_t __attribute__ ((mode(TI))); # define POLY1305_NOINLINE #endif +#include "private/common.h" + #define poly1305_block_size 16 /* 17 + sizeof(unsigned long long) + 8*sizeof(unsigned long long) */ 
@@ -34,43 +36,14 @@ typedef struct poly1305_state_internal_t { unsigned char final; } poly1305_state_internal_t; -/* interpret eight 8 bit unsigned integers as a 64 bit unsigned integer in little endian */ -static unsigned long long -U8TO64(const unsigned char *p) -{ - return - (((unsigned long long)(p[0] & 0xff) ) | - ((unsigned long long)(p[1] & 0xff) << 8) | - ((unsigned long long)(p[2] & 0xff) << 16) | - ((unsigned long long)(p[3] & 0xff) << 24) | - ((unsigned long long)(p[4] & 0xff) << 32) | - ((unsigned long long)(p[5] & 0xff) << 40) | - ((unsigned long long)(p[6] & 0xff) << 48) | - ((unsigned long long)(p[7] & 0xff) << 56)); -} - -/* store a 64 bit unsigned integer as eight 8 bit unsigned integers in little endian */ -static void -U64TO8(unsigned char *p, unsigned long long v) -{ - p[0] = (v ) & 0xff; - p[1] = (v >> 8) & 0xff; - p[2] = (v >> 16) & 0xff; - p[3] = (v >> 24) & 0xff; - p[4] = (v >> 32) & 0xff; - p[5] = (v >> 40) & 0xff; - p[6] = (v >> 48) & 0xff; - p[7] = (v >> 56) & 0xff; -} - static void poly1305_init(poly1305_state_internal_t *st, const unsigned char key[32]) { unsigned long long t0,t1; /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */ - t0 = U8TO64(&key[0]); - t1 = U8TO64(&key[8]); + t0 = LOAD64_LE(&key[0]); + t1 = LOAD64_LE(&key[8]); st->r[0] = ( t0 ) & 0xffc0fffffff; st->r[1] = ((t0 >> 44) | (t1 << 20)) & 0xfffffc0ffff; @@ -82,8 +55,8 @@ poly1305_init(poly1305_state_internal_t *st, const unsigned char key[32]) st->h[2] = 0; /* save pad for later */ - st->pad[0] = U8TO64(&key[16]); - st->pad[1] = U8TO64(&key[24]); + st->pad[0] = LOAD64_LE(&key[16]); + st->pad[1] = LOAD64_LE(&key[24]); st->leftover = 0; st->final = 0; 
@@ -92,7 +65,7 @@ poly1305_init(poly1305_state_internal_t *st, const unsigned char key[32]) static void poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, unsigned long long bytes) { - const unsigned long long hibit = (st->final) ? 0 : ((unsigned long long)1 << 40); /* 1 << 128 */ + const unsigned long long hibit = (st->final) ? 0ULL : (1ULL << 40); /* 1 << 128 */ unsigned long long r0,r1,r2; unsigned long long s1,s2; unsigned long long h0,h1,h2; @@ -114,8 +87,8 @@ poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, unsigned unsigned long long t0,t1; /* h += m[i] */ - t0 = U8TO64(&m[0]); - t1 = U8TO64(&m[8]); + t0 = LOAD64_LE(&m[0]); + t1 = LOAD64_LE(&m[8]); h0 += (( t0 ) & 0xfffffffffff); h1 += (((t0 >> 44) | (t1 << 20)) & 0xfffffffffff); @@ -176,7 +149,7 @@ poly1305_finish(poly1305_state_internal_t *st, unsigned char mac[16]) /* compute h + -p */ g0 = h0 + 5; c = (g0 >> 44); g0 &= 0xfffffffffff; g1 = h1 + c; c = (g1 >> 44); g1 &= 0xfffffffffff; - g2 = h2 + c - ((unsigned long long)1 << 42); + g2 = h2 + c - (1ULL << 42); /* select h if h < p, or h + -p if h >= p */ c = (g2 >> ((sizeof(unsigned long long) * 8) - 1)) - 1; @@ -200,8 +173,8 @@ poly1305_finish(poly1305_state_internal_t *st, unsigned char mac[16]) h0 = ((h0 ) | (h1 << 44)); h1 = ((h1 >> 20) | (h2 << 24)); - U64TO8(&mac[0], h0); - U64TO8(&mac[8], h1); + STORE64_LE(&mac[0], h0); + STORE64_LE(&mac[8], h1); /* zero out the state */ sodium_memzero((void *)st, sizeof *st); diff --git a/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c b/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c index cd46460597..ef5b17f4e8 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c +++ b/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c 
@@ -88,9 +88,8 @@ poly1305_init_ext(poly1305_state_internal_t *st, const unsigned char key[32], unsigned long long bytes) { uint32_t *R; - uint128_t d[3],m0; + uint128_t d[3]; uint64_t r0,r1,r2; - uint32_t rp0,rp1,rp2,rp3,rp4; uint64_t rt0,rt1,rt2,st2,c; uint64_t t0,t1; unsigned long long i; @@ -170,7 +169,7 @@ poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, xmmi H0,H1,H2,H3,H4; xmmi T0,T1,T2,T3,T4,T5,T6,T7,T8; xmmi M0,M1,M2,M3,M4; - xmmi M5,M6,M7,M8,M9; + xmmi M5,M6,M7,M8; xmmi C1,C2; xmmi R20,R21,R22,R23,R24,S21,S22,S23,S24; xmmi R40,R41,R42,R43,R44,S41,S42,S43,S44; @@ -569,7 +568,6 @@ poly1305_finish_ext(poly1305_state_internal_t *st, const unsigned char *m, unsigned long long leftover, unsigned char mac[16]) { uint64_t h0,h1,h2; - uint64_t t0,t1,c; if (leftover) { CRYPTO_ALIGN(16) unsigned char final[32] = {0}; diff --git a/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.h b/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.h dissimilarity index 82% index 8029b00a98..3d3c076c0b 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.h +++ b/release/src/router/libsodium/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.h 
@@ -1,31 +1,12 @@ -#ifndef poly1305_sse2_H -#define poly1305_sse2_H - -#include - -#include "crypto_onetimeauth_poly1305.h" - -extern struct crypto_onetimeauth_poly1305_implementation - crypto_onetimeauth_poly1305_sse2_implementation; - -static int crypto_onetimeauth_poly1305_sse2(unsigned char *out, - const unsigned char *in, - unsigned long long inlen, - const unsigned char *k); - -static int crypto_onetimeauth_poly1305_sse2_verify(const unsigned char *h, - const unsigned char *in, - unsigned long long inlen, - const unsigned char *k); - -static int crypto_onetimeauth_poly1305_sse2_init(crypto_onetimeauth_poly1305_state *state, - const unsigned char *key); - -static int crypto_onetimeauth_poly1305_sse2_update(crypto_onetimeauth_poly1305_state *state, - const unsigned char *in, - unsigned long long inlen); - -static int crypto_onetimeauth_poly1305_sse2_final(crypto_onetimeauth_poly1305_state *state, - unsigned char *out); - -#endif /* poly1305_sse2_H */ +#ifndef poly1305_sse2_H +#define poly1305_sse2_H + +#include + +#include "crypto_onetimeauth_poly1305.h" +#include "../onetimeauth_poly1305.h" + +extern struct crypto_onetimeauth_poly1305_implementation + crypto_onetimeauth_poly1305_sse2_implementation; + +#endif /* poly1305_sse2_H */ diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-core.c b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-core.c new file mode 100644 index 0000000000..99a4dee90c --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-core.c 
@@ -0,0 +1,570 @@ +/* + * Argon2 source code package + * + * Written by Daniel Dinu and Dmitry Khovratovich, 2015 + * + * This work is licensed under a Creative Commons CC0 1.0 License/Waiver. + * + * You should have received a copy of the CC0 Public Domain Dedication along + * with + * this software. If not, see + * . + */ + +#ifdef HAVE_SYS_MMAN_H +# include +#endif +#include +#include +#include +#include +#include + +#include "crypto_generichash_blake2b.h" +#include "runtime.h" +#include "utils.h" +#include "private/common.h" + +#include "argon2-core.h" +#include "argon2-impl.h" +#include "blake2b-long.h" + +#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS) +# define MAP_ANON MAP_ANONYMOUS +#endif + +static fill_segment_fn fill_segment = fill_segment_ref; + +/***************Instance and Position constructors**********/ +void init_block_value(block *b, uint8_t in) { + memset(b->v, in, sizeof(b->v)); +} + +void copy_block(block *dst, const block *src) { + memcpy(dst->v, src->v, sizeof(uint64_t) * ARGON2_QWORDS_IN_BLOCK); +} + +void xor_block(block *dst, const block *src) { + int i; + for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i) { + dst->v[i] ^= src->v[i]; + } +} + +static void load_block(block *dst, const void *input) { + unsigned i; + for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i) { + dst->v[i] = LOAD64_LE((const uint8_t *)input + i * sizeof(dst->v[i])); + } +} + +static void store_block(void *output, const block *src) { + unsigned i; + for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i) { + STORE64_LE((uint8_t *)output + i * sizeof(src->v[i]), src->v[i]); + } +} + +/***************Memory allocators*****************/ +/* Allocates memory to the given pointer + * @param memory pointer to the pointer to the memory + * @param m_cost number of blocks to allocate in the memory + * @return ARGON2_OK if @memory is a valid pointer and memory is allocated + */ +static int allocate_memory(block_region **memory, uint32_t m_cost); + +static int allocate_memory(block_region **region, 
uint32_t m_cost) { + void *base; + block *memory; + size_t memory_size; + + if (region == NULL) { + return ARGON2_MEMORY_ALLOCATION_ERROR; /* LCOV_EXCL_LINE */ + } + memory_size = sizeof(block) * m_cost; + if (m_cost == 0 || + memory_size / m_cost != sizeof(block)) { /*1. Check for multiplication overflow*/ + return ARGON2_MEMORY_ALLOCATION_ERROR; /* LCOV_EXCL_LINE */ + } + *region = (block_region *)malloc(sizeof(block_region)); /*2. Try to allocate region*/ + if (!*region) { + return ARGON2_MEMORY_ALLOCATION_ERROR; /* LCOV_EXCL_LINE */ + } + +#if defined(MAP_ANON) && defined(HAVE_MMAP) + if ((base = mmap(NULL, memory_size, PROT_READ | PROT_WRITE, +# ifdef MAP_NOCORE + MAP_ANON | MAP_PRIVATE | MAP_NOCORE, +# else + MAP_ANON | MAP_PRIVATE, +# endif + -1, 0)) == MAP_FAILED) { + base = NULL; /* LCOV_EXCL_LINE */ + } /* LCOV_EXCL_LINE */ + memcpy(&memory, &base, sizeof memory); +#elif defined(HAVE_POSIX_MEMALIGN) + if ((errno = posix_memalign((void **) &base, 64, memory_size)) != 0) { + base = NULL; + } + memcpy(&memory, &base, sizeof memory); +#else + memory = NULL; + if (memory_size + 63 < memory_size) { + base = NULL; + errno = ENOMEM; + } else if ((base = malloc(memory_size + 63)) != NULL) { + uint8_t *aligned = ((uint8_t *) base) + 63; + aligned -= (uintptr_t) aligned & 63; + memcpy(&memory, &aligned, sizeof memory); + } +#endif + if (base == NULL) { + return ARGON2_MEMORY_ALLOCATION_ERROR; /* LCOV_EXCL_LINE */ + } + (*region)->base = base; + (*region)->memory = memory; + (*region)->size = memory_size; + + return ARGON2_OK; +} + +/*********Memory functions*/ + +/* Clears memory + * @param instance pointer to the current instance + * @param clear_memory indicates if we clear the memory with zeros. 
+ */ +static void clear_memory(argon2_instance_t *instance, int clear); + +static void clear_memory(argon2_instance_t *instance, int clear) { + if (instance->region != NULL && clear) { + /* LCOV_EXCL_START */ + sodium_memzero(instance->region->memory, + sizeof(block) * instance->memory_blocks); + /* LCOV_EXCL_STOP */ + } +} + +/* Deallocates memory + * @param memory pointer to the blocks + */ +static void free_memory(block_region *memory); + +static void free_memory(block_region *region) { + if (region->base) { +#if defined(MAP_ANON) && defined(HAVE_MMAP) + if (munmap(region->base, region->size)) { + return; /* LCOV_EXCL_LINE */ + } +#else + free(region->base); +#endif + } + free(region); +} + +void finalize(const argon2_context *context, argon2_instance_t *instance) { + if (context != NULL && instance != NULL) { + block blockhash; + uint32_t l; + + copy_block(&blockhash, instance->region->memory + instance->lane_length - 1); + + /* XOR the last blocks */ + for (l = 1; l < instance->lanes; ++l) { + uint32_t last_block_in_lane = + l * instance->lane_length + (instance->lane_length - 1); + xor_block(&blockhash, instance->region->memory + last_block_in_lane); + } + + /* Hash the result */ + { + uint8_t blockhash_bytes[ARGON2_BLOCK_SIZE]; + store_block(blockhash_bytes, &blockhash); + blake2b_long(context->out, context->outlen, blockhash_bytes, + ARGON2_BLOCK_SIZE); + sodium_memzero(blockhash.v, + ARGON2_BLOCK_SIZE); /* clear blockhash */ + sodium_memzero(blockhash_bytes, + ARGON2_BLOCK_SIZE); /* clear blockhash_bytes */ + } + + /* Clear memory */ + clear_memory(instance, context->flags & ARGON2_FLAG_CLEAR_PASSWORD); + + /* Deallocate the memory */ + free_memory(instance->region); + } +} + +uint32_t index_alpha(const argon2_instance_t *instance, + const argon2_position_t *position, uint32_t pseudo_rand, + int same_lane) { + /* + * Pass 0: + * This lane : all already finished segments plus already constructed + * blocks in this segment + * Other lanes : all already 
finished segments + * Pass 1+: + * This lane : (SYNC_POINTS - 1) last segments plus already constructed + * blocks in this segment + * Other lanes : (SYNC_POINTS - 1) last segments + */ + uint32_t reference_area_size; + uint64_t relative_position; + uint32_t start_position, absolute_position; + + if (position->pass == 0) { + /* First pass */ + if (position->slice == 0) { + /* First slice */ + reference_area_size = + position->index - 1; /* all but the previous */ + } else { + if (same_lane) { + /* The same lane => add current segment */ + reference_area_size = + position->slice * instance->segment_length + + position->index - 1; + } else { + reference_area_size = + position->slice * instance->segment_length + + ((position->index == 0) ? (-1) : 0); + } + } + } else { + /* Second pass */ + if (same_lane) { + reference_area_size = instance->lane_length - + instance->segment_length + position->index - + 1; + } else { + reference_area_size = instance->lane_length - + instance->segment_length + + ((position->index == 0) ? (-1) : 0); + } + } + + /* 1.2.4. Mapping pseudo_rand to 0.. and produce + * relative position */ + relative_position = pseudo_rand; + relative_position = relative_position * relative_position >> 32; + relative_position = reference_area_size - 1 - + (reference_area_size * relative_position >> 32); + + /* 1.2.5 Computing starting position */ + start_position = 0; + + if (position->pass != 0) { + start_position = (position->slice == ARGON2_SYNC_POINTS - 1) + ? 0 + : (position->slice + 1) * instance->segment_length; + } + + /* 1.2.6. 
Computing absolute position */ + absolute_position = (start_position + relative_position) % + instance->lane_length; /* absolute position */ + return absolute_position; +} + +int fill_memory_blocks(argon2_instance_t *instance) { + int result; + uint32_t r, s; + + if (instance == NULL || instance->lanes == 0) { + return ARGON2_OK; /* LCOV_EXCL_LINE */ + } + + for (r = 0; r < instance->passes; ++r) { + for (s = 0; s < ARGON2_SYNC_POINTS; ++s) { + uint32_t l; + + for (l = 0; l < instance->lanes; ++l) { + argon2_position_t position; + + position.pass = r; + position.lane = l; + position.slice = (uint8_t)s; + position.index = 0; + result = fill_segment(instance, position); + if (ARGON2_OK != result) { + return result; /* LCOV_EXCL_LINE */ + } + } + } + } + return ARGON2_OK; +} + +int validate_inputs(const argon2_context *context) { + /* LCOV_EXCL_START */ + if (NULL == context) { + return ARGON2_INCORRECT_PARAMETER; + } + + if (NULL == context->out) { + return ARGON2_OUTPUT_PTR_NULL; + } + + /* Validate output length */ + if (ARGON2_MIN_OUTLEN > context->outlen) { + return ARGON2_OUTPUT_TOO_SHORT; + } + + if (ARGON2_MAX_OUTLEN < context->outlen) { + return ARGON2_OUTPUT_TOO_LONG; + } + + /* Validate password length */ + if (NULL == context->pwd) { + if (0 != context->pwdlen) { + return ARGON2_PWD_PTR_MISMATCH; + } + } else { + if (ARGON2_MIN_PWD_LENGTH > context->pwdlen) { + return ARGON2_PWD_TOO_SHORT; + } + + if (ARGON2_MAX_PWD_LENGTH < context->pwdlen) { + return ARGON2_PWD_TOO_LONG; + } + } + + /* Validate salt length */ + if (NULL == context->salt) { + if (0 != context->saltlen) { + return ARGON2_SALT_PTR_MISMATCH; + } + } else { + if (ARGON2_MIN_SALT_LENGTH > context->saltlen) { + return ARGON2_SALT_TOO_SHORT; + } + + if (ARGON2_MAX_SALT_LENGTH < context->saltlen) { + return ARGON2_SALT_TOO_LONG; + } + } + + /* Validate secret length */ + if (NULL == context->secret) { + if (0 != context->secretlen) { + return ARGON2_SECRET_PTR_MISMATCH; + } + } else { + if 
(ARGON2_MIN_SECRET > context->secretlen) { + return ARGON2_SECRET_TOO_SHORT; + } + + if (ARGON2_MAX_SECRET < context->secretlen) { + return ARGON2_SECRET_TOO_LONG; + } + } + + /* Validate associated data */ + if (NULL == context->ad) { + if (0 != context->adlen) { + return ARGON2_AD_PTR_MISMATCH; + } + } else { + if (ARGON2_MIN_AD_LENGTH > context->adlen) { + return ARGON2_AD_TOO_SHORT; + } + + if (ARGON2_MAX_AD_LENGTH < context->adlen) { + return ARGON2_AD_TOO_LONG; + } + } + + /* Validate memory cost */ + if (ARGON2_MIN_MEMORY > context->m_cost) { + return ARGON2_MEMORY_TOO_LITTLE; + } + + if (ARGON2_MAX_MEMORY < context->m_cost) { + return ARGON2_MEMORY_TOO_MUCH; + } + + if (context->m_cost < 8 * context->lanes) { + return ARGON2_MEMORY_TOO_LITTLE; + } + + /* Validate time cost */ + if (ARGON2_MIN_TIME > context->t_cost) { + return ARGON2_TIME_TOO_SMALL; + } + + if (ARGON2_MAX_TIME < context->t_cost) { + return ARGON2_TIME_TOO_LARGE; + } + + /* Validate lanes */ + if (ARGON2_MIN_LANES > context->lanes) { + return ARGON2_LANES_TOO_FEW; + } + + if (ARGON2_MAX_LANES < context->lanes) { + return ARGON2_LANES_TOO_MANY; + } + + /* Validate threads */ + if (ARGON2_MIN_THREADS > context->threads) { + return ARGON2_THREADS_TOO_FEW; + } + + if (ARGON2_MAX_THREADS < context->threads) { + return ARGON2_THREADS_TOO_MANY; + } + /* LCOV_EXCL_STOP */ + + return ARGON2_OK; +} + +void fill_first_blocks(uint8_t *blockhash, const argon2_instance_t *instance) { + uint32_t l; + /* Make the first and second block in each lane as G(H0||i||0) or + G(H0||i||1) */ + uint8_t blockhash_bytes[ARGON2_BLOCK_SIZE]; + for (l = 0; l < instance->lanes; ++l) { + + STORE32_LE(blockhash + ARGON2_PREHASH_DIGEST_LENGTH, 0); + STORE32_LE(blockhash + ARGON2_PREHASH_DIGEST_LENGTH + 4, l); + blake2b_long(blockhash_bytes, ARGON2_BLOCK_SIZE, blockhash, + ARGON2_PREHASH_SEED_LENGTH); + load_block(&instance->region->memory[l * instance->lane_length + 0], + blockhash_bytes); + + STORE32_LE(blockhash + 
ARGON2_PREHASH_DIGEST_LENGTH, 1); + blake2b_long(blockhash_bytes, ARGON2_BLOCK_SIZE, blockhash, + ARGON2_PREHASH_SEED_LENGTH); + load_block(&instance->region->memory[l * instance->lane_length + 1], + blockhash_bytes); + } + sodium_memzero(blockhash_bytes, ARGON2_BLOCK_SIZE); +} + +void initial_hash(uint8_t *blockhash, argon2_context *context, + argon2_type type) { + crypto_generichash_blake2b_state BlakeHash; + uint8_t value[4U /* sizeof(uint32_t) */]; + + if (NULL == context || NULL == blockhash) { + return; /* LCOV_EXCL_LINE */ + } + + crypto_generichash_blake2b_init(&BlakeHash, NULL, 0U, + ARGON2_PREHASH_DIGEST_LENGTH); + + STORE32_LE(value, context->lanes); + crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value)); + + STORE32_LE(value, context->outlen); + crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value)); + + STORE32_LE(value, context->m_cost); + crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value)); + + STORE32_LE(value, context->t_cost); + crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value)); + + STORE32_LE(value, ARGON2_VERSION_NUMBER); + crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value)); + + STORE32_LE(value, (uint32_t)type); + crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value)); + + STORE32_LE(value, context->pwdlen); + crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value)); + + if (context->pwd != NULL) { + crypto_generichash_blake2b_update(&BlakeHash, (const uint8_t *)context->pwd, + context->pwdlen); + + if (context->flags & ARGON2_FLAG_CLEAR_PASSWORD) { + sodium_memzero(context->pwd, context->pwdlen); /* LCOV_EXCL_LINE */ + context->pwdlen = 0; /* LCOV_EXCL_LINE */ + } + } + + STORE32_LE(value, context->saltlen); + crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value)); + + if (context->salt != NULL) { + crypto_generichash_blake2b_update(&BlakeHash, (const uint8_t *)context->salt, + context->saltlen); + } + + STORE32_LE(value, 
context->secretlen); + crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value)); + + if (context->secret != NULL) { +/* LCOV_EXCL_START */ + crypto_generichash_blake2b_update(&BlakeHash, (const uint8_t *)context->secret, + context->secretlen); + + if (context->flags & ARGON2_FLAG_CLEAR_SECRET) { + sodium_memzero(context->secret, context->secretlen); + context->secretlen = 0; + } +/* LCOV_EXCL_STOP */ + } + + STORE32_LE(value, context->adlen); + crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value)); + + if (context->ad != NULL) { +/* LCOV_EXCL_START */ + crypto_generichash_blake2b_update(&BlakeHash, (const uint8_t *)context->ad, + context->adlen); +/* LCOV_EXCL_STOP */ + } + + crypto_generichash_blake2b_final(&BlakeHash, blockhash, ARGON2_PREHASH_DIGEST_LENGTH); +} + +int initialize(argon2_instance_t *instance, argon2_context *context) { + uint8_t blockhash[ARGON2_PREHASH_SEED_LENGTH]; + int result = ARGON2_OK; + + if (instance == NULL || context == NULL) + return ARGON2_INCORRECT_PARAMETER; + + /* 1. Memory allocation */ + + result = allocate_memory(&(instance->region), instance->memory_blocks); + if (ARGON2_OK != result) { + return result; + } + + /* 2. Initial hashing */ + /* H_0 + 8 extra bytes to produce the first blocks */ + /* uint8_t blockhash[ARGON2_PREHASH_SEED_LENGTH]; */ + /* Hashing all inputs */ + initial_hash(blockhash, context, instance->type); + /* Zeroing 8 extra bytes */ + sodium_memzero(blockhash + ARGON2_PREHASH_DIGEST_LENGTH, + ARGON2_PREHASH_SEED_LENGTH - ARGON2_PREHASH_DIGEST_LENGTH); + + /* 3. 
Creating first blocks, we always have at least two blocks in a slice + */ + fill_first_blocks(blockhash, instance); + /* Clearing the hash */ + sodium_memzero(blockhash, ARGON2_PREHASH_SEED_LENGTH); + + return ARGON2_OK; +} + +int argon2_pick_best_implementation(void) +{ +/* LCOV_EXCL_START */ +#if (defined(HAVE_EMMINTRIN_H) && defined(HAVE_TMMINTRIN_H)) || \ + (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64) || defined(_M_IX86))) + if (sodium_runtime_has_ssse3()) { + fill_segment = fill_segment_ssse3; + return 0; + } +#endif + fill_segment = fill_segment_ref; + + return 0; +/* LCOV_EXCL_STOP */ +} diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-core.h b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-core.h new file mode 100644 index 0000000000..941eea6321 --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-core.h 
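Review bot: allocate_memory leaks the block_region it just allocated when the backing allocation fails: after `*region = (block_region *)malloc(sizeof(block_region))` succeeds, every path that ends with `base == NULL` (mmap returning MAP_FAILED, posix_memalign failing, or the malloc fallback) returns ARGON2_MEMORY_ALLOCATION_ERROR without releasing `*region`, and leaves the caller holding a pointer to a region whose fields were never set. The final check should release it: `if (base == NULL) { free(*region); *region = NULL; return ARGON2_MEMORY_ALLOCATION_ERROR; }`. Setting `(*region)->base = (*region)->memory = NULL;` right after the malloc would also keep free_memory safe if a partially initialised region ever reaches it. Separately, finalize calls `clear_memory(instance, context->flags & ARGON2_FLAG_CLEAR_PASSWORD)`, so the whole block array is wiped only when that flag is set and is otherwise returned to the allocator unwiped; if that is intended it deserves a comment at the clear_memory call.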
@@ -0,0 +1,198 @@ +/* + * Argon2 source code package + * + * Written by Daniel Dinu and Dmitry Khovratovich, 2015 + * + * This work is licensed under a Creative Commons CC0 1.0 License/Waiver. + * + * You should have received a copy of the CC0 Public Domain Dedication along + * with + * this software. If not, see + * . + */ + +#ifndef argon2_core_H +#define argon2_core_H + +#include "argon2.h" + +/*************************Argon2 internal + * constants**************************************************/ + +enum argon2_ctx_constants { + /* Version of the algorithm */ + ARGON2_VERSION_NUMBER = 0x13, + + /* Memory block size in bytes */ + ARGON2_BLOCK_SIZE = 1024, + ARGON2_QWORDS_IN_BLOCK = ARGON2_BLOCK_SIZE / 8, + ARGON2_OWORDS_IN_BLOCK = ARGON2_BLOCK_SIZE / 16, + + /* Number of pseudo-random values generated by one call to Blake in Argon2i + to + generate reference block positions */ + ARGON2_ADDRESSES_IN_BLOCK = 128, + + /* Pre-hashing digest length and its extension*/ + ARGON2_PREHASH_DIGEST_LENGTH = 64, + ARGON2_PREHASH_SEED_LENGTH = 72 +}; + +/*************************Argon2 internal data + * types**************************************************/ + +/* + * Structure for the (1KB) memory block implemented as 128 64-bit words. + * Memory blocks can be copied, XORed. Internal words can be accessed by [] (no + * bounds checking). + */ +typedef struct block_ { uint64_t v[ARGON2_QWORDS_IN_BLOCK]; } block; + +typedef struct block_region_ { + void *base; + block *memory; + size_t size; +} block_region; + +/*****************Functions that work with the block******************/ + +/* Initialize each byte of the block with @in */ +void init_block_value(block *b, uint8_t in); + +/* Copy block @src to block @dst */ +void copy_block(block *dst, const block *src); + +/* XOR @src onto @dst bytewise */ +void xor_block(block *dst, const block *src); + +/* + * Argon2 instance: memory pointer, number of passes, amount of memory, type, + * and derived values. 
+ * Used to evaluate the number and location of blocks to construct in each + * thread + */ +typedef struct Argon2_instance_t { + block_region *region; /* Memory region pointer */ + uint32_t passes; /* Number of passes */ + uint32_t memory_blocks; /* Number of blocks in memory */ + uint32_t segment_length; + uint32_t lane_length; + uint32_t lanes; + uint32_t threads; + argon2_type type; + int print_internals; /* whether to print the memory blocks */ +} argon2_instance_t; + +/* + * Argon2 position: where we construct the block right now. Used to distribute + * work between threads. + */ +typedef struct Argon2_position_t { + uint32_t pass; + uint32_t lane; + uint8_t slice; + uint32_t index; +} argon2_position_t; + +/*Struct that holds the inputs for thread handling FillSegment*/ +typedef struct Argon2_thread_data { + argon2_instance_t *instance_ptr; + argon2_position_t pos; +} argon2_thread_data; + +/*************************Argon2 core + * functions**************************************************/ + +/* + * Computes absolute position of reference block in the lane following a skewed + * distribution and using a pseudo-random value as input + * @param instance Pointer to the current instance + * @param position Pointer to the current position + * @param pseudo_rand 32-bit pseudo-random value used to determine the position + * @param same_lane Indicates if the block will be taken from the current lane. 
+ * If so we can reference the current segment + * @pre All pointers must be valid + */ +uint32_t index_alpha(const argon2_instance_t *instance, + const argon2_position_t *position, uint32_t pseudo_rand, + int same_lane); + +/* + * Function that validates all inputs against predefined restrictions and return + * an error code + * @param context Pointer to current Argon2 context + * @return ARGON2_OK if everything is all right, otherwise one of error codes + * (all defined in + */ +int validate_inputs(const argon2_context *context); + +/* + * Hashes all the inputs into @a blockhash[PREHASH_DIGEST_LENGTH], clears + * password and secret if needed + * @param context Pointer to the Argon2 internal structure containing memory + * pointer, and parameters for time and space requirements. + * @param blockhash Buffer for pre-hashing digest + * @param type Argon2 type + * @pre @a blockhash must have at least @a PREHASH_DIGEST_LENGTH bytes + * allocated + */ +void initial_hash(uint8_t *blockhash, argon2_context *context, + argon2_type type); + +/* + * Function creates first 2 blocks per lane + * @param instance Pointer to the current instance + * @param blockhash Pointer to the pre-hashing digest + * @pre blockhash must point to @a PREHASH_SEED_LENGTH allocated values + */ +void fill_first_blocks(uint8_t *blockhash, const argon2_instance_t *instance); + +/* + * Function allocates memory, hashes the inputs with Blake, and creates first + * two blocks. Returns the pointer to the main memory with 2 blocks per lane + * initialized + * @param context Pointer to the Argon2 internal structure containing memory + * pointer, and parameters for time and space requirements. + * @param instance Current Argon2 instance + * @return Zero if successful, -1 if memory failed to allocate. @context->state + * will be modified if successful. + */ +int initialize(argon2_instance_t *instance, argon2_context *context); + +/* + * XORing the last block of each lane, hashing it, making the tag. 
Deallocates + * the memory. + * @param context Pointer to current Argon2 context (use only the out parameters + * from it) + * @param instance Pointer to current instance of Argon2 + * @pre instance->state must point to necessary amount of memory + * @pre context->out must point to outlen bytes of memory + * @pre if context->free_cbk is not NULL, it should point to a function that + * deallocates memory + */ +void finalize(const argon2_context *context, argon2_instance_t *instance); + +/* + * Function that fills the segment using previous segments also from other + * threads + * @param instance Pointer to the current instance + * @param position Current position + * @pre all block pointers must be valid + */ +typedef int (*fill_segment_fn)(const argon2_instance_t *instance, + argon2_position_t position); +int argon2_pick_best_implementation(void); +int fill_segment_ssse3(const argon2_instance_t *instance, + argon2_position_t position); +int fill_segment_ref(const argon2_instance_t *instance, + argon2_position_t position); + +/* + * Function that fills the entire memory t_cost times based on the first two + * blocks in each lane + * @param instance Pointer to the current instance + * @return Zero if successful, -1 if memory failed to allocate + */ +int fill_memory_blocks(argon2_instance_t *instance); + +#endif diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-encoding.c b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-encoding.c new file mode 100644 index 0000000000..5b8d6c4350 --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-encoding.c 
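Review bot: The doc comments on initialize() and finalize() refer to fields this header does not declare — `@context->state will be modified` and `@pre instance->state must point to necessary amount of memory` — while the `Argon2_instance_t` declared a few lines above keeps its memory in `region` (a `block_region *`). The `@return Zero if successful, -1 if memory failed to allocate` lines on initialize() and fill_memory_blocks() also disagree with the implementation in this patch, where initialize() returns ARGON2_INCORRECT_PARAMETER for a NULL instance or context and otherwise propagates allocate_memory()'s ARGON2_* code. I would rewrite the initialize() contract as `@return ARGON2_OK on success, ARGON2_INCORRECT_PARAMETER if instance or context is NULL, otherwise the error code from allocate_memory(); instance->region is populated on success`, change the finalize() precondition to `@pre instance->region must hold the allocated block memory`, and complete the truncated `(all defined in` sentence on validate_inputs() with the header it means. The `print_internals` field would benefit from a note that it is a debugging aid which would dump password-derived block contents if anything honoured it; nothing visible in this patch reads it, so marking it as debug-only (or dropping it) avoids a future footgun in a password-hashing path.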
@@ -0,0 +1,444 @@ +#include +#include +#include +#include +#include "argon2-core.h" +#include "argon2-encoding.h" + +/* + * Example code for a decoder and encoder of "hash strings", with Argon2 + * parameters. + * + * This code comprises three sections: + * + * -- The first section contains generic Base64 encoding and decoding + * functions. It is conceptually applicable to any hash function + * implementation that uses Base64 to encode and decode parameters, + * salts and outputs. It could be made into a library, provided that + * the relevant functions are made public (non-static) and be given + * reasonable names to avoid collisions with other functions. + * + * -- The second section is specific to Argon2. It encodes and decodes + * the parameters, salts and outputs. It does not compute the hash + * itself. + * + * -- The third section is test code, with a main() function. With + * this section, the whole file compiles as a stand-alone program + * that exercises the encoding and decoding functions with some + * test vectors. + * + * The code was originally written by Thomas Pornin , + * to whom comments and remarks may be sent. It is released under what + * should amount to Public Domain or its closest equivalent; the + * following mantra is supposed to incarnate that fact with all the + * proper legal rituals: + * + * --------------------------------------------------------------------- + * This file is provided under the terms of Creative Commons CC0 1.0 + * Public Domain Dedication. To the extent possible under law, the + * author (Thomas Pornin) has waived all copyright and related or + * neighboring rights to this file. This work is published from: Canada. + * --------------------------------------------------------------------- + * + * Copyright (c) 2015 Thomas Pornin + */ + +/* ==================================================================== */ +/* + * Common code; could be shared between different hash functions. 
+ * + * Note: the Base64 functions below assume that uppercase letters (resp. + * lowercase letters) have consecutive numerical codes, that fit on 8 + * bits. All modern systems use ASCII-compatible charsets, where these + * properties are true. If you are stuck with a dinosaur of a system + * that still defaults to EBCDIC then you already have much bigger + * interoperability issues to deal with. + */ + +/* + * Some macros for constant-time comparisons. These work over values in + * the 0..255 range. Returned value is 0x00 on "false", 0xFF on "true". + */ +#define EQ(x, y) ((((0U - ((unsigned)(x) ^ (unsigned)(y))) >> 8) & 0xFF) ^ 0xFF) +#define GT(x, y) ((((unsigned)(y) - (unsigned)(x)) >> 8) & 0xFF) +#define GE(x, y) (GT(y, x) ^ 0xFF) +#define LT(x, y) GT(y, x) +#define LE(x, y) GE(y, x) + +/* + * Convert value x (0..63) to corresponding Base64 character. + */ +static int b64_byte_to_char(unsigned x) { + return (LT(x, 26) & (x + 'A')) | + (GE(x, 26) & LT(x, 52) & (x + ('a' - 26))) | + (GE(x, 52) & LT(x, 62) & (x + ('0' - 52))) | (EQ(x, 62) & '+') | + (EQ(x, 63) & '/'); +} + +/* + * Convert character c to the corresponding 6-bit value. If character c + * is not a Base64 character, then 0xFF (255) is returned. + */ +static unsigned b64_char_to_byte(int c) { + unsigned x; + + x = (GE(c, 'A') & LE(c, 'Z') & (c - 'A')) | + (GE(c, 'a') & LE(c, 'z') & (c - ('a' - 26))) | + (GE(c, '0') & LE(c, '9') & (c - ('0' - 52))) | (EQ(c, '+') & 62) | + (EQ(c, '/') & 63); + return x | (EQ(x, 0) & (EQ(c, 'A') ^ 0xFF)); +} + +/* + * Convert some bytes to Base64. 'dst_len' is the length (in characters) + * of the output buffer 'dst'; if that buffer is not large enough to + * receive the result (including the terminating 0), then (size_t)-1 + * is returned. Otherwise, the zero-terminated Base64 string is written + * in the buffer, and the output length (counted WITHOUT the terminating + * zero) is returned. 
+ */ +static size_t to_base64(char *dst, size_t dst_len, const void *src, + size_t src_len) { + size_t olen; + const unsigned char *buf; + unsigned acc, acc_len; + + olen = (src_len / 3) << 2; + switch (src_len % 3) { + case 2: + olen++; + /* fall through */ + case 1: + olen += 2; + break; + } + if (dst_len <= olen) { + return (size_t)-1; + } + acc = 0; + acc_len = 0; + buf = (const unsigned char *)src; + while (src_len-- > 0) { + acc = (acc << 8) + (*buf++); + acc_len += 8; + while (acc_len >= 6) { + acc_len -= 6; + *dst++ = (char)b64_byte_to_char((acc >> acc_len) & 0x3F); + } + } + if (acc_len > 0) { + *dst++ = (char)b64_byte_to_char((acc << (6 - acc_len)) & 0x3F); + } + *dst++ = 0; + return olen; +} + +/* + * Decode Base64 chars into bytes. The '*dst_len' value must initially + * contain the length of the output buffer '*dst'; when the decoding + * ends, the actual number of decoded bytes is written back in + * '*dst_len'. + * + * Decoding stops when a non-Base64 character is encountered, or when + * the output buffer capacity is exceeded. If an error occurred (output + * buffer is too small, invalid last characters leading to unprocessed + * buffered bits), then NULL is returned; otherwise, the returned value + * points to the first non-Base64 character in the source stream, which + * may be the terminating zero. + */ +static const char *from_base64(void *dst, size_t *dst_len, const char *src) { + size_t len; + unsigned char *buf; + unsigned acc, acc_len; + + buf = (unsigned char *)dst; + len = 0; + acc = 0; + acc_len = 0; + for (;;) { + unsigned d; + + d = b64_char_to_byte(*src); + if (d == 0xFF) { + break; + } + src++; + acc = (acc << 6) + d; + acc_len += 6; + if (acc_len >= 8) { + acc_len -= 8; + if ((len++) >= *dst_len) { + return NULL; + } + *buf++ = (acc >> acc_len) & 0xFF; + } + } + + /* + * If the input length is equal to 1 modulo 4 (which is + * invalid), then there will remain 6 unprocessed bits; + * otherwise, only 0, 2 or 4 bits are buffered. 
The buffered + * bits must also all be zero. + */ + if (acc_len > 4 || (acc & ((1U << acc_len) - 1)) != 0) { + return NULL; + } + *dst_len = len; + return src; +} + +/* + * Decode decimal integer from 'str'; the value is written in '*v'. + * Returned value is a pointer to the next non-decimal character in the + * string. If there is no digit at all, or the value encoding is not + * minimal (extra leading zeros), or the value does not fit in an + * 'unsigned long', then NULL is returned. + */ +static const char *decode_decimal(const char *str, unsigned long *v) { + const char *orig; + unsigned long acc; + + acc = 0; + for (orig = str;; str++) { + int c; + + c = *str; + if (c < '0' || c > '9') { + break; + } + c -= '0'; + if (acc > (ULONG_MAX / 10)) { + return NULL; + } + acc *= 10; + if ((unsigned long)c > (ULONG_MAX - acc)) { + return NULL; + } + acc += (unsigned long)c; + } + if (str == orig || (*orig == '0' && str != (orig + 1))) { + return NULL; + } + *v = acc; + return str; +} + +/* ==================================================================== */ +/* + * Code specific to Argon2. + * + * The code below applies the following format: + * + * $argon2$v=$m=,t=,p=[,keyid=][,data=][$[$]] + * + * where is either 'd' or 'i', is a decimal integer (positive, fits in an 'unsigned long') + * and is Base64-encoded data (no '=' padding characters, no newline + * or whitespace). The "keyid" is a binary identifier for a key (up to 8 + * bytes); "data" is associated data (up to 32 bytes). When the 'keyid' + * (resp. the 'data') is empty, then it is ommitted from the output. + * + * The last two binary chunks (encoded in Base64) are, in that order, + * the salt and the output. Both are optional, but you cannot have an + * output without a salt. The binary salt length is between 8 and 48 bytes. + * The output length is always exactly 32 bytes. + */ + +/* + * Decode an Argon2i hash string into the provided structure 'ctx'. + * Returned value is ARGON2_OK on success. 
+ */ +int decode_string(argon2_context *ctx, const char *str, argon2_type type) { + /* Prefix checking */ +#define CC(prefix) \ + do { \ + size_t cc_len = strlen(prefix); \ + if (strncmp(str, prefix, cc_len) != 0) { \ + return ARGON2_DECODING_FAIL; \ + } \ + str += cc_len; \ + } while ((void)0, 0) + + /* Prefix checking with supplied code */ +#define CC_opt(prefix, code) \ + do { \ + size_t cc_len = strlen(prefix); \ + if (strncmp(str, prefix, cc_len) == 0) { \ + str += cc_len; \ + { code; } \ + } \ + } while ((void)0, 0) + + /* Decoding prefix into decimal */ +#define DECIMAL(x) \ + do { \ + unsigned long dec_x; \ + str = decode_decimal(str, &dec_x); \ + if (str == NULL) { \ + return ARGON2_DECODING_FAIL; \ + } \ + (x) = dec_x; \ + } while ((void)0, 0) + + /* Decoding prefix into binary */ +#define BIN(buf, max_len, len) \ + do { \ + size_t bin_len = (max_len); \ + str = from_base64(buf, &bin_len, str); \ + if (str == NULL || bin_len > UINT32_MAX) { \ + return ARGON2_DECODING_FAIL; \ + } \ + (len) = (uint32_t)bin_len; \ + } while ((void)0, 0) + + size_t maxadlen = ctx->adlen; + size_t maxsaltlen = ctx->saltlen; + size_t maxoutlen = ctx->outlen; + unsigned long version = 0; + int validation_result; + + ctx->adlen = 0; + ctx->saltlen = 0; + ctx->outlen = 0; + ctx->pwdlen = 0; + if (type == Argon2_i) { + CC("$argon2i"); + } else { + return ARGON2_INCORRECT_TYPE; + } + CC("$v="); + DECIMAL(version); + if (version != ARGON2_VERSION_NUMBER) { + return ARGON2_INCORRECT_TYPE; + } + CC("$m="); + DECIMAL(ctx->m_cost); + CC(",t="); + DECIMAL(ctx->t_cost); + CC(",p="); + DECIMAL(ctx->lanes); + ctx->threads = ctx->lanes; + + CC_opt(",data=", BIN(ctx->ad, maxadlen, ctx->adlen)); + if (*str == 0) { + return ARGON2_OK; + } + CC("$"); + BIN(ctx->salt, maxsaltlen, ctx->saltlen); + if (*str == 0) { + return ARGON2_OK; + } + CC("$"); + BIN(ctx->out, maxoutlen, ctx->outlen); + validation_result = validate_inputs(ctx); + if (validation_result != ARGON2_OK) { + return validation_result; 
+ } + if (*str == 0) { + return ARGON2_OK; + } + return ARGON2_DECODING_FAIL; + +#undef CC +#undef CC_opt +#undef DECIMAL +#undef BIN +} + +#define U32_STR_MAXSIZE 11U + +static void u32_to_string(char *str, uint32_t x) { + char tmp[U32_STR_MAXSIZE - 1U]; + size_t i; + + i = sizeof tmp; + do { + tmp[--i] = (x % (uint32_t) 10U) + '0'; + x /= (uint32_t) 10U; + } while (x != 0U && i != 0U); + memcpy(str, &tmp[i], (sizeof tmp) - i); + str[(sizeof tmp) - i] = 0; +} + +/* + * Encode an argon2i hash string into the provided buffer. 'dst_len' + * contains the size, in characters, of the 'dst' buffer; if 'dst_len' + * is less than the number of required characters (including the + * terminating 0), then this function returns 0. + * + * If pp->output_len is 0, then the hash string will be a salt string + * (no output). if pp->salt_len is also 0, then the string will be a + * parameter-only string (no salt and no output). + * + * On success, ARGON2_OK is returned. + */ +int encode_string(char *dst, size_t dst_len, argon2_context *ctx, + argon2_type type) { +#define SS(str) \ + do { \ + size_t pp_len = strlen(str); \ + if (pp_len >= dst_len) { \ + return ARGON2_ENCODING_FAIL; \ + } \ + memcpy(dst, str, pp_len + 1); \ + dst += pp_len; \ + dst_len -= pp_len; \ + } while ((void)0, 0) + +#define SX(x) \ + do { \ + char tmp[U32_STR_MAXSIZE]; \ + u32_to_string(tmp, x); \ + SS(tmp); \ + } while ((void)0, 0) + +#define SB(buf, len) \ + do { \ + size_t sb_len = to_base64(dst, dst_len, buf, len); \ + if (sb_len == (size_t)-1) { \ + return ARGON2_ENCODING_FAIL; \ + } \ + dst += sb_len; \ + dst_len -= sb_len; \ + } while ((void)0, 0) + + int validation_result; + + if (type == Argon2_i) { + SS("$argon2i$v="); + } else { + return ARGON2_ENCODING_FAIL; + } + validation_result = validate_inputs(ctx); + if (validation_result != ARGON2_OK) { + return validation_result; + } + SX(ARGON2_VERSION_NUMBER); + SS("$m="); + SX(ctx->m_cost); + SS(",t="); + SX(ctx->t_cost); + SS(",p="); + SX(ctx->lanes); 
+ + if (ctx->adlen > 0) { + SS(",data="); + SB(ctx->ad, ctx->adlen); + } + + if (ctx->saltlen == 0) { + return ARGON2_OK; + } + SS("$"); + SB(ctx->salt, ctx->saltlen); + + if (ctx->outlen == 0) { + return ARGON2_OK; + } + SS("$"); + SB(ctx->out, ctx->outlen); + return ARGON2_OK; + +#undef SS +#undef SX +#undef SB +} diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-encoding.h b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-encoding.h new file mode 100644 index 0000000000..7366004bbb --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-encoding.h @@ -0,0 +1,32 @@ +#ifndef argon2_encoding_H +#define argon2_encoding_H + +#include "argon2.h" + +/* + * encode an Argon2 hash string into the provided buffer. 'dst_len' + * contains the size, in characters, of the 'dst' buffer; if 'dst_len' + * is less than the number of required characters (including the + * terminating 0), then this function returns 0. + * + * if ctx->outlen is 0, then the hash string will be a salt string + * (no output). if ctx->saltlen is also 0, then the string will be a + * parameter-only string (no salt and no output). + * + * On success, ARGON2_OK is returned. + * + * No other parameters are checked + */ +int encode_string(char *dst, size_t dst_len, argon2_context *ctx, + argon2_type type); + +/* + * Decodes an Argon2 hash string into the provided structure 'ctx'. + * The fields ctx.saltlen, ctx.adlen, ctx.outlen set the maximal salt, ad, out length values + * that are allowed; invalid input string causes an error + * + * Returned value is ARGON2_OK on success. + */ +int decode_string(argon2_context *ctx, const char *str, argon2_type type); + +#endif diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ref.c b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ref.c new file mode 100644 index 0000000000..b7df197e3b --- /dev/null 
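Review bot: The DECIMAL() macro in decode_string() stores the `unsigned long` that decode_decimal() accepts — anything up to ULONG_MAX — straight into the `uint32_t` fields m_cost, t_cost and lanes, so on a target where unsigned long is 64 bits a parameter such as `m=4294967312` silently truncates to 16 before validate_inputs() ever sees it; the macro should reject out-of-range values with `if (str == NULL || dec_x > UINT32_MAX) { return ARGON2_DECODING_FAIL; }` followed by `(x) = (uint32_t)dec_x;`. A second strictness gap is in from_base64(): it calls `b64_char_to_byte(*src)` with a plain `char`, although the EQ/GT macros are documented as valid only for values in 0..255; on a signed-char ABI a byte at or above 0x80 arrives as a huge unsigned value, EQ() then yields 0xFF for every comparison and the byte decodes as 63 instead of terminating the string. Passing `d = b64_char_to_byte((unsigned char)*src);` keeps the macros in their documented range and makes such a byte fall through to the 0xFF "not base64" return. Neither issue is memory-unsafe (the writes stay bounded by dst_len), but both let a non-canonical hash string decode without ARGON2_DECODING_FAIL.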
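Review bot: The contract in this header disagrees with the implementation in argon2-encoding.c on two points: encode_string() returns `ARGON2_ENCODING_FAIL`, not 0, when dst_len is too small (see its SS macro), and it does call validate_inputs(ctx) before emitting the parameters, so "No other parameters are checked" is wrong. I would reword those lines to `then this function returns ARGON2_ENCODING_FAIL` and `ctx is passed through validate_inputs() first; any ARGON2_* error it reports is returned unchanged`. For decode_string() the sentence "invalid input string causes an error" should also state that validate_inputs() runs only when the string carries an output hash — a parameter-only or salt-only string returns ARGON2_OK with its cost parameters unchecked, so callers must not treat that result as validated.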
+++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ref.c 
@@ -0,0 +1,229 @@ +/* + * Argon2 source code package + * + * Written by Daniel Dinu and Dmitry Khovratovich, 2015 + * + * This work is licensed under a Creative Commons CC0 1.0 License/Waiver. + * + * You should have received a copy of the CC0 Public Domain Dedication along + * with + * this software. If not, see + * . + */ + +#include +#include +#include + +#include "argon2.h" +#include "argon2-core.h" +#include "argon2-impl.h" +#include "blamka-round-ref.h" + +static void fill_block(const block *prev_block, const block *ref_block, + block *next_block) { + block blockR, block_tmp; + unsigned i; + + copy_block(&blockR, ref_block); + xor_block(&blockR, prev_block); + copy_block(&block_tmp, &blockR); + /* Now blockR = ref_block + prev_block and bloc_tmp = ref_block + prev_block + Apply Blake2 on columns of 64-bit words: (0,1,...,15), then + (16,17,..31)... finally (112,113,...127) */ + for (i = 0; i < 8; ++i) { + BLAKE2_ROUND_NOMSG( + blockR.v[16 * i], blockR.v[16 * i + 1], blockR.v[16 * i + 2], + blockR.v[16 * i + 3], blockR.v[16 * i + 4], blockR.v[16 * i + 5], + blockR.v[16 * i + 6], blockR.v[16 * i + 7], blockR.v[16 * i + 8], + blockR.v[16 * i + 9], blockR.v[16 * i + 10], blockR.v[16 * i + 11], + blockR.v[16 * i + 12], blockR.v[16 * i + 13], blockR.v[16 * i + 14], + blockR.v[16 * i + 15]); + } + + /* Apply Blake2 on rows of 64-bit words: (0,1,16,17,...112,113), then + (2,3,18,19,...,114,115).. 
finally (14,15,30,31,...,126,127) */ + for (i = 0; i < 8; i++) { + BLAKE2_ROUND_NOMSG( + blockR.v[2 * i], blockR.v[2 * i + 1], blockR.v[2 * i + 16], + blockR.v[2 * i + 17], blockR.v[2 * i + 32], blockR.v[2 * i + 33], + blockR.v[2 * i + 48], blockR.v[2 * i + 49], blockR.v[2 * i + 64], + blockR.v[2 * i + 65], blockR.v[2 * i + 80], blockR.v[2 * i + 81], + blockR.v[2 * i + 96], blockR.v[2 * i + 97], blockR.v[2 * i + 112], + blockR.v[2 * i + 113]); + } + + copy_block(next_block, &block_tmp); + xor_block(next_block, &blockR); +} + +static void fill_block_with_xor(const block *prev_block, const block *ref_block, + block *next_block) { + block blockR, block_tmp; + unsigned i; + + copy_block(&blockR, ref_block); + xor_block(&blockR, prev_block); + copy_block(&block_tmp, &blockR); + xor_block(&block_tmp, next_block); /* Saving the next block contents for XOR over */ + /* Now blockR = ref_block + prev_block and bloc_tmp = ref_block + prev_block + next_block */ + /* Apply Blake2 on columns of 64-bit words: (0,1,...,15) , then + (16,17,..31)... finally (112,113,...127) */ + for (i = 0; i < 8; ++i) { + BLAKE2_ROUND_NOMSG( + blockR.v[16 * i], blockR.v[16 * i + 1], blockR.v[16 * i + 2], + blockR.v[16 * i + 3], blockR.v[16 * i + 4], blockR.v[16 * i + 5], + blockR.v[16 * i + 6], blockR.v[16 * i + 7], blockR.v[16 * i + 8], + blockR.v[16 * i + 9], blockR.v[16 * i + 10], blockR.v[16 * i + 11], + blockR.v[16 * i + 12], blockR.v[16 * i + 13], blockR.v[16 * i + 14], + blockR.v[16 * i + 15]); + } + + /* Apply Blake2 on rows of 64-bit words: (0,1,16,17,...112,113), then + (2,3,18,19,...,114,115).. 
finally (14,15,30,31,...,126,127) */ + for (i = 0; i < 8; i++) { + BLAKE2_ROUND_NOMSG( + blockR.v[2 * i], blockR.v[2 * i + 1], blockR.v[2 * i + 16], + blockR.v[2 * i + 17], blockR.v[2 * i + 32], blockR.v[2 * i + 33], + blockR.v[2 * i + 48], blockR.v[2 * i + 49], blockR.v[2 * i + 64], + blockR.v[2 * i + 65], blockR.v[2 * i + 80], blockR.v[2 * i + 81], + blockR.v[2 * i + 96], blockR.v[2 * i + 97], blockR.v[2 * i + 112], + blockR.v[2 * i + 113]); + } + + copy_block(next_block, &block_tmp); + xor_block(next_block, &blockR); +} + +/* + * Generate pseudo-random values to reference blocks in the segment and puts + * them into the array + * @param instance Pointer to the current instance + * @param position Pointer to the current position + * @param pseudo_rands Pointer to the array of 64-bit values + * @pre pseudo_rands must point to @a instance->segment_length allocated values + */ +static void generate_addresses(const argon2_instance_t *instance, + const argon2_position_t *position, + uint64_t *pseudo_rands) { + block zero_block, input_block, address_block, tmp_block; + uint32_t i; + + init_block_value(&zero_block, 0); + init_block_value(&input_block, 0); + + if (instance != NULL && position != NULL) { + input_block.v[0] = position->pass; + input_block.v[1] = position->lane; + input_block.v[2] = position->slice; + input_block.v[3] = instance->memory_blocks; + input_block.v[4] = instance->passes; + input_block.v[5] = instance->type; + + for (i = 0; i < instance->segment_length; ++i) { + if (i % ARGON2_ADDRESSES_IN_BLOCK == 0) { + input_block.v[6]++; + init_block_value(&tmp_block, 0); + init_block_value(&address_block, 0); + fill_block_with_xor(&zero_block, &input_block, &tmp_block); + fill_block_with_xor(&zero_block, &tmp_block, &address_block); + } + + pseudo_rands[i] = address_block.v[i % ARGON2_ADDRESSES_IN_BLOCK]; + } + } +} + +int fill_segment_ref(const argon2_instance_t *instance, + argon2_position_t position) { + block *ref_block = NULL, *curr_block = NULL; + 
uint64_t pseudo_rand, ref_index, ref_lane; + uint32_t prev_offset, curr_offset; + uint32_t starting_index; + uint32_t i; + const int data_independent_addressing = 1; /* instance->type == Argon2_i */ + /* Pseudo-random values that determine the reference block position */ + uint64_t *pseudo_rands = NULL; + + if (instance == NULL) { + return ARGON2_OK; + } + + pseudo_rands = + (uint64_t *)malloc(sizeof(uint64_t) * (instance->segment_length)); + + if (pseudo_rands == NULL) { + return ARGON2_MEMORY_ALLOCATION_ERROR; + } + + if (data_independent_addressing) { + generate_addresses(instance, &position, pseudo_rands); + } + + starting_index = 0; + + if ((0 == position.pass) && (0 == position.slice)) { + starting_index = 2; /* we have already generated the first two blocks */ + } + + /* Offset of the current block */ + curr_offset = position.lane * instance->lane_length + + position.slice * instance->segment_length + starting_index; + + if (0 == curr_offset % instance->lane_length) { + /* Last block in this lane */ + prev_offset = curr_offset + instance->lane_length - 1; + } else { + /* Previous block */ + prev_offset = curr_offset - 1; + } + + for (i = starting_index; i < instance->segment_length; + ++i, ++curr_offset, ++prev_offset) { + /*1.1 Rotating prev_offset if needed */ + if (curr_offset % instance->lane_length == 1) { + prev_offset = curr_offset - 1; + } + + /* 1.2 Computing the index of the reference block */ + /* 1.2.1 Taking pseudo-random value from the previous block */ + if (data_independent_addressing) { +#pragma warning(push) +#pragma warning(disable: 6385) + pseudo_rand = pseudo_rands[i]; +#pragma warning(pop) + } else { + pseudo_rand = instance->region->memory[prev_offset].v[0]; + } + + /* 1.2.2 Computing the lane of the reference block */ + ref_lane = ((pseudo_rand >> 32)) % instance->lanes; + + if ((position.pass == 0) && (position.slice == 0)) { + /* Can not reference other lanes yet */ + ref_lane = position.lane; + } + + /* 1.2.3 Computing the number 
of possible reference block within the + * lane. + */ + position.index = i; + ref_index = index_alpha(instance, &position, pseudo_rand & 0xFFFFFFFF, + ref_lane == position.lane); + + /* 2 Creating a new block */ + ref_block = + instance->region->memory + instance->lane_length * ref_lane + ref_index; + curr_block = instance->region->memory + curr_offset; + if (position.pass != 0) { + fill_block_with_xor(instance->region->memory + prev_offset, ref_block, curr_block); + } else { + fill_block(instance->region->memory + prev_offset, ref_block, curr_block); + } + } + + free(pseudo_rands); + + return ARGON2_OK; +} + diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ssse3.c b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ssse3.c new file mode 100644 index 0000000000..ba2617fa0b --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ssse3.c 
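Review bot: fill_segment_ref() answers `instance == NULL` with `return ARGON2_OK;`, reporting success for a call that filled nothing, whereas initialize() in this same patch treats a NULL instance as ARGON2_INCORRECT_PARAMETER; the guard should read `return ARGON2_INCORRECT_PARAMETER;` so a broken caller cannot end up with untouched memory and a success code. The `#pragma warning(push)` / `#pragma warning(disable: 6385)` / `#pragma warning(pop)` around the pseudo_rands[i] read are MSVC-only and trigger -Wunknown-pragmas on GCC/Clang builds such as this router tree; wrapping them in `#ifdef _MSC_VER` keeps the build warning-clean. Since `data_independent_addressing` is hard-wired to 1 (the comment notes only Argon2i is in scope), the `else` branch that reads `memory[prev_offset].v[0]` is dead in this version — a one-line comment saying Argon2d addressing is intentionally not wired up would stop the next reader from assuming the type switch is live.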
@@ -0,0 +1,222 @@ +/* + * Argon2 source code package + * + * Written by Daniel Dinu and Dmitry Khovratovich, 2015 + * + * This work is licensed under a Creative Commons CC0 1.0 License/Waiver. + * + * You should have received a copy of the CC0 Public Domain Dedication along + * with + * this software. If not, see + * . + */ + +#include +#include +#include + +#if (defined(HAVE_EMMINTRIN_H) && defined(HAVE_TMMINTRIN_H)) || \ + (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64) || defined(_M_IX86))) + +#pragma GCC target("sse2") +#pragma GCC target("ssse3") + +#ifdef _MSC_VER +# include /* for _mm_set_epi64x */ +#endif +#include +#include + +#include "argon2.h" +#include "argon2-core.h" +#include "argon2-impl.h" +#include "blamka-round-ssse3.h" + +static void fill_block(__m128i *state, const uint8_t *ref_block, uint8_t *next_block) { + __m128i block_XY[ARGON2_OWORDS_IN_BLOCK]; + uint32_t i; + + for (i = 0; i < ARGON2_OWORDS_IN_BLOCK; i++) { + block_XY[i] = state[i] = _mm_xor_si128( + state[i], _mm_loadu_si128((__m128i const *)(&ref_block[16 * i]))); + } + + for (i = 0; i < 8; ++i) { + BLAKE2_ROUND(state[8 * i + 0], state[8 * i + 1], state[8 * i + 2], + state[8 * i + 3], state[8 * i + 4], state[8 * i + 5], + state[8 * i + 6], state[8 * i + 7]); + } + + for (i = 0; i < 8; ++i) { + BLAKE2_ROUND(state[8 * 0 + i], state[8 * 1 + i], state[8 * 2 + i], + state[8 * 3 + i], state[8 * 4 + i], state[8 * 5 + i], + state[8 * 6 + i], state[8 * 7 + i]); + } + + for (i = 0; i < ARGON2_OWORDS_IN_BLOCK; i++) { + state[i] = _mm_xor_si128(state[i], block_XY[i]); + _mm_storeu_si128((__m128i *)(&next_block[16 * i]), state[i]); + } +} + +static void fill_block_with_xor(__m128i *state, const uint8_t *ref_block, uint8_t *next_block) { + __m128i block_XY[ARGON2_OWORDS_IN_BLOCK]; + uint32_t i; + + for (i = 0; i < ARGON2_OWORDS_IN_BLOCK; i++) { + state[i] = _mm_xor_si128(state[i], _mm_loadu_si128((__m128i const *)(&ref_block[16 * i]))); + block_XY[i] = _mm_xor_si128(state[i], 
_mm_loadu_si128((__m128i const *)(&next_block[16 * i]))); + } + + for (i = 0; i < 8; ++i) { + BLAKE2_ROUND(state[8 * i + 0], state[8 * i + 1], state[8 * i + 2], + state[8 * i + 3], state[8 * i + 4], state[8 * i + 5], + state[8 * i + 6], state[8 * i + 7]); + } + + for (i = 0; i < 8; ++i) { + BLAKE2_ROUND(state[8 * 0 + i], state[8 * 1 + i], state[8 * 2 + i], + state[8 * 3 + i], state[8 * 4 + i], state[8 * 5 + i], + state[8 * 6 + i], state[8 * 7 + i]); + } + + for (i = 0; i < ARGON2_OWORDS_IN_BLOCK; i++) { + state[i] = _mm_xor_si128(state[i], block_XY[i]); + _mm_storeu_si128((__m128i *)(&next_block[16 * i]), state[i]); + } +} + +static void generate_addresses(const argon2_instance_t *instance, + const argon2_position_t *position, + uint64_t *pseudo_rands) { + block address_block, input_block, tmp_block; + uint32_t i; + + init_block_value(&address_block, 0); + init_block_value(&input_block, 0); + + if (instance != NULL && position != NULL) { + input_block.v[0] = position->pass; + input_block.v[1] = position->lane; + input_block.v[2] = position->slice; + input_block.v[3] = instance->memory_blocks; + input_block.v[4] = instance->passes; + input_block.v[5] = instance->type; + + for (i = 0; i < instance->segment_length; ++i) { + if (i % ARGON2_ADDRESSES_IN_BLOCK == 0) { + /* Temporary zero-initialized blocks */ + __m128i zero_block[ARGON2_OWORDS_IN_BLOCK]; + __m128i zero2_block[ARGON2_OWORDS_IN_BLOCK]; + memset(zero_block, 0, sizeof(zero_block)); + memset(zero2_block, 0, sizeof(zero2_block)); + init_block_value(&address_block, 0); + init_block_value(&tmp_block, 0); + /* Increasing index counter */ + input_block.v[6]++; + /* First iteration of G */ + fill_block_with_xor(zero_block, (uint8_t *)&input_block.v, (uint8_t *)&tmp_block.v); + /* Second iteration of G */ + fill_block_with_xor(zero2_block, (uint8_t *)&tmp_block.v, (uint8_t *)&address_block.v); + } + + pseudo_rands[i] = address_block.v[i % ARGON2_ADDRESSES_IN_BLOCK]; + } + } +} + +int fill_segment_ssse3(const 
argon2_instance_t *instance, + argon2_position_t position) { + block *ref_block = NULL, *curr_block = NULL; + uint64_t pseudo_rand, ref_index, ref_lane; + uint32_t prev_offset, curr_offset; + uint32_t starting_index, i; + __m128i state[64]; + const int data_independent_addressing = 1; /* instance->type == Argon2_i */ + + /* Pseudo-random values that determine the reference block position */ + uint64_t *pseudo_rands = NULL; + + if (instance == NULL) { + return ARGON2_OK; + } + + pseudo_rands = + (uint64_t *)malloc(sizeof(uint64_t) * instance->segment_length); + if (pseudo_rands == NULL) { + return ARGON2_MEMORY_ALLOCATION_ERROR; + } + + if (data_independent_addressing) { + generate_addresses(instance, &position, pseudo_rands); + } + + starting_index = 0; + + if ((0 == position.pass) && (0 == position.slice)) { + starting_index = 2; /* we have already generated the first two blocks */ + } + + /* Offset of the current block */ + curr_offset = position.lane * instance->lane_length + + position.slice * instance->segment_length + starting_index; + + if (0 == curr_offset % instance->lane_length) { + /* Last block in this lane */ + prev_offset = curr_offset + instance->lane_length - 1; + } else { + /* Previous block */ + prev_offset = curr_offset - 1; + } + + memcpy(state, ((instance->region->memory + prev_offset)->v), ARGON2_BLOCK_SIZE); + + for (i = starting_index; i < instance->segment_length; + ++i, ++curr_offset, ++prev_offset) { + /*1.1 Rotating prev_offset if needed */ + if (curr_offset % instance->lane_length == 1) { + prev_offset = curr_offset - 1; + } + + /* 1.2 Computing the index of the reference block */ + /* 1.2.1 Taking pseudo-random value from the previous block */ + if (data_independent_addressing) { +#pragma warning(push) +#pragma warning(disable: 6385) + pseudo_rand = pseudo_rands[i]; +#pragma warning(pop) + } else { + pseudo_rand = instance->region->memory[prev_offset].v[0]; + } + + /* 1.2.2 Computing the lane of the reference block */ + ref_lane = 
((pseudo_rand >> 32)) % instance->lanes; + + if ((position.pass == 0) && (position.slice == 0)) { + /* Can not reference other lanes yet */ + ref_lane = position.lane; + } + + /* 1.2.3 Computing the number of possible reference block within the + * lane. + */ + position.index = i; + ref_index = index_alpha(instance, &position, pseudo_rand & 0xFFFFFFFF, + ref_lane == position.lane); + + /* 2 Creating a new block */ + ref_block = + instance->region->memory + instance->lane_length * ref_lane + ref_index; + curr_block = instance->region->memory + curr_offset; + if (position.pass != 0) { + fill_block_with_xor(state, (uint8_t *)ref_block->v, (uint8_t *)curr_block->v); + } else { + fill_block(state, (uint8_t *)ref_block->v, (uint8_t *)curr_block->v); + } + } + + free(pseudo_rands); + + return ARGON2_OK; +} +#endif diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-impl.h b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-impl.h new file mode 100644 index 0000000000..be17d1c978 --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-impl.h 
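Review bot: In fill_segment_ssse3 the `else` branch that reads `instance->region->memory[prev_offset].v[0]` is unreachable, because `data_independent_addressing` is a compile-time constant `1`, and nothing in the file says the function is only valid for Argon2i. A header comment such as `/* Fills one segment using data-independent (Argon2i) addressing; relies on argon2_ctx rejecting every other type. */` would make that explicit, and the `#pragma warning(disable: 6385)` suppression deserves a one-line justification such as `/* i < segment_length, the allocated element count */`. The same dead branch and undocumented suppression appear in the reference fill_segment at the top of this chunk, whose hunk starts outside it. If the secret-dependent branch is kept as a placeholder for a future Argon2d mode, a comment saying so would stop a reader from treating it as a latent cache-timing path in the current build.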
@@ -0,0 +1,40 @@ +/* + BLAKE2 reference source code package - reference C implementations + + Written in 2012 by Samuel Neves + + To the extent possible under law, the author(s) have dedicated all copyright + and related and neighboring rights to this software to the public domain + worldwide. This software is distributed without any warranty. + + You should have received a copy of the CC0 Public Domain Dedication along with + this software. If not, see . +*/ + +#ifndef argon2_impl_H +#define argon2_impl_H + +#include +#include + +static inline uint32_t rotl32( const uint32_t w, const unsigned c ) +{ + return ( w << c ) | ( w >> ( 32 - c ) ); +} + +static inline uint64_t rotl64( const uint64_t w, const unsigned c ) +{ + return ( w << c ) | ( w >> ( 64 - c ) ); +} + +static inline uint32_t rotr32( const uint32_t w, const unsigned c ) +{ + return ( w >> c ) | ( w << ( 32 - c ) ); +} + +static inline uint64_t rotr64( const uint64_t w, const unsigned c ) +{ + return ( w >> c ) | ( w << ( 64 - c ) ); +} + +#endif diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2.c b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2.c new file mode 100644 index 0000000000..9596a8d406 --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2.c 
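Review bot: rotl32/rotr32 and rotl64/rotr64 are undefined for `c == 0` and for `c >= 32`/`c >= 64`, since `w << (32 - c)` then shifts by the full width, and nothing documents that precondition. The visible callers (the G macro in blamka-round-ref.h) only pass 16, 24, 32 and 63, so the code is correct today, but a comment such as `/* c must satisfy 0 < c < 64; shifting by the full width is undefined */` on each helper would protect the next caller. If a branch-free shape is preferred, `return (w >> c) | (w << ((-c) & 63));` for rotr64 (and the `& 31` analogue for the 32-bit versions) also handles `c == 0`.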
@@ -0,0 +1,238 @@ +/* + * Argon2 source code package + * + * Written by Daniel Dinu and Dmitry Khovratovich, 2015 + * + * This work is licensed under a Creative Commons CC0 1.0 License/Waiver. + * + * You should have received a copy of the CC0 Public Domain Dedication along + * with + * this software. If not, see + * . + */ + +#include +#include +#include +#include +#include + + +#include "utils.h" + +#include "argon2.h" +#include "argon2-encoding.h" +#include "argon2-core.h" + +int argon2_ctx(argon2_context *context, argon2_type type) { + /* 1. Validate all inputs */ + int result = validate_inputs(context); + uint32_t memory_blocks, segment_length; + argon2_instance_t instance; + + if (ARGON2_OK != result) { + return result; + } + + if (Argon2_i != type) { + return ARGON2_INCORRECT_TYPE; + } + + /* 2. Align memory size */ + /* Minimum memory_blocks = 8L blocks, where L is the number of lanes */ + memory_blocks = context->m_cost; + + if (memory_blocks < 2 * ARGON2_SYNC_POINTS * context->lanes) { + memory_blocks = 2 * ARGON2_SYNC_POINTS * context->lanes; + } + + segment_length = memory_blocks / (context->lanes * ARGON2_SYNC_POINTS); + /* Ensure that all segments have equal length */ + memory_blocks = segment_length * (context->lanes * ARGON2_SYNC_POINTS); + + instance.region = NULL; + instance.passes = context->t_cost; + instance.memory_blocks = memory_blocks; + instance.segment_length = segment_length; + instance.lane_length = segment_length * ARGON2_SYNC_POINTS; + instance.lanes = context->lanes; + instance.threads = context->threads; + instance.type = type; + + /* 3. Initialization: Hashing inputs, allocating memory, filling first + * blocks + */ + result = initialize(&instance, context); + + if (ARGON2_OK != result) { + return result; + } + + /* 4. Filling memory */ + result = fill_memory_blocks(&instance); + + if (ARGON2_OK != result) { + return result; + } + + /* 5. 
Finalization */ + finalize(context, &instance); + + return ARGON2_OK; +} + +int argon2_hash(const uint32_t t_cost, const uint32_t m_cost, + const uint32_t parallelism, const void *pwd, + const size_t pwdlen, const void *salt, const size_t saltlen, + void *hash, const size_t hashlen, char *encoded, + const size_t encodedlen, argon2_type type) { + + argon2_context context; + int result; + uint8_t *out; + + if (pwdlen > ARGON2_MAX_PWD_LENGTH) { + return ARGON2_PWD_TOO_LONG; + } + + if (hashlen > ARGON2_MAX_OUTLEN) { + return ARGON2_OUTPUT_TOO_LONG; + } + + if (saltlen > ARGON2_MAX_SALT_LENGTH) { + return ARGON2_SALT_TOO_LONG; + } + + out = (uint8_t *) malloc(hashlen); + if (!out) { + return ARGON2_MEMORY_ALLOCATION_ERROR; + } + + context.out = (uint8_t *)out; + context.outlen = (uint32_t)hashlen; + context.pwd = (uint8_t *)pwd; + context.pwdlen = (uint32_t)pwdlen; + context.salt = (uint8_t *)salt; + context.saltlen = (uint32_t)saltlen; + context.secret = NULL; + context.secretlen = 0; + context.ad = NULL; + context.adlen = 0; + context.t_cost = t_cost; + context.m_cost = m_cost; + context.lanes = parallelism; + context.threads = parallelism; + context.flags = ARGON2_DEFAULT_FLAGS; + + result = argon2_ctx(&context, type); + + if (result != ARGON2_OK) { + sodium_memzero(out, hashlen); + free(out); + return result; + } + + /* if raw hash requested, write it */ + if (hash) { + memcpy(hash, out, hashlen); + } + + /* if encoding requested, write it */ + if (encoded && encodedlen) { + if (encode_string(encoded, encodedlen, &context, type) != ARGON2_OK) { + sodium_memzero(out, hashlen); + sodium_memzero(encoded, encodedlen); + free(out); + return ARGON2_ENCODING_FAIL; + } + } + + sodium_memzero(out, hashlen); + free(out); + + return ARGON2_OK; +} + +int argon2i_hash_encoded(const uint32_t t_cost, const uint32_t m_cost, + const uint32_t parallelism, const void *pwd, + const size_t pwdlen, const void *salt, + const size_t saltlen, const size_t hashlen, + char *encoded, const 
size_t encodedlen) { + + return argon2_hash(t_cost, m_cost, parallelism, pwd, pwdlen, salt, saltlen, + NULL, hashlen, encoded, encodedlen, Argon2_i); +} + +int argon2i_hash_raw(const uint32_t t_cost, const uint32_t m_cost, + const uint32_t parallelism, const void *pwd, + const size_t pwdlen, const void *salt, + const size_t saltlen, void *hash, const size_t hashlen) { + + return argon2_hash(t_cost, m_cost, parallelism, pwd, pwdlen, salt, saltlen, + hash, hashlen, NULL, 0, Argon2_i); +} + +int argon2_verify(const char *encoded, const void *pwd, const size_t pwdlen, + argon2_type type) { + + argon2_context ctx; + uint8_t *out; + int decode_result; + int ret; + uint32_t encoded_len; + + memset(&ctx, 0, sizeof ctx); + + ctx.secret = NULL; + ctx.secretlen = 0; + + /* max values, to be updated in decode_string */ + encoded_len = (uint32_t) strlen(encoded); + ctx.adlen = encoded_len; + ctx.saltlen = encoded_len; + ctx.outlen = encoded_len; + + ctx.ad = (uint8_t *) malloc(ctx.adlen); + ctx.salt = (uint8_t *) malloc(ctx.saltlen); + ctx.out = (uint8_t *) malloc(ctx.outlen); + if (!ctx.out || !ctx.salt || !ctx.ad) { + free(ctx.ad); + free(ctx.salt); + free(ctx.out); + return ARGON2_MEMORY_ALLOCATION_ERROR; + } + out = (uint8_t *) malloc(ctx.outlen); + if (!out) { + free(ctx.ad); + free(ctx.salt); + free(ctx.out); + return ARGON2_MEMORY_ALLOCATION_ERROR; + } + + decode_result = decode_string(&ctx, encoded, type); + if (decode_result != ARGON2_OK) { + free(ctx.ad); + free(ctx.salt); + free(ctx.out); + free(out); + return decode_result; + } + + ret = argon2_hash(ctx.t_cost, ctx.m_cost, ctx.threads, pwd, pwdlen, ctx.salt, + ctx.saltlen, out, ctx.outlen, NULL, 0, type); + + free(ctx.ad); + free(ctx.salt); + + if (ret != ARGON2_OK || sodium_memcmp(out, ctx.out, ctx.outlen) != 0) { + ret = ARGON2_VERIFY_MISMATCH; + } + free(out); + free(ctx.out); + + return ret; +} + +int argon2i_verify(const char *encoded, const void *pwd, const size_t pwdlen) { + return argon2_verify(encoded, pwd, 
pwdlen, Argon2_i); +} diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2.h b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2.h new file mode 100644 index 0000000000..0e9b8ed919 --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/argon2.h 
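Review bot: argon2_verify frees `out`, the hash it just recomputed from the candidate password, without zeroing it, whereas argon2_hash a few lines above scrubs its copy with `sodium_memzero(out, hashlen)` before every `free(out)`. Adding `sodium_memzero(out, ctx.outlen);` (and, for symmetry, `sodium_memzero(ctx.out, ctx.outlen);`) before the final two frees keeps the verify path consistent with the hash path. Separately, `strlen(encoded)` runs before any NULL check, so a NULL `encoded` is undefined behaviour rather than an error code; a guard returning `ARGON2_DECODING_FAIL` at the top of the function would be cheap. The final `if` also maps an internal argon2_hash failure (for example allocation) to `ARGON2_VERIFY_MISMATCH`, which hides the real cause; that may be intentional so callers cannot distinguish the two, but it deserves a comment.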
@@ -0,0 +1,251 @@ +/* + * Argon2 source code package + * + * Written by Daniel Dinu and Dmitry Khovratovich, 2015 + * + * This work is licensed under a Creative Commons CC0 1.0 License/Waiver. + * + * You should have received a copy of the CC0 Public Domain Dedication along + * with this software. If not, see . + */ +#ifndef argon2_H +#define argon2_H + +#include +#include +#include + +/* + * Argon2 input parameter restrictions + */ + +/* Minimum and maximum number of lanes (degree of parallelism) */ +#define ARGON2_MIN_LANES UINT32_C(1) +#define ARGON2_MAX_LANES UINT32_C(0xFFFFFF) + +/* Minimum and maximum number of threads */ +#define ARGON2_MIN_THREADS UINT32_C(1) +#define ARGON2_MAX_THREADS UINT32_C(0xFFFFFF) + +/* Number of synchronization points between lanes per pass */ +#define ARGON2_SYNC_POINTS UINT32_C(4) + +/* Minimum and maximum digest size in bytes */ +#define ARGON2_MIN_OUTLEN UINT32_C(16) +#define ARGON2_MAX_OUTLEN UINT32_C(0xFFFFFFFF) + +/* Minimum and maximum number of memory blocks (each of BLOCK_SIZE bytes) */ +#define ARGON2_MIN_MEMORY (2 * ARGON2_SYNC_POINTS) /* 2 blocks per slice */ + +#define ARGON2_MIN(a, b) ((a) < (b) ? 
(a) : (b)) +/* Max memory size is half the addressing space, topping at 2^32 blocks (4 TB) */ +#define ARGON2_MAX_MEMORY_BITS \ + ARGON2_MIN(UINT32_C(32), (sizeof(void *) * CHAR_BIT - 10 - 1)) +#define ARGON2_MAX_MEMORY \ + ARGON2_MIN(UINT32_C(0xFFFFFFFF), UINT64_C(1) << ARGON2_MAX_MEMORY_BITS) + +/* Minimum and maximum number of passes */ +#define ARGON2_MIN_TIME UINT32_C(3) +#define ARGON2_MAX_TIME UINT32_C(0xFFFFFFFF) + +/* Minimum and maximum password length in bytes */ +#define ARGON2_MIN_PWD_LENGTH UINT32_C(0) +#define ARGON2_MAX_PWD_LENGTH UINT32_C(0xFFFFFFFF) + +/* Minimum and maximum associated data length in bytes */ +#define ARGON2_MIN_AD_LENGTH UINT32_C(0) +#define ARGON2_MAX_AD_LENGTH UINT32_C(0xFFFFFFFF) + +/* Minimum and maximum salt length in bytes */ +#define ARGON2_MIN_SALT_LENGTH UINT32_C(8) +#define ARGON2_MAX_SALT_LENGTH UINT32_C(0xFFFFFFFF) + +/* Minimum and maximum key length in bytes */ +#define ARGON2_MIN_SECRET UINT32_C(0) +#define ARGON2_MAX_SECRET UINT32_C(0xFFFFFFFF) + +#define ARGON2_FLAG_CLEAR_PASSWORD (UINT32_C(1) << 0) +#define ARGON2_FLAG_CLEAR_SECRET (UINT32_C(1) << 1) +#define ARGON2_FLAG_CLEAR_MEMORY (UINT32_C(1) << 2) +#define ARGON2_DEFAULT_FLAGS (ARGON2_FLAG_CLEAR_MEMORY) + +/* Error codes */ +typedef enum Argon2_ErrorCodes { + ARGON2_OK = 0, + + ARGON2_OUTPUT_PTR_NULL = -1, + + ARGON2_OUTPUT_TOO_SHORT = -2, + ARGON2_OUTPUT_TOO_LONG = -3, + + ARGON2_PWD_TOO_SHORT = -4, + ARGON2_PWD_TOO_LONG = -5, + + ARGON2_SALT_TOO_SHORT = -6, + ARGON2_SALT_TOO_LONG = -7, + + ARGON2_AD_TOO_SHORT = -8, + ARGON2_AD_TOO_LONG = -9, + + ARGON2_SECRET_TOO_SHORT = -10, + ARGON2_SECRET_TOO_LONG = -11, + + ARGON2_TIME_TOO_SMALL = -12, + ARGON2_TIME_TOO_LARGE = -13, + + ARGON2_MEMORY_TOO_LITTLE = -14, + ARGON2_MEMORY_TOO_MUCH = -15, + + ARGON2_LANES_TOO_FEW = -16, + ARGON2_LANES_TOO_MANY = -17, + + ARGON2_PWD_PTR_MISMATCH = -18, /* NULL ptr with non-zero length */ + ARGON2_SALT_PTR_MISMATCH = -19, /* NULL ptr with non-zero length */ + 
ARGON2_SECRET_PTR_MISMATCH = -20, /* NULL ptr with non-zero length */ + ARGON2_AD_PTR_MISMATCH = -21, /* NULL ptr with non-zero length */ + + ARGON2_MEMORY_ALLOCATION_ERROR = -22, + + ARGON2_FREE_MEMORY_CBK_NULL = -23, + ARGON2_ALLOCATE_MEMORY_CBK_NULL = -24, + + ARGON2_INCORRECT_PARAMETER = -25, + ARGON2_INCORRECT_TYPE = -26, + + ARGON2_OUT_PTR_MISMATCH = -27, + + ARGON2_THREADS_TOO_FEW = -28, + ARGON2_THREADS_TOO_MANY = -29, + + ARGON2_MISSING_ARGS = -30, + + ARGON2_ENCODING_FAIL = -31, + + ARGON2_DECODING_FAIL = -32, + + ARGON2_THREAD_FAIL = -33, + + ARGON2_DECODING_LENGTH_FAIL = -34, + + ARGON2_VERIFY_MISMATCH = -35 +} argon2_error_codes; + +/* Argon2 external data structures */ + +/* + * Context: structure to hold Argon2 inputs: + * output array and its length, + * password and its length, + * salt and its length, + * secret and its length, + * associated data and its length, + * number of passes, amount of used memory (in KBytes, can be rounded up a bit) + * number of parallel threads that will be run. + * All the parameters above affect the output hash value. + * Additionally, two function pointers can be provided to allocate and + * deallocate the memory (if NULL, memory will be allocated internally). + * Also, three flags indicate whether to erase password, secret as soon as they + * are pre-hashed (and thus not needed anymore), and the entire memory + ***** + * Simplest situation: you have output array out[8], password is stored in + * pwd[32], salt is stored in salt[16], you do not have keys nor associated data. + * You need to spend 1 GB of RAM and you run 5 passes of Argon2 with 4 parallel lanes. + * You want to erase the password, but you're OK with last pass not being erased. + * You want to use the default memory allocator. + * Then you initialize: + * Argon2_Context(out,8,pwd,32,salt,16,NULL,0,NULL,0,5,1<<20,4,4,NULL,NULL,true,false,false,false). 
+ */ +typedef struct Argon2_Context { + uint8_t *out; /* output array */ + uint32_t outlen; /* digest length */ + + uint8_t *pwd; /* password array */ + uint32_t pwdlen; /* password length */ + + uint8_t *salt; /* salt array */ + uint32_t saltlen; /* salt length */ + + uint8_t *secret; /* key array */ + uint32_t secretlen; /* key length */ + + uint8_t *ad; /* associated data array */ + uint32_t adlen; /* associated data length */ + + uint32_t t_cost; /* number of passes */ + uint32_t m_cost; /* amount of memory requested (KB) */ + uint32_t lanes; /* number of lanes */ + uint32_t threads; /* maximum number of threads */ + + uint32_t flags; /* array of bool options */ +} argon2_context; + +/* Argon2 primitive type */ +typedef enum Argon2_type { Argon2_i = 1 } argon2_type; + +/* + * Function that performs memory-hard hashing with certain degree of parallelism + * @param context Pointer to the Argon2 internal structure + * @return Error code if smth is wrong, ARGON2_OK otherwise + */ +int argon2_ctx(argon2_context *context, argon2_type type); + +/** + * Hashes a password with Argon2i, producing an encoded hash + * @param t_cost Number of iterations + * @param m_cost Sets memory usage to m_cost kibibytes + * @param parallelism Number of threads and compute lanes + * @param pwd Pointer to password + * @param pwdlen Password size in bytes + * @param salt Pointer to salt + * @param saltlen Salt size in bytes + * @param hashlen Desired length of the hash in bytes + * @param encoded Buffer where to write the encoded hash + * @param encodedlen Size of the buffer (thus max size of the encoded hash) + * @pre Different parallelism levels will give different results + * @pre Returns ARGON2_OK if successful + */ +int argon2i_hash_encoded(const uint32_t t_cost, const uint32_t m_cost, + const uint32_t parallelism, const void *pwd, + const size_t pwdlen, const void *salt, + const size_t saltlen, const size_t hashlen, + char *encoded, const size_t encodedlen); + +/** + * Hashes a 
password with Argon2i, producing a raw hash + * @param t_cost Number of iterations + * @param m_cost Sets memory usage to m_cost kibibytes + * @param parallelism Number of threads and compute lanes + * @param pwd Pointer to password + * @param pwdlen Password size in bytes + * @param salt Pointer to salt + * @param saltlen Salt size in bytes + * @param hash Buffer where to write the raw hash + * @param hashlen Desired length of the hash in bytes + * @pre Different parallelism levels will give different results + * @pre Returns ARGON2_OK if successful + */ +int argon2i_hash_raw(const uint32_t t_cost, const uint32_t m_cost, + const uint32_t parallelism, const void *pwd, + const size_t pwdlen, const void *salt, + const size_t saltlen, void *hash, const size_t hashlen); + +/* generic function underlying the above ones */ +int argon2_hash(const uint32_t t_cost, const uint32_t m_cost, + const uint32_t parallelism, const void *pwd, + const size_t pwdlen, const void *salt, const size_t saltlen, + void *hash, const size_t hashlen, char *encoded, + const size_t encodedlen, argon2_type type); + +/** + * Verifies a password against an encoded string + * Encoded string is restricted as in validate_inputs() + * @param encoded String encoding parameters, salt, hash + * @param pwd Pointer to password + * @pre Returns ARGON2_OK if successful + */ +int argon2i_verify(const char *encoded, const void *pwd, const size_t pwdlen); + +/* generic function underlying the above ones */ +int argon2_verify(const char *encoded, const void *pwd, const size_t pwdlen, + argon2_type type); +#endif diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/blake2b-long.c b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/blake2b-long.c new file mode 100644 index 0000000000..5e4012c222 --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/blake2b-long.c 
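Review bot: The comment above `struct Argon2_Context` describes fields this struct does not have: it speaks of two allocate/deallocate function pointers, of three separate boolean erase flags, and gives an `Argon2_Context(... NULL,NULL,true,false,false,false)` initializer, while the visible struct has no callbacks and a single `flags` bitmask built from `ARGON2_FLAG_*`. The block should be trimmed to the fields actually present, and `argon2_ctx`'s doc block should gain `@param type Argon2 variant; only Argon2_i is accepted`, which argon2.c enforces. `argon2i_verify` is also missing `@param pwdlen`, and the `@pre Returns ARGON2_OK if successful` lines in the API comments are return-value documentation and belong under `@return`.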
@@ -0,0 +1,80 @@ +#include +#include +#include +#include + +#include "crypto_generichash_blake2b.h" +#include "utils.h" +#include "private/common.h" + +#include "argon2-impl.h" +#include "blake2b-long.h" + +int blake2b_long(void *pout, size_t outlen, const void *in, size_t inlen) { + uint8_t *out = (uint8_t *)pout; + crypto_generichash_blake2b_state blake_state; + uint8_t outlen_bytes[4 /* sizeof(uint32_t) */] = {0}; + int ret = -1; + + if (outlen > UINT32_MAX) { + goto fail; /* LCOV_EXCL_LINE */ + } + + /* Ensure little-endian byte order! */ + STORE32_LE(outlen_bytes, (uint32_t)outlen); + +#define TRY(statement) \ + do { \ + ret = statement; \ + if (ret < 0) { \ + goto fail; \ + } \ + } while ((void)0, 0) + + if (outlen <= crypto_generichash_blake2b_BYTES_MAX) { + TRY(crypto_generichash_blake2b_init(&blake_state, NULL, 0U, outlen)); + TRY(crypto_generichash_blake2b_update(&blake_state, outlen_bytes, + sizeof(outlen_bytes))); + TRY(crypto_generichash_blake2b_update(&blake_state, + (const unsigned char *) in, + inlen)); + TRY(crypto_generichash_blake2b_final(&blake_state, out, outlen)); + } else { + uint32_t toproduce; + uint8_t out_buffer[crypto_generichash_blake2b_BYTES_MAX]; + uint8_t in_buffer[crypto_generichash_blake2b_BYTES_MAX]; + TRY(crypto_generichash_blake2b_init(&blake_state, NULL, 0U, + crypto_generichash_blake2b_BYTES_MAX)); + TRY(crypto_generichash_blake2b_update(&blake_state, outlen_bytes, + sizeof(outlen_bytes))); + TRY(crypto_generichash_blake2b_update(&blake_state, + (const unsigned char *) in, + inlen)); + TRY(crypto_generichash_blake2b_final(&blake_state, out_buffer, + crypto_generichash_blake2b_BYTES_MAX)); + memcpy(out, out_buffer, crypto_generichash_blake2b_BYTES_MAX / 2); + out += crypto_generichash_blake2b_BYTES_MAX / 2; + toproduce = (uint32_t)outlen - crypto_generichash_blake2b_BYTES_MAX / 2; + + while (toproduce > crypto_generichash_blake2b_BYTES_MAX) { + memcpy(in_buffer, out_buffer, crypto_generichash_blake2b_BYTES_MAX); + 
TRY(crypto_generichash_blake2b(out_buffer, crypto_generichash_blake2b_BYTES_MAX, + in_buffer, + crypto_generichash_blake2b_BYTES_MAX, + NULL, 0U)); + memcpy(out, out_buffer, crypto_generichash_blake2b_BYTES_MAX / 2); + out += crypto_generichash_blake2b_BYTES_MAX / 2; + toproduce -= crypto_generichash_blake2b_BYTES_MAX / 2; + } + + memcpy(in_buffer, out_buffer, crypto_generichash_blake2b_BYTES_MAX); + TRY(crypto_generichash_blake2b(out_buffer, toproduce, in_buffer, + crypto_generichash_blake2b_BYTES_MAX, + NULL, 0U)); + memcpy(out, out_buffer, toproduce); + } +fail: + sodium_memzero(&blake_state, sizeof(blake_state)); + return ret; +#undef TRY +} diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/blake2b-long.h b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/blake2b-long.h new file mode 100644 index 0000000000..3d6d775521 --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/blake2b-long.h @@ -0,0 +1,8 @@ +#ifndef blake2b_long_H +#define blake2b_long_H + +#include + +int blake2b_long(void *pout, size_t outlen, const void *in, size_t inlen); + +#endif diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/blamka-round-ref.h b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/blamka-round-ref.h new file mode 100644 index 0000000000..2ed2760c35 --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/blamka-round-ref.h 
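Review bot: In the `else` branch of blake2b_long, `out_buffer` and `in_buffer` hold intermediate digest material derived from the same input as the output, yet only `blake_state` is scrubbed at `fail:`; a `TRY` failure also leaves the scope without touching them. Moving the two declarations to function scope and adding `sodium_memzero(out_buffer, sizeof out_buffer);` and `sodium_memzero(in_buffer, sizeof in_buffer);` next to the existing memzero at `fail:` would cover both the normal and the early-exit paths. Whether the stack residue matters depends on what the callers feed this function, which is outside this hunk, but the cost is two lines and it matches the existing scrub of `blake_state`. The `#undef TRY` placed after `return ret;` is valid preprocessor-wise but reads oddly; moving it to just after the branch that uses the macro would be clearer.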
@@ -0,0 +1,38 @@ +#ifndef blamka_round_ref_H +#define blamka_round_ref_H + +#include "argon2-impl.h" + +/*designed by the Lyra PHC team */ +static inline uint64_t fBlaMka(uint64_t x, uint64_t y) { + const uint64_t m = UINT64_C(0xFFFFFFFF); + const uint64_t xy = (x & m) * (y & m); + return x + y + 2 * xy; +} + +#define G(a, b, c, d) \ + do { \ + a = fBlaMka(a, b); \ + d = rotr64(d ^ a, 32); \ + c = fBlaMka(c, d); \ + b = rotr64(b ^ c, 24); \ + a = fBlaMka(a, b); \ + d = rotr64(d ^ a, 16); \ + c = fBlaMka(c, d); \ + b = rotr64(b ^ c, 63); \ + } while ((void)0, 0) + +#define BLAKE2_ROUND_NOMSG(v0, v1, v2, v3, v4, v5, v6, v7, v8, v9, v10, v11, \ + v12, v13, v14, v15) \ + do { \ + G(v0, v4, v8, v12); \ + G(v1, v5, v9, v13); \ + G(v2, v6, v10, v14); \ + G(v3, v7, v11, v15); \ + G(v0, v5, v10, v15); \ + G(v1, v6, v11, v12); \ + G(v2, v7, v8, v13); \ + G(v3, v4, v9, v14); \ + } while ((void)0, 0) + +#endif diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/blamka-round-ssse3.h b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/blamka-round-ssse3.h new file mode 100644 index 0000000000..07d158ec7d --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/blamka-round-ssse3.h 
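Review bot: fBlaMka's comment says who designed it but not what it computes, and the `2 * xy` is easy to misread as a possible overflow rather than the intended modular arithmetic. A comment such as `/* x + y + 2 * (low32(x) * low32(y)), all mod 2^64; the wrap is intentional */` would settle that. The macro names `G` and `BLAKE2_ROUND_NOMSG` are unguarded, very generic names in a header; either `#undef` them where they are last used or give them an argon2-specific prefix, since any other blake2 header defining `G` in the same translation unit would collide. The rotation constants 32, 24, 16 and 63 satisfy the `0 < c < 64` precondition of rotr64 in argon2-impl.h, which is worth noting in a comment since that helper is undefined for `c == 0`.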
@@ -0,0 +1,117 @@ +#ifndef blamka_round_ssse3_H +#define blamka_round_ssse3_H + +#include "argon2-impl.h" + +#define r16 \ + (_mm_setr_epi8(2, 3, 4, 5, 6, 7, 0, 1, 10, 11, 12, 13, 14, 15, 8, 9)) +#define r24 \ + (_mm_setr_epi8(3, 4, 5, 6, 7, 0, 1, 2, 11, 12, 13, 14, 15, 8, 9, 10)) +#define _mm_roti_epi64(x, c) \ + (-(c) == 32) \ + ? _mm_shuffle_epi32((x), _MM_SHUFFLE(2, 3, 0, 1)) \ + : (-(c) == 24) \ + ? _mm_shuffle_epi8((x), r24) \ + : (-(c) == 16) \ + ? _mm_shuffle_epi8((x), r16) \ + : (-(c) == 63) \ + ? _mm_xor_si128(_mm_srli_epi64((x), -(c)), \ + _mm_add_epi64((x), (x))) \ + : _mm_xor_si128(_mm_srli_epi64((x), -(c)), \ + _mm_slli_epi64((x), 64 - (-(c)))) + +static inline __m128i fBlaMka(__m128i x, __m128i y) { + const __m128i z = _mm_mul_epu32(x, y); + return _mm_add_epi64(_mm_add_epi64(x, y), _mm_add_epi64(z, z)); +} + +#define G1(A0, B0, C0, D0, A1, B1, C1, D1) \ + do { \ + A0 = fBlaMka(A0, B0); \ + A1 = fBlaMka(A1, B1); \ + \ + D0 = _mm_xor_si128(D0, A0); \ + D1 = _mm_xor_si128(D1, A1); \ + \ + D0 = _mm_roti_epi64(D0, -32); \ + D1 = _mm_roti_epi64(D1, -32); \ + \ + C0 = fBlaMka(C0, D0); \ + C1 = fBlaMka(C1, D1); \ + \ + B0 = _mm_xor_si128(B0, C0); \ + B1 = _mm_xor_si128(B1, C1); \ + \ + B0 = _mm_roti_epi64(B0, -24); \ + B1 = _mm_roti_epi64(B1, -24); \ + } while ((void)0, 0) + +#define G2(A0, B0, C0, D0, A1, B1, C1, D1) \ + do { \ + A0 = fBlaMka(A0, B0); \ + A1 = fBlaMka(A1, B1); \ + \ + D0 = _mm_xor_si128(D0, A0); \ + D1 = _mm_xor_si128(D1, A1); \ + \ + D0 = _mm_roti_epi64(D0, -16); \ + D1 = _mm_roti_epi64(D1, -16); \ + \ + C0 = fBlaMka(C0, D0); \ + C1 = fBlaMka(C1, D1); \ + \ + B0 = _mm_xor_si128(B0, C0); \ + B1 = _mm_xor_si128(B1, C1); \ + \ + B0 = _mm_roti_epi64(B0, -63); \ + B1 = _mm_roti_epi64(B1, -63); \ + } while ((void)0, 0) + +#define DIAGONALIZE(A0, B0, C0, D0, A1, B1, C1, D1) \ + do { \ + __m128i t0 = _mm_alignr_epi8(B1, B0, 8); \ + __m128i t1 = _mm_alignr_epi8(B0, B1, 8); \ + B0 = t0; \ + B1 = t1; \ + \ + t0 = C0; \ + C0 = C1; \ + C1 = t0; \ + \ 
+ t0 = _mm_alignr_epi8(D1, D0, 8); \ + t1 = _mm_alignr_epi8(D0, D1, 8); \ + D0 = t1; \ + D1 = t0; \ + } while ((void)0, 0) + +#define UNDIAGONALIZE(A0, B0, C0, D0, A1, B1, C1, D1) \ + do { \ + __m128i t0 = _mm_alignr_epi8(B0, B1, 8); \ + __m128i t1 = _mm_alignr_epi8(B1, B0, 8); \ + B0 = t0; \ + B1 = t1; \ + \ + t0 = C0; \ + C0 = C1; \ + C1 = t0; \ + \ + t0 = _mm_alignr_epi8(D0, D1, 8); \ + t1 = _mm_alignr_epi8(D1, D0, 8); \ + D0 = t1; \ + D1 = t0; \ + } while ((void)0, 0) + +#define BLAKE2_ROUND(A0, A1, B0, B1, C0, C1, D0, D1) \ + do { \ + G1(A0, B0, C0, D0, A1, B1, C1, D1); \ + G2(A0, B0, C0, D0, A1, B1, C1, D1); \ + \ + DIAGONALIZE(A0, B0, C0, D0, A1, B1, C1, D1); \ + \ + G1(A0, B0, C0, D0, A1, B1, C1, D1); \ + G2(A0, B0, C0, D0, A1, B1, C1, D1); \ + \ + UNDIAGONALIZE(A0, B0, C0, D0, A1, B1, C1, D1); \ + } while ((void)0, 0) + +#endif diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/pwhash_argon2i.c b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/pwhash_argon2i.c new file mode 100644 index 0000000000..6665d2fb24 --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/argon2/pwhash_argon2i.c 
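Review bot: The `_mm_roti_epi64(x, c)` macro's expansion, a chain of conditional expressions, is not wrapped in parentheses, so it is only safe as the entire right-hand side of an assignment as G1/G2 use it; any use inside a larger expression would silently rebind. Wrapping the whole body in one outer pair, `#define _mm_roti_epi64(x, c) ( (-(c) == 32) ? ... )`, fixes that at no cost. The name begins with an underscore at file scope, which C reserves for the implementation and which here deliberately mimics a real intrinsic, so a toolchain that ships a same-named builtin would clash; a project prefix such as `argon2_roti_epi64` avoids that, and the same applies to `r16` and `r24`, which are two-character macros leaking from a header. Since `c` is always a negative literal here, `-(c)` works, but a one-line comment saying the argument is the negated rotation amount would spare readers the double negation.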
@@ -0,0 +1,164 @@
+
+#include
+#include
+#include
+#include
+#include
+
+#include "argon2.h"
+#include "argon2-core.h"
+#include "crypto_pwhash_argon2i.h"
+#include "randombytes.h"
+#include "utils.h"
+
+#define STR_HASHBYTES 32U
+
+int
+crypto_pwhash_argon2i_alg_argon2i13(void)
+{
+ return crypto_pwhash_argon2i_ALG_ARGON2I13;
+}
+
+size_t
+crypto_pwhash_argon2i_saltbytes(void)
+{
+ return crypto_pwhash_argon2i_SALTBYTES;
+}
+
+size_t
+crypto_pwhash_argon2i_strbytes(void)
+{
+ return crypto_pwhash_argon2i_STRBYTES;
+}
+
+const char *
+crypto_pwhash_argon2i_strprefix(void)
+{
+ return crypto_pwhash_argon2i_STRPREFIX;
+}
+
+size_t
+crypto_pwhash_argon2i_opslimit_interactive(void)
+{
+ return crypto_pwhash_argon2i_OPSLIMIT_INTERACTIVE;
+}
+
+size_t
+crypto_pwhash_argon2i_memlimit_interactive(void)
+{
+ return crypto_pwhash_argon2i_MEMLIMIT_INTERACTIVE;
+}
+
+size_t
+crypto_pwhash_argon2i_opslimit_moderate(void)
+{
+ return crypto_pwhash_argon2i_OPSLIMIT_MODERATE;
+}
+
+size_t
+crypto_pwhash_argon2i_memlimit_moderate(void)
+{
+ return crypto_pwhash_argon2i_MEMLIMIT_MODERATE;
+}
+
+size_t
+crypto_pwhash_argon2i_opslimit_sensitive(void)
+{
+ return crypto_pwhash_argon2i_OPSLIMIT_SENSITIVE;
+}
+
+size_t
+crypto_pwhash_argon2i_memlimit_sensitive(void)
+{
+ return crypto_pwhash_argon2i_MEMLIMIT_SENSITIVE;
+}
+
+int
+crypto_pwhash_argon2i(unsigned char * const out,
+ unsigned long long outlen,
+ const char * const passwd,
+ unsigned long long passwdlen,
+ const unsigned char * const salt,
+ unsigned long long opslimit,
+ size_t memlimit, int alg)
+{
+ if (alg != crypto_pwhash_argon2i_ALG_ARGON2I13) {
+ return -1;
+ }
+ memlimit /= 1024U;
+ if (outlen > ARGON2_MAX_OUTLEN || passwdlen > ARGON2_MAX_PWD_LENGTH ||
+ opslimit > ARGON2_MAX_TIME || memlimit > ARGON2_MAX_MEMORY) {
+ errno = EFBIG;
+ return -1;
+ }
+ if (outlen < ARGON2_MIN_OUTLEN || passwdlen < ARGON2_MIN_PWD_LENGTH ||
+ opslimit < ARGON2_MIN_TIME || memlimit < ARGON2_MIN_MEMORY) {
+ errno = EINVAL;
+ return -1;
+ }
+ if (argon2i_hash_raw((uint32_t) opslimit, (uint32_t) memlimit,
+ (uint32_t) 1U, passwd, (size_t) passwdlen,
+ salt, (size_t) crypto_pwhash_argon2i_SALTBYTES,
+ out, (size_t) outlen) != ARGON2_OK) {
+ return -1; /* LCOV_EXCL_LINE */
+ }
+ return 0;
+}
+
+int
+crypto_pwhash_argon2i_str(char out[crypto_pwhash_argon2i_STRBYTES],
+ const char * const passwd,
+ unsigned long long passwdlen,
+ unsigned long long opslimit,
+ size_t memlimit)
+{
+ unsigned char salt[crypto_pwhash_argon2i_SALTBYTES];
+
+ memset(out, 0, crypto_pwhash_argon2i_STRBYTES);
+ memlimit /= 1024U;
+ if (passwdlen > ARGON2_MAX_PWD_LENGTH ||
+ opslimit > ARGON2_MAX_TIME || memlimit > ARGON2_MAX_MEMORY) {
+ errno = EFBIG;
+ return -1;
+ }
+ if (passwdlen < ARGON2_MIN_PWD_LENGTH ||
+ opslimit < ARGON2_MIN_TIME || memlimit < ARGON2_MIN_MEMORY) {
+ errno = EINVAL;
+ return -1;
+ }
+ randombytes_buf(salt, sizeof salt);
+ if (argon2i_hash_encoded((uint32_t) opslimit, (uint32_t) memlimit,
+ (uint32_t) 1U, passwd, (size_t) passwdlen,
+ salt, sizeof salt, STR_HASHBYTES,
+ out, crypto_pwhash_argon2i_STRBYTES) != ARGON2_OK) {
+ return -1; /* LCOV_EXCL_LINE */
+ }
+ return 0;
+}
+
+int
+crypto_pwhash_argon2i_str_verify(const char str[crypto_pwhash_argon2i_STRBYTES],
+ const char * const passwd,
+ unsigned long long passwdlen)
+{
+ if (passwdlen > ARGON2_MAX_PWD_LENGTH) {
+ errno = EFBIG;
+ return -1;
+ }
+/* LCOV_EXCL_START */
+ if (passwdlen < ARGON2_MIN_PWD_LENGTH) {
+ errno = EINVAL;
+ return -1;
+ }
+/* LCOV_EXCL_STOP */
+ if (argon2i_verify(str, passwd, (size_t) passwdlen) != ARGON2_OK) {
+ return -1;
+ }
+ return 0;
+}
+
+int
+_crypto_pwhash_argon2i_pick_best_implementation(void)
+{
+ return argon2_pick_best_implementation();
+}
diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/crypto_pwhash.c b/release/src/router/libsodium/src/libsodium/crypto_pwhash/crypto_pwhash.c
new file mode 100644
index 0000000000..d6227f87e4
--- /dev/null
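Review bot: `crypto_pwhash_argon2i()` returns -1 on an unsupported `alg` without setting `errno`, while every other failure path in the same function reports `EFBIG` or `EINVAL` and the `crypto_pwhash()` wrapper in this commit sets `EINVAL` for the very same condition; adding `errno = EINVAL;` before that `return -1;` keeps direct callers that inspect errno from reading a stale value. The `memlimit /= 1024U;` line in both `crypto_pwhash_argon2i()` and `crypto_pwhash_argon2i_str()` deserves a why-comment, e.g. `/* memlimit is given in bytes; the argon2 core takes kibibytes */`, since a caller reading the public API only sees a byte count. The `(uint32_t)` casts on `opslimit` and `memlimit` are presumably only lossless because the preceding `ARGON2_MAX_*` comparisons bound them; a one-line comment saying so would stop a future reorder of the checks from silently truncating.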
+++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/crypto_pwhash.c 
@@ -0,0 +1,106 @@
+
+#include
+
+#include "crypto_pwhash.h"
+
+int
+crypto_pwhash_alg_argon2i13(void)
+{
+ return crypto_pwhash_ALG_ARGON2I13;
+}
+
+int
+crypto_pwhash_alg_default(void)
+{
+ return crypto_pwhash_ALG_ARGON2I13;
+}
+
+size_t
+crypto_pwhash_saltbytes(void)
+{
+ return crypto_pwhash_SALTBYTES;
+}
+
+size_t
+crypto_pwhash_strbytes(void)
+{
+ return crypto_pwhash_STRBYTES;
+}
+
+const char *
+crypto_pwhash_strprefix(void)
+{
+ return crypto_pwhash_STRPREFIX;
+}
+
+size_t
+crypto_pwhash_opslimit_interactive(void)
+{
+ return crypto_pwhash_OPSLIMIT_INTERACTIVE;
+}
+
+size_t
+crypto_pwhash_memlimit_interactive(void)
+{
+ return crypto_pwhash_MEMLIMIT_INTERACTIVE;
+}
+
+size_t
+crypto_pwhash_opslimit_moderate(void)
+{
+ return crypto_pwhash_OPSLIMIT_MODERATE;
+}
+
+size_t
+crypto_pwhash_memlimit_moderate(void)
+{
+ return crypto_pwhash_MEMLIMIT_MODERATE;
+}
+
+size_t
+crypto_pwhash_opslimit_sensitive(void)
+{
+ return crypto_pwhash_OPSLIMIT_SENSITIVE;
+}
+
+size_t
+crypto_pwhash_memlimit_sensitive(void)
+{
+ return crypto_pwhash_MEMLIMIT_SENSITIVE;
+}
+
+int
+crypto_pwhash(unsigned char * const out, unsigned long long outlen,
+ const char * const passwd, unsigned long long passwdlen,
+ const unsigned char * const salt,
+ unsigned long long opslimit, size_t memlimit, int alg)
+{
+ if (alg != crypto_pwhash_ALG_ARGON2I13) {
+ errno = EINVAL;
+ return -1;
+ }
+ return crypto_pwhash_argon2i(out, outlen, passwd, passwdlen, salt,
+ opslimit, memlimit, alg);
+}
+
+int
+crypto_pwhash_str(char out[crypto_pwhash_STRBYTES],
+ const char * const passwd, unsigned long long passwdlen,
+ unsigned long long opslimit, size_t memlimit)
+{
+ return crypto_pwhash_argon2i_str(out, passwd, passwdlen,
+ opslimit, memlimit);
+}
+
+int
+crypto_pwhash_str_verify(const char str[crypto_pwhash_STRBYTES],
+ const char * const passwd,
+ unsigned long long passwdlen)
+{
+ return crypto_pwhash_argon2i_str_verify(str, passwd, passwdlen);
+}
+
+const char *
+crypto_pwhash_primitive(void) {
+ return crypto_pwhash_PRIMITIVE;
+}
diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c b/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c
index 8e9aceff9c..c65463d4d7 100644
--- a/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c
+++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c
@@ -129,7 +129,7 @@ escrypt_r(escrypt_local_t * local, const uint8_t * passwd, size_t passwdlen, return NULL; } src++; - N = (uint64_t)1 << N_log2; + N = (uint64_t) 1 << N_log2; src = decode64_uint32(&r, 30, src); if (!src) {
diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt.h b/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt.h
index a0b92cfc42..000b682bbd 100644
--- a/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt.h
+++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt.h
@@ -50,13 +50,13 @@ #define BYTES2CHARS(bytes) ((((bytes) * 8) + 5) / 6) typedef struct { - void * base, * aligned; - size_t size; + void * base, * aligned; + size_t size; } escrypt_region_t; typedef union { - uint64_t d[8]; - uint32_t w[16]; + uint64_t d[8]; + uint32_t w[16]; } escrypt_block_t; typedef escrypt_region_t escrypt_local_t;
diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c b/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c
index 4786e5bf4f..3332517afe 100644
--- a/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c
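Review bot: `crypto_pwhash_primitive(void) {` opens its brace on the signature line, whereas every other definition in crypto_pwhash.c puts `{` on a line of its own; writing `crypto_pwhash_primitive(void)` followed by `{` on the next line keeps the file uniform. `crypto_pwhash_alg_default()` returns the argon2i13 constant with no explanation, and a comment such as `/* argon2i13 is the only algorithm this module dispatches to, see crypto_pwhash() */` would tell readers the default is tied to the `alg` check below rather than being an arbitrary choice. The `crypto_pwhash()` entry point validates `alg` and sets `errno = EINVAL` before delegating, which is the behaviour callers should rely on; documenting that on the function would make the contract explicit.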
+++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c @@ -35,64 +35,64 @@ #include #include "../pbkdf2-sha256.h" -#include "../sysendian.h" #include "../crypto_scrypt.h" +#include "private/common.h" static inline void blkcpy_64(escrypt_block_t *dest, const escrypt_block_t *src) { - int i; + int i; #if (ARCH_BITS==32) - for (i = 0; i < 16; ++i) - dest->w[i] = src->w[i]; + for (i = 0; i < 16; ++i) + dest->w[i] = src->w[i]; #else - for (i = 0; i < 8; ++i) - dest->d[i] = src->d[i]; + for (i = 0; i < 8; ++i) + dest->d[i] = src->d[i]; #endif } static inline void blkxor_64(escrypt_block_t *dest, const escrypt_block_t *src) { - int i; + int i; #if (ARCH_BITS==32) - for (i = 0; i < 16; ++i) - dest->w[i] ^= src->w[i]; + for (i = 0; i < 16; ++i) + dest->w[i] ^= src->w[i]; #else - for (i = 0; i < 8; ++i) - dest->d[i] ^= src->d[i]; + for (i = 0; i < 8; ++i) + dest->d[i] ^= src->d[i]; #endif } static inline void blkcpy(escrypt_block_t *dest, const escrypt_block_t *src, size_t len) { - size_t i, L; + size_t i, L; #if (ARCH_BITS==32) - L = (len>>2); - for (i = 0; i < L; ++i) - dest->w[i] = src->w[i]; + L = (len>>2); + for (i = 0; i < L; ++i) + dest->w[i] = src->w[i]; #else - L = (len>>3); - for (i = 0; i < L; ++i) - dest->d[i] = src->d[i]; + L = (len>>3); + for (i = 0; i < L; ++i) + dest->d[i] = src->d[i]; #endif } static inline void blkxor(escrypt_block_t *dest, const escrypt_block_t *src, size_t len) { - size_t i, L; + size_t i, L; #if (ARCH_BITS==32) - L = (len>>2); - for (i = 0; i < L; ++i) - dest->w[i] ^= src->w[i]; + L = (len>>2); + for (i = 0; i < L; ++i) + dest->w[i] ^= src->w[i]; #else - L = (len>>3); - for (i = 0; i < L; ++i) - dest->d[i] ^= src->d[i]; + L = (len>>3); + for (i = 0; i < L; ++i) + dest->d[i] ^= src->d[i]; #endif } 
@@ -103,42 +103,42 @@ blkxor(escrypt_block_t *dest, const escrypt_block_t *src, size_t len) static void salsa20_8(uint32_t B[16]) { - escrypt_block_t X; - uint32_t *x = X.w; - size_t i; + escrypt_block_t X; + uint32_t *x = X.w; + size_t i; - blkcpy_64(&X, (escrypt_block_t*)B); - for (i = 0; i < 8; i += 2) { + blkcpy_64(&X, (escrypt_block_t*)B); + for (i = 0; i < 8; i += 2) { #define R(a,b) (((a) << (b)) | ((a) >> (32 - (b)))) - /* Operate on columns. */ - x[ 4] ^= R(x[ 0]+x[12], 7); x[ 8] ^= R(x[ 4]+x[ 0], 9); - x[12] ^= R(x[ 8]+x[ 4],13); x[ 0] ^= R(x[12]+x[ 8],18); + /* Operate on columns. */ + x[ 4] ^= R(x[ 0]+x[12], 7); x[ 8] ^= R(x[ 4]+x[ 0], 9); + x[12] ^= R(x[ 8]+x[ 4],13); x[ 0] ^= R(x[12]+x[ 8],18); - x[ 9] ^= R(x[ 5]+x[ 1], 7); x[13] ^= R(x[ 9]+x[ 5], 9); - x[ 1] ^= R(x[13]+x[ 9],13); x[ 5] ^= R(x[ 1]+x[13],18); + x[ 9] ^= R(x[ 5]+x[ 1], 7); x[13] ^= R(x[ 9]+x[ 5], 9); + x[ 1] ^= R(x[13]+x[ 9],13); x[ 5] ^= R(x[ 1]+x[13],18); - x[14] ^= R(x[10]+x[ 6], 7); x[ 2] ^= R(x[14]+x[10], 9); - x[ 6] ^= R(x[ 2]+x[14],13); x[10] ^= R(x[ 6]+x[ 2],18); + x[14] ^= R(x[10]+x[ 6], 7); x[ 2] ^= R(x[14]+x[10], 9); + x[ 6] ^= R(x[ 2]+x[14],13); x[10] ^= R(x[ 6]+x[ 2],18); - x[ 3] ^= R(x[15]+x[11], 7); x[ 7] ^= R(x[ 3]+x[15], 9); - x[11] ^= R(x[ 7]+x[ 3],13); x[15] ^= R(x[11]+x[ 7],18); + x[ 3] ^= R(x[15]+x[11], 7); x[ 7] ^= R(x[ 3]+x[15], 9); + x[11] ^= R(x[ 7]+x[ 3],13); x[15] ^= R(x[11]+x[ 7],18); - /* Operate on rows. */ - x[ 1] ^= R(x[ 0]+x[ 3], 7); x[ 2] ^= R(x[ 1]+x[ 0], 9); - x[ 3] ^= R(x[ 2]+x[ 1],13); x[ 0] ^= R(x[ 3]+x[ 2],18); + /* Operate on rows. 
*/ + x[ 1] ^= R(x[ 0]+x[ 3], 7); x[ 2] ^= R(x[ 1]+x[ 0], 9); + x[ 3] ^= R(x[ 2]+x[ 1],13); x[ 0] ^= R(x[ 3]+x[ 2],18); - x[ 6] ^= R(x[ 5]+x[ 4], 7); x[ 7] ^= R(x[ 6]+x[ 5], 9); - x[ 4] ^= R(x[ 7]+x[ 6],13); x[ 5] ^= R(x[ 4]+x[ 7],18); + x[ 6] ^= R(x[ 5]+x[ 4], 7); x[ 7] ^= R(x[ 6]+x[ 5], 9); + x[ 4] ^= R(x[ 7]+x[ 6],13); x[ 5] ^= R(x[ 4]+x[ 7],18); - x[11] ^= R(x[10]+x[ 9], 7); x[ 8] ^= R(x[11]+x[10], 9); - x[ 9] ^= R(x[ 8]+x[11],13); x[10] ^= R(x[ 9]+x[ 8],18); + x[11] ^= R(x[10]+x[ 9], 7); x[ 8] ^= R(x[11]+x[10], 9); + x[ 9] ^= R(x[ 8]+x[11],13); x[10] ^= R(x[ 9]+x[ 8],18); - x[12] ^= R(x[15]+x[14], 7); x[13] ^= R(x[12]+x[15], 9); - x[14] ^= R(x[13]+x[12],13); x[15] ^= R(x[14]+x[13],18); + x[12] ^= R(x[15]+x[14], 7); x[13] ^= R(x[12]+x[15], 9); + x[14] ^= R(x[13]+x[12],13); x[15] ^= R(x[14]+x[13],18); #undef R - } - for (i = 0; i < 16; i++) - B[i] += x[i]; + } + for (i = 0; i < 16; i++) + B[i] += x[i]; } /** 
@@ -150,29 +150,29 @@ salsa20_8(uint32_t B[16]) static void blockmix_salsa8(const uint32_t * Bin, uint32_t * Bout, uint32_t * X, size_t r) { - size_t i; + size_t i; - /* 1: X <-- B_{2r - 1} */ - blkcpy_64((escrypt_block_t*)X, (escrypt_block_t*)&Bin[(2 * r - 1) * 16]); + /* 1: X <-- B_{2r - 1} */ + blkcpy_64((escrypt_block_t*)X, (escrypt_block_t*)&Bin[(2 * r - 1) * 16]); - /* 2: for i = 0 to 2r - 1 do */ - for (i = 0; i < 2 * r; i += 2) { - /* 3: X <-- H(X \xor B_i) */ - blkxor_64((escrypt_block_t*)X, (escrypt_block_t*)&Bin[i * 16]); - salsa20_8(X); + /* 2: for i = 0 to 2r - 1 do */ + for (i = 0; i < 2 * r; i += 2) { + /* 3: X <-- H(X \xor B_i) */ + blkxor_64((escrypt_block_t*)X, (escrypt_block_t*)&Bin[i * 16]); + salsa20_8(X); - /* 4: Y_i <-- X */ - /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ - blkcpy_64((escrypt_block_t*)&Bout[i * 8], (escrypt_block_t*)X); + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + blkcpy_64((escrypt_block_t*)&Bout[i * 8], (escrypt_block_t*)X); - /* 3: X <-- H(X \xor B_i) */ - blkxor_64((escrypt_block_t*)X, (escrypt_block_t*)&Bin[i * 16 + 16]); - salsa20_8(X); + /* 3: X <-- H(X \xor B_i) */ + blkxor_64((escrypt_block_t*)X, (escrypt_block_t*)&Bin[i * 16 + 16]); + salsa20_8(X); - /* 4: Y_i <-- X */ - /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ - blkcpy_64((escrypt_block_t*)&Bout[i * 8 + r * 16], (escrypt_block_t*)X); - } + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + blkcpy_64((escrypt_block_t*)&Bout[i * 8 + r * 16], (escrypt_block_t*)X); + } } /** 
@@ -182,9 +182,9 @@ blockmix_salsa8(const uint32_t * Bin, uint32_t * Bout, uint32_t * X, size_t r) static inline uint64_t integerify(const void * B, size_t r) { - const uint32_t * X = (const uint32_t *)((uintptr_t)(B) + (2 * r - 1) * 64); + const uint32_t * X = (const uint32_t *)((uintptr_t)(B) + (2 * r - 1) * 64); - return (((uint64_t)(X[1]) << 32) + X[0]); + return (((uint64_t)(X[1]) << 32) + X[0]); } /** 
@@ -198,51 +198,51 @@ integerify(const void * B, size_t r) static void smix(uint8_t * B, size_t r, uint64_t N, uint32_t * V, uint32_t * XY) { - uint32_t * X = XY; - uint32_t * Y = &XY[32 * r]; - uint32_t * Z = &XY[64 * r]; - uint64_t i; - uint64_t j; - size_t k; - - /* 1: X <-- B */ - for (k = 0; k < 32 * r; k++) - X[k] = le32dec(&B[4 * k]); - - /* 2: for i = 0 to N - 1 do */ - for (i = 0; i < N; i += 2) { - /* 3: V_i <-- X */ - blkcpy((escrypt_block_t*)&V[i * (32 * r)], (escrypt_block_t*)X, 128 * r); - - /* 4: X <-- H(X) */ - blockmix_salsa8(X, Y, Z, r); - - /* 3: V_i <-- X */ - blkcpy((escrypt_block_t*)&V[(i + 1) * (32 * r)], (escrypt_block_t*)Y, 128 * r); - - /* 4: X <-- H(X) */ - blockmix_salsa8(Y, X, Z, r); - } - - /* 6: for i = 0 to N - 1 do */ - for (i = 0; i < N; i += 2) { - /* 7: j <-- Integerify(X) mod N */ - j = integerify(X, r) & (N - 1); - - /* 8: X <-- H(X \xor V_j) */ - blkxor((escrypt_block_t*)X, (escrypt_block_t*)&V[j * (32 * r)], 128 * r); - blockmix_salsa8(X, Y, Z, r); - - /* 7: j <-- Integerify(X) mod N */ - j = integerify(Y, r) & (N - 1); - - /* 8: X <-- H(X \xor V_j) */ - blkxor((escrypt_block_t*)Y, (escrypt_block_t*)&V[j * (32 * r)], 128 * r); - blockmix_salsa8(Y, X, Z, r); - } - /* 10: B' <-- X */ - for (k = 0; k < 32 * r; k++) - le32enc(&B[4 * k], X[k]); + uint32_t * X = XY; + uint32_t * Y = &XY[32 * r]; + uint32_t * Z = &XY[64 * r]; + uint64_t i; + uint64_t j; + size_t k; + + /* 1: X <-- B */ + for (k = 0; k < 32 * r; k++) + X[k] = LOAD32_LE(&B[4 * k]); + + /* 2: for i = 0 to N - 1 do */ + for (i = 0; i < N; i += 2) { + /* 3: V_i <-- X */ + blkcpy((escrypt_block_t*)&V[i * (32 * r)], (escrypt_block_t*)X, 128 * r); + + /* 4: X <-- H(X) */ + blockmix_salsa8(X, Y, Z, r); + + /* 3: V_i <-- X */ + blkcpy((escrypt_block_t*)&V[(i + 1) * (32 * r)], (escrypt_block_t*)Y, 128 * r); + + /* 4: X <-- H(X) */ + blockmix_salsa8(Y, X, Z, r); + } + + /* 6: for i = 0 to N - 1 do */ + for (i = 0; i < N; i += 2) { + /* 7: j <-- Integerify(X) mod N */ + j = 
integerify(X, r) & (N - 1); + + /* 8: X <-- H(X \xor V_j) */ + blkxor((escrypt_block_t*)X, (escrypt_block_t*)&V[j * (32 * r)], 128 * r); + blockmix_salsa8(X, Y, Z, r); + + /* 7: j <-- Integerify(X) mod N */ + j = integerify(Y, r) & (N - 1); + + /* 8: X <-- H(X \xor V_j) */ + blkxor((escrypt_block_t*)Y, (escrypt_block_t*)&V[j * (32 * r)], 128 * r); + blockmix_salsa8(Y, X, Z, r); + } + /* 10: B' <-- X */ + for (k = 0; k < 32 * r; k++) + STORE32_LE(&B[4 * k], X[k]); } /** 
@@ -262,80 +262,80 @@ escrypt_kdf_nosse(escrypt_local_t * local, uint64_t N, uint32_t _r, uint32_t _p, uint8_t * buf, size_t buflen) { - size_t B_size, V_size, XY_size, need; - uint8_t * B; - uint32_t * V, * XY; + size_t B_size, V_size, XY_size, need; + uint8_t * B; + uint32_t * V, * XY; size_t r = _r, p = _p; - uint32_t i; + uint32_t i; - /* Sanity-check parameters. */ + /* Sanity-check parameters. */ #if SIZE_MAX > UINT32_MAX - if (buflen > (((uint64_t)(1) << 32) - 1) * 32) { - errno = EFBIG; - return -1; - } + if (buflen > (((uint64_t)(1) << 32) - 1) * 32) { + errno = EFBIG; + return -1; + } #endif - if ((uint64_t)(r) * (uint64_t)(p) >= (1 << 30)) { - errno = EFBIG; - return -1; - } - if (N > UINT32_MAX) { - errno = EFBIG; - return -1; - } - if (((N & (N - 1)) != 0) || (N < 2)) { - errno = EINVAL; - return -1; - } - if (r == 0 || p == 0) { - errno = EINVAL; - return -1; - } - if ((r > SIZE_MAX / 128 / p) || + if ((uint64_t)(r) * (uint64_t)(p) >= ((uint64_t) 1 << 30)) { + errno = EFBIG; + return -1; + } + if (N > UINT32_MAX) { + errno = EFBIG; + return -1; + } + if (((N & (N - 1)) != 0) || (N < 2)) { + errno = EINVAL; + return -1; + } + if (r == 0 || p == 0) { + errno = EINVAL; + return -1; + } + if ((r > SIZE_MAX / 128 / p) || #if SIZE_MAX / 256 <= UINT32_MAX - (r > SIZE_MAX / 256) || + (r > SIZE_MAX / 256) || #endif - (N > SIZE_MAX / 128 / r)) { - errno = ENOMEM; - return -1; - } - - /* Allocate memory. */ - B_size = (size_t)128 * r * p; - V_size = (size_t)128 * r * N; - need = B_size + V_size; - if (need < V_size) { - errno = ENOMEM; - return -1; - } - XY_size = (size_t)256 * r + 64; - need += XY_size; - if (need < XY_size) { - errno = ENOMEM; - return -1; - } - if (local->size < need) { - if (free_region(local)) - return -1; - if (!alloc_region(local, need)) - return -1; - } - B = (uint8_t *)local->aligned; - V = (uint32_t *)((uint8_t *)B + B_size); - XY = (uint32_t *)((uint8_t *)V + V_size); - - /* 1: (B_0 ... 
B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */ - PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size); - - /* 2: for i = 0 to p - 1 do */ - for (i = 0; i < p; i++) { - /* 3: B_i <-- MF(B_i, N) */ - smix(&B[(size_t)128 * i * r], r, N, V, XY); - } - - /* 5: DK <-- PBKDF2(P, B, 1, dkLen) */ - PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen); - - /* Success! */ - return 0; + (N > SIZE_MAX / 128 / r)) { + errno = ENOMEM; + return -1; + } + + /* Allocate memory. */ + B_size = (size_t)128 * r * p; + V_size = (size_t)128 * r * N; + need = B_size + V_size; + if (need < V_size) { + errno = ENOMEM; + return -1; + } + XY_size = (size_t)256 * r + 64; + need += XY_size; + if (need < XY_size) { + errno = ENOMEM; + return -1; + } + if (local->size < need) { + if (free_region(local)) + return -1; + if (!alloc_region(local, need)) + return -1; + } + B = (uint8_t *)local->aligned; + V = (uint32_t *)((uint8_t *)B + B_size); + XY = (uint32_t *)((uint8_t *)V + V_size); + + /* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */ + PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size); + + /* 2: for i = 0 to p - 1 do */ + for (i = 0; i < p; i++) { + /* 3: B_i <-- MF(B_i, N) */ + smix(&B[(size_t)128 * i * r], r, N, V, XY); + } + + /* 5: DK <-- PBKDF2(P, B, 1, dkLen) */ + PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen); + + /* Success! */ + return 0; } diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c b/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c index ff6ba57754..e1efdd9505 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c +++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c 
@@ -32,8 +32,8 @@ #include "crypto_auth_hmacsha256.h" #include "pbkdf2-sha256.h" -#include "sysendian.h" #include "utils.h" +#include "private/common.h" /** * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen): @@ -60,7 +60,7 @@ PBKDF2_SHA256(const uint8_t * passwd, size_t passwdlen, const uint8_t * salt, crypto_auth_hmacsha256_update(&PShctx, salt, saltlen); for (i = 0; i * 32 < dkLen; i++) { - be32enc(ivec, (uint32_t)(i + 1)); + STORE32_BE(ivec, (uint32_t)(i + 1)); memcpy(&hctx, &PShctx, sizeof(crypto_auth_hmacsha256_state)); crypto_auth_hmacsha256_update(&hctx, ivec, 4); crypto_auth_hmacsha256_final(&hctx, U); diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c b/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c index 94eb7d99f8..7cf9f70ea5 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c +++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c @@ -11,8 +11,8 @@ #include "utils.h" #define SETTING_SIZE(saltbytes) \ - (sizeof "$7$" - 1U) + \ - (1U /* N_log2 */) + (5U /* r */) + (5U /* p */) + BYTES2CHARS(saltbytes) + ((sizeof "$7$" - 1U) + \ + (1U /* N_log2 */) + (5U /* r */) + (5U /* p */) + BYTES2CHARS(saltbytes)) static int pickparams(unsigned long long opslimit, const size_t memlimit, @@ -193,6 +193,7 @@ crypto_pwhash_scryptsalsa208sha256_str_verify(const char str[crypto_pwhash_scryp if (escrypt_init_local(&escrypt_local) != 0) { return -1; /* LCOV_EXCL_LINE */ } + memset(wanted, 0, sizeof wanted); if (escrypt_r(&escrypt_local, (const uint8_t *) passwd, (size_t) passwdlen, (const uint8_t *) str, (uint8_t *) wanted, sizeof wanted) == NULL) { 
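Review bot: The added `memset(wanted, 0, sizeof wanted);` in `crypto_pwhash_scryptsalsa208sha256_str_verify()` only initialises the buffer before `escrypt_r()` writes the recomputed hash string into it, and this hunk does not show how `wanted` is cleared once the comparison is done (the function continues past the hunk). If that later path uses a plain `memset()` or none at all, it should be `sodium_memzero(wanted, sizeof wanted);` so the wipe of password-derived material cannot be optimised away. A why-comment on the added line, `/* zero-fill so bytes escrypt_r() does not write are deterministic for the comparison */`, would record the presumable intent, since the zeroing otherwise looks redundant next to a function that fills the buffer.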
diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c b/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c index 85d4267df4..a6f2615d68 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c +++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c 
@@ -34,67 +34,67 @@ void * alloc_region(escrypt_region_t * region, size_t size) { - uint8_t * base, * aligned; + uint8_t * base, * aligned; #if defined(MAP_ANON) && defined(HAVE_MMAP) - if ((base = (uint8_t *) mmap(NULL, size, PROT_READ | PROT_WRITE, + if ((base = (uint8_t *) mmap(NULL, size, PROT_READ | PROT_WRITE, #ifdef MAP_NOCORE - MAP_ANON | MAP_PRIVATE | MAP_NOCORE, + MAP_ANON | MAP_PRIVATE | MAP_NOCORE, #else - MAP_ANON | MAP_PRIVATE, + MAP_ANON | MAP_PRIVATE, #endif - -1, 0)) == MAP_FAILED) - base = NULL; /* LCOV_EXCL_LINE */ - aligned = base; + -1, 0)) == MAP_FAILED) + base = NULL; /* LCOV_EXCL_LINE */ + aligned = base; #elif defined(HAVE_POSIX_MEMALIGN) - if ((errno = posix_memalign((void **) &base, 64, size)) != 0) - base = NULL; - aligned = base; + if ((errno = posix_memalign((void **) &base, 64, size)) != 0) + base = NULL; + aligned = base; #else - base = aligned = NULL; - if (size + 63 < size) - errno = ENOMEM; - else if ((base = (uint8_t *) malloc(size + 63)) != NULL) { - aligned = base + 63; - aligned -= (uintptr_t)aligned & 63; - } + base = aligned = NULL; + if (size + 63 < size) + errno = ENOMEM; + else if ((base = (uint8_t *) malloc(size + 63)) != NULL) { + aligned = base + 63; + aligned -= (uintptr_t)aligned & 63; + } #endif - region->base = base; - region->aligned = aligned; - region->size = base ? size : 0; - return aligned; + region->base = base; + region->aligned = aligned; + region->size = base ? 
size : 0; + return aligned; } static inline void init_region(escrypt_region_t * region) { - region->base = region->aligned = NULL; - region->size = 0; + region->base = region->aligned = NULL; + region->size = 0; } int free_region(escrypt_region_t * region) { - if (region->base) { + if (region->base) { #if defined(MAP_ANON) && defined(HAVE_MMAP) - if (munmap(region->base, region->size)) - return -1; /* LCOV_EXCL_LINE */ + if (munmap(region->base, region->size)) + return -1; /* LCOV_EXCL_LINE */ #else - free(region->base); + free(region->base); #endif - } - init_region(region); - return 0; + } + init_region(region); + return 0; } int escrypt_init_local(escrypt_local_t * local) { - init_region(local); - return 0; + init_region(local); + return 0; } int escrypt_free_local(escrypt_local_t * local) { - return free_region(local); + return free_region(local); } diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c b/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c dissimilarity index 61% index faba9f17d2..9baea8139a 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c +++ b/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c 
@@ -1,392 +1,391 @@ -/*- - * Copyright 2009 Colin Percival - * Copyright 2012,2013 Alexander Peslyak - * All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * - * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * This file was originally written by Colin Percival as part of the Tarsnap - * online backup system. 
- */ - -#if defined(HAVE_EMMINTRIN_H) || \ - (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64) || defined(_M_IX86))) -#if __GNUC__ -# pragma GCC target("sse2") -#endif -#include -#if defined(__XOP__) && defined(DISABLED) -# include -#endif - -#include -#include -#include -#include -#include - -#include "../pbkdf2-sha256.h" -#include "../sysendian.h" -#include "../crypto_scrypt.h" - -#if defined(__XOP__) && defined(DISABLED) -#define ARX(out, in1, in2, s) \ - out = _mm_xor_si128(out, _mm_roti_epi32(_mm_add_epi32(in1, in2), s)); -#else -#define ARX(out, in1, in2, s) \ - { \ - __m128i T = _mm_add_epi32(in1, in2); \ - out = _mm_xor_si128(out, _mm_slli_epi32(T, s)); \ - out = _mm_xor_si128(out, _mm_srli_epi32(T, 32-s)); \ - } -#endif - -#define SALSA20_2ROUNDS \ - /* Operate on "columns". */ \ - ARX(X1, X0, X3, 7) \ - ARX(X2, X1, X0, 9) \ - ARX(X3, X2, X1, 13) \ - ARX(X0, X3, X2, 18) \ -\ - /* Rearrange data. */ \ - X1 = _mm_shuffle_epi32(X1, 0x93); \ - X2 = _mm_shuffle_epi32(X2, 0x4E); \ - X3 = _mm_shuffle_epi32(X3, 0x39); \ -\ - /* Operate on "rows". */ \ - ARX(X3, X0, X1, 7) \ - ARX(X2, X3, X0, 9) \ - ARX(X1, X2, X3, 13) \ - ARX(X0, X1, X2, 18) \ -\ - /* Rearrange data. */ \ - X1 = _mm_shuffle_epi32(X1, 0x39); \ - X2 = _mm_shuffle_epi32(X2, 0x4E); \ - X3 = _mm_shuffle_epi32(X3, 0x93); - -/** - * Apply the salsa20/8 core to the block provided in (X0 ... X3) ^ (Z0 ... Z3). - */ -#define SALSA20_8_XOR(in, out) \ - { \ - __m128i Y0 = X0 = _mm_xor_si128(X0, (in)[0]); \ - __m128i Y1 = X1 = _mm_xor_si128(X1, (in)[1]); \ - __m128i Y2 = X2 = _mm_xor_si128(X2, (in)[2]); \ - __m128i Y3 = X3 = _mm_xor_si128(X3, (in)[3]); \ - SALSA20_2ROUNDS \ - SALSA20_2ROUNDS \ - SALSA20_2ROUNDS \ - SALSA20_2ROUNDS \ - (out)[0] = X0 = _mm_add_epi32(X0, Y0); \ - (out)[1] = X1 = _mm_add_epi32(X1, Y1); \ - (out)[2] = X2 = _mm_add_epi32(X2, Y2); \ - (out)[3] = X3 = _mm_add_epi32(X3, Y3); \ - } - -/** - * blockmix_salsa8(Bin, Bout, r): - * Compute Bout = BlockMix_{salsa20/8, r}(Bin). 
The input Bin must be 128r - * bytes in length; the output Bout must also be the same size. - */ -static inline void -blockmix_salsa8(const __m128i * Bin, __m128i * Bout, size_t r) -{ - __m128i X0, X1, X2, X3; - size_t i; - - /* 1: X <-- B_{2r - 1} */ - X0 = Bin[8 * r - 4]; - X1 = Bin[8 * r - 3]; - X2 = Bin[8 * r - 2]; - X3 = Bin[8 * r - 1]; - - /* 3: X <-- H(X \xor B_i) */ - /* 4: Y_i <-- X */ - /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ - SALSA20_8_XOR(Bin, Bout) - - /* 2: for i = 0 to 2r - 1 do */ - r--; - for (i = 0; i < r;) { - /* 3: X <-- H(X \xor B_i) */ - /* 4: Y_i <-- X */ - /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ - SALSA20_8_XOR(&Bin[i * 8 + 4], &Bout[(r + i) * 4 + 4]) - - i++; - - /* 3: X <-- H(X \xor B_i) */ - /* 4: Y_i <-- X */ - /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ - SALSA20_8_XOR(&Bin[i * 8], &Bout[i * 4]) - } - - /* 3: X <-- H(X \xor B_i) */ - /* 4: Y_i <-- X */ - /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ - SALSA20_8_XOR(&Bin[i * 8 + 4], &Bout[(r + i) * 4 + 4]) -} - -#define XOR4(in) \ - X0 = _mm_xor_si128(X0, (in)[0]); \ - X1 = _mm_xor_si128(X1, (in)[1]); \ - X2 = _mm_xor_si128(X2, (in)[2]); \ - X3 = _mm_xor_si128(X3, (in)[3]); - -#define XOR4_2(in1, in2) \ - X0 = _mm_xor_si128((in1)[0], (in2)[0]); \ - X1 = _mm_xor_si128((in1)[1], (in2)[1]); \ - X2 = _mm_xor_si128((in1)[2], (in2)[2]); \ - X3 = _mm_xor_si128((in1)[3], (in2)[3]); - -static inline uint32_t -blockmix_salsa8_xor(const __m128i * Bin1, const __m128i * Bin2, __m128i * Bout, - size_t r) -{ - __m128i X0, X1, X2, X3; - size_t i; - - /* 1: X <-- B_{2r - 1} */ - XOR4_2(&Bin1[8 * r - 4], &Bin2[8 * r - 4]) - - /* 3: X <-- H(X \xor B_i) */ - /* 4: Y_i <-- X */ - /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ - XOR4(Bin1) - SALSA20_8_XOR(Bin2, Bout) - - /* 2: for i = 0 to 2r - 1 do */ - r--; - for (i = 0; i < r;) { - /* 3: X <-- H(X \xor B_i) */ - /* 4: Y_i <-- X */ - /* 6: B' <-- (Y_0, Y_2 ... 
Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ - XOR4(&Bin1[i * 8 + 4]) - SALSA20_8_XOR(&Bin2[i * 8 + 4], &Bout[(r + i) * 4 + 4]) - - i++; - - /* 3: X <-- H(X \xor B_i) */ - /* 4: Y_i <-- X */ - /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ - XOR4(&Bin1[i * 8]) - SALSA20_8_XOR(&Bin2[i * 8], &Bout[i * 4]) - } - - /* 3: X <-- H(X \xor B_i) */ - /* 4: Y_i <-- X */ - /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ - XOR4(&Bin1[i * 8 + 4]) - SALSA20_8_XOR(&Bin2[i * 8 + 4], &Bout[(r + i) * 4 + 4]) - - return _mm_cvtsi128_si32(X0); -} - -#undef ARX -#undef SALSA20_2ROUNDS -#undef SALSA20_8_XOR -#undef XOR4 -#undef XOR4_2 - -/** - * integerify(B, r): - * Return the result of parsing B_{2r-1} as a little-endian integer. - */ -static inline uint32_t -integerify(const void * B, size_t r) -{ - return *(const uint32_t *)((uintptr_t)(B) + (2 * r - 1) * 64); -} - -/** - * smix(B, r, N, V, XY): - * Compute B = SMix_r(B, N). The input B must be 128r bytes in length; - * the temporary storage V must be 128rN bytes in length; the temporary - * storage XY must be 256r + 64 bytes in length. The value N must be a - * power of 2 greater than 1. The arrays B, V, and XY must be aligned to a - * multiple of 64 bytes. 
- */ -static void -smix(uint8_t * B, size_t r, uint32_t N, void * V, void * XY) -{ - size_t s = 128 * r; - __m128i * X = (__m128i *) V, * Y; - uint32_t * X32 = (uint32_t *) V; - uint32_t i, j; - size_t k; - - /* 1: X <-- B */ - /* 3: V_i <-- X */ - for (k = 0; k < 2 * r; k++) { - for (i = 0; i < 16; i++) { - X32[k * 16 + i] = - le32dec(&B[(k * 16 + (i * 5 % 16)) * 4]); - } - } - - /* 2: for i = 0 to N - 1 do */ - for (i = 1; i < N - 1; i += 2) { - /* 4: X <-- H(X) */ - /* 3: V_i <-- X */ - Y = (__m128i *)((uintptr_t)(V) + i * s); - blockmix_salsa8(X, Y, r); - - /* 4: X <-- H(X) */ - /* 3: V_i <-- X */ - X = (__m128i *)((uintptr_t)(V) + (i + 1) * s); - blockmix_salsa8(Y, X, r); - } - - /* 4: X <-- H(X) */ - /* 3: V_i <-- X */ - Y = (__m128i *)((uintptr_t)(V) + i * s); - blockmix_salsa8(X, Y, r); - - /* 4: X <-- H(X) */ - /* 3: V_i <-- X */ - X = (__m128i *) XY; - blockmix_salsa8(Y, X, r); - - X32 = (uint32_t *) XY; - Y = (__m128i *)((uintptr_t)(XY) + s); - - /* 7: j <-- Integerify(X) mod N */ - j = integerify(X, r) & (N - 1); - - /* 6: for i = 0 to N - 1 do */ - for (i = 0; i < N; i += 2) { - __m128i * V_j = (__m128i *)((uintptr_t)(V) + j * s); - - /* 8: X <-- H(X \xor V_j) */ - /* 7: j <-- Integerify(X) mod N */ - j = blockmix_salsa8_xor(X, V_j, Y, r) & (N - 1); - V_j = (__m128i *)((uintptr_t)(V) + j * s); - - /* 8: X <-- H(X \xor V_j) */ - /* 7: j <-- Integerify(X) mod N */ - j = blockmix_salsa8_xor(Y, V_j, X, r) & (N - 1); - } - - /* 10: B' <-- X */ - for (k = 0; k < 2 * r; k++) { - for (i = 0; i < 16; i++) { - le32enc(&B[(k * 16 + (i * 5 % 16)) * 4], - X32[k * 16 + i]); - } - } -} - -/** - * escrypt_kdf(local, passwd, passwdlen, salt, saltlen, - * N, r, p, buf, buflen): - * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r, - * p, buflen) and write the result into buf. The parameters r, p, and buflen - * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32. The parameter N - * must be a power of 2 greater than 1. 
- * - * Return 0 on success; or -1 on error. - */ -int -escrypt_kdf_sse(escrypt_local_t * local, - const uint8_t * passwd, size_t passwdlen, - const uint8_t * salt, size_t saltlen, - uint64_t N, uint32_t _r, uint32_t _p, - uint8_t * buf, size_t buflen) -{ - size_t B_size, V_size, XY_size, need; - uint8_t * B; - uint32_t * V, * XY; - size_t r = _r, p = _p; - uint32_t i; - - /* Sanity-check parameters. */ -#if SIZE_MAX > UINT32_MAX - if (buflen > (((uint64_t)(1) << 32) - 1) * 32) { - errno = EFBIG; - return -1; - } -#endif - if ((uint64_t)(r) * (uint64_t)(p) >= (1 << 30)) { - errno = EFBIG; - return -1; - } - if (N > UINT32_MAX) { - errno = EFBIG; - return -1; - } - if (((N & (N - 1)) != 0) || (N < 2)) { - errno = EINVAL; - return -1; - } - if (r == 0 || p == 0) { - errno = EINVAL; - return -1; - } - if ((r > SIZE_MAX / 128 / p) || -#if SIZE_MAX / 256 <= UINT32_MAX - (r > SIZE_MAX / 256) || -#endif - (N > SIZE_MAX / 128 / r)) { - errno = ENOMEM; - return -1; - } - - /* Allocate memory. */ - B_size = (size_t)128 * r * p; - V_size = (size_t)128 * r * N; - need = B_size + V_size; - if (need < V_size) { - errno = ENOMEM; - return -1; - } - XY_size = (size_t)256 * r + 64; - need += XY_size; - if (need < XY_size) { - errno = ENOMEM; - return -1; - } - if (local->size < need) { - if (free_region(local)) - return -1; /* LCOV_EXCL_LINE */ - if (!alloc_region(local, need)) - return -1; /* LCOV_EXCL_LINE */ - } - B = (uint8_t *)local->aligned; - V = (uint32_t *)((uint8_t *)B + B_size); - XY = (uint32_t *)((uint8_t *)V + V_size); - - /* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */ - PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size); - - /* 2: for i = 0 to p - 1 do */ - for (i = 0; i < p; i++) { - /* 3: B_i <-- MF(B_i, N) */ - smix(&B[(size_t)128 * i * r], r, (uint32_t) N, V, XY); - } - - /* 5: DK <-- PBKDF2(P, B, 1, dkLen) */ - PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen); - - /* Success! 
*/ - return 0; -} -#endif +/*- + * Copyright 2009 Colin Percival + * Copyright 2012,2013 Alexander Peslyak + * All rights reserved. + * + * Redistribution and use in source and binary forms, with or without + * modification, are permitted provided that the following conditions + * are met: + * 1. Redistributions of source code must retain the above copyright + * notice, this list of conditions and the following disclaimer. + * 2. Redistributions in binary form must reproduce the above copyright + * notice, this list of conditions and the following disclaimer in the + * documentation and/or other materials provided with the distribution. + * + * THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND + * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE + * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE + * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE + * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL + * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS + * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) + * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT + * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY + * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF + * SUCH DAMAGE. + * + * This file was originally written by Colin Percival as part of the Tarsnap + * online backup system. 
+ */ + +#if defined(HAVE_EMMINTRIN_H) || \ + (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64) || defined(_M_IX86))) +#if __GNUC__ +# pragma GCC target("sse2") +#endif +#include +#if defined(__XOP__) && defined(DISABLED) +# include +#endif + +#include +#include +#include +#include +#include + +#include "../pbkdf2-sha256.h" +#include "../crypto_scrypt.h" +#include "private/common.h" + +#if defined(__XOP__) && defined(DISABLED) +#define ARX(out, in1, in2, s) \ + out = _mm_xor_si128(out, _mm_roti_epi32(_mm_add_epi32(in1, in2), s)); +#else +#define ARX(out, in1, in2, s) \ + { \ + __m128i T = _mm_add_epi32(in1, in2); \ + out = _mm_xor_si128(out, _mm_slli_epi32(T, s)); \ + out = _mm_xor_si128(out, _mm_srli_epi32(T, 32-s)); \ + } +#endif + +#define SALSA20_2ROUNDS \ + /* Operate on "columns". */ \ + ARX(X1, X0, X3, 7) \ + ARX(X2, X1, X0, 9) \ + ARX(X3, X2, X1, 13) \ + ARX(X0, X3, X2, 18) \ +\ + /* Rearrange data. */ \ + X1 = _mm_shuffle_epi32(X1, 0x93); \ + X2 = _mm_shuffle_epi32(X2, 0x4E); \ + X3 = _mm_shuffle_epi32(X3, 0x39); \ +\ + /* Operate on "rows". */ \ + ARX(X3, X0, X1, 7) \ + ARX(X2, X3, X0, 9) \ + ARX(X1, X2, X3, 13) \ + ARX(X0, X1, X2, 18) \ +\ + /* Rearrange data. */ \ + X1 = _mm_shuffle_epi32(X1, 0x39); \ + X2 = _mm_shuffle_epi32(X2, 0x4E); \ + X3 = _mm_shuffle_epi32(X3, 0x93); + +/** + * Apply the salsa20/8 core to the block provided in (X0 ... X3) ^ (Z0 ... Z3). + */ +#define SALSA20_8_XOR(in, out) \ + { \ + __m128i Y0 = X0 = _mm_xor_si128(X0, (in)[0]); \ + __m128i Y1 = X1 = _mm_xor_si128(X1, (in)[1]); \ + __m128i Y2 = X2 = _mm_xor_si128(X2, (in)[2]); \ + __m128i Y3 = X3 = _mm_xor_si128(X3, (in)[3]); \ + SALSA20_2ROUNDS \ + SALSA20_2ROUNDS \ + SALSA20_2ROUNDS \ + SALSA20_2ROUNDS \ + (out)[0] = X0 = _mm_add_epi32(X0, Y0); \ + (out)[1] = X1 = _mm_add_epi32(X1, Y1); \ + (out)[2] = X2 = _mm_add_epi32(X2, Y2); \ + (out)[3] = X3 = _mm_add_epi32(X3, Y3); \ + } + +/** + * blockmix_salsa8(Bin, Bout, r): + * Compute Bout = BlockMix_{salsa20/8, r}(Bin). 
The input Bin must be 128r + * bytes in length; the output Bout must also be the same size. + */ +static inline void +blockmix_salsa8(const __m128i * Bin, __m128i * Bout, size_t r) +{ + __m128i X0, X1, X2, X3; + size_t i; + + /* 1: X <-- B_{2r - 1} */ + X0 = Bin[8 * r - 4]; + X1 = Bin[8 * r - 3]; + X2 = Bin[8 * r - 2]; + X3 = Bin[8 * r - 1]; + + /* 3: X <-- H(X \xor B_i) */ + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + SALSA20_8_XOR(Bin, Bout) + + /* 2: for i = 0 to 2r - 1 do */ + r--; + for (i = 0; i < r;) { + /* 3: X <-- H(X \xor B_i) */ + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + SALSA20_8_XOR(&Bin[i * 8 + 4], &Bout[(r + i) * 4 + 4]) + + i++; + + /* 3: X <-- H(X \xor B_i) */ + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + SALSA20_8_XOR(&Bin[i * 8], &Bout[i * 4]) + } + + /* 3: X <-- H(X \xor B_i) */ + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + SALSA20_8_XOR(&Bin[i * 8 + 4], &Bout[(r + i) * 4 + 4]) +} + +#define XOR4(in) \ + X0 = _mm_xor_si128(X0, (in)[0]); \ + X1 = _mm_xor_si128(X1, (in)[1]); \ + X2 = _mm_xor_si128(X2, (in)[2]); \ + X3 = _mm_xor_si128(X3, (in)[3]); + +#define XOR4_2(in1, in2) \ + X0 = _mm_xor_si128((in1)[0], (in2)[0]); \ + X1 = _mm_xor_si128((in1)[1], (in2)[1]); \ + X2 = _mm_xor_si128((in1)[2], (in2)[2]); \ + X3 = _mm_xor_si128((in1)[3], (in2)[3]); + +static inline uint32_t +blockmix_salsa8_xor(const __m128i * Bin1, const __m128i * Bin2, __m128i * Bout, + size_t r) +{ + __m128i X0, X1, X2, X3; + size_t i; + + /* 1: X <-- B_{2r - 1} */ + XOR4_2(&Bin1[8 * r - 4], &Bin2[8 * r - 4]) + + /* 3: X <-- H(X \xor B_i) */ + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + XOR4(Bin1) + SALSA20_8_XOR(Bin2, Bout) + + /* 2: for i = 0 to 2r - 1 do */ + r--; + for (i = 0; i < r;) { + /* 3: X <-- H(X \xor B_i) */ + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... 
Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + XOR4(&Bin1[i * 8 + 4]) + SALSA20_8_XOR(&Bin2[i * 8 + 4], &Bout[(r + i) * 4 + 4]) + + i++; + + /* 3: X <-- H(X \xor B_i) */ + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + XOR4(&Bin1[i * 8]) + SALSA20_8_XOR(&Bin2[i * 8], &Bout[i * 4]) + } + + /* 3: X <-- H(X \xor B_i) */ + /* 4: Y_i <-- X */ + /* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */ + XOR4(&Bin1[i * 8 + 4]) + SALSA20_8_XOR(&Bin2[i * 8 + 4], &Bout[(r + i) * 4 + 4]) + + return _mm_cvtsi128_si32(X0); +} + +#undef ARX +#undef SALSA20_2ROUNDS +#undef SALSA20_8_XOR +#undef XOR4 +#undef XOR4_2 + +/** + * integerify(B, r): + * Return the result of parsing B_{2r-1} as a little-endian integer. + */ +static inline uint32_t +integerify(const void * B, size_t r) +{ + return *(const uint32_t *)((uintptr_t)(B) + (2 * r - 1) * 64); +} + +/** + * smix(B, r, N, V, XY): + * Compute B = SMix_r(B, N). The input B must be 128r bytes in length; + * the temporary storage V must be 128rN bytes in length; the temporary + * storage XY must be 256r + 64 bytes in length. The value N must be a + * power of 2 greater than 1. The arrays B, V, and XY must be aligned to a + * multiple of 64 bytes. 
+ */ +static void +smix(uint8_t * B, size_t r, uint32_t N, void * V, void * XY) +{ + size_t s = 128 * r; + __m128i * X = (__m128i *) V, * Y; + uint32_t * X32 = (uint32_t *) V; + uint32_t i, j; + size_t k; + + /* 1: X <-- B */ + /* 3: V_i <-- X */ + for (k = 0; k < 2 * r; k++) { + for (i = 0; i < 16; i++) { + X32[k * 16 + i] = + LOAD32_LE(&B[(k * 16 + (i * 5 % 16)) * 4]); + } + } + + /* 2: for i = 0 to N - 1 do */ + for (i = 1; i < N - 1; i += 2) { + /* 4: X <-- H(X) */ + /* 3: V_i <-- X */ + Y = (__m128i *)((uintptr_t)(V) + i * s); + blockmix_salsa8(X, Y, r); + + /* 4: X <-- H(X) */ + /* 3: V_i <-- X */ + X = (__m128i *)((uintptr_t)(V) + (i + 1) * s); + blockmix_salsa8(Y, X, r); + } + + /* 4: X <-- H(X) */ + /* 3: V_i <-- X */ + Y = (__m128i *)((uintptr_t)(V) + i * s); + blockmix_salsa8(X, Y, r); + + /* 4: X <-- H(X) */ + /* 3: V_i <-- X */ + X = (__m128i *) XY; + blockmix_salsa8(Y, X, r); + + X32 = (uint32_t *) XY; + Y = (__m128i *)((uintptr_t)(XY) + s); + + /* 7: j <-- Integerify(X) mod N */ + j = integerify(X, r) & (N - 1); + + /* 6: for i = 0 to N - 1 do */ + for (i = 0; i < N; i += 2) { + __m128i * V_j = (__m128i *)((uintptr_t)(V) + j * s); + + /* 8: X <-- H(X \xor V_j) */ + /* 7: j <-- Integerify(X) mod N */ + j = blockmix_salsa8_xor(X, V_j, Y, r) & (N - 1); + V_j = (__m128i *)((uintptr_t)(V) + j * s); + + /* 8: X <-- H(X \xor V_j) */ + /* 7: j <-- Integerify(X) mod N */ + j = blockmix_salsa8_xor(Y, V_j, X, r) & (N - 1); + } + + /* 10: B' <-- X */ + for (k = 0; k < 2 * r; k++) { + for (i = 0; i < 16; i++) { + STORE32_LE(&B[(k * 16 + (i * 5 % 16)) * 4], X32[k * 16 + i]); + } + } +} + +/** + * escrypt_kdf(local, passwd, passwdlen, salt, saltlen, + * N, r, p, buf, buflen): + * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r, + * p, buflen) and write the result into buf. The parameters r, p, and buflen + * must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32. The parameter N + * must be a power of 2 greater than 1. 
+ * + * Return 0 on success; or -1 on error. + */ +int +escrypt_kdf_sse(escrypt_local_t * local, + const uint8_t * passwd, size_t passwdlen, + const uint8_t * salt, size_t saltlen, + uint64_t N, uint32_t _r, uint32_t _p, + uint8_t * buf, size_t buflen) +{ + size_t B_size, V_size, XY_size, need; + uint8_t * B; + uint32_t * V, * XY; + size_t r = _r, p = _p; + uint32_t i; + + /* Sanity-check parameters. */ +#if SIZE_MAX > UINT32_MAX + if (buflen > (((uint64_t)(1) << 32) - 1) * 32) { + errno = EFBIG; + return -1; + } +#endif + if ((uint64_t)(r) * (uint64_t)(p) >= ((uint64_t) 1 << 30)) { + errno = EFBIG; + return -1; + } + if (N > UINT32_MAX) { + errno = EFBIG; + return -1; + } + if (((N & (N - 1)) != 0) || (N < 2)) { + errno = EINVAL; + return -1; + } + if (r == 0 || p == 0) { + errno = EINVAL; + return -1; + } + if ((r > SIZE_MAX / 128 / p) || +#if SIZE_MAX / 256 <= UINT32_MAX + (r > SIZE_MAX / 256) || +#endif + (N > SIZE_MAX / 128 / r)) { + errno = ENOMEM; + return -1; + } + + /* Allocate memory. */ + B_size = (size_t)128 * r * p; + V_size = (size_t)128 * r * N; + need = B_size + V_size; + if (need < V_size) { + errno = ENOMEM; + return -1; + } + XY_size = (size_t)256 * r + 64; + need += XY_size; + if (need < XY_size) { + errno = ENOMEM; + return -1; + } + if (local->size < need) { + if (free_region(local)) + return -1; /* LCOV_EXCL_LINE */ + if (!alloc_region(local, need)) + return -1; /* LCOV_EXCL_LINE */ + } + B = (uint8_t *)local->aligned; + V = (uint32_t *)((uint8_t *)B + B_size); + XY = (uint32_t *)((uint8_t *)V + V_size); + + /* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */ + PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size); + + /* 2: for i = 0 to p - 1 do */ + for (i = 0; i < p; i++) { + /* 3: B_i <-- MF(B_i, N) */ + smix(&B[(size_t)128 * i * r], r, (uint32_t) N, V, XY); + } + + /* 5: DK <-- PBKDF2(P, B, 1, dkLen) */ + PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen); + + /* Success! */ + return 0; +} +#endif 
diff --git a/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sysendian.h b/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sysendian.h
deleted file mode 100644
index 080aae8b8b..0000000000
--- a/release/src/router/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sysendian.h
+++ /dev/null
@@ -1,146 +0,0 @@ -#ifndef sysendian_H -#define sysendian_H - -#include - -/* Avoid namespace collisions with BSD . */ -#define be16dec scrypt_be16dec -#define be16enc scrypt_be16enc -#define be32dec scrypt_be32dec -#define be32enc scrypt_be32enc -#define be64dec scrypt_be64dec -#define be64enc scrypt_be64enc -#define le16dec scrypt_le16dec -#define le16enc scrypt_le16enc -#define le32dec scrypt_le32dec -#define le32enc scrypt_le32enc -#define le64dec scrypt_le64dec -#define le64enc scrypt_le64enc - -static inline uint16_t -be16dec(const void *pp) -{ - const uint8_t *p = (uint8_t const *)pp; - - return ((uint16_t)(p[1]) + ((uint16_t)(p[0]) << 8)); -} - -static inline void -be16enc(void *pp, uint16_t x) -{ - uint8_t * p = (uint8_t *)pp; - - p[1] = x & 0xff; - p[0] = (x >> 8) & 0xff; -} - -static inline uint32_t -be32dec(const void *pp) -{ - const uint8_t *p = (uint8_t const *)pp; - - return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) + - ((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24)); -} - -static inline void -be32enc(void *pp, uint32_t x) -{ - uint8_t * p = (uint8_t *)pp; - - p[3] = x & 0xff; - p[2] = (x >> 8) & 0xff; - p[1] = (x >> 16) & 0xff; - p[0] = (x >> 24) & 0xff; -} - -static inline uint64_t -be64dec(const void *pp) -{ - const uint8_t *p = (uint8_t const *)pp; - - return ((uint64_t)(p[7]) + ((uint64_t)(p[6]) << 8) + - ((uint64_t)(p[5]) << 16) + ((uint64_t)(p[4]) << 24) + - ((uint64_t)(p[3]) << 32) + ((uint64_t)(p[2]) << 40) + - ((uint64_t)(p[1]) << 48) + ((uint64_t)(p[0]) << 56)); -} - -static inline void -be64enc(void *pp, uint64_t x) -{ - uint8_t * p = (uint8_t *)pp; - - p[7] = x & 0xff; - p[6] = (x >> 8) & 0xff; - p[5] = (x >> 16) & 0xff; - p[4] = (x >> 24) & 0xff; - p[3] = (x >> 32) & 0xff; - p[2] = (x >> 40) & 0xff; - p[1] = (x >> 48) & 0xff; - p[0] = (x >> 56) & 0xff; -} - -static inline uint16_t -le16dec(const void *pp) -{ - const uint8_t *p = (uint8_t const *)pp; - - return ((uint16_t)(p[0]) + ((uint16_t)(p[1]) << 8)); -} - -static inline void 
-le16enc(void *pp, uint16_t x) -{ - uint8_t * p = (uint8_t *)pp; - - p[0] = x & 0xff; - p[1] = (x >> 8) & 0xff; -} - -static inline uint32_t -le32dec(const void *pp) -{ - const uint8_t *p = (uint8_t const *)pp; - - return ((uint32_t)(p[0]) + ((uint32_t)(p[1]) << 8) + - ((uint32_t)(p[2]) << 16) + ((uint32_t)(p[3]) << 24)); -} - -static inline void -le32enc(void *pp, uint32_t x) -{ - uint8_t * p = (uint8_t *)pp; - - p[0] = x & 0xff; - p[1] = (x >> 8) & 0xff; - p[2] = (x >> 16) & 0xff; - p[3] = (x >> 24) & 0xff; -} - -static inline uint64_t -le64dec(const void *pp) -{ - const uint8_t *p = (uint8_t const *)pp; - - return ((uint64_t)(p[0]) + ((uint64_t)(p[1]) << 8) + - ((uint64_t)(p[2]) << 16) + ((uint64_t)(p[3]) << 24) + - ((uint64_t)(p[4]) << 32) + ((uint64_t)(p[5]) << 40) + - ((uint64_t)(p[6]) << 48) + ((uint64_t)(p[7]) << 56)); -} - -static inline void -le64enc(void *pp, uint64_t x) -{ - uint8_t * p = (uint8_t *)pp; - - p[0] = x & 0xff; - p[1] = (x >> 8) & 0xff; - p[2] = (x >> 16) & 0xff; - p[3] = (x >> 24) & 0xff; - p[4] = (x >> 32) & 0xff; - p[5] = (x >> 40) & 0xff; - p[6] = (x >> 48) & 0xff; - p[7] = (x >> 56) & 0xff; -} - -#endif /* !_SYSENDIAN_H_ */ diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/donna_c64/curve25519_donna_c64.c b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/donna_c64/curve25519_donna_c64.c index fe923ea3e2..6a278f95c6 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/donna_c64/curve25519_donna_c64.c +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/donna_c64/curve25519_donna_c64.c @@ -34,8 +34,7 @@ typedef uint8_t u8; typedef uint64_t limb; typedef limb felem[5]; -// This is a special gcc mode for 128-bit integers. It's implemented on 64-bit -// platforms only as far as I know. +/* Special gcc mode for 128-bit integers */ typedef unsigned uint128_t __attribute__ ((mode(TI))); /* Sum two numbers: output += in */ 
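Review bot: The rewritten comment on `uint128_t` drops the caveat that `__attribute__ ((mode(TI)))` is only available on 64-bit targets, which is the one thing a maintainer porting or re-enabling this file needs to know. The typedef itself is unchanged and still fails to compile on 32-bit GCC, so the removed sentence was documenting a real constraint rather than trivia; presumably the build only selects this file when a configure-time check for TI mode succeeds, but that guard is outside this hunk. Suggest keeping the constraint in the new comment style: `/* GCC's 128-bit integer mode; only available on 64-bit targets */`.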
@@ -315,7 +314,7 @@ fmonty(limb *x2, limb *z2, /* output 2Q */ memcpy(origx, x, 5 * sizeof(limb)); fsum(x, z); - fdifference_backwards(z, origx); // does x - z + fdifference_backwards(z, origx); /* does x - z */ memcpy(origxprime, xprime, sizeof(limb) * 5); fsum(xprime, zprime); @@ -332,19 +331,19 @@ fmonty(limb *x2, limb *z2, /* output 2Q */ fsquare_times(xx, x, 1); fsquare_times(zz, z, 1); fmul(x2, xx, zz); - fdifference_backwards(zz, xx); // does zz = xx - zz + fdifference_backwards(zz, xx); /* does zz = xx - zz */ fscalar_product(zzz, zz, 121665); fsum(zzz, xx); fmul(z2, zz, zzz); } -// ----------------------------------------------------------------------------- -// Maybe swap the contents of two limb arrays (@a and @b), each @len elements -// long. Perform the swap iff @swap is non-zero. -// -// This function performs the swap without leaking any side-channel -// information. -// ----------------------------------------------------------------------------- +/* ----------------------------------------------------------------------------- + Maybe swap the contents of two limb arrays (@a and @b), each @len elements + long. Perform the swap iff @swap is non-zero. + + This function performs the swap without leaking any side-channel + information. + ----------------------------------------------------------------------------- */ static void swap_conditional(limb a[5], limb b[5], limb iswap) { unsigned i; 
@@ -411,17 +410,17 @@ cmult(limb *resultx, limb *resultz, const u8 *n, const limb *q) { } -// ----------------------------------------------------------------------------- -// Shamelessly copied from djb's code, tightened a little -// ----------------------------------------------------------------------------- +/* ----------------------------------------------------------------------------- + Shamelessly copied from djb's code, tightened a little + ----------------------------------------------------------------------------- */ static void crecip(felem out, const felem z) { felem a,t0,b,c; - /* 2 */ fsquare_times(a, z, 1); // a = 2 + /* 2 */ fsquare_times(a, z, 1); /* a = 2 */ /* 8 */ fsquare_times(t0, a, 2); - /* 9 */ fmul(b, t0, z); // b = 9 - /* 11 */ fmul(a, b, a); // a = 11 + /* 9 */ fmul(b, t0, z); /* b = 9 */ + /* 11 */ fmul(a, b, a); /* a = 11 */ /* 22 */ fsquare_times(t0, a, 1); /* 2^5 - 2^0 = 31 */ fmul(b, t0, b); /* 2^10 - 2^5 */ fsquare_times(t0, b, 5); diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/donna_c64/curve25519_donna_c64.h b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/donna_c64/curve25519_donna_c64.h index c3e8d47402..d114be51fc 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/donna_c64/curve25519_donna_c64.h +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/donna_c64/curve25519_donna_c64.h @@ -2,6 +2,7 @@ #define curve25519_donna_c64_H #include "crypto_scalarmult_curve25519.h" +#include "../scalarmult_curve25519.h" extern struct crypto_scalarmult_curve25519_implementation crypto_scalarmult_curve25519_donna_c64_implementation; diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c index 5f598437be..1f06e71dab 100644 
--- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c @@ -7,7 +7,7 @@ #include "utils.h" #include "x25519_ref10.h" #include "../scalarmult_curve25519.h" -#include "../../../crypto_core/curve25519/ref10/curve25519_ref10.h" +#include "private/curve25519_ref10.h" /* Replace (f,g) with (g,f) if b == 1; 
@@ -127,17 +127,17 @@ fe_mul121666(fe h,const fe f) int64_t carry8; int64_t carry9; - carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; - carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25; - carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25; - carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25; - carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25; - - carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; - carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26; - carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; - carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26; - carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26; + carry9 = (h9 + ((int64_t) 1 << 24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; + carry1 = (h1 + ((int64_t) 1 << 24)) >> 25; h2 += carry1; h1 -= carry1 << 25; + carry3 = (h3 + ((int64_t) 1 << 24)) >> 25; h4 += carry3; h3 -= carry3 << 25; + carry5 = (h5 + ((int64_t) 1 << 24)) >> 25; h6 += carry5; h5 -= carry5 << 25; + carry7 = (h7 + ((int64_t) 1 << 24)) >> 25; h8 += carry7; h7 -= carry7 << 25; + + carry0 = (h0 + ((int64_t) 1 << 25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + carry2 = (h2 + ((int64_t) 1 << 25)) >> 26; h3 += carry2; h2 -= carry2 << 26; + carry4 = (h4 + ((int64_t) 1 << 25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + carry6 = (h6 + ((int64_t) 1 << 25)) >> 26; h7 += carry6; h6 -= carry6 << 26; + carry8 = (h8 + ((int64_t) 1 << 25)) >> 26; h9 += carry8; h8 -= carry8 << 26; h[0] = h0; h[1] = h1; diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.h b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.h index 6ce9b76d2d..39c2a20a42 100644 
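Review bot: The carry chain still depends on `>>` of a negative `int64_t` being an arithmetic (sign-extending) shift, which C11 leaves implementation-defined (6.5.7p5); casting the bias constant before shifting, as this hunk does, tidies the constant but does not touch that assumption. The ref10 limbs are signed, so `h9 + ((int64_t) 1 << 24)` can presumably be negative here — confirm against the fe representation, which is outside this hunk. Every compiler libsodium supports does sign-extend, so the fix is documentation rather than code: a one-line comment above the first carry, `/* carries rely on arithmetic >> of negative int64_t (implementation-defined in C, assumed throughout ref10) */`. fe_mul121666 begins before this hunk.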
--- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.h +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.h @@ -2,6 +2,7 @@ #define curve25519_ref10_H #include "crypto_scalarmult_curve25519.h" +#include "../scalarmult_curve25519.h" extern struct crypto_scalarmult_curve25519_implementation crypto_scalarmult_curve25519_ref10_implementation; diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/consts_namespace.h b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/consts_namespace.h index c9f3efe4a3..9f81fa61c4 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/consts_namespace.h +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/consts_namespace.h @@ -16,5 +16,5 @@ #define subc2 crypto_scalarmult_curve25519_sandy2x_subc2 #define REDMASK51 crypto_scalarmult_curve25519_sandy2x_REDMASK51 -#endif //ifndef consts_namespace_H +#endif /* ifndef consts_namespace_H */ diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe.h b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe.h index a9a50e618e..b1115f8691 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe.h +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe.h @@ -6,9 +6,10 @@ #ifndef fe_H #define fe_H -#include "crypto_uint64.h" +#include +#include -typedef crypto_uint64 fe[10]; +typedef uint64_t fe[10]; /* fe means field element. diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51.h b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51.h index 7e88ef9ce2..8e3f199b24 100644 
--- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51.h +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51.h @@ -12,12 +12,14 @@ extern "C" { #endif -#include "crypto_uint64.h" +#include +#include + #include "fe51_namespace.h" -typedef struct +typedef struct { - crypto_uint64 v[5]; + uint64_t v[5]; } fe51; diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_invert.c b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_invert.c dissimilarity index 79% index a9d0be760f..70cd13a005 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_invert.c +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_invert.c 
@@ -1,57 +1,57 @@ -/* - This file is adapted from amd64-51/fe25519_invert.c: - Loops of squares are replaced by nsquares for better performance. -*/ - -#include "fe51.h" - -#ifdef HAVE_AVX_ASM - -#define fe51_square(x, y) fe51_nsquare(x, y, 1) - -void fe51_invert(fe51 *r, const fe51 *x) -{ - fe51 z2; - fe51 z9; - fe51 z11; - fe51 z2_5_0; - fe51 z2_10_0; - fe51 z2_20_0; - fe51 z2_50_0; - fe51 z2_100_0; - fe51 t; - - /* 2 */ fe51_square(&z2,x); - /* 4 */ fe51_square(&t,&z2); - /* 8 */ fe51_square(&t,&t); - /* 9 */ fe51_mul(&z9,&t,x); - /* 11 */ fe51_mul(&z11,&z9,&z2); - /* 22 */ fe51_square(&t,&z11); - /* 2^5 - 2^0 = 31 */ fe51_mul(&z2_5_0,&t,&z9); - - /* 2^10 - 2^5 */ fe51_nsquare(&t,&z2_5_0, 5); - /* 2^10 - 2^0 */ fe51_mul(&z2_10_0,&t,&z2_5_0); - - /* 2^20 - 2^10 */ fe51_nsquare(&t,&z2_10_0, 10); - /* 2^20 - 2^0 */ fe51_mul(&z2_20_0,&t,&z2_10_0); - - /* 2^40 - 2^20 */ fe51_nsquare(&t,&z2_20_0, 20); - /* 2^40 - 2^0 */ fe51_mul(&t,&t,&z2_20_0); - - /* 2^50 - 2^10 */ fe51_nsquare(&t,&t,10); - /* 2^50 - 2^0 */ fe51_mul(&z2_50_0,&t,&z2_10_0); - - /* 2^100 - 2^50 */ fe51_nsquare(&t,&z2_50_0, 50); - /* 2^100 - 2^0 */ fe51_mul(&z2_100_0,&t,&z2_50_0); - - /* 2^200 - 2^100 */ fe51_nsquare(&t,&z2_100_0, 100); - /* 2^200 - 2^0 */ fe51_mul(&t,&t,&z2_100_0); - - /* 2^250 - 2^50 */ fe51_nsquare(&t,&t, 50); - /* 2^250 - 2^0 */ fe51_mul(&t,&t,&z2_50_0); - - /* 2^255 - 2^5 */ fe51_nsquare(&t,&t,5); - /* 2^255 - 21 */ fe51_mul(r,&t,&z11); -} - -#endif +/* + This file is adapted from amd64-51/fe25519_invert.c: + Loops of squares are replaced by nsquares for better performance. 
+*/ + +#include "fe51.h" + +#ifdef HAVE_AVX_ASM + +#define fe51_square(x, y) fe51_nsquare(x, y, 1) + +void fe51_invert(fe51 *r, const fe51 *x) +{ + fe51 z2; + fe51 z9; + fe51 z11; + fe51 z2_5_0; + fe51 z2_10_0; + fe51 z2_20_0; + fe51 z2_50_0; + fe51 z2_100_0; + fe51 t; + + /* 2 */ fe51_square(&z2,x); + /* 4 */ fe51_square(&t,&z2); + /* 8 */ fe51_square(&t,&t); + /* 9 */ fe51_mul(&z9,&t,x); + /* 11 */ fe51_mul(&z11,&z9,&z2); + /* 22 */ fe51_square(&t,&z11); + /* 2^5 - 2^0 = 31 */ fe51_mul(&z2_5_0,&t,&z9); + + /* 2^10 - 2^5 */ fe51_nsquare(&t,&z2_5_0, 5); + /* 2^10 - 2^0 */ fe51_mul(&z2_10_0,&t,&z2_5_0); + + /* 2^20 - 2^10 */ fe51_nsquare(&t,&z2_10_0, 10); + /* 2^20 - 2^0 */ fe51_mul(&z2_20_0,&t,&z2_10_0); + + /* 2^40 - 2^20 */ fe51_nsquare(&t,&z2_20_0, 20); + /* 2^40 - 2^0 */ fe51_mul(&t,&t,&z2_20_0); + + /* 2^50 - 2^10 */ fe51_nsquare(&t,&t,10); + /* 2^50 - 2^0 */ fe51_mul(&z2_50_0,&t,&z2_10_0); + + /* 2^100 - 2^50 */ fe51_nsquare(&t,&z2_50_0, 50); + /* 2^100 - 2^0 */ fe51_mul(&z2_100_0,&t,&z2_50_0); + + /* 2^200 - 2^100 */ fe51_nsquare(&t,&z2_100_0, 100); + /* 2^200 - 2^0 */ fe51_mul(&t,&t,&z2_100_0); + + /* 2^250 - 2^50 */ fe51_nsquare(&t,&t, 50); + /* 2^250 - 2^0 */ fe51_mul(&t,&t,&z2_50_0); + + /* 2^255 - 2^5 */ fe51_nsquare(&t,&t,5); + /* 2^255 - 21 */ fe51_mul(r,&t,&z11); +} + +#endif diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_mul.S b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_mul.S index 3b7637881b..83501b0395 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_mul.S +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_mul.S 
@@ -7,10 +7,18 @@ #include "consts_namespace.h" .text .p2align 5 -.globl _fe51_mul +#ifdef ASM_HIDE_SYMBOL +ASM_HIDE_SYMBOL fe51_mul +ASM_HIDE_SYMBOL _fe51_mul +#endif .globl fe51_mul -_fe51_mul: +.globl _fe51_mul +#ifdef __ELF__ +.type fe51_mul, @function +.type _fe51_mul, @function +#endif fe51_mul: +_fe51_mul: mov %rsp,%r11 and $31,%r11 add $96,%r11 diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_namespace.h b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_namespace.h index 9d8f942be5..057f242ca1 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_namespace.h +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_namespace.h @@ -12,5 +12,5 @@ #define fe51_invert crypto_scalarmult_curve25519_sandy2x_fe51_invert -#endif //ifndef fe51_namespace_H +#endif /* ifndef fe51_namespace_H */ diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_nsquare.S b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_nsquare.S index 9b74ee3e5d..fabdf5b8bb 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_nsquare.S +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_nsquare.S @@ -8,6 +8,10 @@ #include "consts_namespace.h" .p2align 5 +#ifdef ASM_HIDE_SYMBOL +ASM_HIDE_SYMBOL fe51_nsquare +ASM_HIDE_SYMBOL _fe51_nsquare +#endif .globl fe51_nsquare .globl _fe51_nsquare #ifdef __ELF__ diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_pack.S b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_pack.S index c8cf405bbe..cf5d2c5cc4 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_pack.S 
+++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_pack.S @@ -8,6 +8,10 @@ #include "consts_namespace.h" .p2align 5 +#ifdef ASM_HIDE_SYMBOL +ASM_HIDE_SYMBOL fe51_pack +ASM_HIDE_SYMBOL _fe51_pack +#endif .globl fe51_pack .globl _fe51_pack #ifdef __ELF__ diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe_frombytes_sandy2x.c b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe_frombytes_sandy2x.c index 0de060c81a..f1a29a34f4 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe_frombytes_sandy2x.c +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe_frombytes_sandy2x.c 
@@ -3,51 +3,50 @@ */ #include "fe.h" -#include "crypto_uint64.h" #ifdef HAVE_AVX_ASM -static crypto_uint64 load_3(const unsigned char *in) +static uint64_t load_3(const unsigned char *in) { - crypto_uint64 result; - result = (crypto_uint64) in[0]; - result |= ((crypto_uint64) in[1]) << 8; - result |= ((crypto_uint64) in[2]) << 16; + uint64_t result; + result = (uint64_t) in[0]; + result |= ((uint64_t) in[1]) << 8; + result |= ((uint64_t) in[2]) << 16; return result; } -static crypto_uint64 load_4(const unsigned char *in) +static uint64_t load_4(const unsigned char *in) { - crypto_uint64 result; - result = (crypto_uint64) in[0]; - result |= ((crypto_uint64) in[1]) << 8; - result |= ((crypto_uint64) in[2]) << 16; - result |= ((crypto_uint64) in[3]) << 24; + uint64_t result; + result = (uint64_t) in[0]; + result |= ((uint64_t) in[1]) << 8; + result |= ((uint64_t) in[2]) << 16; + result |= ((uint64_t) in[3]) << 24; return result; } void fe_frombytes(fe h,const unsigned char *s) { - crypto_uint64 h0 = load_4(s); - crypto_uint64 h1 = load_3(s + 4) << 6; - crypto_uint64 h2 = load_3(s + 7) << 5; - crypto_uint64 h3 = load_3(s + 10) << 3; - crypto_uint64 h4 = load_3(s + 13) << 2; - crypto_uint64 h5 = load_4(s + 16); - crypto_uint64 h6 = load_3(s + 20) << 7; - crypto_uint64 h7 = load_3(s + 23) << 5; - crypto_uint64 h8 = load_3(s + 26) << 4; - crypto_uint64 h9 = (load_3(s + 29) & 8388607) << 2; - crypto_uint64 carry0; - crypto_uint64 carry1; - crypto_uint64 carry2; - crypto_uint64 carry3; - crypto_uint64 carry4; - crypto_uint64 carry5; - crypto_uint64 carry6; - crypto_uint64 carry7; - crypto_uint64 carry8; - crypto_uint64 carry9; + uint64_t h0 = load_4(s); + uint64_t h1 = load_3(s + 4) << 6; + uint64_t h2 = load_3(s + 7) << 5; + uint64_t h3 = load_3(s + 10) << 3; + uint64_t h4 = load_3(s + 13) << 2; + uint64_t h5 = load_4(s + 16); + uint64_t h6 = load_3(s + 20) << 7; + uint64_t h7 = load_3(s + 23) << 5; + uint64_t h8 = load_3(s + 26) << 4; + uint64_t h9 = (load_3(s + 29) & 
8388607) << 2; + uint64_t carry0; + uint64_t carry1; + uint64_t carry2; + uint64_t carry3; + uint64_t carry4; + uint64_t carry5; + uint64_t carry6; + uint64_t carry7; + uint64_t carry8; + uint64_t carry9; carry9 = h9 >> 25; h0 += carry9 * 19; h9 &= 0x1FFFFFF; carry1 = h1 >> 25; h2 += carry1; h1 &= 0x1FFFFFF; diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder.S b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder.S index 0adc44af16..92ecac9b10 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder.S +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder.S @@ -4,6 +4,10 @@ #include "consts_namespace.h" .p2align 5 +#ifdef ASM_HIDE_SYMBOL +ASM_HIDE_SYMBOL ladder +ASM_HIDE_SYMBOL _ladder +#endif .globl ladder .globl _ladder #ifdef __ELF__ diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder.h b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder.h index 1912500bbb..ccf4ecaecd 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder.h +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder.h @@ -14,5 +14,5 @@ extern void ladder(fe *, const unsigned char *); } #endif -#endif //ifndef ladder_H +#endif /* ifndef ladder_H */ diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder_base.S b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder_base.S index 536ac101d8..a400b2aa5e 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder_base.S +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder_base.S 
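Review bot: fe_frombytes_sandy2x.c now spells every integer as `uint64_t` after dropping `crypto_uint64.h`, but the hunk adds no `#include <stdint.h>`, so the file compiles only because `fe.h` (or something it pulls in) happens to provide the type. Adding `#include <stdint.h>` next to `#include "fe.h"` keeps the translation unit self-contained and independent of header reshuffles. While touching the `h9` line, `8388607` is `0x7FFFFF` (the 23-bit mask); writing it in hex would read consistently with the `0x1FFFFFF` masks in the carry chain that follows.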
@@ -4,6 +4,10 @@ #include "consts_namespace.h" .p2align 5 +#ifdef ASM_HIDE_SYMBOL +ASM_HIDE_SYMBOL ladder_base +ASM_HIDE_SYMBOL _ladder_base +#endif .globl ladder_base .globl _ladder_base #ifdef __ELF__ diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder_base.h b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder_base.h index 09b5fe79e8..a69be13f0d 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder_base.h +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder_base.h @@ -14,5 +14,5 @@ extern void ladder_base(fe *, const unsigned char *); } #endif -#endif //ifndef ladder_base_H +#endif /* ifndef ladder_base_H */ diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder_base_namespace.h b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder_base_namespace.h index af5fa56928..304546a185 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder_base_namespace.h +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder_base_namespace.h @@ -4,5 +4,5 @@ #define ladder_base crypto_scalarmult_curve25519_sandy2x_ladder_base #define _ladder_base _crypto_scalarmult_curve25519_sandy2x_ladder_base -#endif //ifndef ladder_base_namespace_H +#endif /* ifndef ladder_base_namespace_H */ diff --git a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder_namespace.h b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder_namespace.h index 8481ff4a61..6637074bec 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder_namespace.h +++ b/release/src/router/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/ladder_namespace.h 
@@ -4,5 +4,5 @@ #define ladder crypto_scalarmult_curve25519_sandy2x_ladder #define _ladder _crypto_scalarmult_curve25519_sandy2x_ladder -#endif //ifndef ladder_namespace_H +#endif /* ifndef ladder_namespace_H */ diff --git a/release/src/router/libsodium/src/libsodium/crypto_secretbox/crypto_secretbox_easy.c b/release/src/router/libsodium/src/libsodium/crypto_secretbox/crypto_secretbox_easy.c index 7802b003da..dcc21b33c3 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_secretbox/crypto_secretbox_easy.c +++ b/release/src/router/libsodium/src/libsodium/crypto_secretbox/crypto_secretbox_easy.c @@ -11,10 +11,6 @@ #include "crypto_stream_salsa20.h" #include "utils.h" -static const unsigned char sigma[16] = { - 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3', '2', '-', 'b', 'y', 't', 'e', ' ', 'k' -}; - int crypto_secretbox_detached(unsigned char *c, unsigned char *mac, const unsigned char *m, @@ -27,7 +23,7 @@ crypto_secretbox_detached(unsigned char *c, unsigned char *mac, unsigned long long i; unsigned long long mlen0; - crypto_core_hsalsa20(subkey, n, k, sigma); + crypto_core_hsalsa20(subkey, n, k, NULL); if (((uintptr_t) c >= (uintptr_t) m && (uintptr_t) c - (uintptr_t) m < mlen) || @@ -93,7 +89,7 @@ crypto_secretbox_open_detached(unsigned char *m, const unsigned char *c, unsigned long long i; unsigned long long mlen0; - crypto_core_hsalsa20(subkey, n, k, sigma); + crypto_core_hsalsa20(subkey, n, k, NULL); crypto_stream_salsa20(block0, crypto_stream_salsa20_KEYBYTES, n + 16, subkey); if (crypto_onetimeauth_poly1305_verify(mac, c, clen, block0) != 0) { diff --git a/release/src/router/libsodium/src/libsodium/crypto_shorthash/siphash24/ref/shorthash_siphash24.c b/release/src/router/libsodium/src/libsodium/crypto_shorthash/siphash24/ref/shorthash_siphash24.c index d77f419878..27f7b13c16 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_shorthash/siphash24/ref/shorthash_siphash24.c 
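Review bot: The hunks at `-27` and `-93` now pass `NULL` as the constant argument of `crypto_core_hsalsa20`, so the "expand 32-byte k" constant that this file used to own is supplied by the core implementation instead, and nothing at the call sites says so. That is correct only if the `crypto_core_hsalsa20` linked into this tree treats `NULL` as the default Salsa20 constant (the `core_hsalsa20.c` rewrite in the same patch presumably does; worth confirming no alternative backend still dereferences the pointer). A one-line comment at the first call, `/* NULL: use the default Salsa20 constant ("expand 32-byte k") */`, keeps that contract visible to anyone reading crypto_secretbox_detached alone; the same applies to the call in crypto_secretbox_open_detached.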
+++ b/release/src/router/libsodium/src/libsodium/crypto_shorthash/siphash24/ref/shorthash_siphash24.c @@ -1,32 +1,12 @@ #include "crypto_shorthash_siphash24.h" -#include "crypto_uint64.h" -#include "crypto_uint32.h" -#include "crypto_uint8.h" +#include "private/common.h" -typedef crypto_uint64 u64; -typedef crypto_uint32 u32; -typedef crypto_uint8 u8; +typedef uint64_t u64; +typedef uint32_t u32; +typedef uint8_t u8; #define ROTL(x,b) (u64)( ((x) << (b)) | ( (x) >> (64 - (b))) ) -#define U32TO8_LE(p, v) \ - (p)[0] = (u8)((v) ); (p)[1] = (u8)((v) >> 8); \ - (p)[2] = (u8)((v) >> 16); (p)[3] = (u8)((v) >> 24); - -#define U64TO8_LE(p, v) \ - U32TO8_LE((p), (u32)((v) )); \ - U32TO8_LE((p) + 4, (u32)((v) >> 32)); - -#define U8TO64_LE(p) \ - (((u64)((p)[0]) ) | \ - ((u64)((p)[1]) << 8) | \ - ((u64)((p)[2]) << 16) | \ - ((u64)((p)[3]) << 24) | \ - ((u64)((p)[4]) << 32) | \ - ((u64)((p)[5]) << 40) | \ - ((u64)((p)[6]) << 48) | \ - ((u64)((p)[7]) << 56)) - #define SIPROUND \ do { \ v0 += v1; v1=ROTL(v1,13); v1 ^= v0; v0=ROTL(v0,32); \ @@ -44,8 +24,8 @@ int crypto_shorthash_siphash24(unsigned char *out, const unsigned char *in, u64 v2 = 0x6c7967656e657261ULL; u64 v3 = 0x7465646279746573ULL; u64 b; - u64 k0 = U8TO64_LE( k ); - u64 k1 = U8TO64_LE( k + 8 ); + u64 k0 = LOAD64_LE( k ); + u64 k1 = LOAD64_LE( k + 8 ); u64 m; const u8 *end = in + inlen - ( inlen % sizeof( u64 ) ); const int left = inlen & 7; @@ -57,7 +37,7 @@ int crypto_shorthash_siphash24(unsigned char *out, const unsigned char *in, for ( ; in != end; in += 8 ) { - m = U8TO64_LE( in ); + m = LOAD64_LE( in ); v3 ^= m; SIPROUND; SIPROUND; @@ -86,7 +66,7 @@ int crypto_shorthash_siphash24(unsigned char *out, const unsigned char *in, SIPROUND; SIPROUND; b = v0 ^ v1 ^ v2 ^ v3; - U64TO8_LE( out, b ); + STORE64_LE( out, b ); return 0; } 
diff --git a/release/src/router/libsodium/src/libsodium/crypto_sign/ed25519/ref10/keypair.c b/release/src/router/libsodium/src/libsodium/crypto_sign/ed25519/ref10/keypair.c index a9c396647e..de1c652b2f 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_sign/ed25519/ref10/keypair.c +++ b/release/src/router/libsodium/src/libsodium/crypto_sign/ed25519/ref10/keypair.c @@ -6,7 +6,7 @@ #include "crypto_scalarmult_curve25519.h" #include "randombytes.h" #include "utils.h" -#include "../../../crypto_core/curve25519/ref10/curve25519_ref10.h" +#include "private/curve25519_ref10.h" int crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk, const unsigned char *seed) diff --git a/release/src/router/libsodium/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c b/release/src/router/libsodium/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c index 2c644ad0c2..37b756b5eb 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c +++ b/release/src/router/libsodium/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c @@ -8,7 +8,7 @@ #include "crypto_verify_32.h" #include "randombytes.h" #include "utils.h" -#include "../../../crypto_core/curve25519/ref10/curve25519_ref10.h" +#include "private/curve25519_ref10.h" int crypto_sign_edwards25519sha512batch_keypair(unsigned char *pk, unsigned char *sk) diff --git a/release/src/router/libsodium/src/libsodium/crypto_sign/ed25519/ref10/open.c b/release/src/router/libsodium/src/libsodium/crypto_sign/ed25519/ref10/open.c index bafb71dd7b..2731e813be 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_sign/ed25519/ref10/open.c +++ b/release/src/router/libsodium/src/libsodium/crypto_sign/ed25519/ref10/open.c 
@@ -7,7 +7,75 @@ #include "crypto_sign_ed25519.h" #include "crypto_verify_32.h" #include "utils.h" -#include "../../../crypto_core/curve25519/ref10/curve25519_ref10.h" +#include "private/curve25519_ref10.h" + +#ifndef ED25519_COMPAT +static int +crypto_sign_check_S_lt_L(const unsigned char *S) +{ + /* 2^252+27742317777372353535851937790883648493 */ + static const unsigned char L[32] = + { 0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, + 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10 }; + unsigned char c = 0; + unsigned char n = 1; + unsigned int i = 32; + + do { + i--; + c |= ((S[i] - L[i]) >> 8) & n; + n &= ((S[i] ^ L[i]) - 1) >> 8; + } while (i != 0); + + return -(c == 0); +} + +static int +small_order(const unsigned char R[32]) +{ + CRYPTO_ALIGN(16) static const unsigned char blacklist[][32] = { + /* 0 (order 4) */ + { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, + /* 1 (order 1) */ + { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, + /* 2707385501144840649318225287225658788936804267575313519463743609750303402022 (order 8) */ + { 0x26, 0xe8, 0x95, 0x8f, 0xc2, 0xb2, 0x27, 0xb0, 0x45, 0xc3, 0xf4, 0x89, 0xf2, 0xef, 0x98, 0xf0, 0xd5, 0xdf, 0xac, 0x05, 0xd3, 0xc6, 0x33, 0x39, 0xb1, 0x38, 0x02, 0x88, 0x6d, 0x53, 0xfc, 0x05 }, + /* 55188659117513257062467267217118295137698188065244968500265048394206261417927 (order 8) */ + { 0xc7, 0x17, 0x6a, 0x70, 0x3d, 0x4d, 0xd8, 0x4f, 0xba, 0x3c, 0x0b, 0x76, 0x0d, 0x10, 0x67, 0x0f, 0x2a, 0x20, 0x53, 0xfa, 0x2c, 0x39, 0xcc, 0xc6, 0x4e, 0xc7, 0xfd, 0x77, 0x92, 0xac, 0x03, 0x7a }, + /* p-1 (order 2) */ + { 0x13, 0xe8, 0x95, 0x8f, 0xc2, 0xb2, 
0x27, 0xb0, 0x45, 0xc3, 0xf4, 0x89, 0xf2, 0xef, 0x98, 0xf0, 0xd5, 0xdf, 0xac, 0x05, 0xd3, 0xc6, 0x33, 0x39, 0xb1, 0x38, 0x02, 0x88, 0x6d, 0x53, 0xfc, 0x85 }, + /* p (order 4) */ + { 0xb4, 0x17, 0x6a, 0x70, 0x3d, 0x4d, 0xd8, 0x4f, 0xba, 0x3c, 0x0b, 0x76, 0x0d, 0x10, 0x67, 0x0f, 0x2a, 0x20, 0x53, 0xfa, 0x2c, 0x39, 0xcc, 0xc6, 0x4e, 0xc7, 0xfd, 0x77, 0x92, 0xac, 0x03, 0xfa }, + /* p+1 (order 1) */ + { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, + /* p+2707385501144840649318225287225658788936804267575313519463743609750303402022 (order 8) */ + { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, + /* p+55188659117513257062467267217118295137698188065244968500265048394206261417927 (order 8) */ + { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, + /* 2p-1 (order 2) */ + { 0xd9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, + /* 2p (order 4) */ + { 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, + /* 2p+1 (order 1) */ + { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff } + }; + size_t i, j; + unsigned char c; + + for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) { + c = 0; + for (j = 0; j < 32; j++) { + c |= 
R[j] ^ blacklist[i][j]; + } + if (c == 0) { + return 1; + } + } + return 0; +} +#endif int crypto_sign_ed25519_verify_detached(const unsigned char *sig, @@ -23,9 +91,16 @@ crypto_sign_ed25519_verify_detached(const unsigned char *sig, ge_p3 A; ge_p2 R; +#ifndef ED25519_COMPAT + if (crypto_sign_check_S_lt_L(sig + 32) != 0 || + small_order(sig) != 0) { + return -1; + } +#else if (sig[63] & 224) { return -1; } +#endif if (ge_frombytes_negate_vartime(&A, pk) != 0) { return -1; } diff --git a/release/src/router/libsodium/src/libsodium/crypto_sign/ed25519/ref10/sign.c b/release/src/router/libsodium/src/libsodium/crypto_sign/ed25519/ref10/sign.c index 46c108cc34..7ebc20cd63 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_sign/ed25519/ref10/sign.c +++ b/release/src/router/libsodium/src/libsodium/crypto_sign/ed25519/ref10/sign.c @@ -4,7 +4,7 @@ #include "crypto_hash_sha512.h" #include "crypto_sign_ed25519.h" #include "utils.h" -#include "../../../crypto_core/curve25519/ref10/curve25519_ref10.h" +#include "private/curve25519_ref10.h" int crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p, diff --git a/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/afternm_aes128ctr.c b/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/afternm_aes128ctr.c index 9c76f22f9c..6f0cec62e6 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/afternm_aes128ctr.c +++ b/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/afternm_aes128ctr.c @@ -88,9 +88,9 @@ int crypto_stream_aes128ctr_afternm(unsigned char *out, unsigned long long len, if(len < 128) goto partial; if(len == 128) goto full; - tmp = load32_bigendian(np + 12); + tmp = LOAD32_BE(np + 12); tmp += 8; - store32_bigendian(np + 12, tmp); + STORE32_BE(np + 12, tmp); *(int128 *) (out + 0) = xmm8; *(int128 *) (out + 16) = xmm9; 
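Review bot: `crypto_sign_check_S_lt_L` relies on `(S[i] - L[i]) >> 8` and `((S[i] ^ L[i]) - 1) >> 8` yielding an all-ones mask for a negative `int`; C11 leaves right-shifting a negative signed value implementation-defined, so the comparison is correct only on compilers that implement an arithmetic shift. Doing the arithmetic in `unsigned int` produces the same masks portably: `c |= (((unsigned int) S[i] - (unsigned int) L[i]) >> 8) & n;` and `n &= (((unsigned int) (S[i] ^ L[i])) - 1U) >> 8;`. The loop is otherwise branch-free and reads all 32 bytes, which is what the constant-time intent needs; a short comment saying that the function returns `0` when S < L and `-1` otherwise would help, because the name alone does not say which way the result maps. `small_order` returns early on the first match, which is fine here since R is public signature data.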
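Review bot: The new pre-checks validate only the signature: `small_order(sig)` rejects a small-order R and `crypto_sign_check_S_lt_L(sig + 32)` a non-canonical S, but `pk` goes straight to `ge_frombytes_negate_vartime(&A, pk)` on the next line, so a small-order public key is still accepted by this path. If the purpose of the `ED25519_COMPAT` split is strict verification, the same blacklist applies to the key: `if (crypto_sign_check_S_lt_L(sig + 32) != 0 || small_order(sig) != 0 || small_order(pk) != 0) {`. Whether that strictness is wanted depends on the compatibility goals, so either way a comment stating what the non-compat branch does and does not reject would help a later reader. The body of crypto_sign_ed25519_verify_detached continues outside the hunk.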
@@ -111,9 +111,9 @@ int crypto_stream_aes128ctr_afternm(unsigned char *out, unsigned long long len, lensav = len; len >>= 4; - tmp = load32_bigendian(np + 12); + tmp = LOAD32_BE(np + 12); tmp += len; - store32_bigendian(np + 12, tmp); + STORE32_BE(np + 12, tmp); blp = bl; *(int128 *)(blp + 0) = xmm8; @@ -140,9 +140,9 @@ int crypto_stream_aes128ctr_afternm(unsigned char *out, unsigned long long len, full: - tmp = load32_bigendian(np + 12); + tmp = LOAD32_BE(np + 12); tmp += 8; - store32_bigendian(np + 12, tmp); + STORE32_BE(np + 12, tmp); *(int128 *) (out + 0) = xmm8; *(int128 *) (out + 16) = xmm9; diff --git a/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/common.h b/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/common.h index 3923c02df4..5b7dec5845 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/common.h +++ b/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/common.h @@ -5,24 +5,7 @@ #define COMMON_H #include "types.h" - -#define load32_bigendian crypto_stream_aes128ctr_portable_load32_bigendian -uint32 load32_bigendian(const unsigned char *x); - -#define store32_bigendian crypto_stream_aes128ctr_portable_store32_bigendian -void store32_bigendian(unsigned char *x,uint32 u); - -#define load32_littleendian crypto_stream_aes128ctr_portable_load32_littleendian -uint32 load32_littleendian(const unsigned char *x); - -#define store32_littleendian crypto_stream_aes128ctr_portable_store32_littleendian -void store32_littleendian(unsigned char *x,uint32 u); - -#define load64_littleendian crypto_stream_aes128ctr_portable_load64_littleendian -uint64 load64_littleendian(const unsigned char *x); - -#define store64_littleendian crypto_stream_aes128ctr_portable_store64_littleendian -void store64_littleendian(unsigned char *x,uint64 u); +#include "private/common.h" /* Macros required only for key expansion */ 
diff --git a/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/common_aes128ctr.c b/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/common_aes128ctr.c deleted file mode 100644 index 14a28cc6c1..0000000000 --- a/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/common_aes128ctr.c +++ /dev/null @@ -1,64 +0,0 @@ -#include "common.h" - -uint32 load32_bigendian(const unsigned char *x) -{ - return - (uint32) (x[3]) \ - | (((uint32) (x[2])) << 8) \ - | (((uint32) (x[1])) << 16) \ - | (((uint32) (x[0])) << 24) - ; -} - -void store32_bigendian(unsigned char *x,uint32 u) -{ - x[3] = u; u >>= 8; - x[2] = u; u >>= 8; - x[1] = u; u >>= 8; - x[0] = u; -} - -uint32 load32_littleendian(const unsigned char *x) -{ - return - (uint32) (x[0]) \ - | (((uint32) (x[1])) << 8) \ - | (((uint32) (x[2])) << 16) \ - | (((uint32) (x[3])) << 24) - ; -} - -void store32_littleendian(unsigned char *x,uint32 u) -{ - x[0] = u; u >>= 8; - x[1] = u; u >>= 8; - x[2] = u; u >>= 8; - x[3] = u; -} - - -uint64 load64_littleendian(const unsigned char *x) -{ - return - (uint64) (x[0]) \ - | (((uint64) (x[1])) << 8) \ - | (((uint64) (x[2])) << 16) \ - | (((uint64) (x[3])) << 24) - | (((uint64) (x[4])) << 32) - | (((uint64) (x[5])) << 40) - | (((uint64) (x[6])) << 48) - | (((uint64) (x[7])) << 56) - ; -} - -void store64_littleendian(unsigned char *x,uint64 u) -{ - x[0] = u; u >>= 8; - x[1] = u; u >>= 8; - x[2] = u; u >>= 8; - x[3] = u; u >>= 8; - x[4] = u; u >>= 8; - x[5] = u; u >>= 8; - x[6] = u; u >>= 8; - x[7] = u; -} diff --git a/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/int128_aes128ctr.c b/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/int128_aes128ctr.c index 703de39bfa..d7fe2bc96f 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/int128_aes128ctr.c 
+++ b/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/int128_aes128ctr.c @@ -68,42 +68,42 @@ void rshift32_littleendian(int128 *r, const unsigned int n) { unsigned char *rp = (unsigned char *)r; uint32 t; - t = load32_littleendian(rp); + t = LOAD32_LE(rp); t >>= n; - store32_littleendian(rp, t); - t = load32_littleendian(rp+4); + STORE32_LE(rp, t); + t = LOAD32_LE(rp+4); t >>= n; - store32_littleendian(rp+4, t); - t = load32_littleendian(rp+8); + STORE32_LE(rp+4, t); + t = LOAD32_LE(rp+8); t >>= n; - store32_littleendian(rp+8, t); - t = load32_littleendian(rp+12); + STORE32_LE(rp+8, t); + t = LOAD32_LE(rp+12); t >>= n; - store32_littleendian(rp+12, t); + STORE32_LE(rp+12, t); } void rshift64_littleendian(int128 *r, const unsigned int n) { unsigned char *rp = (unsigned char *)r; uint64 t; - t = load64_littleendian(rp); + t = LOAD64_LE(rp); t >>= n; - store64_littleendian(rp, t); - t = load64_littleendian(rp+8); + STORE64_LE(rp, t); + t = LOAD64_LE(rp+8); t >>= n; - store64_littleendian(rp+8, t); + STORE64_LE(rp+8, t); } void lshift64_littleendian(int128 *r, const unsigned int n) { unsigned char *rp = (unsigned char *)r; uint64 t; - t = load64_littleendian(rp); + t = LOAD64_LE(rp); t <<= n; - store64_littleendian(rp, t); - t = load64_littleendian(rp+8); + STORE64_LE(rp, t); + t = LOAD64_LE(rp+8); t <<= n; - store64_littleendian(rp+8, t); + STORE64_LE(rp+8, t); } void toggle(int128 *r) @@ -116,16 +116,16 @@ void xor_rcon(int128 *r) { unsigned char *rp = (unsigned char *)r; uint32 t; - t = load32_littleendian(rp+12); + t = LOAD32_LE(rp+12); t ^= 0xffffffff; - store32_littleendian(rp+12, t); + STORE32_LE(rp+12, t); } void add_uint32_big(int128 *r, uint32 x) { unsigned char *rp = (unsigned char *)r; uint32 t; - t = load32_littleendian(rp+12); + t = LOAD32_LE(rp+12); t += x; - store32_littleendian(rp+12, t); + STORE32_LE(rp+12, t); } 
diff --git a/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/types.h b/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/types.h index 6aa502fced..1427271ffd 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/types.h +++ b/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/types.h @@ -1,10 +1,10 @@ #ifndef TYPES_H #define TYPES_H -#include "crypto_uint32.h" -typedef crypto_uint32 uint32; +#include +#include -#include "crypto_uint64.h" -typedef crypto_uint64 uint64; +typedef uint32_t uint32; +typedef uint64_t uint64; #endif diff --git a/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/xor_afternm_aes128ctr.c b/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/xor_afternm_aes128ctr.c index 4a895206ae..c65d73ba60 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/xor_afternm_aes128ctr.c +++ b/release/src/router/libsodium/src/libsodium/crypto_stream/aes128ctr/portable/xor_afternm_aes128ctr.c @@ -88,9 +88,9 @@ int crypto_stream_aes128ctr_xor_afternm(unsigned char *out, const unsigned char if(len < 128) goto partial; if(len == 128) goto full; - tmp = load32_bigendian(np + 12); + tmp = LOAD32_BE(np + 12); tmp += 8; - store32_bigendian(np + 12, tmp); + STORE32_BE(np + 12, tmp); xor2(&xmm8, (const int128 *)(in + 0)); xor2(&xmm9, (const int128 *)(in + 16)); @@ -121,9 +121,9 @@ int crypto_stream_aes128ctr_xor_afternm(unsigned char *out, const unsigned char lensav = len; len >>= 4; - tmp = load32_bigendian(np + 12); + tmp = LOAD32_BE(np + 12); tmp += len; - store32_bigendian(np + 12, tmp); + STORE32_BE(np + 12, tmp); blp = bl; *(int128 *)(blp + 0) = xmm8; 
@@ -152,9 +152,9 @@ int crypto_stream_aes128ctr_xor_afternm(unsigned char *out, const unsigned char full: - tmp = load32_bigendian(np + 12); + tmp = LOAD32_BE(np + 12); tmp += 8; - store32_bigendian(np + 12, tmp); + STORE32_BE(np + 12, tmp); xor2(&xmm8, (const int128 *)(in + 0)); xor2(&xmm9, (const int128 *)(in + 16)); diff --git a/release/src/router/libsodium/src/libsodium/crypto_stream/chacha20/ref/stream_chacha20_ref.c b/release/src/router/libsodium/src/libsodium/crypto_stream/chacha20/ref/stream_chacha20_ref.c index d3c09af181..fe4c9773a8 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_stream/chacha20/ref/stream_chacha20_ref.c +++ b/release/src/router/libsodium/src/libsodium/crypto_stream/chacha20/ref/stream_chacha20_ref.c @@ -13,6 +13,7 @@ #include "crypto_stream_chacha20.h" #include "stream_chacha20_ref.h" #include "../stream_chacha20.h" +#include "private/common.h" struct chacha_ctx { uint32_t input[16]; @@ -32,20 +33,6 @@ typedef struct chacha_ctx chacha_ctx; #define ROTL32(v, n) \ (U32V((v) << (n)) | ((v) >> (32 - (n)))) -#define U8TO32_LITTLE(p) \ - (((u32)((p)[0]) ) | \ - ((u32)((p)[1]) << 8) | \ - ((u32)((p)[2]) << 16) | \ - ((u32)((p)[3]) << 24)) - -#define U32TO8_LITTLE(p, v) \ - do { \ - (p)[0] = U8V((v) ); \ - (p)[1] = U8V((v) >> 8); \ - (p)[2] = U8V((v) >> 16); \ - (p)[3] = U8V((v) >> 24); \ - } while (0) - #define ROTATE(v,c) (ROTL32(v,c)) #define XOR(v,w) ((v) ^ (w)) #define PLUS(v,w) (U32V((v) + (w))) 
@@ -57,47 +44,39 @@ typedef struct chacha_ctx chacha_ctx; a = PLUS(a,b); d = ROTATE(XOR(d,a), 8); \ c = PLUS(c,d); b = ROTATE(XOR(b,c), 7); -static const unsigned char sigma[16] = { - 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3', '2', '-', 'b', 'y', 't', 'e', ' ', 'k' -}; - static void chacha_keysetup(chacha_ctx *ctx, const u8 *k) { - const unsigned char *constants; - - ctx->input[4] = U8TO32_LITTLE(k + 0); - ctx->input[5] = U8TO32_LITTLE(k + 4); - ctx->input[6] = U8TO32_LITTLE(k + 8); - ctx->input[7] = U8TO32_LITTLE(k + 12); - k += 16; - constants = sigma; - ctx->input[8] = U8TO32_LITTLE(k + 0); - ctx->input[9] = U8TO32_LITTLE(k + 4); - ctx->input[10] = U8TO32_LITTLE(k + 8); - ctx->input[11] = U8TO32_LITTLE(k + 12); - ctx->input[0] = U8TO32_LITTLE(constants + 0); - ctx->input[1] = U8TO32_LITTLE(constants + 4); - ctx->input[2] = U8TO32_LITTLE(constants + 8); - ctx->input[3] = U8TO32_LITTLE(constants + 12); + ctx->input[0] = U32C(0x61707865); + ctx->input[1] = U32C(0x3320646e); + ctx->input[2] = U32C(0x79622d32); + ctx->input[3] = U32C(0x6b206574); + ctx->input[4] = LOAD32_LE(k + 0); + ctx->input[5] = LOAD32_LE(k + 4); + ctx->input[6] = LOAD32_LE(k + 8); + ctx->input[7] = LOAD32_LE(k + 12); + ctx->input[8] = LOAD32_LE(k + 16); + ctx->input[9] = LOAD32_LE(k + 20); + ctx->input[10] = LOAD32_LE(k + 24); + ctx->input[11] = LOAD32_LE(k + 28); } static void chacha_ivsetup(chacha_ctx *ctx, const u8 *iv, const u8 *counter) { - ctx->input[12] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 0); - ctx->input[13] = counter == NULL ? 0 : U8TO32_LITTLE(counter + 4); - ctx->input[14] = U8TO32_LITTLE(iv + 0); - ctx->input[15] = U8TO32_LITTLE(iv + 4); + ctx->input[12] = counter == NULL ? 0 : LOAD32_LE(counter + 0); + ctx->input[13] = counter == NULL ? 0 : LOAD32_LE(counter + 4); + ctx->input[14] = LOAD32_LE(iv + 0); + ctx->input[15] = LOAD32_LE(iv + 4); } static void chacha_ietf_ivsetup(chacha_ctx *ctx, const u8 *iv, const u8 *counter) { - ctx->input[12] = counter == NULL ? 
0 : U8TO32_LITTLE(counter); - ctx->input[13] = U8TO32_LITTLE(iv + 0); - ctx->input[14] = U8TO32_LITTLE(iv + 4); - ctx->input[15] = U8TO32_LITTLE(iv + 8); + ctx->input[12] = counter == NULL ? 0 : LOAD32_LE(counter); + ctx->input[13] = LOAD32_LE(iv + 0); + ctx->input[14] = LOAD32_LE(iv + 4); + ctx->input[15] = LOAD32_LE(iv + 8); } static void @@ -185,22 +164,22 @@ chacha_encrypt_bytes(chacha_ctx *ctx, const u8 *m, u8 *c, unsigned long long byt x14 = PLUS(x14, j14); x15 = PLUS(x15, j15); - x0 = XOR(x0, U8TO32_LITTLE(m + 0)); - x1 = XOR(x1, U8TO32_LITTLE(m + 4)); - x2 = XOR(x2, U8TO32_LITTLE(m + 8)); - x3 = XOR(x3, U8TO32_LITTLE(m + 12)); - x4 = XOR(x4, U8TO32_LITTLE(m + 16)); - x5 = XOR(x5, U8TO32_LITTLE(m + 20)); - x6 = XOR(x6, U8TO32_LITTLE(m + 24)); - x7 = XOR(x7, U8TO32_LITTLE(m + 28)); - x8 = XOR(x8, U8TO32_LITTLE(m + 32)); - x9 = XOR(x9, U8TO32_LITTLE(m + 36)); - x10 = XOR(x10, U8TO32_LITTLE(m + 40)); - x11 = XOR(x11, U8TO32_LITTLE(m + 44)); - x12 = XOR(x12, U8TO32_LITTLE(m + 48)); - x13 = XOR(x13, U8TO32_LITTLE(m + 52)); - x14 = XOR(x14, U8TO32_LITTLE(m + 56)); - x15 = XOR(x15, U8TO32_LITTLE(m + 60)); + x0 = XOR(x0, LOAD32_LE(m + 0)); + x1 = XOR(x1, LOAD32_LE(m + 4)); + x2 = XOR(x2, LOAD32_LE(m + 8)); + x3 = XOR(x3, LOAD32_LE(m + 12)); + x4 = XOR(x4, LOAD32_LE(m + 16)); + x5 = XOR(x5, LOAD32_LE(m + 20)); + x6 = XOR(x6, LOAD32_LE(m + 24)); + x7 = XOR(x7, LOAD32_LE(m + 28)); + x8 = XOR(x8, LOAD32_LE(m + 32)); + x9 = XOR(x9, LOAD32_LE(m + 36)); + x10 = XOR(x10, LOAD32_LE(m + 40)); + x11 = XOR(x11, LOAD32_LE(m + 44)); + x12 = XOR(x12, LOAD32_LE(m + 48)); + x13 = XOR(x13, LOAD32_LE(m + 52)); + x14 = XOR(x14, LOAD32_LE(m + 56)); + x15 = XOR(x15, LOAD32_LE(m + 60)); j12 = PLUSONE(j12); /* LCOV_EXCL_START */ 
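Review bot: The four literals `U32C(0x61707865)` through `U32C(0x6b206574)` that replace the `sigma` table in chacha_keysetup carry no comment, so a reader can no longer see that they are the little-endian words of "expand 32-byte k" without decoding them by hand. A one-line comment above `ctx->input[0]`, `/* "expand 32-byte k" as four little-endian 32-bit words */`, restores that and makes the equivalence with the removed table checkable at a glance. The remaining `LOAD32_LE` substitutions for the key, nonce and counter words are a mechanical replacement and preserve the byte order of the old `U8TO32_LITTLE` macro.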
@@ -209,22 +188,22 @@ chacha_encrypt_bytes(chacha_ctx *ctx, const u8 *m, u8 *c, unsigned long long byt } /* LCOV_EXCL_STOP */ - U32TO8_LITTLE(c + 0, x0); - U32TO8_LITTLE(c + 4, x1); - U32TO8_LITTLE(c + 8, x2); - U32TO8_LITTLE(c + 12, x3); - U32TO8_LITTLE(c + 16, x4); - U32TO8_LITTLE(c + 20, x5); - U32TO8_LITTLE(c + 24, x6); - U32TO8_LITTLE(c + 28, x7); - U32TO8_LITTLE(c + 32, x8); - U32TO8_LITTLE(c + 36, x9); - U32TO8_LITTLE(c + 40, x10); - U32TO8_LITTLE(c + 44, x11); - U32TO8_LITTLE(c + 48, x12); - U32TO8_LITTLE(c + 52, x13); - U32TO8_LITTLE(c + 56, x14); - U32TO8_LITTLE(c + 60, x15); + STORE32_LE(c + 0, x0); + STORE32_LE(c + 4, x1); + STORE32_LE(c + 8, x2); + STORE32_LE(c + 12, x3); + STORE32_LE(c + 16, x4); + STORE32_LE(c + 20, x5); + STORE32_LE(c + 24, x6); + STORE32_LE(c + 28, x7); + STORE32_LE(c + 32, x8); + STORE32_LE(c + 36, x9); + STORE32_LE(c + 40, x10); + STORE32_LE(c + 44, x11); + STORE32_LE(c + 48, x12); + STORE32_LE(c + 52, x13); + STORE32_LE(c + 56, x14); + STORE32_LE(c + 60, x15); if (bytes <= 64) { if (bytes < 64) { @@ -296,8 +275,8 @@ stream_ref_xor_ic(unsigned char *c, const unsigned char *m, } ic_high = U32V(ic >> 32); ic_low = U32V(ic); - U32TO8_LITTLE(&ic_bytes[0], ic_low); - U32TO8_LITTLE(&ic_bytes[4], ic_high); + STORE32_LE(&ic_bytes[0], ic_low); + STORE32_LE(&ic_bytes[4], ic_high); chacha_keysetup(&ctx, k); chacha_ivsetup(&ctx, n, ic_bytes); chacha_encrypt_bytes(&ctx, m, c, mlen); @@ -318,7 +297,7 @@ stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m, if (!mlen) { return 0; } - U32TO8_LITTLE(ic_bytes, ic); + STORE32_LE(ic_bytes, ic); chacha_keysetup(&ctx, k); chacha_ietf_ivsetup(&ctx, n, ic_bytes); chacha_encrypt_bytes(&ctx, m, c, mlen); diff --git a/release/src/router/libsodium/src/libsodium/crypto_stream/chacha20/ref/stream_chacha20_ref.h b/release/src/router/libsodium/src/libsodium/crypto_stream/chacha20/ref/stream_chacha20_ref.h index f2091ab0e8..c8b923c5e5 100644 
--- a/release/src/router/libsodium/src/libsodium/crypto_stream/chacha20/ref/stream_chacha20_ref.h +++ b/release/src/router/libsodium/src/libsodium/crypto_stream/chacha20/ref/stream_chacha20_ref.h @@ -2,6 +2,7 @@ #include #include "crypto_stream_chacha20.h" +#include "../stream_chacha20.h" extern struct crypto_stream_chacha20_implementation crypto_stream_chacha20_ref_implementation; diff --git a/release/src/router/libsodium/src/libsodium/crypto_stream/chacha20/vec/stream_chacha20_vec.h b/release/src/router/libsodium/src/libsodium/crypto_stream/chacha20/vec/stream_chacha20_vec.h index e73ab3e9cf..da8babce27 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_stream/chacha20/vec/stream_chacha20_vec.h +++ b/release/src/router/libsodium/src/libsodium/crypto_stream/chacha20/vec/stream_chacha20_vec.h @@ -2,6 +2,7 @@ #include #include "crypto_stream_chacha20.h" +#include "../stream_chacha20.h" extern struct crypto_stream_chacha20_implementation crypto_stream_chacha20_vec_implementation; diff --git a/release/src/router/libsodium/src/libsodium/crypto_stream/salsa20/ref/stream_salsa20_ref.c b/release/src/router/libsodium/src/libsodium/crypto_stream/salsa20/ref/stream_salsa20_ref.c index 3e4f6eb0d9..5a17b4bc34 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_stream/salsa20/ref/stream_salsa20_ref.c +++ b/release/src/router/libsodium/src/libsodium/crypto_stream/salsa20/ref/stream_salsa20_ref.c @@ -10,12 +10,6 @@ Public domain. #ifndef HAVE_AMD64_ASM -typedef unsigned int uint32; - -static const unsigned char sigma[16] = { - 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3', '2', '-', 'b', 'y', 't', 'e', ' ', 'k' -}; - int crypto_stream_salsa20( unsigned char *c,unsigned long long clen, const unsigned char *n, @@ -35,7 +29,7 @@ int crypto_stream_salsa20( for (i = 8;i < 16;++i) in[i] = 0; while (clen >= 64) { - crypto_core_salsa20(c,in,kcopy,sigma); + crypto_core_salsa20(c,in,kcopy,NULL); u = 1; for (i = 8;i < 16;++i) { 
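Review bot: The call `crypto_core_salsa20(c,in,kcopy,NULL);` makes correctness depend on the callee substituting the default constant for a NULL `c` argument, which nothing at the call site says and which the removed `sigma` array used to make explicit; whether crypto_core_salsa20 now accepts NULL is not visible in this chunk. A comment at the first such call, `/* NULL: use the default "expand 32-byte k" constant */`, would make that dependency visible, and the crypto_core_* headers should state the NULL contract so an out-of-tree core implementation that dereferences `c` is not silently paired with these callers. The same applies to the sibling hunks in xor_salsa20_ref.c, stream_salsa2012.c, xor_salsa2012.c, stream_salsa208.c, xor_salsa208.c, stream_xsalsa20.c and xor_xsalsa20.c. crypto_stream_salsa20's body starts before and continues past this hunk.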
@@ -49,7 +43,7 @@ int crypto_stream_salsa20( } if (clen) { - crypto_core_salsa20(block,in,kcopy,sigma); + crypto_core_salsa20(block,in,kcopy,NULL); for (i = 0;i < (unsigned int) clen;++i) c[i] = block[i]; } sodium_memzero(block, sizeof block); diff --git a/release/src/router/libsodium/src/libsodium/crypto_stream/salsa20/ref/xor_salsa20_ref.c b/release/src/router/libsodium/src/libsodium/crypto_stream/salsa20/ref/xor_salsa20_ref.c index b998ae4c54..d598496521 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_stream/salsa20/ref/xor_salsa20_ref.c +++ b/release/src/router/libsodium/src/libsodium/crypto_stream/salsa20/ref/xor_salsa20_ref.c @@ -12,12 +12,6 @@ Public domain. #ifndef HAVE_AMD64_ASM -typedef unsigned int uint32; - -static const unsigned char sigma[16] = { - 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3', '2', '-', 'b', 'y', 't', 'e', ' ', 'k' -}; - int crypto_stream_salsa20_xor_ic( unsigned char *c, const unsigned char *m,unsigned long long mlen, @@ -41,7 +35,7 @@ int crypto_stream_salsa20_xor_ic( } while (mlen >= 64) { - crypto_core_salsa20(block,in,kcopy,sigma); + crypto_core_salsa20(block,in,kcopy,NULL); for (i = 0;i < 64;++i) c[i] = m[i] ^ block[i]; u = 1; @@ -57,7 +51,7 @@ int crypto_stream_salsa20_xor_ic( } if (mlen) { - crypto_core_salsa20(block,in,kcopy,sigma); + crypto_core_salsa20(block,in,kcopy,NULL); for (i = 0;i < (unsigned int) mlen;++i) c[i] = m[i] ^ block[i]; } sodium_memzero(block, sizeof block); diff --git a/release/src/router/libsodium/src/libsodium/crypto_stream/salsa2012/ref/stream_salsa2012.c b/release/src/router/libsodium/src/libsodium/crypto_stream/salsa2012/ref/stream_salsa2012.c index 5008ab69ca..5a3a3c1e0b 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_stream/salsa2012/ref/stream_salsa2012.c +++ b/release/src/router/libsodium/src/libsodium/crypto_stream/salsa2012/ref/stream_salsa2012.c 
@@ -8,12 +8,6 @@ Public domain. #include "crypto_stream_salsa2012.h" #include "utils.h" -typedef unsigned int uint32; - -static const unsigned char sigma[16] = { - 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3', '2', '-', 'b', 'y', 't', 'e', ' ', 'k' -}; - int crypto_stream_salsa2012( unsigned char *c,unsigned long long clen, const unsigned char *n, @@ -33,7 +27,7 @@ int crypto_stream_salsa2012( for (i = 8;i < 16;++i) in[i] = 0; while (clen >= 64) { - crypto_core_salsa2012(c,in,kcopy,sigma); + crypto_core_salsa2012(c,in,kcopy,NULL); u = 1; for (i = 8;i < 16;++i) { @@ -47,7 +41,7 @@ int crypto_stream_salsa2012( } if (clen) { - crypto_core_salsa2012(block,in,kcopy,sigma); + crypto_core_salsa2012(block,in,kcopy,NULL); for (i = 0;i < (unsigned int) clen;++i) c[i] = block[i]; } sodium_memzero(block, sizeof block); diff --git a/release/src/router/libsodium/src/libsodium/crypto_stream/salsa2012/ref/xor_salsa2012.c b/release/src/router/libsodium/src/libsodium/crypto_stream/salsa2012/ref/xor_salsa2012.c index ab471b33fe..f885b30f7b 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_stream/salsa2012/ref/xor_salsa2012.c +++ b/release/src/router/libsodium/src/libsodium/crypto_stream/salsa2012/ref/xor_salsa2012.c @@ -8,12 +8,6 @@ Public domain. #include "crypto_stream_salsa2012.h" #include "utils.h" -typedef unsigned int uint32; - -static const unsigned char sigma[16] = { - 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3', '2', '-', 'b', 'y', 't', 'e', ' ', 'k' -}; - int crypto_stream_salsa2012_xor( unsigned char *c, const unsigned char *m,unsigned long long mlen, @@ -34,7 +28,7 @@ int crypto_stream_salsa2012_xor( for (i = 8;i < 16;++i) in[i] = 0; while (mlen >= 64) { - crypto_core_salsa2012(block,in,kcopy,sigma); + crypto_core_salsa2012(block,in,kcopy,NULL); for (i = 0;i < 64;++i) c[i] = m[i] ^ block[i]; u = 1; 
@@ -50,7 +44,7 @@ int crypto_stream_salsa2012_xor( } if (mlen) { - crypto_core_salsa2012(block,in,kcopy,sigma); + crypto_core_salsa2012(block,in,kcopy,NULL); for (i = 0;i < (unsigned int) mlen;++i) c[i] = m[i] ^ block[i]; } sodium_memzero(block, sizeof block); diff --git a/release/src/router/libsodium/src/libsodium/crypto_stream/salsa208/ref/stream_salsa208.c b/release/src/router/libsodium/src/libsodium/crypto_stream/salsa208/ref/stream_salsa208.c index 7869b8465a..0b81ce1da9 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_stream/salsa208/ref/stream_salsa208.c +++ b/release/src/router/libsodium/src/libsodium/crypto_stream/salsa208/ref/stream_salsa208.c @@ -8,12 +8,6 @@ Public domain. #include "crypto_stream_salsa208.h" #include "utils.h" -typedef unsigned int uint32; - -static const unsigned char sigma[16] = { - 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3', '2', '-', 'b', 'y', 't', 'e', ' ', 'k' -}; - int crypto_stream_salsa208( unsigned char *c,unsigned long long clen, const unsigned char *n, @@ -33,7 +27,7 @@ int crypto_stream_salsa208( for (i = 8;i < 16;++i) in[i] = 0; while (clen >= 64) { - crypto_core_salsa208(c,in,kcopy,sigma); + crypto_core_salsa208(c,in,kcopy,NULL); u = 1; for (i = 8;i < 16;++i) { @@ -47,7 +41,7 @@ int crypto_stream_salsa208( } if (clen) { - crypto_core_salsa208(block,in,kcopy,sigma); + crypto_core_salsa208(block,in,kcopy,NULL); for (i = 0;i < (unsigned int) clen;++i) c[i] = block[i]; } sodium_memzero(block, sizeof block); diff --git a/release/src/router/libsodium/src/libsodium/crypto_stream/salsa208/ref/xor_salsa208.c b/release/src/router/libsodium/src/libsodium/crypto_stream/salsa208/ref/xor_salsa208.c index 706970f0a1..fdbd59383d 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_stream/salsa208/ref/xor_salsa208.c +++ b/release/src/router/libsodium/src/libsodium/crypto_stream/salsa208/ref/xor_salsa208.c 
@@ -8,12 +8,6 @@ Public domain. #include "crypto_stream_salsa208.h" #include "utils.h" -typedef unsigned int uint32; - -static const unsigned char sigma[16] = { - 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3', '2', '-', 'b', 'y', 't', 'e', ' ', 'k' -}; - int crypto_stream_salsa208_xor( unsigned char *c, const unsigned char *m,unsigned long long mlen, @@ -34,7 +28,7 @@ int crypto_stream_salsa208_xor( for (i = 8;i < 16;++i) in[i] = 0; while (mlen >= 64) { - crypto_core_salsa208(block,in,kcopy,sigma); + crypto_core_salsa208(block,in,kcopy,NULL); for (i = 0;i < 64;++i) c[i] = m[i] ^ block[i]; u = 1; @@ -50,7 +44,7 @@ int crypto_stream_salsa208_xor( } if (mlen) { - crypto_core_salsa208(block,in,kcopy,sigma); + crypto_core_salsa208(block,in,kcopy,NULL); for (i = 0;i < (unsigned int) mlen;++i) c[i] = m[i] ^ block[i]; } sodium_memzero(block, sizeof block); diff --git a/release/src/router/libsodium/src/libsodium/crypto_stream/xsalsa20/ref/stream_xsalsa20.c b/release/src/router/libsodium/src/libsodium/crypto_stream/xsalsa20/ref/stream_xsalsa20.c index c6614cbbc9..1e6513a8e5 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_stream/xsalsa20/ref/stream_xsalsa20.c +++ b/release/src/router/libsodium/src/libsodium/crypto_stream/xsalsa20/ref/stream_xsalsa20.c @@ -9,10 +9,6 @@ Public domain. #include "crypto_stream_xsalsa20.h" #include "utils.h" -static const unsigned char sigma[16] = { - 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3', '2', '-', 'b', 'y', 't', 'e', ' ', 'k' -}; - int crypto_stream_xsalsa20( unsigned char *c,unsigned long long clen, const unsigned char *n, @@ -21,7 +17,7 @@ int crypto_stream_xsalsa20( { unsigned char subkey[32]; int ret; - crypto_core_hsalsa20(subkey,n,k,sigma); + crypto_core_hsalsa20(subkey,n,k,NULL); ret = crypto_stream_salsa20(c,clen,n + 16,subkey); sodium_memzero(subkey, sizeof subkey); return ret; 
diff --git a/release/src/router/libsodium/src/libsodium/crypto_stream/xsalsa20/ref/xor_xsalsa20.c b/release/src/router/libsodium/src/libsodium/crypto_stream/xsalsa20/ref/xor_xsalsa20.c index b38c6510d4..7a4562b653 100644 --- a/release/src/router/libsodium/src/libsodium/crypto_stream/xsalsa20/ref/xor_xsalsa20.c +++ b/release/src/router/libsodium/src/libsodium/crypto_stream/xsalsa20/ref/xor_xsalsa20.c @@ -9,10 +9,6 @@ Public domain. #include "crypto_stream_xsalsa20.h" #include "utils.h" -static const unsigned char sigma[16] = { - 'e', 'x', 'p', 'a', 'n', 'd', ' ', '3', '2', '-', 'b', 'y', 't', 'e', ' ', 'k' -}; - int crypto_stream_xsalsa20_xor_ic( unsigned char *c, const unsigned char *m,unsigned long long mlen, @@ -22,7 +18,7 @@ int crypto_stream_xsalsa20_xor_ic( { unsigned char subkey[32]; int ret; - crypto_core_hsalsa20(subkey,n,k,sigma); + crypto_core_hsalsa20(subkey,n,k,NULL); ret = crypto_stream_salsa20_xor_ic(c,m,mlen,n + 16,ic,subkey); sodium_memzero(subkey, sizeof subkey); return ret; diff --git a/release/src/router/libsodium/src/libsodium/include/Makefile.am b/release/src/router/libsodium/src/libsodium/include/Makefile.am index 31d2c1c808..05b8ae8fdc 100644 --- a/release/src/router/libsodium/src/libsodium/include/Makefile.am +++ b/release/src/router/libsodium/src/libsodium/include/Makefile.am @@ -10,6 +10,7 @@ SODIUM_EXPORT = \ sodium/crypto_auth_hmacsha512256.h \ sodium/crypto_box.h \ sodium/crypto_box_curve25519xsalsa20poly1305.h \ + sodium/crypto_core_hchacha20.h \ sodium/crypto_core_hsalsa20.h \ sodium/crypto_core_salsa20.h \ sodium/crypto_core_salsa2012.h \ @@ -21,6 +22,8 @@ SODIUM_EXPORT = \ sodium/crypto_hash_sha512.h \ sodium/crypto_onetimeauth.h \ sodium/crypto_onetimeauth_poly1305.h \ + sodium/crypto_pwhash.h \ + sodium/crypto_pwhash_argon2i.h \ sodium/crypto_pwhash_scryptsalsa208sha256.h \ sodium/crypto_scalarmult.h \ sodium/crypto_scalarmult_curve25519.h \ 
diff --git a/release/src/router/libsodium/src/libsodium/include/Makefile.in b/release/src/router/libsodium/src/libsodium/include/Makefile.in index 655e1c8ca9..7f4364318d 100644 --- a/release/src/router/libsodium/src/libsodium/include/Makefile.in +++ b/release/src/router/libsodium/src/libsodium/include/Makefile.in @@ -96,6 +96,7 @@ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_check_define.m4 \ $(top_srcdir)/m4/ax_check_link_flag.m4 \ + $(top_srcdir)/m4/ax_valgrind_check.m4 \ $(top_srcdir)/m4/ld-output-def.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ @@ -133,13 +134,14 @@ am__nobase_include_HEADERS_DIST = sodium.h sodium/core.h \ sodium/crypto_auth_hmacsha512.h \ sodium/crypto_auth_hmacsha512256.h sodium/crypto_box.h \ sodium/crypto_box_curve25519xsalsa20poly1305.h \ - sodium/crypto_core_hsalsa20.h sodium/crypto_core_salsa20.h \ - sodium/crypto_core_salsa2012.h sodium/crypto_core_salsa208.h \ - sodium/crypto_generichash.h \ + sodium/crypto_core_hchacha20.h sodium/crypto_core_hsalsa20.h \ + sodium/crypto_core_salsa20.h sodium/crypto_core_salsa2012.h \ + sodium/crypto_core_salsa208.h sodium/crypto_generichash.h \ sodium/crypto_generichash_blake2b.h sodium/crypto_hash.h \ sodium/crypto_hash_sha256.h sodium/crypto_hash_sha512.h \ sodium/crypto_onetimeauth.h \ - sodium/crypto_onetimeauth_poly1305.h \ + sodium/crypto_onetimeauth_poly1305.h sodium/crypto_pwhash.h \ + sodium/crypto_pwhash_argon2i.h \ sodium/crypto_pwhash_scryptsalsa208sha256.h \ sodium/crypto_scalarmult.h \ sodium/crypto_scalarmult_curve25519.h \ @@ -227,6 +229,8 @@ CCASFLAGS = @CCASFLAGS@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CFLAGS_AESNI = @CFLAGS_AESNI@ +CFLAGS_AVX = @CFLAGS_AVX@ +CFLAGS_AVX2 = @CFLAGS_AVX2@ CFLAGS_MMX = @CFLAGS_MMX@ CFLAGS_PCLMUL = @CFLAGS_PCLMUL@ CFLAGS_SSE2 = @CFLAGS_SSE2@ 
@@ -299,6 +303,12 @@ SODIUM_LIBRARY_VERSION_MAJOR = @SODIUM_LIBRARY_VERSION_MAJOR@ SODIUM_LIBRARY_VERSION_MINOR = @SODIUM_LIBRARY_VERSION_MINOR@ STRIP = @STRIP@ TEST_LDFLAGS = @TEST_LDFLAGS@ +VALGRIND = @VALGRIND@ +VALGRIND_ENABLED = @VALGRIND_ENABLED@ +VALGRIND_HAVE_TOOL_drd = @VALGRIND_HAVE_TOOL_drd@ +VALGRIND_HAVE_TOOL_exp_sgcheck = @VALGRIND_HAVE_TOOL_exp_sgcheck@ +VALGRIND_HAVE_TOOL_helgrind = @VALGRIND_HAVE_TOOL_helgrind@ +VALGRIND_HAVE_TOOL_memcheck = @VALGRIND_HAVE_TOOL_memcheck@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ @@ -358,13 +368,14 @@ SODIUM_EXPORT = sodium.h sodium/core.h sodium/crypto_aead_aes256gcm.h \ sodium/crypto_auth_hmacsha512.h \ sodium/crypto_auth_hmacsha512256.h sodium/crypto_box.h \ sodium/crypto_box_curve25519xsalsa20poly1305.h \ - sodium/crypto_core_hsalsa20.h sodium/crypto_core_salsa20.h \ - sodium/crypto_core_salsa2012.h sodium/crypto_core_salsa208.h \ - sodium/crypto_generichash.h \ + sodium/crypto_core_hchacha20.h sodium/crypto_core_hsalsa20.h \ + sodium/crypto_core_salsa20.h sodium/crypto_core_salsa2012.h \ + sodium/crypto_core_salsa208.h sodium/crypto_generichash.h \ sodium/crypto_generichash_blake2b.h sodium/crypto_hash.h \ sodium/crypto_hash_sha256.h sodium/crypto_hash_sha512.h \ sodium/crypto_onetimeauth.h \ - sodium/crypto_onetimeauth_poly1305.h \ + sodium/crypto_onetimeauth_poly1305.h sodium/crypto_pwhash.h \ + sodium/crypto_pwhash_argon2i.h \ sodium/crypto_pwhash_scryptsalsa208sha256.h \ sodium/crypto_scalarmult.h \ sodium/crypto_scalarmult_curve25519.h \ diff --git a/release/src/router/libsodium/src/libsodium/include/sodium.h b/release/src/router/libsodium/src/libsodium/include/sodium.h index b9a44ca398..ea0c247cb7 100644 --- a/release/src/router/libsodium/src/libsodium/include/sodium.h +++ b/release/src/router/libsodium/src/libsodium/include/sodium.h 
@@ -12,6 +12,7 @@ #include "sodium/crypto_box.h" #include "sodium/crypto_box_curve25519xsalsa20poly1305.h" #include "sodium/crypto_core_hsalsa20.h" +#include "sodium/crypto_core_hchacha20.h" #include "sodium/crypto_core_salsa20.h" #include "sodium/crypto_core_salsa2012.h" #include "sodium/crypto_core_salsa208.h" @@ -22,6 +23,8 @@ #include "sodium/crypto_hash_sha512.h" #include "sodium/crypto_onetimeauth.h" #include "sodium/crypto_onetimeauth_poly1305.h" +#include "sodium/crypto_pwhash.h" +#include "sodium/crypto_pwhash_argon2i.h" #include "sodium/crypto_pwhash_scryptsalsa208sha256.h" #include "sodium/crypto_scalarmult.h" #include "sodium/crypto_scalarmult_curve25519.h" diff --git a/release/src/router/libsodium/src/libsodium/include/sodium/crypto_aead_aes256gcm.h b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_aead_aes256gcm.h index 42c0c8301b..d7be484855 100644 --- a/release/src/router/libsodium/src/libsodium/include/sodium/crypto_aead_aes256gcm.h +++ b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_aead_aes256gcm.h @@ -58,6 +58,32 @@ int crypto_aead_aes256gcm_decrypt(unsigned char *m, __attribute__ ((warn_unused_result)); SODIUM_EXPORT +int crypto_aead_aes256gcm_encrypt_detached(unsigned char *c, + unsigned char *mac, + unsigned long long *maclen_p, + const unsigned char *m, + unsigned long long mlen, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +SODIUM_EXPORT +int crypto_aead_aes256gcm_decrypt_detached(unsigned char *m, + unsigned char *nsec, + const unsigned char *c, + unsigned long long clen, + const unsigned char *mac, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) + __attribute__ ((warn_unused_result)); + +/* -- Precomputation interface -- */ + +SODIUM_EXPORT int crypto_aead_aes256gcm_beforenm(crypto_aead_aes256gcm_state *ctx_, const unsigned char *k); 
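Review bot: `#include "sodium/crypto_core_hchacha20.h"` is inserted after `crypto_core_hsalsa20.h`, while the include/Makefile.am and Makefile.in hunks in this same patch list hchacha20 before hsalsa20 in alphabetical order. Moving the new line one position up keeps sodium.h's include list sorted like the rest of the block and like the build files.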
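Review bot: The new `_detached` declarations in crypto_aead_aes256gcm.h (this hunk and the `_afternm` pair in the following one) carry no comment on the detached contract: what `mac` must hold on input to the decrypt variants, what `maclen_p` receives and whether it may be NULL, and that a non-zero return from decrypt means the tag did not verify and `m` holds no usable plaintext. `__attribute__ ((warn_unused_result))` only forces callers to look at the return value; it does not tell them what it means. A short comment above the group, e.g. `/* Detached mode: the tag (crypto_aead_aes256gcm_ABYTES bytes) is written to / read from mac instead of being appended to c. */`, would close that gap.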
@@ -84,6 +110,30 @@ int crypto_aead_aes256gcm_decrypt_afternm(unsigned char *m, const crypto_aead_aes256gcm_state *ctx_) __attribute__ ((warn_unused_result)); +SODIUM_EXPORT +int crypto_aead_aes256gcm_encrypt_detached_afternm(unsigned char *c, + unsigned char *mac, + unsigned long long *maclen_p, + const unsigned char *m, + unsigned long long mlen, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const crypto_aead_aes256gcm_state *ctx_); + +SODIUM_EXPORT +int crypto_aead_aes256gcm_decrypt_detached_afternm(unsigned char *m, + unsigned char *nsec, + const unsigned char *c, + unsigned long long clen, + const unsigned char *mac, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *npub, + const crypto_aead_aes256gcm_state *ctx_) + __attribute__ ((warn_unused_result)); + #ifdef __cplusplus } #endif diff --git a/release/src/router/libsodium/src/libsodium/include/sodium/crypto_aead_chacha20poly1305.h b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_aead_chacha20poly1305.h index 1c0b85ba0d..8ee5e42dd3 100644 --- a/release/src/router/libsodium/src/libsodium/include/sodium/crypto_aead_chacha20poly1305.h +++ b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_aead_chacha20poly1305.h 
@@ -11,6 +11,74 @@ extern "C" { #endif +/* -- IETF ChaCha20-Poly1305 construction with a 96-bit nonce and a 32-bit internal counter -- */ + +#define crypto_aead_chacha20poly1305_ietf_KEYBYTES 32U +SODIUM_EXPORT +size_t crypto_aead_chacha20poly1305_ietf_keybytes(void); + +#define crypto_aead_chacha20poly1305_ietf_NSECBYTES 0U +SODIUM_EXPORT +size_t crypto_aead_chacha20poly1305_ietf_nsecbytes(void); + +#define crypto_aead_chacha20poly1305_ietf_NPUBBYTES 12U + +SODIUM_EXPORT +size_t crypto_aead_chacha20poly1305_ietf_npubbytes(void); + +#define crypto_aead_chacha20poly1305_ietf_ABYTES 16U +SODIUM_EXPORT +size_t crypto_aead_chacha20poly1305_ietf_abytes(void); + +SODIUM_EXPORT +int crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c, + unsigned long long *clen_p, + const unsigned char *m, + unsigned long long mlen, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +SODIUM_EXPORT +int crypto_aead_chacha20poly1305_ietf_decrypt(unsigned char *m, + unsigned long long *mlen_p, + unsigned char *nsec, + const unsigned char *c, + unsigned long long clen, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) + __attribute__ ((warn_unused_result)); + +SODIUM_EXPORT +int crypto_aead_chacha20poly1305_ietf_encrypt_detached(unsigned char *c, + unsigned char *mac, + unsigned long long *maclen_p, + const unsigned char *m, + unsigned long long mlen, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); + +SODIUM_EXPORT +int crypto_aead_chacha20poly1305_ietf_decrypt_detached(unsigned char *m, + unsigned char *nsec, + const unsigned char *c, + unsigned long long clen, + const unsigned char *mac, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) + __attribute__ ((warn_unused_result)); + +/* -- 
Original ChaCha20-Poly1305 construction with a 64-bit nonce and a 64-bit internal counter -- */ + #define crypto_aead_chacha20poly1305_KEYBYTES 32U SODIUM_EXPORT size_t crypto_aead_chacha20poly1305_keybytes(void); 
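Review bot: The new section comment states that the IETF construction uses a 32-bit internal counter, but the header gives callers no resulting bound on `mlen`. With the 64-byte blocks that chacha_encrypt_bytes processes, a 32-bit counter covers 2^32 blocks, roughly 2^38 bytes per (key, nonce), after which the counter wraps and keystream repeats; whether the implementation rejects longer inputs is not visible here. A sentence in the comment such as `/* Messages must stay below 2^38 bytes: the 32-bit block counter would otherwise wrap. */` would put the limit next to the nonce size so callers can enforce it.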
@@ -50,32 +118,36 @@ int crypto_aead_chacha20poly1305_decrypt(unsigned char *m, const unsigned char *k) __attribute__ ((warn_unused_result)); -#define crypto_aead_chacha20poly1305_IETF_NPUBBYTES 12U SODIUM_EXPORT -size_t crypto_aead_chacha20poly1305_ietf_npubbytes(void); +int crypto_aead_chacha20poly1305_encrypt_detached(unsigned char *c, + unsigned char *mac, + unsigned long long *maclen_p, + const unsigned char *m, + unsigned long long mlen, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k); SODIUM_EXPORT -int crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c, - unsigned long long *clen_p, - const unsigned char *m, - unsigned long long mlen, - const unsigned char *ad, - unsigned long long adlen, - const unsigned char *nsec, - const unsigned char *npub, - const unsigned char *k); +int crypto_aead_chacha20poly1305_decrypt_detached(unsigned char *m, + unsigned char *nsec, + const unsigned char *c, + unsigned long long clen, + const unsigned char *mac, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *npub, + const unsigned char *k) + __attribute__ ((warn_unused_result)); -SODIUM_EXPORT -int crypto_aead_chacha20poly1305_ietf_decrypt(unsigned char *m, - unsigned long long *mlen_p, - unsigned char *nsec, - const unsigned char *c, - unsigned long long clen, - const unsigned char *ad, - unsigned long long adlen, - const unsigned char *npub, - const unsigned char *k) - __attribute__ ((warn_unused_result)); +/* Aliases */ + +#define crypto_aead_chacha20poly1305_IETF_KEYBYTES crypto_aead_chacha20poly1305_ietf_KEYBYTES +#define crypto_aead_chacha20poly1305_IETF_NSECBYTES crypto_aead_chacha20poly1305_ietf_NSECBYTES +#define crypto_aead_chacha20poly1305_IETF_NPUBBYTES crypto_aead_chacha20poly1305_ietf_NPUBBYTES +#define crypto_aead_chacha20poly1305_IETF_ABYTES crypto_aead_chacha20poly1305_ietf_ABYTES #ifdef __cplusplus } 
diff --git a/release/src/router/libsodium/src/libsodium/include/sodium/crypto_box_curve25519xsalsa20poly1305.h b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_box_curve25519xsalsa20poly1305.h index e9c38d6d3f..b18be2017a 100644 --- a/release/src/router/libsodium/src/libsodium/include/sodium/crypto_box_curve25519xsalsa20poly1305.h +++ b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_box_curve25519xsalsa20poly1305.h @@ -31,19 +31,19 @@ size_t crypto_box_curve25519xsalsa20poly1305_beforenmbytes(void); SODIUM_EXPORT size_t crypto_box_curve25519xsalsa20poly1305_noncebytes(void); -#define crypto_box_curve25519xsalsa20poly1305_ZEROBYTES 32U +#define crypto_box_curve25519xsalsa20poly1305_MACBYTES 16U SODIUM_EXPORT -size_t crypto_box_curve25519xsalsa20poly1305_zerobytes(void); +size_t crypto_box_curve25519xsalsa20poly1305_macbytes(void); #define crypto_box_curve25519xsalsa20poly1305_BOXZEROBYTES 16U SODIUM_EXPORT size_t crypto_box_curve25519xsalsa20poly1305_boxzerobytes(void); -#define crypto_box_curve25519xsalsa20poly1305_MACBYTES \ - (crypto_box_curve25519xsalsa20poly1305_ZEROBYTES - \ - crypto_box_curve25519xsalsa20poly1305_BOXZEROBYTES) +#define crypto_box_curve25519xsalsa20poly1305_ZEROBYTES \ + (crypto_box_curve25519xsalsa20poly1305_BOXZEROBYTES + \ + crypto_box_curve25519xsalsa20poly1305_MACBYTES) SODIUM_EXPORT -size_t crypto_box_curve25519xsalsa20poly1305_macbytes(void); +size_t crypto_box_curve25519xsalsa20poly1305_zerobytes(void); SODIUM_EXPORT int crypto_box_curve25519xsalsa20poly1305(unsigned char *c, diff --git a/release/src/router/libsodium/src/libsodium/include/sodium/crypto_core_hchacha20.h b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_core_hchacha20.h new file mode 100644 index 0000000000..05e5670c10 --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_core_hchacha20.h 
@@ -0,0 +1,35 @@ +#ifndef crypto_core_hchacha20_H +#define crypto_core_hchacha20_H + +#include +#include "export.h" + +#ifdef __cplusplus +extern "C" { +#endif + +#define crypto_core_hchacha20_OUTPUTBYTES 32U +SODIUM_EXPORT +size_t crypto_core_hchacha20_outputbytes(void); + +#define crypto_core_hchacha20_INPUTBYTES 16U +SODIUM_EXPORT +size_t crypto_core_hchacha20_inputbytes(void); + +#define crypto_core_hchacha20_KEYBYTES 32U +SODIUM_EXPORT +size_t crypto_core_hchacha20_keybytes(void); + +#define crypto_core_hchacha20_CONSTBYTES 16U +SODIUM_EXPORT +size_t crypto_core_hchacha20_constbytes(void); + +SODIUM_EXPORT +int crypto_core_hchacha20(unsigned char *out, const unsigned char *in, + const unsigned char *k, const unsigned char *c); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/release/src/router/libsodium/src/libsodium/include/sodium/crypto_generichash_blake2b.h b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_generichash_blake2b.h index 1708813ef3..3998e1bdaf 100644 --- a/release/src/router/libsodium/src/libsodium/include/sodium/crypto_generichash_blake2b.h +++ b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_generichash_blake2b.h @@ -68,6 +68,9 @@ SODIUM_EXPORT size_t crypto_generichash_blake2b_personalbytes(void); SODIUM_EXPORT +size_t crypto_generichash_blake2b_statebytes(void); + +SODIUM_EXPORT int crypto_generichash_blake2b(unsigned char *out, size_t outlen, const unsigned char *in, unsigned long long inlen, diff --git a/release/src/router/libsodium/src/libsodium/include/sodium/crypto_pwhash.h b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_pwhash.h new file mode 100644 index 0000000000..30d38e87f5 --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_pwhash.h 
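Review bot: `crypto_core_hchacha20(unsigned char *out, const unsigned char *in, const unsigned char *k, const unsigned char *c)` is a new public entry point whose `c` parameter has no documented contract beyond the `crypto_core_hchacha20_CONSTBYTES 16U` length above it. Elsewhere in this patch the salsa cores are called with a NULL constant, so if hchacha20 likewise substitutes a default for NULL the header should say so: `/* c: 16-byte constant, or NULL for the default "expand 32-byte k" */`. If it does not accept NULL, saying that is just as important, since callers will copy the pattern from the salsa code.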
@@ -0,0 +1,89 @@ +#ifndef crypto_pwhash_H +#define crypto_pwhash_H + +#include + +#include "crypto_pwhash_argon2i.h" +#include "export.h" + +#ifdef __cplusplus +# if __GNUC__ +# pragma GCC diagnostic ignored "-Wlong-long" +# endif +extern "C" { +#endif + +#define crypto_pwhash_ALG_ARGON2I13 crypto_pwhash_argon2i_ALG_ARGON2I13 +SODIUM_EXPORT +int crypto_pwhash_alg_argon2i13(void); + +#define crypto_pwhash_ALG_DEFAULT crypto_pwhash_ALG_ARGON2I13 +SODIUM_EXPORT +int crypto_pwhash_alg_default(void); + +#define crypto_pwhash_SALTBYTES crypto_pwhash_argon2i_SALTBYTES +SODIUM_EXPORT +size_t crypto_pwhash_saltbytes(void); + +#define crypto_pwhash_STRBYTES crypto_pwhash_argon2i_STRBYTES +SODIUM_EXPORT +size_t crypto_pwhash_strbytes(void); + +#define crypto_pwhash_STRPREFIX crypto_pwhash_argon2i_STRPREFIX +SODIUM_EXPORT +const char *crypto_pwhash_strprefix(void); + +#define crypto_pwhash_OPSLIMIT_INTERACTIVE crypto_pwhash_argon2i_OPSLIMIT_INTERACTIVE +SODIUM_EXPORT +size_t crypto_pwhash_opslimit_interactive(void); + +#define crypto_pwhash_MEMLIMIT_INTERACTIVE crypto_pwhash_argon2i_MEMLIMIT_INTERACTIVE +SODIUM_EXPORT +size_t crypto_pwhash_memlimit_interactive(void); + +#define crypto_pwhash_OPSLIMIT_MODERATE crypto_pwhash_argon2i_OPSLIMIT_MODERATE +SODIUM_EXPORT +size_t crypto_pwhash_opslimit_moderate(void); + +#define crypto_pwhash_MEMLIMIT_MODERATE crypto_pwhash_argon2i_MEMLIMIT_MODERATE +SODIUM_EXPORT +size_t crypto_pwhash_memlimit_moderate(void); + +#define crypto_pwhash_OPSLIMIT_SENSITIVE crypto_pwhash_argon2i_OPSLIMIT_SENSITIVE +SODIUM_EXPORT +size_t crypto_pwhash_opslimit_sensitive(void); + +#define crypto_pwhash_MEMLIMIT_SENSITIVE crypto_pwhash_argon2i_MEMLIMIT_SENSITIVE +SODIUM_EXPORT +size_t crypto_pwhash_memlimit_sensitive(void); + +SODIUM_EXPORT +int crypto_pwhash(unsigned char * const out, unsigned long long outlen, + const char * const passwd, unsigned long long passwdlen, + const unsigned char * const salt, + unsigned long long opslimit, size_t memlimit, int 
alg) + __attribute__ ((warn_unused_result)); + +SODIUM_EXPORT +int crypto_pwhash_str(char out[crypto_pwhash_STRBYTES], + const char * const passwd, unsigned long long passwdlen, + unsigned long long opslimit, size_t memlimit) + __attribute__ ((warn_unused_result)); + +SODIUM_EXPORT +int crypto_pwhash_str_verify(const char str[crypto_pwhash_STRBYTES], + const char * const passwd, + unsigned long long passwdlen) + __attribute__ ((warn_unused_result)); + +#define crypto_pwhash_PRIMITIVE "argon2i" +SODIUM_EXPORT +const char *crypto_pwhash_primitive(void) + __attribute__ ((warn_unused_result)); + +#ifdef __cplusplus +} +#endif + +#endif + diff --git a/release/src/router/libsodium/src/libsodium/include/sodium/crypto_pwhash_argon2i.h b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_pwhash_argon2i.h new file mode 100644 index 0000000000..3fbf6b0038 --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_pwhash_argon2i.h 
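Review bot: `# pragma GCC diagnostic ignored "-Wlong-long"` in an installed public header changes the warning state of every C++ translation unit that includes sodium.h for the remainder of that unit, because the pragma is never undone. Bracketing it with `# pragma GCC diagnostic push` before and `# pragma GCC diagnostic pop` after the last `unsigned long long` prototype keeps the suppression local to this header; crypto_pwhash_argon2i.h in this patch repeats the same pattern and needs the same fix. The prototypes also leave the units of `opslimit` and `memlimit` unstated; judging from the `MEMLIMIT_*` values in the argon2i header memlimit is presumably bytes, which is worth one comment line above `crypto_pwhash()`.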
@@ -0,0 +1,86 @@
+#ifndef crypto_pwhash_argon2i_H
+#define crypto_pwhash_argon2i_H
+
+#include
+
+#include "export.h"
+
+#ifdef __cplusplus
+# if __GNUC__
+# pragma GCC diagnostic ignored "-Wlong-long"
+# endif
+extern "C" {
+#endif
+
+#define crypto_pwhash_argon2i_ALG_ARGON2I13 1
+SODIUM_EXPORT
+int crypto_pwhash_argon2i_alg_argon2i13(void);
+
+#define crypto_pwhash_argon2i_SALTBYTES 16U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_saltbytes(void);
+
+#define crypto_pwhash_argon2i_STRBYTES 128U
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_strbytes(void);
+
+#define crypto_pwhash_argon2i_STRPREFIX "$argon2i$"
+SODIUM_EXPORT
+const char *crypto_pwhash_argon2i_strprefix(void);
+
+#define crypto_pwhash_argon2i_OPSLIMIT_INTERACTIVE 4ULL
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_opslimit_interactive(void);
+
+#define crypto_pwhash_argon2i_MEMLIMIT_INTERACTIVE 33554432ULL
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_memlimit_interactive(void);
+
+#define crypto_pwhash_argon2i_OPSLIMIT_MODERATE 6ULL
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_opslimit_moderate(void);
+
+#define crypto_pwhash_argon2i_MEMLIMIT_MODERATE 134217728ULL
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_memlimit_moderate(void);
+
+#define crypto_pwhash_argon2i_OPSLIMIT_SENSITIVE 8ULL
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_opslimit_sensitive(void);
+
+#define crypto_pwhash_argon2i_MEMLIMIT_SENSITIVE 536870912ULL
+SODIUM_EXPORT
+size_t crypto_pwhash_argon2i_memlimit_sensitive(void);
+
+SODIUM_EXPORT
+int crypto_pwhash_argon2i(unsigned char * const out,
+ unsigned long long outlen,
+ const char * const passwd,
+ unsigned long long passwdlen,
+ const unsigned char * const salt,
+ unsigned long long opslimit, size_t memlimit,
+ int alg)
+ __attribute__ ((warn_unused_result));
+
+SODIUM_EXPORT
+int crypto_pwhash_argon2i_str(char out[crypto_pwhash_argon2i_STRBYTES],
+ const char * const passwd,
+ unsigned long long passwdlen,
+ unsigned long long opslimit, size_t memlimit)
+ __attribute__ ((warn_unused_result));
+
+SODIUM_EXPORT
+int crypto_pwhash_argon2i_str_verify(const char str[crypto_pwhash_argon2i_STRBYTES],
+ const char * const passwd,
+ unsigned long long passwdlen)
+ __attribute__ ((warn_unused_result));
+
+/* ------------------------------------------------------------------------- */
+
+int _crypto_pwhash_argon2i_pick_best_implementation(void);
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif
diff --git a/release/src/router/libsodium/src/libsodium/include/sodium/crypto_secretbox_xsalsa20poly1305.h b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_secretbox_xsalsa20poly1305.h
index 4afc2cdf99..a80f5b507a 100644
--- a/release/src/router/libsodium/src/libsodium/include/sodium/crypto_secretbox_xsalsa20poly1305.h
+++ b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_secretbox_xsalsa20poly1305.h
@@ -19,19 +19,19 @@ size_t crypto_secretbox_xsalsa20poly1305_keybytes(void);
 SODIUM_EXPORT
 size_t crypto_secretbox_xsalsa20poly1305_noncebytes(void);
-#define crypto_secretbox_xsalsa20poly1305_ZEROBYTES 32U
+#define crypto_secretbox_xsalsa20poly1305_MACBYTES 16U
 SODIUM_EXPORT
-size_t crypto_secretbox_xsalsa20poly1305_zerobytes(void);
+size_t crypto_secretbox_xsalsa20poly1305_macbytes(void);
 #define crypto_secretbox_xsalsa20poly1305_BOXZEROBYTES 16U
 SODIUM_EXPORT
 size_t crypto_secretbox_xsalsa20poly1305_boxzerobytes(void);
-#define crypto_secretbox_xsalsa20poly1305_MACBYTES \
- (crypto_secretbox_xsalsa20poly1305_ZEROBYTES - \
- crypto_secretbox_xsalsa20poly1305_BOXZEROBYTES)
+#define crypto_secretbox_xsalsa20poly1305_ZEROBYTES \
+ (crypto_secretbox_xsalsa20poly1305_BOXZEROBYTES + \
+ crypto_secretbox_xsalsa20poly1305_MACBYTES)
 SODIUM_EXPORT
-size_t crypto_secretbox_xsalsa20poly1305_macbytes(void);
+size_t crypto_secretbox_xsalsa20poly1305_zerobytes(void);
 SODIUM_EXPORT
 int crypto_secretbox_xsalsa20poly1305(unsigned char *c,
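Review bot: The memory-cost constants in this header, `crypto_pwhash_argon2i_MEMLIMIT_MODERATE 134217728ULL` (128 MiB) and `crypto_pwhash_argon2i_MEMLIMIT_SENSITIVE 536870912ULL` (512 MiB), carry no caveat, and the `release/src/router/` path suggests this libsodium build targets router firmware, where a single allocation of that size will presumably fail or starve the rest of the system; callers in this tree would likely need `crypto_pwhash_argon2i_MEMLIMIT_INTERACTIVE` (32 MiB) or a tuned value, and must honour the `warn_unused_result` return of `crypto_pwhash_argon2i()` rather than assume the hash was produced. I would add above the MODERATE and SENSITIVE definitions: `/* 128 MiB / 512 MiB working set: on memory-constrained targets expect the call to fail; always check the return value */`. Separately, the `*_opslimit_*` accessors return `size_t` while the `opslimit` parameter of `crypto_pwhash_argon2i()` is `unsigned long long` (the `memlimit` side is consistently `size_t`); harmless when widening, but a one-line comment would stop callers from assuming the two limits share a type. `_crypto_pwhash_argon2i_pick_best_implementation` is declared here without `SODIUM_EXPORT`, which reads as internal, and the core.c hunk in this patch calls it from `sodium_init()`; `/* internal: invoked from sodium_init() */` would make that intent explicit.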
diff --git a/release/src/router/libsodium/src/libsodium/include/sodium/crypto_sign_edwards25519sha512batch.h b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_sign_edwards25519sha512batch.h index 77117c7d13..8dadf5a299 100644 --- a/release/src/router/libsodium/src/libsodium/include/sodium/crypto_sign_edwards25519sha512batch.h +++ b/release/src/router/libsodium/src/libsodium/include/sodium/crypto_sign_edwards25519sha512batch.h @@ -23,19 +23,8 @@ extern "C" { #endif #define crypto_sign_edwards25519sha512batch_BYTES 64U -SODIUM_EXPORT -size_t crypto_sign_edwards25519sha512batch_bytes(void) - __attribute__ ((deprecated)); - #define crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES 32U -SODIUM_EXPORT -size_t crypto_sign_edwards25519sha512batch_publickeybytes(void) - __attribute__ ((deprecated)); - #define crypto_sign_edwards25519sha512batch_SECRETKEYBYTES (32U + 32U) -SODIUM_EXPORT -size_t crypto_sign_edwards25519sha512batch_secretkeybytes(void) - __attribute__ ((deprecated)); SODIUM_EXPORT int crypto_sign_edwards25519sha512batch(unsigned char *sm, diff --git a/release/src/router/libsodium/src/libsodium/include/sodium/private/common.h b/release/src/router/libsodium/src/libsodium/include/sodium/private/common.h new file mode 100644 index 0000000000..f289725a57 --- /dev/null +++ b/release/src/router/libsodium/src/libsodium/include/sodium/private/common.h 
@@ -0,0 +1,150 @@
+#ifndef common_H
+#define common_H 1
+
+#include
+#include
+#include
+
+#define LOAD64_LE(SRC) load64_le(SRC)
+static inline uint64_t
+load64_le(const uint8_t src[8])
+{
+#ifdef NATIVE_LITTLE_ENDIAN
+ uint64_t w;
+ memcpy(&w, src, sizeof w);
+ return w;
+#else
+ uint64_t w = (uint64_t) src[0];
+ w |= (uint64_t) src[1] << 8;
+ w |= (uint64_t) src[2] << 16;
+ w |= (uint64_t) src[3] << 24;
+ w |= (uint64_t) src[4] << 32;
+ w |= (uint64_t) src[5] << 40;
+ w |= (uint64_t) src[6] << 48;
+ w |= (uint64_t) src[7] << 56;
+ return w;
+#endif
+}
+
+#define STORE64_LE(DST, W) store64_le((DST), (W))
+static inline void
+store64_le(uint8_t dst[8], uint64_t w)
+{
+#ifdef NATIVE_LITTLE_ENDIAN
+ memcpy(dst, &w, sizeof w);
+#else
+ dst[0] = (uint8_t) w; w >>= 8;
+ dst[1] = (uint8_t) w; w >>= 8;
+ dst[2] = (uint8_t) w; w >>= 8;
+ dst[3] = (uint8_t) w; w >>= 8;
+ dst[4] = (uint8_t) w; w >>= 8;
+ dst[5] = (uint8_t) w; w >>= 8;
+ dst[6] = (uint8_t) w; w >>= 8;
+ dst[7] = (uint8_t) w;
+#endif
+}
+
+#define LOAD32_LE(SRC) load32_le(SRC)
+static inline uint32_t
+load32_le(const uint8_t src[4])
+{
+#ifdef NATIVE_LITTLE_ENDIAN
+ uint32_t w;
+ memcpy(&w, src, sizeof w);
+ return w;
+#else
+ uint32_t w = (uint32_t) src[0];
+ w |= (uint32_t) src[1] << 8;
+ w |= (uint32_t) src[2] << 16;
+ w |= (uint32_t) src[3] << 24;
+ return w;
+#endif
+}
+
+#define STORE32_LE(DST, W) store32_le((DST), (W))
+static inline void
+store32_le(uint8_t dst[4], uint32_t w)
+{
+#ifdef NATIVE_LITTLE_ENDIAN
+ memcpy(dst, &w, sizeof w);
+#else
+ dst[0] = (uint8_t) w; w >>= 8;
+ dst[1] = (uint8_t) w; w >>= 8;
+ dst[2] = (uint8_t) w; w >>= 8;
+ dst[3] = (uint8_t) w;
+#endif
+}
+
+/* ----- */
+
+#define LOAD64_BE(SRC) load64_be(SRC)
+static inline uint64_t
+load64_be(const uint8_t src[8])
+{
+#ifdef NATIVE_BIG_ENDIAN
+ uint64_t w;
+ memcpy(&w, src, sizeof w);
+ return w;
+#else
+ uint64_t w = (uint64_t) src[7];
+ w |= (uint64_t) src[6] << 8;
+ w |= (uint64_t) src[5] << 16;
+ w |= (uint64_t) src[4] << 24;
+ w |= (uint64_t) src[3] << 32;
+ w |= (uint64_t) src[2] << 40;
+ w |= (uint64_t) src[1] << 48;
+ w |= (uint64_t) src[0] << 56;
+ return w;
+#endif
+}
+
+#define LOAD32_BE(SRC) load32_be(SRC)
+static inline uint32_t
+load32_be(const uint8_t src[4])
+{
+#ifdef NATIVE_BIG_ENDIAN
+ uint32_t w;
+ memcpy(&w, src, sizeof w);
+ return w;
+#else
+ uint32_t w = (uint32_t) src[3];
+ w |= (uint32_t) src[2] << 8;
+ w |= (uint32_t) src[1] << 16;
+ w |= (uint32_t) src[0] << 24;
+ return w;
+#endif
+}
+
+#define STORE64_BE(DST, W) store64_be((DST), (W))
+static inline void
+store64_be(uint8_t dst[8], uint64_t w)
+{
+#ifdef NATIVE_BIG_ENDIAN
+ memcpy(dst, &w, sizeof w);
+#else
+ dst[7] = (uint8_t) w; w >>= 8;
+ dst[6] = (uint8_t) w; w >>= 8;
+ dst[5] = (uint8_t) w; w >>= 8;
+ dst[4] = (uint8_t) w; w >>= 8;
+ dst[3] = (uint8_t) w; w >>= 8;
+ dst[2] = (uint8_t) w; w >>= 8;
+ dst[1] = (uint8_t) w; w >>= 8;
+ dst[0] = (uint8_t) w;
+#endif
+}
+
+#define STORE32_BE(DST, W) store32_be((DST), (W))
+static inline void
+store32_be(uint8_t dst[4], uint32_t w)
+{
+#ifdef NATIVE_BIG_ENDIAN
+ memcpy(dst, &w, sizeof w);
+#else
+ dst[3] = (uint8_t) w; w >>= 8;
+ dst[2] = (uint8_t) w; w >>= 8;
+ dst[1] = (uint8_t) w; w >>= 8;
+ dst[0] = (uint8_t) w;
+#endif
+}
+
+#endif
diff --git a/release/src/router/libsodium/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.h b/release/src/router/libsodium/src/libsodium/include/sodium/private/curve25519_ref10.h
similarity index 83%
rename from release/src/router/libsodium/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.h
rename to release/src/router/libsodium/src/libsodium/include/sodium/private/curve25519_ref10.h
index af0744e444..4fdf23eca7 100644
--- a/release/src/router/libsodium/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.h
+++ b/release/src/router/libsodium/src/libsodium/include/sodium/private/curve25519_ref10.h
@@ -8,12 +8,12 @@ typedef int32_t fe[10]; /* -fe means field element. -Here the field is \Z/(2^255-19). -An element t, entries t[0]...t[9], represents the integer -t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9]. -Bounds on each t[i] vary depending on context. -*/ + fe means field element. + Here the field is \Z/(2^255-19). + An element t, entries t[0]...t[9], represents the integer + t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9]. + Bounds on each t[i] vary depending on context. + */ #define fe_frombytes crypto_core_curve25519_ref10_fe_frombytes #define fe_tobytes crypto_core_curve25519_ref10_fe_tobytes 
@@ -51,55 +51,55 @@ extern void fe_invert(fe,const fe); extern void fe_pow22523(fe,const fe); /* -ge means group element. - -Here the group is the set of pairs (x,y) of field elements (see fe.h) -satisfying -x^2 + y^2 = 1 + d x^2y^2 -where d = -121665/121666. - -Representations: - ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z - ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT - ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T - ge_precomp (Duif): (y+x,y-x,2dxy) -*/ + ge means group element. + * + Here the group is the set of pairs (x,y) of field elements (see fe.h) + satisfying -x^2 + y^2 = 1 + d x^2y^2 + where d = -121665/121666. + * + Representations: + ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z + ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT + ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T + ge_precomp (Duif): (y+x,y-x,2dxy) + */ #define ge_p2 crypto_core_curve25519_ref10_ge_p2 typedef struct { - fe X; - fe Y; - fe Z; + fe X; + fe Y; + fe Z; } ge_p2; #define ge_p3 crypto_core_curve25519_ref10_ge_p3 typedef struct { - fe X; - fe Y; - fe Z; - fe T; + fe X; + fe Y; + fe Z; + fe T; } ge_p3; #define ge_p1p1 crypto_core_curve25519_ref10_ge_p1p1 typedef struct { - fe X; - fe Y; - fe Z; - fe T; + fe X; + fe Y; + fe Z; + fe T; } ge_p1p1; #define ge_precomp crypto_core_curve25519_ref10_ge_precomp typedef struct { - fe yplusx; - fe yminusx; - fe xy2d; + fe yplusx; + fe yminusx; + fe xy2d; } ge_precomp; #define ge_cached crypto_core_curve25519_ref10_ge_cached typedef struct { - fe YplusX; - fe YminusX; - fe Z; - fe T2d; + fe YplusX; + fe YminusX; + fe Z; + fe T2d; } ge_cached; #define ge_frombytes_negate_vartime crypto_core_curve25519_ref10_ge_frombytes_negate_vartime 
@@ -147,9 +147,9 @@ extern void ge_double_scalarmult_vartime(ge_p2 *,const unsigned char *,const ge_ extern void ge_scalarmult_vartime(ge_p3 *,const unsigned char *,const ge_p3 *); /* -The set of scalars is \Z/l -where l = 2^252 + 27742317777372353535851937790883648493. -*/ + The set of scalars is \Z/l + where l = 2^252 + 27742317777372353535851937790883648493. + */ #define sc_reduce crypto_core_curve25519_ref10_sc_reduce #define sc_muladd crypto_core_curve25519_ref10_sc_muladd diff --git a/release/src/router/libsodium/src/libsodium/include/sodium/runtime.h b/release/src/router/libsodium/src/libsodium/include/sodium/runtime.h index 2c5c004838..76859ea0e1 100644 --- a/release/src/router/libsodium/src/libsodium/include/sodium/runtime.h +++ b/release/src/router/libsodium/src/libsodium/include/sodium/runtime.h @@ -27,6 +27,9 @@ SODIUM_EXPORT int sodium_runtime_has_avx(void); SODIUM_EXPORT +int sodium_runtime_has_avx2(void); + +SODIUM_EXPORT int sodium_runtime_has_pclmul(void); SODIUM_EXPORT diff --git a/release/src/router/libsodium/src/libsodium/randombytes/randombytes.c b/release/src/router/libsodium/src/libsodium/randombytes/randombytes.c index c207600b4a..c01b87ffb1 100644 --- a/release/src/router/libsodium/src/libsodium/randombytes/randombytes.c +++ b/release/src/router/libsodium/src/libsodium/randombytes/randombytes.c @@ -17,6 +17,9 @@ # include "randombytes_nativeclient.h" #endif +/* C++Builder defines a "random" macro */ +#undef random + #ifndef __EMSCRIPTEN__ #ifdef __native_client__ static const randombytes_implementation *implementation = diff --git a/release/src/router/libsodium/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c b/release/src/router/libsodium/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c index 7bfaa722d8..9473699636 100644 --- a/release/src/router/libsodium/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c 
+++ b/release/src/router/libsodium/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c
@@ -16,7 +16,7 @@
 #include
 #include
 #include
-#ifndef _MSC_VER
+#if !defined(_MSC_VER) && !defined(__BORLANDC__)
 # include
 #endif
@@ -36,6 +36,10 @@ extern "C"
 # endif
 BOOLEAN NTAPI RtlGenRandom(PVOID RandomBuffer, ULONG RandomBufferLength);
 # pragma comment(lib, "advapi32.lib")
+# ifdef __BORLANDC__
+# define _ftime ftime
+# define _timeb timeb
+# endif
 #endif
 #define SALSA20_RANDOM_BLOCK_SIZE crypto_core_salsa20_OUTPUTBYTES
diff --git a/release/src/router/libsodium/src/libsodium/sodium/core.c b/release/src/router/libsodium/src/libsodium/sodium/core.c
index 8775559830..daf11d2517 100644
--- a/release/src/router/libsodium/src/libsodium/sodium/core.c
+++ b/release/src/router/libsodium/src/libsodium/sodium/core.c
@@ -2,13 +2,14 @@
 #include "core.h"
 #include "crypto_generichash.h"
 #include "crypto_onetimeauth.h"
+#include "crypto_pwhash_argon2i.h"
 #include "crypto_scalarmult.h"
 #include "crypto_stream_chacha20.h"
 #include "randombytes.h"
 #include "runtime.h"
 #include "utils.h"
-#if 0
+#if !defined(_MSC_VER) && 0
 # warning This is unstable, untested, development code.
 # warning It might not compile. It might not work as expected.
 # warning It might be totally insecure.
@@ -28,6 +29,7 @@ sodium_init(void)
 _sodium_runtime_get_cpu_features();
 randombytes_stir();
 _sodium_alloc_init();
+ _crypto_pwhash_argon2i_pick_best_implementation();
 _crypto_generichash_blake2b_pick_best_implementation();
 _crypto_onetimeauth_poly1305_pick_best_implementation();
 _crypto_scalarmult_curve25519_pick_best_implementation();
diff --git a/release/src/router/libsodium/src/libsodium/sodium/runtime.c b/release/src/router/libsodium/src/libsodium/sodium/runtime.c
index e6006715ce..f6d7576f79 100644
--- a/release/src/router/libsodium/src/libsodium/sodium/runtime.c
+++ b/release/src/router/libsodium/src/libsodium/sodium/runtime.c
@@ -15,24 +15,28 @@ typedef struct CPUFeatures_ {
 int has_ssse3;
 int has_sse41;
 int has_avx;
+ int has_avx2;
 int has_pclmul;
 int has_aesni;
 } CPUFeatures;
 static CPUFeatures _cpu_features;
-#define CPUID_SSE2 0x04000000
-#define CPUIDECX_SSE3 0x00000001
-#define CPUIDECX_SSSE3 0x00000200
-#define CPUIDECX_SSE41 0x00080000
-#define CPUIDECX_AVX 0x10000000
-#define CPUIDECX_PCLMUL 0x00000002
-#define CPUIDECX_AESNI 0x02000000
-#define CPUIDECX_XSAVE 0x04000000
-#define CPUIDECX_OSXSAVE 0x08000000
+#define CPUID_EBX_AVX2 0x00000020
-#define XCR0_SSE 0x00000002
-#define XCR0_AVX 0x00000004
+#define CPUID_ECX_SSE3 0x00000001
+#define CPUID_ECX_PCLMUL 0x00000002
+#define CPUID_ECX_SSSE3 0x00000200
+#define CPUID_ECX_SSE41 0x00080000
+#define CPUID_ECX_AESNI 0x02000000
+#define CPUID_ECX_XSAVE 0x04000000
+#define CPUID_ECX_OSXSAVE 0x08000000
+#define CPUID_ECX_AVX 0x10000000
+
+#define CPUID_EDX_SSE2 0x04000000
+
+#define XCR0_SSE 0x00000002
+#define XCR0_AVX 0x00000004
 static int
 _sodium_runtime_arm_cpu_features(CPUFeatures * const cpu_features)
@@ -94,6 +98,7 @@ _cpuid(unsigned int cpu_info[4U], const unsigned int cpu_info_type)
 "0" (cpu_info_type), "2" (0U));
 # endif
 #else
+ (void) cpu_info_type;
 cpu_info[0] = cpu_info[1] = cpu_info[2] = cpu_info[3] = 0;
 #endif
 }
@@ -111,28 +116,28 @@ _sodium_runtime_intel_cpu_features(CPUFeatures * const cpu_features)
 _cpuid(cpu_info, 0x00000001);
 #if defined(HAVE_EMMINTRIN_H) || \
 (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64) || defined(_M_IX86)))
- cpu_features->has_sse2 = ((cpu_info[3] & CPUID_SSE2) != 0x0);
+ cpu_features->has_sse2 = ((cpu_info[3] & CPUID_EDX_SSE2) != 0x0);
 #else
 cpu_features->has_sse2 = 0;
 #endif
 #if defined(HAVE_PMMINTRIN_H) || \
 (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64) || defined(_M_IX86)))
- cpu_features->has_sse3 = ((cpu_info[2] & CPUIDECX_SSE3) != 0x0);
+ cpu_features->has_sse3 = ((cpu_info[2] & CPUID_ECX_SSE3) != 0x0);
 #else
 cpu_features->has_sse3 = 0;
 #endif
 #if defined(HAVE_TMMINTRIN_H) || \
 (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64) || defined(_M_IX86)))
- cpu_features->has_ssse3 = ((cpu_info[2] & CPUIDECX_SSSE3) != 0x0);
+ cpu_features->has_ssse3 = ((cpu_info[2] & CPUID_ECX_SSSE3) != 0x0);
 #else
 cpu_features->has_ssse3 = 0;
 #endif
 #if defined(HAVE_SMMINTRIN_H) || \
 (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64) || defined(_M_IX86)))
- cpu_features->has_sse41 = ((cpu_info[2] & CPUIDECX_SSE41) != 0x0);
+ cpu_features->has_sse41 = ((cpu_info[2] & CPUID_ECX_SSE41) != 0x0);
 #else
 cpu_features->has_sse41 = 0;
 #endif
@@ -140,8 +145,8 @@ _sodium_runtime_intel_cpu_features(CPUFeatures * const cpu_features)
 cpu_features->has_avx = 0;
 #if defined(HAVE_AVXINTRIN_H) || \
 (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64) || defined(_M_IX86)))
- if ((cpu_info[2] & (CPUIDECX_AVX | CPUIDECX_XSAVE | CPUIDECX_OSXSAVE))
- == (CPUIDECX_AVX | CPUIDECX_XSAVE | CPUIDECX_OSXSAVE)) {
+ if ((cpu_info[2] & (CPUID_ECX_AVX | CPUID_ECX_XSAVE | CPUID_ECX_OSXSAVE))
+ == (CPUID_ECX_AVX | CPUID_ECX_XSAVE | CPUID_ECX_OSXSAVE)) {
 uint32_t xcr0 = 0U;
 # ifdef MSC_VER
 __asm {
@@ -159,10 +164,18 @@ _sodium_runtime_intel_cpu_features(CPUFeatures * const cpu_features)
 }
 #endif
+ cpu_features->has_avx2 = 0;
+#if defined(HAVE_AVX2INTRIN_H) || \
+ (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64) || defined(_M_IX86)))
+ if (cpu_features->has_avx) {
+ cpu_features->has_avx2 = ((cpu_info[1] & CPUID_EBX_AVX2) != 0x0);
+ }
+#endif
+
 #if defined(HAVE_WMMINTRIN_H) || \
 (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64) || defined(_M_IX86)))
- cpu_features->has_pclmul = ((cpu_info[2] & CPUIDECX_PCLMUL) != 0x0);
- cpu_features->has_aesni = ((cpu_info[2] & CPUIDECX_AESNI) != 0x0);
+ cpu_features->has_pclmul = ((cpu_info[2] & CPUID_ECX_PCLMUL) != 0x0);
+ cpu_features->has_aesni = ((cpu_info[2] & CPUID_ECX_AESNI) != 0x0);
 #else
 cpu_features->has_pclmul = 0;
 cpu_features->has_aesni = 0;
@@ -214,6 +227,11 @@ sodium_runtime_has_avx(void) {
 }
 int
+sodium_runtime_has_avx2(void) {
+ return _cpu_features.has_avx2;
+}
+
+int
 sodium_runtime_has_pclmul(void) {
 return _cpu_features.has_pclmul;
 }
diff --git a/release/src/router/libsodium/src/libsodium/sodium/utils.c b/release/src/router/libsodium/src/libsodium/sodium/utils.c
index 039255dcef..e35262ffb5 100644
--- a/release/src/router/libsodium/src/libsodium/sodium/utils.c
+++ b/release/src/router/libsodium/src/libsodium/sodium/utils.c
@@ -23,6 +23,10 @@
 # include
 #endif
+#ifndef ENOSYS
+# define ENOSYS ENXIO
+#endif
+
 #if defined(_WIN32) && (!defined(WINAPI_FAMILY) || WINAPI_FAMILY == WINAPI_FAMILY_DESKTOP_APP)
 # define WINAPI_DESKTOP
 #endif
@@ -73,8 +77,9 @@ sodium_memzero(void * const pnt, const size_t len)
 memset(pnt, 0, len);
 _sodium_dummy_symbol_to_prevent_memzero_lto(pnt, len);
 #else
- volatile unsigned char *pnt_ = (volatile unsigned char *) pnt;
- size_t i = (size_t) 0U;
+ volatile unsigned char *volatile pnt_ =
+ (volatile unsigned char * volatile) pnt;
+ size_t i = (size_t) 0U;
 while (i < len) {
 pnt_[i++] = 0U;
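Review bot: The AVX2 test added in this hunk, `cpu_features->has_avx2 = ((cpu_info[1] & CPUID_EBX_AVX2) != 0x0);`, reads EBX from the leaf-1 query issued at the top of `_sodium_runtime_intel_cpu_features` (`_cpuid(cpu_info, 0x00000001);` in the preceding hunk), but the AVX2 bit that `CPUID_EBX_AVX2 0x00000020` names lives in EBX of CPUID leaf 7 sub-leaf 0; in leaf-1 EBX that bit is part of the brand-index field, so `has_avx2` can come out true on hardware without AVX2, and any AVX2 code path selected from it (this patch wires `_crypto_pwhash_argon2i_pick_best_implementation()` into `sodium_init()`, so a runtime-selected AVX2 path is plausible) would fault with an illegal instruction on first use. The fix is a separate leaf-7 query inside the existing `if (cpu_features->has_avx)` block: `unsigned int cpu_info7[4]; _cpuid(cpu_info7, 0x00000007); cpu_features->has_avx2 = ((cpu_info7[1] & CPUID_EBX_AVX2) != 0x0);` — the `_cpuid` helper already pins ECX to 0 (`"2" (0U)` in the earlier hunk), so sub-leaf 0 is what it returns. Because CPUs that predate leaf 7 answer out-of-range requests with their highest basic leaf, it is also worth gating on leaf 0 reporting a maximum basic leaf of at least 7 before trusting the result. This assumes no leaf-7 query occurs in the unseen lines between the previous hunk and this one; the enclosing function begins outside the hunk.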
@@ -101,8 +106,10 @@ sodium_memcmp(const void * const b1_, const void * const b2_, size_t len)
 const unsigned char *b1 = (const unsigned char *) b1_;
 const unsigned char *b2 = (const unsigned char *) b2_;
 #else
- const volatile unsigned char *b1 = (const volatile unsigned char *) b1_;
- const volatile unsigned char *b2 = (const volatile unsigned char *) b2_;
+ const volatile unsigned char *volatile b1 =
+ (const volatile unsigned char * volatile) b1_;
+ const volatile unsigned char *volatile b2 =
+ (const volatile unsigned char * volatile) b2_;
 #endif
 size_t i;
 unsigned char d = (unsigned char) 0U;
@@ -135,8 +142,10 @@ sodium_compare(const unsigned char *b1_, const unsigned char *b2_, size_t len)
 const unsigned char *b1 = b1_;
 const unsigned char *b2 = b2_;
 #else
- const volatile unsigned char *b1 = (const volatile unsigned char *) b1_;
- const volatile unsigned char *b2 = (const volatile unsigned char *) b2_;
+ const volatile unsigned char * volatile b1 =
+ (const volatile unsigned char * volatile) b1_;
+ const volatile unsigned char * volatile b2 =
+ (const volatile unsigned char * volatile) b2_;
 #endif
 unsigned char gt = 0U;
 unsigned char eq = 1U;
@@ -440,7 +449,7 @@ _mprotect_readwrite(void *ptr, size_t size)
 #ifdef HAVE_ALIGNED_MALLOC
-static void
+__attribute__ ((noreturn)) static void
 _out_of_bounds(void)
 {
 # ifdef SIGSEGV
@@ -517,7 +526,7 @@ _unprotected_ptr_from_user_ptr(void * const ptr)
 static __attribute__ ((malloc)) void *
 _sodium_malloc(const size_t size)
 {
- return malloc(size);
+ return malloc(size > (size_t) 0U ? size : (size_t) 1U);
 }
 #else
 static __attribute__ ((malloc)) void *
@@ -569,7 +578,7 @@ sodium_malloc(const size_t size)
 void *ptr;
 if ((ptr = _sodium_malloc(size)) == NULL) {
- return NULL; /* LCOV_EXCL_LINE */
+ return NULL;
 }
 memset(ptr, (int) GARBAGE_VALUE, size);
diff --git a/release/src/router/libsodium/test/Makefile.in b/release/src/router/libsodium/test/Makefile.in
index 2032ff2135..cd6e8e67d7 100644
--- a/release/src/router/libsodium/test/Makefile.in +++ b/release/src/router/libsodium/test/Makefile.in @@ -92,6 +92,7 @@ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_check_define.m4 \ $(top_srcdir)/m4/ax_check_link_flag.m4 \ + $(top_srcdir)/m4/ax_valgrind_check.m4 \ $(top_srcdir)/m4/ld-output-def.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ @@ -200,6 +201,8 @@ CCASFLAGS = @CCASFLAGS@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CFLAGS_AESNI = @CFLAGS_AESNI@ +CFLAGS_AVX = @CFLAGS_AVX@ +CFLAGS_AVX2 = @CFLAGS_AVX2@ CFLAGS_MMX = @CFLAGS_MMX@ CFLAGS_PCLMUL = @CFLAGS_PCLMUL@ CFLAGS_SSE2 = @CFLAGS_SSE2@ @@ -272,6 +275,12 @@ SODIUM_LIBRARY_VERSION_MAJOR = @SODIUM_LIBRARY_VERSION_MAJOR@ SODIUM_LIBRARY_VERSION_MINOR = @SODIUM_LIBRARY_VERSION_MINOR@ STRIP = @STRIP@ TEST_LDFLAGS = @TEST_LDFLAGS@ +VALGRIND = @VALGRIND@ +VALGRIND_ENABLED = @VALGRIND_ENABLED@ +VALGRIND_HAVE_TOOL_drd = @VALGRIND_HAVE_TOOL_drd@ +VALGRIND_HAVE_TOOL_exp_sgcheck = @VALGRIND_HAVE_TOOL_exp_sgcheck@ +VALGRIND_HAVE_TOOL_helgrind = @VALGRIND_HAVE_TOOL_helgrind@ +VALGRIND_HAVE_TOOL_memcheck = @VALGRIND_HAVE_TOOL_memcheck@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ diff --git a/release/src/router/libsodium/test/default/Makefile.am b/release/src/router/libsodium/test/default/Makefile.am index 9c24295e66..2889a86a67 100644 --- a/release/src/router/libsodium/test/default/Makefile.am +++ b/release/src/router/libsodium/test/default/Makefile.am @@ -37,6 +37,7 @@ EXTRA_DIST = \ onetimeauth2.exp \ onetimeauth7.exp \ pwhash.exp \ + pwhash_scrypt.exp \ pwhash_scrypt_ll.exp \ randombytes.exp \ scalarmult.exp \ @@ -98,6 +99,7 @@ DISTCLEANFILES = \ onetimeauth2.res \ onetimeauth7.res \ pwhash.res \ + pwhash_scrypt.res \ pwhash_scrypt_ll.res \ randombytes.res \ scalarmult.res \ 
@@ -160,6 +162,7 @@ CLEANFILES = \ onetimeauth2.final \ onetimeauth7.final \ pwhash.final \ + pwhash_scrypt.final \ pwhash_scrypt_ll.final \ randombytes.final \ scalarmult.final \ @@ -217,6 +220,7 @@ CLEANFILES = \ onetimeauth2.nexe \ onetimeauth7.nexe \ pwhash.nexe \ + pwhash_scrypt.nexe \ pwhash_scrypt_ll.nexe \ randombytes.nexe \ scalarmult.nexe \ @@ -286,6 +290,7 @@ TESTS_TARGETS = \ onetimeauth2 \ onetimeauth7 \ pwhash \ + pwhash_scrypt \ pwhash_scrypt_ll \ randombytes \ scalarmult \ @@ -424,6 +429,9 @@ onetimeauth7_LDADD = $(TESTS_LDADD) pwhash_SOURCE = cmptest.h pwhash.c pwhash_LDADD = $(TESTS_LDADD) +pwhash_scrypt_SOURCE = cmptest.h pwhash_scrypt.c +pwhash_scrypt_LDADD = $(TESTS_LDADD) + pwhash_scrypt_ll_SOURCE = cmptest.h pwhash_scrypt_ll.c pwhash_scrypt_ll_LDADD = $(TESTS_LDADD) @@ -504,3 +512,5 @@ LOG_COMPILER = ./nacl-test-wrapper.sh endif verify: check + +@VALGRIND_CHECK_RULES@ diff --git a/release/src/router/libsodium/test/default/Makefile.in b/release/src/router/libsodium/test/default/Makefile.in index ebf9fdcb0e..cd07724706 100644 --- a/release/src/router/libsodium/test/default/Makefile.in +++ b/release/src/router/libsodium/test/default/Makefile.in @@ -98,6 +98,7 @@ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \ $(top_srcdir)/m4/ax_check_define.m4 \ $(top_srcdir)/m4/ax_check_link_flag.m4 \ + $(top_srcdir)/m4/ax_valgrind_check.m4 \ $(top_srcdir)/m4/ld-output-def.m4 $(top_srcdir)/m4/libtool.m4 \ $(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \ $(top_srcdir)/m4/ltversion.m4 $(top_srcdir)/m4/lt~obsolete.m4 \ 
@@ -121,7 +122,7 @@ am__EXEEXT_2 = aead_aes256gcm$(EXEEXT) aead_chacha20poly1305$(EXEEXT) \ ed25519_convert$(EXEEXT) generichash$(EXEEXT) \ generichash2$(EXEEXT) generichash3$(EXEEXT) hash$(EXEEXT) \ hash3$(EXEEXT) onetimeauth$(EXEEXT) onetimeauth2$(EXEEXT) \ - onetimeauth7$(EXEEXT) pwhash$(EXEEXT) \ + onetimeauth7$(EXEEXT) pwhash$(EXEEXT) pwhash_scrypt$(EXEEXT) \ pwhash_scrypt_ll$(EXEEXT) randombytes$(EXEEXT) \ scalarmult$(EXEEXT) scalarmult2$(EXEEXT) scalarmult5$(EXEEXT) \ scalarmult6$(EXEEXT) scalarmult7$(EXEEXT) secretbox$(EXEEXT) \ @@ -234,6 +235,9 @@ onetimeauth7_DEPENDENCIES = $(TESTS_LDADD) pwhash_SOURCES = pwhash.c pwhash_OBJECTS = pwhash.$(OBJEXT) pwhash_DEPENDENCIES = $(TESTS_LDADD) +pwhash_scrypt_SOURCES = pwhash_scrypt.c +pwhash_scrypt_OBJECTS = pwhash_scrypt.$(OBJEXT) +pwhash_scrypt_DEPENDENCIES = $(TESTS_LDADD) pwhash_scrypt_ll_SOURCES = pwhash_scrypt_ll.c pwhash_scrypt_ll_OBJECTS = pwhash_scrypt_ll.$(OBJEXT) pwhash_scrypt_ll_DEPENDENCIES = $(TESTS_LDADD) 
@@ -349,26 +353,26 @@ SOURCES = aead_aes256gcm.c aead_chacha20poly1305.c auth.c auth2.c \ core1.c core2.c core3.c core4.c core5.c core6.c \ ed25519_convert.c generichash.c generichash2.c generichash3.c \ hash.c hash3.c onetimeauth.c onetimeauth2.c onetimeauth7.c \ - pwhash.c pwhash_scrypt_ll.c randombytes.c scalarmult.c \ - scalarmult2.c scalarmult5.c scalarmult6.c scalarmult7.c \ - secretbox.c secretbox2.c secretbox7.c secretbox8.c \ - secretbox_easy.c secretbox_easy2.c shorthash.c sign.c \ - sodium_core.c sodium_utils.c sodium_utils2.c sodium_utils3.c \ - sodium_version.c stream.c stream2.c stream3.c stream4.c \ - verify1.c + pwhash.c pwhash_scrypt.c pwhash_scrypt_ll.c randombytes.c \ + scalarmult.c scalarmult2.c scalarmult5.c scalarmult6.c \ + scalarmult7.c secretbox.c secretbox2.c secretbox7.c \ + secretbox8.c secretbox_easy.c secretbox_easy2.c shorthash.c \ + sign.c sodium_core.c sodium_utils.c sodium_utils2.c \ + sodium_utils3.c sodium_version.c stream.c stream2.c stream3.c \ + stream4.c verify1.c DIST_SOURCES = aead_aes256gcm.c aead_chacha20poly1305.c auth.c auth2.c \ auth3.c auth5.c auth6.c auth7.c box.c box2.c box7.c box8.c \ box_easy.c box_easy2.c box_seal.c box_seed.c chacha20.c \ core1.c core2.c core3.c core4.c core5.c core6.c \ ed25519_convert.c generichash.c generichash2.c generichash3.c \ hash.c hash3.c onetimeauth.c onetimeauth2.c onetimeauth7.c \ - pwhash.c pwhash_scrypt_ll.c randombytes.c scalarmult.c \ - scalarmult2.c scalarmult5.c scalarmult6.c scalarmult7.c \ - secretbox.c secretbox2.c secretbox7.c secretbox8.c \ - secretbox_easy.c secretbox_easy2.c shorthash.c sign.c \ - sodium_core.c sodium_utils.c sodium_utils2.c sodium_utils3.c \ - sodium_version.c stream.c stream2.c stream3.c stream4.c \ - verify1.c + pwhash.c pwhash_scrypt.c pwhash_scrypt_ll.c randombytes.c \ + scalarmult.c scalarmult2.c scalarmult5.c scalarmult6.c \ + scalarmult7.c secretbox.c secretbox2.c secretbox7.c \ + secretbox8.c secretbox_easy.c secretbox_easy2.c shorthash.c \ + 
sign.c sodium_core.c sodium_utils.c sodium_utils2.c \ + sodium_utils3.c sodium_version.c stream.c stream2.c stream3.c \ + stream4.c verify1.c am__can_run_installinfo = \ case $$AM_UPDATE_INFO_DIR in \ n|no|NO) false;; \ @@ -617,6 +621,8 @@ CCASFLAGS = @CCASFLAGS@ CCDEPMODE = @CCDEPMODE@ CFLAGS = @CFLAGS@ CFLAGS_AESNI = @CFLAGS_AESNI@ +CFLAGS_AVX = @CFLAGS_AVX@ +CFLAGS_AVX2 = @CFLAGS_AVX2@ CFLAGS_MMX = @CFLAGS_MMX@ CFLAGS_PCLMUL = @CFLAGS_PCLMUL@ CFLAGS_SSE2 = @CFLAGS_SSE2@ @@ -689,6 +695,12 @@ SODIUM_LIBRARY_VERSION_MAJOR = @SODIUM_LIBRARY_VERSION_MAJOR@ SODIUM_LIBRARY_VERSION_MINOR = @SODIUM_LIBRARY_VERSION_MINOR@ STRIP = @STRIP@ TEST_LDFLAGS = @TEST_LDFLAGS@ +VALGRIND = @VALGRIND@ +VALGRIND_ENABLED = @VALGRIND_ENABLED@ +VALGRIND_HAVE_TOOL_drd = @VALGRIND_HAVE_TOOL_drd@ +VALGRIND_HAVE_TOOL_exp_sgcheck = @VALGRIND_HAVE_TOOL_exp_sgcheck@ +VALGRIND_HAVE_TOOL_helgrind = @VALGRIND_HAVE_TOOL_helgrind@ +VALGRIND_HAVE_TOOL_memcheck = @VALGRIND_HAVE_TOOL_memcheck@ VERSION = @VERSION@ abs_builddir = @abs_builddir@ abs_srcdir = @abs_srcdir@ @@ -780,6 +792,7 @@ EXTRA_DIST = \ onetimeauth2.exp \ onetimeauth7.exp \ pwhash.exp \ + pwhash_scrypt.exp \ pwhash_scrypt_ll.exp \ randombytes.exp \ scalarmult.exp \ @@ -841,6 +854,7 @@ DISTCLEANFILES = \ onetimeauth2.res \ onetimeauth7.res \ pwhash.res \ + pwhash_scrypt.res \ pwhash_scrypt_ll.res \ randombytes.res \ scalarmult.res \ @@ -902,6 +916,7 @@ DISTCLEANFILES = \ @NATIVECLIENT_TRUE@ onetimeauth2.final \ @NATIVECLIENT_TRUE@ onetimeauth7.final \ @NATIVECLIENT_TRUE@ pwhash.final \ +@NATIVECLIENT_TRUE@ pwhash_scrypt.final \ @NATIVECLIENT_TRUE@ pwhash_scrypt_ll.final \ @NATIVECLIENT_TRUE@ randombytes.final \ @NATIVECLIENT_TRUE@ scalarmult.final \ 
@@ -959,6 +974,7 @@ DISTCLEANFILES = \ @NATIVECLIENT_TRUE@ onetimeauth2.nexe \ @NATIVECLIENT_TRUE@ onetimeauth7.nexe \ @NATIVECLIENT_TRUE@ pwhash.nexe \ +@NATIVECLIENT_TRUE@ pwhash_scrypt.nexe \ @NATIVECLIENT_TRUE@ pwhash_scrypt_ll.nexe \ @NATIVECLIENT_TRUE@ randombytes.nexe \ @NATIVECLIENT_TRUE@ scalarmult.nexe \ @@ -997,11 +1013,12 @@ TESTS_TARGETS = aead_aes256gcm aead_chacha20poly1305 auth auth2 auth3 \ box_seal box_seed chacha20 core1 core2 core3 core4 core5 core6 \ ed25519_convert generichash generichash2 generichash3 hash \ hash3 onetimeauth onetimeauth2 onetimeauth7 pwhash \ - pwhash_scrypt_ll randombytes scalarmult scalarmult2 \ - scalarmult5 scalarmult6 scalarmult7 secretbox secretbox2 \ - secretbox7 secretbox8 secretbox_easy secretbox_easy2 shorthash \ - sign sodium_core sodium_utils sodium_version stream stream2 \ - stream3 stream4 verify1 $(am__append_1) + pwhash_scrypt pwhash_scrypt_ll randombytes scalarmult \ + scalarmult2 scalarmult5 scalarmult6 scalarmult7 secretbox \ + secretbox2 secretbox7 secretbox8 secretbox_easy \ + secretbox_easy2 shorthash sign sodium_core sodium_utils \ + sodium_version stream stream2 stream3 stream4 verify1 \ + $(am__append_1) TESTS_LDADD = \ ${top_builddir}/src/libsodium/libsodium.la @@ -1071,6 +1088,8 @@ onetimeauth7_SOURCE = cmptest.h onetimeauth7.c onetimeauth7_LDADD = $(TESTS_LDADD) pwhash_SOURCE = cmptest.h pwhash.c pwhash_LDADD = $(TESTS_LDADD) +pwhash_scrypt_SOURCE = cmptest.h pwhash_scrypt.c +pwhash_scrypt_LDADD = $(TESTS_LDADD) pwhash_scrypt_ll_SOURCE = cmptest.h pwhash_scrypt_ll.c pwhash_scrypt_ll_LDADD = $(TESTS_LDADD) randombytes_SOURCE = cmptest.h randombytes.c 
@@ -1297,6 +1316,10 @@ pwhash$(EXEEXT): $(pwhash_OBJECTS) $(pwhash_DEPENDENCIES) $(EXTRA_pwhash_DEPENDE @rm -f pwhash$(EXEEXT) $(AM_V_CCLD)$(LINK) $(pwhash_OBJECTS) $(pwhash_LDADD) $(LIBS) +pwhash_scrypt$(EXEEXT): $(pwhash_scrypt_OBJECTS) $(pwhash_scrypt_DEPENDENCIES) $(EXTRA_pwhash_scrypt_DEPENDENCIES) + @rm -f pwhash_scrypt$(EXEEXT) + $(AM_V_CCLD)$(LINK) $(pwhash_scrypt_OBJECTS) $(pwhash_scrypt_LDADD) $(LIBS) + pwhash_scrypt_ll$(EXEEXT): $(pwhash_scrypt_ll_OBJECTS) $(pwhash_scrypt_ll_DEPENDENCIES) $(EXTRA_pwhash_scrypt_ll_DEPENDENCIES) @rm -f pwhash_scrypt_ll$(EXEEXT) $(AM_V_CCLD)$(LINK) $(pwhash_scrypt_ll_OBJECTS) $(pwhash_scrypt_ll_LDADD) $(LIBS) @@ -1436,6 +1459,7 @@ distclean-compile: @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/onetimeauth2.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/onetimeauth7.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pwhash.Po@am__quote@ +@AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pwhash_scrypt.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/pwhash_scrypt_ll.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/randombytes.Po@am__quote@ @AMDEP_TRUE@@am__include@ @am__quote@./$(DEPDIR)/scalarmult.Po@am__quote@ @@ -1916,6 +1940,13 @@ pwhash.log: pwhash$(EXEEXT) --log-file $$b.log --trs-file $$b.trs \ $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ "$$tst" $(AM_TESTS_FD_REDIRECT) +pwhash_scrypt.log: pwhash_scrypt$(EXEEXT) + @p='pwhash_scrypt$(EXEEXT)'; \ + b='pwhash_scrypt'; \ + $(am__check_pre) $(LOG_DRIVER) --test-name "$$f" \ + --log-file $$b.log --trs-file $$b.trs \ + $(am__common_driver_flags) $(AM_LOG_DRIVER_FLAGS) $(LOG_DRIVER_FLAGS) -- $(LOG_COMPILE) \ + "$$tst" $(AM_TESTS_FD_REDIRECT) pwhash_scrypt_ll.log: pwhash_scrypt_ll$(EXEEXT) @p='pwhash_scrypt_ll$(EXEEXT)'; \ b='pwhash_scrypt_ll'; \ 
@@ -2269,6 +2300,8 @@ uninstall-am: verify: check +@VALGRIND_CHECK_RULES@ + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. .NOEXPORT: diff --git a/release/src/router/libsodium/test/default/aead_aes256gcm.c b/release/src/router/libsodium/test/default/aead_aes256gcm.c index 6c208261e6..3338c5fd0e 100644 --- a/release/src/router/libsodium/test/default/aead_aes256gcm.c +++ b/release/src/router/libsodium/test/default/aead_aes256gcm.c @@ -2,9 +2,6 @@ #define TEST_NAME "aead_aes256gcm" #include "cmptest.h" -#if defined(HAVE_WMMINTRIN_H) || \ - (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64) || defined(_M_IX86))) - static struct { const char *key_hex; const char *nonce_hex; @@ -3079,26 +3076,31 @@ static struct { } }; -int +static int tv(void) { unsigned char *ad; unsigned char *ciphertext; unsigned char *decrypted; + unsigned char *detached_ciphertext; unsigned char *expected_ciphertext; unsigned char *key; unsigned char *message; + unsigned char *mac; unsigned char *nonce; char *hex; unsigned long long found_ciphertext_len; + unsigned long long found_mac_len; unsigned long long found_message_len; size_t ad_len; size_t ciphertext_len; + size_t detached_ciphertext_len; size_t i = 0U; size_t message_len; key = (unsigned char *) sodium_malloc(crypto_aead_aes256gcm_KEYBYTES); nonce = (unsigned char *) sodium_malloc(crypto_aead_aes256gcm_NPUBBYTES); + mac = (unsigned char *) sodium_malloc(crypto_aead_aes256gcm_ABYTES); do { assert(strlen(tests[i].key_hex) == 2 * crypto_aead_aes256gcm_KEYBYTES); @@ -3120,6 +3122,7 @@ tv(void) tests[i].ad_hex, strlen(tests[i].ad_hex), NULL, NULL, NULL); ciphertext_len = message_len + crypto_aead_aes256gcm_ABYTES; + detached_ciphertext_len = message_len; expected_ciphertext = (unsigned char *) sodium_malloc(ciphertext_len); assert(strlen(tests[i].ciphertext_hex) == 2 * message_len); sodium_hex2bin(expected_ciphertext, message_len, 
@@ -3130,6 +3133,24 @@ tv(void) tests[i].mac_hex, strlen(tests[i].mac_hex), NULL, NULL, NULL); ciphertext = (unsigned char *) sodium_malloc(ciphertext_len); + detached_ciphertext = (unsigned char *) sodium_malloc(detached_ciphertext_len); + + crypto_aead_aes256gcm_encrypt_detached(detached_ciphertext, mac, + &found_mac_len, + message, message_len, + ad, ad_len, NULL, nonce, key); + assert(found_mac_len == crypto_aead_aes256gcm_ABYTES); + if (memcmp(detached_ciphertext, expected_ciphertext, + detached_ciphertext_len) != 0 || + memcmp(mac, expected_ciphertext + message_len, + crypto_aead_aes256gcm_ABYTES) != 0) { + printf("Detached encryption of test vector #%u failed\n", (unsigned int) i); + hex = (char *) sodium_malloc((size_t) found_ciphertext_len * 2 + 1); + sodium_bin2hex(hex, (size_t) found_ciphertext_len * 2 + 1, + ciphertext, ciphertext_len); + printf("Computed: [%s]\n", hex); + sodium_free(hex); + } crypto_aead_aes256gcm_encrypt(ciphertext, &found_ciphertext_len, message, message_len, @@ -3144,7 +3165,9 @@ tv(void) printf("Computed: [%s]\n", hex); sodium_free(hex); } + decrypted = (unsigned char *) sodium_malloc(message_len); + found_message_len = 1; if (crypto_aead_aes256gcm_decrypt(decrypted, &found_message_len, NULL, ciphertext, randombytes_uniform(ciphertext_len), @@ -3152,8 +3175,11 @@ tv(void) printf("Verification of test vector #%u after truncation succeeded\n", (unsigned int) i); } + if (found_message_len != 0) { + printf("Message length should have been set to zero after a failure\n"); + } if (crypto_aead_aes256gcm_decrypt(decrypted, &found_message_len, - NULL, ciphertext, + NULL, NULL, randombytes_uniform(crypto_aead_aes256gcm_ABYTES), ad, ad_len, nonce, key) != -1) { printf("Verification of test vector #%u with a truncated tag failed\n", 
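Review bot: The failure branch of the new detached-encryption check reports from the wrong data: `hex` is sized with `found_ciphertext_len`, which is not assigned until the crypto_aead_aes256gcm_encrypt() call that follows this block (so it is indeterminate for the first vector and stale from the previous vector afterwards), and the dump is taken from `ciphertext`, which has only just been allocated and not yet written. A mismatch would therefore print uninitialised memory instead of the detached output it is meant to show. Use the buffers the branch actually compared: `hex = (char *) sodium_malloc(detached_ciphertext_len * 2 + 1);` and `sodium_bin2hex(hex, detached_ciphertext_len * 2 + 1, detached_ciphertext, detached_ciphertext_len);`. tv() begins before this hunk and continues after it.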
@@ -3168,14 +3194,27 @@ tv(void) if (memcmp(decrypted, message, message_len) != 0) { printf("Incorrect decryption of test vector #%u\n", (unsigned int) i); } + memset(decrypted, 0xd0, message_len); + if (crypto_aead_aes256gcm_decrypt_detached(decrypted, + NULL, detached_ciphertext, + detached_ciphertext_len, + mac, ad, ad_len, nonce, key) != 0) { + printf("Detached verification of test vector #%u failed\n", (unsigned int) i); + } + if (memcmp(decrypted, message, message_len) != 0) { + printf("Incorrect decryption of test vector #%u\n", (unsigned int) i); + } + sodium_free(message); sodium_free(ad); sodium_free(expected_ciphertext); sodium_free(ciphertext); sodium_free(decrypted); + sodium_free(detached_ciphertext); } while (++i < (sizeof tests) / (sizeof tests[0])); sodium_free(key); + sodium_free(mac); sodium_free(nonce); return 0; @@ -3196,16 +3235,3 @@ main(void) return 0; } - -#else - -int -main(void) -{ - assert(crypto_aead_aes256gcm_is_available() >= 0); - printf("OK\n"); - - return 0; -} - -#endif diff --git a/release/src/router/libsodium/test/default/aead_chacha20poly1305.c b/release/src/router/libsodium/test/default/aead_chacha20poly1305.c index d82319b269..8d1b3aaeba 100644 --- a/release/src/router/libsodium/test/default/aead_chacha20poly1305.c +++ b/release/src/router/libsodium/test/default/aead_chacha20poly1305.c 
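Review bot: The memcmp added after crypto_aead_aes256gcm_decrypt_detached() reuses the attached path's diagnostic verbatim, `Incorrect decryption of test vector #%u`, so a mismatch in the log cannot be attributed to the detached or the attached decryption; the line two above already distinguishes itself as `Detached verification ... failed`. Give the new check its own string, `printf("Incorrect detached decryption of test vector #%u\n", (unsigned int) i);`. Also, since the `0xd0` fill is what makes a silent no-op decrypt detectable, a one-line comment such as `/* poison the buffer so an untouched output is caught by the memcmp */` would explain why the memset is there. tv() continues past this hunk.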
@@ -5,118 +5,161 @@ static int tv(void) { - static unsigned char firstkey[crypto_aead_chacha20poly1305_KEYBYTES] +#undef MLEN +#define MLEN 10U +#undef ADLEN +#define ADLEN 10U +#undef CLEN +#define CLEN (MLEN + crypto_aead_chacha20poly1305_ABYTES) + static const unsigned char firstkey[crypto_aead_chacha20poly1305_KEYBYTES] = { 0x42, 0x90, 0xbc, 0xb1, 0x54, 0x17, 0x35, 0x31, 0xf3, 0x14, 0xaf, 0x57, 0xf3, 0xbe, 0x3b, 0x50, 0x06, 0xda, 0x37, 0x1e, 0xce, 0x27, 0x2a, 0xfa, 0x1b, 0x5d, 0xbd, 0xd1, 0x10, 0x0a, 0x10, 0x07 }; - static unsigned char m[10U] + static const unsigned char m[MLEN] = { 0x86, 0xd0, 0x99, 0x74, 0x84, 0x0b, 0xde, 0xd2, 0xa5, 0xca }; - static unsigned char nonce[crypto_aead_chacha20poly1305_NPUBBYTES] + static const unsigned char nonce[crypto_aead_chacha20poly1305_NPUBBYTES] = { 0xcd, 0x7c, 0xf6, 0x7b, 0xe3, 0x9c, 0x79, 0x4a }; - static unsigned char ad[10U] + static const unsigned char ad[ADLEN] = { 0x87, 0xe2, 0x29, 0xd4, 0x50, 0x08, 0x45, 0xa0, 0x79, 0xc0 }; - static unsigned char c[10U + crypto_aead_chacha20poly1305_ABYTES]; - - unsigned char m2[10U]; - unsigned long long clen; + unsigned char *c = (unsigned char *) sodium_malloc(CLEN); + unsigned char *detached_c = (unsigned char *) sodium_malloc(MLEN); + unsigned char *mac = (unsigned char *) sodium_malloc(crypto_aead_chacha20poly1305_ABYTES); + unsigned char *m2 = (unsigned char *) sodium_malloc(MLEN); + unsigned long long found_clen; + unsigned long long found_maclen; unsigned long long m2len; size_t i; - crypto_aead_chacha20poly1305_encrypt(c, &clen, m, sizeof m, ad, sizeof ad, + crypto_aead_chacha20poly1305_encrypt(c, &found_clen, m, MLEN, + ad, ADLEN, NULL, nonce, firstkey); - if (clen != sizeof m + crypto_aead_chacha20poly1305_abytes()) { - printf("clen is not properly set\n"); + if (found_clen != CLEN) { + printf("found_clen is not properly set\n"); } - for (i = 0U; i < sizeof c; ++i) { - printf(",0x%02x", (unsigned int)c[i]); + for (i = 0U; i < CLEN; ++i) { + printf(",0x%02x", (unsigned 
int) c[i]); if (i % 8 == 7) { printf("\n"); } } printf("\n"); + crypto_aead_chacha20poly1305_encrypt_detached(detached_c, + mac, &found_maclen, + m, MLEN, ad, ADLEN, + NULL, nonce, firstkey); + if (found_maclen != crypto_aead_chacha20poly1305_abytes()) { + printf("found_maclen is not properly set\n"); + } + if (memcmp(detached_c, c, MLEN) != 0) { + printf("detached ciphertext is bogus\n"); + } - if (crypto_aead_chacha20poly1305_decrypt(m2, &m2len, NULL, c, sizeof c, ad, - sizeof ad, nonce, firstkey) != 0) { + if (crypto_aead_chacha20poly1305_decrypt(m2, &m2len, NULL, c, CLEN, + ad, ADLEN, + nonce, firstkey) != 0) { printf("crypto_aead_chacha20poly1305_decrypt() failed\n"); } - if (m2len != sizeof c - crypto_aead_chacha20poly1305_abytes()) { + if (m2len != MLEN) { printf("m2len is not properly set\n"); } - if (memcmp(m, m2, sizeof m) != 0) { + if (memcmp(m, m2, MLEN) != 0) { printf("m != m2\n"); } + memset(m2, 0, m2len); + if (crypto_aead_chacha20poly1305_decrypt_detached(m2, NULL, + c, MLEN, mac, + ad, ADLEN, + nonce, firstkey) != 0) { + printf("crypto_aead_chacha20poly1305_decrypt_detached() failed\n"); + } + if (memcmp(m, m2, MLEN) != 0) { + printf("detached m != m2\n"); + } - for (i = 0U; i < sizeof c; i++) { + for (i = 0U; i < CLEN; i++) { c[i] ^= (i + 1U); - if (crypto_aead_chacha20poly1305_decrypt(m2, NULL, NULL, c, sizeof c, - ad, sizeof ad, nonce, firstkey) - == 0 || memcmp(m, m2, sizeof m) == 0) { + if (crypto_aead_chacha20poly1305_decrypt(m2, NULL, NULL, c, CLEN, + ad, ADLEN, nonce, firstkey) + == 0 || memcmp(m, m2, MLEN) == 0) { printf("message can be forged\n"); } c[i] ^= (i + 1U); } - crypto_aead_chacha20poly1305_encrypt(c, &clen, m, sizeof m, NULL, 0U, NULL, - nonce, firstkey); - if (clen != sizeof m + crypto_aead_chacha20poly1305_abytes()) { - printf("clen is not properly set (adlen=0)\n"); + crypto_aead_chacha20poly1305_encrypt(c, &found_clen, m, MLEN, + NULL, 0U, NULL, nonce, firstkey); + if (found_clen != CLEN) { + printf("found_clen is not 
properly set (adlen=0)\n"); } - for (i = 0U; i < sizeof c; ++i) { - printf(",0x%02x", (unsigned int)c[i]); + for (i = 0U; i < CLEN; ++i) { + printf(",0x%02x", (unsigned int) c[i]); if (i % 8 == 7) { printf("\n"); } } printf("\n"); - if (crypto_aead_chacha20poly1305_decrypt(m2, &m2len, NULL, c, sizeof c, + if (crypto_aead_chacha20poly1305_decrypt(m2, &m2len, NULL, c, CLEN, NULL, 0U, nonce, firstkey) != 0) { printf("crypto_aead_chacha20poly1305_decrypt() failed (adlen=0)\n"); } - if (m2len != sizeof c - crypto_aead_chacha20poly1305_abytes()) { + if (m2len != MLEN) { printf("m2len is not properly set (adlen=0)\n"); } - if (memcmp(m, m2, sizeof m) != 0) { + if (memcmp(m, m2, MLEN) != 0) { printf("m != m2 (adlen=0)\n"); } - + m2len = 1; if (crypto_aead_chacha20poly1305_decrypt( - m2, &m2len, NULL, c, crypto_aead_chacha20poly1305_ABYTES / 2, NULL, - 0U, nonce, firstkey) != -1) { + m2, &m2len, NULL, NULL, + randombytes_uniform(crypto_aead_chacha20poly1305_ABYTES), + NULL, 0U, nonce, firstkey) != -1) { printf("crypto_aead_chacha20poly1305_decrypt() worked with a short " "ciphertext\n"); } + if (m2len != 0) { + printf("Message length should have been set to zero after a failure\n"); + } + m2len = 1; if (crypto_aead_chacha20poly1305_decrypt(m2, &m2len, NULL, c, 0U, NULL, 0U, nonce, firstkey) != -1) { printf("crypto_aead_chacha20poly1305_decrypt() worked with an empty " "ciphertext\n"); } - - memcpy(c, m, sizeof m); - crypto_aead_chacha20poly1305_encrypt(c, &clen, c, sizeof m, NULL, 0U, NULL, - nonce, firstkey); - if (clen != sizeof m + crypto_aead_chacha20poly1305_abytes()) { - printf("clen is not properly set (adlen=0)\n"); + if (m2len != 0) { + printf("Message length should have been set to zero after a failure\n"); } - for (i = 0U; i < sizeof c; ++i) { - printf(",0x%02x", (unsigned int)c[i]); + + memcpy(c, m, MLEN); + crypto_aead_chacha20poly1305_encrypt(c, &found_clen, c, MLEN, + NULL, 0U, NULL, nonce, firstkey); + if (found_clen != CLEN) { + printf("found_clen is not 
properly set (adlen=0)\n"); + } + for (i = 0U; i < CLEN; ++i) { + printf(",0x%02x", (unsigned int) c[i]); if (i % 8 == 7) { printf("\n"); } } printf("\n"); - if (crypto_aead_chacha20poly1305_decrypt(c, &m2len, NULL, c, sizeof c, + if (crypto_aead_chacha20poly1305_decrypt(c, &m2len, NULL, c, CLEN, NULL, 0U, nonce, firstkey) != 0) { printf("crypto_aead_chacha20poly1305_decrypt() failed (adlen=0)\n"); } - if (m2len != sizeof c - crypto_aead_chacha20poly1305_abytes()) { + if (m2len != MLEN) { printf("m2len is not properly set (adlen=0)\n"); } - if (memcmp(m, c, sizeof m) != 0) { + if (memcmp(m, c, MLEN) != 0) { printf("m != c (adlen=0)\n"); } + sodium_free(c); + sodium_free(detached_c); + sodium_free(mac); + sodium_free(m2); + assert(crypto_aead_chacha20poly1305_keybytes() > 0U); assert(crypto_aead_chacha20poly1305_npubbytes() > 0U); assert(crypto_aead_chacha20poly1305_nsecbytes() == 0U); 
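Review bot: The four sodium_malloc() results at the top of the hunk (`c`, `detached_c`, `mac`, `m2`) are used unchecked and go straight into crypto_aead_chacha20poly1305_encrypt() and the byte-dump loop; sodium_malloc() is documented to return NULL on failure, so an allocation failure would surface as a crash rather than as a test diagnostic. One line after the allocations keeps the failure attributable: `assert(c != NULL && detached_c != NULL && mac != NULL && m2 != NULL);`. The `#undef`/`#define` of MLEN, ADLEN and CLEN inside the function body also deserve a short comment (`/* per-function vector sizes; redefined in tv_ietf() */`) since the names escape the function scope and are deliberately redefined below. tv() ends outside the hunk.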
@@ -127,126 +170,178 @@ tv(void) static int tv_ietf(void) { - static unsigned char firstkey[crypto_aead_chacha20poly1305_KEYBYTES] +#undef MLEN +#define MLEN 114U +#undef ADLEN +#define ADLEN 12U +#undef CLEN +#define CLEN (MLEN + crypto_aead_chacha20poly1305_ietf_ABYTES) + static const unsigned char firstkey[crypto_aead_chacha20poly1305_ietf_KEYBYTES] = { 0x80, 0x81, 0x82, 0x83, 0x84, 0x85, 0x86, 0x87, 0x88, 0x89, 0x8a, 0x8b, 0x8c, 0x8d, 0x8e, 0x8f, 0x90, 0x91, 0x92, 0x93, 0x94, 0x95, 0x96, 0x97, 0x98, 0x99, 0x9a, 0x9b, 0x9c, 0x9d, 0x9e, 0x9f }; +#undef MESSAGE #define MESSAGE "Ladies and Gentlemen of the class of '99: If I could offer you " \ "only one tip for the future, sunscreen would be it." - static unsigned char m[114U]; - static unsigned char nonce[crypto_aead_chacha20poly1305_IETF_NPUBBYTES] + unsigned char *m = (unsigned char *) sodium_malloc(MLEN); + static const unsigned char nonce[crypto_aead_chacha20poly1305_ietf_NPUBBYTES] = { 0x07, 0x00, 0x00, 0x00, 0x40, 0x41, 0x42, 0x43, 0x44, 0x45, 0x46, 0x47 }; - static unsigned char ad[12U] + static const unsigned char ad[ADLEN] = { 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7 }; - static unsigned char c[114U + crypto_aead_chacha20poly1305_ABYTES]; - - unsigned char m2[114U]; - unsigned long long clen; + unsigned char *c = (unsigned char *) sodium_malloc(CLEN); + unsigned char *detached_c = (unsigned char *) sodium_malloc(MLEN); + unsigned char *mac = (unsigned char *) sodium_malloc(crypto_aead_chacha20poly1305_ietf_ABYTES); + unsigned char *m2 = (unsigned char *) sodium_malloc(MLEN); + unsigned long long found_clen; + unsigned long long found_maclen; unsigned long long m2len; size_t i; - assert(sizeof MESSAGE - 1U == sizeof m); - memcpy(m, MESSAGE, sizeof m); - crypto_aead_chacha20poly1305_ietf_encrypt(c, &clen, m, sizeof m, ad, sizeof ad, + assert(sizeof MESSAGE - 1U == MLEN); + memcpy(m, MESSAGE, MLEN); + crypto_aead_chacha20poly1305_ietf_encrypt(c, &found_clen, m, MLEN, + ad, 
ADLEN, NULL, nonce, firstkey); - if (clen != sizeof m + crypto_aead_chacha20poly1305_abytes()) { - printf("clen is not properly set\n"); + if (found_clen != MLEN + crypto_aead_chacha20poly1305_ietf_abytes()) { + printf("found_clen is not properly set\n"); } - for (i = 0U; i < sizeof c; ++i) { - printf(",0x%02x", (unsigned int)c[i]); + for (i = 0U; i < CLEN; ++i) { + printf(",0x%02x", (unsigned int) c[i]); if (i % 8 == 7) { printf("\n"); } } printf("\n"); + crypto_aead_chacha20poly1305_ietf_encrypt_detached(detached_c, + mac, &found_maclen, + m, MLEN, + ad, ADLEN, + NULL, nonce, firstkey); + if (found_maclen != crypto_aead_chacha20poly1305_ietf_abytes()) { + printf("found_maclen is not properly set\n"); + } + if (memcmp(detached_c, c, MLEN) != 0) { + printf("detached ciphertext is bogus\n"); + } - if (crypto_aead_chacha20poly1305_ietf_decrypt(m2, &m2len, NULL, c, sizeof c, ad, - sizeof ad, nonce, firstkey) != 0) { + if (crypto_aead_chacha20poly1305_ietf_decrypt(m2, &m2len, NULL, c, CLEN, ad, + ADLEN, nonce, firstkey) != 0) { printf("crypto_aead_chacha20poly1305_ietf_decrypt() failed\n"); } - if (m2len != sizeof c - crypto_aead_chacha20poly1305_abytes()) { + if (m2len != MLEN) { printf("m2len is not properly set\n"); } - if (memcmp(m, m2, sizeof m) != 0) { + if (memcmp(m, m2, MLEN) != 0) { printf("m != m2\n"); } + memset(m2, 0, m2len); + if (crypto_aead_chacha20poly1305_ietf_decrypt_detached(m2, NULL, + c, MLEN, mac, + ad, ADLEN, + nonce, firstkey) != 0) { + printf("crypto_aead_chacha20poly1305_ietf_decrypt_detached() failed\n"); + } + if (memcmp(m, m2, MLEN) != 0) { + printf("detached m != m2\n"); + } - for (i = 0U; i < sizeof c; i++) { + for (i = 0U; i < CLEN; i++) { c[i] ^= (i + 1U); - if (crypto_aead_chacha20poly1305_ietf_decrypt(m2, NULL, NULL, c, sizeof c, - ad, sizeof ad, nonce, firstkey) - == 0 || memcmp(m, m2, sizeof m) == 0) { + if (crypto_aead_chacha20poly1305_ietf_decrypt(m2, NULL, NULL, c, CLEN, + ad, ADLEN, nonce, firstkey) + == 0 || memcmp(m, m2, MLEN) 
== 0) { printf("message can be forged\n"); } c[i] ^= (i + 1U); } - crypto_aead_chacha20poly1305_ietf_encrypt(c, &clen, m, sizeof m, NULL, 0U, NULL, - nonce, firstkey); - if (clen != sizeof m + crypto_aead_chacha20poly1305_abytes()) { + crypto_aead_chacha20poly1305_ietf_encrypt(c, &found_clen, m, MLEN, + NULL, 0U, NULL, nonce, firstkey); + if (found_clen != CLEN) { printf("clen is not properly set (adlen=0)\n"); } - for (i = 0U; i < sizeof c; ++i) { - printf(",0x%02x", (unsigned int)c[i]); + for (i = 0U; i < CLEN; ++i) { + printf(",0x%02x", (unsigned int) c[i]); if (i % 8 == 7) { printf("\n"); } } printf("\n"); - if (crypto_aead_chacha20poly1305_ietf_decrypt(m2, &m2len, NULL, c, sizeof c, + if (crypto_aead_chacha20poly1305_ietf_decrypt(m2, &m2len, NULL, c, CLEN, NULL, 0U, nonce, firstkey) != 0) { printf("crypto_aead_chacha20poly1305_ietf_decrypt() failed (adlen=0)\n"); } - if (m2len != sizeof c - crypto_aead_chacha20poly1305_abytes()) { + if (m2len != MLEN) { printf("m2len is not properly set (adlen=0)\n"); } - if (memcmp(m, m2, sizeof m) != 0) { + if (memcmp(m, m2, MLEN) != 0) { printf("m != m2 (adlen=0)\n"); } - + m2len = 1; if (crypto_aead_chacha20poly1305_ietf_decrypt( - m2, &m2len, NULL, c, crypto_aead_chacha20poly1305_ABYTES / 2, NULL, - 0U, nonce, firstkey) != -1) { + m2, &m2len, NULL, NULL, + randombytes_uniform(crypto_aead_chacha20poly1305_ietf_ABYTES), + NULL, 0U, nonce, firstkey) != -1) { printf("crypto_aead_chacha20poly1305_ietf_decrypt() worked with a short " "ciphertext\n"); } + if (m2len != 0) { + printf("Message length should have been set to zero after a failure\n"); + } + m2len = 1; if (crypto_aead_chacha20poly1305_ietf_decrypt(m2, &m2len, NULL, c, 0U, NULL, 0U, nonce, firstkey) != -1) { printf("crypto_aead_chacha20poly1305_ietf_decrypt() worked with an empty " "ciphertext\n"); } + if (m2len != 0) { + printf("Message length should have been set to zero after a failure\n"); + } - memcpy(c, m, sizeof m); - crypto_aead_chacha20poly1305_ietf_encrypt(c, 
&clen, c, sizeof m, NULL, 0U, NULL, - nonce, firstkey); - if (clen != sizeof m + crypto_aead_chacha20poly1305_abytes()) { + memcpy(c, m, MLEN); + crypto_aead_chacha20poly1305_ietf_encrypt(c, &found_clen, c, MLEN, + NULL, 0U, NULL, nonce, firstkey); + if (found_clen != CLEN) { printf("clen is not properly set (adlen=0)\n"); } - for (i = 0U; i < sizeof c; ++i) { - printf(",0x%02x", (unsigned int)c[i]); + for (i = 0U; i < CLEN; ++i) { + printf(",0x%02x", (unsigned int) c[i]); if (i % 8 == 7) { printf("\n"); } } printf("\n"); - if (crypto_aead_chacha20poly1305_ietf_decrypt(c, &m2len, NULL, c, sizeof c, - NULL, 0U, nonce, firstkey) != 0) { + if (crypto_aead_chacha20poly1305_ietf_decrypt(c, &m2len, NULL, c, CLEN, + NULL, 0U, nonce, firstkey) != 0) { printf("crypto_aead_chacha20poly1305_ietf_decrypt() failed (adlen=0)\n"); } - if (m2len != sizeof c - crypto_aead_chacha20poly1305_abytes()) { + if (m2len != MLEN) { printf("m2len is not properly set (adlen=0)\n"); } - if (memcmp(m, c, sizeof m) != 0) { + if (memcmp(m, c, MLEN) != 0) { printf("m != c (adlen=0)\n"); } - assert(crypto_aead_chacha20poly1305_keybytes() > 0U); + sodium_free(c); + sodium_free(detached_c); + sodium_free(mac); + sodium_free(m2); + sodium_free(m); + + assert(crypto_aead_chacha20poly1305_ietf_keybytes() > 0U); + assert(crypto_aead_chacha20poly1305_ietf_keybytes() == crypto_aead_chacha20poly1305_keybytes()); assert(crypto_aead_chacha20poly1305_ietf_npubbytes() > 0U); - assert(crypto_aead_chacha20poly1305_nsecbytes() == 0U); + assert(crypto_aead_chacha20poly1305_ietf_npubbytes() > crypto_aead_chacha20poly1305_npubbytes()); + assert(crypto_aead_chacha20poly1305_ietf_nsecbytes() == 0U); + assert(crypto_aead_chacha20poly1305_ietf_nsecbytes() == crypto_aead_chacha20poly1305_nsecbytes()); + assert(crypto_aead_chacha20poly1305_IETF_KEYBYTES == crypto_aead_chacha20poly1305_ietf_KEYBYTES); + assert(crypto_aead_chacha20poly1305_IETF_NSECBYTES == crypto_aead_chacha20poly1305_ietf_NSECBYTES); + 
assert(crypto_aead_chacha20poly1305_IETF_NPUBBYTES == crypto_aead_chacha20poly1305_ietf_NPUBBYTES); + assert(crypto_aead_chacha20poly1305_IETF_ABYTES == crypto_aead_chacha20poly1305_ietf_ABYTES); return 0; } diff --git a/release/src/router/libsodium/test/default/auth7.c b/release/src/router/libsodium/test/default/auth7.c index 04ef06bcfd..94823d215c 100644 --- a/release/src/router/libsodium/test/default/auth7.c +++ b/release/src/router/libsodium/test/default/auth7.c @@ -8,25 +8,25 @@ static unsigned char a[64]; int main(void) { - int clen; + size_t clen; for (clen = 0; clen < sizeof c; ++clen) { randombytes_buf(key, sizeof key); randombytes_buf(c, clen); crypto_auth_hmacsha512(a, c, clen, key); if (crypto_auth_hmacsha512_verify(a, c, clen, key) != 0) { - printf("fail %d\n", clen); + printf("fail %u\n", (unsigned int) clen); return 100; } if (clen > 0) { - c[rand() % clen] += 1 + (rand() % 255); + c[(size_t) rand() % clen] += 1 + (rand() % 255); if (crypto_auth_hmacsha512_verify(a, c, clen, key) == 0) { - printf("forgery %d\n", clen); + printf("forgery %u\n", (unsigned int) clen); return 100; } a[rand() % sizeof a] += 1 + (rand() % 255); if (crypto_auth_hmacsha512_verify(a, c, clen, key) == 0) { - printf("forgery %d\n", clen); + printf("forgery %u\n", (unsigned int) clen); return 100; } } diff --git a/release/src/router/libsodium/test/default/box.c b/release/src/router/libsodium/test/default/box.c index 9ed686e2e4..44f41ad9f0 100644 --- a/release/src/router/libsodium/test/default/box.c +++ b/release/src/router/libsodium/test/default/box.c @@ -22,7 +22,7 @@ static const unsigned char nonce[24] 0xcd, 0x62, 0xbd, 0xa8, 0x75, 0xfc, 0x73, 0xd6, 0x82, 0x19, 0xe0, 0x03, 0x6b, 0x7a, 0x0b, 0x37 }; -// API requires first 32 bytes to be 0 +/* API requires first 32 bytes to be 0 */ static const unsigned char m[163] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 
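Review bot: The first length check in tv_ietf() compares `found_clen` with `MLEN + crypto_aead_chacha20poly1305_ietf_abytes()` while every later check in the same function uses `CLEN`, and the two adlen=0 diagnostics still say `clen is not properly set (adlen=0)` although the variable was renamed to `found_clen` and tv() prints `found_clen is not properly set`. Use `if (found_clen != CLEN)` throughout and `printf("found_clen is not properly set (adlen=0)\n");` so the two test functions stay parallel and a search for the variable name finds its messages. As in tv(), the five sodium_malloc() results (`m`, `c`, `detached_c`, `mac`, `m2`) are never checked for NULL before use. tv_ietf() starts just before this hunk.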
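Review bot: The byte-mutation positions are still chosen with `rand()` (`(size_t) rand() % clen` and `rand() % sizeof a`) even though the same loop already draws keys and messages from randombytes_buf() and the aead tests in this series use randombytes_uniform(); no srand() call is visible in main(), so the mutation positions are the same on every run and the modulo is biased. `c[randombytes_uniform((uint32_t) clen)] += 1 + (rand() % 255);` and `a[randombytes_uniform((uint32_t) sizeof a)] += 1 + (rand() % 255);` remove both the fixed sequence and the signed/unsigned mixing the added cast works around. The `size_t clen` change itself is correct and the `%u` casts match it.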
@@ -55,12 +55,12 @@ int main(void) printf("\n"); } printf("\n"); - + ret = crypto_box(c, m, 163, nonce, small_order_p, alicesk); assert(ret == -1); memset(c, 0, sizeof c); - + ret = crypto_box_beforenm(k, bobpk, alicesk); assert(ret == 0); crypto_box_afternm(c, m, 163, nonce, k); @@ -70,7 +70,7 @@ int main(void) printf("\n"); } printf("\n"); - + ret = crypto_box_beforenm(k, small_order_p, alicesk); assert(ret == -1); diff --git a/release/src/router/libsodium/test/default/box2.c b/release/src/router/libsodium/test/default/box2.c index 765d26c359..86335d6c33 100644 --- a/release/src/router/libsodium/test/default/box2.c +++ b/release/src/router/libsodium/test/default/box2.c @@ -22,7 +22,7 @@ static unsigned char nonce[24] 0xcd, 0x62, 0xbd, 0xa8, 0x75, 0xfc, 0x73, 0xd6, 0x82, 0x19, 0xe0, 0x03, 0x6b, 0x7a, 0x0b, 0x37 }; -// API requires first 16 bytes to be 0 +/* API requires first 16 bytes to be 0 */ static unsigned char c[163] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xf3, 0xff, 0xc7, 0x70, 0x3f, 0x94, 0x00, 0xe5, diff --git a/release/src/router/libsodium/test/default/core6.c b/release/src/router/libsodium/test/default/core6.c index 3c183df724..a71b3f2c7e 100644 --- a/release/src/router/libsodium/test/default/core6.c +++ b/release/src/router/libsodium/test/default/core6.c @@ -17,7 +17,7 @@ static unsigned char c[16] static unsigned char out[64]; -void print(unsigned char *x, unsigned char *y) +static void print(unsigned char *x, unsigned char *y) { int i; unsigned int borrow = 0; diff --git a/release/src/router/libsodium/test/default/generichash.c b/release/src/router/libsodium/test/default/generichash.c index 056559ca59..507d4e0c7b 100644 --- a/release/src/router/libsodium/test/default/generichash.c +++ b/release/src/router/libsodium/test/default/generichash.c @@ -1291,7 +1291,7 @@ static struct { } }; -int +static int tv(void) { unsigned char *expected_out; 
@@ -1366,6 +1366,17 @@ main(void) printf("%02x", (unsigned int) out[j]); } printf("\n"); + + assert(crypto_generichash(NULL, 0, + in, (unsigned long long) sizeof in, + k, sizeof k) == -1); + assert(crypto_generichash(NULL, crypto_generichash_BYTES_MAX + 1, + in, (unsigned long long) sizeof in, + k, sizeof k) == -1); + assert(crypto_generichash(NULL, (unsigned long long) sizeof in, + in, (unsigned long long) sizeof in, + k, crypto_generichash_KEYBYTES_MAX + 1) == -1); + assert(crypto_generichash_bytes_min() > 0U); assert(crypto_generichash_bytes_max() > 0U); assert(crypto_generichash_bytes() > 0U); diff --git a/release/src/router/libsodium/test/default/generichash2.c b/release/src/router/libsodium/test/default/generichash2.c index 29d2a6f597..6447d7e0e6 100644 --- a/release/src/router/libsodium/test/default/generichash2.c +++ b/release/src/router/libsodium/test/default/generichash2.c @@ -13,10 +13,10 @@ main(void) assert(crypto_generichash_statebytes() >= sizeof st); for (h = 0; h < crypto_generichash_KEYBYTES_MAX; ++h) - k[h] = h; + k[h] = (unsigned char) h; for (i = 0; i < MAXLEN; ++i) { - in[i] = i; + in[i] = (unsigned char) i; if (crypto_generichash_init(&st, k, 1 + i % crypto_generichash_KEYBYTES_MAX, 1 + i % crypto_generichash_BYTES_MAX) != 0) { diff --git a/release/src/router/libsodium/test/default/generichash3.c b/release/src/router/libsodium/test/default/generichash3.c index e430b725af..d964634358 100644 --- a/release/src/router/libsodium/test/default/generichash3.c +++ b/release/src/router/libsodium/test/default/generichash3.c @@ -20,6 +20,7 @@ main(void) size_t i; size_t j; + assert(crypto_generichash_blake2b_statebytes() >= sizeof st); for (h = 0; h < crypto_generichash_blake2b_KEYBYTES_MAX; ++h) { k[h] = (unsigned char) h; } 
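Review bot: The three new rejection checks are written as `assert(crypto_generichash(...) == -1)`, so unless cmptest.h undefines NDEBUG the calls are compiled out entirely in an NDEBUG build and the invalid-length handling stops being exercised, whereas the pwhash checks added elsewhere in this patch report an unexpected success with printf and keep running. Expressing them the same way, e.g. `if (crypto_generichash(NULL, 0, in, (unsigned long long) sizeof in, k, sizeof k) != -1) { printf("crypto_generichash() accepted outlen 0\n"); }`, keeps the checks alive regardless of build flags. The third call passes `k` with a length of `crypto_generichash_KEYBYTES_MAX + 1`, one past any buffer sized to the maximum; this is only safe if the library validates keylen before touching the key, which the expected -1 implies but a comment should state. `k` and `in` are declared outside the hunk.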
@@ -129,6 +130,19 @@ main(void) } printf("\n"); + assert(crypto_generichash_blake2b_salt_personal + (NULL, 0, + in, (unsigned long long) sizeof in, + k, sizeof k, NULL, NULL) == -1); + assert(crypto_generichash_blake2b_salt_personal + (NULL, crypto_generichash_BYTES_MAX + 1, + in, (unsigned long long) sizeof in, + k, sizeof k, NULL, NULL) == -1); + assert(crypto_generichash_blake2b_salt_personal + (NULL, (unsigned long long) sizeof in, + in, (unsigned long long) sizeof in, + k, crypto_generichash_KEYBYTES_MAX + 1, NULL, NULL) == -1); + crypto_generichash_blake2b_init_salt_personal(&st, NULL, 0U, crypto_generichash_BYTES, NULL, personal); crypto_generichash_blake2b_update(&st, in, MAXLEN); @@ -147,6 +161,13 @@ main(void) } printf("\n"); + assert(crypto_generichash_blake2b_init_salt_personal + (&st, k, sizeof k, 0, NULL, NULL) == -1); + assert(crypto_generichash_blake2b_init_salt_personal + (&st, k, sizeof k, crypto_generichash_blake2b_BYTES_MAX + 1, NULL, NULL) == -1); + assert(crypto_generichash_blake2b_init_salt_personal + (&st, k, crypto_generichash_blake2b_KEYBYTES_MAX + 1, sizeof out, NULL, NULL) == -1); + assert(crypto_generichash_blake2b_init_salt_personal(&st, k, sizeof k, crypto_generichash_BYTES, NULL, personal) == 0); assert(crypto_generichash_blake2b_init_salt_personal(&st, k, sizeof k, crypto_generichash_BYTES, diff --git a/release/src/router/libsodium/test/default/pwhash.c b/release/src/router/libsodium/test/default/pwhash.c index 3fa8e7f5c1..4b16a33f08 100644 --- a/release/src/router/libsodium/test/default/pwhash.c +++ b/release/src/router/libsodium/test/default/pwhash.c @@ -3,8 +3,8 @@ #include "cmptest.h" #define OUT_LEN 128 -#define OPSLIMIT 1000000 -#define MEMLIMIT 10000000 +#define OPSLIMIT 3 +#define MEMLIMIT 5000000 static void tv(void) { 
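Review bot: The crypto_generichash_blake2b_salt_personal() rejection checks bound the output and key lengths with the generic `crypto_generichash_BYTES_MAX` and `crypto_generichash_KEYBYTES_MAX`, while the init_salt_personal checks in the next hunk use the function's own `crypto_generichash_blake2b_BYTES_MAX` and `crypto_generichash_blake2b_KEYBYTES_MAX`. The values presumably coincide today, but a test of the blake2b-specific entry point should probe the bound that entry point documents; use `crypto_generichash_blake2b_BYTES_MAX + 1` and `crypto_generichash_blake2b_KEYBYTES_MAX + 1` here as well. The same NDEBUG caveat as for the other assert-based rejection checks applies.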
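Review bot: OPSLIMIT drops from 1000000 to 3 and MEMLIMIT from 10000000 to 5000000 with no comment, and the rest of this file's diff moves the callers from crypto_pwhash_scryptsalsa208sha256() to crypto_pwhash() with crypto_pwhash_alg_default(), so the two macros apparently now feed a different algorithm whose opslimit is on a different scale; a reader comparing old and new values cannot tell that from the diff. A one-line comment such as `/* limits for crypto_pwhash() with crypto_pwhash_alg_default(); not comparable to the former scrypt values */` would record the change of meaning. The code that consumes these macros is outside the hunk, so confirm the lower MEMLIMIT is still above the default algorithm's minimum.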
@@ -15,6 +15,7 @@ static void tv(void) size_t outlen; unsigned long long opslimit; size_t memlimit; + unsigned int lanes; } tests[] = { { "a347ae92bce9f80f6f595a4480fc9c2fe7e7d7148d371e9487d75f5c23008ffae0" "65577a928febd9b1973a5a95073acdbeb6a030cfc0d79caa2dc5cd011cef02c08d" @@ -22,13 +23,13 @@ static void tv(void) "8d220b20c60d7c07ec1fd93c52c31020300c6c1facd77937a597c7a6", 127, "5541fbc995d5c197ba290346d2c559dedf405cf97e5f95482143202f9e74f5c2", - 155, 481326, 7256678 }, + 155, 5, 7256678, 1 }, { "e125cee61c8cb7778d9e5ad0a6f5d978ce9f84de213a8556d9ffe202020ab4a6ed" "9074a4eb3416f9b168f137510f3a30b70b96cbfa219ff99f6c6eaffb15c06b60e0" "0cc2890277f0fd3c622115772f7048adaebed86e", 86, "f1192dd5dc2368b9cd421338b22433455ee0a3699f9379a08b9650ea2c126f0d", - 250, 535778, 7849083 }, + 250, 4, 7849083, 1 }, { "92263cbf6ac376499f68a4289d3bb59e5a22335eba63a32e6410249155b956b6a3" "b48d4a44906b18b897127300b375b8f834f1ceffc70880a885f47c33876717e392" "be57f7da3ae58da4fd1f43daa7e44bb82d3717af4319349c24cd31e46d295856b0" @@ -37,7 +38,7 @@ static void tv(void) "711f58c8c392016b2fdfc09c64f0f6b6ab7b", 183, "3b840e20e9555e9fb031c4ba1f1747ce25cc1d0ff664be676b9b4a90641ff194", - 249, 311757, 7994791 }, + 249, 3, 7994791, 1 }, { "027b6d8e8c8c474e9b69c7d9ed4f9971e8e1ce2f6ba95048414c3970f0f09b70e3" "b6c5ae05872b3d8678705b7d381829c351a5a9c88c233569b35d6b0b809df44b64" "51a9c273f1150e2ef8a0b5437eb701e373474cd44b97ef0248ebce2ca0400e1b53" 
@@ -45,19 +46,13 @@ static void tv(void) "9bb078ed1f0d31e7f9b8062409f37f19f8550aae", 152, "eb2a3056a09ad2d7d7f975bcd707598f24cd32518cde3069f2e403b34bfee8a5", - 5, 643464, 1397645 }, + 5, 4, 1397645, 1 }, { "4a857e2ee8aa9b6056f2424e84d24a72473378906ee04a46cb05311502d5250b82" "ad86b83c8f20a23dbb74f6da60b0b6ecffd67134d45946ac8ebfb3064294bc097d" "43ced68642bfb8bbbdd0f50b30118f5e", 82, "39d82eef32010b8b79cc5ba88ed539fbaba741100f2edbeca7cc171ffeabf258", - 190, 758010, 5432947 }, - { "1845e375479537e9dd4f4486d5c91ac72775d66605eeb11a787b78a7745f1fd005" - "2d526c67235dbae1b2a4d575a74cb551c8e9096c593a497aee74ba3047d911358e" - "de57bc27c9ea1829824348daaab606217cc931dcb6627787bd6e4e5854f0e8", - 97, - "3ee91a805aa62cfbe8dce29a2d9a44373a5006f4a4ce24022aca9cecb29d1473", - 212, 233177, 13101817 }, + 190, 3, 1432947, 1 }, { "c7b09aec680e7b42fedd7fc792e78b2f6c1bea8f4a884320b648f81e8cf515e8ba" "9dcfb11d43c4aae114c1734aa69ca82d44998365db9c93744fa28b63fd16000e82" "61cbbe083e7e2da1e5f696bde0834fe53146d7e0e35e7de9920d041f5a5621aabe" 
@@ -65,19 +60,12 @@ static void tv(void) "089dbeb6d6342a909c1307b3fff5fe2cf4da56bdae50848f", 156, "039c056d933b475032777edbaffac50f143f64c123329ed9cf59e3b65d3f43b6", - 178, 234753, 4886999 }, - { "8f3a06e2fd8711350a517bb12e31f3d3423e8dc0bb14aac8240fca0995938d59bb" - "37bd0a7dfc9c9cc0705684b46612e8c8b1d6655fb0f9887562bb9899791a0250d1" - "320f945eda48cdc20c233f40a5bb0a7e3ac5ad7250ce684f68fc0b8c9633bfd75a" - "ad116525af7bdcdbbdb4e00ab163fd4df08f243f12557e", - 122, - "90631f686a8c3dbc0703ffa353bc1fdf35774568ac62406f98a13ed8f47595fd", - 55, 695191, 15738350 }, + 178, 3, 4886999, 1 }, { "b540beb016a5366524d4605156493f9874514a5aa58818cd0c6dfffaa9e90205f1" "7b", 34, "44071f6d181561670bda728d43fb79b443bb805afdebaf98622b5165e01b15fb", - 231, 78652, 6631659 }, + 231, 1, 1631659, 1 }, { "a14975c26c088755a8b715ff2528d647cd343987fcf4aa25e7194a8417fb2b4b3f" "7268da9f3182b4cfb22d138b2749d673a47ecc7525dd15a0a3c66046971784bb63" "d7eae24cc84f2631712075a10e10a96b0e0ee67c43e01c423cb9c44e5371017e9c" @@ -87,10 +75,10 @@ static void tv(void) "55a3b4169f22cccb0745a2689407ea1901a0a766eb99", 220, "3d968b2752b8838431165059319f3ff8910b7b8ecb54ea01d3f54769e9d98daf", - 167, 717248, 10784179 }, + 167, 3, 1784128, 1 }, }; char passwd[256]; - unsigned char salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES]; + unsigned char salt[crypto_pwhash_SALTBYTES]; unsigned char out[256]; char out_hex[256 * 2 + 1]; size_t i = 0U; 
@@ -101,12 +89,12 @@ static void tv(void) NULL, NULL); sodium_hex2bin(salt, sizeof salt, tests[i].salt_hex, strlen(tests[i].salt_hex), NULL, NULL, NULL); - if (crypto_pwhash_scryptsalsa208sha256( - out, (unsigned long long) tests[i].outlen, - passwd, tests[i].passwdlen, - (const unsigned char *) salt, tests[i].opslimit, - tests[i].memlimit) != 0) { - printf("pwhash failure\n"); + if (crypto_pwhash(out, (unsigned long long) tests[i].outlen, + passwd, tests[i].passwdlen, + (const unsigned char *) salt, tests[i].opslimit, + tests[i].memlimit, crypto_pwhash_alg_default()) != 0) { + printf("[tv] pwhash failure (maybe intentional): [%u]\n", (unsigned int) i); + continue; } sodium_bin2hex(out_hex, sizeof out_hex, out, tests[i].outlen); printf("%s\n", out_hex); @@ -122,6 +110,7 @@ static void tv2(void) size_t outlen; unsigned long long opslimit; size_t memlimit; + unsigned int lanes; } tests[] = { { "a347ae92bce9f80f6f595a4480fc9c2fe7e7d7148d371e9487d75f5c23008ffae0" "65577a928febd9b1973a5a95073acdbeb6a030cfc0d79caa2dc5cd011cef02c08d" @@ -129,17 +118,17 @@ static void tv2(void) "8d220b20c60d7c07ec1fd93c52c31020300c6c1facd77937a597c7a6", 127, "5541fbc995d5c197ba290346d2c559dedf405cf97e5f95482143202f9e74f5c2", - 155, 64, 1397645 }, + 155, 4, 1397645, 1 }, { "a347ae92bce9f80f6f595a4480fc9c2fe7e7d7148d371e9487d75f5c23008ffae0" "65577a928febd9b1973a5a95073acdbeb6a030cfc0d79caa2dc5cd011cef02c08d" "a232d76d52dfbca38ca8dcbd665b17d1665f7cf5fe59772ec909733b24de97d6f5" "8d220b20c60d7c07ec1fd93c52c31020300c6c1facd77937a597c7a6", 127, "5541fbc995d5c197ba290346d2c559dedf405cf97e5f95482143202f9e74f5c2", - 155, 32768, 1397645 }, + 155, 3, 1397645, 1 }, }; char passwd[256]; - unsigned char salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES]; + unsigned char salt[crypto_pwhash_SALTBYTES]; unsigned char out[256]; char out_hex[256 * 2 + 1]; size_t i = 0U; 
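Review bot: The `lanes` member added to tv2's tests[] struct (hunk @@ -122) is never read: the replacement crypto_pwhash() call takes no parallelism argument, so the trailing `1` in every vector is dead data, and a future vector with p != 1 would be hashed with the library's fixed lane count and mismatch its reference output with no hint why. Either drop the column or have each loop guard it, e.g. `assert(tests[i].lanes == 1U); /* crypto_pwhash() has no lanes parameter */`. The fourth value appended to each tv() vector in the earlier hunks is presumably the same field; tv()'s struct definition is outside this view. The "(maybe intentional)" message in the tv() hunk also turns an expected failure into free text that only pwhash.exp pins down; an explicit `int expect_fail` column per vector would let the loop assert the outcome instead of describing it.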
@@ -150,16 +139,41 @@ static void tv2(void) NULL, NULL); sodium_hex2bin(salt, sizeof salt, tests[i].salt_hex, strlen(tests[i].salt_hex), NULL, NULL, NULL); - if (crypto_pwhash_scryptsalsa208sha256( - out, (unsigned long long) tests[i].outlen, - passwd, tests[i].passwdlen, - (const unsigned char *) salt, tests[i].opslimit, - tests[i].memlimit) != 0) { - printf("pwhash failure\n"); + if (crypto_pwhash(out, (unsigned long long) tests[i].outlen, + passwd, tests[i].passwdlen, + (const unsigned char *) salt, tests[i].opslimit, + tests[i].memlimit, crypto_pwhash_alg_default()) != 0) { + printf("[tv2] pwhash failure: [%u]\n", (unsigned int) i); + continue; } sodium_bin2hex(out_hex, sizeof out_hex, out, tests[i].outlen); printf("%s\n", out_hex); } while (++i < (sizeof tests) / (sizeof tests[0])); + + if (crypto_pwhash(out, sizeof out, "password", strlen("password"), + salt, 3, 1ULL << 12, 0) != -1) { + printf("[tv2] pwhash should have failed (0)\n"); + } + if (crypto_pwhash(out, sizeof out, "password", strlen("password"), + salt, 3, 1, crypto_pwhash_alg_default()) != -1) { + printf("[tv2] pwhash should have failed (1)\n"); + } + if (crypto_pwhash(out, sizeof out, "password", strlen("password"), + salt, 3, 1ULL << 12, crypto_pwhash_alg_default()) != -1) { + printf("[tv2] pwhash should have failed (2)\n"); + } + if (crypto_pwhash(out, sizeof out, "password", strlen("password"), + salt, 2, 1ULL << 12, crypto_pwhash_alg_default()) != -1) { + printf("[tv2] pwhash should have failed (3)\n"); + } + if (crypto_pwhash(out, 0x100000000ULL, "password", strlen("password"), + salt, 3, 1ULL << 12, crypto_pwhash_alg_default()) != -1) { + printf("[tv2] pwhash with a long output length should have failed\n"); + } + if (crypto_pwhash(out, sizeof out, "password", 0x100000000ULL, + salt, 3, 1ULL << 12, crypto_pwhash_alg_default()) != -1) { + printf("[tv2] pwhash with a long password length should have failed\n"); + } } static void tv3(void) 
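Review bot: Negative cases (0) and (3) are confounded by the memlimit they use: `1ULL << 12` is rejected on its own by case (2), so case (0) does not show that the unsupported alg value 0 is refused and case (3) does not show that opslimit 2 is below the floor — both return -1 even if the check under test were missing. Give those two a memlimit the library accepts, e.g. `salt, 3, crypto_pwhash_memlimit_interactive(), 0` and `salt, 2, crypto_pwhash_memlimit_interactive(), crypto_pwhash_alg_default()`. The opslimit and memlimit floors that cases (1)–(3) rely on are not stated anywhere in the hunk; a one-line comment above the block naming them would make the expected -1 results reviewable. These calls also reuse `salt` as left by the last loop iteration, which is harmless on failure paths but deserves a `/* salt contents irrelevant: every call below must fail */`.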
@@ -168,103 +182,15 @@ static void tv3(void) const char *passwd; const char *out; } tests[] = { - { "^T5H$JYt39n%K*j:W]!1s?vg!:jGi]Ax?..l7[p0v:1jHTpla9;]bUN;?bWyCbtqg " - "nrDFal+Jxl3,2`#^tFSu%v_+7iYse8-cCkNf!tD=KrW)", - "$7$B6....1....75gBMAGwfFWZqBdyF3WdTQnWdUsuTiWjG1fF9c1jiSD$tc8RoB3." - "Em3/zNgMLWo2u00oGIoTyJv4fl3Fl8Tix72" }, - { "bl72h6#y<':MFRZ>B IA1=NRkCKS%W8`1I.2uQxJN0g)N N aTt^4K!Iw5r " - "H6;crDsv^a55j9tsk'/GqweZn;cdk6+F_St6:#*=?ZCD_lw>.", - "$7$A6....3....Iahc6qM0.UQJHVgE4h9oa1/" - "4OWlWLm9CCtfguvz6bQD$QnXCo3M7nIqtry2WKsUZ5gQ.mY0wAlJu." - "WUhtE8vF66" }, - { "Py " - ">e.5b+tLo@rL`dC2k@eJ&4eVl!W=JJ4+k&mAt@gt',FS1JjqKW3aq21:]^kna`" - "mde7kVkN5NrpKUptu)@4*b&?BE_sJMG1=&@`3GBCV]Wg7xwgo7x3El", - "$7$96..../....f6bEusKt79kK4wdYN0ki2nw4bJQ7P3rN6k3BSigsK/" - "D$Dsvuw7vXj5xijmrb/NOhdgoyK/OiSIYv88cEtl9Cik7" }, - { "2vj;Um]FKOL27oam(:Uo8+UmSTvb1FD*h?jk_,S=;RDgF-$Fjk?]9yvfxe@fN^!NN(" - "Cuml?+2Raa", - "$7$86....I....7XwIxLtCx4VphmFeUa6OGuGJrFaIaYzDiLNu/" - "tyUPhD$U3q5GCEqCWxMwh.YQHDJrlg7FIZgViv9pcXE3h1vg61" }, - { "CT=[9uUoGav,J`kU+348tA50ue#sL:ABZ3QgF+r[#vh:tTOiL>s8tv%,Jeo]jH/" - "_4^i(*jD-_ku[9Ko[=86 06V", - "$7$A6....2....R3.bjH6YS9wz9z8Jsj.3weGQ3J80ZZElGw2oVux1TP6$" - "i5u6lFzXDHaIgYEICinLD6WNaovbiXP8SnLrDRdKgA9" }, - { "J#wNn`hDgOpTHNI.w^1a70%f,.9V_m038H_JIJQln`vdWnn/" - "rmILR?9H5g(+`;@H(2VosN9Fgk[WEjaBr'yB9Q19-imNa04[Mk5kvGcSn-TV", - "$7$B6....1....Dj1y.4mF1J9XmT/6IDskYdCLaPFJTq9xcCwXQ1DpT92$92/" - "hYfZLRq1nTLyIz.uc/dC6wLqwnsoqpkadrCXusm6" }, - { "j4BS38Asa;p)[K+9TY!3YDjQw+!qJb]>pP :_.9`dxM9k [eR7Y!yL-3)sNs[R,j_/^ " - "TH=5ny'15>6UXWcQW^6D%XCsO[vN[%ReA-`tV1vW(Nt*0KVK#]45P_A", - "$7$B6....1....D/" - "eyk8N5y6Z8YVQEsw521cTx.9zzLuK7YDs1KMMh.o4$alfW8ZbsUWnXc." - "vqon2zoljVk24Tt1.IsCuo2KurvS2" }, - { "K3S=KyH#)36_?]LxeR8QNKw6X=gFb'ai$C%29V* " - "tyh^Wo$TN-#Q4qkmtTCf0LLb.^E$0uykkP", - "$7$B6....1....CuBuU97xgAage8whp/" - "JNKobo0TFbsORGVbfcQIefyP8$aqalP." 
- "XofGViB8EPLONqHma8vs1xc9uTIMYh9CgE.S8" }, - { "Y0!?iQa9M%5ekffW(`", - "$7$A6....1....TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4$" - "a4ik5hGDN7foMuHOW.cp.CtX01UyCeO0.JAG.AHPpx5" }, - - /* Invalid pwhash strings */ - - { "Y0!?iQa9M%5ekffW(`", - "$7$A6....1....$TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4" - "a4ik5hGDN7foMuHOW.cp.CtX01UyCeO0.JAG.AHPpx5" }, - { "Y0!?iQa9M%5ekffW(`", - "$7$.6....1....TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4$" - "a4ik5hGDN7foMuHOW.cp.CtX01UyCeO0.JAG.AHPpx5" }, - { "Y0!?iQa9M%5ekffW(`", - "$7$A.....1....TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4$" - "a4ik5hGDN7foMuHOW.cp.CtX01UyCeO0.JAG.AHPpx5" }, - { "Y0!?iQa9M%5ekffW(`", - "$7$A6.........TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4$" - "a4ik5hGDN7foMuHOW.cp.CtX01UyCeO0.JAG.AHPpx5" }, - { "Y0!?iQa9M%5ekffW(`", - "$7$A6....1....TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i44269$" - "a4ik5hGDN7foMuHOW.cp.CtX01UyCeO0.JAG.AH" }, - { "Y0!?iQa9M%5ekffW(`", - "$7$A6....1....TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4$" - "a4ik5hGDN7foMuHOW.cp.CtX01UyCeO0.JAG.AHPpx54269" }, - { "Y0!?iQa9M%5ekffW(`", - "$7^A6....1....TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4$" - "a4ik5hGDN7foMuHOW.cp.CtX01UyCeO0.JAG.AHPpx5" }, - { "Y0!?iQa9M%5ekffW(`", - "$7$!6....1....TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4$" - "a4ik5hGDN7foMuHOW.cp.CtX01UyCeO0.JAG.AHPpx5" }, - { "Y0!?iQa9M%5ekffW(`", - "$7$A!....1....TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4$" - "a4ik5hGDN7foMuHOW.cp.CtX01UyCeO0.JAG.AHPpx5" }, - { "Y0!?iQa9M%5ekffW(`", - "$7$A6....!....TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4$" - "a4ik5hGDN7foMuHOW.cp.CtX01UyCeO0.JAG.AHPpx5" }, - { "", - "$7$A6....1....TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4$" - "a4ik5hGDN7foMuHOW.cp.CtX01UyCeO0.JAG.AHPpx5" }, - { "Y0!?iQa9M%5ekffW(`", - "$7fA6....1....TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4#" - "a4ik5hGDN7foMuHOW.cp.CtX01UyCeO0.JAG.AHPpx5" }, - { "Y0!?iQa9M%5ekffW(`", - "$7$AX....1....TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4$" - 
"a4ik5hGDN7foMuHOW.cp.CtX01UyCeO0.JAG.AHPpx5" }, - { "Y0!?iQa9M%5ekffW(`", - "$7$A6....1!...TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4$" - "a4ik5hGDN7foMuHOW.cp.CtX01UyCeO0.JAG.AHPpx5" }, - { "Y0!?iQa9M%5ekffW(`", - "$7$A6....1" }, - { "Y0!?iQa9M%5ekffW(`", - "$7$" }, - { "Y0!?iQa9M%5ekffW(`", - "" }, - { "Y0!?iQa9M%5ekffW(`", - "$7$A6....1....TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4$" - "" }, - }; + { "", + "$argon2i$v=19$m=4096,t=1,p=1$X1NhbHQAAAAAAAAAAAAAAA$bWh++MKN1OiFHKgIWTLvIi1iHicmHH7+Fv3K88ifFfI" }, + { "", + "$argon2i$v=19$m=2048,t=4,p=1$SWkxaUhpY21ISDcrRnYzSw$Mbg/Eck1kpZir5T9io7C64cpffdTBaORgyriLQFgQj8" }, + { "^T5H$JYt39n%K*j:W]!1s?vg!:jGi]Ax?..l7[p0v:1jHTpla9;]bUN;?bWyCbtqg ", + "$argon2i$v=19$m=4096,t=3,p=2$X1NhbHQAAAAAAAAAAAAAAA$z/QMiU4lQxGsYNc/+K/bizwsA1P11UG2dj/7+aILJ4I" }, + { "K3S=KyH#)36_?]LxeR8QNKw6X=gFbxai$C%29V*", + "$argon2i$v=19$m=4096,t=3,p=1$X1NhbHQAAAAAAAAAAAAAAA$fu2Wsecyt+yPnBvSvYN16oP5ozRmkp0ixJ1YL19V3Uo" } + }; char *out; char *passwd; size_t i = 0U; @@ -276,9 +202,10 @@ static void tv3(void) passwd = (char *) sodium_malloc(strlen(tests[i].passwd) + 1U); assert(passwd != NULL); memcpy(passwd, tests[i].passwd, strlen(tests[i].passwd) + 1U); - if (crypto_pwhash_scryptsalsa208sha256_str_verify + if (crypto_pwhash_str_verify (out, passwd, strlen(passwd)) != 0) { - printf("pwhash_str failure: [%u]\n", (unsigned int)i); + printf("[tv3] pwhash_str failure (maybe intentional): [%u]\n", (unsigned int) i); + continue; } sodium_free(out); sodium_free(passwd); 
@@ -295,49 +222,140 @@ int main(void) tv(); tv2(); tv3(); - salt = (char *) - sodium_malloc(crypto_pwhash_scryptsalsa208sha256_SALTBYTES); - str_out = (char *) - sodium_malloc(crypto_pwhash_scryptsalsa208sha256_STRBYTES); - str_out2 = (char *) - sodium_malloc(crypto_pwhash_scryptsalsa208sha256_STRBYTES); - memcpy(salt, "[<~A 32-bytes salt for scrypt~>]", - crypto_pwhash_scryptsalsa208sha256_SALTBYTES); - if (crypto_pwhash_scryptsalsa208sha256_str(str_out, passwd, strlen(passwd), - OPSLIMIT, MEMLIMIT) != 0) { + salt = (char *) sodium_malloc(crypto_pwhash_SALTBYTES); + str_out = (char *) sodium_malloc(crypto_pwhash_STRBYTES); + str_out2 = (char *) sodium_malloc(crypto_pwhash_STRBYTES); + memcpy(salt, ">A 16-bytes salt", crypto_pwhash_SALTBYTES); + if (crypto_pwhash_str(str_out, passwd, strlen(passwd), + OPSLIMIT, MEMLIMIT) != 0) { printf("pwhash_str failure\n"); + return 1; } - if (crypto_pwhash_scryptsalsa208sha256_str(str_out2, passwd, strlen(passwd), - OPSLIMIT, MEMLIMIT) != 0) { + if (crypto_pwhash_str(str_out2, passwd, strlen(passwd), + OPSLIMIT, MEMLIMIT) != 0) { printf("pwhash_str(2) failure\n"); + return 1; } if (strcmp(str_out, str_out2) == 0) { - printf("pwhash_str doesn't generate different salts\n"); + printf("pwhash_str() doesn't generate different salts\n"); } - if (crypto_pwhash_scryptsalsa208sha256_str_verify(str_out, passwd, - strlen(passwd)) != 0) { - printf("pwhash_str_verify failure\n"); + if (sodium_is_zero((const unsigned char *) str_out + strlen(str_out), + crypto_pwhash_STRBYTES - strlen(str_out)) != 1 || + sodium_is_zero((const unsigned char *) str_out2 + strlen(str_out2), + crypto_pwhash_STRBYTES - strlen(str_out2)) != 1) { + printf("pwhash_str() doesn't properly pad with zeros\n"); } - if (crypto_pwhash_scryptsalsa208sha256_str_verify(str_out, passwd, - strlen(passwd)) != 0) { - printf("pwhash_str_verify failure\n"); + if (crypto_pwhash_str_verify(str_out, passwd, strlen(passwd)) != 0) { + printf("pwhash_str_verify(1) failure\n"); } 
str_out[14]++; - if (crypto_pwhash_scryptsalsa208sha256_str_verify( - str_out, passwd, strlen(passwd)) == 0) { + if (crypto_pwhash_str_verify(str_out, passwd, strlen(passwd)) != -1) { printf("pwhash_str_verify(2) failure\n"); } str_out[14]--; + assert(str_out[crypto_pwhash_STRBYTES - 1U] == 0); + + if (crypto_pwhash_str(str_out2, passwd, 0x100000000ULL, + OPSLIMIT, MEMLIMIT) != -1) { + printf("pwhash_str() with a large password should have failed\n"); + return 1; + } + if (crypto_pwhash_str(str_out2, passwd, strlen(passwd), + 1, MEMLIMIT) != -1) { + printf("pwhash_str() with a small opslimit should have failed\n"); + return 1; + } + if (crypto_pwhash_str_verify("$argon2i$m=65536,t=2,p=1c29tZXNhbHQ" + "$9sTbSlTio3Biev89thdrlKKiCaYsjjYVJxGAL3swxpQ", + "password", 0x100000000ULL) != -1) { + printf("pwhash_str_verify(invalid(0)) failure\n"); + } + if (crypto_pwhash_str_verify("$argon2i$m=65536,t=2,p=1c29tZXNhbHQ" + "$9sTbSlTio3Biev89thdrlKKiCaYsjjYVJxGAL3swxpQ", + "password", strlen("password")) != -1) { + printf("pwhash_str_verify(invalid(1)) failure\n"); + } + if (crypto_pwhash_str_verify("$argon2i$m=65536,t=2,p=1$c29tZXNhbHQ" + "9sTbSlTio3Biev89thdrlKKiCaYsjjYVJxGAL3swxpQ", + "password", strlen("password")) != -1) { + printf("pwhash_str_verify(invalid(2)) failure\n"); + } + if (crypto_pwhash_str_verify("$argon2i$m=65536,t=2,p=1$c29tZXNhbHQ" + "$b2G3seW+uPzerwQQC+/E1K50CLLO7YXy0JRcaTuswRo", + "password", strlen("password")) != -1) { + printf("pwhash_str_verify(invalid(3)) failure\n"); + } + if (crypto_pwhash_str_verify("$argon2i$v=19$m=65536,t=2,p=1c29tZXNhbHQ" + "$wWKIMhR9lyDFvRz9YTZweHKfbftvj+qf+YFY4NeBbtA", + "password", strlen("password")) != -1) { + printf("pwhash_str_verify(invalid(4)) failure\n"); + } + if (crypto_pwhash_str_verify("$argon2i$v=19$m=65536,t=2,p=1$c29tZXNhbHQ" + "wWKIMhR9lyDFvRz9YTZweHKfbftvj+qf+YFY4NeBbtA", + "password", strlen("password")) != -1) { + printf("pwhash_str_verify(invalid(5)) failure\n"); + } + if 
(crypto_pwhash_str_verify("$argon2i$v=19$m=65536,t=2,p=1$c29tZXNhbHQ" + "$8iIuixkI73Js3G1uMbezQXD0b8LG4SXGsOwoQkdAQIM", + "password", strlen("password")) != -1) { + printf("pwhash_str_verify(invalid(6)) failure\n"); + } + if (crypto_pwhash_str_verify("$argon2i$v=19$m=4096,t=3,p=2$b2RpZHVlamRpc29kaXNrdw" + "$TNnWIwlu1061JHrnCqIAmjs3huSxYIU+0jWipu7Kc9M", + "password", strlen("password")) != 0) { + printf("pwhash_str_verify(valid(7)) failure\n"); + } + if (crypto_pwhash_str_verify("$argon2i$v=19$m=4096,t=3,p=2$b2RpZHVlamRpc29kaXNrdw" + "$TNnWIwlu1061JHrnCqIAmjs3huSxYIU+0jWipu7Kc9M", + "passwore", strlen("passwore")) != -1) { + printf("pwhash_str_verify(invalid(7)) failure\n"); + } + if (crypto_pwhash_str_verify("$Argon2i$v=19$m=4096,t=3,p=2$b2RpZHVlamRpc29kaXNrdw" + "$TNnWIwlu1061JHrnCqIAmjs3huSxYIU+0jWipu7Kc9M", + "password", strlen("password")) != -1) { + printf("pwhash_str_verify(invalid(8)) failure\n"); + } + if (crypto_pwhash_str_verify("$argon2i$v=1$m=4096,t=3,p=2$b2RpZHVlamRpc29kaXNrdw" + "$TNnWIwlu1061JHrnCqIAmjs3huSxYIU+0jWipu7Kc9M", + "password", strlen("password")) != -1) { + printf("pwhash_str_verify(invalid(9)) failure\n"); + } + assert(crypto_pwhash_saltbytes() > 0U); + assert(crypto_pwhash_strbytes() > 1U); + assert(crypto_pwhash_strbytes() > strlen(crypto_pwhash_strprefix())); + assert(crypto_pwhash_opslimit_interactive() > 0U); + assert(crypto_pwhash_memlimit_interactive() > 0U); + assert(crypto_pwhash_opslimit_moderate() > 0U); + assert(crypto_pwhash_memlimit_moderate() > 0U); + assert(crypto_pwhash_opslimit_sensitive() > 0U); + assert(crypto_pwhash_memlimit_sensitive() > 0U); + assert(strcmp(crypto_pwhash_primitive(), "argon2i") == 0); + + assert(crypto_pwhash_opslimit_interactive() == crypto_pwhash_OPSLIMIT_INTERACTIVE); + assert(crypto_pwhash_memlimit_interactive() == crypto_pwhash_MEMLIMIT_INTERACTIVE); + assert(crypto_pwhash_opslimit_moderate() == crypto_pwhash_OPSLIMIT_MODERATE); + assert(crypto_pwhash_memlimit_moderate() == 
crypto_pwhash_MEMLIMIT_MODERATE); + assert(crypto_pwhash_opslimit_sensitive() == crypto_pwhash_OPSLIMIT_SENSITIVE); + assert(crypto_pwhash_memlimit_sensitive() == crypto_pwhash_MEMLIMIT_SENSITIVE); - assert(str_out[crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1U] == 0); - assert(crypto_pwhash_scryptsalsa208sha256_saltbytes() > 0U); - assert(crypto_pwhash_scryptsalsa208sha256_strbytes() > 1U); - assert(crypto_pwhash_scryptsalsa208sha256_strbytes() > - strlen(crypto_pwhash_scryptsalsa208sha256_strprefix())); - assert(crypto_pwhash_scryptsalsa208sha256_opslimit_interactive() > 0U); - assert(crypto_pwhash_scryptsalsa208sha256_memlimit_interactive() > 0U); - assert(crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive() > 0U); - assert(crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive() > 0U); + assert(crypto_pwhash_argon2i_saltbytes() == crypto_pwhash_saltbytes()); + assert(crypto_pwhash_argon2i_strbytes() == crypto_pwhash_strbytes()); + assert(strcmp(crypto_pwhash_argon2i_strprefix(), crypto_pwhash_strprefix()) == 0); + assert(crypto_pwhash_argon2i_opslimit_interactive() == + crypto_pwhash_opslimit_interactive()); + assert(crypto_pwhash_argon2i_opslimit_moderate() == + crypto_pwhash_opslimit_moderate()); + assert(crypto_pwhash_argon2i_opslimit_sensitive() == + crypto_pwhash_opslimit_sensitive()); + assert(crypto_pwhash_argon2i_memlimit_interactive() == + crypto_pwhash_memlimit_interactive()); + assert(crypto_pwhash_argon2i_memlimit_moderate() == + crypto_pwhash_memlimit_moderate()); + assert(crypto_pwhash_argon2i_memlimit_sensitive() == + crypto_pwhash_memlimit_sensitive()); + assert(crypto_pwhash_alg_argon2i13() == crypto_pwhash_argon2i_alg_argon2i13()); + assert(crypto_pwhash_alg_argon2i13() == crypto_pwhash_ALG_ARGON2I13); + assert(crypto_pwhash_alg_argon2i13() == crypto_pwhash_alg_default()); sodium_free(salt); sodium_free(str_out); 
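Review bot: `salt` is allocated, filled and freed, but nothing in the hunk passes it to a call — crypto_pwhash_str() and crypto_pwhash_str_verify() take no salt — so `memcpy(salt, ">A 16-bytes salt", crypto_pwhash_SALTBYTES)` is dead code that will also read past the literal the day crypto_pwhash_SALTBYTES grows; drop the three salt lines, or if a salt is intended for a later crypto_pwhash() call, guard it with `assert(sizeof ">A 16-bytes salt" - 1U == crypto_pwhash_SALTBYTES);`. The invalid(0) case combines a malformed string with a 2^32 password length, so its -1 does not tell which check fired, and invalid(1) already covers the same malformed string; to isolate the verifier's length check, pass the well-formed valid(7) string with `"password", 0x100000000ULL` instead. main() starts before this hunk, so an earlier use of salt is not ruled out from here.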
diff --git a/release/src/router/libsodium/test/default/pwhash.exp b/release/src/router/libsodium/test/default/pwhash.exp dissimilarity index 99% index 5c58d530e4..abe873251e 100644 --- a/release/src/router/libsodium/test/default/pwhash.exp +++ b/release/src/router/libsodium/test/default/pwhash.exp 
@@ -1,31 +1,12 @@ -8d40f5f8c6a1791204f03e19a98cd74f918b6e331b39cfc2415e5014d7738b7bb0a83551fb14a035e07fdd4dc0c60c1a6822ac253918979f6324ff0c87cba75d3b91f88f41ca5414a0f152bdc4d636f42ab2250afd058c19ec31a3374d1bd7133289bf21513ff67cbf8482e626aee9864c58fd05f9ea02e508a10182b7d838157119866f072004987ef6c56683ed207705923921af9d76444a331a -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 -ee7e9e1369267ec555981f0ea088ff6f93953abfcb767d88ec3c46393d24cfbaba5e4e26e0f35b5d5259647748476d65cd8881c96f8cda049d9c877b2d33d932e67f4c0df2cb434b4b4900e0c49c3f8ba9663795420577e65d0b456201ad9162fbc485c7b44f2b34e6673aa3692c123021ee3b624c3bb22b808b89613d8ecc7b87da47f57152eb3f7b10ad206f6b09cb6935b347b5e42bc3b8c9c9bcd8d7b7c44929b367fc279dec48ea78e6ee3e2620d7459700bd0aedb1c9aa5a323ca94403927f5e5c2b73bda7c5c3287b62fe51874cfeb1dc3151cd886b26d83ece68833229d2d432798c602d85b0505947207d8430febbe901164b12ce -1828b82997 -bcc5c2fd785e4781d1201ed43d84925537e2a540d3de55f5812f29e9dd0a4a00451a5c8ddbb4862c03d45c75bf91b7fb49265feb667ad5c899fdbf2ca19eac67aa5e48595d5b02f8183ab07f71b1ce0d76e5df54919f63810ad0893ded7d1ca18fc956ec06ffd4c3d1f77a00ed53608947b25eea5df6bea02272be15815f974c321a2a9208674fdf59d1d798c2a12f1889df68b0c222b37ee9ef0d6391fc160b0281ec53073cb3a3706ce1d71c3af2f5237a1b3d8545d99012eecc0b4abb -82765c040c58c1810f8c053ef5c248556299385476bde44bdd91a0d9a239f24e9b1717fd8b23209ffa45b7aa7937296c601b79e77da99e8d2fda0ea4459be2d0900f5bc5a269b5488d873d4632d1baf75965e509ee24b12501a9ce3bbbd8b7d759987d545a1c221a363195e5802d768b3b9e00ebe5ac0ed8ad2362c1c4157b910a40f94adf2561a2b0d3e65dbb06f244e5ac44d362103df54c9b9175777b3db1cdadb03e977ab8a79baf1e1e18ec9f5d0f25c487ddc53d7e81910f83576b44e9caeece26e2eb376569ad3a8cdccbde8bc355210e 
-ca9216d4127e2e4a6ee3584b49be106217bb61cc807016d46d0cfbb1fd722e2bbac33541386bdfeac41a299ead22790993fcaa8e1d23bd1c8426afa5ff4c08e731dc476ef834f142c32dfb2c1be12b9978802e63b2cd6f226b1a8df59f0c79154d7ef4296a68ec654538d987104f9a11aca1b7c83ab2ed8fd69da6b88f0bcbd27d3fea01329cecf10c57ec3ba163d57b38801bd6c3b31ce527b33717bb56a46f78fb96be9f2424a21b3284232388cbba6a74 -2732a7566023c8db90a5fdd08dbe6c1b5e70c046d50c5735c8d86a589ba177f69db12d6cc3596319fa27c9e063ed05b8a31970a07dc905 -d7b1ef464be03ce9050b5108e25f0b8e821299986fe0ff89e17fbae65ba9fad167fbd265866ac03efc86ab0b50d46d6740a59adf5949b44f7f9f3ac3f3d4cc9f128966db9099deb1b6b78505242b2401a193820408eb0780b27162ebafb7c505b0e7c32ce66c6efc0be487008c1201454680498a2fc06e00b454e0b20933906bbb0e43b399b9ee46d882f107df1ebdd1e7cd867c9cdba6015b7e80064ae8b3417d969524bec046e782a13b125f058cd36b5d1ae65886ae7caab45a6d98651ada435b8ee11d5c1224232f5f515df974138dd6cf347b730481d4b073af8ff0394fe9f0b8cdfd99f5 -1839be14287053bfcd4ea60db82777fad1a6e9535c388b770743e61235449e668717199defd516c438b3ebd79b3529eb32482ef414525292ea1bbec09da10790a2330a4399f2fe6dd63d80954e3c547a5f1c619db5a30bde495b23f2214b4fa7572851d75246f2817775f0b521acc6efbc7832c9a76de7465e3c65cade88e86c973f85a882bb54f92b983977c6e937c88f083ba68c70fb49497065b158e2e789809b1d4cc9ec2d -d54916748076b9d9f72198c8fbef563462dc8c706e1ad38abd1fac570016721acd0a7659ab49a47299a996b43597690c0c947143069f35d83e606273dbf2d622321393949b8ed5a68315362c4f84804384d05e0e0e86bc00e3641233f9f975ab46b60ba185c5e5fe47f78efd207e69fd8f6390730828b93b9b3763ea1283caa03bc36726763715de811915681dd214524f5ad4dd386608cac6c7f2 -d54916748076b9d9f72198c8fbef563462dc8c706e1ad38abd1fac570016721acd0a7659ab49a47299a996b43597690c0c947143069f35d83e606273dbf2d622321393949b8ed5a68315362c4f84804384d05e0e0e86bc00e3641233f9f975ab46b60ba185c5e5fe47f78efd207e69fd8f6390730828b93b9b3763ea1283caa03bc36726763715de811915681dd214524f5ad4dd386608cac6c7f2 -pwhash_str failure: [10] -pwhash_str failure: [11] -pwhash_str failure: [12] -pwhash_str failure: [13] 
-pwhash_str failure: [14] -pwhash_str failure: [15] -pwhash_str failure: [16] -pwhash_str failure: [17] -pwhash_str failure: [18] -pwhash_str failure: [19] -pwhash_str failure: [20] -pwhash_str failure: [21] -pwhash_str failure: [22] -pwhash_str failure: [23] -pwhash_str failure: [24] -pwhash_str failure: [25] -pwhash_str failure: [26] -pwhash_str failure: [27] -OK +23b803c84eaa25f4b44634cc1e5e37792c53fcd9b1eb20f865329c68e09cbfa9f1968757901b383fce221afe27713f97914a041395bbe1fb70e079e5bed2c7145b1f6154046f5958e9b1b29055454e264d1f2231c316f26be2e3738e83a80315e9a0951ce4b137b52e7d5ee7b37f7d936dcee51362bcf792595e3c896ad5042734fc90c92cae572ce63ff659a2f7974a3bd730d04d525d253ccc38 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 +e9aa073b0b872f15c083d1d7ce52c09f493b827ca78f13a06c1721b45b1e17b24c04e19fe869333135360197a7eb55994fee3e8d9680aedfdf7674f3ad7b84d59d7eab03579ffc10c7093093bc48ec84252aa1b30f40f5e838f1443e15e2772a39f4e774eb052097e8881e94f15457b779fa2af2bbc9a993687657c7704ac8a37c25c1df4289eb4c70da45f2fd46bc0f78259767d3dd478a7c369cf866758bc36d9bd8e2e3c9fb0cf7fd6073ebf630c1f67fa7d303c07da40b36749d157ea37965fef810f2ea05ae6fc7d96a8f3470d73e15b22b42e8d6986dbfe5303256b2b3560372c4452ffb2a04fb7c6691489f70cb46831be0679117f7 +[tv] pwhash failure (maybe intentional): [3] +c121209f0ba70aed93d49200e5dc82cce013cef25ea31e160bf8db3cf448a59d1a56f6c19259e18ea020553cb75781761d112b2d949a297584c65e60df95ad89c4109825a3171dc6f20b1fd6b0cdfd194861bc2b414295bee5c6c52619e544abce7d520659c3d51de2c60e89948d830695ab38dcb75dd7ab06a4770dd4bc7c8f335519e04b038416b1a7dbd25c026786a8105c5ffe7a0931364f0376ae5772be39b51d91d3281464e0f3a128e7155a68e87cf79626ffca0b2a3022fc8420 
+91c337ce8918a5805a59b00bd1819d3eb4356807cbd2a80b271c4b482dce03f5b02ae4eb831ff668cbb327b93c300b41da4852e5547bea8342d518dd9311aaeb5f90eccf66d548f9275631f0b1fd4b299cec5d2e86a59e55dc7b3afab6204447b21d1ef1da824abaf31a25a0d6135c4fe81d34a06816c8a6eab19141f5687108500f3719a862af8c5fee36e130c69921e11ce83dfc72c5ec3b862c1bccc5fd63ad57f432fbcca6f9e18d5a59015950cdf053 +[tv] pwhash failure (maybe intentional): [6] +e942951dfbc2d508294b10f9e97b47d0cd04e668a043cb95679cc1139df7c27cd54367688725be9d069f5704c12223e7e4ca181fbd0bed18bb4634795e545a6c04a7306933a41a794baedbb628d41bc285e0b9084055ae136f6b63624c874f5a1e1d8be7b0b7227a171d2d7ed578d88bfdcf18323198962d0dcad4126fd3f21adeb1e11d66252ea0c58c91696e91031bfdcc2a9dc0e028d17b9705ba2d7bcdcd1e3ba75b4b1fea +9fbbc02a420b00614a49a8e8d89834df368fa54dbef5dce7f9928f4d09f45ce22766598c0c979a707b1df130ab8d63802447923f6e8b89b3c183d71d694161569b1937d8b58f0091fcb8b1f48f2e3f43067bb2498b727fb62cc776ed39219613aa2083619385ec64dfb38f3cda7fddce9cec708a1aa5e9b09d6a5f063cda6c644c5e4a6c1bba9362b27f050984ee3a91bbed69160c95d63c04724f +28645e1a4f5bc2a58786c87f0d88c2c68047b874b122e2c3936fb6adf26d7ca8fbcb872a8aef282ff202526a91b8ca1d0926c4ae0f5429c342bfd4987916b147ccaa1624bbb2d3f197e56601a541939a1a867ee659515d379d252c8b53aa2297b6008f97bc4a246040b0fb4f46754482884ff04bdade7ffc74989c68ec085de660ef2071db22bacc227d43af282a2336049d78fe0b8ff543628dc8 +[tv3] pwhash_str failure (maybe intentional): [0] +OK diff --git a/release/src/router/libsodium/test/default/pwhash.c b/release/src/router/libsodium/test/default/pwhash_scrypt.c similarity index 99% copy from release/src/router/libsodium/test/default/pwhash.c copy to release/src/router/libsodium/test/default/pwhash_scrypt.c index 3fa8e7f5c1..62eaf2a7cb 100644 --- a/release/src/router/libsodium/test/default/pwhash.c +++ b/release/src/router/libsodium/test/default/pwhash_scrypt.c @@ -1,5 +1,5 @@ -#define TEST_NAME "pwhash" +#define TEST_NAME "pwhash_scrypt" #include "cmptest.h" #define OUT_LEN 128 
diff --git a/release/src/router/libsodium/test/default/pwhash.exp b/release/src/router/libsodium/test/default/pwhash_scrypt.exp similarity index 100% copy from release/src/router/libsodium/test/default/pwhash.exp copy to release/src/router/libsodium/test/default/pwhash_scrypt.exp diff --git a/release/src/router/libsodium/test/default/secretbox.c b/release/src/router/libsodium/test/default/secretbox.c index 64b240e172..264086e9e7 100644 --- a/release/src/router/libsodium/test/default/secretbox.c +++ b/release/src/router/libsodium/test/default/secretbox.c @@ -12,7 +12,7 @@ static unsigned char nonce[24] 0xcd, 0x62, 0xbd, 0xa8, 0x75, 0xfc, 0x73, 0xd6, 0x82, 0x19, 0xe0, 0x03, 0x6b, 0x7a, 0x0b, 0x37 }; -// API requires first 32 bytes to be 0 +/* API requires first 32 bytes to be 0 */ static unsigned char m[163] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, diff --git a/release/src/router/libsodium/test/default/secretbox2.c b/release/src/router/libsodium/test/default/secretbox2.c index 70fc9a09d7..d3915f28f8 100644 --- a/release/src/router/libsodium/test/default/secretbox2.c +++ b/release/src/router/libsodium/test/default/secretbox2.c @@ -12,7 +12,7 @@ static unsigned char nonce[24] 0xcd, 0x62, 0xbd, 0xa8, 0x75, 0xfc, 0x73, 0xd6, 0x82, 0x19, 0xe0, 0x03, 0x6b, 0x7a, 0x0b, 0x37 }; -// API requires first 16 bytes to be 0 +/* API requires first 16 bytes to be 0 */ static unsigned char c[163] = { 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0xf3, 0xff, 0xc7, 0x70, 0x3f, 0x94, 0x00, 0xe5, diff --git a/release/src/router/libsodium/test/default/sign.c b/release/src/router/libsodium/test/default/sign.c index a8d6fe8e07..eea0c99eab 100644 --- a/release/src/router/libsodium/test/default/sign.c +++ b/release/src/router/libsodium/test/default/sign.c 
@@ -1101,10 +1101,17 @@ int main(void) continue; } add_l(sm + 32); +#ifndef ED25519_COMPAT + if (crypto_sign_open(m, &mlen, sm, smlen, test_data[i].pk) != -1) { + printf("crypto_sign_open(): signature [%u] is malleable\n", i); + continue; + } +#else if (crypto_sign_open(m, &mlen, sm, smlen, test_data[i].pk) != 0) { printf("crypto_sign_open(): signature [%u] is not malleable\n", i); continue; } +#endif if (memcmp(test_data[i].m, m, (size_t)mlen) != 0) { printf("message verification failure: [%u]\n", i); continue; @@ -1174,6 +1181,14 @@ int main(void) printf("detached signature verification should have failed\n"); } + memset(sig, 0xff, 32); + sig[0] = 0xdb; + if (crypto_sign_verify_detached(sig, + (const unsigned char *)test_data[i].m, + i, pk) != -1) { + printf("detached signature verification should have failed\n"); + } + if (crypto_sign_keypair(pk, sk) != 0) { printf("crypto_sign_keypair() failure\n"); } diff --git a/release/src/router/libsodium/test/default/sodium_utils2.c b/release/src/router/libsodium/test/default/sodium_utils2.c index 7bf1b30fe6..d6dc800509 100644 --- a/release/src/router/libsodium/test/default/sodium_utils2.c +++ b/release/src/router/libsodium/test/default/sodium_utils2.c @@ -12,8 +12,10 @@ # warning The sodium_utils2 test is expected to fail with address sanitizer #endif -static void segv_handler(int sig) +__attribute__ ((noreturn)) static void segv_handler(int sig) { + (void) sig; + printf("Intentional segfault / bus error caught\n"); printf("OK\n"); #ifdef SIGSEGV @@ -37,6 +39,9 @@ int main(void) if (sodium_malloc(SIZE_MAX - 1U) != NULL) { return 1; } + if (sodium_malloc(0U) == NULL) { + return 1; + } if (sodium_allocarray(SIZE_MAX / 2U + 1U, SIZE_MAX / 2U) != NULL) { return 1; } 
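Review bot: The sign.c hunk makes the malleability check build-dependent: with ED25519_COMPAT defined, a signature whose S has had l added (`add_l(sm + 32)`) must still verify, i.e. that configuration deliberately accepts non-canonical signatures and the test only confirms it. For firmware that relies on signature bytes being unique (anything that dedups or indexes by signature), the router build must not define ED25519_COMPAT; that define lives in the build files rather than this hunk, so please confirm it is off. A comment above the `#ifndef` stating the consequence would help, e.g. `/* ED25519_COMPAT: S >= l is accepted for wire compatibility, so signatures are malleable */`. In the second hunk, the `memset(sig, 0xff, 32); sig[0] = 0xdb;` constant overwrites only the R half of a detached signature and presumably forms an encoding the verifier must reject, but the property being exercised is not stated; name it in a comment so a later change to the blacklist or point decoder can be checked against it.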
@@ -51,7 +56,7 @@ int main(void) sodium_free(sodium_malloc(0U)); sodium_free(NULL); for (i = 0U; i < 10000U; i++) { - size = randombytes_uniform(100000U); + size = 1U + randombytes_uniform(100000U); buf = sodium_malloc(size); assert(buf != NULL); memset(buf, i, size); @@ -69,7 +74,7 @@ int main(void) #ifdef SIGABRT signal(SIGABRT, segv_handler); #endif - size = randombytes_uniform(100000U); + size = 1U + randombytes_uniform(100000U); buf = sodium_malloc(size); assert(buf != NULL); sodium_mprotect_readonly(buf); diff --git a/release/src/router/libsodium/test/default/sodium_utils3.c b/release/src/router/libsodium/test/default/sodium_utils3.c index bf261e6be3..603cf757d3 100644 --- a/release/src/router/libsodium/test/default/sodium_utils3.c +++ b/release/src/router/libsodium/test/default/sodium_utils3.c @@ -12,8 +12,10 @@ # warning The sodium_utils3 test is expected to fail with address sanitizer #endif -static void segv_handler(int sig) +__attribute__ ((noreturn)) static void segv_handler(int sig) { + (void) sig; + printf("Intentional segfault / bus error caught\n"); printf("OK\n"); #ifdef SIGSEGV @@ -42,7 +44,7 @@ int main(void) #ifdef SIGABRT signal(SIGABRT, segv_handler); #endif - size = randombytes_uniform(100000U); + size = 1U + randombytes_uniform(100000U); buf = sodium_malloc(size); assert(buf != NULL); sodium_mprotect_noaccess(buf); diff --git a/release/src/router/libsodium/test/default/verify1.c b/release/src/router/libsodium/test/default/verify1.c index 5cba6d6a4c..1c20cb1304 100644 --- a/release/src/router/libsodium/test/default/verify1.c +++ b/release/src/router/libsodium/test/default/verify1.c @@ -2,10 +2,6 @@ #define TEST_NAME "verify1" #include "cmptest.h" -static unsigned char v16[16], v16x[16]; -static unsigned char v32[32], v32x[32]; -static unsigned char v64[64], v64x[64]; - int main(void) { unsigned char *v16, *v16x; 
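Review bot: `__attribute__ ((noreturn))` on sodium_utils3's segv_handler is a promise the optimizer acts on: if any path falls off the end — the hunk shows the `#ifdef SIGSEGV` ladder begin but not what terminates it — the behaviour after the return is undefined rather than a mere test failure, and the attribute is GNU-only, so guard it with `#if defined(__GNUC__) || defined(__clang__)` or a `NORETURN` macro the build already defines, if any. The handler also calls printf() twice from signal context; the fault is raised deliberately by the test's own memset on protected memory, so this works in practice, but `write(2, "OK\n", 3)` followed by `_exit(0)` is the form that is guaranteed async-signal-safe. The handler's tail is outside the hunk.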
diff --git a/release/src/router/libsodium/test/quirks/quirks.h b/release/src/router/libsodium/test/quirks/quirks.h index 00caf7c927..9f61acdff9 100644 --- a/release/src/router/libsodium/test/quirks/quirks.h +++ b/release/src/router/libsodium/test/quirks/quirks.h @@ -1,6 +1,9 @@ #include +/* C++Builder defines a "random" macro */ +#undef random + #ifdef __EMSCRIPTEN__ # define strcmp(s1, s2) xstrcmp(s1, s2) -- 2.11.4.GIT