StarMirror/toxcore
1
0
Fork 0
mirror of https://github.com/irungentoo/toxcore.git synced 2024-03-22 13:30:51 +08:00
Code Issues Projects Releases Wiki Activity

compiling against nacl seems to break VANILLA_NACL...

Browse Source
This commit is contained in:
Dubslow 2014-09-09 12:23:09 -05:00
parent 46e03c4c2b
commit 7eb7e68805
23 changed files with 2309 additions and 145 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
build/Makefile.am
View File

@ -6,6 +6,7 @@ EXTRA_DIST=
include ../toxcore/Makefile.inc
include ../toxdns/Makefile.inc
include ../toxencryptsave/Makefile.inc
include ../toxav/Makefile.inc
include ../other/Makefile.inc
include ../testing/Makefile.inc

2
libtoxcore.pc.in
View File

@ -7,5 +7,5 @@ Name: libtoxcore
Description: Tox protocol library
Requires:
Version: @PACKAGE_VERSION@
Libs: @NACL_OBJECTS_PKGCONFIG@ -L${libdir} @NACL_LDFLAGS@ -ltoxdns -ltoxcore @NACL_LIBS@ @LIBS@ @MATH_LDFLAGS@
Libs: @NACL_OBJECTS_PKGCONFIG@ -L${libdir} @NACL_LDFLAGS@ -ltoxdns -ltoxencryptsave -ltoxcore @NACL_LIBS@ @LIBS@ @MATH_LDFLAGS@
Cflags: -I${includedir}

116
toxcore/tox.c
View File

@ -928,119 +928,3 @@ int tox_load(Tox *tox, const uint8_t *data, uint32_t length)
Messenger *m = tox;
return messenger_load(m, data, length);
}
#ifndef VANILLA_NACL
/* Only sodium has the necessary functions for this
* Clients should consider alerting their users that, unlike plain data, if even one bit
* becomes corrupted, the data will be entirely unrecoverable.
* Ditto if they forget their password, there is no way to recover the data.
*/
/* return size of the messenger data (for encrypted saving). */
uint32_t tox_encrypted_size(const Tox *tox)
{
return tox_size(tox) + crypto_box_MACBYTES + crypto_box_NONCEBYTES
+ crypto_pwhash_scryptsalsa208sha256_SALTBYTES;
}
/* Save the messenger data encrypted with the given password.
* data must be at least tox_encrypted_size().
*
* returns 0 on success
* returns -1 on failure
*/
int tox_encrypted_save(const Tox *tox, uint8_t *data, uint8_t *passphrase, uint32_t pplength)
{
if (pplength == 0)
return -1;
/* First derive a key from the password */
/* http://doc.libsodium.org/key_derivation/README.html */
/* note that, according to the documentation, a generic pwhash interface will be created
* once the pwhash competition (https://password-hashing.net/) is over */
uint8_t salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES];
uint8_t key[crypto_box_KEYBYTES];
randombytes_buf(salt, sizeof salt);
if (crypto_pwhash_scryptsalsa208sha256(
key, sizeof(key), passphrase, pplength, salt,
crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE * 2, /* slightly stronger */
crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE) != 0)
{ /* out of memory most likely */
return -1;
}
sodium_memzero(passphrase, pplength); /* wipe plaintext pw */
/* next get plain save data */
uint32_t temp_size = tox_size(tox);
uint8_t temp_data[temp_size];
tox_save(tox, temp_data);
/* now encrypt.
* the output data consists of, in order:
* salt, nonce, mac, enc_data
* where the mac is automatically prepended by the encrypt()
* the salt+nonce is called the prefix
* I'm not sure what else I'm supposed to do with the salt and nonce, since we
* need them to decrypt the data
*/
uint32_t prefix_size = crypto_box_NONCEBYTES+crypto_pwhash_scryptsalsa208sha256_SALTBYTES;
uint8_t nonce[crypto_box_NONCEBYTES];
random_nonce(nonce);
if (encrypt_data_symmetric(key, nonce, temp_data, temp_size, data + prefix_size)
!= temp_size + crypto_box_MACBYTES)
{
return -1;
}
/* add the prefix */
memcpy(data, salt, crypto_pwhash_scryptsalsa208sha256_SALTBYTES);
memcpy(data + crypto_pwhash_scryptsalsa208sha256_SALTBYTES, nonce, crypto_box_NONCEBYTES);
return 0;
}
/* Load the messenger from encrypted data of size length.
*
* returns 0 on success
* returns -1 on failure
*/
int tox_encrypted_load(Tox *tox, const uint8_t *data, uint32_t length, uint8_t *passphrase, uint32_t pplength)
{
if (length <= crypto_box_MACBYTES + crypto_box_NONCEBYTES + crypto_pwhash_scryptsalsa208sha256_SALTBYTES)
return -1;
uint32_t decrypt_length = length - crypto_box_MACBYTES - crypto_box_NONCEBYTES
- crypto_pwhash_scryptsalsa208sha256_SALTBYTES;
uint8_t salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES];
uint8_t nonce[crypto_box_NONCEBYTES];
memcpy(salt, data, crypto_pwhash_scryptsalsa208sha256_SALTBYTES);
memcpy(nonce, data + crypto_pwhash_scryptsalsa208sha256_SALTBYTES, crypto_box_NONCEBYTES);
/* derive the key */
uint8_t key[crypto_box_KEYBYTES];
if (crypto_pwhash_scryptsalsa208sha256(
key, sizeof(key), passphrase, pplength, salt,
crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE * 2, /* slightly stronger */
crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE) != 0)
{ /* out of memory most likely */
return -1;
}
sodium_memzero(passphrase, pplength); /* wipe plaintext pw */
/* decrypt the data */
uint8_t temp_data[decrypt_length];
if (decrypt_data_symmetric(key, nonce, data+crypto_pwhash_scryptsalsa208sha256_SALTBYTES+crypto_box_NONCEBYTES,
decrypt_length + crypto_box_MACBYTES, temp_data)
!= decrypt_length)
{
return -1;
}
return tox_load(tox, temp_data, decrypt_length);
}
#endif /* #ifndef VANILLA_NACL */

28
toxcore/tox.h
View File

@ -723,34 +723,6 @@ void tox_save(const Tox *tox, uint8_t *data);
*/
int tox_load(Tox *tox, const uint8_t *data, uint32_t length);
#ifndef VANILLA_NACL
/* Only sodium has the necessary functions for this
* Clients should consider alerting their users that, unlike plain data, if even one bit
* becomes corrupted, the data will be entirely unrecoverable.
* Ditto if they forget their password, there is no way to recover the data.
*/
/* return size of the messenger data (for encrypted saving). */
uint32_t tox_encrypted_size(const Tox *tox);
/* Save the messenger data encrypted with the given password.
* data must be at least tox_encrypted_size().
*
* returns 0 on success
* returns -1 on failure
*/
int tox_encrypted_save(const Tox *tox, uint8_t *data, uint8_t *passphrase, uint32_t pplength);
/* Load the messenger from encrypted data of size length.
*
* returns 0 on success
* returns -1 on failure
*/
int tox_encrypted_load(Tox *tox, const uint8_t *data, uint32_t length, uint8_t *passphrase, uint32_t pplength);
#endif /* #ifndef VANILLA_NACL */
#ifdef __cplusplus
}
#endif

45
toxencryptsave/Makefile.inc Normal file
View File

@ -0,0 +1,45 @@
lib_LTLIBRARIES += libtoxencryptsave.la
libtoxencryptsave_la_include_HEADERS = \
../toxencryptsave/toxencryptsave.h
libtoxencryptsave_la_includedir = $(includedir)/tox
libtoxencryptsave_la_SOURCES = ../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_pwhash_scryptsalsa208sha256.h \
../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt.h \
../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.c \
../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c \
../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.h \
../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.c \
../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt-common.c \
../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/export.h \
../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.h \
../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.c \
../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/scrypt_platform.c \
../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sysendian.h \
../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.h \
../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c \
../toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c \
../toxencryptsave/toxencryptsave.h \
../toxencryptsave/toxencryptsave.c
libtoxencryptsave_la_CFLAGS = -I$(top_srcdir) \
-I$(top_srcdir)/toxcore \
$(LIBSODIUM_CFLAGS) \
$(NACL_CFLAGS) \
$(PTHREAD_CFLAGS)
libtoxencryptsave_la_LDFLAGS = $(TOXCORE_LT_LDFLAGS) \
$(EXTRA_LT_LDFLAGS) \
$(LIBSODIUM_LDFLAGS) \
$(NACL_LDFLAGS) \
$(MATH_LDFLAGS) \
$(RT_LIBS) \
$(WINSOCK2_LIBS)
libtoxencryptsave_la_LIBADD = $(LIBSODIUM_LIBS) \
$(NACL_OBJECTS) \
$(NAC_LIBS) \
$(PTHREAD_LIBS) \
libtoxcore.la

89
toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_pwhash_scryptsalsa208sha256.h Normal file
View File

@ -0,0 +1,89 @@
#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
#ifndef crypto_pwhash_scryptsalsa208sha256_H
#define crypto_pwhash_scryptsalsa208sha256_H
#include <stddef.h>
#include <stdint.h>
#include "export.h"
#ifdef __cplusplus
# if __GNUC__
# pragma GCC diagnostic ignored "-Wlong-long"
# endif
extern "C" {
#endif
#define crypto_pwhash_scryptsalsa208sha256_SALTBYTES 32U
SODIUM_EXPORT
size_t crypto_pwhash_scryptsalsa208sha256_saltbytes(void);
#define crypto_pwhash_scryptsalsa208sha256_STRBYTES 102U
SODIUM_EXPORT
size_t crypto_pwhash_scryptsalsa208sha256_strbytes(void);
#define crypto_pwhash_scryptsalsa208sha256_STRPREFIX "$7$"
SODIUM_EXPORT
const char *crypto_pwhash_scryptsalsa208sha256_strprefix(void);
#define crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE 524288ULL
SODIUM_EXPORT
size_t crypto_pwhash_scryptsalsa208sha256_opslimit_interactive(void);
#define crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE 16777216ULL
SODIUM_EXPORT
size_t crypto_pwhash_scryptsalsa208sha256_memlimit_interactive(void);
#define crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_SENSITIVE 33554432ULL
SODIUM_EXPORT
size_t crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive(void);
#define crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_SENSITIVE 1073741824ULL
SODIUM_EXPORT
size_t crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive(void);
SODIUM_EXPORT
int crypto_pwhash_scryptsalsa208sha256(unsigned char * const out,
unsigned long long outlen,
const char * const passwd,
unsigned long long passwdlen,
const unsigned char * const salt,
unsigned long long opslimit,
size_t memlimit);
SODIUM_EXPORT
int crypto_pwhash_scryptsalsa208sha256_str(char out[crypto_pwhash_scryptsalsa208sha256_STRBYTES],
const char * const passwd,
unsigned long long passwdlen,
unsigned long long opslimit,
size_t memlimit);
SODIUM_EXPORT
int crypto_pwhash_scryptsalsa208sha256_str_verify(const char str[crypto_pwhash_scryptsalsa208sha256_STRBYTES],
const char * const passwd,
unsigned long long passwdlen);
SODIUM_EXPORT
int crypto_pwhash_scryptsalsa208sha256_ll(const uint8_t * passwd, size_t passwdlen,
const uint8_t * salt, size_t saltlen,
uint64_t N, uint32_t r, uint32_t p,
uint8_t * buf, size_t buflen);
#ifdef __cplusplus
}
#endif
/* Backward compatibility with version 0.5.0 */
#define crypto_pwhash_scryptxsalsa208sha256_SALTBYTES crypto_pwhash_scryptsalsa208sha256_SALTBYTES
#define crypto_pwhash_scryptxsalsa208sha256_saltbytes crypto_pwhash_scryptsalsa208sha256_saltbytes
#define crypto_pwhash_scryptxsalsa208sha256_STRBYTES crypto_pwhash_scryptsalsa208sha256_STRBYTES
#define crypto_pwhash_scryptxsalsa208sha256_strbytes crypto_pwhash_scryptsalsa208sha256_strbytes
#define crypto_pwhash_scryptxsalsa208sha256 crypto_pwhash_scryptsalsa208sha256
#define crypto_pwhash_scryptxsalsa208sha256_str crypto_pwhash_scryptsalsa208sha256_str
#define crypto_pwhash_scryptxsalsa208sha256_str_verify crypto_pwhash_scryptsalsa208sha256_str_verify
#endif
#endif

254
toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt-common.c Normal file
View File

@ -0,0 +1,254 @@
#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
/*-
* Copyright 2013 Alexander Peslyak
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <stdint.h>
#include <string.h>
#include "crypto_pwhash_scryptsalsa208sha256.h"
#include "crypto_scrypt.h"
#include "runtime.h"
#include "utils.h"
static const char * const itoa64 =
"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";
static uint8_t *
encode64_uint32(uint8_t * dst, size_t dstlen, uint32_t src, uint32_t srcbits)
{
uint32_t bit;
for (bit = 0; bit < srcbits; bit += 6) {
if (dstlen < 1) {
return NULL;
}
*dst++ = itoa64[src & 0x3f];
dstlen--;
src >>= 6;
}
return dst;
}
static uint8_t *
encode64(uint8_t * dst, size_t dstlen, const uint8_t * src, size_t srclen)
{
size_t i;
for (i = 0; i < srclen; ) {
uint8_t * dnext;
uint32_t value = 0, bits = 0;
do {
value |= (uint32_t)src[i++] << bits;
bits += 8;
} while (bits < 24 && i < srclen);
dnext = encode64_uint32(dst, dstlen, value, bits);
if (!dnext) {
return NULL;
}
dstlen -= dnext - dst;
dst = dnext;
}
return dst;
}
static int
decode64_one(uint32_t * dst, uint8_t src)
{
const char *ptr = strchr(itoa64, src);
if (ptr) {
*dst = ptr - itoa64;
return 0;
}
*dst = 0;
return -1;
}
static const uint8_t *
decode64_uint32(uint32_t * dst, uint32_t dstbits, const uint8_t * src)
{
uint32_t bit;
uint32_t value;
value = 0;
for (bit = 0; bit < dstbits; bit += 6) {
uint32_t one;
if (decode64_one(&one, *src)) {
*dst = 0;
return NULL;
}
src++;
value |= one << bit;
}
*dst = value;
return src;
}
uint8_t *
escrypt_r(escrypt_local_t * local, const uint8_t * passwd, size_t passwdlen,
const uint8_t * setting, uint8_t * buf, size_t buflen)
{
uint8_t hash[crypto_pwhash_scryptsalsa208sha256_STRHASHBYTES];
escrypt_kdf_t escrypt_kdf;
const uint8_t *src;
const uint8_t *salt;
uint8_t *dst;
size_t prefixlen;
size_t saltlen;
size_t need;
uint64_t N;
uint32_t N_log2;
uint32_t r;
uint32_t p;
if (setting[0] != '$' || setting[1] != '7' || setting[2] != '$') {
return NULL;
}
src = setting + 3;
if (decode64_one(&N_log2, *src)) {
return NULL;
}
src++;
N = (uint64_t)1 << N_log2;
src = decode64_uint32(&r, 30, src);
if (!src) {
return NULL;
}
src = decode64_uint32(&p, 30, src);
if (!src) {
return NULL;
}
prefixlen = src - setting;
salt = src;
src = (uint8_t *) strrchr((char *)salt, '$');
if (src) {
saltlen = src - salt;
} else {
saltlen = strlen((char *)salt);
}
need = prefixlen + saltlen + 1 +
crypto_pwhash_scryptsalsa208sha256_STRHASHBYTES_ENCODED + 1;
if (need > buflen || need < saltlen) {
return NULL;
}
#if defined(HAVE_EMMINTRIN_H) || defined(_MSC_VER)
escrypt_kdf =
sodium_runtime_has_sse2() ? escrypt_kdf_sse : escrypt_kdf_nosse;
#else
escrypt_kdf = escrypt_kdf_nosse;
#endif
if (escrypt_kdf(local, passwd, passwdlen, salt, saltlen,
N, r, p, hash, sizeof(hash))) {
return NULL;
}
dst = buf;
memcpy(dst, setting, prefixlen + saltlen);
dst += prefixlen + saltlen;
*dst++ = '$';
dst = encode64(dst, buflen - (dst - buf), hash, sizeof(hash));
sodium_memzero(hash, sizeof hash);
if (!dst || dst >= buf + buflen) { /* Can't happen */
return NULL;
}
*dst = 0; /* NUL termination */
return buf;
}
uint8_t *
escrypt_gensalt_r(uint32_t N_log2, uint32_t r, uint32_t p,
const uint8_t * src, size_t srclen,
uint8_t * buf, size_t buflen)
{
uint8_t *dst;
size_t prefixlen =
(sizeof "$7$" - 1U) + (1U /* N_log2 */) + (5U /* r */) + (5U /* p */);
size_t saltlen = BYTES2CHARS(srclen);
size_t need;
need = prefixlen + saltlen + 1;
if (need > buflen || need < saltlen || saltlen < srclen) {
return NULL;
}
if (N_log2 > 63 || ((uint64_t)r * (uint64_t)p >= (1U << 30))) {
return NULL;
}
dst = buf;
*dst++ = '$';
*dst++ = '7';
*dst++ = '$';
*dst++ = itoa64[N_log2];
dst = encode64_uint32(dst, buflen - (dst - buf), r, 30);
if (!dst) { /* Can't happen */
return NULL;
}
dst = encode64_uint32(dst, buflen - (dst - buf), p, 30);
if (!dst) { /* Can't happen */
return NULL;
}
dst = encode64(dst, buflen - (dst - buf), src, srclen);
if (!dst || dst >= buf + buflen) { /* Can't happen */
return NULL;
}
*dst = 0; /* NUL termination */
return buf;
}
int
crypto_pwhash_scryptsalsa208sha256_ll(const uint8_t * passwd, size_t passwdlen,
const uint8_t * salt, size_t saltlen,
uint64_t N, uint32_t r, uint32_t p,
uint8_t * buf, size_t buflen)
{
escrypt_kdf_t escrypt_kdf;
escrypt_local_t local;
int retval;
if (escrypt_init_local(&local)) {
return -1;
}
#if defined(HAVE_EMMINTRIN_H) || defined(_MSC_VER)
escrypt_kdf =
sodium_runtime_has_sse2() ? escrypt_kdf_sse : escrypt_kdf_nosse;
#else
escrypt_kdf = escrypt_kdf_nosse;
#endif
retval = escrypt_kdf(&local,
passwd, passwdlen, salt, saltlen,
N, r, p, buf, buflen);
if (escrypt_free_local(&local)) {
return -1;
}
return retval;
}
#endif

90
toxencryptsave/crypto_pwhash_scryptsalsa208sha256/crypto_scrypt.h Normal file
View File

@ -0,0 +1,90 @@
#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
/*-
* Copyright 2009 Colin Percival
* Copyright 2013 Alexander Peslyak
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* This file was originally written by Colin Percival as part of the Tarsnap
* online backup system.
*/
#ifndef _CRYPTO_SCRYPT_H_
#define _CRYPTO_SCRYPT_H_
#include <stdint.h>
#define crypto_pwhash_scryptsalsa208sha256_STRPREFIXBYTES 14
#define crypto_pwhash_scryptsalsa208sha256_STRSETTINGBYTES 57
#define crypto_pwhash_scryptsalsa208sha256_STRSALTBYTES 32
#define crypto_pwhash_scryptsalsa208sha256_STRSALTBYTES_ENCODED 43
#define crypto_pwhash_scryptsalsa208sha256_STRHASHBYTES 32
#define crypto_pwhash_scryptsalsa208sha256_STRHASHBYTES_ENCODED 43
#define BYTES2CHARS(bytes) ((((bytes) * 8) + 5) / 6)
typedef struct {
void * base, * aligned;
size_t size;
} escrypt_region_t;
typedef escrypt_region_t escrypt_local_t;
extern int escrypt_init_local(escrypt_local_t * __local);
extern int escrypt_free_local(escrypt_local_t * __local);
extern void *alloc_region(escrypt_region_t * region, size_t size);
extern int free_region(escrypt_region_t * region);
typedef int (*escrypt_kdf_t)(escrypt_local_t * __local,
const uint8_t * __passwd, size_t __passwdlen,
const uint8_t * __salt, size_t __saltlen,
uint64_t __N, uint32_t __r, uint32_t __p,
uint8_t * __buf, size_t __buflen);
extern int escrypt_kdf_nosse(escrypt_local_t * __local,
const uint8_t * __passwd, size_t __passwdlen,
const uint8_t * __salt, size_t __saltlen,
uint64_t __N, uint32_t __r, uint32_t __p,
uint8_t * __buf, size_t __buflen);
extern int escrypt_kdf_sse(escrypt_local_t * __local,
const uint8_t * __passwd, size_t __passwdlen,
const uint8_t * __salt, size_t __saltlen,
uint64_t __N, uint32_t __r, uint32_t __p,
uint8_t * __buf, size_t __buflen);
extern uint8_t * escrypt_r(escrypt_local_t * __local,
const uint8_t * __passwd, size_t __passwdlen,
const uint8_t * __setting,
uint8_t * __buf, size_t __buflen);
extern uint8_t * escrypt_gensalt_r(
uint32_t __N_log2, uint32_t __r, uint32_t __p,
const uint8_t * __src, size_t __srclen,
uint8_t * __buf, size_t __buflen);
#endif /* !_CRYPTO_SCRYPT_H_ */
#endif

35
toxencryptsave/crypto_pwhash_scryptsalsa208sha256/export.h Normal file
View File

@ -0,0 +1,35 @@
#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
#ifndef __SODIUM_EXPORT_H__
#define __SODIUM_EXPORT_H__
#ifndef __GNUC__
# ifdef __attribute__
# undef __attribute__
# endif
# define __attribute__(a)
#endif
#ifdef SODIUM_STATIC
# define SODIUM_EXPORT
#else
# if defined(_MSC_VER)
# ifdef DLL_EXPORT
# define SODIUM_EXPORT __declspec(dllexport)
# else
# define SODIUM_EXPORT __declspec(dllimport)
# endif
# else
# if defined(__SUNPRO_C)
# define SODIUM_EXPORT __attribute__ __global
# elif defined(_MSG_VER)
# define SODIUM_EXPORT extern __declspec(dllexport)
# else
# define SODIUM_EXPORT __attribute__ ((visibility ("default")))
# endif
# endif
#endif
#endif
#endif

306
toxencryptsave/crypto_pwhash_scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c Normal file
View File

@ -0,0 +1,306 @@
#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
/*-
* Copyright 2009 Colin Percival
* Copyright 2013 Alexander Peslyak
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* This file was originally written by Colin Percival as part of the Tarsnap
* online backup system.
*/
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "../pbkdf2-sha256.h"
#include "../sysendian.h"
#include "../crypto_scrypt.h"
static inline void
blkcpy(void * dest, const void * src, size_t len)
{
size_t * D = (size_t *) dest;
const size_t * S = (const size_t *) src;
size_t L = len / sizeof(size_t);
size_t i;
for (i = 0; i < L; i++)
D[i] = S[i];
}
static inline void
blkxor(void * dest, const void * src, size_t len)
{
size_t * D = (size_t *) dest;
const size_t * S = (const size_t *) src;
size_t L = len / sizeof(size_t);
size_t i;
for (i = 0; i < L; i++)
D[i] ^= S[i];
}
/**
* salsa20_8(B):
* Apply the salsa20/8 core to the provided block.
*/
static void
salsa20_8(uint32_t B[16])
{
uint32_t x[16];
size_t i;
blkcpy(x, B, 64);
for (i = 0; i < 8; i += 2) {
#define R(a,b) (((a) << (b)) | ((a) >> (32 - (b))))
/* Operate on columns. */
x[ 4] ^= R(x[ 0]+x[12], 7); x[ 8] ^= R(x[ 4]+x[ 0], 9);
x[12] ^= R(x[ 8]+x[ 4],13); x[ 0] ^= R(x[12]+x[ 8],18);
x[ 9] ^= R(x[ 5]+x[ 1], 7); x[13] ^= R(x[ 9]+x[ 5], 9);
x[ 1] ^= R(x[13]+x[ 9],13); x[ 5] ^= R(x[ 1]+x[13],18);
x[14] ^= R(x[10]+x[ 6], 7); x[ 2] ^= R(x[14]+x[10], 9);
x[ 6] ^= R(x[ 2]+x[14],13); x[10] ^= R(x[ 6]+x[ 2],18);
x[ 3] ^= R(x[15]+x[11], 7); x[ 7] ^= R(x[ 3]+x[15], 9);
x[11] ^= R(x[ 7]+x[ 3],13); x[15] ^= R(x[11]+x[ 7],18);
/* Operate on rows. */
x[ 1] ^= R(x[ 0]+x[ 3], 7); x[ 2] ^= R(x[ 1]+x[ 0], 9);
x[ 3] ^= R(x[ 2]+x[ 1],13); x[ 0] ^= R(x[ 3]+x[ 2],18);
x[ 6] ^= R(x[ 5]+x[ 4], 7); x[ 7] ^= R(x[ 6]+x[ 5], 9);
x[ 4] ^= R(x[ 7]+x[ 6],13); x[ 5] ^= R(x[ 4]+x[ 7],18);
x[11] ^= R(x[10]+x[ 9], 7); x[ 8] ^= R(x[11]+x[10], 9);
x[ 9] ^= R(x[ 8]+x[11],13); x[10] ^= R(x[ 9]+x[ 8],18);
x[12] ^= R(x[15]+x[14], 7); x[13] ^= R(x[12]+x[15], 9);
x[14] ^= R(x[13]+x[12],13); x[15] ^= R(x[14]+x[13],18);
#undef R
}
for (i = 0; i < 16; i++)
B[i] += x[i];
}
/**
* blockmix_salsa8(Bin, Bout, X, r):
* Compute Bout = BlockMix_{salsa20/8, r}(Bin). The input Bin must be 128r
* bytes in length; the output Bout must also be the same size. The
* temporary space X must be 64 bytes.
*/
static void
blockmix_salsa8(const uint32_t * Bin, uint32_t * Bout, uint32_t * X, size_t r)
{
size_t i;
/* 1: X <-- B_{2r - 1} */
blkcpy(X, &Bin[(2 * r - 1) * 16], 64);
/* 2: for i = 0 to 2r - 1 do */
for (i = 0; i < 2 * r; i += 2) {
/* 3: X <-- H(X \xor B_i) */
blkxor(X, &Bin[i * 16], 64);
salsa20_8(X);
/* 4: Y_i <-- X */
/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
blkcpy(&Bout[i * 8], X, 64);
/* 3: X <-- H(X \xor B_i) */
blkxor(X, &Bin[i * 16 + 16], 64);
salsa20_8(X);
/* 4: Y_i <-- X */
/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
blkcpy(&Bout[i * 8 + r * 16], X, 64);
}
}
/**
* integerify(B, r):
* Return the result of parsing B_{2r-1} as a little-endian integer.
*/
static inline uint64_t
integerify(const void * B, size_t r)
{
const uint32_t * X = (const uint32_t *)((uintptr_t)(B) + (2 * r - 1) * 64);
return (((uint64_t)(X[1]) << 32) + X[0]);
}
/**
* smix(B, r, N, V, XY):
* Compute B = SMix_r(B, N). The input B must be 128r bytes in length;
* the temporary storage V must be 128rN bytes in length; the temporary
* storage XY must be 256r + 64 bytes in length. The value N must be a
* power of 2 greater than 1. The arrays B, V, and XY must be aligned to a
* multiple of 64 bytes.
*/
static void
smix(uint8_t * B, size_t r, uint64_t N, uint32_t * V, uint32_t * XY)
{
uint32_t * X = XY;
uint32_t * Y = &XY[32 * r];
uint32_t * Z = &XY[64 * r];
uint64_t i;
uint64_t j;
size_t k;
/* 1: X <-- B */
for (k = 0; k < 32 * r; k++)
X[k] = le32dec(&B[4 * k]);
/* 2: for i = 0 to N - 1 do */
for (i = 0; i < N; i += 2) {
/* 3: V_i <-- X */
blkcpy(&V[i * (32 * r)], X, 128 * r);
/* 4: X <-- H(X) */
blockmix_salsa8(X, Y, Z, r);
/* 3: V_i <-- X */
blkcpy(&V[(i + 1) * (32 * r)], Y, 128 * r);
/* 4: X <-- H(X) */
blockmix_salsa8(Y, X, Z, r);
}
/* 6: for i = 0 to N - 1 do */
for (i = 0; i < N; i += 2) {
/* 7: j <-- Integerify(X) mod N */
j = integerify(X, r) & (N - 1);
/* 8: X <-- H(X \xor V_j) */
blkxor(X, &V[j * (32 * r)], 128 * r);
blockmix_salsa8(X, Y, Z, r);
/* 7: j <-- Integerify(X) mod N */
j = integerify(Y, r) & (N - 1);
/* 8: X <-- H(X \xor V_j) */
blkxor(Y, &V[j * (32 * r)], 128 * r);
blockmix_salsa8(Y, X, Z, r);
}
/* 10: B' <-- X */
for (k = 0; k < 32 * r; k++)
le32enc(&B[4 * k], X[k]);
}
/**
* escrypt_kdf(local, passwd, passwdlen, salt, saltlen,
* N, r, p, buf, buflen):
* Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
* p, buflen) and write the result into buf. The parameters r, p, and buflen
* must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32. The parameter N
* must be a power of 2 greater than 1.
*
* Return 0 on success; or -1 on error.
*/
int
escrypt_kdf_nosse(escrypt_local_t * local,
const uint8_t * passwd, size_t passwdlen,
const uint8_t * salt, size_t saltlen,
uint64_t N, uint32_t _r, uint32_t _p,
uint8_t * buf, size_t buflen)
{
size_t B_size, V_size, XY_size, need;
uint8_t * B;
uint32_t * V, * XY;
size_t r = _r, p = _p;
uint32_t i;
/* Sanity-check parameters. */
#if SIZE_MAX > UINT32_MAX
if (buflen > (((uint64_t)(1) << 32) - 1) * 32) {
errno = EFBIG;
return -1;
}
#endif
if ((uint64_t)(r) * (uint64_t)(p) >= (1 << 30)) {
errno = EFBIG;
return -1;
}
if (((N & (N - 1)) != 0) || (N < 2)) {
errno = EINVAL;
return -1;
}
if (r == 0 || p == 0) {
errno = EINVAL;
return -1;
}
if ((r > SIZE_MAX / 128 / p) ||
#if SIZE_MAX / 256 <= UINT32_MAX
(r > SIZE_MAX / 256) ||
#endif
(N > SIZE_MAX / 128 / r)) {
errno = ENOMEM;
return -1;
}
/* Allocate memory. */
B_size = (size_t)128 * r * p;
V_size = (size_t)128 * r * N;
need = B_size + V_size;
if (need < V_size) {
errno = ENOMEM;
return -1;
}
XY_size = (size_t)256 * r + 64;
need += XY_size;
if (need < XY_size) {
errno = ENOMEM;
return -1;
}
if (local->size < need) {
if (free_region(local))
return -1;
if (!alloc_region(local, need))
return -1;
}
B = (uint8_t *)local->aligned;
V = (uint32_t *)((uint8_t *)B + B_size);
XY = (uint32_t *)((uint8_t *)V + V_size);
/* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */
PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size);
/* 2: for i = 0 to p - 1 do */
for (i = 0; i < p; i++) {
/* 3: B_i <-- MF(B_i, N) */
smix(&B[(size_t)128 * i * r], r, N, V, XY);
}
/* 5: DK <-- PBKDF2(P, B, 1, dkLen) */
PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen);
/* Success! */
return 0;
}
#endif

14
toxencryptsave/crypto_pwhash_scryptsalsa208sha256/note_to_maintainers.txt Normal file
View File

@ -0,0 +1,14 @@
This folder is only meant for use with nacl, i.e. when sodium is unavailable.
The files in this folder were mostly copied from
https://github.com/jedisct1/libsodium/tree/0.7.0/src/libsodium/crypto_pwhash/scryptsalsa208sha256,
with #ifdef VANILLA_NACL added around each of them as required for this module.
export.h, utils.h, and runtime.h were copied from
https://github.com/jedisct1/libsodium/tree/0.7.0/src/libsodium/include/sodium.
utils.h was significantly truncated.
utils.c and runtime.c were copied from
https://github.com/jedisct1/libsodium/blob/0.7.0/src/libsodium/sodium.
utils.c was also significantly truncated.

88
toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.c Normal file
View File

@ -0,0 +1,88 @@
#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
/*-
* Copyright 2005,2007,2009 Colin Percival
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#include <sys/types.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "crypto_auth_hmacsha256.h"
#include "pbkdf2-sha256.h"
#include "sysendian.h"
#include "utils.h"
/**
* PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
* Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
* write the output to buf. The value dkLen must be at most 32 * (2^32 - 1).
*/
void
PBKDF2_SHA256(const uint8_t * passwd, size_t passwdlen, const uint8_t * salt,
size_t saltlen, uint64_t c, uint8_t * buf, size_t dkLen)
{
crypto_auth_hmacsha256_state PShctx, hctx;
size_t i;
uint8_t ivec[4];
uint8_t U[32];
uint8_t T[32];
uint64_t j;
int k;
size_t clen;
crypto_auth_hmacsha256_init(&PShctx, passwd, passwdlen);
crypto_auth_hmacsha256_update(&PShctx, salt, saltlen);
for (i = 0; i * 32 < dkLen; i++) {
be32enc(ivec, (uint32_t)(i + 1));
memcpy(&hctx, &PShctx, sizeof(crypto_auth_hmacsha256_state));
crypto_auth_hmacsha256_update(&hctx, ivec, 4);
crypto_auth_hmacsha256_final(&hctx, U);
memcpy(T, U, 32);
for (j = 2; j <= c; j++) {
crypto_auth_hmacsha256_init(&hctx, passwd, passwdlen);
crypto_auth_hmacsha256_update(&hctx, U, 32);
crypto_auth_hmacsha256_final(&hctx, U);
for (k = 0; k < 32; k++) {
T[k] ^= U[k];
}
}
clen = dkLen - i * 32;
if (clen > 32) {
clen = 32;
}
memcpy(&buf[i * 32], T, clen);
}
sodium_memzero((void *) &PShctx, sizeof PShctx);
}
#endif

49
toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pbkdf2-sha256.h Normal file
View File

@ -0,0 +1,49 @@
#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
/*-
* Copyright 2005,2007,2009 Colin Percival
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
*/
#ifndef _SHA256_H_
#define _SHA256_H_
#include <sys/types.h>
#include <stdint.h>
#include "crypto_auth_hmacsha256.h"
/**
* PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
* Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
* write the output to buf. The value dkLen must be at most 32 * (2^32 - 1).
*/
void PBKDF2_SHA256(const uint8_t *, size_t, const uint8_t *, size_t,
uint64_t, uint8_t *, size_t);
#endif /* !_SHA256_H_ */
#endif

207
toxencryptsave/crypto_pwhash_scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c Normal file
View File

@ -0,0 +1,207 @@
#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
#include <errno.h>
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include "crypto_pwhash_scryptsalsa208sha256.h"
#include "crypto_scrypt.h"
#include "randombytes.h"
#include "utils.h"
#define SETTING_SIZE(saltbytes) \
(sizeof "$7$" - 1U) + \
(1U /* N_log2 */) + (5U /* r */) + (5U /* p */) + BYTES2CHARS(saltbytes)
static int
pickparams(unsigned long long opslimit, const size_t memlimit,
uint32_t * const N_log2, uint32_t * const p, uint32_t * const r)
{
unsigned long long maxN;
unsigned long long maxrp;
if (opslimit < 32768) {
opslimit = 32768;
}
*r = 8;
if (opslimit < memlimit / 32) {
*p = 1;
maxN = opslimit / (*r * 4);
for (*N_log2 = 1; *N_log2 < 63; *N_log2 += 1) {
if ((uint64_t)(1) << *N_log2 > maxN / 2) {
break;
}
}
} else {
maxN = memlimit / (*r * 128);
for (*N_log2 = 1; *N_log2 < 63; *N_log2 += 1) {
if ((uint64_t) (1) << *N_log2 > maxN / 2) {
break;
}
}
maxrp = (opslimit / 4) / ((uint64_t) (1) << *N_log2);
if (maxrp > 0x3fffffff) {
maxrp = 0x3fffffff;
}
*p = (uint32_t) (maxrp) / *r;
}
return 0;
}
size_t
crypto_pwhash_scryptsalsa208sha256_saltbytes(void)
{
return crypto_pwhash_scryptsalsa208sha256_SALTBYTES;
}
size_t
crypto_pwhash_scryptsalsa208sha256_strbytes(void)
{
return crypto_pwhash_scryptsalsa208sha256_STRBYTES;
}
const char *
crypto_pwhash_scryptsalsa208sha256_strprefix(void)
{
return crypto_pwhash_scryptsalsa208sha256_STRPREFIX;
}
size_t
crypto_pwhash_scryptsalsa208sha256_opslimit_interactive(void)
{
return crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE;
}
size_t
crypto_pwhash_scryptsalsa208sha256_memlimit_interactive(void)
{
return crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE;
}
size_t
crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive(void)
{
return crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_SENSITIVE;
}
size_t
crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive(void)
{
return crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_SENSITIVE;
}
int
crypto_pwhash_scryptsalsa208sha256(unsigned char * const out,
unsigned long long outlen,
const char * const passwd,
unsigned long long passwdlen,
const unsigned char * const salt,
unsigned long long opslimit,
size_t memlimit)
{
uint32_t N_log2;
uint32_t p;
uint32_t r;
memset(out, 0, outlen);
if (passwdlen > SIZE_MAX || outlen > SIZE_MAX) {
errno = EFBIG;
return -1;
}
if (pickparams(opslimit, memlimit, &N_log2, &p, &r) != 0) {
errno = EINVAL;
return -1;
}
return crypto_pwhash_scryptsalsa208sha256_ll((const uint8_t *) passwd,
(size_t) passwdlen,
(const uint8_t *) salt,
crypto_pwhash_scryptsalsa208sha256_SALTBYTES,
(uint64_t) (1) << N_log2, r, p,
out, (size_t) outlen);
}
int
crypto_pwhash_scryptsalsa208sha256_str(char out[crypto_pwhash_scryptsalsa208sha256_STRBYTES],
const char * const passwd,
unsigned long long passwdlen,
unsigned long long opslimit,
size_t memlimit)
{
uint8_t salt[crypto_pwhash_scryptsalsa208sha256_STRSALTBYTES];
char setting[crypto_pwhash_scryptsalsa208sha256_STRSETTINGBYTES + 1U];
escrypt_local_t escrypt_local;
uint32_t N_log2;
uint32_t p;
uint32_t r;
memset(out, 0, crypto_pwhash_scryptsalsa208sha256_STRBYTES);
if (passwdlen > SIZE_MAX) {
errno = EFBIG;
return -1;
}
if (pickparams(opslimit, memlimit, &N_log2, &p, &r) != 0) {
errno = EINVAL;
return -1;
}
randombytes_buf(salt, sizeof salt);
if (escrypt_gensalt_r(N_log2, r, p, salt, sizeof salt,
(uint8_t *) setting, sizeof setting) == NULL) {
errno = EINVAL;
return -1;
}
if (escrypt_init_local(&escrypt_local) != 0) {
return -1;
}
if (escrypt_r(&escrypt_local, (const uint8_t *) passwd, (size_t) passwdlen,
(const uint8_t *) setting, (uint8_t *) out,
crypto_pwhash_scryptsalsa208sha256_STRBYTES) == NULL) {
escrypt_free_local(&escrypt_local);
errno = EINVAL;
return -1;
}
escrypt_free_local(&escrypt_local);
(void) sizeof
(int[SETTING_SIZE(crypto_pwhash_scryptsalsa208sha256_STRSALTBYTES)
== crypto_pwhash_scryptsalsa208sha256_STRSETTINGBYTES ? 1 : -1]);
(void) sizeof
(int[crypto_pwhash_scryptsalsa208sha256_STRSETTINGBYTES + 1U +
crypto_pwhash_scryptsalsa208sha256_STRHASHBYTES_ENCODED + 1U
== crypto_pwhash_scryptsalsa208sha256_STRBYTES ? 1 : -1]);
return 0;
}
int
crypto_pwhash_scryptsalsa208sha256_str_verify(const char str[crypto_pwhash_scryptsalsa208sha256_STRBYTES],
const char * const passwd,
unsigned long long passwdlen)
{
char wanted[crypto_pwhash_scryptsalsa208sha256_STRBYTES];
escrypt_local_t escrypt_local;
int ret = -1;
if (memchr(str, 0, crypto_pwhash_scryptsalsa208sha256_STRBYTES) !=
&str[crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1U]) {
return -1;
}
if (escrypt_init_local(&escrypt_local) != 0) {
return -1;
}
if (escrypt_r(&escrypt_local, (const uint8_t *) passwd, (size_t) passwdlen,
(const uint8_t *) str, (uint8_t *) wanted,
sizeof wanted) == NULL) {
escrypt_free_local(&escrypt_local);
return -1;
}
escrypt_free_local(&escrypt_local);
ret = sodium_memcmp(wanted, str, sizeof wanted);
sodium_memzero(wanted, sizeof wanted);
return ret;
}
#endif

137
toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.c Normal file
View File

@ -0,0 +1,137 @@
#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
#ifdef HAVE_ANDROID_GETCPUFEATURES
# include <cpu-features.h>
#endif
#include "runtime.h"
typedef struct CPUFeatures_ {
int initialized;
int has_neon;
int has_sse2;
int has_sse3;
} CPUFeatures;
static CPUFeatures _cpu_features;
#define CPUID_SSE2 0x04000000
#define CPUIDECX_SSE3 0x00000001
static int
_sodium_runtime_arm_cpu_features(CPUFeatures * const cpu_features)
{
#ifndef __arm__
cpu_features->has_neon = 0;
return -1;
#else
# ifdef __APPLE__
# ifdef __ARM_NEON__
cpu_features->has_neon = 1;
# else
cpu_features->has_neon = 0;
# endif
# elif defined(HAVE_ANDROID_GETCPUFEATURES) && defined(ANDROID_CPU_ARM_FEATURE_NEON)
cpu_features->has_neon =
(android_getCpuFeatures() & ANDROID_CPU_ARM_FEATURE_NEON) != 0x0;
# else
cpu_features->has_neon = 0;
# endif
return 0;
#endif
}
static void
_cpuid(unsigned int cpu_info[4U], const unsigned int cpu_info_type)
{
#ifdef _MSC_VER
__cpuidex((int *) cpu_info, cpu_info_type, 0);
#elif defined(HAVE_CPUID)
cpu_info[0] = cpu_info[1] = cpu_info[2] = cpu_info[3] = 0;
# ifdef __i386__
__asm__ __volatile__ ("pushfl; pushfl; "
"popl %0; "
"movl %0, %1; xorl %2, %0; "
"pushl %0; "
"popfl; pushfl; popl %0; popfl" :
"=&r" (cpu_info[0]), "=&r" (cpu_info[1]) :
"i" (0x200000));
if (((cpu_info[0] ^ cpu_info[1]) & 0x200000) == 0x0) {
return;
}
# endif
# ifdef __i386__
__asm__ __volatile__ ("xchgl %%ebx, %k1; cpuid; xchgl %%ebx, %k1" :
"=a" (cpu_info[0]), "=&r" (cpu_info[1]),
"=c" (cpu_info[2]), "=d" (cpu_info[3]) :
"0" (cpu_info_type), "2" (0U));
# elif defined(__x86_64__)
__asm__ __volatile__ ("xchgq %%rbx, %q1; cpuid; xchgq %%rbx, %q1" :
"=a" (cpu_info[0]), "=&r" (cpu_info[1]),
"=c" (cpu_info[2]), "=d" (cpu_info[3]) :
"0" (cpu_info_type), "2" (0U));
# else
__asm__ __volatile__ ("cpuid" :
"=a" (cpu_info[0]), "=b" (cpu_info[1]),
"=c" (cpu_info[2]), "=d" (cpu_info[3]) :
"0" (cpu_info_type), "2" (0U));
# endif
#else
cpu_info[0] = cpu_info[1] = cpu_info[2] = cpu_info[3] = 0;
#endif
}
static int
_sodium_runtime_intel_cpu_features(CPUFeatures * const cpu_features)
{
unsigned int cpu_info[4];
unsigned int id;
_cpuid(cpu_info, 0x0);
if ((id = cpu_info[0]) == 0U) {
return -1;
}
_cpuid(cpu_info, 0x00000001);
#ifndef HAVE_EMMINTRIN_H
cpu_features->has_sse2 = 0;
#else
cpu_features->has_sse2 = ((cpu_info[3] & CPUID_SSE2) != 0x0);
#endif
#ifndef HAVE_PMMINTRIN_H
cpu_features->has_sse3 = 0;
#else
cpu_features->has_sse3 = ((cpu_info[2] & CPUIDECX_SSE3) != 0x0);
#endif
return 0;
}
int
sodium_runtime_get_cpu_features(void)
{
int ret = -1;
ret &= _sodium_runtime_arm_cpu_features(&_cpu_features);
ret &= _sodium_runtime_intel_cpu_features(&_cpu_features);
_cpu_features.initialized = 1;
return ret;
}
int
sodium_runtime_has_neon(void) {
return _cpu_features.has_neon;
}
int
sodium_runtime_has_sse2(void) {
return _cpu_features.has_sse2;
}
int
sodium_runtime_has_sse3(void) {
return _cpu_features.has_sse3;
}
#endif

30
toxencryptsave/crypto_pwhash_scryptsalsa208sha256/runtime.h Normal file
View File

@ -0,0 +1,30 @@
#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
#ifndef __SODIUM_RUNTIME_H__
#define __SODIUM_RUNTIME_H__ 1
#include "export.h"
#ifdef __cplusplus
extern "C" {
#endif
SODIUM_EXPORT
int sodium_runtime_get_cpu_features(void);
SODIUM_EXPORT
int sodium_runtime_has_neon(void);
SODIUM_EXPORT
int sodium_runtime_has_sse2(void);
SODIUM_EXPORT
int sodium_runtime_has_sse3(void);
#ifdef __cplusplus
}
#endif
#endif
#endif

104
toxencryptsave/crypto_pwhash_scryptsalsa208sha256/scrypt_platform.c Normal file
View File

@ -0,0 +1,104 @@
#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
/*-
* Copyright 2013 Alexander Peslyak
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifdef HAVE_SYS_MMAN_H
# include <sys/mman.h>
#endif
#include <errno.h>
#include <stdlib.h>
#include "crypto_scrypt.h"
#include "runtime.h"
#if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
# define MAP_ANON MAP_ANONYMOUS
#endif
void *
alloc_region(escrypt_region_t * region, size_t size)
{
uint8_t * base, * aligned;
#ifdef MAP_ANON
if ((base = (uint8_t *) mmap(NULL, size, PROT_READ | PROT_WRITE,
#ifdef MAP_NOCORE
MAP_ANON | MAP_PRIVATE | MAP_NOCORE,
#else
MAP_ANON | MAP_PRIVATE,
#endif
-1, 0)) == MAP_FAILED)
base = NULL;
aligned = base;
#elif defined(HAVE_POSIX_MEMALIGN)
if ((errno = posix_memalign((void **) &base, 64, size)) != 0)
base = NULL;
aligned = base;
#else
base = aligned = NULL;
if (size + 63 < size)
errno = ENOMEM;
else if ((base = (uint8_t *) malloc(size + 63)) != NULL) {
aligned = base + 63;
aligned -= (uintptr_t)aligned & 63;
}
#endif
region->base = base;
region->aligned = aligned;
region->size = base ? size : 0;
return aligned;
}
static inline void
init_region(escrypt_region_t * region)
{
region->base = region->aligned = NULL;
region->size = 0;
}
int
free_region(escrypt_region_t * region)
{
if (region->base) {
#ifdef MAP_ANON
if (munmap(region->base, region->size))
return -1;
#else
free(region->base);
#endif
}
init_region(region);
return 0;
}
int
escrypt_init_local(escrypt_local_t * local)
{
init_region(local);
return 0;
}
int
escrypt_free_local(escrypt_local_t * local)
{
return free_region(local);
}
#endif

395
toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c Normal file
View File

@ -0,0 +1,395 @@
#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
/*-
* Copyright 2009 Colin Percival
* Copyright 2012,2013 Alexander Peslyak
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* THIS SOFTWARE IS PROVIDED BY THE AUTHOR AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* This file was originally written by Colin Percival as part of the Tarsnap
* online backup system.
*/
#if defined(HAVE_EMMINTRIN_H) || defined(_MSC_VER)
#if __GNUC__
# pragma GCC target("sse2")
#endif
#include <emmintrin.h>
#if defined(__XOP__) && defined(DISABLED)
# include <x86intrin.h>
#endif
#include <errno.h>
#include <limits.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include "../pbkdf2-sha256.h"
#include "../sysendian.h"
#include "../crypto_scrypt.h"
#if defined(__XOP__) && defined(DISABLED)
#define ARX(out, in1, in2, s) \
out = _mm_xor_si128(out, _mm_roti_epi32(_mm_add_epi32(in1, in2), s));
#else
#define ARX(out, in1, in2, s) \
{ \
__m128i T = _mm_add_epi32(in1, in2); \
out = _mm_xor_si128(out, _mm_slli_epi32(T, s)); \
out = _mm_xor_si128(out, _mm_srli_epi32(T, 32-s)); \
}
#endif
#define SALSA20_2ROUNDS \
/* Operate on "columns". */ \
ARX(X1, X0, X3, 7) \
ARX(X2, X1, X0, 9) \
ARX(X3, X2, X1, 13) \
ARX(X0, X3, X2, 18) \
\
/* Rearrange data. */ \
X1 = _mm_shuffle_epi32(X1, 0x93); \
X2 = _mm_shuffle_epi32(X2, 0x4E); \
X3 = _mm_shuffle_epi32(X3, 0x39); \
\
/* Operate on "rows". */ \
ARX(X3, X0, X1, 7) \
ARX(X2, X3, X0, 9) \
ARX(X1, X2, X3, 13) \
ARX(X0, X1, X2, 18) \
\
/* Rearrange data. */ \
X1 = _mm_shuffle_epi32(X1, 0x39); \
X2 = _mm_shuffle_epi32(X2, 0x4E); \
X3 = _mm_shuffle_epi32(X3, 0x93);
/**
* Apply the salsa20/8 core to the block provided in (X0 ... X3) ^ (Z0 ... Z3).
*/
#define SALSA20_8_XOR(in, out) \
{ \
__m128i Y0 = X0 = _mm_xor_si128(X0, (in)[0]); \
__m128i Y1 = X1 = _mm_xor_si128(X1, (in)[1]); \
__m128i Y2 = X2 = _mm_xor_si128(X2, (in)[2]); \
__m128i Y3 = X3 = _mm_xor_si128(X3, (in)[3]); \
SALSA20_2ROUNDS \
SALSA20_2ROUNDS \
SALSA20_2ROUNDS \
SALSA20_2ROUNDS \
(out)[0] = X0 = _mm_add_epi32(X0, Y0); \
(out)[1] = X1 = _mm_add_epi32(X1, Y1); \
(out)[2] = X2 = _mm_add_epi32(X2, Y2); \
(out)[3] = X3 = _mm_add_epi32(X3, Y3); \
}
/**
* blockmix_salsa8(Bin, Bout, r):
* Compute Bout = BlockMix_{salsa20/8, r}(Bin). The input Bin must be 128r
* bytes in length; the output Bout must also be the same size.
*/
static inline void
blockmix_salsa8(const __m128i * Bin, __m128i * Bout, size_t r)
{
__m128i X0, X1, X2, X3;
size_t i;
/* 1: X <-- B_{2r - 1} */
X0 = Bin[8 * r - 4];
X1 = Bin[8 * r - 3];
X2 = Bin[8 * r - 2];
X3 = Bin[8 * r - 1];
/* 3: X <-- H(X \xor B_i) */
/* 4: Y_i <-- X */
/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
SALSA20_8_XOR(Bin, Bout)
/* 2: for i = 0 to 2r - 1 do */
r--;
for (i = 0; i < r;) {
/* 3: X <-- H(X \xor B_i) */
/* 4: Y_i <-- X */
/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
SALSA20_8_XOR(&Bin[i * 8 + 4], &Bout[(r + i) * 4 + 4])
i++;
/* 3: X <-- H(X \xor B_i) */
/* 4: Y_i <-- X */
/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
SALSA20_8_XOR(&Bin[i * 8], &Bout[i * 4])
}
/* 3: X <-- H(X \xor B_i) */
/* 4: Y_i <-- X */
/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
SALSA20_8_XOR(&Bin[i * 8 + 4], &Bout[(r + i) * 4 + 4])
}
#define XOR4(in) \
X0 = _mm_xor_si128(X0, (in)[0]); \
X1 = _mm_xor_si128(X1, (in)[1]); \
X2 = _mm_xor_si128(X2, (in)[2]); \
X3 = _mm_xor_si128(X3, (in)[3]);
#define XOR4_2(in1, in2) \
X0 = _mm_xor_si128((in1)[0], (in2)[0]); \
X1 = _mm_xor_si128((in1)[1], (in2)[1]); \
X2 = _mm_xor_si128((in1)[2], (in2)[2]); \
X3 = _mm_xor_si128((in1)[3], (in2)[3]);
static inline uint32_t
blockmix_salsa8_xor(const __m128i * Bin1, const __m128i * Bin2, __m128i * Bout,
size_t r)
{
__m128i X0, X1, X2, X3;
size_t i;
/* 1: X <-- B_{2r - 1} */
XOR4_2(&Bin1[8 * r - 4], &Bin2[8 * r - 4])
/* 3: X <-- H(X \xor B_i) */
/* 4: Y_i <-- X */
/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
XOR4(Bin1)
SALSA20_8_XOR(Bin2, Bout)
/* 2: for i = 0 to 2r - 1 do */
r--;
for (i = 0; i < r;) {
/* 3: X <-- H(X \xor B_i) */
/* 4: Y_i <-- X */
/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
XOR4(&Bin1[i * 8 + 4])
SALSA20_8_XOR(&Bin2[i * 8 + 4], &Bout[(r + i) * 4 + 4])
i++;
/* 3: X <-- H(X \xor B_i) */
/* 4: Y_i <-- X */
/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
XOR4(&Bin1[i * 8])
SALSA20_8_XOR(&Bin2[i * 8], &Bout[i * 4])
}
/* 3: X <-- H(X \xor B_i) */
/* 4: Y_i <-- X */
/* 6: B' <-- (Y_0, Y_2 ... Y_{2r-2}, Y_1, Y_3 ... Y_{2r-1}) */
XOR4(&Bin1[i * 8 + 4])
SALSA20_8_XOR(&Bin2[i * 8 + 4], &Bout[(r + i) * 4 + 4])
return _mm_cvtsi128_si32(X0);
}
#undef ARX
#undef SALSA20_2ROUNDS
#undef SALSA20_8_XOR
#undef XOR4
#undef XOR4_2
/**
* integerify(B, r):
* Return the result of parsing B_{2r-1} as a little-endian integer.
*/
static inline uint32_t
integerify(const void * B, size_t r)
{
return *(const uint32_t *)((uintptr_t)(B) + (2 * r - 1) * 64);
}
/**
* smix(B, r, N, V, XY):
* Compute B = SMix_r(B, N). The input B must be 128r bytes in length;
* the temporary storage V must be 128rN bytes in length; the temporary
* storage XY must be 256r + 64 bytes in length. The value N must be a
* power of 2 greater than 1. The arrays B, V, and XY must be aligned to a
* multiple of 64 bytes.
*/
static void
smix(uint8_t * B, size_t r, uint32_t N, void * V, void * XY)
{
size_t s = 128 * r;
__m128i * X = (__m128i *) V, * Y;
uint32_t * X32 = (uint32_t *) V;
uint32_t i, j;
size_t k;
/* 1: X <-- B */
/* 3: V_i <-- X */
for (k = 0; k < 2 * r; k++) {
for (i = 0; i < 16; i++) {
X32[k * 16 + i] =
le32dec(&B[(k * 16 + (i * 5 % 16)) * 4]);
}
}
/* 2: for i = 0 to N - 1 do */
for (i = 1; i < N - 1; i += 2) {
/* 4: X <-- H(X) */
/* 3: V_i <-- X */
Y = (__m128i *)((uintptr_t)(V) + i * s);
blockmix_salsa8(X, Y, r);
/* 4: X <-- H(X) */
/* 3: V_i <-- X */
X = (__m128i *)((uintptr_t)(V) + (i + 1) * s);
blockmix_salsa8(Y, X, r);
}
/* 4: X <-- H(X) */
/* 3: V_i <-- X */
Y = (__m128i *)((uintptr_t)(V) + i * s);
blockmix_salsa8(X, Y, r);
/* 4: X <-- H(X) */
/* 3: V_i <-- X */
X = (__m128i *) XY;
blockmix_salsa8(Y, X, r);
X32 = (uint32_t *) XY;
Y = (__m128i *)((uintptr_t)(XY) + s);
/* 7: j <-- Integerify(X) mod N */
j = integerify(X, r) & (N - 1);
/* 6: for i = 0 to N - 1 do */
for (i = 0; i < N; i += 2) {
__m128i * V_j = (__m128i *)((uintptr_t)(V) + j * s);
/* 8: X <-- H(X \xor V_j) */
/* 7: j <-- Integerify(X) mod N */
j = blockmix_salsa8_xor(X, V_j, Y, r) & (N - 1);
V_j = (__m128i *)((uintptr_t)(V) + j * s);
/* 8: X <-- H(X \xor V_j) */
/* 7: j <-- Integerify(X) mod N */
j = blockmix_salsa8_xor(Y, V_j, X, r) & (N - 1);
}
/* 10: B' <-- X */
for (k = 0; k < 2 * r; k++) {
for (i = 0; i < 16; i++) {
le32enc(&B[(k * 16 + (i * 5 % 16)) * 4],
X32[k * 16 + i]);
}
}
}
/**
* escrypt_kdf(local, passwd, passwdlen, salt, saltlen,
* N, r, p, buf, buflen):
* Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
* p, buflen) and write the result into buf. The parameters r, p, and buflen
* must satisfy r * p < 2^30 and buflen <= (2^32 - 1) * 32. The parameter N
* must be a power of 2 greater than 1.
*
* Return 0 on success; or -1 on error.
*/
int
escrypt_kdf_sse(escrypt_local_t * local,
const uint8_t * passwd, size_t passwdlen,
const uint8_t * salt, size_t saltlen,
uint64_t N, uint32_t _r, uint32_t _p,
uint8_t * buf, size_t buflen)
{
size_t B_size, V_size, XY_size, need;
uint8_t * B;
uint32_t * V, * XY;
size_t r = _r, p = _p;
uint32_t i;
/* Sanity-check parameters. */
#if SIZE_MAX > UINT32_MAX
if (buflen > (((uint64_t)(1) << 32) - 1) * 32) {
errno = EFBIG;
return -1;
}
#endif
if ((uint64_t)(r) * (uint64_t)(p) >= (1 << 30)) {
errno = EFBIG;
return -1;
}
if (N > UINT32_MAX) {
errno = EFBIG;
return -1;
}
if (((N & (N - 1)) != 0) || (N < 2)) {
errno = EINVAL;
return -1;
}
if (r == 0 || p == 0) {
errno = EINVAL;
return -1;
}
if ((r > SIZE_MAX / 128 / p) ||
#if SIZE_MAX / 256 <= UINT32_MAX
(r > SIZE_MAX / 256) ||
#endif
(N > SIZE_MAX / 128 / r)) {
errno = ENOMEM;
return -1;
}
/* Allocate memory. */
B_size = (size_t)128 * r * p;
V_size = (size_t)128 * r * N;
need = B_size + V_size;
if (need < V_size) {
errno = ENOMEM;
return -1;
}
XY_size = (size_t)256 * r + 64;
need += XY_size;
if (need < XY_size) {
errno = ENOMEM;
return -1;
}
if (local->size < need) {
if (free_region(local))
return -1;
if (!alloc_region(local, need))
return -1;
}
B = (uint8_t *)local->aligned;
V = (uint32_t *)((uint8_t *)B + B_size);
XY = (uint32_t *)((uint8_t *)V + V_size);
/* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */
PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size);
/* 2: for i = 0 to p - 1 do */
for (i = 0; i < p; i++) {
/* 3: B_i <-- MF(B_i, N) */
smix(&B[(size_t)128 * i * r], r, N, V, XY);
}
/* 5: DK <-- PBKDF2(P, B, 1, dkLen) */
PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen);
/* Success! */
return 0;
}
#endif
#endif

150
toxencryptsave/crypto_pwhash_scryptsalsa208sha256/sysendian.h Normal file
View File

@ -0,0 +1,150 @@
#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
#ifndef _SYSENDIAN_H_
#define _SYSENDIAN_H_
#include <stdint.h>
/* Avoid namespace collisions with BSD <sys/endian.h>. */
#define be16dec scrypt_be16dec
#define be16enc scrypt_be16enc
#define be32dec scrypt_be32dec
#define be32enc scrypt_be32enc
#define be64dec scrypt_be64dec
#define be64enc scrypt_be64enc
#define le16dec scrypt_le16dec
#define le16enc scrypt_le16enc
#define le32dec scrypt_le32dec
#define le32enc scrypt_le32enc
#define le64dec scrypt_le64dec
#define le64enc scrypt_le64enc
static inline uint16_t
be16dec(const void *pp)
{
const uint8_t *p = (uint8_t const *)pp;
return ((uint16_t)(p[1]) + ((uint16_t)(p[0]) << 8));
}
static inline void
be16enc(void *pp, uint16_t x)
{
uint8_t * p = (uint8_t *)pp;
p[1] = x & 0xff;
p[0] = (x >> 8) & 0xff;
}
static inline uint32_t
be32dec(const void *pp)
{
const uint8_t *p = (uint8_t const *)pp;
return ((uint32_t)(p[3]) + ((uint32_t)(p[2]) << 8) +
((uint32_t)(p[1]) << 16) + ((uint32_t)(p[0]) << 24));
}
static inline void
be32enc(void *pp, uint32_t x)
{
uint8_t * p = (uint8_t *)pp;
p[3] = x & 0xff;
p[2] = (x >> 8) & 0xff;
p[1] = (x >> 16) & 0xff;
p[0] = (x >> 24) & 0xff;
}
static inline uint64_t
be64dec(const void *pp)
{
const uint8_t *p = (uint8_t const *)pp;
return ((uint64_t)(p[7]) + ((uint64_t)(p[6]) << 8) +
((uint64_t)(p[5]) << 16) + ((uint64_t)(p[4]) << 24) +
((uint64_t)(p[3]) << 32) + ((uint64_t)(p[2]) << 40) +
((uint64_t)(p[1]) << 48) + ((uint64_t)(p[0]) << 56));
}
static inline void
be64enc(void *pp, uint64_t x)
{
uint8_t * p = (uint8_t *)pp;
p[7] = x & 0xff;
p[6] = (x >> 8) & 0xff;
p[5] = (x >> 16) & 0xff;
p[4] = (x >> 24) & 0xff;
p[3] = (x >> 32) & 0xff;
p[2] = (x >> 40) & 0xff;
p[1] = (x >> 48) & 0xff;
p[0] = (x >> 56) & 0xff;
}
static inline uint16_t
le16dec(const void *pp)
{
const uint8_t *p = (uint8_t const *)pp;
return ((uint16_t)(p[0]) + ((uint16_t)(p[1]) << 8));
}
static inline void
le16enc(void *pp, uint16_t x)
{
uint8_t * p = (uint8_t *)pp;
p[0] = x & 0xff;
p[1] = (x >> 8) & 0xff;
}
static inline uint32_t
le32dec(const void *pp)
{
const uint8_t *p = (uint8_t const *)pp;
return ((uint32_t)(p[0]) + ((uint32_t)(p[1]) << 8) +
((uint32_t)(p[2]) << 16) + ((uint32_t)(p[3]) << 24));
}
static inline void
le32enc(void *pp, uint32_t x)
{
uint8_t * p = (uint8_t *)pp;
p[0] = x & 0xff;
p[1] = (x >> 8) & 0xff;
p[2] = (x >> 16) & 0xff;
p[3] = (x >> 24) & 0xff;
}
static inline uint64_t
le64dec(const void *pp)
{
const uint8_t *p = (uint8_t const *)pp;
return ((uint64_t)(p[0]) + ((uint64_t)(p[1]) << 8) +
((uint64_t)(p[2]) << 16) + ((uint64_t)(p[3]) << 24) +
((uint64_t)(p[4]) << 32) + ((uint64_t)(p[5]) << 40) +
((uint64_t)(p[6]) << 48) + ((uint64_t)(p[7]) << 56));
}
static inline void
le64enc(void *pp, uint64_t x)
{
uint8_t * p = (uint8_t *)pp;
p[0] = x & 0xff;
p[1] = (x >> 8) & 0xff;
p[2] = (x >> 16) & 0xff;
p[3] = (x >> 24) & 0xff;
p[4] = (x >> 32) & 0xff;
p[5] = (x >> 40) & 0xff;
p[6] = (x >> 48) & 0xff;
p[7] = (x >> 56) & 0xff;
}
#endif /* !_SYSENDIAN_H_ */
#endif

75
toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.c Normal file
View File

@ -0,0 +1,75 @@
#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
#ifndef __STDC_WANT_LIB_EXT1__
# define __STDC_WANT_LIB_EXT1__ 1
#endif
#include <assert.h>
#include <errno.h>
#include <limits.h>
#include <signal.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#ifdef HAVE_SYS_MMAN_H
# include <sys/mman.h>
#endif
#include "utils.h"
#ifdef _WIN32
# include <windows.h>
# include <wincrypt.h>
#else
# include <unistd.h>
#endif
#ifdef HAVE_WEAK_SYMBOLS
__attribute__((weak)) void
__sodium_dummy_symbol_to_prevent_lto(void * const pnt, const size_t len)
{
(void) pnt;
(void) len;
}
#endif
void
sodium_memzero(void * const pnt, const size_t len)
{
#ifdef _WIN32
SecureZeroMemory(pnt, len);
#elif defined(HAVE_MEMSET_S)
if (memset_s(pnt, (rsize_t) len, 0, (rsize_t) len) != 0) {
abort();
}
#elif defined(HAVE_EXPLICIT_BZERO)
explicit_bzero(pnt, len);
#elif HAVE_WEAK_SYMBOLS
memset(pnt, 0, len);
__sodium_dummy_symbol_to_prevent_lto(pnt, len);
#else
volatile unsigned char *pnt_ = (volatile unsigned char *) pnt;
size_t i = (size_t) 0U;
while (i < len) {
pnt_[i++] = 0U;
}
#endif
}
int
sodium_memcmp(const void * const b1_, const void * const b2_, size_t len)
{
const unsigned char *b1 = (const unsigned char *) b1_;
const unsigned char *b2 = (const unsigned char *) b2_;
size_t i;
unsigned char d = (unsigned char) 0U;
for (i = 0U; i < len; i++) {
d |= b1[i] ^ b2[i];
}
return (int) ((1 & ((d - 1) >> 8)) - 1);
}
#endif

37
toxencryptsave/crypto_pwhash_scryptsalsa208sha256/utils.h Normal file
View File

@ -0,0 +1,37 @@
#ifdef VANILLA_NACL /* toxcore only uses this when libsodium is unavailable */
#ifndef __SODIUM_UTILS_H__
#define __SODIUM_UTILS_H__
#include <stddef.h>
#include "export.h"
#ifdef __cplusplus
extern "C" {
#endif
#if defined(__cplusplus) || !defined(__STDC_VERSION__) || __STDC_VERSION__ < 199901L
# define _SODIUM_C99(X)
#else
# define _SODIUM_C99(X) X
#endif
SODIUM_EXPORT
void sodium_memzero(void * const pnt, const size_t len);
/* WARNING: sodium_memcmp() must be used to verify if two secret keys
* are equal, in constant time.
* It returns 0 if the keys are equal, and -1 if they differ.
* This function is not designed for lexicographical comparisons.
*/
SODIUM_EXPORT
int sodium_memcmp(const void * const b1_, const void * const b2_, size_t len);
#ifdef __cplusplus
}
#endif
#endif
#endif

135
toxencryptsave/toxencryptsave.c Normal file
View File

@ -0,0 +1,135 @@
/* toxencryptsave.c
*
* The Tox encrypted save functions.
*
* Copyright (C) 2013 Tox project All Rights Reserved.
*
* This file is part of Tox.
*
* Tox is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Tox is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with Tox. If not, see <http://www.gnu.org/licenses/>.
*
*/
#include "toxencryptsave.h"
/* This "module" provides functions analogous to tox_load and tox_save in toxcore
* Clients should consider alerting their users that, unlike plain data, if even one bit
* becomes corrupted, the data will be entirely unrecoverable.
* Ditto if they forget their password, there is no way to recover the data.
*/
/* return size of the messenger data (for encrypted saving). */
uint32_t tox_encrypted_size(const Tox *tox)
{
return tox_size(tox) + crypto_box_MACBYTES + crypto_box_NONCEBYTES
+ crypto_pwhash_scryptsalsa208sha256_SALTBYTES;
}
/* Save the messenger data encrypted with the given password.
* data must be at least tox_encrypted_size().
*
* returns 0 on success
* returns -1 on failure
*/
int tox_encrypted_save(const Tox *tox, uint8_t *data, uint8_t *passphrase, uint32_t pplength)
{
if (pplength == 0)
return -1;
/* First derive a key from the password */
/* http://doc.libsodium.org/key_derivation/README.html */
/* note that, according to the documentation, a generic pwhash interface will be created
* once the pwhash competition (https://password-hashing.net/) is over */
uint8_t salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES];
uint8_t key[crypto_box_KEYBYTES];
randombytes_buf(salt, sizeof salt);
if (crypto_pwhash_scryptsalsa208sha256(
key, sizeof(key), passphrase, pplength, salt,
crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE * 2, /* slightly stronger */
crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE) != 0) {
/* out of memory most likely */
return -1;
}
sodium_memzero(passphrase, pplength); /* wipe plaintext pw */
/* next get plain save data */
uint32_t temp_size = tox_size(tox);
uint8_t temp_data[temp_size];
tox_save(tox, temp_data);
/* now encrypt.
* the output data consists of, in order:
* salt, nonce, mac, enc_data
* where the mac is automatically prepended by the encrypt()
* the salt+nonce is called the prefix
* I'm not sure what else I'm supposed to do with the salt and nonce, since we
* need them to decrypt the data
*/
uint32_t prefix_size = crypto_box_NONCEBYTES+crypto_pwhash_scryptsalsa208sha256_SALTBYTES;
uint8_t nonce[crypto_box_NONCEBYTES];
random_nonce(nonce);
if (encrypt_data_symmetric(key, nonce, temp_data, temp_size, data + prefix_size)
!= temp_size + crypto_box_MACBYTES) {
return -1;
}
/* add the prefix */
memcpy(data, salt, crypto_pwhash_scryptsalsa208sha256_SALTBYTES);
memcpy(data + crypto_pwhash_scryptsalsa208sha256_SALTBYTES, nonce, crypto_box_NONCEBYTES);
return 0;
}
/* Load the messenger from encrypted data of size length.
*
* returns 0 on success
* returns -1 on failure
*/
int tox_encrypted_load(Tox *tox, const uint8_t *data, uint32_t length, uint8_t *passphrase, uint32_t pplength)
{
if (length <= crypto_box_MACBYTES + crypto_box_NONCEBYTES + crypto_pwhash_scryptsalsa208sha256_SALTBYTES)
return -1;
uint32_t decrypt_length = length - crypto_box_MACBYTES - crypto_box_NONCEBYTES
- crypto_pwhash_scryptsalsa208sha256_SALTBYTES;
uint8_t salt[crypto_pwhash_scryptsalsa208sha256_SALTBYTES];
uint8_t nonce[crypto_box_NONCEBYTES];
memcpy(salt, data, crypto_pwhash_scryptsalsa208sha256_SALTBYTES);
memcpy(nonce, data + crypto_pwhash_scryptsalsa208sha256_SALTBYTES, crypto_box_NONCEBYTES);
/* derive the key */
uint8_t key[crypto_box_KEYBYTES];
if (crypto_pwhash_scryptsalsa208sha256(
key, sizeof(key), passphrase, pplength, salt,
crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE * 2, /* slightly stronger */
crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_INTERACTIVE) != 0) {
/* out of memory most likely */
return -1;
}
sodium_memzero(passphrase, pplength); /* wipe plaintext pw */
/* decrypt the data */
uint8_t temp_data[decrypt_length];
if (decrypt_data_symmetric(key, nonce, data+crypto_pwhash_scryptsalsa208sha256_SALTBYTES+crypto_box_NONCEBYTES,
decrypt_length + crypto_box_MACBYTES, temp_data)
!= decrypt_length) {
return -1;
}
return tox_load(tox, temp_data, decrypt_length);
}

67
toxencryptsave/toxencryptsave.h Normal file
View File

@ -0,0 +1,67 @@
/* toxencryptsave.h
*
* The Tox encrypted save functions.
*
* Copyright (C) 2013 Tox project All Rights Reserved.
*
* This file is part of Tox.
*
* Tox is free software: you can redistribute it and/or modify
* it under the terms of the GNU General Public License as published by
* the Free Software Foundation, either version 3 of the License, or
* (at your option) any later version.
*
* Tox is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
* GNU General Public License for more details.
*
* You should have received a copy of the GNU General Public License
* along with Tox. If not, see <http://www.gnu.org/licenses/>.
*
*/
#ifndef TOXENCRYPTSAVE_H
#define TOXENCRYPTSAVE_H
#ifdef VANILLA_NACL
#include "crypto_pwhash_scryptsalsa208sha256/crypto_pwhash_scryptsalsa208sha256.h"
#include "crypto_pwhash_scryptsalsa208sha256/utils.h" /* sodium_memzero */
#endif
#include "../toxcore/tox.h"
#include "../toxcore/crypto_core.h"
#ifdef __cplusplus
extern "C" {
#endif
/* This "module" provides functions analogous to tox_load and tox_save in toxcore
* Clients should consider alerting their users that, unlike plain data, if even one bit
* becomes corrupted, the data will be entirely unrecoverable.
* Ditto if they forget their password, there is no way to recover the data.
*/
/* return size of the messenger data (for encrypted saving). */
uint32_t tox_encrypted_size(const Tox *tox);
/* Save the messenger data encrypted with the given password.
* data must be at least tox_encrypted_size().
*
* returns 0 on success
* returns -1 on failure
*/
int tox_encrypted_save(const Tox *tox, uint8_t *data, uint8_t *passphrase, uint32_t pplength);
/* Load the messenger from encrypted data of size length.
*
* returns 0 on success
* returns -1 on failure
*/
int tox_encrypted_load(Tox *tox, const uint8_t *data, uint32_t length, uint8_t *passphrase, uint32_t pplength);
#ifdef __cplusplus
}
#endif
#endif