int crypto_aead_chacha20poly1305_ietf_decrypt_detached(unsigned char *m, unsigned char *nsec, const unsigned char *c, unsigned long long clen, const unsigned char *mac, const unsigned char *ad, unsigned long long adlen, const unsigned char *npub, const unsigned char *k) { crypto_onetimeauth_poly1305_state state; unsigned char block0[64U]; unsigned char slen[8U]; unsigned char computed_mac[crypto_aead_chacha20poly1305_ietf_ABYTES]; unsigned long long mlen; int ret; (void) nsec; crypto_stream_chacha20_ietf(block0, sizeof block0, npub, k); crypto_onetimeauth_poly1305_init(&state, block0); sodium_memzero(block0, sizeof block0); crypto_onetimeauth_poly1305_update(&state, ad, adlen); crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - adlen) & 0xf); mlen = clen; crypto_onetimeauth_poly1305_update(&state, c, mlen); crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - mlen) & 0xf); STORE64_LE(slen, (uint64_t) adlen); crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen); STORE64_LE(slen, (uint64_t) mlen); crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen); crypto_onetimeauth_poly1305_final(&state, computed_mac); sodium_memzero(&state, sizeof state); COMPILER_ASSERT(sizeof computed_mac == 16U); ret = crypto_verify_16(computed_mac, mac); sodium_memzero(computed_mac, sizeof computed_mac); if (m == NULL) { return ret; } if (ret != 0) { memset(m, 0, mlen); return -1; } crypto_stream_chacha20_ietf_xor_ic(m, c, mlen, npub, 1U, k); return 0; }
int blake2b_final( blake2b_state *S, uint8_t *out, uint8_t outlen ) { if( !outlen || outlen > BLAKE2B_OUTBYTES ) { abort(); /* LCOV_EXCL_LINE */ } if( S->buflen > BLAKE2B_BLOCKBYTES ) { blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES ); blake2b_compress( S, S->buf ); S->buflen -= BLAKE2B_BLOCKBYTES; assert( S->buflen <= BLAKE2B_BLOCKBYTES ); memcpy( S->buf, S->buf + BLAKE2B_BLOCKBYTES, S->buflen ); } blake2b_increment_counter( S, S->buflen ); blake2b_set_lastblock( S ); memset( S->buf + S->buflen, 0, 2 * BLAKE2B_BLOCKBYTES - S->buflen ); /* Padding */ blake2b_compress( S, S->buf ); #ifdef NATIVE_LITTLE_ENDIAN memcpy( out, &S->h[0], outlen ); #else { uint8_t buffer[BLAKE2B_OUTBYTES]; int i; for( i = 0; i < 8; ++i ) /* Output full hash to temp buffer */ STORE64_LE( buffer + sizeof( S->h[i] ) * i, S->h[i] ); memcpy( out, buffer, outlen ); } #endif return 0; }
int blake2b_init_key( blake2b_state *S, const uint8_t outlen, const void *key, const uint8_t keylen ) { blake2b_param P[1]; if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) abort(); if ( !key || !keylen || keylen > BLAKE2B_KEYBYTES ) abort(); P->digest_length = outlen; P->key_length = keylen; P->fanout = 1; P->depth = 1; STORE32_LE( P->leaf_length, 0 ); STORE64_LE( P->node_offset, 0 ); P->node_depth = 0; P->inner_length = 0; memset( P->reserved, 0, sizeof( P->reserved ) ); memset( P->salt, 0, sizeof( P->salt ) ); memset( P->personal, 0, sizeof( P->personal ) ); if( blake2b_init_param( S, P ) < 0 ) abort(); { uint8_t block[BLAKE2B_BLOCKBYTES]; memset( block, 0, BLAKE2B_BLOCKBYTES ); memcpy( block, key, keylen ); blake2b_update( S, block, BLAKE2B_BLOCKBYTES ); secure_zero_memory( block, BLAKE2B_BLOCKBYTES ); /* Burn the key from stack */ } return 0; }
int blake2b_init_salt_personal( blake2b_state *S, const uint8_t outlen, const void *salt, const void *personal ) { blake2b_param P[1]; if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) abort(); P->digest_length = outlen; P->key_length = 0; P->fanout = 1; P->depth = 1; STORE32_LE( P->leaf_length, 0 ); STORE64_LE( P->node_offset, 0 ); P->node_depth = 0; P->inner_length = 0; memset( P->reserved, 0, sizeof( P->reserved ) ); if (salt != NULL) { blake2b_param_set_salt( P, (const uint8_t *) salt ); } else { memset( P->salt, 0, sizeof( P->salt ) ); } if (personal != NULL) { blake2b_param_set_personal( P, (const uint8_t *) personal ); } else { memset( P->personal, 0, sizeof( P->personal ) ); } return blake2b_init_param( S, P ); }
int crypto_aead_chacha20poly1305_ietf_encrypt_detached(unsigned char *c, unsigned char *mac, unsigned long long *maclen_p, const unsigned char *m, unsigned long long mlen, const unsigned char *ad, unsigned long long adlen, const unsigned char *nsec, const unsigned char *npub, const unsigned char *k) { crypto_onetimeauth_poly1305_state state; unsigned char block0[64U]; unsigned char slen[8U]; (void) nsec; crypto_stream_chacha20_ietf(block0, sizeof block0, npub, k); crypto_onetimeauth_poly1305_init(&state, block0); sodium_memzero(block0, sizeof block0); crypto_onetimeauth_poly1305_update(&state, ad, adlen); crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - adlen) & 0xf); crypto_stream_chacha20_ietf_xor_ic(c, m, mlen, npub, 1U, k); crypto_onetimeauth_poly1305_update(&state, c, mlen); crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - mlen) & 0xf); STORE64_LE(slen, (uint64_t) adlen); crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen); STORE64_LE(slen, (uint64_t) mlen); crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen); crypto_onetimeauth_poly1305_final(&state, mac); sodium_memzero(&state, sizeof state); if (maclen_p != NULL) { *maclen_p = crypto_aead_chacha20poly1305_ietf_ABYTES; } return 0; }
int blake2b_init( blake2b_state *S, const uint8_t outlen ) { blake2b_param P[1]; if ( ( !outlen ) || ( outlen > BLAKE2B_OUTBYTES ) ) abort(); P->digest_length = outlen; P->key_length = 0; P->fanout = 1; P->depth = 1; STORE32_LE( P->leaf_length, 0 ); STORE64_LE( P->node_offset, 0 ); P->node_depth = 0; P->inner_length = 0; memset( P->reserved, 0, sizeof( P->reserved ) ); memset( P->salt, 0, sizeof( P->salt ) ); memset( P->personal, 0, sizeof( P->personal ) ); return blake2b_init_param( S, P ); }
static inline int blake2b_param_set_node_offset( blake2b_param *P, const uint64_t node_offset ) { STORE64_LE( P->node_offset, node_offset ); return 0; }
int crypto_shorthash_siphash24(unsigned char *out, const unsigned char *in, unsigned long long inlen, const unsigned char *k) { /* "somepseudorandomlygeneratedbytes" */ uint64_t v0 = 0x736f6d6570736575ULL; uint64_t v1 = 0x646f72616e646f6dULL; uint64_t v2 = 0x6c7967656e657261ULL; uint64_t v3 = 0x7465646279746573ULL; uint64_t b; uint64_t k0 = LOAD64_LE(k); uint64_t k1 = LOAD64_LE(k + 8); uint64_t m; const uint8_t *end = in + inlen - (inlen % sizeof(uint64_t)); const int left = inlen & 7; b = ((uint64_t) inlen) << 56; v3 ^= k1; v2 ^= k0; v1 ^= k1; v0 ^= k0; for (; in != end; in += 8) { m = LOAD64_LE(in); v3 ^= m; SIPROUND; SIPROUND; v0 ^= m; } switch (left) { case 7: b |= ((uint64_t) in[6]) << 48; /* FALLTHRU */ case 6: b |= ((uint64_t) in[5]) << 40; /* FALLTHRU */ case 5: b |= ((uint64_t) in[4]) << 32; /* FALLTHRU */ case 4: b |= ((uint64_t) in[3]) << 24; /* FALLTHRU */ case 3: b |= ((uint64_t) in[2]) << 16; /* FALLTHRU */ case 2: b |= ((uint64_t) in[1]) << 8; /* FALLTHRU */ case 1: b |= ((uint64_t) in[0]); break; case 0: break; } v3 ^= b; SIPROUND; SIPROUND; v0 ^= b; v2 ^= 0xff; SIPROUND; SIPROUND; SIPROUND; SIPROUND; b = v0 ^ v1 ^ v2 ^ v3; STORE64_LE(out, b); return 0; }