30 #include "platform.hpp" 31 #if defined (ZMQ_USE_TWEETNACL) 37 #if defined __GNUC__ && (__GNUC__ > 4 || (__GNUC__ == 4 && __GNUC_MINOR__ >= 2)) && __STDC_VERSION__ < 201112L 38 # pragma GCC diagnostic ignored "-Wsign-compare" 39 #elif defined _MSC_VER 40 # pragma warning (disable:4018 4244 4146) 45 #define FOR(i,n) for (i = 0;i < n;++i) 46 #define sv static void 55 D = {0x78a3, 0x1359, 0x4dca, 0x75eb, 0xd8ab, 0x4141, 0x0a4d, 0x0070, 0xe898, 0x7779, 0x4079, 0x8cc7, 0xfe73, 0x2b6f, 0x6cee, 0x5203},
56 D2 = {0xf159, 0x26b2, 0x9b94, 0xebd6, 0xb156, 0x8283, 0x149a, 0x00e0, 0xd130, 0xeef3, 0x80f2, 0x198e, 0xfce7, 0x56df, 0xd9dc, 0x2406},
57 X = {0xd51a, 0x8f25, 0x2d60, 0xc956, 0xa7b2, 0x9525, 0xc760, 0x692c, 0xdc5c, 0xfdd6, 0xe231, 0xc0a4, 0x53fe, 0xcd6e, 0x36d3, 0x2169},
58 Y = {0x6658, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666, 0x6666},
59 I = {0xa0b0, 0x4a0e, 0x1b27, 0xc4ee, 0xe478, 0xad2f, 0x1806, 0x2f43, 0xd7a7, 0x3dfb, 0x0099, 0x2b4d, 0xdf0b, 0x4fc1, 0x2480, 0x2b83};
61 static u32 L32(u32 x,
int c) {
return (x << c) | ((x&0xffffffff) >> (32 - c)); }
63 static u32 ld32(
const u8 *x)
71 static u64 dl64(
const u8 *x)
74 FOR(i,8) u=(u<<8)|x[i];
81 FOR(i,4) { x[i] = u; u >>= 8; }
87 for (i = 7;i >= 0;--i) { x[i] = u; u >>= 8; }
90 static int vn(
const u8 *x,
const u8 *y,
int n)
93 FOR(i,n) d |= x[i]^y[i];
94 return (1 & ((d - 1) >> 8)) - 1;
97 int crypto_verify_16(const u8 *x,const u8 *y)
102 int crypto_verify_32(
const u8 *x,
const u8 *y)
107 sv core(u8 *out,
const u8 *in,
const u8 *k,
const u8 *c,
int h)
109 u32 w[16],x[16],y[16],t[4];
113 x[5*i] = ld32(c+4*i);
114 x[1+i] = ld32(k+4*i);
115 x[6+i] = ld32(in+4*i);
116 x[11+i] = ld32(k+16+4*i);
119 FOR(i,16) y[i] = x[i];
123 FOR(m,4) t[m] = x[(5*j+4*m)%16];
124 t[1] ^= L32(t[0]+t[3], 7);
125 t[2] ^= L32(t[1]+t[0], 9);
126 t[3] ^= L32(t[2]+t[1],13);
127 t[0] ^= L32(t[3]+t[2],18);
128 FOR(m,4) w[4*j+(j+m)%4] = t[m];
130 FOR(m,16) x[m] = w[m];
134 FOR(i,16) x[i] += y[i];
136 x[5*i] -= ld32(c+4*i);
137 x[6+i] -= ld32(in+4*i);
140 st32(out+4*i,x[5*i]);
141 st32(out+16+4*i,x[6+i]);
144 FOR(i,16) st32(out + 4 * i,x[i] + y[i]);
147 int crypto_core_salsa20(u8 *out,const u8 *in,const u8 *k,const u8 *c)
153 int crypto_core_hsalsa20(u8 *out,
const u8 *in,
const u8 *k,
const u8 *c)
159 static const u8 sigma[16] =
"expand 32-byte k";
161 int crypto_stream_salsa20_xor(u8 *c,
const u8 *m,u64 b,
const u8 *n,
const u8 *k)
167 FOR(i,8) z[i] = n[i];
169 crypto_core_salsa20(x,z,k,sigma);
170 FOR(i,64) c[i] = (m?m[i]:0) ^ x[i];
172 for (i = 8;i < 16;++i) {
182 crypto_core_salsa20(x,z,k,sigma);
183 FOR(i,b) c[i] = (m?m[i]:0) ^ x[i];
188 int crypto_stream_salsa20(u8 *c,u64 d,const u8 *n,const u8 *k)
190 return crypto_stream_salsa20_xor(c,0,d,n,k);
193 int crypto_stream(u8 *c,u64 d,
const u8 *n,
const u8 *k)
196 crypto_core_hsalsa20(s,n,k,sigma);
197 return crypto_stream_salsa20(c,d,n+16,s);
200 int crypto_stream_xor(u8 *c,
const u8 *m,u64 d,
const u8 *n,
const u8 *k)
203 crypto_core_hsalsa20(s,n,k,sigma);
204 return crypto_stream_salsa20_xor(c,m,d,n+16,s);
207 sv add1305(u32 *h,
const u32 *c)
217 static const u32 minusp[17] = {
218 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 252
221 int crypto_onetimeauth(u8 *out,
const u8 *m,u64 n,
const u8 *k)
223 u32 s,i,j,u,x[17],r[17],h[17],c[17],g[17];
225 FOR(j,17) r[j]=h[j]=0;
237 for (j = 0;(j < 16) && (j < n);++j) c[j] = m[j];
243 FOR(j,17) x[i] += h[j] * ((j <= i) ? r[i - j] : 320 * r[i + 17 - j]);
245 FOR(i,17) h[i] = x[i];
252 u += h[16]; h[16] = u & 3;
259 u += h[16]; h[16] = u;
262 FOR(j,17) g[j] = h[j];
265 FOR(j,17) h[j] ^= s & (g[j] ^ h[j]);
267 FOR(j,16) c[j] = k[j + 16];
270 FOR(j,16) out[j] = h[j];
274 int crypto_onetimeauth_verify(const u8 *h,const u8 *m,u64 n,const u8 *k)
277 crypto_onetimeauth(x,m,n,k);
278 return crypto_verify_16(h,x);
281 int crypto_secretbox(u8 *c,
const u8 *m,u64 d,
const u8 *n,
const u8 *k)
284 if (d < 32)
return -1;
285 crypto_stream_xor(c,m,d,n,k);
286 crypto_onetimeauth(c + 16,c + 32,d - 32,c);
291 int crypto_secretbox_open(u8 *m,const u8 *c,u64 d,const u8 *n,const u8 *k)
295 if (d < 32)
return -1;
296 crypto_stream(x,32,n,k);
297 if (crypto_onetimeauth_verify(c + 16,c + 32,d - 32,x) != 0)
return -1;
298 crypto_stream_xor(m,c,d,n,k);
303 sv set25519(gf r, const gf a)
316 o[(i+1)*(i<15)]+=c-1+37*(c-1)*(i==15);
321 sv sel25519(gf p,gf q,
int b)
331 sv pack25519(u8 *o,
const gf n)
342 m[i]=t[i]-0xffff-((m[i-1]>>16)&1);
345 m[15]=t[15]-0x7fff-((m[14]>>16)&1);
356 static int neq25519(
const gf a,
const gf b)
361 return crypto_verify_32(c,d);
364 static u8 par25519(
const gf a)
371 sv unpack25519(gf o,
const u8 *n)
374 FOR(i,16) o[i]=n[2*i]+((i64)n[2*i+1]<<8);
378 sv A(gf o,const gf a,const gf b)
381 FOR(i,16) o[i]=a[i]+b[i];
384 sv Z(gf o,const gf a,const gf b)
387 FOR(i,16) o[i]=a[i]-b[i];
390 sv M(gf o,const gf a,const gf b)
394 FOR(i,16) FOR(j,16) t[i+j]+=a[i]*b[j];
395 FOR(i,15) t[i]+=38*t[i+16];
401 sv S(gf o,const gf a)
406 sv inv25519(gf o,
const gf i)
411 for(a=253;a>=0;a--) {
413 if(a!=2&&a!=4) M(c,c,i);
418 sv pow2523(gf o,const gf i)
423 for(a=250;a>=0;a--) {
430 int crypto_scalarmult(u8 *q,const u8 *n,const u8 *p)
436 z[31]=(n[31]&127)|64;
444 for(i=254;i>=0;--i) {
445 r=(z[i>>3]>>(i&7))&1;
481 int crypto_scalarmult_base(u8 *q,
const u8 *n)
483 return crypto_scalarmult(q,n,_9);
486 int crypto_box_keypair(u8 *y,u8 *x)
489 return crypto_scalarmult_base(y,x);
492 int crypto_box_beforenm(u8 *k,
const u8 *y,
const u8 *x)
495 crypto_scalarmult(s,x,y);
496 return crypto_core_hsalsa20(k,_0,s,sigma);
499 int crypto_box_afternm(u8 *c,
const u8 *m,u64 d,
const u8 *n,
const u8 *k)
501 return crypto_secretbox(c,m,d,n,k);
504 int crypto_box_open_afternm(u8 *m,
const u8 *c,u64 d,
const u8 *n,
const u8 *k)
506 return crypto_secretbox_open(m,c,d,n,k);
509 int crypto_box(u8 *c,
const u8 *m,u64 d,
const u8 *n,
const u8 *y,
const u8 *x)
512 crypto_box_beforenm(k,y,x);
513 return crypto_box_afternm(c,m,d,n,k);
516 int crypto_box_open(u8 *m,
const u8 *c,u64 d,
const u8 *n,
const u8 *y,
const u8 *x)
519 crypto_box_beforenm(k,y,x);
520 return crypto_box_open_afternm(m,c,d,n,k);
523 static u64 R(u64 x,
int c) {
return (x >> c) | (x << (64 - c)); }
524 static u64 Ch(u64 x,u64 y,u64 z) {
return (x & y) ^ (~x & z); }
525 static u64 Maj(u64 x,u64 y,u64 z) {
return (x & y) ^ (x & z) ^ (y & z); }
526 static u64 Sigma0(u64 x) {
return R(x,28) ^ R(x,34) ^ R(x,39); }
527 static u64 Sigma1(u64 x) {
return R(x,14) ^ R(x,18) ^ R(x,41); }
528 static u64 sigma0(u64 x) {
return R(x, 1) ^ R(x, 8) ^ (x >> 7); }
529 static u64 sigma1(u64 x) {
return R(x,19) ^ R(x,61) ^ (x >> 6); }
531 static const u64 K[80] =
533 0x428a2f98d728ae22ULL, 0x7137449123ef65cdULL, 0xb5c0fbcfec4d3b2fULL, 0xe9b5dba58189dbbcULL,
534 0x3956c25bf348b538ULL, 0x59f111f1b605d019ULL, 0x923f82a4af194f9bULL, 0xab1c5ed5da6d8118ULL,
535 0xd807aa98a3030242ULL, 0x12835b0145706fbeULL, 0x243185be4ee4b28cULL, 0x550c7dc3d5ffb4e2ULL,
536 0x72be5d74f27b896fULL, 0x80deb1fe3b1696b1ULL, 0x9bdc06a725c71235ULL, 0xc19bf174cf692694ULL,
537 0xe49b69c19ef14ad2ULL, 0xefbe4786384f25e3ULL, 0x0fc19dc68b8cd5b5ULL, 0x240ca1cc77ac9c65ULL,
538 0x2de92c6f592b0275ULL, 0x4a7484aa6ea6e483ULL, 0x5cb0a9dcbd41fbd4ULL, 0x76f988da831153b5ULL,
539 0x983e5152ee66dfabULL, 0xa831c66d2db43210ULL, 0xb00327c898fb213fULL, 0xbf597fc7beef0ee4ULL,
540 0xc6e00bf33da88fc2ULL, 0xd5a79147930aa725ULL, 0x06ca6351e003826fULL, 0x142929670a0e6e70ULL,
541 0x27b70a8546d22ffcULL, 0x2e1b21385c26c926ULL, 0x4d2c6dfc5ac42aedULL, 0x53380d139d95b3dfULL,
542 0x650a73548baf63deULL, 0x766a0abb3c77b2a8ULL, 0x81c2c92e47edaee6ULL, 0x92722c851482353bULL,
543 0xa2bfe8a14cf10364ULL, 0xa81a664bbc423001ULL, 0xc24b8b70d0f89791ULL, 0xc76c51a30654be30ULL,
544 0xd192e819d6ef5218ULL, 0xd69906245565a910ULL, 0xf40e35855771202aULL, 0x106aa07032bbd1b8ULL,
545 0x19a4c116b8d2d0c8ULL, 0x1e376c085141ab53ULL, 0x2748774cdf8eeb99ULL, 0x34b0bcb5e19b48a8ULL,
546 0x391c0cb3c5c95a63ULL, 0x4ed8aa4ae3418acbULL, 0x5b9cca4f7763e373ULL, 0x682e6ff3d6b2b8a3ULL,
547 0x748f82ee5defb2fcULL, 0x78a5636f43172f60ULL, 0x84c87814a1f0ab72ULL, 0x8cc702081a6439ecULL,
548 0x90befffa23631e28ULL, 0xa4506cebde82bde9ULL, 0xbef9a3f7b2c67915ULL, 0xc67178f2e372532bULL,
549 0xca273eceea26619cULL, 0xd186b8c721c0c207ULL, 0xeada7dd6cde0eb1eULL, 0xf57d4f7fee6ed178ULL,
550 0x06f067aa72176fbaULL, 0x0a637dc5a2c898a6ULL, 0x113f9804bef90daeULL, 0x1b710b35131c471bULL,
551 0x28db77f523047d84ULL, 0x32caab7b40c72493ULL, 0x3c9ebe0a15c9bebcULL, 0x431d67c49c100d4cULL,
552 0x4cc5d4becb3e42b6ULL, 0x597f299cfc657e2aULL, 0x5fcb6fab3ad6faecULL, 0x6c44198c4a475817ULL
555 int crypto_hashblocks(u8 *x,
const u8 *m,u64 n)
557 u64 z[8],b[8],a[8],w[16],t;
560 FOR(i,8) z[i] = a[i] = dl64(x + 8 * i);
563 FOR(i,16) w[i] = dl64(m + 8 * i);
566 FOR(j,8) b[j] = a[j];
567 t = a[7] + Sigma1(a[4]) + Ch(a[4],a[5],a[6]) + K[i] + w[i%16];
568 b[7] = t + Sigma0(a[0]) + Maj(a[0],a[1],a[2]);
570 FOR(j,8) a[(j+1)%8] = b[j];
573 w[j] += w[(j+9)%16] + sigma0(w[(j+1)%16]) + sigma1(w[(j+14)%16]);
576 FOR(i,8) { a[i] += z[i]; z[i] = a[i]; }
582 FOR(i,8) ts64(x+8*i,z[i]);
587 static const u8 iv[64] = {
588 0x6a,0x09,0xe6,0x67,0xf3,0xbc,0xc9,0x08,
589 0xbb,0x67,0xae,0x85,0x84,0xca,0xa7,0x3b,
590 0x3c,0x6e,0xf3,0x72,0xfe,0x94,0xf8,0x2b,
591 0xa5,0x4f,0xf5,0x3a,0x5f,0x1d,0x36,0xf1,
592 0x51,0x0e,0x52,0x7f,0xad,0xe6,0x82,0xd1,
593 0x9b,0x05,0x68,0x8c,0x2b,0x3e,0x6c,0x1f,
594 0x1f,0x83,0xd9,0xab,0xfb,0x41,0xbd,0x6b,
595 0x5b,0xe0,0xcd,0x19,0x13,0x7e,0x21,0x79
598 int crypto_hash(u8 *out,
const u8 *m,u64 n)
603 FOR(i,64) h[i] = iv[i];
605 crypto_hashblocks(h,m,n);
611 FOR(i,n) x[i] = m[i];
617 crypto_hashblocks(h,x,n);
619 FOR(i,64) out[i] = h[i];
624 sv add(gf p[4],gf q[4])
626 gf a,b,c,d,t,e,f,g,h;
649 sv cswap(gf p[4],gf q[4],u8 b)
653 sel25519(p[i],q[i],b);
656 sv pack(u8 *r,gf p[4])
663 r[31] ^= par25519(tx) << 7;
666 sv scalarmult(gf p[4],gf q[4],
const u8 *s)
673 for (i = 255;i >= 0;--i) {
674 u8 b = (s[i/8]>>(i&7))&1;
682 sv scalarbase(gf p[4],
const u8 *s)
692 int crypto_sign_keypair(u8 *pk, u8 *sk)
699 crypto_hash(d, sk, 32);
707 FOR(i,32) sk[32 + i] = pk[i];
711 static const u64 L[32] = {0xed, 0xd3, 0xf5, 0x5c, 0x1a, 0x63, 0x12, 0x58, 0xd6, 0x9c, 0xf7, 0xa2, 0xde, 0xf9, 0xde, 0x14, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0x10};
713 sv modL(u8 *r,i64 x[64])
716 for (i = 63;i >= 32;--i) {
718 for (j = i - 32;j < i - 12;++j) {
719 x[j] += carry - 16 * x[i] * L[j - (i - 32)];
720 carry = (x[j] + 128) >> 8;
728 x[j] += carry - (x[31] >> 4) * L[j];
732 FOR(j,32) x[j] -= carry * L[j];
742 FOR(i,64) x[i] = (u64) r[i];
747 int crypto_sign(u8 *sm,u64 *smlen,const u8 *m,u64 n,const u8 *sk)
749 u8 d[64],h[64],r[64];
753 crypto_hash(d, sk, 32);
759 FOR(i,n) sm[64 + i] = m[i];
760 FOR(i,32) sm[32 + i] = d[32 + i];
762 crypto_hash(r, sm+32, n+32);
767 FOR(i,32) sm[i+32] = sk[i+32];
768 crypto_hash(h,sm,n + 64);
772 FOR(i,32) x[i] = (u64) r[i];
773 FOR(i,32) FOR(j,32) x[i+j] += h[i] * (u64) d[j];
779 static
int unpackneg(gf r[4],const u8 p[32])
781 gf t, chk, num, den, den2, den4, den6;
803 if (neq25519(chk, num)) M(r[0],r[0],I);
807 if (neq25519(chk, num))
return -1;
809 if (par25519(r[0]) == (p[31]>>7)) Z(r[0],gf0,r[0]);
815 int crypto_sign_open(u8 *m,u64 *mlen,
const u8 *sm,u64 n,
const u8 *pk)
822 if (n < 64)
return -1;
824 if (unpackneg(q,pk))
return -1;
826 FOR(i,n) m[i] = sm[i];
827 FOR(i,32) m[i+32] = pk[i];
832 scalarbase(q,sm + 32);
837 if (crypto_verify_32(sm, t)) {
842 FOR(i,n) m[i] = sm[i + 64];
848 #ifdef ZMQ_HAVE_WINDOWS 851 #include <WinCrypt.h> 853 #define NCP ((HCRYPTPROV) 0) 855 HCRYPTPROV hProvider = NCP;
857 void randombytes(
unsigned char *x,
unsigned long long xlen)
862 if (hProvider == NCP) {
864 ret = CryptAcquireContext(&hProvider, NULL, NULL,
865 PROV_RSA_FULL, CRYPT_VERIFYCONTEXT | CRYPT_SILENT);
877 ret = CryptGenRandom(hProvider, i, x);
887 int randombytes_close(
void)
890 if ((hProvider != NCP) && (CryptReleaseContext(hProvider, 0) != FALSE)) {
899 #include <sys/types.h> 900 #include <sys/stat.h> 906 void randombytes (
unsigned char *x,
unsigned long long xlen)
911 fd = open(
"/dev/urandom",O_RDONLY);
932 int randombytes_close (
void)
935 if (fd != -1 && close(fd) == 0) {