dave/openttd
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

3rdparty: Update monocypher from 3.1.3 to 4.0.1

Browse Source 
Update to match interface changes
This commit is contained in:
Jonathan G Rennison
2023-06-14 17:36:06 +01:00
parent 11a3dc287b
commit c4c14cb6a7
7 changed files with 2087 additions and 2180 deletions
Download Patch File Download Diff File Expand all files Collapse all files

26
src/3rdparty/monocypher/CHANGELOG.md vendored
View File

@@ -1,3 +1,27 @@
4.0.1
-----
2023/03/06
- Fixed Ed25519 secret key size in function prototype.
- Fixed soname (should have been changed in 4.0.0)
- Added convenience sub-targets to makefile.
- Briefly specified wire format of Elligator and incremental AEAD.
4.0.0
-----
2023/02/20
- Fixed unsafe signature API.
- Simpler, more flexible low-level signature API.
- Fully specified, consensus-friendly signatures.
- Added Argon2d and Argon2id, support multiple lanes.
- Added safe and fast streaming AEAD.
- Added HKDF-SHA-512 and documented BLAKE2b KDF.
- More consistent and memorable function names.
- POSIX makefile.
3.1.3
-----
2022/04/25
@@ -151,6 +175,8 @@ boundaries. The API changes increase consistency.
- Rewrote the manual into proper man pages.
- Added incremental interfaces for authenticated encryption and
signatures.
- Replaced `crypto_memcmp()` by 3 fixed size buffer comparisons (16, 32,
and 64 bytes), to make sure the generated code remains constant time.
- A couple breaking API changes, easily fixed by renaming the affected
functions.

10
src/3rdparty/monocypher/LICENCE.md vendored
View File

@@ -11,9 +11,9 @@ to what file during which years. See below for special notes.
Licence 1 (2-clause BSD)
------------------------
Copyright (c) 2017-2020, Loup Vaillant
Copyright (c) 2017-2023, Loup Vaillant
Copyright (c) 2017-2019, Michael Savage
Copyright (c) 2017-2020, Fabio Scotoni
Copyright (c) 2017-2023, Fabio Scotoni
All rights reserved.
Redistribution and use in source and binary forms, with or without
@@ -165,9 +165,3 @@ rights.
- Affirmer understands and acknowledges that Creative Commons is not
a party to this document and has no duty or obligation with respect
to this CC0 or use of the Work.
Special notes
-------------
The files in `tests/externals/` were placed in the public domain by
their respective authors. See the `AUTHORS.md` files in each directory.

126
src/3rdparty/monocypher/README.md vendored
View File

@@ -16,22 +16,22 @@ Features
--------
- [Authenticated Encryption][AEAD] with XChaCha20 and Poly1305
(RFC 8439).
- [Hashing][HASH] with BLAKE2b.
- [Password Hashing][PWH] with Argon2i.
- [Public Key Cryptography][PKC] with X25519 (key exchange).
- [Public Key Signatures][PKS] with EdDSA (RFC 8032) and Ed25519.
- [Steganography support][STEG] with Elligator 2.
- [OPRF and PAKE support][PAKE] with Elligator 2 and scalar
inversion.
(RFC 8439).
- [Hashing and key derivation][HASH] with BLAKE2b (and [SHA-512][]).
- [Password Hashing][PWH] with Argon2.
- [Public Key Cryptography][PKC] with X25519 key exchanges.
- [Public Key Signatures][EDDSA] with EdDSA and [Ed25519][].
- [Steganography and PAKE][STEG] with [Elligator 2][ELLI].
[AEAD]: https://monocypher.org/manual/aead
[HASH]: https://monocypher.org/manual/hash
[PWH]: https://monocypher.org/manual/argon2i
[PKC]: https://monocypher.org/manual/key_exchange
[PKS]: https://monocypher.org/manual/sign
[STEG]: https://monocypher.org/manual/advanced/elligator
[PAKE]: https://monocypher.org/manual/advanced/x25519_inverse
[AEAD]: https://monocypher.org/manual/aead
[HASH]: https://monocypher.org/manual/blake2
[SHA-512]: https://monocypher.org/manual/sha-512
[PWH]: https://monocypher.org/manual/argon2
[PKC]: https://monocypher.org/manual/x25519
[EDDSA]: https://monocypher.org/manual/eddsa
[Ed25519]: https://monocypher.org/manual/ed25519
[STEG]: https://monocypher.org/manual/elligator
[ELLI]: https://elligator.org
Manual
@@ -40,10 +40,6 @@ Manual
The manual can be found at https://monocypher.org/manual/, and in the
`doc/` folder.
The `doc/man/` folder contains the man pages. You can install them in
your system by running `make install-doc`. Official releases also have a
`doc/html/` folder with an html version.
Installation
------------
@@ -54,41 +50,37 @@ The easiest way to use Monocypher is to include `src/monocypher.h` and
`src/monocypher.c` directly into your project. They compile as C (since
C99) and C++ (since C++98).
If you need the optional SHA-512 or Ed25519, grab
`src/optional/monocypher-ed25519.h` and
`src/optional/monocypher-ed25519.c` as well.
### Option 2: grab the library
Run `make`, then grab the `src/monocypher.h` header and either the
`lib/libmonocypher.a` or `lib/libmonocypher.so` library. The default
compiler is `gcc -std=gnu99`, and the default flags are `-pedantic -Wall
compiler is `gcc -std=c99`, and the default flags are `-pedantic -Wall
-Wextra -O3 -march=native`. If they don't work on your platform, you
can change them like this:
$ make CC="clang -std=c99" CFLAGS="-O2"
$ make CC="clang -std=c11" CFLAGS="-O2"
### Option 3: install it on your system
The following should work on most UNIX systems:
$ make install
This will install Monocypher in `/usr/local/` by default. Libraries
will go to `/usr/local/lib/`, the header in `/usr/local/include/`, and
the man pages in `/usr/local/share/man/man3`. You can change those
defaults with the `PREFIX` and `DESTDIR` variables thus:
Run `make`, then `make install` as root. This will install Monocypher in
`/usr/local` by default. This can be changed with `PREFIX` and
`DESTDIR`:
$ make install PREFIX="/opt"
Once installed, you can use `pkg-config` to compile and link your
program. For instance, if you have a one file C project that uses
Monocypher, you can compile it thus:
Once installed, you may use `pkg-config` to compile and link your
program. For instance:
$ gcc -o myProgram myProgram.c \
$(pkg-config monocypher --cflags) \
$(pkg-config monocypher --libs)
$ gcc program.c $(pkg-config monocypher --cflags) -c
$ gcc program.o $(pkg-config monocypher --libs) -o program
The `cflags` line gives the include path for monocypher.h, and the
`libs` line provides the link path and option required to find
`libmonocypher.a` (or `libmonocypher.so`).
If for any reason you wish to avoid installing the man pages or the
`pkg-config` file, you can use the following installation sub targets
instead: `install-lib`, `install-doc`, and `install-pc`.
Test suite
@@ -96,9 +88,9 @@ Test suite
$ make test
It should display a nice printout of all the tests, all starting with
"OK". If you see "FAILURE" anywhere, something has gone very wrong
somewhere.
It should display a nice printout of all the tests, ending with "All
tests OK!". If you see "failure" or "Error" anywhere, something has gone
wrong.
*Do not* use Monocypher without running those tests at least once.
@@ -139,53 +131,13 @@ Notes:
[TIS]: https://trust-in-soft.com/tis-interpreter/
Speed benchmark
---------------
$ make speed
This will give you an idea how fast Monocypher is on your machine. Make
sure you run it on the target platform if performance is a concern. If
Monocypher is too slow, try libsodium. If you're not sure, you can
always switch later.
Note: the speed benchmark currently requires the POSIX
`clock_gettime()` function.
There are similar benchmarks for libsodium, TweetNaCl, LibHydrogen,
c25519, and ed25519-donna (the portable, 32-bit version):
$ make speed-sodium
$ make speed-tweetnacl
$ make speed-hydrogen
$ make speed-c25519
$ make speed-donna
(The `speed-hydrogen` target assumes it has pkg-config installed. Try
`make pkg-config-libhydrogen` as root if it is not.)
You can also adjust the optimisation options for Monocypher, TweetNaCl,
and c25519 (the default is `-O3 march=native`):
$ make speed CFLAGS="-O2"
$ make speed-tweetnacl CFLAGS="-O2"
Customisation
-------------
Monocypher has optional compatibility with Ed25519. To have that, add
`monocypher-ed25519.h` and `monocypher-ed25519.c` provided in
`src/optional` to your project. If you're using the makefile, define
the `USE_ED25519` variable to link it to monocypher.a and monocypher.so:
$ make USE_ED25519=true
If you install Monocypher with the makefile, you also need that option
to copy `monocypher-ed25519.h` automatically:
$ make install USE_ED25519=true
`src/optional` to your project. If you compile or install Monocypher
with the makefile, they will be automatically included.
Monocypher also has the `BLAKE2_NO_UNROLLING` preprocessor flag, which
is activated by compiling monocypher.c with the `-DBLAKE2_NO_UNROLLING`
@@ -205,10 +157,8 @@ defined (the default), we assume Monocypher is compiled as C, and an
included in C++ code.
The `change-prefix.sh` script can rename all functions by replacing
"crypto_" by a chosen prefix, so you can avoid name clashes. For
instance, the following command changes all instances of "crypto_" by
"foobar_" (note the absence of the underscore):
`crypto_` by a chosen prefix, so you can avoid name clashes. For
instance, the following command changes all instances of `crypto_` by
`foobar_` (note the absence of the underscore):
./change-prefix.sh foobar

3699
src/3rdparty/monocypher/monocypher.c vendored
View File

File diff suppressed because it is too large Load Diff

395
src/3rdparty/monocypher/monocypher.h vendored
View File

@@ -1,4 +1,4 @@
// Monocypher version 3.1.3
// Monocypher version 4.0.1
//
// This file is dual-licensed. Choose whichever licence you want from
// the two licences listed below.
@@ -63,60 +63,6 @@ namespace MONOCYPHER_CPP_NAMESPACE {
extern "C" {
#endif
////////////////////////
/// Type definitions ///
////////////////////////
// Vtable for EdDSA with a custom hash.
// Instantiate it to define a custom hash.
// Its size, contents, and layout, are part of the public API.
typedef struct {
void (*hash)(uint8_t hash[64], const uint8_t *message, size_t message_size);
void (*init )(void *ctx);
void (*update)(void *ctx, const uint8_t *message, size_t message_size);
void (*final )(void *ctx, uint8_t hash[64]);
size_t ctx_size;
} crypto_sign_vtable;
// Do not rely on the size or contents of any of the types below,
// they may change without notice.
// Poly1305
typedef struct {
uint32_t r[4]; // constant multiplier (from the secret key)
uint32_t h[5]; // accumulated hash
uint8_t c[16]; // chunk of the message
uint32_t pad[4]; // random number added at the end (from the secret key)
size_t c_idx; // How many bytes are there in the chunk.
} crypto_poly1305_ctx;
// Hash (BLAKE2b)
typedef struct {
uint64_t hash[8];
uint64_t input_offset[2];
uint64_t input[16];
size_t input_idx;
size_t hash_size;
} crypto_blake2b_ctx;
// Signatures (EdDSA)
typedef struct {
const crypto_sign_vtable *hash;
uint8_t buf[96];
uint8_t pk [32];
} crypto_sign_ctx_abstract;
typedef crypto_sign_ctx_abstract crypto_check_ctx_abstract;
typedef struct {
crypto_sign_ctx_abstract ctx;
crypto_blake2b_ctx hash;
} crypto_sign_ctx;
typedef crypto_sign_ctx crypto_check_ctx;
////////////////////////////
/// High level interface ///
////////////////////////////
// Constant time comparisons
// -------------------------
@@ -125,156 +71,207 @@ int crypto_verify16(const uint8_t a[16], const uint8_t b[16]);
int crypto_verify32(const uint8_t a[32], const uint8_t b[32]);
int crypto_verify64(const uint8_t a[64], const uint8_t b[64]);
// Erase sensitive data
// --------------------
// Please erase all copies
void crypto_wipe(void *secret, size_t size);
// Authenticated encryption
// ------------------------
void crypto_lock(uint8_t mac[16],
uint8_t *cipher_text,
const uint8_t key[32],
const uint8_t nonce[24],
const uint8_t *plain_text, size_t text_size);
int crypto_unlock(uint8_t *plain_text,
const uint8_t key[32],
const uint8_t nonce[24],
const uint8_t mac[16],
const uint8_t *cipher_text, size_t text_size);
// With additional data
void crypto_lock_aead(uint8_t mac[16],
uint8_t *cipher_text,
const uint8_t key[32],
void crypto_aead_lock(uint8_t *cipher_text,
uint8_t mac [16],
const uint8_t key [32],
const uint8_t nonce[24],
const uint8_t *ad , size_t ad_size,
const uint8_t *ad, size_t ad_size,
const uint8_t *plain_text, size_t text_size);
int crypto_unlock_aead(uint8_t *plain_text,
const uint8_t key[32],
int crypto_aead_unlock(uint8_t *plain_text,
const uint8_t mac [16],
const uint8_t key [32],
const uint8_t nonce[24],
const uint8_t mac[16],
const uint8_t *ad , size_t ad_size,
const uint8_t *ad, size_t ad_size,
const uint8_t *cipher_text, size_t text_size);
// Authenticated stream
// --------------------
typedef struct {
uint64_t counter;
uint8_t key[32];
uint8_t nonce[8];
} crypto_aead_ctx;
void crypto_aead_init_x(crypto_aead_ctx *ctx,
const uint8_t key[32], const uint8_t nonce[24]);
void crypto_aead_init_djb(crypto_aead_ctx *ctx,
const uint8_t key[32], const uint8_t nonce[8]);
void crypto_aead_init_ietf(crypto_aead_ctx *ctx,
const uint8_t key[32], const uint8_t nonce[12]);
void crypto_aead_write(crypto_aead_ctx *ctx,
uint8_t *cipher_text,
uint8_t mac[16],
const uint8_t *ad , size_t ad_size,
const uint8_t *plain_text, size_t text_size);
int crypto_aead_read(crypto_aead_ctx *ctx,
uint8_t *plain_text,
const uint8_t mac[16],
const uint8_t *ad , size_t ad_size,
const uint8_t *cipher_text, size_t text_size);
// General purpose hash (BLAKE2b)
// ------------------------------
// Direct interface
void crypto_blake2b(uint8_t hash[64],
void crypto_blake2b(uint8_t *hash, size_t hash_size,
const uint8_t *message, size_t message_size);
void crypto_blake2b_general(uint8_t *hash , size_t hash_size,
const uint8_t *key , size_t key_size, // optional
const uint8_t *message, size_t message_size);
void crypto_blake2b_keyed(uint8_t *hash, size_t hash_size,
const uint8_t *key, size_t key_size,
const uint8_t *message, size_t message_size);
// Incremental interface
void crypto_blake2b_init (crypto_blake2b_ctx *ctx);
typedef struct {
// Do not rely on the size or contents of this type,
// for they may change without notice.
uint64_t hash[8];
uint64_t input_offset[2];
uint64_t input[16];
size_t input_idx;
size_t hash_size;
} crypto_blake2b_ctx;
void crypto_blake2b_init(crypto_blake2b_ctx *ctx, size_t hash_size);
void crypto_blake2b_keyed_init(crypto_blake2b_ctx *ctx, size_t hash_size,
const uint8_t *key, size_t key_size);
void crypto_blake2b_update(crypto_blake2b_ctx *ctx,
const uint8_t *message, size_t message_size);
void crypto_blake2b_final (crypto_blake2b_ctx *ctx, uint8_t *hash);
void crypto_blake2b_general_init(crypto_blake2b_ctx *ctx, size_t hash_size,
const uint8_t *key, size_t key_size);
// vtable for signatures
extern const crypto_sign_vtable crypto_blake2b_vtable;
void crypto_blake2b_final(crypto_blake2b_ctx *ctx, uint8_t *hash);
// Password key derivation (Argon2 i)
// ----------------------------------
void crypto_argon2i(uint8_t *hash, uint32_t hash_size, // >= 4
void *work_area, uint32_t nb_blocks, // >= 8
uint32_t nb_iterations, // >= 3
const uint8_t *password, uint32_t password_size,
const uint8_t *salt, uint32_t salt_size); // >= 8
// Password key derivation (Argon2)
// --------------------------------
#define CRYPTO_ARGON2_D 0
#define CRYPTO_ARGON2_I 1
#define CRYPTO_ARGON2_ID 2
void crypto_argon2i_general(uint8_t *hash, uint32_t hash_size,// >= 4
void *work_area, uint32_t nb_blocks,// >= 8
uint32_t nb_iterations, // >= 3
const uint8_t *password, uint32_t password_size,
const uint8_t *salt, uint32_t salt_size,// >= 8
const uint8_t *key, uint32_t key_size,
const uint8_t *ad, uint32_t ad_size);
typedef struct {
uint32_t algorithm; // Argon2d, Argon2i, Argon2id
uint32_t nb_blocks; // memory hardness, >= 8 * nb_lanes
uint32_t nb_passes; // CPU hardness, >= 1 (>= 3 recommended for Argon2i)
uint32_t nb_lanes; // parallelism level (single threaded anyway)
} crypto_argon2_config;
typedef struct {
const uint8_t *pass;
const uint8_t *salt;
uint32_t pass_size;
uint32_t salt_size; // 16 bytes recommended
} crypto_argon2_inputs;
typedef struct {
const uint8_t *key; // may be NULL if no key
const uint8_t *ad; // may be NULL if no additional data
uint32_t key_size; // 0 if no key (32 bytes recommended otherwise)
uint32_t ad_size; // 0 if no additional data
} crypto_argon2_extras;
extern const crypto_argon2_extras crypto_argon2_no_extras;
void crypto_argon2(uint8_t *hash, uint32_t hash_size, void *work_area,
crypto_argon2_config config,
crypto_argon2_inputs inputs,
crypto_argon2_extras extras);
// Key exchange (x25519 + HChacha20)
// ---------------------------------
#define crypto_key_exchange_public_key crypto_x25519_public_key
void crypto_key_exchange(uint8_t shared_key [32],
const uint8_t your_secret_key [32],
const uint8_t their_public_key[32]);
// Key exchange (X-25519)
// ----------------------
// Shared secrets are not quite random.
// Hash them to derive an actual shared key.
void crypto_x25519_public_key(uint8_t public_key[32],
const uint8_t secret_key[32]);
void crypto_x25519(uint8_t raw_shared_secret[32],
const uint8_t your_secret_key [32],
const uint8_t their_public_key [32]);
// Conversion to EdDSA
void crypto_x25519_to_eddsa(uint8_t eddsa[32], const uint8_t x25519[32]);
// scalar "division"
// Used for OPRF. Be aware that exponential blinding is less secure
// than Diffie-Hellman key exchange.
void crypto_x25519_inverse(uint8_t blind_salt [32],
const uint8_t private_key[32],
const uint8_t curve_point[32]);
// "Dirty" versions of x25519_public_key().
// Use with crypto_elligator_rev().
// Leaks 3 bits of the private key.
void crypto_x25519_dirty_small(uint8_t pk[32], const uint8_t sk[32]);
void crypto_x25519_dirty_fast (uint8_t pk[32], const uint8_t sk[32]);
// Signatures (EdDSA with curve25519 + BLAKE2b)
// --------------------------------------------
// Signatures
// ----------
// Generate public key
void crypto_sign_public_key(uint8_t public_key[32],
const uint8_t secret_key[32]);
// EdDSA with curve25519 + BLAKE2b
void crypto_eddsa_key_pair(uint8_t secret_key[64],
uint8_t public_key[32],
uint8_t seed[32]);
void crypto_eddsa_sign(uint8_t signature [64],
const uint8_t secret_key[64],
const uint8_t *message, size_t message_size);
int crypto_eddsa_check(const uint8_t signature [64],
const uint8_t public_key[32],
const uint8_t *message, size_t message_size);
// Direct interface
void crypto_sign(uint8_t signature [64],
const uint8_t secret_key[32],
const uint8_t public_key[32], // optional, may be 0
const uint8_t *message, size_t message_size);
int crypto_check(const uint8_t signature [64],
const uint8_t public_key[32],
const uint8_t *message, size_t message_size);
// Conversion to X25519
void crypto_eddsa_to_x25519(uint8_t x25519[32], const uint8_t eddsa[32]);
////////////////////////////
/// Low level primitives ///
////////////////////////////
// EdDSA building blocks
void crypto_eddsa_trim_scalar(uint8_t out[32], const uint8_t in[32]);
void crypto_eddsa_reduce(uint8_t reduced[32], const uint8_t expanded[64]);
void crypto_eddsa_mul_add(uint8_t r[32],
const uint8_t a[32],
const uint8_t b[32],
const uint8_t c[32]);
void crypto_eddsa_scalarbase(uint8_t point[32], const uint8_t scalar[32]);
int crypto_eddsa_check_equation(const uint8_t signature[64],
const uint8_t public_key[32],
const uint8_t h_ram[32]);
// For experts only. You have been warned.
// Chacha20
// --------
// Specialised hash.
// Used to hash X25519 shared secrets.
void crypto_hchacha20(uint8_t out[32],
const uint8_t key[32],
const uint8_t in [16]);
void crypto_chacha20_h(uint8_t out[32],
const uint8_t key[32],
const uint8_t in [16]);
// Unauthenticated stream cipher.
// Don't forget to add authentication.
void crypto_chacha20(uint8_t *cipher_text,
const uint8_t *plain_text,
size_t text_size,
const uint8_t key[32],
const uint8_t nonce[8]);
void crypto_xchacha20(uint8_t *cipher_text,
const uint8_t *plain_text,
size_t text_size,
const uint8_t key[32],
const uint8_t nonce[24]);
void crypto_ietf_chacha20(uint8_t *cipher_text,
const uint8_t *plain_text,
size_t text_size,
const uint8_t key[32],
const uint8_t nonce[12]);
uint64_t crypto_chacha20_ctr(uint8_t *cipher_text,
uint64_t crypto_chacha20_djb(uint8_t *cipher_text,
const uint8_t *plain_text,
size_t text_size,
const uint8_t key[32],
const uint8_t nonce[8],
uint64_t ctr);
uint64_t crypto_xchacha20_ctr(uint8_t *cipher_text,
uint32_t crypto_chacha20_ietf(uint8_t *cipher_text,
const uint8_t *plain_text,
size_t text_size,
const uint8_t key[32],
const uint8_t nonce[24],
uint64_t ctr);
uint32_t crypto_ietf_chacha20_ctr(uint8_t *cipher_text,
const uint8_t *plain_text,
size_t text_size,
const uint8_t key[32],
const uint8_t nonce[12],
uint32_t ctr);
const uint8_t nonce[12],
uint32_t ctr);
uint64_t crypto_chacha20_x(uint8_t *cipher_text,
const uint8_t *plain_text,
size_t text_size,
const uint8_t key[32],
const uint8_t nonce[24],
uint64_t ctr);
// Poly 1305
// ---------
@@ -289,93 +286,33 @@ void crypto_poly1305(uint8_t mac[16],
const uint8_t key[32]);
// Incremental interface
typedef struct {
// Do not rely on the size or contents of this type,
// for they may change without notice.
uint8_t c[16]; // chunk of the message
size_t c_idx; // How many bytes are there in the chunk.
uint32_t r [4]; // constant multiplier (from the secret key)
uint32_t pad[4]; // random number added at the end (from the secret key)
uint32_t h [5]; // accumulated hash
} crypto_poly1305_ctx;
void crypto_poly1305_init (crypto_poly1305_ctx *ctx, const uint8_t key[32]);
void crypto_poly1305_update(crypto_poly1305_ctx *ctx,
const uint8_t *message, size_t message_size);
void crypto_poly1305_final (crypto_poly1305_ctx *ctx, uint8_t mac[16]);
// X-25519
// -------
// Shared secrets are not quite random.
// Hash them to derive an actual shared key.
void crypto_x25519_public_key(uint8_t public_key[32],
const uint8_t secret_key[32]);
void crypto_x25519(uint8_t raw_shared_secret[32],
const uint8_t your_secret_key [32],
const uint8_t their_public_key [32]);
// "Dirty" versions of x25519_public_key()
// Only use to generate ephemeral keys you want to hide.
// Note that those functions leaks 3 bits of the private key.
void crypto_x25519_dirty_small(uint8_t pk[32], const uint8_t sk[32]);
void crypto_x25519_dirty_fast (uint8_t pk[32], const uint8_t sk[32]);
// scalar "division"
// Used for OPRF. Be aware that exponential blinding is less secure
// than Diffie-Hellman key exchange.
void crypto_x25519_inverse(uint8_t blind_salt [32],
const uint8_t private_key[32],
const uint8_t curve_point[32]);
// EdDSA to X25519
// ---------------
void crypto_from_eddsa_private(uint8_t x25519[32], const uint8_t eddsa[32]);
void crypto_from_eddsa_public (uint8_t x25519[32], const uint8_t eddsa[32]);
// EdDSA -- Incremental interface
// ------------------------------
// Signing (2 passes)
// Make sure the two passes hash the same message,
// else you might reveal the private key.
void crypto_sign_init_first_pass(crypto_sign_ctx_abstract *ctx,
const uint8_t secret_key[32],
const uint8_t public_key[32]);
void crypto_sign_update(crypto_sign_ctx_abstract *ctx,
const uint8_t *message, size_t message_size);
void crypto_sign_init_second_pass(crypto_sign_ctx_abstract *ctx);
// use crypto_sign_update() again.
void crypto_sign_final(crypto_sign_ctx_abstract *ctx, uint8_t signature[64]);
// Verification (1 pass)
// Make sure you don't use (parts of) the message
// before you're done checking it.
void crypto_check_init (crypto_check_ctx_abstract *ctx,
const uint8_t signature[64],
const uint8_t public_key[32]);
void crypto_check_update(crypto_check_ctx_abstract *ctx,
const uint8_t *message, size_t message_size);
int crypto_check_final (crypto_check_ctx_abstract *ctx);
// Custom hash interface
void crypto_sign_public_key_custom_hash(uint8_t public_key[32],
const uint8_t secret_key[32],
const crypto_sign_vtable *hash);
void crypto_sign_init_first_pass_custom_hash(crypto_sign_ctx_abstract *ctx,
const uint8_t secret_key[32],
const uint8_t public_key[32],
const crypto_sign_vtable *hash);
void crypto_check_init_custom_hash(crypto_check_ctx_abstract *ctx,
const uint8_t signature[64],
const uint8_t public_key[32],
const crypto_sign_vtable *hash);
// Elligator 2
// -----------
// Elligator mappings proper
void crypto_hidden_to_curve(uint8_t curve [32], const uint8_t hidden[32]);
int crypto_curve_to_hidden(uint8_t hidden[32], const uint8_t curve [32],
uint8_t tweak);
void crypto_elligator_map(uint8_t curve [32], const uint8_t hidden[32]);
int crypto_elligator_rev(uint8_t hidden[32], const uint8_t curve [32],
uint8_t tweak);
// Easy to use key pair generation
void crypto_hidden_key_pair(uint8_t hidden[32], uint8_t secret_key[32],
uint8_t seed[32]);
void crypto_elligator_key_pair(uint8_t hidden[32], uint8_t secret_key[32],
uint8_t seed[32]);
#ifdef __cplusplus
}

7
src/network/network.cpp
View File

@@ -235,19 +235,16 @@ std::vector<uint8> GenerateGeneralPasswordHash(const std::string &password, cons
if (password.empty()) return {};
std::vector<byte> data;
data.reserve(password.size() + password_server_id.size() + 6);
data.reserve(password_server_id.size() + password.size() + 10);
BufferSerialiser buffer(data);
/* key field */
buffer.Send_uint64(password_game_seed);
/* message field */
buffer.Send_string(password_server_id);
buffer.Send_string(password);
std::vector<byte> output;
output.resize(64);
crypto_blake2b_general(output.data(), output.size(), data.data(), 8, data.data() + 8, data.size() - 8);
crypto_blake2b(output.data(), output.size(), data.data(), data.size());
return output;
}

4
src/sl/company_sl.cpp
View File

@@ -605,7 +605,7 @@ static void Load_PLYP()
std::vector<uint8> buffer(size - 16 - 24 - 16);
ReadBuffer::GetCurrent()->CopyBytes(buffer.data(), buffer.size());
if (crypto_unlock(buffer.data(), _network_company_password_storage_key, nonce, mac, buffer.data(), buffer.size()) == 0) {
if (crypto_aead_unlock(buffer.data(), mac, _network_company_password_storage_key, nonce, nullptr, 0, buffer.data(), buffer.size()) == 0) {
SlLoadFromBuffer(buffer.data(), buffer.size(), [invalid_mask]() {
_network_company_server_id.resize(SlReadUint32());
ReadBuffer::GetCurrent()->CopyBytes((uint8 *)_network_company_server_id.data(), _network_company_server_id.size());
@@ -684,7 +684,7 @@ static void Save_PLYP()
uint8 mac[16]; /* Message authentication code */
/* Encrypt in place */
crypto_lock(mac, buffer.data(), _network_company_password_storage_key, nonce, buffer.data(), buffer.size());
crypto_aead_lock(buffer.data(), mac, _network_company_password_storage_key, nonce, nullptr, 0, buffer.data(), buffer.size());
SlSetLength(2 + 16 + 24 + 16 + buffer.size());
SlWriteUint16(0); // Invalid mask