- name: Run tests with clang sanitizers
run: |
- make clean; make test; make test-legacy -j4
+ make clean; make test -j4
echo "Make with O3 optimization and no blake2 loop unrolling"
make clean; make test CFLAGS="-DBLAKE2_NO_UNROLLING -O3" -j4
+++ /dev/null
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2019, 2021 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2019 and 2021 by Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd June 11, 2021
-.Dt CRYPTO_CHACHA20_ENCRYPT 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_chacha20_encrypt ,
-.Nm crypto_chacha20_init ,
-.Nm crypto_chacha20_x_init ,
-.Nm crypto_chacha20_stream ,
-.Nm crypto_chacha20_set_ctr
-.Nd deprecated ChaCha20 and XChaCha20 encryption functions
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_chacha20_init
-.Fa "crypto_chacha_ctx *ctx"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[8]"
-.Fc
-.Ft void
-.Fo crypto_chacha20_x_init
-.Fa "crypto_chacha_ctx *ctx"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[24]"
-.Fc
-.Ft void
-.Fo crypto_chacha20_encrypt
-.Fa "crypto_chacha_ctx *ctx"
-.Fa "uint8_t *cipher_text"
-.Fa "const uint8_t *plain_text"
-.Fa "size_t text_size"
-.Fc
-.Ft void
-.Fo crypto_chacha20_stream
-.Fa "crypto_chacha_ctx *ctx"
-.Fa "uint8_t *stream"
-.Fa "size_t stream_size"
-.Fc
-.Ft void
-.Fo crypto_chacha20_set_ctr
-.Fa "crypto_chacha_ctx *ctx"
-.Fa "uint64_t ctr"
-.Fc
-.Sh DESCRIPTION
-These functions provided an incremental interface for the ChaCha20
-cipher.
-They were deprecated in favour of
-.Xr crypto_chacha20 3monocypher ,
-.Xr crypto_chacha20_ctr 3monocypher ,
-.Xr crypto_xchacha20 3monocypher , and
-.Xr crypto_xchacha20_ctr 3monocypher .
-.Pp
-For encryption, you can achieve an identical effect
-as the deprecated functions by using
-.Xr crypto_chacha20_ctr 3monocypher
-or
-.Xr crypto_xchacha20_ctr 3monocypher .
-However,
-care needs to be taken with regards to handling the counter value
-when migrating old code to use the new functions.
-The new functions
-.Em always return the next counter value .
-This means that input ciphertexts or plaintexts
-whose lengths are not exactly multiples of 64 bytes
-advance the counter, even though there is theoretically some space left
-in a ChaCha20 block.
-New applications should design their code so that either
-the protocol is not reliant on the counter covering the entire text
-(e.g. by cutting input into independent chunks) or
-inputs are always such that their lengths are multiples of 64 bytes
-(e.g. by buffering input until 64 bytes have been obtained).
-.Pp
-To obtain the raw ChaCha20 stream previously provided by
-.Fn crypto_chacha20_stream ,
-pass
-.Dv NULL
-to
-.Xr crypto_chacha20
-as plaintext.
-.Sh RETURN VALUES
-These functions return nothing.
-.Sh SEE ALSO
-.Xr crypto_chacha20 3monocypher ,
-.Xr crypto_chacha20_ctr 3monocypher ,
-.Xr crypto_xchacha20 3monocypher ,
-.Xr crypto_xchacha20_ctr 3monocypher ,
-.Xr crypto_lock 3monocypher ,
-.Xr crypto_wipe 3monocypher ,
-.Xr intro 3monocypher
-.Sh HISTORY
-The
-.Fn crypto_chacha20_encrypt
-and
-.Fn crypto_chacha20_init
-functions first appeared in Monocypher 0.1.
-.Fn crypto_chacha20_stream
-was added in Monocypher 0.2.
-.Fn crypto_chacha20_x_init
-and
-.Fn crypto_chacha20_set_ctr
-were added in Monocypher 1.0.
-They were deprecated in Monocypher 3.0.0
-and will be removed in Monocypher 4.0.0.
+++ /dev/null
-crypto_chacha20_encrypt.3monocypher
\ No newline at end of file
+++ /dev/null
-crypto_chacha20_encrypt.3monocypher
\ No newline at end of file
+++ /dev/null
-crypto_chacha20_encrypt.3monocypher
\ No newline at end of file
+++ /dev/null
-crypto_chacha20_encrypt.3monocypher
\ No newline at end of file
+++ /dev/null
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2017-2021 Loup Vaillant
-.\" Copyright (c) 2017-2018 Michael Savage
-.\" Copyright (c) 2017, 2019-2021 Fabio Scotoni
-.\" Copyright (c) 2020 Richard Walmsley
-.\" Copyright (c) 2022 Samuel Lucas
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2017-2022 by Loup Vaillant, Michael Savage, Fabio Scotoni,
-.\" Richard Walmsley and Samuel Lucas
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd February 12, 2022
-.Dt CRYPTO_KEY_EXCHANGE 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_key_exchange ,
-.Nm crypto_key_exchange_public_key
-.Nd Key Exchange (Public Key Cryptography)
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_key_exchange
-.Fa "uint8_t shared_key[32]"
-.Fa "const uint8_t your_secret_key[32]"
-.Fa "const uint8_t their_public_key[32]"
-.Fc
-.Ft void
-.Fo crypto_key_exchange_public_key
-.Fa "uint8_t your_public_key[32]"
-.Fa "const uint8_t your_secret_key[32]"
-.Fc
-.Sh DESCRIPTION
-.Fn crypto_key_exchange
-computes a shared key with your secret key and their public key.
-.Pp
-.Fn crypto_key_exchange_public_key
-deterministically computes the public key from a random secret key.
-.Pp
-These functions are
-.Sy deprecated
-in favor of using a higher level protocol with
-.Xr crypto_x25519 3monocypher .
-.Pp
-The arguments are:
-.Bl -tag -width Ds
-.It Fa shared_key
-The shared secret, known only to those who know a relevant secret key
-(yours or theirs).
-It is cryptographically random and suitable for use with the
-.Xr crypto_lock 3monocypher
-family of functions.
-.It Fa your_secret_key
-A 32-byte random number known only to you.
-See
-.Xr intro 3monocypher
-for advice about generating random bytes (use the operating system's
-random number generator).
-.It Fa their_public_key
-The public key of the other party.
-.It Fa your_public_key
-Your public key, generated from
-.Fa your_secret_key
-with
-.Fn crypto_key_exchange_public_key .
-.El
-.Pp
-.Fa shared_key
-and
-.Fa your_secret_key
-may overlap if the secret is no longer required.
-.Pp
-Some poorly designed protocols require a test for
-.Dq contributory
-behaviour, which ensures that no untrusted party forces the shared
-secret to a known constant.
-Protocols should instead be designed in such a way that no such check
-is necessary; namely, by authenticating the other party or exchanging
-keys over a trusted channel.
-.Pp
-Do not use the same secret key for both key exchanges and signatures.
-The public keys are different and revealing both may leak information.
-If there really is no room to store or derive two different secret keys,
-consider generating a key pair for signatures and then converting it
-with
-.Xr crypto_from_eddsa_private 3monocypher
-and
-.Xr crypto_from_eddsa_public 3monocypher .
-.Sh RETURN VALUES
-.Fn crypto_key_exchange
-and
-.Fn crypto_key_exchange_public_key
-return nothing.
-.Sh EXAMPLES
-The following examples assume the existence of
-.Fn arc4random_buf ,
-which fills the given buffer with cryptographically secure random bytes.
-If
-.Fn arc4random_buf
-does not exist on your system, see
-.Xr intro 3monocypher
-for advice about how to generate cryptographically secure random bytes.
-.Pp
-Generate a public key from a randomly generated secret key:
-.Bd -literal -offset indent
-uint8_t sk[32]; /* Random secret key */
-uint8_t pk[32]; /* Public key */
-arc4random_buf(sk, 32);
-crypto_key_exchange_public_key(pk, sk);
-/* Wipe secrets if they are no longer needed */
-crypto_wipe(sk, 32);
-.Ed
-.Pp
-Generate a shared, symmetric key with your secret key and their public
-key.
-(The other party will generate the same shared key with your public
-key and their secret key.)
-.Bd -literal -offset indent
-const uint8_t their_pk [32]; /* Their public key */
-uint8_t your_sk [32]; /* Your secret key */
-uint8_t shared_key[32]; /* Shared session key */
-crypto_key_exchange(shared_key, your_sk, their_pk);
-/* Wipe secrets if they are no longer needed */
-crypto_wipe(your_sk, 32);
-.Ed
-.Sh SEE ALSO
-.Xr crypto_lock 3monocypher ,
-.Xr intro 3monocypher
-.Sh STANDARDS
-These functions implement X25519, described in RFC 7748.
-.Fn crypto_key_exchange
-uses HChaCha20 as well.
-.Sh HISTORY
-The
-.Fn crypto_key_exchange
-function first appeared in Monocypher 0.2.
-The
-.Fn crypto_key_exchange_public_key
-macro alias first appeared in Monocypher 1.1.0.
-Both were deprecated in Monocypher 3.1.3
-and are planned to be removed in Monocypher 4.0.0.
-.Sh SECURITY CONSIDERATIONS
-If either of the long-term secret keys leaks, it may compromise
-.Em all past messages .
-This can be avoided by using protocols that provide forward secrecy,
-such as the X3DH key agreement protocol.
-.Pp
-Many (private, public) key pairs produce the same shared secret.
-Therefore, not including the public keys in the key derivation can
-lead to subtle vulnerabilities.
-This can be avoided by hashing the shared secret concatenated with
-both public keys.
-For example,
-.D1 BLAKE2b(shared_secret || your_pk || their_pk)
-using
-.Xr crypto_blake2b 3monocypher .
-.Sh IMPLEMENTATION DETAILS
-.Fn crypto_key_exchange_public_key
-is an alias to
-.Xr crypto_x25519_public_key 3monocypher .
+++ /dev/null
-crypto_key_exchange.3monocypher
\ No newline at end of file
+++ /dev/null
-crypto_lock_init.3monocypher
\ No newline at end of file
+++ /dev/null
-crypto_lock_init.3monocypher
\ No newline at end of file
+++ /dev/null
-crypto_lock_init.3monocypher
\ No newline at end of file
+++ /dev/null
-.\" This file is dual-licensed. Choose whichever you want.
-.\"
-.\" The first licence is a regular 2-clause BSD licence. The second licence
-.\" is the CC-0 from Creative Commons. It is intended to release Monocypher
-.\" to the public domain. The BSD licence serves as a fallback option.
-.\"
-.\" SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Copyright (c) 2017-2019, 2022 Loup Vaillant
-.\" Copyright (c) 2017 Michael Savage
-.\" Copyright (c) 2017, 2019 Fabio Scotoni
-.\" All rights reserved.
-.\"
-.\"
-.\" Redistribution and use in source and binary forms, with or without
-.\" modification, are permitted provided that the following conditions are
-.\" met:
-.\"
-.\" 1. Redistributions of source code must retain the above copyright
-.\" notice, this list of conditions and the following disclaimer.
-.\"
-.\" 2. Redistributions in binary form must reproduce the above copyright
-.\" notice, this list of conditions and the following disclaimer in the
-.\" documentation and/or other materials provided with the
-.\" distribution.
-.\"
-.\" THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-.\" "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-.\" LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-.\" A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-.\" HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-.\" SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-.\" LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-.\" DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-.\" THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-.\" OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-.\"
-.\" ----------------------------------------------------------------------------
-.\"
-.\" Written in 2017-2022 by Loup Vaillant, Michael Savage and Fabio Scotoni
-.\"
-.\" To the extent possible under law, the author(s) have dedicated all copyright
-.\" and related neighboring rights to this software to the public domain
-.\" worldwide. This software is distributed without any warranty.
-.\"
-.\" You should have received a copy of the CC0 Public Domain Dedication along
-.\" with this software. If not, see
-.\" <https://creativecommons.org/publicdomain/zero/1.0/>
-.\"
-.Dd February 14, 2022
-.Dt CRYPTO_LOCK_INIT 3MONOCYPHER
-.Os
-.Sh NAME
-.Nm crypto_lock_init ,
-.Nm crypto_lock_auth_ad ,
-.Nm crypto_lock_auth_message ,
-.Nm crypto_lock_update ,
-.Nm crypto_lock_final ,
-.Nm crypto_unlock_init ,
-.Nm crypto_unlock_auth_ad ,
-.Nm crypto_unlock_auth_message ,
-.Nm crypto_unlock_update ,
-.Nm crypto_unlock_final
-.Nd incremental authenticated encryption with additional data
-.Sh SYNOPSIS
-.In monocypher.h
-.Ft void
-.Fo crypto_lock_init
-.Fa "crypto_lock_ctx *ctx"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[24]"
-.Fc
-.Ft void
-.Fo crypto_lock_auth_ad
-.Fa "crypto_lock_ctx *ctx"
-.Fa "const uint8_t *ad"
-.Fa "size_t ad_size"
-.Fc
-.Ft void
-.Fo crypto_lock_auth_message
-.Fa "crypto_lock_ctx *ctx"
-.Fa "const uint8_t *plain_text"
-.Fa "size_t text_size"
-.Fc
-.Ft void
-.Fo crypto_lock_update
-.Fa "crypto_lock_ctx *ctx"
-.Fa "uint8_t *cipher_text"
-.Fa "const uint8_t *plain_text"
-.Fa "size_t text_size"
-.Fc
-.Ft void
-.Fo crypto_lock_final
-.Fa "crypto_lock_ctx *ctx"
-.Fa "uint8_t mac[16]"
-.Fc
-.Ft void
-.Fo crypto_unlock_init
-.Fa "crypto_unlock_ctx *ctx"
-.Fa "const uint8_t key[32]"
-.Fa "const uint8_t nonce[24]"
-.Fc
-.Ft void
-.Fo crypto_unlock_auth_ad
-.Fa "crypto_unlock_ctx *ctx"
-.Fa "const uint8_t *ad"
-.Fa "size_t ad_size"
-.Fc
-.Ft void
-.Fo crypto_unlock_auth_message
-.Fa "crypto_unlock_ctx *ctx"
-.Fa "const uint8_t *plain_text"
-.Fa "size_t text_size"
-.Fc
-.Ft void
-.Fo crypto_unlock_update
-.Fa "crypto_unlock_ctx *ctx"
-.Fa "uint8_t *plain_text"
-.Fa "const uint8_t *cipher_text"
-.Fa "size_t text_size"
-.Fc
-.Ft int
-.Fo crypto_unlock_final
-.Fa "crypto_unlock_ctx *ctx"
-.Fa "const uint8_t mac[16]"
-.Fc
-.Sh DESCRIPTION
-These functions were variants of
-.Xr crypto_lock 3monocypher ,
-.Xr crypto_unlock 3monocypher ,
-.Xr crypto_lock_aead 3monocypher
-and
-.Xr crypto_unlock_aead 3monocypher .
-They are deprecated in favor of
-those simpler functions.
-.Pp
-Change your protocol so that it does not rely on the removed functions,
-namely by splitting the data into chunks that you can individually use
-.Xr crypto_lock 3monocypher
-and
-.Xr crypto_unlock 3monocypher
-on.
-.Pp
-For files in particular,
-you may alternatively (and suboptimally)
-attempt to use
-.Fn mmap
-(on *NIX)
-or
-.Fn MapViewOfFile
-(on Windows)
-and pass the files as mapped memory into
-.Xr crypto_lock 3monocypher
-and
-.Xr crypto_unlock 3monocypher
-instead.
-.El
-.Sh RETURN VALUES
-.Fn crypto_lock_init ,
-.Fn crypto_unlock_init ,
-.Fn crypto_lock_auth_ad ,
-.Fn crypto_unlock_auth_ad ,
-.Fn crypto_lock_auth_message ,
-.Fn crypto_unlock_auth_message ,
-.Fn crypto_lock_update ,
-.Fn crypto_unlock_update ,
-and
-.Fn crypto_lock_final
-return nothing.
-.Pp
-.Fn crypto_unlock_final
-returns 0 on success or -1 if the message was corrupted.
-Corruption can be caused by transmission errors, programmer error, or an
-attacker's interference.
-.Em Always check the return value .
-.Sh SEE ALSO
-.Xr crypto_lock 3monocypher ,
-.Xr crypto_lock_aead 3monocypher ,
-.Xr crypto_unlock 3monocypher ,
-.Xr crypto_unlock_aead 3monocypher ,
-.Xr intro 3monocypher
-.Sh HISTORY
-The
-.Fn crypto_lock_init ,
-.Fn crypto_lock_auth_ad ,
-.Fn crypto_lock_auth_message ,
-.Fn crypto_lock_update ,
-.Fn crypto_lock_final ,
-.Fn crypto_unlock_init ,
-.Fn crypto_unlock_auth_ad ,
-.Fn crypto_unlock_auth_message ,
-.Fn crypto_unlock_update ,
-and
-.Fn crypto_unlock_final
-functions first appeared in Monocypher 1.1.0.
-.Fn crypto_lock_aead_auth
-and
-.Fn crypto_unlock_aead_auth
-were renamed to
-.Fn crypto_lock_auth_ad
-and
-.Fn crypto_unlock_auth_ad
-respectively in Monocypher 2.0.0.
-They were deprecated in Monocypher 3.0.0
-and will be removed in Monocypher 4.0.0.
+++ /dev/null
-crypto_lock_init.3monocypher
\ No newline at end of file
+++ /dev/null
-crypto_lock_init.3monocypher
\ No newline at end of file
+++ /dev/null
-crypto_lock_init.3monocypher
\ No newline at end of file
+++ /dev/null
-crypto_lock_init.3monocypher
\ No newline at end of file
+++ /dev/null
-crypto_lock_init.3monocypher
\ No newline at end of file
+++ /dev/null
-crypto_lock_init.3monocypher
\ No newline at end of file
mkdir -p "$DIR/html"
mkdir -p "$DIR/html/advanced"
mkdir -p "$DIR/html/optional"
-mkdir -p "$DIR/html/deprecated"
convert "$DIR/man/man3" "."
convert "$DIR/man/man3/advanced" "advanced"
convert "$DIR/man/man3/optional" "optional"
-convert "$DIR/man/man3/deprecated" "deprecated"
substitute() {
HTML=$1
substitute "$DIR/html"
substitute "$DIR/html/advanced"
substitute "$DIR/html/optional"
-substitute "$DIR/html/deprecated"
for file in $(ls -1 "$DIR/html" | grep ".html$")
do
check: test
test : test.out
-test-legacy : test-legacy.out
speed : speed.out
speed-sodium : speed-sodium.out
speed-tweetnacl: speed-tweetnacl.out
speed-hydrogen : speed-hydrogen.out
speed-c25519 : speed-c25519.out
speed-donna : speed-donna.out
-test test-legacy speed speed-sodium speed-tweetnacl speed-hydrogen speed-c25519 speed-donna:
+test speed speed-sodium speed-tweetnacl speed-hydrogen speed-c25519 speed-donna:
./$<
ctgrind: ctgrind.out
# Test & speed libraries
TEST_COMMON = tests/utils.h src/monocypher.h src/optional/monocypher-ed25519.h
-TEST_LEGACY = $(TEST_COMMON) src/deprecated/chacha20.h src/deprecated/aead-incr.h
SPEED = tests/speed
lib/utils.o :tests/utils.c
lib/test.o :tests/test.c $(TEST_COMMON) tests/vectors.h
-lib/test-legacy.o :tests/test-legacy.c $(TEST_LEGACY) tests/vectors.h
lib/ctgrind.o :tests/ctgrind.c $(TEST_COMMON)
lib/speed.o :$(SPEED)/speed.c $(TEST_COMMON) $(SPEED)/speed.h
lib/speed-tweetnacl.o:$(SPEED)/speed-tweetnacl.c $(TEST_COMMON) $(SPEED)/speed.h
-lib/utils.o lib/test.o lib/test-legacy.o lib/speed.o:
+lib/utils.o lib/test.o lib/speed.o:
@mkdir -p $(@D)
$(CC) $(CFLAGS) \
-I src -I src/optional -I tests \
# test & speed executables
TEST_OBJ= lib/utils.o lib/monocypher.o
test.out : lib/test.o $(TEST_OBJ) lib/monocypher-ed25519.o
-test-legacy.out: lib/test-legacy.o $(TEST_OBJ) lib/chacha20.o lib/aead-incr.o
ctgrind.out : lib/ctgrind.o $(TEST_OBJ) lib/monocypher-ed25519.o
speed.out : lib/speed.o $(TEST_OBJ) lib/monocypher-ed25519.o
-test.out test-legacy.out speed.out:
+test.out speed.out:
$(CC) $(CFLAGS) -I src -I src/optional -o $@ $^
ctgrind.out:
$(CC) $(CFLAGS) -O0 -I src -I src/optional -o $@ $^
+++ /dev/null
-// Deprecated incremental API for authenticated encryption
-//
-// This file *temporarily* provides compatibility with Monocypher 2.x.
-// Do not rely on its continued existence.
-//
-// Deprecated in : 3.0.0
-// Will be removed in: 4.0.0
-//
-// Deprecated functions & types:
-// crypto_unlock_ctx
-// crypto_lock_ctx
-// crypto_lock_init
-// crypto_lock_auth_ad
-// crypto_lock_auth_message
-// crypto_lock_update
-// crypto_lock_final
-// crypto_unlock_init
-// crypto_unlock_auth_ad
-// crypto_unlock_auth_message
-// crypto_unlock_update
-// crypto_unlock_final
-//
-// For existing deployments that can no longer be updated or modified,
-// use the 2.x family, which will receive security updates until 2024.
-//
-// upgrade strategy:
-// Change your protocol in a way that it does not rely on the removed
-// functions, namely by splitting the file into chunks you each use the
-// crypto_lock() and crypto_unlock() functions on.
-//
-// For files, you may alternatively (and suboptimally) attempt to
-// mmap()/MapViewOfFile() and pass the files as mapped memory into
-// crypto_lock() and crypto_unlock() this way instead.
-//
-// ---
-//
-// This file is dual-licensed. Choose whichever licence you want from
-// the two licences listed below.
-//
-// The first licence is a regular 2-clause BSD licence. The second licence
-// is the CC-0 from Creative Commons. It is intended to release Monocypher
-// to the public domain. The BSD licence serves as a fallback option.
-//
-// SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-//
-// ------------------------------------------------------------------------
-//
-// Copyright (c) 2017-2019, Loup Vaillant
-// All rights reserved.
-//
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// 1. Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright
-// notice, this list of conditions and the following disclaimer in the
-// documentation and/or other materials provided with the
-// distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// ------------------------------------------------------------------------
-//
-// Written in 2017-2019 by Loup Vaillant
-//
-// To the extent possible under law, the author(s) have dedicated all copyright
-// and related neighboring rights to this software to the public domain
-// worldwide. This software is distributed without any warranty.
-//
-// You should have received a copy of the CC0 Public Domain Dedication along
-// with this software. If not, see
-// <https://creativecommons.org/publicdomain/zero/1.0/>
-
-#include "aead-incr.h"
-
-#ifdef MONOCYPHER_CPP_NAMESPACE
-namespace MONOCYPHER_CPP_NAMESPACE {
-#endif
-
-#define FOR_T(type, i, start, end) for (type i = (start); i < (end); i++)
-#define FOR(i, start, end) FOR_T(size_t, i, start, end)
-#define WIPE_CTX(ctx) crypto_wipe(ctx , sizeof(*(ctx)))
-#define WIPE_BUFFER(buffer) crypto_wipe(buffer, sizeof(buffer))
-#define MIN(a, b) ((a) <= (b) ? (a) : (b))
-#define MAX(a, b) ((a) >= (b) ? (a) : (b))
-#define ALIGN(x, block_size) ((~(x) + 1) & ((block_size) - 1))
-typedef int8_t i8;
-typedef uint8_t u8;
-typedef int16_t i16;
-typedef uint32_t u32;
-typedef int32_t i32;
-typedef int64_t i64;
-typedef uint64_t u64;
-
-static const u8 zero[16] = {0};
-
-static void store64_le(u8 out[8], u64 in)
-{
- out[0] = in & 0xff;
- out[1] = (in >> 8) & 0xff;
- out[2] = (in >> 16) & 0xff;
- out[3] = (in >> 24) & 0xff;
- out[4] = (in >> 32) & 0xff;
- out[5] = (in >> 40) & 0xff;
- out[6] = (in >> 48) & 0xff;
- out[7] = (in >> 56) & 0xff;
-}
-
-////////////////////////////////////
-/// Incremental API for Chacha20 ///
-////////////////////////////////////
-static void chacha20_x_init(crypto_lock_ctx *ctx,
- const u8 key[32], const u8 nonce[24])
-{
- crypto_hchacha20(ctx->key, key, nonce);
- FOR (i, 0, 8) { ctx->nonce[i] = nonce[i + 16]; }
- ctx->ctr = 0;
- ctx->pool_idx = 64; // The random pool starts empty
-}
-
-static void chacha20_encrypt(crypto_lock_ctx *ctx, u8 *cipher_text,
- const u8 *plain_text, size_t text_size)
-{
- FOR (i, 0, text_size) {
- if (ctx->pool_idx == 64) {
- crypto_chacha20_ctr(ctx->pool, 0, 64,
- ctx->key, ctx-> nonce, ctx->ctr);
- ctx->pool_idx = 0;
- ctx->ctr++;
- }
- u8 plain = 0;
- if (plain_text != 0) {
- plain = *plain_text;
- plain_text++;
- }
- *cipher_text = ctx->pool[ctx->pool_idx] ^ plain;
- ctx->pool_idx++;
- cipher_text++;
- }
-}
-
-static void chacha20_stream(crypto_lock_ctx *ctx, u8 *stream, size_t size)
-{
- chacha20_encrypt(ctx, stream, 0, size);
-}
-
-
-////////////////////////////////
-/// Incremental API for AEAD ///
-////////////////////////////////
-static void lock_ad_padding(crypto_lock_ctx *ctx)
-{
- if (ctx->ad_phase) {
- ctx->ad_phase = 0;
- crypto_poly1305_update(&ctx->poly, zero, ALIGN(ctx->ad_size, 16));
- }
-}
-
-void crypto_lock_init(crypto_lock_ctx *ctx,
- const u8 key[32], const u8 nonce[24])
-{
- u8 auth_key[64]; // "Wasting" the whole Chacha block is faster
- ctx->ad_phase = 1;
- ctx->ad_size = 0;
- ctx->message_size = 0;
- chacha20_x_init(ctx, key, nonce);
- chacha20_stream(ctx, auth_key, 64);
- crypto_poly1305_init (&ctx->poly , auth_key);
- WIPE_BUFFER(auth_key);
-}
-
-void crypto_lock_auth_ad(crypto_lock_ctx *ctx, const u8 *msg, size_t msg_size)
-{
- crypto_poly1305_update(&ctx->poly, msg, msg_size);
- ctx->ad_size += msg_size;
-}
-
-void crypto_lock_auth_message(crypto_lock_ctx *ctx,
- const u8 *cipher_text, size_t text_size)
-{
- lock_ad_padding(ctx);
- ctx->message_size += text_size;
- crypto_poly1305_update(&ctx->poly, cipher_text, text_size);
-}
-
-void crypto_lock_update(crypto_lock_ctx *ctx, u8 *cipher_text,
- const u8 *plain_text, size_t text_size)
-{
- chacha20_encrypt(ctx, cipher_text, plain_text, text_size);
- crypto_lock_auth_message(ctx, cipher_text, text_size);
-}
-
-void crypto_lock_final(crypto_lock_ctx *ctx, u8 mac[16])
-{
- lock_ad_padding(ctx);
- u8 sizes[16]; // Not secret, not wiped
- store64_le(sizes + 0, ctx->ad_size);
- store64_le(sizes + 8, ctx->message_size);
- crypto_poly1305_update(&ctx->poly, zero, ALIGN(ctx->message_size, 16));
- crypto_poly1305_update(&ctx->poly, sizes, 16);
- crypto_poly1305_final (&ctx->poly, mac);
- WIPE_CTX(ctx);
-}
-
-void crypto_unlock_update(crypto_lock_ctx *ctx, u8 *plain_text,
- const u8 *cipher_text, size_t text_size)
-{
- crypto_unlock_auth_message(ctx, cipher_text, text_size);
- chacha20_encrypt(ctx, plain_text, cipher_text, text_size);
-}
-
-int crypto_unlock_final(crypto_lock_ctx *ctx, const u8 mac[16])
-{
- u8 real_mac[16];
- crypto_lock_final(ctx, real_mac);
- int mismatch = crypto_verify16(real_mac, mac);
- WIPE_BUFFER(real_mac);
- return mismatch;
-}
-
-#ifdef MONOCYPHER_CPP_NAMESPACE
-}
-#endif
+++ /dev/null
-// Deprecated incremental API for authenticated encryption
-//
-// This file *temporarily* provides compatibility with Monocypher 2.x.
-// Do not rely on its continued existence.
-//
-// Deprecated in : 3.0.0
-// Will be removed in: 4.0.0
-//
-// Deprecated functions & types:
-// crypto_unlock_ctx
-// crypto_lock_ctx
-// crypto_lock_init
-// crypto_lock_auth_ad
-// crypto_lock_auth_message
-// crypto_lock_update
-// crypto_lock_final
-// crypto_unlock_init
-// crypto_unlock_auth_ad
-// crypto_unlock_auth_message
-// crypto_unlock_update
-// crypto_unlock_final
-//
-// For existing deployments that can no longer be updated or modified,
-// use the 2.x family, which will receive security updates until 2024.
-//
-// upgrade strategy:
-// Change your protocol in a way that it does not rely on the removed
-// functions, namely by splitting the file into chunks you each use the
-// crypto_lock() and crypto_unlock() functions on.
-//
-// For files, you may alternatively (and suboptimally) attempt to
-// mmap()/MapViewOfFile() and pass the files as mapped memory into
-// crypto_lock() and crypto_unlock() this way instead.
-//
-// ---
-//
-// This file is dual-licensed. Choose whichever licence you want from
-// the two licences listed below.
-//
-// The first licence is a regular 2-clause BSD licence. The second licence
-// is the CC-0 from Creative Commons. It is intended to release Monocypher
-// to the public domain. The BSD licence serves as a fallback option.
-//
-// SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-//
-// ------------------------------------------------------------------------
-//
-// Copyright (c) 2017-2019, Loup Vaillant
-// All rights reserved.
-//
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// 1. Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright
-// notice, this list of conditions and the following disclaimer in the
-// documentation and/or other materials provided with the
-// distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// ------------------------------------------------------------------------
-//
-// Written in 2017-2019 by Loup Vaillant
-//
-// To the extent possible under law, the author(s) have dedicated all copyright
-// and related neighboring rights to this software to the public domain
-// worldwide. This software is distributed without any warranty.
-//
-// You should have received a copy of the CC0 Public Domain Dedication along
-// with this software. If not, see
-// <https://creativecommons.org/publicdomain/zero/1.0/>
-
-#ifndef AEAD_INCR_H
-#define AEAD_INCR_H
-
-#include <stddef.h>
-#include <inttypes.h>
-#include "monocypher.h"
-
-#ifdef MONOCYPHER_CPP_NAMESPACE
-namespace MONOCYPHER_CPP_NAMESPACE {
-#elif defined(__cplusplus)
-extern "C" {
-#endif
-
-typedef struct {
- crypto_poly1305_ctx poly;
- uint64_t ad_size;
- uint64_t message_size;
- int ad_phase;
- // Chacha20 context
- uint8_t key[32];
- uint8_t nonce[8];
- uint64_t ctr;
- uint8_t pool[64];
- size_t pool_idx;
-} crypto_lock_ctx;
-#define crypto_unlock_ctx crypto_lock_ctx
-
-// Encryption
-void crypto_lock_init(crypto_lock_ctx *ctx,
- const uint8_t key[32],
- const uint8_t nonce[24]);
-void crypto_lock_auth_ad(crypto_lock_ctx *ctx,
- const uint8_t *message,
- size_t message_size);
-void crypto_lock_auth_message(crypto_lock_ctx *ctx,
- const uint8_t *cipher_text, size_t text_size);
-void crypto_lock_update(crypto_lock_ctx *ctx,
- uint8_t *cipher_text,
- const uint8_t *plain_text,
- size_t text_size);
-void crypto_lock_final(crypto_lock_ctx *ctx, uint8_t mac[16]);
-
-// Decryption
-#define crypto_unlock_init crypto_lock_init
-#define crypto_unlock_auth_ad crypto_lock_auth_ad
-#define crypto_unlock_auth_message crypto_lock_auth_message
-void crypto_unlock_update(crypto_unlock_ctx *ctx,
- uint8_t *plain_text,
- const uint8_t *cipher_text,
- size_t text_size);
-int crypto_unlock_final(crypto_unlock_ctx *ctx, const uint8_t mac[16]);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif // AEAD_INCR_H
+++ /dev/null
-// Deprecated incremental API for Chacha20
-//
-// This file *temporarily* provides compatibility with Monocypher 2.x.
-// Do not rely on its continued existence.
-//
-// Deprecated in : 3.0.0
-// Will be removed in: 4.0.0
-//
-// Deprecated functions & types:
-// crypto_chacha_ctx
-// crypto_chacha20_H
-// crypto_chacha20_init
-// crypto_chacha20_x_init
-// crypto_chacha20_set_ctr
-// crypto_chacha20_encrypt
-// crypto_chacha20_stream
-//
-// For existing deployments that can no longer be updated or modified,
-// use the 2.x family, which will receive security updates until 2024.
-//
-// Upgrade strategy:
-// The new 3.x API can emulate incremental capabilities by setting a
-// custom counter. Make sure you authenticate each chunk before you
-// decrypt them, though.
-//
-// ---
-//
-// This file is dual-licensed. Choose whichever licence you want from
-// the two licences listed below.
-//
-// The first licence is a regular 2-clause BSD licence. The second licence
-// is the CC-0 from Creative Commons. It is intended to release Monocypher
-// to the public domain. The BSD licence serves as a fallback option.
-//
-// SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-//
-// ------------------------------------------------------------------------
-//
-// Copyright (c) 2017-2019, Loup Vaillant
-// All rights reserved.
-//
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// 1. Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright
-// notice, this list of conditions and the following disclaimer in the
-// documentation and/or other materials provided with the
-// distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// ------------------------------------------------------------------------
-//
-// Written in 2017-2019 by Loup Vaillant
-//
-// To the extent possible under law, the author(s) have dedicated all copyright
-// and related neighboring rights to this software to the public domain
-// worldwide. This software is distributed without any warranty.
-//
-// You should have received a copy of the CC0 Public Domain Dedication along
-// with this software. If not, see
-// <https://creativecommons.org/publicdomain/zero/1.0/>
-
-#include "chacha20.h"
-#include "monocypher.h"
-
-#ifdef MONOCYPHER_CPP_NAMESPACE
-namespace MONOCYPHER_CPP_NAMESPACE {
-#endif
-
-#define FOR_T(type, i, start, end) for (type i = (start); i < (end); i++)
-#define FOR(i, start, end) FOR_T(size_t, i, start, end)
-#define WIPE_CTX(ctx) crypto_wipe(ctx , sizeof(*(ctx)))
-#define WIPE_BUFFER(buffer) crypto_wipe(buffer, sizeof(buffer))
-#define MIN(a, b) ((a) <= (b) ? (a) : (b))
-#define MAX(a, b) ((a) >= (b) ? (a) : (b))
-#define ALIGN(x, block_size) ((~(x) + 1) & ((block_size) - 1))
-typedef int8_t i8;
-typedef uint8_t u8;
-typedef int16_t i16;
-typedef uint32_t u32;
-typedef int32_t i32;
-typedef int64_t i64;
-typedef uint64_t u64;
-
-void crypto_chacha20_H(u8 out[32], const u8 key[32], const u8 in[16])
-{
- crypto_hchacha20(out, key, in);
-}
-
-void crypto_chacha20_init(crypto_chacha_ctx *ctx,
- const u8 key[32], const u8 nonce[8])
-{
- FOR (i, 0, 32) { ctx->key [i] = key [i]; }
- FOR (i, 0, 8) { ctx->nonce[i] = nonce[i]; }
- crypto_chacha20_set_ctr(ctx, 0);
-}
-
-void crypto_chacha20_x_init(crypto_chacha_ctx *ctx,
- const u8 key[32], const u8 nonce[24])
-{
- crypto_hchacha20(ctx->key, key, nonce);
- FOR (i, 0, 8) { ctx->nonce[i] = nonce[i + 16]; }
- crypto_chacha20_set_ctr(ctx, 0);
-}
-
-void crypto_chacha20_set_ctr(crypto_chacha_ctx *ctx, u64 ctr)
-{
- ctx->ctr = ctr;
- ctx->pool_idx = 64; // The random pool (re)starts empty
-}
-
-void crypto_chacha20_encrypt(crypto_chacha_ctx *ctx, u8 *cipher_text,
- const u8 *plain_text, size_t text_size)
-{
- FOR (i, 0, text_size) {
- if (ctx->pool_idx == 64) {
- crypto_chacha20_ctr(ctx->pool, 0, 64,
- ctx->key, ctx-> nonce, ctx->ctr);
- ctx->pool_idx = 0;
- ctx->ctr++;
- }
- u8 plain = 0;
- if (plain_text != 0) {
- plain = *plain_text;
- plain_text++;
- }
- *cipher_text = ctx->pool[ctx->pool_idx] ^ plain;
- ctx->pool_idx++;
- cipher_text++;
- }
-}
-
-void crypto_chacha20_stream(crypto_chacha_ctx *ctx, u8 *stream, size_t size)
-{
- crypto_chacha20_encrypt(ctx, stream, 0, size);
-}
-
-#ifdef MONOCYPHER_CPP_NAMESPACE
-}
-#endif
+++ /dev/null
-// Deprecated incremental API for Chacha20
-//
-// This file *temporarily* provides compatibility with Monocypher 2.x.
-// Do not rely on its continued existence.
-//
-// Deprecated in : 3.0.0
-// Will be removed in: 4.0.0
-//
-// Deprecated functions & types:
-// crypto_chacha_ctx
-// crypto_chacha20_H
-// crypto_chacha20_init
-// crypto_chacha20_x_init
-// crypto_chacha20_set_ctr
-// crypto_chacha20_encrypt
-// crypto_chacha20_stream
-//
-// For existing deployments that can no longer be updated or modified,
-// use the 2.x family, which will receive security updates until 2024.
-//
-// Upgrade strategy:
-// The new 3.x API can emulate incremental capabilities by setting a
-// custom counter. Make sure you authenticate each chunk before you
-// decrypt them, though.
-//
-// ---
-//
-// This file is dual-licensed. Choose whichever licence you want from
-// the two licences listed below.
-//
-// The first licence is a regular 2-clause BSD licence. The second licence
-// is the CC-0 from Creative Commons. It is intended to release Monocypher
-// to the public domain. The BSD licence serves as a fallback option.
-//
-// SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-//
-// ------------------------------------------------------------------------
-//
-// Copyright (c) 2017-2019, Loup Vaillant
-// All rights reserved.
-//
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// 1. Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright
-// notice, this list of conditions and the following disclaimer in the
-// documentation and/or other materials provided with the
-// distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// ------------------------------------------------------------------------
-//
-// Written in 2017-2019 by Loup Vaillant
-//
-// To the extent possible under law, the author(s) have dedicated all copyright
-// and related neighboring rights to this software to the public domain
-// worldwide. This software is distributed without any warranty.
-//
-// You should have received a copy of the CC0 Public Domain Dedication along
-// with this software. If not, see
-// <https://creativecommons.org/publicdomain/zero/1.0/>
-
-#ifndef CHACHA20_H
-#define CHACHA20_H
-
-#include <stddef.h>
-#include <inttypes.h>
-
-#ifdef MONOCYPHER_CPP_NAMESPACE
-namespace MONOCYPHER_CPP_NAMESPACE {
-#elif defined(__cplusplus)
-extern "C" {
-#endif
-
-// Chacha20
-typedef struct {
- uint8_t key[32];
- uint8_t nonce[8];
- uint64_t ctr;
- uint8_t pool[64];
- size_t pool_idx;
-} crypto_chacha_ctx;
-
-// Chacha20 (old API)
-// ------------------
-
-// Specialised hash.
-void crypto_chacha20_H(uint8_t out[32],
- const uint8_t key[32],
- const uint8_t in [16]);
-
-void crypto_chacha20_init(crypto_chacha_ctx *ctx,
- const uint8_t key[32],
- const uint8_t nonce[8]);
-
-void crypto_chacha20_x_init(crypto_chacha_ctx *ctx,
- const uint8_t key[32],
- const uint8_t nonce[24]);
-
-void crypto_chacha20_set_ctr(crypto_chacha_ctx *ctx, uint64_t ctr);
-
-void crypto_chacha20_encrypt(crypto_chacha_ctx *ctx,
- uint8_t *cipher_text,
- const uint8_t *plain_text,
- size_t text_size);
-
-void crypto_chacha20_stream(crypto_chacha_ctx *ctx,
- uint8_t *stream, size_t size);
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif // CHACHA20_H
+++ /dev/null
-// This file is dual-licensed. Choose whichever licence you want from
-// the two licences listed below.
-//
-// The first licence is a regular 2-clause BSD licence. The second licence
-// is the CC-0 from Creative Commons. It is intended to release Monocypher
-// to the public domain. The BSD licence serves as a fallback option.
-//
-// SPDX-License-Identifier: BSD-2-Clause OR CC0-1.0
-//
-// ------------------------------------------------------------------------
-//
-// Copyright (c) 2017-2019, Loup Vaillant
-// All rights reserved.
-//
-//
-// Redistribution and use in source and binary forms, with or without
-// modification, are permitted provided that the following conditions are
-// met:
-//
-// 1. Redistributions of source code must retain the above copyright
-// notice, this list of conditions and the following disclaimer.
-//
-// 2. Redistributions in binary form must reproduce the above copyright
-// notice, this list of conditions and the following disclaimer in the
-// documentation and/or other materials provided with the
-// distribution.
-//
-// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
-// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
-// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
-// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
-// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
-// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
-// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
-// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
-// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
-// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
-// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
-//
-// ------------------------------------------------------------------------
-//
-// Written in 2017-2019 by Loup Vaillant
-//
-// To the extent possible under law, the author(s) have dedicated all copyright
-// and related neighboring rights to this software to the public domain
-// worldwide. This software is distributed without any warranty.
-//
-// You should have received a copy of the CC0 Public Domain Dedication along
-// with this software. If not, see
-// <https://creativecommons.org/publicdomain/zero/1.0/>
-
-#include <stdio.h>
-#include <stdlib.h>
-#include <string.h>
-#include "monocypher.h"
-#include "deprecated/chacha20.h"
-#include "deprecated/aead-incr.h"
-#include "utils.h"
-#include "vectors.h"
-
-#define CHACHA_BLOCK_SIZE 64
-#define CHACHA_NB_BLOCKS 10
-#define POLY1305_BLOCK_SIZE 16
-#define BLAKE2B_BLOCK_SIZE 128
-#define SHA_512_BLOCK_SIZE 128
-
-////////////////////////////
-/// Tests aginst vectors ///
-////////////////////////////
-static void chacha20(vector_reader *reader)
-{
- vector key = next_input(reader);
- vector nonce = next_input(reader);
- vector plain = next_input(reader);
- u64 ctr = load64_le(next_input(reader).buf);
- vector out = next_output(reader);
-
- crypto_chacha_ctx ctx;
- crypto_chacha20_init (&ctx, key.buf, nonce.buf);
- crypto_chacha20_set_ctr(&ctx, ctr);
- crypto_chacha20_encrypt(&ctx, out.buf, plain.buf, plain.size);
-}
-
-static void hchacha20(vector_reader *reader)
-{
- vector key = next_input(reader);
- vector nonce = next_input(reader);
- vector out = next_output(reader);
- crypto_chacha20_H(out.buf, key.buf, nonce.buf);
-}
-
-static void xchacha20(vector_reader *reader)
-{
- vector key = next_input(reader);
- vector nonce = next_input(reader);
- vector plain = next_input(reader);
- u64 ctr = load64_le(next_input(reader).buf);
- vector out = next_output(reader);
- crypto_chacha_ctx ctx;
- crypto_chacha20_x_init (&ctx, key.buf, nonce.buf);
- crypto_chacha20_set_ctr(&ctx, ctr);
- crypto_chacha20_encrypt(&ctx, out.buf, plain.buf, plain.size);
-}
-
-//////////////////////////////
-/// Self consistency tests ///
-//////////////////////////////
-
-// Tests that encrypting in chunks yields the same result than
-// encrypting all at once.
-static int p_chacha20()
-{
-#undef INPUT_SIZE
-#define INPUT_SIZE (CHACHA_BLOCK_SIZE * 4) // total input size
- int status = 0;
- FOR (i, 0, INPUT_SIZE) {
- // outputs
- u8 output_chunk[INPUT_SIZE];
- u8 output_whole[INPUT_SIZE];
- // inputs
- RANDOM_INPUT(input, INPUT_SIZE);
- RANDOM_INPUT(key , 32);
- RANDOM_INPUT(nonce, 8);
-
- // Encrypt in chunks
- crypto_chacha_ctx ctx;
- crypto_chacha20_init(&ctx, key, nonce);
- crypto_chacha20_encrypt(&ctx, output_chunk , input , i);
- crypto_chacha20_encrypt(&ctx, output_chunk+i, input+i, INPUT_SIZE-i);
- // Encrypt all at once
- crypto_chacha20_init(&ctx, key, nonce);
- crypto_chacha20_encrypt(&ctx, output_whole, input, INPUT_SIZE);
- // Compare
- status |= memcmp(output_chunk, output_whole, INPUT_SIZE);
-
- // Stream in chunks
- crypto_chacha20_init(&ctx, key, nonce);
- crypto_chacha20_stream(&ctx, output_chunk , i);
- crypto_chacha20_stream(&ctx, output_chunk + i, INPUT_SIZE - i);
- // Stream all at once
- crypto_chacha20_init(&ctx, key, nonce);
- crypto_chacha20_stream(&ctx, output_whole, INPUT_SIZE);
- // Compare
- status |= memcmp(output_chunk, output_whole, INPUT_SIZE);
- }
- printf("%s: Chacha20 (incremental)\n", status != 0 ? "FAILED" : "OK");
- return status;
-}
-
-// Tests that output and input can be the same pointer
-static int p_chacha20_same_ptr()
-{
- int status = 0;
- u8 output[INPUT_SIZE];
- RANDOM_INPUT(input, INPUT_SIZE);
- RANDOM_INPUT(key , 32);
- RANDOM_INPUT(nonce, 8);
- crypto_chacha_ctx ctx;
- crypto_chacha20_init (&ctx, key, nonce);
- crypto_chacha20_encrypt(&ctx, output, input, INPUT_SIZE);
- crypto_chacha20_init (&ctx, key, nonce);
- crypto_chacha20_encrypt(&ctx, input, input, INPUT_SIZE);
- status |= memcmp(output, input, CHACHA_BLOCK_SIZE);
- printf("%s: Chacha20 (output == input)\n", status != 0 ? "FAILED" : "OK");
- return status;
-}
-
-static int p_chacha20_set_ctr()
-{
-#define STREAM_SIZE (CHACHA_BLOCK_SIZE * CHACHA_NB_BLOCKS)
- int status = 0;
- FOR (i, 0, CHACHA_NB_BLOCKS) {
- u8 output_part[STREAM_SIZE ];
- u8 output_all [STREAM_SIZE ];
- u8 output_more[STREAM_SIZE * 2];
- RANDOM_INPUT(key , 32);
- RANDOM_INPUT(nonce, 8);
- size_t limit = i * CHACHA_BLOCK_SIZE;
- // Encrypt all at once
- crypto_chacha_ctx ctx;
- crypto_chacha20_init(&ctx, key, nonce);
- crypto_chacha20_stream(&ctx, output_all, STREAM_SIZE);
- // Encrypt second part
- crypto_chacha20_set_ctr(&ctx, i);
- crypto_chacha20_stream(&ctx, output_part + limit, STREAM_SIZE - limit);
- // Encrypt first part
- crypto_chacha20_set_ctr(&ctx, 0);
- crypto_chacha20_stream(&ctx, output_part, limit);
- // Compare the results (must be the same)
- status |= memcmp(output_part, output_all, STREAM_SIZE);
-
- // Encrypt before the begining
- crypto_chacha20_set_ctr(&ctx, -(u64)i);
- crypto_chacha20_stream(&ctx,
- output_more + STREAM_SIZE - limit,
- STREAM_SIZE + limit);
- // Compare the results (must be the same)
- status |= memcmp(output_more + STREAM_SIZE, output_all, STREAM_SIZE);
- }
- printf("%s: Chacha20 (set counter)\n", status != 0 ? "FAILED" : "OK");
- return status;
-}
-
-static int p_chacha20_H()
-{
- int status = 0;
- FOR (i, 0, 100) {
- RANDOM_INPUT(buffer, 80);
- size_t out_idx = rand64() % 48;
- size_t key_idx = rand64() % 48;
- size_t in_idx = rand64() % 64;
- u8 key[32]; FOR (j, 0, 32) { key[j] = buffer[j + key_idx]; }
- u8 in [16]; FOR (j, 0, 16) { in [j] = buffer[j + in_idx]; }
-
- // Run with and without overlap, then compare
- u8 out[32];
- crypto_chacha20_H(out, key, in);
- crypto_chacha20_H(buffer + out_idx, buffer + key_idx, buffer + in_idx);
- status |= memcmp(out, buffer + out_idx, 32);
- }
- printf("%s: HChacha20 (overlap)\n", status != 0 ? "FAILED" : "OK");
- return status;
-}
-
-static int p_lock_incremental()
-{
- int status = 0;
- FOR (i, 0, 1000) {
- RANDOM_INPUT(key , 32);
- RANDOM_INPUT(nonce, 24);
- RANDOM_INPUT(ad , 128);
- RANDOM_INPUT(plain, 256);
- // total sizes
- size_t ad_size = rand64() % 128;
- size_t text_size = rand64() % 256;
- // incremental sizes
- size_t ad_size1 = ad_size == 0 ? 0 : rand64() % ad_size;
- size_t text_size1 = text_size == 0 ? 0 : rand64() % text_size;
- size_t ad_size2 = ad_size - ad_size1;
- size_t text_size2 = text_size - text_size1;
- // incremental buffers
- u8 *ad1 = ad; u8 *ad2 = ad + ad_size1;
- u8 *plain1 = plain; u8 *plain2 = plain + text_size1;
-
- u8 mac1[16], cipher1[256];
- u8 mac2[16], cipher2[256];
- crypto_lock_aead(mac1, cipher1, key, nonce,
- ad, ad_size, plain, text_size);
- crypto_lock_ctx ctx;
- crypto_lock_init (&ctx, key, nonce);
- crypto_lock_auth_ad(&ctx, ad1, ad_size1); // just to show ad also have
- crypto_lock_auth_ad(&ctx, ad2, ad_size2); // an incremental interface
- crypto_lock_update (&ctx, cipher2 , plain1, text_size1);
- crypto_lock_update (&ctx, cipher2 + text_size1, plain2, text_size2);
- crypto_lock_final (&ctx, mac2);
- status |= memcmp(mac1 , mac2 , 16 );
- status |= memcmp(cipher1, cipher2, text_size);
-
- // Now test the round trip.
- u8 re_plain1[256];
- u8 re_plain2[256];
- status |= crypto_unlock_aead(re_plain1, key, nonce, mac1,
- ad, ad_size, cipher1, text_size);
- crypto_unlock_init (&ctx, key, nonce);
- crypto_unlock_auth_ad(&ctx, ad, ad_size);
- crypto_unlock_update (&ctx, re_plain2, cipher2, text_size);
- status |= crypto_unlock_final(&ctx, mac2);
- status |= memcmp(mac1 , mac2 , 16 );
- status |= memcmp(plain, re_plain1, text_size);
- status |= memcmp(plain, re_plain2, text_size);
-
- // Test authentication without decryption
- crypto_unlock_init (&ctx, key, nonce);
- crypto_unlock_auth_ad (&ctx, ad , ad_size );
- crypto_unlock_auth_message(&ctx, cipher2, text_size);
- status |= crypto_unlock_final(&ctx, mac2);
- // The same, except we're supposed to reject forgeries
- if (text_size > 0) {
- cipher2[0]++; // forgery attempt
- crypto_unlock_init (&ctx, key, nonce);
- crypto_unlock_auth_ad (&ctx, ad , ad_size );
- crypto_unlock_auth_message(&ctx, cipher2, text_size);
- status |= !crypto_unlock_final(&ctx, mac2);
- }
- }
- printf("%s: aead (incremental)\n", status != 0 ? "FAILED" : "OK");
- return status;
-}
-
-// Only additionnal data
-static int p_auth()
-{
- int status = 0;
- FOR (i, 0, 128) {
- RANDOM_INPUT(key , 32);
- RANDOM_INPUT(nonce , 24);
- RANDOM_INPUT(ad , 128);
- u8 mac1[16];
- u8 mac2[16];
- // roundtrip
- {
- crypto_lock_ctx ctx;
- crypto_lock_init (&ctx, key, nonce);
- crypto_lock_auth_ad(&ctx, ad, i);
- crypto_lock_final (&ctx, mac1);
- crypto_lock_aead(mac2, 0, key, nonce, ad, i, 0, 0);
- status |= memcmp(mac1, mac2, 16);
- }
- {
- crypto_unlock_ctx ctx;
- crypto_unlock_init (&ctx, key, nonce);
- crypto_unlock_auth_ad(&ctx, ad, i);
- status |= crypto_unlock_final(&ctx, mac1);
- status |= crypto_unlock_aead(0, key, nonce, mac1, ad, i, 0, 0);
- }
- }
- printf("%s: aead (authentication)\n", status != 0 ? "FAILED" : "OK");
- return status;
-}
-
-#define TEST(name) vector_test(name, #name, nb_##name##_vectors, name##_vectors)
-
-int main(int argc, char *argv[])
-{
- if (argc > 1) {
- sscanf(argv[1], "%" PRIu64 "", &random_state);
- }
- printf("\nRandom seed: %" PRIu64 "\n", random_state);
-
- int status = 0;
- printf("\nTest against vectors");
- printf("\n--------------------\n");
- status |= TEST(chacha20);
- status |= TEST(hchacha20);
- status |= TEST(xchacha20);
-
- printf("\nProperty based tests");
- printf("\n--------------------\n");
- status |= p_chacha20();
- status |= p_chacha20_same_ptr();
- status |= p_chacha20_set_ctr();
- status |= p_chacha20_H();
- status |= p_lock_incremental();
- status |= p_auth();
- printf("\n%s\n\n", status != 0 ? "SOME TESTS FAILED" : "All tests OK!");
- return status;
-}
set -e
-make clean; make test; make test-legacy
make clean; make test CFLAGS="-DBLAKE2_NO_UNROLLING -O3"
make clean; make test CC="clang -std=c99" CFLAGS="-g -fsanitize=address"
make clean; make test CC="clang -std=c99" CFLAGS="-g -fsanitize=memory"
projects / Monocypher.git / commitdiff