Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place. Commercial Alternative to JupyterHub.
Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place. Commercial Alternative to JupyterHub.
Path: blob/master/libraries/AP_CheckFirmware/monocypher.h
Views: 1798
// Monocypher version 3.1.21//2// This file is dual-licensed. Choose whichever licence you want from3// the two licences listed below.4//5// The first licence is a regular 2-clause BSD licence. The second licence6// is the CC-0 from Creative Commons. It is intended to release Monocypher7// to the public domain. The BSD licence serves as a fallback option.8//9// SPDX-License-Identifier: BSD-2-Clause OR CC0-1.010//11// ------------------------------------------------------------------------12//13// Copyright (c) 2017-2019, Loup Vaillant14// All rights reserved.15//16//17// Redistribution and use in source and binary forms, with or without18// modification, are permitted provided that the following conditions are19// met:20//21// 1. Redistributions of source code must retain the above copyright22// notice, this list of conditions and the following disclaimer.23//24// 2. Redistributions in binary form must reproduce the above copyright25// notice, this list of conditions and the following disclaimer in the26// documentation and/or other materials provided with the27// distribution.28//29// THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS30// "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT31// LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR32// A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT33// HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,34// SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT35// LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,36// DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY37// THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT38// (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE39// OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.40//41// ------------------------------------------------------------------------42//43// Written in 2017-2019 by Loup Vaillant44//45// To the extent possible under law, the author(s) have dedicated all copyright46// and related neighboring rights to this software to the public domain47// worldwide. This software is distributed without any warranty.48//49// You should have received a copy of the CC0 Public Domain Dedication along50// with this software. If not, see51// <https://creativecommons.org/publicdomain/zero/1.0/>5253#ifndef MONOCYPHER_H54#define MONOCYPHER_H5556#include <stddef.h>57#include <stdint.h>5859////////////////////////60/// Type definitions ///61////////////////////////6263// Vtable for EdDSA with a custom hash.64// Instantiate it to define a custom hash.65// Its size, contents, and layout, are part of the public API.66typedef struct {67void (*hash)(uint8_t hash[64], const uint8_t *message, size_t message_size);68void (*init )(void *ctx);69void (*update)(void *ctx, const uint8_t *message, size_t message_size);70void (*final )(void *ctx, uint8_t hash[64]);71size_t ctx_size;72} crypto_sign_vtable;7374// Do not rely on the size or contents of any of the types below,75// they may change without notice.7677// Poly130578typedef struct {79uint32_t r[4]; // constant multiplier (from the secret key)80uint32_t h[5]; // accumulated hash81uint32_t c[5]; // chunk of the message82uint32_t pad[4]; // random number added at the end (from the secret key)83size_t c_idx; // How many bytes are there in the chunk.84} crypto_poly1305_ctx;8586// Hash (Blake2b)87typedef struct {88uint64_t hash[8];89uint64_t input_offset[2];90uint64_t input[16];91size_t input_idx;92size_t hash_size;93} crypto_blake2b_ctx;9495// Signatures (EdDSA)96typedef struct {97const crypto_sign_vtable *hash;98uint8_t buf[96];99uint8_t pk [32];100} crypto_sign_ctx_abstract;101typedef crypto_sign_ctx_abstract crypto_check_ctx_abstract;102103typedef struct {104crypto_sign_ctx_abstract ctx;105crypto_blake2b_ctx hash;106} crypto_sign_ctx;107typedef crypto_sign_ctx crypto_check_ctx;108109////////////////////////////110/// High level interface ///111////////////////////////////112113// Constant time comparisons114// -------------------------115116// Return 0 if a and b are equal, -1 otherwise117int crypto_verify16(const uint8_t a[16], const uint8_t b[16]);118int crypto_verify32(const uint8_t a[32], const uint8_t b[32]);119int crypto_verify64(const uint8_t a[64], const uint8_t b[64]);120121// Erase sensitive data122// --------------------123124// Please erase all copies125void crypto_wipe(void *secret, size_t size);126127128// Authenticated encryption129// ------------------------130void crypto_lock(uint8_t mac[16],131uint8_t *cipher_text,132const uint8_t key[32],133const uint8_t nonce[24],134const uint8_t *plain_text, size_t text_size);135int crypto_unlock(uint8_t *plain_text,136const uint8_t key[32],137const uint8_t nonce[24],138const uint8_t mac[16],139const uint8_t *cipher_text, size_t text_size);140141// With additional data142void crypto_lock_aead(uint8_t mac[16],143uint8_t *cipher_text,144const uint8_t key[32],145const uint8_t nonce[24],146const uint8_t *ad , size_t ad_size,147const uint8_t *plain_text, size_t text_size);148int crypto_unlock_aead(uint8_t *plain_text,149const uint8_t key[32],150const uint8_t nonce[24],151const uint8_t mac[16],152const uint8_t *ad , size_t ad_size,153const uint8_t *cipher_text, size_t text_size);154155156// General purpose hash (Blake2b)157// ------------------------------158159// Direct interface160void crypto_blake2b(uint8_t hash[64],161const uint8_t *message, size_t message_size);162163void crypto_blake2b_general(uint8_t *hash , size_t hash_size,164const uint8_t *key , size_t key_size, // optional165const uint8_t *message, size_t message_size);166167// Incremental interface168void crypto_blake2b_init (crypto_blake2b_ctx *ctx);169void crypto_blake2b_update(crypto_blake2b_ctx *ctx,170const uint8_t *message, size_t message_size);171void crypto_blake2b_final (crypto_blake2b_ctx *ctx, uint8_t *hash);172173void crypto_blake2b_general_init(crypto_blake2b_ctx *ctx, size_t hash_size,174const uint8_t *key, size_t key_size);175176// vtable for signatures177extern const crypto_sign_vtable crypto_blake2b_vtable;178179180// Password key derivation (Argon2 i)181// ----------------------------------182void crypto_argon2i(uint8_t *hash, uint32_t hash_size, // >= 4183void *work_area, uint32_t nb_blocks, // >= 8184uint32_t nb_iterations, // >= 3185const uint8_t *password, uint32_t password_size,186const uint8_t *salt, uint32_t salt_size); // >= 8187188void crypto_argon2i_general(uint8_t *hash, uint32_t hash_size,// >= 4189void *work_area, uint32_t nb_blocks,// >= 8190uint32_t nb_iterations, // >= 3191const uint8_t *password, uint32_t password_size,192const uint8_t *salt, uint32_t salt_size,// >= 8193const uint8_t *key, uint32_t key_size,194const uint8_t *ad, uint32_t ad_size);195196197// Key exchange (x25519 + HChacha20)198// ---------------------------------199#define crypto_key_exchange_public_key crypto_x25519_public_key200void crypto_key_exchange(uint8_t shared_key [32],201const uint8_t your_secret_key [32],202const uint8_t their_public_key[32]);203204205// Signatures (EdDSA with curve25519 + Blake2b)206// --------------------------------------------207208// Generate public key209void crypto_sign_public_key(uint8_t public_key[32],210const uint8_t secret_key[32]);211212// Direct interface213void crypto_sign(uint8_t signature [64],214const uint8_t secret_key[32],215const uint8_t public_key[32], // optional, may be 0216const uint8_t *message, size_t message_size);217int crypto_check(const uint8_t signature [64],218const uint8_t public_key[32],219const uint8_t *message, size_t message_size);220221////////////////////////////222/// Low level primitives ///223////////////////////////////224225// For experts only. You have been warned.226227// Chacha20228// --------229230// Specialised hash.231// Used to hash X25519 shared secrets.232void crypto_hchacha20(uint8_t out[32],233const uint8_t key[32],234const uint8_t in [16]);235236// Unauthenticated stream cipher.237// Don't forget to add authentication.238void crypto_chacha20(uint8_t *cipher_text,239const uint8_t *plain_text,240size_t text_size,241const uint8_t key[32],242const uint8_t nonce[8]);243void crypto_xchacha20(uint8_t *cipher_text,244const uint8_t *plain_text,245size_t text_size,246const uint8_t key[32],247const uint8_t nonce[24]);248void crypto_ietf_chacha20(uint8_t *cipher_text,249const uint8_t *plain_text,250size_t text_size,251const uint8_t key[32],252const uint8_t nonce[12]);253uint64_t crypto_chacha20_ctr(uint8_t *cipher_text,254const uint8_t *plain_text,255size_t text_size,256const uint8_t key[32],257const uint8_t nonce[8],258uint64_t ctr);259uint64_t crypto_xchacha20_ctr(uint8_t *cipher_text,260const uint8_t *plain_text,261size_t text_size,262const uint8_t key[32],263const uint8_t nonce[24],264uint64_t ctr);265uint32_t crypto_ietf_chacha20_ctr(uint8_t *cipher_text,266const uint8_t *plain_text,267size_t text_size,268const uint8_t key[32],269const uint8_t nonce[12],270uint32_t ctr);271272// Poly 1305273// ---------274275// This is a *one time* authenticator.276// Disclosing the mac reveals the key.277// See crypto_lock() on how to use it properly.278279// Direct interface280void crypto_poly1305(uint8_t mac[16],281const uint8_t *message, size_t message_size,282const uint8_t key[32]);283284// Incremental interface285void crypto_poly1305_init (crypto_poly1305_ctx *ctx, const uint8_t key[32]);286void crypto_poly1305_update(crypto_poly1305_ctx *ctx,287const uint8_t *message, size_t message_size);288void crypto_poly1305_final (crypto_poly1305_ctx *ctx, uint8_t mac[16]);289290291// X-25519292// -------293294// Shared secrets are not quite random.295// Hash them to derive an actual shared key.296void crypto_x25519_public_key(uint8_t public_key[32],297const uint8_t secret_key[32]);298void crypto_x25519(uint8_t raw_shared_secret[32],299const uint8_t your_secret_key [32],300const uint8_t their_public_key [32]);301302// "Dirty" versions of x25519_public_key()303// Only use to generate ephemeral keys you want to hide.304// Note that those functions leaks 3 bits of the private key.305void crypto_x25519_dirty_small(uint8_t pk[32], const uint8_t sk[32]);306void crypto_x25519_dirty_fast (uint8_t pk[32], const uint8_t sk[32]);307308// scalar "division"309// Used for OPRF. Be aware that exponential blinding is less secure310// than Diffie-Hellman key exchange.311void crypto_x25519_inverse(uint8_t blind_salt [32],312const uint8_t private_key[32],313const uint8_t curve_point[32]);314315316// EdDSA to X25519317// ---------------318void crypto_from_eddsa_private(uint8_t x25519[32], const uint8_t eddsa[32]);319void crypto_from_eddsa_public (uint8_t x25519[32], const uint8_t eddsa[32]);320321322// EdDSA -- Incremental interface323// ------------------------------324325// Signing (2 passes)326// Make sure the two passes hash the same message,327// else you might reveal the private key.328void crypto_sign_init_first_pass(crypto_sign_ctx_abstract *ctx,329const uint8_t secret_key[32],330const uint8_t public_key[32]);331void crypto_sign_update(crypto_sign_ctx_abstract *ctx,332const uint8_t *message, size_t message_size);333void crypto_sign_init_second_pass(crypto_sign_ctx_abstract *ctx);334// use crypto_sign_update() again.335void crypto_sign_final(crypto_sign_ctx_abstract *ctx, uint8_t signature[64]);336337// Verification (1 pass)338// Make sure you don't use (parts of) the message339// before you're done checking it.340void crypto_check_init (crypto_check_ctx_abstract *ctx,341const uint8_t signature[64],342const uint8_t public_key[32]);343void crypto_check_update(crypto_check_ctx_abstract *ctx,344const uint8_t *message, size_t message_size);345int crypto_check_final (crypto_check_ctx_abstract *ctx);346347// Custom hash interface348void crypto_sign_public_key_custom_hash(uint8_t public_key[32],349const uint8_t secret_key[32],350const crypto_sign_vtable *hash);351void crypto_sign_init_first_pass_custom_hash(crypto_sign_ctx_abstract *ctx,352const uint8_t secret_key[32],353const uint8_t public_key[32],354const crypto_sign_vtable *hash);355void crypto_check_init_custom_hash(crypto_check_ctx_abstract *ctx,356const uint8_t signature[64],357const uint8_t public_key[32],358const crypto_sign_vtable *hash);359360// Elligator 2361// -----------362363// Elligator mappings proper364void crypto_hidden_to_curve(uint8_t curve [32], const uint8_t hidden[32]);365int crypto_curve_to_hidden(uint8_t hidden[32], const uint8_t curve [32],366uint8_t tweak);367368// Easy to use key pair generation369void crypto_hidden_key_pair(uint8_t hidden[32], uint8_t secret_key[32],370uint8_t seed[32]);371372373#endif // MONOCYPHER_H374375376