-rw-r--r--3rd_party/Makefile.am6
-rw-r--r--3rd_party/README.md36
-rw-r--r--3rd_party/ed25519/LICENSE16
-rw-r--r--3rd_party/ed25519/Makefile.am26
-rw-r--r--3rd_party/ed25519/README.md165
-rw-r--r--3rd_party/ed25519/add_scalar.c69
-rw-r--r--3rd_party/ed25519/ed25519.h38
-rw-r--r--3rd_party/ed25519/fe.c1491
-rw-r--r--3rd_party/ed25519/fe.h41
-rw-r--r--3rd_party/ed25519/fixedint.h72
-rw-r--r--3rd_party/ed25519/ge.c467
-rw-r--r--3rd_party/ed25519/ge.h74
-rw-r--r--3rd_party/ed25519/key_exchange.c79
-rw-r--r--3rd_party/ed25519/keypair.c16
-rw-r--r--3rd_party/ed25519/precomp_data.h1391
-rw-r--r--3rd_party/ed25519/sc.c809
-rw-r--r--3rd_party/ed25519/sc.h12
-rw-r--r--3rd_party/ed25519/seed.c40
-rw-r--r--3rd_party/ed25519/sha512.c275
-rw-r--r--3rd_party/ed25519/sha512.h21
-rw-r--r--3rd_party/ed25519/sign.c31
-rw-r--r--3rd_party/ed25519/verify.c77
-rw-r--r--3rd_party/libsrp6a-sha512/LICENSE62
-rw-r--r--3rd_party/libsrp6a-sha512/Makefile.am31
-rw-r--r--3rd_party/libsrp6a-sha512/README.md35
-rw-r--r--3rd_party/libsrp6a-sha512/cstr.c226
-rw-r--r--3rd_party/libsrp6a-sha512/cstr.h94
-rw-r--r--3rd_party/libsrp6a-sha512/srp.c274
-rw-r--r--3rd_party/libsrp6a-sha512/srp.h372
-rw-r--r--3rd_party/libsrp6a-sha512/srp6a_sha512_client.c363
-rw-r--r--3rd_party/libsrp6a-sha512/srp_aux.h146
-rw-r--r--3rd_party/libsrp6a-sha512/t_conv.c258
-rw-r--r--3rd_party/libsrp6a-sha512/t_defines.h137
-rw-r--r--3rd_party/libsrp6a-sha512/t_math.c1008
-rw-r--r--3rd_party/libsrp6a-sha512/t_misc.c450
-rw-r--r--3rd_party/libsrp6a-sha512/t_pwd.h246
-rw-r--r--3rd_party/libsrp6a-sha512/t_sha.c276
-rw-r--r--3rd_party/libsrp6a-sha512/t_sha.h125
-rw-r--r--3rd_party/libsrp6a-sha512/t_truerand.c241
-rw-r--r--Makefile.am2
-rw-r--r--configure.ac23
-rw-r--r--docs/idevicepair.126
-rw-r--r--include/endianness.h11
-rw-r--r--include/libimobiledevice/lockdown.h96
-rw-r--r--src/Makefile.am9
-rw-r--r--src/idevice.c5
-rw-r--r--src/lockdown-cu.c1192
-rw-r--r--src/lockdown.c12
-rw-r--r--src/lockdown.h4
-rw-r--r--tools/idevicepair.c185
50 files changed, 11148 insertions, 13 deletions
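diff --git a/3rd_party/Makefile.am b/3rd_party/Makefile.am
new file mode 100644
index 0000000..a196ea3
--- /dev/null
+++ b/3rd_party/Makefile.am
@@ -0,0 +1,6 @@
+AUTOMAKE_OPTIONS = foreign
+ACLOCAL_AMFLAGS = -I m4
+SUBDIRS =
+if HAVE_WIRELESS_PAIRING
+SUBDIRS += ed25519 libsrp6a-sha512
+endif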
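diff --git a/3rd_party/README.md b/3rd_party/README.md
new file mode 100644
index 0000000..0bec640
--- /dev/null
+++ b/3rd_party/README.md
@@ -0,0 +1,36 @@
+# Third party components/libraries
+
+This folder contains third party components or libraries that are used
+within the libimobiledevice project. They have been bundled since they
+are either not readily available on the intended target platforms and/or
+have been modified.
+
+Their respective licenses are provided in each corresponding folder in a
+file called LICENSE.
+
+
+## ed25519
+
+Source: https://github.com/orlp/ed25519
+Based on commit 7fa6712ef5d581a6981ec2b08ee623314cd1d1c4.
+[LICENCE](ed25519/LICENSE)
+
+The original source has not been modified, except that the file `test.c`
+and the contained DLL files have been removed. To allow building within
+libimobiledevice, a `Makefile.am` has been added.
+
+
+## libsrp6a-sha512
+
+Source: https://github.com/secure-remote-password/stanford-srp
+Based on commit 587900d32777348f98477cb25123d5761fbe3725.
+[LICENCE](libsrp6a-sha512/LICENSE)
+
+For the usage within libimobiledevice, only [libsrp](https://github.com/secure-remote-password/stanford-srp/tree/master/libsrp)
+has been used as a basis.
+It has been adapted to the needs of the libimobiledevice project, and
+contains just a part of the original code; it only supports the SRP6a
+client method which has been modified to use SHA512 instead of SHA1,
+hence the name was changed to `libsrp6a-sha512`.
+More details about the modifications can be found in [libsrp6a-sha512/README.md](libsrp6a-sha512/README.md).
+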
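diff --git a/3rd_party/ed25519/LICENSE b/3rd_party/ed25519/LICENSE
new file mode 100644
index 0000000..c1503f9
--- /dev/null
+++ b/3rd_party/ed25519/LICENSE
@@ -0,0 +1,16 @@
+Copyright (c) 2015 Orson Peters <orsonpeters@gmail.com>
+
+This software is provided 'as-is', without any express or implied warranty. In no event will the
+authors be held liable for any damages arising from the use of this software.
+
+Permission is granted to anyone to use this software for any purpose, including commercial
+applications, and to alter it and redistribute it freely, subject to the following restrictions:
+
+1. The origin of this software must not be misrepresented; you must not claim that you wrote the
+ original software. If you use this software in a product, an acknowledgment in the product
+ documentation would be appreciated but is not required.
+
+2. Altered source versions must be plainly marked as such, and must not be misrepresented as
+ being the original software.
+
+3. This notice may not be removed or altered from any source distribution.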
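diff --git a/3rd_party/ed25519/Makefile.am b/3rd_party/ed25519/Makefile.am
new file mode 100644
index 0000000..c475331
--- /dev/null
+++ b/3rd_party/ed25519/Makefile.am
@@ -0,0 +1,26 @@
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+AM_CPPFLAGS = \
+ -I$(top_srcdir)/include \
+ -I$(top_srcdir)
+
+AM_CFLAGS = \
+ $(GLOBAL_CFLAGS) \
+ $(openssl_CFLAGS)
+
+AM_LDFLAGS =
+
+noinst_LTLIBRARIES = libed25519.la
+libed25519_la_LIBADD =
+libed25519_la_LDFLAGS = $(AM_LDFLAGS) -no-undefined
+libed25519_la_SOURCES = \
+ add_scalar.c \
+ fe.c \
+ ge.c \
+ keypair.c \
+ key_exchange.c \
+ sc.c \
+ seed.c \
+ sign.c \
+ sha512.c \
+ verify.c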
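Review bot: AM_CFLAGS pulls in $(openssl_CFLAGS) although none of the listed sources needs OpenSSL — the bundled README states the code is dependency-free apart from the OS seed source — so the vendored library silently inherits whatever include paths and defines the OpenSSL build variant sets, which is exactly the kind of coupling bundling this code was meant to avoid. Reducing it to `AM_CFLAGS = $(GLOBAL_CFLAGS)` keeps the build of the third-party code isolated from the crypto backend chosen in configure.ac. The `no-dependencies` automake option additionally turns off header dependency tracking, so a change to fe.h, ge.h, sc.h or precomp_data.h will not trigger a rebuild of the objects that include them; unless it is needed for a specific toolchain, `AUTOMAKE_OPTIONS = foreign` is the safer default.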
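diff --git a/3rd_party/ed25519/README.md b/3rd_party/ed25519/README.md
new file mode 100644
index 0000000..2c431c2
--- /dev/null
+++ b/3rd_party/ed25519/README.md
@@ -0,0 +1,165 @@
+Ed25519
+=======
+
+This is a portable implementation of [Ed25519](http://ed25519.cr.yp.to/) based
+on the SUPERCOP "ref10" implementation. Additionally there is key exchanging
+and scalar addition included to further aid building a PKI using Ed25519. All
+code is licensed under the permissive zlib license.
+
+All code is pure ANSI C without any dependencies, except for the random seed
+generation which uses standard OS cryptography APIs (`CryptGenRandom` on
+Windows, `/dev/urandom` on nix). If you wish to be entirely portable define
+`ED25519_NO_SEED`. This disables the `ed25519_create_seed` function, so if your
+application requires key generation you must supply your own seeding function
+(which is simply a 256 bit (32 byte) cryptographic random number generator).
+
+
+Performance
+-----------
+
+On a Windows machine with an Intel Pentium B970 @ 2.3GHz I got the following
+speeds (running on only one a single core):
+
+ Seed generation: 64us (15625 per second)
+ Key generation: 88us (11364 per second)
+ Message signing (short message): 87us (11494 per second)
+ Message verifying (short message): 228us (4386 per second)
+ Scalar addition: 100us (10000 per second)
+ Key exchange: 220us (4545 per second)
+
+The speeds on other machines may vary. Sign/verify times will be higher with
+longer messages. The implementation significantly benefits from 64 bit
+architectures, if possible compile as 64 bit.
+
+
+Usage
+-----
+
+Simply add all .c and .h files in the `src/` folder to your project and include
+`ed25519.h` in any file you want to use the API. If you prefer to use a shared
+library, only copy `ed25519.h` and define `ED25519_DLL` before importing.
+
+There are no defined types for seeds, private keys, public keys, shared secrets
+or signatures. Instead simple `unsigned char` buffers are used with the
+following sizes:
+
+```c
+unsigned char seed[32];
+unsigned char signature[64];
+unsigned char public_key[32];
+unsigned char private_key[64];
+unsigned char scalar[32];
+unsigned char shared_secret[32];
+```
+
+API
+---
+
+```c
+int ed25519_create_seed(unsigned char *seed);
+```
+
+Creates a 32 byte random seed in `seed` for key generation. `seed` must be a
+writable 32 byte buffer. Returns 0 on success, and nonzero on failure.
+
+```c
+void ed25519_create_keypair(unsigned char *public_key, unsigned char *private_key,
+ const unsigned char *seed);
+```
+
+Creates a new key pair from the given seed. `public_key` must be a writable 32
+byte buffer, `private_key` must be a writable 64 byte buffer and `seed` must be
+a 32 byte buffer.
+
+```c
+void ed25519_sign(unsigned char *signature,
+ const unsigned char *message, size_t message_len,
+ const unsigned char *public_key, const unsigned char *private_key);
+```
+
+Creates a signature of the given message with the given key pair. `signature`
+must be a writable 64 byte buffer. `message` must have at least `message_len`
+bytes to be read.
+
+```c
+int ed25519_verify(const unsigned char *signature,
+ const unsigned char *message, size_t message_len,
+ const unsigned char *public_key);
+```
+
+Verifies the signature on the given message using `public_key`. `signature`
+must be a readable 64 byte buffer. `message` must have at least `message_len`
+bytes to be read. Returns 1 if the signature matches, 0 otherwise.
+
+```c
+void ed25519_add_scalar(unsigned char *public_key, unsigned char *private_key,
+ const unsigned char *scalar);
+```
+
+Adds `scalar` to the given key pair where scalar is a 32 byte buffer (possibly
+generated with `ed25519_create_seed`), generating a new key pair. You can
+calculate the public key sum without knowing the private key and vice versa by
+passing in `NULL` for the key you don't know. This is useful for enforcing
+randomness on a key pair by a third party while only knowing the public key,
+among other things. Warning: the last bit of the scalar is ignored - if
+comparing scalars make sure to clear it with `scalar[31] &= 127`.
+
+
+```c
+void ed25519_key_exchange(unsigned char *shared_secret,
+ const unsigned char *public_key, const unsigned char *private_key);
+```
+
+Performs a key exchange on the given public key and private key, producing a
+shared secret. It is recommended to hash the shared secret before using it.
+`shared_secret` must be a 32 byte writable buffer where the shared secret will
+be stored.
+
+Example
+-------
+
+```c
+unsigned char seed[32], public_key[32], private_key[64], signature[64];
+unsigned char other_public_key[32], other_private_key[64], shared_secret[32];
+const unsigned char message[] = "TEST MESSAGE";
+
+/* create a random seed, and a key pair out of that seed */
+if (ed25519_create_seed(seed)) {
+ printf("error while generating seed\n");
+ exit(1);
+}
+
+ed25519_create_keypair(public_key, private_key, seed);
+
+/* create signature on the message with the key pair */
+ed25519_sign(signature, message, strlen(message), public_key, private_key);
+
+/* verify the signature */
+if (ed25519_verify(signature, message, strlen(message), public_key)) {
+ printf("valid signature\n");
+} else {
+ printf("invalid signature\n");
+}
+
+/* create a dummy keypair to use for a key exchange, normally you'd only have
+the public key and receive it through some communication channel */
+if (ed25519_create_seed(seed)) {
+ printf("error while generating seed\n");
+ exit(1);
+}
+
+ed25519_create_keypair(other_public_key, other_private_key, seed);
+
+/* do a key exchange with other_public_key */
+ed25519_key_exchange(shared_secret, other_public_key, private_key);
+
+/*
+ the magic here is that ed25519_key_exchange(shared_secret, public_key,
+ other_private_key); would result in the same shared_secret
+*/
+
+```
+
+License
+-------
+All code is released under the zlib license. See LICENSE for details.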
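diff --git a/3rd_party/ed25519/add_scalar.c b/3rd_party/ed25519/add_scalar.c
new file mode 100644
index 0000000..7528a7a
--- /dev/null
+++ b/3rd_party/ed25519/add_scalar.c
@@ -0,0 +1,69 @@
+#include "ed25519.h"
+#include "ge.h"
+#include "sc.h"
+#include "sha512.h"
+
+
+/* see http://crypto.stackexchange.com/a/6215/4697 */
+void ed25519_add_scalar(unsigned char *public_key, unsigned char *private_key, const unsigned char *scalar) {
+ const unsigned char SC_1[32] = {1}; /* scalar with value 1 */
+
+ unsigned char n[32];
+ ge_p3 nB;
+ ge_p1p1 A_p1p1;
+ ge_p3 A;
+ ge_p3 public_key_unpacked;
+ ge_cached T;
+
+ sha512_context hash;
+ unsigned char hashbuf[64];
+
+ int i;
+
+ /* copy the scalar and clear highest bit */
+ for (i = 0; i < 31; ++i) {
+ n[i] = scalar[i];
+ }
+ n[31] = scalar[31] & 127;
+
+ /* private key: a = n + t */
+ if (private_key) {
+ sc_muladd(private_key, SC_1, n, private_key);
+
+ // https://github.com/orlp/ed25519/issues/3
+ sha512_init(&hash);
+ sha512_update(&hash, private_key + 32, 32);
+ sha512_update(&hash, scalar, 32);
+ sha512_final(&hash, hashbuf);
+ for (i = 0; i < 32; ++i) {
+ private_key[32 + i] = hashbuf[i];
+ }
+ }
+
+ /* public key: A = nB + T */
+ if (public_key) {
+ /* if we know the private key we don't need a point addition, which is faster */
+ /* using a "timing attack" you could find out wether or not we know the private
+ key, but this information seems rather useless - if this is important pass
+ public_key and private_key seperately in 2 function calls */
+ if (private_key) {
+ ge_scalarmult_base(&A, private_key);
+ } else {
+ /* unpack public key into T */
+ ge_frombytes_negate_vartime(&public_key_unpacked, public_key);
+ fe_neg(public_key_unpacked.X, public_key_unpacked.X); /* undo negate */
+ fe_neg(public_key_unpacked.T, public_key_unpacked.T); /* undo negate */
+ ge_p3_to_cached(&T, &public_key_unpacked);
+
+ /* calculate n*B */
+ ge_scalarmult_base(&nB, n);
+
+ /* A = n*B + T */
+ ge_add(&A_p1p1, &nB, &T);
+ ge_p1p1_to_p3(&A, &A_p1p1);
+ }
+
+ /* pack public key */
+ ge_p3_tobytes(public_key, &A);
+ }
+}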
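Review bot: The result of ge_frombytes_negate_vartime in the public-key-only branch (file line 53) is discarded, so a public_key that does not decode to a curve point is still fed into ge_p3_to_cached and ge_add, and ed25519_add_scalar writes an unrelated point back into public_key with no error indication; in the ref10 code this helper returns nonzero for exactly such an undecodable encoding. Because the function returns void and 3rd_party/README.md states the upstream source is kept unmodified, the fix belongs on the integration side: the caller (presumably in src/lockdown-cu.c, also added by this commit) must only pass public keys it has already validated or received over an authenticated channel, and that contract should be stated next to the prototype in ed25519.h, e.g. `/* public_key must be a valid 32-byte Ed25519 point encoding; an undecodable input produces an unusable result without any error. */`. If a local patch to the vendored copy is acceptable instead, surface the helper's result by returning int from this function and propagating it, `if (ge_frombytes_negate_vartime(&public_key_unpacked, public_key) != 0) return -1;`, which existing callers that ignore the return value tolerate. Separately, n and hashbuf hold freshly derived private-key material and are left on the stack at return; the upstream portability goal rules out explicit_bzero, but a volatile-pointer wipe loop before returning costs nothing.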
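diff --git a/3rd_party/ed25519/ed25519.h b/3rd_party/ed25519/ed25519.h
new file mode 100644
index 0000000..8924659
--- /dev/null
+++ b/3rd_party/ed25519/ed25519.h
@@ -0,0 +1,38 @@
+#ifndef ED25519_H
+#define ED25519_H
+
+#include <stddef.h>
+
+#if defined(_WIN32)
+ #if defined(ED25519_BUILD_DLL)
+ #define ED25519_DECLSPEC __declspec(dllexport)
+ #elif defined(ED25519_DLL)
+ #define ED25519_DECLSPEC __declspec(dllimport)
+ #else
+ #define ED25519_DECLSPEC
+ #endif
+#else
+ #define ED25519_DECLSPEC
+#endif
+
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#ifndef ED25519_NO_SEED
+int ED25519_DECLSPEC ed25519_create_seed(unsigned char *seed);
+#endif
+
+void ED25519_DECLSPEC ed25519_create_keypair(unsigned char *public_key, unsigned char *private_key, const unsigned char *seed);
+void ED25519_DECLSPEC ed25519_sign(unsigned char *signature, const unsigned char *message, size_t message_len, const unsigned char *public_key, const unsigned char *private_key);
+int ED25519_DECLSPEC ed25519_verify(const unsigned char *signature, const unsigned char *message, size_t message_len, const unsigned char *public_key);
+void ED25519_DECLSPEC ed25519_add_scalar(unsigned char *public_key, unsigned char *private_key, const unsigned char *scalar);
+void ED25519_DECLSPEC ed25519_key_exchange(unsigned char *shared_secret, const unsigned char *public_key, const unsigned char *private_key);
+
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif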
diff --git a/3rd_party/ed25519/fe.c b/3rd_party/ed25519/fe.c
new file mode 100644
index 0000000..2105eb7
--- /dev/null
+++ b/3rd_party/ed25519/fe.c
@@ -0,0 +1,1491 @@
1#include "fixedint.h"
2#include "fe.h"
3
4
5/*
6 helper functions
7*/
8static uint64_t load_3(const unsigned char *in) {
9 uint64_t result;
10
11 result = (uint64_t) in[0];
12 result |= ((uint64_t) in[1]) << 8;
13 result |= ((uint64_t) in[2]) << 16;
14
15 return result;
16}
17
18static uint64_t load_4(const unsigned char *in) {
19 uint64_t result;
20
21 result = (uint64_t) in[0];
22 result |= ((uint64_t) in[1]) << 8;
23 result |= ((uint64_t) in[2]) << 16;
24 result |= ((uint64_t) in[3]) << 24;
25
26 return result;
27}
28
29
30
31/*
32 h = 0
33*/
34
35void fe_0(fe h) {
36 h[0] = 0;
37 h[1] = 0;
38 h[2] = 0;
39 h[3] = 0;
40 h[4] = 0;
41 h[5] = 0;
42 h[6] = 0;
43 h[7] = 0;
44 h[8] = 0;
45 h[9] = 0;
46}
47
48
49
50/*
51 h = 1
52*/
53
54void fe_1(fe h) {
55 h[0] = 1;
56 h[1] = 0;
57 h[2] = 0;
58 h[3] = 0;
59 h[4] = 0;
60 h[5] = 0;
61 h[6] = 0;
62 h[7] = 0;
63 h[8] = 0;
64 h[9] = 0;
65}
66
67
68
69/*
70 h = f + g
71 Can overlap h with f or g.
72
73 Preconditions:
74 |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
75 |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
76
77 Postconditions:
78 |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
79*/
80
81void fe_add(fe h, const fe f, const fe g) {
82 int32_t f0 = f[0];
83 int32_t f1 = f[1];
84 int32_t f2 = f[2];
85 int32_t f3 = f[3];
86 int32_t f4 = f[4];
87 int32_t f5 = f[5];
88 int32_t f6 = f[6];
89 int32_t f7 = f[7];
90 int32_t f8 = f[8];
91 int32_t f9 = f[9];
92 int32_t g0 = g[0];
93 int32_t g1 = g[1];
94 int32_t g2 = g[2];
95 int32_t g3 = g[3];
96 int32_t g4 = g[4];
97 int32_t g5 = g[5];
98 int32_t g6 = g[6];
99 int32_t g7 = g[7];
100 int32_t g8 = g[8];
101 int32_t g9 = g[9];
102 int32_t h0 = f0 + g0;
103 int32_t h1 = f1 + g1;
104 int32_t h2 = f2 + g2;
105 int32_t h3 = f3 + g3;
106 int32_t h4 = f4 + g4;
107 int32_t h5 = f5 + g5;
108 int32_t h6 = f6 + g6;
109 int32_t h7 = f7 + g7;
110 int32_t h8 = f8 + g8;
111 int32_t h9 = f9 + g9;
112
113 h[0] = h0;
114 h[1] = h1;
115 h[2] = h2;
116 h[3] = h3;
117 h[4] = h4;
118 h[5] = h5;
119 h[6] = h6;
120 h[7] = h7;
121 h[8] = h8;
122 h[9] = h9;
123}
124
125
126
127/*
128 Replace (f,g) with (g,g) if b == 1;
129 replace (f,g) with (f,g) if b == 0.
130
131 Preconditions: b in {0,1}.
132*/
133
134void fe_cmov(fe f, const fe g, unsigned int b) {
135 int32_t f0 = f[0];
136 int32_t f1 = f[1];
137 int32_t f2 = f[2];
138 int32_t f3 = f[3];
139 int32_t f4 = f[4];
140 int32_t f5 = f[5];
141 int32_t f6 = f[6];
142 int32_t f7 = f[7];
143 int32_t f8 = f[8];
144 int32_t f9 = f[9];
145 int32_t g0 = g[0];
146 int32_t g1 = g[1];
147 int32_t g2 = g[2];
148 int32_t g3 = g[3];
149 int32_t g4 = g[4];
150 int32_t g5 = g[5];
151 int32_t g6 = g[6];
152 int32_t g7 = g[7];
153 int32_t g8 = g[8];
154 int32_t g9 = g[9];
155 int32_t x0 = f0 ^ g0;
156 int32_t x1 = f1 ^ g1;
157 int32_t x2 = f2 ^ g2;
158 int32_t x3 = f3 ^ g3;
159 int32_t x4 = f4 ^ g4;
160 int32_t x5 = f5 ^ g5;
161 int32_t x6 = f6 ^ g6;
162 int32_t x7 = f7 ^ g7;
163 int32_t x8 = f8 ^ g8;
164 int32_t x9 = f9 ^ g9;
165
166 b = (unsigned int) (- (int) b); /* silence warning */
167 x0 &= b;
168 x1 &= b;
169 x2 &= b;
170 x3 &= b;
171 x4 &= b;
172 x5 &= b;
173 x6 &= b;
174 x7 &= b;
175 x8 &= b;
176 x9 &= b;
177
178 f[0] = f0 ^ x0;
179 f[1] = f1 ^ x1;
180 f[2] = f2 ^ x2;
181 f[3] = f3 ^ x3;
182 f[4] = f4 ^ x4;
183 f[5] = f5 ^ x5;
184 f[6] = f6 ^ x6;
185 f[7] = f7 ^ x7;
186 f[8] = f8 ^ x8;
187 f[9] = f9 ^ x9;
188}
189
190/*
191 Replace (f,g) with (g,f) if b == 1;
192 replace (f,g) with (f,g) if b == 0.
193
194 Preconditions: b in {0,1}.
195*/
196
197void fe_cswap(fe f,fe g,unsigned int b) {
198 int32_t f0 = f[0];
199 int32_t f1 = f[1];
200 int32_t f2 = f[2];
201 int32_t f3 = f[3];
202 int32_t f4 = f[4];
203 int32_t f5 = f[5];
204 int32_t f6 = f[6];
205 int32_t f7 = f[7];
206 int32_t f8 = f[8];
207 int32_t f9 = f[9];
208 int32_t g0 = g[0];
209 int32_t g1 = g[1];
210 int32_t g2 = g[2];
211 int32_t g3 = g[3];
212 int32_t g4 = g[4];
213 int32_t g5 = g[5];
214 int32_t g6 = g[6];
215 int32_t g7 = g[7];
216 int32_t g8 = g[8];
217 int32_t g9 = g[9];
218 int32_t x0 = f0 ^ g0;
219 int32_t x1 = f1 ^ g1;
220 int32_t x2 = f2 ^ g2;
221 int32_t x3 = f3 ^ g3;
222 int32_t x4 = f4 ^ g4;
223 int32_t x5 = f5 ^ g5;
224 int32_t x6 = f6 ^ g6;
225 int32_t x7 = f7 ^ g7;
226 int32_t x8 = f8 ^ g8;
227 int32_t x9 = f9 ^ g9;
228 b = (unsigned int) (- (int) b); /* silence warning */
229 x0 &= b;
230 x1 &= b;
231 x2 &= b;
232 x3 &= b;
233 x4 &= b;
234 x5 &= b;
235 x6 &= b;
236 x7 &= b;
237 x8 &= b;
238 x9 &= b;
239 f[0] = f0 ^ x0;
240 f[1] = f1 ^ x1;
241 f[2] = f2 ^ x2;
242 f[3] = f3 ^ x3;
243 f[4] = f4 ^ x4;
244 f[5] = f5 ^ x5;
245 f[6] = f6 ^ x6;
246 f[7] = f7 ^ x7;
247 f[8] = f8 ^ x8;
248 f[9] = f9 ^ x9;
249 g[0] = g0 ^ x0;
250 g[1] = g1 ^ x1;
251 g[2] = g2 ^ x2;
252 g[3] = g3 ^ x3;
253 g[4] = g4 ^ x4;
254 g[5] = g5 ^ x5;
255 g[6] = g6 ^ x6;
256 g[7] = g7 ^ x7;
257 g[8] = g8 ^ x8;
258 g[9] = g9 ^ x9;
259}
260
261
262
263/*
264 h = f
265*/
266
267void fe_copy(fe h, const fe f) {
268 int32_t f0 = f[0];
269 int32_t f1 = f[1];
270 int32_t f2 = f[2];
271 int32_t f3 = f[3];
272 int32_t f4 = f[4];
273 int32_t f5 = f[5];
274 int32_t f6 = f[6];
275 int32_t f7 = f[7];
276 int32_t f8 = f[8];
277 int32_t f9 = f[9];
278
279 h[0] = f0;
280 h[1] = f1;
281 h[2] = f2;
282 h[3] = f3;
283 h[4] = f4;
284 h[5] = f5;
285 h[6] = f6;
286 h[7] = f7;
287 h[8] = f8;
288 h[9] = f9;
289}
290
291
292
293/*
294 Ignores top bit of h.
295*/
296
297void fe_frombytes(fe h, const unsigned char *s) {
298 int64_t h0 = load_4(s);
299 int64_t h1 = load_3(s + 4) << 6;
300 int64_t h2 = load_3(s + 7) << 5;
301 int64_t h3 = load_3(s + 10) << 3;
302 int64_t h4 = load_3(s + 13) << 2;
303 int64_t h5 = load_4(s + 16);
304 int64_t h6 = load_3(s + 20) << 7;
305 int64_t h7 = load_3(s + 23) << 5;
306 int64_t h8 = load_3(s + 26) << 4;
307 int64_t h9 = (load_3(s + 29) & 8388607) << 2;
308 int64_t carry0;
309 int64_t carry1;
310 int64_t carry2;
311 int64_t carry3;
312 int64_t carry4;
313 int64_t carry5;
314 int64_t carry6;
315 int64_t carry7;
316 int64_t carry8;
317 int64_t carry9;
318
319 carry9 = (h9 + (int64_t) (1 << 24)) >> 25;
320 h0 += carry9 * 19;
321 h9 -= carry9 << 25;
322 carry1 = (h1 + (int64_t) (1 << 24)) >> 25;
323 h2 += carry1;
324 h1 -= carry1 << 25;
325 carry3 = (h3 + (int64_t) (1 << 24)) >> 25;
326 h4 += carry3;
327 h3 -= carry3 << 25;
328 carry5 = (h5 + (int64_t) (1 << 24)) >> 25;
329 h6 += carry5;
330 h5 -= carry5 << 25;
331 carry7 = (h7 + (int64_t) (1 << 24)) >> 25;
332 h8 += carry7;
333 h7 -= carry7 << 25;
334 carry0 = (h0 + (int64_t) (1 << 25)) >> 26;
335 h1 += carry0;
336 h0 -= carry0 << 26;
337 carry2 = (h2 + (int64_t) (1 << 25)) >> 26;
338 h3 += carry2;
339 h2 -= carry2 << 26;
340 carry4 = (h4 + (int64_t) (1 << 25)) >> 26;
341 h5 += carry4;
342 h4 -= carry4 << 26;
343 carry6 = (h6 + (int64_t) (1 << 25)) >> 26;
344 h7 += carry6;
345 h6 -= carry6 << 26;
346 carry8 = (h8 + (int64_t) (1 << 25)) >> 26;
347 h9 += carry8;
348 h8 -= carry8 << 26;
349
350 h[0] = (int32_t) h0;
351 h[1] = (int32_t) h1;
352 h[2] = (int32_t) h2;
353 h[3] = (int32_t) h3;
354 h[4] = (int32_t) h4;
355 h[5] = (int32_t) h5;
356 h[6] = (int32_t) h6;
357 h[7] = (int32_t) h7;
358 h[8] = (int32_t) h8;
359 h[9] = (int32_t) h9;
360}
361
362
363
364void fe_invert(fe out, const fe z) {
365 fe t0;
366 fe t1;
367 fe t2;
368 fe t3;
369 int i;
370
371 fe_sq(t0, z);
372
373 for (i = 1; i < 1; ++i) {
374 fe_sq(t0, t0);
375 }
376
377 fe_sq(t1, t0);
378
379 for (i = 1; i < 2; ++i) {
380 fe_sq(t1, t1);
381 }
382
383 fe_mul(t1, z, t1);
384 fe_mul(t0, t0, t1);
385 fe_sq(t2, t0);
386
387 for (i = 1; i < 1; ++i) {
388 fe_sq(t2, t2);
389 }
390
391 fe_mul(t1, t1, t2);
392 fe_sq(t2, t1);
393
394 for (i = 1; i < 5; ++i) {
395 fe_sq(t2, t2);
396 }
397
398 fe_mul(t1, t2, t1);
399 fe_sq(t2, t1);
400
401 for (i = 1; i < 10; ++i) {
402 fe_sq(t2, t2);
403 }
404
405 fe_mul(t2, t2, t1);
406 fe_sq(t3, t2);
407
408 for (i = 1; i < 20; ++i) {
409 fe_sq(t3, t3);
410 }
411
412 fe_mul(t2, t3, t2);
413 fe_sq(t2, t2);
414
415 for (i = 1; i < 10; ++i) {
416 fe_sq(t2, t2);
417 }
418
419 fe_mul(t1, t2, t1);
420 fe_sq(t2, t1);
421
422 for (i = 1; i < 50; ++i) {
423 fe_sq(t2, t2);
424 }
425
426 fe_mul(t2, t2, t1);
427 fe_sq(t3, t2);
428
429 for (i = 1; i < 100; ++i) {
430 fe_sq(t3, t3);
431 }
432
433 fe_mul(t2, t3, t2);
434 fe_sq(t2, t2);
435
436 for (i = 1; i < 50; ++i) {
437 fe_sq(t2, t2);
438 }
439
440 fe_mul(t1, t2, t1);
441 fe_sq(t1, t1);
442
443 for (i = 1; i < 5; ++i) {
444 fe_sq(t1, t1);
445 }
446
447 fe_mul(out, t1, t0);
448}
449
450
451
452/*
453 return 1 if f is in {1,3,5,...,q-2}
454 return 0 if f is in {0,2,4,...,q-1}
455
456 Preconditions:
457 |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
458*/
459
460int fe_isnegative(const fe f) {
461 unsigned char s[32];
462
463 fe_tobytes(s, f);
464
465 return s[0] & 1;
466}
467
468
469
470/*
471 return 1 if f == 0
472 return 0 if f != 0
473
474 Preconditions:
475 |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
476*/
477
478int fe_isnonzero(const fe f) {
479 unsigned char s[32];
480 unsigned char r;
481
482 fe_tobytes(s, f);
483
484 r = s[0];
485 #define F(i) r |= s[i]
486 F(1);
487 F(2);
488 F(3);
489 F(4);
490 F(5);
491 F(6);
492 F(7);
493 F(8);
494 F(9);
495 F(10);
496 F(11);
497 F(12);
498 F(13);
499 F(14);
500 F(15);
501 F(16);
502 F(17);
503 F(18);
504 F(19);
505 F(20);
506 F(21);
507 F(22);
508 F(23);
509 F(24);
510 F(25);
511 F(26);
512 F(27);
513 F(28);
514 F(29);
515 F(30);
516 F(31);
517 #undef F
518
519 return r != 0;
520}
521
522
523
524/*
525 h = f * g
526 Can overlap h with f or g.
527
528 Preconditions:
529 |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
530 |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
531
532 Postconditions:
533 |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
534 */
535
536 /*
537 Notes on implementation strategy:
538
539 Using schoolbook multiplication.
540 Karatsuba would save a little in some cost models.
541
542 Most multiplications by 2 and 19 are 32-bit precomputations;
543 cheaper than 64-bit postcomputations.
544
545 There is one remaining multiplication by 19 in the carry chain;
546 one *19 precomputation can be merged into this,
547 but the resulting data flow is considerably less clean.
548
549 There are 12 carries below.
550 10 of them are 2-way parallelizable and vectorizable.
551 Can get away with 11 carries, but then data flow is much deeper.
552
553 With tighter constraints on inputs can squeeze carries into int32.
554*/
555
556void fe_mul(fe h, const fe f, const fe g) {
557 int32_t f0 = f[0];
558 int32_t f1 = f[1];
559 int32_t f2 = f[2];
560 int32_t f3 = f[3];
561 int32_t f4 = f[4];
562 int32_t f5 = f[5];
563 int32_t f6 = f[6];
564 int32_t f7 = f[7];
565 int32_t f8 = f[8];
566 int32_t f9 = f[9];
567 int32_t g0 = g[0];
568 int32_t g1 = g[1];
569 int32_t g2 = g[2];
570 int32_t g3 = g[3];
571 int32_t g4 = g[4];
572 int32_t g5 = g[5];
573 int32_t g6 = g[6];
574 int32_t g7 = g[7];
575 int32_t g8 = g[8];
576 int32_t g9 = g[9];
577 int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */
578 int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */
579 int32_t g3_19 = 19 * g3;
580 int32_t g4_19 = 19 * g4;
581 int32_t g5_19 = 19 * g5;
582 int32_t g6_19 = 19 * g6;
583 int32_t g7_19 = 19 * g7;
584 int32_t g8_19 = 19 * g8;
585 int32_t g9_19 = 19 * g9;
586 int32_t f1_2 = 2 * f1;
587 int32_t f3_2 = 2 * f3;
588 int32_t f5_2 = 2 * f5;
589 int32_t f7_2 = 2 * f7;
590 int32_t f9_2 = 2 * f9;
591 int64_t f0g0 = f0 * (int64_t) g0;
592 int64_t f0g1 = f0 * (int64_t) g1;
593 int64_t f0g2 = f0 * (int64_t) g2;
594 int64_t f0g3 = f0 * (int64_t) g3;
595 int64_t f0g4 = f0 * (int64_t) g4;
596 int64_t f0g5 = f0 * (int64_t) g5;
597 int64_t f0g6 = f0 * (int64_t) g6;
598 int64_t f0g7 = f0 * (int64_t) g7;
599 int64_t f0g8 = f0 * (int64_t) g8;
600 int64_t f0g9 = f0 * (int64_t) g9;
601 int64_t f1g0 = f1 * (int64_t) g0;
602 int64_t f1g1_2 = f1_2 * (int64_t) g1;
603 int64_t f1g2 = f1 * (int64_t) g2;
604 int64_t f1g3_2 = f1_2 * (int64_t) g3;
605 int64_t f1g4 = f1 * (int64_t) g4;
606 int64_t f1g5_2 = f1_2 * (int64_t) g5;
607 int64_t f1g6 = f1 * (int64_t) g6;
608 int64_t f1g7_2 = f1_2 * (int64_t) g7;
609 int64_t f1g8 = f1 * (int64_t) g8;
610 int64_t f1g9_38 = f1_2 * (int64_t) g9_19;
611 int64_t f2g0 = f2 * (int64_t) g0;
612 int64_t f2g1 = f2 * (int64_t) g1;
613 int64_t f2g2 = f2 * (int64_t) g2;
614 int64_t f2g3 = f2 * (int64_t) g3;
615 int64_t f2g4 = f2 * (int64_t) g4;
616 int64_t f2g5 = f2 * (int64_t) g5;
617 int64_t f2g6 = f2 * (int64_t) g6;
618 int64_t f2g7 = f2 * (int64_t) g7;
619 int64_t f2g8_19 = f2 * (int64_t) g8_19;
620 int64_t f2g9_19 = f2 * (int64_t) g9_19;
621 int64_t f3g0 = f3 * (int64_t) g0;
622 int64_t f3g1_2 = f3_2 * (int64_t) g1;
623 int64_t f3g2 = f3 * (int64_t) g2;
624 int64_t f3g3_2 = f3_2 * (int64_t) g3;
625 int64_t f3g4 = f3 * (int64_t) g4;
626 int64_t f3g5_2 = f3_2 * (int64_t) g5;
627 int64_t f3g6 = f3 * (int64_t) g6;
628 int64_t f3g7_38 = f3_2 * (int64_t) g7_19;
629 int64_t f3g8_19 = f3 * (int64_t) g8_19;
630 int64_t f3g9_38 = f3_2 * (int64_t) g9_19;
631 int64_t f4g0 = f4 * (int64_t) g0;
632 int64_t f4g1 = f4 * (int64_t) g1;
633 int64_t f4g2 = f4 * (int64_t) g2;
634 int64_t f4g3 = f4 * (int64_t) g3;
635 int64_t f4g4 = f4 * (int64_t) g4;
636 int64_t f4g5 = f4 * (int64_t) g5;
637 int64_t f4g6_19 = f4 * (int64_t) g6_19;
638 int64_t f4g7_19 = f4 * (int64_t) g7_19;
639 int64_t f4g8_19 = f4 * (int64_t) g8_19;
640 int64_t f4g9_19 = f4 * (int64_t) g9_19;
641 int64_t f5g0 = f5 * (int64_t) g0;
642 int64_t f5g1_2 = f5_2 * (int64_t) g1;
643 int64_t f5g2 = f5 * (int64_t) g2;
644 int64_t f5g3_2 = f5_2 * (int64_t) g3;
645 int64_t f5g4 = f5 * (int64_t) g4;
646 int64_t f5g5_38 = f5_2 * (int64_t) g5_19;
647 int64_t f5g6_19 = f5 * (int64_t) g6_19;
648 int64_t f5g7_38 = f5_2 * (int64_t) g7_19;
649 int64_t f5g8_19 = f5 * (int64_t) g8_19;
650 int64_t f5g9_38 = f5_2 * (int64_t) g9_19;
651 int64_t f6g0 = f6 * (int64_t) g0;
652 int64_t f6g1 = f6 * (int64_t) g1;
653 int64_t f6g2 = f6 * (int64_t) g2;
654 int64_t f6g3 = f6 * (int64_t) g3;
655 int64_t f6g4_19 = f6 * (int64_t) g4_19;
656 int64_t f6g5_19 = f6 * (int64_t) g5_19;
657 int64_t f6g6_19 = f6 * (int64_t) g6_19;
658 int64_t f6g7_19 = f6 * (int64_t) g7_19;
659 int64_t f6g8_19 = f6 * (int64_t) g8_19;
660 int64_t f6g9_19 = f6 * (int64_t) g9_19;
661 int64_t f7g0 = f7 * (int64_t) g0;
662 int64_t f7g1_2 = f7_2 * (int64_t) g1;
663 int64_t f7g2 = f7 * (int64_t) g2;
664 int64_t f7g3_38 = f7_2 * (int64_t) g3_19;
665 int64_t f7g4_19 = f7 * (int64_t) g4_19;
666 int64_t f7g5_38 = f7_2 * (int64_t) g5_19;
667 int64_t f7g6_19 = f7 * (int64_t) g6_19;
668 int64_t f7g7_38 = f7_2 * (int64_t) g7_19;
669 int64_t f7g8_19 = f7 * (int64_t) g8_19;
670 int64_t f7g9_38 = f7_2 * (int64_t) g9_19;
671 int64_t f8g0 = f8 * (int64_t) g0;
672 int64_t f8g1 = f8 * (int64_t) g1;
673 int64_t f8g2_19 = f8 * (int64_t) g2_19;
674 int64_t f8g3_19 = f8 * (int64_t) g3_19;
675 int64_t f8g4_19 = f8 * (int64_t) g4_19;
676 int64_t f8g5_19 = f8 * (int64_t) g5_19;
677 int64_t f8g6_19 = f8 * (int64_t) g6_19;
678 int64_t f8g7_19 = f8 * (int64_t) g7_19;
679 int64_t f8g8_19 = f8 * (int64_t) g8_19;
680 int64_t f8g9_19 = f8 * (int64_t) g9_19;
681 int64_t f9g0 = f9 * (int64_t) g0;
682 int64_t f9g1_38 = f9_2 * (int64_t) g1_19;
683 int64_t f9g2_19 = f9 * (int64_t) g2_19;
684 int64_t f9g3_38 = f9_2 * (int64_t) g3_19;
685 int64_t f9g4_19 = f9 * (int64_t) g4_19;
686 int64_t f9g5_38 = f9_2 * (int64_t) g5_19;
687 int64_t f9g6_19 = f9 * (int64_t) g6_19;
688 int64_t f9g7_38 = f9_2 * (int64_t) g7_19;
689 int64_t f9g8_19 = f9 * (int64_t) g8_19;
690 int64_t f9g9_38 = f9_2 * (int64_t) g9_19;
691 int64_t h0 = f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38;
692 int64_t h1 = f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19;
693 int64_t h2 = f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38;
694 int64_t h3 = f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19;
695 int64_t h4 = f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38;
696 int64_t h5 = f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19;
697 int64_t h6 = f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38;
698 int64_t h7 = f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19;
699 int64_t h8 = f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38;
700 int64_t h9 = f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0 ;
701 int64_t carry0;
702 int64_t carry1;
703 int64_t carry2;
704 int64_t carry3;
705 int64_t carry4;
706 int64_t carry5;
707 int64_t carry6;
708 int64_t carry7;
709 int64_t carry8;
710 int64_t carry9;
711
712 carry0 = (h0 + (int64_t) (1 << 25)) >> 26;
713 h1 += carry0;
714 h0 -= carry0 << 26;
715 carry4 = (h4 + (int64_t) (1 << 25)) >> 26;
716 h5 += carry4;
717 h4 -= carry4 << 26;
718
719 carry1 = (h1 + (int64_t) (1 << 24)) >> 25;
720 h2 += carry1;
721 h1 -= carry1 << 25;
722 carry5 = (h5 + (int64_t) (1 << 24)) >> 25;
723 h6 += carry5;
724 h5 -= carry5 << 25;
725
726 carry2 = (h2 + (int64_t) (1 << 25)) >> 26;
727 h3 += carry2;
728 h2 -= carry2 << 26;
729 carry6 = (h6 + (int64_t) (1 << 25)) >> 26;
730 h7 += carry6;
731 h6 -= carry6 << 26;
732
733 carry3 = (h3 + (int64_t) (1 << 24)) >> 25;
734 h4 += carry3;
735 h3 -= carry3 << 25;
736 carry7 = (h7 + (int64_t) (1 << 24)) >> 25;
737 h8 += carry7;
738 h7 -= carry7 << 25;
739
740 carry4 = (h4 + (int64_t) (1 << 25)) >> 26;
741 h5 += carry4;
742 h4 -= carry4 << 26;
743 carry8 = (h8 + (int64_t) (1 << 25)) >> 26;
744 h9 += carry8;
745 h8 -= carry8 << 26;
746
747 carry9 = (h9 + (int64_t) (1 << 24)) >> 25;
748 h0 += carry9 * 19;
749 h9 -= carry9 << 25;
750
751 carry0 = (h0 + (int64_t) (1 << 25)) >> 26;
752 h1 += carry0;
753 h0 -= carry0 << 26;
754
755 h[0] = (int32_t) h0;
756 h[1] = (int32_t) h1;
757 h[2] = (int32_t) h2;
758 h[3] = (int32_t) h3;
759 h[4] = (int32_t) h4;
760 h[5] = (int32_t) h5;
761 h[6] = (int32_t) h6;
762 h[7] = (int32_t) h7;
763 h[8] = (int32_t) h8;
764 h[9] = (int32_t) h9;
765}
766
767
768/*
769h = f * 121666
770Can overlap h with f.
771
772Preconditions:
773 |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
774
775Postconditions:
776 |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
777*/
778
779void fe_mul121666(fe h, fe f) {
780 int32_t f0 = f[0];
781 int32_t f1 = f[1];
782 int32_t f2 = f[2];
783 int32_t f3 = f[3];
784 int32_t f4 = f[4];
785 int32_t f5 = f[5];
786 int32_t f6 = f[6];
787 int32_t f7 = f[7];
788 int32_t f8 = f[8];
789 int32_t f9 = f[9];
790 int64_t h0 = f0 * (int64_t) 121666;
791 int64_t h1 = f1 * (int64_t) 121666;
792 int64_t h2 = f2 * (int64_t) 121666;
793 int64_t h3 = f3 * (int64_t) 121666;
794 int64_t h4 = f4 * (int64_t) 121666;
795 int64_t h5 = f5 * (int64_t) 121666;
796 int64_t h6 = f6 * (int64_t) 121666;
797 int64_t h7 = f7 * (int64_t) 121666;
798 int64_t h8 = f8 * (int64_t) 121666;
799 int64_t h9 = f9 * (int64_t) 121666;
800 int64_t carry0;
801 int64_t carry1;
802 int64_t carry2;
803 int64_t carry3;
804 int64_t carry4;
805 int64_t carry5;
806 int64_t carry6;
807 int64_t carry7;
808 int64_t carry8;
809 int64_t carry9;
810
811 carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25;
812 carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25;
813 carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25;
814 carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25;
815 carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25;
816
817 carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26;
818 carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26;
819 carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26;
820 carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26;
821 carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26;
822
823 h[0] = (int32_t) h0;
824 h[1] = (int32_t) h1;
825 h[2] = (int32_t) h2;
826 h[3] = (int32_t) h3;
827 h[4] = (int32_t) h4;
828 h[5] = (int32_t) h5;
829 h[6] = (int32_t) h6;
830 h[7] = (int32_t) h7;
831 h[8] = (int32_t) h8;
832 h[9] = (int32_t) h9;
833}
834
835
836/*
837h = -f
838
839Preconditions:
840 |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
841
842Postconditions:
843 |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
844*/
845
846void fe_neg(fe h, const fe f) {
847 int32_t f0 = f[0];
848 int32_t f1 = f[1];
849 int32_t f2 = f[2];
850 int32_t f3 = f[3];
851 int32_t f4 = f[4];
852 int32_t f5 = f[5];
853 int32_t f6 = f[6];
854 int32_t f7 = f[7];
855 int32_t f8 = f[8];
856 int32_t f9 = f[9];
857 int32_t h0 = -f0;
858 int32_t h1 = -f1;
859 int32_t h2 = -f2;
860 int32_t h3 = -f3;
861 int32_t h4 = -f4;
862 int32_t h5 = -f5;
863 int32_t h6 = -f6;
864 int32_t h7 = -f7;
865 int32_t h8 = -f8;
866 int32_t h9 = -f9;
867
868 h[0] = h0;
869 h[1] = h1;
870 h[2] = h2;
871 h[3] = h3;
872 h[4] = h4;
873 h[5] = h5;
874 h[6] = h6;
875 h[7] = h7;
876 h[8] = h8;
877 h[9] = h9;
878}
879
880
881void fe_pow22523(fe out, const fe z) {
882 fe t0;
883 fe t1;
884 fe t2;
885 int i;
886 fe_sq(t0, z);
887
888 for (i = 1; i < 1; ++i) {
889 fe_sq(t0, t0);
890 }
891
892 fe_sq(t1, t0);
893
894 for (i = 1; i < 2; ++i) {
895 fe_sq(t1, t1);
896 }
897
898 fe_mul(t1, z, t1);
899 fe_mul(t0, t0, t1);
900 fe_sq(t0, t0);
901
902 for (i = 1; i < 1; ++i) {
903 fe_sq(t0, t0);
904 }
905
906 fe_mul(t0, t1, t0);
907 fe_sq(t1, t0);
908
909 for (i = 1; i < 5; ++i) {
910 fe_sq(t1, t1);
911 }
912
913 fe_mul(t0, t1, t0);
914 fe_sq(t1, t0);
915
916 for (i = 1; i < 10; ++i) {
917 fe_sq(t1, t1);
918 }
919
920 fe_mul(t1, t1, t0);
921 fe_sq(t2, t1);
922
923 for (i = 1; i < 20; ++i) {
924 fe_sq(t2, t2);
925 }
926
927 fe_mul(t1, t2, t1);
928 fe_sq(t1, t1);
929
930 for (i = 1; i < 10; ++i) {
931 fe_sq(t1, t1);
932 }
933
934 fe_mul(t0, t1, t0);
935 fe_sq(t1, t0);
936
937 for (i = 1; i < 50; ++i) {
938 fe_sq(t1, t1);
939 }
940
941 fe_mul(t1, t1, t0);
942 fe_sq(t2, t1);
943
944 for (i = 1; i < 100; ++i) {
945 fe_sq(t2, t2);
946 }
947
948 fe_mul(t1, t2, t1);
949 fe_sq(t1, t1);
950
951 for (i = 1; i < 50; ++i) {
952 fe_sq(t1, t1);
953 }
954
955 fe_mul(t0, t1, t0);
956 fe_sq(t0, t0);
957
958 for (i = 1; i < 2; ++i) {
959 fe_sq(t0, t0);
960 }
961
962 fe_mul(out, t0, z);
963 return;
964}
965
966
967/*
968h = f * f
969Can overlap h with f.
970
971Preconditions:
972 |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
973
974Postconditions:
975 |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
976*/
977
978/*
979See fe_mul.c for discussion of implementation strategy.
980*/
981
982void fe_sq(fe h, const fe f) {
983 int32_t f0 = f[0];
984 int32_t f1 = f[1];
985 int32_t f2 = f[2];
986 int32_t f3 = f[3];
987 int32_t f4 = f[4];
988 int32_t f5 = f[5];
989 int32_t f6 = f[6];
990 int32_t f7 = f[7];
991 int32_t f8 = f[8];
992 int32_t f9 = f[9];
993 int32_t f0_2 = 2 * f0;
994 int32_t f1_2 = 2 * f1;
995 int32_t f2_2 = 2 * f2;
996 int32_t f3_2 = 2 * f3;
997 int32_t f4_2 = 2 * f4;
998 int32_t f5_2 = 2 * f5;
999 int32_t f6_2 = 2 * f6;
1000 int32_t f7_2 = 2 * f7;
1001 int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
1002 int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
1003 int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
1004 int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
1005 int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
1006 int64_t f0f0 = f0 * (int64_t) f0;
1007 int64_t f0f1_2 = f0_2 * (int64_t) f1;
1008 int64_t f0f2_2 = f0_2 * (int64_t) f2;
1009 int64_t f0f3_2 = f0_2 * (int64_t) f3;
1010 int64_t f0f4_2 = f0_2 * (int64_t) f4;
1011 int64_t f0f5_2 = f0_2 * (int64_t) f5;
1012 int64_t f0f6_2 = f0_2 * (int64_t) f6;
1013 int64_t f0f7_2 = f0_2 * (int64_t) f7;
1014 int64_t f0f8_2 = f0_2 * (int64_t) f8;
1015 int64_t f0f9_2 = f0_2 * (int64_t) f9;
1016 int64_t f1f1_2 = f1_2 * (int64_t) f1;
1017 int64_t f1f2_2 = f1_2 * (int64_t) f2;
1018 int64_t f1f3_4 = f1_2 * (int64_t) f3_2;
1019 int64_t f1f4_2 = f1_2 * (int64_t) f4;
1020 int64_t f1f5_4 = f1_2 * (int64_t) f5_2;
1021 int64_t f1f6_2 = f1_2 * (int64_t) f6;
1022 int64_t f1f7_4 = f1_2 * (int64_t) f7_2;
1023 int64_t f1f8_2 = f1_2 * (int64_t) f8;
1024 int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
1025 int64_t f2f2 = f2 * (int64_t) f2;
1026 int64_t f2f3_2 = f2_2 * (int64_t) f3;
1027 int64_t f2f4_2 = f2_2 * (int64_t) f4;
1028 int64_t f2f5_2 = f2_2 * (int64_t) f5;
1029 int64_t f2f6_2 = f2_2 * (int64_t) f6;
1030 int64_t f2f7_2 = f2_2 * (int64_t) f7;
1031 int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
1032 int64_t f2f9_38 = f2 * (int64_t) f9_38;
1033 int64_t f3f3_2 = f3_2 * (int64_t) f3;
1034 int64_t f3f4_2 = f3_2 * (int64_t) f4;
1035 int64_t f3f5_4 = f3_2 * (int64_t) f5_2;
1036 int64_t f3f6_2 = f3_2 * (int64_t) f6;
1037 int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
1038 int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
1039 int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
1040 int64_t f4f4 = f4 * (int64_t) f4;
1041 int64_t f4f5_2 = f4_2 * (int64_t) f5;
1042 int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
1043 int64_t f4f7_38 = f4 * (int64_t) f7_38;
1044 int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
1045 int64_t f4f9_38 = f4 * (int64_t) f9_38;
1046 int64_t f5f5_38 = f5 * (int64_t) f5_38;
1047 int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
1048 int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
1049 int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
1050 int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
1051 int64_t f6f6_19 = f6 * (int64_t) f6_19;
1052 int64_t f6f7_38 = f6 * (int64_t) f7_38;
1053 int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
1054 int64_t f6f9_38 = f6 * (int64_t) f9_38;
1055 int64_t f7f7_38 = f7 * (int64_t) f7_38;
1056 int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
1057 int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
1058 int64_t f8f8_19 = f8 * (int64_t) f8_19;
1059 int64_t f8f9_38 = f8 * (int64_t) f9_38;
1060 int64_t f9f9_38 = f9 * (int64_t) f9_38;
1061 int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
1062 int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
1063 int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
1064 int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
1065 int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
1066 int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
1067 int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
1068 int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
1069 int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
1070 int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
1071 int64_t carry0;
1072 int64_t carry1;
1073 int64_t carry2;
1074 int64_t carry3;
1075 int64_t carry4;
1076 int64_t carry5;
1077 int64_t carry6;
1078 int64_t carry7;
1079 int64_t carry8;
1080 int64_t carry9;
1081 carry0 = (h0 + (int64_t) (1 << 25)) >> 26;
1082 h1 += carry0;
1083 h0 -= carry0 << 26;
1084 carry4 = (h4 + (int64_t) (1 << 25)) >> 26;
1085 h5 += carry4;
1086 h4 -= carry4 << 26;
1087 carry1 = (h1 + (int64_t) (1 << 24)) >> 25;
1088 h2 += carry1;
1089 h1 -= carry1 << 25;
1090 carry5 = (h5 + (int64_t) (1 << 24)) >> 25;
1091 h6 += carry5;
1092 h5 -= carry5 << 25;
1093 carry2 = (h2 + (int64_t) (1 << 25)) >> 26;
1094 h3 += carry2;
1095 h2 -= carry2 << 26;
1096 carry6 = (h6 + (int64_t) (1 << 25)) >> 26;
1097 h7 += carry6;
1098 h6 -= carry6 << 26;
1099 carry3 = (h3 + (int64_t) (1 << 24)) >> 25;
1100 h4 += carry3;
1101 h3 -= carry3 << 25;
1102 carry7 = (h7 + (int64_t) (1 << 24)) >> 25;
1103 h8 += carry7;
1104 h7 -= carry7 << 25;
1105 carry4 = (h4 + (int64_t) (1 << 25)) >> 26;
1106 h5 += carry4;
1107 h4 -= carry4 << 26;
1108 carry8 = (h8 + (int64_t) (1 << 25)) >> 26;
1109 h9 += carry8;
1110 h8 -= carry8 << 26;
1111 carry9 = (h9 + (int64_t) (1 << 24)) >> 25;
1112 h0 += carry9 * 19;
1113 h9 -= carry9 << 25;
1114 carry0 = (h0 + (int64_t) (1 << 25)) >> 26;
1115 h1 += carry0;
1116 h0 -= carry0 << 26;
1117 h[0] = (int32_t) h0;
1118 h[1] = (int32_t) h1;
1119 h[2] = (int32_t) h2;
1120 h[3] = (int32_t) h3;
1121 h[4] = (int32_t) h4;
1122 h[5] = (int32_t) h5;
1123 h[6] = (int32_t) h6;
1124 h[7] = (int32_t) h7;
1125 h[8] = (int32_t) h8;
1126 h[9] = (int32_t) h9;
1127}
1128
1129
1130/*
1131h = 2 * f * f
1132Can overlap h with f.
1133
1134Preconditions:
1135 |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc.
1136
1137Postconditions:
1138 |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc.
1139*/
1140
1141/*
1142See fe_mul.c for discussion of implementation strategy.
1143*/
1144
1145void fe_sq2(fe h, const fe f) {
1146 int32_t f0 = f[0];
1147 int32_t f1 = f[1];
1148 int32_t f2 = f[2];
1149 int32_t f3 = f[3];
1150 int32_t f4 = f[4];
1151 int32_t f5 = f[5];
1152 int32_t f6 = f[6];
1153 int32_t f7 = f[7];
1154 int32_t f8 = f[8];
1155 int32_t f9 = f[9];
1156 int32_t f0_2 = 2 * f0;
1157 int32_t f1_2 = 2 * f1;
1158 int32_t f2_2 = 2 * f2;
1159 int32_t f3_2 = 2 * f3;
1160 int32_t f4_2 = 2 * f4;
1161 int32_t f5_2 = 2 * f5;
1162 int32_t f6_2 = 2 * f6;
1163 int32_t f7_2 = 2 * f7;
1164 int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */
1165 int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */
1166 int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */
1167 int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */
1168 int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */
1169 int64_t f0f0 = f0 * (int64_t) f0;
1170 int64_t f0f1_2 = f0_2 * (int64_t) f1;
1171 int64_t f0f2_2 = f0_2 * (int64_t) f2;
1172 int64_t f0f3_2 = f0_2 * (int64_t) f3;
1173 int64_t f0f4_2 = f0_2 * (int64_t) f4;
1174 int64_t f0f5_2 = f0_2 * (int64_t) f5;
1175 int64_t f0f6_2 = f0_2 * (int64_t) f6;
1176 int64_t f0f7_2 = f0_2 * (int64_t) f7;
1177 int64_t f0f8_2 = f0_2 * (int64_t) f8;
1178 int64_t f0f9_2 = f0_2 * (int64_t) f9;
1179 int64_t f1f1_2 = f1_2 * (int64_t) f1;
1180 int64_t f1f2_2 = f1_2 * (int64_t) f2;
1181 int64_t f1f3_4 = f1_2 * (int64_t) f3_2;
1182 int64_t f1f4_2 = f1_2 * (int64_t) f4;
1183 int64_t f1f5_4 = f1_2 * (int64_t) f5_2;
1184 int64_t f1f6_2 = f1_2 * (int64_t) f6;
1185 int64_t f1f7_4 = f1_2 * (int64_t) f7_2;
1186 int64_t f1f8_2 = f1_2 * (int64_t) f8;
1187 int64_t f1f9_76 = f1_2 * (int64_t) f9_38;
1188 int64_t f2f2 = f2 * (int64_t) f2;
1189 int64_t f2f3_2 = f2_2 * (int64_t) f3;
1190 int64_t f2f4_2 = f2_2 * (int64_t) f4;
1191 int64_t f2f5_2 = f2_2 * (int64_t) f5;
1192 int64_t f2f6_2 = f2_2 * (int64_t) f6;
1193 int64_t f2f7_2 = f2_2 * (int64_t) f7;
1194 int64_t f2f8_38 = f2_2 * (int64_t) f8_19;
1195 int64_t f2f9_38 = f2 * (int64_t) f9_38;
1196 int64_t f3f3_2 = f3_2 * (int64_t) f3;
1197 int64_t f3f4_2 = f3_2 * (int64_t) f4;
1198 int64_t f3f5_4 = f3_2 * (int64_t) f5_2;
1199 int64_t f3f6_2 = f3_2 * (int64_t) f6;
1200 int64_t f3f7_76 = f3_2 * (int64_t) f7_38;
1201 int64_t f3f8_38 = f3_2 * (int64_t) f8_19;
1202 int64_t f3f9_76 = f3_2 * (int64_t) f9_38;
1203 int64_t f4f4 = f4 * (int64_t) f4;
1204 int64_t f4f5_2 = f4_2 * (int64_t) f5;
1205 int64_t f4f6_38 = f4_2 * (int64_t) f6_19;
1206 int64_t f4f7_38 = f4 * (int64_t) f7_38;
1207 int64_t f4f8_38 = f4_2 * (int64_t) f8_19;
1208 int64_t f4f9_38 = f4 * (int64_t) f9_38;
1209 int64_t f5f5_38 = f5 * (int64_t) f5_38;
1210 int64_t f5f6_38 = f5_2 * (int64_t) f6_19;
1211 int64_t f5f7_76 = f5_2 * (int64_t) f7_38;
1212 int64_t f5f8_38 = f5_2 * (int64_t) f8_19;
1213 int64_t f5f9_76 = f5_2 * (int64_t) f9_38;
1214 int64_t f6f6_19 = f6 * (int64_t) f6_19;
1215 int64_t f6f7_38 = f6 * (int64_t) f7_38;
1216 int64_t f6f8_38 = f6_2 * (int64_t) f8_19;
1217 int64_t f6f9_38 = f6 * (int64_t) f9_38;
1218 int64_t f7f7_38 = f7 * (int64_t) f7_38;
1219 int64_t f7f8_38 = f7_2 * (int64_t) f8_19;
1220 int64_t f7f9_76 = f7_2 * (int64_t) f9_38;
1221 int64_t f8f8_19 = f8 * (int64_t) f8_19;
1222 int64_t f8f9_38 = f8 * (int64_t) f9_38;
1223 int64_t f9f9_38 = f9 * (int64_t) f9_38;
1224 int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38;
1225 int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38;
1226 int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19;
1227 int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38;
1228 int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38;
1229 int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38;
1230 int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19;
1231 int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38;
1232 int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38;
1233 int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2;
1234 int64_t carry0;
1235 int64_t carry1;
1236 int64_t carry2;
1237 int64_t carry3;
1238 int64_t carry4;
1239 int64_t carry5;
1240 int64_t carry6;
1241 int64_t carry7;
1242 int64_t carry8;
1243 int64_t carry9;
1244 h0 += h0;
1245 h1 += h1;
1246 h2 += h2;
1247 h3 += h3;
1248 h4 += h4;
1249 h5 += h5;
1250 h6 += h6;
1251 h7 += h7;
1252 h8 += h8;
1253 h9 += h9;
1254 carry0 = (h0 + (int64_t) (1 << 25)) >> 26;
1255 h1 += carry0;
1256 h0 -= carry0 << 26;
1257 carry4 = (h4 + (int64_t) (1 << 25)) >> 26;
1258 h5 += carry4;
1259 h4 -= carry4 << 26;
1260 carry1 = (h1 + (int64_t) (1 << 24)) >> 25;
1261 h2 += carry1;
1262 h1 -= carry1 << 25;
1263 carry5 = (h5 + (int64_t) (1 << 24)) >> 25;
1264 h6 += carry5;
1265 h5 -= carry5 << 25;
1266 carry2 = (h2 + (int64_t) (1 << 25)) >> 26;
1267 h3 += carry2;
1268 h2 -= carry2 << 26;
1269 carry6 = (h6 + (int64_t) (1 << 25)) >> 26;
1270 h7 += carry6;
1271 h6 -= carry6 << 26;
1272 carry3 = (h3 + (int64_t) (1 << 24)) >> 25;
1273 h4 += carry3;
1274 h3 -= carry3 << 25;
1275 carry7 = (h7 + (int64_t) (1 << 24)) >> 25;
1276 h8 += carry7;
1277 h7 -= carry7 << 25;
1278 carry4 = (h4 + (int64_t) (1 << 25)) >> 26;
1279 h5 += carry4;
1280 h4 -= carry4 << 26;
1281 carry8 = (h8 + (int64_t) (1 << 25)) >> 26;
1282 h9 += carry8;
1283 h8 -= carry8 << 26;
1284 carry9 = (h9 + (int64_t) (1 << 24)) >> 25;
1285 h0 += carry9 * 19;
1286 h9 -= carry9 << 25;
1287 carry0 = (h0 + (int64_t) (1 << 25)) >> 26;
1288 h1 += carry0;
1289 h0 -= carry0 << 26;
1290 h[0] = (int32_t) h0;
1291 h[1] = (int32_t) h1;
1292 h[2] = (int32_t) h2;
1293 h[3] = (int32_t) h3;
1294 h[4] = (int32_t) h4;
1295 h[5] = (int32_t) h5;
1296 h[6] = (int32_t) h6;
1297 h[7] = (int32_t) h7;
1298 h[8] = (int32_t) h8;
1299 h[9] = (int32_t) h9;
1300}
1301
1302
1303/*
1304h = f - g
1305Can overlap h with f or g.
1306
1307Preconditions:
1308 |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
1309 |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
1310
1311Postconditions:
1312 |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
1313*/
1314
1315void fe_sub(fe h, const fe f, const fe g) {
1316 int32_t f0 = f[0];
1317 int32_t f1 = f[1];
1318 int32_t f2 = f[2];
1319 int32_t f3 = f[3];
1320 int32_t f4 = f[4];
1321 int32_t f5 = f[5];
1322 int32_t f6 = f[6];
1323 int32_t f7 = f[7];
1324 int32_t f8 = f[8];
1325 int32_t f9 = f[9];
1326 int32_t g0 = g[0];
1327 int32_t g1 = g[1];
1328 int32_t g2 = g[2];
1329 int32_t g3 = g[3];
1330 int32_t g4 = g[4];
1331 int32_t g5 = g[5];
1332 int32_t g6 = g[6];
1333 int32_t g7 = g[7];
1334 int32_t g8 = g[8];
1335 int32_t g9 = g[9];
1336 int32_t h0 = f0 - g0;
1337 int32_t h1 = f1 - g1;
1338 int32_t h2 = f2 - g2;
1339 int32_t h3 = f3 - g3;
1340 int32_t h4 = f4 - g4;
1341 int32_t h5 = f5 - g5;
1342 int32_t h6 = f6 - g6;
1343 int32_t h7 = f7 - g7;
1344 int32_t h8 = f8 - g8;
1345 int32_t h9 = f9 - g9;
1346
1347 h[0] = h0;
1348 h[1] = h1;
1349 h[2] = h2;
1350 h[3] = h3;
1351 h[4] = h4;
1352 h[5] = h5;
1353 h[6] = h6;
1354 h[7] = h7;
1355 h[8] = h8;
1356 h[9] = h9;
1357}
1358
1359
1360
1361/*
1362Preconditions:
1363 |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
1364
1365Write p=2^255-19; q=floor(h/p).
1366Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))).
1367
1368Proof:
1369 Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4.
1370 Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4.
1371
1372 Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9).
1373 Then 0<y<1.
1374
1375 Write r=h-pq.
1376 Have 0<=r<=p-1=2^255-20.
1377 Thus 0<=r+19(2^-255)r<r+19(2^-255)2^255<=2^255-1.
1378
1379 Write x=r+19(2^-255)r+y.
1380 Then 0<x<2^255 so floor(2^(-255)x) = 0 so floor(q+2^(-255)x) = q.
1381
1382 Have q+2^(-255)x = 2^(-255)(h + 19 2^(-25) h9 + 2^(-1))
1383 so floor(2^(-255)(h + 19 2^(-25) h9 + 2^(-1))) = q.
1384*/
1385
1386void fe_tobytes(unsigned char *s, const fe h) {
1387 int32_t h0 = h[0];
1388 int32_t h1 = h[1];
1389 int32_t h2 = h[2];
1390 int32_t h3 = h[3];
1391 int32_t h4 = h[4];
1392 int32_t h5 = h[5];
1393 int32_t h6 = h[6];
1394 int32_t h7 = h[7];
1395 int32_t h8 = h[8];
1396 int32_t h9 = h[9];
1397 int32_t q;
1398 int32_t carry0;
1399 int32_t carry1;
1400 int32_t carry2;
1401 int32_t carry3;
1402 int32_t carry4;
1403 int32_t carry5;
1404 int32_t carry6;
1405 int32_t carry7;
1406 int32_t carry8;
1407 int32_t carry9;
1408 q = (19 * h9 + (((int32_t) 1) << 24)) >> 25;
1409 q = (h0 + q) >> 26;
1410 q = (h1 + q) >> 25;
1411 q = (h2 + q) >> 26;
1412 q = (h3 + q) >> 25;
1413 q = (h4 + q) >> 26;
1414 q = (h5 + q) >> 25;
1415 q = (h6 + q) >> 26;
1416 q = (h7 + q) >> 25;
1417 q = (h8 + q) >> 26;
1418 q = (h9 + q) >> 25;
1419 /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */
1420 h0 += 19 * q;
1421 /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */
1422 carry0 = h0 >> 26;
1423 h1 += carry0;
1424 h0 -= carry0 << 26;
1425 carry1 = h1 >> 25;
1426 h2 += carry1;
1427 h1 -= carry1 << 25;
1428 carry2 = h2 >> 26;
1429 h3 += carry2;
1430 h2 -= carry2 << 26;
1431 carry3 = h3 >> 25;
1432 h4 += carry3;
1433 h3 -= carry3 << 25;
1434 carry4 = h4 >> 26;
1435 h5 += carry4;
1436 h4 -= carry4 << 26;
1437 carry5 = h5 >> 25;
1438 h6 += carry5;
1439 h5 -= carry5 << 25;
1440 carry6 = h6 >> 26;
1441 h7 += carry6;
1442 h6 -= carry6 << 26;
1443 carry7 = h7 >> 25;
1444 h8 += carry7;
1445 h7 -= carry7 << 25;
1446 carry8 = h8 >> 26;
1447 h9 += carry8;
1448 h8 -= carry8 << 26;
1449 carry9 = h9 >> 25;
1450 h9 -= carry9 << 25;
1451
1452 /* h10 = carry9 */
1453 /*
1454 Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20.
1455 Have h0+...+2^230 h9 between 0 and 2^255-1;
1456 evidently 2^255 h10-2^255 q = 0.
1457 Goal: Output h0+...+2^230 h9.
1458 */
1459 s[0] = (unsigned char) (h0 >> 0);
1460 s[1] = (unsigned char) (h0 >> 8);
1461 s[2] = (unsigned char) (h0 >> 16);
1462 s[3] = (unsigned char) ((h0 >> 24) | (h1 << 2));
1463 s[4] = (unsigned char) (h1 >> 6);
1464 s[5] = (unsigned char) (h1 >> 14);
1465 s[6] = (unsigned char) ((h1 >> 22) | (h2 << 3));
1466 s[7] = (unsigned char) (h2 >> 5);
1467 s[8] = (unsigned char) (h2 >> 13);
1468 s[9] = (unsigned char) ((h2 >> 21) | (h3 << 5));
1469 s[10] = (unsigned char) (h3 >> 3);
1470 s[11] = (unsigned char) (h3 >> 11);
1471 s[12] = (unsigned char) ((h3 >> 19) | (h4 << 6));
1472 s[13] = (unsigned char) (h4 >> 2);
1473 s[14] = (unsigned char) (h4 >> 10);
1474 s[15] = (unsigned char) (h4 >> 18);
1475 s[16] = (unsigned char) (h5 >> 0);
1476 s[17] = (unsigned char) (h5 >> 8);
1477 s[18] = (unsigned char) (h5 >> 16);
1478 s[19] = (unsigned char) ((h5 >> 24) | (h6 << 1));
1479 s[20] = (unsigned char) (h6 >> 7);
1480 s[21] = (unsigned char) (h6 >> 15);
1481 s[22] = (unsigned char) ((h6 >> 23) | (h7 << 3));
1482 s[23] = (unsigned char) (h7 >> 5);
1483 s[24] = (unsigned char) (h7 >> 13);
1484 s[25] = (unsigned char) ((h7 >> 21) | (h8 << 4));
1485 s[26] = (unsigned char) (h8 >> 4);
1486 s[27] = (unsigned char) (h8 >> 12);
1487 s[28] = (unsigned char) ((h8 >> 20) | (h9 << 6));
1488 s[29] = (unsigned char) (h9 >> 2);
1489 s[30] = (unsigned char) (h9 >> 10);
1490 s[31] = (unsigned char) (h9 >> 18);
1491}
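--- /dev/null
+++ b/3rd_party/ed25519/fe.h
@@ -0,0 +1,41 @@
+#ifndef FE_H
+#define FE_H
+
+#include "fixedint.h"
+
+
+/*
+ fe means field element.
+ Here the field is \Z/(2^255-19).
+ An element t, entries t[0]...t[9], represents the integer
+ t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9].
+ Bounds on each t[i] vary depending on context.
+*/
+
+
+typedef int32_t fe[10];
+
+
+void fe_0(fe h);
+void fe_1(fe h);
+
+void fe_frombytes(fe h, const unsigned char *s);
+void fe_tobytes(unsigned char *s, const fe h);
+
+void fe_copy(fe h, const fe f);
+int fe_isnegative(const fe f);
+int fe_isnonzero(const fe f);
+void fe_cmov(fe f, const fe g, unsigned int b);
+void fe_cswap(fe f, fe g, unsigned int b);
+
+void fe_neg(fe h, const fe f);
+void fe_add(fe h, const fe f, const fe g);
+void fe_invert(fe out, const fe z);
+void fe_sq(fe h, const fe f);
+void fe_sq2(fe h, const fe f);
+void fe_mul(fe h, const fe f, const fe g);
+void fe_mul121666(fe h, fe f);
+void fe_pow22523(fe out, const fe z);
+void fe_sub(fe h, const fe f, const fe g);
+
+#endif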
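--- /dev/null
+++ b/3rd_party/ed25519/fixedint.h
@@ -0,0 +1,72 @@
+/*
+ Portable header to provide the 32 and 64 bits type.
+
+ Not a compatible replacement for <stdint.h>, do not blindly use it as such.
+*/
+
+#if ((defined(__STDC__) && __STDC__ && __STDC_VERSION__ >= 199901L) || (defined(__WATCOMC__) && (defined(_STDINT_H_INCLUDED) || __WATCOMC__ >= 1250)) || (defined(__GNUC__) && (defined(_STDINT_H) || defined(_STDINT_H_) || defined(__UINT_FAST64_TYPE__)) )) && !defined(FIXEDINT_H_INCLUDED)
+ #include <stdint.h>
+ #define FIXEDINT_H_INCLUDED
+
+ #if defined(__WATCOMC__) && __WATCOMC__ >= 1250 && !defined(UINT64_C)
+ #include <limits.h>
+ #define UINT64_C(x) (x + (UINT64_MAX - UINT64_MAX))
+ #endif
+#endif
+
+
+#ifndef FIXEDINT_H_INCLUDED
+ #define FIXEDINT_H_INCLUDED
+
+ #include <limits.h>
+
+ /* (u)int32_t */
+ #ifndef uint32_t
+ #if (ULONG_MAX == 0xffffffffUL)
+ typedef unsigned long uint32_t;
+ #elif (UINT_MAX == 0xffffffffUL)
+ typedef unsigned int uint32_t;
+ #elif (USHRT_MAX == 0xffffffffUL)
+ typedef unsigned short uint32_t;
+ #endif
+ #endif
+
+
+ #ifndef int32_t
+ #if (LONG_MAX == 0x7fffffffL)
+ typedef signed long int32_t;
+ #elif (INT_MAX == 0x7fffffffL)
+ typedef signed int int32_t;
+ #elif (SHRT_MAX == 0x7fffffffL)
+ typedef signed short int32_t;
+ #endif
+ #endif
+
+
+ /* (u)int64_t */
+ #if (defined(__STDC__) && defined(__STDC_VERSION__) && __STDC__ && __STDC_VERSION__ >= 199901L)
+ typedef long long int64_t;
+ typedef unsigned long long uint64_t;
+
+ #define UINT64_C(v) v ##ULL
+ #define INT64_C(v) v ##LL
+ #elif defined(__GNUC__)
+ __extension__ typedef long long int64_t;
+ __extension__ typedef unsigned long long uint64_t;
+
+ #define UINT64_C(v) v ##ULL
+ #define INT64_C(v) v ##LL
+ #elif defined(__MWERKS__) || defined(__SUNPRO_C) || defined(__SUNPRO_CC) || defined(__APPLE_CC__) || defined(_LONG_LONG) || defined(_CRAYC)
+ typedef long long int64_t;
+ typedef unsigned long long uint64_t;
+
+ #define UINT64_C(v) v ##ULL
+ #define INT64_C(v) v ##LL
+ #elif (defined(__WATCOMC__) && defined(__WATCOM_INT64__)) || (defined(_MSC_VER) && _INTEGRAL_MAX_BITS >= 64) || (defined(__BORLANDC__) && __BORLANDC__ > 0x460) || defined(__alpha) || defined(__DECC)
+ typedef __int64 int64_t;
+ typedef unsigned __int64 uint64_t;
+
+ #define UINT64_C(v) v ##UI64
+ #define INT64_C(v) v ##I64
+ #endif
+#endif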
diff --git a/3rd_party/ed25519/ge.c b/3rd_party/ed25519/ge.c
new file mode 100644
index 0000000..87c691b
--- /dev/null
+++ b/3rd_party/ed25519/ge.c
@@ -0,0 +1,467 @@
1#include "ge.h"
2#include "precomp_data.h"
3
4
5/*
6r = p + q
7*/
8
9void ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
10 fe t0;
11 fe_add(r->X, p->Y, p->X);
12 fe_sub(r->Y, p->Y, p->X);
13 fe_mul(r->Z, r->X, q->YplusX);
14 fe_mul(r->Y, r->Y, q->YminusX);
15 fe_mul(r->T, q->T2d, p->T);
16 fe_mul(r->X, p->Z, q->Z);
17 fe_add(t0, r->X, r->X);
18 fe_sub(r->X, r->Z, r->Y);
19 fe_add(r->Y, r->Z, r->Y);
20 fe_add(r->Z, t0, r->T);
21 fe_sub(r->T, t0, r->T);
22}
23
24
25static void slide(signed char *r, const unsigned char *a) {
26 int i;
27 int b;
28 int k;
29
30 for (i = 0; i < 256; ++i) {
31 r[i] = 1 & (a[i >> 3] >> (i & 7));
32 }
33
34 for (i = 0; i < 256; ++i)
35 if (r[i]) {
36 for (b = 1; b <= 6 && i + b < 256; ++b) {
37 if (r[i + b]) {
38 if (r[i] + (r[i + b] << b) <= 15) {
39 r[i] += r[i + b] << b;
40 r[i + b] = 0;
41 } else if (r[i] - (r[i + b] << b) >= -15) {
42 r[i] -= r[i + b] << b;
43
44 for (k = i + b; k < 256; ++k) {
45 if (!r[k]) {
46 r[k] = 1;
47 break;
48 }
49
50 r[k] = 0;
51 }
52 } else {
53 break;
54 }
55 }
56 }
57 }
58}
59
60/*
61r = a * A + b * B
62where a = a[0]+256*a[1]+...+256^31 a[31].
63and b = b[0]+256*b[1]+...+256^31 b[31].
64B is the Ed25519 base point (x,4/5) with x positive.
65*/
66
67void ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a, const ge_p3 *A, const unsigned char *b) {
68 signed char aslide[256];
69 signed char bslide[256];
70 ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */
71 ge_p1p1 t;
72 ge_p3 u;
73 ge_p3 A2;
74 int i;
75 slide(aslide, a);
76 slide(bslide, b);
77 ge_p3_to_cached(&Ai[0], A);
78 ge_p3_dbl(&t, A);
79 ge_p1p1_to_p3(&A2, &t);
80 ge_add(&t, &A2, &Ai[0]);
81 ge_p1p1_to_p3(&u, &t);
82 ge_p3_to_cached(&Ai[1], &u);
83 ge_add(&t, &A2, &Ai[1]);
84 ge_p1p1_to_p3(&u, &t);
85 ge_p3_to_cached(&Ai[2], &u);
86 ge_add(&t, &A2, &Ai[2]);
87 ge_p1p1_to_p3(&u, &t);
88 ge_p3_to_cached(&Ai[3], &u);
89 ge_add(&t, &A2, &Ai[3]);
90 ge_p1p1_to_p3(&u, &t);
91 ge_p3_to_cached(&Ai[4], &u);
92 ge_add(&t, &A2, &Ai[4]);
93 ge_p1p1_to_p3(&u, &t);
94 ge_p3_to_cached(&Ai[5], &u);
95 ge_add(&t, &A2, &Ai[5]);
96 ge_p1p1_to_p3(&u, &t);
97 ge_p3_to_cached(&Ai[6], &u);
98 ge_add(&t, &A2, &Ai[6]);
99 ge_p1p1_to_p3(&u, &t);
100 ge_p3_to_cached(&Ai[7], &u);
101 ge_p2_0(r);
102
103 for (i = 255; i >= 0; --i) {
104 if (aslide[i] || bslide[i]) {
105 break;
106 }
107 }
108
109 for (; i >= 0; --i) {
110 ge_p2_dbl(&t, r);
111
112 if (aslide[i] > 0) {
113 ge_p1p1_to_p3(&u, &t);
114 ge_add(&t, &u, &Ai[aslide[i] / 2]);
115 } else if (aslide[i] < 0) {
116 ge_p1p1_to_p3(&u, &t);
117 ge_sub(&t, &u, &Ai[(-aslide[i]) / 2]);
118 }
119
120 if (bslide[i] > 0) {
121 ge_p1p1_to_p3(&u, &t);
122 ge_madd(&t, &u, &Bi[bslide[i] / 2]);
123 } else if (bslide[i] < 0) {
124 ge_p1p1_to_p3(&u, &t);
125 ge_msub(&t, &u, &Bi[(-bslide[i]) / 2]);
126 }
127
128 ge_p1p1_to_p2(r, &t);
129 }
130}
131
132
133static const fe d = {
134 -10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116
135};
136
137static const fe sqrtm1 = {
138 -32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482
139};
140
141int ge_frombytes_negate_vartime(ge_p3 *h, const unsigned char *s) {
142 fe u;
143 fe v;
144 fe v3;
145 fe vxx;
146 fe check;
147 fe_frombytes(h->Y, s);
148 fe_1(h->Z);
149 fe_sq(u, h->Y);
150 fe_mul(v, u, d);
151 fe_sub(u, u, h->Z); /* u = y^2-1 */
152 fe_add(v, v, h->Z); /* v = dy^2+1 */
153 fe_sq(v3, v);
154 fe_mul(v3, v3, v); /* v3 = v^3 */
155 fe_sq(h->X, v3);
156 fe_mul(h->X, h->X, v);
157 fe_mul(h->X, h->X, u); /* x = uv^7 */
158 fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */
159 fe_mul(h->X, h->X, v3);
160 fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */
161 fe_sq(vxx, h->X);
162 fe_mul(vxx, vxx, v);
163 fe_sub(check, vxx, u); /* vx^2-u */
164
165 if (fe_isnonzero(check)) {
166 fe_add(check, vxx, u); /* vx^2+u */
167
168 if (fe_isnonzero(check)) {
169 return -1;
170 }
171
172 fe_mul(h->X, h->X, sqrtm1);
173 }
174
175 if (fe_isnegative(h->X) == (s[31] >> 7)) {
176 fe_neg(h->X, h->X);
177 }
178
179 fe_mul(h->T, h->X, h->Y);
180 return 0;
181}
182
183
184/*
185r = p + q
186*/
187
188void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
189 fe t0;
190 fe_add(r->X, p->Y, p->X);
191 fe_sub(r->Y, p->Y, p->X);
192 fe_mul(r->Z, r->X, q->yplusx);
193 fe_mul(r->Y, r->Y, q->yminusx);
194 fe_mul(r->T, q->xy2d, p->T);
195 fe_add(t0, p->Z, p->Z);
196 fe_sub(r->X, r->Z, r->Y);
197 fe_add(r->Y, r->Z, r->Y);
198 fe_add(r->Z, t0, r->T);
199 fe_sub(r->T, t0, r->T);
200}
201
202
203/*
204r = p - q
205*/
206
207void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) {
208 fe t0;
209
210 fe_add(r->X, p->Y, p->X);
211 fe_sub(r->Y, p->Y, p->X);
212 fe_mul(r->Z, r->X, q->yminusx);
213 fe_mul(r->Y, r->Y, q->yplusx);
214 fe_mul(r->T, q->xy2d, p->T);
215 fe_add(t0, p->Z, p->Z);
216 fe_sub(r->X, r->Z, r->Y);
217 fe_add(r->Y, r->Z, r->Y);
218 fe_sub(r->Z, t0, r->T);
219 fe_add(r->T, t0, r->T);
220}
221
222
223/*
224r = p
225*/
226
227void ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p) {
228 fe_mul(r->X, p->X, p->T);
229 fe_mul(r->Y, p->Y, p->Z);
230 fe_mul(r->Z, p->Z, p->T);
231}
232
233
234
235/*
236r = p
237*/
238
239void ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p) {
240 fe_mul(r->X, p->X, p->T);
241 fe_mul(r->Y, p->Y, p->Z);
242 fe_mul(r->Z, p->Z, p->T);
243 fe_mul(r->T, p->X, p->Y);
244}
245
246
247void ge_p2_0(ge_p2 *h) {
248 fe_0(h->X);
249 fe_1(h->Y);
250 fe_1(h->Z);
251}
252
253
254
255/*
256r = 2 * p
257*/
258
259void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p) {
260 fe t0;
261
262 fe_sq(r->X, p->X);
263 fe_sq(r->Z, p->Y);
264 fe_sq2(r->T, p->Z);
265 fe_add(r->Y, p->X, p->Y);
266 fe_sq(t0, r->Y);
267 fe_add(r->Y, r->Z, r->X);
268 fe_sub(r->Z, r->Z, r->X);
269 fe_sub(r->X, t0, r->Y);
270 fe_sub(r->T, r->T, r->Z);
271}
272
273
274void ge_p3_0(ge_p3 *h) {
275 fe_0(h->X);
276 fe_1(h->Y);
277 fe_1(h->Z);
278 fe_0(h->T);
279}
280
281
282/*
283r = 2 * p
284*/
285
286void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p) {
287 ge_p2 q;
288 ge_p3_to_p2(&q, p);
289 ge_p2_dbl(r, &q);
290}
291
292
293
294/*
295r = p
296*/
297
298static const fe d2 = {
299 -21827239, -5839606, -30745221, 13898782, 229458, 15978800, -12551817, -6495438, 29715968, 9444199
300};
301
302void ge_p3_to_cached(ge_cached *r, const ge_p3 *p) {
303 fe_add(r->YplusX, p->Y, p->X);
304 fe_sub(r->YminusX, p->Y, p->X);
305 fe_copy(r->Z, p->Z);
306 fe_mul(r->T2d, p->T, d2);
307}
308
309
310/*
311r = p
312*/
313
314void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) {
315 fe_copy(r->X, p->X);
316 fe_copy(r->Y, p->Y);
317 fe_copy(r->Z, p->Z);
318}
319
320
321void ge_p3_tobytes(unsigned char *s, const ge_p3 *h) {
322 fe recip;
323 fe x;
324 fe y;
325 fe_invert(recip, h->Z);
326 fe_mul(x, h->X, recip);
327 fe_mul(y, h->Y, recip);
328 fe_tobytes(s, y);
329 s[31] ^= fe_isnegative(x) << 7;
330}
331
332
333static unsigned char equal(signed char b, signed char c) {
334 unsigned char ub = b;
335 unsigned char uc = c;
336 unsigned char x = ub ^ uc; /* 0: yes; 1..255: no */
337 uint64_t y = x; /* 0: yes; 1..255: no */
338 y -= 1; /* large: yes; 0..254: no */
339 y >>= 63; /* 1: yes; 0: no */
340 return (unsigned char) y;
341}
342
343static unsigned char negative(signed char b) {
344 uint64_t x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */
345 x >>= 63; /* 1: yes; 0: no */
346 return (unsigned char) x;
347}
348
349static void cmov(ge_precomp *t, const ge_precomp *u, unsigned char b) {
350 fe_cmov(t->yplusx, u->yplusx, b);
351 fe_cmov(t->yminusx, u->yminusx, b);
352 fe_cmov(t->xy2d, u->xy2d, b);
353}
354
355
356static void select(ge_precomp *t, int pos, signed char b) {
357 ge_precomp minust;
358 unsigned char bnegative = negative(b);
359 unsigned char babs = b - (((-bnegative) & b) << 1);
360 fe_1(t->yplusx);
361 fe_1(t->yminusx);
362 fe_0(t->xy2d);
363 cmov(t, &base[pos][0], equal(babs, 1));
364 cmov(t, &base[pos][1], equal(babs, 2));
365 cmov(t, &base[pos][2], equal(babs, 3));
366 cmov(t, &base[pos][3], equal(babs, 4));
367 cmov(t, &base[pos][4], equal(babs, 5));
368 cmov(t, &base[pos][5], equal(babs, 6));
369 cmov(t, &base[pos][6], equal(babs, 7));
370 cmov(t, &base[pos][7], equal(babs, 8));
371 fe_copy(minust.yplusx, t->yminusx);
372 fe_copy(minust.yminusx, t->yplusx);
373 fe_neg(minust.xy2d, t->xy2d);
374 cmov(t, &minust, bnegative);
375}
376
377/*
378h = a * B
379where a = a[0]+256*a[1]+...+256^31 a[31]
380B is the Ed25519 base point (x,4/5) with x positive.
381
382Preconditions:
383 a[31] <= 127
384*/
385
386void ge_scalarmult_base(ge_p3 *h, const unsigned char *a) {
387 signed char e[64];
388 signed char carry;
389 ge_p1p1 r;
390 ge_p2 s;
391 ge_precomp t;
392 int i;
393
394 for (i = 0; i < 32; ++i) {
395 e[2 * i + 0] = (a[i] >> 0) & 15;
396 e[2 * i + 1] = (a[i] >> 4) & 15;
397 }
398
399 /* each e[i] is between 0 and 15 */
400 /* e[63] is between 0 and 7 */
401 carry = 0;
402
403 for (i = 0; i < 63; ++i) {
404 e[i] += carry;
405 carry = e[i] + 8;
406 carry >>= 4;
407 e[i] -= carry << 4;
408 }
409
410 e[63] += carry;
411 /* each e[i] is between -8 and 8 */
412 ge_p3_0(h);
413
414 for (i = 1; i < 64; i += 2) {
415 select(&t, i / 2, e[i]);
416 ge_madd(&r, h, &t);
417 ge_p1p1_to_p3(h, &r);
418 }
419
420 ge_p3_dbl(&r, h);
421 ge_p1p1_to_p2(&s, &r);
422 ge_p2_dbl(&r, &s);
423 ge_p1p1_to_p2(&s, &r);
424 ge_p2_dbl(&r, &s);
425 ge_p1p1_to_p2(&s, &r);
426 ge_p2_dbl(&r, &s);
427 ge_p1p1_to_p3(h, &r);
428
429 for (i = 0; i < 64; i += 2) {
430 select(&t, i / 2, e[i]);
431 ge_madd(&r, h, &t);
432 ge_p1p1_to_p3(h, &r);
433 }
434}
435
436
437/*
438r = p - q
439*/
440
441void ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) {
442 fe t0;
443
444 fe_add(r->X, p->Y, p->X);
445 fe_sub(r->Y, p->Y, p->X);
446 fe_mul(r->Z, r->X, q->YminusX);
447 fe_mul(r->Y, r->Y, q->YplusX);
448 fe_mul(r->T, q->T2d, p->T);
449 fe_mul(r->X, p->Z, q->Z);
450 fe_add(t0, r->X, r->X);
451 fe_sub(r->X, r->Z, r->Y);
452 fe_add(r->Y, r->Z, r->Y);
453 fe_sub(r->Z, t0, r->T);
454 fe_add(r->T, t0, r->T);
455}
456
457
458void ge_tobytes(unsigned char *s, const ge_p2 *h) {
459 fe recip;
460 fe x;
461 fe y;
462 fe_invert(recip, h->Z);
463 fe_mul(x, h->X, recip);
464 fe_mul(y, h->Y, recip);
465 fe_tobytes(s, y);
466 s[31] ^= fe_isnegative(x) << 7;
467}
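diff --git a/3rd_party/ed25519/ge.h b/3rd_party/ed25519/ge.h
new file mode 100644
index 0000000..17fde2d
--- /dev/null
+++ b/3rd_party/ed25519/ge.h
@@ -0,0 +1,74 @@
+#ifndef GE_H
+#define GE_H
+
+#include "fe.h"
+
+
+/*
+ge means group element.
+
+Here the group is the set of pairs (x,y) of field elements (see fe.h)
+satisfying -x^2 + y^2 = 1 + d x^2y^2
+where d = -121665/121666.
+
+Representations:
+  ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z
+  ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
+  ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
+  ge_precomp (Duif): (y+x,y-x,2dxy)
+*/
+
+typedef struct {
+    fe X;
+    fe Y;
+    fe Z;
+} ge_p2;
+
+typedef struct {
+    fe X;
+    fe Y;
+    fe Z;
+    fe T;
+} ge_p3;
+
+typedef struct {
+    fe X;
+    fe Y;
+    fe Z;
+    fe T;
+} ge_p1p1;
+
+typedef struct {
+    fe yplusx;
+    fe yminusx;
+    fe xy2d;
+} ge_precomp;
+
+typedef struct {
+    fe YplusX;
+    fe YminusX;
+    fe Z;
+    fe T2d;
+} ge_cached;
+
+void ge_p3_tobytes(unsigned char *s, const ge_p3 *h);
+void ge_tobytes(unsigned char *s, const ge_p2 *h);
+int ge_frombytes_negate_vartime(ge_p3 *h, const unsigned char *s);
+
+void ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q);
+void ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q);
+void ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a, const ge_p3 *A, const unsigned char *b);
+void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q);
+void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q);
+void ge_scalarmult_base(ge_p3 *h, const unsigned char *a);
+
+void ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p);
+void ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p);
+void ge_p2_0(ge_p2 *h);
+void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p);
+void ge_p3_0(ge_p3 *h);
+void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p);
+void ge_p3_to_cached(ge_cached *r, const ge_p3 *p);
+void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p);
+
+#endif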
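Review bot: The prototype of `ge_frombytes_negate_vartime` on line 56 carries no contract, and this is the one decoder untrusted bytes reach, so the header should state what it guarantees and what it does not. From the ge.c body in this commit it returns -1 only when the recovered x is not a square root (neither vx^2-u nor vx^2+u is zero) and otherwise stores the negated point (X is flipped whenever its sign equals the encoded sign bit); nothing in that body rejects a non-canonical y encoding or a small-order point, so callers that need strict validation must check separately. Suggested comment above line 56: `/* Decodes s (32 bytes) into -A. Returns 0 on success, -1 if s encodes no curve point. Variable-time; does not reject non-canonical y or small-order points. */`.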
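diff --git a/3rd_party/ed25519/key_exchange.c b/3rd_party/ed25519/key_exchange.c
new file mode 100644
index 0000000..abd75da
--- /dev/null
+++ b/3rd_party/ed25519/key_exchange.c
@@ -0,0 +1,79 @@
+#include "ed25519.h"
+#include "fe.h"
+
+void ed25519_key_exchange(unsigned char *shared_secret, const unsigned char *public_key, const unsigned char *private_key) {
+    unsigned char e[32];
+    unsigned int i;
+
+    fe x1;
+    fe x2;
+    fe z2;
+    fe x3;
+    fe z3;
+    fe tmp0;
+    fe tmp1;
+
+    int pos;
+    unsigned int swap;
+    unsigned int b;
+
+    /* copy the private key and make sure it's valid */
+    for (i = 0; i < 32; ++i) {
+        e[i] = private_key[i];
+    }
+
+    e[0] &= 248;
+    e[31] &= 63;
+    e[31] |= 64;
+
+    /* unpack the public key and convert edwards to montgomery */
+    /* due to CodesInChaos: montgomeryX = (edwardsY + 1)*inverse(1 - edwardsY) mod p */
+    fe_frombytes(x1, public_key);
+    fe_1(tmp1);
+    fe_add(tmp0, x1, tmp1);
+    fe_sub(tmp1, tmp1, x1);
+    fe_invert(tmp1, tmp1);
+    fe_mul(x1, tmp0, tmp1);
+
+    fe_1(x2);
+    fe_0(z2);
+    fe_copy(x3, x1);
+    fe_1(z3);
+
+    swap = 0;
+    for (pos = 254; pos >= 0; --pos) {
+        b = e[pos / 8] >> (pos & 7);
+        b &= 1;
+        swap ^= b;
+        fe_cswap(x2, x3, swap);
+        fe_cswap(z2, z3, swap);
+        swap = b;
+
+        /* from montgomery.h */
+        fe_sub(tmp0, x3, z3);
+        fe_sub(tmp1, x2, z2);
+        fe_add(x2, x2, z2);
+        fe_add(z2, x3, z3);
+        fe_mul(z3, tmp0, x2);
+        fe_mul(z2, z2, tmp1);
+        fe_sq(tmp0, tmp1);
+        fe_sq(tmp1, x2);
+        fe_add(x3, z3, z2);
+        fe_sub(z2, z3, z2);
+        fe_mul(x2, tmp1, tmp0);
+        fe_sub(tmp1, tmp1, tmp0);
+        fe_sq(z2, z2);
+        fe_mul121666(z3, tmp1);
+        fe_sq(x3, x3);
+        fe_add(tmp0, tmp0, z3);
+        fe_mul(z3, x1, z2);
+        fe_mul(z2, tmp1, tmp0);
+    }
+
+    fe_cswap(x2, x3, swap);
+    fe_cswap(z2, z3, swap);
+
+    fe_invert(z2, z2);
+    fe_mul(x2, x2, z2);
+    fe_tobytes(shared_secret, x2);
+}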
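Review bot: Nothing validates the peer's public key or the result: a public key whose decoded y is 1 makes `1 - edwardsY` zero on line 34, the inversion on line 35 (presumably exponentiation-based, so 0 maps to 0) yields a Montgomery u of 0, and the ladder then produces an all-zero `shared_secret` regardless of `private_key`; the same holds for the other low-order inputs. Since the function returns void, the least-invasive fix is for the caller to reject an all-zero result, which should be documented here, e.g. above line 4: `/* X25519-style exchange on the Edwards public key; writes 32 bytes. Does not validate public_key: a low-order peer key yields an all-zero secret, callers must reject it. */`. The clamped scalar copy `e` and the ladder temporaries are also left on the stack at return; clearing `e` with an explicit-zero helper (plain memset before return may be optimized away) would limit key-material residue.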
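diff --git a/3rd_party/ed25519/keypair.c b/3rd_party/ed25519/keypair.c
new file mode 100644
index 0000000..dc1b8ec
--- /dev/null
+++ b/3rd_party/ed25519/keypair.c
@@ -0,0 +1,16 @@
+#include "ed25519.h"
+#include "sha512.h"
+#include "ge.h"
+
+
+void ed25519_create_keypair(unsigned char *public_key, unsigned char *private_key, const unsigned char *seed) {
+    ge_p3 A;
+
+    sha512(seed, 32, private_key);
+    private_key[0] &= 248;
+    private_key[31] &= 63;
+    private_key[31] |= 64;
+
+    ge_scalarmult_base(&A, private_key);
+    ge_p3_tobytes(public_key, &A);
+}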
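Review bot: The buffer contract is undocumented and easy to get wrong: line 9 writes the full SHA-512 digest into `private_key`, so that buffer must be 64 bytes even though only bytes 0 and 31 are clamped on lines 10-12, while `seed` is read as 32 bytes and `public_key` receives 32. A caller sizing `private_key` at 32 bytes gets a stack or heap overflow with no diagnostic. Suggested comment above line 6: `/* seed: 32 bytes of CSPRNG output. private_key: 64 bytes, receives SHA-512(seed) with the first half clamped (second half presumably consumed by signing). public_key: 32 bytes. */`.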
diff --git a/3rd_party/ed25519/precomp_data.h b/3rd_party/ed25519/precomp_data.h
new file mode 100644
index 0000000..ff23986
--- /dev/null
+++ b/3rd_party/ed25519/precomp_data.h
@@ -0,0 +1,1391 @@
1static const ge_precomp Bi[8] = {
2 {
3 { 25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605 },
4 { -12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378 },
5 { -8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546 },
6 },
7 {
8 { 15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024 },
9 { 16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574 },
10 { 30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357 },
11 },
12 {
13 { 10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380 },
14 { 4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306 },
15 { 19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942 },
16 },
17 {
18 { 5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766 },
19 { -30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701 },
20 { 28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300 },
21 },
22 {
23 { -22518993, -6692182, 14201702, -8745502, -23510406, 8844726, 18474211, -1361450, -13062696, 13821877 },
24 { -6455177, -7839871, 3374702, -4740862, -27098617, -10571707, 31655028, -7212327, 18853322, -14220951 },
25 { 4566830, -12963868, -28974889, -12240689, -7602672, -2830569, -8514358, -10431137, 2207753, -3209784 },
26 },
27 {
28 { -25154831, -4185821, 29681144, 7868801, -6854661, -9423865, -12437364, -663000, -31111463, -16132436 },
29 { 25576264, -2703214, 7349804, -11814844, 16472782, 9300885, 3844789, 15725684, 171356, 6466918 },
30 { 23103977, 13316479, 9739013, -16149481, 817875, -15038942, 8965339, -14088058, -30714912, 16193877 },
31 },
32 {
33 { -33521811, 3180713, -2394130, 14003687, -16903474, -16270840, 17238398, 4729455, -18074513, 9256800 },
34 { -25182317, -4174131, 32336398, 5036987, -21236817, 11360617, 22616405, 9761698, -19827198, 630305 },
35 { -13720693, 2639453, -24237460, -7406481, 9494427, -5774029, -6554551, -15960994, -2449256, -14291300 },
36 },
37 {
38 { -3151181, -5046075, 9282714, 6866145, -31907062, -863023, -18940575, 15033784, 25105118, -7894876 },
39 { -24326370, 15950226, -31801215, -14592823, -11662737, -5090925, 1573892, -2625887, 2198790, -15804619 },
40 { -3099351, 10324967, -2241613, 7453183, -5446979, -2735503, -13812022, -16236442, -32461234, -12290683 },
41 },
42};
43
44
45/* base[i][j] = (j+1)*256^i*B */
46static const ge_precomp base[32][8] = {
47 {
48 {
49 { 25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605 },
50 { -12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378 },
51 { -8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546 },
52 },
53 {
54 { -12815894, -12976347, -21581243, 11784320, -25355658, -2750717, -11717903, -3814571, -358445, -10211303 },
55 { -21703237, 6903825, 27185491, 6451973, -29577724, -9554005, -15616551, 11189268, -26829678, -5319081 },
56 { 26966642, 11152617, 32442495, 15396054, 14353839, -12752335, -3128826, -9541118, -15472047, -4166697 },
57 },
58 {
59 { 15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024 },
60 { 16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574 },
61 { 30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357 },
62 },
63 {
64 { -17036878, 13921892, 10945806, -6033431, 27105052, -16084379, -28926210, 15006023, 3284568, -6276540 },
65 { 23599295, -8306047, -11193664, -7687416, 13236774, 10506355, 7464579, 9656445, 13059162, 10374397 },
66 { 7798556, 16710257, 3033922, 2874086, 28997861, 2835604, 32406664, -3839045, -641708, -101325 },
67 },
68 {
69 { 10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380 },
70 { 4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306 },
71 { 19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942 },
72 },
73 {
74 { -15371964, -12862754, 32573250, 4720197, -26436522, 5875511, -19188627, -15224819, -9818940, -12085777 },
75 { -8549212, 109983, 15149363, 2178705, 22900618, 4543417, 3044240, -15689887, 1762328, 14866737 },
76 { -18199695, -15951423, -10473290, 1707278, -17185920, 3916101, -28236412, 3959421, 27914454, 4383652 },
77 },
78 {
79 { 5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766 },
80 { -30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701 },
81 { 28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300 },
82 },
83 {
84 { 14499471, -2729599, -33191113, -4254652, 28494862, 14271267, 30290735, 10876454, -33154098, 2381726 },
85 { -7195431, -2655363, -14730155, 462251, -27724326, 3941372, -6236617, 3696005, -32300832, 15351955 },
86 { 27431194, 8222322, 16448760, -3907995, -18707002, 11938355, -32961401, -2970515, 29551813, 10109425 },
87 },
88 },
89 {
90 {
91 { -13657040, -13155431, -31283750, 11777098, 21447386, 6519384, -2378284, -1627556, 10092783, -4764171 },
92 { 27939166, 14210322, 4677035, 16277044, -22964462, -12398139, -32508754, 12005538, -17810127, 12803510 },
93 { 17228999, -15661624, -1233527, 300140, -1224870, -11714777, 30364213, -9038194, 18016357, 4397660 },
94 },
95 {
96 { -10958843, -7690207, 4776341, -14954238, 27850028, -15602212, -26619106, 14544525, -17477504, 982639 },
97 { 29253598, 15796703, -2863982, -9908884, 10057023, 3163536, 7332899, -4120128, -21047696, 9934963 },
98 { 5793303, 16271923, -24131614, -10116404, 29188560, 1206517, -14747930, 4559895, -30123922, -10897950 },
99 },
100 {
101 { -27643952, -11493006, 16282657, -11036493, 28414021, -15012264, 24191034, 4541697, -13338309, 5500568 },
102 { 12650548, -1497113, 9052871, 11355358, -17680037, -8400164, -17430592, 12264343, 10874051, 13524335 },
103 { 25556948, -3045990, 714651, 2510400, 23394682, -10415330, 33119038, 5080568, -22528059, 5376628 },
104 },
105 {
106 { -26088264, -4011052, -17013699, -3537628, -6726793, 1920897, -22321305, -9447443, 4535768, 1569007 },
107 { -2255422, 14606630, -21692440, -8039818, 28430649, 8775819, -30494562, 3044290, 31848280, 12543772 },
108 { -22028579, 2943893, -31857513, 6777306, 13784462, -4292203, -27377195, -2062731, 7718482, 14474653 },
109 },
110 {
111 { 2385315, 2454213, -22631320, 46603, -4437935, -15680415, 656965, -7236665, 24316168, -5253567 },
112 { 13741529, 10911568, -33233417, -8603737, -20177830, -1033297, 33040651, -13424532, -20729456, 8321686 },
113 { 21060490, -2212744, 15712757, -4336099, 1639040, 10656336, 23845965, -11874838, -9984458, 608372 },
114 },
115 {
116 { -13672732, -15087586, -10889693, -7557059, -6036909, 11305547, 1123968, -6780577, 27229399, 23887 },
117 { -23244140, -294205, -11744728, 14712571, -29465699, -2029617, 12797024, -6440308, -1633405, 16678954 },
118 { -29500620, 4770662, -16054387, 14001338, 7830047, 9564805, -1508144, -4795045, -17169265, 4904953 },
119 },
120 {
121 { 24059557, 14617003, 19037157, -15039908, 19766093, -14906429, 5169211, 16191880, 2128236, -4326833 },
122 { -16981152, 4124966, -8540610, -10653797, 30336522, -14105247, -29806336, 916033, -6882542, -2986532 },
123 { -22630907, 12419372, -7134229, -7473371, -16478904, 16739175, 285431, 2763829, 15736322, 4143876 },
124 },
125 {
126 { 2379352, 11839345, -4110402, -5988665, 11274298, 794957, 212801, -14594663, 23527084, -16458268 },
127 { 33431127, -11130478, -17838966, -15626900, 8909499, 8376530, -32625340, 4087881, -15188911, -14416214 },
128 { 1767683, 7197987, -13205226, -2022635, -13091350, 448826, 5799055, 4357868, -4774191, -16323038 },
129 },
130 },
131 {
132 {
133 { 6721966, 13833823, -23523388, -1551314, 26354293, -11863321, 23365147, -3949732, 7390890, 2759800 },
134 { 4409041, 2052381, 23373853, 10530217, 7676779, -12885954, 21302353, -4264057, 1244380, -12919645 },
135 { -4421239, 7169619, 4982368, -2957590, 30256825, -2777540, 14086413, 9208236, 15886429, 16489664 },
136 },
137 {
138 { 1996075, 10375649, 14346367, 13311202, -6874135, -16438411, -13693198, 398369, -30606455, -712933 },
139 { -25307465, 9795880, -2777414, 14878809, -33531835, 14780363, 13348553, 12076947, -30836462, 5113182 },
140 { -17770784, 11797796, 31950843, 13929123, -25888302, 12288344, -30341101, -7336386, 13847711, 5387222 },
141 },
142 {
143 { -18582163, -3416217, 17824843, -2340966, 22744343, -10442611, 8763061, 3617786, -19600662, 10370991 },
144 { 20246567, -14369378, 22358229, -543712, 18507283, -10413996, 14554437, -8746092, 32232924, 16763880 },
145 { 9648505, 10094563, 26416693, 14745928, -30374318, -6472621, 11094161, 15689506, 3140038, -16510092 },
146 },
147 {
148 { -16160072, 5472695, 31895588, 4744994, 8823515, 10365685, -27224800, 9448613, -28774454, 366295 },
149 { 19153450, 11523972, -11096490, -6503142, -24647631, 5420647, 28344573, 8041113, 719605, 11671788 },
150 { 8678025, 2694440, -6808014, 2517372, 4964326, 11152271, -15432916, -15266516, 27000813, -10195553 },
151 },
152 {
153 { -15157904, 7134312, 8639287, -2814877, -7235688, 10421742, 564065, 5336097, 6750977, -14521026 },
154 { 11836410, -3979488, 26297894, 16080799, 23455045, 15735944, 1695823, -8819122, 8169720, 16220347 },
155 { -18115838, 8653647, 17578566, -6092619, -8025777, -16012763, -11144307, -2627664, -5990708, -14166033 },
156 },
157 {
158 { -23308498, -10968312, 15213228, -10081214, -30853605, -11050004, 27884329, 2847284, 2655861, 1738395 },
159 { -27537433, -14253021, -25336301, -8002780, -9370762, 8129821, 21651608, -3239336, -19087449, -11005278 },
160 { 1533110, 3437855, 23735889, 459276, 29970501, 11335377, 26030092, 5821408, 10478196, 8544890 },
161 },
162 {
163 { 32173121, -16129311, 24896207, 3921497, 22579056, -3410854, 19270449, 12217473, 17789017, -3395995 },
164 { -30552961, -2228401, -15578829, -10147201, 13243889, 517024, 15479401, -3853233, 30460520, 1052596 },
165 { -11614875, 13323618, 32618793, 8175907, -15230173, 12596687, 27491595, -4612359, 3179268, -9478891 },
166 },
167 {
168 { 31947069, -14366651, -4640583, -15339921, -15125977, -6039709, -14756777, -16411740, 19072640, -9511060 },
169 { 11685058, 11822410, 3158003, -13952594, 33402194, -4165066, 5977896, -5215017, 473099, 5040608 },
170 { -20290863, 8198642, -27410132, 11602123, 1290375, -2799760, 28326862, 1721092, -19558642, -3131606 },
171 },
172 },
173 {
174 {
175 { 7881532, 10687937, 7578723, 7738378, -18951012, -2553952, 21820786, 8076149, -27868496, 11538389 },
176 { -19935666, 3899861, 18283497, -6801568, -15728660, -11249211, 8754525, 7446702, -5676054, 5797016 },
177 { -11295600, -3793569, -15782110, -7964573, 12708869, -8456199, 2014099, -9050574, -2369172, -5877341 },
178 },
179 {
180 { -22472376, -11568741, -27682020, 1146375, 18956691, 16640559, 1192730, -3714199, 15123619, 10811505 },
181 { 14352098, -3419715, -18942044, 10822655, 32750596, 4699007, -70363, 15776356, -28886779, -11974553 },
182 { -28241164, -8072475, -4978962, -5315317, 29416931, 1847569, -20654173, -16484855, 4714547, -9600655 },
183 },
184 {
185 { 15200332, 8368572, 19679101, 15970074, -31872674, 1959451, 24611599, -4543832, -11745876, 12340220 },
186 { 12876937, -10480056, 33134381, 6590940, -6307776, 14872440, 9613953, 8241152, 15370987, 9608631 },
187 { -4143277, -12014408, 8446281, -391603, 4407738, 13629032, -7724868, 15866074, -28210621, -8814099 },
188 },
189 {
190 { 26660628, -15677655, 8393734, 358047, -7401291, 992988, -23904233, 858697, 20571223, 8420556 },
191 { 14620715, 13067227, -15447274, 8264467, 14106269, 15080814, 33531827, 12516406, -21574435, -12476749 },
192 { 236881, 10476226, 57258, -14677024, 6472998, 2466984, 17258519, 7256740, 8791136, 15069930 },
193 },
194 {
195 { 1276410, -9371918, 22949635, -16322807, -23493039, -5702186, 14711875, 4874229, -30663140, -2331391 },
196 { 5855666, 4990204, -13711848, 7294284, -7804282, 1924647, -1423175, -7912378, -33069337, 9234253 },
197 { 20590503, -9018988, 31529744, -7352666, -2706834, 10650548, 31559055, -11609587, 18979186, 13396066 },
198 },
199 {
200 { 24474287, 4968103, 22267082, 4407354, 24063882, -8325180, -18816887, 13594782, 33514650, 7021958 },
201 { -11566906, -6565505, -21365085, 15928892, -26158305, 4315421, -25948728, -3916677, -21480480, 12868082 },
202 { -28635013, 13504661, 19988037, -2132761, 21078225, 6443208, -21446107, 2244500, -12455797, -8089383 },
203 },
204 {
205 { -30595528, 13793479, -5852820, 319136, -25723172, -6263899, 33086546, 8957937, -15233648, 5540521 },
206 { -11630176, -11503902, -8119500, -7643073, 2620056, 1022908, -23710744, -1568984, -16128528, -14962807 },
207 { 23152971, 775386, 27395463, 14006635, -9701118, 4649512, 1689819, 892185, -11513277, -15205948 },
208 },
209 {
210 { 9770129, 9586738, 26496094, 4324120, 1556511, -3550024, 27453819, 4763127, -19179614, 5867134 },
211 { -32765025, 1927590, 31726409, -4753295, 23962434, -16019500, 27846559, 5931263, -29749703, -16108455 },
212 { 27461885, -2977536, 22380810, 1815854, -23033753, -3031938, 7283490, -15148073, -19526700, 7734629 },
213 },
214 },
215 {
216 {
217 { -8010264, -9590817, -11120403, 6196038, 29344158, -13430885, 7585295, -3176626, 18549497, 15302069 },
218 { -32658337, -6171222, -7672793, -11051681, 6258878, 13504381, 10458790, -6418461, -8872242, 8424746 },
219 { 24687205, 8613276, -30667046, -3233545, 1863892, -1830544, 19206234, 7134917, -11284482, -828919 },
220 },
221 {
222 { 11334899, -9218022, 8025293, 12707519, 17523892, -10476071, 10243738, -14685461, -5066034, 16498837 },
223 { 8911542, 6887158, -9584260, -6958590, 11145641, -9543680, 17303925, -14124238, 6536641, 10543906 },
224 { -28946384, 15479763, -17466835, 568876, -1497683, 11223454, -2669190, -16625574, -27235709, 8876771 },
225 },
226 {
227 { -25742899, -12566864, -15649966, -846607, -33026686, -796288, -33481822, 15824474, -604426, -9039817 },
228 { 10330056, 70051, 7957388, -9002667, 9764902, 15609756, 27698697, -4890037, 1657394, 3084098 },
229 { 10477963, -7470260, 12119566, -13250805, 29016247, -5365589, 31280319, 14396151, -30233575, 15272409 },
230 },
231 {
232 { -12288309, 3169463, 28813183, 16658753, 25116432, -5630466, -25173957, -12636138, -25014757, 1950504 },
233 { -26180358, 9489187, 11053416, -14746161, -31053720, 5825630, -8384306, -8767532, 15341279, 8373727 },
234 { 28685821, 7759505, -14378516, -12002860, -31971820, 4079242, 298136, -10232602, -2878207, 15190420 },
235 },
236 {
237 { -32932876, 13806336, -14337485, -15794431, -24004620, 10940928, 8669718, 2742393, -26033313, -6875003 },
238 { -1580388, -11729417, -25979658, -11445023, -17411874, -10912854, 9291594, -16247779, -12154742, 6048605 },
239 { -30305315, 14843444, 1539301, 11864366, 20201677, 1900163, 13934231, 5128323, 11213262, 9168384 },
240 },
241 {
242 { -26280513, 11007847, 19408960, -940758, -18592965, -4328580, -5088060, -11105150, 20470157, -16398701 },
243 { -23136053, 9282192, 14855179, -15390078, -7362815, -14408560, -22783952, 14461608, 14042978, 5230683 },
244 { 29969567, -2741594, -16711867, -8552442, 9175486, -2468974, 21556951, 3506042, -5933891, -12449708 },
245 },
246 {
247 { -3144746, 8744661, 19704003, 4581278, -20430686, 6830683, -21284170, 8971513, -28539189, 15326563 },
248 { -19464629, 10110288, -17262528, -3503892, -23500387, 1355669, -15523050, 15300988, -20514118, 9168260 },
249 { -5353335, 4488613, -23803248, 16314347, 7780487, -15638939, -28948358, 9601605, 33087103, -9011387 },
250 },
251 {
252 { -19443170, -15512900, -20797467, -12445323, -29824447, 10229461, -27444329, -15000531, -5996870, 15664672 },
253 { 23294591, -16632613, -22650781, -8470978, 27844204, 11461195, 13099750, -2460356, 18151676, 13417686 },
254 { -24722913, -4176517, -31150679, 5988919, -26858785, 6685065, 1661597, -12551441, 15271676, -15452665 },
255 },
256 },
257 {
258 {
259 { 11433042, -13228665, 8239631, -5279517, -1985436, -725718, -18698764, 2167544, -6921301, -13440182 },
260 { -31436171, 15575146, 30436815, 12192228, -22463353, 9395379, -9917708, -8638997, 12215110, 12028277 },
261 { 14098400, 6555944, 23007258, 5757252, -15427832, -12950502, 30123440, 4617780, -16900089, -655628 },
262 },
263 {
264 { -4026201, -15240835, 11893168, 13718664, -14809462, 1847385, -15819999, 10154009, 23973261, -12684474 },
265 { -26531820, -3695990, -1908898, 2534301, -31870557, -16550355, 18341390, -11419951, 32013174, -10103539 },
266 { -25479301, 10876443, -11771086, -14625140, -12369567, 1838104, 21911214, 6354752, 4425632, -837822 },
267 },
268 {
269 { -10433389, -14612966, 22229858, -3091047, -13191166, 776729, -17415375, -12020462, 4725005, 14044970 },
270 { 19268650, -7304421, 1555349, 8692754, -21474059, -9910664, 6347390, -1411784, -19522291, -16109756 },
271 { -24864089, 12986008, -10898878, -5558584, -11312371, -148526, 19541418, 8180106, 9282262, 10282508 },
272 },
273 {
274 { -26205082, 4428547, -8661196, -13194263, 4098402, -14165257, 15522535, 8372215, 5542595, -10702683 },
275 { -10562541, 14895633, 26814552, -16673850, -17480754, -2489360, -2781891, 6993761, -18093885, 10114655 },
276 { -20107055, -929418, 31422704, 10427861, -7110749, 6150669, -29091755, -11529146, 25953725, -106158 },
277 },
278 {
279 { -4234397, -8039292, -9119125, 3046000, 2101609, -12607294, 19390020, 6094296, -3315279, 12831125 },
280 { -15998678, 7578152, 5310217, 14408357, -33548620, -224739, 31575954, 6326196, 7381791, -2421839 },
281 { -20902779, 3296811, 24736065, -16328389, 18374254, 7318640, 6295303, 8082724, -15362489, 12339664 },
282 },
283 {
284 { 27724736, 2291157, 6088201, -14184798, 1792727, 5857634, 13848414, 15768922, 25091167, 14856294 },
285 { -18866652, 8331043, 24373479, 8541013, -701998, -9269457, 12927300, -12695493, -22182473, -9012899 },
286 { -11423429, -5421590, 11632845, 3405020, 30536730, -11674039, -27260765, 13866390, 30146206, 9142070 },
287 },
288 {
289 { 3924129, -15307516, -13817122, -10054960, 12291820, -668366, -27702774, 9326384, -8237858, 4171294 },
290 { -15921940, 16037937, 6713787, 16606682, -21612135, 2790944, 26396185, 3731949, 345228, -5462949 },
291 { -21327538, 13448259, 25284571, 1143661, 20614966, -8849387, 2031539, -12391231, -16253183, -13582083 },
292 },
293 {
294 { 31016211, -16722429, 26371392, -14451233, -5027349, 14854137, 17477601, 3842657, 28012650, -16405420 },
295 { -5075835, 9368966, -8562079, -4600902, -15249953, 6970560, -9189873, 16292057, -8867157, 3507940 },
296 { 29439664, 3537914, 23333589, 6997794, -17555561, -11018068, -15209202, -15051267, -9164929, 6580396 },
297 },
298 },
299 {
300 {
301 { -12185861, -7679788, 16438269, 10826160, -8696817, -6235611, 17860444, -9273846, -2095802, 9304567 },
302 { 20714564, -4336911, 29088195, 7406487, 11426967, -5095705, 14792667, -14608617, 5289421, -477127 },
303 { -16665533, -10650790, -6160345, -13305760, 9192020, -1802462, 17271490, 12349094, 26939669, -3752294 },
304 },
305 {
306 { -12889898, 9373458, 31595848, 16374215, 21471720, 13221525, -27283495, -12348559, -3698806, 117887 },
307 { 22263325, -6560050, 3984570, -11174646, -15114008, -566785, 28311253, 5358056, -23319780, 541964 },
308 { 16259219, 3261970, 2309254, -15534474, -16885711, -4581916, 24134070, -16705829, -13337066, -13552195 },
309 },
310 {
311 { 9378160, -13140186, -22845982, -12745264, 28198281, -7244098, -2399684, -717351, 690426, 14876244 },
312 { 24977353, -314384, -8223969, -13465086, 28432343, -1176353, -13068804, -12297348, -22380984, 6618999 },
313 { -1538174, 11685646, 12944378, 13682314, -24389511, -14413193, 8044829, -13817328, 32239829, -5652762 },
314 },
315 {
316 { -18603066, 4762990, -926250, 8885304, -28412480, -3187315, 9781647, -10350059, 32779359, 5095274 },
317 { -33008130, -5214506, -32264887, -3685216, 9460461, -9327423, -24601656, 14506724, 21639561, -2630236 },
318 { -16400943, -13112215, 25239338, 15531969, 3987758, -4499318, -1289502, -6863535, 17874574, 558605 },
319 },
320 {
321 { -13600129, 10240081, 9171883, 16131053, -20869254, 9599700, 33499487, 5080151, 2085892, 5119761 },
322 { -22205145, -2519528, -16381601, 414691, -25019550, 2170430, 30634760, -8363614, -31999993, -5759884 },
323 { -6845704, 15791202, 8550074, -1312654, 29928809, -12092256, 27534430, -7192145, -22351378, 12961482 },
324 },
325 {
326 { -24492060, -9570771, 10368194, 11582341, -23397293, -2245287, 16533930, 8206996, -30194652, -5159638 },
327 { -11121496, -3382234, 2307366, 6362031, -135455, 8868177, -16835630, 7031275, 7589640, 8945490 },
328 { -32152748, 8917967, 6661220, -11677616, -1192060, -15793393, 7251489, -11182180, 24099109, -14456170 },
329 },
330 {
331 { 5019558, -7907470, 4244127, -14714356, -26933272, 6453165, -19118182, -13289025, -6231896, -10280736 },
332 { 10853594, 10721687, 26480089, 5861829, -22995819, 1972175, -1866647, -10557898, -3363451, -6441124 },
333 { -17002408, 5906790, 221599, -6563147, 7828208, -13248918, 24362661, -2008168, -13866408, 7421392 },
334 },
335 {
336 { 8139927, -6546497, 32257646, -5890546, 30375719, 1886181, -21175108, 15441252, 28826358, -4123029 },
337 { 6267086, 9695052, 7709135, -16603597, -32869068, -1886135, 14795160, -7840124, 13746021, -1742048 },
338 { 28584902, 7787108, -6732942, -15050729, 22846041, -7571236, -3181936, -363524, 4771362, -8419958 },
339 },
340 },
341 {
342 {
343 { 24949256, 6376279, -27466481, -8174608, -18646154, -9930606, 33543569, -12141695, 3569627, 11342593 },
344 { 26514989, 4740088, 27912651, 3697550, 19331575, -11472339, 6809886, 4608608, 7325975, -14801071 },
345 { -11618399, -14554430, -24321212, 7655128, -1369274, 5214312, -27400540, 10258390, -17646694, -8186692 },
346 },
347 {
348 { 11431204, 15823007, 26570245, 14329124, 18029990, 4796082, -31446179, 15580664, 9280358, -3973687 },
349 { -160783, -10326257, -22855316, -4304997, -20861367, -13621002, -32810901, -11181622, -15545091, 4387441 },
350 { -20799378, 12194512, 3937617, -5805892, -27154820, 9340370, -24513992, 8548137, 20617071, -7482001 },
351 },
352 {
353 { -938825, -3930586, -8714311, 16124718, 24603125, -6225393, -13775352, -11875822, 24345683, 10325460 },
354 { -19855277, -1568885, -22202708, 8714034, 14007766, 6928528, 16318175, -1010689, 4766743, 3552007 },
355 { -21751364, -16730916, 1351763, -803421, -4009670, 3950935, 3217514, 14481909, 10988822, -3994762 },
356 },
357 {
358 { 15564307, -14311570, 3101243, 5684148, 30446780, -8051356, 12677127, -6505343, -8295852, 13296005 },
359 { -9442290, 6624296, -30298964, -11913677, -4670981, -2057379, 31521204, 9614054, -30000824, 12074674 },
360 { 4771191, -135239, 14290749, -13089852, 27992298, 14998318, -1413936, -1556716, 29832613, -16391035 },
361 },
362 {
363 { 7064884, -7541174, -19161962, -5067537, -18891269, -2912736, 25825242, 5293297, -27122660, 13101590 },
364 { -2298563, 2439670, -7466610, 1719965, -27267541, -16328445, 32512469, -5317593, -30356070, -4190957 },
365 { -30006540, 10162316, -33180176, 3981723, -16482138, -13070044, 14413974, 9515896, 19568978, 9628812 },
366 },
367 {
368 { 33053803, 199357, 15894591, 1583059, 27380243, -4580435, -17838894, -6106839, -6291786, 3437740 },
369 { -18978877, 3884493, 19469877, 12726490, 15913552, 13614290, -22961733, 70104, 7463304, 4176122 },
370 { -27124001, 10659917, 11482427, -16070381, 12771467, -6635117, -32719404, -5322751, 24216882, 5944158 },
371 },
372 {
373 { 8894125, 7450974, -2664149, -9765752, -28080517, -12389115, 19345746, 14680796, 11632993, 5847885 },
374 { 26942781, -2315317, 9129564, -4906607, 26024105, 11769399, -11518837, 6367194, -9727230, 4782140 },
375 { 19916461, -4828410, -22910704, -11414391, 25606324, -5972441, 33253853, 8220911, 6358847, -1873857 },
376 },
377 {
378 { 801428, -2081702, 16569428, 11065167, 29875704, 96627, 7908388, -4480480, -13538503, 1387155 },
379 { 19646058, 5720633, -11416706, 12814209, 11607948, 12749789, 14147075, 15156355, -21866831, 11835260 },
380 { 19299512, 1155910, 28703737, 14890794, 2925026, 7269399, 26121523, 15467869, -26560550, 5052483 },
381 },
382 },
383 {
384 {
385 { -3017432, 10058206, 1980837, 3964243, 22160966, 12322533, -6431123, -12618185, 12228557, -7003677 },
386 { 32944382, 14922211, -22844894, 5188528, 21913450, -8719943, 4001465, 13238564, -6114803, 8653815 },
387 { 22865569, -4652735, 27603668, -12545395, 14348958, 8234005, 24808405, 5719875, 28483275, 2841751 },
388 },
389 {
390 { -16420968, -1113305, -327719, -12107856, 21886282, -15552774, -1887966, -315658, 19932058, -12739203 },
391 { -11656086, 10087521, -8864888, -5536143, -19278573, -3055912, 3999228, 13239134, -4777469, -13910208 },
392 { 1382174, -11694719, 17266790, 9194690, -13324356, 9720081, 20403944, 11284705, -14013818, 3093230 },
393 },
394 {
395 { 16650921, -11037932, -1064178, 1570629, -8329746, 7352753, -302424, 16271225, -24049421, -6691850 },
396 { -21911077, -5927941, -4611316, -5560156, -31744103, -10785293, 24123614, 15193618, -21652117, -16739389 },
397 { -9935934, -4289447, -25279823, 4372842, 2087473, 10399484, 31870908, 14690798, 17361620, 11864968 },
398 },
399 {
400 { -11307610, 6210372, 13206574, 5806320, -29017692, -13967200, -12331205, -7486601, -25578460, -16240689 },
401 { 14668462, -12270235, 26039039, 15305210, 25515617, 4542480, 10453892, 6577524, 9145645, -6443880 },
402 { 5974874, 3053895, -9433049, -10385191, -31865124, 3225009, -7972642, 3936128, -5652273, -3050304 },
403 },
404 {
405 { 30625386, -4729400, -25555961, -12792866, -20484575, 7695099, 17097188, -16303496, -27999779, 1803632 },
406 { -3553091, 9865099, -5228566, 4272701, -5673832, -16689700, 14911344, 12196514, -21405489, 7047412 },
407 { 20093277, 9920966, -11138194, -5343857, 13161587, 12044805, -32856851, 4124601, -32343828, -10257566 },
408 },
409 {
410 { -20788824, 14084654, -13531713, 7842147, 19119038, -13822605, 4752377, -8714640, -21679658, 2288038 },
411 { -26819236, -3283715, 29965059, 3039786, -14473765, 2540457, 29457502, 14625692, -24819617, 12570232 },
412 { -1063558, -11551823, 16920318, 12494842, 1278292, -5869109, -21159943, -3498680, -11974704, 4724943 },
413 },
414 {
415 { 17960970, -11775534, -4140968, -9702530, -8876562, -1410617, -12907383, -8659932, -29576300, 1903856 },
416 { 23134274, -14279132, -10681997, -1611936, 20684485, 15770816, -12989750, 3190296, 26955097, 14109738 },
417 { 15308788, 5320727, -30113809, -14318877, 22902008, 7767164, 29425325, -11277562, 31960942, 11934971 },
418 },
419 {
420 { -27395711, 8435796, 4109644, 12222639, -24627868, 14818669, 20638173, 4875028, 10491392, 1379718 },
421 { -13159415, 9197841, 3875503, -8936108, -1383712, -5879801, 33518459, 16176658, 21432314, 12180697 },
422 { -11787308, 11500838, 13787581, -13832590, -22430679, 10140205, 1465425, 12689540, -10301319, -13872883 },
423 },
424 },
425 {
426 {
427 { 5414091, -15386041, -21007664, 9643570, 12834970, 1186149, -2622916, -1342231, 26128231, 6032912 },
428 { -26337395, -13766162, 32496025, -13653919, 17847801, -12669156, 3604025, 8316894, -25875034, -10437358 },
429 { 3296484, 6223048, 24680646, -12246460, -23052020, 5903205, -8862297, -4639164, 12376617, 3188849 },
430 },
431 {
432 { 29190488, -14659046, 27549113, -1183516, 3520066, -10697301, 32049515, -7309113, -16109234, -9852307 },
433 { -14744486, -9309156, 735818, -598978, -20407687, -5057904, 25246078, -15795669, 18640741, -960977 },
434 { -6928835, -16430795, 10361374, 5642961, 4910474, 12345252, -31638386, -494430, 10530747, 1053335 },
435 },
436 {
437 { -29265967, -14186805, -13538216, -12117373, -19457059, -10655384, -31462369, -2948985, 24018831, 15026644 },
438 { -22592535, -3145277, -2289276, 5953843, -13440189, 9425631, 25310643, 13003497, -2314791, -15145616 },
439 { -27419985, -603321, -8043984, -1669117, -26092265, 13987819, -27297622, 187899, -23166419, -2531735 },
440 },
441 {
442 { -21744398, -13810475, 1844840, 5021428, -10434399, -15911473, 9716667, 16266922, -5070217, 726099 },
443 { 29370922, -6053998, 7334071, -15342259, 9385287, 2247707, -13661962, -4839461, 30007388, -15823341 },
444 { -936379, 16086691, 23751945, -543318, -1167538, -5189036, 9137109, 730663, 9835848, 4555336 },
445 },
446 {
447 { -23376435, 1410446, -22253753, -12899614, 30867635, 15826977, 17693930, 544696, -11985298, 12422646 },
448 { 31117226, -12215734, -13502838, 6561947, -9876867, -12757670, -5118685, -4096706, 29120153, 13924425 },
449 { -17400879, -14233209, 19675799, -2734756, -11006962, -5858820, -9383939, -11317700, 7240931, -237388 },
450 },
451 {
452 { -31361739, -11346780, -15007447, -5856218, -22453340, -12152771, 1222336, 4389483, 3293637, -15551743 },
453 { -16684801, -14444245, 11038544, 11054958, -13801175, -3338533, -24319580, 7733547, 12796905, -6335822 },
454 { -8759414, -10817836, -25418864, 10783769, -30615557, -9746811, -28253339, 3647836, 3222231, -11160462 },
455 },
456 {
457 { 18606113, 1693100, -25448386, -15170272, 4112353, 10045021, 23603893, -2048234, -7550776, 2484985 },
458 { 9255317, -3131197, -12156162, -1004256, 13098013, -9214866, 16377220, -2102812, -19802075, -3034702 },
459 { -22729289, 7496160, -5742199, 11329249, 19991973, -3347502, -31718148, 9936966, -30097688, -10618797 },
460 },
461 {
462 { 21878590, -5001297, 4338336, 13643897, -3036865, 13160960, 19708896, 5415497, -7360503, -4109293 },
463 { 27736861, 10103576, 12500508, 8502413, -3413016, -9633558, 10436918, -1550276, -23659143, -8132100 },
464 { 19492550, -12104365, -29681976, -852630, -3208171, 12403437, 30066266, 8367329, 13243957, 8709688 },
465 },
466 },
467 {
468 {
469 { 12015105, 2801261, 28198131, 10151021, 24818120, -4743133, -11194191, -5645734, 5150968, 7274186 },
470 { 2831366, -12492146, 1478975, 6122054, 23825128, -12733586, 31097299, 6083058, 31021603, -9793610 },
471 { -2529932, -2229646, 445613, 10720828, -13849527, -11505937, -23507731, 16354465, 15067285, -14147707 },
472 },
473 {
474 { 7840942, 14037873, -33364863, 15934016, -728213, -3642706, 21403988, 1057586, -19379462, -12403220 },
475 { 915865, -16469274, 15608285, -8789130, -24357026, 6060030, -17371319, 8410997, -7220461, 16527025 },
476 { 32922597, -556987, 20336074, -16184568, 10903705, -5384487, 16957574, 52992, 23834301, 6588044 },
477 },
478 {
479 { 32752030, 11232950, 3381995, -8714866, 22652988, -10744103, 17159699, 16689107, -20314580, -1305992 },
480 { -4689649, 9166776, -25710296, -10847306, 11576752, 12733943, 7924251, -2752281, 1976123, -7249027 },
481 { 21251222, 16309901, -2983015, -6783122, 30810597, 12967303, 156041, -3371252, 12331345, -8237197 },
482 },
483 {
484 { 8651614, -4477032, -16085636, -4996994, 13002507, 2950805, 29054427, -5106970, 10008136, -4667901 },
485 { 31486080, 15114593, -14261250, 12951354, 14369431, -7387845, 16347321, -13662089, 8684155, -10532952 },
486 { 19443825, 11385320, 24468943, -9659068, -23919258, 2187569, -26263207, -6086921, 31316348, 14219878 },
487 },
488 {
489 { -28594490, 1193785, 32245219, 11392485, 31092169, 15722801, 27146014, 6992409, 29126555, 9207390 },
490 { 32382935, 1110093, 18477781, 11028262, -27411763, -7548111, -4980517, 10843782, -7957600, -14435730 },
491 { 2814918, 7836403, 27519878, -7868156, -20894015, -11553689, -21494559, 8550130, 28346258, 1994730 },
492 },
493 {
494 { -19578299, 8085545, -14000519, -3948622, 2785838, -16231307, -19516951, 7174894, 22628102, 8115180 },
495 { -30405132, 955511, -11133838, -15078069, -32447087, -13278079, -25651578, 3317160, -9943017, 930272 },
496 { -15303681, -6833769, 28856490, 1357446, 23421993, 1057177, 24091212, -1388970, -22765376, -10650715 },
497 },
498 {
499 { -22751231, -5303997, -12907607, -12768866, -15811511, -7797053, -14839018, -16554220, -1867018, 8398970 },
500 { -31969310, 2106403, -4736360, 1362501, 12813763, 16200670, 22981545, -6291273, 18009408, -15772772 },
501 { -17220923, -9545221, -27784654, 14166835, 29815394, 7444469, 29551787, -3727419, 19288549, 1325865 },
502 },
503 {
504 { 15100157, -15835752, -23923978, -1005098, -26450192, 15509408, 12376730, -3479146, 33166107, -8042750 },
505 { 20909231, 13023121, -9209752, 16251778, -5778415, -8094914, 12412151, 10018715, 2213263, -13878373 },
506 { 32529814, -11074689, 30361439, -16689753, -9135940, 1513226, 22922121, 6382134, -5766928, 8371348 },
507 },
508 },
509 {
510 {
511 { 9923462, 11271500, 12616794, 3544722, -29998368, -1721626, 12891687, -8193132, -26442943, 10486144 },
512 { -22597207, -7012665, 8587003, -8257861, 4084309, -12970062, 361726, 2610596, -23921530, -11455195 },
513 { 5408411, -1136691, -4969122, 10561668, 24145918, 14240566, 31319731, -4235541, 19985175, -3436086 },
514 },
515 {
516 { -13994457, 16616821, 14549246, 3341099, 32155958, 13648976, -17577068, 8849297, 65030, 8370684 },
517 { -8320926, -12049626, 31204563, 5839400, -20627288, -1057277, -19442942, 6922164, 12743482, -9800518 },
518 { -2361371, 12678785, 28815050, 4759974, -23893047, 4884717, 23783145, 11038569, 18800704, 255233 },
519 },
520 {
521 { -5269658, -1773886, 13957886, 7990715, 23132995, 728773, 13393847, 9066957, 19258688, -14753793 },
522 { -2936654, -10827535, -10432089, 14516793, -3640786, 4372541, -31934921, 2209390, -1524053, 2055794 },
523 { 580882, 16705327, 5468415, -2683018, -30926419, -14696000, -7203346, -8994389, -30021019, 7394435 },
524 },
525 {
526 { 23838809, 1822728, -15738443, 15242727, 8318092, -3733104, -21672180, -3492205, -4821741, 14799921 },
527 { 13345610, 9759151, 3371034, -16137791, 16353039, 8577942, 31129804, 13496856, -9056018, 7402518 },
528 { 2286874, -4435931, -20042458, -2008336, -13696227, 5038122, 11006906, -15760352, 8205061, 1607563 },
529 },
530 {
531 { 14414086, -8002132, 3331830, -3208217, 22249151, -5594188, 18364661, -2906958, 30019587, -9029278 },
532 { -27688051, 1585953, -10775053, 931069, -29120221, -11002319, -14410829, 12029093, 9944378, 8024 },
533 { 4368715, -3709630, 29874200, -15022983, -20230386, -11410704, -16114594, -999085, -8142388, 5640030 },
534 },
535 {
536 { 10299610, 13746483, 11661824, 16234854, 7630238, 5998374, 9809887, -16694564, 15219798, -14327783 },
537 { 27425505, -5719081, 3055006, 10660664, 23458024, 595578, -15398605, -1173195, -18342183, 9742717 },
538 { 6744077, 2427284, 26042789, 2720740, -847906, 1118974, 32324614, 7406442, 12420155, 1994844 },
539 },
540 {
541 { 14012521, -5024720, -18384453, -9578469, -26485342, -3936439, -13033478, -10909803, 24319929, -6446333 },
542 { 16412690, -4507367, 10772641, 15929391, -17068788, -4658621, 10555945, -10484049, -30102368, -4739048 },
543 { 22397382, -7767684, -9293161, -12792868, 17166287, -9755136, -27333065, 6199366, 21880021, -12250760 },
544 },
545 {
546 { -4283307, 5368523, -31117018, 8163389, -30323063, 3209128, 16557151, 8890729, 8840445, 4957760 },
547 { -15447727, 709327, -6919446, -10870178, -29777922, 6522332, -21720181, 12130072, -14796503, 5005757 },
548 { -2114751, -14308128, 23019042, 15765735, -25269683, 6002752, 10183197, -13239326, -16395286, -2176112 },
549 },
550 },
551 {
552 {
553 { -19025756, 1632005, 13466291, -7995100, -23640451, 16573537, -32013908, -3057104, 22208662, 2000468 },
554 { 3065073, -1412761, -25598674, -361432, -17683065, -5703415, -8164212, 11248527, -3691214, -7414184 },
555 { 10379208, -6045554, 8877319, 1473647, -29291284, -12507580, 16690915, 2553332, -3132688, 16400289 },
556 },
557 {
558 { 15716668, 1254266, -18472690, 7446274, -8448918, 6344164, -22097271, -7285580, 26894937, 9132066 },
559 { 24158887, 12938817, 11085297, -8177598, -28063478, -4457083, -30576463, 64452, -6817084, -2692882 },
560 { 13488534, 7794716, 22236231, 5989356, 25426474, -12578208, 2350710, -3418511, -4688006, 2364226 },
561 },
562 {
563 { 16335052, 9132434, 25640582, 6678888, 1725628, 8517937, -11807024, -11697457, 15445875, -7798101 },
564 { 29004207, -7867081, 28661402, -640412, -12794003, -7943086, 31863255, -4135540, -278050, -15759279 },
565 { -6122061, -14866665, -28614905, 14569919, -10857999, -3591829, 10343412, -6976290, -29828287, -10815811 },
566 },
567 {
568 { 27081650, 3463984, 14099042, -4517604, 1616303, -6205604, 29542636, 15372179, 17293797, 960709 },
569 { 20263915, 11434237, -5765435, 11236810, 13505955, -10857102, -16111345, 6493122, -19384511, 7639714 },
570 { -2830798, -14839232, 25403038, -8215196, -8317012, -16173699, 18006287, -16043750, 29994677, -15808121 },
571 },
572 {
573 { 9769828, 5202651, -24157398, -13631392, -28051003, -11561624, -24613141, -13860782, -31184575, 709464 },
574 { 12286395, 13076066, -21775189, -1176622, -25003198, 4057652, -32018128, -8890874, 16102007, 13205847 },
575 { 13733362, 5599946, 10557076, 3195751, -5557991, 8536970, -25540170, 8525972, 10151379, 10394400 },
576 },
577 {
578 { 4024660, -16137551, 22436262, 12276534, -9099015, -2686099, 19698229, 11743039, -33302334, 8934414 },
579 { -15879800, -4525240, -8580747, -2934061, 14634845, -698278, -9449077, 3137094, -11536886, 11721158 },
580 { 17555939, -5013938, 8268606, 2331751, -22738815, 9761013, 9319229, 8835153, -9205489, -1280045 },
581 },
582 {
583 { -461409, -7830014, 20614118, 16688288, -7514766, -4807119, 22300304, 505429, 6108462, -6183415 },
584 { -5070281, 12367917, -30663534, 3234473, 32617080, -8422642, 29880583, -13483331, -26898490, -7867459 },
585 { -31975283, 5726539, 26934134, 10237677, -3173717, -605053, 24199304, 3795095, 7592688, -14992079 },
586 },
587 {
588 { 21594432, -14964228, 17466408, -4077222, 32537084, 2739898, 6407723, 12018833, -28256052, 4298412 },
589 { -20650503, -11961496, -27236275, 570498, 3767144, -1717540, 13891942, -1569194, 13717174, 10805743 },
590 { -14676630, -15644296, 15287174, 11927123, 24177847, -8175568, -796431, 14860609, -26938930, -5863836 },
591 },
592 },
593 {
594 {
595 { 12962541, 5311799, -10060768, 11658280, 18855286, -7954201, 13286263, -12808704, -4381056, 9882022 },
596 { 18512079, 11319350, -20123124, 15090309, 18818594, 5271736, -22727904, 3666879, -23967430, -3299429 },
597 { -6789020, -3146043, 16192429, 13241070, 15898607, -14206114, -10084880, -6661110, -2403099, 5276065 },
598 },
599 {
600 { 30169808, -5317648, 26306206, -11750859, 27814964, 7069267, 7152851, 3684982, 1449224, 13082861 },
601 { 10342826, 3098505, 2119311, 193222, 25702612, 12233820, 23697382, 15056736, -21016438, -8202000 },
602 { -33150110, 3261608, 22745853, 7948688, 19370557, -15177665, -26171976, 6482814, -10300080, -11060101 },
603 },
604 {
605 { 32869458, -5408545, 25609743, 15678670, -10687769, -15471071, 26112421, 2521008, -22664288, 6904815 },
606 { 29506923, 4457497, 3377935, -9796444, -30510046, 12935080, 1561737, 3841096, -29003639, -6657642 },
607 { 10340844, -6630377, -18656632, -2278430, 12621151, -13339055, 30878497, -11824370, -25584551, 5181966 },
608 },
609 {
610 { 25940115, -12658025, 17324188, -10307374, -8671468, 15029094, 24396252, -16450922, -2322852, -12388574 },
611 { -21765684, 9916823, -1300409, 4079498, -1028346, 11909559, 1782390, 12641087, 20603771, -6561742 },
612 { -18882287, -11673380, 24849422, 11501709, 13161720, -4768874, 1925523, 11914390, 4662781, 7820689 },
613 },
614 {
615 { 12241050, -425982, 8132691, 9393934, 32846760, -1599620, 29749456, 12172924, 16136752, 15264020 },
616 { -10349955, -14680563, -8211979, 2330220, -17662549, -14545780, 10658213, 6671822, 19012087, 3772772 },
617 { 3753511, -3421066, 10617074, 2028709, 14841030, -6721664, 28718732, -15762884, 20527771, 12988982 },
618 },
619 {
620 { -14822485, -5797269, -3707987, 12689773, -898983, -10914866, -24183046, -10564943, 3299665, -12424953 },
621 { -16777703, -15253301, -9642417, 4978983, 3308785, 8755439, 6943197, 6461331, -25583147, 8991218 },
622 { -17226263, 1816362, -1673288, -6086439, 31783888, -8175991, -32948145, 7417950, -30242287, 1507265 },
623 },
624 {
625 { 29692663, 6829891, -10498800, 4334896, 20945975, -11906496, -28887608, 8209391, 14606362, -10647073 },
626 { -3481570, 8707081, 32188102, 5672294, 22096700, 1711240, -33020695, 9761487, 4170404, -2085325 },
627 { -11587470, 14855945, -4127778, -1531857, -26649089, 15084046, 22186522, 16002000, -14276837, -8400798 },
628 },
629 {
630 { -4811456, 13761029, -31703877, -2483919, -3312471, 7869047, -7113572, -9620092, 13240845, 10965870 },
631 { -7742563, -8256762, -14768334, -13656260, -23232383, 12387166, 4498947, 14147411, 29514390, 4302863 },
632 { -13413405, -12407859, 20757302, -13801832, 14785143, 8976368, -5061276, -2144373, 17846988, -13971927 },
633 },
634 },
635 {
636 {
637 { -2244452, -754728, -4597030, -1066309, -6247172, 1455299, -21647728, -9214789, -5222701, 12650267 },
638 { -9906797, -16070310, 21134160, 12198166, -27064575, 708126, 387813, 13770293, -19134326, 10958663 },
639 { 22470984, 12369526, 23446014, -5441109, -21520802, -9698723, -11772496, -11574455, -25083830, 4271862 },
640 },
641 {
642 { -25169565, -10053642, -19909332, 15361595, -5984358, 2159192, 75375, -4278529, -32526221, 8469673 },
643 { 15854970, 4148314, -8893890, 7259002, 11666551, 13824734, -30531198, 2697372, 24154791, -9460943 },
644 { 15446137, -15806644, 29759747, 14019369, 30811221, -9610191, -31582008, 12840104, 24913809, 9815020 },
645 },
646 {
647 { -4709286, -5614269, -31841498, -12288893, -14443537, 10799414, -9103676, 13438769, 18735128, 9466238 },
648 { 11933045, 9281483, 5081055, -5183824, -2628162, -4905629, -7727821, -10896103, -22728655, 16199064 },
649 { 14576810, 379472, -26786533, -8317236, -29426508, -10812974, -102766, 1876699, 30801119, 2164795 },
650 },
651 {
652 { 15995086, 3199873, 13672555, 13712240, -19378835, -4647646, -13081610, -15496269, -13492807, 1268052 },
653 { -10290614, -3659039, -3286592, 10948818, 23037027, 3794475, -3470338, -12600221, -17055369, 3565904 },
654 { 29210088, -9419337, -5919792, -4952785, 10834811, -13327726, -16512102, -10820713, -27162222, -14030531 },
655 },
656 {
657 { -13161890, 15508588, 16663704, -8156150, -28349942, 9019123, -29183421, -3769423, 2244111, -14001979 },
658 { -5152875, -3800936, -9306475, -6071583, 16243069, 14684434, -25673088, -16180800, 13491506, 4641841 },
659 { 10813417, 643330, -19188515, -728916, 30292062, -16600078, 27548447, -7721242, 14476989, -12767431 },
660 },
661 {
662 { 10292079, 9984945, 6481436, 8279905, -7251514, 7032743, 27282937, -1644259, -27912810, 12651324 },
663 { -31185513, -813383, 22271204, 11835308, 10201545, 15351028, 17099662, 3988035, 21721536, -3148940 },
664 { 10202177, -6545839, -31373232, -9574638, -32150642, -8119683, -12906320, 3852694, 13216206, 14842320 },
665 },
666 {
667 { -15815640, -10601066, -6538952, -7258995, -6984659, -6581778, -31500847, 13765824, -27434397, 9900184 },
668 { 14465505, -13833331, -32133984, -14738873, -27443187, 12990492, 33046193, 15796406, -7051866, -8040114 },
669 { 30924417, -8279620, 6359016, -12816335, 16508377, 9071735, -25488601, 15413635, 9524356, -7018878 },
670 },
671 {
672 { 12274201, -13175547, 32627641, -1785326, 6736625, 13267305, 5237659, -5109483, 15663516, 4035784 },
673 { -2951309, 8903985, 17349946, 601635, -16432815, -4612556, -13732739, -15889334, -22258478, 4659091 },
674 { -16916263, -4952973, -30393711, -15158821, 20774812, 15897498, 5736189, 15026997, -2178256, -13455585 },
675 },
676 },
677 {
678 {
679 { -8858980, -2219056, 28571666, -10155518, -474467, -10105698, -3801496, 278095, 23440562, -290208 },
680 { 10226241, -5928702, 15139956, 120818, -14867693, 5218603, 32937275, 11551483, -16571960, -7442864 },
681 { 17932739, -12437276, -24039557, 10749060, 11316803, 7535897, 22503767, 5561594, -3646624, 3898661 },
682 },
683 {
684 { 7749907, -969567, -16339731, -16464, -25018111, 15122143, -1573531, 7152530, 21831162, 1245233 },
685 { 26958459, -14658026, 4314586, 8346991, -5677764, 11960072, -32589295, -620035, -30402091, -16716212 },
686 { -12165896, 9166947, 33491384, 13673479, 29787085, 13096535, 6280834, 14587357, -22338025, 13987525 },
687 },
688 {
689 { -24349909, 7778775, 21116000, 15572597, -4833266, -5357778, -4300898, -5124639, -7469781, -2858068 },
690 { 9681908, -6737123, -31951644, 13591838, -6883821, 386950, 31622781, 6439245, -14581012, 4091397 },
691 { -8426427, 1470727, -28109679, -1596990, 3978627, -5123623, -19622683, 12092163, 29077877, -14741988 },
692 },
693 {
694 { 5269168, -6859726, -13230211, -8020715, 25932563, 1763552, -5606110, -5505881, -20017847, 2357889 },
695 { 32264008, -15407652, -5387735, -1160093, -2091322, -3946900, 23104804, -12869908, 5727338, 189038 },
696 { 14609123, -8954470, -6000566, -16622781, -14577387, -7743898, -26745169, 10942115, -25888931, -14884697 },
697 },
698 {
699 { 20513500, 5557931, -15604613, 7829531, 26413943, -2019404, -21378968, 7471781, 13913677, -5137875 },
700 { -25574376, 11967826, 29233242, 12948236, -6754465, 4713227, -8940970, 14059180, 12878652, 8511905 },
701 { -25656801, 3393631, -2955415, -7075526, -2250709, 9366908, -30223418, 6812974, 5568676, -3127656 },
702 },
703 {
704 { 11630004, 12144454, 2116339, 13606037, 27378885, 15676917, -17408753, -13504373, -14395196, 8070818 },
705 { 27117696, -10007378, -31282771, -5570088, 1127282, 12772488, -29845906, 10483306, -11552749, -1028714 },
706 { 10637467, -5688064, 5674781, 1072708, -26343588, -6982302, -1683975, 9177853, -27493162, 15431203 },
707 },
708 {
709 { 20525145, 10892566, -12742472, 12779443, -29493034, 16150075, -28240519, 14943142, -15056790, -7935931 },
710 { -30024462, 5626926, -551567, -9981087, 753598, 11981191, 25244767, -3239766, -3356550, 9594024 },
711 { -23752644, 2636870, -5163910, -10103818, 585134, 7877383, 11345683, -6492290, 13352335, -10977084 },
712 },
713 {
714 { -1931799, -5407458, 3304649, -12884869, 17015806, -4877091, -29783850, -7752482, -13215537, -319204 },
715 { 20239939, 6607058, 6203985, 3483793, -18386976, -779229, -20723742, 15077870, -22750759, 14523817 },
716 { 27406042, -6041657, 27423596, -4497394, 4996214, 10002360, -28842031, -4545494, -30172742, -4805667 },
717 },
718 },
719 {
720 {
721 { 11374242, 12660715, 17861383, -12540833, 10935568, 1099227, -13886076, -9091740, -27727044, 11358504 },
722 { -12730809, 10311867, 1510375, 10778093, -2119455, -9145702, 32676003, 11149336, -26123651, 4985768 },
723 { -19096303, 341147, -6197485, -239033, 15756973, -8796662, -983043, 13794114, -19414307, -15621255 },
724 },
725 {
726 { 6490081, 11940286, 25495923, -7726360, 8668373, -8751316, 3367603, 6970005, -1691065, -9004790 },
727 { 1656497, 13457317, 15370807, 6364910, 13605745, 8362338, -19174622, -5475723, -16796596, -5031438 },
728 { -22273315, -13524424, -64685, -4334223, -18605636, -10921968, -20571065, -7007978, -99853, -10237333 },
729 },
730 {
731 { 17747465, 10039260, 19368299, -4050591, -20630635, -16041286, 31992683, -15857976, -29260363, -5511971 },
732 { 31932027, -4986141, -19612382, 16366580, 22023614, 88450, 11371999, -3744247, 4882242, -10626905 },
733 { 29796507, 37186, 19818052, 10115756, -11829032, 3352736, 18551198, 3272828, -5190932, -4162409 },
734 },
735 {
736 { 12501286, 4044383, -8612957, -13392385, -32430052, 5136599, -19230378, -3529697, 330070, -3659409 },
737 { 6384877, 2899513, 17807477, 7663917, -2358888, 12363165, 25366522, -8573892, -271295, 12071499 },
738 { -8365515, -4042521, 25133448, -4517355, -6211027, 2265927, -32769618, 1936675, -5159697, 3829363 },
739 },
740 {
741 { 28425966, -5835433, -577090, -4697198, -14217555, 6870930, 7921550, -6567787, 26333140, 14267664 },
742 { -11067219, 11871231, 27385719, -10559544, -4585914, -11189312, 10004786, -8709488, -21761224, 8930324 },
743 { -21197785, -16396035, 25654216, -1725397, 12282012, 11008919, 1541940, 4757911, -26491501, -16408940 },
744 },
745 {
746 { 13537262, -7759490, -20604840, 10961927, -5922820, -13218065, -13156584, 6217254, -15943699, 13814990 },
747 { -17422573, 15157790, 18705543, 29619, 24409717, -260476, 27361681, 9257833, -1956526, -1776914 },
748 { -25045300, -10191966, 15366585, 15166509, -13105086, 8423556, -29171540, 12361135, -18685978, 4578290 },
749 },
750 {
751 { 24579768, 3711570, 1342322, -11180126, -27005135, 14124956, -22544529, 14074919, 21964432, 8235257 },
752 { -6528613, -2411497, 9442966, -5925588, 12025640, -1487420, -2981514, -1669206, 13006806, 2355433 },
753 { -16304899, -13605259, -6632427, -5142349, 16974359, -10911083, 27202044, 1719366, 1141648, -12796236 },
754 },
755 {
756 { -12863944, -13219986, -8318266, -11018091, -6810145, -4843894, 13475066, -3133972, 32674895, 13715045 },
757 { 11423335, -5468059, 32344216, 8962751, 24989809, 9241752, -13265253, 16086212, -28740881, -15642093 },
758 { -1409668, 12530728, -6368726, 10847387, 19531186, -14132160, -11709148, 7791794, -27245943, 4383347 },
759 },
760 },
761 {
762 {
763 { -28970898, 5271447, -1266009, -9736989, -12455236, 16732599, -4862407, -4906449, 27193557, 6245191 },
764 { -15193956, 5362278, -1783893, 2695834, 4960227, 12840725, 23061898, 3260492, 22510453, 8577507 },
765 { -12632451, 11257346, -32692994, 13548177, -721004, 10879011, 31168030, 13952092, -29571492, -3635906 },
766 },
767 {
768 { 3877321, -9572739, 32416692, 5405324, -11004407, -13656635, 3759769, 11935320, 5611860, 8164018 },
769 { -16275802, 14667797, 15906460, 12155291, -22111149, -9039718, 32003002, -8832289, 5773085, -8422109 },
770 { -23788118, -8254300, 1950875, 8937633, 18686727, 16459170, -905725, 12376320, 31632953, 190926 },
771 },
772 {
773 { -24593607, -16138885, -8423991, 13378746, 14162407, 6901328, -8288749, 4508564, -25341555, -3627528 },
774 { 8884438, -5884009, 6023974, 10104341, -6881569, -4941533, 18722941, -14786005, -1672488, 827625 },
775 { -32720583, -16289296, -32503547, 7101210, 13354605, 2659080, -1800575, -14108036, -24878478, 1541286 },
776 },
777 {
778 { 2901347, -1117687, 3880376, -10059388, -17620940, -3612781, -21802117, -3567481, 20456845, -1885033 },
779 { 27019610, 12299467, -13658288, -1603234, -12861660, -4861471, -19540150, -5016058, 29439641, 15138866 },
780 { 21536104, -6626420, -32447818, -10690208, -22408077, 5175814, -5420040, -16361163, 7779328, 109896 },
781 },
782 {
783 { 30279744, 14648750, -8044871, 6425558, 13639621, -743509, 28698390, 12180118, 23177719, -554075 },
784 { 26572847, 3405927, -31701700, 12890905, -19265668, 5335866, -6493768, 2378492, 4439158, -13279347 },
785 { -22716706, 3489070, -9225266, -332753, 18875722, -1140095, 14819434, -12731527, -17717757, -5461437 },
786 },
787 {
788 { -5056483, 16566551, 15953661, 3767752, -10436499, 15627060, -820954, 2177225, 8550082, -15114165 },
789 { -18473302, 16596775, -381660, 15663611, 22860960, 15585581, -27844109, -3582739, -23260460, -8428588 },
790 { -32480551, 15707275, -8205912, -5652081, 29464558, 2713815, -22725137, 15860482, -21902570, 1494193 },
791 },
792 {
793 { -19562091, -14087393, -25583872, -9299552, 13127842, 759709, 21923482, 16529112, 8742704, 12967017 },
794 { -28464899, 1553205, 32536856, -10473729, -24691605, -406174, -8914625, -2933896, -29903758, 15553883 },
795 { 21877909, 3230008, 9881174, 10539357, -4797115, 2841332, 11543572, 14513274, 19375923, -12647961 },
796 },
797 {
798 { 8832269, -14495485, 13253511, 5137575, 5037871, 4078777, 24880818, -6222716, 2862653, 9455043 },
799 { 29306751, 5123106, 20245049, -14149889, 9592566, 8447059, -2077124, -2990080, 15511449, 4789663 },
800 { -20679756, 7004547, 8824831, -9434977, -4045704, -3750736, -5754762, 108893, 23513200, 16652362 },
801 },
802 },
803 {
804 {
805 { -33256173, 4144782, -4476029, -6579123, 10770039, -7155542, -6650416, -12936300, -18319198, 10212860 },
806 { 2756081, 8598110, 7383731, -6859892, 22312759, -1105012, 21179801, 2600940, -9988298, -12506466 },
807 { -24645692, 13317462, -30449259, -15653928, 21365574, -10869657, 11344424, 864440, -2499677, -16710063 },
808 },
809 {
810 { -26432803, 6148329, -17184412, -14474154, 18782929, -275997, -22561534, 211300, 2719757, 4940997 },
811 { -1323882, 3911313, -6948744, 14759765, -30027150, 7851207, 21690126, 8518463, 26699843, 5276295 },
812 { -13149873, -6429067, 9396249, 365013, 24703301, -10488939, 1321586, 149635, -15452774, 7159369 },
813 },
814 {
815 { 9987780, -3404759, 17507962, 9505530, 9731535, -2165514, 22356009, 8312176, 22477218, -8403385 },
816 { 18155857, -16504990, 19744716, 9006923, 15154154, -10538976, 24256460, -4864995, -22548173, 9334109 },
817 { 2986088, -4911893, 10776628, -3473844, 10620590, -7083203, -21413845, 14253545, -22587149, 536906 },
818 },
819 {
820 { 4377756, 8115836, 24567078, 15495314, 11625074, 13064599, 7390551, 10589625, 10838060, -15420424 },
821 { -19342404, 867880, 9277171, -3218459, -14431572, -1986443, 19295826, -15796950, 6378260, 699185 },
822 { 7895026, 4057113, -7081772, -13077756, -17886831, -323126, -716039, 15693155, -5045064, -13373962 },
823 },
824 {
825 { -7737563, -5869402, -14566319, -7406919, 11385654, 13201616, 31730678, -10962840, -3918636, -9669325 },
826 { 10188286, -15770834, -7336361, 13427543, 22223443, 14896287, 30743455, 7116568, -21786507, 5427593 },
827 { 696102, 13206899, 27047647, -10632082, 15285305, -9853179, 10798490, -4578720, 19236243, 12477404 },
828 },
829 {
830 { -11229439, 11243796, -17054270, -8040865, -788228, -8167967, -3897669, 11180504, -23169516, 7733644 },
831 { 17800790, -14036179, -27000429, -11766671, 23887827, 3149671, 23466177, -10538171, 10322027, 15313801 },
832 { 26246234, 11968874, 32263343, -5468728, 6830755, -13323031, -15794704, -101982, -24449242, 10890804 },
833 },
834 {
835 { -31365647, 10271363, -12660625, -6267268, 16690207, -13062544, -14982212, 16484931, 25180797, -5334884 },
836 { -586574, 10376444, -32586414, -11286356, 19801893, 10997610, 2276632, 9482883, 316878, 13820577 },
837 { -9882808, -4510367, -2115506, 16457136, -11100081, 11674996, 30756178, -7515054, 30696930, -3712849 },
838 },
839 {
840 { 32988917, -9603412, 12499366, 7910787, -10617257, -11931514, -7342816, -9985397, -32349517, 7392473 },
841 { -8855661, 15927861, 9866406, -3649411, -2396914, -16655781, -30409476, -9134995, 25112947, -2926644 },
842 { -2504044, -436966, 25621774, -5678772, 15085042, -5479877, -24884878, -13526194, 5537438, -13914319 },
843 },
844 },
845 {
846 {
847 { -11225584, 2320285, -9584280, 10149187, -33444663, 5808648, -14876251, -1729667, 31234590, 6090599 },
848 { -9633316, 116426, 26083934, 2897444, -6364437, -2688086, 609721, 15878753, -6970405, -9034768 },
849 { -27757857, 247744, -15194774, -9002551, 23288161, -10011936, -23869595, 6503646, 20650474, 1804084 },
850 },
851 {
852 { -27589786, 15456424, 8972517, 8469608, 15640622, 4439847, 3121995, -10329713, 27842616, -202328 },
853 { -15306973, 2839644, 22530074, 10026331, 4602058, 5048462, 28248656, 5031932, -11375082, 12714369 },
854 { 20807691, -7270825, 29286141, 11421711, -27876523, -13868230, -21227475, 1035546, -19733229, 12796920 },
855 },
856 {
857 { 12076899, -14301286, -8785001, -11848922, -25012791, 16400684, -17591495, -12899438, 3480665, -15182815 },
858 { -32361549, 5457597, 28548107, 7833186, 7303070, -11953545, -24363064, -15921875, -33374054, 2771025 },
859 { -21389266, 421932, 26597266, 6860826, 22486084, -6737172, -17137485, -4210226, -24552282, 15673397 },
860 },
861 {
862 { -20184622, 2338216, 19788685, -9620956, -4001265, -8740893, -20271184, 4733254, 3727144, -12934448 },
863 { 6120119, 814863, -11794402, -622716, 6812205, -15747771, 2019594, 7975683, 31123697, -10958981 },
864 { 30069250, -11435332, 30434654, 2958439, 18399564, -976289, 12296869, 9204260, -16432438, 9648165 },
865 },
866 {
867 { 32705432, -1550977, 30705658, 7451065, -11805606, 9631813, 3305266, 5248604, -26008332, -11377501 },
868 { 17219865, 2375039, -31570947, -5575615, -19459679, 9219903, 294711, 15298639, 2662509, -16297073 },
869 { -1172927, -7558695, -4366770, -4287744, -21346413, -8434326, 32087529, -1222777, 32247248, -14389861 },
870 },
871 {
872 { 14312628, 1221556, 17395390, -8700143, -4945741, -8684635, -28197744, -9637817, -16027623, -13378845 },
873 { -1428825, -9678990, -9235681, 6549687, -7383069, -468664, 23046502, 9803137, 17597934, 2346211 },
874 { 18510800, 15337574, 26171504, 981392, -22241552, 7827556, -23491134, -11323352, 3059833, -11782870 },
875 },
876 {
877 { 10141598, 6082907, 17829293, -1947643, 9830092, 13613136, -25556636, -5544586, -33502212, 3592096 },
878 { 33114168, -15889352, -26525686, -13343397, 33076705, 8716171, 1151462, 1521897, -982665, -6837803 },
879 { -32939165, -4255815, 23947181, -324178, -33072974, -12305637, -16637686, 3891704, 26353178, 693168 },
880 },
881 {
882 { 30374239, 1595580, -16884039, 13186931, 4600344, 406904, 9585294, -400668, 31375464, 14369965 },
883 { -14370654, -7772529, 1510301, 6434173, -18784789, -6262728, 32732230, -13108839, 17901441, 16011505 },
884 { 18171223, -11934626, -12500402, 15197122, -11038147, -15230035, -19172240, -16046376, 8764035, 12309598 },
885 },
886 },
887 {
888 {
889 { 5975908, -5243188, -19459362, -9681747, -11541277, 14015782, -23665757, 1228319, 17544096, -10593782 },
890 { 5811932, -1715293, 3442887, -2269310, -18367348, -8359541, -18044043, -15410127, -5565381, 12348900 },
891 { -31399660, 11407555, 25755363, 6891399, -3256938, 14872274, -24849353, 8141295, -10632534, -585479 },
892 },
893 {
894 { -12675304, 694026, -5076145, 13300344, 14015258, -14451394, -9698672, -11329050, 30944593, 1130208 },
895 { 8247766, -6710942, -26562381, -7709309, -14401939, -14648910, 4652152, 2488540, 23550156, -271232 },
896 { 17294316, -3788438, 7026748, 15626851, 22990044, 113481, 2267737, -5908146, -408818, -137719 },
897 },
898 {
899 { 16091085, -16253926, 18599252, 7340678, 2137637, -1221657, -3364161, 14550936, 3260525, -7166271 },
900 { -4910104, -13332887, 18550887, 10864893, -16459325, -7291596, -23028869, -13204905, -12748722, 2701326 },
901 { -8574695, 16099415, 4629974, -16340524, -20786213, -6005432, -10018363, 9276971, 11329923, 1862132 },
902 },
903 {
904 { 14763076, -15903608, -30918270, 3689867, 3511892, 10313526, -21951088, 12219231, -9037963, -940300 },
905 { 8894987, -3446094, 6150753, 3013931, 301220, 15693451, -31981216, -2909717, -15438168, 11595570 },
906 { 15214962, 3537601, -26238722, -14058872, 4418657, -15230761, 13947276, 10730794, -13489462, -4363670 },
907 },
908 {
909 { -2538306, 7682793, 32759013, 263109, -29984731, -7955452, -22332124, -10188635, 977108, 699994 },
910 { -12466472, 4195084, -9211532, 550904, -15565337, 12917920, 19118110, -439841, -30534533, -14337913 },
911 { 31788461, -14507657, 4799989, 7372237, 8808585, -14747943, 9408237, -10051775, 12493932, -5409317 },
912 },
913 {
914 { -25680606, 5260744, -19235809, -6284470, -3695942, 16566087, 27218280, 2607121, 29375955, 6024730 },
915 { 842132, -2794693, -4763381, -8722815, 26332018, -12405641, 11831880, 6985184, -9940361, 2854096 },
916 { -4847262, -7969331, 2516242, -5847713, 9695691, -7221186, 16512645, 960770, 12121869, 16648078 },
917 },
918 {
919 { -15218652, 14667096, -13336229, 2013717, 30598287, -464137, -31504922, -7882064, 20237806, 2838411 },
920 { -19288047, 4453152, 15298546, -16178388, 22115043, -15972604, 12544294, -13470457, 1068881, -12499905 },
921 { -9558883, -16518835, 33238498, 13506958, 30505848, -1114596, -8486907, -2630053, 12521378, 4845654 },
922 },
923 {
924 { -28198521, 10744108, -2958380, 10199664, 7759311, -13088600, 3409348, -873400, -6482306, -12885870 },
925 { -23561822, 6230156, -20382013, 10655314, -24040585, -11621172, 10477734, -1240216, -3113227, 13974498 },
926 { 12966261, 15550616, -32038948, -1615346, 21025980, -629444, 5642325, 7188737, 18895762, 12629579 },
927 },
928 },
929 {
930 {
931 { 14741879, -14946887, 22177208, -11721237, 1279741, 8058600, 11758140, 789443, 32195181, 3895677 },
932 { 10758205, 15755439, -4509950, 9243698, -4879422, 6879879, -2204575, -3566119, -8982069, 4429647 },
933 { -2453894, 15725973, -20436342, -10410672, -5803908, -11040220, -7135870, -11642895, 18047436, -15281743 },
934 },
935 {
936 { -25173001, -11307165, 29759956, 11776784, -22262383, -15820455, 10993114, -12850837, -17620701, -9408468 },
937 { 21987233, 700364, -24505048, 14972008, -7774265, -5718395, 32155026, 2581431, -29958985, 8773375 },
938 { -25568350, 454463, -13211935, 16126715, 25240068, 8594567, 20656846, 12017935, -7874389, -13920155 },
939 },
940 {
941 { 6028182, 6263078, -31011806, -11301710, -818919, 2461772, -31841174, -5468042, -1721788, -2776725 },
942 { -12278994, 16624277, 987579, -5922598, 32908203, 1248608, 7719845, -4166698, 28408820, 6816612 },
943 { -10358094, -8237829, 19549651, -12169222, 22082623, 16147817, 20613181, 13982702, -10339570, 5067943 },
944 },
945 {
946 { -30505967, -3821767, 12074681, 13582412, -19877972, 2443951, -19719286, 12746132, 5331210, -10105944 },
947 { 30528811, 3601899, -1957090, 4619785, -27361822, -15436388, 24180793, -12570394, 27679908, -1648928 },
948 { 9402404, -13957065, 32834043, 10838634, -26580150, -13237195, 26653274, -8685565, 22611444, -12715406 },
949 },
950 {
951 { 22190590, 1118029, 22736441, 15130463, -30460692, -5991321, 19189625, -4648942, 4854859, 6622139 },
952 { -8310738, -2953450, -8262579, -3388049, -10401731, -271929, 13424426, -3567227, 26404409, 13001963 },
953 { -31241838, -15415700, -2994250, 8939346, 11562230, -12840670, -26064365, -11621720, -15405155, 11020693 },
954 },
955 {
956 { 1866042, -7949489, -7898649, -10301010, 12483315, 13477547, 3175636, -12424163, 28761762, 1406734 },
957 { -448555, -1777666, 13018551, 3194501, -9580420, -11161737, 24760585, -4347088, 25577411, -13378680 },
958 { -24290378, 4759345, -690653, -1852816, 2066747, 10693769, -29595790, 9884936, -9368926, 4745410 },
959 },
960 {
961 { -9141284, 6049714, -19531061, -4341411, -31260798, 9944276, -15462008, -11311852, 10931924, -11931931 },
962 { -16561513, 14112680, -8012645, 4817318, -8040464, -11414606, -22853429, 10856641, -20470770, 13434654 },
963 { 22759489, -10073434, -16766264, -1871422, 13637442, -10168091, 1765144, -12654326, 28445307, -5364710 },
964 },
965 {
966 { 29875063, 12493613, 2795536, -3786330, 1710620, 15181182, -10195717, -8788675, 9074234, 1167180 },
967 { -26205683, 11014233, -9842651, -2635485, -26908120, 7532294, -18716888, -9535498, 3843903, 9367684 },
968 { -10969595, -6403711, 9591134, 9582310, 11349256, 108879, 16235123, 8601684, -139197, 4242895 },
969 },
970 },
971 {
972 {
973 { 22092954, -13191123, -2042793, -11968512, 32186753, -11517388, -6574341, 2470660, -27417366, 16625501 },
974 { -11057722, 3042016, 13770083, -9257922, 584236, -544855, -7770857, 2602725, -27351616, 14247413 },
975 { 6314175, -10264892, -32772502, 15957557, -10157730, 168750, -8618807, 14290061, 27108877, -1180880 },
976 },
977 {
978 { -8586597, -7170966, 13241782, 10960156, -32991015, -13794596, 33547976, -11058889, -27148451, 981874 },
979 { 22833440, 9293594, -32649448, -13618667, -9136966, 14756819, -22928859, -13970780, -10479804, -16197962 },
980 { -7768587, 3326786, -28111797, 10783824, 19178761, 14905060, 22680049, 13906969, -15933690, 3797899 },
981 },
982 {
983 { 21721356, -4212746, -12206123, 9310182, -3882239, -13653110, 23740224, -2709232, 20491983, -8042152 },
984 { 9209270, -15135055, -13256557, -6167798, -731016, 15289673, 25947805, 15286587, 30997318, -6703063 },
985 { 7392032, 16618386, 23946583, -8039892, -13265164, -1533858, -14197445, -2321576, 17649998, -250080 },
986 },
987 {
988 { -9301088, -14193827, 30609526, -3049543, -25175069, -1283752, -15241566, -9525724, -2233253, 7662146 },
989 { -17558673, 1763594, -33114336, 15908610, -30040870, -12174295, 7335080, -8472199, -3174674, 3440183 },
990 { -19889700, -5977008, -24111293, -9688870, 10799743, -16571957, 40450, -4431835, 4862400, 1133 },
991 },
992 {
993 { -32856209, -7873957, -5422389, 14860950, -16319031, 7956142, 7258061, 311861, -30594991, -7379421 },
994 { -3773428, -1565936, 28985340, 7499440, 24445838, 9325937, 29727763, 16527196, 18278453, 15405622 },
995 { -4381906, 8508652, -19898366, -3674424, -5984453, 15149970, -13313598, 843523, -21875062, 13626197 },
996 },
997 {
998 { 2281448, -13487055, -10915418, -2609910, 1879358, 16164207, -10783882, 3953792, 13340839, 15928663 },
999 { 31727126, -7179855, -18437503, -8283652, 2875793, -16390330, -25269894, -7014826, -23452306, 5964753 },
1000 { 4100420, -5959452, -17179337, 6017714, -18705837, 12227141, -26684835, 11344144, 2538215, -7570755 },
1001 },
1002 {
1003 { -9433605, 6123113, 11159803, -2156608, 30016280, 14966241, -20474983, 1485421, -629256, -15958862 },
1004 { -26804558, 4260919, 11851389, 9658551, -32017107, 16367492, -20205425, -13191288, 11659922, -11115118 },
1005 { 26180396, 10015009, -30844224, -8581293, 5418197, 9480663, 2231568, -10170080, 33100372, -1306171 },
1006 },
1007 {
1008 { 15121113, -5201871, -10389905, 15427821, -27509937, -15992507, 21670947, 4486675, -5931810, -14466380 },
1009 { 16166486, -9483733, -11104130, 6023908, -31926798, -1364923, 2340060, -16254968, -10735770, -10039824 },
1010 { 28042865, -3557089, -12126526, 12259706, -3717498, -6945899, 6766453, -8689599, 18036436, 5803270 },
1011 },
1012 },
1013 {
1014 {
1015 { -817581, 6763912, 11803561, 1585585, 10958447, -2671165, 23855391, 4598332, -6159431, -14117438 },
1016 { -31031306, -14256194, 17332029, -2383520, 31312682, -5967183, 696309, 50292, -20095739, 11763584 },
1017 { -594563, -2514283, -32234153, 12643980, 12650761, 14811489, 665117, -12613632, -19773211, -10713562 },
1018 },
1019 {
1020 { 30464590, -11262872, -4127476, -12734478, 19835327, -7105613, -24396175, 2075773, -17020157, 992471 },
1021 { 18357185, -6994433, 7766382, 16342475, -29324918, 411174, 14578841, 8080033, -11574335, -10601610 },
1022 { 19598397, 10334610, 12555054, 2555664, 18821899, -10339780, 21873263, 16014234, 26224780, 16452269 },
1023 },
1024 {
1025 { -30223925, 5145196, 5944548, 16385966, 3976735, 2009897, -11377804, -7618186, -20533829, 3698650 },
1026 { 14187449, 3448569, -10636236, -10810935, -22663880, -3433596, 7268410, -10890444, 27394301, 12015369 },
1027 { 19695761, 16087646, 28032085, 12999827, 6817792, 11427614, 20244189, -1312777, -13259127, -3402461 },
1028 },
1029 {
1030 { 30860103, 12735208, -1888245, -4699734, -16974906, 2256940, -8166013, 12298312, -8550524, -10393462 },
1031 { -5719826, -11245325, -1910649, 15569035, 26642876, -7587760, -5789354, -15118654, -4976164, 12651793 },
1032 { -2848395, 9953421, 11531313, -5282879, 26895123, -12697089, -13118820, -16517902, 9768698, -2533218 },
1033 },
1034 {
1035 { -24719459, 1894651, -287698, -4704085, 15348719, -8156530, 32767513, 12765450, 4940095, 10678226 },
1036 { 18860224, 15980149, -18987240, -1562570, -26233012, -11071856, -7843882, 13944024, -24372348, 16582019 },
1037 { -15504260, 4970268, -29893044, 4175593, -20993212, -2199756, -11704054, 15444560, -11003761, 7989037 },
1038 },
1039 {
1040 { 31490452, 5568061, -2412803, 2182383, -32336847, 4531686, -32078269, 6200206, -19686113, -14800171 },
1041 { -17308668, -15879940, -31522777, -2831, -32887382, 16375549, 8680158, -16371713, 28550068, -6857132 },
1042 { -28126887, -5688091, 16837845, -1820458, -6850681, 12700016, -30039981, 4364038, 1155602, 5988841 },
1043 },
1044 {
1045 { 21890435, -13272907, -12624011, 12154349, -7831873, 15300496, 23148983, -4470481, 24618407, 8283181 },
1046 { -33136107, -10512751, 9975416, 6841041, -31559793, 16356536, 3070187, -7025928, 1466169, 10740210 },
1047 { -1509399, -15488185, -13503385, -10655916, 32799044, 909394, -13938903, -5779719, -32164649, -15327040 },
1048 },
1049 {
1050 { 3960823, -14267803, -28026090, -15918051, -19404858, 13146868, 15567327, 951507, -3260321, -573935 },
1051 { 24740841, 5052253, -30094131, 8961361, 25877428, 6165135, -24368180, 14397372, -7380369, -6144105 },
1052 { -28888365, 3510803, -28103278, -1158478, -11238128, -10631454, -15441463, -14453128, -1625486, -6494814 },
1053 },
1054 },
1055 {
1056 {
1057 { 793299, -9230478, 8836302, -6235707, -27360908, -2369593, 33152843, -4885251, -9906200, -621852 },
1058 { 5666233, 525582, 20782575, -8038419, -24538499, 14657740, 16099374, 1468826, -6171428, -15186581 },
1059 { -4859255, -3779343, -2917758, -6748019, 7778750, 11688288, -30404353, -9871238, -1558923, -9863646 },
1060 },
1061 {
1062 { 10896332, -7719704, 824275, 472601, -19460308, 3009587, 25248958, 14783338, -30581476, -15757844 },
1063 { 10566929, 12612572, -31944212, 11118703, -12633376, 12362879, 21752402, 8822496, 24003793, 14264025 },
1064 { 27713862, -7355973, -11008240, 9227530, 27050101, 2504721, 23886875, -13117525, 13958495, -5732453 },
1065 },
1066 {
1067 { -23481610, 4867226, -27247128, 3900521, 29838369, -8212291, -31889399, -10041781, 7340521, -15410068 },
1068 { 4646514, -8011124, -22766023, -11532654, 23184553, 8566613, 31366726, -1381061, -15066784, -10375192 },
1069 { -17270517, 12723032, -16993061, 14878794, 21619651, -6197576, 27584817, 3093888, -8843694, 3849921 },
1070 },
1071 {
1072 { -9064912, 2103172, 25561640, -15125738, -5239824, 9582958, 32477045, -9017955, 5002294, -15550259 },
1073 { -12057553, -11177906, 21115585, -13365155, 8808712, -12030708, 16489530, 13378448, -25845716, 12741426 },
1074 { -5946367, 10645103, -30911586, 15390284, -3286982, -7118677, 24306472, 15852464, 28834118, -7646072 },
1075 },
1076 {
1077 { -17335748, -9107057, -24531279, 9434953, -8472084, -583362, -13090771, 455841, 20461858, 5491305 },
1078 { 13669248, -16095482, -12481974, -10203039, -14569770, -11893198, -24995986, 11293807, -28588204, -9421832 },
1079 { 28497928, 6272777, -33022994, 14470570, 8906179, -1225630, 18504674, -14165166, 29867745, -8795943 },
1080 },
1081 {
1082 { -16207023, 13517196, -27799630, -13697798, 24009064, -6373891, -6367600, -13175392, 22853429, -4012011 },
1083 { 24191378, 16712145, -13931797, 15217831, 14542237, 1646131, 18603514, -11037887, 12876623, -2112447 },
1084 { 17902668, 4518229, -411702, -2829247, 26878217, 5258055, -12860753, 608397, 16031844, 3723494 },
1085 },
1086 {
1087 { -28632773, 12763728, -20446446, 7577504, 33001348, -13017745, 17558842, -7872890, 23896954, -4314245 },
1088 { -20005381, -12011952, 31520464, 605201, 2543521, 5991821, -2945064, 7229064, -9919646, -8826859 },
1089 { 28816045, 298879, -28165016, -15920938, 19000928, -1665890, -12680833, -2949325, -18051778, -2082915 },
1090 },
1091 {
1092 { 16000882, -344896, 3493092, -11447198, -29504595, -13159789, 12577740, 16041268, -19715240, 7847707 },
1093 { 10151868, 10572098, 27312476, 7922682, 14825339, 4723128, -32855931, -6519018, -10020567, 3852848 },
1094 { -11430470, 15697596, -21121557, -4420647, 5386314, 15063598, 16514493, -15932110, 29330899, -15076224 },
1095 },
1096 },
1097 {
1098 {
1099 { -25499735, -4378794, -15222908, -6901211, 16615731, 2051784, 3303702, 15490, -27548796, 12314391 },
1100 { 15683520, -6003043, 18109120, -9980648, 15337968, -5997823, -16717435, 15921866, 16103996, -3731215 },
1101 { -23169824, -10781249, 13588192, -1628807, -3798557, -1074929, -19273607, 5402699, -29815713, -9841101 },
1102 },
1103 {
1104 { 23190676, 2384583, -32714340, 3462154, -29903655, -1529132, -11266856, 8911517, -25205859, 2739713 },
1105 { 21374101, -3554250, -33524649, 9874411, 15377179, 11831242, -33529904, 6134907, 4931255, 11987849 },
1106 { -7732, -2978858, -16223486, 7277597, 105524, -322051, -31480539, 13861388, -30076310, 10117930 },
1107 },
1108 {
1109 { -29501170, -10744872, -26163768, 13051539, -25625564, 5089643, -6325503, 6704079, 12890019, 15728940 },
1110 { -21972360, -11771379, -951059, -4418840, 14704840, 2695116, 903376, -10428139, 12885167, 8311031 },
1111 { -17516482, 5352194, 10384213, -13811658, 7506451, 13453191, 26423267, 4384730, 1888765, -5435404 },
1112 },
1113 {
1114 { -25817338, -3107312, -13494599, -3182506, 30896459, -13921729, -32251644, -12707869, -19464434, -3340243 },
1115 { -23607977, -2665774, -526091, 4651136, 5765089, 4618330, 6092245, 14845197, 17151279, -9854116 },
1116 { -24830458, -12733720, -15165978, 10367250, -29530908, -265356, 22825805, -7087279, -16866484, 16176525 },
1117 },
1118 {
1119 { -23583256, 6564961, 20063689, 3798228, -4740178, 7359225, 2006182, -10363426, -28746253, -10197509 },
1120 { -10626600, -4486402, -13320562, -5125317, 3432136, -6393229, 23632037, -1940610, 32808310, 1099883 },
1121 { 15030977, 5768825, -27451236, -2887299, -6427378, -15361371, -15277896, -6809350, 2051441, -15225865 },
1122 },
1123 {
1124 { -3362323, -7239372, 7517890, 9824992, 23555850, 295369, 5148398, -14154188, -22686354, 16633660 },
1125 { 4577086, -16752288, 13249841, -15304328, 19958763, -14537274, 18559670, -10759549, 8402478, -9864273 },
1126 { -28406330, -1051581, -26790155, -907698, -17212414, -11030789, 9453451, -14980072, 17983010, 9967138 },
1127 },
1128 {
1129 { -25762494, 6524722, 26585488, 9969270, 24709298, 1220360, -1677990, 7806337, 17507396, 3651560 },
1130 { -10420457, -4118111, 14584639, 15971087, -15768321, 8861010, 26556809, -5574557, -18553322, -11357135 },
1131 { 2839101, 14284142, 4029895, 3472686, 14402957, 12689363, -26642121, 8459447, -5605463, -7621941 },
1132 },
1133 {
1134 { -4839289, -3535444, 9744961, 2871048, 25113978, 3187018, -25110813, -849066, 17258084, -7977739 },
1135 { 18164541, -10595176, -17154882, -1542417, 19237078, -9745295, 23357533, -15217008, 26908270, 12150756 },
1136 { -30264870, -7647865, 5112249, -7036672, -1499807, -6974257, 43168, -5537701, -32302074, 16215819 },
1137 },
1138 },
1139 {
1140 {
1141 { -6898905, 9824394, -12304779, -4401089, -31397141, -6276835, 32574489, 12532905, -7503072, -8675347 },
1142 { -27343522, -16515468, -27151524, -10722951, 946346, 16291093, 254968, 7168080, 21676107, -1943028 },
1143 { 21260961, -8424752, -16831886, -11920822, -23677961, 3968121, -3651949, -6215466, -3556191, -7913075 },
1144 },
1145 {
1146 { 16544754, 13250366, -16804428, 15546242, -4583003, 12757258, -2462308, -8680336, -18907032, -9662799 },
1147 { -2415239, -15577728, 18312303, 4964443, -15272530, -12653564, 26820651, 16690659, 25459437, -4564609 },
1148 { -25144690, 11425020, 28423002, -11020557, -6144921, -15826224, 9142795, -2391602, -6432418, -1644817 },
1149 },
1150 {
1151 { -23104652, 6253476, 16964147, -3768872, -25113972, -12296437, -27457225, -16344658, 6335692, 7249989 },
1152 { -30333227, 13979675, 7503222, -12368314, -11956721, -4621693, -30272269, 2682242, 25993170, -12478523 },
1153 { 4364628, 5930691, 32304656, -10044554, -8054781, 15091131, 22857016, -10598955, 31820368, 15075278 },
1154 },
1155 {
1156 { 31879134, -8918693, 17258761, 90626, -8041836, -4917709, 24162788, -9650886, -17970238, 12833045 },
1157 { 19073683, 14851414, -24403169, -11860168, 7625278, 11091125, -19619190, 2074449, -9413939, 14905377 },
1158 { 24483667, -11935567, -2518866, -11547418, -1553130, 15355506, -25282080, 9253129, 27628530, -7555480 },
1159 },
1160 {
1161 { 17597607, 8340603, 19355617, 552187, 26198470, -3176583, 4593324, -9157582, -14110875, 15297016 },
1162 { 510886, 14337390, -31785257, 16638632, 6328095, 2713355, -20217417, -11864220, 8683221, 2921426 },
1163 { 18606791, 11874196, 27155355, -5281482, -24031742, 6265446, -25178240, -1278924, 4674690, 13890525 },
1164 },
1165 {
1166 { 13609624, 13069022, -27372361, -13055908, 24360586, 9592974, 14977157, 9835105, 4389687, 288396 },
1167 { 9922506, -519394, 13613107, 5883594, -18758345, -434263, -12304062, 8317628, 23388070, 16052080 },
1168 { 12720016, 11937594, -31970060, -5028689, 26900120, 8561328, -20155687, -11632979, -14754271, -10812892 },
1169 },
1170 {
1171 { 15961858, 14150409, 26716931, -665832, -22794328, 13603569, 11829573, 7467844, -28822128, 929275 },
1172 { 11038231, -11582396, -27310482, -7316562, -10498527, -16307831, -23479533, -9371869, -21393143, 2465074 },
1173 { 20017163, -4323226, 27915242, 1529148, 12396362, 15675764, 13817261, -9658066, 2463391, -4622140 },
1174 },
1175 {
1176 { -16358878, -12663911, -12065183, 4996454, -1256422, 1073572, 9583558, 12851107, 4003896, 12673717 },
1177 { -1731589, -15155870, -3262930, 16143082, 19294135, 13385325, 14741514, -9103726, 7903886, 2348101 },
1178 { 24536016, -16515207, 12715592, -3862155, 1511293, 10047386, -3842346, -7129159, -28377538, 10048127 },
1179 },
1180 },
1181 {
1182 {
1183 { -12622226, -6204820, 30718825, 2591312, -10617028, 12192840, 18873298, -7297090, -32297756, 15221632 },
1184 { -26478122, -11103864, 11546244, -1852483, 9180880, 7656409, -21343950, 2095755, 29769758, 6593415 },
1185 { -31994208, -2907461, 4176912, 3264766, 12538965, -868111, 26312345, -6118678, 30958054, 8292160 },
1186 },
1187 {
1188 { 31429822, -13959116, 29173532, 15632448, 12174511, -2760094, 32808831, 3977186, 26143136, -3148876 },
1189 { 22648901, 1402143, -22799984, 13746059, 7936347, 365344, -8668633, -1674433, -3758243, -2304625 },
1190 { -15491917, 8012313, -2514730, -12702462, -23965846, -10254029, -1612713, -1535569, -16664475, 8194478 },
1191 },
1192 {
1193 { 27338066, -7507420, -7414224, 10140405, -19026427, -6589889, 27277191, 8855376, 28572286, 3005164 },
1194 { 26287124, 4821776, 25476601, -4145903, -3764513, -15788984, -18008582, 1182479, -26094821, -13079595 },
1195 { -7171154, 3178080, 23970071, 6201893, -17195577, -4489192, -21876275, -13982627, 32208683, -1198248 },
1196 },
1197 {
1198 { -16657702, 2817643, -10286362, 14811298, 6024667, 13349505, -27315504, -10497842, -27672585, -11539858 },
1199 { 15941029, -9405932, -21367050, 8062055, 31876073, -238629, -15278393, -1444429, 15397331, -4130193 },
1200 { 8934485, -13485467, -23286397, -13423241, -32446090, 14047986, 31170398, -1441021, -27505566, 15087184 },
1201 },
1202 {
1203 { -18357243, -2156491, 24524913, -16677868, 15520427, -6360776, -15502406, 11461896, 16788528, -5868942 },
1204 { -1947386, 16013773, 21750665, 3714552, -17401782, -16055433, -3770287, -10323320, 31322514, -11615635 },
1205 { 21426655, -5650218, -13648287, -5347537, -28812189, -4920970, -18275391, -14621414, 13040862, -12112948 },
1206 },
1207 {
1208 { 11293895, 12478086, -27136401, 15083750, -29307421, 14748872, 14555558, -13417103, 1613711, 4896935 },
1209 { -25894883, 15323294, -8489791, -8057900, 25967126, -13425460, 2825960, -4897045, -23971776, -11267415 },
1210 { -15924766, -5229880, -17443532, 6410664, 3622847, 10243618, 20615400, 12405433, -23753030, -8436416 },
1211 },
1212 {
1213 { -7091295, 12556208, -20191352, 9025187, -17072479, 4333801, 4378436, 2432030, 23097949, -566018 },
1214 { 4565804, -16025654, 20084412, -7842817, 1724999, 189254, 24767264, 10103221, -18512313, 2424778 },
1215 { 366633, -11976806, 8173090, -6890119, 30788634, 5745705, -7168678, 1344109, -3642553, 12412659 },
1216 },
1217 {
1218 { -24001791, 7690286, 14929416, -168257, -32210835, -13412986, 24162697, -15326504, -3141501, 11179385 },
1219 { 18289522, -14724954, 8056945, 16430056, -21729724, 7842514, -6001441, -1486897, -18684645, -11443503 },
1220 { 476239, 6601091, -6152790, -9723375, 17503545, -4863900, 27672959, 13403813, 11052904, 5219329 },
1221 },
1222 },
1223 {
1224 {
1225 { 20678546, -8375738, -32671898, 8849123, -5009758, 14574752, 31186971, -3973730, 9014762, -8579056 },
1226 { -13644050, -10350239, -15962508, 5075808, -1514661, -11534600, -33102500, 9160280, 8473550, -3256838 },
1227 { 24900749, 14435722, 17209120, -15292541, -22592275, 9878983, -7689309, -16335821, -24568481, 11788948 },
1228 },
1229 {
1230 { -3118155, -11395194, -13802089, 14797441, 9652448, -6845904, -20037437, 10410733, -24568470, -1458691 },
1231 { -15659161, 16736706, -22467150, 10215878, -9097177, 7563911, 11871841, -12505194, -18513325, 8464118 },
1232 { -23400612, 8348507, -14585951, -861714, -3950205, -6373419, 14325289, 8628612, 33313881, -8370517 },
1233 },
1234 {
1235 { -20186973, -4967935, 22367356, 5271547, -1097117, -4788838, -24805667, -10236854, -8940735, -5818269 },
1236 { -6948785, -1795212, -32625683, -16021179, 32635414, -7374245, 15989197, -12838188, 28358192, -4253904 },
1237 { -23561781, -2799059, -32351682, -1661963, -9147719, 10429267, -16637684, 4072016, -5351664, 5596589 },
1238 },
1239 {
1240 { -28236598, -3390048, 12312896, 6213178, 3117142, 16078565, 29266239, 2557221, 1768301, 15373193 },
1241 { -7243358, -3246960, -4593467, -7553353, -127927, -912245, -1090902, -4504991, -24660491, 3442910 },
1242 { -30210571, 5124043, 14181784, 8197961, 18964734, -11939093, 22597931, 7176455, -18585478, 13365930 },
1243 },
1244 {
1245 { -7877390, -1499958, 8324673, 4690079, 6261860, 890446, 24538107, -8570186, -9689599, -3031667 },
1246 { 25008904, -10771599, -4305031, -9638010, 16265036, 15721635, 683793, -11823784, 15723479, -15163481 },
1247 { -9660625, 12374379, -27006999, -7026148, -7724114, -12314514, 11879682, 5400171, 519526, -1235876 },
1248 },
1249 {
1250 { 22258397, -16332233, -7869817, 14613016, -22520255, -2950923, -20353881, 7315967, 16648397, 7605640 },
1251 { -8081308, -8464597, -8223311, 9719710, 19259459, -15348212, 23994942, -5281555, -9468848, 4763278 },
1252 { -21699244, 9220969, -15730624, 1084137, -25476107, -2852390, 31088447, -7764523, -11356529, 728112 },
1253 },
1254 {
1255 { 26047220, -11751471, -6900323, -16521798, 24092068, 9158119, -4273545, -12555558, -29365436, -5498272 },
1256 { 17510331, -322857, 5854289, 8403524, 17133918, -3112612, -28111007, 12327945, 10750447, 10014012 },
1257 { -10312768, 3936952, 9156313, -8897683, 16498692, -994647, -27481051, -666732, 3424691, 7540221 },
1258 },
1259 {
1260 { 30322361, -6964110, 11361005, -4143317, 7433304, 4989748, -7071422, -16317219, -9244265, 15258046 },
1261 { 13054562, -2779497, 19155474, 469045, -12482797, 4566042, 5631406, 2711395, 1062915, -5136345 },
1262 { -19240248, -11254599, -29509029, -7499965, -5835763, 13005411, -6066489, 12194497, 32960380, 1459310 },
1263 },
1264 },
1265 {
1266 {
1267 { 19852034, 7027924, 23669353, 10020366, 8586503, -6657907, 394197, -6101885, 18638003, -11174937 },
1268 { 31395534, 15098109, 26581030, 8030562, -16527914, -5007134, 9012486, -7584354, -6643087, -5442636 },
1269 { -9192165, -2347377, -1997099, 4529534, 25766844, 607986, -13222, 9677543, -32294889, -6456008 },
1270 },
1271 {
1272 { -2444496, -149937, 29348902, 8186665, 1873760, 12489863, -30934579, -7839692, -7852844, -8138429 },
1273 { -15236356, -15433509, 7766470, 746860, 26346930, -10221762, -27333451, 10754588, -9431476, 5203576 },
1274 { 31834314, 14135496, -770007, 5159118, 20917671, -16768096, -7467973, -7337524, 31809243, 7347066 },
1275 },
1276 {
1277 { -9606723, -11874240, 20414459, 13033986, 13716524, -11691881, 19797970, -12211255, 15192876, -2087490 },
1278 { -12663563, -2181719, 1168162, -3804809, 26747877, -14138091, 10609330, 12694420, 33473243, -13382104 },
1279 { 33184999, 11180355, 15832085, -11385430, -1633671, 225884, 15089336, -11023903, -6135662, 14480053 },
1280 },
1281 {
1282 { 31308717, -5619998, 31030840, -1897099, 15674547, -6582883, 5496208, 13685227, 27595050, 8737275 },
1283 { -20318852, -15150239, 10933843, -16178022, 8335352, -7546022, -31008351, -12610604, 26498114, 66511 },
1284 { 22644454, -8761729, -16671776, 4884562, -3105614, -13559366, 30540766, -4286747, -13327787, -7515095 },
1285 },
1286 {
1287 { -28017847, 9834845, 18617207, -2681312, -3401956, -13307506, 8205540, 13585437, -17127465, 15115439 },
1288 { 23711543, -672915, 31206561, -8362711, 6164647, -9709987, -33535882, -1426096, 8236921, 16492939 },
1289 { -23910559, -13515526, -26299483, -4503841, 25005590, -7687270, 19574902, 10071562, 6708380, -6222424 },
1290 },
1291 {
1292 { 2101391, -4930054, 19702731, 2367575, -15427167, 1047675, 5301017, 9328700, 29955601, -11678310 },
1293 { 3096359, 9271816, -21620864, -15521844, -14847996, -7592937, -25892142, -12635595, -9917575, 6216608 },
1294 { -32615849, 338663, -25195611, 2510422, -29213566, -13820213, 24822830, -6146567, -26767480, 7525079 },
1295 },
1296 {
1297 { -23066649, -13985623, 16133487, -7896178, -3389565, 778788, -910336, -2782495, -19386633, 11994101 },
1298 { 21691500, -13624626, -641331, -14367021, 3285881, -3483596, -25064666, 9718258, -7477437, 13381418 },
1299 { 18445390, -4202236, 14979846, 11622458, -1727110, -3582980, 23111648, -6375247, 28535282, 15779576 },
1300 },
1301 {
1302 { 30098053, 3089662, -9234387, 16662135, -21306940, 11308411, -14068454, 12021730, 9955285, -16303356 },
1303 { 9734894, -14576830, -7473633, -9138735, 2060392, 11313496, -18426029, 9924399, 20194861, 13380996 },
1304 { -26378102, -7965207, -22167821, 15789297, -18055342, -6168792, -1984914, 15707771, 26342023, 10146099 },
1305 },
1306 },
1307 {
1308 {
1309 { -26016874, -219943, 21339191, -41388, 19745256, -2878700, -29637280, 2227040, 21612326, -545728 },
1310 { -13077387, 1184228, 23562814, -5970442, -20351244, -6348714, 25764461, 12243797, -20856566, 11649658 },
1311 { -10031494, 11262626, 27384172, 2271902, 26947504, -15997771, 39944, 6114064, 33514190, 2333242 },
1312 },
1313 {
1314 { -21433588, -12421821, 8119782, 7219913, -21830522, -9016134, -6679750, -12670638, 24350578, -13450001 },
1315 { -4116307, -11271533, -23886186, 4843615, -30088339, 690623, -31536088, -10406836, 8317860, 12352766 },
1316 { 18200138, -14475911, -33087759, -2696619, -23702521, -9102511, -23552096, -2287550, 20712163, 6719373 },
1317 },
1318 {
1319 { 26656208, 6075253, -7858556, 1886072, -28344043, 4262326, 11117530, -3763210, 26224235, -3297458 },
1320 { -17168938, -14854097, -3395676, -16369877, -19954045, 14050420, 21728352, 9493610, 18620611, -16428628 },
1321 { -13323321, 13325349, 11432106, 5964811, 18609221, 6062965, -5269471, -9725556, -30701573, -16479657 },
1322 },
1323 {
1324 { -23860538, -11233159, 26961357, 1640861, -32413112, -16737940, 12248509, -5240639, 13735342, 1934062 },
1325 { 25089769, 6742589, 17081145, -13406266, 21909293, -16067981, -15136294, -3765346, -21277997, 5473616 },
1326 { 31883677, -7961101, 1083432, -11572403, 22828471, 13290673, -7125085, 12469656, 29111212, -5451014 },
1327 },
1328 {
1329 { 24244947, -15050407, -26262976, 2791540, -14997599, 16666678, 24367466, 6388839, -10295587, 452383 },
1330 { -25640782, -3417841, 5217916, 16224624, 19987036, -4082269, -24236251, -5915248, 15766062, 8407814 },
1331 { -20406999, 13990231, 15495425, 16395525, 5377168, 15166495, -8917023, -4388953, -8067909, 2276718 },
1332 },
1333 {
1334 { 30157918, 12924066, -17712050, 9245753, 19895028, 3368142, -23827587, 5096219, 22740376, -7303417 },
1335 { 2041139, -14256350, 7783687, 13876377, -25946985, -13352459, 24051124, 13742383, -15637599, 13295222 },
1336 { 33338237, -8505733, 12532113, 7977527, 9106186, -1715251, -17720195, -4612972, -4451357, -14669444 },
1337 },
1338 {
1339 { -20045281, 5454097, -14346548, 6447146, 28862071, 1883651, -2469266, -4141880, 7770569, 9620597 },
1340 { 23208068, 7979712, 33071466, 8149229, 1758231, -10834995, 30945528, -1694323, -33502340, -14767970 },
1341 { 1439958, -16270480, -1079989, -793782, 4625402, 10647766, -5043801, 1220118, 30494170, -11440799 },
1342 },
1343 {
1344 { -5037580, -13028295, -2970559, -3061767, 15640974, -6701666, -26739026, 926050, -1684339, -13333647 },
1345 { 13908495, -3549272, 30919928, -6273825, -21521863, 7989039, 9021034, 9078865, 3353509, 4033511 },
1346 { -29663431, -15113610, 32259991, -344482, 24295849, -12912123, 23161163, 8839127, 27485041, 7356032 },
1347 },
1348 },
1349 {
1350 {
1351 { 9661027, 705443, 11980065, -5370154, -1628543, 14661173, -6346142, 2625015, 28431036, -16771834 },
1352 { -23839233, -8311415, -25945511, 7480958, -17681669, -8354183, -22545972, 14150565, 15970762, 4099461 },
1353 { 29262576, 16756590, 26350592, -8793563, 8529671, -11208050, 13617293, -9937143, 11465739, 8317062 },
1354 },
1355 {
1356 { -25493081, -6962928, 32500200, -9419051, -23038724, -2302222, 14898637, 3848455, 20969334, -5157516 },
1357 { -20384450, -14347713, -18336405, 13884722, -33039454, 2842114, -21610826, -3649888, 11177095, 14989547 },
1358 { -24496721, -11716016, 16959896, 2278463, 12066309, 10137771, 13515641, 2581286, -28487508, 9930240 },
1359 },
1360 {
1361 { -17751622, -2097826, 16544300, -13009300, -15914807, -14949081, 18345767, -13403753, 16291481, -5314038 },
1362 { -33229194, 2553288, 32678213, 9875984, 8534129, 6889387, -9676774, 6957617, 4368891, 9788741 },
1363 { 16660756, 7281060, -10830758, 12911820, 20108584, -8101676, -21722536, -8613148, 16250552, -11111103 },
1364 },
1365 {
1366 { -19765507, 2390526, -16551031, 14161980, 1905286, 6414907, 4689584, 10604807, -30190403, 4782747 },
1367 { -1354539, 14736941, -7367442, -13292886, 7710542, -14155590, -9981571, 4383045, 22546403, 437323 },
1368 { 31665577, -12180464, -16186830, 1491339, -18368625, 3294682, 27343084, 2786261, -30633590, -14097016 },
1369 },
1370 {
1371 { -14467279, -683715, -33374107, 7448552, 19294360, 14334329, -19690631, 2355319, -19284671, -6114373 },
1372 { 15121312, -15796162, 6377020, -6031361, -10798111, -12957845, 18952177, 15496498, -29380133, 11754228 },
1373 { -2637277, -13483075, 8488727, -14303896, 12728761, -1622493, 7141596, 11724556, 22761615, -10134141 },
1374 },
1375 {
1376 { 16918416, 11729663, -18083579, 3022987, -31015732, -13339659, -28741185, -12227393, 32851222, 11717399 },
1377 { 11166634, 7338049, -6722523, 4531520, -29468672, -7302055, 31474879, 3483633, -1193175, -4030831 },
1378 { -185635, 9921305, 31456609, -13536438, -12013818, 13348923, 33142652, 6546660, -19985279, -3948376 },
1379 },
1380 {
1381 { -32460596, 11266712, -11197107, -7899103, 31703694, 3855903, -8537131, -12833048, -30772034, -15486313 },
1382 { -18006477, 12709068, 3991746, -6479188, -21491523, -10550425, -31135347, -16049879, 10928917, 3011958 },
1383 { -6957757, -15594337, 31696059, 334240, 29576716, 14796075, -30831056, -12805180, 18008031, 10258577 },
1384 },
1385 {
1386 { -22448644, 15655569, 7018479, -4410003, -30314266, -1201591, -1853465, 1367120, 25127874, 6671743 },
1387 { 29701166, -14373934, -10878120, 9279288, -17568, 13127210, 21382910, 11042292, 25838796, 4642684 },
1388 { -20430234, 14955537, -24126347, 8124619, -5369288, -5990470, 30468147, -13900640, 18423289, 4177476 },
1389 },
1390 },
1391};
diff --git a/3rd_party/ed25519/sc.c b/3rd_party/ed25519/sc.c
new file mode 100644
index 0000000..ca5bad2
--- /dev/null
+++ b/3rd_party/ed25519/sc.c
@@ -0,0 +1,809 @@
1#include "fixedint.h"
2#include "sc.h"
3
4static uint64_t load_3(const unsigned char *in) {
5 uint64_t result;
6
7 result = (uint64_t) in[0];
8 result |= ((uint64_t) in[1]) << 8;
9 result |= ((uint64_t) in[2]) << 16;
10
11 return result;
12}
13
14static uint64_t load_4(const unsigned char *in) {
15 uint64_t result;
16
17 result = (uint64_t) in[0];
18 result |= ((uint64_t) in[1]) << 8;
19 result |= ((uint64_t) in[2]) << 16;
20 result |= ((uint64_t) in[3]) << 24;
21
22 return result;
23}
24
25/*
26Input:
27 s[0]+256*s[1]+...+256^63*s[63] = s
28
29Output:
30 s[0]+256*s[1]+...+256^31*s[31] = s mod l
31 where l = 2^252 + 27742317777372353535851937790883648493.
32 Overwrites s in place.
33*/
34
35void sc_reduce(unsigned char *s) {
36 int64_t s0 = 2097151 & load_3(s);
37 int64_t s1 = 2097151 & (load_4(s + 2) >> 5);
38 int64_t s2 = 2097151 & (load_3(s + 5) >> 2);
39 int64_t s3 = 2097151 & (load_4(s + 7) >> 7);
40 int64_t s4 = 2097151 & (load_4(s + 10) >> 4);
41 int64_t s5 = 2097151 & (load_3(s + 13) >> 1);
42 int64_t s6 = 2097151 & (load_4(s + 15) >> 6);
43 int64_t s7 = 2097151 & (load_3(s + 18) >> 3);
44 int64_t s8 = 2097151 & load_3(s + 21);
45 int64_t s9 = 2097151 & (load_4(s + 23) >> 5);
46 int64_t s10 = 2097151 & (load_3(s + 26) >> 2);
47 int64_t s11 = 2097151 & (load_4(s + 28) >> 7);
48 int64_t s12 = 2097151 & (load_4(s + 31) >> 4);
49 int64_t s13 = 2097151 & (load_3(s + 34) >> 1);
50 int64_t s14 = 2097151 & (load_4(s + 36) >> 6);
51 int64_t s15 = 2097151 & (load_3(s + 39) >> 3);
52 int64_t s16 = 2097151 & load_3(s + 42);
53 int64_t s17 = 2097151 & (load_4(s + 44) >> 5);
54 int64_t s18 = 2097151 & (load_3(s + 47) >> 2);
55 int64_t s19 = 2097151 & (load_4(s + 49) >> 7);
56 int64_t s20 = 2097151 & (load_4(s + 52) >> 4);
57 int64_t s21 = 2097151 & (load_3(s + 55) >> 1);
58 int64_t s22 = 2097151 & (load_4(s + 57) >> 6);
59 int64_t s23 = (load_4(s + 60) >> 3);
60 int64_t carry0;
61 int64_t carry1;
62 int64_t carry2;
63 int64_t carry3;
64 int64_t carry4;
65 int64_t carry5;
66 int64_t carry6;
67 int64_t carry7;
68 int64_t carry8;
69 int64_t carry9;
70 int64_t carry10;
71 int64_t carry11;
72 int64_t carry12;
73 int64_t carry13;
74 int64_t carry14;
75 int64_t carry15;
76 int64_t carry16;
77
78 s11 += s23 * 666643;
79 s12 += s23 * 470296;
80 s13 += s23 * 654183;
81 s14 -= s23 * 997805;
82 s15 += s23 * 136657;
83 s16 -= s23 * 683901;
84 s23 = 0;
85 s10 += s22 * 666643;
86 s11 += s22 * 470296;
87 s12 += s22 * 654183;
88 s13 -= s22 * 997805;
89 s14 += s22 * 136657;
90 s15 -= s22 * 683901;
91 s22 = 0;
92 s9 += s21 * 666643;
93 s10 += s21 * 470296;
94 s11 += s21 * 654183;
95 s12 -= s21 * 997805;
96 s13 += s21 * 136657;
97 s14 -= s21 * 683901;
98 s21 = 0;
99 s8 += s20 * 666643;
100 s9 += s20 * 470296;
101 s10 += s20 * 654183;
102 s11 -= s20 * 997805;
103 s12 += s20 * 136657;
104 s13 -= s20 * 683901;
105 s20 = 0;
106 s7 += s19 * 666643;
107 s8 += s19 * 470296;
108 s9 += s19 * 654183;
109 s10 -= s19 * 997805;
110 s11 += s19 * 136657;
111 s12 -= s19 * 683901;
112 s19 = 0;
113 s6 += s18 * 666643;
114 s7 += s18 * 470296;
115 s8 += s18 * 654183;
116 s9 -= s18 * 997805;
117 s10 += s18 * 136657;
118 s11 -= s18 * 683901;
119 s18 = 0;
120 carry6 = (s6 + (1 << 20)) >> 21;
121 s7 += carry6;
122 s6 -= carry6 << 21;
123 carry8 = (s8 + (1 << 20)) >> 21;
124 s9 += carry8;
125 s8 -= carry8 << 21;
126 carry10 = (s10 + (1 << 20)) >> 21;
127 s11 += carry10;
128 s10 -= carry10 << 21;
129 carry12 = (s12 + (1 << 20)) >> 21;
130 s13 += carry12;
131 s12 -= carry12 << 21;
132 carry14 = (s14 + (1 << 20)) >> 21;
133 s15 += carry14;
134 s14 -= carry14 << 21;
135 carry16 = (s16 + (1 << 20)) >> 21;
136 s17 += carry16;
137 s16 -= carry16 << 21;
138 carry7 = (s7 + (1 << 20)) >> 21;
139 s8 += carry7;
140 s7 -= carry7 << 21;
141 carry9 = (s9 + (1 << 20)) >> 21;
142 s10 += carry9;
143 s9 -= carry9 << 21;
144 carry11 = (s11 + (1 << 20)) >> 21;
145 s12 += carry11;
146 s11 -= carry11 << 21;
147 carry13 = (s13 + (1 << 20)) >> 21;
148 s14 += carry13;
149 s13 -= carry13 << 21;
150 carry15 = (s15 + (1 << 20)) >> 21;
151 s16 += carry15;
152 s15 -= carry15 << 21;
153 s5 += s17 * 666643;
154 s6 += s17 * 470296;
155 s7 += s17 * 654183;
156 s8 -= s17 * 997805;
157 s9 += s17 * 136657;
158 s10 -= s17 * 683901;
159 s17 = 0;
160 s4 += s16 * 666643;
161 s5 += s16 * 470296;
162 s6 += s16 * 654183;
163 s7 -= s16 * 997805;
164 s8 += s16 * 136657;
165 s9 -= s16 * 683901;
166 s16 = 0;
167 s3 += s15 * 666643;
168 s4 += s15 * 470296;
169 s5 += s15 * 654183;
170 s6 -= s15 * 997805;
171 s7 += s15 * 136657;
172 s8 -= s15 * 683901;
173 s15 = 0;
174 s2 += s14 * 666643;
175 s3 += s14 * 470296;
176 s4 += s14 * 654183;
177 s5 -= s14 * 997805;
178 s6 += s14 * 136657;
179 s7 -= s14 * 683901;
180 s14 = 0;
181 s1 += s13 * 666643;
182 s2 += s13 * 470296;
183 s3 += s13 * 654183;
184 s4 -= s13 * 997805;
185 s5 += s13 * 136657;
186 s6 -= s13 * 683901;
187 s13 = 0;
188 s0 += s12 * 666643;
189 s1 += s12 * 470296;
190 s2 += s12 * 654183;
191 s3 -= s12 * 997805;
192 s4 += s12 * 136657;
193 s5 -= s12 * 683901;
194 s12 = 0;
195 carry0 = (s0 + (1 << 20)) >> 21;
196 s1 += carry0;
197 s0 -= carry0 << 21;
198 carry2 = (s2 + (1 << 20)) >> 21;
199 s3 += carry2;
200 s2 -= carry2 << 21;
201 carry4 = (s4 + (1 << 20)) >> 21;
202 s5 += carry4;
203 s4 -= carry4 << 21;
204 carry6 = (s6 + (1 << 20)) >> 21;
205 s7 += carry6;
206 s6 -= carry6 << 21;
207 carry8 = (s8 + (1 << 20)) >> 21;
208 s9 += carry8;
209 s8 -= carry8 << 21;
210 carry10 = (s10 + (1 << 20)) >> 21;
211 s11 += carry10;
212 s10 -= carry10 << 21;
213 carry1 = (s1 + (1 << 20)) >> 21;
214 s2 += carry1;
215 s1 -= carry1 << 21;
216 carry3 = (s3 + (1 << 20)) >> 21;
217 s4 += carry3;
218 s3 -= carry3 << 21;
219 carry5 = (s5 + (1 << 20)) >> 21;
220 s6 += carry5;
221 s5 -= carry5 << 21;
222 carry7 = (s7 + (1 << 20)) >> 21;
223 s8 += carry7;
224 s7 -= carry7 << 21;
225 carry9 = (s9 + (1 << 20)) >> 21;
226 s10 += carry9;
227 s9 -= carry9 << 21;
228 carry11 = (s11 + (1 << 20)) >> 21;
229 s12 += carry11;
230 s11 -= carry11 << 21;
231 s0 += s12 * 666643;
232 s1 += s12 * 470296;
233 s2 += s12 * 654183;
234 s3 -= s12 * 997805;
235 s4 += s12 * 136657;
236 s5 -= s12 * 683901;
237 s12 = 0;
238 carry0 = s0 >> 21;
239 s1 += carry0;
240 s0 -= carry0 << 21;
241 carry1 = s1 >> 21;
242 s2 += carry1;
243 s1 -= carry1 << 21;
244 carry2 = s2 >> 21;
245 s3 += carry2;
246 s2 -= carry2 << 21;
247 carry3 = s3 >> 21;
248 s4 += carry3;
249 s3 -= carry3 << 21;
250 carry4 = s4 >> 21;
251 s5 += carry4;
252 s4 -= carry4 << 21;
253 carry5 = s5 >> 21;
254 s6 += carry5;
255 s5 -= carry5 << 21;
256 carry6 = s6 >> 21;
257 s7 += carry6;
258 s6 -= carry6 << 21;
259 carry7 = s7 >> 21;
260 s8 += carry7;
261 s7 -= carry7 << 21;
262 carry8 = s8 >> 21;
263 s9 += carry8;
264 s8 -= carry8 << 21;
265 carry9 = s9 >> 21;
266 s10 += carry9;
267 s9 -= carry9 << 21;
268 carry10 = s10 >> 21;
269 s11 += carry10;
270 s10 -= carry10 << 21;
271 carry11 = s11 >> 21;
272 s12 += carry11;
273 s11 -= carry11 << 21;
274 s0 += s12 * 666643;
275 s1 += s12 * 470296;
276 s2 += s12 * 654183;
277 s3 -= s12 * 997805;
278 s4 += s12 * 136657;
279 s5 -= s12 * 683901;
280 s12 = 0;
281 carry0 = s0 >> 21;
282 s1 += carry0;
283 s0 -= carry0 << 21;
284 carry1 = s1 >> 21;
285 s2 += carry1;
286 s1 -= carry1 << 21;
287 carry2 = s2 >> 21;
288 s3 += carry2;
289 s2 -= carry2 << 21;
290 carry3 = s3 >> 21;
291 s4 += carry3;
292 s3 -= carry3 << 21;
293 carry4 = s4 >> 21;
294 s5 += carry4;
295 s4 -= carry4 << 21;
296 carry5 = s5 >> 21;
297 s6 += carry5;
298 s5 -= carry5 << 21;
299 carry6 = s6 >> 21;
300 s7 += carry6;
301 s6 -= carry6 << 21;
302 carry7 = s7 >> 21;
303 s8 += carry7;
304 s7 -= carry7 << 21;
305 carry8 = s8 >> 21;
306 s9 += carry8;
307 s8 -= carry8 << 21;
308 carry9 = s9 >> 21;
309 s10 += carry9;
310 s9 -= carry9 << 21;
311 carry10 = s10 >> 21;
312 s11 += carry10;
313 s10 -= carry10 << 21;
314
315 s[0] = (unsigned char) (s0 >> 0);
316 s[1] = (unsigned char) (s0 >> 8);
317 s[2] = (unsigned char) ((s0 >> 16) | (s1 << 5));
318 s[3] = (unsigned char) (s1 >> 3);
319 s[4] = (unsigned char) (s1 >> 11);
320 s[5] = (unsigned char) ((s1 >> 19) | (s2 << 2));
321 s[6] = (unsigned char) (s2 >> 6);
322 s[7] = (unsigned char) ((s2 >> 14) | (s3 << 7));
323 s[8] = (unsigned char) (s3 >> 1);
324 s[9] = (unsigned char) (s3 >> 9);
325 s[10] = (unsigned char) ((s3 >> 17) | (s4 << 4));
326 s[11] = (unsigned char) (s4 >> 4);
327 s[12] = (unsigned char) (s4 >> 12);
328 s[13] = (unsigned char) ((s4 >> 20) | (s5 << 1));
329 s[14] = (unsigned char) (s5 >> 7);
330 s[15] = (unsigned char) ((s5 >> 15) | (s6 << 6));
331 s[16] = (unsigned char) (s6 >> 2);
332 s[17] = (unsigned char) (s6 >> 10);
333 s[18] = (unsigned char) ((s6 >> 18) | (s7 << 3));
334 s[19] = (unsigned char) (s7 >> 5);
335 s[20] = (unsigned char) (s7 >> 13);
336 s[21] = (unsigned char) (s8 >> 0);
337 s[22] = (unsigned char) (s8 >> 8);
338 s[23] = (unsigned char) ((s8 >> 16) | (s9 << 5));
339 s[24] = (unsigned char) (s9 >> 3);
340 s[25] = (unsigned char) (s9 >> 11);
341 s[26] = (unsigned char) ((s9 >> 19) | (s10 << 2));
342 s[27] = (unsigned char) (s10 >> 6);
343 s[28] = (unsigned char) ((s10 >> 14) | (s11 << 7));
344 s[29] = (unsigned char) (s11 >> 1);
345 s[30] = (unsigned char) (s11 >> 9);
346 s[31] = (unsigned char) (s11 >> 17);
347}
348
349
350
351/*
352Input:
353 a[0]+256*a[1]+...+256^31*a[31] = a
354 b[0]+256*b[1]+...+256^31*b[31] = b
355 c[0]+256*c[1]+...+256^31*c[31] = c
356
357Output:
358 s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l
359 where l = 2^252 + 27742317777372353535851937790883648493.
360*/
361
362void sc_muladd(unsigned char *s, const unsigned char *a, const unsigned char *b, const unsigned char *c) {
363 int64_t a0 = 2097151 & load_3(a);
364 int64_t a1 = 2097151 & (load_4(a + 2) >> 5);
365 int64_t a2 = 2097151 & (load_3(a + 5) >> 2);
366 int64_t a3 = 2097151 & (load_4(a + 7) >> 7);
367 int64_t a4 = 2097151 & (load_4(a + 10) >> 4);
368 int64_t a5 = 2097151 & (load_3(a + 13) >> 1);
369 int64_t a6 = 2097151 & (load_4(a + 15) >> 6);
370 int64_t a7 = 2097151 & (load_3(a + 18) >> 3);
371 int64_t a8 = 2097151 & load_3(a + 21);
372 int64_t a9 = 2097151 & (load_4(a + 23) >> 5);
373 int64_t a10 = 2097151 & (load_3(a + 26) >> 2);
374 int64_t a11 = (load_4(a + 28) >> 7);
375 int64_t b0 = 2097151 & load_3(b);
376 int64_t b1 = 2097151 & (load_4(b + 2) >> 5);
377 int64_t b2 = 2097151 & (load_3(b + 5) >> 2);
378 int64_t b3 = 2097151 & (load_4(b + 7) >> 7);
379 int64_t b4 = 2097151 & (load_4(b + 10) >> 4);
380 int64_t b5 = 2097151 & (load_3(b + 13) >> 1);
381 int64_t b6 = 2097151 & (load_4(b + 15) >> 6);
382 int64_t b7 = 2097151 & (load_3(b + 18) >> 3);
383 int64_t b8 = 2097151 & load_3(b + 21);
384 int64_t b9 = 2097151 & (load_4(b + 23) >> 5);
385 int64_t b10 = 2097151 & (load_3(b + 26) >> 2);
386 int64_t b11 = (load_4(b + 28) >> 7);
387 int64_t c0 = 2097151 & load_3(c);
388 int64_t c1 = 2097151 & (load_4(c + 2) >> 5);
389 int64_t c2 = 2097151 & (load_3(c + 5) >> 2);
390 int64_t c3 = 2097151 & (load_4(c + 7) >> 7);
391 int64_t c4 = 2097151 & (load_4(c + 10) >> 4);
392 int64_t c5 = 2097151 & (load_3(c + 13) >> 1);
393 int64_t c6 = 2097151 & (load_4(c + 15) >> 6);
394 int64_t c7 = 2097151 & (load_3(c + 18) >> 3);
395 int64_t c8 = 2097151 & load_3(c + 21);
396 int64_t c9 = 2097151 & (load_4(c + 23) >> 5);
397 int64_t c10 = 2097151 & (load_3(c + 26) >> 2);
398 int64_t c11 = (load_4(c + 28) >> 7);
399 int64_t s0;
400 int64_t s1;
401 int64_t s2;
402 int64_t s3;
403 int64_t s4;
404 int64_t s5;
405 int64_t s6;
406 int64_t s7;
407 int64_t s8;
408 int64_t s9;
409 int64_t s10;
410 int64_t s11;
411 int64_t s12;
412 int64_t s13;
413 int64_t s14;
414 int64_t s15;
415 int64_t s16;
416 int64_t s17;
417 int64_t s18;
418 int64_t s19;
419 int64_t s20;
420 int64_t s21;
421 int64_t s22;
422 int64_t s23;
423 int64_t carry0;
424 int64_t carry1;
425 int64_t carry2;
426 int64_t carry3;
427 int64_t carry4;
428 int64_t carry5;
429 int64_t carry6;
430 int64_t carry7;
431 int64_t carry8;
432 int64_t carry9;
433 int64_t carry10;
434 int64_t carry11;
435 int64_t carry12;
436 int64_t carry13;
437 int64_t carry14;
438 int64_t carry15;
439 int64_t carry16;
440 int64_t carry17;
441 int64_t carry18;
442 int64_t carry19;
443 int64_t carry20;
444 int64_t carry21;
445 int64_t carry22;
446
447 s0 = c0 + a0 * b0;
448 s1 = c1 + a0 * b1 + a1 * b0;
449 s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0;
450 s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0;
451 s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0;
452 s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0;
453 s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0;
454 s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 + a6 * b1 + a7 * b0;
455 s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 + a6 * b2 + a7 * b1 + a8 * b0;
456 s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 + a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0;
457 s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 + a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0;
458 s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 + a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0;
459 s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1;
460 s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2;
461 s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 + a10 * b4 + a11 * b3;
462 s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 + a11 * b4;
463 s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5;
464 s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6;
465 s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7;
466 s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8;
467 s20 = a9 * b11 + a10 * b10 + a11 * b9;
468 s21 = a10 * b11 + a11 * b10;
469 s22 = a11 * b11;
470 s23 = 0;
471 carry0 = (s0 + (1 << 20)) >> 21;
472 s1 += carry0;
473 s0 -= carry0 << 21;
474 carry2 = (s2 + (1 << 20)) >> 21;
475 s3 += carry2;
476 s2 -= carry2 << 21;
477 carry4 = (s4 + (1 << 20)) >> 21;
478 s5 += carry4;
479 s4 -= carry4 << 21;
480 carry6 = (s6 + (1 << 20)) >> 21;
481 s7 += carry6;
482 s6 -= carry6 << 21;
483 carry8 = (s8 + (1 << 20)) >> 21;
484 s9 += carry8;
485 s8 -= carry8 << 21;
486 carry10 = (s10 + (1 << 20)) >> 21;
487 s11 += carry10;
488 s10 -= carry10 << 21;
489 carry12 = (s12 + (1 << 20)) >> 21;
490 s13 += carry12;
491 s12 -= carry12 << 21;
492 carry14 = (s14 + (1 << 20)) >> 21;
493 s15 += carry14;
494 s14 -= carry14 << 21;
495 carry16 = (s16 + (1 << 20)) >> 21;
496 s17 += carry16;
497 s16 -= carry16 << 21;
498 carry18 = (s18 + (1 << 20)) >> 21;
499 s19 += carry18;
500 s18 -= carry18 << 21;
501 carry20 = (s20 + (1 << 20)) >> 21;
502 s21 += carry20;
503 s20 -= carry20 << 21;
504 carry22 = (s22 + (1 << 20)) >> 21;
505 s23 += carry22;
506 s22 -= carry22 << 21;
507 carry1 = (s1 + (1 << 20)) >> 21;
508 s2 += carry1;
509 s1 -= carry1 << 21;
510 carry3 = (s3 + (1 << 20)) >> 21;
511 s4 += carry3;
512 s3 -= carry3 << 21;
513 carry5 = (s5 + (1 << 20)) >> 21;
514 s6 += carry5;
515 s5 -= carry5 << 21;
516 carry7 = (s7 + (1 << 20)) >> 21;
517 s8 += carry7;
518 s7 -= carry7 << 21;
519 carry9 = (s9 + (1 << 20)) >> 21;
520 s10 += carry9;
521 s9 -= carry9 << 21;
522 carry11 = (s11 + (1 << 20)) >> 21;
523 s12 += carry11;
524 s11 -= carry11 << 21;
525 carry13 = (s13 + (1 << 20)) >> 21;
526 s14 += carry13;
527 s13 -= carry13 << 21;
528 carry15 = (s15 + (1 << 20)) >> 21;
529 s16 += carry15;
530 s15 -= carry15 << 21;
531 carry17 = (s17 + (1 << 20)) >> 21;
532 s18 += carry17;
533 s17 -= carry17 << 21;
534 carry19 = (s19 + (1 << 20)) >> 21;
535 s20 += carry19;
536 s19 -= carry19 << 21;
537 carry21 = (s21 + (1 << 20)) >> 21;
538 s22 += carry21;
539 s21 -= carry21 << 21;
540 s11 += s23 * 666643;
541 s12 += s23 * 470296;
542 s13 += s23 * 654183;
543 s14 -= s23 * 997805;
544 s15 += s23 * 136657;
545 s16 -= s23 * 683901;
546 s23 = 0;
547 s10 += s22 * 666643;
548 s11 += s22 * 470296;
549 s12 += s22 * 654183;
550 s13 -= s22 * 997805;
551 s14 += s22 * 136657;
552 s15 -= s22 * 683901;
553 s22 = 0;
554 s9 += s21 * 666643;
555 s10 += s21 * 470296;
556 s11 += s21 * 654183;
557 s12 -= s21 * 997805;
558 s13 += s21 * 136657;
559 s14 -= s21 * 683901;
560 s21 = 0;
561 s8 += s20 * 666643;
562 s9 += s20 * 470296;
563 s10 += s20 * 654183;
564 s11 -= s20 * 997805;
565 s12 += s20 * 136657;
566 s13 -= s20 * 683901;
567 s20 = 0;
568 s7 += s19 * 666643;
569 s8 += s19 * 470296;
570 s9 += s19 * 654183;
571 s10 -= s19 * 997805;
572 s11 += s19 * 136657;
573 s12 -= s19 * 683901;
574 s19 = 0;
575 s6 += s18 * 666643;
576 s7 += s18 * 470296;
577 s8 += s18 * 654183;
578 s9 -= s18 * 997805;
579 s10 += s18 * 136657;
580 s11 -= s18 * 683901;
581 s18 = 0;
582 carry6 = (s6 + (1 << 20)) >> 21;
583 s7 += carry6;
584 s6 -= carry6 << 21;
585 carry8 = (s8 + (1 << 20)) >> 21;
586 s9 += carry8;
587 s8 -= carry8 << 21;
588 carry10 = (s10 + (1 << 20)) >> 21;
589 s11 += carry10;
590 s10 -= carry10 << 21;
591 carry12 = (s12 + (1 << 20)) >> 21;
592 s13 += carry12;
593 s12 -= carry12 << 21;
594 carry14 = (s14 + (1 << 20)) >> 21;
595 s15 += carry14;
596 s14 -= carry14 << 21;
597 carry16 = (s16 + (1 << 20)) >> 21;
598 s17 += carry16;
599 s16 -= carry16 << 21;
600 carry7 = (s7 + (1 << 20)) >> 21;
601 s8 += carry7;
602 s7 -= carry7 << 21;
603 carry9 = (s9 + (1 << 20)) >> 21;
604 s10 += carry9;
605 s9 -= carry9 << 21;
606 carry11 = (s11 + (1 << 20)) >> 21;
607 s12 += carry11;
608 s11 -= carry11 << 21;
609 carry13 = (s13 + (1 << 20)) >> 21;
610 s14 += carry13;
611 s13 -= carry13 << 21;
612 carry15 = (s15 + (1 << 20)) >> 21;
613 s16 += carry15;
614 s15 -= carry15 << 21;
615 s5 += s17 * 666643;
616 s6 += s17 * 470296;
617 s7 += s17 * 654183;
618 s8 -= s17 * 997805;
619 s9 += s17 * 136657;
620 s10 -= s17 * 683901;
621 s17 = 0;
622 s4 += s16 * 666643;
623 s5 += s16 * 470296;
624 s6 += s16 * 654183;
625 s7 -= s16 * 997805;
626 s8 += s16 * 136657;
627 s9 -= s16 * 683901;
628 s16 = 0;
629 s3 += s15 * 666643;
630 s4 += s15 * 470296;
631 s5 += s15 * 654183;
632 s6 -= s15 * 997805;
633 s7 += s15 * 136657;
634 s8 -= s15 * 683901;
635 s15 = 0;
636 s2 += s14 * 666643;
637 s3 += s14 * 470296;
638 s4 += s14 * 654183;
639 s5 -= s14 * 997805;
640 s6 += s14 * 136657;
641 s7 -= s14 * 683901;
642 s14 = 0;
643 s1 += s13 * 666643;
644 s2 += s13 * 470296;
645 s3 += s13 * 654183;
646 s4 -= s13 * 997805;
647 s5 += s13 * 136657;
648 s6 -= s13 * 683901;
649 s13 = 0;
650 s0 += s12 * 666643;
651 s1 += s12 * 470296;
652 s2 += s12 * 654183;
653 s3 -= s12 * 997805;
654 s4 += s12 * 136657;
655 s5 -= s12 * 683901;
656 s12 = 0;
657 carry0 = (s0 + (1 << 20)) >> 21;
658 s1 += carry0;
659 s0 -= carry0 << 21;
660 carry2 = (s2 + (1 << 20)) >> 21;
661 s3 += carry2;
662 s2 -= carry2 << 21;
663 carry4 = (s4 + (1 << 20)) >> 21;
664 s5 += carry4;
665 s4 -= carry4 << 21;
666 carry6 = (s6 + (1 << 20)) >> 21;
667 s7 += carry6;
668 s6 -= carry6 << 21;
669 carry8 = (s8 + (1 << 20)) >> 21;
670 s9 += carry8;
671 s8 -= carry8 << 21;
672 carry10 = (s10 + (1 << 20)) >> 21;
673 s11 += carry10;
674 s10 -= carry10 << 21;
675 carry1 = (s1 + (1 << 20)) >> 21;
676 s2 += carry1;
677 s1 -= carry1 << 21;
678 carry3 = (s3 + (1 << 20)) >> 21;
679 s4 += carry3;
680 s3 -= carry3 << 21;
681 carry5 = (s5 + (1 << 20)) >> 21;
682 s6 += carry5;
683 s5 -= carry5 << 21;
684 carry7 = (s7 + (1 << 20)) >> 21;
685 s8 += carry7;
686 s7 -= carry7 << 21;
687 carry9 = (s9 + (1 << 20)) >> 21;
688 s10 += carry9;
689 s9 -= carry9 << 21;
690 carry11 = (s11 + (1 << 20)) >> 21;
691 s12 += carry11;
692 s11 -= carry11 << 21;
693 s0 += s12 * 666643;
694 s1 += s12 * 470296;
695 s2 += s12 * 654183;
696 s3 -= s12 * 997805;
697 s4 += s12 * 136657;
698 s5 -= s12 * 683901;
699 s12 = 0;
700 carry0 = s0 >> 21;
701 s1 += carry0;
702 s0 -= carry0 << 21;
703 carry1 = s1 >> 21;
704 s2 += carry1;
705 s1 -= carry1 << 21;
706 carry2 = s2 >> 21;
707 s3 += carry2;
708 s2 -= carry2 << 21;
709 carry3 = s3 >> 21;
710 s4 += carry3;
711 s3 -= carry3 << 21;
712 carry4 = s4 >> 21;
713 s5 += carry4;
714 s4 -= carry4 << 21;
715 carry5 = s5 >> 21;
716 s6 += carry5;
717 s5 -= carry5 << 21;
718 carry6 = s6 >> 21;
719 s7 += carry6;
720 s6 -= carry6 << 21;
721 carry7 = s7 >> 21;
722 s8 += carry7;
723 s7 -= carry7 << 21;
724 carry8 = s8 >> 21;
725 s9 += carry8;
726 s8 -= carry8 << 21;
727 carry9 = s9 >> 21;
728 s10 += carry9;
729 s9 -= carry9 << 21;
730 carry10 = s10 >> 21;
731 s11 += carry10;
732 s10 -= carry10 << 21;
733 carry11 = s11 >> 21;
734 s12 += carry11;
735 s11 -= carry11 << 21;
736 s0 += s12 * 666643;
737 s1 += s12 * 470296;
738 s2 += s12 * 654183;
739 s3 -= s12 * 997805;
740 s4 += s12 * 136657;
741 s5 -= s12 * 683901;
742 s12 = 0;
743 carry0 = s0 >> 21;
744 s1 += carry0;
745 s0 -= carry0 << 21;
746 carry1 = s1 >> 21;
747 s2 += carry1;
748 s1 -= carry1 << 21;
749 carry2 = s2 >> 21;
750 s3 += carry2;
751 s2 -= carry2 << 21;
752 carry3 = s3 >> 21;
753 s4 += carry3;
754 s3 -= carry3 << 21;
755 carry4 = s4 >> 21;
756 s5 += carry4;
757 s4 -= carry4 << 21;
758 carry5 = s5 >> 21;
759 s6 += carry5;
760 s5 -= carry5 << 21;
761 carry6 = s6 >> 21;
762 s7 += carry6;
763 s6 -= carry6 << 21;
764 carry7 = s7 >> 21;
765 s8 += carry7;
766 s7 -= carry7 << 21;
767 carry8 = s8 >> 21;
768 s9 += carry8;
769 s8 -= carry8 << 21;
770 carry9 = s9 >> 21;
771 s10 += carry9;
772 s9 -= carry9 << 21;
773 carry10 = s10 >> 21;
774 s11 += carry10;
775 s10 -= carry10 << 21;
776
777 s[0] = (unsigned char) (s0 >> 0);
778 s[1] = (unsigned char) (s0 >> 8);
779 s[2] = (unsigned char) ((s0 >> 16) | (s1 << 5));
780 s[3] = (unsigned char) (s1 >> 3);
781 s[4] = (unsigned char) (s1 >> 11);
782 s[5] = (unsigned char) ((s1 >> 19) | (s2 << 2));
783 s[6] = (unsigned char) (s2 >> 6);
784 s[7] = (unsigned char) ((s2 >> 14) | (s3 << 7));
785 s[8] = (unsigned char) (s3 >> 1);
786 s[9] = (unsigned char) (s3 >> 9);
787 s[10] = (unsigned char) ((s3 >> 17) | (s4 << 4));
788 s[11] = (unsigned char) (s4 >> 4);
789 s[12] = (unsigned char) (s4 >> 12);
790 s[13] = (unsigned char) ((s4 >> 20) | (s5 << 1));
791 s[14] = (unsigned char) (s5 >> 7);
792 s[15] = (unsigned char) ((s5 >> 15) | (s6 << 6));
793 s[16] = (unsigned char) (s6 >> 2);
794 s[17] = (unsigned char) (s6 >> 10);
795 s[18] = (unsigned char) ((s6 >> 18) | (s7 << 3));
796 s[19] = (unsigned char) (s7 >> 5);
797 s[20] = (unsigned char) (s7 >> 13);
798 s[21] = (unsigned char) (s8 >> 0);
799 s[22] = (unsigned char) (s8 >> 8);
800 s[23] = (unsigned char) ((s8 >> 16) | (s9 << 5));
801 s[24] = (unsigned char) (s9 >> 3);
802 s[25] = (unsigned char) (s9 >> 11);
803 s[26] = (unsigned char) ((s9 >> 19) | (s10 << 2));
804 s[27] = (unsigned char) (s10 >> 6);
805 s[28] = (unsigned char) ((s10 >> 14) | (s11 << 7));
806 s[29] = (unsigned char) (s11 >> 1);
807 s[30] = (unsigned char) (s11 >> 9);
808 s[31] = (unsigned char) (s11 >> 17);
809}
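Review bot: The carry steps beginning at line 120, `carry6 = (s6 + (1 << 20)) >> 21;`, and the unbiased ones from line 238 on, `carry0 = s0 >> 21;`, right-shift `int64_t` limbs that are routinely negative, which C11 (6.5.7) leaves implementation-defined; the ref10 arithmetic is only correct when that is an arithmetic shift, which every mainstream compiler provides but nothing in the file states. I'd add above `sc_reduce` the comment `/* Limb arithmetic relies on >> of a negative int64_t being an arithmetic shift (implementation-defined in C11; true on GCC, Clang and MSVC). */` so a port to an unusual toolchain knows what to check. The same applies to `sc_muladd` from line 471 on. `load_3`/`load_4` are presumably duplicated in fe.c, which is not in this chunk; if so, a single `static inline` definition in a shared header would keep the two copies from drifting.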
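--- /dev/null
+++ b/3rd_party/ed25519/sc.h
@@ -0,0 +1,12 @@
+#ifndef SC_H
+#define SC_H
+
+/*
+The set of scalars is \Z/l
+where l = 2^252 + 27742317777372353535851937790883648493.
+*/
+
+void sc_reduce(unsigned char *s);
+void sc_muladd(unsigned char *s, const unsigned char *a, const unsigned char *b, const unsigned char *c);
+
+#endif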
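Review bot: The two prototypes carry no size contract, which matters because both functions index fixed offsets into their arguments: `sc_reduce` reads 64 bytes of `s` (up to `s + 63`) and writes back only `s[0..31]`, leaving `s[32..63]` holding the original input, and `sc_muladd` reads 32 bytes from each of `a`, `b`, `c` and writes 32 bytes to `s`. I'd document that on each declaration, e.g. `/* s: 64-byte input; s[0..31] receives s mod l, s[32..63] is left unchanged */` and `/* s, a, b, c: 32 bytes each; s = (a*b + c) mod l */`, since nothing else in this header tells a caller how large the buffers must be or that the reduced result is only the lower half.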
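--- /dev/null
+++ b/3rd_party/ed25519/seed.c
@@ -0,0 +1,40 @@
+#include "ed25519.h"
+
+#ifndef ED25519_NO_SEED
+
+#ifdef _WIN32
+#include <windows.h>
+#include <wincrypt.h>
+#else
+#include <stdio.h>
+#endif
+
+int ed25519_create_seed(unsigned char *seed) {
+#ifdef _WIN32
+ HCRYPTPROV prov;
+
+ if (!CryptAcquireContext(&prov, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) {
+ return 1;
+ }
+
+ if (!CryptGenRandom(prov, 32, seed)) {
+ CryptReleaseContext(prov, 0);
+ return 1;
+ }
+
+ CryptReleaseContext(prov, 0);
+#else
+ FILE *f = fopen("/dev/urandom", "rb");
+
+ if (f == NULL) {
+ return 1;
+ }
+
+ fread(seed, 1, 32, f);
+ fclose(f);
+#endif
+
+ return 0;
+}
+
+#endif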
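Review bot: The return value of `fread(seed, 1, 32, f);` on line 33 is ignored, so a short read (EINTR, a sandboxed or exhausted descriptor, a `/dev/urandom` that is not the real device) leaves part of `seed` holding whatever the caller's buffer already contained while the function still reports success; a key derived from that seed would be partially predictable. The fix is one line: `if (fread(seed, 1, 32, f) != 32) { fclose(f); return 1; }`. Two smaller points worth a comment even if left as is: stdio read-ahead pulls far more than 32 bytes from the device (`setvbuf(f, NULL, _IONBF, 0)` right after the `fopen` avoids that), and on Windows `CryptGenRandom` is a deprecated API whose current replacement is `BCryptGenRandom`.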
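--- /dev/null
+++ b/3rd_party/ed25519/sha512.c
@@ -0,0 +1,275 @@
+/* LibTomCrypt, modular cryptographic library -- Tom St Denis
+ *
+ * LibTomCrypt is a library that provides various cryptographic
+ * algorithms in a highly modular and flexible manner.
+ *
+ * The library is free for all purposes without any express
+ * guarantee it works.
+ *
+ * Tom St Denis, tomstdenis@gmail.com, http://libtom.org
+ */
+
+#include "fixedint.h"
+#include "sha512.h"
+
+/* the K array */
+static const uint64_t K[80] = {
+ UINT64_C(0x428a2f98d728ae22), UINT64_C(0x7137449123ef65cd),
+ UINT64_C(0xb5c0fbcfec4d3b2f), UINT64_C(0xe9b5dba58189dbbc),
+ UINT64_C(0x3956c25bf348b538), UINT64_C(0x59f111f1b605d019),
+ UINT64_C(0x923f82a4af194f9b), UINT64_C(0xab1c5ed5da6d8118),
+ UINT64_C(0xd807aa98a3030242), UINT64_C(0x12835b0145706fbe),
+ UINT64_C(0x243185be4ee4b28c), UINT64_C(0x550c7dc3d5ffb4e2),
+ UINT64_C(0x72be5d74f27b896f), UINT64_C(0x80deb1fe3b1696b1),
+ UINT64_C(0x9bdc06a725c71235), UINT64_C(0xc19bf174cf692694),
+ UINT64_C(0xe49b69c19ef14ad2), UINT64_C(0xefbe4786384f25e3),
+ UINT64_C(0x0fc19dc68b8cd5b5), UINT64_C(0x240ca1cc77ac9c65),
+ UINT64_C(0x2de92c6f592b0275), UINT64_C(0x4a7484aa6ea6e483),
+ UINT64_C(0x5cb0a9dcbd41fbd4), UINT64_C(0x76f988da831153b5),
+ UINT64_C(0x983e5152ee66dfab), UINT64_C(0xa831c66d2db43210),
+ UINT64_C(0xb00327c898fb213f), UINT64_C(0xbf597fc7beef0ee4),
+ UINT64_C(0xc6e00bf33da88fc2), UINT64_C(0xd5a79147930aa725),
+ UINT64_C(0x06ca6351e003826f), UINT64_C(0x142929670a0e6e70),
+ UINT64_C(0x27b70a8546d22ffc), UINT64_C(0x2e1b21385c26c926),
+ UINT64_C(0x4d2c6dfc5ac42aed), UINT64_C(0x53380d139d95b3df),
+ UINT64_C(0x650a73548baf63de), UINT64_C(0x766a0abb3c77b2a8),
+ UINT64_C(0x81c2c92e47edaee6), UINT64_C(0x92722c851482353b),
+ UINT64_C(0xa2bfe8a14cf10364), UINT64_C(0xa81a664bbc423001),
+ UINT64_C(0xc24b8b70d0f89791), UINT64_C(0xc76c51a30654be30),
+ UINT64_C(0xd192e819d6ef5218), UINT64_C(0xd69906245565a910),
+ UINT64_C(0xf40e35855771202a), UINT64_C(0x106aa07032bbd1b8),
+ UINT64_C(0x19a4c116b8d2d0c8), UINT64_C(0x1e376c085141ab53),
+ UINT64_C(0x2748774cdf8eeb99), UINT64_C(0x34b0bcb5e19b48a8),
+ UINT64_C(0x391c0cb3c5c95a63), UINT64_C(0x4ed8aa4ae3418acb),
+ UINT64_C(0x5b9cca4f7763e373), UINT64_C(0x682e6ff3d6b2b8a3),
+ UINT64_C(0x748f82ee5defb2fc), UINT64_C(0x78a5636f43172f60),
+ UINT64_C(0x84c87814a1f0ab72), UINT64_C(0x8cc702081a6439ec),
+ UINT64_C(0x90befffa23631e28), UINT64_C(0xa4506cebde82bde9),
+ UINT64_C(0xbef9a3f7b2c67915), UINT64_C(0xc67178f2e372532b),
+ UINT64_C(0xca273eceea26619c), UINT64_C(0xd186b8c721c0c207),
+ UINT64_C(0xeada7dd6cde0eb1e), UINT64_C(0xf57d4f7fee6ed178),
+ UINT64_C(0x06f067aa72176fba), UINT64_C(0x0a637dc5a2c898a6),
+ UINT64_C(0x113f9804bef90dae), UINT64_C(0x1b710b35131c471b),
+ UINT64_C(0x28db77f523047d84), UINT64_C(0x32caab7b40c72493),
+ UINT64_C(0x3c9ebe0a15c9bebc), UINT64_C(0x431d67c49c100d4c),
+ UINT64_C(0x4cc5d4becb3e42b6), UINT64_C(0x597f299cfc657e2a),
+ UINT64_C(0x5fcb6fab3ad6faec), UINT64_C(0x6c44198c4a475817)
+};
+
+/* Various logical functions */
+
+#define ROR64c(x, y) \
+ ( ((((x)&UINT64_C(0xFFFFFFFFFFFFFFFF))>>((uint64_t)(y)&UINT64_C(63))) | \
+ ((x)<<((uint64_t)(64-((y)&UINT64_C(63)))))) & UINT64_C(0xFFFFFFFFFFFFFFFF))
+
+#define STORE64H(x, y) \
+ { (y)[0] = (unsigned char)(((x)>>56)&255); (y)[1] = (unsigned char)(((x)>>48)&255); \
+ (y)[2] = (unsigned char)(((x)>>40)&255); (y)[3] = (unsigned char)(((x)>>32)&255); \
+ (y)[4] = (unsigned char)(((x)>>24)&255); (y)[5] = (unsigned char)(((x)>>16)&255); \
+ (y)[6] = (unsigned char)(((x)>>8)&255); (y)[7] = (unsigned char)((x)&255); }
+
+#define LOAD64H(x, y) \
+ { x = (((uint64_t)((y)[0] & 255))<<56)|(((uint64_t)((y)[1] & 255))<<48) | \
+ (((uint64_t)((y)[2] & 255))<<40)|(((uint64_t)((y)[3] & 255))<<32) | \
+ (((uint64_t)((y)[4] & 255))<<24)|(((uint64_t)((y)[5] & 255))<<16) | \
+ (((uint64_t)((y)[6] & 255))<<8)|(((uint64_t)((y)[7] & 255))); }
+
+
+#define Ch(x,y,z) (z ^ (x & (y ^ z)))
+#define Maj(x,y,z) (((x | y) & z) | (x & y))
+#define S(x, n) ROR64c(x, n)
+#define R(x, n) (((x) &UINT64_C(0xFFFFFFFFFFFFFFFF))>>((uint64_t)n))
+#define Sigma0(x) (S(x, 28) ^ S(x, 34) ^ S(x, 39))
+#define Sigma1(x) (S(x, 14) ^ S(x, 18) ^ S(x, 41))
+#define Gamma0(x) (S(x, 1) ^ S(x, 8) ^ R(x, 7))
+#define Gamma1(x) (S(x, 19) ^ S(x, 61) ^ R(x, 6))
+#ifndef MIN
+ #define MIN(x, y) ( ((x)<(y))?(x):(y) )
+#endif
+
+/* compress 1024-bits */
+static int sha512_compress(sha512_context *md, unsigned char *buf)
+{
+ uint64_t S[8], W[80], t0, t1;
+ int i;
+
+ /* copy state into S */
+ for (i = 0; i < 8; i++) {
+ S[i] = md->state[i];
+ }
+
+ /* copy the state into 1024-bits into W[0..15] */
+ for (i = 0; i < 16; i++) {
+ LOAD64H(W[i], buf + (8*i));
+ }
+
+ /* fill W[16..79] */
+ for (i = 16; i < 80; i++) {
+ W[i] = Gamma1(W[i - 2]) + W[i - 7] + Gamma0(W[i - 15]) + W[i - 16];
+ }
+
+/* Compress */
+ #define RND(a,b,c,d,e,f,g,h,i) \
+ t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \
+ t1 = Sigma0(a) + Maj(a, b, c);\
+ d += t0; \
+ h = t0 + t1;
+
+ for (i = 0; i < 80; i += 8) {
+ RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],i+0);
+ RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],i+1);
+ RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],i+2);
+ RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],i+3);
+ RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],i+4);
+ RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],i+5);
+ RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],i+6);
+ RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],i+7);
+ }
+
+ #undef RND
+
+
+
+ /* feedback */
+ for (i = 0; i < 8; i++) {
+ md->state[i] = md->state[i] + S[i];
+ }
+
+ return 0;
+}
+
+
+/**
+ Initialize the hash state
+ @param md The hash state you wish to initialize
+ @return 0 if successful
+*/
+int sha512_init(sha512_context * md) {
+ if (md == NULL) return 1;
+
+ md->curlen = 0;
+ md->length = 0;
+ md->state[0] = UINT64_C(0x6a09e667f3bcc908);
+ md->state[1] = UINT64_C(0xbb67ae8584caa73b);
+ md->state[2] = UINT64_C(0x3c6ef372fe94f82b);
+ md->state[3] = UINT64_C(0xa54ff53a5f1d36f1);
+ md->state[4] = UINT64_C(0x510e527fade682d1);
+ md->state[5] = UINT64_C(0x9b05688c2b3e6c1f);
+ md->state[6] = UINT64_C(0x1f83d9abfb41bd6b);
+ md->state[7] = UINT64_C(0x5be0cd19137e2179);
+
+ return 0;
+}
+
+/**
+ Process a block of memory though the hash
+ @param md The hash state
+ @param in The data to hash
+ @param inlen The length of the data (octets)
+ @return 0 if successful
+*/
+int sha512_update (sha512_context * md, const unsigned char *in, size_t inlen)
+{
+ size_t n;
+ size_t i;
+ int err;
+ if (md == NULL) return 1;
+ if (in == NULL) return 1;
+ if (md->curlen > sizeof(md->buf)) {
+ return 1;
+ }
+ while (inlen > 0) {
+ if (md->curlen == 0 && inlen >= 128) {
+ if ((err = sha512_compress (md, (unsigned char *)in)) != 0) {
+ return err;
+ }
+ md->length += 128 * 8;
+ in += 128;
+ inlen -= 128;
+ } else {
+ n = MIN(inlen, (128 - md->curlen));
+
+ for (i = 0; i < n; i++) {
+ md->buf[i + md->curlen] = in[i];
+ }
+
+
+ md->curlen += n;
+ in += n;
+ inlen -= n;
+ if (md->curlen == 128) {
+ if ((err = sha512_compress (md, md->buf)) != 0) {
+ return err;
+ }
+ md->length += 8*128;
+ md->curlen = 0;
+ }
+ }
+ }
+ return 0;
+}
+
+/**
+ Terminate the hash to get the digest
+ @param md The hash state
+ @param out [out] The destination of the hash (64 bytes)
+ @return 0 if successful
+*/
+ int sha512_final(sha512_context * md, unsigned char *out)
+ {
+ int i;
+
+ if (md == NULL) return 1;
+ if (out == NULL) return 1;
+
+ if (md->curlen >= sizeof(md->buf)) {
+ return 1;
+ }
+
+ /* increase the length of the message */
+ md->length += md->curlen * UINT64_C(8);
+
+ /* append the '1' bit */
+ md->buf[md->curlen++] = (unsigned char)0x80;
+
+ /* if the length is currently above 112 bytes we append zeros
+ * then compress. Then we can fall back to padding zeros and length
+ * encoding like normal.
+ */
+ if (md->curlen > 112) {
+ while (md->curlen < 128) {
+ md->buf[md->curlen++] = (unsigned char)0;
+ }
+ sha512_compress(md, md->buf);
+ md->curlen = 0;
+ }
+
+ /* pad upto 120 bytes of zeroes
+ * note: that from 112 to 120 is the 64 MSB of the length. We assume that you won't hash
+ * > 2^64 bits of data... :-)
+ */
+while (md->curlen < 120) {
+ md->buf[md->curlen++] = (unsigned char)0;
+}
+
+ /* store length */
+STORE64H(md->length, md->buf+120);
+sha512_compress(md, md->buf);
+
+ /* copy output */
+for (i = 0; i < 8; i++) {
+ STORE64H(md->state[i], out+(8*i));
+}
+
+return 0;
+}
+
+int sha512(const unsigned char *message, size_t message_len, unsigned char *out)
+{
+ sha512_context ctx;
+ int ret;
+ if ((ret = sha512_init(&ctx))) return ret;
+ if ((ret = sha512_update(&ctx, message, message_len))) return ret;
+ if ((ret = sha512_final(&ctx, out))) return ret;
+ return 0;
+}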
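Review bot: `sha512_compress` takes a non-const `unsigned char *buf` (line 91) although it only reads through `LOAD64H`, which is what forces the const-discarding cast `(unsigned char *)in` at line 183; declaring it `static int sha512_compress(sha512_context *md, const unsigned char *buf)` lets the cast go. The sanity check in `sha512_update` at line 178 uses `>` while `sha512_final` uses `>=` at line 225; if `curlen` were ever exactly 128 on entry the else-branch at line 190 would compute `n = 0` and the while loop would never make progress, so `>=` is the safer bound in both places. Neither `sha512_final` nor `sha512` clears the context afterwards, so `md->state`, `md->buf` and the local `ctx` keep data derived from the input — relevant when the input is key material, as it is in sign.c — and that should at least be stated in the doc comment of `sha512_final`, e.g. `@note the context is not wiped; callers hashing secrets must clear it themselves`. The body of `sha512_final` (lines 218–265) is indented inconsistently with the rest of the file and would benefit from a clang-format pass.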
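--- /dev/null
+++ b/3rd_party/ed25519/sha512.h
@@ -0,0 +1,21 @@
+#ifndef SHA512_H
+#define SHA512_H
+
+#include <stddef.h>
+
+#include "fixedint.h"
+
+/* state */
+typedef struct sha512_context_ {
+    uint64_t length, state[8];
+    size_t curlen;
+    unsigned char buf[128];
+} sha512_context;
+
+
+int sha512_init(sha512_context * md);
+int sha512_final(sha512_context * md, unsigned char *out);
+int sha512_update(sha512_context * md, const unsigned char *in, size_t inlen);
+int sha512(const unsigned char *message, size_t message_len, unsigned char *out);
+
+#endif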
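Review bot: The prototypes carry no documentation of their result codes; on the sha512.c side, `sha512_final` returns 1 when `md` or `out` is NULL or when `md->curlen` is not below the buffer size, and `sha512()` returns the first non-zero code from init/update/final, so a comment such as `/* All functions return 0 on success and non-zero on invalid arguments or state. */` above the declarations would let callers decide deliberately (sign.c and verify.c in this commit ignore the results). The context struct holds the buffered message and intermediate state, so a note that it should be cleared after hashing secret material belongs here as well.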
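--- /dev/null
+++ b/3rd_party/ed25519/sign.c
@@ -0,0 +1,31 @@
+#include "ed25519.h"
+#include "sha512.h"
+#include "ge.h"
+#include "sc.h"
+
+
+void ed25519_sign(unsigned char *signature, const unsigned char *message, size_t message_len, const unsigned char *public_key, const unsigned char *private_key) {
+    sha512_context hash;
+    unsigned char hram[64];
+    unsigned char r[64];
+    ge_p3 R;
+
+
+    sha512_init(&hash);
+    sha512_update(&hash, private_key + 32, 32);
+    sha512_update(&hash, message, message_len);
+    sha512_final(&hash, r);
+
+    sc_reduce(r);
+    ge_scalarmult_base(&R, r);
+    ge_p3_tobytes(signature, &R);
+
+    sha512_init(&hash);
+    sha512_update(&hash, signature, 32);
+    sha512_update(&hash, public_key, 32);
+    sha512_update(&hash, message, message_len);
+    sha512_final(&hash, hram);
+
+    sc_reduce(hram);
+    sc_muladd(signature + 32, hram, private_key, r);
+}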
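Review bot: The per-signature nonce `r` and the `hash` state that absorbed `private_key + 32` are left on the stack when `ed25519_sign` returns; a nonce that later becomes readable lets the signing scalar be recovered from the matching signature, so clear both before returning with a primitive the compiler cannot elide, e.g. `explicit_bzero(r, sizeof r); explicit_bzero(&hash, sizeof hash);` (or the project's memset_s-style equivalent), since a plain `memset` at the end of a function is commonly dropped as a dead store. The `sha512_*` return values are ignored throughout; with the non-NULL arguments used here they can only fail on an invalid context, so a one-line comment stating that assumption would help the next reader. The 64-byte private-key layout (scalar in the first 32 bytes, hash prefix in the second) is implied by the `private_key + 32` and `sc_muladd` arguments and deserves a comment above the function, as callers must supply exactly that format.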
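--- /dev/null
+++ b/3rd_party/ed25519/verify.c
@@ -0,0 +1,77 @@
+#include "ed25519.h"
+#include "sha512.h"
+#include "ge.h"
+#include "sc.h"
+
+static int consttime_equal(const unsigned char *x, const unsigned char *y) {
+    unsigned char r = 0;
+
+    r = x[0] ^ y[0];
+    #define F(i) r |= x[i] ^ y[i]
+    F(1);
+    F(2);
+    F(3);
+    F(4);
+    F(5);
+    F(6);
+    F(7);
+    F(8);
+    F(9);
+    F(10);
+    F(11);
+    F(12);
+    F(13);
+    F(14);
+    F(15);
+    F(16);
+    F(17);
+    F(18);
+    F(19);
+    F(20);
+    F(21);
+    F(22);
+    F(23);
+    F(24);
+    F(25);
+    F(26);
+    F(27);
+    F(28);
+    F(29);
+    F(30);
+    F(31);
+    #undef F
+
+    return !r;
+}
+
+int ed25519_verify(const unsigned char *signature, const unsigned char *message, size_t message_len, const unsigned char *public_key) {
+    unsigned char h[64];
+    unsigned char checker[32];
+    sha512_context hash;
+    ge_p3 A;
+    ge_p2 R;
+
+    if (signature[63] & 224) {
+        return 0;
+    }
+
+    if (ge_frombytes_negate_vartime(&A, public_key) != 0) {
+        return 0;
+    }
+
+    sha512_init(&hash);
+    sha512_update(&hash, signature, 32);
+    sha512_update(&hash, public_key, 32);
+    sha512_update(&hash, message, message_len);
+    sha512_final(&hash, h);
+
+    sc_reduce(h);
+    ge_double_scalarmult_vartime(&R, h, &A, signature + 32);
+    ge_tobytes(checker, &R);
+
+    if (!consttime_equal(checker, signature)) {
+        return 0;
+    }
+
+    return 1;
+}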
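Review bot: The `signature[63] & 224` test in `ed25519_verify` only rejects an S with one of its top three bits set; an S in the range [L, 2^253) is not canonical yet passes, and because the scalar arithmetic works modulo the group order such a signature verifies alongside its reduced form, which makes accepted signatures malleable. Code that treats a signature as a unique identifier or deduplication key must not rely on this check; the defensive fix is to compare the 32 bytes at `signature + 32` (little-endian) against the group order and return 0 when S >= L, which is the range check RFC 8032 section 5.1.7 requires. The public key is not checked for small-order points either, which is acceptable for plain verification but should be stated in a comment above the function together with the 1 = valid / 0 = invalid return convention.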
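--- /dev/null
+++ b/3rd_party/libsrp6a-sha512/LICENSE
@@ -0,0 +1,62 @@
+Licensing
+---------
+
+SRP is royalty-free worldwide for commercial and non-commercial use.
+The SRP library has been carefully written not to depend on any
+encumbered algorithms, and it is distributed under a standard
+BSD-style Open Source license which is shown below. This license
+covers implementations based on the SRP library as well as
+independent implementations based on RFC 2945.
+
+The SRP distribution itself contains algorithms and code from
+various freeware packages; these parts fall under both the SRP
+Open Source license and the packages' own licenses. Care has
+been taken to ensure that these licenses are compatible with
+Open Source distribution, but it is the responsibility of the
+licensee to comply with the terms of these licenses. This
+disclaimer also applies to third-party libraries that may be
+linked into the distribution, since they may contain patented
+intellectual property. The file "Copyrights" contains a list
+of the copyrights incorporated by portions of the software.
+
+Broader use of the SRP authentication technology, such as variants
+incorporating the use of an explicit server secret (SRP-Z), may
+require a license; please contact the Stanford Office of Technology
+Licensing (http://otl.stanford.edu/) for more information about
+terms and conditions.
+
+This software is covered under the following copyright:
+
+/*
+ * Copyright (c) 1997-2007 The Stanford SRP Authentication Project
+ * All Rights Reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
+ * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL,
+ * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER
+ * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF
+ * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Redistributions in source or binary form must retain an intact copy
+ * of this copyright notice.
+ */
+
+Address all questions regarding this license to:
+
+        Tom Wu
+        tjw@cs.Stanford.EDU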
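--- /dev/null
+++ b/3rd_party/libsrp6a-sha512/Makefile.am
@@ -0,0 +1,31 @@
+AUTOMAKE_OPTIONS = foreign no-dependencies
+
+AM_CPPFLAGS = \
+	-I$(top_srcdir)/include \
+	-I$(top_srcdir) \
+	-Wno-incompatible-pointer-types
+
+include_HEADERS = srp.h srp_aux.h cstr.h
+
+AM_CFLAGS = -DHAVE_CONFIG_H
+if HAVE_OPENSSL
+AM_CFLAGS += -DOPENSSL=1 -DOPENSSL_ENGINE=1 $(openssl_CFLAGS)
+else
+if HAVE_GCRYPT
+AM_CFLAGS += -DGCRYPT=1 $(libgcrypt_CFLAGS)
+else
+if HAVE_MBEDTLS
+AM_CFLAGS += -DMBEDTLS=1 $(mbedtls_CFLAGS)
+endif
+endif
+endif
+
+noinst_LTLIBRARIES = libsrp6a-sha512.la
+
+libsrp6a_sha512_la_SOURCES = \
+	t_conv.c t_math.c t_misc.c \
+	t_truerand.c cstr.c \
+	srp.c srp6a_sha512_client.c
+if !HAVE_OPENSSL
+libsrp6a_sha512_la_SOURCES += t_sha.c
+endif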
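Review bot: `-Wno-incompatible-pointer-types` in `AM_CPPFLAGS` silences the diagnostic that cstr.c's `{ malloc, free, NULL }` initializer produces against the two-argument function-pointer types declared in cstr.h; calling a function through a pointer of an incompatible type is undefined behavior in C, and GCC 14 promotes this warning to an error by default, so the suppression hides a real defect and is unlikely to keep the build working on newer toolchains. cstr.c already provides the correctly-typed `Cmalloc`/`Cfree` wrappers under `PEDANTIC_ARGS`, so `AM_CFLAGS += -DPEDANTIC_ARGS` with the `-Wno-` flag removed addresses the cause rather than the symptom. The flag is also a compiler option rather than a preprocessor one, so if it is kept it belongs in `AM_CFLAGS`.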
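--- /dev/null
+++ b/3rd_party/libsrp6a-sha512/README.md
@@ -0,0 +1,35 @@
+# SRP6a-sha512 library
+
+## About
+
+This library is based on Stanford's Secure Remote Password (SRP) protocol
+implementation, or more precise on the `libsrp` part thereof.
+The entire source code for the SRP project can be obtained from [here](https://github.com/secure-remote-password/stanford-srp).
+
+It has been adapted to the needs of the libimobiledevice project, and
+contains just a part of the original code; it only supports the SRP6a
+client method which has been modified to use SHA512 instead of SHA1.
+The only supported SRP method is `SRP6a_sha512_client_method()`.
+Besides that, support for MbedTLS has been added.
+
+Also, all server-side code has been removed, and the client-side code
+has been reduced to a minimum, so that basically only the following
+functions remain operational:
+
+- `SRP_initialize_library`
+- `SRP_new`
+- `SRP_free`
+- `SRP_set_user_raw`
+- `SRP_set_params`
+- `SRP_set_auth_password`
+- `SRP_gen_pub`
+- `SRP_compute_key`
+- `SRP_respond`
+- `SRP_verify`
+
+Anything else has not been tested and must be considered non-functional.
+
+## License
+
+The license of the original work does still apply and can be found in the
+LICENSE file that comes with the code.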
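--- /dev/null
+++ b/3rd_party/libsrp6a-sha512/cstr.c
@@ -0,0 +1,226 @@
+#include <stdlib.h>
+#include <string.h>
+
+#include "config.h"
+#include "cstr.h"
+
+#define EXPFACTOR 2 /* Minimum expansion factor */
+#define MINSIZE 4 /* Absolute minimum - one word */
+
+static char cstr_empty_string[] = { '\0' };
+static cstr_allocator * default_alloc = NULL;
+
+/*
+ * It is assumed, for efficiency, that it is okay to pass more arguments
+ * to a function than are called for, as long as the required arguments
+ * are in proper form. If extra arguments to malloc() and free() cause
+ * problems, define PEDANTIC_ARGS below.
+ */
+#ifdef PEDANTIC_ARGS
+static void * Cmalloc(int n, void * heap) { return malloc(n); }
+static void Cfree(void * p, void * heap) { free(p); }
+static cstr_allocator malloc_allocator = { Cmalloc, Cfree, NULL };
+#else
+static cstr_allocator malloc_allocator = { malloc, free, NULL };
+#endif
+
+_TYPE( void )
+cstr_set_allocator(cstr_allocator * alloc)
+{
+  default_alloc = alloc;
+}
+
+_TYPE( cstr * )
+cstr_new_alloc(cstr_allocator * alloc)
+{
+  cstr * str;
+
+  if(alloc == NULL) {
+    if(default_alloc == NULL) {
+      default_alloc = &malloc_allocator;
+    }
+    alloc = default_alloc;
+  }
+
+  str = (cstr *) (*alloc->alloc)(sizeof(cstr), alloc->heap);
+  if(str) {
+    str->data = cstr_empty_string;
+    str->length = str->cap = 0;
+    str->ref = 1;
+    str->allocator = alloc;
+  }
+  return str;
+}
+
+_TYPE( cstr * )
+cstr_new()
+{
+  return cstr_new_alloc(NULL);
+}
+
+_TYPE( cstr * )
+cstr_dup_alloc(const cstr * str, cstr_allocator * alloc)
+{
+  cstr * nstr = cstr_new_alloc(alloc);
+  if(nstr)
+    cstr_setn(nstr, str->data, str->length);
+  return nstr;
+}
+
+_TYPE( cstr * )
+cstr_dup(const cstr * str)
+{
+  return cstr_dup_alloc(str, NULL);
+}
+
+_TYPE( cstr * )
+cstr_create(const char * s)
+{
+  return cstr_createn(s, strlen(s));
+}
+
+_TYPE( cstr * )
+cstr_createn(const char * s, int len)
+{
+  cstr * str = cstr_new();
+  if(str) {
+    cstr_setn(str, s, len);
+  }
+  return str;
+}
+
+_TYPE( void )
+cstr_use(cstr * str)
+{
+  ++str->ref;
+}
+
+_TYPE( void )
+cstr_clear_free(cstr * str)
+{
+  if(--str->ref == 0) {
+    if(str->cap > 0) {
+      memset(str->data, 0, str->cap);
+      (*str->allocator->free)(str->data, str->allocator->heap);
+    }
+    (*str->allocator->free)(str, str->allocator->heap);
+  }
+}
+
+_TYPE( void )
+cstr_free(cstr * str)
+{
+  if(--str->ref == 0) {
+    if(str->cap > 0)
+      (*str->allocator->free)(str->data, str->allocator->heap);
+    (*str->allocator->free)(str, str->allocator->heap);
+  }
+}
+
+_TYPE( void )
+cstr_empty(cstr * str)
+{
+  if(str->cap > 0)
+    (*str->allocator->free)(str->data, str->allocator->heap);
+  str->data = cstr_empty_string;
+  str->length = str->cap = 0;
+}
+
+static int
+cstr_alloc(cstr * str, int len)
+{
+  char * t;
+
+  if(len > str->cap) {
+    if(len < EXPFACTOR * str->cap)
+      len = EXPFACTOR * str->cap;
+    if(len < MINSIZE)
+      len = MINSIZE;
+
+    t = (char *) (*str->allocator->alloc)(len * sizeof(char),
+                                          str->allocator->heap);
+    if(t) {
+      if(str->data) {
+        t[str->length] = 0;
+        if(str->cap > 0) {
+          if(str->length > 0)
+            memcpy(t, str->data, str->length);
+          free(str->data);
+        }
+      }
+      str->data = t;
+      str->cap = len;
+      return 1;
+    }
+    else
+      return -1;
+  }
+  else
+    return 0;
+}
+
+_TYPE( int )
+cstr_copy(cstr * dst, const cstr * src)
+{
+  return cstr_setn(dst, src->data, src->length);
+}
+
+_TYPE( int )
+cstr_set(cstr * str, const char * s)
+{
+  return cstr_setn(str, s, strlen(s));
+}
+
+_TYPE( int )
+cstr_setn(cstr * str, const char * s, int len)
+{
+  if(cstr_alloc(str, len + 1) < 0)
+    return -1;
+  str->data[len] = 0;
+  if(s != NULL && len > 0)
+    memmove(str->data, s, len);
+  str->length = len;
+  return 1;
+}
+
+_TYPE( int )
+cstr_set_length(cstr * str, int len)
+{
+  if(len < str->length) {
+    str->data[len] = 0;
+    str->length = len;
+    return 1;
+  }
+  else if(len > str->length) {
+    if(cstr_alloc(str, len + 1) < 0)
+      return -1;
+    memset(str->data + str->length, 0, len - str->length + 1);
+    str->length = len;
+    return 1;
+  }
+  else
+    return 0;
+}
+
+_TYPE( int )
+cstr_append(cstr * str, const char * s)
+{
+  return cstr_appendn(str, s, strlen(s));
+}
+
+_TYPE( int )
+cstr_appendn(cstr * str, const char * s, int len)
+{
+  if(cstr_alloc(str, str->length + len + 1) < 0)
+    return -1;
+  memcpy(str->data + str->length, s, len);
+  str->length += len;
+  str->data[str->length] = 0;
+  return 1;
+}
+
+_TYPE( int )
+cstr_append_str(cstr * dst, const cstr * src)
+{
+  return cstr_appendn(dst, src->data, src->length);
+}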
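Review bot: `cstr_alloc` releases the previous buffer with plain `free(str->data)` while every other release in this file goes through `str->allocator->free`, so a string created with a custom `cstr_allocator` hands a foreign pointer to libc when it grows; change that line to `(*str->allocator->free)(str->data, str->allocator->heap);`. Separately, the `memset` in `cstr_clear_free` is immediately followed by a free of the same buffer, a pattern compilers may drop as a dead store, so the clearing that `SRP_free` relies on for the salt and username is not guaranteed; use an `explicit_bzero`-style primitive or a volatile-pointer loop where the toolchain offers one. The `int` lengths also let a negative `len` reach `str->data[len]` in `cstr_setn` before any bound is checked, which a `len < 0` guard returning -1 would close.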
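--- /dev/null
+++ b/3rd_party/libsrp6a-sha512/cstr.h
@@ -0,0 +1,94 @@
+#ifndef _CSTR_H_
+#define _CSTR_H_
+
+/* A general-purpose string "class" for C */
+
+#if !defined(P)
+#ifdef __STDC__
+#define P(x) x
+#else
+#define P(x) ()
+#endif
+#endif
+
+/* For building dynamic link libraries under windows, windows NT
+ * using MSVC1.5 or MSVC2.0
+ */
+
+#ifndef _DLLDECL
+#define _DLLDECL
+
+#ifdef MSVC15 /* MSVC1.5 support for 16 bit apps */
+#define _MSVC15EXPORT _export
+#define _MSVC20EXPORT
+#define _DLLAPI _export _pascal
+#define _CDECL
+#define _TYPE(a) a _MSVC15EXPORT
+#define DLLEXPORT 1
+
+#elif defined(MSVC20) || (defined(_USRDLL) && defined(SRP_EXPORTS))
+#define _MSVC15EXPORT
+#define _MSVC20EXPORT _declspec(dllexport)
+#define _DLLAPI
+#define _CDECL
+#define _TYPE(a) _MSVC20EXPORT a
+#define DLLEXPORT 1
+
+#else /* Default, non-dll. Use this for Unix or DOS */
+#define _MSVC15DEXPORT
+#define _MSVC20EXPORT
+#define _DLLAPI
+#if defined(WINDOWS) || defined(WIN32)
+#define _CDECL _cdecl
+#else
+#define _CDECL
+#endif
+#define _TYPE(a) a _CDECL
+#endif
+#endif /* _DLLDECL */
+
+#ifdef __cplusplus
+extern "C" {
+#endif /* __cplusplus */
+
+/* Arguments to allocator methods ordered this way for compatibility */
+typedef struct cstr_alloc_st {
+  void * (_CDECL * alloc)(size_t n, void * heap);
+  void (_CDECL * free)(void * p, void * heap);
+  void * heap;
+} cstr_allocator;
+
+typedef struct cstr_st {
+  char * data; /* Okay to access data and length fields directly */
+  int length;
+  int cap;
+  int ref; /* Simple reference counter */
+  cstr_allocator * allocator;
+} cstr;
+
+_TYPE( void ) cstr_set_allocator P((cstr_allocator * alloc));
+
+_TYPE( cstr * ) cstr_new P((void));
+_TYPE( cstr * ) cstr_new_alloc P((cstr_allocator * alloc));
+_TYPE( cstr * ) cstr_dup P((const cstr * str));
+_TYPE( cstr * ) cstr_dup_alloc P((const cstr * str, cstr_allocator * alloc));
+_TYPE( cstr * ) cstr_create P((const char * s));
+_TYPE( cstr * ) cstr_createn P((const char * s, int len));
+
+_TYPE( void ) cstr_free P((cstr * str));
+_TYPE( void ) cstr_clear_free P((cstr * str));
+_TYPE( void ) cstr_use P((cstr * str));
+_TYPE( void ) cstr_empty P((cstr * str));
+_TYPE( int ) cstr_copy P((cstr * dst, const cstr * src));
+_TYPE( int ) cstr_set P((cstr * str, const char * s));
+_TYPE( int ) cstr_setn P((cstr * str, const char * s, int len));
+_TYPE( int ) cstr_set_length P((cstr * str, int len));
+_TYPE( int ) cstr_append P((cstr * str, const char * s));
+_TYPE( int ) cstr_appendn P((cstr * str, const char * s, int len));
+_TYPE( int ) cstr_append_str P((cstr * dst, const cstr * src));
+
+#ifdef __cplusplus
+}
+#endif /* __cplusplus */
+
+#endif /* _CSTR_H_ */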
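Review bot: `cstr_allocator` uses `size_t` but the header includes nothing, so it is not self-contained and only compiles when the including translation unit has already pulled in `<stdlib.h>` or similar (cstr.c does; srp.h includes "cstr.h" as its very first include, so a file that includes srp.h without a prior system header would likely fail); add `#include <stddef.h>` right after the include guard. The default branch defines `_MSVC15DEXPORT` where the two MSVC branches define `_MSVC15EXPORT`; the name is unused in that branch, so it is a harmless typo today but worth correcting. `_CSTR_H_`, `_TYPE`, `_CDECL` and `_DLLDECL` all sit in the identifier namespace reserved for the implementation (leading underscore plus uppercase letter), which is a known upstream-style issue rather than something to fix in this import, but a note for a later cleanup is warranted.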
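--- /dev/null
+++ b/3rd_party/libsrp6a-sha512/srp.c
@@ -0,0 +1,274 @@
+/*
+ * Copyright (c) 1997-2007 The Stanford SRP Authentication Project
+ * All Rights Reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
+ * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL,
+ * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER
+ * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF
+ * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Redistributions in source or binary form must retain an intact copy
+ * of this copyright notice.
+ */
+
+#include "t_defines.h"
+#include "srp.h"
+
+static int library_initialized = 0;
+
+_TYPE( SRP_RESULT )
+SRP_initialize_library()
+{
+  if(library_initialized == 0) {
+    BigIntegerInitialize();
+    t_stronginitrand();
+    library_initialized = 1;
+  }
+  return SRP_SUCCESS;
+}
+
+_TYPE( SRP_RESULT )
+SRP_finalize_library()
+{
+  if(library_initialized > 0) {
+    library_initialized = 0;
+    BigIntegerFinalize();
+  }
+  return SRP_SUCCESS;
+}
+
+static int srp_modulus_min_bits = SRP_DEFAULT_MIN_BITS;
+
+_TYPE( SRP_RESULT )
+SRP_set_modulus_min_bits(int minbits)
+{
+  srp_modulus_min_bits = minbits;
+  return SRP_SUCCESS;
+}
+
+_TYPE( int )
+SRP_get_modulus_min_bits()
+{
+  return srp_modulus_min_bits;
+}
+
+static int
+default_secret_bits_cb(int modsize)
+{
+  return 256;
+  /*return modsize;*/ /* Warning: Very Slow */
+}
+
+static SRP_SECRET_BITS_CB srp_sb_cb = default_secret_bits_cb;
+
+_TYPE( SRP_RESULT )
+SRP_set_secret_bits_cb(SRP_SECRET_BITS_CB cb)
+{
+  srp_sb_cb = cb;
+  return SRP_SUCCESS;
+}
+
+_TYPE( int )
+SRP_get_secret_bits(int modsize)
+{
+  return (*srp_sb_cb)(modsize);
+}
+
+_TYPE( SRP * )
+SRP_new(SRP_METHOD * meth)
+{
+  SRP * srp = (SRP *) malloc(sizeof(SRP));
+
+  if(srp == NULL)
+    return NULL;
+
+  srp->flags = 0;
+  srp->username = cstr_new();
+  srp->bctx = BigIntegerCtxNew();
+  srp->modulus = NULL;
+  srp->accel = NULL;
+  srp->generator = NULL;
+  srp->salt = NULL;
+  srp->verifier = NULL;
+  srp->password = NULL;
+  srp->pubkey = NULL;
+  srp->secret = NULL;
+  srp->u = NULL;
+  srp->key = NULL;
+  srp->ex_data = cstr_new();
+  srp->param_cb = NULL;
+  srp->meth = meth;
+  srp->meth_data = NULL;
+  //srp->slu = NULL;
+  if(srp->meth->init == NULL || (*srp->meth->init)(srp) == SRP_SUCCESS)
+    return srp;
+  free(srp);
+  return NULL;
+}
+
+_TYPE( SRP_RESULT )
+SRP_free(SRP * srp)
+{
+  if(srp->meth->finish)
+    (*srp->meth->finish)(srp);
+
+  if(srp->username)
+    cstr_clear_free(srp->username);
+  if(srp->modulus)
+    BigIntegerFree(srp->modulus);
+  if(srp->accel)
+    BigIntegerModAccelFree(srp->accel);
+  if(srp->generator)
+    BigIntegerFree(srp->generator);
+  if(srp->salt)
+    cstr_clear_free(srp->salt);
+  if(srp->verifier)
+    BigIntegerClearFree(srp->verifier);
+  if(srp->password)
+    BigIntegerClearFree(srp->password);
+  if(srp->pubkey)
+    BigIntegerFree(srp->pubkey);
+  if(srp->secret)
+    BigIntegerClearFree(srp->secret);
+  if(srp->u)
+    BigIntegerFree(srp->u);
+  if(srp->key)
+    BigIntegerClearFree(srp->key);
+  if(srp->bctx)
+    BigIntegerCtxFree(srp->bctx);
+  if(srp->ex_data)
+    cstr_clear_free(srp->ex_data);
+  free(srp);
+  return SRP_SUCCESS;
+}
+
+_TYPE( SRP_RESULT )
+SRP_set_client_param_verify_cb(SRP * srp, SRP_CLIENT_PARAM_VERIFY_CB cb)
+{
+  srp->param_cb = cb;
+  return SRP_SUCCESS;
+}
+
+_TYPE( SRP_RESULT )
+SRP_set_username(SRP * srp, const char * username)
+{
+  cstr_set(srp->username, username);
+  return SRP_SUCCESS;
+}
+
+_TYPE( SRP_RESULT )
+SRP_set_user_raw(SRP * srp, const unsigned char * user, int userlen)
+{
+  cstr_setn(srp->username, (const char*)user, userlen);
+  return SRP_SUCCESS;
+}
+
+_TYPE( SRP_RESULT )
+SRP_set_params(SRP * srp, const unsigned char * modulus, int modlen,
+	       const unsigned char * generator, int genlen,
+	       const unsigned char * salt, int saltlen)
+{
+  SRP_RESULT rc;
+
+  if(modulus == NULL || generator == NULL || salt == NULL)
+    return SRP_ERROR;
+
+  /* Set fields in SRP context */
+  srp->modulus = BigIntegerFromBytes(modulus, modlen);
+  if(srp->flags & SRP_FLAG_MOD_ACCEL)
+    srp->accel = BigIntegerModAccelNew(srp->modulus, srp->bctx);
+  srp->generator = BigIntegerFromBytes(generator, genlen);
+  if(srp->salt == NULL)
+    srp->salt = cstr_new();
+  cstr_setn(srp->salt, (const char*)salt, saltlen);
+
+  /* Now attempt to validate parameters */
+  if(BigIntegerBitLen(srp->modulus) < SRP_get_modulus_min_bits())
+    return SRP_ERROR;
+
+  if(srp->param_cb) {
+    rc = (*srp->param_cb)(srp, modulus, modlen, generator, genlen);
+    if(!SRP_OK(rc))
+      return rc;
+  }
+
+  return (*srp->meth->params)(srp, modulus, modlen, generator, genlen,
+			      salt, saltlen);
+}
+
+_TYPE( SRP_RESULT )
+SRP_set_authenticator(SRP * srp, const unsigned char * a, int alen)
+{
+  return (*srp->meth->auth)(srp, a, alen);
+}
+
+_TYPE( SRP_RESULT )
+SRP_set_auth_password(SRP * srp, const char * password)
+{
+  return (*srp->meth->passwd)(srp, (const unsigned char *)password,
+			      strlen(password));
+}
+
+_TYPE( SRP_RESULT )
+SRP_set_auth_password_raw(SRP * srp,
+			  const unsigned char * password, int passlen)
+{
+  return (*srp->meth->passwd)(srp, password, passlen);
+}
+
+_TYPE( SRP_RESULT )
+SRP_gen_pub(SRP * srp, cstr ** result)
+{
+  return (*srp->meth->genpub)(srp, result);
+}
+
+_TYPE( SRP_RESULT )
+SRP_add_ex_data(SRP * srp, const unsigned char * data, int datalen)
+{
+  cstr_appendn(srp->ex_data, (const char*)data, datalen);
+  return SRP_SUCCESS;
+}
+
+_TYPE( SRP_RESULT )
+SRP_compute_key(SRP * srp, cstr ** result,
+		const unsigned char * pubkey, int pubkeylen)
+{
+  return (*srp->meth->key)(srp, result, pubkey, pubkeylen);
+}
+
+_TYPE( SRP_RESULT )
+SRP_verify(SRP * srp, const unsigned char * proof, int prooflen)
+{
+  return (*srp->meth->verify)(srp, proof, prooflen);
+}
+
+_TYPE( SRP_RESULT )
+SRP_respond(SRP * srp, cstr ** proof)
+{
+  return (*srp->meth->respond)(srp, proof);
+}
+
+_TYPE( SRP_RESULT )
+SRP_use_engine(const char * engine)
+{
+  if(BigIntegerOK(BigIntegerUseEngine(engine)))
+    return SRP_SUCCESS;
+  else
+    return SRP_ERROR;
+}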
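Review bot: When `(*srp->meth->init)(srp)` fails, `SRP_new` frees only the `SRP` struct, so the `username` and `ex_data` strings and the `bctx` context it allocated a few lines earlier leak; the two `cstr_new()` results are also never checked for NULL before being dereferenced later. The failure path should release what this function allocated, mirroring the guarded calls `SRP_free` makes (but without `meth->finish`, which has no successful init to undo). Separately, `SRP_set_params` accepts any server-supplied modulus whose bit length reaches `SRP_get_modulus_min_bits()` unless a `param_cb` is installed, and the header's default is 512 bits; a client that talks to a non-trusted server should either raise the minimum or register `SRP_set_client_param_verify_cb`, and a comment at the `BigIntegerBitLen` check stating that this is the only parameter validation performed by default would make the expectation explicit. `srp->magic` is also never initialized in `SRP_new`, which is harmless only as long as nothing reads it.
```c
  srp->meth_data = NULL;
  //srp->slu = NULL;
  if(srp->meth->init == NULL || (*srp->meth->init)(srp) == SRP_SUCCESS)
    return srp;
  /* init failed: release only what this function allocated above */
  if(srp->username)
    cstr_clear_free(srp->username);
  if(srp->ex_data)
    cstr_clear_free(srp->ex_data);
  if(srp->bctx)
    BigIntegerCtxFree(srp->bctx);
  free(srp);
  return NULL;
```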
diff --git a/3rd_party/libsrp6a-sha512/srp.h b/3rd_party/libsrp6a-sha512/srp.h
new file mode 100644
index 0000000..b1d46af
--- /dev/null
+++ b/3rd_party/libsrp6a-sha512/srp.h
@@ -0,0 +1,372 @@
1/*
2 * Copyright (c) 1997-2007 The Stanford SRP Authentication Project
3 * All Rights Reserved.
4 *
5 * Permission is hereby granted, free of charge, to any person obtaining
6 * a copy of this software and associated documentation files (the
7 * "Software"), to deal in the Software without restriction, including
8 * without limitation the rights to use, copy, modify, merge, publish,
9 * distribute, sublicense, and/or sell copies of the Software, and to
10 * permit persons to whom the Software is furnished to do so, subject to
11 * the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be
14 * included in all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
17 * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
18 * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
19 *
20 * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL,
21 * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER
22 * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF
23 * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT
24 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
25 *
26 * Redistributions in source or binary form must retain an intact copy
27 * of this copyright notice.
28 */
29#ifndef _SRP_H_
30#define _SRP_H_
31
32#include "cstr.h"
33#include "srp_aux.h"
34
35#ifdef __cplusplus
36extern "C" {
37#endif
38
39/* SRP library version identification */
40#define SRP_VERSION_MAJOR 2
41#define SRP_VERSION_MINOR 0
42#define SRP_VERSION_PATCHLEVEL 1
43
44typedef int SRP_RESULT;
45/* Returned codes for SRP API functions */
46#define SRP_OK(v) ((v) == SRP_SUCCESS)
47#define SRP_SUCCESS 0
48#define SRP_ERROR -1
49
50/* Set the minimum number of bits acceptable in an SRP modulus */
51#define SRP_DEFAULT_MIN_BITS 512
52_TYPE( SRP_RESULT ) SRP_set_modulus_min_bits P((int minbits));
53_TYPE( int ) SRP_get_modulus_min_bits P((void));
54
55/*
56 * Sets the "secret size callback" function.
57 * This function is called with the modulus size in bits,
58 * and returns the size of the secret exponent in bits.
59 * The default function always returns 256 bits.
60 */
61typedef int (_CDECL * SRP_SECRET_BITS_CB)(int modsize);
62_TYPE( SRP_RESULT ) SRP_set_secret_bits_cb P((SRP_SECRET_BITS_CB cb));
63_TYPE( int ) SRP_get_secret_bits P((int modsize));
64
65typedef struct srp_st SRP;
66
67#if 0
68/* Server Lookup API */
69typedef struct srp_server_lu_st SRP_SERVER_LOOKUP;
70
71typedef struct srp_s_lu_meth_st {
72 const char * name;
73
74 SRP_RESULT (_CDECL * init)(SRP_SERVER_LOOKUP * slu);
75 SRP_RESULT (_CDECL * finish)(SRP_SERVER_LOOKUP * slu);
76
77 SRP_RESULT (_CDECL * lookup)(SRP_SERVER_LOOKUP * slu, SRP * srp, cstr * username);
78
79 void * meth_data;
80} SRP_SERVER_LOOKUP_METHOD;
81
82struct srp_server_lu_st {
83 SRP_SERVER_LOOKUP_METHOD * meth;
84 void * data;
85};
86
87/*
88 * The Server Lookup API deals with the server-side issue of
89 * mapping usernames to verifiers. Given a username, a lookup
90 * mechanism needs to provide parameters (N, g), salt (s), and
91 * password verifier (v) for that user.
92 *
93 * A SRP_SERVER_LOOKUP_METHOD describes the general mechanism
94 * for performing lookups (e.g. files, LDAP, database, etc.)
95 * A SRP_SERVER_LOOKUP is an active "object" that is actually
96 * called to do lookups.
97 */
98_TYPE( SRP_SERVER_LOOKUP * )
99 SRP_SERVER_LOOKUP_new P((SRP_SERVER_LOOKUP_METHOD * meth));
100_TYPE( SRP_RESULT ) SRP_SERVER_LOOKUP_free P((SRP_SERVER_LOOKUP * slu));
101_TYPE( SRP_RESULT ) SRP_SERVER_do_lookup P((SRP_SERVER_LOOKUP * slu,
102 SRP * srp, cstr * username));
103
104/*
105 * SRP_SERVER_system_lookup supercedes SRP_server_init_user.
106 */
107_TYPE( SRP_SERVER_LOOKUP * ) SRP_SERVER_system_lookup P((void));
108#endif
109
110/*
111 * Client Parameter Verification API
112 *
113 * This callback is called from the SRP client when the
114 * parameters (modulus and generator) are set. The callback
115 * should return SRP_SUCCESS if the parameters are okay,
116 * otherwise some error code to indicate that the parameters
117 * should be rejected.
118 */
119typedef SRP_RESULT (_CDECL * SRP_CLIENT_PARAM_VERIFY_CB)(SRP * srp, const unsigned char * mod, int modlen, const unsigned char * gen, int genlen);
120
121#if 0
122/* The default parameter verifier function */
123_TYPE( SRP_RESULT ) SRP_CLIENT_default_param_verify_cb(SRP * srp, const unsigned char * mod, int modlen, const unsigned char * gen, int genlen);
124/* A parameter verifier that only accepts builtin params (no prime test) */
125_TYPE( SRP_RESULT ) SRP_CLIENT_builtin_param_verify_cb(SRP * srp, const unsigned char * mod, int modlen, const unsigned char * gen, int genlen);
126/* The "classic" parameter verifier that accepts either builtin params
127 * immediately, and performs safe-prime tests on N and primitive-root
128 * tests on g otherwise. SECURITY WARNING: This may allow for certain
129 * attacks based on "trapdoor" moduli, so this is not recommended. */
130_TYPE( SRP_RESULT ) SRP_CLIENT_compat_param_verify_cb(SRP * srp, const unsigned char * mod, int modlen, const unsigned char * gen, int genlen);
131
132#endif
133
134/*
135 * Main SRP API - SRP and SRP_METHOD
136 */
137
138/* SRP method definitions */
139typedef struct srp_meth_st {
140 const char * name;
141
142 SRP_RESULT (_CDECL * init)(SRP * srp);
143 SRP_RESULT (_CDECL * finish)(SRP * srp);
144
145 SRP_RESULT (_CDECL * params)(SRP * srp,
146 const unsigned char * modulus, int modlen,
147 const unsigned char * generator, int genlen,
148 const unsigned char * salt, int saltlen);
149 SRP_RESULT (_CDECL * auth)(SRP * srp, const unsigned char * a, int alen);
150 SRP_RESULT (_CDECL * passwd)(SRP * srp,
151 const unsigned char * pass, int passlen);
152 SRP_RESULT (_CDECL * genpub)(SRP * srp, cstr ** result);
153 SRP_RESULT (_CDECL * key)(SRP * srp, cstr ** result,
154 const unsigned char * pubkey, int pubkeylen);
155 SRP_RESULT (_CDECL * verify)(SRP * srp,
156 const unsigned char * proof, int prooflen);
157 SRP_RESULT (_CDECL * respond)(SRP * srp, cstr ** proof);
158
159 void * data;
160} SRP_METHOD;
161
162/* Magic numbers for the SRP context header */
163#define SRP_MAGIC_CLIENT 12
164#define SRP_MAGIC_SERVER 28
165
166/* Flag bits for SRP struct */
167#define SRP_FLAG_MOD_ACCEL 0x1 /* accelerate modexp operations */
168#define SRP_FLAG_LEFT_PAD 0x2 /* left-pad to length-of-N inside hashes */
169
170/*
171 * A hybrid structure that represents either client or server state.
172 */
173struct srp_st {
174 int magic; /* To distinguish client from server (and for sanity) */
175
176 int flags;
177
178 cstr * username;
179
180 BigInteger modulus;
181 BigInteger generator;
182 cstr * salt;
183
184 BigInteger verifier;
185 BigInteger password;
186
187 BigInteger pubkey;
188 BigInteger secret;
189 BigInteger u;
190
191 BigInteger key;
192
193 cstr * ex_data;
194
195 SRP_METHOD * meth;
196 void * meth_data;
197
198 BigIntegerCtx bctx; /* to cache temporaries if available */
199 BigIntegerModAccel accel; /* to accelerate modexp if available */
200
201 SRP_CLIENT_PARAM_VERIFY_CB param_cb; /* to verify params */
202 //SRP_SERVER_LOOKUP * slu; /* to look up users */
203};
204
205/*
206 * Global initialization/de-initialization functions.
207 * Call SRP_initialize_library before using the library,
208 * and SRP_finalize_library when done.
209 */
210_TYPE( SRP_RESULT ) SRP_initialize_library();
211_TYPE( SRP_RESULT ) SRP_finalize_library();
212
213/*
214 * SRP_new() creates a new SRP context object -
215 * the method determines which "sense" (client or server)
216 * the object operates in. SRP_free() frees it.
217 * (See RFC2945 method definitions below.)
218 */
219_TYPE( SRP * ) SRP_new P((SRP_METHOD * meth));
220_TYPE( SRP_RESULT ) SRP_free P((SRP * srp));
221
222#if 0
223/*
224 * Use the supplied lookup object to look up user parameters and
225 * password verifier. The lookup function gets called during
226 * SRP_set_username/SRP_set_user_raw below. Using this function
227 * means that the server can avoid calling SRP_set_params and
228 * SRP_set_authenticator, since the lookup function handles that
229 * internally.
230 */
231_TYPE( SRP_RESULT ) SRP_set_server_lookup P((SRP * srp,
232 SRP_SERVER_LOOKUP * lookup));
233#endif
234
235/*
236 * Use the supplied callback function to verify parameters
237 * (modulus, generator) given to the client.
238 */
239_TYPE( SRP_RESULT )
240 SRP_set_client_param_verify_cb P((SRP * srp,
241 SRP_CLIENT_PARAM_VERIFY_CB cb));
242
243/*
244 * Both client and server must call both SRP_set_username and
245 * SRP_set_params, in that order, before calling anything else.
246 * SRP_set_user_raw is an alternative to SRP_set_username that
247 * accepts an arbitrary length-bounded octet string as input.
248 */
249_TYPE( SRP_RESULT ) SRP_set_username P((SRP * srp, const char * username));
250_TYPE( SRP_RESULT ) SRP_set_user_raw P((SRP * srp, const unsigned char * user,
251 int userlen));
252_TYPE( SRP_RESULT )
253 SRP_set_params P((SRP * srp,
254 const unsigned char * modulus, int modlen,
255 const unsigned char * generator, int genlen,
256 const unsigned char * salt, int saltlen));
257
258/*
259 * On the client, SRP_set_authenticator, SRP_gen_exp, and
260 * SRP_add_ex_data can be called in any order.
261 * On the server, SRP_set_authenticator must come first,
262 * followed by SRP_gen_exp and SRP_add_ex_data in either order.
263 */
264/*
265 * The authenticator is the secret possessed by either side.
266 * For the server, this is the bigendian verifier, as an octet string.
267 * For the client, this is the bigendian raw secret, as an octet string.
268 * The server's authenticator must be the generator raised to the power
269 * of the client's raw secret modulo the common modulus for authentication
270 * to succeed.
271 *
272 * SRP_set_auth_password computes the authenticator from a plaintext
273 * password and then calls SRP_set_authenticator automatically. This is
274 * usually used on the client side, while the server usually uses
275 * SRP_set_authenticator (since it doesn't know the plaintext password).
276 */
277_TYPE( SRP_RESULT )
278 SRP_set_authenticator P((SRP * srp, const unsigned char * a, int alen));
279_TYPE( SRP_RESULT )
280 SRP_set_auth_password P((SRP * srp, const char * password));
281_TYPE( SRP_RESULT )
282 SRP_set_auth_password_raw P((SRP * srp,
283 const unsigned char * password,
284 int passlen));
285
286/*
287 * SRP_gen_pub generates the random exponential residue to send
288 * to the other side. If using SRP-3/RFC2945, the server must
289 * withhold its result until it receives the client's number.
290 * If using SRP-6, the server can send its value immediately
291 * without waiting for the client.
292 *
293 * If "result" points to a NULL pointer, a new cstr object will be
294 * created to hold the result, and "result" will point to it.
295 * If "result" points to a non-NULL cstr pointer, the result will be
296 * placed there.
297 * If "result" itself is NULL, no result will be returned,
298 * although the big integer value will still be available
299 * through srp->pubkey in the SRP struct.
300 */
301_TYPE( SRP_RESULT ) SRP_gen_pub P((SRP * srp, cstr ** result));
302/*
303 * Append the data to the extra data segment. Authentication will
304 * not succeed unless both sides add precisely the same data in
305 * the same order.
306 */
307_TYPE( SRP_RESULT ) SRP_add_ex_data P((SRP * srp, const unsigned char * data,
308 int datalen));
309
310/*
311 * SRP_compute_key must be called after the previous three methods.
312 */
313_TYPE( SRP_RESULT ) SRP_compute_key P((SRP * srp, cstr ** result,
314 const unsigned char * pubkey,
315 int pubkeylen));
316
317/*
318 * On the client, call SRP_respond first to get the response to send
319 * to the server, and call SRP_verify to verify the server's response.
320 * On the server, call SRP_verify first to verify the client's response,
321 * and call SRP_respond ONLY if verification succeeds.
322 *
323 * It is an error to call SRP_respond with a NULL pointer.
324 */
325_TYPE( SRP_RESULT ) SRP_verify P((SRP * srp,
326 const unsigned char * proof, int prooflen));
327_TYPE( SRP_RESULT ) SRP_respond P((SRP * srp, cstr ** response));
328
329/* RFC2945-style SRP authentication */
330
331#define RFC2945_KEY_LEN 40 /* length of session key (bytes) */
332#define RFC2945_RESP_LEN 20 /* length of proof hashes (bytes) */
333
334/*
335 * RFC2945-style SRP authentication methods. Use these like:
336 * SRP * srp = SRP_new(SRP_RFC2945_client_method());
337 */
338_TYPE( SRP_METHOD * ) SRP_RFC2945_client_method P((void));
339_TYPE( SRP_METHOD * ) SRP_RFC2945_server_method P((void));
340
341/*
342 * SRP-6 and SRP-6a authentication methods.
343 * SRP-6a is recommended for better resistance to 2-for-1 attacks.
344 */
345_TYPE( SRP_METHOD * ) SRP6_client_method P((void));
346_TYPE( SRP_METHOD * ) SRP6_server_method P((void));
347_TYPE( SRP_METHOD * ) SRP6a_client_method P((void));
348_TYPE( SRP_METHOD * ) SRP6a_server_method P((void));
349
350_TYPE( SRP_METHOD * ) SRP6a_sha512_client_method P((void));
351
352/*
353 * Convenience function - SRP_server_init_user
354 * Looks up the username from the system EPS configuration and calls
355 * SRP_set_username, SRP_set_params, and SRP_set_authenticator to
356 * initialize server state for that user.
357 *
358 * This is deprecated in favor of SRP_SERVER_system_lookup() and
359 * the Server Lookup API.
360 */
361_TYPE( SRP_RESULT ) SRP_server_init_user P((SRP * srp, const char * username));
362
363/*
364 * Use the named engine for acceleration.
365 */
366_TYPE( SRP_RESULT ) SRP_use_engine P((const char * engine));
367
368#ifdef __cplusplus
369}
370#endif
371
372#endif /* _SRP_H_ */
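diff --git a/3rd_party/libsrp6a-sha512/srp6a_sha512_client.c b/3rd_party/libsrp6a-sha512/srp6a_sha512_client.c
new file mode 100644
index 0000000..db59fe8
--- /dev/null
+++ b/3rd_party/libsrp6a-sha512/srp6a_sha512_client.c
@@ -0,0 +1,363 @@
+/*
+ * Copyright (c) 1997-2007 The Stanford SRP Authentication Project
+ * All Rights Reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
+ * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL,
+ * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER
+ * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF
+ * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Redistributions in source or binary form must retain an intact copy
+ * of this copyright notice.
+ */
+#include "t_defines.h"
+#include "srp.h"
+#include "t_sha.h"
+
+/*
+ * SRP-6/6a has two minor refinements relative to SRP-3/RFC2945:
+ * 1. The "g^x" value is multipled by three in the client's
+ * calculation of its session key.
+ * SRP-6a: The "g^x" value is multiplied by the hash of
+ * N and g in the client's session key calculation.
+ * 2. The value of u is taken as the hash of A and B,
+ * instead of the top 32 bits of the hash of B.
+ * This eliminates the old restriction where the
+ * server had to receive A before it could send B.
+ */
+
+/****************************/
+#define SHA512_DIGESTSIZE 64
+#define SRP6_SHA512_KEY_LEN 64
+
+/*
+ * The client keeps track of the running hash
+ * state via SHA512_CTX structures pointed to by the
+ * meth_data pointer. The "hash" member is the hash value that
+ * will be sent to the other side; the "ckhash" member is the
+ * hash value expected from the other side.
+ */
+struct sha512_client_meth_st {
+ SHA512_CTX hash;
+ SHA512_CTX ckhash;
+ unsigned char k[SRP6_SHA512_KEY_LEN];
+};
+
+#define SHA512_CLIENT_CTXP(srp) ((struct sha512_client_meth_st *)(srp)->meth_data)
+
+static SRP_RESULT
+srp6a_sha512_client_init(SRP * srp)
+{
+ srp->magic = SRP_MAGIC_CLIENT;
+ srp->flags = SRP_FLAG_MOD_ACCEL | SRP_FLAG_LEFT_PAD;
+ srp->meth_data = malloc(sizeof(struct sha512_client_meth_st));
+ SHA512Init(&SHA512_CLIENT_CTXP(srp)->hash);
+ SHA512Init(&SHA512_CLIENT_CTXP(srp)->ckhash);
+ return SRP_SUCCESS;
+}
+
+static SRP_RESULT
+srp6_sha512_client_finish(SRP * srp)
+{
+ if(srp->meth_data) {
+ memset(srp->meth_data, 0, sizeof(struct sha512_client_meth_st));
+ free(srp->meth_data);
+ }
+ return SRP_SUCCESS;
+}
+
+static SRP_RESULT
+srp6_sha512_client_params(SRP * srp, const unsigned char * modulus, int modlen,
+ const unsigned char * generator, int genlen,
+ const unsigned char * salt, int saltlen)
+{
+ int i;
+ unsigned char buf1[SHA512_DIGESTSIZE], buf2[SHA512_DIGESTSIZE];
+ SHA512_CTX ctxt;
+
+ /* Fields set by SRP_set_params */
+
+ /* Update hash state */
+ SHA512Init(&ctxt);
+ SHA512Update(&ctxt, modulus, modlen);
+ SHA512Final(buf1, &ctxt); /* buf1 = H(modulus) */
+
+ SHA512Init(&ctxt);
+ SHA512Update(&ctxt, generator, genlen);
+ SHA512Final(buf2, &ctxt); /* buf2 = H(generator) */
+
+ for(i = 0; i < sizeof(buf1); ++i)
+ buf1[i] ^= buf2[i]; /* buf1 = H(modulus) xor H(generator) */
+
+ /* hash: H(N) xor H(g) */
+ SHA512Update(&SHA512_CLIENT_CTXP(srp)->hash, buf1, sizeof(buf1));
+
+ SHA512Init(&ctxt);
+ SHA512Update(&ctxt, srp->username->data, srp->username->length);
+ SHA512Final(buf1, &ctxt); /* buf1 = H(user) */
+
+ /* hash: (H(N) xor H(g)) | H(U) */
+ SHA512Update(&SHA512_CLIENT_CTXP(srp)->hash, buf1, sizeof(buf1));
+
+ /* hash: (H(N) xor H(g)) | H(U) | s */
+ SHA512Update(&SHA512_CLIENT_CTXP(srp)->hash, salt, saltlen);
+
+ return SRP_SUCCESS;
+}
+
+static SRP_RESULT
+srp6_sha512_client_auth(SRP * srp, const unsigned char * a, int alen)
+{
+ /* On the client, the authenticator is the raw password-derived hash */
+ srp->password = BigIntegerFromBytes(a, alen);
+
+ /* verifier = g^x mod N */
+ srp->verifier = BigIntegerFromInt(0);
+ BigIntegerModExp(srp->verifier, srp->generator, srp->password, srp->modulus, srp->bctx, srp->accel);
+
+ return SRP_SUCCESS;
+}
+
+static SRP_RESULT
+srp6_sha512_client_passwd(SRP * srp, const unsigned char * p, int plen)
+{
+ SHA512_CTX ctxt;
+ unsigned char dig[SHA512_DIGESTSIZE];
+ int r;
+
+ SHA512Init(&ctxt);
+ SHA512Update(&ctxt, srp->username->data, srp->username->length);
+ SHA512Update(&ctxt, ":", 1);
+ SHA512Update(&ctxt, p, plen);
+ SHA512Final(dig, &ctxt); /* dig = H(U | ":" | P) */
+
+ SHA512Init(&ctxt);
+ SHA512Update(&ctxt, srp->salt->data, srp->salt->length);
+ SHA512Update(&ctxt, dig, sizeof(dig));
+ SHA512Final(dig, &ctxt); /* dig = H(s | H(U | ":" | P)) */
+ memset(&ctxt, 0, sizeof(ctxt));
+
+ r = SRP_set_authenticator(srp, dig, sizeof(dig));
+ memset(dig, 0, sizeof(dig));
+
+ return r;
+}
+
+static SRP_RESULT
+srp6_sha512_client_genpub(SRP * srp, cstr ** result)
+{
+ cstr * astr;
+ int slen = (SRP_get_secret_bits(BigIntegerBitLen(srp->modulus)) + 7) / 8;
+
+ if(result == NULL)
+ astr = cstr_new();
+ else {
+ if(*result == NULL)
+ *result = cstr_new();
+ astr = *result;
+ }
+
+ cstr_set_length(astr, BigIntegerByteLen(srp->modulus));
+ t_random((unsigned char*)astr->data, slen);
+ srp->secret = BigIntegerFromBytes((const unsigned char*)astr->data, slen);
+ /* Force g^a mod n to "wrap around" by adding log[2](n) to "a". */
+ BigIntegerAddInt(srp->secret, srp->secret, BigIntegerBitLen(srp->modulus));
+ /* A = g^a mod n */
+ srp->pubkey = BigIntegerFromInt(0);
+ BigIntegerModExp(srp->pubkey, srp->generator, srp->secret, srp->modulus, srp->bctx, srp->accel);
+ BigIntegerToCstr(srp->pubkey, astr);
+
+ /* hash: (H(N) xor H(g)) | H(U) | s | A */
+ SHA512Update(&SHA512_CLIENT_CTXP(srp)->hash, astr->data, astr->length);
+ /* ckhash: A */
+ SHA512Update(&SHA512_CLIENT_CTXP(srp)->ckhash, astr->data, astr->length);
+
+ if(result == NULL) /* astr was a temporary */
+ cstr_clear_free(astr);
+
+ return SRP_SUCCESS;
+}
+
+static SRP_RESULT
+srp6_sha512_client_key_ex(SRP * srp, cstr ** result,
+ const unsigned char * pubkey, int pubkeylen, BigInteger k)
+{
+ SHA512_CTX ctxt;
+ unsigned char dig[SHA512_DIGESTSIZE];
+ BigInteger gb, e;
+ cstr * s;
+ int modlen;
+
+ modlen = BigIntegerByteLen(srp->modulus);
+ if(pubkeylen > modlen)
+ return SRP_ERROR;
+
+ /* Compute u from client's and server's values */
+ SHA512Init(&ctxt);
+ /* Use s as a temporary to store client's value */
+ s = cstr_new();
+ if(srp->flags & SRP_FLAG_LEFT_PAD) {
+ BigIntegerToCstrEx(srp->pubkey, s, modlen);
+ SHA512Update(&ctxt, s->data, s->length);
+ if(pubkeylen < modlen) {
+ memcpy(s->data + (modlen - pubkeylen), pubkey, pubkeylen);
+ memset(s->data, 0, modlen - pubkeylen);
+ SHA512Update(&ctxt, s->data, modlen);
+ }
+ else
+ SHA512Update(&ctxt, pubkey, pubkeylen);
+ }
+ else {
+ BigIntegerToCstr(srp->pubkey, s);
+ SHA512Update(&ctxt, s->data, s->length);
+ SHA512Update(&ctxt, pubkey, pubkeylen);
+ }
+ SHA512Final(dig, &ctxt);
+ srp->u = BigIntegerFromBytes(dig, SHA512_DIGESTSIZE);
+
+ /* hash: (H(N) xor H(g)) | H(U) | s | A | B */
+ SHA512Update(&SHA512_CLIENT_CTXP(srp)->hash, pubkey, pubkeylen);
+
+ gb = BigIntegerFromBytes(pubkey, pubkeylen);
+ /* reject B == 0, B >= modulus */
+ if(BigIntegerCmp(gb, srp->modulus) >= 0 || BigIntegerCmpInt(gb, 0) == 0) {
+ BigIntegerFree(gb);
+ cstr_clear_free(s);
+ return SRP_ERROR;
+ }
+ e = BigIntegerFromInt(0);
+ srp->key = BigIntegerFromInt(0);
+ /* unblind g^b (mod N) */
+ BigIntegerSub(srp->key, srp->modulus, srp->verifier);
+ /* use e as temporary, e == -k*v (mod N) */
+ BigIntegerMul(e, k, srp->key, srp->bctx);
+ BigIntegerAdd(e, e, gb);
+ BigIntegerMod(gb, e, srp->modulus, srp->bctx);
+
+ /* compute gb^(a + ux) (mod N) */
+ BigIntegerMul(e, srp->password, srp->u, srp->bctx);
+ BigIntegerAdd(e, e, srp->secret); /* e = a + ux */
+
+ BigIntegerModExp(srp->key, gb, e, srp->modulus, srp->bctx, srp->accel);
+ BigIntegerClearFree(e);
+ BigIntegerClearFree(gb);
+
+ /* convert srp->key into a session key, update hash states */
+ BigIntegerToCstr(srp->key, s);
+ SHA512Init(&ctxt);
+ SHA512Update(&ctxt, s->data, s->length);
+ SHA512Final((unsigned char*)&SHA512_CLIENT_CTXP(srp)->k, &ctxt);
+ cstr_clear_free(s);
+
+ /* hash: (H(N) xor H(g)) | H(U) | s | A | B | K */
+ SHA512Update(&SHA512_CLIENT_CTXP(srp)->hash, SHA512_CLIENT_CTXP(srp)->k, SRP6_SHA512_KEY_LEN);
+ /* hash: (H(N) xor H(g)) | H(U) | s | A | B | K | ex_data */
+ if(srp->ex_data->length > 0)
+ SHA512Update(&SHA512_CLIENT_CTXP(srp)->hash,
+ srp->ex_data->data, srp->ex_data->length);
+ if(result) {
+ if(*result == NULL)
+ *result = cstr_new();
+ cstr_setn(*result, (const char*)SHA512_CLIENT_CTXP(srp)->k, SRP6_SHA512_KEY_LEN);
+ }
+
+ return SRP_SUCCESS;
+}
+
+static SRP_RESULT
+srp6a_sha512_client_key(SRP * srp, cstr ** result,
+ const unsigned char * pubkey, int pubkeylen)
+{
+ SRP_RESULT ret;
+ BigInteger k;
+ cstr * s;
+ SHA512_CTX ctxt;
+ unsigned char dig[SHA512_DIGESTSIZE];
+
+ SHA512Init(&ctxt);
+ s = cstr_new();
+ BigIntegerToCstr(srp->modulus, s);
+ SHA512Update(&ctxt, s->data, s->length);
+ if(srp->flags & SRP_FLAG_LEFT_PAD)
+ BigIntegerToCstrEx(srp->generator, s, s->length);
+ else
+ BigIntegerToCstr(srp->generator, s);
+ SHA512Update(&ctxt, s->data, s->length);
+ SHA512Final(dig, &ctxt);
+ cstr_free(s);
+
+ k = BigIntegerFromBytes(dig, SHA512_DIGESTSIZE);
+ if(BigIntegerCmpInt(k, 0) == 0)
+ ret = SRP_ERROR;
+ else
+ ret = srp6_sha512_client_key_ex(srp, result, pubkey, pubkeylen, k);
+ BigIntegerClearFree(k);
+ return ret;
+}
+
+static SRP_RESULT
+srp6_sha512_client_verify(SRP * srp, const unsigned char * proof, int prooflen)
+{
+ unsigned char expected[SHA512_DIGESTSIZE];
+
+ SHA512Final(expected, &SHA512_CLIENT_CTXP(srp)->ckhash);
+ if(prooflen == SHA512_DIGESTSIZE && memcmp(expected, proof, prooflen) == 0)
+ return SRP_SUCCESS;
+ else
+ return SRP_ERROR;
+}
+
+static SRP_RESULT
+srp6_sha512_client_respond(SRP * srp, cstr ** proof)
+{
+ if(proof == NULL)
+ return SRP_ERROR;
+
+ if(*proof == NULL)
+ *proof = cstr_new();
+
+ /* proof contains client's response */
+ cstr_set_length(*proof, SHA512_DIGESTSIZE);
+ SHA512Final((unsigned char*)(*proof)->data, &SHA512_CLIENT_CTXP(srp)->hash);
+
+ /* ckhash: A | M | K */
+ SHA512Update(&SHA512_CLIENT_CTXP(srp)->ckhash, (*proof)->data, (*proof)->length);
+ SHA512Update(&SHA512_CLIENT_CTXP(srp)->ckhash, SHA512_CLIENT_CTXP(srp)->k, SRP6_SHA512_KEY_LEN);
+ return SRP_SUCCESS;
+}
+
+static SRP_METHOD srp6a_sha512_client_meth = {
+ "SRP-6a sha512 client (tjw)",
+ srp6a_sha512_client_init,
+ srp6_sha512_client_finish,
+ srp6_sha512_client_params,
+ srp6_sha512_client_auth,
+ srp6_sha512_client_passwd,
+ srp6_sha512_client_genpub,
+ srp6a_sha512_client_key,
+ srp6_sha512_client_verify,
+ srp6_sha512_client_respond,
+ NULL
+};
+
+_TYPE( SRP_METHOD * )
+SRP6a_sha512_client_method()
+{
+ return &srp6a_sha512_client_meth;
+}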
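Review bot: srp6a_sha512_client_init stores the malloc() result in srp->meth_data and immediately dereferences it through SHA512_CLIENT_CTXP, so an allocation failure becomes a null-pointer write instead of an error return; add `if(srp->meth_data == NULL) return SRP_ERROR;` before the two SHA512Init calls. In srp6_sha512_client_key_ex the scrambling parameter u = H(A|B) is used in the exponent without a zero check, and SRP-6a requires aborting in that case, so after `srp->u = BigIntegerFromBytes(dig, SHA512_DIGESTSIZE);` add `if(BigIntegerCmpInt(srp->u, 0) == 0) { cstr_clear_free(s); return SRP_ERROR; }`. The same function also feeds B into the running transcript hash before the B == 0 / B >= N rejection, which leaves the hash state polluted on the error path. srp6_sha512_client_finish frees meth_data without clearing the pointer, so a second finish call would double-free; `srp->meth_data = NULL;` after free() closes that. srp6_sha512_client_verify compares the server proof with memcmp(), where a constant-time comparison would be the conventional choice, though the length check in front of it does keep the read in bounds.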
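diff --git a/3rd_party/libsrp6a-sha512/srp_aux.h b/3rd_party/libsrp6a-sha512/srp_aux.h
new file mode 100644
index 0000000..5088f08
--- /dev/null
+++ b/3rd_party/libsrp6a-sha512/srp_aux.h
@@ -0,0 +1,146 @@
+/*
+ * Copyright (c) 1997-2007 The Stanford SRP Authentication Project
+ * All Rights Reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
+ * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL,
+ * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER
+ * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF
+ * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Redistributions in source or binary form must retain an intact copy
+ * of this copyright notice.
+ */
+
+#ifndef SRP_AUX_H
+#define SRP_AUX_H
+
+#include "cstr.h"
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+/* BigInteger abstraction API */
+
+#ifndef MATH_PRIV
+typedef void * BigInteger;
+typedef void * BigIntegerCtx;
+typedef void * BigIntegerModAccel;
+#endif
+
+/*
+ * Some functions return a BigIntegerResult.
+ * Use BigIntegerOK to test for success.
+ */
+#define BIG_INTEGER_SUCCESS 0
+#define BIG_INTEGER_ERROR -1
+#define BigIntegerOK(v) ((v) == BIG_INTEGER_SUCCESS)
+typedef int BigIntegerResult;
+
+_TYPE( BigInteger ) BigIntegerFromInt P((unsigned int number));
+_TYPE( BigInteger ) BigIntegerFromBytes P((const unsigned char * bytes,
+ int length));
+#define BigIntegerByteLen(X) ((BigIntegerBitLen(X)+7)/8)
+_TYPE( int ) BigIntegerToBytes P((BigInteger src,
+ unsigned char * dest, int destlen));
+_TYPE( BigIntegerResult ) BigIntegerToCstr P((BigInteger src, cstr * dest));
+_TYPE( BigIntegerResult ) BigIntegerToCstrEx P((BigInteger src, cstr * dest, int len));
+_TYPE( BigIntegerResult ) BigIntegerToHex P((BigInteger src,
+ char * dest, int destlen));
+_TYPE( BigIntegerResult ) BigIntegerToString P((BigInteger src,
+ char * dest, int destlen,
+ unsigned int radix));
+_TYPE( int ) BigIntegerBitLen P((BigInteger b));
+_TYPE( int ) BigIntegerCmp P((BigInteger c1, BigInteger c2));
+_TYPE( int ) BigIntegerCmpInt P((BigInteger c1, unsigned int c2));
+_TYPE( BigIntegerResult ) BigIntegerLShift P((BigInteger result, BigInteger x,
+ unsigned int bits));
+_TYPE( BigIntegerResult ) BigIntegerAdd P((BigInteger result,
+ BigInteger a1, BigInteger a2));
+_TYPE( BigIntegerResult ) BigIntegerAddInt P((BigInteger result,
+ BigInteger a1, unsigned int a2));
+_TYPE( BigIntegerResult ) BigIntegerSub P((BigInteger result,
+ BigInteger s1, BigInteger s2));
+_TYPE( BigIntegerResult ) BigIntegerSubInt P((BigInteger result,
+ BigInteger s1, unsigned int s2));
+/* For BigIntegerMul{,Int}: result != m1, m2 */
+_TYPE( BigIntegerResult ) BigIntegerMul P((BigInteger result, BigInteger m1,
+ BigInteger m2, BigIntegerCtx ctx));
+_TYPE( BigIntegerResult ) BigIntegerMulInt P((BigInteger result,
+ BigInteger m1, unsigned int m2,
+ BigIntegerCtx ctx));
+_TYPE( BigIntegerResult ) BigIntegerDivInt P((BigInteger result,
+ BigInteger d, unsigned int m,
+ BigIntegerCtx ctx));
+_TYPE( BigIntegerResult ) BigIntegerMod P((BigInteger result, BigInteger d,
+ BigInteger m, BigIntegerCtx ctx));
+_TYPE( unsigned int ) BigIntegerModInt P((BigInteger d, unsigned int m,
+ BigIntegerCtx ctx));
+_TYPE( BigIntegerResult ) BigIntegerModMul P((BigInteger result,
+ BigInteger m1, BigInteger m2,
+ BigInteger m, BigIntegerCtx ctx));
+_TYPE( BigIntegerResult ) BigIntegerModExp P((BigInteger result,
+ BigInteger base, BigInteger expt,
+ BigInteger modulus,
+ BigIntegerCtx ctx,
+ BigIntegerModAccel accel));
+_TYPE( int ) BigIntegerCheckPrime P((BigInteger n, BigIntegerCtx ctx));
+
+_TYPE( BigIntegerResult ) BigIntegerFree P((BigInteger b));
+_TYPE( BigIntegerResult ) BigIntegerClearFree P((BigInteger b));
+
+_TYPE( BigIntegerCtx ) BigIntegerCtxNew();
+_TYPE( BigIntegerResult ) BigIntegerCtxFree P((BigIntegerCtx ctx));
+
+_TYPE( BigIntegerModAccel ) BigIntegerModAccelNew P((BigInteger m,
+ BigIntegerCtx ctx));
+_TYPE( BigIntegerResult ) BigIntegerModAccelFree P((BigIntegerModAccel accel));
+
+_TYPE( BigIntegerResult ) BigIntegerInitialize();
+_TYPE( BigIntegerResult ) BigIntegerFinalize();
+
+_TYPE( BigIntegerResult ) BigIntegerUseEngine P((const char * engine));
+_TYPE( BigIntegerResult ) BigIntegerReleaseEngine();
+
+/* Miscellaneous functions - formerly in t_pwd.h */
+
+/*
+ * "t_random" is a cryptographic random number generator, which is seeded
+ * from various high-entropy sources and uses a one-way hash function
+ * in a feedback configuration.
+ * "t_sessionkey" is the interleaved hash used to generate session keys
+ * from a large integer.
+ * "t_mgf1" is an implementation of MGF1 using SHA1 to generate session
+ * keys from large integers, and is preferred over the older
+ * interleaved hash, and is used with SRP6.
+ * "t_getpass" reads a password from the terminal without echoing.
+ */
+_TYPE( void ) t_random P((unsigned char *, unsigned));
+_TYPE( void ) t_stronginitrand();
+_TYPE( unsigned char * )
+ t_sessionkey P((unsigned char *, unsigned char *, unsigned));
+_TYPE( void ) t_mgf1 P((unsigned char *, unsigned,
+ const unsigned char *, unsigned));
+_TYPE( int ) t_getpass P((char *, unsigned, const char *));
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* SRP_AUX_H */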
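Review bot: BigIntegerCtxNew, BigIntegerInitialize, BigIntegerFinalize, BigIntegerReleaseEngine and t_stronginitrand are declared with an empty parameter list `()` while every other declaration in this header goes through the `P((...))` macro; in C11 an empty list is an unprototyped declaration, so the compiler cannot check arguments at call sites and -Wstrict-prototypes warns. Use `P((void))` for these, e.g. `_TYPE( BigIntegerCtx ) BigIntegerCtxNew P((void));`. The same inconsistency is present for SRP_initialize_library and SRP_finalize_library in srp.h. The t_random/t_mgf1 comment block still describes MGF1 "using SHA1", which may be stale for this sha512 variant of the library — worth confirming against the implementation before it is relied on.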
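diff --git a/3rd_party/libsrp6a-sha512/t_conv.c b/3rd_party/libsrp6a-sha512/t_conv.c
new file mode 100644
index 0000000..f7f50e2
--- /dev/null
+++ b/3rd_party/libsrp6a-sha512/t_conv.c
@@ -0,0 +1,258 @@
+/*
+ * Copyright (c) 1997-2007 The Stanford SRP Authentication Project
+ * All Rights Reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
+ * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL,
+ * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER
+ * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF
+ * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Redistributions in source or binary form must retain an intact copy
+ * of this copyright notice.
+ */
+
+/*#define _POSIX_SOURCE*/
+#include <stdio.h>
+#include "t_defines.h"
+#include "cstr.h"
+
+static int
+hexDigitToInt(c)
+ char c;
+{
+ if(c >= '0' && c <= '9')
+ return c - '0';
+ else if(c >= 'a' && c <= 'f')
+ return c - 'a' + 10;
+ else if(c >= 'A' && c <= 'F')
+ return c - 'A' + 10;
+ else
+ return 0;
+}
+
+/*
+ * Convert a hex string to a string of bytes; return size of dst
+ */
+_TYPE( int )
+t_fromhex(dst, src)
+ char * dst;
+ const char * src;
+{
+ register char *chp = dst;
+ register unsigned size = strlen(src);
+
+ /* FIXME: handle whitespace and non-hex digits by setting size and src
+ appropriately. */
+
+ if(size % 2 == 1) {
+ *chp++ = hexDigitToInt(*src++);
+ --size;
+ }
+ while(size > 0) {
+ *chp++ = (hexDigitToInt(*src) << 4) | hexDigitToInt(*(src + 1));
+ src += 2;
+ size -= 2;
+ }
+ return chp - dst;
+}
+
+/*
+ * Convert a string of bytes to their hex representation
+ */
+_TYPE( char * )
+t_tohex(dst, src, size)
+ char * dst;
+ const char * src;
+ unsigned size;
+{
+ int notleading = 0;
+
+ register char *chp = dst;
+ *dst = '\0';
+ if (size != 0) do {
+ if(notleading || *src != '\0') {
+ if(!notleading && (*src & 0xf0) == 0) {
+ sprintf(chp, "%.1X", * (unsigned char *) src);
+ chp += 1;
+ }
+ else {
+ sprintf(chp, "%.2X", * (unsigned char *) src);
+ chp += 2;
+ }
+ notleading = 1;
+ }
+ ++src;
+ } while (--size != 0);
+ return dst;
+}
+
+_TYPE( char * )
+t_tohexcstr(dst, src, size)
+ cstr * dst;
+ const char * src;
+ unsigned size;
+{
+ cstr_set_length(dst, 2 * size + 1);
+ return t_tohex(dst->data, src, size);
+}
+
+static char b64table[] =
+ "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./";
+
+/*
+ * Convert a base64 string into raw byte array representation.
+ */
+_TYPE( int )
+t_fromb64(dst, src)
+ char * dst;
+ const char * src;
+{
+ unsigned char *a;
+ char *loc;
+ int i, j;
+ unsigned int size;
+
+ while(*src && (*src == ' ' || *src == '\t' || *src == '\n'))
+ ++src;
+ size = strlen(src);
+
+ a = malloc((size + 1) * sizeof(unsigned char));
+ if(a == (unsigned char *) 0)
+ return -1;
+
+ i = 0;
+ while(i < size) {
+ loc = strchr(b64table, src[i]);
+ if(loc == (char *) 0)
+ break;
+ else
+ a[i] = loc - b64table;
+ ++i;
+ }
+ size = i;
+
+ i = size - 1;
+ j = size;
+ while(1) {
+ a[j] = a[i];
+ if(--i < 0)
+ break;
+ a[j] |= (a[i] & 3) << 6;
+ --j;
+ a[j] = (unsigned char) ((a[i] & 0x3c) >> 2);
+ if(--i < 0)
+ break;
+ a[j] |= (a[i] & 0xf) << 4;
+ --j;
+ a[j] = (unsigned char) ((a[i] & 0x30) >> 4);
+ if(--i < 0)
+ break;
+ a[j] |= (a[i] << 2);
+
+ a[--j] = 0;
+ if(--i < 0)
+ break;
+ }
+
+ while(a[j] == 0 && j <= size)
+ ++j;
+
+ memcpy(dst, a + j, size - j + 1);
+ free(a);
+ return size - j + 1;
+}
+
+_TYPE( int )
+t_cstrfromb64(dst, src)
+ cstr * dst;
+ const char * src;
+{
+ int len;
+ cstr_set_length(dst, (strlen(src) * 6 + 7) / 8);
+ len = t_fromb64(dst->data, src);
+ cstr_set_length(dst, len);
+ return len;
+}
+
+/*
+ * Convert a raw byte string into a null-terminated base64 ASCII string.
+ */
+_TYPE( char * )
+t_tob64(dst, src, size)
+ char * dst;
+ const char * src;
+ unsigned size;
+{
+ int c, pos = size % 3;
+ unsigned char b0 = 0, b1 = 0, b2 = 0, notleading = 0;
+ char *olddst = dst;
+
+ switch(pos) {
+ case 1:
+ b2 = src[0];
+ break;
+ case 2:
+ b1 = src[0];
+ b2 = src[1];
+ break;
+ }
+
+ while(1) {
+ c = (b0 & 0xfc) >> 2;
+ if(notleading || c != 0) {
+ *dst++ = b64table[c];
+ notleading = 1;
+ }
+ c = ((b0 & 3) << 4) | ((b1 & 0xf0) >> 4);
+ if(notleading || c != 0) {
+ *dst++ = b64table[c];
+ notleading = 1;
+ }
+ c = ((b1 & 0xf) << 2) | ((b2 & 0xc0) >> 6);
+ if(notleading || c != 0) {
+ *dst++ = b64table[c];
+ notleading = 1;
+ }
+ c = b2 & 0x3f;
+ if(notleading || c != 0) {
+ *dst++ = b64table[c];
+ notleading = 1;
+ }
+ if(pos >= size)
+ break;
+ else {
+ b0 = src[pos++];
+ b1 = src[pos++];
+ b2 = src[pos++];
+ }
+ }
+
+ *dst++ = '\0';
+ return olddst;
+}
+
+_TYPE( char * )
+t_tob64cstr(dst, src, sz)
+ cstr * dst;
+ const char * src;
+ unsigned int sz;
+{
+ cstr_set_length(dst, (sz * 8 + 5) / 6 + 1);
+ return t_tob64(dst->data, src, sz);
+}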
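Review bot: t_fromb64 reads before the start of its heap block when the input is empty or its first character is not in b64table: after the lookup loop `size` is 0, so `i = size - 1` is -1 and the first `a[j] = a[i];` evaluates a[-1]. Add `if(size == 0) { free(a); return 0; }` directly after `size = i;`, which also makes t_cstrfromb64 set a zero length for such input. The lookup loop condition `while(i < size)` compares a signed int against an unsigned, and t_fromhex writes through dst with no bound beyond strlen(src), so the caller's obligation to provide at least (strlen(src)+1)/2 bytes belongs in its comment. The sprintf calls in t_tohex are bounded by their formats, but `snprintf(chp, 3, ...)` would make that explicit to the next reader and to static analysers.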
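--- /dev/null
+++ b/3rd_party/libsrp6a-sha512/t_defines.h
@@ -0,0 +1,137 @@
+/*
+ * Copyright (c) 1997-2007 The Stanford SRP Authentication Project
+ * All Rights Reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
+ * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL,
+ * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER
+ * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF
+ * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Redistributions in source or binary form must retain an intact copy
+ * of this copyright notice.
+ */
+
+#ifndef T_DEFINES_H
+#define T_DEFINES_H
+
+#ifndef P
+#if defined(__STDC__) || defined(__cplusplus)
+#define P(x) x
+#else
+#define P(x) ()
+#endif
+#endif
+
+#ifdef HAVE_CONFIG_H
+#include "config.h"
+#endif /* HAVE_CONFIG_H */
+
+#ifndef _DLLDECL
+#define _DLLDECL
+
+#ifdef MSVC15 /* MSVC1.5 support for 16 bit apps */
+#define _MSVC15EXPORT _export
+#define _MSVC20EXPORT
+#define _DLLAPI _export _pascal
+#define _CDECL
+#define _TYPE(a) a _MSVC15EXPORT
+#define DLLEXPORT 1
+
+#elif defined(MSVC20) || (defined(_USRDLL) && defined(SRP_EXPORTS))
+#define _MSVC15EXPORT
+#define _MSVC20EXPORT _declspec(dllexport)
+#define _DLLAPI
+#define _CDECL
+#define _TYPE(a) _MSVC20EXPORT a
+#define DLLEXPORT 1
+
+#else /* Default, non-dll. Use this for Unix or DOS */
+#define _MSVC15DEXPORT
+#define _MSVC20EXPORT
+#define _DLLAPI
+#if defined(WINDOWS) || defined(WIN32)
+#define _CDECL _cdecl
+#else
+#define _CDECL
+#endif
+#define _TYPE(a) a _CDECL
+#endif
+#endif
+
+#if STDC_HEADERS
+#include <stdlib.h>
+#include <string.h>
+#else /* not STDC_HEADERS */
+#ifndef HAVE_STRCHR
+#define strchr index
+#define strrchr rindex
+#endif
+char *strchr(), *strrchr(), *strtok();
+#ifndef HAVE_MEMCPY
+#define memcpy(d, s, n) bcopy((s), (d), (n))
+#endif
+#endif /* not STDC_HEADERS */
+
+#include <sys/types.h>
+
+#if TIME_WITH_SYS_TIME
+#include <sys/time.h>
+#include <time.h>
+#else /* not TIME_WITH_SYS_TIME */
+#if HAVE_SYS_TIME_H
+#include <sys/time.h>
+#else
+#include <time.h>
+#endif
+#endif /* not TIME_WITH_SYS_TIME */
+
+#if HAVE_TERMIOS_H
+#include <termios.h>
+#define STTY(fd, termio) tcsetattr(fd, TCSANOW, termio)
+#define GTTY(fd, termio) tcgetattr(fd, termio)
+#define TERMIO struct termios
+#define USE_TERMIOS
+#elif HAVE_TERMIO_H
+#include <sys/ioctl.h>
+#include <termio.h>
+#define STTY(fd, termio) ioctl(fd, TCSETA, termio)
+#define GTTY(fd, termio) ioctl(fd, TCGETA, termio)
+#define TEMRIO struct termio
+#define USE_TERMIO
+#elif HAVE_SGTTY_H
+#include <sgtty.h>
+#define STTY(fd, termio) stty(fd, termio)
+#define GTTY(fd, termio) gtty(fd, termio)
+#define TERMIO struct sgttyb
+#define USE_SGTTY
+#endif
+
+#ifdef WIN32
+#define USE_FTIME 1
+#define USE_RENAME 1
+#define NO_FCHMOD 1
+#endif
+
+#ifdef USE_FTIME
+#include <sys/timeb.h>
+#endif
+
+/* Looking for BigInteger math functions? They've moved to <srp_aux.h>. */
+
+#endif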
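Review bot: `#define TEMRIO struct termio` in the HAVE_TERMIO_H branch misspells the macro, so on a platform that has <termio.h> but not <termios.h> the TERMIO name defined by the other two branches is never defined; it should read `#define TERMIO struct termio`. The default non-DLL branch has the same kind of slip, `#define _MSVC15DEXPORT`, where the two MSVC branches define `_MSVC15EXPORT`. Both are upstream typos carried into the vendored copy and neither affects a termios-based Unix build, which is presumably what this project targets, but fixing them here keeps the header usable on the configurations it claims to support.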
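--- /dev/null
+++ b/3rd_party/libsrp6a-sha512/t_math.c
@@ -0,0 +1,1008 @@
+/*
+ * Copyright (c) 1997-2007 The Stanford SRP Authentication Project
+ * All Rights Reserved.
+ *
+ * Permission is hereby granted, free of charge, to any person obtaining
+ * a copy of this software and associated documentation files (the
+ * "Software"), to deal in the Software without restriction, including
+ * without limitation the rights to use, copy, modify, merge, publish,
+ * distribute, sublicense, and/or sell copies of the Software, and to
+ * permit persons to whom the Software is furnished to do so, subject to
+ * the following conditions:
+ *
+ * The above copyright notice and this permission notice shall be
+ * included in all copies or substantial portions of the Software.
+ *
+ * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
+ * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
+ * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
+ *
+ * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL,
+ * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER
+ * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF
+ * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT
+ * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ *
+ * Redistributions in source or binary form must retain an intact copy
+ * of this copyright notice.
+ */
+
+#include <stdio.h>
+#include <sys/types.h>
+
+#include "config.h"
+
+#ifdef OPENSSL
+# include "openssl/opensslv.h"
+# include "openssl/bn.h"
+typedef BIGNUM * BigInteger;
+typedef BN_CTX * BigIntegerCtx;
+typedef BN_MONT_CTX * BigIntegerModAccel;
+#include <limits.h>
+# ifdef OPENSSL_ENGINE
+# include "openssl/engine.h"
+static ENGINE * default_engine = NULL;
+# endif /* OPENSSL_ENGINE */
+typedef int (*modexp_meth)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p,
+ const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *mctx);
+static modexp_meth default_modexp = NULL;
+#elif defined(CRYPTOLIB)
+# include "libcrypt.h"
+typedef BigInt BigInteger;
+typedef void * BigIntegerCtx;
+typedef void * BigIntegerModAccel;
+#elif defined(GNU_MP)
+# include "gmp.h"
+typedef MP_INT * BigInteger;
+typedef void * BigIntegerCtx;
+typedef void * BigIntegerModAccel;
+# if __GNU_MP_VERSION >= 4 || (__GNU_MP_VERSION == 4 && __GNU_MP_VERSION_MINOR >= 1)
+/* GMP 4.1 and up has fast import/export routines for integer conversion */
+# define GMP_IMPEXP 1
+# endif
+#elif defined(TOMMATH)
+# ifdef TOMCRYPT
+ /* as of v0.96 */
+# include "ltc_tommath.h"
+# else
+# include "tommath.h"
+# endif
+typedef mp_int * BigInteger;
+typedef void * BigIntegerCtx;
+typedef void * BigIntegerModAccel;
+#elif defined(GCRYPT)
+# include "gcrypt.h"
+typedef gcry_mpi_t BigInteger;
+typedef void * BigIntegerCtx;
+typedef void * BigIntegerModAccel;
+#elif defined(MPI)
+# include "mpi.h"
+typedef mp_int * BigInteger;
+typedef void * BigIntegerCtx;
+typedef void * BigIntegerModAccel;
+#elif defined(MBEDTLS)
+#include <mbedtls/bignum.h>
+#include <mbedtls/error.h>
+typedef mbedtls_mpi* BigInteger;
+typedef void * BigIntegerCtx;
+typedef void * BigIntegerModAccel;
+#else
+# error "no math library specified"
+#endif
+#define MATH_PRIV
+
+#include "t_defines.h"
+#include "t_pwd.h"
+#include "srp_aux.h"
+
+/* Math library interface stubs */
+
+BigInteger
+BigIntegerFromInt(n)
+ unsigned int n;
+{
+#ifdef OPENSSL
+ BIGNUM * a = BN_new();
+ if(a)
+ BN_set_word(a, n);
+ return a;
+#elif defined(CRYPTOLIB)
+ return bigInit(n);
+#elif defined(GNU_MP)
+ BigInteger rv = (BigInteger) malloc(sizeof(MP_INT));
+ if(rv)
+ mpz_init_set_ui(rv, n);
+ return rv;
+#elif defined(GCRYPT)
+ BigInteger rv = gcry_mpi_new(32);
+ gcry_mpi_set_ui(rv, n);
+ return rv;
+#elif defined(MPI) || defined(TOMMATH)
+ BigInteger rv = (BigInteger) malloc(sizeof(mp_int));
+ if(rv) {
+ mp_init(rv);
+ mp_set_int(rv, n);
+ }
+ return rv;
+#elif defined(MBEDTLS)
+ mbedtls_mpi* a = (mbedtls_mpi*)malloc(sizeof(mbedtls_mpi));
+ if (a) {
+ mbedtls_mpi_init(a);
+ mbedtls_mpi_lset(a, n);
+ }
+ return a;
+#endif
+}
+
+BigInteger
+BigIntegerFromBytes(bytes, length)
+ const unsigned char * bytes;
+ int length;
+{
+#ifdef OPENSSL
+ BIGNUM * a = BN_new();
+ BN_bin2bn(bytes, length, a);
+ return a;
+#elif defined(CRYPTOLIB)
+ BigInteger rv, t;
+ int i, n;
+
+ rv = bigInit(0);
+ if(rv == NULL)
+ return rv;
+ if(length % 4 == 0)
+ RSA_bufToBig(bytes, length, rv);
+ else { /* Wouldn't need this if cryptolib behaved better */
+ i = length & 0x3;
+ if(length > i)
+ RSA_bufToBig(bytes + i, length - i, rv);
+ for(n = 0; i > 0; --i)
+ n = (n << 8) | *bytes++;
+ t = bigInit(n);
+ bigLeftShift(t, (length & ~0x3) << 3, t);
+ bigAdd(rv, t, rv);
+ freeBignum(t);
+ }
+ return rv;
+#elif defined(GNU_MP)
+ BigInteger rv = (BigInteger) malloc(sizeof(MP_INT));
+
+# ifdef GMP_IMPEXP
+ if(rv) {
+ mpz_init(rv);
+ mpz_import(rv, length, 1, 1, 1, 0, bytes);
+ }
+# else
+ cstr * hexbuf = cstr_new();
+
+ if(hexbuf) {
+ if(rv)
+ mpz_init_set_str(rv, t_tohexcstr(hexbuf, bytes, length), 16);
+ cstr_clear_free(hexbuf);
+ }
+# endif /* GMP_IMPEXP */
+
+ return rv;
+#elif defined(GCRYPT)
+ BigInteger rv;
+ gcry_mpi_scan(&rv, GCRYMPI_FMT_USG, bytes, length, NULL);
+ return rv;
+#elif defined(MPI) || defined(TOMMATH)
+ BigInteger rv = (BigInteger) malloc(sizeof(mp_int));
+ if(rv) {
+ mp_init(rv);
+ mp_read_unsigned_bin(rv, (unsigned char *)bytes, length);
+ }
+ return rv;
+#elif defined(MBEDTLS)
+ mbedtls_mpi* a = (mbedtls_mpi*)malloc(sizeof(mbedtls_mpi));
+ if (a) {
+ mbedtls_mpi_init(a);
+ mbedtls_mpi_read_binary(a, bytes, length);
+ }
+ return a;
+#endif
+}
+
+int
+BigIntegerToBytes(src, dest, destlen)
+ BigInteger src;
+ unsigned char * dest;
+ int destlen;
+{
+#ifdef OPENSSL
+ return BN_bn2bin(src, dest);
+#elif defined(CRYPTOLIB)
+ int i, j;
+ cstr * rawbuf;
+
+ trim(src);
+ i = bigBytes(src);
+ j = (bigBits(src) + 7) / 8;
+ if(i == j)
+ RSA_bigToBuf(src, i, dest);
+ else { /* Wouldn't need this if cryptolib behaved better */
+ rawbuf = cstr_new();
+ cstr_set_length(rawbuf, i);
+ RSA_bigToBuf(src, i, rawbuf->data);
+ memcpy(dest, rawbuf->data + (i-j), j);
+ cstr_clear_free(rawbuf);
+ }
+ return j;
+#elif defined(GNU_MP)
+ size_t r = 0;
+# ifdef GMP_IMPEXP
+ mpz_export(dest, &r, 1, 1, 1, 0, src);
+# else
+ cstr * hexbuf = cstr_new();
+
+ if(hexbuf) {
+ cstr_set_length(hexbuf, mpz_sizeinbase(src, 16) + 1);
+ mpz_get_str(hexbuf->data, 16, src);
+ r = t_fromhex(dest, hexbuf->data);
+ cstr_clear_free(hexbuf);
+ }
+# endif
+ return r;
+#elif defined(GCRYPT)
+ size_t r = 0;
+ gcry_mpi_print(GCRYMPI_FMT_USG, dest, destlen, &r, src);
+ return r;
+#elif defined(MPI) || defined(TOMMATH)
+ mp_to_unsigned_bin(src, dest);
+ return mp_unsigned_bin_size(src);
+#elif defined(MBEDTLS)
+ size_t r = mbedtls_mpi_size(src);
+ mbedtls_mpi_write_binary(src, dest, r);
+ return r;
+#endif
+}
+
+BigIntegerResult
+BigIntegerToCstr(BigInteger x, cstr * out)
+{
+ int n = BigIntegerByteLen(x);
+ if(cstr_set_length(out, n) < 0)
+ return BIG_INTEGER_ERROR;
+ if(cstr_set_length(out, BigIntegerToBytes(x, (unsigned char*)out->data, n)) < 0)
+ return BIG_INTEGER_ERROR;
+ return BIG_INTEGER_SUCCESS;
+}
+
+BigIntegerResult
+BigIntegerToCstrEx(BigInteger x, cstr * out, int len)
+{
+ int n;
+ if(cstr_set_length(out, len) < 0)
+ return BIG_INTEGER_ERROR;
+#if defined(MBEDTLS)
+ /* mbedtls will prefix the output with zeros if the buffer is larger */
+ mbedtls_mpi_write_binary(x, (unsigned char*)out->data, len);
+#else
+ n = BigIntegerToBytes(x, (unsigned char*)out->data, len);
+ if(n < len) {
+ memmove(out->data + (len - n), out->data, n);
+ memset(out->data, 0, len - n);
+ }
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+BigIntegerResult
+BigIntegerToHex(src, dest, destlen)
+ BigInteger src;
+ char * dest;
+ int destlen;
+{
+#ifdef OPENSSL
+ strncpy(dest, BN_bn2hex(src), destlen);
+#elif defined(CRYPTOLIB)
+ trim(src);
+ bigsprint(src, dest);
+#elif defined(GNU_MP)
+ mpz_get_str(dest, 16, src);
+#elif defined(GCRYPT)
+ gcry_mpi_print(GCRYMPI_FMT_HEX, dest, destlen, NULL, src);
+#elif defined(MPI) || defined(TOMMATH)
+ mp_toradix(src, dest, 16);
+#elif defined(MBEDTLS)
+ size_t olen = 0;
+ mbedtls_mpi_write_string(src, 16, dest, destlen, &olen);
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+static char b64table[] =
+ "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./";
+
+BigIntegerResult
+BigIntegerToString(src, dest, destlen, radix)
+ BigInteger src;
+ char * dest;
+ int destlen;
+ unsigned int radix;
+{
+ BigInteger t = BigIntegerFromInt(0);
+ char * p = dest;
+ char c;
+
+ *p++ = b64table[BigIntegerModInt(src, radix, NULL)];
+ BigIntegerDivInt(t, src, radix, NULL);
+ while(BigIntegerCmpInt(t, 0) > 0) {
+ *p++ = b64table[BigIntegerModInt(t, radix, NULL)];
+ BigIntegerDivInt(t, t, radix, NULL);
+ }
+ BigIntegerFree(t);
+ *p-- = '\0';
+ /* reverse the string */
+ while(p > dest) {
+ c = *p;
+ *p-- = *dest;
+ *dest++ = c;
+ }
+ return BIG_INTEGER_SUCCESS;
+}
+
+int
+BigIntegerBitLen(b)
+ BigInteger b;
+{
+#ifdef OPENSSL
+ return BN_num_bits(b);
+#elif defined(CRYPTOLIB)
+ return bigBits(b);
+#elif defined(GNU_MP)
+ return mpz_sizeinbase(b, 2);
+#elif defined(GCRYPT)
+ return gcry_mpi_get_nbits(b);
+#elif defined(MPI) || defined(TOMMATH)
+ return mp_count_bits(b);
+#elif defined(MBEDTLS)
+ return (int)mbedtls_mpi_bitlen(b);
+#endif
+}
+
+int
+BigIntegerCmp(c1, c2)
+ BigInteger c1, c2;
+{
+#ifdef OPENSSL
+ return BN_cmp(c1, c2);
+#elif defined(CRYPTOLIB)
+ return bigCompare(c1, c2);
+#elif defined(GNU_MP)
+ return mpz_cmp(c1, c2);
+#elif defined(GCRYPT)
+ return gcry_mpi_cmp(c1, c2);
+#elif defined(MPI) || defined(TOMMATH)
+ return mp_cmp(c1, c2);
+#elif defined(MBEDTLS)
+ return mbedtls_mpi_cmp_mpi(c1, c2);
+#endif
+}
+
+int
+BigIntegerCmpInt(c1, c2)
+ BigInteger c1;
+ unsigned int c2;
+{
+#ifdef OPENSSL
+ BigInteger bc2 = BigIntegerFromInt(c2);
+ int rv = BigIntegerCmp(c1, bc2);
+ BigIntegerFree(bc2);
+ return rv;
+#elif defined(CRYPTOLIB)
+ BigInteger t;
+ int rv;
+
+ t = bigInit(c2);
+ rv = bigCompare(c1, t);
+ freeBignum(t);
+ return rv;
+#elif defined(GNU_MP)
+ return mpz_cmp_ui(c1, c2);
+#elif defined(TOMMATH)
+ return mp_cmp_d(c1, c2);
+#elif defined(GCRYPT)
+ return gcry_mpi_cmp_ui(c1, c2);
+#elif defined(MPI)
+ return mp_cmp_int(c1, c2);
+#elif defined(MBEDTLS)
+ return mbedtls_mpi_cmp_int(c1, c2);
+#endif
+}
+
+BigIntegerResult
+BigIntegerLShift(result, x, bits)
+ BigInteger result, x;
+ unsigned int bits;
+{
+#ifdef OPENSSL
+ BN_lshift(result, x, bits);
+#elif defined(CRYPTOLIB)
+ bigLeftShift(x, bits, result);
+#elif defined(GNU_MP)
+ mpz_mul_2exp(result, x, bits);
+#elif defined(GCRYPT)
+ gcry_mpi_mul_2exp(result, x, bits);
+#elif defined(MPI) || defined(TOMMATH)
+ mp_mul_2d(x, bits, result);
+#elif defined(MBEDTLS)
+ mbedtls_mpi_copy(result, x);
+ mbedtls_mpi_shift_l(result, bits);
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+BigIntegerResult
+BigIntegerAdd(result, a1, a2)
+ BigInteger result, a1, a2;
+{
+#ifdef OPENSSL
+ BN_add(result, a1, a2);
+#elif defined(CRYPTOLIB)
+ bigAdd(a1, a2, result);
+#elif defined(GNU_MP)
+ mpz_add(result, a1, a2);
+#elif defined(GCRYPT)
+ gcry_mpi_add(result, a1, a2);
+#elif defined(MPI) || defined(TOMMATH)
+ mp_add(a1, a2, result);
+#elif defined(MBEDTLS)
+ mbedtls_mpi_add_mpi(result, a1, a2);
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+BigIntegerResult
+BigIntegerAddInt(result, a1, a2)
+ BigInteger result, a1;
+ unsigned int a2;
+{
+#ifdef OPENSSL
+ if(result != a1)
+ BN_copy(result, a1);
+ BN_add_word(result, a2);
+#elif defined(CRYPTOLIB)
+ BigInteger t;
+
+ t = bigInit(a2);
+ bigAdd(a1, t, result);
+ freeBignum(t);
+#elif defined(GNU_MP)
+ mpz_add_ui(result, a1, a2);
+#elif defined(GCRYPT)
+ gcry_mpi_add_ui(result, a1, a2);
+#elif defined(MPI) || defined(TOMMATH)
+ mp_add_d(a1, a2, result);
+#elif defined(MBEDTLS)
+ mbedtls_mpi_add_int(result, a1, a2);
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+BigIntegerResult
+BigIntegerSub(result, s1, s2)
+ BigInteger result, s1, s2;
+{
+#ifdef OPENSSL
+ BN_sub(result, s1, s2);
+#elif defined(CRYPTOLIB)
+ bigSubtract(s1, s2, result);
+#elif defined(GNU_MP)
+ mpz_sub(result, s1, s2);
+#elif defined(GCRYPT)
+ gcry_mpi_sub(result, s1, s2);
+#elif defined(MPI) || defined(TOMMATH)
+ mp_sub(s1, s2, result);
+#elif defined(MBEDTLS)
+ mbedtls_mpi_sub_mpi(result, s1, s2);
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+BigIntegerResult
+BigIntegerSubInt(result, s1, s2)
+ BigInteger result, s1;
+ unsigned int s2;
+{
+#ifdef OPENSSL
+ if(result != s1)
+ BN_copy(result, s1);
+ BN_sub_word(result, s2);
+#elif defined(CRYPTOLIB)
+ BigInteger t;
+
+ t = bigInit(s2);
+ bigSubtract(s1, t, result);
+ freeBignum(t);
+#elif defined(GNU_MP)
+ mpz_sub_ui(result, s1, s2);
+#elif defined(GCRYPT)
+ gcry_mpi_sub_ui(result, s1, s2);
+#elif defined(MPI) || defined(TOMMATH)
+ mp_sub_d(s1, s2, result);
+#elif defined(MBEDTLS)
+ mbedtls_mpi_sub_int(result, s1, s2);
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+BigIntegerResult
+BigIntegerMul(result, m1, m2, c)
+ BigInteger result, m1, m2;
+ BigIntegerCtx c;
+{
+#ifdef OPENSSL
+ BN_CTX * ctx = NULL;
+ if(c == NULL)
+ c = ctx = BN_CTX_new();
+ BN_mul(result, m1, m2, c);
+ if(ctx)
+ BN_CTX_free(ctx);
+#elif defined(CRYPTOLIB)
+ bigMultiply(m1, m2, result);
+#elif defined(GNU_MP)
+ mpz_mul(result, m1, m2);
+#elif defined(GCRYPT)
+ gcry_mpi_mul(result, m1, m2);
+#elif defined(MPI) || defined(TOMMATH)
+ mp_mul(m1, m2, result);
+#elif defined(MBEDTLS)
+ mbedtls_mpi_mul_mpi(result, m1, m2);
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+BigIntegerResult
+BigIntegerMulInt(result, m1, m2, c)
+ BigInteger result, m1;
+ unsigned int m2;
+ BigIntegerCtx c;
+{
+#ifdef OPENSSL
+ if(result != m1)
+ BN_copy(result, m1);
+ BN_mul_word(result, m2);
+#elif defined(CRYPTOLIB)
+ BigInteger t;
+
+ t = bigInit(m2);
+ bigMultiply(m1, t, result);
+ freeBignum(t);
+#elif defined(GNU_MP)
+ mpz_mul_ui(result, m1, m2);
+#elif defined(GCRYPT)
+ gcry_mpi_mul_ui(result, m1, m2);
+#elif defined(MPI) || defined(TOMMATH)
+ mp_mul_d(m1, m2, result);
+#elif defined(MBEDTLS)
+ mbedtls_mpi_mul_int(result, m1, m2);
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+BigIntegerResult
+BigIntegerDivInt(result, d, m, c)
+ BigInteger result, d;
+ unsigned int m;
+ BigIntegerCtx c;
+{
+#ifdef OPENSSL
+ if(result != d)
+ BN_copy(result, d);
+ BN_div_word(result, m);
+#elif defined(CRYPTOLIB)
+ BigInteger t, u, q;
+
+ t = bigInit(m);
+ u = bigInit(0);
+ /* We use a separate variable q because cryptolib breaks if result == d */
+ q = bigInit(0);
+ bigDivide(d, t, q, u);
+ freeBignum(t);
+ freeBignum(u);
+ bigCopy(q, result);
+ freeBignum(q);
+#elif defined(GNU_MP)
+# ifdef GMP2
+ mpz_fdiv_q_ui(result, d, m);
+# else
+ mpz_div_ui(result, d, m);
+# endif
+#elif defined(GCRYPT)
+ BigInteger t = BigIntegerFromInt(m);
+ gcry_mpi_div(result, NULL, d, t, -1);
+ BigIntegerFree(t);
+#elif defined(MPI) || defined(TOMMATH)
+ mp_div_d(d, m, result, NULL);
+#elif defined(MBEDTLS)
+ mbedtls_mpi_div_int(result, NULL, d, m);
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+BigIntegerResult
+BigIntegerMod(result, d, m, c)
+ BigInteger result, d, m;
+ BigIntegerCtx c;
+{
+#ifdef OPENSSL
+ BN_CTX * ctx = NULL;
+ if(c == NULL)
+ c = ctx = BN_CTX_new();
+ BN_mod(result, d, m, c);
+ if(ctx)
+ BN_CTX_free(ctx);
+#elif defined(CRYPTOLIB)
+ bigMod(d, m, result);
+#elif defined(GNU_MP)
+ mpz_mod(result, d, m);
+#elif defined(GCRYPT)
+ gcry_mpi_mod(result, d, m);
+#elif defined(MPI) || defined(TOMMATH)
+ mp_mod(d, m, result);
+#elif defined(MBEDTLS)
+ mbedtls_mpi_mod_mpi(result, d, m);
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+unsigned int
+BigIntegerModInt(d, m, c)
+ BigInteger d;
+ unsigned int m;
+ BigIntegerCtx c;
+{
+#ifdef OPENSSL
+ return BN_mod_word(d, m);
+#elif defined(CRYPTOLIB)
+ BigInteger t, u;
+ unsigned char r[4];
+
+ t = bigInit(m);
+ u = bigInit(0);
+ bigMod(d, t, u);
+ bigToBuf(u, sizeof(r), r);
+ freeBignum(t);
+ freeBignum(u);
+ return r[0] | (r[1] << 8) | (r[2] << 16) | (r[3] << 24);
+#elif defined(GNU_MP)
+ MP_INT result;
+ unsigned int i;
+
+ mpz_init(&result);
+
+/* Define GMP2 if you're using an old gmp.h but want to link against a
+ * newer libgmp.a (e.g. 2.0 or later). */
+
+# ifdef GMP2
+ mpz_fdiv_r_ui(&result, d, m);
+# else
+ mpz_mod_ui(&result, d, m);
+# endif
+ i = mpz_get_ui(&result);
+ mpz_clear(&result);
+ return i;
+#elif defined(GCRYPT)
+ /* TODO: any way to clean this up??? */
+ unsigned char r[4];
+ size_t len, i;
+ unsigned int ret = 0;
+ BigInteger t = BigIntegerFromInt(m);
+ BigInteger a = BigIntegerFromInt(0);
+ gcry_mpi_mod(a, d, t);
+ gcry_mpi_print(GCRYMPI_FMT_USG, r, 4, &len, a);
+ for(i = 0; i < len; ++i)
+ ret = (ret << 8) | r[i];
+ BigIntegerFree(t);
+ BigIntegerFree(a);
+ return ret;
+#elif defined(MPI) || defined(TOMMATH)
+ mp_digit r;
+ mp_mod_d(d, m, &r);
+ return r;
+#elif defined(MBEDTLS)
+ mbedtls_mpi_uint r = 0;
+ mbedtls_mpi_mod_int(&r, d, m);
+ return r;
+#endif
+}
+
+BigIntegerResult
+BigIntegerModMul(r, m1, m2, modulus, c)
+ BigInteger r, m1, m2, modulus;
+ BigIntegerCtx c;
+{
+#ifdef OPENSSL
+ BN_CTX * ctx = NULL;
+ if(c == NULL)
+ c = ctx = BN_CTX_new();
+ BN_mod_mul(r, m1, m2, modulus, c);
+ if(ctx)
+ BN_CTX_free(ctx);
+#elif defined(CRYPTOLIB)
+ bigMultiply(m1, m2, r);
+ bigMod(r, modulus, r);
+#elif defined(GNU_MP)
+ mpz_mul(r, m1, m2);
+ mpz_mod(r, r, modulus);
+#elif defined(GCRYPT)
+ gcry_mpi_mulm(r, m1, m2, modulus);
+#elif defined(MPI) || defined(TOMMATH)
+ mp_mulmod(m1, m2, modulus, r);
+#elif defined(MBEDTLS)
+ mbedtls_mpi d;
+ mbedtls_mpi_init(&d);
+ mbedtls_mpi_mul_mpi(&d, m1, m2);
+ mbedtls_mpi_mod_mpi(r, &d, modulus);
+ mbedtls_mpi_free(&d);
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+BigIntegerResult
+BigIntegerModExp(r, b, e, m, c, a)
+ BigInteger r, b, e, m;
+ BigIntegerCtx c;
+ BigIntegerModAccel a;
+{
+#ifdef OPENSSL
+#if OPENSSL_VERSION_NUMBER >= 0x00906000
+ BN_ULONG B = BN_get_word(b);
+#endif
+ BN_CTX * ctx = NULL;
+ if(c == NULL)
+ c = ctx = BN_CTX_new();
+ if(default_modexp) {
+ (*default_modexp)(r, b, e, m, c, a);
+ }
+ else if(a == NULL) {
+ BN_mod_exp(r, b, e, m, c);
+ }
+#if OPENSSL_VERSION_NUMBER >= 0x00906000
+ else if(B > 0 && B < ULONG_MAX) { /* 0.9.6 and above has mont_word optimization */
+ BN_mod_exp_mont_word(r, B, e, m, c, a);
+ }
+#endif
+ else
+ BN_mod_exp_mont(r, b, e, m, c, a);
+ if(ctx)
+ BN_CTX_free(ctx);
+#elif defined(CRYPTOLIB)
+ bigPow(b, e, m, r);
+#elif defined(GNU_MP)
+ mpz_powm(r, b, e, m);
+#elif defined(GCRYPT)
+ gcry_mpi_powm(r, b, e, m);
+#elif defined(MPI) || defined(TOMMATH)
+ mp_exptmod(b, e, m, r);
+#elif defined(MBEDTLS)
+ mbedtls_mpi_exp_mod(r, b, e, m, NULL);
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+#if defined(MBEDTLS)
+int _mbedtls_f_rng(void* unused, unsigned char *buf, size_t size)
+{
+ t_random(buf, size);
+ return 0;
+}
+#endif
+
+int
+BigIntegerCheckPrime(n, c)
+ BigInteger n;
+ BigIntegerCtx c;
+{
+#ifdef OPENSSL
+ int rv;
+ BN_CTX * ctx = NULL;
+ if(c == NULL)
+ c = ctx = BN_CTX_new();
+#if OPENSSL_VERSION_NUMBER >= 0x00908000
+ rv = BN_is_prime_ex(n, 25, c, NULL);
+#else
+ rv = BN_is_prime(n, 25, NULL, c, NULL);
+#endif
+ if(ctx)
+ BN_CTX_free(ctx);
+ return rv;
+#elif defined(CRYPTOLIB)
+#if 0
+ /*
+ * Ugh. Not only is cryptolib's bigDivide sensitive to inputs
+ * and outputs being the same, but now the primeTest needs random
+ * numbers, which it gets by calling cryptolib's broken truerand
+ * implementation(!) We have to fake it out by doing our own
+ * seeding explicitly.
+ */
+ static int seeded = 0;
+ static unsigned char seedbuf[64];
+ if(!seeded) {
+ t_random(seedbuf, sizeof(seedbuf));
+ seedDesRandom(seedbuf, sizeof(seedbuf));
+ memset(seedbuf, 0, sizeof(seedbuf));
+ seeded = 1;
+ }
+#endif /* 0 */
+ t_random(NULL, 0);
+ return primeTest(n);
+#elif defined(GNU_MP)
+ return mpz_probab_prime_p(n, 25);
+#elif defined(GCRYPT)
+ return (gcry_prime_check(n, 0) == GPG_ERR_NO_ERROR);
+#elif defined(TOMMATH)
+ int rv;
+ mp_prime_is_prime(n, 25, &rv);
+ return rv;
+#elif defined(MPI)
+ return (mpp_pprime(n, 25) == MP_YES);
+#elif defined(MBEDTLS)
+ return mbedtls_mpi_is_prime_ext(n, 25, _mbedtls_f_rng, NULL);
+#endif
+}
+
+BigIntegerResult
+BigIntegerFree(b)
+ BigInteger b;
+{
+#ifdef OPENSSL
+ BN_free(b);
+#elif defined(CRYPTOLIB)
+ freeBignum(b);
+#elif defined(GNU_MP)
+ mpz_clear(b);
+ free(b);
+#elif defined(GCRYPT)
+ gcry_mpi_release(b);
+#elif defined(MPI) || defined(TOMMATH)
+ mp_clear(b);
+ free(b);
+#elif defined(MBEDTLS)
+ mbedtls_mpi_free(b);
+ free(b);
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+BigIntegerResult
+BigIntegerClearFree(b)
+ BigInteger b;
+{
+#ifdef OPENSSL
+ BN_clear_free(b);
+#elif defined(CRYPTOLIB)
+ /* TODO */
+ freeBignum(b);
+#elif defined(GNU_MP)
+ /* TODO */
+ mpz_clear(b);
+ free(b);
+#elif defined(GCRYPT)
+ /* TODO */
+ gcry_mpi_release(b);
+#elif defined(MPI) || defined(TOMMATH)
+ /* TODO */
+ mp_clear(b);
+ free(b);
+#elif defined(MBEDTLS)
+ mbedtls_mpi_free(b);
+ free(b);
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+BigIntegerCtx
+BigIntegerCtxNew()
+{
+#ifdef OPENSSL
+ return BN_CTX_new();
+#else
+ return NULL;
+#endif
+}
+
+BigIntegerResult
+BigIntegerCtxFree(ctx)
+ BigIntegerCtx ctx;
+{
+#ifdef OPENSSL
+ if(ctx)
+ BN_CTX_free(ctx);
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+BigIntegerModAccel
+BigIntegerModAccelNew(m, c)
+ BigInteger m;
+ BigIntegerCtx c;
+{
+#ifdef OPENSSL
+ BN_CTX * ctx = NULL;
+ BN_MONT_CTX * mctx;
+ if(default_modexp)
+ return NULL;
+ if(c == NULL)
+ c = ctx = BN_CTX_new();
+ mctx = BN_MONT_CTX_new();
+ BN_MONT_CTX_set(mctx, m, c);
+ if(ctx)
+ BN_CTX_free(ctx);
+ return mctx;
+#else
+ return NULL;
+#endif
+}
+
+BigIntegerResult
+BigIntegerModAccelFree(accel)
+ BigIntegerModAccel accel;
+{
+#ifdef OPENSSL
+ if(accel)
+ BN_MONT_CTX_free(accel);
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+BigIntegerResult
+BigIntegerInitialize()
+{
+#if OPENSSL_VERSION_NUMBER >= 0x00907000
+ ENGINE_load_builtin_engines();
+#endif
+ return BIG_INTEGER_SUCCESS;
+}
+
+BigIntegerResult
+BigIntegerFinalize()
+{
+ return BigIntegerReleaseEngine();
+}
+
+BigIntegerResult
+BigIntegerUseEngine(const char * engine)
+{
+#if defined(OPENSSL) && defined(OPENSSL_ENGINE)
+ ENGINE * e = ENGINE_by_id(engine);
+ if(e) {
+ if(ENGINE_init(e) > 0) {
+#if OPENSSL_VERSION_NUMBER >= 0x00907000
+ /* 0.9.7 loses the BN_mod_exp method. Pity. */
+ const RSA_METHOD * rsa = ENGINE_get_RSA(e);
+ if(rsa)
+#if (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3000000fL) || (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100005L)
+ default_modexp = (modexp_meth)RSA_meth_get_bn_mod_exp(rsa);
+#else
+ default_modexp = (modexp_meth)rsa->bn_mod_exp;
+#endif
+#else
+ default_modexp = (modexp_meth)ENGINE_get_BN_mod_exp(e);
+#endif
+ BigIntegerReleaseEngine();
+ default_engine = e;
+ return BIG_INTEGER_SUCCESS;
+ }
+ else
+ ENGINE_free(e);
+ }
+#endif
+ return BIG_INTEGER_ERROR;
+}
+
+BigIntegerResult
+BigIntegerReleaseEngine()
+{
+#if defined(OPENSSL) && defined(OPENSSL_ENGINE)
+ if(default_engine) {
+ ENGINE_finish(default_engine);
+ ENGINE_free(default_engine);
+ default_engine = NULL;
+ default_modexp = NULL;
+ }
+#endif
+ return BIG_INTEGER_SUCCESS;
+}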
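Review bot: In BigIntegerCheckPrime the MBEDTLS branch returns the raw result of `mbedtls_mpi_is_prime_ext`, which is 0 when n is probably prime and a negative error code otherwise, so its sense is inverted relative to every other backend in the same function (the OpenSSL, GMP, gcrypt, tommath and MPI branches all return non-zero for prime); it should read `return mbedtls_mpi_is_prime_ext(n, 25, _mbedtls_f_rng, NULL) == 0;`. Whether this client build ever calls BigIntegerCheckPrime is not visible here, so the practical impact may be nil, but any caller relying on it would accept a composite modulus and reject a prime one. The same habit of discarding mbedtls return codes appears in BigIntegerToCstrEx and BigIntegerModExp: `mbedtls_mpi_write_binary` reports MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL when the value does not fit in `len` bytes and `mbedtls_mpi_exp_mod` rejects an even or non-positive modulus, yet both paths return BIG_INTEGER_SUCCESS regardless, so the status should be checked and mapped to BIG_INTEGER_ERROR (BigIntegerToCstrEx already has that error path for cstr_set_length). A smaller point of style: `_mbedtls_f_rng` is a file-scope identifier beginning with an underscore, which C reserves for the implementation, and it appears to be used only at the BigIntegerCheckPrime call site in this file, so naming it `srp_mbedtls_f_rng` and declaring it `static` would avoid both the reserved name and the missing-prototype warning.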
diff --git a/3rd_party/libsrp6a-sha512/t_misc.c b/3rd_party/libsrp6a-sha512/t_misc.c
new file mode 100644
index 0000000..3053358
--- /dev/null
+++ b/3rd_party/libsrp6a-sha512/t_misc.c
@@ -0,0 +1,450 @@
1/*
2 * Copyright (c) 1997-2007 The Stanford SRP Authentication Project
3 * All Rights Reserved.
4 *
5 * Permission is hereby granted, free of charge, to any person obtaining
6 * a copy of this software and associated documentation files (the
7 * "Software"), to deal in the Software without restriction, including
8 * without limitation the rights to use, copy, modify, merge, publish,
9 * distribute, sublicense, and/or sell copies of the Software, and to
10 * permit persons to whom the Software is furnished to do so, subject to
11 * the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be
14 * included in all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
17 * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
18 * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
19 *
20 * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL,
21 * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER
22 * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF
23 * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT
24 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
25 *
26 * Redistributions in source or binary form must retain an intact copy
27 * of this copyright notice.
28 */
29
30#include "t_defines.h"
31
32#ifdef HAVE_UNISTD_H
33#include <unistd.h>
34#endif /* HAVE_UNISTD_H */
35
36#include <stdio.h>
37#include <sys/types.h>
38#include <sys/stat.h>
39#include <fcntl.h>
40
41#ifdef WIN32
42#include <process.h>
43#include <io.h>
44#endif
45
46#include "t_sha.h"
47
48#ifndef NULL
49#define NULL 0
50#endif
51
52#ifdef OPENSSL
53#include <openssl/opensslv.h>
54#include <openssl/rand.h>
55#elif defined(TOMCRYPT)
56#include "tomcrypt.h"
57static prng_state g_rng;
58static unsigned char entropy[32];
59#elif defined(CRYPTOLIB)
60# include "libcrypt.h"
61static unsigned char crpool[64];
62#else
63static unsigned char randpool[SHA_DIGESTSIZE], randout[SHA_DIGESTSIZE];
64static unsigned long randcnt = 0;
65static unsigned int outpos = 0;
66SHA1_CTX randctxt;
67#endif /* OPENSSL */
68
69/*
70 * t_envhash - Generate a 160-bit SHA hash of the environment
71 *
72 * This routine performs an SHA hash of all the "name=value" pairs
73 * in the environment concatenated together and dumps them in the
74 * output. While it is true that anyone on the system can see
75 * your environment, someone not on the system will have a very
76 * difficult time guessing it, especially since some systems play
77 * tricks with variable ordering and sometimes define quirky
78 * environment variables like $WINDOWID or $_.
79 */
80extern char ** environ;
81
82static void
83t_envhash(out)
84 unsigned char * out;
85{
86 char ** ptr;
87 char ebuf[256];
88 SHA1_CTX ctxt;
89
90 SHA1Init(&ctxt);
91 for(ptr = environ; *ptr; ++ptr) {
92 strncpy(ebuf, *ptr, 255);
93 ebuf[255] = '\0';
94 SHA1Update(&ctxt, ebuf, strlen(ebuf));
95 }
96 SHA1Final(out, &ctxt);
97}
98
99/*
100 * t_fshash - Generate a 160-bit SHA hash from the file system
101 *
102 * This routine climbs up the directory tree from the current
103 * directory, running stat() on each directory until it hits the
104 * root directory. This information is sensitive to the last
105 * access/modification times of all the directories above you,
106 * so someone who lists one of those directories injects some
107 * entropy into the system. Obviously, this hash is very sensitive
108 * to your current directory when the program is run.
109 *
110 * For good measure, it also performs an fstat on the standard input,
111 * usually your tty, throws that into the buffer, creates a file in
112 * /tmp (the inode is unpredictable on a busy system), and runs stat()
113 * on that before deleting it.
114 *
115 * The entire buffer is run once through SHA to obtain the final result.
116 */
117static void
118t_fshash(out)
119 unsigned char * out;
120{
121 char dotpath[128];
122 struct stat st;
123 SHA1_CTX ctxt;
124 int i, pinode;
125 dev_t pdev;
126
127 SHA1Init(&ctxt);
128 if(stat(".", &st) >= 0) {
129 SHA1Update(&ctxt, (unsigned char *) &st, sizeof(st));
130 pinode = st.st_ino;
131 pdev = st.st_dev;
132 strcpy(dotpath, "..");
133 for(i = 0; i < 40; ++i) {
134 if(stat(dotpath, &st) < 0)
135 break;
136 if(st.st_ino == pinode && st.st_dev == pdev)
137 break;
138 SHA1Update(&ctxt, (unsigned char *) &st, sizeof(st));
139 pinode = st.st_ino;
140 pdev = st.st_dev;
141 strcat(dotpath, "/..");
142 }
143 }
144
145 if(fstat(0, &st) >= 0)
146 SHA1Update(&ctxt, (unsigned char *) &st, sizeof(st));
147
148 sprintf(dotpath, "/tmp/rnd.%d", getpid());
149 if(creat(dotpath, 0600) >= 0 && stat(dotpath, &st) >= 0)
150 SHA1Update(&ctxt, (unsigned char *) &st, sizeof(st));
151 unlink(dotpath);
152
153 SHA1Final(out, &ctxt);
154}
155
156/*
157 * Generate a high-entropy seed for the strong random number generator.
158 * This uses a wide variety of quickly gathered and somewhat unpredictable
159 * system information. The 'preseed' structure is assembled from:
160 *
161 * The system time in seconds
162 * The system time in microseconds
163 * The current process ID
164 * The parent process ID
165 * A hash of the user's environment
166 * A hash gathered from the file system
167 * Input from a random device, if available
168 * Timings of system interrupts
169 *
170 * The entire structure (60 bytes on most systems) is fed to SHA to produce
171 * a 160-bit seed for the strong random number generator. It is believed
172 * that in the worst case (on a quiet system with no random device versus
173 * an attacker who has access to the system already), the seed contains at
174 * least about 80 bits of entropy. Versus an attacker who does not have
175 * access to the system, the entropy should be slightly over 128 bits.
176 */
177static char initialized = 0;
178
179static struct {
180 unsigned int trand1;
181 time_t sec;
182 time_t subsec;
183 short pid;
184 short ppid;
185 unsigned char envh[SHA_DIGESTSIZE];
186 unsigned char fsh[SHA_DIGESTSIZE];
187 unsigned char devrand[20];
188 unsigned int trand2;
189} preseed;
190
191unsigned long raw_truerand();
192
193static void
194t_initrand()
195{
196 SHA1_CTX ctxt;
197#ifdef USE_FTIME
198 struct timeb t;
199#else
200 struct timeval t;
201#endif
202 int i, r=0;
203
204 if(initialized)
205 return;
206
207 initialized = 1;
208
209#if defined(OPENSSL) /* OpenSSL has nifty win32 entropy-gathering code */
210#if OPENSSL_VERSION_NUMBER >= 0x00905100
211 r = RAND_status();
212#if defined(WINDOWS) || defined(WIN32)
213 if(r) /* Don't do the Unix-y stuff on Windows if possible */
214 return;
215#else
216#endif
217#endif
218
219#elif defined(TOMCRYPT)
220 yarrow_start(&g_rng);
221 r = rng_get_bytes(entropy, sizeof(entropy), NULL);
222 if(r > 0) {
223 yarrow_add_entropy(entropy, r, &g_rng);
224 memset(entropy, 0, sizeof(entropy));
225# if defined(WINDOWS) || defined(WIN32)
226 /* Don't do the Unix-y stuff on Windows if possible */
227 yarrow_ready(&g_rng);
228 return;
229# endif
230 }
231#endif
232
233#if !defined(WINDOWS) && !defined(WIN32)
234 i = open("/dev/urandom", O_RDONLY);
235 if(i > 0) {
236 r += read(i, preseed.devrand, sizeof(preseed.devrand));
237 close(i);
238 }
239#endif /* !WINDOWS && !WIN32 */
240
241 /* Resort to truerand only if desperate for some Real entropy */
242 if(r == 0)
243 preseed.trand1 = raw_truerand();
244
245#ifdef USE_FTIME
246 ftime(&t);
247 preseed.sec = t.time;
248 preseed.subsec = t.millitm;
249#else
250 gettimeofday(&t, NULL);
251 preseed.sec = t.tv_sec;
252 preseed.subsec = t.tv_usec;
253#endif
254 preseed.pid = getpid();
255#ifndef WIN32
256 preseed.ppid = getppid();
257#endif
258 t_envhash(preseed.envh);
259 t_fshash(preseed.fsh);
260
261 if(r == 0)
262 preseed.trand2 = raw_truerand();
263
264#ifdef OPENSSL
265 RAND_seed((unsigned char *)&preseed, sizeof(preseed));
266#elif defined(TOMCRYPT)
267 yarrow_add_entropy((unsigned char *)&preseed, sizeof(preseed), &g_rng);
268 yarrow_ready(&g_rng);
269#elif defined(CRYPTOLIB)
270 t_mgf1(crpool, sizeof(crpool), (unsigned char *) &preseed, sizeof(preseed));
271 seedDesRandom(crpool, sizeof(crpool));
272 memset(crpool, 0, sizeof(crpool));
273#elif defined(GCRYPT)
274 gcry_random_add_bytes((unsigned char *)&preseed, sizeof(preseed), -1);
275#else
276 SHA1Init(&ctxt);
277 SHA1Update(&ctxt, (unsigned char *) &preseed, sizeof(preseed));
278 SHA1Final(randpool, &ctxt);
279 memset((unsigned char *) &ctxt, 0, sizeof(ctxt));
280 outpos = 0;
281#endif /* OPENSSL */
282 memset((unsigned char *) &preseed, 0, sizeof(preseed));
283}
284
285#define NUM_RANDOMS 12
286
287_TYPE( void )
288t_stronginitrand()
289{
290#if 1 /* t_initrand() has been improved enough to make this unnecessary */
291 t_initrand();
292#else
293 SHA1_CTX ctxt;
294 unsigned int rawrand[NUM_RANDOMS];
295 int i;
296
297 if(!initialized)
298 t_initrand();
299 for(i = 0; i < NUM_RANDOMS; ++i)
300 rawrand[i] = raw_truerand();
301 SHA1Init(&ctxt);
302 SHA1Update(&ctxt, (unsigned char *) rawrand, sizeof(rawrand));
303 SHA1Final(randkey2, &ctxt);
304 memset(rawrand, 0, sizeof(rawrand));
305#endif
306}
307
308/*
309 * The strong random number generator. This uses a 160-bit seed
310 * and uses SHA-1 in a feedback configuration to generate successive
311 * outputs. If S[0] is set to the initial seed, then:
312 *
313 * S[i+1] = SHA-1(i || S[i])
314 * A[i] = SHA-1(S[i])
315 *
316 * where the A[i] are the output blocks starting with i=0.
317 * Each cycle generates 20 bytes of new output.
318 */
319_TYPE( void )
320t_random(data, size)
321 unsigned char * data;
322 unsigned size;
323{
324 if(!initialized)
325 t_initrand();
326
327 if(size <= 0) /* t_random(NULL, 0) forces seed initialization */
328 return;
329
330#ifdef OPENSSL
331 RAND_bytes(data, size);
332#elif defined(TOMCRYPT)
333 yarrow_read(data, size, &g_rng);
334#elif defined(GCRYPT)
335 gcry_randomize(data, size, GCRY_STRONG_RANDOM);
336#elif defined(CRYPTOLIB)
337 randomBytes(data, size, PSEUDO);
338#else
339 while(size > outpos) {
340 if(outpos > 0) {
341 memcpy(data, randout + (sizeof(randout) - outpos), outpos);
342 data += outpos;
343 size -= outpos;
344 }
345
346 /* Recycle */
347 SHA1Init(&randctxt);
348 SHA1Update(&randctxt, randpool, sizeof(randpool));
349 SHA1Final(randout, &randctxt);
350 SHA1Init(&randctxt);
351 SHA1Update(&randctxt, (unsigned char *) &randcnt, sizeof(randcnt));
352 SHA1Update(&randctxt, randpool, sizeof(randpool));
353 SHA1Final(randpool, &randctxt);
354 ++randcnt;
355 outpos = sizeof(randout);
356 }
357
358 if(size > 0) {
359 memcpy(data, randout + (sizeof(randout) - outpos), size);
360 outpos -= size;
361 }
362#endif
363}
364
365/*
366 * The interleaved session-key hash. This separates the even and the odd
367 * bytes of the input (ignoring the first byte if the input length is odd),
368 * hashes them separately, and re-interleaves the two outputs to form a
369 * single 320-bit value.
370 */
371_TYPE( unsigned char * )
372t_sessionkey(key, sk, sklen)
373 unsigned char * key;
374 unsigned char * sk;
375 unsigned sklen;
376{
377 unsigned i, klen;
378 unsigned char * hbuf;
379 unsigned char hout[SHA_DIGESTSIZE];
380 SHA1_CTX ctxt;
381
382 while(sklen > 0 && *sk == 0) { /* Skip leading 0's */
383 --sklen;
384 ++sk;
385 }
386
387 klen = sklen / 2;
388 if((hbuf = malloc(klen * sizeof(char))) == 0)
389 return 0;
390
391 for(i = 0; i < klen; ++i)
392 hbuf[i] = sk[sklen - 2 * i - 1];
393 SHA1Init(&ctxt);
394 SHA1Update(&ctxt, hbuf, klen);
395 SHA1Final(hout, &ctxt);
396 for(i = 0; i < sizeof(hout); ++i)
397 key[2 * i] = hout[i];
398
399 for(i = 0; i < klen; ++i)
400 hbuf[i] = sk[sklen - 2 * i - 2];
401 SHA1Init(&ctxt);
402 SHA1Update(&ctxt, hbuf, klen);
403 SHA1Final(hout, &ctxt);
404 for(i = 0; i < sizeof(hout); ++i)
405 key[2 * i + 1] = hout[i];
406
407 memset(hout, 0, sizeof(hout));
408 memset(hbuf, 0, klen);
409 free(hbuf);
410 return key;
411}
412
413_TYPE( void )
414t_mgf1(mask, masklen, seed, seedlen)
415 unsigned char * mask;
416 unsigned masklen;
417 const unsigned char * seed;
418 unsigned seedlen;
419{
420 SHA1_CTX ctxt;
421 unsigned i = 0;
422 unsigned pos = 0;
423 unsigned char cnt[4];
424 unsigned char hout[SHA_DIGESTSIZE];
425
426 while(pos < masklen) {
427 cnt[0] = (i >> 24) & 0xFF;
428 cnt[1] = (i >> 16) & 0xFF;
429 cnt[2] = (i >> 8) & 0xFF;
430 cnt[3] = i & 0xFF;
431 SHA1Init(&ctxt);
432 SHA1Update(&ctxt, seed, seedlen);
433 SHA1Update(&ctxt, cnt, 4);
434
435 if(pos + SHA_DIGESTSIZE > masklen) {
436 SHA1Final(hout, &ctxt);
437 memcpy(mask + pos, hout, masklen - pos);
438 pos = masklen;
439 }
440 else {
441 SHA1Final(mask + pos, &ctxt);
442 pos += SHA_DIGESTSIZE;
443 }
444
445 ++i;
446 }
447
448 memset(hout, 0, sizeof(hout));
449 memset((unsigned char *)&ctxt, 0, sizeof(ctxt));
450}
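Review bot: `t_fshash` creates `/tmp/rnd.<pid>` with `creat()` under a predictable name in a world-writable directory; `creat()` follows symlinks and truncates, so a local attacker who pre-places a symlink at that path gets any file the calling user can write emptied, and the descriptor `creat()` returns is never closed. Using `mkstemp()` on the non-Windows path (it opens with O_EXCL, so an existing symlink makes it fail rather than be followed), fstat'ing the descriptor and closing it fixes both; the step can simply be skipped on Windows where it adds nothing, and `mkstemp` needs `<stdlib.h>` if `t_defines.h` does not already pull it in. Separately, `t_random` discards the return value of `RAND_bytes(data, size)`, so in the OpenSSL build an RNG failure leaves `data` uninitialized for whatever the caller derives from it (presumably the SRP ephemeral private value); with a `void` signature the honest option is `if(RAND_bytes(data, size) != 1) abort();`, or change the signature to report failure. Whether the SHA-1 feedback generator in the final `#else` branch is compiled in any of this project's configurations is not visible from the hunk.
```c
	/* … unchanged: stat() walk up to the root and fstat(0) … */
#if !defined(WINDOWS) && !defined(WIN32)
	{
		int fd;

		/* mkstemp() opens with O_CREAT|O_EXCL: a pre-placed symlink or
		 * file makes it fail instead of being followed and truncated. */
		strcpy(dotpath, "/tmp/rnd.XXXXXX");
		if((fd = mkstemp(dotpath)) >= 0) {
			if(fstat(fd, &st) >= 0)
				SHA1Update(&ctxt, (unsigned char *) &st, sizeof(st));
			close(fd);
			unlink(dotpath);
		}
	}
#endif

	SHA1Final(out, &ctxt);
```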
diff --git a/3rd_party/libsrp6a-sha512/t_pwd.h b/3rd_party/libsrp6a-sha512/t_pwd.h
new file mode 100644
index 0000000..a90a364
--- /dev/null
+++ b/3rd_party/libsrp6a-sha512/t_pwd.h
@@ -0,0 +1,246 @@
1/*
2 * Copyright (c) 1997-2007 The Stanford SRP Authentication Project
3 * All Rights Reserved.
4 *
5 * Permission is hereby granted, free of charge, to any person obtaining
6 * a copy of this software and associated documentation files (the
7 * "Software"), to deal in the Software without restriction, including
8 * without limitation the rights to use, copy, modify, merge, publish,
9 * distribute, sublicense, and/or sell copies of the Software, and to
10 * permit persons to whom the Software is furnished to do so, subject to
11 * the following conditions:
12 *
13 * The above copyright notice and this permission notice shall be
14 * included in all copies or substantial portions of the Software.
15 *
16 * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND,
17 * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY
18 * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
19 *
20 * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL,
21 * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER
22 * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF
23 * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT
24 * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
25 *
26 * Redistributions in source or binary form must retain an intact copy
27 * of this copyright notice.
28 */
29
30#ifndef T_PWD_H
31#define T_PWD_H
32
33#include <stdio.h>
34#include "cstr.h"
35
36#define MAXPARAMBITS 2048
37#define MAXPARAMLEN ((MAXPARAMBITS + 7) / 8)
38#define MAXB64PARAMLEN ((MAXPARAMBITS + 5) / 6 + 1)
39#define MAXHEXPARAMLEN ((MAXPARAMBITS + 3) / 4 + 1)
40#define MAXOCTPARAMLEN ((MAXPARAMBITS + 2) / 3 + 1)
41
42#define MAXUSERLEN 32
43#define MAXSALTLEN 32
44#define MAXB64SALTLEN 44 /* 256 bits in b64 + null */
45#define SALTLEN 10 /* Normally 80 bits */
46
47#define RESPONSE_LEN 20 /* 160-bit proof hashes */
48#define SESSION_KEY_LEN (2 * RESPONSE_LEN) /* 320-bit session key */
49
50#define DEFAULT_PASSWD "/etc/tpasswd"
51#define DEFAULT_CONF "/etc/tpasswd.conf"
52
53struct t_num { /* Standard byte-oriented integer representation */
54 int len;
55 unsigned char * data;
56};
57
58struct t_preconf { /* Structure returned by t_getpreparam() */
59 char * mod_b64;
60 char * gen_b64;
61 char * comment;
62
63 struct t_num modulus;
64 struct t_num generator;
65};
66
67/*
68 * The built-in (known good) parameters access routines
69 *
70 * "t_getprecount" returns the number of precompiled parameter sets.
71 * "t_getpreparam" returns the indicated parameter set.
72 * Memory is statically allocated - callers need not perform any memory mgmt.
73 */
74_TYPE( int ) t_getprecount();
75_TYPE( struct t_preconf * ) t_getpreparam P((int));
76
77struct t_confent { /* One configuration file entry (index, N, g) */
78 int index;
79 struct t_num modulus;
80 struct t_num generator;
81};
82
83struct t_conf { /* An open configuration file */
84 FILE * instream;
85 char close_on_exit;
86 cstr * modbuf;
87 cstr * genbuf;
88 struct t_confent tcbuf;
89};
90
91/*
92 * The configuration file routines are designed along the lines of the
93 * "getpw" functions in the standard C library.
94 *
95 * "t_openconf" accepts a stdio stream and interprets it as a config file.
96 * "t_openconfbyname" accepts a filename and does the same thing.
97 * "t_closeconf" closes the config file.
98 * "t_getconfent" fetches the next sequential configuration entry.
99 * "t_getconfbyindex" fetches the configuration entry whose index
100 * matches the one supplied, or NULL if one can't be found.
101 * "t_getconflast" fetches the last configuration entry in the file.
102 * "t_makeconfent" generates a set of configuration entry parameters
103 * randomly.
104 * "t_newconfent" returns an empty configuration entry.
105 * "t_cmpconfent" compares two configuration entries a la strcmp.
106 * "t_checkconfent" verifies that a set of configuration parameters
107 * are suitable. N must be prime and should be a safe prime.
108 * "t_putconfent" writes a configuration entry to a stream.
109 */
110_TYPE( struct t_conf * ) t_openconf P((FILE *));
111_TYPE( struct t_conf * ) t_openconfbyname P((const char *));
112_TYPE( void ) t_closeconf P((struct t_conf *));
113_TYPE( void ) t_rewindconf P((struct t_conf *));
114_TYPE( struct t_confent * ) t_getconfent P((struct t_conf *));
115_TYPE( struct t_confent * ) t_getconfbyindex P((struct t_conf *, int));
116_TYPE( struct t_confent * ) t_getconflast P((struct t_conf *));
117_TYPE( struct t_confent * ) t_makeconfent P((struct t_conf *, int));
118_TYPE( struct t_confent * ) t_makeconfent_c P((struct t_conf *, int));
119_TYPE( struct t_confent * ) t_newconfent P((struct t_conf *));
120_TYPE( int ) t_cmpconfent P((const struct t_confent *, const struct t_confent *));
121_TYPE( int ) t_checkconfent P((const struct t_confent *));
122_TYPE( void ) t_putconfent P((const struct t_confent *, FILE *));
123
124/* libc-style system conf file access */
125_TYPE( struct t_confent *) gettcent();
126_TYPE( struct t_confent *) gettcid P((int));
127_TYPE( void ) settcent();
128_TYPE( void ) endtcent();
129
130#ifdef ENABLE_NSW
131extern struct t_confent * _gettcent();
132extern struct t_confent * _gettcid P((int));
133extern void _settcent();
134extern void _endtcent();
135#endif
136
137/* A hack to support '+'-style entries in the passwd file */
138
139typedef enum fstate {
140 FILE_ONLY, /* Ordinary file, don't consult NIS ever */
141 FILE_NIS, /* Currently accessing file, use NIS if encountered */
142 IN_NIS, /* Currently in a '+' entry; use NIS for getXXent */
143} FILE_STATE;
144
145struct t_pwent { /* A single password file entry */
146 char * name;
147 struct t_num password;
148 struct t_num salt;
149 int index;
150};
151
152struct t_pw { /* An open password file */
153 FILE * instream;
154 char close_on_exit;
155 FILE_STATE state;
156 char userbuf[MAXUSERLEN];
157 cstr * pwbuf;
158 unsigned char saltbuf[SALTLEN];
159 struct t_pwent pebuf;
160};
161
162/*
163 * The password manipulation routines are patterned after the getpw*
164 * standard C library function calls.
165 *
166 * "t_openpw" reads a stream as if it were a password file.
167 * "t_openpwbyname" opens the named file as a password file.
168 * "t_closepw" closes an open password file.
169 * "t_rewindpw" starts the internal file pointer from the beginning
170 * of the password file.
171 * "t_getpwent" retrieves the next sequential password entry.
172 * "t_getpwbyname" looks up the password entry corresponding to the
173 * specified user.
174 * "t_makepwent" constructs a password entry from a username, password,
175 * numeric salt, and configuration entry.
176 * "t_putpwent" writes a password entry to a stream.
177 */
178_TYPE( struct t_pw * ) t_newpw();
179_TYPE( struct t_pw * ) t_openpw P((FILE *));
180_TYPE( struct t_pw * ) t_openpwbyname P((const char *));
181_TYPE( void ) t_closepw P((struct t_pw *));
182_TYPE( void ) t_rewindpw P((struct t_pw *));
183_TYPE( struct t_pwent * ) t_getpwent P((struct t_pw *));
184_TYPE( struct t_pwent * ) t_getpwbyname P((struct t_pw *, const char *));
185_TYPE( struct t_pwent * ) t_makepwent P((struct t_pw *, const char *,
186 const char *, const struct t_num *,
187 const struct t_confent *));
188_TYPE( void ) t_putpwent P((const struct t_pwent *, FILE *));
189
190struct t_passwd {
191 struct t_pwent tp;
192 struct t_confent tc;
193};
194
195/* libc-style system password file access */
196_TYPE( struct t_passwd * ) gettpent();
197_TYPE( struct t_passwd * ) gettpnam P((const char *));
198_TYPE( void ) settpent();
199_TYPE( void ) endtpent();
200
201#ifdef ENABLE_NSW
202extern struct t_passwd * _gettpent();
203extern struct t_passwd * _gettpnam P((const char *));
204extern void _settpent();
205extern void _endtpent();
206#endif
207
208/*
209 * Utility functions
210 *
211 * "t_verifypw" accepts a username and password, and checks against the
212 * system password file to see if the password for that user is correct.
213 * Returns > 0 if it is correct, 0 if not, and -1 if some error occurred
214 * (i.e. the user doesn't exist on the system). This is intended ONLY
215 * for local authentication; for remote authentication, look at the
216 * t_client and t_server source. (That's the whole point of SRP!)
217 * "t_changepw" modifies the specified file, substituting the given password
218 * entry for the one already in the file. If no matching entry is found,
219 * the new entry is simply appended to the file.
220 * "t_deletepw" removes the specified user from the specified file.
221 */
222_TYPE( int ) t_verifypw P((const char *, const char *));
223_TYPE( int ) t_changepw P((const char *, const struct t_pwent *));
224_TYPE( int ) t_deletepw P((const char *, const char *));
225
226/* Conversion utilities */
227
228/*
229 * All these calls accept output as the first parameter. In the case of
230 * t_tohex and t_tob64, the last argument is the length of the byte-string
231 * input.
232 */
233_TYPE( char * ) t_tohex P((char *, const char *, unsigned));
234_TYPE( int ) t_fromhex P((char *, const char *));
235_TYPE( char * ) t_tob64 P((char *, const char *, unsigned));
236_TYPE( int ) t_fromb64 P((char *, const char *));
237
238/* These functions put their output in a cstr object */
239_TYPE( char * ) t_tohexcstr P((cstr *, const char *, unsigned));
240_TYPE( int ) t_cstrfromhex P((cstr *, const char *));
241_TYPE( char * ) t_tob64cstr P((cstr *, const char *, unsigned));
242_TYPE( int ) t_cstrfromb64 P((cstr *, const char *));
243
244/* Miscellaneous utilities (moved to t_defines.h) */
245
246#endif
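Review bot: The conversion prototypes near the end of the header (`t_tohex`, `t_tob64`, `t_fromhex`, `t_fromb64`) take a bare `char *` output with no capacity argument, and the comment above them only says which parameter is the input length, so a caller has no stated contract for sizing the destination. The comment should spell it out, e.g. `/* Output buffers are unchecked by these calls: t_tohex needs 2*len+1 bytes, t_tob64 4*((len+2)/3)+1, and the t_from* variants at most strlen(input) bytes; MAXHEXPARAMLEN / MAXB64PARAMLEN cover parameter-sized values. */`, with the exact figures confirmed against t_conv.c, which is not in view here. The `cstr`-based variants declared right below grow their output themselves and are the safer choice for new callers; pointing at them in the same comment would steer callers there.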
diff --git a/3rd_party/libsrp6a-sha512/t_sha.c b/3rd_party/libsrp6a-sha512/t_sha.c
new file mode 100644
index 0000000..4029de8
--- /dev/null
+++ b/3rd_party/libsrp6a-sha512/t_sha.c
@@ -0,0 +1,276 @@
1#include "t_defines.h"
2#include "t_sha.h"
3
4#ifdef CRYPTOLIB_SHA
5
6/* A wrapper around CryptoLib's shsFinal that delivers output in octets */
7void
8shsFinalBytes(unsigned char digest[20], SHS_CTX* context)
9{
10 int i;
11 unsigned long r;
12 unsigned char *p = digest;
13
14 shsFinal(context);
15 for(i = 0; i < 5; ++i) {
16 r = context->h[i];
17 *p++ = (unsigned char)((r >> 24) & 0xff);
18 *p++ = (unsigned char)((r >> 16) & 0xff);
19 *p++ = (unsigned char)((r >> 8) & 0xff);
20 *p++ = (unsigned char)(r & 0xff);
21 }
22}
23
24#elif defined(GCRYPT_SHA)
25/* Wrappers for gcrypt's md interface */
26
27void
28SHA1Init_gcry(SHA1_CTX * ctx)
29{
30 gcry_md_open(ctx, GCRY_MD_SHA1, 0);
31}
32
33void
34SHA1Update_gcry(SHA1_CTX * ctx, const void *data, unsigned int len)
35{
36 gcry_md_write(*ctx, data, len);
37}
38
39void
40SHA1Final_gcry(unsigned char digest[20], SHA1_CTX * ctx)
41{
42 memcpy(digest, gcry_md_read(*ctx, GCRY_MD_SHA1), 20);
43 gcry_md_close(*ctx);
44}
45
46void
47SHA512Init_gcry(SHA512_CTX * ctx)
48{
49 gcry_md_open(ctx, GCRY_MD_SHA512, 0);
50}
51
52void
53SHA512Update_gcry(SHA512_CTX * ctx, const void *data, unsigned int len)
54{
55 gcry_md_write(*ctx, data, len);
56}
57
58void
59SHA512Final_gcry(unsigned char digest[64], SHA512_CTX * ctx)
60{
61 memcpy(digest, gcry_md_read(*ctx, GCRY_MD_SHA512), 64);
62 gcry_md_close(*ctx);
63}
64
65#elif defined(MBEDTLS_SHA)
66/* Wrappers for mbedtls's md interface */
67
68void
69SHA1Init_mbed(SHA1_CTX * ctx)
70{
71 mbedtls_md_init(ctx);
72 mbedtls_md_setup(ctx, mbedtls_md_info_from_type(MBEDTLS_MD_SHA1), 0);
73 mbedtls_md_starts(ctx);
74}
75
76void
77SHA1Update_mbed(SHA1_CTX * ctx, const void *data, unsigned int len)
78{
79 mbedtls_md_update(ctx, data, len);
80}
81
82void
83SHA1Final_mbed(unsigned char digest[20], SHA1_CTX * ctx)
84{
85 mbedtls_md_finish(ctx, digest);
86 mbedtls_md_free(ctx);
87}
88
89void
90SHA512Init_mbed(SHA512_CTX * ctx)
91{
92 mbedtls_md_init(ctx);
93 mbedtls_md_setup(ctx, mbedtls_md_info_from_type(MBEDTLS_MD_SHA512), 0);
94 mbedtls_md_starts(ctx);
95}
96
97void
98SHA512Update_mbed(SHA512_CTX * ctx, const void *data, unsigned int len)
99{
100 mbedtls_md_update(ctx, data, len);
101}
102
103void
104SHA512Final_mbed(unsigned char digest[64], SHA512_CTX * ctx)
105{
106 mbedtls_md_finish(ctx, digest);
107 mbedtls_md_free(ctx);
108}
109
110#elif !defined(OPENSSL_SHA) && !defined(TOMCRYPT_SHA)
111/* Use the free SHA1 if the library doesn't have it */
112
113/*
114SHA-1 in C
115By Steve Reid <steve@edmweb.com>
116100% Public Domain
117
118Test Vectors (from FIPS PUB 180-1)
119"abc"
120 A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D
121"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq"
122 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1
123A million repetitions of "a"
124 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F
125*/
126
127/* #define LITTLE_ENDIAN * This should be #define'd if true. */
128/* #define SHA1HANDSOFF * Copies data before messing with it. */
129
130#include <stdio.h>
131#include <string.h>
132
133static void SHA1Transform(uint32 state[5], const unsigned char buffer[64]);
134
135#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits))))
136
137/* blk0() and blk() perform the initial expand. */
138/* I got the idea of expanding during the round function from SSLeay */
139#ifndef WORDS_BIGENDIAN
140#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \
141 |(rol(block->l[i],8)&0x00FF00FF))
142#else
143#define blk0(i) block->l[i]
144#endif
145#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \
146 ^block->l[(i+2)&15]^block->l[i&15],1))
147
148/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */
149#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30);
150#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30);
151#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30);
152#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30);
153#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30);
154
155/* Hash a single 512-bit block. This is the core of the algorithm. */
156
157static void SHA1Transform(uint32 state[5], const unsigned char buffer[64])
158{
159uint32 a, b, c, d, e;
160typedef union {
161 unsigned char c[64];
162 uint32 l[16];
163} CHAR64LONG16;
164CHAR64LONG16* block;
165#ifdef SHA1HANDSOFF
166static unsigned char workspace[64];
167 block = (CHAR64LONG16*)workspace;
168 memcpy(block, buffer, 64);
169#else
170 block = (CHAR64LONG16*)buffer;
171#endif
172 /* Copy context->state[] to working vars */
173 a = state[0];
174 b = state[1];
175 c = state[2];
176 d = state[3];
177 e = state[4];
178 /* 4 rounds of 20 operations each. Loop unrolled. */
179 R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3);
180 R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7);
181 R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11);
182 R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15);
183 R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19);
184 R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23);
185 R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27);
186 R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31);
187 R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35);
188 R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39);
189 R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43);
190 R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47);
191 R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51);
192 R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55);
193 R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59);
194 R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63);
195 R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67);
196 R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71);
197 R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75);
198 R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79);
199 /* Add the working vars back into context.state[] */
200 state[0] += a;
201 state[1] += b;
202 state[2] += c;
203 state[3] += d;
204 state[4] += e;
205 /* Wipe variables */
206 a = b = c = d = e = 0;
207}
208
209
210/* SHA1Init - Initialize new context */
211
212void SHA1Init(SHA1_CTX* context)
213{
214 /* SHA1 initialization constants */
215 context->state[0] = 0x67452301;
216 context->state[1] = 0xEFCDAB89;
217 context->state[2] = 0x98BADCFE;
218 context->state[3] = 0x10325476;
219 context->state[4] = 0xC3D2E1F0;
220 context->count[0] = context->count[1] = 0;
221}
222
223
224/* Run your data through this. */
225
226void SHA1Update(SHA1_CTX* context, const unsigned char* data, unsigned int len)
227{
228unsigned int i, j;
229
230 j = (context->count[0] >> 3) & 63;
231 if ((context->count[0] += len << 3) < (len << 3)) context->count[1]++;
232 context->count[1] += (len >> 29);
233 if ((j + len) > 63) {
234 memcpy(&context->buffer[j], data, (i = 64-j));
235 SHA1Transform(context->state, context->buffer);
236 for ( ; i + 63 < len; i += 64) {
237 SHA1Transform(context->state, &data[i]);
238 }
239 j = 0;
240 }
241 else i = 0;
242 memcpy(&context->buffer[j], &data[i], len - i);
243}
244
245
246/* Add padding and return the message digest. */
247
248void SHA1Final(unsigned char digest[20], SHA1_CTX* context)
249{
250uint32 i, j;
251unsigned char finalcount[8];
252
253 for (i = 0; i < 8; i++) {
254 finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)]
255 >> ((3-(i & 3)) * 8) ) & 255); /* Endian independent */
256 }
257 SHA1Update(context, (unsigned char *)"\200", 1);
258 while ((context->count[0] & 504) != 448) {
259 SHA1Update(context, (unsigned char *)"\0", 1);
260 }
261 SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() */
262 for (i = 0; i < 20; i++) {
263 digest[i] = (unsigned char)
264 ((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255);
265 }
266 /* Wipe variables */
267 i = j = 0;
268 memset(context->buffer, 0, 64);
269 memset(context->state, 0, 20);
270 memset(context->count, 0, 8);
271 memset(&finalcount, 0, 8);
272#ifdef SHA1HANDSOFF /* make SHA1Transform overwrite it's own static vars */
273 SHA1Transform(context->state, context->buffer);
274#endif
275}
276#endif /* OPENSSL */
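Review bot: `SHA1Transform` writes back into the caller's message: with `SHA1HANDSOFF` left undefined (it is only a commented-out define at the top of the fallback), `block` aliases `buffer` directly and the `blk0()`/`blk()` macros assign into `block->l[]`, so every full 64-byte block that `SHA1Update` hands over straight from `data` is overwritten with the expanded schedule even though the parameter is declared `const` — and the cast also ignores alignment and aliasing rules on the input pointer. The `SHA1HANDSOFF` variant avoids that but goes through a `static` workspace, so it is not reentrant; a local union copy, cleared before return, fixes both. This fallback is only compiled when none of the OpenSSL/TomCrypt/gcrypt/mbedtls SHA paths is selected, so whether any of this project's configurations reaches it is not visible from the hunk.
```c
static void SHA1Transform(uint32 state[5], const unsigned char buffer[64])
{
uint32 a, b, c, d, e;
typedef union {
    unsigned char c[64];
    uint32 l[16];
} CHAR64LONG16;
CHAR64LONG16 workspace;            /* private, aligned copy: blk0()/blk() write into block->l[] */
CHAR64LONG16* block = &workspace;
    memcpy(block, buffer, 64);
    /* … unchanged: load state, rounds R0..R4, add working vars back … */
    /* Wipe variables */
    a = b = c = d = e = 0;
    memset(&workspace, 0, sizeof(workspace));   /* don't leave message words on the stack */
}
```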
diff --git a/3rd_party/libsrp6a-sha512/t_sha.h b/3rd_party/libsrp6a-sha512/t_sha.h
new file mode 100644
index 0000000..18deec5
--- /dev/null
+++ b/3rd_party/libsrp6a-sha512/t_sha.h
@@ -0,0 +1,125 @@
1#ifndef T_SHA_H
2#define T_SHA_H
3
4#if !defined(P)
5#ifdef __STDC__
6#define P(x) x
7#else
8#define P(x) ()
9#endif
10#endif
11
12#define SHA_DIGESTSIZE 20
13
14#ifdef OPENSSL
15#define OPENSSL_SHA 1
16#endif
17
18#ifdef TOMCRYPT
19# include <tomcrypt.h>
20# ifdef SHA1
21# define TOMCRYPT_SHA 1
22# endif
23#endif
24
25#ifdef CRYPTOLIB
26/* The SHA (shs) implementation in CryptoLib 1.x breaks when Update
27 * is called multiple times, so we still use our own code.
28 * Uncomment below if you think your copy of CryptoLib is fixed. */
29/*#define CRYPTOLIB_SHA 1*/
30#endif
31
32#ifdef GCRYPT
33# define GCRYPT_SHA 1
34#endif
35
36#ifdef MBEDTLS
37# define MBEDTLS_SHA 1
38#endif
39
40#ifdef OPENSSL_SHA
41#include <openssl/sha.h>
42
43typedef SHA_CTX SHA1_CTX;
44#define SHA1Init SHA1_Init
45#define SHA1Update SHA1_Update
46#define SHA1Final SHA1_Final
47
48#define SHA512Init SHA512_Init
49#define SHA512Update SHA512_Update
50#define SHA512Final SHA512_Final
51
52#elif defined(TOMCRYPT_SHA)
53/* mycrypt.h already included above */
54
55typedef hash_state SHA1_CTX;
56#define SHA1Init sha1_init
57#define SHA1Update sha1_process
58#define SHA1Final(D,C) sha1_done(C,D)
59
60#elif defined(GCRYPT_SHA)
61#include "gcrypt.h"
62
63typedef gcry_md_hd_t SHA1_CTX;
64#define SHA1Init SHA1Init_gcry
65#define SHA1Update SHA1Update_gcry
66#define SHA1Final SHA1Final_gcry
67typedef gcry_md_hd_t SHA512_CTX;
68#define SHA512Init SHA512Init_gcry
69#define SHA512Update SHA512Update_gcry
70#define SHA512Final SHA512Final_gcry
71
72void SHA1Init_gcry(SHA1_CTX * ctx);
73void SHA1Update_gcry(SHA1_CTX * ctx, const void *data, unsigned int len);
74void SHA1Final_gcry(unsigned char digest[20], SHA1_CTX * ctx);
75
76void SHA512Init_gcry(SHA512_CTX * ctx);
77void SHA512Update_gcry(SHA512_CTX * ctx, const void *data, unsigned int len);
78void SHA512Final_gcry(unsigned char digest[64], SHA512_CTX * ctx);
79
80#elif defined(MBEDTLS_SHA)
81#include <mbedtls/md.h>
82
83typedef mbedtls_md_context_t SHA1_CTX;
84#define SHA1Init SHA1Init_mbed
85#define SHA1Update SHA1Update_mbed
86#define SHA1Final SHA1Final_mbed
87
88typedef mbedtls_md_context_t SHA512_CTX;
89#define SHA512Init SHA512Init_mbed
90#define SHA512Update SHA512Update_mbed
91#define SHA512Final SHA512Final_mbed
92
93void SHA1Init_mbed(SHA1_CTX * ctx);
94void SHA1Update_mbed(SHA1_CTX * ctx, const void *data, unsigned int len);
95void SHA1Final_mbed(unsigned char digest[20], SHA1_CTX * ctx);
96
97void SHA512Init_mbed(SHA512_CTX * ctx);
98void SHA512Update_mbed(SHA512_CTX * ctx, const void *data, unsigned int len);
99void SHA512Final_mbed(unsigned char digest[64], SHA512_CTX * ctx);
100
101#elif defined(CRYPTOLIB_SHA)
102#include "libcrypt.h"
103
104typedef SHS_CTX SHA1_CTX;
105#define SHA1Init shsInit
106#define SHA1Update shsUpdate
107#define SHA1Final shsFinalBytes
108
109void shsFinalBytes P((unsigned char digest[20], SHS_CTX* context));
110
111#else
112typedef unsigned int uint32;
113
114typedef struct {
115 uint32 state[5];
116 uint32 count[2];
117 unsigned char buffer[64];
118} SHA1_CTX;
119
120void SHA1Init P((SHA1_CTX* context));
121void SHA1Update P((SHA1_CTX* context, const unsigned char* data, unsigned int len));
122void SHA1Final P((unsigned char digest[20], SHA1_CTX* context));
123#endif /* !OPENSSL && !CRYPTOLIB */
124
125#endif /* T_SHA_H */
diff --git a/3rd_party/libsrp6a-sha512/t_truerand.c b/3rd_party/libsrp6a-sha512/t_truerand.c
new file mode 100644
index 0000000..2617b5e
--- /dev/null
+++ b/3rd_party/libsrp6a-sha512/t_truerand.c
@@ -0,0 +1,241 @@
1/*
2 * Physically random numbers (very nearly uniform)
3 * D. P. Mitchell
4 * Modified by Matt Blaze 7/95
5 */
6/*
7 * The authors of this software are Don Mitchell and Matt Blaze.
8 * Copyright (c) 1995 by AT&T.
9 * Permission to use, copy, and modify this software without fee
10 * is hereby granted, provided that this entire notice is included in
11 * all copies of any software which is or includes a copy or
12 * modification of this software and in all copies of the supporting
13 * documentation for such software.
14 *
15 * This software may be subject to United States export controls.
16 *
17 * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED
18 * WARRANTY. IN PARTICULAR, NEITHER THE AUTHORS NOR AT&T MAKE ANY
19 * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY
20 * OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE.
21 */
22
23/*
24 * WARNING: depending on the particular platform, raw_truerand()
25 * output may be biased or correlated. In general, you can expect
26 * about 16 bits of "pseudo-entropy" out of each 32 bit word returned
27 * by truerand(), but it may not be uniformly diffused. You should
28 * raw_therefore run the output through some post-whitening function
29 * (like MD5 or DES or whatever) before using it to generate key
30 * material. (RSAREF's random package does this for you when you feed
31 * raw_truerand() bits to the seed input function.)
32 *
33 * The application interface, for 8, 16, and 32 bit properly "whitened"
34 * random numbers, can be found in trand8(), trand16(), and trand32().
35 * Use those instead of calling raw_truerand() directly.
36 *
37 * The basic idea here is that between clock "skew" and various
38 * hard-to-predict OS event arrivals, counting a tight loop will yield
39 * a little (maybe a third of a bit or so) of "good" randomness per
40 * interval clock tick. This seems to work well even on unloaded
41 * machines. If there is a human operator at the machine, you should
42 * augment truerand with other measure, like keyboard event timing.
43 * On server machines (e.g., when you need to generate a
44 * Diffie-Hellman secret) truerand alone may be good enough.
45 *
46 * Test these assumptions on your own platform before fielding a
47 * system based on this software or these techniques.
48 *
49 * This software seems to work well (at 10 or so bits per
50 * raw_truerand() call) on a Sun Sparc-20 under SunOS 4.1.3 and on a
51 * P100 under BSDI 2.0. You're on your own elsewhere.
52 *
53 */
54
55#include "t_defines.h"
56
57#ifdef WIN32
58
59# ifdef CRYPTOLIB
60
61/* Cryptolib contains its own truerand() on both UNIX and Windows. */
62/* Only use cryptolib's truerand under Windows */
63
64# include "libcrypt.h"
65
66unsigned long
67raw_truerand()
68{
69 return truerand();
70}
71
72# else /* !CRYPTOLIB && WIN32 */
73
74#include <wtypes.h>
75#include <winbase.h>
76#include <windef.h>
77#include <winnt.h>
78#include <winuser.h>
79#include <process.h>
80
81volatile unsigned long count, ocount, randbuf;
82volatile int dontstop;
83char outbuf[1024], *bufp;
84
85static void counter() {
86 while (dontstop)
87 count++;
88 _endthread();
89}
90
91
92static unsigned long roulette() {
93 unsigned long thread;
94
95 count = 0;
96 dontstop= 1;
97 while ((thread = _beginthread((void *)counter, 1024, NULL)) < 0)
98 ;
99
100 Sleep(16);
101 dontstop = 0;
102 Sleep(1);
103
104 count ^= (count>>3) ^ (count>>6) ^ (ocount);
105 count &= 0x7;
106 ocount = count;
107 randbuf = (randbuf<<3) ^ count;
108 return randbuf;
109}
110
111
112unsigned long
113raw_truerand() {
114
115 roulette();
116 roulette();
117 roulette();
118 roulette();
119 roulette();
120 roulette();
121 roulette();
122 roulette();
123 roulette();
124 roulette();
125 return roulette();
126}
127
128# endif /* CRYPTOLIB */
129
130#else /* !WIN32 */
131
132#include <signal.h>
133#include <setjmp.h>
134#include <sys/time.h>
135#include <math.h>
136#include <stdio.h>
137
138#ifdef OLD_TRUERAND
139static jmp_buf env;
140#endif
141static unsigned volatile count
142#ifndef OLD_TRUERAND
143 , done = 0
144#endif
145;
146
147static unsigned ocount;
148static unsigned buffer;
149
150static void
151tick()
152{
153 struct itimerval it, oit;
154
155 it.it_interval.tv_sec = 0;
156 it.it_interval.tv_usec = 0;
157 it.it_value.tv_sec = 0;
158 it.it_value.tv_usec = 16665;
159 if (setitimer(ITIMER_REAL, &it, &oit) < 0)
160 perror("tick");
161}
162
163static void
164interrupt()
165{
166 if (count) {
167#ifdef OLD_TRUERAND
168 longjmp(env, 1);
169#else
170 ++done;
171 return;
172#endif
173 }
174
175 (void) signal(SIGALRM, interrupt);
176 tick();
177}
178
179static unsigned long
180roulette()
181{
182#ifdef OLD_TRUERAND
183 if (setjmp(env)) {
184 count ^= (count>>3) ^ (count>>6) ^ ocount;
185 count &= 0x7;
186 ocount=count;
187 buffer = (buffer<<3) ^ count;
188 return buffer;
189 }
190#else
191 done = 0;
192#endif
193 (void) signal(SIGALRM, interrupt);
194 count = 0;
195 tick();
196#ifdef OLD_TRUERAND
197 for (;;)
198#else
199 while(done == 0)
200#endif
201 count++; /* about 1 MHz on VAX 11/780 */
202#ifndef OLD_TRUERAND
203 count ^= (count>>3) ^ (count>>6) ^ ocount;
204 count &= 0x7;
205 ocount=count;
206 buffer = (buffer<<3) ^ count;
207 return buffer;
208#endif
209}
210
211unsigned long
212raw_truerand()
213{
214 count=0;
215 (void) roulette();
216 (void) roulette();
217 (void) roulette();
218 (void) roulette();
219 (void) roulette();
220 (void) roulette();
221 (void) roulette();
222 (void) roulette();
223 (void) roulette();
224 (void) roulette();
225 return roulette();
226}
227
228int
229raw_n_truerand(n)
230int n;
231{
232 int slop, v;
233
234 slop = 0x7FFFFFFF % n;
235 do {
236 v = raw_truerand() >> 1;
237 } while (v <= slop);
238 return v % n;
239}
240
241#endif /* !CRYPTOLIB || !WIN32 */
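--- a/Makefile.am
+++ b/Makefile.am
@@ -1,6 +1,6 @@
 AUTOMAKE_OPTIONS = foreign
 ACLOCAL_AMFLAGS = -I m4
-SUBDIRS = common src include $(CYTHON_SUB) tools docs
+SUBDIRS = 3rd_party common src include $(CYTHON_SUB) tools docs
 
 EXTRA_DIST = \
 	docs \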
diff --git a/configure.ac b/configure.ac
index cdd388b..8fb032d 100644
--- a/configure.ac
+++ b/configure.ac
@@ -39,7 +39,7 @@ PKG_CHECK_MODULES(libplist, libplist-2.0 >= $LIBPLIST_VERSION)
39PKG_CHECK_MODULES(limd_glue, libimobiledevice-glue-1.0 >= $LIMD_GLUE_VERSION) 39PKG_CHECK_MODULES(limd_glue, libimobiledevice-glue-1.0 >= $LIMD_GLUE_VERSION)
40 40
41# Checks for header files. 41# Checks for header files.
42AC_CHECK_HEADERS([stdint.h stdlib.h string.h gcrypt.h]) 42AC_CHECK_HEADERS([stdint.h stdlib.h string.h sys/time.h])
43 43
44# Checks for typedefs, structures, and compiler characteristics. 44# Checks for typedefs, structures, and compiler characteristics.
45AC_C_CONST 45AC_C_CONST
@@ -64,6 +64,8 @@ if test "x$ac_cv_have_endian_h" = "xno"; then
64 fi 64 fi
65fi 65fi
66 66
67AC_CHECK_DECL([plist_from_json], [AC_DEFINE([HAVE_PLIST_JSON], [1], [Define if libplist has JSON support])], [], [[#include <plist/plist.h>]])
68
67# Check for operating system 69# Check for operating system
68AC_MSG_CHECKING([for platform-specific build settings]) 70AC_MSG_CHECKING([for platform-specific build settings])
69case ${host_os} in 71case ${host_os} in
@@ -74,6 +76,7 @@ case ${host_os} in
74 ;; 76 ;;
75 darwin*) 77 darwin*)
76 AC_MSG_RESULT([${host_os}]) 78 AC_MSG_RESULT([${host_os}])
79 darwin=true
77 ;; 80 ;;
78 *) 81 *)
79 AC_MSG_RESULT([${host_os}]) 82 AC_MSG_RESULT([${host_os}])
@@ -82,6 +85,7 @@ case ${host_os} in
82 ;; 85 ;;
83esac 86esac
84AM_CONDITIONAL(WIN32, test x$win32 = xtrue) 87AM_CONDITIONAL(WIN32, test x$win32 = xtrue)
88AM_CONDITIONAL(DARWIN, test x$darwin = xtrue)
85 89
86# Check if the C compiler supports __attribute__((constructor)) 90# Check if the C compiler supports __attribute__((constructor))
87AC_CACHE_CHECK([wether the C compiler supports constructor/destructor attributes], 91AC_CACHE_CHECK([wether the C compiler supports constructor/destructor attributes],
@@ -219,9 +223,10 @@ else
219 pkg_req_gnutls="gnutls >= 2.2.0" 223 pkg_req_gnutls="gnutls >= 2.2.0"
220 pkg_req_libtasn1="libtasn1 >= 1.1" 224 pkg_req_libtasn1="libtasn1 >= 1.1"
221 PKG_CHECK_MODULES(libgnutls, $pkg_req_gnutls) 225 PKG_CHECK_MODULES(libgnutls, $pkg_req_gnutls)
226 AC_CHECK_HEADERS([gcrypt.h])
222 AC_CHECK_LIB(gcrypt, gcry_control, [AC_SUBST(libgcrypt_LIBS,[-lgcrypt])], [AC_MSG_ERROR([libgcrypt is required to build libimobiledevice with GnuTLS])]) 227 AC_CHECK_LIB(gcrypt, gcry_control, [AC_SUBST(libgcrypt_LIBS,[-lgcrypt])], [AC_MSG_ERROR([libgcrypt is required to build libimobiledevice with GnuTLS])])
223 PKG_CHECK_MODULES(libtasn1, $pkg_req_libtasn1) 228 PKG_CHECK_MODULES(libtasn1, $pkg_req_libtasn1)
224 229 AC_DEFINE(HAVE_GCRYPT, 1, [Define if you have libgcrypt support])
225 AC_DEFINE(HAVE_GNUTLS, 1, [Define if you have GnuTLS support]) 230 AC_DEFINE(HAVE_GNUTLS, 1, [Define if you have GnuTLS support])
226 ssl_lib_CFLAGS="$libgnutls_CFLAGS $libtasn1_CFLAGS $libgcrypt_CFLAGS" 231 ssl_lib_CFLAGS="$libgnutls_CFLAGS $libtasn1_CFLAGS $libgcrypt_CFLAGS"
227 ssl_lib_LIBS="$libgnutls_LIBS $libtasn1_LIBS $libgcrypt_LIBS" 232 ssl_lib_LIBS="$libgnutls_LIBS $libtasn1_LIBS $libgcrypt_LIBS"
@@ -235,6 +240,17 @@ else
235 fi 240 fi
236 fi 241 fi
237fi 242fi
243AM_CONDITIONAL(HAVE_MBEDTLS, test "x$use_mbedtls" == "xyes")
244AM_CONDITIONAL(HAVE_OPENSSL, test "x$use_openssl" == "xyes")
245AM_CONDITIONAL(HAVE_GCRYPT, test "x$use_gnutls" == "xyes")
246
247AC_ARG_ENABLE([wireless-pairing],
248 [AS_HELP_STRING([--disable-wireless-pairing],
249 [Do not build with wirless pairing support (default is yes)])])
250if test "$enable_wireless_pairing" != "no"; then
251 AC_DEFINE(HAVE_WIRELESS_PAIRING,1,[Define if building with wireless pairing support])
252fi
253AM_CONDITIONAL(HAVE_WIRELESS_PAIRING, test "$enable_wireless_pairing" != "no")
238 254
239AC_ARG_ENABLE([debug], 255AC_ARG_ENABLE([debug],
240 [AS_HELP_STRING([--enable-debug], 256 [AS_HELP_STRING([--enable-debug],
@@ -263,6 +279,9 @@ m4_ifdef([AM_SILENT_RULES],[AM_SILENT_RULES([yes])])
263 279
264AC_CONFIG_FILES([ 280AC_CONFIG_FILES([
265Makefile 281Makefile
2823rd_party/Makefile
2833rd_party/ed25519/Makefile
2843rd_party/libsrp6a-sha512/Makefile
266common/Makefile 285common/Makefile
267src/Makefile 286src/Makefile
268src/libimobiledevice-1.0.pc 287src/libimobiledevice-1.0.pc
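Review bot: The three `AM_CONDITIONAL` tests added in the `@@ -235,6 +240,17 @@` hunk compare with `==`, which is not POSIX `test` syntax; on systems where /bin/sh is dash the comparison errors out ("unexpected operator") and the conditional is evaluated as false, so HAVE_MBEDTLS/HAVE_OPENSSL/HAVE_GCRYPT would be off even when the library is selected. Use a single `=`: `AM_CONDITIONAL(HAVE_MBEDTLS, test "x$use_mbedtls" = "xyes")`, `AM_CONDITIONAL(HAVE_OPENSSL, test "x$use_openssl" = "xyes")`, `AM_CONDITIONAL(HAVE_GCRYPT, test "x$use_gnutls" = "xyes")`. The help string in the same hunk also misspells "wireless" as "wirless".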
diff --git a/docs/idevicepair.1 b/docs/idevicepair.1
index 3576ce9..eb6e7d4 100644
--- a/docs/idevicepair.1
+++ b/docs/idevicepair.1
@@ -13,7 +13,13 @@ Manage host pairings with devices and usbmuxd.
13.TP 13.TP
14.B \-u, \-\-udid UDID 14.B \-u, \-\-udid UDID
15target specific device by UDID. 15target specific device by UDID.
16.TP 16.TP
17.B \-w, \-\-wireless
18perform wireless pairing (\f[B]see NOTE\f[]).
19.TP
20.B \-n, \-\-network
21connect to network device (\f[B]see NOTE\f[]).
22.TP
17.B \-d, \-\-debug 23.B \-d, \-\-debug
18enable communication debugging. 24enable communication debugging.
19.TP 25.TP
@@ -43,6 +49,24 @@ unpair device with this host.
43.B list 49.B list
44list devices paired with this host. 50list devices paired with this host.
45 51
52.SH NOTE
53Pairing over network (wireless pairing) is only supported by Apple TV
54devices. To perform a wireless pairing, you need to use the \f[B]\-w\f[]
55command line switch.
56
57Make sure to put the device into pairing mode first by opening
58Settings > Remotes and Devices > Remote App and Devices.
59
60The pairable device will become visible with a special UDID, and then you
61can run idevicepair like this:
62
63.B idevicepair -u fffc8:ab:cd:12:34:56fff -w pair
64
65idevicepair will then ask for the PIN that the device is displaying and
66continues with the pairing once entered.
67
68Please note that wireless pairing is currently not supported on Linux.
69
46.SH AUTHORS 70.SH AUTHORS
47Nikias Bassen 71Nikias Bassen
48 72
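--- a/include/endianness.h
+++ b/include/endianness.h
@@ -109,4 +109,15 @@
 #define htole64 le64toh
 #endif
 
+#if (defined(__BIG_ENDIAN__) \
+     && !defined(__FLOAT_WORD_ORDER__)) \
+    || (defined(__FLOAT_WORD_ORDER__) \
+        && __FLOAT_WORD_ORDER__ == __ORDER_BIG_ENDIAN__)
+#define float_bswap64(x) bswap64(x)
+#define float_bswap32(x) bswap32(x)
+#else
+#define float_bswap64(x) (x)
+#define float_bswap32(x) (x)
+#endif
+
 #endif /* ENDIANNESS_H */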
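Review bot: The new `float_bswap64`/`float_bswap32` macros have no comment, and the four-line `#if` is easy to misread: the swap is applied only when the host's float word order is big-endian (or `__BIG_ENDIAN__` is set without `__FLOAT_WORD_ORDER__` to say otherwise) and the macros are the identity in every other case, so they appear to normalise the integer image of a float to a little-endian layout — presumably the layout the peer sends, confirm against the callers. A one-line comment above the `#if` would save the next reader that derivation: `/* Byte-swap the integer image of a float/double into little-endian layout; identity on hosts whose float word order is already little-endian. */`.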
diff --git a/include/libimobiledevice/lockdown.h b/include/libimobiledevice/lockdown.h
index c35e5e9..1569f44 100644
--- a/include/libimobiledevice/lockdown.h
+++ b/include/libimobiledevice/lockdown.h
@@ -100,6 +100,19 @@ struct lockdownd_service_descriptor {
100}; 100};
101typedef struct lockdownd_service_descriptor *lockdownd_service_descriptor_t; 101typedef struct lockdownd_service_descriptor *lockdownd_service_descriptor_t;
102 102
103
104typedef enum {
105 LOCKDOWN_CU_PAIRING_PIN_REQUESTED, /**< PIN requested: data_ptr is a char* buffer, and data_size points to the size of this buffer that must not be exceeded and has to be updated to the actual number of characters filled into the buffer. */
106 LOCKDOWN_CU_PAIRING_DEVICE_INFO, /**< device information available: data_ptr is a plist_t, and data_size is ignored. The plist_t has to be copied if required, since it is freed when the callback function returns. */
107 LOCKDOWN_CU_PAIRING_ERROR /**< pairing error message available: data_ptr is a NULL-terminated char* buffer containing the error message, and data_size is ignored. Buffer needs to be copied if it shall persist outside the callback. */
108} lockdownd_cu_pairing_cb_type_t;
109
110/* CU pairing callback function prototype */
111/** Callback used to supply the pairing PIN during a CU pairing session,
112 * and to report device information and pairing error messages. */
113typedef void (*lockdownd_cu_pairing_cb_t) (lockdownd_cu_pairing_cb_type_t cb_type, void *user_data, void* data_ptr, unsigned int* data_size);
114
115
103/* Interface */ 116/* Interface */
104 117
105/** 118/**
@@ -399,6 +412,89 @@ lockdownd_error_t lockdownd_enter_recovery(lockdownd_client_t client);
399 */ 412 */
400lockdownd_error_t lockdownd_goodbye(lockdownd_client_t client); 413lockdownd_error_t lockdownd_goodbye(lockdownd_client_t client);
401 414
415/**
416 * Creates a CU pairing session for the current lockdown client.
417 * This is required to allow lockdownd_cu_send_request_and_get_reply(),
418 * lockdownd_get_value_cu() and lockdonwd_pair_cu() requests, and eventually
419 * allows to perform an actual wireless pairing.
420 *
421 * Through the callback function, the PIN displayed on the device has to be
422 * supplied during the process. Currently, only AppleTV devices have this
423 * capability.
424 *
425 * @param client The lockdown client to perform the CU pairing for
426 * @param pairing_callback Callback function that is used to supply the PIN
427 * for the pairing process, but also to receive device information or
428 * pairing error messages.
429 * @param cb_user_data User data that will be passed as additional argument
430 * to the callback function.
431 * @param host_info (Optional) A dictionary containing host information to
432 * send to the device when finalizing the CU pairing. The supplied
433 * values will override the default values gathered for the current host.
434 * @param acl (Optional) A dictionary containing ACL information. Currently
435 * only com.apple.ScreenCapture:true and com.apple.developer:true are known
436 * valid ACL values, which are used as default when NULL is passed.
437 *
438 * @return LOCKDOWN_E_SUCCESS on success, LOCKDOWN_E_INVALID_ARG if one of the
439 * parameters is invalid, LOCKDOWN_E_PAIRING_FAILED if the pairing failed,
440 * or a LOCKDOWN_E_* error code otherwise.
441 */
442lockdownd_error_t lockdownd_cu_pairing_create(lockdownd_client_t client, lockdownd_cu_pairing_cb_t pairing_callback, void* cb_user_data, plist_t host_info, plist_t acl);
443
444/**
445 * Sends a request via lockdown client with established CU pairing session
446 * and attempts to retrieve a reply. This function is used internally
447 * by lockdownd_get_value_cu() and lockdownd_pair_cu(), but exposed here to
448 * allow custom requests being sent and their replies being received.
449 *
450 * @param client A lockdown client with an established CU pairing.
451 * @param request The request to perform.
452 * @param request_payload The payload for the request.
453 * @param reply (Optional) If not NULL, the plist_t will be set to the reply
454 * dictionary that has been received. Consumer is responsible to free it
455 * using plist_free() when no longer required.
456 *
457 * @return LOCKDOWN_E_SUCCESS on success, LOCKDOWN_E_INVALID_ARG if one of the
458 * parameters is invalid, LOCKDOWN_E_NO_RUNNING_SESSION if the current
459 * lockdown client does not have an established CU pairing session,
460 * or a LOCKDOWN_E_* error code otherwise.
461 */
462lockdownd_error_t lockdownd_cu_send_request_and_get_reply(lockdownd_client_t client, const char* request, plist_t request_payload, plist_t* reply);
463
464/**
465 * Retrieves a value using an optional domain and/or key name from a lockdown
466 * client with established CU pairing session.
467 *
468 * This is used to retrieve values that are only accessible after a CU pairing
469 * has been established, and would otherwise only be accessible with a valid
470 * device pairing.
471 *
472 * @param client A lockdown client with an established CU pairing.
473 * @param domain The domain to query on or NULL for global domain
474 * @param key The key name to request or NULL to query for all keys
475 * @param value A plist node representing the result value node
476 *
477 * @return LOCKDOWN_E_SUCCESS on success, LOCKDOWN_E_INVALID_ARG if one of the
478 * parameters is invalid, LOCKDOWN_E_NO_RUNNING_SESSION if the current
479 * lockdown client does not have an established CU pairing session,
480 * or a LOCKDOWN_E_* error code otherwise.
481 */
482lockdownd_error_t lockdownd_get_value_cu(lockdownd_client_t client, const char* domain, const char* key, plist_t* value);
483
484/**
485 * Perform a device pairing with a lockdown client that has an established
486 * CU pairing session.
487 *
488 * @param client A lockdown client with an established CU pairing.
489 *
490 * @return LOCKDOWN_E_SUCCESS on success, LOCKDOWN_E_INVALID_ARG when client
491 * is NULL, LOCKDOWN_E_NO_RUNNING_SESSION if the current lockdown client
492 * does not have an established CU pairing session, or a LOCKDOWN_E_* error
493 * code otherwise.
494 */
495lockdownd_error_t lockdownd_pair_cu(lockdownd_client_t client);
496
497
402/* Helper */ 498/* Helper */
403 499
404/** 500/**
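Review bot: The `@param value` line of `lockdownd_get_value_cu()` in the second hunk does not say who owns the returned node, while the neighbouring `lockdownd_cu_send_request_and_get_reply()` docs spell out that the consumer must `plist_free()` the reply; the two should agree. If `value` follows the same convention, change the line to `@param value A plist node representing the result value node. Consumer is responsible to free it using plist_free() when no longer required.` The same hunk misspells the function name in the `lockdownd_cu_pairing_create()` description, `lockdonwd_pair_cu()` should read `lockdownd_pair_cu()`.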
diff --git a/src/Makefile.am b/src/Makefile.am
index 106eef7..13221b9 100644
--- a/src/Makefile.am
+++ b/src/Makefile.am
@@ -1,5 +1,7 @@
1AM_CPPFLAGS = \ 1AM_CPPFLAGS = \
2 -I$(top_srcdir)/include \ 2 -I$(top_srcdir)/include \
3 -I$(top_srcdir)/3rd_party/libsrp6a-sha512 \
4 -I$(top_srcdir)/3rd_party/ed25519 \
3 -I$(top_srcdir) 5 -I$(top_srcdir)
4 6
5AM_CFLAGS = \ 7AM_CFLAGS = \
@@ -20,13 +22,20 @@ AM_LDFLAGS = \
20 22
21lib_LTLIBRARIES = libimobiledevice-1.0.la 23lib_LTLIBRARIES = libimobiledevice-1.0.la
22libimobiledevice_1_0_la_LIBADD = $(top_builddir)/common/libinternalcommon.la 24libimobiledevice_1_0_la_LIBADD = $(top_builddir)/common/libinternalcommon.la
25if HAVE_WIRELESS_PAIRING
26libimobiledevice_1_0_la_LIBADD += $(top_builddir)/3rd_party/ed25519/libed25519.la $(top_builddir)/3rd_party/libsrp6a-sha512/libsrp6a-sha512.la
27endif
23libimobiledevice_1_0_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(LIBIMOBILEDEVICE_SO_VERSION) -no-undefined 28libimobiledevice_1_0_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(LIBIMOBILEDEVICE_SO_VERSION) -no-undefined
29if DARWIN
30libimobiledevice_1_0_la_LDFLAGS += -framework CoreFoundation -framework SystemConfiguration
31endif
24libimobiledevice_1_0_la_SOURCES = \ 32libimobiledevice_1_0_la_SOURCES = \
25 idevice.c idevice.h \ 33 idevice.c idevice.h \
26 service.c service.h \ 34 service.c service.h \
27 property_list_service.c property_list_service.h \ 35 property_list_service.c property_list_service.h \
28 device_link_service.c device_link_service.h \ 36 device_link_service.c device_link_service.h \
29 lockdown.c lockdown.h \ 37 lockdown.c lockdown.h \
38 lockdown-cu.c \
30 afc.c afc.h \ 39 afc.c afc.h \
31 file_relay.c file_relay.h \ 40 file_relay.c file_relay.h \
32 notification_proxy.c notification_proxy.h \ 41 notification_proxy.c notification_proxy.h \
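Review bot: The two `-I$(top_srcdir)/3rd_party/...` entries in the first hunk are added to AM_CPPFLAGS unconditionally, while the matching libraries are only added to LIBADD inside `if HAVE_WIRELESS_PAIRING` in the second hunk. If the 3rd_party headers are only needed when wireless pairing is built (lockdown-cu.c appears to wrap its extra includes in `#ifdef HAVE_WIRELESS_PAIRING`), moving the two include paths into the same conditional with `AM_CPPFLAGS += ...` keeps the preprocessor flags consistent with the link flags and avoids exposing vendored headers to the rest of the build when the feature is disabled.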
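--- a/src/idevice.c
+++ b/src/idevice.c
@@ -52,6 +52,7 @@
 #include <libimobiledevice-glue/thread.h>
 
 #include "idevice.h"
+#include "lockdown.h"
 #include "common/userpref.h"
 #include "common/debug.h"
 
@@ -864,7 +865,9 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_get_udid(idevice_t device, char **u
 	if (!device || !udid)
 		return IDEVICE_E_INVALID_ARG;
 
-	*udid = strdup(device->udid);
+	if (device->udid) {
+		*udid = strdup(device->udid);
+	}
 	return IDEVICE_E_SUCCESS;
 }
 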
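Review bot: With the new guard, `*udid` is left untouched when `device->udid` is NULL and the function still returns IDEVICE_E_SUCCESS, so a caller that did not pre-initialise its pointer reads an indeterminate value; a failed `strdup()` is likewise reported as success with `*udid` set to NULL. Add `*udid = NULL;` before the `if` so the out-parameter is always defined, and check the `strdup()` result inside the `if` so an allocation failure is returned as an error rather than success. The signature of idevice_get_udid is above the hunk.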
diff --git a/src/lockdown-cu.c b/src/lockdown-cu.c
new file mode 100644
index 0000000..cdaf02c
--- /dev/null
+++ b/src/lockdown-cu.c
@@ -0,0 +1,1192 @@
1/*
2 * lockdown-cu.c
3 * com.apple.mobile.lockdownd service CU additions
4 *
5 * Copyright (c) 2021 Nikias Bassen, All Rights Reserved.
6 *
7 * This library is free software; you can redistribute it and/or
8 * modify it under the terms of the GNU Lesser General Public
9 * License as published by the Free Software Foundation; either
10 * version 2.1 of the License, or (at your option) any later version.
11 *
12 * This library is distributed in the hope that it will be useful,
13 * but WITHOUT ANY WARRANTY; without even the implied warranty of
14 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
15 * Lesser General Public License for more details.
16 *
17 * You should have received a copy of the GNU Lesser General Public
18 * License along with this library; if not, write to the Free Software
19 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
20 */
21
22#ifdef HAVE_CONFIG_H
23#include <config.h>
24#endif
25
26#include <string.h>
27#include <stdlib.h>
28#define _GNU_SOURCE 1
29#define __USE_GNU 1
30#include <stdio.h>
31#include <ctype.h>
32#include <unistd.h>
33#include <plist/plist.h>
34
35#include "idevice.h"
36#include "lockdown.h"
37#include "common/debug.h"
38
39#ifdef HAVE_WIRELESS_PAIRING
40
41#include <libimobiledevice-glue/utils.h>
42#include <libimobiledevice-glue/socket.h>
43#include <libimobiledevice-glue/opack.h>
44#include <libimobiledevice-glue/tlv.h>
45
46#if defined(HAVE_OPENSSL)
47#include <openssl/hmac.h>
48#include <openssl/evp.h>
49#include <openssl/rand.h>
50#if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2030200fL)
51#include <openssl/chacha.h>
52#include <openssl/poly1305.h>
53#endif
54#elif defined(HAVE_GCRYPT)
55#include <gcrypt.h>
56#elif defined(HAVE_MBEDTLS)
57#include <mbedtls/md.h>
58#include <mbedtls/chachapoly.h>
59#endif
60
61#ifdef __APPLE__
62#include <sys/sysctl.h>
63#include <SystemConfiguration/SystemConfiguration.h>
64#include <CoreFoundation/CoreFoundation.h>
65#endif
66
67#include "property_list_service.h"
68#include "common/userpref.h"
69
70#include "endianness.h"
71
72#include "srp.h"
73#include "ed25519.h"
74
75/* {{{ SRP6a parameters */
76static const unsigned char kSRPModulus3072[384] = {
77 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x0f, 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34,
78 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1, 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74,
79 0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22, 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd,
80 0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, 0x30, 0x2b, 0x0a, 0x6d, 0xf2, 0x5f, 0x14, 0x37,
81 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45, 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6,
82 0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x37, 0xed, 0x6b, 0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed,
83 0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5, 0xae, 0x9f, 0x24, 0x11, 0x7c, 0x4b, 0x1f, 0xe6,
84 0x49, 0x28, 0x66, 0x51, 0xec, 0xe4, 0x5b, 0x3d, 0xc2, 0x00, 0x7c, 0xb8, 0xa1, 0x63, 0xbf, 0x05,
85 0x98, 0xda, 0x48, 0x36, 0x1c, 0x55, 0xd3, 0x9a, 0x69, 0x16, 0x3f, 0xa8, 0xfd, 0x24, 0xcf, 0x5f,
86 0x83, 0x65, 0x5d, 0x23, 0xdc, 0xa3, 0xad, 0x96, 0x1c, 0x62, 0xf3, 0x56, 0x20, 0x85, 0x52, 0xbb,
87 0x9e, 0xd5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6d, 0x67, 0x0c, 0x35, 0x4e, 0x4a, 0xbc, 0x98, 0x04,
88 0xf1, 0x74, 0x6c, 0x08, 0xca, 0x18, 0x21, 0x7c, 0x32, 0x90, 0x5e, 0x46, 0x2e, 0x36, 0xce, 0x3b,
89 0xe3, 0x9e, 0x77, 0x2c, 0x18, 0x0e, 0x86, 0x03, 0x9b, 0x27, 0x83, 0xa2, 0xec, 0x07, 0xa2, 0x8f,
90 0xb5, 0xc5, 0x5d, 0xf0, 0x6f, 0x4c, 0x52, 0xc9, 0xde, 0x2b, 0xcb, 0xf6, 0x95, 0x58, 0x17, 0x18,
91 0x39, 0x95, 0x49, 0x7c, 0xea, 0x95, 0x6a, 0xe5, 0x15, 0xd2, 0x26, 0x18, 0x98, 0xfa, 0x05, 0x10,
92 0x15, 0x72, 0x8e, 0x5a, 0x8a, 0xaa, 0xc4, 0x2d, 0xad, 0x33, 0x17, 0x0d, 0x04, 0x50, 0x7a, 0x33,
93 0xa8, 0x55, 0x21, 0xab, 0xdf, 0x1c, 0xba, 0x64, 0xec, 0xfb, 0x85, 0x04, 0x58, 0xdb, 0xef, 0x0a,
94 0x8a, 0xea, 0x71, 0x57, 0x5d, 0x06, 0x0c, 0x7d, 0xb3, 0x97, 0x0f, 0x85, 0xa6, 0xe1, 0xe4, 0xc7,
95 0xab, 0xf5, 0xae, 0x8c, 0xdb, 0x09, 0x33, 0xd7, 0x1e, 0x8c, 0x94, 0xe0, 0x4a, 0x25, 0x61, 0x9d,
96 0xce, 0xe3, 0xd2, 0x26, 0x1a, 0xd2, 0xee, 0x6b, 0xf1, 0x2f, 0xfa, 0x06, 0xd9, 0x8a, 0x08, 0x64,
97 0xd8, 0x76, 0x02, 0x73, 0x3e, 0xc8, 0x6a, 0x64, 0x52, 0x1f, 0x2b, 0x18, 0x17, 0x7b, 0x20, 0x0c,
98 0xbb, 0xe1, 0x17, 0x57, 0x7a, 0x61, 0x5d, 0x6c, 0x77, 0x09, 0x88, 0xc0, 0xba, 0xd9, 0x46, 0xe2,
99 0x08, 0xe2, 0x4f, 0xa0, 0x74, 0xe5, 0xab, 0x31, 0x43, 0xdb, 0x5b, 0xfc, 0xe0, 0xfd, 0x10, 0x8e,
100 0x4b, 0x82, 0xd1, 0x20, 0xa9, 0x3a, 0xd2, 0xca, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
101};
102
103static const unsigned char kSRPGenerator5 = 5;
104/* }}} */
105
106/* {{{ HKDF */
107#if defined(HAVE_OPENSSL)
108#define MD_ALGO_SHA512 EVP_sha512()
109typedef const EVP_MD* MD_ALGO_TYPE_T;
110#define MD_ALGO_DIGEST_SIZE EVP_MD_size
111#define MD_MAX_DIGEST_SIZE EVP_MAX_MD_SIZE
112
113#elif defined(HAVE_GCRYPT)
114#define MD_ALGO_SHA512 GCRY_MD_SHA512
115typedef int MD_ALGO_TYPE_T;
116#define MD_ALGO_DIGEST_SIZE gcry_md_get_algo_dlen
117#define MD_MAX_DIGEST_SIZE 64
118
119static void HMAC(MD_ALGO_TYPE_T md, unsigned char* key, unsigned int key_len, unsigned char* data, unsigned int data_len, unsigned char* out, unsigned int* out_len)
120{
121 gcry_md_hd_t hd;
122 if (gcry_md_open(&hd, md, GCRY_MD_FLAG_HMAC)) {
123 debug_info("gcry_md_open() failed");
124 return;
125 }
126 if (gcry_md_setkey(hd, key, key_len)) {
127 gcry_md_close (hd);
128 debug_info("gcry_md_setkey() failed");
129 return;
130 }
131 gcry_md_write(hd, data, data_len);
132
133 unsigned char* digest = gcry_md_read(hd, md);
134 if (!digest) {
135 gcry_md_close(hd);
136 debug_info("gcry_md_read() failed");
137 return;
138 }
139
140 *out_len = gcry_md_get_algo_dlen(md);
141 memcpy(out, digest, *out_len);
142 gcry_md_close(hd);
143}
144#elif defined(HAVE_MBEDTLS)
145#define MD_ALGO_SHA512 MBEDTLS_MD_SHA512
146typedef mbedtls_md_type_t MD_ALGO_TYPE_T;
147#define MD_ALGO_DIGEST_SIZE(x) mbedtls_md_get_size(mbedtls_md_info_from_type(x))
148#define MD_MAX_DIGEST_SIZE MBEDTLS_MD_MAX_SIZE
149
150static void HMAC(MD_ALGO_TYPE_T md, unsigned char* key, unsigned int key_len, unsigned char* data, unsigned int data_len, unsigned char* out, unsigned int* out_len)
151{
152 mbedtls_md_context_t mdctx;
153 mbedtls_md_init(&mdctx);
154 int mr = mbedtls_md_setup(&mdctx, mbedtls_md_info_from_type(md), 1);
155 if (mr != 0) {
156 debug_info("mbedtls_md_setup() failed: %d", mr);
157 return;
158 }
159
160 mr = mbedtls_md_hmac_starts(&mdctx, key, key_len);
161 if (mr != 0) {
162 mbedtls_md_free(&mdctx);
163 debug_info("mbedtls_md_hmac_starts() failed: %d", mr);
164 return;
165 }
166
167 mbedtls_md_hmac_update(&mdctx, data, data_len);
168
169 mr = mbedtls_md_hmac_finish(&mdctx, out);
170 if (mr == 0) {
171 *out_len = mbedtls_md_get_size(mbedtls_md_info_from_type(md));
172 } else {
173 debug_info("mbedtls_md_hmac_finish() failed: %d", mr);
174 }
175 mbedtls_md_free(&mdctx);
176}
177#endif
178
179static void hkdf_md_extract(MD_ALGO_TYPE_T md, unsigned char* salt, unsigned int salt_len, unsigned char* input_key_material, unsigned int input_key_material_len, unsigned char* out, unsigned int* out_len)
180{
181 unsigned char empty_salt[MD_MAX_DIGEST_SIZE];
182 if (!md || !out || !out_len || !*out_len) return;
183 if (salt_len == 0) {
184 salt_len = MD_ALGO_DIGEST_SIZE(md);
185 salt = (unsigned char*)empty_salt;
186 }
187 HMAC(md, salt, salt_len, input_key_material, input_key_material_len, out, out_len);
188}
189
190static void hkdf_md_expand(MD_ALGO_TYPE_T md, unsigned char* prk, unsigned int prk_len, unsigned char* info, unsigned int info_len, unsigned char* out, unsigned int* out_len)
191{
192 if (!md || !out || !out_len || !*out_len) return;
193 unsigned int md_size = MD_ALGO_DIGEST_SIZE(md);
194 if (*out_len > 255 * md_size) {
195 *out_len = 0;
196 return;
197 }
198 int blocks_needed = (*out_len) / md_size;
199 if (((*out_len) % md_size) != 0) blocks_needed++;
200 unsigned int okm_len = 0;
201 unsigned char okm_block[MD_MAX_DIGEST_SIZE];
202 unsigned int okm_block_len = 0;
203 int i;
204 for (i = 0; i < blocks_needed; i++) {
205 unsigned int output_block_len = okm_block_len + info_len + 1;
206 unsigned char* output_block = malloc(output_block_len);
207 if (okm_block_len > 0) {
208 memcpy(output_block, okm_block, okm_block_len);
209 }
210 memcpy(output_block + okm_block_len, info, info_len);
211 output_block[okm_block_len + info_len] = (uint8_t)(i+1);
212
213 HMAC(md, prk, prk_len, output_block, output_block_len, okm_block, &okm_block_len);
214 if (okm_len < *out_len) {
215 memcpy(out + okm_len, okm_block, (okm_len + okm_block_len > *out_len) ? *out_len - okm_len : okm_block_len);
216 }
217 okm_len += okm_block_len;
218 free(output_block);
219 }
220}
221
222static void hkdf_md(MD_ALGO_TYPE_T md, unsigned char* salt, unsigned int salt_len, unsigned char* info, unsigned int info_len, unsigned char* initial_key_material, unsigned int initial_key_material_size, unsigned char* out, unsigned int *out_len)
223{
224 if (!md || !initial_key_material || !out || !out_len || !*out_len) return;
225
226 unsigned char prk[MD_MAX_DIGEST_SIZE];
227 unsigned int prk_len = MD_ALGO_DIGEST_SIZE(md);
228
229 hkdf_md_extract(md, salt, salt_len, initial_key_material, initial_key_material_size, prk, &prk_len);
230 if (prk_len > 0) {
231 hkdf_md_expand(md, prk, prk_len, info, info_len, out, out_len);
232 } else {
233 *out_len = 0;
234 }
235}
236/* }}} */
237
238/* {{{ chacha20 poly1305 encryption/decryption */
239#if defined(HAVE_OPENSSL) && defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2030200fL)
240/* {{{ From: OpenBSD's e_chacha20poly1305.c */
241/*
242 * Copyright (c) 2015 Reyk Floter <reyk@openbsd.org>
243 * Copyright (c) 2014, Google Inc.
244 *
245 * Permission to use, copy, modify, and/or distribute this software for any
246 * purpose with or without fee is hereby granted, provided that the above
247 * copyright notice and this permission notice appear in all copies.
248 *
249 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
250 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
251 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY
252 * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
253 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
254 * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
255 * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
256 */
257static void
258poly1305_update_with_length(poly1305_state *poly1305,
259 const unsigned char *data, size_t data_len)
260{
261 size_t j = data_len;
262 unsigned char length_bytes[8];
263 unsigned i;
264
265 for (i = 0; i < sizeof(length_bytes); i++) {
266 length_bytes[i] = j;
267 j >>= 8;
268 }
269
270 if (data != NULL)
271 CRYPTO_poly1305_update(poly1305, data, data_len);
272 CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes));
273}
274
275static void
276poly1305_update_with_pad16(poly1305_state *poly1305,
277 const unsigned char *data, size_t data_len)
278{
279 static const unsigned char zero_pad16[16];
280 size_t pad_len;
281
282 CRYPTO_poly1305_update(poly1305, data, data_len);
283
284 /* pad16() is defined in RFC 7539 2.8.1. */
285 if ((pad_len = data_len % 16) == 0)
286 return;
287
288 CRYPTO_poly1305_update(poly1305, zero_pad16, 16 - pad_len);
289}
290/* }}} */
291#endif
292
293static void chacha20_poly1305_encrypt_96(unsigned char* key, unsigned char* nonce, unsigned char* ad, size_t ad_len, unsigned char* in, size_t in_len, unsigned char* out, size_t* out_len)
294{
295#if defined(HAVE_OPENSSL)
296#if defined(LIBRESSL_VERSION_NUMBER)
297#if (LIBRESSL_VERSION_NUMBER >= 0x2040000fL)
298 const EVP_AEAD *aead = EVP_aead_chacha20_poly1305();
299 EVP_AEAD_CTX ctx;
300 EVP_AEAD_CTX_init(&ctx, aead, key, EVP_AEAD_key_length(aead), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL);
301 EVP_AEAD_CTX_seal(&ctx, out, out_len, *out_len, nonce, 12, in, in_len, ad, ad_len);
302#else
303 unsigned char poly1305_key[32];
304 poly1305_state poly1305;
305 uint64_t ctr = (uint64_t)(nonce[0] | nonce[1] << 8 | nonce[2] << 16 | nonce[3] << 24) << 32;
306 const unsigned char* iv = nonce + 4;
307
308 memset(poly1305_key, 0, sizeof(poly1305_key));
309 CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), key, iv, ctr);
310
311 CRYPTO_poly1305_init(&poly1305, poly1305_key);
312 poly1305_update_with_pad16(&poly1305, ad, ad_len);
313 CRYPTO_chacha_20(out, in, in_len, key, iv, ctr + 1);
314 poly1305_update_with_pad16(&poly1305, out, in_len);
315 poly1305_update_with_length(&poly1305, NULL, ad_len);
316 poly1305_update_with_length(&poly1305, NULL, in_len);
317
318 CRYPTO_poly1305_finish(&poly1305, out + in_len);
319
320 *out_len = in_len + 16;
321#endif
322#elif defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
323 int outl = 0;
324 EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new();
325 EVP_EncryptInit_ex(ctx, EVP_chacha20_poly1305(), NULL, key, nonce);
326 EVP_EncryptUpdate(ctx, out, &outl, in, in_len);
327 *out_len = outl;
328 outl = 0;
329 EVP_EncryptFinal_ex(ctx, out + *out_len, &outl);
330 *out_len += outl;
331 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, out + *out_len);
332 EVP_CIPHER_CTX_free(ctx);
333 *out_len += 16;
334#else
335#error Please use a newer version of OpenSSL (>= 1.1.0)
336#endif
337#elif defined(HAVE_GCRYPT)
338#if defined(GCRYPT_VERSION_NUMBER) && (GCRYPT_VERSION_NUMBER >= 0x010700)
339 gcry_cipher_hd_t hd;
340 if (gcry_cipher_open(&hd, GCRY_CIPHER_CHACHA20, GCRY_CIPHER_MODE_POLY1305, 0)) {
341 debug_info("gcry_cipher_open() failed");
342 return;
343 }
344 gcry_cipher_setkey(hd, key, 32);
345 gcry_cipher_setiv(hd, nonce, 12);
346 gcry_cipher_authenticate(hd, ad, ad_len);
347 *out_len = in_len + 16;
348 if (gcry_cipher_encrypt(hd, out, *out_len, in, in_len)) {
349 *out_len = 0;
350 }
351 gcry_cipher_gettag(hd, out+in_len, 16);
352 gcry_cipher_close(hd);
353#else
354#error Please use a newer version of libgcrypt (>= 1.7.0)
355#endif
356#elif defined (HAVE_MBEDTLS)
357 mbedtls_chachapoly_context ctx;
358 mbedtls_chachapoly_init(&ctx);
359 mbedtls_chachapoly_setkey(&ctx, key);
360 if (mbedtls_chachapoly_encrypt_and_tag(&ctx, in_len, nonce, ad, ad_len, in, out, out+in_len) != 0) {
361 *out_len = 0;
362 }
363 mbedtls_chachapoly_free(&ctx);
364#else
365#error chacha20_poly1305_encrypt_96 is not implemented
366#endif
367}
368
369static void chacha20_poly1305_encrypt_64(unsigned char* key, unsigned char* nonce, unsigned char* ad, size_t ad_len, unsigned char* in, size_t in_len, unsigned char* out, size_t* out_len)
370{
371 unsigned char _nonce[12];
372 *(uint32_t*)(&_nonce[0]) = 0;
373 memcpy(&_nonce[4], nonce, 8);
374 chacha20_poly1305_encrypt_96(key, _nonce, ad, ad_len, in, in_len, out, out_len);
375}
376
377static void chacha20_poly1305_decrypt_96(unsigned char* key, unsigned char* nonce, unsigned char* ad, size_t ad_len, unsigned char* in, size_t in_len, unsigned char* out, size_t* out_len)
378{
379#if defined(HAVE_OPENSSL)
380#if defined(LIBRESSL_VERSION_NUMBER)
381#if (LIBRESSL_VERSION_NUMBER >= 0x2040000fL)
382 const EVP_AEAD *aead = EVP_aead_chacha20_poly1305();
383 EVP_AEAD_CTX ctx;
384 EVP_AEAD_CTX_init(&ctx, aead, key, EVP_AEAD_key_length(aead), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL);
385 EVP_AEAD_CTX_open(&ctx, out, out_len, *out_len, nonce, 12, in, in_len, ad, ad_len);
386#else
387 unsigned char mac[16];
388 unsigned char poly1305_key[32];
389 poly1305_state poly1305;
390 size_t plaintext_len = in_len - 16;
391 uint64_t ctr = (uint64_t)(nonce[0] | nonce[1] << 8 | nonce[2] << 16 | nonce[3] << 24) << 32;
392 const unsigned char *iv = nonce + 4;
393
394 memset(poly1305_key, 0, sizeof(poly1305_key));
395 CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), key, iv, ctr);
396
397 CRYPTO_poly1305_init(&poly1305, poly1305_key);
398 poly1305_update_with_pad16(&poly1305, ad, ad_len);
399 poly1305_update_with_pad16(&poly1305, in, plaintext_len);
400 poly1305_update_with_length(&poly1305, NULL, ad_len);
401 poly1305_update_with_length(&poly1305, NULL, plaintext_len);
402
403 CRYPTO_poly1305_finish(&poly1305, mac);
404
405 if (memcmp(mac, in + plaintext_len, 16) != 0) {
406 *out_len = 0;
407 return;
408 }
409
410 CRYPTO_chacha_20(out, in, plaintext_len, key, iv, ctr + 1);
411 *out_len = plaintext_len;
412#endif
413#elif defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L)
414 int outl = 0;
415 size_t plaintext_len = in_len - 16;
416 EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new();
417 EVP_DecryptInit_ex(ctx, EVP_chacha20_poly1305(), NULL, key, nonce);
418 EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, in + plaintext_len);
419 EVP_DecryptUpdate(ctx, out, &outl, in, plaintext_len);
420 *out_len = outl;
421 outl = 0;
422 if (EVP_DecryptFinal_ex(ctx, out + *out_len, &outl) == 1) {
423 *out_len += outl;
424 } else {
425 *out_len = 0;
426 }
427 EVP_CIPHER_CTX_free(ctx);
428#else
429#error Please use a newer version of OpenSSL (>= 1.1.0)
430#endif
431#elif defined(HAVE_GCRYPT)
432#if defined(GCRYPT_VERSION_NUMBER) && (GCRYPT_VERSION_NUMBER >= 0x010700)
433 gcry_cipher_hd_t hd;
434 if (gcry_cipher_open(&hd, GCRY_CIPHER_CHACHA20, GCRY_CIPHER_MODE_POLY1305, 0)) {
435 debug_info("gcry_cipher_open() failed");
436 return;
437 }
438 gcry_cipher_setkey(hd, key, 32);
439 gcry_cipher_setiv(hd, nonce, 12);
440 gcry_cipher_authenticate(hd, ad, ad_len);
441 unsigned int plaintext_len = in_len - 16;
442 gcry_cipher_decrypt(hd, out, *out_len, in, plaintext_len);
443 if (gcry_cipher_checktag(hd, in + plaintext_len, 16) == 0) {
444 *out_len = plaintext_len;
445 } else {
446 *out_len = 0;
447 }
448 gcry_cipher_close(hd);
449#else
450#error Please use a newer version of libgcrypt (>= 1.7.0)
451#endif
452#elif defined(HAVE_MBEDTLS)
453 mbedtls_chachapoly_context ctx;
454 mbedtls_chachapoly_init(&ctx);
455 mbedtls_chachapoly_setkey(&ctx, key);
456 unsigned int plaintext_len = in_len - 16;
457 if (mbedtls_chachapoly_auth_decrypt(&ctx, plaintext_len, nonce, ad, ad_len, in + plaintext_len, in, out) == 0) {
458 *out_len = plaintext_len;
459 } else {
460 *out_len = 0;
461 }
462 mbedtls_chachapoly_free(&ctx);
463#else
464#error chacha20_poly1305_decrypt_96 is not implemented
465#endif
466}
467
468static void chacha20_poly1305_decrypt_64(unsigned char* key, unsigned char* nonce, unsigned char* ad, size_t ad_len, unsigned char* in, size_t in_len, unsigned char* out, size_t* out_len)
469{
470 unsigned char _nonce[12];
471 *(uint32_t*)(&_nonce[0]) = 0;
472 memcpy(&_nonce[4], nonce, 8);
473 chacha20_poly1305_decrypt_96(key, _nonce, ad, ad_len, in, in_len, out, out_len);
474}
475/* }}} */
476
477#define PAIRING_ERROR(x) \
478 debug_info(x); \
479 if (pairing_callback) { \
480 pairing_callback(LOCKDOWN_CU_PAIRING_ERROR, cb_user_data, (char*)x, NULL); \
481 }
482
483#define PAIRING_ERROR_FMT(...) \
484 sprintf(tmp, __VA_ARGS__); \
485 debug_info(tmp); \
486 if (pairing_callback) { \
487 pairing_callback(LOCKDOWN_CU_PAIRING_ERROR, cb_user_data, tmp, NULL); \
488 }
489
490#endif /* HAVE_WIRELESS_PAIRING */
491
492LIBIMOBILEDEVICE_API lockdownd_error_t lockdownd_cu_pairing_create(lockdownd_client_t client, lockdownd_cu_pairing_cb_t pairing_callback, void* cb_user_data, plist_t host_info, plist_t acl)
493{
494#ifdef HAVE_WIRELESS_PAIRING
495 if (!client || !pairing_callback || (host_info && plist_get_node_type(host_info) != PLIST_DICT) || (acl && plist_get_node_type(acl) != PLIST_DICT))
496 return LOCKDOWN_E_INVALID_ARG;
497
498 lockdownd_error_t ret = LOCKDOWN_E_UNKNOWN_ERROR;
499
500 if (client->device && client->device->version == 0) {
501 plist_t p_version = NULL;
502 if (lockdownd_get_value(client, NULL, "ProductVersion", &p_version) == LOCKDOWN_E_SUCCESS) {
503 int vers[3] = {0, 0, 0};
504 char *s_version = NULL;
505 plist_get_string_val(p_version, &s_version);
506 if (s_version && sscanf(s_version, "%d.%d.%d", &vers[0], &vers[1], &vers[2]) >= 2) {
507 client->device->version = DEVICE_VERSION(vers[0], vers[1], vers[2]);
508 }
509 free(s_version);
510 }
511 plist_free(p_version);
512 }
513
514 char* pairing_uuid = NULL;
515 if (host_info) {
516 plist_t accountid = plist_dict_get_item(host_info, "accountID");
517 if (accountid && plist_get_node_type(accountid) == PLIST_STRING) {
518 plist_get_string_val(accountid, &pairing_uuid);
519 }
520 }
521 if (!pairing_uuid) {
522 userpref_read_system_buid(&pairing_uuid);
523 }
524 if (!pairing_uuid) {
525 pairing_uuid = generate_uuid();
526 }
527 unsigned int pairing_uuid_len = strlen(pairing_uuid);
528
529 SRP_initialize_library();
530
531 SRP* srp = SRP_new(SRP6a_sha512_client_method());
532 if (!srp) {
533 PAIRING_ERROR("Failed to initialize SRP")
534 return LOCKDOWN_E_UNKNOWN_ERROR;
535 }
536
537 char tmp[256];
538 plist_t dict = NULL;
539 uint8_t current_state = 0;
540 uint8_t final_state = 6;
541
542 unsigned char* salt = NULL;
543 unsigned int salt_size = 0;
544 unsigned char* pubkey = NULL;
545 unsigned int pubkey_size = 0;
546
547 unsigned char setup_encryption_key[32];
548
549 cstr *thekey = NULL;
550
551 do {
552 current_state++;
553
554 dict = plist_new_dict();
555 plist_dict_set_item(dict, "Request", plist_new_string("CUPairingCreate"));
556 if (current_state == 1) {
557 plist_dict_set_item(dict, "Flags", plist_new_uint(1));
558 } else {
559 plist_dict_set_item(dict, "Flags", plist_new_uint(0));
560 }
561
562 tlv_buf_t tlv = tlv_buf_new();
563
564 if (current_state == 1) {
565 /* send method */
566 tlv_buf_append(tlv, 0x00, 1, (void*)"\x00"); // 0x00 (Method), 1 bytes, 00
567 } else if (current_state == 3) {
568 /* generate public key */
569 cstr* own_pub = NULL;
570 SRP_gen_pub(srp, &own_pub);
571
572 if (!own_pub) {
573 PAIRING_ERROR("[SRP] Failed to generate public key")
574 ret = LOCKDOWN_E_PAIRING_FAILED;
575 break;
576 }
577
578 /* compute key from remote's public key */
579 if (SRP_compute_key(srp, &thekey, pubkey, pubkey_size) != 0) {
580 cstr_free(own_pub);
581 PAIRING_ERROR("[SRP] Failed to compute key")
582 ret = LOCKDOWN_E_PAIRING_FAILED;
583 break;
584 }
585
586 /* compute response */
587 cstr *response = NULL;
588 SRP_respond(srp, &response);
589
590 /* send our public key + response */
591 tlv_buf_append(tlv, 0x03, own_pub->length, own_pub->data);
592 tlv_buf_append(tlv, 0x04, response->length, response->data);
593 cstr_free(response);
594 cstr_free(own_pub);
595 } else if (current_state == 5) {
596 /* send encrypted info */
597
598 static const char PAIR_SETUP_ENCRYPT_SALT[] = "Pair-Setup-Encrypt-Salt";
599 static const char PAIR_SETUP_ENCRYPT_INFO[] = "Pair-Setup-Encrypt-Info";
600 static const char PAIR_SETUP_CONTROLLER_SIGN_SALT[] = "Pair-Setup-Controller-Sign-Salt";
601 static const char PAIR_SETUP_CONTROLLER_SIGN_INFO[] = "Pair-Setup-Controller-Sign-Info";
602
603 // HKDF with above computed key (SRP_compute_key) + Pair-Setup-Encrypt-Salt + Pair-Setup-Encrypt-Info
604 // result used as key for chacha20-poly1305
605 unsigned int setup_encryption_key_len = sizeof(setup_encryption_key);
606 hkdf_md(MD_ALGO_SHA512, (unsigned char*)PAIR_SETUP_ENCRYPT_SALT, sizeof(PAIR_SETUP_ENCRYPT_SALT)-1, (unsigned char*)PAIR_SETUP_ENCRYPT_INFO, sizeof(PAIR_SETUP_ENCRYPT_INFO)-1, (unsigned char*)thekey->data, thekey->length, setup_encryption_key, &setup_encryption_key_len);
607
608 unsigned char ed25519_pubkey[32];
609 unsigned char ed25519_privkey[64];
610 unsigned char ed25519seed[32];
611 ed25519_create_seed(ed25519seed);
612
613 ed25519_create_keypair(ed25519_pubkey, ed25519_privkey, ed25519seed);
614
615 unsigned int signbuf_len = pairing_uuid_len + 64;
616 unsigned char* signbuf = malloc(signbuf_len);
617 unsigned int hkdf_len = 32;
618 // HKDF with above computed key (SRP_compute_key) + Pair-Setup-Controller-Sign-Salt + Pair-Setup-Controller-Sign-Info
619 hkdf_md(MD_ALGO_SHA512, (unsigned char*)PAIR_SETUP_CONTROLLER_SIGN_SALT, sizeof(PAIR_SETUP_CONTROLLER_SIGN_SALT)-1, (unsigned char*)PAIR_SETUP_CONTROLLER_SIGN_INFO, sizeof(PAIR_SETUP_CONTROLLER_SIGN_INFO)-1, (unsigned char*)thekey->data, thekey->length, signbuf, &hkdf_len);
620
621 memcpy(signbuf + 32, pairing_uuid, pairing_uuid_len);
622 memcpy(signbuf + 32 + pairing_uuid_len, ed25519_pubkey, 32);
623
624 unsigned char ed_sig[64];
625 ed25519_sign(ed_sig, signbuf, 0x64, ed25519_pubkey, ed25519_privkey);
626
627 tlv_buf_t tlvbuf = tlv_buf_new();
628 tlv_buf_append(tlvbuf, 0x01, pairing_uuid_len, (void*)pairing_uuid);
629 tlv_buf_append(tlvbuf, 0x03, sizeof(ed25519_pubkey), ed25519_pubkey);
630 tlv_buf_append(tlvbuf, 0x0a, sizeof(ed_sig), ed_sig);
631
632 /* ACL */
633 unsigned char* odata = NULL;
634 unsigned int olen = 0;
635 if (acl) {
636 opack_encode_from_plist(acl, &odata, &olen);
637 } else {
638 /* defaut ACL */
639 plist_t acl_plist = plist_new_dict();
640 plist_dict_set_item(acl_plist, "com.apple.ScreenCapture", plist_new_bool(1));
641 plist_dict_set_item(acl_plist, "com.apple.developer", plist_new_bool(1));
642 opack_encode_from_plist(acl_plist, &odata, &olen);
643 plist_free(acl_plist);
644 }
645 tlv_buf_append(tlvbuf, 0x12, olen, odata);
646 free(odata);
647
648 /* HOST INFORMATION */
649 char hostname[256];
650#ifdef __APPLE__
651 CFStringRef cname = SCDynamicStoreCopyComputerName(NULL, NULL);
652 CFStringGetCString(cname, hostname, sizeof(hostname), kCFStringEncodingUTF8);
653 CFRelease(cname);
654#else
655#ifdef WIN32
656 DWORD hostname_len = sizeof(hostname);
657 GetComputerName(hostname, &hostname_len);
658#else
659 gethostname(hostname, sizeof(hostname));
660#endif
661#endif
662
663 char modelname[256];
664 modelname[0] = '\0';
665#ifdef __APPLE__
666 size_t len = sizeof(modelname);
667 sysctlbyname("hw.model", &modelname, &len, NULL, 0);
668#endif
669 if (strlen(modelname) == 0) {
670 strcpy(modelname, "HackbookPro13,37");
671 }
672
673 unsigned char primary_mac_addr[6] = { 0, 0, 0, 0, 0, 0 };
674 if (get_primary_mac_address(primary_mac_addr) != 0) {
675 debug_info("Failed to get primary mac address");
676 }
677 debug_info("Primary mac address: %02x:%02x:%02x:%02x:%02x:%02x\n", primary_mac_addr[0], primary_mac_addr[1], primary_mac_addr[2], primary_mac_addr[3], primary_mac_addr[4], primary_mac_addr[5]);
678
679 // "OPACK" encoded device info
680 plist_t info_plist = plist_new_dict();
681 //plist_dict_set_item(info_plist, "altIRK", plist_new_data((char*)altIRK, 16));
682 plist_dict_set_item(info_plist, "accountID", plist_new_string(pairing_uuid));
683 plist_dict_set_item(info_plist, "model", plist_new_string(modelname));
684 plist_dict_set_item(info_plist, "name", plist_new_string(hostname));
685 plist_dict_set_item(info_plist, "mac", plist_new_data((char*)primary_mac_addr, 6));
686 if (host_info) {
687 plist_dict_merge(&info_plist, host_info);
688 }
689 opack_encode_from_plist(info_plist, &odata, &olen);
690 plist_free(info_plist);
691 tlv_buf_append(tlvbuf, 0x11, olen, odata);
692 free(odata);
693
694 size_t encrypted_len = tlvbuf->length + 16;
695 unsigned char* encrypted_buf = (unsigned char*)malloc(encrypted_len);
696
697 chacha20_poly1305_encrypt_64(setup_encryption_key, (unsigned char*)"PS-Msg05", NULL, 0, tlvbuf->data, tlvbuf->length, encrypted_buf, &encrypted_len);
698
699 tlv_buf_free(tlvbuf);
700
701 tlv_buf_append(tlv, 0x05, encrypted_len, encrypted_buf);
702 free(encrypted_buf);
703 } else {
704 tlv_buf_free(tlv);
705 PAIRING_ERROR("[SRP] Invalid state");
706 ret = LOCKDOWN_E_PAIRING_FAILED;
707 break;
708 }
709 tlv_buf_append(tlv, 0x06, 1, &current_state);
710 plist_dict_set_item(dict, "Payload", plist_new_data((char*)tlv->data, tlv->length));
711 tlv_buf_free(tlv);
712
713 plist_dict_set_item(dict, "Label", plist_new_string(client->label));
714 plist_dict_set_item(dict, "ProtocolVersion", plist_new_uint(2));
715
716 ret = lockdownd_send(client, dict);
717 plist_free(dict);
718 dict = NULL;
719
720 if (ret != LOCKDOWN_E_SUCCESS) {
721 break;
722 }
723
724 current_state++;
725
726 ret = lockdownd_receive(client, &dict);
727 if (ret != LOCKDOWN_E_SUCCESS) {
728 break;
729 }
730 ret = lockdown_check_result(dict, "CUPairingCreate");
731 if (ret != LOCKDOWN_E_SUCCESS) {
732 break;
733 }
734
735 plist_t extresp = plist_dict_get_item(dict, "ExtendedResponse");
736 if (!extresp) {
737 ret = LOCKDOWN_E_PLIST_ERROR;
738 break;
739 }
740 plist_t blob = plist_dict_get_item(extresp, "Payload");
741 if (!blob) {
742 ret = LOCKDOWN_E_PLIST_ERROR;
743 break;
744 }
745 uint64_t data_len = 0;
746 const char* data = plist_get_data_ptr(blob, &data_len);
747
748 uint8_t state = 0;
749 if (!tlv_data_get_uint8(data, data_len, 0x06, &state)) {
750 PAIRING_ERROR("[SRP] ERROR: Could not find state in response");
751 ret = LOCKDOWN_E_PAIRING_FAILED;
752 break;
753 }
754 if (state != current_state) {
755 PAIRING_ERROR_FMT("[SRP] ERROR: Unexpected state %d, expected %d", state, current_state);
756 ret = LOCKDOWN_E_PAIRING_FAILED;
757 break;
758 }
759
760 unsigned int errval = 0;
761 uint64_t u64val = 0;
762 tlv_data_get_uint(data, data_len, 0x07, &u64val);
763debug_buffer(data, data_len);
764 errval = (unsigned int)u64val;
765 if (errval > 0) {
766 if (errval == 3) {
767 u64val = 0;
768 tlv_data_get_uint(data, data_len, 0x08, &u64val);
769 if (u64val > 0) {
770 uint32_t retry_delay = (uint32_t)u64val;
771 PAIRING_ERROR_FMT("[SRP] Pairing is blocked for another %u seconds", retry_delay)
772 ret = LOCKDOWN_E_PAIRING_FAILED;
773 break;
774 }
775 } else if (errval == 2 && state == 4) {
776 PAIRING_ERROR_FMT("[SRP] Invalid PIN")
777 ret = LOCKDOWN_E_PAIRING_FAILED;
778 break;
779 } else {
780 PAIRING_ERROR_FMT("[SRP] Received error %u in state %d.", errval, state);
781 ret = LOCKDOWN_E_PAIRING_FAILED;
782 break;
783 }
784 }
785
786 if (state == 2) {
787 /* receive salt and public key */
788 if (!tlv_data_copy_data(data, data_len, 0x02, (void**)&salt, &salt_size)) {
789 PAIRING_ERROR("[SRP] ERROR: Could not find salt in response");
790 ret = LOCKDOWN_E_PAIRING_FAILED;
791 break;
792 }
793 if (!tlv_data_copy_data(data, data_len, 0x03, (void**)&pubkey, &pubkey_size)) {
794 PAIRING_ERROR("[SRP] ERROR: Could not find public key in response");
795
796 ret = LOCKDOWN_E_PAIRING_FAILED;
797 break;
798 }
799
800 const char PAIR_SETUP[] = "Pair-Setup";
801 if (SRP_set_user_raw(srp, (const unsigned char*)PAIR_SETUP, sizeof(PAIR_SETUP)-1) != 0) {
802 PAIRING_ERROR("[SRP] Failed to set SRP user");
803 ret = LOCKDOWN_E_PAIRING_FAILED;
804 break;
805 }
806
807 /* kSRPParameters_3072_SHA512 */
808 if (SRP_set_params(srp, kSRPModulus3072, sizeof(kSRPModulus3072), &kSRPGenerator5, 1, salt, salt_size) != 0) {
809 PAIRING_ERROR("[SRP] Failed to set SRP parameters");
810 ret = LOCKDOWN_E_PAIRING_FAILED;
811 break;
812
813 }
814
815 if (pairing_callback) {
816 char pin[64];
817 unsigned int pin_len = sizeof(pin);
818 pairing_callback(LOCKDOWN_CU_PAIRING_PIN_REQUESTED, cb_user_data, pin, &pin_len);
819
820 SRP_set_auth_password_raw(srp, (const unsigned char*)pin, pin_len);
821 }
822 } else if (state == 4) {
823 /* receive proof */
824 unsigned char* proof = NULL;
825 unsigned int proof_len = 0;
826
827 if (!tlv_data_copy_data(data, data_len, 0x04, (void**)&proof, &proof_len)) {
828 PAIRING_ERROR("[SRP] ERROR: Could not find proof data in response");
829 ret = LOCKDOWN_E_PAIRING_FAILED;
830 break;
831 }
832
833 /* verify */
834 int vrfy_result = SRP_verify(srp, proof, proof_len);
835 free(proof);
836
837 if (vrfy_result == 0) {
838 debug_info("[SRP] PIN verified successfully");
839 } else {
840 PAIRING_ERROR("[SRP] PIN verification failure");
841 ret = LOCKDOWN_E_PAIRING_FAILED;
842 break;
843 }
844
845 } else if (state == 6) {
846 int srp_pair_success = 0;
847 plist_t node = plist_dict_get_item(extresp, "doSRPPair");
848 if (node) {
849 const char* strv = plist_get_string_ptr(node, NULL);
850 if (strcmp(strv, "succeed") == 0) {
851 srp_pair_success = 1;
852 }
853 }
854 if (!srp_pair_success) {
855 PAIRING_ERROR("SRP Pairing failed");
856 ret = LOCKDOWN_E_PAIRING_FAILED;
857 break;
858 }
859
860 /* receive encrypted info */
861 unsigned char* encrypted_buf = NULL;
862 unsigned int enc_len = 0;
863 if (!tlv_data_copy_data(data, data_len, 0x05, (void**)&encrypted_buf, &enc_len)) {
864 PAIRING_ERROR("[SRP] ERROR: Could not find encrypted data in response");
865 ret = LOCKDOWN_E_PAIRING_FAILED;
866 break;
867 }
868 size_t plain_len = enc_len-16;
869 unsigned char* plain_buf = malloc(plain_len);
870 chacha20_poly1305_decrypt_64(setup_encryption_key, (unsigned char*)"PS-Msg06", NULL, 0, encrypted_buf, enc_len, plain_buf, &plain_len);
871 free(encrypted_buf);
872
873 unsigned char* dev_info = NULL;
874 unsigned int dev_info_len = 0;
875 int res = tlv_data_copy_data(plain_buf, plain_len, 0x11, (void**)&dev_info, &dev_info_len);
876 free(plain_buf);
877 if (!res) {
878 PAIRING_ERROR("[SRP] ERROR: Failed to locate device info in response");
879 ret = LOCKDOWN_E_PAIRING_FAILED;
880 break;
881 }
882 plist_t device_info = NULL;
883 opack_decode_to_plist(dev_info, dev_info_len, &device_info);
884 free(dev_info);
885
886 if (!device_info) {
887 PAIRING_ERROR("[SRP] ERROR: Failed to parse device info");
888 ret = LOCKDOWN_E_PAIRING_FAILED;
889 break;
890 }
891
892 if (pairing_callback) {
893 pairing_callback(LOCKDOWN_CU_PAIRING_DEVICE_INFO, cb_user_data, device_info, NULL);
894 }
895 plist_free(device_info);
896 } else {
897 PAIRING_ERROR("[SRP] ERROR: Invalid state");
898 ret = LOCKDOWN_E_PAIRING_FAILED;
899 break;
900 }
901 plist_free(dict);
902 dict = NULL;
903
904 } while (current_state != final_state);
905
906 plist_free(dict);
907
908 free(salt);
909 free(pubkey);
910
911 SRP_free(srp);
912 srp = NULL;
913
914 if (ret != LOCKDOWN_E_SUCCESS) {
915 if (thekey) {
916 cstr_free(thekey);
917 }
918 return ret;
919 }
920
921 free(client->cu_key);
922 client->cu_key = malloc(thekey->length);
923 memcpy(client->cu_key, thekey->data, thekey->length);
924 client->cu_key_len = thekey->length;
925 cstr_free(thekey);
926
927 return LOCKDOWN_E_SUCCESS;
928#else
929 debug_info("not supported");
930 return LOCKDOWN_E_UNKNOWN_ERROR;
931#endif
932}
933
934LIBIMOBILEDEVICE_API lockdownd_error_t lockdownd_cu_send_request_and_get_reply(lockdownd_client_t client, const char* request, plist_t request_payload, plist_t* reply)
935{
936#ifdef HAVE_WIRELESS_PAIRING
937 if (!client || !request)
938 return LOCKDOWN_E_INVALID_ARG;
939
940 if (!client->cu_key)
941 return LOCKDOWN_E_NO_RUNNING_SESSION;
942
943 lockdownd_error_t ret = LOCKDOWN_E_UNKNOWN_ERROR;
944
945 /* derive keys */
946 unsigned char cu_write_key[32];
947 unsigned int cu_write_key_len = sizeof(cu_write_key);
948 static const char WRITE_KEY_SALT_MDLD[] = "WriteKeySaltMDLD";
949 static const char WRITE_KEY_INFO_MDLD[] = "WriteKeyInfoMDLD";
950 hkdf_md(MD_ALGO_SHA512, (unsigned char*)WRITE_KEY_SALT_MDLD, sizeof(WRITE_KEY_SALT_MDLD)-1, (unsigned char*)WRITE_KEY_INFO_MDLD, sizeof(WRITE_KEY_INFO_MDLD)-1, client->cu_key, client->cu_key_len, cu_write_key, &cu_write_key_len);
951
952 unsigned char cu_read_key[32];
953 unsigned int cu_read_key_len = sizeof(cu_write_key);
954 static const char READ_KEY_SALT_MDLD[] = "ReadKeySaltMDLD";
955 static const char READ_KEY_INFO_MDLD[] = "ReadKeyInfoMDLD";
956 hkdf_md(MD_ALGO_SHA512, (unsigned char*)READ_KEY_SALT_MDLD, sizeof(READ_KEY_SALT_MDLD)-1, (unsigned char*)READ_KEY_INFO_MDLD, sizeof(READ_KEY_INFO_MDLD)-1, client->cu_key, client->cu_key_len, cu_read_key, &cu_read_key_len);
957
958 // Starting with iOS/tvOS 11.2 and WatchOS 4.2, this nonce is random and sent along with the request. Before, the request doesn't have a nonce and it uses hardcoded nonce "sendone01234".
959 unsigned char cu_nonce[12] = "sendone01234"; // guaranteed to be random by fair dice troll
960 if (client->device->version >= DEVICE_VERSION(11,2,0)) {
961#if defined(HAVE_OPENSSL)
962 RAND_bytes(cu_nonce, sizeof(cu_nonce));
963#elif defined(HAVE_GCRYPT)
964 gcry_create_nonce(cu_nonce, sizeof(cu_nonce));
965#endif
966 }
967
968 debug_plist(request_payload);
969
970 /* convert request payload to binary */
971 uint32_t bin_len = 0;
972 char* bin = NULL;
973 plist_to_bin(request_payload, &bin, &bin_len);
974
975 /* encrypt request */
976 size_t encrypted_len = bin_len + 16;
977 unsigned char* encrypted_buf = malloc(encrypted_len);
978 chacha20_poly1305_encrypt_96(cu_write_key, cu_nonce, NULL, 0, (unsigned char*)bin, bin_len, encrypted_buf, &encrypted_len);
979 free(bin);
980 bin = NULL;
981
982 plist_t dict = plist_new_dict();
983 plist_dict_set_item(dict,"Request", plist_new_string(request));
984 plist_dict_set_item(dict, "Payload", plist_new_data((char*)encrypted_buf, encrypted_len));
985 free(encrypted_buf);
986 plist_dict_set_item(dict, "Nonce", plist_new_data((char*)cu_nonce, sizeof(cu_nonce)));
987 plist_dict_set_item(dict, "Label", plist_new_string(client->label));
988 plist_dict_set_item(dict, "ProtocolVersion", plist_new_uint(2));
989
990 /* send to device */
991 ret = lockdownd_send(client, dict);
992 plist_free(dict);
993 dict = NULL;
994
995 if (ret != LOCKDOWN_E_SUCCESS)
996 return ret;
997
998 /* Now get device's answer */
999 ret = lockdownd_receive(client, &dict);
1000 if (ret != LOCKDOWN_E_SUCCESS)
1001 return ret;
1002
1003 ret = lockdown_check_result(dict, request);
1004 if (ret != LOCKDOWN_E_SUCCESS) {
1005 plist_free(dict);
1006 return ret;
1007 }
1008
1009 /* get payload */
1010 plist_t blob = plist_dict_get_item(dict, "Payload");
1011 if (!blob) {
1012 plist_free(dict);
1013 return LOCKDOWN_E_DICT_ERROR;
1014 }
1015
1016 uint64_t dl = 0;
1017 const char* dt = plist_get_data_ptr(blob, &dl);
1018
1019 /* see if we have a nonce */
1020 blob = plist_dict_get_item(dict, "Nonce");
1021 const unsigned char* rnonce = (unsigned char*)"receiveone01";
1022 if (blob) {
1023 uint64_t rl = 0;
1024 rnonce = (const unsigned char*)plist_get_data_ptr(blob, &rl);
1025 }
1026
1027 /* decrypt payload */
1028 size_t decrypted_len = dl-16;
1029 unsigned char* decrypted = malloc(decrypted_len);
1030 chacha20_poly1305_decrypt_96(cu_read_key, (unsigned char*)rnonce, NULL, 0, (unsigned char*)dt, dl, decrypted, &decrypted_len);
1031 plist_free(dict);
1032 dict = NULL;
1033
1034 plist_from_memory((const char*)decrypted, decrypted_len, &dict);
1035 if (!dict) {
1036 ret = LOCKDOWN_E_PLIST_ERROR;
1037 debug_info("Failed to parse PLIST from decrypted payload:");
1038 debug_buffer((const char*)decrypted, decrypted_len);
1039 free(decrypted);
1040 return ret;
1041 }
1042 free(decrypted);
1043
1044 debug_plist(dict);
1045
1046 if (reply) {
1047 *reply = dict;
1048 } else {
1049 plist_free(dict);
1050 }
1051
1052 return LOCKDOWN_E_SUCCESS;
1053#else
1054 debug_info("not supported");
1055 return LOCKDOWN_E_UNKNOWN_ERROR;
1056#endif
1057}
1058
1059LIBIMOBILEDEVICE_API lockdownd_error_t lockdownd_get_value_cu(lockdownd_client_t client, const char* domain, const char* key, plist_t* value)
1060{
1061#ifdef HAVE_WIRELESS_PAIRING
1062 if (!client)
1063 return LOCKDOWN_E_INVALID_ARG;
1064
1065 if (!client->cu_key)
1066 return LOCKDOWN_E_NO_RUNNING_SESSION;
1067
1068 lockdownd_error_t ret = LOCKDOWN_E_UNKNOWN_ERROR;
1069
1070 plist_t request = plist_new_dict();
1071 if (domain) {
1072 plist_dict_set_item(request, "Domain", plist_new_string(domain));
1073 }
1074 if (key) {
1075 plist_dict_set_item(request, "Key", plist_new_string(key));
1076 }
1077
1078 plist_t reply = NULL;
1079 ret = lockdownd_cu_send_request_and_get_reply(client, "GetValueCU", request, &reply);
1080 plist_free(request);
1081 if (ret != LOCKDOWN_E_SUCCESS) {
1082 return ret;
1083 }
1084
1085 plist_t value_node = plist_dict_get_item(reply, "Value");
1086 if (value_node) {
1087 debug_info("has a value");
1088 *value = plist_copy(value_node);
1089 }
1090 plist_free(reply);
1091
1092 return ret;
1093#else
1094 debug_info("not supported");
1095 return LOCKDOWN_E_UNKNOWN_ERROR;
1096#endif
1097}
1098
1099LIBIMOBILEDEVICE_API lockdownd_error_t lockdownd_pair_cu(lockdownd_client_t client)
1100{
1101#ifdef HAVE_WIRELESS_PAIRING
1102 if (!client)
1103 return LOCKDOWN_E_INVALID_ARG;
1104
1105 if (!client->cu_key)
1106 return LOCKDOWN_E_NO_RUNNING_SESSION;
1107
1108 lockdownd_error_t ret;
1109
1110 plist_t wifi_mac = NULL;
1111 ret = lockdownd_get_value_cu(client, NULL, "WiFiAddress", &wifi_mac);
1112 if (ret != LOCKDOWN_E_SUCCESS) {
1113 return ret;
1114 }
1115
1116 plist_t pubkey = NULL;
1117 ret = lockdownd_get_value_cu(client, NULL, "DevicePublicKey", &pubkey);
1118 if (ret != LOCKDOWN_E_SUCCESS) {
1119 plist_free(wifi_mac);
1120 return ret;
1121 }
1122
1123 key_data_t public_key = { NULL, 0 };
1124 uint64_t data_len = 0;
1125 plist_get_data_val(pubkey, (char**)&public_key.data, &data_len);
1126 public_key.size = (unsigned int)data_len;
1127 plist_free(pubkey);
1128
1129 plist_t pair_record_plist = plist_new_dict();
1130 pair_record_generate_keys_and_certs(pair_record_plist, public_key);
1131
1132 char* host_id = NULL;
1133 char* system_buid = NULL;
1134
1135 /* set SystemBUID */
1136 userpref_read_system_buid(&system_buid);
1137 if (system_buid) {
1138 plist_dict_set_item(pair_record_plist, USERPREF_SYSTEM_BUID_KEY, plist_new_string(system_buid));
1139 free(system_buid);
1140 }
1141
1142 /* set HostID */
1143 host_id = generate_uuid();
1144 pair_record_set_host_id(pair_record_plist, host_id);
1145 free(host_id);
1146
1147 plist_t request_pair_record = plist_copy(pair_record_plist);
1148 /* remove stuff that is private */
1149 plist_dict_remove_item(request_pair_record, USERPREF_ROOT_PRIVATE_KEY_KEY);
1150 plist_dict_remove_item(request_pair_record, USERPREF_HOST_PRIVATE_KEY_KEY);
1151
1152 plist_t request = plist_new_dict();
1153 plist_dict_set_item(request, "PairRecord", request_pair_record);
1154 plist_t pairing_opts = plist_new_dict();
1155 plist_dict_set_item(pairing_opts, "ExtendedPairingErrors", plist_new_bool(1));
1156 plist_dict_set_item(request, "PairingOptions", pairing_opts);
1157
1158 plist_t reply = NULL;
1159 ret = lockdownd_cu_send_request_and_get_reply(client, "PairCU", request, &reply);
1160 plist_free(request);
1161 if (ret != LOCKDOWN_E_SUCCESS) {
1162 plist_free(wifi_mac);
1163 return ret;
1164 }
1165
1166 char *s_udid = NULL;
1167 plist_t p_udid = plist_dict_get_item(reply, "UDID");
1168 if (p_udid) {
1169 plist_get_string_val(p_udid, &s_udid);
1170 }
1171 plist_t ebag = plist_dict_get_item(reply, "EscrowBag");
1172 if (ebag) {
1173 plist_dict_set_item(pair_record_plist, USERPREF_ESCROW_BAG_KEY, plist_copy(ebag));
1174 }
1175 plist_dict_set_item(pair_record_plist, USERPREF_WIFI_MAC_ADDRESS_KEY, wifi_mac);
1176 plist_free(reply);
1177
1178 if (userpref_save_pair_record(s_udid, 0, pair_record_plist) != 0) {
1179 printf("Failed to save pair record for UDID %s\n", s_udid);
1180 }
1181 free(s_udid);
1182 s_udid = NULL;
1183 plist_free(pair_record_plist);
1184
1185 ret = LOCKDOWN_E_SUCCESS;
1186
1187 return ret;
1188#else
1189 debug_info("not supported");
1190 return LOCKDOWN_E_UNKNOWN_ERROR;
1191#endif
1192}
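--- a/src/lockdown.c
+++ b/src/lockdown.c
@@ -152,7 +152,7 @@ static lockdownd_error_t lockdownd_error(property_list_service_error_t err)
  * LOCKDOWN_E_UNKNOWN_ERROR when the result is 'Failure',
  * or a specific error code if derieved from the result.
  */
-static lockdownd_error_t lockdown_check_result(plist_t dict, const char *query_match)
+lockdownd_error_t lockdown_check_result(plist_t dict, const char *query_match)
 {
 	lockdownd_error_t ret = LOCKDOWN_E_UNKNOWN_ERROR;
 
@@ -314,6 +314,10 @@ static lockdownd_error_t lockdownd_client_free_simple(lockdownd_client_t client)
 	if (client->label) {
 		free(client->label);
 	}
+	if (client->cu_key) {
+		free(client->cu_key);
+		client->cu_key = NULL;
+	}
 
 	free(client);
 	client = NULL;
@@ -641,8 +645,12 @@ LIBIMOBILEDEVICE_API lockdownd_error_t lockdownd_client_new(idevice_t device, lo
 	client_loc->ssl_enabled = 0;
 	client_loc->session_id = NULL;
 	client_loc->device = device;
+	client_loc->cu_key = NULL;
+	client_loc->cu_key_len = 0;
 
-	debug_info("device udid: %s", device->udid);
+	if (device->udid) {
+		debug_info("device udid: %s", device->udid);
+	}
 
 	client_loc->label = label ? strdup(label) : NULL;
 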
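Review bot: The new `cu_key` block in lockdownd_client_free_simple releases the wireless-pairing session key with a plain free(), so the key material stays readable in the freed heap chunk; the buffer is the secret that lockdown-cu.c copies out of the SRP result and later feeds to hkdf_md, and the length is right there in `client->cu_key_len`. Wipe it before freeing, e.g. `memset(client->cu_key, 0, client->cu_key_len);` ahead of the `free(client->cu_key);` line, keeping in mind that a bare memset before free may be elided by the compiler, so a non-elidable primitive (explicit_bzero, memset_s, or a volatile-pointer loop) is the better choice where the project can depend on one. The surrounding `if (client->cu_key)` guard is redundant for free(NULL) but harmless. Both lockdownd_client_free_simple and lockdownd_client_new continue outside their hunks.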
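--- a/src/lockdown.h
+++ b/src/lockdown.h
@@ -34,6 +34,10 @@ struct lockdownd_client_private {
 	char *session_id;
 	char *label;
 	idevice_t device;
+	unsigned char* cu_key;
+	unsigned int cu_key_len;
 };
 
+lockdownd_error_t lockdown_check_result(plist_t dict, const char *query_match);
+
 #endif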
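Review bot: The two new `lockdownd_client_private` members carry no comment on what they hold or who owns them, although `cu_key` is a secret (the session key lockdown-cu.c copies out of the SRP result) and the struct is shared across several translation units. A short note would save the next reader a trip through lockdown-cu.c: `unsigned char* cu_key; /* wireless-pairing session key, malloc'd in lockdown-cu.c, owned by the client */` and `unsigned int cu_key_len; /* length of cu_key in bytes; 0 when no CU session is established */`. The newly exported `lockdown_check_result` prototype could likewise point at the description kept above its definition in lockdown.c, since this header is now its only declaration.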
diff --git a/tools/idevicepair.c b/tools/idevicepair.c
index 0dcd45f..a2dc944 100644
--- a/tools/idevicepair.c
+++ b/tools/idevicepair.c
@@ -2,7 +2,7 @@
2 * idevicepair.c 2 * idevicepair.c
3 * Manage pairings with devices and this host 3 * Manage pairings with devices and this host
4 * 4 *
5 * Copyright (c) 2010-2019 Nikias Bassen, All Rights Reserved. 5 * Copyright (c) 2010-2021 Nikias Bassen, All Rights Reserved.
6 * Copyright (c) 2014 Martin Szulecki, All Rights Reserved. 6 * Copyright (c) 2014 Martin Szulecki, All Rights Reserved.
7 * 7 *
8 * This library is free software; you can redistribute it and/or 8 * This library is free software; you can redistribute it and/or
@@ -30,16 +30,88 @@
30#include <string.h> 30#include <string.h>
31#include <stdlib.h> 31#include <stdlib.h>
32#include <getopt.h> 32#include <getopt.h>
33#ifndef WIN32 33#include <ctype.h>
34#include <unistd.h>
35#ifdef WIN32
36#include <windows.h>
37#include <conio.h>
38#else
39#include <termios.h>
34#include <signal.h> 40#include <signal.h>
35#endif 41#endif
42
36#include "common/userpref.h" 43#include "common/userpref.h"
44#include <libimobiledevice-glue/utils.h>
37 45
38#include <libimobiledevice/libimobiledevice.h> 46#include <libimobiledevice/libimobiledevice.h>
39#include <libimobiledevice/lockdown.h> 47#include <libimobiledevice/lockdown.h>
48#include <plist/plist.h>
40 49
41static char *udid = NULL; 50static char *udid = NULL;
42 51
52#ifdef HAVE_WIRELESS_PAIRING
53
54#ifdef WIN32
55#define BS_CC '\b'
56#define my_getch getch
57#else
58#define BS_CC 0x7f
59static int my_getch(void)
60{
61 struct termios oldt, newt;
62 int ch;
63 tcgetattr(STDIN_FILENO, &oldt);
64 newt = oldt;
65 newt.c_lflag &= ~(ICANON | ECHO);
66 tcsetattr(STDIN_FILENO, TCSANOW, &newt);
67 ch = getchar();
68 tcsetattr(STDIN_FILENO, TCSANOW, &oldt);
69 return ch;
70}
71#endif
72
73static int get_hidden_input(char *buf, int maxlen)
74{
75 int pwlen = 0;
76 int c;
77
78 while ((c = my_getch())) {
79 if ((c == '\r') || (c == '\n')) {
80 break;
81 } else if (isprint(c)) {
82 if (pwlen < maxlen-1)
83 buf[pwlen++] = c;
84 fputc('*', stderr);
85 } else if (c == BS_CC) {
86 if (pwlen > 0) {
87 fputs("\b \b", stderr);
88 pwlen--;
89 }
90 }
91 }
92 buf[pwlen] = 0;
93 return pwlen;
94}
95
96static void pairing_cb(lockdownd_cu_pairing_cb_type_t cb_type, void *user_data, void* data_ptr, unsigned int* data_size)
97{
98 if (cb_type == LOCKDOWN_CU_PAIRING_PIN_REQUESTED) {
99 printf("Enter PIN: ");
100 fflush(stdout);
101
102 *data_size = get_hidden_input((char*)data_ptr, *data_size);
103
104 printf("\n");
105 } else if (cb_type == LOCKDOWN_CU_PAIRING_DEVICE_INFO) {
106 printf("Device info:\n");
107 plist_print_to_stream_with_indentation((plist_t)data_ptr, stdout, 2);
108 } else if (cb_type == LOCKDOWN_CU_PAIRING_ERROR) {
109 printf("ERROR: %s\n", (data_ptr) ? (char*)data_ptr : "(unknown)");
110 }
111}
112
113#endif /* HAVE_WIRELESS_PAIRING */
114
43static void print_error_message(lockdownd_error_t err) 115static void print_error_message(lockdownd_error_t err)
44{ 116{
45 switch (err) { 117 switch (err) {
@@ -56,6 +128,16 @@ static void print_error_message(lockdownd_error_t err)
56 case LOCKDOWN_E_USER_DENIED_PAIRING: 128 case LOCKDOWN_E_USER_DENIED_PAIRING:
57 printf("ERROR: Device %s said that the user denied the trust dialog.\n", udid); 129 printf("ERROR: Device %s said that the user denied the trust dialog.\n", udid);
58 break; 130 break;
131 case LOCKDOWN_E_PAIRING_FAILED:
132 printf("ERROR: Pairing with device %s failed.\n", udid);
133 break;
134 case LOCKDOWN_E_GET_PROHIBITED:
135 case LOCKDOWN_E_PAIRING_PROHIBITED_OVER_THIS_CONNECTION:
136 printf("ERROR: Pairing is not possible over this connection.\n");
137#ifdef HAVE_WIRELESS_PAIRING
138 printf("To perform a wireless pairing use the -w command line switch. See usage or man page for details.\n");
139#endif
140 break;
59 default: 141 default:
60 printf("ERROR: Device %s returned unhandled error code %d\n", udid, err); 142 printf("ERROR: Device %s returned unhandled error code %d\n", udid, err);
61 break; 143 break;
@@ -81,9 +163,20 @@ static void print_usage(int argc, char **argv)
81 printf("\n"); 163 printf("\n");
82 printf("The following OPTIONS are accepted:\n"); 164 printf("The following OPTIONS are accepted:\n");
83 printf(" -u, --udid UDID target specific device by UDID\n"); 165 printf(" -u, --udid UDID target specific device by UDID\n");
166#ifdef HAVE_WIRELESS_PAIRING
167 printf(" -w, --wireless perform wireless pairing (see NOTE)\n");
168 printf(" -n, --network connect to network device (see NOTE)\n");
169#endif
84 printf(" -d, --debug enable communication debugging\n"); 170 printf(" -d, --debug enable communication debugging\n");
85 printf(" -h, --help prints usage information\n"); 171 printf(" -h, --help prints usage information\n");
86 printf(" -v, --version prints version information\n"); 172 printf(" -v, --version prints version information\n");
173#ifdef HAVE_WIRELESS_PAIRING
174 printf("\n");
175 printf("NOTE: Pairing over network (wireless pairing) is only supported by Apple TV\n");
176 printf("devices. To perform a wireless pairing, you need to use the -w command line\n");
177 printf("switch. Make sure to put the device into pairing mode first by opening\n");
178 printf("Settings > Remotes and Devices > Remote App and Devices.\n");
179#endif
87 printf("\n"); 180 printf("\n");
88 printf("Homepage: <" PACKAGE_URL ">\n"); 181 printf("Homepage: <" PACKAGE_URL ">\n");
89 printf("Bug Reports: <" PACKAGE_BUGREPORT ">\n"); 182 printf("Bug Reports: <" PACKAGE_BUGREPORT ">\n");
@@ -95,10 +188,20 @@ int main(int argc, char **argv)
95 static struct option longopts[] = { 188 static struct option longopts[] = {
96 { "help", no_argument, NULL, 'h' }, 189 { "help", no_argument, NULL, 'h' },
97 { "udid", required_argument, NULL, 'u' }, 190 { "udid", required_argument, NULL, 'u' },
191#ifdef HAVE_WIRELESS_PAIRING
192 { "wireless", no_argument, NULL, 'w' },
193 { "network", no_argument, NULL, 'n' },
194 { "hostinfo", required_argument, NULL, 1 },
195#endif
98 { "debug", no_argument, NULL, 'd' }, 196 { "debug", no_argument, NULL, 'd' },
99 { "version", no_argument, NULL, 'v' }, 197 { "version", no_argument, NULL, 'v' },
100 { NULL, 0, NULL, 0} 198 { NULL, 0, NULL, 0}
101 }; 199 };
200#ifdef HAVE_WIRELESS_PAIRING
201#define SHORT_OPTIONS "hu:wndv"
202#else
203#define SHORT_OPTIONS "hu:dv"
204#endif
102 lockdownd_client_t client = NULL; 205 lockdownd_client_t client = NULL;
103 idevice_t device = NULL; 206 idevice_t device = NULL;
104 idevice_error_t ret = IDEVICE_E_UNKNOWN_ERROR; 207 idevice_error_t ret = IDEVICE_E_UNKNOWN_ERROR;
@@ -106,13 +209,18 @@ int main(int argc, char **argv)
106 int result; 209 int result;
107 210
108 char *type = NULL; 211 char *type = NULL;
212 int use_network = 0;
213 int wireless_pairing = 0;
214#ifdef HAVE_WIRELESS_PAIRING
215 plist_t host_info_plist = NULL;
216#endif
109 char *cmd; 217 char *cmd;
110 typedef enum { 218 typedef enum {
111 OP_NONE = 0, OP_PAIR, OP_VALIDATE, OP_UNPAIR, OP_LIST, OP_HOSTID, OP_SYSTEMBUID 219 OP_NONE = 0, OP_PAIR, OP_VALIDATE, OP_UNPAIR, OP_LIST, OP_HOSTID, OP_SYSTEMBUID
112 } op_t; 220 } op_t;
113 op_t op = OP_NONE; 221 op_t op = OP_NONE;
114 222
115 while ((c = getopt_long(argc, argv, "hu:dv", longopts, NULL)) != -1) { 223 while ((c = getopt_long(argc, argv, SHORT_OPTIONS, longopts, NULL)) != -1) {
116 switch (c) { 224 switch (c) {
117 case 'h': 225 case 'h':
118 print_usage(argc, argv); 226 print_usage(argc, argv);
@@ -127,6 +235,43 @@ int main(int argc, char **argv)
127 free(udid); 235 free(udid);
128 udid = strdup(optarg); 236 udid = strdup(optarg);
129 break; 237 break;
238#ifdef HAVE_WIRELESS_PAIRING
239 case 'w':
240 wireless_pairing = 1;
241 break;
242 case 'n':
243 use_network = 1;
244 break;
245 case 1:
246 if (!*optarg) {
247 fprintf(stderr, "ERROR: --hostinfo argument must not be empty!\n");
248 result = EXIT_FAILURE;
249 goto leave;
250 }
251 if (*optarg == '@') {
252 plist_read_from_filename(&host_info_plist, optarg+1);
253 if (!host_info_plist) {
254 fprintf(stderr, "ERROR: Could not read from file '%s'\n", optarg+1);
255 result = EXIT_FAILURE;
256 goto leave;
257 }
258 }
259#ifdef HAVE_PLIST_JSON
260 else if (*optarg == '{') {
261 if (plist_from_json(optarg, strlen(optarg), &host_info_plist) != PLIST_ERR_SUCCESS) {
262 fprintf(stderr, "ERROR: --hostinfo argument not valid. Make sure it is a JSON dictionary.\n");
263 result = EXIT_FAILURE;
264 goto leave;
265 }
266 }
267#endif
268 else {
269 fprintf(stderr, "ERROR: --hostinfo argument not valid. To specify a path prefix with '@'\n");
270 result = EXIT_FAILURE;
271 goto leave;
272 }
273 break;
274#endif
130 case 'd': 275 case 'd':
131 idevice_set_debug_level(1); 276 idevice_set_debug_level(1);
132 break; 277 break;
@@ -152,6 +297,13 @@ int main(int argc, char **argv)
152 goto leave; 297 goto leave;
153 } 298 }
154 299
300 if (wireless_pairing && use_network) {
301 printf("ERROR: You cannot use -w and -n together.\n");
302 print_usage(argc, argv);
303 result = EXIT_FAILURE;
304 goto leave;
305 }
306
155 cmd = (argv+optind)[0]; 307 cmd = (argv+optind)[0];
156 308
157 if (!strcmp(cmd, "pair")) { 309 if (!strcmp(cmd, "pair")) {
@@ -169,7 +321,18 @@ int main(int argc, char **argv)
169 } else { 321 } else {
170 printf("ERROR: Invalid command '%s' specified\n", cmd); 322 printf("ERROR: Invalid command '%s' specified\n", cmd);
171 print_usage(argc, argv); 323 print_usage(argc, argv);
172 exit(EXIT_FAILURE); 324 result = EXIT_FAILURE;
325 goto leave;
326 }
327
328 if (wireless_pairing) {
329 if (op == OP_VALIDATE || op == OP_UNPAIR) {
330 printf("ERROR: Command '%s' is not supported with -w\n", cmd);
331 print_usage(argc, argv);
332 result = EXIT_FAILURE;
333 goto leave;
334 }
335 use_network = 1;
173 } 336 }
174 337
175 if (op == OP_SYSTEMBUID) { 338 if (op == OP_SYSTEMBUID) {
@@ -198,7 +361,7 @@ int main(int argc, char **argv)
198 goto leave; 361 goto leave;
199 } 362 }
200 363
201 ret = idevice_new(&device, udid); 364 ret = idevice_new_with_options(&device, udid, (use_network) ? IDEVICE_LOOKUP_NETWORK : IDEVICE_LOOKUP_USBMUX);
202 if (ret != IDEVICE_E_SUCCESS) { 365 if (ret != IDEVICE_E_SUCCESS) {
203 if (udid) { 366 if (udid) {
204 printf("No device found with udid %s.\n", udid); 367 printf("No device found with udid %s.\n", udid);
@@ -257,7 +420,17 @@ int main(int argc, char **argv)
257 switch(op) { 420 switch(op) {
258 default: 421 default:
259 case OP_PAIR: 422 case OP_PAIR:
260 lerr = lockdownd_pair(client, NULL); 423#ifdef HAVE_WIRELESS_PAIRING
424 if (wireless_pairing) {
425 lerr = lockdownd_cu_pairing_create(client, pairing_cb, NULL, host_info_plist, NULL);
426 if (lerr == LOCKDOWN_E_SUCCESS) {
427 lerr = lockdownd_pair_cu(client);
428 }
429 } else
430#endif
431 {
432 lerr = lockdownd_pair(client, NULL);
433 }
261 if (lerr == LOCKDOWN_E_SUCCESS) { 434 if (lerr == LOCKDOWN_E_SUCCESS) {
262 printf("SUCCESS: Paired with device %s\n", udid); 435 printf("SUCCESS: Paired with device %s\n", udid);
263 } else { 436 } else {
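Review bot: get_hidden_input in the `@@ -30,16 +30,88 @@` hunk never terminates when stdin reaches end-of-file: my_getch() returns EOF (-1), which is non-zero, so `while ((c = my_getch()))` keeps spinning with a value that is neither newline, printable nor BS_CC; this is reached whenever idevicepair -w is run with stdin redirected or closed. The loop condition should be `while ((c = my_getch()) != EOF && c != 0) {`. In the same helper, the non-Windows my_getch ignores the result of tcgetattr/tcsetattr, so if stdin is not a terminal the echo stays on and the PIN is printed in the clear; checking `tcgetattr` and falling back to a warning would make the failure visible. Note also that main's `@@ -127,6 +235,43 @@` hunk parses `--hostinfo` before any device is opened and jumps to `leave`, which lies outside these hunks, so the cleanup of `host_info_plist` on that path is not visible here.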