From e41dbc3ddbe30a414e73fa25d9c7c304ffe6989e Mon Sep 17 00:00:00 2001 From: Nikias Bassen Date: Wed, 9 Feb 2022 04:04:36 +0100 Subject: Add support for wireless pairing --- 3rd_party/Makefile.am | 6 + 3rd_party/README.md | 36 + 3rd_party/ed25519/LICENSE | 16 + 3rd_party/ed25519/Makefile.am | 26 + 3rd_party/ed25519/README.md | 165 +++ 3rd_party/ed25519/add_scalar.c | 69 ++ 3rd_party/ed25519/ed25519.h | 38 + 3rd_party/ed25519/fe.c | 1491 +++++++++++++++++++++++ 3rd_party/ed25519/fe.h | 41 + 3rd_party/ed25519/fixedint.h | 72 ++ 3rd_party/ed25519/ge.c | 467 +++++++ 3rd_party/ed25519/ge.h | 74 ++ 3rd_party/ed25519/key_exchange.c | 79 ++ 3rd_party/ed25519/keypair.c | 16 + 3rd_party/ed25519/precomp_data.h | 1391 +++++++++++++++++++++ 3rd_party/ed25519/sc.c | 809 ++++++++++++ 3rd_party/ed25519/sc.h | 12 + 3rd_party/ed25519/seed.c | 40 + 3rd_party/ed25519/sha512.c | 275 +++++ 3rd_party/ed25519/sha512.h | 21 + 3rd_party/ed25519/sign.c | 31 + 3rd_party/ed25519/verify.c | 77 ++ 3rd_party/libsrp6a-sha512/LICENSE | 62 + 3rd_party/libsrp6a-sha512/Makefile.am | 31 + 3rd_party/libsrp6a-sha512/README.md | 35 + 3rd_party/libsrp6a-sha512/cstr.c | 226 ++++ 3rd_party/libsrp6a-sha512/cstr.h | 94 ++ 3rd_party/libsrp6a-sha512/srp.c | 274 +++++ 3rd_party/libsrp6a-sha512/srp.h | 372 ++++++ 3rd_party/libsrp6a-sha512/srp6a_sha512_client.c | 363 ++++++ 3rd_party/libsrp6a-sha512/srp_aux.h | 146 +++ 3rd_party/libsrp6a-sha512/t_conv.c | 258 ++++ 3rd_party/libsrp6a-sha512/t_defines.h | 137 +++ 3rd_party/libsrp6a-sha512/t_math.c | 1008 +++++++++++++++ 3rd_party/libsrp6a-sha512/t_misc.c | 450 +++++++ 3rd_party/libsrp6a-sha512/t_pwd.h | 246 ++++ 3rd_party/libsrp6a-sha512/t_sha.c | 276 +++++ 3rd_party/libsrp6a-sha512/t_sha.h | 125 ++ 3rd_party/libsrp6a-sha512/t_truerand.c | 241 ++++ Makefile.am | 2 +- configure.ac | 23 +- docs/idevicepair.1 | 26 +- include/endianness.h | 11 + include/libimobiledevice/lockdown.h | 96 ++ src/Makefile.am | 9 + src/idevice.c | 5 +- src/lockdown-cu.c | 1192 ++++++++++++++++++ src/lockdown.c | 12 +- src/lockdown.h | 4 + tools/idevicepair.c | 185 ++- 50 files changed, 11148 insertions(+), 13 deletions(-) create mode 100644 3rd_party/Makefile.am create mode 100644 3rd_party/README.md create mode 100644 3rd_party/ed25519/LICENSE create mode 100644 3rd_party/ed25519/Makefile.am create mode 100644 3rd_party/ed25519/README.md create mode 100644 3rd_party/ed25519/add_scalar.c create mode 100644 3rd_party/ed25519/ed25519.h create mode 100644 3rd_party/ed25519/fe.c create mode 100644 3rd_party/ed25519/fe.h create mode 100644 3rd_party/ed25519/fixedint.h create mode 100644 3rd_party/ed25519/ge.c create mode 100644 3rd_party/ed25519/ge.h create mode 100644 3rd_party/ed25519/key_exchange.c create mode 100644 3rd_party/ed25519/keypair.c create mode 100644 3rd_party/ed25519/precomp_data.h create mode 100644 3rd_party/ed25519/sc.c create mode 100644 3rd_party/ed25519/sc.h create mode 100644 3rd_party/ed25519/seed.c create mode 100644 3rd_party/ed25519/sha512.c create mode 100644 3rd_party/ed25519/sha512.h create mode 100644 3rd_party/ed25519/sign.c create mode 100644 3rd_party/ed25519/verify.c create mode 100644 3rd_party/libsrp6a-sha512/LICENSE create mode 100644 3rd_party/libsrp6a-sha512/Makefile.am create mode 100644 3rd_party/libsrp6a-sha512/README.md create mode 100644 3rd_party/libsrp6a-sha512/cstr.c create mode 100644 3rd_party/libsrp6a-sha512/cstr.h create mode 100644 3rd_party/libsrp6a-sha512/srp.c create mode 100644 3rd_party/libsrp6a-sha512/srp.h create mode 100644 3rd_party/libsrp6a-sha512/srp6a_sha512_client.c create mode 100644 3rd_party/libsrp6a-sha512/srp_aux.h create mode 100644 3rd_party/libsrp6a-sha512/t_conv.c create mode 100644 3rd_party/libsrp6a-sha512/t_defines.h create mode 100644 3rd_party/libsrp6a-sha512/t_math.c create mode 100644 3rd_party/libsrp6a-sha512/t_misc.c create mode 100644 3rd_party/libsrp6a-sha512/t_pwd.h create mode 100644 3rd_party/libsrp6a-sha512/t_sha.c create mode 100644 3rd_party/libsrp6a-sha512/t_sha.h create mode 100644 3rd_party/libsrp6a-sha512/t_truerand.c create mode 100644 src/lockdown-cu.c diff --git a/3rd_party/Makefile.am b/3rd_party/Makefile.am new file mode 100644 index 0000000..a196ea3 --- /dev/null +++ b/3rd_party/Makefile.am @@ -0,0 +1,6 @@ +AUTOMAKE_OPTIONS = foreign +ACLOCAL_AMFLAGS = -I m4 +SUBDIRS = +if HAVE_WIRELESS_PAIRING +SUBDIRS += ed25519 libsrp6a-sha512 +endif diff --git a/3rd_party/README.md b/3rd_party/README.md new file mode 100644 index 0000000..0bec640 --- /dev/null +++ b/3rd_party/README.md @@ -0,0 +1,36 @@ +# Third party components/libraries + +This folder contains third party components or libraries that are used +within the libimobiledevice project. They have been bundled since they +are either not readily available on the intended target platforms and/or +have been modified. + +Their respective licenses are provided in each corresponding folder in a +file called LICENSE. + + +## ed25519 + +Source: https://github.com/orlp/ed25519 +Based on commit 7fa6712ef5d581a6981ec2b08ee623314cd1d1c4. +[LICENCE](ed25519/LICENSE) + +The original source has not been modified, except that the file `test.c` +and the contained DLL files have been removed. To allow building within +libimobiledevice, a `Makefile.am` has been added. + + +## libsrp6a-sha512 + +Source: https://github.com/secure-remote-password/stanford-srp +Based on commit 587900d32777348f98477cb25123d5761fbe3725. +[LICENCE](libsrp6a-sha512/LICENSE) + +For the usage within libimobiledevice, only [libsrp](https://github.com/secure-remote-password/stanford-srp/tree/master/libsrp) +has been used as a basis. +It has been adapted to the needs of the libimobiledevice project, and +contains just a part of the original code; it only supports the SRP6a +client method which has been modified to use SHA512 instead of SHA1, +hence the name was changed to `libsrp6a-sha512`. +More details about the modifications can be found in [libsrp6a-sha512/README.md](libsrp6a-sha512/README.md). + diff --git a/3rd_party/ed25519/LICENSE b/3rd_party/ed25519/LICENSE new file mode 100644 index 0000000..c1503f9 --- /dev/null +++ b/3rd_party/ed25519/LICENSE @@ -0,0 +1,16 @@ +Copyright (c) 2015 Orson Peters + +This software is provided 'as-is', without any express or implied warranty. In no event will the +authors be held liable for any damages arising from the use of this software. + +Permission is granted to anyone to use this software for any purpose, including commercial +applications, and to alter it and redistribute it freely, subject to the following restrictions: + +1. The origin of this software must not be misrepresented; you must not claim that you wrote the + original software. If you use this software in a product, an acknowledgment in the product + documentation would be appreciated but is not required. + +2. Altered source versions must be plainly marked as such, and must not be misrepresented as + being the original software. + +3. This notice may not be removed or altered from any source distribution. diff --git a/3rd_party/ed25519/Makefile.am b/3rd_party/ed25519/Makefile.am new file mode 100644 index 0000000..c475331 --- /dev/null +++ b/3rd_party/ed25519/Makefile.am @@ -0,0 +1,26 @@ +AUTOMAKE_OPTIONS = foreign no-dependencies + +AM_CPPFLAGS = \ + -I$(top_srcdir)/include \ + -I$(top_srcdir) + +AM_CFLAGS = \ + $(GLOBAL_CFLAGS) \ + $(openssl_CFLAGS) + +AM_LDFLAGS = + +noinst_LTLIBRARIES = libed25519.la +libed25519_la_LIBADD = +libed25519_la_LDFLAGS = $(AM_LDFLAGS) -no-undefined +libed25519_la_SOURCES = \ + add_scalar.c \ + fe.c \ + ge.c \ + keypair.c \ + key_exchange.c \ + sc.c \ + seed.c \ + sign.c \ + sha512.c \ + verify.c diff --git a/3rd_party/ed25519/README.md b/3rd_party/ed25519/README.md new file mode 100644 index 0000000..2c431c2 --- /dev/null +++ b/3rd_party/ed25519/README.md @@ -0,0 +1,165 @@ +Ed25519 +======= + +This is a portable implementation of [Ed25519](http://ed25519.cr.yp.to/) based +on the SUPERCOP "ref10" implementation. Additionally there is key exchanging +and scalar addition included to further aid building a PKI using Ed25519. All +code is licensed under the permissive zlib license. + +All code is pure ANSI C without any dependencies, except for the random seed +generation which uses standard OS cryptography APIs (`CryptGenRandom` on +Windows, `/dev/urandom` on nix). If you wish to be entirely portable define +`ED25519_NO_SEED`. This disables the `ed25519_create_seed` function, so if your +application requires key generation you must supply your own seeding function +(which is simply a 256 bit (32 byte) cryptographic random number generator). + + +Performance +----------- + +On a Windows machine with an Intel Pentium B970 @ 2.3GHz I got the following +speeds (running on only one a single core): + + Seed generation: 64us (15625 per second) + Key generation: 88us (11364 per second) + Message signing (short message): 87us (11494 per second) + Message verifying (short message): 228us (4386 per second) + Scalar addition: 100us (10000 per second) + Key exchange: 220us (4545 per second) + +The speeds on other machines may vary. Sign/verify times will be higher with +longer messages. The implementation significantly benefits from 64 bit +architectures, if possible compile as 64 bit. + + +Usage +----- + +Simply add all .c and .h files in the `src/` folder to your project and include +`ed25519.h` in any file you want to use the API. If you prefer to use a shared +library, only copy `ed25519.h` and define `ED25519_DLL` before importing. + +There are no defined types for seeds, private keys, public keys, shared secrets +or signatures. Instead simple `unsigned char` buffers are used with the +following sizes: + +```c +unsigned char seed[32]; +unsigned char signature[64]; +unsigned char public_key[32]; +unsigned char private_key[64]; +unsigned char scalar[32]; +unsigned char shared_secret[32]; +``` + +API +--- + +```c +int ed25519_create_seed(unsigned char *seed); +``` + +Creates a 32 byte random seed in `seed` for key generation. `seed` must be a +writable 32 byte buffer. Returns 0 on success, and nonzero on failure. + +```c +void ed25519_create_keypair(unsigned char *public_key, unsigned char *private_key, + const unsigned char *seed); +``` + +Creates a new key pair from the given seed. `public_key` must be a writable 32 +byte buffer, `private_key` must be a writable 64 byte buffer and `seed` must be +a 32 byte buffer. + +```c +void ed25519_sign(unsigned char *signature, + const unsigned char *message, size_t message_len, + const unsigned char *public_key, const unsigned char *private_key); +``` + +Creates a signature of the given message with the given key pair. `signature` +must be a writable 64 byte buffer. `message` must have at least `message_len` +bytes to be read. + +```c +int ed25519_verify(const unsigned char *signature, + const unsigned char *message, size_t message_len, + const unsigned char *public_key); +``` + +Verifies the signature on the given message using `public_key`. `signature` +must be a readable 64 byte buffer. `message` must have at least `message_len` +bytes to be read. Returns 1 if the signature matches, 0 otherwise. + +```c +void ed25519_add_scalar(unsigned char *public_key, unsigned char *private_key, + const unsigned char *scalar); +``` + +Adds `scalar` to the given key pair where scalar is a 32 byte buffer (possibly +generated with `ed25519_create_seed`), generating a new key pair. You can +calculate the public key sum without knowing the private key and vice versa by +passing in `NULL` for the key you don't know. This is useful for enforcing +randomness on a key pair by a third party while only knowing the public key, +among other things. Warning: the last bit of the scalar is ignored - if +comparing scalars make sure to clear it with `scalar[31] &= 127`. + + +```c +void ed25519_key_exchange(unsigned char *shared_secret, + const unsigned char *public_key, const unsigned char *private_key); +``` + +Performs a key exchange on the given public key and private key, producing a +shared secret. It is recommended to hash the shared secret before using it. +`shared_secret` must be a 32 byte writable buffer where the shared secret will +be stored. + +Example +------- + +```c +unsigned char seed[32], public_key[32], private_key[64], signature[64]; +unsigned char other_public_key[32], other_private_key[64], shared_secret[32]; +const unsigned char message[] = "TEST MESSAGE"; + +/* create a random seed, and a key pair out of that seed */ +if (ed25519_create_seed(seed)) { + printf("error while generating seed\n"); + exit(1); +} + +ed25519_create_keypair(public_key, private_key, seed); + +/* create signature on the message with the key pair */ +ed25519_sign(signature, message, strlen(message), public_key, private_key); + +/* verify the signature */ +if (ed25519_verify(signature, message, strlen(message), public_key)) { + printf("valid signature\n"); +} else { + printf("invalid signature\n"); +} + +/* create a dummy keypair to use for a key exchange, normally you'd only have +the public key and receive it through some communication channel */ +if (ed25519_create_seed(seed)) { + printf("error while generating seed\n"); + exit(1); +} + +ed25519_create_keypair(other_public_key, other_private_key, seed); + +/* do a key exchange with other_public_key */ +ed25519_key_exchange(shared_secret, other_public_key, private_key); + +/* + the magic here is that ed25519_key_exchange(shared_secret, public_key, + other_private_key); would result in the same shared_secret +*/ + +``` + +License +------- +All code is released under the zlib license. See LICENSE for details. diff --git a/3rd_party/ed25519/add_scalar.c b/3rd_party/ed25519/add_scalar.c new file mode 100644 index 0000000..7528a7a --- /dev/null +++ b/3rd_party/ed25519/add_scalar.c @@ -0,0 +1,69 @@ +#include "ed25519.h" +#include "ge.h" +#include "sc.h" +#include "sha512.h" + + +/* see http://crypto.stackexchange.com/a/6215/4697 */ +void ed25519_add_scalar(unsigned char *public_key, unsigned char *private_key, const unsigned char *scalar) { + const unsigned char SC_1[32] = {1}; /* scalar with value 1 */ + + unsigned char n[32]; + ge_p3 nB; + ge_p1p1 A_p1p1; + ge_p3 A; + ge_p3 public_key_unpacked; + ge_cached T; + + sha512_context hash; + unsigned char hashbuf[64]; + + int i; + + /* copy the scalar and clear highest bit */ + for (i = 0; i < 31; ++i) { + n[i] = scalar[i]; + } + n[31] = scalar[31] & 127; + + /* private key: a = n + t */ + if (private_key) { + sc_muladd(private_key, SC_1, n, private_key); + + // https://github.com/orlp/ed25519/issues/3 + sha512_init(&hash); + sha512_update(&hash, private_key + 32, 32); + sha512_update(&hash, scalar, 32); + sha512_final(&hash, hashbuf); + for (i = 0; i < 32; ++i) { + private_key[32 + i] = hashbuf[i]; + } + } + + /* public key: A = nB + T */ + if (public_key) { + /* if we know the private key we don't need a point addition, which is faster */ + /* using a "timing attack" you could find out wether or not we know the private + key, but this information seems rather useless - if this is important pass + public_key and private_key seperately in 2 function calls */ + if (private_key) { + ge_scalarmult_base(&A, private_key); + } else { + /* unpack public key into T */ + ge_frombytes_negate_vartime(&public_key_unpacked, public_key); + fe_neg(public_key_unpacked.X, public_key_unpacked.X); /* undo negate */ + fe_neg(public_key_unpacked.T, public_key_unpacked.T); /* undo negate */ + ge_p3_to_cached(&T, &public_key_unpacked); + + /* calculate n*B */ + ge_scalarmult_base(&nB, n); + + /* A = n*B + T */ + ge_add(&A_p1p1, &nB, &T); + ge_p1p1_to_p3(&A, &A_p1p1); + } + + /* pack public key */ + ge_p3_tobytes(public_key, &A); + } +} diff --git a/3rd_party/ed25519/ed25519.h b/3rd_party/ed25519/ed25519.h new file mode 100644 index 0000000..8924659 --- /dev/null +++ b/3rd_party/ed25519/ed25519.h @@ -0,0 +1,38 @@ +#ifndef ED25519_H +#define ED25519_H + +#include + +#if defined(_WIN32) + #if defined(ED25519_BUILD_DLL) + #define ED25519_DECLSPEC __declspec(dllexport) + #elif defined(ED25519_DLL) + #define ED25519_DECLSPEC __declspec(dllimport) + #else + #define ED25519_DECLSPEC + #endif +#else + #define ED25519_DECLSPEC +#endif + + +#ifdef __cplusplus +extern "C" { +#endif + +#ifndef ED25519_NO_SEED +int ED25519_DECLSPEC ed25519_create_seed(unsigned char *seed); +#endif + +void ED25519_DECLSPEC ed25519_create_keypair(unsigned char *public_key, unsigned char *private_key, const unsigned char *seed); +void ED25519_DECLSPEC ed25519_sign(unsigned char *signature, const unsigned char *message, size_t message_len, const unsigned char *public_key, const unsigned char *private_key); +int ED25519_DECLSPEC ed25519_verify(const unsigned char *signature, const unsigned char *message, size_t message_len, const unsigned char *public_key); +void ED25519_DECLSPEC ed25519_add_scalar(unsigned char *public_key, unsigned char *private_key, const unsigned char *scalar); +void ED25519_DECLSPEC ed25519_key_exchange(unsigned char *shared_secret, const unsigned char *public_key, const unsigned char *private_key); + + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/3rd_party/ed25519/fe.c b/3rd_party/ed25519/fe.c new file mode 100644 index 0000000..2105eb7 --- /dev/null +++ b/3rd_party/ed25519/fe.c @@ -0,0 +1,1491 @@ +#include "fixedint.h" +#include "fe.h" + + +/* + helper functions +*/ +static uint64_t load_3(const unsigned char *in) { + uint64_t result; + + result = (uint64_t) in[0]; + result |= ((uint64_t) in[1]) << 8; + result |= ((uint64_t) in[2]) << 16; + + return result; +} + +static uint64_t load_4(const unsigned char *in) { + uint64_t result; + + result = (uint64_t) in[0]; + result |= ((uint64_t) in[1]) << 8; + result |= ((uint64_t) in[2]) << 16; + result |= ((uint64_t) in[3]) << 24; + + return result; +} + + + +/* + h = 0 +*/ + +void fe_0(fe h) { + h[0] = 0; + h[1] = 0; + h[2] = 0; + h[3] = 0; + h[4] = 0; + h[5] = 0; + h[6] = 0; + h[7] = 0; + h[8] = 0; + h[9] = 0; +} + + + +/* + h = 1 +*/ + +void fe_1(fe h) { + h[0] = 1; + h[1] = 0; + h[2] = 0; + h[3] = 0; + h[4] = 0; + h[5] = 0; + h[6] = 0; + h[7] = 0; + h[8] = 0; + h[9] = 0; +} + + + +/* + h = f + g + Can overlap h with f or g. + + Preconditions: + |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + + Postconditions: + |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. +*/ + +void fe_add(fe h, const fe f, const fe g) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t g0 = g[0]; + int32_t g1 = g[1]; + int32_t g2 = g[2]; + int32_t g3 = g[3]; + int32_t g4 = g[4]; + int32_t g5 = g[5]; + int32_t g6 = g[6]; + int32_t g7 = g[7]; + int32_t g8 = g[8]; + int32_t g9 = g[9]; + int32_t h0 = f0 + g0; + int32_t h1 = f1 + g1; + int32_t h2 = f2 + g2; + int32_t h3 = f3 + g3; + int32_t h4 = f4 + g4; + int32_t h5 = f5 + g5; + int32_t h6 = f6 + g6; + int32_t h7 = f7 + g7; + int32_t h8 = f8 + g8; + int32_t h9 = f9 + g9; + + h[0] = h0; + h[1] = h1; + h[2] = h2; + h[3] = h3; + h[4] = h4; + h[5] = h5; + h[6] = h6; + h[7] = h7; + h[8] = h8; + h[9] = h9; +} + + + +/* + Replace (f,g) with (g,g) if b == 1; + replace (f,g) with (f,g) if b == 0. + + Preconditions: b in {0,1}. +*/ + +void fe_cmov(fe f, const fe g, unsigned int b) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t g0 = g[0]; + int32_t g1 = g[1]; + int32_t g2 = g[2]; + int32_t g3 = g[3]; + int32_t g4 = g[4]; + int32_t g5 = g[5]; + int32_t g6 = g[6]; + int32_t g7 = g[7]; + int32_t g8 = g[8]; + int32_t g9 = g[9]; + int32_t x0 = f0 ^ g0; + int32_t x1 = f1 ^ g1; + int32_t x2 = f2 ^ g2; + int32_t x3 = f3 ^ g3; + int32_t x4 = f4 ^ g4; + int32_t x5 = f5 ^ g5; + int32_t x6 = f6 ^ g6; + int32_t x7 = f7 ^ g7; + int32_t x8 = f8 ^ g8; + int32_t x9 = f9 ^ g9; + + b = (unsigned int) (- (int) b); /* silence warning */ + x0 &= b; + x1 &= b; + x2 &= b; + x3 &= b; + x4 &= b; + x5 &= b; + x6 &= b; + x7 &= b; + x8 &= b; + x9 &= b; + + f[0] = f0 ^ x0; + f[1] = f1 ^ x1; + f[2] = f2 ^ x2; + f[3] = f3 ^ x3; + f[4] = f4 ^ x4; + f[5] = f5 ^ x5; + f[6] = f6 ^ x6; + f[7] = f7 ^ x7; + f[8] = f8 ^ x8; + f[9] = f9 ^ x9; +} + +/* + Replace (f,g) with (g,f) if b == 1; + replace (f,g) with (f,g) if b == 0. + + Preconditions: b in {0,1}. +*/ + +void fe_cswap(fe f,fe g,unsigned int b) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t g0 = g[0]; + int32_t g1 = g[1]; + int32_t g2 = g[2]; + int32_t g3 = g[3]; + int32_t g4 = g[4]; + int32_t g5 = g[5]; + int32_t g6 = g[6]; + int32_t g7 = g[7]; + int32_t g8 = g[8]; + int32_t g9 = g[9]; + int32_t x0 = f0 ^ g0; + int32_t x1 = f1 ^ g1; + int32_t x2 = f2 ^ g2; + int32_t x3 = f3 ^ g3; + int32_t x4 = f4 ^ g4; + int32_t x5 = f5 ^ g5; + int32_t x6 = f6 ^ g6; + int32_t x7 = f7 ^ g7; + int32_t x8 = f8 ^ g8; + int32_t x9 = f9 ^ g9; + b = (unsigned int) (- (int) b); /* silence warning */ + x0 &= b; + x1 &= b; + x2 &= b; + x3 &= b; + x4 &= b; + x5 &= b; + x6 &= b; + x7 &= b; + x8 &= b; + x9 &= b; + f[0] = f0 ^ x0; + f[1] = f1 ^ x1; + f[2] = f2 ^ x2; + f[3] = f3 ^ x3; + f[4] = f4 ^ x4; + f[5] = f5 ^ x5; + f[6] = f6 ^ x6; + f[7] = f7 ^ x7; + f[8] = f8 ^ x8; + f[9] = f9 ^ x9; + g[0] = g0 ^ x0; + g[1] = g1 ^ x1; + g[2] = g2 ^ x2; + g[3] = g3 ^ x3; + g[4] = g4 ^ x4; + g[5] = g5 ^ x5; + g[6] = g6 ^ x6; + g[7] = g7 ^ x7; + g[8] = g8 ^ x8; + g[9] = g9 ^ x9; +} + + + +/* + h = f +*/ + +void fe_copy(fe h, const fe f) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + + h[0] = f0; + h[1] = f1; + h[2] = f2; + h[3] = f3; + h[4] = f4; + h[5] = f5; + h[6] = f6; + h[7] = f7; + h[8] = f8; + h[9] = f9; +} + + + +/* + Ignores top bit of h. +*/ + +void fe_frombytes(fe h, const unsigned char *s) { + int64_t h0 = load_4(s); + int64_t h1 = load_3(s + 4) << 6; + int64_t h2 = load_3(s + 7) << 5; + int64_t h3 = load_3(s + 10) << 3; + int64_t h4 = load_3(s + 13) << 2; + int64_t h5 = load_4(s + 16); + int64_t h6 = load_3(s + 20) << 7; + int64_t h7 = load_3(s + 23) << 5; + int64_t h8 = load_3(s + 26) << 4; + int64_t h9 = (load_3(s + 29) & 8388607) << 2; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + + carry9 = (h9 + (int64_t) (1 << 24)) >> 25; + h0 += carry9 * 19; + h9 -= carry9 << 25; + carry1 = (h1 + (int64_t) (1 << 24)) >> 25; + h2 += carry1; + h1 -= carry1 << 25; + carry3 = (h3 + (int64_t) (1 << 24)) >> 25; + h4 += carry3; + h3 -= carry3 << 25; + carry5 = (h5 + (int64_t) (1 << 24)) >> 25; + h6 += carry5; + h5 -= carry5 << 25; + carry7 = (h7 + (int64_t) (1 << 24)) >> 25; + h8 += carry7; + h7 -= carry7 << 25; + carry0 = (h0 + (int64_t) (1 << 25)) >> 26; + h1 += carry0; + h0 -= carry0 << 26; + carry2 = (h2 + (int64_t) (1 << 25)) >> 26; + h3 += carry2; + h2 -= carry2 << 26; + carry4 = (h4 + (int64_t) (1 << 25)) >> 26; + h5 += carry4; + h4 -= carry4 << 26; + carry6 = (h6 + (int64_t) (1 << 25)) >> 26; + h7 += carry6; + h6 -= carry6 << 26; + carry8 = (h8 + (int64_t) (1 << 25)) >> 26; + h9 += carry8; + h8 -= carry8 << 26; + + h[0] = (int32_t) h0; + h[1] = (int32_t) h1; + h[2] = (int32_t) h2; + h[3] = (int32_t) h3; + h[4] = (int32_t) h4; + h[5] = (int32_t) h5; + h[6] = (int32_t) h6; + h[7] = (int32_t) h7; + h[8] = (int32_t) h8; + h[9] = (int32_t) h9; +} + + + +void fe_invert(fe out, const fe z) { + fe t0; + fe t1; + fe t2; + fe t3; + int i; + + fe_sq(t0, z); + + for (i = 1; i < 1; ++i) { + fe_sq(t0, t0); + } + + fe_sq(t1, t0); + + for (i = 1; i < 2; ++i) { + fe_sq(t1, t1); + } + + fe_mul(t1, z, t1); + fe_mul(t0, t0, t1); + fe_sq(t2, t0); + + for (i = 1; i < 1; ++i) { + fe_sq(t2, t2); + } + + fe_mul(t1, t1, t2); + fe_sq(t2, t1); + + for (i = 1; i < 5; ++i) { + fe_sq(t2, t2); + } + + fe_mul(t1, t2, t1); + fe_sq(t2, t1); + + for (i = 1; i < 10; ++i) { + fe_sq(t2, t2); + } + + fe_mul(t2, t2, t1); + fe_sq(t3, t2); + + for (i = 1; i < 20; ++i) { + fe_sq(t3, t3); + } + + fe_mul(t2, t3, t2); + fe_sq(t2, t2); + + for (i = 1; i < 10; ++i) { + fe_sq(t2, t2); + } + + fe_mul(t1, t2, t1); + fe_sq(t2, t1); + + for (i = 1; i < 50; ++i) { + fe_sq(t2, t2); + } + + fe_mul(t2, t2, t1); + fe_sq(t3, t2); + + for (i = 1; i < 100; ++i) { + fe_sq(t3, t3); + } + + fe_mul(t2, t3, t2); + fe_sq(t2, t2); + + for (i = 1; i < 50; ++i) { + fe_sq(t2, t2); + } + + fe_mul(t1, t2, t1); + fe_sq(t1, t1); + + for (i = 1; i < 5; ++i) { + fe_sq(t1, t1); + } + + fe_mul(out, t1, t0); +} + + + +/* + return 1 if f is in {1,3,5,...,q-2} + return 0 if f is in {0,2,4,...,q-1} + + Preconditions: + |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. +*/ + +int fe_isnegative(const fe f) { + unsigned char s[32]; + + fe_tobytes(s, f); + + return s[0] & 1; +} + + + +/* + return 1 if f == 0 + return 0 if f != 0 + + Preconditions: + |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. +*/ + +int fe_isnonzero(const fe f) { + unsigned char s[32]; + unsigned char r; + + fe_tobytes(s, f); + + r = s[0]; + #define F(i) r |= s[i] + F(1); + F(2); + F(3); + F(4); + F(5); + F(6); + F(7); + F(8); + F(9); + F(10); + F(11); + F(12); + F(13); + F(14); + F(15); + F(16); + F(17); + F(18); + F(19); + F(20); + F(21); + F(22); + F(23); + F(24); + F(25); + F(26); + F(27); + F(28); + F(29); + F(30); + F(31); + #undef F + + return r != 0; +} + + + +/* + h = f * g + Can overlap h with f or g. + + Preconditions: + |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + |g| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + + Postconditions: + |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. + */ + + /* + Notes on implementation strategy: + + Using schoolbook multiplication. + Karatsuba would save a little in some cost models. + + Most multiplications by 2 and 19 are 32-bit precomputations; + cheaper than 64-bit postcomputations. + + There is one remaining multiplication by 19 in the carry chain; + one *19 precomputation can be merged into this, + but the resulting data flow is considerably less clean. + + There are 12 carries below. + 10 of them are 2-way parallelizable and vectorizable. + Can get away with 11 carries, but then data flow is much deeper. + + With tighter constraints on inputs can squeeze carries into int32. +*/ + +void fe_mul(fe h, const fe f, const fe g) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t g0 = g[0]; + int32_t g1 = g[1]; + int32_t g2 = g[2]; + int32_t g3 = g[3]; + int32_t g4 = g[4]; + int32_t g5 = g[5]; + int32_t g6 = g[6]; + int32_t g7 = g[7]; + int32_t g8 = g[8]; + int32_t g9 = g[9]; + int32_t g1_19 = 19 * g1; /* 1.959375*2^29 */ + int32_t g2_19 = 19 * g2; /* 1.959375*2^30; still ok */ + int32_t g3_19 = 19 * g3; + int32_t g4_19 = 19 * g4; + int32_t g5_19 = 19 * g5; + int32_t g6_19 = 19 * g6; + int32_t g7_19 = 19 * g7; + int32_t g8_19 = 19 * g8; + int32_t g9_19 = 19 * g9; + int32_t f1_2 = 2 * f1; + int32_t f3_2 = 2 * f3; + int32_t f5_2 = 2 * f5; + int32_t f7_2 = 2 * f7; + int32_t f9_2 = 2 * f9; + int64_t f0g0 = f0 * (int64_t) g0; + int64_t f0g1 = f0 * (int64_t) g1; + int64_t f0g2 = f0 * (int64_t) g2; + int64_t f0g3 = f0 * (int64_t) g3; + int64_t f0g4 = f0 * (int64_t) g4; + int64_t f0g5 = f0 * (int64_t) g5; + int64_t f0g6 = f0 * (int64_t) g6; + int64_t f0g7 = f0 * (int64_t) g7; + int64_t f0g8 = f0 * (int64_t) g8; + int64_t f0g9 = f0 * (int64_t) g9; + int64_t f1g0 = f1 * (int64_t) g0; + int64_t f1g1_2 = f1_2 * (int64_t) g1; + int64_t f1g2 = f1 * (int64_t) g2; + int64_t f1g3_2 = f1_2 * (int64_t) g3; + int64_t f1g4 = f1 * (int64_t) g4; + int64_t f1g5_2 = f1_2 * (int64_t) g5; + int64_t f1g6 = f1 * (int64_t) g6; + int64_t f1g7_2 = f1_2 * (int64_t) g7; + int64_t f1g8 = f1 * (int64_t) g8; + int64_t f1g9_38 = f1_2 * (int64_t) g9_19; + int64_t f2g0 = f2 * (int64_t) g0; + int64_t f2g1 = f2 * (int64_t) g1; + int64_t f2g2 = f2 * (int64_t) g2; + int64_t f2g3 = f2 * (int64_t) g3; + int64_t f2g4 = f2 * (int64_t) g4; + int64_t f2g5 = f2 * (int64_t) g5; + int64_t f2g6 = f2 * (int64_t) g6; + int64_t f2g7 = f2 * (int64_t) g7; + int64_t f2g8_19 = f2 * (int64_t) g8_19; + int64_t f2g9_19 = f2 * (int64_t) g9_19; + int64_t f3g0 = f3 * (int64_t) g0; + int64_t f3g1_2 = f3_2 * (int64_t) g1; + int64_t f3g2 = f3 * (int64_t) g2; + int64_t f3g3_2 = f3_2 * (int64_t) g3; + int64_t f3g4 = f3 * (int64_t) g4; + int64_t f3g5_2 = f3_2 * (int64_t) g5; + int64_t f3g6 = f3 * (int64_t) g6; + int64_t f3g7_38 = f3_2 * (int64_t) g7_19; + int64_t f3g8_19 = f3 * (int64_t) g8_19; + int64_t f3g9_38 = f3_2 * (int64_t) g9_19; + int64_t f4g0 = f4 * (int64_t) g0; + int64_t f4g1 = f4 * (int64_t) g1; + int64_t f4g2 = f4 * (int64_t) g2; + int64_t f4g3 = f4 * (int64_t) g3; + int64_t f4g4 = f4 * (int64_t) g4; + int64_t f4g5 = f4 * (int64_t) g5; + int64_t f4g6_19 = f4 * (int64_t) g6_19; + int64_t f4g7_19 = f4 * (int64_t) g7_19; + int64_t f4g8_19 = f4 * (int64_t) g8_19; + int64_t f4g9_19 = f4 * (int64_t) g9_19; + int64_t f5g0 = f5 * (int64_t) g0; + int64_t f5g1_2 = f5_2 * (int64_t) g1; + int64_t f5g2 = f5 * (int64_t) g2; + int64_t f5g3_2 = f5_2 * (int64_t) g3; + int64_t f5g4 = f5 * (int64_t) g4; + int64_t f5g5_38 = f5_2 * (int64_t) g5_19; + int64_t f5g6_19 = f5 * (int64_t) g6_19; + int64_t f5g7_38 = f5_2 * (int64_t) g7_19; + int64_t f5g8_19 = f5 * (int64_t) g8_19; + int64_t f5g9_38 = f5_2 * (int64_t) g9_19; + int64_t f6g0 = f6 * (int64_t) g0; + int64_t f6g1 = f6 * (int64_t) g1; + int64_t f6g2 = f6 * (int64_t) g2; + int64_t f6g3 = f6 * (int64_t) g3; + int64_t f6g4_19 = f6 * (int64_t) g4_19; + int64_t f6g5_19 = f6 * (int64_t) g5_19; + int64_t f6g6_19 = f6 * (int64_t) g6_19; + int64_t f6g7_19 = f6 * (int64_t) g7_19; + int64_t f6g8_19 = f6 * (int64_t) g8_19; + int64_t f6g9_19 = f6 * (int64_t) g9_19; + int64_t f7g0 = f7 * (int64_t) g0; + int64_t f7g1_2 = f7_2 * (int64_t) g1; + int64_t f7g2 = f7 * (int64_t) g2; + int64_t f7g3_38 = f7_2 * (int64_t) g3_19; + int64_t f7g4_19 = f7 * (int64_t) g4_19; + int64_t f7g5_38 = f7_2 * (int64_t) g5_19; + int64_t f7g6_19 = f7 * (int64_t) g6_19; + int64_t f7g7_38 = f7_2 * (int64_t) g7_19; + int64_t f7g8_19 = f7 * (int64_t) g8_19; + int64_t f7g9_38 = f7_2 * (int64_t) g9_19; + int64_t f8g0 = f8 * (int64_t) g0; + int64_t f8g1 = f8 * (int64_t) g1; + int64_t f8g2_19 = f8 * (int64_t) g2_19; + int64_t f8g3_19 = f8 * (int64_t) g3_19; + int64_t f8g4_19 = f8 * (int64_t) g4_19; + int64_t f8g5_19 = f8 * (int64_t) g5_19; + int64_t f8g6_19 = f8 * (int64_t) g6_19; + int64_t f8g7_19 = f8 * (int64_t) g7_19; + int64_t f8g8_19 = f8 * (int64_t) g8_19; + int64_t f8g9_19 = f8 * (int64_t) g9_19; + int64_t f9g0 = f9 * (int64_t) g0; + int64_t f9g1_38 = f9_2 * (int64_t) g1_19; + int64_t f9g2_19 = f9 * (int64_t) g2_19; + int64_t f9g3_38 = f9_2 * (int64_t) g3_19; + int64_t f9g4_19 = f9 * (int64_t) g4_19; + int64_t f9g5_38 = f9_2 * (int64_t) g5_19; + int64_t f9g6_19 = f9 * (int64_t) g6_19; + int64_t f9g7_38 = f9_2 * (int64_t) g7_19; + int64_t f9g8_19 = f9 * (int64_t) g8_19; + int64_t f9g9_38 = f9_2 * (int64_t) g9_19; + int64_t h0 = f0g0 + f1g9_38 + f2g8_19 + f3g7_38 + f4g6_19 + f5g5_38 + f6g4_19 + f7g3_38 + f8g2_19 + f9g1_38; + int64_t h1 = f0g1 + f1g0 + f2g9_19 + f3g8_19 + f4g7_19 + f5g6_19 + f6g5_19 + f7g4_19 + f8g3_19 + f9g2_19; + int64_t h2 = f0g2 + f1g1_2 + f2g0 + f3g9_38 + f4g8_19 + f5g7_38 + f6g6_19 + f7g5_38 + f8g4_19 + f9g3_38; + int64_t h3 = f0g3 + f1g2 + f2g1 + f3g0 + f4g9_19 + f5g8_19 + f6g7_19 + f7g6_19 + f8g5_19 + f9g4_19; + int64_t h4 = f0g4 + f1g3_2 + f2g2 + f3g1_2 + f4g0 + f5g9_38 + f6g8_19 + f7g7_38 + f8g6_19 + f9g5_38; + int64_t h5 = f0g5 + f1g4 + f2g3 + f3g2 + f4g1 + f5g0 + f6g9_19 + f7g8_19 + f8g7_19 + f9g6_19; + int64_t h6 = f0g6 + f1g5_2 + f2g4 + f3g3_2 + f4g2 + f5g1_2 + f6g0 + f7g9_38 + f8g8_19 + f9g7_38; + int64_t h7 = f0g7 + f1g6 + f2g5 + f3g4 + f4g3 + f5g2 + f6g1 + f7g0 + f8g9_19 + f9g8_19; + int64_t h8 = f0g8 + f1g7_2 + f2g6 + f3g5_2 + f4g4 + f5g3_2 + f6g2 + f7g1_2 + f8g0 + f9g9_38; + int64_t h9 = f0g9 + f1g8 + f2g7 + f3g6 + f4g5 + f5g4 + f6g3 + f7g2 + f8g1 + f9g0 ; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + + carry0 = (h0 + (int64_t) (1 << 25)) >> 26; + h1 += carry0; + h0 -= carry0 << 26; + carry4 = (h4 + (int64_t) (1 << 25)) >> 26; + h5 += carry4; + h4 -= carry4 << 26; + + carry1 = (h1 + (int64_t) (1 << 24)) >> 25; + h2 += carry1; + h1 -= carry1 << 25; + carry5 = (h5 + (int64_t) (1 << 24)) >> 25; + h6 += carry5; + h5 -= carry5 << 25; + + carry2 = (h2 + (int64_t) (1 << 25)) >> 26; + h3 += carry2; + h2 -= carry2 << 26; + carry6 = (h6 + (int64_t) (1 << 25)) >> 26; + h7 += carry6; + h6 -= carry6 << 26; + + carry3 = (h3 + (int64_t) (1 << 24)) >> 25; + h4 += carry3; + h3 -= carry3 << 25; + carry7 = (h7 + (int64_t) (1 << 24)) >> 25; + h8 += carry7; + h7 -= carry7 << 25; + + carry4 = (h4 + (int64_t) (1 << 25)) >> 26; + h5 += carry4; + h4 -= carry4 << 26; + carry8 = (h8 + (int64_t) (1 << 25)) >> 26; + h9 += carry8; + h8 -= carry8 << 26; + + carry9 = (h9 + (int64_t) (1 << 24)) >> 25; + h0 += carry9 * 19; + h9 -= carry9 << 25; + + carry0 = (h0 + (int64_t) (1 << 25)) >> 26; + h1 += carry0; + h0 -= carry0 << 26; + + h[0] = (int32_t) h0; + h[1] = (int32_t) h1; + h[2] = (int32_t) h2; + h[3] = (int32_t) h3; + h[4] = (int32_t) h4; + h[5] = (int32_t) h5; + h[6] = (int32_t) h6; + h[7] = (int32_t) h7; + h[8] = (int32_t) h8; + h[9] = (int32_t) h9; +} + + +/* +h = f * 121666 +Can overlap h with f. + +Preconditions: + |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. + +Postconditions: + |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. +*/ + +void fe_mul121666(fe h, fe f) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int64_t h0 = f0 * (int64_t) 121666; + int64_t h1 = f1 * (int64_t) 121666; + int64_t h2 = f2 * (int64_t) 121666; + int64_t h3 = f3 * (int64_t) 121666; + int64_t h4 = f4 * (int64_t) 121666; + int64_t h5 = f5 * (int64_t) 121666; + int64_t h6 = f6 * (int64_t) 121666; + int64_t h7 = f7 * (int64_t) 121666; + int64_t h8 = f8 * (int64_t) 121666; + int64_t h9 = f9 * (int64_t) 121666; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + + carry9 = (h9 + (int64_t) (1<<24)) >> 25; h0 += carry9 * 19; h9 -= carry9 << 25; + carry1 = (h1 + (int64_t) (1<<24)) >> 25; h2 += carry1; h1 -= carry1 << 25; + carry3 = (h3 + (int64_t) (1<<24)) >> 25; h4 += carry3; h3 -= carry3 << 25; + carry5 = (h5 + (int64_t) (1<<24)) >> 25; h6 += carry5; h5 -= carry5 << 25; + carry7 = (h7 + (int64_t) (1<<24)) >> 25; h8 += carry7; h7 -= carry7 << 25; + + carry0 = (h0 + (int64_t) (1<<25)) >> 26; h1 += carry0; h0 -= carry0 << 26; + carry2 = (h2 + (int64_t) (1<<25)) >> 26; h3 += carry2; h2 -= carry2 << 26; + carry4 = (h4 + (int64_t) (1<<25)) >> 26; h5 += carry4; h4 -= carry4 << 26; + carry6 = (h6 + (int64_t) (1<<25)) >> 26; h7 += carry6; h6 -= carry6 << 26; + carry8 = (h8 + (int64_t) (1<<25)) >> 26; h9 += carry8; h8 -= carry8 << 26; + + h[0] = (int32_t) h0; + h[1] = (int32_t) h1; + h[2] = (int32_t) h2; + h[3] = (int32_t) h3; + h[4] = (int32_t) h4; + h[5] = (int32_t) h5; + h[6] = (int32_t) h6; + h[7] = (int32_t) h7; + h[8] = (int32_t) h8; + h[9] = (int32_t) h9; +} + + +/* +h = -f + +Preconditions: + |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + +Postconditions: + |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. +*/ + +void fe_neg(fe h, const fe f) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t h0 = -f0; + int32_t h1 = -f1; + int32_t h2 = -f2; + int32_t h3 = -f3; + int32_t h4 = -f4; + int32_t h5 = -f5; + int32_t h6 = -f6; + int32_t h7 = -f7; + int32_t h8 = -f8; + int32_t h9 = -f9; + + h[0] = h0; + h[1] = h1; + h[2] = h2; + h[3] = h3; + h[4] = h4; + h[5] = h5; + h[6] = h6; + h[7] = h7; + h[8] = h8; + h[9] = h9; +} + + +void fe_pow22523(fe out, const fe z) { + fe t0; + fe t1; + fe t2; + int i; + fe_sq(t0, z); + + for (i = 1; i < 1; ++i) { + fe_sq(t0, t0); + } + + fe_sq(t1, t0); + + for (i = 1; i < 2; ++i) { + fe_sq(t1, t1); + } + + fe_mul(t1, z, t1); + fe_mul(t0, t0, t1); + fe_sq(t0, t0); + + for (i = 1; i < 1; ++i) { + fe_sq(t0, t0); + } + + fe_mul(t0, t1, t0); + fe_sq(t1, t0); + + for (i = 1; i < 5; ++i) { + fe_sq(t1, t1); + } + + fe_mul(t0, t1, t0); + fe_sq(t1, t0); + + for (i = 1; i < 10; ++i) { + fe_sq(t1, t1); + } + + fe_mul(t1, t1, t0); + fe_sq(t2, t1); + + for (i = 1; i < 20; ++i) { + fe_sq(t2, t2); + } + + fe_mul(t1, t2, t1); + fe_sq(t1, t1); + + for (i = 1; i < 10; ++i) { + fe_sq(t1, t1); + } + + fe_mul(t0, t1, t0); + fe_sq(t1, t0); + + for (i = 1; i < 50; ++i) { + fe_sq(t1, t1); + } + + fe_mul(t1, t1, t0); + fe_sq(t2, t1); + + for (i = 1; i < 100; ++i) { + fe_sq(t2, t2); + } + + fe_mul(t1, t2, t1); + fe_sq(t1, t1); + + for (i = 1; i < 50; ++i) { + fe_sq(t1, t1); + } + + fe_mul(t0, t1, t0); + fe_sq(t0, t0); + + for (i = 1; i < 2; ++i) { + fe_sq(t0, t0); + } + + fe_mul(out, t0, z); + return; +} + + +/* +h = f * f +Can overlap h with f. + +Preconditions: + |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + +Postconditions: + |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. +*/ + +/* +See fe_mul.c for discussion of implementation strategy. +*/ + +void fe_sq(fe h, const fe f) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t f0_2 = 2 * f0; + int32_t f1_2 = 2 * f1; + int32_t f2_2 = 2 * f2; + int32_t f3_2 = 2 * f3; + int32_t f4_2 = 2 * f4; + int32_t f5_2 = 2 * f5; + int32_t f6_2 = 2 * f6; + int32_t f7_2 = 2 * f7; + int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */ + int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */ + int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */ + int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */ + int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */ + int64_t f0f0 = f0 * (int64_t) f0; + int64_t f0f1_2 = f0_2 * (int64_t) f1; + int64_t f0f2_2 = f0_2 * (int64_t) f2; + int64_t f0f3_2 = f0_2 * (int64_t) f3; + int64_t f0f4_2 = f0_2 * (int64_t) f4; + int64_t f0f5_2 = f0_2 * (int64_t) f5; + int64_t f0f6_2 = f0_2 * (int64_t) f6; + int64_t f0f7_2 = f0_2 * (int64_t) f7; + int64_t f0f8_2 = f0_2 * (int64_t) f8; + int64_t f0f9_2 = f0_2 * (int64_t) f9; + int64_t f1f1_2 = f1_2 * (int64_t) f1; + int64_t f1f2_2 = f1_2 * (int64_t) f2; + int64_t f1f3_4 = f1_2 * (int64_t) f3_2; + int64_t f1f4_2 = f1_2 * (int64_t) f4; + int64_t f1f5_4 = f1_2 * (int64_t) f5_2; + int64_t f1f6_2 = f1_2 * (int64_t) f6; + int64_t f1f7_4 = f1_2 * (int64_t) f7_2; + int64_t f1f8_2 = f1_2 * (int64_t) f8; + int64_t f1f9_76 = f1_2 * (int64_t) f9_38; + int64_t f2f2 = f2 * (int64_t) f2; + int64_t f2f3_2 = f2_2 * (int64_t) f3; + int64_t f2f4_2 = f2_2 * (int64_t) f4; + int64_t f2f5_2 = f2_2 * (int64_t) f5; + int64_t f2f6_2 = f2_2 * (int64_t) f6; + int64_t f2f7_2 = f2_2 * (int64_t) f7; + int64_t f2f8_38 = f2_2 * (int64_t) f8_19; + int64_t f2f9_38 = f2 * (int64_t) f9_38; + int64_t f3f3_2 = f3_2 * (int64_t) f3; + int64_t f3f4_2 = f3_2 * (int64_t) f4; + int64_t f3f5_4 = f3_2 * (int64_t) f5_2; + int64_t f3f6_2 = f3_2 * (int64_t) f6; + int64_t f3f7_76 = f3_2 * (int64_t) f7_38; + int64_t f3f8_38 = f3_2 * (int64_t) f8_19; + int64_t f3f9_76 = f3_2 * (int64_t) f9_38; + int64_t f4f4 = f4 * (int64_t) f4; + int64_t f4f5_2 = f4_2 * (int64_t) f5; + int64_t f4f6_38 = f4_2 * (int64_t) f6_19; + int64_t f4f7_38 = f4 * (int64_t) f7_38; + int64_t f4f8_38 = f4_2 * (int64_t) f8_19; + int64_t f4f9_38 = f4 * (int64_t) f9_38; + int64_t f5f5_38 = f5 * (int64_t) f5_38; + int64_t f5f6_38 = f5_2 * (int64_t) f6_19; + int64_t f5f7_76 = f5_2 * (int64_t) f7_38; + int64_t f5f8_38 = f5_2 * (int64_t) f8_19; + int64_t f5f9_76 = f5_2 * (int64_t) f9_38; + int64_t f6f6_19 = f6 * (int64_t) f6_19; + int64_t f6f7_38 = f6 * (int64_t) f7_38; + int64_t f6f8_38 = f6_2 * (int64_t) f8_19; + int64_t f6f9_38 = f6 * (int64_t) f9_38; + int64_t f7f7_38 = f7 * (int64_t) f7_38; + int64_t f7f8_38 = f7_2 * (int64_t) f8_19; + int64_t f7f9_76 = f7_2 * (int64_t) f9_38; + int64_t f8f8_19 = f8 * (int64_t) f8_19; + int64_t f8f9_38 = f8 * (int64_t) f9_38; + int64_t f9f9_38 = f9 * (int64_t) f9_38; + int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38; + int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38; + int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19; + int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38; + int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38; + int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38; + int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19; + int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38; + int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38; + int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + carry0 = (h0 + (int64_t) (1 << 25)) >> 26; + h1 += carry0; + h0 -= carry0 << 26; + carry4 = (h4 + (int64_t) (1 << 25)) >> 26; + h5 += carry4; + h4 -= carry4 << 26; + carry1 = (h1 + (int64_t) (1 << 24)) >> 25; + h2 += carry1; + h1 -= carry1 << 25; + carry5 = (h5 + (int64_t) (1 << 24)) >> 25; + h6 += carry5; + h5 -= carry5 << 25; + carry2 = (h2 + (int64_t) (1 << 25)) >> 26; + h3 += carry2; + h2 -= carry2 << 26; + carry6 = (h6 + (int64_t) (1 << 25)) >> 26; + h7 += carry6; + h6 -= carry6 << 26; + carry3 = (h3 + (int64_t) (1 << 24)) >> 25; + h4 += carry3; + h3 -= carry3 << 25; + carry7 = (h7 + (int64_t) (1 << 24)) >> 25; + h8 += carry7; + h7 -= carry7 << 25; + carry4 = (h4 + (int64_t) (1 << 25)) >> 26; + h5 += carry4; + h4 -= carry4 << 26; + carry8 = (h8 + (int64_t) (1 << 25)) >> 26; + h9 += carry8; + h8 -= carry8 << 26; + carry9 = (h9 + (int64_t) (1 << 24)) >> 25; + h0 += carry9 * 19; + h9 -= carry9 << 25; + carry0 = (h0 + (int64_t) (1 << 25)) >> 26; + h1 += carry0; + h0 -= carry0 << 26; + h[0] = (int32_t) h0; + h[1] = (int32_t) h1; + h[2] = (int32_t) h2; + h[3] = (int32_t) h3; + h[4] = (int32_t) h4; + h[5] = (int32_t) h5; + h[6] = (int32_t) h6; + h[7] = (int32_t) h7; + h[8] = (int32_t) h8; + h[9] = (int32_t) h9; +} + + +/* +h = 2 * f * f +Can overlap h with f. + +Preconditions: + |f| bounded by 1.65*2^26,1.65*2^25,1.65*2^26,1.65*2^25,etc. + +Postconditions: + |h| bounded by 1.01*2^25,1.01*2^24,1.01*2^25,1.01*2^24,etc. +*/ + +/* +See fe_mul.c for discussion of implementation strategy. +*/ + +void fe_sq2(fe h, const fe f) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t f0_2 = 2 * f0; + int32_t f1_2 = 2 * f1; + int32_t f2_2 = 2 * f2; + int32_t f3_2 = 2 * f3; + int32_t f4_2 = 2 * f4; + int32_t f5_2 = 2 * f5; + int32_t f6_2 = 2 * f6; + int32_t f7_2 = 2 * f7; + int32_t f5_38 = 38 * f5; /* 1.959375*2^30 */ + int32_t f6_19 = 19 * f6; /* 1.959375*2^30 */ + int32_t f7_38 = 38 * f7; /* 1.959375*2^30 */ + int32_t f8_19 = 19 * f8; /* 1.959375*2^30 */ + int32_t f9_38 = 38 * f9; /* 1.959375*2^30 */ + int64_t f0f0 = f0 * (int64_t) f0; + int64_t f0f1_2 = f0_2 * (int64_t) f1; + int64_t f0f2_2 = f0_2 * (int64_t) f2; + int64_t f0f3_2 = f0_2 * (int64_t) f3; + int64_t f0f4_2 = f0_2 * (int64_t) f4; + int64_t f0f5_2 = f0_2 * (int64_t) f5; + int64_t f0f6_2 = f0_2 * (int64_t) f6; + int64_t f0f7_2 = f0_2 * (int64_t) f7; + int64_t f0f8_2 = f0_2 * (int64_t) f8; + int64_t f0f9_2 = f0_2 * (int64_t) f9; + int64_t f1f1_2 = f1_2 * (int64_t) f1; + int64_t f1f2_2 = f1_2 * (int64_t) f2; + int64_t f1f3_4 = f1_2 * (int64_t) f3_2; + int64_t f1f4_2 = f1_2 * (int64_t) f4; + int64_t f1f5_4 = f1_2 * (int64_t) f5_2; + int64_t f1f6_2 = f1_2 * (int64_t) f6; + int64_t f1f7_4 = f1_2 * (int64_t) f7_2; + int64_t f1f8_2 = f1_2 * (int64_t) f8; + int64_t f1f9_76 = f1_2 * (int64_t) f9_38; + int64_t f2f2 = f2 * (int64_t) f2; + int64_t f2f3_2 = f2_2 * (int64_t) f3; + int64_t f2f4_2 = f2_2 * (int64_t) f4; + int64_t f2f5_2 = f2_2 * (int64_t) f5; + int64_t f2f6_2 = f2_2 * (int64_t) f6; + int64_t f2f7_2 = f2_2 * (int64_t) f7; + int64_t f2f8_38 = f2_2 * (int64_t) f8_19; + int64_t f2f9_38 = f2 * (int64_t) f9_38; + int64_t f3f3_2 = f3_2 * (int64_t) f3; + int64_t f3f4_2 = f3_2 * (int64_t) f4; + int64_t f3f5_4 = f3_2 * (int64_t) f5_2; + int64_t f3f6_2 = f3_2 * (int64_t) f6; + int64_t f3f7_76 = f3_2 * (int64_t) f7_38; + int64_t f3f8_38 = f3_2 * (int64_t) f8_19; + int64_t f3f9_76 = f3_2 * (int64_t) f9_38; + int64_t f4f4 = f4 * (int64_t) f4; + int64_t f4f5_2 = f4_2 * (int64_t) f5; + int64_t f4f6_38 = f4_2 * (int64_t) f6_19; + int64_t f4f7_38 = f4 * (int64_t) f7_38; + int64_t f4f8_38 = f4_2 * (int64_t) f8_19; + int64_t f4f9_38 = f4 * (int64_t) f9_38; + int64_t f5f5_38 = f5 * (int64_t) f5_38; + int64_t f5f6_38 = f5_2 * (int64_t) f6_19; + int64_t f5f7_76 = f5_2 * (int64_t) f7_38; + int64_t f5f8_38 = f5_2 * (int64_t) f8_19; + int64_t f5f9_76 = f5_2 * (int64_t) f9_38; + int64_t f6f6_19 = f6 * (int64_t) f6_19; + int64_t f6f7_38 = f6 * (int64_t) f7_38; + int64_t f6f8_38 = f6_2 * (int64_t) f8_19; + int64_t f6f9_38 = f6 * (int64_t) f9_38; + int64_t f7f7_38 = f7 * (int64_t) f7_38; + int64_t f7f8_38 = f7_2 * (int64_t) f8_19; + int64_t f7f9_76 = f7_2 * (int64_t) f9_38; + int64_t f8f8_19 = f8 * (int64_t) f8_19; + int64_t f8f9_38 = f8 * (int64_t) f9_38; + int64_t f9f9_38 = f9 * (int64_t) f9_38; + int64_t h0 = f0f0 + f1f9_76 + f2f8_38 + f3f7_76 + f4f6_38 + f5f5_38; + int64_t h1 = f0f1_2 + f2f9_38 + f3f8_38 + f4f7_38 + f5f6_38; + int64_t h2 = f0f2_2 + f1f1_2 + f3f9_76 + f4f8_38 + f5f7_76 + f6f6_19; + int64_t h3 = f0f3_2 + f1f2_2 + f4f9_38 + f5f8_38 + f6f7_38; + int64_t h4 = f0f4_2 + f1f3_4 + f2f2 + f5f9_76 + f6f8_38 + f7f7_38; + int64_t h5 = f0f5_2 + f1f4_2 + f2f3_2 + f6f9_38 + f7f8_38; + int64_t h6 = f0f6_2 + f1f5_4 + f2f4_2 + f3f3_2 + f7f9_76 + f8f8_19; + int64_t h7 = f0f7_2 + f1f6_2 + f2f5_2 + f3f4_2 + f8f9_38; + int64_t h8 = f0f8_2 + f1f7_4 + f2f6_2 + f3f5_4 + f4f4 + f9f9_38; + int64_t h9 = f0f9_2 + f1f8_2 + f2f7_2 + f3f6_2 + f4f5_2; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + h0 += h0; + h1 += h1; + h2 += h2; + h3 += h3; + h4 += h4; + h5 += h5; + h6 += h6; + h7 += h7; + h8 += h8; + h9 += h9; + carry0 = (h0 + (int64_t) (1 << 25)) >> 26; + h1 += carry0; + h0 -= carry0 << 26; + carry4 = (h4 + (int64_t) (1 << 25)) >> 26; + h5 += carry4; + h4 -= carry4 << 26; + carry1 = (h1 + (int64_t) (1 << 24)) >> 25; + h2 += carry1; + h1 -= carry1 << 25; + carry5 = (h5 + (int64_t) (1 << 24)) >> 25; + h6 += carry5; + h5 -= carry5 << 25; + carry2 = (h2 + (int64_t) (1 << 25)) >> 26; + h3 += carry2; + h2 -= carry2 << 26; + carry6 = (h6 + (int64_t) (1 << 25)) >> 26; + h7 += carry6; + h6 -= carry6 << 26; + carry3 = (h3 + (int64_t) (1 << 24)) >> 25; + h4 += carry3; + h3 -= carry3 << 25; + carry7 = (h7 + (int64_t) (1 << 24)) >> 25; + h8 += carry7; + h7 -= carry7 << 25; + carry4 = (h4 + (int64_t) (1 << 25)) >> 26; + h5 += carry4; + h4 -= carry4 << 26; + carry8 = (h8 + (int64_t) (1 << 25)) >> 26; + h9 += carry8; + h8 -= carry8 << 26; + carry9 = (h9 + (int64_t) (1 << 24)) >> 25; + h0 += carry9 * 19; + h9 -= carry9 << 25; + carry0 = (h0 + (int64_t) (1 << 25)) >> 26; + h1 += carry0; + h0 -= carry0 << 26; + h[0] = (int32_t) h0; + h[1] = (int32_t) h1; + h[2] = (int32_t) h2; + h[3] = (int32_t) h3; + h[4] = (int32_t) h4; + h[5] = (int32_t) h5; + h[6] = (int32_t) h6; + h[7] = (int32_t) h7; + h[8] = (int32_t) h8; + h[9] = (int32_t) h9; +} + + +/* +h = f - g +Can overlap h with f or g. + +Preconditions: + |f| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + |g| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. + +Postconditions: + |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. +*/ + +void fe_sub(fe h, const fe f, const fe g) { + int32_t f0 = f[0]; + int32_t f1 = f[1]; + int32_t f2 = f[2]; + int32_t f3 = f[3]; + int32_t f4 = f[4]; + int32_t f5 = f[5]; + int32_t f6 = f[6]; + int32_t f7 = f[7]; + int32_t f8 = f[8]; + int32_t f9 = f[9]; + int32_t g0 = g[0]; + int32_t g1 = g[1]; + int32_t g2 = g[2]; + int32_t g3 = g[3]; + int32_t g4 = g[4]; + int32_t g5 = g[5]; + int32_t g6 = g[6]; + int32_t g7 = g[7]; + int32_t g8 = g[8]; + int32_t g9 = g[9]; + int32_t h0 = f0 - g0; + int32_t h1 = f1 - g1; + int32_t h2 = f2 - g2; + int32_t h3 = f3 - g3; + int32_t h4 = f4 - g4; + int32_t h5 = f5 - g5; + int32_t h6 = f6 - g6; + int32_t h7 = f7 - g7; + int32_t h8 = f8 - g8; + int32_t h9 = f9 - g9; + + h[0] = h0; + h[1] = h1; + h[2] = h2; + h[3] = h3; + h[4] = h4; + h[5] = h5; + h[6] = h6; + h[7] = h7; + h[8] = h8; + h[9] = h9; +} + + + +/* +Preconditions: + |h| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. + +Write p=2^255-19; q=floor(h/p). +Basic claim: q = floor(2^(-255)(h + 19 2^(-25)h9 + 2^(-1))). + +Proof: + Have |h|<=p so |q|<=1 so |19^2 2^(-255) q|<1/4. + Also have |h-2^230 h9|<2^231 so |19 2^(-255)(h-2^230 h9)|<1/4. + + Write y=2^(-1)-19^2 2^(-255)q-19 2^(-255)(h-2^230 h9). + Then 0> 25; + q = (h0 + q) >> 26; + q = (h1 + q) >> 25; + q = (h2 + q) >> 26; + q = (h3 + q) >> 25; + q = (h4 + q) >> 26; + q = (h5 + q) >> 25; + q = (h6 + q) >> 26; + q = (h7 + q) >> 25; + q = (h8 + q) >> 26; + q = (h9 + q) >> 25; + /* Goal: Output h-(2^255-19)q, which is between 0 and 2^255-20. */ + h0 += 19 * q; + /* Goal: Output h-2^255 q, which is between 0 and 2^255-20. */ + carry0 = h0 >> 26; + h1 += carry0; + h0 -= carry0 << 26; + carry1 = h1 >> 25; + h2 += carry1; + h1 -= carry1 << 25; + carry2 = h2 >> 26; + h3 += carry2; + h2 -= carry2 << 26; + carry3 = h3 >> 25; + h4 += carry3; + h3 -= carry3 << 25; + carry4 = h4 >> 26; + h5 += carry4; + h4 -= carry4 << 26; + carry5 = h5 >> 25; + h6 += carry5; + h5 -= carry5 << 25; + carry6 = h6 >> 26; + h7 += carry6; + h6 -= carry6 << 26; + carry7 = h7 >> 25; + h8 += carry7; + h7 -= carry7 << 25; + carry8 = h8 >> 26; + h9 += carry8; + h8 -= carry8 << 26; + carry9 = h9 >> 25; + h9 -= carry9 << 25; + + /* h10 = carry9 */ + /* + Goal: Output h0+...+2^255 h10-2^255 q, which is between 0 and 2^255-20. + Have h0+...+2^230 h9 between 0 and 2^255-1; + evidently 2^255 h10-2^255 q = 0. + Goal: Output h0+...+2^230 h9. + */ + s[0] = (unsigned char) (h0 >> 0); + s[1] = (unsigned char) (h0 >> 8); + s[2] = (unsigned char) (h0 >> 16); + s[3] = (unsigned char) ((h0 >> 24) | (h1 << 2)); + s[4] = (unsigned char) (h1 >> 6); + s[5] = (unsigned char) (h1 >> 14); + s[6] = (unsigned char) ((h1 >> 22) | (h2 << 3)); + s[7] = (unsigned char) (h2 >> 5); + s[8] = (unsigned char) (h2 >> 13); + s[9] = (unsigned char) ((h2 >> 21) | (h3 << 5)); + s[10] = (unsigned char) (h3 >> 3); + s[11] = (unsigned char) (h3 >> 11); + s[12] = (unsigned char) ((h3 >> 19) | (h4 << 6)); + s[13] = (unsigned char) (h4 >> 2); + s[14] = (unsigned char) (h4 >> 10); + s[15] = (unsigned char) (h4 >> 18); + s[16] = (unsigned char) (h5 >> 0); + s[17] = (unsigned char) (h5 >> 8); + s[18] = (unsigned char) (h5 >> 16); + s[19] = (unsigned char) ((h5 >> 24) | (h6 << 1)); + s[20] = (unsigned char) (h6 >> 7); + s[21] = (unsigned char) (h6 >> 15); + s[22] = (unsigned char) ((h6 >> 23) | (h7 << 3)); + s[23] = (unsigned char) (h7 >> 5); + s[24] = (unsigned char) (h7 >> 13); + s[25] = (unsigned char) ((h7 >> 21) | (h8 << 4)); + s[26] = (unsigned char) (h8 >> 4); + s[27] = (unsigned char) (h8 >> 12); + s[28] = (unsigned char) ((h8 >> 20) | (h9 << 6)); + s[29] = (unsigned char) (h9 >> 2); + s[30] = (unsigned char) (h9 >> 10); + s[31] = (unsigned char) (h9 >> 18); +} diff --git a/3rd_party/ed25519/fe.h b/3rd_party/ed25519/fe.h new file mode 100644 index 0000000..b4b62d2 --- /dev/null +++ b/3rd_party/ed25519/fe.h @@ -0,0 +1,41 @@ +#ifndef FE_H +#define FE_H + +#include "fixedint.h" + + +/* + fe means field element. + Here the field is \Z/(2^255-19). + An element t, entries t[0]...t[9], represents the integer + t[0]+2^26 t[1]+2^51 t[2]+2^77 t[3]+2^102 t[4]+...+2^230 t[9]. + Bounds on each t[i] vary depending on context. +*/ + + +typedef int32_t fe[10]; + + +void fe_0(fe h); +void fe_1(fe h); + +void fe_frombytes(fe h, const unsigned char *s); +void fe_tobytes(unsigned char *s, const fe h); + +void fe_copy(fe h, const fe f); +int fe_isnegative(const fe f); +int fe_isnonzero(const fe f); +void fe_cmov(fe f, const fe g, unsigned int b); +void fe_cswap(fe f, fe g, unsigned int b); + +void fe_neg(fe h, const fe f); +void fe_add(fe h, const fe f, const fe g); +void fe_invert(fe out, const fe z); +void fe_sq(fe h, const fe f); +void fe_sq2(fe h, const fe f); +void fe_mul(fe h, const fe f, const fe g); +void fe_mul121666(fe h, fe f); +void fe_pow22523(fe out, const fe z); +void fe_sub(fe h, const fe f, const fe g); + +#endif diff --git a/3rd_party/ed25519/fixedint.h b/3rd_party/ed25519/fixedint.h new file mode 100644 index 0000000..1a8745b --- /dev/null +++ b/3rd_party/ed25519/fixedint.h @@ -0,0 +1,72 @@ +/* + Portable header to provide the 32 and 64 bits type. + + Not a compatible replacement for , do not blindly use it as such. +*/ + +#if ((defined(__STDC__) && __STDC__ && __STDC_VERSION__ >= 199901L) || (defined(__WATCOMC__) && (defined(_STDINT_H_INCLUDED) || __WATCOMC__ >= 1250)) || (defined(__GNUC__) && (defined(_STDINT_H) || defined(_STDINT_H_) || defined(__UINT_FAST64_TYPE__)) )) && !defined(FIXEDINT_H_INCLUDED) + #include + #define FIXEDINT_H_INCLUDED + + #if defined(__WATCOMC__) && __WATCOMC__ >= 1250 && !defined(UINT64_C) + #include + #define UINT64_C(x) (x + (UINT64_MAX - UINT64_MAX)) + #endif +#endif + + +#ifndef FIXEDINT_H_INCLUDED + #define FIXEDINT_H_INCLUDED + + #include + + /* (u)int32_t */ + #ifndef uint32_t + #if (ULONG_MAX == 0xffffffffUL) + typedef unsigned long uint32_t; + #elif (UINT_MAX == 0xffffffffUL) + typedef unsigned int uint32_t; + #elif (USHRT_MAX == 0xffffffffUL) + typedef unsigned short uint32_t; + #endif + #endif + + + #ifndef int32_t + #if (LONG_MAX == 0x7fffffffL) + typedef signed long int32_t; + #elif (INT_MAX == 0x7fffffffL) + typedef signed int int32_t; + #elif (SHRT_MAX == 0x7fffffffL) + typedef signed short int32_t; + #endif + #endif + + + /* (u)int64_t */ + #if (defined(__STDC__) && defined(__STDC_VERSION__) && __STDC__ && __STDC_VERSION__ >= 199901L) + typedef long long int64_t; + typedef unsigned long long uint64_t; + + #define UINT64_C(v) v ##ULL + #define INT64_C(v) v ##LL + #elif defined(__GNUC__) + __extension__ typedef long long int64_t; + __extension__ typedef unsigned long long uint64_t; + + #define UINT64_C(v) v ##ULL + #define INT64_C(v) v ##LL + #elif defined(__MWERKS__) || defined(__SUNPRO_C) || defined(__SUNPRO_CC) || defined(__APPLE_CC__) || defined(_LONG_LONG) || defined(_CRAYC) + typedef long long int64_t; + typedef unsigned long long uint64_t; + + #define UINT64_C(v) v ##ULL + #define INT64_C(v) v ##LL + #elif (defined(__WATCOMC__) && defined(__WATCOM_INT64__)) || (defined(_MSC_VER) && _INTEGRAL_MAX_BITS >= 64) || (defined(__BORLANDC__) && __BORLANDC__ > 0x460) || defined(__alpha) || defined(__DECC) + typedef __int64 int64_t; + typedef unsigned __int64 uint64_t; + + #define UINT64_C(v) v ##UI64 + #define INT64_C(v) v ##I64 + #endif +#endif diff --git a/3rd_party/ed25519/ge.c b/3rd_party/ed25519/ge.c new file mode 100644 index 0000000..87c691b --- /dev/null +++ b/3rd_party/ed25519/ge.c @@ -0,0 +1,467 @@ +#include "ge.h" +#include "precomp_data.h" + + +/* +r = p + q +*/ + +void ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) { + fe t0; + fe_add(r->X, p->Y, p->X); + fe_sub(r->Y, p->Y, p->X); + fe_mul(r->Z, r->X, q->YplusX); + fe_mul(r->Y, r->Y, q->YminusX); + fe_mul(r->T, q->T2d, p->T); + fe_mul(r->X, p->Z, q->Z); + fe_add(t0, r->X, r->X); + fe_sub(r->X, r->Z, r->Y); + fe_add(r->Y, r->Z, r->Y); + fe_add(r->Z, t0, r->T); + fe_sub(r->T, t0, r->T); +} + + +static void slide(signed char *r, const unsigned char *a) { + int i; + int b; + int k; + + for (i = 0; i < 256; ++i) { + r[i] = 1 & (a[i >> 3] >> (i & 7)); + } + + for (i = 0; i < 256; ++i) + if (r[i]) { + for (b = 1; b <= 6 && i + b < 256; ++b) { + if (r[i + b]) { + if (r[i] + (r[i + b] << b) <= 15) { + r[i] += r[i + b] << b; + r[i + b] = 0; + } else if (r[i] - (r[i + b] << b) >= -15) { + r[i] -= r[i + b] << b; + + for (k = i + b; k < 256; ++k) { + if (!r[k]) { + r[k] = 1; + break; + } + + r[k] = 0; + } + } else { + break; + } + } + } + } +} + +/* +r = a * A + b * B +where a = a[0]+256*a[1]+...+256^31 a[31]. +and b = b[0]+256*b[1]+...+256^31 b[31]. +B is the Ed25519 base point (x,4/5) with x positive. +*/ + +void ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a, const ge_p3 *A, const unsigned char *b) { + signed char aslide[256]; + signed char bslide[256]; + ge_cached Ai[8]; /* A,3A,5A,7A,9A,11A,13A,15A */ + ge_p1p1 t; + ge_p3 u; + ge_p3 A2; + int i; + slide(aslide, a); + slide(bslide, b); + ge_p3_to_cached(&Ai[0], A); + ge_p3_dbl(&t, A); + ge_p1p1_to_p3(&A2, &t); + ge_add(&t, &A2, &Ai[0]); + ge_p1p1_to_p3(&u, &t); + ge_p3_to_cached(&Ai[1], &u); + ge_add(&t, &A2, &Ai[1]); + ge_p1p1_to_p3(&u, &t); + ge_p3_to_cached(&Ai[2], &u); + ge_add(&t, &A2, &Ai[2]); + ge_p1p1_to_p3(&u, &t); + ge_p3_to_cached(&Ai[3], &u); + ge_add(&t, &A2, &Ai[3]); + ge_p1p1_to_p3(&u, &t); + ge_p3_to_cached(&Ai[4], &u); + ge_add(&t, &A2, &Ai[4]); + ge_p1p1_to_p3(&u, &t); + ge_p3_to_cached(&Ai[5], &u); + ge_add(&t, &A2, &Ai[5]); + ge_p1p1_to_p3(&u, &t); + ge_p3_to_cached(&Ai[6], &u); + ge_add(&t, &A2, &Ai[6]); + ge_p1p1_to_p3(&u, &t); + ge_p3_to_cached(&Ai[7], &u); + ge_p2_0(r); + + for (i = 255; i >= 0; --i) { + if (aslide[i] || bslide[i]) { + break; + } + } + + for (; i >= 0; --i) { + ge_p2_dbl(&t, r); + + if (aslide[i] > 0) { + ge_p1p1_to_p3(&u, &t); + ge_add(&t, &u, &Ai[aslide[i] / 2]); + } else if (aslide[i] < 0) { + ge_p1p1_to_p3(&u, &t); + ge_sub(&t, &u, &Ai[(-aslide[i]) / 2]); + } + + if (bslide[i] > 0) { + ge_p1p1_to_p3(&u, &t); + ge_madd(&t, &u, &Bi[bslide[i] / 2]); + } else if (bslide[i] < 0) { + ge_p1p1_to_p3(&u, &t); + ge_msub(&t, &u, &Bi[(-bslide[i]) / 2]); + } + + ge_p1p1_to_p2(r, &t); + } +} + + +static const fe d = { + -10913610, 13857413, -15372611, 6949391, 114729, -8787816, -6275908, -3247719, -18696448, -12055116 +}; + +static const fe sqrtm1 = { + -32595792, -7943725, 9377950, 3500415, 12389472, -272473, -25146209, -2005654, 326686, 11406482 +}; + +int ge_frombytes_negate_vartime(ge_p3 *h, const unsigned char *s) { + fe u; + fe v; + fe v3; + fe vxx; + fe check; + fe_frombytes(h->Y, s); + fe_1(h->Z); + fe_sq(u, h->Y); + fe_mul(v, u, d); + fe_sub(u, u, h->Z); /* u = y^2-1 */ + fe_add(v, v, h->Z); /* v = dy^2+1 */ + fe_sq(v3, v); + fe_mul(v3, v3, v); /* v3 = v^3 */ + fe_sq(h->X, v3); + fe_mul(h->X, h->X, v); + fe_mul(h->X, h->X, u); /* x = uv^7 */ + fe_pow22523(h->X, h->X); /* x = (uv^7)^((q-5)/8) */ + fe_mul(h->X, h->X, v3); + fe_mul(h->X, h->X, u); /* x = uv^3(uv^7)^((q-5)/8) */ + fe_sq(vxx, h->X); + fe_mul(vxx, vxx, v); + fe_sub(check, vxx, u); /* vx^2-u */ + + if (fe_isnonzero(check)) { + fe_add(check, vxx, u); /* vx^2+u */ + + if (fe_isnonzero(check)) { + return -1; + } + + fe_mul(h->X, h->X, sqrtm1); + } + + if (fe_isnegative(h->X) == (s[31] >> 7)) { + fe_neg(h->X, h->X); + } + + fe_mul(h->T, h->X, h->Y); + return 0; +} + + +/* +r = p + q +*/ + +void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) { + fe t0; + fe_add(r->X, p->Y, p->X); + fe_sub(r->Y, p->Y, p->X); + fe_mul(r->Z, r->X, q->yplusx); + fe_mul(r->Y, r->Y, q->yminusx); + fe_mul(r->T, q->xy2d, p->T); + fe_add(t0, p->Z, p->Z); + fe_sub(r->X, r->Z, r->Y); + fe_add(r->Y, r->Z, r->Y); + fe_add(r->Z, t0, r->T); + fe_sub(r->T, t0, r->T); +} + + +/* +r = p - q +*/ + +void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) { + fe t0; + + fe_add(r->X, p->Y, p->X); + fe_sub(r->Y, p->Y, p->X); + fe_mul(r->Z, r->X, q->yminusx); + fe_mul(r->Y, r->Y, q->yplusx); + fe_mul(r->T, q->xy2d, p->T); + fe_add(t0, p->Z, p->Z); + fe_sub(r->X, r->Z, r->Y); + fe_add(r->Y, r->Z, r->Y); + fe_sub(r->Z, t0, r->T); + fe_add(r->T, t0, r->T); +} + + +/* +r = p +*/ + +void ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p) { + fe_mul(r->X, p->X, p->T); + fe_mul(r->Y, p->Y, p->Z); + fe_mul(r->Z, p->Z, p->T); +} + + + +/* +r = p +*/ + +void ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p) { + fe_mul(r->X, p->X, p->T); + fe_mul(r->Y, p->Y, p->Z); + fe_mul(r->Z, p->Z, p->T); + fe_mul(r->T, p->X, p->Y); +} + + +void ge_p2_0(ge_p2 *h) { + fe_0(h->X); + fe_1(h->Y); + fe_1(h->Z); +} + + + +/* +r = 2 * p +*/ + +void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p) { + fe t0; + + fe_sq(r->X, p->X); + fe_sq(r->Z, p->Y); + fe_sq2(r->T, p->Z); + fe_add(r->Y, p->X, p->Y); + fe_sq(t0, r->Y); + fe_add(r->Y, r->Z, r->X); + fe_sub(r->Z, r->Z, r->X); + fe_sub(r->X, t0, r->Y); + fe_sub(r->T, r->T, r->Z); +} + + +void ge_p3_0(ge_p3 *h) { + fe_0(h->X); + fe_1(h->Y); + fe_1(h->Z); + fe_0(h->T); +} + + +/* +r = 2 * p +*/ + +void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p) { + ge_p2 q; + ge_p3_to_p2(&q, p); + ge_p2_dbl(r, &q); +} + + + +/* +r = p +*/ + +static const fe d2 = { + -21827239, -5839606, -30745221, 13898782, 229458, 15978800, -12551817, -6495438, 29715968, 9444199 +}; + +void ge_p3_to_cached(ge_cached *r, const ge_p3 *p) { + fe_add(r->YplusX, p->Y, p->X); + fe_sub(r->YminusX, p->Y, p->X); + fe_copy(r->Z, p->Z); + fe_mul(r->T2d, p->T, d2); +} + + +/* +r = p +*/ + +void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) { + fe_copy(r->X, p->X); + fe_copy(r->Y, p->Y); + fe_copy(r->Z, p->Z); +} + + +void ge_p3_tobytes(unsigned char *s, const ge_p3 *h) { + fe recip; + fe x; + fe y; + fe_invert(recip, h->Z); + fe_mul(x, h->X, recip); + fe_mul(y, h->Y, recip); + fe_tobytes(s, y); + s[31] ^= fe_isnegative(x) << 7; +} + + +static unsigned char equal(signed char b, signed char c) { + unsigned char ub = b; + unsigned char uc = c; + unsigned char x = ub ^ uc; /* 0: yes; 1..255: no */ + uint64_t y = x; /* 0: yes; 1..255: no */ + y -= 1; /* large: yes; 0..254: no */ + y >>= 63; /* 1: yes; 0: no */ + return (unsigned char) y; +} + +static unsigned char negative(signed char b) { + uint64_t x = b; /* 18446744073709551361..18446744073709551615: yes; 0..255: no */ + x >>= 63; /* 1: yes; 0: no */ + return (unsigned char) x; +} + +static void cmov(ge_precomp *t, const ge_precomp *u, unsigned char b) { + fe_cmov(t->yplusx, u->yplusx, b); + fe_cmov(t->yminusx, u->yminusx, b); + fe_cmov(t->xy2d, u->xy2d, b); +} + + +static void select(ge_precomp *t, int pos, signed char b) { + ge_precomp minust; + unsigned char bnegative = negative(b); + unsigned char babs = b - (((-bnegative) & b) << 1); + fe_1(t->yplusx); + fe_1(t->yminusx); + fe_0(t->xy2d); + cmov(t, &base[pos][0], equal(babs, 1)); + cmov(t, &base[pos][1], equal(babs, 2)); + cmov(t, &base[pos][2], equal(babs, 3)); + cmov(t, &base[pos][3], equal(babs, 4)); + cmov(t, &base[pos][4], equal(babs, 5)); + cmov(t, &base[pos][5], equal(babs, 6)); + cmov(t, &base[pos][6], equal(babs, 7)); + cmov(t, &base[pos][7], equal(babs, 8)); + fe_copy(minust.yplusx, t->yminusx); + fe_copy(minust.yminusx, t->yplusx); + fe_neg(minust.xy2d, t->xy2d); + cmov(t, &minust, bnegative); +} + +/* +h = a * B +where a = a[0]+256*a[1]+...+256^31 a[31] +B is the Ed25519 base point (x,4/5) with x positive. + +Preconditions: + a[31] <= 127 +*/ + +void ge_scalarmult_base(ge_p3 *h, const unsigned char *a) { + signed char e[64]; + signed char carry; + ge_p1p1 r; + ge_p2 s; + ge_precomp t; + int i; + + for (i = 0; i < 32; ++i) { + e[2 * i + 0] = (a[i] >> 0) & 15; + e[2 * i + 1] = (a[i] >> 4) & 15; + } + + /* each e[i] is between 0 and 15 */ + /* e[63] is between 0 and 7 */ + carry = 0; + + for (i = 0; i < 63; ++i) { + e[i] += carry; + carry = e[i] + 8; + carry >>= 4; + e[i] -= carry << 4; + } + + e[63] += carry; + /* each e[i] is between -8 and 8 */ + ge_p3_0(h); + + for (i = 1; i < 64; i += 2) { + select(&t, i / 2, e[i]); + ge_madd(&r, h, &t); + ge_p1p1_to_p3(h, &r); + } + + ge_p3_dbl(&r, h); + ge_p1p1_to_p2(&s, &r); + ge_p2_dbl(&r, &s); + ge_p1p1_to_p2(&s, &r); + ge_p2_dbl(&r, &s); + ge_p1p1_to_p2(&s, &r); + ge_p2_dbl(&r, &s); + ge_p1p1_to_p3(h, &r); + + for (i = 0; i < 64; i += 2) { + select(&t, i / 2, e[i]); + ge_madd(&r, h, &t); + ge_p1p1_to_p3(h, &r); + } +} + + +/* +r = p - q +*/ + +void ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) { + fe t0; + + fe_add(r->X, p->Y, p->X); + fe_sub(r->Y, p->Y, p->X); + fe_mul(r->Z, r->X, q->YminusX); + fe_mul(r->Y, r->Y, q->YplusX); + fe_mul(r->T, q->T2d, p->T); + fe_mul(r->X, p->Z, q->Z); + fe_add(t0, r->X, r->X); + fe_sub(r->X, r->Z, r->Y); + fe_add(r->Y, r->Z, r->Y); + fe_sub(r->Z, t0, r->T); + fe_add(r->T, t0, r->T); +} + + +void ge_tobytes(unsigned char *s, const ge_p2 *h) { + fe recip; + fe x; + fe y; + fe_invert(recip, h->Z); + fe_mul(x, h->X, recip); + fe_mul(y, h->Y, recip); + fe_tobytes(s, y); + s[31] ^= fe_isnegative(x) << 7; +} diff --git a/3rd_party/ed25519/ge.h b/3rd_party/ed25519/ge.h new file mode 100644 index 0000000..17fde2d --- /dev/null +++ b/3rd_party/ed25519/ge.h @@ -0,0 +1,74 @@ +#ifndef GE_H +#define GE_H + +#include "fe.h" + + +/* +ge means group element. + +Here the group is the set of pairs (x,y) of field elements (see fe.h) +satisfying -x^2 + y^2 = 1 + d x^2y^2 +where d = -121665/121666. + +Representations: + ge_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z + ge_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT + ge_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T + ge_precomp (Duif): (y+x,y-x,2dxy) +*/ + +typedef struct { + fe X; + fe Y; + fe Z; +} ge_p2; + +typedef struct { + fe X; + fe Y; + fe Z; + fe T; +} ge_p3; + +typedef struct { + fe X; + fe Y; + fe Z; + fe T; +} ge_p1p1; + +typedef struct { + fe yplusx; + fe yminusx; + fe xy2d; +} ge_precomp; + +typedef struct { + fe YplusX; + fe YminusX; + fe Z; + fe T2d; +} ge_cached; + +void ge_p3_tobytes(unsigned char *s, const ge_p3 *h); +void ge_tobytes(unsigned char *s, const ge_p2 *h); +int ge_frombytes_negate_vartime(ge_p3 *h, const unsigned char *s); + +void ge_add(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q); +void ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q); +void ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a, const ge_p3 *A, const unsigned char *b); +void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q); +void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q); +void ge_scalarmult_base(ge_p3 *h, const unsigned char *a); + +void ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p); +void ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p); +void ge_p2_0(ge_p2 *h); +void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p); +void ge_p3_0(ge_p3 *h); +void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p); +void ge_p3_to_cached(ge_cached *r, const ge_p3 *p); +void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p); + +#endif diff --git a/3rd_party/ed25519/key_exchange.c b/3rd_party/ed25519/key_exchange.c new file mode 100644 index 0000000..abd75da --- /dev/null +++ b/3rd_party/ed25519/key_exchange.c @@ -0,0 +1,79 @@ +#include "ed25519.h" +#include "fe.h" + +void ed25519_key_exchange(unsigned char *shared_secret, const unsigned char *public_key, const unsigned char *private_key) { + unsigned char e[32]; + unsigned int i; + + fe x1; + fe x2; + fe z2; + fe x3; + fe z3; + fe tmp0; + fe tmp1; + + int pos; + unsigned int swap; + unsigned int b; + + /* copy the private key and make sure it's valid */ + for (i = 0; i < 32; ++i) { + e[i] = private_key[i]; + } + + e[0] &= 248; + e[31] &= 63; + e[31] |= 64; + + /* unpack the public key and convert edwards to montgomery */ + /* due to CodesInChaos: montgomeryX = (edwardsY + 1)*inverse(1 - edwardsY) mod p */ + fe_frombytes(x1, public_key); + fe_1(tmp1); + fe_add(tmp0, x1, tmp1); + fe_sub(tmp1, tmp1, x1); + fe_invert(tmp1, tmp1); + fe_mul(x1, tmp0, tmp1); + + fe_1(x2); + fe_0(z2); + fe_copy(x3, x1); + fe_1(z3); + + swap = 0; + for (pos = 254; pos >= 0; --pos) { + b = e[pos / 8] >> (pos & 7); + b &= 1; + swap ^= b; + fe_cswap(x2, x3, swap); + fe_cswap(z2, z3, swap); + swap = b; + + /* from montgomery.h */ + fe_sub(tmp0, x3, z3); + fe_sub(tmp1, x2, z2); + fe_add(x2, x2, z2); + fe_add(z2, x3, z3); + fe_mul(z3, tmp0, x2); + fe_mul(z2, z2, tmp1); + fe_sq(tmp0, tmp1); + fe_sq(tmp1, x2); + fe_add(x3, z3, z2); + fe_sub(z2, z3, z2); + fe_mul(x2, tmp1, tmp0); + fe_sub(tmp1, tmp1, tmp0); + fe_sq(z2, z2); + fe_mul121666(z3, tmp1); + fe_sq(x3, x3); + fe_add(tmp0, tmp0, z3); + fe_mul(z3, x1, z2); + fe_mul(z2, tmp1, tmp0); + } + + fe_cswap(x2, x3, swap); + fe_cswap(z2, z3, swap); + + fe_invert(z2, z2); + fe_mul(x2, x2, z2); + fe_tobytes(shared_secret, x2); +} diff --git a/3rd_party/ed25519/keypair.c b/3rd_party/ed25519/keypair.c new file mode 100644 index 0000000..dc1b8ec --- /dev/null +++ b/3rd_party/ed25519/keypair.c @@ -0,0 +1,16 @@ +#include "ed25519.h" +#include "sha512.h" +#include "ge.h" + + +void ed25519_create_keypair(unsigned char *public_key, unsigned char *private_key, const unsigned char *seed) { + ge_p3 A; + + sha512(seed, 32, private_key); + private_key[0] &= 248; + private_key[31] &= 63; + private_key[31] |= 64; + + ge_scalarmult_base(&A, private_key); + ge_p3_tobytes(public_key, &A); +} diff --git a/3rd_party/ed25519/precomp_data.h b/3rd_party/ed25519/precomp_data.h new file mode 100644 index 0000000..ff23986 --- /dev/null +++ b/3rd_party/ed25519/precomp_data.h @@ -0,0 +1,1391 @@ +static const ge_precomp Bi[8] = { + { + { 25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605 }, + { -12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378 }, + { -8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546 }, + }, + { + { 15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024 }, + { 16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574 }, + { 30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357 }, + }, + { + { 10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380 }, + { 4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306 }, + { 19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942 }, + }, + { + { 5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766 }, + { -30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701 }, + { 28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300 }, + }, + { + { -22518993, -6692182, 14201702, -8745502, -23510406, 8844726, 18474211, -1361450, -13062696, 13821877 }, + { -6455177, -7839871, 3374702, -4740862, -27098617, -10571707, 31655028, -7212327, 18853322, -14220951 }, + { 4566830, -12963868, -28974889, -12240689, -7602672, -2830569, -8514358, -10431137, 2207753, -3209784 }, + }, + { + { -25154831, -4185821, 29681144, 7868801, -6854661, -9423865, -12437364, -663000, -31111463, -16132436 }, + { 25576264, -2703214, 7349804, -11814844, 16472782, 9300885, 3844789, 15725684, 171356, 6466918 }, + { 23103977, 13316479, 9739013, -16149481, 817875, -15038942, 8965339, -14088058, -30714912, 16193877 }, + }, + { + { -33521811, 3180713, -2394130, 14003687, -16903474, -16270840, 17238398, 4729455, -18074513, 9256800 }, + { -25182317, -4174131, 32336398, 5036987, -21236817, 11360617, 22616405, 9761698, -19827198, 630305 }, + { -13720693, 2639453, -24237460, -7406481, 9494427, -5774029, -6554551, -15960994, -2449256, -14291300 }, + }, + { + { -3151181, -5046075, 9282714, 6866145, -31907062, -863023, -18940575, 15033784, 25105118, -7894876 }, + { -24326370, 15950226, -31801215, -14592823, -11662737, -5090925, 1573892, -2625887, 2198790, -15804619 }, + { -3099351, 10324967, -2241613, 7453183, -5446979, -2735503, -13812022, -16236442, -32461234, -12290683 }, + }, +}; + + +/* base[i][j] = (j+1)*256^i*B */ +static const ge_precomp base[32][8] = { + { + { + { 25967493, -14356035, 29566456, 3660896, -12694345, 4014787, 27544626, -11754271, -6079156, 2047605 }, + { -12545711, 934262, -2722910, 3049990, -727428, 9406986, 12720692, 5043384, 19500929, -15469378 }, + { -8738181, 4489570, 9688441, -14785194, 10184609, -12363380, 29287919, 11864899, -24514362, -4438546 }, + }, + { + { -12815894, -12976347, -21581243, 11784320, -25355658, -2750717, -11717903, -3814571, -358445, -10211303 }, + { -21703237, 6903825, 27185491, 6451973, -29577724, -9554005, -15616551, 11189268, -26829678, -5319081 }, + { 26966642, 11152617, 32442495, 15396054, 14353839, -12752335, -3128826, -9541118, -15472047, -4166697 }, + }, + { + { 15636291, -9688557, 24204773, -7912398, 616977, -16685262, 27787600, -14772189, 28944400, -1550024 }, + { 16568933, 4717097, -11556148, -1102322, 15682896, -11807043, 16354577, -11775962, 7689662, 11199574 }, + { 30464156, -5976125, -11779434, -15670865, 23220365, 15915852, 7512774, 10017326, -17749093, -9920357 }, + }, + { + { -17036878, 13921892, 10945806, -6033431, 27105052, -16084379, -28926210, 15006023, 3284568, -6276540 }, + { 23599295, -8306047, -11193664, -7687416, 13236774, 10506355, 7464579, 9656445, 13059162, 10374397 }, + { 7798556, 16710257, 3033922, 2874086, 28997861, 2835604, 32406664, -3839045, -641708, -101325 }, + }, + { + { 10861363, 11473154, 27284546, 1981175, -30064349, 12577861, 32867885, 14515107, -15438304, 10819380 }, + { 4708026, 6336745, 20377586, 9066809, -11272109, 6594696, -25653668, 12483688, -12668491, 5581306 }, + { 19563160, 16186464, -29386857, 4097519, 10237984, -4348115, 28542350, 13850243, -23678021, -15815942 }, + }, + { + { -15371964, -12862754, 32573250, 4720197, -26436522, 5875511, -19188627, -15224819, -9818940, -12085777 }, + { -8549212, 109983, 15149363, 2178705, 22900618, 4543417, 3044240, -15689887, 1762328, 14866737 }, + { -18199695, -15951423, -10473290, 1707278, -17185920, 3916101, -28236412, 3959421, 27914454, 4383652 }, + }, + { + { 5153746, 9909285, 1723747, -2777874, 30523605, 5516873, 19480852, 5230134, -23952439, -15175766 }, + { -30269007, -3463509, 7665486, 10083793, 28475525, 1649722, 20654025, 16520125, 30598449, 7715701 }, + { 28881845, 14381568, 9657904, 3680757, -20181635, 7843316, -31400660, 1370708, 29794553, -1409300 }, + }, + { + { 14499471, -2729599, -33191113, -4254652, 28494862, 14271267, 30290735, 10876454, -33154098, 2381726 }, + { -7195431, -2655363, -14730155, 462251, -27724326, 3941372, -6236617, 3696005, -32300832, 15351955 }, + { 27431194, 8222322, 16448760, -3907995, -18707002, 11938355, -32961401, -2970515, 29551813, 10109425 }, + }, + }, + { + { + { -13657040, -13155431, -31283750, 11777098, 21447386, 6519384, -2378284, -1627556, 10092783, -4764171 }, + { 27939166, 14210322, 4677035, 16277044, -22964462, -12398139, -32508754, 12005538, -17810127, 12803510 }, + { 17228999, -15661624, -1233527, 300140, -1224870, -11714777, 30364213, -9038194, 18016357, 4397660 }, + }, + { + { -10958843, -7690207, 4776341, -14954238, 27850028, -15602212, -26619106, 14544525, -17477504, 982639 }, + { 29253598, 15796703, -2863982, -9908884, 10057023, 3163536, 7332899, -4120128, -21047696, 9934963 }, + { 5793303, 16271923, -24131614, -10116404, 29188560, 1206517, -14747930, 4559895, -30123922, -10897950 }, + }, + { + { -27643952, -11493006, 16282657, -11036493, 28414021, -15012264, 24191034, 4541697, -13338309, 5500568 }, + { 12650548, -1497113, 9052871, 11355358, -17680037, -8400164, -17430592, 12264343, 10874051, 13524335 }, + { 25556948, -3045990, 714651, 2510400, 23394682, -10415330, 33119038, 5080568, -22528059, 5376628 }, + }, + { + { -26088264, -4011052, -17013699, -3537628, -6726793, 1920897, -22321305, -9447443, 4535768, 1569007 }, + { -2255422, 14606630, -21692440, -8039818, 28430649, 8775819, -30494562, 3044290, 31848280, 12543772 }, + { -22028579, 2943893, -31857513, 6777306, 13784462, -4292203, -27377195, -2062731, 7718482, 14474653 }, + }, + { + { 2385315, 2454213, -22631320, 46603, -4437935, -15680415, 656965, -7236665, 24316168, -5253567 }, + { 13741529, 10911568, -33233417, -8603737, -20177830, -1033297, 33040651, -13424532, -20729456, 8321686 }, + { 21060490, -2212744, 15712757, -4336099, 1639040, 10656336, 23845965, -11874838, -9984458, 608372 }, + }, + { + { -13672732, -15087586, -10889693, -7557059, -6036909, 11305547, 1123968, -6780577, 27229399, 23887 }, + { -23244140, -294205, -11744728, 14712571, -29465699, -2029617, 12797024, -6440308, -1633405, 16678954 }, + { -29500620, 4770662, -16054387, 14001338, 7830047, 9564805, -1508144, -4795045, -17169265, 4904953 }, + }, + { + { 24059557, 14617003, 19037157, -15039908, 19766093, -14906429, 5169211, 16191880, 2128236, -4326833 }, + { -16981152, 4124966, -8540610, -10653797, 30336522, -14105247, -29806336, 916033, -6882542, -2986532 }, + { -22630907, 12419372, -7134229, -7473371, -16478904, 16739175, 285431, 2763829, 15736322, 4143876 }, + }, + { + { 2379352, 11839345, -4110402, -5988665, 11274298, 794957, 212801, -14594663, 23527084, -16458268 }, + { 33431127, -11130478, -17838966, -15626900, 8909499, 8376530, -32625340, 4087881, -15188911, -14416214 }, + { 1767683, 7197987, -13205226, -2022635, -13091350, 448826, 5799055, 4357868, -4774191, -16323038 }, + }, + }, + { + { + { 6721966, 13833823, -23523388, -1551314, 26354293, -11863321, 23365147, -3949732, 7390890, 2759800 }, + { 4409041, 2052381, 23373853, 10530217, 7676779, -12885954, 21302353, -4264057, 1244380, -12919645 }, + { -4421239, 7169619, 4982368, -2957590, 30256825, -2777540, 14086413, 9208236, 15886429, 16489664 }, + }, + { + { 1996075, 10375649, 14346367, 13311202, -6874135, -16438411, -13693198, 398369, -30606455, -712933 }, + { -25307465, 9795880, -2777414, 14878809, -33531835, 14780363, 13348553, 12076947, -30836462, 5113182 }, + { -17770784, 11797796, 31950843, 13929123, -25888302, 12288344, -30341101, -7336386, 13847711, 5387222 }, + }, + { + { -18582163, -3416217, 17824843, -2340966, 22744343, -10442611, 8763061, 3617786, -19600662, 10370991 }, + { 20246567, -14369378, 22358229, -543712, 18507283, -10413996, 14554437, -8746092, 32232924, 16763880 }, + { 9648505, 10094563, 26416693, 14745928, -30374318, -6472621, 11094161, 15689506, 3140038, -16510092 }, + }, + { + { -16160072, 5472695, 31895588, 4744994, 8823515, 10365685, -27224800, 9448613, -28774454, 366295 }, + { 19153450, 11523972, -11096490, -6503142, -24647631, 5420647, 28344573, 8041113, 719605, 11671788 }, + { 8678025, 2694440, -6808014, 2517372, 4964326, 11152271, -15432916, -15266516, 27000813, -10195553 }, + }, + { + { -15157904, 7134312, 8639287, -2814877, -7235688, 10421742, 564065, 5336097, 6750977, -14521026 }, + { 11836410, -3979488, 26297894, 16080799, 23455045, 15735944, 1695823, -8819122, 8169720, 16220347 }, + { -18115838, 8653647, 17578566, -6092619, -8025777, -16012763, -11144307, -2627664, -5990708, -14166033 }, + }, + { + { -23308498, -10968312, 15213228, -10081214, -30853605, -11050004, 27884329, 2847284, 2655861, 1738395 }, + { -27537433, -14253021, -25336301, -8002780, -9370762, 8129821, 21651608, -3239336, -19087449, -11005278 }, + { 1533110, 3437855, 23735889, 459276, 29970501, 11335377, 26030092, 5821408, 10478196, 8544890 }, + }, + { + { 32173121, -16129311, 24896207, 3921497, 22579056, -3410854, 19270449, 12217473, 17789017, -3395995 }, + { -30552961, -2228401, -15578829, -10147201, 13243889, 517024, 15479401, -3853233, 30460520, 1052596 }, + { -11614875, 13323618, 32618793, 8175907, -15230173, 12596687, 27491595, -4612359, 3179268, -9478891 }, + }, + { + { 31947069, -14366651, -4640583, -15339921, -15125977, -6039709, -14756777, -16411740, 19072640, -9511060 }, + { 11685058, 11822410, 3158003, -13952594, 33402194, -4165066, 5977896, -5215017, 473099, 5040608 }, + { -20290863, 8198642, -27410132, 11602123, 1290375, -2799760, 28326862, 1721092, -19558642, -3131606 }, + }, + }, + { + { + { 7881532, 10687937, 7578723, 7738378, -18951012, -2553952, 21820786, 8076149, -27868496, 11538389 }, + { -19935666, 3899861, 18283497, -6801568, -15728660, -11249211, 8754525, 7446702, -5676054, 5797016 }, + { -11295600, -3793569, -15782110, -7964573, 12708869, -8456199, 2014099, -9050574, -2369172, -5877341 }, + }, + { + { -22472376, -11568741, -27682020, 1146375, 18956691, 16640559, 1192730, -3714199, 15123619, 10811505 }, + { 14352098, -3419715, -18942044, 10822655, 32750596, 4699007, -70363, 15776356, -28886779, -11974553 }, + { -28241164, -8072475, -4978962, -5315317, 29416931, 1847569, -20654173, -16484855, 4714547, -9600655 }, + }, + { + { 15200332, 8368572, 19679101, 15970074, -31872674, 1959451, 24611599, -4543832, -11745876, 12340220 }, + { 12876937, -10480056, 33134381, 6590940, -6307776, 14872440, 9613953, 8241152, 15370987, 9608631 }, + { -4143277, -12014408, 8446281, -391603, 4407738, 13629032, -7724868, 15866074, -28210621, -8814099 }, + }, + { + { 26660628, -15677655, 8393734, 358047, -7401291, 992988, -23904233, 858697, 20571223, 8420556 }, + { 14620715, 13067227, -15447274, 8264467, 14106269, 15080814, 33531827, 12516406, -21574435, -12476749 }, + { 236881, 10476226, 57258, -14677024, 6472998, 2466984, 17258519, 7256740, 8791136, 15069930 }, + }, + { + { 1276410, -9371918, 22949635, -16322807, -23493039, -5702186, 14711875, 4874229, -30663140, -2331391 }, + { 5855666, 4990204, -13711848, 7294284, -7804282, 1924647, -1423175, -7912378, -33069337, 9234253 }, + { 20590503, -9018988, 31529744, -7352666, -2706834, 10650548, 31559055, -11609587, 18979186, 13396066 }, + }, + { + { 24474287, 4968103, 22267082, 4407354, 24063882, -8325180, -18816887, 13594782, 33514650, 7021958 }, + { -11566906, -6565505, -21365085, 15928892, -26158305, 4315421, -25948728, -3916677, -21480480, 12868082 }, + { -28635013, 13504661, 19988037, -2132761, 21078225, 6443208, -21446107, 2244500, -12455797, -8089383 }, + }, + { + { -30595528, 13793479, -5852820, 319136, -25723172, -6263899, 33086546, 8957937, -15233648, 5540521 }, + { -11630176, -11503902, -8119500, -7643073, 2620056, 1022908, -23710744, -1568984, -16128528, -14962807 }, + { 23152971, 775386, 27395463, 14006635, -9701118, 4649512, 1689819, 892185, -11513277, -15205948 }, + }, + { + { 9770129, 9586738, 26496094, 4324120, 1556511, -3550024, 27453819, 4763127, -19179614, 5867134 }, + { -32765025, 1927590, 31726409, -4753295, 23962434, -16019500, 27846559, 5931263, -29749703, -16108455 }, + { 27461885, -2977536, 22380810, 1815854, -23033753, -3031938, 7283490, -15148073, -19526700, 7734629 }, + }, + }, + { + { + { -8010264, -9590817, -11120403, 6196038, 29344158, -13430885, 7585295, -3176626, 18549497, 15302069 }, + { -32658337, -6171222, -7672793, -11051681, 6258878, 13504381, 10458790, -6418461, -8872242, 8424746 }, + { 24687205, 8613276, -30667046, -3233545, 1863892, -1830544, 19206234, 7134917, -11284482, -828919 }, + }, + { + { 11334899, -9218022, 8025293, 12707519, 17523892, -10476071, 10243738, -14685461, -5066034, 16498837 }, + { 8911542, 6887158, -9584260, -6958590, 11145641, -9543680, 17303925, -14124238, 6536641, 10543906 }, + { -28946384, 15479763, -17466835, 568876, -1497683, 11223454, -2669190, -16625574, -27235709, 8876771 }, + }, + { + { -25742899, -12566864, -15649966, -846607, -33026686, -796288, -33481822, 15824474, -604426, -9039817 }, + { 10330056, 70051, 7957388, -9002667, 9764902, 15609756, 27698697, -4890037, 1657394, 3084098 }, + { 10477963, -7470260, 12119566, -13250805, 29016247, -5365589, 31280319, 14396151, -30233575, 15272409 }, + }, + { + { -12288309, 3169463, 28813183, 16658753, 25116432, -5630466, -25173957, -12636138, -25014757, 1950504 }, + { -26180358, 9489187, 11053416, -14746161, -31053720, 5825630, -8384306, -8767532, 15341279, 8373727 }, + { 28685821, 7759505, -14378516, -12002860, -31971820, 4079242, 298136, -10232602, -2878207, 15190420 }, + }, + { + { -32932876, 13806336, -14337485, -15794431, -24004620, 10940928, 8669718, 2742393, -26033313, -6875003 }, + { -1580388, -11729417, -25979658, -11445023, -17411874, -10912854, 9291594, -16247779, -12154742, 6048605 }, + { -30305315, 14843444, 1539301, 11864366, 20201677, 1900163, 13934231, 5128323, 11213262, 9168384 }, + }, + { + { -26280513, 11007847, 19408960, -940758, -18592965, -4328580, -5088060, -11105150, 20470157, -16398701 }, + { -23136053, 9282192, 14855179, -15390078, -7362815, -14408560, -22783952, 14461608, 14042978, 5230683 }, + { 29969567, -2741594, -16711867, -8552442, 9175486, -2468974, 21556951, 3506042, -5933891, -12449708 }, + }, + { + { -3144746, 8744661, 19704003, 4581278, -20430686, 6830683, -21284170, 8971513, -28539189, 15326563 }, + { -19464629, 10110288, -17262528, -3503892, -23500387, 1355669, -15523050, 15300988, -20514118, 9168260 }, + { -5353335, 4488613, -23803248, 16314347, 7780487, -15638939, -28948358, 9601605, 33087103, -9011387 }, + }, + { + { -19443170, -15512900, -20797467, -12445323, -29824447, 10229461, -27444329, -15000531, -5996870, 15664672 }, + { 23294591, -16632613, -22650781, -8470978, 27844204, 11461195, 13099750, -2460356, 18151676, 13417686 }, + { -24722913, -4176517, -31150679, 5988919, -26858785, 6685065, 1661597, -12551441, 15271676, -15452665 }, + }, + }, + { + { + { 11433042, -13228665, 8239631, -5279517, -1985436, -725718, -18698764, 2167544, -6921301, -13440182 }, + { -31436171, 15575146, 30436815, 12192228, -22463353, 9395379, -9917708, -8638997, 12215110, 12028277 }, + { 14098400, 6555944, 23007258, 5757252, -15427832, -12950502, 30123440, 4617780, -16900089, -655628 }, + }, + { + { -4026201, -15240835, 11893168, 13718664, -14809462, 1847385, -15819999, 10154009, 23973261, -12684474 }, + { -26531820, -3695990, -1908898, 2534301, -31870557, -16550355, 18341390, -11419951, 32013174, -10103539 }, + { -25479301, 10876443, -11771086, -14625140, -12369567, 1838104, 21911214, 6354752, 4425632, -837822 }, + }, + { + { -10433389, -14612966, 22229858, -3091047, -13191166, 776729, -17415375, -12020462, 4725005, 14044970 }, + { 19268650, -7304421, 1555349, 8692754, -21474059, -9910664, 6347390, -1411784, -19522291, -16109756 }, + { -24864089, 12986008, -10898878, -5558584, -11312371, -148526, 19541418, 8180106, 9282262, 10282508 }, + }, + { + { -26205082, 4428547, -8661196, -13194263, 4098402, -14165257, 15522535, 8372215, 5542595, -10702683 }, + { -10562541, 14895633, 26814552, -16673850, -17480754, -2489360, -2781891, 6993761, -18093885, 10114655 }, + { -20107055, -929418, 31422704, 10427861, -7110749, 6150669, -29091755, -11529146, 25953725, -106158 }, + }, + { + { -4234397, -8039292, -9119125, 3046000, 2101609, -12607294, 19390020, 6094296, -3315279, 12831125 }, + { -15998678, 7578152, 5310217, 14408357, -33548620, -224739, 31575954, 6326196, 7381791, -2421839 }, + { -20902779, 3296811, 24736065, -16328389, 18374254, 7318640, 6295303, 8082724, -15362489, 12339664 }, + }, + { + { 27724736, 2291157, 6088201, -14184798, 1792727, 5857634, 13848414, 15768922, 25091167, 14856294 }, + { -18866652, 8331043, 24373479, 8541013, -701998, -9269457, 12927300, -12695493, -22182473, -9012899 }, + { -11423429, -5421590, 11632845, 3405020, 30536730, -11674039, -27260765, 13866390, 30146206, 9142070 }, + }, + { + { 3924129, -15307516, -13817122, -10054960, 12291820, -668366, -27702774, 9326384, -8237858, 4171294 }, + { -15921940, 16037937, 6713787, 16606682, -21612135, 2790944, 26396185, 3731949, 345228, -5462949 }, + { -21327538, 13448259, 25284571, 1143661, 20614966, -8849387, 2031539, -12391231, -16253183, -13582083 }, + }, + { + { 31016211, -16722429, 26371392, -14451233, -5027349, 14854137, 17477601, 3842657, 28012650, -16405420 }, + { -5075835, 9368966, -8562079, -4600902, -15249953, 6970560, -9189873, 16292057, -8867157, 3507940 }, + { 29439664, 3537914, 23333589, 6997794, -17555561, -11018068, -15209202, -15051267, -9164929, 6580396 }, + }, + }, + { + { + { -12185861, -7679788, 16438269, 10826160, -8696817, -6235611, 17860444, -9273846, -2095802, 9304567 }, + { 20714564, -4336911, 29088195, 7406487, 11426967, -5095705, 14792667, -14608617, 5289421, -477127 }, + { -16665533, -10650790, -6160345, -13305760, 9192020, -1802462, 17271490, 12349094, 26939669, -3752294 }, + }, + { + { -12889898, 9373458, 31595848, 16374215, 21471720, 13221525, -27283495, -12348559, -3698806, 117887 }, + { 22263325, -6560050, 3984570, -11174646, -15114008, -566785, 28311253, 5358056, -23319780, 541964 }, + { 16259219, 3261970, 2309254, -15534474, -16885711, -4581916, 24134070, -16705829, -13337066, -13552195 }, + }, + { + { 9378160, -13140186, -22845982, -12745264, 28198281, -7244098, -2399684, -717351, 690426, 14876244 }, + { 24977353, -314384, -8223969, -13465086, 28432343, -1176353, -13068804, -12297348, -22380984, 6618999 }, + { -1538174, 11685646, 12944378, 13682314, -24389511, -14413193, 8044829, -13817328, 32239829, -5652762 }, + }, + { + { -18603066, 4762990, -926250, 8885304, -28412480, -3187315, 9781647, -10350059, 32779359, 5095274 }, + { -33008130, -5214506, -32264887, -3685216, 9460461, -9327423, -24601656, 14506724, 21639561, -2630236 }, + { -16400943, -13112215, 25239338, 15531969, 3987758, -4499318, -1289502, -6863535, 17874574, 558605 }, + }, + { + { -13600129, 10240081, 9171883, 16131053, -20869254, 9599700, 33499487, 5080151, 2085892, 5119761 }, + { -22205145, -2519528, -16381601, 414691, -25019550, 2170430, 30634760, -8363614, -31999993, -5759884 }, + { -6845704, 15791202, 8550074, -1312654, 29928809, -12092256, 27534430, -7192145, -22351378, 12961482 }, + }, + { + { -24492060, -9570771, 10368194, 11582341, -23397293, -2245287, 16533930, 8206996, -30194652, -5159638 }, + { -11121496, -3382234, 2307366, 6362031, -135455, 8868177, -16835630, 7031275, 7589640, 8945490 }, + { -32152748, 8917967, 6661220, -11677616, -1192060, -15793393, 7251489, -11182180, 24099109, -14456170 }, + }, + { + { 5019558, -7907470, 4244127, -14714356, -26933272, 6453165, -19118182, -13289025, -6231896, -10280736 }, + { 10853594, 10721687, 26480089, 5861829, -22995819, 1972175, -1866647, -10557898, -3363451, -6441124 }, + { -17002408, 5906790, 221599, -6563147, 7828208, -13248918, 24362661, -2008168, -13866408, 7421392 }, + }, + { + { 8139927, -6546497, 32257646, -5890546, 30375719, 1886181, -21175108, 15441252, 28826358, -4123029 }, + { 6267086, 9695052, 7709135, -16603597, -32869068, -1886135, 14795160, -7840124, 13746021, -1742048 }, + { 28584902, 7787108, -6732942, -15050729, 22846041, -7571236, -3181936, -363524, 4771362, -8419958 }, + }, + }, + { + { + { 24949256, 6376279, -27466481, -8174608, -18646154, -9930606, 33543569, -12141695, 3569627, 11342593 }, + { 26514989, 4740088, 27912651, 3697550, 19331575, -11472339, 6809886, 4608608, 7325975, -14801071 }, + { -11618399, -14554430, -24321212, 7655128, -1369274, 5214312, -27400540, 10258390, -17646694, -8186692 }, + }, + { + { 11431204, 15823007, 26570245, 14329124, 18029990, 4796082, -31446179, 15580664, 9280358, -3973687 }, + { -160783, -10326257, -22855316, -4304997, -20861367, -13621002, -32810901, -11181622, -15545091, 4387441 }, + { -20799378, 12194512, 3937617, -5805892, -27154820, 9340370, -24513992, 8548137, 20617071, -7482001 }, + }, + { + { -938825, -3930586, -8714311, 16124718, 24603125, -6225393, -13775352, -11875822, 24345683, 10325460 }, + { -19855277, -1568885, -22202708, 8714034, 14007766, 6928528, 16318175, -1010689, 4766743, 3552007 }, + { -21751364, -16730916, 1351763, -803421, -4009670, 3950935, 3217514, 14481909, 10988822, -3994762 }, + }, + { + { 15564307, -14311570, 3101243, 5684148, 30446780, -8051356, 12677127, -6505343, -8295852, 13296005 }, + { -9442290, 6624296, -30298964, -11913677, -4670981, -2057379, 31521204, 9614054, -30000824, 12074674 }, + { 4771191, -135239, 14290749, -13089852, 27992298, 14998318, -1413936, -1556716, 29832613, -16391035 }, + }, + { + { 7064884, -7541174, -19161962, -5067537, -18891269, -2912736, 25825242, 5293297, -27122660, 13101590 }, + { -2298563, 2439670, -7466610, 1719965, -27267541, -16328445, 32512469, -5317593, -30356070, -4190957 }, + { -30006540, 10162316, -33180176, 3981723, -16482138, -13070044, 14413974, 9515896, 19568978, 9628812 }, + }, + { + { 33053803, 199357, 15894591, 1583059, 27380243, -4580435, -17838894, -6106839, -6291786, 3437740 }, + { -18978877, 3884493, 19469877, 12726490, 15913552, 13614290, -22961733, 70104, 7463304, 4176122 }, + { -27124001, 10659917, 11482427, -16070381, 12771467, -6635117, -32719404, -5322751, 24216882, 5944158 }, + }, + { + { 8894125, 7450974, -2664149, -9765752, -28080517, -12389115, 19345746, 14680796, 11632993, 5847885 }, + { 26942781, -2315317, 9129564, -4906607, 26024105, 11769399, -11518837, 6367194, -9727230, 4782140 }, + { 19916461, -4828410, -22910704, -11414391, 25606324, -5972441, 33253853, 8220911, 6358847, -1873857 }, + }, + { + { 801428, -2081702, 16569428, 11065167, 29875704, 96627, 7908388, -4480480, -13538503, 1387155 }, + { 19646058, 5720633, -11416706, 12814209, 11607948, 12749789, 14147075, 15156355, -21866831, 11835260 }, + { 19299512, 1155910, 28703737, 14890794, 2925026, 7269399, 26121523, 15467869, -26560550, 5052483 }, + }, + }, + { + { + { -3017432, 10058206, 1980837, 3964243, 22160966, 12322533, -6431123, -12618185, 12228557, -7003677 }, + { 32944382, 14922211, -22844894, 5188528, 21913450, -8719943, 4001465, 13238564, -6114803, 8653815 }, + { 22865569, -4652735, 27603668, -12545395, 14348958, 8234005, 24808405, 5719875, 28483275, 2841751 }, + }, + { + { -16420968, -1113305, -327719, -12107856, 21886282, -15552774, -1887966, -315658, 19932058, -12739203 }, + { -11656086, 10087521, -8864888, -5536143, -19278573, -3055912, 3999228, 13239134, -4777469, -13910208 }, + { 1382174, -11694719, 17266790, 9194690, -13324356, 9720081, 20403944, 11284705, -14013818, 3093230 }, + }, + { + { 16650921, -11037932, -1064178, 1570629, -8329746, 7352753, -302424, 16271225, -24049421, -6691850 }, + { -21911077, -5927941, -4611316, -5560156, -31744103, -10785293, 24123614, 15193618, -21652117, -16739389 }, + { -9935934, -4289447, -25279823, 4372842, 2087473, 10399484, 31870908, 14690798, 17361620, 11864968 }, + }, + { + { -11307610, 6210372, 13206574, 5806320, -29017692, -13967200, -12331205, -7486601, -25578460, -16240689 }, + { 14668462, -12270235, 26039039, 15305210, 25515617, 4542480, 10453892, 6577524, 9145645, -6443880 }, + { 5974874, 3053895, -9433049, -10385191, -31865124, 3225009, -7972642, 3936128, -5652273, -3050304 }, + }, + { + { 30625386, -4729400, -25555961, -12792866, -20484575, 7695099, 17097188, -16303496, -27999779, 1803632 }, + { -3553091, 9865099, -5228566, 4272701, -5673832, -16689700, 14911344, 12196514, -21405489, 7047412 }, + { 20093277, 9920966, -11138194, -5343857, 13161587, 12044805, -32856851, 4124601, -32343828, -10257566 }, + }, + { + { -20788824, 14084654, -13531713, 7842147, 19119038, -13822605, 4752377, -8714640, -21679658, 2288038 }, + { -26819236, -3283715, 29965059, 3039786, -14473765, 2540457, 29457502, 14625692, -24819617, 12570232 }, + { -1063558, -11551823, 16920318, 12494842, 1278292, -5869109, -21159943, -3498680, -11974704, 4724943 }, + }, + { + { 17960970, -11775534, -4140968, -9702530, -8876562, -1410617, -12907383, -8659932, -29576300, 1903856 }, + { 23134274, -14279132, -10681997, -1611936, 20684485, 15770816, -12989750, 3190296, 26955097, 14109738 }, + { 15308788, 5320727, -30113809, -14318877, 22902008, 7767164, 29425325, -11277562, 31960942, 11934971 }, + }, + { + { -27395711, 8435796, 4109644, 12222639, -24627868, 14818669, 20638173, 4875028, 10491392, 1379718 }, + { -13159415, 9197841, 3875503, -8936108, -1383712, -5879801, 33518459, 16176658, 21432314, 12180697 }, + { -11787308, 11500838, 13787581, -13832590, -22430679, 10140205, 1465425, 12689540, -10301319, -13872883 }, + }, + }, + { + { + { 5414091, -15386041, -21007664, 9643570, 12834970, 1186149, -2622916, -1342231, 26128231, 6032912 }, + { -26337395, -13766162, 32496025, -13653919, 17847801, -12669156, 3604025, 8316894, -25875034, -10437358 }, + { 3296484, 6223048, 24680646, -12246460, -23052020, 5903205, -8862297, -4639164, 12376617, 3188849 }, + }, + { + { 29190488, -14659046, 27549113, -1183516, 3520066, -10697301, 32049515, -7309113, -16109234, -9852307 }, + { -14744486, -9309156, 735818, -598978, -20407687, -5057904, 25246078, -15795669, 18640741, -960977 }, + { -6928835, -16430795, 10361374, 5642961, 4910474, 12345252, -31638386, -494430, 10530747, 1053335 }, + }, + { + { -29265967, -14186805, -13538216, -12117373, -19457059, -10655384, -31462369, -2948985, 24018831, 15026644 }, + { -22592535, -3145277, -2289276, 5953843, -13440189, 9425631, 25310643, 13003497, -2314791, -15145616 }, + { -27419985, -603321, -8043984, -1669117, -26092265, 13987819, -27297622, 187899, -23166419, -2531735 }, + }, + { + { -21744398, -13810475, 1844840, 5021428, -10434399, -15911473, 9716667, 16266922, -5070217, 726099 }, + { 29370922, -6053998, 7334071, -15342259, 9385287, 2247707, -13661962, -4839461, 30007388, -15823341 }, + { -936379, 16086691, 23751945, -543318, -1167538, -5189036, 9137109, 730663, 9835848, 4555336 }, + }, + { + { -23376435, 1410446, -22253753, -12899614, 30867635, 15826977, 17693930, 544696, -11985298, 12422646 }, + { 31117226, -12215734, -13502838, 6561947, -9876867, -12757670, -5118685, -4096706, 29120153, 13924425 }, + { -17400879, -14233209, 19675799, -2734756, -11006962, -5858820, -9383939, -11317700, 7240931, -237388 }, + }, + { + { -31361739, -11346780, -15007447, -5856218, -22453340, -12152771, 1222336, 4389483, 3293637, -15551743 }, + { -16684801, -14444245, 11038544, 11054958, -13801175, -3338533, -24319580, 7733547, 12796905, -6335822 }, + { -8759414, -10817836, -25418864, 10783769, -30615557, -9746811, -28253339, 3647836, 3222231, -11160462 }, + }, + { + { 18606113, 1693100, -25448386, -15170272, 4112353, 10045021, 23603893, -2048234, -7550776, 2484985 }, + { 9255317, -3131197, -12156162, -1004256, 13098013, -9214866, 16377220, -2102812, -19802075, -3034702 }, + { -22729289, 7496160, -5742199, 11329249, 19991973, -3347502, -31718148, 9936966, -30097688, -10618797 }, + }, + { + { 21878590, -5001297, 4338336, 13643897, -3036865, 13160960, 19708896, 5415497, -7360503, -4109293 }, + { 27736861, 10103576, 12500508, 8502413, -3413016, -9633558, 10436918, -1550276, -23659143, -8132100 }, + { 19492550, -12104365, -29681976, -852630, -3208171, 12403437, 30066266, 8367329, 13243957, 8709688 }, + }, + }, + { + { + { 12015105, 2801261, 28198131, 10151021, 24818120, -4743133, -11194191, -5645734, 5150968, 7274186 }, + { 2831366, -12492146, 1478975, 6122054, 23825128, -12733586, 31097299, 6083058, 31021603, -9793610 }, + { -2529932, -2229646, 445613, 10720828, -13849527, -11505937, -23507731, 16354465, 15067285, -14147707 }, + }, + { + { 7840942, 14037873, -33364863, 15934016, -728213, -3642706, 21403988, 1057586, -19379462, -12403220 }, + { 915865, -16469274, 15608285, -8789130, -24357026, 6060030, -17371319, 8410997, -7220461, 16527025 }, + { 32922597, -556987, 20336074, -16184568, 10903705, -5384487, 16957574, 52992, 23834301, 6588044 }, + }, + { + { 32752030, 11232950, 3381995, -8714866, 22652988, -10744103, 17159699, 16689107, -20314580, -1305992 }, + { -4689649, 9166776, -25710296, -10847306, 11576752, 12733943, 7924251, -2752281, 1976123, -7249027 }, + { 21251222, 16309901, -2983015, -6783122, 30810597, 12967303, 156041, -3371252, 12331345, -8237197 }, + }, + { + { 8651614, -4477032, -16085636, -4996994, 13002507, 2950805, 29054427, -5106970, 10008136, -4667901 }, + { 31486080, 15114593, -14261250, 12951354, 14369431, -7387845, 16347321, -13662089, 8684155, -10532952 }, + { 19443825, 11385320, 24468943, -9659068, -23919258, 2187569, -26263207, -6086921, 31316348, 14219878 }, + }, + { + { -28594490, 1193785, 32245219, 11392485, 31092169, 15722801, 27146014, 6992409, 29126555, 9207390 }, + { 32382935, 1110093, 18477781, 11028262, -27411763, -7548111, -4980517, 10843782, -7957600, -14435730 }, + { 2814918, 7836403, 27519878, -7868156, -20894015, -11553689, -21494559, 8550130, 28346258, 1994730 }, + }, + { + { -19578299, 8085545, -14000519, -3948622, 2785838, -16231307, -19516951, 7174894, 22628102, 8115180 }, + { -30405132, 955511, -11133838, -15078069, -32447087, -13278079, -25651578, 3317160, -9943017, 930272 }, + { -15303681, -6833769, 28856490, 1357446, 23421993, 1057177, 24091212, -1388970, -22765376, -10650715 }, + }, + { + { -22751231, -5303997, -12907607, -12768866, -15811511, -7797053, -14839018, -16554220, -1867018, 8398970 }, + { -31969310, 2106403, -4736360, 1362501, 12813763, 16200670, 22981545, -6291273, 18009408, -15772772 }, + { -17220923, -9545221, -27784654, 14166835, 29815394, 7444469, 29551787, -3727419, 19288549, 1325865 }, + }, + { + { 15100157, -15835752, -23923978, -1005098, -26450192, 15509408, 12376730, -3479146, 33166107, -8042750 }, + { 20909231, 13023121, -9209752, 16251778, -5778415, -8094914, 12412151, 10018715, 2213263, -13878373 }, + { 32529814, -11074689, 30361439, -16689753, -9135940, 1513226, 22922121, 6382134, -5766928, 8371348 }, + }, + }, + { + { + { 9923462, 11271500, 12616794, 3544722, -29998368, -1721626, 12891687, -8193132, -26442943, 10486144 }, + { -22597207, -7012665, 8587003, -8257861, 4084309, -12970062, 361726, 2610596, -23921530, -11455195 }, + { 5408411, -1136691, -4969122, 10561668, 24145918, 14240566, 31319731, -4235541, 19985175, -3436086 }, + }, + { + { -13994457, 16616821, 14549246, 3341099, 32155958, 13648976, -17577068, 8849297, 65030, 8370684 }, + { -8320926, -12049626, 31204563, 5839400, -20627288, -1057277, -19442942, 6922164, 12743482, -9800518 }, + { -2361371, 12678785, 28815050, 4759974, -23893047, 4884717, 23783145, 11038569, 18800704, 255233 }, + }, + { + { -5269658, -1773886, 13957886, 7990715, 23132995, 728773, 13393847, 9066957, 19258688, -14753793 }, + { -2936654, -10827535, -10432089, 14516793, -3640786, 4372541, -31934921, 2209390, -1524053, 2055794 }, + { 580882, 16705327, 5468415, -2683018, -30926419, -14696000, -7203346, -8994389, -30021019, 7394435 }, + }, + { + { 23838809, 1822728, -15738443, 15242727, 8318092, -3733104, -21672180, -3492205, -4821741, 14799921 }, + { 13345610, 9759151, 3371034, -16137791, 16353039, 8577942, 31129804, 13496856, -9056018, 7402518 }, + { 2286874, -4435931, -20042458, -2008336, -13696227, 5038122, 11006906, -15760352, 8205061, 1607563 }, + }, + { + { 14414086, -8002132, 3331830, -3208217, 22249151, -5594188, 18364661, -2906958, 30019587, -9029278 }, + { -27688051, 1585953, -10775053, 931069, -29120221, -11002319, -14410829, 12029093, 9944378, 8024 }, + { 4368715, -3709630, 29874200, -15022983, -20230386, -11410704, -16114594, -999085, -8142388, 5640030 }, + }, + { + { 10299610, 13746483, 11661824, 16234854, 7630238, 5998374, 9809887, -16694564, 15219798, -14327783 }, + { 27425505, -5719081, 3055006, 10660664, 23458024, 595578, -15398605, -1173195, -18342183, 9742717 }, + { 6744077, 2427284, 26042789, 2720740, -847906, 1118974, 32324614, 7406442, 12420155, 1994844 }, + }, + { + { 14012521, -5024720, -18384453, -9578469, -26485342, -3936439, -13033478, -10909803, 24319929, -6446333 }, + { 16412690, -4507367, 10772641, 15929391, -17068788, -4658621, 10555945, -10484049, -30102368, -4739048 }, + { 22397382, -7767684, -9293161, -12792868, 17166287, -9755136, -27333065, 6199366, 21880021, -12250760 }, + }, + { + { -4283307, 5368523, -31117018, 8163389, -30323063, 3209128, 16557151, 8890729, 8840445, 4957760 }, + { -15447727, 709327, -6919446, -10870178, -29777922, 6522332, -21720181, 12130072, -14796503, 5005757 }, + { -2114751, -14308128, 23019042, 15765735, -25269683, 6002752, 10183197, -13239326, -16395286, -2176112 }, + }, + }, + { + { + { -19025756, 1632005, 13466291, -7995100, -23640451, 16573537, -32013908, -3057104, 22208662, 2000468 }, + { 3065073, -1412761, -25598674, -361432, -17683065, -5703415, -8164212, 11248527, -3691214, -7414184 }, + { 10379208, -6045554, 8877319, 1473647, -29291284, -12507580, 16690915, 2553332, -3132688, 16400289 }, + }, + { + { 15716668, 1254266, -18472690, 7446274, -8448918, 6344164, -22097271, -7285580, 26894937, 9132066 }, + { 24158887, 12938817, 11085297, -8177598, -28063478, -4457083, -30576463, 64452, -6817084, -2692882 }, + { 13488534, 7794716, 22236231, 5989356, 25426474, -12578208, 2350710, -3418511, -4688006, 2364226 }, + }, + { + { 16335052, 9132434, 25640582, 6678888, 1725628, 8517937, -11807024, -11697457, 15445875, -7798101 }, + { 29004207, -7867081, 28661402, -640412, -12794003, -7943086, 31863255, -4135540, -278050, -15759279 }, + { -6122061, -14866665, -28614905, 14569919, -10857999, -3591829, 10343412, -6976290, -29828287, -10815811 }, + }, + { + { 27081650, 3463984, 14099042, -4517604, 1616303, -6205604, 29542636, 15372179, 17293797, 960709 }, + { 20263915, 11434237, -5765435, 11236810, 13505955, -10857102, -16111345, 6493122, -19384511, 7639714 }, + { -2830798, -14839232, 25403038, -8215196, -8317012, -16173699, 18006287, -16043750, 29994677, -15808121 }, + }, + { + { 9769828, 5202651, -24157398, -13631392, -28051003, -11561624, -24613141, -13860782, -31184575, 709464 }, + { 12286395, 13076066, -21775189, -1176622, -25003198, 4057652, -32018128, -8890874, 16102007, 13205847 }, + { 13733362, 5599946, 10557076, 3195751, -5557991, 8536970, -25540170, 8525972, 10151379, 10394400 }, + }, + { + { 4024660, -16137551, 22436262, 12276534, -9099015, -2686099, 19698229, 11743039, -33302334, 8934414 }, + { -15879800, -4525240, -8580747, -2934061, 14634845, -698278, -9449077, 3137094, -11536886, 11721158 }, + { 17555939, -5013938, 8268606, 2331751, -22738815, 9761013, 9319229, 8835153, -9205489, -1280045 }, + }, + { + { -461409, -7830014, 20614118, 16688288, -7514766, -4807119, 22300304, 505429, 6108462, -6183415 }, + { -5070281, 12367917, -30663534, 3234473, 32617080, -8422642, 29880583, -13483331, -26898490, -7867459 }, + { -31975283, 5726539, 26934134, 10237677, -3173717, -605053, 24199304, 3795095, 7592688, -14992079 }, + }, + { + { 21594432, -14964228, 17466408, -4077222, 32537084, 2739898, 6407723, 12018833, -28256052, 4298412 }, + { -20650503, -11961496, -27236275, 570498, 3767144, -1717540, 13891942, -1569194, 13717174, 10805743 }, + { -14676630, -15644296, 15287174, 11927123, 24177847, -8175568, -796431, 14860609, -26938930, -5863836 }, + }, + }, + { + { + { 12962541, 5311799, -10060768, 11658280, 18855286, -7954201, 13286263, -12808704, -4381056, 9882022 }, + { 18512079, 11319350, -20123124, 15090309, 18818594, 5271736, -22727904, 3666879, -23967430, -3299429 }, + { -6789020, -3146043, 16192429, 13241070, 15898607, -14206114, -10084880, -6661110, -2403099, 5276065 }, + }, + { + { 30169808, -5317648, 26306206, -11750859, 27814964, 7069267, 7152851, 3684982, 1449224, 13082861 }, + { 10342826, 3098505, 2119311, 193222, 25702612, 12233820, 23697382, 15056736, -21016438, -8202000 }, + { -33150110, 3261608, 22745853, 7948688, 19370557, -15177665, -26171976, 6482814, -10300080, -11060101 }, + }, + { + { 32869458, -5408545, 25609743, 15678670, -10687769, -15471071, 26112421, 2521008, -22664288, 6904815 }, + { 29506923, 4457497, 3377935, -9796444, -30510046, 12935080, 1561737, 3841096, -29003639, -6657642 }, + { 10340844, -6630377, -18656632, -2278430, 12621151, -13339055, 30878497, -11824370, -25584551, 5181966 }, + }, + { + { 25940115, -12658025, 17324188, -10307374, -8671468, 15029094, 24396252, -16450922, -2322852, -12388574 }, + { -21765684, 9916823, -1300409, 4079498, -1028346, 11909559, 1782390, 12641087, 20603771, -6561742 }, + { -18882287, -11673380, 24849422, 11501709, 13161720, -4768874, 1925523, 11914390, 4662781, 7820689 }, + }, + { + { 12241050, -425982, 8132691, 9393934, 32846760, -1599620, 29749456, 12172924, 16136752, 15264020 }, + { -10349955, -14680563, -8211979, 2330220, -17662549, -14545780, 10658213, 6671822, 19012087, 3772772 }, + { 3753511, -3421066, 10617074, 2028709, 14841030, -6721664, 28718732, -15762884, 20527771, 12988982 }, + }, + { + { -14822485, -5797269, -3707987, 12689773, -898983, -10914866, -24183046, -10564943, 3299665, -12424953 }, + { -16777703, -15253301, -9642417, 4978983, 3308785, 8755439, 6943197, 6461331, -25583147, 8991218 }, + { -17226263, 1816362, -1673288, -6086439, 31783888, -8175991, -32948145, 7417950, -30242287, 1507265 }, + }, + { + { 29692663, 6829891, -10498800, 4334896, 20945975, -11906496, -28887608, 8209391, 14606362, -10647073 }, + { -3481570, 8707081, 32188102, 5672294, 22096700, 1711240, -33020695, 9761487, 4170404, -2085325 }, + { -11587470, 14855945, -4127778, -1531857, -26649089, 15084046, 22186522, 16002000, -14276837, -8400798 }, + }, + { + { -4811456, 13761029, -31703877, -2483919, -3312471, 7869047, -7113572, -9620092, 13240845, 10965870 }, + { -7742563, -8256762, -14768334, -13656260, -23232383, 12387166, 4498947, 14147411, 29514390, 4302863 }, + { -13413405, -12407859, 20757302, -13801832, 14785143, 8976368, -5061276, -2144373, 17846988, -13971927 }, + }, + }, + { + { + { -2244452, -754728, -4597030, -1066309, -6247172, 1455299, -21647728, -9214789, -5222701, 12650267 }, + { -9906797, -16070310, 21134160, 12198166, -27064575, 708126, 387813, 13770293, -19134326, 10958663 }, + { 22470984, 12369526, 23446014, -5441109, -21520802, -9698723, -11772496, -11574455, -25083830, 4271862 }, + }, + { + { -25169565, -10053642, -19909332, 15361595, -5984358, 2159192, 75375, -4278529, -32526221, 8469673 }, + { 15854970, 4148314, -8893890, 7259002, 11666551, 13824734, -30531198, 2697372, 24154791, -9460943 }, + { 15446137, -15806644, 29759747, 14019369, 30811221, -9610191, -31582008, 12840104, 24913809, 9815020 }, + }, + { + { -4709286, -5614269, -31841498, -12288893, -14443537, 10799414, -9103676, 13438769, 18735128, 9466238 }, + { 11933045, 9281483, 5081055, -5183824, -2628162, -4905629, -7727821, -10896103, -22728655, 16199064 }, + { 14576810, 379472, -26786533, -8317236, -29426508, -10812974, -102766, 1876699, 30801119, 2164795 }, + }, + { + { 15995086, 3199873, 13672555, 13712240, -19378835, -4647646, -13081610, -15496269, -13492807, 1268052 }, + { -10290614, -3659039, -3286592, 10948818, 23037027, 3794475, -3470338, -12600221, -17055369, 3565904 }, + { 29210088, -9419337, -5919792, -4952785, 10834811, -13327726, -16512102, -10820713, -27162222, -14030531 }, + }, + { + { -13161890, 15508588, 16663704, -8156150, -28349942, 9019123, -29183421, -3769423, 2244111, -14001979 }, + { -5152875, -3800936, -9306475, -6071583, 16243069, 14684434, -25673088, -16180800, 13491506, 4641841 }, + { 10813417, 643330, -19188515, -728916, 30292062, -16600078, 27548447, -7721242, 14476989, -12767431 }, + }, + { + { 10292079, 9984945, 6481436, 8279905, -7251514, 7032743, 27282937, -1644259, -27912810, 12651324 }, + { -31185513, -813383, 22271204, 11835308, 10201545, 15351028, 17099662, 3988035, 21721536, -3148940 }, + { 10202177, -6545839, -31373232, -9574638, -32150642, -8119683, -12906320, 3852694, 13216206, 14842320 }, + }, + { + { -15815640, -10601066, -6538952, -7258995, -6984659, -6581778, -31500847, 13765824, -27434397, 9900184 }, + { 14465505, -13833331, -32133984, -14738873, -27443187, 12990492, 33046193, 15796406, -7051866, -8040114 }, + { 30924417, -8279620, 6359016, -12816335, 16508377, 9071735, -25488601, 15413635, 9524356, -7018878 }, + }, + { + { 12274201, -13175547, 32627641, -1785326, 6736625, 13267305, 5237659, -5109483, 15663516, 4035784 }, + { -2951309, 8903985, 17349946, 601635, -16432815, -4612556, -13732739, -15889334, -22258478, 4659091 }, + { -16916263, -4952973, -30393711, -15158821, 20774812, 15897498, 5736189, 15026997, -2178256, -13455585 }, + }, + }, + { + { + { -8858980, -2219056, 28571666, -10155518, -474467, -10105698, -3801496, 278095, 23440562, -290208 }, + { 10226241, -5928702, 15139956, 120818, -14867693, 5218603, 32937275, 11551483, -16571960, -7442864 }, + { 17932739, -12437276, -24039557, 10749060, 11316803, 7535897, 22503767, 5561594, -3646624, 3898661 }, + }, + { + { 7749907, -969567, -16339731, -16464, -25018111, 15122143, -1573531, 7152530, 21831162, 1245233 }, + { 26958459, -14658026, 4314586, 8346991, -5677764, 11960072, -32589295, -620035, -30402091, -16716212 }, + { -12165896, 9166947, 33491384, 13673479, 29787085, 13096535, 6280834, 14587357, -22338025, 13987525 }, + }, + { + { -24349909, 7778775, 21116000, 15572597, -4833266, -5357778, -4300898, -5124639, -7469781, -2858068 }, + { 9681908, -6737123, -31951644, 13591838, -6883821, 386950, 31622781, 6439245, -14581012, 4091397 }, + { -8426427, 1470727, -28109679, -1596990, 3978627, -5123623, -19622683, 12092163, 29077877, -14741988 }, + }, + { + { 5269168, -6859726, -13230211, -8020715, 25932563, 1763552, -5606110, -5505881, -20017847, 2357889 }, + { 32264008, -15407652, -5387735, -1160093, -2091322, -3946900, 23104804, -12869908, 5727338, 189038 }, + { 14609123, -8954470, -6000566, -16622781, -14577387, -7743898, -26745169, 10942115, -25888931, -14884697 }, + }, + { + { 20513500, 5557931, -15604613, 7829531, 26413943, -2019404, -21378968, 7471781, 13913677, -5137875 }, + { -25574376, 11967826, 29233242, 12948236, -6754465, 4713227, -8940970, 14059180, 12878652, 8511905 }, + { -25656801, 3393631, -2955415, -7075526, -2250709, 9366908, -30223418, 6812974, 5568676, -3127656 }, + }, + { + { 11630004, 12144454, 2116339, 13606037, 27378885, 15676917, -17408753, -13504373, -14395196, 8070818 }, + { 27117696, -10007378, -31282771, -5570088, 1127282, 12772488, -29845906, 10483306, -11552749, -1028714 }, + { 10637467, -5688064, 5674781, 1072708, -26343588, -6982302, -1683975, 9177853, -27493162, 15431203 }, + }, + { + { 20525145, 10892566, -12742472, 12779443, -29493034, 16150075, -28240519, 14943142, -15056790, -7935931 }, + { -30024462, 5626926, -551567, -9981087, 753598, 11981191, 25244767, -3239766, -3356550, 9594024 }, + { -23752644, 2636870, -5163910, -10103818, 585134, 7877383, 11345683, -6492290, 13352335, -10977084 }, + }, + { + { -1931799, -5407458, 3304649, -12884869, 17015806, -4877091, -29783850, -7752482, -13215537, -319204 }, + { 20239939, 6607058, 6203985, 3483793, -18386976, -779229, -20723742, 15077870, -22750759, 14523817 }, + { 27406042, -6041657, 27423596, -4497394, 4996214, 10002360, -28842031, -4545494, -30172742, -4805667 }, + }, + }, + { + { + { 11374242, 12660715, 17861383, -12540833, 10935568, 1099227, -13886076, -9091740, -27727044, 11358504 }, + { -12730809, 10311867, 1510375, 10778093, -2119455, -9145702, 32676003, 11149336, -26123651, 4985768 }, + { -19096303, 341147, -6197485, -239033, 15756973, -8796662, -983043, 13794114, -19414307, -15621255 }, + }, + { + { 6490081, 11940286, 25495923, -7726360, 8668373, -8751316, 3367603, 6970005, -1691065, -9004790 }, + { 1656497, 13457317, 15370807, 6364910, 13605745, 8362338, -19174622, -5475723, -16796596, -5031438 }, + { -22273315, -13524424, -64685, -4334223, -18605636, -10921968, -20571065, -7007978, -99853, -10237333 }, + }, + { + { 17747465, 10039260, 19368299, -4050591, -20630635, -16041286, 31992683, -15857976, -29260363, -5511971 }, + { 31932027, -4986141, -19612382, 16366580, 22023614, 88450, 11371999, -3744247, 4882242, -10626905 }, + { 29796507, 37186, 19818052, 10115756, -11829032, 3352736, 18551198, 3272828, -5190932, -4162409 }, + }, + { + { 12501286, 4044383, -8612957, -13392385, -32430052, 5136599, -19230378, -3529697, 330070, -3659409 }, + { 6384877, 2899513, 17807477, 7663917, -2358888, 12363165, 25366522, -8573892, -271295, 12071499 }, + { -8365515, -4042521, 25133448, -4517355, -6211027, 2265927, -32769618, 1936675, -5159697, 3829363 }, + }, + { + { 28425966, -5835433, -577090, -4697198, -14217555, 6870930, 7921550, -6567787, 26333140, 14267664 }, + { -11067219, 11871231, 27385719, -10559544, -4585914, -11189312, 10004786, -8709488, -21761224, 8930324 }, + { -21197785, -16396035, 25654216, -1725397, 12282012, 11008919, 1541940, 4757911, -26491501, -16408940 }, + }, + { + { 13537262, -7759490, -20604840, 10961927, -5922820, -13218065, -13156584, 6217254, -15943699, 13814990 }, + { -17422573, 15157790, 18705543, 29619, 24409717, -260476, 27361681, 9257833, -1956526, -1776914 }, + { -25045300, -10191966, 15366585, 15166509, -13105086, 8423556, -29171540, 12361135, -18685978, 4578290 }, + }, + { + { 24579768, 3711570, 1342322, -11180126, -27005135, 14124956, -22544529, 14074919, 21964432, 8235257 }, + { -6528613, -2411497, 9442966, -5925588, 12025640, -1487420, -2981514, -1669206, 13006806, 2355433 }, + { -16304899, -13605259, -6632427, -5142349, 16974359, -10911083, 27202044, 1719366, 1141648, -12796236 }, + }, + { + { -12863944, -13219986, -8318266, -11018091, -6810145, -4843894, 13475066, -3133972, 32674895, 13715045 }, + { 11423335, -5468059, 32344216, 8962751, 24989809, 9241752, -13265253, 16086212, -28740881, -15642093 }, + { -1409668, 12530728, -6368726, 10847387, 19531186, -14132160, -11709148, 7791794, -27245943, 4383347 }, + }, + }, + { + { + { -28970898, 5271447, -1266009, -9736989, -12455236, 16732599, -4862407, -4906449, 27193557, 6245191 }, + { -15193956, 5362278, -1783893, 2695834, 4960227, 12840725, 23061898, 3260492, 22510453, 8577507 }, + { -12632451, 11257346, -32692994, 13548177, -721004, 10879011, 31168030, 13952092, -29571492, -3635906 }, + }, + { + { 3877321, -9572739, 32416692, 5405324, -11004407, -13656635, 3759769, 11935320, 5611860, 8164018 }, + { -16275802, 14667797, 15906460, 12155291, -22111149, -9039718, 32003002, -8832289, 5773085, -8422109 }, + { -23788118, -8254300, 1950875, 8937633, 18686727, 16459170, -905725, 12376320, 31632953, 190926 }, + }, + { + { -24593607, -16138885, -8423991, 13378746, 14162407, 6901328, -8288749, 4508564, -25341555, -3627528 }, + { 8884438, -5884009, 6023974, 10104341, -6881569, -4941533, 18722941, -14786005, -1672488, 827625 }, + { -32720583, -16289296, -32503547, 7101210, 13354605, 2659080, -1800575, -14108036, -24878478, 1541286 }, + }, + { + { 2901347, -1117687, 3880376, -10059388, -17620940, -3612781, -21802117, -3567481, 20456845, -1885033 }, + { 27019610, 12299467, -13658288, -1603234, -12861660, -4861471, -19540150, -5016058, 29439641, 15138866 }, + { 21536104, -6626420, -32447818, -10690208, -22408077, 5175814, -5420040, -16361163, 7779328, 109896 }, + }, + { + { 30279744, 14648750, -8044871, 6425558, 13639621, -743509, 28698390, 12180118, 23177719, -554075 }, + { 26572847, 3405927, -31701700, 12890905, -19265668, 5335866, -6493768, 2378492, 4439158, -13279347 }, + { -22716706, 3489070, -9225266, -332753, 18875722, -1140095, 14819434, -12731527, -17717757, -5461437 }, + }, + { + { -5056483, 16566551, 15953661, 3767752, -10436499, 15627060, -820954, 2177225, 8550082, -15114165 }, + { -18473302, 16596775, -381660, 15663611, 22860960, 15585581, -27844109, -3582739, -23260460, -8428588 }, + { -32480551, 15707275, -8205912, -5652081, 29464558, 2713815, -22725137, 15860482, -21902570, 1494193 }, + }, + { + { -19562091, -14087393, -25583872, -9299552, 13127842, 759709, 21923482, 16529112, 8742704, 12967017 }, + { -28464899, 1553205, 32536856, -10473729, -24691605, -406174, -8914625, -2933896, -29903758, 15553883 }, + { 21877909, 3230008, 9881174, 10539357, -4797115, 2841332, 11543572, 14513274, 19375923, -12647961 }, + }, + { + { 8832269, -14495485, 13253511, 5137575, 5037871, 4078777, 24880818, -6222716, 2862653, 9455043 }, + { 29306751, 5123106, 20245049, -14149889, 9592566, 8447059, -2077124, -2990080, 15511449, 4789663 }, + { -20679756, 7004547, 8824831, -9434977, -4045704, -3750736, -5754762, 108893, 23513200, 16652362 }, + }, + }, + { + { + { -33256173, 4144782, -4476029, -6579123, 10770039, -7155542, -6650416, -12936300, -18319198, 10212860 }, + { 2756081, 8598110, 7383731, -6859892, 22312759, -1105012, 21179801, 2600940, -9988298, -12506466 }, + { -24645692, 13317462, -30449259, -15653928, 21365574, -10869657, 11344424, 864440, -2499677, -16710063 }, + }, + { + { -26432803, 6148329, -17184412, -14474154, 18782929, -275997, -22561534, 211300, 2719757, 4940997 }, + { -1323882, 3911313, -6948744, 14759765, -30027150, 7851207, 21690126, 8518463, 26699843, 5276295 }, + { -13149873, -6429067, 9396249, 365013, 24703301, -10488939, 1321586, 149635, -15452774, 7159369 }, + }, + { + { 9987780, -3404759, 17507962, 9505530, 9731535, -2165514, 22356009, 8312176, 22477218, -8403385 }, + { 18155857, -16504990, 19744716, 9006923, 15154154, -10538976, 24256460, -4864995, -22548173, 9334109 }, + { 2986088, -4911893, 10776628, -3473844, 10620590, -7083203, -21413845, 14253545, -22587149, 536906 }, + }, + { + { 4377756, 8115836, 24567078, 15495314, 11625074, 13064599, 7390551, 10589625, 10838060, -15420424 }, + { -19342404, 867880, 9277171, -3218459, -14431572, -1986443, 19295826, -15796950, 6378260, 699185 }, + { 7895026, 4057113, -7081772, -13077756, -17886831, -323126, -716039, 15693155, -5045064, -13373962 }, + }, + { + { -7737563, -5869402, -14566319, -7406919, 11385654, 13201616, 31730678, -10962840, -3918636, -9669325 }, + { 10188286, -15770834, -7336361, 13427543, 22223443, 14896287, 30743455, 7116568, -21786507, 5427593 }, + { 696102, 13206899, 27047647, -10632082, 15285305, -9853179, 10798490, -4578720, 19236243, 12477404 }, + }, + { + { -11229439, 11243796, -17054270, -8040865, -788228, -8167967, -3897669, 11180504, -23169516, 7733644 }, + { 17800790, -14036179, -27000429, -11766671, 23887827, 3149671, 23466177, -10538171, 10322027, 15313801 }, + { 26246234, 11968874, 32263343, -5468728, 6830755, -13323031, -15794704, -101982, -24449242, 10890804 }, + }, + { + { -31365647, 10271363, -12660625, -6267268, 16690207, -13062544, -14982212, 16484931, 25180797, -5334884 }, + { -586574, 10376444, -32586414, -11286356, 19801893, 10997610, 2276632, 9482883, 316878, 13820577 }, + { -9882808, -4510367, -2115506, 16457136, -11100081, 11674996, 30756178, -7515054, 30696930, -3712849 }, + }, + { + { 32988917, -9603412, 12499366, 7910787, -10617257, -11931514, -7342816, -9985397, -32349517, 7392473 }, + { -8855661, 15927861, 9866406, -3649411, -2396914, -16655781, -30409476, -9134995, 25112947, -2926644 }, + { -2504044, -436966, 25621774, -5678772, 15085042, -5479877, -24884878, -13526194, 5537438, -13914319 }, + }, + }, + { + { + { -11225584, 2320285, -9584280, 10149187, -33444663, 5808648, -14876251, -1729667, 31234590, 6090599 }, + { -9633316, 116426, 26083934, 2897444, -6364437, -2688086, 609721, 15878753, -6970405, -9034768 }, + { -27757857, 247744, -15194774, -9002551, 23288161, -10011936, -23869595, 6503646, 20650474, 1804084 }, + }, + { + { -27589786, 15456424, 8972517, 8469608, 15640622, 4439847, 3121995, -10329713, 27842616, -202328 }, + { -15306973, 2839644, 22530074, 10026331, 4602058, 5048462, 28248656, 5031932, -11375082, 12714369 }, + { 20807691, -7270825, 29286141, 11421711, -27876523, -13868230, -21227475, 1035546, -19733229, 12796920 }, + }, + { + { 12076899, -14301286, -8785001, -11848922, -25012791, 16400684, -17591495, -12899438, 3480665, -15182815 }, + { -32361549, 5457597, 28548107, 7833186, 7303070, -11953545, -24363064, -15921875, -33374054, 2771025 }, + { -21389266, 421932, 26597266, 6860826, 22486084, -6737172, -17137485, -4210226, -24552282, 15673397 }, + }, + { + { -20184622, 2338216, 19788685, -9620956, -4001265, -8740893, -20271184, 4733254, 3727144, -12934448 }, + { 6120119, 814863, -11794402, -622716, 6812205, -15747771, 2019594, 7975683, 31123697, -10958981 }, + { 30069250, -11435332, 30434654, 2958439, 18399564, -976289, 12296869, 9204260, -16432438, 9648165 }, + }, + { + { 32705432, -1550977, 30705658, 7451065, -11805606, 9631813, 3305266, 5248604, -26008332, -11377501 }, + { 17219865, 2375039, -31570947, -5575615, -19459679, 9219903, 294711, 15298639, 2662509, -16297073 }, + { -1172927, -7558695, -4366770, -4287744, -21346413, -8434326, 32087529, -1222777, 32247248, -14389861 }, + }, + { + { 14312628, 1221556, 17395390, -8700143, -4945741, -8684635, -28197744, -9637817, -16027623, -13378845 }, + { -1428825, -9678990, -9235681, 6549687, -7383069, -468664, 23046502, 9803137, 17597934, 2346211 }, + { 18510800, 15337574, 26171504, 981392, -22241552, 7827556, -23491134, -11323352, 3059833, -11782870 }, + }, + { + { 10141598, 6082907, 17829293, -1947643, 9830092, 13613136, -25556636, -5544586, -33502212, 3592096 }, + { 33114168, -15889352, -26525686, -13343397, 33076705, 8716171, 1151462, 1521897, -982665, -6837803 }, + { -32939165, -4255815, 23947181, -324178, -33072974, -12305637, -16637686, 3891704, 26353178, 693168 }, + }, + { + { 30374239, 1595580, -16884039, 13186931, 4600344, 406904, 9585294, -400668, 31375464, 14369965 }, + { -14370654, -7772529, 1510301, 6434173, -18784789, -6262728, 32732230, -13108839, 17901441, 16011505 }, + { 18171223, -11934626, -12500402, 15197122, -11038147, -15230035, -19172240, -16046376, 8764035, 12309598 }, + }, + }, + { + { + { 5975908, -5243188, -19459362, -9681747, -11541277, 14015782, -23665757, 1228319, 17544096, -10593782 }, + { 5811932, -1715293, 3442887, -2269310, -18367348, -8359541, -18044043, -15410127, -5565381, 12348900 }, + { -31399660, 11407555, 25755363, 6891399, -3256938, 14872274, -24849353, 8141295, -10632534, -585479 }, + }, + { + { -12675304, 694026, -5076145, 13300344, 14015258, -14451394, -9698672, -11329050, 30944593, 1130208 }, + { 8247766, -6710942, -26562381, -7709309, -14401939, -14648910, 4652152, 2488540, 23550156, -271232 }, + { 17294316, -3788438, 7026748, 15626851, 22990044, 113481, 2267737, -5908146, -408818, -137719 }, + }, + { + { 16091085, -16253926, 18599252, 7340678, 2137637, -1221657, -3364161, 14550936, 3260525, -7166271 }, + { -4910104, -13332887, 18550887, 10864893, -16459325, -7291596, -23028869, -13204905, -12748722, 2701326 }, + { -8574695, 16099415, 4629974, -16340524, -20786213, -6005432, -10018363, 9276971, 11329923, 1862132 }, + }, + { + { 14763076, -15903608, -30918270, 3689867, 3511892, 10313526, -21951088, 12219231, -9037963, -940300 }, + { 8894987, -3446094, 6150753, 3013931, 301220, 15693451, -31981216, -2909717, -15438168, 11595570 }, + { 15214962, 3537601, -26238722, -14058872, 4418657, -15230761, 13947276, 10730794, -13489462, -4363670 }, + }, + { + { -2538306, 7682793, 32759013, 263109, -29984731, -7955452, -22332124, -10188635, 977108, 699994 }, + { -12466472, 4195084, -9211532, 550904, -15565337, 12917920, 19118110, -439841, -30534533, -14337913 }, + { 31788461, -14507657, 4799989, 7372237, 8808585, -14747943, 9408237, -10051775, 12493932, -5409317 }, + }, + { + { -25680606, 5260744, -19235809, -6284470, -3695942, 16566087, 27218280, 2607121, 29375955, 6024730 }, + { 842132, -2794693, -4763381, -8722815, 26332018, -12405641, 11831880, 6985184, -9940361, 2854096 }, + { -4847262, -7969331, 2516242, -5847713, 9695691, -7221186, 16512645, 960770, 12121869, 16648078 }, + }, + { + { -15218652, 14667096, -13336229, 2013717, 30598287, -464137, -31504922, -7882064, 20237806, 2838411 }, + { -19288047, 4453152, 15298546, -16178388, 22115043, -15972604, 12544294, -13470457, 1068881, -12499905 }, + { -9558883, -16518835, 33238498, 13506958, 30505848, -1114596, -8486907, -2630053, 12521378, 4845654 }, + }, + { + { -28198521, 10744108, -2958380, 10199664, 7759311, -13088600, 3409348, -873400, -6482306, -12885870 }, + { -23561822, 6230156, -20382013, 10655314, -24040585, -11621172, 10477734, -1240216, -3113227, 13974498 }, + { 12966261, 15550616, -32038948, -1615346, 21025980, -629444, 5642325, 7188737, 18895762, 12629579 }, + }, + }, + { + { + { 14741879, -14946887, 22177208, -11721237, 1279741, 8058600, 11758140, 789443, 32195181, 3895677 }, + { 10758205, 15755439, -4509950, 9243698, -4879422, 6879879, -2204575, -3566119, -8982069, 4429647 }, + { -2453894, 15725973, -20436342, -10410672, -5803908, -11040220, -7135870, -11642895, 18047436, -15281743 }, + }, + { + { -25173001, -11307165, 29759956, 11776784, -22262383, -15820455, 10993114, -12850837, -17620701, -9408468 }, + { 21987233, 700364, -24505048, 14972008, -7774265, -5718395, 32155026, 2581431, -29958985, 8773375 }, + { -25568350, 454463, -13211935, 16126715, 25240068, 8594567, 20656846, 12017935, -7874389, -13920155 }, + }, + { + { 6028182, 6263078, -31011806, -11301710, -818919, 2461772, -31841174, -5468042, -1721788, -2776725 }, + { -12278994, 16624277, 987579, -5922598, 32908203, 1248608, 7719845, -4166698, 28408820, 6816612 }, + { -10358094, -8237829, 19549651, -12169222, 22082623, 16147817, 20613181, 13982702, -10339570, 5067943 }, + }, + { + { -30505967, -3821767, 12074681, 13582412, -19877972, 2443951, -19719286, 12746132, 5331210, -10105944 }, + { 30528811, 3601899, -1957090, 4619785, -27361822, -15436388, 24180793, -12570394, 27679908, -1648928 }, + { 9402404, -13957065, 32834043, 10838634, -26580150, -13237195, 26653274, -8685565, 22611444, -12715406 }, + }, + { + { 22190590, 1118029, 22736441, 15130463, -30460692, -5991321, 19189625, -4648942, 4854859, 6622139 }, + { -8310738, -2953450, -8262579, -3388049, -10401731, -271929, 13424426, -3567227, 26404409, 13001963 }, + { -31241838, -15415700, -2994250, 8939346, 11562230, -12840670, -26064365, -11621720, -15405155, 11020693 }, + }, + { + { 1866042, -7949489, -7898649, -10301010, 12483315, 13477547, 3175636, -12424163, 28761762, 1406734 }, + { -448555, -1777666, 13018551, 3194501, -9580420, -11161737, 24760585, -4347088, 25577411, -13378680 }, + { -24290378, 4759345, -690653, -1852816, 2066747, 10693769, -29595790, 9884936, -9368926, 4745410 }, + }, + { + { -9141284, 6049714, -19531061, -4341411, -31260798, 9944276, -15462008, -11311852, 10931924, -11931931 }, + { -16561513, 14112680, -8012645, 4817318, -8040464, -11414606, -22853429, 10856641, -20470770, 13434654 }, + { 22759489, -10073434, -16766264, -1871422, 13637442, -10168091, 1765144, -12654326, 28445307, -5364710 }, + }, + { + { 29875063, 12493613, 2795536, -3786330, 1710620, 15181182, -10195717, -8788675, 9074234, 1167180 }, + { -26205683, 11014233, -9842651, -2635485, -26908120, 7532294, -18716888, -9535498, 3843903, 9367684 }, + { -10969595, -6403711, 9591134, 9582310, 11349256, 108879, 16235123, 8601684, -139197, 4242895 }, + }, + }, + { + { + { 22092954, -13191123, -2042793, -11968512, 32186753, -11517388, -6574341, 2470660, -27417366, 16625501 }, + { -11057722, 3042016, 13770083, -9257922, 584236, -544855, -7770857, 2602725, -27351616, 14247413 }, + { 6314175, -10264892, -32772502, 15957557, -10157730, 168750, -8618807, 14290061, 27108877, -1180880 }, + }, + { + { -8586597, -7170966, 13241782, 10960156, -32991015, -13794596, 33547976, -11058889, -27148451, 981874 }, + { 22833440, 9293594, -32649448, -13618667, -9136966, 14756819, -22928859, -13970780, -10479804, -16197962 }, + { -7768587, 3326786, -28111797, 10783824, 19178761, 14905060, 22680049, 13906969, -15933690, 3797899 }, + }, + { + { 21721356, -4212746, -12206123, 9310182, -3882239, -13653110, 23740224, -2709232, 20491983, -8042152 }, + { 9209270, -15135055, -13256557, -6167798, -731016, 15289673, 25947805, 15286587, 30997318, -6703063 }, + { 7392032, 16618386, 23946583, -8039892, -13265164, -1533858, -14197445, -2321576, 17649998, -250080 }, + }, + { + { -9301088, -14193827, 30609526, -3049543, -25175069, -1283752, -15241566, -9525724, -2233253, 7662146 }, + { -17558673, 1763594, -33114336, 15908610, -30040870, -12174295, 7335080, -8472199, -3174674, 3440183 }, + { -19889700, -5977008, -24111293, -9688870, 10799743, -16571957, 40450, -4431835, 4862400, 1133 }, + }, + { + { -32856209, -7873957, -5422389, 14860950, -16319031, 7956142, 7258061, 311861, -30594991, -7379421 }, + { -3773428, -1565936, 28985340, 7499440, 24445838, 9325937, 29727763, 16527196, 18278453, 15405622 }, + { -4381906, 8508652, -19898366, -3674424, -5984453, 15149970, -13313598, 843523, -21875062, 13626197 }, + }, + { + { 2281448, -13487055, -10915418, -2609910, 1879358, 16164207, -10783882, 3953792, 13340839, 15928663 }, + { 31727126, -7179855, -18437503, -8283652, 2875793, -16390330, -25269894, -7014826, -23452306, 5964753 }, + { 4100420, -5959452, -17179337, 6017714, -18705837, 12227141, -26684835, 11344144, 2538215, -7570755 }, + }, + { + { -9433605, 6123113, 11159803, -2156608, 30016280, 14966241, -20474983, 1485421, -629256, -15958862 }, + { -26804558, 4260919, 11851389, 9658551, -32017107, 16367492, -20205425, -13191288, 11659922, -11115118 }, + { 26180396, 10015009, -30844224, -8581293, 5418197, 9480663, 2231568, -10170080, 33100372, -1306171 }, + }, + { + { 15121113, -5201871, -10389905, 15427821, -27509937, -15992507, 21670947, 4486675, -5931810, -14466380 }, + { 16166486, -9483733, -11104130, 6023908, -31926798, -1364923, 2340060, -16254968, -10735770, -10039824 }, + { 28042865, -3557089, -12126526, 12259706, -3717498, -6945899, 6766453, -8689599, 18036436, 5803270 }, + }, + }, + { + { + { -817581, 6763912, 11803561, 1585585, 10958447, -2671165, 23855391, 4598332, -6159431, -14117438 }, + { -31031306, -14256194, 17332029, -2383520, 31312682, -5967183, 696309, 50292, -20095739, 11763584 }, + { -594563, -2514283, -32234153, 12643980, 12650761, 14811489, 665117, -12613632, -19773211, -10713562 }, + }, + { + { 30464590, -11262872, -4127476, -12734478, 19835327, -7105613, -24396175, 2075773, -17020157, 992471 }, + { 18357185, -6994433, 7766382, 16342475, -29324918, 411174, 14578841, 8080033, -11574335, -10601610 }, + { 19598397, 10334610, 12555054, 2555664, 18821899, -10339780, 21873263, 16014234, 26224780, 16452269 }, + }, + { + { -30223925, 5145196, 5944548, 16385966, 3976735, 2009897, -11377804, -7618186, -20533829, 3698650 }, + { 14187449, 3448569, -10636236, -10810935, -22663880, -3433596, 7268410, -10890444, 27394301, 12015369 }, + { 19695761, 16087646, 28032085, 12999827, 6817792, 11427614, 20244189, -1312777, -13259127, -3402461 }, + }, + { + { 30860103, 12735208, -1888245, -4699734, -16974906, 2256940, -8166013, 12298312, -8550524, -10393462 }, + { -5719826, -11245325, -1910649, 15569035, 26642876, -7587760, -5789354, -15118654, -4976164, 12651793 }, + { -2848395, 9953421, 11531313, -5282879, 26895123, -12697089, -13118820, -16517902, 9768698, -2533218 }, + }, + { + { -24719459, 1894651, -287698, -4704085, 15348719, -8156530, 32767513, 12765450, 4940095, 10678226 }, + { 18860224, 15980149, -18987240, -1562570, -26233012, -11071856, -7843882, 13944024, -24372348, 16582019 }, + { -15504260, 4970268, -29893044, 4175593, -20993212, -2199756, -11704054, 15444560, -11003761, 7989037 }, + }, + { + { 31490452, 5568061, -2412803, 2182383, -32336847, 4531686, -32078269, 6200206, -19686113, -14800171 }, + { -17308668, -15879940, -31522777, -2831, -32887382, 16375549, 8680158, -16371713, 28550068, -6857132 }, + { -28126887, -5688091, 16837845, -1820458, -6850681, 12700016, -30039981, 4364038, 1155602, 5988841 }, + }, + { + { 21890435, -13272907, -12624011, 12154349, -7831873, 15300496, 23148983, -4470481, 24618407, 8283181 }, + { -33136107, -10512751, 9975416, 6841041, -31559793, 16356536, 3070187, -7025928, 1466169, 10740210 }, + { -1509399, -15488185, -13503385, -10655916, 32799044, 909394, -13938903, -5779719, -32164649, -15327040 }, + }, + { + { 3960823, -14267803, -28026090, -15918051, -19404858, 13146868, 15567327, 951507, -3260321, -573935 }, + { 24740841, 5052253, -30094131, 8961361, 25877428, 6165135, -24368180, 14397372, -7380369, -6144105 }, + { -28888365, 3510803, -28103278, -1158478, -11238128, -10631454, -15441463, -14453128, -1625486, -6494814 }, + }, + }, + { + { + { 793299, -9230478, 8836302, -6235707, -27360908, -2369593, 33152843, -4885251, -9906200, -621852 }, + { 5666233, 525582, 20782575, -8038419, -24538499, 14657740, 16099374, 1468826, -6171428, -15186581 }, + { -4859255, -3779343, -2917758, -6748019, 7778750, 11688288, -30404353, -9871238, -1558923, -9863646 }, + }, + { + { 10896332, -7719704, 824275, 472601, -19460308, 3009587, 25248958, 14783338, -30581476, -15757844 }, + { 10566929, 12612572, -31944212, 11118703, -12633376, 12362879, 21752402, 8822496, 24003793, 14264025 }, + { 27713862, -7355973, -11008240, 9227530, 27050101, 2504721, 23886875, -13117525, 13958495, -5732453 }, + }, + { + { -23481610, 4867226, -27247128, 3900521, 29838369, -8212291, -31889399, -10041781, 7340521, -15410068 }, + { 4646514, -8011124, -22766023, -11532654, 23184553, 8566613, 31366726, -1381061, -15066784, -10375192 }, + { -17270517, 12723032, -16993061, 14878794, 21619651, -6197576, 27584817, 3093888, -8843694, 3849921 }, + }, + { + { -9064912, 2103172, 25561640, -15125738, -5239824, 9582958, 32477045, -9017955, 5002294, -15550259 }, + { -12057553, -11177906, 21115585, -13365155, 8808712, -12030708, 16489530, 13378448, -25845716, 12741426 }, + { -5946367, 10645103, -30911586, 15390284, -3286982, -7118677, 24306472, 15852464, 28834118, -7646072 }, + }, + { + { -17335748, -9107057, -24531279, 9434953, -8472084, -583362, -13090771, 455841, 20461858, 5491305 }, + { 13669248, -16095482, -12481974, -10203039, -14569770, -11893198, -24995986, 11293807, -28588204, -9421832 }, + { 28497928, 6272777, -33022994, 14470570, 8906179, -1225630, 18504674, -14165166, 29867745, -8795943 }, + }, + { + { -16207023, 13517196, -27799630, -13697798, 24009064, -6373891, -6367600, -13175392, 22853429, -4012011 }, + { 24191378, 16712145, -13931797, 15217831, 14542237, 1646131, 18603514, -11037887, 12876623, -2112447 }, + { 17902668, 4518229, -411702, -2829247, 26878217, 5258055, -12860753, 608397, 16031844, 3723494 }, + }, + { + { -28632773, 12763728, -20446446, 7577504, 33001348, -13017745, 17558842, -7872890, 23896954, -4314245 }, + { -20005381, -12011952, 31520464, 605201, 2543521, 5991821, -2945064, 7229064, -9919646, -8826859 }, + { 28816045, 298879, -28165016, -15920938, 19000928, -1665890, -12680833, -2949325, -18051778, -2082915 }, + }, + { + { 16000882, -344896, 3493092, -11447198, -29504595, -13159789, 12577740, 16041268, -19715240, 7847707 }, + { 10151868, 10572098, 27312476, 7922682, 14825339, 4723128, -32855931, -6519018, -10020567, 3852848 }, + { -11430470, 15697596, -21121557, -4420647, 5386314, 15063598, 16514493, -15932110, 29330899, -15076224 }, + }, + }, + { + { + { -25499735, -4378794, -15222908, -6901211, 16615731, 2051784, 3303702, 15490, -27548796, 12314391 }, + { 15683520, -6003043, 18109120, -9980648, 15337968, -5997823, -16717435, 15921866, 16103996, -3731215 }, + { -23169824, -10781249, 13588192, -1628807, -3798557, -1074929, -19273607, 5402699, -29815713, -9841101 }, + }, + { + { 23190676, 2384583, -32714340, 3462154, -29903655, -1529132, -11266856, 8911517, -25205859, 2739713 }, + { 21374101, -3554250, -33524649, 9874411, 15377179, 11831242, -33529904, 6134907, 4931255, 11987849 }, + { -7732, -2978858, -16223486, 7277597, 105524, -322051, -31480539, 13861388, -30076310, 10117930 }, + }, + { + { -29501170, -10744872, -26163768, 13051539, -25625564, 5089643, -6325503, 6704079, 12890019, 15728940 }, + { -21972360, -11771379, -951059, -4418840, 14704840, 2695116, 903376, -10428139, 12885167, 8311031 }, + { -17516482, 5352194, 10384213, -13811658, 7506451, 13453191, 26423267, 4384730, 1888765, -5435404 }, + }, + { + { -25817338, -3107312, -13494599, -3182506, 30896459, -13921729, -32251644, -12707869, -19464434, -3340243 }, + { -23607977, -2665774, -526091, 4651136, 5765089, 4618330, 6092245, 14845197, 17151279, -9854116 }, + { -24830458, -12733720, -15165978, 10367250, -29530908, -265356, 22825805, -7087279, -16866484, 16176525 }, + }, + { + { -23583256, 6564961, 20063689, 3798228, -4740178, 7359225, 2006182, -10363426, -28746253, -10197509 }, + { -10626600, -4486402, -13320562, -5125317, 3432136, -6393229, 23632037, -1940610, 32808310, 1099883 }, + { 15030977, 5768825, -27451236, -2887299, -6427378, -15361371, -15277896, -6809350, 2051441, -15225865 }, + }, + { + { -3362323, -7239372, 7517890, 9824992, 23555850, 295369, 5148398, -14154188, -22686354, 16633660 }, + { 4577086, -16752288, 13249841, -15304328, 19958763, -14537274, 18559670, -10759549, 8402478, -9864273 }, + { -28406330, -1051581, -26790155, -907698, -17212414, -11030789, 9453451, -14980072, 17983010, 9967138 }, + }, + { + { -25762494, 6524722, 26585488, 9969270, 24709298, 1220360, -1677990, 7806337, 17507396, 3651560 }, + { -10420457, -4118111, 14584639, 15971087, -15768321, 8861010, 26556809, -5574557, -18553322, -11357135 }, + { 2839101, 14284142, 4029895, 3472686, 14402957, 12689363, -26642121, 8459447, -5605463, -7621941 }, + }, + { + { -4839289, -3535444, 9744961, 2871048, 25113978, 3187018, -25110813, -849066, 17258084, -7977739 }, + { 18164541, -10595176, -17154882, -1542417, 19237078, -9745295, 23357533, -15217008, 26908270, 12150756 }, + { -30264870, -7647865, 5112249, -7036672, -1499807, -6974257, 43168, -5537701, -32302074, 16215819 }, + }, + }, + { + { + { -6898905, 9824394, -12304779, -4401089, -31397141, -6276835, 32574489, 12532905, -7503072, -8675347 }, + { -27343522, -16515468, -27151524, -10722951, 946346, 16291093, 254968, 7168080, 21676107, -1943028 }, + { 21260961, -8424752, -16831886, -11920822, -23677961, 3968121, -3651949, -6215466, -3556191, -7913075 }, + }, + { + { 16544754, 13250366, -16804428, 15546242, -4583003, 12757258, -2462308, -8680336, -18907032, -9662799 }, + { -2415239, -15577728, 18312303, 4964443, -15272530, -12653564, 26820651, 16690659, 25459437, -4564609 }, + { -25144690, 11425020, 28423002, -11020557, -6144921, -15826224, 9142795, -2391602, -6432418, -1644817 }, + }, + { + { -23104652, 6253476, 16964147, -3768872, -25113972, -12296437, -27457225, -16344658, 6335692, 7249989 }, + { -30333227, 13979675, 7503222, -12368314, -11956721, -4621693, -30272269, 2682242, 25993170, -12478523 }, + { 4364628, 5930691, 32304656, -10044554, -8054781, 15091131, 22857016, -10598955, 31820368, 15075278 }, + }, + { + { 31879134, -8918693, 17258761, 90626, -8041836, -4917709, 24162788, -9650886, -17970238, 12833045 }, + { 19073683, 14851414, -24403169, -11860168, 7625278, 11091125, -19619190, 2074449, -9413939, 14905377 }, + { 24483667, -11935567, -2518866, -11547418, -1553130, 15355506, -25282080, 9253129, 27628530, -7555480 }, + }, + { + { 17597607, 8340603, 19355617, 552187, 26198470, -3176583, 4593324, -9157582, -14110875, 15297016 }, + { 510886, 14337390, -31785257, 16638632, 6328095, 2713355, -20217417, -11864220, 8683221, 2921426 }, + { 18606791, 11874196, 27155355, -5281482, -24031742, 6265446, -25178240, -1278924, 4674690, 13890525 }, + }, + { + { 13609624, 13069022, -27372361, -13055908, 24360586, 9592974, 14977157, 9835105, 4389687, 288396 }, + { 9922506, -519394, 13613107, 5883594, -18758345, -434263, -12304062, 8317628, 23388070, 16052080 }, + { 12720016, 11937594, -31970060, -5028689, 26900120, 8561328, -20155687, -11632979, -14754271, -10812892 }, + }, + { + { 15961858, 14150409, 26716931, -665832, -22794328, 13603569, 11829573, 7467844, -28822128, 929275 }, + { 11038231, -11582396, -27310482, -7316562, -10498527, -16307831, -23479533, -9371869, -21393143, 2465074 }, + { 20017163, -4323226, 27915242, 1529148, 12396362, 15675764, 13817261, -9658066, 2463391, -4622140 }, + }, + { + { -16358878, -12663911, -12065183, 4996454, -1256422, 1073572, 9583558, 12851107, 4003896, 12673717 }, + { -1731589, -15155870, -3262930, 16143082, 19294135, 13385325, 14741514, -9103726, 7903886, 2348101 }, + { 24536016, -16515207, 12715592, -3862155, 1511293, 10047386, -3842346, -7129159, -28377538, 10048127 }, + }, + }, + { + { + { -12622226, -6204820, 30718825, 2591312, -10617028, 12192840, 18873298, -7297090, -32297756, 15221632 }, + { -26478122, -11103864, 11546244, -1852483, 9180880, 7656409, -21343950, 2095755, 29769758, 6593415 }, + { -31994208, -2907461, 4176912, 3264766, 12538965, -868111, 26312345, -6118678, 30958054, 8292160 }, + }, + { + { 31429822, -13959116, 29173532, 15632448, 12174511, -2760094, 32808831, 3977186, 26143136, -3148876 }, + { 22648901, 1402143, -22799984, 13746059, 7936347, 365344, -8668633, -1674433, -3758243, -2304625 }, + { -15491917, 8012313, -2514730, -12702462, -23965846, -10254029, -1612713, -1535569, -16664475, 8194478 }, + }, + { + { 27338066, -7507420, -7414224, 10140405, -19026427, -6589889, 27277191, 8855376, 28572286, 3005164 }, + { 26287124, 4821776, 25476601, -4145903, -3764513, -15788984, -18008582, 1182479, -26094821, -13079595 }, + { -7171154, 3178080, 23970071, 6201893, -17195577, -4489192, -21876275, -13982627, 32208683, -1198248 }, + }, + { + { -16657702, 2817643, -10286362, 14811298, 6024667, 13349505, -27315504, -10497842, -27672585, -11539858 }, + { 15941029, -9405932, -21367050, 8062055, 31876073, -238629, -15278393, -1444429, 15397331, -4130193 }, + { 8934485, -13485467, -23286397, -13423241, -32446090, 14047986, 31170398, -1441021, -27505566, 15087184 }, + }, + { + { -18357243, -2156491, 24524913, -16677868, 15520427, -6360776, -15502406, 11461896, 16788528, -5868942 }, + { -1947386, 16013773, 21750665, 3714552, -17401782, -16055433, -3770287, -10323320, 31322514, -11615635 }, + { 21426655, -5650218, -13648287, -5347537, -28812189, -4920970, -18275391, -14621414, 13040862, -12112948 }, + }, + { + { 11293895, 12478086, -27136401, 15083750, -29307421, 14748872, 14555558, -13417103, 1613711, 4896935 }, + { -25894883, 15323294, -8489791, -8057900, 25967126, -13425460, 2825960, -4897045, -23971776, -11267415 }, + { -15924766, -5229880, -17443532, 6410664, 3622847, 10243618, 20615400, 12405433, -23753030, -8436416 }, + }, + { + { -7091295, 12556208, -20191352, 9025187, -17072479, 4333801, 4378436, 2432030, 23097949, -566018 }, + { 4565804, -16025654, 20084412, -7842817, 1724999, 189254, 24767264, 10103221, -18512313, 2424778 }, + { 366633, -11976806, 8173090, -6890119, 30788634, 5745705, -7168678, 1344109, -3642553, 12412659 }, + }, + { + { -24001791, 7690286, 14929416, -168257, -32210835, -13412986, 24162697, -15326504, -3141501, 11179385 }, + { 18289522, -14724954, 8056945, 16430056, -21729724, 7842514, -6001441, -1486897, -18684645, -11443503 }, + { 476239, 6601091, -6152790, -9723375, 17503545, -4863900, 27672959, 13403813, 11052904, 5219329 }, + }, + }, + { + { + { 20678546, -8375738, -32671898, 8849123, -5009758, 14574752, 31186971, -3973730, 9014762, -8579056 }, + { -13644050, -10350239, -15962508, 5075808, -1514661, -11534600, -33102500, 9160280, 8473550, -3256838 }, + { 24900749, 14435722, 17209120, -15292541, -22592275, 9878983, -7689309, -16335821, -24568481, 11788948 }, + }, + { + { -3118155, -11395194, -13802089, 14797441, 9652448, -6845904, -20037437, 10410733, -24568470, -1458691 }, + { -15659161, 16736706, -22467150, 10215878, -9097177, 7563911, 11871841, -12505194, -18513325, 8464118 }, + { -23400612, 8348507, -14585951, -861714, -3950205, -6373419, 14325289, 8628612, 33313881, -8370517 }, + }, + { + { -20186973, -4967935, 22367356, 5271547, -1097117, -4788838, -24805667, -10236854, -8940735, -5818269 }, + { -6948785, -1795212, -32625683, -16021179, 32635414, -7374245, 15989197, -12838188, 28358192, -4253904 }, + { -23561781, -2799059, -32351682, -1661963, -9147719, 10429267, -16637684, 4072016, -5351664, 5596589 }, + }, + { + { -28236598, -3390048, 12312896, 6213178, 3117142, 16078565, 29266239, 2557221, 1768301, 15373193 }, + { -7243358, -3246960, -4593467, -7553353, -127927, -912245, -1090902, -4504991, -24660491, 3442910 }, + { -30210571, 5124043, 14181784, 8197961, 18964734, -11939093, 22597931, 7176455, -18585478, 13365930 }, + }, + { + { -7877390, -1499958, 8324673, 4690079, 6261860, 890446, 24538107, -8570186, -9689599, -3031667 }, + { 25008904, -10771599, -4305031, -9638010, 16265036, 15721635, 683793, -11823784, 15723479, -15163481 }, + { -9660625, 12374379, -27006999, -7026148, -7724114, -12314514, 11879682, 5400171, 519526, -1235876 }, + }, + { + { 22258397, -16332233, -7869817, 14613016, -22520255, -2950923, -20353881, 7315967, 16648397, 7605640 }, + { -8081308, -8464597, -8223311, 9719710, 19259459, -15348212, 23994942, -5281555, -9468848, 4763278 }, + { -21699244, 9220969, -15730624, 1084137, -25476107, -2852390, 31088447, -7764523, -11356529, 728112 }, + }, + { + { 26047220, -11751471, -6900323, -16521798, 24092068, 9158119, -4273545, -12555558, -29365436, -5498272 }, + { 17510331, -322857, 5854289, 8403524, 17133918, -3112612, -28111007, 12327945, 10750447, 10014012 }, + { -10312768, 3936952, 9156313, -8897683, 16498692, -994647, -27481051, -666732, 3424691, 7540221 }, + }, + { + { 30322361, -6964110, 11361005, -4143317, 7433304, 4989748, -7071422, -16317219, -9244265, 15258046 }, + { 13054562, -2779497, 19155474, 469045, -12482797, 4566042, 5631406, 2711395, 1062915, -5136345 }, + { -19240248, -11254599, -29509029, -7499965, -5835763, 13005411, -6066489, 12194497, 32960380, 1459310 }, + }, + }, + { + { + { 19852034, 7027924, 23669353, 10020366, 8586503, -6657907, 394197, -6101885, 18638003, -11174937 }, + { 31395534, 15098109, 26581030, 8030562, -16527914, -5007134, 9012486, -7584354, -6643087, -5442636 }, + { -9192165, -2347377, -1997099, 4529534, 25766844, 607986, -13222, 9677543, -32294889, -6456008 }, + }, + { + { -2444496, -149937, 29348902, 8186665, 1873760, 12489863, -30934579, -7839692, -7852844, -8138429 }, + { -15236356, -15433509, 7766470, 746860, 26346930, -10221762, -27333451, 10754588, -9431476, 5203576 }, + { 31834314, 14135496, -770007, 5159118, 20917671, -16768096, -7467973, -7337524, 31809243, 7347066 }, + }, + { + { -9606723, -11874240, 20414459, 13033986, 13716524, -11691881, 19797970, -12211255, 15192876, -2087490 }, + { -12663563, -2181719, 1168162, -3804809, 26747877, -14138091, 10609330, 12694420, 33473243, -13382104 }, + { 33184999, 11180355, 15832085, -11385430, -1633671, 225884, 15089336, -11023903, -6135662, 14480053 }, + }, + { + { 31308717, -5619998, 31030840, -1897099, 15674547, -6582883, 5496208, 13685227, 27595050, 8737275 }, + { -20318852, -15150239, 10933843, -16178022, 8335352, -7546022, -31008351, -12610604, 26498114, 66511 }, + { 22644454, -8761729, -16671776, 4884562, -3105614, -13559366, 30540766, -4286747, -13327787, -7515095 }, + }, + { + { -28017847, 9834845, 18617207, -2681312, -3401956, -13307506, 8205540, 13585437, -17127465, 15115439 }, + { 23711543, -672915, 31206561, -8362711, 6164647, -9709987, -33535882, -1426096, 8236921, 16492939 }, + { -23910559, -13515526, -26299483, -4503841, 25005590, -7687270, 19574902, 10071562, 6708380, -6222424 }, + }, + { + { 2101391, -4930054, 19702731, 2367575, -15427167, 1047675, 5301017, 9328700, 29955601, -11678310 }, + { 3096359, 9271816, -21620864, -15521844, -14847996, -7592937, -25892142, -12635595, -9917575, 6216608 }, + { -32615849, 338663, -25195611, 2510422, -29213566, -13820213, 24822830, -6146567, -26767480, 7525079 }, + }, + { + { -23066649, -13985623, 16133487, -7896178, -3389565, 778788, -910336, -2782495, -19386633, 11994101 }, + { 21691500, -13624626, -641331, -14367021, 3285881, -3483596, -25064666, 9718258, -7477437, 13381418 }, + { 18445390, -4202236, 14979846, 11622458, -1727110, -3582980, 23111648, -6375247, 28535282, 15779576 }, + }, + { + { 30098053, 3089662, -9234387, 16662135, -21306940, 11308411, -14068454, 12021730, 9955285, -16303356 }, + { 9734894, -14576830, -7473633, -9138735, 2060392, 11313496, -18426029, 9924399, 20194861, 13380996 }, + { -26378102, -7965207, -22167821, 15789297, -18055342, -6168792, -1984914, 15707771, 26342023, 10146099 }, + }, + }, + { + { + { -26016874, -219943, 21339191, -41388, 19745256, -2878700, -29637280, 2227040, 21612326, -545728 }, + { -13077387, 1184228, 23562814, -5970442, -20351244, -6348714, 25764461, 12243797, -20856566, 11649658 }, + { -10031494, 11262626, 27384172, 2271902, 26947504, -15997771, 39944, 6114064, 33514190, 2333242 }, + }, + { + { -21433588, -12421821, 8119782, 7219913, -21830522, -9016134, -6679750, -12670638, 24350578, -13450001 }, + { -4116307, -11271533, -23886186, 4843615, -30088339, 690623, -31536088, -10406836, 8317860, 12352766 }, + { 18200138, -14475911, -33087759, -2696619, -23702521, -9102511, -23552096, -2287550, 20712163, 6719373 }, + }, + { + { 26656208, 6075253, -7858556, 1886072, -28344043, 4262326, 11117530, -3763210, 26224235, -3297458 }, + { -17168938, -14854097, -3395676, -16369877, -19954045, 14050420, 21728352, 9493610, 18620611, -16428628 }, + { -13323321, 13325349, 11432106, 5964811, 18609221, 6062965, -5269471, -9725556, -30701573, -16479657 }, + }, + { + { -23860538, -11233159, 26961357, 1640861, -32413112, -16737940, 12248509, -5240639, 13735342, 1934062 }, + { 25089769, 6742589, 17081145, -13406266, 21909293, -16067981, -15136294, -3765346, -21277997, 5473616 }, + { 31883677, -7961101, 1083432, -11572403, 22828471, 13290673, -7125085, 12469656, 29111212, -5451014 }, + }, + { + { 24244947, -15050407, -26262976, 2791540, -14997599, 16666678, 24367466, 6388839, -10295587, 452383 }, + { -25640782, -3417841, 5217916, 16224624, 19987036, -4082269, -24236251, -5915248, 15766062, 8407814 }, + { -20406999, 13990231, 15495425, 16395525, 5377168, 15166495, -8917023, -4388953, -8067909, 2276718 }, + }, + { + { 30157918, 12924066, -17712050, 9245753, 19895028, 3368142, -23827587, 5096219, 22740376, -7303417 }, + { 2041139, -14256350, 7783687, 13876377, -25946985, -13352459, 24051124, 13742383, -15637599, 13295222 }, + { 33338237, -8505733, 12532113, 7977527, 9106186, -1715251, -17720195, -4612972, -4451357, -14669444 }, + }, + { + { -20045281, 5454097, -14346548, 6447146, 28862071, 1883651, -2469266, -4141880, 7770569, 9620597 }, + { 23208068, 7979712, 33071466, 8149229, 1758231, -10834995, 30945528, -1694323, -33502340, -14767970 }, + { 1439958, -16270480, -1079989, -793782, 4625402, 10647766, -5043801, 1220118, 30494170, -11440799 }, + }, + { + { -5037580, -13028295, -2970559, -3061767, 15640974, -6701666, -26739026, 926050, -1684339, -13333647 }, + { 13908495, -3549272, 30919928, -6273825, -21521863, 7989039, 9021034, 9078865, 3353509, 4033511 }, + { -29663431, -15113610, 32259991, -344482, 24295849, -12912123, 23161163, 8839127, 27485041, 7356032 }, + }, + }, + { + { + { 9661027, 705443, 11980065, -5370154, -1628543, 14661173, -6346142, 2625015, 28431036, -16771834 }, + { -23839233, -8311415, -25945511, 7480958, -17681669, -8354183, -22545972, 14150565, 15970762, 4099461 }, + { 29262576, 16756590, 26350592, -8793563, 8529671, -11208050, 13617293, -9937143, 11465739, 8317062 }, + }, + { + { -25493081, -6962928, 32500200, -9419051, -23038724, -2302222, 14898637, 3848455, 20969334, -5157516 }, + { -20384450, -14347713, -18336405, 13884722, -33039454, 2842114, -21610826, -3649888, 11177095, 14989547 }, + { -24496721, -11716016, 16959896, 2278463, 12066309, 10137771, 13515641, 2581286, -28487508, 9930240 }, + }, + { + { -17751622, -2097826, 16544300, -13009300, -15914807, -14949081, 18345767, -13403753, 16291481, -5314038 }, + { -33229194, 2553288, 32678213, 9875984, 8534129, 6889387, -9676774, 6957617, 4368891, 9788741 }, + { 16660756, 7281060, -10830758, 12911820, 20108584, -8101676, -21722536, -8613148, 16250552, -11111103 }, + }, + { + { -19765507, 2390526, -16551031, 14161980, 1905286, 6414907, 4689584, 10604807, -30190403, 4782747 }, + { -1354539, 14736941, -7367442, -13292886, 7710542, -14155590, -9981571, 4383045, 22546403, 437323 }, + { 31665577, -12180464, -16186830, 1491339, -18368625, 3294682, 27343084, 2786261, -30633590, -14097016 }, + }, + { + { -14467279, -683715, -33374107, 7448552, 19294360, 14334329, -19690631, 2355319, -19284671, -6114373 }, + { 15121312, -15796162, 6377020, -6031361, -10798111, -12957845, 18952177, 15496498, -29380133, 11754228 }, + { -2637277, -13483075, 8488727, -14303896, 12728761, -1622493, 7141596, 11724556, 22761615, -10134141 }, + }, + { + { 16918416, 11729663, -18083579, 3022987, -31015732, -13339659, -28741185, -12227393, 32851222, 11717399 }, + { 11166634, 7338049, -6722523, 4531520, -29468672, -7302055, 31474879, 3483633, -1193175, -4030831 }, + { -185635, 9921305, 31456609, -13536438, -12013818, 13348923, 33142652, 6546660, -19985279, -3948376 }, + }, + { + { -32460596, 11266712, -11197107, -7899103, 31703694, 3855903, -8537131, -12833048, -30772034, -15486313 }, + { -18006477, 12709068, 3991746, -6479188, -21491523, -10550425, -31135347, -16049879, 10928917, 3011958 }, + { -6957757, -15594337, 31696059, 334240, 29576716, 14796075, -30831056, -12805180, 18008031, 10258577 }, + }, + { + { -22448644, 15655569, 7018479, -4410003, -30314266, -1201591, -1853465, 1367120, 25127874, 6671743 }, + { 29701166, -14373934, -10878120, 9279288, -17568, 13127210, 21382910, 11042292, 25838796, 4642684 }, + { -20430234, 14955537, -24126347, 8124619, -5369288, -5990470, 30468147, -13900640, 18423289, 4177476 }, + }, + }, +}; diff --git a/3rd_party/ed25519/sc.c b/3rd_party/ed25519/sc.c new file mode 100644 index 0000000..ca5bad2 --- /dev/null +++ b/3rd_party/ed25519/sc.c @@ -0,0 +1,809 @@ +#include "fixedint.h" +#include "sc.h" + +static uint64_t load_3(const unsigned char *in) { + uint64_t result; + + result = (uint64_t) in[0]; + result |= ((uint64_t) in[1]) << 8; + result |= ((uint64_t) in[2]) << 16; + + return result; +} + +static uint64_t load_4(const unsigned char *in) { + uint64_t result; + + result = (uint64_t) in[0]; + result |= ((uint64_t) in[1]) << 8; + result |= ((uint64_t) in[2]) << 16; + result |= ((uint64_t) in[3]) << 24; + + return result; +} + +/* +Input: + s[0]+256*s[1]+...+256^63*s[63] = s + +Output: + s[0]+256*s[1]+...+256^31*s[31] = s mod l + where l = 2^252 + 27742317777372353535851937790883648493. + Overwrites s in place. +*/ + +void sc_reduce(unsigned char *s) { + int64_t s0 = 2097151 & load_3(s); + int64_t s1 = 2097151 & (load_4(s + 2) >> 5); + int64_t s2 = 2097151 & (load_3(s + 5) >> 2); + int64_t s3 = 2097151 & (load_4(s + 7) >> 7); + int64_t s4 = 2097151 & (load_4(s + 10) >> 4); + int64_t s5 = 2097151 & (load_3(s + 13) >> 1); + int64_t s6 = 2097151 & (load_4(s + 15) >> 6); + int64_t s7 = 2097151 & (load_3(s + 18) >> 3); + int64_t s8 = 2097151 & load_3(s + 21); + int64_t s9 = 2097151 & (load_4(s + 23) >> 5); + int64_t s10 = 2097151 & (load_3(s + 26) >> 2); + int64_t s11 = 2097151 & (load_4(s + 28) >> 7); + int64_t s12 = 2097151 & (load_4(s + 31) >> 4); + int64_t s13 = 2097151 & (load_3(s + 34) >> 1); + int64_t s14 = 2097151 & (load_4(s + 36) >> 6); + int64_t s15 = 2097151 & (load_3(s + 39) >> 3); + int64_t s16 = 2097151 & load_3(s + 42); + int64_t s17 = 2097151 & (load_4(s + 44) >> 5); + int64_t s18 = 2097151 & (load_3(s + 47) >> 2); + int64_t s19 = 2097151 & (load_4(s + 49) >> 7); + int64_t s20 = 2097151 & (load_4(s + 52) >> 4); + int64_t s21 = 2097151 & (load_3(s + 55) >> 1); + int64_t s22 = 2097151 & (load_4(s + 57) >> 6); + int64_t s23 = (load_4(s + 60) >> 3); + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + int64_t carry10; + int64_t carry11; + int64_t carry12; + int64_t carry13; + int64_t carry14; + int64_t carry15; + int64_t carry16; + + s11 += s23 * 666643; + s12 += s23 * 470296; + s13 += s23 * 654183; + s14 -= s23 * 997805; + s15 += s23 * 136657; + s16 -= s23 * 683901; + s23 = 0; + s10 += s22 * 666643; + s11 += s22 * 470296; + s12 += s22 * 654183; + s13 -= s22 * 997805; + s14 += s22 * 136657; + s15 -= s22 * 683901; + s22 = 0; + s9 += s21 * 666643; + s10 += s21 * 470296; + s11 += s21 * 654183; + s12 -= s21 * 997805; + s13 += s21 * 136657; + s14 -= s21 * 683901; + s21 = 0; + s8 += s20 * 666643; + s9 += s20 * 470296; + s10 += s20 * 654183; + s11 -= s20 * 997805; + s12 += s20 * 136657; + s13 -= s20 * 683901; + s20 = 0; + s7 += s19 * 666643; + s8 += s19 * 470296; + s9 += s19 * 654183; + s10 -= s19 * 997805; + s11 += s19 * 136657; + s12 -= s19 * 683901; + s19 = 0; + s6 += s18 * 666643; + s7 += s18 * 470296; + s8 += s18 * 654183; + s9 -= s18 * 997805; + s10 += s18 * 136657; + s11 -= s18 * 683901; + s18 = 0; + carry6 = (s6 + (1 << 20)) >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry8 = (s8 + (1 << 20)) >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry10 = (s10 + (1 << 20)) >> 21; + s11 += carry10; + s10 -= carry10 << 21; + carry12 = (s12 + (1 << 20)) >> 21; + s13 += carry12; + s12 -= carry12 << 21; + carry14 = (s14 + (1 << 20)) >> 21; + s15 += carry14; + s14 -= carry14 << 21; + carry16 = (s16 + (1 << 20)) >> 21; + s17 += carry16; + s16 -= carry16 << 21; + carry7 = (s7 + (1 << 20)) >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry9 = (s9 + (1 << 20)) >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry11 = (s11 + (1 << 20)) >> 21; + s12 += carry11; + s11 -= carry11 << 21; + carry13 = (s13 + (1 << 20)) >> 21; + s14 += carry13; + s13 -= carry13 << 21; + carry15 = (s15 + (1 << 20)) >> 21; + s16 += carry15; + s15 -= carry15 << 21; + s5 += s17 * 666643; + s6 += s17 * 470296; + s7 += s17 * 654183; + s8 -= s17 * 997805; + s9 += s17 * 136657; + s10 -= s17 * 683901; + s17 = 0; + s4 += s16 * 666643; + s5 += s16 * 470296; + s6 += s16 * 654183; + s7 -= s16 * 997805; + s8 += s16 * 136657; + s9 -= s16 * 683901; + s16 = 0; + s3 += s15 * 666643; + s4 += s15 * 470296; + s5 += s15 * 654183; + s6 -= s15 * 997805; + s7 += s15 * 136657; + s8 -= s15 * 683901; + s15 = 0; + s2 += s14 * 666643; + s3 += s14 * 470296; + s4 += s14 * 654183; + s5 -= s14 * 997805; + s6 += s14 * 136657; + s7 -= s14 * 683901; + s14 = 0; + s1 += s13 * 666643; + s2 += s13 * 470296; + s3 += s13 * 654183; + s4 -= s13 * 997805; + s5 += s13 * 136657; + s6 -= s13 * 683901; + s13 = 0; + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + carry0 = (s0 + (1 << 20)) >> 21; + s1 += carry0; + s0 -= carry0 << 21; + carry2 = (s2 + (1 << 20)) >> 21; + s3 += carry2; + s2 -= carry2 << 21; + carry4 = (s4 + (1 << 20)) >> 21; + s5 += carry4; + s4 -= carry4 << 21; + carry6 = (s6 + (1 << 20)) >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry8 = (s8 + (1 << 20)) >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry10 = (s10 + (1 << 20)) >> 21; + s11 += carry10; + s10 -= carry10 << 21; + carry1 = (s1 + (1 << 20)) >> 21; + s2 += carry1; + s1 -= carry1 << 21; + carry3 = (s3 + (1 << 20)) >> 21; + s4 += carry3; + s3 -= carry3 << 21; + carry5 = (s5 + (1 << 20)) >> 21; + s6 += carry5; + s5 -= carry5 << 21; + carry7 = (s7 + (1 << 20)) >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry9 = (s9 + (1 << 20)) >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry11 = (s11 + (1 << 20)) >> 21; + s12 += carry11; + s11 -= carry11 << 21; + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + carry0 = s0 >> 21; + s1 += carry0; + s0 -= carry0 << 21; + carry1 = s1 >> 21; + s2 += carry1; + s1 -= carry1 << 21; + carry2 = s2 >> 21; + s3 += carry2; + s2 -= carry2 << 21; + carry3 = s3 >> 21; + s4 += carry3; + s3 -= carry3 << 21; + carry4 = s4 >> 21; + s5 += carry4; + s4 -= carry4 << 21; + carry5 = s5 >> 21; + s6 += carry5; + s5 -= carry5 << 21; + carry6 = s6 >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry7 = s7 >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry8 = s8 >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry9 = s9 >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry10 = s10 >> 21; + s11 += carry10; + s10 -= carry10 << 21; + carry11 = s11 >> 21; + s12 += carry11; + s11 -= carry11 << 21; + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + carry0 = s0 >> 21; + s1 += carry0; + s0 -= carry0 << 21; + carry1 = s1 >> 21; + s2 += carry1; + s1 -= carry1 << 21; + carry2 = s2 >> 21; + s3 += carry2; + s2 -= carry2 << 21; + carry3 = s3 >> 21; + s4 += carry3; + s3 -= carry3 << 21; + carry4 = s4 >> 21; + s5 += carry4; + s4 -= carry4 << 21; + carry5 = s5 >> 21; + s6 += carry5; + s5 -= carry5 << 21; + carry6 = s6 >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry7 = s7 >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry8 = s8 >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry9 = s9 >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry10 = s10 >> 21; + s11 += carry10; + s10 -= carry10 << 21; + + s[0] = (unsigned char) (s0 >> 0); + s[1] = (unsigned char) (s0 >> 8); + s[2] = (unsigned char) ((s0 >> 16) | (s1 << 5)); + s[3] = (unsigned char) (s1 >> 3); + s[4] = (unsigned char) (s1 >> 11); + s[5] = (unsigned char) ((s1 >> 19) | (s2 << 2)); + s[6] = (unsigned char) (s2 >> 6); + s[7] = (unsigned char) ((s2 >> 14) | (s3 << 7)); + s[8] = (unsigned char) (s3 >> 1); + s[9] = (unsigned char) (s3 >> 9); + s[10] = (unsigned char) ((s3 >> 17) | (s4 << 4)); + s[11] = (unsigned char) (s4 >> 4); + s[12] = (unsigned char) (s4 >> 12); + s[13] = (unsigned char) ((s4 >> 20) | (s5 << 1)); + s[14] = (unsigned char) (s5 >> 7); + s[15] = (unsigned char) ((s5 >> 15) | (s6 << 6)); + s[16] = (unsigned char) (s6 >> 2); + s[17] = (unsigned char) (s6 >> 10); + s[18] = (unsigned char) ((s6 >> 18) | (s7 << 3)); + s[19] = (unsigned char) (s7 >> 5); + s[20] = (unsigned char) (s7 >> 13); + s[21] = (unsigned char) (s8 >> 0); + s[22] = (unsigned char) (s8 >> 8); + s[23] = (unsigned char) ((s8 >> 16) | (s9 << 5)); + s[24] = (unsigned char) (s9 >> 3); + s[25] = (unsigned char) (s9 >> 11); + s[26] = (unsigned char) ((s9 >> 19) | (s10 << 2)); + s[27] = (unsigned char) (s10 >> 6); + s[28] = (unsigned char) ((s10 >> 14) | (s11 << 7)); + s[29] = (unsigned char) (s11 >> 1); + s[30] = (unsigned char) (s11 >> 9); + s[31] = (unsigned char) (s11 >> 17); +} + + + +/* +Input: + a[0]+256*a[1]+...+256^31*a[31] = a + b[0]+256*b[1]+...+256^31*b[31] = b + c[0]+256*c[1]+...+256^31*c[31] = c + +Output: + s[0]+256*s[1]+...+256^31*s[31] = (ab+c) mod l + where l = 2^252 + 27742317777372353535851937790883648493. +*/ + +void sc_muladd(unsigned char *s, const unsigned char *a, const unsigned char *b, const unsigned char *c) { + int64_t a0 = 2097151 & load_3(a); + int64_t a1 = 2097151 & (load_4(a + 2) >> 5); + int64_t a2 = 2097151 & (load_3(a + 5) >> 2); + int64_t a3 = 2097151 & (load_4(a + 7) >> 7); + int64_t a4 = 2097151 & (load_4(a + 10) >> 4); + int64_t a5 = 2097151 & (load_3(a + 13) >> 1); + int64_t a6 = 2097151 & (load_4(a + 15) >> 6); + int64_t a7 = 2097151 & (load_3(a + 18) >> 3); + int64_t a8 = 2097151 & load_3(a + 21); + int64_t a9 = 2097151 & (load_4(a + 23) >> 5); + int64_t a10 = 2097151 & (load_3(a + 26) >> 2); + int64_t a11 = (load_4(a + 28) >> 7); + int64_t b0 = 2097151 & load_3(b); + int64_t b1 = 2097151 & (load_4(b + 2) >> 5); + int64_t b2 = 2097151 & (load_3(b + 5) >> 2); + int64_t b3 = 2097151 & (load_4(b + 7) >> 7); + int64_t b4 = 2097151 & (load_4(b + 10) >> 4); + int64_t b5 = 2097151 & (load_3(b + 13) >> 1); + int64_t b6 = 2097151 & (load_4(b + 15) >> 6); + int64_t b7 = 2097151 & (load_3(b + 18) >> 3); + int64_t b8 = 2097151 & load_3(b + 21); + int64_t b9 = 2097151 & (load_4(b + 23) >> 5); + int64_t b10 = 2097151 & (load_3(b + 26) >> 2); + int64_t b11 = (load_4(b + 28) >> 7); + int64_t c0 = 2097151 & load_3(c); + int64_t c1 = 2097151 & (load_4(c + 2) >> 5); + int64_t c2 = 2097151 & (load_3(c + 5) >> 2); + int64_t c3 = 2097151 & (load_4(c + 7) >> 7); + int64_t c4 = 2097151 & (load_4(c + 10) >> 4); + int64_t c5 = 2097151 & (load_3(c + 13) >> 1); + int64_t c6 = 2097151 & (load_4(c + 15) >> 6); + int64_t c7 = 2097151 & (load_3(c + 18) >> 3); + int64_t c8 = 2097151 & load_3(c + 21); + int64_t c9 = 2097151 & (load_4(c + 23) >> 5); + int64_t c10 = 2097151 & (load_3(c + 26) >> 2); + int64_t c11 = (load_4(c + 28) >> 7); + int64_t s0; + int64_t s1; + int64_t s2; + int64_t s3; + int64_t s4; + int64_t s5; + int64_t s6; + int64_t s7; + int64_t s8; + int64_t s9; + int64_t s10; + int64_t s11; + int64_t s12; + int64_t s13; + int64_t s14; + int64_t s15; + int64_t s16; + int64_t s17; + int64_t s18; + int64_t s19; + int64_t s20; + int64_t s21; + int64_t s22; + int64_t s23; + int64_t carry0; + int64_t carry1; + int64_t carry2; + int64_t carry3; + int64_t carry4; + int64_t carry5; + int64_t carry6; + int64_t carry7; + int64_t carry8; + int64_t carry9; + int64_t carry10; + int64_t carry11; + int64_t carry12; + int64_t carry13; + int64_t carry14; + int64_t carry15; + int64_t carry16; + int64_t carry17; + int64_t carry18; + int64_t carry19; + int64_t carry20; + int64_t carry21; + int64_t carry22; + + s0 = c0 + a0 * b0; + s1 = c1 + a0 * b1 + a1 * b0; + s2 = c2 + a0 * b2 + a1 * b1 + a2 * b0; + s3 = c3 + a0 * b3 + a1 * b2 + a2 * b1 + a3 * b0; + s4 = c4 + a0 * b4 + a1 * b3 + a2 * b2 + a3 * b1 + a4 * b0; + s5 = c5 + a0 * b5 + a1 * b4 + a2 * b3 + a3 * b2 + a4 * b1 + a5 * b0; + s6 = c6 + a0 * b6 + a1 * b5 + a2 * b4 + a3 * b3 + a4 * b2 + a5 * b1 + a6 * b0; + s7 = c7 + a0 * b7 + a1 * b6 + a2 * b5 + a3 * b4 + a4 * b3 + a5 * b2 + a6 * b1 + a7 * b0; + s8 = c8 + a0 * b8 + a1 * b7 + a2 * b6 + a3 * b5 + a4 * b4 + a5 * b3 + a6 * b2 + a7 * b1 + a8 * b0; + s9 = c9 + a0 * b9 + a1 * b8 + a2 * b7 + a3 * b6 + a4 * b5 + a5 * b4 + a6 * b3 + a7 * b2 + a8 * b1 + a9 * b0; + s10 = c10 + a0 * b10 + a1 * b9 + a2 * b8 + a3 * b7 + a4 * b6 + a5 * b5 + a6 * b4 + a7 * b3 + a8 * b2 + a9 * b1 + a10 * b0; + s11 = c11 + a0 * b11 + a1 * b10 + a2 * b9 + a3 * b8 + a4 * b7 + a5 * b6 + a6 * b5 + a7 * b4 + a8 * b3 + a9 * b2 + a10 * b1 + a11 * b0; + s12 = a1 * b11 + a2 * b10 + a3 * b9 + a4 * b8 + a5 * b7 + a6 * b6 + a7 * b5 + a8 * b4 + a9 * b3 + a10 * b2 + a11 * b1; + s13 = a2 * b11 + a3 * b10 + a4 * b9 + a5 * b8 + a6 * b7 + a7 * b6 + a8 * b5 + a9 * b4 + a10 * b3 + a11 * b2; + s14 = a3 * b11 + a4 * b10 + a5 * b9 + a6 * b8 + a7 * b7 + a8 * b6 + a9 * b5 + a10 * b4 + a11 * b3; + s15 = a4 * b11 + a5 * b10 + a6 * b9 + a7 * b8 + a8 * b7 + a9 * b6 + a10 * b5 + a11 * b4; + s16 = a5 * b11 + a6 * b10 + a7 * b9 + a8 * b8 + a9 * b7 + a10 * b6 + a11 * b5; + s17 = a6 * b11 + a7 * b10 + a8 * b9 + a9 * b8 + a10 * b7 + a11 * b6; + s18 = a7 * b11 + a8 * b10 + a9 * b9 + a10 * b8 + a11 * b7; + s19 = a8 * b11 + a9 * b10 + a10 * b9 + a11 * b8; + s20 = a9 * b11 + a10 * b10 + a11 * b9; + s21 = a10 * b11 + a11 * b10; + s22 = a11 * b11; + s23 = 0; + carry0 = (s0 + (1 << 20)) >> 21; + s1 += carry0; + s0 -= carry0 << 21; + carry2 = (s2 + (1 << 20)) >> 21; + s3 += carry2; + s2 -= carry2 << 21; + carry4 = (s4 + (1 << 20)) >> 21; + s5 += carry4; + s4 -= carry4 << 21; + carry6 = (s6 + (1 << 20)) >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry8 = (s8 + (1 << 20)) >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry10 = (s10 + (1 << 20)) >> 21; + s11 += carry10; + s10 -= carry10 << 21; + carry12 = (s12 + (1 << 20)) >> 21; + s13 += carry12; + s12 -= carry12 << 21; + carry14 = (s14 + (1 << 20)) >> 21; + s15 += carry14; + s14 -= carry14 << 21; + carry16 = (s16 + (1 << 20)) >> 21; + s17 += carry16; + s16 -= carry16 << 21; + carry18 = (s18 + (1 << 20)) >> 21; + s19 += carry18; + s18 -= carry18 << 21; + carry20 = (s20 + (1 << 20)) >> 21; + s21 += carry20; + s20 -= carry20 << 21; + carry22 = (s22 + (1 << 20)) >> 21; + s23 += carry22; + s22 -= carry22 << 21; + carry1 = (s1 + (1 << 20)) >> 21; + s2 += carry1; + s1 -= carry1 << 21; + carry3 = (s3 + (1 << 20)) >> 21; + s4 += carry3; + s3 -= carry3 << 21; + carry5 = (s5 + (1 << 20)) >> 21; + s6 += carry5; + s5 -= carry5 << 21; + carry7 = (s7 + (1 << 20)) >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry9 = (s9 + (1 << 20)) >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry11 = (s11 + (1 << 20)) >> 21; + s12 += carry11; + s11 -= carry11 << 21; + carry13 = (s13 + (1 << 20)) >> 21; + s14 += carry13; + s13 -= carry13 << 21; + carry15 = (s15 + (1 << 20)) >> 21; + s16 += carry15; + s15 -= carry15 << 21; + carry17 = (s17 + (1 << 20)) >> 21; + s18 += carry17; + s17 -= carry17 << 21; + carry19 = (s19 + (1 << 20)) >> 21; + s20 += carry19; + s19 -= carry19 << 21; + carry21 = (s21 + (1 << 20)) >> 21; + s22 += carry21; + s21 -= carry21 << 21; + s11 += s23 * 666643; + s12 += s23 * 470296; + s13 += s23 * 654183; + s14 -= s23 * 997805; + s15 += s23 * 136657; + s16 -= s23 * 683901; + s23 = 0; + s10 += s22 * 666643; + s11 += s22 * 470296; + s12 += s22 * 654183; + s13 -= s22 * 997805; + s14 += s22 * 136657; + s15 -= s22 * 683901; + s22 = 0; + s9 += s21 * 666643; + s10 += s21 * 470296; + s11 += s21 * 654183; + s12 -= s21 * 997805; + s13 += s21 * 136657; + s14 -= s21 * 683901; + s21 = 0; + s8 += s20 * 666643; + s9 += s20 * 470296; + s10 += s20 * 654183; + s11 -= s20 * 997805; + s12 += s20 * 136657; + s13 -= s20 * 683901; + s20 = 0; + s7 += s19 * 666643; + s8 += s19 * 470296; + s9 += s19 * 654183; + s10 -= s19 * 997805; + s11 += s19 * 136657; + s12 -= s19 * 683901; + s19 = 0; + s6 += s18 * 666643; + s7 += s18 * 470296; + s8 += s18 * 654183; + s9 -= s18 * 997805; + s10 += s18 * 136657; + s11 -= s18 * 683901; + s18 = 0; + carry6 = (s6 + (1 << 20)) >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry8 = (s8 + (1 << 20)) >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry10 = (s10 + (1 << 20)) >> 21; + s11 += carry10; + s10 -= carry10 << 21; + carry12 = (s12 + (1 << 20)) >> 21; + s13 += carry12; + s12 -= carry12 << 21; + carry14 = (s14 + (1 << 20)) >> 21; + s15 += carry14; + s14 -= carry14 << 21; + carry16 = (s16 + (1 << 20)) >> 21; + s17 += carry16; + s16 -= carry16 << 21; + carry7 = (s7 + (1 << 20)) >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry9 = (s9 + (1 << 20)) >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry11 = (s11 + (1 << 20)) >> 21; + s12 += carry11; + s11 -= carry11 << 21; + carry13 = (s13 + (1 << 20)) >> 21; + s14 += carry13; + s13 -= carry13 << 21; + carry15 = (s15 + (1 << 20)) >> 21; + s16 += carry15; + s15 -= carry15 << 21; + s5 += s17 * 666643; + s6 += s17 * 470296; + s7 += s17 * 654183; + s8 -= s17 * 997805; + s9 += s17 * 136657; + s10 -= s17 * 683901; + s17 = 0; + s4 += s16 * 666643; + s5 += s16 * 470296; + s6 += s16 * 654183; + s7 -= s16 * 997805; + s8 += s16 * 136657; + s9 -= s16 * 683901; + s16 = 0; + s3 += s15 * 666643; + s4 += s15 * 470296; + s5 += s15 * 654183; + s6 -= s15 * 997805; + s7 += s15 * 136657; + s8 -= s15 * 683901; + s15 = 0; + s2 += s14 * 666643; + s3 += s14 * 470296; + s4 += s14 * 654183; + s5 -= s14 * 997805; + s6 += s14 * 136657; + s7 -= s14 * 683901; + s14 = 0; + s1 += s13 * 666643; + s2 += s13 * 470296; + s3 += s13 * 654183; + s4 -= s13 * 997805; + s5 += s13 * 136657; + s6 -= s13 * 683901; + s13 = 0; + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + carry0 = (s0 + (1 << 20)) >> 21; + s1 += carry0; + s0 -= carry0 << 21; + carry2 = (s2 + (1 << 20)) >> 21; + s3 += carry2; + s2 -= carry2 << 21; + carry4 = (s4 + (1 << 20)) >> 21; + s5 += carry4; + s4 -= carry4 << 21; + carry6 = (s6 + (1 << 20)) >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry8 = (s8 + (1 << 20)) >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry10 = (s10 + (1 << 20)) >> 21; + s11 += carry10; + s10 -= carry10 << 21; + carry1 = (s1 + (1 << 20)) >> 21; + s2 += carry1; + s1 -= carry1 << 21; + carry3 = (s3 + (1 << 20)) >> 21; + s4 += carry3; + s3 -= carry3 << 21; + carry5 = (s5 + (1 << 20)) >> 21; + s6 += carry5; + s5 -= carry5 << 21; + carry7 = (s7 + (1 << 20)) >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry9 = (s9 + (1 << 20)) >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry11 = (s11 + (1 << 20)) >> 21; + s12 += carry11; + s11 -= carry11 << 21; + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + carry0 = s0 >> 21; + s1 += carry0; + s0 -= carry0 << 21; + carry1 = s1 >> 21; + s2 += carry1; + s1 -= carry1 << 21; + carry2 = s2 >> 21; + s3 += carry2; + s2 -= carry2 << 21; + carry3 = s3 >> 21; + s4 += carry3; + s3 -= carry3 << 21; + carry4 = s4 >> 21; + s5 += carry4; + s4 -= carry4 << 21; + carry5 = s5 >> 21; + s6 += carry5; + s5 -= carry5 << 21; + carry6 = s6 >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry7 = s7 >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry8 = s8 >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry9 = s9 >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry10 = s10 >> 21; + s11 += carry10; + s10 -= carry10 << 21; + carry11 = s11 >> 21; + s12 += carry11; + s11 -= carry11 << 21; + s0 += s12 * 666643; + s1 += s12 * 470296; + s2 += s12 * 654183; + s3 -= s12 * 997805; + s4 += s12 * 136657; + s5 -= s12 * 683901; + s12 = 0; + carry0 = s0 >> 21; + s1 += carry0; + s0 -= carry0 << 21; + carry1 = s1 >> 21; + s2 += carry1; + s1 -= carry1 << 21; + carry2 = s2 >> 21; + s3 += carry2; + s2 -= carry2 << 21; + carry3 = s3 >> 21; + s4 += carry3; + s3 -= carry3 << 21; + carry4 = s4 >> 21; + s5 += carry4; + s4 -= carry4 << 21; + carry5 = s5 >> 21; + s6 += carry5; + s5 -= carry5 << 21; + carry6 = s6 >> 21; + s7 += carry6; + s6 -= carry6 << 21; + carry7 = s7 >> 21; + s8 += carry7; + s7 -= carry7 << 21; + carry8 = s8 >> 21; + s9 += carry8; + s8 -= carry8 << 21; + carry9 = s9 >> 21; + s10 += carry9; + s9 -= carry9 << 21; + carry10 = s10 >> 21; + s11 += carry10; + s10 -= carry10 << 21; + + s[0] = (unsigned char) (s0 >> 0); + s[1] = (unsigned char) (s0 >> 8); + s[2] = (unsigned char) ((s0 >> 16) | (s1 << 5)); + s[3] = (unsigned char) (s1 >> 3); + s[4] = (unsigned char) (s1 >> 11); + s[5] = (unsigned char) ((s1 >> 19) | (s2 << 2)); + s[6] = (unsigned char) (s2 >> 6); + s[7] = (unsigned char) ((s2 >> 14) | (s3 << 7)); + s[8] = (unsigned char) (s3 >> 1); + s[9] = (unsigned char) (s3 >> 9); + s[10] = (unsigned char) ((s3 >> 17) | (s4 << 4)); + s[11] = (unsigned char) (s4 >> 4); + s[12] = (unsigned char) (s4 >> 12); + s[13] = (unsigned char) ((s4 >> 20) | (s5 << 1)); + s[14] = (unsigned char) (s5 >> 7); + s[15] = (unsigned char) ((s5 >> 15) | (s6 << 6)); + s[16] = (unsigned char) (s6 >> 2); + s[17] = (unsigned char) (s6 >> 10); + s[18] = (unsigned char) ((s6 >> 18) | (s7 << 3)); + s[19] = (unsigned char) (s7 >> 5); + s[20] = (unsigned char) (s7 >> 13); + s[21] = (unsigned char) (s8 >> 0); + s[22] = (unsigned char) (s8 >> 8); + s[23] = (unsigned char) ((s8 >> 16) | (s9 << 5)); + s[24] = (unsigned char) (s9 >> 3); + s[25] = (unsigned char) (s9 >> 11); + s[26] = (unsigned char) ((s9 >> 19) | (s10 << 2)); + s[27] = (unsigned char) (s10 >> 6); + s[28] = (unsigned char) ((s10 >> 14) | (s11 << 7)); + s[29] = (unsigned char) (s11 >> 1); + s[30] = (unsigned char) (s11 >> 9); + s[31] = (unsigned char) (s11 >> 17); +} diff --git a/3rd_party/ed25519/sc.h b/3rd_party/ed25519/sc.h new file mode 100644 index 0000000..e29e7fa --- /dev/null +++ b/3rd_party/ed25519/sc.h @@ -0,0 +1,12 @@ +#ifndef SC_H +#define SC_H + +/* +The set of scalars is \Z/l +where l = 2^252 + 27742317777372353535851937790883648493. +*/ + +void sc_reduce(unsigned char *s); +void sc_muladd(unsigned char *s, const unsigned char *a, const unsigned char *b, const unsigned char *c); + +#endif diff --git a/3rd_party/ed25519/seed.c b/3rd_party/ed25519/seed.c new file mode 100644 index 0000000..11a2e3e --- /dev/null +++ b/3rd_party/ed25519/seed.c @@ -0,0 +1,40 @@ +#include "ed25519.h" + +#ifndef ED25519_NO_SEED + +#ifdef _WIN32 +#include +#include +#else +#include +#endif + +int ed25519_create_seed(unsigned char *seed) { +#ifdef _WIN32 + HCRYPTPROV prov; + + if (!CryptAcquireContext(&prov, NULL, NULL, PROV_RSA_FULL, CRYPT_VERIFYCONTEXT)) { + return 1; + } + + if (!CryptGenRandom(prov, 32, seed)) { + CryptReleaseContext(prov, 0); + return 1; + } + + CryptReleaseContext(prov, 0); +#else + FILE *f = fopen("/dev/urandom", "rb"); + + if (f == NULL) { + return 1; + } + + fread(seed, 1, 32, f); + fclose(f); +#endif + + return 0; +} + +#endif diff --git a/3rd_party/ed25519/sha512.c b/3rd_party/ed25519/sha512.c new file mode 100644 index 0000000..cb8ae71 --- /dev/null +++ b/3rd_party/ed25519/sha512.c @@ -0,0 +1,275 @@ +/* LibTomCrypt, modular cryptographic library -- Tom St Denis + * + * LibTomCrypt is a library that provides various cryptographic + * algorithms in a highly modular and flexible manner. + * + * The library is free for all purposes without any express + * guarantee it works. + * + * Tom St Denis, tomstdenis@gmail.com, http://libtom.org + */ + +#include "fixedint.h" +#include "sha512.h" + +/* the K array */ +static const uint64_t K[80] = { + UINT64_C(0x428a2f98d728ae22), UINT64_C(0x7137449123ef65cd), + UINT64_C(0xb5c0fbcfec4d3b2f), UINT64_C(0xe9b5dba58189dbbc), + UINT64_C(0x3956c25bf348b538), UINT64_C(0x59f111f1b605d019), + UINT64_C(0x923f82a4af194f9b), UINT64_C(0xab1c5ed5da6d8118), + UINT64_C(0xd807aa98a3030242), UINT64_C(0x12835b0145706fbe), + UINT64_C(0x243185be4ee4b28c), UINT64_C(0x550c7dc3d5ffb4e2), + UINT64_C(0x72be5d74f27b896f), UINT64_C(0x80deb1fe3b1696b1), + UINT64_C(0x9bdc06a725c71235), UINT64_C(0xc19bf174cf692694), + UINT64_C(0xe49b69c19ef14ad2), UINT64_C(0xefbe4786384f25e3), + UINT64_C(0x0fc19dc68b8cd5b5), UINT64_C(0x240ca1cc77ac9c65), + UINT64_C(0x2de92c6f592b0275), UINT64_C(0x4a7484aa6ea6e483), + UINT64_C(0x5cb0a9dcbd41fbd4), UINT64_C(0x76f988da831153b5), + UINT64_C(0x983e5152ee66dfab), UINT64_C(0xa831c66d2db43210), + UINT64_C(0xb00327c898fb213f), UINT64_C(0xbf597fc7beef0ee4), + UINT64_C(0xc6e00bf33da88fc2), UINT64_C(0xd5a79147930aa725), + UINT64_C(0x06ca6351e003826f), UINT64_C(0x142929670a0e6e70), + UINT64_C(0x27b70a8546d22ffc), UINT64_C(0x2e1b21385c26c926), + UINT64_C(0x4d2c6dfc5ac42aed), UINT64_C(0x53380d139d95b3df), + UINT64_C(0x650a73548baf63de), UINT64_C(0x766a0abb3c77b2a8), + UINT64_C(0x81c2c92e47edaee6), UINT64_C(0x92722c851482353b), + UINT64_C(0xa2bfe8a14cf10364), UINT64_C(0xa81a664bbc423001), + UINT64_C(0xc24b8b70d0f89791), UINT64_C(0xc76c51a30654be30), + UINT64_C(0xd192e819d6ef5218), UINT64_C(0xd69906245565a910), + UINT64_C(0xf40e35855771202a), UINT64_C(0x106aa07032bbd1b8), + UINT64_C(0x19a4c116b8d2d0c8), UINT64_C(0x1e376c085141ab53), + UINT64_C(0x2748774cdf8eeb99), UINT64_C(0x34b0bcb5e19b48a8), + UINT64_C(0x391c0cb3c5c95a63), UINT64_C(0x4ed8aa4ae3418acb), + UINT64_C(0x5b9cca4f7763e373), UINT64_C(0x682e6ff3d6b2b8a3), + UINT64_C(0x748f82ee5defb2fc), UINT64_C(0x78a5636f43172f60), + UINT64_C(0x84c87814a1f0ab72), UINT64_C(0x8cc702081a6439ec), + UINT64_C(0x90befffa23631e28), UINT64_C(0xa4506cebde82bde9), + UINT64_C(0xbef9a3f7b2c67915), UINT64_C(0xc67178f2e372532b), + UINT64_C(0xca273eceea26619c), UINT64_C(0xd186b8c721c0c207), + UINT64_C(0xeada7dd6cde0eb1e), UINT64_C(0xf57d4f7fee6ed178), + UINT64_C(0x06f067aa72176fba), UINT64_C(0x0a637dc5a2c898a6), + UINT64_C(0x113f9804bef90dae), UINT64_C(0x1b710b35131c471b), + UINT64_C(0x28db77f523047d84), UINT64_C(0x32caab7b40c72493), + UINT64_C(0x3c9ebe0a15c9bebc), UINT64_C(0x431d67c49c100d4c), + UINT64_C(0x4cc5d4becb3e42b6), UINT64_C(0x597f299cfc657e2a), + UINT64_C(0x5fcb6fab3ad6faec), UINT64_C(0x6c44198c4a475817) +}; + +/* Various logical functions */ + +#define ROR64c(x, y) \ + ( ((((x)&UINT64_C(0xFFFFFFFFFFFFFFFF))>>((uint64_t)(y)&UINT64_C(63))) | \ + ((x)<<((uint64_t)(64-((y)&UINT64_C(63)))))) & UINT64_C(0xFFFFFFFFFFFFFFFF)) + +#define STORE64H(x, y) \ + { (y)[0] = (unsigned char)(((x)>>56)&255); (y)[1] = (unsigned char)(((x)>>48)&255); \ + (y)[2] = (unsigned char)(((x)>>40)&255); (y)[3] = (unsigned char)(((x)>>32)&255); \ + (y)[4] = (unsigned char)(((x)>>24)&255); (y)[5] = (unsigned char)(((x)>>16)&255); \ + (y)[6] = (unsigned char)(((x)>>8)&255); (y)[7] = (unsigned char)((x)&255); } + +#define LOAD64H(x, y) \ + { x = (((uint64_t)((y)[0] & 255))<<56)|(((uint64_t)((y)[1] & 255))<<48) | \ + (((uint64_t)((y)[2] & 255))<<40)|(((uint64_t)((y)[3] & 255))<<32) | \ + (((uint64_t)((y)[4] & 255))<<24)|(((uint64_t)((y)[5] & 255))<<16) | \ + (((uint64_t)((y)[6] & 255))<<8)|(((uint64_t)((y)[7] & 255))); } + + +#define Ch(x,y,z) (z ^ (x & (y ^ z))) +#define Maj(x,y,z) (((x | y) & z) | (x & y)) +#define S(x, n) ROR64c(x, n) +#define R(x, n) (((x) &UINT64_C(0xFFFFFFFFFFFFFFFF))>>((uint64_t)n)) +#define Sigma0(x) (S(x, 28) ^ S(x, 34) ^ S(x, 39)) +#define Sigma1(x) (S(x, 14) ^ S(x, 18) ^ S(x, 41)) +#define Gamma0(x) (S(x, 1) ^ S(x, 8) ^ R(x, 7)) +#define Gamma1(x) (S(x, 19) ^ S(x, 61) ^ R(x, 6)) +#ifndef MIN + #define MIN(x, y) ( ((x)<(y))?(x):(y) ) +#endif + +/* compress 1024-bits */ +static int sha512_compress(sha512_context *md, unsigned char *buf) +{ + uint64_t S[8], W[80], t0, t1; + int i; + + /* copy state into S */ + for (i = 0; i < 8; i++) { + S[i] = md->state[i]; + } + + /* copy the state into 1024-bits into W[0..15] */ + for (i = 0; i < 16; i++) { + LOAD64H(W[i], buf + (8*i)); + } + + /* fill W[16..79] */ + for (i = 16; i < 80; i++) { + W[i] = Gamma1(W[i - 2]) + W[i - 7] + Gamma0(W[i - 15]) + W[i - 16]; + } + +/* Compress */ + #define RND(a,b,c,d,e,f,g,h,i) \ + t0 = h + Sigma1(e) + Ch(e, f, g) + K[i] + W[i]; \ + t1 = Sigma0(a) + Maj(a, b, c);\ + d += t0; \ + h = t0 + t1; + + for (i = 0; i < 80; i += 8) { + RND(S[0],S[1],S[2],S[3],S[4],S[5],S[6],S[7],i+0); + RND(S[7],S[0],S[1],S[2],S[3],S[4],S[5],S[6],i+1); + RND(S[6],S[7],S[0],S[1],S[2],S[3],S[4],S[5],i+2); + RND(S[5],S[6],S[7],S[0],S[1],S[2],S[3],S[4],i+3); + RND(S[4],S[5],S[6],S[7],S[0],S[1],S[2],S[3],i+4); + RND(S[3],S[4],S[5],S[6],S[7],S[0],S[1],S[2],i+5); + RND(S[2],S[3],S[4],S[5],S[6],S[7],S[0],S[1],i+6); + RND(S[1],S[2],S[3],S[4],S[5],S[6],S[7],S[0],i+7); + } + + #undef RND + + + + /* feedback */ + for (i = 0; i < 8; i++) { + md->state[i] = md->state[i] + S[i]; + } + + return 0; +} + + +/** + Initialize the hash state + @param md The hash state you wish to initialize + @return 0 if successful +*/ +int sha512_init(sha512_context * md) { + if (md == NULL) return 1; + + md->curlen = 0; + md->length = 0; + md->state[0] = UINT64_C(0x6a09e667f3bcc908); + md->state[1] = UINT64_C(0xbb67ae8584caa73b); + md->state[2] = UINT64_C(0x3c6ef372fe94f82b); + md->state[3] = UINT64_C(0xa54ff53a5f1d36f1); + md->state[4] = UINT64_C(0x510e527fade682d1); + md->state[5] = UINT64_C(0x9b05688c2b3e6c1f); + md->state[6] = UINT64_C(0x1f83d9abfb41bd6b); + md->state[7] = UINT64_C(0x5be0cd19137e2179); + + return 0; +} + +/** + Process a block of memory though the hash + @param md The hash state + @param in The data to hash + @param inlen The length of the data (octets) + @return 0 if successful +*/ +int sha512_update (sha512_context * md, const unsigned char *in, size_t inlen) +{ + size_t n; + size_t i; + int err; + if (md == NULL) return 1; + if (in == NULL) return 1; + if (md->curlen > sizeof(md->buf)) { + return 1; + } + while (inlen > 0) { + if (md->curlen == 0 && inlen >= 128) { + if ((err = sha512_compress (md, (unsigned char *)in)) != 0) { + return err; + } + md->length += 128 * 8; + in += 128; + inlen -= 128; + } else { + n = MIN(inlen, (128 - md->curlen)); + + for (i = 0; i < n; i++) { + md->buf[i + md->curlen] = in[i]; + } + + + md->curlen += n; + in += n; + inlen -= n; + if (md->curlen == 128) { + if ((err = sha512_compress (md, md->buf)) != 0) { + return err; + } + md->length += 8*128; + md->curlen = 0; + } + } + } + return 0; +} + +/** + Terminate the hash to get the digest + @param md The hash state + @param out [out] The destination of the hash (64 bytes) + @return 0 if successful +*/ + int sha512_final(sha512_context * md, unsigned char *out) + { + int i; + + if (md == NULL) return 1; + if (out == NULL) return 1; + + if (md->curlen >= sizeof(md->buf)) { + return 1; + } + + /* increase the length of the message */ + md->length += md->curlen * UINT64_C(8); + + /* append the '1' bit */ + md->buf[md->curlen++] = (unsigned char)0x80; + + /* if the length is currently above 112 bytes we append zeros + * then compress. Then we can fall back to padding zeros and length + * encoding like normal. + */ + if (md->curlen > 112) { + while (md->curlen < 128) { + md->buf[md->curlen++] = (unsigned char)0; + } + sha512_compress(md, md->buf); + md->curlen = 0; + } + + /* pad upto 120 bytes of zeroes + * note: that from 112 to 120 is the 64 MSB of the length. We assume that you won't hash + * > 2^64 bits of data... :-) + */ +while (md->curlen < 120) { + md->buf[md->curlen++] = (unsigned char)0; +} + + /* store length */ +STORE64H(md->length, md->buf+120); +sha512_compress(md, md->buf); + + /* copy output */ +for (i = 0; i < 8; i++) { + STORE64H(md->state[i], out+(8*i)); +} + +return 0; +} + +int sha512(const unsigned char *message, size_t message_len, unsigned char *out) +{ + sha512_context ctx; + int ret; + if ((ret = sha512_init(&ctx))) return ret; + if ((ret = sha512_update(&ctx, message, message_len))) return ret; + if ((ret = sha512_final(&ctx, out))) return ret; + return 0; +} diff --git a/3rd_party/ed25519/sha512.h b/3rd_party/ed25519/sha512.h new file mode 100644 index 0000000..a34dd5e --- /dev/null +++ b/3rd_party/ed25519/sha512.h @@ -0,0 +1,21 @@ +#ifndef SHA512_H +#define SHA512_H + +#include + +#include "fixedint.h" + +/* state */ +typedef struct sha512_context_ { + uint64_t length, state[8]; + size_t curlen; + unsigned char buf[128]; +} sha512_context; + + +int sha512_init(sha512_context * md); +int sha512_final(sha512_context * md, unsigned char *out); +int sha512_update(sha512_context * md, const unsigned char *in, size_t inlen); +int sha512(const unsigned char *message, size_t message_len, unsigned char *out); + +#endif diff --git a/3rd_party/ed25519/sign.c b/3rd_party/ed25519/sign.c new file mode 100644 index 0000000..199a839 --- /dev/null +++ b/3rd_party/ed25519/sign.c @@ -0,0 +1,31 @@ +#include "ed25519.h" +#include "sha512.h" +#include "ge.h" +#include "sc.h" + + +void ed25519_sign(unsigned char *signature, const unsigned char *message, size_t message_len, const unsigned char *public_key, const unsigned char *private_key) { + sha512_context hash; + unsigned char hram[64]; + unsigned char r[64]; + ge_p3 R; + + + sha512_init(&hash); + sha512_update(&hash, private_key + 32, 32); + sha512_update(&hash, message, message_len); + sha512_final(&hash, r); + + sc_reduce(r); + ge_scalarmult_base(&R, r); + ge_p3_tobytes(signature, &R); + + sha512_init(&hash); + sha512_update(&hash, signature, 32); + sha512_update(&hash, public_key, 32); + sha512_update(&hash, message, message_len); + sha512_final(&hash, hram); + + sc_reduce(hram); + sc_muladd(signature + 32, hram, private_key, r); +} diff --git a/3rd_party/ed25519/verify.c b/3rd_party/ed25519/verify.c new file mode 100644 index 0000000..32f988e --- /dev/null +++ b/3rd_party/ed25519/verify.c @@ -0,0 +1,77 @@ +#include "ed25519.h" +#include "sha512.h" +#include "ge.h" +#include "sc.h" + +static int consttime_equal(const unsigned char *x, const unsigned char *y) { + unsigned char r = 0; + + r = x[0] ^ y[0]; + #define F(i) r |= x[i] ^ y[i] + F(1); + F(2); + F(3); + F(4); + F(5); + F(6); + F(7); + F(8); + F(9); + F(10); + F(11); + F(12); + F(13); + F(14); + F(15); + F(16); + F(17); + F(18); + F(19); + F(20); + F(21); + F(22); + F(23); + F(24); + F(25); + F(26); + F(27); + F(28); + F(29); + F(30); + F(31); + #undef F + + return !r; +} + +int ed25519_verify(const unsigned char *signature, const unsigned char *message, size_t message_len, const unsigned char *public_key) { + unsigned char h[64]; + unsigned char checker[32]; + sha512_context hash; + ge_p3 A; + ge_p2 R; + + if (signature[63] & 224) { + return 0; + } + + if (ge_frombytes_negate_vartime(&A, public_key) != 0) { + return 0; + } + + sha512_init(&hash); + sha512_update(&hash, signature, 32); + sha512_update(&hash, public_key, 32); + sha512_update(&hash, message, message_len); + sha512_final(&hash, h); + + sc_reduce(h); + ge_double_scalarmult_vartime(&R, h, &A, signature + 32); + ge_tobytes(checker, &R); + + if (!consttime_equal(checker, signature)) { + return 0; + } + + return 1; +} diff --git a/3rd_party/libsrp6a-sha512/LICENSE b/3rd_party/libsrp6a-sha512/LICENSE new file mode 100644 index 0000000..7f70640 --- /dev/null +++ b/3rd_party/libsrp6a-sha512/LICENSE @@ -0,0 +1,62 @@ +Licensing +--------- + +SRP is royalty-free worldwide for commercial and non-commercial use. +The SRP library has been carefully written not to depend on any +encumbered algorithms, and it is distributed under a standard +BSD-style Open Source license which is shown below. This license +covers implementations based on the SRP library as well as +independent implementations based on RFC 2945. + +The SRP distribution itself contains algorithms and code from +various freeware packages; these parts fall under both the SRP +Open Source license and the packages' own licenses. Care has +been taken to ensure that these licenses are compatible with +Open Source distribution, but it is the responsibility of the +licensee to comply with the terms of these licenses. This +disclaimer also applies to third-party libraries that may be +linked into the distribution, since they may contain patented +intellectual property. The file "Copyrights" contains a list +of the copyrights incorporated by portions of the software. + +Broader use of the SRP authentication technology, such as variants +incorporating the use of an explicit server secret (SRP-Z), may +require a license; please contact the Stanford Office of Technology +Licensing (http://otl.stanford.edu/) for more information about +terms and conditions. + +This software is covered under the following copyright: + +/* + * Copyright (c) 1997-2007 The Stanford SRP Authentication Project + * All Rights Reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, + * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY + * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + * + * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL, + * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER + * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF + * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT + * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Redistributions in source or binary form must retain an intact copy + * of this copyright notice. + */ + +Address all questions regarding this license to: + + Tom Wu + tjw@cs.Stanford.EDU diff --git a/3rd_party/libsrp6a-sha512/Makefile.am b/3rd_party/libsrp6a-sha512/Makefile.am new file mode 100644 index 0000000..8c6e2f5 --- /dev/null +++ b/3rd_party/libsrp6a-sha512/Makefile.am @@ -0,0 +1,31 @@ +AUTOMAKE_OPTIONS = foreign no-dependencies + +AM_CPPFLAGS = \ + -I$(top_srcdir)/include \ + -I$(top_srcdir) \ + -Wno-incompatible-pointer-types + +include_HEADERS = srp.h srp_aux.h cstr.h + +AM_CFLAGS = -DHAVE_CONFIG_H +if HAVE_OPENSSL +AM_CFLAGS += -DOPENSSL=1 -DOPENSSL_ENGINE=1 $(openssl_CFLAGS) +else +if HAVE_GCRYPT +AM_CFLAGS += -DGCRYPT=1 $(libgcrypt_CFLAGS) +else +if HAVE_MBEDTLS +AM_CFLAGS += -DMBEDTLS=1 $(mbedtls_CFLAGS) +endif +endif +endif + +noinst_LTLIBRARIES = libsrp6a-sha512.la + +libsrp6a_sha512_la_SOURCES = \ + t_conv.c t_math.c t_misc.c \ + t_truerand.c cstr.c \ + srp.c srp6a_sha512_client.c +if !HAVE_OPENSSL +libsrp6a_sha512_la_SOURCES += t_sha.c +endif diff --git a/3rd_party/libsrp6a-sha512/README.md b/3rd_party/libsrp6a-sha512/README.md new file mode 100644 index 0000000..4affe4a --- /dev/null +++ b/3rd_party/libsrp6a-sha512/README.md @@ -0,0 +1,35 @@ +# SRP6a-sha512 library + +## About + +This library is based on Stanford's Secure Remote Password (SRP) protocol +implementation, or more precise on the `libsrp` part thereof. +The entire source code for the SRP project can be obtained from [here](https://github.com/secure-remote-password/stanford-srp). + +It has been adapted to the needs of the libimobiledevice project, and +contains just a part of the original code; it only supports the SRP6a +client method which has been modified to use SHA512 instead of SHA1. +The only supported SRP method is `SRP6a_sha512_client_method()`. +Besides that, support for MbedTLS has been added. + +Also, all server-side code has been removed, and the client-side code +has been reduced to a minimum, so that basically only the following +functions remain operational: + +- `SRP_initialize_library` +- `SRP_new` +- `SRP_free` +- `SRP_set_user_raw` +- `SRP_set_params` +- `SRP_set_auth_password` +- `SRP_gen_pub` +- `SRP_compute_key` +- `SRP_respond` +- `SRP_verify` + +Anything else has not been tested and must be considered non-functional. + +## License + +The license of the original work does still apply and can be found in the +LICENSE file that comes with the code. diff --git a/3rd_party/libsrp6a-sha512/cstr.c b/3rd_party/libsrp6a-sha512/cstr.c new file mode 100644 index 0000000..9856f46 --- /dev/null +++ b/3rd_party/libsrp6a-sha512/cstr.c @@ -0,0 +1,226 @@ +#include +#include + +#include "config.h" +#include "cstr.h" + +#define EXPFACTOR 2 /* Minimum expansion factor */ +#define MINSIZE 4 /* Absolute minimum - one word */ + +static char cstr_empty_string[] = { '\0' }; +static cstr_allocator * default_alloc = NULL; + +/* + * It is assumed, for efficiency, that it is okay to pass more arguments + * to a function than are called for, as long as the required arguments + * are in proper form. If extra arguments to malloc() and free() cause + * problems, define PEDANTIC_ARGS below. + */ +#ifdef PEDANTIC_ARGS +static void * Cmalloc(int n, void * heap) { return malloc(n); } +static void Cfree(void * p, void * heap) { free(p); } +static cstr_allocator malloc_allocator = { Cmalloc, Cfree, NULL }; +#else +static cstr_allocator malloc_allocator = { malloc, free, NULL }; +#endif + +_TYPE( void ) +cstr_set_allocator(cstr_allocator * alloc) +{ + default_alloc = alloc; +} + +_TYPE( cstr * ) +cstr_new_alloc(cstr_allocator * alloc) +{ + cstr * str; + + if(alloc == NULL) { + if(default_alloc == NULL) { + default_alloc = &malloc_allocator; + } + alloc = default_alloc; + } + + str = (cstr *) (*alloc->alloc)(sizeof(cstr), alloc->heap); + if(str) { + str->data = cstr_empty_string; + str->length = str->cap = 0; + str->ref = 1; + str->allocator = alloc; + } + return str; +} + +_TYPE( cstr * ) +cstr_new() +{ + return cstr_new_alloc(NULL); +} + +_TYPE( cstr * ) +cstr_dup_alloc(const cstr * str, cstr_allocator * alloc) +{ + cstr * nstr = cstr_new_alloc(alloc); + if(nstr) + cstr_setn(nstr, str->data, str->length); + return nstr; +} + +_TYPE( cstr * ) +cstr_dup(const cstr * str) +{ + return cstr_dup_alloc(str, NULL); +} + +_TYPE( cstr * ) +cstr_create(const char * s) +{ + return cstr_createn(s, strlen(s)); +} + +_TYPE( cstr * ) +cstr_createn(const char * s, int len) +{ + cstr * str = cstr_new(); + if(str) { + cstr_setn(str, s, len); + } + return str; +} + +_TYPE( void ) +cstr_use(cstr * str) +{ + ++str->ref; +} + +_TYPE( void ) +cstr_clear_free(cstr * str) +{ + if(--str->ref == 0) { + if(str->cap > 0) { + memset(str->data, 0, str->cap); + (*str->allocator->free)(str->data, str->allocator->heap); + } + (*str->allocator->free)(str, str->allocator->heap); + } +} + +_TYPE( void ) +cstr_free(cstr * str) +{ + if(--str->ref == 0) { + if(str->cap > 0) + (*str->allocator->free)(str->data, str->allocator->heap); + (*str->allocator->free)(str, str->allocator->heap); + } +} + +_TYPE( void ) +cstr_empty(cstr * str) +{ + if(str->cap > 0) + (*str->allocator->free)(str->data, str->allocator->heap); + str->data = cstr_empty_string; + str->length = str->cap = 0; +} + +static int +cstr_alloc(cstr * str, int len) +{ + char * t; + + if(len > str->cap) { + if(len < EXPFACTOR * str->cap) + len = EXPFACTOR * str->cap; + if(len < MINSIZE) + len = MINSIZE; + + t = (char *) (*str->allocator->alloc)(len * sizeof(char), + str->allocator->heap); + if(t) { + if(str->data) { + t[str->length] = 0; + if(str->cap > 0) { + if(str->length > 0) + memcpy(t, str->data, str->length); + free(str->data); + } + } + str->data = t; + str->cap = len; + return 1; + } + else + return -1; + } + else + return 0; +} + +_TYPE( int ) +cstr_copy(cstr * dst, const cstr * src) +{ + return cstr_setn(dst, src->data, src->length); +} + +_TYPE( int ) +cstr_set(cstr * str, const char * s) +{ + return cstr_setn(str, s, strlen(s)); +} + +_TYPE( int ) +cstr_setn(cstr * str, const char * s, int len) +{ + if(cstr_alloc(str, len + 1) < 0) + return -1; + str->data[len] = 0; + if(s != NULL && len > 0) + memmove(str->data, s, len); + str->length = len; + return 1; +} + +_TYPE( int ) +cstr_set_length(cstr * str, int len) +{ + if(len < str->length) { + str->data[len] = 0; + str->length = len; + return 1; + } + else if(len > str->length) { + if(cstr_alloc(str, len + 1) < 0) + return -1; + memset(str->data + str->length, 0, len - str->length + 1); + str->length = len; + return 1; + } + else + return 0; +} + +_TYPE( int ) +cstr_append(cstr * str, const char * s) +{ + return cstr_appendn(str, s, strlen(s)); +} + +_TYPE( int ) +cstr_appendn(cstr * str, const char * s, int len) +{ + if(cstr_alloc(str, str->length + len + 1) < 0) + return -1; + memcpy(str->data + str->length, s, len); + str->length += len; + str->data[str->length] = 0; + return 1; +} + +_TYPE( int ) +cstr_append_str(cstr * dst, const cstr * src) +{ + return cstr_appendn(dst, src->data, src->length); +} diff --git a/3rd_party/libsrp6a-sha512/cstr.h b/3rd_party/libsrp6a-sha512/cstr.h new file mode 100644 index 0000000..7cc019a --- /dev/null +++ b/3rd_party/libsrp6a-sha512/cstr.h @@ -0,0 +1,94 @@ +#ifndef _CSTR_H_ +#define _CSTR_H_ + +/* A general-purpose string "class" for C */ + +#if !defined(P) +#ifdef __STDC__ +#define P(x) x +#else +#define P(x) () +#endif +#endif + +/* For building dynamic link libraries under windows, windows NT + * using MSVC1.5 or MSVC2.0 + */ + +#ifndef _DLLDECL +#define _DLLDECL + +#ifdef MSVC15 /* MSVC1.5 support for 16 bit apps */ +#define _MSVC15EXPORT _export +#define _MSVC20EXPORT +#define _DLLAPI _export _pascal +#define _CDECL +#define _TYPE(a) a _MSVC15EXPORT +#define DLLEXPORT 1 + +#elif defined(MSVC20) || (defined(_USRDLL) && defined(SRP_EXPORTS)) +#define _MSVC15EXPORT +#define _MSVC20EXPORT _declspec(dllexport) +#define _DLLAPI +#define _CDECL +#define _TYPE(a) _MSVC20EXPORT a +#define DLLEXPORT 1 + +#else /* Default, non-dll. Use this for Unix or DOS */ +#define _MSVC15DEXPORT +#define _MSVC20EXPORT +#define _DLLAPI +#if defined(WINDOWS) || defined(WIN32) +#define _CDECL _cdecl +#else +#define _CDECL +#endif +#define _TYPE(a) a _CDECL +#endif +#endif /* _DLLDECL */ + +#ifdef __cplusplus +extern "C" { +#endif /* __cplusplus */ + +/* Arguments to allocator methods ordered this way for compatibility */ +typedef struct cstr_alloc_st { + void * (_CDECL * alloc)(size_t n, void * heap); + void (_CDECL * free)(void * p, void * heap); + void * heap; +} cstr_allocator; + +typedef struct cstr_st { + char * data; /* Okay to access data and length fields directly */ + int length; + int cap; + int ref; /* Simple reference counter */ + cstr_allocator * allocator; +} cstr; + +_TYPE( void ) cstr_set_allocator P((cstr_allocator * alloc)); + +_TYPE( cstr * ) cstr_new P((void)); +_TYPE( cstr * ) cstr_new_alloc P((cstr_allocator * alloc)); +_TYPE( cstr * ) cstr_dup P((const cstr * str)); +_TYPE( cstr * ) cstr_dup_alloc P((const cstr * str, cstr_allocator * alloc)); +_TYPE( cstr * ) cstr_create P((const char * s)); +_TYPE( cstr * ) cstr_createn P((const char * s, int len)); + +_TYPE( void ) cstr_free P((cstr * str)); +_TYPE( void ) cstr_clear_free P((cstr * str)); +_TYPE( void ) cstr_use P((cstr * str)); +_TYPE( void ) cstr_empty P((cstr * str)); +_TYPE( int ) cstr_copy P((cstr * dst, const cstr * src)); +_TYPE( int ) cstr_set P((cstr * str, const char * s)); +_TYPE( int ) cstr_setn P((cstr * str, const char * s, int len)); +_TYPE( int ) cstr_set_length P((cstr * str, int len)); +_TYPE( int ) cstr_append P((cstr * str, const char * s)); +_TYPE( int ) cstr_appendn P((cstr * str, const char * s, int len)); +_TYPE( int ) cstr_append_str P((cstr * dst, const cstr * src)); + +#ifdef __cplusplus +} +#endif /* __cplusplus */ + +#endif /* _CSTR_H_ */ diff --git a/3rd_party/libsrp6a-sha512/srp.c b/3rd_party/libsrp6a-sha512/srp.c new file mode 100644 index 0000000..74e1f98 --- /dev/null +++ b/3rd_party/libsrp6a-sha512/srp.c @@ -0,0 +1,274 @@ +/* + * Copyright (c) 1997-2007 The Stanford SRP Authentication Project + * All Rights Reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, + * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY + * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + * + * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL, + * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER + * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF + * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT + * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Redistributions in source or binary form must retain an intact copy + * of this copyright notice. + */ + +#include "t_defines.h" +#include "srp.h" + +static int library_initialized = 0; + +_TYPE( SRP_RESULT ) +SRP_initialize_library() +{ + if(library_initialized == 0) { + BigIntegerInitialize(); + t_stronginitrand(); + library_initialized = 1; + } + return SRP_SUCCESS; +} + +_TYPE( SRP_RESULT ) +SRP_finalize_library() +{ + if(library_initialized > 0) { + library_initialized = 0; + BigIntegerFinalize(); + } + return SRP_SUCCESS; +} + +static int srp_modulus_min_bits = SRP_DEFAULT_MIN_BITS; + +_TYPE( SRP_RESULT ) +SRP_set_modulus_min_bits(int minbits) +{ + srp_modulus_min_bits = minbits; + return SRP_SUCCESS; +} + +_TYPE( int ) +SRP_get_modulus_min_bits() +{ + return srp_modulus_min_bits; +} + +static int +default_secret_bits_cb(int modsize) +{ + return 256; + /*return modsize;*/ /* Warning: Very Slow */ +} + +static SRP_SECRET_BITS_CB srp_sb_cb = default_secret_bits_cb; + +_TYPE( SRP_RESULT ) +SRP_set_secret_bits_cb(SRP_SECRET_BITS_CB cb) +{ + srp_sb_cb = cb; + return SRP_SUCCESS; +} + +_TYPE( int ) +SRP_get_secret_bits(int modsize) +{ + return (*srp_sb_cb)(modsize); +} + +_TYPE( SRP * ) +SRP_new(SRP_METHOD * meth) +{ + SRP * srp = (SRP *) malloc(sizeof(SRP)); + + if(srp == NULL) + return NULL; + + srp->flags = 0; + srp->username = cstr_new(); + srp->bctx = BigIntegerCtxNew(); + srp->modulus = NULL; + srp->accel = NULL; + srp->generator = NULL; + srp->salt = NULL; + srp->verifier = NULL; + srp->password = NULL; + srp->pubkey = NULL; + srp->secret = NULL; + srp->u = NULL; + srp->key = NULL; + srp->ex_data = cstr_new(); + srp->param_cb = NULL; + srp->meth = meth; + srp->meth_data = NULL; + //srp->slu = NULL; + if(srp->meth->init == NULL || (*srp->meth->init)(srp) == SRP_SUCCESS) + return srp; + free(srp); + return NULL; +} + +_TYPE( SRP_RESULT ) +SRP_free(SRP * srp) +{ + if(srp->meth->finish) + (*srp->meth->finish)(srp); + + if(srp->username) + cstr_clear_free(srp->username); + if(srp->modulus) + BigIntegerFree(srp->modulus); + if(srp->accel) + BigIntegerModAccelFree(srp->accel); + if(srp->generator) + BigIntegerFree(srp->generator); + if(srp->salt) + cstr_clear_free(srp->salt); + if(srp->verifier) + BigIntegerClearFree(srp->verifier); + if(srp->password) + BigIntegerClearFree(srp->password); + if(srp->pubkey) + BigIntegerFree(srp->pubkey); + if(srp->secret) + BigIntegerClearFree(srp->secret); + if(srp->u) + BigIntegerFree(srp->u); + if(srp->key) + BigIntegerClearFree(srp->key); + if(srp->bctx) + BigIntegerCtxFree(srp->bctx); + if(srp->ex_data) + cstr_clear_free(srp->ex_data); + free(srp); + return SRP_SUCCESS; +} + +_TYPE( SRP_RESULT ) +SRP_set_client_param_verify_cb(SRP * srp, SRP_CLIENT_PARAM_VERIFY_CB cb) +{ + srp->param_cb = cb; + return SRP_SUCCESS; +} + +_TYPE( SRP_RESULT ) +SRP_set_username(SRP * srp, const char * username) +{ + cstr_set(srp->username, username); + return SRP_SUCCESS; +} + +_TYPE( SRP_RESULT ) +SRP_set_user_raw(SRP * srp, const unsigned char * user, int userlen) +{ + cstr_setn(srp->username, (const char*)user, userlen); + return SRP_SUCCESS; +} + +_TYPE( SRP_RESULT ) +SRP_set_params(SRP * srp, const unsigned char * modulus, int modlen, + const unsigned char * generator, int genlen, + const unsigned char * salt, int saltlen) +{ + SRP_RESULT rc; + + if(modulus == NULL || generator == NULL || salt == NULL) + return SRP_ERROR; + + /* Set fields in SRP context */ + srp->modulus = BigIntegerFromBytes(modulus, modlen); + if(srp->flags & SRP_FLAG_MOD_ACCEL) + srp->accel = BigIntegerModAccelNew(srp->modulus, srp->bctx); + srp->generator = BigIntegerFromBytes(generator, genlen); + if(srp->salt == NULL) + srp->salt = cstr_new(); + cstr_setn(srp->salt, (const char*)salt, saltlen); + + /* Now attempt to validate parameters */ + if(BigIntegerBitLen(srp->modulus) < SRP_get_modulus_min_bits()) + return SRP_ERROR; + + if(srp->param_cb) { + rc = (*srp->param_cb)(srp, modulus, modlen, generator, genlen); + if(!SRP_OK(rc)) + return rc; + } + + return (*srp->meth->params)(srp, modulus, modlen, generator, genlen, + salt, saltlen); +} + +_TYPE( SRP_RESULT ) +SRP_set_authenticator(SRP * srp, const unsigned char * a, int alen) +{ + return (*srp->meth->auth)(srp, a, alen); +} + +_TYPE( SRP_RESULT ) +SRP_set_auth_password(SRP * srp, const char * password) +{ + return (*srp->meth->passwd)(srp, (const unsigned char *)password, + strlen(password)); +} + +_TYPE( SRP_RESULT ) +SRP_set_auth_password_raw(SRP * srp, + const unsigned char * password, int passlen) +{ + return (*srp->meth->passwd)(srp, password, passlen); +} + +_TYPE( SRP_RESULT ) +SRP_gen_pub(SRP * srp, cstr ** result) +{ + return (*srp->meth->genpub)(srp, result); +} + +_TYPE( SRP_RESULT ) +SRP_add_ex_data(SRP * srp, const unsigned char * data, int datalen) +{ + cstr_appendn(srp->ex_data, (const char*)data, datalen); + return SRP_SUCCESS; +} + +_TYPE( SRP_RESULT ) +SRP_compute_key(SRP * srp, cstr ** result, + const unsigned char * pubkey, int pubkeylen) +{ + return (*srp->meth->key)(srp, result, pubkey, pubkeylen); +} + +_TYPE( SRP_RESULT ) +SRP_verify(SRP * srp, const unsigned char * proof, int prooflen) +{ + return (*srp->meth->verify)(srp, proof, prooflen); +} + +_TYPE( SRP_RESULT ) +SRP_respond(SRP * srp, cstr ** proof) +{ + return (*srp->meth->respond)(srp, proof); +} + +_TYPE( SRP_RESULT ) +SRP_use_engine(const char * engine) +{ + if(BigIntegerOK(BigIntegerUseEngine(engine))) + return SRP_SUCCESS; + else + return SRP_ERROR; +} diff --git a/3rd_party/libsrp6a-sha512/srp.h b/3rd_party/libsrp6a-sha512/srp.h new file mode 100644 index 0000000..b1d46af --- /dev/null +++ b/3rd_party/libsrp6a-sha512/srp.h @@ -0,0 +1,372 @@ +/* + * Copyright (c) 1997-2007 The Stanford SRP Authentication Project + * All Rights Reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, + * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY + * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + * + * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL, + * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER + * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF + * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT + * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Redistributions in source or binary form must retain an intact copy + * of this copyright notice. + */ +#ifndef _SRP_H_ +#define _SRP_H_ + +#include "cstr.h" +#include "srp_aux.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* SRP library version identification */ +#define SRP_VERSION_MAJOR 2 +#define SRP_VERSION_MINOR 0 +#define SRP_VERSION_PATCHLEVEL 1 + +typedef int SRP_RESULT; +/* Returned codes for SRP API functions */ +#define SRP_OK(v) ((v) == SRP_SUCCESS) +#define SRP_SUCCESS 0 +#define SRP_ERROR -1 + +/* Set the minimum number of bits acceptable in an SRP modulus */ +#define SRP_DEFAULT_MIN_BITS 512 +_TYPE( SRP_RESULT ) SRP_set_modulus_min_bits P((int minbits)); +_TYPE( int ) SRP_get_modulus_min_bits P((void)); + +/* + * Sets the "secret size callback" function. + * This function is called with the modulus size in bits, + * and returns the size of the secret exponent in bits. + * The default function always returns 256 bits. + */ +typedef int (_CDECL * SRP_SECRET_BITS_CB)(int modsize); +_TYPE( SRP_RESULT ) SRP_set_secret_bits_cb P((SRP_SECRET_BITS_CB cb)); +_TYPE( int ) SRP_get_secret_bits P((int modsize)); + +typedef struct srp_st SRP; + +#if 0 +/* Server Lookup API */ +typedef struct srp_server_lu_st SRP_SERVER_LOOKUP; + +typedef struct srp_s_lu_meth_st { + const char * name; + + SRP_RESULT (_CDECL * init)(SRP_SERVER_LOOKUP * slu); + SRP_RESULT (_CDECL * finish)(SRP_SERVER_LOOKUP * slu); + + SRP_RESULT (_CDECL * lookup)(SRP_SERVER_LOOKUP * slu, SRP * srp, cstr * username); + + void * meth_data; +} SRP_SERVER_LOOKUP_METHOD; + +struct srp_server_lu_st { + SRP_SERVER_LOOKUP_METHOD * meth; + void * data; +}; + +/* + * The Server Lookup API deals with the server-side issue of + * mapping usernames to verifiers. Given a username, a lookup + * mechanism needs to provide parameters (N, g), salt (s), and + * password verifier (v) for that user. + * + * A SRP_SERVER_LOOKUP_METHOD describes the general mechanism + * for performing lookups (e.g. files, LDAP, database, etc.) + * A SRP_SERVER_LOOKUP is an active "object" that is actually + * called to do lookups. + */ +_TYPE( SRP_SERVER_LOOKUP * ) + SRP_SERVER_LOOKUP_new P((SRP_SERVER_LOOKUP_METHOD * meth)); +_TYPE( SRP_RESULT ) SRP_SERVER_LOOKUP_free P((SRP_SERVER_LOOKUP * slu)); +_TYPE( SRP_RESULT ) SRP_SERVER_do_lookup P((SRP_SERVER_LOOKUP * slu, + SRP * srp, cstr * username)); + +/* + * SRP_SERVER_system_lookup supercedes SRP_server_init_user. + */ +_TYPE( SRP_SERVER_LOOKUP * ) SRP_SERVER_system_lookup P((void)); +#endif + +/* + * Client Parameter Verification API + * + * This callback is called from the SRP client when the + * parameters (modulus and generator) are set. The callback + * should return SRP_SUCCESS if the parameters are okay, + * otherwise some error code to indicate that the parameters + * should be rejected. + */ +typedef SRP_RESULT (_CDECL * SRP_CLIENT_PARAM_VERIFY_CB)(SRP * srp, const unsigned char * mod, int modlen, const unsigned char * gen, int genlen); + +#if 0 +/* The default parameter verifier function */ +_TYPE( SRP_RESULT ) SRP_CLIENT_default_param_verify_cb(SRP * srp, const unsigned char * mod, int modlen, const unsigned char * gen, int genlen); +/* A parameter verifier that only accepts builtin params (no prime test) */ +_TYPE( SRP_RESULT ) SRP_CLIENT_builtin_param_verify_cb(SRP * srp, const unsigned char * mod, int modlen, const unsigned char * gen, int genlen); +/* The "classic" parameter verifier that accepts either builtin params + * immediately, and performs safe-prime tests on N and primitive-root + * tests on g otherwise. SECURITY WARNING: This may allow for certain + * attacks based on "trapdoor" moduli, so this is not recommended. */ +_TYPE( SRP_RESULT ) SRP_CLIENT_compat_param_verify_cb(SRP * srp, const unsigned char * mod, int modlen, const unsigned char * gen, int genlen); + +#endif + +/* + * Main SRP API - SRP and SRP_METHOD + */ + +/* SRP method definitions */ +typedef struct srp_meth_st { + const char * name; + + SRP_RESULT (_CDECL * init)(SRP * srp); + SRP_RESULT (_CDECL * finish)(SRP * srp); + + SRP_RESULT (_CDECL * params)(SRP * srp, + const unsigned char * modulus, int modlen, + const unsigned char * generator, int genlen, + const unsigned char * salt, int saltlen); + SRP_RESULT (_CDECL * auth)(SRP * srp, const unsigned char * a, int alen); + SRP_RESULT (_CDECL * passwd)(SRP * srp, + const unsigned char * pass, int passlen); + SRP_RESULT (_CDECL * genpub)(SRP * srp, cstr ** result); + SRP_RESULT (_CDECL * key)(SRP * srp, cstr ** result, + const unsigned char * pubkey, int pubkeylen); + SRP_RESULT (_CDECL * verify)(SRP * srp, + const unsigned char * proof, int prooflen); + SRP_RESULT (_CDECL * respond)(SRP * srp, cstr ** proof); + + void * data; +} SRP_METHOD; + +/* Magic numbers for the SRP context header */ +#define SRP_MAGIC_CLIENT 12 +#define SRP_MAGIC_SERVER 28 + +/* Flag bits for SRP struct */ +#define SRP_FLAG_MOD_ACCEL 0x1 /* accelerate modexp operations */ +#define SRP_FLAG_LEFT_PAD 0x2 /* left-pad to length-of-N inside hashes */ + +/* + * A hybrid structure that represents either client or server state. + */ +struct srp_st { + int magic; /* To distinguish client from server (and for sanity) */ + + int flags; + + cstr * username; + + BigInteger modulus; + BigInteger generator; + cstr * salt; + + BigInteger verifier; + BigInteger password; + + BigInteger pubkey; + BigInteger secret; + BigInteger u; + + BigInteger key; + + cstr * ex_data; + + SRP_METHOD * meth; + void * meth_data; + + BigIntegerCtx bctx; /* to cache temporaries if available */ + BigIntegerModAccel accel; /* to accelerate modexp if available */ + + SRP_CLIENT_PARAM_VERIFY_CB param_cb; /* to verify params */ + //SRP_SERVER_LOOKUP * slu; /* to look up users */ +}; + +/* + * Global initialization/de-initialization functions. + * Call SRP_initialize_library before using the library, + * and SRP_finalize_library when done. + */ +_TYPE( SRP_RESULT ) SRP_initialize_library(); +_TYPE( SRP_RESULT ) SRP_finalize_library(); + +/* + * SRP_new() creates a new SRP context object - + * the method determines which "sense" (client or server) + * the object operates in. SRP_free() frees it. + * (See RFC2945 method definitions below.) + */ +_TYPE( SRP * ) SRP_new P((SRP_METHOD * meth)); +_TYPE( SRP_RESULT ) SRP_free P((SRP * srp)); + +#if 0 +/* + * Use the supplied lookup object to look up user parameters and + * password verifier. The lookup function gets called during + * SRP_set_username/SRP_set_user_raw below. Using this function + * means that the server can avoid calling SRP_set_params and + * SRP_set_authenticator, since the lookup function handles that + * internally. + */ +_TYPE( SRP_RESULT ) SRP_set_server_lookup P((SRP * srp, + SRP_SERVER_LOOKUP * lookup)); +#endif + +/* + * Use the supplied callback function to verify parameters + * (modulus, generator) given to the client. + */ +_TYPE( SRP_RESULT ) + SRP_set_client_param_verify_cb P((SRP * srp, + SRP_CLIENT_PARAM_VERIFY_CB cb)); + +/* + * Both client and server must call both SRP_set_username and + * SRP_set_params, in that order, before calling anything else. + * SRP_set_user_raw is an alternative to SRP_set_username that + * accepts an arbitrary length-bounded octet string as input. + */ +_TYPE( SRP_RESULT ) SRP_set_username P((SRP * srp, const char * username)); +_TYPE( SRP_RESULT ) SRP_set_user_raw P((SRP * srp, const unsigned char * user, + int userlen)); +_TYPE( SRP_RESULT ) + SRP_set_params P((SRP * srp, + const unsigned char * modulus, int modlen, + const unsigned char * generator, int genlen, + const unsigned char * salt, int saltlen)); + +/* + * On the client, SRP_set_authenticator, SRP_gen_exp, and + * SRP_add_ex_data can be called in any order. + * On the server, SRP_set_authenticator must come first, + * followed by SRP_gen_exp and SRP_add_ex_data in either order. + */ +/* + * The authenticator is the secret possessed by either side. + * For the server, this is the bigendian verifier, as an octet string. + * For the client, this is the bigendian raw secret, as an octet string. + * The server's authenticator must be the generator raised to the power + * of the client's raw secret modulo the common modulus for authentication + * to succeed. + * + * SRP_set_auth_password computes the authenticator from a plaintext + * password and then calls SRP_set_authenticator automatically. This is + * usually used on the client side, while the server usually uses + * SRP_set_authenticator (since it doesn't know the plaintext password). + */ +_TYPE( SRP_RESULT ) + SRP_set_authenticator P((SRP * srp, const unsigned char * a, int alen)); +_TYPE( SRP_RESULT ) + SRP_set_auth_password P((SRP * srp, const char * password)); +_TYPE( SRP_RESULT ) + SRP_set_auth_password_raw P((SRP * srp, + const unsigned char * password, + int passlen)); + +/* + * SRP_gen_pub generates the random exponential residue to send + * to the other side. If using SRP-3/RFC2945, the server must + * withhold its result until it receives the client's number. + * If using SRP-6, the server can send its value immediately + * without waiting for the client. + * + * If "result" points to a NULL pointer, a new cstr object will be + * created to hold the result, and "result" will point to it. + * If "result" points to a non-NULL cstr pointer, the result will be + * placed there. + * If "result" itself is NULL, no result will be returned, + * although the big integer value will still be available + * through srp->pubkey in the SRP struct. + */ +_TYPE( SRP_RESULT ) SRP_gen_pub P((SRP * srp, cstr ** result)); +/* + * Append the data to the extra data segment. Authentication will + * not succeed unless both sides add precisely the same data in + * the same order. + */ +_TYPE( SRP_RESULT ) SRP_add_ex_data P((SRP * srp, const unsigned char * data, + int datalen)); + +/* + * SRP_compute_key must be called after the previous three methods. + */ +_TYPE( SRP_RESULT ) SRP_compute_key P((SRP * srp, cstr ** result, + const unsigned char * pubkey, + int pubkeylen)); + +/* + * On the client, call SRP_respond first to get the response to send + * to the server, and call SRP_verify to verify the server's response. + * On the server, call SRP_verify first to verify the client's response, + * and call SRP_respond ONLY if verification succeeds. + * + * It is an error to call SRP_respond with a NULL pointer. + */ +_TYPE( SRP_RESULT ) SRP_verify P((SRP * srp, + const unsigned char * proof, int prooflen)); +_TYPE( SRP_RESULT ) SRP_respond P((SRP * srp, cstr ** response)); + +/* RFC2945-style SRP authentication */ + +#define RFC2945_KEY_LEN 40 /* length of session key (bytes) */ +#define RFC2945_RESP_LEN 20 /* length of proof hashes (bytes) */ + +/* + * RFC2945-style SRP authentication methods. Use these like: + * SRP * srp = SRP_new(SRP_RFC2945_client_method()); + */ +_TYPE( SRP_METHOD * ) SRP_RFC2945_client_method P((void)); +_TYPE( SRP_METHOD * ) SRP_RFC2945_server_method P((void)); + +/* + * SRP-6 and SRP-6a authentication methods. + * SRP-6a is recommended for better resistance to 2-for-1 attacks. + */ +_TYPE( SRP_METHOD * ) SRP6_client_method P((void)); +_TYPE( SRP_METHOD * ) SRP6_server_method P((void)); +_TYPE( SRP_METHOD * ) SRP6a_client_method P((void)); +_TYPE( SRP_METHOD * ) SRP6a_server_method P((void)); + +_TYPE( SRP_METHOD * ) SRP6a_sha512_client_method P((void)); + +/* + * Convenience function - SRP_server_init_user + * Looks up the username from the system EPS configuration and calls + * SRP_set_username, SRP_set_params, and SRP_set_authenticator to + * initialize server state for that user. + * + * This is deprecated in favor of SRP_SERVER_system_lookup() and + * the Server Lookup API. + */ +_TYPE( SRP_RESULT ) SRP_server_init_user P((SRP * srp, const char * username)); + +/* + * Use the named engine for acceleration. + */ +_TYPE( SRP_RESULT ) SRP_use_engine P((const char * engine)); + +#ifdef __cplusplus +} +#endif + +#endif /* _SRP_H_ */ diff --git a/3rd_party/libsrp6a-sha512/srp6a_sha512_client.c b/3rd_party/libsrp6a-sha512/srp6a_sha512_client.c new file mode 100644 index 0000000..db59fe8 --- /dev/null +++ b/3rd_party/libsrp6a-sha512/srp6a_sha512_client.c @@ -0,0 +1,363 @@ +/* + * Copyright (c) 1997-2007 The Stanford SRP Authentication Project + * All Rights Reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, + * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY + * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + * + * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL, + * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER + * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF + * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT + * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Redistributions in source or binary form must retain an intact copy + * of this copyright notice. + */ +#include "t_defines.h" +#include "srp.h" +#include "t_sha.h" + +/* + * SRP-6/6a has two minor refinements relative to SRP-3/RFC2945: + * 1. The "g^x" value is multipled by three in the client's + * calculation of its session key. + * SRP-6a: The "g^x" value is multiplied by the hash of + * N and g in the client's session key calculation. + * 2. The value of u is taken as the hash of A and B, + * instead of the top 32 bits of the hash of B. + * This eliminates the old restriction where the + * server had to receive A before it could send B. + */ + +/****************************/ +#define SHA512_DIGESTSIZE 64 +#define SRP6_SHA512_KEY_LEN 64 + +/* + * The client keeps track of the running hash + * state via SHA512_CTX structures pointed to by the + * meth_data pointer. The "hash" member is the hash value that + * will be sent to the other side; the "ckhash" member is the + * hash value expected from the other side. + */ +struct sha512_client_meth_st { + SHA512_CTX hash; + SHA512_CTX ckhash; + unsigned char k[SRP6_SHA512_KEY_LEN]; +}; + +#define SHA512_CLIENT_CTXP(srp) ((struct sha512_client_meth_st *)(srp)->meth_data) + +static SRP_RESULT +srp6a_sha512_client_init(SRP * srp) +{ + srp->magic = SRP_MAGIC_CLIENT; + srp->flags = SRP_FLAG_MOD_ACCEL | SRP_FLAG_LEFT_PAD; + srp->meth_data = malloc(sizeof(struct sha512_client_meth_st)); + SHA512Init(&SHA512_CLIENT_CTXP(srp)->hash); + SHA512Init(&SHA512_CLIENT_CTXP(srp)->ckhash); + return SRP_SUCCESS; +} + +static SRP_RESULT +srp6_sha512_client_finish(SRP * srp) +{ + if(srp->meth_data) { + memset(srp->meth_data, 0, sizeof(struct sha512_client_meth_st)); + free(srp->meth_data); + } + return SRP_SUCCESS; +} + +static SRP_RESULT +srp6_sha512_client_params(SRP * srp, const unsigned char * modulus, int modlen, + const unsigned char * generator, int genlen, + const unsigned char * salt, int saltlen) +{ + int i; + unsigned char buf1[SHA512_DIGESTSIZE], buf2[SHA512_DIGESTSIZE]; + SHA512_CTX ctxt; + + /* Fields set by SRP_set_params */ + + /* Update hash state */ + SHA512Init(&ctxt); + SHA512Update(&ctxt, modulus, modlen); + SHA512Final(buf1, &ctxt); /* buf1 = H(modulus) */ + + SHA512Init(&ctxt); + SHA512Update(&ctxt, generator, genlen); + SHA512Final(buf2, &ctxt); /* buf2 = H(generator) */ + + for(i = 0; i < sizeof(buf1); ++i) + buf1[i] ^= buf2[i]; /* buf1 = H(modulus) xor H(generator) */ + + /* hash: H(N) xor H(g) */ + SHA512Update(&SHA512_CLIENT_CTXP(srp)->hash, buf1, sizeof(buf1)); + + SHA512Init(&ctxt); + SHA512Update(&ctxt, srp->username->data, srp->username->length); + SHA512Final(buf1, &ctxt); /* buf1 = H(user) */ + + /* hash: (H(N) xor H(g)) | H(U) */ + SHA512Update(&SHA512_CLIENT_CTXP(srp)->hash, buf1, sizeof(buf1)); + + /* hash: (H(N) xor H(g)) | H(U) | s */ + SHA512Update(&SHA512_CLIENT_CTXP(srp)->hash, salt, saltlen); + + return SRP_SUCCESS; +} + +static SRP_RESULT +srp6_sha512_client_auth(SRP * srp, const unsigned char * a, int alen) +{ + /* On the client, the authenticator is the raw password-derived hash */ + srp->password = BigIntegerFromBytes(a, alen); + + /* verifier = g^x mod N */ + srp->verifier = BigIntegerFromInt(0); + BigIntegerModExp(srp->verifier, srp->generator, srp->password, srp->modulus, srp->bctx, srp->accel); + + return SRP_SUCCESS; +} + +static SRP_RESULT +srp6_sha512_client_passwd(SRP * srp, const unsigned char * p, int plen) +{ + SHA512_CTX ctxt; + unsigned char dig[SHA512_DIGESTSIZE]; + int r; + + SHA512Init(&ctxt); + SHA512Update(&ctxt, srp->username->data, srp->username->length); + SHA512Update(&ctxt, ":", 1); + SHA512Update(&ctxt, p, plen); + SHA512Final(dig, &ctxt); /* dig = H(U | ":" | P) */ + + SHA512Init(&ctxt); + SHA512Update(&ctxt, srp->salt->data, srp->salt->length); + SHA512Update(&ctxt, dig, sizeof(dig)); + SHA512Final(dig, &ctxt); /* dig = H(s | H(U | ":" | P)) */ + memset(&ctxt, 0, sizeof(ctxt)); + + r = SRP_set_authenticator(srp, dig, sizeof(dig)); + memset(dig, 0, sizeof(dig)); + + return r; +} + +static SRP_RESULT +srp6_sha512_client_genpub(SRP * srp, cstr ** result) +{ + cstr * astr; + int slen = (SRP_get_secret_bits(BigIntegerBitLen(srp->modulus)) + 7) / 8; + + if(result == NULL) + astr = cstr_new(); + else { + if(*result == NULL) + *result = cstr_new(); + astr = *result; + } + + cstr_set_length(astr, BigIntegerByteLen(srp->modulus)); + t_random((unsigned char*)astr->data, slen); + srp->secret = BigIntegerFromBytes((const unsigned char*)astr->data, slen); + /* Force g^a mod n to "wrap around" by adding log[2](n) to "a". */ + BigIntegerAddInt(srp->secret, srp->secret, BigIntegerBitLen(srp->modulus)); + /* A = g^a mod n */ + srp->pubkey = BigIntegerFromInt(0); + BigIntegerModExp(srp->pubkey, srp->generator, srp->secret, srp->modulus, srp->bctx, srp->accel); + BigIntegerToCstr(srp->pubkey, astr); + + /* hash: (H(N) xor H(g)) | H(U) | s | A */ + SHA512Update(&SHA512_CLIENT_CTXP(srp)->hash, astr->data, astr->length); + /* ckhash: A */ + SHA512Update(&SHA512_CLIENT_CTXP(srp)->ckhash, astr->data, astr->length); + + if(result == NULL) /* astr was a temporary */ + cstr_clear_free(astr); + + return SRP_SUCCESS; +} + +static SRP_RESULT +srp6_sha512_client_key_ex(SRP * srp, cstr ** result, + const unsigned char * pubkey, int pubkeylen, BigInteger k) +{ + SHA512_CTX ctxt; + unsigned char dig[SHA512_DIGESTSIZE]; + BigInteger gb, e; + cstr * s; + int modlen; + + modlen = BigIntegerByteLen(srp->modulus); + if(pubkeylen > modlen) + return SRP_ERROR; + + /* Compute u from client's and server's values */ + SHA512Init(&ctxt); + /* Use s as a temporary to store client's value */ + s = cstr_new(); + if(srp->flags & SRP_FLAG_LEFT_PAD) { + BigIntegerToCstrEx(srp->pubkey, s, modlen); + SHA512Update(&ctxt, s->data, s->length); + if(pubkeylen < modlen) { + memcpy(s->data + (modlen - pubkeylen), pubkey, pubkeylen); + memset(s->data, 0, modlen - pubkeylen); + SHA512Update(&ctxt, s->data, modlen); + } + else + SHA512Update(&ctxt, pubkey, pubkeylen); + } + else { + BigIntegerToCstr(srp->pubkey, s); + SHA512Update(&ctxt, s->data, s->length); + SHA512Update(&ctxt, pubkey, pubkeylen); + } + SHA512Final(dig, &ctxt); + srp->u = BigIntegerFromBytes(dig, SHA512_DIGESTSIZE); + + /* hash: (H(N) xor H(g)) | H(U) | s | A | B */ + SHA512Update(&SHA512_CLIENT_CTXP(srp)->hash, pubkey, pubkeylen); + + gb = BigIntegerFromBytes(pubkey, pubkeylen); + /* reject B == 0, B >= modulus */ + if(BigIntegerCmp(gb, srp->modulus) >= 0 || BigIntegerCmpInt(gb, 0) == 0) { + BigIntegerFree(gb); + cstr_clear_free(s); + return SRP_ERROR; + } + e = BigIntegerFromInt(0); + srp->key = BigIntegerFromInt(0); + /* unblind g^b (mod N) */ + BigIntegerSub(srp->key, srp->modulus, srp->verifier); + /* use e as temporary, e == -k*v (mod N) */ + BigIntegerMul(e, k, srp->key, srp->bctx); + BigIntegerAdd(e, e, gb); + BigIntegerMod(gb, e, srp->modulus, srp->bctx); + + /* compute gb^(a + ux) (mod N) */ + BigIntegerMul(e, srp->password, srp->u, srp->bctx); + BigIntegerAdd(e, e, srp->secret); /* e = a + ux */ + + BigIntegerModExp(srp->key, gb, e, srp->modulus, srp->bctx, srp->accel); + BigIntegerClearFree(e); + BigIntegerClearFree(gb); + + /* convert srp->key into a session key, update hash states */ + BigIntegerToCstr(srp->key, s); + SHA512Init(&ctxt); + SHA512Update(&ctxt, s->data, s->length); + SHA512Final((unsigned char*)&SHA512_CLIENT_CTXP(srp)->k, &ctxt); + cstr_clear_free(s); + + /* hash: (H(N) xor H(g)) | H(U) | s | A | B | K */ + SHA512Update(&SHA512_CLIENT_CTXP(srp)->hash, SHA512_CLIENT_CTXP(srp)->k, SRP6_SHA512_KEY_LEN); + /* hash: (H(N) xor H(g)) | H(U) | s | A | B | K | ex_data */ + if(srp->ex_data->length > 0) + SHA512Update(&SHA512_CLIENT_CTXP(srp)->hash, + srp->ex_data->data, srp->ex_data->length); + if(result) { + if(*result == NULL) + *result = cstr_new(); + cstr_setn(*result, (const char*)SHA512_CLIENT_CTXP(srp)->k, SRP6_SHA512_KEY_LEN); + } + + return SRP_SUCCESS; +} + +static SRP_RESULT +srp6a_sha512_client_key(SRP * srp, cstr ** result, + const unsigned char * pubkey, int pubkeylen) +{ + SRP_RESULT ret; + BigInteger k; + cstr * s; + SHA512_CTX ctxt; + unsigned char dig[SHA512_DIGESTSIZE]; + + SHA512Init(&ctxt); + s = cstr_new(); + BigIntegerToCstr(srp->modulus, s); + SHA512Update(&ctxt, s->data, s->length); + if(srp->flags & SRP_FLAG_LEFT_PAD) + BigIntegerToCstrEx(srp->generator, s, s->length); + else + BigIntegerToCstr(srp->generator, s); + SHA512Update(&ctxt, s->data, s->length); + SHA512Final(dig, &ctxt); + cstr_free(s); + + k = BigIntegerFromBytes(dig, SHA512_DIGESTSIZE); + if(BigIntegerCmpInt(k, 0) == 0) + ret = SRP_ERROR; + else + ret = srp6_sha512_client_key_ex(srp, result, pubkey, pubkeylen, k); + BigIntegerClearFree(k); + return ret; +} + +static SRP_RESULT +srp6_sha512_client_verify(SRP * srp, const unsigned char * proof, int prooflen) +{ + unsigned char expected[SHA512_DIGESTSIZE]; + + SHA512Final(expected, &SHA512_CLIENT_CTXP(srp)->ckhash); + if(prooflen == SHA512_DIGESTSIZE && memcmp(expected, proof, prooflen) == 0) + return SRP_SUCCESS; + else + return SRP_ERROR; +} + +static SRP_RESULT +srp6_sha512_client_respond(SRP * srp, cstr ** proof) +{ + if(proof == NULL) + return SRP_ERROR; + + if(*proof == NULL) + *proof = cstr_new(); + + /* proof contains client's response */ + cstr_set_length(*proof, SHA512_DIGESTSIZE); + SHA512Final((unsigned char*)(*proof)->data, &SHA512_CLIENT_CTXP(srp)->hash); + + /* ckhash: A | M | K */ + SHA512Update(&SHA512_CLIENT_CTXP(srp)->ckhash, (*proof)->data, (*proof)->length); + SHA512Update(&SHA512_CLIENT_CTXP(srp)->ckhash, SHA512_CLIENT_CTXP(srp)->k, SRP6_SHA512_KEY_LEN); + return SRP_SUCCESS; +} + +static SRP_METHOD srp6a_sha512_client_meth = { + "SRP-6a sha512 client (tjw)", + srp6a_sha512_client_init, + srp6_sha512_client_finish, + srp6_sha512_client_params, + srp6_sha512_client_auth, + srp6_sha512_client_passwd, + srp6_sha512_client_genpub, + srp6a_sha512_client_key, + srp6_sha512_client_verify, + srp6_sha512_client_respond, + NULL +}; + +_TYPE( SRP_METHOD * ) +SRP6a_sha512_client_method() +{ + return &srp6a_sha512_client_meth; +} diff --git a/3rd_party/libsrp6a-sha512/srp_aux.h b/3rd_party/libsrp6a-sha512/srp_aux.h new file mode 100644 index 0000000..5088f08 --- /dev/null +++ b/3rd_party/libsrp6a-sha512/srp_aux.h @@ -0,0 +1,146 @@ +/* + * Copyright (c) 1997-2007 The Stanford SRP Authentication Project + * All Rights Reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, + * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY + * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + * + * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL, + * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER + * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF + * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT + * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Redistributions in source or binary form must retain an intact copy + * of this copyright notice. + */ + +#ifndef SRP_AUX_H +#define SRP_AUX_H + +#include "cstr.h" + +#ifdef __cplusplus +extern "C" { +#endif + +/* BigInteger abstraction API */ + +#ifndef MATH_PRIV +typedef void * BigInteger; +typedef void * BigIntegerCtx; +typedef void * BigIntegerModAccel; +#endif + +/* + * Some functions return a BigIntegerResult. + * Use BigIntegerOK to test for success. + */ +#define BIG_INTEGER_SUCCESS 0 +#define BIG_INTEGER_ERROR -1 +#define BigIntegerOK(v) ((v) == BIG_INTEGER_SUCCESS) +typedef int BigIntegerResult; + +_TYPE( BigInteger ) BigIntegerFromInt P((unsigned int number)); +_TYPE( BigInteger ) BigIntegerFromBytes P((const unsigned char * bytes, + int length)); +#define BigIntegerByteLen(X) ((BigIntegerBitLen(X)+7)/8) +_TYPE( int ) BigIntegerToBytes P((BigInteger src, + unsigned char * dest, int destlen)); +_TYPE( BigIntegerResult ) BigIntegerToCstr P((BigInteger src, cstr * dest)); +_TYPE( BigIntegerResult ) BigIntegerToCstrEx P((BigInteger src, cstr * dest, int len)); +_TYPE( BigIntegerResult ) BigIntegerToHex P((BigInteger src, + char * dest, int destlen)); +_TYPE( BigIntegerResult ) BigIntegerToString P((BigInteger src, + char * dest, int destlen, + unsigned int radix)); +_TYPE( int ) BigIntegerBitLen P((BigInteger b)); +_TYPE( int ) BigIntegerCmp P((BigInteger c1, BigInteger c2)); +_TYPE( int ) BigIntegerCmpInt P((BigInteger c1, unsigned int c2)); +_TYPE( BigIntegerResult ) BigIntegerLShift P((BigInteger result, BigInteger x, + unsigned int bits)); +_TYPE( BigIntegerResult ) BigIntegerAdd P((BigInteger result, + BigInteger a1, BigInteger a2)); +_TYPE( BigIntegerResult ) BigIntegerAddInt P((BigInteger result, + BigInteger a1, unsigned int a2)); +_TYPE( BigIntegerResult ) BigIntegerSub P((BigInteger result, + BigInteger s1, BigInteger s2)); +_TYPE( BigIntegerResult ) BigIntegerSubInt P((BigInteger result, + BigInteger s1, unsigned int s2)); +/* For BigIntegerMul{,Int}: result != m1, m2 */ +_TYPE( BigIntegerResult ) BigIntegerMul P((BigInteger result, BigInteger m1, + BigInteger m2, BigIntegerCtx ctx)); +_TYPE( BigIntegerResult ) BigIntegerMulInt P((BigInteger result, + BigInteger m1, unsigned int m2, + BigIntegerCtx ctx)); +_TYPE( BigIntegerResult ) BigIntegerDivInt P((BigInteger result, + BigInteger d, unsigned int m, + BigIntegerCtx ctx)); +_TYPE( BigIntegerResult ) BigIntegerMod P((BigInteger result, BigInteger d, + BigInteger m, BigIntegerCtx ctx)); +_TYPE( unsigned int ) BigIntegerModInt P((BigInteger d, unsigned int m, + BigIntegerCtx ctx)); +_TYPE( BigIntegerResult ) BigIntegerModMul P((BigInteger result, + BigInteger m1, BigInteger m2, + BigInteger m, BigIntegerCtx ctx)); +_TYPE( BigIntegerResult ) BigIntegerModExp P((BigInteger result, + BigInteger base, BigInteger expt, + BigInteger modulus, + BigIntegerCtx ctx, + BigIntegerModAccel accel)); +_TYPE( int ) BigIntegerCheckPrime P((BigInteger n, BigIntegerCtx ctx)); + +_TYPE( BigIntegerResult ) BigIntegerFree P((BigInteger b)); +_TYPE( BigIntegerResult ) BigIntegerClearFree P((BigInteger b)); + +_TYPE( BigIntegerCtx ) BigIntegerCtxNew(); +_TYPE( BigIntegerResult ) BigIntegerCtxFree P((BigIntegerCtx ctx)); + +_TYPE( BigIntegerModAccel ) BigIntegerModAccelNew P((BigInteger m, + BigIntegerCtx ctx)); +_TYPE( BigIntegerResult ) BigIntegerModAccelFree P((BigIntegerModAccel accel)); + +_TYPE( BigIntegerResult ) BigIntegerInitialize(); +_TYPE( BigIntegerResult ) BigIntegerFinalize(); + +_TYPE( BigIntegerResult ) BigIntegerUseEngine P((const char * engine)); +_TYPE( BigIntegerResult ) BigIntegerReleaseEngine(); + +/* Miscellaneous functions - formerly in t_pwd.h */ + +/* + * "t_random" is a cryptographic random number generator, which is seeded + * from various high-entropy sources and uses a one-way hash function + * in a feedback configuration. + * "t_sessionkey" is the interleaved hash used to generate session keys + * from a large integer. + * "t_mgf1" is an implementation of MGF1 using SHA1 to generate session + * keys from large integers, and is preferred over the older + * interleaved hash, and is used with SRP6. + * "t_getpass" reads a password from the terminal without echoing. + */ +_TYPE( void ) t_random P((unsigned char *, unsigned)); +_TYPE( void ) t_stronginitrand(); +_TYPE( unsigned char * ) + t_sessionkey P((unsigned char *, unsigned char *, unsigned)); +_TYPE( void ) t_mgf1 P((unsigned char *, unsigned, + const unsigned char *, unsigned)); +_TYPE( int ) t_getpass P((char *, unsigned, const char *)); + +#ifdef __cplusplus +} +#endif + +#endif /* SRP_AUX_H */ diff --git a/3rd_party/libsrp6a-sha512/t_conv.c b/3rd_party/libsrp6a-sha512/t_conv.c new file mode 100644 index 0000000..f7f50e2 --- /dev/null +++ b/3rd_party/libsrp6a-sha512/t_conv.c @@ -0,0 +1,258 @@ +/* + * Copyright (c) 1997-2007 The Stanford SRP Authentication Project + * All Rights Reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, + * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY + * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + * + * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL, + * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER + * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF + * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT + * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Redistributions in source or binary form must retain an intact copy + * of this copyright notice. + */ + +/*#define _POSIX_SOURCE*/ +#include +#include "t_defines.h" +#include "cstr.h" + +static int +hexDigitToInt(c) + char c; +{ + if(c >= '0' && c <= '9') + return c - '0'; + else if(c >= 'a' && c <= 'f') + return c - 'a' + 10; + else if(c >= 'A' && c <= 'F') + return c - 'A' + 10; + else + return 0; +} + +/* + * Convert a hex string to a string of bytes; return size of dst + */ +_TYPE( int ) +t_fromhex(dst, src) + char * dst; + const char * src; +{ + register char *chp = dst; + register unsigned size = strlen(src); + + /* FIXME: handle whitespace and non-hex digits by setting size and src + appropriately. */ + + if(size % 2 == 1) { + *chp++ = hexDigitToInt(*src++); + --size; + } + while(size > 0) { + *chp++ = (hexDigitToInt(*src) << 4) | hexDigitToInt(*(src + 1)); + src += 2; + size -= 2; + } + return chp - dst; +} + +/* + * Convert a string of bytes to their hex representation + */ +_TYPE( char * ) +t_tohex(dst, src, size) + char * dst; + const char * src; + unsigned size; +{ + int notleading = 0; + + register char *chp = dst; + *dst = '\0'; + if (size != 0) do { + if(notleading || *src != '\0') { + if(!notleading && (*src & 0xf0) == 0) { + sprintf(chp, "%.1X", * (unsigned char *) src); + chp += 1; + } + else { + sprintf(chp, "%.2X", * (unsigned char *) src); + chp += 2; + } + notleading = 1; + } + ++src; + } while (--size != 0); + return dst; +} + +_TYPE( char * ) +t_tohexcstr(dst, src, size) + cstr * dst; + const char * src; + unsigned size; +{ + cstr_set_length(dst, 2 * size + 1); + return t_tohex(dst->data, src, size); +} + +static char b64table[] = + "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./"; + +/* + * Convert a base64 string into raw byte array representation. + */ +_TYPE( int ) +t_fromb64(dst, src) + char * dst; + const char * src; +{ + unsigned char *a; + char *loc; + int i, j; + unsigned int size; + + while(*src && (*src == ' ' || *src == '\t' || *src == '\n')) + ++src; + size = strlen(src); + + a = malloc((size + 1) * sizeof(unsigned char)); + if(a == (unsigned char *) 0) + return -1; + + i = 0; + while(i < size) { + loc = strchr(b64table, src[i]); + if(loc == (char *) 0) + break; + else + a[i] = loc - b64table; + ++i; + } + size = i; + + i = size - 1; + j = size; + while(1) { + a[j] = a[i]; + if(--i < 0) + break; + a[j] |= (a[i] & 3) << 6; + --j; + a[j] = (unsigned char) ((a[i] & 0x3c) >> 2); + if(--i < 0) + break; + a[j] |= (a[i] & 0xf) << 4; + --j; + a[j] = (unsigned char) ((a[i] & 0x30) >> 4); + if(--i < 0) + break; + a[j] |= (a[i] << 2); + + a[--j] = 0; + if(--i < 0) + break; + } + + while(a[j] == 0 && j <= size) + ++j; + + memcpy(dst, a + j, size - j + 1); + free(a); + return size - j + 1; +} + +_TYPE( int ) +t_cstrfromb64(dst, src) + cstr * dst; + const char * src; +{ + int len; + cstr_set_length(dst, (strlen(src) * 6 + 7) / 8); + len = t_fromb64(dst->data, src); + cstr_set_length(dst, len); + return len; +} + +/* + * Convert a raw byte string into a null-terminated base64 ASCII string. + */ +_TYPE( char * ) +t_tob64(dst, src, size) + char * dst; + const char * src; + unsigned size; +{ + int c, pos = size % 3; + unsigned char b0 = 0, b1 = 0, b2 = 0, notleading = 0; + char *olddst = dst; + + switch(pos) { + case 1: + b2 = src[0]; + break; + case 2: + b1 = src[0]; + b2 = src[1]; + break; + } + + while(1) { + c = (b0 & 0xfc) >> 2; + if(notleading || c != 0) { + *dst++ = b64table[c]; + notleading = 1; + } + c = ((b0 & 3) << 4) | ((b1 & 0xf0) >> 4); + if(notleading || c != 0) { + *dst++ = b64table[c]; + notleading = 1; + } + c = ((b1 & 0xf) << 2) | ((b2 & 0xc0) >> 6); + if(notleading || c != 0) { + *dst++ = b64table[c]; + notleading = 1; + } + c = b2 & 0x3f; + if(notleading || c != 0) { + *dst++ = b64table[c]; + notleading = 1; + } + if(pos >= size) + break; + else { + b0 = src[pos++]; + b1 = src[pos++]; + b2 = src[pos++]; + } + } + + *dst++ = '\0'; + return olddst; +} + +_TYPE( char * ) +t_tob64cstr(dst, src, sz) + cstr * dst; + const char * src; + unsigned int sz; +{ + cstr_set_length(dst, (sz * 8 + 5) / 6 + 1); + return t_tob64(dst->data, src, sz); +} diff --git a/3rd_party/libsrp6a-sha512/t_defines.h b/3rd_party/libsrp6a-sha512/t_defines.h new file mode 100644 index 0000000..447263f --- /dev/null +++ b/3rd_party/libsrp6a-sha512/t_defines.h @@ -0,0 +1,137 @@ +/* + * Copyright (c) 1997-2007 The Stanford SRP Authentication Project + * All Rights Reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, + * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY + * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + * + * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL, + * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER + * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF + * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT + * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Redistributions in source or binary form must retain an intact copy + * of this copyright notice. + */ + +#ifndef T_DEFINES_H +#define T_DEFINES_H + +#ifndef P +#if defined(__STDC__) || defined(__cplusplus) +#define P(x) x +#else +#define P(x) () +#endif +#endif + +#ifdef HAVE_CONFIG_H +#include "config.h" +#endif /* HAVE_CONFIG_H */ + +#ifndef _DLLDECL +#define _DLLDECL + +#ifdef MSVC15 /* MSVC1.5 support for 16 bit apps */ +#define _MSVC15EXPORT _export +#define _MSVC20EXPORT +#define _DLLAPI _export _pascal +#define _CDECL +#define _TYPE(a) a _MSVC15EXPORT +#define DLLEXPORT 1 + +#elif defined(MSVC20) || (defined(_USRDLL) && defined(SRP_EXPORTS)) +#define _MSVC15EXPORT +#define _MSVC20EXPORT _declspec(dllexport) +#define _DLLAPI +#define _CDECL +#define _TYPE(a) _MSVC20EXPORT a +#define DLLEXPORT 1 + +#else /* Default, non-dll. Use this for Unix or DOS */ +#define _MSVC15DEXPORT +#define _MSVC20EXPORT +#define _DLLAPI +#if defined(WINDOWS) || defined(WIN32) +#define _CDECL _cdecl +#else +#define _CDECL +#endif +#define _TYPE(a) a _CDECL +#endif +#endif + +#if STDC_HEADERS +#include +#include +#else /* not STDC_HEADERS */ +#ifndef HAVE_STRCHR +#define strchr index +#define strrchr rindex +#endif +char *strchr(), *strrchr(), *strtok(); +#ifndef HAVE_MEMCPY +#define memcpy(d, s, n) bcopy((s), (d), (n)) +#endif +#endif /* not STDC_HEADERS */ + +#include + +#if TIME_WITH_SYS_TIME +#include +#include +#else /* not TIME_WITH_SYS_TIME */ +#if HAVE_SYS_TIME_H +#include +#else +#include +#endif +#endif /* not TIME_WITH_SYS_TIME */ + +#if HAVE_TERMIOS_H +#include +#define STTY(fd, termio) tcsetattr(fd, TCSANOW, termio) +#define GTTY(fd, termio) tcgetattr(fd, termio) +#define TERMIO struct termios +#define USE_TERMIOS +#elif HAVE_TERMIO_H +#include +#include +#define STTY(fd, termio) ioctl(fd, TCSETA, termio) +#define GTTY(fd, termio) ioctl(fd, TCGETA, termio) +#define TEMRIO struct termio +#define USE_TERMIO +#elif HAVE_SGTTY_H +#include +#define STTY(fd, termio) stty(fd, termio) +#define GTTY(fd, termio) gtty(fd, termio) +#define TERMIO struct sgttyb +#define USE_SGTTY +#endif + +#ifdef WIN32 +#define USE_FTIME 1 +#define USE_RENAME 1 +#define NO_FCHMOD 1 +#endif + +#ifdef USE_FTIME +#include +#endif + +/* Looking for BigInteger math functions? They've moved to . */ + +#endif diff --git a/3rd_party/libsrp6a-sha512/t_math.c b/3rd_party/libsrp6a-sha512/t_math.c new file mode 100644 index 0000000..88ae12f --- /dev/null +++ b/3rd_party/libsrp6a-sha512/t_math.c @@ -0,0 +1,1008 @@ +/* + * Copyright (c) 1997-2007 The Stanford SRP Authentication Project + * All Rights Reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, + * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY + * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + * + * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL, + * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER + * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF + * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT + * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Redistributions in source or binary form must retain an intact copy + * of this copyright notice. + */ + +#include +#include + +#include "config.h" + +#ifdef OPENSSL +# include "openssl/opensslv.h" +# include "openssl/bn.h" +typedef BIGNUM * BigInteger; +typedef BN_CTX * BigIntegerCtx; +typedef BN_MONT_CTX * BigIntegerModAccel; +#include +# ifdef OPENSSL_ENGINE +# include "openssl/engine.h" +static ENGINE * default_engine = NULL; +# endif /* OPENSSL_ENGINE */ +typedef int (*modexp_meth)(BIGNUM *r, const BIGNUM *a, const BIGNUM *p, + const BIGNUM *m, BN_CTX *ctx, BN_MONT_CTX *mctx); +static modexp_meth default_modexp = NULL; +#elif defined(CRYPTOLIB) +# include "libcrypt.h" +typedef BigInt BigInteger; +typedef void * BigIntegerCtx; +typedef void * BigIntegerModAccel; +#elif defined(GNU_MP) +# include "gmp.h" +typedef MP_INT * BigInteger; +typedef void * BigIntegerCtx; +typedef void * BigIntegerModAccel; +# if __GNU_MP_VERSION >= 4 || (__GNU_MP_VERSION == 4 && __GNU_MP_VERSION_MINOR >= 1) +/* GMP 4.1 and up has fast import/export routines for integer conversion */ +# define GMP_IMPEXP 1 +# endif +#elif defined(TOMMATH) +# ifdef TOMCRYPT + /* as of v0.96 */ +# include "ltc_tommath.h" +# else +# include "tommath.h" +# endif +typedef mp_int * BigInteger; +typedef void * BigIntegerCtx; +typedef void * BigIntegerModAccel; +#elif defined(GCRYPT) +# include "gcrypt.h" +typedef gcry_mpi_t BigInteger; +typedef void * BigIntegerCtx; +typedef void * BigIntegerModAccel; +#elif defined(MPI) +# include "mpi.h" +typedef mp_int * BigInteger; +typedef void * BigIntegerCtx; +typedef void * BigIntegerModAccel; +#elif defined(MBEDTLS) +#include +#include +typedef mbedtls_mpi* BigInteger; +typedef void * BigIntegerCtx; +typedef void * BigIntegerModAccel; +#else +# error "no math library specified" +#endif +#define MATH_PRIV + +#include "t_defines.h" +#include "t_pwd.h" +#include "srp_aux.h" + +/* Math library interface stubs */ + +BigInteger +BigIntegerFromInt(n) + unsigned int n; +{ +#ifdef OPENSSL + BIGNUM * a = BN_new(); + if(a) + BN_set_word(a, n); + return a; +#elif defined(CRYPTOLIB) + return bigInit(n); +#elif defined(GNU_MP) + BigInteger rv = (BigInteger) malloc(sizeof(MP_INT)); + if(rv) + mpz_init_set_ui(rv, n); + return rv; +#elif defined(GCRYPT) + BigInteger rv = gcry_mpi_new(32); + gcry_mpi_set_ui(rv, n); + return rv; +#elif defined(MPI) || defined(TOMMATH) + BigInteger rv = (BigInteger) malloc(sizeof(mp_int)); + if(rv) { + mp_init(rv); + mp_set_int(rv, n); + } + return rv; +#elif defined(MBEDTLS) + mbedtls_mpi* a = (mbedtls_mpi*)malloc(sizeof(mbedtls_mpi)); + if (a) { + mbedtls_mpi_init(a); + mbedtls_mpi_lset(a, n); + } + return a; +#endif +} + +BigInteger +BigIntegerFromBytes(bytes, length) + const unsigned char * bytes; + int length; +{ +#ifdef OPENSSL + BIGNUM * a = BN_new(); + BN_bin2bn(bytes, length, a); + return a; +#elif defined(CRYPTOLIB) + BigInteger rv, t; + int i, n; + + rv = bigInit(0); + if(rv == NULL) + return rv; + if(length % 4 == 0) + RSA_bufToBig(bytes, length, rv); + else { /* Wouldn't need this if cryptolib behaved better */ + i = length & 0x3; + if(length > i) + RSA_bufToBig(bytes + i, length - i, rv); + for(n = 0; i > 0; --i) + n = (n << 8) | *bytes++; + t = bigInit(n); + bigLeftShift(t, (length & ~0x3) << 3, t); + bigAdd(rv, t, rv); + freeBignum(t); + } + return rv; +#elif defined(GNU_MP) + BigInteger rv = (BigInteger) malloc(sizeof(MP_INT)); + +# ifdef GMP_IMPEXP + if(rv) { + mpz_init(rv); + mpz_import(rv, length, 1, 1, 1, 0, bytes); + } +# else + cstr * hexbuf = cstr_new(); + + if(hexbuf) { + if(rv) + mpz_init_set_str(rv, t_tohexcstr(hexbuf, bytes, length), 16); + cstr_clear_free(hexbuf); + } +# endif /* GMP_IMPEXP */ + + return rv; +#elif defined(GCRYPT) + BigInteger rv; + gcry_mpi_scan(&rv, GCRYMPI_FMT_USG, bytes, length, NULL); + return rv; +#elif defined(MPI) || defined(TOMMATH) + BigInteger rv = (BigInteger) malloc(sizeof(mp_int)); + if(rv) { + mp_init(rv); + mp_read_unsigned_bin(rv, (unsigned char *)bytes, length); + } + return rv; +#elif defined(MBEDTLS) + mbedtls_mpi* a = (mbedtls_mpi*)malloc(sizeof(mbedtls_mpi)); + if (a) { + mbedtls_mpi_init(a); + mbedtls_mpi_read_binary(a, bytes, length); + } + return a; +#endif +} + +int +BigIntegerToBytes(src, dest, destlen) + BigInteger src; + unsigned char * dest; + int destlen; +{ +#ifdef OPENSSL + return BN_bn2bin(src, dest); +#elif defined(CRYPTOLIB) + int i, j; + cstr * rawbuf; + + trim(src); + i = bigBytes(src); + j = (bigBits(src) + 7) / 8; + if(i == j) + RSA_bigToBuf(src, i, dest); + else { /* Wouldn't need this if cryptolib behaved better */ + rawbuf = cstr_new(); + cstr_set_length(rawbuf, i); + RSA_bigToBuf(src, i, rawbuf->data); + memcpy(dest, rawbuf->data + (i-j), j); + cstr_clear_free(rawbuf); + } + return j; +#elif defined(GNU_MP) + size_t r = 0; +# ifdef GMP_IMPEXP + mpz_export(dest, &r, 1, 1, 1, 0, src); +# else + cstr * hexbuf = cstr_new(); + + if(hexbuf) { + cstr_set_length(hexbuf, mpz_sizeinbase(src, 16) + 1); + mpz_get_str(hexbuf->data, 16, src); + r = t_fromhex(dest, hexbuf->data); + cstr_clear_free(hexbuf); + } +# endif + return r; +#elif defined(GCRYPT) + size_t r = 0; + gcry_mpi_print(GCRYMPI_FMT_USG, dest, destlen, &r, src); + return r; +#elif defined(MPI) || defined(TOMMATH) + mp_to_unsigned_bin(src, dest); + return mp_unsigned_bin_size(src); +#elif defined(MBEDTLS) + size_t r = mbedtls_mpi_size(src); + mbedtls_mpi_write_binary(src, dest, r); + return r; +#endif +} + +BigIntegerResult +BigIntegerToCstr(BigInteger x, cstr * out) +{ + int n = BigIntegerByteLen(x); + if(cstr_set_length(out, n) < 0) + return BIG_INTEGER_ERROR; + if(cstr_set_length(out, BigIntegerToBytes(x, (unsigned char*)out->data, n)) < 0) + return BIG_INTEGER_ERROR; + return BIG_INTEGER_SUCCESS; +} + +BigIntegerResult +BigIntegerToCstrEx(BigInteger x, cstr * out, int len) +{ + int n; + if(cstr_set_length(out, len) < 0) + return BIG_INTEGER_ERROR; +#if defined(MBEDTLS) + /* mbedtls will prefix the output with zeros if the buffer is larger */ + mbedtls_mpi_write_binary(x, (unsigned char*)out->data, len); +#else + n = BigIntegerToBytes(x, (unsigned char*)out->data, len); + if(n < len) { + memmove(out->data + (len - n), out->data, n); + memset(out->data, 0, len - n); + } +#endif + return BIG_INTEGER_SUCCESS; +} + +BigIntegerResult +BigIntegerToHex(src, dest, destlen) + BigInteger src; + char * dest; + int destlen; +{ +#ifdef OPENSSL + strncpy(dest, BN_bn2hex(src), destlen); +#elif defined(CRYPTOLIB) + trim(src); + bigsprint(src, dest); +#elif defined(GNU_MP) + mpz_get_str(dest, 16, src); +#elif defined(GCRYPT) + gcry_mpi_print(GCRYMPI_FMT_HEX, dest, destlen, NULL, src); +#elif defined(MPI) || defined(TOMMATH) + mp_toradix(src, dest, 16); +#elif defined(MBEDTLS) + size_t olen = 0; + mbedtls_mpi_write_string(src, 16, dest, destlen, &olen); +#endif + return BIG_INTEGER_SUCCESS; +} + +static char b64table[] = + "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz./"; + +BigIntegerResult +BigIntegerToString(src, dest, destlen, radix) + BigInteger src; + char * dest; + int destlen; + unsigned int radix; +{ + BigInteger t = BigIntegerFromInt(0); + char * p = dest; + char c; + + *p++ = b64table[BigIntegerModInt(src, radix, NULL)]; + BigIntegerDivInt(t, src, radix, NULL); + while(BigIntegerCmpInt(t, 0) > 0) { + *p++ = b64table[BigIntegerModInt(t, radix, NULL)]; + BigIntegerDivInt(t, t, radix, NULL); + } + BigIntegerFree(t); + *p-- = '\0'; + /* reverse the string */ + while(p > dest) { + c = *p; + *p-- = *dest; + *dest++ = c; + } + return BIG_INTEGER_SUCCESS; +} + +int +BigIntegerBitLen(b) + BigInteger b; +{ +#ifdef OPENSSL + return BN_num_bits(b); +#elif defined(CRYPTOLIB) + return bigBits(b); +#elif defined(GNU_MP) + return mpz_sizeinbase(b, 2); +#elif defined(GCRYPT) + return gcry_mpi_get_nbits(b); +#elif defined(MPI) || defined(TOMMATH) + return mp_count_bits(b); +#elif defined(MBEDTLS) + return (int)mbedtls_mpi_bitlen(b); +#endif +} + +int +BigIntegerCmp(c1, c2) + BigInteger c1, c2; +{ +#ifdef OPENSSL + return BN_cmp(c1, c2); +#elif defined(CRYPTOLIB) + return bigCompare(c1, c2); +#elif defined(GNU_MP) + return mpz_cmp(c1, c2); +#elif defined(GCRYPT) + return gcry_mpi_cmp(c1, c2); +#elif defined(MPI) || defined(TOMMATH) + return mp_cmp(c1, c2); +#elif defined(MBEDTLS) + return mbedtls_mpi_cmp_mpi(c1, c2); +#endif +} + +int +BigIntegerCmpInt(c1, c2) + BigInteger c1; + unsigned int c2; +{ +#ifdef OPENSSL + BigInteger bc2 = BigIntegerFromInt(c2); + int rv = BigIntegerCmp(c1, bc2); + BigIntegerFree(bc2); + return rv; +#elif defined(CRYPTOLIB) + BigInteger t; + int rv; + + t = bigInit(c2); + rv = bigCompare(c1, t); + freeBignum(t); + return rv; +#elif defined(GNU_MP) + return mpz_cmp_ui(c1, c2); +#elif defined(TOMMATH) + return mp_cmp_d(c1, c2); +#elif defined(GCRYPT) + return gcry_mpi_cmp_ui(c1, c2); +#elif defined(MPI) + return mp_cmp_int(c1, c2); +#elif defined(MBEDTLS) + return mbedtls_mpi_cmp_int(c1, c2); +#endif +} + +BigIntegerResult +BigIntegerLShift(result, x, bits) + BigInteger result, x; + unsigned int bits; +{ +#ifdef OPENSSL + BN_lshift(result, x, bits); +#elif defined(CRYPTOLIB) + bigLeftShift(x, bits, result); +#elif defined(GNU_MP) + mpz_mul_2exp(result, x, bits); +#elif defined(GCRYPT) + gcry_mpi_mul_2exp(result, x, bits); +#elif defined(MPI) || defined(TOMMATH) + mp_mul_2d(x, bits, result); +#elif defined(MBEDTLS) + mbedtls_mpi_copy(result, x); + mbedtls_mpi_shift_l(result, bits); +#endif + return BIG_INTEGER_SUCCESS; +} + +BigIntegerResult +BigIntegerAdd(result, a1, a2) + BigInteger result, a1, a2; +{ +#ifdef OPENSSL + BN_add(result, a1, a2); +#elif defined(CRYPTOLIB) + bigAdd(a1, a2, result); +#elif defined(GNU_MP) + mpz_add(result, a1, a2); +#elif defined(GCRYPT) + gcry_mpi_add(result, a1, a2); +#elif defined(MPI) || defined(TOMMATH) + mp_add(a1, a2, result); +#elif defined(MBEDTLS) + mbedtls_mpi_add_mpi(result, a1, a2); +#endif + return BIG_INTEGER_SUCCESS; +} + +BigIntegerResult +BigIntegerAddInt(result, a1, a2) + BigInteger result, a1; + unsigned int a2; +{ +#ifdef OPENSSL + if(result != a1) + BN_copy(result, a1); + BN_add_word(result, a2); +#elif defined(CRYPTOLIB) + BigInteger t; + + t = bigInit(a2); + bigAdd(a1, t, result); + freeBignum(t); +#elif defined(GNU_MP) + mpz_add_ui(result, a1, a2); +#elif defined(GCRYPT) + gcry_mpi_add_ui(result, a1, a2); +#elif defined(MPI) || defined(TOMMATH) + mp_add_d(a1, a2, result); +#elif defined(MBEDTLS) + mbedtls_mpi_add_int(result, a1, a2); +#endif + return BIG_INTEGER_SUCCESS; +} + +BigIntegerResult +BigIntegerSub(result, s1, s2) + BigInteger result, s1, s2; +{ +#ifdef OPENSSL + BN_sub(result, s1, s2); +#elif defined(CRYPTOLIB) + bigSubtract(s1, s2, result); +#elif defined(GNU_MP) + mpz_sub(result, s1, s2); +#elif defined(GCRYPT) + gcry_mpi_sub(result, s1, s2); +#elif defined(MPI) || defined(TOMMATH) + mp_sub(s1, s2, result); +#elif defined(MBEDTLS) + mbedtls_mpi_sub_mpi(result, s1, s2); +#endif + return BIG_INTEGER_SUCCESS; +} + +BigIntegerResult +BigIntegerSubInt(result, s1, s2) + BigInteger result, s1; + unsigned int s2; +{ +#ifdef OPENSSL + if(result != s1) + BN_copy(result, s1); + BN_sub_word(result, s2); +#elif defined(CRYPTOLIB) + BigInteger t; + + t = bigInit(s2); + bigSubtract(s1, t, result); + freeBignum(t); +#elif defined(GNU_MP) + mpz_sub_ui(result, s1, s2); +#elif defined(GCRYPT) + gcry_mpi_sub_ui(result, s1, s2); +#elif defined(MPI) || defined(TOMMATH) + mp_sub_d(s1, s2, result); +#elif defined(MBEDTLS) + mbedtls_mpi_sub_int(result, s1, s2); +#endif + return BIG_INTEGER_SUCCESS; +} + +BigIntegerResult +BigIntegerMul(result, m1, m2, c) + BigInteger result, m1, m2; + BigIntegerCtx c; +{ +#ifdef OPENSSL + BN_CTX * ctx = NULL; + if(c == NULL) + c = ctx = BN_CTX_new(); + BN_mul(result, m1, m2, c); + if(ctx) + BN_CTX_free(ctx); +#elif defined(CRYPTOLIB) + bigMultiply(m1, m2, result); +#elif defined(GNU_MP) + mpz_mul(result, m1, m2); +#elif defined(GCRYPT) + gcry_mpi_mul(result, m1, m2); +#elif defined(MPI) || defined(TOMMATH) + mp_mul(m1, m2, result); +#elif defined(MBEDTLS) + mbedtls_mpi_mul_mpi(result, m1, m2); +#endif + return BIG_INTEGER_SUCCESS; +} + +BigIntegerResult +BigIntegerMulInt(result, m1, m2, c) + BigInteger result, m1; + unsigned int m2; + BigIntegerCtx c; +{ +#ifdef OPENSSL + if(result != m1) + BN_copy(result, m1); + BN_mul_word(result, m2); +#elif defined(CRYPTOLIB) + BigInteger t; + + t = bigInit(m2); + bigMultiply(m1, t, result); + freeBignum(t); +#elif defined(GNU_MP) + mpz_mul_ui(result, m1, m2); +#elif defined(GCRYPT) + gcry_mpi_mul_ui(result, m1, m2); +#elif defined(MPI) || defined(TOMMATH) + mp_mul_d(m1, m2, result); +#elif defined(MBEDTLS) + mbedtls_mpi_mul_int(result, m1, m2); +#endif + return BIG_INTEGER_SUCCESS; +} + +BigIntegerResult +BigIntegerDivInt(result, d, m, c) + BigInteger result, d; + unsigned int m; + BigIntegerCtx c; +{ +#ifdef OPENSSL + if(result != d) + BN_copy(result, d); + BN_div_word(result, m); +#elif defined(CRYPTOLIB) + BigInteger t, u, q; + + t = bigInit(m); + u = bigInit(0); + /* We use a separate variable q because cryptolib breaks if result == d */ + q = bigInit(0); + bigDivide(d, t, q, u); + freeBignum(t); + freeBignum(u); + bigCopy(q, result); + freeBignum(q); +#elif defined(GNU_MP) +# ifdef GMP2 + mpz_fdiv_q_ui(result, d, m); +# else + mpz_div_ui(result, d, m); +# endif +#elif defined(GCRYPT) + BigInteger t = BigIntegerFromInt(m); + gcry_mpi_div(result, NULL, d, t, -1); + BigIntegerFree(t); +#elif defined(MPI) || defined(TOMMATH) + mp_div_d(d, m, result, NULL); +#elif defined(MBEDTLS) + mbedtls_mpi_div_int(result, NULL, d, m); +#endif + return BIG_INTEGER_SUCCESS; +} + +BigIntegerResult +BigIntegerMod(result, d, m, c) + BigInteger result, d, m; + BigIntegerCtx c; +{ +#ifdef OPENSSL + BN_CTX * ctx = NULL; + if(c == NULL) + c = ctx = BN_CTX_new(); + BN_mod(result, d, m, c); + if(ctx) + BN_CTX_free(ctx); +#elif defined(CRYPTOLIB) + bigMod(d, m, result); +#elif defined(GNU_MP) + mpz_mod(result, d, m); +#elif defined(GCRYPT) + gcry_mpi_mod(result, d, m); +#elif defined(MPI) || defined(TOMMATH) + mp_mod(d, m, result); +#elif defined(MBEDTLS) + mbedtls_mpi_mod_mpi(result, d, m); +#endif + return BIG_INTEGER_SUCCESS; +} + +unsigned int +BigIntegerModInt(d, m, c) + BigInteger d; + unsigned int m; + BigIntegerCtx c; +{ +#ifdef OPENSSL + return BN_mod_word(d, m); +#elif defined(CRYPTOLIB) + BigInteger t, u; + unsigned char r[4]; + + t = bigInit(m); + u = bigInit(0); + bigMod(d, t, u); + bigToBuf(u, sizeof(r), r); + freeBignum(t); + freeBignum(u); + return r[0] | (r[1] << 8) | (r[2] << 16) | (r[3] << 24); +#elif defined(GNU_MP) + MP_INT result; + unsigned int i; + + mpz_init(&result); + +/* Define GMP2 if you're using an old gmp.h but want to link against a + * newer libgmp.a (e.g. 2.0 or later). */ + +# ifdef GMP2 + mpz_fdiv_r_ui(&result, d, m); +# else + mpz_mod_ui(&result, d, m); +# endif + i = mpz_get_ui(&result); + mpz_clear(&result); + return i; +#elif defined(GCRYPT) + /* TODO: any way to clean this up??? */ + unsigned char r[4]; + size_t len, i; + unsigned int ret = 0; + BigInteger t = BigIntegerFromInt(m); + BigInteger a = BigIntegerFromInt(0); + gcry_mpi_mod(a, d, t); + gcry_mpi_print(GCRYMPI_FMT_USG, r, 4, &len, a); + for(i = 0; i < len; ++i) + ret = (ret << 8) | r[i]; + BigIntegerFree(t); + BigIntegerFree(a); + return ret; +#elif defined(MPI) || defined(TOMMATH) + mp_digit r; + mp_mod_d(d, m, &r); + return r; +#elif defined(MBEDTLS) + mbedtls_mpi_uint r = 0; + mbedtls_mpi_mod_int(&r, d, m); + return r; +#endif +} + +BigIntegerResult +BigIntegerModMul(r, m1, m2, modulus, c) + BigInteger r, m1, m2, modulus; + BigIntegerCtx c; +{ +#ifdef OPENSSL + BN_CTX * ctx = NULL; + if(c == NULL) + c = ctx = BN_CTX_new(); + BN_mod_mul(r, m1, m2, modulus, c); + if(ctx) + BN_CTX_free(ctx); +#elif defined(CRYPTOLIB) + bigMultiply(m1, m2, r); + bigMod(r, modulus, r); +#elif defined(GNU_MP) + mpz_mul(r, m1, m2); + mpz_mod(r, r, modulus); +#elif defined(GCRYPT) + gcry_mpi_mulm(r, m1, m2, modulus); +#elif defined(MPI) || defined(TOMMATH) + mp_mulmod(m1, m2, modulus, r); +#elif defined(MBEDTLS) + mbedtls_mpi d; + mbedtls_mpi_init(&d); + mbedtls_mpi_mul_mpi(&d, m1, m2); + mbedtls_mpi_mod_mpi(r, &d, modulus); + mbedtls_mpi_free(&d); +#endif + return BIG_INTEGER_SUCCESS; +} + +BigIntegerResult +BigIntegerModExp(r, b, e, m, c, a) + BigInteger r, b, e, m; + BigIntegerCtx c; + BigIntegerModAccel a; +{ +#ifdef OPENSSL +#if OPENSSL_VERSION_NUMBER >= 0x00906000 + BN_ULONG B = BN_get_word(b); +#endif + BN_CTX * ctx = NULL; + if(c == NULL) + c = ctx = BN_CTX_new(); + if(default_modexp) { + (*default_modexp)(r, b, e, m, c, a); + } + else if(a == NULL) { + BN_mod_exp(r, b, e, m, c); + } +#if OPENSSL_VERSION_NUMBER >= 0x00906000 + else if(B > 0 && B < ULONG_MAX) { /* 0.9.6 and above has mont_word optimization */ + BN_mod_exp_mont_word(r, B, e, m, c, a); + } +#endif + else + BN_mod_exp_mont(r, b, e, m, c, a); + if(ctx) + BN_CTX_free(ctx); +#elif defined(CRYPTOLIB) + bigPow(b, e, m, r); +#elif defined(GNU_MP) + mpz_powm(r, b, e, m); +#elif defined(GCRYPT) + gcry_mpi_powm(r, b, e, m); +#elif defined(MPI) || defined(TOMMATH) + mp_exptmod(b, e, m, r); +#elif defined(MBEDTLS) + mbedtls_mpi_exp_mod(r, b, e, m, NULL); +#endif + return BIG_INTEGER_SUCCESS; +} + +#if defined(MBEDTLS) +int _mbedtls_f_rng(void* unused, unsigned char *buf, size_t size) +{ + t_random(buf, size); + return 0; +} +#endif + +int +BigIntegerCheckPrime(n, c) + BigInteger n; + BigIntegerCtx c; +{ +#ifdef OPENSSL + int rv; + BN_CTX * ctx = NULL; + if(c == NULL) + c = ctx = BN_CTX_new(); +#if OPENSSL_VERSION_NUMBER >= 0x00908000 + rv = BN_is_prime_ex(n, 25, c, NULL); +#else + rv = BN_is_prime(n, 25, NULL, c, NULL); +#endif + if(ctx) + BN_CTX_free(ctx); + return rv; +#elif defined(CRYPTOLIB) +#if 0 + /* + * Ugh. Not only is cryptolib's bigDivide sensitive to inputs + * and outputs being the same, but now the primeTest needs random + * numbers, which it gets by calling cryptolib's broken truerand + * implementation(!) We have to fake it out by doing our own + * seeding explicitly. + */ + static int seeded = 0; + static unsigned char seedbuf[64]; + if(!seeded) { + t_random(seedbuf, sizeof(seedbuf)); + seedDesRandom(seedbuf, sizeof(seedbuf)); + memset(seedbuf, 0, sizeof(seedbuf)); + seeded = 1; + } +#endif /* 0 */ + t_random(NULL, 0); + return primeTest(n); +#elif defined(GNU_MP) + return mpz_probab_prime_p(n, 25); +#elif defined(GCRYPT) + return (gcry_prime_check(n, 0) == GPG_ERR_NO_ERROR); +#elif defined(TOMMATH) + int rv; + mp_prime_is_prime(n, 25, &rv); + return rv; +#elif defined(MPI) + return (mpp_pprime(n, 25) == MP_YES); +#elif defined(MBEDTLS) + return mbedtls_mpi_is_prime_ext(n, 25, _mbedtls_f_rng, NULL); +#endif +} + +BigIntegerResult +BigIntegerFree(b) + BigInteger b; +{ +#ifdef OPENSSL + BN_free(b); +#elif defined(CRYPTOLIB) + freeBignum(b); +#elif defined(GNU_MP) + mpz_clear(b); + free(b); +#elif defined(GCRYPT) + gcry_mpi_release(b); +#elif defined(MPI) || defined(TOMMATH) + mp_clear(b); + free(b); +#elif defined(MBEDTLS) + mbedtls_mpi_free(b); + free(b); +#endif + return BIG_INTEGER_SUCCESS; +} + +BigIntegerResult +BigIntegerClearFree(b) + BigInteger b; +{ +#ifdef OPENSSL + BN_clear_free(b); +#elif defined(CRYPTOLIB) + /* TODO */ + freeBignum(b); +#elif defined(GNU_MP) + /* TODO */ + mpz_clear(b); + free(b); +#elif defined(GCRYPT) + /* TODO */ + gcry_mpi_release(b); +#elif defined(MPI) || defined(TOMMATH) + /* TODO */ + mp_clear(b); + free(b); +#elif defined(MBEDTLS) + mbedtls_mpi_free(b); + free(b); +#endif + return BIG_INTEGER_SUCCESS; +} + +BigIntegerCtx +BigIntegerCtxNew() +{ +#ifdef OPENSSL + return BN_CTX_new(); +#else + return NULL; +#endif +} + +BigIntegerResult +BigIntegerCtxFree(ctx) + BigIntegerCtx ctx; +{ +#ifdef OPENSSL + if(ctx) + BN_CTX_free(ctx); +#endif + return BIG_INTEGER_SUCCESS; +} + +BigIntegerModAccel +BigIntegerModAccelNew(m, c) + BigInteger m; + BigIntegerCtx c; +{ +#ifdef OPENSSL + BN_CTX * ctx = NULL; + BN_MONT_CTX * mctx; + if(default_modexp) + return NULL; + if(c == NULL) + c = ctx = BN_CTX_new(); + mctx = BN_MONT_CTX_new(); + BN_MONT_CTX_set(mctx, m, c); + if(ctx) + BN_CTX_free(ctx); + return mctx; +#else + return NULL; +#endif +} + +BigIntegerResult +BigIntegerModAccelFree(accel) + BigIntegerModAccel accel; +{ +#ifdef OPENSSL + if(accel) + BN_MONT_CTX_free(accel); +#endif + return BIG_INTEGER_SUCCESS; +} + +BigIntegerResult +BigIntegerInitialize() +{ +#if OPENSSL_VERSION_NUMBER >= 0x00907000 + ENGINE_load_builtin_engines(); +#endif + return BIG_INTEGER_SUCCESS; +} + +BigIntegerResult +BigIntegerFinalize() +{ + return BigIntegerReleaseEngine(); +} + +BigIntegerResult +BigIntegerUseEngine(const char * engine) +{ +#if defined(OPENSSL) && defined(OPENSSL_ENGINE) + ENGINE * e = ENGINE_by_id(engine); + if(e) { + if(ENGINE_init(e) > 0) { +#if OPENSSL_VERSION_NUMBER >= 0x00907000 + /* 0.9.7 loses the BN_mod_exp method. Pity. */ + const RSA_METHOD * rsa = ENGINE_get_RSA(e); + if(rsa) +#if (defined(LIBRESSL_VERSION_NUMBER) && LIBRESSL_VERSION_NUMBER >= 0x3000000fL) || (!defined(LIBRESSL_VERSION_NUMBER) && OPENSSL_VERSION_NUMBER >= 0x10100005L) + default_modexp = (modexp_meth)RSA_meth_get_bn_mod_exp(rsa); +#else + default_modexp = (modexp_meth)rsa->bn_mod_exp; +#endif +#else + default_modexp = (modexp_meth)ENGINE_get_BN_mod_exp(e); +#endif + BigIntegerReleaseEngine(); + default_engine = e; + return BIG_INTEGER_SUCCESS; + } + else + ENGINE_free(e); + } +#endif + return BIG_INTEGER_ERROR; +} + +BigIntegerResult +BigIntegerReleaseEngine() +{ +#if defined(OPENSSL) && defined(OPENSSL_ENGINE) + if(default_engine) { + ENGINE_finish(default_engine); + ENGINE_free(default_engine); + default_engine = NULL; + default_modexp = NULL; + } +#endif + return BIG_INTEGER_SUCCESS; +} diff --git a/3rd_party/libsrp6a-sha512/t_misc.c b/3rd_party/libsrp6a-sha512/t_misc.c new file mode 100644 index 0000000..3053358 --- /dev/null +++ b/3rd_party/libsrp6a-sha512/t_misc.c @@ -0,0 +1,450 @@ +/* + * Copyright (c) 1997-2007 The Stanford SRP Authentication Project + * All Rights Reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, + * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY + * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + * + * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL, + * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER + * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF + * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT + * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Redistributions in source or binary form must retain an intact copy + * of this copyright notice. + */ + +#include "t_defines.h" + +#ifdef HAVE_UNISTD_H +#include +#endif /* HAVE_UNISTD_H */ + +#include +#include +#include +#include + +#ifdef WIN32 +#include +#include +#endif + +#include "t_sha.h" + +#ifndef NULL +#define NULL 0 +#endif + +#ifdef OPENSSL +#include +#include +#elif defined(TOMCRYPT) +#include "tomcrypt.h" +static prng_state g_rng; +static unsigned char entropy[32]; +#elif defined(CRYPTOLIB) +# include "libcrypt.h" +static unsigned char crpool[64]; +#else +static unsigned char randpool[SHA_DIGESTSIZE], randout[SHA_DIGESTSIZE]; +static unsigned long randcnt = 0; +static unsigned int outpos = 0; +SHA1_CTX randctxt; +#endif /* OPENSSL */ + +/* + * t_envhash - Generate a 160-bit SHA hash of the environment + * + * This routine performs an SHA hash of all the "name=value" pairs + * in the environment concatenated together and dumps them in the + * output. While it is true that anyone on the system can see + * your environment, someone not on the system will have a very + * difficult time guessing it, especially since some systems play + * tricks with variable ordering and sometimes define quirky + * environment variables like $WINDOWID or $_. + */ +extern char ** environ; + +static void +t_envhash(out) + unsigned char * out; +{ + char ** ptr; + char ebuf[256]; + SHA1_CTX ctxt; + + SHA1Init(&ctxt); + for(ptr = environ; *ptr; ++ptr) { + strncpy(ebuf, *ptr, 255); + ebuf[255] = '\0'; + SHA1Update(&ctxt, ebuf, strlen(ebuf)); + } + SHA1Final(out, &ctxt); +} + +/* + * t_fshash - Generate a 160-bit SHA hash from the file system + * + * This routine climbs up the directory tree from the current + * directory, running stat() on each directory until it hits the + * root directory. This information is sensitive to the last + * access/modification times of all the directories above you, + * so someone who lists one of those directories injects some + * entropy into the system. Obviously, this hash is very sensitive + * to your current directory when the program is run. + * + * For good measure, it also performs an fstat on the standard input, + * usually your tty, throws that into the buffer, creates a file in + * /tmp (the inode is unpredictable on a busy system), and runs stat() + * on that before deleting it. + * + * The entire buffer is run once through SHA to obtain the final result. + */ +static void +t_fshash(out) + unsigned char * out; +{ + char dotpath[128]; + struct stat st; + SHA1_CTX ctxt; + int i, pinode; + dev_t pdev; + + SHA1Init(&ctxt); + if(stat(".", &st) >= 0) { + SHA1Update(&ctxt, (unsigned char *) &st, sizeof(st)); + pinode = st.st_ino; + pdev = st.st_dev; + strcpy(dotpath, ".."); + for(i = 0; i < 40; ++i) { + if(stat(dotpath, &st) < 0) + break; + if(st.st_ino == pinode && st.st_dev == pdev) + break; + SHA1Update(&ctxt, (unsigned char *) &st, sizeof(st)); + pinode = st.st_ino; + pdev = st.st_dev; + strcat(dotpath, "/.."); + } + } + + if(fstat(0, &st) >= 0) + SHA1Update(&ctxt, (unsigned char *) &st, sizeof(st)); + + sprintf(dotpath, "/tmp/rnd.%d", getpid()); + if(creat(dotpath, 0600) >= 0 && stat(dotpath, &st) >= 0) + SHA1Update(&ctxt, (unsigned char *) &st, sizeof(st)); + unlink(dotpath); + + SHA1Final(out, &ctxt); +} + +/* + * Generate a high-entropy seed for the strong random number generator. + * This uses a wide variety of quickly gathered and somewhat unpredictable + * system information. The 'preseed' structure is assembled from: + * + * The system time in seconds + * The system time in microseconds + * The current process ID + * The parent process ID + * A hash of the user's environment + * A hash gathered from the file system + * Input from a random device, if available + * Timings of system interrupts + * + * The entire structure (60 bytes on most systems) is fed to SHA to produce + * a 160-bit seed for the strong random number generator. It is believed + * that in the worst case (on a quiet system with no random device versus + * an attacker who has access to the system already), the seed contains at + * least about 80 bits of entropy. Versus an attacker who does not have + * access to the system, the entropy should be slightly over 128 bits. + */ +static char initialized = 0; + +static struct { + unsigned int trand1; + time_t sec; + time_t subsec; + short pid; + short ppid; + unsigned char envh[SHA_DIGESTSIZE]; + unsigned char fsh[SHA_DIGESTSIZE]; + unsigned char devrand[20]; + unsigned int trand2; +} preseed; + +unsigned long raw_truerand(); + +static void +t_initrand() +{ + SHA1_CTX ctxt; +#ifdef USE_FTIME + struct timeb t; +#else + struct timeval t; +#endif + int i, r=0; + + if(initialized) + return; + + initialized = 1; + +#if defined(OPENSSL) /* OpenSSL has nifty win32 entropy-gathering code */ +#if OPENSSL_VERSION_NUMBER >= 0x00905100 + r = RAND_status(); +#if defined(WINDOWS) || defined(WIN32) + if(r) /* Don't do the Unix-y stuff on Windows if possible */ + return; +#else +#endif +#endif + +#elif defined(TOMCRYPT) + yarrow_start(&g_rng); + r = rng_get_bytes(entropy, sizeof(entropy), NULL); + if(r > 0) { + yarrow_add_entropy(entropy, r, &g_rng); + memset(entropy, 0, sizeof(entropy)); +# if defined(WINDOWS) || defined(WIN32) + /* Don't do the Unix-y stuff on Windows if possible */ + yarrow_ready(&g_rng); + return; +# endif + } +#endif + +#if !defined(WINDOWS) && !defined(WIN32) + i = open("/dev/urandom", O_RDONLY); + if(i > 0) { + r += read(i, preseed.devrand, sizeof(preseed.devrand)); + close(i); + } +#endif /* !WINDOWS && !WIN32 */ + + /* Resort to truerand only if desperate for some Real entropy */ + if(r == 0) + preseed.trand1 = raw_truerand(); + +#ifdef USE_FTIME + ftime(&t); + preseed.sec = t.time; + preseed.subsec = t.millitm; +#else + gettimeofday(&t, NULL); + preseed.sec = t.tv_sec; + preseed.subsec = t.tv_usec; +#endif + preseed.pid = getpid(); +#ifndef WIN32 + preseed.ppid = getppid(); +#endif + t_envhash(preseed.envh); + t_fshash(preseed.fsh); + + if(r == 0) + preseed.trand2 = raw_truerand(); + +#ifdef OPENSSL + RAND_seed((unsigned char *)&preseed, sizeof(preseed)); +#elif defined(TOMCRYPT) + yarrow_add_entropy((unsigned char *)&preseed, sizeof(preseed), &g_rng); + yarrow_ready(&g_rng); +#elif defined(CRYPTOLIB) + t_mgf1(crpool, sizeof(crpool), (unsigned char *) &preseed, sizeof(preseed)); + seedDesRandom(crpool, sizeof(crpool)); + memset(crpool, 0, sizeof(crpool)); +#elif defined(GCRYPT) + gcry_random_add_bytes((unsigned char *)&preseed, sizeof(preseed), -1); +#else + SHA1Init(&ctxt); + SHA1Update(&ctxt, (unsigned char *) &preseed, sizeof(preseed)); + SHA1Final(randpool, &ctxt); + memset((unsigned char *) &ctxt, 0, sizeof(ctxt)); + outpos = 0; +#endif /* OPENSSL */ + memset((unsigned char *) &preseed, 0, sizeof(preseed)); +} + +#define NUM_RANDOMS 12 + +_TYPE( void ) +t_stronginitrand() +{ +#if 1 /* t_initrand() has been improved enough to make this unnecessary */ + t_initrand(); +#else + SHA1_CTX ctxt; + unsigned int rawrand[NUM_RANDOMS]; + int i; + + if(!initialized) + t_initrand(); + for(i = 0; i < NUM_RANDOMS; ++i) + rawrand[i] = raw_truerand(); + SHA1Init(&ctxt); + SHA1Update(&ctxt, (unsigned char *) rawrand, sizeof(rawrand)); + SHA1Final(randkey2, &ctxt); + memset(rawrand, 0, sizeof(rawrand)); +#endif +} + +/* + * The strong random number generator. This uses a 160-bit seed + * and uses SHA-1 in a feedback configuration to generate successive + * outputs. If S[0] is set to the initial seed, then: + * + * S[i+1] = SHA-1(i || S[i]) + * A[i] = SHA-1(S[i]) + * + * where the A[i] are the output blocks starting with i=0. + * Each cycle generates 20 bytes of new output. + */ +_TYPE( void ) +t_random(data, size) + unsigned char * data; + unsigned size; +{ + if(!initialized) + t_initrand(); + + if(size <= 0) /* t_random(NULL, 0) forces seed initialization */ + return; + +#ifdef OPENSSL + RAND_bytes(data, size); +#elif defined(TOMCRYPT) + yarrow_read(data, size, &g_rng); +#elif defined(GCRYPT) + gcry_randomize(data, size, GCRY_STRONG_RANDOM); +#elif defined(CRYPTOLIB) + randomBytes(data, size, PSEUDO); +#else + while(size > outpos) { + if(outpos > 0) { + memcpy(data, randout + (sizeof(randout) - outpos), outpos); + data += outpos; + size -= outpos; + } + + /* Recycle */ + SHA1Init(&randctxt); + SHA1Update(&randctxt, randpool, sizeof(randpool)); + SHA1Final(randout, &randctxt); + SHA1Init(&randctxt); + SHA1Update(&randctxt, (unsigned char *) &randcnt, sizeof(randcnt)); + SHA1Update(&randctxt, randpool, sizeof(randpool)); + SHA1Final(randpool, &randctxt); + ++randcnt; + outpos = sizeof(randout); + } + + if(size > 0) { + memcpy(data, randout + (sizeof(randout) - outpos), size); + outpos -= size; + } +#endif +} + +/* + * The interleaved session-key hash. This separates the even and the odd + * bytes of the input (ignoring the first byte if the input length is odd), + * hashes them separately, and re-interleaves the two outputs to form a + * single 320-bit value. + */ +_TYPE( unsigned char * ) +t_sessionkey(key, sk, sklen) + unsigned char * key; + unsigned char * sk; + unsigned sklen; +{ + unsigned i, klen; + unsigned char * hbuf; + unsigned char hout[SHA_DIGESTSIZE]; + SHA1_CTX ctxt; + + while(sklen > 0 && *sk == 0) { /* Skip leading 0's */ + --sklen; + ++sk; + } + + klen = sklen / 2; + if((hbuf = malloc(klen * sizeof(char))) == 0) + return 0; + + for(i = 0; i < klen; ++i) + hbuf[i] = sk[sklen - 2 * i - 1]; + SHA1Init(&ctxt); + SHA1Update(&ctxt, hbuf, klen); + SHA1Final(hout, &ctxt); + for(i = 0; i < sizeof(hout); ++i) + key[2 * i] = hout[i]; + + for(i = 0; i < klen; ++i) + hbuf[i] = sk[sklen - 2 * i - 2]; + SHA1Init(&ctxt); + SHA1Update(&ctxt, hbuf, klen); + SHA1Final(hout, &ctxt); + for(i = 0; i < sizeof(hout); ++i) + key[2 * i + 1] = hout[i]; + + memset(hout, 0, sizeof(hout)); + memset(hbuf, 0, klen); + free(hbuf); + return key; +} + +_TYPE( void ) +t_mgf1(mask, masklen, seed, seedlen) + unsigned char * mask; + unsigned masklen; + const unsigned char * seed; + unsigned seedlen; +{ + SHA1_CTX ctxt; + unsigned i = 0; + unsigned pos = 0; + unsigned char cnt[4]; + unsigned char hout[SHA_DIGESTSIZE]; + + while(pos < masklen) { + cnt[0] = (i >> 24) & 0xFF; + cnt[1] = (i >> 16) & 0xFF; + cnt[2] = (i >> 8) & 0xFF; + cnt[3] = i & 0xFF; + SHA1Init(&ctxt); + SHA1Update(&ctxt, seed, seedlen); + SHA1Update(&ctxt, cnt, 4); + + if(pos + SHA_DIGESTSIZE > masklen) { + SHA1Final(hout, &ctxt); + memcpy(mask + pos, hout, masklen - pos); + pos = masklen; + } + else { + SHA1Final(mask + pos, &ctxt); + pos += SHA_DIGESTSIZE; + } + + ++i; + } + + memset(hout, 0, sizeof(hout)); + memset((unsigned char *)&ctxt, 0, sizeof(ctxt)); +} diff --git a/3rd_party/libsrp6a-sha512/t_pwd.h b/3rd_party/libsrp6a-sha512/t_pwd.h new file mode 100644 index 0000000..a90a364 --- /dev/null +++ b/3rd_party/libsrp6a-sha512/t_pwd.h @@ -0,0 +1,246 @@ +/* + * Copyright (c) 1997-2007 The Stanford SRP Authentication Project + * All Rights Reserved. + * + * Permission is hereby granted, free of charge, to any person obtaining + * a copy of this software and associated documentation files (the + * "Software"), to deal in the Software without restriction, including + * without limitation the rights to use, copy, modify, merge, publish, + * distribute, sublicense, and/or sell copies of the Software, and to + * permit persons to whom the Software is furnished to do so, subject to + * the following conditions: + * + * The above copyright notice and this permission notice shall be + * included in all copies or substantial portions of the Software. + * + * THE SOFTWARE IS PROVIDED "AS-IS" AND WITHOUT WARRANTY OF ANY KIND, + * EXPRESS, IMPLIED OR OTHERWISE, INCLUDING WITHOUT LIMITATION, ANY + * WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. + * + * IN NO EVENT SHALL STANFORD BE LIABLE FOR ANY SPECIAL, INCIDENTAL, + * INDIRECT OR CONSEQUENTIAL DAMAGES OF ANY KIND, OR ANY DAMAGES WHATSOEVER + * RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER OR NOT ADVISED OF + * THE POSSIBILITY OF DAMAGE, AND ON ANY THEORY OF LIABILITY, ARISING OUT + * OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + * + * Redistributions in source or binary form must retain an intact copy + * of this copyright notice. + */ + +#ifndef T_PWD_H +#define T_PWD_H + +#include +#include "cstr.h" + +#define MAXPARAMBITS 2048 +#define MAXPARAMLEN ((MAXPARAMBITS + 7) / 8) +#define MAXB64PARAMLEN ((MAXPARAMBITS + 5) / 6 + 1) +#define MAXHEXPARAMLEN ((MAXPARAMBITS + 3) / 4 + 1) +#define MAXOCTPARAMLEN ((MAXPARAMBITS + 2) / 3 + 1) + +#define MAXUSERLEN 32 +#define MAXSALTLEN 32 +#define MAXB64SALTLEN 44 /* 256 bits in b64 + null */ +#define SALTLEN 10 /* Normally 80 bits */ + +#define RESPONSE_LEN 20 /* 160-bit proof hashes */ +#define SESSION_KEY_LEN (2 * RESPONSE_LEN) /* 320-bit session key */ + +#define DEFAULT_PASSWD "/etc/tpasswd" +#define DEFAULT_CONF "/etc/tpasswd.conf" + +struct t_num { /* Standard byte-oriented integer representation */ + int len; + unsigned char * data; +}; + +struct t_preconf { /* Structure returned by t_getpreparam() */ + char * mod_b64; + char * gen_b64; + char * comment; + + struct t_num modulus; + struct t_num generator; +}; + +/* + * The built-in (known good) parameters access routines + * + * "t_getprecount" returns the number of precompiled parameter sets. + * "t_getpreparam" returns the indicated parameter set. + * Memory is statically allocated - callers need not perform any memory mgmt. + */ +_TYPE( int ) t_getprecount(); +_TYPE( struct t_preconf * ) t_getpreparam P((int)); + +struct t_confent { /* One configuration file entry (index, N, g) */ + int index; + struct t_num modulus; + struct t_num generator; +}; + +struct t_conf { /* An open configuration file */ + FILE * instream; + char close_on_exit; + cstr * modbuf; + cstr * genbuf; + struct t_confent tcbuf; +}; + +/* + * The configuration file routines are designed along the lines of the + * "getpw" functions in the standard C library. + * + * "t_openconf" accepts a stdio stream and interprets it as a config file. + * "t_openconfbyname" accepts a filename and does the same thing. + * "t_closeconf" closes the config file. + * "t_getconfent" fetches the next sequential configuration entry. + * "t_getconfbyindex" fetches the configuration entry whose index + * matches the one supplied, or NULL if one can't be found. + * "t_getconflast" fetches the last configuration entry in the file. + * "t_makeconfent" generates a set of configuration entry parameters + * randomly. + * "t_newconfent" returns an empty configuration entry. + * "t_cmpconfent" compares two configuration entries a la strcmp. + * "t_checkconfent" verifies that a set of configuration parameters + * are suitable. N must be prime and should be a safe prime. + * "t_putconfent" writes a configuration entry to a stream. + */ +_TYPE( struct t_conf * ) t_openconf P((FILE *)); +_TYPE( struct t_conf * ) t_openconfbyname P((const char *)); +_TYPE( void ) t_closeconf P((struct t_conf *)); +_TYPE( void ) t_rewindconf P((struct t_conf *)); +_TYPE( struct t_confent * ) t_getconfent P((struct t_conf *)); +_TYPE( struct t_confent * ) t_getconfbyindex P((struct t_conf *, int)); +_TYPE( struct t_confent * ) t_getconflast P((struct t_conf *)); +_TYPE( struct t_confent * ) t_makeconfent P((struct t_conf *, int)); +_TYPE( struct t_confent * ) t_makeconfent_c P((struct t_conf *, int)); +_TYPE( struct t_confent * ) t_newconfent P((struct t_conf *)); +_TYPE( int ) t_cmpconfent P((const struct t_confent *, const struct t_confent *)); +_TYPE( int ) t_checkconfent P((const struct t_confent *)); +_TYPE( void ) t_putconfent P((const struct t_confent *, FILE *)); + +/* libc-style system conf file access */ +_TYPE( struct t_confent *) gettcent(); +_TYPE( struct t_confent *) gettcid P((int)); +_TYPE( void ) settcent(); +_TYPE( void ) endtcent(); + +#ifdef ENABLE_NSW +extern struct t_confent * _gettcent(); +extern struct t_confent * _gettcid P((int)); +extern void _settcent(); +extern void _endtcent(); +#endif + +/* A hack to support '+'-style entries in the passwd file */ + +typedef enum fstate { + FILE_ONLY, /* Ordinary file, don't consult NIS ever */ + FILE_NIS, /* Currently accessing file, use NIS if encountered */ + IN_NIS, /* Currently in a '+' entry; use NIS for getXXent */ +} FILE_STATE; + +struct t_pwent { /* A single password file entry */ + char * name; + struct t_num password; + struct t_num salt; + int index; +}; + +struct t_pw { /* An open password file */ + FILE * instream; + char close_on_exit; + FILE_STATE state; + char userbuf[MAXUSERLEN]; + cstr * pwbuf; + unsigned char saltbuf[SALTLEN]; + struct t_pwent pebuf; +}; + +/* + * The password manipulation routines are patterned after the getpw* + * standard C library function calls. + * + * "t_openpw" reads a stream as if it were a password file. + * "t_openpwbyname" opens the named file as a password file. + * "t_closepw" closes an open password file. + * "t_rewindpw" starts the internal file pointer from the beginning + * of the password file. + * "t_getpwent" retrieves the next sequential password entry. + * "t_getpwbyname" looks up the password entry corresponding to the + * specified user. + * "t_makepwent" constructs a password entry from a username, password, + * numeric salt, and configuration entry. + * "t_putpwent" writes a password entry to a stream. + */ +_TYPE( struct t_pw * ) t_newpw(); +_TYPE( struct t_pw * ) t_openpw P((FILE *)); +_TYPE( struct t_pw * ) t_openpwbyname P((const char *)); +_TYPE( void ) t_closepw P((struct t_pw *)); +_TYPE( void ) t_rewindpw P((struct t_pw *)); +_TYPE( struct t_pwent * ) t_getpwent P((struct t_pw *)); +_TYPE( struct t_pwent * ) t_getpwbyname P((struct t_pw *, const char *)); +_TYPE( struct t_pwent * ) t_makepwent P((struct t_pw *, const char *, + const char *, const struct t_num *, + const struct t_confent *)); +_TYPE( void ) t_putpwent P((const struct t_pwent *, FILE *)); + +struct t_passwd { + struct t_pwent tp; + struct t_confent tc; +}; + +/* libc-style system password file access */ +_TYPE( struct t_passwd * ) gettpent(); +_TYPE( struct t_passwd * ) gettpnam P((const char *)); +_TYPE( void ) settpent(); +_TYPE( void ) endtpent(); + +#ifdef ENABLE_NSW +extern struct t_passwd * _gettpent(); +extern struct t_passwd * _gettpnam P((const char *)); +extern void _settpent(); +extern void _endtpent(); +#endif + +/* + * Utility functions + * + * "t_verifypw" accepts a username and password, and checks against the + * system password file to see if the password for that user is correct. + * Returns > 0 if it is correct, 0 if not, and -1 if some error occurred + * (i.e. the user doesn't exist on the system). This is intended ONLY + * for local authentication; for remote authentication, look at the + * t_client and t_server source. (That's the whole point of SRP!) + * "t_changepw" modifies the specified file, substituting the given password + * entry for the one already in the file. If no matching entry is found, + * the new entry is simply appended to the file. + * "t_deletepw" removes the specified user from the specified file. + */ +_TYPE( int ) t_verifypw P((const char *, const char *)); +_TYPE( int ) t_changepw P((const char *, const struct t_pwent *)); +_TYPE( int ) t_deletepw P((const char *, const char *)); + +/* Conversion utilities */ + +/* + * All these calls accept output as the first parameter. In the case of + * t_tohex and t_tob64, the last argument is the length of the byte-string + * input. + */ +_TYPE( char * ) t_tohex P((char *, const char *, unsigned)); +_TYPE( int ) t_fromhex P((char *, const char *)); +_TYPE( char * ) t_tob64 P((char *, const char *, unsigned)); +_TYPE( int ) t_fromb64 P((char *, const char *)); + +/* These functions put their output in a cstr object */ +_TYPE( char * ) t_tohexcstr P((cstr *, const char *, unsigned)); +_TYPE( int ) t_cstrfromhex P((cstr *, const char *)); +_TYPE( char * ) t_tob64cstr P((cstr *, const char *, unsigned)); +_TYPE( int ) t_cstrfromb64 P((cstr *, const char *)); + +/* Miscellaneous utilities (moved to t_defines.h) */ + +#endif diff --git a/3rd_party/libsrp6a-sha512/t_sha.c b/3rd_party/libsrp6a-sha512/t_sha.c new file mode 100644 index 0000000..4029de8 --- /dev/null +++ b/3rd_party/libsrp6a-sha512/t_sha.c @@ -0,0 +1,276 @@ +#include "t_defines.h" +#include "t_sha.h" + +#ifdef CRYPTOLIB_SHA + +/* A wrapper around CryptoLib's shsFinal that delivers output in octets */ +void +shsFinalBytes(unsigned char digest[20], SHS_CTX* context) +{ + int i; + unsigned long r; + unsigned char *p = digest; + + shsFinal(context); + for(i = 0; i < 5; ++i) { + r = context->h[i]; + *p++ = (unsigned char)((r >> 24) & 0xff); + *p++ = (unsigned char)((r >> 16) & 0xff); + *p++ = (unsigned char)((r >> 8) & 0xff); + *p++ = (unsigned char)(r & 0xff); + } +} + +#elif defined(GCRYPT_SHA) +/* Wrappers for gcrypt's md interface */ + +void +SHA1Init_gcry(SHA1_CTX * ctx) +{ + gcry_md_open(ctx, GCRY_MD_SHA1, 0); +} + +void +SHA1Update_gcry(SHA1_CTX * ctx, const void *data, unsigned int len) +{ + gcry_md_write(*ctx, data, len); +} + +void +SHA1Final_gcry(unsigned char digest[20], SHA1_CTX * ctx) +{ + memcpy(digest, gcry_md_read(*ctx, GCRY_MD_SHA1), 20); + gcry_md_close(*ctx); +} + +void +SHA512Init_gcry(SHA512_CTX * ctx) +{ + gcry_md_open(ctx, GCRY_MD_SHA512, 0); +} + +void +SHA512Update_gcry(SHA512_CTX * ctx, const void *data, unsigned int len) +{ + gcry_md_write(*ctx, data, len); +} + +void +SHA512Final_gcry(unsigned char digest[64], SHA512_CTX * ctx) +{ + memcpy(digest, gcry_md_read(*ctx, GCRY_MD_SHA512), 64); + gcry_md_close(*ctx); +} + +#elif defined(MBEDTLS_SHA) +/* Wrappers for mbedtls's md interface */ + +void +SHA1Init_mbed(SHA1_CTX * ctx) +{ + mbedtls_md_init(ctx); + mbedtls_md_setup(ctx, mbedtls_md_info_from_type(MBEDTLS_MD_SHA1), 0); + mbedtls_md_starts(ctx); +} + +void +SHA1Update_mbed(SHA1_CTX * ctx, const void *data, unsigned int len) +{ + mbedtls_md_update(ctx, data, len); +} + +void +SHA1Final_mbed(unsigned char digest[20], SHA1_CTX * ctx) +{ + mbedtls_md_finish(ctx, digest); + mbedtls_md_free(ctx); +} + +void +SHA512Init_mbed(SHA512_CTX * ctx) +{ + mbedtls_md_init(ctx); + mbedtls_md_setup(ctx, mbedtls_md_info_from_type(MBEDTLS_MD_SHA512), 0); + mbedtls_md_starts(ctx); +} + +void +SHA512Update_mbed(SHA512_CTX * ctx, const void *data, unsigned int len) +{ + mbedtls_md_update(ctx, data, len); +} + +void +SHA512Final_mbed(unsigned char digest[64], SHA512_CTX * ctx) +{ + mbedtls_md_finish(ctx, digest); + mbedtls_md_free(ctx); +} + +#elif !defined(OPENSSL_SHA) && !defined(TOMCRYPT_SHA) +/* Use the free SHA1 if the library doesn't have it */ + +/* +SHA-1 in C +By Steve Reid +100% Public Domain + +Test Vectors (from FIPS PUB 180-1) +"abc" + A9993E36 4706816A BA3E2571 7850C26C 9CD0D89D +"abcdbcdecdefdefgefghfghighijhijkijkljklmklmnlmnomnopnopq" + 84983E44 1C3BD26E BAAE4AA1 F95129E5 E54670F1 +A million repetitions of "a" + 34AA973C D4C4DAA4 F61EEB2B DBAD2731 6534016F +*/ + +/* #define LITTLE_ENDIAN * This should be #define'd if true. */ +/* #define SHA1HANDSOFF * Copies data before messing with it. */ + +#include +#include + +static void SHA1Transform(uint32 state[5], const unsigned char buffer[64]); + +#define rol(value, bits) (((value) << (bits)) | ((value) >> (32 - (bits)))) + +/* blk0() and blk() perform the initial expand. */ +/* I got the idea of expanding during the round function from SSLeay */ +#ifndef WORDS_BIGENDIAN +#define blk0(i) (block->l[i] = (rol(block->l[i],24)&0xFF00FF00) \ + |(rol(block->l[i],8)&0x00FF00FF)) +#else +#define blk0(i) block->l[i] +#endif +#define blk(i) (block->l[i&15] = rol(block->l[(i+13)&15]^block->l[(i+8)&15] \ + ^block->l[(i+2)&15]^block->l[i&15],1)) + +/* (R0+R1), R2, R3, R4 are the different operations used in SHA1 */ +#define R0(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk0(i)+0x5A827999+rol(v,5);w=rol(w,30); +#define R1(v,w,x,y,z,i) z+=((w&(x^y))^y)+blk(i)+0x5A827999+rol(v,5);w=rol(w,30); +#define R2(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0x6ED9EBA1+rol(v,5);w=rol(w,30); +#define R3(v,w,x,y,z,i) z+=(((w|x)&y)|(w&x))+blk(i)+0x8F1BBCDC+rol(v,5);w=rol(w,30); +#define R4(v,w,x,y,z,i) z+=(w^x^y)+blk(i)+0xCA62C1D6+rol(v,5);w=rol(w,30); + +/* Hash a single 512-bit block. This is the core of the algorithm. */ + +static void SHA1Transform(uint32 state[5], const unsigned char buffer[64]) +{ +uint32 a, b, c, d, e; +typedef union { + unsigned char c[64]; + uint32 l[16]; +} CHAR64LONG16; +CHAR64LONG16* block; +#ifdef SHA1HANDSOFF +static unsigned char workspace[64]; + block = (CHAR64LONG16*)workspace; + memcpy(block, buffer, 64); +#else + block = (CHAR64LONG16*)buffer; +#endif + /* Copy context->state[] to working vars */ + a = state[0]; + b = state[1]; + c = state[2]; + d = state[3]; + e = state[4]; + /* 4 rounds of 20 operations each. Loop unrolled. */ + R0(a,b,c,d,e, 0); R0(e,a,b,c,d, 1); R0(d,e,a,b,c, 2); R0(c,d,e,a,b, 3); + R0(b,c,d,e,a, 4); R0(a,b,c,d,e, 5); R0(e,a,b,c,d, 6); R0(d,e,a,b,c, 7); + R0(c,d,e,a,b, 8); R0(b,c,d,e,a, 9); R0(a,b,c,d,e,10); R0(e,a,b,c,d,11); + R0(d,e,a,b,c,12); R0(c,d,e,a,b,13); R0(b,c,d,e,a,14); R0(a,b,c,d,e,15); + R1(e,a,b,c,d,16); R1(d,e,a,b,c,17); R1(c,d,e,a,b,18); R1(b,c,d,e,a,19); + R2(a,b,c,d,e,20); R2(e,a,b,c,d,21); R2(d,e,a,b,c,22); R2(c,d,e,a,b,23); + R2(b,c,d,e,a,24); R2(a,b,c,d,e,25); R2(e,a,b,c,d,26); R2(d,e,a,b,c,27); + R2(c,d,e,a,b,28); R2(b,c,d,e,a,29); R2(a,b,c,d,e,30); R2(e,a,b,c,d,31); + R2(d,e,a,b,c,32); R2(c,d,e,a,b,33); R2(b,c,d,e,a,34); R2(a,b,c,d,e,35); + R2(e,a,b,c,d,36); R2(d,e,a,b,c,37); R2(c,d,e,a,b,38); R2(b,c,d,e,a,39); + R3(a,b,c,d,e,40); R3(e,a,b,c,d,41); R3(d,e,a,b,c,42); R3(c,d,e,a,b,43); + R3(b,c,d,e,a,44); R3(a,b,c,d,e,45); R3(e,a,b,c,d,46); R3(d,e,a,b,c,47); + R3(c,d,e,a,b,48); R3(b,c,d,e,a,49); R3(a,b,c,d,e,50); R3(e,a,b,c,d,51); + R3(d,e,a,b,c,52); R3(c,d,e,a,b,53); R3(b,c,d,e,a,54); R3(a,b,c,d,e,55); + R3(e,a,b,c,d,56); R3(d,e,a,b,c,57); R3(c,d,e,a,b,58); R3(b,c,d,e,a,59); + R4(a,b,c,d,e,60); R4(e,a,b,c,d,61); R4(d,e,a,b,c,62); R4(c,d,e,a,b,63); + R4(b,c,d,e,a,64); R4(a,b,c,d,e,65); R4(e,a,b,c,d,66); R4(d,e,a,b,c,67); + R4(c,d,e,a,b,68); R4(b,c,d,e,a,69); R4(a,b,c,d,e,70); R4(e,a,b,c,d,71); + R4(d,e,a,b,c,72); R4(c,d,e,a,b,73); R4(b,c,d,e,a,74); R4(a,b,c,d,e,75); + R4(e,a,b,c,d,76); R4(d,e,a,b,c,77); R4(c,d,e,a,b,78); R4(b,c,d,e,a,79); + /* Add the working vars back into context.state[] */ + state[0] += a; + state[1] += b; + state[2] += c; + state[3] += d; + state[4] += e; + /* Wipe variables */ + a = b = c = d = e = 0; +} + + +/* SHA1Init - Initialize new context */ + +void SHA1Init(SHA1_CTX* context) +{ + /* SHA1 initialization constants */ + context->state[0] = 0x67452301; + context->state[1] = 0xEFCDAB89; + context->state[2] = 0x98BADCFE; + context->state[3] = 0x10325476; + context->state[4] = 0xC3D2E1F0; + context->count[0] = context->count[1] = 0; +} + + +/* Run your data through this. */ + +void SHA1Update(SHA1_CTX* context, const unsigned char* data, unsigned int len) +{ +unsigned int i, j; + + j = (context->count[0] >> 3) & 63; + if ((context->count[0] += len << 3) < (len << 3)) context->count[1]++; + context->count[1] += (len >> 29); + if ((j + len) > 63) { + memcpy(&context->buffer[j], data, (i = 64-j)); + SHA1Transform(context->state, context->buffer); + for ( ; i + 63 < len; i += 64) { + SHA1Transform(context->state, &data[i]); + } + j = 0; + } + else i = 0; + memcpy(&context->buffer[j], &data[i], len - i); +} + + +/* Add padding and return the message digest. */ + +void SHA1Final(unsigned char digest[20], SHA1_CTX* context) +{ +uint32 i, j; +unsigned char finalcount[8]; + + for (i = 0; i < 8; i++) { + finalcount[i] = (unsigned char)((context->count[(i >= 4 ? 0 : 1)] + >> ((3-(i & 3)) * 8) ) & 255); /* Endian independent */ + } + SHA1Update(context, (unsigned char *)"\200", 1); + while ((context->count[0] & 504) != 448) { + SHA1Update(context, (unsigned char *)"\0", 1); + } + SHA1Update(context, finalcount, 8); /* Should cause a SHA1Transform() */ + for (i = 0; i < 20; i++) { + digest[i] = (unsigned char) + ((context->state[i>>2] >> ((3-(i & 3)) * 8) ) & 255); + } + /* Wipe variables */ + i = j = 0; + memset(context->buffer, 0, 64); + memset(context->state, 0, 20); + memset(context->count, 0, 8); + memset(&finalcount, 0, 8); +#ifdef SHA1HANDSOFF /* make SHA1Transform overwrite it's own static vars */ + SHA1Transform(context->state, context->buffer); +#endif +} +#endif /* OPENSSL */ diff --git a/3rd_party/libsrp6a-sha512/t_sha.h b/3rd_party/libsrp6a-sha512/t_sha.h new file mode 100644 index 0000000..18deec5 --- /dev/null +++ b/3rd_party/libsrp6a-sha512/t_sha.h @@ -0,0 +1,125 @@ +#ifndef T_SHA_H +#define T_SHA_H + +#if !defined(P) +#ifdef __STDC__ +#define P(x) x +#else +#define P(x) () +#endif +#endif + +#define SHA_DIGESTSIZE 20 + +#ifdef OPENSSL +#define OPENSSL_SHA 1 +#endif + +#ifdef TOMCRYPT +# include +# ifdef SHA1 +# define TOMCRYPT_SHA 1 +# endif +#endif + +#ifdef CRYPTOLIB +/* The SHA (shs) implementation in CryptoLib 1.x breaks when Update + * is called multiple times, so we still use our own code. + * Uncomment below if you think your copy of CryptoLib is fixed. */ +/*#define CRYPTOLIB_SHA 1*/ +#endif + +#ifdef GCRYPT +# define GCRYPT_SHA 1 +#endif + +#ifdef MBEDTLS +# define MBEDTLS_SHA 1 +#endif + +#ifdef OPENSSL_SHA +#include + +typedef SHA_CTX SHA1_CTX; +#define SHA1Init SHA1_Init +#define SHA1Update SHA1_Update +#define SHA1Final SHA1_Final + +#define SHA512Init SHA512_Init +#define SHA512Update SHA512_Update +#define SHA512Final SHA512_Final + +#elif defined(TOMCRYPT_SHA) +/* mycrypt.h already included above */ + +typedef hash_state SHA1_CTX; +#define SHA1Init sha1_init +#define SHA1Update sha1_process +#define SHA1Final(D,C) sha1_done(C,D) + +#elif defined(GCRYPT_SHA) +#include "gcrypt.h" + +typedef gcry_md_hd_t SHA1_CTX; +#define SHA1Init SHA1Init_gcry +#define SHA1Update SHA1Update_gcry +#define SHA1Final SHA1Final_gcry +typedef gcry_md_hd_t SHA512_CTX; +#define SHA512Init SHA512Init_gcry +#define SHA512Update SHA512Update_gcry +#define SHA512Final SHA512Final_gcry + +void SHA1Init_gcry(SHA1_CTX * ctx); +void SHA1Update_gcry(SHA1_CTX * ctx, const void *data, unsigned int len); +void SHA1Final_gcry(unsigned char digest[20], SHA1_CTX * ctx); + +void SHA512Init_gcry(SHA512_CTX * ctx); +void SHA512Update_gcry(SHA512_CTX * ctx, const void *data, unsigned int len); +void SHA512Final_gcry(unsigned char digest[64], SHA512_CTX * ctx); + +#elif defined(MBEDTLS_SHA) +#include + +typedef mbedtls_md_context_t SHA1_CTX; +#define SHA1Init SHA1Init_mbed +#define SHA1Update SHA1Update_mbed +#define SHA1Final SHA1Final_mbed + +typedef mbedtls_md_context_t SHA512_CTX; +#define SHA512Init SHA512Init_mbed +#define SHA512Update SHA512Update_mbed +#define SHA512Final SHA512Final_mbed + +void SHA1Init_mbed(SHA1_CTX * ctx); +void SHA1Update_mbed(SHA1_CTX * ctx, const void *data, unsigned int len); +void SHA1Final_mbed(unsigned char digest[20], SHA1_CTX * ctx); + +void SHA512Init_mbed(SHA512_CTX * ctx); +void SHA512Update_mbed(SHA512_CTX * ctx, const void *data, unsigned int len); +void SHA512Final_mbed(unsigned char digest[64], SHA512_CTX * ctx); + +#elif defined(CRYPTOLIB_SHA) +#include "libcrypt.h" + +typedef SHS_CTX SHA1_CTX; +#define SHA1Init shsInit +#define SHA1Update shsUpdate +#define SHA1Final shsFinalBytes + +void shsFinalBytes P((unsigned char digest[20], SHS_CTX* context)); + +#else +typedef unsigned int uint32; + +typedef struct { + uint32 state[5]; + uint32 count[2]; + unsigned char buffer[64]; +} SHA1_CTX; + +void SHA1Init P((SHA1_CTX* context)); +void SHA1Update P((SHA1_CTX* context, const unsigned char* data, unsigned int len)); +void SHA1Final P((unsigned char digest[20], SHA1_CTX* context)); +#endif /* !OPENSSL && !CRYPTOLIB */ + +#endif /* T_SHA_H */ diff --git a/3rd_party/libsrp6a-sha512/t_truerand.c b/3rd_party/libsrp6a-sha512/t_truerand.c new file mode 100644 index 0000000..2617b5e --- /dev/null +++ b/3rd_party/libsrp6a-sha512/t_truerand.c @@ -0,0 +1,241 @@ +/* + * Physically random numbers (very nearly uniform) + * D. P. Mitchell + * Modified by Matt Blaze 7/95 + */ +/* + * The authors of this software are Don Mitchell and Matt Blaze. + * Copyright (c) 1995 by AT&T. + * Permission to use, copy, and modify this software without fee + * is hereby granted, provided that this entire notice is included in + * all copies of any software which is or includes a copy or + * modification of this software and in all copies of the supporting + * documentation for such software. + * + * This software may be subject to United States export controls. + * + * THIS SOFTWARE IS BEING PROVIDED "AS IS", WITHOUT ANY EXPRESS OR IMPLIED + * WARRANTY. IN PARTICULAR, NEITHER THE AUTHORS NOR AT&T MAKE ANY + * REPRESENTATION OR WARRANTY OF ANY KIND CONCERNING THE MERCHANTABILITY + * OF THIS SOFTWARE OR ITS FITNESS FOR ANY PARTICULAR PURPOSE. + */ + +/* + * WARNING: depending on the particular platform, raw_truerand() + * output may be biased or correlated. In general, you can expect + * about 16 bits of "pseudo-entropy" out of each 32 bit word returned + * by truerand(), but it may not be uniformly diffused. You should + * raw_therefore run the output through some post-whitening function + * (like MD5 or DES or whatever) before using it to generate key + * material. (RSAREF's random package does this for you when you feed + * raw_truerand() bits to the seed input function.) + * + * The application interface, for 8, 16, and 32 bit properly "whitened" + * random numbers, can be found in trand8(), trand16(), and trand32(). + * Use those instead of calling raw_truerand() directly. + * + * The basic idea here is that between clock "skew" and various + * hard-to-predict OS event arrivals, counting a tight loop will yield + * a little (maybe a third of a bit or so) of "good" randomness per + * interval clock tick. This seems to work well even on unloaded + * machines. If there is a human operator at the machine, you should + * augment truerand with other measure, like keyboard event timing. + * On server machines (e.g., when you need to generate a + * Diffie-Hellman secret) truerand alone may be good enough. + * + * Test these assumptions on your own platform before fielding a + * system based on this software or these techniques. + * + * This software seems to work well (at 10 or so bits per + * raw_truerand() call) on a Sun Sparc-20 under SunOS 4.1.3 and on a + * P100 under BSDI 2.0. You're on your own elsewhere. + * + */ + +#include "t_defines.h" + +#ifdef WIN32 + +# ifdef CRYPTOLIB + +/* Cryptolib contains its own truerand() on both UNIX and Windows. */ +/* Only use cryptolib's truerand under Windows */ + +# include "libcrypt.h" + +unsigned long +raw_truerand() +{ + return truerand(); +} + +# else /* !CRYPTOLIB && WIN32 */ + +#include +#include +#include +#include +#include +#include + +volatile unsigned long count, ocount, randbuf; +volatile int dontstop; +char outbuf[1024], *bufp; + +static void counter() { + while (dontstop) + count++; + _endthread(); +} + + +static unsigned long roulette() { + unsigned long thread; + + count = 0; + dontstop= 1; + while ((thread = _beginthread((void *)counter, 1024, NULL)) < 0) + ; + + Sleep(16); + dontstop = 0; + Sleep(1); + + count ^= (count>>3) ^ (count>>6) ^ (ocount); + count &= 0x7; + ocount = count; + randbuf = (randbuf<<3) ^ count; + return randbuf; +} + + +unsigned long +raw_truerand() { + + roulette(); + roulette(); + roulette(); + roulette(); + roulette(); + roulette(); + roulette(); + roulette(); + roulette(); + roulette(); + return roulette(); +} + +# endif /* CRYPTOLIB */ + +#else /* !WIN32 */ + +#include +#include +#include +#include +#include + +#ifdef OLD_TRUERAND +static jmp_buf env; +#endif +static unsigned volatile count +#ifndef OLD_TRUERAND + , done = 0 +#endif +; + +static unsigned ocount; +static unsigned buffer; + +static void +tick() +{ + struct itimerval it, oit; + + it.it_interval.tv_sec = 0; + it.it_interval.tv_usec = 0; + it.it_value.tv_sec = 0; + it.it_value.tv_usec = 16665; + if (setitimer(ITIMER_REAL, &it, &oit) < 0) + perror("tick"); +} + +static void +interrupt() +{ + if (count) { +#ifdef OLD_TRUERAND + longjmp(env, 1); +#else + ++done; + return; +#endif + } + + (void) signal(SIGALRM, interrupt); + tick(); +} + +static unsigned long +roulette() +{ +#ifdef OLD_TRUERAND + if (setjmp(env)) { + count ^= (count>>3) ^ (count>>6) ^ ocount; + count &= 0x7; + ocount=count; + buffer = (buffer<<3) ^ count; + return buffer; + } +#else + done = 0; +#endif + (void) signal(SIGALRM, interrupt); + count = 0; + tick(); +#ifdef OLD_TRUERAND + for (;;) +#else + while(done == 0) +#endif + count++; /* about 1 MHz on VAX 11/780 */ +#ifndef OLD_TRUERAND + count ^= (count>>3) ^ (count>>6) ^ ocount; + count &= 0x7; + ocount=count; + buffer = (buffer<<3) ^ count; + return buffer; +#endif +} + +unsigned long +raw_truerand() +{ + count=0; + (void) roulette(); + (void) roulette(); + (void) roulette(); + (void) roulette(); + (void) roulette(); + (void) roulette(); + (void) roulette(); + (void) roulette(); + (void) roulette(); + (void) roulette(); + return roulette(); +} + +int +raw_n_truerand(n) +int n; +{ + int slop, v; + + slop = 0x7FFFFFFF % n; + do { + v = raw_truerand() >> 1; + } while (v <= slop); + return v % n; +} + +#endif /* !CRYPTOLIB || !WIN32 */ diff --git a/Makefile.am b/Makefile.am index a50777a..4ef0813 100644 --- a/Makefile.am +++ b/Makefile.am @@ -1,6 +1,6 @@ AUTOMAKE_OPTIONS = foreign ACLOCAL_AMFLAGS = -I m4 -SUBDIRS = common src include $(CYTHON_SUB) tools docs +SUBDIRS = 3rd_party common src include $(CYTHON_SUB) tools docs EXTRA_DIST = \ docs \ diff --git a/configure.ac b/configure.ac index cdd388b..8fb032d 100644 --- a/configure.ac +++ b/configure.ac @@ -39,7 +39,7 @@ PKG_CHECK_MODULES(libplist, libplist-2.0 >= $LIBPLIST_VERSION) PKG_CHECK_MODULES(limd_glue, libimobiledevice-glue-1.0 >= $LIMD_GLUE_VERSION) # Checks for header files. -AC_CHECK_HEADERS([stdint.h stdlib.h string.h gcrypt.h]) +AC_CHECK_HEADERS([stdint.h stdlib.h string.h sys/time.h]) # Checks for typedefs, structures, and compiler characteristics. AC_C_CONST @@ -64,6 +64,8 @@ if test "x$ac_cv_have_endian_h" = "xno"; then fi fi +AC_CHECK_DECL([plist_from_json], [AC_DEFINE([HAVE_PLIST_JSON], [1], [Define if libplist has JSON support])], [], [[#include ]]) + # Check for operating system AC_MSG_CHECKING([for platform-specific build settings]) case ${host_os} in @@ -74,6 +76,7 @@ case ${host_os} in ;; darwin*) AC_MSG_RESULT([${host_os}]) + darwin=true ;; *) AC_MSG_RESULT([${host_os}]) @@ -82,6 +85,7 @@ case ${host_os} in ;; esac AM_CONDITIONAL(WIN32, test x$win32 = xtrue) +AM_CONDITIONAL(DARWIN, test x$darwin = xtrue) # Check if the C compiler supports __attribute__((constructor)) AC_CACHE_CHECK([wether the C compiler supports constructor/destructor attributes], @@ -219,9 +223,10 @@ else pkg_req_gnutls="gnutls >= 2.2.0" pkg_req_libtasn1="libtasn1 >= 1.1" PKG_CHECK_MODULES(libgnutls, $pkg_req_gnutls) + AC_CHECK_HEADERS([gcrypt.h]) AC_CHECK_LIB(gcrypt, gcry_control, [AC_SUBST(libgcrypt_LIBS,[-lgcrypt])], [AC_MSG_ERROR([libgcrypt is required to build libimobiledevice with GnuTLS])]) PKG_CHECK_MODULES(libtasn1, $pkg_req_libtasn1) - + AC_DEFINE(HAVE_GCRYPT, 1, [Define if you have libgcrypt support]) AC_DEFINE(HAVE_GNUTLS, 1, [Define if you have GnuTLS support]) ssl_lib_CFLAGS="$libgnutls_CFLAGS $libtasn1_CFLAGS $libgcrypt_CFLAGS" ssl_lib_LIBS="$libgnutls_LIBS $libtasn1_LIBS $libgcrypt_LIBS" @@ -235,6 +240,17 @@ else fi fi fi +AM_CONDITIONAL(HAVE_MBEDTLS, test "x$use_mbedtls" == "xyes") +AM_CONDITIONAL(HAVE_OPENSSL, test "x$use_openssl" == "xyes") +AM_CONDITIONAL(HAVE_GCRYPT, test "x$use_gnutls" == "xyes") + +AC_ARG_ENABLE([wireless-pairing], + [AS_HELP_STRING([--disable-wireless-pairing], + [Do not build with wirless pairing support (default is yes)])]) +if test "$enable_wireless_pairing" != "no"; then + AC_DEFINE(HAVE_WIRELESS_PAIRING,1,[Define if building with wireless pairing support]) +fi +AM_CONDITIONAL(HAVE_WIRELESS_PAIRING, test "$enable_wireless_pairing" != "no") AC_ARG_ENABLE([debug], [AS_HELP_STRING([--enable-debug], @@ -263,6 +279,9 @@ m4_ifdef([AM_SILENT_RULES],[AM_SILENT_RULES([yes])]) AC_CONFIG_FILES([ Makefile +3rd_party/Makefile +3rd_party/ed25519/Makefile +3rd_party/libsrp6a-sha512/Makefile common/Makefile src/Makefile src/libimobiledevice-1.0.pc diff --git a/docs/idevicepair.1 b/docs/idevicepair.1 index 3576ce9..eb6e7d4 100644 --- a/docs/idevicepair.1 +++ b/docs/idevicepair.1 @@ -13,7 +13,13 @@ Manage host pairings with devices and usbmuxd. .TP .B \-u, \-\-udid UDID target specific device by UDID. -.TP +.TP +.B \-w, \-\-wireless +perform wireless pairing (\f[B]see NOTE\f[]). +.TP +.B \-n, \-\-network +connect to network device (\f[B]see NOTE\f[]). +.TP .B \-d, \-\-debug enable communication debugging. .TP @@ -43,6 +49,24 @@ unpair device with this host. .B list list devices paired with this host. +.SH NOTE +Pairing over network (wireless pairing) is only supported by Apple TV +devices. To perform a wireless pairing, you need to use the \f[B]\-w\f[] +command line switch. + +Make sure to put the device into pairing mode first by opening +Settings > Remotes and Devices > Remote App and Devices. + +The pairable device will become visible with a special UDID, and then you +can run idevicepair like this: + +.B idevicepair -u fffc8:ab:cd:12:34:56fff -w pair + +idevicepair will then ask for the PIN that the device is displaying and +continues with the pairing once entered. + +Please note that wireless pairing is currently not supported on Linux. + .SH AUTHORS Nikias Bassen diff --git a/include/endianness.h b/include/endianness.h index 1d414b3..099877a 100644 --- a/include/endianness.h +++ b/include/endianness.h @@ -109,4 +109,15 @@ #define htole64 le64toh #endif +#if (defined(__BIG_ENDIAN__) \ + && !defined(__FLOAT_WORD_ORDER__)) \ + || (defined(__FLOAT_WORD_ORDER__) \ + && __FLOAT_WORD_ORDER__ == __ORDER_BIG_ENDIAN__) +#define float_bswap64(x) bswap64(x) +#define float_bswap32(x) bswap32(x) +#else +#define float_bswap64(x) (x) +#define float_bswap32(x) (x) +#endif + #endif /* ENDIANNESS_H */ diff --git a/include/libimobiledevice/lockdown.h b/include/libimobiledevice/lockdown.h index c35e5e9..1569f44 100644 --- a/include/libimobiledevice/lockdown.h +++ b/include/libimobiledevice/lockdown.h @@ -100,6 +100,19 @@ struct lockdownd_service_descriptor { }; typedef struct lockdownd_service_descriptor *lockdownd_service_descriptor_t; + +typedef enum { + LOCKDOWN_CU_PAIRING_PIN_REQUESTED, /**< PIN requested: data_ptr is a char* buffer, and data_size points to the size of this buffer that must not be exceeded and has to be updated to the actual number of characters filled into the buffer. */ + LOCKDOWN_CU_PAIRING_DEVICE_INFO, /**< device information available: data_ptr is a plist_t, and data_size is ignored. The plist_t has to be copied if required, since it is freed when the callback function returns. */ + LOCKDOWN_CU_PAIRING_ERROR /**< pairing error message available: data_ptr is a NULL-terminated char* buffer containing the error message, and data_size is ignored. Buffer needs to be copied if it shall persist outside the callback. */ +} lockdownd_cu_pairing_cb_type_t; + +/* CU pairing callback function prototype */ +/** Callback used to supply the pairing PIN during a CU pairing session, + * and to report device information and pairing error messages. */ +typedef void (*lockdownd_cu_pairing_cb_t) (lockdownd_cu_pairing_cb_type_t cb_type, void *user_data, void* data_ptr, unsigned int* data_size); + + /* Interface */ /** @@ -399,6 +412,89 @@ lockdownd_error_t lockdownd_enter_recovery(lockdownd_client_t client); */ lockdownd_error_t lockdownd_goodbye(lockdownd_client_t client); +/** + * Creates a CU pairing session for the current lockdown client. + * This is required to allow lockdownd_cu_send_request_and_get_reply(), + * lockdownd_get_value_cu() and lockdonwd_pair_cu() requests, and eventually + * allows to perform an actual wireless pairing. + * + * Through the callback function, the PIN displayed on the device has to be + * supplied during the process. Currently, only AppleTV devices have this + * capability. + * + * @param client The lockdown client to perform the CU pairing for + * @param pairing_callback Callback function that is used to supply the PIN + * for the pairing process, but also to receive device information or + * pairing error messages. + * @param cb_user_data User data that will be passed as additional argument + * to the callback function. + * @param host_info (Optional) A dictionary containing host information to + * send to the device when finalizing the CU pairing. The supplied + * values will override the default values gathered for the current host. + * @param acl (Optional) A dictionary containing ACL information. Currently + * only com.apple.ScreenCapture:true and com.apple.developer:true are known + * valid ACL values, which are used as default when NULL is passed. + * + * @return LOCKDOWN_E_SUCCESS on success, LOCKDOWN_E_INVALID_ARG if one of the + * parameters is invalid, LOCKDOWN_E_PAIRING_FAILED if the pairing failed, + * or a LOCKDOWN_E_* error code otherwise. + */ +lockdownd_error_t lockdownd_cu_pairing_create(lockdownd_client_t client, lockdownd_cu_pairing_cb_t pairing_callback, void* cb_user_data, plist_t host_info, plist_t acl); + +/** + * Sends a request via lockdown client with established CU pairing session + * and attempts to retrieve a reply. This function is used internally + * by lockdownd_get_value_cu() and lockdownd_pair_cu(), but exposed here to + * allow custom requests being sent and their replies being received. + * + * @param client A lockdown client with an established CU pairing. + * @param request The request to perform. + * @param request_payload The payload for the request. + * @param reply (Optional) If not NULL, the plist_t will be set to the reply + * dictionary that has been received. Consumer is responsible to free it + * using plist_free() when no longer required. + * + * @return LOCKDOWN_E_SUCCESS on success, LOCKDOWN_E_INVALID_ARG if one of the + * parameters is invalid, LOCKDOWN_E_NO_RUNNING_SESSION if the current + * lockdown client does not have an established CU pairing session, + * or a LOCKDOWN_E_* error code otherwise. + */ +lockdownd_error_t lockdownd_cu_send_request_and_get_reply(lockdownd_client_t client, const char* request, plist_t request_payload, plist_t* reply); + +/** + * Retrieves a value using an optional domain and/or key name from a lockdown + * client with established CU pairing session. + * + * This is used to retrieve values that are only accessible after a CU pairing + * has been established, and would otherwise only be accessible with a valid + * device pairing. + * + * @param client A lockdown client with an established CU pairing. + * @param domain The domain to query on or NULL for global domain + * @param key The key name to request or NULL to query for all keys + * @param value A plist node representing the result value node + * + * @return LOCKDOWN_E_SUCCESS on success, LOCKDOWN_E_INVALID_ARG if one of the + * parameters is invalid, LOCKDOWN_E_NO_RUNNING_SESSION if the current + * lockdown client does not have an established CU pairing session, + * or a LOCKDOWN_E_* error code otherwise. + */ +lockdownd_error_t lockdownd_get_value_cu(lockdownd_client_t client, const char* domain, const char* key, plist_t* value); + +/** + * Perform a device pairing with a lockdown client that has an established + * CU pairing session. + * + * @param client A lockdown client with an established CU pairing. + * + * @return LOCKDOWN_E_SUCCESS on success, LOCKDOWN_E_INVALID_ARG when client + * is NULL, LOCKDOWN_E_NO_RUNNING_SESSION if the current lockdown client + * does not have an established CU pairing session, or a LOCKDOWN_E_* error + * code otherwise. + */ +lockdownd_error_t lockdownd_pair_cu(lockdownd_client_t client); + + /* Helper */ /** diff --git a/src/Makefile.am b/src/Makefile.am index 106eef7..13221b9 100644 --- a/src/Makefile.am +++ b/src/Makefile.am @@ -1,5 +1,7 @@ AM_CPPFLAGS = \ -I$(top_srcdir)/include \ + -I$(top_srcdir)/3rd_party/libsrp6a-sha512 \ + -I$(top_srcdir)/3rd_party/ed25519 \ -I$(top_srcdir) AM_CFLAGS = \ @@ -20,13 +22,20 @@ AM_LDFLAGS = \ lib_LTLIBRARIES = libimobiledevice-1.0.la libimobiledevice_1_0_la_LIBADD = $(top_builddir)/common/libinternalcommon.la +if HAVE_WIRELESS_PAIRING +libimobiledevice_1_0_la_LIBADD += $(top_builddir)/3rd_party/ed25519/libed25519.la $(top_builddir)/3rd_party/libsrp6a-sha512/libsrp6a-sha512.la +endif libimobiledevice_1_0_la_LDFLAGS = $(AM_LDFLAGS) -version-info $(LIBIMOBILEDEVICE_SO_VERSION) -no-undefined +if DARWIN +libimobiledevice_1_0_la_LDFLAGS += -framework CoreFoundation -framework SystemConfiguration +endif libimobiledevice_1_0_la_SOURCES = \ idevice.c idevice.h \ service.c service.h \ property_list_service.c property_list_service.h \ device_link_service.c device_link_service.h \ lockdown.c lockdown.h \ + lockdown-cu.c \ afc.c afc.h \ file_relay.c file_relay.h \ notification_proxy.c notification_proxy.h \ diff --git a/src/idevice.c b/src/idevice.c index 04189d6..64769d2 100644 --- a/src/idevice.c +++ b/src/idevice.c @@ -52,6 +52,7 @@ #include #include "idevice.h" +#include "lockdown.h" #include "common/userpref.h" #include "common/debug.h" @@ -864,7 +865,9 @@ LIBIMOBILEDEVICE_API idevice_error_t idevice_get_udid(idevice_t device, char **u if (!device || !udid) return IDEVICE_E_INVALID_ARG; - *udid = strdup(device->udid); + if (device->udid) { + *udid = strdup(device->udid); + } return IDEVICE_E_SUCCESS; } diff --git a/src/lockdown-cu.c b/src/lockdown-cu.c new file mode 100644 index 0000000..cdaf02c --- /dev/null +++ b/src/lockdown-cu.c @@ -0,0 +1,1192 @@ +/* + * lockdown-cu.c + * com.apple.mobile.lockdownd service CU additions + * + * Copyright (c) 2021 Nikias Bassen, All Rights Reserved. + * + * This library is free software; you can redistribute it and/or + * modify it under the terms of the GNU Lesser General Public + * License as published by the Free Software Foundation; either + * version 2.1 of the License, or (at your option) any later version. + * + * This library is distributed in the hope that it will be useful, + * but WITHOUT ANY WARRANTY; without even the implied warranty of + * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU + * Lesser General Public License for more details. + * + * You should have received a copy of the GNU Lesser General Public + * License along with this library; if not, write to the Free Software + * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA + */ + +#ifdef HAVE_CONFIG_H +#include +#endif + +#include +#include +#define _GNU_SOURCE 1 +#define __USE_GNU 1 +#include +#include +#include +#include + +#include "idevice.h" +#include "lockdown.h" +#include "common/debug.h" + +#ifdef HAVE_WIRELESS_PAIRING + +#include +#include +#include +#include + +#if defined(HAVE_OPENSSL) +#include +#include +#include +#if defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2030200fL) +#include +#include +#endif +#elif defined(HAVE_GCRYPT) +#include +#elif defined(HAVE_MBEDTLS) +#include +#include +#endif + +#ifdef __APPLE__ +#include +#include +#include +#endif + +#include "property_list_service.h" +#include "common/userpref.h" + +#include "endianness.h" + +#include "srp.h" +#include "ed25519.h" + +/* {{{ SRP6a parameters */ +static const unsigned char kSRPModulus3072[384] = { + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xc9, 0x0f, 0xda, 0xa2, 0x21, 0x68, 0xc2, 0x34, + 0xc4, 0xc6, 0x62, 0x8b, 0x80, 0xdc, 0x1c, 0xd1, 0x29, 0x02, 0x4e, 0x08, 0x8a, 0x67, 0xcc, 0x74, + 0x02, 0x0b, 0xbe, 0xa6, 0x3b, 0x13, 0x9b, 0x22, 0x51, 0x4a, 0x08, 0x79, 0x8e, 0x34, 0x04, 0xdd, + 0xef, 0x95, 0x19, 0xb3, 0xcd, 0x3a, 0x43, 0x1b, 0x30, 0x2b, 0x0a, 0x6d, 0xf2, 0x5f, 0x14, 0x37, + 0x4f, 0xe1, 0x35, 0x6d, 0x6d, 0x51, 0xc2, 0x45, 0xe4, 0x85, 0xb5, 0x76, 0x62, 0x5e, 0x7e, 0xc6, + 0xf4, 0x4c, 0x42, 0xe9, 0xa6, 0x37, 0xed, 0x6b, 0x0b, 0xff, 0x5c, 0xb6, 0xf4, 0x06, 0xb7, 0xed, + 0xee, 0x38, 0x6b, 0xfb, 0x5a, 0x89, 0x9f, 0xa5, 0xae, 0x9f, 0x24, 0x11, 0x7c, 0x4b, 0x1f, 0xe6, + 0x49, 0x28, 0x66, 0x51, 0xec, 0xe4, 0x5b, 0x3d, 0xc2, 0x00, 0x7c, 0xb8, 0xa1, 0x63, 0xbf, 0x05, + 0x98, 0xda, 0x48, 0x36, 0x1c, 0x55, 0xd3, 0x9a, 0x69, 0x16, 0x3f, 0xa8, 0xfd, 0x24, 0xcf, 0x5f, + 0x83, 0x65, 0x5d, 0x23, 0xdc, 0xa3, 0xad, 0x96, 0x1c, 0x62, 0xf3, 0x56, 0x20, 0x85, 0x52, 0xbb, + 0x9e, 0xd5, 0x29, 0x07, 0x70, 0x96, 0x96, 0x6d, 0x67, 0x0c, 0x35, 0x4e, 0x4a, 0xbc, 0x98, 0x04, + 0xf1, 0x74, 0x6c, 0x08, 0xca, 0x18, 0x21, 0x7c, 0x32, 0x90, 0x5e, 0x46, 0x2e, 0x36, 0xce, 0x3b, + 0xe3, 0x9e, 0x77, 0x2c, 0x18, 0x0e, 0x86, 0x03, 0x9b, 0x27, 0x83, 0xa2, 0xec, 0x07, 0xa2, 0x8f, + 0xb5, 0xc5, 0x5d, 0xf0, 0x6f, 0x4c, 0x52, 0xc9, 0xde, 0x2b, 0xcb, 0xf6, 0x95, 0x58, 0x17, 0x18, + 0x39, 0x95, 0x49, 0x7c, 0xea, 0x95, 0x6a, 0xe5, 0x15, 0xd2, 0x26, 0x18, 0x98, 0xfa, 0x05, 0x10, + 0x15, 0x72, 0x8e, 0x5a, 0x8a, 0xaa, 0xc4, 0x2d, 0xad, 0x33, 0x17, 0x0d, 0x04, 0x50, 0x7a, 0x33, + 0xa8, 0x55, 0x21, 0xab, 0xdf, 0x1c, 0xba, 0x64, 0xec, 0xfb, 0x85, 0x04, 0x58, 0xdb, 0xef, 0x0a, + 0x8a, 0xea, 0x71, 0x57, 0x5d, 0x06, 0x0c, 0x7d, 0xb3, 0x97, 0x0f, 0x85, 0xa6, 0xe1, 0xe4, 0xc7, + 0xab, 0xf5, 0xae, 0x8c, 0xdb, 0x09, 0x33, 0xd7, 0x1e, 0x8c, 0x94, 0xe0, 0x4a, 0x25, 0x61, 0x9d, + 0xce, 0xe3, 0xd2, 0x26, 0x1a, 0xd2, 0xee, 0x6b, 0xf1, 0x2f, 0xfa, 0x06, 0xd9, 0x8a, 0x08, 0x64, + 0xd8, 0x76, 0x02, 0x73, 0x3e, 0xc8, 0x6a, 0x64, 0x52, 0x1f, 0x2b, 0x18, 0x17, 0x7b, 0x20, 0x0c, + 0xbb, 0xe1, 0x17, 0x57, 0x7a, 0x61, 0x5d, 0x6c, 0x77, 0x09, 0x88, 0xc0, 0xba, 0xd9, 0x46, 0xe2, + 0x08, 0xe2, 0x4f, 0xa0, 0x74, 0xe5, 0xab, 0x31, 0x43, 0xdb, 0x5b, 0xfc, 0xe0, 0xfd, 0x10, 0x8e, + 0x4b, 0x82, 0xd1, 0x20, 0xa9, 0x3a, 0xd2, 0xca, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, +}; + +static const unsigned char kSRPGenerator5 = 5; +/* }}} */ + +/* {{{ HKDF */ +#if defined(HAVE_OPENSSL) +#define MD_ALGO_SHA512 EVP_sha512() +typedef const EVP_MD* MD_ALGO_TYPE_T; +#define MD_ALGO_DIGEST_SIZE EVP_MD_size +#define MD_MAX_DIGEST_SIZE EVP_MAX_MD_SIZE + +#elif defined(HAVE_GCRYPT) +#define MD_ALGO_SHA512 GCRY_MD_SHA512 +typedef int MD_ALGO_TYPE_T; +#define MD_ALGO_DIGEST_SIZE gcry_md_get_algo_dlen +#define MD_MAX_DIGEST_SIZE 64 + +static void HMAC(MD_ALGO_TYPE_T md, unsigned char* key, unsigned int key_len, unsigned char* data, unsigned int data_len, unsigned char* out, unsigned int* out_len) +{ + gcry_md_hd_t hd; + if (gcry_md_open(&hd, md, GCRY_MD_FLAG_HMAC)) { + debug_info("gcry_md_open() failed"); + return; + } + if (gcry_md_setkey(hd, key, key_len)) { + gcry_md_close (hd); + debug_info("gcry_md_setkey() failed"); + return; + } + gcry_md_write(hd, data, data_len); + + unsigned char* digest = gcry_md_read(hd, md); + if (!digest) { + gcry_md_close(hd); + debug_info("gcry_md_read() failed"); + return; + } + + *out_len = gcry_md_get_algo_dlen(md); + memcpy(out, digest, *out_len); + gcry_md_close(hd); +} +#elif defined(HAVE_MBEDTLS) +#define MD_ALGO_SHA512 MBEDTLS_MD_SHA512 +typedef mbedtls_md_type_t MD_ALGO_TYPE_T; +#define MD_ALGO_DIGEST_SIZE(x) mbedtls_md_get_size(mbedtls_md_info_from_type(x)) +#define MD_MAX_DIGEST_SIZE MBEDTLS_MD_MAX_SIZE + +static void HMAC(MD_ALGO_TYPE_T md, unsigned char* key, unsigned int key_len, unsigned char* data, unsigned int data_len, unsigned char* out, unsigned int* out_len) +{ + mbedtls_md_context_t mdctx; + mbedtls_md_init(&mdctx); + int mr = mbedtls_md_setup(&mdctx, mbedtls_md_info_from_type(md), 1); + if (mr != 0) { + debug_info("mbedtls_md_setup() failed: %d", mr); + return; + } + + mr = mbedtls_md_hmac_starts(&mdctx, key, key_len); + if (mr != 0) { + mbedtls_md_free(&mdctx); + debug_info("mbedtls_md_hmac_starts() failed: %d", mr); + return; + } + + mbedtls_md_hmac_update(&mdctx, data, data_len); + + mr = mbedtls_md_hmac_finish(&mdctx, out); + if (mr == 0) { + *out_len = mbedtls_md_get_size(mbedtls_md_info_from_type(md)); + } else { + debug_info("mbedtls_md_hmac_finish() failed: %d", mr); + } + mbedtls_md_free(&mdctx); +} +#endif + +static void hkdf_md_extract(MD_ALGO_TYPE_T md, unsigned char* salt, unsigned int salt_len, unsigned char* input_key_material, unsigned int input_key_material_len, unsigned char* out, unsigned int* out_len) +{ + unsigned char empty_salt[MD_MAX_DIGEST_SIZE]; + if (!md || !out || !out_len || !*out_len) return; + if (salt_len == 0) { + salt_len = MD_ALGO_DIGEST_SIZE(md); + salt = (unsigned char*)empty_salt; + } + HMAC(md, salt, salt_len, input_key_material, input_key_material_len, out, out_len); +} + +static void hkdf_md_expand(MD_ALGO_TYPE_T md, unsigned char* prk, unsigned int prk_len, unsigned char* info, unsigned int info_len, unsigned char* out, unsigned int* out_len) +{ + if (!md || !out || !out_len || !*out_len) return; + unsigned int md_size = MD_ALGO_DIGEST_SIZE(md); + if (*out_len > 255 * md_size) { + *out_len = 0; + return; + } + int blocks_needed = (*out_len) / md_size; + if (((*out_len) % md_size) != 0) blocks_needed++; + unsigned int okm_len = 0; + unsigned char okm_block[MD_MAX_DIGEST_SIZE]; + unsigned int okm_block_len = 0; + int i; + for (i = 0; i < blocks_needed; i++) { + unsigned int output_block_len = okm_block_len + info_len + 1; + unsigned char* output_block = malloc(output_block_len); + if (okm_block_len > 0) { + memcpy(output_block, okm_block, okm_block_len); + } + memcpy(output_block + okm_block_len, info, info_len); + output_block[okm_block_len + info_len] = (uint8_t)(i+1); + + HMAC(md, prk, prk_len, output_block, output_block_len, okm_block, &okm_block_len); + if (okm_len < *out_len) { + memcpy(out + okm_len, okm_block, (okm_len + okm_block_len > *out_len) ? *out_len - okm_len : okm_block_len); + } + okm_len += okm_block_len; + free(output_block); + } +} + +static void hkdf_md(MD_ALGO_TYPE_T md, unsigned char* salt, unsigned int salt_len, unsigned char* info, unsigned int info_len, unsigned char* initial_key_material, unsigned int initial_key_material_size, unsigned char* out, unsigned int *out_len) +{ + if (!md || !initial_key_material || !out || !out_len || !*out_len) return; + + unsigned char prk[MD_MAX_DIGEST_SIZE]; + unsigned int prk_len = MD_ALGO_DIGEST_SIZE(md); + + hkdf_md_extract(md, salt, salt_len, initial_key_material, initial_key_material_size, prk, &prk_len); + if (prk_len > 0) { + hkdf_md_expand(md, prk, prk_len, info, info_len, out, out_len); + } else { + *out_len = 0; + } +} +/* }}} */ + +/* {{{ chacha20 poly1305 encryption/decryption */ +#if defined(HAVE_OPENSSL) && defined(LIBRESSL_VERSION_NUMBER) && (LIBRESSL_VERSION_NUMBER < 0x2030200fL) +/* {{{ From: OpenBSD's e_chacha20poly1305.c */ +/* + * Copyright (c) 2015 Reyk Floter + * Copyright (c) 2014, Google Inc. + * + * Permission to use, copy, modify, and/or distribute this software for any + * purpose with or without fee is hereby granted, provided that the above + * copyright notice and this permission notice appear in all copies. + * + * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES + * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF + * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY + * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES + * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION + * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN + * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. + */ +static void +poly1305_update_with_length(poly1305_state *poly1305, + const unsigned char *data, size_t data_len) +{ + size_t j = data_len; + unsigned char length_bytes[8]; + unsigned i; + + for (i = 0; i < sizeof(length_bytes); i++) { + length_bytes[i] = j; + j >>= 8; + } + + if (data != NULL) + CRYPTO_poly1305_update(poly1305, data, data_len); + CRYPTO_poly1305_update(poly1305, length_bytes, sizeof(length_bytes)); +} + +static void +poly1305_update_with_pad16(poly1305_state *poly1305, + const unsigned char *data, size_t data_len) +{ + static const unsigned char zero_pad16[16]; + size_t pad_len; + + CRYPTO_poly1305_update(poly1305, data, data_len); + + /* pad16() is defined in RFC 7539 2.8.1. */ + if ((pad_len = data_len % 16) == 0) + return; + + CRYPTO_poly1305_update(poly1305, zero_pad16, 16 - pad_len); +} +/* }}} */ +#endif + +static void chacha20_poly1305_encrypt_96(unsigned char* key, unsigned char* nonce, unsigned char* ad, size_t ad_len, unsigned char* in, size_t in_len, unsigned char* out, size_t* out_len) +{ +#if defined(HAVE_OPENSSL) +#if defined(LIBRESSL_VERSION_NUMBER) +#if (LIBRESSL_VERSION_NUMBER >= 0x2040000fL) + const EVP_AEAD *aead = EVP_aead_chacha20_poly1305(); + EVP_AEAD_CTX ctx; + EVP_AEAD_CTX_init(&ctx, aead, key, EVP_AEAD_key_length(aead), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL); + EVP_AEAD_CTX_seal(&ctx, out, out_len, *out_len, nonce, 12, in, in_len, ad, ad_len); +#else + unsigned char poly1305_key[32]; + poly1305_state poly1305; + uint64_t ctr = (uint64_t)(nonce[0] | nonce[1] << 8 | nonce[2] << 16 | nonce[3] << 24) << 32; + const unsigned char* iv = nonce + 4; + + memset(poly1305_key, 0, sizeof(poly1305_key)); + CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), key, iv, ctr); + + CRYPTO_poly1305_init(&poly1305, poly1305_key); + poly1305_update_with_pad16(&poly1305, ad, ad_len); + CRYPTO_chacha_20(out, in, in_len, key, iv, ctr + 1); + poly1305_update_with_pad16(&poly1305, out, in_len); + poly1305_update_with_length(&poly1305, NULL, ad_len); + poly1305_update_with_length(&poly1305, NULL, in_len); + + CRYPTO_poly1305_finish(&poly1305, out + in_len); + + *out_len = in_len + 16; +#endif +#elif defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L) + int outl = 0; + EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new(); + EVP_EncryptInit_ex(ctx, EVP_chacha20_poly1305(), NULL, key, nonce); + EVP_EncryptUpdate(ctx, out, &outl, in, in_len); + *out_len = outl; + outl = 0; + EVP_EncryptFinal_ex(ctx, out + *out_len, &outl); + *out_len += outl; + EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_GET_TAG, 16, out + *out_len); + EVP_CIPHER_CTX_free(ctx); + *out_len += 16; +#else +#error Please use a newer version of OpenSSL (>= 1.1.0) +#endif +#elif defined(HAVE_GCRYPT) +#if defined(GCRYPT_VERSION_NUMBER) && (GCRYPT_VERSION_NUMBER >= 0x010700) + gcry_cipher_hd_t hd; + if (gcry_cipher_open(&hd, GCRY_CIPHER_CHACHA20, GCRY_CIPHER_MODE_POLY1305, 0)) { + debug_info("gcry_cipher_open() failed"); + return; + } + gcry_cipher_setkey(hd, key, 32); + gcry_cipher_setiv(hd, nonce, 12); + gcry_cipher_authenticate(hd, ad, ad_len); + *out_len = in_len + 16; + if (gcry_cipher_encrypt(hd, out, *out_len, in, in_len)) { + *out_len = 0; + } + gcry_cipher_gettag(hd, out+in_len, 16); + gcry_cipher_close(hd); +#else +#error Please use a newer version of libgcrypt (>= 1.7.0) +#endif +#elif defined (HAVE_MBEDTLS) + mbedtls_chachapoly_context ctx; + mbedtls_chachapoly_init(&ctx); + mbedtls_chachapoly_setkey(&ctx, key); + if (mbedtls_chachapoly_encrypt_and_tag(&ctx, in_len, nonce, ad, ad_len, in, out, out+in_len) != 0) { + *out_len = 0; + } + mbedtls_chachapoly_free(&ctx); +#else +#error chacha20_poly1305_encrypt_96 is not implemented +#endif +} + +static void chacha20_poly1305_encrypt_64(unsigned char* key, unsigned char* nonce, unsigned char* ad, size_t ad_len, unsigned char* in, size_t in_len, unsigned char* out, size_t* out_len) +{ + unsigned char _nonce[12]; + *(uint32_t*)(&_nonce[0]) = 0; + memcpy(&_nonce[4], nonce, 8); + chacha20_poly1305_encrypt_96(key, _nonce, ad, ad_len, in, in_len, out, out_len); +} + +static void chacha20_poly1305_decrypt_96(unsigned char* key, unsigned char* nonce, unsigned char* ad, size_t ad_len, unsigned char* in, size_t in_len, unsigned char* out, size_t* out_len) +{ +#if defined(HAVE_OPENSSL) +#if defined(LIBRESSL_VERSION_NUMBER) +#if (LIBRESSL_VERSION_NUMBER >= 0x2040000fL) + const EVP_AEAD *aead = EVP_aead_chacha20_poly1305(); + EVP_AEAD_CTX ctx; + EVP_AEAD_CTX_init(&ctx, aead, key, EVP_AEAD_key_length(aead), EVP_AEAD_DEFAULT_TAG_LENGTH, NULL); + EVP_AEAD_CTX_open(&ctx, out, out_len, *out_len, nonce, 12, in, in_len, ad, ad_len); +#else + unsigned char mac[16]; + unsigned char poly1305_key[32]; + poly1305_state poly1305; + size_t plaintext_len = in_len - 16; + uint64_t ctr = (uint64_t)(nonce[0] | nonce[1] << 8 | nonce[2] << 16 | nonce[3] << 24) << 32; + const unsigned char *iv = nonce + 4; + + memset(poly1305_key, 0, sizeof(poly1305_key)); + CRYPTO_chacha_20(poly1305_key, poly1305_key, sizeof(poly1305_key), key, iv, ctr); + + CRYPTO_poly1305_init(&poly1305, poly1305_key); + poly1305_update_with_pad16(&poly1305, ad, ad_len); + poly1305_update_with_pad16(&poly1305, in, plaintext_len); + poly1305_update_with_length(&poly1305, NULL, ad_len); + poly1305_update_with_length(&poly1305, NULL, plaintext_len); + + CRYPTO_poly1305_finish(&poly1305, mac); + + if (memcmp(mac, in + plaintext_len, 16) != 0) { + *out_len = 0; + return; + } + + CRYPTO_chacha_20(out, in, plaintext_len, key, iv, ctr + 1); + *out_len = plaintext_len; +#endif +#elif defined(OPENSSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x10100000L) + int outl = 0; + size_t plaintext_len = in_len - 16; + EVP_CIPHER_CTX* ctx = EVP_CIPHER_CTX_new(); + EVP_DecryptInit_ex(ctx, EVP_chacha20_poly1305(), NULL, key, nonce); + EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_AEAD_SET_TAG, 16, in + plaintext_len); + EVP_DecryptUpdate(ctx, out, &outl, in, plaintext_len); + *out_len = outl; + outl = 0; + if (EVP_DecryptFinal_ex(ctx, out + *out_len, &outl) == 1) { + *out_len += outl; + } else { + *out_len = 0; + } + EVP_CIPHER_CTX_free(ctx); +#else +#error Please use a newer version of OpenSSL (>= 1.1.0) +#endif +#elif defined(HAVE_GCRYPT) +#if defined(GCRYPT_VERSION_NUMBER) && (GCRYPT_VERSION_NUMBER >= 0x010700) + gcry_cipher_hd_t hd; + if (gcry_cipher_open(&hd, GCRY_CIPHER_CHACHA20, GCRY_CIPHER_MODE_POLY1305, 0)) { + debug_info("gcry_cipher_open() failed"); + return; + } + gcry_cipher_setkey(hd, key, 32); + gcry_cipher_setiv(hd, nonce, 12); + gcry_cipher_authenticate(hd, ad, ad_len); + unsigned int plaintext_len = in_len - 16; + gcry_cipher_decrypt(hd, out, *out_len, in, plaintext_len); + if (gcry_cipher_checktag(hd, in + plaintext_len, 16) == 0) { + *out_len = plaintext_len; + } else { + *out_len = 0; + } + gcry_cipher_close(hd); +#else +#error Please use a newer version of libgcrypt (>= 1.7.0) +#endif +#elif defined(HAVE_MBEDTLS) + mbedtls_chachapoly_context ctx; + mbedtls_chachapoly_init(&ctx); + mbedtls_chachapoly_setkey(&ctx, key); + unsigned int plaintext_len = in_len - 16; + if (mbedtls_chachapoly_auth_decrypt(&ctx, plaintext_len, nonce, ad, ad_len, in + plaintext_len, in, out) == 0) { + *out_len = plaintext_len; + } else { + *out_len = 0; + } + mbedtls_chachapoly_free(&ctx); +#else +#error chacha20_poly1305_decrypt_96 is not implemented +#endif +} + +static void chacha20_poly1305_decrypt_64(unsigned char* key, unsigned char* nonce, unsigned char* ad, size_t ad_len, unsigned char* in, size_t in_len, unsigned char* out, size_t* out_len) +{ + unsigned char _nonce[12]; + *(uint32_t*)(&_nonce[0]) = 0; + memcpy(&_nonce[4], nonce, 8); + chacha20_poly1305_decrypt_96(key, _nonce, ad, ad_len, in, in_len, out, out_len); +} +/* }}} */ + +#define PAIRING_ERROR(x) \ + debug_info(x); \ + if (pairing_callback) { \ + pairing_callback(LOCKDOWN_CU_PAIRING_ERROR, cb_user_data, (char*)x, NULL); \ + } + +#define PAIRING_ERROR_FMT(...) \ + sprintf(tmp, __VA_ARGS__); \ + debug_info(tmp); \ + if (pairing_callback) { \ + pairing_callback(LOCKDOWN_CU_PAIRING_ERROR, cb_user_data, tmp, NULL); \ + } + +#endif /* HAVE_WIRELESS_PAIRING */ + +LIBIMOBILEDEVICE_API lockdownd_error_t lockdownd_cu_pairing_create(lockdownd_client_t client, lockdownd_cu_pairing_cb_t pairing_callback, void* cb_user_data, plist_t host_info, plist_t acl) +{ +#ifdef HAVE_WIRELESS_PAIRING + if (!client || !pairing_callback || (host_info && plist_get_node_type(host_info) != PLIST_DICT) || (acl && plist_get_node_type(acl) != PLIST_DICT)) + return LOCKDOWN_E_INVALID_ARG; + + lockdownd_error_t ret = LOCKDOWN_E_UNKNOWN_ERROR; + + if (client->device && client->device->version == 0) { + plist_t p_version = NULL; + if (lockdownd_get_value(client, NULL, "ProductVersion", &p_version) == LOCKDOWN_E_SUCCESS) { + int vers[3] = {0, 0, 0}; + char *s_version = NULL; + plist_get_string_val(p_version, &s_version); + if (s_version && sscanf(s_version, "%d.%d.%d", &vers[0], &vers[1], &vers[2]) >= 2) { + client->device->version = DEVICE_VERSION(vers[0], vers[1], vers[2]); + } + free(s_version); + } + plist_free(p_version); + } + + char* pairing_uuid = NULL; + if (host_info) { + plist_t accountid = plist_dict_get_item(host_info, "accountID"); + if (accountid && plist_get_node_type(accountid) == PLIST_STRING) { + plist_get_string_val(accountid, &pairing_uuid); + } + } + if (!pairing_uuid) { + userpref_read_system_buid(&pairing_uuid); + } + if (!pairing_uuid) { + pairing_uuid = generate_uuid(); + } + unsigned int pairing_uuid_len = strlen(pairing_uuid); + + SRP_initialize_library(); + + SRP* srp = SRP_new(SRP6a_sha512_client_method()); + if (!srp) { + PAIRING_ERROR("Failed to initialize SRP") + return LOCKDOWN_E_UNKNOWN_ERROR; + } + + char tmp[256]; + plist_t dict = NULL; + uint8_t current_state = 0; + uint8_t final_state = 6; + + unsigned char* salt = NULL; + unsigned int salt_size = 0; + unsigned char* pubkey = NULL; + unsigned int pubkey_size = 0; + + unsigned char setup_encryption_key[32]; + + cstr *thekey = NULL; + + do { + current_state++; + + dict = plist_new_dict(); + plist_dict_set_item(dict, "Request", plist_new_string("CUPairingCreate")); + if (current_state == 1) { + plist_dict_set_item(dict, "Flags", plist_new_uint(1)); + } else { + plist_dict_set_item(dict, "Flags", plist_new_uint(0)); + } + + tlv_buf_t tlv = tlv_buf_new(); + + if (current_state == 1) { + /* send method */ + tlv_buf_append(tlv, 0x00, 1, (void*)"\x00"); // 0x00 (Method), 1 bytes, 00 + } else if (current_state == 3) { + /* generate public key */ + cstr* own_pub = NULL; + SRP_gen_pub(srp, &own_pub); + + if (!own_pub) { + PAIRING_ERROR("[SRP] Failed to generate public key") + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } + + /* compute key from remote's public key */ + if (SRP_compute_key(srp, &thekey, pubkey, pubkey_size) != 0) { + cstr_free(own_pub); + PAIRING_ERROR("[SRP] Failed to compute key") + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } + + /* compute response */ + cstr *response = NULL; + SRP_respond(srp, &response); + + /* send our public key + response */ + tlv_buf_append(tlv, 0x03, own_pub->length, own_pub->data); + tlv_buf_append(tlv, 0x04, response->length, response->data); + cstr_free(response); + cstr_free(own_pub); + } else if (current_state == 5) { + /* send encrypted info */ + + static const char PAIR_SETUP_ENCRYPT_SALT[] = "Pair-Setup-Encrypt-Salt"; + static const char PAIR_SETUP_ENCRYPT_INFO[] = "Pair-Setup-Encrypt-Info"; + static const char PAIR_SETUP_CONTROLLER_SIGN_SALT[] = "Pair-Setup-Controller-Sign-Salt"; + static const char PAIR_SETUP_CONTROLLER_SIGN_INFO[] = "Pair-Setup-Controller-Sign-Info"; + + // HKDF with above computed key (SRP_compute_key) + Pair-Setup-Encrypt-Salt + Pair-Setup-Encrypt-Info + // result used as key for chacha20-poly1305 + unsigned int setup_encryption_key_len = sizeof(setup_encryption_key); + hkdf_md(MD_ALGO_SHA512, (unsigned char*)PAIR_SETUP_ENCRYPT_SALT, sizeof(PAIR_SETUP_ENCRYPT_SALT)-1, (unsigned char*)PAIR_SETUP_ENCRYPT_INFO, sizeof(PAIR_SETUP_ENCRYPT_INFO)-1, (unsigned char*)thekey->data, thekey->length, setup_encryption_key, &setup_encryption_key_len); + + unsigned char ed25519_pubkey[32]; + unsigned char ed25519_privkey[64]; + unsigned char ed25519seed[32]; + ed25519_create_seed(ed25519seed); + + ed25519_create_keypair(ed25519_pubkey, ed25519_privkey, ed25519seed); + + unsigned int signbuf_len = pairing_uuid_len + 64; + unsigned char* signbuf = malloc(signbuf_len); + unsigned int hkdf_len = 32; + // HKDF with above computed key (SRP_compute_key) + Pair-Setup-Controller-Sign-Salt + Pair-Setup-Controller-Sign-Info + hkdf_md(MD_ALGO_SHA512, (unsigned char*)PAIR_SETUP_CONTROLLER_SIGN_SALT, sizeof(PAIR_SETUP_CONTROLLER_SIGN_SALT)-1, (unsigned char*)PAIR_SETUP_CONTROLLER_SIGN_INFO, sizeof(PAIR_SETUP_CONTROLLER_SIGN_INFO)-1, (unsigned char*)thekey->data, thekey->length, signbuf, &hkdf_len); + + memcpy(signbuf + 32, pairing_uuid, pairing_uuid_len); + memcpy(signbuf + 32 + pairing_uuid_len, ed25519_pubkey, 32); + + unsigned char ed_sig[64]; + ed25519_sign(ed_sig, signbuf, 0x64, ed25519_pubkey, ed25519_privkey); + + tlv_buf_t tlvbuf = tlv_buf_new(); + tlv_buf_append(tlvbuf, 0x01, pairing_uuid_len, (void*)pairing_uuid); + tlv_buf_append(tlvbuf, 0x03, sizeof(ed25519_pubkey), ed25519_pubkey); + tlv_buf_append(tlvbuf, 0x0a, sizeof(ed_sig), ed_sig); + + /* ACL */ + unsigned char* odata = NULL; + unsigned int olen = 0; + if (acl) { + opack_encode_from_plist(acl, &odata, &olen); + } else { + /* defaut ACL */ + plist_t acl_plist = plist_new_dict(); + plist_dict_set_item(acl_plist, "com.apple.ScreenCapture", plist_new_bool(1)); + plist_dict_set_item(acl_plist, "com.apple.developer", plist_new_bool(1)); + opack_encode_from_plist(acl_plist, &odata, &olen); + plist_free(acl_plist); + } + tlv_buf_append(tlvbuf, 0x12, olen, odata); + free(odata); + + /* HOST INFORMATION */ + char hostname[256]; +#ifdef __APPLE__ + CFStringRef cname = SCDynamicStoreCopyComputerName(NULL, NULL); + CFStringGetCString(cname, hostname, sizeof(hostname), kCFStringEncodingUTF8); + CFRelease(cname); +#else +#ifdef WIN32 + DWORD hostname_len = sizeof(hostname); + GetComputerName(hostname, &hostname_len); +#else + gethostname(hostname, sizeof(hostname)); +#endif +#endif + + char modelname[256]; + modelname[0] = '\0'; +#ifdef __APPLE__ + size_t len = sizeof(modelname); + sysctlbyname("hw.model", &modelname, &len, NULL, 0); +#endif + if (strlen(modelname) == 0) { + strcpy(modelname, "HackbookPro13,37"); + } + + unsigned char primary_mac_addr[6] = { 0, 0, 0, 0, 0, 0 }; + if (get_primary_mac_address(primary_mac_addr) != 0) { + debug_info("Failed to get primary mac address"); + } + debug_info("Primary mac address: %02x:%02x:%02x:%02x:%02x:%02x\n", primary_mac_addr[0], primary_mac_addr[1], primary_mac_addr[2], primary_mac_addr[3], primary_mac_addr[4], primary_mac_addr[5]); + + // "OPACK" encoded device info + plist_t info_plist = plist_new_dict(); + //plist_dict_set_item(info_plist, "altIRK", plist_new_data((char*)altIRK, 16)); + plist_dict_set_item(info_plist, "accountID", plist_new_string(pairing_uuid)); + plist_dict_set_item(info_plist, "model", plist_new_string(modelname)); + plist_dict_set_item(info_plist, "name", plist_new_string(hostname)); + plist_dict_set_item(info_plist, "mac", plist_new_data((char*)primary_mac_addr, 6)); + if (host_info) { + plist_dict_merge(&info_plist, host_info); + } + opack_encode_from_plist(info_plist, &odata, &olen); + plist_free(info_plist); + tlv_buf_append(tlvbuf, 0x11, olen, odata); + free(odata); + + size_t encrypted_len = tlvbuf->length + 16; + unsigned char* encrypted_buf = (unsigned char*)malloc(encrypted_len); + + chacha20_poly1305_encrypt_64(setup_encryption_key, (unsigned char*)"PS-Msg05", NULL, 0, tlvbuf->data, tlvbuf->length, encrypted_buf, &encrypted_len); + + tlv_buf_free(tlvbuf); + + tlv_buf_append(tlv, 0x05, encrypted_len, encrypted_buf); + free(encrypted_buf); + } else { + tlv_buf_free(tlv); + PAIRING_ERROR("[SRP] Invalid state"); + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } + tlv_buf_append(tlv, 0x06, 1, ¤t_state); + plist_dict_set_item(dict, "Payload", plist_new_data((char*)tlv->data, tlv->length)); + tlv_buf_free(tlv); + + plist_dict_set_item(dict, "Label", plist_new_string(client->label)); + plist_dict_set_item(dict, "ProtocolVersion", plist_new_uint(2)); + + ret = lockdownd_send(client, dict); + plist_free(dict); + dict = NULL; + + if (ret != LOCKDOWN_E_SUCCESS) { + break; + } + + current_state++; + + ret = lockdownd_receive(client, &dict); + if (ret != LOCKDOWN_E_SUCCESS) { + break; + } + ret = lockdown_check_result(dict, "CUPairingCreate"); + if (ret != LOCKDOWN_E_SUCCESS) { + break; + } + + plist_t extresp = plist_dict_get_item(dict, "ExtendedResponse"); + if (!extresp) { + ret = LOCKDOWN_E_PLIST_ERROR; + break; + } + plist_t blob = plist_dict_get_item(extresp, "Payload"); + if (!blob) { + ret = LOCKDOWN_E_PLIST_ERROR; + break; + } + uint64_t data_len = 0; + const char* data = plist_get_data_ptr(blob, &data_len); + + uint8_t state = 0; + if (!tlv_data_get_uint8(data, data_len, 0x06, &state)) { + PAIRING_ERROR("[SRP] ERROR: Could not find state in response"); + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } + if (state != current_state) { + PAIRING_ERROR_FMT("[SRP] ERROR: Unexpected state %d, expected %d", state, current_state); + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } + + unsigned int errval = 0; + uint64_t u64val = 0; + tlv_data_get_uint(data, data_len, 0x07, &u64val); +debug_buffer(data, data_len); + errval = (unsigned int)u64val; + if (errval > 0) { + if (errval == 3) { + u64val = 0; + tlv_data_get_uint(data, data_len, 0x08, &u64val); + if (u64val > 0) { + uint32_t retry_delay = (uint32_t)u64val; + PAIRING_ERROR_FMT("[SRP] Pairing is blocked for another %u seconds", retry_delay) + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } + } else if (errval == 2 && state == 4) { + PAIRING_ERROR_FMT("[SRP] Invalid PIN") + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } else { + PAIRING_ERROR_FMT("[SRP] Received error %u in state %d.", errval, state); + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } + } + + if (state == 2) { + /* receive salt and public key */ + if (!tlv_data_copy_data(data, data_len, 0x02, (void**)&salt, &salt_size)) { + PAIRING_ERROR("[SRP] ERROR: Could not find salt in response"); + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } + if (!tlv_data_copy_data(data, data_len, 0x03, (void**)&pubkey, &pubkey_size)) { + PAIRING_ERROR("[SRP] ERROR: Could not find public key in response"); + + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } + + const char PAIR_SETUP[] = "Pair-Setup"; + if (SRP_set_user_raw(srp, (const unsigned char*)PAIR_SETUP, sizeof(PAIR_SETUP)-1) != 0) { + PAIRING_ERROR("[SRP] Failed to set SRP user"); + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } + + /* kSRPParameters_3072_SHA512 */ + if (SRP_set_params(srp, kSRPModulus3072, sizeof(kSRPModulus3072), &kSRPGenerator5, 1, salt, salt_size) != 0) { + PAIRING_ERROR("[SRP] Failed to set SRP parameters"); + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + + } + + if (pairing_callback) { + char pin[64]; + unsigned int pin_len = sizeof(pin); + pairing_callback(LOCKDOWN_CU_PAIRING_PIN_REQUESTED, cb_user_data, pin, &pin_len); + + SRP_set_auth_password_raw(srp, (const unsigned char*)pin, pin_len); + } + } else if (state == 4) { + /* receive proof */ + unsigned char* proof = NULL; + unsigned int proof_len = 0; + + if (!tlv_data_copy_data(data, data_len, 0x04, (void**)&proof, &proof_len)) { + PAIRING_ERROR("[SRP] ERROR: Could not find proof data in response"); + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } + + /* verify */ + int vrfy_result = SRP_verify(srp, proof, proof_len); + free(proof); + + if (vrfy_result == 0) { + debug_info("[SRP] PIN verified successfully"); + } else { + PAIRING_ERROR("[SRP] PIN verification failure"); + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } + + } else if (state == 6) { + int srp_pair_success = 0; + plist_t node = plist_dict_get_item(extresp, "doSRPPair"); + if (node) { + const char* strv = plist_get_string_ptr(node, NULL); + if (strcmp(strv, "succeed") == 0) { + srp_pair_success = 1; + } + } + if (!srp_pair_success) { + PAIRING_ERROR("SRP Pairing failed"); + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } + + /* receive encrypted info */ + unsigned char* encrypted_buf = NULL; + unsigned int enc_len = 0; + if (!tlv_data_copy_data(data, data_len, 0x05, (void**)&encrypted_buf, &enc_len)) { + PAIRING_ERROR("[SRP] ERROR: Could not find encrypted data in response"); + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } + size_t plain_len = enc_len-16; + unsigned char* plain_buf = malloc(plain_len); + chacha20_poly1305_decrypt_64(setup_encryption_key, (unsigned char*)"PS-Msg06", NULL, 0, encrypted_buf, enc_len, plain_buf, &plain_len); + free(encrypted_buf); + + unsigned char* dev_info = NULL; + unsigned int dev_info_len = 0; + int res = tlv_data_copy_data(plain_buf, plain_len, 0x11, (void**)&dev_info, &dev_info_len); + free(plain_buf); + if (!res) { + PAIRING_ERROR("[SRP] ERROR: Failed to locate device info in response"); + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } + plist_t device_info = NULL; + opack_decode_to_plist(dev_info, dev_info_len, &device_info); + free(dev_info); + + if (!device_info) { + PAIRING_ERROR("[SRP] ERROR: Failed to parse device info"); + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } + + if (pairing_callback) { + pairing_callback(LOCKDOWN_CU_PAIRING_DEVICE_INFO, cb_user_data, device_info, NULL); + } + plist_free(device_info); + } else { + PAIRING_ERROR("[SRP] ERROR: Invalid state"); + ret = LOCKDOWN_E_PAIRING_FAILED; + break; + } + plist_free(dict); + dict = NULL; + + } while (current_state != final_state); + + plist_free(dict); + + free(salt); + free(pubkey); + + SRP_free(srp); + srp = NULL; + + if (ret != LOCKDOWN_E_SUCCESS) { + if (thekey) { + cstr_free(thekey); + } + return ret; + } + + free(client->cu_key); + client->cu_key = malloc(thekey->length); + memcpy(client->cu_key, thekey->data, thekey->length); + client->cu_key_len = thekey->length; + cstr_free(thekey); + + return LOCKDOWN_E_SUCCESS; +#else + debug_info("not supported"); + return LOCKDOWN_E_UNKNOWN_ERROR; +#endif +} + +LIBIMOBILEDEVICE_API lockdownd_error_t lockdownd_cu_send_request_and_get_reply(lockdownd_client_t client, const char* request, plist_t request_payload, plist_t* reply) +{ +#ifdef HAVE_WIRELESS_PAIRING + if (!client || !request) + return LOCKDOWN_E_INVALID_ARG; + + if (!client->cu_key) + return LOCKDOWN_E_NO_RUNNING_SESSION; + + lockdownd_error_t ret = LOCKDOWN_E_UNKNOWN_ERROR; + + /* derive keys */ + unsigned char cu_write_key[32]; + unsigned int cu_write_key_len = sizeof(cu_write_key); + static const char WRITE_KEY_SALT_MDLD[] = "WriteKeySaltMDLD"; + static const char WRITE_KEY_INFO_MDLD[] = "WriteKeyInfoMDLD"; + hkdf_md(MD_ALGO_SHA512, (unsigned char*)WRITE_KEY_SALT_MDLD, sizeof(WRITE_KEY_SALT_MDLD)-1, (unsigned char*)WRITE_KEY_INFO_MDLD, sizeof(WRITE_KEY_INFO_MDLD)-1, client->cu_key, client->cu_key_len, cu_write_key, &cu_write_key_len); + + unsigned char cu_read_key[32]; + unsigned int cu_read_key_len = sizeof(cu_write_key); + static const char READ_KEY_SALT_MDLD[] = "ReadKeySaltMDLD"; + static const char READ_KEY_INFO_MDLD[] = "ReadKeyInfoMDLD"; + hkdf_md(MD_ALGO_SHA512, (unsigned char*)READ_KEY_SALT_MDLD, sizeof(READ_KEY_SALT_MDLD)-1, (unsigned char*)READ_KEY_INFO_MDLD, sizeof(READ_KEY_INFO_MDLD)-1, client->cu_key, client->cu_key_len, cu_read_key, &cu_read_key_len); + + // Starting with iOS/tvOS 11.2 and WatchOS 4.2, this nonce is random and sent along with the request. Before, the request doesn't have a nonce and it uses hardcoded nonce "sendone01234". + unsigned char cu_nonce[12] = "sendone01234"; // guaranteed to be random by fair dice troll + if (client->device->version >= DEVICE_VERSION(11,2,0)) { +#if defined(HAVE_OPENSSL) + RAND_bytes(cu_nonce, sizeof(cu_nonce)); +#elif defined(HAVE_GCRYPT) + gcry_create_nonce(cu_nonce, sizeof(cu_nonce)); +#endif + } + + debug_plist(request_payload); + + /* convert request payload to binary */ + uint32_t bin_len = 0; + char* bin = NULL; + plist_to_bin(request_payload, &bin, &bin_len); + + /* encrypt request */ + size_t encrypted_len = bin_len + 16; + unsigned char* encrypted_buf = malloc(encrypted_len); + chacha20_poly1305_encrypt_96(cu_write_key, cu_nonce, NULL, 0, (unsigned char*)bin, bin_len, encrypted_buf, &encrypted_len); + free(bin); + bin = NULL; + + plist_t dict = plist_new_dict(); + plist_dict_set_item(dict,"Request", plist_new_string(request)); + plist_dict_set_item(dict, "Payload", plist_new_data((char*)encrypted_buf, encrypted_len)); + free(encrypted_buf); + plist_dict_set_item(dict, "Nonce", plist_new_data((char*)cu_nonce, sizeof(cu_nonce))); + plist_dict_set_item(dict, "Label", plist_new_string(client->label)); + plist_dict_set_item(dict, "ProtocolVersion", plist_new_uint(2)); + + /* send to device */ + ret = lockdownd_send(client, dict); + plist_free(dict); + dict = NULL; + + if (ret != LOCKDOWN_E_SUCCESS) + return ret; + + /* Now get device's answer */ + ret = lockdownd_receive(client, &dict); + if (ret != LOCKDOWN_E_SUCCESS) + return ret; + + ret = lockdown_check_result(dict, request); + if (ret != LOCKDOWN_E_SUCCESS) { + plist_free(dict); + return ret; + } + + /* get payload */ + plist_t blob = plist_dict_get_item(dict, "Payload"); + if (!blob) { + plist_free(dict); + return LOCKDOWN_E_DICT_ERROR; + } + + uint64_t dl = 0; + const char* dt = plist_get_data_ptr(blob, &dl); + + /* see if we have a nonce */ + blob = plist_dict_get_item(dict, "Nonce"); + const unsigned char* rnonce = (unsigned char*)"receiveone01"; + if (blob) { + uint64_t rl = 0; + rnonce = (const unsigned char*)plist_get_data_ptr(blob, &rl); + } + + /* decrypt payload */ + size_t decrypted_len = dl-16; + unsigned char* decrypted = malloc(decrypted_len); + chacha20_poly1305_decrypt_96(cu_read_key, (unsigned char*)rnonce, NULL, 0, (unsigned char*)dt, dl, decrypted, &decrypted_len); + plist_free(dict); + dict = NULL; + + plist_from_memory((const char*)decrypted, decrypted_len, &dict); + if (!dict) { + ret = LOCKDOWN_E_PLIST_ERROR; + debug_info("Failed to parse PLIST from decrypted payload:"); + debug_buffer((const char*)decrypted, decrypted_len); + free(decrypted); + return ret; + } + free(decrypted); + + debug_plist(dict); + + if (reply) { + *reply = dict; + } else { + plist_free(dict); + } + + return LOCKDOWN_E_SUCCESS; +#else + debug_info("not supported"); + return LOCKDOWN_E_UNKNOWN_ERROR; +#endif +} + +LIBIMOBILEDEVICE_API lockdownd_error_t lockdownd_get_value_cu(lockdownd_client_t client, const char* domain, const char* key, plist_t* value) +{ +#ifdef HAVE_WIRELESS_PAIRING + if (!client) + return LOCKDOWN_E_INVALID_ARG; + + if (!client->cu_key) + return LOCKDOWN_E_NO_RUNNING_SESSION; + + lockdownd_error_t ret = LOCKDOWN_E_UNKNOWN_ERROR; + + plist_t request = plist_new_dict(); + if (domain) { + plist_dict_set_item(request, "Domain", plist_new_string(domain)); + } + if (key) { + plist_dict_set_item(request, "Key", plist_new_string(key)); + } + + plist_t reply = NULL; + ret = lockdownd_cu_send_request_and_get_reply(client, "GetValueCU", request, &reply); + plist_free(request); + if (ret != LOCKDOWN_E_SUCCESS) { + return ret; + } + + plist_t value_node = plist_dict_get_item(reply, "Value"); + if (value_node) { + debug_info("has a value"); + *value = plist_copy(value_node); + } + plist_free(reply); + + return ret; +#else + debug_info("not supported"); + return LOCKDOWN_E_UNKNOWN_ERROR; +#endif +} + +LIBIMOBILEDEVICE_API lockdownd_error_t lockdownd_pair_cu(lockdownd_client_t client) +{ +#ifdef HAVE_WIRELESS_PAIRING + if (!client) + return LOCKDOWN_E_INVALID_ARG; + + if (!client->cu_key) + return LOCKDOWN_E_NO_RUNNING_SESSION; + + lockdownd_error_t ret; + + plist_t wifi_mac = NULL; + ret = lockdownd_get_value_cu(client, NULL, "WiFiAddress", &wifi_mac); + if (ret != LOCKDOWN_E_SUCCESS) { + return ret; + } + + plist_t pubkey = NULL; + ret = lockdownd_get_value_cu(client, NULL, "DevicePublicKey", &pubkey); + if (ret != LOCKDOWN_E_SUCCESS) { + plist_free(wifi_mac); + return ret; + } + + key_data_t public_key = { NULL, 0 }; + uint64_t data_len = 0; + plist_get_data_val(pubkey, (char**)&public_key.data, &data_len); + public_key.size = (unsigned int)data_len; + plist_free(pubkey); + + plist_t pair_record_plist = plist_new_dict(); + pair_record_generate_keys_and_certs(pair_record_plist, public_key); + + char* host_id = NULL; + char* system_buid = NULL; + + /* set SystemBUID */ + userpref_read_system_buid(&system_buid); + if (system_buid) { + plist_dict_set_item(pair_record_plist, USERPREF_SYSTEM_BUID_KEY, plist_new_string(system_buid)); + free(system_buid); + } + + /* set HostID */ + host_id = generate_uuid(); + pair_record_set_host_id(pair_record_plist, host_id); + free(host_id); + + plist_t request_pair_record = plist_copy(pair_record_plist); + /* remove stuff that is private */ + plist_dict_remove_item(request_pair_record, USERPREF_ROOT_PRIVATE_KEY_KEY); + plist_dict_remove_item(request_pair_record, USERPREF_HOST_PRIVATE_KEY_KEY); + + plist_t request = plist_new_dict(); + plist_dict_set_item(request, "PairRecord", request_pair_record); + plist_t pairing_opts = plist_new_dict(); + plist_dict_set_item(pairing_opts, "ExtendedPairingErrors", plist_new_bool(1)); + plist_dict_set_item(request, "PairingOptions", pairing_opts); + + plist_t reply = NULL; + ret = lockdownd_cu_send_request_and_get_reply(client, "PairCU", request, &reply); + plist_free(request); + if (ret != LOCKDOWN_E_SUCCESS) { + plist_free(wifi_mac); + return ret; + } + + char *s_udid = NULL; + plist_t p_udid = plist_dict_get_item(reply, "UDID"); + if (p_udid) { + plist_get_string_val(p_udid, &s_udid); + } + plist_t ebag = plist_dict_get_item(reply, "EscrowBag"); + if (ebag) { + plist_dict_set_item(pair_record_plist, USERPREF_ESCROW_BAG_KEY, plist_copy(ebag)); + } + plist_dict_set_item(pair_record_plist, USERPREF_WIFI_MAC_ADDRESS_KEY, wifi_mac); + plist_free(reply); + + if (userpref_save_pair_record(s_udid, 0, pair_record_plist) != 0) { + printf("Failed to save pair record for UDID %s\n", s_udid); + } + free(s_udid); + s_udid = NULL; + plist_free(pair_record_plist); + + ret = LOCKDOWN_E_SUCCESS; + + return ret; +#else + debug_info("not supported"); + return LOCKDOWN_E_UNKNOWN_ERROR; +#endif +} diff --git a/src/lockdown.c b/src/lockdown.c index 70db834..1786536 100644 --- a/src/lockdown.c +++ b/src/lockdown.c @@ -152,7 +152,7 @@ static lockdownd_error_t lockdownd_error(property_list_service_error_t err) * LOCKDOWN_E_UNKNOWN_ERROR when the result is 'Failure', * or a specific error code if derieved from the result. */ -static lockdownd_error_t lockdown_check_result(plist_t dict, const char *query_match) +lockdownd_error_t lockdown_check_result(plist_t dict, const char *query_match) { lockdownd_error_t ret = LOCKDOWN_E_UNKNOWN_ERROR; @@ -314,6 +314,10 @@ static lockdownd_error_t lockdownd_client_free_simple(lockdownd_client_t client) if (client->label) { free(client->label); } + if (client->cu_key) { + free(client->cu_key); + client->cu_key = NULL; + } free(client); client = NULL; @@ -641,8 +645,12 @@ LIBIMOBILEDEVICE_API lockdownd_error_t lockdownd_client_new(idevice_t device, lo client_loc->ssl_enabled = 0; client_loc->session_id = NULL; client_loc->device = device; + client_loc->cu_key = NULL; + client_loc->cu_key_len = 0; - debug_info("device udid: %s", device->udid); + if (device->udid) { + debug_info("device udid: %s", device->udid); + } client_loc->label = label ? strdup(label) : NULL; diff --git a/src/lockdown.h b/src/lockdown.h index 0091f1d..bcd4717 100644 --- a/src/lockdown.h +++ b/src/lockdown.h @@ -34,6 +34,10 @@ struct lockdownd_client_private { char *session_id; char *label; idevice_t device; + unsigned char* cu_key; + unsigned int cu_key_len; }; +lockdownd_error_t lockdown_check_result(plist_t dict, const char *query_match); + #endif diff --git a/tools/idevicepair.c b/tools/idevicepair.c index 0dcd45f..a2dc944 100644 --- a/tools/idevicepair.c +++ b/tools/idevicepair.c @@ -2,7 +2,7 @@ * idevicepair.c * Manage pairings with devices and this host * - * Copyright (c) 2010-2019 Nikias Bassen, All Rights Reserved. + * Copyright (c) 2010-2021 Nikias Bassen, All Rights Reserved. * Copyright (c) 2014 Martin Szulecki, All Rights Reserved. * * This library is free software; you can redistribute it and/or @@ -30,16 +30,88 @@ #include #include #include -#ifndef WIN32 +#include +#include +#ifdef WIN32 +#include +#include +#else +#include #include #endif + #include "common/userpref.h" +#include #include #include +#include static char *udid = NULL; +#ifdef HAVE_WIRELESS_PAIRING + +#ifdef WIN32 +#define BS_CC '\b' +#define my_getch getch +#else +#define BS_CC 0x7f +static int my_getch(void) +{ + struct termios oldt, newt; + int ch; + tcgetattr(STDIN_FILENO, &oldt); + newt = oldt; + newt.c_lflag &= ~(ICANON | ECHO); + tcsetattr(STDIN_FILENO, TCSANOW, &newt); + ch = getchar(); + tcsetattr(STDIN_FILENO, TCSANOW, &oldt); + return ch; +} +#endif + +static int get_hidden_input(char *buf, int maxlen) +{ + int pwlen = 0; + int c; + + while ((c = my_getch())) { + if ((c == '\r') || (c == '\n')) { + break; + } else if (isprint(c)) { + if (pwlen < maxlen-1) + buf[pwlen++] = c; + fputc('*', stderr); + } else if (c == BS_CC) { + if (pwlen > 0) { + fputs("\b \b", stderr); + pwlen--; + } + } + } + buf[pwlen] = 0; + return pwlen; +} + +static void pairing_cb(lockdownd_cu_pairing_cb_type_t cb_type, void *user_data, void* data_ptr, unsigned int* data_size) +{ + if (cb_type == LOCKDOWN_CU_PAIRING_PIN_REQUESTED) { + printf("Enter PIN: "); + fflush(stdout); + + *data_size = get_hidden_input((char*)data_ptr, *data_size); + + printf("\n"); + } else if (cb_type == LOCKDOWN_CU_PAIRING_DEVICE_INFO) { + printf("Device info:\n"); + plist_print_to_stream_with_indentation((plist_t)data_ptr, stdout, 2); + } else if (cb_type == LOCKDOWN_CU_PAIRING_ERROR) { + printf("ERROR: %s\n", (data_ptr) ? (char*)data_ptr : "(unknown)"); + } +} + +#endif /* HAVE_WIRELESS_PAIRING */ + static void print_error_message(lockdownd_error_t err) { switch (err) { @@ -56,6 +128,16 @@ static void print_error_message(lockdownd_error_t err) case LOCKDOWN_E_USER_DENIED_PAIRING: printf("ERROR: Device %s said that the user denied the trust dialog.\n", udid); break; + case LOCKDOWN_E_PAIRING_FAILED: + printf("ERROR: Pairing with device %s failed.\n", udid); + break; + case LOCKDOWN_E_GET_PROHIBITED: + case LOCKDOWN_E_PAIRING_PROHIBITED_OVER_THIS_CONNECTION: + printf("ERROR: Pairing is not possible over this connection.\n"); +#ifdef HAVE_WIRELESS_PAIRING + printf("To perform a wireless pairing use the -w command line switch. See usage or man page for details.\n"); +#endif + break; default: printf("ERROR: Device %s returned unhandled error code %d\n", udid, err); break; @@ -81,9 +163,20 @@ static void print_usage(int argc, char **argv) printf("\n"); printf("The following OPTIONS are accepted:\n"); printf(" -u, --udid UDID target specific device by UDID\n"); +#ifdef HAVE_WIRELESS_PAIRING + printf(" -w, --wireless perform wireless pairing (see NOTE)\n"); + printf(" -n, --network connect to network device (see NOTE)\n"); +#endif printf(" -d, --debug enable communication debugging\n"); printf(" -h, --help prints usage information\n"); printf(" -v, --version prints version information\n"); +#ifdef HAVE_WIRELESS_PAIRING + printf("\n"); + printf("NOTE: Pairing over network (wireless pairing) is only supported by Apple TV\n"); + printf("devices. To perform a wireless pairing, you need to use the -w command line\n"); + printf("switch. Make sure to put the device into pairing mode first by opening\n"); + printf("Settings > Remotes and Devices > Remote App and Devices.\n"); +#endif printf("\n"); printf("Homepage: <" PACKAGE_URL ">\n"); printf("Bug Reports: <" PACKAGE_BUGREPORT ">\n"); @@ -95,10 +188,20 @@ int main(int argc, char **argv) static struct option longopts[] = { { "help", no_argument, NULL, 'h' }, { "udid", required_argument, NULL, 'u' }, +#ifdef HAVE_WIRELESS_PAIRING + { "wireless", no_argument, NULL, 'w' }, + { "network", no_argument, NULL, 'n' }, + { "hostinfo", required_argument, NULL, 1 }, +#endif { "debug", no_argument, NULL, 'd' }, { "version", no_argument, NULL, 'v' }, { NULL, 0, NULL, 0} }; +#ifdef HAVE_WIRELESS_PAIRING +#define SHORT_OPTIONS "hu:wndv" +#else +#define SHORT_OPTIONS "hu:dv" +#endif lockdownd_client_t client = NULL; idevice_t device = NULL; idevice_error_t ret = IDEVICE_E_UNKNOWN_ERROR; @@ -106,13 +209,18 @@ int main(int argc, char **argv) int result; char *type = NULL; + int use_network = 0; + int wireless_pairing = 0; +#ifdef HAVE_WIRELESS_PAIRING + plist_t host_info_plist = NULL; +#endif char *cmd; typedef enum { OP_NONE = 0, OP_PAIR, OP_VALIDATE, OP_UNPAIR, OP_LIST, OP_HOSTID, OP_SYSTEMBUID } op_t; op_t op = OP_NONE; - while ((c = getopt_long(argc, argv, "hu:dv", longopts, NULL)) != -1) { + while ((c = getopt_long(argc, argv, SHORT_OPTIONS, longopts, NULL)) != -1) { switch (c) { case 'h': print_usage(argc, argv); @@ -127,6 +235,43 @@ int main(int argc, char **argv) free(udid); udid = strdup(optarg); break; +#ifdef HAVE_WIRELESS_PAIRING + case 'w': + wireless_pairing = 1; + break; + case 'n': + use_network = 1; + break; + case 1: + if (!*optarg) { + fprintf(stderr, "ERROR: --hostinfo argument must not be empty!\n"); + result = EXIT_FAILURE; + goto leave; + } + if (*optarg == '@') { + plist_read_from_filename(&host_info_plist, optarg+1); + if (!host_info_plist) { + fprintf(stderr, "ERROR: Could not read from file '%s'\n", optarg+1); + result = EXIT_FAILURE; + goto leave; + } + } +#ifdef HAVE_PLIST_JSON + else if (*optarg == '{') { + if (plist_from_json(optarg, strlen(optarg), &host_info_plist) != PLIST_ERR_SUCCESS) { + fprintf(stderr, "ERROR: --hostinfo argument not valid. Make sure it is a JSON dictionary.\n"); + result = EXIT_FAILURE; + goto leave; + } + } +#endif + else { + fprintf(stderr, "ERROR: --hostinfo argument not valid. To specify a path prefix with '@'\n"); + result = EXIT_FAILURE; + goto leave; + } + break; +#endif case 'd': idevice_set_debug_level(1); break; @@ -152,6 +297,13 @@ int main(int argc, char **argv) goto leave; } + if (wireless_pairing && use_network) { + printf("ERROR: You cannot use -w and -n together.\n"); + print_usage(argc, argv); + result = EXIT_FAILURE; + goto leave; + } + cmd = (argv+optind)[0]; if (!strcmp(cmd, "pair")) { @@ -169,7 +321,18 @@ int main(int argc, char **argv) } else { printf("ERROR: Invalid command '%s' specified\n", cmd); print_usage(argc, argv); - exit(EXIT_FAILURE); + result = EXIT_FAILURE; + goto leave; + } + + if (wireless_pairing) { + if (op == OP_VALIDATE || op == OP_UNPAIR) { + printf("ERROR: Command '%s' is not supported with -w\n", cmd); + print_usage(argc, argv); + result = EXIT_FAILURE; + goto leave; + } + use_network = 1; } if (op == OP_SYSTEMBUID) { @@ -198,7 +361,7 @@ int main(int argc, char **argv) goto leave; } - ret = idevice_new(&device, udid); + ret = idevice_new_with_options(&device, udid, (use_network) ? IDEVICE_LOOKUP_NETWORK : IDEVICE_LOOKUP_USBMUX); if (ret != IDEVICE_E_SUCCESS) { if (udid) { printf("No device found with udid %s.\n", udid); @@ -257,7 +420,17 @@ int main(int argc, char **argv) switch(op) { default: case OP_PAIR: - lerr = lockdownd_pair(client, NULL); +#ifdef HAVE_WIRELESS_PAIRING + if (wireless_pairing) { + lerr = lockdownd_cu_pairing_create(client, pairing_cb, NULL, host_info_plist, NULL); + if (lerr == LOCKDOWN_E_SUCCESS) { + lerr = lockdownd_pair_cu(client); + } + } else +#endif + { + lerr = lockdownd_pair(client, NULL); + } if (lerr == LOCKDOWN_E_SUCCESS) { printf("SUCCESS: Paired with device %s\n", udid); } else { -- cgit v1.1-32-gdbae