diff options
| author |  Tim Segers <tsegers@pm.me> | 2025-10-30 23:29:08 +0100 |
|---|---|---|
| committer | Tim Segers <tsegers@pm.me> | 2025-11-01 10:24:48 +0100 |
| commit | 945f3a935d85d55c23d5cfe4b98b064532dc6bcd (patch) | |
| tree | b08f0656671c23b191ff3d5be3a309fd9d62d8b5 /src | |
| parent | c52ae66fa564fef0e55b5b80f0fd65679daf5abc (diff) | |
| download | tweetpipe-945f3a935d85d55c23d5cfe4b98b064532dc6bcd.tar.gz | |
Replace libhydrogen by tweetnacl and tweetpwhash
Diffstat (limited to 'src')
| -rw-r--r-- | src/encpipe.c | 64 | ||||
| -rw-r--r-- | src/encpipe_p.h | 7 |
2 files changed, 37 insertions, 34 deletions
diff --git a/src/encpipe.c b/src/encpipe.c index 183a14a..a41a222 100644 --- a/src/encpipe.c +++ b/src/encpipe.c @@ -1,4 +1,6 @@ #include "encpipe_p.h" +#include "tweetpwhash.h" +#include "util.h" static struct option getopt_long_options[] = { { "help", 0, NULL, 'h' }, { "decrypt", 0, NULL, 'd' }, { "encrypt", 0, NULL, 'e' }, @@ -46,17 +48,15 @@ file_open(const char *file, int create) static void derive_key(Context *ctx, char *password, size_t password_len) { - static uint8_t master_key[hydro_pwhash_MASTERKEYBYTES] = { 0 }; + static uint8_t master_key[crypto_pwhash_SALTBYTES] = { 0 }; if (ctx->has_key) { die(0, "A single key is enough"); } - if (hydro_pwhash_deterministic(ctx->key, sizeof ctx->key, password, password_len, HYDRO_CONTEXT, - master_key, PWHASH_OPSLIMIT, PWHASH_MEMLIMIT, - PWHASH_THREADS) != 0) { + if (crypto_pwhash(ctx->key, sizeof ctx->key, (unsigned char *) password, password_len, master_key, PWHASH_OPSLIMIT) != 0) { die(0, "Password hashing failed"); } - hydro_memzero(password, password_len); + memzero(password, password_len); ctx->has_key = 1; } @@ -64,22 +64,28 @@ static int stream_encrypt(Context *ctx) { unsigned char *const chunk_size_p = ctx->buf; - unsigned char *const chunk = chunk_size_p + 4; + unsigned char *const chunk_nonce = chunk_size_p + 4; + unsigned char *const chunk_base = chunk_size_p + 4 + crypto_secretbox_NONCEBYTES - crypto_secretbox_BOXZEROBYTES; + unsigned char *const chunk_msg = chunk_size_p + 4 + crypto_secretbox_NONCEBYTES - crypto_secretbox_BOXZEROBYTES + crypto_secretbox_ZEROBYTES; + unsigned char nonce[crypto_secretbox_NONCEBYTES]; uint64_t chunk_id; ssize_t max_chunk_size; ssize_t chunk_size; - assert(ctx->sizeof_buf >= 4 + hydro_secretbox_HEADERBYTES); - max_chunk_size = ctx->sizeof_buf - 4 - hydro_secretbox_HEADERBYTES; + assert(ctx->sizeof_buf >= 4 + crypto_secretbox_NONCEBYTES - crypto_secretbox_BOXZEROBYTES + crypto_secretbox_ZEROBYTES); + max_chunk_size = ctx->sizeof_buf - 4 - crypto_secretbox_NONCEBYTES + crypto_secretbox_BOXZEROBYTES - crypto_secretbox_ZEROBYTES; assert(max_chunk_size <= 0x7fffffff); chunk_id = 0; - while ((chunk_size = safe_read_partial(ctx->fd_in, chunk, max_chunk_size)) >= 0) { + while ((chunk_size = safe_read_partial(ctx->fd_in, chunk_msg, max_chunk_size)) >= 0) { STORE32_LE(chunk_size_p, (uint32_t) chunk_size); - if (hydro_secretbox_encrypt(chunk, chunk, chunk_size, chunk_id, HYDRO_CONTEXT, ctx->key) != + memzero(chunk_nonce, crypto_secretbox_NONCEBYTES - crypto_secretbox_BOXZEROBYTES + crypto_secretbox_ZEROBYTES); + randombytes(nonce, crypto_secretbox_NONCEBYTES); + if (crypto_secretbox(chunk_base, chunk_base, chunk_size + crypto_secretbox_ZEROBYTES, nonce, ctx->key) != 0) { die(0, "Encryption error"); } - if (safe_write(ctx->fd_out, chunk_size_p, 4 + hydro_secretbox_HEADERBYTES + chunk_size, + memcpy(chunk_nonce, nonce, crypto_secretbox_NONCEBYTES); + if (safe_write(ctx->fd_out, chunk_size_p, 4 + crypto_secretbox_NONCEBYTES - crypto_secretbox_BOXZEROBYTES + crypto_secretbox_ZEROBYTES + chunk_size, -1) < 0) { die(1, "write()"); } @@ -98,14 +104,17 @@ static int stream_decrypt(Context *ctx) { unsigned char *const chunk_size_p = ctx->buf; - unsigned char *const chunk = chunk_size_p + 4; + unsigned char *const chunk_nonce = chunk_size_p + 4; + unsigned char *const chunk_base = chunk_size_p + 4 + crypto_secretbox_NONCEBYTES - crypto_secretbox_BOXZEROBYTES; + unsigned char *const chunk_msg = chunk_size_p + 4 + crypto_secretbox_NONCEBYTES - crypto_secretbox_BOXZEROBYTES + crypto_secretbox_ZEROBYTES; + unsigned char nonce[crypto_secretbox_NONCEBYTES]; uint64_t chunk_id; ssize_t readnb; ssize_t max_chunk_size; ssize_t chunk_size; - assert(ctx->sizeof_buf >= 4 + hydro_secretbox_HEADERBYTES); - max_chunk_size = ctx->sizeof_buf - 4 - hydro_secretbox_HEADERBYTES; + assert(ctx->sizeof_buf >= 4 + crypto_secretbox_NONCEBYTES - crypto_secretbox_BOXZEROBYTES + crypto_secretbox_ZEROBYTES); + max_chunk_size = ctx->sizeof_buf - 4 - crypto_secretbox_NONCEBYTES + crypto_secretbox_BOXZEROBYTES - crypto_secretbox_ZEROBYTES; assert(max_chunk_size <= 0x7fffffff); chunk_id = 0; while ((readnb = safe_read(ctx->fd_in, chunk_size_p, 4)) == 4) { @@ -113,13 +122,14 @@ stream_decrypt(Context *ctx) if (chunk_size > max_chunk_size) { die(0, "Chunk size too large ([%zd] > [%zd])", chunk_size, max_chunk_size); } - if (safe_read(ctx->fd_in, chunk, chunk_size + hydro_secretbox_HEADERBYTES) != - chunk_size + hydro_secretbox_HEADERBYTES) { + if (safe_read(ctx->fd_in, chunk_nonce, crypto_secretbox_NONCEBYTES - crypto_secretbox_BOXZEROBYTES + crypto_secretbox_ZEROBYTES + chunk_size) != + crypto_secretbox_NONCEBYTES - crypto_secretbox_BOXZEROBYTES + crypto_secretbox_ZEROBYTES + chunk_size) { die(0, "Chunk too short ([%zd] bytes expected)", chunk_size); } - if (hydro_secretbox_decrypt(chunk, chunk, chunk_size + hydro_secretbox_HEADERBYTES, - chunk_id, HYDRO_CONTEXT, ctx->key) != 0) { - fprintf(stderr, "Unable to decrypt chunk #%" PRIu64 " - ", chunk_id); + memcpy(nonce, chunk_nonce, crypto_secretbox_NONCEBYTES); + memzero(chunk_nonce, crypto_secretbox_NONCEBYTES); + if (crypto_secretbox_open(chunk_base, chunk_base, chunk_size + crypto_secretbox_ZEROBYTES, nonce, ctx->key) != 0) { + printf("Unable to decrypt chunk #%" PRIu64 " - ", chunk_id); if (chunk_id == 0) { die(0, "Wrong password or key?"); } else { @@ -129,7 +139,7 @@ stream_decrypt(Context *ctx) if (chunk_size == 0) { break; } - if (safe_write(ctx->fd_out, chunk, chunk_size, -1) < 0) { + if (safe_write(ctx->fd_out, chunk_msg, chunk_size, -1) < 0) { die(1, "write()"); } chunk_id++; @@ -198,11 +208,11 @@ passgen(void) unsigned char password[32]; char hex[32 * 2 + 1]; - hydro_random_buf(password, sizeof password); - hydro_bin2hex(hex, sizeof hex, password, sizeof password); + randombytes(password, sizeof password); + bin2hex(hex, sizeof hex, password, sizeof password); puts(hex); - hydro_memzero(password, sizeof password); - hydro_memzero(hex, sizeof hex); + memzero(password, sizeof password); + memzero(hex, sizeof hex); exit(0); } @@ -263,9 +273,6 @@ main(int argc, char *argv[]) { Context ctx; - if (hydro_init() < 0) { - die(1, "Unable to initialize the crypto library"); - } memset(&ctx, 0, sizeof ctx); options_parse(&ctx, argc, argv); ctx.sizeof_buf = DEFAULT_BUFFER_SIZE; @@ -277,7 +284,6 @@ main(int argc, char *argv[]) if ((ctx.buf = (unsigned char *) malloc(ctx.sizeof_buf)) == NULL) { die(1, "malloc()"); } - assert(sizeof HYDRO_CONTEXT == hydro_secretbox_CONTEXTBYTES); ctx.fd_in = file_open(ctx.in, 0); ctx.fd_out = file_open(ctx.out, 1); @@ -289,7 +295,7 @@ main(int argc, char *argv[]) free(ctx.buf); close(ctx.fd_out); close(ctx.fd_in); - hydro_memzero(&ctx, sizeof ctx); + memzero(&ctx, sizeof ctx); return 0; } diff --git a/src/encpipe_p.h b/src/encpipe_p.h index 98afe94..06fc523 100644 --- a/src/encpipe_p.h +++ b/src/encpipe_p.h @@ -16,7 +16,7 @@ #include <string.h> #include <unistd.h> -#include <hydrogen.h> +#include <tweetnacl.h> #include "common.h" #include "safe_rw.h" @@ -24,15 +24,12 @@ #define MIN_BUFFER_SIZE 512 #define MAX_BUFFER_SIZE 0x7fffffff #define DEFAULT_BUFFER_SIZE (1 * 1024 * 1024) -#define HYDRO_CONTEXT "EncPipe" #define PWHASH_OPSLIMIT 1000000 -#define PWHASH_MEMLIMIT 0 -#define PWHASH_THREADS 1 typedef struct Context_ { char * in; char * out; - unsigned char key[hydro_secretbox_KEYBYTES]; + unsigned char key[crypto_secretbox_KEYBYTES]; unsigned char *buf; size_t sizeof_buf; int fd_in; |