aboutsummaryrefslogtreecommitdiff
path: root/frozen_deps/Cryptodome/Protocol
diff options
context:
space:
mode:
Diffstat (limited to 'frozen_deps/Cryptodome/Protocol')
-rw-r--r--frozen_deps/Cryptodome/Protocol/KDF.py574
-rw-r--r--frozen_deps/Cryptodome/Protocol/KDF.pyi24
-rw-r--r--frozen_deps/Cryptodome/Protocol/SecretSharing.py278
-rw-r--r--frozen_deps/Cryptodome/Protocol/SecretSharing.pyi22
-rw-r--r--frozen_deps/Cryptodome/Protocol/__init__.py31
-rw-r--r--frozen_deps/Cryptodome/Protocol/__init__.pyi1
-rwxr-xr-xfrozen_deps/Cryptodome/Protocol/_scrypt.cpython-38-x86_64-linux-gnu.sobin0 -> 16510 bytes
7 files changed, 930 insertions, 0 deletions
diff --git a/frozen_deps/Cryptodome/Protocol/KDF.py b/frozen_deps/Cryptodome/Protocol/KDF.py
new file mode 100644
index 0000000..4baa276
--- /dev/null
+++ b/frozen_deps/Cryptodome/Protocol/KDF.py
@@ -0,0 +1,574 @@
+# coding=utf-8
+#
+# KDF.py : a collection of Key Derivation Functions
+#
+# Part of the Python Cryptography Toolkit
+#
+# ===================================================================
+# The contents of this file are dedicated to the public domain. To
+# the extent that dedication to the public domain is not available,
+# everyone is granted a worldwide, perpetual, royalty-free,
+# non-exclusive license to exercise all rights associated with the
+# contents of this file for any purpose whatsoever.
+# No rights are reserved.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+# EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+# MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+# NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
+# BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
+# ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+# SOFTWARE.
+# ===================================================================
+
+import re
+import struct
+from functools import reduce
+
+from Cryptodome.Util.py3compat import (tobytes, bord, _copy_bytes, iter_range,
+ tostr, bchr, bstr)
+
+from Cryptodome.Hash import SHA1, SHA256, HMAC, CMAC, BLAKE2s
+from Cryptodome.Util.strxor import strxor
+from Cryptodome.Random import get_random_bytes
+from Cryptodome.Util.number import size as bit_size, long_to_bytes, bytes_to_long
+
+from Cryptodome.Util._raw_api import (load_pycryptodome_raw_lib,
+ create_string_buffer,
+ get_raw_buffer, c_size_t)
+
+_raw_salsa20_lib = load_pycryptodome_raw_lib("Cryptodome.Cipher._Salsa20",
+ """
+ int Salsa20_8_core(const uint8_t *x, const uint8_t *y,
+ uint8_t *out);
+ """)
+
+_raw_scrypt_lib = load_pycryptodome_raw_lib("Cryptodome.Protocol._scrypt",
+ """
+ typedef int (core_t)(const uint8_t [64], const uint8_t [64], uint8_t [64]);
+ int scryptROMix(const uint8_t *data_in, uint8_t *data_out,
+ size_t data_len, unsigned N, core_t *core);
+ """)
+
+
+def PBKDF1(password, salt, dkLen, count=1000, hashAlgo=None):
+ """Derive one key from a password (or passphrase).
+
+ This function performs key derivation according to an old version of
+ the PKCS#5 standard (v1.5) or `RFC2898
+ <https://www.ietf.org/rfc/rfc2898.txt>`_.
+
+ Args:
+ password (string):
+ The secret password to generate the key from.
+ salt (byte string):
+ An 8 byte string to use for better protection from dictionary attacks.
+ This value does not need to be kept secret, but it should be randomly
+ chosen for each derivation.
+ dkLen (integer):
+ The length of the desired key. The default is 16 bytes, suitable for
+ instance for :mod:`Cryptodome.Cipher.AES`.
+ count (integer):
+ The number of iterations to carry out. The recommendation is 1000 or
+ more.
+ hashAlgo (module):
+ The hash algorithm to use, as a module or an object from the :mod:`Cryptodome.Hash` package.
+ The digest length must be no shorter than ``dkLen``.
+ The default algorithm is :mod:`Cryptodome.Hash.SHA1`.
+
+ Return:
+ A byte string of length ``dkLen`` that can be used as key.
+ """
+
+ if not hashAlgo:
+ hashAlgo = SHA1
+ password = tobytes(password)
+ pHash = hashAlgo.new(password+salt)
+ digest = pHash.digest_size
+ if dkLen > digest:
+ raise TypeError("Selected hash algorithm has a too short digest (%d bytes)." % digest)
+ if len(salt) != 8:
+ raise ValueError("Salt is not 8 bytes long (%d bytes instead)." % len(salt))
+ for i in iter_range(count-1):
+ pHash = pHash.new(pHash.digest())
+ return pHash.digest()[:dkLen]
+
+
+def PBKDF2(password, salt, dkLen=16, count=1000, prf=None, hmac_hash_module=None):
+ """Derive one or more keys from a password (or passphrase).
+
+ This function performs key derivation according to the PKCS#5 standard (v2.0).
+
+ Args:
+ password (string or byte string):
+ The secret password to generate the key from.
+ salt (string or byte string):
+ A (byte) string to use for better protection from dictionary attacks.
+ This value does not need to be kept secret, but it should be randomly
+ chosen for each derivation. It is recommended to use at least 16 bytes.
+ dkLen (integer):
+ The cumulative length of the keys to produce.
+
+ Due to a flaw in the PBKDF2 design, you should not request more bytes
+ than the ``prf`` can output. For instance, ``dkLen`` should not exceed
+ 20 bytes in combination with ``HMAC-SHA1``.
+ count (integer):
+ The number of iterations to carry out. The higher the value, the slower
+ and the more secure the function becomes.
+
+ You should find the maximum number of iterations that keeps the
+ key derivation still acceptable on the slowest hardware you must support.
+
+ Although the default value is 1000, **it is recommended to use at least
+ 1000000 (1 million) iterations**.
+ prf (callable):
+ A pseudorandom function. It must be a function that returns a
+ pseudorandom byte string from two parameters: a secret and a salt.
+ The slower the algorithm, the more secure the derivation function.
+ If not specified, **HMAC-SHA1** is used.
+ hmac_hash_module (module):
+ A module from ``Cryptodome.Hash`` implementing a Merkle-Damgard cryptographic
+ hash, which PBKDF2 must use in combination with HMAC.
+ This parameter is mutually exclusive with ``prf``.
+
+ Return:
+ A byte string of length ``dkLen`` that can be used as key material.
+ If you want multiple keys, just break up this string into segments of the desired length.
+ """
+
+ password = tobytes(password)
+ salt = tobytes(salt)
+
+ if prf and hmac_hash_module:
+ raise ValueError("'prf' and 'hmac_hash_module' are mutually exlusive")
+
+ if prf is None and hmac_hash_module is None:
+ hmac_hash_module = SHA1
+
+ if prf or not hasattr(hmac_hash_module, "_pbkdf2_hmac_assist"):
+ # Generic (and slow) implementation
+
+ if prf is None:
+ prf = lambda p,s: HMAC.new(p, s, hmac_hash_module).digest()
+
+ def link(s):
+ s[0], s[1] = s[1], prf(password, s[1])
+ return s[0]
+
+ key = b''
+ i = 1
+ while len(key) < dkLen:
+ s = [ prf(password, salt + struct.pack(">I", i)) ] * 2
+ key += reduce(strxor, (link(s) for j in range(count)) )
+ i += 1
+
+ else:
+ # Optimized implementation
+ key = b''
+ i = 1
+ while len(key)<dkLen:
+ base = HMAC.new(password, b"", hmac_hash_module)
+ first_digest = base.copy().update(salt + struct.pack(">I", i)).digest()
+ key += base._pbkdf2_hmac_assist(first_digest, count)
+ i += 1
+
+ return key[:dkLen]
+
+
+class _S2V(object):
+ """String-to-vector PRF as defined in `RFC5297`_.
+
+ This class implements a pseudorandom function family
+ based on CMAC that takes as input a vector of strings.
+
+ .. _RFC5297: http://tools.ietf.org/html/rfc5297
+ """
+
+ def __init__(self, key, ciphermod, cipher_params=None):
+ """Initialize the S2V PRF.
+
+ :Parameters:
+ key : byte string
+ A secret that can be used as key for CMACs
+ based on ciphers from ``ciphermod``.
+ ciphermod : module
+ A block cipher module from `Cryptodome.Cipher`.
+ cipher_params : dictionary
+ A set of extra parameters to use to create a cipher instance.
+ """
+
+ self._key = _copy_bytes(None, None, key)
+ self._ciphermod = ciphermod
+ self._last_string = self._cache = b'\x00' * ciphermod.block_size
+
+ # Max number of update() call we can process
+ self._n_updates = ciphermod.block_size * 8 - 1
+
+ if cipher_params is None:
+ self._cipher_params = {}
+ else:
+ self._cipher_params = dict(cipher_params)
+
+ @staticmethod
+ def new(key, ciphermod):
+ """Create a new S2V PRF.
+
+ :Parameters:
+ key : byte string
+ A secret that can be used as key for CMACs
+ based on ciphers from ``ciphermod``.
+ ciphermod : module
+ A block cipher module from `Cryptodome.Cipher`.
+ """
+ return _S2V(key, ciphermod)
+
+ def _double(self, bs):
+ doubled = bytes_to_long(bs)<<1
+ if bord(bs[0]) & 0x80:
+ doubled ^= 0x87
+ return long_to_bytes(doubled, len(bs))[-len(bs):]
+
+ def update(self, item):
+ """Pass the next component of the vector.
+
+ The maximum number of components you can pass is equal to the block
+ length of the cipher (in bits) minus 1.
+
+ :Parameters:
+ item : byte string
+ The next component of the vector.
+ :Raise TypeError: when the limit on the number of components has been reached.
+ """
+
+ if self._n_updates == 0:
+ raise TypeError("Too many components passed to S2V")
+ self._n_updates -= 1
+
+ mac = CMAC.new(self._key,
+ msg=self._last_string,
+ ciphermod=self._ciphermod,
+ cipher_params=self._cipher_params)
+ self._cache = strxor(self._double(self._cache), mac.digest())
+ self._last_string = _copy_bytes(None, None, item)
+
+ def derive(self):
+ """"Derive a secret from the vector of components.
+
+ :Return: a byte string, as long as the block length of the cipher.
+ """
+
+ if len(self._last_string) >= 16:
+ # xorend
+ final = self._last_string[:-16] + strxor(self._last_string[-16:], self._cache)
+ else:
+ # zero-pad & xor
+ padded = (self._last_string + b'\x80' + b'\x00' * 15)[:16]
+ final = strxor(padded, self._double(self._cache))
+ mac = CMAC.new(self._key,
+ msg=final,
+ ciphermod=self._ciphermod,
+ cipher_params=self._cipher_params)
+ return mac.digest()
+
+
+def HKDF(master, key_len, salt, hashmod, num_keys=1, context=None):
+ """Derive one or more keys from a master secret using
+ the HMAC-based KDF defined in RFC5869_.
+
+ Args:
+ master (byte string):
+ The unguessable value used by the KDF to generate the other keys.
+ It must be a high-entropy secret, though not necessarily uniform.
+ It must not be a password.
+ salt (byte string):
+ A non-secret, reusable value that strengthens the randomness
+ extraction step.
+ Ideally, it is as long as the digest size of the chosen hash.
+ If empty, a string of zeroes in used.
+ key_len (integer):
+ The length in bytes of every derived key.
+ hashmod (module):
+ A cryptographic hash algorithm from :mod:`Cryptodome.Hash`.
+ :mod:`Cryptodome.Hash.SHA512` is a good choice.
+ num_keys (integer):
+ The number of keys to derive. Every key is :data:`key_len` bytes long.
+ The maximum cumulative length of all keys is
+ 255 times the digest size.
+ context (byte string):
+ Optional identifier describing what the keys are used for.
+
+ Return:
+ A byte string or a tuple of byte strings.
+
+ .. _RFC5869: http://tools.ietf.org/html/rfc5869
+ """
+
+ output_len = key_len * num_keys
+ if output_len > (255 * hashmod.digest_size):
+ raise ValueError("Too much secret data to derive")
+ if not salt:
+ salt = b'\x00' * hashmod.digest_size
+ if context is None:
+ context = b""
+
+ # Step 1: extract
+ hmac = HMAC.new(salt, master, digestmod=hashmod)
+ prk = hmac.digest()
+
+ # Step 2: expand
+ t = [ b"" ]
+ n = 1
+ tlen = 0
+ while tlen < output_len:
+ hmac = HMAC.new(prk, t[-1] + context + struct.pack('B', n), digestmod=hashmod)
+ t.append(hmac.digest())
+ tlen += hashmod.digest_size
+ n += 1
+ derived_output = b"".join(t)
+ if num_keys == 1:
+ return derived_output[:key_len]
+ kol = [derived_output[idx:idx + key_len]
+ for idx in iter_range(0, output_len, key_len)]
+ return list(kol[:num_keys])
+
+
+
+def scrypt(password, salt, key_len, N, r, p, num_keys=1):
+ """Derive one or more keys from a passphrase.
+
+ Args:
+ password (string):
+ The secret pass phrase to generate the keys from.
+ salt (string):
+ A string to use for better protection from dictionary attacks.
+ This value does not need to be kept secret,
+ but it should be randomly chosen for each derivation.
+ It is recommended to be at least 16 bytes long.
+ key_len (integer):
+ The length in bytes of every derived key.
+ N (integer):
+ CPU/Memory cost parameter. It must be a power of 2 and less
+ than :math:`2^{32}`.
+ r (integer):
+ Block size parameter.
+ p (integer):
+ Parallelization parameter.
+ It must be no greater than :math:`(2^{32}-1)/(4r)`.
+ num_keys (integer):
+ The number of keys to derive. Every key is :data:`key_len` bytes long.
+ By default, only 1 key is generated.
+ The maximum cumulative length of all keys is :math:`(2^{32}-1)*32`
+ (that is, 128TB).
+
+ A good choice of parameters *(N, r , p)* was suggested
+ by Colin Percival in his `presentation in 2009`__:
+
+ - *( 2¹⁴, 8, 1 )* for interactive logins (≤100ms)
+ - *( 2²⁰, 8, 1 )* for file encryption (≤5s)
+
+ Return:
+ A byte string or a tuple of byte strings.
+
+ .. __: http://www.tarsnap.com/scrypt/scrypt-slides.pdf
+ """
+
+ if 2 ** (bit_size(N) - 1) != N:
+ raise ValueError("N must be a power of 2")
+ if N >= 2 ** 32:
+ raise ValueError("N is too big")
+ if p > ((2 ** 32 - 1) * 32) // (128 * r):
+ raise ValueError("p or r are too big")
+
+ prf_hmac_sha256 = lambda p, s: HMAC.new(p, s, SHA256).digest()
+
+ stage_1 = PBKDF2(password, salt, p * 128 * r, 1, prf=prf_hmac_sha256)
+
+ scryptROMix = _raw_scrypt_lib.scryptROMix
+ core = _raw_salsa20_lib.Salsa20_8_core
+
+ # Parallelize into p flows
+ data_out = []
+ for flow in iter_range(p):
+ idx = flow * 128 * r
+ buffer_out = create_string_buffer(128 * r)
+ result = scryptROMix(stage_1[idx : idx + 128 * r],
+ buffer_out,
+ c_size_t(128 * r),
+ N,
+ core)
+ if result:
+ raise ValueError("Error %X while running scrypt" % result)
+ data_out += [ get_raw_buffer(buffer_out) ]
+
+ dk = PBKDF2(password,
+ b"".join(data_out),
+ key_len * num_keys, 1,
+ prf=prf_hmac_sha256)
+
+ if num_keys == 1:
+ return dk
+
+ kol = [dk[idx:idx + key_len]
+ for idx in iter_range(0, key_len * num_keys, key_len)]
+ return kol
+
+
+def _bcrypt_encode(data):
+ s = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+
+ bits = []
+ for c in data:
+ bits_c = bin(bord(c))[2:].zfill(8)
+ bits.append(bstr(bits_c))
+ bits = b"".join(bits)
+
+ bits6 = [ bits[idx:idx+6] for idx in range(0, len(bits), 6) ]
+
+ result = []
+ for g in bits6[:-1]:
+ idx = int(g, 2)
+ result.append(s[idx])
+
+ g = bits6[-1]
+ idx = int(g, 2) << (6 - len(g))
+ result.append(s[idx])
+ result = "".join(result)
+
+ return tobytes(result)
+
+
+def _bcrypt_decode(data):
+ s = "./ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"
+
+ bits = []
+ for c in tostr(data):
+ idx = s.find(c)
+ bits6 = bin(idx)[2:].zfill(6)
+ bits.append(bits6)
+ bits = "".join(bits)
+
+ modulo4 = len(data) % 4
+ if modulo4 == 1:
+ raise ValueError("Incorrect length")
+ elif modulo4 == 2:
+ bits = bits[:-4]
+ elif modulo4 == 3:
+ bits = bits[:-2]
+
+ bits8 = [ bits[idx:idx+8] for idx in range(0, len(bits), 8) ]
+
+ result = []
+ for g in bits8:
+ result.append(bchr(int(g, 2)))
+ result = b"".join(result)
+
+ return result
+
+
+def _bcrypt_hash(password, cost, salt, constant, invert):
+ from Cryptodome.Cipher import _EKSBlowfish
+
+ if len(password) > 72:
+ raise ValueError("The password is too long. It must be 72 bytes at most.")
+
+ if not (4 <= cost <= 31):
+ raise ValueError("bcrypt cost factor must be in the range 4..31")
+
+ cipher = _EKSBlowfish.new(password, _EKSBlowfish.MODE_ECB, salt, cost, invert)
+ ctext = constant
+ for _ in range(64):
+ ctext = cipher.encrypt(ctext)
+ return ctext
+
+
+def bcrypt(password, cost, salt=None):
+ """Hash a password into a key, using the OpenBSD bcrypt protocol.
+
+ Args:
+ password (byte string or string):
+ The secret password or pass phrase.
+ It must be at most 72 bytes long.
+ It must not contain the zero byte.
+ Unicode strings will be encoded as UTF-8.
+ cost (integer):
+ The exponential factor that makes it slower to compute the hash.
+ It must be in the range 4 to 31.
+ A value of at least 12 is recommended.
+ salt (byte string):
+ Optional. Random byte string to thwarts dictionary and rainbow table
+ attacks. It must be 16 bytes long.
+ If not passed, a random value is generated.
+
+ Return (byte string):
+ The bcrypt hash
+
+ Raises:
+ ValueError: if password is longer than 72 bytes or if it contains the zero byte
+
+ """
+
+ password = tobytes(password, "utf-8")
+
+ if password.find(bchr(0)[0]) != -1:
+ raise ValueError("The password contains the zero byte")
+
+ if len(password) < 72:
+ password += b"\x00"
+
+ if salt is None:
+ salt = get_random_bytes(16)
+ if len(salt) != 16:
+ raise ValueError("bcrypt salt must be 16 bytes long")
+
+ ctext = _bcrypt_hash(password, cost, salt, b"OrpheanBeholderScryDoubt", True)
+
+ cost_enc = b"$" + bstr(str(cost).zfill(2))
+ salt_enc = b"$" + _bcrypt_encode(salt)
+ hash_enc = _bcrypt_encode(ctext[:-1]) # only use 23 bytes, not 24
+ return b"$2a" + cost_enc + salt_enc + hash_enc
+
+
+def bcrypt_check(password, bcrypt_hash):
+ """Verify if the provided password matches the given bcrypt hash.
+
+ Args:
+ password (byte string or string):
+ The secret password or pass phrase to test.
+ It must be at most 72 bytes long.
+ It must not contain the zero byte.
+ Unicode strings will be encoded as UTF-8.
+ bcrypt_hash (byte string, bytearray):
+ The reference bcrypt hash the password needs to be checked against.
+
+ Raises:
+ ValueError: if the password does not match
+ """
+
+ bcrypt_hash = tobytes(bcrypt_hash)
+
+ if len(bcrypt_hash) != 60:
+ raise ValueError("Incorrect length of the bcrypt hash: %d bytes instead of 60" % len(bcrypt_hash))
+
+ if bcrypt_hash[:4] != b'$2a$':
+ raise ValueError("Unsupported prefix")
+
+ p = re.compile(br'\$2a\$([0-9][0-9])\$([A-Za-z0-9./]{22,22})([A-Za-z0-9./]{31,31})')
+ r = p.match(bcrypt_hash)
+ if not r:
+ raise ValueError("Incorrect bcrypt hash format")
+
+ cost = int(r.group(1))
+ if not (4 <= cost <= 31):
+ raise ValueError("Incorrect cost")
+
+ salt = _bcrypt_decode(r.group(2))
+
+ bcrypt_hash2 = bcrypt(password, cost, salt)
+
+ secret = get_random_bytes(16)
+
+ mac1 = BLAKE2s.new(digest_bits=160, key=secret, data=bcrypt_hash).digest()
+ mac2 = BLAKE2s.new(digest_bits=160, key=secret, data=bcrypt_hash2).digest()
+ if mac1 != mac2:
+ raise ValueError("Incorrect bcrypt hash")
diff --git a/frozen_deps/Cryptodome/Protocol/KDF.pyi b/frozen_deps/Cryptodome/Protocol/KDF.pyi
new file mode 100644
index 0000000..fb004bf
--- /dev/null
+++ b/frozen_deps/Cryptodome/Protocol/KDF.pyi
@@ -0,0 +1,24 @@
+from types import ModuleType
+from typing import Optional, Callable, Tuple, Union, Dict, Any
+
+RNG = Callable[[int], bytes]
+
+def PBKDF1(password: str, salt: bytes, dkLen: int, count: Optional[int]=1000, hashAlgo: Optional[ModuleType]=None) -> bytes: ...
+def PBKDF2(password: str, salt: bytes, dkLen: Optional[int]=16, count: Optional[int]=1000, prf: Optional[RNG]=None, hmac_hash_module: Optional[ModuleType]=None) -> bytes: ...
+
+class _S2V(object):
+ def __init__(self, key: bytes, ciphermod: ModuleType, cipher_params: Optional[Dict[Any, Any]]=None) -> None: ...
+
+ @staticmethod
+ def new(key: bytes, ciphermod: ModuleType) -> None: ...
+ def update(self, item: bytes) -> None: ...
+ def derive(self) -> bytes: ...
+
+def HKDF(master: bytes, key_len: int, salt: bytes, hashmod: ModuleType, num_keys: Optional[int]=1, context: Optional[bytes]=None) -> Union[bytes, Tuple[bytes, ...]]: ...
+
+def scrypt(password: str, salt: str, key_len: int, N: int, r: int, p: int, num_keys: Optional[int]=1) -> Union[bytes, Tuple[bytes, ...]]: ...
+
+def _bcrypt_decode(data: bytes) -> bytes: ...
+def _bcrypt_hash(password:bytes , cost: int, salt: bytes, constant:bytes, invert:bool) -> bytes: ...
+def bcrypt(password: Union[bytes, str], cost: int, salt: Optional[bytes]=None) -> bytes: ...
+def bcrypt_check(password: Union[bytes, str], bcrypt_hash: Union[bytes, bytearray, str]) -> None: ...
diff --git a/frozen_deps/Cryptodome/Protocol/SecretSharing.py b/frozen_deps/Cryptodome/Protocol/SecretSharing.py
new file mode 100644
index 0000000..6fdc9b4
--- /dev/null
+++ b/frozen_deps/Cryptodome/Protocol/SecretSharing.py
@@ -0,0 +1,278 @@
+#
+# SecretSharing.py : distribute a secret amongst a group of participants
+#
+# ===================================================================
+#
+# Copyright (c) 2014, Legrandin <[email protected]>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+# ===================================================================
+
+from Cryptodome.Util.py3compat import is_native_int
+from Cryptodome.Util import number
+from Cryptodome.Util.number import long_to_bytes, bytes_to_long
+from Cryptodome.Random import get_random_bytes as rng
+
+
+def _mult_gf2(f1, f2):
+ """Multiply two polynomials in GF(2)"""
+
+ # Ensure f2 is the smallest
+ if f2 > f1:
+ f1, f2 = f2, f1
+ z = 0
+ while f2:
+ if f2 & 1:
+ z ^= f1
+ f1 <<= 1
+ f2 >>= 1
+ return z
+
+
+def _div_gf2(a, b):
+ """
+ Compute division of polynomials over GF(2).
+ Given a and b, it finds two polynomials q and r such that:
+
+ a = b*q + r with deg(r)<deg(b)
+ """
+
+ if (a < b):
+ return 0, a
+
+ deg = number.size
+ q = 0
+ r = a
+ d = deg(b)
+ while deg(r) >= d:
+ s = 1 << (deg(r) - d)
+ q ^= s
+ r ^= _mult_gf2(b, s)
+ return (q, r)
+
+
+class _Element(object):
+ """Element of GF(2^128) field"""
+
+ # The irreducible polynomial defining this field is 1+x+x^2+x^7+x^128
+ irr_poly = 1 + 2 + 4 + 128 + 2 ** 128
+
+ def __init__(self, encoded_value):
+ """Initialize the element to a certain value.
+
+ The value passed as parameter is internally encoded as
+ a 128-bit integer, where each bit represents a polynomial
+ coefficient. The LSB is the constant coefficient.
+ """
+
+ if is_native_int(encoded_value):
+ self._value = encoded_value
+ elif len(encoded_value) == 16:
+ self._value = bytes_to_long(encoded_value)
+ else:
+ raise ValueError("The encoded value must be an integer or a 16 byte string")
+
+ def __eq__(self, other):
+ return self._value == other._value
+
+ def __int__(self):
+ """Return the field element, encoded as a 128-bit integer."""
+ return self._value
+
+ def encode(self):
+ """Return the field element, encoded as a 16 byte string."""
+ return long_to_bytes(self._value, 16)
+
+ def __mul__(self, factor):
+
+ f1 = self._value
+ f2 = factor._value
+
+ # Make sure that f2 is the smallest, to speed up the loop
+ if f2 > f1:
+ f1, f2 = f2, f1
+
+ if self.irr_poly in (f1, f2):
+ return _Element(0)
+
+ mask1 = 2 ** 128
+ v, z = f1, 0
+ while f2:
+ # if f2 ^ 1: z ^= v
+ mask2 = int(bin(f2 & 1)[2:] * 128, base=2)
+ z = (mask2 & (z ^ v)) | ((mask1 - mask2 - 1) & z)
+ v <<= 1
+ # if v & mask1: v ^= self.irr_poly
+ mask3 = int(bin((v >> 128) & 1)[2:] * 128, base=2)
+ v = (mask3 & (v ^ self.irr_poly)) | ((mask1 - mask3 - 1) & v)
+ f2 >>= 1
+ return _Element(z)
+
+ def __add__(self, term):
+ return _Element(self._value ^ term._value)
+
+ def inverse(self):
+ """Return the inverse of this element in GF(2^128)."""
+
+ # We use the Extended GCD algorithm
+ # http://en.wikipedia.org/wiki/Polynomial_greatest_common_divisor
+
+ if self._value == 0:
+ raise ValueError("Inversion of zero")
+
+ r0, r1 = self._value, self.irr_poly
+ s0, s1 = 1, 0
+ while r1 > 0:
+ q = _div_gf2(r0, r1)[0]
+ r0, r1 = r1, r0 ^ _mult_gf2(q, r1)
+ s0, s1 = s1, s0 ^ _mult_gf2(q, s1)
+ return _Element(s0)
+
+ def __pow__(self, exponent):
+ result = _Element(self._value)
+ for _ in range(exponent - 1):
+ result = result * self
+ return result
+
+
+class Shamir(object):
+ """Shamir's secret sharing scheme.
+
+ A secret is split into ``n`` shares, and it is sufficient to collect
+ ``k`` of them to reconstruct the secret.
+ """
+
+ @staticmethod
+ def split(k, n, secret, ssss=False):
+ """Split a secret into ``n`` shares.
+
+ The secret can be reconstructed later using just ``k`` shares
+ out of the original ``n``.
+ Each share must be kept confidential to the person it was
+ assigned to.
+
+ Each share is associated to an index (starting from 1).
+
+ Args:
+ k (integer):
+ The sufficient number of shares to reconstruct the secret (``k < n``).
+ n (integer):
+ The number of shares that this method will create.
+ secret (byte string):
+ A byte string of 16 bytes (e.g. the AES 128 key).
+ ssss (bool):
+ If ``True``, the shares can be used with the ``ssss`` utility.
+ Default: ``False``.
+
+ Return (tuples):
+ ``n`` tuples. A tuple is meant for each participant and it contains two items:
+
+ 1. the unique index (an integer)
+ 2. the share (a byte string, 16 bytes)
+ """
+
+ #
+ # We create a polynomial with random coefficients in GF(2^128):
+ #
+ # p(x) = \sum_{i=0}^{k-1} c_i * x^i
+ #
+ # c_0 is the encoded secret
+ #
+
+ coeffs = [_Element(rng(16)) for i in range(k - 1)]
+ coeffs.append(_Element(secret))
+
+ # Each share is y_i = p(x_i) where x_i is the public index
+ # associated to each of the n users.
+
+ def make_share(user, coeffs, ssss):
+ idx = _Element(user)
+ share = _Element(0)
+ for coeff in coeffs:
+ share = idx * share + coeff
+ if ssss:
+ share += _Element(user) ** len(coeffs)
+ return share.encode()
+
+ return [(i, make_share(i, coeffs, ssss)) for i in range(1, n + 1)]
+
+ @staticmethod
+ def combine(shares, ssss=False):
+ """Recombine a secret, if enough shares are presented.
+
+ Args:
+ shares (tuples):
+ The *k* tuples, each containin the index (an integer) and
+ the share (a byte string, 16 bytes long) that were assigned to
+ a participant.
+ ssss (bool):
+ If ``True``, the shares were produced by the ``ssss`` utility.
+ Default: ``False``.
+
+ Return:
+ The original secret, as a byte string (16 bytes long).
+ """
+
+ #
+ # Given k points (x,y), the interpolation polynomial of degree k-1 is:
+ #
+ # L(x) = \sum_{j=0}^{k-1} y_i * l_j(x)
+ #
+ # where:
+ #
+ # l_j(x) = \prod_{ \overset{0 \le m \le k-1}{m \ne j} }
+ # \frac{x - x_m}{x_j - x_m}
+ #
+ # However, in this case we are purely interested in the constant
+ # coefficient of L(x).
+ #
+
+ k = len(shares)
+
+ gf_shares = []
+ for x in shares:
+ idx = _Element(x[0])
+ value = _Element(x[1])
+ if any(y[0] == idx for y in gf_shares):
+ raise ValueError("Duplicate share")
+ if ssss:
+ value += idx ** k
+ gf_shares.append((idx, value))
+
+ result = _Element(0)
+ for j in range(k):
+ x_j, y_j = gf_shares[j]
+
+ numerator = _Element(1)
+ denominator = _Element(1)
+
+ for m in range(k):
+ x_m = gf_shares[m][0]
+ if m != j:
+ numerator *= x_m
+ denominator *= x_j + x_m
+ result += y_j * numerator * denominator.inverse()
+ return result.encode()
diff --git a/frozen_deps/Cryptodome/Protocol/SecretSharing.pyi b/frozen_deps/Cryptodome/Protocol/SecretSharing.pyi
new file mode 100644
index 0000000..5952c99
--- /dev/null
+++ b/frozen_deps/Cryptodome/Protocol/SecretSharing.pyi
@@ -0,0 +1,22 @@
+from typing import Union, List, Tuple, Optional
+
+def _mult_gf2(f1: int, f2: int) -> int : ...
+def _div_gf2(a: int, b: int) -> int : ...
+
+class _Element(object):
+ irr_poly: int
+ def __init__(self, encoded_value: Union[int, bytes]) -> None: ...
+ def __eq__(self, other) -> bool: ...
+ def __int__(self) -> int: ...
+ def encode(self) -> bytes: ...
+ def __mul__(self, factor: int) -> _Element: ...
+ def __add__(self, term: _Element) -> _Element: ...
+ def inverse(self) -> _Element: ...
+ def __pow__(self, exponent) -> _Element: ...
+
+class Shamir(object):
+ @staticmethod
+ def split(k: int, n: int, secret: bytes, ssss: Optional[bool]) -> List[Tuple[int, bytes]]: ...
+ @staticmethod
+ def combine(shares: List[Tuple[int, bytes]], ssss: Optional[bool]) -> bytes: ...
+
diff --git a/frozen_deps/Cryptodome/Protocol/__init__.py b/frozen_deps/Cryptodome/Protocol/__init__.py
new file mode 100644
index 0000000..efdf034
--- /dev/null
+++ b/frozen_deps/Cryptodome/Protocol/__init__.py
@@ -0,0 +1,31 @@
+# ===================================================================
+#
+# Copyright (c) 2014, Legrandin <[email protected]>
+# All rights reserved.
+#
+# Redistribution and use in source and binary forms, with or without
+# modification, are permitted provided that the following conditions
+# are met:
+#
+# 1. Redistributions of source code must retain the above copyright
+# notice, this list of conditions and the following disclaimer.
+# 2. Redistributions in binary form must reproduce the above copyright
+# notice, this list of conditions and the following disclaimer in
+# the documentation and/or other materials provided with the
+# distribution.
+#
+# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
+# "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
+# LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
+# FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE
+# COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT,
+# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING,
+# BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
+# LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER
+# CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
+# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN
+# ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE
+# POSSIBILITY OF SUCH DAMAGE.
+# ===================================================================
+
+__all__ = ['KDF', 'SecretSharing']
diff --git a/frozen_deps/Cryptodome/Protocol/__init__.pyi b/frozen_deps/Cryptodome/Protocol/__init__.pyi
new file mode 100644
index 0000000..377ed90
--- /dev/null
+++ b/frozen_deps/Cryptodome/Protocol/__init__.pyi
@@ -0,0 +1 @@
+__all__ = ['KDF.pyi', 'SecretSharing.pyi']
diff --git a/frozen_deps/Cryptodome/Protocol/_scrypt.cpython-38-x86_64-linux-gnu.so b/frozen_deps/Cryptodome/Protocol/_scrypt.cpython-38-x86_64-linux-gnu.so
new file mode 100755
index 0000000..dbc8ca2
--- /dev/null
+++ b/frozen_deps/Cryptodome/Protocol/_scrypt.cpython-38-x86_64-linux-gnu.so
Binary files differ