Frank Denis
4aa74923d2
pwhash never supported "in-place" operation - return EINVAL
2020-11-24 22:50:15 +01:00
David CARLIER
d250858c74
DragonFlyBSD supports getrandom too since 5.7
2020-11-08 15:58:29 +01:00
Frank Denis
b302c8e8e1
secretbox_xchacha: don't do useless rounds for the first block
2020-10-29 18:39:40 +01:00
Frank Denis
31436eb1df
secretbox_open: no need to encrypt the first block twice
2020-10-29 18:30:14 +01:00
Frank Denis
82652f0a0b
Merge branch 'master' of github.com:jedisct1/libsodium into master
* 'master' of github.com:jedisct1/libsodium:
docs: fix simple typo, interoperatibility -> interoperability (#1002)
Repair AEGIS on aarch64
2020-10-12 11:51:13 +02:00
Tim Gates
b3fafe1291
docs: fix simple typo, interoperatibility -> interoperability (#1002)
There is a small typo in src/libsodium/include/sodium/crypto_hash.h, src/libsodium/include/sodium/crypto_hash_sha256.h, src/libsodium/include/sodium/crypto_hash_sha512.h.
Should read `interoperability` rather than `interoperatibility`.
2020-10-12 11:37:24 +02:00
Frank Denis
0263be7a15
Unbreak unchecked_sqrt if pointers are distinct
2020-10-06 13:27:09 +02:00
Frank Denis
29041d8ba1
Comment
2020-10-06 12:58:31 +02:00
Frank Denis
ae4add8681
Repair AEGIS on aarch64
fixes #999
2020-10-04 15:24:03 +02:00
Frank Denis
3993b1a682
aegis mac: flip parameters to match their representation order
2020-09-27 23:38:02 +02:00
Frank Denis
3c83aeb4fa
Shorten
2020-09-27 22:42:57 +02:00
Frank Denis
0454ae61c8
aegis: use more self-explanatory names for keys and nonces
2020-09-27 22:40:57 +02:00
Frank Denis
dfcc95cb64
Merge branch 'master' of github.com:jedisct1/libsodium into master
* 'master' of github.com:jedisct1/libsodium:
Add hash_to_ristretto255
Move 2^511 -> 2^255-19 reduction to its own function
Constify
2020-09-20 15:13:03 +02:00
Frank Denis
33b935921c
Add hash_to_ristretto255
Identifier should be ristretto255_XMD:SHA-512_R255MAP_RO_
2020-08-23 18:28:58 +02:00
Frank Denis
ee962b33ae
Move 2^511 -> 2^255-19 reduction to its own function
2020-08-23 18:28:17 +02:00
Frank Denis
3b8891540b
Constify
2020-08-23 18:27:36 +02:00
Frank Denis
3d27ee0898
Nits
2020-08-21 07:07:17 +02:00
Frank Denis
ae330742cb
Indent
2020-08-16 13:59:23 +02:00
Frank Denis
ee6f457225
argon2 - copy raw hash after possible encoding, not before
(irrelevant in libsodium)
2020-08-16 11:35:08 +02:00
Frank Denis
bc3b6a4694
Validate argon2 lanes before memory cost
2020-08-16 11:31:20 +02:00
Frank Denis
e919f86257
Comments
2020-08-15 13:51:04 +02:00
Frank Denis
b2d94a6da1
Cleaner ladder
2020-08-15 13:50:49 +02:00
Frank Denis
679f448d38
Indent
2020-08-14 08:37:39 +02:00
Frank Denis
c02379fe8e
Shorten
2020-08-05 16:34:30 +02:00
Frank Denis
1f5f71b015
Simplify 128<->64 bit casts
2020-08-02 19:59:22 +02:00
Frank Denis
290197ba3e
Add comments on wrong alignment
2020-07-01 23:32:43 +02:00
P.I.E. Security Team
4744636721
Language Improvements (#972)
* Language Improvements
https://github.com/paragonie/sodium_compat/pull/121
* Update ed25519_ref10.c
2020-06-18 19:40:04 +02:00
Frank Denis
6497abb4bc
Faster Jacobi symbol computation
From 261sq/11m down to 253sq/11m.
Also rename confusing was_square.
2020-06-15 09:25:22 +02:00
Frank Denis
6499766fb6
Merge branch 'master' of github.com:jedisct1/libsodium
* 'master' of github.com:jedisct1/libsodium:
Don't even include signal.h on WASI
Use unsigned long long for opslimit
2020-06-04 16:00:29 +02:00
Frank Denis
4e9e110031
No need to save %rdi
2020-06-04 16:00:16 +02:00
Frank Denis
a8fa837aac
Don't even include signal.h on WASI
Since version 11, wasi-sysroot doesn't ignore it but spits out
an error instead.
2020-06-04 10:54:53 +02:00
Frank Denis
0cb4db084f
Use unsigned long long for opslimit
Fixes #966
2020-06-03 17:36:07 +02:00
Frank Denis
3c49e89c19
Add memory clobber
Fixes #965
2020-05-30 23:21:17 +02:00
Frank Denis
d854d39b51
Shorten
2020-05-26 14:03:49 +02:00
Frank Denis
f9ef57db0b
Faster sc25519 inversion, with one less squaring
2020-05-26 13:15:19 +02:00
Frank Denis
b0369e7391
Update prototypes
2020-05-26 00:15:42 +02:00
Frank Denis
214076fc09
Replace the multiplication by the group order with an addition chain.
Rename ge25519_{add,sub,madd,msub} for clarity.
2020-05-25 23:54:43 +02:00
Frank Denis
1127c43278
Add extra box_seal() tests
2020-05-21 18:38:55 +02:00
Frank Denis
23bba4a2b2
crypto_box_seal(): copy the key after encryption to support in-place encryption
Fixes #961
2020-05-21 18:22:37 +02:00
Frank Denis
da3fc4dd91
Add explicit casts and make things a bit more consistent
2020-05-19 17:40:18 +02:00
Frank Denis
c3ca08913c
Add AEGIS-128L for no good reasons
2020-05-19 15:36:22 +02:00
Frank Denis
8706f2e8d7
Indent
2020-05-19 15:00:51 +02:00
Frank Denis
4cc7d9027c
Constify
2020-05-18 20:46:09 +02:00
Frank Denis
a85afdc5ba
Remove unused code
2020-05-14 18:45:56 +02:00
Frank Denis
62c6dbcf36
Comment
2020-05-14 12:21:09 +02:00
Frank Denis
056a1aeef5
Avoid & and && mix without brackets
2020-05-13 23:08:19 +02:00
Frank Denis
c2efce113d
Add crypto_core_{ed25519,ristretto255}_scalar_is_canonical()
2020-05-13 22:59:08 +02:00
Frank Denis
d39dd88301
Remove unreferenced variables, fix Windows build
2020-05-13 22:38:59 +02:00
Frank Denis
cc2bcbc217
aes256gcm: handle 8 blocks at a time instead of 4
Keep using 4 blocks at time for AD, as AD is usually short.
Decrypt-and-verify instead of verify-then-decrypt.
2020-05-13 17:36:01 +02:00
Frank Denis
c4b08fb208
Merge branch 'master' of github.com:jedisct1/libsodium
* 'master' of github.com:jedisct1/libsodium: (55 commits)
H2C: change sign computation for Ell2 to match BHKL13
Deprecate non-easy secretbox
Remove memory shielding
Deprecate low-level non-easy crypto boxes as well
Deprecate the non-easy crypto_box API
Nits
Remove unneeded casts
Indent
Use inline asm if supported
Nits
Inline
space
Simplify scalarmult{2,5} tests
Add a scalarmult test to show that the high bit is ignored
Fix wasi-sdk path
One more test vector cannot hurt
ristretto255_is_canonical(): sync with wasm-crypto
Rename a few things
Merge mont->ed conversion
Revert "Add the BlaBla2000 stream cipher - will eventually become the default"
...
2020-05-13 14:10:14 +02:00
Frank Denis
06e219e165
Format
2020-05-13 14:10:04 +02:00
Frank Denis
f23c932d74
H2C: change sign computation for Ell2 to match BHKL13
https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/pull/250
2020-05-12 16:33:13 +02:00
Frank Denis
3f1586623c
Deprecate non-easy secretbox
2020-05-10 22:29:25 +02:00
Frank Denis
67a9e79655
Remove memory shielding
That was a great idea to protect against information leak through
speculative loads.
Realistically, nobody is going to use this.
2020-05-10 21:05:24 +02:00
Frank Denis
bf2238bbc4
Deprecate low-level non-easy crypto boxes as well
2020-05-10 20:32:42 +02:00
Frank Denis
5bb0cdc616
Merge branch 'master' of github.com:jedisct1/libsodium
* 'master' of github.com:jedisct1/libsodium:
Nits
Remove unneeded casts
Indent
2020-05-10 20:28:39 +02:00
Frank Denis
507409d59e
Deprecate the non-easy crypto_box API
It is really too complicated to use.
2020-05-10 20:27:50 +02:00
Frank Denis
ce19bc7a69
Remove unneeded casts
Fixes #954
2020-05-05 01:25:42 +02:00
Frank Denis
c68b071e52
Indent
2020-05-05 01:09:22 +02:00
Frank Denis
4967aa8f23
Use inline asm if supported
2020-05-04 18:23:09 +02:00
Frank Denis
88c568a035
Nits
2020-05-02 17:54:02 +02:00
Frank Denis
809a9f9d7e
Inline
2020-05-02 17:42:25 +02:00
Frank Denis
300f12c6a3
space
2020-05-02 17:13:41 +02:00
Frank Denis
8b6f5ef505
ristretto255_is_canonical(): sync with wasm-crypto
Reject string with the top bit set.
2020-04-25 12:15:30 +02:00
Frank Denis
e768eae76d
Rename a few things
2020-04-23 11:10:19 +02:00
Frank Denis
599cb10246
Merge mont->ed conversion
2020-04-21 16:13:05 +02:00
Frank Denis
29f098d237
Revert "Add the BlaBla2000 stream cipher - will eventually become the default"
This reverts commit a31fe2a966.
2020-04-21 13:35:29 +02:00
Frank Denis
72ec06c189
Comment
2020-04-21 13:35:29 +02:00
Frank Denis
f582db039f
Handle identity; fix comment
2020-04-21 13:35:26 +02:00
Frank Denis
6f1c987d2e
Add an assertion
2020-04-18 23:37:12 +02:00
Frank Denis
d01c49df02
H2C: convert DST encoding to suffix free
https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/pull/241
2020-04-10 09:48:26 +02:00
Frank Denis
a31fe2a966
Add the BlaBla2000 stream cipher - will eventually become the default
2000 rounds variant of the BlaBla20 cipher
for Very Post Quantum (VPQ) security.
2020-03-31 21:42:54 +02:00
Frank Denis
7d0aea6d5e
Remove unused code
2020-03-31 17:37:06 +02:00
Frank Denis
d9844396e3
Fix and add HKDF tests
2020-03-31 17:14:04 +02:00
Frank Denis
5f39c3ce09
Don't force include the suite ID in tags
2020-03-31 14:33:40 +02:00
Frank Denis
89eb497efa
Handle oversized contexts
2020-03-31 14:16:16 +02:00
Frank Denis
728b26c2c1
Remove edwards25519sha512batch
Tagged as deprecated for years, never imported by `<sodium.h>`, and
intentionally never documented.
`edwards25519sha512batch` was just around for ABI compatibility
with NaCl, but no projects seem to be using it.
2020-03-31 12:11:32 +02:00
Frank Denis
ac48996492
Remove crypto_core_ed25519_from_hash()
Undocumented, was deprecated for a while in stable versions,
obsoleted by `_from_string()` and `from_string_ro()`.
2020-03-31 12:04:47 +02:00
Frank Denis
2d5b9547d1
yield in spinlock on aarch64
2020-03-30 22:00:35 +02:00
Frank Denis
bf3bc8c386
Add nonnull attributes for new functions
2020-03-30 17:44:17 +02:00
Frank Denis
5fdd12fa97
Add crypto_core_ed25519_from_string() and crypto_core_ed25519_from_string_ro()
2020-03-30 17:19:36 +02:00
Frank Denis
1cedeee7fe
Code cleanup
2020-03-30 16:41:21 +02:00
Frank Denis
1e7562f59b
Remove useless self inclusion
2020-03-28 21:36:01 +01:00
Frank Denis
eab70f79c0
Add HKDF/SHA-512 and HKDF/SHA-256
2020-03-28 21:35:54 +01:00
Frank Denis
451bafc0d3
Include private/common.h wherever HAVE_*TRIN_H is required, for MSVC
2020-03-18 17:19:58 +01:00
Frank Denis
3881198254
Bring back explicit 64 bit xor on 64 bit archs for gcc
gcc doesn't seem to be very efficient here, especially with -O2
up
2020-03-14 17:06:16 +01:00
Frank Denis
2105fbfd46
Remove XOP stub
XOP is dead
2020-03-14 15:56:08 +01:00
Frank Denis
cce4a86f99
Reformat comments
2020-03-14 00:22:41 +01:00
Frank Denis
8e21cab950
Simplify integerify()
Make offsets 64 bit in the SSE scrypt impl
2020-03-14 00:20:23 +01:00
Frank Denis
6c4437d987
Get rid of escrypt_block_t
Fixes #937
2020-03-13 23:21:27 +01:00
Frank Denis
f3b0e32d64
Format multi-line comments consistently
2020-03-11 19:14:54 +01:00
Loup Vaillant
e7e378fad1
Secretbox: explained non-portable behavior (#936)
Addresses #934
Some tools believe that comparing pointers, *even after converting them
to integers*, is undefined. A comment acknowledging this (as well as the
necessity of the comparison to begin with), can facilitate audits.
Co-authored-by: Frank Denis <124872+jedisct1@users.noreply.github.com>
2020-03-11 19:07:54 +01:00
Loup Vaillant
4bbc34c09c
Avoid memmove() call when buffers are already the same. (#935)
This completes the work started in commit fbe3eb265f
2020-03-11 19:05:57 +01:00
Frank Denis
a0a8706c9d
Revert "Use CMOV on x86_64"
This reverts commit afae623190.
2020-02-26 15:02:21 +01:00
Frank Denis
afae623190
Use CMOV on x86_64
CMOV has been constant time on all generations of x86_64 CPUs, even when
reading from memory.
2020-02-25 09:22:47 +01:00
Frank Denis
a6d317b2f3
Don't even define a .mult_base placeholder for sandy2x
Avoid two indirections for fixed base multiplication until another
implementation possibly exists.
2020-02-06 00:47:18 +01:00
Frank Denis
6a7fbccfd8
Remove sandy2x fixed base scalar multiplication
Thanks to precomputation, the generic implementation is faster.
2020-02-06 00:34:08 +01:00
Frank Denis
41c7e47efd
Set a default page size to 64K (wasm/linux large pages)
2020-01-05 21:01:28 -05:00
Frank Denis
a72abb0ae1
Add missing randombytes.h inclusion in aead_aegis256.c
2019-12-04 21:07:33 +01:00
Frank Denis
066150a94d
Swapped aegis256_is_available implementations
2019-10-31 09:23:33 +01:00
Frank Denis
0f8e034f97
Reorganize aead_aegis256 a bit
2019-10-23 20:03:23 +02:00
Frank Denis
728b7ef237
Add libarmcrypto.la
2019-10-23 19:30:48 +02:00
Frank Denis
c8b6906c60
has_armcrypto_aes -> has_armcrypto
2019-10-23 19:07:33 +02:00
Frank Denis
c9d80901bf
__ARM_NEON is enough
2019-10-23 19:02:54 +02:00
Frank Denis
a8dc93192d
On Apple devices, the ARM64_V8 subtype always has the crypto extensions
2019-10-23 17:59:17 +02:00
Frank Denis
dd5fbb632b
Check for AT_HWCAP2 instead of AT_HWCAP where it's used
2019-10-22 23:24:16 +02:00
Frank Denis
1910ca83d8
Detect NEON and ARMCRYPTO on ARM32
Which doesn't mean that the compiler will support these opcodes, so
we need autoconf magic as well.
2019-10-22 23:20:15 +02:00
Frank Denis
456a57f235
__arm__ => __ARM_ARCH
2019-10-22 22:59:45 +02:00
Frank Denis
acaed459ce
Add ARM NEON and AES runtime checks
2019-10-22 22:51:58 +02:00
Frank Denis
9e22cb4ad2
Nits
2019-10-21 15:14:13 +02:00
Frank Denis
111f99a2d4
Nits. No binary code change.
2019-10-21 14:52:20 +02:00
Frank Denis
8a76789de3
Add required headers for aegis256_armcrypto
2019-10-21 14:23:15 +02:00
Adrien Gallouët
fd5bc21b60
Rework NEON version of AEGIS256
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-10-21 10:56:09 +00:00
Adrien Gallouët
4542a04e1d
Indent
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-10-12 06:54:58 +00:00
Frank Denis
ef89aea64e
Merge pull request #884 from isislovecruft/feature/scalar-succeed-fast
Optimisation to succeed fast when checking signature scalar is reduced.
2019-10-12 02:19:42 +02:00
Frank Denis
6abc6c292a
Compile only the NEON version of AEGIS256 on relevant platforms
2019-10-12 02:18:36 +02:00
Isis Lovecruft
6136871607
Optimisation to succeed fast when checking signature scalar is reduced.
This provides a minor optimisation for ed25519 signature verification, when used
without the -DED25519_COMPAT feature, to strictly check for a fully reduced
scalar, `s`, component in variable time by first checking that the most
significant *four* bits are unset, and only if any of them are set proceed to
the `sc25519_is_canonical` check which performs the full reduction. This should
result in succeeding fast for the check on roughly half of all well-formed,
canonicalised signatures.
This is safely backwards compatible with the previous implementation
of strict checking for signature scalars.
2019-10-11 21:58:15 +00:00
Frank Denis
e1bff2608f
Merge branch 'master' of github.com:jedisct1/libsodium
* 'master' of github.com:jedisct1/libsodium:
Add -S for curl
randombytes: make the emscripten version consistent with others
2019-09-25 17:16:43 +02:00
Frank Denis
2f915846ff
randombytes: make the emscripten version consistent with others
2019-09-24 16:56:49 +02:00
Frank Denis
44b4526309
Add ARM implementation of aegis256 - Not connected to builds yet
2019-09-16 14:52:10 +02:00
Frank Denis
5990dc00d0
Fix crypto_aead_aegis256_MESSAGEBYTES_MAX
2019-09-13 19:46:57 +02:00
Frank Denis
cb4160b82c
Merge pull request #869 from angt/aegis256-mac-verification
aegis256: Support mac verification when m is NULL
2019-09-13 10:39:43 +02:00
Frank Denis
1d536ffab7
Indent
2019-09-13 00:17:46 +02:00
Adrien Gallouët
0a31dd5a31
aegis256: Support mac verification when m is NULL
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-12 21:11:07 +00:00
Frank Denis
f537541a0a
For clarity, don't use different terms for the same thing
2019-09-12 22:24:39 +02:00
Frank Denis
4de2620fb1
Indent
2019-09-12 20:48:52 +02:00
Adrien Gallouët
4520c080cc
Define ENOSYS where it is useful
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-12 18:13:19 +00:00
Adrien Gallouët
0eecb81466
aegis256: Remove restrict
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-11 13:14:32 +00:00
Adrien Gallouët
452ac1f3ee
Add AEGIS-256 (aesni only)
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-11 12:53:22 +00:00
mpex
fb8e4d00df
Update utils.c
I noticed that the shielding_key is not used in sodium_mshield() (only filled in crypto_generichash())
Is the wrong key used in crypto_stream_xor?
2019-06-24 13:41:09 +02:00
Frank Denis
495fdb3693
mshield requires memory protection
2019-06-22 17:02:34 +02:00
Frank Denis
bfeca0eb73
Implement key shielding to protect against side channels
We may want to fold this into `sodium_mprotect_*()` instead of
exposing these functions.
The drawback is that a transition from PROT_NONE to PROT_READ
(or the other way round) would need an intermediary state in PROT_WRITE
for shielding/unshielding.
Shielding is also not thread-safe, while the `mprotect_*()` functions
are, and adding locks would make things more complicated than they
probably should be.
2019-06-22 14:56:16 +02:00
Frank Denis
2dd3b91628
Try to rename internal symbols that were visible in static libraries
Fixes #839
2019-06-10 23:08:21 +02:00
Frank Denis
a97ab7085f
argon2_pick_best_implementation() can be static
2019-06-10 20:35:43 +02:00
Frank Denis
47153bb56e
Style: remove unneeded extern
2019-06-10 20:35:38 +02:00
Frank Denis
42a06fdecc
common.h -> private/common.h
2019-06-10 16:24:47 +02:00
Frank Denis
7214dff083
Rename the remaining unprefixed functions
argon2_fill_first_blocks() can be static
2019-06-09 01:01:20 +02:00
Frank Denis
550622b04b
Rename fill_segment_* to argon2_fill_segment_*
2019-06-09 00:19:41 +02:00
Frank Denis
9f14962388
Rename a few common internal symbols
2019-06-09 00:14:48 +02:00
Frank Denis
6723e22907
Rename PBKDF2_SHA256 to escrypt_PBKDF2_SHA256
2019-06-09 00:02:23 +02:00
Frank Denis
bdc4db7c9c
Remove useless macros hiding the actual symbol names
2019-06-08 23:26:49 +02:00
Frank Denis
d855d30826
Use MAP_CONCEAL on OpenBSD
2019-06-06 11:51:57 +02:00
Frank Denis
d54f0721cd
getentropy() may be defined but NULL on older iOS versions
2019-06-02 21:11:30 +02:00
Frank Denis
1707281a3a
Revert "scrypt: reject r == 0 and p == 0"
This reverts commit 00c8ecd1c4.
2019-06-01 15:33:37 +02:00
Frank Denis
3e5c2531eb
Back to dev mode
2019-05-30 23:05:07 +02:00
Frank Denis
252fda724c
Bump
2019-05-30 15:52:09 +02:00
Frank Denis
00c8ecd1c4
scrypt: reject r == 0 and p == 0
2019-05-21 14:11:03 +02:00
Frank Denis
e24847c364
Comment
2019-05-21 10:17:35 +02:00
Frank Denis
12277ee6b5
More tests
2019-05-06 12:40:21 +02:00
Frank Denis
141de9be13
Indent
2019-05-06 12:32:42 +02:00
Frank Denis
06e4a485c4
More tests
2019-05-06 11:40:57 +02:00
Frank Denis
ed4e053fb0
lcov exclusions
2019-05-06 11:13:31 +02:00
Frank Denis
3d379746ee
Use size_t
2019-05-06 10:57:36 +02:00
Frank Denis
c9e8e47049
SHA2 uses big-endian, but we use little-endian internally
So, we need to swap encodings in hash2base()
2019-05-05 22:50:15 +02:00
Frank Denis
80206ada63
10% speedup on AVX2 for BLAKE2b
Thanks to Shunsuke Shimizu (@grafi-tt)
2019-05-03 20:14:05 +02:00
Frank Denis
8a1ac8e11f
from_hash: clear the high bit
2019-05-03 18:51:40 +02:00
Frank Denis
f1309fd752
Avoid useless pack/unpack operation
2019-05-02 15:04:31 +02:00
Frank Denis
4b7e497a92
Revert "Postpone from_hash()"
Use proper reduction, and don't mask the high bit, so that
H2C-Curve25519-SHA512-Elligator-Clear can be implemented if required
2019-05-02 13:51:12 +02:00
Frank Denis
ab1e720a30
Postpone from_hash()
2019-05-02 10:12:12 +02:00
Frank Denis
24c54073a8
Add core_ed25519_from_hash() and core_{ed25519, ristretto255}_random()
2019-05-02 00:51:17 +02:00
Frank Denis
689407c36d
Rename ristretto_from_uniform() to ristretto_from_hash()
2019-05-01 19:56:08 +02:00
Fraser Hutchison
261761a02c
Fix placement of alignment specifier
2019-04-27 20:34:07 +02:00
Frank Denis
39701c6157
Add missing prototype
2019-04-15 10:21:04 +02:00
Frank Denis
db6f43d25e
Add crypto_core_{ed25519,ristretto255}_scalar_mul
2019-04-15 10:12:19 +02:00
Frank Denis
4d1c4bf0ba
Do not include sys/random.h after defining getrandom() on Linux
2019-04-07 23:54:47 +02:00
Frank Denis
d653963ab7
Travis: reduce build verbosity
2019-04-02 16:05:33 +02:00
Frank Denis
1765c79705
Fix pasto, unbreak linux builds
2019-04-02 07:38:30 +02:00
Frank Denis
5b12922d14
Revert "Drastically improve the password hashing functions"
April fool's day is over.
This reverts commit 5dff93005e.
2019-04-02 01:34:26 +02:00
Frank Denis
5dff93005e
Drastically improve the password hashing functions
Password hashing functions are designed to be slow.
Make them slower, but also useful.
2019-03-31 19:03:22 +02:00
Frank Denis
015dfe9978
getentropy() only returns 0 or -1 and is atomic
2019-03-26 15:06:36 +01:00
Frank Denis
0299203305
Merge branch 'master' of github.com:jedisct1/libsodium
* 'master' of github.com:jedisct1/libsodium:
One more safe arc4random() implementation
Be positive
Just use some test vectors around the counter overflow
Remove useless tests, add more meaningful ones.
Remove unused var
Additional salsa20 tests
2019-03-26 14:39:50 +01:00
Frank Denis
a6ef940634
raise() may not be available
2019-03-26 14:39:39 +01:00
Frank Denis
764742ef55
Remove unnecessary brackets
2019-03-26 14:39:34 +01:00
Frank Denis
0f1c303bf1
One more safe arc4random() implementation
2019-03-24 03:57:55 +01:00
Frank Denis
1412885351
Remove unused var
2019-03-21 01:15:35 +01:00
Frank Denis
32e36af97e
Move the randombytes_block_on_dev_random() function up
2019-03-17 19:40:32 +01:00
Frank Denis
e1abc1de7e
Rename randombytes_salsa20 to randombytes_internal and switch to ChaCha20
2019-03-17 19:25:32 +01:00
Frank Denis
0ea9a8f0e9
Use getentropy(2) if available, cleanup salsa20/randombytes by the way
2019-03-17 18:55:40 +01:00
Frank Denis
b5975f97e4
Nits
2019-02-23 21:32:23 +01:00
Frank Denis
eeb1f26924
Explicit cast
2019-02-20 01:02:54 +01:00
Frank Denis
d287ef763b
Nits
2019-02-19 22:46:09 +01:00
Frank Denis
db0319fb8e
Initial support for ristretto255
2019-02-18 00:56:48 +01:00
Frank Denis
bc5e9056eb
ge25519_select() -> ge25519_cmov8()
2019-02-16 17:44:01 +01:00
Frank Denis
e6aa7e1da4
The time has come to remove support for (p)nacl
2019-02-14 14:41:09 +01:00
Frank Denis
d47ded1867
Only memset() may have issues with a zero length.
2019-02-09 20:28:41 +01:00
Ilya Maykov
6934a8d0c8
Relax most __attribute__ ((nonnull)) to allow 0-length inputs to be NULL.
Justifications:
- crypto_(auth|hash|generichash|onetimeauth|shorthash)*:
it's legal to hash or HMAC a 0-length message
- crypto_box*: it's legal to encrypt a 0-length message
- crypto_sign*: it's legal to sign a 0-length message
- utils:
comparing two 0-length byte arrays is legal
memzero on a 0-length byte array is a no-op
converting an empty hex string to binary results in an empty binary string
converting an empty binary string to hex results in an empty hex string
converting an empty b64 string to binary results in an empty binary string
converting an empty binary string to b64 results in an empty b64 string
sodium_add / sodium_sub on zero-length arrays is a no-op
For the functions declared in utils.h, I moved the logic into private functions that
have the __attribute__ ((nonnull)) check, but they are only called when the
corresponding length argument is non-0. I didn't do this for the hash/box/sign
functions since it would have been a lot more work and quite a large refactor.
2019-02-09 20:26:10 +01:00
Frank Denis
b3725dc2c9
Force clear the high bit in _noclamp variants
_noclamp variants should always be used with a scalar < L, but
if this is not the case, at least explicitly ignore the high bit.
2019-01-14 04:02:48 +01:00
Frank Denis
7eec5b8716
Back to dev mode
2019-01-07 11:48:14 +01:00
Frank Denis
358767f238
Set nonce in randombytes_salsa20_random_stir() instead of random_init()
2019-01-06 04:31:44 +01:00
Frank Denis
531b545578
Avoid partial array initialization
2019-01-05 22:58:07 +01:00
Frank Denis
48852da7cd
Improve clarity
2019-01-05 14:31:44 +01:00
Frank Denis
3ab71f873f
must -> should
2019-01-04 11:55:17 +01:00
Frank Denis
e45fadffb1
Add comments, avoid implicit array initialization
2019-01-03 22:44:58 +01:00
Frank Denis
1647f0d53a
Add comments
2019-01-03 22:28:59 +01:00
Frank Denis
32385c6b9a
Avoid negative indices, especially with unsigned types
2019-01-03 22:28:42 +01:00
Frank Denis
1cd6641cde
Add an extra compile-time assertion
2019-01-03 18:52:43 +01:00
Frank Denis
74ccac9e83
Do not assume that CRYPTO_ALIGN works
2019-01-03 18:34:24 +01:00
Frank Denis
3c59cebe91
Make the blake2b and poly1305 state opaque
2019-01-03 18:18:20 +01:00
Frank Denis
e614671fc8
More paranoid AVX512 detection
2019-01-02 17:33:57 +01:00
Frank Denis
6bbcab33ed
Consistent initialization
2019-01-01 22:59:23 +01:00