Frank Denis
0f8e034f97
Reorganize aead_aegis256 a bit
2019-10-23 20:03:23 +02:00
Frank Denis
728b7ef237
Add libarmcrypto.la
2019-10-23 19:30:48 +02:00
Frank Denis
c8b6906c60
has_armcrypto_aes -> has_armcrypto
2019-10-23 19:07:33 +02:00
Frank Denis
c9d80901bf
__ARM_NEON is enough
2019-10-23 19:02:54 +02:00
Frank Denis
a8dc93192d
On Apple devices, the ARM64_V8 subtype always has the crypto extensions
2019-10-23 17:59:17 +02:00
Frank Denis
dd5fbb632b
Check for AT_HWCAP2 instead of AT_HWCAP where it's used
2019-10-22 23:24:16 +02:00
Frank Denis
1910ca83d8
Detect NEON and ARMCRYPTO on ARM32
...
Which doesn't mean that the compiler will support these opcodes, so
we need to autoconf magic as well.
2019-10-22 23:20:15 +02:00
Frank Denis
456a57f235
__arm__ => __ARM_ARCH
2019-10-22 22:59:45 +02:00
Frank Denis
acaed459ce
Add ARM NEON and AES runtime checks
2019-10-22 22:51:58 +02:00
Frank Denis
9e22cb4ad2
Nits
2019-10-21 15:14:13 +02:00
Frank Denis
111f99a2d4
Nits. No binary code change.
2019-10-21 14:52:20 +02:00
Frank Denis
8a76789de3
Add required headers for aegis256_armcrypto
2019-10-21 14:23:15 +02:00
Adrien Gallouët
fd5bc21b60
Rework NEON version of AEGIS256
...
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-10-21 10:56:09 +00:00
Adrien Gallouët
4542a04e1d
Indent
...
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-10-12 06:54:58 +00:00
Frank Denis
ef89aea64e
Merge pull request #884 from isislovecruft/feature/scalar-succeed-fast
...
Optimisation to succeed fast when checking signature scalar is reduced.
2019-10-12 02:19:42 +02:00
Frank Denis
6abc6c292a
Compile only the NEON version of AEGIS256 on relevant platforms
2019-10-12 02:18:36 +02:00
Isis Lovecruft
6136871607
Optimisation to succeed fast when checking signature scalar is reduced.
...
This provides a minor optimisation for ed25519 signature verification, when used
without the -DED25519_COMPAT feature, to strictly check for a fully reduced
scalar, `s`, component in variable time by first checking that the most
significant *four* bits are unset, and only if any of them are set proceed to
the `sc25519_is_canonical` check which performs the full reduction. This should
result in succeeding fast for the check on roughly half of all well-formed,
canonicalised signatures.
This is safely backwards compatible with the previous implementation
of strict checking for signature scalars.
2019-10-11 21:58:15 +00:00
Frank Denis
e1bff2608f
Merge branch 'master' of github.com:jedisct1/libsodium
...
* 'master' of github.com:jedisct1/libsodium:
Add -S for curl
randombytes: make the emscripten version consistent with others
2019-09-25 17:16:43 +02:00
Frank Denis
2f915846ff
randombytes: make the emscripten version consistent with others
2019-09-24 16:56:49 +02:00
Frank Denis
44b4526309
Add ARM implementation of aegis256 - Not connected to builds yet
2019-09-16 14:52:10 +02:00
Frank Denis
5990dc00d0
Fix crypto_aead_aegis256_MESSAGEBYTES_MAX
2019-09-13 19:46:57 +02:00
Frank Denis
cb4160b82c
Merge pull request #869 from angt/aegis256-mac-verification
...
aegis256: Support mac verification when m is NULL
2019-09-13 10:39:43 +02:00
Frank Denis
1d536ffab7
Indent
2019-09-13 00:17:46 +02:00
Adrien Gallouët
0a31dd5a31
aegis256: Support mac verification when m is NULL
...
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-12 21:11:07 +00:00
Frank Denis
f537541a0a
For clarity, don't use different terms for the same thing
2019-09-12 22:24:39 +02:00
Frank Denis
4de2620fb1
Indent
2019-09-12 20:48:52 +02:00
Adrien Gallouët
4520c080cc
Define ENOSYS where it is useful
...
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-12 18:13:19 +00:00
Adrien Gallouët
0eecb81466
aegis256: Remove restrict
...
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-11 13:14:32 +00:00
Adrien Gallouët
452ac1f3ee
Add AEGIS-256 (aesni only)
...
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-11 12:53:22 +00:00
mpex
fb8e4d00df
Update utils.c
...
I noticed that the shielding_key is not used in sodium_mshield() (only filled in crypto_generichash())
Is the wrong key used in crypto_stream_xor?
2019-06-24 13:41:09 +02:00
Frank Denis
495fdb3693
mshield requires memory protection
2019-06-22 17:02:34 +02:00
Frank Denis
bfeca0eb73
Implement key shielding to protect against side channels
...
We may want to fold this into `sodium_mprotect_*()` instead of
exposing these functions.
The drawback is that a transition from PROT_NONE to PROT_READ
(or the other way round) would need an intermediary state in PROT_WRITE
for shielding/unshielding.
Shielding is also not thread-safe, while the `mprotect_*()` functions
are, and adding locks would make things more complicated than they
probably should.
2019-06-22 14:56:16 +02:00
Frank Denis
2dd3b91628
Try to rename internal symbols that were visible in static libraries
...
Fixes #839
2019-06-10 23:08:21 +02:00
Frank Denis
a97ab7085f
argon2_pick_best_implementation() can be static
2019-06-10 20:35:43 +02:00
Frank Denis
47153bb56e
Style: remove unneeded extern
2019-06-10 20:35:38 +02:00
Frank Denis
42a06fdecc
common.h -> private/common.h
2019-06-10 16:24:47 +02:00
Frank Denis
7214dff083
Rename the remaining unprefixed functions
...
argon2_fill_first_blocks() can be static
2019-06-09 01:01:20 +02:00
Frank Denis
550622b04b
Rename fill_segment_* to argon2_fill_segment_*
2019-06-09 00:19:41 +02:00
Frank Denis
9f14962388
Rename a few common internal symbols
2019-06-09 00:14:48 +02:00
Frank Denis
6723e22907
Rename PBKDF2_SHA256 to escrypt_PBKDF2_SHA256
2019-06-09 00:02:23 +02:00
Frank Denis
bdc4db7c9c
Remove useless macros hiding the actual symbol names
2019-06-08 23:26:49 +02:00
Frank Denis
d855d30826
Use MAP_CONCEAL on OpenBSD
2019-06-06 11:51:57 +02:00
Frank Denis
d54f0721cd
getentropy() may be defined but NULL on older iOS versions
2019-06-02 21:11:30 +02:00
Frank Denis
1707281a3a
Revert "scrypt: reject r == 0 and p == 0"
...
This reverts commit 00c8ecd1c4
.
2019-06-01 15:33:37 +02:00
Frank Denis
3e5c2531eb
Back to dev mode
2019-05-30 23:05:07 +02:00
Frank Denis
252fda724c
Bump
2019-05-30 15:52:09 +02:00
Frank Denis
00c8ecd1c4
scrypt: reject r == 0 and p == 0
2019-05-21 14:11:03 +02:00
Frank Denis
e24847c364
Comment
2019-05-21 10:17:35 +02:00
Frank Denis
12277ee6b5
More tests
2019-05-06 12:40:21 +02:00
Frank Denis
141de9be13
Indent
2019-05-06 12:32:42 +02:00
Frank Denis
06e4a485c4
More tests
2019-05-06 11:40:57 +02:00
Frank Denis
ed4e053fb0
lcov exclusions
2019-05-06 11:13:31 +02:00
Frank Denis
3d379746ee
Use size_t
2019-05-06 10:57:36 +02:00
Frank Denis
c9e8e47049
SHA2 uses big-endian, but we use little-endian internally
...
So, we need to swap encodings in hash2base()
2019-05-05 22:50:15 +02:00
Frank Denis
80206ada63
10% speedup on AVX2 for BLAKE2b
...
Thanks to Shunsuke Shimizu (@grafi-tt)
2019-05-03 20:14:05 +02:00
Frank Denis
8a1ac8e11f
from_hash: clear the high bit
2019-05-03 18:51:40 +02:00
Frank Denis
f1309fd752
Avoid useless pack/unpack operation
2019-05-02 15:04:31 +02:00
Frank Denis
4b7e497a92
Revert "Postpone from_hash()"
...
Use proper reduction, and don't mask the high bit, so that
H2C-Curve25519-SHA512-Elligator-Clear can be implemented if required
2019-05-02 13:51:12 +02:00
Frank Denis
ab1e720a30
Postpone from_hash()
2019-05-02 10:12:12 +02:00
Frank Denis
24c54073a8
Add core_ed25519_from_hash() and core_{ed25519, ristretto255}_random()
2019-05-02 00:51:17 +02:00
Frank Denis
689407c36d
Rename ristretto_from_uniform() to ristretto_from_hash()
2019-05-01 19:56:08 +02:00
Fraser Hutchison
261761a02c
Fix placement of alignment specifier
2019-04-27 20:34:07 +02:00
Frank Denis
39701c6157
Add missing prototype
2019-04-15 10:21:04 +02:00
Frank Denis
db6f43d25e
Add crypto_core_{ed25519,ristretto255}_scalar_mul
2019-04-15 10:12:19 +02:00
Frank Denis
4d1c4bf0ba
Do not include sys/random.h after defining getrandom() on Linux
2019-04-07 23:54:47 +02:00
Frank Denis
d653963ab7
Travis: reduce build verbosity
2019-04-02 16:05:33 +02:00
Frank Denis
1765c79705
Fix pasto, unbreak linux builds
2019-04-02 07:38:30 +02:00
Frank Denis
5b12922d14
Revert "Drastically improve the password hashing functions"
...
April fool's day is over.
This reverts commit 5dff93005e
.
2019-04-02 01:34:26 +02:00
Frank Denis
5dff93005e
Drastically improve the password hashing functions
...
Password hashing functions are designed to be slow.
Make them slower, but also useful.
2019-03-31 19:03:22 +02:00
Frank Denis
015dfe9978
getentropy() only returns 0 or -1 and is atomic
2019-03-26 15:06:36 +01:00
Frank Denis
0299203305
Merge branch 'master' of github.com:jedisct1/libsodium
...
* 'master' of github.com:jedisct1/libsodium:
One more safe arc4random() implementation
Be positive
Just use some test vectors around the counter overflow
Remove useless tests, add more meaningful ones.
Remove unused var
Additional salsa20 tests
2019-03-26 14:39:50 +01:00
Frank Denis
a6ef940634
raise() may not be available
2019-03-26 14:39:39 +01:00
Frank Denis
764742ef55
Remove unnecessary brackets
2019-03-26 14:39:34 +01:00
Frank Denis
0f1c303bf1
One more safe arc4random() implementation
2019-03-24 03:57:55 +01:00
Frank Denis
1412885351
Remove unused var
2019-03-21 01:15:35 +01:00
Frank Denis
32e36af97e
Move the randombytes_block_on_dev_random() function up
2019-03-17 19:40:32 +01:00
Frank Denis
e1abc1de7e
Rename randombytes_salsa20 to randombytes_internal and switch to ChaCha20
2019-03-17 19:25:32 +01:00
Frank Denis
0ea9a8f0e9
Use getentropy(2) if available, cleanup salsa20/randombytes by the way
2019-03-17 18:55:40 +01:00
Frank Denis
b5975f97e4
Nits
2019-02-23 21:32:23 +01:00
Frank Denis
eeb1f26924
Explicit cast
2019-02-20 01:02:54 +01:00
Frank Denis
d287ef763b
Nits
2019-02-19 22:46:09 +01:00
Frank Denis
db0319fb8e
Initial support for ristretto255
2019-02-18 00:56:48 +01:00
Frank Denis
bc5e9056eb
ge25519_select() -> ge25519_cmov8()
2019-02-16 17:44:01 +01:00
Frank Denis
e6aa7e1da4
The time has come to remove support for (p)nacl
2019-02-14 14:41:09 +01:00
Frank Denis
d47ded1867
Only memset() may have issues with a zero length.
2019-02-09 20:28:41 +01:00
Ilya Maykov
6934a8d0c8
Relax most __attribute__ ((nonnull)) to allow 0-length inputs to be NULL.
...
Justifications:
- crypto_(auth|hash|generichash|onetimeauth|shorthash)*:
it's legal to hash or HMAC a 0-length message
- crypto_box*: it's legal to encrypt a 0-length message
- crypto_sign*: it's legal to sign a 0-length message
- utils:
comparing two 0-length byte arrays is legal
memzero on a 0-length byte array is a no-op
converting an empty hex string to binary results in an empty binary string
converting an empty binary string to hex results in an empty hex string
converting an empty b64 string to binary results in an empty binary string
converting an empty binary string to b64 results in an empty b64 string
sodium_add / sodium_sub on zero-length arrays is a no-op
For the functions declared in utils.h, I moved the logic into private functions that
have the __attribute__ ((nonnull)) check, but they are only called when the
corresponding length argument is non-0. I didn't do this for the hash/box/sign
functions since it would have been a lot more work and quite a large refactor.
2019-02-09 20:26:10 +01:00
Frank Denis
b3725dc2c9
Force clear the high bit in _noclamp variants
...
_noclamp variants should always be used with a scalar < L, but
if this is not the case, at least explicitly ignore the high bit.
2019-01-14 04:02:48 +01:00
Frank Denis
7eec5b8716
Back to dev mode
2019-01-07 11:48:14 +01:00
Frank Denis
358767f238
Set nonce in randombytes_salsa20_random_stir() instead of random_init()
2019-01-06 04:31:44 +01:00
Frank Denis
531b545578
Avoid partial array initialization
2019-01-05 22:58:07 +01:00
Frank Denis
48852da7cd
Improve clarity
2019-01-05 14:31:44 +01:00
Frank Denis
3ab71f873f
must -> should
2019-01-04 11:55:17 +01:00
Frank Denis
e45fadffb1
Add comments, avoid implicit array initialization
2019-01-03 22:44:58 +01:00
Frank Denis
1647f0d53a
Add comments
2019-01-03 22:28:59 +01:00
Frank Denis
32385c6b9a
Avoid negative indices, especially with unsigned types
2019-01-03 22:28:42 +01:00
Frank Denis
1cd6641cde
Add an extra compile-time assertion
2019-01-03 18:52:43 +01:00
Frank Denis
74ccac9e83
Do not assume that CRYPTO_ALIGN works
2019-01-03 18:34:24 +01:00
Frank Denis
3c59cebe91
Make the blake2b and poly1305 state opaque
2019-01-03 18:18:20 +01:00
Frank Denis
e614671fc8
More paranoid AVX512 detection
2019-01-02 17:33:57 +01:00
Frank Denis
6bbcab33ed
Consistent initialization
2019-01-01 22:59:23 +01:00
Frank Denis
f3ce049a98
Bump to 1.0.17
...
Not released yet. This is just to encourage people to test the current
code.
2018-12-30 12:04:52 +01:00
Frank Denis
f2942b9c88
Add sodium_sub(), simplify scalar_complement() and scalar_negate()
2018-12-30 10:26:44 +01:00
Frank Denis
1542d473da
Add crypto_core_ed25519_scalar_complement(), _negate(), _add(), _sub()
2018-12-30 01:48:58 +01:00
Frank Denis
cff3d7f6c7
Remove unused variables
2018-12-29 16:42:09 +01:00
Frank Denis
52ff9c8980
Constify, add missing private include
2018-12-26 18:32:39 +01:00
Frank Denis
0a6e10f75f
Constify
2018-12-26 18:25:16 +01:00
Frank Denis
7bc5a3da66
Constify
2018-12-26 18:19:37 +01:00
Frank Denis
c9842d9af9
Make allocate_memory() error path less confusing
2018-12-26 17:57:06 +01:00
Frank Denis
e60049aad1
Revert "Add crypto_kx_ed25519" and "Add low-level kx_curve25519 functions"
...
This reverts commit 2d736dc2bc
.
This reverts commit 7f3bc5cd08
.
2018-12-25 19:22:33 +01:00
Frank Denis
d3976446a0
ED25519_NONDETERMINISTIC: derive keys from the seed the same way
...
as when ED25519_NONDETERMINISTIC is not defined
2018-12-25 13:25:57 +01:00
Frank Denis
2d736dc2bc
Add crypto_kx_ed25519
2018-12-25 12:46:21 +01:00
Frank Denis
7f3bc5cd08
Add low-level kx_curve25519 functions
2018-12-25 11:10:33 +01:00
Frank Denis
4cba5ff49b
In prototypes, use pointers, not arrays for consistency
2018-12-24 17:38:22 +01:00
Frank Denis
59bd82edab
Add a crypto_core_ed25519_NONREDUCEDSCALARBYTES constant
...
and reject 0 in crypto_core_ed25519_random()
2018-12-24 17:26:38 +01:00
Frank Denis
2916230061
Add a guideline
2018-12-23 18:49:56 +01:00
Frank Denis
b4617940f3
Correct sc25519_reduce() prototype
2018-12-23 18:45:28 +01:00
Frank Denis
63573bb98c
Add crypto_core_ed25519_scalar_random()
2018-12-23 12:32:07 +01:00
Frank Denis
6fa0220302
Export crypto_core_ed25519_scalar_reduce, add tests
2018-12-23 02:56:11 +01:00
Frank Denis
36f2d99fac
Add crypto_core_ed25519_{scalar_invert, ed25519_scalar_reduce)()
...
These new low-level APIs are especially useful for blinding.
2018-12-20 20:05:34 +01:00
Frank Denis
b42082d6d2
Add unclamped versions of scalarmult_ed25519*()
2018-12-18 22:46:56 +01:00
Frank Denis
536ed00d2c
Merge branch 'master' of github.com:jedisct1/libsodium
2018-12-10 21:05:47 +01:00
Frank Denis
055e0ae82c
Even in non-deterministic EdDSA, the actual secret key is H(sk).
2018-12-10 21:05:40 +01:00
Ilya Maykov
c60df7b9ff
Made sig parameter of crypto_sign_final_verify() const
2018-12-03 21:02:31 +01:00
Frank Denis
a1dff41891
LONG_LONG_* -> LLONG_*
2018-11-11 00:00:13 +01:00
Frank Denis
52f814e50c
Avoid memset(NULL, _, 0)
2018-10-18 13:49:12 +02:00
Frank Denis
67b0b476d8
Add incomplete nonnull attributes
2018-10-18 13:22:37 +02:00
Frank Denis
c4f03ededb
Add a dummy return value
2018-09-30 23:49:34 +02:00
Frank Denis
82b1739b98
Add getrandom(2) support for FreeBSD 12
2018-09-30 16:44:27 -05:00
Frank Denis
9771795351
Revert "Add getrandom(2) support for FreeBSD 12"
...
This reverts commit 52fdd7ab39
.
Due to TinyC crashing.
2018-09-29 22:53:05 +02:00
Frank Denis
9d5fcef52e
Revert "TinyC now crashes on Travis when compiling sysrandom"
...
This reverts commit 44dccfe6d4
.
2018-09-29 22:52:56 +02:00
Frank Denis
44dccfe6d4
TinyC now crashes on Travis when compiling sysrandom
2018-09-29 22:48:53 +02:00
Frank Denis
52fdd7ab39
Add getrandom(2) support for FreeBSD 12
...
Fixes #762
2018-09-29 22:37:39 +02:00
David Carlier
b3ba348d08
Provides explicit_memset supports/NetBSD.
...
Similar to explicit_bzero function is to defeat
compiler optimisation.
2018-09-29 19:19:23 +01:00
Frank Denis
b7abc4542e
No need to provison for the tag if we are below SIZE_MAX
2018-09-12 15:22:30 +02:00
Frank Denis
f0e5c3940d
Substract the number of blocks, and make similar code more uniform
2018-09-12 15:19:56 +02:00
Frank Denis
3574ab879e
Do not even use untested code in non-production environments
2018-09-12 14:53:16 +02:00
Frank Denis
5a7290ce6a
Make this warning more difficult to ignore
2018-09-12 14:51:03 +02:00
Frank Denis
43909c1ffb
Allow ic + mlen to overflow a size_t in chacha20_ietf_xor_ic()
2018-09-12 08:40:22 +02:00
Frank Denis
bea8839c6b
Do not count the overhead in xchacha20poly1305_MESSAGEBYTES_MAX
2018-09-12 08:19:12 +02:00
Frank Denis
04a7ab95f2
Don't mix lengths and block sizes
2018-09-10 19:57:06 +02:00
Frank Denis
3e9d341d06
Add crypto_stream_chacha20_ietf_ext, use _ext suffix everywhere for consistency
2018-09-08 14:54:12 +02:00
Frank Denis
cf217e3dfc
Call misuse() if we ask too much data from the IETF variant of ChaCha20
...
Fix #753
2018-09-08 02:12:23 +02:00
Frank Denis
ab4ab23d57
x25519_ref: ignore the high bit in the small order PK check
2018-08-29 16:04:40 +02:00
Frank Denis
1ec6edc1a8
Indent
2018-08-27 12:29:49 +02:00
Jakob Rieck
543b5ad068
Fixes padding for blocksizes > 256
2018-08-27 11:42:49 +02:00
Frank Denis
7cdf3f0e84
strnlen() may not be available everywhere
2018-07-22 21:54:38 +02:00
Frank Denis
922e4dcd9e
Merge branch 'master' of github.com:jedisct1/libsodium
...
* 'master' of github.com:jedisct1/libsodium:
Invert (1-y) just before the multiplication by (1+y) for readability
Nits
2018-07-22 21:40:39 +02:00
Frank Denis
74ba82210e
memchr() can process its input in any order
...
Fixes #737
2018-07-22 21:26:31 +02:00
Frank Denis
d25d6ce7fb
Invert (1-y) just before the multiplication by (1+y) for readability
2018-07-21 00:43:39 +02:00
Frank Denis
91d9051bce
Nits
2018-07-19 14:44:17 +02:00
Anton Maklakov
f16896146a
Fix warnings that appeared in GCC7+ (related to -Wimplicit-fallthrough)
2018-07-04 23:29:33 +07:00
Frank Denis
cfb0f94704
Visual Studio documentation states that eax/ecx/edx don't need to be
...
preserved in inline assembly code. But that doesn't seem to always
hold true on Visual Studio 2010.
2018-05-12 09:12:36 +02:00
Tom Auger
462a8ab775
Use _MESSAGEBYTES_MAX in crypto_aead_xchacha20poly1305
2018-04-29 15:12:39 +01:00
Frank Denis
10207d5aa6
This reverts commit 38b19412e8
.
2018-04-01 23:25:06 +02:00
Frank Denis
38b19412e8
Introduce pwhash_ntlm() for low-sodium, salt-free password hashing
...
. #passthesalt
2018-03-31 21:46:37 +02:00
Frank Denis
19f5c4f620
Include limits.h for ancient Android NDKs. Sigh.
2018-01-19 16:48:06 +01:00
Frank Denis
57ca449c7e
Include <stdint.h> for SIZE_MAX, and <stddef.h> as a dependency
2018-01-19 15:25:01 +01:00
Frank Denis
13513e886b
Keep things simple; directly initialize the example RNG from the system one
2018-01-17 15:11:18 +01:00
Frank Denis
e2581d9105
Swap #ifdef branches for clarity
2018-01-16 01:06:03 +01:00
Frank Denis
958060e2ec
Signatures: do not reject weak public keys if ED25519_COMPAT is defined
2018-01-16 01:02:29 +01:00
Frank Denis
0468e778d2
Revert "Solaris Studio apparently supports __attribute__()"
...
This reverts commit 74a4496cc5
.
2018-01-15 13:34:31 +01:00
Frank Denis
74a4496cc5
Solaris Studio apparently supports __attribute__()
...
Fixes #660
2018-01-14 23:09:46 +01:00
Frank Denis
764656443f
Check if we can use inline asm code, not only on x86_64
2017-12-31 01:23:58 +01:00
Frank Denis
a18e21b49d
Use (""::"r"(pnt):"memory") instead of (""::"p"(pnt)) for the barrier
2017-12-31 01:11:45 +01:00
Ryan Lester
607d9b7943
Closure fix
2017-12-26 22:39:17 -05:00
Frank Denis
0187ba70ad
Require the generichash state to be aligned
...
Alignment is already required by other functions anyway.
2017-12-21 18:21:43 +01:00
Frank Denis
1e7839a90c
Lift alignment requirements in crypto_generichash()
2017-12-21 18:14:17 +01:00
Frank Denis
2604a41774
Add extra align statements
2017-12-21 17:24:23 +01:00
Frank Denis
ffb8475a4a
Brace yourself
2017-12-21 17:24:01 +01:00
Frank Denis
3383fd1bdf
Extra braces
2017-12-21 16:57:27 +01:00
Frank Denis
107b42af3f
Remove unused LOAD128() and STORE128() macros
2017-12-21 16:48:15 +01:00
Frank Denis
1f1b0afb5c
Do not assume that __clang__ being defined implied __GNUC__ defined as well
2017-12-19 21:44:48 +01:00
Frank Denis
b1273b0411
Back to dev mode
2017-12-19 21:44:25 +01:00
Frank Denis
77e7d88d89
We really don't need an intermediate variable here
2017-12-16 13:04:59 +01:00
Frank Denis
675149b9b8
Comment
2017-12-13 10:24:13 +01:00
Frank Denis
a1d438c8ba
Comments
2017-12-13 00:03:01 +01:00
Frank Denis
95a7dc5e46
Always prefer vararrays to alloca()
2017-12-12 22:27:21 +01:00
Frank Denis
2f56443631
Don't redefine alloca
2017-12-12 22:23:37 +01:00
Frank Denis
ac8dffbecb
Return -1 if the scalar is 0 in crypto_scalarmult_ed25519()
...
For consistency with _base()
2017-12-12 14:35:08 +01:00
Frank Denis
ec67b0890f
Do not wipe the workspace after argon2 completes
...
The overhead can be really prohibitive on servers.
2017-12-11 23:38:20 +01:00
Frank Denis
534250a833
Give the compiler a change to inline index_alpha()
2017-12-11 23:22:34 +01:00
Frank Denis
5aa2b913f4
Immediately allocate all required memory in argon2/scrypt
2017-12-11 23:15:15 +01:00
Frank Denis
bd9e859e52
Coverage exclusion -- this is just an extra, redundant check
2017-12-11 20:08:56 +01:00
Frank Denis
11f217fec8
Undef devel
2017-12-09 11:14:28 +01:00
Frank Denis
e985fe204c
Spacing
2017-12-06 15:34:06 +00:00
Frank Denis
a916fff400
Reorder
2017-12-06 15:19:15 +00:00
Frank Denis
715cb6ba33
Faster scalarmult_ed25519()
2017-12-06 15:13:18 +00:00
Frank Denis
3e588a48e3
scalarmult_ed25519_base(): return -1 if the scalar (not the result) is all zero
2017-12-03 20:53:54 +01:00
Frank Denis
3d6cd63b2a
Add an empty line for consistency
2017-12-01 17:41:45 +01:00
Frank Denis
ccdad9d68d
Coverage exclusion
2017-12-01 17:34:03 +01:00
Frank Denis
307503df96
Coverage exclusion
2017-12-01 17:31:45 +01:00
Frank Denis
cc92e26a6b
Coverage exclusion
2017-12-01 17:23:16 +01:00
Frank Denis
5ecaeb33aa
Correct argument names in internal prototype
2017-12-01 15:22:33 +01:00
Frank Denis
4098a12635
Improve clarity
2017-11-26 13:05:47 +01:00
Frank Denis
f5a4064646
CompCert seems to be fine with S_* macros now
2017-11-26 12:31:31 +01:00
Frank Denis
06a523423a
Oh, the joy of compilers pretending to support C99, but that actually don't
2017-11-26 00:11:56 +01:00
Frank Denis
7df2a1ae91
Remove unused variable
2017-11-25 23:16:39 +01:00
Frank Denis
b9cbbef03b
Use __declspec(thread) on Visual Studio
2017-11-25 23:16:35 +01:00
Frank Denis
a261eec0aa
Make the salsa20 random stream thread local
2017-11-25 22:29:20 +01:00
Frank Denis
cf521f05e2
Reorder
2017-11-25 22:18:35 +01:00
Frank Denis
a7074ffc18
Split global information and stream information
2017-11-25 22:08:40 +01:00
Frank Denis
5117b1adc5
Optionally use RDRAND to mitigate prediction of future values
...
if a key is compromised.
2017-11-25 21:07:05 +01:00
Frank Denis
56cef5e01a
Revert "Add crypto_core_curve25519_is_valid_point()"
...
I'm not convinced that there are actual use cases for this, but I'd be
glad to re-merge it if you can show me some.
This reverts commit 2a031b95ff
.
2017-11-25 19:52:55 +01:00
Frank Denis
f24bfdc3ca
Revert "destatic fe25519_pow22523()"
...
This reverts commit 3998cd7228
.
2017-11-25 19:52:41 +01:00
Frank Denis
23af44d1ed
No need to add a dependency on blake2 here, use salsa20 as an extractor
2017-11-25 19:43:25 +01:00
Frank Denis
3998cd7228
destatic fe25519_pow22523()
2017-11-25 18:00:19 +01:00
Frank Denis
ee2403deba
Check for RDRAND presence
2017-11-25 17:53:33 +01:00
Frank Denis
3cef66a853
Rename random_rekey() to random_xorkey() for clarity
...
Zero the xor key after having used it
2017-11-25 17:49:30 +01:00
Frank Denis
2a031b95ff
Add crypto_core_curve25519_is_valid_point()
2017-11-18 17:48:56 +01:00
Frank Denis
933b3e8ec1
Help compilers with vectorization
2017-11-18 13:19:00 +01:00
Frank Denis
686c6a210d
Help compilers vectorize
2017-11-18 13:09:13 +01:00
Frank Denis
c190574cee
x25519-ref10: reject low order points before the multiplication
2017-11-17 10:47:00 +01:00
Frank Denis
3d8889560e
Export constants
2017-11-15 01:47:54 +01:00
Frank Denis
1df2285362
Add a preliminary test for core_ed25519
2017-11-15 01:34:43 +01:00
Frank Denis
d5634850e4
Consistency check
2017-11-14 23:11:16 +01:00
Frank Denis
150de39b2b
Move sign addition where it makes more sense
2017-11-14 22:11:35 +01:00
Frank Denis
5257cceda8
Merge crypto_core_ed25519_from_uniform()
...
Fixes #628
although we need another one that keeps montgomery coordinates.
2017-11-14 22:05:37 +01:00
Frank Denis
c44d847207
Format & add A
2017-11-14 21:58:15 +01:00
Frank Denis
75d507a434
+ crypto_core_ed25519_is_valid_point()
2017-11-13 14:36:40 +01:00
Frank Denis
57dac9eb60
+ crypto_core_ed25519_add(), crypto_core_ed25519_sub()
2017-11-13 14:22:44 +01:00
Frank Denis
d5a90f8f45
Adjust #include
2017-11-11 18:06:29 +01:00
Frank Denis
569778b517
Rename core/curve25519 to core/ed25519
2017-11-11 17:44:00 +01:00
Frank Denis
82efb10fc1
Merge branch 'master' of github.com:jedisct1/libsodium
...
* 'master' of github.com:jedisct1/libsodium:
Register sodium_stackzero()
Add sodium_stackzero()
Check for alloca()
2017-11-11 17:31:55 +01:00
Frank Denis
27872ca13c
Add an empty assembly statement to the memzero() weak symbol
2017-11-11 17:31:22 +01:00
Frank Denis
b93d773f7b
Add sodium_stackzero()
2017-11-10 20:48:05 +01:00
Frank Denis
40070b342a
Initialize the argon2 position structure a bit earlier
2017-11-08 12:56:33 +01:00
Frank Denis
8ab638b983
argon2: let fill_memory_blocks() accept a pass counter
2017-11-08 12:53:37 +01:00
Frank Denis
06f5c9a773
Funky indentation
2017-11-08 00:16:53 +01:00
Frank Denis
aa06d871ba
Indent
2017-11-07 01:07:22 +01:00
Frank Denis
a9b6eda279
+ UNPOISON macro
2017-11-06 23:57:23 +01:00
Frank Denis
ce3ca605a3
Better poison
2017-11-06 23:42:40 +01:00
Frank Denis
e73e2ee2c2
Define a POISON macro
2017-11-06 23:41:50 +01:00
Frank Denis
bd0e0303f9
Comment
2017-11-06 23:34:41 +01:00
Frank Denis
f8de352e6d
Reduce nesting, improve readability
2017-11-06 21:55:20 +01:00
Frank Denis
1621448f6c
Consistent spacing
2017-11-06 21:31:46 +01:00
Frank Denis
fd14a458d7
Use verbose prototypes
...
Having only parameter types in prototypes is confusing.
So, include parameter names as well.
2017-11-06 20:19:50 +01:00
Frank Denis
780974a109
sc_* -> sc25519_*
2017-11-06 20:13:47 +01:00
Frank Denis
e371a870f3
ge_* -> ge25519_*
2017-11-06 20:05:33 +01:00
Frank Denis
fb2e83a4d1
fe -> fe25519
2017-11-06 19:40:28 +01:00
Frank Denis
4bd6196c96
Move functions not worth inlining back to core
2017-11-06 15:06:21 +01:00
Frank Denis
221350c78a
Import fe constants
2017-11-06 14:35:41 +01:00
Frank Denis
f954997fc3
Move field arithmetic to include/private/, and make everything static
...
to get some inlining.
2017-11-06 14:32:01 +01:00
Frank Denis
2e7b8e1de9
Still #define the fe & ge types for now
2017-11-06 11:47:00 +01:00
Frank Denis
55a6b6bb46
Remove these useless #define
2017-11-06 11:42:02 +01:00
Frank Denis
1e57b1d455
Update comment
2017-11-06 11:10:29 +01:00
Frank Denis
7eacdc6ff0
Remove X25519-donna
2017-11-06 11:03:18 +01:00
Frank Denis
cdfd98e908
Move fe_cswap and fe_scalar_product to core
2017-11-06 10:52:03 +01:00
Frank Denis
8730d16d4b
Fix comment
2017-11-06 02:09:47 +01:00
Frank Denis
0a20032a8f
KNF
2017-11-06 02:00:32 +01:00
Frank Denis
a5b9c381e5
Shrink x25519_donna_c64; reuse functions from core
2017-11-06 01:57:05 +01:00
Frank Denis
1947a49020
Symbolically clear the round keys after aes256gcm_(en|de)crypt()
...
Fixes #617
2017-11-05 23:46:55 +01:00
Frank Denis
820bf58b93
Reduce the diff between fe_25_5/fe.h and fe_51/fe.h
2017-11-05 21:27:53 +01:00
Frank Denis
f49dd35fdf
Update paths
2017-11-05 18:26:25 +01:00
Frank Denis
bfd656b67b
core/25519: Use 51-bit limbs on platforms supporting 128 bit arithmetic
2017-11-05 17:50:15 +01:00
Frank Denis
bd82e08337
Move 25.5 bit field arithmetic to ref10/fe_25_5
2017-11-05 17:35:22 +01:00
Frank Denis
9f71f5aade
Ed25519 synthetic nonces: pad to 128 bytes boundaries, not 16.
...
Spotted by Trevor Perrin. Good catch, thanks!
2017-11-04 09:53:44 +01:00
Frank Denis
b45d52a8cf
Tolerate sodium_crit_leave() to be called on an unlocked mutex
2017-11-03 15:46:19 +01:00
Frank Denis
8e364d29db
Move d2 definition close to the d definition
2017-11-01 19:38:16 +01:00
Frank Denis
f57fcb9c26
Use the correct type for the cmov mask
2017-11-01 19:37:34 +01:00
Frank Denis
8d5b6b1fc9
Leave and immediately reenter the critical section in sodium_misuse()
...
Keep running everything in the critical section from there.
2017-11-01 01:45:02 +01:00
Frank Denis
802830e4e6
Regen precomputation tables
2017-11-01 00:08:34 +01:00
Frank Denis
a366ea0839
Tidy up curve25519_ref10, remove comments that are not relevant any more
2017-10-31 20:22:48 +01:00
Frank Denis
a3f96045d4
Remove ge_scalarmult_vartime() which is not used any more
2017-10-31 16:10:51 +01:00
Frank Denis
0b734963db
edwards25519sha512batch_open(): check order before decoding instead of after
2017-10-31 16:09:43 +01:00
Frank Denis
1cd0633186
Accept non-canonical PKs if ED25519_COMPAT is defined
2017-10-31 16:08:45 +01:00
Frank Denis
5808b83092
ed25519_open(): reject all small order public keys and non-canonical representations
2017-10-31 16:07:01 +01:00
Frank Denis
ce56bb596f
edwards25519sha512batch: reuse ge_scalarmult()
...
Check public key and R order by the way.
2017-10-31 15:56:31 +01:00
Frank Denis
52fce922f4
Add constant-time edx recovery; use it in ed25519_scalarmult()
2017-10-31 15:41:40 +01:00
Frank Denis
5468c39d7d
Don't hardcode the number of rounds
2017-10-28 21:36:01 +02:00
Frank Denis
68d8e33a55
blake2: use the same code on little & big endian for finalization
2017-10-24 22:35:23 +02:00
Frank Denis
5935cf7a7e
Use uint instead of uint64_t for SHA* padding
...
Workaround for a clang bug
2017-10-24 21:57:30 +02:00
Frank Denis
58fa4172a5
Use the output buffer as a temporary buffer to store clamped private scalars
...
This might help avoid leaving a copy of the scalar on the stack.
Also use the same parameters names in donna as other implementations.
Maybe not the best possible names, but at least, things are consistent.
2017-10-24 17:41:32 +02:00
Frank Denis
e254a654dc
Return -1 is the scalar was zero
...
This realistically only happen on misuse or with a completely broken PRG.
Calling misuse() would be a bit too intrusive here. So, we still store
the result (might be better than uninitialized memory if the application
doesn't check the return code), but return -1.
2017-10-24 17:25:37 +02:00
Frank Denis
c150ceb677
Clear the high bit the same way everywhere
2017-10-24 17:10:16 +02:00
Frank Denis
134eb2c29d
Add a comment on scalarmult usage
2017-10-23 16:27:04 +02:00
Frank Denis
f5076db5f8
Do not include scalarmult_ed25519 in minimal builds
2017-10-23 16:12:06 +02:00
Frank Denis
b5797ec61f
Add scalarmult_ed25519_base, correct is_canonical() test, add clamping helper,
...
check that the result of scalarmult_ed25519() is not the point at infinity
2017-10-23 15:36:40 +02:00
Frank Denis
d3cce09f4e
Update prototype (fe_isnonzero() -> fe_iszero())
2017-10-23 15:35:20 +02:00
Frank Denis
f1e9acef5c
Rename crypto_sign_ed25519_scalarmult() to crypto_scalarmult_ed25519()
2017-10-23 13:22:34 +02:00
Frank Denis
89bc2d6976
*_is_less_than_*() -> *_is_canonical()
...
and reject non-canonical public keys in ed25519_scalarmult()
2017-10-23 01:09:38 +02:00
Frank Denis
15649c5849
+ ge_is_less_than_p()
2017-10-23 00:00:25 +02:00
Frank Denis
9acbc82a6d
Comment
2017-10-22 23:00:37 +02:00
Frank Denis
7ae346a54a
Order
2017-10-22 21:17:03 +02:00
Frank Denis
afabd7e738
Remove neg parameter; always check with both signs; adjust blacklist
2017-10-22 20:59:54 +02:00
Frank Denis
0b835b4479
+ ge_is_on_curve()
2017-10-22 17:44:51 +02:00
Frank Denis
88417977e3
Move a couple functions from crypto_sign to crypto_core/curve25519
...
This improves clarity and makes it easier to reuse these in a
different context.
Also change fe_isnonzero() to fe_zero() and make it work as
documented.
2017-10-21 21:24:25 +02:00
Frank Denis
9fc0ece3d9
Remove unused blake2b code
2017-10-21 20:00:56 +02:00
Frank Denis
3d374fe8a9
Define uint128_t only once in private/common.h
2017-10-21 19:59:16 +02:00
Frank Denis
5a6deebd39
Add an argument to ed25519_small_order to optionally invert the sign
2017-10-20 16:07:52 +02:00
Frank Denis
bab680f35b
Implement crypto_sign_ed25519_scalarmult()
2017-10-20 02:06:02 +02:00
Frank Denis
fe5d65853b
Remove extraneous "return"
2017-10-19 23:49:32 +02:00
Frank Denis
2e8d656029
Move precomputed table where it's actually used
2017-10-19 23:13:28 +02:00
Frank Denis
8a1e08cc52
Define a generic ge_select() in additino to ge_select_base()
2017-10-19 23:11:52 +02:00
Frank Denis
fc3a62a493
cmov() -> ge_cmov() ; ge_select() -> ge_select_base()
2017-10-19 22:57:09 +02:00
Frank Denis
a944db7a76
slide() -> slide_vartime() and move comments to the right place
2017-10-19 22:11:43 +02:00
Frank Denis
f783552773
Just use constants instead of macros
...
In this context, they are actually less confusing.
2017-10-12 13:14:25 +02:00
Frank Denis
b1bf478086
Repair crypto_sign_ed25519_seed_keypair()
2017-10-12 13:05:57 +02:00
Frank Denis
18ab679429
sk is actually skpk, so use the right size in the prototype
2017-10-11 21:45:39 +02:00
Frank Denis
f54c6db981
sign_keygen(): don't hash the secret scalar in non-deterministic mode
2017-10-11 21:27:48 +02:00
Frank Denis
68feb75f1d
nonce -> Z for clarity
2017-10-11 18:15:36 +02:00