mirror of https://github.com/jedisct1/libsodium.git synced 2024-12-20 10:37:24 -07:00
Commit Graph

1879 Commits

Author SHA1 Message Date
Frank Denis
57ca449c7e Include <stdint.h> for SIZE_MAX, and <stddef.h> as a dependency 2018-01-19 15:25:01 +01:00
Frank Denis
13513e886b Keep things simple; directly initialize the example RNG from the system one 2018-01-17 15:11:18 +01:00
Frank Denis
e2581d9105 Swap #ifdef branches for clarity 2018-01-16 01:06:03 +01:00
Frank Denis
958060e2ec Signatures: do not reject weak public keys if ED25519_COMPAT is defined 2018-01-16 01:02:29 +01:00
Frank Denis
0468e778d2 Revert "Solaris Studio apparently supports __attribute__()"
This reverts commit 74a4496cc5.
2018-01-15 13:34:31 +01:00
Frank Denis
74a4496cc5 Solaris Studio apparently supports __attribute__()
Fixes #660
2018-01-14 23:09:46 +01:00
Frank Denis
59f8556bfa Check if we can use inline asm code, not only on x86_64 2017-12-31 01:24:26 +01:00
Frank Denis
764656443f Check if we can use inline asm code, not only on x86_64 2017-12-31 01:23:58 +01:00
Frank Denis
a18e21b49d Use (""::"r"(pnt):"memory") instead of (""::"p"(pnt)) for the barrier 2017-12-31 01:11:45 +01:00
Frank Denis
8c2e89d109 Use (""::"r"(pnt):"memory") instead of (""::"p"(pnt)) for the barrier 2017-12-31 01:10:48 +01:00
Ryan Lester
0ceb245eea Closure fix 2017-12-27 08:54:20 +01:00
Ryan Lester
607d9b7943 Closure fix 2017-12-26 22:39:17 -05:00
Frank Denis
b92e7b40ed Brace yourself 2017-12-22 17:06:38 +01:00
Frank Denis
0187ba70ad Require the generichash state to be aligned
Alignment is already required by other functions anyway.
2017-12-21 18:21:43 +01:00
Frank Denis
1e7839a90c Lift alignment requirements in crypto_generichash() 2017-12-21 18:14:17 +01:00
Frank Denis
2604a41774 Add extra align statements 2017-12-21 17:24:23 +01:00
Frank Denis
ffb8475a4a Brace yourself 2017-12-21 17:24:01 +01:00
Frank Denis
3383fd1bdf Extra braces 2017-12-21 16:57:27 +01:00
Frank Denis
bee480cfd3 Extra braces 2017-12-21 16:57:04 +01:00
Frank Denis
fb53590047 Remove unused LOAD128() and STORE128() macros 2017-12-21 16:48:52 +01:00
Frank Denis
107b42af3f Remove unused LOAD128() and STORE128() macros 2017-12-21 16:48:15 +01:00
Frank Denis
1f1b0afb5c Do not assume that __clang__ being defined implies __GNUC__ being defined as well 2017-12-19 21:44:48 +01:00
Frank Denis
b1273b0411 Back to dev mode 2017-12-19 21:44:25 +01:00
Frank Denis
bf1444f976 Do not assume that __clang__ being defined implies __GNUC__ being defined as well 2017-12-19 21:41:56 +01:00
Frank Denis
8fed6e5b46 We really don't need an intermediate variable here 2017-12-16 13:29:44 +01:00
Frank Denis
77e7d88d89 We really don't need an intermediate variable here 2017-12-16 13:04:59 +01:00
Frank Denis
5bc564cac1 1.0.16
* master: (221 commits)
  Comment
  Comments
  msys2 build scripts: just use -Ofast
  Always prefer vararrays to alloca()
  Don't redefine alloca
  Return -1 if the scalar is 0 in crypto_scalarmult_ed25519()
  Remove trailing space
  Import the regen-msvc script
  Update ChangeLog
  Do not wipe the workspace after argon2 completes
  Remove tests for deprecated functions
  Give the compiler a chance to inline index_alpha()
  Immediately allocate all required memory in argon2/scrypt
  Check reduced-round salsa variants in non-minimal mode
  Coverage exclusion -- this is just an extra, redundant check
  Remove incorrect and useless cast
  -fomit-frame-pointer makes a difference on mips
  WebAssembly benefits from the 128-bit types, too
  Remove extra spaces
  Undef devel
  ...
2017-12-13 16:21:20 +01:00
Frank Denis
675149b9b8 Comment 2017-12-13 10:24:13 +01:00
Frank Denis
a1d438c8ba Comments 2017-12-13 00:03:01 +01:00
Frank Denis
95a7dc5e46 Always prefer vararrays to alloca() 2017-12-12 22:27:21 +01:00
Frank Denis
2f56443631 Don't redefine alloca 2017-12-12 22:23:37 +01:00
Frank Denis
ac8dffbecb Return -1 if the scalar is 0 in crypto_scalarmult_ed25519()
For consistency with _base()
2017-12-12 14:35:08 +01:00
Frank Denis
ec67b0890f Do not wipe the workspace after argon2 completes
The overhead can be really prohibitive on servers.
2017-12-11 23:38:20 +01:00
Frank Denis
534250a833 Give the compiler a chance to inline index_alpha() 2017-12-11 23:22:34 +01:00
Frank Denis
5aa2b913f4 Immediately allocate all required memory in argon2/scrypt 2017-12-11 23:15:15 +01:00
Frank Denis
bd9e859e52 Coverage exclusion -- this is just an extra, redundant check 2017-12-11 20:08:56 +01:00
Frank Denis
11f217fec8 Undef devel 2017-12-09 11:14:28 +01:00
Frank Denis
e985fe204c Spacing 2017-12-06 15:34:06 +00:00
Frank Denis
a916fff400 Reorder 2017-12-06 15:19:15 +00:00
Frank Denis
715cb6ba33 Faster scalarmult_ed25519() 2017-12-06 15:13:18 +00:00
Frank Denis
3e588a48e3 scalarmult_ed25519_base(): return -1 if the scalar (not the result) is all zero 2017-12-03 20:53:54 +01:00
Frank Denis
3d6cd63b2a Add an empty line for consistency 2017-12-01 17:41:45 +01:00
Frank Denis
ccdad9d68d Coverage exclusion 2017-12-01 17:34:03 +01:00
Frank Denis
307503df96 Coverage exclusion 2017-12-01 17:31:45 +01:00
Frank Denis
cc92e26a6b Coverage exclusion 2017-12-01 17:23:16 +01:00
Frank Denis
07c5764d5e Correct argument names in internal prototype 2017-12-01 15:23:01 +01:00
Frank Denis
5ecaeb33aa Correct argument names in internal prototype 2017-12-01 15:22:33 +01:00
Frank Denis
4098a12635 Improve clarity 2017-11-26 13:05:47 +01:00
Frank Denis
f5a4064646 CompCert seems to be fine with S_* macros now 2017-11-26 12:31:31 +01:00
Frank Denis
06a523423a Oh, the joy of compilers pretending to support C99, but that actually don't 2017-11-26 00:11:56 +01:00
Frank Denis
7df2a1ae91 Remove unused variable 2017-11-25 23:16:39 +01:00
Frank Denis
b9cbbef03b Use __declspec(thread) on Visual Studio 2017-11-25 23:16:35 +01:00
Frank Denis
a261eec0aa Make the salsa20 random stream thread local 2017-11-25 22:29:20 +01:00
Frank Denis
cf521f05e2 Reorder 2017-11-25 22:18:35 +01:00
Frank Denis
a7074ffc18 Split global information and stream information 2017-11-25 22:08:40 +01:00
Frank Denis
5117b1adc5 Optionally use RDRAND to mitigate prediction of future values
if a key is compromised.
2017-11-25 21:07:05 +01:00
Frank Denis
56cef5e01a Revert "Add crypto_core_curve25519_is_valid_point()"
I'm not convinced that there are actual use cases for this, but I'd be
glad to re-merge it if you can show me some.

This reverts commit 2a031b95ff.
2017-11-25 19:52:55 +01:00
Frank Denis
f24bfdc3ca Revert "destatic fe25519_pow22523()"
This reverts commit 3998cd7228.
2017-11-25 19:52:41 +01:00
Frank Denis
23af44d1ed No need to add a dependency on blake2 here, use salsa20 as an extractor 2017-11-25 19:43:25 +01:00
Frank Denis
3998cd7228 destatic fe25519_pow22523() 2017-11-25 18:00:19 +01:00
Frank Denis
ee2403deba Check for RDRAND presence 2017-11-25 17:53:33 +01:00
Frank Denis
3cef66a853 Rename random_rekey() to random_xorkey() for clarity
Zero the xor key after having used it
2017-11-25 17:49:30 +01:00
Frank Denis
2a031b95ff Add crypto_core_curve25519_is_valid_point() 2017-11-18 17:48:56 +01:00
Frank Denis
933b3e8ec1 Help compilers with vectorization 2017-11-18 13:19:00 +01:00
Frank Denis
686c6a210d Help compilers vectorize 2017-11-18 13:09:13 +01:00
Frank Denis
c190574cee x25519-ref10: reject low order points before the multiplication 2017-11-17 10:47:00 +01:00
Frank Denis
3d8889560e Export constants 2017-11-15 01:47:54 +01:00
Frank Denis
1df2285362 Add a preliminary test for core_ed25519 2017-11-15 01:34:43 +01:00
Frank Denis
d5634850e4 Consistency check 2017-11-14 23:11:16 +01:00
Frank Denis
150de39b2b Move sign addition where it makes more sense 2017-11-14 22:11:35 +01:00
Frank Denis
5257cceda8 Merge crypto_core_ed25519_from_uniform()
Fixes #628
although we need another one that keeps montgomery coordinates.
2017-11-14 22:05:37 +01:00
Frank Denis
c44d847207 Format & add A 2017-11-14 21:58:15 +01:00
Frank Denis
75d507a434 + crypto_core_ed25519_is_valid_point() 2017-11-13 14:36:40 +01:00
Frank Denis
57dac9eb60 + crypto_core_ed25519_add(), crypto_core_ed25519_sub() 2017-11-13 14:22:44 +01:00
Frank Denis
d5a90f8f45 Adjust #include 2017-11-11 18:06:29 +01:00
Frank Denis
569778b517 Rename core/curve25519 to core/ed25519 2017-11-11 17:44:00 +01:00
Frank Denis
82efb10fc1 Merge branch 'master' of github.com:jedisct1/libsodium
* 'master' of github.com:jedisct1/libsodium:
  Register sodium_stackzero()
  Add sodium_stackzero()
  Check for alloca()
2017-11-11 17:31:55 +01:00
Frank Denis
27872ca13c Add an empty assembly statement to the memzero() weak symbol 2017-11-11 17:31:22 +01:00
Frank Denis
b93d773f7b Add sodium_stackzero() 2017-11-10 20:48:05 +01:00
Frank Denis
40070b342a Initialize the argon2 position structure a bit earlier 2017-11-08 12:56:33 +01:00
Frank Denis
8ab638b983 argon2: let fill_memory_blocks() accept a pass counter 2017-11-08 12:53:37 +01:00
Frank Denis
06f5c9a773 Funky indentation 2017-11-08 00:16:53 +01:00
Frank Denis
aa06d871ba Indent 2017-11-07 01:07:22 +01:00
Frank Denis
a9b6eda279 + UNPOISON macro 2017-11-06 23:57:23 +01:00
Frank Denis
ce3ca605a3 Better poison 2017-11-06 23:42:40 +01:00
Frank Denis
e73e2ee2c2 Define a POISON macro 2017-11-06 23:41:50 +01:00
Frank Denis
bd0e0303f9 Comment 2017-11-06 23:34:41 +01:00
Frank Denis
f8de352e6d Reduce nesting, improve readability 2017-11-06 21:55:20 +01:00
Frank Denis
1621448f6c Consistent spacing 2017-11-06 21:31:46 +01:00
Frank Denis
fd14a458d7 Use verbose prototypes
Having only parameter types in prototypes is confusing.
So, include parameter names as well.
2017-11-06 20:19:50 +01:00
Frank Denis
780974a109 sc_* -> sc25519_* 2017-11-06 20:13:47 +01:00
Frank Denis
e371a870f3 ge_* -> ge25519_* 2017-11-06 20:05:33 +01:00
Frank Denis
fb2e83a4d1 fe -> fe25519 2017-11-06 19:40:28 +01:00
Frank Denis
4bd6196c96 Move functions not worth inlining back to core 2017-11-06 15:06:21 +01:00
Frank Denis
221350c78a Import fe constants 2017-11-06 14:35:41 +01:00
Frank Denis
f954997fc3 Move field arithmetic to include/private/, and make everything static
to get some inlining.
2017-11-06 14:32:01 +01:00
Frank Denis
2e7b8e1de9 Still #define the fe & ge types for now 2017-11-06 11:47:00 +01:00
Frank Denis
55a6b6bb46 Remove these useless #define 2017-11-06 11:42:02 +01:00
Frank Denis
1e57b1d455 Update comment 2017-11-06 11:10:29 +01:00
Frank Denis
7eacdc6ff0 Remove X25519-donna 2017-11-06 11:03:18 +01:00
Frank Denis
cdfd98e908 Move fe_cswap and fe_scalar_product to core 2017-11-06 10:52:03 +01:00
Frank Denis
8730d16d4b Fix comment 2017-11-06 02:09:47 +01:00
Frank Denis
0a20032a8f KNF 2017-11-06 02:00:32 +01:00
Frank Denis
a5b9c381e5 Shrink x25519_donna_c64; reuse functions from core 2017-11-06 01:57:05 +01:00
Frank Denis
28cac20a7b Symbolically clear the round keys after aes256gcm_(en|de)crypt()
Fixes #617
2017-11-05 23:53:25 +01:00
Frank Denis
1947a49020 Symbolically clear the round keys after aes256gcm_(en|de)crypt()
Fixes #617
2017-11-05 23:46:55 +01:00
Frank Denis
820bf58b93 Reduce the diff between fe_25_5/fe.h and fe_51/fe.h 2017-11-05 21:27:53 +01:00
Frank Denis
f49dd35fdf Update paths 2017-11-05 18:26:25 +01:00
Frank Denis
bfd656b67b core/25519: Use 51-bit limbs on platforms supporting 128 bit arithmetic 2017-11-05 17:50:15 +01:00
Frank Denis
bd82e08337 Move 25.5 bit field arithmetic to ref10/fe_25_5 2017-11-05 17:35:22 +01:00
Frank Denis
7b05b7da50 Ed25519 synthetic nonces: pad to 128-byte boundaries, not 16.
Spotted by Trevor Perrin. Good catch, thanks!
2017-11-04 09:57:06 +01:00
Frank Denis
9f71f5aade Ed25519 synthetic nonces: pad to 128-byte boundaries, not 16.
Spotted by Trevor Perrin. Good catch, thanks!
2017-11-04 09:53:44 +01:00
Frank Denis
bfcaab49f3 Tolerate sodium_crit_leave() being called on an unlocked mutex 2017-11-03 15:47:02 +01:00
Frank Denis
b45d52a8cf Tolerate sodium_crit_leave() being called on an unlocked mutex 2017-11-03 15:46:19 +01:00
Frank Denis
8e364d29db Move d2 definition close to the d definition 2017-11-01 19:38:16 +01:00
Frank Denis
f57fcb9c26 Use the correct type for the cmov mask 2017-11-01 19:37:34 +01:00
Frank Denis
5d484e6cb2 Leave and immediately reenter the critical section in sodium_misuse()
Keep running everything in the critical section from there.
2017-11-01 01:48:23 +01:00
Frank Denis
8d5b6b1fc9 Leave and immediately reenter the critical section in sodium_misuse()
Keep running everything in the critical section from there.
2017-11-01 01:45:02 +01:00
Frank Denis
802830e4e6 Regen precomputation tables 2017-11-01 00:08:34 +01:00
Frank Denis
a366ea0839 Tidy up curve25519_ref10, remove comments that are not relevant any more 2017-10-31 20:22:48 +01:00
Frank Denis
a3f96045d4 Remove ge_scalarmult_vartime() which is not used any more 2017-10-31 16:10:51 +01:00
Frank Denis
0b734963db edwards25519sha512batch_open(): check order before decoding instead of after 2017-10-31 16:09:43 +01:00
Frank Denis
1cd0633186 Accept non-canonical PKs if ED25519_COMPAT is defined 2017-10-31 16:08:45 +01:00
Frank Denis
5808b83092 ed25519_open(): reject all small order public keys and non-canonical representations 2017-10-31 16:07:01 +01:00
Frank Denis
ce56bb596f edwards25519sha512batch: reuse ge_scalarmult()
Check public key and R order by the way.
2017-10-31 15:56:31 +01:00
Frank Denis
52fce922f4 Add constant-time edx recovery; use it in ed25519_scalarmult() 2017-10-31 15:41:40 +01:00
Frank Denis
4bd18252d4 Don't hardcode the number of rounds 2017-10-28 21:37:01 +02:00
Frank Denis
5468c39d7d Don't hardcode the number of rounds 2017-10-28 21:36:01 +02:00
Frank Denis
68d8e33a55 blake2: use the same code on little & big endian for finalization 2017-10-24 22:35:23 +02:00
Frank Denis
5935cf7a7e Use uint instead of uint64_t for SHA* padding
Workaround for a clang bug
2017-10-24 21:57:30 +02:00
Frank Denis
58fa4172a5 Use the output buffer as a temporary buffer to store clamped private scalars
This might help avoid leaving a copy of the scalar on the stack.

Also use the same parameter names in donna as in other implementations.
Maybe not the best possible names, but at least, things are consistent.
2017-10-24 17:41:32 +02:00
Frank Denis
e254a654dc Return -1 if the scalar was zero
This realistically only happens on misuse or with a completely broken PRG.

Calling misuse() would be a bit too intrusive here. So, we still store
the result (might be better than uninitialized memory if the application
doesn't check the return code), but return -1.
2017-10-24 17:25:37 +02:00
Frank Denis
c150ceb677 Clear the high bit the same way everywhere 2017-10-24 17:10:16 +02:00
Frank Denis
134eb2c29d Add a comment on scalarmult usage 2017-10-23 16:27:04 +02:00
Frank Denis
f5076db5f8 Do not include scalarmult_ed25519 in minimal builds 2017-10-23 16:12:06 +02:00
Frank Denis
b5797ec61f Add scalarmult_ed25519_base, correct is_canonical() test, add clamping helper,
check that the result of scalarmult_ed25519() is not the point at infinity
2017-10-23 15:36:40 +02:00
Frank Denis
d3cce09f4e Update prototype (fe_isnonzero() -> fe_iszero()) 2017-10-23 15:35:20 +02:00
Frank Denis
f1e9acef5c Rename crypto_sign_ed25519_scalarmult() to crypto_scalarmult_ed25519() 2017-10-23 13:22:34 +02:00
Frank Denis
89bc2d6976 *_is_less_than_*() -> *_is_canonical()
and reject non-canonical public keys in ed25519_scalarmult()
2017-10-23 01:09:38 +02:00
Frank Denis
2cee8ae850 Backport _crypto_sign_ed25519_small_order() changes 2017-10-23 00:15:52 +02:00
Frank Denis
15649c5849 + ge_is_less_than_p() 2017-10-23 00:00:25 +02:00
Frank Denis
9acbc82a6d Comment 2017-10-22 23:00:37 +02:00
Frank Denis
7ae346a54a Order 2017-10-22 21:17:03 +02:00
Frank Denis
afabd7e738 Remove neg parameter; always check with both signs; adjust blacklist 2017-10-22 20:59:54 +02:00
Frank Denis
0b835b4479 + ge_is_on_curve() 2017-10-22 17:44:51 +02:00
Frank Denis
3e6e734605 Fix misleading comment 2017-10-21 21:27:12 +02:00
Frank Denis
88417977e3 Move a couple functions from crypto_sign to crypto_core/curve25519
This improves clarity and makes it easier to reuse these in a
different context.

Also change fe_isnonzero() to fe_zero() and make it work as
documented.
2017-10-21 21:24:25 +02:00
Frank Denis
9fc0ece3d9 Remove unused blake2b code 2017-10-21 20:00:56 +02:00
Frank Denis
3d374fe8a9 Define uint128_t only once in private/common.h 2017-10-21 19:59:16 +02:00
Frank Denis
5a6deebd39 Add an argument to ed25519_small_order to optionally invert the sign 2017-10-20 16:07:52 +02:00
Frank Denis
415691dcea memcpy() -> memmove() in case the seed and secret key overlap 2017-10-20 09:54:05 +02:00
Frank Denis
bab680f35b Implement crypto_sign_ed25519_scalarmult() 2017-10-20 02:06:02 +02:00
Frank Denis
fe5d65853b Remove extraneous "return" 2017-10-19 23:49:32 +02:00
Frank Denis
2e8d656029 Move precomputed table where it's actually used 2017-10-19 23:13:28 +02:00
Frank Denis
8a1e08cc52 Define a generic ge_select() in addition to ge_select_base() 2017-10-19 23:11:52 +01:00
Frank Denis
fc3a62a493 cmov() -> ge_cmov() ; ge_select() -> ge_select_base() 2017-10-19 22:57:09 +02:00
Frank Denis
a944db7a76 slide() -> slide_vartime() and move comments to the right place 2017-10-19 22:11:43 +02:00
Frank Denis
b28a8ad896 Just use constants instead of macros
In this context, they are actually less confusing.
2017-10-12 13:14:58 +02:00
Frank Denis
f783552773 Just use constants instead of macros
In this context, they are actually less confusing.
2017-10-12 13:14:25 +02:00
Frank Denis
b1bf478086 Repair crypto_sign_ed25519_seed_keypair() 2017-10-12 13:05:57 +02:00
Frank Denis
64604f8eef Repair crypto_sign_ed25519_seed_keypair() 2017-10-12 13:03:54 +02:00
Frank Denis
348ef69b79 sk is actually skpk, so use the right size in the prototype 2017-10-11 21:46:17 +02:00
Frank Denis
18ab679429 sk is actually skpk, so use the right size in the prototype 2017-10-11 21:45:39 +02:00
Frank Denis
f5e1767b22 sign_keygen(): don't hash the secret scalar in non-deterministic mode
Improve clarity
No need to clamp the key prior to computing a synthetic nonce
nonce -> Z for clarity
2017-10-11 21:30:52 +02:00
Frank Denis
f54c6db981 sign_keygen(): don't hash the secret scalar in non-deterministic mode 2017-10-11 21:27:48 +02:00
Frank Denis
68feb75f1d nonce -> Z for clarity 2017-10-11 18:15:36 +02:00
Frank Denis
ebb614cb0e Improve clarity
No need to clamp the key prior to computing a synthetic nonce
2017-10-11 18:09:30 +02:00
Frank Denis
b6bad22149 Use the generalized eddsa algorithm for non-deterministic r 2017-10-06 22:02:46 +02:00
Frank Denis
9080766246 crypto_sign(): memzero the nonce after use 2017-10-06 22:02:46 +02:00
Frank Denis
90f5b55a0a Move computation of synthetic nonces to a dedicated function
for clarity
2017-10-06 22:01:06 +02:00
Frank Denis
067cd6749d inline 2017-10-06 21:41:35 +02:00
Frank Denis
d56007a6fa crypto_sign(): memzero the nonce after use 2017-10-06 21:35:52 +02:00
Frank Denis
291859874b Use the generalized eddsa algorithm for non-deterministic r 2017-10-06 21:28:02 +02:00
Frank Denis
99eee854fe Add a compile-time switch to create non-deterministic signatures 2017-10-06 16:36:06 +02:00
Frank Denis
9f98f2329c Back to dev mode 2017-10-06 15:37:24 +02:00
Frank Denis
0dd8338b83 Add a compile-time switch to create non-deterministic signatures 2017-10-06 15:35:07 +02:00
Frank Denis
affaecabcd Include prototypes before declarations 2017-10-05 10:15:24 +02:00
Frank Denis
cd1b97d5a2 Regen autoconf files 2017-10-01 17:17:11 +02:00
Frank Denis
d3e20869af crypto_pwhash_ALG_DEFAULT is now Argon2id 2017-10-01 12:12:13 +02:00
Frank Denis
d49d7e8d4f pwhash: don't enforce the same limits for argon2i and argon2id
Fixes #606

Also, keep enforcing a minimum number of iterations to create argon2i
hashes, but relax that restriction for verification, as it can be
useful to migrate from hashes made using other libraries.
2017-10-01 11:02:46 +02:00
Frank Denis
2542367c2d secretstream: set the initial counter to 1
Avoids using the first block for two different purposes, and will be more
consistent with the AES-based version.

This breaks backwards compatibility, but better do it now that most distros are
still shipping < 1.0.14, that no applications seem to be already using that new
API, and that there will be an update to the library major due to the aes128ctr
removal.
2017-10-01 10:08:04 +02:00
Frank Denis
96be673f82 Remove aes128ctr 2017-09-27 15:07:54 +02:00
Frank Denis
2a9c81b5c4 Explain why pwhash parameters must be stored 2017-09-26 21:33:54 +02:00
Frank Denis
93c386cb6c Mention when the state will eventually be cleared 2017-09-26 21:28:08 +02:00
Frank Denis
d338ae9512 Properly support Argon2id in crypto_pwhash() 2017-09-26 17:12:58 +02:00
Frank Denis
491f785274 deinit 2017-09-25 16:33:30 +02:00
Frank Denis
94550cefd5 Remove dev #warning 2017-09-21 11:41:01 +02:00
Frank Denis
3e0b4dec6e Add sodium_base64_encoded_len() 2017-09-21 11:25:09 +02:00
Frank Denis
4ce2856a5d Avoid negations on unsigned values 2017-09-21 11:23:37 +02:00
Frank Denis
7e06a6a991 Annotate 2017-09-21 00:30:37 +02:00
Frank Denis
91233a0143 Tag salsa208 as deprecated 2017-09-19 23:56:12 +02:00
Frank Denis
3db75fc647 No need for ge_scalarmult_vartime() in minimal mode 2017-09-19 22:16:49 +02:00
Frank Denis
7423408cd3 Make the behavior of hex2bin() consistent with base642bin()
Return -1 on incomplete sequences and on complete sequences
with trailing, non-ignored characters if no pointer to store the
last parsed byte has been provided
2017-09-19 18:45:23 +02:00
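The decoding contract described in the commit above, as an added example that is not libsodium's code: a self-contained C reimplementation whose parameter list mirrors sodium_hex2bin() but whose body is this example's own. Separators listed in `ignore` are skipped, trailing ones included; an odd number of digits is an error; a non-ignored, non-hex character stops parsing, which is an error unless the caller passed `hex_end` to learn where parsing stopped; output that would overrun `bin_maxlen` is an error. The names `hex2bin`, `hex_digit_value` and `hex2bin_selftest`, and the inputs in the self-test, are this example's own assumptions.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* One ASCII character -> its hex value 0..15, or -1 if it is not a hex digit.
 * Pure arithmetic: no table lookup and no branch that depends on the value. */
static int hex_digit_value(unsigned char c)
{
    unsigned int c_num    = c ^ 48U;                               /* '0'..'9' -> 0..9 */
    unsigned int c_num0   = ((c_num - 10U) >> 8) & 1U;             /* 1 iff c_num < 10 */
    unsigned int c_alpha  = (c & ~32U) - 55U;                      /* 'A'..'F' / 'a'..'f' -> 10..15 */
    unsigned int c_alpha0 = (((c_alpha - 10U) ^ (c_alpha - 16U)) >> 8) & 1U; /* 1 iff 10 <= c_alpha < 16 */
    unsigned int value    = (c_num0 * c_num) | (c_alpha0 * c_alpha);

    return (c_num0 | c_alpha0) ? (int) value : -1;
}

/* Decode hex into bin (example code, modelled on the sodium_hex2bin() parameter list).
 * Returns 0, or -1 with *bin_len = 0 and any partially written bytes wiped. */
static int hex2bin(unsigned char *bin, size_t bin_maxlen, const char *hex, size_t hex_len,
                   const char *ignore, size_t *bin_len, const char **hex_end)
{
    size_t        bin_pos = 0U, hex_pos = 0U;
    int           state = 0;           /* 0: expecting high nibble, 1: expecting low nibble */
    unsigned char acc = 0U;
    int           ret = 0;

    while (hex_pos < hex_len) {
        unsigned char c = (unsigned char) hex[hex_pos];
        int           v = hex_digit_value(c);

        if (v < 0) {
            if (state == 0 && c != 0U && ignore != NULL && strchr(ignore, c) != NULL) {
                hex_pos++;
                continue;              /* separator between bytes (also accepted at the end) */
            }
            break;                     /* anything else ends the hex sequence */
        }
        if (state == 0) {
            acc   = (unsigned char) (v << 4);
            state = 1;
        } else {
            if (bin_pos >= bin_maxlen) {
                ret = -1;              /* output buffer full */
                break;
            }
            bin[bin_pos++] = (unsigned char) (acc | v);
            state          = 0;
        }
        hex_pos++;
    }
    if (state != 0) {                  /* dangling high nibble: incomplete byte */
        hex_pos--;
        ret = -1;
    }
    if (hex_end != NULL) {
        *hex_end = &hex[hex_pos];      /* caller learns where parsing stopped */
    } else if (hex_pos != hex_len) {
        ret = -1;                      /* trailing garbage with no way to report it */
    }
    if (ret != 0) {
        memset(bin, 0, bin_pos);
        bin_pos = 0U;
    }
    if (bin_len != NULL) {
        *bin_len = bin_pos;
    }
    return ret;
}

/* Constructed inputs covering each rule; returns 1 when all behave as described. */
static int hex2bin_selftest(void)
{
    unsigned char bin[8];
    size_t        n;
    const char   *end;
    const char   *sep = "de:ad:be:ef:";  /* separators, one of them trailing */
    const char   *odd = "deadbee";       /* 7 digits: incomplete last byte */
    const char   *trl = "dead beef";     /* stops at the space */
    int           ok = 1;

    ok &= hex2bin(bin, sizeof bin, sep, strlen(sep), ":", &n, NULL) == 0 && n == 4
          && memcmp(bin, "\xde\xad\xbe\xef", 4) == 0;
    ok &= hex2bin(bin, sizeof bin, odd, strlen(odd), NULL, &n, NULL) == -1 && n == 0;
    ok &= hex2bin(bin, sizeof bin, trl, strlen(trl), NULL, &n, NULL) == -1 && n == 0;
    ok &= hex2bin(bin, sizeof bin, trl, strlen(trl), NULL, &n, &end) == 0 && n == 2 && end == trl + 4;
    ok &= hex2bin(bin, 2, "deadbeef", 8, NULL, &n, NULL) == -1 && n == 0;
    return ok;
}

int main(void)
{
    unsigned char key[4];
    size_t        key_len;

    if (hex2bin(key, sizeof key, "ca:fe:ba:be", 11, ":", &key_len, NULL) != 0) {
        return 1;
    }
    printf("decoded %zu bytes, self-test %s\n", key_len, hex2bin_selftest() ? "passed" : "FAILED");
    return 0;
}
```

Decoding digits with arithmetic rather than a lookup table keeps the decoder's memory access pattern independent of the input, which matters when the hex string is a key; the `hex_end`/`-1` split lets a caller that knows the string is exactly hex fail closed, while a parser consuming a larger record can ask where the hex ended instead.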
Frank Denis
c7fe84cfb0 Skip trailing ignored characters in base64 decoding 2017-09-19 15:09:29 +02:00
Frank Denis
70e5ff5e14 Add a helper macro to compute the length of a base64 string
Modern compilers should optimize these common subexpressions fairly well.
2017-09-19 14:08:09 +02:00
Frank Denis
61214ba6b9 Remove redundant test 2017-09-18 23:57:03 +02:00
Frank Denis
77f3b71354 Indent 2017-09-18 23:29:33 +02:00
Frank Denis
5b9680ead6 More tests 2017-09-18 23:13:50 +02:00
Frank Denis
4828c5923a ~ 80 columns please 2017-09-18 20:52:38 +02:00
Frank Denis
66c621f417 Faster; doesn't require wiping the output stream 2017-09-18 20:51:47 +02:00
Frank Denis
5da8f4fbc6 Add a global xor_buf() private helper function 2017-09-18 19:39:41 +02:00
Frank Denis
7d756fab96 xor the key and the nonce on rekey for better separation 2017-09-18 19:25:06 +02:00
Frank Denis
bb1b27fa36 Improve readability 2017-09-18 18:55:56 +02:00
Frank Denis
10bb28b27e One more COMPILER_ASSERT() 2017-09-18 18:15:53 +02:00
Frank Denis
2ce41de29b Define macros instead of repeated offsets
Improves readability, removes bugs
2017-09-18 18:11:29 +02:00
Frank Denis
a029b352af Don't generate SSE2 code if that instruction set hasn't been enabled 2017-09-17 18:23:31 +02:00
Frank Denis
09fd953fce Revert "__SSE2__ may need to be explicitly enabled"
This reverts commit 35d8aa5d3e.
2017-09-17 18:19:57 +02:00
Frank Denis
35d8aa5d3e __SSE2__ may need to be explicitly enabled 2017-09-17 18:15:18 +02:00
Frank Denis
a161dd9fa1 On 32-bit systems, the limit is SIZE_MAX 2017-09-17 16:36:01 +02:00
Frank Denis
d8a8201bb2 Avoid "in" and "out". Use "c" to represent the ciphertext. 2017-09-16 23:43:46 +02:00
Frank Denis
1181a47cb4 Proper xchacha20poly1305_MESSAGEBYTES_MAX definition 2017-09-16 23:37:52 +02:00
Frank Denis
bfab44aa40 initbytes -> headerbytes for clarity 2017-09-16 23:21:28 +02:00
Frank Denis
e8f1c0be66 secretstream: use "header" instead of "in" and "out" for clarity 2017-09-16 23:15:28 +02:00
Frank Denis
9e0ff55ebd Add the ability to use only strong symbols, even on ELF targets 2017-09-15 18:52:04 +02:00
Frank Denis
b0420b32d7 Define SODIUM_EXPORT_WEAK instead of adding __attribute__((weak)) tags 2017-09-15 18:28:42 +02:00
Frank Denis
3df3fabb87 No default clause needed 2017-09-15 15:43:16 +02:00
Frank Denis
383705ffc2 The AVX512 optimized BLAKE2B implementation hasn't been imported yet 2017-09-15 13:15:43 +02:00
Frank Denis
dcd60ba661 Force inline 2017-09-15 00:06:37 +02:00
Frank Denis
5cc334b33c Add AVX512F optimized Argon2 implementation 2017-09-15 00:04:18 +02:00
Frank Denis
6866b3d555 Use macros instead of magic numbers 2017-09-13 23:42:21 +02:00
Frank Denis
1c0677b09f Check for AVX512F support 2017-09-13 23:35:20 +02:00
Frank Denis
62c41c703e Avoid untagged unions 2017-09-13 12:42:00 +02:00
Frank Denis
5cf1de94ad Remove trailing comma 2017-09-13 12:03:24 +02:00
Frank Denis
3aa1c71de1 Don't return void 2017-09-13 11:43:39 +02:00
Frank Denis
d0a418a863 + _crypto_pwhash_scryptsalsa208sha256_str_needs_rehash() 2017-09-13 00:36:29 +02:00
Frank Denis
0ae678b0f9 Avoid multiple declarations in an EM_ASM({}) block
Some emscripten versions don't seem to support it.
2017-09-11 11:49:59 +02:00
Frank Denis
b26de68a67 Use single quotes inside EM_ASM 2017-09-11 02:13:38 +02:00
Frank Denis
1aae564da3 Avoid duplicate initializations; reorder for consistency w/ decl 2017-09-10 22:19:51 +02:00
Frank Denis
81cf1ff6d1 Use unsigned for loop counters 2017-09-10 22:15:23 +02:00
Frank Denis
e2efa6d7e0 Remove unused variable 2017-09-10 22:09:06 +02:00
Frank Denis
e06c70afe8 Use the dedicated type for the argon2 type id 2017-09-07 13:53:21 +02:00
Frank Denis
e8828eef79 Don't bother verifying hashes whose length is >= crypto_pwhash_STRBYTES 2017-09-06 20:26:36 +02:00
Frank Denis
7cc4825231 Add crypto_pwhash_str_needs_rehash() 2017-09-06 20:08:20 +02:00
Frank Denis
c65189a0cb Explicit casts 2017-09-06 16:04:28 +02:00
Frank Denis
c72ef48f01 Static-ify what we currently don't need in crypto_core/curve25519_ref10 2017-08-31 21:08:59 +02:00
Frank Denis
5c8b8ea01c Simplify 2017-08-31 20:14:16 +02:00
Frank Denis
0af31aeb26 Fill the max output buffer size in sodium_bin2base64()
Unlike hex encoding, due to optional padding, computing the correct size is
not straightforward. Ensuring that the string ends with `\0` is fine, but
if the size is not exact, some unrelated data might be sent around by the
application. So, zero it to be safe.
2017-08-31 19:32:14 +02:00
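An added example, not libsodium's code, of the two points raised in this commit and in the "Add a helper macro to compute the length of a base64 string" entry above: compute the maximum encoded size up front, and write every byte of the output buffer so that nothing stale can follow the terminator if the caller ships the whole buffer. `B64_PADDED_ENCODED_LEN`, `bin2base64`, `b64_byte_to_char`, `ct_lt`, `ct_eq` and `b64_selftest` are this example's own names; it covers only the padded, standard-alphabet variant, and maps values to the alphabet arithmetically instead of through a table so the encoder does not leak the bytes it encodes through cache timing. It assumes a 32-bit `unsigned int`.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Size of the padded base64 encoding of BIN_LEN bytes, '\0' included (example macro). */
#define B64_PADDED_ENCODED_LEN(BIN_LEN) ((((BIN_LEN) + 2U) / 3U) * 4U + 1U)

/* All-ones mask when x < y (resp. x == y), else zero; operands below 2^31, 32-bit unsigned int. */
static unsigned int ct_lt(unsigned int x, unsigned int y) { return 0U - ((x - y) >> 31); }
static unsigned int ct_eq(unsigned int x, unsigned int y) { return 0U - (((x ^ y) - 1U) >> 31); }

/* 6-bit value -> alphabet character, selected by masks rather than a table index. */
static unsigned int b64_byte_to_char(unsigned int x)
{
    return (ct_lt(x, 26U) & (x + 'A'))
         | (ct_lt(25U, x) & ct_lt(x, 52U) & (x + 'a' - 26U))
         | (ct_lt(51U, x) & ct_lt(x, 62U) & (x + '0' - 52U))
         | (ct_eq(x, 62U) & '+')
         | (ct_eq(x, 63U) & '/');
}

/* Encode bin_len bytes into b64 (standard alphabet, '=' padding). Every byte of
 * b64[0..b64_maxlen) is written: the encoding, its terminator, then zeros.
 * Returns NULL if b64_maxlen cannot hold the result, b64 otherwise. */
static char *bin2base64(char *b64, size_t b64_maxlen, const unsigned char *bin, size_t bin_len)
{
    size_t i = 0U, o = 0U;

    if (b64_maxlen < B64_PADDED_ENCODED_LEN(bin_len)) {
        return NULL;
    }
    memset(b64, 0, b64_maxlen);   /* no stale bytes survive past the terminator */
    for (; i + 3U <= bin_len; i += 3U) {
        unsigned int acc = ((unsigned int) bin[i] << 16) | ((unsigned int) bin[i + 1] << 8) | bin[i + 2];
        b64[o++] = (char) b64_byte_to_char((acc >> 18) & 63U);
        b64[o++] = (char) b64_byte_to_char((acc >> 12) & 63U);
        b64[o++] = (char) b64_byte_to_char((acc >> 6) & 63U);
        b64[o++] = (char) b64_byte_to_char(acc & 63U);
    }
    if (bin_len - i == 1U) {
        unsigned int acc = (unsigned int) bin[i] << 16;
        b64[o++] = (char) b64_byte_to_char((acc >> 18) & 63U);
        b64[o++] = (char) b64_byte_to_char((acc >> 12) & 63U);
        b64[o++] = '=';
        b64[o++] = '=';
    } else if (bin_len - i == 2U) {
        unsigned int acc = ((unsigned int) bin[i] << 16) | ((unsigned int) bin[i + 1] << 8);
        b64[o++] = (char) b64_byte_to_char((acc >> 18) & 63U);
        b64[o++] = (char) b64_byte_to_char((acc >> 12) & 63U);
        b64[o++] = (char) b64_byte_to_char((acc >> 6) & 63U);
        b64[o++] = '=';
    }
    b64[o] = '\0';                /* already zero; explicit for readers */
    return b64;
}

/* Constructed vectors; returns 1 when encoding, length bound and zero-fill all hold. */
static int b64_selftest(void)
{
    char   out[16];
    size_t k;
    int    ok = 1;

    ok &= bin2base64(out, sizeof out, (const unsigned char *) "Man", 3) != NULL && strcmp(out, "TWFu") == 0;
    ok &= bin2base64(out, sizeof out, (const unsigned char *) "Ma", 2) != NULL && strcmp(out, "TWE=") == 0;
    ok &= bin2base64(out, sizeof out, (const unsigned char *) "M", 1) != NULL && strcmp(out, "TQ==") == 0;
    ok &= bin2base64(out, sizeof out, (const unsigned char *) "hello", 5) != NULL && strcmp(out, "aGVsbG8=") == 0;
    memset(out, 'X', sizeof out);          /* pretend the buffer held something else before */
    ok &= bin2base64(out, sizeof out, (const unsigned char *) "Man", 3) != NULL;
    for (k = 5U; k < sizeof out; k++) {
        ok &= out[k] == 0;                 /* everything after "TWFu\0" was wiped */
    }
    ok &= bin2base64(out, 8, (const unsigned char *) "hello", 5) == NULL;  /* needs 9 bytes */
    ok &= B64_PADDED_ENCODED_LEN(5) == 9U && B64_PADDED_ENCODED_LEN(0) == 1U;
    return ok;
}

int main(void)
{
    const unsigned char sample[12] = { 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11 }; /* constructed */
    char                out[B64_PADDED_ENCODED_LEN(sizeof sample)];

    if (bin2base64(out, sizeof out, sample, sizeof sample) == NULL) {
        return 1;
    }
    printf("%s (self-test %s)\n", out, b64_selftest() ? "passed" : "FAILED");
    return 0;
}
```

Sizing the buffer with the macro and then letting the encoder fill all of it means a caller can write `send(fd, out, sizeof out)` or log the whole array without exposing whatever the stack held before; the masked alphabet mapping is the same idea applied to the data itself, since a table indexed by secret bytes leaves cache-line footprints.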
Frank Denis
e236df63e1 Trim empty lines 2017-08-26 17:56:18 +02:00
Frank Denis
75cfcf208c Merge branch 'master' of github.com:jedisct1/libsodium
* 'master' of github.com:jedisct1/libsodium:
  Do not clear the padding (for alignment) section of a blake2b state
2017-08-26 17:48:13 +02:00
Frank Denis
e40e0f6ddb Adjust secretstream_..._rekey() after e84336ac 2017-08-26 17:47:41 +02:00
Frank Denis
514150d8b3 Merge branch 'master' of github.com:jedisct1/libsodium
* 'master' of github.com:jedisct1/libsodium:
  Remove RUNNING_JS_OPTS for WebAssembly
  chmod +x *.sh
  chmod +x *.sh
  One more compiler assertion
  secretstream: assume the internal nonce is little endian
  Test sodium_pad() with a NULL pointer
  Regen emscripten symbols
  messagesbytes -> messagebytes
  Have generate-emscripten-symbols.sh automatically update the js/wasm build script
  Add secretstream constants
  salsa208: messagebyte -> messagebytes
  constcheck: grab a few more constants
  Update emscripten symbols list
  Update emscripten symbols list
  Bump
  Accept a NULL pointer for the padded length in sodium_pad()
2017-08-26 08:25:27 +02:00
Frank Denis
394e21884c Do not clear the padding (for alignment) section of a blake2b state
So that it's acceptable for an application to provide a state that
doesn't include padding.
2017-08-26 08:19:58 +02:00
Frank Denis
ce2ecc5966 One more compiler assertion 2017-08-25 16:21:20 +02:00
Frank Denis
e84336ac48 secretstream: assume the internal nonce is little endian
Put the counter before the random part of the nonce instead of after
2017-08-25 16:03:07 +02:00
Frank Denis
f8e535a446 messagesbytes -> messagebytes 2017-08-25 15:12:35 +02:00
Frank Denis
aa20d2e86e Add secretstream constants 2017-08-25 14:51:02 +02:00
Frank Denis
49f1d87cfe salsa208: messagebyte -> messagebytes
Spotted by constcheck
2017-08-25 14:50:24 +02:00
Frank Denis
be58b2e666 Accept a NULL pointer for the padded length in sodium_pad() 2017-08-24 15:49:50 +02:00
Frank Denis
d5574a69fa Complete sodium_pad/unpad() and add a couple tests 2017-08-17 20:54:20 +02:00
Frank Denis
b9ed93fcb8 Change the sodium_pad() API to accept a maximum buffer length
Of course, this is not required. Just like `strcat()` can be used
safely. But since the cost of this extra check is negligible, better
return `-1` than potentially overwrite unrelated memory locations.
2017-08-17 17:23:53 +02:00
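To make the guard described in this commit concrete, here is an added example, not libsodium's implementation, of ISO/IEC 7816-4 padding (a 0x80 marker followed by zero bytes up to the next block boundary, the scheme sodium_pad() is documented to use) with the maximum-buffer-length check: if the padded message would not fit in the caller's buffer, nothing is written and -1 is returned. `pad_iso7816`, `unpad_iso7816`, `pad_selftest` and the sample messages are this example's own. Unlike the library's version, this one does not hide the unpadded length from timing side channels, so it is not suitable where the message length itself is secret.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Append 0x80, then 0x00 bytes up to the next multiple of blocksize. max_buflen is
 * the real capacity of buf: if the padded message would exceed it, nothing is
 * written and -1 is returned instead of overwriting unrelated memory. */
static int pad_iso7816(size_t *padded_buflen_p, unsigned char *buf, size_t unpadded_buflen,
                       size_t blocksize, size_t max_buflen)
{
    size_t xpadlen, padded_buflen;

    if (blocksize == 0U) {
        return -1;
    }
    xpadlen       = blocksize - 1U - (unpadded_buflen % blocksize);  /* zeros after the marker */
    padded_buflen = unpadded_buflen + 1U + xpadlen;                  /* next multiple of blocksize */
    if (padded_buflen < unpadded_buflen       /* size_t wrapped around */
        || padded_buflen > max_buflen) {      /* would write past the caller's buffer */
        return -1;
    }
    buf[unpadded_buflen] = 0x80;
    memset(buf + unpadded_buflen + 1U, 0, xpadlen);
    if (padded_buflen_p != NULL) {
        *padded_buflen_p = padded_buflen;
    }
    return 0;
}

/* Inverse: find the 0x80 marker within the last block. Returns -1 when the padding is
 * malformed: no marker in the last block, a non-zero byte after it, or a length that
 * is not a whole number of blocks. */
static int unpad_iso7816(size_t *unpadded_buflen_p, const unsigned char *buf,
                         size_t padded_buflen, size_t blocksize)
{
    size_t i;

    if (blocksize == 0U || padded_buflen < blocksize || padded_buflen % blocksize != 0U) {
        return -1;
    }
    for (i = padded_buflen; i > padded_buflen - blocksize;) {
        i--;
        if (buf[i] == 0x80) {
            *unpadded_buflen_p = i;
            return 0;
        }
        if (buf[i] != 0x00) {
            return -1;
        }
    }
    return -1;                                /* a whole block with no marker */
}

/* Constructed cases; returns 1 when padding, unpadding and the capacity check behave. */
static int pad_selftest(void)
{
    unsigned char buf[32];
    size_t        padded_len, unpadded_len;
    int           ok = 1;

    memcpy(buf, "hello", 5);
    ok &= pad_iso7816(&padded_len, buf, 5, 16, sizeof buf) == 0 && padded_len == 16
          && buf[5] == 0x80 && buf[15] == 0x00;
    ok &= unpad_iso7816(&unpadded_len, buf, padded_len, 16) == 0 && unpadded_len == 5
          && memcmp(buf, "hello", 5) == 0;
    /* A full 16-byte block always grows by a whole block: 32 bytes, so a 16-byte capacity is refused. */
    memset(buf, 'A', 16);
    ok &= pad_iso7816(&padded_len, buf, 16, 16, 16) == -1;
    ok &= pad_iso7816(&padded_len, buf, 16, 16, sizeof buf) == 0 && padded_len == 32;
    /* Malformed padding: all zeros (no marker), and a non-zero byte after the marker. */
    memset(buf, 0, 16);
    ok &= unpad_iso7816(&unpadded_len, buf, 16, 16) == -1;
    memcpy(buf, "abc\x80\x01\x00\x00\x00", 8);
    ok &= unpad_iso7816(&unpadded_len, buf, 8, 4) == -1;
    return ok;
}

int main(void)
{
    unsigned char msg[64] = "attack at dawn";   /* constructed sample message */
    size_t        padded_len;

    if (pad_iso7816(&padded_len, msg, strlen("attack at dawn"), 16, sizeof msg) != 0) {
        return 1;
    }
    printf("padded to %zu bytes, self-test %s\n", padded_len, pad_selftest() ? "passed" : "FAILED");
    return 0;
}
```

The capacity argument costs one comparison and turns a silent heap or stack overwrite (a message exactly one block long needs a whole extra block, which is easy to forget) into a checkable -1; passing `sizeof buf` for it, as above, is the usual idiom.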