mirror of https://github.com/jedisct1/libsodium.git synced 2024-12-24 12:36:01 -07:00
Commit Graph

1909 Commits

Author SHA1 Message Date
Frank Denis
06e219e165 Format 2020-05-13 14:10:04 +02:00
Frank Denis
f23c932d74 H2C: change sign computation for Ell2 to match BHKL13
https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/pull/250
2020-05-12 16:33:13 +02:00
Frank Denis
3f1586623c Deprecate non-easy secretbox 2020-05-10 22:29:25 +02:00
Frank Denis
67a9e79655 Remove memory shielding
That was a great idea to protect against information leak through
speculative loads.

Realistically, nobody is going to use this.
2020-05-10 21:05:24 +02:00
Frank Denis
bf2238bbc4 Deprecate low-level non-easy crypto boxes as well 2020-05-10 20:32:42 +02:00
Frank Denis
5bb0cdc616 Merge branch 'master' of github.com:jedisct1/libsodium
* 'master' of github.com:jedisct1/libsodium:
  Nits
  Remove unneeded casts
  Indent
2020-05-10 20:28:39 +02:00
Frank Denis
507409d59e Deprecate the non-easy crypto_box API
It is really too complicated to use.
2020-05-10 20:27:50 +02:00
Frank Denis
ce19bc7a69 Remove unneeded casts
Fixes #954
2020-05-05 01:25:42 +02:00
Frank Denis
c68b071e52 Indent 2020-05-05 01:09:22 +02:00
Frank Denis
4967aa8f23 Use inline asm if supported 2020-05-04 18:23:09 +02:00
Frank Denis
88c568a035 Nits 2020-05-02 17:54:02 +02:00
Frank Denis
809a9f9d7e Inline 2020-05-02 17:42:25 +02:00
Frank Denis
300f12c6a3 space 2020-05-02 17:13:41 +02:00
Frank Denis
8b6f5ef505 ristretto255_is_canonical(): sync with wasm-crypto
Reject strings with the top bit set.
2020-04-25 12:15:30 +02:00
Frank Denis
e768eae76d Rename a few things 2020-04-23 11:10:19 +02:00
Frank Denis
599cb10246 Merge mont->ed conversion 2020-04-21 16:13:05 +02:00
Frank Denis
29f098d237 Revert "Add the BlaBla2000 stream cipher - will eventually become the default"
This reverts commit a31fe2a966.
2020-04-21 13:35:29 +02:00
Frank Denis
72ec06c189 Comment 2020-04-21 13:35:29 +02:00
Frank Denis
f582db039f Handle identity; fix comment 2020-04-21 13:35:26 +02:00
Frank Denis
6f1c987d2e Add an assertion 2020-04-18 23:37:12 +02:00
Frank Denis
d01c49df02 H2C: convert DST encoding to suffix free
https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/pull/241
2020-04-10 09:48:26 +02:00
Frank Denis
a31fe2a966 Add the BlaBla2000 stream cipher - will eventually become the default
2000 rounds variant of the BlaBla20 cipher
for Very Post Quantum (VPQ) security.
2020-03-31 21:42:54 +02:00
Frank Denis
7d0aea6d5e Remove unused code 2020-03-31 17:37:06 +02:00
Frank Denis
d9844396e3 Fix and add HKDF tests 2020-03-31 17:14:04 +02:00
Frank Denis
5f39c3ce09 Don't force include the suite ID in tags 2020-03-31 14:33:40 +02:00
Frank Denis
89eb497efa Handle oversized contexts 2020-03-31 14:16:16 +02:00
Frank Denis
728b26c2c1 Remove edwards25519sha512batch
Tagged as deprecated for years, never imported by `<sodium.h>`, and
intentionally never documented.

`edwards25519sha512batch` was just around for ABI compatibility
with NaCl, but no projects seem to be using it.
2020-03-31 12:11:32 +02:00
Frank Denis
ac48996492 Remove crypto_core_ed25519_from_hash()
Undocumented, was deprecated for a while in stable versions,
obsoleted by `_from_string()` and `from_string_ro()`.
2020-03-31 12:04:47 +02:00
Frank Denis
2d5b9547d1 yield in spinlock on aarch64 2020-03-30 22:00:35 +02:00
Frank Denis
bf3bc8c386 Add nonnull attributes for new functions 2020-03-30 17:44:17 +02:00
Frank Denis
5fdd12fa97 Add crypto_core_ed25519_from_string() and crypto_core_ed25519_from_string_ro() 2020-03-30 17:19:36 +02:00
Frank Denis
1cedeee7fe Code cleanup 2020-03-30 16:41:21 +02:00
Frank Denis
1e7562f59b Remove useless self inclusion 2020-03-28 21:36:01 +01:00
Frank Denis
eab70f79c0 Add HKDF/SHA-512 and HKDF/SHA-256 2020-03-28 21:35:54 +01:00
Frank Denis
451bafc0d3 Include private/common.h wherever HAVE_*TRIN_H is required, for MSVC 2020-03-18 17:19:58 +01:00
Frank Denis
3881198254 Bring back explicit 64 bit xor on 64 bit archs for gcc
gcc doesn't seem to be very efficient here, especially with -O2

up
2020-03-14 17:06:16 +01:00
Frank Denis
2105fbfd46 Remove XOP stub
XOP is dead
2020-03-14 15:56:08 +01:00
Frank Denis
cce4a86f99 Reformat comments 2020-03-14 00:22:41 +01:00
Frank Denis
8e21cab950 Simplify integerify()
Make offsets 64 bit in the SSE scrypt impl
2020-03-14 00:20:23 +01:00
Frank Denis
6c4437d987 Get rid of escrypt_block_t
Fixes #937
2020-03-13 23:21:27 +01:00
Frank Denis
f3b0e32d64 Format multi-line comments consistently 2020-03-11 19:14:54 +01:00
Loup Vaillant
e7e378fad1 Secretbox: explained non-portable behavior (#936)
Addresses #934

Some tools believe that comparing pointers, *even after converting them
to integers*, is undefined. A comment acknowledging this (as well as the
necessity of the comparison to begin with), can facilitate audits.

Co-authored-by: Frank Denis <124872+jedisct1@users.noreply.github.com>
2020-03-11 19:07:54 +01:00
Loup Vaillant
4bbc34c09c Avoid memmove() call when buffers are already the same. (#935)
This completes the work started in commit
fbe3eb265f
2020-03-11 19:05:57 +01:00
Frank Denis
a0a8706c9d Revert "Use CMOV on x86_64"
This reverts commit afae623190.
2020-02-26 15:02:21 +01:00
Frank Denis
afae623190 Use CMOV on x86_64
CMOV has been constant time on all generations of x86_64 CPUs, even when
reading from memory.
2020-02-25 09:22:47 +01:00
Frank Denis
a6d317b2f3 Don't even define a .mult_base placeholder for sandy2x
Avoid two indirections for fixed base multiplication until another
implementation possibly exists.
2020-02-06 00:47:18 +01:00
Frank Denis
6a7fbccfd8 Remove sandy2x fixed base scalar multiplication
Thanks to precomputation, the generic implementation is faster.
2020-02-06 00:34:08 +01:00
Frank Denis
41c7e47efd Set a default page size to 64K (wasm/linux large pages) 2020-01-05 21:01:28 -05:00
Frank Denis
a72abb0ae1 Add missing randombytes.h inclusion in aead_aegis256.c 2019-12-04 21:07:33 +01:00
Frank Denis
066150a94d Swapped aegis256_is_available implementations 2019-10-31 09:23:33 +01:00
Frank Denis
0f8e034f97 Reorganize aead_aegis256 a bit 2019-10-23 20:03:23 +02:00
Frank Denis
728b7ef237 Add libarmcrypto.la 2019-10-23 19:30:48 +02:00
Frank Denis
c8b6906c60 has_armcrypto_aes -> has_armcrypto 2019-10-23 19:07:33 +02:00
Frank Denis
c9d80901bf __ARM_NEON is enough 2019-10-23 19:02:54 +02:00
Frank Denis
a8dc93192d On Apple devices, the ARM64_V8 subtype always has the crypto extensions 2019-10-23 17:59:17 +02:00
Frank Denis
dd5fbb632b Check for AT_HWCAP2 instead of AT_HWCAP where it's used 2019-10-22 23:24:16 +02:00
Frank Denis
1910ca83d8 Detect NEON and ARMCRYPTO on ARM32
Which doesn't mean that the compiler will support these opcodes, so
we need autoconf magic as well.
2019-10-22 23:20:15 +02:00
Frank Denis
456a57f235 __arm__ => __ARM_ARCH 2019-10-22 22:59:45 +02:00
Frank Denis
acaed459ce Add ARM NEON and AES runtime checks 2019-10-22 22:51:58 +02:00
Frank Denis
9e22cb4ad2 Nits 2019-10-21 15:14:13 +02:00
Frank Denis
111f99a2d4 Nits. No binary code change. 2019-10-21 14:52:20 +02:00
Frank Denis
8a76789de3 Add required headers for aegis256_armcrypto 2019-10-21 14:23:15 +02:00
Adrien Gallouët
fd5bc21b60 Rework NEON version of AEGIS256
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-10-21 10:56:09 +00:00
Adrien Gallouët
4542a04e1d Indent
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-10-12 06:54:58 +00:00
Frank Denis
ef89aea64e Merge pull request #884 from isislovecruft/feature/scalar-succeed-fast
Optimisation to succeed fast when checking signature scalar is reduced.
2019-10-12 02:19:42 +02:00
Frank Denis
6abc6c292a Compile only the NEON version of AEGIS256 on relevant platforms 2019-10-12 02:18:36 +02:00
Isis Lovecruft
6136871607 Optimisation to succeed fast when checking signature scalar is reduced.
This provides a minor optimisation for ed25519 signature verification, when used
without the -DED25519_COMPAT feature, to strictly check for a fully reduced
scalar, `s`, component in variable time by first checking that the most
significant *four* bits are unset, and only if any of them are set proceed to
the `sc25519_is_canonical` check which performs the full reduction.  This should
result in succeeding fast for the check on roughly half of all well-formed,
canonicalised signatures.

This is safely backwards compatible with the previous implementation
of strict checking for signature scalars.
2019-10-11 21:58:15 +00:00
Frank Denis
e1bff2608f Merge branch 'master' of github.com:jedisct1/libsodium
* 'master' of github.com:jedisct1/libsodium:
  Add -S for curl
  randombytes: make the emscripten version consistent with others
2019-09-25 17:16:43 +02:00
Frank Denis
2f915846ff randombytes: make the emscripten version consistent with others 2019-09-24 16:56:49 +02:00
Frank Denis
44b4526309 Add ARM implementation of aegis256 - Not connected to builds yet 2019-09-16 14:52:10 +02:00
Frank Denis
5990dc00d0 Fix crypto_aead_aegis256_MESSAGEBYTES_MAX 2019-09-13 19:46:57 +02:00
Frank Denis
cb4160b82c Merge pull request #869 from angt/aegis256-mac-verification
aegis256: Support mac verification when m is NULL
2019-09-13 10:39:43 +02:00
Frank Denis
1d536ffab7 Indent 2019-09-13 00:17:46 +02:00
Adrien Gallouët
0a31dd5a31 aegis256: Support mac verification when m is NULL
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-12 21:11:07 +00:00
Frank Denis
f537541a0a For clarity, don't use different terms for the same thing 2019-09-12 22:24:39 +02:00
Frank Denis
4de2620fb1 Indent 2019-09-12 20:48:52 +02:00
Adrien Gallouët
4520c080cc Define ENOSYS where it is useful
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-12 18:13:19 +00:00
Adrien Gallouët
0eecb81466 aegis256: Remove restrict
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-11 13:14:32 +00:00
Adrien Gallouët
452ac1f3ee Add AEGIS-256 (aesni only)
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-11 12:53:22 +00:00
mpex
fb8e4d00df Update utils.c
I noticed that the shielding_key is not used in sodium_mshield() (only filled in crypto_generichash())
Is the wrong key used in crypto_stream_xor?
2019-06-24 13:41:09 +02:00
Frank Denis
495fdb3693 mshield requires memory protection 2019-06-22 17:02:34 +02:00
Frank Denis
bfeca0eb73 Implement key shielding to protect against side channels
We may want to fold this into `sodium_mprotect_*()` instead of
exposing these functions.

The drawback is that a transition from PROT_NONE to PROT_READ
(or the other way round) would need an intermediary state in PROT_WRITE
for shielding/unshielding.

Shielding is also not thread-safe, while the `mprotect_*()` functions
are, and adding locks would make things more complicated than they
probably should.
2019-06-22 14:56:16 +02:00
Frank Denis
2dd3b91628 Try to rename internal symbols that were visible in static libraries
Fixes #839
2019-06-10 23:08:21 +02:00
Frank Denis
a97ab7085f argon2_pick_best_implementation() can be static 2019-06-10 20:35:43 +02:00
Frank Denis
47153bb56e Style: remove unneeded extern 2019-06-10 20:35:38 +02:00
Frank Denis
42a06fdecc common.h -> private/common.h 2019-06-10 16:24:47 +02:00
Frank Denis
7214dff083 Rename the remaining unprefixed functions
argon2_fill_first_blocks() can be static
2019-06-09 01:01:20 +02:00
Frank Denis
550622b04b Rename fill_segment_* to argon2_fill_segment_* 2019-06-09 00:19:41 +02:00
Frank Denis
9f14962388 Rename a few common internal symbols 2019-06-09 00:14:48 +02:00
Frank Denis
6723e22907 Rename PBKDF2_SHA256 to escrypt_PBKDF2_SHA256 2019-06-09 00:02:23 +02:00
Frank Denis
bdc4db7c9c Remove useless macros hiding the actual symbol names 2019-06-08 23:26:49 +02:00
Frank Denis
d855d30826 Use MAP_CONCEAL on OpenBSD 2019-06-06 11:51:57 +02:00
Frank Denis
d54f0721cd getentropy() may be defined but NULL on older iOS versions 2019-06-02 21:11:30 +02:00
Frank Denis
1707281a3a Revert "scrypt: reject r == 0 and p == 0"
This reverts commit 00c8ecd1c4.
2019-06-01 15:33:37 +02:00
Frank Denis
3e5c2531eb Back to dev mode 2019-05-30 23:05:07 +02:00
Frank Denis
252fda724c Bump 2019-05-30 15:52:09 +02:00
Frank Denis
00c8ecd1c4 scrypt: reject r == 0 and p == 0 2019-05-21 14:11:03 +02:00
Frank Denis
e24847c364 Comment 2019-05-21 10:17:35 +02:00
Frank Denis
12277ee6b5 More tests 2019-05-06 12:40:21 +02:00
Frank Denis
141de9be13 Indent 2019-05-06 12:32:42 +02:00