Frank Denis
06e219e165
Format
2020-05-13 14:10:04 +02:00
Frank Denis
f23c932d74
H2C: change sign computation for Ell2 to match BHKL13
...
https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/pull/250
2020-05-12 16:33:13 +02:00
Frank Denis
3f1586623c
Deprecate non-easy secretbox
2020-05-10 22:29:25 +02:00
Frank Denis
67a9e79655
Remove memory shielding
...
That was a great idea to protect against information leak through
speculative loads.
Realistically, nobody is going to use this.
2020-05-10 21:05:24 +02:00
Frank Denis
bf2238bbc4
Deprecate low-level non-easy crypto boxes as well
2020-05-10 20:32:42 +02:00
Frank Denis
5bb0cdc616
Merge branch 'master' of github.com:jedisct1/libsodium
...
* 'master' of github.com:jedisct1/libsodium:
Nits
Remove unneeded casts
Indent
2020-05-10 20:28:39 +02:00
Frank Denis
507409d59e
Deprecate the non-easy crypto_box API
...
It is really too complicated to use.
2020-05-10 20:27:50 +02:00
Frank Denis
ce19bc7a69
Remove unneeded casts
...
Fixes #954
2020-05-05 01:25:42 +02:00
Frank Denis
c68b071e52
Indent
2020-05-05 01:09:22 +02:00
Frank Denis
4967aa8f23
Use inline asm if supported
2020-05-04 18:23:09 +02:00
Frank Denis
88c568a035
Nits
2020-05-02 17:54:02 +02:00
Frank Denis
809a9f9d7e
Inline
2020-05-02 17:42:25 +02:00
Frank Denis
300f12c6a3
space
2020-05-02 17:13:41 +02:00
Frank Denis
8b6f5ef505
ristretto255_is_canonical(): sync with wasm-crypto
...
Reject string with the top bit set.
2020-04-25 12:15:30 +02:00
Frank Denis
e768eae76d
Rename a few things
2020-04-23 11:10:19 +02:00
Frank Denis
599cb10246
Merge mont->ed conversion
2020-04-21 16:13:05 +02:00
Frank Denis
29f098d237
Revert "Add the BlaBla2000 stream cipher - will eventually become the default"
...
This reverts commit a31fe2a966
.
2020-04-21 13:35:29 +02:00
Frank Denis
72ec06c189
Comment
2020-04-21 13:35:29 +02:00
Frank Denis
f582db039f
Handle identity; fix comment
2020-04-21 13:35:26 +02:00
Frank Denis
6f1c987d2e
Add an assertion
2020-04-18 23:37:12 +02:00
Frank Denis
d01c49df02
H2C: convert DST encoding to suffix free
...
https://github.com/cfrg/draft-irtf-cfrg-hash-to-curve/pull/241
2020-04-10 09:48:26 +02:00
Frank Denis
a31fe2a966
Add the BlaBla2000 stream cipher - will eventually become the default
...
2000 rounds variant of the BlaBla20 cipher
for Very Post Quantum (VPQ) security.
2020-03-31 21:42:54 +02:00
Frank Denis
7d0aea6d5e
Remove unused code
2020-03-31 17:37:06 +02:00
Frank Denis
d9844396e3
Fix and add HKDF tests
2020-03-31 17:14:04 +02:00
Frank Denis
5f39c3ce09
Don't force include the suite ID in tags
2020-03-31 14:33:40 +02:00
Frank Denis
89eb497efa
Handle oversized contexts
2020-03-31 14:16:16 +02:00
Frank Denis
728b26c2c1
Remove edwards25519sha512batch
...
Tagged as deprecated for years, never imported by `<sodium.h>`, and
intentionally never documented.
`edwards25519sha512batch` was just around for ABI compatibility
with NaCl, but no projects seem to be using it.
2020-03-31 12:11:32 +02:00
Frank Denis
ac48996492
Remove crypto_core_ed25519_from_hash()
...
Undocumented, was deprecated for a while in stable versions,
obsoleted by `_from_string()` and `from_string_ro()`.
2020-03-31 12:04:47 +02:00
Frank Denis
2d5b9547d1
yield in spinlock on aarch64
2020-03-30 22:00:35 +02:00
Frank Denis
bf3bc8c386
Add nonnull attributes for new functions
2020-03-30 17:44:17 +02:00
Frank Denis
5fdd12fa97
Add crypto_core_ed25519_from_string() and crypto_core_ed25519_from_string_ro()
2020-03-30 17:19:36 +02:00
Frank Denis
1cedeee7fe
Code cleanup
2020-03-30 16:41:21 +02:00
Frank Denis
1e7562f59b
Remove useless self inclusion
2020-03-28 21:36:01 +01:00
Frank Denis
eab70f79c0
Add HKDF/SHA-512 and HKDF/SHA-256
2020-03-28 21:35:54 +01:00
Frank Denis
451bafc0d3
Include private/common.h wherever HAVE_*TRIN_H is required, for MSVC
2020-03-18 17:19:58 +01:00
Frank Denis
3881198254
Bring back explicit 64 bit xor on 64 bit archs for gcc
...
gcc doesn't seem to be very efficient here, especially with -O2
up
2020-03-14 17:06:16 +01:00
Frank Denis
2105fbfd46
Remove XOP stub
...
XOP is dead
2020-03-14 15:56:08 +01:00
Frank Denis
cce4a86f99
Reformat comments
2020-03-14 00:22:41 +01:00
Frank Denis
8e21cab950
Simplify integerify()
...
Make offsets 64 bit in the SSE scrypt impl
2020-03-14 00:20:23 +01:00
Frank Denis
6c4437d987
Get rid of escrypt_block_t
...
Fixes #937
2020-03-13 23:21:27 +01:00
Frank Denis
f3b0e32d64
Format multi-line comments consistently
2020-03-11 19:14:54 +01:00
Loup Vaillant
e7e378fad1
Secretbox: explained non-portable behavior ( #936 )
...
Addresses #934
Some tools believe that comparing pointers, *even after converting them
to integers*, is undefined. A comment acknowledging this (as well as the
necessity of the comparison to begin with), can facilitate audits.
Co-authored-by: Frank Denis <124872+jedisct1@users.noreply.github.com>
2020-03-11 19:07:54 +01:00
Loup Vaillant
4bbc34c09c
Avoid memmove() call when buffers are already the same. ( #935 )
...
This completes the work started in commit
fbe3eb265f
2020-03-11 19:05:57 +01:00
Frank Denis
a0a8706c9d
Revert "Use CMOV on x86_64"
...
This reverts commit afae623190
.
2020-02-26 15:02:21 +01:00
Frank Denis
afae623190
Use CMOV on x86_64
...
CMOV has been constant time on all generations of x86_64 CPUs, even when
reading from memory.
2020-02-25 09:22:47 +01:00
Frank Denis
a6d317b2f3
Don't even define a .mult_base placeholder for sandy2x
...
Avoid two indirections for fixed base multiplication until another
implementation possibly exists.
2020-02-06 00:47:18 +01:00
Frank Denis
6a7fbccfd8
Remove sandy2x fixed base scalar multiplication
...
Thanks to precomputation, the generic implementation is faster.
2020-02-06 00:34:08 +01:00
Frank Denis
41c7e47efd
Set a default page size to 64K (wasm/linux large pages)
2020-01-05 21:01:28 -05:00
Frank Denis
a72abb0ae1
Add missing randombytes.h inclusion in aead_aegis256.c
2019-12-04 21:07:33 +01:00
Frank Denis
066150a94d
Swapped aegis256_is_available implementations
2019-10-31 09:23:33 +01:00
Frank Denis
0f8e034f97
Reorganize aead_aegis256 a bit
2019-10-23 20:03:23 +02:00
Frank Denis
728b7ef237
Add libarmcrypto.la
2019-10-23 19:30:48 +02:00
Frank Denis
c8b6906c60
has_armcrypto_aes -> has_armcrypto
2019-10-23 19:07:33 +02:00
Frank Denis
c9d80901bf
__ARM_NEON is enough
2019-10-23 19:02:54 +02:00
Frank Denis
a8dc93192d
On Apple devices, the ARM64_V8 subtype always has the crypto extensions
2019-10-23 17:59:17 +02:00
Frank Denis
dd5fbb632b
Check for AT_HWCAP2 instead of AT_HWCAP where it's used
2019-10-22 23:24:16 +02:00
Frank Denis
1910ca83d8
Detect NEON and ARMCRYPTO on ARM32
...
Which doesn't mean that the compiler will support these opcodes, so
we need to autoconf magic as well.
2019-10-22 23:20:15 +02:00
Frank Denis
456a57f235
__arm__ => __ARM_ARCH
2019-10-22 22:59:45 +02:00
Frank Denis
acaed459ce
Add ARM NEON and AES runtime checks
2019-10-22 22:51:58 +02:00
Frank Denis
9e22cb4ad2
Nits
2019-10-21 15:14:13 +02:00
Frank Denis
111f99a2d4
Nits. No binary code change.
2019-10-21 14:52:20 +02:00
Frank Denis
8a76789de3
Add required headers for aegis256_armcrypto
2019-10-21 14:23:15 +02:00
Adrien Gallouët
fd5bc21b60
Rework NEON version of AEGIS256
...
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-10-21 10:56:09 +00:00
Adrien Gallouët
4542a04e1d
Indent
...
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-10-12 06:54:58 +00:00
Frank Denis
ef89aea64e
Merge pull request #884 from isislovecruft/feature/scalar-succeed-fast
...
Optimisation to succeed fast when checking signature scalar is reduced.
2019-10-12 02:19:42 +02:00
Frank Denis
6abc6c292a
Compile only the NEON version of AEGIS256 on relevant platforms
2019-10-12 02:18:36 +02:00
Isis Lovecruft
6136871607
Optimisation to succeed fast when checking signature scalar is reduced.
...
This provides a minor optimisation for ed25519 signature verification, when used
without the -DED25519_COMPAT feature, to strictly check for a fully reduced
scalar, `s`, component in variable time by first checking that the most
significant *four* bits are unset, and only if any of them are set proceed to
the `sc25519_is_canonical` check which performs the full reduction. This should
result in succeeding fast for the check on roughly half of all well-formed,
canonicalised signatures.
This is safely backwards compatible with the previous implementation
of strict checking for signature scalars.
2019-10-11 21:58:15 +00:00
Frank Denis
e1bff2608f
Merge branch 'master' of github.com:jedisct1/libsodium
...
* 'master' of github.com:jedisct1/libsodium:
Add -S for curl
randombytes: make the emscripten version consistent with others
2019-09-25 17:16:43 +02:00
Frank Denis
2f915846ff
randombytes: make the emscripten version consistent with others
2019-09-24 16:56:49 +02:00
Frank Denis
44b4526309
Add ARM implementation of aegis256 - Not connected to builds yet
2019-09-16 14:52:10 +02:00
Frank Denis
5990dc00d0
Fix crypto_aead_aegis256_MESSAGEBYTES_MAX
2019-09-13 19:46:57 +02:00
Frank Denis
cb4160b82c
Merge pull request #869 from angt/aegis256-mac-verification
...
aegis256: Support mac verification when m is NULL
2019-09-13 10:39:43 +02:00
Frank Denis
1d536ffab7
Indent
2019-09-13 00:17:46 +02:00
Adrien Gallouët
0a31dd5a31
aegis256: Support mac verification when m is NULL
...
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-12 21:11:07 +00:00
Frank Denis
f537541a0a
For clarity, don't use different terms for the same thing
2019-09-12 22:24:39 +02:00
Frank Denis
4de2620fb1
Indent
2019-09-12 20:48:52 +02:00
Adrien Gallouët
4520c080cc
Define ENOSYS where it is useful
...
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-12 18:13:19 +00:00
Adrien Gallouët
0eecb81466
aegis256: Remove restrict
...
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-11 13:14:32 +00:00
Adrien Gallouët
452ac1f3ee
Add AEGIS-256 (aesni only)
...
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-11 12:53:22 +00:00
mpex
fb8e4d00df
Update utils.c
...
I noticed that the shielding_key is not used in sodium_mshield() (only filled in crypto_generichash())
Is the wrong key used in crypto_stream_xor?
2019-06-24 13:41:09 +02:00
Frank Denis
495fdb3693
mshield requires memory protection
2019-06-22 17:02:34 +02:00
Frank Denis
bfeca0eb73
Implement key shielding to protect against side channels
...
We may want to fold this into `sodium_mprotect_*()` instead of
exposing these functions.
The drawback is that a transition from PROT_NONE to PROT_READ
(or the other way round) would need an intermediary state in PROT_WRITE
for shielding/unshielding.
Shielding is also not thread-safe, while the `mprotect_*()` functions
are, and adding locks would make things more complicated than they
probably should.
2019-06-22 14:56:16 +02:00
Frank Denis
2dd3b91628
Try to rename internal symbols that were visible in static libraries
...
Fixes #839
2019-06-10 23:08:21 +02:00
Frank Denis
a97ab7085f
argon2_pick_best_implementation() can be static
2019-06-10 20:35:43 +02:00
Frank Denis
47153bb56e
Style: remove unneeded extern
2019-06-10 20:35:38 +02:00
Frank Denis
42a06fdecc
common.h -> private/common.h
2019-06-10 16:24:47 +02:00
Frank Denis
7214dff083
Rename the remaining unprefixed functions
...
argon2_fill_first_blocks() can be static
2019-06-09 01:01:20 +02:00
Frank Denis
550622b04b
Rename fill_segment_* to argon2_fill_segment_*
2019-06-09 00:19:41 +02:00
Frank Denis
9f14962388
Rename a few common internal symbols
2019-06-09 00:14:48 +02:00
Frank Denis
6723e22907
Rename PBKDF2_SHA256 to escrypt_PBKDF2_SHA256
2019-06-09 00:02:23 +02:00
Frank Denis
bdc4db7c9c
Remove useless macros hiding the actual symbol names
2019-06-08 23:26:49 +02:00
Frank Denis
d855d30826
Use MAP_CONCEAL on OpenBSD
2019-06-06 11:51:57 +02:00
Frank Denis
d54f0721cd
getentropy() may be defined but NULL on older iOS versions
2019-06-02 21:11:30 +02:00
Frank Denis
1707281a3a
Revert "scrypt: reject r == 0 and p == 0"
...
This reverts commit 00c8ecd1c4
.
2019-06-01 15:33:37 +02:00
Frank Denis
3e5c2531eb
Back to dev mode
2019-05-30 23:05:07 +02:00
Frank Denis
252fda724c
Bump
2019-05-30 15:52:09 +02:00
Frank Denis
00c8ecd1c4
scrypt: reject r == 0 and p == 0
2019-05-21 14:11:03 +02:00
Frank Denis
e24847c364
Comment
2019-05-21 10:17:35 +02:00
Frank Denis
12277ee6b5
More tests
2019-05-06 12:40:21 +02:00
Frank Denis
141de9be13
Indent
2019-05-06 12:32:42 +02:00