1
mirror of https://github.com/jedisct1/libsodium.git synced 2024-12-24 12:36:01 -07:00
Commit Graph

1909 Commits

Author SHA1 Message Date
Frank Denis
0f8e034f97 Reorganize aead_aegis256 a bit 2019-10-23 20:03:23 +02:00
Frank Denis
728b7ef237 Add libarmcrypto.la 2019-10-23 19:30:48 +02:00
Frank Denis
c8b6906c60 has_armcrypto_aes -> has_armcrypto 2019-10-23 19:07:33 +02:00
Frank Denis
c9d80901bf __ARM_NEON is enough 2019-10-23 19:02:54 +02:00
Frank Denis
a8dc93192d On Apple devices, the ARM64_V8 subtype always has the crypto extensions 2019-10-23 17:59:17 +02:00
Frank Denis
dd5fbb632b Check for AT_HWCAP2 instead of AT_HWCAP where it's used 2019-10-22 23:24:16 +02:00
Frank Denis
1910ca83d8 Detect NEON and ARMCRYPTO on ARM32
Which doesn't mean that the compiler will support these opcodes, so
we need to autoconf magic as well.
2019-10-22 23:20:15 +02:00
Frank Denis
456a57f235 __arm__ => __ARM_ARCH 2019-10-22 22:59:45 +02:00
Frank Denis
acaed459ce Add ARM NEON and AES runtime checks 2019-10-22 22:51:58 +02:00
Frank Denis
9e22cb4ad2 Nits 2019-10-21 15:14:13 +02:00
Frank Denis
111f99a2d4 Nits. No binary code change. 2019-10-21 14:52:20 +02:00
Frank Denis
8a76789de3 Add required headers for aegis256_armcrypto 2019-10-21 14:23:15 +02:00
Adrien Gallouët
fd5bc21b60 Rework NEON version of AEGIS256
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-10-21 10:56:09 +00:00
Adrien Gallouët
4542a04e1d Indent
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-10-12 06:54:58 +00:00
Frank Denis
ef89aea64e
Merge pull request #884 from isislovecruft/feature/scalar-succeed-fast
Optimisation to succeed fast when checking signature scalar is reduced.
2019-10-12 02:19:42 +02:00
Frank Denis
6abc6c292a Compile only the NEON version of AEGIS256 on relevant platforms 2019-10-12 02:18:36 +02:00
Isis Lovecruft
6136871607
Optimisation to succeed fast when checking signature scalar is reduced.
This provides a minor optimisation for ed25519 signature verification, when used
without the -DED25519_COMPAT feature, to strictly check for a fully reduced
scalar, `s`, component in variable time by first checking that the most
significant *four* bits are unset, and only if any of them are set proceed to
the `sc25519_is_canonical` check which performs the full reduction.  This should
result in succeeding fast for the check on roughly half of all well-formed,
canonicalised signatures.

This is safely backwards compatible with the previous implementation
of strict checking for signature scalars.
2019-10-11 21:58:15 +00:00
Frank Denis
e1bff2608f Merge branch 'master' of github.com:jedisct1/libsodium
* 'master' of github.com:jedisct1/libsodium:
  Add -S for curl
  randombytes: make the emscripten version consistent with others
2019-09-25 17:16:43 +02:00
Frank Denis
2f915846ff randombytes: make the emscripten version consistent with others 2019-09-24 16:56:49 +02:00
Frank Denis
44b4526309 Add ARM implementation of aegis256 - Not connected to builds yet 2019-09-16 14:52:10 +02:00
Frank Denis
5990dc00d0 Fix crypto_aead_aegis256_MESSAGEBYTES_MAX 2019-09-13 19:46:57 +02:00
Frank Denis
cb4160b82c
Merge pull request #869 from angt/aegis256-mac-verification
aegis256: Support mac verification when m is NULL
2019-09-13 10:39:43 +02:00
Frank Denis
1d536ffab7 Indent 2019-09-13 00:17:46 +02:00
Adrien Gallouët
0a31dd5a31 aegis256: Support mac verification when m is NULL
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-12 21:11:07 +00:00
Frank Denis
f537541a0a For clarity, don't use different terms for the same thing 2019-09-12 22:24:39 +02:00
Frank Denis
4de2620fb1 Indent 2019-09-12 20:48:52 +02:00
Adrien Gallouët
4520c080cc Define ENOSYS where it is useful
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-12 18:13:19 +00:00
Adrien Gallouët
0eecb81466 aegis256: Remove restrict
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-11 13:14:32 +00:00
Adrien Gallouët
452ac1f3ee Add AEGIS-256 (aesni only)
Signed-off-by: Adrien Gallouët <adrien@gallouet.fr>
2019-09-11 12:53:22 +00:00
mpex
fb8e4d00df
Update utils.c
I noticed that the shielding_key is not used in sodium_mshield() (only filled in crypto_generichash())
Is the wrong key used in crypto_stream_xor?
2019-06-24 13:41:09 +02:00
Frank Denis
495fdb3693 mshield requires memory protection 2019-06-22 17:02:34 +02:00
Frank Denis
bfeca0eb73 Implement key shielding to protect against side channels
We may want to fold this into `sodium_mprotect_*()` instead of
exposing these functions.

The drawback is that a transition from PROT_NONE to PROT_READ
(or the other way round) would need an intermediary state in PROT_WRITE
for shielding/unshielding.

Shielding is also not thread-safe, while the `mprotect_*()` functions
are, and adding locks would make things more complicated than they
probably should.
2019-06-22 14:56:16 +02:00
Frank Denis
2dd3b91628 Try to rename internal symbols that were visible in static libraries
Fixes #839
2019-06-10 23:08:21 +02:00
Frank Denis
a97ab7085f argon2_pick_best_implementation() can be static 2019-06-10 20:35:43 +02:00
Frank Denis
47153bb56e Style: remove unneeded extern 2019-06-10 20:35:38 +02:00
Frank Denis
42a06fdecc common.h -> private/common.h 2019-06-10 16:24:47 +02:00
Frank Denis
7214dff083 Rename the remaining unprefixed functions
argon2_fill_first_blocks() can be static
2019-06-09 01:01:20 +02:00
Frank Denis
550622b04b Rename fill_segment_* to argon2_fill_segment_* 2019-06-09 00:19:41 +02:00
Frank Denis
9f14962388 Rename a few common internal symbols 2019-06-09 00:14:48 +02:00
Frank Denis
6723e22907 Rename PBKDF2_SHA256 to escrypt_PBKDF2_SHA256 2019-06-09 00:02:23 +02:00
Frank Denis
bdc4db7c9c Remove useless macros hiding the actual symbol names 2019-06-08 23:26:49 +02:00
Frank Denis
d855d30826 Use MAP_CONCEAL on OpenBSD 2019-06-06 11:51:57 +02:00
Frank Denis
d54f0721cd getentropy() may be defined but NULL on older iOS versions 2019-06-02 21:11:30 +02:00
Frank Denis
1707281a3a Revert "scrypt: reject r == 0 and p == 0"
This reverts commit 00c8ecd1c4.
2019-06-01 15:33:37 +02:00
Frank Denis
3e5c2531eb Back to dev mode 2019-05-30 23:05:07 +02:00
Frank Denis
252fda724c Bump 2019-05-30 15:52:09 +02:00
Frank Denis
00c8ecd1c4 scrypt: reject r == 0 and p == 0 2019-05-21 14:11:03 +02:00
Frank Denis
e24847c364 Comment 2019-05-21 10:17:35 +02:00
Frank Denis
12277ee6b5 More tests 2019-05-06 12:40:21 +02:00
Frank Denis
141de9be13 Indent 2019-05-06 12:32:42 +02:00
Frank Denis
06e4a485c4 More tests 2019-05-06 11:40:57 +02:00
Frank Denis
ed4e053fb0 lcov exclusions 2019-05-06 11:13:31 +02:00
Frank Denis
3d379746ee Use size_t 2019-05-06 10:57:36 +02:00
Frank Denis
c9e8e47049 SHA2 uses big-endian, but we use little-endian internally
So, we need to swap encodings in hash2base()
2019-05-05 22:50:15 +02:00
Frank Denis
80206ada63 10% speedup on AVX2 for BLAKE2b
Thanks to Shunsuke Shimizu (@grafi-tt)
2019-05-03 20:14:05 +02:00
Frank Denis
8a1ac8e11f from_hash: clear the high bit 2019-05-03 18:51:40 +02:00
Frank Denis
f1309fd752 Avoid useless pack/unpack operation 2019-05-02 15:04:31 +02:00
Frank Denis
4b7e497a92 Revert "Postpone from_hash()"
Use proper reduction, and don't mask the high bit, so that
H2C-Curve25519-SHA512-Elligator-Clear can be implemented if required
2019-05-02 13:51:12 +02:00
Frank Denis
ab1e720a30 Postpone from_hash() 2019-05-02 10:12:12 +02:00
Frank Denis
24c54073a8 Add core_ed25519_from_hash() and core_{ed25519, ristretto255}_random() 2019-05-02 00:51:17 +02:00
Frank Denis
689407c36d Rename ristretto_from_uniform() to ristretto_from_hash() 2019-05-01 19:56:08 +02:00
Fraser Hutchison
261761a02c Fix placement of alignment specifier 2019-04-27 20:34:07 +02:00
Frank Denis
39701c6157 Add missing prototype 2019-04-15 10:21:04 +02:00
Frank Denis
db6f43d25e Add crypto_core_{ed25519,ristretto255}_scalar_mul 2019-04-15 10:12:19 +02:00
Frank Denis
4d1c4bf0ba Do not include sys/random.h after defining getrandom() on Linux 2019-04-07 23:54:47 +02:00
Frank Denis
d653963ab7 Travis: reduce build verbosity 2019-04-02 16:05:33 +02:00
Frank Denis
1765c79705 Fix pasto, unbreak linux builds 2019-04-02 07:38:30 +02:00
Frank Denis
5b12922d14 Revert "Drastically improve the password hashing functions"
April fool's day is over.

This reverts commit 5dff93005e.
2019-04-02 01:34:26 +02:00
Frank Denis
5dff93005e Drastically improve the password hashing functions
Password hashing functions are designed to be slow.

Make them slower, but also useful.
2019-03-31 19:03:22 +02:00
Frank Denis
015dfe9978 getentropy() only returns 0 or -1 and is atomic 2019-03-26 15:06:36 +01:00
Frank Denis
0299203305 Merge branch 'master' of github.com:jedisct1/libsodium
* 'master' of github.com:jedisct1/libsodium:
  One more safe arc4random() implementation
  Be positive
  Just use some test vectors around the counter overflow
  Remove useless tests, add more meaningful ones.
  Remove unused var
  Additional salsa20 tests
2019-03-26 14:39:50 +01:00
Frank Denis
a6ef940634 raise() may not be available 2019-03-26 14:39:39 +01:00
Frank Denis
764742ef55 Remove unnecessary brackets 2019-03-26 14:39:34 +01:00
Frank Denis
0f1c303bf1 One more safe arc4random() implementation 2019-03-24 03:57:55 +01:00
Frank Denis
1412885351 Remove unused var 2019-03-21 01:15:35 +01:00
Frank Denis
32e36af97e Move the randombytes_block_on_dev_random() function up 2019-03-17 19:40:32 +01:00
Frank Denis
e1abc1de7e Rename randombytes_salsa20 to randombytes_internal and switch to ChaCha20 2019-03-17 19:25:32 +01:00
Frank Denis
0ea9a8f0e9 Use getentropy(2) if available, cleanup salsa20/randombytes by the way 2019-03-17 18:55:40 +01:00
Frank Denis
b5975f97e4 Nits 2019-02-23 21:32:23 +01:00
Frank Denis
eeb1f26924 Explicit cast 2019-02-20 01:02:54 +01:00
Frank Denis
d287ef763b Nits 2019-02-19 22:46:09 +01:00
Frank Denis
db0319fb8e Initial support for ristretto255 2019-02-18 00:56:48 +01:00
Frank Denis
bc5e9056eb ge25519_select() -> ge25519_cmov8() 2019-02-16 17:44:01 +01:00
Frank Denis
e6aa7e1da4 The time has come to remove support for (p)nacl 2019-02-14 14:41:09 +01:00
Frank Denis
d47ded1867 Only memset() may have issues with a zero length. 2019-02-09 20:28:41 +01:00
Ilya Maykov
6934a8d0c8 Relax most __attribute__ ((nonnull)) to allow 0-length inputs to be NULL.
Justifications:
- crypto_(auth|hash|generichash|onetimeauth|shorthash)*:
  it's legal to hash or HMAC a 0-length message
- crypto_box*: it's legal to encrypt a 0-length message
- crypto_sign*: it's legal to sign a 0-length message
- utils:
  comparing two 0-length byte arrays is legal
  memzero on a 0-length byte array is a no-op
  converting an empty hex string to binary results in an empty binary string
  converting an empty binary string to hex results in an empty hex string
  converting an empty b64 string to binary results in an empty binary string
  converting an empty binary string to b64 results in an empty b64 string
  sodium_add / sodium_sub on zero-length arrays is a no-op

For the functions declared in utils.h, I moved the logic into private functions that
have the __attribute__ ((nonnull)) check, but they are only called when the
corresponding length argument is non-0. I didn't do this for the hash/box/sign
functions since it would have been a lot more work and quite a large refactor.
2019-02-09 20:26:10 +01:00
Frank Denis
b3725dc2c9 Force clear the high bit in _noclamp variants
_noclamp variants should always be used with a scalar < L, but
if this is not the case, at least explicitly ignore the high bit.
2019-01-14 04:02:48 +01:00
Frank Denis
7eec5b8716 Back to dev mode 2019-01-07 11:48:14 +01:00
Frank Denis
358767f238 Set nonce in randombytes_salsa20_random_stir() instead of random_init() 2019-01-06 04:31:44 +01:00
Frank Denis
531b545578 Avoid partial array initialization 2019-01-05 22:58:07 +01:00
Frank Denis
48852da7cd Improve clarity 2019-01-05 14:31:44 +01:00
Frank Denis
3ab71f873f must -> should 2019-01-04 11:55:17 +01:00
Frank Denis
e45fadffb1 Add comments, avoid implicit array initialization 2019-01-03 22:44:58 +01:00
Frank Denis
1647f0d53a Add comments 2019-01-03 22:28:59 +01:00
Frank Denis
32385c6b9a Avoid negative indices, especially with unsigned types 2019-01-03 22:28:42 +01:00
Frank Denis
1cd6641cde Add an extra compile-time assertion 2019-01-03 18:52:43 +01:00
Frank Denis
74ccac9e83 Do not assume that CRYPTO_ALIGN works 2019-01-03 18:34:24 +01:00
Frank Denis
3c59cebe91 Make the blake2b and poly1305 state opaque 2019-01-03 18:18:20 +01:00
Frank Denis
e614671fc8 More paranoid AVX512 detection 2019-01-02 17:33:57 +01:00
Frank Denis
6bbcab33ed Consistent initialization 2019-01-01 22:59:23 +01:00
Frank Denis
f3ce049a98 Bump to 1.0.17
Not released yet. This is just to encourage people to test the current
code.
2018-12-30 12:04:52 +01:00
Frank Denis
f2942b9c88 Add sodium_sub(), simplify scalar_complement() and scalar_negate() 2018-12-30 10:26:44 +01:00
Frank Denis
1542d473da Add crypto_core_ed25519_scalar_complement(), _negate(), _add(), _sub() 2018-12-30 01:48:58 +01:00
Frank Denis
cff3d7f6c7 Remove unused variables 2018-12-29 16:42:09 +01:00
Frank Denis
52ff9c8980 Constify, add missing private include 2018-12-26 18:32:39 +01:00
Frank Denis
0a6e10f75f Constify 2018-12-26 18:25:16 +01:00
Frank Denis
7bc5a3da66 Constify 2018-12-26 18:19:37 +01:00
Frank Denis
c9842d9af9 Make allocate_memory() error path less confusing 2018-12-26 17:57:06 +01:00
Frank Denis
e60049aad1 Revert "Add crypto_kx_ed25519" and "Add low-level kx_curve25519 functions"
This reverts commit 2d736dc2bc.
This reverts commit 7f3bc5cd08.
2018-12-25 19:22:33 +01:00
Frank Denis
d3976446a0 ED25519_NONDETERMINISTIC: derive keys from the seed the same way
as when ED25519_NONDETERMINISTIC is not defined
2018-12-25 13:25:57 +01:00
Frank Denis
2d736dc2bc Add crypto_kx_ed25519 2018-12-25 12:46:21 +01:00
Frank Denis
7f3bc5cd08 Add low-level kx_curve25519 functions 2018-12-25 11:10:33 +01:00
Frank Denis
4cba5ff49b In prototypes, use pointers, not arrays for consistency 2018-12-24 17:38:22 +01:00
Frank Denis
59bd82edab Add a crypto_core_ed25519_NONREDUCEDSCALARBYTES constant
and reject 0 in crypto_core_ed25519_random()
2018-12-24 17:26:38 +01:00
Frank Denis
2916230061 Add a guideline 2018-12-23 18:49:56 +01:00
Frank Denis
b4617940f3 Correct sc25519_reduce() prototype 2018-12-23 18:45:28 +01:00
Frank Denis
63573bb98c Add crypto_core_ed25519_scalar_random() 2018-12-23 12:32:07 +01:00
Frank Denis
6fa0220302 Export crypto_core_ed25519_scalar_reduce, add tests 2018-12-23 02:56:11 +01:00
Frank Denis
36f2d99fac Add crypto_core_ed25519_{scalar_invert, ed25519_scalar_reduce)()
These new low-level APIs are especially useful for blinding.
2018-12-20 20:05:34 +01:00
Frank Denis
b42082d6d2 Add unclamped versions of scalarmult_ed25519*() 2018-12-18 22:46:56 +01:00
Frank Denis
536ed00d2c Merge branch 'master' of github.com:jedisct1/libsodium 2018-12-10 21:05:47 +01:00
Frank Denis
055e0ae82c Even in non-deterministic EdDSA, the actual secret key is H(sk). 2018-12-10 21:05:40 +01:00
Ilya Maykov
c60df7b9ff Made sig parameter of crypto_sign_final_verify() const 2018-12-03 21:02:31 +01:00
Frank Denis
a1dff41891 LONG_LONG_* -> LLONG_* 2018-11-11 00:00:13 +01:00
Frank Denis
52f814e50c Avoid memset(NULL, _, 0) 2018-10-18 13:49:12 +02:00
Frank Denis
67b0b476d8 Add incomplete nonnull attributes 2018-10-18 13:22:37 +02:00
Frank Denis
c4f03ededb Add a dummy return value 2018-09-30 23:49:34 +02:00
Frank Denis
82b1739b98 Add getrandom(2) support for FreeBSD 12 2018-09-30 16:44:27 -05:00
Frank Denis
9771795351 Revert "Add getrandom(2) support for FreeBSD 12"
This reverts commit 52fdd7ab39.

Due to TinyC crashing.
2018-09-29 22:53:05 +02:00
Frank Denis
9d5fcef52e Revert "TinyC now crashes on Travis when compiling sysrandom"
This reverts commit 44dccfe6d4.
2018-09-29 22:52:56 +02:00
Frank Denis
44dccfe6d4 TinyC now crashes on Travis when compiling sysrandom 2018-09-29 22:48:53 +02:00
Frank Denis
52fdd7ab39 Add getrandom(2) support for FreeBSD 12
Fixes #762
2018-09-29 22:37:39 +02:00
David Carlier
b3ba348d08 Provides explicit_memset supports/NetBSD.
Similar to explicit_bzero function is to defeat
compiler optimisation.
2018-09-29 19:19:23 +01:00
Frank Denis
b7abc4542e No need to provison for the tag if we are below SIZE_MAX 2018-09-12 15:22:30 +02:00
Frank Denis
f0e5c3940d Substract the number of blocks, and make similar code more uniform 2018-09-12 15:19:56 +02:00
Frank Denis
3574ab879e Do not even use untested code in non-production environments 2018-09-12 14:53:16 +02:00
Frank Denis
5a7290ce6a Make this warning more difficult to ignore 2018-09-12 14:51:03 +02:00
Frank Denis
43909c1ffb Allow ic + mlen to overflow a size_t in chacha20_ietf_xor_ic() 2018-09-12 08:40:22 +02:00
Frank Denis
bea8839c6b Do not count the overhead in xchacha20poly1305_MESSAGEBYTES_MAX 2018-09-12 08:19:12 +02:00
Frank Denis
04a7ab95f2 Don't mix lengths and block sizes 2018-09-10 19:57:06 +02:00
Frank Denis
3e9d341d06 Add crypto_stream_chacha20_ietf_ext, use _ext suffix everywhere for consistency 2018-09-08 14:54:12 +02:00
Frank Denis
cf217e3dfc Call misuse() if we ask too much data from the IETF variant of ChaCha20
Fix #753
2018-09-08 02:12:23 +02:00
Frank Denis
ab4ab23d57 x25519_ref: ignore the high bit in the small order PK check 2018-08-29 16:04:40 +02:00
Frank Denis
1ec6edc1a8 Indent 2018-08-27 12:29:49 +02:00
Jakob Rieck
543b5ad068 Fixes padding for blocksizes > 256 2018-08-27 11:42:49 +02:00
Frank Denis
7cdf3f0e84 strnlen() may not be available everywhere 2018-07-22 21:54:38 +02:00
Frank Denis
922e4dcd9e Merge branch 'master' of github.com:jedisct1/libsodium
* 'master' of github.com:jedisct1/libsodium:
  Invert (1-y) just before the multiplication by (1+y) for readability
  Nits
2018-07-22 21:40:39 +02:00
Frank Denis
74ba82210e memchr() can process its input in any order
Fixes #737
2018-07-22 21:26:31 +02:00
Frank Denis
d25d6ce7fb Invert (1-y) just before the multiplication by (1+y) for readability 2018-07-21 00:43:39 +02:00
Frank Denis
91d9051bce Nits 2018-07-19 14:44:17 +02:00