Frank Denis
68d8e33a55
blake2: use the same code on little & big endian for finalization
2017-10-24 22:35:23 +02:00
Frank Denis
5935cf7a7e
Use uint instead of uint64_t for SHA* padding
...
Workaround for a clang bug
2017-10-24 21:57:30 +02:00
Frank Denis
58fa4172a5
Use the output buffer as a temporary buffer to store clamped private scalars
...
This might help avoid leaving a copy of the scalar on the stack.
Also use the same parameters names in donna as other implementations.
Maybe not the best possible names, but at least, things are consistent.
2017-10-24 17:41:32 +02:00
Frank Denis
e254a654dc
Return -1 is the scalar was zero
...
This realistically only happen on misuse or with a completely broken PRG.
Calling misuse() would be a bit too intrusive here. So, we still store
the result (might be better than uninitialized memory if the application
doesn't check the return code), but return -1.
2017-10-24 17:25:37 +02:00
Frank Denis
c150ceb677
Clear the high bit the same way everywhere
2017-10-24 17:10:16 +02:00
Frank Denis
7e75ad4ca9
Remove unused var
2017-10-23 23:43:19 +02:00
Frank Denis
134eb2c29d
Add a comment on scalarmult usage
2017-10-23 16:27:04 +02:00
Frank Denis
8996c7d53d
Regen emscripten symbols
2017-10-23 16:13:01 +02:00
Frank Denis
f5076db5f8
Do not include scalarmult_ed25519 in minimal builds
2017-10-23 16:12:06 +02:00
Frank Denis
b5797ec61f
Add scalarmult_ed25519_base, correct is_canonical() test, add clamping helper,
...
check that the result of scalarmult_ed25519() is not the point at infinity
2017-10-23 15:36:40 +02:00
Frank Denis
d3cce09f4e
Update prototype (fe_isnonzero() -> fe_iszero())
2017-10-23 15:35:20 +02:00
Frank Denis
f1e9acef5c
Rename crypto_sign_ed25519_scalarmult() to crypto_scalarmult_ed25519()
2017-10-23 13:22:34 +02:00
Frank Denis
89bc2d6976
*_is_less_than_*() -> *_is_canonical()
...
and reject non-canonical public keys in ed25519_scalarmult()
2017-10-23 01:09:38 +02:00
Frank Denis
15649c5849
+ ge_is_less_than_p()
2017-10-23 00:00:25 +02:00
Frank Denis
9acbc82a6d
Comment
2017-10-22 23:00:37 +02:00
Frank Denis
7ae346a54a
Order
2017-10-22 21:17:03 +02:00
Frank Denis
afabd7e738
Remove neg parameter; always check with both signs; adjust blacklist
2017-10-22 20:59:54 +02:00
Frank Denis
d0e009e59d
Merge branch 'master' of github.com:jedisct1/libsodium
...
* 'master' of github.com:jedisct1/libsodium:
disable ssp/pie for emscripten
2017-10-22 17:45:05 +02:00
Frank Denis
0b835b4479
+ ge_is_on_curve()
2017-10-22 17:44:51 +02:00
Frank Denis
a84d222d07
disable ssp/pie for emscripten
2017-10-22 01:55:28 +02:00
Frank Denis
88417977e3
Move a couple functions from crypto_sign to crypto_core/curve25519
...
This improves clarity and makes it easier to reuse these in a
different context.
Also change fe_isnonzero() to fe_zero() and make it work as
documented.
2017-10-21 21:24:25 +02:00
Frank Denis
9fc0ece3d9
Remove unused blake2b code
2017-10-21 20:00:56 +02:00
Frank Denis
3d374fe8a9
Define uint128_t only once in private/common.h
2017-10-21 19:59:16 +02:00
Frank Denis
58fc2dcf5b
Add crypto_sign_ed25519_scalarmult to emscripten symbols
2017-10-21 19:00:54 +02:00
Frank Denis
5a6deebd39
Add an argument to ed25519_small_order to optionally invert the sign
2017-10-20 16:07:52 +02:00
Frank Denis
30ad01bdba
memcpy() -> memmove() in case the seed and secret key overlap
2017-10-20 09:55:00 +02:00
Frank Denis
bab680f35b
Implement crypto_sign_ed25519_scalarmult()
2017-10-20 02:06:02 +02:00
Frank Denis
fe5d65853b
Remove extraneous "return"
2017-10-19 23:49:32 +02:00
Frank Denis
2e8d656029
Move precomputed table where it's actually used
2017-10-19 23:13:28 +02:00
Frank Denis
8a1e08cc52
Define a generic ge_select() in additino to ge_select_base()
2017-10-19 23:11:52 +02:00
Frank Denis
fc3a62a493
cmov() -> ge_cmov() ; ge_select() -> ge_select_base()
2017-10-19 22:57:09 +02:00
Frank Denis
a944db7a76
slide() -> slide_vartime() and move comments to the right place
2017-10-19 22:11:43 +02:00
Frank Denis
9f3a2e775b
Add js & wasm to the list
2017-10-18 19:23:59 +02:00
Frank Denis
08387eea8b
emscripten: actually print the installation prefix
2017-10-18 13:11:15 +02:00
Frank Denis
002fb0e82b
Update AUTHORS
2017-10-14 15:37:06 +02:00
Frank Denis
f783552773
Just use constants instead of macros
...
In this context, they are actually less confusing.
2017-10-12 13:14:25 +02:00
Frank Denis
b1bf478086
Repair crypto_sign_ed25519_seed_keypair()
2017-10-12 13:05:57 +02:00
Frank Denis
18ab679429
sk is actually skpk, so use the right size in the prototype
2017-10-11 21:45:39 +02:00
Frank Denis
f54c6db981
sign_keygen(): don't hash the secret scalar in non-deterministic mode
2017-10-11 21:27:48 +02:00
Frank Denis
68feb75f1d
nonce -> Z for clarity
2017-10-11 18:15:36 +02:00
Frank Denis
ebb614cb0e
Improve clarity
...
No need to clamp the key prior to computing a synthetic nonce
2017-10-11 18:09:30 +02:00
Frank Denis
90f5b55a0a
Move computation of synthetic nonces to a dedicated function
...
for clarity
2017-10-06 22:01:06 +02:00
Frank Denis
067cd6749d
inline
2017-10-06 21:41:35 +02:00
Frank Denis
d56007a6fa
crypto_sign(): memzero the nonce after use
2017-10-06 21:35:52 +02:00
Frank Denis
291859874b
Use the generalized eddsa algorithm for non-deterministic r
2017-10-06 21:28:02 +02:00
Frank Denis
9f98f2329c
Back to dev mode
2017-10-06 15:37:24 +02:00
Frank Denis
0dd8338b83
Add a compile-time switch to create non-deterministic signatures
2017-10-06 15:35:07 +02:00
Ryan Lester
381080bf02
libsodium.js totalMemory minor fix ( #610 )
2017-10-05 10:45:31 +02:00
Frank Denis
09ecb47a53
Use -O in debug mode
2017-10-05 10:41:15 +02:00
Frank Denis
c19946296c
FORTIFY_SOURCE -> _FORTIFY_SOURCE
2017-10-05 10:35:50 +02:00