Frank Denis
134eb2c29d
Add a comment on scalarmult usage
2017-10-23 16:27:04 +02:00
Frank Denis
f5076db5f8
Do not include scalarmult_ed25519 in minimal builds
2017-10-23 16:12:06 +02:00
Frank Denis
b5797ec61f
Add scalarmult_ed25519_base, correct is_canonical() test, add clamping helper,
...
check that the result of scalarmult_ed25519() is not the point at infinity
2017-10-23 15:36:40 +02:00
Frank Denis
d3cce09f4e
Update prototype (fe_isnonzero() -> fe_iszero())
2017-10-23 15:35:20 +02:00
Frank Denis
f1e9acef5c
Rename crypto_sign_ed25519_scalarmult() to crypto_scalarmult_ed25519()
2017-10-23 13:22:34 +02:00
Frank Denis
89bc2d6976
*_is_less_than_*() -> *_is_canonical()
...
and reject non-canonical public keys in ed25519_scalarmult()
2017-10-23 01:09:38 +02:00
Frank Denis
15649c5849
+ ge_is_less_than_p()
2017-10-23 00:00:25 +02:00
Frank Denis
9acbc82a6d
Comment
2017-10-22 23:00:37 +02:00
Frank Denis
7ae346a54a
Order
2017-10-22 21:17:03 +02:00
Frank Denis
afabd7e738
Remove neg parameter; always check with both signs; adjust blacklist
2017-10-22 20:59:54 +02:00
Frank Denis
0b835b4479
+ ge_is_on_curve()
2017-10-22 17:44:51 +02:00
Frank Denis
88417977e3
Move a couple functions from crypto_sign to crypto_core/curve25519
...
This improves clarity and makes it easier to reuse these in a
different context.
Also change fe_isnonzero() to fe_zero() and make it work as
documented.
2017-10-21 21:24:25 +02:00
Frank Denis
9fc0ece3d9
Remove unused blake2b code
2017-10-21 20:00:56 +02:00
Frank Denis
3d374fe8a9
Define uint128_t only once in private/common.h
2017-10-21 19:59:16 +02:00
Frank Denis
5a6deebd39
Add an argument to ed25519_small_order to optionally invert the sign
2017-10-20 16:07:52 +02:00
Frank Denis
bab680f35b
Implement crypto_sign_ed25519_scalarmult()
2017-10-20 02:06:02 +02:00
Frank Denis
fe5d65853b
Remove extraneous "return"
2017-10-19 23:49:32 +02:00
Frank Denis
2e8d656029
Move precomputed table where it's actually used
2017-10-19 23:13:28 +02:00
Frank Denis
8a1e08cc52
Define a generic ge_select() in additino to ge_select_base()
2017-10-19 23:11:52 +02:00
Frank Denis
fc3a62a493
cmov() -> ge_cmov() ; ge_select() -> ge_select_base()
2017-10-19 22:57:09 +02:00
Frank Denis
a944db7a76
slide() -> slide_vartime() and move comments to the right place
2017-10-19 22:11:43 +02:00
Frank Denis
f783552773
Just use constants instead of macros
...
In this context, they are actually less confusing.
2017-10-12 13:14:25 +02:00
Frank Denis
b1bf478086
Repair crypto_sign_ed25519_seed_keypair()
2017-10-12 13:05:57 +02:00
Frank Denis
18ab679429
sk is actually skpk, so use the right size in the prototype
2017-10-11 21:45:39 +02:00
Frank Denis
f54c6db981
sign_keygen(): don't hash the secret scalar in non-deterministic mode
2017-10-11 21:27:48 +02:00
Frank Denis
68feb75f1d
nonce -> Z for clarity
2017-10-11 18:15:36 +02:00
Frank Denis
ebb614cb0e
Improve clarity
...
No need to clamp the key prior to computing a synthetic nonce
2017-10-11 18:09:30 +02:00
Frank Denis
90f5b55a0a
Move computation of synthetic nonces to a dedicated function
...
for clarity
2017-10-06 22:01:06 +02:00
Frank Denis
067cd6749d
inline
2017-10-06 21:41:35 +02:00
Frank Denis
d56007a6fa
crypto_sign(): memzero the nonce after use
2017-10-06 21:35:52 +02:00
Frank Denis
291859874b
Use the generalized eddsa algorithm for non-deterministic r
2017-10-06 21:28:02 +02:00
Frank Denis
9f98f2329c
Back to dev mode
2017-10-06 15:37:24 +02:00
Frank Denis
0dd8338b83
Add a compile-time switch to create non-deterministic signatures
2017-10-06 15:35:07 +02:00
Frank Denis
affaecabcd
Include prototypes before declarations
2017-10-05 10:15:24 +02:00
Frank Denis
d3e20869af
crypto_pwhash_ALG_DEFAULT is now Argon2id
2017-10-01 12:12:13 +02:00
Frank Denis
d49d7e8d4f
pwhash: don't enforce the same limits for argon2i and argon2id
...
Fixes #606
Also, keep enforcing a minimum number of iterations to create argon2i
hashes, but relax that restriction for verification, as it can be
useful to migrate from hashes made using other libraries.
2017-10-01 11:02:46 +02:00
Frank Denis
2542367c2d
secretstream: set the initial counter to 1
...
Avoids using the first block for two different purposes, and will be more
consistent with the AES-based version.
This breaks backwards compatibility, but better do it now that most distro are
still shipping < 1.0.14, that no applications seem to be already using that new
API, and that there will be an update to the library major due to the aes128ctr
removal.
2017-10-01 10:08:04 +02:00
Frank Denis
96be673f82
Remove aes128ctr
2017-09-27 15:07:54 +02:00
Frank Denis
2a9c81b5c4
Explain why pwhash parameters must be stored
2017-09-26 21:33:54 +02:00
Frank Denis
93c386cb6c
Mention when the state will eventually be cleared
2017-09-26 21:28:08 +02:00
Frank Denis
d338ae9512
Properly support Argon2id in crypto_pwhash()
2017-09-26 17:12:58 +02:00
Frank Denis
491f785274
deinit
2017-09-25 16:33:30 +02:00
Frank Denis
94550cefd5
Remove dev #warning
2017-09-21 11:41:01 +02:00
Frank Denis
3e0b4dec6e
Add sodium_base64_encoded_len()
2017-09-21 11:25:09 +02:00
Frank Denis
4ce2856a5d
Avoid negations on unsigned values
2017-09-21 11:23:37 +02:00
Frank Denis
7e06a6a991
Annotate
2017-09-21 00:30:37 +02:00
Frank Denis
91233a0143
Tag salsa208 as deprecated
2017-09-19 23:56:12 +02:00
Frank Denis
3db75fc647
No need for ge_scalarmult_vartime() in minimal mode
2017-09-19 22:16:49 +02:00
Frank Denis
7423408cd3
Make the behavior of hex2bin() consistent with base642bin()
...
Return -1 on incomplete sequences and on complete sequences
with trailing, non-ignored characters if no pointers to store the
last parsed byte has been provided
2017-09-19 18:45:23 +02:00
Frank Denis
c7fe84cfb0
Skip trailing ignored characters in base64 decoding
2017-09-19 15:09:29 +02:00