Frank Denis
07b4176eca
pwhash: fill output buffer with junk prior to running the actual KDF
These functions are a little bit special, because unlike everything
else, they do dynamic memory allocations, and are more likely to fail.
Applications are expected to check the return code, and these functions
are tagged with ((warn_unused_result)) but applications may still
ignore these.
This is also an issue with JavaScript, when total memory hasn't been
properly configured.
To be safe, fill the buffer with non-deterministic bytes that are
unlikely to ever verify later.
2023-02-15 20:16:10 +01:00
Frank Denis
48af322b7a
AES-256-GCM (AES-NI): prefetch the next blocks
...while computing the GHASH of the previous blocks.
For AMD CPUs with disabled hardware prefetchers, the gain may
be significant.
2023-01-14 00:03:27 +01:00
Frank Denis
1bd73c1a68
Add crypto_kdf_hkdf_sha{256,512}_extract_{init,update,final}
2023-01-08 22:16:34 +01:00
Frank Denis
337fba6c23
2023
2023-01-05 14:06:26 +01:00
Frank Denis
415331e73b
Mention that mlock() failing is not a hard error for sodium_malloc()
2022-12-19 12:12:05 +01:00
Frank Denis
c4a9f1b2af
Add missing <stdint.h> includes
2022-12-13 20:33:09 +01:00
Frank Denis
1994ad93bd
Sync the AESNI aes_gcm_decrypt_generic() impl with the ARM one
2022-12-11 23:47:46 +01:00
Frank Denis
4482067df9
Add a test for aes256gcm_decrypt with long inputs, make it pass
2022-12-11 23:44:50 +01:00
Frank Denis
ff480f17f0
Nits
2022-12-11 23:15:06 +01:00
Frank Denis
408125a72b
Add AEGIS-256 software support
2022-12-10 00:03:42 +01:00
Frank Denis
15cceaad90
MSVC compat
2022-12-09 21:29:33 +01:00
Frank Denis
11d2fa5bb0
Add AEGIS-128L software support
2022-12-09 21:12:35 +01:00
Frank Denis
0f767c7d07
Get rid of the has_small_order() lookup table
2022-11-27 15:28:15 +01:00
Frank Denis
87ba2c4d36
Unexport _cached_ symbols, regen quirks.h
2022-11-26 22:28:08 +01:00
Frank Denis
f29f58e6ed
Leverage p3_add()/p3_sub()
2022-11-26 22:20:37 +01:00
Frank Denis
d2d8f573b7
Add ge25519_p2_to_p3(), ge25519_p3_add(), ge25519_p3_sub()
2022-11-26 22:14:24 +01:00
Frank Denis
42b4a295fc
crypto_sign_verify(): add and match the Zig test vectors
2022-11-26 21:25:47 +01:00
Frank Denis
6e8468d875
Support memset_explicit() if available
NetBSD has explicit_memset(), but C23 decided to implement the
same thing but call it memset_explicit() instead. Go figure.
2022-11-21 15:29:44 +01:00
Frank Denis
ece8e60524
AEGIS: add a specialized function to absorb the AD
2022-11-20 18:16:13 +01:00
Frank Denis
dd5c2bf23c
Make the AEGIS code for ARM and Intel similar
2022-11-17 22:32:37 +01:00
Frank Denis
af679cfb66
Add _mm_set_epi64x emulation if required
2022-11-17 13:48:45 +01:00
Frank Denis
de83673ae4
Add some sanity checks
2022-11-17 13:04:22 +01:00
Frank Denis
104de0dcd1
clsq128(): simplify squaring
2022-11-16 22:51:44 +01:00
Frank Denis
9590e64fce
salsa20: initialize partial block
A compiler trying to be too smart could notice that we are shifting
uninitialized data (even though we then discard it), and apply
unwanted optimizations.
2022-11-16 13:39:20 +01:00
Frank Denis
3105de25da
Simplify
2022-11-16 13:25:00 +01:00
Frank Denis
ae82b44b70
ghash: move addmul operation into inline functions
2022-11-14 22:07:02 +01:00
Frank Denis
8489b4d124
__vectorcall didn't exist prior to Visual Studio 2012
2022-11-14 13:12:15 +01:00
Frank Denis
ad3241a0da
Add __vectorcall to please MSVC
2022-11-14 12:51:11 +01:00
Frank Denis
479c370bc1
Require zig cc or clang for the amazing __builtin_shufflevector()
2022-11-13 23:53:28 +01:00
Frank Denis
b677924b2e
Use enum instead of integers for C++ compat
2022-11-13 22:36:54 +01:00
Frank Denis
495a16cbe0
MSVC cannot compile AES-GCM for now
2022-11-13 21:26:04 +01:00
Frank Denis
379cd8303b
Avoid C99isms
2022-11-13 21:23:19 +01:00
Frank Denis
ae8f462ad3
Avoid gcc extensions in aead_aes256gcm_aesni
2022-11-13 21:18:03 +01:00
Frank Denis
36d0196a4a
Don't try ARM Crypto implementations on big-endian yet
2022-11-13 20:56:21 +01:00
Frank Denis
f3cf71edd7
Add AES256-GCM support for ARM crypto
2022-11-13 20:23:15 +01:00
Frank Denis
45a0cef2fc
AES-NI can be available on i386
2022-11-13 19:40:39 +01:00
Frank Denis
73d039d8ca
Remove unused macro
2022-11-13 18:46:22 +01:00
Frank Denis
9b623852bd
Rewrite the AES256-GCM implementation
Faster, way more readable, easier to port to other architectures.
2022-11-13 18:42:38 +01:00
Frank Denis
a972fe6498
Indent
2022-10-21 17:54:39 +02:00
Frank Denis
992168c50f
Win32: SecureZeroMemory may not be available
2022-10-20 14:42:55 +02:00
Frank Denis
b4c5d37fb5
scalarmult(): don't use the output as a temporary buffer
So that applications can use the same pointer for the public key
and the shared secret.
2022-10-11 14:02:29 +02:00
Steve Thomas
0a6178f203
Clear decrypted block from stack (#1190)
2022-06-18 20:32:35 +02:00
Frank Denis
4bffcc63b1
sodium_compare(): cast operands to unsigned int
This matches the Zig implementation and
fixes #1184
2022-06-05 14:28:54 +02:00
Frank Denis
0124c4cddb
Indent
2022-05-11 18:13:08 +02:00
Frank Denis
f425d4d96f
Simplify blkxor()
2022-05-11 18:02:10 +02:00
Frank Denis
75bde19055
Revert "Add the shifumi128 ZKP system"
This reverts commit 6efe9ee2b5.
2022-04-02 09:32:22 +02:00
Frank Denis
6efe9ee2b5
Add the shifumi128 ZKP system
2022-03-31 20:04:51 +02:00
Frank Denis
69d15f1123
Support gcc-like and C11-like memory fences
2022-03-07 16:47:43 +01:00
Frank Denis
d4ee08ab8a
Add memory fences where supported
2022-03-07 16:38:37 +01:00
Frank Denis
fbe2c92f0d
AEGIS: rename constants to match the draft
2022-01-04 16:06:44 +01:00