mirror of https://github.com/jedisct1/libsodium.git synced 2024-12-29 22:31:05 -07:00
Commit Graph

1474 Commits

Author SHA1 Message Date
Frank Denis
c58cbcbd90 Indent 2017-02-26 17:13:55 +01:00
Frank Denis
9294e2e699 Revamp the salsa20 implementations and structure
- Factorize core_salsa20{20,12,8}
- Add support for multiple salsa20 implementations
- Replace the assembly SSE2 implementation with its equivalent using intrinsics
2017-02-26 16:49:15 +01:00
Frank Denis
881f8ab599 initstate -> initial_state 2017-02-26 00:11:58 +01:00
Frank Denis
4e6091b347 Merge branch 'master' of https://github.com/jedisct1/libsodium
* 'master' of https://github.com/jedisct1/libsodium:
  spelling fixes (touches code in tests) (#494)
  Feature/spelling (#495)
2017-02-25 21:00:52 +01:00
Frank Denis
1295857ae5 Remove unused macros 2017-02-25 20:59:45 +01:00
ka7
21174cddc3 Feature/spelling (#495)
* spelling fixes (comments only)

* spelling fixes (comments only)
2017-02-25 14:21:10 +01:00
Frank Denis
81e37c6aa6 Add shorthash_siphashx24_*(): 128-bit Siphash 2017-02-24 19:06:21 +01:00
Frank Denis
710c36deb9 s/portable/nacl/g 2017-02-23 12:05:09 +01:00
Frank Denis
d26c8adf84 Get rid of core_hchacha20.h 2017-02-23 12:02:56 +01:00
Frank Denis
9cd732c88d Indent 2017-02-23 11:12:18 +01:00
Frank Denis
0ccc6d7661 Indent 2017-02-23 11:06:27 +01:00
Frank Denis
32a084222a Indent 2017-02-23 10:57:18 +01:00
Frank Denis
9626d7af59 Indent, remove duplicate includes 2017-02-23 10:51:42 +01:00
Frank Denis
61adf7f777 Leverage COMPILER_ASSERT 2017-02-23 10:49:53 +01:00
Frank Denis
02c2def25e inline 2017-02-23 10:40:42 +01:00
Frank Denis
5535ff8946 Indent 2017-02-23 10:38:37 +01:00
Frank Denis
68466a7ed7 Indent, reuse COMPILER_ASSERT 2017-02-23 10:37:57 +01:00
Frank Denis
14d54b9d22 Do not invent your own types 2017-02-23 10:34:32 +01:00
Frank Denis
a60ac31ba4 Clean up the aes128ctr code 2017-02-23 10:30:44 +01:00
Frank Denis
2be6fc4800 Indent 2017-02-23 10:14:13 +01:00
Frank Denis
2838bcd04c Indent 2017-02-23 10:12:43 +01:00
Frank Denis
a70446a127 Indent 2017-02-23 10:12:04 +01:00
Frank Denis
6980d47ec2 Indent 2017-02-23 10:09:08 +01:00
Frank Denis
2a24a27afa Indent 2017-02-23 09:57:09 +01:00
Frank Denis
a1c4cf5b3c Indent 2017-02-23 09:47:12 +01:00
Frank Denis
cad6561799 Indent 2017-02-23 09:42:15 +01:00
Frank Denis
9fbd5c0c18 Indent 2017-02-23 09:39:59 +01:00
Frank Denis
b25cffb7f1 Indent 2017-02-23 09:39:02 +01:00
Frank Denis
5a843719b1 Use inlined functions instead of macros 2017-02-23 09:35:41 +01:00
Frank Denis
fe3ed40a76 Reuse ROTR64 2017-02-23 09:27:47 +01:00
Frank Denis
a3d7bc065e Reuse macros 2017-02-23 09:24:15 +01:00
Frank Denis
c06418a382 Indent 2017-02-23 09:05:47 +01:00
Frank Denis
05349aa14d Avoid multiple definitions of ROTL/ROTR macros 2017-02-23 09:01:50 +01:00
Frank Denis
9fdca4a8c9 There's pretty much nothing left from the original code 2017-02-20 21:13:59 +01:00
Frank Denis
f5673c7cc0 Avoid negating unsigned values 2017-02-20 21:12:33 +01:00
Frank Denis
76e8776839 Merge a couple more files 2017-02-20 10:32:23 +01:00
Frank Denis
bb67b383ef Drop the _api suffixes 2017-02-20 09:50:34 +01:00
Frank Denis
7e5d64834c untab 2017-02-19 21:17:42 +01:00
Frank Denis
7f7e7235c5 Add a keygen function to all the primitives 2017-02-19 21:15:54 +01:00
Frank Denis
fe3e60392c C++ compat 2017-02-19 19:03:18 +01:00
Frank Denis
eb5ff7270e Use the IETF ChaCha20 version for randombytes_buf_deterministic()
It doesn't make any difference except by limiting the maximum
length to 256 Gb. But the code for the IETF version has a higher
probability to already be used by something else than the original
version.
Enforcing a 256 Gb limit can also prevent surprises from happening
in other implementations.
2017-02-19 18:55:32 +01:00
Frank Denis
4c6b0ac762 Add aliases for stream_chacha20 sizes, similar to chacha20poly1305 2017-02-19 18:54:25 +01:00
Frank Denis
cafb0a695b Add randombytes_buf_deterministic() 2017-02-19 18:40:29 +01:00
Frank Denis
70c2796ae5 + crypto_kdf high-level API
This is a common need, and people end up reimplementing HKDF.

So, add a crypto_kdf() API similar to libhydrogen's. The latter has a
higher limit for the output length using BLAKE2X if required.

We can implement the same strategy later in libsodium if needed.
2017-02-19 18:13:10 +01:00
Frank Denis
7555ae37f0 blake2 -> blake2b 2017-02-19 17:15:41 +01:00
Frank Denis
e0150faf56 Always zero the argon2 output buffer prior to doing anything
This is consistent with what we are doing with scrypt.
On error/misuse, the buffer is zeroed; this may prevent bugs with
reused/invalid buffers.
2017-02-19 12:40:28 +01:00
Frank Denis
2c6fb87708 Set crypto_pwhash_scryptsalsa208sha256_BYTES_MIN to 128 bits 2017-02-19 12:31:05 +01:00
Frank Denis
2e4e1c66a0 Complete 08c0e03f83 2017-02-19 12:23:37 +01:00
Emil Bay
08c0e03f83 WIP: crypto_pwhash constants (#464)
* Test exposed constraint constants on crypto_pwhash

This includes the following constants for crypto_pwhash, crypto_pwhash_argon2i,
and crypto_pwhash_scryptsalsa208sha256:

- crypto_pwhash_BYTES_MIN
- crypto_pwhash_BYTES_MAX
- crypto_pwhash_PASSWD_MIN
- crypto_pwhash_PASSWD_MAX
- crypto_pwhash_OPSLIMIT_MIN
- crypto_pwhash_OPSLIMIT_MAX
- crypto_pwhash_MEMLIMIT_MIN
- crypto_pwhash_MEMLIMIT_MAX

* Expose constraint constants for crypto_pwhash

* Expose constant methods for crypto_pwhash
2017-02-19 11:19:01 +01:00
Frank Denis
20d1d048fd Merge a couple files
These are unlikely to have multiple implementations ever, unlike their
underlying primitives, so move them one folder up instead and take it
as an opportunity to merge small files.
2017-02-18 21:53:32 +01:00
Frank Denis
a329340d90 Remove the NaCl-like APIs from *xchacha20 additions
These APIs were useful with the salsa20 constructions for compatibility
with NaCl, but they are tricky to use and don't provide any benefits over
the _easy APIs.

Having them around was good for consistency with the salsa20-based ones,
but this is code that is unlikely to be used in actual projects.

So, don't include them, unless people actually ask for them.
2017-02-18 21:22:39 +01:00
Frank Denis
4c2cf071f8 Include <intrin.h> on Visual Studio for __cpuid() 2017-02-16 09:24:33 +01:00
Frank Denis
727dae49e2 Back out locks in randombytes_salsa20
These functions were not supposed to be thread-safe, and we can't
use crit_*() in the randombytes implementations anyway.
2017-02-10 18:01:06 +01:00
Frank Denis
d5fc01b317 Merge branch 'master' of https://github.com/jedisct1/libsodium
* 'master' of https://github.com/jedisct1/libsodium:
  C++ compat
2017-02-04 11:41:49 +01:00
Frank Denis
5095fc9afa Reorder 2017-02-04 11:40:20 +01:00
Frank DENIS
e59bfee281 C++ compat 2017-01-31 17:14:12 +01:00
Frank Denis
8439df646b Favor the Windows API over pthreads on mingw 2017-01-26 20:34:46 +01:00
Frank Denis
de3c0ff85e Indent 2017-01-18 20:03:26 +01:00
Frank Denis
f053b98b64 Use getrandom() on dietlibc -- via Felix von Leitner 2017-01-18 20:00:25 +01:00
Frank Denis
3633726d56 Indent 2017-01-13 19:28:18 +01:00
Frank Denis
1686da3d3c Remove the non-IETF versions of crypto_aead_xchacha20poly1305 2017-01-13 19:24:48 +01:00
Frank Denis
4e8832ed57 Merge branch 'master' of https://github.com/jedisct1/libsodium
* 'master' of https://github.com/jedisct1/libsodium:
  Indent
  xchacha20poly1305: optimize and be compatible with ietf chacha20poly1305 (#461)
2016-12-27 21:03:12 +01:00
Frank DENIS
24fd77ded3 Indent 2016-12-24 02:24:24 +01:00
Jason A. Donenfeld
6abad20323 xchacha20poly1305: optimize and be compatible with ietf chacha20poly1305 (#461)
Due to SSL, the IETF version of chacha20poly1305 is going to be the one
that's in libraries places. While the 12-byte nonce thing is a little
weird, it has other benefits, like adding padding to the auth tag, which
might help fend off certain attacks.

But more importantly, since chacha20poly1305 in the IETF construction is
lots of places, it would be useful to be able to build xchacha20poly1305
out of it. Fortunately it's very easy to make hchacha20 (either
stand-alone, or out of the normal chacha20 block function), and then
that can be composed with an existing library's chacha20poly1305. It
looks a bit like this:

    xchacha20poly1305(input, key, nonce) {
        new_key = hchacha20(key, nonce)
        return chacha20poly1305(input, new_key, nonce + 16)
    }

This is also an efficient way to do it, since it means hchacha20 must
only be computed once.

Unfortunately, non-IETF xchacha20poly1305 means that you deprive
virtually all other libraries that only support the more common
IETF construction the ability to interoperate with
libsodium, through the simple construction. Rather, it forces
everyone to reimplement the AEAD part.

So, this commit adds a xchacha20poly1305 that uses the IETF construction
with the padding.

While we're at it, we redefine xchacha20poly1305 in terms of
chacha20poly1305, which gives the same output, but computes one less
hchacha20 and is generally a lot cleaner and simpler to understand.

Signed-off-by: Jason A. Donenfeld <Jason@zx2c4.com>
2016-12-24 02:17:33 +01:00
Frank Denis
c5735ef215 Merge branch 'master' of https://github.com/jedisct1/libsodium
* 'master' of https://github.com/jedisct1/libsodium:
  Check if atomic operations are supported
  Remove a whitespace following trailing backslash in a Makefile
2016-12-17 19:00:59 +01:00
Frank Denis
d54b0b8d69 Do not include xchacha20poly1305 in minimal mode 2016-12-17 18:59:17 +01:00
Frank Denis
db97a35502 Check if atomic operations are supported 2016-12-16 16:37:12 +01:00
Frank Denis
4c6f704084 Remove a whitespace following trailing backslash in a Makefile 2016-12-16 16:20:30 +01:00
Frank Denis
9d2ac5f747 Correct an assertion and prefer compile-time assertions 2016-12-11 20:28:03 +01:00
Frank Denis
9979762bbe Indent 2016-12-11 00:01:40 +01:00
Winston Durand
9cae7b6b7c fixed GCC2 bug seeing empty statement (#449) 2016-11-30 06:52:18 +01:00
Frank Denis
157c4a80c1 + crypto_aead_xchacha20poly1305 2016-11-26 21:29:26 +01:00
Frank Denis
8b7f03ddf7 Indent 2016-11-26 21:16:42 +01:00
Frank Denis
184110ccc5 + crypto_box_curve25519xchacha20poly1305_* 2016-11-26 21:06:23 +01:00
Frank Denis
54a1357ce3 Indent 2016-11-26 20:24:58 +01:00
Frank Denis
2ace041fd9 Add secretbox_xchacha20poly1305_easy 2016-11-26 19:45:24 +01:00
Frank Denis
d4f384e388 Make crypto_secretbox_xsalsa20poly1305_open() as __warn_unused_result__ 2016-11-26 19:44:51 +01:00
Frank Denis
669ed597d0 Rename box_x*poly1305.c -> secretbox_x*poly1305.c for consistency 2016-11-26 14:12:47 +01:00
Frank Denis
2848984edf + secretbox_xchacha20poly1305 2016-11-26 14:04:23 +01:00
Frank Denis
a86ac590d6 Reformat to make the style more consistent 2016-11-26 13:40:34 +01:00
Frank Denis
5eed910c11 Cast the scalar instead of the coefficient 2016-10-30 01:13:22 +02:00
Frank Denis
71f0693ee7 Argon2i: fix encoding issues
For compatibility with hashes that might have been encoded using other libraries.
2016-10-26 22:50:38 +02:00
Frank Denis
aff4aaeabf Change the garbage value to 0xdb
If that garbage value becomes the LSB of a pointer, the pointer is more
likely to be unaligned, and trigger more bugs.
2016-10-15 18:54:56 +02:00
Frank Denis
49741c59e8 Allows RANDOMBYTES_DEFAULT_IMPLEMENTATION to be overridden 2016-10-13 22:57:01 +02:00
Frank Denis
583c16707c + crypto_stream_xchacha20 2016-09-30 22:57:56 +02:00
Frank Denis
42dc78b38b Indent 2016-09-30 08:40:15 +02:00
Frank Denis
b20d227f37 Avoid collision with a possibly existing int128 type definition 2016-09-30 08:36:50 +02:00
Frank Denis
53ee1fe758 Remove commented out code and avoid inconsistent indentation 2016-09-30 08:30:22 +02:00
Frank Denis
f257413772 uint32 -> uint32_t 2016-09-30 08:26:24 +02:00
Robert Spychala
94ea419247 add preprocessor flag to skip blocking /dev/random during libsodium init (#429) 2016-09-20 21:13:07 +02:00
Frank Denis
26e8b0253f Argon2: check that m_cost/t_cost/lanes decode to uint32 2016-09-18 09:33:35 +02:00
Frank Denis
6035c0779b Back to dev mode 2016-08-04 02:28:21 +02:00
Frank Denis
2f4f718cd9 Remove dev flag 2016-07-31 16:34:11 +02:00
Frank Denis
19a9d18b9c _MSC_VER > 1600 -> _MSC_VER >= 1700 for consistency 2016-07-24 19:58:00 +02:00
Jan-E
6b739fc821 Fix VS2010 (and VC9) x64 build 2016-07-24 02:13:22 +02:00
Frank Denis
89918e94f1 crit_{enter,leave} can fail 2016-07-06 12:03:08 +02:00
Frank Denis
29492143ab Warn if the library is being compiled in a custom way 2016-07-02 10:07:38 +02:00
Frank Denis
2cc0bab0e3 Update comment 2016-06-29 15:31:23 +02:00
Frank Denis
648f46d22a Expose sodium_crit_enter() and sodium_crit_leave() internally 2016-06-29 15:28:15 +02:00
Frank Denis
5a3ff833fd Slightly change how the length of argon2 strings is checked 2016-06-19 23:26:08 +02:00
Frank Denis
6fad3644b5 Nits 2016-06-15 16:00:59 +02:00
Aaron Zauner
77c05fce0c document why RtlGenRandom is used 2016-06-15 21:50:33 +08:00
Frank Denis
aaf6854edf Remove extra space 2016-06-08 08:34:45 +02:00
Frank Denis
9c12da0362 Don't include <immintrin.h> if it is not needed
Some environments provide <wmmintrin.h> but not <immintrin.h>
2016-05-26 06:08:26 -07:00
Frank Denis
fa4e4bf174 Fix & simplify MADV_DO{NO}DUMP alternatives 2016-05-18 22:12:07 +02:00
Lev Serebryakov
7a4c4459f8 Support madvise() on FreeBSD
FreeBSD has madvise() behaviors equivalent to MADV_DONTDUMP and MADV_DODUMP but with its own names.
Add definitions for these behaviors used in sodium_mlock() and sodium_munlock() if FreeBSD names are found and Linux ones are not.
2016-05-18 23:04:09 +03:00
Frank Denis
f01299a91b Indent 2016-05-17 23:05:04 +02:00
Samuel Neves
998bacf375 don't crash on Win32 2016-05-17 21:40:56 +01:00
Frank Denis
efb81c7290 CRLF 2016-05-17 01:41:06 +02:00
Thomas Waldmann
b9c266181b fix avx2 feature detection, fixes #395
cpuid needed to get called with EAX = 7 to get the "extended features"
(not with EAX = 1 for the "features").
2016-05-17 01:28:03 +02:00
Frank Denis
263101cfaf sandy2x: don't mix VEX and non-VEX instructions 2016-05-17 00:24:33 +02:00
Frank Denis
080dcadb69 Merge pull request #396 from langboost/master
Fixing a small documentation typo
2016-05-16 23:42:20 +02:00
Frank Denis
f361d1ccec sandy2x: clean the upper halves of the AVX registers
On Linux, with dynamic linking, upper AVX registers are not 0, which
introduces a massive performance penalty due to state transitions.

Thanks to Tung Chou and Samuel Neves for catching this, and to
@theakman2 for his initial report.
2016-05-16 23:34:03 +02:00
Jeff R
0b8cb8a543 Fixing a small documentation typo 2016-05-16 16:05:24 -05:00
Frank Denis
593599a11a Align loops 2016-05-16 12:25:35 +02:00
Frank Denis
c303c1f709 sandy2x: align branch targets 2016-05-16 12:20:15 +02:00
Frank Denis
c752eb55d9 On ancient Linux kernels, block on /dev/random before using /dev/urandom 2016-05-15 17:26:22 +02:00
Frank Denis
248f381404 Rewrite aesni_key256_expand() for clarity 2016-05-05 19:10:11 +02:00
Frank Denis
a37d2b87bf Rename REDUCE4 to MULREDUCE4 for clarity 2016-05-04 23:31:09 +02:00
Frank Denis
0f053aea52 Grammar 2016-05-04 23:09:07 +02:00
Frank Denis
44cd974be2 Remove extra CRLF 2016-04-30 11:20:14 +02:00
Frank Denis
7a667edbd0 NativeClient: use get_random_bytes directly instead of the wrapper 2016-04-29 10:51:13 +02:00
Frank Denis
681176e187 abort() if nacl_secure_random() ever returns 0 but the wrong size 2016-04-29 10:08:45 +02:00
Frank Denis
fbad64f6ef Disable asm on native client 2016-04-28 21:31:18 +02:00
Frank Denis
5f3b59c8b0 Tabify 2016-04-27 11:37:21 +02:00
Frank Denis
46539b9381 Indent 2016-04-27 00:11:00 +02:00
Frank Denis
ffd5987e7c Proper lock test on Windows 2016-04-26 01:43:00 +02:00
Frank Denis
d908d08b0d Simplify the fallback _sodium_crit_enter() code 2016-04-25 20:15:33 +02:00
Frank Denis
f8ff8ebf66 Add locks around sodium_init() 2016-04-25 18:33:11 +02:00
Frank Denis
14211cd7ea Update include guard 2016-04-22 12:01:56 +02:00
Frank Denis
b2586f5402 Use the same convention for include guards everywhere 2016-04-22 11:46:37 +02:00
Frank Denis
801fbde757 scrypt/sse - Note that B's layout is permuted compared to nosse 2016-04-21 20:37:11 +02:00
Frank Denis
2de4b3f514 Hand-roll zeroing instead of relying on memset() 2016-04-21 17:17:24 +02:00
Frank Denis
492d4b1dd6 Repair NativeClient support 2016-04-18 21:40:18 +02:00
Frank Denis
8ab4334945 if -> ifdef 2016-04-18 16:53:34 +02:00
Frank Denis
531ce5bd32 Do not use getrandom(2) on SLES11 service pack 4 2016-04-14 17:21:42 +02:00
Frank Denis
34aeee6ba5 Replace two more memcpy() with a local loop 2016-04-12 07:30:54 +02:00
Frank Denis
d7294320c4 sha{512,256}: use a local loop instead of if + memcpy()
Compilers can't figure out the max inlen value, so help them with an
explicit AND.

Unify the name of the input pointer by the way.
2016-04-12 02:14:45 +02:00
Frank Denis
bbf1e17983 Avoid bit shifting with signed values 2016-04-12 00:51:41 +02:00
Frank Denis
50e11be472 memcpy(): pointers must be valid even if the size is 0 2016-04-12 00:41:37 +02:00
Frank Denis
0a590b07b2 Decryption functions can now accept a NULL pointer for the output
This checks the MAC without writing the decrypted message.
2016-04-11 18:33:50 +02:00
Frank Denis
80310ef56c Set randombytes_implementation to NULL by default, to cope with Visual Studio 2008 2016-04-08 17:50:18 +02:00
Frank Denis
a53a9c98d2 Back to dev mode 2016-04-08 08:25:42 +02:00
Frank Denis
22ab28be0a Require Visual Studio 2010+ for AESNI 2016-04-07 18:57:07 +02:00
Frank Denis
292969b3b5 Argon2: initialize ctx{.pwd,.pwdlen} in the verify function
Keep initializing the length for clarity;
Compilers know how to optimize this out.
2016-04-07 08:19:50 +02:00
Frank Denis
1818267d64 Return -1 if crypto_generichash_final() is called twice 2016-04-06 01:00:49 +02:00
Frank Denis
97b09aba0b Move curve25519_ref10.h to include/sodium/private/ 2016-04-04 18:03:08 +02:00
Frank Denis
8df895b3ec include/sodium/private.h -> include/sodium/private/common.h 2016-04-04 17:16:32 +02:00
Frank Denis
3927cad829 Relocate sodium/common.h 2016-04-04 16:28:40 +02:00
Frank Denis
501ec7a679 Adjust another relative path for sodium/common.h 2016-04-04 08:44:59 +02:00
David Renshaw
c3b68c12d6 Fix up relative includes of sodium/common.h 2016-04-04 03:18:24 +00:00
Frank Denis
1550026a9a Explain why blake2b_param_set_digest_length() is not needed 2016-04-03 13:52:55 +02:00
Frank Denis
0716b7701e Initialize constant 2016-04-02 12:17:47 +02:00
Frank Denis
1853248f0a Consistency 2016-04-02 12:08:41 +02:00
Frank Denis
e50f1e95ab Reuse STORE64_LE whenever possible 2016-04-02 11:46:53 +02:00
Frank Denis
6ee06a9242 Include missing structures definitions 2016-04-02 09:01:03 +02:00
Frank Denis
698efbdc23 Consistency 2016-04-02 01:20:38 +02:00
Frank Denis
531c51e7a3 Stronger types for >= 16 bits shifts 2016-04-02 01:06:04 +02:00
Frank Denis
ca71815db3 ((unsigned long long) 1) -> 1ULL 2016-04-02 00:57:33 +02:00
Frank Denis
42535e0b40 (1 << x) -> (1UL << x) for compilers where sizeof(int) == 2 2016-04-02 00:54:17 +02:00
Frank Denis
95114d8592 l -> L 2016-04-02 00:44:41 +02:00
Frank Denis
5cdd950c5c Reformat 2016-04-01 20:51:05 +02:00
Frank Denis
d7f5877df5 Add crypto_pwhash_argon2i_ALG_ARGON2I13 2016-04-01 20:48:34 +02:00
Frank Denis
384e08b7f4 Require an algorithm identifier in crypto_pwhash() 2016-04-01 20:29:28 +02:00
Frank Denis
5d8c878ffb Remove mlen_p from the AEAD detached interface 2016-03-30 21:20:34 +02:00
Frank Denis
de22f38da2 Mark the _out_of_bounds() function as noreturn 2016-03-27 00:21:04 +01:00
Frank Denis
25faa47b46 Include blake2b_long prototype 2016-03-27 00:11:32 +01:00
Frank Denis
20bf121fcd 1.0.9 is almost ready to be tagged 2016-03-25 16:30:36 +01:00
Frank Denis
2aa703fcc7 Restore the previous sodium_malloc(0) behavior
If aligned memory cannot be obtained, allocate 1 byte
to always return a non-NULL pointer.
2016-03-25 16:26:37 +01:00
Frank Denis
811bdb2c5f Explicit cast; length is already checked by the caller 2016-03-25 16:00:52 +01:00
Frank Denis
fb865c9a5c More tests / lcov exclusions 2016-03-25 15:36:57 +01:00
Frank Denis
58e4cdf809 Make Argon2 encode/decode return codes consistent with other functions 2016-03-25 14:54:14 +01:00
Frank Denis
e9b7a71a38 Remove unused code 2016-03-25 12:29:25 +01:00
Frank Denis
a25569320c The version in Argon2i strings is separated from other parameters 2016-03-25 12:27:04 +01:00
Frank Denis
321e9eab2e Remove useless check 2016-03-25 10:38:50 +01:00
Frank Denis
da448c38e4 Nits 2016-03-25 09:55:37 +01:00
Frank Denis
eb13ec0cff Make sodium_malloc(0) well-defined. It always returns NULL. 2016-03-25 09:44:41 +01:00
Frank Denis
02e4b3b842 Check memory base instead of the aligned pointer
No behavior change, but it is less confusing to static analyzers
2016-03-25 09:42:32 +01:00
Frank Denis
346f8c131e More tests 2016-03-24 22:16:52 +01:00
Frank Denis
7a08f643bf Remove unused declaration 2016-03-24 21:06:07 +01:00
Frank Denis
a3a2b74bd8 Use existing functions for unaligned access in hash_sha* 2016-03-24 15:02:34 +01:00
Frank Denis
3295752821 Of course, GNU ld doesn't know about .private_extern 2016-03-22 21:26:39 +01:00
Frank Denis
bafc9c70e1 Only use .private_extern if this is supported 2016-03-22 20:42:07 +01:00
Frank Denis
26e4cf479a Reduce symbols visibility in curve25519_sandy2x 2016-03-22 19:55:07 +01:00
Frank Denis
3fb2ee07cb Add crypto_pwhash_primitive() 2016-03-21 20:59:43 +01:00
Frank Denis
1820a4239d Add missing SODIUM_EXPORT statements 2016-03-21 19:29:33 +01:00
Frank Denis
de451c23a0 Add detached versions of ChaCha20-Poly1305 2016-03-21 13:11:04 +01:00
Frank Denis
89a6f58e4d Replace some constants 2016-03-21 12:55:24 +01:00
Frank Denis
e34f3512ad clen -> clen_p 2016-03-21 12:13:11 +01:00
Frank Denis
359553f07d Add support for optional parameters to future-proof crypto_pwhash() 2016-03-21 09:38:43 +01:00
Frank Denis
33f406892f Rename CPUID bits constants for clarity 2016-03-21 03:54:10 +01:00
Frank Denis
fd440e7b4d AVX2 bit is in %ebx, not %ecx 2016-03-21 03:42:33 +01:00
Frank Denis
2b71f28c4c Double crypto_pwhash_argon2i_MEMLIMIT_INTERACTIVE 2016-03-20 17:50:27 +01:00
Frank Denis
05d82ad147 Simplify quirks for C++Builder 2016-03-18 22:13:23 +01:00
Frank Denis
a456244a95 Merge pull request #373 from jcolli44/master
Introduce C++Builder compatibility
2016-03-18 22:06:59 +01:00
Frank Denis
f0e3cb0d50 Some platforms don't define ENOSYS - use ENXIO instead on these. 2016-03-18 22:01:35 +01:00
unknown
2085693c32 Introduce C++Builder compatibility
Add new preprocessor directives to allow libsodium to be easily
built in C++Builder.
2016-03-18 14:46:00 -04:00
Frank Denis
0c06979260 Verify at compile time that blake2b_param is packed as expected 2016-03-18 10:20:56 +01:00
Frank Denis
76e3e91576 Remove unnecessary extern "C" and unused prototypes 2016-03-18 10:17:02 +01:00
Frank Denis
6c94f968e4 Remove BLAKE2s-related declarations 2016-03-18 09:59:32 +01:00
Frank Denis
0a18d18daf Consistent comment style 2016-03-18 09:56:21 +01:00
Frank Denis
a54e9402c5 Avoid BLAKE2 AVX2 implementation on Win32 2016-03-17 17:31:57 +01:00
Frank Denis
4b6667a9d3 Update Makefiles and MSVC solutions 2016-03-17 17:07:43 +01:00
Frank Denis
64fe1b2353 Indent 2016-03-17 16:53:30 +01:00
Frank Denis
7583cb26b5 Merge branch 'blakeavx2'
* blakeavx2:
  BLAKE2b AVX2 implementation By the marvellous Samuel Neves - https://github.com/sneves/blake2-avx2
2016-03-17 16:29:12 +01:00
Frank Denis
0131a72082 BLAKE2b AVX2 implementation
By the marvellous Samuel Neves - https://github.com/sneves/blake2-avx2
2016-03-17 16:24:04 +01:00
Frank Denis
8a24608fd2 Luminous beings are we, not this crude matter 2016-03-17 12:21:10 +01:00
Frank Denis
81f87df6a2 The Yoda style avoiding we can.
In a similar test above, that style we didn't use.
2016-03-17 12:21:09 +01:00
Frank Denis
6f2be3633f Argon2: avoid initial zeroing by calling fill_block() on the first pass 2016-03-17 12:21:06 +01:00
Frank Denis
7611ea6018 Add AVX2 detection 2016-03-17 11:15:18 +01:00
Frank Denis
42d906d3e9 Cacheline alignment 2016-03-17 09:27:39 +01:00
Frank Denis
a4327a90f4 Spacing 2016-03-17 09:22:09 +01:00
Frank Denis
e8dfc764d3 Add a detached API for aes256gcm 2016-03-15 11:02:25 +01:00
Frank Denis
d8845c04dd Update blake2b licensing 2016-03-13 09:12:34 +01:00
Frank Denis
630ac0913b We only support data independent addressing for Argon2
Let the compiler automatically remove unused code
2016-03-11 16:41:06 +01:00
Frank Denis
5a00dff84d p -> R for clarity 2016-03-11 13:45:39 +01:00
Frank Denis
676950d206 Remove superfluous constant type qualifiers 2016-03-10 16:43:42 +01:00
Frank Denis
ab2f22137e ed25519_verify: check for small-order R 2016-03-10 16:39:54 +01:00
Frank Denis
7597b7cc13 Check what the implications of versioned Argon2 strings will be 2016-03-10 12:26:17 +01:00
Frank Denis
805fd3589d The version number in Argon2 strings will require 5 extra bytes
Round `crypto_pwhash_argon2i_STRBYTES` up to 128
2016-03-10 12:22:13 +01:00
Frank Denis
7c5d30a6a3 Consistent indentation 2016-03-09 15:37:47 +01:00
Frank Denis
62911edb7f Ed25519: verify 0<=s<2^252+27742317777372353535851937790883648493
This reintroduces removed code to match the irtf-cfrg-eddsa draft

ED25519_COMPAT can be defined to keep the old behavior
2016-03-08 20:35:21 +01:00
Frank Denis
7d4cfbf7af pwhash_argon2i_str(): zero the output buffer even on error path 2016-03-08 13:55:04 +01:00
Frank Denis
3853d5a824 Require at least 128 bits for an Argon2i digest 2016-03-08 13:51:23 +01:00
Frank Denis
7e4f83a54d Revisit Argon2i predefined parameters 2016-03-08 11:55:03 +01:00
Frank Denis
0158b2b1fd Argon2: use negative error codes 2016-03-08 09:32:37 +01:00
Frank Denis
f4397f12d0 Remove unneeded prototypes 2016-03-06 13:55:04 +01:00
Frank Denis
ddc1bbad73 Remove unused variables 2016-03-06 13:51:42 +01:00
Frank Denis
2fb69179cd scrypt: zeroize the temporary output buffer 2016-03-06 00:08:35 +01:00
Frank Denis
edcd258417 inttypes.h -> stdint.h 2016-03-05 18:23:53 +01:00
Frank Denis
8b139cdc31 Compile optimized Argon2i impl on 32-bit MSVC 2016-03-05 18:21:59 +01:00
Frank Denis
db139ced5f MSVC analyzer FP 2016-03-05 17:56:40 +01:00
Frank Denis
b55febaafa Bump ARGON2_MIN_TIME to 3, adjust tests accordingly 2016-03-01 14:08:31 +01:00
Frank Denis
0868222732 Let core_salsa20* accept a default constant 2016-02-29 12:04:34 +01:00
Frank Denis
9fbb822281 Use stdint types a bit more 2016-02-27 16:33:22 +01:00
Frank Denis
4e9b0b67ce Let crypto_core_hsalsa20() accept NULL for the default constants 2016-02-27 16:19:38 +01:00
Frank Denis
bb596e8eb7 Trim/untab/indent 2016-02-27 13:26:42 +01:00
Frank Denis
6dc466ee8b Use a single way to do unaligned memory access/endianness conversion 2016-02-27 12:46:07 +01:00
Frank Denis
d9493834b2 Hide store32()/load32() in the header 2016-02-26 13:22:33 +01:00
Frank Denis
49c57dfe0a Faster HChaCha20 2016-02-26 13:15:36 +01:00
Frank Denis
1e2a9eb062 Faster with clang 2016-02-26 12:59:14 +01:00
Frank Denis
4d5c3976db Add HChaCha20 2016-02-26 12:50:17 +01:00
Frank Denis
ecdcfba07e Argon2: issue different error codes for VERIFY_MISMATCH and DECODING_FAIL
Only used internally, not exposed in the Sodium API
2016-02-23 15:24:37 +01:00
Frank Denis
80d24c00cc Use calloc() instead of malloc()+memset() 2016-02-19 07:40:09 +01:00
Frank Denis
4b6a909d8a Argon2: fill_block() now XORs blocks instead of overwriting them 2016-02-17 16:26:37 +01:00
Frank Denis
e153debd0d Remove ...edwards25519sha512batch_*() wrappers for the constants
The ...edwards25519sha512batch_*() functions are only here for ABI
compatibility with NaCl, where constants were only defined as macros.

Plus, these functions were only present as prototypes since 1.0.6;
the actual symbols were not defined any more.
2016-02-13 08:15:00 +01:00
Frank Denis
54915743f4 Define ZEROBYTES as BOXZEROBYTES + MACBYTES
ZEROBYTES and BOXZEROBYTES are rarely used compared to MACBYTES,
so it makes more sense to define MACBYTES and define the compat macros
based on it than the other way round.
2016-02-11 15:19:58 +01:00
Frank Denis
36e60b2d28 Wipe secret keys before public keys and nonces 2016-02-03 01:19:24 +01:00
Frank Denis
1b63773986 Comments cleanup 2016-02-01 16:08:29 +01:00
Frank Denis
7035bbb8b8 Indent 2016-01-28 14:44:41 +01:00
Frank Denis
aa2ae5642b aes256gcm_encrypt_afternm() - abort() if mlen > 2^39-256 bits 2016-01-27 14:42:32 +01:00
Frank Denis
113091b2a0 On non-ELF platforms, mark pointers as volatile, not just what they point to.
See http://sk.tl/Wj3pmI vs http://sk.tl/VNsyd9
2016-01-27 08:24:19 +01:00
Frank Denis
bd15b68569 Argon2: explicitly initialize ctx.secret to NULL 2016-01-26 11:14:40 +01:00
Frank Denis
367afac0bf Sync argon2 implementation with upstream 2016-01-24 20:35:00 +01:00
Frank Denis
31a153c937 argon2_core() -> argon2_ctx() 2016-01-23 22:52:11 +01:00
Frank Denis
8bd6c9e289 Caps 2016-01-22 16:16:15 +01:00
Frank Denis
dc4a9791a7 Add comments to argon2-encoding.c
Upstream `decode_string()` can return `ARGON2_INCORRECT_TYPE`.
This change is not merged. Either have a function return an ARGON2 constant,
have it return 0/1, or have it return 0/-1, but mixing different systems
is confusing. (encode|decode)_string() should probably all return an ARGON2
code.
2016-01-22 16:12:24 +01:00
Frank Denis
921507cc59 Add extra sodium_memzero() in Argon2 2016-01-22 16:03:09 +01:00
Frank Denis
a814810a43 Relax max sizes in argon2 decoding 2016-01-22 15:59:54 +01:00
Frank Denis
17248540e3 Add aes256gcm stubs for platforms where it is not available 2016-01-22 10:21:24 +01:00
Frank Denis
d1b028abe3 Initialize ctx->pwdlen in argon2 string decoder 2016-01-21 08:42:23 +01:00
Frank Denis
82c7c45924 zero the context, in case we forget to initialize some members 2016-01-21 08:39:47 +01:00
Frank Denis
ba415e1f4d Argon2: use existing constants more consistently
By @technion via the reference implementation
2016-01-21 08:35:53 +01:00
Frank Denis
53419d7b06 Merge pull request #348 from betafive/pbarker/blake2
Add crypt_generichash_blake2b_statebytes function
2016-01-16 20:15:00 +01:00
Paul Barker
e20291d78e Add crypt_generichash_blake2b_statebytes function
The function crypto_generichash_statebytes exists to dynamically determine the
size of a crypto_generichash_state struct. This is useful when using libsodium
from a language which can't use sizeof on C types. However, no equivalent
existed for the crypto_generichash_blake2b_state struct for users who want to
explicitly use the blake2b algorithm.

The function crypt_generichash_blake2b_statebytes is added to fill this gap.
2016-01-16 17:25:14 +00:00
Frank Denis
8c0b916729 Add new macros for chacha20poly1305_ietf constants, for clarity 2016-01-16 12:36:30 +01:00
Frank Denis
18cc1b5682 The occasional absence of braces is disturbing. 2016-01-15 21:12:34 +01:00
Frank Denis
08d3b8a19c Reuse validate_inputs() to validate parameters in argon2-encoding.c 2016-01-15 20:58:50 +01:00
Frank Denis
936667e3f1 Untab 2016-01-12 09:26:46 +01:00
Frank Denis
20ccc09018 Argon2: Let fill_{memory_blocks,segment} return an error code 2016-01-12 09:24:50 +01:00
Frank Denis
751f3b3753 Visual Studio's preprocessor doesn't support #warning 2016-01-11 11:11:43 +01:00
Frank Denis
f1ab1fd377 Add extra CRYPTO_ALIGN() required for Minix 2016-01-07 15:33:17 +01:00
Frank Denis
82ed2169b0 Make argon2i blocks allocation functions static 2015-12-30 17:30:59 +01:00
Frank Denis
ff32e8f34b argon2: memory usage is m_cost KiB, not 2^m_cost KiB 2015-12-30 00:10:57 +01:00
Frank Denis
dfa0ee2753 We don't need no external memory allocators 2015-12-30 00:09:16 +01:00
Frank Denis
1635f98638 Add sodium/crypto_pwhash.h to the distribution 2015-12-29 22:42:33 +01:00
Frank Denis
69cfab0522 We don't need the ability to use a custom allocator 2015-12-29 22:33:36 +01:00
Frank Denis
28ca446f73 argon2: don't dereference a pointer before testing it for NULL 2015-12-29 22:22:54 +01:00
Frank Denis
b5ed4cc34b Add high-level crypto_pwhash() API 2015-12-29 21:49:55 +01:00
Frank Denis
c7b9178d5a Consistent #include guards 2015-12-29 21:35:45 +01:00
Frank Denis
2bd822b1c9 Pasto 2015-12-29 19:13:48 +01:00
Frank Denis
6d9f2cae79 argon2: ensure that memory is cacheline aligned; use mmap(2) if possible 2015-12-29 19:00:52 +01:00
Frank Denis
9788147270 Require less indentation 2015-12-29 18:41:38 +01:00
Frank Denis
9ef45f8456 argon2: make blocks allocation indirect, keep the base address 2015-12-29 18:38:33 +01:00
Frank Denis
0ec2f464c8 Comment doesn't seem to be relevant any more 2015-12-29 17:53:13 +01:00
Frank Denis
96c37fc9a4 Indent 2015-12-29 17:51:00 +01:00
Frank Denis
bd44342a1e Remove unneeded extern "C" 2015-12-29 17:24:31 +01:00
Frank Denis
71056e2f75 Add missing header 2015-12-29 17:22:45 +01:00
Frank Denis
dfdf65c4f0 Add crypto_pwhash_argon2i_(memlimit|opslimit)_moderate()
Import missing crypto_pwhash_argon2i.h by the way
2015-12-29 16:07:47 +01:00
Frank Denis
387dd75e88 Require at least SSSE3 for optimized implementations 2015-12-29 15:34:16 +01:00
Frank Denis
a916ec93c1 crypto_pwhash_argon2i_*() 2015-12-29 13:29:24 +01:00
Frank Denis
da927a985f Argon2 bits - Not exposed in the API yet 2015-12-29 11:24:11 +01:00
Frank Denis
9abc0fdbd0 Back to dev mode 2015-12-28 18:51:25 +01:00
Frank Denis
35b0264cdd Get ready for the xmas release 2015-12-25 11:58:08 +01:00
Frank Denis
61fbc8eb63 lcov exclusion 2015-12-25 02:12:09 +01:00
Frank Denis
d839d74c89 lcov exclusion 2015-12-25 02:09:12 +01:00
Frank Denis
2f4603ff7e lcov exclusion 2015-12-25 02:03:27 +01:00
Frank Denis
cdd45e413a lcov exclusion 2015-12-25 01:54:49 +01:00
Frank Denis
8ca2c79a19 Annotations 2015-12-23 20:40:32 +01:00
Frank Denis
82831cb7a6 Document constants 2015-12-22 12:19:32 +01:00