Commit Graph

3299 Commits

Author SHA1 Message Date
Frank Denis
0b734963db edwards25519sha512batch_open(): check order before decoding instead of after 2017-10-31 16:09:43 +01:00
Frank Denis
1cd0633186 Accept non-canonical PKs if ED25519_COMPAT is defined 2017-10-31 16:08:45 +01:00
Frank Denis
5808b83092 ed25519_open(): reject all small order public keys and non-canonical representations 2017-10-31 16:07:01 +01:00
Frank Denis
ce56bb596f edwards25519sha512batch: reuse ge_scalarmult()
Check public key and R order by the way.
2017-10-31 15:56:31 +01:00
Frank Denis
52fce922f4 Add constant-time edx recovery; use it in ed25519_scalarmult() 2017-10-31 15:41:40 +01:00
Frank Denis
5468c39d7d Don't hardcode the number of rounds 2017-10-28 21:36:01 +02:00
Michael Ellery
5dcf78a14c CMake find module fixes for static linking: (#621)
Enclose option() declaration in a defined check to allow simple caller
set() use case. Provide default static lib name for find_library since
pkgconfig for libsodium currently does not provide it.
2017-10-27 22:01:20 +02:00
Frank Denis
68d8e33a55 blake2: use the same code on little & big endian for finalization 2017-10-24 22:35:23 +02:00
Frank Denis
5935cf7a7e Use uint instead of uint64_t for SHA* padding
Workaround for a clang bug
2017-10-24 21:57:30 +02:00
Frank Denis
58fa4172a5 Use the output buffer as a temporary buffer to store clamped private scalars
This might help avoid leaving a copy of the scalar on the stack.

Also use the same parameters names in donna as other implementations.
Maybe not the best possible names, but at least, things are consistent.
2017-10-24 17:41:32 +02:00
Frank Denis
e254a654dc Return -1 is the scalar was zero
This realistically only happen on misuse or with a completely broken PRG.

Calling misuse() would be a bit too intrusive here. So, we still store
the result (might be better than uninitialized memory if the application
doesn't check the return code), but return -1.
2017-10-24 17:25:37 +02:00
Frank Denis
c150ceb677 Clear the high bit the same way everywhere 2017-10-24 17:10:16 +02:00
Frank Denis
7e75ad4ca9 Remove unused var 2017-10-23 23:43:19 +02:00
Frank Denis
134eb2c29d Add a comment on scalarmult usage 2017-10-23 16:27:04 +02:00
Frank Denis
8996c7d53d Regen emscripten symbols 2017-10-23 16:13:01 +02:00
Frank Denis
f5076db5f8 Do not include scalarmult_ed25519 in minimal builds 2017-10-23 16:12:06 +02:00
Frank Denis
b5797ec61f Add scalarmult_ed25519_base, correct is_canonical() test, add clamping helper,
check that the result of scalarmult_ed25519() is not the point at infinity
2017-10-23 15:36:40 +02:00
Frank Denis
d3cce09f4e Update prototype (fe_isnonzero() -> fe_iszero()) 2017-10-23 15:35:20 +02:00
Frank Denis
f1e9acef5c Rename crypto_sign_ed25519_scalarmult() to crypto_scalarmult_ed25519() 2017-10-23 13:22:34 +02:00
Frank Denis
89bc2d6976 *_is_less_than_*() -> *_is_canonical()
and reject non-canonical public keys in ed25519_scalarmult()
2017-10-23 01:09:38 +02:00
Frank Denis
15649c5849 + ge_is_less_than_p() 2017-10-23 00:00:25 +02:00
Frank Denis
9acbc82a6d Comment 2017-10-22 23:00:37 +02:00
Frank Denis
7ae346a54a Order 2017-10-22 21:17:03 +02:00
Frank Denis
afabd7e738 Remove neg parameter; always check with both signs; adjust blacklist 2017-10-22 20:59:54 +02:00
Frank Denis
d0e009e59d Merge branch 'master' of github.com:jedisct1/libsodium
* 'master' of github.com:jedisct1/libsodium:
  disable ssp/pie for emscripten
2017-10-22 17:45:05 +02:00
Frank Denis
0b835b4479 + ge_is_on_curve() 2017-10-22 17:44:51 +02:00
Frank Denis
a84d222d07 disable ssp/pie for emscripten 2017-10-22 01:55:28 +02:00
Frank Denis
88417977e3 Move a couple functions from crypto_sign to crypto_core/curve25519
This improves clarity and makes it easier to reuse these in a
different context.

Also change fe_isnonzero() to fe_zero() and make it work as
documented.
2017-10-21 21:24:25 +02:00
Frank Denis
9fc0ece3d9 Remove unused blake2b code 2017-10-21 20:00:56 +02:00
Frank Denis
3d374fe8a9 Define uint128_t only once in private/common.h 2017-10-21 19:59:16 +02:00
Frank Denis
58fc2dcf5b Add crypto_sign_ed25519_scalarmult to emscripten symbols 2017-10-21 19:00:54 +02:00
Frank Denis
5a6deebd39 Add an argument to ed25519_small_order to optionally invert the sign 2017-10-20 16:07:52 +02:00
Frank Denis
30ad01bdba memcpy() -> memmove() in case the seed and secret key overlap 2017-10-20 09:55:00 +02:00
Frank Denis
bab680f35b Implement crypto_sign_ed25519_scalarmult() 2017-10-20 02:06:02 +02:00
Frank Denis
fe5d65853b Remove extraneous "return" 2017-10-19 23:49:32 +02:00
Frank Denis
2e8d656029 Move precomputed table where it's actually used 2017-10-19 23:13:28 +02:00
Frank Denis
8a1e08cc52 Define a generic ge_select() in additino to ge_select_base() 2017-10-19 23:11:52 +02:00
Frank Denis
fc3a62a493 cmov() -> ge_cmov() ; ge_select() -> ge_select_base() 2017-10-19 22:57:09 +02:00
Frank Denis
a944db7a76 slide() -> slide_vartime() and move comments to the right place 2017-10-19 22:11:43 +02:00
Frank Denis
9f3a2e775b Add js & wasm to the list 2017-10-18 19:23:59 +02:00
Frank Denis
08387eea8b emscripten: actually print the installation prefix 2017-10-18 13:11:15 +02:00
Frank Denis
002fb0e82b Update AUTHORS 2017-10-14 15:37:06 +02:00
Frank Denis
f783552773 Just use constants instead of macros
In this context, they are actually less confusing.
2017-10-12 13:14:25 +02:00
Frank Denis
b1bf478086 Repair crypto_sign_ed25519_seed_keypair() 2017-10-12 13:05:57 +02:00
Frank Denis
18ab679429 sk is actually skpk, so use the right size in the prototype 2017-10-11 21:45:39 +02:00
Frank Denis
f54c6db981 sign_keygen(): don't hash the secret scalar in non-deterministic mode 2017-10-11 21:27:48 +02:00
Frank Denis
68feb75f1d nonce -> Z for clarity 2017-10-11 18:15:36 +02:00
Frank Denis
ebb614cb0e Improve clarity
No need to clamp the key prior to computing a synthetic nonce
2017-10-11 18:09:30 +02:00
Frank Denis
90f5b55a0a Move computation of synthetic nonces to a dedicated function
for clarity
2017-10-06 22:01:06 +02:00
Frank Denis
067cd6749d inline 2017-10-06 21:41:35 +02:00