Frank Denis
1e57b1d455
Update comment
2017-11-06 11:10:29 +01:00
Frank Denis
7eacdc6ff0
Remove X25519-donna
2017-11-06 11:03:18 +01:00
Frank Denis
cdfd98e908
Move fe_cswap and fe_scalar_product to core
2017-11-06 10:52:03 +01:00
Frank Denis
8730d16d4b
Fix comment
2017-11-06 02:09:47 +01:00
Frank Denis
0a20032a8f
KNF
2017-11-06 02:00:32 +01:00
Frank Denis
a5b9c381e5
Shrink x25519_donna_c64; reuse functions from core
2017-11-06 01:57:05 +01:00
Frank Denis
1947a49020
Symbolically clear the round keys after aes256gcm_(en|de)crypt()
...
Fixes #617
2017-11-05 23:46:55 +01:00
Frank Denis
820bf58b93
Reduce the diff between fe_25_5/fe.h and fe_51/fe.h
2017-11-05 21:27:53 +01:00
Frank Denis
f49dd35fdf
Update paths
2017-11-05 18:26:25 +01:00
Frank Denis
bfd656b67b
core/25519: Use 51-bit limbs on platforms supporting 128 bit arithmetic
2017-11-05 17:50:15 +01:00
Frank Denis
bd82e08337
Move 25.5 bit field arithmetic to ref10/fe_25_5
2017-11-05 17:35:22 +01:00
Frank Denis
9f71f5aade
Ed25519 synthetic nonces: pad to 128 bytes boundaries, not 16.
...
Spotted by Trevor Perrin. Good catch, thanks!
2017-11-04 09:53:44 +01:00
Frank Denis
b45d52a8cf
Tolerate sodium_crit_leave() to be called on an unlocked mutex
2017-11-03 15:46:19 +01:00
Frank Denis
8e364d29db
Move d2 definition close to the d definition
2017-11-01 19:38:16 +01:00
Frank Denis
f57fcb9c26
Use the correct type for the cmov mask
2017-11-01 19:37:34 +01:00
Frank Denis
8d5b6b1fc9
Leave and immediately reenter the critical section in sodium_misuse()
...
Keep running everything in the critical section from there.
2017-11-01 01:45:02 +01:00
Frank Denis
802830e4e6
Regen precomputation tables
2017-11-01 00:08:34 +01:00
Frank Denis
a366ea0839
Tidy up curve25519_ref10, remove comments that are not relevant any more
2017-10-31 20:22:48 +01:00
Frank Denis
a3f96045d4
Remove ge_scalarmult_vartime() which is not used any more
2017-10-31 16:10:51 +01:00
Frank Denis
0b734963db
edwards25519sha512batch_open(): check order before decoding instead of after
2017-10-31 16:09:43 +01:00
Frank Denis
1cd0633186
Accept non-canonical PKs if ED25519_COMPAT is defined
2017-10-31 16:08:45 +01:00
Frank Denis
5808b83092
ed25519_open(): reject all small order public keys and non-canonical representations
2017-10-31 16:07:01 +01:00
Frank Denis
ce56bb596f
edwards25519sha512batch: reuse ge_scalarmult()
...
Check public key and R order by the way.
2017-10-31 15:56:31 +01:00
Frank Denis
52fce922f4
Add constant-time edx recovery; use it in ed25519_scalarmult()
2017-10-31 15:41:40 +01:00
Frank Denis
5468c39d7d
Don't hardcode the number of rounds
2017-10-28 21:36:01 +02:00
Frank Denis
68d8e33a55
blake2: use the same code on little & big endian for finalization
2017-10-24 22:35:23 +02:00
Frank Denis
5935cf7a7e
Use uint instead of uint64_t for SHA* padding
...
Workaround for a clang bug
2017-10-24 21:57:30 +02:00
Frank Denis
58fa4172a5
Use the output buffer as a temporary buffer to store clamped private scalars
...
This might help avoid leaving a copy of the scalar on the stack.
Also use the same parameters names in donna as other implementations.
Maybe not the best possible names, but at least, things are consistent.
2017-10-24 17:41:32 +02:00
Frank Denis
e254a654dc
Return -1 is the scalar was zero
...
This realistically only happen on misuse or with a completely broken PRG.
Calling misuse() would be a bit too intrusive here. So, we still store
the result (might be better than uninitialized memory if the application
doesn't check the return code), but return -1.
2017-10-24 17:25:37 +02:00
Frank Denis
c150ceb677
Clear the high bit the same way everywhere
2017-10-24 17:10:16 +02:00
Frank Denis
134eb2c29d
Add a comment on scalarmult usage
2017-10-23 16:27:04 +02:00
Frank Denis
f5076db5f8
Do not include scalarmult_ed25519 in minimal builds
2017-10-23 16:12:06 +02:00
Frank Denis
b5797ec61f
Add scalarmult_ed25519_base, correct is_canonical() test, add clamping helper,
...
check that the result of scalarmult_ed25519() is not the point at infinity
2017-10-23 15:36:40 +02:00
Frank Denis
d3cce09f4e
Update prototype (fe_isnonzero() -> fe_iszero())
2017-10-23 15:35:20 +02:00
Frank Denis
f1e9acef5c
Rename crypto_sign_ed25519_scalarmult() to crypto_scalarmult_ed25519()
2017-10-23 13:22:34 +02:00
Frank Denis
89bc2d6976
*_is_less_than_*() -> *_is_canonical()
...
and reject non-canonical public keys in ed25519_scalarmult()
2017-10-23 01:09:38 +02:00
Frank Denis
15649c5849
+ ge_is_less_than_p()
2017-10-23 00:00:25 +02:00
Frank Denis
9acbc82a6d
Comment
2017-10-22 23:00:37 +02:00
Frank Denis
7ae346a54a
Order
2017-10-22 21:17:03 +02:00
Frank Denis
afabd7e738
Remove neg parameter; always check with both signs; adjust blacklist
2017-10-22 20:59:54 +02:00
Frank Denis
0b835b4479
+ ge_is_on_curve()
2017-10-22 17:44:51 +02:00
Frank Denis
88417977e3
Move a couple functions from crypto_sign to crypto_core/curve25519
...
This improves clarity and makes it easier to reuse these in a
different context.
Also change fe_isnonzero() to fe_zero() and make it work as
documented.
2017-10-21 21:24:25 +02:00
Frank Denis
9fc0ece3d9
Remove unused blake2b code
2017-10-21 20:00:56 +02:00
Frank Denis
3d374fe8a9
Define uint128_t only once in private/common.h
2017-10-21 19:59:16 +02:00
Frank Denis
5a6deebd39
Add an argument to ed25519_small_order to optionally invert the sign
2017-10-20 16:07:52 +02:00
Frank Denis
bab680f35b
Implement crypto_sign_ed25519_scalarmult()
2017-10-20 02:06:02 +02:00
Frank Denis
fe5d65853b
Remove extraneous "return"
2017-10-19 23:49:32 +02:00
Frank Denis
2e8d656029
Move precomputed table where it's actually used
2017-10-19 23:13:28 +02:00
Frank Denis
8a1e08cc52
Define a generic ge_select() in additino to ge_select_base()
2017-10-19 23:11:52 +02:00
Frank Denis
fc3a62a493
cmov() -> ge_cmov() ; ge_select() -> ge_select_base()
2017-10-19 22:57:09 +02:00