Frank Denis
b93d773f7b
Add sodium_stackzero()
2017-11-10 20:48:05 +01:00
Frank Denis
40070b342a
Initialize the argon2 position structure a bit earlier
2017-11-08 12:56:33 +01:00
Frank Denis
8ab638b983
argon2: let fill_memory_blocks() accept a pass counter
2017-11-08 12:53:37 +01:00
Frank Denis
06f5c9a773
Funky indentation
2017-11-08 00:16:53 +01:00
Frank Denis
aa06d871ba
Indent
2017-11-07 01:07:22 +01:00
Frank Denis
a9b6eda279
+ UNPOISON macro
2017-11-06 23:57:23 +01:00
Frank Denis
ce3ca605a3
Better poison
2017-11-06 23:42:40 +01:00
Frank Denis
e73e2ee2c2
Define a POISON macro
2017-11-06 23:41:50 +01:00
Frank Denis
bd0e0303f9
Comment
2017-11-06 23:34:41 +01:00
Frank Denis
f8de352e6d
Reduce nesting, improve readability
2017-11-06 21:55:20 +01:00
Frank Denis
1621448f6c
Consistent spacing
2017-11-06 21:31:46 +01:00
Frank Denis
fd14a458d7
Use verbose prototypes
Having only parameter types in prototypes is confusing.
So, include parameter names as well.
2017-11-06 20:19:50 +01:00
Frank Denis
780974a109
sc_* -> sc25519_*
2017-11-06 20:13:47 +01:00
Frank Denis
e371a870f3
ge_* -> ge25519_*
2017-11-06 20:05:33 +01:00
Frank Denis
fb2e83a4d1
fe -> fe25519
2017-11-06 19:40:28 +01:00
Frank Denis
4bd6196c96
Move functions not worth inlining back to core
2017-11-06 15:06:21 +01:00
Frank Denis
221350c78a
Import fe constants
2017-11-06 14:35:41 +01:00
Frank Denis
f954997fc3
Move field arithmetic to include/private/, and make everything static
to get some inlining.
2017-11-06 14:32:01 +01:00
Frank Denis
2e7b8e1de9
Still #define the fe & ge types for now
2017-11-06 11:47:00 +01:00
Frank Denis
55a6b6bb46
Remove these useless #define
2017-11-06 11:42:02 +01:00
Frank Denis
1e57b1d455
Update comment
2017-11-06 11:10:29 +01:00
Frank Denis
7eacdc6ff0
Remove X25519-donna
2017-11-06 11:03:18 +01:00
Frank Denis
cdfd98e908
Move fe_cswap and fe_scalar_product to core
2017-11-06 10:52:03 +01:00
Frank Denis
8730d16d4b
Fix comment
2017-11-06 02:09:47 +01:00
Frank Denis
0a20032a8f
KNF
2017-11-06 02:00:32 +01:00
Frank Denis
a5b9c381e5
Shrink x25519_donna_c64; reuse functions from core
2017-11-06 01:57:05 +01:00
Frank Denis
28cac20a7b
Symbolically clear the round keys after aes256gcm_(en|de)crypt()
Fixes #617
2017-11-05 23:53:25 +01:00
Frank Denis
1947a49020
Symbolically clear the round keys after aes256gcm_(en|de)crypt()
Fixes #617
2017-11-05 23:46:55 +01:00
Frank Denis
820bf58b93
Reduce the diff between fe_25_5/fe.h and fe_51/fe.h
2017-11-05 21:27:53 +01:00
Frank Denis
f49dd35fdf
Update paths
2017-11-05 18:26:25 +01:00
Frank Denis
bfd656b67b
core/25519: Use 51-bit limbs on platforms supporting 128 bit arithmetic
2017-11-05 17:50:15 +01:00
Frank Denis
bd82e08337
Move 25.5 bit field arithmetic to ref10/fe_25_5
2017-11-05 17:35:22 +01:00
Frank Denis
7b05b7da50
Ed25519 synthetic nonces: pad to 128 bytes boundaries, not 16.
Spotted by Trevor Perrin. Good catch, thanks!
2017-11-04 09:57:06 +01:00
Frank Denis
9f71f5aade
Ed25519 synthetic nonces: pad to 128 bytes boundaries, not 16.
Spotted by Trevor Perrin. Good catch, thanks!
2017-11-04 09:53:44 +01:00
Frank Denis
bfcaab49f3
Tolerate sodium_crit_leave() to be called on an unlocked mutex
2017-11-03 15:47:02 +01:00
Frank Denis
b45d52a8cf
Tolerate sodium_crit_leave() to be called on an unlocked mutex
2017-11-03 15:46:19 +01:00
Frank Denis
8e364d29db
Move d2 definition close to the d definition
2017-11-01 19:38:16 +01:00
Frank Denis
f57fcb9c26
Use the correct type for the cmov mask
2017-11-01 19:37:34 +01:00
Frank Denis
5d484e6cb2
Leave and immediately reenter the critical section in sodium_misuse()
Keep running everything in the critical section from there.
2017-11-01 01:48:23 +01:00
Frank Denis
8d5b6b1fc9
Leave and immediately reenter the critical section in sodium_misuse()
Keep running everything in the critical section from there.
2017-11-01 01:45:02 +01:00
Frank Denis
802830e4e6
Regen precomputation tables
2017-11-01 00:08:34 +01:00
Frank Denis
a366ea0839
Tidy up curve25519_ref10, remove comments that are not relevant any more
2017-10-31 20:22:48 +01:00
Frank Denis
a3f96045d4
Remove ge_scalarmult_vartime() which is not used any more
2017-10-31 16:10:51 +01:00
Frank Denis
0b734963db
edwards25519sha512batch_open(): check order before decoding instead of after
2017-10-31 16:09:43 +01:00
Frank Denis
1cd0633186
Accept non-canonical PKs if ED25519_COMPAT is defined
2017-10-31 16:08:45 +01:00
Frank Denis
5808b83092
ed25519_open(): reject all small order public keys and non-canonical representations
2017-10-31 16:07:01 +01:00
Frank Denis
ce56bb596f
edwards25519sha512batch: reuse ge_scalarmult()
Check public key and R order by the way.
2017-10-31 15:56:31 +01:00
Frank Denis
52fce922f4
Add constant-time edx recovery; use it in ed25519_scalarmult()
2017-10-31 15:41:40 +01:00
Frank Denis
4bd18252d4
Don't hardcode the number of rounds
2017-10-28 21:37:01 +02:00
Frank Denis
5468c39d7d
Don't hardcode the number of rounds
2017-10-28 21:36:01 +02:00
Frank Denis
68d8e33a55
blake2: use the same code on little & big endian for finalization
2017-10-24 22:35:23 +02:00
Frank Denis
5935cf7a7e
Use uint instead of uint64_t for SHA* padding
Workaround for a clang bug
2017-10-24 21:57:30 +02:00
Frank Denis
58fa4172a5
Use the output buffer as a temporary buffer to store clamped private scalars
This might help avoid leaving a copy of the scalar on the stack.
Also use the same parameter names in donna as other implementations.
Maybe not the best possible names, but at least, things are consistent.
2017-10-24 17:41:32 +02:00
Frank Denis
e254a654dc
Return -1 if the scalar was zero
This realistically only happens on misuse or with a completely broken PRG.
Calling misuse() would be a bit too intrusive here. So, we still store
the result (might be better than uninitialized memory if the application
doesn't check the return code), but return -1.
2017-10-24 17:25:37 +02:00
Frank Denis
c150ceb677
Clear the high bit the same way everywhere
2017-10-24 17:10:16 +02:00
Frank Denis
134eb2c29d
Add a comment on scalarmult usage
2017-10-23 16:27:04 +02:00
Frank Denis
f5076db5f8
Do not include scalarmult_ed25519 in minimal builds
2017-10-23 16:12:06 +02:00
Frank Denis
b5797ec61f
Add scalarmult_ed25519_base, correct is_canonical() test, add clamping helper,
check that the result of scalarmult_ed25519() is not the point at infinity
2017-10-23 15:36:40 +02:00
Frank Denis
d3cce09f4e
Update prototype (fe_isnonzero() -> fe_iszero())
2017-10-23 15:35:20 +02:00
Frank Denis
f1e9acef5c
Rename crypto_sign_ed25519_scalarmult() to crypto_scalarmult_ed25519()
2017-10-23 13:22:34 +02:00
Frank Denis
89bc2d6976
*_is_less_than_*() -> *_is_canonical()
and reject non-canonical public keys in ed25519_scalarmult()
2017-10-23 01:09:38 +02:00
Frank Denis
2cee8ae850
Backport _crypto_sign_ed25519_small_order() changes
2017-10-23 00:15:52 +02:00
Frank Denis
15649c5849
+ ge_is_less_than_p()
2017-10-23 00:00:25 +02:00
Frank Denis
9acbc82a6d
Comment
2017-10-22 23:00:37 +02:00
Frank Denis
7ae346a54a
Order
2017-10-22 21:17:03 +02:00
Frank Denis
afabd7e738
Remove neg parameter; always check with both signs; adjust blacklist
2017-10-22 20:59:54 +02:00
Frank Denis
0b835b4479
+ ge_is_on_curve()
2017-10-22 17:44:51 +02:00
Frank Denis
3e6e734605
Fix misleading comment
2017-10-21 21:27:12 +02:00
Frank Denis
88417977e3
Move a couple functions from crypto_sign to crypto_core/curve25519
This improves clarity and makes it easier to reuse these in a
different context.
Also change fe_isnonzero() to fe_zero() and make it work as
documented.
2017-10-21 21:24:25 +02:00
Frank Denis
9fc0ece3d9
Remove unused blake2b code
2017-10-21 20:00:56 +02:00
Frank Denis
3d374fe8a9
Define uint128_t only once in private/common.h
2017-10-21 19:59:16 +02:00
Frank Denis
5a6deebd39
Add an argument to ed25519_small_order to optionally invert the sign
2017-10-20 16:07:52 +02:00
Frank Denis
415691dcea
memcpy() -> memmove() in case the seed and secret key overlap
2017-10-20 09:54:05 +02:00
Frank Denis
bab680f35b
Implement crypto_sign_ed25519_scalarmult()
2017-10-20 02:06:02 +02:00
Frank Denis
fe5d65853b
Remove extraneous "return"
2017-10-19 23:49:32 +02:00
Frank Denis
2e8d656029
Move precomputed table where it's actually used
2017-10-19 23:13:28 +02:00
Frank Denis
8a1e08cc52
Define a generic ge_select() in addition to ge_select_base()
2017-10-19 23:11:52 +02:00
Frank Denis
fc3a62a493
cmov() -> ge_cmov() ; ge_select() -> ge_select_base()
2017-10-19 22:57:09 +02:00
Frank Denis
a944db7a76
slide() -> slide_vartime() and move comments to the right place
2017-10-19 22:11:43 +02:00
Frank Denis
b28a8ad896
Just use constants instead of macros
In this context, they are actually less confusing.
2017-10-12 13:14:58 +02:00
Frank Denis
f783552773
Just use constants instead of macros
In this context, they are actually less confusing.
2017-10-12 13:14:25 +02:00
Frank Denis
b1bf478086
Repair crypto_sign_ed25519_seed_keypair()
2017-10-12 13:05:57 +02:00
Frank Denis
64604f8eef
Repair crypto_sign_ed25519_seed_keypair()
2017-10-12 13:03:54 +02:00
Frank Denis
348ef69b79
sk is actually skpk, so use the right size in the prototype
2017-10-11 21:46:17 +02:00
Frank Denis
18ab679429
sk is actually skpk, so use the right size in the prototype
2017-10-11 21:45:39 +02:00
Frank Denis
f5e1767b22
sign_keygen(): don't hash the secret scalar in non-deterministic mode
Improve clarity
No need to clamp the key prior to computing a synthetic nonce
nonce -> Z for clarity
2017-10-11 21:30:52 +02:00
Frank Denis
f54c6db981
sign_keygen(): don't hash the secret scalar in non-deterministic mode
2017-10-11 21:27:48 +02:00
Frank Denis
68feb75f1d
nonce -> Z for clarity
2017-10-11 18:15:36 +02:00
Frank Denis
ebb614cb0e
Improve clarity
No need to clamp the key prior to computing a synthetic nonce
2017-10-11 18:09:30 +02:00
Frank Denis
b6bad22149
Use the generalized eddsa algorithm for non-deterministic r
2017-10-06 22:02:46 +02:00
Frank Denis
9080766246
crypto_sign(): memzero the nonce after use
2017-10-06 22:02:46 +02:00
Frank Denis
90f5b55a0a
Move computation of synthetic nonces to a dedicated function
for clarity
2017-10-06 22:01:06 +02:00
Frank Denis
067cd6749d
inline
2017-10-06 21:41:35 +02:00
Frank Denis
d56007a6fa
crypto_sign(): memzero the nonce after use
2017-10-06 21:35:52 +02:00
Frank Denis
291859874b
Use the generalized eddsa algorithm for non-deterministic r
2017-10-06 21:28:02 +02:00
Frank Denis
99eee854fe
Add a compile-time switch to create non-deterministic signatures
2017-10-06 16:36:06 +02:00
Frank Denis
9f98f2329c
Back to dev mode
2017-10-06 15:37:24 +02:00
Frank Denis
0dd8338b83
Add a compile-time switch to create non-deterministic signatures
2017-10-06 15:35:07 +02:00
Frank Denis
affaecabcd
Include prototypes before declarations
2017-10-05 10:15:24 +02:00
Frank Denis
cd1b97d5a2
Regen autoconf files
2017-10-01 17:17:11 +02:00
Frank Denis
d3e20869af
crypto_pwhash_ALG_DEFAULT is now Argon2id
2017-10-01 12:12:13 +02:00
Frank Denis
d49d7e8d4f
pwhash: don't enforce the same limits for argon2i and argon2id
Fixes #606
Also, keep enforcing a minimum number of iterations to create argon2i
hashes, but relax that restriction for verification, as it can be
useful to migrate from hashes made using other libraries.
2017-10-01 11:02:46 +02:00
Frank Denis
2542367c2d
secretstream: set the initial counter to 1
Avoids using the first block for two different purposes, and will be more
consistent with the AES-based version.
This breaks backwards compatibility, but better do it now that most distros are
still shipping < 1.0.14, that no applications seem to be already using that new
API, and that there will be an update to the library major due to the aes128ctr
removal.
2017-10-01 10:08:04 +02:00
Frank Denis
96be673f82
Remove aes128ctr
2017-09-27 15:07:54 +02:00
Frank Denis
2a9c81b5c4
Explain why pwhash parameters must be stored
2017-09-26 21:33:54 +02:00
Frank Denis
93c386cb6c
Mention when the state will eventually be cleared
2017-09-26 21:28:08 +02:00
Frank Denis
d338ae9512
Properly support Argon2id in crypto_pwhash()
2017-09-26 17:12:58 +02:00
Frank Denis
491f785274
deinit
2017-09-25 16:33:30 +02:00
Frank Denis
94550cefd5
Remove dev #warning
2017-09-21 11:41:01 +02:00
Frank Denis
3e0b4dec6e
Add sodium_base64_encoded_len()
2017-09-21 11:25:09 +02:00
Frank Denis
4ce2856a5d
Avoid negations on unsigned values
2017-09-21 11:23:37 +02:00
Frank Denis
7e06a6a991
Annotate
2017-09-21 00:30:37 +02:00
Frank Denis
91233a0143
Tag salsa208 as deprecated
2017-09-19 23:56:12 +02:00
Frank Denis
3db75fc647
No need for ge_scalarmult_vartime() in minimal mode
2017-09-19 22:16:49 +02:00
Frank Denis
7423408cd3
Make the behavior of hex2bin() consistent with base642bin()
Return -1 on incomplete sequences and on complete sequences
with trailing, non-ignored characters if no pointer to store the
last parsed byte has been provided
2017-09-19 18:45:23 +02:00
Frank Denis
c7fe84cfb0
Skip trailing ignored characters in base64 decoding
2017-09-19 15:09:29 +02:00
Frank Denis
70e5ff5e14
Add a helper macro to compute the length of a base64 string
Modern compilers should optimize these common subexpressions fairly well.
2017-09-19 14:08:09 +02:00
Frank Denis
61214ba6b9
Remove redundant test
2017-09-18 23:57:03 +02:00
Frank Denis
77f3b71354
Indent
2017-09-18 23:29:33 +02:00
Frank Denis
5b9680ead6
More tests
2017-09-18 23:13:50 +02:00
Frank Denis
4828c5923a
~ 80 columns please
2017-09-18 20:52:38 +02:00
Frank Denis
66c621f417
Faster; doesn't require to wipe the output stream
2017-09-18 20:51:47 +02:00
Frank Denis
5da8f4fbc6
Add a global xor_buf() private helper function
2017-09-18 19:39:41 +02:00
Frank Denis
7d756fab96
xor the key and the nonce on rekey for better separation
2017-09-18 19:25:06 +02:00
Frank Denis
bb1b27fa36
Improve readability
2017-09-18 18:55:56 +02:00
Frank Denis
10bb28b27e
One more COMPILER_ASSERT()
2017-09-18 18:15:53 +02:00
Frank Denis
2ce41de29b
Define macros instead of repeated offsets
Improves readability, removes bugs
2017-09-18 18:11:29 +02:00
Frank Denis
a029b352af
Don't generate SSE2 code if that instruction set hasn't been enabled
2017-09-17 18:23:31 +02:00
Frank Denis
09fd953fce
Revert "__SSE2__ may need to be explicitly enabled"
This reverts commit 35d8aa5d3e.
2017-09-17 18:19:57 +02:00
Frank Denis
35d8aa5d3e
__SSE2__ may need to be explicitly enabled
2017-09-17 18:15:18 +02:00
Frank Denis
a161dd9fa1
On 32-bit systems, the limit is SIZE_MAX
2017-09-17 16:36:01 +02:00
Frank Denis
d8a8201bb2
Avoid "in" and "out". Use "c" to represent the ciphertext.
2017-09-16 23:43:46 +02:00
Frank Denis
1181a47cb4
Proper xchacha20poly1305_MESSAGEBYTES_MAX definition
2017-09-16 23:37:52 +02:00
Frank Denis
bfab44aa40
initbytes -> headerbytes for clarity
2017-09-16 23:21:28 +02:00
Frank Denis
e8f1c0be66
secretstream: use "header" instead of "in" and "out" for clarity
2017-09-16 23:15:28 +02:00
Frank Denis
9e0ff55ebd
Add the ability to use only strong symbols, even on ELF targets
2017-09-15 18:52:04 +02:00
Frank Denis
b0420b32d7
Define SODIUM_EXPORT_WEAK instead of adding __attribute__((weak)) tags
2017-09-15 18:28:42 +02:00
Frank Denis
3df3fabb87
No default clause needed
2017-09-15 15:43:16 +02:00
Frank Denis
383705ffc2
The AVX512 optimized BLAKE2B implementation hasn't been imported yet
2017-09-15 13:15:43 +02:00
Frank Denis
dcd60ba661
Force inline
2017-09-15 00:06:37 +02:00
Frank Denis
5cc334b33c
Add AVX512F optimized Argon2 implementation
2017-09-15 00:04:18 +02:00
Frank Denis
6866b3d555
Use macros instead of magic numbers
2017-09-13 23:42:21 +02:00
Frank Denis
1c0677b09f
Check for AVX512F support
2017-09-13 23:35:20 +02:00
Frank Denis
62c41c703e
Avoid untagged unions
2017-09-13 12:42:00 +02:00
Frank Denis
5cf1de94ad
Remove trailing comma
2017-09-13 12:03:24 +02:00
Frank Denis
3aa1c71de1
Don't return void
2017-09-13 11:43:39 +02:00
Frank Denis
d0a418a863
+ _crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()
2017-09-13 00:36:29 +02:00
Frank Denis
0ae678b0f9
Avoid multiple declarations in an EM_ASM({}) block
Some emscripten versions don't seem to support it.
2017-09-11 11:49:59 +02:00
Frank Denis
b26de68a67
Use single quotes inside EM_ASM
2017-09-11 02:13:38 +02:00
Frank Denis
1aae564da3
Avoid duplicate initializations; reorder for consistency w/ decl
2017-09-10 22:19:51 +02:00
Frank Denis
81cf1ff6d1
Use unsigned for loop counters
2017-09-10 22:15:23 +02:00
Frank Denis
e2efa6d7e0
Remove unused variable
2017-09-10 22:09:06 +02:00
Frank Denis
e06c70afe8
Use the dedicated type for the argon2 type id
2017-09-07 13:53:21 +02:00
Frank Denis
e8828eef79
Don't bother verifying hashes whose length is >= crypto_pwhash_STRBYTES
2017-09-06 20:26:36 +02:00
Frank Denis
7cc4825231
Add crypto_pwhash_str_needs_rehash()
2017-09-06 20:08:20 +02:00
Frank Denis
c65189a0cb
Explicit casts
2017-09-06 16:04:28 +02:00
Frank Denis
c72ef48f01
Static-ify what we currently don't need in crypto_core/curve25519_ref10
2017-08-31 21:08:59 +02:00
Frank Denis
5c8b8ea01c
Simplify
2017-08-31 20:14:16 +02:00
Frank Denis
0af31aeb26
Fill the max output buffer size in sodium_bin2base64()
Unlike hex encoding, due to optional padding, computing the correct size is
not straightforward. Ensuring that the string ends with `\0` is fine, but
if the size is not exact, some unrelated data might be sent around by the
application. So, zero it to be safe.
2017-08-31 19:32:14 +02:00
Frank Denis
e236df63e1
Trim empty lines
2017-08-26 17:56:18 +02:00
Frank Denis
75cfcf208c
Merge branch 'master' of github.com:jedisct1/libsodium
* 'master' of github.com:jedisct1/libsodium:
Do not clear the padding (for alignment) section of a blake2b state
2017-08-26 17:48:13 +02:00
Frank Denis
e40e0f6ddb
Adjust secretstream_..._rekey() after e84336ac
2017-08-26 17:47:41 +02:00
Frank Denis
514150d8b3
Merge branch 'master' of github.com:jedisct1/libsodium
* 'master' of github.com:jedisct1/libsodium:
Remove RUNNING_JS_OPTS for WebAssembly
chmod +x *.sh
chmod +x *.sh
One more compiler assertion
secretstream: assume the internal nonce is little endian
Test sodium_pad() with a NULL pointer
Regen emscripten symbols
messagesbytes -> messagebytes
Have generate-emscripten-symbols.sh automatically update the js/wasm build script
Add secretstream constants
salsa208: messagebyte -> messagebytes
constcheck: grab a few more constants
Update emscripten symbols list
Update emscripten symbols list
Bump
Accept a NULL pointer for the padded length in sodium_pad()
2017-08-26 08:25:27 +02:00
Frank Denis
394e21884c
Do not clear the padding (for alignment) section of a blake2b state
So that it's acceptable for an application to provide a state that
doesn't include padding.
2017-08-26 08:19:58 +02:00
Frank Denis
ce2ecc5966
One more compiler assertion
2017-08-25 16:21:20 +02:00
Frank Denis
e84336ac48
secretstream: assume the internal nonce is little endian
Put the counter before the random part of the nonce instead of after
2017-08-25 16:03:07 +02:00
Frank Denis
f8e535a446
messagesbytes -> messagebytes
2017-08-25 15:12:35 +02:00
Frank Denis
aa20d2e86e
Add secretstream constants
2017-08-25 14:51:02 +02:00
Frank Denis
49f1d87cfe
salsa208: messagebyte -> messagebytes
Spotted by constcheck
2017-08-25 14:50:24 +02:00
Frank Denis
be58b2e666
Accept a NULL pointer for the padded length in sodium_pad()
2017-08-24 15:49:50 +02:00
Frank Denis
d5574a69fa
Complete sodium_pad/unpad() and add a couple tests
2017-08-17 20:54:20 +02:00
Frank Denis
b9ed93fcb8
Change the sodium_pad() API to accept a maximum buffer length
Of course, this is not required. Just like `strcat()` can be used
safely. But since the cost of this extra check is negligible, better
return `-1` than potentially overwrite unrelated memory locations.
2017-08-17 17:23:53 +02:00
Frank Denis
4fd66e3ad7
Name similar things the same way in sodium_pad() and sodium_unpad()
2017-08-17 14:13:13 +02:00
Frank Denis
50c7632cc3
+ sodium_pad() / sodium_unpad()
2017-08-17 14:05:23 +02:00
Frank Denis
55a578d625
Merge branch 'master' of github.com:jedisct1/libsodium
* 'master' of github.com:jedisct1/libsodium:
+ Firefox
Some notes about RtlGenRandom
Format paragraphs
Explain that sodium_misuse() still aborts by default
+ crypto_secretstream_*()
THANKS += PIA
2017-08-16 22:06:59 +02:00
Frank Denis
b277148983
Reorder crypto_secretstream_*() prototypes in a more intuitive sequence
2017-08-16 22:06:22 +02:00
Frank Denis
c3b315ec76
+ Firefox
2017-08-16 21:12:48 +02:00
Frank Denis
80296be947
Some notes about RtlGenRandom
2017-08-16 20:58:22 +02:00
Frank Denis
6e8e0a93f9
Add a couple tests for crypto_secretstream_*()
2017-08-16 14:53:54 +02:00
Frank Denis
88c0b6538f
Trigger sodium_misuse() if mlen > secretstream_MESSAGESBYTES_MAX
2017-08-16 13:59:56 +02:00
Frank Denis
72d5d506d5
Sort
2017-08-16 13:58:36 +02:00
Frank Denis
df7ad26328
Introduce a new crypto_secretstream_*() API
No high-level API yet, since there is no high-level AEAD API.
2017-08-16 13:26:23 +02:00
Frank Denis
100a055a54
Indent
2017-08-12 16:38:11 +02:00
Frank Denis
76995c52ff
Argon2: use sodium_{bin2base64,base642bin} instead of a private implementation
2017-08-09 22:41:26 +02:00
Frank Denis
265bdcfe07
bin2hex & bin2base64: return a null size on error
This might prevent applications that don't properly check return codes
from reusing previous data.
2017-08-09 22:41:20 +02:00
Frank Denis
ad5a5232a2
Make that a size_t
2017-08-09 16:07:10 +02:00
Frank Denis
cdbb43f444
base64 tests
2017-08-09 15:56:58 +02:00
Frank Denis
eb84b00b75
glibc requires <stdint.h> for SIZE_MAX
2017-08-09 02:09:46 +02:00
Frank Denis
3f272cbbfc
Add a base64 codec, due to popular request
I still think that base64 is awful, but users have spoken.
2017-08-09 01:54:57 +02:00
Frank Denis
308684790f
Move the codecs from sodium/utils.c to a dedicated file
2017-08-09 01:38:14 +02:00
Frank Denis
dd9416fd59
Doc
2017-08-08 14:28:12 +02:00
Frank Denis
5b141eb9ec
Add some blank lines for readability
2017-08-06 19:17:25 +02:00
Frank Denis
7e91aa3f89
s/the//
2017-08-06 19:15:26 +02:00
Frank Denis
4baea3575b
Merge branch 'master' of github.com:jedisct1/libsodium
2017-08-06 19:11:49 +02:00
Frank Denis
9b7db7c3f3
Document crypto_aead_aes256gcm_*() limitations
2017-08-06 19:11:19 +02:00
Frank Denis
a894ec93f2
Add crypto_pwhash_str_alg()
2017-08-05 20:56:59 +02:00
Frank Denis
e1fa9cc90c
Add *_messagebytes_max() wrappers
2017-08-03 13:34:31 +02:00
Frank Denis
f02770b2ad
Revert "+ sodium_alloc_overhead()"
This reverts commit c5b61d8129.
2017-08-02 14:26:56 +02:00
Frank Denis
c5b61d8129
+ sodium_alloc_overhead()
2017-08-02 12:34:56 +02:00
Frank Denis
c56fa3ccf9
Include private/common.h for COMPILER_ASSERT
2017-08-01 11:40:32 +02:00
Frank Denis
56eb70f8bb
Sort
2017-08-01 10:38:23 +02:00
Frank Denis
6ac18dae42
The MESSAGEBYTES_MAX constants are to be used with the libsodium API
Projects using the legacy API are unlikely to use these new macros.
OTOH, people using the Sodium API would be puzzled about the missing
16 bytes in the secretbox and box APIs.
More importantly, these macros are designed for bindings.
Having these bindings enforce proper limits (for the *_easy API
that they all use) and yet have the underlying library call
sodium_misuse() would be sad.
2017-07-29 23:29:58 +02:00
Frank Denis
90bd94e4e4
Coverage exclusion
2017-07-29 22:31:13 +02:00
Frank Denis
3dd56fa91b
Coverage exclusions
2017-07-29 22:07:36 +02:00
Frank Denis
ff8bb6705a
More tests for scrypt
2017-07-29 22:01:13 +02:00
Frank Denis
52bfc0325b
Initialize the base&aligned addresses in argon2's allocate_memory
Also memzero() pseudo_rands, not the segments twice.
2017-07-29 18:54:52 +02:00
Frank Denis
fc90887921
Add missing include "core.h"
2017-07-29 18:42:39 +02:00
Frank Denis
c15173de1e
Turn a few calls with an insane message length into a sodium_misuse()
2017-07-29 18:37:55 +02:00
Frank Denis
f28fe0ae29
Cap argon2*_BYTES_MAX to SODIUM_SIZE_MAX
2017-07-29 18:05:08 +02:00
Frank Denis
bac61ebf50
BYTES_MAX -> MESSAGEBYTES_MAX
2017-07-29 17:58:18 +02:00
Frank Denis
16179b87f3
Introduce *_BYTES_MAX constants
*_BYTES_MAX constants represent the maximum size of
a message.
No accessor functions for now. They will be renamed, as the
*_BYTES_MAX suffix was previously also used for the maximum output
size of stream ciphers.
These macros are designed to be used by language bindings, so they
can perform some sanity checks before calling the sodium API.
2017-07-29 17:39:31 +02:00
Frank Denis
568adb570d
Trim crypto_pwhash_scryptsalsa208sha256_BYTES_MAX down to ~127 GB
2017-07-29 15:02:51 +02:00
Frank Denis
3525f032df
Inline
2017-07-28 18:51:04 +02:00
Frank Denis
3ee2151f1d
memzero(): with weak symbols, just call memset()
2017-07-28 18:26:36 +02:00
Frank Denis
105f7108d6
Argon2: wipe all blocks if the ARGON2_FLAG_CLEAR_MEMORY flag is set
Not ARGON2_FLAG_CLEAR_PASSWORD
2017-07-28 18:22:51 +02:00
Frank Denis
dc2c68067b
C++ compat
2017-07-28 18:08:10 +02:00
Frank Denis
fb739acd7b
fill_memory_blocks() cannot possibly fail
2017-07-28 18:07:45 +02:00
Frank Denis
c3908f87d6
Argon2: deallocate memory if fill_memory_blocks() ever fails
Also perform a single allocation to store random numbers.
2017-07-28 17:58:16 +02:00
Frank Denis
2a2ed3df3a
Volatilify the accumulator, at least for consistency with sodium_is_zero()
2017-07-24 22:20:51 +02:00
Frank Denis
cd51ff29e9
Coverage exclusions
2017-07-24 22:19:50 +02:00
Frank Denis
f92c82537b
More tests
2017-07-24 15:16:22 +02:00
Frank Denis
47796a5b89
Indent
2017-07-23 20:17:53 +02:00
Frank Denis
d7ecf04d68
Comment randombytes_uniform()
2017-07-23 19:44:22 +02:00
Frank Denis
eaab512788
Add specialized ge_mul_l() to multiply by the order of the main subgroup
2017-07-23 13:50:10 +02:00
Frank Denis
6de26b59d7
ed25519_pk_to_curve25519: check that the input is in the right subgroup
2017-07-23 13:25:02 +02:00
Frank Denis
571915ea2c
ed25519: un-static the check for low-order points
2017-07-23 13:15:50 +02:00
Frank Denis
cc51916072
Tag sodium_runtime_has_*() symbols as weak
2017-07-19 12:30:40 +02:00
Frank Denis
8b9b6a54be
Remove error string from sodium_misuse()
Returning the name of an internal function to bindings is useless.
They need way more context to recover from these errors, and
their own backtrace will be way more useful for diagnostics.
2017-07-19 00:57:19 +02:00
Frank Denis
97486f7d45
Clear the BLAKE2B state only once, on finalization
No need to clear everything, and no need to clear again
if _final() is called more than once.
2017-07-18 20:16:47 +02:00
Frank Denis
1090fcfd4d
memzero() the state if we call generichash_final() twice
2017-07-18 19:19:04 +02:00
Frank Denis
6768d82ea2
Add missing return value in set_misuse_handler()
2017-07-18 03:49:58 +02:00
Frank Denis
5d56821d3d
More tests, and start testing misuse cases
2017-07-17 23:09:44 +02:00
Frank Denis
0e8d7c9268
Implement sodium_set_misuse_handler()
2017-07-17 01:00:00 +02:00
Frank Denis
8a70f258fd
No more abort() calls!
2017-07-16 23:11:36 +02:00
Frank Denis
c3b24c1d22
Explain why some abort() calls are still around
2017-07-16 20:09:27 +02:00
Frank Denis
74703c63a6
More abort() -> sodium_misuse()
2017-07-16 20:03:03 +02:00
Frank Denis
a0e997b8ae
More abort() -> sodium_misuse()
Keep the abort() call on the hash function, which should never fail.
2017-07-16 19:51:08 +02:00
Frank Denis
ea9281cb03
More abort() -> sodium_misuse()
2017-07-16 19:24:46 +02:00
Frank Denis
a61dddd496
Back to dev mode. If you want a stable version, use the stable branch.
2017-07-16 19:07:43 +02:00
Frank Denis
bcf98b5546
Start replacing abort() with an internal sodium_misuse() function
This function will eventually be able to call a user-defined hook,
that may be useful to people writing bindings for other languages.
The function will not return, though, and will keep calling
abort() after the hook. So, hooks should not return either.
They should gracefully kill the current process or thread instead.
There are many more abort() instances to replace.
This is long and boring.
2017-07-16 19:01:22 +02:00
Frank Denis
c86080e7b9
Fix funky indentation
2017-07-16 18:50:50 +02:00
Frank Denis
8b99f44ff9
Abort on misuse in crypto_kx_server_session_keys() too
2017-07-16 16:43:47 +02:00
Frank Denis
765ba55cdc
crypto_kx(): abort if the function is called without any non-NULL pointer
2017-07-16 16:37:47 +02:00
Frank Denis
90658321d3
Only include sodium/crypto_pwhash_scryptsalsa208sha256.h on !minimal
2017-07-16 12:15:06 +02:00
Frank Denis
1f826df2d4
is_zero(): volatilize the accumulator
2017-07-16 01:07:38 +02:00
Frank Denis
3d400363b6
sodium_compare: x1, x2 don't have to be volatile
2017-07-16 01:05:47 +02:00
Frank Denis
99f8c19a1b
memzero(): call the weak function after zeroing
A weak function cannot be inlined, but even if it's a little bit
far stretched, a compiler could add code taking different paths
according to the callee.
With a weak function called after the zeroing, we can be sure
that the zeroing has to happen.
2017-07-16 00:49:31 +02:00
Frank Denis
f0c15da02f
We don't need these extra loads
2017-07-15 20:54:57 +02:00
Frank Denis
bcdb042ad9
Revert "Explicitly include <limits.h>"
This reverts commit 0fd9aae17a.
2017-07-15 20:33:34 +02:00
Frank Denis
7dbbd266b5
Simple SSE2 implementation of crypto_verify*()
`z` being volatile implies more load/store than needed, but this should
be safer if we want to stick with pure C code, and gives us a chance to
zero the registers.
It's still way faster than byte-by-byte comparisons anyway.
Xored secrets don't matter much when compared byte-by-byte, but they
can be more annoying in 128-bit registers.
2017-07-15 20:29:27 +02:00