cheng/libsodium
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
3,101 Commits 1 Branch 0 Tags 32 MiB
a366ea0839
Commit Graph

1548 Commits

Author SHA1 Message Date
Frank Denis
a366ea0839 Tidy up curve25519_ref10, remove comments that are not relevant any more 2017-10-31 20:22:48 +01:00
Frank Denis
a3f96045d4 Remove ge_scalarmult_vartime() which is not used any more 2017-10-31 16:10:51 +01:00
Frank Denis
0b734963db edwards25519sha512batch_open(): check order before decoding instead of after 2017-10-31 16:09:43 +01:00
Frank Denis
1cd0633186 Accept non-canonical PKs if ED25519_COMPAT is defined 2017-10-31 16:08:45 +01:00
Frank Denis
5808b83092 ed25519_open(): reject all small order public keys and non-canonical representations 2017-10-31 16:07:01 +01:00
Frank Denis
ce56bb596f edwards25519sha512batch: reuse ge_scalarmult() 
Check public key and R order by the way.
 2017-10-31 15:56:31 +01:00
Frank Denis
52fce922f4 Add constant-time edx recovery; use it in ed25519_scalarmult() 2017-10-31 15:41:40 +01:00
Frank Denis
5468c39d7d Don't hardcode the number of rounds 2017-10-28 21:36:01 +02:00
Frank Denis
68d8e33a55 blake2: use the same code on little & big endian for finalization 2017-10-24 22:35:23 +02:00
Frank Denis
5935cf7a7e Use uint instead of uint64_t for SHA* padding 
Workaround for a clang bug
 2017-10-24 21:57:30 +02:00
Frank Denis
58fa4172a5 Use the output buffer as a temporary buffer to store clamped private scalars 
This might help avoid leaving a copy of the scalar on the stack.

Also use the same parameters names in donna as other implementations.
Maybe not the best possible names, but at least, things are consistent.
 2017-10-24 17:41:32 +02:00
Frank Denis
e254a654dc Return -1 is the scalar was zero 
This realistically only happen on misuse or with a completely broken PRG.

Calling misuse() would be a bit too intrusive here. So, we still store
the result (might be better than uninitialized memory if the application
doesn't check the return code), but return -1.
 2017-10-24 17:25:37 +02:00
Frank Denis
c150ceb677 Clear the high bit the same way everywhere 2017-10-24 17:10:16 +02:00
Frank Denis
134eb2c29d Add a comment on scalarmult usage 2017-10-23 16:27:04 +02:00
Frank Denis
f5076db5f8 Do not include scalarmult_ed25519 in minimal builds 2017-10-23 16:12:06 +02:00
Frank Denis
b5797ec61f Add scalarmult_ed25519_base, correct is_canonical() test, add clamping helper, 
check that the result of scalarmult_ed25519() is not the point at infinity
 2017-10-23 15:36:40 +02:00
Frank Denis
d3cce09f4e Update prototype (fe_isnonzero() -> fe_iszero()) 2017-10-23 15:35:20 +02:00
Frank Denis
f1e9acef5c Rename crypto_sign_ed25519_scalarmult() to crypto_scalarmult_ed25519() 2017-10-23 13:22:34 +02:00
Frank Denis
89bc2d6976 *_is_less_than_*() -> *_is_canonical() 
and reject non-canonical public keys in ed25519_scalarmult()
 2017-10-23 01:09:38 +02:00
Frank Denis
15649c5849 + ge_is_less_than_p() 2017-10-23 00:00:25 +02:00
Frank Denis
9acbc82a6d Comment 2017-10-22 23:00:37 +02:00
Frank Denis
7ae346a54a Order 2017-10-22 21:17:03 +02:00
Frank Denis
afabd7e738 Remove neg parameter; always check with both signs; adjust blacklist 2017-10-22 20:59:54 +02:00
Frank Denis
0b835b4479 + ge_is_on_curve() 2017-10-22 17:44:51 +02:00
Frank Denis
88417977e3 Move a couple functions from crypto_sign to crypto_core/curve25519 
This improves clarity and makes it easier to reuse these in a
different context.

Also change fe_isnonzero() to fe_zero() and make it work as
documented.
 2017-10-21 21:24:25 +02:00
Frank Denis
9fc0ece3d9 Remove unused blake2b code 2017-10-21 20:00:56 +02:00
Frank Denis
3d374fe8a9 Define uint128_t only once in private/common.h 2017-10-21 19:59:16 +02:00
Frank Denis
5a6deebd39 Add an argument to ed25519_small_order to optionally invert the sign 2017-10-20 16:07:52 +02:00
Frank Denis
bab680f35b Implement crypto_sign_ed25519_scalarmult() 2017-10-20 02:06:02 +02:00
Frank Denis
fe5d65853b Remove extraneous "return" 2017-10-19 23:49:32 +02:00
Frank Denis
2e8d656029 Move precomputed table where it's actually used 2017-10-19 23:13:28 +02:00
Frank Denis
8a1e08cc52 Define a generic ge_select() in additino to ge_select_base() 2017-10-19 23:11:52 +02:00
Frank Denis
fc3a62a493 cmov() -> ge_cmov() ; ge_select() -> ge_select_base() 2017-10-19 22:57:09 +02:00
Frank Denis
a944db7a76 slide() -> slide_vartime() and move comments to the right place 2017-10-19 22:11:43 +02:00
Frank Denis
f783552773 Just use constants instead of macros 
In this context, they are actually less confusing.
 2017-10-12 13:14:25 +02:00
Frank Denis
b1bf478086 Repair crypto_sign_ed25519_seed_keypair() 2017-10-12 13:05:57 +02:00
Frank Denis
18ab679429 sk is actually skpk, so use the right size in the prototype 2017-10-11 21:45:39 +02:00
Frank Denis
f54c6db981 sign_keygen(): don't hash the secret scalar in non-deterministic mode 2017-10-11 21:27:48 +02:00
Frank Denis
68feb75f1d nonce -> Z for clarity 2017-10-11 18:15:36 +02:00
Frank Denis
ebb614cb0e Improve clarity 
No need to clamp the key prior to computing a synthetic nonce
 2017-10-11 18:09:30 +02:00
Frank Denis
90f5b55a0a Move computation of synthetic nonces to a dedicated function 
for clarity
 2017-10-06 22:01:06 +02:00
Frank Denis
067cd6749d inline 2017-10-06 21:41:35 +02:00
Frank Denis
d56007a6fa crypto_sign(): memzero the nonce after use 2017-10-06 21:35:52 +02:00
Frank Denis
291859874b Use the generalized eddsa algorithm for non-deterministic r 2017-10-06 21:28:02 +02:00
Frank Denis
9f98f2329c Back to dev mode 2017-10-06 15:37:24 +02:00
Frank Denis
0dd8338b83 Add a compile-time switch to create non-deterministic signatures 2017-10-06 15:35:07 +02:00
Frank Denis
affaecabcd Include prototypes before declarations 2017-10-05 10:15:24 +02:00
Frank Denis
d3e20869af crypto_pwhash_ALG_DEFAULT is now Argon2id 2017-10-01 12:12:13 +02:00
Frank Denis
d49d7e8d4f pwhash: don't enforce the same limits for argon2i and argon2id 
Fixes #606

Also, keep enforcing a minimum number of iterations to create argon2i
hashes, but relax that restriction for verification, as it can be
useful to migrate from hashes made using other libraries.
 2017-10-01 11:02:46 +02:00
Frank Denis
2542367c2d secretstream: set the initial counter to 1 
Avoids using the first block for two different purposes, and will be more
consistent with the AES-based version.

This breaks backwards compatibility, but better do it now that most distro are
still shipping < 1.0.14, that no applications seem to be already using that new
API, and that there will be an update to the library major due to the aes128ctr
removal.
 2017-10-01 10:08:04 +02:00