rbnacl-libsodium 1.0.15.1 → 1.0.16

Files changed (157)
  1. checksums.yaml +4 -4
  2. data/.travis.yml +4 -6
  3. data/CHANGES.md +50 -42
  4. data/Gemfile +1 -1
  5. data/README.md +3 -1
  6. data/Rakefile +46 -0
  7. data/ext/rbnacl/extconf.rb +16 -1
  8. data/lib/rbnacl/libsodium.rb +16 -8
  9. data/lib/rbnacl/libsodium/version.rb +1 -1
  10. data/rbnacl-libsodium.gemspec +3 -0
  11. data/vendor/libsodium/AUTHORS +20 -5
  12. data/vendor/libsodium/ChangeLog +25 -0
  13. data/vendor/libsodium/Makefile.in +3 -1
  14. data/vendor/libsodium/README.markdown +2 -1
  15. data/vendor/libsodium/aclocal.m4 +1 -0
  16. data/vendor/libsodium/autom4te.cache/output.1 +836 -123
  17. data/vendor/libsodium/autom4te.cache/output.4 +21342 -0
  18. data/vendor/libsodium/autom4te.cache/requests +801 -554
  19. data/vendor/libsodium/autom4te.cache/traces.1 +717 -596
  20. data/vendor/libsodium/autom4te.cache/traces.4 +4355 -0
  21. data/vendor/libsodium/builds/Makefile.in +3 -1
  22. data/vendor/libsodium/builds/msvc/resource.h +1 -1
  23. data/vendor/libsodium/builds/msvc/resource.rc +2 -2
  24. data/vendor/libsodium/builds/msvc/version.h +2 -2
  25. data/vendor/libsodium/builds/msvc/vs2010/libsodium/libsodium.vcxproj +17 -8
  26. data/vendor/libsodium/builds/msvc/vs2010/libsodium/libsodium.vcxproj.filters +60 -24
  27. data/vendor/libsodium/builds/msvc/vs2012/libsodium/libsodium.vcxproj +17 -8
  28. data/vendor/libsodium/builds/msvc/vs2012/libsodium/libsodium.vcxproj.filters +60 -24
  29. data/vendor/libsodium/builds/msvc/vs2013/libsodium/libsodium.vcxproj +17 -8
  30. data/vendor/libsodium/builds/msvc/vs2013/libsodium/libsodium.vcxproj.filters +60 -24
  31. data/vendor/libsodium/builds/msvc/vs2015/libsodium/libsodium.vcxproj +17 -8
  32. data/vendor/libsodium/builds/msvc/vs2015/libsodium/libsodium.vcxproj.filters +60 -24
  33. data/vendor/libsodium/builds/msvc/vs2017/libsodium/libsodium.vcxproj +17 -8
  34. data/vendor/libsodium/builds/msvc/vs2017/libsodium/libsodium.vcxproj.filters +60 -24
  35. data/vendor/libsodium/configure +834 -121
  36. data/vendor/libsodium/configure.ac +55 -13
  37. data/vendor/libsodium/contrib/Findsodium.cmake +22 -3
  38. data/vendor/libsodium/contrib/Makefile.in +3 -1
  39. data/vendor/libsodium/dist-build/Makefile.in +3 -1
  40. data/vendor/libsodium/dist-build/android-build.sh +2 -2
  41. data/vendor/libsodium/dist-build/emscripten-symbols.def +38 -26
  42. data/vendor/libsodium/dist-build/emscripten.sh +23 -8
  43. data/vendor/libsodium/dist-build/msys2-win32.sh +1 -1
  44. data/vendor/libsodium/dist-build/msys2-win64.sh +1 -1
  45. data/vendor/libsodium/libsodium.vcxproj +17 -8
  46. data/vendor/libsodium/libsodium.vcxproj.filters +41 -14
  47. data/vendor/libsodium/m4/ax_tls.m4 +74 -0
  48. data/vendor/libsodium/msvc-scripts/Makefile.in +3 -1
  49. data/vendor/libsodium/msvc-scripts/process.bat +2 -2
  50. data/vendor/libsodium/packaging/dotnet-core/README.md +5 -5
  51. data/vendor/libsodium/packaging/dotnet-core/prepare.py +7 -7
  52. data/vendor/libsodium/packaging/nuget/package.config +1 -1
  53. data/vendor/libsodium/regen-msvc/libsodium.vcxproj +326 -0
  54. data/vendor/libsodium/regen-msvc/libsodium.vcxproj.filters +23 -0
  55. data/vendor/libsodium/regen-msvc/libsodium.vcxproj.filters.tpl +35 -0
  56. data/vendor/libsodium/regen-msvc/libsodium.vcxproj.tpl +93 -0
  57. data/vendor/libsodium/regen-msvc/regen-msvc.py +136 -0
  58. data/vendor/libsodium/regen-msvc/tl_libsodium.vcxproj.filters.tpl +23 -0
  59. data/vendor/libsodium/regen-msvc/tl_libsodium.vcxproj.tpl +331 -0
  60. data/vendor/libsodium/src/Makefile.in +3 -1
  61. data/vendor/libsodium/src/libsodium/Makefile.am +40 -24
  62. data/vendor/libsodium/src/libsodium/Makefile.in +238 -180
  63. data/vendor/libsodium/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c +10 -2
  64. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/core_ed25519.c +79 -0
  65. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/ed25519_ref10.c +2031 -0
  66. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/fe_25_5/base.h +1344 -0
  67. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/fe_25_5/base2.h +40 -0
  68. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/fe_25_5/constants.h +20 -0
  69. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/fe_25_5/fe.h +220 -0
  70. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/fe_51/base.h +1344 -0
  71. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/fe_51/base2.h +40 -0
  72. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/fe_51/constants.h +21 -0
  73. data/vendor/libsodium/src/libsodium/crypto_core/ed25519/ref10/fe_51/fe.h +116 -0
  74. data/vendor/libsodium/src/libsodium/crypto_generichash/blake2b/ref/blake2.h +1 -1
  75. data/vendor/libsodium/src/libsodium/crypto_generichash/blake2b/ref/blake2b-compress-ref.c +2 -1
  76. data/vendor/libsodium/src/libsodium/crypto_generichash/blake2b/ref/blake2b-ref.c +14 -82
  77. data/vendor/libsodium/src/libsodium/crypto_generichash/blake2b/ref/generichash_blake2b.c +1 -0
  78. data/vendor/libsodium/src/libsodium/crypto_hash/sha256/cp/hash_sha256_cp.c +3 -3
  79. data/vendor/libsodium/src/libsodium/crypto_hash/sha512/cp/hash_sha512_cp.c +3 -3
  80. data/vendor/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna64.h +1 -7
  81. data/vendor/libsodium/src/libsodium/crypto_onetimeauth/poly1305/onetimeauth_poly1305.c +1 -0
  82. data/vendor/libsodium/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c +0 -6
  83. data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-core.c +19 -92
  84. data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-core.h +72 -4
  85. data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/argon2.c +5 -1
  86. data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/argon2.h +1 -1
  87. data/vendor/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c +10 -7
  88. data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c +108 -231
  89. data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.h +1 -1
  90. data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/curve25519_sandy2x.c +27 -27
  91. data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe51_invert.c +2 -1
  92. data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/sandy2x/fe_frombytes_sandy2x.c +6 -3
  93. data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/scalarmult_curve25519.c +3 -11
  94. data/vendor/libsodium/src/libsodium/crypto_scalarmult/ed25519/ref10/scalarmult_ed25519_ref10.c +86 -0
  95. data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/keypair.c +28 -26
  96. data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c +32 -30
  97. data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/open.c +14 -115
  98. data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/sign.c +56 -13
  99. data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/{ed25519_ref10.h → sign_ed25519_ref10.h} +2 -5
  100. data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/sign_ed25519.c +1 -1
  101. data/vendor/libsodium/src/libsodium/crypto_stream/chacha20/stream_chacha20.c +1 -0
  102. data/vendor/libsodium/src/libsodium/crypto_stream/salsa20/stream_salsa20.c +1 -0
  103. data/vendor/libsodium/src/libsodium/crypto_stream/salsa20/xmm6int/u8.h +1 -1
  104. data/vendor/libsodium/src/libsodium/include/Makefile.am +2 -0
  105. data/vendor/libsodium/src/libsodium/include/Makefile.in +13 -9
  106. data/vendor/libsodium/src/libsodium/include/sodium.h +2 -0
  107. data/vendor/libsodium/src/libsodium/include/sodium/crypto_core_ed25519.h +37 -0
  108. data/vendor/libsodium/src/libsodium/include/sodium/crypto_scalarmult.h +8 -0
  109. data/vendor/libsodium/src/libsodium/include/sodium/crypto_scalarmult_curve25519.h +8 -0
  110. data/vendor/libsodium/src/libsodium/include/sodium/crypto_scalarmult_ed25519.h +41 -0
  111. data/vendor/libsodium/src/libsodium/include/sodium/private/common.h +18 -0
  112. data/vendor/libsodium/src/libsodium/include/sodium/private/ed25519_ref10.h +125 -0
  113. data/vendor/libsodium/src/libsodium/include/sodium/private/ed25519_ref10_fe_25_5.h +1050 -0
  114. data/vendor/libsodium/src/libsodium/include/sodium/private/ed25519_ref10_fe_51.h +518 -0
  115. data/vendor/libsodium/src/libsodium/include/sodium/runtime.h +3 -0
  116. data/vendor/libsodium/src/libsodium/include/sodium/utils.h +3 -0
  117. data/vendor/libsodium/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c +182 -102
  118. data/vendor/libsodium/src/libsodium/sodium/core.c +30 -2
  119. data/vendor/libsodium/src/libsodium/sodium/runtime.c +14 -0
  120. data/vendor/libsodium/src/libsodium/sodium/utils.c +46 -0
  121. data/vendor/libsodium/test/Makefile.in +3 -1
  122. data/vendor/libsodium/test/default/Makefile.am +16 -0
  123. data/vendor/libsodium/test/default/Makefile.in +71 -23
  124. data/vendor/libsodium/test/default/aead_aes256gcm.c +1 -1
  125. data/vendor/libsodium/test/default/cmptest.h +4 -0
  126. data/vendor/libsodium/test/default/core3.c +44 -4
  127. data/vendor/libsodium/test/default/core3.exp +2 -0
  128. data/vendor/libsodium/test/default/core4.c +1 -1
  129. data/vendor/libsodium/test/default/core_ed25519.c +151 -0
  130. data/vendor/libsodium/test/default/core_ed25519.exp +1 -0
  131. data/vendor/libsodium/test/default/ed25519_convert.c +9 -1
  132. data/vendor/libsodium/test/default/index.html.tpl +17 -3
  133. data/vendor/libsodium/test/default/kdf.c +4 -2
  134. data/vendor/libsodium/test/default/metamorphic.c +8 -8
  135. data/vendor/libsodium/test/default/misuse.c +29 -1
  136. data/vendor/libsodium/test/default/pwhash_argon2i.c +9 -3
  137. data/vendor/libsodium/test/default/pwhash_argon2i.exp +2 -2
  138. data/vendor/libsodium/test/default/pwhash_argon2id.c +7 -2
  139. data/vendor/libsodium/test/default/pwhash_argon2id.exp +2 -2
  140. data/vendor/libsodium/test/default/scalarmult.c +0 -2
  141. data/vendor/libsodium/test/default/scalarmult.exp +0 -1
  142. data/vendor/libsodium/test/default/scalarmult_ed25519.c +90 -0
  143. data/vendor/libsodium/test/default/scalarmult_ed25519.exp +1 -0
  144. data/vendor/libsodium/test/default/secretbox_easy2.c +1 -1
  145. data/vendor/libsodium/test/default/secretstream.c +52 -3
  146. data/vendor/libsodium/test/default/sign.c +16 -0
  147. data/vendor/libsodium/test/default/sodium_core.c +1 -0
  148. data/vendor/libsodium/test/default/sodium_utils.c +2 -1
  149. data/vendor/libsodium/test/default/xchacha20.c +2 -1
  150. metadata +63 -12
  151. data/vendor/libsodium/src/libsodium/crypto_core/curve25519/ref10/base.h +0 -1344
  152. data/vendor/libsodium/src/libsodium/crypto_core/curve25519/ref10/base2.h +0 -40
  153. data/vendor/libsodium/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c +0 -2797
  154. data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/donna_c64/curve25519_donna_c64.c +0 -545
  155. data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/donna_c64/curve25519_donna_c64.h +0 -10
  156. data/vendor/libsodium/src/libsodium/include/sodium/private/curve25519_ref10.h +0 -132
  157. data/vendor/libsodium/test/default/index-wasm.html.tpl +0 -118
@@ -96,6 +96,7 @@ typedef struct Argon2_instance_t {
96
96
  block_region *region; /* Memory region pointer */
97
97
  uint64_t *pseudo_rands;
98
98
  uint32_t passes; /* Number of passes */
99
+ uint32_t current_pass;
99
100
  uint32_t memory_blocks; /* Number of blocks in memory */
100
101
  uint32_t segment_length;
101
102
  uint32_t lane_length;
@@ -135,9 +136,76 @@ typedef struct Argon2_thread_data {
135
136
  * If so we can reference the current segment
136
137
  * @pre All pointers must be valid
137
138
  */
138
- uint32_t index_alpha(const argon2_instance_t *instance,
139
- const argon2_position_t *position, uint32_t pseudo_rand,
140
- int same_lane);
139
+ static uint32_t index_alpha(const argon2_instance_t *instance,
140
+ const argon2_position_t *position, uint32_t pseudo_rand,
141
+ int same_lane)
142
+ {
143
+ /*
144
+ * Pass 0:
145
+ * This lane : all already finished segments plus already constructed
146
+ * blocks in this segment
147
+ * Other lanes : all already finished segments
148
+ * Pass 1+:
149
+ * This lane : (SYNC_POINTS - 1) last segments plus already constructed
150
+ * blocks in this segment
151
+ * Other lanes : (SYNC_POINTS - 1) last segments
152
+ */
153
+ uint32_t reference_area_size;
154
+ uint64_t relative_position;
155
+ uint32_t start_position, absolute_position;
156
+
157
+ if (position->pass == 0) {
158
+ /* First pass */
159
+ if (position->slice == 0) {
160
+ /* First slice */
161
+ reference_area_size =
162
+ position->index - 1; /* all but the previous */
163
+ } else {
164
+ if (same_lane) {
165
+ /* The same lane => add current segment */
166
+ reference_area_size =
167
+ position->slice * instance->segment_length +
168
+ position->index - 1;
169
+ } else {
170
+ reference_area_size =
171
+ position->slice * instance->segment_length +
172
+ ((position->index == 0) ? (-1) : 0);
173
+ }
174
+ }
175
+ } else {
176
+ /* Second pass */
177
+ if (same_lane) {
178
+ reference_area_size = instance->lane_length -
179
+ instance->segment_length + position->index -
180
+ 1;
181
+ } else {
182
+ reference_area_size = instance->lane_length -
183
+ instance->segment_length +
184
+ ((position->index == 0) ? (-1) : 0);
185
+ }
186
+ }
187
+
188
+ /* 1.2.4. Mapping pseudo_rand to 0..<reference_area_size-1> and produce
189
+ * relative position */
190
+ relative_position = pseudo_rand;
191
+ relative_position = relative_position * relative_position >> 32;
192
+ relative_position = reference_area_size - 1 -
193
+ (reference_area_size * relative_position >> 32);
194
+
195
+ /* 1.2.5 Computing starting position */
196
+ start_position = 0;
197
+
198
+ if (position->pass != 0) {
199
+ start_position = (position->slice == ARGON2_SYNC_POINTS - 1)
200
+ ? 0
201
+ : (position->slice + 1) * instance->segment_length;
202
+ }
203
+
204
+ /* 1.2.6. Computing absolute position */
205
+ absolute_position = (start_position + relative_position) %
206
+ instance->lane_length; /* absolute position */
207
+ return absolute_position;
208
+ }
141
209
 
142
210
  /*
143
211
  * Function that validates all inputs against predefined restrictions and return
@@ -224,6 +292,6 @@ void fill_segment_ref(const argon2_instance_t *instance,
224
292
  * @param instance Pointer to the current instance
225
293
  * @return Zero if successful, -1 if memory failed to allocate
226
294
  */
227
- void fill_memory_blocks(argon2_instance_t *instance);
295
+ void fill_memory_blocks(argon2_instance_t *instance, uint32_t pass);
228
296
 
229
297
  #endif
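Review bot: The doc comment above the changed `fill_memory_blocks` prototype does not describe the new `pass` parameter, and its `@return Zero if successful, -1 if memory failed to allocate` line describes a value a `void` function cannot return. Add `@param pass Index of the pass to fill (0-based, less than instance->passes)` and drop or correct the `@return` line. In the second hunk, `index_alpha` is now a `static` definition in a header, so every translation unit that includes argon2-core.h gets its own copy and may warn about an unused function if it never calls it; a comment stating which fill_block implementations it is meant to be inlined into, or marking it `static inline`, would make that intent explicit.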
@@ -29,6 +29,7 @@ argon2_ctx(argon2_context *context, argon2_type type)
29
29
  /* 1. Validate all inputs */
30
30
  int result = validate_inputs(context);
31
31
  uint32_t memory_blocks, segment_length;
32
+ uint32_t pass;
32
33
  argon2_instance_t instance;
33
34
 
34
35
  if (ARGON2_OK != result) {
@@ -53,6 +54,7 @@ argon2_ctx(argon2_context *context, argon2_type type)
53
54
 
54
55
  instance.region = NULL;
55
56
  instance.passes = context->t_cost;
57
+ instance.current_pass = ~ 0U;
56
58
  instance.memory_blocks = memory_blocks;
57
59
  instance.segment_length = segment_length;
58
60
  instance.lane_length = segment_length * ARGON2_SYNC_POINTS;
@@ -70,7 +72,9 @@ argon2_ctx(argon2_context *context, argon2_type type)
70
72
  }
71
73
 
72
74
  /* 4. Filling memory */
73
- fill_memory_blocks(&instance);
75
+ for (pass = 0; pass < instance.passes; pass++) {
76
+ fill_memory_blocks(&instance, pass);
77
+ }
74
78
 
75
79
  /* 5. Finalization */
76
80
  finalize(context, &instance);
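Review bot: `instance.current_pass = ~ 0U;` introduces a sentinel with no comment saying what it denotes or who advances it, while the loop `for (pass = 0; pass < instance.passes; pass++)` already hands `pass` to `fill_memory_blocks` explicitly, so the relationship between the field and the argument is not visible here. Suggest `/* no pass started yet; presumably updated by fill_memory_blocks() per pass -- confirm */`, or state the contract next to the new `current_pass` field in argon2-core.h. The stray space in `~ 0U` is also unusual; `~0U` reads more clearly.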
@@ -69,7 +69,7 @@
69
69
  #define ARGON2_FLAG_CLEAR_PASSWORD (UINT32_C(1) << 0)
70
70
  #define ARGON2_FLAG_CLEAR_SECRET (UINT32_C(1) << 1)
71
71
  #define ARGON2_FLAG_CLEAR_MEMORY (UINT32_C(1) << 2)
72
- #define ARGON2_DEFAULT_FLAGS (ARGON2_FLAG_CLEAR_MEMORY)
72
+ #define ARGON2_DEFAULT_FLAGS (UINT32_C(0))
73
73
 
74
74
  /* Error codes */
75
75
  typedef enum Argon2_ErrorCodes {
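Review bot: Changing `ARGON2_DEFAULT_FLAGS` from `(ARGON2_FLAG_CLEAR_MEMORY)` to `(UINT32_C(0))` means a context built with the default flags no longer has its memory blocks wiped by the Argon2 core, so password-derived state remains in the region until something else clears it; whether the allocator or the libsodium wrapper now does that is not visible in this diff and should be confirmed. A comment on the define should record where the wipe now happens, e.g. `/* memory clearing is done by the caller when the region is released, not by argon2 itself */`, so a future caller of argon2_ctx() with default flags knows to opt in to ARGON2_FLAG_CLEAR_MEMORY if that path does not apply to it.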
@@ -28,7 +28,13 @@
28
28
  #include "runtime.h"
29
29
 
30
30
  #if !defined(MAP_ANON) && defined(MAP_ANONYMOUS)
31
- #define MAP_ANON MAP_ANONYMOUS
31
+ # define MAP_ANON MAP_ANONYMOUS
32
+ #endif
33
+ #ifndef MAP_NOCORE
34
+ # define MAP_NOCORE 0
35
+ #endif
36
+ #ifndef MAP_POPULATE
37
+ # define MAP_POPULATE 0
32
38
  #endif
33
39
 
34
40
  void *
@@ -37,13 +43,10 @@ alloc_region(escrypt_region_t *region, size_t size)
37
43
  uint8_t *base, *aligned;
38
44
  #if defined(MAP_ANON) && defined(HAVE_MMAP)
39
45
  if ((base = (uint8_t *) mmap(NULL, size, PROT_READ | PROT_WRITE,
40
- #ifdef MAP_NOCORE
41
- MAP_ANON | MAP_PRIVATE | MAP_NOCORE,
42
- #else
43
- MAP_ANON | MAP_PRIVATE,
44
- #endif
45
- -1, 0)) == MAP_FAILED)
46
+ MAP_ANON | MAP_PRIVATE | MAP_NOCORE | MAP_POPULATE,
47
+ -1, 0)) == MAP_FAILED) {
46
48
  base = NULL; /* LCOV_EXCL_LINE */
49
+ } /* LCOV_EXCL_LINE */
47
50
  aligned = base;
48
51
  #elif defined(HAVE_POSIX_MEMALIGN)
49
52
  if ((errno = posix_memalign((void **) &base, 64, size)) != 0) {
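Review bot: The single `mmap` call now always passes `MAP_ANON | MAP_PRIVATE | MAP_NOCORE | MAP_POPULATE`, and the first hunk defines both `MAP_NOCORE` and `MAP_POPULATE` to 0 where the platform lacks them, so on such platforms the scrypt region, which holds password-derived data, silently becomes eligible for core dumps with nothing in the code marking that loss. A comment at the call site, `/* MAP_NOCORE and MAP_POPULATE are no-ops where the platform lacks them: the region is then dumpable and prefaulting is best-effort */`, would make the degraded behaviour visible to whoever ports or audits this. The enclosing `alloc_region` continues past the end of the hunk.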
@@ -2,174 +2,50 @@
2
2
  #include <stddef.h>
3
3
  #include <stdint.h>
4
4
 
5
- #ifndef HAVE_TI_MODE
6
-
7
5
  #include "../scalarmult_curve25519.h"
8
- #include "private/curve25519_ref10.h"
6
+ #include "export.h"
7
+ #include "private/ed25519_ref10.h"
9
8
  #include "utils.h"
10
9
  #include "x25519_ref10.h"
11
10
 
12
11
  /*
13
- Replace (f,g) with (g,f) if b == 1;
14
- replace (f,g) with (f,g) if b == 0.
15
-
16
- Preconditions: b in {0,1}.
17
- */
18
-
19
- static void
20
- fe_cswap(fe f, fe g, unsigned int b)
21
- {
22
- int32_t f0 = f[0];
23
- int32_t f1 = f[1];
24
- int32_t f2 = f[2];
25
- int32_t f3 = f[3];
26
- int32_t f4 = f[4];
27
- int32_t f5 = f[5];
28
- int32_t f6 = f[6];
29
- int32_t f7 = f[7];
30
- int32_t f8 = f[8];
31
- int32_t f9 = f[9];
32
- int32_t g0 = g[0];
33
- int32_t g1 = g[1];
34
- int32_t g2 = g[2];
35
- int32_t g3 = g[3];
36
- int32_t g4 = g[4];
37
- int32_t g5 = g[5];
38
- int32_t g6 = g[6];
39
- int32_t g7 = g[7];
40
- int32_t g8 = g[8];
41
- int32_t g9 = g[9];
42
- int32_t x0 = f0 ^ g0;
43
- int32_t x1 = f1 ^ g1;
44
- int32_t x2 = f2 ^ g2;
45
- int32_t x3 = f3 ^ g3;
46
- int32_t x4 = f4 ^ g4;
47
- int32_t x5 = f5 ^ g5;
48
- int32_t x6 = f6 ^ g6;
49
- int32_t x7 = f7 ^ g7;
50
- int32_t x8 = f8 ^ g8;
51
- int32_t x9 = f9 ^ g9;
52
-
53
- b = (unsigned int)(-(int)b);
54
- x0 &= b;
55
- x1 &= b;
56
- x2 &= b;
57
- x3 &= b;
58
- x4 &= b;
59
- x5 &= b;
60
- x6 &= b;
61
- x7 &= b;
62
- x8 &= b;
63
- x9 &= b;
64
- f[0] = f0 ^ x0;
65
- f[1] = f1 ^ x1;
66
- f[2] = f2 ^ x2;
67
- f[3] = f3 ^ x3;
68
- f[4] = f4 ^ x4;
69
- f[5] = f5 ^ x5;
70
- f[6] = f6 ^ x6;
71
- f[7] = f7 ^ x7;
72
- f[8] = f8 ^ x8;
73
- f[9] = f9 ^ x9;
74
- g[0] = g0 ^ x0;
75
- g[1] = g1 ^ x1;
76
- g[2] = g2 ^ x2;
77
- g[3] = g3 ^ x3;
78
- g[4] = g4 ^ x4;
79
- g[5] = g5 ^ x5;
80
- g[6] = g6 ^ x6;
81
- g[7] = g7 ^ x7;
82
- g[8] = g8 ^ x8;
83
- g[9] = g9 ^ x9;
84
- }
85
-
86
- /*
87
- h = f * 121666
88
- Can overlap h with f.
89
-
90
- Preconditions:
91
- |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc.
92
-
93
- Postconditions:
94
- |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc.
95
- */
96
-
97
- static void
98
- fe_mul121666(fe h, const fe f)
12
+ * Reject small order points early to mitigate the implications of
13
+ * unexpected optimizations that would affect the ref10 code.
14
+ * See https://eprint.iacr.org/2017/806.pdf for reference.
15
+ */
16
+ static int
17
+ has_small_order(const unsigned char s[32])
99
18
  {
100
- int32_t f0 = f[0];
101
- int32_t f1 = f[1];
102
- int32_t f2 = f[2];
103
- int32_t f3 = f[3];
104
- int32_t f4 = f[4];
105
- int32_t f5 = f[5];
106
- int32_t f6 = f[6];
107
- int32_t f7 = f[7];
108
- int32_t f8 = f[8];
109
- int32_t f9 = f[9];
110
- int64_t h0 = f0 * (int64_t)121666;
111
- int64_t h1 = f1 * (int64_t)121666;
112
- int64_t h2 = f2 * (int64_t)121666;
113
- int64_t h3 = f3 * (int64_t)121666;
114
- int64_t h4 = f4 * (int64_t)121666;
115
- int64_t h5 = f5 * (int64_t)121666;
116
- int64_t h6 = f6 * (int64_t)121666;
117
- int64_t h7 = f7 * (int64_t)121666;
118
- int64_t h8 = f8 * (int64_t)121666;
119
- int64_t h9 = f9 * (int64_t)121666;
120
- int64_t carry0;
121
- int64_t carry1;
122
- int64_t carry2;
123
- int64_t carry3;
124
- int64_t carry4;
125
- int64_t carry5;
126
- int64_t carry6;
127
- int64_t carry7;
128
- int64_t carry8;
129
- int64_t carry9;
130
-
131
- carry9 = (h9 + ((int64_t)1 << 24)) >> 25;
132
- h0 += carry9 * 19;
133
- h9 -= carry9 * ((int64_t)1 << 25);
134
- carry1 = (h1 + ((int64_t)1 << 24)) >> 25;
135
- h2 += carry1;
136
- h1 -= carry1 * ((int64_t)1 << 25);
137
- carry3 = (h3 + ((int64_t)1 << 24)) >> 25;
138
- h4 += carry3;
139
- h3 -= carry3 * ((int64_t)1 << 25);
140
- carry5 = (h5 + ((int64_t)1 << 24)) >> 25;
141
- h6 += carry5;
142
- h5 -= carry5 * ((int64_t)1 << 25);
143
- carry7 = (h7 + ((int64_t)1 << 24)) >> 25;
144
- h8 += carry7;
145
- h7 -= carry7 * ((int64_t)1 << 25);
146
-
147
- carry0 = (h0 + ((int64_t)1 << 25)) >> 26;
148
- h1 += carry0;
149
- h0 -= carry0 * ((int64_t)1 << 26);
150
- carry2 = (h2 + ((int64_t)1 << 25)) >> 26;
151
- h3 += carry2;
152
- h2 -= carry2 * ((int64_t)1 << 26);
153
- carry4 = (h4 + ((int64_t)1 << 25)) >> 26;
154
- h5 += carry4;
155
- h4 -= carry4 * ((int64_t)1 << 26);
156
- carry6 = (h6 + ((int64_t)1 << 25)) >> 26;
157
- h7 += carry6;
158
- h6 -= carry6 * ((int64_t)1 << 26);
159
- carry8 = (h8 + ((int64_t)1 << 25)) >> 26;
160
- h9 += carry8;
161
- h8 -= carry8 * ((int64_t)1 << 26);
162
-
163
- h[0] = (int32_t) h0;
164
- h[1] = (int32_t) h1;
165
- h[2] = (int32_t) h2;
166
- h[3] = (int32_t) h3;
167
- h[4] = (int32_t) h4;
168
- h[5] = (int32_t) h5;
169
- h[6] = (int32_t) h6;
170
- h[7] = (int32_t) h7;
171
- h[8] = (int32_t) h8;
172
- h[9] = (int32_t) h9;
19
+ CRYPTO_ALIGN(16)
20
+ static const unsigned char blacklist[][32] = {
21
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
22
+ { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
23
+ { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 },
24
+ { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 },
25
+ { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
26
+ { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
27
+ { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
28
+ { 0xcd, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x80 },
29
+ { 0x4c, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0xd7 },
30
+ { 0xd9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
31
+ { 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
32
+ { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }
33
+ };
34
+ unsigned char c[12] = { 0 };
35
+ unsigned int k;
36
+ size_t i, j;
37
+
38
+ COMPILER_ASSERT(12 == sizeof blacklist / sizeof blacklist[0]);
39
+ for (j = 0; j < 32; j++) {
40
+ for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
41
+ c[i] |= s[j] ^ blacklist[i][j];
42
+ }
43
+ }
44
+ k = 0;
45
+ for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
46
+ k |= (c[i] - 1);
47
+ }
48
+ return (int) ((k >> 8) & 1);
173
49
  }
174
50
 
175
51
  static int
@@ -177,98 +53,101 @@ crypto_scalarmult_curve25519_ref10(unsigned char *q,
177
53
  const unsigned char *n,
178
54
  const unsigned char *p)
179
55
  {
180
- unsigned char e[32];
181
- unsigned int i;
182
- fe x1;
183
- fe x2;
184
- fe z2;
185
- fe x3;
186
- fe z3;
187
- fe tmp0;
188
- fe tmp1;
189
- int pos;
190
- unsigned int swap;
191
- unsigned int b;
192
-
193
- for (i = 0; i < 32; ++i) {
194
- e[i] = n[i];
56
+ unsigned char *t = q;
57
+ unsigned int i;
58
+ fe25519 x1;
59
+ fe25519 x2;
60
+ fe25519 z2;
61
+ fe25519 x3;
62
+ fe25519 z3;
63
+ fe25519 tmp0;
64
+ fe25519 tmp1;
65
+ int pos;
66
+ unsigned int swap;
67
+ unsigned int b;
68
+
69
+ if (has_small_order(p)) {
70
+ return -1;
195
71
  }
196
- e[0] &= 248;
197
- e[31] &= 127;
198
- e[31] |= 64;
199
- fe_frombytes(x1, p);
200
- fe_1(x2);
201
- fe_0(z2);
202
- fe_copy(x3, x1);
203
- fe_1(z3);
72
+ for (i = 0; i < 32; i++) {
73
+ t[i] = n[i];
74
+ }
75
+ t[0] &= 248;
76
+ t[31] &= 127;
77
+ t[31] |= 64;
78
+ fe25519_frombytes(x1, p);
79
+ fe25519_1(x2);
80
+ fe25519_0(z2);
81
+ fe25519_copy(x3, x1);
82
+ fe25519_1(z3);
204
83
 
205
84
  swap = 0;
206
85
  for (pos = 254; pos >= 0; --pos) {
207
- b = e[pos / 8] >> (pos & 7);
86
+ b = t[pos / 8] >> (pos & 7);
208
87
  b &= 1;
209
88
  swap ^= b;
210
- fe_cswap(x2, x3, swap);
211
- fe_cswap(z2, z3, swap);
89
+ fe25519_cswap(x2, x3, swap);
90
+ fe25519_cswap(z2, z3, swap);
212
91
  swap = b;
213
- fe_sub(tmp0, x3, z3);
214
- fe_sub(tmp1, x2, z2);
215
- fe_add(x2, x2, z2);
216
- fe_add(z2, x3, z3);
217
- fe_mul(z3, tmp0, x2);
218
- fe_mul(z2, z2, tmp1);
219
- fe_sq(tmp0, tmp1);
220
- fe_sq(tmp1, x2);
221
- fe_add(x3, z3, z2);
222
- fe_sub(z2, z3, z2);
223
- fe_mul(x2, tmp1, tmp0);
224
- fe_sub(tmp1, tmp1, tmp0);
225
- fe_sq(z2, z2);
226
- fe_mul121666(z3, tmp1);
227
- fe_sq(x3, x3);
228
- fe_add(tmp0, tmp0, z3);
229
- fe_mul(z3, x1, z2);
230
- fe_mul(z2, tmp1, tmp0);
92
+ fe25519_sub(tmp0, x3, z3);
93
+ fe25519_sub(tmp1, x2, z2);
94
+ fe25519_add(x2, x2, z2);
95
+ fe25519_add(z2, x3, z3);
96
+ fe25519_mul(z3, tmp0, x2);
97
+ fe25519_mul(z2, z2, tmp1);
98
+ fe25519_sq(tmp0, tmp1);
99
+ fe25519_sq(tmp1, x2);
100
+ fe25519_add(x3, z3, z2);
101
+ fe25519_sub(z2, z3, z2);
102
+ fe25519_mul(x2, tmp1, tmp0);
103
+ fe25519_sub(tmp1, tmp1, tmp0);
104
+ fe25519_sq(z2, z2);
105
+ fe25519_scalar_product(z3, tmp1, 121666);
106
+ fe25519_sq(x3, x3);
107
+ fe25519_add(tmp0, tmp0, z3);
108
+ fe25519_mul(z3, x1, z2);
109
+ fe25519_mul(z2, tmp1, tmp0);
231
110
  }
232
- fe_cswap(x2, x3, swap);
233
- fe_cswap(z2, z3, swap);
111
+ fe25519_cswap(x2, x3, swap);
112
+ fe25519_cswap(z2, z3, swap);
234
113
 
235
- fe_invert(z2, z2);
236
- fe_mul(x2, x2, z2);
237
- fe_tobytes(q, x2);
114
+ fe25519_invert(z2, z2);
115
+ fe25519_mul(x2, x2, z2);
116
+ fe25519_tobytes(q, x2);
238
117
 
239
118
  return 0;
240
119
  }
241
120
 
242
121
  static void
243
- edwards_to_montgomery(fe montgomeryX, const fe edwardsY, const fe edwardsZ)
122
+ edwards_to_montgomery(fe25519 montgomeryX, const fe25519 edwardsY, const fe25519 edwardsZ)
244
123
  {
245
- fe tempX;
246
- fe tempZ;
124
+ fe25519 tempX;
125
+ fe25519 tempZ;
247
126
 
248
- fe_add(tempX, edwardsZ, edwardsY);
249
- fe_sub(tempZ, edwardsZ, edwardsY);
250
- fe_invert(tempZ, tempZ);
251
- fe_mul(montgomeryX, tempX, tempZ);
127
+ fe25519_add(tempX, edwardsZ, edwardsY);
128
+ fe25519_sub(tempZ, edwardsZ, edwardsY);
129
+ fe25519_invert(tempZ, tempZ);
130
+ fe25519_mul(montgomeryX, tempX, tempZ);
252
131
  }
253
132
 
254
133
  static int
255
134
  crypto_scalarmult_curve25519_ref10_base(unsigned char *q,
256
135
  const unsigned char *n)
257
136
  {
258
- unsigned char e[32];
259
- ge_p3 A;
260
- fe pk;
261
- unsigned int i;
137
+ unsigned char *t = q;
138
+ ge25519_p3 A;
139
+ fe25519 pk;
140
+ unsigned int i;
262
141
 
263
- for (i = 0; i < 32; ++i) {
264
- e[i] = n[i];
142
+ for (i = 0; i < 32; i++) {
143
+ t[i] = n[i];
265
144
  }
266
- e[0] &= 248;
267
- e[31] &= 127;
268
- e[31] |= 64;
269
- ge_scalarmult_base(&A, e);
145
+ t[0] &= 248;
146
+ t[31] &= 127;
147
+ t[31] |= 64;
148
+ ge25519_scalarmult_base(&A, t);
270
149
  edwards_to_montgomery(pk, A.Y, A.Z);
271
- fe_tobytes(q, pk);
150
+ fe25519_tobytes(q, pk);
272
151
 
273
152
  return 0;
274
153
  }
@@ -278,5 +157,3 @@ struct crypto_scalarmult_curve25519_implementation
278
157
  SODIUM_C99(.mult =) crypto_scalarmult_curve25519_ref10,
279
158
  SODIUM_C99(.mult_base =) crypto_scalarmult_curve25519_ref10_base
280
159
  };
281
-
282
- #endif
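Review bot: In `crypto_scalarmult_curve25519_ref10`, `unsigned char *t = q;` followed by `t[i] = n[i];` and the clamping writes turns the output buffer into scratch for the clamped scalar before `fe25519_frombytes(x1, p)` reads the point, so a caller that passes the same buffer for `q` and `p` now has its point overwritten, and the `has_small_order(p)` check that ran before the copy no longer describes the value actually used; the removed code copied into a stack `e[32]` and had no such aliasing hazard. Either document the restriction on both this function and `crypto_scalarmult_curve25519_ref10_base`, `/* q doubles as scratch for the clamped scalar: q must not alias p */`, or move `fe25519_frombytes(x1, p);` above the copy loop. In `has_small_order`, the `k |= (c[i] - 1)` / `(k >> 8) & 1` construction relies on `c[i] - 1` producing a negative value only when `c[i] == 0`; a one-line comment, `/* c[i] == 0 iff s == blacklist[i]; bit 8 of k is set iff some c[i] == 0 */`, would make the branch-free intent readable.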