RubyGems - rbnacl-libsodium - Versions diffs - 1.0.15.1 → 1.0.16 - Mend

rbnacl-libsodium 1.0.15.1 → 1.0.16

Files changed (157) hide show

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/sign.c CHANGED

@@ -3,8 +3,9 @@
 #include "crypto_hash_sha512.h"
 #include "crypto_sign_ed25519.h"
-#include "ed25519_ref10.h"
-#include "private/curve25519_ref10.h"
+#include "sign_ed25519_ref10.h"
+#include "private/ed25519_ref10.h"
+#include "randombytes.h"
 #include "utils.h"
 void
@@ -23,6 +24,43 @@ _crypto_sign_ed25519_ref10_hinit(crypto_hash_sha512_state *hs, int prehashed)
     }
 }
+static inline void
+_crypto_sign_ed25519_clamp(unsigned char k[32])
+{
+    k[0] &= 248;
+    k[31] &= 127;
+    k[31] |= 64;
+}
+#ifdef ED25519_NONDETERMINISTIC
+/* r = hash(B || empty_labelset || Z || pad1 || k || pad2 || empty_labelset || K || extra || M) (mod q) */
+static void
+_crypto_sign_ed25519_synthetic_r_hv(crypto_hash_sha512_state *hs,
+                                    unsigned char Z[32],
+                                    const unsigned char sk[64])
+{
+    static const unsigned char B[32] = {
+        0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+        0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+        0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+        0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+    };
+    static const unsigned char zeros[128] = { 0x00 };
+    static const unsigned char empty_labelset[3] = { 0x02, 0x00, 0x00 };
+    crypto_hash_sha512_update(hs, B, 32);
+    crypto_hash_sha512_update(hs, empty_labelset, 3);
+    randombytes_buf(Z, 32);
+    crypto_hash_sha512_update(hs, Z, 32);
+    crypto_hash_sha512_update(hs, zeros, 128 - (32 + 3 + 32) % 128);
+    crypto_hash_sha512_update(hs, sk, 32);
+    crypto_hash_sha512_update(hs, zeros, 128 - 32 % 128);
+    crypto_hash_sha512_update(hs, empty_labelset, 3);
+    crypto_hash_sha512_update(hs, sk + 32, 32);
+    /* empty extra */
+}
+#endif
 int
 _crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
                               const unsigned char *m, unsigned long long mlen,
@@ -32,33 +70,38 @@ _crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
     unsigned char            az[64];
     unsigned char            nonce[64];
     unsigned char            hram[64];
-    ge_p3                    R;
-    crypto_hash_sha512(az, sk, 32);
-    az[0] &= 248;
-    az[31] &= 63;
-    az[31] |= 64;
+    ge25519_p3               R;
     _crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
+#ifdef ED25519_NONDETERMINISTIC
+    memcpy(az, sk, 32);
+    _crypto_sign_ed25519_synthetic_r_hv(&hs, nonce, az);
+#else
+    crypto_hash_sha512(az, sk, 32);
     crypto_hash_sha512_update(&hs, az + 32, 32);
+#endif
     crypto_hash_sha512_update(&hs, m, mlen);
     crypto_hash_sha512_final(&hs, nonce);
     memmove(sig + 32, sk + 32, 32);
-    sc_reduce(nonce);
-    ge_scalarmult_base(&R, nonce);
-    ge_p3_tobytes(sig, &R);
+    sc25519_reduce(nonce);
+    ge25519_scalarmult_base(&R, nonce);
+    ge25519_p3_tobytes(sig, &R);
     _crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
     crypto_hash_sha512_update(&hs, sig, 64);
     crypto_hash_sha512_update(&hs, m, mlen);
     crypto_hash_sha512_final(&hs, hram);
-    sc_reduce(hram);
-    sc_muladd(sig + 32, hram, az, nonce);
+    sc25519_reduce(hram);
+    _crypto_sign_ed25519_clamp(az);
+    sc25519_muladd(sig + 32, hram, az, nonce);
     sodium_memzero(az, sizeof az);
+    sodium_memzero(nonce, sizeof nonce);
     if (siglen_p != NULL) {
         *siglen_p = 64U;

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/{ed25519_ref10.h → sign_ed25519_ref10.h} RENAMED

@@ -1,5 +1,5 @@
-#ifndef ed25519_ref10_H
-#define ed25519_ref10_H
+#ifndef sign_ed25519_ref10_H
+#define sign_ed25519_ref10_H
 void _crypto_sign_ed25519_ref10_hinit(crypto_hash_sha512_state *hs,
                                       int prehashed);
@@ -15,7 +15,4 @@ int _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
                                          unsigned long long   mlen,
                                          const unsigned char *pk,
                                          int prehashed);
-int _crypto_sign_ed25519_small_order(const unsigned char p[32]);
 #endif

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/sign_ed25519.c CHANGED

@@ -3,7 +3,7 @@
 #include "crypto_hash_sha512.h"
 #include "crypto_sign_ed25519.h"
-#include "ref10/ed25519_ref10.h"
+#include "ref10/sign_ed25519_ref10.h"
 size_t
 crypto_sign_ed25519ph_statebytes(void)

data/vendor/libsodium/src/libsodium/crypto_stream/chacha20/stream_chacha20.c CHANGED

@@ -1,5 +1,6 @@
 #include "crypto_stream_chacha20.h"
 #include "private/common.h"
+#include "private/implementations.h"
 #include "randombytes.h"
 #include "runtime.h"
 #include "stream_chacha20.h"

data/vendor/libsodium/src/libsodium/crypto_stream/salsa20/stream_salsa20.c CHANGED

@@ -1,5 +1,6 @@
 #include "crypto_stream_salsa20.h"
 #include "private/common.h"
+#include "private/implementations.h"
 #include "randombytes.h"
 #include "runtime.h"
 #include "stream_salsa20.h"

data/vendor/libsodium/src/libsodium/crypto_stream/salsa20/xmm6int/u8.h CHANGED

@@ -96,7 +96,7 @@ if (bytes >= 512) {
         z4  = orig4;
         z8  = orig8;
-        for (i = 0; i < 20; i += 2) {
+        for (i = 0; i < ROUNDS; i += 2) {
             /* the inner loop is a direct translation (regexp search/replace)
              * from the amd64-xmm6 ASM */
             __m256i r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12, r13,

data/vendor/libsodium/src/libsodium/include/Makefile.am CHANGED

@@ -12,6 +12,7 @@ SODIUM_EXPORT = \
 	sodium/crypto_box.h \
 	sodium/crypto_box_curve25519xchacha20poly1305.h \
 	sodium/crypto_box_curve25519xsalsa20poly1305.h \
+	sodium/crypto_core_ed25519.h \
 	sodium/crypto_core_hchacha20.h \
 	sodium/crypto_core_hsalsa20.h \
 	sodium/crypto_core_salsa20.h \
@@ -33,6 +34,7 @@ SODIUM_EXPORT = \
 	sodium/crypto_pwhash_scryptsalsa208sha256.h \
 	sodium/crypto_scalarmult.h \
 	sodium/crypto_scalarmult_curve25519.h \
+	sodium/crypto_scalarmult_ed25519.h \
 	sodium/crypto_secretbox.h \
 	sodium/crypto_secretbox_xchacha20poly1305.h \
 	sodium/crypto_secretbox_xsalsa20poly1305.h \

data/vendor/libsodium/src/libsodium/include/Makefile.in CHANGED

@@ -98,7 +98,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_catchable_abrt.m4 \
 	$(top_srcdir)/m4/ax_check_compile_flag.m4 \
 	$(top_srcdir)/m4/ax_check_define.m4 \
 	$(top_srcdir)/m4/ax_check_link_flag.m4 \
-	$(top_srcdir)/m4/ax_pthread.m4 \
+	$(top_srcdir)/m4/ax_pthread.m4 $(top_srcdir)/m4/ax_tls.m4 \
 	$(top_srcdir)/m4/ax_valgrind_check.m4 \
 	$(top_srcdir)/m4/ld-output-def.m4 $(top_srcdir)/m4/libtool.m4 \
 	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
@@ -139,9 +139,10 @@ am__nobase_include_HEADERS_DIST = sodium.h sodium/core.h \
 	sodium/crypto_auth_hmacsha512256.h sodium/crypto_box.h \
 	sodium/crypto_box_curve25519xchacha20poly1305.h \
 	sodium/crypto_box_curve25519xsalsa20poly1305.h \
-	sodium/crypto_core_hchacha20.h sodium/crypto_core_hsalsa20.h \
-	sodium/crypto_core_salsa20.h sodium/crypto_core_salsa2012.h \
-	sodium/crypto_core_salsa208.h sodium/crypto_generichash.h \
+	sodium/crypto_core_ed25519.h sodium/crypto_core_hchacha20.h \
+	sodium/crypto_core_hsalsa20.h sodium/crypto_core_salsa20.h \
+	sodium/crypto_core_salsa2012.h sodium/crypto_core_salsa208.h \
+	sodium/crypto_generichash.h \
 	sodium/crypto_generichash_blake2b.h sodium/crypto_hash.h \
 	sodium/crypto_hash_sha256.h sodium/crypto_hash_sha512.h \
 	sodium/crypto_kdf.h sodium/crypto_kdf_blake2b.h \
@@ -151,7 +152,7 @@ am__nobase_include_HEADERS_DIST = sodium.h sodium/core.h \
 	sodium/crypto_pwhash_scryptsalsa208sha256.h \
 	sodium/crypto_scalarmult.h \
 	sodium/crypto_scalarmult_curve25519.h \
-	sodium/crypto_secretbox.h \
+	sodium/crypto_scalarmult_ed25519.h sodium/crypto_secretbox.h \
 	sodium/crypto_secretbox_xchacha20poly1305.h \
 	sodium/crypto_secretbox_xsalsa20poly1305.h \
 	sodium/crypto_secretstream_xchacha20poly1305.h \
@@ -220,6 +221,7 @@ CTAGS = ctags
 am__DIST_COMMON = $(srcdir)/Makefile.in
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
@@ -240,6 +242,7 @@ CFLAGS_AVX2 = @CFLAGS_AVX2@
 CFLAGS_AVX512F = @CFLAGS_AVX512F@
 CFLAGS_MMX = @CFLAGS_MMX@
 CFLAGS_PCLMUL = @CFLAGS_PCLMUL@
+CFLAGS_RDRAND = @CFLAGS_RDRAND@
 CFLAGS_SSE2 = @CFLAGS_SSE2@
 CFLAGS_SSE3 = @CFLAGS_SSE3@
 CFLAGS_SSE41 = @CFLAGS_SSE41@
@@ -384,9 +387,10 @@ SODIUM_EXPORT = sodium.h sodium/core.h sodium/crypto_aead_aes256gcm.h \
 	sodium/crypto_auth_hmacsha512256.h sodium/crypto_box.h \
 	sodium/crypto_box_curve25519xchacha20poly1305.h \
 	sodium/crypto_box_curve25519xsalsa20poly1305.h \
-	sodium/crypto_core_hchacha20.h sodium/crypto_core_hsalsa20.h \
-	sodium/crypto_core_salsa20.h sodium/crypto_core_salsa2012.h \
-	sodium/crypto_core_salsa208.h sodium/crypto_generichash.h \
+	sodium/crypto_core_ed25519.h sodium/crypto_core_hchacha20.h \
+	sodium/crypto_core_hsalsa20.h sodium/crypto_core_salsa20.h \
+	sodium/crypto_core_salsa2012.h sodium/crypto_core_salsa208.h \
+	sodium/crypto_generichash.h \
 	sodium/crypto_generichash_blake2b.h sodium/crypto_hash.h \
 	sodium/crypto_hash_sha256.h sodium/crypto_hash_sha512.h \
 	sodium/crypto_kdf.h sodium/crypto_kdf_blake2b.h \
@@ -396,7 +400,7 @@ SODIUM_EXPORT = sodium.h sodium/core.h sodium/crypto_aead_aes256gcm.h \
 	sodium/crypto_pwhash_scryptsalsa208sha256.h \
 	sodium/crypto_scalarmult.h \
 	sodium/crypto_scalarmult_curve25519.h \
-	sodium/crypto_secretbox.h \
+	sodium/crypto_scalarmult_ed25519.h sodium/crypto_secretbox.h \
 	sodium/crypto_secretbox_xchacha20poly1305.h \
 	sodium/crypto_secretbox_xsalsa20poly1305.h \
 	sodium/crypto_secretstream_xchacha20poly1305.h \

data/vendor/libsodium/src/libsodium/include/sodium.h CHANGED

@@ -58,6 +58,8 @@
 #ifndef SODIUM_LIBRARY_MINIMAL
 # include "sodium/crypto_box_curve25519xchacha20poly1305.h"
+# include "sodium/crypto_core_ed25519.h"
+# include "sodium/crypto_scalarmult_ed25519.h"
 # include "sodium/crypto_secretbox_xchacha20poly1305.h"
 # include "sodium/crypto_pwhash_scryptsalsa208sha256.h"
 # include "sodium/crypto_stream_salsa2012.h"

data/vendor/libsodium/src/libsodium/include/sodium/crypto_core_ed25519.h ADDED

@@ -0,0 +1,37 @@
+#ifndef crypto_core_ed25519_H
+#define crypto_core_ed25519_H
+#include <stddef.h>
+#include "export.h"
+#ifdef __cplusplus
+extern "C" {
+#endif
+#define crypto_core_ed25519_BYTES 32
+SODIUM_EXPORT
+size_t crypto_core_ed25519_bytes(void);
+#define crypto_core_ed25519_UNIFORMBYTES 32
+SODIUM_EXPORT
+size_t crypto_core_ed25519_uniformbytes(void);
+SODIUM_EXPORT
+int crypto_core_ed25519_is_valid_point(const unsigned char *p);
+SODIUM_EXPORT
+int crypto_core_ed25519_add(unsigned char *r,
+                            const unsigned char *p, const unsigned char *q);
+SODIUM_EXPORT
+int crypto_core_ed25519_sub(unsigned char *r,
+                            const unsigned char *p, const unsigned char *q);
+SODIUM_EXPORT
+int crypto_core_ed25519_from_uniform(unsigned char *p, const unsigned char *r);
+#ifdef __cplusplus
+}
+#endif
+#endif

data/vendor/libsodium/src/libsodium/include/sodium/crypto_scalarmult.h CHANGED

@@ -25,6 +25,14 @@ const char *crypto_scalarmult_primitive(void);
 SODIUM_EXPORT
 int crypto_scalarmult_base(unsigned char *q, const unsigned char *n);
+/*
+ * NOTE: Do not use the result of this function directly.
+ *
+ * Hash the result with the public keys in order to compute a shared
+ * secret key: H(q || client_pk || server_pk)
+ *
+ * Or unless this is not an option, use the crypto_kx() API instead.
+ */
 SODIUM_EXPORT
 int crypto_scalarmult(unsigned char *q, const unsigned char *n,
                       const unsigned char *p)

data/vendor/libsodium/src/libsodium/include/sodium/crypto_scalarmult_curve25519.h CHANGED

@@ -17,6 +17,14 @@ size_t crypto_scalarmult_curve25519_bytes(void);
 SODIUM_EXPORT
 size_t crypto_scalarmult_curve25519_scalarbytes(void);
+/*
+ * NOTE: Do not use the result of this function directly.
+ *
+ * Hash the result with the public keys in order to compute a shared
+ * secret key: H(q || client_pk || server_pk)
+ *
+ * Or unless this is not an option, use the crypto_kx() API instead.
+ */
 SODIUM_EXPORT
 int crypto_scalarmult_curve25519(unsigned char *q, const unsigned char *n,
                                  const unsigned char *p)

data/vendor/libsodium/src/libsodium/include/sodium/crypto_scalarmult_ed25519.h ADDED

@@ -0,0 +1,41 @@
+#ifndef crypto_scalarmult_ed25519_H
+#define crypto_scalarmult_ed25519_H
+#include <stddef.h>
+#include "export.h"
+#ifdef __cplusplus
+extern "C" {
+#endif
+#define crypto_scalarmult_ed25519_BYTES 32U
+SODIUM_EXPORT
+size_t crypto_scalarmult_ed25519_bytes(void);
+#define crypto_scalarmult_ed25519_SCALARBYTES 32U
+SODIUM_EXPORT
+size_t crypto_scalarmult_ed25519_scalarbytes(void);
+/*
+ * NOTE: Do not use the result of this function directly.
+ *
+ * Hash the result with the public keys in order to compute a shared
+ * secret key: H(q || client_pk || server_pk)
+ *
+ * Or unless this is not an option, use the crypto_kx() API instead.
+ */
+SODIUM_EXPORT
+int crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
+                              const unsigned char *p)
+            __attribute__ ((warn_unused_result));
+SODIUM_EXPORT
+int crypto_scalarmult_ed25519_base(unsigned char *q, const unsigned char *n);
+#ifdef __cplusplus
+}
+#endif
+#endif

data/vendor/libsodium/src/libsodium/include/sodium/private/common.h CHANGED

@@ -7,6 +7,14 @@
 #define COMPILER_ASSERT(X) (void) sizeof(char[(X) ? 1 : -1])
+#ifdef HAVE_TI_MODE
+# if defined(__SIZEOF_INT128__)
+typedef unsigned __int128 uint128_t;
+# else
+typedef unsigned uint128_t __attribute__((mode(TI)));
+# endif
+#endif
 #define ROTL32(X, B) rotl32((X), (B))
 static inline uint32_t
 rotl32(const uint32_t x, const int b)
@@ -225,4 +233,14 @@ xor_buf(unsigned char *out, const unsigned char *in, size_t n)
 # include <intrin.h>
 #endif
+#ifdef HAVE_LIBCTGRIND
+extern void ct_poison  (const void *, size_t);
+extern void ct_unpoison(const void *, size_t);
+# define POISON(X, L)   ct_poison((X), (L))
+# define UNPOISON(X, L) ct_unpoison((X), (L))
+#else
+# define POISON(X, L)   (void) 0
+# define UNPOISON(X, L) (void) 0
+#endif
 #endif

data/vendor/libsodium/src/libsodium/include/sodium/private/ed25519_ref10.h ADDED

@@ -0,0 +1,125 @@
+#ifndef ed25519_ref10_H
+#define ed25519_ref10_H
+#include <stddef.h>
+#include <stdint.h>
+/*
+ fe means field element.
+ Here the field is \Z/(2^255-19).
+ */
+#ifdef HAVE_TI_MODE
+typedef uint64_t fe25519[5];
+#else
+typedef int32_t fe25519[10];
+#endif
+void fe25519_invert(fe25519 out, const fe25519 z);
+void fe25519_frombytes(fe25519 h, const unsigned char *s);
+void fe25519_tobytes(unsigned char *s, const fe25519 h);
+#ifdef HAVE_TI_MODE
+# include "ed25519_ref10_fe_51.h"
+#else
+# include "ed25519_ref10_fe_25_5.h"
+#endif
+/*
+ ge means group element.
+ Here the group is the set of pairs (x,y) of field elements
+ satisfying -x^2 + y^2 = 1 + d x^2y^2
+ where d = -121665/121666.
+ Representations:
+ ge25519_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z
+ ge25519_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
+ ge25519_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
+ ge25519_precomp (Duif): (y+x,y-x,2dxy)
+ */
+typedef struct {
+    fe25519 X;
+    fe25519 Y;
+    fe25519 Z;
+} ge25519_p2;
+typedef struct {
+    fe25519 X;
+    fe25519 Y;
+    fe25519 Z;
+    fe25519 T;
+} ge25519_p3;
+typedef struct {
+    fe25519 X;
+    fe25519 Y;
+    fe25519 Z;
+    fe25519 T;
+} ge25519_p1p1;
+typedef struct {
+    fe25519 yplusx;
+    fe25519 yminusx;
+    fe25519 xy2d;
+} ge25519_precomp;
+typedef struct {
+    fe25519 YplusX;
+    fe25519 YminusX;
+    fe25519 Z;
+    fe25519 T2d;
+} ge25519_cached;
+void ge25519_tobytes(unsigned char *s, const ge25519_p2 *h);
+void ge25519_p3_tobytes(unsigned char *s, const ge25519_p3 *h);
+int ge25519_frombytes(ge25519_p3 *h, const unsigned char *s);
+int ge25519_frombytes_negate_vartime(ge25519_p3 *h, const unsigned char *s);
+void ge25519_p3_to_cached(ge25519_cached *r, const ge25519_p3 *p);
+void ge25519_p1p1_to_p2(ge25519_p2 *r, const ge25519_p1p1 *p);
+void ge25519_p1p1_to_p3(ge25519_p3 *r, const ge25519_p1p1 *p);
+void ge25519_add(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_cached *q);
+void ge25519_sub(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_cached *q);
+void ge25519_scalarmult_base(ge25519_p3 *h, const unsigned char *a);
+void ge25519_double_scalarmult_vartime(ge25519_p2 *r, const unsigned char *a,
+                                       const ge25519_p3 *A,
+                                       const unsigned char *b);
+void ge25519_scalarmult(ge25519_p3 *h, const unsigned char *a,
+                        const ge25519_p3 *p);
+int ge25519_is_canonical(const unsigned char *s);
+int ge25519_is_on_curve(const ge25519_p3 *p);
+int ge25519_is_on_main_subgroup(const ge25519_p3 *p);
+int ge25519_has_small_order(const unsigned char s[32]);
+void ge25519_from_uniform(unsigned char s[32], const unsigned char r[32]);
+/*
+ The set of scalars is \Z/l
+ where l = 2^252 + 27742317777372353535851937790883648493.
+ */
+void sc25519_reduce(unsigned char *s);
+void sc25519_muladd(unsigned char *s, const unsigned char *a,
+                    const unsigned char *b, const unsigned char *c);
+int sc25519_is_canonical(const unsigned char *s);
+#endif