RubyGems - rbnacl-libsodium - Versions diffs - 1.0.15.1 → 1.0.16 - Mend

rbnacl-libsodium 1.0.15.1 → 1.0.16

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (157) hide show

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/sign.c CHANGED

@@ -3,8 +3,9 @@
 #include "crypto_hash_sha512.h"
 #include "crypto_sign_ed25519.h"
-#include "ed25519_ref10.h"
-#include "private/curve25519_ref10.h"
+#include "sign_ed25519_ref10.h"
+#include "private/ed25519_ref10.h"
+#include "randombytes.h"
 #include "utils.h"
 void
@@ -23,6 +24,43 @@ _crypto_sign_ed25519_ref10_hinit(crypto_hash_sha512_state *hs, int prehashed)
     }
 }
+static inline void
+_crypto_sign_ed25519_clamp(unsigned char k[32])
+{
+    k[0] &= 248;
+    k[31] &= 127;
+    k[31] |= 64;
+}
+#ifdef ED25519_NONDETERMINISTIC
+/* r = hash(B || empty_labelset || Z || pad1 || k || pad2 || empty_labelset || K || extra || M) (mod q) */
+static void
+_crypto_sign_ed25519_synthetic_r_hv(crypto_hash_sha512_state *hs,
+                                    unsigned char Z[32],
+                                    const unsigned char sk[64])
+{
+    static const unsigned char B[32] = {
+        0x58, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+        0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+        0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+        0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66, 0x66,
+    };
+    static const unsigned char zeros[128] = { 0x00 };
+    static const unsigned char empty_labelset[3] = { 0x02, 0x00, 0x00 };
+    crypto_hash_sha512_update(hs, B, 32);
+    crypto_hash_sha512_update(hs, empty_labelset, 3);
+    randombytes_buf(Z, 32);
+    crypto_hash_sha512_update(hs, Z, 32);
+    crypto_hash_sha512_update(hs, zeros, 128 - (32 + 3 + 32) % 128);
+    crypto_hash_sha512_update(hs, sk, 32);
+    crypto_hash_sha512_update(hs, zeros, 128 - 32 % 128);
+    crypto_hash_sha512_update(hs, empty_labelset, 3);
+    crypto_hash_sha512_update(hs, sk + 32, 32);
+    /* empty extra */
+}
+#endif
 int
 _crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
                               const unsigned char *m, unsigned long long mlen,
@@ -32,33 +70,38 @@ _crypto_sign_ed25519_detached(unsigned char *sig, unsigned long long *siglen_p,
     unsigned char            az[64];
     unsigned char            nonce[64];
     unsigned char            hram[64];
-    ge_p3                    R;
-    crypto_hash_sha512(az, sk, 32);
-    az[0] &= 248;
-    az[31] &= 63;
-    az[31] |= 64;
+    ge25519_p3               R;
     _crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
+#ifdef ED25519_NONDETERMINISTIC
+    memcpy(az, sk, 32);
+    _crypto_sign_ed25519_synthetic_r_hv(&hs, nonce, az);
+#else
+    crypto_hash_sha512(az, sk, 32);
     crypto_hash_sha512_update(&hs, az + 32, 32);
+#endif
     crypto_hash_sha512_update(&hs, m, mlen);
     crypto_hash_sha512_final(&hs, nonce);
     memmove(sig + 32, sk + 32, 32);
-    sc_reduce(nonce);
-    ge_scalarmult_base(&R, nonce);
-    ge_p3_tobytes(sig, &R);
+    sc25519_reduce(nonce);
+    ge25519_scalarmult_base(&R, nonce);
+    ge25519_p3_tobytes(sig, &R);
     _crypto_sign_ed25519_ref10_hinit(&hs, prehashed);
     crypto_hash_sha512_update(&hs, sig, 64);
     crypto_hash_sha512_update(&hs, m, mlen);
     crypto_hash_sha512_final(&hs, hram);
-    sc_reduce(hram);
-    sc_muladd(sig + 32, hram, az, nonce);
+    sc25519_reduce(hram);
+    _crypto_sign_ed25519_clamp(az);
+    sc25519_muladd(sig + 32, hram, az, nonce);
     sodium_memzero(az, sizeof az);
+    sodium_memzero(nonce, sizeof nonce);
     if (siglen_p != NULL) {
         *siglen_p = 64U;

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/{ed25519_ref10.h → sign_ed25519_ref10.h} RENAMED

@@ -1,5 +1,5 @@
-#ifndef ed25519_ref10_H
-#define ed25519_ref10_H
+#ifndef sign_ed25519_ref10_H
+#define sign_ed25519_ref10_H
 void _crypto_sign_ed25519_ref10_hinit(crypto_hash_sha512_state *hs,
                                       int prehashed);
@@ -15,7 +15,4 @@ int _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
                                          unsigned long long   mlen,
                                          const unsigned char *pk,
                                          int prehashed);
-int _crypto_sign_ed25519_small_order(const unsigned char p[32]);
 #endif

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/sign_ed25519.c CHANGED

@@ -3,7 +3,7 @@
 #include "crypto_hash_sha512.h"
 #include "crypto_sign_ed25519.h"
-#include "ref10/ed25519_ref10.h"
+#include "ref10/sign_ed25519_ref10.h"
 size_t
 crypto_sign_ed25519ph_statebytes(void)

data/vendor/libsodium/src/libsodium/crypto_stream/chacha20/stream_chacha20.c CHANGED

@@ -1,5 +1,6 @@
 #include "crypto_stream_chacha20.h"
 #include "private/common.h"
+#include "private/implementations.h"
 #include "randombytes.h"
 #include "runtime.h"
 #include "stream_chacha20.h"

data/vendor/libsodium/src/libsodium/crypto_stream/salsa20/stream_salsa20.c CHANGED

@@ -1,5 +1,6 @@
 #include "crypto_stream_salsa20.h"
 #include "private/common.h"
+#include "private/implementations.h"
 #include "randombytes.h"
 #include "runtime.h"
 #include "stream_salsa20.h"

data/vendor/libsodium/src/libsodium/crypto_stream/salsa20/xmm6int/u8.h CHANGED

@@ -96,7 +96,7 @@ if (bytes >= 512) {
         z4  = orig4;
         z8  = orig8;
-        for (i = 0; i < 20; i += 2) {
+        for (i = 0; i < ROUNDS; i += 2) {
             /* the inner loop is a direct translation (regexp search/replace)
              * from the amd64-xmm6 ASM */
             __m256i r0, r1, r2, r3, r4, r5, r6, r7, r8, r9, r10, r11, r12, r13,

data/vendor/libsodium/src/libsodium/include/Makefile.am CHANGED

@@ -12,6 +12,7 @@ SODIUM_EXPORT = \
 	sodium/crypto_box.h \
 	sodium/crypto_box_curve25519xchacha20poly1305.h \
 	sodium/crypto_box_curve25519xsalsa20poly1305.h \
+	sodium/crypto_core_ed25519.h \
 	sodium/crypto_core_hchacha20.h \
 	sodium/crypto_core_hsalsa20.h \
 	sodium/crypto_core_salsa20.h \
@@ -33,6 +34,7 @@ SODIUM_EXPORT = \
 	sodium/crypto_pwhash_scryptsalsa208sha256.h \
 	sodium/crypto_scalarmult.h \
 	sodium/crypto_scalarmult_curve25519.h \
+	sodium/crypto_scalarmult_ed25519.h \
 	sodium/crypto_secretbox.h \
 	sodium/crypto_secretbox_xchacha20poly1305.h \
 	sodium/crypto_secretbox_xsalsa20poly1305.h \

data/vendor/libsodium/src/libsodium/include/Makefile.in CHANGED

@@ -98,7 +98,7 @@ am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_catchable_abrt.m4 \
 	$(top_srcdir)/m4/ax_check_compile_flag.m4 \
 	$(top_srcdir)/m4/ax_check_define.m4 \
 	$(top_srcdir)/m4/ax_check_link_flag.m4 \
-	$(top_srcdir)/m4/ax_pthread.m4 \
+	$(top_srcdir)/m4/ax_pthread.m4 $(top_srcdir)/m4/ax_tls.m4 \
 	$(top_srcdir)/m4/ax_valgrind_check.m4 \
 	$(top_srcdir)/m4/ld-output-def.m4 $(top_srcdir)/m4/libtool.m4 \
 	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
@@ -139,9 +139,10 @@ am__nobase_include_HEADERS_DIST = sodium.h sodium/core.h \
 	sodium/crypto_auth_hmacsha512256.h sodium/crypto_box.h \
 	sodium/crypto_box_curve25519xchacha20poly1305.h \
 	sodium/crypto_box_curve25519xsalsa20poly1305.h \
-	sodium/crypto_core_hchacha20.h sodium/crypto_core_hsalsa20.h \
-	sodium/crypto_core_salsa20.h sodium/crypto_core_salsa2012.h \
-	sodium/crypto_core_salsa208.h sodium/crypto_generichash.h \
+	sodium/crypto_core_ed25519.h sodium/crypto_core_hchacha20.h \
+	sodium/crypto_core_hsalsa20.h sodium/crypto_core_salsa20.h \
+	sodium/crypto_core_salsa2012.h sodium/crypto_core_salsa208.h \
+	sodium/crypto_generichash.h \
 	sodium/crypto_generichash_blake2b.h sodium/crypto_hash.h \
 	sodium/crypto_hash_sha256.h sodium/crypto_hash_sha512.h \
 	sodium/crypto_kdf.h sodium/crypto_kdf_blake2b.h \
@@ -151,7 +152,7 @@ am__nobase_include_HEADERS_DIST = sodium.h sodium/core.h \
 	sodium/crypto_pwhash_scryptsalsa208sha256.h \
 	sodium/crypto_scalarmult.h \
 	sodium/crypto_scalarmult_curve25519.h \
-	sodium/crypto_secretbox.h \
+	sodium/crypto_scalarmult_ed25519.h sodium/crypto_secretbox.h \
 	sodium/crypto_secretbox_xchacha20poly1305.h \
 	sodium/crypto_secretbox_xsalsa20poly1305.h \
 	sodium/crypto_secretstream_xchacha20poly1305.h \
@@ -220,6 +221,7 @@ CTAGS = ctags
 am__DIST_COMMON = $(srcdir)/Makefile.in
 DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
 ACLOCAL = @ACLOCAL@
+ALLOCA = @ALLOCA@
 AMTAR = @AMTAR@
 AM_DEFAULT_VERBOSITY = @AM_DEFAULT_VERBOSITY@
 AR = @AR@
@@ -240,6 +242,7 @@ CFLAGS_AVX2 = @CFLAGS_AVX2@
 CFLAGS_AVX512F = @CFLAGS_AVX512F@
 CFLAGS_MMX = @CFLAGS_MMX@
 CFLAGS_PCLMUL = @CFLAGS_PCLMUL@
+CFLAGS_RDRAND = @CFLAGS_RDRAND@
 CFLAGS_SSE2 = @CFLAGS_SSE2@
 CFLAGS_SSE3 = @CFLAGS_SSE3@
 CFLAGS_SSE41 = @CFLAGS_SSE41@
@@ -384,9 +387,10 @@ SODIUM_EXPORT = sodium.h sodium/core.h sodium/crypto_aead_aes256gcm.h \
 	sodium/crypto_auth_hmacsha512256.h sodium/crypto_box.h \
 	sodium/crypto_box_curve25519xchacha20poly1305.h \
 	sodium/crypto_box_curve25519xsalsa20poly1305.h \
-	sodium/crypto_core_hchacha20.h sodium/crypto_core_hsalsa20.h \
-	sodium/crypto_core_salsa20.h sodium/crypto_core_salsa2012.h \
-	sodium/crypto_core_salsa208.h sodium/crypto_generichash.h \
+	sodium/crypto_core_ed25519.h sodium/crypto_core_hchacha20.h \
+	sodium/crypto_core_hsalsa20.h sodium/crypto_core_salsa20.h \
+	sodium/crypto_core_salsa2012.h sodium/crypto_core_salsa208.h \
+	sodium/crypto_generichash.h \
 	sodium/crypto_generichash_blake2b.h sodium/crypto_hash.h \
 	sodium/crypto_hash_sha256.h sodium/crypto_hash_sha512.h \
 	sodium/crypto_kdf.h sodium/crypto_kdf_blake2b.h \
@@ -396,7 +400,7 @@ SODIUM_EXPORT = sodium.h sodium/core.h sodium/crypto_aead_aes256gcm.h \
 	sodium/crypto_pwhash_scryptsalsa208sha256.h \
 	sodium/crypto_scalarmult.h \
 	sodium/crypto_scalarmult_curve25519.h \
-	sodium/crypto_secretbox.h \
+	sodium/crypto_scalarmult_ed25519.h sodium/crypto_secretbox.h \
 	sodium/crypto_secretbox_xchacha20poly1305.h \
 	sodium/crypto_secretbox_xsalsa20poly1305.h \
 	sodium/crypto_secretstream_xchacha20poly1305.h \

data/vendor/libsodium/src/libsodium/include/sodium.h CHANGED

@@ -58,6 +58,8 @@
 #ifndef SODIUM_LIBRARY_MINIMAL
 # include "sodium/crypto_box_curve25519xchacha20poly1305.h"
+# include "sodium/crypto_core_ed25519.h"
+# include "sodium/crypto_scalarmult_ed25519.h"
 # include "sodium/crypto_secretbox_xchacha20poly1305.h"
 # include "sodium/crypto_pwhash_scryptsalsa208sha256.h"
 # include "sodium/crypto_stream_salsa2012.h"

data/vendor/libsodium/src/libsodium/include/sodium/crypto_core_ed25519.h ADDED

@@ -0,0 +1,37 @@
+#ifndef crypto_core_ed25519_H
+#define crypto_core_ed25519_H
+#include <stddef.h>
+#include "export.h"
+#ifdef __cplusplus
+extern "C" {
+#endif
+#define crypto_core_ed25519_BYTES 32
+SODIUM_EXPORT
+size_t crypto_core_ed25519_bytes(void);
+#define crypto_core_ed25519_UNIFORMBYTES 32
+SODIUM_EXPORT
+size_t crypto_core_ed25519_uniformbytes(void);
+SODIUM_EXPORT
+int crypto_core_ed25519_is_valid_point(const unsigned char *p);
+SODIUM_EXPORT
+int crypto_core_ed25519_add(unsigned char *r,
+                            const unsigned char *p, const unsigned char *q);
+SODIUM_EXPORT
+int crypto_core_ed25519_sub(unsigned char *r,
+                            const unsigned char *p, const unsigned char *q);
+SODIUM_EXPORT
+int crypto_core_ed25519_from_uniform(unsigned char *p, const unsigned char *r);
+#ifdef __cplusplus
+}
+#endif
+#endif

data/vendor/libsodium/src/libsodium/include/sodium/crypto_scalarmult.h CHANGED

@@ -25,6 +25,14 @@ const char *crypto_scalarmult_primitive(void);
 SODIUM_EXPORT
 int crypto_scalarmult_base(unsigned char *q, const unsigned char *n);
+/*
+ * NOTE: Do not use the result of this function directly.
+ *
+ * Hash the result with the public keys in order to compute a shared
+ * secret key: H(q || client_pk || server_pk)
+ *
+ * Or unless this is not an option, use the crypto_kx() API instead.
+ */
 SODIUM_EXPORT
 int crypto_scalarmult(unsigned char *q, const unsigned char *n,
                       const unsigned char *p)

data/vendor/libsodium/src/libsodium/include/sodium/crypto_scalarmult_curve25519.h CHANGED

@@ -17,6 +17,14 @@ size_t crypto_scalarmult_curve25519_bytes(void);
 SODIUM_EXPORT
 size_t crypto_scalarmult_curve25519_scalarbytes(void);
+/*
+ * NOTE: Do not use the result of this function directly.
+ *
+ * Hash the result with the public keys in order to compute a shared
+ * secret key: H(q || client_pk || server_pk)
+ *
+ * Or unless this is not an option, use the crypto_kx() API instead.
+ */
 SODIUM_EXPORT
 int crypto_scalarmult_curve25519(unsigned char *q, const unsigned char *n,
                                  const unsigned char *p)

data/vendor/libsodium/src/libsodium/include/sodium/crypto_scalarmult_ed25519.h ADDED

@@ -0,0 +1,41 @@
+#ifndef crypto_scalarmult_ed25519_H
+#define crypto_scalarmult_ed25519_H
+#include <stddef.h>
+#include "export.h"
+#ifdef __cplusplus
+extern "C" {
+#endif
+#define crypto_scalarmult_ed25519_BYTES 32U
+SODIUM_EXPORT
+size_t crypto_scalarmult_ed25519_bytes(void);
+#define crypto_scalarmult_ed25519_SCALARBYTES 32U
+SODIUM_EXPORT
+size_t crypto_scalarmult_ed25519_scalarbytes(void);
+/*
+ * NOTE: Do not use the result of this function directly.
+ *
+ * Hash the result with the public keys in order to compute a shared
+ * secret key: H(q || client_pk || server_pk)
+ *
+ * Or unless this is not an option, use the crypto_kx() API instead.
+ */
+SODIUM_EXPORT
+int crypto_scalarmult_ed25519(unsigned char *q, const unsigned char *n,
+                              const unsigned char *p)
+            __attribute__ ((warn_unused_result));
+SODIUM_EXPORT
+int crypto_scalarmult_ed25519_base(unsigned char *q, const unsigned char *n);
+#ifdef __cplusplus
+}
+#endif
+#endif

data/vendor/libsodium/src/libsodium/include/sodium/private/common.h CHANGED

@@ -7,6 +7,14 @@
 #define COMPILER_ASSERT(X) (void) sizeof(char[(X) ? 1 : -1])
+#ifdef HAVE_TI_MODE
+# if defined(__SIZEOF_INT128__)
+typedef unsigned __int128 uint128_t;
+# else
+typedef unsigned uint128_t __attribute__((mode(TI)));
+# endif
+#endif
 #define ROTL32(X, B) rotl32((X), (B))
 static inline uint32_t
 rotl32(const uint32_t x, const int b)
@@ -225,4 +233,14 @@ xor_buf(unsigned char *out, const unsigned char *in, size_t n)
 # include <intrin.h>
 #endif
+#ifdef HAVE_LIBCTGRIND
+extern void ct_poison  (const void *, size_t);
+extern void ct_unpoison(const void *, size_t);
+# define POISON(X, L)   ct_poison((X), (L))
+# define UNPOISON(X, L) ct_unpoison((X), (L))
+#else
+# define POISON(X, L)   (void) 0
+# define UNPOISON(X, L) (void) 0
+#endif
 #endif

data/vendor/libsodium/src/libsodium/include/sodium/private/ed25519_ref10.h ADDED

@@ -0,0 +1,125 @@
+#ifndef ed25519_ref10_H
+#define ed25519_ref10_H
+#include <stddef.h>
+#include <stdint.h>
+/*
+ fe means field element.
+ Here the field is \Z/(2^255-19).
+ */
+#ifdef HAVE_TI_MODE
+typedef uint64_t fe25519[5];
+#else
+typedef int32_t fe25519[10];
+#endif
+void fe25519_invert(fe25519 out, const fe25519 z);
+void fe25519_frombytes(fe25519 h, const unsigned char *s);
+void fe25519_tobytes(unsigned char *s, const fe25519 h);
+#ifdef HAVE_TI_MODE
+# include "ed25519_ref10_fe_51.h"
+#else
+# include "ed25519_ref10_fe_25_5.h"
+#endif
+/*
+ ge means group element.
+ Here the group is the set of pairs (x,y) of field elements
+ satisfying -x^2 + y^2 = 1 + d x^2y^2
+ where d = -121665/121666.
+ Representations:
+ ge25519_p2 (projective): (X:Y:Z) satisfying x=X/Z, y=Y/Z
+ ge25519_p3 (extended): (X:Y:Z:T) satisfying x=X/Z, y=Y/Z, XY=ZT
+ ge25519_p1p1 (completed): ((X:Z),(Y:T)) satisfying x=X/Z, y=Y/T
+ ge25519_precomp (Duif): (y+x,y-x,2dxy)
+ */
+typedef struct {
+    fe25519 X;
+    fe25519 Y;
+    fe25519 Z;
+} ge25519_p2;
+typedef struct {
+    fe25519 X;
+    fe25519 Y;
+    fe25519 Z;
+    fe25519 T;
+} ge25519_p3;
+typedef struct {
+    fe25519 X;
+    fe25519 Y;
+    fe25519 Z;
+    fe25519 T;
+} ge25519_p1p1;
+typedef struct {
+    fe25519 yplusx;
+    fe25519 yminusx;
+    fe25519 xy2d;
+} ge25519_precomp;
+typedef struct {
+    fe25519 YplusX;
+    fe25519 YminusX;
+    fe25519 Z;
+    fe25519 T2d;
+} ge25519_cached;
+void ge25519_tobytes(unsigned char *s, const ge25519_p2 *h);
+void ge25519_p3_tobytes(unsigned char *s, const ge25519_p3 *h);
+int ge25519_frombytes(ge25519_p3 *h, const unsigned char *s);
+int ge25519_frombytes_negate_vartime(ge25519_p3 *h, const unsigned char *s);
+void ge25519_p3_to_cached(ge25519_cached *r, const ge25519_p3 *p);
+void ge25519_p1p1_to_p2(ge25519_p2 *r, const ge25519_p1p1 *p);
+void ge25519_p1p1_to_p3(ge25519_p3 *r, const ge25519_p1p1 *p);
+void ge25519_add(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_cached *q);
+void ge25519_sub(ge25519_p1p1 *r, const ge25519_p3 *p, const ge25519_cached *q);
+void ge25519_scalarmult_base(ge25519_p3 *h, const unsigned char *a);
+void ge25519_double_scalarmult_vartime(ge25519_p2 *r, const unsigned char *a,
+                                       const ge25519_p3 *A,
+                                       const unsigned char *b);
+void ge25519_scalarmult(ge25519_p3 *h, const unsigned char *a,
+                        const ge25519_p3 *p);
+int ge25519_is_canonical(const unsigned char *s);
+int ge25519_is_on_curve(const ge25519_p3 *p);
+int ge25519_is_on_main_subgroup(const ge25519_p3 *p);
+int ge25519_has_small_order(const unsigned char s[32]);
+void ge25519_from_uniform(unsigned char s[32], const unsigned char r[32]);
+/*
+ The set of scalars is \Z/l
+ where l = 2^252 + 27742317777372353535851937790883648493.
+ */
+void sc25519_reduce(unsigned char *s);
+void sc25519_muladd(unsigned char *s, const unsigned char *a,
+                    const unsigned char *b, const unsigned char *c);
+int sc25519_is_canonical(const unsigned char *s);
+#endif