Loup Vaillant [Sat, 8 Feb 2020 17:23:51 +0000 (18:23 +0100)]
Added warning in the Git version of the README
I noticed that some careless hurried people tend to use Monocypher from
the git repository directly. They don't even grab the releases from
GitHub. That's not ideal for two reasons:
1. The master branch isn't always stable.
2. The Git repository misses some automatically generated files.
This patch attempts to get end users away from the Git repository,
towards well tested official releases. Also, for users who think the
tarballs are binary releases (they're source releases), or who just want
to be done as quickly as possible, I gave direct links to the main
source and header files.
Loup Vaillant [Fri, 24 Jan 2020 21:19:32 +0000 (22:19 +0100)]
Improved readability of EdDSA verification
Basically, we separated the computation of R_check from the verification
that it is equal to R. The computation of R_check takes s, h_ram and the
public key as parameters, and outputs R_check.
The primary advantage is a better separation of concerns, which makes
the code more readable in my opinion.
A secondary advantage is that we could now test ge_r_check() separately,
with arbitrary values of s and h_ram. This lets us test difficult-to-
trigger edge cases, like having s or h_ram exceeding 2^252, and is just
plain more general than only testing valid and invalid signatures.
I very much like this secondary advantage, because EdDSA is to this day
the part of Monocypher that makes me the most nervous.
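The relation that the separated ge_r_check() relies on, written out here as an added derivation (not part of the commit), with B the Ed25519 base point of order L, a the secret scalar, A = [a]B the public key, R = [r]B the signature's first half, and s and h_ram as in the commit:

  s       = r + h_ram * a                  (mod L)    how the signer computed s
  R_check = [s]B - [h_ram]A
          = [r + h_ram * a]B - [h_ram][a]B
          = [r]B + [h_ram * a]B - [h_ram * a]B
          = [r]B
          = R                                           for a valid signature

Because B has order L, [s]B depends only on s mod L, so ge_r_check() is well defined for any s or h_ram, including values above 2^252 or L; the separate range check s < L (RFC 8032) still has to be done by the caller before or alongside the R_check == R comparison.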
Loup Vaillant [Thu, 23 Jan 2020 22:27:47 +0000 (23:27 +0100)]
Easier to use ge_madd() and ge_msub()
There are two main changes:
1. ge_madd() and ge_msub() now take a ge_precomp as second argument.
2. ge_msub() can now process secrets.
The pre-computed tables have been adjusted accordingly. They're now
arrays of ge_precomp instead of being multiple arrays of fe.
We can also expect a (mostly negligible) performance increase:
- The new tables have slightly better locality.
- ge_msub() is the mirror of ge_madd() instead of using it.
- Using ge_msub() for signatures is now slightly more direct.
Fabio Scotoni [Wed, 15 Jan 2020 12:50:09 +0000 (13:50 +0100)]
Add some comments about what the EC functions do
This hopefully helps both auditing the code (by giving a clear
indication of what a function is supposed to be doing),
and trying to work with it (by minimizing the amount of time people need
to determine if a function is relevant to their interests).
Loup Vaillant [Sat, 11 Jan 2020 12:59:09 +0000 (13:59 +0100)]
Cosmetic/consistency in Argon2i
The functions g_copy() and g_xor() both take a pointer to a temporary,
to avoid wiping them again and again. unary_g(), however, did not, and
instead managed its temporary block internally.
Since unary_g() is called less often, this is not really a problem. I
thought it would be cleaner however to have all three functions work the
same way.
This should have a negligible, positive impact on performance as well.
Fabio Scotoni [Sat, 28 Dec 2019 14:05:14 +0000 (15:05 +0100)]
dist.sh: Forgot copyright header for myself
Was just a one-line find(1) change, so one could argue removal of me in
the CC-0 header would've been cleaner,
but Loup wanted me to take credit for it (e-mail of Oct 21, 2019).
Fabio Scotoni [Fri, 13 Dec 2019 08:42:28 +0000 (09:42 +0100)]
LICENCE.md: Clarifications
!!! important !!!
No change to the licensing situation of Monocypher is intended.
These are meant to be clarifications only.
No action is required on any user's part.
!!! /important !!!
These changes are highly delicate, so I feel obliged to give a detailed
explanation of each change.
(For my own sanity, I'll use U.S. spelling for "license",
even if the LICENCE.md is written in British English.)
---
"Monocypher is dual-licensed" -> "Monocypher as a whole is
dual-licensed"
This new wording matches the phrasing found in the top-level license
file of musl and mandoc, both of which are notable and fairly large
BSD-licensed projects.
The file headers added in an earlier commit are part of this:
The copyright notices are an *integral* part of the BSD 2-clause
license;
there has been no formal copyright assignment agreement,
so the copyright notices of all contributors who have made copyrightable
changes are really meant to be in all applicable files.
Pro forma it should be noted, however, that Michael Savage and I have
agreed to the LICENCE.md as it was before this commit by e-mail.
This makes no difference for everyone who's taken just the
monocypher.[ch] files and added those to their project because the
individual files' copyright notices for those two files match the
original LICENCE.md.
(And again, we don't *actually* care about compliance with the BSD
2-clause license from our end because we've waived copyright to the
greatest extent possible for CC-0, so the only ones who would actually
care live in your company's legal department.)
---
"Choose whichever you want" -> "Choose whichever you want from the two
licences listed below"
This change is mainly intended to clarify that you're not meant to
choose an *arbitrary* license, but rather one of the two below.
In practice, this should not matter because if you didn't choose the
2-clause BSD license, you chose CC-0, where copyright is maximally
waived anyway, which allows you to do whatever.
---
"The BSD licence serves as a fallback" -> "The BSD licence serves as a
fallback option"
This change clarifies that using the BSD 2-clause license is just an
option, to be exercised at the recipient's discretion,
without diluting the actual intent of placing Monocypher in the public
domain.
This matters because the CC-0 license *itself* has a section called
"Public License Fallback"; it is NOT the intent to replace section 3 of
CC-0 with a BSD 2-clause license.
The previous wording could, however, have been misconstrued like this
and thus could've butchered the very idea of using CC-0 in the first
place.
---
Added: "See the individual files for specific information about who
contributed to what file during which years. See below for special
notes."
This text was inspired by mandoc's licensing document.
It is necessary because the "total" copyright notice differs from the
copyright notice that applies to individual files,
so per-file compliance with the 2-clause BSD license differs.
About the special notes, see the section immediately below.
---
I also added a section called "Special notes",
which notes that we're allowed to include the externals because they've
been placed in the public domain by their respective authors.
This should help some people who are very careful about copyright and
distribution rights when redistributing Monocypher as a whole,
as they'll know where to look and all the heavy lifting has already been
done for them.
---
There are a number of files without the headers affixed to them.
Doing so would clutter them (e.g. README.md, CHANGELOG.md, AUTHORS.md)
and bring no actual value.
LICENCE.md applies to them indirectly.
---
(Digressions:
There's probably an interesting relationship between CC-0 and BSD
2-clause to be determined where any contributor agreeing to place their
work under the CC-0 license technically permits relicensing under the
BSD 2-clause in any case with no attribution.
I kind of wonder if CC-0 and a BSD 2-clause license aren't inherently
mutually exclusive -- it's conceptually difficult to grant rights that
you're immediately waiving in the next section of the same document.
But github.com/nothings/stb seems to take a similar approach with
MIT/Unlicense, and that evidently seems to make lawyers happy, so who am
I to judge?
But let's ignore all of these technicalities and be upstanding citizens
of the free software world that provide as much legal certainty as they
can.)
Fabio Scotoni [Thu, 12 Dec 2019 10:32:33 +0000 (11:32 +0100)]
Licensing header additions
+50 lines for every file.
The abbreviated CC0 license header was taken from the CC0 FAQ
(https://wiki.creativecommons.org/wiki/CC0_FAQ).
There's no commonly accepted way to shorten the 2-clause BSD license,
so it has to be copied in full every time.
The copyright notices are important for the 2-clause BSD license,
so adding a reference to LICENCE.md was impractical.
While already there, affix a SPDX license identifier to all files.
This helps automated license identification programs along,
such as GitHub and scancode-toolkit.
License headers are useful to clarify what license conditions apply
to a particular file.
Loup Vaillant [Fri, 20 Dec 2019 11:54:39 +0000 (12:54 +0100)]
Expunged Monokex test vectors
Monokex is unlikely to be added to Monocypher in the near future, for
a couple reasons:
- It is a high level protocol, and Monocypher is fairly low level.
- It is not yet ready for production.
- It takes a significant amount of code.
Maybe it will be added later, but first, Monokex must focus on being its
own library, with Monocypher as a dependency. (We could also have a
version that uses Libsodium instead.)
Fabio Scotoni [Thu, 12 Dec 2019 08:58:05 +0000 (09:58 +0100)]
makefile: Add LIBDIR option
This is useful for multiarch, where you may have the library
installed in a subdirectory of /usr/lib/,
e.g. /usr/lib/x86_64-linux-gnu/.
Debian and Ubuntu appear to make use of this extensively;
having this in the makefile will avoid hacks when doing multiarch.
Autotools has a similar feature (passing --libdir to configure).
Fabio Scotoni [Thu, 12 Dec 2019 08:48:36 +0000 (09:48 +0100)]
makefile: Honor LDFLAGS variable if given
This allows specifying e.g. hardening options like -Wl,-z,relro
for link-time options.
It *is* normally possible to add these to CFLAGS,
but LDFLAGS is the established way to do this and tooling expects
it to work.
See also POSIX on make(1), whose default rules use LDFLAGS.
Fabio Scotoni [Fri, 6 Dec 2019 07:32:47 +0000 (08:32 +0100)]
Documentation: complete SEE ALSO in intro(3monocypher)
This is supposed to be a complete and exhaustive list of
all documented functions,
as can be seen with all incremental functions being listed
separately, rather than only the "main" page that is symlinked to.
Fabio Scotoni [Fri, 6 Dec 2019 07:23:06 +0000 (08:23 +0100)]
Documentation: Address Loup's review via GitHub PR #137
- Fix typo in crypto_sign_init_first_pass_custom_hash(3monocypher)
- Wipe sk in crypto_sign_init_first_pass_custom_hash(3monocypher);
while it is just a test program, it is arguably good form to do so
in any case, especially in documentation code that people might be
copying and pasting.
- Note that HMACs can be safely truncated.
Loup Vaillant [Thu, 5 Dec 2019 21:07:26 +0000 (22:07 +0100)]
Prefixed optional files with "monocypher-"
Monocypher is a "single file" library, with optional files. As a single
file library, it is best to occupy the global namespace directly. It's
only one include, no need for a folder.
The optional files kinda throw things off. We could put them in a
sub-folder, but we probably want both headers to be in the same
place. And we certainly don't want to put monocypher.h itself in a
sub-folder.
The solution is to have those files side by side, none in a sub-folder.
Namespace pollution is limited to a prefix. Should be reasonable both
for projects that import those files directly, or for packaging in a
Linux or BSD distribution.
Loup Vaillant [Wed, 4 Dec 2019 18:24:59 +0000 (19:24 +0100)]
Renamed "crypto_hmac_*" to "crypto_hmac_sha512_*"
There are several types of HMAC, and users may want to use other
versions of HMAC as well. (For instance, they could code their own
Blake2b HMAC to implement Noise). Plus, most primitives are named by
their technical name. "hmac" alone is not enough.
The names are longer, but this is the optional part, after all.
Loup Vaillant [Tue, 3 Dec 2019 07:52:01 +0000 (08:52 +0100)]
Moved SHA 512 work area to local stack
While some users could perhaps benefit from saving 640 bytes of stack
space by allocating the context statically, or in the heap, in practice
it's not the bottleneck. Besides, putting the work area there actually
*increases* stack usage on signatures and signature verification, which
are the most stack hungry parts of Monocypher to begin with.
Loup Vaillant [Mon, 2 Dec 2019 22:49:25 +0000 (23:49 +0100)]
Fixed HMAC SHA-512 (and added tests)
Test vectors were generated with Libsodium, with various key sizes (both
shorter and longer than the message), and every message size from 0 to
256 (twice the SHA 512 block size).
Also added test vectors from RFC 4231, except the one with truncated
output (we don't support truncated outputs, users will have to do that
manually).
Loup Vaillant [Sun, 1 Dec 2019 21:36:00 +0000 (22:36 +0100)]
Added HMAC SHA512
EXPERIMENTAL. MAY BE REMOVED.
Monocypher is supposed to be small. This is why we use Blake2b for both
Argon2 and EdDSA signatures. Some users however need Ed25519 for
compatibility with other tools. This means using SHA 512.
We could hide SHA 512 from the public interface entirely, but this seems
like a waste: it could replace Blake2b to make the library smaller. It
will come at a performance loss, but when you verify signatures on a
small device, the hash is rarely the bottleneck.
The main problem with SHA 512 is length extension attacks. It just
cannot be used as a prefix MAC like Blake2b can. We need HMAC if we
want SHA 512 to entirely displace Blake2b, so the Monocypher binary
stays small.
Users could use Poly1305 and our version of RFC 8439 of course, but if
they're so tight on space, they're likely to get rid of Poly1305 as
well. When we have SHA 512 already, HMAC requires much less code.
This is kind of a special corner case. But it could come in handy.
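Added example (not Monocypher's code) covering both HMAC commits above: the HMAC construction that "Added HMAC SHA512" motivates, checked the way "Fixed HMAC SHA-512 (and added tests)" describes, against RFC 4231 test case 1 and an independent implementation for keys shorter and longer than the block. It assumes Python's hashlib as the SHA-512 and leaves truncation to the caller, as the commit says Monocypher does.

```python
import hashlib
import hmac  # independent reference implementation, used only in self_check()

BLOCK_SIZE = 128  # SHA-512 block size; the commit's "256" is twice this


def hmac_sha512(key: bytes, msg: bytes) -> bytes:
    """HMAC-SHA-512 (RFC 2104): H((K' ^ opad) || H((K' ^ ipad) || msg))."""
    # Keys longer than one block are hashed down first; shorter keys are
    # zero-padded up to the block size. Both paths are the ones the commit
    # says its Libsodium-generated vectors exercise.
    if len(key) > BLOCK_SIZE:
        key = hashlib.sha512(key).digest()
    key = key.ljust(BLOCK_SIZE, b"\x00")
    ipad = bytes(b ^ 0x36 for b in key)
    opad = bytes(b ^ 0x5C for b in key)
    inner = hashlib.sha512(ipad + msg).digest()
    # The keyed outer hash is what a plain prefix MAC H(key || msg) lacks:
    # it keeps the final SHA-512 state secret, so the tag cannot be extended.
    return hashlib.sha512(opad + inner).digest()


def truncated_hmac_sha512(key: bytes, msg: bytes, out_len: int) -> bytes:
    """Truncation is left to the caller, as the commit log says; RFC 2104
    recommends keeping at least half the hash output (32 bytes here)."""
    if not 32 <= out_len <= 64:
        raise ValueError("out_len must be between 32 and 64 bytes")
    return hmac_sha512(key, msg)[:out_len]


# RFC 4231 test case 1 (20-byte key of 0x0b bytes, data "Hi There").
RFC4231_TC1_KEY = b"\x0b" * 20
RFC4231_TC1_DATA = b"Hi There"
RFC4231_TC1_MAC = bytes.fromhex(
    "87aa7cdea5ef619d4ff0b4241a1d6cb02379f4e2ce4ec2787ad0b30545e17cde"
    "daa833b7d6b8a702038b274eaea3f4e4be9d914eeb61f1702e696c203a126854"
)


def self_check() -> bool:
    """Cross-check against RFC 4231, then against Python's hmac module for
    constructed keys shorter and longer than the block, messages 0..256."""
    if hmac_sha512(RFC4231_TC1_KEY, RFC4231_TC1_DATA) != RFC4231_TC1_MAC:
        return False
    for klen in (0, 1, 64, 127, 128, 129, 200):
        key = bytes([klen & 0xFF]) * klen
        for mlen in range(0, 257, 16):
            msg = bytes(range(256))[:mlen]
            ref = hmac.new(key, msg, hashlib.sha512).digest()
            if not hmac.compare_digest(hmac_sha512(key, msg), ref):
                return False
    return True
```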
Loup Vaillant [Sun, 1 Dec 2019 12:57:17 +0000 (13:57 +0100)]
Renamed crypto_hash_vtable into crypto_sign_vtable
The vtable holds hash functions, but it's really a vtable for
crypto_sign_ctx_abstract (and its check typedef). It's more tied to
EdDSA than to the hash itself.
Loup Vaillant [Sun, 1 Dec 2019 11:01:15 +0000 (12:01 +0100)]
Renamed crypto_sign_blake2b_ctx back to crypto_sign_ctx
Also renamed crypto_check_blake2b_ctx back to crypto_check_ctx.
This serves two purposes: avoid breaking the API when users upgrade from
Monocypher 2.x, and keep the idea that Blake2b is the default hash (the
default settings are implied and need not be named).
Note that although old code is not broken, it will still have warnings.
Those are easily silenced by casting to (void*).