The values d and e will only use 128bits, so speed up the scalar multiplication
by using the new reduced-bitlength scalar multiplication functions.
This change requires the current development version of libuecc.
This message will be printed for every packet in severe reordering situtations,
so better not print it by default.
In the future, we'll need a rate limiting mechanism...
* Update CMake files to work with android-cmake
* Use unix domain socket for communicating with Android GUI
* May also run standalone but requires rooted Android device
Unfortunately, Doxygen stopped interpreting the .c.in files as C source files
a while ago. Move the comments to the header files to avoid the Doxygen
warnings.
Skipping this check will significantly speed up startup with many peers. As we
now do embedded group order verification, an attacker can't gain anything from
small-subgroup attacks, so skipping the check isn't a security issue.
Using the embedded group element verification allows us to get away without
explicit verification, thus needing one scalar multiplication less. This reduces
the number of expensive operations needed for a handshake to three: one Galois
field square root (for key unpacking) and two scalar multiplications.
For this optimization to be secure, private keys must be divisible by 8. This is
the case for all keys generated with all but extremely old versions of fastd
(pre-0.4). If fastd finds that its secret is not divisible by 8, it will refuse
to start now.
Because of strange dicisions in the past, fastd currently uses little endian
type and length values in its handshake. As the common network byte order is
big endian, changing the handshake format would be preferable.
This commit adds support for a new big-endian handshake. For now, fastd will
continue to send little-endian handshakes so ensure backwarts compatiblity, but
if it receives a big-endian handshake, it will respond with a big-endian one.
Until now, it wasn't checked if a public key was the identity element. I don't
think this mistake allows any actual attacks against the handshake though.
