Rename 'salt' import alias to 'sodium'

Author: jagerman

contrib/auth-example.py

@@ -1,6 +1,6 @@
 # Example script for demonstrating X-SOGS-* authentication calculation.
 
-import nacl.bindings as salt
+import nacl.bindings as sodium
 from nacl.signing import SigningKey
 from hashlib import blake2b, sha512
 from base64 import b64encode
@@ -29,10 +29,12 @@ def blinded_ed25519_signature(message_parts, s: SigningKey, ka: bytes, kA: bytes
     domain separation for different blinded pubkeys.  (This doesn't affect verification at all).
     """
     H_rh = sha512(s.encode()).digest()[32:]
-    r = salt.crypto_core_ed25519_scalar_reduce(sha512_multipart(H_rh, kA, message_parts))
-    sig_R = salt.crypto_scalarmult_ed25519_base_noclamp(r)
-    HRAM = salt.crypto_core_ed25519_scalar_reduce(sha512_multipart(sig_R, kA, message_parts))
-    sig_s = salt.crypto_core_ed25519_scalar_add(r, salt.crypto_core_ed25519_scalar_mul(HRAM, ka))
+    r = sodium.crypto_core_ed25519_scalar_reduce(sha512_multipart(H_rh, kA, message_parts))
+    sig_R = sodium.crypto_scalarmult_ed25519_base_noclamp(r)
+    HRAM = sodium.crypto_core_ed25519_scalar_reduce(sha512_multipart(sig_R, kA, message_parts))
+    sig_s = sodium.crypto_core_ed25519_scalar_add(
+        r, sodium.crypto_core_ed25519_scalar_mul(HRAM, ka)
+    )
     return sig_R + sig_s
 
 
@@ -52,7 +54,7 @@ def get_signing_headers(
 
     if blinded:
         # 64-byte blake2b hash then reduce to get the blinding factor:
-        k = salt.crypto_core_ed25519_scalar_reduce(blake2b(server_pk, digest_size=64).digest())
+        k = sodium.crypto_core_ed25519_scalar_reduce(blake2b(server_pk, digest_size=64).digest())
 
         # Calculate k*a.  To get 'a' (the Ed25519 private key scalar) we call the sodium function to
         # convert to an *x* secret key, which seems wrong--but isn't because converted keys use the
@@ -61,8 +63,8 @@ def get_signing_headers(
         a = s.to_curve25519_private_key().encode()
 
         # Our blinded keypair:
-        ka = salt.crypto_core_ed25519_scalar_mul(k, a)
-        kA = salt.crypto_scalarmult_ed25519_base_noclamp(ka)
+        ka = sodium.crypto_core_ed25519_scalar_mul(k, a)
+        kA = sodium.crypto_scalarmult_ed25519_base_noclamp(ka)
 
         # Blinded session id:
         pubkey = '15' + kA.hex()

contrib/blinding.py

@@ -1,5 +1,5 @@
 from nacl.signing import SigningKey, VerifyKey
-import nacl.bindings as salt
+import nacl.bindings as sodium
 from nacl.utils import random
 import nacl.hash
 from hashlib import blake2b
@@ -16,24 +16,26 @@
 
     # This seems a bit weird, but: sodium's sk-to-curve uses the same private key scalar (a) for
     # both curves, so getting `a` for the curve25519 implicitly gives us the ed25519 `a` as well.
-    a = salt.crypto_sign_ed25519_sk_to_curve25519(s.encode() + A)
+    a = sodium.crypto_sign_ed25519_sk_to_curve25519(s.encode() + A)
 
     A_xpk = s.to_curve25519_private_key().public_key.encode()  # session id is 05 + this
 
-    assert salt.crypto_scalarmult_ed25519_base_noclamp(a) == A
-    assert salt.crypto_scalarmult_base(a) == A_xpk
-    assert salt.crypto_core_ed25519_is_valid_point(A)
+    assert sodium.crypto_scalarmult_ed25519_base_noclamp(a) == A
+    assert sodium.crypto_scalarmult_base(a) == A_xpk
+    assert sodium.crypto_core_ed25519_is_valid_point(A)
 
     server_pubkey = random(32)
-    k = salt.crypto_core_ed25519_scalar_reduce(nacl.hash.generichash(server_pubkey, digest_size=64))
+    k = sodium.crypto_core_ed25519_scalar_reduce(
+        nacl.hash.generichash(server_pubkey, digest_size=64)
+    )
 
-    ka = salt.crypto_core_ed25519_scalar_mul(k, a)
+    ka = sodium.crypto_core_ed25519_scalar_mul(k, a)
     # kA will be my blinded pubkey visible from my posts, with '15' prepended, and is an *Ed*
     # pubkey, not an X pubkey.
-    kA = salt.crypto_scalarmult_ed25519_noclamp(k, A)
+    kA = sodium.crypto_scalarmult_ed25519_noclamp(k, A)
 
-    assert salt.crypto_scalarmult_ed25519_base_noclamp(ka) == kA
-    assert salt.crypto_core_ed25519_is_valid_point(kA)
+    assert sodium.crypto_scalarmult_ed25519_base_noclamp(ka) == kA
+    assert sodium.crypto_core_ed25519_is_valid_point(kA)
 
     #############################
     # Signing (e.g. for X-SOGS-*) with a blinded keypair ka/kA
@@ -45,13 +47,17 @@
     # which gives us a bog standard Ed25519 that can be verified using the kA pubkey with standard
     # verification code.
     message_to_sign = b'omg happy days'
-    H_rh = salt.crypto_hash_sha512(s.encode())[32:]
-    r = salt.crypto_core_ed25519_scalar_reduce(salt.crypto_hash_sha512(H_rh + kA + message_to_sign))
-    sig_R = salt.crypto_scalarmult_ed25519_base_noclamp(r)
-    HRAM = salt.crypto_core_ed25519_scalar_reduce(
-        salt.crypto_hash_sha512(sig_R + kA + message_to_sign)
+    H_rh = sodium.crypto_hash_sha512(s.encode())[32:]
+    r = sodium.crypto_core_ed25519_scalar_reduce(
+        sodium.crypto_hash_sha512(H_rh + kA + message_to_sign)
+    )
+    sig_R = sodium.crypto_scalarmult_ed25519_base_noclamp(r)
+    HRAM = sodium.crypto_core_ed25519_scalar_reduce(
+        sodium.crypto_hash_sha512(sig_R + kA + message_to_sign)
+    )
+    sig_s = sodium.crypto_core_ed25519_scalar_add(
+        r, sodium.crypto_core_ed25519_scalar_mul(HRAM, ka)
     )
-    sig_s = salt.crypto_core_ed25519_scalar_add(r, salt.crypto_core_ed25519_scalar_mul(HRAM, ka))
     full_sig = sig_R + sig_s
 
     assert VerifyKey(kA).verify(message_to_sign, full_sig)
@@ -62,29 +68,29 @@
     # Our user A above wants to send a SOGS DM to another user B:
     s2 = SigningKey.generate()
     B = s2.verify_key.encode()
-    b = salt.crypto_sign_ed25519_sk_to_curve25519(s2.encode() + B)
+    b = sodium.crypto_sign_ed25519_sk_to_curve25519(s2.encode() + B)
 
     # with blinded keys:
-    kb = salt.crypto_core_ed25519_scalar_mul(k, b)
-    kB = salt.crypto_scalarmult_ed25519_noclamp(k, B)
+    kb = sodium.crypto_core_ed25519_scalar_mul(k, b)
+    kB = sodium.crypto_scalarmult_ed25519_noclamp(k, B)
 
     B_xpk = s2.to_curve25519_private_key().public_key.encode()
 
-    assert salt.crypto_scalarmult_ed25519_base_noclamp(kb) == kB
-    assert salt.crypto_core_ed25519_is_valid_point(kB)
+    assert sodium.crypto_scalarmult_ed25519_base_noclamp(kb) == kB
+    assert sodium.crypto_core_ed25519_is_valid_point(kB)
 
     #############################
     # Finding friends:
 
     # For example (in reality this would come directly from the known session id):
-    friend_xpk = salt.crypto_sign_ed25519_pk_to_curve25519(A)
+    friend_xpk = sodium.crypto_sign_ed25519_pk_to_curve25519(A)
 
     # From the session id (ignoring 05 prefix) we have two possible ed25519 pubkeys; the first is
     # the positive (which is what Signal's XEd25519 conversion always uses):
     pk1 = xed25519.pubkey(friend_xpk)
 
     # Blind it:
-    pk1 = salt.crypto_scalarmult_ed25519_noclamp(k, pk1)
+    pk1 = sodium.crypto_scalarmult_ed25519_noclamp(k, pk1)
 
     # For the negative, what we're going to get out of the above is simply the negative of pk1, so
     # flip the sign bit to get pk2:
@@ -102,7 +108,7 @@
     # around gives the same result as the shortcut:
     pk2_alt = xed25519.pubkey(friend_xpk)
     pk2_alt = pk2_alt[0:31] + bytes([pk2_alt[31] | 0b1000_0000])
-    pk2_alt = salt.crypto_scalarmult_ed25519_noclamp(k, pk2_alt)
+    pk2_alt = sodium.crypto_scalarmult_ed25519_noclamp(k, pk2_alt)
     assert pk2 == pk2_alt
 
     # Now, if this is really my friend, his blinded key will equal one of these blinded keys:
@@ -128,15 +134,15 @@
     # BLAKE2b(b kA || kA || kB)
     #
     enc_key = blake2b(
-        salt.crypto_scalarmult_ed25519_noclamp(a, kB) + kA + kB, digest_size=32
+        sodium.crypto_scalarmult_ed25519_noclamp(a, kB) + kA + kB, digest_size=32
     ).digest()
 
     # Inner data: msg || A   (i.e. the sender's ed25519 master pubkey, *not* kA blinded pubkey)
     plaintext = msg.encode() + A
 
     # Encrypt using xchacha20-poly1305
     nonce = random(24)
-    ciphertext = salt.crypto_aead_xchacha20poly1305_ietf_encrypt(
+    ciphertext = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(
         plaintext, aad=None, nonce=nonce, key=enc_key
     )
 
@@ -151,7 +157,7 @@
 
     # Calculate the shared encryption key (see above)
     dec_key = blake2b(
-        salt.crypto_scalarmult_ed25519_noclamp(b, kA) + kA + kB, digest_size=32
+        sodium.crypto_scalarmult_ed25519_noclamp(b, kA) + kA + kB, digest_size=32
     ).digest()
 
     assert enc_key == dec_key
@@ -162,19 +168,21 @@
     assert v == 0x00  # Make sure our encryption version is okay
 
     # Decrypt
-    plaintext = salt.crypto_aead_xchacha20poly1305_ietf_decrypt(ct, aad=None, nonce=nc, key=dec_key)
+    plaintext = sodium.crypto_aead_xchacha20poly1305_ietf_decrypt(
+        ct, aad=None, nonce=nc, key=dec_key
+    )
 
     assert len(plaintext) > 32
 
     # Split up: the last 32 bytes are the sender's *unblinded* ed25519 key
     message, sender_edpk = plaintext[:-32], plaintext[-32:]
 
     # Verify that the inner sender_edpk (A) yields the same outer kA we got with the message
-    assert kA == salt.crypto_scalarmult_ed25519_noclamp(k, sender_edpk)
+    assert kA == sodium.crypto_scalarmult_ed25519_noclamp(k, sender_edpk)
 
     message = message.decode()  # utf-8 bytes back to str
 
-    sender_session_id = '05' + salt.crypto_sign_ed25519_pk_to_curve25519(sender_edpk).hex()
+    sender_session_id = '05' + sodium.crypto_sign_ed25519_pk_to_curve25519(sender_edpk).hex()
 
     assert message == msg
     assert sender_edpk == A

sogs/routes/auth.py

@@ -9,7 +9,7 @@
 import nacl
 from nacl.signing import VerifyKey
 import nacl.exceptions
-import nacl.bindings as salt
+import nacl.bindings as sodium
 import sqlalchemy.exc
 from functools import wraps
 
@@ -238,7 +238,7 @@ def handle_http_auth():
     blinded_pk = pk[0] == 0x15
     pk = pk[1:]
 
-    if not salt.crypto_core_ed25519_is_valid_point(pk):
+    if not sodium.crypto_core_ed25519_is_valid_point(pk):
         abort_with_reason(
             http.BAD_REQUEST,
             "Invalid authentication: given X-SOGS-Pubkey is not a valid Ed25519 pubkey",

tests/auth.py

@@ -3,7 +3,7 @@
 from typing import Optional
 import time
 from sogs.hashing import blake2b, sha512
-import nacl.bindings as salt
+import nacl.bindings as sodium
 from nacl.utils import random
 
 import sogs.utils
@@ -37,11 +37,11 @@ def x_sogs_raw(
 
     if blinded:
         a = s.to_curve25519_private_key().encode()
-        k = salt.crypto_core_ed25519_scalar_reduce(
+        k = sodium.crypto_core_ed25519_scalar_reduce(
             blake2b(sogs.crypto.server_pubkey_bytes, digest_size=64)
         )
-        ka = salt.crypto_core_ed25519_scalar_mul(k, a)
-        kA = salt.crypto_scalarmult_ed25519_base_noclamp(ka)
+        ka = sodium.crypto_core_ed25519_scalar_mul(k, a)
+        kA = sodium.crypto_scalarmult_ed25519_base_noclamp(ka)
         pubkey = '15' + kA.hex()
     else:
         pubkey = '00' + s.verify_key.encode().hex()
@@ -52,11 +52,11 @@ def x_sogs_raw(
 
     if blinded:
         H_rh = sha512(s.encode())[32:]
-        r = salt.crypto_core_ed25519_scalar_reduce(sha512([H_rh, kA, *to_sign]))
-        sig_R = salt.crypto_scalarmult_ed25519_base_noclamp(r)
-        HRAM = salt.crypto_core_ed25519_scalar_reduce(sha512([sig_R, kA, *to_sign]))
-        sig_s = salt.crypto_core_ed25519_scalar_add(
-            r, salt.crypto_core_ed25519_scalar_mul(HRAM, ka)
+        r = sodium.crypto_core_ed25519_scalar_reduce(sha512([H_rh, kA, *to_sign]))
+        sig_R = sodium.crypto_scalarmult_ed25519_base_noclamp(r)
+        HRAM = sodium.crypto_core_ed25519_scalar_reduce(sha512([sig_R, kA, *to_sign]))
+        sig_s = sodium.crypto_core_ed25519_scalar_add(
+            r, sodium.crypto_core_ed25519_scalar_mul(HRAM, ka)
         )
         sig = sig_R + sig_s
 

tests/test_auth.py

@@ -6,7 +6,7 @@
 
 import json
 from nacl.signing import SigningKey
-import nacl.bindings as salt
+import nacl.bindings as sodium
 
 
 @app.get("/auth_test/whoami")
@@ -507,15 +507,15 @@ def test_small_subgroups(client, db):
 
     assert A == a.verify_key.encode()
 
-    if hasattr(salt, 'crypto_core_ed25519_is_valid_point'):
-        assert salt.crypto_core_ed25519_is_valid_point(A)
+    if hasattr(sodium, 'crypto_core_ed25519_is_valid_point'):
+        assert sodium.crypto_core_ed25519_is_valid_point(A)
 
-    Abad = salt.crypto_core_ed25519_add(
+    Abad = sodium.crypto_core_ed25519_add(
         A, bytes.fromhex('0000000000000000000000000000000000000000000000000000000000000000')
     )
 
-    if hasattr(salt, 'crypto_core_ed25519_is_valid_point'):
-        assert not salt.crypto_core_ed25519_is_valid_point(Abad)
+    if hasattr(sodium, 'crypto_core_ed25519_is_valid_point'):
+        assert not sodium.crypto_core_ed25519_is_valid_point(Abad)
 
     headers['X-SOGS-Pubkey'] = '00' + Abad.hex()
 
@@ -528,12 +528,12 @@ def test_small_subgroups(client, db):
     assert headers['X-SOGS-Pubkey'].startswith('15')
     A = bytes.fromhex(headers['X-SOGS-Pubkey'][2:])
 
-    Abad = salt.crypto_core_ed25519_add(
+    Abad = sodium.crypto_core_ed25519_add(
         A, bytes.fromhex('c7176a703d4dd84fba3c0b760d10670f2a2053fa2c39ccc64ec7fd7792ac037a')
     )
 
-    if hasattr(salt, 'crypto_core_ed25519_is_valid_point'):
-        assert not salt.crypto_core_ed25519_is_valid_point(Abad)
+    if hasattr(sodium, 'crypto_core_ed25519_is_valid_point'):
+        assert not sodium.crypto_core_ed25519_is_valid_point(Abad)
 
     headers['X-SOGS-Pubkey'] = '15' + Abad.hex()
     r = client.get("/auth_test/whoami", headers=headers)

tests/test_dm.py

@@ -3,7 +3,7 @@
 from sogs.hashing import blake2b
 from sogs.utils import encode_base64
 from sogs.model.user import SystemUser
-import nacl.bindings as salt
+import nacl.bindings as sodium
 from nacl.utils import random
 from util import from_now
 
@@ -25,12 +25,12 @@ def make_post(message, sender, to):
     a = sender.ed_key.to_curve25519_private_key().encode()
     kA = bytes.fromhex(sender.session_id[2:])
     kB = bytes.fromhex(to.session_id[2:])
-    key = blake2b(salt.crypto_scalarmult_ed25519_noclamp(a, kB) + kA + kB, digest_size=32)
+    key = blake2b(sodium.crypto_scalarmult_ed25519_noclamp(a, kB) + kA + kB, digest_size=32)
 
     # MESSAGE || UNBLINDED_ED_PUBKEY
     plaintext = message + sender.ed_key.verify_key.encode()
     nonce = random(24)
-    ciphertext = salt.crypto_aead_xchacha20poly1305_ietf_encrypt(
+    ciphertext = sodium.crypto_aead_xchacha20poly1305_ietf_encrypt(
         plaintext, aad=None, nonce=nonce, key=key
     )
     data = b'\x00' + ciphertext + nonce

tests/user.py

@@ -1,6 +1,6 @@
 import sogs.model.user
 from nacl.signing import SigningKey
-import nacl.bindings as salt
+import nacl.bindings as sodium
 from sogs.hashing import blake2b
 import sogs.crypto
 
@@ -11,11 +11,11 @@ def __init__(self, blinded=False):
 
         if blinded:
             a = self.ed_key.to_curve25519_private_key().encode()
-            k = salt.crypto_core_ed25519_scalar_reduce(
+            k = sodium.crypto_core_ed25519_scalar_reduce(
                 blake2b(sogs.crypto.server_pubkey_bytes, digest_size=64)
             )
-            ka = salt.crypto_core_ed25519_scalar_mul(k, a)
-            kA = salt.crypto_scalarmult_ed25519_base_noclamp(ka)
+            ka = sodium.crypto_core_ed25519_scalar_mul(k, a)
+            kA = sodium.crypto_scalarmult_ed25519_base_noclamp(ka)
             session_id = '15' + kA.hex()
         else:
             session_id = '05' + self.ed_key.to_curve25519_private_key().public_key.encode().hex()