Diffstat (limited to 'libs/libsodium')
27 files changed, 498 insertions, 165 deletions
diff --git a/libs/libsodium/docs/ChangeLog b/libs/libsodium/docs/ChangeLog index 2c6f7f1777..2504a9b64a 100644 --- a/libs/libsodium/docs/ChangeLog +++ b/libs/libsodium/docs/ChangeLog @@ -1,4 +1,19 @@ +* Version 1.0.17 + - Bug fix: `sodium_pad()` didn't properly support block sizes >= 256 bytes. + - JS/WebAssembly: some old iOS versions can't instantiate the WebAssembly +module; fall back to Javascript on these. + - JS/WebAssembly: compatibility with newer Emscripten versions. + - Bug fix: `crypto_pwhash_scryptsalsa208sha256_str_verify()` and +`crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()` didn't return +`EINVAL` on input strings with a short length, unlike their high-level +counterpart. + - Added a workaround for Visual Studio 2010 bug causing CPU features +not to be detected. + - The library now enables compilation with retpoline by default. + - Portability improvements. + - Test vectors from Project Wycheproof have been added. + * Version 1.0.16 - Signatures computations and verifications are now way faster on 64-bit platforms with compilers supporting 128-bit arithmetic (gcc, diff --git a/libs/libsodium/docs/THANKS b/libs/libsodium/docs/THANKS new file mode 100644 index 0000000000..0d0da788f3 --- /dev/null +++ b/libs/libsodium/docs/THANKS 
@@ -0,0 +1,91 @@ +Special thanks to people, companies and organizations having written +libsodium bindings for their favorite programming languages: + +@alethia7 +@artemisc +@carblue +@dnaq +@ektrah +@graxrabble +@harleqin +@joshjdevl +@jrmarino +@jshahbazi +@lvh +@neheb + +Adam Caudill (@adamcaudill) +Alexander Morris (@alexpmorris) +Amit Murthy (@amitmurthy) +Andrew Bennett (@potatosalad) +Andrew Lambert (@charonn0) +Bruce Mitchener (@waywardmonkeys) +Bruno Oliveira (@abstractj) +Caolan McMahon (@caolan) +Chris Rebert (@cvrebert) +Christian Hermann (@bitbeans) +Christian Wiese (@morfoh) +Christian Wiese (@morfoh) +Colm MacCárthaigh (@colmmacc) +David Parrish (@dmp1ce) +Donald Stufft (@dstufft) +Douglas Campos (@qmx) +Drew Crawford (@drewcrawford) +Emil Bay (@emilbayes) +Eric Dong (@quantum1423) +Eric Voskuil (@evoskuil) +Farid Hajji (@fhajji) +Frank Siebenlist (@franks42) +Gabriel Handford (@gabriel) +Geo Carncross (@geocar) +Henrik Gassmann (BurningEnlightenment) +Jachym Holecek (@freza) +Jack Wink (@jackwink) +James Ruan (@jamesruan) +Jan de Muijnck-Hughes (@jfdm) +Jason McCampbell (@jasonmccampbell) +Jeroen Habraken (@VeXocide) +Jeroen Ooms (@jeroen) +Jesper Louis Andersen (@jlouis) +Joe Eli McIlvain (@jemc) +Jonathan Stowe (@jonathanstowe) +Joseph Abrahamson (@tel) +Julien Kauffmann (@ereOn) +Kenneth Ballenegger (@kballenegger) +Loic Maury (@loicmaury) +Michael Gorlick (@mgorlick) +Michael Gregorowicz (@mgregoro) +Michał Zieliński (@zielmicha) +Omar Ayub (@electricFeel) +Pedro Paixao (@paixaop) +Project ArteMisc (@artemisc) +Rich FitzJohn (@richfitz) +Ruben De Visscher (@rubendv) +Rudolf Von Krugstein (@rudolfvonkrugstein) +Samuel Neves (@sneves) +Scott Arciszewski (@paragonie-scott) +Stanislav Ovsiannikov (@naphaso) +Stefan Marsiske (@stef) +Stephan Touset (@stouset) +Stephen Chavez (@redragonx) +Steve Gibson (@sggrc) +Tony Arcieri (@bascule) +Tony Garnock-Jones (@tonyg) +Y. T. 
Chung (@zonyitoo) + +Bytecurry Software +Cryptotronix +Facebook +FSF France +MaidSafe +Paragonie Initiative Enterprises +Python Cryptographic Authority + +(this list may not be complete, if you don't see your name, please +submit a pull request!) + +Also thanks to: + +- Coverity, Inc. to provide static analysis. +- FSF France for providing access to their compilation servers. +- Private Internet Access for having sponsored a complete security audit. diff --git a/libs/libsodium/src/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c b/libs/libsodium/src/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c index c79407a185..c354087975 100644 --- a/libs/libsodium/src/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c +++ b/libs/libsodium/src/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c @@ -12,6 +12,7 @@ #include "randombytes.h" #include "utils.h" +#include "private/chacha20_ietf_ext.h" #include "private/common.h" static const unsigned char _pad0[16] = { 0 }; diff --git a/libs/libsodium/src/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c b/libs/libsodium/src/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c index 04971a82a7..07e3655731 100644 --- a/libs/libsodium/src/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c +++ b/libs/libsodium/src/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c 
@@ -5,14 +5,118 @@ #include <string.h> #include "core.h" -#include "crypto_aead_xchacha20poly1305.h" #include "crypto_aead_chacha20poly1305.h" +#include "crypto_aead_xchacha20poly1305.h" #include "crypto_core_hchacha20.h" +#include "crypto_onetimeauth_poly1305.h" +#include "crypto_stream_chacha20.h" +#include "crypto_verify_16.h" #include "randombytes.h" #include "utils.h" +#include "private/chacha20_ietf_ext.h" #include "private/common.h" +static const unsigned char _pad0[16] = { 0 }; + +static int +_encrypt_detached(unsigned char *c, + unsigned char *mac, + unsigned long long *maclen_p, + const unsigned char *m, + unsigned long long mlen, + const unsigned char *ad, + unsigned long long adlen, + const unsigned char *nsec, + const unsigned char *npub, + const unsigned char *k) +{ + crypto_onetimeauth_poly1305_state state; + unsigned char block0[64U]; + unsigned char slen[8U]; + + (void) nsec; + crypto_stream_chacha20_ietf_ext(block0, sizeof block0, npub, k); + crypto_onetimeauth_poly1305_init(&state, block0); + sodium_memzero(block0, sizeof block0); + + crypto_onetimeauth_poly1305_update(&state, ad, adlen); + crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - adlen) & 0xf); + + crypto_stream_chacha20_ietf_ext_xor_ic(c, m, mlen, npub, 1U, k); + + crypto_onetimeauth_poly1305_update(&state, c, mlen); + crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - mlen) & 0xf); + + STORE64_LE(slen, (uint64_t) adlen); + crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen); + + STORE64_LE(slen, (uint64_t) mlen); + crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen); + + crypto_onetimeauth_poly1305_final(&state, mac); + sodium_memzero(&state, sizeof state); + + if (maclen_p != NULL) { + *maclen_p = crypto_aead_chacha20poly1305_ietf_ABYTES; + } + return 0; +} + +static int +_decrypt_detached(unsigned char *m, + unsigned char *nsec, + const unsigned char *c, + unsigned long long clen, + const unsigned char *mac, + const unsigned char *ad, + unsigned 
long long adlen, + const unsigned char *npub, + const unsigned char *k) +{ + crypto_onetimeauth_poly1305_state state; + unsigned char block0[64U]; + unsigned char slen[8U]; + unsigned char computed_mac[crypto_aead_chacha20poly1305_ietf_ABYTES]; + unsigned long long mlen; + int ret; + + (void) nsec; + crypto_stream_chacha20_ietf_ext(block0, sizeof block0, npub, k); + crypto_onetimeauth_poly1305_init(&state, block0); + sodium_memzero(block0, sizeof block0); + + crypto_onetimeauth_poly1305_update(&state, ad, adlen); + crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - adlen) & 0xf); + + mlen = clen; + crypto_onetimeauth_poly1305_update(&state, c, mlen); + crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - mlen) & 0xf); + + STORE64_LE(slen, (uint64_t) adlen); + crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen); + + STORE64_LE(slen, (uint64_t) mlen); + crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen); + + crypto_onetimeauth_poly1305_final(&state, computed_mac); + sodium_memzero(&state, sizeof state); + + COMPILER_ASSERT(sizeof computed_mac == 16U); + ret = crypto_verify_16(computed_mac, mac); + sodium_memzero(computed_mac, sizeof computed_mac); + if (m == NULL) { + return ret; + } + if (ret != 0) { + memset(m, 0, mlen); + return -1; + } + crypto_stream_chacha20_ietf_ext_xor_ic(m, c, mlen, npub, 1U, k); + + return 0; +} + int crypto_aead_xchacha20poly1305_ietf_encrypt_detached(unsigned char *c, unsigned char *mac, @@ -32,8 +136,8 @@ crypto_aead_xchacha20poly1305_ietf_encrypt_detached(unsigned char *c, crypto_core_hchacha20(k2, npub, k, NULL); memcpy(npub2 + 4, npub + crypto_core_hchacha20_INPUTBYTES, crypto_aead_chacha20poly1305_ietf_NPUBBYTES - 4); - ret = crypto_aead_chacha20poly1305_ietf_encrypt_detached - (c, mac, maclen_p, m, mlen, ad, adlen, nsec, npub2, k2); + ret = _encrypt_detached(c, mac, maclen_p, m, mlen, ad, adlen, + nsec, npub2, k2); sodium_memzero(k2, crypto_core_hchacha20_OUTPUTBYTES); return ret; 
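Review bot: `_encrypt_detached` and `_decrypt_detached` carry no comment explaining why they re-implement the ChaCha20-Poly1305 IETF construction instead of the public `crypto_aead_chacha20poly1305_ietf_*_detached` calls they replace at +136 and +189; the only visible difference is that they drive `crypto_stream_chacha20_ietf_ext*`, which the new private header in this commit describes as letting the counter overflow into the IV. Judging from the `memcpy(npub2 + 4, ...)` in the next hunk, the derived IETF nonce's first four bytes are filled outside this hunk and are not caller-controlled, so the ext stream presumably gives XChaCha20 an effective 64-bit block counter instead of the IETF 2^32-block limit — that is the invariant a maintainer needs, and it belongs above `_encrypt_detached`, e.g. `/* IETF construction on the ietf_ext stream: the derived nonce's leading bytes are fixed, so the counter may carry into them (no 2^32-block limit). */`. Neither helper bounds `mlen`/`clen` itself; if the public wrappers outside this hunk do not either, the only remaining guard is the `crypto_stream_chacha20_MESSAGEBYTES_MAX` check in stream_chacha20.c, which a `COMPILER_ASSERT` relating it to `crypto_aead_xchacha20poly1305_ietf_MESSAGEBYTES_MAX` would make explicit. Tag verification through `crypto_verify_16` before any decryption and the `memset(m, 0, mlen)` on mismatch look right.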
@@ -85,12 +189,10 @@ crypto_aead_xchacha20poly1305_ietf_decrypt_detached(unsigned char *m, crypto_core_hchacha20(k2, npub, k, NULL); memcpy(npub2 + 4, npub + crypto_core_hchacha20_INPUTBYTES, crypto_aead_chacha20poly1305_ietf_NPUBBYTES - 4); - ret = crypto_aead_chacha20poly1305_ietf_decrypt_detached - (m, nsec, c, clen, mac, ad, adlen, npub2, k2); + ret = _decrypt_detached(m, nsec, c, clen, mac, ad, adlen, npub2, k2); sodium_memzero(k2, crypto_core_hchacha20_OUTPUTBYTES); return ret; - } int @@ -105,7 +207,7 @@ crypto_aead_xchacha20poly1305_ietf_decrypt(unsigned char *m, const unsigned char *k) { unsigned long long mlen = 0ULL; - int ret = -1; + int ret = -1; if (clen >= crypto_aead_xchacha20poly1305_ietf_ABYTES) { ret = crypto_aead_xchacha20poly1305_ietf_decrypt_detached diff --git a/libs/libsodium/src/crypto_pwhash/argon2/argon2-core.c b/libs/libsodium/src/crypto_pwhash/argon2/argon2-core.c index b52b04d36d..530778e4ae 100644 --- a/libs/libsodium/src/crypto_pwhash/argon2/argon2-core.c +++ b/libs/libsodium/src/crypto_pwhash/argon2/argon2-core.c @@ -67,7 +67,7 @@ store_block(void *output, const block *src) * @param m_cost number of blocks to allocate in the memory * @return ARGON2_OK if @memory is a valid pointer and memory is allocated */ -static int allocate_memory(block_region **memory, uint32_t m_cost); +static int allocate_memory(block_region **region, uint32_t m_cost); static int allocate_memory(block_region **region, uint32_t m_cost) @@ -153,7 +153,7 @@ clear_memory(argon2_instance_t *instance, int clear) /* Deallocates memory * @param memory pointer to the blocks */ -static void free_memory(block_region *memory); +static void free_memory(block_region *region); static void free_memory(block_region *region) diff --git a/libs/libsodium/src/crypto_pwhash/crypto_pwhash.c b/libs/libsodium/src/crypto_pwhash/crypto_pwhash.c index 8168f96216..a229b9f798 100644 --- a/libs/libsodium/src/crypto_pwhash/crypto_pwhash.c 
+++ b/libs/libsodium/src/crypto_pwhash/crypto_pwhash.c @@ -168,6 +168,7 @@ crypto_pwhash_str_alg(char out[crypto_pwhash_STRBYTES], } sodium_misuse(); /* NOTREACHED */ + return -1; } int diff --git a/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c b/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c index 9e31352dc2..402885907d 100644 --- a/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c +++ b/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c @@ -163,8 +163,9 @@ salsa20_8(uint32_t B[16]) x[15] ^= R(x[14] + x[13], 18); #undef R } - for (i = 0; i < 16; i++) + for (i = 0; i < 16; i++) { B[i] += x[i]; + } } /** diff --git a/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c b/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c index d1afd91afe..b77588fa5e 100644 --- a/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c +++ b/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c @@ -52,6 +52,17 @@ pickparams(unsigned long long opslimit, const size_t memlimit, return 0; } +static size_t +sodium_strnlen(const char *str, size_t maxlen) +{ + size_t i = 0U; + + while (i < maxlen && str[i] != 0) { + i++; + } + return i; +} + size_t crypto_pwhash_scryptsalsa208sha256_bytes_min(void) { @@ -234,8 +245,8 @@ crypto_pwhash_scryptsalsa208sha256_str_verify( escrypt_local_t escrypt_local; int ret = -1; - if (memchr(str, 0, crypto_pwhash_scryptsalsa208sha256_STRBYTES) != - &str[crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1U]) { + if (sodium_strnlen(str, crypto_pwhash_scryptsalsa208sha256_STRBYTES) != + crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1U) { return -1; } if (escrypt_init_local(&escrypt_local) != 0) { 
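Review bot: `sodium_strnlen` has no comment saying why a private strnlen is introduced instead of the libc one; presumably portability, since `strnlen` is POSIX / C11 Annex K rather than base C, and that reason should be stated. A one-liner above the definition, `/* Portable strnlen(): length up to maxlen, never reads beyond the first NUL or maxlen bytes */`, would also record the property the two callers changed in this commit rely on — the `memchr(str, 0, crypto_pwhash_scryptsalsa208sha256_STRBYTES)` they replace declared the full `STRBYTES` range readable even when the caller passed a shorter NUL-terminated string.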
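Review bot: In `crypto_pwhash_scryptsalsa208sha256_str_verify` the rewritten length check still returns -1 without touching `errno`, whereas the identical check in `crypto_pwhash_scryptsalsa208sha256_str_needs_rehash` (next hunk) sets `errno = EINVAL` first, and this commit's ChangeLog entry says both functions now return `EINVAL` for short input strings. Either add `errno = EINVAL;` before the `return -1;` or narrow the ChangeLog wording to `_str_needs_rehash`; a caller that distinguishes "malformed string" from "wrong password" by `errno` cannot do so here. `str_verify`'s body continues outside the hunk, so a later path that sets `errno` may exist, but the early return shown does not.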
@@ -268,8 +279,8 @@ crypto_pwhash_scryptsalsa208sha256_str_needs_rehash( errno = EINVAL; return -1; } - if (memchr(str, 0, crypto_pwhash_scryptsalsa208sha256_STRBYTES) != - &str[crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1U]) { + if (sodium_strnlen(str, crypto_pwhash_scryptsalsa208sha256_STRBYTES) != + crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1U) { errno = EINVAL; return -1; } diff --git a/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c b/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c index 139a7df286..cbd68aa1b8 100644 --- a/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c +++ b/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c @@ -55,9 +55,9 @@ alloc_region(escrypt_region_t *region, size_t size) aligned = base; #else base = aligned = NULL; - if (size + 63 < size) + if (size + 63 < size) { errno = ENOMEM; - else if ((base = (uint8_t *) malloc(size + 63)) != NULL) { + } else if ((base = (uint8_t *) malloc(size + 63)) != NULL) { aligned = base + 63; aligned -= (uintptr_t) aligned & 63; } diff --git a/libs/libsodium/src/crypto_scalarmult/curve25519/ref10/x25519_ref10.c b/libs/libsodium/src/crypto_scalarmult/curve25519/ref10/x25519_ref10.c index 7b93a7247b..4272ae24c0 100644 --- a/libs/libsodium/src/crypto_scalarmult/curve25519/ref10/x25519_ref10.c +++ b/libs/libsodium/src/crypto_scalarmult/curve25519/ref10/x25519_ref10.c 
@@ -18,29 +18,50 @@ has_small_order(const unsigned char s[32]) { CRYPTO_ALIGN(16) static const unsigned char blacklist[][32] = { - { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, - { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, - { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 }, - { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 }, - { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, - { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, - { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, - { 0xcd, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x80 }, - { 0x4c, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0xd7 }, - { 0xd9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 
0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, - { 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }, - { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff } + /* 0 (order 4) */ + { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, + /* 1 (order 1) */ + { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }, + /* 325606250916557431795983626356110631294008115727848805560023387167927233504 + (order 8) */ + { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, + 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, + 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 }, + /* 39382357235489614581723060781553021112529911719440698176882885853963445705823 + (order 8) */ + { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1, + 0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, + 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 }, + /* p-1 (order 2) */ + { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, + /* p (=0, order 4) */ + { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }, + 
/* p+1 (=1, order 1) */ + { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, + 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f } }; - unsigned char c[12] = { 0 }; + unsigned char c[7] = { 0 }; unsigned int k; size_t i, j; - COMPILER_ASSERT(12 == sizeof blacklist / sizeof blacklist[0]); - for (j = 0; j < 32; j++) { + COMPILER_ASSERT(7 == sizeof blacklist / sizeof blacklist[0]); + for (j = 0; j < 31; j++) { for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) { c[i] |= s[j] ^ blacklist[i][j]; } } + for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) { + c[i] |= (s[j] & 0x7f) ^ blacklist[i][j]; + } k = 0; for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) { k |= (c[i] - 1); diff --git a/libs/libsodium/src/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c b/libs/libsodium/src/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c index ef000d16c7..2754a91c92 100644 --- a/libs/libsodium/src/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c +++ b/libs/libsodium/src/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c @@ -123,6 +123,8 @@ crypto_secretstream_xchacha20poly1305_push if (outlen_p != NULL) { *outlen_p = 0U; } + COMPILER_ASSERT(crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX + <= crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX); if (mlen > crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX) { sodium_misuse(); } diff --git a/libs/libsodium/src/crypto_sign/ed25519/ref10/keypair.c b/libs/libsodium/src/crypto_sign/ed25519/ref10/keypair.c index 8bf3cec8fd..4b9bf0dc8c 100644 --- a/libs/libsodium/src/crypto_sign/ed25519/ref10/keypair.c +++ b/libs/libsodium/src/crypto_sign/ed25519/ref10/keypair.c 
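Review bot: The new final-byte step `c[i] |= (s[j] & 0x7f) ^ blacklist[i][j];` depends on `j` being 31 when the preceding `for (j = 0; j < 31; j++)` falls through; writing `s[31]` and `blacklist[i][31]` states the intent without tracing loop state. Nothing in the hunk says why bit 255 is masked and why the five `+p` / `2p±1` entries are dropped; as far as I can tell this mirrors X25519 decoding (RFC 7748), which clears the top bit of the u-coordinate, so only canonical encodings below 2^255 need to be listed and a non-canonical encoding with bit 255 set now compares equal after masking. Suggested comment above the loop: `/* X25519 decoding ignores bit 255 of u, so compare the last byte with that bit masked; the table holds the canonical encodings only. */`. The constant-time shape (OR-accumulate, then `k |= c[i] - 1`) is preserved; `has_small_order` starts and ends outside the hunk.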
@@ -61,9 +61,9 @@ crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk, } fe25519_1(one_minus_y); fe25519_sub(one_minus_y, one_minus_y, A.Y); - fe25519_invert(one_minus_y, one_minus_y); fe25519_1(x); fe25519_add(x, x, A.Y); + fe25519_invert(one_minus_y, one_minus_y); fe25519_mul(x, x, one_minus_y); fe25519_tobytes(curve25519_pk, x); diff --git a/libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c b/libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c index 6149af3942..f63e055265 100644 --- a/libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c +++ b/libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c @@ -77,9 +77,6 @@ chacha20_encrypt_bytes(chacha_ctx *ctx, const uint8_t *m, uint8_t *c, if (!bytes) { return; /* LCOV_EXCL_LINE */ } - if (bytes > crypto_stream_chacha20_MESSAGEBYTES_MAX) { - sodium_misuse(); - } # include "u8.h" # include "u4.h" # include "u1.h" @@ -106,8 +103,8 @@ stream_ref(unsigned char *c, unsigned long long clen, const unsigned char *n, } static int -stream_ietf_ref(unsigned char *c, unsigned long long clen, - const unsigned char *n, const unsigned char *k) +stream_ietf_ext_ref(unsigned char *c, unsigned long long clen, + const unsigned char *n, const unsigned char *k) { struct chacha_ctx ctx; @@ -150,9 +147,9 @@ stream_ref_xor_ic(unsigned char *c, const unsigned char *m, } static int -stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m, - unsigned long long mlen, const unsigned char *n, - uint32_t ic, const unsigned char *k) +stream_ietf_ext_ref_xor_ic(unsigned char *c, const unsigned char *m, + unsigned long long mlen, const unsigned char *n, + uint32_t ic, const unsigned char *k) { struct chacha_ctx ctx; uint8_t ic_bytes[4]; 
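Review bot: Dropping the `bytes > crypto_stream_chacha20_MESSAGEBYTES_MAX` guard from `chacha20_encrypt_bytes` makes this routine trust its callers for the length bound; the bound is re-established by the public `crypto_stream_chacha20_*` wrappers in stream_chacha20.c in this same commit, but nothing left in this file records that. Where the check was, add `/* length is bounded by the crypto_stream_chacha20_* wrappers in stream_chacha20.c; no other caller may reach this */`, and the same in the ssse3 and ref copies (next two files), which remove identical lines. The `if (!bytes) return;` just above is untouched, so zero-length input is still handled here. The function body continues past the hunk.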
@@ -172,9 +169,9 @@ stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m, struct crypto_stream_chacha20_implementation crypto_stream_chacha20_dolbeau_avx2_implementation = { SODIUM_C99(.stream =) stream_ref, - SODIUM_C99(.stream_ietf =) stream_ietf_ref, + SODIUM_C99(.stream_ietf_ext =) stream_ietf_ext_ref, SODIUM_C99(.stream_xor_ic =) stream_ref_xor_ic, - SODIUM_C99(.stream_ietf_xor_ic =) stream_ietf_ref_xor_ic + SODIUM_C99(.stream_ietf_ext_xor_ic =) stream_ietf_ext_ref_xor_ic }; #endif diff --git a/libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c b/libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c index b7b9aa4ad3..6f5d3851c3 100644 --- a/libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c +++ b/libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c @@ -72,9 +72,6 @@ chacha20_encrypt_bytes(chacha_ctx *ctx, const uint8_t *m, uint8_t *c, if (!bytes) { return; /* LCOV_EXCL_LINE */ } - if (bytes > crypto_stream_chacha20_MESSAGEBYTES_MAX) { - sodium_misuse(); - } # include "u4.h" # include "u1.h" # include "u0.h" @@ -100,8 +97,8 @@ stream_ref(unsigned char *c, unsigned long long clen, const unsigned char *n, } static int -stream_ietf_ref(unsigned char *c, unsigned long long clen, - const unsigned char *n, const unsigned char *k) +stream_ietf_ext_ref(unsigned char *c, unsigned long long clen, + const unsigned char *n, const unsigned char *k) { struct chacha_ctx ctx; @@ -144,9 +141,9 @@ stream_ref_xor_ic(unsigned char *c, const unsigned char *m, } static int -stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m, - unsigned long long mlen, const unsigned char *n, - uint32_t ic, const unsigned char *k) +stream_ietf_ext_ref_xor_ic(unsigned char *c, const unsigned char *m, + unsigned long long mlen, const unsigned char *n, + uint32_t ic, const unsigned char *k) { struct chacha_ctx ctx; uint8_t ic_bytes[4]; 
@@ -166,9 +163,9 @@ stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m, struct crypto_stream_chacha20_implementation crypto_stream_chacha20_dolbeau_ssse3_implementation = { SODIUM_C99(.stream =) stream_ref, - SODIUM_C99(.stream_ietf =) stream_ietf_ref, + SODIUM_C99(.stream_ietf_ext =) stream_ietf_ext_ref, SODIUM_C99(.stream_xor_ic =) stream_ref_xor_ic, - SODIUM_C99(.stream_ietf_xor_ic =) stream_ietf_ref_xor_ic + SODIUM_C99(.stream_ietf_ext_xor_ic =) stream_ietf_ext_ref_xor_ic }; #endif diff --git a/libs/libsodium/src/crypto_stream/chacha20/ref/chacha20_ref.c b/libs/libsodium/src/crypto_stream/chacha20/ref/chacha20_ref.c index f88a99dbdf..40cccbf8f8 100644 --- a/libs/libsodium/src/crypto_stream/chacha20/ref/chacha20_ref.c +++ b/libs/libsodium/src/crypto_stream/chacha20/ref/chacha20_ref.c @@ -92,9 +92,6 @@ chacha20_encrypt_bytes(chacha_ctx *ctx, const uint8_t *m, uint8_t *c, if (!bytes) { return; /* LCOV_EXCL_LINE */ } - if (bytes > crypto_stream_chacha20_MESSAGEBYTES_MAX) { - sodium_misuse(); - } j0 = ctx->input[0]; j1 = ctx->input[1]; j2 = ctx->input[2]; @@ -243,8 +240,8 @@ stream_ref(unsigned char *c, unsigned long long clen, const unsigned char *n, } static int -stream_ietf_ref(unsigned char *c, unsigned long long clen, - const unsigned char *n, const unsigned char *k) +stream_ietf_ext_ref(unsigned char *c, unsigned long long clen, + const unsigned char *n, const unsigned char *k) { struct chacha_ctx ctx; @@ -287,9 +284,9 @@ stream_ref_xor_ic(unsigned char *c, const unsigned char *m, } static int -stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m, - unsigned long long mlen, const unsigned char *n, - uint32_t ic, const unsigned char *k) +stream_ietf_ext_ref_xor_ic(unsigned char *c, const unsigned char *m, + unsigned long long mlen, const unsigned char *n, + uint32_t ic, const unsigned char *k) { struct chacha_ctx ctx; uint8_t ic_bytes[4]; 
@@ -309,7 +306,7 @@ stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m, struct crypto_stream_chacha20_implementation crypto_stream_chacha20_ref_implementation = { SODIUM_C99(.stream =) stream_ref, - SODIUM_C99(.stream_ietf =) stream_ietf_ref, + SODIUM_C99(.stream_ietf_ext =) stream_ietf_ext_ref, SODIUM_C99(.stream_xor_ic =) stream_ref_xor_ic, - SODIUM_C99(.stream_ietf_xor_ic =) stream_ietf_ref_xor_ic + SODIUM_C99(.stream_ietf_ext_xor_ic =) stream_ietf_ext_ref_xor_ic }; diff --git a/libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.c b/libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.c index 3b0895112c..c98d60907f 100644 --- a/libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.c +++ b/libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.c @@ -1,4 +1,5 @@ #include "crypto_stream_chacha20.h" +#include "core.h" #include "private/common.h" #include "private/implementations.h" #include "randombytes.h" 
@@ -53,48 +54,100 @@ int crypto_stream_chacha20(unsigned char *c, unsigned long long clen, const unsigned char *n, const unsigned char *k) { + if (clen > crypto_stream_chacha20_MESSAGEBYTES_MAX) { + sodium_misuse(); + } return implementation->stream(c, clen, n, k); } int -crypto_stream_chacha20_ietf(unsigned char *c, unsigned long long clen, - const unsigned char *n, const unsigned char *k) -{ - return implementation->stream_ietf(c, clen, n, k); -} - -int crypto_stream_chacha20_xor_ic(unsigned char *c, const unsigned char *m, unsigned long long mlen, const unsigned char *n, uint64_t ic, const unsigned char *k) { + if (mlen > crypto_stream_chacha20_MESSAGEBYTES_MAX) { + sodium_misuse(); + } return implementation->stream_xor_ic(c, m, mlen, n, ic, k); } int -crypto_stream_chacha20_ietf_xor_ic(unsigned char *c, const unsigned char *m, - unsigned long long mlen, - const unsigned char *n, uint32_t ic, - const unsigned char *k) -{ - return implementation->stream_ietf_xor_ic(c, m, mlen, n, ic, k); -} - -int crypto_stream_chacha20_xor(unsigned char *c, const unsigned char *m, unsigned long long mlen, const unsigned char *n, const unsigned char *k) { + if (mlen > crypto_stream_chacha20_MESSAGEBYTES_MAX) { + sodium_misuse(); + } return implementation->stream_xor_ic(c, m, mlen, n, 0U, k); } int +crypto_stream_chacha20_ietf_ext(unsigned char *c, unsigned long long clen, + const unsigned char *n, const unsigned char *k) +{ + if (clen > crypto_stream_chacha20_MESSAGEBYTES_MAX) { + sodium_misuse(); + } + return implementation->stream_ietf_ext(c, clen, n, k); +} + +int +crypto_stream_chacha20_ietf_ext_xor_ic(unsigned char *c, const unsigned char *m, + unsigned long long mlen, + const unsigned char *n, uint32_t ic, + const unsigned char *k) +{ + if (mlen > crypto_stream_chacha20_MESSAGEBYTES_MAX) { + sodium_misuse(); + } + return implementation->stream_ietf_ext_xor_ic(c, m, mlen, n, ic, k); +} + +static int +crypto_stream_chacha20_ietf_ext_xor(unsigned char *c, const unsigned char 
*m, + unsigned long long mlen, const unsigned char *n, + const unsigned char *k) +{ + if (mlen > crypto_stream_chacha20_MESSAGEBYTES_MAX) { + sodium_misuse(); + } + return implementation->stream_ietf_ext_xor_ic(c, m, mlen, n, 0U, k); +} + +int +crypto_stream_chacha20_ietf(unsigned char *c, unsigned long long clen, + const unsigned char *n, const unsigned char *k) +{ + if (clen > crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX) { + sodium_misuse(); + } + return crypto_stream_chacha20_ietf_ext(c, clen, n, k); +} + +int +crypto_stream_chacha20_ietf_xor_ic(unsigned char *c, const unsigned char *m, + unsigned long long mlen, + const unsigned char *n, uint32_t ic, + const unsigned char *k) +{ + if ((unsigned long long) ic > + (64ULL * (1ULL << 32)) / 64ULL - (mlen + 63ULL) / 64ULL) { + sodium_misuse(); + } + return crypto_stream_chacha20_ietf_ext_xor_ic(c, m, mlen, n, ic, k); +} + +int crypto_stream_chacha20_ietf_xor(unsigned char *c, const unsigned char *m, unsigned long long mlen, const unsigned char *n, const unsigned char *k) { - return implementation->stream_ietf_xor_ic(c, m, mlen, n, 0U, k); + if (mlen > crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX) { + sodium_misuse(); + } + return crypto_stream_chacha20_ietf_ext_xor(c, m, mlen, n, k); } void diff --git a/libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.h b/libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.h index d6b71c5e0d..40f782f418 100644 --- a/libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.h +++ b/libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.h 
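Review bot: In the new `crypto_stream_chacha20_ietf_xor_ic`, the guard `(unsigned long long) ic > (64ULL * (1ULL << 32)) / 64ULL - (mlen + 63ULL) / 64ULL` wraps when `(mlen + 63) / 64` exceeds 2^32 (mlen above 2^38 - 63): the unsigned subtraction becomes a huge value, the comparison is false, and the call reaches `crypto_stream_chacha20_ietf_ext_xor_ic`, whose own check is against the original-ChaCha20 `crypto_stream_chacha20_MESSAGEBYTES_MAX` rather than the IETF bound, so the 32-bit IETF counter can carry into the nonce — exactly what the non-ext entry point exists to refuse. The sibling `crypto_stream_chacha20_ietf_xor` rejects `mlen > crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX` first; doing the same here closes the gap and, provided that constant is at most 64 * 2^32, keeps the subtraction from wrapping: `if (mlen > crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX || (unsigned long long) ic > (1ULL << 32) - (mlen + 63ULL) / 64ULL) {`. `(64ULL * (1ULL << 32)) / 64ULL` is simply `1ULL << 32`; the spelled-out form hides the 2^32-block limit it encodes. Separately, the static `crypto_stream_chacha20_ietf_ext_xor` carries the public `crypto_stream_` prefix despite being file-local, which reads confusingly next to the exported functions around it.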
@@ -7,16 +7,16 @@ typedef struct crypto_stream_chacha20_implementation { int (*stream)(unsigned char *c, unsigned long long clen, const unsigned char *n, const unsigned char *k); - int (*stream_ietf)(unsigned char *c, unsigned long long clen, - const unsigned char *n, const unsigned char *k); + int (*stream_ietf_ext)(unsigned char *c, unsigned long long clen, + const unsigned char *n, const unsigned char *k); int (*stream_xor_ic)(unsigned char *c, const unsigned char *m, unsigned long long mlen, const unsigned char *n, uint64_t ic, const unsigned char *k); - int (*stream_ietf_xor_ic)(unsigned char *c, const unsigned char *m, - unsigned long long mlen, - const unsigned char *n, uint32_t ic, - const unsigned char *k); + int (*stream_ietf_ext_xor_ic)(unsigned char *c, const unsigned char *m, + unsigned long long mlen, + const unsigned char *n, uint32_t ic, + const unsigned char *k); } crypto_stream_chacha20_implementation; #endif diff --git a/libs/libsodium/src/include/sodium/crypto_aead_aes256gcm.h b/libs/libsodium/src/include/sodium/crypto_aead_aes256gcm.h index 46a3800f37..5e67aa99c5 100644 --- a/libs/libsodium/src/include/sodium/crypto_aead_aes256gcm.h +++ b/libs/libsodium/src/include/sodium/crypto_aead_aes256gcm.h @@ -52,7 +52,7 @@ size_t crypto_aead_aes256gcm_abytes(void); #define crypto_aead_aes256gcm_MESSAGEBYTES_MAX \ SODIUM_MIN(SODIUM_SIZE_MAX - crypto_aead_aes256gcm_ABYTES, \ - (16ULL * ((1ULL << 32) - 2ULL)) - crypto_aead_aes256gcm_ABYTES) + (16ULL * ((1ULL << 32) - 2ULL))) SODIUM_EXPORT size_t crypto_aead_aes256gcm_messagebytes_max(void); diff --git a/libs/libsodium/src/include/sodium/crypto_aead_chacha20poly1305.h b/libs/libsodium/src/include/sodium/crypto_aead_chacha20poly1305.h index a575ec7173..8ab31243ff 100644 --- a/libs/libsodium/src/include/sodium/crypto_aead_chacha20poly1305.h +++ b/libs/libsodium/src/include/sodium/crypto_aead_chacha20poly1305.h 
@@ -32,7 +32,7 @@ size_t crypto_aead_chacha20poly1305_ietf_abytes(void); #define crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX \ SODIUM_MIN(SODIUM_SIZE_MAX - crypto_aead_chacha20poly1305_ietf_ABYTES, \ - (64ULL * (1ULL << 32) - 64ULL) - crypto_aead_chacha20poly1305_ietf_ABYTES) + (64ULL * ((1ULL << 32) - 1ULL))) SODIUM_EXPORT size_t crypto_aead_chacha20poly1305_ietf_messagebytes_max(void); diff --git a/libs/libsodium/src/include/sodium/crypto_secretstream_xchacha20poly1305.h b/libs/libsodium/src/include/sodium/crypto_secretstream_xchacha20poly1305.h index 7d3fa2a9e3..dac273b599 100644 --- a/libs/libsodium/src/include/sodium/crypto_secretstream_xchacha20poly1305.h +++ b/libs/libsodium/src/include/sodium/crypto_secretstream_xchacha20poly1305.h @@ -30,7 +30,8 @@ SODIUM_EXPORT size_t crypto_secretstream_xchacha20poly1305_keybytes(void); #define crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX \ - SODIUM_MIN(SODIUM_SIZE_MAX, ((1ULL << 32) - 2ULL) * 64ULL) + SODIUM_MIN(SODIUM_SIZE_MAX - crypto_secretstream_xchacha20poly1305_ABYTES, \ + (64ULL * ((1ULL << 32) - 2ULL))) SODIUM_EXPORT size_t crypto_secretstream_xchacha20poly1305_messagebytes_max(void); diff --git a/libs/libsodium/src/include/sodium/private/chacha20_ietf_ext.h b/libs/libsodium/src/include/sodium/private/chacha20_ietf_ext.h new file mode 100644 index 0000000000..2c80b96aa7 --- /dev/null +++ b/libs/libsodium/src/include/sodium/private/chacha20_ietf_ext.h @@ -0,0 +1,16 @@ +#ifndef chacha20_ietf_ext_H +#define chacha20_ietf_ext_H + +#include <stdint.h> + +/* The ietf_ext variant allows the internal counter to overflow into the IV */ + +int crypto_stream_chacha20_ietf_ext(unsigned char *c, unsigned long long clen, + const unsigned char *n, const unsigned char *k); + +int crypto_stream_chacha20_ietf_ext_xor_ic(unsigned char *c, const unsigned char *m, + unsigned long long mlen, + const unsigned char *n, uint32_t ic, + const unsigned char *k); +#endif + 
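Review bot: The header comment in the new chacha20_ietf_ext.h says only that the counter may overflow into the IV, which undersells the contract change for callers: as far as the visible part of stream_chacha20.c shows, the `_ietf_ext_` entry points are bounded by `crypto_stream_chacha20_MESSAGEBYTES_MAX` (the 64-bit-counter limit) while the 32-bit-counter checks live in the public `crypto_stream_chacha20_ietf_*` wrappers that call them. I would extend the comment to say so, e.g. `/* The ietf_ext variant allows the internal counter to overflow into the IV; unlike the public ietf functions it enforces only the 64-bit counter limit, so the caller is responsible for the 2^32-block bound of the IETF construction. */`, so that a new internal caller does not take the `_ext` variant for a drop-in replacement of the ietf one.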
diff --git a/libs/libsodium/src/include/sodium/private/common.h b/libs/libsodium/src/include/sodium/private/common.h
index 632fc8a73c..f87d682e53 100644
--- a/libs/libsodium/src/include/sodium/private/common.h
+++ b/libs/libsodium/src/include/sodium/private/common.h
@@ -1,6 +1,21 @@
 #ifndef common_H
 #define common_H 1
+#if !defined(_MSC_VER) && 1
+# warning *** This is unstable, untested, development code.
+# warning It might not compile. It might not work as expected.
+# warning It might be totally insecure.
+# warning Do not use this except if you are planning to contribute code.
+# warning Use releases available at https://download.libsodium.org/libsodium/releases/ instead.
+# warning Alternatively, use the "stable" branch in the git repository.
+#endif
+
+#if !defined(_MSC_VER) && (!defined(CONFIGURED) || CONFIGURED != 1)
+# warning *** The library is being compiled using an undocumented method.
+# warning This is not supported. It has not been tested, it might not
+# warning work as expected, and performance is likely to be suboptimal.
+#endif
+
 #include <stdint.h>
 #include <stdlib.h>
 #include <string.h>
diff --git a/libs/libsodium/src/include/sodium/version.h b/libs/libsodium/src/include/sodium/version.h
index 56ec2b9550..fc5f462da1 100644
--- a/libs/libsodium/src/include/sodium/version.h
+++ b/libs/libsodium/src/include/sodium/version.h
@@ -4,7 +4,7 @@
 #include "export.h"
-#define SODIUM_VERSION_STRING "1.0.16"
+#define SODIUM_VERSION_STRING "1.0.17"
 #define SODIUM_LIBRARY_VERSION_MAJOR 10
 #define SODIUM_LIBRARY_VERSION_MINOR 1
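Review bot: Moving the `#if !defined(_MSC_VER) && 1` development-warning block into common.h means every translation unit that includes this header now emits the six `#warning` lines on non-MSVC builds, instead of once from core.c (the removal is the core.c hunk further down), and the block is still switched on while version.h in this same commit declares `SODIUM_VERSION_STRING "1.0.17"`. If the vendored snapshot is a master-branch commit rather than the tagged release, the commit message should say so and record the upstream commit it was taken from, since an unreleased snapshot of a crypto library is hard to audit or update otherwise; if it is meant to be the release, the switch would be expected to arrive as `#if !defined(_MSC_VER) && 0`. The reworded fourth warning ("Do not use this except if you are planning to contribute code") is upstream's text and fine to keep as is.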
@@ -13,17 +13,17 @@ extern "C" { #endif -SODIUM_EXPORT -const char *sodium_version_string(void); + SODIUM_EXPORT + const char *sodium_version_string(void); -SODIUM_EXPORT -int sodium_library_version_major(void); + SODIUM_EXPORT + int sodium_library_version_major(void); -SODIUM_EXPORT -int sodium_library_version_minor(void); + SODIUM_EXPORT + int sodium_library_version_minor(void); -SODIUM_EXPORT -int sodium_library_minimal(void); + SODIUM_EXPORT + int sodium_library_minimal(void); #ifdef __cplusplus } diff --git a/libs/libsodium/src/randombytes/salsa20/randombytes_salsa20_random.c b/libs/libsodium/src/randombytes/salsa20/randombytes_salsa20_random.c index 477fda1c39..e3ec30ff7a 100644 --- a/libs/libsodium/src/randombytes/salsa20/randombytes_salsa20_random.c +++ b/libs/libsodium/src/randombytes/salsa20/randombytes_salsa20_random.c @@ -19,9 +19,26 @@ #ifdef __linux__ # ifdef __dietlibc__ # define _LINUX_SOURCE -# else +# include <sys/random.h> +# define HAVE_LINUX_COMPATIBLE_GETRANDOM +# else /* __dietlibc__ */ # include <sys/syscall.h> +# if defined(SYS_getrandom) && defined(__NR_getrandom) +# define getrandom(B, S, F) syscall(SYS_getrandom, (B), (int) (S), (F)) +# define HAVE_LINUX_COMPATIBLE_GETRANDOM +# endif +# endif /* __dietlibc__ */ +#elif defined(__FreeBSD__) +# include <sys/param.h> +# if defined(__FreeBSD_version) && __FreeBSD_version >= 1200000 +# include <sys/random.h> +# define HAVE_LINUX_COMPATIBLE_GETRANDOM # endif +#endif +#if !defined(NO_BLOCKING_RANDOM_POLL) && defined(__linux__) +# define BLOCK_ON_DEV_RANDOM +#endif +#ifdef BLOCK_ON_DEV_RANDOM # include <poll.h> #endif #ifdef HAVE_RDRAND @@ -177,7 +194,7 @@ safe_read(const int fd, void * const buf_, size_t size) return (ssize_t) (buf - (unsigned char *) buf_); } -# if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) && !defined(NO_BLOCKING_RANDOM_POLL) +# ifdef BLOCK_ON_DEV_RANDOM static int randombytes_block_on_dev_random(void) { 
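Review bot: `BLOCK_ON_DEV_RANDOM` is defined by `#if !defined(NO_BLOCKING_RANDOM_POLL) && defined(__linux__)` alone, while the condition it replaces in the `randombytes_block_on_dev_random` hunk below also required `!defined(USE_BLOCKING_RANDOM)`, so a USE_BLOCKING_RANDOM build now polls /dev/random before `randombytes_salsa20_random_random_dev_open` opens it — redundant rather than wrong, but a silent change the ChangeLog does not list; `#if !defined(NO_BLOCKING_RANDOM_POLL) && !defined(USE_BLOCKING_RANDOM) && defined(__linux__)` would restore the old behaviour if it was intended. The new `getrandom(B, S, F)` macro casts the size to int, which is only safe because `_randombytes_linux_getrandom` asserts `size <= 256U`; a comment on the macro, `/* (int) cast is safe: callers keep S <= 256, see _randombytes_linux_getrandom */`, would tie the two together. A function-like macro carrying the libc name also rewrites any `getrandom` prototype included after it (glibc declares one in `<sys/random.h>`), so this relies on no later include pulling that header in. Both points apply identically to the first hunk of randombytes_sysrandom.c.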
@@ -219,11 +236,11 @@ randombytes_salsa20_random_random_dev_open(void) const char **device = devices; int fd; -# if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) && !defined(NO_BLOCKING_RANDOM_POLL) +# ifdef BLOCK_ON_DEV_RANDOM if (randombytes_block_on_dev_random() != 0) { return -1; } -# endif +# endif do { fd = open(*device, O_RDONLY); if (fd != -1) { @@ -246,7 +263,7 @@ randombytes_salsa20_random_random_dev_open(void) } # endif -# if defined(__dietlibc__) || (defined(SYS_getrandom) && defined(__NR_getrandom)) +# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM static int _randombytes_linux_getrandom(void * const buf, const size_t size) { @@ -254,11 +271,7 @@ _randombytes_linux_getrandom(void * const buf, const size_t size) assert(size <= 256U); do { -# ifdef __dietlibc__ readnb = getrandom(buf, size, 0); -# else - readnb = syscall(SYS_getrandom, buf, (int) size, 0); -# endif } while (readnb < 0 && (errno == EINTR || errno == EAGAIN)); return (readnb == (int) size) - 1; @@ -299,7 +312,7 @@ randombytes_salsa20_random_init(void) errno = errno_save; # else -# if defined(SYS_getrandom) && defined(__NR_getrandom) +# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM { unsigned char fodder[16]; @@ -310,7 +323,7 @@ randombytes_salsa20_random_init(void) } global.getrandom_available = 0; } -# endif /* SYS_getrandom */ +# endif /* HAVE_LINUX_COMPATIBLE_GETRANDOM */ if ((global.random_data_source_fd = randombytes_salsa20_random_random_dev_open()) == -1) { @@ -343,7 +356,7 @@ randombytes_salsa20_random_stir(void) # ifdef HAVE_SAFE_ARC4RANDOM arc4random_buf(stream.key, sizeof stream.key); -# elif defined(SYS_getrandom) && defined(__NR_getrandom) +# elif defined(HAVE_LINUX_COMPATIBLE_GETRANDOM) if (global.getrandom_available != 0) { if (randombytes_linux_getrandom(stream.key, sizeof stream.key) != 0) { sodium_misuse(); /* LCOV_EXCL_LINE */ 
@@ -428,7 +441,7 @@ randombytes_salsa20_random_close(void) ret = 0; # endif -# if defined(SYS_getrandom) && defined(__NR_getrandom) +# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM if (global.getrandom_available != 0) { ret = 0; } diff --git a/libs/libsodium/src/randombytes/sysrandom/randombytes_sysrandom.c b/libs/libsodium/src/randombytes/sysrandom/randombytes_sysrandom.c index f4dec08f5b..c24122f9f2 100644 --- a/libs/libsodium/src/randombytes/sysrandom/randombytes_sysrandom.c +++ b/libs/libsodium/src/randombytes/sysrandom/randombytes_sysrandom.c @@ -18,9 +18,26 @@ #ifdef __linux__ # ifdef __dietlibc__ # define _LINUX_SOURCE -# else +# include <sys/random.h> +# define HAVE_LINUX_COMPATIBLE_GETRANDOM +# else /* __dietlibc__ */ # include <sys/syscall.h> +# if defined(SYS_getrandom) && defined(__NR_getrandom) +# define getrandom(B, S, F) syscall(SYS_getrandom, (B), (int) (S), (F)) +# define HAVE_LINUX_COMPATIBLE_GETRANDOM +# endif +# endif /* __dietlibc */ +#elif defined(__FreeBSD__) +# include <sys/param.h> +# if defined(__FreeBSD_version) && __FreeBSD_version >= 1200000 +# include <sys/random.h> +# define HAVE_LINUX_COMPATIBLE_GETRANDOM # endif +#endif +#if !defined(NO_BLOCKING_RANDOM_POLL) && defined(__linux__) +# define BLOCK_ON_DEV_RANDOM +#endif +#ifdef BLOCK_ON_DEV_RANDOM # include <poll.h> #endif @@ -102,7 +119,7 @@ static SysRandom stream = { SODIUM_C99(.getrandom_available =) 0 }; -#ifndef _WIN32 +# ifndef _WIN32 static ssize_t safe_read(const int fd, void * const buf_, size_t size) { @@ -126,10 +143,8 @@ safe_read(const int fd, void * const buf_, size_t size) return (ssize_t) (buf - (unsigned char *) buf_); } -#endif -#ifndef _WIN32 -# if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) && !defined(NO_BLOCKING_RANDOM_POLL) +# ifdef BLOCK_ON_DEV_RANDOM static int randombytes_block_on_dev_random(void) { 
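Review bot: The closing comment on the `+# endif /* __dietlibc */` line in the first randombytes_sysrandom.c hunk has lost its trailing underscores; the matching line in randombytes_salsa20_random.c reads `# endif /* __dietlibc__ */`, which is the macro actually tested. Worth aligning so the two copies of this preprocessor block stay diffable against each other.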
@@ -154,7 +169,7 @@ randombytes_block_on_dev_random(void) } return close(fd); } -# endif +# endif /* BLOCK_ON_DEV_RANDOM */ static int randombytes_sysrandom_random_dev_open(void) @@ -162,34 +177,34 @@ randombytes_sysrandom_random_dev_open(void) /* LCOV_EXCL_START */ struct stat st; static const char *devices[] = { -# ifndef USE_BLOCKING_RANDOM +# ifndef USE_BLOCKING_RANDOM "/dev/urandom", -# endif +# endif "/dev/random", NULL }; const char **device = devices; int fd; -# if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) && !defined(NO_BLOCKING_RANDOM_POLL) +# ifdef BLOCK_ON_DEV_RANDOM if (randombytes_block_on_dev_random() != 0) { return -1; } -# endif +# endif do { fd = open(*device, O_RDONLY); if (fd != -1) { if (fstat(fd, &st) == 0 && -# ifdef __COMPCERT__ +# ifdef __COMPCERT__ 1 -# elif defined(S_ISNAM) +# elif defined(S_ISNAM) (S_ISNAM(st.st_mode) || S_ISCHR(st.st_mode)) -# else +# else S_ISCHR(st.st_mode) -# endif +# endif ) { -# if defined(F_SETFD) && defined(FD_CLOEXEC) +# if defined(F_SETFD) && defined(FD_CLOEXEC) (void) fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC); -# endif +# endif return fd; } (void) close(fd); @@ -204,7 +219,7 @@ randombytes_sysrandom_random_dev_open(void) /* LCOV_EXCL_STOP */ } -# if defined(__dietlibc__) || (defined(SYS_getrandom) && defined(__NR_getrandom)) +# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM static int _randombytes_linux_getrandom(void * const buf, const size_t size) { @@ -212,11 +227,7 @@ _randombytes_linux_getrandom(void * const buf, const size_t size) assert(size <= 256U); do { -# ifdef __dietlibc__ readnb = getrandom(buf, size, 0); -# else - readnb = syscall(SYS_getrandom, buf, (int) size, 0); -# endif } while (readnb < 0 && (errno == EINTR || errno == EAGAIN)); return (readnb == (int) size) - 1; 
@@ -242,14 +253,14 @@ randombytes_linux_getrandom(void * const buf_, size_t size) return 0; } -# endif +# endif /* HAVE_LINUX_COMPATIBLE_GETRANDOM */ static void randombytes_sysrandom_init(void) { const int errno_save = errno; -# if defined(SYS_getrandom) && defined(__NR_getrandom) +# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM { unsigned char fodder[16]; @@ -260,7 +271,7 @@ randombytes_sysrandom_init(void) } stream.getrandom_available = 0; } -# endif +# endif if ((stream.random_data_source_fd = randombytes_sysrandom_random_dev_open()) == -1) { @@ -269,13 +280,13 @@ randombytes_sysrandom_init(void) errno = errno_save; } -#else /* _WIN32 */ +# else /* _WIN32 */ static void randombytes_sysrandom_init(void) { } -#endif +# endif /* _WIN32 */ static void randombytes_sysrandom_stir(void) @@ -299,24 +310,24 @@ randombytes_sysrandom_close(void) { int ret = -1; -#ifndef _WIN32 +# ifndef _WIN32 if (stream.random_data_source_fd != -1 && close(stream.random_data_source_fd) == 0) { stream.random_data_source_fd = -1; stream.initialized = 0; ret = 0; } -# if defined(SYS_getrandom) && defined(__NR_getrandom) +# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM if (stream.getrandom_available != 0) { ret = 0; } -# endif -#else /* _WIN32 */ +# endif +# else /* _WIN32 */ if (stream.initialized != 0) { stream.initialized = 0; ret = 0; } -#endif +# endif /* _WIN32 */ return ret; } 
@@ -324,26 +335,26 @@ static void randombytes_sysrandom_buf(void * const buf, const size_t size) { randombytes_sysrandom_stir_if_needed(); -#if defined(ULONG_LONG_MAX) && defined(SIZE_MAX) -# if SIZE_MAX > ULONG_LONG_MAX +# if defined(ULONG_LONG_MAX) && defined(SIZE_MAX) +# if SIZE_MAX > ULONG_LONG_MAX /* coverity[result_independent_of_operands] */ assert(size <= ULONG_LONG_MAX); +# endif # endif -#endif -#ifndef _WIN32 -# if defined(SYS_getrandom) && defined(__NR_getrandom) +# ifndef _WIN32 +# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM if (stream.getrandom_available != 0) { if (randombytes_linux_getrandom(buf, size) != 0) { sodium_misuse(); /* LCOV_EXCL_LINE */ } return; } -# endif +# endif if (stream.random_data_source_fd == -1 || safe_read(stream.random_data_source_fd, buf, size) != (ssize_t) size) { sodium_misuse(); /* LCOV_EXCL_LINE */ } -#else +# else /* _WIN32 */ COMPILER_ASSERT(randombytes_BYTES_MAX <= 0xffffffffUL); if (size > (size_t) 0xffffffffUL) { sodium_misuse(); /* LCOV_EXCL_LINE */ @@ -351,7 +362,7 @@ randombytes_sysrandom_buf(void * const buf, const size_t size) if (! RtlGenRandom((PVOID) buf, (ULONG) size)) { sodium_misuse(); /* LCOV_EXCL_LINE */ } -#endif +# endif /* _WIN32 */ } static uint32_t diff --git a/libs/libsodium/src/sodium/core.c b/libs/libsodium/src/sodium/core.c index d667312f19..2241a2ea5b 100644 --- a/libs/libsodium/src/sodium/core.c +++ b/libs/libsodium/src/sodium/core.c 
@@ -21,21 +21,6 @@
 #include "private/implementations.h"
 #include "private/mutex.h"
-#if !defined(_MSC_VER) && 1
-# warning *** This is unstable, untested, development code.
-# warning It might not compile. It might not work as expected.
-# warning It might be totally insecure.
-# warning Do not use this in production.
-# warning Use releases available at https://download.libsodium.org/libsodium/releases/ instead.
-# warning Alternatively, use the "stable" branch in the git repository.
-#endif
-
-#if !defined(_MSC_VER) && (!defined(CONFIGURED) || CONFIGURED != 1)
-# warning *** The library is being compiled using an undocumented method.
-# warning This is not supported. It has not been tested, it might not
-# warning work as expected, and performance is likely to be suboptimal.
-#endif
-
 static volatile int initialized;
 static volatile int locked;
diff --git a/libs/libsodium/src/sodium/utils.c b/libs/libsodium/src/sodium/utils.c
index 3a5f835b9f..007f284aeb 100644
--- a/libs/libsodium/src/sodium/utils.c
+++ b/libs/libsodium/src/sodium/utils.c
@@ -110,6 +110,8 @@ sodium_memzero(void *const pnt, const size_t len)
 }
 #elif defined(HAVE_EXPLICIT_BZERO)
 explicit_bzero(pnt, len);
+#elif defined(HAVE_EXPLICIT_MEMSET)
+ explicit_memset(pnt, 0, len);
 #elif HAVE_WEAK_SYMBOLS
 memset(pnt, 0, len);
 _sodium_dummy_symbol_to_prevent_memzero_lto(pnt, len);
@@ -695,7 +697,8 @@ sodium_pad(size_t *padded_buflen_p, unsigned char *buf,
 }
 mask = 0U;
 for (i = 0; i < blocksize; i++) {
- barrier_mask = (unsigned char) (((i ^ xpadlen) - 1U) >> 8);
+ barrier_mask = (unsigned char) (((i ^ xpadlen) - 1U)
+ >> ((sizeof(size_t) - 1) * CHAR_BIT));
 tail[-i] = (tail[-i] & mask) | (0x80 & barrier_mask);
 mask |= barrier_mask;
 } |
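Review bot: The corrected `barrier_mask` line in the sodium_pad hunk is right but the reason is not visible at the line: `((i ^ xpadlen) - 1U)` wraps to SIZE_MAX exactly when `i == xpadlen`, so shifting by `(sizeof(size_t) - 1) * CHAR_BIT` isolates a top byte that is 0xff only for that i, whereas the old `>> 8` also produced a non-zero mask for any `i ^ xpadlen > 256` — the block-size >= 256 bug named in the ChangeLog. A why-comment above the line, e.g. `/* 0xff iff i == xpadlen: (0 - 1) wraps to SIZE_MAX; any other i ^ xpadlen below 2^(CHAR_BIT * (sizeof(size_t) - 1)) leaves the top byte zero */`, would spare the next reader the derivation. This assumes `i` and `xpadlen` are `size_t` (declared outside the hunk — confirm) and that utils.c includes `<limits.h>` for CHAR_BIT, which the hunk does not show. sodium_pad starts and ends outside the hunk.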