Diffstat (limited to 'libs/libsodium')
-rw-r--r--libs/libsodium/docs/ChangeLog15
-rw-r--r--libs/libsodium/docs/THANKS91
-rw-r--r--libs/libsodium/src/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c1
-rw-r--r--libs/libsodium/src/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c116
-rw-r--r--libs/libsodium/src/crypto_pwhash/argon2/argon2-core.c4
-rw-r--r--libs/libsodium/src/crypto_pwhash/crypto_pwhash.c1
-rw-r--r--libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c3
-rw-r--r--libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c19
-rw-r--r--libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c4
-rw-r--r--libs/libsodium/src/crypto_scalarmult/curve25519/ref10/x25519_ref10.c51
-rw-r--r--libs/libsodium/src/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c2
-rw-r--r--libs/libsodium/src/crypto_sign/ed25519/ref10/keypair.c2
-rw-r--r--libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c17
-rw-r--r--libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c17
-rw-r--r--libs/libsodium/src/crypto_stream/chacha20/ref/chacha20_ref.c17
-rw-r--r--libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.c87
-rw-r--r--libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.h12
-rw-r--r--libs/libsodium/src/include/sodium/crypto_aead_aes256gcm.h2
-rw-r--r--libs/libsodium/src/include/sodium/crypto_aead_chacha20poly1305.h2
-rw-r--r--libs/libsodium/src/include/sodium/crypto_secretstream_xchacha20poly1305.h3
-rw-r--r--libs/libsodium/src/include/sodium/private/chacha20_ietf_ext.h16
-rw-r--r--libs/libsodium/src/include/sodium/private/common.h15
-rw-r--r--libs/libsodium/src/include/sodium/version.h18
-rw-r--r--libs/libsodium/src/randombytes/salsa20/randombytes_salsa20_random.c39
-rw-r--r--libs/libsodium/src/randombytes/sysrandom/randombytes_sysrandom.c89
-rw-r--r--libs/libsodium/src/sodium/core.c15
-rw-r--r--libs/libsodium/src/sodium/utils.c5
27 files changed, 498 insertions, 165 deletions
diff --git a/libs/libsodium/docs/ChangeLog b/libs/libsodium/docs/ChangeLog
index 2c6f7f1777..2504a9b64a 100644
--- a/libs/libsodium/docs/ChangeLog
+++ b/libs/libsodium/docs/ChangeLog
@@ -1,4 +1,19 @@
+* Version 1.0.17
+ - Bug fix: `sodium_pad()` didn't properly support block sizes >= 256 bytes.
+ - JS/WebAssembly: some old iOS versions can't instantiate the WebAssembly
+module; fall back to Javascript on these.
+ - JS/WebAssembly: compatibility with newer Emscripten versions.
+ - Bug fix: `crypto_pwhash_scryptsalsa208sha256_str_verify()` and
+`crypto_pwhash_scryptsalsa208sha256_str_needs_rehash()` didn't return
+`EINVAL` on input strings with a short length, unlike their high-level
+counterpart.
+ - Added a workaround for Visual Studio 2010 bug causing CPU features
+not to be detected.
+ - The library now enables compilation with retpoline by default.
+ - Portability improvements.
+ - Test vectors from Project Wycheproof have been added.
+
* Version 1.0.16
- Signatures computations and verifications are now way faster on
64-bit platforms with compilers supporting 128-bit arithmetic (gcc,
diff --git a/libs/libsodium/docs/THANKS b/libs/libsodium/docs/THANKS
new file mode 100644
index 0000000000..0d0da788f3
--- /dev/null
+++ b/libs/libsodium/docs/THANKS
@@ -0,0 +1,91 @@
+Special thanks to people, companies and organizations having written
+libsodium bindings for their favorite programming languages:
+
+@alethia7
+@artemisc
+@carblue
+@dnaq
+@ektrah
+@graxrabble
+@harleqin
+@joshjdevl
+@jrmarino
+@jshahbazi
+@lvh
+@neheb
+
+Adam Caudill (@adamcaudill)
+Alexander Morris (@alexpmorris)
+Amit Murthy (@amitmurthy)
+Andrew Bennett (@potatosalad)
+Andrew Lambert (@charonn0)
+Bruce Mitchener (@waywardmonkeys)
+Bruno Oliveira (@abstractj)
+Caolan McMahon (@caolan)
+Chris Rebert (@cvrebert)
+Christian Hermann (@bitbeans)
+Christian Wiese (@morfoh)
+Christian Wiese (@morfoh)
+Colm MacCárthaigh (@colmmacc)
+David Parrish (@dmp1ce)
+Donald Stufft (@dstufft)
+Douglas Campos (@qmx)
+Drew Crawford (@drewcrawford)
+Emil Bay (@emilbayes)
+Eric Dong (@quantum1423)
+Eric Voskuil (@evoskuil)
+Farid Hajji (@fhajji)
+Frank Siebenlist (@franks42)
+Gabriel Handford (@gabriel)
+Geo Carncross (@geocar)
+Henrik Gassmann (BurningEnlightenment)
+Jachym Holecek (@freza)
+Jack Wink (@jackwink)
+James Ruan (@jamesruan)
+Jan de Muijnck-Hughes (@jfdm)
+Jason McCampbell (@jasonmccampbell)
+Jeroen Habraken (@VeXocide)
+Jeroen Ooms (@jeroen)
+Jesper Louis Andersen (@jlouis)
+Joe Eli McIlvain (@jemc)
+Jonathan Stowe (@jonathanstowe)
+Joseph Abrahamson (@tel)
+Julien Kauffmann (@ereOn)
+Kenneth Ballenegger (@kballenegger)
+Loic Maury (@loicmaury)
+Michael Gorlick (@mgorlick)
+Michael Gregorowicz (@mgregoro)
+Michał Zieliński (@zielmicha)
+Omar Ayub (@electricFeel)
+Pedro Paixao (@paixaop)
+Project ArteMisc (@artemisc)
+Rich FitzJohn (@richfitz)
+Ruben De Visscher (@rubendv)
+Rudolf Von Krugstein (@rudolfvonkrugstein)
+Samuel Neves (@sneves)
+Scott Arciszewski (@paragonie-scott)
+Stanislav Ovsiannikov (@naphaso)
+Stefan Marsiske (@stef)
+Stephan Touset (@stouset)
+Stephen Chavez (@redragonx)
+Steve Gibson (@sggrc)
+Tony Arcieri (@bascule)
+Tony Garnock-Jones (@tonyg)
+Y. T. Chung (@zonyitoo)
+
+Bytecurry Software
+Cryptotronix
+Facebook
+FSF France
+MaidSafe
+Paragonie Initiative Enterprises
+Python Cryptographic Authority
+
+(this list may not be complete, if you don't see your name, please
+submit a pull request!)
+
+Also thanks to:
+
+- Coverity, Inc. to provide static analysis.
+- FSF France for providing access to their compilation servers.
+- Private Internet Access for having sponsored a complete security audit.
diff --git a/libs/libsodium/src/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c b/libs/libsodium/src/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c
index c79407a185..c354087975 100644
--- a/libs/libsodium/src/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c
+++ b/libs/libsodium/src/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c
@@ -12,6 +12,7 @@
#include "randombytes.h"
#include "utils.h"
+#include "private/chacha20_ietf_ext.h"
#include "private/common.h"
static const unsigned char _pad0[16] = { 0 };
diff --git a/libs/libsodium/src/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c b/libs/libsodium/src/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c
index 04971a82a7..07e3655731 100644
--- a/libs/libsodium/src/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c
+++ b/libs/libsodium/src/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c
@@ -5,14 +5,118 @@
#include <string.h>
#include "core.h"
-#include "crypto_aead_xchacha20poly1305.h"
#include "crypto_aead_chacha20poly1305.h"
+#include "crypto_aead_xchacha20poly1305.h"
#include "crypto_core_hchacha20.h"
+#include "crypto_onetimeauth_poly1305.h"
+#include "crypto_stream_chacha20.h"
+#include "crypto_verify_16.h"
#include "randombytes.h"
#include "utils.h"
+#include "private/chacha20_ietf_ext.h"
#include "private/common.h"
+static const unsigned char _pad0[16] = { 0 };
+
+static int
+_encrypt_detached(unsigned char *c,
+ unsigned char *mac,
+ unsigned long long *maclen_p,
+ const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *nsec,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ crypto_onetimeauth_poly1305_state state;
+ unsigned char block0[64U];
+ unsigned char slen[8U];
+
+ (void) nsec;
+ crypto_stream_chacha20_ietf_ext(block0, sizeof block0, npub, k);
+ crypto_onetimeauth_poly1305_init(&state, block0);
+ sodium_memzero(block0, sizeof block0);
+
+ crypto_onetimeauth_poly1305_update(&state, ad, adlen);
+ crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - adlen) & 0xf);
+
+ crypto_stream_chacha20_ietf_ext_xor_ic(c, m, mlen, npub, 1U, k);
+
+ crypto_onetimeauth_poly1305_update(&state, c, mlen);
+ crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - mlen) & 0xf);
+
+ STORE64_LE(slen, (uint64_t) adlen);
+ crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
+
+ STORE64_LE(slen, (uint64_t) mlen);
+ crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
+
+ crypto_onetimeauth_poly1305_final(&state, mac);
+ sodium_memzero(&state, sizeof state);
+
+ if (maclen_p != NULL) {
+ *maclen_p = crypto_aead_chacha20poly1305_ietf_ABYTES;
+ }
+ return 0;
+}
+
+static int
+_decrypt_detached(unsigned char *m,
+ unsigned char *nsec,
+ const unsigned char *c,
+ unsigned long long clen,
+ const unsigned char *mac,
+ const unsigned char *ad,
+ unsigned long long adlen,
+ const unsigned char *npub,
+ const unsigned char *k)
+{
+ crypto_onetimeauth_poly1305_state state;
+ unsigned char block0[64U];
+ unsigned char slen[8U];
+ unsigned char computed_mac[crypto_aead_chacha20poly1305_ietf_ABYTES];
+ unsigned long long mlen;
+ int ret;
+
+ (void) nsec;
+ crypto_stream_chacha20_ietf_ext(block0, sizeof block0, npub, k);
+ crypto_onetimeauth_poly1305_init(&state, block0);
+ sodium_memzero(block0, sizeof block0);
+
+ crypto_onetimeauth_poly1305_update(&state, ad, adlen);
+ crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - adlen) & 0xf);
+
+ mlen = clen;
+ crypto_onetimeauth_poly1305_update(&state, c, mlen);
+ crypto_onetimeauth_poly1305_update(&state, _pad0, (0x10 - mlen) & 0xf);
+
+ STORE64_LE(slen, (uint64_t) adlen);
+ crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
+
+ STORE64_LE(slen, (uint64_t) mlen);
+ crypto_onetimeauth_poly1305_update(&state, slen, sizeof slen);
+
+ crypto_onetimeauth_poly1305_final(&state, computed_mac);
+ sodium_memzero(&state, sizeof state);
+
+ COMPILER_ASSERT(sizeof computed_mac == 16U);
+ ret = crypto_verify_16(computed_mac, mac);
+ sodium_memzero(computed_mac, sizeof computed_mac);
+ if (m == NULL) {
+ return ret;
+ }
+ if (ret != 0) {
+ memset(m, 0, mlen);
+ return -1;
+ }
+ crypto_stream_chacha20_ietf_ext_xor_ic(m, c, mlen, npub, 1U, k);
+
+ return 0;
+}
+
int
crypto_aead_xchacha20poly1305_ietf_encrypt_detached(unsigned char *c,
unsigned char *mac,
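Review bot: `_encrypt_detached` and `_decrypt_detached` are near-verbatim copies of the IETF ChaCha20-Poly1305 detached routines, differing only in calling the `crypto_stream_chacha20_ietf_ext*` stream, and nothing in the hunk says why this file stops delegating to `crypto_aead_chacha20poly1305_ietf_*_detached` (the later hunks in this file swap those calls out), so the next reader will be tempted to deduplicate them back. I would put a comment above `_encrypt_detached` along the lines of `/* Same construction as crypto_aead_chacha20poly1305_ietf_*_detached, but on the "ext" ChaCha20 stream; the callers derive the sub-nonce with the first word left clear (see the memcpy(npub2 + 4, ...) in the public entry points), which is what lets this variant exceed the IETF per-message limit. */`, adjusting the second clause to whatever the ext stream actually does with counter overflow, which is not visible here. While there, a one-line note on `mlen = clen;` in `_decrypt_detached` (`/* detached mode: ciphertext carries no tag */`) would explain the otherwise puzzling alias.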
@@ -32,8 +136,8 @@ crypto_aead_xchacha20poly1305_ietf_encrypt_detached(unsigned char *c,
crypto_core_hchacha20(k2, npub, k, NULL);
memcpy(npub2 + 4, npub + crypto_core_hchacha20_INPUTBYTES,
crypto_aead_chacha20poly1305_ietf_NPUBBYTES - 4);
- ret = crypto_aead_chacha20poly1305_ietf_encrypt_detached
- (c, mac, maclen_p, m, mlen, ad, adlen, nsec, npub2, k2);
+ ret = _encrypt_detached(c, mac, maclen_p, m, mlen, ad, adlen,
+ nsec, npub2, k2);
sodium_memzero(k2, crypto_core_hchacha20_OUTPUTBYTES);
return ret;
@@ -85,12 +189,10 @@ crypto_aead_xchacha20poly1305_ietf_decrypt_detached(unsigned char *m,
crypto_core_hchacha20(k2, npub, k, NULL);
memcpy(npub2 + 4, npub + crypto_core_hchacha20_INPUTBYTES,
crypto_aead_chacha20poly1305_ietf_NPUBBYTES - 4);
- ret = crypto_aead_chacha20poly1305_ietf_decrypt_detached
- (m, nsec, c, clen, mac, ad, adlen, npub2, k2);
+ ret = _decrypt_detached(m, nsec, c, clen, mac, ad, adlen, npub2, k2);
sodium_memzero(k2, crypto_core_hchacha20_OUTPUTBYTES);
return ret;
-
}
int
@@ -105,7 +207,7 @@ crypto_aead_xchacha20poly1305_ietf_decrypt(unsigned char *m,
const unsigned char *k)
{
unsigned long long mlen = 0ULL;
- int ret = -1;
+ int ret = -1;
if (clen >= crypto_aead_xchacha20poly1305_ietf_ABYTES) {
ret = crypto_aead_xchacha20poly1305_ietf_decrypt_detached
diff --git a/libs/libsodium/src/crypto_pwhash/argon2/argon2-core.c b/libs/libsodium/src/crypto_pwhash/argon2/argon2-core.c
index b52b04d36d..530778e4ae 100644
--- a/libs/libsodium/src/crypto_pwhash/argon2/argon2-core.c
+++ b/libs/libsodium/src/crypto_pwhash/argon2/argon2-core.c
@@ -67,7 +67,7 @@ store_block(void *output, const block *src)
* @param m_cost number of blocks to allocate in the memory
* @return ARGON2_OK if @memory is a valid pointer and memory is allocated
*/
-static int allocate_memory(block_region **memory, uint32_t m_cost);
+static int allocate_memory(block_region **region, uint32_t m_cost);
static int
allocate_memory(block_region **region, uint32_t m_cost)
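Review bot: The prototype parameter is renamed to `region` but the Doxygen block directly above still refers to `@memory` in its `@return` line, and the same mismatch appears in the next hunk where `free_memory`'s comment keeps `@param memory pointer to the blocks` while the prototype now says `region`. Renaming only the declaration leaves the documentation pointing at a parameter that no longer exists; change the lines to `* @return ARGON2_OK if @region is a valid pointer and memory is allocated` and `* @param region pointer to the blocks` respectively (the first line of the `allocate_memory` comment, with its own `@param`, starts before this hunk and should be checked too).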
@@ -153,7 +153,7 @@ clear_memory(argon2_instance_t *instance, int clear)
/* Deallocates memory
* @param memory pointer to the blocks
*/
-static void free_memory(block_region *memory);
+static void free_memory(block_region *region);
static void
free_memory(block_region *region)
diff --git a/libs/libsodium/src/crypto_pwhash/crypto_pwhash.c b/libs/libsodium/src/crypto_pwhash/crypto_pwhash.c
index 8168f96216..a229b9f798 100644
--- a/libs/libsodium/src/crypto_pwhash/crypto_pwhash.c
+++ b/libs/libsodium/src/crypto_pwhash/crypto_pwhash.c
@@ -168,6 +168,7 @@ crypto_pwhash_str_alg(char out[crypto_pwhash_STRBYTES],
}
sodium_misuse();
/* NOTREACHED */
+ return -1;
}
int
diff --git a/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c b/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c
index 9e31352dc2..402885907d 100644
--- a/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c
+++ b/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c
@@ -163,8 +163,9 @@ salsa20_8(uint32_t B[16])
x[15] ^= R(x[14] + x[13], 18);
#undef R
}
- for (i = 0; i < 16; i++)
+ for (i = 0; i < 16; i++) {
B[i] += x[i];
+ }
}
/**
diff --git a/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c b/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c
index d1afd91afe..b77588fa5e 100644
--- a/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c
+++ b/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c
@@ -52,6 +52,17 @@ pickparams(unsigned long long opslimit, const size_t memlimit,
return 0;
}
+static size_t
+sodium_strnlen(const char *str, size_t maxlen)
+{
+ size_t i = 0U;
+
+ while (i < maxlen && str[i] != 0) {
+ i++;
+ }
+ return i;
+}
+
size_t
crypto_pwhash_scryptsalsa208sha256_bytes_min(void)
{
@@ -234,8 +245,8 @@ crypto_pwhash_scryptsalsa208sha256_str_verify(
escrypt_local_t escrypt_local;
int ret = -1;
- if (memchr(str, 0, crypto_pwhash_scryptsalsa208sha256_STRBYTES) !=
- &str[crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1U]) {
+ if (sodium_strnlen(str, crypto_pwhash_scryptsalsa208sha256_STRBYTES) !=
+ crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1U) {
return -1;
}
if (escrypt_init_local(&escrypt_local) != 0) {
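Review bot: In `crypto_pwhash_scryptsalsa208sha256_str_verify` the new length check still returns -1 without setting errno, while the identical check in `crypto_pwhash_scryptsalsa208sha256_str_needs_rehash` in the next hunk does `errno = EINVAL;` first, and the ChangeLog hunk describes both functions as now returning EINVAL for short strings; if that is the intent, add `errno = EINVAL;` before this `return -1;`. The substance of the fix, replacing `memchr(str, 0, STRBYTES)` with `sodium_strnlen(str, STRBYTES)`, deserves a comment on `sodium_strnlen` in the earlier hunk, because `memchr` is passed the full `STRBYTES` and is permitted to touch that whole range even when a shorter, NUL-terminated input is supplied, whereas `sodium_strnlen` stops at the first NUL; something like `/* bounded strlen that never reads past the terminator; strnlen() is not available everywhere */` would stop someone from swapping it for the libc function or reverting to `memchr`.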
@@ -268,8 +279,8 @@ crypto_pwhash_scryptsalsa208sha256_str_needs_rehash(
errno = EINVAL;
return -1;
}
- if (memchr(str, 0, crypto_pwhash_scryptsalsa208sha256_STRBYTES) !=
- &str[crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1U]) {
+ if (sodium_strnlen(str, crypto_pwhash_scryptsalsa208sha256_STRBYTES) !=
+ crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1U) {
errno = EINVAL;
return -1;
}
diff --git a/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c b/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c
index 139a7df286..cbd68aa1b8 100644
--- a/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c
+++ b/libs/libsodium/src/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c
@@ -55,9 +55,9 @@ alloc_region(escrypt_region_t *region, size_t size)
aligned = base;
#else
base = aligned = NULL;
- if (size + 63 < size)
+ if (size + 63 < size) {
errno = ENOMEM;
- else if ((base = (uint8_t *) malloc(size + 63)) != NULL) {
+ } else if ((base = (uint8_t *) malloc(size + 63)) != NULL) {
aligned = base + 63;
aligned -= (uintptr_t) aligned & 63;
}
diff --git a/libs/libsodium/src/crypto_scalarmult/curve25519/ref10/x25519_ref10.c b/libs/libsodium/src/crypto_scalarmult/curve25519/ref10/x25519_ref10.c
index 7b93a7247b..4272ae24c0 100644
--- a/libs/libsodium/src/crypto_scalarmult/curve25519/ref10/x25519_ref10.c
+++ b/libs/libsodium/src/crypto_scalarmult/curve25519/ref10/x25519_ref10.c
@@ -18,29 +18,50 @@ has_small_order(const unsigned char s[32])
{
CRYPTO_ALIGN(16)
static const unsigned char blacklist[][32] = {
- { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
- { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
- { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 },
- { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 },
- { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
- { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
- { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
- { 0xcd, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x80 },
- { 0x4c, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1, 0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c, 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0xd7 },
- { 0xd9, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
- { 0xda, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff },
- { 0xdb, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }
+ /* 0 (order 4) */
+ { 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ /* 1 (order 1) */
+ { 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 },
+ /* 325606250916557431795983626356110631294008115727848805560023387167927233504
+ (order 8) */
+ { 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3,
+ 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32,
+ 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 },
+ /* 39382357235489614581723060781553021112529911719440698176882885853963445705823
+ (order 8) */
+ { 0x5f, 0x9c, 0x95, 0xbc, 0xa3, 0x50, 0x8c, 0x24, 0xb1, 0xd0, 0xb1,
+ 0x55, 0x9c, 0x83, 0xef, 0x5b, 0x04, 0x44, 0x5c, 0xc4, 0x58, 0x1c,
+ 0x8e, 0x86, 0xd8, 0x22, 0x4e, 0xdd, 0xd0, 0x9f, 0x11, 0x57 },
+ /* p-1 (order 2) */
+ { 0xec, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
+ /* p (=0, order 4) */
+ { 0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f },
+ /* p+1 (=1, order 1) */
+ { 0xee, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+ 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f }
};
- unsigned char c[12] = { 0 };
+ unsigned char c[7] = { 0 };
unsigned int k;
size_t i, j;
- COMPILER_ASSERT(12 == sizeof blacklist / sizeof blacklist[0]);
- for (j = 0; j < 32; j++) {
+ COMPILER_ASSERT(7 == sizeof blacklist / sizeof blacklist[0]);
+ for (j = 0; j < 31; j++) {
for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
c[i] |= s[j] ^ blacklist[i][j];
}
}
+ for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
+ c[i] |= (s[j] & 0x7f) ^ blacklist[i][j];
+ }
k = 0;
for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
k |= (c[i] - 1);
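Review bot: The table shrinks from 12 to 7 entries and the last byte is now compared with `& 0x7f`, but no comment ties the two together, so the shorter table reads like an accidental deletion. The five removed rows appear to be the `x + p` (top-bit-set) forms of the kept points; with bit 255 of the encoding ignored in the comparison, matching what the field decoder does with that bit, those encodings no longer need separate rows, presumably because after masking they do not decode to small-order points. I would add above the second loop `/* bit 255 of the last byte is ignored by the decoder, so compare it masked; this also covers the non-canonical x + p encodings that used to need their own rows */`, after confirming the reasoning against the decoder. The `COMPILER_ASSERT` tying `c[]`'s size to the table is the right guard for this; the function's return statement lies outside the hunk.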
diff --git a/libs/libsodium/src/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c b/libs/libsodium/src/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c
index ef000d16c7..2754a91c92 100644
--- a/libs/libsodium/src/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c
+++ b/libs/libsodium/src/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c
@@ -123,6 +123,8 @@ crypto_secretstream_xchacha20poly1305_push
if (outlen_p != NULL) {
*outlen_p = 0U;
}
+ COMPILER_ASSERT(crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX
+ <= crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX);
if (mlen > crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX) {
sodium_misuse();
}
diff --git a/libs/libsodium/src/crypto_sign/ed25519/ref10/keypair.c b/libs/libsodium/src/crypto_sign/ed25519/ref10/keypair.c
index 8bf3cec8fd..4b9bf0dc8c 100644
--- a/libs/libsodium/src/crypto_sign/ed25519/ref10/keypair.c
+++ b/libs/libsodium/src/crypto_sign/ed25519/ref10/keypair.c
@@ -61,9 +61,9 @@ crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
}
fe25519_1(one_minus_y);
fe25519_sub(one_minus_y, one_minus_y, A.Y);
- fe25519_invert(one_minus_y, one_minus_y);
fe25519_1(x);
fe25519_add(x, x, A.Y);
+ fe25519_invert(one_minus_y, one_minus_y);
fe25519_mul(x, x, one_minus_y);
fe25519_tobytes(curve25519_pk, x);
diff --git a/libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c b/libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c
index 6149af3942..f63e055265 100644
--- a/libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c
+++ b/libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c
@@ -77,9 +77,6 @@ chacha20_encrypt_bytes(chacha_ctx *ctx, const uint8_t *m, uint8_t *c,
if (!bytes) {
return; /* LCOV_EXCL_LINE */
}
- if (bytes > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
- sodium_misuse();
- }
# include "u8.h"
# include "u4.h"
# include "u1.h"
@@ -106,8 +103,8 @@ stream_ref(unsigned char *c, unsigned long long clen, const unsigned char *n,
}
static int
-stream_ietf_ref(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k)
+stream_ietf_ext_ref(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
{
struct chacha_ctx ctx;
@@ -150,9 +147,9 @@ stream_ref_xor_ic(unsigned char *c, const unsigned char *m,
}
static int
-stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m,
- unsigned long long mlen, const unsigned char *n,
- uint32_t ic, const unsigned char *k)
+stream_ietf_ext_ref_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ uint32_t ic, const unsigned char *k)
{
struct chacha_ctx ctx;
uint8_t ic_bytes[4];
@@ -172,9 +169,9 @@ stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m,
struct crypto_stream_chacha20_implementation
crypto_stream_chacha20_dolbeau_avx2_implementation = {
SODIUM_C99(.stream =) stream_ref,
- SODIUM_C99(.stream_ietf =) stream_ietf_ref,
+ SODIUM_C99(.stream_ietf_ext =) stream_ietf_ext_ref,
SODIUM_C99(.stream_xor_ic =) stream_ref_xor_ic,
- SODIUM_C99(.stream_ietf_xor_ic =) stream_ietf_ref_xor_ic
+ SODIUM_C99(.stream_ietf_ext_xor_ic =) stream_ietf_ext_ref_xor_ic
};
#endif
diff --git a/libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c b/libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c
index b7b9aa4ad3..6f5d3851c3 100644
--- a/libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c
+++ b/libs/libsodium/src/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c
@@ -72,9 +72,6 @@ chacha20_encrypt_bytes(chacha_ctx *ctx, const uint8_t *m, uint8_t *c,
if (!bytes) {
return; /* LCOV_EXCL_LINE */
}
- if (bytes > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
- sodium_misuse();
- }
# include "u4.h"
# include "u1.h"
# include "u0.h"
@@ -100,8 +97,8 @@ stream_ref(unsigned char *c, unsigned long long clen, const unsigned char *n,
}
static int
-stream_ietf_ref(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k)
+stream_ietf_ext_ref(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
{
struct chacha_ctx ctx;
@@ -144,9 +141,9 @@ stream_ref_xor_ic(unsigned char *c, const unsigned char *m,
}
static int
-stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m,
- unsigned long long mlen, const unsigned char *n,
- uint32_t ic, const unsigned char *k)
+stream_ietf_ext_ref_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ uint32_t ic, const unsigned char *k)
{
struct chacha_ctx ctx;
uint8_t ic_bytes[4];
@@ -166,9 +163,9 @@ stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m,
struct crypto_stream_chacha20_implementation
crypto_stream_chacha20_dolbeau_ssse3_implementation = {
SODIUM_C99(.stream =) stream_ref,
- SODIUM_C99(.stream_ietf =) stream_ietf_ref,
+ SODIUM_C99(.stream_ietf_ext =) stream_ietf_ext_ref,
SODIUM_C99(.stream_xor_ic =) stream_ref_xor_ic,
- SODIUM_C99(.stream_ietf_xor_ic =) stream_ietf_ref_xor_ic
+ SODIUM_C99(.stream_ietf_ext_xor_ic =) stream_ietf_ext_ref_xor_ic
};
#endif
diff --git a/libs/libsodium/src/crypto_stream/chacha20/ref/chacha20_ref.c b/libs/libsodium/src/crypto_stream/chacha20/ref/chacha20_ref.c
index f88a99dbdf..40cccbf8f8 100644
--- a/libs/libsodium/src/crypto_stream/chacha20/ref/chacha20_ref.c
+++ b/libs/libsodium/src/crypto_stream/chacha20/ref/chacha20_ref.c
@@ -92,9 +92,6 @@ chacha20_encrypt_bytes(chacha_ctx *ctx, const uint8_t *m, uint8_t *c,
if (!bytes) {
return; /* LCOV_EXCL_LINE */
}
- if (bytes > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
- sodium_misuse();
- }
j0 = ctx->input[0];
j1 = ctx->input[1];
j2 = ctx->input[2];
@@ -243,8 +240,8 @@ stream_ref(unsigned char *c, unsigned long long clen, const unsigned char *n,
}
static int
-stream_ietf_ref(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k)
+stream_ietf_ext_ref(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
{
struct chacha_ctx ctx;
@@ -287,9 +284,9 @@ stream_ref_xor_ic(unsigned char *c, const unsigned char *m,
}
static int
-stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m,
- unsigned long long mlen, const unsigned char *n,
- uint32_t ic, const unsigned char *k)
+stream_ietf_ext_ref_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ uint32_t ic, const unsigned char *k)
{
struct chacha_ctx ctx;
uint8_t ic_bytes[4];
@@ -309,7 +306,7 @@ stream_ietf_ref_xor_ic(unsigned char *c, const unsigned char *m,
struct crypto_stream_chacha20_implementation
crypto_stream_chacha20_ref_implementation = {
SODIUM_C99(.stream =) stream_ref,
- SODIUM_C99(.stream_ietf =) stream_ietf_ref,
+ SODIUM_C99(.stream_ietf_ext =) stream_ietf_ext_ref,
SODIUM_C99(.stream_xor_ic =) stream_ref_xor_ic,
- SODIUM_C99(.stream_ietf_xor_ic =) stream_ietf_ref_xor_ic
+ SODIUM_C99(.stream_ietf_ext_xor_ic =) stream_ietf_ext_ref_xor_ic
};
diff --git a/libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.c b/libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.c
index 3b0895112c..c98d60907f 100644
--- a/libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.c
+++ b/libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.c
@@ -1,4 +1,5 @@
#include "crypto_stream_chacha20.h"
+#include "core.h"
#include "private/common.h"
#include "private/implementations.h"
#include "randombytes.h"
@@ -53,48 +54,100 @@ int
crypto_stream_chacha20(unsigned char *c, unsigned long long clen,
const unsigned char *n, const unsigned char *k)
{
+ if (clen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
return implementation->stream(c, clen, n, k);
}
int
-crypto_stream_chacha20_ietf(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k)
-{
- return implementation->stream_ietf(c, clen, n, k);
-}
-
-int
crypto_stream_chacha20_xor_ic(unsigned char *c, const unsigned char *m,
unsigned long long mlen,
const unsigned char *n, uint64_t ic,
const unsigned char *k)
{
+ if (mlen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
return implementation->stream_xor_ic(c, m, mlen, n, ic, k);
}
int
-crypto_stream_chacha20_ietf_xor_ic(unsigned char *c, const unsigned char *m,
- unsigned long long mlen,
- const unsigned char *n, uint32_t ic,
- const unsigned char *k)
-{
- return implementation->stream_ietf_xor_ic(c, m, mlen, n, ic, k);
-}
-
-int
crypto_stream_chacha20_xor(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
const unsigned char *k)
{
+ if (mlen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
return implementation->stream_xor_ic(c, m, mlen, n, 0U, k);
}
int
+crypto_stream_chacha20_ietf_ext(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
+{
+ if (clen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return implementation->stream_ietf_ext(c, clen, n, k);
+}
+
+int
+crypto_stream_chacha20_ietf_ext_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint32_t ic,
+ const unsigned char *k)
+{
+ if (mlen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return implementation->stream_ietf_ext_xor_ic(c, m, mlen, n, ic, k);
+}
+
+static int
+crypto_stream_chacha20_ietf_ext_xor(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen, const unsigned char *n,
+ const unsigned char *k)
+{
+ if (mlen > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return implementation->stream_ietf_ext_xor_ic(c, m, mlen, n, 0U, k);
+}
+
+int
+crypto_stream_chacha20_ietf(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k)
+{
+ if (clen > crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return crypto_stream_chacha20_ietf_ext(c, clen, n, k);
+}
+
+int
+crypto_stream_chacha20_ietf_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint32_t ic,
+ const unsigned char *k)
+{
+ if ((unsigned long long) ic >
+ (64ULL * (1ULL << 32)) / 64ULL - (mlen + 63ULL) / 64ULL) {
+ sodium_misuse();
+ }
+ return crypto_stream_chacha20_ietf_ext_xor_ic(c, m, mlen, n, ic, k);
+}
+
+int
crypto_stream_chacha20_ietf_xor(unsigned char *c, const unsigned char *m,
unsigned long long mlen, const unsigned char *n,
const unsigned char *k)
{
- return implementation->stream_ietf_xor_ic(c, m, mlen, n, 0U, k);
+ if (mlen > crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX) {
+ sodium_misuse();
+ }
+ return crypto_stream_chacha20_ietf_ext_xor(c, m, mlen, n, k);
}
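Review bot: The counter-overflow guard in `crypto_stream_chacha20_ietf_xor_ic` silently passes oversized messages: `(64ULL * (1ULL << 32)) / 64ULL` is just `1ULL << 32`, and once `mlen` exceeds 2^38 bytes `(mlen + 63ULL) / 64ULL` is larger than that, the unsigned subtraction wraps to a huge value, and `ic > huge` is never true, so no `sodium_misuse()` fires; the only remaining bound is the far larger `crypto_stream_chacha20_MESSAGEBYTES_MAX` inside `crypto_stream_chacha20_ietf_ext_xor_ic`. This is inconsistent with `crypto_stream_chacha20_ietf` and `crypto_stream_chacha20_ietf_xor` in the same hunk, which check `crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX` explicitly. Check the length first so the subtraction cannot wrap: `if (mlen > crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX ||` / `    (unsigned long long) ic > (1ULL << 32) - (mlen + 63ULL) / 64ULL) {` / `    sodium_misuse();`. A short comment that the new `_ietf_ext*` entry points are the internal, extended-counter variants used by the XChaCha20 AEAD (and that `crypto_stream_chacha20_ietf_ext_xor` is intentionally `static`) would also help, since nothing here says why two parallel families now exist.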
void
diff --git a/libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.h b/libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.h
index d6b71c5e0d..40f782f418 100644
--- a/libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.h
+++ b/libs/libsodium/src/crypto_stream/chacha20/stream_chacha20.h
@@ -7,16 +7,16 @@
typedef struct crypto_stream_chacha20_implementation {
int (*stream)(unsigned char *c, unsigned long long clen,
const unsigned char *n, const unsigned char *k);
- int (*stream_ietf)(unsigned char *c, unsigned long long clen,
- const unsigned char *n, const unsigned char *k);
+ int (*stream_ietf_ext)(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k);
int (*stream_xor_ic)(unsigned char *c, const unsigned char *m,
unsigned long long mlen,
const unsigned char *n, uint64_t ic,
const unsigned char *k);
- int (*stream_ietf_xor_ic)(unsigned char *c, const unsigned char *m,
- unsigned long long mlen,
- const unsigned char *n, uint32_t ic,
- const unsigned char *k);
+ int (*stream_ietf_ext_xor_ic)(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint32_t ic,
+ const unsigned char *k);
} crypto_stream_chacha20_implementation;
#endif
diff --git a/libs/libsodium/src/include/sodium/crypto_aead_aes256gcm.h b/libs/libsodium/src/include/sodium/crypto_aead_aes256gcm.h
index 46a3800f37..5e67aa99c5 100644
--- a/libs/libsodium/src/include/sodium/crypto_aead_aes256gcm.h
+++ b/libs/libsodium/src/include/sodium/crypto_aead_aes256gcm.h
@@ -52,7 +52,7 @@ size_t crypto_aead_aes256gcm_abytes(void);
#define crypto_aead_aes256gcm_MESSAGEBYTES_MAX \
SODIUM_MIN(SODIUM_SIZE_MAX - crypto_aead_aes256gcm_ABYTES, \
- (16ULL * ((1ULL << 32) - 2ULL)) - crypto_aead_aes256gcm_ABYTES)
+ (16ULL * ((1ULL << 32) - 2ULL)))
SODIUM_EXPORT
size_t crypto_aead_aes256gcm_messagebytes_max(void);
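Review bot: The new right-hand bound `16ULL * ((1ULL << 32) - 2ULL)` carries no comment saying where it comes from, so the next reader has to re-derive why ABYTES is subtracted from the SODIUM_SIZE_MAX term but no longer from this one. It is the per-(key, nonce) plaintext limit of GCM with a 96-bit IV, 2^32 - 2 counter blocks of 16 bytes (NIST SP 800-38D), and it bounds the message alone since the tag consumes no counter blocks; only the size_t overflow term needs the tag accounted for. I would add above the `#define`: `/* GCM with a 96-bit IV: at most 2^32 - 2 counter blocks of 16 bytes per (key, nonce); the tag does not consume counter blocks, so ABYTES is only subtracted from the size_t bound */`.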
diff --git a/libs/libsodium/src/include/sodium/crypto_aead_chacha20poly1305.h b/libs/libsodium/src/include/sodium/crypto_aead_chacha20poly1305.h
index a575ec7173..8ab31243ff 100644
--- a/libs/libsodium/src/include/sodium/crypto_aead_chacha20poly1305.h
+++ b/libs/libsodium/src/include/sodium/crypto_aead_chacha20poly1305.h
@@ -32,7 +32,7 @@ size_t crypto_aead_chacha20poly1305_ietf_abytes(void);
#define crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX \
SODIUM_MIN(SODIUM_SIZE_MAX - crypto_aead_chacha20poly1305_ietf_ABYTES, \
- (64ULL * (1ULL << 32) - 64ULL) - crypto_aead_chacha20poly1305_ietf_ABYTES)
+ (64ULL * ((1ULL << 32) - 1ULL)))
SODIUM_EXPORT
size_t crypto_aead_chacha20poly1305_ietf_messagebytes_max(void);
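Review bot: The `- 1ULL` in the new bound `64ULL * ((1ULL << 32) - 1ULL)` is unexplained in the header. In the IETF construction (RFC 8439) block 0 of the keystream is consumed deriving the Poly1305 key, so the plaintext has 2^32 - 1 blocks of 64 bytes available under one nonce, and the tag is not keystream, which is why subtracting ABYTES from this term was never needed. A one-line comment above the `#define`, `/* RFC 8439: block 0 is the Poly1305 key, leaving 2^32 - 1 keystream blocks of 64 bytes per (key, nonce) */`, would make the constant checkable without opening the implementation.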
diff --git a/libs/libsodium/src/include/sodium/crypto_secretstream_xchacha20poly1305.h b/libs/libsodium/src/include/sodium/crypto_secretstream_xchacha20poly1305.h
index 7d3fa2a9e3..dac273b599 100644
--- a/libs/libsodium/src/include/sodium/crypto_secretstream_xchacha20poly1305.h
+++ b/libs/libsodium/src/include/sodium/crypto_secretstream_xchacha20poly1305.h
@@ -30,7 +30,8 @@ SODIUM_EXPORT
size_t crypto_secretstream_xchacha20poly1305_keybytes(void);
#define crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX \
- SODIUM_MIN(SODIUM_SIZE_MAX, ((1ULL << 32) - 2ULL) * 64ULL)
+ SODIUM_MIN(SODIUM_SIZE_MAX - crypto_secretstream_xchacha20poly1305_ABYTES, \
+ (64ULL * ((1ULL << 32) - 2ULL)))
SODIUM_EXPORT
size_t crypto_secretstream_xchacha20poly1305_messagebytes_max(void);
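Review bot: The `- 2ULL` in the new bound `64ULL * ((1ULL << 32) - 2ULL)` has no comment, and it differs from the `- 1` used by the plain chacha20poly1305_ietf header, so a reader will wonder whether the difference is deliberate. If I read the secretstream construction right, block 0 of the keystream is the Poly1305 key and block 1 is XORed with the tag byte, leaving 2^32 - 2 blocks of 64 bytes for the payload of one message; that reasoning belongs next to the constant. I would add `/* block 0 = Poly1305 key, block 1 = tag block; 2^32 - 2 keystream blocks of 64 bytes remain for the message */` above the `#define`, hedged or corrected if the stream layout is different from what I infer.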
diff --git a/libs/libsodium/src/include/sodium/private/chacha20_ietf_ext.h b/libs/libsodium/src/include/sodium/private/chacha20_ietf_ext.h
new file mode 100644
index 0000000000..2c80b96aa7
--- /dev/null
+++ b/libs/libsodium/src/include/sodium/private/chacha20_ietf_ext.h
@@ -0,0 +1,16 @@
+#ifndef chacha20_ietf_ext_H
+#define chacha20_ietf_ext_H
+
+#include <stdint.h>
+
+/* The ietf_ext variant allows the internal counter to overflow into the IV */
+
+int crypto_stream_chacha20_ietf_ext(unsigned char *c, unsigned long long clen,
+ const unsigned char *n, const unsigned char *k);
+
+int crypto_stream_chacha20_ietf_ext_xor_ic(unsigned char *c, const unsigned char *m,
+ unsigned long long mlen,
+ const unsigned char *n, uint32_t ic,
+ const unsigned char *k);
+#endif
+
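Review bot: The comment `/* The ietf_ext variant allows the internal counter to overflow into the IV */` states the mechanism but not the consequence a caller of this private API has to know: once the 32-bit block counter wraps, the carry goes into the nonce, so keystream produced past block 2^32 under nonce N is (depending on which nonce word receives the carry) the keystream of a neighbouring nonce starting at block 0, and any caller that later uses that neighbouring nonce with the same key reuses keystream. The functions declared here do not enforce the RFC 8439 2^32-block limit themselves; from the .c side of this diff only the generic crypto_stream_chacha20_MESSAGEBYTES_MAX check is applied to them, the per-nonce bound lives in the public _ietf_ wrappers. I would extend the comment: `/* ... Not IETF-compliant on its own: callers must either keep clen/mlen within 2^32 blocks or guarantee the nonce the carry produces is never used with the same key. The public crypto_stream_chacha20_ietf_* functions enforce the RFC limit; these do not. */`.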
diff --git a/libs/libsodium/src/include/sodium/private/common.h b/libs/libsodium/src/include/sodium/private/common.h
index 632fc8a73c..f87d682e53 100644
--- a/libs/libsodium/src/include/sodium/private/common.h
+++ b/libs/libsodium/src/include/sodium/private/common.h
@@ -1,6 +1,21 @@
#ifndef common_H
#define common_H 1
+#if !defined(_MSC_VER) && 1
+# warning *** This is unstable, untested, development code.
+# warning It might not compile. It might not work as expected.
+# warning It might be totally insecure.
+# warning Do not use this except if you are planning to contribute code.
+# warning Use releases available at https://download.libsodium.org/libsodium/releases/ instead.
+# warning Alternatively, use the "stable" branch in the git repository.
+#endif
+
+#if !defined(_MSC_VER) && (!defined(CONFIGURED) || CONFIGURED != 1)
+# warning *** The library is being compiled using an undocumented method.
+# warning This is not supported. It has not been tested, it might not
+# warning work as expected, and performance is likely to be suboptimal.
+#endif
+
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
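Review bot: The `&& 1` in `#if !defined(_MSC_VER) && 1` is the upstream development-branch switch, and with the block moved into common.h every translation unit that includes this header now emits the six "unstable, untested, development code" warnings. Taken together with SODIUM_VERSION_STRING being set to "1.0.17" elsewhere in this diff, the warnings say that this vendored libs/libsodium tree is a pre-release snapshot the upstream authors label as possibly insecure, not the tagged 1.0.17 release. For a vendored crypto library I would record the exact upstream commit the snapshot was taken from (a one-line file or comment in libs/libsodium), or switch to the release tarball, so that build output and future advisories can be matched to an upstream version. Separately, `#warning` is a GCC/Clang extension rather than C11, and the `!defined(_MSC_VER)` guard only excludes MSVC; if other compilers are expected, a positive guard such as `#if (defined(__GNUC__) || defined(__clang__)) && 1` is safer.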
diff --git a/libs/libsodium/src/include/sodium/version.h b/libs/libsodium/src/include/sodium/version.h
index 56ec2b9550..fc5f462da1 100644
--- a/libs/libsodium/src/include/sodium/version.h
+++ b/libs/libsodium/src/include/sodium/version.h
@@ -4,7 +4,7 @@
#include "export.h"
-#define SODIUM_VERSION_STRING "1.0.16"
+#define SODIUM_VERSION_STRING "1.0.17"
#define SODIUM_LIBRARY_VERSION_MAJOR 10
#define SODIUM_LIBRARY_VERSION_MINOR 1
@@ -13,17 +13,17 @@
extern "C" {
#endif
-SODIUM_EXPORT
-const char *sodium_version_string(void);
+ SODIUM_EXPORT
+ const char *sodium_version_string(void);
-SODIUM_EXPORT
-int sodium_library_version_major(void);
+ SODIUM_EXPORT
+ int sodium_library_version_major(void);
-SODIUM_EXPORT
-int sodium_library_version_minor(void);
+ SODIUM_EXPORT
+ int sodium_library_version_minor(void);
-SODIUM_EXPORT
-int sodium_library_minimal(void);
+ SODIUM_EXPORT
+ int sodium_library_minimal(void);
#ifdef __cplusplus
}
diff --git a/libs/libsodium/src/randombytes/salsa20/randombytes_salsa20_random.c b/libs/libsodium/src/randombytes/salsa20/randombytes_salsa20_random.c
index 477fda1c39..e3ec30ff7a 100644
--- a/libs/libsodium/src/randombytes/salsa20/randombytes_salsa20_random.c
+++ b/libs/libsodium/src/randombytes/salsa20/randombytes_salsa20_random.c
@@ -19,9 +19,26 @@
#ifdef __linux__
# ifdef __dietlibc__
# define _LINUX_SOURCE
-# else
+# include <sys/random.h>
+# define HAVE_LINUX_COMPATIBLE_GETRANDOM
+# else /* __dietlibc__ */
# include <sys/syscall.h>
+# if defined(SYS_getrandom) && defined(__NR_getrandom)
+# define getrandom(B, S, F) syscall(SYS_getrandom, (B), (int) (S), (F))
+# define HAVE_LINUX_COMPATIBLE_GETRANDOM
+# endif
+# endif /* __dietlibc__ */
+#elif defined(__FreeBSD__)
+# include <sys/param.h>
+# if defined(__FreeBSD_version) && __FreeBSD_version >= 1200000
+# include <sys/random.h>
+# define HAVE_LINUX_COMPATIBLE_GETRANDOM
# endif
+#endif
+#if !defined(NO_BLOCKING_RANDOM_POLL) && defined(__linux__)
+# define BLOCK_ON_DEV_RANDOM
+#endif
+#ifdef BLOCK_ON_DEV_RANDOM
# include <poll.h>
#endif
#ifdef HAVE_RDRAND
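Review bot: `BLOCK_ON_DEV_RANDOM` is now derived from `!defined(NO_BLOCKING_RANDOM_POLL) && defined(__linux__)` alone, while the condition it replaces further down in this file (`defined(__linux__) && !defined(USE_BLOCKING_RANDOM) && !defined(NO_BLOCKING_RANDOM_POLL)`) also excluded USE_BLOCKING_RANDOM builds. In such a build the device list presumably holds only /dev/random, as it does in randombytes_sysrandom.c, so randombytes_block_on_dev_random() will poll /dev/random for readiness and then the open loop opens /dev/random, which blocks on its own; harmless, but a behaviour change the hunk does not mention. If the simplification is intentional, a comment at the define such as `/* also polled with USE_BLOCKING_RANDOM: redundant there, but harmless */` would record it; otherwise add `&& !defined(USE_BLOCKING_RANDOM)` back to the condition.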
@@ -177,7 +194,7 @@ safe_read(const int fd, void * const buf_, size_t size)
return (ssize_t) (buf - (unsigned char *) buf_);
}
-# if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) && !defined(NO_BLOCKING_RANDOM_POLL)
+# ifdef BLOCK_ON_DEV_RANDOM
static int
randombytes_block_on_dev_random(void)
{
@@ -219,11 +236,11 @@ randombytes_salsa20_random_random_dev_open(void)
const char **device = devices;
int fd;
-# if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) && !defined(NO_BLOCKING_RANDOM_POLL)
+# ifdef BLOCK_ON_DEV_RANDOM
if (randombytes_block_on_dev_random() != 0) {
return -1;
}
-# endif
+# endif
do {
fd = open(*device, O_RDONLY);
if (fd != -1) {
@@ -246,7 +263,7 @@ randombytes_salsa20_random_random_dev_open(void)
}
# endif
-# if defined(__dietlibc__) || (defined(SYS_getrandom) && defined(__NR_getrandom))
+# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM
static int
_randombytes_linux_getrandom(void * const buf, const size_t size)
{
@@ -254,11 +271,7 @@ _randombytes_linux_getrandom(void * const buf, const size_t size)
assert(size <= 256U);
do {
-# ifdef __dietlibc__
readnb = getrandom(buf, size, 0);
-# else
- readnb = syscall(SYS_getrandom, buf, (int) size, 0);
-# endif
} while (readnb < 0 && (errno == EINTR || errno == EAGAIN));
return (readnb == (int) size) - 1;
@@ -299,7 +312,7 @@ randombytes_salsa20_random_init(void)
errno = errno_save;
# else
-# if defined(SYS_getrandom) && defined(__NR_getrandom)
+# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM
{
unsigned char fodder[16];
@@ -310,7 +323,7 @@ randombytes_salsa20_random_init(void)
}
global.getrandom_available = 0;
}
-# endif /* SYS_getrandom */
+# endif /* HAVE_LINUX_COMPATIBLE_GETRANDOM */
if ((global.random_data_source_fd =
randombytes_salsa20_random_random_dev_open()) == -1) {
@@ -343,7 +356,7 @@ randombytes_salsa20_random_stir(void)
# ifdef HAVE_SAFE_ARC4RANDOM
arc4random_buf(stream.key, sizeof stream.key);
-# elif defined(SYS_getrandom) && defined(__NR_getrandom)
+# elif defined(HAVE_LINUX_COMPATIBLE_GETRANDOM)
if (global.getrandom_available != 0) {
if (randombytes_linux_getrandom(stream.key, sizeof stream.key) != 0) {
sodium_misuse(); /* LCOV_EXCL_LINE */
@@ -428,7 +441,7 @@ randombytes_salsa20_random_close(void)
ret = 0;
# endif
-# if defined(SYS_getrandom) && defined(__NR_getrandom)
+# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM
if (global.getrandom_available != 0) {
ret = 0;
}
diff --git a/libs/libsodium/src/randombytes/sysrandom/randombytes_sysrandom.c b/libs/libsodium/src/randombytes/sysrandom/randombytes_sysrandom.c
index f4dec08f5b..c24122f9f2 100644
--- a/libs/libsodium/src/randombytes/sysrandom/randombytes_sysrandom.c
+++ b/libs/libsodium/src/randombytes/sysrandom/randombytes_sysrandom.c
@@ -18,9 +18,26 @@
#ifdef __linux__
# ifdef __dietlibc__
# define _LINUX_SOURCE
-# else
+# include <sys/random.h>
+# define HAVE_LINUX_COMPATIBLE_GETRANDOM
+# else /* __dietlibc__ */
# include <sys/syscall.h>
+# if defined(SYS_getrandom) && defined(__NR_getrandom)
+# define getrandom(B, S, F) syscall(SYS_getrandom, (B), (int) (S), (F))
+# define HAVE_LINUX_COMPATIBLE_GETRANDOM
+# endif
+# endif /* __dietlibc */
+#elif defined(__FreeBSD__)
+# include <sys/param.h>
+# if defined(__FreeBSD_version) && __FreeBSD_version >= 1200000
+# include <sys/random.h>
+# define HAVE_LINUX_COMPATIBLE_GETRANDOM
# endif
+#endif
+#if !defined(NO_BLOCKING_RANDOM_POLL) && defined(__linux__)
+# define BLOCK_ON_DEV_RANDOM
+#endif
+#ifdef BLOCK_ON_DEV_RANDOM
# include <poll.h>
#endif
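Review bot: The closing comment `# endif /* __dietlibc */` on the dietlibc branch drops the trailing underscores of the macro it closes (`__dietlibc__`), while the identical hunk in randombytes_salsa20_random.c writes it correctly as `/* __dietlibc__ */`. Purely cosmetic, but the two randombytes backends are otherwise kept line for line in lockstep, so I would fix it to `# endif /* __dietlibc__ */` to keep them diffable against each other.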
@@ -102,7 +119,7 @@ static SysRandom stream = {
SODIUM_C99(.getrandom_available =) 0
};
-#ifndef _WIN32
+# ifndef _WIN32
static ssize_t
safe_read(const int fd, void * const buf_, size_t size)
{
@@ -126,10 +143,8 @@ safe_read(const int fd, void * const buf_, size_t size)
return (ssize_t) (buf - (unsigned char *) buf_);
}
-#endif
-#ifndef _WIN32
-# if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) && !defined(NO_BLOCKING_RANDOM_POLL)
+# ifdef BLOCK_ON_DEV_RANDOM
static int
randombytes_block_on_dev_random(void)
{
@@ -154,7 +169,7 @@ randombytes_block_on_dev_random(void)
}
return close(fd);
}
-# endif
+# endif /* BLOCK_ON_DEV_RANDOM */
static int
randombytes_sysrandom_random_dev_open(void)
@@ -162,34 +177,34 @@ randombytes_sysrandom_random_dev_open(void)
/* LCOV_EXCL_START */
struct stat st;
static const char *devices[] = {
-# ifndef USE_BLOCKING_RANDOM
+# ifndef USE_BLOCKING_RANDOM
"/dev/urandom",
-# endif
+# endif
"/dev/random", NULL
};
const char **device = devices;
int fd;
-# if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) && !defined(NO_BLOCKING_RANDOM_POLL)
+# ifdef BLOCK_ON_DEV_RANDOM
if (randombytes_block_on_dev_random() != 0) {
return -1;
}
-# endif
+# endif
do {
fd = open(*device, O_RDONLY);
if (fd != -1) {
if (fstat(fd, &st) == 0 &&
-# ifdef __COMPCERT__
+# ifdef __COMPCERT__
1
-# elif defined(S_ISNAM)
+# elif defined(S_ISNAM)
(S_ISNAM(st.st_mode) || S_ISCHR(st.st_mode))
-# else
+# else
S_ISCHR(st.st_mode)
-# endif
+# endif
) {
-# if defined(F_SETFD) && defined(FD_CLOEXEC)
+# if defined(F_SETFD) && defined(FD_CLOEXEC)
(void) fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC);
-# endif
+# endif
return fd;
}
(void) close(fd);
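Review bot: `fd = open(*device, O_RDONLY);` followed later by `fcntl(fd, F_SETFD, fcntl(fd, F_GETFD) | FD_CLOEXEC)` leaves a window in which a fork()+exec() on another thread inherits the random-device descriptor; this hunk re-indents those lines but keeps the two-step pattern. Where the platform has it, `O_RDONLY | O_CLOEXEC` on the open() itself closes the window atomically, with a `#ifndef O_CLOEXEC` / `#define O_CLOEXEC 0` / `#endif` fallback near the top of the file and the existing fcntl() kept for platforms where the flag is 0. Impact is small since a child can open /dev/urandom on its own, so this is descriptor hygiene rather than a bug. randombytes_sysrandom_random_dev_open() begins before this hunk.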
@@ -204,7 +219,7 @@ randombytes_sysrandom_random_dev_open(void)
/* LCOV_EXCL_STOP */
}
-# if defined(__dietlibc__) || (defined(SYS_getrandom) && defined(__NR_getrandom))
+# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM
static int
_randombytes_linux_getrandom(void * const buf, const size_t size)
{
@@ -212,11 +227,7 @@ _randombytes_linux_getrandom(void * const buf, const size_t size)
assert(size <= 256U);
do {
-# ifdef __dietlibc__
readnb = getrandom(buf, size, 0);
-# else
- readnb = syscall(SYS_getrandom, buf, (int) size, 0);
-# endif
} while (readnb < 0 && (errno == EINTR || errno == EAGAIN));
return (readnb == (int) size) - 1;
@@ -242,14 +253,14 @@ randombytes_linux_getrandom(void * const buf_, size_t size)
return 0;
}
-# endif
+# endif /* HAVE_LINUX_COMPATIBLE_GETRANDOM */
static void
randombytes_sysrandom_init(void)
{
const int errno_save = errno;
-# if defined(SYS_getrandom) && defined(__NR_getrandom)
+# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM
{
unsigned char fodder[16];
@@ -260,7 +271,7 @@ randombytes_sysrandom_init(void)
}
stream.getrandom_available = 0;
}
-# endif
+# endif
if ((stream.random_data_source_fd =
randombytes_sysrandom_random_dev_open()) == -1) {
@@ -269,13 +280,13 @@ randombytes_sysrandom_init(void)
errno = errno_save;
}
-#else /* _WIN32 */
+# else /* _WIN32 */
static void
randombytes_sysrandom_init(void)
{
}
-#endif
+# endif /* _WIN32 */
static void
randombytes_sysrandom_stir(void)
@@ -299,24 +310,24 @@ randombytes_sysrandom_close(void)
{
int ret = -1;
-#ifndef _WIN32
+# ifndef _WIN32
if (stream.random_data_source_fd != -1 &&
close(stream.random_data_source_fd) == 0) {
stream.random_data_source_fd = -1;
stream.initialized = 0;
ret = 0;
}
-# if defined(SYS_getrandom) && defined(__NR_getrandom)
+# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM
if (stream.getrandom_available != 0) {
ret = 0;
}
-# endif
-#else /* _WIN32 */
+# endif
+# else /* _WIN32 */
if (stream.initialized != 0) {
stream.initialized = 0;
ret = 0;
}
-#endif
+# endif /* _WIN32 */
return ret;
}
@@ -324,26 +335,26 @@ static void
randombytes_sysrandom_buf(void * const buf, const size_t size)
{
randombytes_sysrandom_stir_if_needed();
-#if defined(ULONG_LONG_MAX) && defined(SIZE_MAX)
-# if SIZE_MAX > ULONG_LONG_MAX
+# if defined(ULONG_LONG_MAX) && defined(SIZE_MAX)
+# if SIZE_MAX > ULONG_LONG_MAX
/* coverity[result_independent_of_operands] */
assert(size <= ULONG_LONG_MAX);
+# endif
# endif
-#endif
-#ifndef _WIN32
-# if defined(SYS_getrandom) && defined(__NR_getrandom)
+# ifndef _WIN32
+# ifdef HAVE_LINUX_COMPATIBLE_GETRANDOM
if (stream.getrandom_available != 0) {
if (randombytes_linux_getrandom(buf, size) != 0) {
sodium_misuse(); /* LCOV_EXCL_LINE */
}
return;
}
-# endif
+# endif
if (stream.random_data_source_fd == -1 ||
safe_read(stream.random_data_source_fd, buf, size) != (ssize_t) size) {
sodium_misuse(); /* LCOV_EXCL_LINE */
}
-#else
+# else /* _WIN32 */
COMPILER_ASSERT(randombytes_BYTES_MAX <= 0xffffffffUL);
if (size > (size_t) 0xffffffffUL) {
sodium_misuse(); /* LCOV_EXCL_LINE */
@@ -351,7 +362,7 @@ randombytes_sysrandom_buf(void * const buf, const size_t size)
if (! RtlGenRandom((PVOID) buf, (ULONG) size)) {
sodium_misuse(); /* LCOV_EXCL_LINE */
}
-#endif
+# endif /* _WIN32 */
}
static uint32_t
diff --git a/libs/libsodium/src/sodium/core.c b/libs/libsodium/src/sodium/core.c
index d667312f19..2241a2ea5b 100644
--- a/libs/libsodium/src/sodium/core.c
+++ b/libs/libsodium/src/sodium/core.c
@@ -21,21 +21,6 @@
#include "private/implementations.h"
#include "private/mutex.h"
-#if !defined(_MSC_VER) && 1
-# warning *** This is unstable, untested, development code.
-# warning It might not compile. It might not work as expected.
-# warning It might be totally insecure.
-# warning Do not use this in production.
-# warning Use releases available at https://download.libsodium.org/libsodium/releases/ instead.
-# warning Alternatively, use the "stable" branch in the git repository.
-#endif
-
-#if !defined(_MSC_VER) && (!defined(CONFIGURED) || CONFIGURED != 1)
-# warning *** The library is being compiled using an undocumented method.
-# warning This is not supported. It has not been tested, it might not
-# warning work as expected, and performance is likely to be suboptimal.
-#endif
-
static volatile int initialized;
static volatile int locked;
diff --git a/libs/libsodium/src/sodium/utils.c b/libs/libsodium/src/sodium/utils.c
index 3a5f835b9f..007f284aeb 100644
--- a/libs/libsodium/src/sodium/utils.c
+++ b/libs/libsodium/src/sodium/utils.c
@@ -110,6 +110,8 @@ sodium_memzero(void *const pnt, const size_t len)
}
#elif defined(HAVE_EXPLICIT_BZERO)
explicit_bzero(pnt, len);
+#elif defined(HAVE_EXPLICIT_MEMSET)
+ explicit_memset(pnt, 0, len);
#elif HAVE_WEAK_SYMBOLS
memset(pnt, 0, len);
_sodium_dummy_symbol_to_prevent_memzero_lto(pnt, len);
@@ -695,7 +697,8 @@ sodium_pad(size_t *padded_buflen_p, unsigned char *buf,
}
mask = 0U;
for (i = 0; i < blocksize; i++) {
- barrier_mask = (unsigned char) (((i ^ xpadlen) - 1U) >> 8);
+ barrier_mask = (unsigned char) (((i ^ xpadlen) - 1U)
+ >> ((sizeof(size_t) - 1) * CHAR_BIT));
tail[-i] = (tail[-i] & mask) | (0x80 & barrier_mask);
mask |= barrier_mask;
}
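Review bot: The new shift makes `barrier_mask` depend only on the top byte of `(i ^ xpadlen) - 1U`, which fixes what the old `>> 8` got wrong once blocksize exceeds 256 (a difference such as 0x1ff shifted right by 8 left 0x01 in the mask, so `mask` stopped being all-ones-or-all-zeros and bytes after the 0x80 marker kept stray bits), but nothing in the loop states that invariant. I would put it above the assignment: `/* barrier_mask is 0xff exactly when i == xpadlen: the subtraction wraps to SIZE_MAX only then, and keeping just the top byte means no other difference can leak bits into the mask (assumes blocksize < 2^((sizeof(size_t) - 1) * CHAR_BIT)) */`. Worth confirming that `<limits.h>` is included in utils.c for CHAR_BIT, as the include block is outside this hunk. sodium_pad() begins before this hunk.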