From 4e2658e3fdc005bfd9a15d61a1a3e6e28d7982fb Mon Sep 17 00:00:00 2001 
From: Andrew Bettison Date: Wed, 27 Sep 2017 14:52:05 +0930 Subject: [PATCH] Squashed 'libsodium/' changes from 7d5d9204e..18609cffa 4c37368f9 Nits 94550cefd Remove dev #warning 3e0b4dec6 Add sodium_base64_encoded_len() 4ce2856a5 Avoid negations on unsigned values 7e06a6a99 Annotate 18f0fff89 More tests: verify that they key gets updated after the counter wraps e061abc2b The documentation is not a work in progress any more 91233a014 Tag salsa208 as deprecated ee1d5c96d Move the codecs tests to their own test file 558355e56 Check if SIGABRT can be trapped multiple times in a row 8ee67b1dd More tests 1f72dec89 More tests 3db75fc64 No need for ge_scalarmult_vartime() in minimal mode 41dc93322 More tests aec433cec Additional check 87af832ae Do not trigger Travis+Coverity in the master branch 7423408cd Make the behavior of hex2bin() consistent with base642bin() 00660d79b secretstream test: don't pull twice if we don't test with AD 3c8a7f17f Add tests for short, invalid unpadded base64 strings c7fe84cfb Skip trailing ignored characters in base64 decoding 70e5ff5e1 Add a helper macro to compute the length of a base64 string 9209e89d9 More tests 31e9a5541 More tests 61214ba6b Remove redundant test 525c21ed1 Tests 77f3b7135 Indent 1875980d3 More tests 5b9680ead More tests 4828c5923 ~ 80 columns please 66c621f41 Faster; doesn't require to wipe the output stream 5da8f4fbc Add a global xor_buf() private helper function 7d756fab9 xor the key and the nonce on rekey for better separation bb1b27fa3 Improve readability 10bb28b27 One more COMPILER_ASSERT() 2ce41de29 Define macros instead of repeated offsets e878bc141 More keygen tests f244f658d int -> size_t 9c53da4a6 metamorphic tests for HMAC bd69a3083 metamorphic tests for onetimeauth a7b75a2d7 + simple metamorphic tests for crypto_generichash() a029b352a Don't generate SSE2 code if that instruction set hasn't been enabled 09fd953fc Revert "__SSE2__ may need to be explicitly enabled" 35d8aa5d3 __SSE2__ may need to be explicitly 
enabled a161dd9fa On 32-bit systems, the limit is SIZE_MAX 251751e69 Update ChangeLog d8a8201bb Avoid "in" and "out". Use "c" to represent the ciphertext. 1181a47cb Proper xchacha20poly1305_MESSAGEBYTES_MAX definition bfab44aa4 initbytes -> headerbytes for clarity e8f1c0be6 secretstream: use "header" instead of "in" and "out" for clarity 9e0ff55eb Add the ability to use only strong symbols, even on ELF targets b0420b32d Define SODIUM_EXPORT_WEAK instead of adding __attribute__((weak)) tags ae515a16a Bring back -fno-asynchronous-unwind-tables on MingW 3df3fabb8 No default clause needed 1f8056ab1 Use #error in autoconf tests 147d8b620 Disable AVX512 on MingW even harder ffce4334e Disable AVX512 on MingW for now 07de00bc9 Revert -fno-asynchronous-unwind-tables addition 9aa116531 up eb8c283dd Add -fno-asynchronous-unwind-tables to optimized builds 186b398a2 -fno-asynchronous-unwind-tables is now required on MingW 7de597f05 Update m4 deps ; remove pkg.m4 383705ffc The AVX512 optimized BLAKE2B implementation hasn't been imported yet f86f021ac Travis CI : Move the tcc check to the install step 19496bcc0 Don't try to access /usr/local on Travis CI ca43a1268 Old tcc versions miscompile `while (++in[x])` 10edd16b4 Modernize the core3 test dcde773e5 Travis CI: don't run multiple jobs in parallel due to memory requirements 150c6930e Travis CI: avoid duplicate addons section cdfb0aaa3 tcc + travis... 
9f4011197 tcc doesn't seem to work on Travis CI 7e8cdd827 Travis: start with a quick compilation using tcc c6aa04108 Move #ifdef up b31a3f247 Disable AVX512 optimizations on clang < 4 4aba976d5 Explicit casts 15ee95c64 Remove unused var dcd60ba66 Force inline 5cc334b33 Add AVX512F optimized Argon2 implementation 70f66c9a6 Check for avx/avx2/avx512f linkage 6866b3d55 Use macros instead of magic numbers 1c0677b09 Check for AVX512F support 80095105b Missing pieces of a version bump 390f865e3 Add tests for scrypt rehash 2a2b85eee Add tests for crypto_pwhash_str_needs_rehash() 979b21d67 Remove extra semicolumns 62c41c703 Avoid untagged unions 5cf1de94a Remove trailing coma 3aa1c71de Don't return void d0a418a86 + _crypto_pwhash_scryptsalsa208sha256_str_needs_rehash() 6dcba550c Confirm that emcc is actually being used if EMSCRIPTEN is defined 0ae678b0f Avoid multiple declarations in an EN_ASM({}) block b26de68a6 Use single quotes inside EM_ASM 1aae564da Avoid duplicate initializations; reorder for consistency w/ decl 81cf1ff6d Use unsigned for loop counters e2efa6d7e Remove unused variable e06c70afe Use the dedicated type for the argon2 type id 378304f81 Export crypto_pwhash_str_needs_rehash() to Javascript/WebAssembly e8828eef7 Don't bother verifying hashes whose length is >= crypto_pwhash_STRBYTES 7cc482523 Add crypto_pwhash_str_needs_rehash() c65189a0c Explicit casts 7b687bb45 + Jonathan Stowe for Natrium (Perl 6 bindings) c72ef48f0 Static-ify what we currently don't need in crypto_core/curve25519_ref10 5c8b8ea01 Simplify 0af31aeb2 Fill the max output buffer size in sodium_bin2base64() 6b43c1ddb Javascript: don't define crypto_pwhash constants in non-sumo builds e236df63e Trim empty lines 75cfcf208 Merge branch 'master' of github.com:jedisct1/libsodium e40e0f6dd Adjust secretstream_..._rekey() after e84336ac 514150d8b Merge branch 'master' of github.com:jedisct1/libsodium 394e21884 Do not clear the padding (for alignment) section of a blake2b state a0fea6965 Remove 
RUNNING_JS_OPTS for WebAssembly d863c9665 chmod +x *.sh 957c251f8 chmod +x *.sh ce2ecc596 One more compiler assertion e84336ac4 secretstream: assume the internal nonce is little endian fd4478288 Test sodium_pad() with a NULL pointer f61a121b8 Regen emscripten symbols f8e535a44 messagesbytes -> messagebytes cd721cfc1 Have generate-emscripten-symbols.sh automatically update the js/wasm build script aa20d2e86 Add secretstream constants 49f1d87cf salsa208: messagebyte -> messagebytes a0b9bc46e constcheck: grab a few more constants 0ccdfd0c8 Update emscripten symbols list 242045cb4 Update emscripten symbols list 30a25dbb2 Bump be58b2e66 Accept a NULL pointer for the padded length in sodium_pad() b503d75e4 Add crypto_secretstream_*() to MSVC solutions a55e13246 Update packaging for .NET Core (#583) 4c93d0391 C++ compat 0850e5580 Check that a zero blocksize returns -1 a27c18d0e No need for two buffers in the padding test d5574a69f Complete sodium_pad/unpad() and add a couple tests b9ed93fcb Change the sodium_pad() API to accept a maximum buffer length 4fd66e3ad Name similar things the same way in sodium_pad() and sodium_unpad() fb4dc083e Update ChangeLog 50c7632cc + sodium_pad() / sodium_unpad() 55a578d62 Merge branch 'master' of github.com:jedisct1/libsodium b27714898 Reorder crypto_secretstream_*() prototypes in a more intuitive sequence c3b315ec7 + Firefox 80296be94 Some notes about RtlGenRandom 914ff8757 Format paragraphs c65426147 Explain that sodium_misuse() still aborts by default 901c49203 + crypto_secretstream_*() a335fc2da Merge branch 'master' of github.com:jedisct1/libsodium 5f1f6f747 THANKS += PIA 6e8e0a93f Add a couple tests for crypto_secretstream_*() 88c0b6538 Trigger sodium_misuse() if mlen > secretstream_MESSAGESBYTES_MAX 72d5d506d Sort df7ad2632 Introduce a new crypto_secretstream_*() API 45f2759d8 Update packaging scripts to .NET Core 2.0 (#582) c39ecb245 Update packaging for .NET Core (#581) 100a055a5 Indent e6e3f7dd8 ChangeLog 76995c52f Argon2: use 
sodium_{bin2base64,base642bin} instead of a private implementation 265bdcfe0 bin2hex & bin2base64: return a null size on error a6480aec4 b64 test: intentionally overestimate sizes 74fd8fd1c C++ compat ad5a5232a Make that a size_t f42390a55 Update Visual Studio solutions cdbb43f44 base64 tests eb84b00b7 glibc requires for SIZE_MAX 3f272cbbf Add a base64 codec, due to popular request 308684790 Move the codecs from sodium/utils.c to a dedicated file b49054ff8 Merge branch 'master' of github.com:jedisct1/libsodium ef7c9f44c Sort c87e6f5e1 Add -Wold-style-declaration dd9416fd5 Doc 1c573d4cb Update 5b141eb9e Add some blank lines for readability 7e91aa3f8 s/the// 4baea3575 Merge branch 'master' of github.com:jedisct1/libsodium 9b7db7c3f Document crypto_aead_aes256gcm_*() limitations 8f0953b31 Merge branch 'master' of github.com:jedisct1/libsodium 9e0e77a3f Update ChangeLog a894ec93f Add crypto_pwhash_str_alg() cde31281d Bench: don't tie the printed result to the number of iterations 6d59a5897 Make the number of iterations configurable; reduce the default 28a1e6886 Add an interesting test case for a custom randombytes_uniform implementation 5b4db091d Add a benchmark mode 8813c36ff randombytes test: restore the salsa20-based rng at the end, for benchmarks a8cc1634f Indent 9d03fbb38 Merge branch 'master' of github.com:jedisct1/libsodium 196e03299 Preliminary ChangeLog 19f76d7cb Simplify 544ce6400 Just a simple script to match constants with functions f711c6d04 + emscripten-wasm.sh 1a3b474f7 Update the exported list of JS symbols e1fa9cc90 Add *_messagebytes_max() wrappers 53280aa28 Revert "wasm tests: skip over *.asm.js files" ac8111c31 wasm tests: skip over *.asm.js files 29914ec82 [Findsodium.cmake] DON'T OVERWRITE LIBRARY SUFFIXES (#576) f02770b2a Revert "+ sodium_alloc_overhead()" c5b61d812 + sodium_alloc_overhead() 23c36615c Remove TOTAL_MEMORY from wasm builds c56fa3ccf Include private/common.h for COMPILER_ASSERT 56eb70f8b Sort 3c3214fbd Node need for --expose-wasm 
any more with recent nodejs versions b5b67d074 Add -fembed-bitcode to the iOS 64 target, for WatchOS and TVOS 580bf7a19 emscripten-wasm.sh: generate HTML files even if we don't use them ae8cd7208 emscript-wasm: don't use --enable-minimal on sumo builds f2a7b6123 Update symbols 774ec67e2 Repair sodium_core test 8a14f5c16 Don't call sodium_misuse() in the sodium_core test for Javascript/wasm targets 0ce03b6ce misuse test: just return from main() on unsupported platforms 6ac18dae4 The MESSAGEBYTES_MAX constants are to be used with the libsodium API 180a89cb2 More tests for signatures 90bd94e4e Coverage exclusion b34b89ab3 secrebox: add a test with in/out buffers next to each other 3dd56fa91 Coverage exclusions ff8bb6705 More tests for scrypt a3f90d602 Indent 63d8a896f Test KX with a weak PK 7ad9a46cb More tests a9a21a7df Test Ed->X conversion with x not being a square root 982cde1a7 Test crypto_box_open_detached() with a weak PK 52bfc0325 Initialize the base&aligned addresses in argon2's allocate_memory fc9088792 Add missing include "core.h" c15173de1 Turn a few calls with an insane message length into a sodium_misuse() f28fe0ae2 Cap argon2*_BYTES_MAX to SODIUM_SIZE_MAX bac61ebf5 BYTES_MAX -> MESSAGEBYTES_MAX 16179b87f Introduce *_BYTES_MAX constants 568adb570 Trim crypto_pwhash_scryptsalsa208sha256_BYTES_MAX down to ~127 GB 3525f032d Inline 3ee2151f1 memzero(): with weak symbols, just call memset() 105f7108d Argon2: wipe all blocks if the ARGON2_FLAG_CLEAR_MEMORY flag is set dc2c68067 C++ compat fb739acd7 fill_memory_blocks() cannot possibly fail c3908f87d Argon2: deallocate memory if fill_memory_blocks() ever fails 8d91a3275 Add more tests for crypto_sign_ed25519_pk_to_curve25519() 214fe473f Add an invalid key to the signature tests e1b044820 Test crypto_secretbox_open_detached() with a NULL message pointer c90ddae75 Use the right state type for the auth256 test 51a0b96f1 Test crypto_hmac_sha256_update() with empty chunks 2a2ed3df3 Volatilify the accumulator, at 
least for consistency with sodium_is_zero() cd51ff29e Coverage exclusions 33d6908f9 Test crypto_auth_hmacsha256_*() f92c82537 More tests 67a7df73b Add all the Visual Studio files in the tarball 56efb47ab .13 -> .14 334738cf2 Add resource.rc to the Visual Studio filters files 47796a5b8 Indent d7ecf04d6 Comment randombytes_uniform() eaab51278 Add specialized ge_mul_l() to multiply by the order of the main subgroup 6de26b59d ed25519_pk_to_curve25519: check that the input is in the right subgroup 571915ea2 ed25519: un-static the check for low-order points b57f9668f More tests cc5191607 Tag sodium_runtime_has_*() symbols as weak 8b9b6a54b Remove error string from sodium_misuse() 9361070f9 Merge branch 'master' of github.com:jedisct1/libsodium * 'master' of github.com:jedisct1/libsodium: Tweak emscripten-wasm.sh Clear the BLAKE2B state only once, on finalization memzero() the state if we call generichash_final() twice 63cbad750 Visual Studio doesn't like abort() chains 21fd252ac Tweak emscripten-wasm.sh 97486f7d4 Clear the BLAKE2B state only once, on finalization 1090fcfd4 memzero() the state if we call generichash_final() twice 6768d82ea Add missing return value in set_misuse_handler() 9df008a78 Add some invalid base64 strings to pwhash_str_verify() tests 5d56821d3 More tests, and start testing misuse cases 0238cbcf6 Bump NuGet package 0e8d7c926 Implement sodium_set_misuse_handler() 9def4d9a8 Add tests for crypto_kx_*() when a single key is required 8a70f258f No more abort() calls! c3b24c1d2 Explain why some abort() calls are still around 74703c63a More abort() -> sodium_misuse() a0e997b8a More abort() -> sodium_misuse() ea9281cb0 More abort() -> sodium_misuse() c7459c125 Remove the useless donations button a61dddd49 Back to dev mode. If you want a stable version, use the stable branch. 
bcf98b554 Start replacing abort() with an internal sodium_misuse() function c86080e7b Fix funky indentation 608e103e4 Finish the Argon2id tests 8b99f44ff Abort on misuse in crypto_kx_server_session_keys() too 765ba55cd crypto_kx(): abort if the function is called without any non-NULL pointer 90658321d Only include sodium/crypto_pwhash_scryptsalsa208sha256.h on !minimal 1f826df2d is_zero(): volatilize the accumulator 3d400363b sodium_compare: x1, x2 don't have to be volatile 99f8c19a1 memzero(): call the weak function after zeroing 30e8a2b23 The time has come to use memset_s() if available f0c15da02 We don't need these extra loads bcdb042ad Revert "Explicitly include " 7dbbd266b Simple SSE2 implementation of crypto_verify*() 94a8b3327 Simplify crypto_verify_*() 37e99aa4f Make it more difficult for the compiler to optimize crypto_verify_*() c746eb277 Revert "Bail out if SIZE_MAX < crypto_pwhash_MEMLIMIT_MAX" 0fd9aae17 Explicitly include c2ef7d088 Bail out if SIZE_MAX < crypto_pwhash_MEMLIMIT_MAX git-subtree-dir: libsodium git-subtree-split: 18609cffafed6ccfcac77088d402074e1d74f02c --- .gitignore | 4 + .travis.yml | 28 +- ChangeLog | 47 +++ Makefile.am | 1 + README.markdown | 4 +- THANKS | 16 +- builds/Makefile.am | 65 ++++ builds/msvc/resource.rc | 4 +- builds/msvc/version.h | 4 +- .../msvc/vs2010/libsodium/libsodium.vcxproj | 6 + .../libsodium/libsodium.vcxproj.filters | 27 ++ .../msvc/vs2012/libsodium/libsodium.vcxproj | 6 + .../libsodium/libsodium.vcxproj.filters | 27 ++ .../msvc/vs2013/libsodium/libsodium.vcxproj | 6 + .../libsodium/libsodium.vcxproj.filters | 27 ++ .../msvc/vs2015/libsodium/libsodium.vcxproj | 6 + .../libsodium/libsodium.vcxproj.filters | 27 ++ .../msvc/vs2017/libsodium/libsodium.vcxproj | 6 + .../libsodium/libsodium.vcxproj.filters | 27 ++ configure.ac | 65 +++- contrib/Findsodium.cmake | 2 + dist-build/Makefile.am | 1 + dist-build/emscripten-symbols.def | 96 +++-- dist-build/emscripten-wasm.sh | 22 +- dist-build/emscripten.sh | 4 +- 
dist-build/generate-emscripten-symbols.sh | 94 +++-- dist-build/ios.sh | 4 +- libsodium.vcxproj | 6 + libsodium.vcxproj.filters | 18 + m4/ax_check_catchable_abrt.m4 | 57 +++ m4/ax_check_gnu_make.m4 | 4 +- m4/ax_pthread.m4 | 4 +- m4/pkg.m4 | 214 ----------- msvc-scripts/process.bat | 4 +- packaging/dotnet-core/README.md | 10 +- packaging/dotnet-core/desktop.targets | 16 - packaging/dotnet-core/libsodium.props | 7 +- packaging/dotnet-core/prepare.py | 44 +-- packaging/dotnet-core/recipes/linux-x64 | 4 + packaging/nuget/package.config | 2 +- src/libsodium/Makefile.am | 13 +- .../aes256gcm/aesni/aead_aes256gcm_aesni.c | 15 +- .../sodium/aead_chacha20poly1305.c | 21 +- .../sodium/aead_xchacha20poly1305.c | 9 +- src/libsodium/crypto_box/crypto_box.c | 6 + src/libsodium/crypto_box/crypto_box_easy.c | 9 +- .../box_curve25519xchacha20poly1305.c | 15 +- .../box_curve25519xsalsa20poly1305.c | 6 + .../curve25519/ref10/curve25519_ref10.c | 95 ++++- .../blake2b/ref/blake2b-ref.c | 138 ++++---- .../crypto_hash/sha512/cp/hash_sha512_cp.c | 2 + src/libsodium/crypto_kx/crypto_kx.c | 7 + .../poly1305/sse2/poly1305_sse2.c | 34 +- .../crypto_pwhash/argon2/argon2-core.c | 101 +++--- .../crypto_pwhash/argon2/argon2-core.h | 48 ++- .../crypto_pwhash/argon2/argon2-encoding.c | 202 ++--------- .../argon2/argon2-fill-block-avx2.c | 16 +- .../argon2/argon2-fill-block-avx512f.c | 244 +++++++++++++ .../argon2/argon2-fill-block-ref.c | 15 +- .../argon2/argon2-fill-block-ssse3.c | 16 +- src/libsodium/crypto_pwhash/argon2/argon2.c | 6 +- .../argon2/blamka-round-avx512f.h | 145 ++++++++ .../crypto_pwhash/argon2/pwhash_argon2i.c | 56 +++ src/libsodium/crypto_pwhash/crypto_pwhash.c | 35 ++ .../crypto_scrypt-common.c | 48 ++- .../scryptsalsa208sha256/crypto_scrypt.h | 4 + .../scryptsalsa208sha256/pbkdf2-sha256.c | 6 +- .../pwhash_scryptsalsa208sha256.c | 29 ++ .../sse/pwhash_scryptsalsa208sha256_sse.c | 8 + .../curve25519/scalarmult_curve25519.c | 6 +- .../crypto_secretbox/crypto_secretbox.c | 6 + 
.../crypto_secretbox/crypto_secretbox_easy.c | 9 +- .../secretbox_xchacha20poly1305.c | 15 +- .../secretbox_xsalsa20poly1305.c | 6 + .../secretstream_xchacha20poly1305.c | 303 ++++++++++++++++ src/libsodium/crypto_sign/crypto_sign.c | 6 + .../crypto_sign/ed25519/ref10/ed25519_ref10.h | 3 + .../crypto_sign/ed25519/ref10/keypair.c | 11 +- .../crypto_sign/ed25519/ref10/obsolete.c | 2 +- .../crypto_sign/ed25519/ref10/open.c | 11 +- .../crypto_sign/ed25519/sign_ed25519.c | 6 + .../chacha20/dolbeau/chacha20_dolbeau-avx2.c | 5 +- .../chacha20/dolbeau/chacha20_dolbeau-ssse3.c | 5 +- .../crypto_stream/chacha20/dolbeau/u0.h | 2 +- .../crypto_stream/chacha20/ref/chacha20_ref.c | 5 +- .../crypto_stream/chacha20/stream_chacha20.c | 12 + src/libsodium/crypto_stream/crypto_stream.c | 6 + .../crypto_stream/salsa20/stream_salsa20.c | 8 +- .../crypto_stream/salsa20/xmm6int/u0.h | 2 +- .../salsa2012/stream_salsa2012.c | 6 + .../crypto_stream/salsa208/stream_salsa208.c | 6 + .../xchacha20/stream_xchacha20.c | 6 + .../crypto_stream/xsalsa20/stream_xsalsa20.c | 6 + src/libsodium/crypto_verify/sodium/verify.c | 109 ++++-- src/libsodium/include/Makefile.am | 1 + src/libsodium/include/sodium.h | 3 +- src/libsodium/include/sodium/core.h | 9 + .../include/sodium/crypto_aead_aes256gcm.h | 26 ++ .../sodium/crypto_aead_chacha20poly1305.h | 20 +- .../sodium/crypto_aead_xchacha20poly1305.h | 14 +- src/libsodium/include/sodium/crypto_box.h | 4 + .../crypto_box_curve25519xchacha20poly1305.h | 6 + .../crypto_box_curve25519xsalsa20poly1305.h | 39 +- .../include/sodium/crypto_core_salsa208.h | 12 +- src/libsodium/include/sodium/crypto_pwhash.h | 20 ++ .../include/sodium/crypto_pwhash_argon2i.h | 10 +- .../include/sodium/crypto_pwhash_argon2id.h | 10 +- .../crypto_pwhash_scryptsalsa208sha256.h | 14 +- .../include/sodium/crypto_secretbox.h | 4 + .../crypto_secretbox_xchacha20poly1305.h | 6 + .../crypto_secretbox_xsalsa20poly1305.h | 25 +- .../crypto_secretstream_xchacha20poly1305.h | 102 ++++++ 
src/libsodium/include/sodium/crypto_sign.h | 4 + .../include/sodium/crypto_sign_ed25519.h | 4 + .../crypto_sign_edwards25519sha512batch.h | 1 + src/libsodium/include/sodium/crypto_stream.h | 4 + .../include/sodium/crypto_stream_aes128ctr.h | 3 + .../include/sodium/crypto_stream_chacha20.h | 10 + .../include/sodium/crypto_stream_salsa20.h | 4 + .../include/sodium/crypto_stream_salsa2012.h | 4 + .../include/sodium/crypto_stream_salsa208.h | 20 +- .../include/sodium/crypto_stream_xchacha20.h | 4 + .../include/sodium/crypto_stream_xsalsa20.h | 4 + src/libsodium/include/sodium/export.h | 9 + src/libsodium/include/sodium/private/common.h | 11 + .../include/sodium/private/curve25519_ref10.h | 32 +- src/libsodium/include/sodium/randombytes.h | 2 + src/libsodium/include/sodium/runtime.h | 21 +- src/libsodium/include/sodium/utils.h | 36 ++ .../nativeclient/randombytes_nativeclient.c | 5 +- src/libsodium/randombytes/randombytes.c | 32 +- .../salsa20/randombytes_salsa20_random.c | 21 +- .../sysrandom/randombytes_sysrandom.c | 28 +- src/libsodium/sodium/codecs.c | 333 ++++++++++++++++++ src/libsodium/sodium/core.c | 40 ++- src/libsodium/sodium/runtime.c | 18 + src/libsodium/sodium/utils.c | 187 +++++----- test/constcheck.sh | 19 + test/default/Makefile.am | 32 ++ test/default/aead_aes256gcm.c | 6 + test/default/aead_chacha20poly1305.c | 16 + test/default/aead_xchacha20poly1305.c | 40 ++- test/default/auth.c | 13 + test/default/auth.exp | 8 + test/default/box.c | 3 + test/default/box2.c | 2 + test/default/box_easy.c | 5 +- test/default/box_easy2.c | 10 +- test/default/chacha20.c | 11 +- test/default/cmptest.h | 48 ++- test/default/codecs.c | 226 ++++++++++++ test/default/codecs.exp | 28 ++ test/default/core3.c | 57 ++- test/default/ed25519_convert.c | 17 + test/default/kdf.c | 12 +- test/default/keygen.c | 7 +- test/default/kx.c | 30 ++ test/default/metamorphic.c | 187 ++++++++++ test/default/metamorphic.exp | 1 + test/default/misuse.c | 145 ++++++++ test/default/misuse.exp | 0 
test/default/onetimeauth.c | 2 + test/default/pwhash.c | 103 +++++- test/default/pwhash_argon2id.c | 60 ++-- test/default/pwhash_argon2id.exp | 2 +- test/default/pwhash_scrypt.c | 79 ++++- test/default/pwhash_scrypt.exp | 6 + test/default/randombytes.c | 11 +- test/default/secretbox.c | 8 + test/default/secretbox2.c | 5 + test/default/secretbox_easy.c | 20 +- test/default/secretbox_easy.exp | 2 + test/default/secretbox_easy2.c | 4 + test/default/secretstream.c | 279 +++++++++++++++ test/default/secretstream.exp | 1 + test/default/sign.c | 31 ++ test/default/sodium_core.c | 24 +- test/default/sodium_core.exp | 2 +- test/default/sodium_utils.c | 101 +++--- test/default/sodium_utils.exp | 8 - test/default/stream.c | 2 + test/default/stream2.c | 1 + test/default/xchacha20.c | 65 +++- 183 files changed, 4560 insertions(+), 1268 deletions(-) create mode 100644 builds/Makefile.am create mode 100644 m4/ax_check_catchable_abrt.m4 delete mode 100644 m4/pkg.m4 delete mode 100644 packaging/dotnet-core/desktop.targets create mode 100644 packaging/dotnet-core/recipes/linux-x64 create mode 100644 src/libsodium/crypto_pwhash/argon2/argon2-fill-block-avx512f.c create mode 100644 src/libsodium/crypto_pwhash/argon2/blamka-round-avx512f.h create mode 100644 src/libsodium/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c create mode 100644 src/libsodium/include/sodium/crypto_secretstream_xchacha20poly1305.h create mode 100644 src/libsodium/sodium/codecs.c create mode 100755 test/constcheck.sh create mode 100644 test/default/codecs.c create mode 100644 test/default/codecs.exp create mode 100644 test/default/metamorphic.c create mode 100644 test/default/metamorphic.exp create mode 100644 test/default/misuse.c create mode 100644 test/default/misuse.exp create mode 100644 test/default/secretstream.c create mode 100644 test/default/secretstream.exp diff --git a/.gitignore b/.gitignore index ef9853af..5a2e2a6f 100644 --- a/.gitignore +++ b/.gitignore 
@@ -99,6 +99,7 @@ test/default/box_easy2
 test/default/box_seal
 test/default/box_seed
 test/default/chacha20
+test/default/codecs
 test/default/core1
 test/default/core2
 test/default/core3
@@ -114,6 +115,8 @@ test/default/hash3
 test/default/kdf
 test/default/keygen
 test/default/kx
+test/default/metamorphic
+test/default/misuse
 test/default/onetimeauth
 test/default/onetimeauth2
 test/default/onetimeauth7
@@ -133,6 +136,7 @@ test/default/secretbox7
 test/default/secretbox8
 test/default/secretbox_easy
 test/default/secretbox_easy2
+test/default/secretstream
 test/default/shorthash
 test/default/sign
 test/default/siphashx24
diff --git a/.travis.yml b/.travis.yml
index 04acffb1..a0d298fe 100644
--- a/.travis.yml
+++ b/.travis.yml
@@ -10,30 +10,24 @@ compiler: - gcc - g++ -before_script: +install: - ./autogen.sh + - env CC=tcc CFLAGS='-w' ./configure --prefix=/tmp --disable-dependency-tracking --disable-shared || cat config.log + - make -j $(nproc) && make check && make install + - env CC=tcc CPPFLAGS='-I/tmp/include' LDFLAGS='-L/tmp/lib' LD_LIBRARY_PATH='/tmp/lib' ./test/constcheck.sh + - make uninstall + - make distclean script: - ./configure --disable-dependency-tracking - - > - if [ "$TRAVIS_OS_NAME" = 'linux' -a "$CC" = 'gcc' ]; then make CFLAGS='-g0' > /dev/null && cp src/libsodium/.libs/libsodium.so lib.so && make clean > /dev/null && make CFLAGS='-g0' CPPFLAGS='-DSODIUM_C99\(X\)=' > /dev/null && cp src/libsodium/.libs/libsodium.so lib-oldc.so && cmp lib.so lib-oldc.so && echo No binary changes && make clean > /dev/null ; fi + - if [ "$TRAVIS_OS_NAME" = 'linux' -a "$CC" = 'gcc' ]; then make -j $(nproc) CFLAGS='-g0' > /dev/null && cp src/libsodium/.libs/libsodium.so lib.so && make clean > /dev/null && make CFLAGS='-g0' CPPFLAGS='-DSODIUM_C99\(X\)=' > /dev/null && cp src/libsodium/.libs/libsodium.so lib-oldc.so && cmp lib.so lib-oldc.so && echo No binary changes && make clean > /dev/null ; fi - make distcheck - make distclean > /dev/null - ./configure --disable-dependency-tracking --enable-minimal - - make distcheck + - make check - ( echo '#include ' ; echo 'int main(void) { return sodium_init(); }' ) > /tmp/main.c && gcc -Isrc/libsodium/include -Isrc/libsodium/include/sodium $(find src -name '*.c' -o -name '*.S') /tmp/main.c -env: - global: - - secure: "OyX+ypmU5NLRiSsIg1HvaGYvlaHSN2S/0AyCIQt63PNdcG7o1xa9Sv1Tcujr/xuvSvNbchNVEyBvCbNgqp/R8kRRhNPqFo2pxMMjkEKrJQqOm8sjvwMqTV4k6axEq+WwKylQaNJSDq1G9n5J/s7hlVPaiKAjsOPKnMN5ThNAr8o=" - addons: - coverity_scan: - project: - name: jedisct1/libsodium - version: 1.0.13 - description: libsodium - notification_email: coverityscan@pureftpd.org - build_command_prepend: ./autogen.sh ; ./configure - build_command: make -j4 - branch_pattern: coverity_scan 
+ apt: + packages: + - tcc diff --git a/ChangeLog b/ChangeLog index a02b57d3..d6cac044 100644 --- a/ChangeLog +++ b/ChangeLog 
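Review bot: The new tcc configure step in the `install:` list, `env CC=tcc CFLAGS='-w' ./configure ... --disable-shared || cat config.log`, masks a configure failure, because the exit status of the list is that of `cat config.log`, which succeeds; the following `make -j $(nproc) && make check && make install` then fails on a missing Makefile rather than reporting the real configure error. Print the log and still fail the step: `... --disable-shared || { cat config.log; exit 1; }`. `CFLAGS='-w'` also silences every diagnostic from the tcc build, so anything tcc alone would report never reaches the CI log; if the flag is only there to keep the log short, consider documenting that with a comment on the line, e.g. `# -w: tcc warnings are noisy and not actionable here`.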
@@ -1,4 +1,51 @@
+* Version 1.0.14
+ - iOS binaries should now be compatible with WatchOS and TVOS.
+ - WebAssembly is now officially supported. Special thanks to
+@facekapow and @pepyakin who helped to make it happen.
+ - Internal consistency checks failing and primitives used with
+dangerous/out-of-bounds/invalid parameters used to call abort(3).
+Now, a custom handler *that doesn't return* can be set with the
+`set_sodium_misuse()` function. It still aborts by default or if the
+handler ever returns. This is not a replacement for non-fatal,
+expected runtime errors. This handler will be only called in
+unexpected situations due to potential bugs in the library or in
+language bindings.
+ - `*_MESSAGEBYTES_MAX` macros (and the corresponding
+`_messagebytes_max()` symbols) have been added to represent the
+maximum message size that can be safely handled by a primitive.
+Language bindings are encouraged to check user inputs against these
+maximum lengths.
+ - The test suite has been extended to cover more edge cases.
+ - crypto_sign_ed25519_pk_to_curve25519() now rejects points that are
+not on the curve, or not in the main subgroup.
+ - Further changes have been made to ensure that smart compilers will
+not optimize out code that we don't want to be optimized.
+ - Visual Studio solutions are now included in distribution tarballs.
+ - The `sodium_runtime_has_*` symbols for CPU features detection are
+now defined as weak symbols, i.e. they can be replaced with an
+application-defined implementation. This can be useful to disable
+AVX* when temperature/power consumption is a concern.
+ - `crypto_kx_*()` now aborts if called with no non-NULL pointers to
+store keys to.
+ - SSE2 implementations of `crypto_verify_*()` have been added.
+ - Passwords can be hashed using a specific algorithm with the new
+`crypto_pwhash_str_alg()` function.
+ - Due to popular demand, base64 encoding (`sodium_bin2base64()`) and
+decoding (`sodium_base642bin()`) have been implemented.
+ - A new `crypto_secretstream_*()` API was added to safely encrypt files +and multi-part messages. + - The `sodium_pad()` and `sodium_unpad()` helper functions have been +added in order to add & remove padding. + - An AVX512 optimized implementation of Argon2 has been added (written +by Ondrej Mosnáček, thanks!) + - The `crypto_pwhash_str_needs_rehash()` function was added to check if +a password hash string matches the given parameters, or if it needs an +update. + - The library can now be compiled with recent versions of +emscripten/binaryen that don't allow multiple variables declarations +using a single `var` statement. + * Version 1.0.13 - Javascript: the sumo builds now include all symbols. They were previously limited to symbols defined in minimal builds. diff --git a/Makefile.am b/Makefile.am index 2f777b36..1f43ff31 100644 --- a/Makefile.am +++ b/Makefile.am @@ -10,6 +10,7 @@ EXTRA_DIST = \ THANKS SUBDIRS = \ + builds \ contrib \ dist-build \ msvc-scripts \ diff --git a/README.markdown b/README.markdown index 54e988db..8e406e7f 100644 --- a/README.markdown +++ b/README.markdown @@ -1,7 +1,6 @@ [![Build Status](https://travis-ci.org/jedisct1/libsodium.svg?branch=master)](https://travis-ci.org/jedisct1/libsodium?branch=master) [![Windows build status](https://ci.appveyor.com/api/projects/status/fu8s2elx25il98hj?svg=true)](https://ci.appveyor.com/project/jedisct1/libsodium) [![Coverity Scan Build Status](https://scan.coverity.com/projects/2397/badge.svg)](https://scan.coverity.com/projects/2397) -[![Make a donation to support this project](https://img.shields.io/badge/donate-PayPal-green.svg?style=flat)](https://www.libsodium.org/donate) ![libsodium](https://raw.github.com/jedisct1/libsodium/master/logo.png) ============ 
@@ -21,8 +20,7 @@ including Windows (with MingW or Visual Studio, x86 and x64), iOS and Android. ## Documentation -The documentation is a work-in-progress, and is being written using -Gitbook: +The documentation is available on Gitbook: * [libsodium documentation](https://download.libsodium.org/doc/) - online, requires Javascript. diff --git a/THANKS b/THANKS index b8b69be3..0d0da788 100644 --- a/THANKS +++ b/THANKS @@ -1,3 +1,6 @@ +Special thanks to people, companies and organizations having written +libsodium bindings for their favorite programming languages: + @alethia7 @artemisc @carblue @@ -45,6 +48,7 @@ Jeroen Habraken (@VeXocide) Jeroen Ooms (@jeroen) Jesper Louis Andersen (@jlouis) Joe Eli McIlvain (@jemc) +Jonathan Stowe (@jonathanstowe) Joseph Abrahamson (@tel) Julien Kauffmann (@ereOn) Kenneth Ballenegger (@kballenegger) @@ -70,12 +74,18 @@ Tony Garnock-Jones (@tonyg) Y. T. Chung (@zonyitoo) Bytecurry Software -Cisco -Coverity, Inc. Cryptotronix +Facebook FSF France MaidSafe -OVH Paragonie Initiative Enterprises Python Cryptographic Authority +(this list may not be complete, if you don't see your name, please +submit a pull request!) + +Also thanks to: + +- Coverity, Inc. to provide static analysis. +- FSF France for providing access to their compilation servers. +- Private Internet Access for having sponsored a complete security audit. diff --git a/builds/Makefile.am b/builds/Makefile.am new file mode 100644 index 00000000..4d0cc469 --- /dev/null +++ b/builds/Makefile.am 
@@ -0,0 +1,65 @@ +EXTRA_DIST = \ + msvc/build/buildall.bat \ + msvc/build/buildbase.bat \ + msvc/properties/Common.props \ + msvc/properties/Debug.props \ + msvc/properties/DebugDEXE.props \ + msvc/properties/DebugDLL.props \ + msvc/properties/DebugLEXE.props \ + msvc/properties/DebugLIB.props \ + msvc/properties/DebugLTCG.props \ + msvc/properties/DebugSEXE.props \ + msvc/properties/DLL.props \ + msvc/properties/EXE.props \ + msvc/properties/LIB.props \ + msvc/properties/Link.props \ + msvc/properties/LTCG.props \ + msvc/properties/Messages.props \ + msvc/properties/Output.props \ + msvc/properties/Release.props \ + msvc/properties/ReleaseDEXE.props \ + msvc/properties/ReleaseDLL.props \ + msvc/properties/ReleaseLEXE.props \ + msvc/properties/ReleaseLIB.props \ + msvc/properties/ReleaseLTCG.props \ + msvc/properties/ReleaseSEXE.props \ + msvc/properties/Win32.props \ + msvc/properties/x64.props \ + msvc/resource.h \ + msvc/resource.rc \ + msvc/version.h \ + msvc/vs2010/libsodium/libsodium.props \ + msvc/vs2010/libsodium/libsodium.vcxproj \ + msvc/vs2010/libsodium/libsodium.vcxproj.filters \ + msvc/vs2010/libsodium/libsodium.xml \ + msvc/vs2010/libsodium.import.props \ + msvc/vs2010/libsodium.import.xml \ + msvc/vs2010/libsodium.sln \ + msvc/vs2012/libsodium/libsodium.props \ + msvc/vs2012/libsodium/libsodium.vcxproj \ + msvc/vs2012/libsodium/libsodium.vcxproj.filters \ + msvc/vs2012/libsodium/libsodium.xml \ + msvc/vs2012/libsodium.import.props \ + msvc/vs2012/libsodium.import.xml \ + msvc/vs2012/libsodium.sln \ + msvc/vs2013/libsodium/libsodium.props \ + msvc/vs2013/libsodium/libsodium.vcxproj \ + msvc/vs2013/libsodium/libsodium.vcxproj.filters \ + msvc/vs2013/libsodium/libsodium.xml \ + msvc/vs2013/libsodium.import.props \ + msvc/vs2013/libsodium.import.xml \ + msvc/vs2013/libsodium.sln \ + msvc/vs2015/libsodium/libsodium.props \ + msvc/vs2015/libsodium/libsodium.vcxproj \ + msvc/vs2015/libsodium/libsodium.vcxproj.filters \ + msvc/vs2015/libsodium/libsodium.xml 
\ + msvc/vs2015/libsodium.import.props \ + msvc/vs2015/libsodium.import.xml \ + msvc/vs2015/libsodium.sln \ + msvc/vs2017/libsodium/libsodium.props \ + msvc/vs2017/libsodium/libsodium.vcxproj \ + msvc/vs2017/libsodium/libsodium.vcxproj.filters \ + msvc/vs2017/libsodium/libsodium.xml \ + msvc/vs2017/libsodium.import.props \ + msvc/vs2017/libsodium.import.xml \ + msvc/vs2017/libsodium.sln diff --git a/builds/msvc/resource.rc b/builds/msvc/resource.rc index 4617c25c..38c21d05 100644 --- a/builds/msvc/resource.rc +++ b/builds/msvc/resource.rc @@ -4,8 +4,8 @@ #include "windows.h" //specify the version numbers for the dll's -#define LIBSODIUM_VERSION_STRING "1.0.13.0" -#define LIBSODIUM_VERSION_BIN 1,0,13,0 +#define LIBSODIUM_VERSION_STRING "1.0.14.0" +#define LIBSODIUM_VERSION_BIN 1,0,14,0 //specify the product name for the dlls based on the platform we are compiling for #if defined(x64) diff --git a/builds/msvc/version.h b/builds/msvc/version.h index ce7bd1f7..5540b998 100644 --- a/builds/msvc/version.h +++ b/builds/msvc/version.h @@ -4,10 +4,10 @@ #include "export.h" -#define SODIUM_VERSION_STRING "1.0.13" +#define SODIUM_VERSION_STRING "1.0.14" #define SODIUM_LIBRARY_VERSION_MAJOR 9 -#define SODIUM_LIBRARY_VERSION_MINOR 5 +#define SODIUM_LIBRARY_VERSION_MINOR 6 #ifdef __cplusplus extern "C" { diff --git a/builds/msvc/vs2010/libsodium/libsodium.vcxproj b/builds/msvc/vs2010/libsodium/libsodium.vcxproj index 122b5330..b8a3a6f4 100644 --- a/builds/msvc/vs2010/libsodium/libsodium.vcxproj +++ b/builds/msvc/vs2010/libsodium/libsodium.vcxproj @@ -119,6 +119,7 @@ + @@ -142,6 +143,7 @@ + @@ -181,6 +183,7 @@ + @@ -206,6 +209,7 @@ + @@ -280,6 +284,7 @@ + @@ -303,6 +308,7 @@ + diff --git a/builds/msvc/vs2010/libsodium/libsodium.vcxproj.filters b/builds/msvc/vs2010/libsodium/libsodium.vcxproj.filters index 99cfa569..f3453f82 100644 --- a/builds/msvc/vs2010/libsodium/libsodium.vcxproj.filters +++ b/builds/msvc/vs2010/libsodium/libsodium.vcxproj.filters 
@@ -20,6 +20,9 @@ packaging + + + crypto_aead\aes256gcm\aesni @@ -147,6 +150,9 @@ crypto_pwhash\argon2 + + crypto_pwhash\argon2 + crypto_pwhash\argon2 @@ -216,6 +222,9 @@ crypto_secretbox\xsalsa20poly1305 + + crypto_secretstream\xchacha20poly1305 + crypto_shorthash @@ -333,6 +342,9 @@ randombytes\sysrandom + + sodium + sodium @@ -404,6 +416,9 @@ crypto_pwhash\argon2 + + crypto_pwhash\argon2 + crypto_pwhash\argon2 @@ -626,6 +641,9 @@ include\sodium + + include\sodium + include\sodium @@ -695,6 +713,9 @@ include\sodium + + include\sodium + include\sodium\private @@ -862,6 +883,12 @@ {8bf11d29-2f5a-3f10-8ae6-82229d19c5b0} + + {62f7ae38-4ce6-3976-acc3-47c462db4fbe} + + + {e07a28cd-775a-3798-bfdb-97842d3614d6} + {bb073c16-adc8-3cff-80b9-99cf5a28de6c} diff --git a/builds/msvc/vs2012/libsodium/libsodium.vcxproj b/builds/msvc/vs2012/libsodium/libsodium.vcxproj index 2430855f..6c6d8f15 100644 --- a/builds/msvc/vs2012/libsodium/libsodium.vcxproj +++ b/builds/msvc/vs2012/libsodium/libsodium.vcxproj @@ -119,6 +119,7 @@ + @@ -142,6 +143,7 @@ + @@ -181,6 +183,7 @@ + @@ -206,6 +209,7 @@ + @@ -280,6 +284,7 @@ + @@ -303,6 +308,7 @@ + diff --git a/builds/msvc/vs2012/libsodium/libsodium.vcxproj.filters b/builds/msvc/vs2012/libsodium/libsodium.vcxproj.filters index 99cfa569..f3453f82 100644 --- a/builds/msvc/vs2012/libsodium/libsodium.vcxproj.filters +++ b/builds/msvc/vs2012/libsodium/libsodium.vcxproj.filters @@ -20,6 +20,9 @@ packaging + + + crypto_aead\aes256gcm\aesni @@ -147,6 +150,9 @@ crypto_pwhash\argon2 + + crypto_pwhash\argon2 + crypto_pwhash\argon2 @@ -216,6 +222,9 @@ crypto_secretbox\xsalsa20poly1305 + + crypto_secretstream\xchacha20poly1305 + crypto_shorthash @@ -333,6 +342,9 @@ randombytes\sysrandom + + sodium + sodium @@ -404,6 +416,9 @@ crypto_pwhash\argon2 + + crypto_pwhash\argon2 + crypto_pwhash\argon2 @@ -626,6 +641,9 @@ include\sodium + + include\sodium + include\sodium @@ -695,6 +713,9 @@ include\sodium + + include\sodium + include\sodium\private 
@@ -862,6 +883,12 @@ {8bf11d29-2f5a-3f10-8ae6-82229d19c5b0} + + {62f7ae38-4ce6-3976-acc3-47c462db4fbe} + + + {e07a28cd-775a-3798-bfdb-97842d3614d6} + {bb073c16-adc8-3cff-80b9-99cf5a28de6c} diff --git a/builds/msvc/vs2013/libsodium/libsodium.vcxproj b/builds/msvc/vs2013/libsodium/libsodium.vcxproj index d4fa9fb2..4a800f41 100644 --- a/builds/msvc/vs2013/libsodium/libsodium.vcxproj +++ b/builds/msvc/vs2013/libsodium/libsodium.vcxproj @@ -119,6 +119,7 @@ + @@ -142,6 +143,7 @@ + @@ -181,6 +183,7 @@ + @@ -206,6 +209,7 @@ + @@ -280,6 +284,7 @@ + @@ -303,6 +308,7 @@ + diff --git a/builds/msvc/vs2013/libsodium/libsodium.vcxproj.filters b/builds/msvc/vs2013/libsodium/libsodium.vcxproj.filters index 99cfa569..f3453f82 100644 --- a/builds/msvc/vs2013/libsodium/libsodium.vcxproj.filters +++ b/builds/msvc/vs2013/libsodium/libsodium.vcxproj.filters @@ -20,6 +20,9 @@ packaging + + + crypto_aead\aes256gcm\aesni @@ -147,6 +150,9 @@ crypto_pwhash\argon2 + + crypto_pwhash\argon2 + crypto_pwhash\argon2 @@ -216,6 +222,9 @@ crypto_secretbox\xsalsa20poly1305 + + crypto_secretstream\xchacha20poly1305 + crypto_shorthash @@ -333,6 +342,9 @@ randombytes\sysrandom + + sodium + sodium @@ -404,6 +416,9 @@ crypto_pwhash\argon2 + + crypto_pwhash\argon2 + crypto_pwhash\argon2 @@ -626,6 +641,9 @@ include\sodium + + include\sodium + include\sodium @@ -695,6 +713,9 @@ include\sodium + + include\sodium + include\sodium\private @@ -862,6 +883,12 @@ {8bf11d29-2f5a-3f10-8ae6-82229d19c5b0} + + {62f7ae38-4ce6-3976-acc3-47c462db4fbe} + + + {e07a28cd-775a-3798-bfdb-97842d3614d6} + {bb073c16-adc8-3cff-80b9-99cf5a28de6c} diff --git a/builds/msvc/vs2015/libsodium/libsodium.vcxproj b/builds/msvc/vs2015/libsodium/libsodium.vcxproj index 87379646..65cd6e47 100644 --- a/builds/msvc/vs2015/libsodium/libsodium.vcxproj +++ b/builds/msvc/vs2015/libsodium/libsodium.vcxproj @@ -119,6 +119,7 @@ + @@ -142,6 +143,7 @@ + @@ -181,6 +183,7 @@ + @@ -206,6 +209,7 @@ + @@ -280,6 +284,7 @@ + @@ -303,6 +308,7 @@ + 
diff --git a/builds/msvc/vs2015/libsodium/libsodium.vcxproj.filters b/builds/msvc/vs2015/libsodium/libsodium.vcxproj.filters index 99cfa569..f3453f82 100644 --- a/builds/msvc/vs2015/libsodium/libsodium.vcxproj.filters +++ b/builds/msvc/vs2015/libsodium/libsodium.vcxproj.filters @@ -20,6 +20,9 @@ packaging + + + crypto_aead\aes256gcm\aesni @@ -147,6 +150,9 @@ crypto_pwhash\argon2 + + crypto_pwhash\argon2 + crypto_pwhash\argon2 @@ -216,6 +222,9 @@ crypto_secretbox\xsalsa20poly1305 + + crypto_secretstream\xchacha20poly1305 + crypto_shorthash @@ -333,6 +342,9 @@ randombytes\sysrandom + + sodium + sodium @@ -404,6 +416,9 @@ crypto_pwhash\argon2 + + crypto_pwhash\argon2 + crypto_pwhash\argon2 @@ -626,6 +641,9 @@ include\sodium + + include\sodium + include\sodium @@ -695,6 +713,9 @@ include\sodium + + include\sodium + include\sodium\private @@ -862,6 +883,12 @@ {8bf11d29-2f5a-3f10-8ae6-82229d19c5b0} + + {62f7ae38-4ce6-3976-acc3-47c462db4fbe} + + + {e07a28cd-775a-3798-bfdb-97842d3614d6} + {bb073c16-adc8-3cff-80b9-99cf5a28de6c} diff --git a/builds/msvc/vs2017/libsodium/libsodium.vcxproj b/builds/msvc/vs2017/libsodium/libsodium.vcxproj index 8b59d53e..4629e406 100644 --- a/builds/msvc/vs2017/libsodium/libsodium.vcxproj +++ b/builds/msvc/vs2017/libsodium/libsodium.vcxproj @@ -119,6 +119,7 @@ + @@ -142,6 +143,7 @@ + @@ -181,6 +183,7 @@ + @@ -206,6 +209,7 @@ + @@ -280,6 +284,7 @@ + @@ -303,6 +308,7 @@ + diff --git a/builds/msvc/vs2017/libsodium/libsodium.vcxproj.filters b/builds/msvc/vs2017/libsodium/libsodium.vcxproj.filters index 99cfa569..f3453f82 100644 --- a/builds/msvc/vs2017/libsodium/libsodium.vcxproj.filters +++ b/builds/msvc/vs2017/libsodium/libsodium.vcxproj.filters @@ -20,6 +20,9 @@ packaging + + + crypto_aead\aes256gcm\aesni @@ -147,6 +150,9 @@ crypto_pwhash\argon2 + + crypto_pwhash\argon2 + crypto_pwhash\argon2 @@ -216,6 +222,9 @@ crypto_secretbox\xsalsa20poly1305 + + crypto_secretstream\xchacha20poly1305 + crypto_shorthash 
@@ -333,6 +342,9 @@ randombytes\sysrandom + + sodium + sodium @@ -404,6 +416,9 @@ crypto_pwhash\argon2 + + crypto_pwhash\argon2 + crypto_pwhash\argon2 @@ -626,6 +641,9 @@ include\sodium + + include\sodium + include\sodium @@ -695,6 +713,9 @@ include\sodium + + include\sodium + include\sodium\private @@ -862,6 +883,12 @@ {8bf11d29-2f5a-3f10-8ae6-82229d19c5b0} + + {62f7ae38-4ce6-3976-acc3-47c462db4fbe} + + + {e07a28cd-775a-3798-bfdb-97842d3614d6} + {bb073c16-adc8-3cff-80b9-99cf5a28de6c} diff --git a/configure.ac b/configure.ac index e7c71857..71a2443a 100644 --- a/configure.ac +++ b/configure.ac @@ -1,5 +1,5 @@ AC_PREREQ([2.65]) -AC_INIT([libsodium],[1.0.13], +AC_INIT([libsodium],[1.0.14], [https://github.com/jedisct1/libsodium/issues], [libsodium], [https://github.com/jedisct1/libsodium]) @@ -17,9 +17,9 @@ ISODATE=`date +%Y-%m-%d` AC_SUBST(ISODATE) SODIUM_LIBRARY_VERSION_MAJOR=9 -SODIUM_LIBRARY_VERSION_MINOR=5 +SODIUM_LIBRARY_VERSION_MINOR=6 DLL_VERSION=8 -SODIUM_LIBRARY_VERSION=21:0:3 +SODIUM_LIBRARY_VERSION=22:0:4 # | | | # +------+ | +---+ # | | | @@ -74,8 +74,14 @@ AC_ARG_ENABLE(asm, ]) AS_IF([test "x$EMSCRIPTEN" != "x"], [ - enable_asm="no" - AC_MSG_WARN([compiling to JavaScript - asm implementations disabled]) + AX_CHECK_COMPILE_FLAG([-s ASSERTIONS=0], [ + enable_asm="no" + AC_MSG_WARN([compiling to JavaScript - asm implementations disabled]) + ], [ + AC_MSG_WARN([EMSCRIPTEN environment variable defined, but emcc doesn't appear to be used - Assuming compilation to native code]) + CFLAGS="$CFLAGS -U__EMSCRIPTEN__" + unset EMSCRIPTEN + ]) ]) AS_IF([test "$host_os" = "nacl" -o "$host_os" = "pnacl"], [ enable_asm="no" 
@@ -236,6 +242,13 @@ AS_CASE([$host_os], AX_CHECK_LINK_FLAG([-Wl,--nxcompat], [LDFLAGS="$LDFLAGS -Wl,--nxcompat"]) ]) +AS_CASE([$host_os], + [cygwin*|mingw*|msys|pw32*|cegcc*], [ + AX_CHECK_COMPILE_FLAG([-fno-asynchronous-unwind-tables], [ + [CFLAGS="$CFLAGS -fno-asynchronous-unwind-tables"] + ]) +]) + AS_IF([test "x$enable_ssp" != "xno"],[ AS_CASE([$host_os], @@ -261,7 +274,7 @@ AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wextra], [CWFLAGS="$CWFLAGS -Wextra"]) AC_MSG_CHECKING(for clang) AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[ #ifndef __clang__ -be sad +#error Not clang #endif ]])], [AC_MSG_RESULT(yes) 
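Review bot: The action at `[CFLAGS="$CFLAGS -fno-asynchronous-unwind-tables"]` is wrapped in an extra pair of m4 quotes that none of the neighbouring AX_CHECK_COMPILE_FLAG / AX_CHECK_LINK_FLAG calls use; m4 strips one level so the assignment still runs, but `AX_CHECK_COMPILE_FLAG([-fno-asynchronous-unwind-tables], [CFLAGS="$CFLAGS -fno-asynchronous-unwind-tables"])` matches the `--nxcompat` check just above it. A `dnl` line explaining why the tables are dropped only on cygwin/mingw/msys/pw32/cegcc targets would also help the next maintainer: on x86_64 Windows the unwind data is what SEH-based unwinding and stack walks through libsodium frames rely on if the toolchain honours the flag, so presumably this works around a toolchain issue rather than saving space, but the hunk does not say which.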
@@ -280,22 +293,37 @@ AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wformat=2], [CWFLAGS="$CWFLAGS -Wformat=2"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wmissing-declarations], [CWFLAGS="$CWFLAGS -Wmissing-declarations"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wmissing-prototypes], [CWFLAGS="$CWFLAGS -Wmissing-prototypes"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wnested-externs], [CWFLAGS="$CWFLAGS -Wnested-externs"]) +AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wno-type-limits], [CWFLAGS="$CWFLAGS -Wno-type-limits"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wno-unknown-pragmas], [CWFLAGS="$CWFLAGS -Wno-unknown-pragmas"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wnormalized=id], [CWFLAGS="$CWFLAGS -Wnormalized=id"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wnull-dereference], [CWFLAGS="$CWFLAGS -Wnull-dereference"]) +AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wold-style-declaration], [CWFLAGS="$CWFLAGS -Wold-style-declaration"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wpointer-arith], [CWFLAGS="$CWFLAGS -Wpointer-arith"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wredundant-decls], [CWFLAGS="$CWFLAGS -Wredundant-decls"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wshorten-64-to-32], [CWFLAGS="$CWFLAGS -Wshorten-64-to-32"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wstrict-prototypes], [CWFLAGS="$CWFLAGS -Wstrict-prototypes"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wswitch-enum], [CWFLAGS="$CWFLAGS -Wswitch-enum"]) AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wvariable-decl], [CWFLAGS="$CWFLAGS -Wvariable-decl"]) -AX_CHECK_COMPILE_FLAG([$CWFLAGS -Wno-type-limits], [CWFLAGS="$CWFLAGS -Wno-type-limits"]) AX_CHECK_LINK_FLAG([-Wl,-z,relro], [LDFLAGS="$LDFLAGS -Wl,-z,relro"]) AX_CHECK_LINK_FLAG([-Wl,-z,now], [LDFLAGS="$LDFLAGS -Wl,-z,now"]) AX_CHECK_LINK_FLAG([-Wl,-z,noexecstack], [LDFLAGS="$LDFLAGS -Wl,-z,noexecstack"]) +AC_MSG_CHECKING(for a broken clang + AVX512 combination) +AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[]], [[ +#if !(defined(__AVX512F__) && defined(__clang__) && __clang_major__ < 4) +#error Not a broken clang + AVX512 combination +#endif +]])], + [AC_MSG_RESULT(yes - disabling AVX512 
optimizations) + AX_CHECK_COMPILE_FLAG([$CFLAGS -mno-avx512f], + [CFLAGS="$CFLAGS -mno-avx512f"]) + ], + [AC_MSG_RESULT(no) +]) + AX_CHECK_CATCHABLE_SEGV +AX_CHECK_CATCHABLE_ABRT LT_INIT AC_SUBST(LIBTOOL_DEPS) @@ -426,6 +454,25 @@ return _mm256_movemask_ps(_mm256_cmp_ps(x, y, _CMP_NEQ_OQ)); [AC_MSG_RESULT(no)]) CFLAGS="$oldcflags" + oldcflags="$CFLAGS" + AX_CHECK_COMPILE_FLAG([-mavx512f], [CFLAGS="$CFLAGS -mavx512f"]) + AC_MSG_CHECKING(for AVX512F instructions set) + AC_COMPILE_IFELSE([AC_LANG_PROGRAM([[ +#ifdef __native_client__ +# error NativeClient detected - Avoiding AVX512F opcodes +#endif +#pragma GCC target("avx512f") +#include +]], [[ +__m512i x = _mm512_setzero_epi32(); +__m512i y = _mm512_permutexvar_epi64(_mm512_setr_epi64(0, 1, 4, 5, 2, 3, 6, 7), x); +]])], + [AC_MSG_RESULT(yes) + AC_DEFINE([HAVE_AVX512FINTRIN_H], [1], [AVX512F is available]) + AX_CHECK_COMPILE_FLAG([-mavx512f], [CFLAGS_AVX512F="-mavx512f"])], + [AC_MSG_RESULT(no)]) + CFLAGS="$oldcflags" + oldcflags="$CFLAGS" AX_CHECK_COMPILE_FLAG([-maes], [CFLAGS="$CFLAGS -maes"]) AX_CHECK_COMPILE_FLAG([-mpclmul], [CFLAGS="$CFLAGS -mpclmul"]) @@ -456,6 +503,7 @@ AC_SUBST(CFLAGS_SSSE3) AC_SUBST(CFLAGS_SSE41) AC_SUBST(CFLAGS_AVX) AC_SUBST(CFLAGS_AVX2) +AC_SUBST(CFLAGS_AVX512F) AC_SUBST(CFLAGS_AESNI) AC_SUBST(CFLAGS_PCLMUL) @@ -686,7 +734,7 @@ dnl Checks for functions and headers AS_IF([test "x$EMSCRIPTEN" = "x"],[ AC_CHECK_FUNCS([arc4random arc4random_buf]) - AC_CHECK_FUNCS([mmap mlock madvise mprotect explicit_bzero nanosleep]) + AC_CHECK_FUNCS([mmap mlock madvise mprotect memset_s explicit_bzero nanosleep]) ]) AC_CHECK_FUNCS([posix_memalign getpid]) @@ -718,6 +766,7 @@ AH_VERBATIM([NDEBUG], [/* Always evaluate assert() calls */ #endif]) AC_CONFIG_FILES([Makefile + builds/Makefile contrib/Makefile dist-build/Makefile libsodium.pc diff --git a/contrib/Findsodium.cmake b/contrib/Findsodium.cmake index ad7031e5..9d306d15 100644 --- a/contrib/Findsodium.cmake +++ b/contrib/Findsodium.cmake 
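Review bot: The `-mno-avx512f` workaround in the "broken clang + AVX512" branch is appended to `$CFLAGS` only, and the AVX512F probe later in this file (`AX_CHECK_COMPILE_FLAG([-mavx512f], [CFLAGS="$CFLAGS -mavx512f"])`) appends `-mavx512f` after it, so for that probe the last flag wins, `__AVX512F__` is defined again and `CFLAGS_AVX512F` is still set; the objects built with `$(CFLAGS_AVX512F)` would then presumably be compiled by the very compiler combination this check declares broken. Recording the result, e.g. `avx512_broken=yes` next to the `-mno-avx512f` assignment in the `yes` branch, and guarding the later probe with `AS_IF([test "x$avx512_broken" != "xyes"], [ ... ])`, keeps the workaround effective for every translation unit. The AVX512F probe itself is in a separate hunk below this one.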
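Review bot: Adding `memset_s` to `AC_CHECK_FUNCS` only proves that a `memset_s` symbol links; autoconf compiles the probe against its own dummy prototype, not `<string.h>`. On the libcs that ship it (Annex K implementations, macOS, FreeBSD) the prototype is only visible when `__STDC_WANT_LIB_EXT1__` is defined before `<string.h>` is included, so whichever source file selects on `HAVE_MEMSET_S` needs `#define __STDC_WANT_LIB_EXT1__ 1` ahead of its includes, otherwise a secure-wipe primitive ends up compiled against an implicit declaration. That consumer is not in this diff, so this is worth confirming; alternatively probe the declaration directly with `AC_CHECK_DECLS([memset_s], [], [], [[#define __STDC_WANT_LIB_EXT1__ 1` followed by `#include <string.h>]])` so the configure result reflects what the compiler will actually see.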
@@ -130,6 +130,7 @@ elseif (WIN32) PATH_SUFFIXES ${_RELEASE_PATH_SUFFIX} ) if (NOT sodium_USE_STATIC_LIBS) + set(CMAKE_FIND_LIBRARY_SUFFIXES_BCK ${CMAKE_FIND_LIBRARY_SUFFIXES}) set(CMAKE_FIND_LIBRARY_SUFFIXES ".dll") find_library(sodium_DLL_DEBUG libsodium HINTS ${sodium_DIR} @@ -139,6 +140,7 @@ elseif (WIN32) HINTS ${sodium_DIR} PATH_SUFFIXES ${_RELEASE_PATH_SUFFIX} ) + set(CMAKE_FIND_LIBRARY_SUFFIXES ${CMAKE_FIND_LIBRARY_SUFFIXES_BCK}) endif() elseif(_GCC_COMPATIBLE) diff --git a/dist-build/Makefile.am b/dist-build/Makefile.am index 3d0a0e63..d01107b9 100644 --- a/dist-build/Makefile.am +++ b/dist-build/Makefile.am @@ -9,6 +9,7 @@ EXTRA_DIST = \ android-x86.sh \ android-x86_64.sh \ emscripten.sh \ + emscripten-wasm.sh \ ios.sh \ msys2-win32.sh \ msys2-win64.sh \ diff --git a/dist-build/emscripten-symbols.def b/dist-build/emscripten-symbols.def index 0f3f8040..45b824bc 100644 --- a/dist-build/emscripten-symbols.def +++ b/dist-build/emscripten-symbols.def @@ -11,6 +11,7 @@ _crypto_aead_aes256gcm_encrypt_detached_afternm 0 0 _crypto_aead_aes256gcm_is_available 0 0 _crypto_aead_aes256gcm_keybytes 0 0 _crypto_aead_aes256gcm_keygen 0 0 +_crypto_aead_aes256gcm_messagebytes_max 0 0 _crypto_aead_aes256gcm_npubbytes 0 0 _crypto_aead_aes256gcm_nsecbytes 0 0 _crypto_aead_aes256gcm_statebytes 0 0 
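Review bot: The save/restore added around the `.dll` lookup uses `CMAKE_FIND_LIBRARY_SUFFIXES_BCK`, a name in the `CMAKE_` prefix that CMake reserves for its own variables, and it stays defined in the caller's scope after the restore. A module-private name, `set(_sodium_find_library_suffixes_bck ${CMAKE_FIND_LIBRARY_SUFFIXES})` paired with `set(CMAKE_FIND_LIBRARY_SUFFIXES ${_sodium_find_library_suffixes_bck})` and an `unset(_sodium_find_library_suffixes_bck)` after it, keeps the find module from leaking state into projects that include it. The restore itself is placed correctly: both the `set` and the restore sit inside the same `if (NOT sodium_USE_STATIC_LIBS)` block, so the suffix list is only overridden for the DLL lookup.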
@@ -25,13 +26,15 @@ _crypto_aead_chacha20poly1305_ietf_decrypt_detached 1 1 _crypto_aead_chacha20poly1305_ietf_encrypt 1 1 _crypto_aead_chacha20poly1305_ietf_encrypt_detached 1 1 _crypto_aead_chacha20poly1305_ietf_keybytes 1 1 +_crypto_aead_chacha20poly1305_ietf_keygen 1 1 +_crypto_aead_chacha20poly1305_ietf_messagebytes_max 0 0 _crypto_aead_chacha20poly1305_ietf_npubbytes 1 1 _crypto_aead_chacha20poly1305_ietf_nsecbytes 1 1 _crypto_aead_chacha20poly1305_keybytes 1 1 +_crypto_aead_chacha20poly1305_keygen 1 1 +_crypto_aead_chacha20poly1305_messagebytes_max 0 0 _crypto_aead_chacha20poly1305_npubbytes 1 1 _crypto_aead_chacha20poly1305_nsecbytes 1 1 -_crypto_aead_chacha20poly1305_ietf_keygen 1 1 -_crypto_aead_chacha20poly1305_keygen 1 1 _crypto_aead_xchacha20poly1305_ietf_abytes 1 1 _crypto_aead_xchacha20poly1305_ietf_decrypt 1 1 _crypto_aead_xchacha20poly1305_ietf_decrypt_detached 1 1 @@ -39,6 +42,7 @@ _crypto_aead_xchacha20poly1305_ietf_encrypt 1 1 _crypto_aead_xchacha20poly1305_ietf_encrypt_detached 1 1 _crypto_aead_xchacha20poly1305_ietf_keybytes 1 1 _crypto_aead_xchacha20poly1305_ietf_keygen 1 1 +_crypto_aead_xchacha20poly1305_ietf_messagebytes_max 0 0 _crypto_aead_xchacha20poly1305_ietf_npubbytes 1 1 _crypto_aead_xchacha20poly1305_ietf_nsecbytes 1 1 _crypto_auth 1 1 @@ -87,6 +91,7 @@ _crypto_box_curve25519xchacha20poly1305_easy 0 1 _crypto_box_curve25519xchacha20poly1305_easy_afternm 0 1 _crypto_box_curve25519xchacha20poly1305_keypair 0 1 _crypto_box_curve25519xchacha20poly1305_macbytes 0 1 +_crypto_box_curve25519xchacha20poly1305_messagebytes_max 0 0 _crypto_box_curve25519xchacha20poly1305_noncebytes 0 1 _crypto_box_curve25519xchacha20poly1305_open_detached 0 1 _crypto_box_curve25519xchacha20poly1305_open_detached_afternm 0 1 
@@ -106,6 +111,7 @@ _crypto_box_curve25519xsalsa20poly1305_beforenmbytes 0 1 _crypto_box_curve25519xsalsa20poly1305_boxzerobytes 0 1 _crypto_box_curve25519xsalsa20poly1305_keypair 0 1 _crypto_box_curve25519xsalsa20poly1305_macbytes 0 1 +_crypto_box_curve25519xsalsa20poly1305_messagebytes_max 0 0 _crypto_box_curve25519xsalsa20poly1305_noncebytes 0 1 _crypto_box_curve25519xsalsa20poly1305_open 0 1 _crypto_box_curve25519xsalsa20poly1305_open_afternm 0 1 @@ -120,6 +126,7 @@ _crypto_box_easy 1 1 _crypto_box_easy_afternm 1 1 _crypto_box_keypair 1 1 _crypto_box_macbytes 1 1 +_crypto_box_messagebytes_max 0 0 _crypto_box_noncebytes 1 1 _crypto_box_open 0 1 _crypto_box_open_afternm 0 1 
@@ -247,29 +254,30 @@ _crypto_onetimeauth_update 0 1 _crypto_onetimeauth_verify 0 1 _crypto_pwhash 0 1 _crypto_pwhash_alg_argon2i13 0 1 +_crypto_pwhash_alg_argon2id13 0 1 _crypto_pwhash_alg_default 0 1 _crypto_pwhash_argon2i 0 1 _crypto_pwhash_argon2i_alg_argon2i13 0 1 _crypto_pwhash_argon2i_bytes_max 0 1 _crypto_pwhash_argon2i_bytes_min 0 1 _crypto_pwhash_argon2i_memlimit_interactive 0 1 -_crypto_pwhash_argon2i_memlimit_moderate 0 1 -_crypto_pwhash_argon2i_memlimit_sensitive 0 1 _crypto_pwhash_argon2i_memlimit_max 0 1 _crypto_pwhash_argon2i_memlimit_min 0 1 +_crypto_pwhash_argon2i_memlimit_moderate 0 1 +_crypto_pwhash_argon2i_memlimit_sensitive 0 1 _crypto_pwhash_argon2i_opslimit_interactive 0 1 -_crypto_pwhash_argon2i_opslimit_moderate 0 1 -_crypto_pwhash_argon2i_opslimit_sensitive 0 1 _crypto_pwhash_argon2i_opslimit_max 0 1 _crypto_pwhash_argon2i_opslimit_min 0 1 +_crypto_pwhash_argon2i_opslimit_moderate 0 1 +_crypto_pwhash_argon2i_opslimit_sensitive 0 1 _crypto_pwhash_argon2i_passwd_max 0 1 _crypto_pwhash_argon2i_passwd_min 0 1 _crypto_pwhash_argon2i_saltbytes 0 1 _crypto_pwhash_argon2i_str 0 1 +_crypto_pwhash_argon2i_str_needs_rehash 0 1 _crypto_pwhash_argon2i_str_verify 0 1 _crypto_pwhash_argon2i_strbytes 0 1 _crypto_pwhash_argon2i_strprefix 0 1 -_crypto_pwhash_alg_argon2id13 0 1 _crypto_pwhash_argon2id 0 1 _crypto_pwhash_argon2id_alg_argon2id13 0 1 _crypto_pwhash_argon2id_bytes_max 0 1 
@@ -288,45 +296,49 @@ _crypto_pwhash_argon2id_passwd_max 0 1 _crypto_pwhash_argon2id_passwd_min 0 1 _crypto_pwhash_argon2id_saltbytes 0 1 _crypto_pwhash_argon2id_str 0 1 +_crypto_pwhash_argon2id_str_needs_rehash 0 1 _crypto_pwhash_argon2id_str_verify 0 1 _crypto_pwhash_argon2id_strbytes 0 1 _crypto_pwhash_argon2id_strprefix 0 1 -_crypto_pwhash_bytes_max 1 1 -_crypto_pwhash_bytes_min 1 1 +_crypto_pwhash_bytes_max 0 1 +_crypto_pwhash_bytes_min 0 1 _crypto_pwhash_memlimit_interactive 0 1 -_crypto_pwhash_memlimit_max 1 1 -_crypto_pwhash_memlimit_min 1 1 +_crypto_pwhash_memlimit_max 0 1 +_crypto_pwhash_memlimit_min 0 1 _crypto_pwhash_memlimit_moderate 0 1 _crypto_pwhash_memlimit_sensitive 0 1 _crypto_pwhash_opslimit_interactive 0 1 -_crypto_pwhash_opslimit_max 1 1 -_crypto_pwhash_opslimit_min 1 1 +_crypto_pwhash_opslimit_max 0 1 +_crypto_pwhash_opslimit_min 0 1 _crypto_pwhash_opslimit_moderate 0 1 _crypto_pwhash_opslimit_sensitive 0 1 -_crypto_pwhash_passwd_max 1 1 -_crypto_pwhash_passwd_min 1 1 +_crypto_pwhash_passwd_max 0 1 +_crypto_pwhash_passwd_min 0 1 _crypto_pwhash_primitive 0 1 _crypto_pwhash_saltbytes 0 1 _crypto_pwhash_scryptsalsa208sha256 0 1 +_crypto_pwhash_scryptsalsa208sha256_bytes_max 0 1 +_crypto_pwhash_scryptsalsa208sha256_bytes_min 0 1 _crypto_pwhash_scryptsalsa208sha256_ll 0 1 _crypto_pwhash_scryptsalsa208sha256_memlimit_interactive 0 1 +_crypto_pwhash_scryptsalsa208sha256_memlimit_max 0 1 +_crypto_pwhash_scryptsalsa208sha256_memlimit_min 0 1 _crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive 0 1 _crypto_pwhash_scryptsalsa208sha256_opslimit_interactive 0 1 +_crypto_pwhash_scryptsalsa208sha256_opslimit_max 0 1 +_crypto_pwhash_scryptsalsa208sha256_opslimit_min 0 1 _crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive 0 1 +_crypto_pwhash_scryptsalsa208sha256_passwd_max 0 1 +_crypto_pwhash_scryptsalsa208sha256_passwd_min 0 1 _crypto_pwhash_scryptsalsa208sha256_saltbytes 0 1 _crypto_pwhash_scryptsalsa208sha256_str 0 1 
+_crypto_pwhash_scryptsalsa208sha256_str_needs_rehash 0 1 _crypto_pwhash_scryptsalsa208sha256_str_verify 0 1 _crypto_pwhash_scryptsalsa208sha256_strbytes 0 1 _crypto_pwhash_scryptsalsa208sha256_strprefix 0 1 -_crypto_pwhash_scryptsalsa208sha256_bytes_max 0 1 -_crypto_pwhash_scryptsalsa208sha256_bytes_min 0 1 -_crypto_pwhash_scryptsalsa208sha256_memlimit_max 0 1 -_crypto_pwhash_scryptsalsa208sha256_memlimit_min 0 1 -_crypto_pwhash_scryptsalsa208sha256_opslimit_max 0 1 -_crypto_pwhash_scryptsalsa208sha256_opslimit_min 0 1 -_crypto_pwhash_scryptsalsa208sha256_passwd_max 0 1 -_crypto_pwhash_scryptsalsa208sha256_passwd_min 0 1 _crypto_pwhash_str 0 1 +_crypto_pwhash_str_alg 0 1 +_crypto_pwhash_str_needs_rehash 0 1 _crypto_pwhash_str_verify 0 1 _crypto_pwhash_strbytes 0 1 _crypto_pwhash_strprefix 0 1 @@ -346,6 +358,7 @@ _crypto_secretbox_easy 1 1 _crypto_secretbox_keybytes 1 1 _crypto_secretbox_keygen 1 1 _crypto_secretbox_macbytes 1 1 +_crypto_secretbox_messagebytes_max 0 0 _crypto_secretbox_noncebytes 1 1 _crypto_secretbox_open 0 1 _crypto_secretbox_open_detached 1 1 
@@ -355,18 +368,35 @@ _crypto_secretbox_xchacha20poly1305_detached 0 1 _crypto_secretbox_xchacha20poly1305_easy 0 1 _crypto_secretbox_xchacha20poly1305_keybytes 0 1 _crypto_secretbox_xchacha20poly1305_macbytes 0 1 +_crypto_secretbox_xchacha20poly1305_messagebytes_max 0 0 _crypto_secretbox_xchacha20poly1305_noncebytes 0 1 _crypto_secretbox_xchacha20poly1305_open_detached 0 1 _crypto_secretbox_xchacha20poly1305_open_easy 0 1 _crypto_secretbox_xsalsa20poly1305 0 1 _crypto_secretbox_xsalsa20poly1305_boxzerobytes 0 1 _crypto_secretbox_xsalsa20poly1305_keybytes 0 1 +_crypto_secretbox_xsalsa20poly1305_keygen 0 1 _crypto_secretbox_xsalsa20poly1305_macbytes 0 1 +_crypto_secretbox_xsalsa20poly1305_messagebytes_max 0 0 _crypto_secretbox_xsalsa20poly1305_noncebytes 0 1 _crypto_secretbox_xsalsa20poly1305_open 0 1 _crypto_secretbox_xsalsa20poly1305_zerobytes 0 1 -_crypto_secretbox_xsalsa20poly1305_keygen 0 1 _crypto_secretbox_zerobytes 0 1 +_crypto_secretstream_xchacha20poly1305_abytes 1 1 +_crypto_secretstream_xchacha20poly1305_init_pull 1 1 +_crypto_secretstream_xchacha20poly1305_init_push 1 1 +_crypto_secretstream_xchacha20poly1305_headerbytes 1 1 +_crypto_secretstream_xchacha20poly1305_keybytes 1 1 +_crypto_secretstream_xchacha20poly1305_keygen 1 1 +_crypto_secretstream_xchacha20poly1305_messagebytes_max 1 1 +_crypto_secretstream_xchacha20poly1305_pull 1 1 +_crypto_secretstream_xchacha20poly1305_push 1 1 +_crypto_secretstream_xchacha20poly1305_rekey 1 1 +_crypto_secretstream_xchacha20poly1305_statebytes 1 1 +_crypto_secretstream_xchacha20poly1305_tag_final 1 1 +_crypto_secretstream_xchacha20poly1305_tag_message 1 1 +_crypto_secretstream_xchacha20poly1305_tag_push 1 1 +_crypto_secretstream_xchacha20poly1305_tag_rekey 1 1 _crypto_shorthash 1 1 _crypto_shorthash_bytes 1 1 _crypto_shorthash_keybytes 1 1 
@@ -385,6 +415,7 @@ _crypto_sign_ed25519 0 1 _crypto_sign_ed25519_bytes 0 1 _crypto_sign_ed25519_detached 0 1 _crypto_sign_ed25519_keypair 0 1 +_crypto_sign_ed25519_messagebytes_max 0 0 _crypto_sign_ed25519_open 0 1 _crypto_sign_ed25519_pk_to_curve25519 1 1 _crypto_sign_ed25519_publickeybytes 0 1 @@ -407,6 +438,7 @@ _crypto_sign_final_create 1 1 _crypto_sign_final_verify 1 1 _crypto_sign_init 1 1 _crypto_sign_keypair 1 1 +_crypto_sign_messagebytes_max 0 0 _crypto_sign_open 1 1 _crypto_sign_primitive 0 1 _crypto_sign_publickeybytes 1 1 
@@ -429,37 +461,44 @@ _crypto_stream_chacha20 0 1 _crypto_stream_chacha20_ietf 0 1 _crypto_stream_chacha20_ietf_keybytes 0 1 _crypto_stream_chacha20_ietf_keygen 0 1 +_crypto_stream_chacha20_ietf_messagebytes_max 0 0 _crypto_stream_chacha20_ietf_noncebytes 0 1 _crypto_stream_chacha20_ietf_xor 0 1 _crypto_stream_chacha20_ietf_xor_ic 0 1 _crypto_stream_chacha20_keybytes 0 1 _crypto_stream_chacha20_keygen 0 1 +_crypto_stream_chacha20_messagebytes_max 0 0 _crypto_stream_chacha20_noncebytes 0 1 _crypto_stream_chacha20_xor 0 1 _crypto_stream_chacha20_xor_ic 0 1 _crypto_stream_keybytes 0 1 _crypto_stream_keygen 1 1 +_crypto_stream_messagebytes_max 0 0 _crypto_stream_noncebytes 0 1 _crypto_stream_primitive 0 1 _crypto_stream_salsa20 0 1 _crypto_stream_salsa2012 0 1 _crypto_stream_salsa2012_keybytes 0 1 _crypto_stream_salsa2012_keygen 0 1 +_crypto_stream_salsa2012_messagebytes_max 0 0 _crypto_stream_salsa2012_noncebytes 0 1 _crypto_stream_salsa2012_xor 0 1 _crypto_stream_salsa208 0 1 _crypto_stream_salsa208_keybytes 0 1 _crypto_stream_salsa208_keygen 0 1 +_crypto_stream_salsa208_messagebytes_max 0 1 _crypto_stream_salsa208_noncebytes 0 1 _crypto_stream_salsa208_xor 0 1 _crypto_stream_salsa20_keybytes 0 1 _crypto_stream_salsa20_keygen 0 1 +_crypto_stream_salsa20_messagebytes_max 0 0 _crypto_stream_salsa20_noncebytes 0 1 _crypto_stream_salsa20_xor 0 1 _crypto_stream_salsa20_xor_ic 0 1 _crypto_stream_xchacha20 0 1 _crypto_stream_xchacha20_keybytes 0 1 _crypto_stream_xchacha20_keygen 0 1 +_crypto_stream_xchacha20_messagebytes_max 0 0 _crypto_stream_xchacha20_noncebytes 0 1 _crypto_stream_xchacha20_xor 0 1 _crypto_stream_xchacha20_xor_ic 0 1 @@ -467,6 +506,7 @@ _crypto_stream_xor 0 1 _crypto_stream_xsalsa20 0 1 _crypto_stream_xsalsa20_keybytes 0 1 _crypto_stream_xsalsa20_keygen 0 1 +_crypto_stream_xsalsa20_messagebytes_max 0 0 _crypto_stream_xsalsa20_noncebytes 0 1 _crypto_stream_xsalsa20_xor 0 1 _crypto_stream_xsalsa20_xor_ic 0 1 
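Review bot: `_crypto_stream_salsa208_messagebytes_max 0 1` is the only `crypto_stream_*_messagebytes_max` entry in this hunk whose sumo column is 1; every sibling added alongside it (chacha20, chacha20_ietf, salsa20, salsa2012, xchacha20 and, in the next hunk, xsalsa20) is `0 0`. Exporting the limit of one primitive into the sumo build while omitting all the others looks like a copy-and-edit slip rather than a decision, and `_crypto_stream_salsa208_messagebytes_max 0 0` restores the pattern. If the `0 1` is deliberate, a comment in the commit notes saying why would save the next reader the same double-take.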
@@ -488,6 +528,9 @@ _randombytes_stir 1 1 _randombytes_uniform 1 1 _sodium_add 0 0 _sodium_allocarray 0 0 +_sodium_base64_encoded_len 1 1 +_sodium_base642bin 1 1 +_sodium_bin2base64 1 1 _sodium_bin2hex 1 1 _sodium_compare 0 0 _sodium_free 0 0 @@ -501,18 +544,23 @@ _sodium_library_version_minor 1 1 _sodium_malloc 0 0 _sodium_memcmp 0 0 _sodium_memzero 0 0 +_sodium_misuse 0 0 _sodium_mlock 0 0 _sodium_mprotect_noaccess 0 0 _sodium_mprotect_readonly 0 0 _sodium_mprotect_readwrite 0 0 _sodium_munlock 0 0 +_sodium_pad 1 1 _sodium_runtime_has_aesni 0 0 _sodium_runtime_has_avx 0 0 _sodium_runtime_has_avx2 0 0 +_sodium_runtime_has_avx512f 0 0 _sodium_runtime_has_neon 0 0 _sodium_runtime_has_pclmul 0 0 _sodium_runtime_has_sse2 0 0 _sodium_runtime_has_sse3 0 0 _sodium_runtime_has_sse41 0 0 _sodium_runtime_has_ssse3 0 0 +_sodium_set_misuse_handler 0 0 +_sodium_unpad 1 1 _sodium_version_string 1 1 diff --git a/dist-build/emscripten-wasm.sh b/dist-build/emscripten-wasm.sh index 67cffcaf..a4d7d9da 100755 --- a/dist-build/emscripten-wasm.sh +++ b/dist-build/emscripten-wasm.sh 
@@ -1,16 +1,13 @@
 #! /bin/sh
 export MAKE_FLAGS='-j4'
-export EXPORTED_FUNCTIONS_STANDARD='["_crypto_aead_chacha20poly1305_abytes","_crypto_aead_chacha20poly1305_decrypt","_crypto_aead_chacha20poly1305_decrypt_detached","_crypto_aead_chacha20poly1305_encrypt","_crypto_aead_chacha20poly1305_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_abytes","_crypto_aead_chacha20poly1305_ietf_decrypt","_crypto_aead_chacha20poly1305_ietf_decrypt_detached","_crypto_aead_chacha20poly1305_ietf_encrypt","_crypto_aead_chacha20poly1305_ietf_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_keybytes","_crypto_aead_chacha20poly1305_ietf_keygen","_crypto_aead_chacha20poly1305_ietf_npubbytes","_crypto_aead_chacha20poly1305_ietf_nsecbytes","_crypto_aead_chacha20poly1305_keybytes","_crypto_aead_chacha20poly1305_keygen","_crypto_aead_chacha20poly1305_npubbytes","_crypto_aead_chacha20poly1305_nsecbytes","_crypto_aead_xchacha20poly1305_ietf_abytes","_crypto_aead_xchacha20poly1305_ietf_decrypt","_crypto_aead_xchacha20poly1305_ietf_decrypt_detached","_crypto_aead_xchacha20poly1305_ietf_encrypt","_crypto_aead_xchacha20poly1305_ietf_encrypt_detached","_crypto_aead_xchacha20poly1305_ietf_keybytes","_crypto_aead_xchacha20poly1305_ietf_keygen","_crypto_aead_xchacha20poly1305_ietf_npubbytes","_crypto_aead_xchacha20poly1305_ietf_nsecbytes","_crypto_auth","_crypto_auth_bytes","_crypto_auth_keybytes","_crypto_auth_keygen","_crypto_auth_verify","_crypto_box_beforenm","_crypto_box_beforenmbytes","_crypto_box_detached","_crypto_box_detached_afternm","_crypto_box_easy","_crypto_box_easy_afternm","_crypto_box_keypair","_crypto_box_macbytes","_crypto_box_noncebytes","_crypto_box_open_detached","_crypto_box_open_detached_afternm","_crypto_box_open_easy","_crypto_box_open_easy_afternm","_crypto_box_publickeybytes","_crypto_box_seal","_crypto_box_seal_open","_crypto_box_sealbytes","_crypto_box_secretkeybytes","_crypto_box_seed_keypair","_crypto_box_seedbytes","_crypto_core_hchacha20","_crypto_core_hchacha
20_constbytes","_crypto_core_hchacha20_inputbytes","_crypto_core_hchacha20_keybytes","_crypto_core_hchacha20_outputbytes","_crypto_generichash","_crypto_generichash_bytes","_crypto_generichash_bytes_max","_crypto_generichash_bytes_min","_crypto_generichash_final","_crypto_generichash_init","_crypto_generichash_keybytes","_crypto_generichash_keybytes_max","_crypto_generichash_keybytes_min","_crypto_generichash_keygen","_crypto_generichash_statebytes","_crypto_generichash_update","_crypto_hash","_crypto_hash_bytes","_crypto_kdf_bytes_max","_crypto_kdf_bytes_min","_crypto_kdf_contextbytes","_crypto_kdf_derive_from_key","_crypto_kdf_keybytes","_crypto_kdf_keygen","_crypto_pwhash_bytes_max","_crypto_pwhash_bytes_min","_crypto_pwhash_memlimit_max","_crypto_pwhash_memlimit_min","_crypto_pwhash_opslimit_max","_crypto_pwhash_opslimit_min","_crypto_pwhash_passwd_max","_crypto_pwhash_passwd_min","_crypto_scalarmult","_crypto_scalarmult_base","_crypto_scalarmult_bytes","_crypto_scalarmult_scalarbytes","_crypto_secretbox_detached","_crypto_secretbox_easy","_crypto_secretbox_keybytes","_crypto_secretbox_keygen","_crypto_secretbox_macbytes","_crypto_secretbox_noncebytes","_crypto_secretbox_open_detached","_crypto_secretbox_open_easy","_crypto_shorthash","_crypto_shorthash_bytes","_crypto_shorthash_keybytes","_crypto_shorthash_keygen","_crypto_sign","_crypto_sign_bytes","_crypto_sign_detached","_crypto_sign_ed25519_pk_to_curve25519","_crypto_sign_ed25519_sk_to_curve25519","_crypto_sign_final_create","_crypto_sign_final_verify","_crypto_sign_init","_crypto_sign_keypair","_crypto_sign_open","_crypto_sign_publickeybytes","_crypto_sign_secretkeybytes","_crypto_sign_seed_keypair","_crypto_sign_seedbytes","_crypto_sign_statebytes","_crypto_sign_update","_crypto_sign_verify_detached","_crypto_stream_keygen","_randombytes","_randombytes_buf","_randombytes_buf_deterministic","_randombytes_close","_randombytes_random","_randombytes_seedbytes","_randombytes_stir","_randombytes_uniform","_sodi
um_bin2hex","_sodium_hex2bin","_sodium_init","_sodium_library_minimal","_sodium_library_version_major","_sodium_library_version_minor","_sodium_version_string"]' -export EXPORTED_FUNCTIONS_SUMO='["_crypto_aead_chacha20poly1305_abytes","_crypto_aead_chacha20poly1305_decrypt","_crypto_aead_chacha20poly1305_decrypt_detached","_crypto_aead_chacha20poly1305_encrypt","_crypto_aead_chacha20poly1305_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_abytes","_crypto_aead_chacha20poly1305_ietf_decrypt","_crypto_aead_chacha20poly1305_ietf_decrypt_detached","_crypto_aead_chacha20poly1305_ietf_encrypt","_crypto_aead_chacha20poly1305_ietf_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_keybytes","_crypto_aead_chacha20poly1305_ietf_keygen","_crypto_aead_chacha20poly1305_ietf_npubbytes","_crypto_aead_chacha20poly1305_ietf_nsecbytes","_crypto_aead_chacha20poly1305_keybytes","_crypto_aead_chacha20poly1305_keygen","_crypto_aead_chacha20poly1305_npubbytes","_crypto_aead_chacha20poly1305_nsecbytes","_crypto_aead_xchacha20poly1305_ietf_abytes","_crypto_aead_xchacha20poly1305_ietf_decrypt","_crypto_aead_xchacha20poly1305_ietf_decrypt_detached","_crypto_aead_xchacha20poly1305_ietf_encrypt","_crypto_aead_xchacha20poly1305_ietf_encrypt_detached","_crypto_aead_xchacha20poly1305_ietf_keybytes","_crypto_aead_xchacha20poly1305_ietf_keygen","_crypto_aead_xchacha20poly1305_ietf_npubbytes","_crypto_aead_xchacha20poly1305_ietf_nsecbytes","_crypto_auth","_crypto_auth_bytes","_crypto_auth_hmacsha256","_crypto_auth_hmacsha256_bytes","_crypto_auth_hmacsha256_final","_crypto_auth_hmacsha256_init","_crypto_auth_hmacsha256_keybytes","_crypto_auth_hmacsha256_keygen","_crypto_auth_hmacsha256_statebytes","_crypto_auth_hmacsha256_update","_crypto_auth_hmacsha256_verify","_crypto_auth_hmacsha512","_crypto_auth_hmacsha512256","_crypto_auth_hmacsha512256_bytes","_crypto_auth_hmacsha512256_final","_crypto_auth_hmacsha512256_init","_crypto_auth_hmacsha512256_keybytes","_crypto_auth_hmacsha512256_keygen","
_crypto_auth_hmacsha512256_statebytes","_crypto_auth_hmacsha512256_update","_crypto_auth_hmacsha512256_verify","_crypto_auth_hmacsha512_bytes","_crypto_auth_hmacsha512_final","_crypto_auth_hmacsha512_init","_crypto_auth_hmacsha512_keybytes","_crypto_auth_hmacsha512_keygen","_crypto_auth_hmacsha512_statebytes","_crypto_auth_hmacsha512_update","_crypto_auth_hmacsha512_verify","_crypto_auth_keybytes","_crypto_auth_keygen","_crypto_auth_primitive","_crypto_auth_verify","_crypto_box","_crypto_box_afternm","_crypto_box_beforenm","_crypto_box_beforenmbytes","_crypto_box_boxzerobytes","_crypto_box_curve25519xchacha20poly1305_beforenm","_crypto_box_curve25519xchacha20poly1305_beforenmbytes","_crypto_box_curve25519xchacha20poly1305_detached","_crypto_box_curve25519xchacha20poly1305_detached_afternm","_crypto_box_curve25519xchacha20poly1305_easy","_crypto_box_curve25519xchacha20poly1305_easy_afternm","_crypto_box_curve25519xchacha20poly1305_keypair","_crypto_box_curve25519xchacha20poly1305_macbytes","_crypto_box_curve25519xchacha20poly1305_noncebytes","_crypto_box_curve25519xchacha20poly1305_open_detached","_crypto_box_curve25519xchacha20poly1305_open_detached_afternm","_crypto_box_curve25519xchacha20poly1305_open_easy","_crypto_box_curve25519xchacha20poly1305_open_easy_afternm","_crypto_box_curve25519xchacha20poly1305_publickeybytes","_crypto_box_curve25519xchacha20poly1305_secretkeybytes","_crypto_box_curve25519xchacha20poly1305_seed_keypair","_crypto_box_curve25519xchacha20poly1305_seedbytes","_crypto_box_curve25519xsalsa20poly1305","_crypto_box_curve25519xsalsa20poly1305_afternm","_crypto_box_curve25519xsalsa20poly1305_beforenm","_crypto_box_curve25519xsalsa20poly1305_beforenmbytes","_crypto_box_curve25519xsalsa20poly1305_boxzerobytes","_crypto_box_curve25519xsalsa20poly1305_keypair","_crypto_box_curve25519xsalsa20poly1305_macbytes","_crypto_box_curve25519xsalsa20poly1305_noncebytes","_crypto_box_curve25519xsalsa20poly1305_open","_crypto_box_curve25519xsalsa20poly1305_open
_afternm","_crypto_box_curve25519xsalsa20poly1305_publickeybytes","_crypto_box_curve25519xsalsa20poly1305_secretkeybytes","_crypto_box_curve25519xsalsa20poly1305_seed_keypair","_crypto_box_curve25519xsalsa20poly1305_seedbytes","_crypto_box_curve25519xsalsa20poly1305_zerobytes","_crypto_box_detached","_crypto_box_detached_afternm","_crypto_box_easy","_crypto_box_easy_afternm","_crypto_box_keypair","_crypto_box_macbytes","_crypto_box_noncebytes","_crypto_box_open","_crypto_box_open_afternm","_crypto_box_open_detached","_crypto_box_open_detached_afternm","_crypto_box_open_easy","_crypto_box_open_easy_afternm","_crypto_box_primitive","_crypto_box_publickeybytes","_crypto_box_seal","_crypto_box_seal_open","_crypto_box_sealbytes","_crypto_box_secretkeybytes","_crypto_box_seed_keypair","_crypto_box_seedbytes","_crypto_box_zerobytes","_crypto_core_hchacha20","_crypto_core_hchacha20_constbytes","_crypto_core_hchacha20_inputbytes","_crypto_core_hchacha20_keybytes","_crypto_core_hchacha20_outputbytes","_crypto_core_hsalsa20","_crypto_core_hsalsa20_constbytes","_crypto_core_hsalsa20_inputbytes","_crypto_core_hsalsa20_keybytes","_crypto_core_hsalsa20_outputbytes","_crypto_core_salsa20","_crypto_core_salsa2012","_crypto_core_salsa2012_constbytes","_crypto_core_salsa2012_inputbytes","_crypto_core_salsa2012_keybytes","_crypto_core_salsa2012_outputbytes","_crypto_core_salsa208","_crypto_core_salsa208_constbytes","_crypto_core_salsa208_inputbytes","_crypto_core_salsa208_keybytes","_crypto_core_salsa208_outputbytes","_crypto_core_salsa20_constbytes","_crypto_core_salsa20_inputbytes","_crypto_core_salsa20_keybytes","_crypto_core_salsa20_outputbytes","_crypto_generichash","_crypto_generichash_blake2b","_crypto_generichash_blake2b_bytes","_crypto_generichash_blake2b_bytes_max","_crypto_generichash_blake2b_bytes_min","_crypto_generichash_blake2b_final","_crypto_generichash_blake2b_init","_crypto_generichash_blake2b_init_salt_personal","_crypto_generichash_blake2b_keybytes","_crypto_generi
chash_blake2b_keybytes_max","_crypto_generichash_blake2b_keybytes_min","_crypto_generichash_blake2b_keygen","_crypto_generichash_blake2b_personalbytes","_crypto_generichash_blake2b_salt_personal","_crypto_generichash_blake2b_saltbytes","_crypto_generichash_blake2b_statebytes","_crypto_generichash_blake2b_update","_crypto_generichash_bytes","_crypto_generichash_bytes_max","_crypto_generichash_bytes_min","_crypto_generichash_final","_crypto_generichash_init","_crypto_generichash_keybytes","_crypto_generichash_keybytes_max","_crypto_generichash_keybytes_min","_crypto_generichash_keygen","_crypto_generichash_primitive","_crypto_generichash_statebytes","_crypto_generichash_update","_crypto_hash","_crypto_hash_bytes","_crypto_hash_primitive","_crypto_hash_sha256","_crypto_hash_sha256_bytes","_crypto_hash_sha256_final","_crypto_hash_sha256_init","_crypto_hash_sha256_statebytes","_crypto_hash_sha256_update","_crypto_hash_sha512","_crypto_hash_sha512_bytes","_crypto_hash_sha512_final","_crypto_hash_sha512_init","_crypto_hash_sha512_statebytes","_crypto_hash_sha512_update","_crypto_kdf_blake2b_bytes_max","_crypto_kdf_blake2b_bytes_min","_crypto_kdf_blake2b_contextbytes","_crypto_kdf_blake2b_derive_from_key","_crypto_kdf_blake2b_keybytes","_crypto_kdf_bytes_max","_crypto_kdf_bytes_min","_crypto_kdf_contextbytes","_crypto_kdf_derive_from_key","_crypto_kdf_keybytes","_crypto_kdf_keygen","_crypto_kdf_primitive","_crypto_onetimeauth","_crypto_onetimeauth_bytes","_crypto_onetimeauth_final","_crypto_onetimeauth_init","_crypto_onetimeauth_keybytes","_crypto_onetimeauth_keygen","_crypto_onetimeauth_poly1305","_crypto_onetimeauth_poly1305_bytes","_crypto_onetimeauth_poly1305_final","_crypto_onetimeauth_poly1305_init","_crypto_onetimeauth_poly1305_keybytes","_crypto_onetimeauth_poly1305_keygen","_crypto_onetimeauth_poly1305_statebytes","_crypto_onetimeauth_poly1305_update","_crypto_onetimeauth_poly1305_verify","_crypto_onetimeauth_primitive","_crypto_onetimeauth_statebytes","_crypto_one
timeauth_update","_crypto_onetimeauth_verify","_crypto_pwhash","_crypto_pwhash_alg_argon2i13","_crypto_pwhash_alg_default","_crypto_pwhash_argon2i","_crypto_pwhash_argon2i_alg_argon2i13","_crypto_pwhash_argon2i_bytes_max","_crypto_pwhash_argon2i_bytes_min","_crypto_pwhash_argon2i_memlimit_interactive","_crypto_pwhash_argon2i_memlimit_max","_crypto_pwhash_argon2i_memlimit_min","_crypto_pwhash_argon2i_memlimit_moderate","_crypto_pwhash_argon2i_memlimit_sensitive","_crypto_pwhash_argon2i_opslimit_interactive","_crypto_pwhash_argon2i_opslimit_max","_crypto_pwhash_argon2i_opslimit_min","_crypto_pwhash_argon2i_opslimit_moderate","_crypto_pwhash_argon2i_opslimit_sensitive","_crypto_pwhash_argon2i_passwd_max","_crypto_pwhash_argon2i_passwd_min","_crypto_pwhash_argon2i_saltbytes","_crypto_pwhash_argon2i_str","_crypto_pwhash_argon2i_str_verify","_crypto_pwhash_argon2i_strbytes","_crypto_pwhash_argon2i_strprefix","_crypto_pwhash_bytes_max","_crypto_pwhash_bytes_min","_crypto_pwhash_memlimit_interactive","_crypto_pwhash_memlimit_max","_crypto_pwhash_memlimit_min","_crypto_pwhash_memlimit_moderate","_crypto_pwhash_memlimit_sensitive","_crypto_pwhash_opslimit_interactive","_crypto_pwhash_opslimit_max","_crypto_pwhash_opslimit_min","_crypto_pwhash_opslimit_moderate","_crypto_pwhash_opslimit_sensitive","_crypto_pwhash_passwd_max","_crypto_pwhash_passwd_min","_crypto_pwhash_primitive","_crypto_pwhash_saltbytes","_crypto_pwhash_scryptsalsa208sha256","_crypto_pwhash_scryptsalsa208sha256_bytes_max","_crypto_pwhash_scryptsalsa208sha256_bytes_min","_crypto_pwhash_scryptsalsa208sha256_ll","_crypto_pwhash_scryptsalsa208sha256_memlimit_interactive","_crypto_pwhash_scryptsalsa208sha256_memlimit_max","_crypto_pwhash_scryptsalsa208sha256_memlimit_min","_crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_opslimit_interactive","_crypto_pwhash_scryptsalsa208sha256_opslimit_max","_crypto_pwhash_scryptsalsa208sha256_opslimit_min","_crypto_pwhash_scryptsalsa2
08sha256_opslimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_passwd_max","_crypto_pwhash_scryptsalsa208sha256_passwd_min","_crypto_pwhash_scryptsalsa208sha256_saltbytes","_crypto_pwhash_scryptsalsa208sha256_str","_crypto_pwhash_scryptsalsa208sha256_str_verify","_crypto_pwhash_scryptsalsa208sha256_strbytes","_crypto_pwhash_scryptsalsa208sha256_strprefix","_crypto_pwhash_str","_crypto_pwhash_str_verify","_crypto_pwhash_strbytes","_crypto_pwhash_strprefix","_crypto_scalarmult","_crypto_scalarmult_base","_crypto_scalarmult_bytes","_crypto_scalarmult_curve25519","_crypto_scalarmult_curve25519_base","_crypto_scalarmult_curve25519_bytes","_crypto_scalarmult_curve25519_scalarbytes","_crypto_scalarmult_primitive","_crypto_scalarmult_scalarbytes","_crypto_secretbox","_crypto_secretbox_boxzerobytes","_crypto_secretbox_detached","_crypto_secretbox_easy","_crypto_secretbox_keybytes","_crypto_secretbox_keygen","_crypto_secretbox_macbytes","_crypto_secretbox_noncebytes","_crypto_secretbox_open","_crypto_secretbox_open_detached","_crypto_secretbox_open_easy","_crypto_secretbox_primitive","_crypto_secretbox_xchacha20poly1305_detached","_crypto_secretbox_xchacha20poly1305_easy","_crypto_secretbox_xchacha20poly1305_keybytes","_crypto_secretbox_xchacha20poly1305_macbytes","_crypto_secretbox_xchacha20poly1305_noncebytes","_crypto_secretbox_xchacha20poly1305_open_detached","_crypto_secretbox_xchacha20poly1305_open_easy","_crypto_secretbox_xsalsa20poly1305","_crypto_secretbox_xsalsa20poly1305_boxzerobytes","_crypto_secretbox_xsalsa20poly1305_keybytes","_crypto_secretbox_xsalsa20poly1305_keygen","_crypto_secretbox_xsalsa20poly1305_macbytes","_crypto_secretbox_xsalsa20poly1305_noncebytes","_crypto_secretbox_xsalsa20poly1305_open","_crypto_secretbox_xsalsa20poly1305_zerobytes","_crypto_secretbox_zerobytes","_crypto_shorthash","_crypto_shorthash_bytes","_crypto_shorthash_keybytes","_crypto_shorthash_keygen","_crypto_shorthash_primitive","_crypto_shorthash_siphash24","_crypto_shorthash_si
phash24_bytes","_crypto_shorthash_siphash24_keybytes","_crypto_shorthash_siphashx24","_crypto_shorthash_siphashx24_bytes","_crypto_shorthash_siphashx24_keybytes","_crypto_sign","_crypto_sign_bytes","_crypto_sign_detached","_crypto_sign_ed25519","_crypto_sign_ed25519_bytes","_crypto_sign_ed25519_detached","_crypto_sign_ed25519_keypair","_crypto_sign_ed25519_open","_crypto_sign_ed25519_pk_to_curve25519","_crypto_sign_ed25519_publickeybytes","_crypto_sign_ed25519_secretkeybytes","_crypto_sign_ed25519_seed_keypair","_crypto_sign_ed25519_seedbytes","_crypto_sign_ed25519_sk_to_curve25519","_crypto_sign_ed25519_sk_to_pk","_crypto_sign_ed25519_sk_to_seed","_crypto_sign_ed25519_verify_detached","_crypto_sign_ed25519ph_final_create","_crypto_sign_ed25519ph_final_verify","_crypto_sign_ed25519ph_init","_crypto_sign_ed25519ph_statebytes","_crypto_sign_ed25519ph_update","_crypto_sign_final_create","_crypto_sign_final_verify","_crypto_sign_init","_crypto_sign_keypair","_crypto_sign_open","_crypto_sign_primitive","_crypto_sign_publickeybytes","_crypto_sign_secretkeybytes","_crypto_sign_seed_keypair","_crypto_sign_seedbytes","_crypto_sign_statebytes","_crypto_sign_update","_crypto_sign_verify_detached","_crypto_stream","_crypto_stream_aes128ctr","_crypto_stream_aes128ctr_afternm","_crypto_stream_aes128ctr_beforenm","_crypto_stream_aes128ctr_beforenmbytes","_crypto_stream_aes128ctr_keybytes","_crypto_stream_aes128ctr_noncebytes","_crypto_stream_aes128ctr_xor","_crypto_stream_aes128ctr_xor_afternm","_crypto_stream_chacha20","_crypto_stream_chacha20_ietf","_crypto_stream_chacha20_ietf_keybytes","_crypto_stream_chacha20_ietf_keygen","_crypto_stream_chacha20_ietf_noncebytes","_crypto_stream_chacha20_ietf_xor","_crypto_stream_chacha20_ietf_xor_ic","_crypto_stream_chacha20_keybytes","_crypto_stream_chacha20_keygen","_crypto_stream_chacha20_noncebytes","_crypto_stream_chacha20_xor","_crypto_stream_chacha20_xor_ic","_crypto_stream_keybytes","_crypto_stream_keygen","_crypto_stream_noncebytes"
,"_crypto_stream_primitive","_crypto_stream_salsa20","_crypto_stream_salsa2012","_crypto_stream_salsa2012_keybytes","_crypto_stream_salsa2012_keygen","_crypto_stream_salsa2012_noncebytes","_crypto_stream_salsa2012_xor","_crypto_stream_salsa208","_crypto_stream_salsa208_keybytes","_crypto_stream_salsa208_keygen","_crypto_stream_salsa208_noncebytes","_crypto_stream_salsa208_xor","_crypto_stream_salsa20_keybytes","_crypto_stream_salsa20_keygen","_crypto_stream_salsa20_noncebytes","_crypto_stream_salsa20_xor","_crypto_stream_salsa20_xor_ic","_crypto_stream_xchacha20","_crypto_stream_xchacha20_keybytes","_crypto_stream_xchacha20_keygen","_crypto_stream_xchacha20_noncebytes","_crypto_stream_xchacha20_xor","_crypto_stream_xchacha20_xor_ic","_crypto_stream_xor","_crypto_stream_xsalsa20","_crypto_stream_xsalsa20_keybytes","_crypto_stream_xsalsa20_keygen","_crypto_stream_xsalsa20_noncebytes","_crypto_stream_xsalsa20_xor","_crypto_stream_xsalsa20_xor_ic","_crypto_verify_16","_crypto_verify_16_bytes","_crypto_verify_32","_crypto_verify_32_bytes","_crypto_verify_64","_crypto_verify_64_bytes","_randombytes","_randombytes_buf","_randombytes_buf_deterministic","_randombytes_close","_randombytes_implementation_name","_randombytes_random","_randombytes_seedbytes","_randombytes_stir","_randombytes_uniform","_sodium_bin2hex","_sodium_hex2bin","_sodium_init","_sodium_library_minimal","_sodium_library_version_major","_sodium_library_version_minor","_sodium_version_string"]'
-export TOTAL_MEMORY=16777216
-export TOTAL_MEMORY_SUMO=67108864
+export 
EXPORTED_FUNCTIONS_STANDARD='["_crypto_aead_chacha20poly1305_abytes","_crypto_aead_chacha20poly1305_decrypt","_crypto_aead_chacha20poly1305_decrypt_detached","_crypto_aead_chacha20poly1305_encrypt","_crypto_aead_chacha20poly1305_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_abytes","_crypto_aead_chacha20poly1305_ietf_decrypt","_crypto_aead_chacha20poly1305_ietf_decrypt_detached","_crypto_aead_chacha20poly1305_ietf_encrypt","_crypto_aead_chacha20poly1305_ietf_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_keybytes","_crypto_aead_chacha20poly1305_ietf_keygen","_crypto_aead_chacha20poly1305_ietf_npubbytes","_crypto_aead_chacha20poly1305_ietf_nsecbytes","_crypto_aead_chacha20poly1305_keybytes","_crypto_aead_chacha20poly1305_keygen","_crypto_aead_chacha20poly1305_npubbytes","_crypto_aead_chacha20poly1305_nsecbytes","_crypto_aead_xchacha20poly1305_ietf_abytes","_crypto_aead_xchacha20poly1305_ietf_decrypt","_crypto_aead_xchacha20poly1305_ietf_decrypt_detached","_crypto_aead_xchacha20poly1305_ietf_encrypt","_crypto_aead_xchacha20poly1305_ietf_encrypt_detached","_crypto_aead_xchacha20poly1305_ietf_keybytes","_crypto_aead_xchacha20poly1305_ietf_keygen","_crypto_aead_xchacha20poly1305_ietf_npubbytes","_crypto_aead_xchacha20poly1305_ietf_nsecbytes","_crypto_auth","_crypto_auth_bytes","_crypto_auth_keybytes","_crypto_auth_keygen","_crypto_auth_verify","_crypto_box_beforenm","_crypto_box_beforenmbytes","_crypto_box_detached","_crypto_box_detached_afternm","_crypto_box_easy","_crypto_box_easy_afternm","_crypto_box_keypair","_crypto_box_macbytes","_crypto_box_noncebytes","_crypto_box_open_detached","_crypto_box_open_detached_afternm","_crypto_box_open_easy","_crypto_box_open_easy_afternm","_crypto_box_publickeybytes","_crypto_box_seal","_crypto_box_seal_open","_crypto_box_sealbytes","_crypto_box_secretkeybytes","_crypto_box_seed_keypair","_crypto_box_seedbytes","_crypto_core_hchacha20","_crypto_core_hchacha20_constbytes","_crypto_core_hchacha20_inputbytes","_crypto_c
ore_hchacha20_keybytes","_crypto_core_hchacha20_outputbytes","_crypto_generichash","_crypto_generichash_bytes","_crypto_generichash_bytes_max","_crypto_generichash_bytes_min","_crypto_generichash_final","_crypto_generichash_init","_crypto_generichash_keybytes","_crypto_generichash_keybytes_max","_crypto_generichash_keybytes_min","_crypto_generichash_keygen","_crypto_generichash_statebytes","_crypto_generichash_update","_crypto_hash","_crypto_hash_bytes","_crypto_kdf_bytes_max","_crypto_kdf_bytes_min","_crypto_kdf_contextbytes","_crypto_kdf_derive_from_key","_crypto_kdf_keybytes","_crypto_kdf_keygen","_crypto_kx_client_session_keys","_crypto_kx_keypair","_crypto_kx_publickeybytes","_crypto_kx_secretkeybytes","_crypto_kx_seed_keypair","_crypto_kx_seedbytes","_crypto_kx_server_session_keys","_crypto_kx_sessionkeybytes","_crypto_scalarmult","_crypto_scalarmult_base","_crypto_scalarmult_bytes","_crypto_scalarmult_scalarbytes","_crypto_secretbox_detached","_crypto_secretbox_easy","_crypto_secretbox_keybytes","_crypto_secretbox_keygen","_crypto_secretbox_macbytes","_crypto_secretbox_noncebytes","_crypto_secretbox_open_detached","_crypto_secretbox_open_easy","_crypto_secretstream_xchacha20poly1305_abytes","_crypto_secretstream_xchacha20poly1305_headerbytes","_crypto_secretstream_xchacha20poly1305_init_pull","_crypto_secretstream_xchacha20poly1305_init_push","_crypto_secretstream_xchacha20poly1305_keybytes","_crypto_secretstream_xchacha20poly1305_keygen","_crypto_secretstream_xchacha20poly1305_messagebytes_max","_crypto_secretstream_xchacha20poly1305_pull","_crypto_secretstream_xchacha20poly1305_push","_crypto_secretstream_xchacha20poly1305_rekey","_crypto_secretstream_xchacha20poly1305_statebytes","_crypto_secretstream_xchacha20poly1305_tag_final","_crypto_secretstream_xchacha20poly1305_tag_message","_crypto_secretstream_xchacha20poly1305_tag_push","_crypto_secretstream_xchacha20poly1305_tag_rekey","_crypto_shorthash","_crypto_shorthash_bytes","_crypto_shorthash_keybytes","
_crypto_shorthash_keygen","_crypto_sign","_crypto_sign_bytes","_crypto_sign_detached","_crypto_sign_ed25519_pk_to_curve25519","_crypto_sign_ed25519_sk_to_curve25519","_crypto_sign_final_create","_crypto_sign_final_verify","_crypto_sign_init","_crypto_sign_keypair","_crypto_sign_open","_crypto_sign_publickeybytes","_crypto_sign_secretkeybytes","_crypto_sign_seed_keypair","_crypto_sign_seedbytes","_crypto_sign_statebytes","_crypto_sign_update","_crypto_sign_verify_detached","_crypto_stream_keygen","_randombytes","_randombytes_buf","_randombytes_buf_deterministic","_randombytes_close","_randombytes_random","_randombytes_seedbytes","_randombytes_stir","_randombytes_uniform","_sodium_base642bin","_sodium_base64_encoded_len","_sodium_bin2base64","_sodium_bin2hex","_sodium_hex2bin","_sodium_init","_sodium_library_minimal","_sodium_library_version_major","_sodium_library_version_minor","_sodium_pad","_sodium_unpad","_sodium_version_string"]' +export EXPORTED_FUNCTIONS_SUMO='["_crypto_aead_chacha20poly1305_abytes","_crypto_aead_chacha20poly1305_decrypt","_crypto_aead_chacha20poly1305_decrypt_detached","_crypto_aead_chacha20poly1305_encrypt","_crypto_aead_chacha20poly1305_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_abytes","_crypto_aead_chacha20poly1305_ietf_decrypt","_crypto_aead_chacha20poly1305_ietf_decrypt_detached","_crypto_aead_chacha20poly1305_ietf_encrypt","_crypto_aead_chacha20poly1305_ietf_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_keybytes","_crypto_aead_chacha20poly1305_ietf_keygen","_crypto_aead_chacha20poly1305_ietf_npubbytes","_crypto_aead_chacha20poly1305_ietf_nsecbytes","_crypto_aead_chacha20poly1305_keybytes","_crypto_aead_chacha20poly1305_keygen","_crypto_aead_chacha20poly1305_npubbytes","_crypto_aead_chacha20poly1305_nsecbytes","_crypto_aead_xchacha20poly1305_ietf_abytes","_crypto_aead_xchacha20poly1305_ietf_decrypt","_crypto_aead_xchacha20poly1305_ietf_decrypt_detached","_crypto_aead_xchacha20poly1305_ietf_encrypt","_crypto_aead_xchac
ha20poly1305_ietf_encrypt_detached","_crypto_aead_xchacha20poly1305_ietf_keybytes","_crypto_aead_xchacha20poly1305_ietf_keygen","_crypto_aead_xchacha20poly1305_ietf_npubbytes","_crypto_aead_xchacha20poly1305_ietf_nsecbytes","_crypto_auth","_crypto_auth_bytes","_crypto_auth_hmacsha256","_crypto_auth_hmacsha256_bytes","_crypto_auth_hmacsha256_final","_crypto_auth_hmacsha256_init","_crypto_auth_hmacsha256_keybytes","_crypto_auth_hmacsha256_keygen","_crypto_auth_hmacsha256_statebytes","_crypto_auth_hmacsha256_update","_crypto_auth_hmacsha256_verify","_crypto_auth_hmacsha512","_crypto_auth_hmacsha512256","_crypto_auth_hmacsha512256_bytes","_crypto_auth_hmacsha512256_final","_crypto_auth_hmacsha512256_init","_crypto_auth_hmacsha512256_keybytes","_crypto_auth_hmacsha512256_keygen","_crypto_auth_hmacsha512256_statebytes","_crypto_auth_hmacsha512256_update","_crypto_auth_hmacsha512256_verify","_crypto_auth_hmacsha512_bytes","_crypto_auth_hmacsha512_final","_crypto_auth_hmacsha512_init","_crypto_auth_hmacsha512_keybytes","_crypto_auth_hmacsha512_keygen","_crypto_auth_hmacsha512_statebytes","_crypto_auth_hmacsha512_update","_crypto_auth_hmacsha512_verify","_crypto_auth_keybytes","_crypto_auth_keygen","_crypto_auth_primitive","_crypto_auth_verify","_crypto_box","_crypto_box_afternm","_crypto_box_beforenm","_crypto_box_beforenmbytes","_crypto_box_boxzerobytes","_crypto_box_curve25519xchacha20poly1305_beforenm","_crypto_box_curve25519xchacha20poly1305_beforenmbytes","_crypto_box_curve25519xchacha20poly1305_detached","_crypto_box_curve25519xchacha20poly1305_detached_afternm","_crypto_box_curve25519xchacha20poly1305_easy","_crypto_box_curve25519xchacha20poly1305_easy_afternm","_crypto_box_curve25519xchacha20poly1305_keypair","_crypto_box_curve25519xchacha20poly1305_macbytes","_crypto_box_curve25519xchacha20poly1305_noncebytes","_crypto_box_curve25519xchacha20poly1305_open_detached","_crypto_box_curve25519xchacha20poly1305_open_detached_afternm","_crypto_box_curve25519xchacha20poly1
305_open_easy","_crypto_box_curve25519xchacha20poly1305_open_easy_afternm","_crypto_box_curve25519xchacha20poly1305_publickeybytes","_crypto_box_curve25519xchacha20poly1305_seal","_crypto_box_curve25519xchacha20poly1305_seal_open","_crypto_box_curve25519xchacha20poly1305_sealbytes","_crypto_box_curve25519xchacha20poly1305_secretkeybytes","_crypto_box_curve25519xchacha20poly1305_seed_keypair","_crypto_box_curve25519xchacha20poly1305_seedbytes","_crypto_box_curve25519xsalsa20poly1305","_crypto_box_curve25519xsalsa20poly1305_afternm","_crypto_box_curve25519xsalsa20poly1305_beforenm","_crypto_box_curve25519xsalsa20poly1305_beforenmbytes","_crypto_box_curve25519xsalsa20poly1305_boxzerobytes","_crypto_box_curve25519xsalsa20poly1305_keypair","_crypto_box_curve25519xsalsa20poly1305_macbytes","_crypto_box_curve25519xsalsa20poly1305_noncebytes","_crypto_box_curve25519xsalsa20poly1305_open","_crypto_box_curve25519xsalsa20poly1305_open_afternm","_crypto_box_curve25519xsalsa20poly1305_publickeybytes","_crypto_box_curve25519xsalsa20poly1305_secretkeybytes","_crypto_box_curve25519xsalsa20poly1305_seed_keypair","_crypto_box_curve25519xsalsa20poly1305_seedbytes","_crypto_box_curve25519xsalsa20poly1305_zerobytes","_crypto_box_detached","_crypto_box_detached_afternm","_crypto_box_easy","_crypto_box_easy_afternm","_crypto_box_keypair","_crypto_box_macbytes","_crypto_box_noncebytes","_crypto_box_open","_crypto_box_open_afternm","_crypto_box_open_detached","_crypto_box_open_detached_afternm","_crypto_box_open_easy","_crypto_box_open_easy_afternm","_crypto_box_primitive","_crypto_box_publickeybytes","_crypto_box_seal","_crypto_box_seal_open","_crypto_box_sealbytes","_crypto_box_secretkeybytes","_crypto_box_seed_keypair","_crypto_box_seedbytes","_crypto_box_zerobytes","_crypto_core_hchacha20","_crypto_core_hchacha20_constbytes","_crypto_core_hchacha20_inputbytes","_crypto_core_hchacha20_keybytes","_crypto_core_hchacha20_outputbytes","_crypto_core_hsalsa20","_crypto_core_hsalsa20_constbytes
","_crypto_core_hsalsa20_inputbytes","_crypto_core_hsalsa20_keybytes","_crypto_core_hsalsa20_outputbytes","_crypto_core_salsa20","_crypto_core_salsa2012","_crypto_core_salsa2012_constbytes","_crypto_core_salsa2012_inputbytes","_crypto_core_salsa2012_keybytes","_crypto_core_salsa2012_outputbytes","_crypto_core_salsa208","_crypto_core_salsa208_constbytes","_crypto_core_salsa208_inputbytes","_crypto_core_salsa208_keybytes","_crypto_core_salsa208_outputbytes","_crypto_core_salsa20_constbytes","_crypto_core_salsa20_inputbytes","_crypto_core_salsa20_keybytes","_crypto_core_salsa20_outputbytes","_crypto_generichash","_crypto_generichash_blake2b","_crypto_generichash_blake2b_bytes","_crypto_generichash_blake2b_bytes_max","_crypto_generichash_blake2b_bytes_min","_crypto_generichash_blake2b_final","_crypto_generichash_blake2b_init","_crypto_generichash_blake2b_init_salt_personal","_crypto_generichash_blake2b_keybytes","_crypto_generichash_blake2b_keybytes_max","_crypto_generichash_blake2b_keybytes_min","_crypto_generichash_blake2b_keygen","_crypto_generichash_blake2b_personalbytes","_crypto_generichash_blake2b_salt_personal","_crypto_generichash_blake2b_saltbytes","_crypto_generichash_blake2b_statebytes","_crypto_generichash_blake2b_update","_crypto_generichash_bytes","_crypto_generichash_bytes_max","_crypto_generichash_bytes_min","_crypto_generichash_final","_crypto_generichash_init","_crypto_generichash_keybytes","_crypto_generichash_keybytes_max","_crypto_generichash_keybytes_min","_crypto_generichash_keygen","_crypto_generichash_primitive","_crypto_generichash_statebytes","_crypto_generichash_update","_crypto_hash","_crypto_hash_bytes","_crypto_hash_primitive","_crypto_hash_sha256","_crypto_hash_sha256_bytes","_crypto_hash_sha256_final","_crypto_hash_sha256_init","_crypto_hash_sha256_statebytes","_crypto_hash_sha256_update","_crypto_hash_sha512","_crypto_hash_sha512_bytes","_crypto_hash_sha512_final","_crypto_hash_sha512_init","_crypto_hash_sha512_statebytes","_crypto_has
h_sha512_update","_crypto_kdf_blake2b_bytes_max","_crypto_kdf_blake2b_bytes_min","_crypto_kdf_blake2b_contextbytes","_crypto_kdf_blake2b_derive_from_key","_crypto_kdf_blake2b_keybytes","_crypto_kdf_bytes_max","_crypto_kdf_bytes_min","_crypto_kdf_contextbytes","_crypto_kdf_derive_from_key","_crypto_kdf_keybytes","_crypto_kdf_keygen","_crypto_kdf_primitive","_crypto_kx_client_session_keys","_crypto_kx_keypair","_crypto_kx_primitive","_crypto_kx_publickeybytes","_crypto_kx_secretkeybytes","_crypto_kx_seed_keypair","_crypto_kx_seedbytes","_crypto_kx_server_session_keys","_crypto_kx_sessionkeybytes","_crypto_onetimeauth","_crypto_onetimeauth_bytes","_crypto_onetimeauth_final","_crypto_onetimeauth_init","_crypto_onetimeauth_keybytes","_crypto_onetimeauth_keygen","_crypto_onetimeauth_poly1305","_crypto_onetimeauth_poly1305_bytes","_crypto_onetimeauth_poly1305_final","_crypto_onetimeauth_poly1305_init","_crypto_onetimeauth_poly1305_keybytes","_crypto_onetimeauth_poly1305_keygen","_crypto_onetimeauth_poly1305_statebytes","_crypto_onetimeauth_poly1305_update","_crypto_onetimeauth_poly1305_verify","_crypto_onetimeauth_primitive","_crypto_onetimeauth_statebytes","_crypto_onetimeauth_update","_crypto_onetimeauth_verify","_crypto_pwhash","_crypto_pwhash_alg_argon2i13","_crypto_pwhash_alg_argon2id13","_crypto_pwhash_alg_default","_crypto_pwhash_argon2i","_crypto_pwhash_argon2i_alg_argon2i13","_crypto_pwhash_argon2i_bytes_max","_crypto_pwhash_argon2i_bytes_min","_crypto_pwhash_argon2i_memlimit_interactive","_crypto_pwhash_argon2i_memlimit_max","_crypto_pwhash_argon2i_memlimit_min","_crypto_pwhash_argon2i_memlimit_moderate","_crypto_pwhash_argon2i_memlimit_sensitive","_crypto_pwhash_argon2i_opslimit_interactive","_crypto_pwhash_argon2i_opslimit_max","_crypto_pwhash_argon2i_opslimit_min","_crypto_pwhash_argon2i_opslimit_moderate","_crypto_pwhash_argon2i_opslimit_sensitive","_crypto_pwhash_argon2i_passwd_max","_crypto_pwhash_argon2i_passwd_min","_crypto_pwhash_argon2i_saltbytes","_cry
pto_pwhash_argon2i_str","_crypto_pwhash_argon2i_str_needs_rehash","_crypto_pwhash_argon2i_str_verify","_crypto_pwhash_argon2i_strbytes","_crypto_pwhash_argon2i_strprefix","_crypto_pwhash_argon2id","_crypto_pwhash_argon2id_alg_argon2id13","_crypto_pwhash_argon2id_bytes_max","_crypto_pwhash_argon2id_bytes_min","_crypto_pwhash_argon2id_memlimit_interactive","_crypto_pwhash_argon2id_memlimit_max","_crypto_pwhash_argon2id_memlimit_min","_crypto_pwhash_argon2id_memlimit_moderate","_crypto_pwhash_argon2id_memlimit_sensitive","_crypto_pwhash_argon2id_opslimit_interactive","_crypto_pwhash_argon2id_opslimit_max","_crypto_pwhash_argon2id_opslimit_min","_crypto_pwhash_argon2id_opslimit_moderate","_crypto_pwhash_argon2id_opslimit_sensitive","_crypto_pwhash_argon2id_passwd_max","_crypto_pwhash_argon2id_passwd_min","_crypto_pwhash_argon2id_saltbytes","_crypto_pwhash_argon2id_str","_crypto_pwhash_argon2id_str_needs_rehash","_crypto_pwhash_argon2id_str_verify","_crypto_pwhash_argon2id_strbytes","_crypto_pwhash_argon2id_strprefix","_crypto_pwhash_bytes_max","_crypto_pwhash_bytes_min","_crypto_pwhash_memlimit_interactive","_crypto_pwhash_memlimit_max","_crypto_pwhash_memlimit_min","_crypto_pwhash_memlimit_moderate","_crypto_pwhash_memlimit_sensitive","_crypto_pwhash_opslimit_interactive","_crypto_pwhash_opslimit_max","_crypto_pwhash_opslimit_min","_crypto_pwhash_opslimit_moderate","_crypto_pwhash_opslimit_sensitive","_crypto_pwhash_passwd_max","_crypto_pwhash_passwd_min","_crypto_pwhash_primitive","_crypto_pwhash_saltbytes","_crypto_pwhash_scryptsalsa208sha256","_crypto_pwhash_scryptsalsa208sha256_bytes_max","_crypto_pwhash_scryptsalsa208sha256_bytes_min","_crypto_pwhash_scryptsalsa208sha256_ll","_crypto_pwhash_scryptsalsa208sha256_memlimit_interactive","_crypto_pwhash_scryptsalsa208sha256_memlimit_max","_crypto_pwhash_scryptsalsa208sha256_memlimit_min","_crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_opslimit_interactive","_crypto_pwhash_s
cryptsalsa208sha256_opslimit_max","_crypto_pwhash_scryptsalsa208sha256_opslimit_min","_crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_passwd_max","_crypto_pwhash_scryptsalsa208sha256_passwd_min","_crypto_pwhash_scryptsalsa208sha256_saltbytes","_crypto_pwhash_scryptsalsa208sha256_str","_crypto_pwhash_scryptsalsa208sha256_str_needs_rehash","_crypto_pwhash_scryptsalsa208sha256_str_verify","_crypto_pwhash_scryptsalsa208sha256_strbytes","_crypto_pwhash_scryptsalsa208sha256_strprefix","_crypto_pwhash_str","_crypto_pwhash_str_alg","_crypto_pwhash_str_needs_rehash","_crypto_pwhash_str_verify","_crypto_pwhash_strbytes","_crypto_pwhash_strprefix","_crypto_scalarmult","_crypto_scalarmult_base","_crypto_scalarmult_bytes","_crypto_scalarmult_curve25519","_crypto_scalarmult_curve25519_base","_crypto_scalarmult_curve25519_bytes","_crypto_scalarmult_curve25519_scalarbytes","_crypto_scalarmult_primitive","_crypto_scalarmult_scalarbytes","_crypto_secretbox","_crypto_secretbox_boxzerobytes","_crypto_secretbox_detached","_crypto_secretbox_easy","_crypto_secretbox_keybytes","_crypto_secretbox_keygen","_crypto_secretbox_macbytes","_crypto_secretbox_noncebytes","_crypto_secretbox_open","_crypto_secretbox_open_detached","_crypto_secretbox_open_easy","_crypto_secretbox_primitive","_crypto_secretbox_xchacha20poly1305_detached","_crypto_secretbox_xchacha20poly1305_easy","_crypto_secretbox_xchacha20poly1305_keybytes","_crypto_secretbox_xchacha20poly1305_macbytes","_crypto_secretbox_xchacha20poly1305_noncebytes","_crypto_secretbox_xchacha20poly1305_open_detached","_crypto_secretbox_xchacha20poly1305_open_easy","_crypto_secretbox_xsalsa20poly1305","_crypto_secretbox_xsalsa20poly1305_boxzerobytes","_crypto_secretbox_xsalsa20poly1305_keybytes","_crypto_secretbox_xsalsa20poly1305_keygen","_crypto_secretbox_xsalsa20poly1305_macbytes","_crypto_secretbox_xsalsa20poly1305_noncebytes","_crypto_secretbox_xsalsa20poly1305_open","_crypto_secretbox_xsalsa20poly13
05_zerobytes","_crypto_secretbox_zerobytes","_crypto_secretstream_xchacha20poly1305_abytes","_crypto_secretstream_xchacha20poly1305_headerbytes","_crypto_secretstream_xchacha20poly1305_init_pull","_crypto_secretstream_xchacha20poly1305_init_push","_crypto_secretstream_xchacha20poly1305_keybytes","_crypto_secretstream_xchacha20poly1305_keygen","_crypto_secretstream_xchacha20poly1305_messagebytes_max","_crypto_secretstream_xchacha20poly1305_pull","_crypto_secretstream_xchacha20poly1305_push","_crypto_secretstream_xchacha20poly1305_rekey","_crypto_secretstream_xchacha20poly1305_statebytes","_crypto_secretstream_xchacha20poly1305_tag_final","_crypto_secretstream_xchacha20poly1305_tag_message","_crypto_secretstream_xchacha20poly1305_tag_push","_crypto_secretstream_xchacha20poly1305_tag_rekey","_crypto_shorthash","_crypto_shorthash_bytes","_crypto_shorthash_keybytes","_crypto_shorthash_keygen","_crypto_shorthash_primitive","_crypto_shorthash_siphash24","_crypto_shorthash_siphash24_bytes","_crypto_shorthash_siphash24_keybytes","_crypto_shorthash_siphashx24","_crypto_shorthash_siphashx24_bytes","_crypto_shorthash_siphashx24_keybytes","_crypto_sign","_crypto_sign_bytes","_crypto_sign_detached","_crypto_sign_ed25519","_crypto_sign_ed25519_bytes","_crypto_sign_ed25519_detached","_crypto_sign_ed25519_keypair","_crypto_sign_ed25519_open","_crypto_sign_ed25519_pk_to_curve25519","_crypto_sign_ed25519_publickeybytes","_crypto_sign_ed25519_secretkeybytes","_crypto_sign_ed25519_seed_keypair","_crypto_sign_ed25519_seedbytes","_crypto_sign_ed25519_sk_to_curve25519","_crypto_sign_ed25519_sk_to_pk","_crypto_sign_ed25519_sk_to_seed","_crypto_sign_ed25519_verify_detached","_crypto_sign_ed25519ph_final_create","_crypto_sign_ed25519ph_final_verify","_crypto_sign_ed25519ph_init","_crypto_sign_ed25519ph_statebytes","_crypto_sign_ed25519ph_update","_crypto_sign_final_create","_crypto_sign_final_verify","_crypto_sign_init","_crypto_sign_keypair","_crypto_sign_open","_crypto_sign_primitive","_cry
pto_sign_publickeybytes","_crypto_sign_secretkeybytes","_crypto_sign_seed_keypair","_crypto_sign_seedbytes","_crypto_sign_statebytes","_crypto_sign_update","_crypto_sign_verify_detached","_crypto_stream","_crypto_stream_aes128ctr","_crypto_stream_aes128ctr_afternm","_crypto_stream_aes128ctr_beforenm","_crypto_stream_aes128ctr_beforenmbytes","_crypto_stream_aes128ctr_keybytes","_crypto_stream_aes128ctr_noncebytes","_crypto_stream_aes128ctr_xor","_crypto_stream_aes128ctr_xor_afternm","_crypto_stream_chacha20","_crypto_stream_chacha20_ietf","_crypto_stream_chacha20_ietf_keybytes","_crypto_stream_chacha20_ietf_keygen","_crypto_stream_chacha20_ietf_noncebytes","_crypto_stream_chacha20_ietf_xor","_crypto_stream_chacha20_ietf_xor_ic","_crypto_stream_chacha20_keybytes","_crypto_stream_chacha20_keygen","_crypto_stream_chacha20_noncebytes","_crypto_stream_chacha20_xor","_crypto_stream_chacha20_xor_ic","_crypto_stream_keybytes","_crypto_stream_keygen","_crypto_stream_noncebytes","_crypto_stream_primitive","_crypto_stream_salsa20","_crypto_stream_salsa2012","_crypto_stream_salsa2012_keybytes","_crypto_stream_salsa2012_keygen","_crypto_stream_salsa2012_noncebytes","_crypto_stream_salsa2012_xor","_crypto_stream_salsa208","_crypto_stream_salsa208_keybytes","_crypto_stream_salsa208_keygen","_crypto_stream_salsa208_messagebytes_max","_crypto_stream_salsa208_noncebytes","_crypto_stream_salsa208_xor","_crypto_stream_salsa20_keybytes","_crypto_stream_salsa20_keygen","_crypto_stream_salsa20_noncebytes","_crypto_stream_salsa20_xor","_crypto_stream_salsa20_xor_ic","_crypto_stream_xchacha20","_crypto_stream_xchacha20_keybytes","_crypto_stream_xchacha20_keygen","_crypto_stream_xchacha20_noncebytes","_crypto_stream_xchacha20_xor","_crypto_stream_xchacha20_xor_ic","_crypto_stream_xor","_crypto_stream_xsalsa20","_crypto_stream_xsalsa20_keybytes","_crypto_stream_xsalsa20_keygen","_crypto_stream_xsalsa20_noncebytes","_crypto_stream_xsalsa20_xor","_crypto_stream_xsalsa20_xor_ic","_crypto_verify_1
6","_crypto_verify_16_bytes","_crypto_verify_32","_crypto_verify_32_bytes","_crypto_verify_64","_crypto_verify_64_bytes","_randombytes","_randombytes_buf","_randombytes_buf_deterministic","_randombytes_close","_randombytes_implementation_name","_randombytes_random","_randombytes_seedbytes","_randombytes_stir","_randombytes_uniform","_sodium_base642bin","_sodium_base64_encoded_len","_sodium_bin2base64","_sodium_bin2hex","_sodium_hex2bin","_sodium_init","_sodium_library_minimal","_sodium_library_version_major","_sodium_library_version_minor","_sodium_pad","_sodium_unpad","_sodium_version_string"]'
 export LDFLAGS="-s RESERVED_FUNCTION_POINTERS=8"
 export LDFLAGS="${LDFLAGS} -s WASM=1"
-export LDFLAGS="${LDFLAGS} -s NO_DYNAMIC_EXECUTION=1 -s RUNNING_JS_OPTS=1 -s ASSERTIONS=0"
+export LDFLAGS="${LDFLAGS} -s NO_DYNAMIC_EXECUTION=1 -s ASSERTIONS=0"
 export LDFLAGS="${LDFLAGS} -s AGGRESSIVE_VARIABLE_ELIMINATION=1 -s ALIASING_FUNCTION_POINTERS=1"
 export LDFLAGS="${LDFLAGS} -s FUNCTION_POINTER_ALIGNMENT=1 -s DISABLE_EXCEPTION_CATCHING=1"
-export LDFLAGS="${LDFLAGS} -s ELIMINATE_DUPLICATE_FUNCTIONS=1"
 export LDFLAGS="${LDFLAGS} -s ALLOW_MEMORY_GROWTH=1"
 export LDFLAGS_DIST="-s NO_FILESYSTEM=1"
 export CFLAGS="-Os"
@@ -19,21 +16,19 @@ echo
 if [ "x$1" = "x--standard" ]; then
 echo "Building a standard distribution in ${PREFIX}"
 export EXPORTED_FUNCTIONS="$EXPORTED_FUNCTIONS_STANDARD"
- export LDFLAGS="${LDFLAGS} ${LDFLAGS_DIST} -s TOTAL_MEMORY=${TOTAL_MEMORY}"
 export PREFIX="$(pwd)/libsodium-js"
 export DONE_FILE="$(pwd)/js.done"
+ export CONFIG_EXTRA="--enable-minimal"
 export DIST='yes'
 elif [ "x$1" = "x--sumo" ]; then
 echo "Building a sumo distribution in ${PREFIX}"
 export EXPORTED_FUNCTIONS="$EXPORTED_FUNCTIONS_SUMO"
- export LDFLAGS="${LDFLAGS} ${LDFLAGS_DIST} -s TOTAL_MEMORY=${TOTAL_MEMORY_SUMO}"
 export PREFIX="$(pwd)/libsodium-js-sumo"
 export DONE_FILE="$(pwd)/js-sumo.done"
 export DIST='yes'
 elif [ "x$1" = "x--browser-tests" ]; then
 echo "Building tests for web browsers"
 export EXPORTED_FUNCTIONS="$EXPORTED_FUNCTIONS_SUMO"
- export LDFLAGS="${LDFLAGS} -s TOTAL_MEMORY=${TOTAL_MEMORY_SUMO}"
 export PREFIX="$(pwd)/libsodium-js-tests"
 export DONE_FILE="$(pwd)/js-tests-browser.done"
 export BROWSER_TESTS='yes'
@@ -41,8 +36,6 @@ elif [ "x$1" = "x--browser-tests" ]; then
 elif [ "x$1" = "x--tests" ]; then
 echo "Building for testing"
 export EXPORTED_FUNCTIONS="$EXPORTED_FUNCTIONS_SUMO"
- export CFLAGS="${CFLAGS} -s BINARYEN_METHOD='interpret-binary'"
- export LDFLAGS="${LDFLAGS} -s TOTAL_MEMORY=${TOTAL_MEMORY_SUMO}"
 export PREFIX="$(pwd)/libsodium-js-tests"
 export DONE_FILE="$(pwd)/js-tests.done"
 export DIST='no'
@@ -57,7 +50,7 @@ export JS_EXPORTS_FLAGS="-s EXPORTED_FUNCTIONS=${EXPORTED_FUNCTIONS}"
 rm -f "$DONE_FILE"
 echo
-emconfigure ./configure --enable-minimal --disable-shared --prefix="$PREFIX" \
+emconfigure ./configure $CONFIG_EXTRA --disable-shared --prefix="$PREFIX" \
 --without-pthreads CFLAGS="$CFLAGS" && \
 emmake make clean
 [ $? = 0 ] || exit 1
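Review bot: Deleting the `export LDFLAGS="${LDFLAGS} ${LDFLAGS_DIST} -s TOTAL_MEMORY=..."` lines in the `--standard` and `--sumo` branches also removes the only visible uses of `LDFLAGS_DIST`, which the preceding hunk still defines as `-s NO_FILESYSTEM=1`. Unless it is consumed further down outside this view, the two distribution builds are now linked without the `NO_FILESYSTEM` opt-out they had before, so the output grows and carries runtime support the dist builds had deliberately left out. If dropping it is intended, delete the `export LDFLAGS_DIST="-s NO_FILESYSTEM=1"` definition as well so the variable does not read as still in effect; otherwise re-apply it once in each dist branch, `export LDFLAGS="${LDFLAGS} ${LDFLAGS_DIST}"`.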
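Review bot: `$CONFIG_EXTRA` in the new `emconfigure ./configure $CONFIG_EXTRA --disable-shared --prefix="$PREFIX" \` line is assigned only in the `--standard` branch of the `@@ -19,21 +16,19 @@` hunk, so for `--sumo`, `--browser-tests` and `--tests` it takes whatever value the caller's environment happens to carry. A stray `CONFIG_EXTRA` inherited from the invoking shell would then be spliced, unquoted and word-split, into the configure command line without anything in the script noticing; nothing above the branch chain is visible here, so this assumes it is not initialised earlier in the file. Setting the default explicitly just before the chain, `export CONFIG_EXTRA=""` above `if [ "x$1" = "x--standard" ]; then`, closes that gap while keeping the expansion unquoted so an empty value contributes no argument.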
@@ -89,7 +82,6 @@ else
 echo 'node.js not found - test suite skipped' >&2
 exit 1
 fi
- export NODE="${NODE} --expose-wasm"
 echo "Using [${NODE}] as a Javascript runtime"
 echo 'Compiling the test suite...' && \
 emmake make $MAKE_FLAGS check > /dev/null 2>&1
@@ -103,7 +95,9 @@ if [ "x$BROWSER_TESTS" != "x" ]; then
 rm -f browser-wasm/tests.txt && \
 for file in *.js; do
 tname=$(echo "$file" | sed 's/.js$//')
- echo "$tname" | egrep -q '[.]asm$' && continue
+ if echo "$tname" | egrep -q '[.]asm$'; then
+ continue
+ fi
 echo "[${tname}]"
 fgrep -v "#! /usr/bin/env ${NODE}" "$file" > "browser-wasm/${file}"
 cp -f "${tname}.exp" "browser-wasm/${tname}.exp" 2> /dev/null
diff --git a/dist-build/emscripten.sh b/dist-build/emscripten.sh
index ecc10d63..a0fd4acd 100755
--- a/dist-build/emscripten.sh
+++ b/dist-build/emscripten.sh
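Review bot: The new `if echo "$tname" | egrep -q '[.]asm$'; then continue; fi` in the `@@ -103,7 +95,9 @@` hunk (the last one before the dist-build/emscripten.sh header) still forks two processes per test file to check a fixed suffix the shell can match on its own: `case "$tname" in *.asm) continue ;; esac` does the same with no pipeline. The same applies to `tname=$(echo "$file" | sed 's/.js$//')` on the line above it, where `tname="${file%.js}"` is both cheaper and strips exactly `.js` rather than any character followed by `js`. `egrep` and `fgrep` are also the legacy spellings that POSIX does not specify, so the pattern-match form sidesteps that portability question too. The enclosing `for file in *.js; do` loop continues past the end of the hunk.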
@@ -1,8 +1,8 @@ #! /bin/sh export MAKE_FLAGS='-j4' -export EXPORTED_FUNCTIONS_STANDARD='["_crypto_aead_chacha20poly1305_abytes","_crypto_aead_chacha20poly1305_decrypt","_crypto_aead_chacha20poly1305_decrypt_detached","_crypto_aead_chacha20poly1305_encrypt","_crypto_aead_chacha20poly1305_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_abytes","_crypto_aead_chacha20poly1305_ietf_decrypt","_crypto_aead_chacha20poly1305_ietf_decrypt_detached","_crypto_aead_chacha20poly1305_ietf_encrypt","_crypto_aead_chacha20poly1305_ietf_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_keybytes","_crypto_aead_chacha20poly1305_ietf_keygen","_crypto_aead_chacha20poly1305_ietf_npubbytes","_crypto_aead_chacha20poly1305_ietf_nsecbytes","_crypto_aead_chacha20poly1305_keybytes","_crypto_aead_chacha20poly1305_keygen","_crypto_aead_chacha20poly1305_npubbytes","_crypto_aead_chacha20poly1305_nsecbytes","_crypto_aead_xchacha20poly1305_ietf_abytes","_crypto_aead_xchacha20poly1305_ietf_decrypt","_crypto_aead_xchacha20poly1305_ietf_decrypt_detached","_crypto_aead_xchacha20poly1305_ietf_encrypt","_crypto_aead_xchacha20poly1305_ietf_encrypt_detached","_crypto_aead_xchacha20poly1305_ietf_keybytes","_crypto_aead_xchacha20poly1305_ietf_keygen","_crypto_aead_xchacha20poly1305_ietf_npubbytes","_crypto_aead_xchacha20poly1305_ietf_nsecbytes","_crypto_auth","_crypto_auth_bytes","_crypto_auth_keybytes","_crypto_auth_keygen","_crypto_auth_verify","_crypto_box_beforenm","_crypto_box_beforenmbytes","_crypto_box_detached","_crypto_box_detached_afternm","_crypto_box_easy","_crypto_box_easy_afternm","_crypto_box_keypair","_crypto_box_macbytes","_crypto_box_noncebytes","_crypto_box_open_detached","_crypto_box_open_detached_afternm","_crypto_box_open_easy","_crypto_box_open_easy_afternm","_crypto_box_publickeybytes","_crypto_box_seal","_crypto_box_seal_open","_crypto_box_sealbytes","_crypto_box_secretkeybytes","_crypto_box_seed_keypair","_crypto_box_seedbytes","_crypto_core_hchacha20","_crypto_core_hchacha20
_constbytes","_crypto_core_hchacha20_inputbytes","_crypto_core_hchacha20_keybytes","_crypto_core_hchacha20_outputbytes","_crypto_generichash","_crypto_generichash_bytes","_crypto_generichash_bytes_max","_crypto_generichash_bytes_min","_crypto_generichash_final","_crypto_generichash_init","_crypto_generichash_keybytes","_crypto_generichash_keybytes_max","_crypto_generichash_keybytes_min","_crypto_generichash_keygen","_crypto_generichash_statebytes","_crypto_generichash_update","_crypto_hash","_crypto_hash_bytes","_crypto_kdf_bytes_max","_crypto_kdf_bytes_min","_crypto_kdf_contextbytes","_crypto_kdf_derive_from_key","_crypto_kdf_keybytes","_crypto_kdf_keygen","_crypto_kx_client_session_keys","_crypto_kx_keypair","_crypto_kx_publickeybytes","_crypto_kx_secretkeybytes","_crypto_kx_seed_keypair","_crypto_kx_seedbytes","_crypto_kx_server_session_keys","_crypto_kx_sessionkeybytes","_crypto_pwhash_bytes_max","_crypto_pwhash_bytes_min","_crypto_pwhash_memlimit_max","_crypto_pwhash_memlimit_min","_crypto_pwhash_opslimit_max","_crypto_pwhash_opslimit_min","_crypto_pwhash_passwd_max","_crypto_pwhash_passwd_min","_crypto_scalarmult","_crypto_scalarmult_base","_crypto_scalarmult_bytes","_crypto_scalarmult_scalarbytes","_crypto_secretbox_detached","_crypto_secretbox_easy","_crypto_secretbox_keybytes","_crypto_secretbox_keygen","_crypto_secretbox_macbytes","_crypto_secretbox_noncebytes","_crypto_secretbox_open_detached","_crypto_secretbox_open_easy","_crypto_shorthash","_crypto_shorthash_bytes","_crypto_shorthash_keybytes","_crypto_shorthash_keygen","_crypto_sign","_crypto_sign_bytes","_crypto_sign_detached","_crypto_sign_ed25519_pk_to_curve25519","_crypto_sign_ed25519_sk_to_curve25519","_crypto_sign_final_create","_crypto_sign_final_verify","_crypto_sign_init","_crypto_sign_keypair","_crypto_sign_open","_crypto_sign_publickeybytes","_crypto_sign_secretkeybytes","_crypto_sign_seed_keypair","_crypto_sign_seedbytes","_crypto_sign_statebytes","_crypto_sign_update","_crypto_sign_verify
_detached","_crypto_stream_keygen","_randombytes","_randombytes_buf","_randombytes_buf_deterministic","_randombytes_close","_randombytes_random","_randombytes_seedbytes","_randombytes_stir","_randombytes_uniform","_sodium_bin2hex","_sodium_hex2bin","_sodium_init","_sodium_library_minimal","_sodium_library_version_major","_sodium_library_version_minor","_sodium_version_string"]' -export EXPORTED_FUNCTIONS_SUMO='["_crypto_aead_chacha20poly1305_abytes","_crypto_aead_chacha20poly1305_decrypt","_crypto_aead_chacha20poly1305_decrypt_detached","_crypto_aead_chacha20poly1305_encrypt","_crypto_aead_chacha20poly1305_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_abytes","_crypto_aead_chacha20poly1305_ietf_decrypt","_crypto_aead_chacha20poly1305_ietf_decrypt_detached","_crypto_aead_chacha20poly1305_ietf_encrypt","_crypto_aead_chacha20poly1305_ietf_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_keybytes","_crypto_aead_chacha20poly1305_ietf_keygen","_crypto_aead_chacha20poly1305_ietf_npubbytes","_crypto_aead_chacha20poly1305_ietf_nsecbytes","_crypto_aead_chacha20poly1305_keybytes","_crypto_aead_chacha20poly1305_keygen","_crypto_aead_chacha20poly1305_npubbytes","_crypto_aead_chacha20poly1305_nsecbytes","_crypto_aead_xchacha20poly1305_ietf_abytes","_crypto_aead_xchacha20poly1305_ietf_decrypt","_crypto_aead_xchacha20poly1305_ietf_decrypt_detached","_crypto_aead_xchacha20poly1305_ietf_encrypt","_crypto_aead_xchacha20poly1305_ietf_encrypt_detached","_crypto_aead_xchacha20poly1305_ietf_keybytes","_crypto_aead_xchacha20poly1305_ietf_keygen","_crypto_aead_xchacha20poly1305_ietf_npubbytes","_crypto_aead_xchacha20poly1305_ietf_nsecbytes","_crypto_auth","_crypto_auth_bytes","_crypto_auth_hmacsha256","_crypto_auth_hmacsha256_bytes","_crypto_auth_hmacsha256_final","_crypto_auth_hmacsha256_init","_crypto_auth_hmacsha256_keybytes","_crypto_auth_hmacsha256_keygen","_crypto_auth_hmacsha256_statebytes","_crypto_auth_hmacsha256_update","_crypto_auth_hmacsha256_verify","_crypto_auth_h
macsha512","_crypto_auth_hmacsha512256","_crypto_auth_hmacsha512256_bytes","_crypto_auth_hmacsha512256_final","_crypto_auth_hmacsha512256_init","_crypto_auth_hmacsha512256_keybytes","_crypto_auth_hmacsha512256_keygen","_crypto_auth_hmacsha512256_statebytes","_crypto_auth_hmacsha512256_update","_crypto_auth_hmacsha512256_verify","_crypto_auth_hmacsha512_bytes","_crypto_auth_hmacsha512_final","_crypto_auth_hmacsha512_init","_crypto_auth_hmacsha512_keybytes","_crypto_auth_hmacsha512_keygen","_crypto_auth_hmacsha512_statebytes","_crypto_auth_hmacsha512_update","_crypto_auth_hmacsha512_verify","_crypto_auth_keybytes","_crypto_auth_keygen","_crypto_auth_primitive","_crypto_auth_verify","_crypto_box","_crypto_box_afternm","_crypto_box_beforenm","_crypto_box_beforenmbytes","_crypto_box_boxzerobytes","_crypto_box_curve25519xchacha20poly1305_beforenm","_crypto_box_curve25519xchacha20poly1305_beforenmbytes","_crypto_box_curve25519xchacha20poly1305_detached","_crypto_box_curve25519xchacha20poly1305_detached_afternm","_crypto_box_curve25519xchacha20poly1305_easy","_crypto_box_curve25519xchacha20poly1305_easy_afternm","_crypto_box_curve25519xchacha20poly1305_keypair","_crypto_box_curve25519xchacha20poly1305_macbytes","_crypto_box_curve25519xchacha20poly1305_noncebytes","_crypto_box_curve25519xchacha20poly1305_open_detached","_crypto_box_curve25519xchacha20poly1305_open_detached_afternm","_crypto_box_curve25519xchacha20poly1305_open_easy","_crypto_box_curve25519xchacha20poly1305_open_easy_afternm","_crypto_box_curve25519xchacha20poly1305_publickeybytes","_crypto_box_curve25519xchacha20poly1305_seal","_crypto_box_curve25519xchacha20poly1305_seal_open","_crypto_box_curve25519xchacha20poly1305_sealbytes","_crypto_box_curve25519xchacha20poly1305_secretkeybytes","_crypto_box_curve25519xchacha20poly1305_seed_keypair","_crypto_box_curve25519xchacha20poly1305_seedbytes","_crypto_box_curve25519xsalsa20poly1305","_crypto_box_curve25519xsalsa20poly1305_afternm","_crypto_box_curve25519xsalsa2
0poly1305_beforenm","_crypto_box_curve25519xsalsa20poly1305_beforenmbytes","_crypto_box_curve25519xsalsa20poly1305_boxzerobytes","_crypto_box_curve25519xsalsa20poly1305_keypair","_crypto_box_curve25519xsalsa20poly1305_macbytes","_crypto_box_curve25519xsalsa20poly1305_noncebytes","_crypto_box_curve25519xsalsa20poly1305_open","_crypto_box_curve25519xsalsa20poly1305_open_afternm","_crypto_box_curve25519xsalsa20poly1305_publickeybytes","_crypto_box_curve25519xsalsa20poly1305_secretkeybytes","_crypto_box_curve25519xsalsa20poly1305_seed_keypair","_crypto_box_curve25519xsalsa20poly1305_seedbytes","_crypto_box_curve25519xsalsa20poly1305_zerobytes","_crypto_box_detached","_crypto_box_detached_afternm","_crypto_box_easy","_crypto_box_easy_afternm","_crypto_box_keypair","_crypto_box_macbytes","_crypto_box_noncebytes","_crypto_box_open","_crypto_box_open_afternm","_crypto_box_open_detached","_crypto_box_open_detached_afternm","_crypto_box_open_easy","_crypto_box_open_easy_afternm","_crypto_box_primitive","_crypto_box_publickeybytes","_crypto_box_seal","_crypto_box_seal_open","_crypto_box_sealbytes","_crypto_box_secretkeybytes","_crypto_box_seed_keypair","_crypto_box_seedbytes","_crypto_box_zerobytes","_crypto_core_hchacha20","_crypto_core_hchacha20_constbytes","_crypto_core_hchacha20_inputbytes","_crypto_core_hchacha20_keybytes","_crypto_core_hchacha20_outputbytes","_crypto_core_hsalsa20","_crypto_core_hsalsa20_constbytes","_crypto_core_hsalsa20_inputbytes","_crypto_core_hsalsa20_keybytes","_crypto_core_hsalsa20_outputbytes","_crypto_core_salsa20","_crypto_core_salsa2012","_crypto_core_salsa2012_constbytes","_crypto_core_salsa2012_inputbytes","_crypto_core_salsa2012_keybytes","_crypto_core_salsa2012_outputbytes","_crypto_core_salsa208","_crypto_core_salsa208_constbytes","_crypto_core_salsa208_inputbytes","_crypto_core_salsa208_keybytes","_crypto_core_salsa208_outputbytes","_crypto_core_salsa20_constbytes","_crypto_core_salsa20_inputbytes","_crypto_core_salsa20_keybytes","_crypt
o_core_salsa20_outputbytes","_crypto_generichash","_crypto_generichash_blake2b","_crypto_generichash_blake2b_bytes","_crypto_generichash_blake2b_bytes_max","_crypto_generichash_blake2b_bytes_min","_crypto_generichash_blake2b_final","_crypto_generichash_blake2b_init","_crypto_generichash_blake2b_init_salt_personal","_crypto_generichash_blake2b_keybytes","_crypto_generichash_blake2b_keybytes_max","_crypto_generichash_blake2b_keybytes_min","_crypto_generichash_blake2b_keygen","_crypto_generichash_blake2b_personalbytes","_crypto_generichash_blake2b_salt_personal","_crypto_generichash_blake2b_saltbytes","_crypto_generichash_blake2b_statebytes","_crypto_generichash_blake2b_update","_crypto_generichash_bytes","_crypto_generichash_bytes_max","_crypto_generichash_bytes_min","_crypto_generichash_final","_crypto_generichash_init","_crypto_generichash_keybytes","_crypto_generichash_keybytes_max","_crypto_generichash_keybytes_min","_crypto_generichash_keygen","_crypto_generichash_primitive","_crypto_generichash_statebytes","_crypto_generichash_update","_crypto_hash","_crypto_hash_bytes","_crypto_hash_primitive","_crypto_hash_sha256","_crypto_hash_sha256_bytes","_crypto_hash_sha256_final","_crypto_hash_sha256_init","_crypto_hash_sha256_statebytes","_crypto_hash_sha256_update","_crypto_hash_sha512","_crypto_hash_sha512_bytes","_crypto_hash_sha512_final","_crypto_hash_sha512_init","_crypto_hash_sha512_statebytes","_crypto_hash_sha512_update","_crypto_kdf_blake2b_bytes_max","_crypto_kdf_blake2b_bytes_min","_crypto_kdf_blake2b_contextbytes","_crypto_kdf_blake2b_derive_from_key","_crypto_kdf_blake2b_keybytes","_crypto_kdf_bytes_max","_crypto_kdf_bytes_min","_crypto_kdf_contextbytes","_crypto_kdf_derive_from_key","_crypto_kdf_keybytes","_crypto_kdf_keygen","_crypto_kdf_primitive","_crypto_kx_client_session_keys","_crypto_kx_keypair","_crypto_kx_primitive","_crypto_kx_publickeybytes","_crypto_kx_secretkeybytes","_crypto_kx_seed_keypair","_crypto_kx_seedbytes","_crypto_kx_server_session_
keys","_crypto_kx_sessionkeybytes","_crypto_onetimeauth","_crypto_onetimeauth_bytes","_crypto_onetimeauth_final","_crypto_onetimeauth_init","_crypto_onetimeauth_keybytes","_crypto_onetimeauth_keygen","_crypto_onetimeauth_poly1305","_crypto_onetimeauth_poly1305_bytes","_crypto_onetimeauth_poly1305_final","_crypto_onetimeauth_poly1305_init","_crypto_onetimeauth_poly1305_keybytes","_crypto_onetimeauth_poly1305_keygen","_crypto_onetimeauth_poly1305_statebytes","_crypto_onetimeauth_poly1305_update","_crypto_onetimeauth_poly1305_verify","_crypto_onetimeauth_primitive","_crypto_onetimeauth_statebytes","_crypto_onetimeauth_update","_crypto_onetimeauth_verify","_crypto_pwhash","_crypto_pwhash_alg_argon2i13","_crypto_pwhash_alg_argon2id13","_crypto_pwhash_alg_default","_crypto_pwhash_argon2i","_crypto_pwhash_argon2i_alg_argon2i13","_crypto_pwhash_argon2i_bytes_max","_crypto_pwhash_argon2i_bytes_min","_crypto_pwhash_argon2i_memlimit_interactive","_crypto_pwhash_argon2i_memlimit_max","_crypto_pwhash_argon2i_memlimit_min","_crypto_pwhash_argon2i_memlimit_moderate","_crypto_pwhash_argon2i_memlimit_sensitive","_crypto_pwhash_argon2i_opslimit_interactive","_crypto_pwhash_argon2i_opslimit_max","_crypto_pwhash_argon2i_opslimit_min","_crypto_pwhash_argon2i_opslimit_moderate","_crypto_pwhash_argon2i_opslimit_sensitive","_crypto_pwhash_argon2i_passwd_max","_crypto_pwhash_argon2i_passwd_min","_crypto_pwhash_argon2i_saltbytes","_crypto_pwhash_argon2i_str","_crypto_pwhash_argon2i_str_verify","_crypto_pwhash_argon2i_strbytes","_crypto_pwhash_argon2i_strprefix","_crypto_pwhash_argon2id","_crypto_pwhash_argon2id_alg_argon2id13","_crypto_pwhash_argon2id_bytes_max","_crypto_pwhash_argon2id_bytes_min","_crypto_pwhash_argon2id_memlimit_interactive","_crypto_pwhash_argon2id_memlimit_max","_crypto_pwhash_argon2id_memlimit_min","_crypto_pwhash_argon2id_memlimit_moderate","_crypto_pwhash_argon2id_memlimit_sensitive","_crypto_pwhash_argon2id_opslimit_interactive","_crypto_pwhash_argon2id_opslimit_max"
,"_crypto_pwhash_argon2id_opslimit_min","_crypto_pwhash_argon2id_opslimit_moderate","_crypto_pwhash_argon2id_opslimit_sensitive","_crypto_pwhash_argon2id_passwd_max","_crypto_pwhash_argon2id_passwd_min","_crypto_pwhash_argon2id_saltbytes","_crypto_pwhash_argon2id_str","_crypto_pwhash_argon2id_str_verify","_crypto_pwhash_argon2id_strbytes","_crypto_pwhash_argon2id_strprefix","_crypto_pwhash_bytes_max","_crypto_pwhash_bytes_min","_crypto_pwhash_memlimit_interactive","_crypto_pwhash_memlimit_max","_crypto_pwhash_memlimit_min","_crypto_pwhash_memlimit_moderate","_crypto_pwhash_memlimit_sensitive","_crypto_pwhash_opslimit_interactive","_crypto_pwhash_opslimit_max","_crypto_pwhash_opslimit_min","_crypto_pwhash_opslimit_moderate","_crypto_pwhash_opslimit_sensitive","_crypto_pwhash_passwd_max","_crypto_pwhash_passwd_min","_crypto_pwhash_primitive","_crypto_pwhash_saltbytes","_crypto_pwhash_scryptsalsa208sha256","_crypto_pwhash_scryptsalsa208sha256_bytes_max","_crypto_pwhash_scryptsalsa208sha256_bytes_min","_crypto_pwhash_scryptsalsa208sha256_ll","_crypto_pwhash_scryptsalsa208sha256_memlimit_interactive","_crypto_pwhash_scryptsalsa208sha256_memlimit_max","_crypto_pwhash_scryptsalsa208sha256_memlimit_min","_crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_opslimit_interactive","_crypto_pwhash_scryptsalsa208sha256_opslimit_max","_crypto_pwhash_scryptsalsa208sha256_opslimit_min","_crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_passwd_max","_crypto_pwhash_scryptsalsa208sha256_passwd_min","_crypto_pwhash_scryptsalsa208sha256_saltbytes","_crypto_pwhash_scryptsalsa208sha256_str","_crypto_pwhash_scryptsalsa208sha256_str_verify","_crypto_pwhash_scryptsalsa208sha256_strbytes","_crypto_pwhash_scryptsalsa208sha256_strprefix","_crypto_pwhash_str","_crypto_pwhash_str_verify","_crypto_pwhash_strbytes","_crypto_pwhash_strprefix","_crypto_scalarmult","_crypto_scalarmult_base","_crypto_scalarmult_bytes","_
crypto_scalarmult_curve25519","_crypto_scalarmult_curve25519_base","_crypto_scalarmult_curve25519_bytes","_crypto_scalarmult_curve25519_scalarbytes","_crypto_scalarmult_primitive","_crypto_scalarmult_scalarbytes","_crypto_secretbox","_crypto_secretbox_boxzerobytes","_crypto_secretbox_detached","_crypto_secretbox_easy","_crypto_secretbox_keybytes","_crypto_secretbox_keygen","_crypto_secretbox_macbytes","_crypto_secretbox_noncebytes","_crypto_secretbox_open","_crypto_secretbox_open_detached","_crypto_secretbox_open_easy","_crypto_secretbox_primitive","_crypto_secretbox_xchacha20poly1305_detached","_crypto_secretbox_xchacha20poly1305_easy","_crypto_secretbox_xchacha20poly1305_keybytes","_crypto_secretbox_xchacha20poly1305_macbytes","_crypto_secretbox_xchacha20poly1305_noncebytes","_crypto_secretbox_xchacha20poly1305_open_detached","_crypto_secretbox_xchacha20poly1305_open_easy","_crypto_secretbox_xsalsa20poly1305","_crypto_secretbox_xsalsa20poly1305_boxzerobytes","_crypto_secretbox_xsalsa20poly1305_keybytes","_crypto_secretbox_xsalsa20poly1305_keygen","_crypto_secretbox_xsalsa20poly1305_macbytes","_crypto_secretbox_xsalsa20poly1305_noncebytes","_crypto_secretbox_xsalsa20poly1305_open","_crypto_secretbox_xsalsa20poly1305_zerobytes","_crypto_secretbox_zerobytes","_crypto_shorthash","_crypto_shorthash_bytes","_crypto_shorthash_keybytes","_crypto_shorthash_keygen","_crypto_shorthash_primitive","_crypto_shorthash_siphash24","_crypto_shorthash_siphash24_bytes","_crypto_shorthash_siphash24_keybytes","_crypto_shorthash_siphashx24","_crypto_shorthash_siphashx24_bytes","_crypto_shorthash_siphashx24_keybytes","_crypto_sign","_crypto_sign_bytes","_crypto_sign_detached","_crypto_sign_ed25519","_crypto_sign_ed25519_bytes","_crypto_sign_ed25519_detached","_crypto_sign_ed25519_keypair","_crypto_sign_ed25519_open","_crypto_sign_ed25519_pk_to_curve25519","_crypto_sign_ed25519_publickeybytes","_crypto_sign_ed25519_secretkeybytes","_crypto_sign_ed25519_seed_keypair","_crypto_sign_ed25519_
seedbytes","_crypto_sign_ed25519_sk_to_curve25519","_crypto_sign_ed25519_sk_to_pk","_crypto_sign_ed25519_sk_to_seed","_crypto_sign_ed25519_verify_detached","_crypto_sign_ed25519ph_final_create","_crypto_sign_ed25519ph_final_verify","_crypto_sign_ed25519ph_init","_crypto_sign_ed25519ph_statebytes","_crypto_sign_ed25519ph_update","_crypto_sign_final_create","_crypto_sign_final_verify","_crypto_sign_init","_crypto_sign_keypair","_crypto_sign_open","_crypto_sign_primitive","_crypto_sign_publickeybytes","_crypto_sign_secretkeybytes","_crypto_sign_seed_keypair","_crypto_sign_seedbytes","_crypto_sign_statebytes","_crypto_sign_update","_crypto_sign_verify_detached","_crypto_stream","_crypto_stream_aes128ctr","_crypto_stream_aes128ctr_afternm","_crypto_stream_aes128ctr_beforenm","_crypto_stream_aes128ctr_beforenmbytes","_crypto_stream_aes128ctr_keybytes","_crypto_stream_aes128ctr_noncebytes","_crypto_stream_aes128ctr_xor","_crypto_stream_aes128ctr_xor_afternm","_crypto_stream_chacha20","_crypto_stream_chacha20_ietf","_crypto_stream_chacha20_ietf_keybytes","_crypto_stream_chacha20_ietf_keygen","_crypto_stream_chacha20_ietf_noncebytes","_crypto_stream_chacha20_ietf_xor","_crypto_stream_chacha20_ietf_xor_ic","_crypto_stream_chacha20_keybytes","_crypto_stream_chacha20_keygen","_crypto_stream_chacha20_noncebytes","_crypto_stream_chacha20_xor","_crypto_stream_chacha20_xor_ic","_crypto_stream_keybytes","_crypto_stream_keygen","_crypto_stream_noncebytes","_crypto_stream_primitive","_crypto_stream_salsa20","_crypto_stream_salsa2012","_crypto_stream_salsa2012_keybytes","_crypto_stream_salsa2012_keygen","_crypto_stream_salsa2012_noncebytes","_crypto_stream_salsa2012_xor","_crypto_stream_salsa208","_crypto_stream_salsa208_keybytes","_crypto_stream_salsa208_keygen","_crypto_stream_salsa208_noncebytes","_crypto_stream_salsa208_xor","_crypto_stream_salsa20_keybytes","_crypto_stream_salsa20_keygen","_crypto_stream_salsa20_noncebytes","_crypto_stream_salsa20_xor","_crypto_stream_salsa20_xor_
ic","_crypto_stream_xchacha20","_crypto_stream_xchacha20_keybytes","_crypto_stream_xchacha20_keygen","_crypto_stream_xchacha20_noncebytes","_crypto_stream_xchacha20_xor","_crypto_stream_xchacha20_xor_ic","_crypto_stream_xor","_crypto_stream_xsalsa20","_crypto_stream_xsalsa20_keybytes","_crypto_stream_xsalsa20_keygen","_crypto_stream_xsalsa20_noncebytes","_crypto_stream_xsalsa20_xor","_crypto_stream_xsalsa20_xor_ic","_crypto_verify_16","_crypto_verify_16_bytes","_crypto_verify_32","_crypto_verify_32_bytes","_crypto_verify_64","_crypto_verify_64_bytes","_randombytes","_randombytes_buf","_randombytes_buf_deterministic","_randombytes_close","_randombytes_implementation_name","_randombytes_random","_randombytes_seedbytes","_randombytes_stir","_randombytes_uniform","_sodium_bin2hex","_sodium_hex2bin","_sodium_init","_sodium_library_minimal","_sodium_library_version_major","_sodium_library_version_minor","_sodium_version_string"]' +export EXPORTED_FUNCTIONS_STANDARD='["_crypto_aead_chacha20poly1305_abytes","_crypto_aead_chacha20poly1305_decrypt","_crypto_aead_chacha20poly1305_decrypt_detached","_crypto_aead_chacha20poly1305_encrypt","_crypto_aead_chacha20poly1305_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_abytes","_crypto_aead_chacha20poly1305_ietf_decrypt","_crypto_aead_chacha20poly1305_ietf_decrypt_detached","_crypto_aead_chacha20poly1305_ietf_encrypt","_crypto_aead_chacha20poly1305_ietf_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_keybytes","_crypto_aead_chacha20poly1305_ietf_keygen","_crypto_aead_chacha20poly1305_ietf_npubbytes","_crypto_aead_chacha20poly1305_ietf_nsecbytes","_crypto_aead_chacha20poly1305_keybytes","_crypto_aead_chacha20poly1305_keygen","_crypto_aead_chacha20poly1305_npubbytes","_crypto_aead_chacha20poly1305_nsecbytes","_crypto_aead_xchacha20poly1305_ietf_abytes","_crypto_aead_xchacha20poly1305_ietf_decrypt","_crypto_aead_xchacha20poly1305_ietf_decrypt_detached","_crypto_aead_xchacha20poly1305_ietf_encrypt","_crypto_aead_xchacha20po
ly1305_ietf_encrypt_detached","_crypto_aead_xchacha20poly1305_ietf_keybytes","_crypto_aead_xchacha20poly1305_ietf_keygen","_crypto_aead_xchacha20poly1305_ietf_npubbytes","_crypto_aead_xchacha20poly1305_ietf_nsecbytes","_crypto_auth","_crypto_auth_bytes","_crypto_auth_keybytes","_crypto_auth_keygen","_crypto_auth_verify","_crypto_box_beforenm","_crypto_box_beforenmbytes","_crypto_box_detached","_crypto_box_detached_afternm","_crypto_box_easy","_crypto_box_easy_afternm","_crypto_box_keypair","_crypto_box_macbytes","_crypto_box_noncebytes","_crypto_box_open_detached","_crypto_box_open_detached_afternm","_crypto_box_open_easy","_crypto_box_open_easy_afternm","_crypto_box_publickeybytes","_crypto_box_seal","_crypto_box_seal_open","_crypto_box_sealbytes","_crypto_box_secretkeybytes","_crypto_box_seed_keypair","_crypto_box_seedbytes","_crypto_core_hchacha20","_crypto_core_hchacha20_constbytes","_crypto_core_hchacha20_inputbytes","_crypto_core_hchacha20_keybytes","_crypto_core_hchacha20_outputbytes","_crypto_generichash","_crypto_generichash_bytes","_crypto_generichash_bytes_max","_crypto_generichash_bytes_min","_crypto_generichash_final","_crypto_generichash_init","_crypto_generichash_keybytes","_crypto_generichash_keybytes_max","_crypto_generichash_keybytes_min","_crypto_generichash_keygen","_crypto_generichash_statebytes","_crypto_generichash_update","_crypto_hash","_crypto_hash_bytes","_crypto_kdf_bytes_max","_crypto_kdf_bytes_min","_crypto_kdf_contextbytes","_crypto_kdf_derive_from_key","_crypto_kdf_keybytes","_crypto_kdf_keygen","_crypto_kx_client_session_keys","_crypto_kx_keypair","_crypto_kx_publickeybytes","_crypto_kx_secretkeybytes","_crypto_kx_seed_keypair","_crypto_kx_seedbytes","_crypto_kx_server_session_keys","_crypto_kx_sessionkeybytes","_crypto_scalarmult","_crypto_scalarmult_base","_crypto_scalarmult_bytes","_crypto_scalarmult_scalarbytes","_crypto_secretbox_detached","_crypto_secretbox_easy","_crypto_secretbox_keybytes","_crypto_secretbox_keygen","_crypto_
secretbox_macbytes","_crypto_secretbox_noncebytes","_crypto_secretbox_open_detached","_crypto_secretbox_open_easy","_crypto_secretstream_xchacha20poly1305_abytes","_crypto_secretstream_xchacha20poly1305_headerbytes","_crypto_secretstream_xchacha20poly1305_init_pull","_crypto_secretstream_xchacha20poly1305_init_push","_crypto_secretstream_xchacha20poly1305_keybytes","_crypto_secretstream_xchacha20poly1305_keygen","_crypto_secretstream_xchacha20poly1305_messagebytes_max","_crypto_secretstream_xchacha20poly1305_pull","_crypto_secretstream_xchacha20poly1305_push","_crypto_secretstream_xchacha20poly1305_rekey","_crypto_secretstream_xchacha20poly1305_statebytes","_crypto_secretstream_xchacha20poly1305_tag_final","_crypto_secretstream_xchacha20poly1305_tag_message","_crypto_secretstream_xchacha20poly1305_tag_push","_crypto_secretstream_xchacha20poly1305_tag_rekey","_crypto_shorthash","_crypto_shorthash_bytes","_crypto_shorthash_keybytes","_crypto_shorthash_keygen","_crypto_sign","_crypto_sign_bytes","_crypto_sign_detached","_crypto_sign_ed25519_pk_to_curve25519","_crypto_sign_ed25519_sk_to_curve25519","_crypto_sign_final_create","_crypto_sign_final_verify","_crypto_sign_init","_crypto_sign_keypair","_crypto_sign_open","_crypto_sign_publickeybytes","_crypto_sign_secretkeybytes","_crypto_sign_seed_keypair","_crypto_sign_seedbytes","_crypto_sign_statebytes","_crypto_sign_update","_crypto_sign_verify_detached","_crypto_stream_keygen","_randombytes","_randombytes_buf","_randombytes_buf_deterministic","_randombytes_close","_randombytes_random","_randombytes_seedbytes","_randombytes_stir","_randombytes_uniform","_sodium_base642bin","_sodium_base64_encoded_len","_sodium_bin2base64","_sodium_bin2hex","_sodium_hex2bin","_sodium_init","_sodium_library_minimal","_sodium_library_version_major","_sodium_library_version_minor","_sodium_pad","_sodium_unpad","_sodium_version_string"]' +export 
EXPORTED_FUNCTIONS_SUMO='["_crypto_aead_chacha20poly1305_abytes","_crypto_aead_chacha20poly1305_decrypt","_crypto_aead_chacha20poly1305_decrypt_detached","_crypto_aead_chacha20poly1305_encrypt","_crypto_aead_chacha20poly1305_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_abytes","_crypto_aead_chacha20poly1305_ietf_decrypt","_crypto_aead_chacha20poly1305_ietf_decrypt_detached","_crypto_aead_chacha20poly1305_ietf_encrypt","_crypto_aead_chacha20poly1305_ietf_encrypt_detached","_crypto_aead_chacha20poly1305_ietf_keybytes","_crypto_aead_chacha20poly1305_ietf_keygen","_crypto_aead_chacha20poly1305_ietf_npubbytes","_crypto_aead_chacha20poly1305_ietf_nsecbytes","_crypto_aead_chacha20poly1305_keybytes","_crypto_aead_chacha20poly1305_keygen","_crypto_aead_chacha20poly1305_npubbytes","_crypto_aead_chacha20poly1305_nsecbytes","_crypto_aead_xchacha20poly1305_ietf_abytes","_crypto_aead_xchacha20poly1305_ietf_decrypt","_crypto_aead_xchacha20poly1305_ietf_decrypt_detached","_crypto_aead_xchacha20poly1305_ietf_encrypt","_crypto_aead_xchacha20poly1305_ietf_encrypt_detached","_crypto_aead_xchacha20poly1305_ietf_keybytes","_crypto_aead_xchacha20poly1305_ietf_keygen","_crypto_aead_xchacha20poly1305_ietf_npubbytes","_crypto_aead_xchacha20poly1305_ietf_nsecbytes","_crypto_auth","_crypto_auth_bytes","_crypto_auth_hmacsha256","_crypto_auth_hmacsha256_bytes","_crypto_auth_hmacsha256_final","_crypto_auth_hmacsha256_init","_crypto_auth_hmacsha256_keybytes","_crypto_auth_hmacsha256_keygen","_crypto_auth_hmacsha256_statebytes","_crypto_auth_hmacsha256_update","_crypto_auth_hmacsha256_verify","_crypto_auth_hmacsha512","_crypto_auth_hmacsha512256","_crypto_auth_hmacsha512256_bytes","_crypto_auth_hmacsha512256_final","_crypto_auth_hmacsha512256_init","_crypto_auth_hmacsha512256_keybytes","_crypto_auth_hmacsha512256_keygen","_crypto_auth_hmacsha512256_statebytes","_crypto_auth_hmacsha512256_update","_crypto_auth_hmacsha512256_verify","_crypto_auth_hmacsha512_bytes","_crypto_auth_hmacsha512_fi
nal","_crypto_auth_hmacsha512_init","_crypto_auth_hmacsha512_keybytes","_crypto_auth_hmacsha512_keygen","_crypto_auth_hmacsha512_statebytes","_crypto_auth_hmacsha512_update","_crypto_auth_hmacsha512_verify","_crypto_auth_keybytes","_crypto_auth_keygen","_crypto_auth_primitive","_crypto_auth_verify","_crypto_box","_crypto_box_afternm","_crypto_box_beforenm","_crypto_box_beforenmbytes","_crypto_box_boxzerobytes","_crypto_box_curve25519xchacha20poly1305_beforenm","_crypto_box_curve25519xchacha20poly1305_beforenmbytes","_crypto_box_curve25519xchacha20poly1305_detached","_crypto_box_curve25519xchacha20poly1305_detached_afternm","_crypto_box_curve25519xchacha20poly1305_easy","_crypto_box_curve25519xchacha20poly1305_easy_afternm","_crypto_box_curve25519xchacha20poly1305_keypair","_crypto_box_curve25519xchacha20poly1305_macbytes","_crypto_box_curve25519xchacha20poly1305_noncebytes","_crypto_box_curve25519xchacha20poly1305_open_detached","_crypto_box_curve25519xchacha20poly1305_open_detached_afternm","_crypto_box_curve25519xchacha20poly1305_open_easy","_crypto_box_curve25519xchacha20poly1305_open_easy_afternm","_crypto_box_curve25519xchacha20poly1305_publickeybytes","_crypto_box_curve25519xchacha20poly1305_seal","_crypto_box_curve25519xchacha20poly1305_seal_open","_crypto_box_curve25519xchacha20poly1305_sealbytes","_crypto_box_curve25519xchacha20poly1305_secretkeybytes","_crypto_box_curve25519xchacha20poly1305_seed_keypair","_crypto_box_curve25519xchacha20poly1305_seedbytes","_crypto_box_curve25519xsalsa20poly1305","_crypto_box_curve25519xsalsa20poly1305_afternm","_crypto_box_curve25519xsalsa20poly1305_beforenm","_crypto_box_curve25519xsalsa20poly1305_beforenmbytes","_crypto_box_curve25519xsalsa20poly1305_boxzerobytes","_crypto_box_curve25519xsalsa20poly1305_keypair","_crypto_box_curve25519xsalsa20poly1305_macbytes","_crypto_box_curve25519xsalsa20poly1305_noncebytes","_crypto_box_curve25519xsalsa20poly1305_open","_crypto_box_curve25519xsalsa20poly1305_open_afternm","_crypto_
box_curve25519xsalsa20poly1305_publickeybytes","_crypto_box_curve25519xsalsa20poly1305_secretkeybytes","_crypto_box_curve25519xsalsa20poly1305_seed_keypair","_crypto_box_curve25519xsalsa20poly1305_seedbytes","_crypto_box_curve25519xsalsa20poly1305_zerobytes","_crypto_box_detached","_crypto_box_detached_afternm","_crypto_box_easy","_crypto_box_easy_afternm","_crypto_box_keypair","_crypto_box_macbytes","_crypto_box_noncebytes","_crypto_box_open","_crypto_box_open_afternm","_crypto_box_open_detached","_crypto_box_open_detached_afternm","_crypto_box_open_easy","_crypto_box_open_easy_afternm","_crypto_box_primitive","_crypto_box_publickeybytes","_crypto_box_seal","_crypto_box_seal_open","_crypto_box_sealbytes","_crypto_box_secretkeybytes","_crypto_box_seed_keypair","_crypto_box_seedbytes","_crypto_box_zerobytes","_crypto_core_hchacha20","_crypto_core_hchacha20_constbytes","_crypto_core_hchacha20_inputbytes","_crypto_core_hchacha20_keybytes","_crypto_core_hchacha20_outputbytes","_crypto_core_hsalsa20","_crypto_core_hsalsa20_constbytes","_crypto_core_hsalsa20_inputbytes","_crypto_core_hsalsa20_keybytes","_crypto_core_hsalsa20_outputbytes","_crypto_core_salsa20","_crypto_core_salsa2012","_crypto_core_salsa2012_constbytes","_crypto_core_salsa2012_inputbytes","_crypto_core_salsa2012_keybytes","_crypto_core_salsa2012_outputbytes","_crypto_core_salsa208","_crypto_core_salsa208_constbytes","_crypto_core_salsa208_inputbytes","_crypto_core_salsa208_keybytes","_crypto_core_salsa208_outputbytes","_crypto_core_salsa20_constbytes","_crypto_core_salsa20_inputbytes","_crypto_core_salsa20_keybytes","_crypto_core_salsa20_outputbytes","_crypto_generichash","_crypto_generichash_blake2b","_crypto_generichash_blake2b_bytes","_crypto_generichash_blake2b_bytes_max","_crypto_generichash_blake2b_bytes_min","_crypto_generichash_blake2b_final","_crypto_generichash_blake2b_init","_crypto_generichash_blake2b_init_salt_personal","_crypto_generichash_blake2b_keybytes","_crypto_generichash_blake2b_keyby
tes_max","_crypto_generichash_blake2b_keybytes_min","_crypto_generichash_blake2b_keygen","_crypto_generichash_blake2b_personalbytes","_crypto_generichash_blake2b_salt_personal","_crypto_generichash_blake2b_saltbytes","_crypto_generichash_blake2b_statebytes","_crypto_generichash_blake2b_update","_crypto_generichash_bytes","_crypto_generichash_bytes_max","_crypto_generichash_bytes_min","_crypto_generichash_final","_crypto_generichash_init","_crypto_generichash_keybytes","_crypto_generichash_keybytes_max","_crypto_generichash_keybytes_min","_crypto_generichash_keygen","_crypto_generichash_primitive","_crypto_generichash_statebytes","_crypto_generichash_update","_crypto_hash","_crypto_hash_bytes","_crypto_hash_primitive","_crypto_hash_sha256","_crypto_hash_sha256_bytes","_crypto_hash_sha256_final","_crypto_hash_sha256_init","_crypto_hash_sha256_statebytes","_crypto_hash_sha256_update","_crypto_hash_sha512","_crypto_hash_sha512_bytes","_crypto_hash_sha512_final","_crypto_hash_sha512_init","_crypto_hash_sha512_statebytes","_crypto_hash_sha512_update","_crypto_kdf_blake2b_bytes_max","_crypto_kdf_blake2b_bytes_min","_crypto_kdf_blake2b_contextbytes","_crypto_kdf_blake2b_derive_from_key","_crypto_kdf_blake2b_keybytes","_crypto_kdf_bytes_max","_crypto_kdf_bytes_min","_crypto_kdf_contextbytes","_crypto_kdf_derive_from_key","_crypto_kdf_keybytes","_crypto_kdf_keygen","_crypto_kdf_primitive","_crypto_kx_client_session_keys","_crypto_kx_keypair","_crypto_kx_primitive","_crypto_kx_publickeybytes","_crypto_kx_secretkeybytes","_crypto_kx_seed_keypair","_crypto_kx_seedbytes","_crypto_kx_server_session_keys","_crypto_kx_sessionkeybytes","_crypto_onetimeauth","_crypto_onetimeauth_bytes","_crypto_onetimeauth_final","_crypto_onetimeauth_init","_crypto_onetimeauth_keybytes","_crypto_onetimeauth_keygen","_crypto_onetimeauth_poly1305","_crypto_onetimeauth_poly1305_bytes","_crypto_onetimeauth_poly1305_final","_crypto_onetimeauth_poly1305_init","_crypto_onetimeauth_poly1305_keybytes","_crypto
_onetimeauth_poly1305_keygen","_crypto_onetimeauth_poly1305_statebytes","_crypto_onetimeauth_poly1305_update","_crypto_onetimeauth_poly1305_verify","_crypto_onetimeauth_primitive","_crypto_onetimeauth_statebytes","_crypto_onetimeauth_update","_crypto_onetimeauth_verify","_crypto_pwhash","_crypto_pwhash_alg_argon2i13","_crypto_pwhash_alg_argon2id13","_crypto_pwhash_alg_default","_crypto_pwhash_argon2i","_crypto_pwhash_argon2i_alg_argon2i13","_crypto_pwhash_argon2i_bytes_max","_crypto_pwhash_argon2i_bytes_min","_crypto_pwhash_argon2i_memlimit_interactive","_crypto_pwhash_argon2i_memlimit_max","_crypto_pwhash_argon2i_memlimit_min","_crypto_pwhash_argon2i_memlimit_moderate","_crypto_pwhash_argon2i_memlimit_sensitive","_crypto_pwhash_argon2i_opslimit_interactive","_crypto_pwhash_argon2i_opslimit_max","_crypto_pwhash_argon2i_opslimit_min","_crypto_pwhash_argon2i_opslimit_moderate","_crypto_pwhash_argon2i_opslimit_sensitive","_crypto_pwhash_argon2i_passwd_max","_crypto_pwhash_argon2i_passwd_min","_crypto_pwhash_argon2i_saltbytes","_crypto_pwhash_argon2i_str","_crypto_pwhash_argon2i_str_needs_rehash","_crypto_pwhash_argon2i_str_verify","_crypto_pwhash_argon2i_strbytes","_crypto_pwhash_argon2i_strprefix","_crypto_pwhash_argon2id","_crypto_pwhash_argon2id_alg_argon2id13","_crypto_pwhash_argon2id_bytes_max","_crypto_pwhash_argon2id_bytes_min","_crypto_pwhash_argon2id_memlimit_interactive","_crypto_pwhash_argon2id_memlimit_max","_crypto_pwhash_argon2id_memlimit_min","_crypto_pwhash_argon2id_memlimit_moderate","_crypto_pwhash_argon2id_memlimit_sensitive","_crypto_pwhash_argon2id_opslimit_interactive","_crypto_pwhash_argon2id_opslimit_max","_crypto_pwhash_argon2id_opslimit_min","_crypto_pwhash_argon2id_opslimit_moderate","_crypto_pwhash_argon2id_opslimit_sensitive","_crypto_pwhash_argon2id_passwd_max","_crypto_pwhash_argon2id_passwd_min","_crypto_pwhash_argon2id_saltbytes","_crypto_pwhash_argon2id_str","_crypto_pwhash_argon2id_str_needs_rehash","_crypto_pwhash_argon2id_str_verify
","_crypto_pwhash_argon2id_strbytes","_crypto_pwhash_argon2id_strprefix","_crypto_pwhash_bytes_max","_crypto_pwhash_bytes_min","_crypto_pwhash_memlimit_interactive","_crypto_pwhash_memlimit_max","_crypto_pwhash_memlimit_min","_crypto_pwhash_memlimit_moderate","_crypto_pwhash_memlimit_sensitive","_crypto_pwhash_opslimit_interactive","_crypto_pwhash_opslimit_max","_crypto_pwhash_opslimit_min","_crypto_pwhash_opslimit_moderate","_crypto_pwhash_opslimit_sensitive","_crypto_pwhash_passwd_max","_crypto_pwhash_passwd_min","_crypto_pwhash_primitive","_crypto_pwhash_saltbytes","_crypto_pwhash_scryptsalsa208sha256","_crypto_pwhash_scryptsalsa208sha256_bytes_max","_crypto_pwhash_scryptsalsa208sha256_bytes_min","_crypto_pwhash_scryptsalsa208sha256_ll","_crypto_pwhash_scryptsalsa208sha256_memlimit_interactive","_crypto_pwhash_scryptsalsa208sha256_memlimit_max","_crypto_pwhash_scryptsalsa208sha256_memlimit_min","_crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_opslimit_interactive","_crypto_pwhash_scryptsalsa208sha256_opslimit_max","_crypto_pwhash_scryptsalsa208sha256_opslimit_min","_crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive","_crypto_pwhash_scryptsalsa208sha256_passwd_max","_crypto_pwhash_scryptsalsa208sha256_passwd_min","_crypto_pwhash_scryptsalsa208sha256_saltbytes","_crypto_pwhash_scryptsalsa208sha256_str","_crypto_pwhash_scryptsalsa208sha256_str_needs_rehash","_crypto_pwhash_scryptsalsa208sha256_str_verify","_crypto_pwhash_scryptsalsa208sha256_strbytes","_crypto_pwhash_scryptsalsa208sha256_strprefix","_crypto_pwhash_str","_crypto_pwhash_str_alg","_crypto_pwhash_str_needs_rehash","_crypto_pwhash_str_verify","_crypto_pwhash_strbytes","_crypto_pwhash_strprefix","_crypto_scalarmult","_crypto_scalarmult_base","_crypto_scalarmult_bytes","_crypto_scalarmult_curve25519","_crypto_scalarmult_curve25519_base","_crypto_scalarmult_curve25519_bytes","_crypto_scalarmult_curve25519_scalarbytes","_crypto_scalarmult_primitive","_crypto_s
calarmult_scalarbytes","_crypto_secretbox","_crypto_secretbox_boxzerobytes","_crypto_secretbox_detached","_crypto_secretbox_easy","_crypto_secretbox_keybytes","_crypto_secretbox_keygen","_crypto_secretbox_macbytes","_crypto_secretbox_noncebytes","_crypto_secretbox_open","_crypto_secretbox_open_detached","_crypto_secretbox_open_easy","_crypto_secretbox_primitive","_crypto_secretbox_xchacha20poly1305_detached","_crypto_secretbox_xchacha20poly1305_easy","_crypto_secretbox_xchacha20poly1305_keybytes","_crypto_secretbox_xchacha20poly1305_macbytes","_crypto_secretbox_xchacha20poly1305_noncebytes","_crypto_secretbox_xchacha20poly1305_open_detached","_crypto_secretbox_xchacha20poly1305_open_easy","_crypto_secretbox_xsalsa20poly1305","_crypto_secretbox_xsalsa20poly1305_boxzerobytes","_crypto_secretbox_xsalsa20poly1305_keybytes","_crypto_secretbox_xsalsa20poly1305_keygen","_crypto_secretbox_xsalsa20poly1305_macbytes","_crypto_secretbox_xsalsa20poly1305_noncebytes","_crypto_secretbox_xsalsa20poly1305_open","_crypto_secretbox_xsalsa20poly1305_zerobytes","_crypto_secretbox_zerobytes","_crypto_secretstream_xchacha20poly1305_abytes","_crypto_secretstream_xchacha20poly1305_headerbytes","_crypto_secretstream_xchacha20poly1305_init_pull","_crypto_secretstream_xchacha20poly1305_init_push","_crypto_secretstream_xchacha20poly1305_keybytes","_crypto_secretstream_xchacha20poly1305_keygen","_crypto_secretstream_xchacha20poly1305_messagebytes_max","_crypto_secretstream_xchacha20poly1305_pull","_crypto_secretstream_xchacha20poly1305_push","_crypto_secretstream_xchacha20poly1305_rekey","_crypto_secretstream_xchacha20poly1305_statebytes","_crypto_secretstream_xchacha20poly1305_tag_final","_crypto_secretstream_xchacha20poly1305_tag_message","_crypto_secretstream_xchacha20poly1305_tag_push","_crypto_secretstream_xchacha20poly1305_tag_rekey","_crypto_shorthash","_crypto_shorthash_bytes","_crypto_shorthash_keybytes","_crypto_shorthash_keygen","_crypto_shorthash_primitive","_crypto_shorthash_siphas
h24","_crypto_shorthash_siphash24_bytes","_crypto_shorthash_siphash24_keybytes","_crypto_shorthash_siphashx24","_crypto_shorthash_siphashx24_bytes","_crypto_shorthash_siphashx24_keybytes","_crypto_sign","_crypto_sign_bytes","_crypto_sign_detached","_crypto_sign_ed25519","_crypto_sign_ed25519_bytes","_crypto_sign_ed25519_detached","_crypto_sign_ed25519_keypair","_crypto_sign_ed25519_open","_crypto_sign_ed25519_pk_to_curve25519","_crypto_sign_ed25519_publickeybytes","_crypto_sign_ed25519_secretkeybytes","_crypto_sign_ed25519_seed_keypair","_crypto_sign_ed25519_seedbytes","_crypto_sign_ed25519_sk_to_curve25519","_crypto_sign_ed25519_sk_to_pk","_crypto_sign_ed25519_sk_to_seed","_crypto_sign_ed25519_verify_detached","_crypto_sign_ed25519ph_final_create","_crypto_sign_ed25519ph_final_verify","_crypto_sign_ed25519ph_init","_crypto_sign_ed25519ph_statebytes","_crypto_sign_ed25519ph_update","_crypto_sign_final_create","_crypto_sign_final_verify","_crypto_sign_init","_crypto_sign_keypair","_crypto_sign_open","_crypto_sign_primitive","_crypto_sign_publickeybytes","_crypto_sign_secretkeybytes","_crypto_sign_seed_keypair","_crypto_sign_seedbytes","_crypto_sign_statebytes","_crypto_sign_update","_crypto_sign_verify_detached","_crypto_stream","_crypto_stream_aes128ctr","_crypto_stream_aes128ctr_afternm","_crypto_stream_aes128ctr_beforenm","_crypto_stream_aes128ctr_beforenmbytes","_crypto_stream_aes128ctr_keybytes","_crypto_stream_aes128ctr_noncebytes","_crypto_stream_aes128ctr_xor","_crypto_stream_aes128ctr_xor_afternm","_crypto_stream_chacha20","_crypto_stream_chacha20_ietf","_crypto_stream_chacha20_ietf_keybytes","_crypto_stream_chacha20_ietf_keygen","_crypto_stream_chacha20_ietf_noncebytes","_crypto_stream_chacha20_ietf_xor","_crypto_stream_chacha20_ietf_xor_ic","_crypto_stream_chacha20_keybytes","_crypto_stream_chacha20_keygen","_crypto_stream_chacha20_noncebytes","_crypto_stream_chacha20_xor","_crypto_stream_chacha20_xor_ic","_crypto_stream_keybytes","_crypto_stream_keygen","
_crypto_stream_noncebytes","_crypto_stream_primitive","_crypto_stream_salsa20","_crypto_stream_salsa2012","_crypto_stream_salsa2012_keybytes","_crypto_stream_salsa2012_keygen","_crypto_stream_salsa2012_noncebytes","_crypto_stream_salsa2012_xor","_crypto_stream_salsa208","_crypto_stream_salsa208_keybytes","_crypto_stream_salsa208_keygen","_crypto_stream_salsa208_messagebytes_max","_crypto_stream_salsa208_noncebytes","_crypto_stream_salsa208_xor","_crypto_stream_salsa20_keybytes","_crypto_stream_salsa20_keygen","_crypto_stream_salsa20_noncebytes","_crypto_stream_salsa20_xor","_crypto_stream_salsa20_xor_ic","_crypto_stream_xchacha20","_crypto_stream_xchacha20_keybytes","_crypto_stream_xchacha20_keygen","_crypto_stream_xchacha20_noncebytes","_crypto_stream_xchacha20_xor","_crypto_stream_xchacha20_xor_ic","_crypto_stream_xor","_crypto_stream_xsalsa20","_crypto_stream_xsalsa20_keybytes","_crypto_stream_xsalsa20_keygen","_crypto_stream_xsalsa20_noncebytes","_crypto_stream_xsalsa20_xor","_crypto_stream_xsalsa20_xor_ic","_crypto_verify_16","_crypto_verify_16_bytes","_crypto_verify_32","_crypto_verify_32_bytes","_crypto_verify_64","_crypto_verify_64_bytes","_randombytes","_randombytes_buf","_randombytes_buf_deterministic","_randombytes_close","_randombytes_implementation_name","_randombytes_random","_randombytes_seedbytes","_randombytes_stir","_randombytes_uniform","_sodium_base642bin","_sodium_base64_encoded_len","_sodium_bin2base64","_sodium_bin2hex","_sodium_hex2bin","_sodium_init","_sodium_library_minimal","_sodium_library_version_major","_sodium_library_version_minor","_sodium_pad","_sodium_unpad","_sodium_version_string"]' export TOTAL_MEMORY=16777216 export TOTAL_MEMORY_SUMO=67108864 export LDFLAGS="-s RESERVED_FUNCTION_POINTERS=8" diff --git a/dist-build/generate-emscripten-symbols.sh b/dist-build/generate-emscripten-symbols.sh index b81556d2..b35dbf9f 100755 --- a/dist-build/generate-emscripten-symbols.sh +++ b/dist-build/generate-emscripten-symbols.sh 
@@ -1,43 +1,61 @@ #! /bin/sh -if [ "x$1" = "x--sumo" ]; then - SUMO=yes -fi +set -e -{ -while read symbol standard sumo; do - found="$standard" - if [ "x$SUMO" != "x" ]; then - found="$sumo" - fi - if [ "$found" = "1" ]; then - eval "defined_${symbol}=yes" - else - eval "defined_${symbol}=no" - fi -done < emscripten-symbols.def - -nm /usr/local/lib/libsodium.18.dylib | \ -fgrep ' T _' | \ -cut -d' ' -f3 | { - while read symbol; do - eval "found=\$defined_${symbol}" - if [ "$found" = "yes" ]; then - echo "$symbol" - elif [ "$found" != "no" ]; then - echo >&2 - echo "*** [$symbol] was not expected ***" >&2 - echo >&2 - exit 1 +symbols() { + { + SUMO="$1" + while read symbol standard sumo; do + found="$standard" + if [ "x$SUMO" = "xsumo" ]; then + found="$sumo" fi - done - } -} | \ -sort | \ -{ -out='' -while read symbol ; do - out="${out},\"${symbol}\"" -done -echo $out + if [ "$found" = "1" ]; then + eval "defined_${symbol}=yes" + else + eval "defined_${symbol}=no" + fi + done < emscripten-symbols.def + + nm /usr/local/lib/libsodium.18.dylib | \ + fgrep ' T _' | \ + cut -d' ' -f3 | { + while read symbol; do + eval "found=\$defined_${symbol}" + if [ "$found" = "yes" ]; then + echo "$symbol" + elif [ "$found" != "no" ]; then + echo >&2 + echo "*** [$symbol] was not expected ***" >&2 + echo >&2 + exit 1 + fi + done + } + } | \ + sort | \ + { + out='' + while read symbol ; do + if [ ! 
-z "$out" ]; then + out="${out}," + fi + out="${out}\"${symbol}\"" + done + echo "[${out}]" + } } + +out=$(symbols standard) +sed s/EXPORTED_FUNCTIONS_STANDARD=\'.*\'/EXPORTED_FUNCTIONS_STANDARD=\'${out}\'/ < emscripten.sh > emscripten.sh.tmp && \ + mv -f emscripten.sh.tmp emscripten.sh +sed s/EXPORTED_FUNCTIONS_STANDARD=\'.*\'/EXPORTED_FUNCTIONS_STANDARD=\'${out}\'/ < emscripten-wasm.sh > emscripten-wasm.sh.tmp && \ + mv -f emscripten-wasm.sh.tmp emscripten-wasm.sh + +out=$(symbols sumo) +sed s/EXPORTED_FUNCTIONS_SUMO=\'.*\'/EXPORTED_FUNCTIONS_SUMO=\'${out}\'/ < emscripten.sh > emscripten.sh.tmp && \ + mv -f emscripten.sh.tmp emscripten.sh +sed s/EXPORTED_FUNCTIONS_SUMO=\'.*\'/EXPORTED_FUNCTIONS_SUMO=\'${out}\'/ < emscripten-wasm.sh > emscripten-wasm.sh.tmp && \ + mv -f emscripten-wasm.sh.tmp emscripten-wasm.sh + +chmod +x emscripten.sh emscripten-wasm.sh diff --git a/dist-build/ios.sh b/dist-build/ios.sh index a84aaf99..c08b85ff 100755 --- a/dist-build/ios.sh +++ b/dist-build/ios.sh @@ -91,8 +91,8 @@ make distclean > /dev/null make -j3 install || exit 1 ## 64-bit iOS -export CFLAGS="-O2 -arch arm64 -isysroot ${SDK} -mios-version-min=${IOS_VERSION_MIN} -flto" -export LDFLAGS="-arch arm64 -isysroot ${SDK} -mios-version-min=${IOS_VERSION_MIN} -flto" +export CFLAGS="-O2 -arch arm64 -isysroot ${SDK} -mios-version-min=${IOS_VERSION_MIN} -flto -fembed-bitcode" +export LDFLAGS="-arch arm64 -isysroot ${SDK} -mios-version-min=${IOS_VERSION_MIN} -flto -fembed-bitcode" make distclean > /dev/null diff --git a/libsodium.vcxproj b/libsodium.vcxproj index cd0b7299..f79ac1a9 100644 --- a/libsodium.vcxproj +++ b/libsodium.vcxproj @@ -357,6 +357,7 @@ + @@ -380,6 +381,7 @@ + @@ -419,6 +421,7 @@ + @@ -444,6 +447,7 @@ + @@ -518,6 +522,7 @@ + @@ -541,6 +546,7 @@ + diff --git a/libsodium.vcxproj.filters b/libsodium.vcxproj.filters index b0536551..96d13605 100644 --- a/libsodium.vcxproj.filters +++ b/libsodium.vcxproj.filters 
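Review bot: The `exit 1` issued for an unexpected symbol (and any failure of the hard-coded `nm /usr/local/lib/libsodium.18.dylib`) only terminates one stage of the pipeline inside `symbols()`; the status of `$(symbols ...)` is that of the final `{ out=''; ...; echo "[${out}]"; }` group, so `set -e` never fires and the following `sed` lines rewrite `emscripten.sh` and `emscripten-wasm.sh` with an empty or truncated export list. A guard after each assignment, e.g. `out=$(symbols standard) && [ "$out" != "[]" ] || exit 1`, keeps a broken probe from silently shrinking the exported API. Separately, `${out}` is interpolated into the `sed` expression unquoted, so the `[...]` form is exposed to pathname expansion and word splitting; double-quoting the whole `s/.../.../` argument avoids that.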
@@ -141,6 +141,9 @@ Source Files + + Source Files + Source Files @@ -210,6 +213,9 @@ Source Files + + Source Files + Source Files @@ -327,6 +333,9 @@ Source Files + + Source Files + Source Files @@ -398,6 +407,9 @@ Header Files + + Header Files + Header Files @@ -620,6 +632,9 @@ Header Files + + Header Files + Header Files @@ -689,6 +704,9 @@ Header Files + + Header Files + Header Files diff --git a/m4/ax_check_catchable_abrt.m4 b/m4/ax_check_catchable_abrt.m4 new file mode 100644 index 00000000..140ab856 --- /dev/null +++ b/m4/ax_check_catchable_abrt.m4 @@ -0,0 +1,57 @@ +# SYNOPSIS +# +# AX_CHECK_CATCHABLE_ABRT +# +# DESCRIPTION +# +# Check whether SIGABRT can be caught using signal handlers. + +#serial 1 + +AC_DEFUN([AX_CHECK_CATCHABLE_ABRT], [dnl + AC_PREREQ(2.64) + AS_VAR_PUSHDEF([CACHEVAR], [ax_cv_check_[]_AC_LANG_ABBREV[]CATCHABLE_ABRT])dnl + AC_CACHE_CHECK([whether SIGABRT can be caught when using the _AC_LANG compiler], CACHEVAR, [ + AC_RUN_IFELSE([ + AC_LANG_PROGRAM([[ +#include +#include + +#ifndef SIGABRT +# error SIGABRT is not defined +#endif + +static void sigabrt_handler_3(int _) +{ + exit(0); +} + +static void sigabrt_handler_2(int _) +{ + signal(SIGABRT, sigabrt_handler_3); + abort(); + exit(1); +} + +static void sigabrt_handler_1(int _) +{ + signal(SIGABRT, sigabrt_handler_2); + abort(); + exit(1); +} + ]], [[ +signal(SIGABRT, sigabrt_handler_1); +abort(); +exit(1); + ]])], + [AS_VAR_SET(CACHEVAR, [yes])], + [AS_VAR_SET(CACHEVAR, [no])], + [AS_VAR_SET(CACHEVAR, [unknown])] + ) + ]) + AS_VAR_IF(CACHEVAR, yes, + [AC_DEFINE([HAVE_CATCHABLE_ABRT], [1], [Define if SIGABRT can be caught using signal handlers])], + [AC_MSG_WARN([On this platform, SIGABRT cannot be caught using signal handlers.])] + ) + AS_VAR_POPDEF([CACHEVAR])dnl +]) diff --git a/m4/ax_check_gnu_make.m4 b/m4/ax_check_gnu_make.m4 index 6762e9ed..4c761ea0 100644 --- a/m4/ax_check_gnu_make.m4 +++ b/m4/ax_check_gnu_make.m4 
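Review bot: `exit(0)` in `sigabrt_handler_3` and the `exit(1)` fallbacks run inside a signal handler, where only async-signal-safe functions are guaranteed to behave; `_exit(0)` / `_exit(1)` from `<unistd.h>` is the safe form and yields the same pass/fail status to `AC_RUN_IFELSE`. The cross-compiling branch sets the cache variable to `unknown`, but `AS_VAR_IF(CACHEVAR, yes, ...)` then reports "SIGABRT cannot be caught", which misstates the result; a distinct message such as `AC_MSG_WARN([cannot determine whether SIGABRT can be caught (cross-compiling)])` would be accurate. The two `#include` lines of the test program appear to have lost their header names in this rendering (presumably `<signal.h>` and `<stdlib.h>`); worth confirming against the committed file.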
@@ -1,5 +1,5 @@ # =========================================================================== -# http://www.gnu.org/software/autoconf-archive/ax_check_gnu_make.html +# https://www.gnu.org/software/autoconf-archive/ax_check_gnu_make.html # =========================================================================== # # SYNOPSIS @@ -61,7 +61,7 @@ # and this notice are preserved. This file is offered as-is, without any # warranty. -#serial 8 +#serial 9 AC_DEFUN([AX_CHECK_GNU_MAKE],dnl [AC_PROG_AWK diff --git a/m4/ax_pthread.m4 b/m4/ax_pthread.m4 index fff77db6..5fbf9fe0 100644 --- a/m4/ax_pthread.m4 +++ b/m4/ax_pthread.m4 @@ -1,5 +1,5 @@ # =========================================================================== -# http://www.gnu.org/software/autoconf-archive/ax_pthread.html +# https://www.gnu.org/software/autoconf-archive/ax_pthread.html # =========================================================================== # # SYNOPSIS @@ -67,7 +67,7 @@ # Public License for more details. # # You should have received a copy of the GNU General Public License along -# with this program. If not, see . +# with this program. If not, see . # # As a special exception, the respective Autoconf Macro's copyright owner # gives unlimited permission to copy, distribute and modify the configure diff --git a/m4/pkg.m4 b/m4/pkg.m4 deleted file mode 100644 index c0a8d3d7..00000000 --- a/m4/pkg.m4 +++ /dev/null 
@@ -1,214 +0,0 @@ -# pkg.m4 - Macros to locate and utilise pkg-config. -*- Autoconf -*- -# serial 1 (pkg-config-0.24) -# -# Copyright © 2004 Scott James Remnant . -# -# This program is free software; you can redistribute it and/or modify -# it under the terms of the GNU General Public License as published by -# the Free Software Foundation; either version 2 of the License, or -# (at your option) any later version. -# -# This program is distributed in the hope that it will be useful, but -# WITHOUT ANY WARRANTY; without even the implied warranty of -# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU -# General Public License for more details. -# -# You should have received a copy of the GNU General Public License -# along with this program; if not, write to the Free Software -# Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. -# -# As a special exception to the GNU General Public License, if you -# distribute this file as part of a program that contains a -# configuration script generated by Autoconf, you may include it under -# the same distribution terms that you use for the rest of that program. 
- -# PKG_PROG_PKG_CONFIG([MIN-VERSION]) -# ---------------------------------- -AC_DEFUN([PKG_PROG_PKG_CONFIG], -[m4_pattern_forbid([^_?PKG_[A-Z_]+$]) -m4_pattern_allow([^PKG_CONFIG(_(PATH|LIBDIR|SYSROOT_DIR|ALLOW_SYSTEM_(CFLAGS|LIBS)))?$]) -m4_pattern_allow([^PKG_CONFIG_(DISABLE_UNINSTALLED|TOP_BUILD_DIR|DEBUG_SPEW)$]) -AC_ARG_VAR([PKG_CONFIG], [path to pkg-config utility]) -AC_ARG_VAR([PKG_CONFIG_PATH], [directories to add to pkg-config's search path]) -AC_ARG_VAR([PKG_CONFIG_LIBDIR], [path overriding pkg-config's built-in search path]) - -if test "x$ac_cv_env_PKG_CONFIG_set" != "xset"; then - AC_PATH_TOOL([PKG_CONFIG], [pkg-config]) -fi -if test -n "$PKG_CONFIG"; then - _pkg_min_version=m4_default([$1], [0.9.0]) - AC_MSG_CHECKING([pkg-config is at least version $_pkg_min_version]) - if $PKG_CONFIG --atleast-pkgconfig-version $_pkg_min_version; then - AC_MSG_RESULT([yes]) - else - AC_MSG_RESULT([no]) - PKG_CONFIG="" - fi -fi[]dnl -])# PKG_PROG_PKG_CONFIG - -# PKG_CHECK_EXISTS(MODULES, [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) -# -# Check to see whether a particular set of modules exists. Similar -# to PKG_CHECK_MODULES(), but does not set variables or print errors. 
-# -# Please remember that m4 expands AC_REQUIRE([PKG_PROG_PKG_CONFIG]) -# only at the first occurrence in configure.ac, so if the first place -# it's called might be skipped (such as if it is within an "if", you -# have to call PKG_CHECK_EXISTS manually -# -------------------------------------------------------------- -AC_DEFUN([PKG_CHECK_EXISTS], -[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl -if test -n "$PKG_CONFIG" && \ - AC_RUN_LOG([$PKG_CONFIG --exists --print-errors "$1"]); then - m4_default([$2], [:]) -m4_ifvaln([$3], [else - $3])dnl -fi]) - -# _PKG_CONFIG([VARIABLE], [COMMAND], [MODULES]) -# --------------------------------------------- -m4_define([_PKG_CONFIG], -[if test -n "$$1"; then - pkg_cv_[]$1="$$1" - elif test -n "$PKG_CONFIG"; then - PKG_CHECK_EXISTS([$3], - [pkg_cv_[]$1=`$PKG_CONFIG --[]$2 "$3" 2>/dev/null` - test "x$?" != "x0" && pkg_failed=yes ], - [pkg_failed=yes]) - else - pkg_failed=untried -fi[]dnl -])# _PKG_CONFIG - -# _PKG_SHORT_ERRORS_SUPPORTED -# ----------------------------- -AC_DEFUN([_PKG_SHORT_ERRORS_SUPPORTED], -[AC_REQUIRE([PKG_PROG_PKG_CONFIG]) -if $PKG_CONFIG --atleast-pkgconfig-version 0.20; then - _pkg_short_errors_supported=yes -else - _pkg_short_errors_supported=no -fi[]dnl -])# _PKG_SHORT_ERRORS_SUPPORTED - - -# PKG_CHECK_MODULES(VARIABLE-PREFIX, MODULES, [ACTION-IF-FOUND], -# [ACTION-IF-NOT-FOUND]) -# -# -# Note that if there is a possibility the first call to -# PKG_CHECK_MODULES might not happen, you should be sure to include an -# explicit call to PKG_PROG_PKG_CONFIG in your configure.ac -# -# -# -------------------------------------------------------------- -AC_DEFUN([PKG_CHECK_MODULES], -[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl -AC_ARG_VAR([$1][_CFLAGS], [C compiler flags for $1, overriding pkg-config])dnl -AC_ARG_VAR([$1][_LIBS], [linker flags for $1, overriding pkg-config])dnl - -pkg_failed=no -AC_MSG_CHECKING([for $1]) - -_PKG_CONFIG([$1][_CFLAGS], [cflags], [$2]) -_PKG_CONFIG([$1][_LIBS], [libs], [$2]) - 
-m4_define([_PKG_TEXT], [Alternatively, you may set the environment variables $1[]_CFLAGS -and $1[]_LIBS to avoid the need to call pkg-config. -See the pkg-config man page for more details.]) - -if test $pkg_failed = yes; then - AC_MSG_RESULT([no]) - _PKG_SHORT_ERRORS_SUPPORTED - if test $_pkg_short_errors_supported = yes; then - $1[]_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors --cflags --libs "$2" 2>&1` - else - $1[]_PKG_ERRORS=`$PKG_CONFIG --print-errors --cflags --libs "$2" 2>&1` - fi - # Put the nasty error message in config.log where it belongs - echo "$$1[]_PKG_ERRORS" >&AS_MESSAGE_LOG_FD - - m4_default([$4], [AC_MSG_ERROR( -[Package requirements ($2) were not met: - -$$1_PKG_ERRORS - -Consider adjusting the PKG_CONFIG_PATH environment variable if you -installed software in a non-standard prefix. - -_PKG_TEXT])[]dnl - ]) -elif test $pkg_failed = untried; then - AC_MSG_RESULT([no]) - m4_default([$4], [AC_MSG_FAILURE( -[The pkg-config script could not be found or is too old. Make sure it -is in your PATH or set the PKG_CONFIG environment variable to the full -path to pkg-config. - -_PKG_TEXT - -To get pkg-config, see .])[]dnl - ]) -else - $1[]_CFLAGS=$pkg_cv_[]$1[]_CFLAGS - $1[]_LIBS=$pkg_cv_[]$1[]_LIBS - AC_MSG_RESULT([yes]) - $3 -fi[]dnl -])# PKG_CHECK_MODULES - - -# PKG_INSTALLDIR(DIRECTORY) -# ------------------------- -# Substitutes the variable pkgconfigdir as the location where a module -# should install pkg-config .pc files. By default the directory is -# $libdir/pkgconfig, but the default can be changed by passing -# DIRECTORY. The user can override through the --with-pkgconfigdir -# parameter. 
-AC_DEFUN([PKG_INSTALLDIR], -[m4_pushdef([pkg_default], [m4_default([$1], ['${libdir}/pkgconfig'])]) -m4_pushdef([pkg_description], - [pkg-config installation directory @<:@]pkg_default[@:>@]) -AC_ARG_WITH([pkgconfigdir], - [AS_HELP_STRING([--with-pkgconfigdir], pkg_description)],, - [with_pkgconfigdir=]pkg_default) -AC_SUBST([pkgconfigdir], [$with_pkgconfigdir]) -m4_popdef([pkg_default]) -m4_popdef([pkg_description]) -]) dnl PKG_INSTALLDIR - - -# PKG_NOARCH_INSTALLDIR(DIRECTORY) -# ------------------------- -# Substitutes the variable noarch_pkgconfigdir as the location where a -# module should install arch-independent pkg-config .pc files. By -# default the directory is $datadir/pkgconfig, but the default can be -# changed by passing DIRECTORY. The user can override through the -# --with-noarch-pkgconfigdir parameter. -AC_DEFUN([PKG_NOARCH_INSTALLDIR], -[m4_pushdef([pkg_default], [m4_default([$1], ['${datadir}/pkgconfig'])]) -m4_pushdef([pkg_description], - [pkg-config arch-independent installation directory @<:@]pkg_default[@:>@]) -AC_ARG_WITH([noarch-pkgconfigdir], - [AS_HELP_STRING([--with-noarch-pkgconfigdir], pkg_description)],, - [with_noarch_pkgconfigdir=]pkg_default) -AC_SUBST([noarch_pkgconfigdir], [$with_noarch_pkgconfigdir]) -m4_popdef([pkg_default]) -m4_popdef([pkg_description]) -]) dnl PKG_NOARCH_INSTALLDIR - - -# PKG_CHECK_VAR(VARIABLE, MODULE, CONFIG-VARIABLE, -# [ACTION-IF-FOUND], [ACTION-IF-NOT-FOUND]) -# ------------------------------------------- -# Retrieves the value of the pkg-config variable for the given module. -AC_DEFUN([PKG_CHECK_VAR], -[AC_REQUIRE([PKG_PROG_PKG_CONFIG])dnl -AC_ARG_VAR([$1], [value of $3 for $2, overriding pkg-config])dnl - -_PKG_CONFIG([$1], [variable="][$3]["], [$2]) -AS_VAR_COPY([$1], [pkg_cv_][$1]) - -AS_VAR_IF([$1], [""], [$5], [$4])dnl -])# PKG_CHECK_VAR diff --git a/msvc-scripts/process.bat b/msvc-scripts/process.bat index 22d87a52..1daf5ff2 100755 --- a/msvc-scripts/process.bat +++ b/msvc-scripts/process.bat 
@@ -1,5 +1,5 @@
-cscript msvc-scripts/rep.vbs //Nologo s/@VERSION@/1.0.13/ < src\libsodium\include\sodium\version.h.in > tmp
+cscript msvc-scripts/rep.vbs //Nologo s/@VERSION@/1.0.14/ < src\libsodium\include\sodium\version.h.in > tmp
 cscript msvc-scripts/rep.vbs //Nologo s/@SODIUM_LIBRARY_VERSION_MAJOR@/9/ < tmp > tmp2
-cscript msvc-scripts/rep.vbs //Nologo s/@SODIUM_LIBRARY_VERSION_MINOR@/5/ < tmp2 > tmp3
+cscript msvc-scripts/rep.vbs //Nologo s/@SODIUM_LIBRARY_VERSION_MINOR@/6/ < tmp2 > tmp3
 cscript msvc-scripts/rep.vbs //Nologo s/@SODIUM_LIBRARY_MINIMAL_DEF@// < tmp3 > src\libsodium\include\sodium\version.h
 del tmp tmp2 tmp3
diff --git a/packaging/dotnet-core/README.md b/packaging/dotnet-core/README.md
index 7cb03fd9..b15d4a8f 100644
--- a/packaging/dotnet-core/README.md
+++ b/packaging/dotnet-core/README.md
@@ -31,15 +31,15 @@ Version numbers for the packages for .NET Core consist of three components: It may be necessary to release more than one package for a libsodium version, e.g., when adding support for a new platform or if a release contains a broken binary. In this case, a package revision number is added as a fourth part to - the libsodium version, starting at `1`. For example, `1.0.13` is the initial - release of the package for libsodium 1.0.13 and `1.0.13.5` is the fifth + the libsodium version, starting at `1`. For example, `1.0.14` is the initial + release of the package for libsodium 1.0.14 and `1.0.14.5` is the fifth revision (sixth release) of that package. * *pre-release label* If a package is a pre-release, a label is appended to the version number in `-preview-##` format where `##` is the number of the pre-release, starting at - `01`. For example, `1.0.13-preview-01` is the first pre-release of the package - for libsodium 1.0.13 and `1.0.13.5-preview-02` the second pre-release of the - fifth revision of the package for libsodium 1.0.13. + `01`. For example, `1.0.14-preview-01` is the first pre-release of the package + for libsodium 1.0.14 and `1.0.14.5-preview-02` the second pre-release of the + fifth revision of the package for libsodium 1.0.14. **Making a release** diff --git a/packaging/dotnet-core/desktop.targets b/packaging/dotnet-core/desktop.targets deleted file mode 100644 index b117c478..00000000 --- a/packaging/dotnet-core/desktop.targets +++ /dev/null @@ -1,16 +0,0 @@ - - - - x86\libsodium.dll - PreserveNewest - PreserveNewest - false - - - x64\libsodium.dll - PreserveNewest - PreserveNewest - false - - - \ No newline at end of file diff --git a/packaging/dotnet-core/libsodium.props b/packaging/dotnet-core/libsodium.props index 1986e39b..b72266ef 100644 --- a/packaging/dotnet-core/libsodium.props +++ b/packaging/dotnet-core/libsodium.props @@ -2,7 +2,7 @@ - netstandard1.1;net46 + netstandard1.1 true true false 
@@ -22,12 +22,15 @@ 4.0 + + + + - diff --git a/packaging/dotnet-core/prepare.py b/packaging/dotnet-core/prepare.py index 54151f1b..610e4ebd 100755 --- a/packaging/dotnet-core/prepare.py +++ b/packaging/dotnet-core/prepare.py @@ -8,8 +8,8 @@ WINDOWS = [ # --------------------- ----------------- # # Runtime ID Platform # # --------------------- ----------------- # - ( 'win7-x64', 'x64' ), - ( 'win7-x86', 'Win32' ), + ( 'win-x64', 'x64' ), + ( 'win-x86', 'Win32' ), # --------------------- ----------------- # ] @@ -17,9 +17,7 @@ MACOS = [ # --------------------- ----------------- # # Runtime ID Codename # # --------------------- ----------------- # - ( 'osx.10.10-x64', 'yosemite' ), - ( 'osx.10.11-x64', 'el_capitan' ), - ( 'osx.10.12-x64', 'sierra' ), + ( 'osx-x64', 'sierra' ), # --------------------- ----------------- # ] @@ -27,22 +25,13 @@ LINUX = [ # --------------------- ----------------- # # Runtime ID Docker Image # # --------------------- ----------------- # - ( 'centos.7-x64', 'centos:7.1.1503' ), - ( 'debian.8-x64', 'debian:8.2' ), - ( 'fedora.24-x64', 'fedora:24' ), - ( 'fedora.25-x64', 'fedora:25' ), - ( 'fedora.26-x64', 'fedora:26' ), - ( 'opensuse.42.1-x64', 'opensuse:42.1' ), - ( 'ubuntu.14.04-x64', 'ubuntu:trusty' ), - ( 'ubuntu.16.04-x64', 'ubuntu:xenial' ), - ( 'ubuntu.16.10-x64', 'ubuntu:yakkety' ), + ( 'linux-x64', 'debian:stretch' ), # --------------------- ----------------- # ] EXTRAS = [ 'LICENSE', 'AUTHORS', 'ChangeLog' ] PROPSFILE = 'libsodium.props' -DESKTOPTARGETSFILE = 'desktop.targets' MAKEFILE = 'Makefile' BUILDDIR = 'build' CACHEDIR = 'cache' 
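Review bot: The new `linux-x64` entry builds the shipped binaries inside `debian:stretch`, a mutable registry tag, so the package contents can change without any change to this file; the same applies to `microsoft/dotnet:2.0-sdk` in the pack and test targets of the `@@ -246,14 +228,14 @@` hunk further down. For a reproducible and auditable packaging build, reference the images by digest (`debian@sha256:<digest>`, placeholder for the pinned digest) or at least hold each image name in one module-level constant next to `DOCKER`, so that pinning is a one-line change instead of three string edits. The table format itself can stay, e.g. `( 'linux-x64', 'debian:stretch' ),  # TODO pin to an image digest`.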
@@ -64,7 +53,6 @@ class Version: self.projfile = os.path.join(self.builddir, '{0}.{1}.pkgproj'.format(PACKAGE, package_version)) self.propsfile = os.path.join(self.builddir, '{0}.props'.format(PACKAGE)) self.pkgfile = os.path.join(BUILDDIR, '{0}.{1}.nupkg'.format(PACKAGE, package_version)) - self.desktoptargetsfile = os.path.join(self.builddir, 'build', 'net46', '{0}.targets'.format(PACKAGE)) class WindowsItem: @@ -182,13 +170,13 @@ def main(args): print(' python3 prepare.py ') print() print('Examples:') - print(' python3 prepare.py 1.0.13-preview-01') - print(' python3 prepare.py 1.0.13-preview-02') - print(' python3 prepare.py 1.0.13-preview-03') - print(' python3 prepare.py 1.0.13') - print(' python3 prepare.py 1.0.13.1-preview-01') - print(' python3 prepare.py 1.0.13.1') - print(' python3 prepare.py 1.0.13.2') + print(' python3 prepare.py 1.0.14-preview-01') + print(' python3 prepare.py 1.0.14-preview-02') + print(' python3 prepare.py 1.0.14-preview-03') + print(' python3 prepare.py 1.0.14') + print(' python3 prepare.py 1.0.14.1-preview-01') + print(' python3 prepare.py 1.0.14.1') + print(' python3 prepare.py 1.0.14.2') return 1 version = Version(m.group(2), m.group(0)) @@ -212,11 +200,6 @@ def main(args): for item in items: item.make(f) - f.write('\n') - f.write('{0}: {1}\n'.format(version.desktoptargetsfile, DESKTOPTARGETSFILE)) - f.write('\t@mkdir -p $(dir $@)\n') - f.write('\tcp -f $< $@\n') - f.write('\n') f.write('{0}: {1}\n'.format(version.propsfile, PROPSFILE)) f.write('\t@mkdir -p $(dir $@)\n') @@ -237,7 +220,6 @@ def main(args): f.write('{0}:'.format(version.pkgfile)) f.write(' \\\n\t\t{0}'.format(version.projfile)) f.write(' \\\n\t\t{0}'.format(version.propsfile)) - f.write(' \\\n\t\t{0}'.format(version.desktoptargetsfile)) for item in items: f.write(' \\\n\t\t{0}'.format(item.packfile)) f.write('\n') 
@@ -246,14 +228,14 @@ def main(args): '-v $(abspath recipes):/io/recipes ' + '-v $(abspath $(dir $<)):/io/input ' + '-v $(abspath $(dir $@)):/io/output ' + - '{0} sh -x -e /io/recipes/{1} {2}\n'.format('microsoft/dotnet:1.1-sdk', 'pack', os.path.relpath(version.projfile, version.builddir))) + '{0} sh -x -e /io/recipes/{1} {2}\n'.format('microsoft/dotnet:2.0-sdk', 'pack', os.path.relpath(version.projfile, version.builddir))) f.write('\n') f.write('test: {0}\n'.format(version.pkgfile)) f.write('\t{0} run --rm '.format(DOCKER) + '-v $(abspath recipes):/io/recipes ' + '-v $(abspath $(dir $<)):/io/packages ' + - '{0} sh -x -e /io/recipes/{1} "{2}"\n'.format('microsoft/dotnet:1.1-sdk', 'test', version.package_version)) + '{0} sh -x -e /io/recipes/{1} "{2}"\n'.format('microsoft/dotnet:2.0-sdk', 'test', version.package_version)) print('prepared', MAKEFILE, 'to make', version.pkgfile, 'for libsodium', version.libsodium_version) return 0 diff --git a/packaging/dotnet-core/recipes/linux-x64 b/packaging/dotnet-core/recipes/linux-x64 new file mode 100644 index 00000000..e22c9efc --- /dev/null +++ b/packaging/dotnet-core/recipes/linux-x64 @@ -0,0 +1,4 @@ +apt-get update +apt-get install -y --no-install-recommends build-essential + +. $(dirname $0)/build diff --git a/packaging/nuget/package.config b/packaging/nuget/package.config index 5c543997..7b1cbff6 100644 --- a/packaging/nuget/package.config +++ b/packaging/nuget/package.config @@ -1,4 +1,4 @@ - + diff --git a/src/libsodium/Makefile.am b/src/libsodium/Makefile.am index cf0cffb3..c0480ac6 100644 --- a/src/libsodium/Makefile.am +++ b/src/libsodium/Makefile.am 
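Review bot: `. $(dirname $0)/build` in the new `recipes/linux-x64` leaves both expansions unquoted, so a checkout path containing whitespace splits the sourced file name into several words and the recipe sources the wrong thing or nothing. The sibling recipes are not visible here, but `. "$(dirname "$0")/build"` is the safe form regardless of what they do. The unguarded `apt-get` lines are fine as written, since the Makefile invokes the recipe with `sh -x -e` and any failure already aborts the build.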
@@ -62,6 +62,7 @@ libsodium_la_SOURCES = \ crypto_secretbox/crypto_secretbox.c \ crypto_secretbox/crypto_secretbox_easy.c \ crypto_secretbox/xsalsa20poly1305/secretbox_xsalsa20poly1305.c \ + crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c \ crypto_shorthash/crypto_shorthash.c \ crypto_shorthash/siphash24/shorthash_siphash24.c \ crypto_shorthash/siphash24/ref/shorthash_siphash24_ref.c \ @@ -87,6 +88,7 @@ libsodium_la_SOURCES = \ include/sodium/private/mutex.h \ include/sodium/private/sse2_64_32.h \ randombytes/randombytes.c \ + sodium/codecs.c \ sodium/core.c \ sodium/runtime.c \ sodium/utils.c \ @@ -206,8 +208,8 @@ endif SUBDIRS = \ include -libsodium_la_LIBADD = libaesni.la libsse2.la libssse3.la libsse41.la libavx2.la -noinst_LTLIBRARIES = libaesni.la libsse2.la libssse3.la libsse41.la libavx2.la +libsodium_la_LIBADD = libaesni.la libsse2.la libssse3.la libsse41.la libavx2.la libavx512f.la +noinst_LTLIBRARIES = libaesni.la libsse2.la libssse3.la libsse41.la libavx2.la libavx512f.la libaesni_la_LDFLAGS = $(libsodium_la_LDFLAGS) libaesni_la_CPPFLAGS = $(libsodium_la_CPPFLAGS) \ @@ -273,3 +275,10 @@ libavx2_la_SOURCES = \ crypto_stream/salsa20/xmm6int/u1.h \ crypto_stream/salsa20/xmm6int/u4.h \ crypto_stream/salsa20/xmm6int/u8.h + +libavx512f_la_LDFLAGS = $(libsodium_la_LDFLAGS) +libavx512f_la_CPPFLAGS = $(libsodium_la_CPPFLAGS) \ + @CFLAGS_SSE2@ @CFLAGS_SSSE3@ @CFLAGS_SSE41@ @CFLAGS_AVX@ @CFLAGS_AVX2@ @CFLAGS_AVX512F@ +libavx512f_la_SOURCES = \ + crypto_pwhash/argon2/argon2-fill-block-avx512f.c \ + crypto_pwhash/argon2/blamka-round-avx512f.h diff --git a/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c b/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c index d21f3173..fbfa208a 100644 --- a/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c +++ b/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c 
@@ -10,6 +10,7 @@ #include #include +#include "core.h" #include "crypto_aead_aes256gcm.h" #include "export.h" #include "private/common.h" @@ -523,8 +524,8 @@ crypto_aead_aes256gcm_encrypt_detached_afternm(unsigned char *c, (void) nsec; memcpy(H, ctx->H, sizeof H); - if (mlen > 16ULL * ((1ULL << 32) - 2)) { - abort(); /* LCOV_EXCL_LINE */ + if (mlen > crypto_aead_aes256gcm_MESSAGEBYTES_MAX) { + sodium_misuse(); /* LCOV_EXCL_LINE */ } memcpy(&n2[0], npub, 3 * 4); n2[3] = 0x01000000; @@ -661,8 +662,8 @@ crypto_aead_aes256gcm_decrypt_detached_afternm(unsigned char *m, unsigned char * CRYPTO_ALIGN(16) unsigned char fb[16]; (void) nsec; - if (clen > 16ULL * (1ULL << 32)) { - abort(); /* LCOV_EXCL_LINE */ + if (clen > crypto_aead_aes256gcm_MESSAGEBYTES_MAX) { + sodium_misuse(); /* LCOV_EXCL_LINE */ } mlen = clen; @@ -1057,6 +1058,12 @@ crypto_aead_aes256gcm_statebytes(void) return (sizeof(crypto_aead_aes256gcm_state) + (size_t) 15U) & ~(size_t) 15U; } +size_t +crypto_aead_aes256gcm_messagebytes_max(void) +{ + return crypto_aead_aes256gcm_MESSAGEBYTES_MAX; +} + void crypto_aead_aes256gcm_keygen(unsigned char k[crypto_aead_aes256gcm_KEYBYTES]) { diff --git a/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c b/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c index 406dcf25..c79407a1 100644 --- a/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c +++ b/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c @@ -4,6 +4,7 @@ #include #include +#include "core.h" #include "crypto_aead_chacha20poly1305.h" #include "crypto_onetimeauth_poly1305.h" #include "crypto_stream_chacha20.h" 
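Review bot: In the `@@ -661,8 +662,8 @@` hunk the decrypt path now bounds `clen` by `crypto_aead_aes256gcm_MESSAGEBYTES_MAX`, a constant named for the plaintext length; that is correct for the detached API, where the hunk's own `mlen = clen;` shows the tag is not part of clen, but the name invites a reader to suspect the tag was forgotten. A one-line comment at the check settles it: `/* detached: clen excludes the tag, so the message bound applies as-is */`. This file also keeps `/* LCOV_EXCL_LINE */` after `sodium_misuse()` while the chacha20poly1305, xchacha20poly1305 and blake2b hunks in this squash drop it; the coverage annotation should be applied the same way everywhere. The bodies of both `_afternm` functions continue outside the hunks.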
@@ -69,8 +70,8 @@ crypto_aead_chacha20poly1305_encrypt(unsigned char *c, unsigned long long clen = 0ULL; int ret; - if (mlen > UINT64_MAX - crypto_aead_chacha20poly1305_ABYTES) { - abort(); /* LCOV_EXCL_LINE */ + if (mlen > crypto_aead_chacha20poly1305_MESSAGEBYTES_MAX) { + sodium_misuse(); } ret = crypto_aead_chacha20poly1305_encrypt_detached(c, c + mlen, NULL, @@ -144,8 +145,8 @@ crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c, unsigned long long clen = 0ULL; int ret; - if (mlen > UINT64_MAX - crypto_aead_chacha20poly1305_ietf_ABYTES) { - abort(); /* LCOV_EXCL_LINE */ + if (mlen > crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX) { + sodium_misuse(); } ret = crypto_aead_chacha20poly1305_ietf_encrypt_detached(c, c + mlen, NULL, @@ -349,6 +350,12 @@ crypto_aead_chacha20poly1305_ietf_abytes(void) return crypto_aead_chacha20poly1305_ietf_ABYTES; } +size_t +crypto_aead_chacha20poly1305_ietf_messagebytes_max(void) +{ + return crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX; +} + void crypto_aead_chacha20poly1305_ietf_keygen(unsigned char k[crypto_aead_chacha20poly1305_ietf_KEYBYTES]) { @@ -379,6 +386,12 @@ crypto_aead_chacha20poly1305_abytes(void) return crypto_aead_chacha20poly1305_ABYTES; } +size_t +crypto_aead_chacha20poly1305_messagebytes_max(void) +{ + return crypto_aead_chacha20poly1305_MESSAGEBYTES_MAX; +} + void crypto_aead_chacha20poly1305_keygen(unsigned char k[crypto_aead_chacha20poly1305_KEYBYTES]) { diff --git a/src/libsodium/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c b/src/libsodium/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c index 38385c84..c18cdf94 100644 --- a/src/libsodium/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c +++ b/src/libsodium/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c @@ -4,6 +4,7 @@ #include #include +#include "core.h" #include "crypto_aead_xchacha20poly1305.h" #include "crypto_aead_chacha20poly1305.h" #include "crypto_core_hchacha20.h" 
@@ -53,7 +54,7 @@ crypto_aead_xchacha20poly1305_ietf_encrypt(unsigned char *c, int ret; if (mlen > UINT64_MAX - crypto_aead_xchacha20poly1305_ietf_ABYTES) { - abort(); /* LCOV_EXCL_LINE */ + sodium_misuse(); } ret = crypto_aead_xchacha20poly1305_ietf_encrypt_detached (c, c + mlen, NULL, m, mlen, ad, adlen, nsec, npub, k); @@ -146,6 +147,12 @@ crypto_aead_xchacha20poly1305_ietf_abytes(void) return crypto_aead_xchacha20poly1305_ietf_ABYTES; } +size_t +crypto_aead_xchacha20poly1305_ietf_messagebytes_max(void) +{ + return crypto_aead_xchacha20poly1305_ietf_MESSAGEBYTES_MAX; +} + void crypto_aead_xchacha20poly1305_ietf_keygen(unsigned char k[crypto_aead_xchacha20poly1305_ietf_KEYBYTES]) { diff --git a/src/libsodium/crypto_box/crypto_box.c b/src/libsodium/crypto_box/crypto_box.c index 7ae4297c..7e4f00bd 100644 --- a/src/libsodium/crypto_box/crypto_box.c +++ b/src/libsodium/crypto_box/crypto_box.c @@ -49,6 +49,12 @@ crypto_box_macbytes(void) return crypto_box_MACBYTES; } +size_t +crypto_box_messagebytes_max(void) +{ + return crypto_box_MESSAGEBYTES_MAX; +} + const char * crypto_box_primitive(void) { diff --git a/src/libsodium/crypto_box/crypto_box_easy.c b/src/libsodium/crypto_box/crypto_box_easy.c index 364a359c..deb40b40 100644 --- a/src/libsodium/crypto_box/crypto_box_easy.c +++ b/src/libsodium/crypto_box/crypto_box_easy.c @@ -3,6 +3,7 @@ #include #include +#include "core.h" #include "crypto_box.h" #include "crypto_secretbox.h" #include "private/common.h" @@ -40,8 +41,8 @@ crypto_box_easy_afternm(unsigned char *c, const unsigned char *m, unsigned long long mlen, const unsigned char *n, const unsigned char *k) { - if (mlen > SIZE_MAX - crypto_box_MACBYTES) { - return -1; + if (mlen > crypto_box_MESSAGEBYTES_MAX) { + sodium_misuse(); } return crypto_box_detached_afternm(c + crypto_box_MACBYTES, c, m, mlen, n, k); 
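Review bot: The `@@ -53,7 +54,7 @@` hunk in aead_xchacha20poly1305.c swaps `abort()` for `sodium_misuse()` but keeps the bound as `UINT64_MAX - crypto_aead_xchacha20poly1305_ietf_ABYTES`, while the new `crypto_aead_xchacha20poly1305_ietf_messagebytes_max()` in the same file advertises `crypto_aead_xchacha20poly1305_ietf_MESSAGEBYTES_MAX`; the sibling chacha20poly1305 hunks were switched to their `_MESSAGEBYTES_MAX` constants. Unless the two values happen to be defined identically, a caller that honours the advertised maximum and the check enforced here disagree about which lengths are misuse. Change the condition to `if (mlen > crypto_aead_xchacha20poly1305_ietf_MESSAGEBYTES_MAX) {`. The function body continues outside the hunk.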
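Review bot: In the `@@ -40,8 +41,8 @@` hunk of crypto_box_easy.c an oversized `mlen`, which used to produce a recoverable `return -1`, now reaches `sodium_misuse()`; the same contract change is made in the `@@ -52,8 +53,8 @@` hunk that follows and in both `crypto_box_curve25519xchacha20poly1305_easy*` hunks. Existing callers that checked for -1 on this path will instead land in the misuse handler (presumably a process abort, which cannot be confirmed from these hunks), so the change deserves an explicit mention in the public header documentation and ChangeLog rather than only in the squash log. A comment at the check keeps the intent visible to the next maintainer: `/* exceeding MESSAGEBYTES_MAX is API misuse, not a runtime error */`. Both function bodies begin before their hunks.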
@@ -52,8 +53,8 @@ crypto_box_easy(unsigned char *c, const unsigned char *m, unsigned long long mlen, const unsigned char *n, const unsigned char *pk, const unsigned char *sk) { - if (mlen > SIZE_MAX - crypto_box_MACBYTES) { - return -1; + if (mlen > crypto_box_MESSAGEBYTES_MAX) { + sodium_misuse(); } return crypto_box_detached(c + crypto_box_MACBYTES, c, m, mlen, n, pk, sk); diff --git a/src/libsodium/crypto_box/curve25519xchacha20poly1305/box_curve25519xchacha20poly1305.c b/src/libsodium/crypto_box/curve25519xchacha20poly1305/box_curve25519xchacha20poly1305.c index 1a4d26be..5e2532ea 100644 --- a/src/libsodium/crypto_box/curve25519xchacha20poly1305/box_curve25519xchacha20poly1305.c +++ b/src/libsodium/crypto_box/curve25519xchacha20poly1305/box_curve25519xchacha20poly1305.c @@ -4,6 +4,7 @@ #include #include +#include "core.h" #include "crypto_box_curve25519xchacha20poly1305.h" #include "crypto_core_hchacha20.h" #include "crypto_hash_sha512.h" @@ -86,8 +87,8 @@ crypto_box_curve25519xchacha20poly1305_easy_afternm(unsigned char *c, const unsigned char *n, const unsigned char *k) { - if (mlen > SIZE_MAX - crypto_box_curve25519xchacha20poly1305_MACBYTES) { - return -1; + if (mlen > crypto_box_curve25519xchacha20poly1305_MESSAGEBYTES_MAX) { + sodium_misuse(); } return crypto_box_curve25519xchacha20poly1305_detached_afternm( c + crypto_box_curve25519xchacha20poly1305_MACBYTES, c, m, mlen, n, k); @@ -98,8 +99,8 @@ crypto_box_curve25519xchacha20poly1305_easy( unsigned char *c, const unsigned char *m, unsigned long long mlen, const unsigned char *n, const unsigned char *pk, const unsigned char *sk) { - if (mlen > SIZE_MAX - crypto_box_curve25519xchacha20poly1305_MACBYTES) { - return -1; + if (mlen > crypto_box_curve25519xchacha20poly1305_MESSAGEBYTES_MAX) { + sodium_misuse(); } return crypto_box_curve25519xchacha20poly1305_detached( c + crypto_box_curve25519xchacha20poly1305_MACBYTES, c, m, mlen, n, pk, 
@@ -195,3 +196,9 @@ crypto_box_curve25519xchacha20poly1305_macbytes(void) { return crypto_box_curve25519xchacha20poly1305_MACBYTES; } + +size_t +crypto_box_curve25519xchacha20poly1305_messagebytes_max(void) +{ + return crypto_box_curve25519xchacha20poly1305_MESSAGEBYTES_MAX; +} diff --git a/src/libsodium/crypto_box/curve25519xsalsa20poly1305/box_curve25519xsalsa20poly1305.c b/src/libsodium/crypto_box/curve25519xsalsa20poly1305/box_curve25519xsalsa20poly1305.c index 7d6d603a..4c1d62ed 100644 --- a/src/libsodium/crypto_box/curve25519xsalsa20poly1305/box_curve25519xsalsa20poly1305.c +++ b/src/libsodium/crypto_box/curve25519xsalsa20poly1305/box_curve25519xsalsa20poly1305.c @@ -148,3 +148,9 @@ crypto_box_curve25519xsalsa20poly1305_macbytes(void) { return crypto_box_curve25519xsalsa20poly1305_MACBYTES; } + +size_t +crypto_box_curve25519xsalsa20poly1305_messagebytes_max(void) +{ + return crypto_box_curve25519xsalsa20poly1305_MESSAGEBYTES_MAX; +} diff --git a/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c b/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c index 64d15819..9375274d 100644 --- a/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c +++ b/src/libsodium/crypto_core/curve25519/ref10/curve25519_ref10.c @@ -119,7 +119,7 @@ fe_add(fe h, const fe f, const fe g) Preconditions: b in {0,1}. */ -void +static void fe_cmov(fe f, const fe g, unsigned int b) { int32_t f0 = f[0]; @@ -428,7 +428,7 @@ fe_tobytes(unsigned char *s, const fe h) |f| bounded by 1.1*2^26,1.1*2^25,1.1*2^26,1.1*2^25,etc. */ -int +static int fe_isnegative(const fe f) { unsigned char s[32]; @@ -759,7 +759,7 @@ fe_mul(fe h, const fe f, const fe g) |h| bounded by 1.1*2^25,1.1*2^24,1.1*2^25,1.1*2^24,etc. */ -void +static void fe_neg(fe h, const fe f) { int32_t f0 = f[0]; @@ -987,7 +987,7 @@ fe_sq(fe h, const fe f) See fe_mul.c for discussion of implementation strategy. */ -void +static void fe_sq2(fe h, const fe f) { int32_t f0 = f[0]; 
@@ -1217,7 +1217,7 @@ fe_invert(fe out, const fe z) fe_mul(out, t1, t0); } -void +static void fe_pow22523(fe out, const fe z) { fe t0; @@ -1457,7 +1457,7 @@ ge_frombytes_negate_vartime(ge_p3 *h, const unsigned char *s) r = p + q */ -void +static void ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) { fe t0; @@ -1478,7 +1478,7 @@ ge_madd(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) r = p - q */ -void +static void ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) { fe t0; @@ -1499,7 +1499,7 @@ ge_msub(ge_p1p1 *r, const ge_p3 *p, const ge_precomp *q) r = p */ -extern void +void ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p) { fe_mul(r->X, p->X, p->T); @@ -1511,7 +1511,7 @@ ge_p1p1_to_p2(ge_p2 *r, const ge_p1p1 *p) r = p */ -extern void +static void ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p) { fe_mul(r->X, p->X, p->T); @@ -1520,7 +1520,7 @@ ge_p1p1_to_p3(ge_p3 *r, const ge_p1p1 *p) fe_mul(r->T, p->X, p->Y); } -void +static void ge_p2_0(ge_p2 *h) { fe_0(h->X); @@ -1532,7 +1532,7 @@ ge_p2_0(ge_p2 *h) r = 2 * p */ -void +static void ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p) { fe t0; @@ -1548,7 +1548,7 @@ ge_p2_dbl(ge_p1p1 *r, const ge_p2 *p) fe_sub(r->T, r->T, r->Z); } -void +static void ge_p3_0(ge_p3 *h) { fe_0(h->X); @@ -1567,7 +1567,7 @@ ge_p3_0(ge_p3 *h) static const fe d2 = { -21827239, -5839606, -30745221, 13898782, 229458, 15978800, -12551817, -6495438, 29715968, 9444199 }; -extern void +void ge_p3_to_cached(ge_cached *r, const ge_p3 *p) { fe_add(r->YplusX, p->Y, p->X); @@ -1580,7 +1580,7 @@ ge_p3_to_cached(ge_cached *r, const ge_p3 *p) r = p */ -extern void +static void ge_p3_to_p2(ge_p2 *r, const ge_p3 *p) { fe_copy(r->X, p->X); @@ -1606,7 +1606,7 @@ ge_p3_tobytes(unsigned char *s, const ge_p3 *h) r = 2 * p */ -void +static void ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p) { ge_p2 q; @@ -1614,7 +1614,7 @@ ge_p3_dbl(ge_p1p1 *r, const ge_p3 *p) ge_p2_dbl(r, &q); } -void +static void ge_precomp_0(ge_precomp *h) { fe_1(h->yplusx); 
@@ -1686,7 +1686,7 @@ ge_select(ge_precomp *t, int pos, signed char b) r = p - q */ -void +static void ge_sub(ge_p1p1 *r, const ge_p3 *p, const ge_cached *q) { fe t0; @@ -1804,6 +1804,10 @@ ge_double_scalarmult_vartime(ge_p2 *r, const unsigned char *a, const ge_p3 *A, } } +#ifndef MINIMAL + +/* only used for verification of legacy (edwards25519sha512batch) signatures */ + void ge_scalarmult_vartime(ge_p3 *r, const unsigned char *a, const ge_p3 *A) { @@ -1863,6 +1867,8 @@ ge_scalarmult_vartime(ge_p3 *r, const unsigned char *a, const ge_p3 *A) } } +#endif + void ge_scalarmult_base(ge_p3 *h, const unsigned char *a) { 
@@ -1913,6 +1919,61 @@ ge_scalarmult_base(ge_p3 *h, const unsigned char *a) } } +/* multiply by the order of the main subgroup l = 2^252+27742317777372353535851937790883648493 */ +void +ge_mul_l(ge_p3 *r, const ge_p3 *A) +{ + static const signed char aslide[253] = { + 13, 0, 0, 0, 0, -1, 0, 0, 0, 0, -11, 0, 0, 0, 0, 0, 0, -5, 0, 0, 0, 0, 0, 0, -3, 0, 0, 0, 0, -13, 0, 0, 0, 0, 7, 0, 0, 0, 0, 0, 3, 0, 0, 0, 0, -13, 0, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0, 11, 0, 0, 0, 0, 0, 11, 0, 0, 0, 0, -13, 0, 0, 0, 0, 0, 0, -3, 0, 0, 0, 0, 0, -1, 0, 0, 0, 0, 3, 0, 0, 0, 0, -11, 0, 0, 0, 0, 0, 0, 0, 15, 0, 0, 0, 0, 0, -1, 0, 0, 0, 0, -1, 0, 0, 0, 0, 7, 0, 0, 0, 0, 5, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1 + }; + ge_cached Ai[8]; + ge_p1p1 t; + ge_p3 u; + ge_p3 A2; + int i; + + ge_p3_to_cached(&Ai[0], A); + ge_p3_dbl(&t, A); + ge_p1p1_to_p3(&A2, &t); + ge_add(&t, &A2, &Ai[0]); + ge_p1p1_to_p3(&u, &t); + ge_p3_to_cached(&Ai[1], &u); + ge_add(&t, &A2, &Ai[1]); + ge_p1p1_to_p3(&u, &t); + ge_p3_to_cached(&Ai[2], &u); + ge_add(&t, &A2, &Ai[2]); + ge_p1p1_to_p3(&u, &t); + ge_p3_to_cached(&Ai[3], &u); + ge_add(&t, &A2, &Ai[3]); + ge_p1p1_to_p3(&u, &t); + ge_p3_to_cached(&Ai[4], &u); + ge_add(&t, &A2, &Ai[4]); + ge_p1p1_to_p3(&u, &t); + ge_p3_to_cached(&Ai[5], &u); + ge_add(&t, &A2, &Ai[5]); + ge_p1p1_to_p3(&u, &t); + ge_p3_to_cached(&Ai[6], &u); + ge_add(&t, &A2, &Ai[6]); + ge_p1p1_to_p3(&u, &t); + ge_p3_to_cached(&Ai[7], &u); + + ge_p3_0(r); + + for (i = 252; i >= 0; --i) { + ge_p3_dbl(&t, r); + + if (aslide[i] > 0) { + ge_p1p1_to_p3(&u, &t); + ge_add(&t, &u, &Ai[aslide[i] / 2]); + } else if (aslide[i] < 0) { + ge_p1p1_to_p3(&u, &t); + 
ge_sub(&t, &u, &Ai[(-aslide[i]) / 2]); + } + + ge_p1p1_to_p3(r, &t); + } +} + /* Input: a[0]+256*a[1]+...+256^31*a[31] = a diff --git a/src/libsodium/crypto_generichash/blake2b/ref/blake2b-ref.c b/src/libsodium/crypto_generichash/blake2b/ref/blake2b-ref.c index 8a00cb88..8da3de42 100644 --- a/src/libsodium/crypto_generichash/blake2b/ref/blake2b-ref.c +++ b/src/libsodium/crypto_generichash/blake2b/ref/blake2b-ref.c @@ -14,11 +14,13 @@ */ #include +#include #include #include #include #include "blake2.h" +#include "core.h" #include "private/common.h" #include "runtime.h" #include "utils.h" @@ -159,11 +161,12 @@ static inline int blake2b_init0(blake2b_state *S) { int i; - memset(S, 0, sizeof(blake2b_state)); for (i = 0; i < 8; i++) { S->h[i] = blake2b_IV[i]; } + memset(S->t, 0, offsetof(blake2b_state, last_node) + sizeof(S->last_node) + - offsetof(blake2b_state, t)); return 0; } @@ -190,9 +193,9 @@ blake2b_init(blake2b_state *S, const uint8_t outlen) { blake2b_param P[1]; - if ((!outlen) || (outlen > BLAKE2B_OUTBYTES)) - abort(); - + if ((!outlen) || (outlen > BLAKE2B_OUTBYTES)) { + sodium_misuse(); + } P->digest_length = outlen; P->key_length = 0; P->fanout = 1; @@ -213,9 +216,9 @@ blake2b_init_salt_personal(blake2b_state *S, const uint8_t outlen, { blake2b_param P[1]; - if ((!outlen) || (outlen > BLAKE2B_OUTBYTES)) - abort(); - + if ((!outlen) || (outlen > BLAKE2B_OUTBYTES)) { + sodium_misuse(); + } P->digest_length = outlen; P->key_length = 0; P->fanout = 1; @@ -244,12 +247,12 @@ blake2b_init_key(blake2b_state *S, const uint8_t outlen, const void *key, { blake2b_param P[1]; - if ((!outlen) || (outlen > BLAKE2B_OUTBYTES)) - abort(); - - if (!key || !keylen || keylen > BLAKE2B_KEYBYTES) - abort(); - + if ((!outlen) || (outlen > BLAKE2B_OUTBYTES)) { + sodium_misuse(); + } + if (!key || !keylen || keylen > BLAKE2B_KEYBYTES) { + sodium_misuse(); + } P->digest_length = outlen; P->key_length = keylen; P->fanout = 1; 
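Review bot: `ge_mul_l` drives its add/sub branches from the 253-entry `aslide` table, but nothing says what the table encodes or why `Ai[aslide[i] / 2]` is a valid index; a comment above the table would spare the next reader reverse-engineering it, e.g. `/* Signed sliding-window digits of l, odd values in [-15, 15]; Ai[k] holds (2k+1)*A, hence the /2 index. Fixed public data, so the branch pattern below does not depend on A. */`. The loop start `i = 252` and the table length 253 are coupled by hand; `for (i = (int) (sizeof aslide / sizeof aslide[0]) - 1; i >= 0; --i)` keeps them in step if the table is ever regenerated. The eight unrolled precomputation steps filling `Ai[1..7]` could be a short loop over k, but that is style only.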
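Review bot: The replacement `memset` in `blake2b_init0` (`@@ -159,11 +161,12 @@`) computes its length as `offsetof(last_node) + sizeof(last_node) - offsetof(t)`, which is the intended `t..last_node` span only while `t` precedes `last_node` in `blake2b_state` and `h` lies outside that span; a later reordering of the struct would silently leave part of the state uninitialised or wipe `h` after the loop just set it. A compile-time check pins the assumption, e.g. `COMPILER_ASSERT(offsetof(blake2b_state, t) < offsetof(blake2b_state, last_node));` next to the memset (the macro is already used in this squash), together with `/* h is set above; zero everything from t through last_node */`. As a style point, the continuation line of the memset starts with `- offsetof(...)`, which in any future diff reads like a removed line; ending the first line with the `-` operator avoids the lookalike.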
@@ -262,9 +265,9 @@ blake2b_init_key(blake2b_state *S, const uint8_t outlen, const void *key, memset(P->salt, 0, sizeof(P->salt)); memset(P->personal, 0, sizeof(P->personal)); - if (blake2b_init_param(S, P) < 0) - abort(); - + if (blake2b_init_param(S, P) < 0) { + sodium_misuse(); + } { uint8_t block[BLAKE2B_BLOCKBYTES]; memset(block, 0, BLAKE2B_BLOCKBYTES); @@ -282,12 +285,12 @@ blake2b_init_key_salt_personal(blake2b_state *S, const uint8_t outlen, { blake2b_param P[1]; - if ((!outlen) || (outlen > BLAKE2B_OUTBYTES)) - abort(); - - if (!key || !keylen || keylen > BLAKE2B_KEYBYTES) - abort(); - + if ((!outlen) || (outlen > BLAKE2B_OUTBYTES)) { + sodium_misuse(); + } + if (!key || !keylen || keylen > BLAKE2B_KEYBYTES) { + sodium_misuse(); + } P->digest_length = outlen; P->key_length = keylen; P->fanout = 1; @@ -308,9 +311,9 @@ blake2b_init_key_salt_personal(blake2b_state *S, const uint8_t outlen, memset(P->personal, 0, sizeof(P->personal)); } - if (blake2b_init_param(S, P) < 0) - abort(); - + if (blake2b_init_param(S, P) < 0) { + sodium_misuse(); + } { uint8_t block[BLAKE2B_BLOCKBYTES]; memset(block, 0, BLAKE2B_BLOCKBYTES); @@ -355,7 +358,7 @@ int blake2b_final(blake2b_state *S, uint8_t *out, uint8_t outlen) { if (!outlen || outlen > BLAKE2B_OUTBYTES) { - abort(); /* LCOV_EXCL_LINE */ + sodium_misuse(); } if (blake2b_is_lastblock(S)) { return -1; @@ -387,6 +390,9 @@ blake2b_final(blake2b_state *S, uint8_t *out, uint8_t outlen) memcpy(out, buffer, outlen); } #endif + sodium_memzero(S->h, sizeof S->h); + sodium_memzero(S->buf, sizeof S->buf); + return 0; } 
@@ -398,27 +404,29 @@ blake2b(uint8_t *out, const void *in, const void *key, const uint8_t outlen, blake2b_state S[1]; /* Verify parameters */ - if (NULL == in && inlen > 0) - abort(); - - if (NULL == out) - abort(); - - if (!outlen || outlen > BLAKE2B_OUTBYTES) - abort(); - - if (NULL == key && keylen > 0) - abort(); - - if (keylen > BLAKE2B_KEYBYTES) - abort(); - + if (NULL == in && inlen > 0) { + sodium_misuse(); + } + if (NULL == out) { + sodium_misuse(); + } + if (!outlen || outlen > BLAKE2B_OUTBYTES) { + sodium_misuse(); + } + if (NULL == key && keylen > 0) { + sodium_misuse(); + } + if (keylen > BLAKE2B_KEYBYTES) { + sodium_misuse(); + } if (keylen > 0) { - if (blake2b_init_key(S, outlen, key, keylen) < 0) - abort(); + if (blake2b_init_key(S, outlen, key, keylen) < 0) { + sodium_misuse(); + } } else { - if (blake2b_init(S, outlen) < 0) - abort(); + if (blake2b_init(S, outlen) < 0) { + sodium_misuse(); + } } blake2b_update(S, (const uint8_t *) in, inlen); @@ -434,28 +442,30 @@ blake2b_salt_personal(uint8_t *out, const void *in, const void *key, blake2b_state S[1]; /* Verify parameters */ - if (NULL == in && inlen > 0) - abort(); - - if (NULL == out) - abort(); - - if (!outlen || outlen > BLAKE2B_OUTBYTES) - abort(); - - if (NULL == key && keylen > 0) - abort(); - - if (keylen > BLAKE2B_KEYBYTES) - abort(); - + if (NULL == in && inlen > 0) { + sodium_misuse(); + } + if (NULL == out) { + sodium_misuse(); + } + if (!outlen || outlen > BLAKE2B_OUTBYTES) { + sodium_misuse(); + } + if (NULL == key && keylen > 0) { + sodium_misuse(); + } + if (keylen > BLAKE2B_KEYBYTES) { + sodium_misuse(); + } if (keylen > 0) { if (blake2b_init_key_salt_personal(S, outlen, key, keylen, salt, - personal) < 0) - abort(); + personal) < 0) { + sodium_misuse(); + } } else { - if (blake2b_init_salt_personal(S, outlen, salt, personal) < 0) - abort(); + if (blake2b_init_salt_personal(S, outlen, salt, personal) < 0) { + sodium_misuse(); + } } blake2b_update(S, (const uint8_t *) in, inlen); 
diff --git a/src/libsodium/crypto_hash/sha512/cp/hash_sha512_cp.c b/src/libsodium/crypto_hash/sha512/cp/hash_sha512_cp.c index 3778dfe3..8d0f2536 100644 --- a/src/libsodium/crypto_hash/sha512/cp/hash_sha512_cp.c +++ b/src/libsodium/crypto_hash/sha512/cp/hash_sha512_cp.c @@ -222,9 +222,11 @@ crypto_hash_sha512_update(crypto_hash_sha512_state *state, bitlen[1] = ((uint64_t) inlen) << 3; bitlen[0] = ((uint64_t) inlen) >> 61; + /* LCOV_EXCL_START */ if ((state->count[1] += bitlen[1]) < bitlen[1]) { state->count[0]++; } + /* LCOV_EXCL_STOP */ state->count[0] += bitlen[0]; if (inlen < 128 - r) { for (i = 0; i < inlen; i++) { diff --git a/src/libsodium/crypto_kx/crypto_kx.c b/src/libsodium/crypto_kx/crypto_kx.c index ef878d94..877ab7ff 100644 --- a/src/libsodium/crypto_kx/crypto_kx.c +++ b/src/libsodium/crypto_kx/crypto_kx.c @@ -1,6 +1,7 @@ #include +#include "core.h" #include "crypto_generichash.h" #include "crypto_kx.h" #include "crypto_scalarmult.h" @@ -47,6 +48,9 @@ crypto_kx_client_session_keys(unsigned char rx[crypto_kx_SESSIONKEYBYTES], if (tx == NULL) { tx = rx; } + if (rx == NULL) { + sodium_misuse(); /* LCOV_EXCL_LINE */ + } if (crypto_scalarmult(q, client_sk, server_pk) != 0) { return -1; } @@ -85,6 +89,9 @@ crypto_kx_server_session_keys(unsigned char rx[crypto_kx_SESSIONKEYBYTES], if (tx == NULL) { tx = rx; } + if (rx == NULL) { + sodium_misuse(); /* LCOV_EXCL_LINE */ + } if (crypto_scalarmult(q, server_sk, client_pk) != 0) { return -1; } diff --git a/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c b/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c index aff802de..953685c1 100644 --- a/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c +++ b/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c 
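Review bot: The `rx == NULL` misuse check in crypto_kx_client_session_keys is placed after `tx = rx;`, so the aliasing assignment runs on a pointer that is rejected one statement later; the @@ -85 hunk for crypto_kx_server_session_keys has the same ordering. Moving the check above the `if (tx == NULL)` block validates the input before it is used, i.e. `if (rx == NULL) { sodium_misuse(); /* LCOV_EXCL_LINE */ }` followed by the existing `if (tx == NULL) { tx = rx; }`. Behaviour is the same either way; this is about reading order.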
@@ -40,14 +40,14 @@ enum poly1305_state_flags_t { poly1305_final_shift8 = 4, poly1305_final_shift16 = 8, poly1305_final_r2_r = 16, /* use [r^2,r] for the final block */ - poly1305_final_r_1 = 32, /* use [r,1] for the final block */ + poly1305_final_r_1 = 32 /* use [r,1] for the final block */ }; typedef struct poly1305_state_internal_t { union { uint64_t h[3]; uint32_t hh[10]; - }; /* 40 bytes */ + } H; /* 40 bytes */ uint32_t R[5]; /* 20 bytes */ uint32_t R2[5]; /* 20 bytes */ uint32_t R4[5]; /* 20 bytes */ @@ -120,9 +120,9 @@ poly1305_init_ext(poly1305_state_internal_t *st, const unsigned char key[32], bytes = ~(unsigned long long) 0; } /* H = 0 */ - _mm_storeu_si128((xmmi *) (void *) &st->hh[0], _mm_setzero_si128()); - _mm_storeu_si128((xmmi *) (void *) &st->hh[4], _mm_setzero_si128()); - _mm_storeu_si128((xmmi *) (void *) &st->hh[8], _mm_setzero_si128()); + _mm_storeu_si128((xmmi *) (void *) &st->H.hh[0], _mm_setzero_si128()); + _mm_storeu_si128((xmmi *) (void *) &st->H.hh[4], _mm_setzero_si128()); + _mm_storeu_si128((xmmi *) (void *) &st->H.hh[8], _mm_setzero_si128()); /* clamp key */ memcpy(&t0, key, 8); @@ -242,9 +242,9 @@ poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, bytes -= 32; st->flags |= poly1305_started; } else { - T0 = _mm_loadu_si128((const xmmi *) (const void *) &st->hh[0]); - T1 = _mm_loadu_si128((const xmmi *) (const void *) &st->hh[4]); - T2 = _mm_loadu_si128((const xmmi *) (const void *) &st->hh[8]); + T0 = _mm_loadu_si128((const xmmi *) (const void *) &st->H.hh[0]); + T1 = _mm_loadu_si128((const xmmi *) (const void *) &st->H.hh[4]); + T2 = _mm_loadu_si128((const xmmi *) (const void *) &st->H.hh[8]); H0 = _mm_shuffle_epi32(T0, _MM_SHUFFLE(1, 1, 0, 0)); H1 = _mm_shuffle_epi32(T0, _MM_SHUFFLE(3, 3, 2, 2)); H2 = _mm_shuffle_epi32(T1, _MM_SHUFFLE(1, 1, 0, 0)); 
@@ -684,9 +684,9 @@ poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, T4 = _mm_shuffle_epi32(H4, _MM_SHUFFLE(0, 0, 2, 0)); T0 = _mm_unpacklo_epi64(T0, T1); T1 = _mm_unpacklo_epi64(T2, T3); - _mm_storeu_si128((xmmi *) (void *) &st->hh[0], T0); - _mm_storeu_si128((xmmi *) (void *) &st->hh[4], T1); - _mm_storel_epi64((xmmi *) (void *) &st->hh[8], T4); + _mm_storeu_si128((xmmi *) (void *) &st->H.hh[0], T0); + _mm_storeu_si128((xmmi *) (void *) &st->H.hh[4], T1); + _mm_storel_epi64((xmmi *) (void *) &st->H.hh[8], T4); } else { uint32_t t0, t1, t2, t3, t4, b; uint64_t h0, h1, h2, g0, g1, g2, c, nc; @@ -755,9 +755,9 @@ poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m, h1 = (h1 & nc) | (g1 & c); h2 = (h2 & nc) | (g2 & c); - st->h[0] = h0; - st->h[1] = h1; - st->h[2] = h2; + st->H.h[0] = h0; + st->H.h[1] = h1; + st->H.h[2] = h2; } } @@ -833,9 +833,9 @@ poly1305_finish_ext(poly1305_state_internal_t *st, const unsigned char *m, poly1305_blocks(st, NULL, 32); } - h0 = st->h[0]; - h1 = st->h[1]; - h2 = st->h[2]; + h0 = st->H.h[0]; + h1 = st->H.h[1]; + h2 = st->H.h[2]; /* pad */ h0 = ((h0) | (h1 << 44)); diff --git a/src/libsodium/crypto_pwhash/argon2/argon2-core.c b/src/libsodium/crypto_pwhash/argon2/argon2-core.c index 091ce33f..318e73ef 100644 --- a/src/libsodium/crypto_pwhash/argon2/argon2-core.c +++ b/src/libsodium/crypto_pwhash/argon2/argon2-core.c @@ -36,28 +36,6 @@ static fill_segment_fn fill_segment = fill_segment_ref; -/***************Instance and Position constructors**********/ -void -init_block_value(block *b, uint8_t in) -{ - memset(b->v, in, sizeof(b->v)); -} - -void -copy_block(block *dst, const block *src) -{ - memcpy(dst->v, src->v, sizeof(uint64_t) * ARGON2_QWORDS_IN_BLOCK); -} - -void -xor_block(block *dst, const block *src) -{ - int i; - for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i) { - dst->v[i] ^= src->v[i]; - } -} - static void load_block(block *dst, const void *input) { 
@@ -105,6 +83,7 @@ allocate_memory(block_region **region, uint32_t m_cost) if (!*region) { return ARGON2_MEMORY_ALLOCATION_ERROR; /* LCOV_EXCL_LINE */ } + (*region)->base = (*region)->memory = NULL; #if defined(MAP_ANON) && defined(HAVE_MMAP) if ((base = mmap(NULL, memory_size, PROT_READ | PROT_WRITE, @@ -154,12 +133,18 @@ static void clear_memory(argon2_instance_t *instance, int clear); static void clear_memory(argon2_instance_t *instance, int clear) { - if (instance->region != NULL && clear) { - /* LCOV_EXCL_START */ - sodium_memzero(instance->region->memory, - sizeof(block) * instance->memory_blocks); - /* LCOV_EXCL_STOP */ + /* LCOV_EXCL_START */ + if (clear) { + if (instance->region != NULL) { + sodium_memzero(instance->region->memory, + sizeof(block) * instance->memory_blocks); + } + if (instance->pseudo_rands != NULL) { + sodium_memzero(instance->pseudo_rands, + sizeof(uint64_t) * instance->segment_length); + } } + /* LCOV_EXCL_STOP */ } /* Deallocates memory @@ -170,7 +155,7 @@ static void free_memory(block_region *memory); static void free_memory(block_region *region) { - if (region->base) { + if (region && region->base) { #if defined(MAP_ANON) && defined(HAVE_MMAP) if (munmap(region->base, region->size)) { return; /* LCOV_EXCL_LINE */ @@ -182,6 +167,19 @@ free_memory(block_region *region) free(region); } +void +free_instance(argon2_instance_t *instance, int flags) +{ + /* Clear memory */ + clear_memory(instance, flags & ARGON2_FLAG_CLEAR_MEMORY); + + /* Deallocate the memory */ + free(instance->pseudo_rands); + instance->pseudo_rands = NULL; + free_memory(instance->region); + instance->region = NULL; +} + void finalize(const argon2_context *context, argon2_instance_t *instance) { 
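Review bot: `instance->region != NULL` no longer implies `instance->region->memory != NULL` in clear_memory: allocate_memory() (the @@ -105 hunk) now sets `memory = NULL` immediately after allocating the region struct, and initialize() (the @@ -559 hunk) calls free_instance() on the allocate_memory() failure path, so if allocate_memory() leaves `*region` allocated when the block allocation itself fails (its tail is outside this chunk), a context with ARGON2_FLAG_CLEAR_MEMORY would call sodium_memzero() through a NULL pointer with a size of `sizeof(block) * memory_blocks`. Guarding on both pointers, `if (instance->region != NULL && instance->region->memory != NULL) {`, closes that regardless of what allocate_memory() does on failure, and costs nothing on the normal path.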
@@ -212,11 +210,7 @@ finalize(const argon2_context *context, argon2_instance_t *instance) ARGON2_BLOCK_SIZE); /* clear blockhash_bytes */ } - /* Clear memory */ - clear_memory(instance, context->flags & ARGON2_FLAG_CLEAR_PASSWORD); - - /* Deallocate the memory */ - free_memory(instance->region); + free_instance(instance, context->flags); } } @@ -292,14 +286,13 @@ index_alpha(const argon2_instance_t *instance, return absolute_position; } -int +void fill_memory_blocks(argon2_instance_t *instance) { - int result; uint32_t r, s; if (instance == NULL || instance->lanes == 0) { - return ARGON2_OK; /* LCOV_EXCL_LINE */ + return; /* LCOV_EXCL_LINE */ } for (r = 0; r < instance->passes; ++r) { @@ -313,14 +306,10 @@ fill_memory_blocks(argon2_instance_t *instance) position.lane = l; position.slice = (uint8_t) s; position.index = 0; - result = fill_segment(instance, position); - if (ARGON2_OK != result) { - return result; /* LCOV_EXCL_LINE */ - } + fill_segment(instance, position); } } } - return ARGON2_OK; } int @@ -510,10 +499,12 @@ initial_hash(uint8_t *blockhash, argon2_context *context, argon2_type type) crypto_generichash_blake2b_update( &BlakeHash, (const uint8_t *) context->pwd, context->pwdlen); + /* LCOV_EXCL_START */ if (context->flags & ARGON2_FLAG_CLEAR_PASSWORD) { - sodium_memzero(context->pwd, context->pwdlen); /* LCOV_EXCL_LINE */ - context->pwdlen = 0; /* LCOV_EXCL_LINE */ + sodium_memzero(context->pwd, context->pwdlen); + context->pwdlen = 0; } + /* LCOV_EXCL_STOP */ } STORE32_LE(value, context->saltlen); @@ -527,8 +518,8 @@ initial_hash(uint8_t *blockhash, argon2_context *context, argon2_type type) STORE32_LE(value, context->secretlen); crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value)); + /* LCOV_EXCL_START */ if (context->secret != NULL) { - /* LCOV_EXCL_START */ crypto_generichash_blake2b_update( &BlakeHash, (const uint8_t *) context->secret, context->secretlen); 
@@ -536,18 +527,18 @@ initial_hash(uint8_t *blockhash, argon2_context *context, argon2_type type) sodium_memzero(context->secret, context->secretlen); context->secretlen = 0; } - /* LCOV_EXCL_STOP */ } + /* LCOV_EXCL_STOP */ STORE32_LE(value, context->adlen); crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value)); + /* LCOV_EXCL_START */ if (context->ad != NULL) { - /* LCOV_EXCL_START */ crypto_generichash_blake2b_update( &BlakeHash, (const uint8_t *) context->ad, context->adlen); - /* LCOV_EXCL_STOP */ } + /* LCOV_EXCL_STOP */ crypto_generichash_blake2b_final(&BlakeHash, blockhash, ARGON2_PREHASH_DIGEST_LENGTH); @@ -559,13 +550,20 @@ initialize(argon2_instance_t *instance, argon2_context *context) uint8_t blockhash[ARGON2_PREHASH_SEED_LENGTH]; int result = ARGON2_OK; - if (instance == NULL || context == NULL) + if (instance == NULL || context == NULL) { return ARGON2_INCORRECT_PARAMETER; + } /* 1. Memory allocation */ + if ((instance->pseudo_rands = (uint64_t *) + malloc(sizeof(uint64_t) * instance->segment_length)) == NULL) { + return ARGON2_MEMORY_ALLOCATION_ERROR; + } + result = allocate_memory(&(instance->region), instance->memory_blocks); if (ARGON2_OK != result) { + free_instance(instance, context->flags); return result; } @@ -591,6 +589,13 @@ int argon2_pick_best_implementation(void) { /* LCOV_EXCL_START */ +#if defined(HAVE_AVX512FINTRIN_H) && defined(HAVE_AVX2INTRIN_H) && \ + defined(HAVE_TMMINTRIN_H) && defined(HAVE_SMMINTRIN_H) + if (sodium_runtime_has_avx512f()) { + fill_segment = fill_segment_avx512f; + return 0; + } +#endif #if defined(HAVE_AVX2INTRIN_H) && defined(HAVE_TMMINTRIN_H) && \ defined(HAVE_SMMINTRIN_H) if (sodium_runtime_has_avx2()) { diff --git a/src/libsodium/crypto_pwhash/argon2/argon2-core.h b/src/libsodium/crypto_pwhash/argon2/argon2-core.h index 69d5925b..ab259bdf 100644 --- a/src/libsodium/crypto_pwhash/argon2/argon2-core.h +++ b/src/libsodium/crypto_pwhash/argon2/argon2-core.h 
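Review bot: `malloc(sizeof(uint64_t) * instance->segment_length)` in initialize() computes the size in `size_t` from a `uint32_t` field (argon2-core.h declares `segment_length` as uint32_t), so on an LP32 target the product wraps for very large segment lengths; whether the memory-cost limits enforced by callers rule that out is not visible here. `instance->pseudo_rands = calloc(instance->segment_length, sizeof(uint64_t));` checks the multiplication, needs no cast in C, and zero-fills, so any entry a fill_segment implementation leaves unset reads as 0 rather than heap garbage.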
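Review bot: The guard around the new avx512f branch in argon2_pick_best_implementation lists HAVE_AVX512FINTRIN_H, HAVE_AVX2INTRIN_H, HAVE_TMMINTRIN_H and HAVE_SMMINTRIN_H, while argon2-fill-block-avx512f.c compiles `fill_segment_avx512f` only under that set plus `HAVE_EMMINTRIN_H`; a configuration that defines the four but not the fifth references a symbol that was never built and fails at link time. Either add `defined(HAVE_EMMINTRIN_H)` to the condition here or drop it from the file's guard so the dispatcher and the implementation agree.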
@@ -14,6 +14,8 @@ #ifndef argon2_core_H #define argon2_core_H +#include + #include "argon2.h" /*************************Argon2 internal @@ -28,6 +30,7 @@ enum argon2_ctx_constants { ARGON2_QWORDS_IN_BLOCK = ARGON2_BLOCK_SIZE / 8, ARGON2_OWORDS_IN_BLOCK = ARGON2_BLOCK_SIZE / 16, ARGON2_HWORDS_IN_BLOCK = ARGON2_BLOCK_SIZE / 32, + ARGON2_512BIT_WORDS_IN_BLOCK = ARGON2_BLOCK_SIZE / 64, /* Number of pseudo-random values generated by one call to Blake in Argon2i to @@ -60,13 +63,28 @@ typedef struct block_region_ { /*****************Functions that work with the block******************/ /* Initialize each byte of the block with @in */ -void init_block_value(block *b, uint8_t in); +static inline void +init_block_value(block *b, uint8_t in) +{ + memset(b->v, in, sizeof(b->v)); +} /* Copy block @src to block @dst */ -void copy_block(block *dst, const block *src); +static inline void +copy_block(block *dst, const block *src) +{ + memcpy(dst->v, src->v, sizeof(uint64_t) * ARGON2_QWORDS_IN_BLOCK); +} /* XOR @src onto @dst bytewise */ -void xor_block(block *dst, const block *src); +static inline void +xor_block(block *dst, const block *src) +{ + int i; + for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i) { + dst->v[i] ^= src->v[i]; + } +} /* * Argon2 instance: memory pointer, number of passes, amount of memory, type, @@ -76,6 +94,7 @@ void xor_block(block *dst, const block *src); */ typedef struct Argon2_instance_t { block_region *region; /* Memory region pointer */ + uint64_t *pseudo_rands; uint32_t passes; /* Number of passes */ uint32_t memory_blocks; /* Number of blocks in memory */ uint32_t segment_length; 
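Review bot: The three helpers moved into argon2-core.h are inconsistent about how they size a block: `init_block_value` uses `sizeof(b->v)` while `copy_block` recomputes it as `sizeof(uint64_t) * ARGON2_QWORDS_IN_BLOCK`. `memcpy(dst->v, src->v, sizeof(dst->v));` says the same thing and cannot drift if the block type changes. The `int i` counter in `xor_block` is compared against an enum constant; `uint32_t i` would match the loop counters used in the fill-block files of this patch.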
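Review bot: `uint64_t *pseudo_rands;` is the only Argon2_instance_t member added without a trailing comment while every neighbouring field has one. From the .c hunks in this patch it is allocated by initialize() with `segment_length` entries, filled by generate_addresses() and released by free_instance(), so `uint64_t *pseudo_rands; /* per-segment scratch for data-independent addressing: segment_length entries, owned by the instance */` records the contract the fill_segment implementations now rely on.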
@@ -162,6 +181,11 @@ void fill_first_blocks(uint8_t *blockhash, const argon2_instance_t *instance); */ int initialize(argon2_instance_t *instance, argon2_context *context); +/* + * Deallocates memory. Used on error path. + */ +void free_instance(argon2_instance_t *instance, int flags); + /* * XORing the last block of each lane, hashing it, making the tag. Deallocates * the memory. @@ -182,15 +206,17 @@ void finalize(const argon2_context *context, argon2_instance_t *instance); * @param position Current position * @pre all block pointers must be valid */ -typedef int (*fill_segment_fn)(const argon2_instance_t *instance, - argon2_position_t position); +typedef void (*fill_segment_fn)(const argon2_instance_t *instance, + argon2_position_t position); int argon2_pick_best_implementation(void); -int fill_segment_avx2(const argon2_instance_t *instance, - argon2_position_t position); -int fill_segment_ssse3(const argon2_instance_t *instance, +void fill_segment_avx512f(const argon2_instance_t *instance, + argon2_position_t position); +void fill_segment_avx2(const argon2_instance_t *instance, argon2_position_t position); -int fill_segment_ref(const argon2_instance_t *instance, - argon2_position_t position); +void fill_segment_ssse3(const argon2_instance_t *instance, + argon2_position_t position); +void fill_segment_ref(const argon2_instance_t *instance, + argon2_position_t position); /* * Function that fills the entire memory t_cost times based on the first two @@ -198,6 +224,6 @@ int fill_segment_ref(const argon2_instance_t *instance, * @param instance Pointer to the current instance * @return Zero if successful, -1 if memory failed to allocate */ -int fill_memory_blocks(argon2_instance_t *instance); +void fill_memory_blocks(argon2_instance_t *instance); #endif diff --git a/src/libsodium/crypto_pwhash/argon2/argon2-encoding.c b/src/libsodium/crypto_pwhash/argon2/argon2-encoding.c index 5224cb61..a08acdda 100644 --- a/src/libsodium/crypto_pwhash/argon2/argon2-encoding.c 
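Review bot: The new comment on `free_instance()` says it is "Used on error path", but finalize() in argon2-core.c now routes the normal completion through it as well, and the comment does not say what `flags` is. Suggest replacing it with `/* Releases the block region and pseudo_rands of @instance, wiping them first when @flags contains ARGON2_FLAG_CLEAR_MEMORY; called by finalize() and on initialize() error paths. */`.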
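Review bot: Now that `fill_segment_fn` returns void, the implementations (fill_segment_ref, fill_segment_ssse3, fill_segment_avx2 and the new fill_segment_avx512f in this patch) read `instance->pseudo_rands` without any check where they previously allocated it themselves and could report failure, and that dependency is not stated in the doc block above the typedef. Adding `* @pre instance->pseudo_rands points to segment_length uint64_t entries (allocated by initialize())` next to the existing `@pre all block pointers must be valid` line records it for anyone adding another implementation.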
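Review bot: The comment directly above the new `void fill_memory_blocks(argon2_instance_t *instance);` prototype still reads `@return Zero if successful, -1 if memory failed to allocate`, which no longer describes a void function. Replace that line with `* Cannot fail: the region and pseudo_rands are allocated by initialize(); does nothing for a NULL instance or zero lanes`, the latter matching the early return in the @@ -292 hunk of argon2-core.c.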
+++ b/src/libsodium/crypto_pwhash/argon2/argon2-encoding.c @@ -1,5 +1,6 @@ #include "argon2-encoding.h" #include "argon2-core.h" +#include "utils.h" #include #include #include @@ -9,19 +10,6 @@ * Example code for a decoder and encoder of "hash strings", with Argon2 * parameters. * - * This code comprises three sections: - * - * -- The first section contains generic Base64 encoding and decoding - * functions. It is conceptually applicable to any hash function - * implementation that uses Base64 to encode and decode parameters, - * salts and outputs. It could be made into a library, provided that - * the relevant functions are made public (non-static) and be given - * reasonable names to avoid collisions with other functions. - * - * -- The second section is specific to Argon2. It encodes and decodes - * the parameters, salts and outputs. It does not compute the hash - * itself. - * * The code was originally written by Thomas Pornin , * to whom comments and remarks may be sent. It is released under what * should amount to Public Domain or its closest equivalent; the 
@@ -39,156 +27,6 @@ */ /* ==================================================================== */ -/* - * Common code; could be shared between different hash functions. - * - * Note: the Base64 functions below assume that uppercase letters (resp. - * lowercase letters) have consecutive numerical codes, that fit on 8 - * bits. All modern systems use ASCII-compatible charsets, where these - * properties are true. If you are stuck with a dinosaur of a system - * that still defaults to EBCDIC then you already have much bigger - * interoperability issues to deal with. - */ - -/* - * Some macros for constant-time comparisons. These work over values in - * the 0..255 range. Returned value is 0x00 on "false", 0xFF on "true". - */ -#define EQ(x, y) \ - ((((0U - ((unsigned) (x) ^ (unsigned) (y))) >> 8) & 0xFF) ^ 0xFF) -#define GT(x, y) ((((unsigned) (y) - (unsigned) (x)) >> 8) & 0xFF) -#define GE(x, y) (GT(y, x) ^ 0xFF) -#define LT(x, y) GT(y, x) -#define LE(x, y) GE(y, x) - -/* - * Convert value x (0..63) to corresponding Base64 character. - */ -static int -b64_byte_to_char(unsigned x) -{ - return (LT(x, 26) & (x + 'A')) | - (GE(x, 26) & LT(x, 52) & (x + ('a' - 26))) | - (GE(x, 52) & LT(x, 62) & (x + ('0' - 52))) | (EQ(x, 62) & '+') | - (EQ(x, 63) & '/'); -} - -/* - * Convert character c to the corresponding 6-bit value. If character c - * is not a Base64 character, then 0xFF (255) is returned. - */ -static unsigned -b64_char_to_byte(int c) -{ - unsigned x; - - x = (GE(c, 'A') & LE(c, 'Z') & (c - 'A')) | - (GE(c, 'a') & LE(c, 'z') & (c - ('a' - 26))) | - (GE(c, '0') & LE(c, '9') & (c - ('0' - 52))) | (EQ(c, '+') & 62) | - (EQ(c, '/') & 63); - return x | (EQ(x, 0) & (EQ(c, 'A') ^ 0xFF)); -} - -/* - * Convert some bytes to Base64. 'dst_len' is the length (in characters) - * of the output buffer 'dst'; if that buffer is not large enough to - * receive the result (including the terminating 0), then (size_t)-1 - * is returned. 
Otherwise, the zero-terminated Base64 string is written - * in the buffer, and the output length (counted WITHOUT the terminating - * zero) is returned. - */ -static size_t -to_base64(char *dst, size_t dst_len, const void *src, size_t src_len) -{ - size_t olen; - const unsigned char *buf; - unsigned acc, acc_len; - - olen = (src_len / 3) << 2; - switch (src_len % 3) { - case 2: - olen++; - /* fall through */ - case 1: - olen += 2; - break; - } - if (dst_len <= olen) { - return (size_t) -1; - } - acc = 0; - acc_len = 0; - buf = (const unsigned char *) src; - while (src_len-- > 0) { - acc = (acc << 8) + (*buf++); - acc_len += 8; - while (acc_len >= 6) { - acc_len -= 6; - *dst++ = (char) b64_byte_to_char((acc >> acc_len) & 0x3F); - } - } - if (acc_len > 0) { - *dst++ = (char) b64_byte_to_char((acc << (6 - acc_len)) & 0x3F); - } - *dst++ = 0; - return olen; -} - -/* - * Decode Base64 chars into bytes. The '*dst_len' value must initially - * contain the length of the output buffer '*dst'; when the decoding - * ends, the actual number of decoded bytes is written back in - * '*dst_len'. - * - * Decoding stops when a non-Base64 character is encountered, or when - * the output buffer capacity is exceeded. If an error occurred (output - * buffer is too small, invalid last characters leading to unprocessed - * buffered bits), then NULL is returned; otherwise, the returned value - * points to the first non-Base64 character in the source stream, which - * may be the terminating zero. 
- */ -static const char * -from_base64(void *dst, size_t *dst_len, const char *src) -{ - size_t len; - unsigned char *buf; - unsigned acc, acc_len; - - buf = (unsigned char *) dst; - len = 0; - acc = 0; - acc_len = 0; - for (;;) { - unsigned d; - - d = b64_char_to_byte(*src); - if (d == 0xFF) { - break; - } - src++; - acc = (acc << 6) + d; - acc_len += 6; - if (acc_len >= 8) { - acc_len -= 8; - if ((len++) >= *dst_len) { - return NULL; - } - *buf++ = (acc >> acc_len) & 0xFF; - } - } - - /* - * If the input length is equal to 1 modulo 4 (which is - * invalid), then there will remain 6 unprocessed bits; - * otherwise, only 0, 2 or 4 bits are buffered. The buffered - * bits must also all be zero. - */ - if (acc_len > 4 || (acc & ((1U << acc_len) - 1)) != 0) { - return NULL; - } - *dst_len = len; - return src; -} /* * Decode decimal integer from 'str'; the value is written in '*v'. @@ -300,14 +138,18 @@ decode_string(argon2_context *ctx, const char *str, argon2_type type) } while ((void)0, 0) /* Decoding base64 into a binary buffer */ -#define BIN(buf, max_len, len) \ - do { \ - size_t bin_len = (max_len); \ - str = from_base64(buf, &bin_len, str); \ - if (str == NULL || bin_len > UINT32_MAX) { \ - return ARGON2_DECODING_FAIL; \ - } \ - (len) = (uint32_t) bin_len; \ +#define BIN(buf, max_len, len) \ + do { \ + size_t bin_len = (max_len); \ + const char *str_end; \ + if (sodium_base642bin((buf), (max_len), str, strlen(str), NULL, \ + &bin_len, &str_end, \ + sodium_base64_VARIANT_ORIGINAL_NO_PADDING) != 0 || \ + bin_len > UINT32_MAX) { \ + return ARGON2_DECODING_FAIL; \ + } \ + (len) = (uint32_t) bin_len; \ + str = str_end; \ } while ((void) 0, 0) size_t maxsaltlen = ctx->saltlen; 
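Review bot: `(max_len)` is now evaluated twice inside BIN, once to seed `bin_len` and once as the size argument of `sodium_base642bin()`, where the from_base64() version read it once; the callers here pass plain locals, so it is harmless today, but passing `bin_len` as the size, `if (sodium_base642bin((buf), bin_len, str, strlen(str), NULL,`, keeps the macro single-evaluation. Separately, the decoder this replaces was written with the constant-time EQ/GT/LT helpers removed above; the hash-string decoder runs over data derived from the stored hash, so it is worth confirming (not visible in this chunk) that sodium_base642bin() keeps that property.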
@@ -416,14 +258,16 @@ encode_string(char *dst, size_t dst_len, argon2_context *ctx, argon2_type type) SS(tmp); \ } while ((void) 0, 0) -#define SB(buf, len) \ - do { \ - size_t sb_len = to_base64(dst, dst_len, buf, len); \ - if (sb_len == (size_t) -1) { \ - return ARGON2_ENCODING_FAIL; \ - } \ - dst += sb_len; \ - dst_len -= sb_len; \ +#define SB(buf, len) \ + do { \ + size_t sb_len; \ + if (sodium_bin2base64(dst, dst_len, (buf), (len), \ + sodium_base64_VARIANT_ORIGINAL_NO_PADDING) == NULL) { \ + return ARGON2_ENCODING_FAIL; \ + } \ + sb_len = strlen(dst); \ + dst += sb_len; \ + dst_len -= sb_len; \ } while ((void) 0, 0) int validation_result; diff --git a/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-avx2.c b/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-avx2.c index 8597fc44..8acb42ca 100644 --- a/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-avx2.c +++ b/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-avx2.c @@ -140,7 +140,7 @@ generate_addresses(const argon2_instance_t *instance, } } -int +void fill_segment_avx2(const argon2_instance_t *instance, argon2_position_t position) { @@ -148,14 +148,14 @@ fill_segment_avx2(const argon2_instance_t *instance, uint64_t pseudo_rand, ref_index, ref_lane; uint32_t prev_offset, curr_offset; uint32_t starting_index, i; - __m256i state[32]; + __m256i state[ARGON2_HWORDS_IN_BLOCK]; int data_independent_addressing = 1; /* Pseudo-random values that determine the reference block position */ uint64_t *pseudo_rands = NULL; if (instance == NULL) { - return ARGON2_OK; + return; } if (instance->type == Argon2_id && @@ -163,11 +163,7 @@ fill_segment_avx2(const argon2_instance_t *instance, data_independent_addressing = 0; } - pseudo_rands = - (uint64_t *) malloc(sizeof(uint64_t) * instance->segment_length); - if (pseudo_rands == NULL) { - return ARGON2_MEMORY_ALLOCATION_ERROR; - } + pseudo_rands = instance->pseudo_rands; if (data_independent_addressing) { generate_addresses(instance, &position, pseudo_rands); 
@@ -239,9 +235,5 @@ fill_segment_avx2(const argon2_instance_t *instance, (uint8_t *) curr_block->v); } } - - free(pseudo_rands); - - return ARGON2_OK; } #endif diff --git a/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-avx512f.c b/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-avx512f.c new file mode 100644 index 00000000..1f1ec8b3 --- /dev/null +++ b/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-avx512f.c 
@@ -0,0 +1,244 @@ +/* + * Argon2 source code package + * + * Written by Daniel Dinu and Dmitry Khovratovich, 2015 + * + * This work is licensed under a Creative Commons CC0 1.0 License/Waiver. + * + * You should have received a copy of the CC0 Public Domain Dedication along + * with + * this software. If not, see + * . + */ + +#include +#include +#include + +#include "argon2-core.h" +#include "argon2.h" +#include "private/common.h" +#include "private/sse2_64_32.h" + +#if defined(HAVE_AVX512FINTRIN_H) && defined(HAVE_AVX2INTRIN_H) && \ + defined(HAVE_EMMINTRIN_H) && defined(HAVE_TMMINTRIN_H) && defined(HAVE_SMMINTRIN_H) + +# ifdef __GNUC__ +# pragma GCC target("sse2") +# pragma GCC target("ssse3") +# pragma GCC target("sse4.1") +# pragma GCC target("avx2") +# pragma GCC target("avx512f") +# endif + +# ifdef _MSC_VER +# include /* for _mm_set_epi64x */ +# endif +#include +#include +#include +#include + +# include "blamka-round-avx512f.h" + +static void +fill_block(__m512i *state, const uint8_t *ref_block, uint8_t *next_block) +{ + __m512i block_XY[ARGON2_512BIT_WORDS_IN_BLOCK]; + uint32_t i; + + for (i = 0; i < ARGON2_512BIT_WORDS_IN_BLOCK; i++) { + block_XY[i] = state[i] = _mm512_xor_si512( + state[i], _mm512_loadu_si512((__m512i const *) (&ref_block[64 * i]))); + } + + for (i = 0; i < 2; ++i) { + BLAKE2_ROUND_1( + state[8 * i + 0], state[8 * i + 1], state[8 * i + 2], state[8 * i + 3], + state[8 * i + 4], state[8 * i + 5], state[8 * i + 6], state[8 * i + 7]); + } + + for (i = 0; i < 2; ++i) { + BLAKE2_ROUND_2( + state[2 * 0 + i], state[2 * 1 + i], state[2 * 2 + i], state[2 * 3 + i], + state[2 * 4 + i], state[2 * 5 + i], state[2 * 6 + i], state[2 * 7 + i]); + } + + for (i = 0; i < ARGON2_512BIT_WORDS_IN_BLOCK; i++) { + state[i] = _mm512_xor_si512(state[i], block_XY[i]); + _mm512_storeu_si512((__m512i *) (&next_block[64 * i]), state[i]); + } +} + +static void +fill_block_with_xor(__m512i *state, const uint8_t *ref_block, + uint8_t *next_block) +{ + __m512i 
block_XY[ARGON2_512BIT_WORDS_IN_BLOCK]; + uint32_t i; + + for (i = 0; i < ARGON2_512BIT_WORDS_IN_BLOCK; i++) { + state[i] = _mm512_xor_si512( + state[i], _mm512_loadu_si512((__m512i const *) (&ref_block[64 * i]))); + block_XY[i] = _mm512_xor_si512( + state[i], _mm512_loadu_si512((__m512i const *) (&next_block[64 * i]))); + } + + for (i = 0; i < 2; ++i) { + BLAKE2_ROUND_1( + state[8 * i + 0], state[8 * i + 1], state[8 * i + 2], state[8 * i + 3], + state[8 * i + 4], state[8 * i + 5], state[8 * i + 6], state[8 * i + 7]); + } + + for (i = 0; i < 2; ++i) { + BLAKE2_ROUND_2( + state[2 * 0 + i], state[2 * 1 + i], state[2 * 2 + i], state[2 * 3 + i], + state[2 * 4 + i], state[2 * 5 + i], state[2 * 6 + i], state[2 * 7 + i]); + } + + for (i = 0; i < ARGON2_512BIT_WORDS_IN_BLOCK; i++) { + state[i] = _mm512_xor_si512(state[i], block_XY[i]); + _mm512_storeu_si512((__m512i *) (&next_block[64 * i]), state[i]); + } +} + +static void +generate_addresses(const argon2_instance_t *instance, + const argon2_position_t *position, uint64_t *pseudo_rands) +{ + block address_block, input_block, tmp_block; + uint32_t i; + + init_block_value(&address_block, 0); + init_block_value(&input_block, 0); + + if (instance != NULL && position != NULL) { + input_block.v[0] = position->pass; + input_block.v[1] = position->lane; + input_block.v[2] = position->slice; + input_block.v[3] = instance->memory_blocks; + input_block.v[4] = instance->passes; + input_block.v[5] = instance->type; + + for (i = 0; i < instance->segment_length; ++i) { + if (i % ARGON2_ADDRESSES_IN_BLOCK == 0) { + /* Temporary zero-initialized blocks */ + __m512i zero_block[ARGON2_512BIT_WORDS_IN_BLOCK]; + __m512i zero2_block[ARGON2_512BIT_WORDS_IN_BLOCK]; + + memset(zero_block, 0, sizeof(zero_block)); + memset(zero2_block, 0, sizeof(zero2_block)); + init_block_value(&address_block, 0); + init_block_value(&tmp_block, 0); + /* Increasing index counter */ + input_block.v[6]++; + /* First iteration of G */ + fill_block_with_xor(zero_block, 
(uint8_t *) &input_block.v, + (uint8_t *) &tmp_block.v); + /* Second iteration of G */ + fill_block_with_xor(zero2_block, (uint8_t *) &tmp_block.v, + (uint8_t *) &address_block.v); + } + + pseudo_rands[i] = address_block.v[i % ARGON2_ADDRESSES_IN_BLOCK]; + } + } +} + +void +fill_segment_avx512f(const argon2_instance_t *instance, + argon2_position_t position) +{ + block *ref_block = NULL, *curr_block = NULL; + uint64_t pseudo_rand, ref_index, ref_lane; + uint32_t prev_offset, curr_offset; + uint32_t starting_index, i; + __m512i state[ARGON2_512BIT_WORDS_IN_BLOCK]; + int data_independent_addressing = 1; + + /* Pseudo-random values that determine the reference block position */ + uint64_t *pseudo_rands = NULL; + + if (instance == NULL) { + return; + } + + if (instance->type == Argon2_id && + (position.pass != 0 || position.slice >= ARGON2_SYNC_POINTS / 2)) { + data_independent_addressing = 0; + } + + pseudo_rands = instance->pseudo_rands; + + if (data_independent_addressing) { + generate_addresses(instance, &position, pseudo_rands); + } + + starting_index = 0; + + if ((0 == position.pass) && (0 == position.slice)) { + starting_index = 2; /* we have already generated the first two blocks */ + } + + /* Offset of the current block */ + curr_offset = position.lane * instance->lane_length + + position.slice * instance->segment_length + starting_index; + + if (0 == curr_offset % instance->lane_length) { + /* Last block in this lane */ + prev_offset = curr_offset + instance->lane_length - 1; + } else { + /* Previous block */ + prev_offset = curr_offset - 1; + } + + memcpy(state, ((instance->region->memory + prev_offset)->v), + ARGON2_BLOCK_SIZE); + + for (i = starting_index; i < instance->segment_length; + ++i, ++curr_offset, ++prev_offset) { + /*1.1 Rotating prev_offset if needed */ + if (curr_offset % instance->lane_length == 1) { + prev_offset = curr_offset - 1; + } + + /* 1.2 Computing the index of the reference block */ + /* 1.2.1 Taking pseudo-random value from the 
previous block */ + if (data_independent_addressing) { +#pragma warning(push) +#pragma warning(disable : 6385) + pseudo_rand = pseudo_rands[i]; +#pragma warning(pop) + } else { + pseudo_rand = instance->region->memory[prev_offset].v[0]; + } + + /* 1.2.2 Computing the lane of the reference block */ + ref_lane = ((pseudo_rand >> 32)) % instance->lanes; + + if ((position.pass == 0) && (position.slice == 0)) { + /* Can not reference other lanes yet */ + ref_lane = position.lane; + } + + /* 1.2.3 Computing the number of possible reference block within the + * lane. + */ + position.index = i; + ref_index = index_alpha(instance, &position, pseudo_rand & 0xFFFFFFFF, + ref_lane == position.lane); + + /* 2 Creating a new block */ + ref_block = instance->region->memory + + instance->lane_length * ref_lane + ref_index; + curr_block = instance->region->memory + curr_offset; + if (position.pass != 0) { + fill_block_with_xor(state, (uint8_t *) ref_block->v, + (uint8_t *) curr_block->v); + } else { + fill_block(state, (uint8_t *) ref_block->v, + (uint8_t *) curr_block->v); + } + } +} +#endif diff --git a/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ref.c b/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ref.c index 98ad50c9..75e8d8f5 100644 --- a/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ref.c +++ b/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ref.c @@ -140,7 +140,7 @@ generate_addresses(const argon2_instance_t *instance, } } -int +void fill_segment_ref(const argon2_instance_t *instance, argon2_position_t position) { block *ref_block = NULL, *curr_block = NULL; @@ -153,7 +153,7 @@ fill_segment_ref(const argon2_instance_t *instance, argon2_position_t position) int data_independent_addressing = 1; if (instance == NULL) { - return ARGON2_OK; + return; } if (instance->type == Argon2_id && 
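Review bot: The `#pragma warning(push)` / `#pragma warning(disable : 6385)` / `#pragma warning(pop)` lines in `fill_segment_avx512f` are MSVC directives in a file whose target pragmas are already wrapped in `# ifdef __GNUC__`; other compilers treat them as unknown pragmas and warn under -Wall. Wrapping the three in `#ifdef _MSC_VER` / `#endif` keeps the new file warning-free everywhere. The two BLAKE2_ROUND loops are repeated verbatim in `fill_block` and `fill_block_with_xor`; a static helper for the rounds leaves only the XOR prologue differing between the two, as sketched below.
```c
/* The two round passes shared by fill_block() and fill_block_with_xor(). */
static void
blamka_rounds(__m512i *state)
{
    uint32_t i;

    for (i = 0; i < 2; ++i) {
        BLAKE2_ROUND_1(
            state[8 * i + 0], state[8 * i + 1], state[8 * i + 2], state[8 * i + 3],
            state[8 * i + 4], state[8 * i + 5], state[8 * i + 6], state[8 * i + 7]);
    }
    for (i = 0; i < 2; ++i) {
        BLAKE2_ROUND_2(
            state[2 * 0 + i], state[2 * 1 + i], state[2 * 2 + i], state[2 * 3 + i],
            state[2 * 4 + i], state[2 * 5 + i], state[2 * 6 + i], state[2 * 7 + i]);
    }
}
/* … unchanged: fill_block() and fill_block_with_xor() prologue and epilogue, each now calling blamka_rounds(state) in place of the two loops … */
```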
@@ -161,12 +161,7 @@ fill_segment_ref(const argon2_instance_t *instance, argon2_position_t position) data_independent_addressing = 0; } - pseudo_rands = - (uint64_t *) malloc(sizeof(uint64_t) * (instance->segment_length)); - - if (pseudo_rands == NULL) { - return ARGON2_MEMORY_ALLOCATION_ERROR; - } + pseudo_rands = instance->pseudo_rands; if (data_independent_addressing) { generate_addresses(instance, &position, pseudo_rands); @@ -235,8 +230,4 @@ fill_segment_ref(const argon2_instance_t *instance, argon2_position_t position) curr_block); } } - - free(pseudo_rands); - - return ARGON2_OK; } diff --git a/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ssse3.c b/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ssse3.c index 4056080d..796c4455 100644 --- a/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ssse3.c +++ b/src/libsodium/crypto_pwhash/argon2/argon2-fill-block-ssse3.c @@ -139,7 +139,7 @@ generate_addresses(const argon2_instance_t *instance, } } -int +void fill_segment_ssse3(const argon2_instance_t *instance, argon2_position_t position) { @@ -147,14 +147,14 @@ fill_segment_ssse3(const argon2_instance_t *instance, uint64_t pseudo_rand, ref_index, ref_lane; uint32_t prev_offset, curr_offset; uint32_t starting_index, i; - __m128i state[64]; + __m128i state[ARGON2_OWORDS_IN_BLOCK]; int data_independent_addressing = 1; /* Pseudo-random values that determine the reference block position */ uint64_t *pseudo_rands = NULL; if (instance == NULL) { - return ARGON2_OK; + return; } if (instance->type == Argon2_id && @@ -162,11 +162,7 @@ fill_segment_ssse3(const argon2_instance_t *instance, data_independent_addressing = 0; } - pseudo_rands = - (uint64_t *) malloc(sizeof(uint64_t) * instance->segment_length); - if (pseudo_rands == NULL) { - return ARGON2_MEMORY_ALLOCATION_ERROR; - } + pseudo_rands = instance->pseudo_rands; if (data_independent_addressing) { generate_addresses(instance, &position, pseudo_rands); 
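Review bot: `pseudo_rands = instance->pseudo_rands;` in fill_segment_ref drops the former NULL check without recording the new ownership contract, so nothing in the function says that the caller must have provided `instance->pseudo_rands` with at least `segment_length` uint64_t entries before the segment is filled (presumably it is now allocated alongside the memory region, outside this diff). A one-line comment at the assignment, `/* caller-owned scratch, >= segment_length entries; allocated with the instance */`, would document that, and the same applies to the identical line in fill_segment_ssse3 (`@@ -162` hunk below) and in fill_segment_avx512f above. Since these functions now return void, an allocation failure can no longer be reported from here, so it is worth confirming that the allocation site is the one that checks and propagates it.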
@@ -238,9 +234,5 @@ fill_segment_ssse3(const argon2_instance_t *instance, (uint8_t *) curr_block->v); } } - - free(pseudo_rands); - - return ARGON2_OK; } #endif diff --git a/src/libsodium/crypto_pwhash/argon2/argon2.c b/src/libsodium/crypto_pwhash/argon2/argon2.c index f52381db..3eb4b97e 100644 --- a/src/libsodium/crypto_pwhash/argon2/argon2.c +++ b/src/libsodium/crypto_pwhash/argon2/argon2.c @@ -70,11 +70,7 @@ argon2_ctx(argon2_context *context, argon2_type type) } /* 4. Filling memory */ - result = fill_memory_blocks(&instance); - - if (ARGON2_OK != result) { - return result; - } + fill_memory_blocks(&instance); /* 5. Finalization */ finalize(context, &instance); diff --git a/src/libsodium/crypto_pwhash/argon2/blamka-round-avx512f.h b/src/libsodium/crypto_pwhash/argon2/blamka-round-avx512f.h new file mode 100644 index 00000000..9a822402 --- /dev/null +++ b/src/libsodium/crypto_pwhash/argon2/blamka-round-avx512f.h 
@@ -0,0 +1,145 @@ +#ifndef blamka_round_avx512f_H +#define blamka_round_avx512f_H + +#include "private/common.h" +#include "private/sse2_64_32.h" + +#define ror64(x, n) _mm512_ror_epi64((x), (n)) + +static inline __m512i +muladd(__m512i x, __m512i y) +{ + __m512i z = _mm512_mul_epu32(x, y); + + return _mm512_add_epi64(_mm512_add_epi64(x, y), _mm512_add_epi64(z, z)); +} + +#define G1_AVX512F(A0, B0, C0, D0, A1, B1, C1, D1) \ + do { \ + A0 = muladd(A0, B0); \ + A1 = muladd(A1, B1); \ + \ + D0 = _mm512_xor_si512(D0, A0); \ + D1 = _mm512_xor_si512(D1, A1); \ + \ + D0 = ror64(D0, 32); \ + D1 = ror64(D1, 32); \ + \ + C0 = muladd(C0, D0); \ + C1 = muladd(C1, D1); \ + \ + B0 = _mm512_xor_si512(B0, C0); \ + B1 = _mm512_xor_si512(B1, C1); \ + \ + B0 = ror64(B0, 24); \ + B1 = ror64(B1, 24); \ + } while ((void)0, 0) + +#define G2_AVX512F(A0, B0, C0, D0, A1, B1, C1, D1) \ + do { \ + A0 = muladd(A0, B0); \ + A1 = muladd(A1, B1); \ + \ + D0 = _mm512_xor_si512(D0, A0); \ + D1 = _mm512_xor_si512(D1, A1); \ + \ + D0 = ror64(D0, 16); \ + D1 = ror64(D1, 16); \ + \ + C0 = muladd(C0, D0); \ + C1 = muladd(C1, D1); \ + \ + B0 = _mm512_xor_si512(B0, C0); \ + B1 = _mm512_xor_si512(B1, C1); \ + \ + B0 = ror64(B0, 63); \ + B1 = ror64(B1, 63); \ + } while ((void)0, 0) + +#define DIAGONALIZE(A0, B0, C0, D0, A1, B1, C1, D1) \ + do { \ + B0 = _mm512_permutex_epi64(B0, _MM_SHUFFLE(0, 3, 2, 1)); \ + B1 = _mm512_permutex_epi64(B1, _MM_SHUFFLE(0, 3, 2, 1)); \ + \ + C0 = _mm512_permutex_epi64(C0, _MM_SHUFFLE(1, 0, 3, 2)); \ + C1 = _mm512_permutex_epi64(C1, _MM_SHUFFLE(1, 0, 3, 2)); \ + \ + D0 = _mm512_permutex_epi64(D0, _MM_SHUFFLE(2, 1, 0, 3)); \ + D1 = _mm512_permutex_epi64(D1, _MM_SHUFFLE(2, 1, 0, 3)); \ + } while ((void)0, 0) + +#define UNDIAGONALIZE(A0, B0, C0, D0, A1, B1, C1, D1) \ + do { \ + B0 = _mm512_permutex_epi64(B0, _MM_SHUFFLE(2, 1, 0, 3)); \ + B1 = _mm512_permutex_epi64(B1, _MM_SHUFFLE(2, 1, 0, 3)); \ + \ + C0 = _mm512_permutex_epi64(C0, _MM_SHUFFLE(1, 0, 3, 2)); \ + C1 = 
_mm512_permutex_epi64(C1, _MM_SHUFFLE(1, 0, 3, 2)); \ + \ + D0 = _mm512_permutex_epi64(D0, _MM_SHUFFLE(0, 3, 2, 1)); \ + D1 = _mm512_permutex_epi64(D1, _MM_SHUFFLE(0, 3, 2, 1)); \ + } while ((void)0, 0) + +#define BLAKE2_ROUND(A0, B0, C0, D0, A1, B1, C1, D1) \ + do { \ + G1_AVX512F(A0, B0, C0, D0, A1, B1, C1, D1); \ + G2_AVX512F(A0, B0, C0, D0, A1, B1, C1, D1); \ + \ + DIAGONALIZE(A0, B0, C0, D0, A1, B1, C1, D1); \ + \ + G1_AVX512F(A0, B0, C0, D0, A1, B1, C1, D1); \ + G2_AVX512F(A0, B0, C0, D0, A1, B1, C1, D1); \ + \ + UNDIAGONALIZE(A0, B0, C0, D0, A1, B1, C1, D1); \ + } while ((void)0, 0) + +#define SWAP_HALVES(A0, A1) \ + do { \ + __m512i t0, t1; \ + t0 = _mm512_shuffle_i64x2(A0, A1, _MM_SHUFFLE(1, 0, 1, 0)); \ + t1 = _mm512_shuffle_i64x2(A0, A1, _MM_SHUFFLE(3, 2, 3, 2)); \ + A0 = t0; \ + A1 = t1; \ + } while((void)0, 0) + +#define SWAP_QUARTERS(A0, A1) \ + do { \ + SWAP_HALVES(A0, A1); \ + A0 = _mm512_permutexvar_epi64(_mm512_setr_epi64(0, 1, 4, 5, 2, 3, 6, 7), A0); \ + A1 = _mm512_permutexvar_epi64(_mm512_setr_epi64(0, 1, 4, 5, 2, 3, 6, 7), A1); \ + } while((void)0, 0) + +#define UNSWAP_QUARTERS(A0, A1) \ + do { \ + A0 = _mm512_permutexvar_epi64(_mm512_setr_epi64(0, 1, 4, 5, 2, 3, 6, 7), A0); \ + A1 = _mm512_permutexvar_epi64(_mm512_setr_epi64(0, 1, 4, 5, 2, 3, 6, 7), A1); \ + SWAP_HALVES(A0, A1); \ + } while((void)0, 0) + +#define BLAKE2_ROUND_1(A0, C0, B0, D0, A1, C1, B1, D1) \ + do { \ + SWAP_HALVES(A0, B0); \ + SWAP_HALVES(C0, D0); \ + SWAP_HALVES(A1, B1); \ + SWAP_HALVES(C1, D1); \ + BLAKE2_ROUND(A0, B0, C0, D0, A1, B1, C1, D1); \ + SWAP_HALVES(A0, B0); \ + SWAP_HALVES(C0, D0); \ + SWAP_HALVES(A1, B1); \ + SWAP_HALVES(C1, D1); \ + } while ((void)0, 0) + +#define BLAKE2_ROUND_2(A0, A1, B0, B1, C0, C1, D0, D1) \ + do { \ + SWAP_QUARTERS(A0, A1); \ + SWAP_QUARTERS(B0, B1); \ + SWAP_QUARTERS(C0, C1); \ + SWAP_QUARTERS(D0, D1); \ + BLAKE2_ROUND(A0, B0, C0, D0, A1, B1, C1, D1); \ + UNSWAP_QUARTERS(A0, A1); \ + UNSWAP_QUARTERS(B0, B1); \ + UNSWAP_QUARTERS(C0, 
C1); \ + UNSWAP_QUARTERS(D0, D1); \ + } while ((void)0, 0) + +#endif diff --git a/src/libsodium/crypto_pwhash/argon2/pwhash_argon2i.c b/src/libsodium/crypto_pwhash/argon2/pwhash_argon2i.c index 78a67184..7acdab03 100644 --- a/src/libsodium/crypto_pwhash/argon2/pwhash_argon2i.c +++ b/src/libsodium/crypto_pwhash/argon2/pwhash_argon2i.c @@ -3,11 +3,15 @@ #include #include #include +#include #include #include "argon2-core.h" +#include "argon2-encoding.h" #include "argon2.h" +#include "crypto_pwhash.h" #include "crypto_pwhash_argon2i.h" +#include "crypto_pwhash_argon2id.h" #include "randombytes.h" #include "utils.h" 
@@ -211,3 +215,55 @@ crypto_pwhash_argon2i_str_verify(const char str[crypto_pwhash_argon2i_STRBYTES], } return -1; } + +static int +_needs_rehash(const char *str, unsigned long long opslimit, size_t memlimit, + argon2_type type) +{ + unsigned char *fodder; + argon2_context ctx; + size_t fodder_len; + int ret = -1; + + fodder_len = strlen(str); + memlimit /= 1024U; + if (opslimit > UINT32_MAX || memlimit > UINT32_MAX || + fodder_len >= crypto_pwhash_STRBYTES) { + errno = EINVAL; + return -1; + } + memset(&ctx, 0, sizeof ctx); + if ((fodder = (unsigned char *) calloc(fodder_len, 1U)) == NULL) { + return -1; /* LCOV_EXCL_LINE */ + } + ctx.out = ctx.pwd = ctx.salt = fodder; + ctx.outlen = ctx.pwdlen = ctx.saltlen = (uint32_t) fodder_len; + ctx.ad = ctx.secret = NULL; + ctx.adlen = ctx.secretlen = 0U; + if (decode_string(&ctx, str, type) != 0) { + errno = EINVAL; + ret = -1; + } else if (ctx.t_cost != (uint32_t) opslimit || + ctx.m_cost != (uint32_t) memlimit) { + ret = 1; + } else { + ret = 0; + } + free(fodder); + + return ret; +} + +int +crypto_pwhash_argon2i_str_needs_rehash(const char str[crypto_pwhash_argon2i_STRBYTES], + unsigned long long opslimit, size_t memlimit) +{ + return _needs_rehash(str, opslimit, memlimit, Argon2_i); +} + +int +crypto_pwhash_argon2id_str_needs_rehash(const char str[crypto_pwhash_argon2id_STRBYTES], + unsigned long long opslimit, size_t memlimit) +{ + return _needs_rehash(str, opslimit, memlimit, Argon2_id); +} diff --git a/src/libsodium/crypto_pwhash/crypto_pwhash.c b/src/libsodium/crypto_pwhash/crypto_pwhash.c index 3bccfe2b..db55cd3d 100644 --- a/src/libsodium/crypto_pwhash/crypto_pwhash.c +++ b/src/libsodium/crypto_pwhash/crypto_pwhash.c @@ -2,6 +2,7 @@ #include #include +#include "core.h" #include "crypto_pwhash.h" int 
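Review bot: `fodder_len = strlen(str);` in `_needs_rehash` scans without a bound, so a `str` that is not NUL-terminated within its declared fixed-size array is read past the end before the `fodder_len >= crypto_pwhash_STRBYTES` test can reject it, whereas the scrypt counterpart in pwhash_scryptsalsa208sha256.c bounds the same scan with `memchr`. A guard such as `if (memchr(str, 0, crypto_pwhash_STRBYTES) == NULL) { errno = EINVAL; return -1; }` before the `strlen` would make the two consistent. The `fodder` buffer is deliberately aliased as `out`, `pwd` and `salt`, which is fine because only `t_cost`/`m_cost` are read back, but a comment saying so, `/* out/pwd/salt alias one scratch buffer: only the cost parameters are inspected */`, would stop the next reader from "fixing" it. Note also that an empty `str` reaches `calloc(0, 1U)`, whose NULL return leaves errno unset; folding `fodder_len == 0` into the EINVAL check closes that gap.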
@@ -150,6 +151,23 @@ crypto_pwhash_str(char out[crypto_pwhash_STRBYTES], opslimit, memlimit); } +int +crypto_pwhash_str_alg(char out[crypto_pwhash_STRBYTES], + const char * const passwd, unsigned long long passwdlen, + unsigned long long opslimit, size_t memlimit, int alg) +{ + switch (alg) { + case crypto_pwhash_ALG_ARGON2I13: + return crypto_pwhash_argon2i_str(out, passwd, passwdlen, + opslimit, memlimit); + case crypto_pwhash_ALG_ARGON2ID13: + return crypto_pwhash_argon2id_str(out, passwd, passwdlen, + opslimit, memlimit); + } + sodium_misuse(); + /* NOTREACHED */ +} + int crypto_pwhash_str_verify(const char str[crypto_pwhash_STRBYTES], const char * const passwd, @@ -168,6 +186,23 @@ crypto_pwhash_str_verify(const char str[crypto_pwhash_STRBYTES], return -1; } +int +crypto_pwhash_str_needs_rehash(const char str[crypto_pwhash_STRBYTES], + unsigned long long opslimit, size_t memlimit) +{ + if (strncmp(str, crypto_pwhash_argon2id_STRPREFIX, + sizeof crypto_pwhash_argon2id_STRPREFIX - 1) == 0) { + return crypto_pwhash_argon2id_str_needs_rehash(str, opslimit, memlimit); + } + if (strncmp(str, crypto_pwhash_argon2i_STRPREFIX, + sizeof crypto_pwhash_argon2i_STRPREFIX - 1) == 0) { + return crypto_pwhash_argon2i_str_needs_rehash(str, opslimit, memlimit); + } + errno = EINVAL; + + return -1; +} + const char * crypto_pwhash_primitive(void) { return crypto_pwhash_PRIMITIVE; diff --git a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c index a8f90add..e15e12b2 100644 --- a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c +++ b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c 
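Review bot: `crypto_pwhash_str_alg` ends in `sodium_misuse(); /* NOTREACHED */` with no `default:` label and no return after the call, so the function's well-formedness depends on `sodium_misuse()` being declared noreturn in core.h, which is outside this hunk. If it is, a `default:` case that reaches the misuse call makes the intent explicit; if it is not, control runs off the end of a non-void function for an unknown `alg`. Either way a short comment on the call, `/* unknown alg is a caller bug: abort rather than silently pick a primitive */`, documents the choice.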
@@ -105,6 +105,34 @@ decode64_uint32(uint32_t *dst, uint32_t dstbits, const uint8_t *src) return src; } +const uint8_t * +escrypt_parse_setting(const uint8_t *setting, + uint32_t *N_log2_p, uint32_t *r_p, uint32_t *p_p) +{ + const uint8_t *src; + + if (setting[0] != '$' || setting[1] != '7' || setting[2] != '$') { + return NULL; + } + src = setting + 3; + + if (decode64_one(N_log2_p, *src)) { + return NULL; + } + src++; + + src = decode64_uint32(r_p, 30, src); + if (!src) { + return NULL; + } + + src = decode64_uint32(p_p, 30, src); + if (!src) { + return NULL; + } + return src; +} + uint8_t * escrypt_r(escrypt_local_t *local, const uint8_t *passwd, size_t passwdlen, const uint8_t *setting, uint8_t *buf, size_t buflen) @@ -122,25 +150,11 @@ escrypt_r(escrypt_local_t *local, const uint8_t *passwd, size_t passwdlen, uint32_t r; uint32_t p; - if (setting[0] != '$' || setting[1] != '7' || setting[2] != '$') { + src = escrypt_parse_setting(setting, &N_log2, &r, &p); + if (!src) { return NULL; } - src = setting + 3; - - if (decode64_one(&N_log2, *src)) { - return NULL; - } - src++; N = (uint64_t) 1 << N_log2; - - src = decode64_uint32(&r, 30, src); - if (!src) { - return NULL; - } - src = decode64_uint32(&p, 30, src); - if (!src) { - return NULL; - } prefixlen = src - setting; salt = src; @@ -195,7 +209,7 @@ escrypt_gensalt_r(uint32_t N_log2, uint32_t r, uint32_t p, const uint8_t *src, return NULL; /* LCOV_EXCL_LINE */ } if (N_log2 > 63 || ((uint64_t) r * (uint64_t) p >= (1U << 30))) { - return NULL; + return NULL; /* LCOV_EXCL_LINE */ } dst = buf; *dst++ = '$'; diff --git a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt.h b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt.h index d55120b6..83101967 100644 --- a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt.h +++ b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt.h 
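Review bot: `escrypt_parse_setting` has no comment describing its contract, and it is now shared between `escrypt_r` and the new needs-rehash check, so the return value and the validation scope should be stated: it returns a pointer to the first byte after the encoded N/r/p fields (where the salt begins) or NULL on any malformed field, and it does not range-check r and p — those limits are enforced later by the KDF (`(uint64_t)(r) * (uint64_t)(p) >= ((uint64_t) 1 << 30)` in escrypt_kdf_sse). A header comment on the definition, or on the declaration added to crypto_scrypt.h, along those lines would prevent callers from treating a non-NULL result as fully validated parameters. `N_log2` appears to come from a single base64 digit via `decode64_one`, so it is at most 63 and the later `(uint64_t) 1 << N_log2` in `escrypt_r` stays well-defined; that bound belongs in the same comment.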
@@ -91,4 +91,8 @@ extern uint8_t *escrypt_gensalt_r(uint32_t __N_log2, uint32_t __r, uint32_t __p, const uint8_t *__src, size_t __srclen, uint8_t *__buf, size_t __buflen); +extern const uint8_t *escrypt_parse_setting(const uint8_t *setting, + uint32_t *N_log2_p, uint32_t *r_p, + uint32_t *p_p); + #endif /* !_CRYPTO_SCRYPT_H_ */ diff --git a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c index 25fa3811..42cab61f 100644 --- a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c +++ b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c @@ -31,7 +31,9 @@ #include +#include "core.h" #include "crypto_auth_hmacsha256.h" +#include "crypto_pwhash_scryptsalsa208sha256.h" #include "pbkdf2-sha256.h" #include "private/common.h" #include "utils.h" @@ -55,8 +57,10 @@ PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt, size_t clen; #if SIZE_MAX > 0x1fffffffe0ULL + COMPILER_ASSERT(crypto_pwhash_scryptsalsa208sha256_BYTES_MAX + <= 0x1fffffffe0ULL); if (dkLen > 0x1fffffffe0ULL) { - abort(); + sodium_misuse(); /* LCOV_EXCL_LINE */ } #endif crypto_auth_hmacsha256_init(&PShctx, passwd, passwdlen); diff --git a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c index 0c42af0a..5c711bb3 100644 --- a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c +++ b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c 
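Review bot: The literal `0x1fffffffe0ULL` now appears twice in `PBKDF2_SHA256`, once in the new `COMPILER_ASSERT` and once in the runtime test (plus a third time in the `#if`), with nothing saying where it comes from; it is `(2^32 - 1) * 32`, the largest output PBKDF2-HMAC-SHA256 can produce before its 32-bit block index would wrap. Naming it once, e.g. `#define PBKDF2_SHA256_DKLEN_MAX (((1ULL << 32) - 1ULL) * 32ULL)`, and using it in all three places keeps the assert and the check from drifting apart. The function begins before this hunk.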
@@ -254,3 +254,32 @@ crypto_pwhash_scryptsalsa208sha256_str_verify( return ret; } + +int +crypto_pwhash_scryptsalsa208sha256_str_needs_rehash( + const char str[crypto_pwhash_scryptsalsa208sha256_STRBYTES], + unsigned long long opslimit, size_t memlimit) +{ + uint32_t N_log2, N_log2_; + uint32_t p, p_; + uint32_t r, r_; + + if (pickparams(opslimit, memlimit, &N_log2, &p, &r) != 0) { + errno = EINVAL; + return -1; + } + if (memchr(str, 0, crypto_pwhash_scryptsalsa208sha256_STRBYTES) != + &str[crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1U]) { + errno = EINVAL; + return -1; + } + if (escrypt_parse_setting((const uint8_t *) str, + &N_log2_, &r_, &p_) == NULL) { + errno = EINVAL; + return -1; + } + if (N_log2 != N_log2_ || r != r_ || p != p_) { + return 1; + } + return 0; +} diff --git a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c index 0eb802e4..754a19fd 100644 --- a/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c +++ b/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c @@ -318,10 +318,12 @@ escrypt_kdf_sse(escrypt_local_t *local, const uint8_t *passwd, size_t passwdlen, /* Sanity-check parameters. */ # if SIZE_MAX > UINT32_MAX +/* LCOV_EXCL_START */ if (buflen > (((uint64_t)(1) << 32) - 1) * 32) { errno = EFBIG; return -1; } +/* LCOV_EXCL_END */ # endif if ((uint64_t)(r) * (uint64_t)(p) >= ((uint64_t) 1 << 30)) { errno = EFBIG; @@ -339,6 +341,7 @@ escrypt_kdf_sse(escrypt_local_t *local, const uint8_t *passwd, size_t passwdlen, errno = EINVAL; return -1; } +/* LCOV_EXCL_START */ if ((r > SIZE_MAX / 128 / p) || # if SIZE_MAX / 256 <= UINT32_MAX (r > SIZE_MAX / 256) || 
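Review bot: The out-parameter order differs between the two calls in `crypto_pwhash_scryptsalsa208sha256_str_needs_rehash` — `pickparams(opslimit, memlimit, &N_log2, &p, &r)` takes p before r, while `escrypt_parse_setting(..., &N_log2_, &r_, &p_)` takes r before p — which is easy to transpose in a later edit; a comment above the calls, `/* note: pickparams yields (N_log2, p, r), parse_setting yields (N_log2, r, p) */`, would flag it. The function also has no comment stating its result convention; `/* returns 1 if the stored parameters differ from opslimit/memlimit, 0 if they match, -1 with errno=EINVAL if str or the limits cannot be parsed */` matches what the body does. The `memchr` test requires the terminator exactly at index `STRBYTES - 1`, i.e. a fixed-length encoding; presumably this mirrors the verify routine, which is worth saying in the same comment.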
@@ -347,21 +350,26 @@ escrypt_kdf_sse(escrypt_local_t *local, const uint8_t *passwd, size_t passwdlen, errno = ENOMEM; return -1; } +/* LCOV_EXCL_END */ /* Allocate memory. */ B_size = (size_t) 128 * r * p; V_size = (size_t) 128 * r * N; need = B_size + V_size; +/* LCOV_EXCL_START */ if (need < V_size) { errno = ENOMEM; return -1; } +/* LCOV_EXCL_END */ XY_size = (size_t) 256 * r + 64; need += XY_size; +/* LCOV_EXCL_START */ if (need < XY_size) { errno = ENOMEM; return -1; } +/* LCOV_EXCL_END */ if (local->size < need) { if (free_region(local)) { return -1; /* LCOV_EXCL_LINE */ diff --git a/src/libsodium/crypto_scalarmult/curve25519/scalarmult_curve25519.c b/src/libsodium/crypto_scalarmult/curve25519/scalarmult_curve25519.c index 72968ffe..0c75b019 100644 --- a/src/libsodium/crypto_scalarmult/curve25519/scalarmult_curve25519.c +++ b/src/libsodium/crypto_scalarmult/curve25519/scalarmult_curve25519.c @@ -20,11 +20,11 @@ int crypto_scalarmult_curve25519(unsigned char *q, const unsigned char *n, const unsigned char *p) { - size_t i; - unsigned char d = 0; + size_t i; + volatile unsigned char d = 0; if (implementation->mult(q, n, p) != 0) { - return -1; + return -1; /* LCOV_EXCL_LINE */ } for (i = 0; i < crypto_scalarmult_curve25519_BYTES; i++) { d |= q[i]; diff --git a/src/libsodium/crypto_secretbox/crypto_secretbox.c b/src/libsodium/crypto_secretbox/crypto_secretbox.c index 669b5742..45f678ec 100644 --- a/src/libsodium/crypto_secretbox/crypto_secretbox.c +++ b/src/libsodium/crypto_secretbox/crypto_secretbox.c @@ -32,6 +32,12 @@ crypto_secretbox_macbytes(void) return crypto_secretbox_MACBYTES; } +size_t +crypto_secretbox_messagebytes_max(void) +{ + return crypto_secretbox_MESSAGEBYTES_MAX; +} + const char * crypto_secretbox_primitive(void) { diff --git a/src/libsodium/crypto_secretbox/crypto_secretbox_easy.c b/src/libsodium/crypto_secretbox/crypto_secretbox_easy.c index e4e7c72d..b1203849 100644 --- a/src/libsodium/crypto_secretbox/crypto_secretbox_easy.c 
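Review bot: `volatile unsigned char d = 0;` in `crypto_scalarmult_curve25519` carries no comment, so a reader cannot tell why the accumulator became volatile; presumably it is to keep the compiler from collapsing the byte-OR loop into a comparison that exits early or branches on the all-zero result, which would make the timing of the low-order-point rejection depend on the data. A one-line comment at the declaration, `/* volatile: keep the all-zero check as a full byte-OR, not a short-circuit compare */`, would record the intent; the return that consumes `d` is outside this hunk.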
+++ b/src/libsodium/crypto_secretbox/crypto_secretbox_easy.c @@ -5,6 +5,7 @@ #include #include +#include "core.h" #include "crypto_core_hsalsa20.h" #include "crypto_onetimeauth_poly1305.h" #include "crypto_secretbox.h" @@ -29,7 +30,7 @@ crypto_secretbox_detached(unsigned char *c, unsigned char *mac, if (((uintptr_t) c > (uintptr_t) m && (uintptr_t) c - (uintptr_t) m < mlen) || ((uintptr_t) m > (uintptr_t) c && - (uintptr_t) m - (uintptr_t) c < mlen)) { + (uintptr_t) m - (uintptr_t) c < mlen)) { /* LCOV_EXCL_LINE */ memmove(c, m, mlen); m = c; } @@ -71,8 +72,8 @@ crypto_secretbox_easy(unsigned char *c, const unsigned char *m, unsigned long long mlen, const unsigned char *n, const unsigned char *k) { - if (mlen > SIZE_MAX - crypto_secretbox_MACBYTES) { - return -1; + if (mlen > crypto_secretbox_MESSAGEBYTES_MAX) { + sodium_misuse(); } return crypto_secretbox_detached(c + crypto_secretbox_MACBYTES, c, m, mlen, n, k); @@ -103,7 +104,7 @@ crypto_secretbox_open_detached(unsigned char *m, const unsigned char *c, if (((uintptr_t) c >= (uintptr_t) m && (uintptr_t) c - (uintptr_t) m < clen) || ((uintptr_t) m >= (uintptr_t) c && - (uintptr_t) m - (uintptr_t) c < clen)) { + (uintptr_t) m - (uintptr_t) c < clen)) { /* LCOV_EXCL_LINE */ memmove(m, c, clen); c = m; } diff --git a/src/libsodium/crypto_secretbox/xchacha20poly1305/secretbox_xchacha20poly1305.c b/src/libsodium/crypto_secretbox/xchacha20poly1305/secretbox_xchacha20poly1305.c index f7f6a4ea..e76167d2 100644 --- a/src/libsodium/crypto_secretbox/xchacha20poly1305/secretbox_xchacha20poly1305.c +++ b/src/libsodium/crypto_secretbox/xchacha20poly1305/secretbox_xchacha20poly1305.c @@ -5,6 +5,7 @@ #include #include +#include "core.h" #include "crypto_core_hchacha20.h" #include "crypto_onetimeauth_poly1305.h" #include "crypto_secretbox_xchacha20poly1305.h" 
@@ -33,7 +34,7 @@ crypto_secretbox_xchacha20poly1305_detached(unsigned char *c, if (((uintptr_t) c > (uintptr_t) m && (uintptr_t) c - (uintptr_t) m < mlen) || ((uintptr_t) m > (uintptr_t) c && - (uintptr_t) m - (uintptr_t) c < mlen)) { + (uintptr_t) m - (uintptr_t) c < mlen)) { /* LCOV_EXCL_LINE */ memmove(c, m, mlen); m = c; } @@ -77,8 +78,8 @@ crypto_secretbox_xchacha20poly1305_easy(unsigned char *c, const unsigned char *n, const unsigned char *k) { - if (mlen > SIZE_MAX - crypto_secretbox_xchacha20poly1305_MACBYTES) { - return -1; + if (mlen > crypto_secretbox_xchacha20poly1305_MESSAGEBYTES_MAX) { + sodium_misuse(); } return crypto_secretbox_xchacha20poly1305_detached (c + crypto_secretbox_xchacha20poly1305_MACBYTES, c, m, mlen, n, k); @@ -110,7 +111,7 @@ crypto_secretbox_xchacha20poly1305_open_detached(unsigned char *m, if (((uintptr_t) c >= (uintptr_t) m && (uintptr_t) c - (uintptr_t) m < clen) || ((uintptr_t) m >= (uintptr_t) c && - (uintptr_t) m - (uintptr_t) c < clen)) { + (uintptr_t) m - (uintptr_t) c < clen)) { /* LCOV_EXCL_LINE */ memmove(m, c, clen); c = m; } @@ -168,3 +169,9 @@ crypto_secretbox_xchacha20poly1305_macbytes(void) { return crypto_secretbox_xchacha20poly1305_MACBYTES; } + +size_t +crypto_secretbox_xchacha20poly1305_messagebytes_max(void) +{ + return crypto_secretbox_xchacha20poly1305_MESSAGEBYTES_MAX; +} diff --git a/src/libsodium/crypto_secretbox/xsalsa20poly1305/secretbox_xsalsa20poly1305.c b/src/libsodium/crypto_secretbox/xsalsa20poly1305/secretbox_xsalsa20poly1305.c index 1094c1f2..7240050d 100644 --- a/src/libsodium/crypto_secretbox/xsalsa20poly1305/secretbox_xsalsa20poly1305.c +++ b/src/libsodium/crypto_secretbox/xsalsa20poly1305/secretbox_xsalsa20poly1305.c 
@@ -76,6 +76,12 @@ crypto_secretbox_xsalsa20poly1305_macbytes(void) return crypto_secretbox_xsalsa20poly1305_MACBYTES; } +size_t +crypto_secretbox_xsalsa20poly1305_messagebytes_max(void) +{ + return crypto_secretbox_xsalsa20poly1305_MESSAGEBYTES_MAX; +} + void crypto_secretbox_xsalsa20poly1305_keygen(unsigned char k[crypto_secretbox_xsalsa20poly1305_KEYBYTES]) { diff --git a/src/libsodium/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c b/src/libsodium/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c new file mode 100644 index 00000000..2d0c9ff9 --- /dev/null +++ b/src/libsodium/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c 
@@ -0,0 +1,303 @@ +#include +#include +#include +#include + +#include "core.h" +#include "crypto_aead_chacha20poly1305.h" +#include "crypto_aead_xchacha20poly1305.h" +#include "crypto_core_hchacha20.h" +#include "crypto_onetimeauth_poly1305.h" +#include "crypto_secretstream_xchacha20poly1305.h" +#include "randombytes.h" +#include "utils.h" + +#include "private/common.h" + +#define crypto_secretstream_xchacha20poly1305_COUNTERBYTES 4U +#define crypto_secretstream_xchacha20poly1305_INONCEBYTES 8U + +#define STATE_COUNTER(STATE) ((STATE)->nonce) +#define STATE_INONCE(STATE) ((STATE)->nonce + \ + crypto_secretstream_xchacha20poly1305_COUNTERBYTES) + +static const unsigned char _pad0[16] = { 0 }; + +void +crypto_secretstream_xchacha20poly1305_keygen + (unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES]) +{ + randombytes_buf(k, crypto_secretstream_xchacha20poly1305_KEYBYTES); +} + +int +crypto_secretstream_xchacha20poly1305_init_push + (crypto_secretstream_xchacha20poly1305_state *state, + unsigned char out[crypto_secretstream_xchacha20poly1305_HEADERBYTES], + const unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES]) +{ + COMPILER_ASSERT(crypto_secretstream_xchacha20poly1305_HEADERBYTES == + crypto_core_hchacha20_INPUTBYTES + + crypto_secretstream_xchacha20poly1305_INONCEBYTES); + COMPILER_ASSERT(crypto_secretstream_xchacha20poly1305_HEADERBYTES == + crypto_aead_xchacha20poly1305_ietf_NPUBBYTES); + COMPILER_ASSERT(sizeof state->nonce == + crypto_secretstream_xchacha20poly1305_INONCEBYTES + + crypto_secretstream_xchacha20poly1305_COUNTERBYTES); + + randombytes_buf(out, crypto_secretstream_xchacha20poly1305_HEADERBYTES); + crypto_core_hchacha20(state->k, out, k, NULL); + memset(STATE_COUNTER(state), 0, crypto_secretstream_xchacha20poly1305_COUNTERBYTES); + memcpy(STATE_INONCE(state), out + crypto_core_hchacha20_INPUTBYTES, + crypto_secretstream_xchacha20poly1305_INONCEBYTES); + memset(state->_pad, 0, sizeof state->_pad); + + return 0; +} + +int 
+crypto_secretstream_xchacha20poly1305_init_pull + (crypto_secretstream_xchacha20poly1305_state *state, + const unsigned char in[crypto_secretstream_xchacha20poly1305_HEADERBYTES], + const unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES]) +{ + crypto_core_hchacha20(state->k, in, k, NULL); + memset(STATE_COUNTER(state), 0, crypto_secretstream_xchacha20poly1305_COUNTERBYTES); + memcpy(STATE_INONCE(state), in + crypto_core_hchacha20_INPUTBYTES, + crypto_secretstream_xchacha20poly1305_INONCEBYTES); + memset(state->_pad, 0, sizeof state->_pad); + + return 0; +} + +void +crypto_secretstream_xchacha20poly1305_rekey + (crypto_secretstream_xchacha20poly1305_state *state) +{ + unsigned char new_key_and_inonce[crypto_stream_chacha20_ietf_KEYBYTES + + crypto_secretstream_xchacha20poly1305_INONCEBYTES]; + size_t i; + + for (i = 0U; i < crypto_stream_chacha20_ietf_KEYBYTES; i++) { + new_key_and_inonce[i] = state->k[i]; + } + for (i = 0U; i < crypto_secretstream_xchacha20poly1305_INONCEBYTES; i++) { + new_key_and_inonce[crypto_stream_chacha20_ietf_KEYBYTES + i] = + STATE_INONCE(state)[i]; + } + crypto_stream_chacha20_ietf_xor(new_key_and_inonce, new_key_and_inonce, + sizeof new_key_and_inonce, + state->nonce, state->k); + for (i = 0U; i < crypto_stream_chacha20_ietf_KEYBYTES; i++) { + state->k[i] = new_key_and_inonce[i]; + } + for (i = 0U; i < crypto_secretstream_xchacha20poly1305_INONCEBYTES; i++) { + STATE_INONCE(state)[i] = + new_key_and_inonce[crypto_stream_chacha20_ietf_KEYBYTES + i]; + } + memset(STATE_COUNTER(state), 0, + crypto_secretstream_xchacha20poly1305_COUNTERBYTES); +} + +int +crypto_secretstream_xchacha20poly1305_push + (crypto_secretstream_xchacha20poly1305_state *state, + unsigned char *out, unsigned long long *outlen_p, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, unsigned char tag) +{ + crypto_onetimeauth_poly1305_state poly1305_state; + unsigned char block[64U]; + unsigned char 
slen[8U]; + unsigned char *c; + unsigned char *mac; + + if (outlen_p != NULL) { + *outlen_p = 0U; + } + if (mlen > crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX) { + sodium_misuse(); + } + crypto_stream_chacha20_ietf(block, sizeof block, state->nonce, state->k); + crypto_onetimeauth_poly1305_init(&poly1305_state, block); + sodium_memzero(block, sizeof block); + + crypto_onetimeauth_poly1305_update(&poly1305_state, ad, adlen); + crypto_onetimeauth_poly1305_update(&poly1305_state, _pad0, + (0x10 - adlen) & 0xf); + memset(block, 0, sizeof block); + block[0] = tag; + + crypto_stream_chacha20_ietf_xor_ic(block, block, sizeof block, + state->nonce, 1U, state->k); + crypto_onetimeauth_poly1305_update(&poly1305_state, block, sizeof block); + out[0] = block[0]; + + c = out + (sizeof tag); + crypto_stream_chacha20_ietf_xor_ic(c, m, mlen, state->nonce, 2U, state->k); + crypto_onetimeauth_poly1305_update(&poly1305_state, c, mlen); + crypto_onetimeauth_poly1305_update + (&poly1305_state, _pad0, (0x10 - (sizeof block) + mlen) & 0xf); + + STORE64_LE(slen, (uint64_t) adlen); + crypto_onetimeauth_poly1305_update(&poly1305_state, slen, sizeof slen); + STORE64_LE(slen, (sizeof block) + mlen); + crypto_onetimeauth_poly1305_update(&poly1305_state, slen, sizeof slen); + + mac = c + mlen; + crypto_onetimeauth_poly1305_final(&poly1305_state, mac); + sodium_memzero(&poly1305_state, sizeof poly1305_state); + + COMPILER_ASSERT(crypto_onetimeauth_poly1305_BYTES >= + crypto_secretstream_xchacha20poly1305_INONCEBYTES); + XOR_BUF(STATE_INONCE(state), mac, + crypto_secretstream_xchacha20poly1305_INONCEBYTES); + sodium_increment(STATE_COUNTER(state), + crypto_secretstream_xchacha20poly1305_COUNTERBYTES); + if ((tag & crypto_secretstream_xchacha20poly1305_TAG_REKEY) != 0 || + sodium_is_zero(STATE_COUNTER(state), + crypto_secretstream_xchacha20poly1305_COUNTERBYTES)) { + crypto_secretstream_xchacha20poly1305_rekey(state); + } + if (outlen_p != NULL) { + *outlen_p = 
crypto_secretstream_xchacha20poly1305_ABYTES + mlen; + } + return 0; +} + +int +crypto_secretstream_xchacha20poly1305_pull + (crypto_secretstream_xchacha20poly1305_state *state, + unsigned char *m, unsigned long long *mlen_p, unsigned char *tag_p, + const unsigned char *in, unsigned long long inlen, + const unsigned char *ad, unsigned long long adlen) +{ + crypto_onetimeauth_poly1305_state poly1305_state; + unsigned char block[64U]; + unsigned char slen[8U]; + unsigned char mac[crypto_onetimeauth_poly1305_BYTES]; + const unsigned char *c; + const unsigned char *stored_mac; + unsigned long long mlen; + unsigned char tag; + + if (mlen_p != NULL) { + *mlen_p = 0U; + } + if (tag_p != NULL) { + *tag_p = 0xff; + } + if (inlen < crypto_secretstream_xchacha20poly1305_ABYTES) { + return -1; + } + mlen = inlen - crypto_secretstream_xchacha20poly1305_ABYTES; + if (mlen > crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX) { + sodium_misuse(); + } + crypto_stream_chacha20_ietf(block, sizeof block, state->nonce, state->k); + crypto_onetimeauth_poly1305_init(&poly1305_state, block); + sodium_memzero(block, sizeof block); + + crypto_onetimeauth_poly1305_update(&poly1305_state, ad, adlen); + crypto_onetimeauth_poly1305_update(&poly1305_state, _pad0, + (0x10 - adlen) & 0xf); + + memset(block, 0, sizeof block); + block[0] = in[0]; + crypto_stream_chacha20_ietf_xor_ic(block, block, sizeof block, + state->nonce, 1U, state->k); + tag = block[0]; + block[0] = in[0]; + crypto_onetimeauth_poly1305_update(&poly1305_state, block, sizeof block); + + c = in + (sizeof tag); + crypto_onetimeauth_poly1305_update(&poly1305_state, c, mlen); + crypto_onetimeauth_poly1305_update + (&poly1305_state, _pad0, (0x10 - (sizeof block) + mlen) & 0xf); + + STORE64_LE(slen, (uint64_t) adlen); + crypto_onetimeauth_poly1305_update(&poly1305_state, slen, sizeof slen); + STORE64_LE(slen, (sizeof block) + mlen); + crypto_onetimeauth_poly1305_update(&poly1305_state, slen, sizeof slen); + + 
crypto_onetimeauth_poly1305_final(&poly1305_state, mac); + sodium_memzero(&poly1305_state, sizeof poly1305_state); + + stored_mac = c + mlen; + if (sodium_memcmp(mac, stored_mac, sizeof mac) != 0) { + sodium_memzero(mac, sizeof mac); + return -1; + } + + crypto_stream_chacha20_ietf_xor_ic(m, c, mlen, state->nonce, 2U, state->k); + XOR_BUF(STATE_INONCE(state), mac, + crypto_secretstream_xchacha20poly1305_INONCEBYTES); + sodium_increment(STATE_COUNTER(state), + crypto_secretstream_xchacha20poly1305_COUNTERBYTES); + if ((tag & crypto_secretstream_xchacha20poly1305_TAG_REKEY) != 0 || + sodium_is_zero(STATE_COUNTER(state), + crypto_secretstream_xchacha20poly1305_COUNTERBYTES)) { + crypto_secretstream_xchacha20poly1305_rekey(state); + } + if (mlen_p != NULL) { + *mlen_p = mlen; + } + if (tag_p != NULL) { + *tag_p = tag; + } + return 0; +} + +size_t +crypto_secretstream_xchacha20poly1305_statebytes(void) +{ + return sizeof(crypto_secretstream_xchacha20poly1305_state); +} + +size_t +crypto_secretstream_xchacha20poly1305_abytes(void) +{ + return crypto_secretstream_xchacha20poly1305_ABYTES; +} + +size_t +crypto_secretstream_xchacha20poly1305_headerbytes(void) +{ + return crypto_secretstream_xchacha20poly1305_HEADERBYTES; +} + +size_t +crypto_secretstream_xchacha20poly1305_keybytes(void) +{ + return crypto_secretstream_xchacha20poly1305_KEYBYTES; +} + +size_t +crypto_secretstream_xchacha20poly1305_messagebytes_max(void) +{ + return crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX; +} + +unsigned char +crypto_secretstream_xchacha20poly1305_tag_message(void) +{ + return crypto_secretstream_xchacha20poly1305_TAG_MESSAGE; +} + +unsigned char +crypto_secretstream_xchacha20poly1305_tag_push(void) +{ + return crypto_secretstream_xchacha20poly1305_TAG_PUSH; +} + +unsigned char +crypto_secretstream_xchacha20poly1305_tag_rekey(void) +{ + return crypto_secretstream_xchacha20poly1305_TAG_REKEY; +} + +unsigned char +crypto_secretstream_xchacha20poly1305_tag_final(void) +{ + return 
crypto_secretstream_xchacha20poly1305_TAG_FINAL; +} diff --git a/src/libsodium/crypto_sign/crypto_sign.c b/src/libsodium/crypto_sign/crypto_sign.c index b93fa0ef..127072f7 100644 --- a/src/libsodium/crypto_sign/crypto_sign.c +++ b/src/libsodium/crypto_sign/crypto_sign.c @@ -31,6 +31,12 @@ crypto_sign_secretkeybytes(void) return crypto_sign_SECRETKEYBYTES; } +size_t +crypto_sign_messagebytes_max(void) +{ + return crypto_sign_MESSAGEBYTES_MAX; +} + const char * crypto_sign_primitive(void) { diff --git a/src/libsodium/crypto_sign/ed25519/ref10/ed25519_ref10.h b/src/libsodium/crypto_sign/ed25519/ref10/ed25519_ref10.h index 8d93892b..d35ae6fb 100644 --- a/src/libsodium/crypto_sign/ed25519/ref10/ed25519_ref10.h +++ b/src/libsodium/crypto_sign/ed25519/ref10/ed25519_ref10.h @@ -15,4 +15,7 @@ int _crypto_sign_ed25519_verify_detached(const unsigned char *sig, unsigned long long mlen, const unsigned char *pk, int prehashed); + +int _crypto_sign_ed25519_small_order(const unsigned char p[32]); + #endif diff --git a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c index 8a7b444c..bdc6b017 100644 --- a/src/libsodium/crypto_sign/ed25519/ref10/keypair.c +++ b/src/libsodium/crypto_sign/ed25519/ref10/keypair.c @@ -4,6 +4,7 @@ #include "crypto_hash_sha512.h" #include "crypto_scalarmult_curve25519.h" #include "crypto_sign_ed25519.h" +#include "ed25519_ref10.h" #include "private/curve25519_ref10.h" #include "randombytes.h" #include "utils.h" @@ -46,10 +47,16 @@ crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk, const unsigned char *ed25519_pk) { ge_p3 A; + ge_p3 pl; fe x; fe one_minus_y; - if (ge_frombytes_negate_vartime(&A, ed25519_pk) != 0) { + if (_crypto_sign_ed25519_small_order(ed25519_pk) || + ge_frombytes_negate_vartime(&A, ed25519_pk) != 0) { + return -1; + } + ge_mul_l(&pl, &A); + if (fe_isnonzero(pl.X)) { return -1; } fe_1(one_minus_y); 
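Review bot: The ciphertext padding in `crypto_secretstream_xchacha20poly1305_push` and `_pull`, `(0x10 - (sizeof block) + mlen) & 0xf`, reduces to `mlen & 0xf` because `sizeof block` is 64, so the Poly1305 input is not padded to a 16-byte boundary the way the adjacent `(0x10 - adlen) & 0xf` does for the AD; both sides compute it identically and the lengths are authenticated afterwards, so it is consistent rather than unsafe, but it should either become `(0x10 - mlen) & 0xf` now or be documented as a fixed wire-format quirk, since it cannot change once streams are in use. In `_rekey`, `new_key_and_inonce` holds the fresh key after the `crypto_stream_chacha20_ietf_xor` call and is left on the stack; add `sodium_memzero(new_key_and_inonce, sizeof new_key_and_inonce);` before returning, and likewise wipe `block` at the end of `_push`/`_pull`, where it still holds keystream bytes. Copying the key and nonce with byte loops instead of `memcpy` also deserves a comment if it is intentional.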
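Review bot: The new `ge_mul_l(&pl, &A); if (fe_isnonzero(pl.X)) { return -1; }` in `crypto_sign_ed25519_pk_to_curve25519` has no comment explaining what it rejects: multiplying the decoded point by the group order l and requiring the identity (X == 0) refuses public keys with a component outside the prime-order subgroup, which the preceding `_crypto_sign_ed25519_small_order` blacklist alone does not catch for mixed-order points. A comment such as `/* reject keys outside the prime-order subgroup: l*A must be the identity */` would make the two checks read as one policy. Any variable-time arithmetic here is acceptable since the input is a public key; the function continues past the hunk.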
@@ -71,7 +78,7 @@ crypto_sign_ed25519_sk_to_curve25519(unsigned char *curve25519_sk, crypto_hash_sha512(h, ed25519_sk, crypto_sign_ed25519_SECRETKEYBYTES - - crypto_sign_ed25519_PUBLICKEYBYTES); + crypto_sign_ed25519_PUBLICKEYBYTES); h[0] &= 248; h[31] &= 127; h[31] |= 64; diff --git a/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c b/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c index c572ff11..5ff14884 100644 --- a/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c +++ b/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c @@ -83,7 +83,7 @@ crypto_sign_edwards25519sha512batch_open(unsigned char *m, ge_p3 cs3; *mlen_p = 0; - if (smlen < 64 || smlen > SIZE_MAX) { + if (smlen < 64 || smlen - 64 > crypto_sign_edwards25519sha512batch_MESSAGEBYTES_MAX) { return -1; } mlen = smlen - 64; diff --git a/src/libsodium/crypto_sign/ed25519/ref10/open.c b/src/libsodium/crypto_sign/ed25519/ref10/open.c index 95e55d2d..fa1c72d8 100644 --- a/src/libsodium/crypto_sign/ed25519/ref10/open.c +++ b/src/libsodium/crypto_sign/ed25519/ref10/open.c @@ -33,8 +33,8 @@ crypto_sign_check_S_lt_L(const unsigned char *S) return -(c == 0); } -static int -small_order(const unsigned char R[32]) +int +_crypto_sign_ed25519_small_order(const unsigned char p[32]) { CRYPTO_ALIGN(16) static const unsigned char blacklist[][32] = { @@ -97,7 +97,7 @@ small_order(const unsigned char R[32]) for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) { c = 0; for (j = 0; j < 32; j++) { - c |= R[j] ^ blacklist[i][j]; + c |= p[j] ^ blacklist[i][j]; } if (c == 0) { return 1; @@ -123,7 +123,8 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig, ge_p2 R; #ifndef ED25519_COMPAT - if (crypto_sign_check_S_lt_L(sig + 32) != 0 || small_order(sig) != 0) { + if (crypto_sign_check_S_lt_L(sig + 32) != 0 || + _crypto_sign_ed25519_small_order(sig) != 0) { return -1; } #else 
@@ -170,7 +171,7 @@ crypto_sign_ed25519_open(unsigned char *m, unsigned long long *mlen_p, { unsigned long long mlen; - if (smlen < 64 || smlen > SIZE_MAX) { + if (smlen < 64 || smlen - 64 > crypto_sign_ed25519_MESSAGEBYTES_MAX) { goto badsig; } mlen = smlen - 64; diff --git a/src/libsodium/crypto_sign/ed25519/sign_ed25519.c b/src/libsodium/crypto_sign/ed25519/sign_ed25519.c index 9ec477a1..e2a5a4a6 100644 --- a/src/libsodium/crypto_sign/ed25519/sign_ed25519.c +++ b/src/libsodium/crypto_sign/ed25519/sign_ed25519.c @@ -35,6 +35,12 @@ crypto_sign_ed25519_secretkeybytes(void) return crypto_sign_ed25519_SECRETKEYBYTES; } +size_t +crypto_sign_ed25519_messagebytes_max(void) +{ + return crypto_sign_ed25519_MESSAGEBYTES_MAX; +} + int crypto_sign_ed25519_sk_to_seed(unsigned char *seed, const unsigned char *sk) { diff --git a/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c b/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c index c8cdff37..6149af39 100644 --- a/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c +++ b/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c @@ -3,6 +3,7 @@ #include #include +#include "core.h" #include "crypto_stream_chacha20.h" #include "private/common.h" #include "private/sse2_64_32.h" @@ -76,8 +77,8 @@ chacha20_encrypt_bytes(chacha_ctx *ctx, const uint8_t *m, uint8_t *c, if (!bytes) { return; /* LCOV_EXCL_LINE */ } - if (bytes > 64ULL * (1ULL << 32) - 64ULL) { - abort(); + if (bytes > crypto_stream_chacha20_MESSAGEBYTES_MAX) { + sodium_misuse(); } # include "u8.h" # include "u4.h" diff --git a/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c b/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c index 06895932..b7b9aa4a 100644 --- a/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c +++ b/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c 
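Review bot: The length guard `if (bytes > crypto_stream_chacha20_MESSAGEBYTES_MAX) { sodium_misuse(); }` now depends on `sodium_misuse()` never returning; core.h declares it `noreturn`, but because `sodium_set_misuse_handler()` lets applications install their own handler, the implementation (not in this chunk) must still abort after that handler returns, otherwise execution would continue into the block loop past the 32-bit counter and reuse keystream. That guarantee should be confirmed in core.c and stated here so the guard is not later weakened, e.g. `/* sodium_misuse() never returns, even with a custom handler installed */`. The same replacement appears in the ssse3 and ref chacha20_encrypt_bytes hunks. chacha20_encrypt_bytes continues outside the hunk.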
@@ -3,6 +3,7 @@ #include #include +#include "core.h" #include "crypto_stream_chacha20.h" #include "private/common.h" #include "private/sse2_64_32.h" @@ -71,8 +72,8 @@ chacha20_encrypt_bytes(chacha_ctx *ctx, const uint8_t *m, uint8_t *c, if (!bytes) { return; /* LCOV_EXCL_LINE */ } - if (bytes > 64ULL * (1ULL << 32) - 64ULL) { - abort(); + if (bytes > crypto_stream_chacha20_MESSAGEBYTES_MAX) { + sodium_misuse(); } # include "u4.h" # include "u1.h" diff --git a/src/libsodium/crypto_stream/chacha20/dolbeau/u0.h b/src/libsodium/crypto_stream/chacha20/dolbeau/u0.h index 3312d29b..17c3ff8e 100644 --- a/src/libsodium/crypto_stream/chacha20/dolbeau/u0.h +++ b/src/libsodium/crypto_stream/chacha20/dolbeau/u0.h @@ -7,7 +7,7 @@ if (bytes > 0) { _mm_set_epi8(14, 13, 12, 15, 10, 9, 8, 11, 6, 5, 4, 7, 2, 1, 0, 3); uint8_t partialblock[64]; - int i; + unsigned int i; x_0 = _mm_loadu_si128((__m128i*) (x + 0)); x_1 = _mm_loadu_si128((__m128i*) (x + 4)); diff --git a/src/libsodium/crypto_stream/chacha20/ref/chacha20_ref.c b/src/libsodium/crypto_stream/chacha20/ref/chacha20_ref.c index 7a19cebb..f88a99db 100644 --- a/src/libsodium/crypto_stream/chacha20/ref/chacha20_ref.c +++ b/src/libsodium/crypto_stream/chacha20/ref/chacha20_ref.c @@ -9,6 +9,7 @@ #include #include +#include "core.h" #include "crypto_stream_chacha20.h" #include "private/common.h" #include "utils.h" @@ -91,8 +92,8 @@ chacha20_encrypt_bytes(chacha_ctx *ctx, const uint8_t *m, uint8_t *c, if (!bytes) { return; /* LCOV_EXCL_LINE */ } - if (bytes > 64ULL * (1ULL << 32) - 64ULL) { - abort(); + if (bytes > crypto_stream_chacha20_MESSAGEBYTES_MAX) { + sodium_misuse(); } j0 = ctx->input[0]; j1 = ctx->input[1]; diff --git a/src/libsodium/crypto_stream/chacha20/stream_chacha20.c b/src/libsodium/crypto_stream/chacha20/stream_chacha20.c index 0f7520ec..19c6eae9 100644 --- a/src/libsodium/crypto_stream/chacha20/stream_chacha20.c +++ b/src/libsodium/crypto_stream/chacha20/stream_chacha20.c 
@@ -26,6 +26,12 @@ crypto_stream_chacha20_noncebytes(void) { return crypto_stream_chacha20_NONCEBYTES; } +size_t +crypto_stream_chacha20_messagebytes_max(void) +{ + return crypto_stream_chacha20_MESSAGEBYTES_MAX; +} + size_t crypto_stream_chacha20_ietf_keybytes(void) { return crypto_stream_chacha20_ietf_KEYBYTES; @@ -36,6 +42,12 @@ crypto_stream_chacha20_ietf_noncebytes(void) { return crypto_stream_chacha20_ietf_NONCEBYTES; } +size_t +crypto_stream_chacha20_ietf_messagebytes_max(void) +{ + return crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX; +} + int crypto_stream_chacha20(unsigned char *c, unsigned long long clen, const unsigned char *n, const unsigned char *k) diff --git a/src/libsodium/crypto_stream/crypto_stream.c b/src/libsodium/crypto_stream/crypto_stream.c index 7d93243b..58d25381 100644 --- a/src/libsodium/crypto_stream/crypto_stream.c +++ b/src/libsodium/crypto_stream/crypto_stream.c @@ -14,6 +14,12 @@ crypto_stream_noncebytes(void) return crypto_stream_NONCEBYTES; } +size_t +crypto_stream_messagebytes_max(void) +{ + return crypto_stream_MESSAGEBYTES_MAX; +} + const char * crypto_stream_primitive(void) { diff --git a/src/libsodium/crypto_stream/salsa20/stream_salsa20.c b/src/libsodium/crypto_stream/salsa20/stream_salsa20.c index 91e99df7..8714de11 100644 --- a/src/libsodium/crypto_stream/salsa20/stream_salsa20.c +++ b/src/libsodium/crypto_stream/salsa20/stream_salsa20.c @@ -37,6 +37,12 @@ crypto_stream_salsa20_noncebytes(void) return crypto_stream_salsa20_NONCEBYTES; } +size_t +crypto_stream_salsa20_messagebytes_max(void) +{ + return crypto_stream_salsa20_MESSAGEBYTES_MAX; +} + int crypto_stream_salsa20(unsigned char *c, unsigned long long clen, const unsigned char *n, const unsigned char *k) @@ -89,5 +95,5 @@ _crypto_stream_salsa20_pick_best_implementation(void) return 0; } #endif - return 0; + return 0; /* LCOV_EXCL_LINE */ } 
diff --git a/src/libsodium/crypto_stream/salsa20/xmm6int/u0.h b/src/libsodium/crypto_stream/salsa20/xmm6int/u0.h index b6613dbd..b2d41680 100644 --- a/src/libsodium/crypto_stream/salsa20/xmm6int/u0.h +++ b/src/libsodium/crypto_stream/salsa20/xmm6int/u0.h @@ -7,7 +7,7 @@ if (bytes > 0) { __m128i b0, b1, b2, b3, b4, b5, b6, b7; uint8_t partialblock[64]; - int i; + unsigned int i; a0 = diag1; for (i = 0; i < ROUNDS; i += 4) { diff --git a/src/libsodium/crypto_stream/salsa2012/stream_salsa2012.c b/src/libsodium/crypto_stream/salsa2012/stream_salsa2012.c index d6c01b82..d0cc0f68 100644 --- a/src/libsodium/crypto_stream/salsa2012/stream_salsa2012.c +++ b/src/libsodium/crypto_stream/salsa2012/stream_salsa2012.c @@ -13,6 +13,12 @@ crypto_stream_salsa2012_noncebytes(void) return crypto_stream_salsa2012_NONCEBYTES; } +size_t +crypto_stream_salsa2012_messagebytes_max(void) +{ + return crypto_stream_salsa2012_MESSAGEBYTES_MAX; +} + void crypto_stream_salsa2012_keygen(unsigned char k[crypto_stream_salsa2012_KEYBYTES]) { diff --git a/src/libsodium/crypto_stream/salsa208/stream_salsa208.c b/src/libsodium/crypto_stream/salsa208/stream_salsa208.c index 1a7752af..b79bda5e 100644 --- a/src/libsodium/crypto_stream/salsa208/stream_salsa208.c +++ b/src/libsodium/crypto_stream/salsa208/stream_salsa208.c @@ -13,6 +13,12 @@ crypto_stream_salsa208_noncebytes(void) return crypto_stream_salsa208_NONCEBYTES; } +size_t +crypto_stream_salsa208_messagebytes_max(void) +{ + return crypto_stream_salsa208_MESSAGEBYTES_MAX; +} + void crypto_stream_salsa208_keygen(unsigned char k[crypto_stream_salsa208_KEYBYTES]) { diff --git a/src/libsodium/crypto_stream/xchacha20/stream_xchacha20.c b/src/libsodium/crypto_stream/xchacha20/stream_xchacha20.c index ee2345c2..8b1bc09a 100644 --- a/src/libsodium/crypto_stream/xchacha20/stream_xchacha20.c +++ b/src/libsodium/crypto_stream/xchacha20/stream_xchacha20.c 
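Review bot: `crypto_stream_salsa208_messagebytes_max()` is a brand-new public entry point for a primitive that this same series tags as deprecated (the crypto_core_salsa208 accessors receive `__attribute__ ((deprecated))` in their header hunk). Its declaration in crypto_stream_salsa208.h is not in this chunk, so please confirm it carries the same attribute; a fresh, un-deprecated symbol invites new use of Salsa20/8. The salsa2012 accessor in the previous hunk is unaffected.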
@@ -19,6 +19,12 @@ crypto_stream_xchacha20_noncebytes(void) return crypto_stream_xchacha20_NONCEBYTES; } +size_t +crypto_stream_xchacha20_messagebytes_max(void) +{ + return crypto_stream_xchacha20_MESSAGEBYTES_MAX; +} + int crypto_stream_xchacha20(unsigned char *c, unsigned long long clen, const unsigned char *n, const unsigned char *k) diff --git a/src/libsodium/crypto_stream/xsalsa20/stream_xsalsa20.c b/src/libsodium/crypto_stream/xsalsa20/stream_xsalsa20.c index 1405b699..dc831a94 100644 --- a/src/libsodium/crypto_stream/xsalsa20/stream_xsalsa20.c +++ b/src/libsodium/crypto_stream/xsalsa20/stream_xsalsa20.c @@ -53,6 +53,12 @@ crypto_stream_xsalsa20_noncebytes(void) return crypto_stream_xsalsa20_NONCEBYTES; } +size_t +crypto_stream_xsalsa20_messagebytes_max(void) +{ + return crypto_stream_xsalsa20_MESSAGEBYTES_MAX; +} + void crypto_stream_xsalsa20_keygen(unsigned char k[crypto_stream_xsalsa20_KEYBYTES]) { diff --git a/src/libsodium/crypto_verify/sodium/verify.c b/src/libsodium/crypto_verify/sodium/verify.c index f7626cf8..ffebf220 100644 --- a/src/libsodium/crypto_verify/sodium/verify.c +++ b/src/libsodium/crypto_verify/sodium/verify.c 
@@ -6,56 +6,93 @@ #include "crypto_verify_32.h" #include "crypto_verify_64.h" -int -crypto_verify_16(const unsigned char *x, const unsigned char *y) -{ - uint_fast16_t d = 0U; - int i; - - for (i = 0; i < 16; i++) { - d |= x[i] ^ y[i]; - } - return (1 & ((d - 1) >> 8)) - 1; -} - size_t crypto_verify_16_bytes(void) { return crypto_verify_16_BYTES; } -int -crypto_verify_32(const unsigned char *x, const unsigned char *y) -{ - uint_fast16_t d = 0U; - int i; - - for (i = 0; i < 32; i++) { - d |= x[i] ^ y[i]; - } - return (1 & ((d - 1) >> 8)) - 1; -} - size_t crypto_verify_32_bytes(void) { return crypto_verify_32_BYTES; } -int -crypto_verify_64(const unsigned char *x, const unsigned char *y) -{ - uint_fast16_t d = 0U; - int i; - - for (i = 0; i < 64; i++) { - d |= x[i] ^ y[i]; - } - return (1 & ((d - 1) >> 8)) - 1; -} - size_t crypto_verify_64_bytes(void) { return crypto_verify_64_BYTES; } + +#if defined(HAVE_EMMINTRIN_H) && defined(__SSE2__) + +# ifdef __GNUC__ +# pragma GCC target("sse2") +# endif +# include + +static inline int +crypto_verify_n(const unsigned char *x_, const unsigned char *y_, + const int n) +{ + const __m128i zero = _mm_setzero_si128(); + volatile __m128i v1, v2, z; + volatile int m; + int i; + + const volatile __m128i *volatile x = + (const volatile __m128i *volatile) (const void *) x_; + const volatile __m128i *volatile y = + (const volatile __m128i *volatile) (const void *) y_; + v1 = _mm_loadu_si128((const __m128i *) &x[0]); + v2 = _mm_loadu_si128((const __m128i *) &y[0]); + z = _mm_xor_si128(v1, v2); + for (i = 1; i < n / 16; i++) { + v1 = _mm_loadu_si128((const __m128i *) &x[i]); + v2 = _mm_loadu_si128((const __m128i *) &y[i]); + z = _mm_or_si128(z, _mm_xor_si128(v1, v2)); + } + m = _mm_movemask_epi8(_mm_cmpeq_epi32(z, zero)); + v1 = zero; v2 = zero; z = zero; + + return (int) (((uint32_t) m + 1U) >> 16) - 1; +} + +#else + +static inline int +crypto_verify_n(const unsigned char *x_, const unsigned char *y_, + const int n) +{ + const volatile 
unsigned char *volatile x = + (const volatile unsigned char *volatile) x_; + const volatile unsigned char *volatile y = + (const volatile unsigned char *volatile) y_; + volatile uint_fast16_t d = 0U; + int i; + + for (i = 0; i < n; i++) { + d |= x[i] ^ y[i]; + } + return (1 & ((d - 1) >> 8)) - 1; +} + +#endif + +int +crypto_verify_16(const unsigned char *x, const unsigned char *y) +{ + return crypto_verify_n(x, y, crypto_verify_16_BYTES); +} + +int +crypto_verify_32(const unsigned char *x, const unsigned char *y) +{ + return crypto_verify_n(x, y, crypto_verify_32_BYTES); +} + +int +crypto_verify_64(const unsigned char *x, const unsigned char *y) +{ + return crypto_verify_n(x, y, crypto_verify_64_BYTES); +} diff --git a/src/libsodium/include/Makefile.am b/src/libsodium/include/Makefile.am index a63d127a..06f3f4a4 100644 --- a/src/libsodium/include/Makefile.am +++ b/src/libsodium/include/Makefile.am @@ -36,6 +36,7 @@ SODIUM_EXPORT = \ sodium/crypto_secretbox.h \ sodium/crypto_secretbox_xchacha20poly1305.h \ sodium/crypto_secretbox_xsalsa20poly1305.h \ + sodium/crypto_secretstream_xchacha20poly1305.h \ sodium/crypto_shorthash.h \ sodium/crypto_shorthash_siphash24.h \ sodium/crypto_sign.h \ diff --git a/src/libsodium/include/sodium.h b/src/libsodium/include/sodium.h index d0bb25c8..8c3e8bc7 100644 --- a/src/libsodium/include/sodium.h +++ b/src/libsodium/include/sodium.h @@ -31,11 +31,11 @@ #include "sodium/crypto_onetimeauth_poly1305.h" #include "sodium/crypto_pwhash.h" #include "sodium/crypto_pwhash_argon2i.h" -#include "sodium/crypto_pwhash_scryptsalsa208sha256.h" #include "sodium/crypto_scalarmult.h" #include "sodium/crypto_scalarmult_curve25519.h" #include "sodium/crypto_secretbox.h" #include "sodium/crypto_secretbox_xsalsa20poly1305.h" +#include "sodium/crypto_secretstream_xchacha20poly1305.h" #include "sodium/crypto_shorthash.h" #include "sodium/crypto_shorthash_siphash24.h" #include "sodium/crypto_sign.h" 
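Review bot: `crypto_verify_n()` has an unstated precondition that `n` is a positive multiple of 16: the SSE2 variant loads `x[0]`/`y[0]` unconditionally and then compares `n / 16` whole lanes, so any other `n` silently compares a different number of bytes than requested. The three wrappers only pass 16, 32 and 64, so this holds today, but a comment on the helper should pin it along with the return convention, e.g. `/* n must be a positive multiple of 16 (the SSE2 path compares whole lanes). Returns 0 if x and y are equal, -1 otherwise. */`. A second comment explaining why every operand and pointer is `volatile` (to keep the compiler from turning the full-width compare into an early-exit) would stop the next reader from "simplifying" it, since nothing in the code otherwise explains the unusual declarations.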
@@ -59,6 +59,7 @@ #ifndef SODIUM_LIBRARY_MINIMAL # include "sodium/crypto_box_curve25519xchacha20poly1305.h" # include "sodium/crypto_secretbox_xchacha20poly1305.h" +# include "sodium/crypto_pwhash_scryptsalsa208sha256.h" # include "sodium/crypto_stream_aes128ctr.h" # include "sodium/crypto_stream_salsa2012.h" # include "sodium/crypto_stream_salsa208.h" diff --git a/src/libsodium/include/sodium/core.h b/src/libsodium/include/sodium/core.h index 3ca44762..dd088d2c 100644 --- a/src/libsodium/include/sodium/core.h +++ b/src/libsodium/include/sodium/core.h @@ -12,6 +12,15 @@ SODIUM_EXPORT int sodium_init(void) __attribute__ ((warn_unused_result)); +/* ---- */ + +SODIUM_EXPORT +int sodium_set_misuse_handler(void (*handler)(void)); + +SODIUM_EXPORT +void sodium_misuse(void) + __attribute__ ((noreturn)); + #ifdef __cplusplus } #endif diff --git a/src/libsodium/include/sodium/crypto_aead_aes256gcm.h b/src/libsodium/include/sodium/crypto_aead_aes256gcm.h index 972df54f..46a3800f 100644 --- a/src/libsodium/include/sodium/crypto_aead_aes256gcm.h +++ b/src/libsodium/include/sodium/crypto_aead_aes256gcm.h 
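Review bot: The new `sodium_set_misuse_handler()` and `sodium_misuse()` declarations in core.h carry no contract: what `sodium_set_misuse_handler()` returns, whether passing NULL restores the default, and what happens when a custom handler returns are all left to the reader. Because `sodium_misuse()` is declared `noreturn`, callers in this patch (the chacha20 length guards) are compiled under the assumption that control never comes back, so the header must say that the library aborts after the handler returns. Suggest a comment block above the pair describing the handler as a notification hook that is called before the process is aborted, and a line on the return value of the setter matching what core.c (not in this chunk) actually does.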
@@ -1,6 +1,26 @@ #ifndef crypto_aead_aes256gcm_H #define crypto_aead_aes256gcm_H +/* + * WARNING: Despite being the most popular AEAD construction due to its + * use in TLS, safely using AES-GCM in a different context is tricky. + * + * No more than ~ 350 GB of input data should be encrypted with a given key. + * This is for ~ 16 KB messages -- Actual figures vary according to + * message sizes. + * + * In addition, nonces are short and repeated nonces would totally destroy + * the security of this scheme. + * + * Nonces should thus come from atomic counters, which can be difficult to + * set up in a distributed environment. + * + * Unless you absolutely need AES-GCM, use crypto_aead_xchacha20poly1305_ietf_*() + * instead. It doesn't have any of these limitations. + * Or, if you don't need to authenticate additional data, just stick to + * crypto_secretbox(). + */ + #include #include "export.h" @@ -30,6 +50,12 @@ size_t crypto_aead_aes256gcm_npubbytes(void); SODIUM_EXPORT size_t crypto_aead_aes256gcm_abytes(void); +#define crypto_aead_aes256gcm_MESSAGEBYTES_MAX \ + SODIUM_MIN(SODIUM_SIZE_MAX - crypto_aead_aes256gcm_ABYTES, \ + (16ULL * ((1ULL << 32) - 2ULL)) - crypto_aead_aes256gcm_ABYTES) +SODIUM_EXPORT +size_t crypto_aead_aes256gcm_messagebytes_max(void); + typedef CRYPTO_ALIGN(16) unsigned char crypto_aead_aes256gcm_state[512]; SODIUM_EXPORT diff --git a/src/libsodium/include/sodium/crypto_aead_chacha20poly1305.h b/src/libsodium/include/sodium/crypto_aead_chacha20poly1305.h index 0bbc6885..a575ec71 100644 --- a/src/libsodium/include/sodium/crypto_aead_chacha20poly1305.h +++ b/src/libsodium/include/sodium/crypto_aead_chacha20poly1305.h 
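Review bot: `(16ULL * ((1ULL << 32) - 2ULL))` in `crypto_aead_aes256gcm_MESSAGEBYTES_MAX` is the right GCM bound but reads as a magic expression. It follows from the 32-bit block counter used with a 96-bit IV: data blocks start two steps past the tag's J0 counter block, and limiting a message to 2^32 - 2 blocks of 16 bytes keeps the counter from wrapping back onto a block already used. A comment on the define, e.g. `/* 32-bit GCM counter: (2^32 - 2) * 16 bytes so the counter never wraps onto the tag's J0 block */`, makes the limit auditable without re-deriving it.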
@@ -30,6 +30,12 @@ size_t crypto_aead_chacha20poly1305_ietf_npubbytes(void); SODIUM_EXPORT size_t crypto_aead_chacha20poly1305_ietf_abytes(void); +#define crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX \ + SODIUM_MIN(SODIUM_SIZE_MAX - crypto_aead_chacha20poly1305_ietf_ABYTES, \ + (64ULL * (1ULL << 32) - 64ULL) - crypto_aead_chacha20poly1305_ietf_ABYTES) +SODIUM_EXPORT +size_t crypto_aead_chacha20poly1305_ietf_messagebytes_max(void); + SODIUM_EXPORT int crypto_aead_chacha20poly1305_ietf_encrypt(unsigned char *c, unsigned long long *clen_p, @@ -98,6 +104,11 @@ size_t crypto_aead_chacha20poly1305_npubbytes(void); SODIUM_EXPORT size_t crypto_aead_chacha20poly1305_abytes(void); +#define crypto_aead_chacha20poly1305_MESSAGEBYTES_MAX \ + (SODIUM_SIZE_MAX - crypto_aead_chacha20poly1305_ABYTES) +SODIUM_EXPORT +size_t crypto_aead_chacha20poly1305_messagebytes_max(void); + SODIUM_EXPORT int crypto_aead_chacha20poly1305_encrypt(unsigned char *c, unsigned long long *clen_p, @@ -150,10 +161,11 @@ void crypto_aead_chacha20poly1305_keygen(unsigned char k[crypto_aead_chacha20pol /* Aliases */ -#define crypto_aead_chacha20poly1305_IETF_KEYBYTES crypto_aead_chacha20poly1305_ietf_KEYBYTES -#define crypto_aead_chacha20poly1305_IETF_NSECBYTES crypto_aead_chacha20poly1305_ietf_NSECBYTES -#define crypto_aead_chacha20poly1305_IETF_NPUBBYTES crypto_aead_chacha20poly1305_ietf_NPUBBYTES -#define crypto_aead_chacha20poly1305_IETF_ABYTES crypto_aead_chacha20poly1305_ietf_ABYTES +#define crypto_aead_chacha20poly1305_IETF_KEYBYTES crypto_aead_chacha20poly1305_ietf_KEYBYTES +#define crypto_aead_chacha20poly1305_IETF_NSECBYTES crypto_aead_chacha20poly1305_ietf_NSECBYTES +#define crypto_aead_chacha20poly1305_IETF_NPUBBYTES crypto_aead_chacha20poly1305_ietf_NPUBBYTES +#define crypto_aead_chacha20poly1305_IETF_ABYTES crypto_aead_chacha20poly1305_ietf_ABYTES +#define crypto_aead_chacha20poly1305_IETF_MESSAGEBYTES_MAX crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX #ifdef __cplusplus } 
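Review bot: `(64ULL * (1ULL << 32) - 64ULL)` in `crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX` deserves a derivation comment: with the 96-bit IETF nonce the ChaCha20 block counter is 32 bits and block 0 is consumed for the Poly1305 one-time key, leaving 2^32 - 1 data blocks of 64 bytes. The non-IETF variant in the next hunk uses `SODIUM_SIZE_MAX - crypto_aead_chacha20poly1305_ABYTES` instead, presumably because its 64-bit counter makes the stream limit moot; a one-line comment on each define would record why the two differ, e.g. `/* 32-bit counter, block 0 reserved for the Poly1305 key: (2^32 - 1) * 64 bytes */`.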
diff --git a/src/libsodium/include/sodium/crypto_aead_xchacha20poly1305.h b/src/libsodium/include/sodium/crypto_aead_xchacha20poly1305.h index f863ce88..99692aae 100644 --- a/src/libsodium/include/sodium/crypto_aead_xchacha20poly1305.h +++ b/src/libsodium/include/sodium/crypto_aead_xchacha20poly1305.h @@ -27,6 +27,11 @@ size_t crypto_aead_xchacha20poly1305_ietf_npubbytes(void); SODIUM_EXPORT size_t crypto_aead_xchacha20poly1305_ietf_abytes(void); +#define crypto_aead_xchacha20poly1305_ietf_MESSAGEBYTES_MAX \ + (SODIUM_SIZE_MAX - crypto_aead_xchacha20poly1305_ietf_ABYTES) +SODIUM_EXPORT +size_t crypto_aead_xchacha20poly1305_ietf_messagebytes_max(void); + SODIUM_EXPORT int crypto_aead_xchacha20poly1305_ietf_encrypt(unsigned char *c, unsigned long long *clen_p, @@ -79,10 +84,11 @@ void crypto_aead_xchacha20poly1305_ietf_keygen(unsigned char k[crypto_aead_xchac /* Aliases */ -#define crypto_aead_xchacha20poly1305_IETF_KEYBYTES crypto_aead_xchacha20poly1305_ietf_KEYBYTES -#define crypto_aead_xchacha20poly1305_IETF_NSECBYTES crypto_aead_xchacha20poly1305_ietf_NSECBYTES -#define crypto_aead_xchacha20poly1305_IETF_NPUBBYTES crypto_aead_xchacha20poly1305_ietf_NPUBBYTES -#define crypto_aead_xchacha20poly1305_IETF_ABYTES crypto_aead_xchacha20poly1305_ietf_ABYTES +#define crypto_aead_xchacha20poly1305_IETF_KEYBYTES crypto_aead_xchacha20poly1305_ietf_KEYBYTES +#define crypto_aead_xchacha20poly1305_IETF_NSECBYTES crypto_aead_xchacha20poly1305_ietf_NSECBYTES +#define crypto_aead_xchacha20poly1305_IETF_NPUBBYTES crypto_aead_xchacha20poly1305_ietf_NPUBBYTES +#define crypto_aead_xchacha20poly1305_IETF_ABYTES crypto_aead_xchacha20poly1305_ietf_ABYTES +#define crypto_aead_xchacha20poly1305_IETF_MESSAGEBYTES_MAX crypto_aead_xchacha20poly1305_ietf_MESSAGEBYTES_MAX #ifdef __cplusplus } diff --git a/src/libsodium/include/sodium/crypto_box.h b/src/libsodium/include/sodium/crypto_box.h index 614cd1e0..99ee19a8 100644 --- a/src/libsodium/include/sodium/crypto_box.h 
+++ b/src/libsodium/include/sodium/crypto_box.h @@ -40,6 +40,10 @@ size_t crypto_box_noncebytes(void); SODIUM_EXPORT size_t crypto_box_macbytes(void); +#define crypto_box_MESSAGEBYTES_MAX crypto_box_curve25519xsalsa20poly1305_MESSAGEBYTES_MAX +SODIUM_EXPORT +size_t crypto_box_messagebytes_max(void); + #define crypto_box_PRIMITIVE "curve25519xsalsa20poly1305" SODIUM_EXPORT const char *crypto_box_primitive(void); diff --git a/src/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h b/src/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h index b781cc6e..c1cf7566 100644 --- a/src/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h +++ b/src/libsodium/include/sodium/crypto_box_curve25519xchacha20poly1305.h @@ -3,6 +3,7 @@ #define crypto_box_curve25519xchacha20poly1305_H #include +#include "crypto_stream_xchacha20.h" #include "export.h" #ifdef __cplusplus @@ -36,6 +37,11 @@ size_t crypto_box_curve25519xchacha20poly1305_noncebytes(void); SODIUM_EXPORT size_t crypto_box_curve25519xchacha20poly1305_macbytes(void); +#define crypto_box_curve25519xchacha20poly1305_MESSAGEBYTES_MAX \ + (crypto_stream_xchacha20_MESSAGEBYTES_MAX - crypto_box_curve25519xchacha20poly1305_MACBYTES) +SODIUM_EXPORT +size_t crypto_box_curve25519xchacha20poly1305_messagebytes_max(void); + SODIUM_EXPORT int crypto_box_curve25519xchacha20poly1305_seed_keypair(unsigned char *pk, unsigned char *sk, diff --git a/src/libsodium/include/sodium/crypto_box_curve25519xsalsa20poly1305.h b/src/libsodium/include/sodium/crypto_box_curve25519xsalsa20poly1305.h index 9b5a39c3..c5b15f42 100644 --- a/src/libsodium/include/sodium/crypto_box_curve25519xsalsa20poly1305.h +++ b/src/libsodium/include/sodium/crypto_box_curve25519xsalsa20poly1305.h @@ -2,6 +2,7 @@ #define crypto_box_curve25519xsalsa20poly1305_H #include +#include "crypto_stream_xsalsa20.h" #include "export.h" #ifdef __cplusplus 
@@ -35,6 +36,29 @@ size_t crypto_box_curve25519xsalsa20poly1305_noncebytes(void); SODIUM_EXPORT size_t crypto_box_curve25519xsalsa20poly1305_macbytes(void); +/* Only for the libsodium API - The NaCl compatibility API would require BOXZEROBYTES extra bytes */ +#define crypto_box_curve25519xsalsa20poly1305_MESSAGEBYTES_MAX \ + (crypto_stream_xsalsa20_MESSAGEBYTES_MAX - crypto_box_curve25519xsalsa20poly1305_MACBYTES) +SODIUM_EXPORT +size_t crypto_box_curve25519xsalsa20poly1305_messagebytes_max(void); + +SODIUM_EXPORT +int crypto_box_curve25519xsalsa20poly1305_seed_keypair(unsigned char *pk, + unsigned char *sk, + const unsigned char *seed); + +SODIUM_EXPORT +int crypto_box_curve25519xsalsa20poly1305_keypair(unsigned char *pk, + unsigned char *sk); + +SODIUM_EXPORT +int crypto_box_curve25519xsalsa20poly1305_beforenm(unsigned char *k, + const unsigned char *pk, + const unsigned char *sk) + __attribute__ ((warn_unused_result)); + +/* -- NaCl compatibility interface ; Requires padding -- */ + #define crypto_box_curve25519xsalsa20poly1305_BOXZEROBYTES 16U SODIUM_EXPORT size_t crypto_box_curve25519xsalsa20poly1305_boxzerobytes(void); @@ -63,21 +87,6 @@ int crypto_box_curve25519xsalsa20poly1305_open(unsigned char *m, const unsigned char *sk) __attribute__ ((warn_unused_result)); -SODIUM_EXPORT -int crypto_box_curve25519xsalsa20poly1305_seed_keypair(unsigned char *pk, - unsigned char *sk, - const unsigned char *seed); - -SODIUM_EXPORT -int crypto_box_curve25519xsalsa20poly1305_keypair(unsigned char *pk, - unsigned char *sk); - -SODIUM_EXPORT -int crypto_box_curve25519xsalsa20poly1305_beforenm(unsigned char *k, - const unsigned char *pk, - const unsigned char *sk) - __attribute__ ((warn_unused_result)); - SODIUM_EXPORT int crypto_box_curve25519xsalsa20poly1305_afternm(unsigned char *c, const unsigned char *m, diff --git a/src/libsodium/include/sodium/crypto_core_salsa208.h b/src/libsodium/include/sodium/crypto_core_salsa208.h index 3c13efa4..876bda89 100644 
--- a/src/libsodium/include/sodium/crypto_core_salsa208.h +++ b/src/libsodium/include/sodium/crypto_core_salsa208.h @@ -10,19 +10,23 @@ extern "C" { #define crypto_core_salsa208_OUTPUTBYTES 64U SODIUM_EXPORT -size_t crypto_core_salsa208_outputbytes(void); +size_t crypto_core_salsa208_outputbytes(void) + __attribute__ ((deprecated)); #define crypto_core_salsa208_INPUTBYTES 16U SODIUM_EXPORT -size_t crypto_core_salsa208_inputbytes(void); +size_t crypto_core_salsa208_inputbytes(void) + __attribute__ ((deprecated)); #define crypto_core_salsa208_KEYBYTES 32U SODIUM_EXPORT -size_t crypto_core_salsa208_keybytes(void); +size_t crypto_core_salsa208_keybytes(void) + __attribute__ ((deprecated)); #define crypto_core_salsa208_CONSTBYTES 16U SODIUM_EXPORT -size_t crypto_core_salsa208_constbytes(void); +size_t crypto_core_salsa208_constbytes(void) + __attribute__ ((deprecated)); SODIUM_EXPORT int crypto_core_salsa208(unsigned char *out, const unsigned char *in, diff --git a/src/libsodium/include/sodium/crypto_pwhash.h b/src/libsodium/include/sodium/crypto_pwhash.h index 4a5309c4..d43932b2 100644 --- a/src/libsodium/include/sodium/crypto_pwhash.h +++ b/src/libsodium/include/sodium/crypto_pwhash.h @@ -94,6 +94,10 @@ size_t crypto_pwhash_opslimit_sensitive(void); SODIUM_EXPORT size_t crypto_pwhash_memlimit_sensitive(void); +/* + * With this function, do not forget to store all parameters, including the + * algorithm identifier in order to produce deterministic output. + */ SODIUM_EXPORT int crypto_pwhash(unsigned char * const out, unsigned long long outlen, const char * const passwd, unsigned long long passwdlen, 
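Review bot: Only the four size accessors in crypto_core_salsa208.h receive `__attribute__ ((deprecated))`; the declaration of `crypto_core_salsa208()` itself, visible as trailing context at the end of the hunk, is not tagged (its parameter list continues outside the hunk). If the intent is to deprecate the primitive rather than just its accessors, the function declaration should carry the same attribute, as that is the symbol new code would actually call. A short comment at the top of the block, `/* Salsa20/8 is deprecated; use crypto_core_salsa20 or crypto_core_hsalsa20 */`, would also tell the reader what to migrate to.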
@@ -101,18 +105,34 @@ int crypto_pwhash(unsigned char * const out, unsigned long long outlen, unsigned long long opslimit, size_t memlimit, int alg) __attribute__ ((warn_unused_result)); +/* + * The output string already includes all the required parameters, including + * the algorithm identifier. The string is all that has to be stored in + * order to verify a password. + */ SODIUM_EXPORT int crypto_pwhash_str(char out[crypto_pwhash_STRBYTES], const char * const passwd, unsigned long long passwdlen, unsigned long long opslimit, size_t memlimit) __attribute__ ((warn_unused_result)); +SODIUM_EXPORT +int crypto_pwhash_str_alg(char out[crypto_pwhash_STRBYTES], + const char * const passwd, unsigned long long passwdlen, + unsigned long long opslimit, size_t memlimit, int alg) + __attribute__ ((warn_unused_result)); + SODIUM_EXPORT int crypto_pwhash_str_verify(const char str[crypto_pwhash_STRBYTES], const char * const passwd, unsigned long long passwdlen) __attribute__ ((warn_unused_result)); +SODIUM_EXPORT +int crypto_pwhash_str_needs_rehash(const char str[crypto_pwhash_STRBYTES], + unsigned long long opslimit, size_t memlimit) + __attribute__ ((warn_unused_result)); + #define crypto_pwhash_PRIMITIVE "argon2i" SODIUM_EXPORT const char *crypto_pwhash_primitive(void) diff --git a/src/libsodium/include/sodium/crypto_pwhash_argon2i.h b/src/libsodium/include/sodium/crypto_pwhash_argon2i.h index fed96587..8e4c1c35 100644 --- a/src/libsodium/include/sodium/crypto_pwhash_argon2i.h +++ b/src/libsodium/include/sodium/crypto_pwhash_argon2i.h @@ -22,7 +22,7 @@ int crypto_pwhash_argon2i_alg_argon2i13(void); SODIUM_EXPORT size_t crypto_pwhash_argon2i_bytes_min(void); -#define crypto_pwhash_argon2i_BYTES_MAX 4294967295U +#define crypto_pwhash_argon2i_BYTES_MAX SODIUM_MIN(SODIUM_SIZE_MAX, 4294967295U) SODIUM_EXPORT size_t crypto_pwhash_argon2i_bytes_max(void); 
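Review bot: `crypto_pwhash_str_needs_rehash()` is declared with `warn_unused_result` but nothing states what the result means, and a natural implementation has three outcomes (parameters match, rehash needed, string not parseable); a caller that treats every non-zero value as "rehash" would silently accept a malformed stored string. Suggest a comment above the declaration, adjusted to what the implementation (not in this chunk) returns: `/* Returns 0 if str was produced with the given opslimit/memlimit, 1 if it should be rehashed, -1 if str is not a valid hash string. */`. `crypto_pwhash_str_alg()` should likewise say that `alg` selects the algorithm identifier embedded in the output string. The same undocumented return applies to the argon2i, argon2id and scryptsalsa208sha256 `_str_needs_rehash` hunks.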
@@ -58,7 +58,8 @@ size_t crypto_pwhash_argon2i_opslimit_max(void); SODIUM_EXPORT size_t crypto_pwhash_argon2i_memlimit_min(void); -#define crypto_pwhash_argon2i_MEMLIMIT_MAX ((SIZE_MAX >= 4398046510080U) ? 4398046510080U : (SIZE_MAX >= 2147483648U) ? 2147483648U : 32768U) +#define crypto_pwhash_argon2i_MEMLIMIT_MAX \ + ((SIZE_MAX >= 4398046510080U) ? 4398046510080U : (SIZE_MAX >= 2147483648U) ? 2147483648U : 32768U) SODIUM_EXPORT size_t crypto_pwhash_argon2i_memlimit_max(void); @@ -109,6 +110,11 @@ int crypto_pwhash_argon2i_str_verify(const char str[crypto_pwhash_argon2i_STRBYT unsigned long long passwdlen) __attribute__ ((warn_unused_result)); +SODIUM_EXPORT +int crypto_pwhash_argon2i_str_needs_rehash(const char str[crypto_pwhash_argon2i_STRBYTES], + unsigned long long opslimit, size_t memlimit) + __attribute__ ((warn_unused_result)); + #ifdef __cplusplus } #endif diff --git a/src/libsodium/include/sodium/crypto_pwhash_argon2id.h b/src/libsodium/include/sodium/crypto_pwhash_argon2id.h index 550fd6fd..51b17aa8 100644 --- a/src/libsodium/include/sodium/crypto_pwhash_argon2id.h +++ b/src/libsodium/include/sodium/crypto_pwhash_argon2id.h @@ -22,7 +22,7 @@ int crypto_pwhash_argon2id_alg_argon2id13(void); SODIUM_EXPORT size_t crypto_pwhash_argon2id_bytes_min(void); -#define crypto_pwhash_argon2id_BYTES_MAX 4294967295U +#define crypto_pwhash_argon2id_BYTES_MAX SODIUM_MIN(SODIUM_SIZE_MAX, 4294967295U) SODIUM_EXPORT size_t crypto_pwhash_argon2id_bytes_max(void); @@ -58,7 +58,8 @@ size_t crypto_pwhash_argon2id_opslimit_max(void); SODIUM_EXPORT size_t crypto_pwhash_argon2id_memlimit_min(void); -#define crypto_pwhash_argon2id_MEMLIMIT_MAX ((SIZE_MAX >= 4398046510080U) ? 4398046510080U : (SIZE_MAX >= 2147483648U) ? 2147483648U : 32768U) +#define crypto_pwhash_argon2id_MEMLIMIT_MAX \ + ((SIZE_MAX >= 4398046510080U) ? 4398046510080U : (SIZE_MAX >= 2147483648U) ? 2147483648U : 32768U) SODIUM_EXPORT size_t crypto_pwhash_argon2id_memlimit_max(void); 
@@ -109,6 +110,11 @@ int crypto_pwhash_argon2id_str_verify(const char str[crypto_pwhash_argon2id_STRB unsigned long long passwdlen) __attribute__ ((warn_unused_result)); +SODIUM_EXPORT +int crypto_pwhash_argon2id_str_needs_rehash(const char str[crypto_pwhash_argon2id_STRBYTES], + unsigned long long opslimit, size_t memlimit) + __attribute__ ((warn_unused_result)); + #ifdef __cplusplus } #endif diff --git a/src/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h b/src/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h index 9f693e54..951b87b9 100644 --- a/src/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h +++ b/src/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h @@ -18,7 +18,8 @@ extern "C" { SODIUM_EXPORT size_t crypto_pwhash_scryptsalsa208sha256_bytes_min(void); -#define crypto_pwhash_scryptsalsa208sha256_BYTES_MAX SIZE_MAX +#define crypto_pwhash_scryptsalsa208sha256_BYTES_MAX \ + SODIUM_MIN(SODIUM_SIZE_MAX, 0x1fffffffe0ULL) SODIUM_EXPORT size_t crypto_pwhash_scryptsalsa208sha256_bytes_max(void); @@ -26,7 +27,7 @@ size_t crypto_pwhash_scryptsalsa208sha256_bytes_max(void); SODIUM_EXPORT size_t crypto_pwhash_scryptsalsa208sha256_passwd_min(void); -#define crypto_pwhash_scryptsalsa208sha256_PASSWD_MAX SIZE_MAX +#define crypto_pwhash_scryptsalsa208sha256_PASSWD_MAX SODIUM_SIZE_MAX SODIUM_EXPORT size_t crypto_pwhash_scryptsalsa208sha256_passwd_max(void); @@ -54,7 +55,8 @@ size_t crypto_pwhash_scryptsalsa208sha256_opslimit_max(void); SODIUM_EXPORT size_t crypto_pwhash_scryptsalsa208sha256_memlimit_min(void); -#define crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_MAX ((SIZE_MAX >= 68719476736U) ? 68719476736U : SIZE_MAX) +#define crypto_pwhash_scryptsalsa208sha256_MEMLIMIT_MAX \ + SODIUM_MIN(SIZE_MAX, 68719476736ULL) SODIUM_EXPORT size_t crypto_pwhash_scryptsalsa208sha256_memlimit_max(void); 
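Review bot: `0x1fffffffe0ULL` in `crypto_pwhash_scryptsalsa208sha256_BYTES_MAX` is a magic number; it equals (2^32 - 1) * 32, the PBKDF2-HMAC-SHA256 output bound that scrypt inherits, and a comment saying so would keep it from being "corrected" later, e.g. `/* (2^32 - 1) * SHA-256 output size: the PBKDF2 derived-key limit */`. In the MEMLIMIT_MAX hunk below, `SODIUM_MIN(SIZE_MAX, 68719476736ULL)` keeps `SIZE_MAX` while the BYTES_MAX and PASSWD_MAX hunks switch to `SODIUM_SIZE_MAX`; if the two macros differ on any platform the choice should be stated, otherwise use the same one in all three defines for consistency.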
@@ -105,6 +107,12 @@ int crypto_pwhash_scryptsalsa208sha256_ll(const uint8_t * passwd, size_t passwdl uint8_t * buf, size_t buflen) __attribute__ ((warn_unused_result)); +SODIUM_EXPORT +int crypto_pwhash_scryptsalsa208sha256_str_needs_rehash(const char str[crypto_pwhash_scryptsalsa208sha256_STRBYTES], + unsigned long long opslimit, + size_t memlimit) + __attribute__ ((warn_unused_result)); + #ifdef __cplusplus } #endif diff --git a/src/libsodium/include/sodium/crypto_secretbox.h b/src/libsodium/include/sodium/crypto_secretbox.h index 9b098200..55e94a02 100644 --- a/src/libsodium/include/sodium/crypto_secretbox.h +++ b/src/libsodium/include/sodium/crypto_secretbox.h @@ -29,6 +29,10 @@ size_t crypto_secretbox_macbytes(void); SODIUM_EXPORT const char *crypto_secretbox_primitive(void); +#define crypto_secretbox_MESSAGEBYTES_MAX crypto_secretbox_xsalsa20poly1305_MESSAGEBYTES_MAX +SODIUM_EXPORT +size_t crypto_secretbox_messagebytes_max(void); + SODIUM_EXPORT int crypto_secretbox_easy(unsigned char *c, const unsigned char *m, unsigned long long mlen, const unsigned char *n, diff --git a/src/libsodium/include/sodium/crypto_secretbox_xchacha20poly1305.h b/src/libsodium/include/sodium/crypto_secretbox_xchacha20poly1305.h index 7a61a091..2919da16 100644 --- a/src/libsodium/include/sodium/crypto_secretbox_xchacha20poly1305.h +++ b/src/libsodium/include/sodium/crypto_secretbox_xchacha20poly1305.h @@ -2,6 +2,7 @@ #define crypto_secretbox_xchacha20poly1305_H #include +#include "crypto_stream_xchacha20.h" #include "export.h" #ifdef __cplusplus 
@@ -23,6 +24,11 @@ size_t crypto_secretbox_xchacha20poly1305_noncebytes(void); SODIUM_EXPORT size_t crypto_secretbox_xchacha20poly1305_macbytes(void); +#define crypto_secretbox_xchacha20poly1305_MESSAGEBYTES_MAX \ + (crypto_stream_xchacha20_MESSAGEBYTES_MAX - crypto_secretbox_xchacha20poly1305_MACBYTES) +SODIUM_EXPORT +size_t crypto_secretbox_xchacha20poly1305_messagebytes_max(void); + SODIUM_EXPORT int crypto_secretbox_xchacha20poly1305_easy(unsigned char *c, const unsigned char *m, diff --git a/src/libsodium/include/sodium/crypto_secretbox_xsalsa20poly1305.h b/src/libsodium/include/sodium/crypto_secretbox_xsalsa20poly1305.h index 5aa30805..4b8c7c8e 100644 --- a/src/libsodium/include/sodium/crypto_secretbox_xsalsa20poly1305.h +++ b/src/libsodium/include/sodium/crypto_secretbox_xsalsa20poly1305.h @@ -2,6 +2,7 @@ #define crypto_secretbox_xsalsa20poly1305_H #include +#include "crypto_stream_xsalsa20.h" #include "export.h" #ifdef __cplusplus @@ -23,15 +24,11 @@ size_t crypto_secretbox_xsalsa20poly1305_noncebytes(void); SODIUM_EXPORT size_t crypto_secretbox_xsalsa20poly1305_macbytes(void); -#define crypto_secretbox_xsalsa20poly1305_BOXZEROBYTES 16U +/* Only for the libsodium API - The NaCl compatibility API would require BOXZEROBYTES extra bytes */ +#define crypto_secretbox_xsalsa20poly1305_MESSAGEBYTES_MAX \ + (crypto_stream_xsalsa20_MESSAGEBYTES_MAX - crypto_secretbox_xsalsa20poly1305_MACBYTES) SODIUM_EXPORT -size_t crypto_secretbox_xsalsa20poly1305_boxzerobytes(void); - -#define crypto_secretbox_xsalsa20poly1305_ZEROBYTES \ - (crypto_secretbox_xsalsa20poly1305_BOXZEROBYTES + \ - crypto_secretbox_xsalsa20poly1305_MACBYTES) -SODIUM_EXPORT -size_t crypto_secretbox_xsalsa20poly1305_zerobytes(void); +size_t crypto_secretbox_xsalsa20poly1305_messagebytes_max(void); SODIUM_EXPORT int crypto_secretbox_xsalsa20poly1305(unsigned char *c, 
@@ -51,6 +48,18 @@ int crypto_secretbox_xsalsa20poly1305_open(unsigned char *m, SODIUM_EXPORT void crypto_secretbox_xsalsa20poly1305_keygen(unsigned char k[crypto_secretbox_xsalsa20poly1305_KEYBYTES]); +/* -- NaCl compatibility interface ; Requires padding -- */ + +#define crypto_secretbox_xsalsa20poly1305_BOXZEROBYTES 16U +SODIUM_EXPORT +size_t crypto_secretbox_xsalsa20poly1305_boxzerobytes(void); + +#define crypto_secretbox_xsalsa20poly1305_ZEROBYTES \ + (crypto_secretbox_xsalsa20poly1305_BOXZEROBYTES + \ + crypto_secretbox_xsalsa20poly1305_MACBYTES) +SODIUM_EXPORT +size_t crypto_secretbox_xsalsa20poly1305_zerobytes(void); + #ifdef __cplusplus } #endif diff --git a/src/libsodium/include/sodium/crypto_secretstream_xchacha20poly1305.h b/src/libsodium/include/sodium/crypto_secretstream_xchacha20poly1305.h new file mode 100644 index 00000000..7d3fa2a9 --- /dev/null +++ b/src/libsodium/include/sodium/crypto_secretstream_xchacha20poly1305.h 
@@ -0,0 +1,102 @@ +#ifndef crypto_secretstream_xchacha20poly1305_H +#define crypto_secretstream_xchacha20poly1305_H + +#include + +#include "crypto_aead_xchacha20poly1305.h" +#include "crypto_stream_chacha20.h" +#include "export.h" + +#ifdef __cplusplus +# ifdef __GNUC__ +# pragma GCC diagnostic ignored "-Wlong-long" +# endif +extern "C" { +#endif + +#define crypto_secretstream_xchacha20poly1305_ABYTES \ + (1U + crypto_aead_xchacha20poly1305_ietf_ABYTES) +SODIUM_EXPORT +size_t crypto_secretstream_xchacha20poly1305_abytes(void); + +#define crypto_secretstream_xchacha20poly1305_HEADERBYTES \ + crypto_aead_xchacha20poly1305_ietf_NPUBBYTES +SODIUM_EXPORT +size_t crypto_secretstream_xchacha20poly1305_headerbytes(void); + +#define crypto_secretstream_xchacha20poly1305_KEYBYTES \ + crypto_aead_xchacha20poly1305_ietf_KEYBYTES +SODIUM_EXPORT +size_t crypto_secretstream_xchacha20poly1305_keybytes(void); + +#define crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX \ + SODIUM_MIN(SODIUM_SIZE_MAX, ((1ULL << 32) - 2ULL) * 64ULL) +SODIUM_EXPORT +size_t crypto_secretstream_xchacha20poly1305_messagebytes_max(void); + +#define crypto_secretstream_xchacha20poly1305_TAG_MESSAGE 0x00 +SODIUM_EXPORT +unsigned char crypto_secretstream_xchacha20poly1305_tag_message(void); + +#define crypto_secretstream_xchacha20poly1305_TAG_PUSH 0x01 +SODIUM_EXPORT +unsigned char crypto_secretstream_xchacha20poly1305_tag_push(void); + +#define crypto_secretstream_xchacha20poly1305_TAG_REKEY 0x02 +SODIUM_EXPORT +unsigned char crypto_secretstream_xchacha20poly1305_tag_rekey(void); + +#define crypto_secretstream_xchacha20poly1305_TAG_FINAL \ + (crypto_secretstream_xchacha20poly1305_TAG_PUSH | \ + crypto_secretstream_xchacha20poly1305_TAG_REKEY) +SODIUM_EXPORT +unsigned char crypto_secretstream_xchacha20poly1305_tag_final(void); + +typedef struct crypto_secretstream_xchacha20poly1305_state { + unsigned char k[crypto_stream_chacha20_ietf_KEYBYTES]; + unsigned char 
nonce[crypto_stream_chacha20_ietf_NONCEBYTES]; + unsigned char _pad[8]; +} crypto_secretstream_xchacha20poly1305_state; + +SODIUM_EXPORT +size_t crypto_secretstream_xchacha20poly1305_statebytes(void); + +SODIUM_EXPORT +void crypto_secretstream_xchacha20poly1305_keygen + (unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES]); + +SODIUM_EXPORT +int crypto_secretstream_xchacha20poly1305_init_push + (crypto_secretstream_xchacha20poly1305_state *state, + unsigned char header[crypto_secretstream_xchacha20poly1305_HEADERBYTES], + const unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES]); + +SODIUM_EXPORT +int crypto_secretstream_xchacha20poly1305_push + (crypto_secretstream_xchacha20poly1305_state *state, + unsigned char *c, unsigned long long *clen_p, + const unsigned char *m, unsigned long long mlen, + const unsigned char *ad, unsigned long long adlen, unsigned char tag); + +SODIUM_EXPORT +int crypto_secretstream_xchacha20poly1305_init_pull + (crypto_secretstream_xchacha20poly1305_state *state, + const unsigned char header[crypto_secretstream_xchacha20poly1305_HEADERBYTES], + const unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES]); + +SODIUM_EXPORT +int crypto_secretstream_xchacha20poly1305_pull + (crypto_secretstream_xchacha20poly1305_state *state, + unsigned char *m, unsigned long long *mlen_p, unsigned char *tag_p, + const unsigned char *c, unsigned long long clen, + const unsigned char *ad, unsigned long long adlen); + +SODIUM_EXPORT +void crypto_secretstream_xchacha20poly1305_rekey + (crypto_secretstream_xchacha20poly1305_state *state); + +#ifdef __cplusplus +} +#endif + +#endif diff --git a/src/libsodium/include/sodium/crypto_sign.h b/src/libsodium/include/sodium/crypto_sign.h index b0335bf2..85aff0c9 100644 --- a/src/libsodium/include/sodium/crypto_sign.h +++ b/src/libsodium/include/sodium/crypto_sign.h 
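Review bot: The `crypto_secretstream_xchacha20poly1305_state` struct is published with bare `k`, `nonce` and `_pad` members and nothing marks it as opaque, so a caller can copy the key out or poke the nonce without any warning; a comment on the struct such as `/* Private: initialise only via init_push()/init_pull(); do not read or modify the members directly */` states the contract. `crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX` is `(2^32 - 2)` 64-byte blocks, two short of `crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX` defined later in this commit, and the constant should say why; presumably the two blocks are consumed by the Poly1305 key and the tag block, but the implementation is not in this chunk, so confirm before writing that. This hunk is a complete new file, so all declarations are visible here.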
@@ -41,6 +41,10 @@ size_t crypto_sign_publickeybytes(void); SODIUM_EXPORT size_t crypto_sign_secretkeybytes(void); +#define crypto_sign_MESSAGEBYTES_MAX crypto_sign_ed25519_MESSAGEBYTES_MAX +SODIUM_EXPORT +size_t crypto_sign_messagebytes_max(void); + #define crypto_sign_PRIMITIVE "ed25519" SODIUM_EXPORT const char *crypto_sign_primitive(void); diff --git a/src/libsodium/include/sodium/crypto_sign_ed25519.h b/src/libsodium/include/sodium/crypto_sign_ed25519.h index 17c150f2..38d2b9dd 100644 --- a/src/libsodium/include/sodium/crypto_sign_ed25519.h +++ b/src/libsodium/include/sodium/crypto_sign_ed25519.h @@ -35,6 +35,10 @@ size_t crypto_sign_ed25519_publickeybytes(void); SODIUM_EXPORT size_t crypto_sign_ed25519_secretkeybytes(void); +#define crypto_sign_ed25519_MESSAGEBYTES_MAX (SODIUM_SIZE_MAX - crypto_sign_ed25519_BYTES) +SODIUM_EXPORT +size_t crypto_sign_ed25519_messagebytes_max(void); + SODIUM_EXPORT int crypto_sign_ed25519(unsigned char *sm, unsigned long long *smlen_p, const unsigned char *m, unsigned long long mlen, diff --git a/src/libsodium/include/sodium/crypto_sign_edwards25519sha512batch.h b/src/libsodium/include/sodium/crypto_sign_edwards25519sha512batch.h index 2224a94e..4bb91924 100644 --- a/src/libsodium/include/sodium/crypto_sign_edwards25519sha512batch.h +++ b/src/libsodium/include/sodium/crypto_sign_edwards25519sha512batch.h @@ -25,6 +25,7 @@ extern "C" { #define crypto_sign_edwards25519sha512batch_BYTES 64U #define crypto_sign_edwards25519sha512batch_PUBLICKEYBYTES 32U #define crypto_sign_edwards25519sha512batch_SECRETKEYBYTES (32U + 32U) +#define crypto_sign_edwards25519sha512batch_MESSAGEBYTES_MAX (SODIUM_SIZE_MAX - crypto_sign_edwards25519sha512batch_BYTES) SODIUM_EXPORT int crypto_sign_edwards25519sha512batch(unsigned char *sm, diff --git a/src/libsodium/include/sodium/crypto_stream.h b/src/libsodium/include/sodium/crypto_stream.h index 22de6ff5..d288f0b6 100644 --- a/src/libsodium/include/sodium/crypto_stream.h 
+++ b/src/libsodium/include/sodium/crypto_stream.h @@ -29,6 +29,10 @@ size_t crypto_stream_keybytes(void); SODIUM_EXPORT size_t crypto_stream_noncebytes(void); +#define crypto_stream_MESSAGEBYTES_MAX crypto_stream_xsalsa20_MESSAGEBYTES_MAX +SODIUM_EXPORT +size_t crypto_stream_messagebytes_max(void); + #define crypto_stream_PRIMITIVE "xsalsa20" SODIUM_EXPORT const char *crypto_stream_primitive(void); diff --git a/src/libsodium/include/sodium/crypto_stream_aes128ctr.h b/src/libsodium/include/sodium/crypto_stream_aes128ctr.h index 33ee1b89..a65f1915 100644 --- a/src/libsodium/include/sodium/crypto_stream_aes128ctr.h +++ b/src/libsodium/include/sodium/crypto_stream_aes128ctr.h @@ -31,6 +31,9 @@ size_t crypto_stream_aes128ctr_noncebytes(void); SODIUM_EXPORT size_t crypto_stream_aes128ctr_beforenmbytes(void); +#define crypto_stream_aes128ctr_SIZE_MAX \ + SODIUM_MIN(SODIUM_SIZE_MAX, 16ULL * (1ULL << 32)) + SODIUM_EXPORT int crypto_stream_aes128ctr(unsigned char *out, unsigned long long outlen, const unsigned char *n, const unsigned char *k) diff --git a/src/libsodium/include/sodium/crypto_stream_chacha20.h b/src/libsodium/include/sodium/crypto_stream_chacha20.h index 352b9290..d3e2b234 100644 --- a/src/libsodium/include/sodium/crypto_stream_chacha20.h +++ b/src/libsodium/include/sodium/crypto_stream_chacha20.h @@ -28,6 +28,10 @@ size_t crypto_stream_chacha20_keybytes(void); SODIUM_EXPORT size_t crypto_stream_chacha20_noncebytes(void); +#define crypto_stream_chacha20_MESSAGEBYTES_MAX SODIUM_SIZE_MAX +SODIUM_EXPORT +size_t crypto_stream_chacha20_messagebytes_max(void); + /* ChaCha20 with a 64-bit nonce and a 64-bit counter, as originally designed */ SODIUM_EXPORT 
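Review bot: In the crypto_stream_aes128ctr.h hunk the new limit is named `crypto_stream_aes128ctr_SIZE_MAX` and has no accessor function, whereas every other stream header in this commit adds a `*_MESSAGEBYTES_MAX` macro paired with a `size_t *_messagebytes_max(void);` function. If the different name is deliberate, a comment saying so would stop the next person from "fixing" it; otherwise renaming to `crypto_stream_aes128ctr_MESSAGEBYTES_MAX` and adding `size_t crypto_stream_aes128ctr_messagebytes_max(void);` keeps the API uniform and lets bindings discover the limit at run time. The value `16ULL * (1ULL << 32)` reads as 2^32 blocks of 16 bytes, presumably a 32-bit block counter; a comment with that arithmetic would help, once confirmed against the implementation.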
@@ -58,6 +62,11 @@ size_t crypto_stream_chacha20_ietf_keybytes(void); SODIUM_EXPORT size_t crypto_stream_chacha20_ietf_noncebytes(void); +#define crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX \ + SODIUM_MIN(SODIUM_SIZE_MAX, 64ULL * (1ULL << 32)) +SODIUM_EXPORT +size_t crypto_stream_chacha20_ietf_messagebytes_max(void); + SODIUM_EXPORT int crypto_stream_chacha20_ietf(unsigned char *c, unsigned long long clen, const unsigned char *n, const unsigned char *k); @@ -80,6 +89,7 @@ void crypto_stream_chacha20_ietf_keygen(unsigned char k[crypto_stream_chacha20_i #define crypto_stream_chacha20_IETF_KEYBYTES crypto_stream_chacha20_ietf_KEYBYTES #define crypto_stream_chacha20_IETF_NONCEBYTES crypto_stream_chacha20_ietf_NONCEBYTES +#define crypto_stream_chacha20_IETF_MESSAGEBYTES_MAX crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX #ifdef __cplusplus } diff --git a/src/libsodium/include/sodium/crypto_stream_salsa20.h b/src/libsodium/include/sodium/crypto_stream_salsa20.h index 961e5c1c..0c7688c7 100644 --- a/src/libsodium/include/sodium/crypto_stream_salsa20.h +++ b/src/libsodium/include/sodium/crypto_stream_salsa20.h @@ -28,6 +28,10 @@ size_t crypto_stream_salsa20_keybytes(void); SODIUM_EXPORT size_t crypto_stream_salsa20_noncebytes(void); +#define crypto_stream_salsa20_MESSAGEBYTES_MAX SODIUM_SIZE_MAX +SODIUM_EXPORT +size_t crypto_stream_salsa20_messagebytes_max(void); + SODIUM_EXPORT int crypto_stream_salsa20(unsigned char *c, unsigned long long clen, const unsigned char *n, const unsigned char *k); diff --git a/src/libsodium/include/sodium/crypto_stream_salsa2012.h b/src/libsodium/include/sodium/crypto_stream_salsa2012.h index d5c44282..c93d1c81 100644 --- a/src/libsodium/include/sodium/crypto_stream_salsa2012.h +++ b/src/libsodium/include/sodium/crypto_stream_salsa2012.h 
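Review bot: `crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX` is set to `64ULL * (1ULL << 32)` without saying why, while `crypto_stream_chacha20_MESSAGEBYTES_MAX` a few lines earlier is `SODIUM_SIZE_MAX`; the difference is the IETF variant's 32-bit block counter (2^32 blocks of 64 bytes) against the 64-bit counter of the original construction. A comment `/* 2^32 blocks of 64 bytes: the IETF variant has a 32-bit block counter */` next to the macro records this, and the same rationale belongs next to `crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX` in the new secretstream header. The limit assumes the stream starts at block 0; if the header offers an entry point with an explicit initial counter, callers starting later get correspondingly less, which the comment could mention.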
@@ -27,6 +27,10 @@ size_t crypto_stream_salsa2012_keybytes(void); SODIUM_EXPORT size_t crypto_stream_salsa2012_noncebytes(void); +#define crypto_stream_salsa2012_MESSAGEBYTES_MAX SODIUM_SIZE_MAX +SODIUM_EXPORT +size_t crypto_stream_salsa2012_messagebytes_max(void); + SODIUM_EXPORT int crypto_stream_salsa2012(unsigned char *c, unsigned long long clen, const unsigned char *n, const unsigned char *k); diff --git a/src/libsodium/include/sodium/crypto_stream_salsa208.h b/src/libsodium/include/sodium/crypto_stream_salsa208.h index 02b4166e..653f6504 100644 --- a/src/libsodium/include/sodium/crypto_stream_salsa208.h +++ b/src/libsodium/include/sodium/crypto_stream_salsa208.h @@ -21,23 +21,33 @@ extern "C" { #define crypto_stream_salsa208_KEYBYTES 32U SODIUM_EXPORT -size_t crypto_stream_salsa208_keybytes(void); +size_t crypto_stream_salsa208_keybytes(void) + __attribute__ ((deprecated)); #define crypto_stream_salsa208_NONCEBYTES 8U SODIUM_EXPORT -size_t crypto_stream_salsa208_noncebytes(void); +size_t crypto_stream_salsa208_noncebytes(void) + __attribute__ ((deprecated)); + +#define crypto_stream_salsa208_MESSAGEBYTES_MAX SODIUM_SIZE_MAX + SODIUM_EXPORT +size_t crypto_stream_salsa208_messagebytes_max(void) + __attribute__ ((deprecated)); SODIUM_EXPORT int crypto_stream_salsa208(unsigned char *c, unsigned long long clen, - const unsigned char *n, const unsigned char *k); + const unsigned char *n, const unsigned char *k) + __attribute__ ((deprecated)); SODIUM_EXPORT int crypto_stream_salsa208_xor(unsigned char *c, const unsigned char *m, unsigned long long mlen, const unsigned char *n, - const unsigned char *k); + const unsigned char *k) + __attribute__ ((deprecated)); SODIUM_EXPORT -void crypto_stream_salsa208_keygen(unsigned char k[crypto_stream_salsa208_KEYBYTES]); +void crypto_stream_salsa208_keygen(unsigned char k[crypto_stream_salsa208_KEYBYTES]) + __attribute__ ((deprecated)); #ifdef __cplusplus } 
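Review bot: The `__attribute__ ((deprecated))` markers in the salsa208 hunk carry no message, so the warning a user sees names the function but not what to migrate to. GCC and Clang accept `__attribute__ ((deprecated("message")))`, e.g. `__attribute__ ((deprecated("crypto_stream_salsa208 is deprecated; use another crypto_stream_* primitive")))`, at the cost of a small shim for compilers that only know the bare form (the public headers presumably already neutralise `__attribute__` for non-GNU compilers, as the existing `warn_unused_result` usage implies, but that is not visible here). The new `crypto_stream_salsa208_MESSAGEBYTES_MAX` define is also separated from its `SODIUM_EXPORT` accessor by a blank line, unlike every other header in this commit.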
diff --git a/src/libsodium/include/sodium/crypto_stream_xchacha20.h b/src/libsodium/include/sodium/crypto_stream_xchacha20.h index f884798e..cf0407ff 100644 --- a/src/libsodium/include/sodium/crypto_stream_xchacha20.h +++ b/src/libsodium/include/sodium/crypto_stream_xchacha20.h @@ -28,6 +28,10 @@ size_t crypto_stream_xchacha20_keybytes(void); SODIUM_EXPORT size_t crypto_stream_xchacha20_noncebytes(void); +#define crypto_stream_xchacha20_MESSAGEBYTES_MAX SODIUM_SIZE_MAX +SODIUM_EXPORT +size_t crypto_stream_xchacha20_messagebytes_max(void); + SODIUM_EXPORT int crypto_stream_xchacha20(unsigned char *c, unsigned long long clen, const unsigned char *n, const unsigned char *k); diff --git a/src/libsodium/include/sodium/crypto_stream_xsalsa20.h b/src/libsodium/include/sodium/crypto_stream_xsalsa20.h index ed5ae3c3..cb4c44a8 100644 --- a/src/libsodium/include/sodium/crypto_stream_xsalsa20.h +++ b/src/libsodium/include/sodium/crypto_stream_xsalsa20.h @@ -28,6 +28,10 @@ size_t crypto_stream_xsalsa20_keybytes(void); SODIUM_EXPORT size_t crypto_stream_xsalsa20_noncebytes(void); +#define crypto_stream_xsalsa20_MESSAGEBYTES_MAX SODIUM_SIZE_MAX +SODIUM_EXPORT +size_t crypto_stream_xsalsa20_messagebytes_max(void); + SODIUM_EXPORT int crypto_stream_xsalsa20(unsigned char *c, unsigned long long clen, const unsigned char *n, const unsigned char *k); diff --git a/src/libsodium/include/sodium/export.h b/src/libsodium/include/sodium/export.h index c33bced8..0f624ae3 100644 --- a/src/libsodium/include/sodium/export.h +++ b/src/libsodium/include/sodium/export.h @@ -11,6 +11,7 @@ #ifdef SODIUM_STATIC # define SODIUM_EXPORT +# define SODIUM_EXPORT_WEAK #else # if defined(_MSC_VER) # ifdef SODIUM_DLL_EXPORT 
@@ -31,6 +32,11 @@ # define SODIUM_EXPORT __attribute__ ((visibility ("default"))) # endif # endif +# if defined(__ELF__) && !defined(SODIUM_DISABLE_WEAK_FUNCTIONS) +# define SODIUM_EXPORT_WEAK SODIUM_EXPORT __attribute__((weak)) +# else +# define SODIUM_EXPORT_WEAK SODIUM_EXPORT +# endif #endif #ifndef CRYPTO_ALIGN @@ -41,4 +47,7 @@ # endif #endif +#define SODIUM_MIN(A, B) ((A) < (B) ? (A) : (B)) +#define SODIUM_SIZE_MAX SODIUM_MIN(UINT64_MAX, SIZE_MAX) + #endif diff --git a/src/libsodium/include/sodium/private/common.h b/src/libsodium/include/sodium/private/common.h index 5e27e574..7e9919fd 100644 --- a/src/libsodium/include/sodium/private/common.h +++ b/src/libsodium/include/sodium/private/common.h @@ -177,6 +177,17 @@ store32_be(uint8_t dst[4], uint32_t w) #endif } +#define XOR_BUF(OUT, IN, N) xor_buf((OUT), (IN), (N)) +static inline void +xor_buf(unsigned char *out, const unsigned char *in, size_t n) +{ + size_t i; + + for (i = 0; i < n; i++) { + out[i] ^= in[i]; + } +} + #ifndef __GNUC__ # ifdef __attribute__ # undef __attribute__ diff --git a/src/libsodium/include/sodium/private/curve25519_ref10.h b/src/libsodium/include/sodium/private/curve25519_ref10.h index 2b9caeb1..18780028 100644 --- a/src/libsodium/include/sodium/private/curve25519_ref10.h +++ b/src/libsodium/include/sodium/private/curve25519_ref10.h 
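Review bot: `SODIUM_MIN(A, B)` in the export.h hunk evaluates both arguments twice, and `SODIUM_SIZE_MAX` expands to a comparison of `UINT64_MAX` and `SIZE_MAX`; both are only meant for integer constant expressions (every use in this commit is inside a `#define` or a `COMPILER_ASSERT`), which the header should say so nobody writes `SODIUM_MIN(f(), g())`. A comment such as `/* For integer constant expressions only: arguments are evaluated twice */` above the macro covers it. `SODIUM_SIZE_MAX` also relies on `UINT64_MAX` and `SIZE_MAX` being in scope in every public header that uses it, and the export.h hunk shows no `<stdint.h>` include, so confirm that export.h itself includes it rather than depending on include order.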
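Review bot: In the private/common.h hunk the `XOR_BUF(OUT, IN, N)` macro is a plain pass-through to `xor_buf()` and adds nothing over calling the inline function directly, while `xor_buf()` itself has no comment on its aliasing contract. `out == in` is well defined (it zeroes the buffer) but partially overlapping buffers give position-dependent results; a comment such as `/* out[i] ^= in[i] for i < n; out and in may be identical but must not partially overlap */` states what callers may rely on. If the macro exists for a planned SIMD or constant-time replacement, say so in a comment, otherwise drop it.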
@@ -19,36 +19,26 @@ typedef int32_t fe[10]; #define fe_tobytes crypto_core_curve25519_ref10_fe_tobytes #define fe_copy crypto_core_curve25519_ref10_fe_copy #define fe_isnonzero crypto_core_curve25519_ref10_fe_isnonzero -#define fe_isnegative crypto_core_curve25519_ref10_fe_isnegative #define fe_0 crypto_core_curve25519_ref10_fe_0 #define fe_1 crypto_core_curve25519_ref10_fe_1 -#define fe_cmov crypto_core_curve25519_ref10_fe_cmov #define fe_add crypto_core_curve25519_ref10_fe_add #define fe_sub crypto_core_curve25519_ref10_fe_sub -#define fe_neg crypto_core_curve25519_ref10_fe_neg #define fe_mul crypto_core_curve25519_ref10_fe_mul #define fe_sq crypto_core_curve25519_ref10_fe_sq -#define fe_sq2 crypto_core_curve25519_ref10_fe_sq2 #define fe_invert crypto_core_curve25519_ref10_fe_invert -#define fe_pow22523 crypto_core_curve25519_ref10_fe_pow22523 extern void fe_frombytes(fe,const unsigned char *); extern void fe_tobytes(unsigned char *,const fe); extern void fe_copy(fe,const fe); extern int fe_isnonzero(const fe); -extern int fe_isnegative(const fe); extern void fe_0(fe); extern void fe_1(fe); -extern void fe_cmov(fe,const fe,unsigned int); extern void fe_add(fe,const fe,const fe); extern void fe_sub(fe,const fe,const fe); -extern void fe_neg(fe,const fe); extern void fe_mul(fe,const fe,const fe); extern void fe_sq(fe,const fe); -extern void fe_sq2(fe,const fe); extern void fe_invert(fe,const fe); -extern void fe_pow22523(fe,const fe); /* ge means group element. 
@@ -106,45 +96,27 @@ typedef struct { #define ge_tobytes crypto_core_curve25519_ref10_ge_tobytes #define ge_p3_tobytes crypto_core_curve25519_ref10_ge_p3_tobytes -#define ge_p2_0 crypto_core_curve25519_ref10_ge_p2_0 -#define ge_p3_0 crypto_core_curve25519_ref10_ge_p3_0 -#define ge_precomp_0 crypto_core_curve25519_ref10_ge_precomp_0 -#define ge_p3_to_p2 crypto_core_curve25519_ref10_ge_p3_to_p2 #define ge_p3_to_cached crypto_core_curve25519_ref10_ge_p3_to_cached #define ge_p1p1_to_p2 crypto_core_curve25519_ref10_ge_p1p1_to_p2 -#define ge_p1p1_to_p3 crypto_core_curve25519_ref10_ge_p1p1_to_p3 -#define ge_p2_dbl crypto_core_curve25519_ref10_ge_p2_dbl -#define ge_p3_dbl crypto_core_curve25519_ref10_ge_p3_dbl -#define ge_madd crypto_core_curve25519_ref10_ge_madd -#define ge_msub crypto_core_curve25519_ref10_ge_msub #define ge_add crypto_core_curve25519_ref10_ge_add -#define ge_sub crypto_core_curve25519_ref10_ge_sub #define ge_scalarmult_base crypto_core_curve25519_ref10_ge_scalarmult_base #define ge_double_scalarmult_vartime crypto_core_curve25519_ref10_ge_double_scalarmult_vartime #define ge_scalarmult_vartime crypto_core_curve25519_ref10_ge_scalarmult_vartime +#define ge_mul_l crypto_core_curve25519_ref10_ge_mul_l extern void ge_tobytes(unsigned char *,const ge_p2 *); extern void ge_p3_tobytes(unsigned char *,const ge_p3 *); extern int ge_frombytes_negate_vartime(ge_p3 *,const unsigned char *); -extern void ge_p2_0(ge_p2 *); -extern void ge_p3_0(ge_p3 *); -extern void ge_precomp_0(ge_precomp *); -extern void ge_p3_to_p2(ge_p2 *,const ge_p3 *); extern void ge_p3_to_cached(ge_cached *,const ge_p3 *); extern void ge_p1p1_to_p2(ge_p2 *,const ge_p1p1 *); -extern void ge_p1p1_to_p3(ge_p3 *,const ge_p1p1 *); -extern void ge_p2_dbl(ge_p1p1 *,const ge_p2 *); -extern void ge_p3_dbl(ge_p1p1 *,const ge_p3 *); -extern void ge_madd(ge_p1p1 *,const ge_p3 *,const ge_precomp *); -extern void ge_msub(ge_p1p1 *,const ge_p3 *,const ge_precomp *); extern void ge_add(ge_p1p1 *,const ge_p3 
*,const ge_cached *); -extern void ge_sub(ge_p1p1 *,const ge_p3 *,const ge_cached *); extern void ge_scalarmult_base(ge_p3 *,const unsigned char *); extern void ge_double_scalarmult_vartime(ge_p2 *,const unsigned char *,const ge_p3 *,const unsigned char *); extern void ge_scalarmult_vartime(ge_p3 *,const unsigned char *,const ge_p3 *); +extern void ge_mul_l(ge_p3 *r, const ge_p3 *A); /* The set of scalars is \Z/l diff --git a/src/libsodium/include/sodium/randombytes.h b/src/libsodium/include/sodium/randombytes.h index d112fb29..d19f684e 100644 --- a/src/libsodium/include/sodium/randombytes.h +++ b/src/libsodium/include/sodium/randombytes.h @@ -25,6 +25,8 @@ typedef struct randombytes_implementation { int (*close)(void); /* optional */ } randombytes_implementation; +#define randombytes_BYTES_MAX SODIUM_MIN(SODIUM_SIZE_MAX, 0xffffffffUL) + #define randombytes_SEEDBYTES 32U SODIUM_EXPORT size_t randombytes_seedbytes(void); diff --git a/src/libsodium/include/sodium/runtime.h b/src/libsodium/include/sodium/runtime.h index 76859ea0..d35083d9 100644 --- a/src/libsodium/include/sodium/runtime.h +++ b/src/libsodium/include/sodium/runtime.h @@ -8,31 +8,34 @@ extern "C" { #endif -SODIUM_EXPORT +SODIUM_EXPORT_WEAK int sodium_runtime_has_neon(void); -SODIUM_EXPORT +SODIUM_EXPORT_WEAK int sodium_runtime_has_sse2(void); -SODIUM_EXPORT +SODIUM_EXPORT_WEAK int sodium_runtime_has_sse3(void); -SODIUM_EXPORT +SODIUM_EXPORT_WEAK int sodium_runtime_has_ssse3(void); -SODIUM_EXPORT +SODIUM_EXPORT_WEAK int sodium_runtime_has_sse41(void); -SODIUM_EXPORT +SODIUM_EXPORT_WEAK int sodium_runtime_has_avx(void); -SODIUM_EXPORT +SODIUM_EXPORT_WEAK int sodium_runtime_has_avx2(void); -SODIUM_EXPORT +SODIUM_EXPORT_WEAK +int sodium_runtime_has_avx512f(void); + +SODIUM_EXPORT_WEAK int sodium_runtime_has_pclmul(void); -SODIUM_EXPORT +SODIUM_EXPORT_WEAK int sodium_runtime_has_aesni(void); /* ------------------------------------------------------------------------- */ 
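Review bot: The new `extern void ge_mul_l(ge_p3 *r, const ge_p3 *A);` prototype names its parameters while every neighbouring prototype in the curve25519_ref10.h hunk is unnamed (`extern void ge_add(ge_p1p1 *,const ge_p3 *,const ge_cached *);`), and nothing says what the function computes. Matching the local style and adding the intent, e.g. `/* r = l * A, l being the group order -- confirm against the implementation */`, keeps the private header consistent and tells a reader why a multiply-by-order routine exists (presumably a small-order / subgroup check, which the implementation, not in this chunk, would confirm). The many `fe_*`/`ge_*` removals in this and the previous hunk presumably reflect functions that became file-local, which is fine as long as no out-of-tree code relied on this private header.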
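Review bot: Switching every `sodium_runtime_has_*()` declaration to `SODIUM_EXPORT_WEAK` makes the CPU-feature probes overridable by any object linked into the process on ELF targets, and neither the runtime.h hunk nor the export.h hunk says why or what an override must guarantee. If the intent is to let applications or test harnesses stub them out, a comment should state that an override reporting an instruction set the CPU lacks will presumably send the library down a code path that faults with an illegal instruction, and that `SODIUM_DISABLE_WEAK_FUNCTIONS` restores strong symbols; e.g. `/* Weak on ELF so an application may override CPU-feature detection; an override must never report a feature the CPU does not have. Define SODIUM_DISABLE_WEAK_FUNCTIONS to make these strong. */`. The new `sodium_runtime_has_avx512f()` follows the existing pattern and needs no further change.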
diff --git a/src/libsodium/include/sodium/utils.h b/src/libsodium/include/sodium/utils.h index 0a7aadb4..a4b4a1cf 100644 --- a/src/libsodium/include/sodium/utils.h +++ b/src/libsodium/include/sodium/utils.h @@ -61,6 +61,34 @@ int sodium_hex2bin(unsigned char * const bin, const size_t bin_maxlen, const char * const ignore, size_t * const bin_len, const char ** const hex_end); +#define sodium_base64_VARIANT_ORIGINAL 1 +#define sodium_base64_VARIANT_ORIGINAL_NO_PADDING 3 +#define sodium_base64_VARIANT_URLSAFE 5 +#define sodium_base64_VARIANT_URLSAFE_NO_PADDING 7 + +/* + * Computes the required length to encode BIN_LEN bytes as a base64 string + * using the given variant. The computed length includes a trailing \0. + */ +#define sodium_base64_ENCODED_LEN(BIN_LEN, VARIANT) \ + (((BIN_LEN) / 3U) * 4U + \ + ((((BIN_LEN) - ((BIN_LEN) / 3U) * 3U) | (((BIN_LEN) - ((BIN_LEN) / 3U) * 3U) >> 1)) & 1U) * \ + (4U - (~((((VARIANT) & 2U) >> 1) - 1U) & (3U - ((BIN_LEN) - ((BIN_LEN) / 3U) * 3U)))) + 1U) + +SODIUM_EXPORT +size_t sodium_base64_encoded_len(const size_t bin_len, const int variant); + +SODIUM_EXPORT +char *sodium_bin2base64(char * const b64, const size_t b64_maxlen, + const unsigned char * const bin, const size_t bin_len, + const int variant); + +SODIUM_EXPORT +int sodium_base642bin(unsigned char * const bin, const size_t bin_maxlen, + const char * const b64, const size_t b64_len, + const char * const ignore, size_t * const bin_len, + const char ** const b64_end, const int variant); + SODIUM_EXPORT int sodium_mlock(void * const addr, const size_t len); 
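Review bot: The four `sodium_base64_VARIANT_*` constants (1, 3, 5, 7) encode a bit layout, bit 1 selecting no padding and bit 2 the URL-safe alphabet, which `sodium_base64_ENCODED_LEN` depends on via `(VARIANT) & 2U`, but nothing in the header says so, and the macro evaluates `BIN_LEN` seven times, so it must never be given an expression with side effects. Suggested comments: `/* bit 1 (value 2): omit padding; bit 2 (value 4): URL-safe alphabet */` above the variants, and `Arguments are evaluated several times: pass constants, or use sodium_base64_encoded_len() at run time.` appended to the existing macro comment. Whether `sodium_base642bin()` rejects non-canonical input for the chosen variant is also worth stating in the header once the implementation (not in this chunk) confirms it.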
@@ -120,6 +148,14 @@ int sodium_mprotect_readonly(void *ptr); SODIUM_EXPORT int sodium_mprotect_readwrite(void *ptr); +SODIUM_EXPORT +int sodium_pad(size_t *padded_buflen_p, unsigned char *buf, + size_t unpadded_buflen, size_t blocksize, size_t max_buflen); + +SODIUM_EXPORT +int sodium_unpad(size_t *unpadded_buflen_p, const unsigned char *buf, + size_t padded_buflen, size_t blocksize); + /* -------- */ int _sodium_alloc_init(void); diff --git a/src/libsodium/randombytes/nativeclient/randombytes_nativeclient.c b/src/libsodium/randombytes/nativeclient/randombytes_nativeclient.c index 468cd653..85ffa9b2 100644 --- a/src/libsodium/randombytes/nativeclient/randombytes_nativeclient.c +++ b/src/libsodium/randombytes/nativeclient/randombytes_nativeclient.c @@ -6,6 +6,7 @@ #ifdef __native_client__ # include +# include "core.h" # include "utils.h" # include "randombytes.h" # include "randombytes_nativeclient.h" @@ -20,12 +21,12 @@ randombytes_nativeclient_buf(void * const buf, const size_t size) if (nacl_interface_query(NACL_IRT_RANDOM_v0_1, &rand_intf, sizeof rand_intf) != sizeof rand_intf) { - abort(); + sodium_misuse(); } while (toread > (size_t) 0U) { if (rand_intf.get_random_bytes(buf_, size, &readnb) != 0 || readnb > size) { - abort(); + sodium_misuse(); } toread -= readnb; buf_ += readnb; diff --git a/src/libsodium/randombytes/randombytes.c b/src/libsodium/randombytes/randombytes.c index b1926dda..708616b8 100644 --- a/src/libsodium/randombytes/randombytes.c +++ b/src/libsodium/randombytes/randombytes.c @@ -10,6 +10,7 @@ # include #endif +#include "core.h" #include "crypto_stream_chacha20.h" #include "randombytes.h" #ifdef RANDOMBYTES_DEFAULT_IMPLEMENTATION 
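Review bot: `sodium_pad()` and `sodium_unpad()` are declared without any comment on the padding scheme, the role of `max_buflen`, or the return convention, which matters because the caller is responsible for sizing `buf` so the padded data fits. A short block above the two prototypes along the lines of "`buf` must have room for `max_buflen` bytes; on success `*padded_buflen_p` receives the padded length, a multiple of `blocksize`; returns 0 on success and a non-zero value if the padded data would not fit", with the scheme name and the exact return values taken from the implementation (not in this chunk), makes the contract checkable at the call site. Whether `sodium_unpad()` fails on malformed padding is also worth recording once the implementation confirms it.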
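Review bot: Replacing `abort()` with `sodium_misuse()` in the `randombytes_nativeclient_buf()` failure paths only preserves the previous guarantee if `sodium_misuse()` can never return: here execution would otherwise fall through to the `while` loop and call `rand_intf.get_random_bytes` through an uninitialised interface, and in the sibling hunks (`randombytes_buf_deterministic` on L184, the `randombytes_salsa20_random_*` functions on L184–L185, the `randombytes_sysrandom_*` functions on L186–L187) it would continue with an unfilled or partially filled random buffer, i.e. predictable key material. `core.h`, which declares `sodium_misuse()`, is not in this chunk, so confirm that it is marked `noreturn` and that an application-installed misuse handler which returns still ends in `abort()`; a `/* does not return */` comment at these call sites, or the attribute on the declaration, documents the assumption the RNG code now relies on. The `abort()` deliberately kept for the `crypto_generichash()` failure in `randombytes_salsa20_random_stir()` shows the author drawing exactly that distinction, so it is worth making explicit. `randombytes_nativeclient_buf()` starts before this hunk.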
@@ -93,22 +94,22 @@ randombytes_stir(void) EM_ASM({ if (Module.getRandomValue === undefined) { try { - var window_ = "object" === typeof window ? window : self, - crypto_ = typeof window_.crypto !== "undefined" ? window_.crypto : window_.msCrypto, - randomValuesStandard = function() { - var buf = new Uint32Array(1); - crypto_.getRandomValues(buf); - return buf[0] >>> 0; - }; + var window_ = 'object' === typeof window ? window : self; + var crypto_ = typeof window_.crypto !== 'undefined' ? window_.crypto : window_.msCrypto; + var randomValuesStandard = function() { + var buf = new Uint32Array(1); + crypto_.getRandomValues(buf); + return buf[0] >>> 0; + }; randomValuesStandard(); Module.getRandomValue = randomValuesStandard; } catch (e) { try { - var crypto = require('crypto'), - randomValueNodeJS = function() { - var buf = crypto.randomBytes(4); - return (buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3]) >>> 0; - }; + var crypto = require('crypto'); + var randomValueNodeJS = function() { + var buf = crypto.randomBytes(4); + return (buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3]) >>> 0; + }; randomValueNodeJS(); Module.getRandomValue = randomValueNodeJS; } catch (e) { @@ -135,10 +136,12 @@ randombytes_uniform(const uint32_t upper_bound) if (upper_bound < 2) { return 0; } - min = (1U + ~upper_bound) % upper_bound; + min = (1U + ~upper_bound) % upper_bound; /* = 2**32 mod upper_bound */ do { r = randombytes_random(); } while (r < min); + /* r is now clamped to a set whose size mod upper_bound == 0 + * the worst case (2**31+1) requires ~ 2 attempts */ return r % upper_bound; } 
@@ -171,8 +174,9 @@ randombytes_buf_deterministic(void * const buf, const size_t size, COMPILER_ASSERT(randombytes_SEEDBYTES == crypto_stream_chacha20_ietf_KEYBYTES); #if SIZE_MAX > 0x4000000000ULL + COMPILER_ASSERT(randombytes_BYTES_MAX <= 0x4000000000ULL); if (size > 0x4000000000ULL) { - abort(); + sodium_misuse(); } #endif crypto_stream_chacha20_ietf((unsigned char *) buf, (unsigned long long) size, diff --git a/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c b/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c index a2261952..3b06d9c6 100644 --- a/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c +++ b/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c @@ -25,13 +25,14 @@ # include #endif +#include "core.h" #include "crypto_core_salsa20.h" #include "crypto_generichash.h" #include "crypto_stream_salsa20.h" +#include "private/common.h" #include "randombytes.h" #include "randombytes_salsa20_random.h" #include "utils.h" -#include "private/common.h" #ifdef _WIN32 # include @@ -98,7 +99,7 @@ sodium_hrtime(void) struct timeval tv; if (gettimeofday(&tv, NULL) != 0) { - abort(); /* LCOV_EXCL_LINE */ + sodium_misuse(); /* LCOV_EXCL_LINE */ } ts = ((uint64_t) tv.tv_sec) * 1000000U + (uint64_t) tv.tv_usec; } @@ -172,7 +173,7 @@ randombytes_salsa20_random_random_dev_open(void) # endif "/dev/random", NULL }; - const char ** device = devices; + const char **device = devices; int fd; # if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) && !defined(NO_BLOCKING_RANDOM_POLL) @@ -277,7 +278,7 @@ randombytes_salsa20_random_init(void) if ((stream.random_data_source_fd = randombytes_salsa20_random_random_dev_open()) == -1) { - abort(); /* LCOV_EXCL_LINE */ + sodium_misuse(); /* LCOV_EXCL_LINE */ } errno = errno_save; # endif /* HAVE_SAFE_ARC4RANDOM */ 
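Review bot: In the `randombytes_buf_deterministic()` hunk the literal `0x4000000000ULL` appears in the `#if`, the new `COMPILER_ASSERT` and the `if`, yet it is exactly `crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX` (`64ULL * (1ULL << 32)` in crypto_stream_chacha20.h from this same commit), which is the real reason for the cap since `size` is passed straight to `crypto_stream_chacha20_ietf()`. Writing `COMPILER_ASSERT(randombytes_BYTES_MAX <= crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX);` and `if (size > crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX) {` ties the check to the cipher's limit so a later change to either constant cannot silently desynchronise them. Note that on 64-bit targets this function accepts sizes above `randombytes_BYTES_MAX` (0xffffffff), which the assertion permits but the name of the limit does not suggest; a comment saying the deterministic generator has its own, larger cap would avoid confusion. The function starts before the hunk.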
@@ -331,29 +332,29 @@ randombytes_salsa20_random_stir(void) # elif defined(SYS_getrandom) && defined(__NR_getrandom) if (stream.getrandom_available != 0) { if (randombytes_linux_getrandom(m0, sizeof m0) != 0) { - abort(); /* LCOV_EXCL_LINE */ + sodium_misuse(); /* LCOV_EXCL_LINE */ } } else if (stream.random_data_source_fd == -1 || safe_read(stream.random_data_source_fd, m0, sizeof m0) != (ssize_t) sizeof m0) { - abort(); /* LCOV_EXCL_LINE */ + sodium_misuse(); /* LCOV_EXCL_LINE */ } # else if (stream.random_data_source_fd == -1 || safe_read(stream.random_data_source_fd, m0, sizeof m0) != (ssize_t) sizeof m0) { - abort(); /* LCOV_EXCL_LINE */ + sodium_misuse(); /* LCOV_EXCL_LINE */ } # endif #else /* _WIN32 */ if (! RtlGenRandom((PVOID) m0, (ULONG) sizeof m0)) { - abort(); /* LCOV_EXCL_LINE */ + sodium_misuse(); /* LCOV_EXCL_LINE */ } #endif if (crypto_generichash(stream.key, sizeof stream.key, k0, sizeof_k0, hsigma, sizeof hsigma) != 0) { - abort(); /* LCOV_EXCL_LINE */ + abort(); /* really abort -- it should never happen */ /* LCOV_EXCL_LINE */ } COMPILER_ASSERT(sizeof stream.key <= sizeof m0); randombytes_salsa20_random_rekey(m0); @@ -370,7 +371,7 @@ randombytes_salsa20_random_stir_if_needed(void) if (stream.initialized == 0) { randombytes_salsa20_random_stir(); } else if (stream.pid != getpid()) { - abort(); + sodium_misuse(); /* LCOV_EXCL_LINE */ } #else if (stream.initialized == 0) { diff --git a/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c b/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c index feede465..f4dec08f 100644 --- a/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c +++ b/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c @@ -24,6 +24,8 @@ # include #endif +#include "core.h" +#include "private/common.h" #include "randombytes.h" #include "randombytes_sysrandom.h" #include "utils.h" 
@@ -34,6 +36,15 @@ * memory overhead if this API is not being used for other purposes * - `RtlGenRandom` is thus called directly instead. A detailed explanation * can be found here: https://blogs.msdn.microsoft.com/michael_howard/2005/01/14/cryptographically-secure-random-number-on-windows-without-using-cryptoapi/ + * + * In spite of the disclaimer on the `RtlGenRandom` documentation page that was + * written back in the Windows XP days, this function is here to stay. The CRT + * function `rand_s()` directly depends on it, so touching it would break many + * applications released since Windows XP. + * + * Also note that Rust, Firefox and BoringSSL (thus, Google Chrome and everything + * based on Chromium) also depend on it, and that libsodium allows the RNG to be + * replaced without patching nor recompiling the library. */ # include # define RtlGenRandom SystemFunction036 @@ -68,7 +79,7 @@ randombytes_sysrandom_stir(void) static void randombytes_sysrandom_buf(void * const buf, const size_t size) { - return arc4random_buf(buf, size); + arc4random_buf(buf, size); } static int @@ -156,7 +167,7 @@ randombytes_sysrandom_random_dev_open(void) # endif "/dev/random", NULL }; - const char ** device = devices; + const char **device = devices; int fd; # if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) && !defined(NO_BLOCKING_RANDOM_POLL) @@ -253,7 +264,7 @@ randombytes_sysrandom_init(void) if ((stream.random_data_source_fd = randombytes_sysrandom_random_dev_open()) == -1) { - abort(); /* LCOV_EXCL_LINE */ + sodium_misuse(); /* LCOV_EXCL_LINE */ } errno = errno_save; } 
@@ -323,21 +334,22 @@ randombytes_sysrandom_buf(void * const buf, const size_t size) # if defined(SYS_getrandom) && defined(__NR_getrandom) if (stream.getrandom_available != 0) { if (randombytes_linux_getrandom(buf, size) != 0) { - abort(); + sodium_misuse(); /* LCOV_EXCL_LINE */ } return; } # endif if (stream.random_data_source_fd == -1 || safe_read(stream.random_data_source_fd, buf, size) != (ssize_t) size) { - abort(); /* LCOV_EXCL_LINE */ + sodium_misuse(); /* LCOV_EXCL_LINE */ } #else - if (size > (size_t) 0xffffffff) { - abort(); /* LCOV_EXCL_LINE */ + COMPILER_ASSERT(randombytes_BYTES_MAX <= 0xffffffffUL); + if (size > (size_t) 0xffffffffUL) { + sodium_misuse(); /* LCOV_EXCL_LINE */ } if (! RtlGenRandom((PVOID) buf, (ULONG) size)) { - abort(); /* LCOV_EXCL_LINE */ + sodium_misuse(); /* LCOV_EXCL_LINE */ } #endif } diff --git a/src/libsodium/sodium/codecs.c b/src/libsodium/sodium/codecs.c new file mode 100644 index 00000000..77fa464c --- /dev/null +++ b/src/libsodium/sodium/codecs.c 
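Review bot: Only the Windows branch of randombytes_sysrandom_buf() gains a size bound (the new `COMPILER_ASSERT(randombytes_BYTES_MAX <= 0xffffffffUL)` plus the runtime check); the POSIX branch still compares the safe_read() result against `(ssize_t) size` with no limit, so a request above SSIZE_MAX is compared against a negative value and is rejected only by accident, and whether randombytes_linux_getrandom() loops for requests larger than one getrandom() call can satisfy is outside this hunk. If randombytes_buf() does not already enforce randombytes_BYTES_MAX before dispatching (not visible here), a single `if (size > randombytes_BYTES_MAX) { sodium_misuse(); }` ahead of the `#ifdef` would give both branches the same contract, the way randombytes_buf_deterministic() in this patch checks its own bound.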
@@ -0,0 +1,333 @@ +#include +#include +#include +#include +#include +#include +#include + +#include "core.h" +#include "utils.h" + +/* Derived from original code by CodesInChaos */ +char * +sodium_bin2hex(char *const hex, const size_t hex_maxlen, + const unsigned char *const bin, const size_t bin_len) +{ + size_t i = (size_t) 0U; + unsigned int x; + int b; + int c; + + if (bin_len >= SIZE_MAX / 2 || hex_maxlen <= bin_len * 2U) { + sodium_misuse(); /* LCOV_EXCL_LINE */ + } + while (i < bin_len) { + c = bin[i] & 0xf; + b = bin[i] >> 4; + x = (unsigned char) (87U + c + (((c - 10U) >> 8) & ~38U)) << 8 | + (unsigned char) (87U + b + (((b - 10U) >> 8) & ~38U)); + hex[i * 2U] = (char) x; + x >>= 8; + hex[i * 2U + 1U] = (char) x; + i++; + } + hex[i * 2U] = 0U; + + return hex; +} + +int +sodium_hex2bin(unsigned char *const bin, const size_t bin_maxlen, + const char *const hex, const size_t hex_len, + const char *const ignore, size_t *const bin_len, + const char **const hex_end) +{ + size_t bin_pos = (size_t) 0U; + size_t hex_pos = (size_t) 0U; + int ret = 0; + unsigned char c; + unsigned char c_acc = 0U; + unsigned char c_alpha0, c_alpha; + unsigned char c_num0, c_num; + unsigned char c_val; + unsigned char state = 0U; + + while (hex_pos < hex_len) { + c = (unsigned char) hex[hex_pos]; + c_num = c ^ 48U; + c_num0 = (c_num - 10U) >> 8; + c_alpha = (c & ~32U) - 55U; + c_alpha0 = ((c_alpha - 10U) ^ (c_alpha - 16U)) >> 8; + if ((c_num0 | c_alpha0) == 0U) { + if (ignore != NULL && state == 0U && strchr(ignore, c) != NULL) { + hex_pos++; + continue; + } + break; + } + c_val = (c_num0 & c_num) | (c_alpha0 & c_alpha); + if (bin_pos >= bin_maxlen) { + ret = -1; + errno = ERANGE; + break; + } + if (state == 0U) { + c_acc = c_val * 16U; + } else { + bin[bin_pos++] = c_acc | c_val; + } + state = ~state; + hex_pos++; + } + if (state != 0U) { + hex_pos--; + errno = EINVAL; + ret = -1; + } + if (ret != 0) { + bin_pos = (size_t) 0U; + } + if (hex_end != NULL) { + *hex_end = &hex[hex_pos]; 
+ } else if (hex_pos != hex_len) { + errno = EINVAL; + ret = -1; + } + if (bin_len != NULL) { + *bin_len = bin_pos; + } + return ret; +} + +/* + * Some macros for constant-time comparisons. These work over values in + * the 0..255 range. Returned value is 0x00 on "false", 0xFF on "true". + * + * Original code by Thomas Pornin. + */ +#define EQ(x, y) \ + ((((0U - ((unsigned int) (x) ^ (unsigned int) (y))) >> 8) & 0xFF) ^ 0xFF) +#define GT(x, y) ((((unsigned int) (y) - (unsigned int) (x)) >> 8) & 0xFF) +#define GE(x, y) (GT(y, x) ^ 0xFF) +#define LT(x, y) GT(y, x) +#define LE(x, y) GE(y, x) + +static int +b64_byte_to_char(unsigned int x) +{ + return (LT(x, 26) & (x + 'A')) | + (GE(x, 26) & LT(x, 52) & (x + ('a' - 26))) | + (GE(x, 52) & LT(x, 62) & (x + ('0' - 52))) | (EQ(x, 62) & '+') | + (EQ(x, 63) & '/'); +} + +static unsigned int +b64_char_to_byte(int c) +{ + const unsigned int x = + (GE(c, 'A') & LE(c, 'Z') & (c - 'A')) | + (GE(c, 'a') & LE(c, 'z') & (c - ('a' - 26))) | + (GE(c, '0') & LE(c, '9') & (c - ('0' - 52))) | (EQ(c, '+') & 62) | + (EQ(c, '/') & 63); + + return x | (EQ(x, 0) & (EQ(c, 'A') ^ 0xFF)); +} + +static int +b64_byte_to_urlsafe_char(unsigned int x) +{ + return (LT(x, 26) & (x + 'A')) | + (GE(x, 26) & LT(x, 52) & (x + ('a' - 26))) | + (GE(x, 52) & LT(x, 62) & (x + ('0' - 52))) | (EQ(x, 62) & '-') | + (EQ(x, 63) & '_'); +} + +static unsigned int +b64_urlsafe_char_to_byte(int c) +{ + const unsigned x = + (GE(c, 'A') & LE(c, 'Z') & (c - 'A')) | + (GE(c, 'a') & LE(c, 'z') & (c - ('a' - 26))) | + (GE(c, '0') & LE(c, '9') & (c - ('0' - 52))) | (EQ(c, '-') & 62) | + (EQ(c, '_') & 63); + + return x | (EQ(x, 0) & (EQ(c, 'A') ^ 0xFF)); +} + + +#define VARIANT_NO_PADDING_MASK 0x2U +#define VARIANT_URLSAFE_MASK 0x4U + +static void +sodium_base64_check_variant(const int variant) +{ + if ((((unsigned int) variant) & ~ 0x6U) != 0x1U) { + sodium_misuse(); + } +} + +size_t +sodium_base64_encoded_len(const size_t bin_len, const int variant) +{ + 
sodium_base64_check_variant(variant); + + return sodium_base64_ENCODED_LEN(bin_len, variant); +} + +char * +sodium_bin2base64(char * const b64, const size_t b64_maxlen, + const unsigned char * const bin, const size_t bin_len, + const int variant) +{ + size_t acc_len = (size_t) 0; + size_t b64_len; + size_t b64_pos = (size_t) 0; + size_t bin_pos = (size_t) 0; + size_t nibbles; + size_t remainder; + unsigned int acc = 0U; + + sodium_base64_check_variant(variant); + nibbles = bin_len / 3; + remainder = bin_len - 3 * nibbles; + b64_len = nibbles * 4; + if (remainder != 0) { + if ((((unsigned int) variant) & VARIANT_NO_PADDING_MASK) == 0U) { + b64_len += 4; + } else { + b64_len += 2 + (remainder >> 1); + } + } + if (b64_maxlen <= b64_len) { + sodium_misuse(); + } + if ((((unsigned int) variant) & VARIANT_URLSAFE_MASK) != 0U) { + while (bin_pos < bin_len) { + acc = (acc << 8) + bin[bin_pos++]; + acc_len += 8; + while (acc_len >= 6) { + acc_len -= 6; + b64[b64_pos++] = (char) b64_byte_to_urlsafe_char((acc >> acc_len) & 0x3F); + } + } + if (acc_len > 0) { + b64[b64_pos++] = (char) b64_byte_to_urlsafe_char((acc << (6 - acc_len)) & 0x3F); + } + } else { + while (bin_pos < bin_len) { + acc = (acc << 8) + bin[bin_pos++]; + acc_len += 8; + while (acc_len >= 6) { + acc_len -= 6; + b64[b64_pos++] = (char) b64_byte_to_char((acc >> acc_len) & 0x3F); + } + } + if (acc_len > 0) { + b64[b64_pos++] = (char) b64_byte_to_char((acc << (6 - acc_len)) & 0x3F); + } + } + assert(b64_pos <= b64_len); + while (b64_pos < b64_len) { + b64[b64_pos++] = '='; + } + do { + b64[b64_pos++] = 0U; + } while (b64_pos < b64_maxlen); + + return b64; +} + +static int +_sodium_base642bin_skip_padding(const char * const b64, const size_t b64_len, + size_t * const b64_pos_p, + const char * const ignore, size_t padding_len) +{ + int c; + + while (padding_len > 0) { + if (*b64_pos_p >= b64_len) { + errno = ERANGE; + return -1; + } + c = b64[*b64_pos_p]; + if (c == '=') { + padding_len--; + } else if (ignore == 
NULL || strchr(ignore, c) == NULL) { + errno = EINVAL; + return -1; + } + (*b64_pos_p)++; + } + return 0; +} + +int +sodium_base642bin(unsigned char * const bin, const size_t bin_maxlen, + const char * const b64, const size_t b64_len, + const char * const ignore, size_t * const bin_len, + const char ** const b64_end, const int variant) +{ + size_t acc_len = (size_t) 0; + size_t b64_pos = (size_t) 0; + size_t bin_pos = (size_t) 0; + int is_urlsafe; + int ret = 0; + unsigned int acc = 0U; + unsigned int d; + char c; + + sodium_base64_check_variant(variant); + is_urlsafe = ((unsigned int) variant) & VARIANT_URLSAFE_MASK; + while (b64_pos < b64_len) { + c = b64[b64_pos]; + if (is_urlsafe) { + d = b64_urlsafe_char_to_byte(c); + } else { + d = b64_char_to_byte(c); + } + if (d == 0xFF) { + if (ignore != NULL && strchr(ignore, c) != NULL) { + b64_pos++; + continue; + } + break; + } + acc = (acc << 6) + d; + acc_len += 6; + if (acc_len >= 8) { + acc_len -= 8; + if (bin_pos >= bin_maxlen) { + errno = ERANGE; + ret = -1; + break; + } + bin[bin_pos++] = (acc >> acc_len) & 0xFF; + } + b64_pos++; + } + if (acc_len > 4U || (acc & ((1U << acc_len) - 1U)) != 0U) { + ret = -1; + } else if (ret == 0 && + (((unsigned int) variant) & VARIANT_NO_PADDING_MASK) == 0U) { + ret = _sodium_base642bin_skip_padding(b64, b64_len, &b64_pos, ignore, + acc_len / 2); + } + if (ret != 0) { + bin_pos = (size_t) 0U; + } else if (ignore != NULL) { + while (b64_pos < b64_len && strchr(ignore, b64[b64_pos]) != NULL) { + b64_pos++; + } + } + if (b64_end != NULL) { + *b64_end = &b64[b64_pos]; + } else if (b64_pos != b64_len) { + errno = EINVAL; + ret = -1; + } + if (bin_len != NULL) { + *bin_len = bin_pos; + } + return ret; +} diff --git a/src/libsodium/sodium/core.c b/src/libsodium/sodium/core.c index 9e8cfa8d..ce466958 100644 --- a/src/libsodium/sodium/core.c +++ b/src/libsodium/sodium/core.c @@ -1,4 +1,5 @@ +#include #include #include #ifdef _WIN32 
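Review bot: sodium_base642bin passes `c`, declared `char`, to b64_char_to_byte(int c) and b64_urlsafe_char_to_byte(int c), but the EQ/GT/GE macros are documented to work only over 0..255; on targets where char is signed any input byte >= 0x80 arrives as a negative int, and EQ(c, '+') then evaluates to 0xFF because 0U - ((unsigned int) c ^ '+') has no bits above bit 7 (for c == -1 it is 0x2C), so such a byte decodes as the digit 63 instead of being rejected. sodium_hex2bin in the same file already does `c = (unsigned char) hex[hex_pos];`; the base64 path should match it with `d = b64_urlsafe_char_to_byte((unsigned char) c);` and `d = b64_char_to_byte((unsigned char) c);`. Separately, the `acc_len > 4U || (acc & ((1U << acc_len) - 1U)) != 0U` rejection sets ret = -1 without touching errno, unlike every other failure path in the function; adding `errno = EINVAL;` there keeps the error reporting consistent.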
@@ -40,11 +41,11 @@ int sodium_init(void) { if (sodium_crit_enter() != 0) { - return -1; + return -1; /* LCOV_EXCL_LINE */ } if (initialized != 0) { if (sodium_crit_leave() != 0) { - return -1; + return -1; /* LCOV_EXCL_LINE */ } return 1; } @@ -59,7 +60,7 @@ sodium_init(void) _crypto_stream_salsa20_pick_best_implementation(); initialized = 1; if (sodium_crit_leave() != 0) { - return -1; + return -1; /* LCOV_EXCL_LINE */ } return 0; } @@ -94,7 +95,7 @@ int sodium_crit_enter(void) { if (_sodium_crit_init() != 0) { - return -1; + return -1; /* LCOV_EXCL_LINE */ } EnterCriticalSection(&_sodium_lock); @@ -169,3 +170,34 @@ sodium_crit_leave(void) } #endif + +static void (*_misuse_handler)(void); + +void +sodium_misuse(void) +{ + void (*handler)(void); + + if (sodium_crit_enter() == 0) { + handler = _misuse_handler; + if (sodium_crit_leave() == 0 && handler != NULL) { + handler(); + } + } +/* LCOV_EXCL_START */ + abort(); +} +/* LCOV_EXCL_STOP */ + +int +sodium_set_misuse_handler(void (*handler)(void)) +{ + if (sodium_crit_enter() != 0) { + return -1; /* LCOV_EXCL_LINE */ + } + _misuse_handler = handler; + if (sodium_crit_leave() != 0) { + return -1; /* LCOV_EXCL_LINE */ + } + return 0; +} diff --git a/src/libsodium/sodium/runtime.c b/src/libsodium/sodium/runtime.c index fd64003d..ec5d884f 100644 --- a/src/libsodium/sodium/runtime.c +++ b/src/libsodium/sodium/runtime.c @@ -16,6 +16,7 @@ typedef struct CPUFeatures_ { int has_sse41; int has_avx; int has_avx2; + int has_avx512f; int has_pclmul; int has_aesni; } CPUFeatures; @@ -23,6 +24,7 @@ typedef struct CPUFeatures_ { static CPUFeatures _cpu_features; #define CPUID_EBX_AVX2 0x00000020 +#define CPUID_EBX_AVX512F 0x00010000 #define CPUID_ECX_SSE3 0x00000001 #define CPUID_ECX_PCLMUL 0x00000002 
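Review bot: sodium_misuse() calls sodium_crit_enter() before reading _misuse_handler, so a misuse detected while the calling thread already holds that critical section never reaches abort() if the lock is not reentrant: sodium_init() (hunks above) holds the section across the initialization calls that sit between its two hunks, and this patch routes failures in _sodium_alloc_init() and the randombytes initializers to sodium_misuse(); if any of those runs under that lock, the non-Windows implementation (not visible here, only EnterCriticalSection is) decides between a deadlock and undefined behaviour instead of an abort. Either have sodium_misuse() release the section it may be holding before re-entering, or read the handler without taking the lock, and state the constraint on the function, e.g. `/* must be callable from any context; never blocks on the sodium critical section */`. sodium_set_misuse_handler()'s documentation should also say that a handler which does not return (longjmp) skips the abort() and leaves the library in whatever state the failing call had reached.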
@@ -176,6 +178,16 @@ _sodium_runtime_intel_cpu_features(CPUFeatures * const cpu_features) } #endif + cpu_features->has_avx512f = 0; +#ifdef HAVE_AVX512FINTRIN_H + if (cpu_features->has_avx2) { + unsigned int cpu_info7[4]; + + _cpuid(cpu_info7, 0x00000007); + cpu_features->has_avx512f = ((cpu_info7[1] & CPUID_EBX_AVX512F) != 0x0); + } +#endif + #ifdef HAVE_WMMINTRIN_H cpu_features->has_pclmul = ((cpu_info[2] & CPUID_ECX_PCLMUL) != 0x0); cpu_features->has_aesni = ((cpu_info[2] & CPUID_ECX_AESNI) != 0x0); @@ -241,6 +253,12 @@ sodium_runtime_has_avx2(void) return _cpu_features.has_avx2; } +int +sodium_runtime_has_avx512f(void) +{ + return _cpu_features.has_avx512f; +} + int sodium_runtime_has_pclmul(void) { diff --git a/src/libsodium/sodium/utils.c b/src/libsodium/sodium/utils.c index 0796e1fe..6666ef95 100644 --- a/src/libsodium/sodium/utils.c +++ b/src/libsodium/sodium/utils.c @@ -21,6 +21,7 @@ # include #endif +#include "core.h" #include "randombytes.h" #include "utils.h" @@ -62,19 +63,17 @@ static size_t page_size; static unsigned char canary[CANARY_SIZE]; +/* LCOV_EXCL_START */ #ifdef HAVE_WEAK_SYMBOLS __attribute__((weak)) void -_sodium_memzero_as_a_weak_symbol_to_prevent_lto(void *const pnt, - const size_t len) +_sodium_dummy_symbol_to_prevent_memzero_lto(void *const pnt, + const size_t len) { - unsigned char *pnt_ = (unsigned char *) pnt; - size_t i = (size_t) 0U; - - while (i < len) { - pnt_[i++] = 0U; - } + (void) pnt; /* LCOV_EXCL_LINE */ + (void) len; /* LCOV_EXCL_LINE */ } #endif +/* LCOV_EXCL_STOP */ void sodium_memzero(void *const pnt, const size_t len) 
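Review bot: has_avx512f is derived from CPUID leaf 7 EBX alone; AVX-512 additionally needs the OS to have enabled the opmask, ZMM_Hi256 and Hi16_ZMM state components (XCR0 bits 5, 6 and 7), and a CPU that reports the feature under an OS that has not enabled that state will take #UD (SIGILL) on the first zmm instruction. Gating on has_avx2 presumably inherits the YMM-state check from the AVX detection, which is outside this hunk, but the ZMM bits are separate and are not implied by it. The bit should be set only when XGETBV(0) also has those three bits set, e.g. `if ((cpu_info7[1] & CPUID_EBX_AVX512F) != 0x0 && (xcr0 & 0xE0) == 0xE0)` using the same XGETBV path the AVX detection already uses, with a comment `/* AVX-512 also requires XCR0 bits 5..7 (opmask, ZMM_Hi256, Hi16_ZMM) */`.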
@@ -83,12 +82,13 @@ sodium_memzero(void *const pnt, const size_t len) SecureZeroMemory(pnt, len); #elif defined(HAVE_MEMSET_S) if (len > 0U && memset_s(pnt, (rsize_t) len, 0, (rsize_t) len) != 0) { - abort(); /* LCOV_EXCL_LINE */ + sodium_misuse(); /* LCOV_EXCL_LINE */ } #elif defined(HAVE_EXPLICIT_BZERO) explicit_bzero(pnt, len); #elif HAVE_WEAK_SYMBOLS - _sodium_memzero_as_a_weak_symbol_to_prevent_lto(pnt, len); + memset(pnt, 0, len); + _sodium_dummy_symbol_to_prevent_memzero_lto(pnt, len); #else volatile unsigned char *volatile pnt_ = (volatile unsigned char *volatile) pnt; @@ -163,7 +163,7 @@ sodium_compare(const unsigned char *b1_, const unsigned char *b2_, size_t len) size_t i; volatile unsigned char gt = 0U; volatile unsigned char eq = 1U; - volatile uint16_t x1, x2; + uint16_t x1, x2; #if HAVE_WEAK_SYMBOLS _sodium_dummy_symbol_to_prevent_compare_lto(b1, b2, len); @@ -182,8 +182,8 @@ sodium_compare(const unsigned char *b1_, const unsigned char *b2_, size_t len) int sodium_is_zero(const unsigned char *n, const size_t nlen) { - size_t i; - unsigned char d = 0U; + size_t i; + volatile unsigned char d = 0U; for (i = 0U; i < nlen; i++) { d |= n[i]; 
@@ -287,89 +287,6 @@ sodium_add(unsigned char *a, const unsigned char *b, const size_t len) } } -/* Derived from original code by CodesInChaos */ -char * -sodium_bin2hex(char *const hex, const size_t hex_maxlen, - const unsigned char *const bin, const size_t bin_len) -{ - size_t i = (size_t) 0U; - unsigned int x; - int b; - int c; - - if (bin_len >= SIZE_MAX / 2 || hex_maxlen <= bin_len * 2U) { - abort(); /* LCOV_EXCL_LINE */ - } - while (i < bin_len) { - c = bin[i] & 0xf; - b = bin[i] >> 4; - x = (unsigned char) (87U + c + (((c - 10U) >> 8) & ~38U)) << 8 | - (unsigned char) (87U + b + (((b - 10U) >> 8) & ~38U)); - hex[i * 2U] = (char) x; - x >>= 8; - hex[i * 2U + 1U] = (char) x; - i++; - } - hex[i * 2U] = 0U; - - return hex; -} - -int -sodium_hex2bin(unsigned char *const bin, const size_t bin_maxlen, - const char *const hex, const size_t hex_len, - const char *const ignore, size_t *const bin_len, - const char **const hex_end) -{ - size_t bin_pos = (size_t) 0U; - size_t hex_pos = (size_t) 0U; - int ret = 0; - unsigned char c; - unsigned char c_acc = 0U; - unsigned char c_alpha0, c_alpha; - unsigned char c_num0, c_num; - unsigned char c_val; - unsigned char state = 0U; - - while (hex_pos < hex_len) { - c = (unsigned char) hex[hex_pos]; - c_num = c ^ 48U; - c_num0 = (c_num - 10U) >> 8; - c_alpha = (c & ~32U) - 55U; - c_alpha0 = ((c_alpha - 10U) ^ (c_alpha - 16U)) >> 8; - if ((c_num0 | c_alpha0) == 0U) { - if (ignore != NULL && state == 0U && strchr(ignore, c) != NULL) { - hex_pos++; - continue; - } - break; - } - c_val = (c_num0 & c_num) | (c_alpha0 & c_alpha); - if (bin_pos >= bin_maxlen) { - ret = -1; - errno = ERANGE; - break; - } - if (state == 0U) { - c_acc = c_val * 16U; - } else { - bin[bin_pos++] = c_acc | c_val; - } - state = ~state; - hex_pos++; - } - if (state != 0U) { - hex_pos--; - } - if (hex_end != NULL) { - *hex_end = &hex[hex_pos]; - } - if (bin_len != NULL) { - *bin_len = bin_pos; - } - return ret; -} - int _sodium_alloc_init(void) { 
@@ -385,7 +302,7 @@ _sodium_alloc_init(void) page_size = (size_t) si.dwPageSize; # endif if (page_size < CANARY_SIZE || page_size < sizeof(size_t)) { - abort(); /* LCOV_EXCL_LINE */ + sodium_misuse(); /* LCOV_EXCL_LINE */ } #endif randombytes_buf(canary, sizeof canary); @@ -478,7 +395,7 @@ _out_of_bounds(void) # elif defined(SIGKILL) raise(SIGKILL); # endif - abort(); + abort(); /* not something we want any higher-level API to catch */ } /* LCOV_EXCL_LINE */ static inline size_t @@ -537,7 +454,7 @@ _unprotected_ptr_from_user_ptr(void *const ptr) page_mask = page_size - 1U; unprotected_ptr_u = ((uintptr_t) canary_ptr & (uintptr_t) ~page_mask); if (unprotected_ptr_u <= page_size * 2U) { - abort(); /* LCOV_EXCL_LINE */ + sodium_misuse(); /* LCOV_EXCL_LINE */ } return (unsigned char *) unprotected_ptr_u; } @@ -567,7 +484,7 @@ _sodium_malloc(const size_t size) return NULL; } if (page_size <= sizeof canary || page_size < sizeof unprotected_size) { - abort(); /* LCOV_EXCL_LINE */ + sodium_misuse(); /* LCOV_EXCL_LINE */ } size_with_canary = (sizeof canary) + size; unprotected_size = _page_round(size_with_canary); 
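Review bot: The page-size guards in _sodium_alloc_init() and _sodium_malloc() now both end in sodium_misuse() but test different boundaries: init rejects `page_size < CANARY_SIZE || page_size < sizeof(size_t)` while _sodium_malloc rejects `page_size <= sizeof canary || page_size < sizeof unprotected_size`, and canary is `unsigned char canary[CANARY_SIZE]`, so page_size == CANARY_SIZE passes initialization and then trips the misuse handler on the first allocation. Harmless for real page sizes, but the two checks should agree, e.g. `if (page_size <= CANARY_SIZE || page_size < sizeof(size_t)) {` in _sodium_alloc_init(). The comment kept on _out_of_bounds()'s abort() draws the right line; a one-line comment on the _sodium_malloc() check saying which class it belongs to (environment error vs. caller error) would tell the next reader why it is a misuse rather than an abort.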
@@ -702,3 +619,73 @@ sodium_mprotect_readwrite(void *ptr) { return _sodium_mprotect(ptr, _mprotect_readwrite); } + +int +sodium_pad(size_t *padded_buflen_p, unsigned char *buf, + size_t unpadded_buflen, size_t blocksize, size_t max_buflen) +{ + unsigned char *tail; + size_t i; + size_t xpadlen; + size_t xpadded_len; + volatile unsigned char mask; + unsigned char barrier_mask; + + if (blocksize <= 0U) { + return -1; + } + xpadlen = blocksize - 1U; + if ((blocksize & (blocksize - 1U)) == 0U) { + xpadlen -= unpadded_buflen & (blocksize - 1U); + } else { + xpadlen -= unpadded_buflen % blocksize; + } + if ((size_t) SIZE_MAX - unpadded_buflen <= xpadlen) { + sodium_misuse(); + } + xpadded_len = unpadded_buflen + xpadlen; + if (xpadded_len >= max_buflen) { + return -1; + } + tail = &buf[xpadded_len]; + if (padded_buflen_p != NULL) { + *padded_buflen_p = xpadded_len + 1U; + } + mask = 0U; + for (i = 0; i < blocksize; i++) { + barrier_mask = (unsigned char) (((i ^ xpadlen) - 1U) >> 8); + tail[-i] = (tail[-i] & mask) | (0x80 & barrier_mask); + mask |= barrier_mask; + } + return 0; +} + +int +sodium_unpad(size_t *unpadded_buflen_p, const unsigned char *buf, + size_t padded_buflen, size_t blocksize) +{ + const unsigned char *tail; + unsigned char acc = 0U; + unsigned char c; + unsigned char valid = 0U; + volatile size_t pad_len = 0U; + size_t i; + size_t is_barrier; + + if (padded_buflen < blocksize || blocksize <= 0U) { + return -1; + } + tail = &buf[padded_buflen - 1U]; + + for (i = 0U; i < blocksize; i++) { + c = tail[-i]; + is_barrier = + (( (acc - 1U) & (pad_len - 1U) & ((c ^ 0x80) - 1U) ) >> 8) & 1U; + acc |= c; + pad_len |= i & (1U + ~is_barrier); + valid |= (unsigned char) is_barrier; + } + *unpadded_buflen_p = padded_buflen - 1U - pad_len; + + return (int) (valid - 1U); +} diff --git a/test/constcheck.sh b/test/constcheck.sh new file mode 100755 index 00000000..4681d358 --- /dev/null +++ b/test/constcheck.sh 
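Review bot: In sodium_pad() the barrier mask `((i ^ xpadlen) - 1U) >> 8` cast to unsigned char is only 0x00 or 0xFF while `i ^ xpadlen` stays below 257; for blocksize > 256 (e.g. xpadlen = 300, i = 1) the shift yields 0x01, the padding byte becomes `tail[-i] & 0x01` instead of 0, and sodium_unpad() can then reject the buffer because `acc` is non-zero when it reaches the 0x80 barrier. Shifting the full-width value down to its top byte keeps the all-ones/all-zeros property for any block size: `barrier_mask = (unsigned char) (((i ^ xpadlen) - 1U) >> (sizeof(size_t) * CHAR_BIT - 8));` (CHAR_BIT needs <limits.h>; `sizeof(size_t) * 8 - 8` avoids it). Separately, sodium_unpad() writes `*unpadded_buflen_p` even when it returns -1 and does not accept NULL, unlike sodium_pad()'s padded_buflen_p; documenting that, or guarding it the same way, would make the pair consistent. `tail[-i]` with a size_t `i` relies on unsigned negation wrapping; `*(tail - i)` says what is meant.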
@@ -0,0 +1,19 @@ +#! /bin/sh + +CT='ct.c' + +echo '#include ' > "$CT" +echo '#include ' >> "$CT" +echo 'int main(void) {' >> "$CT" +for macro in $(egrep -r '#define crypto_.*BYTES(_[A-Z]+)? ' src/libsodium/include | \ + cut -d: -f2- | cut -d' ' -f2 | \ + fgrep -v edwards25519sha512batch | sort -u); do + func=$(echo "$macro" | tr A-Z a-z) + echo " assert($func() == $macro);" >> "$CT" +done +echo "return 0; }" >> "$CT" + +${CC:-cc} "$CT" $CPPFLAGS $CFLAGS $LDFLAGS -lsodium || exit 1 +./a.out || exit 1 +rm -f a.out "$CT" + diff --git a/test/default/Makefile.am b/test/default/Makefile.am index db117202..5fb572b9 100644 --- a/test/default/Makefile.am +++ b/test/default/Makefile.am @@ -21,6 +21,7 @@ EXTRA_DIST = \ box_seal.exp \ box_seed.exp \ chacha20.exp \ + codecs.exp \ core1.exp \ core2.exp \ core3.exp \ @@ -37,6 +38,8 @@ EXTRA_DIST = \ kdf.exp \ keygen.exp \ kx.exp \ + metamorphic.exp \ + misuse.exp \ onetimeauth.exp \ onetimeauth2.exp \ onetimeauth7.exp \ @@ -56,6 +59,7 @@ EXTRA_DIST = \ secretbox8.exp \ secretbox_easy.exp \ secretbox_easy2.exp \ + secretstream.exp \ shorthash.exp \ sign.exp \ siphashx24.exp \ @@ -90,6 +94,7 @@ DISTCLEANFILES = \ box_seal.res \ box_seed.res \ chacha20.res \ + codecs.res \ core1.res \ core2.res \ core3.res \ @@ -106,6 +111,8 @@ DISTCLEANFILES = \ kdf.res \ keygen.res \ kx.res \ + metamorphic.res \ + misuse.res \ onetimeauth.res \ onetimeauth2.res \ onetimeauth7.res \ @@ -125,6 +132,7 @@ DISTCLEANFILES = \ secretbox8.res \ secretbox_easy.res \ secretbox_easy2.res \ + secretstream.res \ shorthash.res \ sign.res \ siphashx24.res \ @@ -160,6 +168,7 @@ CLEANFILES = \ box_seal.final \ box_seed.final \ chacha20.final \ + codecs.final \ core1.final \ core2.final \ core3.final \ @@ -176,6 +185,8 @@ CLEANFILES = \ kdf.final \ keygen.final \ kx.final \ + metamorphic.final \ + misuse.final \ onetimeauth.final \ onetimeauth2.final \ onetimeauth7.final \ 
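Review bot: constcheck.sh leaves ct.c and a.out behind whenever the compile or the run fails (`|| exit 1` comes before the `rm -f`), and it writes a.out into the current directory by name, clobbering any a.out already there; a `trap 'rm -f a.out "$CT"' EXIT` right after `CT='ct.c'` removes both on every exit path, and passing `-o "$CT.out"` (or a mktemp name) to the compiler avoids the collision. `egrep` and `fgrep` are the deprecated spellings and recent grep releases warn on them; `grep -E` / `grep -F` behave identically here.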
@@ -195,6 +206,7 @@ CLEANFILES = \ secretbox8.final \ secretbox_easy.final \ secretbox_easy2.final \ + secretstream.final \ shorthash.final \ sign.final \ siphashx24.final \ @@ -225,6 +237,7 @@ CLEANFILES = \ box_seal.nexe \ box_seed.nexe \ chacha20.nexe \ + codecs.nexe \ core1.nexe \ core2.nexe \ core3.nexe \ @@ -241,6 +254,8 @@ CLEANFILES = \ kdf.nexe \ keygen.nexe \ kx.nexe \ + metamorphic.nexe \ + misuse.nexe \ onetimeauth.nexe \ onetimeauth2.nexe \ onetimeauth7.nexe \ @@ -260,6 +275,7 @@ CLEANFILES = \ secretbox8.nexe \ secretbox_easy.nexe \ secretbox_easy2.nexe \ + secretstream.nexe \ shorthash.nexe \ sign.nexe \ siphashx24.nexe \ @@ -303,6 +319,7 @@ TESTS_TARGETS = \ box_seal \ box_seed \ chacha20 \ + codecs \ core1 \ core2 \ core3 \ @@ -318,6 +335,8 @@ TESTS_TARGETS = \ kdf \ keygen \ kx \ + metamorphic \ + misuse \ onetimeauth \ onetimeauth2 \ onetimeauth7 \ @@ -335,6 +354,7 @@ TESTS_TARGETS = \ secretbox8 \ secretbox_easy \ secretbox_easy2 \ + secretstream \ shorthash \ sign \ sodium_core \ @@ -415,6 +435,9 @@ box_seed_LDADD = $(TESTS_LDADD) chacha20_SOURCE = cmptest.h chacha20.c chacha20_LDADD = $(TESTS_LDADD) +codecs_SOURCE = cmptest.h codecs.c +codecs_LDADD = $(TESTS_LDADD) + core1_SOURCE = cmptest.h core1.c core1_LDADD = $(TESTS_LDADD) @@ -460,6 +483,12 @@ keygen_LDADD = $(TESTS_LDADD) kx_SOURCE = cmptest.h kx.c kx_LDADD = $(TESTS_LDADD) +metamorphic_SOURCE = cmptest.h metamorphic.c +metamorphic_LDADD = $(TESTS_LDADD) + +misuse_SOURCE = cmptest.h misuse.c +misuse_LDADD = $(TESTS_LDADD) + onetimeauth_SOURCE = cmptest.h onetimeauth.c onetimeauth_LDADD = $(TESTS_LDADD) @@ -517,6 +546,9 @@ secretbox_easy_LDADD = $(TESTS_LDADD) secretbox_easy2_SOURCE = cmptest.h secretbox_easy2.c secretbox_easy2_LDADD = $(TESTS_LDADD) +secretstream_SOURCE = cmptest.h secretstream.c +secretstream_LDADD = $(TESTS_LDADD) + shorthash_SOURCE = cmptest.h shorthash.c shorthash_LDADD = $(TESTS_LDADD) 
diff --git a/test/default/aead_aes256gcm.c b/test/default/aead_aes256gcm.c index cc1ba3f5..abfed6ab 100644 --- a/test/default/aead_aes256gcm.c +++ b/test/default/aead_aes256gcm.c @@ -3185,6 +3185,11 @@ tv(void) printf("Verification of test vector #%u with a truncated tag failed\n", (unsigned int) i); } + if (i == 0 && crypto_aead_aes256gcm_decrypt(NULL, NULL, + NULL, ciphertext, ciphertext_len, + ad, ad_len, nonce, key) != 0) { + printf("Verification of test vector #%u's tag failed\n", (unsigned int) i); + } if (crypto_aead_aes256gcm_decrypt(decrypted, &found_message_len, NULL, ciphertext, ciphertext_len, ad, ad_len, nonce, key) != 0) { @@ -3231,6 +3236,7 @@ main(void) assert(crypto_aead_aes256gcm_npubbytes() == crypto_aead_aes256gcm_NPUBBYTES); assert(crypto_aead_aes256gcm_abytes() == crypto_aead_aes256gcm_ABYTES); assert(crypto_aead_aes256gcm_statebytes() >= sizeof(crypto_aead_aes256gcm_state)); + assert(crypto_aead_aes256gcm_messagebytes_max() == crypto_aead_aes256gcm_MESSAGEBYTES_MAX); printf("OK\n"); return 0; diff --git a/test/default/aead_chacha20poly1305.c b/test/default/aead_chacha20poly1305.c index 8d1b3aae..30b9e66a 100644 --- a/test/default/aead_chacha20poly1305.c +++ b/test/default/aead_chacha20poly1305.c @@ -66,6 +66,10 @@ tv(void) printf("m != m2\n"); } memset(m2, 0, m2len); + assert(crypto_aead_chacha20poly1305_decrypt_detached(NULL, NULL, + c, MLEN, mac, + ad, ADLEN, + nonce, firstkey) == 0); if (crypto_aead_chacha20poly1305_decrypt_detached(m2, NULL, c, MLEN, mac, ad, ADLEN, 
@@ -163,6 +167,12 @@ tv(void) assert(crypto_aead_chacha20poly1305_keybytes() > 0U); assert(crypto_aead_chacha20poly1305_npubbytes() > 0U); assert(crypto_aead_chacha20poly1305_nsecbytes() == 0U); + assert(crypto_aead_chacha20poly1305_messagebytes_max() > 0U); + assert(crypto_aead_chacha20poly1305_messagebytes_max() == crypto_aead_chacha20poly1305_MESSAGEBYTES_MAX); + assert(crypto_aead_chacha20poly1305_keybytes() == crypto_aead_chacha20poly1305_KEYBYTES); + assert(crypto_aead_chacha20poly1305_nsecbytes() == crypto_aead_chacha20poly1305_NSECBYTES); + assert(crypto_aead_chacha20poly1305_npubbytes() == crypto_aead_chacha20poly1305_NPUBBYTES); + assert(crypto_aead_chacha20poly1305_abytes() == crypto_aead_chacha20poly1305_ABYTES); return 0; } @@ -239,6 +249,10 @@ tv_ietf(void) printf("m != m2\n"); } memset(m2, 0, m2len); + assert(crypto_aead_chacha20poly1305_ietf_decrypt_detached(NULL, NULL, + c, MLEN, mac, + ad, ADLEN, + nonce, firstkey) == 0); if (crypto_aead_chacha20poly1305_ietf_decrypt_detached(m2, NULL, c, MLEN, mac, ad, ADLEN, @@ -338,10 +352,12 @@ tv_ietf(void) assert(crypto_aead_chacha20poly1305_ietf_npubbytes() > crypto_aead_chacha20poly1305_npubbytes()); assert(crypto_aead_chacha20poly1305_ietf_nsecbytes() == 0U); assert(crypto_aead_chacha20poly1305_ietf_nsecbytes() == crypto_aead_chacha20poly1305_nsecbytes()); + assert(crypto_aead_chacha20poly1305_ietf_messagebytes_max() == crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX); assert(crypto_aead_chacha20poly1305_IETF_KEYBYTES == crypto_aead_chacha20poly1305_ietf_KEYBYTES); assert(crypto_aead_chacha20poly1305_IETF_NSECBYTES == crypto_aead_chacha20poly1305_ietf_NSECBYTES); assert(crypto_aead_chacha20poly1305_IETF_NPUBBYTES == crypto_aead_chacha20poly1305_ietf_NPUBBYTES); assert(crypto_aead_chacha20poly1305_IETF_ABYTES == crypto_aead_chacha20poly1305_ietf_ABYTES); + assert(crypto_aead_chacha20poly1305_IETF_MESSAGEBYTES_MAX == crypto_aead_chacha20poly1305_ietf_MESSAGEBYTES_MAX); return 0; } 
diff --git a/test/default/aead_xchacha20poly1305.c b/test/default/aead_xchacha20poly1305.c index de2d445d..0927ce6c 100644 --- a/test/default/aead_xchacha20poly1305.c +++ b/test/default/aead_xchacha20poly1305.c @@ -29,6 +29,7 @@ tv(void) = { 0x50, 0x51, 0x52, 0x53, 0xc0, 0xc1, 0xc2, 0xc3, 0xc4, 0xc5, 0xc6, 0xc7 }; unsigned char *c = (unsigned char *) sodium_malloc(CLEN); unsigned char *detached_c = (unsigned char *) sodium_malloc(MLEN); + unsigned char *key2 = (unsigned char *) sodium_malloc(crypto_aead_xchacha20poly1305_ietf_KEYBYTES); unsigned char *mac = (unsigned char *) sodium_malloc(crypto_aead_xchacha20poly1305_ietf_ABYTES); unsigned char *m2 = (unsigned char *) sodium_malloc(MLEN); unsigned long long found_clen; @@ -39,8 +40,8 @@ tv(void) assert(sizeof MESSAGE - 1U == MLEN); memcpy(m, MESSAGE, MLEN); crypto_aead_xchacha20poly1305_ietf_encrypt(c, &found_clen, m, MLEN, - ad, ADLEN, - NULL, nonce, firstkey); + ad, ADLEN, + NULL, nonce, firstkey); if (found_clen != MLEN + crypto_aead_xchacha20poly1305_ietf_abytes()) { printf("found_clen is not properly set\n"); } @@ -52,10 +53,10 @@ tv(void) } printf("\n"); crypto_aead_xchacha20poly1305_ietf_encrypt_detached(detached_c, - mac, &found_maclen, - m, MLEN, - ad, ADLEN, - NULL, nonce, firstkey); + mac, &found_maclen, + m, MLEN, + ad, ADLEN, + NULL, nonce, firstkey); if (found_maclen != crypto_aead_xchacha20poly1305_ietf_abytes()) { printf("found_maclen is not properly set\n"); } @@ -64,7 +65,7 @@ tv(void) } if (crypto_aead_xchacha20poly1305_ietf_decrypt(m2, &m2len, NULL, c, CLEN, ad, - ADLEN, nonce, firstkey) != 0) { + ADLEN, nonce, firstkey) != 0) { printf("crypto_aead_xchacha20poly1305_ietf_decrypt() failed\n"); } if (m2len != MLEN) { 
@@ -75,9 +76,9 @@ tv(void) } memset(m2, 0, m2len); if (crypto_aead_xchacha20poly1305_ietf_decrypt_detached(m2, NULL, - c, MLEN, mac, - ad, ADLEN, - nonce, firstkey) != 0) { + c, MLEN, mac, + ad, ADLEN, + nonce, firstkey) != 0) { printf("crypto_aead_xchacha20poly1305_ietf_decrypt_detached() failed\n"); } if (memcmp(m, m2, MLEN) != 0) { @@ -87,14 +88,14 @@ tv(void) for (i = 0U; i < CLEN; i++) { c[i] ^= (i + 1U); if (crypto_aead_xchacha20poly1305_ietf_decrypt(m2, NULL, NULL, c, CLEN, - ad, ADLEN, nonce, firstkey) + ad, ADLEN, nonce, firstkey) == 0 || memcmp(m, m2, MLEN) == 0) { printf("message can be forged\n"); } c[i] ^= (i + 1U); } crypto_aead_xchacha20poly1305_ietf_encrypt(c, &found_clen, m, MLEN, - NULL, 0U, NULL, nonce, firstkey); + NULL, 0U, NULL, nonce, firstkey); if (found_clen != CLEN) { printf("clen is not properly set (adlen=0)\n"); } @@ -106,7 +107,7 @@ tv(void) } printf("\n"); if (crypto_aead_xchacha20poly1305_ietf_decrypt(m2, &m2len, NULL, c, CLEN, - NULL, 0U, nonce, firstkey) != 0) { + NULL, 0U, nonce, firstkey) != 0) { printf("crypto_aead_xchacha20poly1305_ietf_decrypt() failed (adlen=0)\n"); } if (m2len != MLEN) { @@ -138,7 +139,7 @@ tv(void) memcpy(c, m, MLEN); crypto_aead_xchacha20poly1305_ietf_encrypt(c, &found_clen, c, MLEN, - NULL, 0U, NULL, nonce, firstkey); + NULL, 0U, NULL, nonce, firstkey); if (found_clen != CLEN) { printf("clen is not properly set (adlen=0)\n"); } @@ -151,7 +152,7 @@ tv(void) printf("\n"); if (crypto_aead_xchacha20poly1305_ietf_decrypt(c, &m2len, NULL, c, CLEN, - NULL, 0U, nonce, firstkey) != 0) { + NULL, 0U, nonce, firstkey) != 0) { printf("crypto_aead_xchacha20poly1305_ietf_decrypt() failed (adlen=0)\n"); } if (m2len != MLEN) { 
@@ -161,8 +162,15 @@ tv(void) printf("m != c (adlen=0)\n"); } + crypto_aead_xchacha20poly1305_ietf_keygen(key2); + if (crypto_aead_xchacha20poly1305_ietf_decrypt(c, &m2len, NULL, c, CLEN, + NULL, 0U, nonce, key2) == 0) { + printf("crypto_aead_xchacha20poly1305_ietf_decrypt() with a wrong key should have failed\n"); + } + sodium_free(c); sodium_free(detached_c); + sodium_free(key2); sodium_free(mac); sodium_free(m2); sodium_free(m); @@ -171,10 +179,12 @@ tv(void) assert(crypto_aead_xchacha20poly1305_ietf_npubbytes() == crypto_aead_xchacha20poly1305_ietf_NPUBBYTES); assert(crypto_aead_xchacha20poly1305_ietf_nsecbytes() == 0U); assert(crypto_aead_xchacha20poly1305_ietf_nsecbytes() == crypto_aead_xchacha20poly1305_ietf_NSECBYTES); + assert(crypto_aead_xchacha20poly1305_ietf_messagebytes_max() == crypto_aead_xchacha20poly1305_ietf_MESSAGEBYTES_MAX); assert(crypto_aead_xchacha20poly1305_IETF_KEYBYTES == crypto_aead_xchacha20poly1305_ietf_KEYBYTES); assert(crypto_aead_xchacha20poly1305_IETF_NSECBYTES == crypto_aead_xchacha20poly1305_ietf_NSECBYTES); assert(crypto_aead_xchacha20poly1305_IETF_NPUBBYTES == crypto_aead_xchacha20poly1305_ietf_NPUBBYTES); assert(crypto_aead_xchacha20poly1305_IETF_ABYTES == crypto_aead_xchacha20poly1305_ietf_ABYTES); + assert(crypto_aead_xchacha20poly1305_IETF_MESSAGEBYTES_MAX == crypto_aead_xchacha20poly1305_ietf_MESSAGEBYTES_MAX); return 0; } diff --git a/test/default/auth.c b/test/default/auth.c index 8672c760..60d26587 100644 --- a/test/default/auth.c +++ b/test/default/auth.c @@ -19,6 +19,7 @@ int main(void) { crypto_auth_hmacsha512_state st; + crypto_auth_hmacsha256_state st256; size_t i; assert(crypto_auth_hmacsha512_statebytes() == 
@@ -52,6 +53,18 @@ main(void) printf("\n"); } + memset(a2, 0, sizeof a2); + crypto_auth_hmacsha256_init(&st256, key2, sizeof key2); + crypto_auth_hmacsha256_update(&st256, NULL, 0U); + crypto_auth_hmacsha256_update(&st256, c, 1U); + crypto_auth_hmacsha256_update(&st256, c, sizeof c - 2U); + crypto_auth_hmacsha256_final(&st256, a2); + for (i = 0; i < sizeof a2; ++i) { + printf(",0x%02x", (unsigned int) a2[i]); + if (i % 8 == 7) + printf("\n"); + } + assert(crypto_auth_bytes() > 0U); assert(crypto_auth_keybytes() > 0U); assert(strcmp(crypto_auth_primitive(), "hmacsha512256") == 0); diff --git a/test/default/auth.exp b/test/default/auth.exp index b18278ce..03b57d63 100644 --- a/test/default/auth.exp +++ b/test/default/auth.exp @@ -20,3 +20,11 @@ ,0x31,0x8a,0x9a,0x0b,0x3b,0x78,0x60,0xa4 ,0x31,0x6f,0x72,0x9b,0x8d,0x30,0x0f,0x15 ,0x9b,0x2f,0x60,0x93,0xa8,0x60,0xc1,0xed +,0x62,0x27,0xe4,0xce,0x7c,0x7f,0xe7,0xa4 +,0xba,0x9e,0x2a,0xc3,0x42,0xc3,0x5d,0x24 +,0x03,0x3e,0x38,0x8c,0x9b,0xdc,0x29,0x9b +,0x4a,0x50,0x50,0xf6,0x71,0x70,0xf4,0x83 +,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 +,0x00,0x00,0x00,0x00,0x00,0x00,0x00,0x00 diff --git a/test/default/box.c b/test/default/box.c index 917e4dc4..228aca7b 100644 --- a/test/default/box.c +++ b/test/default/box.c @@ -87,6 +87,7 @@ main(void) assert(crypto_box_zerobytes() > 0U); assert(crypto_box_boxzerobytes() > 0U); assert(crypto_box_macbytes() > 0U); + assert(crypto_box_messagebytes_max() > 0U); assert(strcmp(crypto_box_primitive(), "curve25519xsalsa20poly1305") == 0); assert(crypto_box_curve25519xsalsa20poly1305_seedbytes() == crypto_box_seedbytes()); @@ -104,6 +105,8 @@ main(void) crypto_box_boxzerobytes()); assert(crypto_box_curve25519xsalsa20poly1305_macbytes() == crypto_box_macbytes()); + assert(crypto_box_curve25519xsalsa20poly1305_messagebytes_max() == + crypto_box_messagebytes_max()); return 0; } 
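Review bot: The print loop at the end of the added block runs over `sizeof a2` (64 bytes, the size the array was presumably given for HMAC-SHA-512) while `crypto_auth_hmacsha256_final()` writes only `crypto_auth_hmacsha256_BYTES` of it, so the four rows of `0x00` added to auth.exp are the `memset` padding rather than part of the test vector. Bounding the loop with `for (i = 0; i < crypto_auth_hmacsha256_BYTES; ++i)` and dropping the zero rows from auth.exp keeps the expected output meaningful; `a2` is declared outside this hunk, so its size is inferred from the 64 printed bytes. The update sequence `c, 1U` then `c, sizeof c - 2U` authenticates `c[0] || c[0 .. len-3]` rather than a split of `c`, which reads like an off-by-one at a glance and deserves a comment such as `/* deliberately overlapping chunks: the vector is c[0] followed by c[0..len-3] */`.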
diff --git a/test/default/box2.c b/test/default/box2.c index b0174d47..3e46fda8 100644 --- a/test/default/box2.c +++ b/test/default/box2.c @@ -64,6 +64,8 @@ main(void) assert(ret == -1); memset(m, 0, sizeof m); + ret = crypto_box_beforenm(k, small_order_p, bobsk); + assert(ret == -1); ret = crypto_box_beforenm(k, alicepk, bobsk); assert(ret == 0); if (crypto_box_open_afternm(m, c, 163, nonce, k) == 0) { diff --git a/test/default/box_easy.c b/test/default/box_easy.c index c75debb1..9a336d3f 100644 --- a/test/default/box_easy.c +++ b/test/default/box_easy.c @@ -64,11 +64,8 @@ main(void) } printf("\n"); c[randombytes_uniform(crypto_box_MACBYTES)]++; - ret = - crypto_box_open_easy(c, c, crypto_box_MACBYTES, nonce, bobpk, alicesk); + ret = crypto_box_open_easy(c, c, crypto_box_MACBYTES, nonce, bobpk, alicesk); assert(ret == -1); - assert(crypto_box_easy(c, m, SIZE_MAX - 1U, nonce, bobpk, alicesk) == -1); - return 0; } diff --git a/test/default/box_easy2.c b/test/default/box_easy2.c index 5b042b8f..05cb099f 100644 --- a/test/default/box_easy2.c +++ b/test/default/box_easy2.c @@ -88,10 +88,10 @@ main(void) memset(m2, 0, m2_size); - if (crypto_box_easy_afternm(c, m, SIZE_MAX - 1U, nonce, k1) == 0) { + if (crypto_box_easy_afternm(c, m, 0, nonce, k1) != 0) { printf( - "crypto_box_easy_afternm() with a short ciphertext should have " - "failed\n"); + "crypto_box_easy_afternm() with a null ciphertext should have " + "worked\n"); } crypto_box_easy_afternm(c, m, (unsigned long long) mlen, nonce, k1); if (crypto_box_open_easy_afternm( 
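Review bot: The new zero-length check only verifies that `crypto_box_easy_afternm()` returns 0 for an empty message; the MAC-only box it produces is never opened, and the failure message says "null ciphertext" although what is passed is an empty message. Adding `if (crypto_box_open_easy_afternm(m2, c, crypto_box_MACBYTES, nonce, k1) != 0) { printf("crypto_box_open_easy_afternm() with an empty message failed\n"); }` right after it covers the empty-message round trip, and "with an empty message should have worked" describes the case accurately. The trailing `if (crypto_box_open_easy_afternm(` of this hunk continues outside the visible lines.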
@@ -113,6 +113,10 @@ main(void) ret = crypto_box_detached(c, mac, m, (unsigned long long) mlen, nonce, alicepk, bobsk); assert(ret == 0); + if (crypto_box_open_detached(m2, c, mac, (unsigned long long) mlen, nonce, + small_order_p, alicesk) != -1) { + printf("crypto_box_open_detached() with a weak key passed\n"); + } if (crypto_box_open_detached(m2, c, mac, (unsigned long long) mlen, nonce, bobpk, alicesk) != 0) { printf("crypto_box_open_detached() failed\n"); diff --git a/test/default/chacha20.c b/test/default/chacha20.c index 3cba6c31..0abe8d34 100644 --- a/test/default/chacha20.c +++ b/test/default/chacha20.c @@ -75,7 +75,7 @@ void tv(void) crypto_stream_chacha20_xor_ic(out, out, sizeof out, nonce, 1U, key); sodium_bin2hex(out_hex, sizeof out_hex, out, sizeof out); printf("[%s]\n", out_hex); -}; +} static void tv_ietf(void) @@ -163,7 +163,7 @@ void tv_ietf(void) crypto_stream_chacha20_ietf_xor_ic(out, out, sizeof out, nonce, 1U, key); sodium_bin2hex(out_hex, sizeof out_hex, out, sizeof out); printf("[%s]\n", out_hex); -}; +} int main(void) @@ -172,8 +172,15 @@ main(void) tv_ietf(); assert(crypto_stream_chacha20_keybytes() > 0U); + assert(crypto_stream_chacha20_keybytes() == crypto_stream_chacha20_KEYBYTES); assert(crypto_stream_chacha20_noncebytes() > 0U); + assert(crypto_stream_chacha20_noncebytes() == crypto_stream_chacha20_NONCEBYTES); + assert(crypto_stream_chacha20_messagebytes_max() == crypto_stream_chacha20_MESSAGEBYTES_MAX); + assert(crypto_stream_chacha20_ietf_keybytes() > 0U); + assert(crypto_stream_chacha20_ietf_keybytes() == crypto_stream_chacha20_ietf_KEYBYTES); assert(crypto_stream_chacha20_ietf_noncebytes() > 0U); + assert(crypto_stream_chacha20_ietf_noncebytes() == crypto_stream_chacha20_ietf_NONCEBYTES); + assert(crypto_stream_chacha20_ietf_messagebytes_max() == crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX); return 0; } diff --git a/test/default/cmptest.h b/test/default/cmptest.h index 96a0ad76..d1b9bafc 100644 --- a/test/default/cmptest.h 
+++ b/test/default/cmptest.h @@ -30,7 +30,53 @@ int xmain(void); -#ifndef BROWSER_TESTS +#ifdef BENCHMARKS + +# include + +# ifndef ITERATIONS +# define ITERATIONS 128 +# endif + +static unsigned long long now(void) +{ + struct timeval tp; + unsigned long long now; + + if (gettimeofday(&tp, NULL) != 0) { + abort(); + } + now = ((unsigned long long) tp.tv_sec * 1000000ULL) + + (unsigned long long) tp.tv_usec; + + return now; +} + +int main(void) +{ + unsigned long long ts_start; + unsigned long long ts_end; + unsigned int i; + + if (sodium_init() != 0) { + return 99; + } + randombytes_set_implementation(&randombytes_salsa20_implementation); + ts_start = now(); + for (i = 0; i < ITERATIONS; i++) { + if (xmain() != 0) { + abort(); + } + } + ts_end = now(); + printf("%llu\n", 1000000ULL * (ts_end - ts_start) / ITERATIONS); + + return 0; +} + +#define printf(...) do { } while(0) + +#elif !defined(BROWSER_TESTS) FILE *fp_res; diff --git a/test/default/codecs.c b/test/default/codecs.c new file mode 100644 index 00000000..a2bf55d7 --- /dev/null +++ b/test/default/codecs.c 
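Review bot: In `now()` the local `unsigned long long now;` shadows the function's own name, which `-Wshadow` flags and which is confusing in a helper this small; `return ((unsigned long long) tp.tv_sec * 1000000ULL) + (unsigned long long) tp.tv_usec;` removes the variable. `gettimeofday()` is wall-clock time and can step backwards under clock adjustments, so a run spanning a step would underflow `ts_end - ts_start`; `clock_gettime(CLOCK_MONOTONIC, ...)` is the usual benchmark timer where available, though the portability constraints on this header are not visible here. The `# include` line under `#ifdef BENCHMARKS` has lost its header name in this rendering (presumably `<sys/time.h>` for `gettimeofday`), and the unit of the printed figure (microseconds × 1000000 / ITERATIONS) is not obvious, so a comment on the `printf` naming it would help.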
@@ -0,0 +1,226 @@ +#define TEST_NAME "codecs" +#include "cmptest.h" + +int +main(void) +{ + unsigned char buf1[1000]; + char buf3[33]; + unsigned char buf4[4]; + const char *b64; + char *b64_; + const char *b64_end; + unsigned char *bin; + unsigned char *bin_padded; + const char *hex; + const char *hex_end; + size_t b64_len; + size_t bin_len, bin_len2; + unsigned int i; + + printf("%s\n", + sodium_bin2hex(buf3, 33U, (const unsigned char *) "0123456789ABCDEF", + 16U)); + hex = "Cafe : 6942"; + sodium_hex2bin(buf4, sizeof buf4, hex, strlen(hex), ": ", &bin_len, + &hex_end); + printf("%lu:%02x%02x%02x%02x\n", (unsigned long) bin_len, + buf4[0], buf4[1], buf4[2], buf4[3]); + printf("dt1: %ld\n", (long) (hex_end - hex)); + + hex = "Cafe : 6942"; + sodium_hex2bin(buf4, sizeof buf4, hex, strlen(hex), ": ", &bin_len, NULL); + printf("%lu:%02x%02x%02x%02x\n", (unsigned long) bin_len, + buf4[0], buf4[1], buf4[2], buf4[3]); + + hex = "deadbeef"; + if (sodium_hex2bin(buf1, 1U, hex, 8U, NULL, &bin_len, &hex_end) != -1) { + printf("sodium_hex2bin() overflow not detected\n"); + } + printf("dt2: %ld\n", (long) (hex_end - hex)); + + hex = "de:ad:be:eff"; + if (sodium_hex2bin(buf1, 4U, hex, 12U, ":", &bin_len, &hex_end) != -1) { + printf( + "sodium_hex2bin() with an odd input length and a short output " + "buffer\n"); + } + printf("dt3: %ld\n", (long) (hex_end - hex)); + + hex = "de:ad:be:eff"; + if (sodium_hex2bin(buf1, sizeof buf1, hex, 12U, ":", + &bin_len, &hex_end) != -1) { + printf("sodium_hex2bin() with an odd input length\n"); + } + printf("dt4: %ld\n", (long) (hex_end - hex)); + + hex = "de:ad:be:eff"; + if (sodium_hex2bin(buf1, sizeof buf1, hex, 13U, ":", + &bin_len, &hex_end) != -1) { + printf("sodium_hex2bin() with an odd input length (2)\n"); + } + printf("dt5: %ld\n", (long) (hex_end - hex)); + + hex = "de:ad:be:eff"; + if (sodium_hex2bin(buf1, sizeof buf1, hex, 12U, ":", + &bin_len, NULL) != -1) { + printf("sodium_hex2bin() with an odd input length and no end 
pointer\n"); + } + + hex = "de:ad:be:ef*"; + if (sodium_hex2bin(buf1, sizeof buf1, hex, 12U, ":", + &bin_len, &hex_end) != 0) { + printf("sodium_hex2bin() with an extra character and an end pointer\n"); + } + printf("dt6: %ld\n", (long) (hex_end - hex)); + + hex = "de:ad:be:ef*"; + if (sodium_hex2bin(buf1, sizeof buf1, hex, 12U, ":", + &bin_len, NULL) != -1) { + printf("sodium_hex2bin() with an extra character and no end pointer\n"); + } + + printf("%s\n", + sodium_bin2base64(buf3, 31U, (const unsigned char *) "\xfb\xf0\xf1" "0123456789ABCDEFab", + 21U, sodium_base64_VARIANT_ORIGINAL)); + printf("%s\n", + sodium_bin2base64(buf3, 33U, (const unsigned char *) "\xfb\xf0\xf1" "0123456789ABCDEFabc", + 22U, sodium_base64_VARIANT_ORIGINAL_NO_PADDING)); + printf("%s\n", + sodium_bin2base64(buf3, 31U, (const unsigned char *) "\xfb\xf0\xf1" "0123456789ABCDEFab", + 21U, sodium_base64_VARIANT_URLSAFE)); + printf("%s\n", + sodium_bin2base64(buf3, 33U, (const unsigned char *) "\xfb\xf0\xf1" "0123456789ABCDEFabc", + 22U, sodium_base64_VARIANT_URLSAFE_NO_PADDING)); + printf("%s\n", + sodium_bin2base64(buf3, 1U, NULL, + 0U, sodium_base64_VARIANT_ORIGINAL)); + printf("%s\n", + sodium_bin2base64(buf3, 5U, (const unsigned char *) "a", + 1U, sodium_base64_VARIANT_ORIGINAL)); + printf("%s\n", + sodium_bin2base64(buf3, 5U, (const unsigned char *) "ab", + 2U, sodium_base64_VARIANT_ORIGINAL)); + printf("%s\n", + sodium_bin2base64(buf3, 5U, (const unsigned char *) "abc", + 3U, sodium_base64_VARIANT_ORIGINAL)); + printf("%s\n", + sodium_bin2base64(buf3, 1U, NULL, + 0U, sodium_base64_VARIANT_ORIGINAL_NO_PADDING)); + printf("%s\n", + sodium_bin2base64(buf3, 3U, (const unsigned char *) "a", + 1U, sodium_base64_VARIANT_ORIGINAL_NO_PADDING)); + printf("%s\n", + sodium_bin2base64(buf3, 4U, (const unsigned char *) "ab", + 2U, sodium_base64_VARIANT_ORIGINAL_NO_PADDING)); + printf("%s\n", + sodium_bin2base64(buf3, 5U, (const unsigned char *) "abc", + 3U, sodium_base64_VARIANT_ORIGINAL_NO_PADDING)); + 
+ b64 = "VGhpcyBpcyBhIGpvdXJu" "\n" "ZXkgaW50by" " " "Bzb3VuZA=="; + memset(buf4, '*', sizeof buf4); + assert(sodium_base642bin(buf4, sizeof buf4, b64, strlen(b64), "\n\r ", &bin_len, + &b64_end, sodium_base64_VARIANT_ORIGINAL) == -1); + buf4[bin_len] = 0; + printf("[%s]\n", (const char *) buf4); + printf("[%s]\n", b64_end); + + memset(buf1, '*', sizeof buf1); + assert(sodium_base642bin(buf1, sizeof buf1, b64, strlen(b64), "\n\r ", &bin_len, + &b64_end, sodium_base64_VARIANT_ORIGINAL) == 0); + buf1[bin_len] = 0; + printf("[%s]\n", (const char *) buf1); + assert(*b64_end == 0); + + memset(buf1, '*', sizeof buf1); + assert(sodium_base642bin(buf1, sizeof buf1, b64, strlen(b64), NULL, &bin_len, + &b64_end, sodium_base64_VARIANT_ORIGINAL) == 0); + buf1[bin_len] = 0; + printf("[%s]\n", (const char *) buf1); + printf("[%s]\n", b64_end); + + assert(sodium_base642bin(buf1, sizeof buf1, b64, strlen(b64), NULL, NULL, + &b64_end, sodium_base64_VARIANT_ORIGINAL) == 0); + assert(sodium_base642bin(buf1, sizeof buf1, b64, strlen(b64), NULL, NULL, + &b64_end, sodium_base64_VARIANT_ORIGINAL_NO_PADDING) == 0); + assert(sodium_base642bin(buf1, sizeof buf1, b64, strlen(b64), " \r\n", NULL, + &b64_end, sodium_base64_VARIANT_ORIGINAL_NO_PADDING) == 0); + assert(sodium_base642bin(buf1, sizeof buf1, b64, strlen(b64), NULL, NULL, + &b64_end, sodium_base64_VARIANT_URLSAFE_NO_PADDING) == 0); + assert(sodium_base642bin(buf1, sizeof buf1, b64, strlen(b64), " \r\n", NULL, + &b64_end, sodium_base64_VARIANT_URLSAFE_NO_PADDING) == 0); + + assert(sodium_base642bin(buf1, sizeof buf1, b64, strlen(b64), NULL, NULL, + NULL, sodium_base64_VARIANT_ORIGINAL) == -1); + assert(sodium_base642bin(buf1, sizeof buf1, b64, strlen(b64), NULL, NULL, + NULL, sodium_base64_VARIANT_ORIGINAL_NO_PADDING) == -1); + assert(sodium_base642bin(buf1, sizeof buf1, b64, strlen(b64), " \r\n", NULL, + NULL, sodium_base64_VARIANT_ORIGINAL_NO_PADDING) == -1); + assert(sodium_base642bin(buf1, sizeof buf1, b64, strlen(b64), NULL, 
NULL, + NULL, sodium_base64_VARIANT_URLSAFE_NO_PADDING) == -1); + assert(sodium_base642bin(buf1, sizeof buf1, b64, strlen(b64), " \r\n", NULL, + NULL, sodium_base64_VARIANT_URLSAFE_NO_PADDING) == -1); + + assert(sodium_base642bin(NULL, (size_t) 10U, "a=", (size_t) 2U, NULL, NULL, NULL, + sodium_base64_VARIANT_URLSAFE) == -1); + assert(sodium_base642bin(NULL, (size_t) 10U, "a*", (size_t) 2U, NULL, NULL, NULL, + sodium_base64_VARIANT_URLSAFE) == -1); + assert(sodium_base642bin(NULL, (size_t) 10U, "a*", (size_t) 2U, "~", NULL, NULL, + sodium_base64_VARIANT_URLSAFE) == -1); + assert(sodium_base642bin(NULL, (size_t) 10U, "a*", (size_t) 2U, "*", NULL, NULL, + sodium_base64_VARIANT_URLSAFE) == -1); + assert(sodium_base642bin(NULL, (size_t) 10U, "a==", (size_t) 3U, NULL, NULL, NULL, + sodium_base64_VARIANT_URLSAFE) == -1); + assert(sodium_base642bin(NULL, (size_t) 10U, "a=*", (size_t) 3U, NULL, NULL, NULL, + sodium_base64_VARIANT_URLSAFE) == -1); + assert(sodium_base642bin(NULL, (size_t) 10U, "a=*", (size_t) 3U, "~", NULL, NULL, + sodium_base64_VARIANT_URLSAFE) == -1); + assert(sodium_base642bin(NULL, (size_t) 10U, "a=*", (size_t) 3U, "*", NULL, NULL, + sodium_base64_VARIANT_URLSAFE) == -1); + + assert(sodium_base642bin(buf1, sizeof buf1, "O1R", (size_t) 3U, NULL, NULL, NULL, + sodium_base64_VARIANT_ORIGINAL_NO_PADDING) == -1); + assert(sodium_base642bin(buf1, sizeof buf1, "O1Q", (size_t) 3U, NULL, NULL, NULL, + sodium_base64_VARIANT_ORIGINAL_NO_PADDING) == 0); + assert(sodium_base642bin(buf1, sizeof buf1, "O1", (size_t) 2U, NULL, NULL, NULL, + sodium_base64_VARIANT_ORIGINAL_NO_PADDING) == -1); + assert(sodium_base642bin(buf1, sizeof buf1, "Ow", (size_t) 2U, NULL, NULL, NULL, + sodium_base64_VARIANT_ORIGINAL_NO_PADDING) == 0); + assert(sodium_base642bin(buf1, sizeof buf1, "O", (size_t) 1U, NULL, NULL, NULL, + sodium_base64_VARIANT_ORIGINAL_NO_PADDING) == -1); + + assert(sodium_base642bin(buf1, sizeof buf1, "kaw", (size_t) 3U, NULL, NULL, NULL, + 
sodium_base64_VARIANT_ORIGINAL) == -1); + assert(sodium_base642bin(buf1, sizeof buf1, "kQ*", (size_t) 3U, "@", NULL, NULL, + sodium_base64_VARIANT_ORIGINAL) == -1); + assert(sodium_base642bin(buf1, sizeof buf1, "kQ*", (size_t) 3U, "*", NULL, NULL, + sodium_base64_VARIANT_ORIGINAL) == -1); + assert(sodium_base642bin(buf1, sizeof buf1, "kaw=**", (size_t) 6U, "*", NULL, NULL, + sodium_base64_VARIANT_ORIGINAL) == 0); + assert(sodium_base642bin(buf1, sizeof buf1, "kaw*=*", (size_t) 6U, "~*", NULL, NULL, + sodium_base64_VARIANT_ORIGINAL) == 0); + assert(sodium_base642bin(buf1, sizeof buf1, "ka*w*=*", (size_t) 7U, "*~", NULL, NULL, + sodium_base64_VARIANT_ORIGINAL) == 0); + + for (i = 0; i < 1000; i++) { + assert(sizeof buf1 >= 100); + bin_len = (size_t) randombytes_uniform(100); + bin = (unsigned char *) sodium_malloc(bin_len); + b64_len = (bin_len + 2U) / 3U * 4U + 1U; + assert(b64_len == sodium_base64_encoded_len(bin_len, sodium_base64_VARIANT_URLSAFE)); + b64_ = (char *) sodium_malloc(b64_len); + randombytes_buf(bin, bin_len); + memcpy(buf1, bin, bin_len); + b64 = sodium_bin2base64(b64_, b64_len, bin, bin_len, + sodium_base64_VARIANT_URLSAFE); + assert(b64 != NULL); + assert(sodium_base642bin(bin, bin_len + 10, b64, b64_len, + NULL, NULL, &b64_end, + sodium_base64_VARIANT_URLSAFE) == 0); + assert(b64_end == &b64[b64_len - 1]); + assert(memcmp(bin, buf1, bin_len) == 0); + sodium_free(bin); + sodium_free(b64_); + } + return 0; +} diff --git a/test/default/codecs.exp b/test/default/codecs.exp new file mode 100644 index 00000000..863091be --- /dev/null +++ b/test/default/codecs.exp 
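Review bot: In the random round-trip loop at the end of the file, `sodium_base642bin(bin, bin_len + 10, ...)` declares `bin` to be ten bytes larger than its `sodium_malloc(bin_len)` allocation, which disables the decoder's own output-length check for exactly the case the loop is meant to exercise; the capacity argument should be `bin_len`. Earlier, `buf4[bin_len] = 0;` follows the `== -1` assert on the 4-byte `buf4` without checking `bin_len`, so it relies on the decoder reporting a length below 4 on failure (the expected `[]` in codecs.exp suggests 0); `assert(bin_len < sizeof buf4);` before the write makes that assumption explicit. `bin_len` may also be 0 in the loop, so the test silently depends on `sodium_malloc(0)` returning a usable pointer, which is worth a comment.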
@@ -0,0 +1,28 @@
+30313233343536373839414243444546
+4:cafe6942
+dt1: 11
+4:cafe6942
+dt2: 2
+dt3: 11
+dt4: 11
+dt5: 11
+dt6: 11
++/DxMDEyMzQ1Njc4OUFCQ0RFRmFi
++/DxMDEyMzQ1Njc4OUFCQ0RFRmFiYw
+-_DxMDEyMzQ1Njc4OUFCQ0RFRmFi
+-_DxMDEyMzQ1Njc4OUFCQ0RFRmFiYw
+
+YQ==
+YWI=
+YWJj
+
+YQ
+YWI
+YWJj
+[]
+[BpcyBhIGpvdXJu
+ZXkgaW50by Bzb3VuZA==]
+[This is a journey into sound]
+[This is a journ]
+[
+ZXkgaW50by Bzb3VuZA==]
diff --git a/test/default/core3.c b/test/default/core3.c
index 9691bf17..d6f7f609 100644
--- a/test/default/core3.c
+++ b/test/default/core3.c
@@ -2,43 +2,70 @@ #define TEST_NAME "core3" #include "cmptest.h" -static unsigned char secondkey[32] = { 0xdc, 0x90, 0x8d, 0xda, 0x0b, 0x93, 0x44, +static unsigned char SECONDKEY[32] = { 0xdc, 0x90, 0x8d, 0xda, 0x0b, 0x93, 0x44, 0xa9, 0x53, 0x62, 0x9b, 0x73, 0x38, 0x20, 0x77, 0x88, 0x80, 0xf3, 0xce, 0xb4, 0x21, 0xbb, 0x61, 0xb9, 0x1c, 0xbd, 0x4c, 0x3e, 0x66, 0x25, 0x6c, 0xe4 }; -static unsigned char noncesuffix[8] = { 0x82, 0x19, 0xe0, 0x03, +static unsigned char NONCESUFFIX[8] = { 0x82, 0x19, 0xe0, 0x03, 0x6b, 0x7a, 0x0b, 0x37 }; -static unsigned char c[16] = { 0x65, 0x78, 0x70, 0x61, 0x6e, 0x64, 0x20, 0x33, +static unsigned char C[16] = { 0x65, 0x78, 0x70, 0x61, 0x6e, 0x64, 0x20, 0x33, 0x32, 0x2d, 0x62, 0x79, 0x74, 0x65, 0x20, 0x6b }; -static unsigned char in[16]; - -static unsigned char output[64 * 256 * 256]; - -static unsigned char h[32]; - int main(void) { - int i; - long long pos = 0; + unsigned char *secondkey; + unsigned char *c; + unsigned char *noncesuffix; + unsigned char *in; + unsigned char *output; + unsigned char *h; + size_t output_len = 64 * 256 * 256; + size_t pos = 0; + int i; - for (i = 0; i < 8; ++i) + secondkey = (unsigned char *) sodium_malloc(32); + memcpy(secondkey, SECONDKEY, 32); + noncesuffix = (unsigned char *) sodium_malloc(8); + memcpy(noncesuffix, NONCESUFFIX, 8); + c = (unsigned char *) sodium_malloc(16); + memcpy(c, C, 16); + in = (unsigned char *) sodium_malloc(16); + output = (unsigned char *) sodium_malloc(output_len); + h = (unsigned char *) sodium_malloc(32); + + for (i = 0; i < 8; i++) { in[i] = noncesuffix[i]; + } + for (; i < 16; i++) { + in[i] = 0; + } do { do { crypto_core_salsa20(output + pos, in, secondkey, c); pos += 64; - } while (++in[8]); - } while (++in[9]); - crypto_hash_sha256(h, output, sizeof output); + in[8]++; + } while (in[8] != 0); + in[9]++; + } while (in[9] != 0); + + crypto_hash_sha256(h, output, output_len); + for (i = 0; i < 32; ++i) { printf("%02x", h[i]); } printf("\n"); + + sodium_free(h); + 
sodium_free(output); + sodium_free(in); + sodium_free(c); + sodium_free(noncesuffix); + sodium_free(secondkey); + assert(crypto_core_salsa20_outputbytes() > 0U); assert(crypto_core_salsa20_inputbytes() > 0U); assert(crypto_core_salsa20_keybytes() > 0U); diff --git a/test/default/ed25519_convert.c b/test/default/ed25519_convert.c index c65b9906..04b3a691 100644 --- a/test/default/ed25519_convert.c +++ b/test/default/ed25519_convert.c @@ -45,6 +45,23 @@ main(void) printf("conversion failed\n"); } } + + sodium_hex2bin(ed25519_pk, crypto_sign_ed25519_PUBLICKEYBYTES, + "0000000000000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000", + 64, NULL, NULL, NULL); + assert(crypto_sign_ed25519_pk_to_curve25519(curve25519_pk, ed25519_pk) == -1); + sodium_hex2bin(ed25519_pk, crypto_sign_ed25519_PUBLICKEYBYTES, + "0200000000000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000", + 64, NULL, NULL, NULL); + assert(crypto_sign_ed25519_pk_to_curve25519(curve25519_pk, ed25519_pk) == -1); + sodium_hex2bin(ed25519_pk, crypto_sign_ed25519_PUBLICKEYBYTES, + "0500000000000000000000000000000000000000000000000000000000000000" + "0000000000000000000000000000000000000000000000000000000000000000", + 64, NULL, NULL, NULL); + assert(crypto_sign_ed25519_pk_to_curve25519(curve25519_pk, ed25519_pk) == -1); + printf("ok\n"); return 0; diff --git a/test/default/kdf.c b/test/default/kdf.c index 211cc4af..48225c5a 100644 --- a/test/default/kdf.c +++ b/test/default/kdf.c 
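Review bot: `SECONDKEY`, `NONCESUFFIX` and `C` are renamed to all-caps but remain mutable `static unsigned char` arrays; all-caps signals a constant, and since they are only `memcpy`'d from, `static const unsigned char SECONDKEY[32] = { ... };` (likewise for the other two) says what the rename implies. None of the six `sodium_malloc()` calls is checked, and `output` is 4 MiB; the other tests in this patch follow the same pattern, but a NULL return here would fault inside `crypto_core_salsa20()` rather than fail cleanly. The rewritten counter loop relies on `unsigned char` wrap-around of `in[8]` and `in[9]`, which a one-line comment such as `/* in[8], in[9] form a 16-bit block counter: 256 * 256 blocks of 64 bytes */` would make explicit.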
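Review bot: Each of the three added `sodium_hex2bin()` calls passes a 128-character literal but a `hex_len` of 64, so the second 64-character half of every literal is never read; either drop the second line of each literal or pass the full length with a destination large enough (here `ed25519_pk` is `crypto_sign_ed25519_PUBLICKEYBYTES`, declared outside this hunk). The return value of `sodium_hex2bin()` is ignored, so a malformed literal would silently leave `ed25519_pk` holding stale bytes from the previous test; `assert(sodium_hex2bin(...) == 0)` costs nothing. A short comment naming what each vector is (presumably small-order or off-curve encodings, given the 0x00, 0x02 and 0x05 leading bytes) would explain why `-1` is the expected result.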
@@ -19,8 +19,8 @@ tv_kdf(void) } subkey = (unsigned char *) sodium_malloc(crypto_kdf_BYTES_MAX); for (i = 0; i < 10; i++) { - assert(crypto_kdf_blake2b_derive_from_key(subkey, crypto_kdf_BYTES_MAX, - i, context, master_key) == 0); + assert(crypto_kdf_derive_from_key(subkey, crypto_kdf_BYTES_MAX, + i, context, master_key) == 0); sodium_bin2hex(hex, sizeof hex, subkey, crypto_kdf_BYTES_MAX); printf("%s\n", hex); } @@ -28,8 +28,8 @@ tv_kdf(void) for (i = 0; i < crypto_kdf_BYTES_MAX + 2; i++) { subkey = (unsigned char *) sodium_malloc(crypto_kdf_BYTES_MAX); - if (crypto_kdf_blake2b_derive_from_key(subkey, (size_t) i, - i, context, master_key) == 0) { + if (crypto_kdf_derive_from_key(subkey, (size_t) i, + i, context, master_key) == 0) { sodium_bin2hex(hex, sizeof hex, subkey, (size_t) i); printf("%s\n", hex); } else { @@ -48,6 +48,10 @@ tv_kdf(void) assert(crypto_kdf_contextbytes() == crypto_kdf_CONTEXTBYTES); assert(crypto_kdf_KEYBYTES >= 16); assert(crypto_kdf_keybytes() == crypto_kdf_KEYBYTES); + assert(crypto_kdf_bytes_min() == crypto_kdf_blake2b_bytes_min()); + assert(crypto_kdf_bytes_max() == crypto_kdf_blake2b_bytes_max()); + assert(crypto_kdf_contextbytes() == crypto_kdf_blake2b_contextbytes()); + assert(crypto_kdf_keybytes() == crypto_kdf_blake2b_keybytes()); printf("tv_kdf: ok\n"); } diff --git a/test/default/keygen.c b/test/default/keygen.c index 113b6f13..a53d8184 100644 --- a/test/default/keygen.c +++ b/test/default/keygen.c 
@@ -23,8 +23,11 @@ tv_keygen(void) { crypto_onetimeauth_poly1305_keygen, crypto_onetimeauth_poly1305_KEYBYTES }, { crypto_aead_chacha20poly1305_ietf_keygen, crypto_aead_chacha20poly1305_ietf_KEYBYTES }, { crypto_aead_chacha20poly1305_keygen, crypto_aead_chacha20poly1305_KEYBYTES }, + { crypto_aead_chacha20poly1305_ietf_keygen, crypto_aead_chacha20poly1305_ietf_KEYBYTES }, + { crypto_aead_xchacha20poly1305_ietf_keygen, crypto_aead_xchacha20poly1305_ietf_KEYBYTES }, { crypto_secretbox_xsalsa20poly1305_keygen, crypto_secretbox_xsalsa20poly1305_KEYBYTES }, { crypto_secretbox_keygen, crypto_secretbox_KEYBYTES }, + { crypto_secretstream_xchacha20poly1305_keygen, crypto_secretstream_xchacha20poly1305_KEYBYTES }, { crypto_shorthash_keygen, crypto_shorthash_KEYBYTES }, { crypto_stream_keygen, crypto_stream_KEYBYTES }, { crypto_stream_chacha20_keygen, crypto_stream_chacha20_KEYBYTES }, @@ -34,7 +37,7 @@ tv_keygen(void) }; const KeygenTV *tv; unsigned char *key; - int i; + size_t i; int j; for (i = 0; i < (sizeof tvs) / (sizeof tvs[0]); i++) { @@ -49,7 +52,7 @@ tv_keygen(void) } sodium_free(key); if (j >= 10000) { - printf("Buffer underflow with test vector %d\n", i); + printf("Buffer underflow with test vector %u\n", (unsigned int) i); } } printf("tv_keygen: ok\n"); diff --git a/test/default/kx.c b/test/default/kx.c index dcc247f5..e03f2d0c 100644 --- a/test/default/kx.c +++ b/test/default/kx.c @@ -2,6 +2,12 @@ #define TEST_NAME "kx" #include "cmptest.h" +static const unsigned char small_order_p[crypto_scalarmult_BYTES] = { + 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, + 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, + 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 +}; + static void tv_kx(void) { 
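Review bot: The added `{ crypto_aead_chacha20poly1305_ietf_keygen, crypto_aead_chacha20poly1305_ietf_KEYBYTES }` duplicates the entry already present two lines above it in the `tvs` table, so that keygen function is run through the underflow check twice while the line was probably meant to add a different primitive. Dropping the duplicate keeps the table at one entry per keygen; the `crypto_aead_xchacha20poly1305_ietf_keygen` and `crypto_secretstream_xchacha20poly1305_keygen` additions are the new coverage. The start of the `tvs` table and the loop over it are outside this hunk.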
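Review bot: `small_order_p` is defined here as a file-local table, and box2.c and box_easy2.c in the same patch call a `small_order_p` of their own whose definition is not visible in those hunks; if these are copies of the same 32-byte point, one definition in cmptest.h would keep them from drifting. A one-line comment stating what the point is and why every API under test must reject it, e.g. `/* a Curve25519 point of small order; the library must refuse it instead of deriving a degenerate shared secret */`, would also help, since the bytes alone do not say so.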
@@ -33,6 +39,9 @@ tv_kx(void) client_rx = (unsigned char *) sodium_malloc(crypto_kx_SESSIONKEYBYTES); client_tx = (unsigned char *) sodium_malloc(crypto_kx_SESSIONKEYBYTES); + assert(crypto_kx_client_session_keys(client_rx, client_tx, + client_pk, client_sk, + small_order_p) == -1); if (crypto_kx_client_session_keys(client_rx, client_tx, client_pk, client_sk, server_pk) != 0) { printf("crypto_kx_client_session_keys() failed\n"); @@ -41,6 +50,9 @@ tv_kx(void) server_rx = (unsigned char *) sodium_malloc(crypto_kx_SESSIONKEYBYTES); server_tx = (unsigned char *) sodium_malloc(crypto_kx_SESSIONKEYBYTES); + assert(crypto_kx_server_session_keys(server_rx, server_tx, + server_pk, server_sk, + small_order_p) == -1); if (crypto_kx_server_session_keys(server_rx, server_tx, server_pk, server_sk, client_pk) != 0) { printf("crypto_kx_server_session_keys() failed\n"); @@ -91,6 +103,24 @@ tv_kx(void) sodium_bin2hex(hex, sizeof hex, client_tx, crypto_kx_SESSIONKEYBYTES); printf("client_tx: [%s]\n", hex); + randombytes_buf(client_rx, crypto_kx_SESSIONKEYBYTES); + randombytes_buf(client_tx, crypto_kx_SESSIONKEYBYTES); + randombytes_buf(server_rx, crypto_kx_SESSIONKEYBYTES); + randombytes_buf(server_tx, crypto_kx_SESSIONKEYBYTES); + if (crypto_kx_client_session_keys(client_rx, NULL, + client_pk, client_sk, server_pk) != 0 || + crypto_kx_client_session_keys(NULL, client_tx, + client_pk, client_sk, server_pk) != 0 || + crypto_kx_server_session_keys(server_rx, NULL, + server_pk, server_sk, client_pk) != 0 || + crypto_kx_server_session_keys(NULL, server_tx, + server_pk, server_sk, client_pk) != 0) { + printf("failure when one of the pointers happens to be NULL"); + } + assert(memcmp(client_rx, client_tx, crypto_kx_SESSIONKEYBYTES) == 0); + assert(memcmp(client_tx, server_rx, crypto_kx_SESSIONKEYBYTES) == 0); + assert(memcmp(server_rx, server_tx, crypto_kx_SESSIONKEYBYTES) == 0); + sodium_free(client_rx); sodium_free(client_tx); sodium_free(server_rx); 
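Review bot: The diagnostic `printf("failure when one of the pointers happens to be NULL");` in the added NULL-pointer block lacks the trailing `\n` every other message in the file carries, so it runs into the next line of output. The three `memcmp` asserts then expect all four session-key buffers to be equal, which only holds if the library derives both keys into the one non-NULL buffer when `rx` or `tx` is NULL; that contract is not visible here and contradicts the distinct rx/tx values printed just above, so a comment such as `/* with one output NULL both keys land in the other buffer, so all four must match */` would keep the asserts from reading as a mistake.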
diff --git a/test/default/metamorphic.c b/test/default/metamorphic.c
new file mode 100644
index 00000000..4e9b9be0
--- /dev/null
+++ b/test/default/metamorphic.c
@@ -0,0 +1,187 @@ + +#define TEST_NAME "metamorphic" +#include "cmptest.h" + +#define MAXLEN 512 +#define MAX_ITER 1000 + +static void +mm_generichash(void) +{ + crypto_generichash_state st; + unsigned char *h, *h2; + unsigned char *k; + unsigned char *m; + size_t hlen; + size_t klen; + size_t mlen; + size_t l1, l2; + int i; + + for (i = 0; i < MAX_ITER; i++) { + mlen = randombytes_uniform(MAXLEN); + m = (unsigned char *) sodium_malloc(mlen); + klen = randombytes_uniform(crypto_generichash_KEYBYTES_MAX - + crypto_generichash_KEYBYTES_MIN + 1U) + + crypto_generichash_KEYBYTES_MIN; + k = (unsigned char *) sodium_malloc(klen); + hlen = randombytes_uniform(crypto_generichash_BYTES_MAX - + crypto_generichash_BYTES_MIN + 1U) + + crypto_generichash_BYTES_MIN; + h = (unsigned char *) sodium_malloc(hlen); + h2 = (unsigned char *) sodium_malloc(hlen); + + randombytes_buf(k, klen); + randombytes_buf(m, mlen); + + crypto_generichash_init(&st, k, klen, hlen); + l1 = randombytes_uniform(mlen); + l2 = randombytes_uniform(mlen - l1); + crypto_generichash_update(&st, m, l1); + crypto_generichash_update(&st, m + l1, l2); + crypto_generichash_update(&st, m + l1 + l2, mlen - l1 - l2); + crypto_generichash_final(&st, h, hlen); + + crypto_generichash(h2, hlen, m, mlen, k, klen); + + assert(memcmp(h, h2, hlen) == 0); + + sodium_free(h2); + sodium_free(h); + sodium_free(k); + sodium_free(m); + } +} + +static void +mm_onetimeauth(void) +{ + crypto_onetimeauth_state st; + unsigned char *h, *h2; + unsigned char *k; + unsigned char *m; + size_t mlen; + size_t l1, l2; + int i; + + for (i = 0; i < MAX_ITER; i++) { + mlen = randombytes_uniform(MAXLEN); + m = (unsigned char *) sodium_malloc(mlen); + k = (unsigned char *) sodium_malloc(crypto_onetimeauth_KEYBYTES); + h = (unsigned char *) sodium_malloc(crypto_onetimeauth_BYTES); + h2 = (unsigned char *) sodium_malloc(crypto_onetimeauth_BYTES); + + crypto_onetimeauth_keygen(k); + randombytes_buf(m, mlen); + + crypto_onetimeauth_init(&st, k); + l1 = 
randombytes_uniform(mlen); + l2 = randombytes_uniform(mlen - l1); + crypto_onetimeauth_update(&st, m, l1); + crypto_onetimeauth_update(&st, m + l1, l2); + crypto_onetimeauth_update(&st, m + l1 + l2, mlen - l1 - l2); + crypto_onetimeauth_final(&st, h); + + crypto_onetimeauth(h2, m, mlen, k); + + assert(memcmp(h, h2, crypto_onetimeauth_BYTES) == 0); + + sodium_free(h2); + sodium_free(h); + sodium_free(k); + sodium_free(m); + } +} + +static void +mm_hmacsha256(void) +{ + crypto_auth_hmacsha256_state st; + unsigned char *h, *h2; + unsigned char *k; + unsigned char *m; + size_t mlen; + size_t l1, l2; + int i; + + for (i = 0; i < MAX_ITER; i++) { + mlen = randombytes_uniform(MAXLEN); + m = (unsigned char *) sodium_malloc(mlen); + k = (unsigned char *) sodium_malloc(crypto_auth_hmacsha256_KEYBYTES); + h = (unsigned char *) sodium_malloc(crypto_auth_hmacsha256_BYTES); + h2 = (unsigned char *) sodium_malloc(crypto_auth_hmacsha256_BYTES); + + crypto_auth_hmacsha256_keygen(k); + randombytes_buf(m, mlen); + + crypto_auth_hmacsha256_init(&st, k, crypto_auth_hmacsha256_KEYBYTES); + l1 = randombytes_uniform(mlen); + l2 = randombytes_uniform(mlen - l1); + crypto_auth_hmacsha256_update(&st, m, l1); + crypto_auth_hmacsha256_update(&st, m + l1, l2); + crypto_auth_hmacsha256_update(&st, m + l1 + l2, mlen - l1 - l2); + crypto_auth_hmacsha256_final(&st, h); + + crypto_auth_hmacsha256(h2, m, mlen, k); + + assert(memcmp(h, h2, crypto_auth_hmacsha256_BYTES) == 0); + + sodium_free(h2); + sodium_free(h); + sodium_free(k); + sodium_free(m); + } +} + +static void +mm_hmacsha512(void) +{ + crypto_auth_hmacsha512_state st; + unsigned char *h, *h2; + unsigned char *k; + unsigned char *m; + size_t mlen; + size_t l1, l2; + int i; + + for (i = 0; i < MAX_ITER; i++) { + mlen = randombytes_uniform(MAXLEN); + m = (unsigned char *) sodium_malloc(mlen); + k = (unsigned char *) sodium_malloc(crypto_auth_hmacsha512_KEYBYTES); + h = (unsigned char *) sodium_malloc(crypto_auth_hmacsha512_BYTES); + h2 = 
(unsigned char *) sodium_malloc(crypto_auth_hmacsha512_BYTES); + + crypto_auth_hmacsha512_keygen(k); + randombytes_buf(m, mlen); + + crypto_auth_hmacsha512_init(&st, k, crypto_auth_hmacsha512_KEYBYTES); + l1 = randombytes_uniform(mlen); + l2 = randombytes_uniform(mlen - l1); + crypto_auth_hmacsha512_update(&st, m, l1); + crypto_auth_hmacsha512_update(&st, m + l1, l2); + crypto_auth_hmacsha512_update(&st, m + l1 + l2, mlen - l1 - l2); + crypto_auth_hmacsha512_final(&st, h); + + crypto_auth_hmacsha512(h2, m, mlen, k); + + assert(memcmp(h, h2, crypto_auth_hmacsha512_BYTES) == 0); + + sodium_free(h2); + sodium_free(h); + sodium_free(k); + sodium_free(m); + } +} + +int +main(void) +{ + mm_generichash(); + mm_onetimeauth(); + mm_hmacsha256(); + mm_hmacsha512(); + + printf("OK\n"); + + return 0; +} diff --git a/test/default/metamorphic.exp b/test/default/metamorphic.exp new file mode 100644 index 00000000..d86bac9d --- /dev/null +++ b/test/default/metamorphic.exp @@ -0,0 +1 @@ +OK diff --git a/test/default/misuse.c b/test/default/misuse.c new file mode 100644 index 00000000..24cee622 --- /dev/null +++ b/test/default/misuse.c 
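Review bot: `mm_generichash()` draws `klen` from `[crypto_generichash_KEYBYTES_MIN, KEYBYTES_MAX]`, so the unkeyed path (`k == NULL`, `klen == 0`) that `crypto_generichash()` and `crypto_generichash_init()` also accept is never compared against the streaming API; `klen = randombytes_uniform(crypto_generichash_KEYBYTES_MAX + 1U);` with `k = klen ? sodium_malloc(klen) : NULL;` would cover it. `mlen` can be 0 in all four loops, so `sodium_malloc(0)` and `randombytes_uniform(0)` are relied on to behave; a comment stating that is intended would help the next reader. The four `mm_*` functions repeat the same three-way-split pattern, and a file-level comment naming the metamorphic property being checked (one-shot result equals any split of the streaming API) would explain the MAX_ITER random splits.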
@@ -0,0 +1,145 @@ + +#define TEST_NAME "misuse" +#include "cmptest.h" + +#ifdef HAVE_CATCHABLE_ABRT +# include + +static void +sigabrt_handler_13(int sig) +{ + (void) sig; + exit(0); +} + +static void +sigabrt_handler_12(int sig) +{ + (void) sig; + signal(SIGABRT, sigabrt_handler_13); + assert(crypto_pwhash_str_alg(NULL, "", 0U, 1U, 1U, -1) == -1); + exit(1); +} + +static void +sigabrt_handler_11(int sig) +{ + (void) sig; + signal(SIGABRT, sigabrt_handler_12); + assert(crypto_box_easy(NULL, NULL, crypto_stream_xsalsa20_MESSAGEBYTES_MAX, + NULL, NULL, NULL) == -1); + exit(1); +} + +static void +sigabrt_handler_10(int sig) +{ + (void) sig; + signal(SIGABRT, sigabrt_handler_11); + assert(crypto_box_easy_afternm(NULL, NULL, crypto_stream_xsalsa20_MESSAGEBYTES_MAX, + NULL, NULL) == -1); + exit(1); +} + +static void +sigabrt_handler_9(int sig) +{ + (void) sig; + signal(SIGABRT, sigabrt_handler_10); + assert(sodium_base642bin(NULL, 1, NULL, 1, NULL, NULL, NULL, -1) == -1); + exit(1); +} + +static void +sigabrt_handler_8(int sig) +{ + (void) sig; + signal(SIGABRT, sigabrt_handler_9); + assert(sodium_bin2base64(NULL, 1, NULL, 1, sodium_base64_VARIANT_ORIGINAL) == NULL); + exit(1); +} + +static void +sigabrt_handler_7(int sig) +{ + (void) sig; + signal(SIGABRT, sigabrt_handler_8); + assert(sodium_bin2base64(NULL, 1, NULL, 1, -1) == NULL); + exit(1); +} + +static void +sigabrt_handler_6(int sig) +{ + (void) sig; + signal(SIGABRT, sigabrt_handler_7); + assert(sodium_pad(NULL, NULL, SIZE_MAX, 16, 1) == -1); + exit(1); +} + +static void +sigabrt_handler_5(int sig) +{ + (void) sig; + signal(SIGABRT, sigabrt_handler_6); + assert(crypto_aead_xchacha20poly1305_ietf_encrypt(NULL, NULL, NULL, UINT64_MAX, + NULL, 0, NULL, NULL, NULL) == -1); + exit(1); +} + +static void +sigabrt_handler_4(int sig) +{ + (void) sig; + signal(SIGABRT, sigabrt_handler_5); + assert(crypto_aead_chacha20poly1305_ietf_encrypt(NULL, NULL, NULL, UINT64_MAX, + NULL, 0, NULL, NULL, NULL) == -1); + exit(1); +} + 
+static void +sigabrt_handler_3(int sig) +{ + (void) sig; + signal(SIGABRT, sigabrt_handler_4); + assert(crypto_aead_chacha20poly1305_encrypt(NULL, NULL, NULL, UINT64_MAX, + NULL, 0, NULL, NULL, NULL) == -1); + exit(1); +} + +static void +sigabrt_handler_2(int sig) +{ + (void) sig; + signal(SIGABRT, sigabrt_handler_3); +#if SIZE_MAX > 0x4000000000ULL + randombytes_buf_deterministic(NULL, 0x4000000001ULL, NULL); +#else + abort(); +#endif + exit(1); +} + +static void +sigabrt_handler_1(int sig) +{ + (void) sig; + signal(SIGABRT, sigabrt_handler_2); + assert(crypto_kx_server_session_keys(NULL, NULL, NULL, NULL, NULL) == -1); + exit(1); +} + +int +main(void) +{ + signal(SIGABRT, sigabrt_handler_1); + assert(crypto_kx_client_session_keys(NULL, NULL, NULL, NULL, NULL) == -1); + return 1; +} +#else +int +main(void) +{ + return 0; +} +#endif diff --git a/test/default/misuse.exp b/test/default/misuse.exp new file mode 100644 index 00000000..e69de29b diff --git a/test/default/onetimeauth.c b/test/default/onetimeauth.c index 0bd60669..7a4931b4 100644 --- a/test/default/onetimeauth.c +++ b/test/default/onetimeauth.c @@ -56,6 +56,8 @@ main(void) assert(crypto_onetimeauth_poly1305_bytes() == crypto_onetimeauth_bytes()); assert(crypto_onetimeauth_poly1305_keybytes() == crypto_onetimeauth_keybytes()); + assert(crypto_onetimeauth_statebytes() > 0); + assert(crypto_onetimeauth_statebytes() == crypto_onetimeauth_poly1305_statebytes()); return 0; } diff --git a/test/default/pwhash.c b/test/default/pwhash.c index 00f3a157..60ef3a01 100644 --- a/test/default/pwhash.c +++ b/test/default/pwhash.c 
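Review bot: Every sigabrt_handler_N calls signal(), assert() (which itself prints and calls abort()), exit() and libsodium functions from inside a SIGABRT handler; none of these are async-signal-safe, and the chain is only sound because each SIGABRT here is raised synchronously by abort() on the main thread while nothing else is running. A comment above sigabrt_handler_13 should state that contract, e.g. `/* These handlers run only for abort() raised synchronously by the misuse guard of the function just called; they are not async-signal-safe and must not be reused for asynchronous signals. */`, and can also note that re-registering the next handler with signal() before each call is what keeps the chain alive on platforms that reset the disposition to SIG_DFL on delivery. The `# include` line lost its header name in this rendering, presumably `<signal.h>`; worth confirming the committed file still has it.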
@@ -157,6 +157,10 @@ tv2(void) 1ULL << 12, 0) != -1) { printf("[tv2] pwhash should have failed (0)\n"); } + if (crypto_pwhash_argon2i(out, sizeof out, "password", strlen("password"), salt, 3, + 1ULL << 12, 0) != -1) { + printf("[tv2] pwhash should have failed (0')\n"); + } if (crypto_pwhash(out, sizeof out, "password", strlen("password"), salt, 3, 1, crypto_pwhash_alg_default()) != -1) { printf("[tv2] pwhash should have failed (1)\n"); @@ -220,17 +224,14 @@ tv3(void) } while (++i < (sizeof tests) / (sizeof tests[0])); } -int -main(void) +static void +str_tests(void) { char *str_out; char *str_out2; char *salt; const char *passwd = "Correct Horse Battery Staple"; - tv(); - tv2(); - tv3(); salt = (char *) sodium_malloc(crypto_pwhash_SALTBYTES); str_out = (char *) sodium_malloc(crypto_pwhash_STRBYTES); str_out2 = (char *) sodium_malloc(crypto_pwhash_STRBYTES); 
@@ -238,16 +239,26 @@ main(void) if (crypto_pwhash_str(str_out, passwd, strlen(passwd), OPSLIMIT, MEMLIMIT) != 0) { printf("pwhash_str failure\n"); - return 1; } if (crypto_pwhash_str(str_out2, passwd, strlen(passwd), OPSLIMIT, MEMLIMIT) != 0) { printf("pwhash_str(2) failure\n"); - return 1; } if (strcmp(str_out, str_out2) == 0) { printf("pwhash_str() doesn't generate different salts\n"); } + if (crypto_pwhash_str_needs_rehash(str_out, OPSLIMIT, MEMLIMIT) != 0) { + printf("needs_rehash() false positive\n"); + } + if (crypto_pwhash_str_needs_rehash(str_out, OPSLIMIT, MEMLIMIT / 2) != 1 || + crypto_pwhash_str_needs_rehash(str_out, OPSLIMIT / 2, MEMLIMIT) != 1 || + crypto_pwhash_str_needs_rehash(str_out, OPSLIMIT, MEMLIMIT * 2) != 1 || + crypto_pwhash_str_needs_rehash(str_out, OPSLIMIT * 2, MEMLIMIT) != 1) { + printf("needs_rehash() false negative\n"); + } + if (crypto_pwhash_str_needs_rehash(str_out + 1, OPSLIMIT, MEMLIMIT) != -1) { + printf("needs_rehash() didn't fail with an invalid hash string\n"); + } if (sodium_is_zero((const unsigned char *) str_out + strlen(str_out), crypto_pwhash_STRBYTES - strlen(str_out)) != 1 || sodium_is_zero((const unsigned char *) str_out2 + strlen(str_out2), @@ -267,12 +278,10 @@ main(void) if (crypto_pwhash_str(str_out2, passwd, 0x100000000ULL, OPSLIMIT, MEMLIMIT) != -1) { printf("pwhash_str() with a large password should have failed\n"); - return 1; } if (crypto_pwhash_str(str_out2, passwd, strlen(passwd), 1, MEMLIMIT) != -1) { printf("pwhash_str() with a small opslimit should have failed\n"); - return 1; } if (crypto_pwhash_str_verify("$argon2i$m=65536,t=2,p=1c29tZXNhbHQ" "$9sTbSlTio3Biev89thdrlKKiCaYsjjYVJxGAL3swxpQ", 
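Review bot: With the `return 1;` after `printf("pwhash_str failure\n");` (and its twin after `pwhash_str(2) failure`) removed, a failing crypto_pwhash_str() no longer stops str_tests(), and the strcmp(), crypto_pwhash_str_needs_rehash() and strlen() calls that follow read whatever the failed call left in str_out; this hunk does not show whether the function guarantees a NUL-terminated buffer on failure. If the intent is to keep going so the .exp comparison reports every failure, `sodium_memzero(str_out, crypto_pwhash_STRBYTES);` right after each failure printf (and the same for str_out2) would keep the later string operations bounded. The next hunk drops two more `return 1;` statements for the str_out2 failure cases with the same consequence. str_tests() begins outside this hunk.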
@@ -333,6 +342,60 @@ main(void) "password", strlen("password")) != -1 || errno != EINVAL) { printf("pwhash_str_verify(invalid(9)) failure\n"); } + if (crypto_pwhash_str_verify( + "$argon2i$v=1$m=4096,t=3,p=2$b2RpZHVla~=mRpc29kaXNrdw" + "$TNnWIwlu1061JHrnCqIAmjs3huSxYIU+0jWipu7Kc9M", + "password", strlen("password")) != -1 || errno != EINVAL) { + printf("pwhash_str_verify(invalid(10)) failure\n"); + } + if (crypto_pwhash_str_verify( + "$argon2i$v=1$m=4096,t=3,p=2$b2RpZHVlamRpc29kaXNrdw" + "$TNnWIwlu1061JHrnCqIAmjs3huSxYI~=U+0jWipu7Kc9M", + "password", strlen("password")) != -1 || errno != EINVAL) { + printf("pwhash_str_verify(invalid(11)) failure\n"); + } + assert(crypto_pwhash_str_alg(str_out, "test", 4, OPSLIMIT, MEMLIMIT, + crypto_pwhash_ALG_ARGON2I13) == 0); + assert(crypto_pwhash_argon2i_str_verify(str_out, "test", 4) == 0); + assert(crypto_pwhash_argon2i_str_needs_rehash(str_out, + OPSLIMIT, MEMLIMIT) == 0); + assert(crypto_pwhash_argon2i_str_needs_rehash(str_out, + OPSLIMIT / 2, MEMLIMIT) == 1); + assert(crypto_pwhash_argon2i_str_needs_rehash(str_out, + OPSLIMIT, MEMLIMIT / 2) == 1); + assert(crypto_pwhash_argon2i_str_needs_rehash(str_out, 0, 0) == 1); + assert(crypto_pwhash_argon2id_str_needs_rehash(str_out, 0, 0) == -1); + assert(crypto_pwhash_argon2i_str_needs_rehash(str_out + 1, + OPSLIMIT, MEMLIMIT) == -1); + assert(crypto_pwhash_argon2id_str_needs_rehash(str_out, 0, 0) == -1); + assert(crypto_pwhash_argon2id_str_needs_rehash("", OPSLIMIT, MEMLIMIT) == -1); + assert(crypto_pwhash_str_alg(str_out, "test", 4, OPSLIMIT, MEMLIMIT, + crypto_pwhash_ALG_ARGON2ID13) == 0); + assert(crypto_pwhash_argon2id_str_verify(str_out, "test", 4) == 0); + assert(crypto_pwhash_argon2id_str_needs_rehash(str_out, + OPSLIMIT, MEMLIMIT) == 0); + assert(crypto_pwhash_argon2id_str_needs_rehash(str_out, + OPSLIMIT / 2, MEMLIMIT) == 1); + assert(crypto_pwhash_argon2id_str_needs_rehash(str_out, + OPSLIMIT, MEMLIMIT / 2) == 1); + assert(crypto_pwhash_argon2id_str_needs_rehash(str_out, 
0, 0) == 1); + assert(crypto_pwhash_argon2i_str_needs_rehash(str_out, 0, 0) == -1); + assert(crypto_pwhash_argon2id_str_needs_rehash("", OPSLIMIT, MEMLIMIT) == -1); + assert(crypto_pwhash_argon2id_str_needs_rehash(str_out + 1, + OPSLIMIT, MEMLIMIT) == -1); + sodium_free(salt); + sodium_free(str_out); + sodium_free(str_out2); +} + +int +main(void) +{ + tv(); + tv2(); + tv3(); + str_tests(); + assert(crypto_pwhash_bytes_min() > 0U); assert(crypto_pwhash_bytes_max() > crypto_pwhash_bytes_min()); assert(crypto_pwhash_passwd_max() > crypto_pwhash_passwd_min()); @@ -408,10 +471,26 @@ main(void) crypto_pwhash_argon2i_alg_argon2i13()); assert(crypto_pwhash_alg_argon2i13() == crypto_pwhash_ALG_ARGON2I13); assert(crypto_pwhash_alg_argon2i13() == crypto_pwhash_alg_default()); + assert(crypto_pwhash_alg_argon2id13() == crypto_pwhash_ALG_ARGON2ID13); + assert(crypto_pwhash_alg_argon2id13() != crypto_pwhash_alg_argon2i13()); + assert(crypto_pwhash_alg_argon2id13() != crypto_pwhash_alg_default()); - sodium_free(salt); - sodium_free(str_out); - sodium_free(str_out2); + assert(crypto_pwhash_argon2i(NULL, 0, NULL, 0, NULL, + crypto_pwhash_argon2i_OPSLIMIT_INTERACTIVE, + crypto_pwhash_argon2i_MEMLIMIT_INTERACTIVE, + 0) == -1); + assert(crypto_pwhash_argon2i(NULL, 0, NULL, 0, NULL, + crypto_pwhash_argon2i_OPSLIMIT_INTERACTIVE, + crypto_pwhash_argon2i_MEMLIMIT_INTERACTIVE, + crypto_pwhash_ALG_ARGON2ID13) == -1); + assert(crypto_pwhash_argon2id(NULL, 0, NULL, 0, NULL, + crypto_pwhash_argon2i_OPSLIMIT_INTERACTIVE, + crypto_pwhash_argon2i_MEMLIMIT_INTERACTIVE, + 0) == -1); + assert(crypto_pwhash_argon2id(NULL, 0, NULL, 0, NULL, + crypto_pwhash_argon2i_OPSLIMIT_INTERACTIVE, + crypto_pwhash_argon2i_MEMLIMIT_INTERACTIVE, + crypto_pwhash_ALG_ARGON2I13) == -1); printf("OK\n"); diff --git a/test/default/pwhash_argon2id.c b/test/default/pwhash_argon2id.c index 3b37a9eb..b54daaa2 100644 --- a/test/default/pwhash_argon2id.c +++ b/test/default/pwhash_argon2id.c 
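Review bot: In the argon2i block the line `assert(crypto_pwhash_argon2id_str_needs_rehash(str_out, 0, 0) == -1);` appears twice, once before and once after the `str_out + 1` check; the second occurrence adds nothing and should be dropped, so that the block mirrors the argon2id block below it one for one. In the following hunk the two crypto_pwhash_argon2id() negative cases pass `crypto_pwhash_argon2i_OPSLIMIT_INTERACTIVE` and `crypto_pwhash_argon2i_MEMLIMIT_INTERACTIVE`; they fail on the NULL/zero-length output regardless, but using `crypto_pwhash_argon2id_OPSLIMIT_INTERACTIVE` / `crypto_pwhash_argon2id_MEMLIMIT_INTERACTIVE` there would make the cases read as testing the algorithm mismatch rather than the limits. main() in that hunk continues outside the visible lines.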
@@ -240,7 +240,6 @@ main(void)
 printf("pwhash_argon2id_str failure: %s\n", strerror(errno));
 return 1;
 }
- exit(0);
 if (crypto_pwhash_argon2id_str(str_out2, passwd, strlen(passwd),
 OPSLIMIT, MEMLIMIT) != 0) {
 printf("pwhash_argon2id_str(2) failure\n");
@@ -249,6 +248,26 @@ main(void)
 if (strcmp(str_out, str_out2) == 0) {
 printf("pwhash_argon2id_str() doesn't generate different salts\n");
 }
+ if (crypto_pwhash_str_needs_rehash(str_out, OPSLIMIT, MEMLIMIT) != 0 ||
+ crypto_pwhash_argon2id_str_needs_rehash(str_out, OPSLIMIT, MEMLIMIT) != 0) {
+ printf("needs_rehash() false positive\n");
+ }
+ if (crypto_pwhash_str_needs_rehash(str_out, OPSLIMIT, MEMLIMIT / 2) != 1 ||
+ crypto_pwhash_str_needs_rehash(str_out, OPSLIMIT / 2, MEMLIMIT) != 1 ||
+ crypto_pwhash_str_needs_rehash(str_out, OPSLIMIT, MEMLIMIT * 2) != 1 ||
+ crypto_pwhash_str_needs_rehash(str_out, OPSLIMIT * 2, MEMLIMIT) != 1) {
+ printf("needs_rehash() false negative\n");
+ }
+ if (crypto_pwhash_argon2id_str_needs_rehash(str_out, OPSLIMIT, MEMLIMIT / 2) != 1 ||
+ crypto_pwhash_argon2id_str_needs_rehash(str_out, OPSLIMIT / 2, MEMLIMIT) != 1 ||
+ crypto_pwhash_argon2id_str_needs_rehash(str_out, OPSLIMIT, MEMLIMIT * 2) != 1 ||
+ crypto_pwhash_argon2id_str_needs_rehash(str_out, OPSLIMIT * 2, MEMLIMIT) != 1) {
+ printf("needs_rehash() false negative\n");
+ }
+ if (crypto_pwhash_str_needs_rehash(str_out + 1, OPSLIMIT, MEMLIMIT) != -1 ||
+ crypto_pwhash_argon2id_str_needs_rehash(str_out + 1, OPSLIMIT, MEMLIMIT) != -1) {
+ printf("needs_rehash() didn't fail with an invalid hash string\n");
+ }
 if (sodium_is_zero((const unsigned char *) str_out + strlen(str_out),
 crypto_pwhash_argon2id_STRBYTES - strlen(str_out)) != 1 ||
 sodium_is_zero((const unsigned char *) str_out2 + strlen(str_out2),
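Review bot: The generic crypto_pwhash_str_needs_rehash() block and the crypto_pwhash_argon2id_str_needs_rehash() block both report `needs_rehash() false negative`, and the false-positive check ORs the two functions into one message, so a mismatch in the .exp output cannot tell which of the two entry points misbehaved. Giving the argon2id-specific branches their own text, e.g. `printf("argon2id_str_needs_rehash() false negative\n");`, and splitting the false-positive check the same way keeps each diagnostic attributable. main() here begins and ends outside the hunk.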
@@ -258,6 +277,9 @@ main(void)
 if (crypto_pwhash_argon2id_str_verify(str_out, passwd, strlen(passwd)) != 0) {
 printf("pwhash_argon2id_str_verify(1) failure\n");
 }
+ if (crypto_pwhash_str_verify(str_out, passwd, strlen(passwd)) != 0) {
+ printf("pwhash_argon2id_str_verify(1') failure\n");
+ }
 str_out[14]++;
 if (crypto_pwhash_argon2id_str_verify(str_out, passwd, strlen(passwd)) != -1) {
 printf("pwhash_argon2id_str_verify(2) failure\n");
@@ -275,62 +297,58 @@ main(void) printf("pwhash_argon2id_str() with a small opslimit should have failed\n"); return 1; } - if (crypto_pwhash_argon2id_str_verify("$argon2i$m=65536,t=2,p=1c29tZXNhbHQ" + if (crypto_pwhash_argon2id_str_verify("$argon2id$m=65536,t=2,p=1c29tZXNhbHQ" "$9sTbSlTio3Biev89thdrlKKiCaYsjjYVJxGAL3swxpQ", "password", 0x100000000ULL) != -1) { printf("pwhash_argon2id_str_verify(invalid(0)) failure\n"); } - if (crypto_pwhash_argon2id_str_verify("$argon2i$m=65536,t=2,p=1c29tZXNhbHQ" + if (crypto_pwhash_argon2id_str_verify("$argon2id$m=65536,t=2,p=1c29tZXNhbHQ" "$9sTbSlTio3Biev89thdrlKKiCaYsjjYVJxGAL3swxpQ", "password", strlen("password")) != -1) { printf("pwhash_argon2id_str_verify(invalid(1)) failure %d\n", errno); } - if (crypto_pwhash_argon2id_str_verify("$argon2i$m=65536,t=2,p=1$c29tZXNhbHQ" + if (crypto_pwhash_argon2id_str_verify("$argon2id$m=65536,t=2,p=1$c29tZXNhbHQ" "9sTbSlTio3Biev89thdrlKKiCaYsjjYVJxGAL3swxpQ", "password", strlen("password")) != -1) { printf("pwhash_argon2id_str_verify(invalid(2)) failure\n"); } - if (crypto_pwhash_argon2id_str_verify("$argon2i$m=65536,t=2,p=1$c29tZXNhbHQ" + if (crypto_pwhash_argon2id_str_verify("$argon2id$m=65536,t=2,p=1$c29tZXNhbHQ" "$b2G3seW+uPzerwQQC+/E1K50CLLO7YXy0JRcaTuswRo", "password", strlen("password")) != -1) { printf("pwhash_argon2id_str_verify(invalid(3)) failure\n"); } - if (crypto_pwhash_argon2id_str_verify("$argon2i$v=19$m=65536,t=2,p=1c29tZXNhbHQ" + if (crypto_pwhash_argon2id_str_verify("$argon2id$v=19$m=65536,t=2,p=1c29tZXNhbHQ" "$wWKIMhR9lyDFvRz9YTZweHKfbftvj+qf+YFY4NeBbtA", "password", strlen("password")) != -1) { printf("pwhash_argon2id_str_verify(invalid(4)) failure\n"); } - if (crypto_pwhash_argon2id_str_verify("$argon2i$v=19$m=65536,t=2,p=1$c29tZXNhbHQ" + if (crypto_pwhash_argon2id_str_verify("$argon2id$v=19$m=65536,t=2,p=1$c29tZXNhbHQ" "wWKIMhR9lyDFvRz9YTZweHKfbftvj+qf+YFY4NeBbtA", "password", strlen("password")) != -1) { printf("pwhash_argon2id_str_verify(invalid(5)) failure\n"); } 
- if (crypto_pwhash_argon2id_str_verify("$argon2i$v=19$m=65536,t=2,p=1$c29tZXNhbHQ" + if (crypto_pwhash_argon2id_str_verify("$argon2id$v=19$m=65536,t=2,p=1$c29tZXNhbHQ" "$8iIuixkI73Js3G1uMbezQXD0b8LG4SXGsOwoQkdAQIM", "password", strlen("password")) != -1) { printf("pwhash_argon2id_str_verify(invalid(6)) failure\n"); } - if (crypto_pwhash_argon2id_str_verify( - "$argon2i$v=19$m=4096,t=3,p=2$b2RpZHVlamRpc29kaXNrdw" - "$TNnWIwlu1061JHrnCqIAmjs3huSxYIU+0jWipu7Kc9M", - "password", strlen("password")) != 0) { + if (crypto_pwhash_str_verify("$argon2id$v=19$m=256,t=3,p=1$MDEyMzQ1Njc" + "$G5ajKFCoUzaXRLdz7UJb5wGkb2Xt+X5/GQjUYtS2+TE", + "password", strlen("password")) != 0) { printf("pwhash_argon2id_str_verify(valid(7)) failure\n"); } - if (crypto_pwhash_argon2id_str_verify( - "$argon2i$v=19$m=4096,t=3,p=2$b2RpZHVlamRpc29kaXNrdw" - "$TNnWIwlu1061JHrnCqIAmjs3huSxYIU+0jWipu7Kc9M", + if (crypto_pwhash_argon2id_str_verify("$argon2id$v=19$m=256,t=3,p=1$MDEyMzQ1Njc" + "$G5ajKFCoUzaXRLdz7UJb5wGkb2Xt+X5/GQjUYtS2+TE", "passwore", strlen("passwore")) != -1 || errno != EINVAL) { printf("pwhash_argon2id_str_verify(invalid(7)) failure\n"); } - if (crypto_pwhash_argon2id_str_verify( - "$Argon2i$v=19$m=4096,t=3,p=2$b2RpZHVlamRpc29kaXNrdw" - "$TNnWIwlu1061JHrnCqIAmjs3huSxYIU+0jWipu7Kc9M", + if (crypto_pwhash_argon2id_str_verify("$Argon2id$v=19$m=256,t=3,p=1$MDEyMzQ1Njc" + "$G5ajKFCoUzaXRLdz7UJb5wGkb2Xt+X5/GQjUYtS2+TE", "password", strlen("password")) != -1 || errno != EINVAL) { printf("pwhash_argon2id_str_verify(invalid(8)) failure\n"); } - if (crypto_pwhash_argon2id_str_verify( - "$argon2i$v=1$m=4096,t=3,p=2$b2RpZHVlamRpc29kaXNrdw" - "$TNnWIwlu1061JHrnCqIAmjs3huSxYIU+0jWipu7Kc9M", + if (crypto_pwhash_argon2id_str_verify("$argon2id$v=19$m=256,t=3,p=2$MDEyMzQ1Njc" + "$G5ajKFCoUzaXRLdz7UJb5wGkb2Xt+X5/GQjUYtS2+TE", "password", strlen("password")) != -1 || errno != EINVAL) { printf("pwhash_argon2id_str_verify(invalid(9)) failure\n"); } 
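Review bot: The rewritten invalid(9) case replaces the old `$argon2i$v=1$...` string with `$argon2id$v=19$m=256,t=3,p=2$...`, so after this hunk every argon2id vector in the file carries `v=19` and a wrong-version encoding is no longer exercised for argon2id here (the p=2 mismatch is what invalid(9) now tests). Keeping a version case alongside, e.g. the valid(7) string with `v=1` in place of `v=19` (a constructed variant) expected to return -1 with errno == EINVAL, would preserve that coverage. A short comment on each invalid(N) case naming the field that is wrong (prefix case, missing `$`, truncated salt, wrong p) would also make future edits to these vectors safer. main() continues outside the hunk.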
diff --git a/test/default/pwhash_argon2id.exp b/test/default/pwhash_argon2id.exp index 83ee78e3..abea0611 100644 --- a/test/default/pwhash_argon2id.exp +++ b/test/default/pwhash_argon2id.exp @@ -12,4 +12,4 @@ d6e9d6cabd42fb9ba7162fe9b8e41d59d3c7034756cb460c9affe393308bd0225ce0371f2e6c3ca3 [tv3] pwhash_argon2id_str failure (maybe intentional): [1] [tv3] pwhash_argon2id_str failure (maybe intentional): [2] [tv3] pwhash_argon2id_str failure (maybe intentional): [3] -pwhash_argon2id_str failure +OK diff --git a/test/default/pwhash_scrypt.c b/test/default/pwhash_scrypt.c index 02bf2bd4..334c2ed3 100644 --- a/test/default/pwhash_scrypt.c +++ b/test/default/pwhash_scrypt.c @@ -10,9 +10,9 @@ static void tv(void) { static struct { - const char * passwd_hex; + const char *passwd_hex; size_t passwdlen; - const char * salt_hex; + const char *salt_hex; size_t outlen; unsigned long long opslimit; size_t memlimit; @@ -117,9 +117,9 @@ static void tv2(void) { static struct { - const char * passwd_hex; + const char *passwd_hex; size_t passwdlen; - const char * salt_hex; + const char *salt_hex; size_t outlen; unsigned long long opslimit; size_t memlimit; 
@@ -260,8 +260,19 @@ tv3(void) { "Y0!?iQa9M%5ekffW(`", "$7$" }, { "Y0!?iQa9M%5ekffW(`", "" }, { "Y0!?iQa9M%5ekffW(`", - "$7$A6....1....TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4$" - "" }, + "$7$A6....1....TrXs5Zk6s8sWHpQgWDIXTR8kUU3s6Jc3s.DtdS8M2i4$" }, + { "test", + "$7$.6..../.....lgPchkGHqbeONR/xtuXyjCrt9kUSg6NlKFQO0OSxo/$.DbajbPYH9T7sg3fOtcgxvJzzfIgJBIxMkeQ8b24YQ." }, + { "test", + "$7$z6..../.....lgPchkGHqbeONR/xtuXyjCrt9kUSg6NlKFQO0OSxo/$.DbajbPYH9T7sg3fOtcgxvJzzfIgJBIxMkeQ8b24YQ." }, + { "test", + "$7$8zzzzz/.....lgPchkGHqbeONR/xtuXyjCrt9kUSg6NlKFQO0OSxo/$.DbajbPYH9T7sg3fOtcgxvJzzfIgJBIxMkeQ8b24YQ." }, + { "test", + "$7$8zzzzzzzzzz.lgPchkGHqbeONR/xtuXyjCrt9kUSg6NlKFQO0OSxo/$.DbajbPYH9T7sg3fOtcgxvJzzfIgJBIxMkeQ8b24YQ." }, + { "test", + "$7$8.....zzzzz.lgPchkGHqbeONR/xtuXyjCrt9kUSg6NlKFQO0OSxo/$.DbajbPYH9T7sg3fOtcgxvJzzfIgJBIxMkeQ8b24YQ." }, + { "test", + "$7$86..../..../lgPchkGHqbeONR/xtuXyjCrt9kUSg6NlKFQO0OSxo/$.DbajbPYH9T7sg3fOtcgxvJzzfIgJBIxMkeQ8b24YQ." } }; char * out; char * passwd; @@ -283,17 +294,14 @@ tv3(void) } while (++i < (sizeof tests) / (sizeof tests[0])); } -int -main(void) +static void +str_tests(void) { - char * str_out; - char * str_out2; - char * salt; + char *str_out; + char *str_out2; + char *salt; const char *passwd = "Correct Horse Battery Staple"; - tv(); - tv2(); - tv3(); salt = (char *) sodium_malloc(crypto_pwhash_scryptsalsa208sha256_SALTBYTES); str_out = (char *) sodium_malloc(crypto_pwhash_scryptsalsa208sha256_STRBYTES); 
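Review bot: The six new `$7$` vectors in tv3 differ only in the 11-character parameter field (`.6..../.....`, `z6..../.....`, `8zzzzz/.....`, `8zzzzzzzzzz.`, `8.....zzzzz.`, `86..../..../`) and, going by the six new `pwhash_str failure: [28..33]` lines added to pwhash_scrypt.exp, are all expected to be rejected; nothing in the table says which of N, r or p each one pushes out of range. A one-line comment per entry, e.g. `/* N exponent too large */` or `/* r/p out of range */`, would spare the reader from decoding the base-64 fields by hand. The tests[] array and tv3() start before this hunk.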
@@ -312,6 +320,24 @@ main(void) if (strcmp(str_out, str_out2) == 0) { printf("pwhash_str doesn't generate different salts\n"); } + if (crypto_pwhash_scryptsalsa208sha256_str_needs_rehash + (str_out, OPSLIMIT, MEMLIMIT) != 0) { + printf("needs_rehash() false positive\n"); + } + if (crypto_pwhash_scryptsalsa208sha256_str_needs_rehash + (str_out, OPSLIMIT, MEMLIMIT / 2) != 1 || + crypto_pwhash_scryptsalsa208sha256_str_needs_rehash + (str_out, OPSLIMIT / 2, MEMLIMIT) != 1 || + crypto_pwhash_scryptsalsa208sha256_str_needs_rehash + (str_out, OPSLIMIT, MEMLIMIT * 2) != 1 || + crypto_pwhash_scryptsalsa208sha256_str_needs_rehash + (str_out, OPSLIMIT * 2, MEMLIMIT) != 1) { + printf("needs_rehash() false negative\n"); + } + if (crypto_pwhash_scryptsalsa208sha256_str_needs_rehash + (str_out + 1, OPSLIMIT, MEMLIMIT) != -1) { + printf("needs_rehash() didn't fail with an invalid hash string\n"); + } if (crypto_pwhash_scryptsalsa208sha256_str_verify(str_out, passwd, strlen(passwd)) != 0) { printf("pwhash_str_verify failure\n"); @@ -328,6 +354,27 @@ main(void) str_out[14]--; assert(str_out[crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1U] == 0); + + assert(crypto_pwhash_scryptsalsa208sha256_str_needs_rehash + (str_out, 0, 0) == 1); + assert(crypto_pwhash_str_needs_rehash(str_out, 0, 0) == -1); + assert(crypto_pwhash_str_needs_rehash(str_out, OPSLIMIT, MEMLIMIT) == -1); + assert(crypto_pwhash_scryptsalsa208sha256_str_needs_rehash + ("", OPSLIMIT, MEMLIMIT) == -1); + + sodium_free(salt); + sodium_free(str_out); + sodium_free(str_out2); +} + +int +main(void) +{ + tv(); + tv2(); + tv3(); + str_tests(); + assert(crypto_pwhash_scryptsalsa208sha256_bytes_min() > 0U); assert(crypto_pwhash_scryptsalsa208sha256_bytes_max() > crypto_pwhash_scryptsalsa208sha256_bytes_min()); 
@@ -347,10 +394,6 @@ main(void) assert(crypto_pwhash_scryptsalsa208sha256_opslimit_sensitive() > 0U); assert(crypto_pwhash_scryptsalsa208sha256_memlimit_sensitive() > 0U); - sodium_free(salt); - sodium_free(str_out); - sodium_free(str_out2); - printf("OK\n"); return 0; diff --git a/test/default/pwhash_scrypt.exp b/test/default/pwhash_scrypt.exp index e0e892a2..fa9320d6 100644 --- a/test/default/pwhash_scrypt.exp +++ b/test/default/pwhash_scrypt.exp @@ -29,4 +29,10 @@ pwhash_str failure: [24] pwhash_str failure: [25] pwhash_str failure: [26] pwhash_str failure: [27] +pwhash_str failure: [28] +pwhash_str failure: [29] +pwhash_str failure: [30] +pwhash_str failure: [31] +pwhash_str failure: [32] +pwhash_str failure: [33] OK diff --git a/test/default/randombytes.c b/test/default/randombytes.c index 83de344f..551afaf4 100644 --- a/test/default/randombytes.c +++ b/test/default/randombytes.c @@ -39,12 +39,14 @@ randombytes_tests(void) unsigned int i; uint32_t n; -#ifdef __EMSCRIPTEN__ +#ifndef BENCHMARKS +# ifdef __EMSCRIPTEN__ assert(strcmp(randombytes_implementation_name(), "js") == 0); -#elif defined(__native_client__) +# elif defined(__native_client__) assert(strcmp(randombytes_implementation_name(), "nativeclient") == 0); -#else +# else assert(strcmp(randombytes_implementation_name(), "sysrandom") == 0); +# endif #endif randombytes(x, 1U); do { @@ -137,6 +139,7 @@ impl_tests(void) impl.uniform = randombytes_uniform_impl; randombytes_close(); randombytes_set_implementation(&impl); + assert(randombytes_uniform(1) == 1); assert(randombytes_uniform(v) == v); assert(randombytes_uniform(v) == v); assert(randombytes_uniform(v) == v); @@ -158,5 +161,7 @@ main(void) #endif printf("OK\n"); + randombytes_set_implementation(&randombytes_salsa20_implementation); + return 0; } diff --git a/test/default/secretbox.c b/test/default/secretbox.c index 45a3fbdf..df1d62ff 100644 --- a/test/default/secretbox.c +++ b/test/default/secretbox.c 
@@ -55,11 +55,17 @@ main(void) } printf("\n"); + assert(crypto_secretbox(c, c, 31, nonce, firstkey) == -1); + assert(crypto_secretbox(c, c, 12, nonce, firstkey) == -1); + assert(crypto_secretbox(c, c, 1, nonce, firstkey) == -1); + assert(crypto_secretbox(c, c, 0, nonce, firstkey) == -1); + assert(crypto_secretbox_keybytes() > 0U); assert(crypto_secretbox_noncebytes() > 0U); assert(crypto_secretbox_zerobytes() > 0U); assert(crypto_secretbox_boxzerobytes() > 0U); assert(crypto_secretbox_macbytes() > 0U); + assert(crypto_secretbox_messagebytes_max() > 0U); assert(strcmp(crypto_secretbox_primitive(), "xsalsa20poly1305") == 0); assert(crypto_secretbox_keybytes() == crypto_secretbox_xsalsa20poly1305_keybytes()); @@ -71,6 +77,8 @@ main(void) crypto_secretbox_xsalsa20poly1305_boxzerobytes()); assert(crypto_secretbox_macbytes() == crypto_secretbox_xsalsa20poly1305_macbytes()); + assert(crypto_secretbox_messagebytes_max() == + crypto_secretbox_xsalsa20poly1305_messagebytes_max()); return 0; } diff --git a/test/default/secretbox2.c b/test/default/secretbox2.c index 3e5247b3..e6320b77 100644 --- a/test/default/secretbox2.c +++ b/test/default/secretbox2.c @@ -46,5 +46,10 @@ main(void) } printf("\n"); } + assert(crypto_secretbox_open(m, c, 31, nonce, firstkey) == -1); + assert(crypto_secretbox_open(m, c, 16, nonce, firstkey) == -1); + assert(crypto_secretbox_open(m, c, 1, nonce, firstkey) == -1); + assert(crypto_secretbox_open(m, c, 0, nonce, firstkey) == -1); + return 0; } diff --git a/test/default/secretbox_easy.c b/test/default/secretbox_easy.c index 1dfcc004..4542bbdb 100644 --- a/test/default/secretbox_easy.c +++ b/test/default/secretbox_easy.c @@ -76,7 +76,7 @@ main(void) } printf("\n"); - assert(crypto_secretbox_easy(c, m, SIZE_MAX - 1U, nonce, firstkey) == -1); + assert(crypto_secretbox_easy(c, m, 0, nonce, firstkey) == 0); /* Null message */ 
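Review bot: The new rejection checks use bare lengths (`31`, `12`, `1`, `0` in secretbox.c; `31`, `16`, `1`, `0` in secretbox2.c) whose only significance is that they are below crypto_secretbox_ZEROBYTES; writing the boundary case as `assert(crypto_secretbox(c, c, crypto_secretbox_ZEROBYTES - 1U, nonce, firstkey) == -1);` (and the open() mirror) would document why those lengths must fail and survive a change of the constant. In secretbox_easy.c the `SIZE_MAX - 1U` case is replaced rather than complemented by the zero-length one, so the over-long-message rejection is no longer exercised there even though crypto_secretbox_messagebytes_max() is now asserted to exist; keeping both assertions would cover both ends of the range. All three hunks sit inside main() bodies that start outside the visible lines.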
@@ -99,6 +99,24 @@ main(void) printf("Null tampered crypto_secretbox_open_easy() failed\n"); } + /* No overlap, but buffers are next to each other */ + + memset(c, 0, 131 + crypto_secretbox_MACBYTES + 1); + memcpy(c, m, 20); + crypto_secretbox_easy(c, c + 10, 10, nonce, firstkey); + for (i = 0; i < 10 + crypto_secretbox_MACBYTES; ++i) { + printf(",0x%02x", (unsigned int) c[i]); + } + printf("\n"); + + memset(c, 0, 131 + crypto_secretbox_MACBYTES + 1); + memcpy(c, m, 20); + crypto_secretbox_easy(c + 10, c, 10, nonce, firstkey); + for (i = 0; i < 10 + crypto_secretbox_MACBYTES; ++i) { + printf(",0x%02x", (unsigned int) c[i]); + } + printf("\n"); + sodium_free(mac); sodium_free(c); diff --git a/test/default/secretbox_easy.exp b/test/default/secretbox_easy.exp index ab1eda90..3cffae86 100644 --- a/test/default/secretbox_easy.exp +++ b/test/default/secretbox_easy.exp 
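Review bot: The two adjacent-buffer calls `crypto_secretbox_easy(c, c + 10, 10, nonce, firstkey);` and `crypto_secretbox_easy(c + 10, c, 10, nonce, firstkey);` discard the return value, so a failure would only surface as a changed hex dump in secretbox_easy.exp; the other cases in this file assert on the result, and `assert(crypto_secretbox_easy(c, c + 10, 10, nonce, firstkey) == 0);` (and its mirror) would keep the style consistent and the diagnosis direct. The `131 + crypto_secretbox_MACBYTES + 1` memset length presumably mirrors the allocation of c outside this hunk; a comment such as `/* same size as the sodium_malloc() of c above */` or a single named length used by both would keep them from drifting apart. main() begins and ends outside the hunk.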
@@ -5,3 +5,5 @@ ,0xf3,0xff,0xc7,0x70,0x3f,0x94,0x00,0xe5,0x2a,0x7d,0xfb,0x4b,0x3d,0x33,0x05,0xd9,0x8e,0x99,0x3b,0x9f,0x48,0x68,0x12,0x73,0xc2,0x96,0x50,0xba,0x32,0xfc,0x76,0xce,0x48,0x33,0x2e,0xa7,0x16,0x4d,0x96,0xa4,0x47,0x6f,0xb8,0xc5,0x31,0xa1,0x18,0x6a,0xc0,0xdf,0xc1,0x7c,0x98,0xdc,0xe8,0x7b,0x4d,0xa7,0xf0,0x11,0xec,0x48,0xc9,0x72,0x71,0xd2,0xc2,0x0f,0x9b,0x92,0x8f,0xe2,0x27,0x0d,0x6f,0xb8,0x63,0xd5,0x17,0x38,0xb4,0x8e,0xee,0xe3,0x14,0xa7,0xcc,0x8a,0xb9,0x32,0x16,0x45,0x48,0xe5,0x26,0xae,0x90,0x22,0x43,0x68,0x51,0x7a,0xcf,0xea,0xbd,0x6b,0xb3,0x73,0x2b,0xc0,0xe9,0xda,0x99,0x83,0x2b,0x61,0xca,0x01,0xb6,0xde,0x56,0x24,0x4a,0x9e,0x88,0xd5,0xf9,0xb3,0x79,0x73,0xf6,0x22,0xa4,0x3d,0x14,0xa6,0x59,0x9b,0x1f,0x65,0x4c,0xb4,0x5a,0x74,0xe3,0x55,0xa5 ,0x25,0x39,0x12,0x1d,0x8e,0x23,0x4e,0x65,0x2d,0x65,0x1f,0xa4,0xc8,0xcf,0xf8,0x80,0x8e ,0x25,0x39,0x12,0x1d,0x8e,0x23,0x4e,0x65,0x2d,0x65,0x1f,0xa4,0xc8,0xcf,0xf8,0x80,0x8e +,0x8c,0xf3,0x90,0x57,0xc9,0xbc,0xf2,0xba,0x98,0x87,0xfb,0x15,0x9f,0x21,0x0c,0xd8,0x23,0x88,0x8f,0xb1,0x78,0x92,0xb2,0x8e,0xc8,0xa8 +,0xbe,0x07,0x5f,0xc5,0x3c,0x81,0xf2,0xd5,0xcf,0x14,0xd2,0xe8,0xe8,0x1a,0xac,0xd2,0xba,0x1b,0xaa,0x60,0x99,0xe3,0xd9,0x63,0x56,0x18 diff --git a/test/default/secretbox_easy2.c b/test/default/secretbox_easy2.c index e8fb6baf..0ccc0f8f 100644 --- a/test/default/secretbox_easy2.c +++ b/test/default/secretbox_easy2.c @@ -40,6 +40,10 @@ main(void) } } crypto_secretbox_detached(c, mac, m, (unsigned long long) mlen, nonce, k); + if (crypto_secretbox_open_detached(NULL, c, mac, (unsigned long long) mlen, + nonce, k) != 0) { + printf("crypto_secretbox_open_detached() with a NULL message pointer failed\n"); + } if (crypto_secretbox_open_detached(m2, c, mac, (unsigned long long) mlen, nonce, k) != 0) { printf("crypto_secretbox_open_detached() failed\n"); diff --git a/test/default/secretstream.c b/test/default/secretstream.c new file mode 100644 index 00000000..b3cefc97 --- /dev/null +++ b/test/default/secretstream.c 
@@ -0,0 +1,279 @@ + +#define TEST_NAME "secretstream" +#include "cmptest.h" + +int +main(void) +{ + crypto_secretstream_xchacha20poly1305_state *state; + crypto_secretstream_xchacha20poly1305_state state_copy; + unsigned char *ad; + unsigned char *header; + unsigned char *k; + unsigned char *c1, *c2, *c3; + unsigned char *m1, *m2, *m3; + unsigned char *m1_, *m2_, *m3_; + unsigned long long res_len; + size_t ad_len; + size_t m1_len, m2_len, m3_len; + int ret; + unsigned char tag; + + state = (crypto_secretstream_xchacha20poly1305_state *) + sodium_malloc(crypto_secretstream_xchacha20poly1305_statebytes()); + header = (unsigned char *) + sodium_malloc(crypto_secretstream_xchacha20poly1305_HEADERBYTES); + + ad_len = randombytes_uniform(100); + m1_len = randombytes_uniform(1000); + m2_len = randombytes_uniform(1000); + m3_len = randombytes_uniform(1000); + + c1 = (unsigned char *) + sodium_malloc(m1_len + crypto_secretstream_xchacha20poly1305_ABYTES); + c2 = (unsigned char *) + sodium_malloc(m2_len + crypto_secretstream_xchacha20poly1305_ABYTES); + c3 = (unsigned char *) + sodium_malloc(m3_len + crypto_secretstream_xchacha20poly1305_ABYTES); + + ad = (unsigned char *) sodium_malloc(ad_len); + m1 = (unsigned char *) sodium_malloc(m1_len); + m2 = (unsigned char *) sodium_malloc(m2_len); + m3 = (unsigned char *) sodium_malloc(m3_len); + m1_ = (unsigned char *) sodium_malloc(m1_len); + m2_ = (unsigned char *) sodium_malloc(m2_len); + m3_ = (unsigned char *) sodium_malloc(m3_len); + + randombytes_buf(ad, ad_len); + + randombytes_buf(m1, m1_len); + memcpy(m1_, m1, m1_len); + randombytes_buf(m2, m2_len); + memcpy(m2_, m2, m2_len); + randombytes_buf(m3, m3_len); + memcpy(m3_, m3, m3_len); + + k = (unsigned char *) + sodium_malloc(crypto_secretstream_xchacha20poly1305_KEYBYTES); + crypto_secretstream_xchacha20poly1305_keygen(k); + + /* push */ + + ret = crypto_secretstream_xchacha20poly1305_init_push(state, header, k); + assert(ret == 0); + + ret = 
crypto_secretstream_xchacha20poly1305_push + (state, c1, &res_len, m1, m1_len, NULL, 0, 0); + assert(ret == 0); + assert(res_len == m1_len + crypto_secretstream_xchacha20poly1305_ABYTES); + + ret = crypto_secretstream_xchacha20poly1305_push + (state, c2, NULL, m2, m2_len, ad, 0, 0); + assert(ret == 0); + + ret = crypto_secretstream_xchacha20poly1305_push + (state, c3, NULL, m3, m3_len, ad, ad_len, + crypto_secretstream_xchacha20poly1305_TAG_FINAL); + assert(ret == 0); + + /* pull */ + + ret = crypto_secretstream_xchacha20poly1305_init_pull(state, header, k); + assert(ret == 0); + + ret = crypto_secretstream_xchacha20poly1305_pull + (state, m1, &res_len, &tag, + c1, m1_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0); + assert(ret == 0); + assert(tag == 0); + assert(memcmp(m1, m1_, m1_len) == 0); + assert(res_len == m1_len); + + ret = crypto_secretstream_xchacha20poly1305_pull + (state, m2, NULL, &tag, + c2, m2_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0); + assert(ret == 0); + assert(tag == 0); + assert(memcmp(m2, m2_, m2_len) == 0); + + if (ad_len > 0) { + ret = crypto_secretstream_xchacha20poly1305_pull + (state, m3, NULL, &tag, + c3, m3_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0); + assert(ret == -1); + } + ret = crypto_secretstream_xchacha20poly1305_pull + (state, m3, NULL, &tag, + c3, m3_len + crypto_secretstream_xchacha20poly1305_ABYTES, ad, ad_len); + assert(ret == 0); + assert(tag == crypto_secretstream_xchacha20poly1305_TAG_FINAL); + assert(memcmp(m3, m3_, m3_len) == 0); + + /* previous with FINAL tag */ + + ret = crypto_secretstream_xchacha20poly1305_pull + (state, m3, NULL, &tag, + c3, m3_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0); + assert(ret == -1); + + /* previous without a tag */ + + ret = crypto_secretstream_xchacha20poly1305_pull + (state, m2, NULL, &tag, + c2, m2_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0); + assert(ret == -1); + + /* short ciphertext */ + + ret = 
crypto_secretstream_xchacha20poly1305_pull + (state, m2, NULL, &tag, c2, + randombytes_uniform(crypto_secretstream_xchacha20poly1305_ABYTES), + NULL, 0); + assert(ret == -1); + ret = crypto_secretstream_xchacha20poly1305_pull + (state, m2, NULL, &tag, c2, 0, NULL, 0); + assert(ret == -1); + + /* empty ciphertext */ + + ret = crypto_secretstream_xchacha20poly1305_pull + (state, m2, NULL, &tag, c2, + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0); + assert(ret == -1); + + /* without explicit rekeying */ + + ret = crypto_secretstream_xchacha20poly1305_init_push(state, header, k); + assert(ret == 0); + ret = crypto_secretstream_xchacha20poly1305_push + (state, c1, NULL, m1, m1_len, NULL, 0, 0); + assert(ret == 0); + ret = crypto_secretstream_xchacha20poly1305_push + (state, c2, NULL, m2, m2_len, NULL, 0, 0); + assert(ret == 0); + + ret = crypto_secretstream_xchacha20poly1305_init_pull(state, header, k); + assert(ret == 0); + ret = crypto_secretstream_xchacha20poly1305_pull + (state, m1, NULL, &tag, + c1, m1_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0); + assert(ret == 0); + ret = crypto_secretstream_xchacha20poly1305_pull + (state, m2, NULL, &tag, + c2, m2_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0); + assert(ret == 0); + + /* with explicit rekeying */ + + ret = crypto_secretstream_xchacha20poly1305_init_push(state, header, k); + assert(ret == 0); + ret = crypto_secretstream_xchacha20poly1305_push + (state, c1, NULL, m1, m1_len, NULL, 0, 0); + assert(ret == 0); + + crypto_secretstream_xchacha20poly1305_rekey(state); + + ret = crypto_secretstream_xchacha20poly1305_push + (state, c2, NULL, m2, m2_len, NULL, 0, 0); + assert(ret == 0); + + ret = crypto_secretstream_xchacha20poly1305_init_pull(state, header, k); + assert(ret == 0); + ret = crypto_secretstream_xchacha20poly1305_pull + (state, m1, NULL, &tag, + c1, m1_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0); + assert(ret == 0); + + ret = 
crypto_secretstream_xchacha20poly1305_pull + (state, m2, NULL, &tag, + c2, m2_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0); + assert(ret == -1); + + crypto_secretstream_xchacha20poly1305_rekey(state); + + ret = crypto_secretstream_xchacha20poly1305_pull + (state, m2, NULL, &tag, + c2, m2_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0); + assert(ret == 0); + + /* New stream */ + + ret = crypto_secretstream_xchacha20poly1305_init_push(state, header, k); + assert(ret == 0); + + ret = crypto_secretstream_xchacha20poly1305_push + (state, c1, &res_len, m1, m1_len, NULL, 0, + crypto_secretstream_xchacha20poly1305_TAG_PUSH); + assert(ret == 0); + assert(res_len == m1_len + crypto_secretstream_xchacha20poly1305_ABYTES); + + /* Force a counter overflow, check that the key has been updated + * even though the tag was not changed to REKEY */ + + memset(state->nonce, 0xff, 4U); + state_copy = *state; + + ret = crypto_secretstream_xchacha20poly1305_push + (state, c2, NULL, m2, m2_len, ad, 0, 0); + assert(ret == 0); + + assert(memcmp(state_copy.k, state->k, sizeof state->k) != 0); + assert(memcmp(state_copy.nonce, state->nonce, sizeof state->nonce) != 0); + assert(sodium_is_zero(state->nonce, 4U)); + + ret = crypto_secretstream_xchacha20poly1305_init_pull(state, header, k); + assert(ret == 0); + + ret = crypto_secretstream_xchacha20poly1305_pull + (state, m1, &res_len, &tag, + c1, m1_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0); + assert(ret == 0); + assert(tag == crypto_secretstream_xchacha20poly1305_TAG_PUSH); + assert(memcmp(m1, m1_, m1_len) == 0); + assert(res_len == m1_len); + + memset(state->nonce, 0xff, 4U); + + ret = crypto_secretstream_xchacha20poly1305_pull + (state, m2, NULL, &tag, + c2, m2_len + crypto_secretstream_xchacha20poly1305_ABYTES, NULL, 0); + assert(ret == 0); + assert(tag == 0); + assert(memcmp(m2, m2_, m2_len) == 0); + + sodium_free(m3_); + sodium_free(m2_); + sodium_free(m1_); + sodium_free(m3); + 
sodium_free(m2); + sodium_free(m1); + sodium_free(ad); + sodium_free(c3); + sodium_free(c2); + sodium_free(c1); + sodium_free(k); + sodium_free(header); + sodium_free(state); + + assert(crypto_secretstream_xchacha20poly1305_abytes() == + crypto_secretstream_xchacha20poly1305_ABYTES); + assert(crypto_secretstream_xchacha20poly1305_headerbytes() == + crypto_secretstream_xchacha20poly1305_HEADERBYTES); + assert(crypto_secretstream_xchacha20poly1305_keybytes() == + crypto_secretstream_xchacha20poly1305_KEYBYTES); + assert(crypto_secretstream_xchacha20poly1305_messagebytes_max() == + crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX); + + assert(crypto_secretstream_xchacha20poly1305_tag_message() == + crypto_secretstream_xchacha20poly1305_TAG_MESSAGE); + assert(crypto_secretstream_xchacha20poly1305_tag_push() == + crypto_secretstream_xchacha20poly1305_TAG_PUSH); + assert(crypto_secretstream_xchacha20poly1305_tag_rekey() == + crypto_secretstream_xchacha20poly1305_TAG_REKEY); + assert(crypto_secretstream_xchacha20poly1305_tag_final() == + crypto_secretstream_xchacha20poly1305_TAG_FINAL); + + printf("OK\n"); + + return 0; +} diff --git a/test/default/secretstream.exp b/test/default/secretstream.exp new file mode 100644 index 00000000..d86bac9d --- /dev/null +++ b/test/default/secretstream.exp @@ -0,0 +1 @@ +OK diff --git a/test/default/sign.c b/test/default/sign.c index 814f9672..a577df80 100644 --- a/test/default/sign.c +++ b/test/default/sign.c 
@@ -1190,6 +1190,35 @@ int main(void) i, pk) != -1) { printf("detached signature verification should have failed\n"); } + assert(crypto_sign_detached(sig, NULL, + (const unsigned char *)test_data[i].m, i, skpk) == 0); + + sodium_hex2bin(pk, crypto_sign_PUBLICKEYBYTES, + "3eee494fb9eac773144e34b0c755affaf33ea782c0722e5ea8b150e61209ab36", + crypto_sign_PUBLICKEYBYTES * 2, NULL, NULL, NULL); + if (crypto_sign_verify_detached(sig, + (const unsigned char *)test_data[i].m, + i, pk) != -1) { + printf("signature with an invalid public key should have failed\n"); + } + + sodium_hex2bin(pk, crypto_sign_PUBLICKEYBYTES, + "0200000000000000000000000000000000000000000000000000000000000000", + crypto_sign_PUBLICKEYBYTES * 2, NULL, NULL, NULL); + if (crypto_sign_verify_detached(sig, + (const unsigned char *)test_data[i].m, + i, pk) != -1) { + printf("signature with an invalid public key should have failed\n"); + } + + sodium_hex2bin(pk, crypto_sign_PUBLICKEYBYTES, + "0500000000000000000000000000000000000000000000000000000000000000", + crypto_sign_PUBLICKEYBYTES * 2, NULL, NULL, NULL); + if (crypto_sign_verify_detached(sig, + (const unsigned char *)test_data[i].m, + i, pk) != -1) { + printf("signature with an invalid public key should have failed\n"); + } if (crypto_sign_seed_keypair(pk, sk, keypair_seed) != 0) { printf("crypto_sign_seed_keypair() failure\n"); @@ -1271,9 +1300,11 @@ int main(void) assert(crypto_sign_seedbytes() > 0U); assert(crypto_sign_publickeybytes() > 0U); assert(crypto_sign_secretkeybytes() > 0U); + assert(crypto_sign_messagebytes_max() > 0U); assert(strcmp(crypto_sign_primitive(), "ed25519") == 0); assert(crypto_sign_bytes() == crypto_sign_ed25519_bytes()); assert(crypto_sign_seedbytes() == crypto_sign_ed25519_seedbytes()); + assert(crypto_sign_messagebytes_max() == crypto_sign_ed25519_messagebytes_max()); assert(crypto_sign_publickeybytes() == crypto_sign_ed25519_publickeybytes()); assert(crypto_sign_secretkeybytes() 
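Review bot: The three `sodium_hex2bin()` calls that load the deliberately invalid public keys discard their return value, so a typo in a hex literal would leave `pk` partially filled and `crypto_sign_verify_detached()` would still return -1 for an unrelated reason; wrapping each as `assert(sodium_hex2bin(pk, crypto_sign_PUBLICKEYBYTES, "...", crypto_sign_PUBLICKEYBYTES * 2, NULL, NULL, NULL) == 0);` pins the setup the same way the new `crypto_sign_detached()` line already does. Nothing in the hunk states why these three encodings must be rejected (presumably non-canonical or off-curve encodings, given the `02…`/`05…` forms, but the hunk does not show that), so a one-line comment per key naming the expected rejection reason would stop a later edit from swapping in a value that happens to be a valid point. Since the three checks are copy-pasted, a small `static const char *bad_pk_hex[]` table with a loop would keep them uniform and make adding more cases cheap. The enclosing loop over `test_data` begins outside the hunk.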
diff --git a/test/default/sodium_core.c b/test/default/sodium_core.c index 7f957759..d8d368d6 100644 --- a/test/default/sodium_core.c +++ b/test/default/sodium_core.c @@ -2,18 +2,40 @@ #define TEST_NAME "sodium_core" #include "cmptest.h" +static void +misuse_handler(void) +{ + printf("misuse_handler()\n"); + exit(0); +} + int main(void) { - printf("%d\n", sodium_init()); + sodium_set_misuse_handler(NULL); + sodium_set_misuse_handler(misuse_handler); + sodium_set_misuse_handler(NULL); + + assert(sodium_init() == 1); (void) sodium_runtime_has_neon(); (void) sodium_runtime_has_sse2(); (void) sodium_runtime_has_sse3(); (void) sodium_runtime_has_ssse3(); (void) sodium_runtime_has_sse41(); + (void) sodium_runtime_has_avx(); + (void) sodium_runtime_has_avx2(); + (void) sodium_runtime_has_avx512f(); (void) sodium_runtime_has_pclmul(); (void) sodium_runtime_has_aesni(); + sodium_set_misuse_handler(misuse_handler); +#ifndef __EMSCRIPTEN__ + sodium_misuse(); + printf("Misuse handler returned\n"); +#else + printf("misuse_handler()\n"); +#endif + return 0; } diff --git a/test/default/sodium_core.exp b/test/default/sodium_core.exp index d00491fd..68a17b04 100644 --- a/test/default/sodium_core.exp +++ b/test/default/sodium_core.exp @@ -1 +1 @@ -1 +misuse_handler() diff --git a/test/default/sodium_utils.c b/test/default/sodium_utils.c index b9b93d53..247cfde2 100644 --- a/test/default/sodium_utils.c +++ b/test/default/sodium_utils.c 
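Review bot: `assert(sodium_init() == 1)` encodes that the library was already initialised before `main()` runs (1 being the already-initialised return, 0 the first-call return), which only holds if the cmptest.h harness calls `sodium_init()` first; that dependency is not visible here and deserves a comment such as `/* cmptest.h already called sodium_init(): 1 means "already initialized" */`, or `assert(sodium_init() >= 0)` if the harness does not guarantee it. Because `misuse_handler()` ends in `exit(0)`, the `printf("Misuse handler returned\n")` line is presumably reached only if the handler was not installed or `sodium_misuse()` returned without invoking it, which makes it a useful tripwire that diverges from the `.exp` file; a comment like `/* never reached: the handler exits; reaching it means sodium_misuse() did not call it */` would make that intent explicit.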
@@ -4,20 +4,21 @@ int main(void) { - unsigned char buf_add[1000]; - unsigned char buf1[1000]; - unsigned char buf2[1000]; - unsigned char buf1_rev[1000]; - unsigned char buf2_rev[1000]; - char buf3[33]; - unsigned char buf4[4]; - unsigned char nonce[24]; - char nonce_hex[49]; - const char * hex; - const char * hex_end; - size_t bin_len; - unsigned int i; - unsigned int j; + unsigned char buf_add[1000]; + unsigned char buf1[1000]; + unsigned char buf2[1000]; + unsigned char buf1_rev[1000]; + unsigned char buf2_rev[1000]; + char buf3[33]; + unsigned char nonce[24]; + char nonce_hex[49]; + unsigned char *bin_padded; + size_t bin_len, bin_len2; + size_t bin_padded_len; + size_t bin_padded_maxlen; + size_t blocksize; + unsigned int i; + unsigned int j; randombytes_buf(buf1, sizeof buf1); memcpy(buf2, buf1, sizeof buf2); 
@@ -29,48 +30,6 @@ main(void) printf("%d\n", sodium_memcmp(buf1, buf2, 0U)); sodium_memzero(buf2, sizeof buf2 / 2); printf("%d\n", sodium_memcmp(buf1, buf2, sizeof buf1)); - printf("%s\n", - sodium_bin2hex(buf3, 33U, (const unsigned char *) "0123456789ABCDEF", - 16U)); - hex = "Cafe : 6942"; - sodium_hex2bin(buf4, sizeof buf4, hex, strlen(hex), ": ", &bin_len, - &hex_end); - printf("%lu:%02x%02x%02x%02x\n", (unsigned long) bin_len, buf4[0], buf4[1], - buf4[2], buf4[3]); - printf("dt1: %ld\n", (long) (hex_end - hex)); - - hex = "Cafe : 6942"; - sodium_hex2bin(buf4, sizeof buf4, hex, strlen(hex), ": ", &bin_len, NULL); - printf("%lu:%02x%02x%02x%02x\n", (unsigned long) bin_len, buf4[2], buf4[3], - buf4[2], buf4[3]); - - hex = "deadbeef"; - if (sodium_hex2bin(buf1, 1U, hex, 8U, NULL, &bin_len, &hex_end) != -1) { - printf("sodium_hex2bin() overflow not detected\n"); - } - printf("dt2: %ld\n", (long) (hex_end - hex)); - - hex = "de:ad:be:eff"; - if (sodium_hex2bin(buf1, 4U, hex, 12U, ":", &bin_len, &hex_end) != -1) { - printf( - "sodium_hex2bin() with an odd input length and a short output " - "buffer\n"); - } - printf("dt3: %ld\n", (long) (hex_end - hex)); - - hex = "de:ad:be:eff"; - if (sodium_hex2bin(buf1, sizeof buf1, hex, 12U, ":", &bin_len, &hex_end) != - 0) { - printf("sodium_hex2bin() with an odd input length\n"); - } - printf("dt4: %ld\n", (long) (hex_end - hex)); - - hex = "de:ad:be:eff"; - if (sodium_hex2bin(buf1, sizeof buf1, hex, 13U, ":", &bin_len, &hex_end) != - 0) { - printf("sodium_hex2bin() with an odd input length\n"); - } - printf("dt5: %ld\n", (long) (hex_end - hex)); memset(nonce, 0, sizeof nonce); sodium_increment(nonce, sizeof nonce); 
@@ -184,5 +143,35 @@ main(void) printf("%s\n", sodium_bin2hex(nonce_hex, sizeof nonce_hex, nonce, sizeof nonce)); + for (i = 0; i < 2000U; i++) { + bin_len = randombytes_uniform(200U); + blocksize = 1U + randombytes_uniform(100U); + bin_padded_maxlen = bin_len + (blocksize - bin_len % blocksize); + bin_padded = (unsigned char *) sodium_malloc(bin_padded_maxlen); + randombytes_buf(bin_padded, bin_padded_maxlen); + + assert(sodium_pad(&bin_padded_len, bin_padded, bin_len, + blocksize, bin_padded_maxlen - 1U) == -1); + assert(sodium_pad(NULL, bin_padded, bin_len, + blocksize, bin_padded_maxlen + 1U) == 0); + assert(sodium_pad(&bin_padded_len, bin_padded, bin_len, + blocksize, bin_padded_maxlen + 1U) == 0); + assert(sodium_pad(&bin_padded_len, bin_padded, bin_len, + 0U, bin_padded_maxlen) == -1); + assert(sodium_pad(&bin_padded_len, bin_padded, bin_len, + blocksize, bin_padded_maxlen) == 0); + assert(bin_padded_len == bin_padded_maxlen); + + assert(sodium_unpad(&bin_len2, bin_padded, bin_padded_len, + bin_padded_len + 1U) == -1); + assert(sodium_unpad(&bin_len2, bin_padded, bin_padded_len, + 0U) == -1); + assert(sodium_unpad(&bin_len2, bin_padded, bin_padded_len, + blocksize) == 0); + assert(bin_len2 == bin_len); + + sodium_free(bin_padded); + } + return 0; } diff --git a/test/default/sodium_utils.exp b/test/default/sodium_utils.exp index 030a1cb3..84ec7fd5 100644 --- a/test/default/sodium_utils.exp +++ b/test/default/sodium_utils.exp @@ -3,14 +3,6 @@ -1 0 0 -30313233343536373839414243444546 -4:cafe6942 -dt1: 11 -4:69426942 -dt2: 2 -dt3: 11 -dt4: 11 -dt5: 11 010000000000000000000000000000000000000000000000 000000000000000000000000000000000000000000000000 010100000000000000000000000000000000000000000000 diff --git a/test/default/stream.c b/test/default/stream.c index ccc8d15e..150fe780 100644 --- a/test/default/stream.c +++ b/test/default/stream.c 
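Review bot: The pad/unpad loop only checks `bin_len2 == bin_len` after `sodium_unpad()`, never that the first `bin_len` message bytes survived the round trip, so a `sodium_pad()` that clobbered part of the message would still pass. Since `bin_len` is below 200, a stack copy closes the gap: declare `unsigned char bin_orig[200];`, add `memcpy(bin_orig, bin_padded, bin_len);` right after the `randombytes_buf()` fill and before any `sodium_pad()` call, and add `assert(memcmp(bin_orig, bin_padded, bin_len) == 0);` after the successful unpad (`bin_len` may be 0, which `memcpy`/`memcmp` handle). The `bin_padded_maxlen + 1U` calls also claim one byte more than `sodium_malloc()` provided; that is only safe because the padded output is exactly `bin_padded_maxlen` bytes, and a short comment saying so would keep someone from "fixing" the allocation or the argument.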
@@ -55,9 +55,11 @@ main(void) assert(crypto_stream_keybytes() > 0U); assert(crypto_stream_noncebytes() > 0U); + assert(crypto_stream_messagebytes_max() > 0U); assert(strcmp(crypto_stream_primitive(), "xsalsa20") == 0); assert(crypto_stream_keybytes() == crypto_stream_xsalsa20_keybytes()); assert(crypto_stream_noncebytes() == crypto_stream_xsalsa20_noncebytes()); + assert(crypto_stream_messagebytes_max() == crypto_stream_xsalsa20_messagebytes_max()); return 0; } diff --git a/test/default/stream2.c b/test/default/stream2.c index 63e0c0ee..8e5b3f67 100644 --- a/test/default/stream2.c +++ b/test/default/stream2.c @@ -41,6 +41,7 @@ main(void) assert(crypto_stream_salsa20_keybytes() > 0U); assert(crypto_stream_salsa20_noncebytes() > 0U); + assert(crypto_stream_salsa20_messagebytes_max() > 0U); return 0; } diff --git a/test/default/xchacha20.c b/test/default/xchacha20.c index b3936b9c..a5719c8b 100644 --- a/test/default/xchacha20.c +++ b/test/default/xchacha20.c @@ -8,6 +8,12 @@ typedef struct HChaCha20TV_ { const char out[crypto_core_hchacha20_OUTPUTBYTES * 2 + 1]; } HChaCha20TV; +static const unsigned char small_order_p[crypto_scalarmult_BYTES] = { + 0xe0, 0xeb, 0x7a, 0x7c, 0x3b, 0x41, 0xb8, 0xae, 0x16, 0x56, 0xe3, + 0xfa, 0xf1, 0x9f, 0xc4, 0x6a, 0xda, 0x09, 0x8d, 0xeb, 0x9c, 0x32, + 0xb1, 0xfd, 0x86, 0x62, 0x05, 0x16, 0x5f, 0x49, 0xb8, 0x00 +}; + static void tv_hchacha20(void) { @@ -29,7 +35,7 @@ tv_hchacha20(void) unsigned char *in; unsigned char *out; unsigned char *out2; - int i; + size_t i; constant = (unsigned char *) sodium_malloc(crypto_core_hchacha20_CONSTBYTES); key = (unsigned char *) sodium_malloc(crypto_core_hchacha20_KEYBYTES); @@ -102,7 +108,7 @@ tv_stream_xchacha20(void) unsigned char *out; unsigned char *out2; size_t out_len; - int i; + size_t i; key = (unsigned char *) sodium_malloc(crypto_stream_xchacha20_KEYBYTES); nonce = (unsigned char *) sodium_malloc(crypto_stream_xchacha20_NONCEBYTES); 
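Review bot: `small_order_p` is introduced with no comment saying what the value is or why every later box call that takes it as a peer public key is expected to fail; only the name hints at it. A line above the definition such as `/* low-order Curve25519 point: crypto_scalarmult() rejects it, so every box operation using it as a peer key must return -1 */` documents the contract the later asserts rely on (the value is presumably one of the low-order points the scalar multiplication blacklists, which this hunk does not show). The `@@ -29` and `@@ -102` hunks that change `i` from `int` to `size_t` look fine as far as the declarations go; the loop bodies that use `i` are outside the hunks.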
@@ -164,6 +170,11 @@ tv_stream_xchacha20(void) hex = (char *) sodium_malloc(192 * 2 + 1); sodium_bin2hex(hex, 192 * 2 + 1, out, 192); printf("%s\n", hex); + + memset(key, 0, crypto_stream_xchacha20_KEYBYTES); + crypto_stream_xchacha20_keygen(key); + assert(sodium_is_zero(key, crypto_stream_xchacha20_KEYBYTES) == 0); + sodium_free(hex); sodium_free(out); sodium_free(out2); @@ -173,6 +184,7 @@ tv_stream_xchacha20(void) assert(crypto_stream_xchacha20_keybytes() == crypto_stream_xchacha20_KEYBYTES); assert(crypto_stream_xchacha20_noncebytes() == crypto_stream_xchacha20_NONCEBYTES); + assert(crypto_stream_xchacha20_messagebytes_max() == crypto_stream_xchacha20_MESSAGEBYTES_MAX); printf("tv_stream_xchacha20: ok\n"); } @@ -206,9 +218,8 @@ tv_secretbox_xchacha20poly1305(void) unsigned char *out; unsigned char *out2; size_t m_len; - size_t out_len; size_t n; - int i; + size_t i; key = (unsigned char *) sodium_malloc (crypto_secretbox_xchacha20poly1305_KEYBYTES); @@ -229,10 +240,17 @@ tv_secretbox_xchacha20poly1305(void) (crypto_secretbox_xchacha20poly1305_MACBYTES + m_len); sodium_hex2bin(out, crypto_secretbox_xchacha20poly1305_MACBYTES + m_len, tv->out, strlen(tv->out), NULL, NULL, NULL); - crypto_secretbox_xchacha20poly1305_easy(out2, m, m_len, nonce, key); + assert(crypto_secretbox_xchacha20poly1305_easy(out2, m, 0, nonce, key) == 0); + assert(crypto_secretbox_xchacha20poly1305_easy(out2, m, m_len, nonce, key) == 0); assert(memcmp(out, out2, crypto_secretbox_xchacha20poly1305_MACBYTES + m_len) == 0); n = randombytes_uniform(crypto_secretbox_xchacha20poly1305_MACBYTES + m_len); + assert(crypto_secretbox_xchacha20poly1305_open_easy + (out2, out2, crypto_secretbox_xchacha20poly1305_MACBYTES - 1, + nonce, key) == -1); + assert(crypto_secretbox_xchacha20poly1305_open_easy + (out2, out2, 0, + nonce, key) == -1); out2[n]++; assert(crypto_secretbox_xchacha20poly1305_open_easy (out2, out2, crypto_secretbox_xchacha20poly1305_MACBYTES + m_len, 
@@ -246,10 +264,18 @@ tv_secretbox_xchacha20poly1305(void) assert(crypto_secretbox_xchacha20poly1305_open_easy (out2, out2, crypto_secretbox_xchacha20poly1305_MACBYTES + m_len, nonce, key) == 0); + assert(crypto_secretbox_xchacha20poly1305_open_easy + (out2, out2, crypto_secretbox_xchacha20poly1305_MACBYTES - 1, + nonce, key) == -1); + assert(crypto_secretbox_xchacha20poly1305_open_easy + (out2, out2, 0, nonce, key) == -1); assert(memcmp(m, out2, m_len) == 0); assert(crypto_secretbox_xchacha20poly1305_open_detached (out2, out + crypto_secretbox_xchacha20poly1305_MACBYTES, out, m_len, nonce, key) == 0); + assert(crypto_secretbox_xchacha20poly1305_open_detached + (NULL, out + crypto_secretbox_xchacha20poly1305_MACBYTES, out, + m_len, nonce, key) == 0); crypto_secretbox_xchacha20poly1305_detached (out2 + crypto_secretbox_xchacha20poly1305_MACBYTES, out2, m, m_len, nonce, key); @@ -300,8 +326,18 @@ tv_box_xchacha20poly1305(void) randombytes_buf(nonce, crypto_box_curve25519xchacha20poly1305_NONCEBYTES); randombytes_buf(m, m_len); assert(crypto_box_curve25519xchacha20poly1305_keypair(pk, sk) == 0); + assert(crypto_box_curve25519xchacha20poly1305_easy(out, m, 0, nonce, + pk, sk) == 0); assert(crypto_box_curve25519xchacha20poly1305_easy(out, m, m_len, nonce, pk, sk) == 0); + assert(crypto_box_curve25519xchacha20poly1305_open_easy + (m2, out, crypto_box_curve25519xchacha20poly1305_MACBYTES + m_len, + nonce, small_order_p, sk) == -1); + assert(crypto_box_curve25519xchacha20poly1305_open_easy + (m2, out, crypto_box_curve25519xchacha20poly1305_MACBYTES - 1, + nonce, pk, sk) == -1); + assert(crypto_box_curve25519xchacha20poly1305_open_easy + (m2, out, 0, nonce, pk, sk) == -1); assert(crypto_box_curve25519xchacha20poly1305_open_easy (m2, out, crypto_box_curve25519xchacha20poly1305_MACBYTES + m_len, nonce, pk, sk) == 0); 
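Review bot: The two short-ciphertext asserts inserted between the successful in-place `open_easy(out2, out2, …)` and `assert(memcmp(m, out2, m_len) == 0)` make that comparison depend on a failing open leaving its output buffer untouched; `out2` holds the recovered plaintext at that point, and if `crypto_secretbox_xchacha20poly1305_open_easy()` ever clears its output on an early length failure the plaintext check would break for a reason unrelated to decryption. The same `MACBYTES - 1` and `0` length checks are already added in the `@@ -229` hunk before the `out2[n]++` corruption, so these two can simply be dropped, or moved above the successful open. The new `open_detached(NULL, …)` call is a worthwhile check that a NULL message pointer is accepted by the detached API; a comment such as `/* m == NULL: verify the MAC only */` would state what is being tested (that this is the intended meaning of NULL is not shown in the hunk).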
@@ -310,9 +346,18 @@ tv_box_xchacha20poly1305(void) out = (unsigned char *) sodium_malloc (crypto_box_curve25519xchacha20poly1305_MACBYTES + m_len); + assert(crypto_box_curve25519xchacha20poly1305_beforenm(pc, small_order_p, sk) == -1); assert(crypto_box_curve25519xchacha20poly1305_beforenm(pc, pk, sk) == 0); + assert(crypto_box_curve25519xchacha20poly1305_easy_afternm + (out, m, 0, nonce, pc) == 0); assert(crypto_box_curve25519xchacha20poly1305_easy_afternm (out, m, m_len, nonce, pc) == 0); + assert(crypto_box_curve25519xchacha20poly1305_open_easy_afternm + (m2, out, crypto_box_curve25519xchacha20poly1305_MACBYTES - 1, + nonce, pc) == -1); + assert(crypto_box_curve25519xchacha20poly1305_open_easy_afternm + (m2, out, 0, + nonce, pc) == -1); assert(crypto_box_curve25519xchacha20poly1305_open_easy_afternm (m2, out, crypto_box_curve25519xchacha20poly1305_MACBYTES + m_len, nonce, pc) == 0); @@ -320,8 +365,12 @@ tv_box_xchacha20poly1305(void) sodium_free(out); out = (unsigned char *) sodium_malloc(m_len); + assert(crypto_box_curve25519xchacha20poly1305_detached(out, mac, m, m_len, + nonce, small_order_p, sk) == -1); assert(crypto_box_curve25519xchacha20poly1305_detached(out, mac, m, m_len, nonce, pk, sk) == 0); + assert(crypto_box_curve25519xchacha20poly1305_open_detached + (m2, out, mac, m_len, nonce, small_order_p, sk) == -1); assert(crypto_box_curve25519xchacha20poly1305_open_detached (m2, out, mac, m_len, nonce, pk, sk) == 0); sodium_free(out); @@ -342,8 +391,8 @@ tv_box_xchacha20poly1305(void) seed = (unsigned char *) sodium_malloc (crypto_box_curve25519xchacha20poly1305_SEEDBYTES); - for (i = 0; i < crypto_box_curve25519xchacha20poly1305_SEEDBYTES; i++) { - seed[i] = i; + for (i = 0; i <(int) crypto_box_curve25519xchacha20poly1305_SEEDBYTES; i++) { + seed[i] = (unsigned char) i; } crypto_box_curve25519xchacha20poly1305_seed_keypair(pk, sk, seed); sodium_bin2hex(hex, sizeof hex, pk, crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES); 
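Review bot: `for (i = 0; i <(int) crypto_box_curve25519xchacha20poly1305_SEEDBYTES; i++)` is missing the space after `<` and casts the bound to `int`, while the other three test functions in this commit resolve the same signed/unsigned comparison by changing `i` to `size_t`. If `i` in tv_box_xchacha20poly1305() is still an `int` (its declaration is outside the hunk), switching it to `size_t` and writing `for (i = 0; i < crypto_box_curve25519xchacha20poly1305_SEEDBYTES; i++)` keeps the file consistent and drops the cast, with `seed[i] = (unsigned char) i;` unchanged. The `@@ -310` hunk's `beforenm(pc, small_order_p, sk) == -1` check should stay before the successful `beforenm(pc, pk, sk)`, since the later `_afternm` asserts rely on `pc` holding the good shared key; a comment `/* must be rejected before pc is computed from the real key */` would guard that ordering.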
@@ -360,6 +409,8 @@ tv_box_xchacha20poly1305(void) assert(crypto_box_curve25519xchacha20poly1305_secretkeybytes() == crypto_box_curve25519xchacha20poly1305_SECRETKEYBYTES); assert(crypto_box_curve25519xchacha20poly1305_beforenmbytes() == crypto_box_curve25519xchacha20poly1305_BEFORENMBYTES); assert(crypto_box_curve25519xchacha20poly1305_noncebytes() == crypto_box_curve25519xchacha20poly1305_NONCEBYTES); + assert(crypto_box_curve25519xchacha20poly1305_macbytes() == crypto_box_curve25519xchacha20poly1305_MACBYTES); + assert(crypto_box_curve25519xchacha20poly1305_messagebytes_max() == crypto_box_curve25519xchacha20poly1305_MESSAGEBYTES_MAX); printf("tv_box_xchacha20poly1305: ok\n"); }