rbnacl-libsodium 0.6.1 → 0.7.0

data/vendor/libsodium/src/libsodium/crypto_auth/hmacsha256/cp/verify_hmacsha256.c

@@ -1,9 +1,11 @@
 #include "api.h"
 #include "crypto_verify_32.h"
+#include "utils.h"
 
 int crypto_auth_verify(const unsigned char *h,const unsigned char *in,unsigned long long inlen,const unsigned char *k)
 {
   unsigned char correct[32];
   crypto_auth(correct,in,inlen,k);
-  return crypto_verify_32(h,correct);
+  return crypto_verify_32(h,correct) | (-(h - correct == 0)) |
+         sodium_memcmp(correct,h,32);
 }

data/vendor/libsodium/src/libsodium/crypto_auth/hmacsha512/cp/verify_hmacsha512.c

@@ -1,10 +1,12 @@
 #include "api.h"
 #include "crypto_verify_64.h"
+#include "utils.h"
 
 int crypto_auth_verify(const unsigned char *h, const unsigned char *in,
                        unsigned long long inlen, const unsigned char *k)
 {
   unsigned char correct[64];
   crypto_auth(correct,in,inlen,k);
-  return crypto_verify_64(h,correct);
+  return crypto_verify_64(h,correct) | (-(h - correct == 0)) |
+         sodium_memcmp(correct,h,64);
 }

data/vendor/libsodium/src/libsodium/crypto_auth/hmacsha512256/cp/verify_hmacsha512256.c

@@ -1,10 +1,12 @@
 #include "api.h"
 #include "crypto_verify_32.h"
+#include "utils.h"
 
 int crypto_auth_verify(const unsigned char *h, const unsigned char *in,
                        unsigned long long inlen, const unsigned char *k)
 {
   unsigned char correct[32];
   crypto_auth(correct,in,inlen,k);
-  return crypto_verify_32(h,correct);
+  return crypto_verify_32(h,correct) | (-(h - correct == 0)) |
+         sodium_memcmp(correct,h,32);
 }

data/vendor/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c

@@ -61,6 +61,12 @@ crypto_pwhash_scryptsalsa208sha256_strbytes(void)
     return crypto_pwhash_scryptsalsa208sha256_STRBYTES;
 }
 
+const char *
+crypto_pwhash_scryptsalsa208sha256_strprefix(void)
+{
+    return crypto_pwhash_scryptsalsa208sha256_STRPREFIX;
+}
+
 size_t
 crypto_pwhash_scryptsalsa208sha256_opslimit_interactive(void)
 {

data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/ref10/pow225521.h

@@ -50,7 +50,7 @@
 /* qhasm: z2 = z1^2^1 */
 /* asm 1: fe_sq(>z2=fe#1,<z1=fe#11); for (i = 1;i < 1;++i) fe_sq(>z2=fe#1,>z2=fe#1); */
 /* asm 2: fe_sq(>z2=t0,<z1=z); for (i = 1;i < 1;++i) fe_sq(>z2=t0,>z2=t0); */
-fe_sq(t0,z); for (i = 1;i < 1;++i) fe_sq(t0,t0);
+fe_sq(t0,z); /* for (i = 1;i < 1;++i) fe_sq(t0,t0); */
 
 /* qhasm: z8 = z2^2^2 */
 /* asm 1: fe_sq(>z8=fe#2,<z2=fe#1); for (i = 1;i < 2;++i) fe_sq(>z8=fe#2,>z8=fe#2); */
@@ -70,7 +70,7 @@ fe_mul(t0,t0,t1);
 /* qhasm: z22 = z11^2^1 */
 /* asm 1: fe_sq(>z22=fe#3,<z11=fe#1); for (i = 1;i < 1;++i) fe_sq(>z22=fe#3,>z22=fe#3); */
 /* asm 2: fe_sq(>z22=t2,<z11=t0); for (i = 1;i < 1;++i) fe_sq(>z22=t2,>z22=t2); */
-fe_sq(t2,t0); for (i = 1;i < 1;++i) fe_sq(t2,t2);
+fe_sq(t2,t0); /* for (i = 1;i < 1;++i) fe_sq(t2,t2); */
 
 /* qhasm: z_5_0 = z9*z22 */
 /* asm 1: fe_mul(>z_5_0=fe#2,<z9=fe#2,<z22=fe#3); */

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/keypair.c

@@ -2,8 +2,11 @@
 #include <string.h>
 
 #include "api.h"
-#include "randombytes.h"
 #include "crypto_hash_sha512.h"
+#include "crypto_scalarmult_curve25519.h"
+#include "randombytes.h"
+#include "utils.h"
+#include "fe.h"
 #include "ge.h"
 
 int crypto_sign_seed_keypair(unsigned char *pk, unsigned char *sk,
@@ -27,7 +30,47 @@ int crypto_sign_seed_keypair(unsigned char *pk, unsigned char *sk,
 int crypto_sign_keypair(unsigned char *pk, unsigned char *sk)
 {
     unsigned char seed[32];
+    int           ret;
+
+    randombytes(seed, sizeof seed);
+    ret = crypto_sign_seed_keypair(pk, sk, seed);
+    sodium_memzero(seed, sizeof seed);
+
+    return ret;
+}
+
+int crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
+                                         const unsigned char *ed25519_pk)
+{
+    ge_p3 A;
+    fe    x;
+    fe    one_minus_y;
 
-    randombytes(seed,32);
-    return crypto_sign_seed_keypair(pk,sk,seed);
+    ge_frombytes_negate_vartime(&A, ed25519_pk);
+    fe_1(one_minus_y);
+    fe_sub(one_minus_y, one_minus_y, A.Y);
+    fe_invert(one_minus_y, one_minus_y);
+    fe_1(x);
+    fe_add(x, x, A.Y);
+    fe_mul(x, x, one_minus_y);
+    fe_tobytes(curve25519_pk, x);
+
+    return 0;
+}
+
+int crypto_sign_ed25519_sk_to_curve25519(unsigned char *curve25519_sk,
+                                         const unsigned char *ed25519_sk)
+{
+    unsigned char h[crypto_hash_sha512_BYTES];
+
+    crypto_hash_sha512(h, ed25519_sk,
+                       crypto_sign_ed25519_SECRETKEYBYTES -
+                       crypto_sign_ed25519_PUBLICKEYBYTES);
+    h[0] &= 248;
+    h[31] &= 127;
+    h[31] |= 64;
+    memcpy(curve25519_sk, h, crypto_scalarmult_curve25519_BYTES);
+    sodium_memzero(h, sizeof h);
+
+    return 0;
 }

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/open.c

@@ -43,16 +43,8 @@ crypto_sign_verify_detached(const unsigned char *sig, const unsigned char *m,
     ge_double_scalarmult_vartime(&R, h, &A, sig + 32);
     ge_tobytes(rcheck, &R);
 
-    if (crypto_verify_32(rcheck, sig) != 0) {
-        return -1;
-    }
-    if (sig == rcheck) {
-        return -1;
-    }
-    if (sodium_memcmp(sig, rcheck, 32) != 0) {
-        return -1;
-    }
-    return 0;
+    return crypto_verify_32(rcheck, sig) | (-(rcheck - sig == 0)) |
+           sodium_memcmp(sig, rcheck, 32);
 }
 
 int

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/sign.c

@@ -5,6 +5,7 @@
 #include "crypto_hash_sha512.h"
 #include "ge.h"
 #include "sc.h"
+#include "utils.h"
 
 int
 crypto_sign_detached(unsigned char *sig, unsigned long long *siglen,
@@ -44,6 +45,9 @@ crypto_sign_detached(unsigned char *sig, unsigned long long *siglen,
     sc_reduce(hram);
     sc_muladd(sig + 32, hram, az, nonce);
 
+    sodium_memzero(az, sizeof az);
+    sodium_memzero(nonce, sizeof nonce);
+
     if (siglen != NULL) {
         *siglen = 64U;
     }
@@ -59,7 +63,9 @@ crypto_sign(unsigned char *sm, unsigned long long *smlen,
 
     if (crypto_sign_detached(sm, &siglen, m, mlen, sk) != 0 ||
         siglen > crypto_sign_ed25519_BYTES) {
-        *smlen = 0;
+        if (smlen != NULL) {
+            *smlen = 0;
+        }
         memset(sm, 0, mlen + crypto_sign_ed25519_BYTES);
         return -1;
     }

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/sign_ed25519_api.c

@@ -1,3 +1,6 @@
+
+#include <string.h>
+
 #include "crypto_sign_ed25519.h"
 
 size_t
@@ -19,3 +22,18 @@ size_t
 crypto_sign_ed25519_secretkeybytes(void) {
     return crypto_sign_ed25519_SECRETKEYBYTES;
 }
+
+int
+crypto_sign_ed25519_sk_to_seed(unsigned char *seed, const unsigned char *sk)
+{
+    memmove(seed, sk, crypto_sign_ed25519_SEEDBYTES);
+    return 0;
+}
+
+int
+crypto_sign_ed25519_sk_to_pk(unsigned char *pk, const unsigned char *sk)
+{
+    memmove(pk, sk + crypto_sign_ed25519_SEEDBYTES,
+            crypto_sign_ed25519_PUBLICKEYBYTES);
+    return 0;
+}

data/vendor/libsodium/src/libsodium/include/Makefile.am

@@ -32,7 +32,6 @@ SODIUM_EXPORT = \
 	sodium/crypto_sign_edwards25519sha512batch.h \
 	sodium/crypto_stream.h \
 	sodium/crypto_stream_aes128ctr.h \
-	sodium/crypto_stream_aes256estream.h \
 	sodium/crypto_stream_chacha20.h \
 	sodium/crypto_stream_salsa20.h \
 	sodium/crypto_stream_salsa2012.h \

data/vendor/libsodium/src/libsodium/include/Makefile.in

@@ -325,7 +325,6 @@ SODIUM_EXPORT = \
 	sodium/crypto_sign_edwards25519sha512batch.h \
 	sodium/crypto_stream.h \
 	sodium/crypto_stream_aes128ctr.h \
-	sodium/crypto_stream_aes256estream.h \
 	sodium/crypto_stream_chacha20.h \
 	sodium/crypto_stream_salsa20.h \
 	sodium/crypto_stream_salsa2012.h \

data/vendor/libsodium/src/libsodium/include/sodium.h

@@ -32,7 +32,6 @@
 #include <sodium/crypto_sign_ed25519.h>
 #include <sodium/crypto_stream.h>
 #include <sodium/crypto_stream_aes128ctr.h>
-#include <sodium/crypto_stream_aes256estream.h>
 #include <sodium/crypto_stream_chacha20.h>
 #include <sodium/crypto_stream_salsa20.h>
 #include <sodium/crypto_stream_salsa2012.h>

data/vendor/libsodium/src/libsodium/include/sodium/crypto_onetimeauth_poly1305.h

@@ -54,9 +54,8 @@ const char *crypto_onetimeauth_poly1305_implementation_name(void);
 SODIUM_EXPORT
 int crypto_onetimeauth_poly1305_set_implementation(crypto_onetimeauth_poly1305_implementation *impl);
 
-SODIUM_EXPORT
 crypto_onetimeauth_poly1305_implementation *
-        crypto_onetimeauth_pick_best_implementation(void);
+crypto_onetimeauth_pick_best_implementation(void);
 
 SODIUM_EXPORT
 int crypto_onetimeauth_poly1305(unsigned char *out,

data/vendor/libsodium/src/libsodium/include/sodium/crypto_pwhash_scryptsalsa208sha256.h

@@ -2,6 +2,7 @@
 #define crypto_pwhash_scryptsalsa208sha256_H
 
 #include <stddef.h>
+#include <stdint.h>
 
 #include "export.h"
 
@@ -20,6 +21,10 @@ size_t crypto_pwhash_scryptsalsa208sha256_saltbytes(void);
 SODIUM_EXPORT
 size_t crypto_pwhash_scryptsalsa208sha256_strbytes(void);
 
+#define crypto_pwhash_scryptsalsa208sha256_STRPREFIX "$7$"
+SODIUM_EXPORT
+const char *crypto_pwhash_scryptsalsa208sha256_strprefix(void);
+
 #define crypto_pwhash_scryptsalsa208sha256_OPSLIMIT_INTERACTIVE 524288ULL
 SODIUM_EXPORT
 size_t crypto_pwhash_scryptsalsa208sha256_opslimit_interactive(void);

data/vendor/libsodium/src/libsodium/include/sodium/crypto_sign_ed25519.h

@@ -57,6 +57,21 @@ SODIUM_EXPORT
 int crypto_sign_ed25519_seed_keypair(unsigned char *pk, unsigned char *sk,
                                      const unsigned char *seed);
 
+SODIUM_EXPORT
+int crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
+                                         const unsigned char *ed25519_pk);
+
+SODIUM_EXPORT
+int crypto_sign_ed25519_sk_to_curve25519(unsigned char *curve25519_sk,
+                                         const unsigned char *ed25519_sk);
+
+SODIUM_EXPORT
+int crypto_sign_ed25519_sk_to_seed(unsigned char *seed,
+                                   const unsigned char *sk);
+
+SODIUM_EXPORT
+int crypto_sign_ed25519_sk_to_pk(unsigned char *pk, const unsigned char *sk);
+
 #ifdef __cplusplus
 }
 #endif

data/vendor/libsodium/src/libsodium/include/sodium/utils.h

@@ -16,12 +16,14 @@ extern "C" {
 # define _SODIUM_C99(X) X
 #endif
 
-unsigned char *_sodium_alignedcalloc(unsigned char ** const unaligned_p,
-                                     const size_t len);
-
 SODIUM_EXPORT
 void sodium_memzero(void * const pnt, const size_t len);
 
+/* WARNING: sodium_memcmp() must be used to verify if two secret keys
+ * are equal, in constant time.
+ * It returns 0 if the keys are equal, and -1 if they differ.
+ * This function is not designed for lexicographical comparisons.
+ */
 SODIUM_EXPORT
 int sodium_memcmp(const void * const b1_, const void * const b2_, size_t len);
 
@@ -41,6 +43,55 @@ int sodium_mlock(void * const addr, const size_t len);
 SODIUM_EXPORT
 int sodium_munlock(void * const addr, const size_t len);
 
+/* WARNING: sodium_malloc() and sodium_allocarray() are not general-purpose
+ * allocation functions.
+ *
+ * They return a pointer to a region filled with 0xd0 bytes, immediately
+ * followed by a guard page.
+ * As a result, accessing a single byte after the requested allocation size
+ * will intentionally trigger a segmentation fault.
+ *
+ * A canary and an additional guard page placed before the beginning of the
+ * region may also kill the process if a buffer underflow is detected.
+ *
+ * The memory layout is:
+ * [unprotected region size (read only)][guard page (no access)][unprotected pages (read/write)][guard page (no access)]
+ * With the layout of the unprotected pages being:
+ * [optional padding][16-bytes canary][user region]
+ *
+ * However:
+ * - These functions are significantly slower than standard functions
+ * - Each allocation requires 3 or 4 additional pages
+ * - The returned address will not be aligned if the allocation size is not
+ *   a multiple of the required alignment. For this reason, these functions
+ *   are designed to store data, such as secret keys and messages.
+ *   They should not be used to store pointers mixed with other types
+ *   in portable code unless extreme care is taken to ensure correct
+ *   pointers alignment.
+ */
+
+SODIUM_EXPORT
+void *sodium_malloc(const size_t size);
+
+SODIUM_EXPORT
+void *sodium_allocarray(size_t count, size_t size);
+
+SODIUM_EXPORT
+void sodium_free(void *ptr);
+
+SODIUM_EXPORT
+int sodium_mprotect_noaccess(void *ptr);
+
+SODIUM_EXPORT
+int sodium_mprotect_readonly(void *ptr);
+
+SODIUM_EXPORT
+int sodium_mprotect_readwrite(void *ptr);
+
+/* -------- */
+
+int _sodium_alloc_init(void);
+
 #ifdef __cplusplus
 }
 #endif

data/vendor/libsodium/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c

@@ -41,7 +41,7 @@ BOOLEAN NTAPI RtlGenRandom(PVOID RandomBuffer, ULONG RandomBufferLength);
 
 typedef struct Salsa20Random_ {
     unsigned char key[crypto_stream_salsa20_KEYBYTES];
-    unsigned char rnd32[SALSA20_RANDOM_BLOCK_SIZE];
+    unsigned char rnd32[16U * SALSA20_RANDOM_BLOCK_SIZE];
     uint64_t      nonce;
     size_t        rnd32_outleft;
 #ifndef _MSC_VER
@@ -67,7 +67,7 @@ sodium_hrtime(void)
 #ifdef _WIN32
     struct _timeb tb;
 
-    _ftime(&tb);
+    _ftime_s(&tb);
     tv.tv_sec = (long) tb.time;
     tv.tv_usec = ((int) tb.millitm) * 1000;
     ret = 0;
@@ -214,14 +214,26 @@ randombytes_salsa20_random_stir_if_needed(void)
 #endif
 }
 
+static void
+randombytes_salsa20_random_rekey(const unsigned char * const mix)
+{
+    unsigned char *key = stream.key;
+    size_t         i;
+
+    for (i = (size_t) 0U; i < sizeof stream.key; i++) {
+        key[i] ^= mix[i];
+    }
+}
+
 static uint32_t
 randombytes_salsa20_random_getword(void)
 {
     uint32_t val;
     int      ret;
 
-    COMPILER_ASSERT(sizeof stream.rnd32 >= sizeof val);
-    COMPILER_ASSERT(sizeof stream.rnd32 % sizeof val == (size_t) 0U);
+    COMPILER_ASSERT(sizeof stream.rnd32 >= (sizeof stream.key) + (sizeof val));
+    COMPILER_ASSERT(((sizeof stream.rnd32) - (sizeof stream.key))
+                    % sizeof val == (size_t) 0U);
     if (stream.rnd32_outleft <= (size_t) 0U) {
         randombytes_salsa20_random_stir_if_needed();
         COMPILER_ASSERT(sizeof stream.nonce == crypto_stream_salsa20_NONCEBYTES);
@@ -230,11 +242,13 @@ randombytes_salsa20_random_getword(void)
                                     (unsigned char *) &stream.nonce,
                                     stream.key);
         assert(ret == 0);
+        stream.rnd32_outleft = (sizeof stream.rnd32) - (sizeof stream.key);
+        randombytes_salsa20_random_rekey(&stream.rnd32[stream.rnd32_outleft]);
         stream.nonce++;
-        stream.rnd32_outleft = sizeof stream.rnd32;
     }
     stream.rnd32_outleft -= sizeof val;
     memcpy(&val, &stream.rnd32[stream.rnd32_outleft], sizeof val);
+    memset(&stream.rnd32[stream.rnd32_outleft], 0, sizeof val);
 
     return val;
 }
@@ -278,10 +292,11 @@ randombytes_salsa20_random_buf(void * const buf, const size_t size)
     assert(size <= ULONG_LONG_MAX);
 #endif
     ret = crypto_stream_salsa20((unsigned char *) buf, (unsigned long long) size,
-                                (unsigned char *) &stream.nonce,
-                                stream.key);
+                                (unsigned char *) &stream.nonce, stream.key);
     assert(ret == 0);
     stream.nonce++;
+    crypto_stream_salsa20_xor(stream.key, stream.key, sizeof stream.key,
+                              (unsigned char *) &stream.nonce, stream.key);
 }
 
 /*

data/vendor/libsodium/src/libsodium/sodium/core.c

@@ -3,6 +3,7 @@
 #include "crypto_onetimeauth.h"
 #include "randombytes.h"
 #include "runtime.h"
+#include "utils.h"
 
 static int initialized;
 
@@ -17,6 +18,7 @@ sodium_init(void)
         return -1;
     }
     randombytes_stir();
+    _sodium_alloc_init();
     initialized = 1;
 
     return 0;