rbnacl-libsodium 1.0.10 → 1.0.11

data/vendor/libsodium/msvc-scripts/Makefile.in

@@ -92,6 +92,7 @@ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \
 	$(top_srcdir)/m4/ax_check_define.m4 \
 	$(top_srcdir)/m4/ax_check_link_flag.m4 \
+	$(top_srcdir)/m4/ax_pthread.m4 \
 	$(top_srcdir)/m4/ax_valgrind_check.m4 \
 	$(top_srcdir)/m4/ld-output-def.m4 $(top_srcdir)/m4/libtool.m4 \
 	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
@@ -205,6 +206,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREAD_CC = @PTHREAD_CC@
+PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
+PTHREAD_LIBS = @PTHREAD_LIBS@
 RANLIB = @RANLIB@
 SAFECODE_HOME = @SAFECODE_HOME@
 SED = @SED@
@@ -234,6 +238,7 @@ am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
+ax_pthread_config = @ax_pthread_config@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@

data/vendor/libsodium/msvc-scripts/process.bat

@@ -1,4 +1,4 @@
-cscript msvc-scripts/rep.vbs //Nologo s/@VERSION@/1.0.10/ < src\libsodium\include\sodium\version.h.in > tmp
+cscript msvc-scripts/rep.vbs //Nologo s/@VERSION@/1.0.11/ < src\libsodium\include\sodium\version.h.in > tmp
 cscript msvc-scripts/rep.vbs //Nologo s/@SODIUM_LIBRARY_VERSION_MAJOR@/9/ < tmp > tmp2
-cscript msvc-scripts/rep.vbs //Nologo s/@SODIUM_LIBRARY_VERSION_MINOR@/2/ < tmp2 > src\libsodium\include\sodium\version.h
+cscript msvc-scripts/rep.vbs //Nologo s/@SODIUM_LIBRARY_VERSION_MINOR@/3/ < tmp2 > src\libsodium\include\sodium\version.h
 del tmp tmp2

data/vendor/libsodium/packaging/nuget/package.bat

@@ -1,13 +1,13 @@
 @ECHO OFF
 ECHO Started nuget packaging build.
 ECHO.
-REM http://www.nuget.org/packages/gsl
+REM https://www.nuget.org/packages/gsl
 gsl -q -script:package.gsl package.config
 ECHO.
-REM http://nuget.codeplex.com/releases
+REM https://nuget.codeplex.com/releases
 nuget pack package.nuspec -verbosity detailed
 ECHO.
 ECHO NOTE: Ignore warnings not applicable to native code: "Issue: Assembly outside lib folder."
 ECHO.
 ECHO Completed nuget packaging build. The package is in the following folder:
-CD
+CD

data/vendor/libsodium/src/Makefile.in

@@ -92,6 +92,7 @@ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \
 	$(top_srcdir)/m4/ax_check_define.m4 \
 	$(top_srcdir)/m4/ax_check_link_flag.m4 \
+	$(top_srcdir)/m4/ax_pthread.m4 \
 	$(top_srcdir)/m4/ax_valgrind_check.m4 \
 	$(top_srcdir)/m4/ld-output-def.m4 $(top_srcdir)/m4/libtool.m4 \
 	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
@@ -265,6 +266,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREAD_CC = @PTHREAD_CC@
+PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
+PTHREAD_LIBS = @PTHREAD_LIBS@
 RANLIB = @RANLIB@
 SAFECODE_HOME = @SAFECODE_HOME@
 SED = @SED@
@@ -294,6 +298,7 @@ am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
+ax_pthread_config = @ax_pthread_config@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@

data/vendor/libsodium/src/libsodium/Makefile.am

@@ -102,6 +102,7 @@ libsodium_la_SOURCES = \
 	crypto_verify/64/ref/verify_64.c \
 	include/sodium/private/common.h \
 	include/sodium/private/curve25519_ref10.h \
+	include/sodium/private/mutex.h \
 	randombytes/randombytes.c \
 	sodium/core.c \
 	sodium/runtime.c \
@@ -117,7 +118,7 @@ libsodium_la_SOURCES += \
 	randombytes/nativeclient/randombytes_nativeclient.c
 else
 libsodium_la_SOURCES += \
-    randombytes/sysrandom/randombytes_sysrandom.c
+	randombytes/sysrandom/randombytes_sysrandom.c
 endif
 
 endif

data/vendor/libsodium/src/libsodium/Makefile.in

@@ -97,7 +97,7 @@ host_triplet = @host@
 @EMSCRIPTEN_FALSE@@NATIVECLIENT_TRUE@	randombytes/nativeclient/randombytes_nativeclient.c
 
 @EMSCRIPTEN_FALSE@@NATIVECLIENT_FALSE@am__append_3 = \
-@EMSCRIPTEN_FALSE@@NATIVECLIENT_FALSE@    randombytes/sysrandom/randombytes_sysrandom.c
+@EMSCRIPTEN_FALSE@@NATIVECLIENT_FALSE@	randombytes/sysrandom/randombytes_sysrandom.c
 
 @HAVE_TI_MODE_TRUE@am__append_4 = \
 @HAVE_TI_MODE_TRUE@	crypto_scalarmult/curve25519/donna_c64/curve25519_donna_c64.c \
@@ -161,6 +161,7 @@ ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
 am__aclocal_m4_deps = $(top_srcdir)/m4/ax_check_compile_flag.m4 \
 	$(top_srcdir)/m4/ax_check_define.m4 \
 	$(top_srcdir)/m4/ax_check_link_flag.m4 \
+	$(top_srcdir)/m4/ax_pthread.m4 \
 	$(top_srcdir)/m4/ax_valgrind_check.m4 \
 	$(top_srcdir)/m4/ld-output-def.m4 $(top_srcdir)/m4/libtool.m4 \
 	$(top_srcdir)/m4/ltoptions.m4 $(top_srcdir)/m4/ltsugar.m4 \
@@ -319,8 +320,8 @@ am__libsodium_la_SOURCES_DIST =  \
 	crypto_verify/64/ref/verify_64.c \
 	include/sodium/private/common.h \
 	include/sodium/private/curve25519_ref10.h \
-	randombytes/randombytes.c sodium/core.c sodium/runtime.c \
-	sodium/utils.c sodium/version.c \
+	include/sodium/private/mutex.h randombytes/randombytes.c \
+	sodium/core.c sodium/runtime.c sodium/utils.c sodium/version.c \
 	randombytes/salsa20/randombytes_salsa20_random.c \
 	randombytes/nativeclient/randombytes_nativeclient.c \
 	randombytes/sysrandom/randombytes_sysrandom.c \
@@ -707,6 +708,9 @@ PACKAGE_TARNAME = @PACKAGE_TARNAME@
 PACKAGE_URL = @PACKAGE_URL@
 PACKAGE_VERSION = @PACKAGE_VERSION@
 PATH_SEPARATOR = @PATH_SEPARATOR@
+PTHREAD_CC = @PTHREAD_CC@
+PTHREAD_CFLAGS = @PTHREAD_CFLAGS@
+PTHREAD_LIBS = @PTHREAD_LIBS@
 RANLIB = @RANLIB@
 SAFECODE_HOME = @SAFECODE_HOME@
 SED = @SED@
@@ -736,6 +740,7 @@ am__leading_dot = @am__leading_dot@
 am__quote = @am__quote@
 am__tar = @am__tar@
 am__untar = @am__untar@
+ax_pthread_config = @ax_pthread_config@
 bindir = @bindir@
 build = @build@
 build_alias = @build_alias@
@@ -877,11 +882,11 @@ libsodium_la_SOURCES =  \
 	crypto_verify/64/ref/verify_64.c \
 	include/sodium/private/common.h \
 	include/sodium/private/curve25519_ref10.h \
-	randombytes/randombytes.c sodium/core.c sodium/runtime.c \
-	sodium/utils.c sodium/version.c $(am__append_1) \
-	$(am__append_2) $(am__append_3) $(am__append_4) \
-	$(am__append_5) $(am__append_6) $(am__append_7) \
-	$(am__append_8) $(am__append_9)
+	include/sodium/private/mutex.h randombytes/randombytes.c \
+	sodium/core.c sodium/runtime.c sodium/utils.c sodium/version.c \
+	$(am__append_1) $(am__append_2) $(am__append_3) \
+	$(am__append_4) $(am__append_5) $(am__append_6) \
+	$(am__append_7) $(am__append_8) $(am__append_9)
 noinst_HEADERS = \
 	crypto_scalarmult/curve25519/sandy2x/consts.S \
 	crypto_scalarmult/curve25519/sandy2x/fe51_mul.S \

data/vendor/libsodium/src/libsodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c

@@ -1,6 +1,8 @@
 
 /*
- * AES256-GCM, based on original code by Romain Dolbeau
+ * AES256-GCM, based on the "Intel Carry-Less Multiplication Instruction and its Usage for Computing
+ * the GCM Mode" paper and reference code, using the aggregated reduction method.
+ * Originally adapted by Romain Dolbeau.
  */
 
 #include <errno.h>
@@ -13,14 +15,15 @@
 #include "runtime.h"
 #include "utils.h"
 
-#if defined(HAVE_WMMINTRIN_H) || \
-    (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64) || defined(_M_IX86)))
+#if (defined(HAVE_TMMINTRIN_H) && defined(HAVE_WMMINTRIN_H)) || \
+    (defined(_MSC_VER) && _MSC_VER >= 1600 && (defined(_M_X64) || defined(_M_AMD64) || defined(_M_IX86)))
 
 #pragma GCC target("ssse3")
 #pragma GCC target("aes")
 #pragma GCC target("pclmul")
 
-#include <immintrin.h>
+#include <tmmintrin.h>
+#include <wmmintrin.h>
 
 #ifndef ENOSYS
 # define ENOSYS ENXIO
@@ -49,68 +52,43 @@ typedef struct context {
 } context;
 
 static inline void
-aesni_key256_expand(const unsigned char *key, __m128 *rkeys)
+aesni_key256_expand(const unsigned char *key, __m128i * const rkeys)
 {
-    __m128 key0 = _mm_loadu_ps((const float *) (key + 0));
-    __m128 key1 = _mm_loadu_ps((const float *) (key + 16));
-    __m128 temp0, temp1, temp2, temp4;
-    int    idx = 0;
-
-    rkeys[idx++] = key0;
-    temp0 = key0;
-    temp2 = key1;
-    temp4 = _mm_setzero_ps();
-
-/* why single precision floating-point rather than integer instructions ?
-     because _mm_shuffle_ps takes two inputs, while _mm_shuffle_epi32 only
-     takes one - it doesn't perform the same computation...
-     _mm_shuffle_ps takes the lower 64 bits of the result from the first
-     operand, and the higher 64 bits of the result from the second operand
-     (in both cases, all four input floats are accessible).
-     I don't like the non-orthogonal naming scheme :-(
-
-     This is all strongly inspired by the openssl assembly code.
-  */
-#define BLOCK1(IMM)                                                 \
-    temp1 = _mm_castsi128_ps(_mm_aeskeygenassist_si128(_mm_castps_si128(temp2), IMM));\
-    rkeys[idx++] = temp2;                                           \
-    temp4 = _mm_shuffle_ps(temp4, temp0, 0x10);                     \
-    temp0 = _mm_xor_ps(temp0, temp4);                               \
-    temp4 = _mm_shuffle_ps(temp4, temp0, 0x8c);                     \
-    temp0 = _mm_xor_ps(temp0, temp4);                               \
-    temp1 = _mm_shuffle_ps(temp1, temp1, 0xff);                     \
-    temp0 = _mm_xor_ps(temp0, temp1)
-
-#define BLOCK2(IMM)                                                 \
-    temp1 = _mm_castsi128_ps(_mm_aeskeygenassist_si128(_mm_castps_si128(temp0), IMM));\
-    rkeys[idx++] = temp0;                                           \
-    temp4 = _mm_shuffle_ps(temp4, temp2, 0x10);                     \
-    temp2 = _mm_xor_ps(temp2, temp4);                               \
-    temp4 = _mm_shuffle_ps(temp4, temp2, 0x8c);                     \
-    temp2 = _mm_xor_ps(temp2, temp4);                               \
-    temp1 = _mm_shuffle_ps(temp1, temp1, 0xaa);                     \
-    temp2 = _mm_xor_ps(temp2, temp1)
-
-    BLOCK1(0x01);
-    BLOCK2(0x01);
-
-    BLOCK1(0x02);
-    BLOCK2(0x02);
-
-    BLOCK1(0x04);
-    BLOCK2(0x04);
-
-    BLOCK1(0x08);
-    BLOCK2(0x08);
-
-    BLOCK1(0x10);
-    BLOCK2(0x10);
-
-    BLOCK1(0x20);
-    BLOCK2(0x20);
-
-    BLOCK1(0x40);
-    rkeys[idx++] = temp0;
+    __m128i  X0, X1, X2, X3;
+    int      i = 0;
+
+    X0 = _mm_loadu_si128((const __m128i *) &key[0]);
+    rkeys[i++] = X0;
+
+    X2 = _mm_loadu_si128((const __m128i *) &key[16]);
+    rkeys[i++] = X2;
+
+#define EXPAND_KEY_1(S) do { \
+    X1 = _mm_shuffle_epi32(_mm_aeskeygenassist_si128(X2, (S)), 0xff); \
+    X3 = _mm_castps_si128(_mm_shuffle_ps(_mm_castsi128_ps(X3), _mm_castsi128_ps(X0), 0x10)); \
+    X0 = _mm_xor_si128(X0, X3); \
+    X3 = _mm_castps_si128(_mm_shuffle_ps(_mm_castsi128_ps(X3), _mm_castsi128_ps(X0), 0x8c)); \
+    X0 = _mm_xor_si128(_mm_xor_si128(X0, X3), X1); \
+    rkeys[i++] = X0; \
+} while (0)
+
+#define EXPAND_KEY_2(S) do { \
+    X1 = _mm_shuffle_epi32(_mm_aeskeygenassist_si128(X0, (S)), 0xaa); \
+    X3 = _mm_castps_si128(_mm_shuffle_ps(_mm_castsi128_ps(X3), _mm_castsi128_ps(X2), 0x10)); \
+    X2 = _mm_xor_si128(X2, X3); \
+    X3 = _mm_castps_si128(_mm_shuffle_ps(_mm_castsi128_ps(X3), _mm_castsi128_ps(X2), 0x8c)); \
+    X2 = _mm_xor_si128(_mm_xor_si128(X2, X3), X1); \
+    rkeys[i++] = X2; \
+} while (0)
+
+    X3 = _mm_setzero_si128();
+    EXPAND_KEY_1(0x01); EXPAND_KEY_2(0x01);
+    EXPAND_KEY_1(0x02); EXPAND_KEY_2(0x02);
+    EXPAND_KEY_1(0x04); EXPAND_KEY_2(0x04);
+    EXPAND_KEY_1(0x08); EXPAND_KEY_2(0x08);
+    EXPAND_KEY_1(0x10); EXPAND_KEY_2(0x10);
+    EXPAND_KEY_1(0x20); EXPAND_KEY_2(0x20);
+    EXPAND_KEY_1(0x40);
 }
 
 /** single, by-the-book AES encryption with AES-NI */
@@ -129,7 +107,7 @@ aesni_encrypt1(unsigned char *out, __m128i nv, const __m128i *rkeys)
 }
 
 /** multiple-blocks-at-once AES encryption with AES-NI ;
-    on Haswell, aesenc as a latency of 7 and a throughput of 1
+    on Haswell, aesenc has a latency of 7 and a throughput of 1
     so the sequence of aesenc should be bubble-free if you
     have at least 8 blocks. Let's build an arbitratry-sized
     function */
@@ -269,7 +247,7 @@ addmul(unsigned char *c, const unsigned char *a, unsigned int xlen, const unsign
     _mm_storeu_si128((__m128i *) c, tmp21);
 }
 
-/* pure multiplication, for pre-computing  powers of H */
+/* pure multiplication, for pre-computing powers of H */
 static inline __m128i
 mulv(__m128i A, __m128i B)
 {
@@ -328,19 +306,19 @@ mulv(__m128i A, __m128i B)
     tmp##a##B = _mm_xor_si128(tmp##a##B, X##a); \
     tmp##a = _mm_clmulepi64_si128(tmp##a, tmp##a##B, 0x00)
 
-#define REDUCE4(rev, H0_, H1_, H2_, H3_, X0_, X1_, X2_, X3_, accv) \
+#define MULREDUCE4(rev, H0_, H1_, H2_, H3_, X0_, X1_, X2_, X3_, accv) \
 do { \
     MAKE4(RED_DECL); \
-    __m128i       lo, hi; \
-    __m128i       tmp8, tmp9; \
-    __m128i       H0 = H0_; \
-    __m128i       H1 = H1_; \
-    __m128i       H2 = H2_; \
-    __m128i       H3 = H3_; \
-    __m128i       X0 = X0_; \
-    __m128i       X1 = X1_; \
-    __m128i       X2 = X2_; \
-    __m128i       X3 = X3_; \
+    __m128i lo, hi; \
+    __m128i tmp8, tmp9; \
+    __m128i H0 = H0_; \
+    __m128i H1 = H1_; \
+    __m128i H2 = H2_; \
+    __m128i H3 = H3_; \
+    __m128i X0 = X0_; \
+    __m128i X1 = X1_; \
+    __m128i X2 = X2_; \
+    __m128i X3 = X3_; \
 \
 /* byte-revert the inputs & xor the first one into the accumulator */ \
 \
@@ -449,8 +427,8 @@ do { \
     MAKE8(XORx); \
     MAKE8(STOREx); \
     accv_ = _mm_load_si128((const __m128i *) accum); \
-    REDUCE4(rev, hv, h2v, h3v, h4v, temp3, temp2, temp1, temp0, accv_); \
-    REDUCE4(rev, hv, h2v, h3v, h4v, temp7, temp6, temp5, temp4, accv_); \
+    MULREDUCE4(rev, hv, h2v, h3v, h4v, temp3, temp2, temp1, temp0, accv_); \
+    MULREDUCE4(rev, hv, h2v, h3v, h4v, temp7, temp6, temp5, temp4, accv_); \
     _mm_store_si128((__m128i *) accum, accv_); \
 } while(0)
 
@@ -466,8 +444,8 @@ do { \
     \
     MAKE8(LOADx); \
     accv_ = _mm_load_si128((const __m128i *) accum); \
-    REDUCE4(rev, hv, h2v, h3v, h4v, in3, in2, in1, in0, accv_); \
-    REDUCE4(rev, hv, h2v, h3v, h4v, in7, in6, in5, in4, accv_); \
+    MULREDUCE4(rev, hv, h2v, h3v, h4v, in3, in2, in1, in0, accv_); \
+    MULREDUCE4(rev, hv, h2v, h3v, h4v, in7, in6, in5, in4, accv_); \
     _mm_store_si128((__m128i *) accum, accv_); \
 } while(0)
 
@@ -502,7 +480,7 @@ crypto_aead_aes256gcm_beforenm(crypto_aead_aes256gcm_state *ctx_,
     unsigned char *H = ctx->H;
 
     (void) sizeof(int[(sizeof *ctx_) >= (sizeof *ctx) ? 1 : -1]);
-    aesni_key256_expand(k, (__m128 *) rkeys);
+    aesni_key256_expand(k, rkeys);
     aesni_encrypt1(H, zero, rkeys);
 
     return 0;
@@ -553,13 +531,13 @@ crypto_aead_aes256gcm_encrypt_detached_afternm(unsigned char *c,
     H4v = mulv(H3v, Hv);
 
     accv = _mm_setzero_si128();
-    /* unrolled by 4 GCM (by 8 doesn't improve using REDUCE4) */
+    /* unrolled by 4 GCM (by 8 doesn't improve using MULREDUCE4) */
     for (i = 0; i < adlen_rnd64; i += 64) {
         __m128i X4_ = _mm_loadu_si128((const __m128i *) (ad + i + 0));
         __m128i X3_ = _mm_loadu_si128((const __m128i *) (ad + i + 16));
         __m128i X2_ = _mm_loadu_si128((const __m128i *) (ad + i + 32));
         __m128i X1_ = _mm_loadu_si128((const __m128i *) (ad + i + 48));
-        REDUCE4(rev, Hv, H2v, H3v, H4v, X1_, X2_, X3_, X4_, accv);
+        MULREDUCE4(rev, Hv, H2v, H3v, H4v, X1_, X2_, X3_, X4_, accv);
     }
     _mm_store_si128((__m128i *) accum, accv);
 
@@ -700,7 +678,7 @@ crypto_aead_aes256gcm_decrypt_detached_afternm(unsigned char *m, unsigned char *
         __m128i X3_ = _mm_loadu_si128((const __m128i *) (ad + i + 16));
         __m128i X2_ = _mm_loadu_si128((const __m128i *) (ad + i + 32));
         __m128i X1_ = _mm_loadu_si128((const __m128i *) (ad + i + 48));
-        REDUCE4(rev, Hv, H2v, H3v, H4v, X1_, X2_, X3_, X4_, accv);
+        MULREDUCE4(rev, Hv, H2v, H3v, H4v, X1_, X2_, X3_, X4_, accv);
     }
     _mm_store_si128((__m128i *) accum, accv);
 
@@ -787,9 +765,14 @@ crypto_aead_aes256gcm_decrypt_detached_afternm(unsigned char *m, unsigned char *
             d |= (mac[i] ^ (T[i] ^ accum[15 - i]));
         }
         if (d != 0) {
-            memset(m, 0, mlen);
+            if (m != NULL) {
+                memset(m, 0, mlen);
+            }
             return -1;
         }
+        if (m == NULL) {
+            return 0;
+        }
     }
     n2[3] = 0U;
     COUNTER_INC2(n2);

data/vendor/libsodium/src/libsodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c

@@ -198,6 +198,9 @@ crypto_aead_chacha20poly1305_decrypt_detached(unsigned char *m,
     (void) sizeof(int[sizeof computed_mac == 16U ? 1 : -1]);
     ret = crypto_verify_16(computed_mac, mac);
     sodium_memzero(computed_mac, sizeof computed_mac);
+    if (m == NULL) {
+        return ret;
+    }
     if (ret != 0) {
         memset(m, 0, mlen);
         return -1;
@@ -279,6 +282,9 @@ crypto_aead_chacha20poly1305_ietf_decrypt_detached(unsigned char *m,
     (void) sizeof(int[sizeof computed_mac == 16U ? 1 : -1]);
     ret = crypto_verify_16(computed_mac, mac);
     sodium_memzero(computed_mac, sizeof computed_mac);
+    if (m == NULL) {
+        return ret;
+    }
     if (ret != 0) {
         memset(m, 0, mlen);
         return -1;

data/vendor/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-compress-avx2.c

@@ -7,7 +7,7 @@
 #include <string.h>
 
 #if (defined(HAVE_AVX2INTRIN_H) && defined(HAVE_EMMINTRIN_H) && defined(HAVE_TMMINTRIN_H) && defined(HAVE_SMMINTRIN_H)) || \
-    (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64)))
+    (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64)) && _MSC_VER >= 1700)
 
 #pragma GCC target("sse2")
 #pragma GCC target("ssse3")

data/vendor/libsodium/src/libsodium/crypto_generichash/blake2/ref/blake2b-ref.c

@@ -54,6 +54,11 @@ static inline int blake2b_clear_lastnode( blake2b_state *S )
 }
 #endif
 
+static inline int blake2b_is_lastblock( const blake2b_state *S )
+{
+  return S->f[0] != 0;
+}
+
 static inline int blake2b_set_lastblock( blake2b_state *S )
 {
   if( S->last_node ) blake2b_set_lastnode( S );
@@ -327,6 +332,9 @@ int blake2b_final( blake2b_state *S, uint8_t *out, uint8_t outlen )
   if( !outlen || outlen > BLAKE2B_OUTBYTES ) {
     abort(); /* LCOV_EXCL_LINE */
   }
+  if( blake2b_is_lastblock( S ) ) {
+    return -1;
+  }
   if( S->buflen > BLAKE2B_BLOCKBYTES )
   {
     blake2b_increment_counter( S, BLAKE2B_BLOCKBYTES );
@@ -421,7 +429,7 @@ blake2b_pick_best_implementation(void)
 {
 /* LCOV_EXCL_START */
 #if (defined(HAVE_AVX2INTRIN_H) && defined(HAVE_TMMINTRIN_H) && defined(HAVE_SMMINTRIN_H)) || \
-    (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64)))
+    (defined(_MSC_VER) && (defined(_M_X64) || defined(_M_AMD64)) && _MSC_VER >= 1700)
   if (sodium_runtime_has_avx2()) {
     blake2b_compress = blake2b_compress_avx2;
     return 0;