rbnacl-libsodium 1.0.13 → 1.0.15

data/vendor/libsodium/src/libsodium/crypto_hash/sha512/cp/hash_sha512_cp.c

@@ -222,9 +222,11 @@ crypto_hash_sha512_update(crypto_hash_sha512_state *state,
 
     bitlen[1] = ((uint64_t) inlen) << 3;
     bitlen[0] = ((uint64_t) inlen) >> 61;
+    /* LCOV_EXCL_START */
     if ((state->count[1] += bitlen[1]) < bitlen[1]) {
         state->count[0]++;
     }
+    /* LCOV_EXCL_STOP */
     state->count[0] += bitlen[0];
     if (inlen < 128 - r) {
         for (i = 0; i < inlen; i++) {

data/vendor/libsodium/src/libsodium/crypto_kx/crypto_kx.c

@@ -1,6 +1,7 @@
 
 #include <stddef.h>
 
+#include "core.h"
 #include "crypto_generichash.h"
 #include "crypto_kx.h"
 #include "crypto_scalarmult.h"
@@ -47,6 +48,9 @@ crypto_kx_client_session_keys(unsigned char rx[crypto_kx_SESSIONKEYBYTES],
     if (tx == NULL) {
         tx = rx;
     }
+    if (rx == NULL) {
+        sodium_misuse(); /* LCOV_EXCL_LINE */
+    }
     if (crypto_scalarmult(q, client_sk, server_pk) != 0) {
         return -1;
     }
@@ -85,6 +89,9 @@ crypto_kx_server_session_keys(unsigned char rx[crypto_kx_SESSIONKEYBYTES],
     if (tx == NULL) {
         tx = rx;
     }
+    if (rx == NULL) {
+        sodium_misuse(); /* LCOV_EXCL_LINE */
+    }
     if (crypto_scalarmult(q, server_sk, client_pk) != 0) {
         return -1;
     }

data/vendor/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna32.h

@@ -28,7 +28,7 @@ typedef struct poly1305_state_internal_t {
 static void
 poly1305_init(poly1305_state_internal_t *st, const unsigned char key[32])
 {
-    /* r &= 0xffffffc0ffffffc0ffffffc0fffffff */
+    /* r &= 0xffffffc0ffffffc0ffffffc0fffffff - wiped after finalization */
     st->r[0] = (LOAD32_LE(&key[0])) & 0x3ffffff;
     st->r[1] = (LOAD32_LE(&key[3]) >> 2) & 0x3ffff03;
     st->r[2] = (LOAD32_LE(&key[6]) >> 4) & 0x3ffc0ff;

data/vendor/libsodium/src/libsodium/crypto_onetimeauth/poly1305/donna/poly1305_donna64.h

@@ -46,6 +46,7 @@ poly1305_init(poly1305_state_internal_t *st, const unsigned char key[32])
     t0 = LOAD64_LE(&key[0]);
     t1 = LOAD64_LE(&key[8]);
 
+    /* wiped after finalization */
     st->r[0] = (t0) &0xffc0fffffff;
     st->r[1] = ((t0 >> 44) | (t1 << 20)) & 0xfffffc0ffff;
     st->r[2] = ((t1 >> 24)) & 0x00ffffffc0f;

data/vendor/libsodium/src/libsodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c

@@ -40,14 +40,14 @@ enum poly1305_state_flags_t {
     poly1305_final_shift8  = 4,
     poly1305_final_shift16 = 8,
     poly1305_final_r2_r    = 16, /* use [r^2,r] for the final block */
-    poly1305_final_r_1     = 32, /* use [r,1] for the final block */
+    poly1305_final_r_1     = 32  /* use [r,1] for the final block */
 };
 
 typedef struct poly1305_state_internal_t {
     union {
         uint64_t h[3];
         uint32_t hh[10];
-    };                                              /*  40 bytes  */
+    } H;                                            /*  40 bytes  */
     uint32_t           R[5];                        /*  20 bytes  */
     uint32_t           R2[5];                       /*  20 bytes  */
     uint32_t           R4[5];                       /*  20 bytes  */
@@ -120,9 +120,9 @@ poly1305_init_ext(poly1305_state_internal_t *st, const unsigned char key[32],
         bytes = ~(unsigned long long) 0;
     }
     /* H = 0 */
-    _mm_storeu_si128((xmmi *) (void *) &st->hh[0], _mm_setzero_si128());
-    _mm_storeu_si128((xmmi *) (void *) &st->hh[4], _mm_setzero_si128());
-    _mm_storeu_si128((xmmi *) (void *) &st->hh[8], _mm_setzero_si128());
+    _mm_storeu_si128((xmmi *) (void *) &st->H.hh[0], _mm_setzero_si128());
+    _mm_storeu_si128((xmmi *) (void *) &st->H.hh[4], _mm_setzero_si128());
+    _mm_storeu_si128((xmmi *) (void *) &st->H.hh[8], _mm_setzero_si128());
 
     /* clamp key */
     memcpy(&t0, key, 8);
@@ -242,9 +242,9 @@ poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m,
         bytes -= 32;
         st->flags |= poly1305_started;
     } else {
-        T0 = _mm_loadu_si128((const xmmi *) (const void *) &st->hh[0]);
-        T1 = _mm_loadu_si128((const xmmi *) (const void *) &st->hh[4]);
-        T2 = _mm_loadu_si128((const xmmi *) (const void *) &st->hh[8]);
+        T0 = _mm_loadu_si128((const xmmi *) (const void *) &st->H.hh[0]);
+        T1 = _mm_loadu_si128((const xmmi *) (const void *) &st->H.hh[4]);
+        T2 = _mm_loadu_si128((const xmmi *) (const void *) &st->H.hh[8]);
         H0 = _mm_shuffle_epi32(T0, _MM_SHUFFLE(1, 1, 0, 0));
         H1 = _mm_shuffle_epi32(T0, _MM_SHUFFLE(3, 3, 2, 2));
         H2 = _mm_shuffle_epi32(T1, _MM_SHUFFLE(1, 1, 0, 0));
@@ -684,9 +684,9 @@ poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m,
         T4 = _mm_shuffle_epi32(H4, _MM_SHUFFLE(0, 0, 2, 0));
         T0 = _mm_unpacklo_epi64(T0, T1);
         T1 = _mm_unpacklo_epi64(T2, T3);
-        _mm_storeu_si128((xmmi *) (void *) &st->hh[0], T0);
-        _mm_storeu_si128((xmmi *) (void *) &st->hh[4], T1);
-        _mm_storel_epi64((xmmi *) (void *) &st->hh[8], T4);
+        _mm_storeu_si128((xmmi *) (void *) &st->H.hh[0], T0);
+        _mm_storeu_si128((xmmi *) (void *) &st->H.hh[4], T1);
+        _mm_storel_epi64((xmmi *) (void *) &st->H.hh[8], T4);
     } else {
         uint32_t t0, t1, t2, t3, t4, b;
         uint64_t h0, h1, h2, g0, g1, g2, c, nc;
@@ -755,9 +755,9 @@ poly1305_blocks(poly1305_state_internal_t *st, const unsigned char *m,
         h1 = (h1 & nc) | (g1 & c);
         h2 = (h2 & nc) | (g2 & c);
 
-        st->h[0] = h0;
-        st->h[1] = h1;
-        st->h[2] = h2;
+        st->H.h[0] = h0;
+        st->H.h[1] = h1;
+        st->H.h[2] = h2;
     }
 }
 
@@ -833,9 +833,9 @@ poly1305_finish_ext(poly1305_state_internal_t *st, const unsigned char *m,
         poly1305_blocks(st, NULL, 32);
     }
 
-    h0 = st->h[0];
-    h1 = st->h[1];
-    h2 = st->h[2];
+    h0 = st->H.h[0];
+    h1 = st->H.h[1];
+    h2 = st->H.h[2];
 
     /* pad */
     h0 = ((h0) | (h1 << 44));

data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-core.c

@@ -36,28 +36,6 @@
 
 static fill_segment_fn fill_segment = fill_segment_ref;
 
-/***************Instance and Position constructors**********/
-void
-init_block_value(block *b, uint8_t in)
-{
-    memset(b->v, in, sizeof(b->v));
-}
-
-void
-copy_block(block *dst, const block *src)
-{
-    memcpy(dst->v, src->v, sizeof(uint64_t) * ARGON2_QWORDS_IN_BLOCK);
-}
-
-void
-xor_block(block *dst, const block *src)
-{
-    int i;
-    for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i) {
-        dst->v[i] ^= src->v[i];
-    }
-}
-
 static void
 load_block(block *dst, const void *input)
 {
@@ -105,6 +83,7 @@ allocate_memory(block_region **region, uint32_t m_cost)
     if (!*region) {
         return ARGON2_MEMORY_ALLOCATION_ERROR; /* LCOV_EXCL_LINE */
     }
+    (*region)->base = (*region)->memory = NULL;
 
 #if defined(MAP_ANON) && defined(HAVE_MMAP)
     if ((base = mmap(NULL, memory_size, PROT_READ | PROT_WRITE,
@@ -154,12 +133,18 @@ static void clear_memory(argon2_instance_t *instance, int clear);
 static void
 clear_memory(argon2_instance_t *instance, int clear)
 {
-    if (instance->region != NULL && clear) {
-        /* LCOV_EXCL_START */
-        sodium_memzero(instance->region->memory,
-                       sizeof(block) * instance->memory_blocks);
-        /* LCOV_EXCL_STOP */
+    /* LCOV_EXCL_START */
+    if (clear) {
+        if (instance->region != NULL) {
+            sodium_memzero(instance->region->memory,
+                           sizeof(block) * instance->memory_blocks);
+        }
+        if (instance->pseudo_rands != NULL) {
+            sodium_memzero(instance->pseudo_rands,
+                           sizeof(uint64_t) * instance->segment_length);
+        }
     }
+    /* LCOV_EXCL_STOP */
 }
 
 /* Deallocates memory
@@ -170,7 +155,7 @@ static void free_memory(block_region *memory);
 static void
 free_memory(block_region *region)
 {
-    if (region->base) {
+    if (region && region->base) {
 #if defined(MAP_ANON) && defined(HAVE_MMAP)
         if (munmap(region->base, region->size)) {
             return; /* LCOV_EXCL_LINE */
@@ -182,6 +167,19 @@ free_memory(block_region *region)
     free(region);
 }
 
+void
+free_instance(argon2_instance_t *instance, int flags)
+{
+    /* Clear memory */
+    clear_memory(instance, flags & ARGON2_FLAG_CLEAR_MEMORY);
+
+    /* Deallocate the memory */
+    free(instance->pseudo_rands);
+    instance->pseudo_rands = NULL;
+    free_memory(instance->region);
+    instance->region = NULL;
+}
+
 void
 finalize(const argon2_context *context, argon2_instance_t *instance)
 {
@@ -212,11 +210,7 @@ finalize(const argon2_context *context, argon2_instance_t *instance)
                            ARGON2_BLOCK_SIZE); /* clear blockhash_bytes */
         }
 
-        /* Clear memory */
-        clear_memory(instance, context->flags & ARGON2_FLAG_CLEAR_PASSWORD);
-
-        /* Deallocate the memory */
-        free_memory(instance->region);
+        free_instance(instance, context->flags);
     }
 }
 
@@ -292,14 +286,13 @@ index_alpha(const argon2_instance_t *instance,
     return absolute_position;
 }
 
-int
+void
 fill_memory_blocks(argon2_instance_t *instance)
 {
-    int      result;
     uint32_t r, s;
 
     if (instance == NULL || instance->lanes == 0) {
-        return ARGON2_OK; /* LCOV_EXCL_LINE */
+        return; /* LCOV_EXCL_LINE */
     }
 
     for (r = 0; r < instance->passes; ++r) {
@@ -313,14 +306,10 @@ fill_memory_blocks(argon2_instance_t *instance)
                 position.lane  = l;
                 position.slice = (uint8_t) s;
                 position.index = 0;
-                result         = fill_segment(instance, position);
-                if (ARGON2_OK != result) {
-                    return result; /* LCOV_EXCL_LINE */
-                }
+                fill_segment(instance, position);
             }
         }
     }
-    return ARGON2_OK;
 }
 
 int
@@ -510,10 +499,12 @@ initial_hash(uint8_t *blockhash, argon2_context *context, argon2_type type)
         crypto_generichash_blake2b_update(
             &BlakeHash, (const uint8_t *) context->pwd, context->pwdlen);
 
+        /* LCOV_EXCL_START */
         if (context->flags & ARGON2_FLAG_CLEAR_PASSWORD) {
-            sodium_memzero(context->pwd, context->pwdlen); /* LCOV_EXCL_LINE */
-            context->pwdlen = 0;                           /* LCOV_EXCL_LINE */
+            sodium_memzero(context->pwd, context->pwdlen);
+            context->pwdlen = 0;
         }
+        /* LCOV_EXCL_STOP */
     }
 
     STORE32_LE(value, context->saltlen);
@@ -527,8 +518,8 @@ initial_hash(uint8_t *blockhash, argon2_context *context, argon2_type type)
     STORE32_LE(value, context->secretlen);
     crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value));
 
+    /* LCOV_EXCL_START */
     if (context->secret != NULL) {
-        /* LCOV_EXCL_START */
         crypto_generichash_blake2b_update(
             &BlakeHash, (const uint8_t *) context->secret, context->secretlen);
 
@@ -536,18 +527,18 @@ initial_hash(uint8_t *blockhash, argon2_context *context, argon2_type type)
             sodium_memzero(context->secret, context->secretlen);
             context->secretlen = 0;
         }
-        /* LCOV_EXCL_STOP */
     }
+    /* LCOV_EXCL_STOP */
 
     STORE32_LE(value, context->adlen);
     crypto_generichash_blake2b_update(&BlakeHash, value, sizeof(value));
 
+    /* LCOV_EXCL_START */
     if (context->ad != NULL) {
-        /* LCOV_EXCL_START */
         crypto_generichash_blake2b_update(
             &BlakeHash, (const uint8_t *) context->ad, context->adlen);
-        /* LCOV_EXCL_STOP */
     }
+    /* LCOV_EXCL_STOP */
 
     crypto_generichash_blake2b_final(&BlakeHash, blockhash,
                                      ARGON2_PREHASH_DIGEST_LENGTH);
@@ -559,13 +550,20 @@ initialize(argon2_instance_t *instance, argon2_context *context)
     uint8_t blockhash[ARGON2_PREHASH_SEED_LENGTH];
     int     result = ARGON2_OK;
 
-    if (instance == NULL || context == NULL)
+    if (instance == NULL || context == NULL) {
         return ARGON2_INCORRECT_PARAMETER;
+    }
 
     /* 1. Memory allocation */
 
+    if ((instance->pseudo_rands = (uint64_t *)
+         malloc(sizeof(uint64_t) * instance->segment_length)) == NULL) {
+        return ARGON2_MEMORY_ALLOCATION_ERROR;
+    }
+
     result = allocate_memory(&(instance->region), instance->memory_blocks);
     if (ARGON2_OK != result) {
+        free_instance(instance, context->flags);
         return result;
     }
 
@@ -591,6 +589,13 @@ int
 argon2_pick_best_implementation(void)
 {
 /* LCOV_EXCL_START */
+#if defined(HAVE_AVX512FINTRIN_H) && defined(HAVE_AVX2INTRIN_H) && \
+    defined(HAVE_TMMINTRIN_H) && defined(HAVE_SMMINTRIN_H)
+    if (sodium_runtime_has_avx512f()) {
+        fill_segment = fill_segment_avx512f;
+        return 0;
+    }
+#endif
 #if defined(HAVE_AVX2INTRIN_H) && defined(HAVE_TMMINTRIN_H) && \
     defined(HAVE_SMMINTRIN_H)
     if (sodium_runtime_has_avx2()) {

data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/argon2-core.h

@@ -14,6 +14,8 @@
 #ifndef argon2_core_H
 #define argon2_core_H
 
+#include <string.h>
+
 #include "argon2.h"
 
 /*************************Argon2 internal
@@ -28,6 +30,7 @@ enum argon2_ctx_constants {
     ARGON2_QWORDS_IN_BLOCK = ARGON2_BLOCK_SIZE / 8,
     ARGON2_OWORDS_IN_BLOCK = ARGON2_BLOCK_SIZE / 16,
     ARGON2_HWORDS_IN_BLOCK = ARGON2_BLOCK_SIZE / 32,
+    ARGON2_512BIT_WORDS_IN_BLOCK = ARGON2_BLOCK_SIZE / 64,
 
     /* Number of pseudo-random values generated by one call to Blake in Argon2i
        to
@@ -60,13 +63,28 @@ typedef struct block_region_ {
 /*****************Functions that work with the block******************/
 
 /* Initialize each byte of the block with @in */
-void init_block_value(block *b, uint8_t in);
+static inline void
+init_block_value(block *b, uint8_t in)
+{
+    memset(b->v, in, sizeof(b->v));
+}
 
 /* Copy block @src to block @dst */
-void copy_block(block *dst, const block *src);
+static inline void
+copy_block(block *dst, const block *src)
+{
+    memcpy(dst->v, src->v, sizeof(uint64_t) * ARGON2_QWORDS_IN_BLOCK);
+}
 
 /* XOR @src onto @dst bytewise */
-void xor_block(block *dst, const block *src);
+static inline void
+xor_block(block *dst, const block *src)
+{
+    int i;
+    for (i = 0; i < ARGON2_QWORDS_IN_BLOCK; ++i) {
+        dst->v[i] ^= src->v[i];
+    }
+}
 
 /*
  * Argon2 instance: memory pointer, number of passes, amount of memory, type,
@@ -76,6 +94,7 @@ void xor_block(block *dst, const block *src);
  */
 typedef struct Argon2_instance_t {
     block_region *region;        /* Memory region pointer */
+    uint64_t     *pseudo_rands;
     uint32_t      passes;        /* Number of passes */
     uint32_t      memory_blocks; /* Number of blocks in memory */
     uint32_t      segment_length;
@@ -162,6 +181,11 @@ void fill_first_blocks(uint8_t *blockhash, const argon2_instance_t *instance);
  */
 int initialize(argon2_instance_t *instance, argon2_context *context);
 
+/*
+ * Deallocates memory. Used on error path.
+ */
+void free_instance(argon2_instance_t *instance, int flags);
+
 /*
  * XORing the last block of each lane, hashing it, making the tag. Deallocates
  * the memory.
@@ -182,15 +206,17 @@ void finalize(const argon2_context *context, argon2_instance_t *instance);
  * @param position Current position
  * @pre all block pointers must be valid
  */
-typedef int (*fill_segment_fn)(const argon2_instance_t *instance,
-                               argon2_position_t        position);
+typedef void (*fill_segment_fn)(const argon2_instance_t *instance,
+                                argon2_position_t        position);
 int argon2_pick_best_implementation(void);
-int fill_segment_avx2(const argon2_instance_t *instance,
-                      argon2_position_t        position);
-int fill_segment_ssse3(const argon2_instance_t *instance,
+void fill_segment_avx512f(const argon2_instance_t *instance,
+                          argon2_position_t        position);
+void fill_segment_avx2(const argon2_instance_t *instance,
                        argon2_position_t        position);
-int fill_segment_ref(const argon2_instance_t *instance,
-                     argon2_position_t        position);
+void fill_segment_ssse3(const argon2_instance_t *instance,
+                        argon2_position_t        position);
+void fill_segment_ref(const argon2_instance_t *instance,
+                      argon2_position_t        position);
 
 /*
  * Function that fills the entire memory t_cost times based on the first two
@@ -198,6 +224,6 @@ int fill_segment_ref(const argon2_instance_t *instance,
  * @param instance Pointer to the current instance
  * @return Zero if successful, -1 if memory failed to allocate
  */
-int fill_memory_blocks(argon2_instance_t *instance);
+void fill_memory_blocks(argon2_instance_t *instance);
 
 #endif