rbnacl-libsodium 1.0.13 → 1.0.15

data/vendor/libsodium/src/libsodium/crypto_pwhash/argon2/pwhash_argon2id.c

@@ -8,6 +8,7 @@
 #include "argon2-core.h"
 #include "argon2.h"
 #include "crypto_pwhash_argon2id.h"
+#include "private/common.h"
 #include "randombytes.h"
 #include "utils.h"
 
@@ -22,30 +23,36 @@ crypto_pwhash_argon2id_alg_argon2id13(void)
 size_t
 crypto_pwhash_argon2id_bytes_min(void)
 {
+    COMPILER_ASSERT(crypto_pwhash_argon2id_BYTES_MIN >= ARGON2_MIN_OUTLEN);
     return crypto_pwhash_argon2id_BYTES_MIN;
 }
 
 size_t
 crypto_pwhash_argon2id_bytes_max(void)
 {
+    COMPILER_ASSERT(crypto_pwhash_argon2id_BYTES_MAX <= ARGON2_MAX_OUTLEN);
     return crypto_pwhash_argon2id_BYTES_MAX;
 }
 
 size_t
 crypto_pwhash_argon2id_passwd_min(void)
 {
+    COMPILER_ASSERT(crypto_pwhash_argon2id_PASSWD_MIN >= ARGON2_MIN_PWD_LENGTH);
     return crypto_pwhash_argon2id_PASSWD_MIN;
 }
 
 size_t
 crypto_pwhash_argon2id_passwd_max(void)
 {
+    COMPILER_ASSERT(crypto_pwhash_argon2id_PASSWD_MAX <= ARGON2_MAX_PWD_LENGTH);
     return crypto_pwhash_argon2id_PASSWD_MAX;
 }
 
 size_t
 crypto_pwhash_argon2id_saltbytes(void)
 {
+    COMPILER_ASSERT(crypto_pwhash_argon2id_SALTBYTES >= ARGON2_MIN_SALT_LENGTH);
+    COMPILER_ASSERT(crypto_pwhash_argon2id_SALTBYTES <= ARGON2_MAX_SALT_LENGTH);
     return crypto_pwhash_argon2id_SALTBYTES;
 }
 
@@ -64,24 +71,28 @@ crypto_pwhash_argon2id_strprefix(void)
 size_t
 crypto_pwhash_argon2id_opslimit_min(void)
 {
+    COMPILER_ASSERT(crypto_pwhash_argon2id_OPSLIMIT_MIN >= ARGON2_MIN_TIME);
     return crypto_pwhash_argon2id_OPSLIMIT_MIN;
 }
 
 size_t
 crypto_pwhash_argon2id_opslimit_max(void)
 {
+    COMPILER_ASSERT(crypto_pwhash_argon2id_OPSLIMIT_MAX <= ARGON2_MAX_TIME);
     return crypto_pwhash_argon2id_OPSLIMIT_MAX;
 }
 
 size_t
 crypto_pwhash_argon2id_memlimit_min(void)
 {
+    COMPILER_ASSERT((crypto_pwhash_argon2id_MEMLIMIT_MIN / 1024U) >= ARGON2_MIN_MEMORY);
     return crypto_pwhash_argon2id_MEMLIMIT_MIN;
 }
 
 size_t
 crypto_pwhash_argon2id_memlimit_max(void)
 {
+    COMPILER_ASSERT((crypto_pwhash_argon2id_MEMLIMIT_MAX / 1024U) <= ARGON2_MAX_MEMORY);
     return crypto_pwhash_argon2id_MEMLIMIT_MAX;
 }
 
@@ -128,20 +139,29 @@ crypto_pwhash_argon2id(unsigned char *const out, unsigned long long outlen,
                        unsigned long long opslimit, size_t memlimit, int alg)
 {
     memset(out, 0, outlen);
-    memlimit /= 1024U;
-    if (outlen > ARGON2_MAX_OUTLEN || passwdlen > ARGON2_MAX_PWD_LENGTH ||
-        opslimit > ARGON2_MAX_TIME || memlimit > ARGON2_MAX_MEMORY) {
+    if (outlen > crypto_pwhash_argon2id_BYTES_MAX) {
         errno = EFBIG;
         return -1;
     }
-    if (outlen < ARGON2_MIN_OUTLEN || passwdlen < ARGON2_MIN_PWD_LENGTH ||
-        opslimit < ARGON2_MIN_TIME || memlimit < ARGON2_MIN_MEMORY) {
+    if (outlen < crypto_pwhash_argon2id_BYTES_MIN) {
+        errno = EINVAL;
+        return -1;
+    }
+    if (passwdlen > crypto_pwhash_argon2id_PASSWD_MAX ||
+        opslimit > crypto_pwhash_argon2id_OPSLIMIT_MAX ||
+        memlimit > crypto_pwhash_argon2id_MEMLIMIT_MAX) {
+        errno = EFBIG;
+        return -1;
+    }
+    if (passwdlen < crypto_pwhash_argon2id_PASSWD_MIN ||
+        opslimit < crypto_pwhash_argon2id_OPSLIMIT_MIN ||
+        memlimit < crypto_pwhash_argon2id_MEMLIMIT_MIN) {
         errno = EINVAL;
         return -1;
     }
     switch (alg) {
     case crypto_pwhash_argon2id_ALG_ARGON2ID13:
-        if (argon2id_hash_raw((uint32_t) opslimit, (uint32_t) memlimit,
+        if (argon2id_hash_raw((uint32_t) opslimit, (uint32_t) (memlimit / 1024U),
                               (uint32_t) 1U, passwd, (size_t) passwdlen, salt,
                               (size_t) crypto_pwhash_argon2id_SALTBYTES, out,
                               (size_t) outlen) != ARGON2_OK) {
@@ -163,19 +183,20 @@ crypto_pwhash_argon2id_str(char out[crypto_pwhash_argon2id_STRBYTES],
     unsigned char salt[crypto_pwhash_argon2id_SALTBYTES];
 
     memset(out, 0, crypto_pwhash_argon2id_STRBYTES);
-    memlimit /= 1024U;
-    if (passwdlen > ARGON2_MAX_PWD_LENGTH || opslimit > ARGON2_MAX_TIME ||
-        memlimit > ARGON2_MAX_MEMORY) {
+    if (passwdlen > crypto_pwhash_argon2id_PASSWD_MAX ||
+        opslimit > crypto_pwhash_argon2id_OPSLIMIT_MAX ||
+        memlimit > crypto_pwhash_argon2id_MEMLIMIT_MAX) {
         errno = EFBIG;
         return -1;
     }
-    if (passwdlen < ARGON2_MIN_PWD_LENGTH || opslimit < ARGON2_MIN_TIME ||
-        memlimit < ARGON2_MIN_MEMORY) {
+    if (passwdlen < crypto_pwhash_argon2id_PASSWD_MIN ||
+        opslimit < crypto_pwhash_argon2id_OPSLIMIT_MIN ||
+        memlimit < crypto_pwhash_argon2id_MEMLIMIT_MIN) {
         errno = EINVAL;
         return -1;
     }
     randombytes_buf(salt, sizeof salt);
-    if (argon2id_hash_encoded((uint32_t) opslimit, (uint32_t) memlimit,
+    if (argon2id_hash_encoded((uint32_t) opslimit, (uint32_t) (memlimit / 1024U),
                               (uint32_t) 1U, passwd, (size_t) passwdlen, salt,
                               sizeof salt, STR_HASHBYTES, out,
                               crypto_pwhash_argon2id_STRBYTES) != ARGON2_OK) {
@@ -191,12 +212,12 @@ crypto_pwhash_argon2id_str_verify(const char str[crypto_pwhash_argon2id_STRBYTES
 {
     int verify_ret;
 
-    if (passwdlen > ARGON2_MAX_PWD_LENGTH) {
+    if (passwdlen > crypto_pwhash_argon2id_PASSWD_MAX) {
         errno = EFBIG;
         return -1;
     }
     /* LCOV_EXCL_START */
-    if (passwdlen < ARGON2_MIN_PWD_LENGTH) {
+    if (passwdlen < crypto_pwhash_argon2id_PASSWD_MIN) {
         errno = EINVAL;
         return -1;
     }

data/vendor/libsodium/src/libsodium/crypto_pwhash/crypto_pwhash.c

@@ -2,6 +2,7 @@
 #include <errno.h>
 #include <string.h>
 
+#include "core.h"
 #include "crypto_pwhash.h"
 
 int
@@ -19,7 +20,7 @@ crypto_pwhash_alg_argon2id13(void)
 int
 crypto_pwhash_alg_default(void)
 {
-    return crypto_pwhash_ALG_ARGON2I13;
+    return crypto_pwhash_ALG_DEFAULT;
 }
 
 size_t
@@ -131,10 +132,12 @@ crypto_pwhash(unsigned char * const out, unsigned long long outlen,
               unsigned long long opslimit, size_t memlimit, int alg)
 {
     switch (alg) {
-    case crypto_pwhash_ALG_ARGON2ID13:
     case crypto_pwhash_ALG_ARGON2I13:
         return crypto_pwhash_argon2i(out, outlen, passwd, passwdlen, salt,
                                      opslimit, memlimit, alg);
+    case crypto_pwhash_ALG_ARGON2ID13:
+        return crypto_pwhash_argon2id(out, outlen, passwd, passwdlen, salt,
+                                      opslimit, memlimit, alg);
     default:
         errno = EINVAL;
         return -1;
@@ -146,8 +149,25 @@ crypto_pwhash_str(char out[crypto_pwhash_STRBYTES],
                   const char * const passwd, unsigned long long passwdlen,
                   unsigned long long opslimit, size_t memlimit)
 {
-    return crypto_pwhash_argon2i_str(out, passwd, passwdlen,
-                                     opslimit, memlimit);
+    return crypto_pwhash_argon2id_str(out, passwd, passwdlen,
+                                      opslimit, memlimit);
+}
+
+int
+crypto_pwhash_str_alg(char out[crypto_pwhash_STRBYTES],
+                      const char * const passwd, unsigned long long passwdlen,
+                      unsigned long long opslimit, size_t memlimit, int alg)
+{
+    switch (alg) {
+    case crypto_pwhash_ALG_ARGON2I13:
+        return crypto_pwhash_argon2i_str(out, passwd, passwdlen,
+                                         opslimit, memlimit);
+    case crypto_pwhash_ALG_ARGON2ID13:
+        return crypto_pwhash_argon2id_str(out, passwd, passwdlen,
+                                          opslimit, memlimit);
+    }
+    sodium_misuse();
+    /* NOTREACHED */
 }
 
 int
@@ -168,6 +188,23 @@ crypto_pwhash_str_verify(const char str[crypto_pwhash_STRBYTES],
     return -1;
 }
 
+int
+crypto_pwhash_str_needs_rehash(const char str[crypto_pwhash_STRBYTES],
+                               unsigned long long opslimit, size_t memlimit)
+{
+    if (strncmp(str, crypto_pwhash_argon2id_STRPREFIX,
+                sizeof crypto_pwhash_argon2id_STRPREFIX - 1) == 0) {
+        return crypto_pwhash_argon2id_str_needs_rehash(str, opslimit, memlimit);
+    }
+    if (strncmp(str, crypto_pwhash_argon2i_STRPREFIX,
+                sizeof crypto_pwhash_argon2i_STRPREFIX - 1) == 0) {
+        return crypto_pwhash_argon2i_str_needs_rehash(str, opslimit, memlimit);
+    }
+    errno = EINVAL;
+
+    return -1;
+}
+
 const char *
 crypto_pwhash_primitive(void) {
     return crypto_pwhash_PRIMITIVE;

data/vendor/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c

@@ -105,6 +105,34 @@ decode64_uint32(uint32_t *dst, uint32_t dstbits, const uint8_t *src)
     return src;
 }
 
+const uint8_t *
+escrypt_parse_setting(const uint8_t *setting,
+                      uint32_t *N_log2_p, uint32_t *r_p, uint32_t *p_p)
+{
+    const uint8_t *src;
+
+    if (setting[0] != '$' || setting[1] != '7' || setting[2] != '$') {
+        return NULL;
+    }
+    src = setting + 3;
+
+    if (decode64_one(N_log2_p, *src)) {
+        return NULL;
+    }
+    src++;
+
+    src = decode64_uint32(r_p, 30, src);
+    if (!src) {
+        return NULL;
+    }
+
+    src = decode64_uint32(p_p, 30, src);
+    if (!src) {
+        return NULL;
+    }
+    return src;
+}
+
 uint8_t *
 escrypt_r(escrypt_local_t *local, const uint8_t *passwd, size_t passwdlen,
           const uint8_t *setting, uint8_t *buf, size_t buflen)
@@ -122,25 +150,11 @@ escrypt_r(escrypt_local_t *local, const uint8_t *passwd, size_t passwdlen,
     uint32_t       r;
     uint32_t       p;
 
-    if (setting[0] != '$' || setting[1] != '7' || setting[2] != '$') {
-        return NULL;
-    }
-    src = setting + 3;
-
-    if (decode64_one(&N_log2, *src)) {
-        return NULL;
-    }
-    src++;
-    N = (uint64_t) 1 << N_log2;
-
-    src = decode64_uint32(&r, 30, src);
-    if (!src) {
-        return NULL;
-    }
-    src = decode64_uint32(&p, 30, src);
+    src = escrypt_parse_setting(setting, &N_log2, &r, &p);
     if (!src) {
         return NULL;
     }
+    N = (uint64_t) 1 << N_log2;
     prefixlen = src - setting;
 
     salt = src;
@@ -195,7 +209,7 @@ escrypt_gensalt_r(uint32_t N_log2, uint32_t r, uint32_t p, const uint8_t *src,
         return NULL; /* LCOV_EXCL_LINE */
     }
     if (N_log2 > 63 || ((uint64_t) r * (uint64_t) p >= (1U << 30))) {
-        return NULL;
+        return NULL; /* LCOV_EXCL_LINE */
     }
     dst    = buf;
     *dst++ = '$';

data/vendor/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt.h

@@ -91,4 +91,8 @@ extern uint8_t *escrypt_gensalt_r(uint32_t __N_log2, uint32_t __r, uint32_t __p,
                                   const uint8_t *__src, size_t __srclen,
                                   uint8_t *__buf, size_t __buflen);
 
+extern const uint8_t *escrypt_parse_setting(const uint8_t *setting,
+                                            uint32_t *N_log2_p, uint32_t *r_p,
+                                            uint32_t *p_p);
+
 #endif /* !_CRYPTO_SCRYPT_H_ */

data/vendor/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c

@@ -31,7 +31,9 @@
 
 #include <sys/types.h>
 
+#include "core.h"
 #include "crypto_auth_hmacsha256.h"
+#include "crypto_pwhash_scryptsalsa208sha256.h"
 #include "pbkdf2-sha256.h"
 #include "private/common.h"
 #include "utils.h"
@@ -55,8 +57,10 @@ PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt,
     size_t                       clen;
 
 #if SIZE_MAX > 0x1fffffffe0ULL
+    COMPILER_ASSERT(crypto_pwhash_scryptsalsa208sha256_BYTES_MAX
+                    <= 0x1fffffffe0ULL);
     if (dkLen > 0x1fffffffe0ULL) {
-        abort();
+        sodium_misuse(); /* LCOV_EXCL_LINE */
     }
 #endif
     crypto_auth_hmacsha256_init(&PShctx, passwd, passwdlen);

data/vendor/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c

@@ -27,7 +27,7 @@ pickparams(unsigned long long opslimit, const size_t memlimit,
     }
     *r = 8;
     if (opslimit < memlimit / 32) {
-        *p   = 1;
+        *p = 1;
         maxN = opslimit / (*r * 4);
         for (*N_log2 = 1; *N_log2 < 63; *N_log2 += 1) {
             if ((uint64_t)(1) << *N_log2 > maxN / 2) {
@@ -254,3 +254,32 @@ crypto_pwhash_scryptsalsa208sha256_str_verify(
 
     return ret;
 }
+
+int
+crypto_pwhash_scryptsalsa208sha256_str_needs_rehash(
+    const char str[crypto_pwhash_scryptsalsa208sha256_STRBYTES],
+    unsigned long long opslimit, size_t memlimit)
+{
+    uint32_t N_log2, N_log2_;
+    uint32_t p, p_;
+    uint32_t r, r_;
+
+    if (pickparams(opslimit, memlimit, &N_log2, &p, &r) != 0) {
+        errno = EINVAL;
+        return -1;
+    }
+    if (memchr(str, 0, crypto_pwhash_scryptsalsa208sha256_STRBYTES) !=
+        &str[crypto_pwhash_scryptsalsa208sha256_STRBYTES - 1U]) {
+        errno = EINVAL;
+        return -1;
+    }
+    if (escrypt_parse_setting((const uint8_t *) str,
+                              &N_log2_, &r_, &p_) == NULL) {
+        errno = EINVAL;
+        return -1;
+    }
+    if (N_log2 != N_log2_ || r != r_ || p != p_) {
+        return 1;
+    }
+    return 0;
+}

data/vendor/libsodium/src/libsodium/crypto_pwhash/scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c

@@ -318,10 +318,12 @@ escrypt_kdf_sse(escrypt_local_t *local, const uint8_t *passwd, size_t passwdlen,
 
 /* Sanity-check parameters. */
 # if SIZE_MAX > UINT32_MAX
+/* LCOV_EXCL_START */
     if (buflen > (((uint64_t)(1) << 32) - 1) * 32) {
         errno = EFBIG;
         return -1;
     }
+/* LCOV_EXCL_END */
 # endif
     if ((uint64_t)(r) * (uint64_t)(p) >= ((uint64_t) 1 << 30)) {
         errno = EFBIG;
@@ -339,6 +341,7 @@ escrypt_kdf_sse(escrypt_local_t *local, const uint8_t *passwd, size_t passwdlen,
         errno = EINVAL;
         return -1;
     }
+/* LCOV_EXCL_START */
     if ((r > SIZE_MAX / 128 / p) ||
 # if SIZE_MAX / 256 <= UINT32_MAX
         (r > SIZE_MAX / 256) ||
@@ -347,21 +350,26 @@ escrypt_kdf_sse(escrypt_local_t *local, const uint8_t *passwd, size_t passwdlen,
         errno = ENOMEM;
         return -1;
     }
+/* LCOV_EXCL_END */
 
     /* Allocate memory. */
     B_size = (size_t) 128 * r * p;
     V_size = (size_t) 128 * r * N;
     need   = B_size + V_size;
+/* LCOV_EXCL_START */
     if (need < V_size) {
         errno = ENOMEM;
         return -1;
     }
+/* LCOV_EXCL_END */
     XY_size = (size_t) 256 * r + 64;
     need += XY_size;
+/* LCOV_EXCL_START */
     if (need < XY_size) {
         errno = ENOMEM;
         return -1;
     }
+/* LCOV_EXCL_END */
     if (local->size < need) {
         if (free_region(local)) {
             return -1; /* LCOV_EXCL_LINE */

data/vendor/libsodium/src/libsodium/crypto_scalarmult/curve25519/scalarmult_curve25519.c

@@ -20,11 +20,11 @@ int
 crypto_scalarmult_curve25519(unsigned char *q, const unsigned char *n,
                              const unsigned char *p)
 {
-    size_t        i;
-    unsigned char d = 0;
+    size_t                 i;
+    volatile unsigned char d = 0;
 
     if (implementation->mult(q, n, p) != 0) {
-        return -1;
+        return -1; /* LCOV_EXCL_LINE */
     }
     for (i = 0; i < crypto_scalarmult_curve25519_BYTES; i++) {
         d |= q[i];

data/vendor/libsodium/src/libsodium/crypto_secretbox/crypto_secretbox.c

@@ -32,6 +32,12 @@ crypto_secretbox_macbytes(void)
     return crypto_secretbox_MACBYTES;
 }
 
+size_t
+crypto_secretbox_messagebytes_max(void)
+{
+    return crypto_secretbox_MESSAGEBYTES_MAX;
+}
+
 const char *
 crypto_secretbox_primitive(void)
 {