rbnacl-libsodium 1.0.13 → 1.0.15

data/vendor/libsodium/src/libsodium/crypto_secretbox/crypto_secretbox_easy.c

@@ -5,6 +5,7 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include "core.h"
 #include "crypto_core_hsalsa20.h"
 #include "crypto_onetimeauth_poly1305.h"
 #include "crypto_secretbox.h"
@@ -29,7 +30,7 @@ crypto_secretbox_detached(unsigned char *c, unsigned char *mac,
     if (((uintptr_t) c > (uintptr_t) m &&
          (uintptr_t) c - (uintptr_t) m < mlen) ||
         ((uintptr_t) m > (uintptr_t) c &&
-         (uintptr_t) m - (uintptr_t) c < mlen)) {
+         (uintptr_t) m - (uintptr_t) c < mlen)) { /* LCOV_EXCL_LINE */
         memmove(c, m, mlen);
         m = c;
     }
@@ -71,8 +72,8 @@ crypto_secretbox_easy(unsigned char *c, const unsigned char *m,
                       unsigned long long mlen, const unsigned char *n,
                       const unsigned char *k)
 {
-    if (mlen > SIZE_MAX - crypto_secretbox_MACBYTES) {
-        return -1;
+    if (mlen > crypto_secretbox_MESSAGEBYTES_MAX) {
+        sodium_misuse();
     }
     return crypto_secretbox_detached(c + crypto_secretbox_MACBYTES,
                                      c, m, mlen, n, k);
@@ -103,7 +104,7 @@ crypto_secretbox_open_detached(unsigned char *m, const unsigned char *c,
     if (((uintptr_t) c >= (uintptr_t) m &&
          (uintptr_t) c - (uintptr_t) m < clen) ||
         ((uintptr_t) m >= (uintptr_t) c &&
-         (uintptr_t) m - (uintptr_t) c < clen)) {
+         (uintptr_t) m - (uintptr_t) c < clen)) { /* LCOV_EXCL_LINE */
         memmove(m, c, clen);
         c = m;
     }

data/vendor/libsodium/src/libsodium/crypto_secretbox/xchacha20poly1305/secretbox_xchacha20poly1305.c

@@ -5,6 +5,7 @@
 #include <stdlib.h>
 #include <string.h>
 
+#include "core.h"
 #include "crypto_core_hchacha20.h"
 #include "crypto_onetimeauth_poly1305.h"
 #include "crypto_secretbox_xchacha20poly1305.h"
@@ -33,7 +34,7 @@ crypto_secretbox_xchacha20poly1305_detached(unsigned char *c,
     if (((uintptr_t) c > (uintptr_t) m &&
          (uintptr_t) c - (uintptr_t) m < mlen) ||
         ((uintptr_t) m > (uintptr_t) c &&
-         (uintptr_t) m - (uintptr_t) c < mlen)) {
+         (uintptr_t) m - (uintptr_t) c < mlen)) { /* LCOV_EXCL_LINE */
         memmove(c, m, mlen);
         m = c;
     }
@@ -77,8 +78,8 @@ crypto_secretbox_xchacha20poly1305_easy(unsigned char *c,
                                         const unsigned char *n,
                                         const unsigned char *k)
 {
-    if (mlen > SIZE_MAX - crypto_secretbox_xchacha20poly1305_MACBYTES) {
-        return -1;
+    if (mlen > crypto_secretbox_xchacha20poly1305_MESSAGEBYTES_MAX) {
+        sodium_misuse();
     }
     return crypto_secretbox_xchacha20poly1305_detached
         (c + crypto_secretbox_xchacha20poly1305_MACBYTES, c, m, mlen, n, k);
@@ -110,7 +111,7 @@ crypto_secretbox_xchacha20poly1305_open_detached(unsigned char *m,
     if (((uintptr_t) c >= (uintptr_t) m &&
          (uintptr_t) c - (uintptr_t) m < clen) ||
         ((uintptr_t) m >= (uintptr_t) c &&
-         (uintptr_t) m - (uintptr_t) c < clen)) {
+         (uintptr_t) m - (uintptr_t) c < clen)) { /* LCOV_EXCL_LINE */
         memmove(m, c, clen);
         c = m;
     }
@@ -168,3 +169,9 @@ crypto_secretbox_xchacha20poly1305_macbytes(void)
 {
     return crypto_secretbox_xchacha20poly1305_MACBYTES;
 }
+
+size_t
+crypto_secretbox_xchacha20poly1305_messagebytes_max(void)
+{
+    return crypto_secretbox_xchacha20poly1305_MESSAGEBYTES_MAX;
+}

data/vendor/libsodium/src/libsodium/crypto_secretbox/xsalsa20poly1305/secretbox_xsalsa20poly1305.c

@@ -76,6 +76,12 @@ crypto_secretbox_xsalsa20poly1305_macbytes(void)
     return crypto_secretbox_xsalsa20poly1305_MACBYTES;
 }
 
+size_t
+crypto_secretbox_xsalsa20poly1305_messagebytes_max(void)
+{
+    return crypto_secretbox_xsalsa20poly1305_MESSAGEBYTES_MAX;
+}
+
 void
 crypto_secretbox_xsalsa20poly1305_keygen(unsigned char k[crypto_secretbox_xsalsa20poly1305_KEYBYTES])
 {

data/vendor/libsodium/src/libsodium/crypto_secretstream/xchacha20poly1305/secretstream_xchacha20poly1305.c

@@ -0,0 +1,311 @@
+#include <stdint.h>
+#include <stdlib.h>
+#include <limits.h>
+#include <string.h>
+
+#include "core.h"
+#include "crypto_aead_chacha20poly1305.h"
+#include "crypto_aead_xchacha20poly1305.h"
+#include "crypto_core_hchacha20.h"
+#include "crypto_onetimeauth_poly1305.h"
+#include "crypto_secretstream_xchacha20poly1305.h"
+#include "randombytes.h"
+#include "utils.h"
+
+#include "private/common.h"
+
+#define crypto_secretstream_xchacha20poly1305_COUNTERBYTES  4U
+#define crypto_secretstream_xchacha20poly1305_INONCEBYTES   8U
+
+#define STATE_COUNTER(STATE) ((STATE)->nonce)
+#define STATE_INONCE(STATE)  ((STATE)->nonce + \
+                              crypto_secretstream_xchacha20poly1305_COUNTERBYTES)
+
+static const unsigned char _pad0[16] = { 0 };
+
+static inline void
+_crypto_secretstream_xchacha20poly1305_counter_reset
+    (crypto_secretstream_xchacha20poly1305_state *state)
+{
+    memset(STATE_COUNTER(state), 0,
+           crypto_secretstream_xchacha20poly1305_COUNTERBYTES);
+    STATE_COUNTER(state)[0] = 1;
+}
+
+void
+crypto_secretstream_xchacha20poly1305_keygen
+   (unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES])
+{
+    randombytes_buf(k, crypto_secretstream_xchacha20poly1305_KEYBYTES);
+}
+
+int
+crypto_secretstream_xchacha20poly1305_init_push
+   (crypto_secretstream_xchacha20poly1305_state *state,
+    unsigned char out[crypto_secretstream_xchacha20poly1305_HEADERBYTES],
+    const unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES])
+{
+    COMPILER_ASSERT(crypto_secretstream_xchacha20poly1305_HEADERBYTES ==
+                    crypto_core_hchacha20_INPUTBYTES +
+                    crypto_secretstream_xchacha20poly1305_INONCEBYTES);
+    COMPILER_ASSERT(crypto_secretstream_xchacha20poly1305_HEADERBYTES ==
+                    crypto_aead_xchacha20poly1305_ietf_NPUBBYTES);
+    COMPILER_ASSERT(sizeof state->nonce ==
+                    crypto_secretstream_xchacha20poly1305_INONCEBYTES +
+                    crypto_secretstream_xchacha20poly1305_COUNTERBYTES);
+
+    randombytes_buf(out, crypto_secretstream_xchacha20poly1305_HEADERBYTES);
+    crypto_core_hchacha20(state->k, out, k, NULL);
+    _crypto_secretstream_xchacha20poly1305_counter_reset(state);
+    memcpy(STATE_INONCE(state), out + crypto_core_hchacha20_INPUTBYTES,
+           crypto_secretstream_xchacha20poly1305_INONCEBYTES);
+    memset(state->_pad, 0, sizeof state->_pad);
+
+    return 0;
+}
+
+int
+crypto_secretstream_xchacha20poly1305_init_pull
+   (crypto_secretstream_xchacha20poly1305_state *state,
+    const unsigned char in[crypto_secretstream_xchacha20poly1305_HEADERBYTES],
+    const unsigned char k[crypto_secretstream_xchacha20poly1305_KEYBYTES])
+{
+    crypto_core_hchacha20(state->k, in, k, NULL);
+    _crypto_secretstream_xchacha20poly1305_counter_reset(state);
+    memcpy(STATE_INONCE(state), in + crypto_core_hchacha20_INPUTBYTES,
+           crypto_secretstream_xchacha20poly1305_INONCEBYTES);
+    memset(state->_pad, 0, sizeof state->_pad);
+
+    return 0;
+}
+
+void
+crypto_secretstream_xchacha20poly1305_rekey
+    (crypto_secretstream_xchacha20poly1305_state *state)
+{
+    unsigned char new_key_and_inonce[crypto_stream_chacha20_ietf_KEYBYTES +
+                                     crypto_secretstream_xchacha20poly1305_INONCEBYTES];
+    size_t        i;
+
+    for (i = 0U; i < crypto_stream_chacha20_ietf_KEYBYTES; i++) {
+        new_key_and_inonce[i] = state->k[i];
+    }
+    for (i = 0U; i < crypto_secretstream_xchacha20poly1305_INONCEBYTES; i++) {
+        new_key_and_inonce[crypto_stream_chacha20_ietf_KEYBYTES + i] =
+            STATE_INONCE(state)[i];
+    }
+    crypto_stream_chacha20_ietf_xor(new_key_and_inonce, new_key_and_inonce,
+                                    sizeof new_key_and_inonce,
+                                    state->nonce, state->k);
+    for (i = 0U; i < crypto_stream_chacha20_ietf_KEYBYTES; i++) {
+        state->k[i] = new_key_and_inonce[i];
+    }
+    for (i = 0U; i < crypto_secretstream_xchacha20poly1305_INONCEBYTES; i++) {
+        STATE_INONCE(state)[i] =
+            new_key_and_inonce[crypto_stream_chacha20_ietf_KEYBYTES + i];
+    }
+    _crypto_secretstream_xchacha20poly1305_counter_reset(state);
+}
+
+int
+crypto_secretstream_xchacha20poly1305_push
+   (crypto_secretstream_xchacha20poly1305_state *state,
+    unsigned char *out, unsigned long long *outlen_p,
+    const unsigned char *m, unsigned long long mlen,
+    const unsigned char *ad, unsigned long long adlen, unsigned char tag)
+{
+    crypto_onetimeauth_poly1305_state poly1305_state;
+    unsigned char                     block[64U];
+    unsigned char                     slen[8U];
+    unsigned char                    *c;
+    unsigned char                    *mac;
+
+    if (outlen_p != NULL) {
+        *outlen_p = 0U;
+    }
+    if (mlen > crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX) {
+        sodium_misuse();
+    }
+    crypto_stream_chacha20_ietf(block, sizeof block, state->nonce, state->k);
+    crypto_onetimeauth_poly1305_init(&poly1305_state, block);
+    sodium_memzero(block, sizeof block);
+
+    crypto_onetimeauth_poly1305_update(&poly1305_state, ad, adlen);
+    crypto_onetimeauth_poly1305_update(&poly1305_state, _pad0,
+                                       (0x10 - adlen) & 0xf);
+    memset(block, 0, sizeof block);
+    block[0] = tag;
+
+    crypto_stream_chacha20_ietf_xor_ic(block, block, sizeof block,
+                                       state->nonce, 1U, state->k);
+    crypto_onetimeauth_poly1305_update(&poly1305_state, block, sizeof block);
+    out[0] = block[0];
+
+    c = out + (sizeof tag);
+    crypto_stream_chacha20_ietf_xor_ic(c, m, mlen, state->nonce, 2U, state->k);
+    crypto_onetimeauth_poly1305_update(&poly1305_state, c, mlen);
+    crypto_onetimeauth_poly1305_update
+        (&poly1305_state, _pad0, (0x10 - (sizeof block) + mlen) & 0xf);
+
+    STORE64_LE(slen, (uint64_t) adlen);
+    crypto_onetimeauth_poly1305_update(&poly1305_state, slen, sizeof slen);
+    STORE64_LE(slen, (sizeof block) + mlen);
+    crypto_onetimeauth_poly1305_update(&poly1305_state, slen, sizeof slen);
+
+    mac = c + mlen;
+    crypto_onetimeauth_poly1305_final(&poly1305_state, mac);
+    sodium_memzero(&poly1305_state, sizeof poly1305_state);
+
+    COMPILER_ASSERT(crypto_onetimeauth_poly1305_BYTES >=
+                    crypto_secretstream_xchacha20poly1305_INONCEBYTES);
+    XOR_BUF(STATE_INONCE(state), mac,
+            crypto_secretstream_xchacha20poly1305_INONCEBYTES);
+    sodium_increment(STATE_COUNTER(state),
+                     crypto_secretstream_xchacha20poly1305_COUNTERBYTES);
+    if ((tag & crypto_secretstream_xchacha20poly1305_TAG_REKEY) != 0 ||
+        sodium_is_zero(STATE_COUNTER(state),
+                       crypto_secretstream_xchacha20poly1305_COUNTERBYTES)) {
+        crypto_secretstream_xchacha20poly1305_rekey(state);
+    }
+    if (outlen_p != NULL) {
+        *outlen_p = crypto_secretstream_xchacha20poly1305_ABYTES + mlen;
+    }
+    return 0;
+}
+
+int
+crypto_secretstream_xchacha20poly1305_pull
+   (crypto_secretstream_xchacha20poly1305_state *state,
+    unsigned char *m, unsigned long long *mlen_p, unsigned char *tag_p,
+    const unsigned char *in, unsigned long long inlen,
+    const unsigned char *ad, unsigned long long adlen)
+{
+    crypto_onetimeauth_poly1305_state poly1305_state;
+    unsigned char                     block[64U];
+    unsigned char                     slen[8U];
+    unsigned char                     mac[crypto_onetimeauth_poly1305_BYTES];
+    const unsigned char              *c;
+    const unsigned char              *stored_mac;
+    unsigned long long                mlen;
+    unsigned char                     tag;
+
+    if (mlen_p != NULL) {
+        *mlen_p = 0U;
+    }
+    if (tag_p != NULL) {
+        *tag_p = 0xff;
+    }
+    if (inlen < crypto_secretstream_xchacha20poly1305_ABYTES) {
+        return -1;
+    }
+    mlen = inlen - crypto_secretstream_xchacha20poly1305_ABYTES;
+    if (mlen > crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX) {
+        sodium_misuse();
+    }
+    crypto_stream_chacha20_ietf(block, sizeof block, state->nonce, state->k);
+    crypto_onetimeauth_poly1305_init(&poly1305_state, block);
+    sodium_memzero(block, sizeof block);
+
+    crypto_onetimeauth_poly1305_update(&poly1305_state, ad, adlen);
+    crypto_onetimeauth_poly1305_update(&poly1305_state, _pad0,
+                                       (0x10 - adlen) & 0xf);
+
+    memset(block, 0, sizeof block);
+    block[0] = in[0];
+    crypto_stream_chacha20_ietf_xor_ic(block, block, sizeof block,
+                                       state->nonce, 1U, state->k);
+    tag = block[0];
+    block[0] = in[0];
+    crypto_onetimeauth_poly1305_update(&poly1305_state, block, sizeof block);
+
+    c = in + (sizeof tag);
+    crypto_onetimeauth_poly1305_update(&poly1305_state, c, mlen);
+    crypto_onetimeauth_poly1305_update
+        (&poly1305_state, _pad0, (0x10 - (sizeof block) + mlen) & 0xf);
+
+    STORE64_LE(slen, (uint64_t) adlen);
+    crypto_onetimeauth_poly1305_update(&poly1305_state, slen, sizeof slen);
+    STORE64_LE(slen, (sizeof block) + mlen);
+    crypto_onetimeauth_poly1305_update(&poly1305_state, slen, sizeof slen);
+
+    crypto_onetimeauth_poly1305_final(&poly1305_state, mac);
+    sodium_memzero(&poly1305_state, sizeof poly1305_state);
+
+    stored_mac = c + mlen;
+    if (sodium_memcmp(mac, stored_mac, sizeof mac) != 0) {
+        sodium_memzero(mac, sizeof mac);
+        return -1;
+    }
+
+    crypto_stream_chacha20_ietf_xor_ic(m, c, mlen, state->nonce, 2U, state->k);
+    XOR_BUF(STATE_INONCE(state), mac,
+            crypto_secretstream_xchacha20poly1305_INONCEBYTES);
+    sodium_increment(STATE_COUNTER(state),
+                     crypto_secretstream_xchacha20poly1305_COUNTERBYTES);
+    if ((tag & crypto_secretstream_xchacha20poly1305_TAG_REKEY) != 0 ||
+        sodium_is_zero(STATE_COUNTER(state),
+                       crypto_secretstream_xchacha20poly1305_COUNTERBYTES)) {
+        crypto_secretstream_xchacha20poly1305_rekey(state);
+    }
+    if (mlen_p != NULL) {
+        *mlen_p = mlen;
+    }
+    if (tag_p != NULL) {
+        *tag_p = tag;
+    }
+    return 0;
+}
+
+size_t
+crypto_secretstream_xchacha20poly1305_statebytes(void)
+{
+    return sizeof(crypto_secretstream_xchacha20poly1305_state);
+}
+
+size_t
+crypto_secretstream_xchacha20poly1305_abytes(void)
+{
+    return crypto_secretstream_xchacha20poly1305_ABYTES;
+}
+
+size_t
+crypto_secretstream_xchacha20poly1305_headerbytes(void)
+{
+    return crypto_secretstream_xchacha20poly1305_HEADERBYTES;
+}
+
+size_t
+crypto_secretstream_xchacha20poly1305_keybytes(void)
+{
+    return crypto_secretstream_xchacha20poly1305_KEYBYTES;
+}
+
+size_t
+crypto_secretstream_xchacha20poly1305_messagebytes_max(void)
+{
+    return crypto_secretstream_xchacha20poly1305_MESSAGEBYTES_MAX;
+}
+
+unsigned char
+crypto_secretstream_xchacha20poly1305_tag_message(void)
+{
+    return crypto_secretstream_xchacha20poly1305_TAG_MESSAGE;
+}
+
+unsigned char
+crypto_secretstream_xchacha20poly1305_tag_push(void)
+{
+    return crypto_secretstream_xchacha20poly1305_TAG_PUSH;
+}
+
+unsigned char
+crypto_secretstream_xchacha20poly1305_tag_rekey(void)
+{
+    return crypto_secretstream_xchacha20poly1305_TAG_REKEY;
+}
+
+unsigned char
+crypto_secretstream_xchacha20poly1305_tag_final(void)
+{
+    return crypto_secretstream_xchacha20poly1305_TAG_FINAL;
+}

data/vendor/libsodium/src/libsodium/crypto_sign/crypto_sign.c

@@ -31,6 +31,12 @@ crypto_sign_secretkeybytes(void)
     return crypto_sign_SECRETKEYBYTES;
 }
 
+size_t
+crypto_sign_messagebytes_max(void)
+{
+    return crypto_sign_MESSAGEBYTES_MAX;
+}
+
 const char *
 crypto_sign_primitive(void)
 {

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/ed25519_ref10.h

@@ -15,4 +15,7 @@ int _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
                                          unsigned long long   mlen,
                                          const unsigned char *pk,
                                          int prehashed);
+
+int _crypto_sign_ed25519_small_order(const unsigned char p[32]);
+
 #endif

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/keypair.c

@@ -4,6 +4,7 @@
 #include "crypto_hash_sha512.h"
 #include "crypto_scalarmult_curve25519.h"
 #include "crypto_sign_ed25519.h"
+#include "ed25519_ref10.h"
 #include "private/curve25519_ref10.h"
 #include "randombytes.h"
 #include "utils.h"
@@ -46,10 +47,16 @@ crypto_sign_ed25519_pk_to_curve25519(unsigned char *curve25519_pk,
                                      const unsigned char *ed25519_pk)
 {
     ge_p3 A;
+    ge_p3 pl;
     fe    x;
     fe    one_minus_y;
 
-    if (ge_frombytes_negate_vartime(&A, ed25519_pk) != 0) {
+    if (_crypto_sign_ed25519_small_order(ed25519_pk) ||
+        ge_frombytes_negate_vartime(&A, ed25519_pk) != 0) {
+        return -1;
+    }
+    ge_mul_l(&pl, &A);
+    if (fe_isnonzero(pl.X)) {
         return -1;
     }
     fe_1(one_minus_y);
@@ -71,7 +78,7 @@ crypto_sign_ed25519_sk_to_curve25519(unsigned char *curve25519_sk,
 
     crypto_hash_sha512(h, ed25519_sk,
                        crypto_sign_ed25519_SECRETKEYBYTES -
-                           crypto_sign_ed25519_PUBLICKEYBYTES);
+                       crypto_sign_ed25519_PUBLICKEYBYTES);
     h[0] &= 248;
     h[31] &= 127;
     h[31] |= 64;