RubyGems - rbnacl-libsodium - Versions diffs - 1.0.13 → 1.0.15 - Mend

rbnacl-libsodium 1.0.13 → 1.0.15

Files changed (201) hide show

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/obsolete.c CHANGED

@@ -83,7 +83,7 @@ crypto_sign_edwards25519sha512batch_open(unsigned char       *m,
     ge_p3              cs3;
     *mlen_p = 0;
-    if (smlen < 64 || smlen > SIZE_MAX) {
+    if (smlen < 64 || smlen - 64 > crypto_sign_edwards25519sha512batch_MESSAGEBYTES_MAX) {
         return -1;
     }
     mlen = smlen - 64;

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/ref10/open.c CHANGED

@@ -33,8 +33,8 @@ crypto_sign_check_S_lt_L(const unsigned char *S)
     return -(c == 0);
 }
-static int
-small_order(const unsigned char R[32])
+int
+_crypto_sign_ed25519_small_order(const unsigned char p[32])
 {
     CRYPTO_ALIGN(16)
     static const unsigned char blacklist[][32] = {
@@ -97,7 +97,7 @@ small_order(const unsigned char R[32])
     for (i = 0; i < sizeof blacklist / sizeof blacklist[0]; i++) {
         c = 0;
         for (j = 0; j < 32; j++) {
-            c |= R[j] ^ blacklist[i][j];
+            c |= p[j] ^ blacklist[i][j];
         }
         if (c == 0) {
             return 1;
@@ -123,7 +123,8 @@ _crypto_sign_ed25519_verify_detached(const unsigned char *sig,
     ge_p2                    R;
 #ifndef ED25519_COMPAT
-    if (crypto_sign_check_S_lt_L(sig + 32) != 0 || small_order(sig) != 0) {
+    if (crypto_sign_check_S_lt_L(sig + 32) != 0 ||
+        _crypto_sign_ed25519_small_order(sig) != 0) {
         return -1;
     }
 #else
@@ -170,7 +171,7 @@ crypto_sign_ed25519_open(unsigned char *m, unsigned long long *mlen_p,
 {
     unsigned long long mlen;
-    if (smlen < 64 || smlen > SIZE_MAX) {
+    if (smlen < 64 || smlen - 64 > crypto_sign_ed25519_MESSAGEBYTES_MAX) {
         goto badsig;
     }
     mlen = smlen - 64;

data/vendor/libsodium/src/libsodium/crypto_sign/ed25519/sign_ed25519.c CHANGED

@@ -35,6 +35,12 @@ crypto_sign_ed25519_secretkeybytes(void)
     return crypto_sign_ed25519_SECRETKEYBYTES;
 }
+size_t
+crypto_sign_ed25519_messagebytes_max(void)
+{
+    return crypto_sign_ed25519_MESSAGEBYTES_MAX;
+}
 int
 crypto_sign_ed25519_sk_to_seed(unsigned char *seed, const unsigned char *sk)
 {

data/vendor/libsodium/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-avx2.c CHANGED

@@ -3,6 +3,7 @@
 #include <stdlib.h>
 #include <string.h>
+#include "core.h"
 #include "crypto_stream_chacha20.h"
 #include "private/common.h"
 #include "private/sse2_64_32.h"
@@ -76,8 +77,8 @@ chacha20_encrypt_bytes(chacha_ctx *ctx, const uint8_t *m, uint8_t *c,
     if (!bytes) {
         return; /* LCOV_EXCL_LINE */
     }
-    if (bytes > 64ULL * (1ULL << 32) - 64ULL) {
-        abort();
+    if (bytes > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+        sodium_misuse();
     }
 # include "u8.h"
 # include "u4.h"

data/vendor/libsodium/src/libsodium/crypto_stream/chacha20/dolbeau/chacha20_dolbeau-ssse3.c CHANGED

@@ -3,6 +3,7 @@
 #include <stdlib.h>
 #include <string.h>
+#include "core.h"
 #include "crypto_stream_chacha20.h"
 #include "private/common.h"
 #include "private/sse2_64_32.h"
@@ -71,8 +72,8 @@ chacha20_encrypt_bytes(chacha_ctx *ctx, const uint8_t *m, uint8_t *c,
     if (!bytes) {
         return; /* LCOV_EXCL_LINE */
     }
-    if (bytes > 64ULL * (1ULL << 32) - 64ULL) {
-        abort();
+    if (bytes > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+        sodium_misuse();
     }
 # include "u4.h"
 # include "u1.h"

data/vendor/libsodium/src/libsodium/crypto_stream/chacha20/dolbeau/u0.h CHANGED

@@ -7,7 +7,7 @@ if (bytes > 0) {
         _mm_set_epi8(14, 13, 12, 15, 10, 9, 8, 11, 6, 5, 4, 7, 2, 1, 0, 3);
     uint8_t partialblock[64];
-    int     i;
+    unsigned int i;
     x_0 = _mm_loadu_si128((__m128i*) (x + 0));
     x_1 = _mm_loadu_si128((__m128i*) (x + 4));

data/vendor/libsodium/src/libsodium/crypto_stream/chacha20/ref/chacha20_ref.c CHANGED

@@ -9,6 +9,7 @@
 #include <stdlib.h>
 #include <string.h>
+#include "core.h"
 #include "crypto_stream_chacha20.h"
 #include "private/common.h"
 #include "utils.h"
@@ -91,8 +92,8 @@ chacha20_encrypt_bytes(chacha_ctx *ctx, const uint8_t *m, uint8_t *c,
     if (!bytes) {
         return; /* LCOV_EXCL_LINE */
     }
-    if (bytes > 64ULL * (1ULL << 32) - 64ULL) {
-        abort();
+    if (bytes > crypto_stream_chacha20_MESSAGEBYTES_MAX) {
+        sodium_misuse();
     }
     j0  = ctx->input[0];
     j1  = ctx->input[1];

data/vendor/libsodium/src/libsodium/crypto_stream/chacha20/stream_chacha20.c CHANGED

@@ -26,6 +26,12 @@ crypto_stream_chacha20_noncebytes(void) {
     return crypto_stream_chacha20_NONCEBYTES;
 }
+size_t
+crypto_stream_chacha20_messagebytes_max(void)
+{
+    return crypto_stream_chacha20_MESSAGEBYTES_MAX;
+}
 size_t
 crypto_stream_chacha20_ietf_keybytes(void) {
     return crypto_stream_chacha20_ietf_KEYBYTES;
@@ -36,6 +42,12 @@ crypto_stream_chacha20_ietf_noncebytes(void) {
     return crypto_stream_chacha20_ietf_NONCEBYTES;
 }
+size_t
+crypto_stream_chacha20_ietf_messagebytes_max(void)
+{
+    return crypto_stream_chacha20_ietf_MESSAGEBYTES_MAX;
+}
 int
 crypto_stream_chacha20(unsigned char *c, unsigned long long clen,
                        const unsigned char *n, const unsigned char *k)

data/vendor/libsodium/src/libsodium/crypto_stream/crypto_stream.c CHANGED

@@ -14,6 +14,12 @@ crypto_stream_noncebytes(void)
     return crypto_stream_NONCEBYTES;
 }
+size_t
+crypto_stream_messagebytes_max(void)
+{
+    return crypto_stream_MESSAGEBYTES_MAX;
+}
 const char *
 crypto_stream_primitive(void)
 {

data/vendor/libsodium/src/libsodium/crypto_stream/salsa20/stream_salsa20.c CHANGED

@@ -37,6 +37,12 @@ crypto_stream_salsa20_noncebytes(void)
     return crypto_stream_salsa20_NONCEBYTES;
 }
+size_t
+crypto_stream_salsa20_messagebytes_max(void)
+{
+    return crypto_stream_salsa20_MESSAGEBYTES_MAX;
+}
 int
 crypto_stream_salsa20(unsigned char *c, unsigned long long clen,
                       const unsigned char *n, const unsigned char *k)
@@ -89,5 +95,5 @@ _crypto_stream_salsa20_pick_best_implementation(void)
         return 0;
     }
 #endif
-    return 0;
+    return 0; /* LCOV_EXCL_LINE */
 }

data/vendor/libsodium/src/libsodium/crypto_stream/salsa20/xmm6int/u0.h CHANGED

@@ -7,7 +7,7 @@ if (bytes > 0) {
     __m128i b0, b1, b2, b3, b4, b5, b6, b7;
     uint8_t partialblock[64];
-    int     i;
+    unsigned int i;
     a0 = diag1;
     for (i = 0; i < ROUNDS; i += 4) {

data/vendor/libsodium/src/libsodium/crypto_stream/salsa2012/stream_salsa2012.c CHANGED

@@ -13,6 +13,12 @@ crypto_stream_salsa2012_noncebytes(void)
     return crypto_stream_salsa2012_NONCEBYTES;
 }
+size_t
+crypto_stream_salsa2012_messagebytes_max(void)
+{
+    return crypto_stream_salsa2012_MESSAGEBYTES_MAX;
+}
 void
 crypto_stream_salsa2012_keygen(unsigned char k[crypto_stream_salsa2012_KEYBYTES])
 {

data/vendor/libsodium/src/libsodium/crypto_stream/salsa208/stream_salsa208.c CHANGED

@@ -13,6 +13,12 @@ crypto_stream_salsa208_noncebytes(void)
     return crypto_stream_salsa208_NONCEBYTES;
 }
+size_t
+crypto_stream_salsa208_messagebytes_max(void)
+{
+    return crypto_stream_salsa208_MESSAGEBYTES_MAX;
+}
 void
 crypto_stream_salsa208_keygen(unsigned char k[crypto_stream_salsa208_KEYBYTES])
 {

data/vendor/libsodium/src/libsodium/crypto_stream/xchacha20/stream_xchacha20.c CHANGED

@@ -19,6 +19,12 @@ crypto_stream_xchacha20_noncebytes(void)
     return crypto_stream_xchacha20_NONCEBYTES;
 }
+size_t
+crypto_stream_xchacha20_messagebytes_max(void)
+{
+    return crypto_stream_xchacha20_MESSAGEBYTES_MAX;
+}
 int
 crypto_stream_xchacha20(unsigned char *c, unsigned long long clen,
                         const unsigned char *n, const unsigned char *k)

data/vendor/libsodium/src/libsodium/crypto_stream/xsalsa20/stream_xsalsa20.c CHANGED

@@ -53,6 +53,12 @@ crypto_stream_xsalsa20_noncebytes(void)
     return crypto_stream_xsalsa20_NONCEBYTES;
 }
+size_t
+crypto_stream_xsalsa20_messagebytes_max(void)
+{
+    return crypto_stream_xsalsa20_MESSAGEBYTES_MAX;
+}
 void
 crypto_stream_xsalsa20_keygen(unsigned char k[crypto_stream_xsalsa20_KEYBYTES])
 {

data/vendor/libsodium/src/libsodium/crypto_verify/sodium/verify.c CHANGED

@@ -6,56 +6,93 @@
 #include "crypto_verify_32.h"
 #include "crypto_verify_64.h"
-int
-crypto_verify_16(const unsigned char *x, const unsigned char *y)
+size_t
+crypto_verify_16_bytes(void)
 {
-    uint_fast16_t d = 0U;
-    int           i;
+    return crypto_verify_16_BYTES;
+}
-    for (i = 0; i < 16; i++) {
-        d |= x[i] ^ y[i];
-    }
-    return (1 & ((d - 1) >> 8)) - 1;
+size_t
+crypto_verify_32_bytes(void)
+{
+    return crypto_verify_32_BYTES;
 }
 size_t
-crypto_verify_16_bytes(void)
+crypto_verify_64_bytes(void)
 {
-    return crypto_verify_16_BYTES;
+    return crypto_verify_64_BYTES;
 }
-int
-crypto_verify_32(const unsigned char *x, const unsigned char *y)
+#if defined(HAVE_EMMINTRIN_H) && defined(__SSE2__)
+# ifdef __GNUC__
+#  pragma GCC target("sse2")
+# endif
+# include <emmintrin.h>
+static inline int
+crypto_verify_n(const unsigned char *x_, const unsigned char *y_,
+                const int n)
 {
-    uint_fast16_t d = 0U;
-    int           i;
+    const    __m128i zero = _mm_setzero_si128();
+    volatile __m128i v1, v2, z;
+    volatile int     m;
+    int              i;
+    const volatile __m128i *volatile x =
+        (const volatile __m128i *volatile) (const void *) x_;
+    const volatile __m128i *volatile y =
+        (const volatile __m128i *volatile) (const void *) y_;
+    v1 = _mm_loadu_si128((const __m128i *) &x[0]);
+    v2 = _mm_loadu_si128((const __m128i *) &y[0]);
+    z = _mm_xor_si128(v1, v2);
+    for (i = 1; i < n / 16; i++) {
+        v1 = _mm_loadu_si128((const __m128i *) &x[i]);
+        v2 = _mm_loadu_si128((const __m128i *) &y[i]);
+        z = _mm_or_si128(z, _mm_xor_si128(v1, v2));
+    }
+    m = _mm_movemask_epi8(_mm_cmpeq_epi32(z, zero));
+    v1 = zero; v2 = zero; z = zero;
-    for (i = 0; i < 32; i++) {
+    return (int) (((uint32_t) m + 1U) >> 16) - 1;
+}
+#else
+static inline int
+crypto_verify_n(const unsigned char *x_, const unsigned char *y_,
+                const int n)
+{
+    const volatile unsigned char *volatile x =
+        (const volatile unsigned char *volatile) x_;
+    const volatile unsigned char *volatile y =
+        (const volatile unsigned char *volatile) y_;
+    volatile uint_fast16_t d = 0U;
+    int i;
+    for (i = 0; i < n; i++) {
         d |= x[i] ^ y[i];
     }
     return (1 & ((d - 1) >> 8)) - 1;
 }
-size_t
-crypto_verify_32_bytes(void)
+#endif
+int
+crypto_verify_16(const unsigned char *x, const unsigned char *y)
 {
-    return crypto_verify_32_BYTES;
+    return crypto_verify_n(x, y, crypto_verify_16_BYTES);
 }
 int
-crypto_verify_64(const unsigned char *x, const unsigned char *y)
+crypto_verify_32(const unsigned char *x, const unsigned char *y)
 {
-    uint_fast16_t d = 0U;
-    int           i;
-    for (i = 0; i < 64; i++) {
-        d |= x[i] ^ y[i];
-    }
-    return (1 & ((d - 1) >> 8)) - 1;
+    return crypto_verify_n(x, y, crypto_verify_32_BYTES);
 }
-size_t
-crypto_verify_64_bytes(void)
+int
+crypto_verify_64(const unsigned char *x, const unsigned char *y)
 {
-    return crypto_verify_64_BYTES;
+    return crypto_verify_n(x, y, crypto_verify_64_BYTES);
 }

data/vendor/libsodium/src/libsodium/include/Makefile.am CHANGED

@@ -36,13 +36,13 @@ SODIUM_EXPORT = \
 	sodium/crypto_secretbox.h \
 	sodium/crypto_secretbox_xchacha20poly1305.h \
 	sodium/crypto_secretbox_xsalsa20poly1305.h \
+	sodium/crypto_secretstream_xchacha20poly1305.h \
 	sodium/crypto_shorthash.h \
 	sodium/crypto_shorthash_siphash24.h \
 	sodium/crypto_sign.h \
 	sodium/crypto_sign_ed25519.h \
 	sodium/crypto_sign_edwards25519sha512batch.h \
 	sodium/crypto_stream.h \
-	sodium/crypto_stream_aes128ctr.h \
 	sodium/crypto_stream_chacha20.h \
 	sodium/crypto_stream_salsa20.h \
 	sodium/crypto_stream_salsa2012.h \

data/vendor/libsodium/src/libsodium/include/sodium.h CHANGED

@@ -31,11 +31,11 @@
 #include "sodium/crypto_onetimeauth_poly1305.h"
 #include "sodium/crypto_pwhash.h"
 #include "sodium/crypto_pwhash_argon2i.h"
-#include "sodium/crypto_pwhash_scryptsalsa208sha256.h"
 #include "sodium/crypto_scalarmult.h"
 #include "sodium/crypto_scalarmult_curve25519.h"
 #include "sodium/crypto_secretbox.h"
 #include "sodium/crypto_secretbox_xsalsa20poly1305.h"
+#include "sodium/crypto_secretstream_xchacha20poly1305.h"
 #include "sodium/crypto_shorthash.h"
 #include "sodium/crypto_shorthash_siphash24.h"
 #include "sodium/crypto_sign.h"
@@ -59,7 +59,7 @@
 #ifndef SODIUM_LIBRARY_MINIMAL
 # include "sodium/crypto_box_curve25519xchacha20poly1305.h"
 # include "sodium/crypto_secretbox_xchacha20poly1305.h"
-# include "sodium/crypto_stream_aes128ctr.h"
+# include "sodium/crypto_pwhash_scryptsalsa208sha256.h"
 # include "sodium/crypto_stream_salsa2012.h"
 # include "sodium/crypto_stream_salsa208.h"
 # include "sodium/crypto_stream_xchacha20.h"

data/vendor/libsodium/src/libsodium/include/sodium/core.h CHANGED

@@ -12,6 +12,15 @@ SODIUM_EXPORT
 int sodium_init(void)
             __attribute__ ((warn_unused_result));
+/* ---- */
+SODIUM_EXPORT
+int sodium_set_misuse_handler(void (*handler)(void));
+SODIUM_EXPORT
+void sodium_misuse(void)
+            __attribute__ ((noreturn));
 #ifdef __cplusplus
 }
 #endif

data/vendor/libsodium/src/libsodium/include/sodium/crypto_aead_aes256gcm.h CHANGED

@@ -1,6 +1,26 @@
 #ifndef crypto_aead_aes256gcm_H
 #define crypto_aead_aes256gcm_H
+/*
+ * WARNING: Despite being the most popular AEAD construction due to its
+ * use in TLS, safely using AES-GCM in a different context is tricky.
+ *
+ * No more than ~ 350 GB of input data should be encrypted with a given key.
+ * This is for ~ 16 KB messages -- Actual figures vary according to
+ * message sizes.
+ *
+ * In addition, nonces are short and repeated nonces would totally destroy
+ * the security of this scheme.
+ *
+ * Nonces should thus come from atomic counters, which can be difficult to
+ * set up in a distributed environment.
+ *
+ * Unless you absolutely need AES-GCM, use crypto_aead_xchacha20poly1305_ietf_*()
+ * instead. It doesn't have any of these limitations.
+ * Or, if you don't need to authenticate additional data, just stick to
+ * crypto_secretbox().
+ */
 #include <stddef.h>
 #include "export.h"
@@ -30,6 +50,12 @@ size_t crypto_aead_aes256gcm_npubbytes(void);
 SODIUM_EXPORT
 size_t crypto_aead_aes256gcm_abytes(void);
+#define crypto_aead_aes256gcm_MESSAGEBYTES_MAX \
+    SODIUM_MIN(SODIUM_SIZE_MAX - crypto_aead_aes256gcm_ABYTES, \
+               (16ULL * ((1ULL << 32) - 2ULL)) - crypto_aead_aes256gcm_ABYTES)
+SODIUM_EXPORT
+size_t crypto_aead_aes256gcm_messagebytes_max(void);
 typedef CRYPTO_ALIGN(16) unsigned char crypto_aead_aes256gcm_state[512];
 SODIUM_EXPORT