RubyGems - rbnacl-libsodium - Versions diffs - 1.0.13 → 1.0.15 - Mend

rbnacl-libsodium 1.0.13 → 1.0.15

Files changed (201) hide show

data/vendor/libsodium/src/libsodium/include/sodium/runtime.h CHANGED

@@ -8,31 +8,34 @@
 extern "C" {
 #endif
-SODIUM_EXPORT
+SODIUM_EXPORT_WEAK
 int sodium_runtime_has_neon(void);
-SODIUM_EXPORT
+SODIUM_EXPORT_WEAK
 int sodium_runtime_has_sse2(void);
-SODIUM_EXPORT
+SODIUM_EXPORT_WEAK
 int sodium_runtime_has_sse3(void);
-SODIUM_EXPORT
+SODIUM_EXPORT_WEAK
 int sodium_runtime_has_ssse3(void);
-SODIUM_EXPORT
+SODIUM_EXPORT_WEAK
 int sodium_runtime_has_sse41(void);
-SODIUM_EXPORT
+SODIUM_EXPORT_WEAK
 int sodium_runtime_has_avx(void);
-SODIUM_EXPORT
+SODIUM_EXPORT_WEAK
 int sodium_runtime_has_avx2(void);
-SODIUM_EXPORT
+SODIUM_EXPORT_WEAK
+int sodium_runtime_has_avx512f(void);
+SODIUM_EXPORT_WEAK
 int sodium_runtime_has_pclmul(void);
-SODIUM_EXPORT
+SODIUM_EXPORT_WEAK
 int sodium_runtime_has_aesni(void);
 /* ------------------------------------------------------------------------- */

data/vendor/libsodium/src/libsodium/include/sodium/utils.h CHANGED

@@ -61,6 +61,34 @@ int sodium_hex2bin(unsigned char * const bin, const size_t bin_maxlen,
                    const char * const ignore, size_t * const bin_len,
                    const char ** const hex_end);
+#define sodium_base64_VARIANT_ORIGINAL            1
+#define sodium_base64_VARIANT_ORIGINAL_NO_PADDING 3
+#define sodium_base64_VARIANT_URLSAFE             5
+#define sodium_base64_VARIANT_URLSAFE_NO_PADDING  7
+/*
+ * Computes the required length to encode BIN_LEN bytes as a base64 string
+ * using the given variant. The computed length includes a trailing \0.
+ */
+#define sodium_base64_ENCODED_LEN(BIN_LEN, VARIANT) \
+    (((BIN_LEN) / 3U) * 4U + \
+    ((((BIN_LEN) - ((BIN_LEN) / 3U) * 3U) | (((BIN_LEN) - ((BIN_LEN) / 3U) * 3U) >> 1)) & 1U) * \
+     (4U - (~((((VARIANT) & 2U) >> 1) - 1U) & (3U - ((BIN_LEN) - ((BIN_LEN) / 3U) * 3U)))) + 1U)
+SODIUM_EXPORT
+size_t sodium_base64_encoded_len(const size_t bin_len, const int variant);
+SODIUM_EXPORT
+char *sodium_bin2base64(char * const b64, const size_t b64_maxlen,
+                        const unsigned char * const bin, const size_t bin_len,
+                        const int variant);
+SODIUM_EXPORT
+int sodium_base642bin(unsigned char * const bin, const size_t bin_maxlen,
+                      const char * const b64, const size_t b64_len,
+                      const char * const ignore, size_t * const bin_len,
+                      const char ** const b64_end, const int variant);
 SODIUM_EXPORT
 int sodium_mlock(void * const addr, const size_t len);
@@ -120,6 +148,14 @@ int sodium_mprotect_readonly(void *ptr);
 SODIUM_EXPORT
 int sodium_mprotect_readwrite(void *ptr);
+SODIUM_EXPORT
+int sodium_pad(size_t *padded_buflen_p, unsigned char *buf,
+               size_t unpadded_buflen, size_t blocksize, size_t max_buflen);
+SODIUM_EXPORT
+int sodium_unpad(size_t *unpadded_buflen_p, const unsigned char *buf,
+                 size_t padded_buflen, size_t blocksize);
 /* -------- */
 int _sodium_alloc_init(void);

data/vendor/libsodium/src/libsodium/randombytes/nativeclient/randombytes_nativeclient.c CHANGED

@@ -6,6 +6,7 @@
 #ifdef __native_client__
 # include <irt.h>
+# include "core.h"
 # include "utils.h"
 # include "randombytes.h"
 # include "randombytes_nativeclient.h"
@@ -20,12 +21,12 @@ randombytes_nativeclient_buf(void * const buf, const size_t size)
     if (nacl_interface_query(NACL_IRT_RANDOM_v0_1, &rand_intf,
                              sizeof rand_intf) != sizeof rand_intf) {
-        abort();
+        sodium_misuse();
     }
     while (toread > (size_t) 0U) {
         if (rand_intf.get_random_bytes(buf_, size, &readnb) != 0 ||
             readnb > size) {
-            abort();
+            sodium_misuse();
         }
         toread -= readnb;
         buf_ += readnb;

data/vendor/libsodium/src/libsodium/randombytes/randombytes.c CHANGED

@@ -10,6 +10,7 @@
 # include <emscripten.h>
 #endif
+#include "core.h"
 #include "crypto_stream_chacha20.h"
 #include "randombytes.h"
 #ifdef RANDOMBYTES_DEFAULT_IMPLEMENTATION
@@ -93,22 +94,22 @@ randombytes_stir(void)
     EM_ASM({
         if (Module.getRandomValue === undefined) {
             try {
-                var window_ = "object" === typeof window ? window : self,
-                    crypto_ = typeof window_.crypto !== "undefined" ? window_.crypto : window_.msCrypto,
-                    randomValuesStandard = function() {
-                        var buf = new Uint32Array(1);
-                        crypto_.getRandomValues(buf);
-                        return buf[0] >>> 0;
-                    };
+                var window_ = 'object' === typeof window ? window : self;
+                var crypto_ = typeof window_.crypto !== 'undefined' ? window_.crypto : window_.msCrypto;
+                var randomValuesStandard = function() {
+                    var buf = new Uint32Array(1);
+                    crypto_.getRandomValues(buf);
+                    return buf[0] >>> 0;
+                };
                 randomValuesStandard();
                 Module.getRandomValue = randomValuesStandard;
             } catch (e) {
                 try {
-                    var crypto = require('crypto'),
-                        randomValueNodeJS = function() {
-                            var buf = crypto.randomBytes(4);
-                            return (buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3]) >>> 0;
-                        };
+                    var crypto = require('crypto');
+                    var randomValueNodeJS = function() {
+                        var buf = crypto.randomBytes(4);
+                        return (buf[0] << 24 | buf[1] << 16 | buf[2] << 8 | buf[3]) >>> 0;
+                    };
                     randomValueNodeJS();
                     Module.getRandomValue = randomValueNodeJS;
                 } catch (e) {
@@ -135,10 +136,12 @@ randombytes_uniform(const uint32_t upper_bound)
     if (upper_bound < 2) {
         return 0;
     }
-    min = (1U + ~upper_bound) % upper_bound;
+    min = (1U + ~upper_bound) % upper_bound; /* = 2**32 mod upper_bound */
     do {
         r = randombytes_random();
     } while (r < min);
+    /* r is now clamped to a set whose size mod upper_bound == 0
+     * the worst case (2**31+1) requires ~ 2 attempts */
     return r % upper_bound;
 }
@@ -171,8 +174,9 @@ randombytes_buf_deterministic(void * const buf, const size_t size,
     COMPILER_ASSERT(randombytes_SEEDBYTES == crypto_stream_chacha20_ietf_KEYBYTES);
 #if SIZE_MAX > 0x4000000000ULL
+    COMPILER_ASSERT(randombytes_BYTES_MAX <= 0x4000000000ULL);
     if (size > 0x4000000000ULL) {
-        abort();
+        sodium_misuse();
     }
 #endif
     crypto_stream_chacha20_ietf((unsigned char *) buf, (unsigned long long) size,

data/vendor/libsodium/src/libsodium/randombytes/salsa20/randombytes_salsa20_random.c CHANGED

@@ -25,13 +25,14 @@
 # include <poll.h>
 #endif
+#include "core.h"
 #include "crypto_core_salsa20.h"
 #include "crypto_generichash.h"
 #include "crypto_stream_salsa20.h"
+#include "private/common.h"
 #include "randombytes.h"
 #include "randombytes_salsa20_random.h"
 #include "utils.h"
-#include "private/common.h"
 #ifdef _WIN32
 # include <windows.h>
@@ -98,7 +99,7 @@ sodium_hrtime(void)
         struct timeval tv;
         if (gettimeofday(&tv, NULL) != 0) {
-            abort(); /* LCOV_EXCL_LINE */
+            sodium_misuse(); /* LCOV_EXCL_LINE */
         }
         ts = ((uint64_t) tv.tv_sec) * 1000000U + (uint64_t) tv.tv_usec;
     }
@@ -172,7 +173,7 @@ randombytes_salsa20_random_random_dev_open(void)
 #  endif
         "/dev/random", NULL
     };
-    const char **     device = devices;
+    const char      **device = devices;
     int               fd;
 # if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) && !defined(NO_BLOCKING_RANDOM_POLL)
@@ -277,7 +278,7 @@ randombytes_salsa20_random_init(void)
     if ((stream.random_data_source_fd =
          randombytes_salsa20_random_random_dev_open()) == -1) {
-        abort(); /* LCOV_EXCL_LINE */
+        sodium_misuse(); /* LCOV_EXCL_LINE */
     }
     errno = errno_save;
 # endif /* HAVE_SAFE_ARC4RANDOM */
@@ -331,29 +332,29 @@ randombytes_salsa20_random_stir(void)
 # elif defined(SYS_getrandom) && defined(__NR_getrandom)
     if (stream.getrandom_available != 0) {
         if (randombytes_linux_getrandom(m0, sizeof m0) != 0) {
-            abort(); /* LCOV_EXCL_LINE */
+            sodium_misuse(); /* LCOV_EXCL_LINE */
         }
     } else if (stream.random_data_source_fd == -1 ||
                safe_read(stream.random_data_source_fd, m0,
                          sizeof m0) != (ssize_t) sizeof m0) {
-        abort(); /* LCOV_EXCL_LINE */
+        sodium_misuse(); /* LCOV_EXCL_LINE */
     }
 # else
     if (stream.random_data_source_fd == -1 ||
         safe_read(stream.random_data_source_fd, m0,
                   sizeof m0) != (ssize_t) sizeof m0) {
-        abort(); /* LCOV_EXCL_LINE */
+        sodium_misuse(); /* LCOV_EXCL_LINE */
     }
 # endif
 #else /* _WIN32 */
     if (! RtlGenRandom((PVOID) m0, (ULONG) sizeof m0)) {
-        abort(); /* LCOV_EXCL_LINE */
+        sodium_misuse(); /* LCOV_EXCL_LINE */
     }
 #endif
     if (crypto_generichash(stream.key, sizeof stream.key, k0, sizeof_k0,
                            hsigma, sizeof hsigma) != 0) {
-        abort(); /* LCOV_EXCL_LINE */
+        abort(); /* really abort -- it should never happen */ /* LCOV_EXCL_LINE */
     }
     COMPILER_ASSERT(sizeof stream.key <= sizeof m0);
     randombytes_salsa20_random_rekey(m0);
@@ -370,7 +371,7 @@ randombytes_salsa20_random_stir_if_needed(void)
     if (stream.initialized == 0) {
         randombytes_salsa20_random_stir();
     } else if (stream.pid != getpid()) {
-        abort();
+        sodium_misuse(); /* LCOV_EXCL_LINE */
     }
 #else
     if (stream.initialized == 0) {

data/vendor/libsodium/src/libsodium/randombytes/sysrandom/randombytes_sysrandom.c CHANGED

@@ -24,6 +24,8 @@
 # include <poll.h>
 #endif
+#include "core.h"
+#include "private/common.h"
 #include "randombytes.h"
 #include "randombytes_sysrandom.h"
 #include "utils.h"
@@ -34,6 +36,15 @@
  *     memory overhead if this API is not being used for other purposes
  *  - `RtlGenRandom` is thus called directly instead. A detailed explanation
  *     can be found here: https://blogs.msdn.microsoft.com/michael_howard/2005/01/14/cryptographically-secure-random-number-on-windows-without-using-cryptoapi/
+ *
+ * In spite of the disclaimer on the `RtlGenRandom` documentation page that was
+ * written back in the Windows XP days, this function is here to stay. The CRT
+ * function `rand_s()` directly depends on it, so touching it would break many
+ * applications released since Windows XP.
+ *
+ * Also note that Rust, Firefox and BoringSSL (thus, Google Chrome and everything
+ * based on Chromium) also depend on it, and that libsodium allows the RNG to be
+ * replaced without patching nor recompiling the library.
  */
 # include <windows.h>
 # define RtlGenRandom SystemFunction036
@@ -68,7 +79,7 @@ randombytes_sysrandom_stir(void)
 static void
 randombytes_sysrandom_buf(void * const buf, const size_t size)
 {
-    return arc4random_buf(buf, size);
+    arc4random_buf(buf, size);
 }
 static int
@@ -156,7 +167,7 @@ randombytes_sysrandom_random_dev_open(void)
 # endif
         "/dev/random", NULL
     };
-    const char **      device = devices;
+    const char       **device = devices;
     int                fd;
 # if defined(__linux__) && !defined(USE_BLOCKING_RANDOM) && !defined(NO_BLOCKING_RANDOM_POLL)
@@ -253,7 +264,7 @@ randombytes_sysrandom_init(void)
     if ((stream.random_data_source_fd =
          randombytes_sysrandom_random_dev_open()) == -1) {
-        abort(); /* LCOV_EXCL_LINE */
+        sodium_misuse(); /* LCOV_EXCL_LINE */
     }
     errno = errno_save;
 }
@@ -323,21 +334,22 @@ randombytes_sysrandom_buf(void * const buf, const size_t size)
 # if defined(SYS_getrandom) && defined(__NR_getrandom)
     if (stream.getrandom_available != 0) {
         if (randombytes_linux_getrandom(buf, size) != 0) {
-            abort();
+            sodium_misuse(); /* LCOV_EXCL_LINE */
         }
         return;
     }
 # endif
     if (stream.random_data_source_fd == -1 ||
         safe_read(stream.random_data_source_fd, buf, size) != (ssize_t) size) {
-        abort(); /* LCOV_EXCL_LINE */
+        sodium_misuse(); /* LCOV_EXCL_LINE */
     }
 #else
-    if (size > (size_t) 0xffffffff) {
-        abort(); /* LCOV_EXCL_LINE */
+    COMPILER_ASSERT(randombytes_BYTES_MAX <= 0xffffffffUL);
+    if (size > (size_t) 0xffffffffUL) {
+        sodium_misuse(); /* LCOV_EXCL_LINE */
     }
     if (! RtlGenRandom((PVOID) buf, (ULONG) size)) {
-        abort(); /* LCOV_EXCL_LINE */
+        sodium_misuse(); /* LCOV_EXCL_LINE */
     }
 #endif
 }

data/vendor/libsodium/src/libsodium/sodium/codecs.c ADDED

@@ -0,0 +1,333 @@
+#include <assert.h>
+#include <errno.h>
+#include <limits.h>
+#include <stddef.h>
+#include <stdint.h>
+#include <stdlib.h>
+#include <string.h>
+#include "core.h"
+#include "utils.h"
+/* Derived from original code by CodesInChaos */
+char *
+sodium_bin2hex(char *const hex, const size_t hex_maxlen,
+               const unsigned char *const bin, const size_t bin_len)
+{
+    size_t       i = (size_t) 0U;
+    unsigned int x;
+    int          b;
+    int          c;
+    if (bin_len >= SIZE_MAX / 2 || hex_maxlen <= bin_len * 2U) {
+        sodium_misuse(); /* LCOV_EXCL_LINE */
+    }
+    while (i < bin_len) {
+        c = bin[i] & 0xf;
+        b = bin[i] >> 4;
+        x = (unsigned char) (87U + c + (((c - 10U) >> 8) & ~38U)) << 8 |
+            (unsigned char) (87U + b + (((b - 10U) >> 8) & ~38U));
+        hex[i * 2U] = (char) x;
+        x >>= 8;
+        hex[i * 2U + 1U] = (char) x;
+        i++;
+    }
+    hex[i * 2U] = 0U;
+    return hex;
+}
+int
+sodium_hex2bin(unsigned char *const bin, const size_t bin_maxlen,
+               const char *const hex, const size_t hex_len,
+               const char *const ignore, size_t *const bin_len,
+               const char **const hex_end)
+{
+    size_t        bin_pos = (size_t) 0U;
+    size_t        hex_pos = (size_t) 0U;
+    int           ret     = 0;
+    unsigned char c;
+    unsigned char c_acc = 0U;
+    unsigned char c_alpha0, c_alpha;
+    unsigned char c_num0, c_num;
+    unsigned char c_val;
+    unsigned char state = 0U;
+    while (hex_pos < hex_len) {
+        c        = (unsigned char) hex[hex_pos];
+        c_num    = c ^ 48U;
+        c_num0   = (c_num - 10U) >> 8;
+        c_alpha  = (c & ~32U) - 55U;
+        c_alpha0 = ((c_alpha - 10U) ^ (c_alpha - 16U)) >> 8;
+        if ((c_num0 | c_alpha0) == 0U) {
+            if (ignore != NULL && state == 0U && strchr(ignore, c) != NULL) {
+                hex_pos++;
+                continue;
+            }
+            break;
+        }
+        c_val = (c_num0 & c_num) | (c_alpha0 & c_alpha);
+        if (bin_pos >= bin_maxlen) {
+            ret   = -1;
+            errno = ERANGE;
+            break;
+        }
+        if (state == 0U) {
+            c_acc = c_val * 16U;
+        } else {
+            bin[bin_pos++] = c_acc | c_val;
+        }
+        state = ~state;
+        hex_pos++;
+    }
+    if (state != 0U) {
+        hex_pos--;
+        errno = EINVAL;
+        ret = -1;
+    }
+    if (ret != 0) {
+        bin_pos = (size_t) 0U;
+    }
+    if (hex_end != NULL) {
+        *hex_end = &hex[hex_pos];
+    } else if (hex_pos != hex_len) {
+        errno = EINVAL;
+        ret = -1;
+    }
+    if (bin_len != NULL) {
+        *bin_len = bin_pos;
+    }
+    return ret;
+}
+/*
+ * Some macros for constant-time comparisons. These work over values in
+ * the 0..255 range. Returned value is 0x00 on "false", 0xFF on "true".
+ *
+ * Original code by Thomas Pornin.
+ */
+#define EQ(x, y) \
+    ((((0U - ((unsigned int) (x) ^ (unsigned int) (y))) >> 8) & 0xFF) ^ 0xFF)
+#define GT(x, y) ((((unsigned int) (y) - (unsigned int) (x)) >> 8) & 0xFF)
+#define GE(x, y) (GT(y, x) ^ 0xFF)
+#define LT(x, y) GT(y, x)
+#define LE(x, y) GE(y, x)
+static int
+b64_byte_to_char(unsigned int x)
+{
+    return (LT(x, 26) & (x + 'A')) |
+           (GE(x, 26) & LT(x, 52) & (x + ('a' - 26))) |
+           (GE(x, 52) & LT(x, 62) & (x + ('0' - 52))) | (EQ(x, 62) & '+') |
+           (EQ(x, 63) & '/');
+}
+static unsigned int
+b64_char_to_byte(int c)
+{
+    const unsigned int x =
+        (GE(c, 'A') & LE(c, 'Z') & (c - 'A')) |
+        (GE(c, 'a') & LE(c, 'z') & (c - ('a' - 26))) |
+        (GE(c, '0') & LE(c, '9') & (c - ('0' - 52))) | (EQ(c, '+') & 62) |
+        (EQ(c, '/') & 63);
+    return x | (EQ(x, 0) & (EQ(c, 'A') ^ 0xFF));
+}
+static int
+b64_byte_to_urlsafe_char(unsigned int x)
+{
+    return (LT(x, 26) & (x + 'A')) |
+           (GE(x, 26) & LT(x, 52) & (x + ('a' - 26))) |
+           (GE(x, 52) & LT(x, 62) & (x + ('0' - 52))) | (EQ(x, 62) & '-') |
+           (EQ(x, 63) & '_');
+}
+static unsigned int
+b64_urlsafe_char_to_byte(int c)
+{
+    const unsigned x =
+        (GE(c, 'A') & LE(c, 'Z') & (c - 'A')) |
+        (GE(c, 'a') & LE(c, 'z') & (c - ('a' - 26))) |
+        (GE(c, '0') & LE(c, '9') & (c - ('0' - 52))) | (EQ(c, '-') & 62) |
+        (EQ(c, '_') & 63);
+    return x | (EQ(x, 0) & (EQ(c, 'A') ^ 0xFF));
+}
+#define VARIANT_NO_PADDING_MASK 0x2U
+#define VARIANT_URLSAFE_MASK    0x4U
+static void
+sodium_base64_check_variant(const int variant)
+{
+    if ((((unsigned int) variant) & ~ 0x6U) != 0x1U) {
+        sodium_misuse();
+    }
+}
+size_t
+sodium_base64_encoded_len(const size_t bin_len, const int variant)
+{
+    sodium_base64_check_variant(variant);
+    return sodium_base64_ENCODED_LEN(bin_len, variant);
+}
+char *
+sodium_bin2base64(char * const b64, const size_t b64_maxlen,
+                  const unsigned char * const bin, const size_t bin_len,
+                  const int variant)
+{
+    size_t       acc_len = (size_t) 0;
+    size_t       b64_len;
+    size_t       b64_pos = (size_t) 0;
+    size_t       bin_pos = (size_t) 0;
+    size_t       nibbles;
+    size_t       remainder;
+    unsigned int acc = 0U;
+    sodium_base64_check_variant(variant);
+    nibbles = bin_len / 3;
+    remainder = bin_len - 3 * nibbles;
+    b64_len = nibbles * 4;
+    if (remainder != 0) {
+        if ((((unsigned int) variant) & VARIANT_NO_PADDING_MASK) == 0U) {
+            b64_len += 4;
+        } else {
+            b64_len += 2 + (remainder >> 1);
+        }
+    }
+    if (b64_maxlen <= b64_len) {
+        sodium_misuse();
+    }
+    if ((((unsigned int) variant) & VARIANT_URLSAFE_MASK) != 0U) {
+        while (bin_pos < bin_len) {
+            acc = (acc << 8) + bin[bin_pos++];
+            acc_len += 8;
+            while (acc_len >= 6) {
+                acc_len -= 6;
+                b64[b64_pos++] = (char) b64_byte_to_urlsafe_char((acc >> acc_len) & 0x3F);
+            }
+        }
+        if (acc_len > 0) {
+            b64[b64_pos++] = (char) b64_byte_to_urlsafe_char((acc << (6 - acc_len)) & 0x3F);
+        }
+    } else {
+        while (bin_pos < bin_len) {
+            acc = (acc << 8) + bin[bin_pos++];
+            acc_len += 8;
+            while (acc_len >= 6) {
+                acc_len -= 6;
+                b64[b64_pos++] = (char) b64_byte_to_char((acc >> acc_len) & 0x3F);
+            }
+        }
+        if (acc_len > 0) {
+            b64[b64_pos++] = (char) b64_byte_to_char((acc << (6 - acc_len)) & 0x3F);
+        }
+    }
+    assert(b64_pos <= b64_len);
+    while (b64_pos < b64_len) {
+        b64[b64_pos++] = '=';
+    }
+    do {
+        b64[b64_pos++] = 0U;
+    } while (b64_pos < b64_maxlen);
+    return b64;
+}
+static int
+_sodium_base642bin_skip_padding(const char * const b64, const size_t b64_len,
+                                size_t * const b64_pos_p,
+                                const char * const ignore, size_t padding_len)
+{
+    int c;
+    while (padding_len > 0) {
+        if (*b64_pos_p >= b64_len) {
+            errno = ERANGE;
+            return -1;
+        }
+        c = b64[*b64_pos_p];
+        if (c == '=') {
+            padding_len--;
+        } else if (ignore == NULL || strchr(ignore, c) == NULL) {
+            errno = EINVAL;
+            return -1;
+        }
+        (*b64_pos_p)++;
+    }
+    return 0;
+}
+int
+sodium_base642bin(unsigned char * const bin, const size_t bin_maxlen,
+                  const char * const b64, const size_t b64_len,
+                  const char * const ignore, size_t * const bin_len,
+                  const char ** const b64_end, const int variant)
+{
+    size_t       acc_len = (size_t) 0;
+    size_t       b64_pos = (size_t) 0;
+    size_t       bin_pos = (size_t) 0;
+    int          is_urlsafe;
+    int          ret = 0;
+    unsigned int acc = 0U;
+    unsigned int d;
+    char         c;
+    sodium_base64_check_variant(variant);
+    is_urlsafe = ((unsigned int) variant) & VARIANT_URLSAFE_MASK;
+    while (b64_pos < b64_len) {
+        c = b64[b64_pos];
+        if (is_urlsafe) {
+            d = b64_urlsafe_char_to_byte(c);
+        } else {
+            d = b64_char_to_byte(c);
+        }
+        if (d == 0xFF) {
+            if (ignore != NULL && strchr(ignore, c) != NULL) {
+                b64_pos++;
+                continue;
+            }
+            break;
+        }
+        acc = (acc << 6) + d;
+        acc_len += 6;
+        if (acc_len >= 8) {
+            acc_len -= 8;
+            if (bin_pos >= bin_maxlen) {
+                errno = ERANGE;
+                ret = -1;
+                break;
+            }
+            bin[bin_pos++] = (acc >> acc_len) & 0xFF;
+        }
+        b64_pos++;
+    }
+    if (acc_len > 4U || (acc & ((1U << acc_len) - 1U)) != 0U) {
+        ret = -1;
+    } else if (ret == 0 &&
+               (((unsigned int) variant) & VARIANT_NO_PADDING_MASK) == 0U) {
+        ret = _sodium_base642bin_skip_padding(b64, b64_len, &b64_pos, ignore,
+                                              acc_len / 2);
+    }
+    if (ret != 0) {
+        bin_pos = (size_t) 0U;
+    } else if (ignore != NULL) {
+        while (b64_pos < b64_len && strchr(ignore, b64[b64_pos]) != NULL) {
+            b64_pos++;
+        }
+    }
+    if (b64_end != NULL) {
+        *b64_end = &b64[b64_pos];
+    } else if (b64_pos != b64_len) {
+        errno = EINVAL;
+        ret = -1;
+    }
+    if (bin_len != NULL) {
+        *bin_len = bin_pos;
+    }
+    return ret;
+}