rbnacl-libsodium 1.0.15.1 → 1.0.16

data/vendor/libsodium/test/default/aead_aes256gcm.c

@@ -3170,7 +3170,7 @@ tv(void)
         found_message_len = 1;
         if (crypto_aead_aes256gcm_decrypt(decrypted, &found_message_len,
                                           NULL, ciphertext,
-                                          randombytes_uniform(ciphertext_len),
+                                          randombytes_uniform((uint32_t) ciphertext_len),
                                           ad, ad_len, nonce, key) != -1) {
             printf("Verification of test vector #%u after truncation succeeded\n",
                    (unsigned int) i);

data/vendor/libsodium/test/default/cmptest.h

@@ -2,6 +2,10 @@
 #ifndef __CMPTEST_H__
 #define __CMPTEST_H__
 
+#ifdef NDEBUG
+#/**/undef/**/ NDEBUG
+#endif
+
 #include <assert.h>
 #include <stdio.h>
 #include <stdint.h>

data/vendor/libsodium/test/default/core3.c

@@ -27,6 +27,7 @@ main(void)
     size_t         pos = 0;
     int            i;
 
+    pos = 0;
     secondkey = (unsigned char *) sodium_malloc(32);
     memcpy(secondkey, SECONDKEY, 32);
     noncesuffix = (unsigned char *) sodium_malloc(8);
@@ -59,6 +60,45 @@ main(void)
     }
     printf("\n");
 
+#ifndef SODIUM_LIBRARY_MINIMAL
+    pos = 0;
+    do {
+        do {
+            crypto_core_salsa2012(output + pos, in, secondkey, c);
+            pos += 64;
+            in[8]++;
+        } while (in[8] != 0);
+        in[9]++;
+    } while (in[9] != 0);
+
+    crypto_hash_sha256(h, output, output_len);
+
+    for (i = 0; i < 32; ++i) {
+        printf("%02x", h[i]);
+    }
+    printf("\n");
+
+    pos = 0;
+    do {
+        do {
+            crypto_core_salsa208(output + pos, in, secondkey, c);
+            pos += 64;
+            in[8]++;
+        } while (in[8] != 0);
+        in[9]++;
+    } while (in[9] != 0);
+
+    crypto_hash_sha256(h, output, output_len);
+
+    for (i = 0; i < 32; ++i) {
+        printf("%02x", h[i]);
+    }
+    printf("\n");
+#else
+    printf("a4e3147dddd2ba7775939b50208a22eb3277d4e4bad8a1cfbc999c6bd392b638\n"
+           "017421baa9959cbe894bd003ec87938254f47c1e757eb66cf89c353d0c2b68de\n");
+#endif
+
     sodium_free(h);
     sodium_free(output);
     sodium_free(in);
@@ -66,10 +106,10 @@ main(void)
     sodium_free(noncesuffix);
     sodium_free(secondkey);
 
-    assert(crypto_core_salsa20_outputbytes() > 0U);
-    assert(crypto_core_salsa20_inputbytes() > 0U);
-    assert(crypto_core_salsa20_keybytes() > 0U);
-    assert(crypto_core_salsa20_constbytes() > 0U);
+    assert(crypto_core_salsa20_outputbytes() == crypto_core_salsa20_OUTPUTBYTES);
+    assert(crypto_core_salsa20_inputbytes() == crypto_core_salsa20_INPUTBYTES);
+    assert(crypto_core_salsa20_keybytes() == crypto_core_salsa20_KEYBYTES);
+    assert(crypto_core_salsa20_constbytes() == crypto_core_salsa20_CONSTBYTES);
 
     return 0;
 }

data/vendor/libsodium/test/default/core3.exp

@@ -1 +1,3 @@
 662b9d0e3463029156069b12f918691a98f7dfb2ca0393c96bbfc6b1fbd630a2
+a4e3147dddd2ba7775939b50208a22eb3277d4e4bad8a1cfbc999c6bd392b638
+017421baa9959cbe894bd003ec87938254f47c1e757eb66cf89c353d0c2b68de

data/vendor/libsodium/test/default/core4.c

@@ -27,7 +27,7 @@ main(void)
         } else {
             printf(" ");
         }
-        printf("%3d", (unsigned int) out[i]);
+        printf("%3u", (unsigned int) out[i]);
         if (i % 8 == 7) {
             printf("\n");
         }

data/vendor/libsodium/test/default/core_ed25519.c

@@ -0,0 +1,151 @@
+#define TEST_NAME "core_ed25519"
+#include "cmptest.h"
+
+static const unsigned char non_canonical_p[32] = {
+    0xf6, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
+};
+static const unsigned char non_canonical_invalid_p[32] = {
+    0xf5, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
+};
+static const unsigned char max_canonical_p[32] = {
+    0xe4, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+    0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
+};
+
+static void
+add_P(unsigned char * const S)
+{
+    static const unsigned char P[32] = {
+        0xed, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff,
+        0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0x7f
+    };
+    unsigned char c = 0U;
+    unsigned int  i;
+    unsigned int  s;
+
+    for (i = 0U; i < 32U; i++) {
+        s = S[i] + P[i] + c;
+        S[i] = (unsigned char) s;
+        c = (s >> 8) & 1;
+    }
+}
+
+int
+main(void)
+{
+    unsigned char *h;
+    unsigned char *p, *p2, *p3;
+    unsigned char *sc;
+    int            i, j;
+
+    h = (unsigned char *) sodium_malloc(crypto_core_ed25519_UNIFORMBYTES);
+    p = (unsigned char *) sodium_malloc(crypto_core_ed25519_BYTES);
+    for (i = 0; i < 1000; i++) {
+        randombytes_buf(h, crypto_core_ed25519_UNIFORMBYTES);
+        if (crypto_core_ed25519_from_uniform(p, h) != 0) {
+            printf("crypto_core_ed25519_from_uniform() failed\n");
+        }
+        if (crypto_core_ed25519_is_valid_point(p) == 0) {
+            printf("crypto_core_ed25519_from_uniform() returned an invalid point\n");
+        }
+    }
+
+    p2 = (unsigned char *) sodium_malloc(crypto_core_ed25519_BYTES);
+    p3 = (unsigned char *) sodium_malloc(crypto_core_ed25519_BYTES);
+    randombytes_buf(h, crypto_core_ed25519_UNIFORMBYTES);
+    crypto_core_ed25519_from_uniform(p2, h);
+
+    j = 1 + (int) randombytes_uniform(100);
+    memcpy(p3, p, crypto_core_ed25519_BYTES);
+    for (i = 0; i < j; i++) {
+        crypto_core_ed25519_add(p, p, p2);
+        if (crypto_core_ed25519_is_valid_point(p) != 1) {
+            printf("crypto_core_add() returned an invalid point\n");
+        }
+    }
+    if (memcmp(p, p3, crypto_core_ed25519_BYTES) == 0) {
+        printf("crypto_core_add() failed\n");
+    }
+    for (i = 0; i < j; i++) {
+        crypto_core_ed25519_sub(p, p, p2);
+    }
+    if (memcmp(p, p3, crypto_core_ed25519_BYTES) != 0) {
+        printf("crypto_core_add() or crypto_core_sub() failed\n");
+    }
+    sc = (unsigned char *) sodium_malloc(crypto_scalarmult_ed25519_SCALARBYTES);
+    memset(sc, 0, crypto_scalarmult_ed25519_SCALARBYTES);
+    sc[0] = 8;
+    memcpy(p2, p, crypto_core_ed25519_BYTES);
+    memcpy(p3, p, crypto_core_ed25519_BYTES);
+
+    for (i = 0; i < 254; i++) {
+        crypto_core_ed25519_add(p2, p2, p2);
+    }
+    for (i = 0; i < 8; i++) {
+        crypto_core_ed25519_add(p2, p2, p);
+    }
+    if (crypto_scalarmult_ed25519(p3, sc, p) != 0) {
+        printf("crypto_scalarmult_ed25519() failed\n");
+    }
+    if (memcmp(p2, p3, crypto_core_ed25519_BYTES) != 0) {
+        printf("crypto_scalarmult_ed25519() is inconsistent with crypto_core_ed25519_add()\n");
+    }
+
+    assert(crypto_core_ed25519_is_valid_point(p) == 1);
+
+    memset(p, 0, crypto_core_ed25519_BYTES);
+    assert(crypto_core_ed25519_is_valid_point(p) == 0);
+
+    p[0] = 1;
+    assert(crypto_core_ed25519_is_valid_point(p) == 0);
+
+    p[0] = 2;
+    assert(crypto_core_ed25519_is_valid_point(p) == 0);
+
+    p[0] = 9;
+    assert(crypto_core_ed25519_is_valid_point(p) == 1);
+
+    assert(crypto_core_ed25519_is_valid_point(max_canonical_p) == 1);
+    assert(crypto_core_ed25519_is_valid_point(non_canonical_invalid_p) == 0);
+    assert(crypto_core_ed25519_is_valid_point(non_canonical_p) == 0);
+
+    memcpy(p2, p, crypto_core_ed25519_BYTES);
+    add_P(p2);
+    crypto_core_ed25519_add(p3, p2, p2);
+    crypto_core_ed25519_sub(p3, p3, p2);
+    assert(memcmp(p2, p, crypto_core_ed25519_BYTES) != 0);
+    assert(memcmp(p3, p, crypto_core_ed25519_BYTES) == 0);
+
+    p[0] = 2;
+    assert(crypto_core_ed25519_add(p3, p2, p) == -1);
+    assert(crypto_core_ed25519_add(p3, p2, non_canonical_p) == 0);
+    assert(crypto_core_ed25519_add(p3, p2, non_canonical_invalid_p) == -1);
+    assert(crypto_core_ed25519_add(p3, p, p3) == -1);
+    assert(crypto_core_ed25519_add(p3, non_canonical_p, p3) == 0);
+    assert(crypto_core_ed25519_add(p3, non_canonical_invalid_p, p3) == -1);
+
+    assert(crypto_core_ed25519_sub(p3, p2, p) == -1);
+    assert(crypto_core_ed25519_sub(p3, p2, non_canonical_p) == 0);
+    assert(crypto_core_ed25519_sub(p3, p2, non_canonical_invalid_p) == -1);
+    assert(crypto_core_ed25519_sub(p3, p, p3) == -1);
+    assert(crypto_core_ed25519_sub(p3, non_canonical_p, p3) == 0);
+    assert(crypto_core_ed25519_sub(p3, non_canonical_invalid_p, p3) == -1);
+
+    sodium_free(sc);
+    sodium_free(p3);
+    sodium_free(p2);
+    sodium_free(p);
+    sodium_free(h);
+
+    assert(crypto_core_ed25519_BYTES == crypto_core_ed25519_bytes());
+    assert(crypto_core_ed25519_UNIFORMBYTES == crypto_core_ed25519_uniformbytes());
+    assert(crypto_core_ed25519_UNIFORMBYTES >= crypto_core_ed25519_BYTES);
+
+    printf("OK\n");
+
+    return 0;
+}

data/vendor/libsodium/test/default/core_ed25519.exp

@@ -0,0 +1 @@
+OK

data/vendor/libsodium/test/default/ed25519_convert.c

@@ -18,9 +18,17 @@ main(void)
     unsigned char curve25519_sk[crypto_scalarmult_curve25519_BYTES];
     char          curve25519_pk_hex[crypto_scalarmult_curve25519_BYTES * 2 + 1];
     char          curve25519_sk_hex[crypto_scalarmult_curve25519_BYTES * 2 + 1];
+    unsigned char hseed[crypto_hash_sha512_BYTES];
     unsigned int  i;
 
-    crypto_sign_ed25519_seed_keypair(ed25519_pk, ed25519_skpk, keypair_seed);
+    assert(crypto_sign_ed25519_SEEDBYTES <= crypto_hash_sha512_BYTES);
+#ifdef ED25519_NONDETERMINISTIC
+    crypto_hash_sha512(hseed, keypair_seed, crypto_sign_ed25519_SEEDBYTES);
+#else
+    memcpy(hseed, keypair_seed, crypto_sign_ed25519_SEEDBYTES);
+#endif
+    crypto_sign_ed25519_seed_keypair(ed25519_pk, ed25519_skpk, hseed);
+
     if (crypto_sign_ed25519_pk_to_curve25519(curve25519_pk, ed25519_pk) != 0) {
         printf("conversion failed\n");
     }

data/vendor/libsodium/test/default/index.html.tpl

@@ -28,9 +28,20 @@ body {
 <h1></h1>
 <section class="test" id="test-res"></section>
 <script>
+var performance;
+if (typeof performance !== 'object') {
+  performance = {
+    mark: function(s) { this[s] = new Date() },
+    measure: function(_t, s1, s2) { this.t = this[s2] - this[s1] },
+    getEntriesByName: function() { return [ { duration: this.t } ] }
+  };
+}
+
+var Module = { preRun: function() { performance.mark('bench_start') } };
+
 function runTest(tname) {
     var xhr, expected, hn, idx = 0, passed = true;
-    
+
     function outputReceived(e) {
         var found = e.data;
         var p = document.createElement('p');
@@ -42,8 +53,11 @@ function runTest(tname) {
         document.getElementById('test-res').appendChild(p);
         if (idx >= expected.length) {
             if (passed) {
-                hn.appendChild(document.createTextNode(' - PASSED'));
-                hn.className = 'passed';                    
+                performance.mark('bench_end')
+                performance.measure('bench', 'bench_start', 'bench_end');
+                var duration = Math.round(performance.getEntriesByName('bench')[0].duration);
+                hn.appendChild(document.createTextNode(' - PASSED (time: ' + duration + ' ms)'));
+                hn.className = 'passed';
             } else {
                 hn.appendChild(document.createTextNode(' - FAILED'));
                 hn.className = 'err';

data/vendor/libsodium/test/default/kdf.c

@@ -10,6 +10,7 @@ tv_kdf(void)
     char          *context;
     char           hex[crypto_kdf_BYTES_MAX * 2 + 1];
     uint64_t       i;
+    int            ret;
 
     context = (char *) sodium_malloc(crypto_kdf_CONTEXTBYTES);
     memcpy(context, "KDF test", strlen("KDF test"));
@@ -19,8 +20,9 @@ tv_kdf(void)
     }
     subkey = (unsigned char *) sodium_malloc(crypto_kdf_BYTES_MAX);
     for (i = 0; i < 10; i++) {
-        assert(crypto_kdf_derive_from_key(subkey, crypto_kdf_BYTES_MAX,
-                                          i, context, master_key) == 0);
+        ret = crypto_kdf_derive_from_key(subkey, crypto_kdf_BYTES_MAX,
+                                         i, context, master_key);
+        assert(ret == 0);
         sodium_bin2hex(hex, sizeof hex, subkey, crypto_kdf_BYTES_MAX);
         printf("%s\n", hex);
     }

data/vendor/libsodium/test/default/metamorphic.c

@@ -35,8 +35,8 @@ mm_generichash(void)
         randombytes_buf(m, mlen);
 
         crypto_generichash_init(&st, k, klen, hlen);
-        l1 = randombytes_uniform(mlen);
-        l2 = randombytes_uniform(mlen - l1);
+        l1 = randombytes_uniform((uint32_t) mlen);
+        l2 = randombytes_uniform((uint32_t) (mlen - l1));
         crypto_generichash_update(&st, m, l1);
         crypto_generichash_update(&st, m + l1, l2);
         crypto_generichash_update(&st, m + l1 + l2, mlen - l1 - l2);
@@ -75,8 +75,8 @@ mm_onetimeauth(void)
         randombytes_buf(m, mlen);
 
         crypto_onetimeauth_init(&st, k);
-        l1 = randombytes_uniform(mlen);
-        l2 = randombytes_uniform(mlen - l1);
+        l1 = randombytes_uniform((uint32_t) mlen);
+        l2 = randombytes_uniform((uint32_t) (mlen - l1));
         crypto_onetimeauth_update(&st, m, l1);
         crypto_onetimeauth_update(&st, m + l1, l2);
         crypto_onetimeauth_update(&st, m + l1 + l2, mlen - l1 - l2);
@@ -115,8 +115,8 @@ mm_hmacsha256(void)
         randombytes_buf(m, mlen);
 
         crypto_auth_hmacsha256_init(&st, k, crypto_auth_hmacsha256_KEYBYTES);
-        l1 = randombytes_uniform(mlen);
-        l2 = randombytes_uniform(mlen - l1);
+        l1 = randombytes_uniform((uint32_t) mlen);
+        l2 = randombytes_uniform((uint32_t) (mlen - l1));
         crypto_auth_hmacsha256_update(&st, m, l1);
         crypto_auth_hmacsha256_update(&st, m + l1, l2);
         crypto_auth_hmacsha256_update(&st, m + l1 + l2, mlen - l1 - l2);
@@ -155,8 +155,8 @@ mm_hmacsha512(void)
         randombytes_buf(m, mlen);
 
         crypto_auth_hmacsha512_init(&st, k, crypto_auth_hmacsha512_KEYBYTES);
-        l1 = randombytes_uniform(mlen);
-        l2 = randombytes_uniform(mlen - l1);
+        l1 = randombytes_uniform((uint32_t) mlen);
+        l2 = randombytes_uniform((uint32_t) (mlen - l1));
         crypto_auth_hmacsha512_update(&st, m, l1);
         crypto_auth_hmacsha512_update(&st, m + l1, l2);
         crypto_auth_hmacsha512_update(&st, m + l1 + l2, mlen - l1 - l2);

data/vendor/libsodium/test/default/misuse.c

@@ -6,17 +6,45 @@
 # include <signal.h>
 
 static void
-sigabrt_handler_13(int sig)
+sigabrt_handler_15(int sig)
 {
     (void) sig;
     exit(0);
 }
 
+# ifndef SODIUM_LIBRARY_MINIMAL
+static void
+sigabrt_handler_14(int sig)
+{
+    (void) sig;
+    signal(SIGABRT, sigabrt_handler_15);
+    assert(crypto_box_curve25519xchacha20poly1305_easy
+           (NULL, NULL, crypto_stream_xchacha20_MESSAGEBYTES_MAX - 1,
+            NULL, NULL, NULL) == -1);
+    exit(1);
+}
+
+static void
+sigabrt_handler_13(int sig)
+{
+    (void) sig;
+    signal(SIGABRT, sigabrt_handler_14);
+    assert(crypto_box_curve25519xchacha20poly1305_easy_afternm
+           (NULL, NULL, crypto_stream_xchacha20_MESSAGEBYTES_MAX - 1,
+            NULL, NULL) == -1);
+    exit(1);
+}
+# endif
+
 static void
 sigabrt_handler_12(int sig)
 {
     (void) sig;
+# ifdef SODIUM_LIBRARY_MINIMAL
+    signal(SIGABRT, sigabrt_handler_15);
+# else
     signal(SIGABRT, sigabrt_handler_13);
+# endif
     assert(crypto_pwhash_str_alg(NULL, "", 0U, 1U, 1U, -1) == -1);
     exit(1);
 }

data/vendor/libsodium/test/default/pwhash_argon2i.c

@@ -121,14 +121,14 @@ tv2(void)
           "8d220b20c60d7c07ec1fd93c52c31020300c6c1facd77937a597c7a6",
           127,
           "5541fbc995d5c197ba290346d2c559dedf405cf97e5f95482143202f9e74f5c2",
-          155, 4, 1397645, 1 },
+          155, 4, 397645, 1 },
         { "a347ae92bce9f80f6f595a4480fc9c2fe7e7d7148d371e9487d75f5c23008ffae0"
           "65577a928febd9b1973a5a95073acdbeb6a030cfc0d79caa2dc5cd011cef02c08d"
           "a232d76d52dfbca38ca8dcbd665b17d1665f7cf5fe59772ec909733b24de97d6f5"
           "8d220b20c60d7c07ec1fd93c52c31020300c6c1facd77937a597c7a6",
           127,
           "5541fbc995d5c197ba290346d2c559dedf405cf97e5f95482143202f9e74f5c2",
-          155, 3, 1397645, 1 },
+          155, 3, 397645, 1 },
     };
     char          passwd[256];
     unsigned char salt[crypto_pwhash_SALTBYTES];
@@ -181,6 +181,8 @@ tv2(void)
                       1ULL << 12, crypto_pwhash_alg_argon2i13()) != -1) {
         printf("[tv2] pwhash with a long password length should have failed\n");
     }
+    assert(crypto_pwhash_argon2i(out, sizeof out, "password", strlen("password"), salt,
+                                 OPSLIMIT, MEMLIMIT, crypto_pwhash_alg_argon2id13()) == -1);
 }
 
 static void
@@ -256,7 +258,11 @@ str_tests(void)
         crypto_pwhash_argon2i_str_needs_rehash(str_out, OPSLIMIT * 2, MEMLIMIT) != 1) {
         printf("needs_rehash() false negative\n");
     }
-    if (crypto_pwhash_argon2i_str_needs_rehash(str_out + 1, OPSLIMIT, MEMLIMIT) != -1) {
+    if (crypto_pwhash_str_needs_rehash(str_out, OPSLIMIT, MEMLIMIT / 2) != 1) {
+        printf("pwhash_str_needs_rehash() didn't handle argon2i\n");
+    }
+    if (crypto_pwhash_str_needs_rehash(str_out + 1, OPSLIMIT, MEMLIMIT) != -1 ||
+        crypto_pwhash_argon2i_str_needs_rehash(str_out + 1, OPSLIMIT, MEMLIMIT) != -1) {
         printf("needs_rehash() didn't fail with an invalid hash string\n");
     }
     if (sodium_is_zero((const unsigned char *) str_out + strlen(str_out),