maxep 5 éve
szülő
commit
17014fc19c
100 módosított fájl, 288 hozzáadás és 362 törlés
  1. 1 1
      Sources/Sodium/LICENSE
  2. 1 1
      Sources/Sodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c
  3. 0 0
      Sources/Sodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c
  4. 0 0
      Sources/Sodium/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c
  5. 0 0
      Sources/Sodium/crypto_auth/crypto_auth.c
  6. 0 0
      Sources/Sodium/crypto_auth/hmacsha256/auth_hmacsha256.c
  7. 0 0
      Sources/Sodium/crypto_auth/hmacsha512/auth_hmacsha512.c
  8. 0 0
      Sources/Sodium/crypto_auth/hmacsha512256/auth_hmacsha512256.c
  9. 0 0
      Sources/Sodium/crypto_box/crypto_box.c
  10. 0 0
      Sources/Sodium/crypto_box/crypto_box_easy.c
  11. 1 1
      Sources/Sodium/crypto_box/crypto_box_seal.c
  12. 0 0
      Sources/Sodium/crypto_box/curve25519xchacha20poly1305/box_curve25519xchacha20poly1305.c
  13. 1 1
      Sources/Sodium/crypto_box/curve25519xchacha20poly1305/box_seal_curve25519xchacha20poly1305.c
  14. 0 0
      Sources/Sodium/crypto_box/curve25519xsalsa20poly1305/box_curve25519xsalsa20poly1305.c
  15. 2 2
      Sources/Sodium/crypto_core/ed25519/core_ed25519.c
  16. 0 0
      Sources/Sodium/crypto_core/ed25519/core_ristretto255.c
  17. 112 119
      Sources/Sodium/crypto_core/ed25519/ref10/ed25519_ref10.c
  18. 0 0
      Sources/Sodium/crypto_core/ed25519/ref10/fe_25_5/base.h
  19. 0 0
      Sources/Sodium/crypto_core/ed25519/ref10/fe_25_5/base2.h
  20. 0 0
      Sources/Sodium/crypto_core/ed25519/ref10/fe_25_5/constants.h
  21. 0 0
      Sources/Sodium/crypto_core/ed25519/ref10/fe_25_5/fe.h
  22. 0 0
      Sources/Sodium/crypto_core/ed25519/ref10/fe_51/base.h
  23. 0 0
      Sources/Sodium/crypto_core/ed25519/ref10/fe_51/base2.h
  24. 0 0
      Sources/Sodium/crypto_core/ed25519/ref10/fe_51/constants.h
  25. 0 0
      Sources/Sodium/crypto_core/ed25519/ref10/fe_51/fe.h
  26. 0 0
      Sources/Sodium/crypto_core/hchacha20/core_hchacha20.c
  27. 0 0
      Sources/Sodium/crypto_core/hsalsa20/core_hsalsa20.c
  28. 0 0
      Sources/Sodium/crypto_core/hsalsa20/ref2/core_hsalsa20_ref2.c
  29. 0 0
      Sources/Sodium/crypto_core/salsa/ref/core_salsa_ref.c
  30. 0 0
      Sources/Sodium/crypto_generichash/blake2b/generichash_blake2.c
  31. 0 14
      Sources/Sodium/crypto_generichash/blake2b/ref/blake2.h
  32. 0 0
      Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-compress-avx2.c
  33. 0 0
      Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-compress-avx2.h
  34. 0 0
      Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-compress-ref.c
  35. 0 0
      Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-compress-sse41.c
  36. 0 0
      Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-compress-sse41.h
  37. 0 0
      Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-compress-ssse3.c
  38. 0 0
      Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-compress-ssse3.h
  39. 0 0
      Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-load-avx2.h
  40. 0 0
      Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-load-sse2.h
  41. 0 0
      Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-load-sse41.h
  42. 0 0
      Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-ref.c
  43. 0 0
      Sources/Sodium/crypto_generichash/blake2b/ref/generichash_blake2b.c
  44. 0 0
      Sources/Sodium/crypto_generichash/crypto_generichash.c
  45. 0 0
      Sources/Sodium/crypto_hash/crypto_hash.c
  46. 0 0
      Sources/Sodium/crypto_hash/sha256/cp/hash_sha256_cp.c
  47. 0 0
      Sources/Sodium/crypto_hash/sha256/hash_sha256.c
  48. 0 0
      Sources/Sodium/crypto_hash/sha512/cp/hash_sha512_cp.c
  49. 0 0
      Sources/Sodium/crypto_hash/sha512/hash_sha512.c
  50. 0 0
      Sources/Sodium/crypto_kdf/blake2b/kdf_blake2b.c
  51. 0 0
      Sources/Sodium/crypto_kdf/crypto_kdf.c
  52. 0 0
      Sources/Sodium/crypto_kx/crypto_kx.c
  53. 0 0
      Sources/Sodium/crypto_onetimeauth/crypto_onetimeauth.c
  54. 0 0
      Sources/Sodium/crypto_onetimeauth/poly1305/donna/poly1305_donna.c
  55. 0 0
      Sources/Sodium/crypto_onetimeauth/poly1305/donna/poly1305_donna.h
  56. 0 0
      Sources/Sodium/crypto_onetimeauth/poly1305/donna/poly1305_donna32.h
  57. 0 0
      Sources/Sodium/crypto_onetimeauth/poly1305/donna/poly1305_donna64.h
  58. 0 0
      Sources/Sodium/crypto_onetimeauth/poly1305/onetimeauth_poly1305.c
  59. 0 0
      Sources/Sodium/crypto_onetimeauth/poly1305/onetimeauth_poly1305.h
  60. 0 0
      Sources/Sodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c
  61. 0 0
      Sources/Sodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.h
  62. 37 31
      Sources/Sodium/crypto_pwhash/argon2/argon2-core.c
  63. 13 39
      Sources/Sodium/crypto_pwhash/argon2/argon2-core.h
  64. 6 5
      Sources/Sodium/crypto_pwhash/argon2/argon2-encoding.c
  65. 4 3
      Sources/Sodium/crypto_pwhash/argon2/argon2-encoding.h
  66. 2 2
      Sources/Sodium/crypto_pwhash/argon2/argon2-fill-block-avx2.c
  67. 2 2
      Sources/Sodium/crypto_pwhash/argon2/argon2-fill-block-avx512f.c
  68. 2 1
      Sources/Sodium/crypto_pwhash/argon2/argon2-fill-block-ref.c
  69. 2 2
      Sources/Sodium/crypto_pwhash/argon2/argon2-fill-block-ssse3.c
  70. 13 12
      Sources/Sodium/crypto_pwhash/argon2/argon2.c
  71. 2 2
      Sources/Sodium/crypto_pwhash/argon2/argon2.h
  72. 0 0
      Sources/Sodium/crypto_pwhash/argon2/blake2b-long.c
  73. 0 0
      Sources/Sodium/crypto_pwhash/argon2/blake2b-long.h
  74. 0 0
      Sources/Sodium/crypto_pwhash/argon2/blamka-round-avx2.h
  75. 0 0
      Sources/Sodium/crypto_pwhash/argon2/blamka-round-avx512f.h
  76. 0 0
      Sources/Sodium/crypto_pwhash/argon2/blamka-round-ref.h
  77. 0 0
      Sources/Sodium/crypto_pwhash/argon2/blamka-round-ssse3.h
  78. 5 1
      Sources/Sodium/crypto_pwhash/argon2/pwhash_argon2i.c
  79. 4 0
      Sources/Sodium/crypto_pwhash/argon2/pwhash_argon2id.c
  80. 0 0
      Sources/Sodium/crypto_pwhash/crypto_pwhash.c
  81. 0 0
      Sources/Sodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c
  82. 21 21
      Sources/Sodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt.h
  83. 15 18
      Sources/Sodium/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c
  84. 4 3
      Sources/Sodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c
  85. 3 3
      Sources/Sodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.h
  86. 4 0
      Sources/Sodium/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c
  87. 8 4
      Sources/Sodium/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c
  88. 21 27
      Sources/Sodium/crypto_pwhash/scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c
  89. 0 0
      Sources/Sodium/crypto_scalarmult/crypto_scalarmult.c
  90. 1 1
      Sources/Sodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c
  91. 0 0
      Sources/Sodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.h
  92. 0 0
      Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/consts.S
  93. 0 0
      Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/consts_namespace.h
  94. 1 46
      Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/curve25519_sandy2x.c
  95. 0 0
      Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/curve25519_sandy2x.h
  96. 0 0
      Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/fe.h
  97. 0 0
      Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/fe51.h
  98. 0 0
      Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/fe51_invert.c
  99. 0 0
      Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/fe51_mul.S
  100. 0 0
      Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/fe51_namespace.h

+ 1 - 1
Sources/Sodium/LICENSE

@@ -1,7 +1,7 @@
 /*
  * ISC License
  *
- * Copyright (c) 2013-2019
+ * Copyright (c) 2013-2021
  * Frank Denis <j at pureftpd dot org>
  *
  * Permission to use, copy, modify, and/or distribute this software for any

+ 1 - 1
Sources/Sodium/crypto_aead/aes256gcm/aesni/aead_aes256gcm_aesni.c

@@ -365,7 +365,7 @@ do { \
   */ \
     MAKE4(RED_MUL_MID); \
 \
-/* substracts x1*h1 and x0*h0 */ \
+    /* subtracts x1*h1 and x0*h0 */ \
     tmp0 = _mm_xor_si128(tmp0, lo); \
     tmp0 = _mm_xor_si128(tmp0, hi); \
     tmp0 = _mm_xor_si128(tmp1, tmp0); \

+ 0 - 0
Sources/Sodium/crypto_aead/chacha20poly1305/sodium/aead_chacha20poly1305.c


+ 0 - 0
Sources/Sodium/crypto_aead/xchacha20poly1305/sodium/aead_xchacha20poly1305.c


+ 0 - 0
Sources/Sodium/crypto_auth/crypto_auth.c


+ 0 - 0
Sources/Sodium/crypto_auth/hmacsha256/auth_hmacsha256.c


+ 0 - 0
Sources/Sodium/crypto_auth/hmacsha512/auth_hmacsha512.c


+ 0 - 0
Sources/Sodium/crypto_auth/hmacsha512256/auth_hmacsha512256.c


+ 0 - 0
Sources/Sodium/crypto_box/crypto_box.c


+ 0 - 0
Sources/Sodium/crypto_box/crypto_box_easy.c


+ 1 - 1
Sources/Sodium/crypto_box/crypto_box_seal.c

@@ -32,10 +32,10 @@ crypto_box_seal(unsigned char *c, const unsigned char *m,
     if (crypto_box_keypair(epk, esk) != 0) {
         return -1; /* LCOV_EXCL_LINE */
     }
-    memcpy(c, epk, crypto_box_PUBLICKEYBYTES);
     _crypto_box_seal_nonce(nonce, epk, pk);
     ret = crypto_box_easy(c + crypto_box_PUBLICKEYBYTES, m, mlen,
                           nonce, pk, esk);
+    memcpy(c, epk, crypto_box_PUBLICKEYBYTES);
     sodium_memzero(esk, sizeof esk);
     sodium_memzero(epk, sizeof epk);
     sodium_memzero(nonce, sizeof nonce);
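Review bot: The move of `memcpy(c, epk, crypto_box_PUBLICKEYBYTES)` below the `crypto_box_easy` call changes the order in which `c` is written, and nothing in the hunk records why; presumably the intent is to let `m` overlap the start of `c`, where the old order would have overwritten the first bytes of the plaintext with `epk` before they were read. A comment on the moved line would preserve that, e.g. `/* epk is written last so that m may overlap the start of c */` (adjusted to the actual reason). Note also that the copy now happens even when `ret != 0`, so a failing `crypto_box_easy` still leaves the ephemeral public key in `c`; the `return ret` is outside the hunk, and callers must continue to treat `c` as unusable on error. The same reorder with the same missing comment appears in `box_seal_curve25519xchacha20poly1305.c` in this commit.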

+ 0 - 0
Sources/Sodium/crypto_box/curve25519xchacha20poly1305/box_curve25519xchacha20poly1305.c


+ 1 - 1
Sources/Sodium/crypto_box/curve25519xchacha20poly1305/box_seal_curve25519xchacha20poly1305.c

@@ -38,11 +38,11 @@ crypto_box_curve25519xchacha20poly1305_seal(unsigned char *c, const unsigned cha
     if (crypto_box_curve25519xchacha20poly1305_keypair(epk, esk) != 0) {
         return -1; /* LCOV_EXCL_LINE */
     }
-    memcpy(c, epk, crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES);
     _crypto_box_curve25519xchacha20poly1305_seal_nonce(nonce, epk, pk);
     ret = crypto_box_curve25519xchacha20poly1305_easy(
          c + crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES, m, mlen,
          nonce, pk, esk);
+    memcpy(c, epk, crypto_box_curve25519xchacha20poly1305_PUBLICKEYBYTES);
     sodium_memzero(esk, sizeof esk);
     sodium_memzero(epk, sizeof epk);
     sodium_memzero(nonce, sizeof nonce);

+ 0 - 0
Sources/Sodium/crypto_box/curve25519xsalsa20poly1305/box_curve25519xsalsa20poly1305.c


+ 2 - 2
Sources/Sodium/crypto_core/ed25519/core_ed25519.c

@@ -81,10 +81,10 @@ crypto_core_ed25519_from_hash(unsigned char *p, const unsigned char *h)
 void
 crypto_core_ed25519_random(unsigned char *p)
 {
-    unsigned char h[crypto_core_ed25519_HASHBYTES];
+    unsigned char h[crypto_core_ed25519_UNIFORMBYTES];
 
     randombytes_buf(h, sizeof h);
-    (void) crypto_core_ed25519_from_hash(p, h);
+    (void) crypto_core_ed25519_from_uniform(p, h);
 }
 
 void

+ 0 - 0
Sources/Sodium/crypto_core/ed25519/core_ristretto255.c


+ 112 - 119
Sources/Sodium/crypto_core/ed25519/ref10/ed25519_ref10.c

@@ -81,8 +81,7 @@ fe25519_invert(fe25519 out, const fe25519 z)
         fe25519_sq(t3, t3);
     }
     fe25519_mul(t2, t3, t2);
-    fe25519_sq(t2, t2);
-    for (i = 1; i < 10; ++i) {
+    for (i = 1; i < 11; ++i) {
         fe25519_sq(t2, t2);
     }
     fe25519_mul(t1, t2, t1);
@@ -96,13 +95,11 @@ fe25519_invert(fe25519 out, const fe25519 z)
         fe25519_sq(t3, t3);
     }
     fe25519_mul(t2, t3, t2);
-    fe25519_sq(t2, t2);
-    for (i = 1; i < 50; ++i) {
+    for (i = 1; i < 51; ++i) {
         fe25519_sq(t2, t2);
     }
     fe25519_mul(t1, t2, t1);
-    fe25519_sq(t1, t1);
-    for (i = 1; i < 5; ++i) {
+    for (i = 1; i < 6; ++i) {
         fe25519_sq(t1, t1);
     }
     fe25519_mul(out, t1, t0);
@@ -138,8 +135,7 @@ fe25519_pow22523(fe25519 out, const fe25519 z)
         fe25519_sq(t2, t2);
     }
     fe25519_mul(t1, t2, t1);
-    fe25519_sq(t1, t1);
-    for (i = 1; i < 10; ++i) {
+    for (i = 1; i < 11; ++i) {
         fe25519_sq(t1, t1);
     }
     fe25519_mul(t0, t1, t0);
@@ -153,8 +149,7 @@ fe25519_pow22523(fe25519 out, const fe25519 z)
         fe25519_sq(t2, t2);
     }
     fe25519_mul(t1, t2, t1);
-    fe25519_sq(t1, t1);
-    for (i = 1; i < 50; ++i) {
+    for (i = 1; i < 51; ++i) {
         fe25519_sq(t1, t1);
     }
     fe25519_mul(t0, t1, t0);
@@ -179,6 +174,55 @@ fe25519_abs(fe25519 h, const fe25519 f)
     fe25519_cneg(h, f, fe25519_isnegative(f));
 }
 
+static inline void
+fe25519_sqmul(fe25519 s, const int n, const fe25519 a)
+{
+    int i;
+
+    for (i = 0; i < n; i++) {
+        fe25519_sq(s, s);
+    }
+    fe25519_mul(s, s, a);
+}
+
+static unsigned int
+fe25519_notsquare(const fe25519 x)
+{
+    fe25519       _10, _11, _1100, _1111, _11110000, _11111111;
+    fe25519       t, u, v;
+    unsigned char s[32];
+
+    /* Jacobi symbol - x^((p-1)/2) */
+    fe25519_mul(_10, x, x);
+    fe25519_mul(_11, x, _10);
+    fe25519_sq(_1100, _11);
+    fe25519_sq(_1100, _1100);
+    fe25519_mul(_1111, _11, _1100);
+    fe25519_sq(_11110000, _1111);
+    fe25519_sq(_11110000, _11110000);
+    fe25519_sq(_11110000, _11110000);
+    fe25519_sq(_11110000, _11110000);
+    fe25519_mul(_11111111, _1111, _11110000);
+    fe25519_copy(t, _11111111);
+    fe25519_sqmul(t, 2, _11);
+    fe25519_copy(u, t);
+    fe25519_sqmul(t, 10, u);
+    fe25519_sqmul(t, 10, u);
+    fe25519_copy(v, t);
+    fe25519_sqmul(t, 30, v);
+    fe25519_copy(v, t);
+    fe25519_sqmul(t, 60, v);
+    fe25519_copy(v, t);
+    fe25519_sqmul(t, 120, v);
+    fe25519_sqmul(t, 10, u);
+    fe25519_sqmul(t, 3, _11);
+    fe25519_sq(t, t);
+
+    fe25519_tobytes(s, t);
+
+    return s[1] & 1;
+}
+
 /*
  r = p + q
  */
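Review bot: `fe25519_notsquare` has no contract comment, and its return convention is only recoverable from the encoding trick on its last two lines: `s[1] & 1` is 1 exactly when the result is p-1 (canonical encoding ec ff ff ... 7f), while both 1 and 0 encode with `s[1] == 0`. A header comment would make that explicit, e.g. `/* Legendre symbol x^((p-1)/2): returns 1 if x is a non-square, 0 if x is a square or zero */`, with `/* p-1 encodes as ec ff ...; 1 and 0 have s[1] == 0 */` on the return. The zero case matters for the caller `ge25519_elligator2` in a later hunk of this file, where `gx == 0` then takes the "square" path (no negation, no `cmov` of `curve25519_A`), so the comment should state it rather than leave it implied by "Jacobi symbol". Minor: the first step `fe25519_mul(_10, x, x)` could be `fe25519_sq(_10, x)` for consistency with the rest of the chain.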
@@ -2071,46 +2115,52 @@ sc25519_sqmul(unsigned char s[32], const int n, const unsigned char a[32])
 void
 sc25519_invert(unsigned char recip[32], const unsigned char s[32])
 {
-    unsigned char _10[32], _100[32], _11[32], _101[32], _111[32],
-        _1001[32], _1011[32], _1111[32];
+    unsigned char _10[32], _100[32], _1000[32], _10000[32], _100000[32],
+        _1000000[32], _10010011[32], _10010111[32], _100110[32], _1010[32],
+        _1010000[32], _1010011[32], _1011[32], _10110[32], _10111101[32],
+        _11[32], _1100011[32], _1100111[32], _11010011[32], _1101011[32],
+        _11100111[32], _11101011[32], _11110101[32];
 
     sc25519_sq(_10, s);
-    sc25519_sq(_100, _10);
-    sc25519_mul(_11, _10, s);
-    sc25519_mul(_101, _10, _11);
-    sc25519_mul(_111, _10, _101);
-    sc25519_mul(_1001, _10, _111);
-    sc25519_mul(_1011, _10, _1001);
-    sc25519_mul(_1111, _100, _1011);
-    sc25519_mul(recip, _1111, s);
-
-    sc25519_sqmul(recip, 123 + 3, _101);
-    sc25519_sqmul(recip, 2 + 2, _11);
-    sc25519_sqmul(recip, 1 + 4, _1111);
-    sc25519_sqmul(recip, 1 + 4, _1111);
-    sc25519_sqmul(recip, 4, _1001);
-    sc25519_sqmul(recip, 2, _11);
-    sc25519_sqmul(recip, 1 + 4, _1111);
-    sc25519_sqmul(recip, 1 + 3, _101);
-    sc25519_sqmul(recip, 3 + 3, _101);
-    sc25519_sqmul(recip, 3, _111);
-    sc25519_sqmul(recip, 1 + 4, _1111);
-    sc25519_sqmul(recip, 2 + 3, _111);
-    sc25519_sqmul(recip, 2 + 2, _11);
-    sc25519_sqmul(recip, 1 + 4, _1011);
-    sc25519_sqmul(recip, 2 + 4, _1011);
-    sc25519_sqmul(recip, 6 + 4, _1001);
-    sc25519_sqmul(recip, 2 + 2, _11);
-    sc25519_sqmul(recip, 3 + 2, _11);
-    sc25519_sqmul(recip, 3 + 2, _11);
-    sc25519_sqmul(recip, 1 + 4, _1001);
-    sc25519_sqmul(recip, 1 + 3, _111);
-    sc25519_sqmul(recip, 2 + 4, _1111);
-    sc25519_sqmul(recip, 1 + 4, _1011);
-    sc25519_sqmul(recip, 3, _101);
-    sc25519_sqmul(recip, 2 + 4, _1111);
-    sc25519_sqmul(recip, 3, _101);
-    sc25519_sqmul(recip, 1 + 2, _11);
+    sc25519_mul(_11, s, _10);
+    sc25519_mul(_100, s, _11);
+    sc25519_sq(_1000, _100);
+    sc25519_mul(_1010, _10, _1000);
+    sc25519_mul(_1011, s, _1010);
+    sc25519_sq(_10000, _1000);
+    sc25519_sq(_10110, _1011);
+    sc25519_mul(_100000, _1010, _10110);
+    sc25519_mul(_100110, _10000, _10110);
+    sc25519_sq(_1000000, _100000);
+    sc25519_mul(_1010000, _10000, _1000000);
+    sc25519_mul(_1010011, _11, _1010000);
+    sc25519_mul(_1100011, _10000, _1010011);
+    sc25519_mul(_1100111, _100, _1100011);
+    sc25519_mul(_1101011, _100, _1100111);
+    sc25519_mul(_10010011, _1000000, _1010011);
+    sc25519_mul(_10010111, _100, _10010011);
+    sc25519_mul(_10111101, _100110, _10010111);
+    sc25519_mul(_11010011, _10110, _10111101);
+    sc25519_mul(_11100111, _1010000, _10010111);
+    sc25519_mul(_11101011, _100, _11100111);
+    sc25519_mul(_11110101, _1010, _11101011);
+
+    sc25519_mul(recip, _1011, _11110101);
+    sc25519_sqmul(recip, 126, _1010011);
+    sc25519_sqmul(recip, 9, _10);
+    sc25519_mul(recip, recip, _11110101);
+    sc25519_sqmul(recip, 7, _1100111);
+    sc25519_sqmul(recip, 9, _11110101);
+    sc25519_sqmul(recip, 11, _10111101);
+    sc25519_sqmul(recip, 8, _11100111);
+    sc25519_sqmul(recip, 9, _1101011);
+    sc25519_sqmul(recip, 6, _1011);
+    sc25519_sqmul(recip, 14, _10010011);
+    sc25519_sqmul(recip, 10, _1100011);
+    sc25519_sqmul(recip, 9, _10010111);
+    sc25519_sqmul(recip, 10, _11110101);
+    sc25519_sqmul(recip, 8, _11010011);
+    sc25519_sqmul(recip, 8, _11101011);
 }
 
 /*
@@ -2469,94 +2519,35 @@ sc25519_is_canonical(const unsigned char s[32])
     return (c != 0);
 }
 
-static void
-chi25519(fe25519 out, const fe25519 z)
-{
-    fe25519 t0, t1, t2, t3;
-    int     i;
-
-    fe25519_sq(t0, z);
-    fe25519_mul(t1, t0, z);
-    fe25519_sq(t0, t1);
-    fe25519_sq(t2, t0);
-    fe25519_sq(t2, t2);
-    fe25519_mul(t2, t2, t0);
-    fe25519_mul(t1, t2, z);
-    fe25519_sq(t2, t1);
-
-    for (i = 1; i < 5; i++) {
-        fe25519_sq(t2, t2);
-    }
-    fe25519_mul(t1, t2, t1);
-    fe25519_sq(t2, t1);
-    for (i = 1; i < 10; i++) {
-        fe25519_sq(t2, t2);
-    }
-    fe25519_mul(t2, t2, t1);
-    fe25519_sq(t3, t2);
-    for (i = 1; i < 20; i++) {
-        fe25519_sq(t3, t3);
-    }
-    fe25519_mul(t2, t3, t2);
-    fe25519_sq(t2, t2);
-    for (i = 1; i < 10; i++) {
-        fe25519_sq(t2, t2);
-    }
-    fe25519_mul(t1, t2, t1);
-    fe25519_sq(t2, t1);
-    for (i = 1; i < 50; i++) {
-        fe25519_sq(t2, t2);
-    }
-    fe25519_mul(t2, t2, t1);
-    fe25519_sq(t3, t2);
-    for (i = 1; i < 100; i++) {
-        fe25519_sq(t3, t3);
-    }
-    fe25519_mul(t2, t3, t2);
-    fe25519_sq(t2, t2);
-    for (i = 1; i < 50; i++) {
-        fe25519_sq(t2, t2);
-    }
-    fe25519_mul(t1, t2, t1);
-    fe25519_sq(t1, t1);
-    for (i = 1; i < 4; i++) {
-        fe25519_sq(t1, t1);
-    }
-    fe25519_mul(out, t1, t0);
-}
-
 static void
 ge25519_elligator2(unsigned char s[32], const fe25519 r, const unsigned char x_sign)
 {
-    fe25519      e;
+    fe25519      gx;
     fe25519      negx;
     fe25519      rr2;
     fe25519      x, x2, x3;
     ge25519_p3   p3;
     ge25519_p1p1 p1;
     ge25519_p2   p2;
-    unsigned int e_is_minus_1;
+    unsigned int notsquare;
 
     fe25519_sq2(rr2, r);
     rr2[0]++;
     fe25519_invert(rr2, rr2);
-    fe25519_mul(x, curve25519_A, rr2);
+    fe25519_mul32(x, rr2, curve25519_A[0]);
     fe25519_neg(x, x);
 
     fe25519_sq(x2, x);
     fe25519_mul(x3, x, x2);
-    fe25519_add(e, x3, x);
-    fe25519_mul(x2, x2, curve25519_A);
-    fe25519_add(e, x2, e);
-
-    chi25519(e, e);
+    fe25519_add(gx, x3, x);
+    fe25519_mul32(x2, x2, curve25519_A[0]);
+    fe25519_add(gx, x2, gx);
 
-    fe25519_tobytes(s, e);
-    e_is_minus_1 = s[1] & 1;
+    notsquare = fe25519_notsquare(gx);
     fe25519_neg(negx, x);
-    fe25519_cmov(x, negx, e_is_minus_1);
+    fe25519_cmov(x, negx, notsquare);
     fe25519_0(x2);
-    fe25519_cmov(x2, curve25519_A, e_is_minus_1);
+    fe25519_cmov(x2, curve25519_A, notsquare);
     fe25519_sub(x, x, x2);
 
     /* yed = (x-1)/(x+1) */
@@ -2675,6 +2666,7 @@ ristretto255_is_canonical(const unsigned char *s)
 {
     unsigned char c;
     unsigned char d;
+    unsigned char e;
     unsigned int  i;
 
     c = (s[31] & 0x7f) ^ 0x7f;
@@ -2683,8 +2675,9 @@ ristretto255_is_canonical(const unsigned char *s)
     }
     c = (((unsigned int) c) - 1U) >> 8;
     d = (0xed - 1U - (unsigned int) s[0]) >> 8;
+    e = s[31] >> 7;
 
-    return 1 - (((c & d) | s[0]) & 1);
+    return 1 - (((c & d) | e | s[0]) & 1);
 }
 
 int
@@ -2773,7 +2766,7 @@ ristretto255_p3_tobytes(unsigned char *s, const ge25519_p3 *h)
 
     fe25519_mul(ix, h->X, sqrtm1);     /* ix = X*sqrt(-1) */
     fe25519_mul(iy, h->Y, sqrtm1);     /* iy = Y*sqrt(-1) */
-    fe25519_mul(eden, den1, invsqrtamd); /* eden = den1*sqrt(a-d) */
+    fe25519_mul(eden, den1, invsqrtamd); /* eden = den1/sqrt(a-d) */
 
     fe25519_mul(t_z_inv, h->T, z_inv); /* t_z_inv = T*z_inv */
     rotate = fe25519_isnegative(t_z_inv);
@@ -2816,7 +2809,7 @@ ristretto255_elligator(ge25519_p3 *p, const fe25519 t)
     fe25519_mul(u, u, onemsqd);        /* u = (r+1)*(1-d^2) */
     fe25519_1(c);
     fe25519_neg(c, c);                 /* c = -1 */
-    fe25519_add(rpd, r, d);            /* rpd = r*d */
+    fe25519_add(rpd, r, d);            /* rpd = r+d */
     fe25519_mul(v, r, d);              /* v = r*d */
     fe25519_sub(v, c, v);              /* v = c-r*d */
     fe25519_mul(v, v, rpd);            /* v = (c-r*d)*(r+d) */

+ 0 - 0
Sources/Sodium/crypto_core/ed25519/ref10/fe_25_5/base.h


+ 0 - 0
Sources/Sodium/crypto_core/ed25519/ref10/fe_25_5/base2.h


+ 0 - 0
Sources/Sodium/crypto_core/ed25519/ref10/fe_25_5/constants.h


+ 0 - 0
Sources/Sodium/crypto_core/ed25519/ref10/fe_25_5/fe.h


+ 0 - 0
Sources/Sodium/crypto_core/ed25519/ref10/fe_51/base.h


+ 0 - 0
Sources/Sodium/crypto_core/ed25519/ref10/fe_51/base2.h


+ 0 - 0
Sources/Sodium/crypto_core/ed25519/ref10/fe_51/constants.h


+ 0 - 0
Sources/Sodium/crypto_core/ed25519/ref10/fe_51/fe.h


+ 0 - 0
Sources/Sodium/crypto_core/hchacha20/core_hchacha20.c


+ 0 - 0
Sources/Sodium/crypto_core/hsalsa20/core_hsalsa20.c


+ 0 - 0
Sources/Sodium/crypto_core/hsalsa20/ref2/core_hsalsa20_ref2.c


+ 0 - 0
Sources/Sodium/crypto_core/salsa/ref/core_salsa_ref.c


+ 0 - 0
Sources/Sodium/crypto_generichash/blake2b/generichash_blake2.c


+ 0 - 14
Sources/Sodium/crypto_generichash/blake2b/ref/blake2.h

@@ -23,20 +23,6 @@
 #include "crypto_generichash_blake2b.h"
 #include "export.h"
 
-#define blake2b_init_param crypto_generichash_blake2b__init_param
-#define blake2b_init crypto_generichash_blake2b__init
-#define blake2b_init_salt_personal \
-    crypto_generichash_blake2b__init_salt_personal
-#define blake2b_init_key crypto_generichash_blake2b__init_key
-#define blake2b_init_key_salt_personal \
-    crypto_generichash_blake2b__init_key_salt_personal
-#define blake2b_update crypto_generichash_blake2b__update
-#define blake2b_final crypto_generichash_blake2b__final
-#define blake2b crypto_generichash_blake2b__blake2b
-#define blake2b_salt_personal crypto_generichash_blake2b__blake2b_salt_personal
-#define blake2b_pick_best_implementation \
-    crypto_generichash_blake2b__pick_best_implementation
-
 enum blake2b_constant {
     BLAKE2B_BLOCKBYTES    = 128,
     BLAKE2B_OUTBYTES      = 64,
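Review bot: Removing the `blake2b_* -> crypto_generichash_blake2b__*` renaming macros changes the linkage names of every non-static `blake2b_*` definition that includes this header, and the file list shows `blake2b-ref.c` and the compress/load files with no changes in this commit. Unless those definitions already use the prefixed names, this vendored copy (which has no linker version script) now exports generic symbols such as `blake2b_init` and `blake2b_update` from the library, which can collide with another BLAKE2 implementation linked into the same process and silently pick up the wrong one. If that is intended, a short comment where the macros used to be, stating that the implementation files now carry the prefixed names directly, would let a reviewer confirm it without grepping; if not, the macros should stay or the definitions be made `static`/renamed in the same commit.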

+ 0 - 0
Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-compress-avx2.c


+ 0 - 0
Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-compress-avx2.h


+ 0 - 0
Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-compress-ref.c


+ 0 - 0
Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-compress-sse41.c


+ 0 - 0
Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-compress-sse41.h


+ 0 - 0
Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-compress-ssse3.c


+ 0 - 0
Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-compress-ssse3.h


+ 0 - 0
Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-load-avx2.h


+ 0 - 0
Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-load-sse2.h


+ 0 - 0
Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-load-sse41.h


+ 0 - 0
Sources/Sodium/crypto_generichash/blake2b/ref/blake2b-ref.c


+ 0 - 0
Sources/Sodium/crypto_generichash/blake2b/ref/generichash_blake2b.c


+ 0 - 0
Sources/Sodium/crypto_generichash/crypto_generichash.c


+ 0 - 0
Sources/Sodium/crypto_hash/crypto_hash.c


+ 0 - 0
Sources/Sodium/crypto_hash/sha256/cp/hash_sha256_cp.c


+ 0 - 0
Sources/Sodium/crypto_hash/sha256/hash_sha256.c


+ 0 - 0
Sources/Sodium/crypto_hash/sha512/cp/hash_sha512_cp.c


+ 0 - 0
Sources/Sodium/crypto_hash/sha512/hash_sha512.c


+ 0 - 0
Sources/Sodium/crypto_kdf/blake2b/kdf_blake2b.c


+ 0 - 0
Sources/Sodium/crypto_kdf/crypto_kdf.c


+ 0 - 0
Sources/Sodium/crypto_kx/crypto_kx.c


+ 0 - 0
Sources/Sodium/crypto_onetimeauth/crypto_onetimeauth.c


+ 0 - 0
Sources/Sodium/crypto_onetimeauth/poly1305/donna/poly1305_donna.c


+ 0 - 0
Sources/Sodium/crypto_onetimeauth/poly1305/donna/poly1305_donna.h


+ 0 - 0
Sources/Sodium/crypto_onetimeauth/poly1305/donna/poly1305_donna32.h


+ 0 - 0
Sources/Sodium/crypto_onetimeauth/poly1305/donna/poly1305_donna64.h


+ 0 - 0
Sources/Sodium/crypto_onetimeauth/poly1305/onetimeauth_poly1305.c


+ 0 - 0
Sources/Sodium/crypto_onetimeauth/poly1305/onetimeauth_poly1305.h


+ 0 - 0
Sources/Sodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.c


+ 0 - 0
Sources/Sodium/crypto_onetimeauth/poly1305/sse2/poly1305_sse2.h


+ 37 - 31
Sources/Sodium/crypto_pwhash/argon2/argon2-core.c

@@ -35,13 +35,17 @@
 # define MAP_ANON MAP_ANONYMOUS
 #endif
 #ifndef MAP_NOCORE
-# define MAP_NOCORE 0
+# ifdef MAP_CONCEAL
+#  define MAP_NOCORE MAP_CONCEAL
+# else
+#  define MAP_NOCORE 0
+# endif
 #endif
 #ifndef MAP_POPULATE
 # define MAP_POPULATE 0
 #endif
 
-static fill_segment_fn fill_segment = fill_segment_ref;
+static fill_segment_fn fill_segment = argon2_fill_segment_ref;
 
 static void
 load_block(block *dst, const void *input)
@@ -171,8 +175,8 @@ free_memory(block_region *region)
     free(region);
 }
 
-void
-free_instance(argon2_instance_t *instance, int flags)
+static void
+argon2_free_instance(argon2_instance_t *instance, int flags)
 {
     /* Clear memory */
     clear_memory(instance, flags & ARGON2_FLAG_CLEAR_MEMORY);
@@ -185,7 +189,7 @@ free_instance(argon2_instance_t *instance, int flags)
 }
 
 void
-finalize(const argon2_context *context, argon2_instance_t *instance)
+argon2_finalize(const argon2_context *context, argon2_instance_t *instance)
 {
     if (context != NULL && instance != NULL) {
         block    blockhash;
@@ -214,12 +218,12 @@ finalize(const argon2_context *context, argon2_instance_t *instance)
                            ARGON2_BLOCK_SIZE); /* clear blockhash_bytes */
         }
 
-        free_instance(instance, context->flags);
+        argon2_free_instance(instance, context->flags);
     }
 }
 
 void
-fill_memory_blocks(argon2_instance_t *instance, uint32_t pass)
+argon2_fill_memory_blocks(argon2_instance_t *instance, uint32_t pass)
 {
     argon2_position_t position;
     uint32_t l;
@@ -241,7 +245,7 @@ fill_memory_blocks(argon2_instance_t *instance, uint32_t pass)
 }
 
 int
-validate_inputs(const argon2_context *context)
+argon2_validate_inputs(const argon2_context *context)
 {
     /* LCOV_EXCL_START */
     if (NULL == context) {
@@ -321,6 +325,15 @@ validate_inputs(const argon2_context *context)
         }
     }
 
+    /* Validate lanes */
+    if (ARGON2_MIN_LANES > context->lanes) {
+        return ARGON2_LANES_TOO_FEW;
+    }
+
+    if (ARGON2_MAX_LANES < context->lanes) {
+        return ARGON2_LANES_TOO_MANY;
+    }
+
     /* Validate memory cost */
     if (ARGON2_MIN_MEMORY > context->m_cost) {
         return ARGON2_MEMORY_TOO_LITTLE;
@@ -343,15 +356,6 @@ validate_inputs(const argon2_context *context)
         return ARGON2_TIME_TOO_LARGE;
     }
 
-    /* Validate lanes */
-    if (ARGON2_MIN_LANES > context->lanes) {
-        return ARGON2_LANES_TOO_FEW;
-    }
-
-    if (ARGON2_MAX_LANES < context->lanes) {
-        return ARGON2_LANES_TOO_MANY;
-    }
-
     /* Validate threads */
     if (ARGON2_MIN_THREADS > context->threads) {
         return ARGON2_THREADS_TOO_FEW;
@@ -365,8 +369,8 @@ validate_inputs(const argon2_context *context)
     return ARGON2_OK;
 }
 
-void
-fill_first_blocks(uint8_t *blockhash, const argon2_instance_t *instance)
+static void
+argon2_fill_first_blocks(uint8_t *blockhash, const argon2_instance_t *instance)
 {
     uint32_t l;
     /* Make the first and second block in each lane as G(H0||i||0) or
@@ -389,8 +393,9 @@ fill_first_blocks(uint8_t *blockhash, const argon2_instance_t *instance)
     sodium_memzero(blockhash_bytes, ARGON2_BLOCK_SIZE);
 }
 
-void
-initial_hash(uint8_t *blockhash, argon2_context *context, argon2_type type)
+static void
+argon2_initial_hash(uint8_t *blockhash, argon2_context *context,
+                    argon2_type type)
 {
     crypto_generichash_blake2b_state BlakeHash;
     uint8_t                          value[4U /* sizeof(uint32_t) */];
@@ -473,7 +478,7 @@ initial_hash(uint8_t *blockhash, argon2_context *context, argon2_type type)
 }
 
 int
-initialize(argon2_instance_t *instance, argon2_context *context)
+argon2_initialize(argon2_instance_t *instance, argon2_context *context)
 {
     uint8_t blockhash[ARGON2_PREHASH_SEED_LENGTH];
     int     result = ARGON2_OK;
@@ -491,7 +496,7 @@ initialize(argon2_instance_t *instance, argon2_context *context)
 
     result = allocate_memory(&(instance->region), instance->memory_blocks);
     if (ARGON2_OK != result) {
-        free_instance(instance, context->flags);
+        argon2_free_instance(instance, context->flags);
         return result;
     }
 
@@ -499,45 +504,46 @@ initialize(argon2_instance_t *instance, argon2_context *context)
     /* H_0 + 8 extra bytes to produce the first blocks */
     /* uint8_t blockhash[ARGON2_PREHASH_SEED_LENGTH]; */
     /* Hashing all inputs */
-    initial_hash(blockhash, context, instance->type);
+    argon2_initial_hash(blockhash, context, instance->type);
     /* Zeroing 8 extra bytes */
     sodium_memzero(blockhash + ARGON2_PREHASH_DIGEST_LENGTH,
                    ARGON2_PREHASH_SEED_LENGTH - ARGON2_PREHASH_DIGEST_LENGTH);
 
     /* 3. Creating first blocks, we always have at least two blocks in a slice
      */
-    fill_first_blocks(blockhash, instance);
+    argon2_fill_first_blocks(blockhash, instance);
     /* Clearing the hash */
     sodium_memzero(blockhash, ARGON2_PREHASH_SEED_LENGTH);
 
     return ARGON2_OK;
 }
 
-int
+static int
 argon2_pick_best_implementation(void)
 {
 /* LCOV_EXCL_START */
 #if defined(HAVE_AVX512FINTRIN_H) && defined(HAVE_AVX2INTRIN_H) && \
-    defined(HAVE_TMMINTRIN_H) && defined(HAVE_SMMINTRIN_H)
+    defined(HAVE_TMMINTRIN_H) && defined(HAVE_SMMINTRIN_H) && \
+    !defined(__APPLE__)
     if (sodium_runtime_has_avx512f()) {
-        fill_segment = fill_segment_avx512f;
+        fill_segment = argon2_fill_segment_avx512f;
         return 0;
     }
 #endif
 #if defined(HAVE_AVX2INTRIN_H) && defined(HAVE_TMMINTRIN_H) && \
     defined(HAVE_SMMINTRIN_H)
     if (sodium_runtime_has_avx2()) {
-        fill_segment = fill_segment_avx2;
+        fill_segment = argon2_fill_segment_avx2;
         return 0;
     }
 #endif
 #if defined(HAVE_EMMINTRIN_H) && defined(HAVE_TMMINTRIN_H)
     if (sodium_runtime_has_ssse3()) {
-        fill_segment = fill_segment_ssse3;
+        fill_segment = argon2_fill_segment_ssse3;
         return 0;
     }
 #endif
-    fill_segment = fill_segment_ref;
+    fill_segment = argon2_fill_segment_ref;
 
     return 0;
     /* LCOV_EXCL_STOP */

+ 13 - 39
Sources/Sodium/crypto_pwhash/argon2/argon2-core.h

@@ -214,28 +214,7 @@ static uint32_t index_alpha(const argon2_instance_t *instance,
  * @return ARGON2_OK if everything is all right, otherwise one of error codes
  * (all defined in <argon2.h>
  */
-int validate_inputs(const argon2_context *context);
-
-/*
- * Hashes all the inputs into @a blockhash[PREHASH_DIGEST_LENGTH], clears
- * password and secret if needed
- * @param  context  Pointer to the Argon2 internal structure containing memory
- * pointer, and parameters for time and space requirements.
- * @param  blockhash Buffer for pre-hashing digest
- * @param  type Argon2 type
- * @pre    @a blockhash must have at least @a PREHASH_DIGEST_LENGTH bytes
- * allocated
- */
-void initial_hash(uint8_t *blockhash, argon2_context *context,
-                  argon2_type type);
-
-/*
- * Function creates first 2 blocks per lane
- * @param instance Pointer to the current instance
- * @param blockhash Pointer to the pre-hashing digest
- * @pre blockhash must point to @a PREHASH_SEED_LENGTH allocated values
- */
-void fill_first_blocks(uint8_t *blockhash, const argon2_instance_t *instance);
+int argon2_validate_inputs(const argon2_context *context);
 
 /*
  * Function allocates memory, hashes the inputs with Blake,  and creates first
@@ -247,12 +226,7 @@ void fill_first_blocks(uint8_t *blockhash, const argon2_instance_t *instance);
  * @return Zero if successful, -1 if memory failed to allocate. @context->state
  * will be modified if successful.
  */
-int initialize(argon2_instance_t *instance, argon2_context *context);
-
-/*
- * Deallocates memory. Used on error path.
- */
-void free_instance(argon2_instance_t *instance, int flags);
+int argon2_initialize(argon2_instance_t *instance, argon2_context *context);
 
 /*
  * XORing the last block of each lane, hashing it, making the tag. Deallocates
@@ -265,7 +239,8 @@ void free_instance(argon2_instance_t *instance, int flags);
  * @pre if context->free_cbk is not NULL, it should point to a function that
  * deallocates memory
  */
-void finalize(const argon2_context *context, argon2_instance_t *instance);
+void argon2_finalize(const argon2_context *context,
+                     argon2_instance_t *instance);
 
 /*
  * Function that fills the segment using previous segments also from other
@@ -276,15 +251,14 @@ void finalize(const argon2_context *context, argon2_instance_t *instance);
  */
 typedef void (*fill_segment_fn)(const argon2_instance_t *instance,
                                 argon2_position_t        position);
-int argon2_pick_best_implementation(void);
-void fill_segment_avx512f(const argon2_instance_t *instance,
-                          argon2_position_t        position);
-void fill_segment_avx2(const argon2_instance_t *instance,
-                       argon2_position_t        position);
-void fill_segment_ssse3(const argon2_instance_t *instance,
-                        argon2_position_t        position);
-void fill_segment_ref(const argon2_instance_t *instance,
-                      argon2_position_t        position);
+void argon2_fill_segment_avx512f(const argon2_instance_t *instance,
+                                 argon2_position_t        position);
+void argon2_fill_segment_avx2(const argon2_instance_t *instance,
+                              argon2_position_t        position);
+void argon2_fill_segment_ssse3(const argon2_instance_t *instance,
+                               argon2_position_t        position);
+void argon2_fill_segment_ref(const argon2_instance_t *instance,
+                             argon2_position_t        position);
 
 /*
  * Function that fills the entire memory t_cost times based on the first two
@@ -292,6 +266,6 @@ void fill_segment_ref(const argon2_instance_t *instance,
  * @param instance Pointer to the current instance
  * @return Zero if successful, -1 if memory failed to allocate
  */
-void fill_memory_blocks(argon2_instance_t *instance, uint32_t pass);
+void argon2_fill_memory_blocks(argon2_instance_t *instance, uint32_t pass);
 
 #endif
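Review bot: The doc comment above `argon2_fill_memory_blocks` still carries `@return Zero if successful, -1 if memory failed to allocate`, but the prototype the hunk rewrites returns `void`, so it documents a return value that does not exist. Since the declaration is being renamed anyway, replace that line with something true, e.g. `* Memory is allocated by argon2_initialize(); this function does not fail.` (the comment on argon2_initialize earlier in this file is where allocation is described). The same kind of drift is worth a glance at the `@return Zero if successful, -1` wording on argon2_initialize, whose implementation in argon2-core.c returns ARGON2_OK and Argon2 error codes rather than -1.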

+ 6 - 5
Sources/Sodium/crypto_pwhash/argon2/argon2-encoding.c

@@ -83,7 +83,7 @@ decode_decimal(const char *str, unsigned long *v)
  * output length must be in the allowed ranges defined in argon2.h.
  *
  * The ctx struct must contain buffers large enough to hold the salt and pwd
- * when it is fed into decode_string.
+ * when it is fed into argon2_decode_string.
  */
 
 /*
@@ -91,7 +91,7 @@ decode_decimal(const char *str, unsigned long *v)
  * Returned value is ARGON2_OK on success.
  */
 int
-decode_string(argon2_context *ctx, const char *str, argon2_type type)
+argon2_decode_string(argon2_context *ctx, const char *str, argon2_type type)
 {
 /* Prefix checking */
 #define CC(prefix)                               \
@@ -193,7 +193,7 @@ decode_string(argon2_context *ctx, const char *str, argon2_type type)
     BIN(ctx->salt, maxsaltlen, ctx->saltlen);
     CC("$");
     BIN(ctx->out, maxoutlen, ctx->outlen);
-    validation_result = validate_inputs(ctx);
+    validation_result = argon2_validate_inputs(ctx);
     if (validation_result != ARGON2_OK) {
         return validation_result;
     }
@@ -238,7 +238,8 @@ u32_to_string(char *str, uint32_t x)
  * On success, ARGON2_OK is returned.
  */
 int
-encode_string(char *dst, size_t dst_len, argon2_context *ctx, argon2_type type)
+argon2_encode_string(char *dst, size_t dst_len, argon2_context *ctx,
+                     argon2_type type)
 {
 #define SS(str)                          \
     do {                                 \
@@ -280,7 +281,7 @@ encode_string(char *dst, size_t dst_len, argon2_context *ctx, argon2_type type)
     default:
         return ARGON2_ENCODING_FAIL;
     }
-    validation_result = validate_inputs(ctx);
+    validation_result = argon2_validate_inputs(ctx);
     if (validation_result != ARGON2_OK) {
         return validation_result;
     }

+ 4 - 3
Sources/Sodium/crypto_pwhash/argon2/argon2-encoding.h

@@ -17,8 +17,8 @@
  *
  * No other parameters are checked
  */
-int encode_string(char *dst, size_t dst_len, argon2_context *ctx,
-                  argon2_type type);
+int argon2_encode_string(char *dst, size_t dst_len, argon2_context *ctx,
+                         argon2_type type);
 
 /*
  * Decodes an Argon2 hash string into the provided structure 'ctx'.
@@ -28,6 +28,7 @@ int encode_string(char *dst, size_t dst_len, argon2_context *ctx,
  *
  * Returned value is ARGON2_OK on success.
  */
-int decode_string(argon2_context *ctx, const char *str, argon2_type type);
+int argon2_decode_string(argon2_context *ctx, const char *str,
+                         argon2_type type);
 
 #endif

+ 2 - 2
Sources/Sodium/crypto_pwhash/argon2/argon2-fill-block-avx2.c

@@ -141,8 +141,8 @@ generate_addresses(const argon2_instance_t *instance,
 }
 
 void
-fill_segment_avx2(const argon2_instance_t *instance,
-                  argon2_position_t        position)
+argon2_fill_segment_avx2(const argon2_instance_t *instance,
+                         argon2_position_t        position)
 {
     block    *ref_block = NULL, *curr_block = NULL;
     uint64_t  pseudo_rand, ref_index, ref_lane;

+ 2 - 2
Sources/Sodium/crypto_pwhash/argon2/argon2-fill-block-avx512f.c

@@ -146,8 +146,8 @@ generate_addresses(const argon2_instance_t *instance,
 }
 
 void
-fill_segment_avx512f(const argon2_instance_t *instance,
-                     argon2_position_t        position)
+argon2_fill_segment_avx512f(const argon2_instance_t *instance,
+                            argon2_position_t        position)
 {
     block    *ref_block = NULL, *curr_block = NULL;
     uint64_t  pseudo_rand, ref_index, ref_lane;

+ 2 - 1
Sources/Sodium/crypto_pwhash/argon2/argon2-fill-block-ref.c

@@ -141,7 +141,8 @@ generate_addresses(const argon2_instance_t *instance,
 }
 
 void
-fill_segment_ref(const argon2_instance_t *instance, argon2_position_t position)
+argon2_fill_segment_ref(const argon2_instance_t *instance,
+                        argon2_position_t position)
 {
     block    *ref_block = NULL, *curr_block = NULL;
     /* Pseudo-random values that determine the reference block position */

+ 2 - 2
Sources/Sodium/crypto_pwhash/argon2/argon2-fill-block-ssse3.c

@@ -140,8 +140,8 @@ generate_addresses(const argon2_instance_t *instance,
 }
 
 void
-fill_segment_ssse3(const argon2_instance_t *instance,
-                   argon2_position_t        position)
+argon2_fill_segment_ssse3(const argon2_instance_t *instance,
+                          argon2_position_t        position)
 {
     block    *ref_block = NULL, *curr_block = NULL;
     uint64_t  pseudo_rand, ref_index, ref_lane;

+ 13 - 12
Sources/Sodium/crypto_pwhash/argon2/argon2.c

@@ -27,7 +27,7 @@ int
 argon2_ctx(argon2_context *context, argon2_type type)
 {
     /* 1. Validate all inputs */
-    int               result = validate_inputs(context);
+    int               result = argon2_validate_inputs(context);
     uint32_t          memory_blocks, segment_length;
     uint32_t          pass;
     argon2_instance_t instance;
@@ -65,7 +65,7 @@ argon2_ctx(argon2_context *context, argon2_type type)
     /* 3. Initialization: Hashing inputs, allocating memory, filling first
      * blocks
      */
-    result = initialize(&instance, context);
+    result = argon2_initialize(&instance, context);
 
     if (ARGON2_OK != result) {
         return result;
@@ -73,11 +73,11 @@ argon2_ctx(argon2_context *context, argon2_type type)
 
     /* 4. Filling memory */
     for (pass = 0; pass < instance.passes; pass++) {
-        fill_memory_blocks(&instance, pass);
+        argon2_fill_memory_blocks(&instance, pass);
     }
 
     /* 5. Finalization */
-    finalize(context, &instance);
+    argon2_finalize(context, &instance);
 
     return ARGON2_OK;
 }
@@ -134,14 +134,10 @@ argon2_hash(const uint32_t t_cost, const uint32_t m_cost,
         return result;
     }
 
-    /* if raw hash requested, write it */
-    if (hash) {
-        memcpy(hash, out, hashlen);
-    }
-
     /* if encoding requested, write it */
     if (encoded && encodedlen) {
-        if (encode_string(encoded, encodedlen, &context, type) != ARGON2_OK) {
+        if (argon2_encode_string(encoded, encodedlen,
+                                 &context, type) != ARGON2_OK) {
             sodium_memzero(out, hashlen);
             sodium_memzero(encoded, encodedlen);
             free(out);
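Review bot: Moving the `memcpy(hash, out, hashlen)` below the encoding step (this hunk removes it, the next hunk re-adds it after the encode block) changes the error contract of argon2_hash: when `argon2_encode_string` fails, the caller's `hash` buffer is now left untouched instead of already holding a raw hash for a call that then reports failure. That is the safer behaviour, but nothing says it is deliberate, so a future cleanup could reorder it back; a comment at the re-added block such as `/* write the raw hash only once encoding has succeeded, so a failed call leaves the caller's hash buffer untouched */` would pin it. argon2_hash starts and ends outside these hunks.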
@@ -149,6 +145,11 @@ argon2_hash(const uint32_t t_cost, const uint32_t m_cost,
         }
     }
 
+    /* if raw hash requested, write it */
+    if (hash) {
+        memcpy(hash, out, hashlen);
+    }
+
     sodium_memzero(out, hashlen);
     free(out);
 
@@ -214,7 +215,7 @@ argon2_verify(const char *encoded, const void *pwd, const size_t pwdlen,
     ctx.secret    = NULL;
     ctx.secretlen = 0;
 
-    /* max values, to be updated in decode_string */
+    /* max values, to be updated in argon2_decode_string */
     encoded_len = strlen(encoded);
     if (encoded_len > UINT32_MAX) {
         return ARGON2_DECODING_LENGTH_FAIL;
@@ -240,7 +241,7 @@ argon2_verify(const char *encoded, const void *pwd, const size_t pwdlen,
         return ARGON2_MEMORY_ALLOCATION_ERROR;
     }
 
-    decode_result = decode_string(&ctx, encoded, type);
+    decode_result = argon2_decode_string(&ctx, encoded, type);
     if (decode_result != ARGON2_OK) {
         free(ctx.ad);
         free(ctx.salt);

+ 2 - 2
Sources/Sodium/crypto_pwhash/argon2/argon2.h

@@ -283,7 +283,7 @@ int argon2_hash(const uint32_t t_cost, const uint32_t m_cost,
 
 /**
  * Verifies a password against an encoded string
- * Encoded string is restricted as in validate_inputs()
+ * Encoded string is restricted as in argon2_validate_inputs()
  * @param encoded String encoding parameters, salt, hash
  * @param pwd Pointer to password
  * @pre   Returns ARGON2_OK if successful
@@ -292,7 +292,7 @@ int argon2i_verify(const char *encoded, const void *pwd, const size_t pwdlen);
 
 /**
  * Verifies a password against an encoded string
- * Encoded string is restricted as in validate_inputs()
+ * Encoded string is restricted as in argon2_validate_inputs()
  * @param encoded String encoding parameters, salt, hash
  * @param pwd Pointer to password
  * @pre   Returns ARGON2_OK if successful

+ 0 - 0
Sources/Sodium/crypto_pwhash/argon2/blake2b-long.c


+ 0 - 0
Sources/Sodium/crypto_pwhash/argon2/blake2b-long.h


+ 0 - 0
Sources/Sodium/crypto_pwhash/argon2/blamka-round-avx2.h


+ 0 - 0
Sources/Sodium/crypto_pwhash/argon2/blamka-round-avx512f.h


+ 0 - 0
Sources/Sodium/crypto_pwhash/argon2/blamka-round-ref.h


+ 0 - 0
Sources/Sodium/crypto_pwhash/argon2/blamka-round-ssse3.h


+ 5 - 1
Sources/Sodium/crypto_pwhash/argon2/pwhash_argon2i.c

@@ -163,6 +163,10 @@ crypto_pwhash_argon2i(unsigned char *const out, unsigned long long outlen,
         errno = EINVAL;
         return -1;
     }
+    if ((const void *) out == (const void *) passwd) {
+        errno = EINVAL;
+        return -1;
+    }
     switch (alg) {
     case crypto_pwhash_argon2i_ALG_ARGON2I13:
         if (argon2i_hash_raw((uint32_t) opslimit, (uint32_t) (memlimit / 1024U),
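Review bot: The new `out == passwd` check rejects only exact aliasing; an `out` buffer that merely overlaps the password (`out + 1 == passwd`, or `out` pointing into a longer password) still passes, and whichever of the two buffers the callee touches first may then silently corrupt the other. A complete overlap test would need ordered comparison of pointers into distinct objects, which C does not define, so the practical fix is to document the contract next to the check: `/* out and passwd must not alias; only identical pointers are detected here, partial overlap remains the caller's responsibility */`. The same check with the same limitation is added in pwhash_argon2id.c and pwhash_scryptsalsa208sha256.c. crypto_pwhash_argon2i starts and ends outside the hunk.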
@@ -261,7 +265,7 @@ _needs_rehash(const char *str, unsigned long long opslimit, size_t memlimit,
     ctx.outlen = ctx.pwdlen    = ctx.saltlen = (uint32_t) fodder_len;
     ctx.ad     = ctx.secret    = NULL;
     ctx.adlen  = ctx.secretlen = 0U;
-    if (decode_string(&ctx, str, type) != 0) {
+    if (argon2_decode_string(&ctx, str, type) != 0) {
         errno = EINVAL;
         ret = -1;
     } else if (ctx.t_cost != (uint32_t) opslimit ||

+ 4 - 0
Sources/Sodium/crypto_pwhash/argon2/pwhash_argon2id.c

@@ -159,6 +159,10 @@ crypto_pwhash_argon2id(unsigned char *const out, unsigned long long outlen,
         errno = EINVAL;
         return -1;
     }
+    if ((const void *) out == (const void *) passwd) {
+        errno = EINVAL;
+        return -1;
+    }
     switch (alg) {
     case crypto_pwhash_argon2id_ALG_ARGON2ID13:
         if (argon2id_hash_raw((uint32_t) opslimit, (uint32_t) (memlimit / 1024U),

+ 0 - 0
Sources/Sodium/crypto_pwhash/crypto_pwhash.c


+ 0 - 0
Sources/Sodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt-common.c


+ 21 - 21
Sources/Sodium/crypto_pwhash/scryptsalsa208sha256/crypto_scrypt.h

@@ -61,38 +61,38 @@ typedef union {
 
 typedef escrypt_region_t escrypt_local_t;
 
-extern int escrypt_init_local(escrypt_local_t *__local);
+int escrypt_init_local(escrypt_local_t *__local);
 
-extern int escrypt_free_local(escrypt_local_t *__local);
+int escrypt_free_local(escrypt_local_t *__local);
 
-extern void *alloc_region(escrypt_region_t *region, size_t size);
-extern int free_region(escrypt_region_t *region);
+void *escrypt_alloc_region(escrypt_region_t *region, size_t size);
+int escrypt_free_region(escrypt_region_t *region);
 
 typedef int (*escrypt_kdf_t)(escrypt_local_t *__local, const uint8_t *__passwd,
                              size_t __passwdlen, const uint8_t *__salt,
                              size_t __saltlen, uint64_t __N, uint32_t __r,
                              uint32_t __p, uint8_t *__buf, size_t __buflen);
 
-extern int escrypt_kdf_nosse(escrypt_local_t *__local, const uint8_t *__passwd,
-                             size_t __passwdlen, const uint8_t *__salt,
-                             size_t __saltlen, uint64_t __N, uint32_t __r,
-                             uint32_t __p, uint8_t *__buf, size_t __buflen);
+int escrypt_kdf_nosse(escrypt_local_t *__local, const uint8_t *__passwd,
+                      size_t __passwdlen, const uint8_t *__salt,
+                      size_t __saltlen, uint64_t __N, uint32_t __r,
+                      uint32_t __p, uint8_t *__buf, size_t __buflen);
 
-extern int escrypt_kdf_sse(escrypt_local_t *__local, const uint8_t *__passwd,
-                           size_t __passwdlen, const uint8_t *__salt,
-                           size_t __saltlen, uint64_t __N, uint32_t __r,
-                           uint32_t __p, uint8_t *__buf, size_t __buflen);
+int escrypt_kdf_sse(escrypt_local_t *__local, const uint8_t *__passwd,
+                    size_t __passwdlen, const uint8_t *__salt,
+                    size_t __saltlen, uint64_t __N, uint32_t __r,
+                    uint32_t __p, uint8_t *__buf, size_t __buflen);
 
-extern uint8_t *escrypt_r(escrypt_local_t *__local, const uint8_t *__passwd,
-                          size_t __passwdlen, const uint8_t *__setting,
-                          uint8_t *__buf, size_t __buflen);
+uint8_t *escrypt_r(escrypt_local_t *__local, const uint8_t *__passwd,
+                   size_t __passwdlen, const uint8_t *__setting,
+                   uint8_t *__buf, size_t __buflen);
 
-extern uint8_t *escrypt_gensalt_r(uint32_t __N_log2, uint32_t __r, uint32_t __p,
-                                  const uint8_t *__src, size_t __srclen,
-                                  uint8_t *__buf, size_t __buflen);
+uint8_t *escrypt_gensalt_r(uint32_t __N_log2, uint32_t __r, uint32_t __p,
+                           const uint8_t *__src, size_t __srclen,
+                           uint8_t *__buf, size_t __buflen);
 
-extern const uint8_t *escrypt_parse_setting(const uint8_t *setting,
-                                            uint32_t *N_log2_p, uint32_t *r_p,
-                                            uint32_t *p_p);
+const uint8_t *escrypt_parse_setting(const uint8_t *setting,
+                                     uint32_t *N_log2_p, uint32_t *r_p,
+                                     uint32_t *p_p);
 
 #endif /* !_CRYPTO_SCRYPT_H_ */

+ 15 - 18
Sources/Sodium/crypto_pwhash/scryptsalsa208sha256/nosse/pwhash_scryptsalsa208sha256_nosse.c

@@ -106,7 +106,7 @@ blkxor(escrypt_block_t *dest, const escrypt_block_t *src, size_t len)
 #endif
 }
 
-/**
+/*
  * salsa20_8(B):
  * Apply the salsa20/8 core to the provided block.
  */
@@ -168,11 +168,12 @@ salsa20_8(uint32_t B[16])
     }
 }
 
-/**
+/*
  * blockmix_salsa8(Bin, Bout, X, r):
- * Compute Bout = BlockMix_{salsa20/8, r}(Bin).  The input Bin must be 128r
- * bytes in length; the output Bout must also be the same size.  The
- * temporary space X must be 64 bytes.
+ * Compute Bout = BlockMix_{salsa20/8, r}(Bin).
+ * The input Bin must be 128r bytes in length;
+ * The output Bout must also be the same size.
+ * The temporary space X must be 64 bytes.
  */
 static void
 blockmix_salsa8(const uint32_t *Bin, uint32_t *Bout, uint32_t *X, size_t r)
@@ -207,19 +208,19 @@ blockmix_salsa8(const uint32_t *Bin, uint32_t *Bout, uint32_t *X, size_t r)
     }
 }
 
-/**
+/*
  * integerify(B, r):
  * Return the result of parsing B_{2r-1} as a little-endian integer.
  */
 static inline uint64_t
 integerify(const void *B, size_t r)
 {
-    const uint32_t *X = (const uint32_t *) ((uintptr_t)(B) + (2 * r - 1) * 64);
+    const uint32_t *X = ((const uint32_t *) B) + (2 * r - 1) * 16;
 
-    return (((uint64_t)(X[1]) << 32) + X[0]);
+    return ((uint64_t) (X[1]) << 32) + X[0];
 }
 
-/**
+/*
  * smix(B, r, N, V, XY):
  * Compute B = SMix_r(B, N).  The input B must be 128r bytes in length;
  * the temporary storage V must be 128rN bytes in length; the temporary
@@ -282,7 +283,7 @@ smix(uint8_t *B, size_t r, uint64_t N, uint32_t *V, uint32_t *XY)
     }
 }
 
-/**
+/*
  * escrypt_kdf(local, passwd, passwdlen, salt, saltlen,
  *     N, r, p, buf, buflen):
  * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
@@ -305,10 +306,6 @@ escrypt_kdf_nosse(escrypt_local_t *local, const uint8_t *passwd,
     uint32_t  i;
 
 /* Sanity-check parameters. */
-    if (r == 0 || p == 0) {
-        errno = EINVAL;
-        return -1;
-    }
 #if SIZE_MAX > UINT32_MAX
     if (buflen > (((uint64_t)(1) << 32) - 1) * 32) {
         errno = EFBIG;
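Review bot: The `r == 0 || p == 0` guard is deleted from the sanity-check section and nothing visible in this diff reinstates it, neither in this file nor in the SSE variant, which drops the same four lines from its own `/* Sanity-check parameters. */` block. With `r == 0` the `(2 * r - 1) * 16` offset in `integerify` wraps to an enormous value, and the block sizes derived from `r` and `p` (computed outside the hunk) presumably collapse to zero, so the check now has to be guaranteed by every caller of `escrypt_kdf_nosse` and `escrypt_kdf_sse`. If validation has moved up the call chain, a comment in place of the removed lines — `/* r and p are validated by the caller before the KDF is entered */` — keeps that contract visible; if it has not, the guard should come back. escrypt_kdf_nosse starts and ends outside the hunk.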
@@ -355,10 +352,10 @@ escrypt_kdf_nosse(escrypt_local_t *local, const uint8_t *passwd,
         return -1;
     }
     if (local->size < need) {
-        if (free_region(local)) {
+        if (escrypt_free_region(local)) {
             return -1;
         }
-        if (!alloc_region(local, need)) {
+        if (!escrypt_alloc_region(local, need)) {
             return -1;
         }
     }
@@ -367,7 +364,7 @@ escrypt_kdf_nosse(escrypt_local_t *local, const uint8_t *passwd,
     XY = (uint32_t *) ((uint8_t *) V + V_size);
 
     /* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */
-    PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size);
+    escrypt_PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size);
 
     /* 2: for i = 0 to p - 1 do */
     for (i = 0; i < p; i++) {
@@ -376,7 +373,7 @@ escrypt_kdf_nosse(escrypt_local_t *local, const uint8_t *passwd,
     }
 
     /* 5: DK <-- PBKDF2(P, B, 1, dkLen) */
-    PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen);
+    escrypt_PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen);
 
     /* Success! */
     return 0;

+ 4 - 3
Sources/Sodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.c

@@ -39,13 +39,14 @@
 #include "utils.h"
 
 /**
- * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
+ * escrypt_PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
  * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
  * write the output to buf.  The value dkLen must be at most 32 * (2^32 - 1).
  */
 void
-PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen, const uint8_t *salt,
-              size_t saltlen, uint64_t c, uint8_t *buf, size_t dkLen)
+escrypt_PBKDF2_SHA256(const uint8_t *passwd, size_t passwdlen,
+                      const uint8_t *salt, size_t saltlen, uint64_t c,
+                      uint8_t *buf, size_t dkLen)
 {
     crypto_auth_hmacsha256_state PShctx, hctx;
     size_t                       i;

+ 3 - 3
Sources/Sodium/crypto_pwhash/scryptsalsa208sha256/pbkdf2-sha256.h

@@ -35,11 +35,11 @@
 #include "crypto_auth_hmacsha256.h"
 
 /**
- * PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
+ * escrypt_PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, c, buf, dkLen):
  * Compute PBKDF2(passwd, salt, c, dkLen) using HMAC-SHA256 as the PRF, and
  * write the output to buf.  The value dkLen must be at most 32 * (2^32 - 1).
  */
-void PBKDF2_SHA256(const uint8_t *, size_t, const uint8_t *, size_t, uint64_t,
-                   uint8_t *, size_t);
+void escrypt_PBKDF2_SHA256(const uint8_t *, size_t, const uint8_t *, size_t,
+                           uint64_t, uint8_t *, size_t);
 
 #endif /* !_SHA256_H_ */

+ 4 - 0
Sources/Sodium/crypto_pwhash/scryptsalsa208sha256/pwhash_scryptsalsa208sha256.c

@@ -176,6 +176,10 @@ crypto_pwhash_scryptsalsa208sha256(unsigned char *const       out,
         errno = EINVAL; /* LCOV_EXCL_LINE */
         return -1;      /* LCOV_EXCL_LINE */
     }
+    if ((const void *) out == (const void *) passwd) {
+        errno = EINVAL;
+        return -1;
+    }
     return crypto_pwhash_scryptsalsa208sha256_ll(
         (const uint8_t *) passwd, (size_t) passwdlen, (const uint8_t *) salt,
         crypto_pwhash_scryptsalsa208sha256_SALTBYTES, (uint64_t)(1) << N_log2,

+ 8 - 4
Sources/Sodium/crypto_pwhash/scryptsalsa208sha256/scrypt_platform.c

@@ -31,14 +31,18 @@
 # define MAP_ANON MAP_ANONYMOUS
 #endif
 #ifndef MAP_NOCORE
-# define MAP_NOCORE 0
+# ifdef MAP_CONCEAL
+#  define MAP_NOCORE MAP_CONCEAL
+# else
+#  define MAP_NOCORE 0
+# endif
 #endif
 #ifndef MAP_POPULATE
 # define MAP_POPULATE 0
 #endif
 
 void *
-alloc_region(escrypt_region_t *region, size_t size)
+escrypt_alloc_region(escrypt_region_t *region, size_t size)
 {
     uint8_t *base, *aligned;
 #if defined(MAP_ANON) && defined(HAVE_MMAP)
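Review bot: The MAP_CONCEAL fallback is the right call but is left unexplained: MAP_CONCEAL is OpenBSD's name for excluding a mapping from core dumps, the same property MAP_NOCORE provides on the BSDs that have it, and it matters here because the region holds scrypt scratch state derived from the password. A comment on the `# ifdef MAP_CONCEAL` line — `/* OpenBSD spelling of MAP_NOCORE: keep the password-derived scratch memory out of core dumps */` — records why the two flags are treated as equivalent. escrypt_alloc_region continues outside the hunk.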
@@ -77,7 +81,7 @@ init_region(escrypt_region_t *region)
 }
 
 int
-free_region(escrypt_region_t *region)
+escrypt_free_region(escrypt_region_t *region)
 {
     if (region->base) {
 #if defined(MAP_ANON) && defined(HAVE_MMAP)
@@ -104,5 +108,5 @@ escrypt_init_local(escrypt_local_t *local)
 int
 escrypt_free_local(escrypt_local_t *local)
 {
-    return free_region(local);
+    return escrypt_free_region(local);
 }

+ 21 - 27
Sources/Sodium/crypto_pwhash/scryptsalsa208sha256/sse/pwhash_scryptsalsa208sha256_sse.c

@@ -50,17 +50,12 @@
 # include "../crypto_scrypt.h"
 # include "../pbkdf2-sha256.h"
 
-# if defined(__XOP__) && defined(DISABLED)
-#  define ARX(out, in1, in2, s) \
-    out = _mm_xor_si128(out, _mm_roti_epi32(_mm_add_epi32(in1, in2), s));
-# else
-#  define ARX(out, in1, in2, s)                                    \
+# define ARX(out, in1, in2, s)                                     \
     {                                                              \
         __m128i T = _mm_add_epi32(in1, in2);                       \
         out       = _mm_xor_si128(out, _mm_slli_epi32(T, s));      \
         out       = _mm_xor_si128(out, _mm_srli_epi32(T, 32 - s)); \
     }
-# endif
 
 # define SALSA20_2ROUNDS              \
     /* Operate on "columns". */       \
@@ -85,7 +80,7 @@
     X2 = _mm_shuffle_epi32(X2, 0x4E); \
     X3 = _mm_shuffle_epi32(X3, 0x93);
 
-/**
+/*
  * Apply the salsa20/8 core to the block provided in (X0 ... X3) ^ (Z0 ... Z3).
  */
 # define SALSA20_8_XOR(in, out)                               \
@@ -103,10 +98,11 @@
         (out)[3] = X3 = _mm_add_epi32(X3, Y3);                \
     }
 
-/**
+/*
  * blockmix_salsa8(Bin, Bout, r):
- * Compute Bout = BlockMix_{salsa20/8, r}(Bin).  The input Bin must be 128r
- * bytes in length; the output Bout must also be the same size.
+ * Compute Bout = BlockMix_{salsa20/8, r}(Bin).
+ * The input Bin must be 128r bytes in length;
+ * the output Bout must also be the same size.
  */
 static inline void
 blockmix_salsa8(const __m128i *Bin, __m128i *Bout, size_t r)
@@ -208,18 +204,20 @@ blockmix_salsa8_xor(const __m128i *Bin1, const __m128i *Bin2, __m128i *Bout,
 # undef XOR4
 # undef XOR4_2
 
-/**
+/*
  * integerify(B, r):
  * Return the result of parsing B_{2r-1} as a little-endian integer.
  * Note that B's layout is permuted compared to the generic implementation.
  */
-static inline uint32_t
+static inline uint64_t
 integerify(const void *B, size_t r)
 {
-    return *(const uint32_t *) ((uintptr_t)(B) + (2 * r - 1) * 64);
+    const uint64_t *X = ((const uint64_t *) B) + (2 * r - 1) * 8;
+
+    return *X;
 }
 
-/**
+/*
  * smix(B, r, N, V, XY):
  * Compute B = SMix_r(B, N).  The input B must be 128r bytes in length;
  * the temporary storage V must be 128rN bytes in length; the temporary
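Review bot: `integerify` now returns a contiguous 64-bit word read from the block, whereas the generic implementation assembles its result as `((uint64_t) (X[1]) << 32) + X[0]` from the unpermuted block, and the comment directly above this function states that this file's block layout is permuted. The two versions are therefore guaranteed to agree only in their low 32 bits, which is fine as long as the mask applied to the value in `smix` (outside the hunk) never reaches bit 32 — i.e. while `N` does not exceed 2^32 — but `N`, `i` and `j` were widened to `uint64_t` in this same change, so that bound is no longer enforced by the types. If `N` is bounded elsewhere, say so here: `/* only the low 32 bits are meaningful: the permuted layout places a different word above X[0] than the generic code, harmless while N <= 2^32 */`; otherwise the high word should be taken from the same logical position as in the generic version.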
@@ -228,12 +226,12 @@ integerify(const void *B, size_t r)
  * multiple of 64 bytes.
  */
 static void
-smix(uint8_t *B, size_t r, uint32_t N, void *V, void *XY)
+smix(uint8_t *B, size_t r, uint64_t N, void *V, void *XY)
 {
     size_t    s   = 128 * r;
-    __m128i * X   = (__m128i *) V, *Y;
+    __m128i  *X   = (__m128i *) V, *Y;
     uint32_t *X32 = (uint32_t *) V;
-    uint32_t  i, j;
+    uint64_t  i, j;
     size_t    k;
 
     /* 1: X <-- B */
@@ -295,7 +293,7 @@ smix(uint8_t *B, size_t r, uint32_t N, void *V, void *XY)
     }
 }
 
-/**
+/*
  * escrypt_kdf(local, passwd, passwdlen, salt, saltlen,
  *     N, r, p, buf, buflen):
  * Compute scrypt(passwd[0 .. passwdlen - 1], salt[0 .. saltlen - 1], N, r,
@@ -317,10 +315,6 @@ escrypt_kdf_sse(escrypt_local_t *local, const uint8_t *passwd, size_t passwdlen,
     uint32_t  i;
 
 /* Sanity-check parameters. */
-    if (r == 0 || p == 0) {
-        errno = EINVAL;
-        return -1;
-    }
 # if SIZE_MAX > UINT32_MAX
 /* LCOV_EXCL_START */
     if (buflen > (((uint64_t)(1) << 32) - 1) * 32) {
@@ -375,10 +369,10 @@ escrypt_kdf_sse(escrypt_local_t *local, const uint8_t *passwd, size_t passwdlen,
     }
 /* LCOV_EXCL_END */
     if (local->size < need) {
-        if (free_region(local)) {
+        if (escrypt_free_region(local)) {
             return -1; /* LCOV_EXCL_LINE */
         }
-        if (!alloc_region(local, need)) {
+        if (!escrypt_alloc_region(local, need)) {
             return -1; /* LCOV_EXCL_LINE */
         }
     }
@@ -387,16 +381,16 @@ escrypt_kdf_sse(escrypt_local_t *local, const uint8_t *passwd, size_t passwdlen,
     XY = (uint32_t *) ((uint8_t *) V + V_size);
 
     /* 1: (B_0 ... B_{p-1}) <-- PBKDF2(P, S, 1, p * MFLen) */
-    PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size);
+    escrypt_PBKDF2_SHA256(passwd, passwdlen, salt, saltlen, 1, B, B_size);
 
     /* 2: for i = 0 to p - 1 do */
     for (i = 0; i < p; i++) {
         /* 3: B_i <-- MF(B_i, N) */
-        smix(&B[(size_t) 128 * i * r], r, (uint32_t) N, V, XY);
+        smix(&B[(size_t) 128 * i * r], r, N, V, XY);
     }
 
     /* 5: DK <-- PBKDF2(P, B, 1, dkLen) */
-    PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen);
+    escrypt_PBKDF2_SHA256(passwd, passwdlen, B, B_size, 1, buf, buflen);
 
     /* Success! */
     return 0;

+ 0 - 0
Sources/Sodium/crypto_scalarmult/crypto_scalarmult.c


+ 1 - 1
Sources/Sodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.c

@@ -123,7 +123,7 @@ crypto_scalarmult_curve25519_ref10(unsigned char *q,
         fe25519_mul(x2, tmp1, tmp0);
         fe25519_sub(tmp1, tmp1, tmp0);
         fe25519_sq(z2, z2);
-        fe25519_scalar_product(z3, tmp1, 121666);
+        fe25519_mul32(z3, tmp1, 121666);
         fe25519_sq(x3, x3);
         fe25519_add(tmp0, tmp0, z3);
         fe25519_mul(z3, x1, z2);

+ 0 - 0
Sources/Sodium/crypto_scalarmult/curve25519/ref10/x25519_ref10.h


+ 0 - 0
Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/consts.S


+ 0 - 0
Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/consts_namespace.h


+ 1 - 46
Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/curve25519_sandy2x.c

@@ -15,7 +15,6 @@
 #include "fe.h"
 #include "fe51.h"
 #include "ladder.h"
-#include "ladder_base.h"
 
 #define x1 var[0]
 #define x2 var[1]
@@ -61,54 +60,10 @@ crypto_scalarmult_curve25519_sandy2x(unsigned char *q, const unsigned char *n,
   return 0;
 }
 
-#undef x2
-#undef z2
-
-#define x2 var[0]
-#define z2 var[1]
-
-static int
-crypto_scalarmult_curve25519_sandy2x_base(unsigned char *q,
-                                          const unsigned char *n)
-{
-  unsigned char *t = q;
-  fe             var[3];
-  fe51           x_51;
-  fe51           z_51;
-  unsigned int   i;
-
-  for (i = 0;i < 32; i++) {
-      t[i] = n[i];
-  }
-  t[0] &= 248;
-  t[31] &= 127;
-  t[31] |= 64;
-
-  ladder_base(var, t);
-
-  z_51.v[0] = (z2[1] << 26) + z2[0];
-  z_51.v[1] = (z2[3] << 26) + z2[2];
-  z_51.v[2] = (z2[5] << 26) + z2[4];
-  z_51.v[3] = (z2[7] << 26) + z2[6];
-  z_51.v[4] = (z2[9] << 26) + z2[8];
-
-  x_51.v[0] = (x2[1] << 26) + x2[0];
-  x_51.v[1] = (x2[3] << 26) + x2[2];
-  x_51.v[2] = (x2[5] << 26) + x2[4];
-  x_51.v[3] = (x2[7] << 26) + x2[6];
-  x_51.v[4] = (x2[9] << 26) + x2[8];
-
-  fe51_invert(&z_51, &z_51);
-  fe51_mul(&x_51, &x_51, &z_51);
-  fe51_pack(q, &x_51);
-
-  return 0;
-}
-
 struct crypto_scalarmult_curve25519_implementation
 crypto_scalarmult_curve25519_sandy2x_implementation = {
     SODIUM_C99(.mult = ) crypto_scalarmult_curve25519_sandy2x,
-    SODIUM_C99(.mult_base = ) crypto_scalarmult_curve25519_sandy2x_base
+    SODIUM_C99(.mult_base = ) NULL
 };
 
 #endif
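Review bot: `.mult_base` is now `NULL`, so any dispatcher that calls `implementation->mult_base(q, n)` unconditionally after selecting sandy2x would jump through a null function pointer; crypto_scalarmult.c appears in this commit with 0 additions and 0 deletions and the curve25519 dispatcher itself is not shown, so this cannot be confirmed from the diff. If the dispatcher is known to route base-point multiplication to another implementation, a comment on the initializer — `/* no base-point variant here; the dispatcher must fall back to another implementation for mult_base */` — documents the invariant the NULL relies on.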

+ 0 - 0
Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/curve25519_sandy2x.h


+ 0 - 0
Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/fe.h


+ 0 - 0
Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/fe51.h


+ 0 - 0
Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/fe51_invert.c


+ 0 - 0
Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/fe51_mul.S


+ 0 - 0
Sources/Sodium/crypto_scalarmult/curve25519/sandy2x/fe51_namespace.h

