3rdparty: Update monocypher from 3.1.2 to 3.1.3

src/3rdparty/monocypher/AUTHORS.md

@@ -1,21 +1,21 @@
 Designers
 ---------
 
-- **Chacha20:** Daniel J. Bernstein.
+- **ChaCha20:** Daniel J. Bernstein.
 - **Poly1305:** Daniel J. Bernstein.
-- **Blake2:**   Jean-Philippe Aumasson, Christian Winnerlein, Samuel Neves,
-                and Zooko Wilcox-O'Hearn
-- **Argon2:**   Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich
-- **X25519:**   Daniel J. Bernstein
+- **BLAKE2:**   Jean-Philippe Aumasson, Christian Winnerlein, Samuel Neves,
+                and Zooko Wilcox-O'Hearn.
+- **Argon2:**   Alex Biryukov, Daniel Dinu, and Dmitry Khovratovich.
+- **X25519:**   Daniel J. Bernstein.
 - **EdDSA:**    Daniel J. Bernstein, Bo-Yin Yang, Niels Duif, Peter
-                Schwabe, and Tanja Lange
+                Schwabe, and Tanja Lange.
 
 Implementors
 ------------
 
-- **Chacha20:** Loup Vaillant, implemented from spec.
+- **ChaCha20:** Loup Vaillant, implemented from spec.
 - **Poly1305:** Loup Vaillant, implemented from spec.
-- **Blake2b:**  Loup Vaillant, implemented from spec.
+- **BLAKE2b:**  Loup Vaillant, implemented from spec.
 - **Argon2i:**  Loup Vaillant, implemented from spec.
 - **X25519:**   Daniel J. Bernstein, taken and packaged from SUPERCOP
                 ref10.
@@ -42,7 +42,7 @@ Thanks
 
 Fabio Scotoni provided much needed advice about testing, interface,
 packaging, and the general direction of the whole project.  He also
-redesigned monocypher.org style sheets.
+redesigned the monocypher.org style sheets.
 
 Mike Pechkin and André Maroneze found bugs in earlier versions of
 Monocypher.
@@ -55,3 +55,9 @@ Mike Hamburg explained comb algorithms, including the signed
 all-bits-set comb described in his 2012 paper, Fast and compact
 elliptic-curve cryptography.  This made EdDSA signatures over twice as
 fast.
+
+Samuel Lucas found many typos in both the manual and the website.
+
+Jens Alfke added some #ifdefs that enabled Monocypher to compile into
+a C++ namespace, preventing symbol collisions with similarly-named
+functions in other crypto libraries.

src/3rdparty/monocypher/CHANGELOG.md

@@ -1,3 +1,18 @@
+3.1.3
+-----
+2022/04/25
+
+- Fixed many typos in the documentation.
+- Fixed buffer overflow in speed benchmarks.
+- Fixed some MSVC warnings.
+- Fixed a minor violation of the Elligator2 reverse map specs.
+- Added `change-prefix.sh` to help changing the `crypto_` prefix.
+- Added the `MONOCYPHER_CPP_NAMESPACE` preprocessor definition to
+  support namespaces for C++.
+- Deprecated `crypto_key_exchange()`
+- Use GitHub actions to automate the regular test suite.
+
+
 3.1.2
 -----
 2020/12/27
@@ -32,7 +47,7 @@
 
 - Added Elligator 2 mappings (hash to curve, curve to hash).
 - Added OPRF support (with scalar inversion).
-- Added Edwards25519 -> Curve25519 conversions
+- Added Edwards25519 -> Curve25519 conversions.
 
 
 3.0.0
@@ -47,8 +62,8 @@
 - `crypto_x25519()` and `crypto_key_exchange()` now return `void`.
 - Added a custom hash interface to EdDSA.  Several instances of EdDSA
   can share the same binary.
-- Added optional support for HMAC SHA-512
-- Moved all SHA-512 operations to `src/optional/monocypher-ed25519.(h|c)`
+- Added optional support for HMAC SHA-512.
+- Moved SHA-512 operations to `src/optional/monocypher-ed25519.(h|c)`.
 - Optional support for Ed25519 no longer requires a preprocessor flag.
   Add `src/optional/monocypher-ed25519.(h|c)` to your project instead.
 
@@ -57,9 +72,9 @@
 -----
 2019/10/21
 
-- Added the `BLAKE2_NO_UNROLLING` preprocessor definition. Activating it
-  makes the binary about 5KB smaller, and speeds up processing times on
-  many embedded processors.
+- Added the `BLAKE2_NO_UNROLLING` preprocessor definition. Activating
+  it makes the binary about 5KB smaller and speeds up processing times
+  on many embedded processors.
 - Reduced the stack usage of signature verification by about
   40%. Signature verification now fits in smaller machines.
 - Fixed many implicit casts warnings.
@@ -78,8 +93,8 @@
 -----
 2018/06/24
 
-- Corrected a critical vulnerability in EdDSA, where crypto_check() was
-  accepting invalid signatures.  (Found by Mike Pechkin.)  The current
+- Corrected a critical vulnerability found by Mike Pechkin in EdDSA,
+  where crypto_check() was accepting invalid signatures.  The current
   fix removes a buggy optimisation, effectively halving the performance
   of EdDSA.
 - The test suite no longer tries to allocate zero bytes (some platforms
@@ -89,8 +104,8 @@
 -----
 2018/06/16
 
-- Corrected undefined behaviour in Blake2b
-- Improved the test suite (faster, better coverage)
+- Corrected undefined behaviour in BLAKE2b.
+- Improved the test suite (faster, better coverage).
 
 2.0.2
 -----
@@ -118,13 +133,13 @@
 - Changed the authenticated encryption format.  It now conforms to
   RFC 7539, with one exception: it uses XChacha20 initialisation instead
   of the IETF version of Chacha20.  This new format conforms to
-  Libsodium's `crypto_aead_xchacha20poly1305_ietf_encrypt`.
+  libsodium's `crypto_aead_xchacha20poly1305_ietf_encrypt`.
 - Removed `crypto_lock_encrypt()` and `crypto_lock_auth()`.
 - Renamed `crypto_lock_aead_auth()` to `crypto_lock_auth_ad()`.
 - Renamed `crypto_unlock_aead_auth()` to `crypto_unlock_auth_ad()`.
-- Added  `crypto_lock_auth_message()` and `crypto_unlock_auth_message()`
-- Renamed `crypto_aead_lock` to `crypto_lock_aead`;
-- Renamed `crypto_aead_unlock` to `crypto_unlock_aead`;
+- Added `crypto_lock_auth_message()` and `crypto_unlock_auth_message()`.
+- Renamed `crypto_aead_lock` to `crypto_lock_aead`.
+- Renamed `crypto_aead_unlock` to `crypto_unlock_aead`.
 
 The format change facilitates optimisation by aligning data to block
 boundaries.  The API changes increase consistency.
@@ -144,8 +159,8 @@ boundaries.  The API changes increase consistency.
 2017/07/23
 
 - Optimised the loading and unloading code of the symmetric crypto
-  (Blake2b, sha512, Chacha20, and Poly1305).
-- Fused self contained tests together for easier analysis with Frama-C
+  (BLAKE2b, SHA-512, Chacha20, and Poly1305).
+- Fused self-contained tests together for easier analysis with Frama-C
   and the TIS interpreter.
 
 1.0
@@ -164,7 +179,7 @@ boundaries.  The API changes increase consistency.
 
 - Added about a hundred lines of code to improve performance of public
   key cryptography.  Diffie-Hellman is now 20% faster than before.
-  (The effects are less pronounces for EdDSA).
+  The effects are less pronounced for EdDSA.
 - Added random self-consistency tests.
 - Added a speed benchmark against libsodium.
 
@@ -175,30 +190,30 @@ boundaries.  The API changes increase consistency.
 - Slightly changed the authenticated encryption API.  Functions are
   now all in "detached" mode.  The reason is better support for
   authenticated encryption _without_ additional data.
-- Rewrote Blake2b from spec, so it can use the same licence as
+- Rewrote BLAKE2b from spec so it can use the same licence as
   everything else.
 - Added random tests that compare Monocypher with libsodium and
   ed25519-donna.
 - Added explicit support for Frama-C analysis (this doesn't affect the
-  source code)
+  source code).
 
 0.6
 ---
 2017/03/17
 
-- Fixed incorrect poly1305 output on empty messages.  (Found by Mike
+- Fixed incorrect Poly1305 output on empty messages.  (Found by Mike
   Pechkin.)
 
 0.5
 ---
 2017/03/10
 
-- Fixed many undefined behaviours in curve25519, that occur whenever
+- Fixed many undefined behaviours in Curve25519 that occur whenever
   we perform a left shift on a signed negative integer.  It doesn't
   affect the generated code, but you never know.  (Found with Frama-C
   by André Maroneze.)
 
-Fun fact: TweetNaCl and ref10 have the same bug.  Libsodium have
+Fun fact: TweetNaCl and ref10 have the same bug.  Libsodium has
 corrected the issue, though.
 
 For those who don't comprehend the magnitude of this madness, the
@@ -210,10 +225,10 @@ section 6.5.7(§4) of the C11 standard.
 2017/03/09
 
 - Fixed critical bug causing Argon2i to fail whenever it uses more
-  than 512 blocks.  It was reading uninitialised memory, and the
+  than 512 blocks.  It was reading uninitialised memory and the
   results were incorrect.  (Found by Mike Pechkin.)
-- Fixed an undefined behaviour in curve25519 (`fe_tobytes()`).  It was
-  accessing uninitialised memory, before throwing it away.  It didn't
+- Fixed an undefined behaviour in Curve25519 (`fe_tobytes()`).  It was
+  accessing uninitialised memory before throwing it away.  It didn't
   affect the compiled code nor the results, but you never know.
   (Found with [Frama-C](http://frama-c.com) by André Maroneze.)
 
@@ -221,10 +236,10 @@ section 6.5.7(§4) of the C11 standard.
 ---
 2017/02/27
 
-- Got the invariants of poly1305 right, put them in the comments.
+- Got the invariants of Poly1305 right and put them in the comments.
   There was no bug, but that was lucky (turned out the IETF test
   vectors were designed to trigger the bugs I was afraid of).
-- Simplified poly1305 finalisation (replaced conditional subtraction
+- Simplified Poly1305 finalisation (replaced conditional subtraction
   by a carry propagation).
 - Made a few cosmetic changes here and there.
 
@@ -235,9 +250,9 @@ section 6.5.7(§4) of the C11 standard.
 - Public interface significantly reworked. Removed redundant, hard to
   mess up constructions.
 - Added AEAD.
-- Sped up curve25519 by a factor of more than 6 (switched to ref10
-  arithmetic)
-- Added various test vectors, completed the consistency tests.
+- Sped up Curve25519 by a factor of more than 6 (switched to ref10
+  arithmetic).
+- Added various test vectors and completed the consistency tests.
 
 0.1
 ---

src/3rdparty/monocypher/README.md

@@ -3,14 +3,37 @@ Monocypher
 
 Monocypher is an easy to use, easy to deploy, auditable crypto library
 written in portable C.  It approaches the size of [TweetNaCl][] and the
-speed of [Libsodium][].
+speed of [libsodium][].
 
 [Official site.](https://monocypher.org/)  
 [Official releases.](https://monocypher.org/download/)
 
-[Libsodium]: https://libsodium.org
+[libsodium]: https://libsodium.org
 [TweetNaCl]: https://tweetnacl.cr.yp.to/
 
+
+Features
+--------
+
+- [Authenticated Encryption][AEAD] with XChaCha20 and Poly1305
+  (RFC 8439).
+- [Hashing][HASH] with BLAKE2b.
+- [Password Hashing][PWH] with Argon2i.
+- [Public Key Cryptography][PKC] with X25519 (key exchange).
+- [Public Key Signatures][PKS] with EdDSA (RFC 8032) and Ed25519.
+- [Steganography support][STEG] with Elligator 2.
+- [OPRF and PAKE support][PAKE] with Elligator 2 and scalar
+  inversion.
+
+[AEAD]: https://monocypher.org/manual/aead
+[HASH]: https://monocypher.org/manual/hash
+[PWH]:  https://monocypher.org/manual/argon2i
+[PKC]:  https://monocypher.org/manual/key_exchange
+[PKS]:  https://monocypher.org/manual/sign
+[STEG]: https://monocypher.org/manual/advanced/elligator
+[PAKE]: https://monocypher.org/manual/advanced/x25519_inverse
+
+
 Manual
 ------
 
@@ -123,14 +146,14 @@ Speed benchmark
 
 This will give you an idea how fast Monocypher is on your machine.  Make
 sure you run it on the target platform if performance is a concern.  If
-Monocypher is too slow, try Libsodium.  If you're not sure, you can
+Monocypher is too slow, try libsodium.  If you're not sure, you can
 always switch later.
 
 
 Note: the speed benchmark currently requires the POSIX
 `clock_gettime()` function.
 
-There are similar benchmarks for Libsodium, TweetNaCl, LibHydrogen,
+There are similar benchmarks for libsodium, TweetNaCl, LibHydrogen,
 c25519, and ed25519-donna (the portable, 32-bit version):
 
     $ make speed-sodium
@@ -169,10 +192,23 @@ is activated by compiling monocypher.c with the `-DBLAKE2_NO_UNROLLING`
 option.
 
 The `-DBLAKE2_NO_UNROLLING` option is a performance tweak.  By default,
-Monocypher unrolls the Blake2b inner loop, because doing so is over 25%
+Monocypher unrolls the BLAKE2b inner loop, because doing so is over 25%
 faster on modern processors.  Some embedded processors however, run the
 unrolled loop _slower_ (possibly because of the cost of fetching 5KB of
 additional code).  If you're using an embedded platform, try this
 option.  The binary will be about 5KB smaller, and in some cases faster.
 
+The `MONOCYPHER_CPP_NAMESPACE` preprocessor definition allows C++ users
+who compile Monocypher as C++ to wrap it in a namespace. When it is not
+defined (the default), we assume Monocypher is compiled as C, and an
+`extern "C"` declaration is added when we detect that the header is
+included in C++ code.
+
+The `change-prefix.sh` script can rename all functions by replacing
+"crypto_" by a chosen prefix, so you can avoid name clashes. For
+instance, the following command changes all instances of "crypto_" by
+"foobar_" (note the absence of the underscore):
+
+    ./change-prefix.sh foobar
+
 

src/3rdparty/monocypher/monocypher.h

@@ -1,4 +1,4 @@
-// Monocypher version 3.1.2
+// Monocypher version 3.1.3
 //
 // This file is dual-licensed.  Choose whichever licence you want from
 // the two licences listed below.
@@ -57,7 +57,9 @@
 #include <stddef.h>
 #include <stdint.h>
 
-#ifdef __cplusplus
+#ifdef MONOCYPHER_CPP_NAMESPACE
+namespace MONOCYPHER_CPP_NAMESPACE {
+#elif defined(__cplusplus)
 extern "C" {
 #endif
 
@@ -83,12 +85,12 @@ typedef struct {
 typedef struct {
     uint32_t r[4];   // constant multiplier (from the secret key)
     uint32_t h[5];   // accumulated hash
-    uint32_t c[5];   // chunk of the message
+    uint8_t  c[16];  // chunk of the message
     uint32_t pad[4]; // random number added at the end (from the secret key)
     size_t   c_idx;  // How many bytes are there in the chunk.
 } crypto_poly1305_ctx;
 
-// Hash (Blake2b)
+// Hash (BLAKE2b)
 typedef struct {
     uint64_t hash[8];
     uint64_t input_offset[2];
@@ -158,7 +160,7 @@ int crypto_unlock_aead(uint8_t       *plain_text,
                        const uint8_t *cipher_text, size_t text_size);
 
 
-// General purpose hash (Blake2b)
+// General purpose hash (BLAKE2b)
 // ------------------------------
 
 // Direct interface
@@ -207,7 +209,7 @@ void crypto_key_exchange(uint8_t       shared_key      [32],
                          const uint8_t their_public_key[32]);
 
 
-// Signatures (EdDSA with curve25519 + Blake2b)
+// Signatures (EdDSA with curve25519 + BLAKE2b)
 // --------------------------------------------
 
 // Generate public key