3rdparty: Update monocypher from 3.1.3 to 4.0.1

Update to match interface changes
2023-06-14 17:36:06 +01:00
parent 11a3dc287b
commit c4c14cb6a7
7 changed files with 2087 additions and 2180 deletions
--- a/src/3rdparty/monocypher/CHANGELOG.md
+++ b/src/3rdparty/monocypher/CHANGELOG.md
@@ -1,3 +1,27 @@
 4.0.1
 -----
 2023/03/06
 - Fixed Ed25519 secret key size in function prototype.
 - Fixed soname (should have been changed in 4.0.0)
 - Added convenience sub-targets to makefile.
 - Briefly specified wire format of Elligator and incremental AEAD.
 4.0.0
 -----
 2023/02/20
 - Fixed unsafe signature API.
 - Simpler, more flexible low-level signature API.
 - Fully specified, consensus-friendly signatures.
 - Added Argon2d and Argon2id, support multiple lanes.
 - Added safe and fast streaming AEAD.
 - Added HKDF-SHA-512 and documented BLAKE2b KDF.
 - More consistent and memorable function names.
 - POSIX makefile.
 3.1.3
 -----
 2022/04/25
@@ -151,6 +175,8 @@ boundaries.  The API changes increase consistency.
 - Rewrote the manual into proper man pages.
 - Added incremental interfaces for authenticated encryption and
  signatures.
 - Replaced `crypto_memcmp()` by 3 fixed size buffer comparisons (16, 32,
  and 64 bytes), to make sure the generated code remains constant time.
 - A couple breaking API changes, easily fixed by renaming the affected
  functions.
--- a/src/3rdparty/monocypher/LICENCE.md
+++ b/src/3rdparty/monocypher/LICENCE.md
@@ -11,9 +11,9 @@ to what file during which years.  See below for special notes.
 Licence 1 (2-clause BSD)
 ------------------------
-Copyright (c) 2017-2020, Loup Vaillant
+Copyright (c) 2017-2023, Loup Vaillant
 Copyright (c) 2017-2019, Michael Savage
-Copyright (c) 2017-2020, Fabio Scotoni
+Copyright (c) 2017-2023, Fabio Scotoni
 All rights reserved.
 Redistribution and use in source and binary forms, with or without
@@ -165,9 +165,3 @@ rights.
   - Affirmer understands and acknowledges that Creative Commons is not
     a party to this document and has no duty or obligation with respect
     to this CC0 or use of the Work.
 Special notes
 -------------
 The files in `tests/externals/` were placed in the public domain by
 their respective authors.  See the `AUTHORS.md` files in each directory.
--- a/src/3rdparty/monocypher/README.md
+++ b/src/3rdparty/monocypher/README.md
@@ -16,22 +16,22 @@ Features
 --------
 - [Authenticated Encryption][AEAD] with XChaCha20 and Poly1305
-  (RFC&nbsp;8439).
+  (RFC 8439).
- [Hashing][HASH] with BLAKE2b.
+- [Hashing and key derivation][HASH] with BLAKE2b (and [SHA-512][]).
- [Password Hashing][PWH] with Argon2i.
+- [Password Hashing][PWH] with Argon2.
- [Public Key Cryptography][PKC] with X25519 (key exchange).
+- [Public Key Cryptography][PKC] with X25519 key exchanges.
- [Public Key Signatures][PKS] with EdDSA (RFC 8032) and Ed25519.
+- [Public Key Signatures][EDDSA] with EdDSA and [Ed25519][].
- [Steganography support][STEG] with Elligator&nbsp;2.
+- [Steganography and PAKE][STEG] with [Elligator 2][ELLI].
 - [OPRF and PAKE support][PAKE] with Elligator&nbsp;2 and scalar
  inversion.
 [AEAD]:    https://monocypher.org/manual/aead
-[HASH]: https://monocypher.org/manual/hash
+[HASH]:    https://monocypher.org/manual/blake2
-[PWH]:  https://monocypher.org/manual/argon2i
+[SHA-512]: https://monocypher.org/manual/sha-512
-[PKC]:  https://monocypher.org/manual/key_exchange
+[PWH]:     https://monocypher.org/manual/argon2
-[PKS]:  https://monocypher.org/manual/sign
+[PKC]:     https://monocypher.org/manual/x25519
-[STEG]: https://monocypher.org/manual/advanced/elligator
+[EDDSA]:   https://monocypher.org/manual/eddsa
-[PAKE]: https://monocypher.org/manual/advanced/x25519_inverse
+[Ed25519]: https://monocypher.org/manual/ed25519
 [STEG]:    https://monocypher.org/manual/elligator
 [ELLI]:    https://elligator.org
 Manual
@@ -40,10 +40,6 @@ Manual
 The manual can be found at https://monocypher.org/manual/, and in the
 `doc/` folder.
 The `doc/man/` folder contains the man pages.  You can install them in
 your system by running `make install-doc`. Official releases also have a
 `doc/html/` folder with an html version.
 Installation
 ------------
@@ -54,41 +50,37 @@ The easiest way to use Monocypher is to include `src/monocypher.h` and
 `src/monocypher.c` directly into your project.  They compile as C (since
 C99) and C++ (since C++98).
 If you need the optional SHA-512 or Ed25519, grab
 `src/optional/monocypher-ed25519.h` and
 `src/optional/monocypher-ed25519.c` as well.
 ### Option 2: grab the library
 Run `make`, then grab the `src/monocypher.h` header and either the
 `lib/libmonocypher.a` or `lib/libmonocypher.so` library.  The default
-compiler is `gcc -std=gnu99`, and the default flags are `-pedantic -Wall
+compiler is `gcc -std=c99`, and the default flags are `-pedantic -Wall
 -Wextra -O3 -march=native`.  If they don't work on your platform, you
 can change them like this:
-    $ make CC="clang -std=c99" CFLAGS="-O2"
+    $ make CC="clang -std=c11" CFLAGS="-O2"
 ### Option 3: install it on your system
-The following should work on most UNIX systems:
+Run `make`, then `make install` as root. This will install Monocypher in
-
+`/usr/local` by default. This can be changed with `PREFIX` and
-    $ make install
+`DESTDIR`:
 This will install Monocypher in `/usr/local/` by default. Libraries
 will go to `/usr/local/lib/`, the header in `/usr/local/include/`, and
 the man pages in `/usr/local/share/man/man3`.  You can change those
 defaults with the `PREFIX` and `DESTDIR` variables thus:
    $ make install PREFIX="/opt"
-Once installed, you can use `pkg-config` to compile and link your
+Once installed, you may use `pkg-config` to compile and link your
-program.  For instance, if you have a one file C project that uses
+program.  For instance:
 Monocypher, you can compile it thus:
-    $ gcc -o myProgram myProgram.c        \
+    $ gcc program.c $(pkg-config monocypher --cflags) -c
-        $(pkg-config monocypher --cflags) \
+    $ gcc program.o $(pkg-config monocypher --libs)   -o program
        $(pkg-config monocypher --libs)
-The `cflags` line gives the include path for monocypher.h, and the
+If for any reason you wish to avoid installing the man pages or the
-`libs` line provides the link path and option required to find
+`pkg-config` file, you can use the following installation sub targets
-`libmonocypher.a` (or `libmonocypher.so`).
+instead: `install-lib`, `install-doc`, and `install-pc`.
 Test suite
@@ -96,9 +88,9 @@ Test suite
    $ make test
-It should display a nice printout of all the tests, all starting with
+It should display a nice printout of all the tests, ending with "All
-"OK".  If you see "FAILURE" anywhere, something has gone very wrong
+tests OK!". If you see "failure" or "Error" anywhere, something has gone
-somewhere.
+wrong.
 *Do not* use Monocypher without running those tests at least once.
@@ -139,53 +131,13 @@ Notes:
 [TIS]: https://trust-in-soft.com/tis-interpreter/
 Speed benchmark
 ---------------
    $ make speed
 This will give you an idea how fast Monocypher is on your machine.  Make
 sure you run it on the target platform if performance is a concern.  If
 Monocypher is too slow, try libsodium.  If you're not sure, you can
 always switch later.
 Note: the speed benchmark currently requires the POSIX
 `clock_gettime()` function.
 There are similar benchmarks for libsodium, TweetNaCl, LibHydrogen,
 c25519, and ed25519-donna (the portable, 32-bit version):
    $ make speed-sodium
    $ make speed-tweetnacl
    $ make speed-hydrogen
    $ make speed-c25519
    $ make speed-donna
 (The `speed-hydrogen` target assumes it has pkg-config installed. Try
 `make pkg-config-libhydrogen` as root if it is not.)
 You can also adjust the optimisation options for Monocypher, TweetNaCl,
 and c25519 (the default is `-O3 march=native`):
    $ make speed           CFLAGS="-O2"
    $ make speed-tweetnacl CFLAGS="-O2"
 Customisation
 -------------
 Monocypher has optional compatibility with Ed25519. To have that, add
 `monocypher-ed25519.h` and `monocypher-ed25519.c` provided in
-`src/optional` to your project.  If you're using the makefile, define
+`src/optional` to your project.  If you compile or install Monocypher
-the `USE_ED25519` variable to link it to monocypher.a and monocypher.so:
+with the makefile, they will be automatically included.
    $ make USE_ED25519=true
 If you install Monocypher with the makefile, you also need that option
 to copy `monocypher-ed25519.h` automatically:
    $ make install USE_ED25519=true
 Monocypher also has the `BLAKE2_NO_UNROLLING` preprocessor flag, which
 is activated by compiling monocypher.c with the `-DBLAKE2_NO_UNROLLING`
@@ -205,10 +157,8 @@ defined (the default), we assume Monocypher is compiled as C, and an
 included in C++ code.
 The `change-prefix.sh` script can rename all functions by replacing
-"crypto_" by a chosen prefix, so you can avoid name clashes. For
+`crypto_` by a chosen prefix, so you can avoid name clashes. For
-instance, the following command changes all instances of "crypto_" by
+instance, the following command changes all instances of `crypto_` by
-"foobar_" (note the absence of the underscore):
+`foobar_` (note the absence of the underscore):
    ./change-prefix.sh foobar
--- a/src/3rdparty/monocypher/monocypher.c
+++ b/src/3rdparty/monocypher/monocypher.c
--- a/src/3rdparty/monocypher/monocypher.h
+++ b/src/3rdparty/monocypher/monocypher.h
@@ -1,4 +1,4 @@
-// Monocypher version 3.1.3
+// Monocypher version 4.0.1
 //
 // This file is dual-licensed.  Choose whichever licence you want from
 // the two licences listed below.
@@ -63,60 +63,6 @@ namespace MONOCYPHER_CPP_NAMESPACE {
 extern "C" {
 #endif
 ////////////////////////
 /// Type definitions ///
 ////////////////////////
 // Vtable for EdDSA with a custom hash.
 // Instantiate it to define a custom hash.
 // Its size, contents, and layout, are part of the public API.
 typedef struct {
    void (*hash)(uint8_t hash[64], const uint8_t *message, size_t message_size);
    void (*init  )(void *ctx);
    void (*update)(void *ctx, const uint8_t *message, size_t message_size);
    void (*final )(void *ctx, uint8_t hash[64]);
    size_t ctx_size;
 } crypto_sign_vtable;
 // Do not rely on the size or contents of any of the types below,
 // they may change without notice.
 // Poly1305
 typedef struct {
    uint32_t r[4];   // constant multiplier (from the secret key)
    uint32_t h[5];   // accumulated hash
    uint8_t  c[16];  // chunk of the message
    uint32_t pad[4]; // random number added at the end (from the secret key)
    size_t   c_idx;  // How many bytes are there in the chunk.
 } crypto_poly1305_ctx;
 // Hash (BLAKE2b)
 typedef struct {
    uint64_t hash[8];
    uint64_t input_offset[2];
    uint64_t input[16];
    size_t   input_idx;
    size_t   hash_size;
 } crypto_blake2b_ctx;
 // Signatures (EdDSA)
 typedef struct {
    const crypto_sign_vtable *hash;
    uint8_t buf[96];
    uint8_t pk [32];
 } crypto_sign_ctx_abstract;
 typedef crypto_sign_ctx_abstract crypto_check_ctx_abstract;
 typedef struct {
    crypto_sign_ctx_abstract ctx;
    crypto_blake2b_ctx       hash;
 } crypto_sign_ctx;
 typedef crypto_sign_ctx crypto_check_ctx;
 ////////////////////////////
 /// High level interface ///
 ////////////////////////////
 // Constant time comparisons
 // -------------------------
@@ -125,36 +71,49 @@ int crypto_verify16(const uint8_t a[16], const uint8_t b[16]);
 int crypto_verify32(const uint8_t a[32], const uint8_t b[32]);
 int crypto_verify64(const uint8_t a[64], const uint8_t b[64]);
 // Erase sensitive data
 // --------------------
 // Please erase all copies
 void crypto_wipe(void *secret, size_t size);
 // Authenticated encryption
 // ------------------------
-void crypto_lock(uint8_t        mac[16],
+void crypto_aead_lock(uint8_t       *cipher_text,
-                 uint8_t       *cipher_text,
+                      uint8_t        mac  [16],
                 const uint8_t  key[32],
                 const uint8_t  nonce[24],
                 const uint8_t *plain_text, size_t text_size);
 int crypto_unlock(uint8_t       *plain_text,
                  const uint8_t  key[32],
                  const uint8_t  nonce[24],
                  const uint8_t  mac[16],
                  const uint8_t *cipher_text, size_t text_size);
 // With additional data
 void crypto_lock_aead(uint8_t        mac[16],
                      uint8_t       *cipher_text,
                      const uint8_t  key  [32],
                      const uint8_t  nonce[24],
                      const uint8_t *ad,         size_t ad_size,
                      const uint8_t *plain_text, size_t text_size);
-int crypto_unlock_aead(uint8_t       *plain_text,
+int crypto_aead_unlock(uint8_t       *plain_text,
                       const uint8_t  mac  [16],
                       const uint8_t  key  [32],
                       const uint8_t  nonce[24],
                       const uint8_t *ad,          size_t ad_size,
                       const uint8_t *cipher_text, size_t text_size);
 // Authenticated stream
 // --------------------
 typedef struct {
 	uint64_t counter;
 	uint8_t  key[32];
 	uint8_t  nonce[8];
 } crypto_aead_ctx;
 void crypto_aead_init_x(crypto_aead_ctx *ctx,
                        const uint8_t key[32], const uint8_t nonce[24]);
 void crypto_aead_init_djb(crypto_aead_ctx *ctx,
                          const uint8_t key[32], const uint8_t nonce[8]);
 void crypto_aead_init_ietf(crypto_aead_ctx *ctx,
                           const uint8_t key[32], const uint8_t nonce[12]);
 void crypto_aead_write(crypto_aead_ctx *ctx,
                       uint8_t         *cipher_text,
                       uint8_t          mac[16],
                       const uint8_t   *ad        , size_t ad_size,
                       const uint8_t   *plain_text, size_t text_size);
 int crypto_aead_read(crypto_aead_ctx *ctx,
                     uint8_t         *plain_text,
                     const uint8_t    mac[16],
                     const uint8_t   *ad        , size_t ad_size,
                     const uint8_t   *cipher_text, size_t text_size);
@@ -164,117 +123,155 @@ int crypto_unlock_aead(uint8_t       *plain_text,
 // ------------------------------
 // Direct interface
-void crypto_blake2b(uint8_t hash[64],
+void crypto_blake2b(uint8_t *hash,          size_t hash_size,
                    const uint8_t *message, size_t message_size);
-void crypto_blake2b_general(uint8_t       *hash   , size_t hash_size,
+void crypto_blake2b_keyed(uint8_t *hash,          size_t hash_size,
-                            const uint8_t *key    , size_t key_size, // optional
+                          const uint8_t *key,     size_t key_size,
                          const uint8_t *message, size_t message_size);
 // Incremental interface
-void crypto_blake2b_init  (crypto_blake2b_ctx *ctx);
+typedef struct {
 	// Do not rely on the size or contents of this type,
 	// for they may change without notice.
 	uint64_t hash[8];
 	uint64_t input_offset[2];
 	uint64_t input[16];
 	size_t   input_idx;
 	size_t   hash_size;
 } crypto_blake2b_ctx;
 void crypto_blake2b_init(crypto_blake2b_ctx *ctx, size_t hash_size);
 void crypto_blake2b_keyed_init(crypto_blake2b_ctx *ctx, size_t hash_size,
                               const uint8_t *key, size_t key_size);
 void crypto_blake2b_update(crypto_blake2b_ctx *ctx,
                           const uint8_t *message, size_t message_size);
 void crypto_blake2b_final(crypto_blake2b_ctx *ctx, uint8_t *hash);
 void crypto_blake2b_general_init(crypto_blake2b_ctx *ctx, size_t hash_size,
                                 const uint8_t      *key, size_t key_size);
-// vtable for signatures
+// Password key derivation (Argon2)
-extern const crypto_sign_vtable crypto_blake2b_vtable;
+// --------------------------------
 #define CRYPTO_ARGON2_D  0
 #define CRYPTO_ARGON2_I  1
 #define CRYPTO_ARGON2_ID 2
 typedef struct {
 	uint32_t algorithm;  // Argon2d, Argon2i, Argon2id
 	uint32_t nb_blocks;  // memory hardness, >= 8 * nb_lanes
 	uint32_t nb_passes;  // CPU hardness, >= 1 (>= 3 recommended for Argon2i)
 	uint32_t nb_lanes;   // parallelism level (single threaded anyway)
 } crypto_argon2_config;
 typedef struct {
 	const uint8_t *pass;
 	const uint8_t *salt;
 	uint32_t pass_size;
 	uint32_t salt_size;  // 16 bytes recommended
 } crypto_argon2_inputs;
 typedef struct {
 	const uint8_t *key; // may be NULL if no key
 	const uint8_t *ad;  // may be NULL if no additional data
 	uint32_t key_size;  // 0 if no key (32 bytes recommended otherwise)
 	uint32_t ad_size;   // 0 if no additional data
 } crypto_argon2_extras;
 extern const crypto_argon2_extras crypto_argon2_no_extras;
 void crypto_argon2(uint8_t *hash, uint32_t hash_size, void *work_area,
                   crypto_argon2_config config,
                   crypto_argon2_inputs inputs,
                   crypto_argon2_extras extras);
-// Password key derivation (Argon2 i)
+// Key exchange (X-25519)
-// ----------------------------------
+// ----------------------
 void crypto_argon2i(uint8_t       *hash,      uint32_t hash_size,     // >= 4
                    void          *work_area, uint32_t nb_blocks,     // >= 8
                    uint32_t       nb_iterations,                     // >= 3
                    const uint8_t *password,  uint32_t password_size,
                    const uint8_t *salt,      uint32_t salt_size);    // >= 8
-void crypto_argon2i_general(uint8_t       *hash,      uint32_t hash_size,// >= 4
+// Shared secrets are not quite random.
-                            void          *work_area, uint32_t nb_blocks,// >= 8
+// Hash them to derive an actual shared key.
-                            uint32_t       nb_iterations,                // >= 3
+void crypto_x25519_public_key(uint8_t       public_key[32],
-                            const uint8_t *password,  uint32_t password_size,
+                              const uint8_t secret_key[32]);
-                            const uint8_t *salt,      uint32_t salt_size,// >= 8
+void crypto_x25519(uint8_t       raw_shared_secret[32],
                            const uint8_t *key,       uint32_t key_size,
                            const uint8_t *ad,        uint32_t ad_size);
 // Key exchange (x25519 + HChacha20)
 // ---------------------------------
 #define crypto_key_exchange_public_key crypto_x25519_public_key
 void crypto_key_exchange(uint8_t       shared_key      [32],
                   const uint8_t your_secret_key  [32],
                   const uint8_t their_public_key [32]);
 // Conversion to EdDSA
 void crypto_x25519_to_eddsa(uint8_t eddsa[32], const uint8_t x25519[32]);
-// Signatures (EdDSA with curve25519 + BLAKE2b)
+// scalar "division"
-// --------------------------------------------
+// Used for OPRF.  Be aware that exponential blinding is less secure
 // than Diffie-Hellman key exchange.
 void crypto_x25519_inverse(uint8_t       blind_salt [32],
                           const uint8_t private_key[32],
                           const uint8_t curve_point[32]);
-// Generate public key
+// "Dirty" versions of x25519_public_key().
-void crypto_sign_public_key(uint8_t        public_key[32],
+// Use with crypto_elligator_rev().
-                            const uint8_t  secret_key[32]);
+// Leaks 3 bits of the private key.
 void crypto_x25519_dirty_small(uint8_t pk[32], const uint8_t sk[32]);
 void crypto_x25519_dirty_fast (uint8_t pk[32], const uint8_t sk[32]);
-// Direct interface
+
-void crypto_sign(uint8_t        signature [64],
+// Signatures
-                 const uint8_t  secret_key[32],
+// ----------
-                 const uint8_t  public_key[32], // optional, may be 0
+
 // EdDSA with curve25519 + BLAKE2b
 void crypto_eddsa_key_pair(uint8_t secret_key[64],
                           uint8_t public_key[32],
                           uint8_t seed[32]);
 void crypto_eddsa_sign(uint8_t        signature [64],
                       const uint8_t  secret_key[64],
                       const uint8_t *message, size_t message_size);
-int crypto_check(const uint8_t  signature [64],
+int crypto_eddsa_check(const uint8_t  signature [64],
                       const uint8_t  public_key[32],
                       const uint8_t *message, size_t message_size);
-////////////////////////////
+// Conversion to X25519
-/// Low level primitives ///
+void crypto_eddsa_to_x25519(uint8_t x25519[32], const uint8_t eddsa[32]);
-////////////////////////////
+
 // EdDSA building blocks
 void crypto_eddsa_trim_scalar(uint8_t out[32], const uint8_t in[32]);
 void crypto_eddsa_reduce(uint8_t reduced[32], const uint8_t expanded[64]);
 void crypto_eddsa_mul_add(uint8_t r[32],
                          const uint8_t a[32],
                          const uint8_t b[32],
                          const uint8_t c[32]);
 void crypto_eddsa_scalarbase(uint8_t point[32], const uint8_t scalar[32]);
 int crypto_eddsa_check_equation(const uint8_t signature[64],
                                const uint8_t public_key[32],
                                const uint8_t h_ram[32]);
 // For experts only.  You have been warned.
 // Chacha20
 // --------
 // Specialised hash.
 // Used to hash X25519 shared secrets.
-void crypto_hchacha20(uint8_t       out[32],
+void crypto_chacha20_h(uint8_t       out[32],
                       const uint8_t key[32],
                       const uint8_t in [16]);
 // Unauthenticated stream cipher.
 // Don't forget to add authentication.
-void crypto_chacha20(uint8_t       *cipher_text,
+uint64_t crypto_chacha20_djb(uint8_t       *cipher_text,
                     const uint8_t *plain_text,
                     size_t         text_size,
                     const uint8_t  key[32],
                     const uint8_t  nonce[8]);
 void crypto_xchacha20(uint8_t       *cipher_text,
                      const uint8_t *plain_text,
                      size_t         text_size,
                      const uint8_t  key[32],
                      const uint8_t  nonce[24]);
 void crypto_ietf_chacha20(uint8_t       *cipher_text,
                          const uint8_t *plain_text,
                          size_t         text_size,
                          const uint8_t  key[32],
                          const uint8_t  nonce[12]);
 uint64_t crypto_chacha20_ctr(uint8_t       *cipher_text,
                             const uint8_t *plain_text,
                             size_t         text_size,
                             const uint8_t  key[32],
                             const uint8_t  nonce[8],
                             uint64_t       ctr);
-uint64_t crypto_xchacha20_ctr(uint8_t       *cipher_text,
+uint32_t crypto_chacha20_ietf(uint8_t       *cipher_text,
                              const uint8_t *plain_text,
                              size_t         text_size,
                              const uint8_t  key[32],
                              const uint8_t  nonce[24],
                              uint64_t       ctr);
 uint32_t crypto_ietf_chacha20_ctr(uint8_t       *cipher_text,
                              const uint8_t *plain_text,
                              size_t         text_size,
                              const uint8_t  key[32],
                              const uint8_t  nonce[12],
                              uint32_t       ctr);
 uint64_t crypto_chacha20_x(uint8_t       *cipher_text,
                           const uint8_t *plain_text,
                           size_t         text_size,
                           const uint8_t  key[32],
                           const uint8_t  nonce[24],
                           uint64_t       ctr);
 // Poly 1305
 // ---------
@@ -289,94 +286,34 @@ void crypto_poly1305(uint8_t        mac[16],
                     const uint8_t  key[32]);
 // Incremental interface
 typedef struct {
 	// Do not rely on the size or contents of this type,
 	// for they may change without notice.
 	uint8_t  c[16];  // chunk of the message
 	size_t   c_idx;  // How many bytes are there in the chunk.
 	uint32_t r  [4]; // constant multiplier (from the secret key)
 	uint32_t pad[4]; // random number added at the end (from the secret key)
 	uint32_t h  [5]; // accumulated hash
 } crypto_poly1305_ctx;
 void crypto_poly1305_init  (crypto_poly1305_ctx *ctx, const uint8_t key[32]);
 void crypto_poly1305_update(crypto_poly1305_ctx *ctx,
                            const uint8_t *message, size_t message_size);
 void crypto_poly1305_final (crypto_poly1305_ctx *ctx, uint8_t mac[16]);
 // X-25519
 // -------
 // Shared secrets are not quite random.
 // Hash them to derive an actual shared key.
 void crypto_x25519_public_key(uint8_t       public_key[32],
                              const uint8_t secret_key[32]);
 void crypto_x25519(uint8_t       raw_shared_secret[32],
                   const uint8_t your_secret_key  [32],
                   const uint8_t their_public_key [32]);
 // "Dirty" versions of x25519_public_key()
 // Only use to generate ephemeral keys you want to hide.
 // Note that those functions leaks 3 bits of the private key.
 void crypto_x25519_dirty_small(uint8_t pk[32], const uint8_t sk[32]);
 void crypto_x25519_dirty_fast (uint8_t pk[32], const uint8_t sk[32]);
 // scalar "division"
 // Used for OPRF.  Be aware that exponential blinding is less secure
 // than Diffie-Hellman key exchange.
 void crypto_x25519_inverse(uint8_t       blind_salt [32],
                           const uint8_t private_key[32],
                           const uint8_t curve_point[32]);
 // EdDSA to X25519
 // ---------------
 void crypto_from_eddsa_private(uint8_t x25519[32], const uint8_t eddsa[32]);
 void crypto_from_eddsa_public (uint8_t x25519[32], const uint8_t eddsa[32]);
 // EdDSA -- Incremental interface
 // ------------------------------
 // Signing (2 passes)
 // Make sure the two passes hash the same message,
 // else you might reveal the private key.
 void crypto_sign_init_first_pass(crypto_sign_ctx_abstract *ctx,
                                 const uint8_t  secret_key[32],
                                 const uint8_t  public_key[32]);
 void crypto_sign_update(crypto_sign_ctx_abstract *ctx,
                        const uint8_t *message, size_t message_size);
 void crypto_sign_init_second_pass(crypto_sign_ctx_abstract *ctx);
 // use crypto_sign_update() again.
 void crypto_sign_final(crypto_sign_ctx_abstract *ctx, uint8_t signature[64]);
 // Verification (1 pass)
 // Make sure you don't use (parts of) the message
 // before you're done checking it.
 void crypto_check_init  (crypto_check_ctx_abstract *ctx,
                         const uint8_t signature[64],
                         const uint8_t public_key[32]);
 void crypto_check_update(crypto_check_ctx_abstract *ctx,
                         const uint8_t *message, size_t message_size);
 int crypto_check_final  (crypto_check_ctx_abstract *ctx);
 // Custom hash interface
 void crypto_sign_public_key_custom_hash(uint8_t       public_key[32],
                                        const uint8_t secret_key[32],
                                        const crypto_sign_vtable *hash);
 void crypto_sign_init_first_pass_custom_hash(crypto_sign_ctx_abstract *ctx,
                                             const uint8_t secret_key[32],
                                             const uint8_t public_key[32],
                                             const crypto_sign_vtable *hash);
 void crypto_check_init_custom_hash(crypto_check_ctx_abstract *ctx,
                                   const uint8_t signature[64],
                                   const uint8_t public_key[32],
                                   const crypto_sign_vtable *hash);
 // Elligator 2
 // -----------
 // Elligator mappings proper
-void crypto_hidden_to_curve(uint8_t curve [32], const uint8_t hidden[32]);
+void crypto_elligator_map(uint8_t curve [32], const uint8_t hidden[32]);
-int  crypto_curve_to_hidden(uint8_t hidden[32], const uint8_t curve [32],
+int  crypto_elligator_rev(uint8_t hidden[32], const uint8_t curve [32],
                          uint8_t tweak);
 // Easy to use key pair generation
-void crypto_hidden_key_pair(uint8_t hidden[32], uint8_t secret_key[32],
+void crypto_elligator_key_pair(uint8_t hidden[32], uint8_t secret_key[32],
                               uint8_t seed[32]);
 #ifdef __cplusplus
 }
 #endif
--- a/src/network/network.cpp
+++ b/src/network/network.cpp
@@ -235,19 +235,16 @@ std::vector<uint8> GenerateGeneralPasswordHash(const std::string &password, cons
 	if (password.empty()) return {};
 	std::vector<byte> data;
-	data.reserve(password.size() + password_server_id.size() + 6);
+	data.reserve(password_server_id.size() + password.size() + 10);
 	BufferSerialiser buffer(data);
 	/* key field */
 	buffer.Send_uint64(password_game_seed);
 	/* message field */
 	buffer.Send_string(password_server_id);
 	buffer.Send_string(password);
 	std::vector<byte> output;
 	output.resize(64);
-	crypto_blake2b_general(output.data(), output.size(), data.data(), 8, data.data() + 8, data.size() - 8);
+	crypto_blake2b(output.data(), output.size(), data.data(), data.size());
 	return output;
 }
--- a/src/sl/company_sl.cpp
+++ b/src/sl/company_sl.cpp
@@ -605,7 +605,7 @@ static void Load_PLYP()
 	std::vector<uint8> buffer(size - 16 - 24 - 16);
 	ReadBuffer::GetCurrent()->CopyBytes(buffer.data(), buffer.size());
-	if (crypto_unlock(buffer.data(), _network_company_password_storage_key, nonce, mac, buffer.data(), buffer.size()) == 0) {
+	if (crypto_aead_unlock(buffer.data(), mac, _network_company_password_storage_key, nonce, nullptr, 0, buffer.data(), buffer.size()) == 0) {
 		SlLoadFromBuffer(buffer.data(), buffer.size(), [invalid_mask]() {
 			_network_company_server_id.resize(SlReadUint32());
 			ReadBuffer::GetCurrent()->CopyBytes((uint8 *)_network_company_server_id.data(), _network_company_server_id.size());
@@ -684,7 +684,7 @@ static void Save_PLYP()
 	uint8 mac[16];    /* Message authentication code */
 	/* Encrypt in place */
-	crypto_lock(mac, buffer.data(), _network_company_password_storage_key, nonce, buffer.data(), buffer.size());
+	crypto_aead_lock(buffer.data(), mac, _network_company_password_storage_key, nonce, nullptr, 0, buffer.data(), buffer.size());
 	SlSetLength(2 + 16 + 24 + 16 + buffer.size());
 	SlWriteUint16(0); // Invalid mask